Wednesday, May 23, 2012

Solutions: The Hex Factor v2011 (level B100)

So now it is time to solve the easiest level of the hacking challenges.

General information:
Given was an IP address to which an attacker had to gain access. As simple as that ;-)

Target PC IP:
Goal: Gain system/administrator access to the target system.

The Solution
As with all good hacking challenges I start with performing some recon and what tool is better to use then nmap ^^

I both scan the TCP and UDP ports (most common ones) of the machine using the following commands:

TCP: nmap -sSV
UDP: nmap -sU

From the results, I learn that the SNMP service of the box is active. Let's try to connect to the port using snmpcheck (without a community string as the port showed up as open, and don't have a the real community string... yet):

This seems to work, from the output of snmpcheck I can identify the local users of the box. One of them seems very interesting, a test user account named B100_Test.

From the nmap results (TCP ports), I notice that  remote desktop connections to the PC should be possible (open RDP port). So I try to connect to the PC and after some password guessing I notice that the password "test" simply seems to work for the 'test' account.

Once connected to the box, I see that I don't have administrative privileges :'(  Yet ... ;-)

Back to recon it is... A very popular way of escalating privileges within a Windows environment  (next to Kitrap0d, meterpreter, ...) is using a vulnerable service... I investigate the services and find out a B100_Test service that is being executed with 'local system' privileges and the executed file is accessible for the B100_Test user... I am getting close :-)  

 I replace the executable with 'taskmgr.exe' (which I of course have to rename to b100_service.exe):

I manually start the service and the Task Manager appears, from where I am able to launch a command prompt. Hoorah! I'm a privileged user on the PC :-) As a proof, I've added a user named Tim!

Any questions or remarks? Let us know in the comments.