Nt4wrksv


Valda Atkeson

Aug 5, 2024, 2:33:55 PM
to traneninin
Moving onto enumeration, we got a few options here; we'll start with the HTTP sites running. Doing the usual 2.3-medium list against 80/tcp [HTTP] I let run for a while and got nothing, so I started an additional one against 49663/tcp [HTTP] and also got nothing. Using what we've already discovered, we can try the name of the share we found, as possibly it could be a re-used directory name: 'nt4wrksv'.

With the two highlighted boxes, we can work our way toward SYSTEM. For this I wasn't in the mood to use *Potato, so I used the updated PrintSpoofer instead (less hassle). Go ahead and download the exploit and upload it to the SMB share as we did above.


The client requests that an engineer conducts an assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test). The client has asked that you secure two flags (no location provided) as proof of exploitation:


I encourage you to approach this challenge as an actual penetration test. Consider writing a report, to include an executive summary, vulnerability and exploitation assessment, and remediation suggestions, as this will benefit you in preparation for the eLearnSecurity Certified Professional Penetration Tester or career as a penetration tester in the field.


Scanning the hidden web directories on both ports 80/tcp and 49663/tcp takes a while but is worth it (with directory-list-2.3-medium.txt). Nothing interesting stands out on port 80/tcp, but we find that the nt4wrksv share found previously is also available as a hidden location on port 49663/tcp.


Relevant is a TryHackMe room designed to simulate a black box penetration test. As such, no information is provided about the target whatsoever, with the exception of its scope. As proof of exploitation, two flags must be secured:


Connecting to SMB with those credentials works, but the permissions for those accounts are similar to anonymous connections. Disappointing. Bill and Bob shall not help us any further, as this seems to be another red herring.


We then upload hacky.aspx to the nt4wrksv share with get hacky.aspx in SMB and execute the payload through HTTP ( -ip:49663/nt4wrksv/hacky.aspx), instantly granting us a shell to our target and access to the output of user.txt.


Enumerating privileges on our current user instantly shows us how we will escalate our privileges to SYSTEM, since having SeImpersonatePrivilege enabled instantly makes this box vulnerable to printspoofer64 ( -abusing-impersonate-privileges/):


This target was a nice demonstration of rabbit holes and red herrings that might be encountered during pentests. Getting clues that are either too obvious or too intricate is often a good sign that something dubious might be happening behind the scenes.


Relevant is a medium-rated Windows room on TryHackMe by TheMayor. Here, the contents of a share on SMB, which can be accessed by anyone, are reflected to a web server, which is used to get a shell on the box as the IIS user, and SeImpersonatePrivilege was abused to get a SYSTEM shell on the box.


Looking at the results we can connect to 2 shares, i.e. IPC$ and nt4wrksv, but not to the 2 other shares. It is because we don't have enough permission. But we do have enough permission over the share nt4wrksv and we can see a file called passwords.txt. We can mount the share to our device, which will make it easier to work with.


Looks like we have write permissions for the share nt4wrksv. But it is not over yet. If I specify some user that definitely does not exist, like this_user_doesnot_exist, the output of CME will be the following.


CME tells us that this is a valid credential and lists the shares for us, but this user possibly cannot exist, and if it does, the password can't be the one that we provided. What CME did was anonymous authentication for the users that do not exist. But it did tell us that the password of one of our users is incorrect, and that might be a valid user on the box, i.e. Bill. Since we have write permission on this share, if there is any chance the content of this share is reflected on the web server, we can put an aspx shell on this share and get code execution, as for Linux we would have uploaded a php shell.


And notice something different here. I am using rlwrap, which can be installed from apt. On Linux the returned shell would not have autocompletion or arrow key functions, so we used to get an interactive shell using python or socat. Here, using rlwrap, we can get the functionality of the arrow keys only.


Here we are running as the IIS user, which is a service account on the Windows box. It is similar to www-data on a Linux box. As we have a shell as iis, we can read the content of the inetpub directory, which contains the content of the web server. inetpub can be thought of as the /var/www/html of a Linux system.


The first thing that I do on Linux is checking the sudoers entries using sudo -l, and on Windows we have to first check the privileges assigned to the user that we are running as. Since we are running as IIS, it is likely that the service account has more privileges than a normal user account. Privileges are something that, when enabled, allow a low-privilege user to do some privileged operation.


We can see that a few of the privileges are enabled for our user. And we can use SeImpersonatePrivilege to get a shell as authority/system. If you are having a very hard time with privilege escalation on Windows, you could solve windows10privesc by Tib3rius and windowsprivescarena by TCM.


This was an easy Windows machine that involved exploiting the Microsoft Eternal Blue exploit to gain immediate system-level access or alternatively an open SMB share to gain initial access and token impersonation to escalate privileges to system.


According to the instructions on the GitHub repository, all that is required is to specify the target IP address, SMB port and valid credentials to authenticate if required, and a SYSTEM shell will be returned.


Although Juicy Potato is normally used to exploit token impersonation, this only works if DCOM is enabled on the server. A great alternative is the PrintSpoofer exploit. Downloading the exploit from the Git repository and placing it on the nt4wrksv SMB share so it can be easily transferred to the target machine:


I am a penetration tester and cyber security / Linux enthusiast. Through this blog, I would like to share my passion for penetration testing, hoping that this might be of help for other students and professionals out there. I will be more than glad to exchange ideas with other fellow pentesters and enthusiasts.




Relevant is a medium-level challenge on TryHackMe. I must approach this challenge like a real penetration test. It is in that spirit that this report is written, to retrace the process and how I managed to find the two flags hidden on the target system. The approach used to carry out this penetration is a black-box approach, because I know almost nothing about the system at the start. I will explain how to proceed using a known vulnerability related to Samba servers.


It is a good idea to start with a full port scan, because a number of ports are not in the top 10,000. We will now run a service scan on these ports for deeper enumeration and also use common scripts.


Let's see what we can get from the Samba server. Using SMBClient, we just need to run the following command to try to enumerate the shares, leaving the password field empty:


Next, let's run another Nmap scan to check for known vulnerabilities within the SMB service. Nmap has a number of "smb-vuln-msxx-xxx" scripts that can be used to test the SMB service for public exploits.


From the scan output, it appears that the machine is vulnerable to MS17-010, which is a remote code execution vulnerability in SMBv1. Connecting to the nt4wrksv share and downloading the "passwords.txt" file stored there:
