Machine Name: Bastion
Starting with the Nmap scan, I got the following results:
As per the Nmap scan result, SMB was discovered, which could be logged into as guest. So I tried to check the directories and found a Backups folder.
I browsed inside the Backups folder and found 2 vhd files. One of them was very huge in size around 5GB.
Virtual hard disk (VHD) is a disk image file format for storing the complete contents of a hard drive. The disk image, sometimes called a virtual machine, replicates an existing hard drive and includes all data and structural elements. It can be stored anywhere the physical host can access.
I searched about vhd files and found some useful information on how to use them or open them.
I had Linux installed on my system, and this was a Windows machine, so I was facing problems mounting the VHD on my system.
I decided to complete this machine on Windows OS itself and installed Windows on VirtualBox.
I mounted the drive into my Windows VM successfully.
Then I opened the vhd file using 7-Zip and was able to read all the contents inside it. I couldn't find anything useful as such, so I downloaded the SAM and SYSTEM files to my system.
I searched on Google for how to crack the SAM files to get the passwords from them and found a tool for Windows, Pwdump: http://www.tarasco.org/security/pwdump_7/index.html
I used the tool and was able to get the password hashes. Now I had to crack these hashes to get the passwords in plain text.
I found an online password hash cracker and it easily gave me the password in clear text.
I tried another hash but it gave me no result maybe because it wasn’t a proper valid hash.
Using the password, I was able to log in through SSH.
So finally, I got the user shell now!
I looked for installed programs on the system and found mRemote was the only software installed in the program files directory.
I had no idea what this software was about, as I had never heard of it before, so I searched for some common vulnerabilities in this program and found this article:
Using the method provided in the article I could view the stored passwords. And to do this I had to download the config file, in which the passwords and other details are saved.
I installed the mRemote software in my Windows VM, followed the article step-by-step, and it gave me the password.
According to the stored credentials, DC was the username, but it didn't work when I tried to log in using SSH. I already had the user, so root was left, so I tried Administrator as the username, which successfully logged me in as the root user, and finally I got the root flag!
Starting with the Nmap scan, I discovered port 80 open.
So I went ahead and browsed through the webpage and found a website related to education but nothing useful here.
While looking at the source code of the web pages, I noticed something suspicious with the image file so I downloaded it.
When I viewed the image file on my terminal, it gave me some message like this:
So we have the password now, but its last character is missing. I used Burp Intruder to brute-force the password with all possible characters at the end and found the correct password to be: Th4C00lTheacha#
As mentioned in the message, the Username should be Giovanni.
Moving forward now…
I started the recursive directory buster and found the moodle directory along with the config file, which contained the database password and the database name. I was able to log in to Moodle using the password from the message hidden inside the image.
So, I have one more credential which I can use later maybe.
Now, I searched for some Moodle exploits and found one RCE vulnerability exploit which I could use here.
As the exploit says, we need to add a question and the payload is injected in the answer field.
Here we go with the payload injection.
And I got the reverse shell!
As I already had the database name and password, I logged into MariaDB!
After successfully logging into the database, I searched for the username and password tables and found some credentials. There were 2 users under the name Giovanni, and one seemed to be a backup user.
I searched for the password hashes and was able to crack one of them easily, which belonged to the user Giovannibak. The cracked hash gave me the password: expelled.
Then I was successful in logging in as a user with the credentials and got the user flag.
Moving forward to root now.
Now I could edit the shadow file directly.
So let's change the root hash to the user hash.
Finally, I was able to access the root user with the same password as the user.
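From the defender's side, the condition exploited above (a writable shadow file, and root ending up with the same hash as a low-privilege user) is easy to audit. The following check is an added example, not part of the original write-up; the shadow contents and file mode it runs on are constructed samples, and the hash values are placeholders.

```python
import stat
from collections import defaultdict

# Constructed sample shadow file (placeholder hashes): root's entry carries
# the same salted hash as giovanni's, i.e. the state after the edit above.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASHAAAA:17924:0:99999:7:::
daemon:*:17924:0:99999:7:::
giovanni:$6$saltsalt$PLACEHOLDERHASHAAAA:17924:0:99999:7:::
backup:!:17924:0:99999:7:::
"""


def parse_shadow(text):
    """Return {user: hash_field} for every well-formed 9-field shadow line."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 9 and fields[0]:
            entries[fields[0]] = fields[1]
    return entries


def shared_hashes(entries):
    """Group accounts whose usable hash fields are byte-identical.

    crypt(3) hashes embed their salt, so two identical fields mean the same
    password, not merely a coincidence. Locked ('*', '!') and empty fields
    are ignored because they never authenticate.
    """
    groups = defaultdict(list)
    for user, h in entries.items():
        if h.startswith("$"):
            groups[h].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def check_shadow(text, mode, owner_uid=0):
    """Return audit findings for shadow contents plus its stat mode/owner."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("shadow is group/world writable")
    if mode & stat.S_IROTH:
        findings.append("shadow is world readable")
    if owner_uid != 0:
        findings.append("shadow is not owned by root")
    for users in shared_hashes(parse_shadow(text)):
        others = ", ".join(u for u in users if u != "root")
        if "root" in users:
            findings.append("root shares its password hash with: " + others)
        else:
            findings.append("accounts share a password hash: " + ", ".join(users))
    return findings


if __name__ == "__main__":
    # 0o666 stands in for the world-writable mode that made the edit possible.
    for finding in check_shadow(SAMPLE_SHADOW, 0o666):
        print("FINDING:", finding)
```

On a live host, pass `open("/etc/shadow").read()` together with `os.stat("/etc/shadow").st_mode` and `.st_uid`; a clean system returns an empty list.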
Machine Name: Netmon
Netmon is one of the easiest Windows machines. It comes with PRTG Network Monitor installed, which is vulnerable, and we need to find the exploit for its version to get root permissions.
Let’s start with Nmap first! I have completed the scan and the results are below:
As we can see, port 21 is open with anonymous login allowed.
Port 80 is open, running PRTG Network Monitor, but we need to find credentials to get access to the PRTG panel. So let's find out!
I saw FTP was open with anonymous login. Let’s enumerate it now!
I logged in to FTP using anonymous:anonymous as user:pass and found all the directories listed there.
I browsed to the Public folder and found the user flag. Piece of cake, isn't it? 😀
Now, I needed to find a way to log in to the PRTG panel. So I searched for the default user:pass used in PRTG Monitors and found some juicy information on a Reddit thread which really helped. As mentioned in the thread, I browsed for the directory which stored old config files, but I couldn't find anything while browsing via FTP, as all those directories were hidden. So, I copied the complete path shown in the Reddit post and was easily able to download those config files. Reddit source: https://www.reddit.com/r/sysadmin/comments/835dai/prtg_exposes_domain_accounts_and_passwords_in/
I opened the config file in Notepad and found the credentials to log in to the PRTG panel. Though there was a slight change in the password, I was luckily able to guess the correct one. PrTg@dmin2018 was the password I found in the config file, and the correct password was PrTg@dmin2019.
As soon as I got in, I checked the version of PRTG and searched for the exploit if there was any.
And I found an exploit here which was quite easy!
Exploit link: https://github.com/wildkindcc/CVE-2018-9276
Running the python exploit:
Voila! The exploit was successful and I got the root permissions.
Let’s finish this and collect the root flag!