CyberSecLabs – Unattended

Greetings everyone!

Today, we’ll be attacking a machine called Unattended on a platform called CyberSecLabs! So without further ado, let’s jump right into it!

As always, we’ll start off with our trusty nmap scan!

So we see a few ports open that we can start probing. We may as well start off by checking port 80 and seeing what we can find there! Let’s plug the IP address into a web browser and see what we’re greeted with.

Under “Server Information”, we see it displays HttpFileServer 2.3 (also noted in our nmap scan!). Let’s click on it and see where it brings us.

Interesting! Let’s see if there are any vulnerabilities we can exploit pertaining to Rejetto. Time to fire up Metasploit!

Perfect! We have our exploit selected! But let’s set our options first before we run the exploit:

What we did here was set RHOSTS to our target IP, set LHOST to our tun0 interface, and set LPORT to the port we want our listener to catch the shell on. Time to run the exploit!

It worked! We have a meterpreter shell! Doing a quick “getuid” command shows we are the user named pink, so chances are we’ll have to escalate our privileges to gain root access!

What we’re going to do is run a program called WinPEAS, which is an excellent tool we can run to help us enumerate possible Windows privilege escalation techniques. First we’ll move into the Temp folder and then upload the WinPEAS.exe into the folder.

With the file in place, we can now run it! There is quite a lot in the output returned, but there is something that stands out almost immediately:

Let’s browse to the location of the file:

Opening the file, we see there is something very juicy in it!

Cleartext password! This is perfect as it seems we now have full-blown Administrator credentials! Let’s try connecting with these credentials using a tool called “psexec”:

We were able to connect with those credentials! We can now grab the System flag!

A nice, easy box to kind of get back into the swing of things! I plan on posting more by the way; I’m currently prepping for the PWK through various sites and platforms, so there will be a lot of boxes I plan on exploiting and posting about while I do my preparation!

Thanks for reading!