🪟 Jacko

IP: 192.168.65.66

Enumeration

Nmap scan

nmap 192.168.65.66 -sV -p- -A 

Service Enumeration

TCP/80

TCP/135

TCP/139/445

Went back and tried to connect to the shares with tony's credentials, but neither share worked.

TCP/7680

TCP/8082

The credentials already in the form will work to log in, just hit connect.

Found tony as username.

LFI

Found version numbers.

Found exploit in exploit-db for this exact version. https://www.exploit-db.com/exploits/49384 Confirmed RCE.

Found some credentials in wrapper.conf

Found tony's credentials.

wrapper.ntservice.account=.\tony
wrapper.ntservice.password=BeyondLakeBarber399
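A defender-side check for the wrapper.conf finding above, added here as an example and not part of the original write-up: it scans wrapper.conf-style text for plaintext secret properties such as wrapper.ntservice.password, including ones left behind in comments, and reports them without echoing the value. The sample file, the account name and the `audit` helper are constructed for illustration.

```python
import re

# Constructed sample in wrapper.conf style; account and password are placeholders.
SAMPLE_CONF = r"""
# Java Service Wrapper settings (constructed sample)
wrapper.java.command=java
wrapper.ntservice.name=ExampleService
wrapper.ntservice.account=.\svc_example
wrapper.ntservice.password = PLACEHOLDER-not-a-real-secret
#wrapper.ntservice.password=commented-out-old-value
wrapper.app.parameter.1=-webPort
db.password=
"""

# Property names that usually hold a secret.
SECRET_KEY = re.compile(r"(password|passwd|secret)", re.IGNORECASE)


def parse_properties(text):
    """Yield (line_no, key, value, commented) for every key=value line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        commented = line.startswith("#")
        line = line.lstrip("#").strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        yield line_no, key.strip(), value.strip(), commented


def audit(text):
    """Return findings for plaintext secrets without echoing the secret."""
    props = list(parse_properties(text))
    # Service account the password belongs to, if one is configured.
    account = next((v for _, k, v, c in props
                    if k == "wrapper.ntservice.account" and not c), None)
    findings = []
    for line_no, key, value, commented in props:
        if not SECRET_KEY.search(key) or not value:
            continue  # not a secret property, or nothing stored in it
        findings.append({
            "line": line_no,
            "key": key,
            "active": not commented,  # commented-out secrets are still exposed
            "length": len(value),     # report the length only, never the value
            "account": account if key.startswith("wrapper.ntservice.") else None,
        })
    return findings
```

Any finding means the service account password is readable by whoever can read the file, so the file's ACL and the account's privileges both need review.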

Had to get a hint here, as none of the shells I kept trying worked, and had to look at two or three different methods in different walkthroughs.

Created reverse shell.

Hosted it via SMB.

Ran my listener and got a shell.

Fixed the path because only a few commands were running.

Possible print spooler LPE.

I believe this may be vulnerable to a printer nightmare attack. Curled printspoofer.exe to tony's desktop. https://github.com/dievus/printspoofer

Root
