Tryhackme — Relevant (Windows) (Blackbox)

Lance Lai
Oct 30, 2020
Relevant

We began by scanning the machine with the AutoRecon tool.

Nmap result (screenshot of AutoRecon's _full_tcp_nmap.txt)

Based on the Nmap smb-os-discovery script output, the target is running Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3).

We first begin with SMB enumeration on ports 139 and 445.

Using smbclient, we listed the following shares:

ADMIN$
C$
IPC$
nt4wrksv

We then enumerated the nt4wrksv share first, since its name looks the most unusual, and found that it contains only one file, passwords.txt. The file holds base64-encoded usernames and passwords; decoding it gives us 2 users and their passwords.

passwords.txt in the nt4wrksv share (screenshot)

Next we enumerated HTTP on port 80, which the Nmap result shows is running Microsoft-IIS/10.0.

Nothing was found there. We then realized there is another HTTP service on port 49663 and quickly started gobuster against it.

gobuster found an nt4wrksv directory, the same name as the SMB share. To check whether the two are linked, we created a file in the share and requested it over HTTP; the file was served, which confirms that the share and the web directory point at the same folder.
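The root cause behind this step is an SMB share that anyone can write to and that IIS also serves, so an uploaded file becomes a web-reachable file. The following audit script is an added example written for the defender's side; it is not part of the original write-up and not from the TryHackMe room. It assumes it is run as an administrator on the IIS host with the SmbShare and WebAdministration modules available, and the list of "broad" principals is an assumption you should adjust to the environment.

```powershell
# Added example (not from the original write-up): find SMB shares that are both
# writable by broad principals and served by an IIS site or virtual directory.
# Assumes: run as administrator on the IIS host; SmbShare and WebAdministration
# modules present (Windows Server 2012+ with IIS installed).
Import-Module WebAdministration -ErrorAction Stop

# Principals whose write access is treated as "anyone can upload" (assumption; extend as needed).
$broadPrincipals = @(
    'Everyone', 'ANONYMOUS LOGON', 'NT AUTHORITY\ANONYMOUS LOGON',
    'Authenticated Users', 'NT AUTHORITY\Authenticated Users',
    'Users', 'BUILTIN\Users'
)

function Get-IisPhysicalPaths {
    # Every site root plus every virtual directory of the site's root application.
    $paths = @()
    foreach ($site in Get-Website) {
        $paths += [pscustomobject]@{
            Served = $site.Name
            Path   = [Environment]::ExpandEnvironmentVariables($site.PhysicalPath)
        }
        foreach ($vdir in Get-WebVirtualDirectory -Site $site.Name) {
            $paths += [pscustomobject]@{
                Served = "$($site.Name)$($vdir.Path)"
                Path   = [Environment]::ExpandEnvironmentVariables($vdir.PhysicalPath)
            }
        }
    }
    return $paths
}

function Test-PathOverlap([string]$sharePath, [string]$webPath) {
    # True when one folder is the other or lies inside it (case-insensitive).
    $s = $sharePath.TrimEnd('\').ToLowerInvariant()
    $w = $webPath.TrimEnd('\').ToLowerInvariant()
    return ($s -eq $w) -or $s.StartsWith($w + '\') -or $w.StartsWith($s + '\')
}

function Get-BroadShareWriters([string]$shareName) {
    # Share-level ACL entries that let a broad principal create files (Change or Full).
    Get-SmbShareAccess -Name $shareName |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.AccessRight -in 'Change', 'Full' -and
                       ($broadPrincipals -contains $_.AccountName) } |
        ForEach-Object { $_.AccountName }
}

function Get-BroadNtfsWriters([string]$path) {
    # NTFS ACL entries granting WriteData (create files) to a broad principal.
    (Get-Acl -Path $path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($broadPrincipals -contains $_.IdentityReference.Value) -and
                       ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::WriteData) } |
        ForEach-Object { $_.IdentityReference.Value }
}

$webPaths = Get-IisPhysicalPaths
foreach ($share in Get-SmbShare | Where-Object { $_.Path }) {
    # Effective write access needs both the share ACL and the NTFS ACL to allow it.
    $shareWriters = @(Get-BroadShareWriters $share.Name)
    if ($shareWriters.Count -eq 0) { continue }
    $ntfsWriters = @(Get-BroadNtfsWriters $share.Path)
    if ($ntfsWriters.Count -eq 0) { continue }
    foreach ($web in $webPaths) {
        if (Test-PathOverlap $share.Path $web.Path) {
            [pscustomobject]@{
                Share        = $share.Name
                SharePath    = $share.Path
                ShareWriters = ($shareWriters -join ', ')
                NtfsWriters  = ($ntfsWriters -join ', ')
                ServedBy     = $web.Served
                WebRoot      = $web.Path
            }
        }
    }
}
```

Any row this prints is a folder where an unauthenticated or low-privileged user can drop a file that IIS will then serve. The fix is to remove the broad write access from the share or NTFS ACL, or, if uploads into that folder are a requirement, to make IIS treat it as static content only so uploaded script files are never executed.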

Initial Access

The initial access steps are as follows:

1. Upload a Kali built-in web shell through SMB.
2. Test the web shell on web port 49963.
3. Start a simple HTTP server and execute a netcat download from the web shell (or a reverse shell directly).
4. Start a listener and run netcat to gain a reverse shell.

Privilege Escalation

After gaining access to the system, we found that SeImpersonatePrivilege is enabled by running the ‘whoami /priv’ command. This is a common weakness and can be exploited with the JuicyPotato tool; however, in our attempts it failed. We then found that there is a newer exploit called PrintSpoofer, and this time the exploit succeeded and we gained root. The steps are as simple as:

1. Upload PrintSpoofer.exe to the victim machine.
2. Run this command: PrintSpoofer.exe -i -c powershell

Why can this happen?

The enabled privilege is very powerful because it allows us to run code, or even create a new process, in the security context of another user: by calling CreateProcessAsUser() when SeAssignPrimaryTokenPrivilege is held, or CreateProcessWithToken() when SeImpersonatePrivilege is held.
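Because these two privileges are effectively equivalent to SYSTEM for anyone who can run code under an account that holds them, an administrator should know exactly which accounts the local security policy grants them to. The following script is an added example for that review; it is not part of the original write-up and not from the TryHackMe room. It assumes it is run as an administrator on the Windows host and uses the built-in secedit tool to export the user-rights section of the local policy.

```powershell
# Added example (not from the original write-up): list which accounts the local
# security policy grants the two token privileges named above.
# Assumes: run as administrator; secedit.exe is present (built into Windows).
$privilegesOfInterest = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'

function Convert-SidToName([string]$sidString) {
    # Resolve a SID string such as S-1-5-20 to an account name; keep the raw SID if it cannot be resolved.
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $sidString
    }
}

function Get-PrivilegeHolders {
    # Export only the user-rights area of the local security policy to a temporary INF file.
    $inf = Join-Path $env:TEMP ('secpol_{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $lines = Get-Content -Path $inf
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }

    # Lines in the [Privilege Rights] section look like:
    #   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
    # A leading '*' marks a SID; entries without it are already account names.
    $result = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            if ($privilegesOfInterest -contains $name) {
                $holders = $Matches[2].Split(',') |
                    ForEach-Object { $_.Trim() } |
                    Where-Object { $_ } |
                    ForEach-Object {
                        if ($_.StartsWith('*')) { Convert-SidToName $_.Substring(1) } else { $_ }
                    }
                $result[$name] = @($holders)
            }
        }
    }
    return $result
}

$holders = Get-PrivilegeHolders
foreach ($priv in $privilegesOfInterest) {
    '{0}: {1}' -f $priv, (($holders[$priv] | Sort-Object) -join ', ')
}
```

On a default installation these privileges are held by Administrators and the built-in service accounts (LOCAL SERVICE, NETWORK SERVICE, SERVICE), and on an IIS host the IIS_IUSRS group typically appears as well; these entries are there by design and removing them breaks services that need to impersonate clients. The value of the review is in spotting additional accounts that have been granted the right, and in recognising that any web application, scheduled task or service running as one of the listed accounts must be treated as a SYSTEM-equivalent asset, which is why a web root writable by anonymous users, as in this machine, is so serious.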
