That is... a lot. The theme of this box is clearly patience and enumeration. There are a ton of rabbit holes we could go down to start, but it looks like
8080 are serving HTTP, so let's start by scanning there. I usually start with dirb since it's quick and dirty, and we can always bust out the bigger guns / bigger lists if need be.
Unfortunately, this is one of those cases.
8080 comes back with some basic CMS-y stuff, but not much else. Some lightweight manual testing suggests there's no SQLi here, and OrchardCMS looks up to date, so that looks like a dead end. Make a note to review the Orchard source code if we can't find anything else, and bust out some bigger scans with gobuster and a larger list, like
While that runs, we can look at some of the other open ports. There is definitely some interesting stuff, especially the exposed Active Directory, Kerberos, and MSSQL Server:
Nothing useful pops out from the Active Directory search, but Kerberos brought back a few interesting leads. Why don't you go read up on them? I'll wait here.
It looks like our scans are done, and this time a super suspicious directory pops out at us: secure_notes on port 1337, which has two files:
web.config just leads to a
dev_notes talks about database setup, and something is definitely strange about that file name. Yup, it's base64:
And that looks a lot like hex:
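Stacked encodings like this (base64 wrapped around hex) are a common way of lightly obscuring a secret in a file name, comment or config value, and anyone reviewing leaked notes or a suspicious artifact wants to peel them off systematically rather than by eye. The Python below is an added example, not code from the original post; it tries hex before base64 (since every hex string is also valid base64) and stops once the result no longer looks encoded. The sample value is constructed for the example and is not the value from the box.

```python
import base64
import binascii
import re
import string

# Constructed sample, NOT the value from the box: the made-up plaintext
# "s3cr3t-db-pa55" hex-encoded, then base64-encoded, mimicking the
# dev_notes file-name trick.
SAMPLE = base64.b64encode("s3cr3t-db-pa55".encode().hex().encode()).decode()

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def looks_printable(data: bytes) -> bool:
    """True if every byte is printable ASCII; binary output means a wrong guess."""
    return all(chr(b) in string.printable for b in data)


def peel_layer(token: str):
    """Attempt one decoding step. Return (layer_name, decoded_text) or None."""
    s = token.strip()
    # Hex is checked first: a hex string is also syntactically valid base64,
    # so checking base64 first would silently mis-decode it.
    if HEX_RE.match(s) and len(s) % 2 == 0:
        try:
            out = bytes.fromhex(s)
            if looks_printable(out):
                return "hex", out.decode()
        except ValueError:
            pass
    if BASE64_RE.match(s) and len(s) % 4 == 0:
        try:
            out = base64.b64decode(s, validate=True)
            if looks_printable(out):
                return "base64", out.decode()
        except (binascii.Error, ValueError):
            pass
    return None


def unwrap(token: str, max_layers: int = 8):
    """Peel base64/hex layers until the value stops looking encoded.

    Returns (list_of_layer_names_outermost_first, final_text).
    """
    layers = []
    current = token
    for _ in range(max_layers):
        step = peel_layer(current)
        if step is None:
            break
        name, decoded = step
        layers.append(name)
        current = decoded
    return layers, current


if __name__ == "__main__":
    found, plain = unwrap(SAMPLE)
    print(f"layers: {found} -> {plain!r}")
```

The printable check is a heuristic: a short plaintext that happens to be all hex digits, or all base64 alphabet with a length divisible by four, can occasionally be "decoded" one step too far, so treat the reported layer list as a lead to confirm against the surrounding context rather than as proof.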
Hmm, I wonder what this is for? With this password and the username (it's in the dev_notes file), you can either connect to the database and poke around manually, or use something like sqlmap to pull down the contents. Whichever you prefer, you'll come out with another username and password, and a quick test with rpcclient should confirm they work. SANS has a great article on some of the fun things you can do with
From here, it's time to get box access / escalate. Did you do your research on some of our possible options? If you did, you saw that both
MS16-014 seem a little far-fetched, as they require running applications on the host, which is something we can't do yet.
MS14-068 looks super interesting, however, since it could elevate our privileges to DA and get us full access to the SMB shares (did you notice that was running on 445? You should connect via smbclient as james and poke around to see what exists and what he has access to).
One of my favorite tools for working with Windows and its various networking protocols is impacket, and it has a great script for exploiting MS14-068. This is brain-dead simple, so I'll leave the rest as an exercise to the reader, but if you have any trouble, remember that you need all of the appropriate hostnames to resolve.