OSCP PREPARATIONS – HTB SecNotes

SecNotes is a retired Hack The Box machine running Windows. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to identify the target machine and its services.
Classic Scan

Full Port Scan

The port scan found 80/tcp (http, Microsoft IIS httpd 10.0), 445/tcp (microsoft-ds, Windows 10 Enterprise 17134, workgroup: HTB) and 8808/tcp (ssports-bcast).
We begin enumeration on port 80.

We land on a login screen. We tried default credentials, inspected the page source and ran a web analyzer on it, but got no useful information.
We scanned with Gobuster and did not find any noteworthy directories.

We create a user by clicking the “Sign up now” button.

We created a user named Muhammed and log in with these credentials.

The notable detail here is the email address tyler@secnotes.htb, which both reveals the domain and suggests that a user named tyler may exist.
Let’s test whether this user exists.
This is the error returned for an invalid username:

And this is the error returned for a valid username:

Now let’s check the tyler user.

This confirms that the tyler user definitely exists. We tried default passwords without success, and an SQL injection attempt was also unsuccessful. We log in with the user we created and continue enumerating.
Create New Note

Change Password

There is a common weakness in password change mechanisms here: the application does not verify that the user knows the current password. Password recovery mechanisms also let users change their password without knowing the current one, but they normally require an additional verification step, such as sending the reset request to the email address associated with the username. If an attacker can get the victim to submit a crafted password change request and the current password is not required, they can take over the account.
Now let’s figure out how we can get the user to make a request.
Contact Us:

Let’s send a message to the user through this form containing a link to our machine and listen with nc to see whether anything reacts to it.
We put our local IP address in the Contact Us form and listen with nc.

After sending the message, we see the request arrive at nc.

The request was made with Windows PowerShell.
So the tyler user follows links submitted through this form and will click on a malicious password change link sent this way. CSRF tokens would defend against this attack, but the web application does not implement them. In Burp, the “Change Password” request method is changed from POST to GET, and the resulting URL is sent to the user.

We convert the POST method to GET.

GET /change_pass.php?password=password1&confirm_password=password1&submit=submit HTTP/1.1

We first pointed the request at our own machine and saw it arrive, confirming that the user does make the request.
Can we log in right away?
tyler:password1
With these credentials we were able to log in successfully as tyler.
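From the defender's side, the forged change_pass.php request above is visible in the IIS access log: a state-changing page hit via GET, with the new password in the query string, no Referer from the site, and a PowerShell user agent. The following detector is an added example written for this write-up, not the machine's or the author's code; the W3C log excerpt it parses is constructed, with placeholder addresses.

```python
"""Flag CSRF-style password changes in an IIS W3C access log (constructed sample)."""

# Constructed IIS log excerpt; column order follows the #Fields line, as IIS writes it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2018-08-19 10:00:01 192.0.2.10 POST /change_pass.php - 80 - 198.51.100.7 Mozilla/5.0 http://secnotes.htb/change_pass.php 302
2018-08-19 10:00:05 192.0.2.10 GET /change_pass.php password=password1&confirm_password=password1&submit=submit 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0)+WindowsPowerShell/5.1 - 302
2018-08-19 10:00:09 192.0.2.10 GET /home.php - 80 - 198.51.100.7 Mozilla/5.0 http://secnotes.htb/login.php 200
"""

SENSITIVE_PARAMS = {"password", "confirm_password", "new_password"}
STATE_CHANGING_PATHS = {"/change_pass.php"}


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()          # IIS encodes spaces inside a field as '+'
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def find_csrf_indicators(text, site_host="secnotes.htb"):
    """Return suspicious hits on state-changing pages with the reasons they were flagged."""
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"] not in STATE_CHANGING_PATHS:
            continue
        query = rec["cs-uri-query"]
        params = {p.split("=", 1)[0] for p in query.split("&")} if query != "-" else set()
        reasons = []
        if rec["cs-method"] == "GET":
            reasons.append("state change via GET")
        if params & SENSITIVE_PARAMS:
            reasons.append("credential in query string")
        # Referer is a weak signal (browsers may strip it), so it only adds to other reasons.
        if site_host not in rec["cs(Referer)"]:
            reasons.append("missing or foreign Referer")
        if reasons:
            hits.append({"time": f'{rec["date"]} {rec["time"]}', "client": rec["c-ip"],
                         "agent": rec["cs(User-Agent)"], "reasons": reasons})
    return hits
```

Only the forged GET is reported; the legitimate POST from the user's own session, with a same-site Referer, produces no reasons.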

Looking at tyler's notes, we find credential information:

tyler : 92g!mA8BGjOirkL%OG*&
We use these credentials for SMB enumeration.

We see the new-site share and connect to it.

It contains the iisstart.htm file, the default IIS page. Now we look at port 8808, which we found in the nmap scan.

It is the same standard IIS default page, so let’s test whether files we put on the share are served here.
We upload a file named test.txt and check whether it is created.

Our test.txt file was created and its content is served, so let’s upload a web shell and see whether it works.
We created our shell.php file and upload it to the machine.

Now let’s browse to the shell file.

We have obtained a shell here.
To turn this into a reverse shell, we transfer nc to the target machine and then run it from this command interface.

We obtained a shell as secnotes\tyler.

This gives us the user flag but not the root flag.

So we move on to local enumeration.

We came across bash on Windows; it is interesting that bash.exe is present here, so let’s see whether we can make use of it.

After typing bash, we are the root user in the Linux environment, but we still cannot access the administrator user.

Here we see the /mnt directory.
Let’s go there.

Here we access a Linux file system.
We go to the root directory and continue enumeration.

Here I get the administrator user's password from the .bash_history file.
Let’s go and connect with smbclient.

Successfully connected.
Here we get the root flag.

We have the root flag.
We could also have obtained it using Impacket’s psexec tool.