search
BlogTwitterLinkedIn

🥷Stealth (Windows)

Use your evasion skills to pwn a Windows target with an updated defence mechanism.

hashtag
Enumeración de Red

hashtag
Nmap

Scan general y específico de servicios
sudo nmap -sS --min-rate 5000 -p- --open -n -Pn 10.10.131.99 -oN puertos
nmap -sCV -p139,445,3389,5985,7680,8000,8080,8443,47001,49664,49665,49666,49667,49668,49670,49672 10.10.131.99 -oN nmap

hashtag
Resultado nmap

PORT      STATE    SERVICE       VERSION
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds?
3389/tcp  open     ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: HOSTEVASION
|   NetBIOS_Domain_Name: HOSTEVASION
|   NetBIOS_Computer_Name: HOSTEVASION
|   DNS_Domain_Name: HostEvasion
|   DNS_Computer_Name: HostEvasion
|   Product_Version: 10.0.17763
|_  System_Time: 2025-08-03T11:00:29+00:00
| ssl-cert: Subject: commonName=HostEvasion
| Not valid before: 2025-08-02T10:53:10
|_Not valid after:  2026-02-01T10:53:10
|_ssl-date: 2025-08-03T11:01:08+00:00; +1s from scanner time.
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp  filtered pando-pub
8000/tcp  open     http          PHP cli server 5.5 or later
|_http-title: 404 Not Found
8080/tcp  open     http          Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
|_http-title: PowerShell Script Analyser
8443/tcp  open     ssl/http      Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_http-title: PowerShell Script Analyser
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
47001/tcp open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open     msrpc         Microsoft Windows RPC
49665/tcp open     msrpc         Microsoft Windows RPC
49666/tcp open     msrpc         Microsoft Windows RPC
49667/tcp open     msrpc         Microsoft Windows RPC
49668/tcp open     msrpc         Microsoft Windows RPC
49670/tcp open     msrpc         Microsoft Windows RPC
49672/tcp open     msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-08-03T11:00:29
|_  start_date: N/A

Sistema Windows

hashtag
Enumeración SMB/RPC - Null Session

Access denied

Access denied

hashtag
Enumeración de Servicio Web

hashtag
http://10.10.131.99:8000/

Not Found The requested resource / was not found on this server.

hashtag
http://10.10.131.99:8080/

PowerShell Script Analyser Please upload any .ps1 PowerShell script to see if it is malicious or not (Dev Mode). The tool is in dev-mode and only allow .ps1 format at this stage.

PowerShell Reverse Shell en archivo .ps1 malicioso?

hashtag
Explotación: File Upload a RCE

hashtag
PowerShell Reverse Shell Interactiva

LogoPowerShell-reverse-shell/powershell-reverse-shell.ps1 at main · martinsohn/PowerShell-reverse-shellGitHubchevron-right

  • Subir archivo > Ejecución automática

hashtag
Intrusión en el Sistema

Shell: hostevasion\evader

hashtag
Enumeración Post-Intrusión

hashtag
C:\Users\evader\desktop\encodedflag

You can get the flag by visiting the link http://<IP_OF_THIS_PC>:8000/asdasdadasdjakjdnsdfsdfs.php

hashtag
http://10.10.131.99:8000/asdasdadasdjakjdnsdfsdfs.php

Hey, seems like you have uploaded invalid file. Blue team has been alerted. Hint: Maybe removing the logs files for file uploads can help?

hashtag
Obtención de User Flag

hashtag
C:\Users\evader\documents\task\file.ps1

hashtag
C:\xampp\htdocs\uploads\

  • log.txt

Flag: http://10.10.131.99:8000/asdasdadasdjakjdnsdfsdfs.php

hashtag
Enumeración de Superficie

  • builtin\Users

  • Ningún privilegio útil

  • builtin\Users: (F)

Las instalaciones XAMPP en Windows, registran Apache como servicio bajo la cuenta LocalSystem, cuyo token incorpora de forma nativa el privilegio SeImpersonatePrivilege Al desplegar una webshell en el directorio raíz de la aplicación y ejecutarla vía HTTP, el intérprete PHP se carga en el contexto del proceso de Apache, heredando íntegramente el token con el privilegio SeImpersonate habilitado.

hashtag
Desplegando P0wny-Shell

LogoGitHub - flozz/p0wny-shell: Single-file PHP shellGitHubchevron-right

hashtag
webshell: http://10.10.131.99:8080/pony.php

hashtag
Nuevo privilegio en contexto de servicio

hashtag
Escalada de Privilegios - SeImpersonate Privilege

hashtag
Escalada con RogueWinRM

hashtag
WinRM está en ejecución

No vulnerable a RogueWinRM

hashtag
Escalada con GodPotato

LogoGitHub - BeichenDream/GodPotatoGitHubchevron-right

Potato privilege escalation is usually used when we obtain WEB/database privileges. We can elevate a service user with low privileges to “NT AUTHORITY\SYSTEM” privileges.

hashtag
webshell: http://10.10.131.99:8080/pony.php

hashtag
Compromiso del Sistema

Shell: NT AUTHORITY\SYSTEM

Última actualización