TryHackMe - Hacker Of The Hill (Medium)

ARZ101
Mar 8, 2021

NMAP

PORT      STATE SERVICE       VERSION                  
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: PhotoStore - Home
81/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Network Monitor
82/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-03-07 17:02:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: troy.thm0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: troy.thm0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: TROY
| NetBIOS_Domain_Name: TROY
| NetBIOS_Computer_Name: TROY-DC
| DNS_Domain_Name: troy.thm
| DNS_Computer_Name: TROY-DC.troy.thm
| DNS_Tree_Name: troy.thm
| Product_Version: 10.0.17763
|_ System_Time: 2021-03-07T17:03:27+00:00
| ssl-cert: Subject: commonName=TROY-DC.troy.thm
| Not valid before: 2021-02-18T18:07:12
|_Not valid after: 2021-08-20T18:07:12
|_ssl-date: 2021-03-07T17:04:06+00:00; +35s from scanner time.
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
Service Info: Host: TROY-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

PORT 139/445 (SMB)

I didn't find any shares on the machine, so now we have three HTTP ports to enumerate.

PORT 80 (HTTP)

I fuzzed for files and directories but found nothing interesting.

We see a sign-up page.

On registering an account:

I uploaded an image with a .jpg extension

and could see the full path of the image.

Also, inspecting the source code, we see that the input field is filtered using JavaScript.

Now I used Burp Suite to send this request to Intruder so I could test for command injection, but before doing that we need to block the JavaScript file that is doing the filtering.

Make sure to tick Disable Cache, then right-click on script.js, select Block URL and refresh the page; you will then be able to use spaces in the text field.

We can now use the ping command to verify the command injection.
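The filter that was bypassed above lived in script.js, i.e. in the browser, so blocking one script removed the only check standing between the request and the server's command line. The following is an added example written for this writeup (not code from the room or the PhotoStore application, whose server-side code is not shown): a vulnerable handler that concatenates the user-supplied host into a shell string, next to a hardened one that validates on the server with an allowlist and passes an argument vector with no shell. The sample inputs are constructed.

```python
import ipaddress
import os
import re
import subprocess

# Constructed inputs: one benign host and one carrying a shell metacharacter,
# exactly the kind of value a browser-side filter would have stripped.
BENIGN = "10.10.10.5"
INJECTED = "10.10.10.5 & whoami"

# Windows ping takes -n for the packet count, Linux ping takes -c.
PING_COUNT_FLAG = "-n" if os.name == "nt" else "-c"


def build_ping_vulnerable(host: str) -> str:
    # Vulnerable pattern: user input is concatenated into a command string that
    # is later handed to a shell. Whatever script.js did in the browser is
    # irrelevant here, because the server trusts the raw request value.
    return "ping " + PING_COUNT_FLAG + " 1 " + host


# Server-side allowlist: letters, digits, dots and hyphens only (hostname shape).
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def validate_host(host: str) -> str:
    """Return the host if it is an IP literal or a plain hostname, else raise."""
    try:
        # Accepts IPv4/IPv6 literals and normalises them.
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    # Reject anything outside the allowlist, and reject leading '-' so the
    # value can never be parsed by ping as an option.
    if HOST_RE.fullmatch(host) and not host.startswith("-"):
        return host
    raise ValueError(f"rejected host value: {host!r}")


def build_ping_hardened(host: str) -> list[str]:
    # Argument vector, no shell: even a value that somehow slipped past
    # validation would reach ping as one argument, not be parsed by cmd/sh.
    return ["ping", PING_COUNT_FLAG, "1", validate_host(host)]


def run_ping(host: str) -> int:
    # subprocess.run with a list argv and shell=False (the default) never
    # involves a shell, so metacharacters have no special meaning.
    result = subprocess.run(build_ping_hardened(host), capture_output=True, timeout=15)
    return result.returncode


if __name__ == "__main__":
    print("vulnerable string:", build_ping_vulnerable(INJECTED))
    print("hardened argv:", build_ping_hardened(BENIGN))
    try:
        build_ping_hardened(INJECTED)
    except ValueError as exc:
        print("hardened handler:", exc)
```

The point to take from the two builders is that the vulnerable one produces a string in which the injected `& whoami` is syntactically part of the command, while the hardened one refuses the value before any process is started, and would pass it as a single inert argument even if it did not.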

Using a PowerShell reverse shell I got RCE on the machine.

For convenience I generated a payload for getting a Meterpreter session.

Ran winPEAS, but found nothing interesting.

I also uploaded BloodHound.ps1 to gather information about Active Directory:

Invoke-Bloodhound -CollectionMethod All -Domain troy.thm -ZipFileName loot.zip

Now I want this zip archive on my local machine so I can see what information it found.

The reason why I used Metasploit :)

After getting the zip archive onto my local machine I started BloodHound and neo4j.

Now simply drag and drop the zip archive; it is extracted automatically and you can then run queries.

On running the query Find All Domain Admins:

Then running Kerberoastable Accounts:

Kerberoastable accounts of high value:

Download Rubeus.exe:

https://github.com/r3motecontrol/Ghostpack-CompiledBinaries

On running Rubeus we immediately get a hash.
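On the domain controller, every service ticket Rubeus pulled in the step above shows up as a Security event 4769 ("A Kerberos service ticket was requested"), and a roasting tool typically asks for RC4-HMAC tickets (TicketEncryptionType 0x17) for several service accounts within a few seconds. The detection below is an added example for this writeup, not something from the room or from BloodHound/Rubeus: it runs over a constructed sample of 4769 records flattened to key=value lines (the requester `lowpriv@TROY.THM`, the service accounts `svc_sql`, `svc_web` and `svc_backup`, and the IPs are made up) and raises an alert when one requester obtains RC4 tickets for several distinct user service accounts inside a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of Windows Security event 4769 records, one per line,
# keeping only the fields used here: requesting account, requested service
# name, ticket encryption type, client address and failure code.
SAMPLE_4769 = """\
2021-03-07T17:05:00Z account=alice@TROY.THM service=TROY-DC$ enc=0x12 src=10.10.10.20 status=0x0
2021-03-07T17:05:30Z account=lowpriv@TROY.THM service=svc_sql enc=0x17 src=10.10.10.30 status=0x0
2021-03-07T17:05:31Z account=lowpriv@TROY.THM service=svc_web enc=0x17 src=10.10.10.30 status=0x0
2021-03-07T17:05:31Z account=lowpriv@TROY.THM service=svc_backup enc=0x17 src=10.10.10.30 status=0x0
2021-03-07T17:09:00Z account=bob@TROY.THM service=svc_web enc=0x12 src=10.10.10.21 status=0x0
2021-03-07T17:20:00Z account=carol@TROY.THM service=svc_sql enc=0x17 src=10.10.10.22 status=0x0
"""

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC; 0x11/0x12 are AES


def parse_event(line):
    """Turn one flattened 4769 line into a dict with typed fields."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "account": fields["account"],
        "service": fields["service"],
        "enc": int(fields["enc"], 16),
        "src": fields["src"],
        "status": int(fields["status"], 16),
    }


def is_roastable_request(ev):
    # Only successful RC4 tickets for user service accounts are interesting.
    # Machine accounts (names ending in '$') have long random passwords and
    # would only add noise, so they are excluded.
    return (
        ev["status"] == 0
        and ev["enc"] == RC4_HMAC
        and not ev["service"].endswith("$")
    )


def find_kerberoast_bursts(log_text, window=timedelta(minutes=5), min_services=3):
    """Return one alert per (account, source IP) that requested RC4 tickets
    for at least `min_services` distinct service accounts within `window`."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    by_requester = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_requester[(ev["account"], ev["src"])].append(ev)

    alerts = []
    for (account, src), evs in by_requester.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window: from each event, collect the distinct services
        # requested within `window` and alert on the first burst found.
        for i, start in enumerate(evs):
            services = {e["service"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(services) >= min_services:
                alerts.append({
                    "account": account,
                    "src": src,
                    "services": sorted(services),
                    "first_seen": start["ts"],
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_kerberoast_bursts(SAMPLE_4769):
        print(f"{alert['first_seen']:%H:%M:%S} {alert['account']} from {alert['src']} "
              f"requested RC4 tickets for {', '.join(alert['services'])}")
```

A single RC4 request from `carol` is not flagged, because legacy applications do still ask for RC4 occasionally; the burst from `lowpriv` is. In a real environment the same logic applies to events collected with Get-WinEvent or a SIEM, and the long-term fix for the room's finding is to give service accounts long random passwords (or group managed service accounts) so that a cracked hash, as in the next step, is not achievable.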

Now we need to run hashcat against it, and once it cracks we are done, because achilles is an administrator.

It cracks the hash.

Now we can log in with RDP, psexec or evil-winrm.

Evil-WinRM:

psexec:
