- Philipp R. Proksch
This room will feature a Mr. Robot themed Windows machine, that you have to enumerate and gain initial access with Metasploit. After that use a Powershell script to further enumerate the machine and escalate your privileges to Administrator.
Task 1: Intruduction
Who is the employee of the month?
- Bill Harper
We get presented a blank page with the company logo and a picture.
After checking the page source (STRG + U), we see that the picture is named "BillHarper.png", this could possibly be the name of the employee.
Using Googles reverse image search, we can confirm that the name we are looking for is "Bill Harper".
Task 2: Initial Access
Scan the machine with nmap. What is the other port running a web server on?
Running an NMAP scan to find open ports (-p-), service versions (-sV) and saving it to a file (| tee), so we can check it later if we need to. We can see that it's a Windows maschine running another web server on port 8080.
nmap 10.10.237.146 -sV -p- | tee nmap_initial.txt
Take a look at the other web server. What file server is running?
- Rejetto HTTP File Server
When visiting the webiste we just found, we get presented an oldshool file server overlay, stating the server information in the bottom left corner.
What is the CVE number to exploit this file server?
Searching exploid-db we find a Remote Command Execution script using Metasploid.
Use Metasploit to get an initial shell. What is the user flag?
Since we now know what exploit we want to use, fire up Metasploit (msfconsole) and search for it (search 2014-6287) and load it (use 0). After that we need to find out what options we have to set (options).
Now set the variables we need to fill in.
set RHOSTS 10.10.237.146
set RPORT 8080
Execute! We got ourselfes a nice and cozy meterpreter shell on the target.
Next we are searching for the user.txt flag. Change into the user directory, to Bill and then to the Desktop. Here we got our first flag, use cat to print it out.
meterpreter> cat user.txt
Task 3: Privilege Escalation
What is the name of the service which shows up as an unquoted service path vulnerability?
Now we are downloading the PowerUp.ps1 script that is given to us here to our maschine using a secound command line window and upload it to the target with meterpreter (upload).
meterpreter> upload /PowerUp.ps1
That's it, we got root access.