ghost👻sonofabot-sec:~#

I scan, I map, I exploit .... Ghost is in your shell!!!

I Can’t Even Say “Less Chatting, More Hacking” Because Nah, This Box Deserves Some Respect. Really Educational.

I Advise You Give It a Go First Before Following The Steps Here. There Are Different Ways Of Getting Root, Two I Know Of 😎

So without further ado, let’s jump right into it 💹

Firing Up The Machine, We Get An IP Address

ENUMERATION 🔍

While cracking the pfx file, if it shows no hashes loaded, there’s a slight issue with your hash: remove any ', " or b' from it

Extract the pfx file

Initial Foothold

Remember the zip’s name? winrm? Log in via evil-winrm

So We’re in

You can run any enumeration script of your choice: just run upload “script” (make sure it’s in the directory you’re running evil-winrm from)

Run your script; you’ll notice the PowerShell history is there, view it

So we can see a series of instructions

We repeat the commands, and we’re able to successfully act as the svc_decoy user
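
An added example, not part of the original writeup: a defender-side check for the weakness this step relies on, scanning a PowerShell history file for commands that leave credentials behind. The history contents are constructed (the page shows them only in a screenshot), and the rule list and the svc_example account are assumptions.

```python
import re

QUOTED = r"(['\"])(?P<secret>.+?)\1"  # a single- or double-quoted literal

# Rule list is an assumption made for this example, not an exhaustive set.
RULES = [
    # ConvertTo-SecureString fed a literal together with -AsPlainText
    ("securestring-from-plaintext",
     re.compile(r"ConvertTo-SecureString\b(?=.*-AsPlainText\b).*?" + QUOTED, re.I)),
    # $password = 'literal' style assignments
    ("password-variable-literal",
     re.compile(r"\$\w*(?:pass|pwd)\w*\s*=\s*" + QUOTED, re.I)),
    # net user <name> <password>, skipping switches (/add) and the * prompt
    ("net-user-inline-password",
     re.compile(r"\bnet\s+user\s+\S+\s+(?P<secret>[^\s/*]\S*)", re.I)),
]

# Constructed sample history; account name and passwords are placeholders.
SAMPLE_HISTORY = r"""whoami
$p = ConvertTo-SecureString 'Constructed-Pw-1!' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_example', $p)
Invoke-Command -ComputerName localhost -Credential $c -ScriptBlock { whoami }
$dbPassword = "Constructed-Pw-2!"
net user svc_example Constructed-Pw-3! /add
Get-ChildItem C:\Users
"""


def redact(secret):
    """Keep the first character and the length so the report holds no secret."""
    return secret[0] + "*" * (len(secret) - 1)


def scan_history(text):
    """Return (line number, rule name, redacted line) for each risky command."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            match = pattern.search(line)
            if match:
                secret = match.group("secret")
                findings.append((lineno, name, line.replace(secret, redact(secret))))
                break  # one finding per line is enough for triage
    return findings


if __name__ == "__main__":
    for lineno, name, line in scan_history(SAMPLE_HISTORY):
        print(f"line {lineno}: {name}: {line}")
```

On a real host the input would be each profile's ConsoleHost_history.txt under AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine. Any hit means the credential should be rotated, not just the history file cleared.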

Privilege Escalation

So now we have to think about how to get root; after all, we have some credentials already. Remember, in the smbclient folder there was a folder of Help blah blah that contained things about ldaps, and from our scans we have ldap3 ports open. So we dump ldaps

LAPS Python dumping script

We have the admin password

So now you do understand

We have to change the commands in history

Copy the password from that dump (my password is different because I had to reset the machine halfway)

Great, we can run actions as admin. We upload nc.exe through our evil-winrm. Turn off Windows Defender or whitelist the upload path (c:\users)

Run the netcat revshell

On your attacking machine you’ll catch a shell

AND WE ARE DONE

LOOK FOR FILES ON YOUR OWN, it’s your little task

Hit me up on Twitter if you run into any issues


