10 box manual enum
c:\Users>dir
Directory of c:\Users
2020-07-07 17:53 <DIR> .
2020-07-07 17:53 <DIR> ..
2020-03-28 15:59 <DIR> .NET v4.5
2020-03-28 15:59 <DIR> .NET v4.5 Classic
2020-08-18 00:33 <DIR> Administrator
2021-09-23 21:32 <DIR> Public
2020-07-22 01:11 <DIR> restorer
2020-07-08 19:22 <DIR> robisl
# cannot enter any; access denied
# saw W:\ in PEAS and other PE scripts
# checking for all drives attached
c:\Users\Public>wmic logicaldisk get deviceid, volumename, description
Description DeviceID VolumeName
Local Fixed Disk C:
Local Fixed Disk W: Work
[OR]
c:\Users\Public>fsutil fsinfo drives
Drives: C:\ W:\
# powershell -c get-psdrive -psprovider filesystem
w:\>dir
Directory of w:\
2020-06-16 18:59 <DIR> agents
2020-03-28 15:57 <DIR> AzureDevOpsData
2020-04-03 11:31 <DIR> sites
2020-06-20 16:04 <DIR> svnrepos
# in p.ps1 found W:\svnrepos\www\conf\passwd
# default is: W:\svnrepos\www\conf>more authz
W:\agents\agent01>more W:\svnrepos\www\conf\passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.
[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday
# exploring W:\agents\
W:\agents\agent01>dir /a
dir /a
Volume in drive W is Work
Volume Serial Number is E82A-AEA8
Directory of W:\agents\agent01
2020-04-02 22:05 <DIR> .
2020-04-02 22:05 <DIR> ..
2020-04-02 22:05 163 .agent
2020-04-02 22:05 241 .credentials
2020-04-02 22:05 1894 .credentials_rsaparams
2020-04-02 22:05 32 .service
2020-04-02 22:05 <SYMLINKD> bin [w:\agents\agentbase\bin]
2020-04-02 22:05 <SYMLINK> config.cmd [w:\agents\agentbase\config.cmd]
2020-04-02 22:05 <SYMLINKD> externals [w:\agents\agentbase\externals]
2020-04-02 22:05 <SYMLINK> run.cmd [w:\agents\agentbase\run.cmd]
2021-09-23 22:24 <DIR> _diag
2021-09-23 22:24 <DIR> _work
6 File(s) 2330 bytes
W:\agents\agent01>more .agent
more .agent
{
"agentId": 1,
"agentName": "Hamilton01",
"poolId": 1,
"poolName": "Default",
"serverUrl": "http://127.0.0.1:8080/",
"workFolder": "_work"
}
W:\agents\agent01>more .credentials
more .credentials
{
"scheme": "OAuth",
"data": {
"clientId": "0835e5a8-1280-4512-82ea-366912d1fd5a",
"authorizationUrl": "http://127.0.0.1:8080/_apis/oauth2/token",
"oauthEndpointUrl": "http://127.0.0.1:8080/_apis/oauth2/token"
}
}
# loooking more closely at the passwords we got password for robisl
# user on box
Last updated