Conquer PriviaHub: Unleash Your Inner Pro on the Priviatech Machine

Welcome to Your Ultimate Guide to Mastering PriviaHub’s Priviatech Machine

Ready to dive into the thrilling world of PriviaHub? This guide is your golden ticket to navigating and mastering the retired “PRIVIATECH” machine. We’ll walk you through each step, from spotting vulnerabilities to gaining system privileges. Let’s get started!

Step 1: Initial Scanning – The Recon Mission

First things first, we need to scope out the terrain. We’ll use the trusty NMAP tool to scan for open ports, active services, and the operating system. Here’s the command you’ll need:

nmap -A <<IP_Address>> -Pn -v

Let’s break down what each part of this command does:

• -A parameter: This is like your Swiss Army knife, performing a SYN scan, detecting service versions, identifying the OS, and running a traceroute.
• -Pn parameter: This ensures NMAP scans machines that are closed to PING requests, which is common on PriviaHub as machines mimic real corporate networks.
• -v parameter: This gives you the nitty-gritty details about the scan.

The scan reveals that ports 80, 1801, 2103, 2105, 2107, and 49157 are open, running IIS and RPC services. The operating system is identified as Windows Server 2012.

Step 2: Web Application Access – The Infiltration

Next, we’ll access the machine’s port 80 via a web browser. This leads us to a web application interface with “Home” and “Contact” pages. The “Contact” page has a form for communication, complete with a file upload feature.

To test the form, we’ll fill out the text fields and upload a .bmp file. Once submitted, the file is uploaded to the server, confirming that the upload functionality is working as intended.

Step 3: Directory and File Scanning – The Investigation

Assuming the uploaded file is stored in a directory accessible via the web service, we’ll use the “dirb” tool to identify the files and directories present. The scan reveals an “uploads” directory. Accessing the uploaded .bmp file via the web browser confirms that files are uploaded without proper validation, posing a significant security risk.

Step 4: Exploiting the Vulnerability – The Exploitation

To exploit this vulnerability, we’ll create a malicious .aspx file using the msfvenom tool from the Metasploit Framework. This file is designed to establish a meterpreter session. We’ll access the “Contact” page again, fill out the form, and upload the malicious file.

Upon successful upload, accessing the malicious file at “/uploads/getShell.aspx” should establish a meterpreter session. We’ll use the Metasploit Framework’s “handler” module to start a listening mode, and accessing the uploaded page will successfully load the malicious file, resulting in a meterpreter session.

Step 5: Privilege Escalation – The Takeover

The obtained meterpreter session runs under a low-privileged service account. To read the “privflag.txt” file, we need to escalate our privileges. We can exploit the MS16-075 security vulnerability for this purpose. This vulnerability allows service accounts to access the token data of the SYSTEM account, the most privileged account.

To exploit this vulnerability, we’ll use the “Potato.exe” application. This application captures the SYSTEM token, and the “incognito” module in meterpreter can be used to switch to this token. However, if meterpreter isn’t helpful, we can use the “Kumpir.exe” application, an advanced version of Potato.exe. Kumpir.exe captures the SYSTEM token and runs a specified file with SYSTEM privileges.

Using Kumpir.exe, we’ll upload and execute a malicious .exe file containing a meterpreter payload, resulting in a new meterpreter session with SYSTEM privileges. This successfully completes the privilege escalation process, granting us full control over the system.