Greetings everyone and happy Friday!
Welcome back to another walkthrough of a system hosted on the CyberSecLabs platform! The machine we’ll be attacking today is called Secret, so let’s jump right in!
We’ll start off by scanning the host with Nmap:
So we have quite a few ports open here, and a lot to work with! Right off the bat, we should focus on port 445, which is SMB. Let’s start probing that port to see if we can find any additional information.
We’ll start by using a tool called smbclient to enumerate possible shares. We can do this by specifying the “-L” switch:
When prompted for a password, we can simply press enter to see if we can list the shares without providing any credentials. Most of the shares listed look like the standard ones; however, the one called Office_Share seems out of place. Let’s try connecting to it!
We were able to connect to it without providing credentials! Let’s list out anything we can see here with the “ls” command:
Going by the directories that are listed, it looks like we have some usernames to work with! The next step will be to download anything and everything in these directories. The command mget * will download everything in the current directory.
Hmmm! It looks like there was a pretty interesting file that we were able to download from one of the directories! The file is called “Default_Password.txt”, so let’s display its contents!
Beauty! Now we have a password and possible usernames from the directories we found! But what now? Usually in a domain environment, usernames will follow a certain pattern, such as:
- firstname.lastname
- firstinitial.lastname
- firstnamelastname
I did some experimenting here with a pattern that would work in combination with the password we found. For this, I used a tool called “lookupsid”, which brute forces SIDs.
Eventually, I was able to get a return using the “jcakes” username:
Knowing this, we can use the jcakes username and the password we found to connect to the system.
Revisiting our original Nmap scan, one of the ports shown open was port 5985, which is used for Windows Remote Management (WinRM)! It seems pretty probable that we can connect to it! We’ll use a tool called “evil-winrm” to establish the connection!
Perfect! We were able to connect with the jcakes credentials! Let’s grab the Access flag while we’re here:
Now it’s time to escalate our privileges! Let’s upload winPEAS to start enumerating possible priv-esc options:
Now let’s run it!
Scrolling through its output, we find something too good to be true:
Another password! Now we’ll use PsExec to connect with this newly found password. But what account will we use? Well, we already know the username pattern follows the firstinitial.lastname format, so we’ll need to try it out with the original usernames we found alongside this password.
Looks like the “bdover” account worked! Let’s grab that system flag!
Woooo!
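From the blue-team side, every step of the chain above leaves a trace in Windows event logs: the null session and share listing (Security events 4624 for ANONYMOUS LOGON and 5140 for the share access), the username guessing with one password (a burst of 4625 failures from one source followed by a 4624 network logon), the WinRM shell (Microsoft-Windows-WinRM/Operational event 91) and the PsExec service install (System event 7045 for PSEXESVC). The script below is an added example, not part of the original walkthrough, that runs that detection logic over a constructed set of sample event records; the event dictionaries, IP addresses, timestamps and the guessed usernames other than jcakes and bdover are made up for the demonstration, and real logs would need to be mapped onto the same field names first.

```python
"""Detection logic for the attack chain in this walkthrough, run over
constructed sample Windows event records (not logs from the lab host)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The field names are a simplified mapping of the
# real event properties (TargetUserName -> user, LogonType -> logon_type,
# IpAddress -> ip, ShareName -> share, ServiceName/ImagePath -> service/image).
SAMPLE_EVENTS = [
    # Null session: anonymous network logon, then the suspicious share is accessed
    {"time": "2021-06-04T10:00:01", "id": 4624, "user": "ANONYMOUS LOGON", "logon_type": 3, "ip": "10.10.14.5"},
    {"time": "2021-06-04T10:00:02", "id": 5140, "user": "ANONYMOUS LOGON", "share": r"\\*\Office_Share", "ip": "10.10.14.5"},
    # Username guessing with one password: several distinct users fail, then one succeeds
    {"time": "2021-06-04T10:05:10", "id": 4625, "user": "jane.cakes", "ip": "10.10.14.5"},
    {"time": "2021-06-04T10:05:11", "id": 4625, "user": "j.cakes", "ip": "10.10.14.5"},
    {"time": "2021-06-04T10:05:12", "id": 4625, "user": "janecakes", "ip": "10.10.14.5"},
    {"time": "2021-06-04T10:05:13", "id": 4624, "user": "jcakes", "logon_type": 3, "ip": "10.10.14.5"},
    # A single mistyped password from an unrelated host must not trip the detector
    {"time": "2021-06-04T10:07:00", "id": 4625, "user": "bdover", "ip": "10.10.10.21"},
    # WinRM shell creation (Microsoft-Windows-WinRM/Operational event 91)
    {"time": "2021-06-04T10:08:00", "id": 91, "user": "jcakes", "ip": "10.10.14.5"},
    # PsExec-style service install (System log event 7045)
    {"time": "2021-06-04T10:20:00", "id": 7045, "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def null_session_share_access(events):
    """Share accesses (5140) performed by the anonymous account, i.e. a null session."""
    return sorted({(e["ip"], e["share"]) for e in events
                   if e["id"] == 5140 and e.get("user") == "ANONYMOUS LOGON"})


def username_guessing(events, min_users=3, window=timedelta(minutes=5)):
    """Sources that fail (4625) as several distinct usernames inside one window,
    together with any account that source then logged in as over the network."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[e["ip"]].append(e)
    findings = {}
    for ip, fails in failures.items():
        fails.sort(key=_ts)
        users = {f["user"] for f in fails}
        if len(users) < min_users or _ts(fails[-1]) - _ts(fails[0]) > window:
            continue
        succeeded = sorted({e["user"] for e in events
                            if e["id"] == 4624 and e["ip"] == ip
                            and e.get("logon_type") == 3
                            and e["user"] != "ANONYMOUS LOGON"
                            and _ts(e) >= _ts(fails[0])})
        findings[ip] = {"failed_users": sorted(users), "succeeded_as": succeeded}
    return findings


def psexec_service_installs(events):
    """7045 service installs whose service name or binary matches PsExec's PSEXESVC."""
    return [e["image"] for e in events
            if e["id"] == 7045
            and ("PSEXESVC" in e.get("service", "").upper()
                 or "PSEXESVC" in e.get("image", "").upper())]


def winrm_shells(events):
    """WinRM shell creations (event 91), keyed by user -> sorted source IPs."""
    out = defaultdict(set)
    for e in events:
        if e["id"] == 91:
            out[e["user"]].add(e["ip"])
    return {user: sorted(ips) for user, ips in out.items()}


def summarize(events):
    """Run every detector and return the findings as one dictionary."""
    return {
        "null_session_shares": null_session_share_access(events),
        "username_guessing": username_guessing(events),
        "psexec_services": psexec_service_installs(events),
        "winrm_shells": winrm_shells(events),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_EVENTS))
```

Event 5140 only appears when object access auditing for file shares is enabled, and the single failed logon from 10.10.10.21 shows why the guessing detector keys on the number of distinct usernames per source rather than on failures alone: one user fat-fingering a password is noise, one source cycling through name formats with a fixed password is the pattern from this post.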
Thanks for reading!