So now it is time to solve the easiest level of the hacking challenges.
General information:
Given was an IP address to which an attacker had to gain access. As simple as that ;-)
Target PC IP: 192.168.0.104
Goal: Gain system/administrator access to the target system.
The Solution
As with all good hacking challenges I start with performing some recon and what tool is better to use then nmap ^^
I both scan the TCP and UDP ports (most common ones) of the machine using the following commands:
TCP: nmap -sSV 192.168.0.104
UDP: nmap -sU 192.168.0.104
From the results, I learn that the SNMP service of the box is active. Let's try to connect to the port using snmpcheck (without a community string as the port showed up as open, and don't have a the real community string... yet):
This seems to work, from the output of snmpcheck I can identify the local users of the box. One of them seems very interesting, a test user account named B100_Test.
From the nmap results (TCP ports), I notice that remote desktop connections to the PC should be possible (open RDP port). So I try to connect to the PC and after some password guessing I notice that the password "test" simply seems to work for the 'test' account.
Once connected to the box, I see that I don't have administrative privileges :'( Yet ... ;-)
Back to recon it is... A very popular way of escalating privileges within a Windows environment (next to Kitrap0d, meterpreter, ...) is using a vulnerable service... I investigate the services and find out a B100_Test service that is being executed with 'local system' privileges and the executed file is accessible for the B100_Test user... I am getting close :-)
I replace the executable with 'taskmgr.exe' (which I of course have to rename to b100_service.exe):
I manually start the service and the Task Manager appears, from where I am able to launch a command prompt. Hoorah! I'm a privileged user on the PC :-) As a proof, I've added a user named Tim!
Any questions or remarks? Let us know in the comments.
