root💀n16hth4wk-sec:~#

First enumeration with nmap

# Nmap 7.94SVN scan initiated Thu May  9 22:48:48 2024 as: nmap -sC -sV -T4 -oN service.nmap -p 80,3389 -Pn 10.10.80.56
Nmap scan report for 10.10.80.56
Host is up (0.16s latency).

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-05-09T21:51:35+00:00; +2m34s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: RETROWEB
|   NetBIOS_Domain_Name: RETROWEB
|   NetBIOS_Computer_Name: RETROWEB
|   DNS_Domain_Name: RetroWeb
|   DNS_Computer_Name: RetroWeb
|   Product_Version: 10.0.14393
|_  System_Time: 2024-05-09T21:51:31+00:00
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2024-05-08T21:45:36
|_Not valid after:  2024-11-07T21:45:36
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2m34s, deviation: 0s, median: 2m33s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May  9 22:49:01 2024 -- 1 IP address (1 host up) scanned in 12.92 seconds
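As an added example (not part of the original writeup), the Python below parses the nmap normal output above and turns it into defender-facing findings: the risky TRACE method, the server banner and the OS build disclosed over RDP NTLM, an RDP service reachable from the scanning host, and the clock skew. The scan text is copied from the output above; the 60 s skew threshold and the wording of the findings are assumptions made for this example.

```python
import re

# Nmap normal output copied from the scan above (the scan is the page's; the parser is an added example).
NMAP_OUTPUT = """Nmap scan report for 10.10.80.56
Host is up (0.16s latency).

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-05-09T21:51:35+00:00; +2m34s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: RETROWEB
|   NetBIOS_Domain_Name: RETROWEB
|   NetBIOS_Computer_Name: RETROWEB
|   DNS_Domain_Name: RetroWeb
|   DNS_Computer_Name: RetroWeb
|   Product_Version: 10.0.14393
|_  System_Time: 2024-05-09T21:51:31+00:00
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2024-05-08T21:45:36
|_Not valid after:  2024-11-07T21:45:36
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2m34s, deviation: 0s, median: 2m33s
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SKEW_RE = re.compile(r"clock-skew: mean: (-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")


def parse_nmap(text):
    """Return {port: {proto, state, service, version, scripts}} from nmap normal output."""
    ports = {}
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            current = ports[port] = {
                "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(),
                "scripts": [],
            }
        elif current is not None and line.startswith("|"):
            # NSE script lines belong to the port above them; drop the "|", "|_" and indent.
            current["scripts"].append(line.lstrip("|_ ").rstrip())
        elif line.strip() == "":
            current = None  # blank line ends the port table; host scripts are not per-port
    return ports


def parse_skew_seconds(text):
    """Signed clock skew in seconds from the host-script clock-skew line, or None."""
    m = SKEW_RE.search(text)
    if not m:
        return None
    sign, h, mi, s = m.groups()
    total = int(h or 0) * 3600 + int(mi or 0) * 60 + int(s or 0)
    return -total if sign else total


def review_exposure(ports, skew_seconds, max_skew=60):
    """Turn parsed scan data into (port, message) findings a defender would act on."""
    findings = []
    for port, info in sorted(ports.items()):
        if info["state"] != "open":
            continue
        for line in info["scripts"]:
            if line.startswith("Potentially risky methods:"):
                methods = line.split(":", 1)[1].split()
                findings.append((port, "risky HTTP methods enabled: " + ", ".join(methods)))
            elif line.startswith("http-server-header:"):
                findings.append((port, "server banner discloses " + line.split(":", 1)[1].strip()))
            elif line.startswith("Product_Version:"):
                findings.append((port, "RDP NTLM info discloses OS build " + line.split(":", 1)[1].strip()))
        if info["service"] == "ms-wbt-server":
            findings.append((port, "RDP reachable from the scanning host; restrict to VPN/jump host and require NLA"))
    if skew_seconds is not None and abs(skew_seconds) > max_skew:
        findings.append((None, f"clock skew of {skew_seconds}s vs scanner; fix NTP before correlating logs"))
    return findings


if __name__ == "__main__":
    parsed = parse_nmap(NMAP_OUTPUT)
    for port, msg in review_exposure(parsed, parse_skew_seconds(NMAP_OUTPUT)):
        print(f"[{port if port is not None else 'host'}] {msg}")
```

The parser keys only on the port table and the "|"-prefixed NSE lines, so it works on any `-oN` file; for machine output `-oX` with an XML parser is the more robust route.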

Enumerating the web server

Opening the IP in a browser, we get the default Windows IIS page.

Brute-forcing web directories turns up a few directories, and it also looks like a WordPress site is running.

Navigating to the WordPress page, we can see a game server; it looks like a web3 gaming site.

There is a lot of text on the page, so we use cewl to build a wordlist from it for a brute-force attempt later.

Using wpscan to enumerate usernames and plugins, we find the user wade.

Brute-forcing the password with the cewl wordlist from earlier gives us the credentials wade:parzival.
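From the defender's side, a login brute-force like the one above leaves a burst of POSTs to wp-login.php in the IIS logs. The Python below is an added example, not from the original writeup: it runs a sliding-window detector over a constructed IIS W3C log excerpt (the field list, the client IPs 10.10.14.5 and 192.168.1.20, and the user-agent strings are made up for the example). WordPress answers a wrong password by re-rendering the form with a 200 and a correct one with a 302 redirect, so a run of 200s followed by a 302 from the same client is the signal.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt (not from the page); IIS writes '+' for spaces in the user agent.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2024-05-09 21:40:12 POST /wp-login.php 192.168.1.20 Mozilla/5.0+(Windows+NT+10.0) 302
2024-05-09 21:50:01 GET /wp-login.php 10.10.14.5 Mozilla/5.0+(X11) 200
2024-05-09 21:50:02 POST /wp-login.php 10.10.14.5 WPScan/3.8 200
2024-05-09 21:50:03 POST /wp-login.php 10.10.14.5 WPScan/3.8 200
2024-05-09 21:50:04 POST /wp-login.php 10.10.14.5 WPScan/3.8 200
2024-05-09 21:50:05 POST /wp-login.php 10.10.14.5 WPScan/3.8 200
2024-05-09 21:50:06 POST /wp-login.php 10.10.14.5 WPScan/3.8 200
2024-05-09 21:50:07 POST /wp-login.php 10.10.14.5 WPScan/3.8 200
2024-05-09 21:50:09 POST /wp-login.php 10.10.14.5 WPScan/3.8 302
2024-05-09 21:50:15 GET /wp-admin/ 10.10.14.5 WPScan/3.8 200
"""


def iter_records(log_text):
    """Yield dicts keyed by the names in the #Fields: directive; skips comments and blanks."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))


def detect_login_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold failed wp-login.php POSTs inside any `window`."""
    attempts = defaultdict(list)  # c-ip -> [(timestamp, status)]
    for rec in iter_records(log_text):
        if rec["cs-method"] != "POST" or not rec["cs-uri-stem"].endswith("/wp-login.php"):
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        attempts[rec["c-ip"]].append((ts, int(rec["sc-status"])))

    alerts = []
    for ip, events in sorted(attempts.items()):
        events.sort()
        failures = [t for t, status in events if status == 200]  # 200 = form re-rendered, bad password
        start, peak = 0, 0
        for end in range(len(failures)):  # sliding window over failure timestamps
            while failures[end] - failures[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            # A 302 after the last failure means a guess eventually worked: escalate, don't just block.
            success = any(status == 302 and t >= failures[-1] for t, status in events)
            alerts.append({"ip": ip, "failures_in_window": peak, "success_after_failures": success})
    return alerts


if __name__ == "__main__":
    for alert in detect_login_bruteforce(SAMPLE_IIS_LOG):
        print(alert)
```

Tune `threshold` and `window` to the site's normal traffic; the same shape of rule (failures per client per window, then a success) carries over to xmlrpc.php, which wpscan can also use for password guessing.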

Log in to wp-admin.

Login to wp-admin succeeds.

Upload a malicious PHP payload to the web app via the theme selection option.

Navigate to the webshell and trigger RCE.

Pop a reverse shell.
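The theme editor lets a WordPress administrator write PHP straight into wp-content/themes, which is why the upload step above works and why defenders baseline that directory. The Python below is an added example, not from the original writeup: it takes a SHA-256 snapshot of every .php file under a themes tree, diffs it against a later snapshot, and scans new or changed files for common webshell marker strings. The themes directory, the file contents and the marker list are constructed for the example, and the "uploaded" file contains only a marker token, not working shell code.

```python
import hashlib
import tempfile
from pathlib import Path

# Marker strings commonly seen in dropped PHP webshells (constructed list); a hit is a triage lead, not proof.
SUSPICIOUS_MARKERS = ("eval(", "base64_decode(", "shell_exec(", "passthru(",
                      "system(", "$_REQUEST", "$_GET[", "$_POST[")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_php(root: Path) -> dict:
    """Map every .php file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*.php") if p.is_file()}


def diff_snapshots(baseline: dict, current: dict):
    """Return (added, modified, removed) relative paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in current.keys() & baseline.keys() if current[k] != baseline[k])
    return added, modified, removed


def flag_markers(root: Path, rel_paths) -> dict:
    """Return {rel_path: [markers found]} for files that contain any suspicious marker."""
    hits = {}
    for rel in rel_paths:
        text = (root / rel).read_text(errors="replace")
        found = [m for m in SUSPICIOUS_MARKERS if m in text]
        if found:
            hits[rel] = found
    return hits


def demo():
    """Build a constructed themes directory, baseline it, simulate a change, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        themes = Path(tmp) / "wp-content" / "themes"
        theme = themes / "sample-theme"
        theme.mkdir(parents=True)
        (theme / "functions.php").write_text("<?php\nadd_theme_support('title-tag');\n")
        (theme / "style.css").write_text("/* Theme Name: Sample */\n")
        baseline = snapshot_php(themes)  # in practice taken at deploy time and stored out-of-band

        # Simulated post-compromise state: a new PHP file appears and an existing one is edited.
        (theme / "uploaded.php").write_text(
            "<?php\n// constructed sample: marker token only, not a working shell\n$q = $_REQUEST['q'];\n")
        (theme / "functions.php").write_text(
            "<?php\nadd_theme_support('title-tag');\n// edited via the theme editor\n")

        current = snapshot_php(themes)
        added, modified, removed = diff_snapshots(baseline, current)
        flagged = flag_markers(themes, added + modified)
        return added, modified, removed, flagged


if __name__ == "__main__":
    added, modified, removed, flagged = demo()
    print("added:", added, "modified:", modified, "removed:", removed)
    print("flagged:", flagged)
```

Any new or modified .php under a theme that no deployment explains is worth a look regardless of marker hits; the markers only rank the queue. The baseline must live somewhere the web server's own account cannot rewrite, or the first thing an intruder with admin on the site can do is refresh it.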

Privilege Escalation

SeImpersonatePrivilege is enabled.

PrintSpoofer and GodPotato did not work.

Trying cme (CrackMapExec) to check whether we can log in over RDP shows that we can.

Log in to the target over RDP.

We find a binary (.exe) in the Recycle Bin and restore it.

The file is restored.

Running the application prompts for the admin password; we don't have it, so we move on.

Checking systeminfo shows the build number of this machine: 10.0.14393 N/A Build 14393.

Found an exploit on GitHub.

Download the exploit to our machine.

Send the file to the target.

Extract the contents of the file.

Run the exploit, and boom, we get Admin.

And we are through.