Windows

Challenge: Brainstorm This is a room that tests on reverse engineering a chat program to exploit a Windows machine. Recon Nmap: ─$ nmap -sC -sV -Pn 10.10.37.33 Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-22 00:02 EDT Nmap scan report for hi-hormel-wg010.hi.umn.edu (10.10.37.33) Host is up (0.22s latency). Not shown: 997 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_Can't get directory listing: TIMEOUT | ftp-syst: |_ SYST: Windows_NT 3389/tcp open ssl/ms-wbt-server? | rdp-ntlm-info: | Target_Name: BRAINSTORM | NetBIOS_Domain_Name: BRAINSTORM | NetBIOS_Computer_Name: BRAINSTORM | DNS_Domain_Name: brainstorm | DNS_Computer_Name: brainstorm | Product_Version: 6.1.7601 |_ System_Time: 2023-09-22T04:05:48+00:00 | ssl-cert: Subject: commonName=brainstorm | Not valid before: 2023-09-21T03:52:41 |_Not valid after: 2024-03-22T03:52:41 |_ssl-date: 2023-09-22T04:06:19+00:00; +1s from scanner time. 9999/tcp open abyss? Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 216.80 seconds First thing I noticed was Port 21 ftp was open with the anonymous FTP login enabled. I checked it out by running ftp 10.10.37.33 with the name anonymous. ...

Challenge: Relevant Recon NMAP I was not able to find any clues from the initial Nmap scans and other tools that I used. So I looked up the official writeup, and the author suggests to run a scan that detects the open ports and then run more focused Nmap scan on them. He created a tool threader3000 and I decided to give it a try. The result showed that port 80, 139, 135, 445, 3389, 5985, 49663, 49666, and 49668. And these 40,000s are commonly used for backend operations within virtual environments such as AWS. ...

Challenge: HackPark In this box, it introduces Hydra, RCE & WinPEAS tools/techniques to exploit a Windows System. Recon NMAP nmap -sC -sV -O -sT 10.10.170.188 Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-20 18:27 UTC Nmap scan report for ip-10-10-170-188.eu-west-1.compute.internal (10.10.170.188) Host is up (0.00068s latency). Not shown: 998 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) | http-robots.txt: 6 disallowed entries | /Account/*.* /search /search.aspx /error404.aspx |_/archive /archive.aspx |_http-server-header: Microsoft-IIS/8.5 |_http-title: hackpark | hackpark amusements | http-methods: |_ Potentially risky methods: TRACE 3389/tcp open ssl/ms-wbt-server? |_ssl-date: 2023-06-20T18:28:29+00:00; 0s from scanner time. | ssl-cert: Subject: commonName=hackpark | Not valid before: 2023-06-19T18:14:25 |_Not valid after: 2023-12-19T18:14:25 | rdp-ntlm-info: | Target_Name: HACKPARK | NetBIOS_Domain_Name: HACKPARK | NetBIOS_Computer_Name: HACKPARK | DNS_Domain_Name: hackpark | DNS_Computer_Name: hackpark | Product_Version: 6.3.9600 |_ System_Time: 2023-06-20T18:28:24+00:00 MAC Address: 02:51:BA:0B:1C:1B (Unknown) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2012 (89%) OS CPE: cpe:/o:microsoft:windows_server_2012:r2 Aggressive OS guesses: Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 (87%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 79.85 seconds Port 80 runs Microsoft HTTPAPI httpd 2.0. Also, port 3389 indicates that once we get the cred to get onto the target machine we can remotely access it by using xfreerdp or rdesktop. ...

Challenge: Alfred This box is about exploiting Jenkins (misconfiguration). Jenkins is an open source continuous integration/continuous delivery and deployment (CI/CD) automation software DevOps tool written in the Java programming language. This tool is used to implement CI/CD workflows, called pipelines. This box introduces a tool called Nishang which is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. ...

Challenge: Blue There wasn’t a description, so I ran nmap on the IP address that I was given: PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP) 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49156/tcp open msrpc Microsoft Windows RPC 49157/tcp open msrpc Microsoft Windows RPC Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-time: | date: 2023-04-30T01:23:49 |_ start_date: 2023-04-30T01:19:21 | smb2-security-mode: | 210: |_ Message signing enabled but not required | smb-os-discovery: | OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1) | OS CPE: cpe:/o:microsoft:windows_7::sp1:professional | Computer name: haris-PC | NetBIOS computer name: HARIS-PC\x00 | Workgroup: WORKGROUP\x00 |_ System time: 2023-04-30T02:23:51+01:00 |_clock-skew: mean: -19m03s, deviation: 34m35s, median: 54s Port 135 was open, so I googled if there were any exploits regarding the msrpc service. I was able to find this article. ...