
PriviaHub Access Machine Solution: A Comprehensive Guide to Penetration Testing

Introduction to PriviaHub Access Machine Solution

In this article, we delve into the solution steps for the retired “ACCESS” machine on the PriviaHub platform. This guide provides a detailed walkthrough of the penetration testing process, from initial scanning to privilege escalation.

Initial Scanning with Nmap

The first step involves scanning the machine to identify open ports, running services, and the operating system. We use the Nmap tool with the following command: nmap -A <IP_Address> -Pn -v.

Understanding Nmap Parameters

  • -A Parameter: Performs SYN scanning, service version detection, OS detection, and traceroute.
  • -Pn Parameter: Skips host discovery, so Nmap scans machines that do not respond to ping. This is particularly useful on the PriviaHub platform, where many machines do not answer ping.
  • -v Parameter: Provides detailed information about the scanning process.

Analyzing Scan Results

The scan results reveal that port 80 is running Microsoft IIS httpd 7.5. Additionally, the “http-methods” script shows that the PUT method is supported, which can be used to upload and execute files on the target machine. WebDAV service is also running, supporting various HTTP methods, including PUT.

Verifying WebDAV Service

To confirm the WebDAV service, we use the “webdav_scanner” module in the Metasploit Framework. This module requires the host or IP address of the machine. After setting the RHOSTS parameter and running the module, we successfully verify the WebDAV service.

Exploiting WebDAV

With WebDAV confirmed, the next step is to exploit it to gain access to the machine. We use a Metasploit Framework module designed for this purpose. The module allows us to upload a malicious .asp file to the target machine.

Setting Up the Exploit Module

To run the exploit module, we need to set the required parameters, including the RHOSTS parameter and a payload. The payload is what gives us a session on the target machine. We use the “show options” command to view the payload parameters, such as LHOST and LPORT, and then set them.

Handling Unauthorized Access

During the file upload, we encounter a 401 status code, indicating that the request is unauthorized. To proceed, we need valid credentials. By examining the headers of a request to the target machine’s port 80, we find a base64-encoded Authorization header. Decoding it reveals the necessary credentials.
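The credential recovery described above works because HTTP Basic authentication only base64-encodes “username:password”; over plain HTTP that is equivalent to sending the password in cleartext. The following is an added example, not code from the article or from PriviaHub, that parses a constructed request (the host, path and credentials are made up) and flags a Basic credential sent without TLS. It is written as an audit check a defender would run over captured traffic.

```python
import base64
import binascii

# Constructed sample request; not captured from the machine in the article.
SAMPLE_REQUEST = (
    "PUT /webdav/upload.asp HTTP/1.1\r\n"
    "Host: 10.0.0.5\r\n"
    "Authorization: Basic ZGVtb3VzZXI6RGVtb1Bhc3MxMjM=\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request_line, headers dict)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def decode_basic_auth(value):
    """Return (username, password) for a 'Basic <base64>' value, else None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None  # RFC 7617 requires the colon separator
    return user, password


def audit_request(raw, over_tls=False):
    """Return a list of findings about credential exposure in one request."""
    request_line, headers = parse_request(raw)
    findings = []
    creds = decode_basic_auth(headers.get("authorization", ""))
    if creds is None:
        return findings
    user, _password = creds
    findings.append(f"basic-auth-user:{user}")
    if not over_tls:
        # Anyone who can read the wire (or a proxy log) recovers the password.
        findings.append("basic-auth-without-tls")
    return findings


if __name__ == "__main__":
    for finding in audit_request(SAMPLE_REQUEST):
        print(finding)
```

The mitigation side is the point of the check: Basic authentication is acceptable only inside TLS, and on a host that also exposes WebDAV write methods the same credential authorises file uploads, which is exactly the chain used on this machine.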

Gaining Authorized Access

With the obtained credentials, we set the HTTPUSERNAME and HTTPPASSWORD parameters in the exploit module. Running the exploit uploads and executes the malicious file, giving us a meterpreter session running as a low-privilege service account.
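The whole upload sequence (anonymous PUT rejected with 401, credentialed PUT accepted, then a GET of the new .asp file) leaves a clear trail in the IIS W3C log. Below is an added detection example, not code from the article, that reads the “#Fields:” directive so column order does not matter and flags a WebDAV write of a script file followed by its execution from the same client. The log excerpt, IP addresses, user name and path are constructed for the example.

```python
from collections import defaultdict

# Constructed IIS 7.5 W3C log excerpt (not taken from the article's machine).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2016-03-01 10:00:01 10.0.0.5 GET / - 80 - 10.0.0.20 Mozilla/5.0 200 0 0 15
2016-03-01 10:00:05 10.0.0.5 OPTIONS / - 80 - 10.0.0.20 Mozilla/5.0 200 0 0 3
2016-03-01 10:00:09 10.0.0.5 PUT /webdav/upload.asp - 80 - 10.0.0.20 Mozilla/5.0 401 2 5 4
2016-03-01 10:00:12 10.0.0.5 PUT /webdav/upload.asp - 80 demouser 10.0.0.20 Mozilla/5.0 201 0 0 8
2016-03-01 10:00:15 10.0.0.5 GET /webdav/upload.asp - 80 demouser 10.0.0.20 Mozilla/5.0 200 0 0 120
2016-03-01 10:01:00 10.0.0.5 PUT /webdav/notes.txt - 80 demouser 10.0.0.20 Mozilla/5.0 201 0 0 5
"""

# WebDAV methods that create, replace or rename server-side resources.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL"}
# Extensions IIS hands to a script engine; a successful WebDAV write of one
# of these is a strong web-shell indicator.
SCRIPT_EXTENSIONS = (".asp", ".aspx", ".ashx", ".asmx")


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # malformed line or no field list yet
        yield dict(zip(fields, values))


def detect_webdav_uploads(text):
    """Return (rule, client_ip, uri) findings for script writes and their use."""
    findings = []
    written = defaultdict(set)  # client ip -> script URIs it wrote successfully
    for rec in parse_iis_log(text):
        method = rec["cs-method"].upper()
        uri = rec["cs-uri-stem"]
        status = int(rec["sc-status"])
        client = rec["c-ip"]
        is_script = uri.lower().endswith(SCRIPT_EXTENSIONS)
        if method in WRITE_METHODS and is_script and 200 <= status < 300:
            findings.append(("script-written-via-webdav", client, uri))
            written[client].add(uri)
        elif method in ("GET", "POST") and status == 200 and uri in written[client]:
            # The same client now requests the file it just wrote: execution.
            findings.append(("uploaded-script-executed", client, uri))
    return findings


if __name__ == "__main__":
    for rule, client, uri in detect_webdav_uploads(SAMPLE_LOG):
        print(f"{rule}: {client} -> {uri}")
```

The rejected anonymous PUT (401) and the harmless notes.txt upload produce no alert; the credentialed write of upload.asp and the subsequent GET do. The configuration fix this points at is the one the scan results make obvious: do not allow WebDAV authoring, and in particular the PUT verb, on a directory where IIS will execute scripts.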

Privilege Escalation

The final step involves escalating our privileges to gain SYSTEM-level access. We utilize the MS16-075 vulnerability, which allows service accounts to access the token data of the SYSTEM account. Using the “incognito” module and the “Potato.exe” application, we successfully elevate our privileges to SYSTEM level.

Using Potato.exe for Privilege Escalation

We upload the “Potato.exe” application and the required DLL files to the target machine using the meterpreter “upload” command. Executing “Potato.exe” with the meterpreter “execute” command triggers the MS16-075 vulnerability, allowing us to impersonate the SYSTEM token and gain full control over the machine.
