HTB MetaTwo Writeup

We leverage CVE-2022-0739 to retrieve password hashes from the database. Once in the admin panel, we use CVE-2021-29447 to perform a local file disclosure. We disclose the WordPress configuration file and retrieve the password for the FTP service. From the FTP service, we obtain credentials to log into the machine. There is a passpie binary whose master password we crack. Finally, we retrieve credentials for the root user.

HTB Access Writeup

First, we retrieve files from the FTP server. From these files, we obtain valid credentials to access telnet. On the machine, we realise that there are stored credentials. We execute a reverse shell with these credentials and achieve a SYSTEM shell.

HTB Forest Writeup

In this box, we use RPC and LDAP to collect valid AD usernames. This allows us to perform ASREPRoasting, which yields a TGS that can be cracked. With these credentials, we can log into the machine over WinRM. From the output of BloodHound, we learn that we can add ourselves to Exchange Windows Permissions, which has WriteDACL over the domain object. We grant ourselves full control over the domain and perform DCSync on the machine. This gives us an admin shell.

HTB Delivery Writeup

The OSTicket web application provides an email account in its domain when a support ticket is raised. We can use this email address to log into Mattermost. In Mattermost, we find exposed credentials, which can be used to SSH into the server. On the server, we can use credential hunting to get the root password from the database, or brute force it with sucrack.

HTB Administrator Writeup

Using the provided credentials, we can log in via WinRM. Then, we collect information for BloodHound. With this information, we change the password of the Micheal user, then the password of benjamin. Benjamin is able to access the FTP service and retrieve a psafe3 file. After cracking the hash, we retrieve the credentials of Emily. Emily is able to perform targeted kerberoasting on Ethan. As Ethan, we can perform DCSync and retrieve the Administrator hash. Finally, we pop a SYSTEM shell via psexec.