CyberSecLabs and "Secret" Challenge Walkthrough

Last week, CyberSecLabs (cyberseclabs.co.uk) broke into the pentesting lab scene by releasing numerous real-world lab environments meant for introductory and intermediate users alike.  They offer the "Hello World" of boxes, based on EternalBlue, as well as other Linux and Windows machines.  The lab environments are incredibly responsive and quicker to start up and access than the HTB alternative that we've all grown increasingly frustrated with over the last many months. The user dashboard is interactive, letting you know how many challenges and machines you've completed, as well as server information and more.  It's clean, well thought out, and not a confusing maze of links like you find in the HTB dashboard.

My profile/dashboard page on CyberSecLabs

As you can see, I've done a couple of the beginner labs, as well as a "Community Lab," which is considered a bit more difficult than the beginner lab alternatives.

"Secret" Walkthrough

Machine control dashboard

Like most other pentesting lab challenges and environments, we are met with a simple description of the machine and its underlying operating system.  So let's get to work. We connect using OpenVPN and the .ovpn file we download from our dashboard, run it, and click the start button on the machine (where the stop button is shown above).

Information Gathering

The first thing we need to do is get an understanding of our target machine by running:

nmap -T4 -A -Pn 172.31.2.1

We can quickly determine from the returned information that we are looking at a Windows Server acting as a Domain Controller.


Great!  We have some information that we can use.  SMB is running on 139/445, Kerberos is running on 88, and we can glean the name of the domain the controller serves: SECRET.org.

Enumeration and First Low Privilege Hash

Now that we have some information to go off of, let's start poking around a bit.  Starting at the easiest targets and moving outward, we begin with enumerating the SMB service by running:

smbclient -L \\\\172.31.2.1\\

SMB enumeration

As we can see, there are several shares, but one sticks out: Office_Share.  Let's run the following smbclient command in the hope that it allows anonymous login:

smbclient \\\\172.31.2.1\\Office_Share

smbclient anonymous login

This is great, and a common misconfiguration by many system administrators: the share is readable without any credentials at all.  Further enumeration shows us that there are several user directories available, which should be noted.

SMB Directory

Now that we know there are directories available, we can traverse them manually, but I've chosen to download the directories and their contents directly to my Kali machine by typing the following at the smbclient prompt:

recurse ON
prompt OFF
mget *

SMB download command and results

We can also see a couple of .txt documents while downloading (because recurse is ON). On inspection of the downloaded directory, we can clearly see a password, but we don't know who or what it belongs to.

Didn't think you were getting off that easy, I hope
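The password above was sitting in a plain text file on a share anyone could read, which is exactly the kind of finding an administrator should be hunting for before someone else does. As an added defender-side example that is not part of the original post, the script below walks a local copy of a share (the directory tree that smbclient's mget produced, for instance) and reports the location of every line that looks like a stored credential, without printing the secret itself. The share layout, file names and the pattern list are constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Patterns that commonly betray plaintext credentials in files left on a share.
# This list is an assumption for the example; extend it for your environment.
SECRET_RE = re.compile(r"(?i)\b(password|passwd|pwd|pass)\s*[:=]\s*\S+")

# Only look inside file types that are usually human-readable text.
TEXT_SUFFIXES = {".txt", ".ini", ".cfg", ".conf", ".xml", ".ps1", ".bat", ".log"}


def scan_tree(root):
    """Walk a directory tree and return (relative_path, line_no, keyword) for
    every line that matches a credential pattern. The value after the keyword
    is deliberately not returned, so the report can be shared safely."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            lines = path.read_text(errors="replace").splitlines()
        except OSError:
            continue  # unreadable file: skip rather than abort the whole audit
        for line_no, line in enumerate(lines, 1):
            match = SECRET_RE.search(line)
            if match:
                findings.append((path.relative_to(root).as_posix(), line_no,
                                 match.group(1).lower()))
    return findings


def build_sample_share():
    """Create a constructed stand-in for a downloaded Office_Share tree
    (user directories plus a note with a credential in it)."""
    root = Path(tempfile.mkdtemp(prefix="office_share_"))
    (root / "alice").mkdir()
    (root / "bob").mkdir()
    (root / "alice" / "notes.txt").write_text("Meeting moved to 3pm\n")
    (root / "bob" / "vpn.txt").write_text("Helpdesk ticket 1234\n"
                                          "Password: ExampleOnly123!\n")
    (root / "readme.txt").write_text("Welcome to the office share\n")
    return root


if __name__ == "__main__":
    for rel_path, line_no, keyword in scan_tree(build_sample_share()):
        print(f"{rel_path}:{line_no}: possible credential ({keyword})")
```

Run against a real export, the same report tells you which user directories need cleaning up and which accounts should have their passwords rotated.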

So we have a password and a bunch of user directories, but no idea what to do with them.  We can try using a tool called lookupsid.py, which allows us to enumerate valid usernames from a single valid user run through the tool.  However, this would take time to do manually.  Alternatively, we can write a simple Bash loop that runs through a larger username list we create ourselves, based on the directory names we located earlier.

Username List

Now that we have our list of possible usernames, we can go to work utilizing lookupsid.py, using the following command:

for user in $(cat users.txt); do lookupsid.py SECRET/$user:'<insert that password we found>'@172.31.2.1; done

Failed Attempt Example

Successful Attempt Example

If you used the above example username list, you will see that the 8th attempt was successful.  Please make note of this name, as I will not give it away.  We also need to keep track of the usernames enumerated by lookupsid.py, as these may be leveraged later.

Method #2

We can use a tool called crackmapexec to test the password against each user until we find the correct one.  The command to do so is as follows:

crackmapexec smb 172.31.2.1 -u users.txt -p <passwordhere>

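Both methods above are, from the Domain Controller's point of view, a password spray: one password tried against many accounts from a single source in a short burst, followed by a success. That sequence is easy to pick out of the Security log (event 4625 for a failed logon, 4624 for a successful one). As an added defender-side example that is not part of the original post, the detector below reads constructed, simplified event lines (the field layout is an assumption for the example, not real Windows event formatting) and flags any source address that fails against a threshold number of distinct accounts within one window, noting which account it then succeeded on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source fails against five accounts in a few
# seconds and then logs in as a sixth; a second source just has one user
# mistyping a password twice, well apart in time.
SAMPLE_EVENTS = """\
2020-05-01T10:00:01Z EventID=4625 TargetUserName=alice IpAddress=10.10.0.5 LogonType=3
2020-05-01T10:00:02Z EventID=4625 TargetUserName=bob IpAddress=10.10.0.5 LogonType=3
2020-05-01T10:00:02Z EventID=4625 TargetUserName=carol IpAddress=10.10.0.5 LogonType=3
2020-05-01T10:00:03Z EventID=4625 TargetUserName=dave IpAddress=10.10.0.5 LogonType=3
2020-05-01T10:00:03Z EventID=4625 TargetUserName=erin IpAddress=10.10.0.5 LogonType=3
2020-05-01T10:00:04Z EventID=4624 TargetUserName=frank IpAddress=10.10.0.5 LogonType=3
2020-05-01T10:05:00Z EventID=4625 TargetUserName=alice IpAddress=10.10.0.9 LogonType=3
2020-05-01T10:20:00Z EventID=4625 TargetUserName=alice IpAddress=10.10.0.9 LogonType=3
"""

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)")


def parse_events(text):
    """Turn the simplified log lines into (timestamp, event_id, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # ignore lines that are not logon events
        ts = datetime.fromisoformat(match.group(1).replace("Z", "+00:00"))
        events.append((ts, int(match.group(2)), match.group(3).lower(), match.group(4)))
    return events


def detect_spray(events, min_users=5, window=timedelta(minutes=5)):
    """Return {ip: {"failed_users": set, "succeeded_users": set}} for each source
    whose failed logons cover at least min_users distinct accounts inside one
    sliding window. Successful logons from that source at or after the start of
    the burst are recorded too: that is the moment a spray yielded a credential."""
    by_ip = defaultdict(list)
    for event in sorted(events):
        by_ip[event[3]].append(event)

    alerts = {}
    for ip, ip_events in by_ip.items():
        failures = [(ts, user) for ts, event_id, user, _ in ip_events if event_id == 4625]
        for i, (start, _) in enumerate(failures):
            users = {user for ts, user in failures[i:] if ts - start <= window}
            if len(users) >= min_users:
                successes = {user for ts, event_id, user, _ in ip_events
                             if event_id == 4624 and ts >= start}
                alerts[ip] = {"failed_users": users, "succeeded_users": successes}
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, detail in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: spray across {sorted(detail['failed_users'])}, "
              f"then success as {sorted(detail['succeeded_users']) or 'nobody'}")
```

The threshold and window are the knobs to tune: a spray of one password over a whole user list looks like many accounts failing once each, which is the opposite of the lockout-policy pattern (one account failing many times) and is why per-account lockout alone does not catch it.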
Knowing the username and password, we can attempt to log in using psexec.py, but this proves unsuccessful as there are no shares writeable by this user.  A bit of searching around, however, turns up a tool called "evil-winrm," which takes advantage of Windows Remote Management running on the earlier-discovered port 5985, provided we have user credentials.  Luckily, we have discovered those credentials.  We can run the following command, which will give us a PowerShell command shell as the user we currently know:

evil-winrm -i 172.31.2.1 -u <username> -p <password>

evil-winrm PowerShell Command Prompt

A simple directory traversal to this user's Desktop gives us our first flag, access.txt.  Use the "more access.txt" command to reveal the hash and submit it on the dashboard.

Access Flag

We can traverse to the other user directories, but we quickly find that those users are privileged and we are unable to access their directories.

Privilege Escalation

As it's become apparent that we have no access to the higher-privileged directories, we need another way in.  A bit of research suggests that "winPEAS" may be a suitable choice, and we need to upload it to the target machine.  We can do this using the upload command inside the evil-winrm prompt:

upload winPEAS.exe

(note you will need to adjust your directory location accordingly)

winPEAS.exe upload

Before we get to work with winPEAS.exe, we first need to prepare it for use in the PowerShell prompt by typing the following:

C:\Users\<usernamehere>\Desktop\winPEAS.exe

(adjust the directory location based on where you uploaded it to)

Once you have prepared winPEAS.exe to be used, you can run it using the following:

. .\winPEAS.exe

The next part can take several minutes to complete.  Once it does, scroll through the information you find.  One part should particularly stand out, as it is labelled "Default Password."  Note this, as we will need it to take control of the system.

Default Password

Armed with this newfound password, we can modify our earlier lookupsid.py loop, replacing lookupsid.py with psexec.py.  Since we aren't sure whether the password belongs to another user, or which one if it does, we can simply insert the new password where the old one was and run it.

for user in $(cat users.txt); do psexec.py SECRET/$user:'<newpassword>'@172.31.2.1; done

We start to get output like we did the first time; however, psexec.py drops us into a command shell as soon as it finds the user the password belongs to.  You can count the number of attempts required and then look back at your username list to determine which user it was.

NT AUTHORITY\SYSTEM Access

We can finally traverse to the Administrator user's Desktop directory and find our hard-earned, shiny system.txt flag.  Capture it, submit the hash on the dashboard, and you have completed the challenge.

system.txt flag

Method #2

Using crackmapexec, we can add the newfound password to our password list and run the user list against it.  This will reveal any valid username and password pairs that exist, using the following command:

crackmapexec smb 172.31.2.1 -u /root/Desktop/users.txt -p /root/Desktop/passes.txt

crackmapexec credentials

We then use psexec.py to gain an elevated command shell on the machine, where we can finish our tasks.  Use the following:

psexec.py <username>:'<password>'@172.31.2.1

psexec login and command shell

nt authority\system

system flag