9 box enum iis apppool\defaultapppool

Nothing using PowerUp.ps1

PEAS

[?] Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson)
 [*] OS Version: 1809 (17763)
 [!] CVE-2020-1013 : VULNERABLE
  [>] https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/
[*] Finished. Found 1 potential vulnerabilities.
 
Computer Name           :   WORKER
User Name               :   Administrator
User Id                 :   500
Is Enabled              :   True
User Type               :   Administrator
Comment                 :   Built-in account for administering the computer/domain
Last Logon              :   2021-09-23 19:36:37
Logons Count            :   94
Password Last Set       :   2020-04-05 21:13:02

Installed Applications --Via Program Files/Uninstall registry--
 Check if you can modify installed software https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
    C:\Program Files\Azure DevOps Server 2019
    C:\Program Files\common files
    C:\Program Files\desktop.ini
    C:\Program Files\Git
    C:\Program Files\internet explorer
    C:\Program Files\Microsoft SQL Server
    C:\Program Files\Microsoft Visual Studio 10.0
    C:\Program Files\Microsoft.NET
    C:\Program Files\TortoiseSVN
    C:\Program Files\Uninstall Information
    C:\Program Files\Windows Defender
    C:\Program Files\Windows Defender Advanced Threat Protection
    C:\Program Files\WindowsApps
    C:\Program Files\WindowsPowerShell
    C:\Program Files\VMware

Host File
    10.10.10.202    devops.worker.htb

# something is running on 8080?
TCP        127.0.0.1             8080          127.0.0.1             49700           Established       4               System

p.ps1

Program Files files and directories permissions - backdoor windows binaries:
Group: Users, Permissions: CreateFiles, AppendData, Read, Synchronize on C:\Program Files\Microsoft SQL Server\140\DTS\DataDumps

# interesting files seen in different sections
Group: defaultapppool, Permissions: Write on W:\agents\agent01\.agent
Group: defaultapppool, Permissions: Write on W:\agents\agent01\.credentials
Group: defaultapppool, Permissions: Write on W:\agents\agent01\.credentials_rsaparams
Group: defaultapppool, Permissions: Write on W:\agents\agent01\.service

Possible passwords found in files on all drives are being dumped to pwds.txt.
C:\Users\Public\pwds.txt
C:\Windows\debug\PASSWD.LOG
W:\svnrepos\www\conf\passwd

List installed software:
Name                                   Property
----                                   --------
Git_is1                                Inno Setup: Setup Version                          : 5.6.1 (u)
                                       Inno Setup: App Path                               : C:\Program Files\Git
                                       DisplayName                                        : Git version 2.27.0
Microsoft SQL Server 14                DisplayName     : Microsoft SQL Server 2017 (64-bit)
                                       SystemComponent : 1
Microsoft SQL Server SQL2017           DisplayName          : Microsoft SQL Server 2017 (64-bit)
                                       DisplayIcon          : "C:\Program Files\Microsoft SQL Server\140\

Directory: C:\Program Files
Mode          LastWriteTime Length Name
----          ------------- ------ ----
d----- 2020-03-28     14:46        Azure DevOps Server 2019
d----- 2020-07-24     12:04        common files
d----- 2020-07-07     17:45        Git
d----- 2018-09-15     09:12        internet explorer
d----- 2020-03-28     15:01        Microsoft SQL Server
d----- 2020-03-28     15:00        Microsoft Visual Studio 10.0
d----- 2020-03-28     15:00        Microsoft.NET
d----- 2020-04-04     22:56        TortoiseSVN
d----- 2020-07-24     12:04        VMware
d----- 2020-04-02     20:04        Windows Defender
d----- 2020-07-14     13:59        Windows Defender Advanced Threat Protection
d----- 2018-09-15     09:12        WindowsPowerShell

Seatbelt.exe

====== InstalledProducts ======

  DisplayName                    : Azure DevOps Server 2019 Update 1.1
  DisplayVersion                 : 17.153.29522.3
  Publisher                      : Microsoft Corporation
  InstallDate                    : 0001-01-01 00:00:00
  Architecture                   : x86

  DisplayName                    : Azure DevOps Server Express 2019 Update 1.1
  DisplayVersion                 : 17.153.29522.3
  Publisher                      : Microsoft Corporation
  InstallDate                    : 0001-01-01 00:00:00
  Architecture                   : x86

  DisplayName                    : Browser for SQL Server 2017
  DisplayVersion                 : 14.0.1000.169
  Publisher                      : Microsoft Corporation
  InstallDate                    : 0001-01-01 00:00:00
  Architecture                   : x86

  DisplayName                    : Git version 2.27.0
  DisplayVersion                 : 2.27.0
  Publisher                      : The Git Development Community
  InstallDate                    : 0001-01-01 00:00:00
  Architecture                   : x64

  DisplayName                    : TortoiseSVN 1.13.1.28686 (64 bit)
  DisplayVersion                 : 1.13.28686
  Publisher                      : TortoiseSVN
  InstallDate                    : 0001-01-01 00:00:00
  Architecture                   : x64
  
====== UdpConnections ======
  Local Address          PID    Service                 ProcessName
  0.0.0.0:1434           1800   SQLBrowser              sqlbrowser.exe
