A vulnerable program is disclosed by an employee.
Please find me. I hide in an organization's network.
- Externally exploit the pwn service to take control of the device, then map the network topology. Brute-force the router login to hijack it. After gaining control of the router, exploit the RDP vulnerability on the Windows 7 device and capture the flag.
### Network topology
##### Step 1: Exploit the pwn challenge provided by the Organiser
- After compromising the server, the secret file containing the credentials to the device is easy to find.
##### Step 2: Scan internal network range
- After taking over the Ubuntu device, scan the network range.
- Netdiscover/nmap will reveal Router X (IP 10.0.255.51).
- Brute-force the router's account. After finding the credentials “***admin/271206***”, log in to the router and run the following commands: `show ip interface brief`, `show ip route`, `show arp`, `show access-list`, and so on.
- Scan the other devices in the same network range to find Router Y and Router Z, based on ICMP replies and the ARP table of Router X. Router Y and Router Z use the same credentials as Router X (“***admin/271206***”).
- Add a route so the Ubuntu host can reach Y and Z:

  ```shell
  ip route add 10.0.0.0/16 via 10.0.255.51 dev eth0
  ```

  and run the same commands: `show ip interface brief`, `show ip route`, `show arp`, `show access-list`, etc.
- From Router Z you will see PC-Admin (192.168.205.7).
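The brute-force step against Router X is the point a defender can catch. As an added example (not part of the original write-up), the Python below parses constructed Cisco IOS SEC_LOGIN syslog lines and flags a burst of failed logins from one source, escalating when a success follows the burst; the message format, the addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample of IOS SEC_LOGIN syslog messages (not from the page): five failed
# logins to Router X from one source, then a success with the same user, then a clean login.
SAMPLE_LOG = """\
Jan 10 12:00:01 10.0.255.51 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.255.50] [localport: 23] [Reason: Login Authentication Failed]
Jan 10 12:00:03 10.0.255.51 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.255.50] [localport: 23] [Reason: Login Authentication Failed]
Jan 10 12:00:04 10.0.255.51 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.255.50] [localport: 23] [Reason: Login Authentication Failed]
Jan 10 12:00:06 10.0.255.51 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.255.50] [localport: 23] [Reason: Login Authentication Failed]
Jan 10 12:00:07 10.0.255.51 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.255.50] [localport: 23] [Reason: Login Authentication Failed]
Jan 10 12:00:09 10.0.255.51 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.255.50] [localport: 23]
Jan 10 12:30:00 10.0.255.51 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.1.9] [localport: 22]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<router>\S+) "
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]"
)

def parse_line(line):
    """Return the fields of one SEC_LOGIN message, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
    return rec

def detect_login_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Alert on (router, source) pairs with >= threshold failures inside `window`; escalate on a following success."""
    recent = defaultdict(deque)  # (router, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[(rec["router"], rec["src"])]
        while q and rec["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if rec["event"] == "LOGIN_FAILED":
            q.append(rec["ts"])
            if len(q) == threshold:  # fire once, when the burst first reaches threshold
                alerts.append(("BRUTE_FORCE", rec["router"], rec["src"], rec["user"]))
        elif len(q) >= threshold:  # success right after a burst: password was guessed
            alerts.append(("CREDENTIAL_GUESSED", rec["router"], rec["src"], rec["user"]))
            q.clear()
    return alerts
```

On IOS these messages are only emitted when `login on-failure log` and `login on-success log` are configured; `login block-for` additionally rate-limits the guessing itself.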
##### Step 3: RCE on Windows 7 through RDP
- On Router Z, configure a static NAT for the Windows 7 host (PC-Admin, 192.168.205.7) so the Ubuntu host can connect to it:

  ```
  Z(config)# ip nat inside source static 192.168.205.7 10.0.13.7
  Z(config)# interface e0/0
  Z(config-if)# ip nat outside
  Z(config-if)# interface e0/2
  Z(config-if)# ip nat inside
  ```

- The RDP vulnerability CVE-2019-0708 (BlueKeep) is present on the device.
- After exploitation completes, the flag.txt file is in windows/system32.
- Flag is “Cr4cK1nG_aNd_H4ck1nG_1s_L34rn1nG”