SecNotes machine is a vulnerable machine with Windows operating system among retired machines. It is expected to obtain user and root flags using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Full Port Scan
As a result of port scanning, we detected 80/tcp http Microsoft IIS httpd 10.0, 445/tcp Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB), 8808/tcp ssports-bcast ports.
We provide enuemration via port 80
Here we get a login screen where we tried default paros, looked at the source code, looked at the webanalyzer and could not get any valuable information.
We scanned with Gobuster and did not find any noteworthy directories.
We create a user by clicking on the “Sign up now” button
We have created a user named Muhammed and we are logging in with this credential
The remarkable part here is the email@example.com mail part, where we both identify the domain and note that there may be a user named tyler.
Let’s test if this user exists or not.
This is how we get an error when there is an invalid user
This is how we get the error that we are getting a valid user.
Now let’s look at this for the tyler user
Here we understand that there is definitely tyler user, we try default passwords and we did not get any results. We tried a sql injection attack and we were not successful. We connect from the user we created and provide enumeration. Create New Note
Here, there is a common problem with password change mechanisms, which is the inability to verify that the user knows the current password. Password recovery mechanisms also allow users to change their password without knowing the current password, but may require an additional verification step, such as sending the reset request to the email address associated with the username. If a malicious user gets the victim to click on a malicious password change request and the existing password does not need to be verified, they can take control of the account.
Here, let’s try to figure out how we can get the user to make a request
Here, while sending a message to the user, let’s send it to see if it reacts and listen to it with nc.
We write our local ip address on the contact us side and listen with nc.
After sending, we saw that the request came with nc.
The request was made with windowspowershell.
Now here the tyler user is redirected on this form and can click on the link if a malicious password reset request is sent to this user. CSRF tokens would defend against this attack, but they are not implemented in the web application. In Burp, the ” “Change Password” request type is changed from POST to GET and the malicious URL is generated and forwarded.
We convert the port method to get method.
GET /change_pass.php?password=password1&confirm_password=password1&submit=submit HTTP/1.1
We detected that he saw a request here by sending a request to our own machine.
Can I log in immediately?
In user Tyler
we were able to log in successfully with credential information
Here, when we look at the notes, we get credenial information.
tyler : 92g!mA8BGjOirkL%OG*&
We provide smb enumereation using this information.
We have seen the new-site sharing area and we connect to it
Here is the iisstart.htm file, this is the default iss part, now we are looking for the 8808 port that we detected in this nmap.
It’s the same staradnrt login screen to an iis server, let’s test if we can upload files here
We upload a file named Test and see if it is created
Our test.txt file has been created and we are running its content, let’s create a shell oho here and let’s see if it will work.
We created our shell.php file and proceed to the machine
Now let’s go to this shell file
We have obtained a shell here.
This should give us a reveshell, so let’s pass nc to the target machine and then trigger nc from this command screen to get a revershell.
We obtained shell from user secnotes\tyler
Here we got the user flag but not the root flag
Therefore we provide local enumeratio.
We encountered bash in windows and it seemed interesting that bash.exe is running here, let’s see if we can get it to work for us
After typing bash, the root user is accessed but again we cannot access the administrator user
Here we see the /mnt directory
Let’s go here
Here we access the a linux file system
We go to the root directory and continue enumeration
Burada .bash_history dosyasında yönetici kullanıcısının şifresini alıyorum
Gidip smbclient ile bağlanalım.
Here we get the rıt flagi
We have the root flag.
Here we could have obtained it using the psexec impacket tool.