Conquer PriviaHub: Unleash Your Inner Pro on the Priviatech Machine

Welcome to Your Ultimate Guide to Mastering PriviaHub’s Priviatech Machine

Ready to dive into the thrilling world of PriviaHub? This guide is your golden ticket to navigating and mastering the retired “PRIVIATECH” machine. We’ll walk you through each step, from spotting vulnerabilities to gaining system privileges. Let’s get started!

Step 1: Initial Scanning – The Recon Mission

First things first, we need to scope out the terrain. We’ll use the trusty NMAP tool to scan for open ports, active services, and the operating system. Here’s the command you’ll need:

nmap -A <<IP_Address>> -Pn -v

Let’s break down what each part of this command does:

  • -A parameter: The "aggressive" bundle, enabling OS detection, service version detection, the default NSE script scan, and traceroute. The SYN scan itself is not part of -A; it is Nmap's default scan type when run as root (without root, Nmap falls back to a full TCP connect scan).
  • -Pn parameter: Skips host discovery and treats the target as up, so Nmap scans machines that drop ICMP echo requests. This is common on PriviaHub, where machines mimic real corporate networks that block ping.
  • -v parameter: Increases verbosity, so open ports and findings are printed as they are discovered instead of only in the final report.

The scan reveals that ports 80, 1801, 2103, 2105, 2107, and 49157 are open, running IIS and RPC services. The operating system is identified as Windows Server 2012.

Step 2: Web Application Access – The Infiltration

Next, we’ll access the machine’s port 80 via a web browser. This leads us to a web application interface with “Home” and “Contact” pages. The “Contact” page has a form for communication, complete with a file upload feature.

To test the form, we’ll fill out the text fields and upload a .bmp file. Once submitted, the file is uploaded to the server, confirming that the upload functionality is working as intended.

Step 3: Directory and File Scanning – The Investigation

Assuming the uploaded file is stored somewhere under the web root, we'll use the "dirb" tool to enumerate files and directories. The scan reveals an "uploads" directory, and requesting our .bmp file there in the browser confirms two things: uploads land in a web-accessible location, and IIS serves them back under their original name. If the form does not validate file types, this is a significant security risk: whatever we can upload we can also request, and IIS will execute any server-side script type it is configured to handle.

Step 4: Exploiting the Vulnerability – The Exploitation

To exploit this vulnerability, we’ll create a malicious .aspx file using the msfvenom tool from the Metasploit Framework. This file is designed to establish a meterpreter session. We’ll access the “Contact” page again, fill out the form, and upload the malicious file.

The order matters here: start the listener first, using the Metasploit Framework's "handler" module (exploit/multi/handler) configured with the same payload, LHOST and LPORT given to msfvenom. Then request the uploaded file at "/uploads/getShell.aspx" in the browser. IIS compiles and executes the ASPX page, the payload connects back to the handler, and a meterpreter session opens.
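The upload weakness behind Steps 3 and 4, as an added example that is not code from the PRIVIATECH machine or from this article: the vulnerable handler is a reconstruction of the behaviour observed (any file type, attacker-chosen name, written straight into a directory IIS serves), placed next to a hardened handler that validates by extension allow-list and magic bytes, stores under a random server-chosen name, and keeps the store outside the web root. The allow-list, directory names and sample payload bytes are assumptions for the example.

```python
"""
Added example (not code from the PriviaHub machine or the article): the
server side of a file upload, in the shape that makes /uploads/getShell.aspx
possible and in a hardened shape.  The vulnerable handler is a
reconstruction of the behaviour observed on PRIVIATECH, not its real code;
the allow-list and directory names are assumptions for the example.
"""
from __future__ import annotations

import os
import secrets
import tempfile
from pathlib import Path

# Magic bytes for the only types a contact form needs (assumed allow-list).
# The Content-Type header is client-controlled and is deliberately ignored.
ALLOWED_TYPES = {
    ".bmp": b"BM",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}
MAX_UPLOAD = 2 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised by the hardened path when an upload fails validation."""


def vulnerable_save(filename: str, data: bytes, web_uploads: Path) -> str:
    """The PRIVIATECH behaviour: no type check, attacker-chosen file name,
    written straight into a directory IIS serves.  Returns the URL path,
    which is all the attacker needs to make IIS run the file."""
    dest = web_uploads / filename          # 'getShell.aspx' goes through unchanged
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return "/uploads/" + filename


def validate_upload(filename: str, data: bytes) -> str:
    """Pure validation step; returns the extension to store under."""
    if len(data) > MAX_UPLOAD:
        raise UploadRejected("too large")
    # Only the last extension counts, so 'shell.bmp.aspx' is judged as .aspx
    # and 'shell.aspx.bmp' as .bmp (the magic check then rejects script
    # content in it).  basename() discards any path components.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")
    if not data.startswith(magic):
        raise UploadRejected("content does not match declared type")
    return ext


def hardened_save(filename: str, data: bytes, store: Path) -> str:
    """Validate, then store under a server-chosen random name in a directory
    that is NOT under the web root.  Files are later served through a
    download handler by token, so nothing an uploader controls ever becomes
    a URL that IIS would execute."""
    ext = validate_upload(filename, data)
    token = secrets.token_hex(16)
    store.mkdir(parents=True, exist_ok=True)
    (store / (token + ext)).write_bytes(data)
    return token


def demo() -> dict:
    """Run both handlers against the same uploads in a throw-away directory
    and report what each accepted."""
    bmp = b"BM" + bytes(60)                      # minimal BMP-looking blob (constructed)
    aspx = b'<%@ Page Language="C#" %><% Response.Write("hi"); %>'   # constructed
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        web_uploads = root / "wwwroot" / "uploads"
        results["vulnerable_url"] = vulnerable_save("getShell.aspx", aspx, web_uploads)
        results["vulnerable_exists"] = (web_uploads / "getShell.aspx").exists()
        store = root / "private_uploads"
        token = hardened_save("photo.bmp", bmp, store)
        results["hardened_stored"] = (store / (token + ".bmp")).read_bytes() == bmp
        rejected = []
        for name, blob in (("getShell.aspx", aspx), ("shell.bmp.aspx", bmp), ("shell.aspx.bmp", aspx)):
            try:
                hardened_save(name, blob, store)
            except UploadRejected:
                rejected.append(name)
        results["hardened_rejected"] = rejected
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the hardened path never trusts the client-supplied Content-Type, because the browser sends whatever the attacker's request says, and it returns a token rather than a path, because the safe way to serve user uploads is through a handler that streams the file with a fixed content type, never by letting the web server map the upload directory to URLs.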

Step 5: Privilege Escalation – The Takeover

The obtained meterpreter session runs under a low-privileged service account. To read the "privflag.txt" file, we need to escalate our privileges. We can exploit the MS16-075 security vulnerability for this purpose: it lets a process that holds SeImpersonatePrivilege, as IIS and other service accounts typically do, coerce an NTLM authentication from the SYSTEM account and impersonate the resulting SYSTEM token. SYSTEM is the most privileged local account.

To exploit this vulnerability, we'll use the "Potato.exe" application, which captures the SYSTEM token; the "incognito" module in meterpreter can then impersonate that token. If the incognito route fails, we can use "Kumpir.exe", an advanced version of Potato.exe that captures the SYSTEM token and launches a file of our choosing with SYSTEM privileges.

Using Kumpir.exe, we upload a second .exe containing a meterpreter payload and have Kumpir launch it. The new meterpreter session runs as SYSTEM, which completes the privilege escalation and gives us full control over the system, including the ability to read privflag.txt.

A Comprehensive Guide to Penetration Testing

Introduction to PriviaHub Access Machine Solution

In this article, we delve into the solution steps for the retired "ACCESS" machine on the PriviaHub platform. This guide provides a detailed walkthrough of the penetration testing process, from initial scanning to privilege escalation.

Initial Scanning with Nmap

The first step involves scanning the machine to identify open ports, current services, and the operating system. We use the Nmap tool with the following command: nmap -A <IP_Address> -Pn -v.

Understanding Nmap Parameters

  • -A Parameter: Enables OS detection, service version detection, the default NSE script scan, and traceroute. The SYN scan is not part of -A; it is Nmap's default scan type when run as root.
  • -Pn Parameter: Skips host discovery and treats the target as up, so Nmap scans machines that do not respond to PING requests. This is particularly useful on the PriviaHub platform, where many machines are PING-closed.
  • -v Parameter: Increases verbosity, providing detailed information about the scanning process as it runs.

Analyzing Scan Results

The scan results reveal that port 80 is running Microsoft IIS httpd 7.5. The "http-methods" script also reports that the PUT method is supported, and that a WebDAV service is running with several HTTP methods enabled, PUT among them. The combination is what matters: a WebDAV-enabled IIS directory that accepts PUT lets a client write files under the web root, and if IIS treats the written file as a script (an .asp page, say), uploading it is remote code execution.

Verifying WebDAV Service

To confirm the WebDAV service, we use the “webdav_scanner” module in the Metasploit Framework. This module requires the host or IP address of the machine. After setting the RHOSTS parameter and running the module, we successfully verify the WebDAV service.

Exploiting WebDAV

With WebDAV confirmed, the next step is to exploit it to gain access to the machine. We use a Metasploit Framework module designed for this purpose. The module allows us to upload a malicious .asp file to the target machine.

Setting Up the Exploit Module

To run the exploit module, we need to set the required parameters: RHOSTS, and a payload, which is what actually gives us a session once the uploaded .asp file executes. The "show options" command lists what is required; after a payload is selected, its own options, such as LHOST and LPORT (the address and port of our listener), appear and must be set as well.

Handling Unauthorized Access

During the file upload, the server answers with a 401 status code, meaning the WebDAV write requires authentication. To proceed, we need valid credentials. Examining the header information of a request to the target machine's port 80, we find an Authorization header carrying base64-encoded credentials, the HTTP Basic scheme. Basic authentication is encoding, not encryption: decoding the value yields the username and password in clear text, separated by a colon.
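The two checks this section and the scan-analysis section above do by hand, as an added example that is neither part of the ACCESS walkthrough nor code from any Metasploit module: parse_options() reads a raw HTTP OPTIONS response and reports whether WebDAV is advertised and whether PUT is allowed, and decode_basic_auth() recovers the user:password pair from a Basic Authorization header. The sample response and the sample header are constructed for the example, not captured from the machine, and the credentials in it are invented; the probe() helper is the live version of the same check for use against a real target.

```python
"""
Added example (not from the ACCESS walkthrough or any Metasploit module):
WebDAV/PUT detection from an OPTIONS response, and Basic-auth decoding.
SAMPLE_OPTIONS_RESPONSE and SAMPLE_AUTH_HEADER are constructed for the
example; they are not captured from the PriviaHub machine.
"""
from __future__ import annotations

import base64
import binascii
import http.client
from dataclasses import dataclass, field

SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, "
    "PROPPATCH, MKCOL, PUT, LOCK, UNLOCK\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, "
    "PUT, DELETE, COPY, MOVE, LOCK, UNLOCK\r\n"
    "DAV: 1,2,3\r\n"
    "MS-Author-Via: DAV\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_AUTH_HEADER = "Basic YWRtaW46UGFzc3cwcmQ="   # base64("admin:Passw0rd"), invented


@dataclass
class WebDavInfo:
    status: int
    server: str
    methods: set[str] = field(default_factory=set)
    webdav: bool = False

    @property
    def put_allowed(self) -> bool:
        return "PUT" in self.methods

    @property
    def writable_webdav(self) -> bool:
        """The combination the walkthrough exploits: WebDAV plus PUT."""
        return self.webdav and self.put_allowed


def parse_headers(raw: str) -> tuple[int, dict[str, str]]:
    """Split a raw response into (status code, {lower-cased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            # Repeated headers (two Allow lines, say) are merged.
            headers[key] = (headers[key] + ", " + value.strip()) if key in headers else value.strip()
    return status, headers


def parse_options(raw: str) -> WebDavInfo:
    status, headers = parse_headers(raw)
    info = WebDavInfo(status=status, server=headers.get("server", ""))
    # IIS lists methods in Allow and, with WebDAV enabled, in Public; take the union.
    for name in ("allow", "public"):
        info.methods |= {m.strip().upper() for m in headers.get(name, "").split(",") if m.strip()}
    # A DAV compliance-class header or MS-Author-Via: DAV means the WebDAV module answered.
    info.webdav = "dav" in headers or headers.get("ms-author-via", "").upper() == "DAV"
    return info


def decode_basic_auth(header_value: str) -> tuple[str, str]:
    """'Basic <b64>' -> (user, password).  Basic auth is encoding, not
    encryption: anyone who sees the header has the credentials."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError(f"not a Basic credential: {scheme!r}")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("credential is not valid base64") from exc
    # Only the first ':' separates user from password; passwords may contain colons.
    user, sep, password = raw.decode("utf-8", "replace").partition(":")
    if not sep:
        raise ValueError("decoded credential has no ':' separator")
    return user, password


def encode_basic_auth(user: str, password: str) -> str:
    """Inverse of decode_basic_auth: the header the exploit module sends
    once HTTPUSERNAME and HTTPPASSWORD are set."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def probe(host: str, port: int = 80, path: str = "/") -> WebDavInfo:
    """Live version of the check (needs network access; not used by the tests)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    raw = f"HTTP/1.1 {resp.status} {resp.reason}\r\n" + "".join(
        f"{k}: {v}\r\n" for k, v in resp.getheaders()) + "\r\n"
    conn.close()
    return parse_options(raw)


if __name__ == "__main__":
    info = parse_options(SAMPLE_OPTIONS_RESPONSE)
    print(info.server, "WebDAV:", info.webdav, "PUT:", info.put_allowed)
    print(decode_basic_auth(SAMPLE_AUTH_HEADER))
```

Note that an advertised PUT only means the method is routed to the WebDAV module; whether the write succeeds still depends on the directory's authorization rules, which is exactly the 401 the walkthrough runs into.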

Gaining Authorized Access

With the obtained credentials, we set the HTTPUSERNAME and HTTPPASSWORD parameters in the exploit module. Running the exploit now uploads and executes the malicious file, granting us a meterpreter session running as a low-privileged service account.

Privilege Escalation

The final step involves escalating our privileges to gain SYSTEM-level access. We utilize the MS16-075 vulnerability, which allows a service account holding SeImpersonatePrivilege to obtain and impersonate a SYSTEM token. Using the "incognito" module and the "Potato.exe" application, we successfully elevate our privileges to SYSTEM level.

Using Potato.exe for Privilege Escalation

We upload the "Potato.exe" application and the DLL files it requires to the target machine with the meterpreter "upload" command. Executing "Potato.exe" with the meterpreter "execute" command triggers the MS16-075 vulnerability and captures a SYSTEM token; switching to it with incognito's impersonate_token gives us full control over the machine.
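Before uploading Potato tooling in either walkthrough (this one, and the PRIVIATECH privilege escalation above), the first question is whether the session's token even holds an impersonation privilege. This added example, which is not part of either article and not code from Potato.exe or Kumpir.exe, parses the output of `whoami /priv` and answers that question; the sample output is constructed for the example, shaped like that of an IIS application-pool account, and is not captured from a PriviaHub machine.

```python
"""
Added example, not part of either walkthrough nor of Potato.exe/Kumpir.exe:
triage for Potato-style (MS16-075) escalation from `whoami /priv` output.
The Potato family needs the calling process to hold SeImpersonatePrivilege
or SeAssignPrimaryTokenPrivilege; IIS application-pool and most service
accounts hold the former, an interactive user normally does not.
SAMPLE_WHOAMI_PRIV is constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Either privilege is enough for the Potato family.  The tools enable a
# "Disabled" privilege themselves, so presence in the token is what counts.
POTATO_PRIVS = frozenset({"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"})

# One row of the table: name, free-text description, Enabled/Disabled.
# Assumes English-locale output; localised builds translate the State column.
_PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)$")


def parse_privileges(text: str) -> dict[str, bool]:
    """{privilege name: currently enabled?} from `whoami /priv` output."""
    privs: dict[str, bool] = {}
    for line in text.splitlines():
        m = _PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3) == "Enabled"
    return privs


@dataclass
class Triage:
    present: set[str] = field(default_factory=set)   # Potato-relevant privileges in the token
    enabled: set[str] = field(default_factory=set)   # ...of those, currently enabled
    worth_trying: bool = False
    reason: str = ""


def triage(whoami_priv_output: str) -> Triage:
    privs = parse_privileges(whoami_priv_output)
    t = Triage()
    t.present = set(privs) & POTATO_PRIVS
    t.enabled = {p for p in t.present if privs[p]}
    if not privs:
        t.reason = "no privilege lines recognised; is this `whoami /priv` output?"
    elif t.present:
        t.worth_trying = True
        # Necessary, not sufficient: the host must also lack the MS16-075 patch,
        # which nothing in the token can tell you.
        t.reason = ("token holds " + ", ".join(sorted(t.present)) +
                    "; Potato-style impersonation is possible if MS16-075 is unpatched")
    else:
        t.reason = "no impersonation privilege; Potato will not work from this context"
    return t


def is_system(whoami_output: str) -> bool:
    """Post-escalation check: `whoami` in the new session should say SYSTEM."""
    return whoami_output.strip().lower() == r"nt authority\system"


if __name__ == "__main__":
    print(triage(SAMPLE_WHOAMI_PRIV))
```

The distinction between present and enabled is deliberate: meterpreter's getprivs and the Potato binaries enable a privilege that is merely present, so a "Disabled" SeImpersonatePrivilege is still a green light, whereas a token that lacks it entirely (a normal desktop user) means the whole Potato approach is the wrong tool.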
