12/2020
Target IP: 10.10.10.130.
Arkham is a Windows box whose components use well-built security options, undermined by a few well-placed poor configurations. It hosts 2 web servers: an IIS server and an Apache Tomcat server. The Apache server integrates the Java Server Faces (JSF) framework to build its *userSubscribe* page interface. The threat actor obtained the JSF ViewState encryption and hash key from a disk image file that contains the XML configuration file for the Apache server. The acquired key is essential to launch a deserialization attack and spawn a reverse shell under Alfred's privilege. Another backup archive was found in Alfred's /Downloads directory; it stores a Microsoft Office mail folder. Batman's credential was discovered and used to invoke a new reverse shell that grants Batman's privilege on the victim machine. Because user Batman is in the local administrators group, Batman has full access to the SMB C$ share, which holds the root flag.
medium
User: ba659321c89c48a3dcb915bc46d58071
Root: 636783f913109f2809701e8545ef4fdb

Nmap port scan result.

Nmap service scan result.
Discover services:

Examine the web server on port 80.

Examine the web server on port 8080.
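The root cause named in the summary is a JSF ViewState encryption and hash key readable from an XML configuration file that ended up in a disk image. The following defender-side audit is an added example, not part of the original write-up: it parses a web.xml and reports ViewState settings that make such a leak critical. It assumes the Apache MyFaces parameter names (the write-up does not name the JSF implementation); the sample file and key values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not taken from the box). Parameter names are the
# Apache MyFaces ones; that the target runs MyFaces is an assumption.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name><param-value>client</param-value>
  </context-param>
  <context-param>
    <param-name>org.apache.myfaces.SECRET</param-name><param-value>PLACEHOLDER-not-a-real-key</param-value>
  </context-param>
  <context-param>
    <param-name>org.apache.myfaces.MAC_SECRET</param-name><param-value>PLACEHOLDER-not-a-real-key</param-value>
  </context-param>
</web-app>"""

SECRET_PARAMS = {"org.apache.myfaces.SECRET", "org.apache.myfaces.MAC_SECRET"}

def local(tag):
    """Strip the XML namespace so the check works across web.xml versions."""
    return tag.rsplit("}", 1)[-1]

def context_params(xml_text):
    """Return {param-name: param-value} for every <context-param> element."""
    params = {}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "context-param":
            continue
        kv = {local(c.tag): (c.text or "").strip() for c in el}
        if "param-name" in kv:
            params[kv["param-name"]] = kv.get("param-value", "")
    return params

def audit_viewstate(xml_text):
    """List ViewState settings that turn a leaked config file into a key leak."""
    p = context_params(xml_text)
    findings = []
    if p.get("javax.faces.STATE_SAVING_METHOD", "").lower() == "client":
        findings.append("client-side state saving: ViewState integrity rests on the configured keys")
    for name in sorted(SECRET_PARAMS & p.keys()):
        findings.append(f"{name} is hardcoded: every copy of this file (backups, images) discloses it")
    if p.get("org.apache.myfaces.USE_ENCRYPTION", "").lower() == "false":
        findings.append("ViewState encryption is disabled")
    secret = p.get("org.apache.myfaces.SECRET")
    if secret and secret == p.get("org.apache.myfaces.MAC_SECRET"):
        findings.append("encryption key and MAC key are identical")
    return findings
```

Run it over every web.xml found in backup archives and disk images, not only the deployed copy; any key it reports should be rotated and moved out of files that get archived.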