9 box enum iis apppool\defaultapppool
Nothing using PowerUp.ps1
PEAS
[?] Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson)
[*] OS Version: 1809 (17763)
[!] CVE-2020-1013 : VULNERABLE
[>] https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/
[*] Finished. Found 1 potential vulnerabilities.
Computer Name : WORKER
User Name : Administrator
User Id : 500
Is Enabled : True
User Type : Administrator
Comment : Built-in account for administering the computer/domain
Last Logon : 2021-09-23 19:36:37
Logons Count : 94
Password Last Set : 2020-04-05 21:13:02
Installed Applications --Via Program Files/Uninstall registry--
Check if you can modify installed software https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
C:\Program Files\Azure DevOps Server 2019
C:\Program Files\common files
C:\Program Files\desktop.ini
C:\Program Files\Git
C:\Program Files\internet explorer
C:\Program Files\Microsoft SQL Server
C:\Program Files\Microsoft Visual Studio 10.0
C:\Program Files\Microsoft.NET
C:\Program Files\TortoiseSVN
C:\Program Files\Uninstall Information
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\WindowsApps
C:\Program Files\WindowsPowerShell
C:\Program Files\VMware
Host File
10.10.10.202 devops.worker.htb
# something is running on 8080?
TCP 127.0.0.1 8080 127.0.0.1 49700 Established 4 System
p.ps1
Program Files files and directories permissions - backdoor windows binaries:
Group: Users, Permissions: CreateFiles, AppendData, Read, Synchronize on C:\Program Files\Microsoft SQL Server\140\DTS\DataDumps
# interesting files seen in different sections
Group: defaultapppool, Permissions: Write on W:\agents\agent01\.agent
Group: defaultapppool, Permissions: Write on W:\agents\agent01\.credentials
Group: defaultapppool, Permissions: Write on W:\agents\agent01\.credentials_rsaparams
Group: defaultapppool, Permissions: Write on W:\agents\agent01\.service
Possible passwords found in files on all drives are being dumped to pwds.txt.
C:\Users\Public\pwds.txt
C:\Windows\debug\PASSWD.LOG
W:\svnrepos\www\conf\passwd
List installed software:
Name                          Property
----                          --------
Git_is1                       Inno Setup: Setup Version : 5.6.1 (u)
                              Inno Setup: App Path : C:\Program Files\Git
                              DisplayName : Git version 2.27.0
Microsoft SQL Server 14       DisplayName : Microsoft SQL Server 2017 (64-bit)
                              SystemComponent : 1
Microsoft SQL Server SQL2017  DisplayName : Microsoft SQL Server 2017 (64-bit)
                              DisplayIcon : "C:\Program Files\Microsoft SQL Server\140\
Directory: C:\Program Files
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2020-03-28 14:46 Azure DevOps Server 2019
d----- 2020-07-24 12:04 common files
d----- 2020-07-07 17:45 Git
d----- 2018-09-15 09:12 internet explorer
d----- 2020-03-28 15:01 Microsoft SQL Server
d----- 2020-03-28 15:00 Microsoft Visual Studio 10.0
d----- 2020-03-28 15:00 Microsoft.NET
d----- 2020-04-04 22:56 TortoiseSVN
d----- 2020-07-24 12:04 VMware
d----- 2020-04-02 20:04 Windows Defender
d----- 2020-07-14 13:59 Windows Defender Advanced Threat Protection
d----- 2018-09-15 09:12 WindowsPowerShell
Seatbelt.exe
====== InstalledProducts ======
DisplayName : Azure DevOps Server 2019 Update 1.1
DisplayVersion : 17.153.29522.3
Publisher : Microsoft Corporation
InstallDate : 0001-01-01 00:00:00
Architecture : x86
DisplayName : Azure DevOps Server Express 2019 Update 1.1
DisplayVersion : 17.153.29522.3
Publisher : Microsoft Corporation
InstallDate : 0001-01-01 00:00:00
Architecture : x86
DisplayName : Browser for SQL Server 2017
DisplayVersion : 14.0.1000.169
Publisher : Microsoft Corporation
InstallDate : 0001-01-01 00:00:00
Architecture : x86
DisplayName : Git version 2.27.0
DisplayVersion : 2.27.0
Publisher : The Git Development Community
InstallDate : 0001-01-01 00:00:00
Architecture : x64
DisplayName : TortoiseSVN 1.13.1.28686 (64 bit)
DisplayVersion : 1.13.28686
Publisher : TortoiseSVN
InstallDate : 0001-01-01 00:00:00
Architecture : x64
====== UdpConnections ======
Local Address PID Service ProcessName
0.0.0.0:1434 1800 SQLBrowser sqlbrowser.exe