Note: For anyone participating in endgames, keep in mind when downloading the .ovpn file to select the UDP option; you may sometimes need to regenerate your VPN connection to interact with the boxes.
We can see the following ports open on the target machine 10.13.38.12:
25, 80, 443
Let's find further information on these ports
sudo nmap -sCV -A -p25,80,443 -oA TCP_10.13.38.12 10.13.38.12
results
25/tcp open smtp
| fingerprint-strings:
| GenericLines, GetRequest:
| 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| sequence of commands
| sequence of commands
| Hello:
| 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| EHLO Invalid domain address.
| Help:
| 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| NULL:
|_ 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| smtp-commands: CITRIX, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Did not follow redirect to https://humongousretail.com/
443/tcp open ssl/http Microsoft IIS httpd 7.5
|_ssl-date: 2024-01-21T03:31:10+00:00; -1s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
|_http-title: Did not follow redirect to https://humongousretail.com/
| ssl-cert: Subject: commonName=humongousretail.com
| Subject Alternative Name: DNS:humongousretail.com
| Not valid before: 2019-03-31T21:05:35
|_Not valid after: 2039-03-31T21:15:35
|_http-server-header: Microsoft-IIS/7.5
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|7|2008|Vista|8.1 (90%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_8.1
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (90%), Microsoft Windows Phone 7.5 or 8.0 (90%), Microsoft Windows Embedded Standard 7 (89%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (89%), Microsoft Windows 7 Professional or Windows 8 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (89%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (89%), Microsoft Windows Vista SP2 (89%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -1s
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 288.19 ms 10.10.14.1
2 288.27 ms 10.13.38.12
What we see
We can see SMTP, Simple Mail Transfer Protocol (port 25), is enabled: possible phishing? Enumerate usernames?
We can see IIS serving both HTTP and HTTPS, both redirecting to humongousretail.com; we can add this hostname to our hosts file
HTTPS
Looks like the web site offers some kind of subscription service
If we scroll to the bottom of the page we can find a link 'Join the team', which shows us an email address, jointheteam@humongousretail.com; this could be useful for phishing if need be
Let's start enumerating
Let's run Nikto and see if there are any low-hanging fruits
nikto -h humongousretail.com -output nikto_scan_humongousretail
results
---------------------------------------------------------------------------
+ Target IP: 10.13.38.12
+ Target Hostname: humongousretail.com
+ Target Port: 80
+ Start Time: 2024-01-20 22:39:54 (GMT-5)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ /: Retrieved x-powered-by header: ASP.NET.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /xdpD6NIS.ashx: Retrieved x-aspnet-version header: 2.0.50727.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OPTIONS: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
+ OPTIONS: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
+ /README.TXT: This might be interesting.
+ /readme.txt: This might be interesting.
+ /LICENSE.txt: License file found may identify site software.
+ /license.txt: License file found may identify site software.
+ /LICENSE.TXT: License file found may identify site software.
+ 7962 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2024-01-20 23:21:07 (GMT-5) (2473 seconds)
---------------------------------------------------------------------------
Gobuster, let's see if we can find any hidden directories
gobuster dir -k -u http://humongousretail.com/ -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -t 50
When we click 'skip to logon' we are brought to a login prompt
What is Citrix XenApp?
Essentially it is an extension of Microsoft's Remote Desktop Services, allowing users to access their workstations and applications remotely. If we could find a set of working credentials this could give us access to internal hosts or applications
SMTP
Let's see if we can enumerate any users in the domain via SMTP using Pentest Monkey's smtp-user-enum tool. Essentially we will run this with a wordlist and the domain name humongousretail.com, which matches the email we found earlier, and we are going to utilise the RCPT TO method
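From the defender's side, as an added example that is not part of the original writeup: the RCPT TO method works because the server answers 250 for a valid recipient and 550 for an unknown one, so a burst of 550s for many distinct addresses from a single client is the signature to alert on. The log lines and their format below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SMTP protocol log (not from the box): one line per RCPT TO and its reply code.
LOG = """\
2024-01-20 22:41:01 10.0.0.50 RCPT TO:<alice@humongousretail.com> 250 2.1.5 Recipient OK
2024-01-20 22:41:01 10.0.0.50 RCPT TO:<admin@humongousretail.com> 550 5.1.1 User unknown
2024-01-20 22:41:02 10.0.0.50 RCPT TO:<bob@humongousretail.com> 550 5.1.1 User unknown
2024-01-20 22:41:02 10.0.0.50 RCPT TO:<carol@humongousretail.com> 550 5.1.1 User unknown
2024-01-20 22:41:03 10.0.0.50 RCPT TO:<dave@humongousretail.com> 550 5.1.1 User unknown
2024-01-20 22:41:03 10.0.0.50 RCPT TO:<erin@humongousretail.com> 550 5.1.1 User unknown
2024-01-20 22:41:04 10.0.0.50 RCPT TO:<frank@humongousretail.com> 550 5.1.1 User unknown
2024-01-20 22:55:10 10.0.0.77 RCPT TO:<alice@humongousretail.com> 250 2.1.5 Recipient OK
2024-01-20 22:57:42 10.0.0.77 RCPT TO:<jointheteam@humongousretail.com> 250 2.1.5 Recipient OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\S+) RCPT TO:<(?P<rcpt>[^>]+)> (?P<code>\d{3})"
)

def parse_log(text):
    """Turn log lines into (timestamp, client ip, recipient, reply code) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["ip"], m["rcpt"], int(m["code"])))
    return events

def detect_enumeration(events, window=timedelta(seconds=60), min_unknown=5, min_ratio=0.8):
    """Alert once per client that probes many distinct unknown recipients inside one window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start <= window]
            unknown = {e[2] for e in win if e[3] == 550}  # 550 = recipient rejected
            targeted = {e[2] for e in win}
            if len(unknown) >= min_unknown and len(unknown) / len(targeted) >= min_ratio:
                alerts.append((ip, start, len(unknown)))
                break
    return alerts
```

Rate limiting RCPT TO per client, or answering uniformly whether or not the mailbox exists, removes the signal this enumeration relies on.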
Now we can use the following emails and try to phish for credentials related to the Citrix login
Let's use the Social Engineering Toolkit to set up a fake website and phish the users, as SET supports cloning web pages and capturing incoming credentials
For this we can utilise swaks, which can be used to send emails from the command line
Let's create a body.txt file
Hey
we are currently running tests via the citrix login page, we need to confrim all users login information is up to date, if you could verify this and login via http://10.10.14.4/remote/auth/login.aspx
best regards
IT team
Now we can send our malicious email off and hopefully someone will attempt to log in
After waiting for a minute a user attempted to log in to their account
We have the following creds
HTB.LOCAL/awardel: @M3m3ntoM0ri@
Let's see if we can log in via the Citrix prompt
WOOHOOO we have access
Looking through the messages, we need to download the Citrix client to gain further functionality of the application; we can download it from the following link