12/2020
Target IP: 10.10.10.104
A Windows machine hosting two applications: an inventory application and a PowerShell access service. The inventory web app is susceptible to an SQL injection vulnerability that allows an attacker to inject OS commands. Make the target machine connect to an SMB service on the attack machine and capture the Net-NTLMv2 hash of the user Stacy. Use Stacy's credentials to connect to the remote PowerShell access web application. Privilege escalation is gained by exploiting CVE-2016-6914. The target is protected by signature-based anti-virus and AppLocker. Switched to Prometheus, a malware written in C++ with a built-in wrapper, instead of a crude msfvenom payload to evade detection.
medium
User: 10C1C275385280605E96ADD808C1A0AD
Root: CF559C6C121F683BF3E56891E80641B1

Nmap port scan result.

Nmap service scan result.
! Discovered services:

Examine the web application on port 443.
! It only shows a picture of a dog.

Brute-forcing more endpoints on this web application with gobuster.

The remote PowerShell access service is at /remote or /Remote.
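As an added defensive example (not part of the original writeup), the detection logic below flags the burst of 404 responses that a gobuster run like the one above leaves in the IIS logs and lists the paths the scanner did find. The IIS W3C-style log lines and the client IPs are constructed for this example.

```python
"""Flag directory enumeration in IIS W3C-style logs and list what it found."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the target): date time method uri status client-ip
SAMPLE_LOG = """\
2020-12-01 10:00:01 GET /index.html 200 10.10.14.5
2020-12-01 10:00:02 GET /admin 404 10.10.14.5
2020-12-01 10:00:02 GET /backup 404 10.10.14.5
2020-12-01 10:00:03 GET /images 404 10.10.14.5
2020-12-01 10:00:03 GET /login 404 10.10.14.5
2020-12-01 10:00:04 GET /remote 200 10.10.14.5
2020-12-01 10:00:04 GET /test 404 10.10.14.5
2020-12-01 10:00:05 GET /Remote 200 10.10.14.5
2020-12-01 10:05:00 GET /dog.jpg 200 10.10.14.9
2020-12-01 10:05:30 GET /favicon.ico 404 10.10.14.9
"""


def parse(line):
    """Split one log line into (timestamp, method, uri, status, client_ip)."""
    date, time, method, uri, status, ip = line.split()
    # IIS paths are case-insensitive (/remote and /Remote are the same app), so normalise
    return datetime.fromisoformat(f"{date} {time}"), method, uri.lower(), int(status), ip


def detect_enumeration(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {ip: {"not_found": peak_404s_in_window, "discovered": [paths with 200]}}
    for every client whose 404 count inside any `window` reaches `threshold`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line and not line.startswith("#"):
            ts, _method, uri, status, ip = parse(line)
            events[ip].append((ts, uri, status))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        misses = [ts for ts, _, st in evs if st == 404]
        start, peak = 0, 0
        for end, ts in enumerate(misses):  # sliding window over 404 timestamps
            while ts - misses[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {
                "not_found": peak,
                "discovered": sorted({uri for _, uri, st in evs if st == 200}),
            }
    return alerts


if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))
```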