HACKTHEBOX * Vulnerable Machine Writeup

Jarvis (HACKTHEBOX)

root@kali:~/Downloads# nmap -A 10.10.10.143
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-10 01:23 GMT
Nmap scan report for 10.10.10.143
Host is up (0.22s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)
|   256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
|_  256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1…

Powershell * WMI

Associations

A common example is the set of classes that deal with network adapters:

PS C:\Windows\system32> Get-WmiObject -Class *win32_networkadapter* -List

We can use Associators Of to extract information from all the above classes. The __RELPATH property of an instance can be used as a key to list relationships:

PS C:\Windows\system32> Get-WmiObject -Class win32_networkadapter | f1…

Vulnerable Machine Writeup * VULNHUB

HA_CHAKRAVYUH

root@kali:~/Downloads# nmap -p- -A 192.168.22.131
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-10 09:47 GMT
Nmap scan report for 192.168.22.131
Host is up (0.00066s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c6:54:93:e8:1c:aa:f7:5f:d0:7d:6e:2e:df:ec:88:69 (RSA)
|   256 d4:b4:2e:96:4e:f7:f6:b7:83:a8:ef:06:6c:80:1d:25 (ECDSA)…

Powershell * WMI

More Windows Utilities

WMI code creator: WMIGen 10.0.6: Click on Generate. Click on Run.

WMI on a remote computer:

PS C:\> Get-WmiObject -Class win32_operatingsystem -ComputerName 192.168.222.144 -Credential SECURITY\administrator
PS C:\> whoami
PS C:\> Get-WmiObject -Class win32_bios -ComputerName 192.168.222.144

We run this when WMI is restricted:

PS C:\> $sess = New-CimSession -ComputerName 192.168.222.144 -Credential SECURITY\administrator
PS C:\> Get-CimInstance -CimSession…