🪟Anthem
IP : 10.10.197.249
Enumeration
Nmap Scan
nmap -sV -p- 10.10.197.249 -A -Pn

Question 1: 80
Question 2: 3389
Added anthem.com to /etc/hosts to view the web page.
Port 80
Disallowed Entries : /bin /config /umbraco /umbraco_client


Question 3: UmbracoIsTheBest!
Question 4: umbraco
Question 5: anthem.com
Question 6: Solomon Grundy
Question 7: [email protected]
Found an RCE for this machine. https://www.exploit-db.com/exploits/49488



Could not get any reverse shells going on the machine.
Port 3389
Tried logging in with the same credentials that got me into the Umbraco site. Had to remove the domain name to get the login to work: SG as the username and UmbracoIsTheBest! as the password.
rdesktop 10.10.197.249 -u SG -p UmbracoIsTheBest!
I'm IN!

Tried a few different MSFvenom payloads but they kept getting detected by Defender. Made a Hoaxshell reverse connection using Revshell.com.

Found a hidden folder with a file in it at C:\backups\restore.txt
Was unable to open the file at first, but it did let me edit the Security Permissions.

Just so happens to be a password in this text file.

Root

Was feeling squirrelly and wanted to try to elevate to NT AUTHORITY\SYSTEM. Found an article on how to do it: https://blog.geoda-security.com/2017/06/elevate-from-admin-to-nt-authoritysystem.html
Created my executable with msfvenom. Added the Desktop folder to the exceptions in Defender (I am Administrator, after all). Curled the reverse shell executable to the Desktop folder. Created the service.
sc create rev binpath= "C:\Users\Administrator\Desktop\rev.exe" type= own type= interact
# Started the service
sc start rev
More Rooteyer
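From the blue-team side, the service trick above leaves two loud traces: a System-log Event ID 7045 ("A service was installed in the system") and, if command-line auditing is on, a Security-log Event ID 4688 whose command line contains `sc create ... binpath= ...`. The following is an added example (not part of the original writeup) that scores both kinds of records; the event dictionaries, the field names on them and the `USER_WRITABLE` location list are constructed for this example and are assumptions, not captured logs from the lab machine.

```python
"""Added example: flag service installations whose binary lives in a
user-writable directory (or that ask for an interactive service type),
using constructed records shaped like Windows Event IDs 7045 and 4688."""
import re
import shlex
from typing import Dict, List

# Assumption for this example: a service binary under a user profile or a
# temp directory is unusual for legitimate software and worth a look.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\|windows\\temp\\|temp\\)", re.IGNORECASE)

# Matches "sc create" / "sc.exe create" anywhere in a recorded command line.
SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\b", re.IGNORECASE)


def _strip_quotes(path: str) -> str:
    return path.strip().strip('"')


def check_service_install(event: Dict[str, str]) -> List[str]:
    """Reasons a 7045 (service installed) record looks suspicious."""
    reasons: List[str] = []
    if event.get("EventID") != 7045:
        return reasons
    image = _strip_quotes(event.get("ImagePath", ""))
    if USER_WRITABLE.match(image):
        reasons.append(f"service binary in user-writable location: {image}")
        if event.get("AccountName", "").lower() == "localsystem":
            reasons.append("service runs as LocalSystem, so that binary runs as SYSTEM")
    return reasons


def check_process_create(event: Dict[str, str]) -> List[str]:
    """Reasons a 4688 (process created) record looks like a rogue service install."""
    reasons: List[str] = []
    if event.get("EventID") != 4688:
        return reasons
    cmd = event.get("CommandLine", "")
    if not SC_CREATE.search(cmd):
        return reasons
    # posix=False keeps Windows backslashes and quoted paths intact.
    tokens = shlex.split(cmd, posix=False)
    for i, tok in enumerate(tokens):
        low = tok.lower()
        path = ""
        if low == "binpath=" and i + 1 < len(tokens):      # "binpath= value" form
            path = _strip_quotes(tokens[i + 1])
        elif low.startswith("binpath=") and len(tok) > 8:   # "binpath=value" form
            path = _strip_quotes(tok[8:])
        if path and USER_WRITABLE.match(path):
            reasons.append(f"sc create with binary in user-writable location: {path}")
        if low == "type=" and i + 1 < len(tokens) and tokens[i + 1].lower() == "interact":
            reasons.append("interactive service type requested (type= interact)")
    return reasons


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Run both checks over a batch; returns {record id: reasons} for hits only."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        reasons = check_service_install(ev) + check_process_create(ev)
        if reasons:
            hits[ev["RecordId"]] = reasons
    return hits


# Constructed sample records (not real logs). evt-1 and evt-3 mirror the
# service created in this writeup; evt-2 and evt-4 are benign controls.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"RecordId": "evt-1", "EventID": 7045, "ServiceName": "rev",
     "ImagePath": r"C:\Users\Administrator\Desktop\rev.exe", "AccountName": "LocalSystem"},
    {"RecordId": "evt-2", "EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "AccountName": "LocalSystem"},
    {"RecordId": "evt-3", "EventID": 4688, "NewProcessName": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create rev binpath= "C:\Users\Administrator\Desktop\rev.exe" type= own type= interact'},
    {"RecordId": "evt-4", "EventID": 4688, "NewProcessName": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc query Spooler"},
]

if __name__ == "__main__":
    for rec, why in scan(SAMPLE_EVENTS).items():
        print(rec, "->", "; ".join(why))
```

Running the block prints hits for evt-1 and evt-3 only. The two checks are deliberately independent: 7045 fires even when the attacker avoids `sc.exe` (for example by creating the service through the API), while 4688 catches the command line even if the service is deleted before the install event is forwarded.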
