
Advent of Cyber Day 13 Accumulate

Ludovic COULON
May 8th, 2020 · 1 min read

TryHackMe | Advent of Cyber

Mcsysadmin has been super excited with their new security role, but wants to learn even more. In an attempt to show their l33t skills, they have found a new box to play with.

This challenge accumulates all the things you've learnt from the previous challenges (that being said, it may be a little more difficult than the previous challenges). Here's the general way to attempt exploitation when just given an IP address:

  • Start out with an nmap scan to see what services are running
  • Enumerate these services and try to exploit them
  • Use these exploited services to get initial access to the host machine
  • Enumerate the host machine to elevate privileges

Credit to DarkStar7471 for creating this challenge! Not all tasks will include supporting material!

Setup

Directory brute-forcing the IIS web root with gobuster turns up the hidden directory the site lives in:

gobuster dir -u http://10.10.98.16 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.98.16
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/05/08 16:24:29 Starting gobuster
===============================================================
/retro (Status: 301)

The site under /retro is a WordPress blog, and one of its posts carries a comment worth reading:

http://10.10.98.16/retro/index.php/2019/12/09/ready-player-one/

One Comment on “Ready Player One”

  1. Wade December 9, 2019

    Leaving myself a note here just in case I forget how to spell it: parzival

Now we can try to log in to the WordPress admin with the credentials the user left in that comment:

username : Wade
password : parzival
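Wade's note is the kind of leak worth hunting for systematically rather than by eye. The script below is an added example, not part of the original write-up: it pulls every public comment through the WordPress REST API (/wp-json/wp/v2/comments, available since WordPress 4.7) and flags the ones that read like a note-to-self and end in a token that could be a secret. The keyword list, the candidate regex and the sample comments are this example's own constructions; the sample copies Wade's note from the page plus one harmless comment with a made-up author and post id.

```python
"""Hunt WordPress comments for secrets people wrote down "for later".
Added example; the heuristics and SAMPLE_COMMENTS are constructed here."""
import html
import json
import re
import urllib.error
import urllib.request

# Phrases that usually introduce a reminder of a credential.
HINT_RE = re.compile(
    r"\b(password|passwd|pwd|passphrase|creds?|pin|note to (?:my)?self|"
    r"forget|remember|spell it)\b",
    re.IGNORECASE,
)
# Candidate secret: the last token after the final colon or equals sign.
CANDIDATE_RE = re.compile(r"[:=]\s*(\S+)\s*$")
TAG_RE = re.compile(r"<[^>]+>")

# Constructed sample: Wade's note as shown on the page, plus a benign comment.
# The post ids and the second author are made up for the example.
SAMPLE_COMMENTS = [
    {"author_name": "Wade", "post": 5, "date": "2019-12-09T00:00:00",
     "content": {"rendered": "<p>Leaving myself a note here just in case I "
                             "forget how to spell it: parzival</p>\n"}},
    {"author_name": "Art3mis", "post": 5, "date": "2019-12-10T00:00:00",
     "content": {"rendered": "<p>Great post, can&#8217;t wait for the sequel!</p>\n"}},
]


def strip_html(rendered):
    """The REST API returns comment text as rendered HTML; reduce it to plain text."""
    return html.unescape(TAG_RE.sub("", rendered)).strip()


def find_leaks(comments):
    """Return the comments that both sound like a reminder and end in a
    secret-looking token.  `comments` is the JSON list from the REST API."""
    leaks = []
    for c in comments:
        text = strip_html(c.get("content", {}).get("rendered", ""))
        hint = HINT_RE.search(text)
        cand = CANDIDATE_RE.search(text)
        if hint and cand:
            leaks.append({
                "author": c.get("author_name"),
                "post": c.get("post"),
                "date": c.get("date"),
                "hint": hint.group(0),
                "candidate": cand.group(1),
                "text": text,
            })
    return leaks


def fetch_comments(base_url, per_page=100):
    """Pull every public comment; WordPress caps per_page at 100 and answers
    HTTP 400 once the page number runs past the last page."""
    comments, page = [], 1
    while True:
        url = (f"{base_url.rstrip('/')}/wp-json/wp/v2/comments"
               f"?per_page={per_page}&page={page}")
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                batch = json.load(resp)
        except urllib.error.HTTPError as exc:
            if exc.code == 400:
                return comments
            raise
        comments.extend(batch)
        if len(batch) < per_page:
            return comments
        page += 1


if __name__ == "__main__":
    import sys
    # Usage: python3 wp_comment_leaks.py http://10.10.98.16/retro
    comments = fetch_comments(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_COMMENTS
    print(json.dumps(find_leaks(comments), indent=2))
```

Run it against the blog's base URL to scan live comments, or with no argument to see it pick "parzival" out of the sample while ignoring the benign comment. Treat the output as leads to verify, not confirmed credentials: the regex deliberately over-matches rather than miss a note like Wade's.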

http://10.10.98.16/retro/wp-login.php

After many attempts at getting a reverse shell through WordPress, I moved on to another attack.

The nmap scan also shows port 3389 (RDP) open on the same host:

80/tcp open http syn-ack Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: RETROWEB
| NetBIOS_Domain_Name: RETROWEB
| NetBIOS_Computer_Name: RETROWEB
| DNS_Domain_Name: RetroWeb
| DNS_Computer_Name: RetroWeb
| Product_Version: 10.0.14393
|_ System_Time: 2020-05-08T20:33:08+00:00
| ssl-cert: Subject: commonName=RetroWeb
| Issuer: commonName=RetroWeb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-07T20:02:50
| Not valid after: 2020-11-06T20:02:50
| MD5: 9b6b 0322 e36d 74e5 9334 0313 35dd 81b7
| SHA-1: 410c 8275 4f20 c2f8 b943 1927 40b8 de27 af29 f8bf
| -----BEGIN CERTIFICATE-----
| MIIC1DCCAbygAwIBAgIQKUOrPeP7+aVM6j6diuzmUDANBgkqhkiG9w0BAQsFADAT
| MREwDwYDVQQDEwhSZXRyb1dlYjAeFw0yMDA1MDcyMDAyNTBaFw0yMDExMDYyMDAy
| NTBaMBMxETAPBgNVBAMTCFJldHJvV2ViMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
| MIIBCgKCAQEAoRk88D0fxMB6g1Dn+Jv1eJ1Xa7SDi8/T77KlhNRH7bpWKIRupqyr
| JW0LeS48uUjfgGhqpaPgsdkNHjU7r+kyco6wSzYPt4AsHVW2/M/9lqxZ9JjXxjnF
| DCtV1LmZe6l9Oi1q/DTU8o57wLpgXCRTSZMYD8DWCq4o/NCQgKF36b19g/Q8IOzB
| mVSPEgHRzzf09idzVTTWYMg5f36ZQufnsGEAQB06/tjZs20PngSYj9o+m+Idobri
| w+AFqxOB2OomuveSDXHawgWNoKGEqHEgkCNO4OR6onFo+gOVkI5Wn5ppZw86BtwQ
| /qg1VrdRQlDvxPSwEUMywjHhJD7dTjKp8QIDAQABoyQwIjATBgNVHSUEDDAKBggr
| BgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcNAQELBQADggEBAJ8A3kLh+U1n
| MjAGFIdOU/aoX5tKVAOGQI7NhCStR4V8rt1jzl83t5LYDRgu4BvwJmzpqTu2jlBM
| ORPnyaa+UfQmsA/P8itYmDRuGEWBnVAwWgfykfKlxDvxowhsIGQvulgUF4BuH+6I
| LEeZNSNPh3U7cCdQelEp5Uf+NikhEOnyAwbcABdJMm/QRazFtbnvV0vI6bWuudj8
| ykqlasuZ/rFn9AXbEL4uHEZH9OmvOkZj4jPxrcxE9zN1SFcuEa6wBV8S7j9Ryvka
| VG1J8q2FsO4kouO23MCi3IN8aeFA9fKOAO2co+1VGiunpjC1p/Wsi5gRzzdw0J6u
| nJ82sCcskO0=
|_-----END CERTIFICATE-----
|_ssl-date: 2020-05-08T20:33:09+00:00; +4s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

The rdp-ntlm-info script leaks the NetBIOS computer name (RETROWEB) and the OS build (10.0.14393, i.e. Windows Server 2016) before any authentication, and the same host serves both the WordPress site and RDP. Since people reuse passwords, the obvious next step is to try Wade's WordPress credentials over RDP.
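The rdp-ntlm-info and ssl-date lines above are the facts the next step is built on, and they are worth extracting automatically on every scan. The script below is an added example (not code from the write-up) that parses normal nmap -sV -sC output into what you act on next: which ports are open, the NetBIOS names, the build mapped to a product name, the HTTP TRACE finding and the clock skew. The sample input is a constructed subset of the scan on this page; the BUILD_NAMES table and the standalone-host heuristic (NetBIOS domain equal to the computer name) are this example's own assumptions.

```python
"""Pull reusable identity facts out of an nmap -sV -sC scan.
Added example; SAMPLE_NMAP is a constructed subset of the scan on this page."""
import re
from datetime import datetime

SAMPLE_NMAP = """\
80/tcp open http syn-ack Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: RETROWEB
| NetBIOS_Domain_Name: RETROWEB
| NetBIOS_Computer_Name: RETROWEB
| DNS_Domain_Name: RetroWeb
| DNS_Computer_Name: RetroWeb
| Product_Version: 10.0.14393
|_ System_Time: 2020-05-08T20:33:08+00:00
| ssl-cert: Subject: commonName=RetroWeb
| Issuer: commonName=RetroWeb
|_ssl-date: 2020-05-08T20:33:09+00:00; +4s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# Assumption: a small build -> product table for the builds met most often.
BUILD_NAMES = {
    "6.3.9600": "Windows Server 2012 R2 / Windows 8.1",
    "10.0.14393": "Windows Server 2016 / Windows 10 1607",
    "10.0.17763": "Windows Server 2019 / Windows 10 1809",
}

# "80/tcp open http syn-ack Microsoft IIS httpd 10.0": the reason token
# ("syn-ack", sometimes "syn-ack ttl 63") only appears with --reason.
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+syn-ack(?:\s+ttl\s+\d+)?)?\s*(?P<product>.*)$"
)
# Script output: "| Key: value", or "|_ Key: value" on a script's last line.
KV_RE = re.compile(r"^\|_?\s*(?P<key>[A-Za-z_]+):\s*(?P<value>.+?)\s*$")
SKEW_RE = re.compile(r"ssl-date:.*?;\s*(?P<skew>[+-]\d+)s from scanner time")
RISKY_RE = re.compile(r"Potentially risky methods:\s*(?P<methods>.+)$")


def parse_nmap(text):
    """Return ports, the rdp-ntlm-info fields, clock skew and risky HTTP methods."""
    result = {"ports": [], "ntlm": {}, "skew_seconds": None, "risky_methods": []}
    in_ntlm = False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            result["ports"].append({
                "port": int(m["port"]), "proto": m["proto"], "state": m["state"],
                "service": m["service"], "product": m["product"].strip(),
            })
            in_ntlm = False
            continue
        if line.startswith("| rdp-ntlm-info:"):
            in_ntlm = True
            continue
        if in_ntlm:
            kv = KV_RE.match(line)
            if kv:
                result["ntlm"][kv["key"]] = kv["value"]
            if line.startswith("|_"):      # "|_" marks the script's last line
                in_ntlm = False
            continue
        skew = SKEW_RE.search(line)
        if skew:
            result["skew_seconds"] = int(skew["skew"])
        risky = RISKY_RE.search(line)
        if risky:
            result["risky_methods"].extend(risky["methods"].split())
    return result


def summarize(text):
    """Turn the parse into the facts you act on: names, build, exposure notes."""
    p = parse_nmap(text)
    ntlm = p["ntlm"]
    build = ntlm.get("Product_Version")
    system_time = ntlm.get("System_Time")
    summary = {
        "open_ports": [f"{x['port']}/{x['proto']} {x['service']}"
                       for x in p["ports"] if x["state"] == "open"],
        "computer_name": ntlm.get("NetBIOS_Computer_Name"),
        "domain": ntlm.get("NetBIOS_Domain_Name"),
        "build": build,
        "os": BUILD_NAMES.get(build, "unknown build"),
        "system_time": datetime.fromisoformat(system_time) if system_time else None,
        "skew_seconds": p["skew_seconds"],
        "risky_methods": p["risky_methods"],
        "notes": [],
    }
    # Heuristic: a non-domain-joined host reports its own name as the NetBIOS domain.
    if summary["computer_name"] and summary["computer_name"] == summary["domain"]:
        summary["notes"].append("NetBIOS domain == computer name: standalone host, local accounts only")
    if any(x["port"] == 3389 and x["state"] == "open" for x in p["ports"]):
        summary["notes"].append("RDP exposed: try every credential found elsewhere (password reuse)")
    return summary


if __name__ == "__main__":
    import json, sys
    # Usage: python3 nmap_facts.py scan.nmap   (no argument: the built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP
    print(json.dumps(summarize(text), indent=2, default=str))
```

Feed it the saved normal output (nmap -oN) of a scan; for the sample it reports RETROWEB as a standalone Windows Server 2016 host with RDP exposed, which is exactly the reasoning behind trying the WordPress password over RDP. For anything beyond a quick triage, prefer nmap's XML output (-oX) and an XML parser over regexes on the human-readable format.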

How to connect to a remote desktop from Linux

sudo apt-get install -y remmina

Then open an RDP connection in Remmina to 10.10.98.16 with the user Wade and the password parzival.

#1 A web server is running on the target. What is the hidden directory which the website lives on?

/retro

#2 Gain initial access and read the contents of user.txt

3b99fbdc6d430bfb51c72c651a261927

#3 [Optional] Elevate privileges and read the content of root.txt

The Google Chrome session on the box has a bookmark pointing at CVE-2019-1388, so let's follow that lead.

CVE-2019-1388 is the Windows Certificate Dialog elevation-of-privilege bug: when an elevated UAC prompt is used to show the publisher's certificate, the "Issued by" hyperlink in the certificate dialog opens a browser in the SYSTEM context, and a file dialog in that browser can then launch a command prompt as SYSTEM. The build seen in the scan, 10.0.14393 (Windows Server 2016), is affected unless the November 2019 update is installed.

NVD - CVE-2019-1388: https://nvd.nist.gov/vuln/detail/CVE-2019-1388

Video walkthrough: https://www.youtube.com/watch?v=3BQKpPNlTSo

The screenshots show the SYSTEM-level file dialog being pointed at

C:\Windows\System32\*.*

(the *.* filter lists every file, not just the dialog's default type) and the root flag being read:

7958b569565d7bd88d10c6f22d1c4063 # root flag

© 2020 Ludovic COULON