Quick blog post on the VM “Bobby”, which is one of the nicest VMs I have done so far.
The first step is always the same: discovering the machine on the network. To do so:
I managed to retrieve the IP address:
Let’s start by fingerprinting the different services in order to exploit it.
Then, I used Nmap to retrieve the services running:
Using Nikto as well:
localstart.asp asked for credentials, but unfortunately I didn’t have them.
I also used DirBuster but I couldn’t find relevant files/directories.
I decided to target the FTP server. I checked whether anonymous access was enabled on the FTP server, but unfortunately it was not.
Based on the web application, I decided to build a custom wordlist, because I had no clue what kind of password it could be.
I used the awesome tool Wyd, which extracts the individual words/strings from a set of files.
To do so:
And then :
The output is:
Moreover, I had no clue about the username either, but thanks to the information we retrieved, I guessed it would be something like:
After cracking it with Hydra, I was able to log in with these credentials: Bob/Matrix. Yay!
Thanks to this access, I found a file called:
*#1 This very common Windows file is not downloaded or interpreted but rather executed server side.*
The plan now was to create a reverse Meterpreter backdoor, upload it, and execute it by browsing to the page.
I created the payload using msfpayload:
Then I uploaded the backdoor, started a listener on port 4444 and got a Meterpreter session. Good!
However, the Meterpreter session died a few minutes later because of a timeout in the web application. I decided to:
- Re-execute the backdoor by accessing the file through the web server
- Then, after getting the Meterpreter session, execute it again:
execute -f backdoor.exe
- Go to the background and restart a handler.
You need to do it fast enough to catch the connection. Otherwise, you’ll wait, and wait..
Then I got this second Meterpreter session, and I was sure this one would not terminate because of the timeout. It was time to get SYSTEM privileges!
The first attempt was to use getsystem, but unfortunately I didn’t have enough privileges.
I couldn’t migrate to another process.
So, I decided to have a look at all the processes and services running on localhost which were not accessible from the outside. That’s where I found the Terminal Server.
I decided to add some route:
I added a route that allowed me to target the remote machine with the IP 127.0.0.1. The traffic was tunneled through the Meterpreter session. Nice trick, I like it.
Then, I port-forwarded the Terminal Server port: 3389.
I did it like this:
portfwd add -l 3389 -p 3389 -r 127.0.0.1
That allowed me to target the local port 3389, and the whole traffic was forwarded to the remote port 3389. Another nice Meterpreter trick I like.
Thanks to this, I was able to use rdesktop and log in with Bob’s account (password: Matrix). Then, I executed the backdoor again to get a proper user running the process.
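A defender’s view of this step, as an added example that is not part of the original write-up: because the RDP client goes through a port forward, the Terminal Server sees the logon coming from its own loopback address. The script below assumes successful-logon events (Windows Security 4624, LogonType 10 = RemoteInteractive) flattened into constructed key=value lines and flags RDP logons whose source is 127.0.0.1 or ::1.

```python
import re

# Constructed sample of Windows Security logon events, one key=value line each.
# LogonType 10 is RemoteInteractive (RDP); EventID 4624 is a successful logon.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=10 TargetUserName=alice IpAddress=10.0.0.25 WorkstationName=WS01
EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.0.7 WorkstationName=BKP01
EventID=4624 LogonType=10 TargetUserName=Bob IpAddress=127.0.0.1 WorkstationName=BOBBY
EventID=4624 LogonType=10 TargetUserName=Bob IpAddress=::1 WorkstationName=BOBBY
EventID=4634 LogonType=10 TargetUserName=alice IpAddress=10.0.0.25 WorkstationName=WS01
EventID=4624 LogonType=2 TargetUserName=Bob IpAddress=- WorkstationName=BOBBY
"""

LOOPBACK = {"127.0.0.1", "::1"}
RDP_LOGON_TYPE = "10"
_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one constructed key=value line into a dict (not a real EVTX parser)."""
    return dict(_KV.findall(line))


def is_tunneled_rdp_logon(event):
    """True for a successful RDP logon whose source address is the host itself.

    A RemoteInteractive logon from loopback means the RDP client reached port
    3389 through a local port forward or tunnel, as in the pivot above, which
    is not how an administrator normally connects to a Terminal Server.
    """
    return (
        event.get("EventID") == "4624"
        and event.get("LogonType") == RDP_LOGON_TYPE
        and event.get("IpAddress") in LOOPBACK
    )


def find_tunneled_rdp_logons(log_text):
    """Return (user, source_ip, workstation) for every suspicious RDP logon."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_tunneled_rdp_logon(ev):
            hits.append((ev["TargetUserName"], ev["IpAddress"], ev.get("WorkstationName", "")))
    return hits


if __name__ == "__main__":
    for user, ip, host in find_tunneled_rdp_logons(SAMPLE_EVENTS):
        print(f"ALERT: RDP logon for {user} on {host} from loopback address {ip}")
```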
I managed to retrieve another Meterpreter session. I tried the getsystem command again, but no luck.
However, I remembered an exploit called Kitrap0d.
I checked whether it was still in Metasploit (I remember it was one of the methods used by getsystem) and I was able to use it. I pointed it at my Meterpreter session and “Voilà!”, I got SYSTEM privileges. :–)
The metasploit module is: exploit/windows/local/ms10_015_kitrap0d.
Then, I was able to dump hashes from the system:
And then, I cracked the passwords (for fun) using John the Ripper; the Administrator’s password was: P@SSW0RD12345.
I hope you liked the write-up, which contains (in my opinion) some fun tricks such as adding a route, doing port forwarding, etc. Cheers and see you soon!