This is a black-box penetration testing challenge.

We begin with an nmap scan of the target, find several SMB shares, and therefore use nmap's smb-enum-shares script.

We use smbmap to list all the shares and their permissions; here nt4wrksv has read and write permissions.

Using smbclient we connect to nt4wrksv (leave the password blank).

We find a password file whose contents we recognise as base64 encoded, since base64 usually ends with = or == and contains only A-Z, a-z and digits.

We decode it online.

We find two usernames, Bill and Bob, and their passwords.
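As an added example (not part of the original walkthrough), the base64 heuristic above and the decoding step done locally in Python rather than in an online decoder, so recovered credentials never leave the analyst's machine; the sample file and its usernames and passwords are constructed here, not the room's real values.

```python
import base64
import binascii
import re
from typing import Dict, Optional

# Heuristic from the walkthrough: base64 uses only A-Z, a-z, 0-9 (plus + and /)
# and is normally padded with "=" or "==" to a multiple of four characters.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Lines of the form "user:password" or "user - password"; header lines are skipped.
_CRED_RE = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?::| - )\s*(\S+)\s*$")

# Constructed sample: a base64-encoded password file with placeholder secrets
# (these are NOT the room's real credentials).
SAMPLE_FILE = base64.b64encode(
    b"[User Passwords - Encoded]\nBob:ConstructedPass1\nBill:ConstructedPass2\n"
).decode("ascii")


def looks_base64(text: str) -> bool:
    """True if text (ignoring line breaks) matches the base64 alphabet and padding.
    Caveat: some encoders strip the trailing "=", so a length that is not a
    multiple of four is not proof that the data is not base64."""
    s = "".join(text.split())
    return len(s) % 4 == 0 and _B64_RE.fullmatch(s) is not None


def decode_locally(text: str) -> Optional[str]:
    """Decode base64 offline; returns None if the data is not valid base64 or
    does not decode to readable text. Nothing is sent to an online decoder."""
    if not looks_base64(text):
        return None
    try:
        decoded = base64.b64decode("".join(text.split()), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
        return decoded
    return None


def extract_credentials(decoded: str) -> Dict[str, str]:
    """Pull username/password pairs out of the decoded file contents."""
    creds: Dict[str, str] = {}
    for line in decoded.splitlines():
        m = _CRED_RE.match(line)
        if m:
            creds[m.group(1)] = m.group(2)
    return creds
```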

Something I had missed was scanning all ports with nmap's -p- option; doing so, we quickly notice port 49663 open with an HTTP service running on it. Navigating to that web page, we see the same Microsoft IIS server running.

Since we have two web servers running (on ports 80 and 49663), we can enumerate directories on both. I suggest dirsearch as it is pretty fast. Also make sure the wordlist you use is directory-list-2.3-medium.txt (the location has been given below). This takes a long 15–20 minutes, but you will find a hidden directory.

We find a directory called nt4wrksv, which is actually the SMB share (and I hope you remember it has read and write permissions).

We can see the contents of the passwords.txt file inside nt4wrksv.

Since we have read and write permissions, why not try uploading a reverse shell and getting a connection?

Using smbclient we connect to the nt4wrksv share and use the put command to upload a test text file called hello.txt containing “hi”,

and yes, we can access it in the browser by visiting the right path.

Before we upload our reverse shell to the SMB share, let's do some more enumeration and try other possibilities, since we have two usernames and passwords (Bill and Bob). We can run psexec with the credentials of Bill and Bob and try to get a shell. Although you can download it from GitHub, it is installed by default in Kali.

Here is the location of psexec.py; the usage is:

python3 psexec.py username:'password'@ip

We first try with Bob's credentials; it doesn't work, but we do learn that Bob is a legitimate user on the system.

When we try the same with Bill, we get an error: there is no such user as Bill. This is a fake user made by the creator of this room as a distraction.

Since port 3389 (RDP, remote desktop) is also open, we can try connecting to the target with it, but it fails.

Since we are out of luck there, we continue and generate our shell with msfvenom, naming it shell.aspx (we use the aspx extension since it is a Windows web server).

Now connect to the share and upload the payload using the put command.

NOTE: From here on, due to some bug I was getting an error while connecting to the SMB share and was unable to reboot the machine or ping it even after changing my VPN connection. Therefore I am sharing the solution from the writeup of the creator of this room (The Mayor).

Exploitation

Having determined that we have read and write permissions to the web directory linked through the SMB share, we can craft a reverse shell payload to connect to the machine. Knowing that IIS generally requires an aspx shell, we craft one with msfvenom. Seeing that the machine is running Server 2016, we should use an x64 architecture. We upload the payload to the SMB share, start a netcat listener on the port that we declared in the payload, and use curl to execute the command.

Now that we have shell access we can use the whoami /priv command to check our user privileges. We see that we have SeImpersonate privileges, which can commonly be used to escalate using a potato attack, or with incognito if impersonation tokens exist. However, DCOM is disabled on this server which prevents potato attacks, and there are no tokens to impersonate.

There is a newer exploit that came about several months ago called Printspoofer that exploits a vulnerability in Windows where certain service accounts are required to run with elevated privileges utilizing the SeImpersonate privilege. (DOWNLOAD LINK: )

We see that we are the iis apppool\defaultapppool service account user, which should allow us to elevate using the Printspoofer exploit.

Using the SMB share, we can upload the Printspoofer exploit to the machine, navigate to the C:/inetpub/wwwroot/nt4wrksv directory, and locate it.

Printspoofer.exe uploaded

Having uploaded the exploit we can run it with basic flags to execute it and elevate our privileges to the system user.

Printspoofer exploit with escalated privileges

We can then navigate to the user directories to secure the user and root flags to complete the challenge.

User and Root flags
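As an added example (not from the original walkthrough or The Mayor's writeup), a small Python parser for whoami /priv output that automates the privilege check described in the exploitation steps above, flagging an enabled SeImpersonatePrivilege so an auditor can spot service accounts exposed to this escalation path; the sample output is constructed to mirror the state described.

```python
import re
from typing import Dict, List

# Constructed sample of `whoami /priv` output for an IIS application pool
# identity, mirroring the state the writeup describes (SeImpersonatePrivilege
# enabled). It is not captured from the room's machine.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One table row: privilege name, free-text description, then Enabled/Disabled.
_ROW_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")

# Privilege the writeup shows being abused by PrintSpoofer.
IMPERSONATION_PRIVS = ("SeImpersonatePrivilege",)


def parse_whoami_priv(output: str) -> Dict[str, bool]:
    """Map each privilege name in `whoami /priv` output to True if it is Enabled."""
    privs: Dict[str, bool] = {}
    for line in output.splitlines():
        m = _ROW_RE.match(line)
        if m:
            privs[m.group(1)] = m.group(2) == "Enabled"
    return privs


def impersonation_risk(output: str) -> List[str]:
    """Return the impersonation privileges that are Enabled for this account."""
    privs = parse_whoami_priv(output)
    return [p for p in IMPERSONATION_PRIVS if privs.get(p)]
```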

This room shows the importance of scanning all ports during the nmap scan and of enumerating all directories. We also learnt about the PrintSpoofer exploit, which we can run if SeImpersonatePrivilege is enabled. I hope you learned from this walkthrough. -ZEUS

I am a penetration tester, currently pursuing OSCP, skilled in network pentesting and developing hacking tools using Python. I share my knowledge on YouTube.