How to pwn cybertalents remote machine
Writeup for "remote" Machine
Hi there! today we well pwn “remote” machine on CyberTalents :
In the beginning, I want to inform you that you can pwn this machine in a very simple way using Metasploit but in this writeup, we will use a more difficult way to pwn it.
Now Let’s Start ..
Enumeration :
The scan told us there is http service at port 1337, let’s take a look
As we saw in the scan and on the site, the site is running on a HttpFileServer 2.3
so let’s search for exploit :
Let’s first know simply what is the affected part and how it can be exploited :
The infected parameter is the search parameter. If we type %00{.exec|cmd.} in the search box, the cmd will open in the target machine.
The exec command is part of the infected software, there are save, read , write, and many other commands
For more : https://nvd.nist.gov/vuln/detail/CVE-2014-6287#vulnCurrentDescriptionTitle
so to get reverse shell we need to upload netcat to the victim machine and then execute it
and we well use the previous script to helping us
now let’s copy this script to our machine directory to edit it :
1
searchsploit -m windows/remote/39161.py
then let’s take a look on the script to know how it works …
1
gedit 39161.py
After two minutes of analysis I’ve understood what Script do :
1
2
3
4
The script contains three main functions
One to save a subscript that downloads netcat
And one for executing this subscript
And the third is to run the netcat
To implement these three functions ,We have to do three things
First, we modify ngrok to help us do the second and third steps
1
2
We need to add some modification to ngrok to make it running multiple simultaneous tunnels, one for HTTP and one for TCP
To see how we can do this: https://stackoverflow.com/questions/25522360/ngrok-configure-multiple-port-in-same-domain
- This is my config
Second, we create a web server and upload the netcat on it
- We will use
python -m SimpleHTTPServer {port-num} - But you should use this command in the nc.exe directory , you can find nc.exe and many useful tools in usr/share/windows-resources/binaries
Third, we need to run ngrok
- In this situation, we will run ngrok with this command
1
./ngrok start --all
Now let’s edit the python script
first, we need to change ip_addr variable to the HTTP web server URL that ngrok gave us
second , we need to change ip_addr in vbs3 variable to the TCP link that ngrok gave us
Third , we need to change the local_port variable to the port of the TCP link that ngrok gave us.
Final look
Exploit
It works ! And we get reverse shell
Post Exploitation
I tried to put the flag as written but it was wrong
I searched for about 10 minutes until I found a folder called mRemoteNG In C:\Program Files (x86)
I googled that name and found that it is a program that allows you to view all of your remote connections in a simple yet powerful tabbed interface.
Now we need to know what version of the software we have installed to search for an exploit
to do that we have two step
first , Run WMIC
Type wmic and press Enter.Second , Pull list of installed applications
At the wmic:root\cli> prompt, type the following command:1
/node:TargetComputerNameHere product get name, version, vendor
After a few moments, a list will be displayed in the command prompt detailing the programs installed on the target computer.
My operation
Now let’s search for an Exploit
I found this awesome blog https://ethicalhackingguru.com/how-to-exploit-remote-connection-managers/
I did what the blog said in my terminal :
let’s decrypt the password using this github script
https://github.com/haseebT/mRemoteNG-Decrypt
