4 box enum cortin

C:\>more \xampp\phpMyAdmin\config.inc.php
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'Welkom1!';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['AllowNoPassword'] = true;

c:\>dir
 Directory of c:\
25-04-2019  16:50            57.937 bankv2.exe

PEAS

[*] Enumerating installed KBs...
 [!] CVE-2019-0836 : VULNERABLE
  [>] https://exploit-db.com/exploits/46718
  [>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/

 [!] CVE-2019-1064 : VULNERABLE
  [>] https://www.rythmstick.net/posts/cve-2019-1064/

 [!] CVE-2019-1130 : VULNERABLE
  [>] https://github.com/S3cur3Th1sSh1t/SharpByeBear

 [!] CVE-2019-1315 : VULNERABLE
  [>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html

 [!] CVE-2019-1388 : VULNERABLE
  [>] https://github.com/jas502n/CVE-2019-1388

 [!] CVE-2019-1405 : VULNERABLE
  [>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
  [>] https://github.com/apt69/COMahawk

 [!] CVE-2020-0668 : VULNERABLE
  [>] https://github.com/itm4n/SysTracingPoc

 [!] CVE-2020-0683 : VULNERABLE
  [>] https://github.com/padovah4ck/CVE-2020-0683
  [>] https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/cve-2020-0683.ps1

 [!] CVE-2020-1013 : VULNERABLE
  [>] https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/

 [*] Finished. Found 9 potential vulnerabilities.


Users
    BANKROBBER\admin
        |->Groups: Administrators,Gebruikers
    BANKROBBER\Administrator(Disabled): Ingebouwd account voor beheer van de computer of het domein
        |->Groups: Administrators

# running processes
mysqld(2644)[c:\xampp\mysql\bin\mysqld.exe] -- POwn: Cortin
    Permissions: Authenticated Users [WriteData/CreateFiles]
    Possible DLL Hijacking folder: c:\xampp\mysql\bin (Authenticated Users [WriteData/CreateFiles])
    Command Line: "c:\xampp\mysql\bin\mysqld.exe" --defaults-file="c:\xampp\mysql\bin\my.ini" --standalone --console

Enumerating Security Packages Credentials
  Version: NetNTLMv2
  Hash:    Cortin::BANKROBBER:1122334455667788:ac3165e5ba7e0e3bc7b192d7df93a115:01010000000000003694b03663b6d701574e37228e96dead000000000800300030000000000000000000000000200000667e960dd570db55e8d859b9e71b13f45e0c30b7eedb49914e5039557f3c3e970a00100000000000000000000000000000000000090000000000000000000000
  
Looking for Firefox DBs
  https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
    Firefox credentials file exists at C:\Users\Cortin\AppData\Roaming\Mozilla\Firefox\Profiles\ybxlv9hk.default\key4.db
 Run SharpWeb (https://github.com/djhohnstein/SharpWeb)


Searching hidden files or folders in C:\Users home (can be slow)
     C:\Users\Cortin\Sjablonen
     C:\Users\All Users\Sjablonen
     C:\Users\All Users\Bureaublad
	 
# interesting file
File Permissions "C:\Users\Cortin\AppData\Local\Temp\storePwd.exe": Cortin [AllAccess]

Previous5 privesc bankv2.exe Next3 admin backdoorchecker.php

Last updated 3 years ago

C:\>more \xampp\phpMyAdmin\config.inc.php $cfg['Servers'][$i]['user'] = 'root'; $cfg['Servers'][$i]['password'] = 'Welkom1!'; $cfg['Servers'][$i]['extension'] = 'mysqli'; $cfg['Servers'][$i]['AllowNoPassword'] = true; c:\>dir Directory of c:\ 25-04-2019 16:50 57.937 bankv2.exe

PEAS

[*] Enumerating installed KBs...
 [!] CVE-2019-0836 : VULNERABLE
  [>] https://exploit-db.com/exploits/46718
  [>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/

 [!] CVE-2019-1064 : VULNERABLE
  [>] https://www.rythmstick.net/posts/cve-2019-1064/

 [!] CVE-2019-1130 : VULNERABLE
  [>] https://github.com/S3cur3Th1sSh1t/SharpByeBear

 [!] CVE-2019-1315 : VULNERABLE
  [>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html

 [!] CVE-2019-1388 : VULNERABLE
  [>] https://github.com/jas502n/CVE-2019-1388

 [!] CVE-2019-1405 : VULNERABLE
  [>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
  [>] https://github.com/apt69/COMahawk

 [!] CVE-2020-0668 : VULNERABLE
  [>] https://github.com/itm4n/SysTracingPoc

 [!] CVE-2020-0683 : VULNERABLE
  [>] https://github.com/padovah4ck/CVE-2020-0683
  [>] https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/cve-2020-0683.ps1

 [!] CVE-2020-1013 : VULNERABLE
  [>] https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/

 [*] Finished. Found 9 potential vulnerabilities.


Users
    BANKROBBER\admin
        |->Groups: Administrators,Gebruikers
    BANKROBBER\Administrator(Disabled): Ingebouwd account voor beheer van de computer of het domein
        |->Groups: Administrators

# running processes
mysqld(2644)[c:\xampp\mysql\bin\mysqld.exe] -- POwn: Cortin
    Permissions: Authenticated Users [WriteData/CreateFiles]
    Possible DLL Hijacking folder: c:\xampp\mysql\bin (Authenticated Users [WriteData/CreateFiles])
    Command Line: "c:\xampp\mysql\bin\mysqld.exe" --defaults-file="c:\xampp\mysql\bin\my.ini" --standalone --console

Enumerating Security Packages Credentials
  Version: NetNTLMv2
  Hash:    Cortin::BANKROBBER:1122334455667788:ac3165e5ba7e0e3bc7b192d7df93a115:01010000000000003694b03663b6d701574e37228e96dead000000000800300030000000000000000000000000200000667e960dd570db55e8d859b9e71b13f45e0c30b7eedb49914e5039557f3c3e970a00100000000000000000000000000000000000090000000000000000000000
  
Looking for Firefox DBs
  https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
    Firefox credentials file exists at C:\Users\Cortin\AppData\Roaming\Mozilla\Firefox\Profiles\ybxlv9hk.default\key4.db
 Run SharpWeb (https://github.com/djhohnstein/SharpWeb)


Searching hidden files or folders in C:\Users home (can be slow)
     C:\Users\Cortin\Sjablonen
     C:\Users\All Users\Sjablonen
     C:\Users\All Users\Bureaublad
	 
# interesting file
File Permissions "C:\Users\Cortin\AppData\Local\Temp\storePwd.exe": Cortin [AllAccess]