Reconnaissance
Enumeration
Exploitation
Windows Privilege Escalation
________________________________________
Reconnaissance
Run the nmapAutomator.sh script to automate the recon/enumeration process. We can see that three ports are open: 21, 23 and 80.
Port 21 allows anonymous FTP login, so let's log in.
Enumeration
We can see there are two directories, Backups and Engineer. The Backups directory has a backup.mdb file and the Engineer directory has an Access Control.zip file. We download both files to our attacking machine.
Access Control.zip needs a password.
When we run the strings command on backup.mdb we get some interesting strings.
Let's try this password and extract the file; we get an “Access Control.pst” file. To convert it, run “readpst Access Control.pst”, which converts it into .mbox format.
Run the cat command to see what is inside the file.
Exploitation
We get the user credentials, and the telnet port is open, so let's log in via telnet.
We get a low-privilege shell.
After enumerating directories we find a link file in “C:\Users\Public\Desktop”. Let's see what is inside: we can see a runas command executed as Administrator. The runas command allows us to run commands as another user, and the /savecred option lets the command run without prompting for a password, since it uses the credential that user previously saved.
Windows Privilege Escalation
Now run a Python SimpleHTTPServer on port 80 on the attacking machine to upload nc.exe to the victim machine. To find nc.exe on the attacking machine, run the locate nc.exe command. To transfer nc.exe we can use the “powershell” or “certutil” command. Now start the netcat listener on the attacking machine, and finally we use the runas command to get the reverse shell. We got the shell. The user flag is in “C:\Users\security\Desktop” and the root flag is in “C:\Users\Administrator\Desktop”.
Extra Content
Creating a Base64 (UTF-16LE) string on the attacking machine to use on the victim machine as a PowerShell EncodedCommand to get a reverse shell.
We use the runas command to get the reverse shell as shown in the image above; to see it in a video, here is a link to the ippsec video.
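The UTF-16LE Base64 encoding described above is exactly what an analyst meets in process command-line logs. As an added example (not from the original writeup), the following Python builds the encoding the same way PowerShell's -EncodedCommand expects, reverses it, and scans a few constructed sample command lines for encoded payloads; the sample lines and the benign Write-Output script are constructed for the demo.

```python
import base64
import re

# Matches -EncodedCommand and its PowerShell abbreviations (-enc, -ec, -e)
# followed by the base64 argument, as they appear in command-line logs.
ENC_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """Build the argument PowerShell expects after -EncodedCommand: UTF-16LE bytes, base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    """Reverse the encoding so an analyst can read what the command actually ran."""
    return base64.b64decode(blob).decode("utf-16-le")


def find_encoded_commands(command_lines):
    """Return (original line, decoded script) for every log line carrying an encoded command."""
    hits = []
    for line in command_lines:
        m = ENC_RE.search(line)
        if m:
            try:
                hits.append((line, decode_powershell(m.group(1))))
            except (ValueError, UnicodeDecodeError):
                # Truncated or tampered base64 is still worth surfacing to the analyst
                hits.append((line, "<undecodable base64>"))
    return hits


# Constructed sample process command lines (not taken from the box); the encoded one wraps a benign command.
SAMPLE_LOGS = [
    "C:\\Windows\\System32\\cmd.exe /c whoami",
    "powershell.exe -nop -w hidden -enc " + encode_powershell("Write-Output 'hello from log'"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for line, decoded in find_encoded_commands(SAMPLE_LOGS):
        print(f"{line[:60]}...\n  -> {decoded}")
```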