4 box enum cortin

C:\>more \xampp\phpMyAdmin\config.inc.php
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'Welkom1!';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['AllowNoPassword'] = true;

c:\>dir
 Directory of c:\
25-04-2019  16:50            57.937 bankv2.exe

PEAS

[*] Enumerating installed KBs...
 [!] CVE-2019-0836 : VULNERABLE
  [>] https://exploit-db.com/exploits/46718
  [>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/

 [!] CVE-2019-1064 : VULNERABLE
  [>] https://www.rythmstick.net/posts/cve-2019-1064/

 [!] CVE-2019-1130 : VULNERABLE
  [>] https://github.com/S3cur3Th1sSh1t/SharpByeBear

 [!] CVE-2019-1315 : VULNERABLE
  [>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html

 [!] CVE-2019-1388 : VULNERABLE
  [>] https://github.com/jas502n/CVE-2019-1388

 [!] CVE-2019-1405 : VULNERABLE
  [>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
  [>] https://github.com/apt69/COMahawk

 [!] CVE-2020-0668 : VULNERABLE
  [>] https://github.com/itm4n/SysTracingPoc

 [!] CVE-2020-0683 : VULNERABLE
  [>] https://github.com/padovah4ck/CVE-2020-0683
  [>] https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/cve-2020-0683.ps1

 [!] CVE-2020-1013 : VULNERABLE
  [>] https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/

 [*] Finished. Found 9 potential vulnerabilities.


Users
    BANKROBBER\admin
        |->Groups: Administrators,Gebruikers
    BANKROBBER\Administrator(Disabled): Ingebouwd account voor beheer van de computer of het domein
        |->Groups: Administrators

# running processes
mysqld(2644)[c:\xampp\mysql\bin\mysqld.exe] -- POwn: Cortin
    Permissions: Authenticated Users [WriteData/CreateFiles]
    Possible DLL Hijacking folder: c:\xampp\mysql\bin (Authenticated Users [WriteData/CreateFiles])
    Command Line: "c:\xampp\mysql\bin\mysqld.exe" --defaults-file="c:\xampp\mysql\bin\my.ini" --standalone --console

Enumerating Security Packages Credentials
  Version: NetNTLMv2
  Hash:    Cortin::BANKROBBER:1122334455667788:ac3165e5ba7e0e3bc7b192d7df93a115:01010000000000003694b03663b6d701574e37228e96dead000000000800300030000000000000000000000000200000667e960dd570db55e8d859b9e71b13f45e0c30b7eedb49914e5039557f3c3e970a00100000000000000000000000000000000000090000000000000000000000
  
Looking for Firefox DBs
  https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history
    Firefox credentials file exists at C:\Users\Cortin\AppData\Roaming\Mozilla\Firefox\Profiles\ybxlv9hk.default\key4.db
 Run SharpWeb (https://github.com/djhohnstein/SharpWeb)


Searching hidden files or folders in C:\Users home (can be slow)
     C:\Users\Cortin\Sjablonen
     C:\Users\All Users\Sjablonen
     C:\Users\All Users\Bureaublad
	 
# interesting file
File Permissions "C:\Users\Cortin\AppData\Local\Temp\storePwd.exe": Cortin [AllAccess]
