Accumulate
CTF
The first thing we need to do is run an nmap scan to enumerate all open ports and the services running on them.
The nmap scan shows that two ports are open: port 80 running Microsoft IIS httpd 10.0 and port 3389 running ms-wbt-server.
Opening the webpage in the browser shows us a normal Windows Server webpage.
Searching on Google for ms-wbt-server tells us that this is the protocol used by Windows Remote Desktop. This may indicate that we can connect remotely to the target machine if we get the right credentials.
To solve the first question we need to look for hidden directories. On day 2 we used dirsearch to do that. This time I will use gobuster.
With gobuster we managed to find the answer to the first question.
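Seen from the server side, a gobuster run like this one leaves a burst of 404 responses from a single client in the IIS access log. As an added example that is not part of the original write-up, the script below parses IIS W3C extended log lines (the log lines are constructed, not from the target) and flags clients with many 404s:

```python
# Added example (not from the original write-up): spot a directory brute-force such as
# the gobuster run above by counting 404 responses per client IP in IIS W3C extended
# log lines. The log lines below are constructed, not taken from the target machine.
from collections import defaultdict

# Default IIS W3C extended field order (the #Fields: header overrides it when present).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-12-10 10:00:01 10.10.10.5 GET / - 80 - 10.10.14.2 Mozilla/5.0 - 200 0 0 12
2019-12-10 10:00:02 10.10.10.5 GET /admin - 80 - 10.10.14.7 gobuster/3.0.1 - 404 0 2 3
2019-12-10 10:00:02 10.10.10.5 GET /backup - 80 - 10.10.14.7 gobuster/3.0.1 - 404 0 2 2
2019-12-10 10:00:02 10.10.10.5 GET /cgi-bin - 80 - 10.10.14.7 gobuster/3.0.1 - 404 0 2 2
2019-12-10 10:00:03 10.10.10.5 GET /images - 80 - 10.10.14.7 gobuster/3.0.1 - 404 0 2 2
2019-12-10 10:00:03 10.10.10.5 GET /wordpress - 80 - 10.10.14.7 gobuster/3.0.1 - 301 0 0 4
2019-12-10 10:00:05 10.10.10.5 GET /favicon.ico - 80 - 10.10.14.2 Mozilla/5.0 - 404 0 2 1
"""

def parse_iis(log_text):
    """Yield one dict per request line, using the #Fields: header for column order."""
    fields = FIELDS
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # header declares the real column order
            continue
        if not line or line.startswith("#"):
            continue                    # other directives (#Software, #Date, ...)
        parts = line.split()
        if len(parts) != len(fields):
            continue                    # skip malformed lines instead of mis-assigning columns
        yield dict(zip(fields, parts))

def brute_force_sources(log_text, min_404=3):
    """Return {client_ip: (total_requests, not_found, user_agents)} for clients with >= min_404 404s."""
    stats = defaultdict(lambda: [0, 0, set()])
    for rec in parse_iis(log_text):
        s = stats[rec["c-ip"]]
        s[0] += 1
        if rec["sc-status"] == "404":
            s[1] += 1
        s[2].add(rec["cs(User-Agent)"])
    return {ip: (t, nf, sorted(ua)) for ip, (t, nf, ua) in stats.items() if nf >= min_404}

if __name__ == "__main__":
    for ip, (total, nf, agents) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {nf}/{total} requests returned 404 (UA: {', '.join(agents)})")
```

The 404 threshold is deliberately low for the sample; on a real server tune it to the site's normal error rate, and note that a scanner can change its User-Agent, so the status-code ratio is the more reliable signal.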
Our next task is to get access to the target machine.
Navigating to the hidden directory takes us to a retro fanatic page run by someone called Wade, which is basically a forum about games.
If we click on "Wade" it takes us to his user page. After examining the content, most of it is useless to us, except for one simple post:
By clicking on "Ready Player One" and scrolling down through the comments we find what seems to be the password for his account.
In the bottom right corner there is a login button that takes us to a WordPress login page. So we can try to log in using wade as the username and the supposed password we just found.
We successfully logged in to the WordPress page, which confirms that the password we found was correct. After wasting some time here, I realized it was a rabbit hole, and it was time to look again at the ms-wbt-server service that we found earlier.
So we know that we can get remote desktop access through this protocol on port 3389, and we have credentials to do so. After googling for a good client to connect remotely I came across remmina.
We now have remote access to the target machine and can read the contents of user.txt.
To elevate our privileges and read the contents of root.txt, DarkStar left us a hint.
Seeing Google Chrome on the desktop and reading this hint makes it obvious that we need to search Wade's browser history, although that wasn't even needed.
Opening Google Chrome shows us that Wade had saved a page about CVE-2019-1388.
Some Google searching tells us that this is a Windows privilege escalation technique through UAC, using the 'HTML Help ActiveX Control' executable to escalate privileges. We can find this file in the Recycle Bin.
There are loads of YouTube video tutorials on how to recreate this post-exploitation attack.
By opening the file as administrator, we are prompted for the administrator password (which we don't have), so we click on Show more details.
We then click the link to show information about the publisher's certificate.
Next we choose to open it with Internet Explorer.
Once the page opens (we don't have internet access, so it won't display any content) we click Save As and save the file as C:\Windows\System32\*.*.
Once there we select cmd.exe and choose Open.
And we are now authority\system and can get the root.txt.txt flag as shown below.