AesirSec
  • 🏑Home
  • πŸ“šBlog
    • Radio Silence
    • OSCP Strategy
    • Plan for 2023
    • PNPT
    • Plan for 2022
    • eJPT
  • ❓Enumeration
  • 🐧Linux
    • Commands
    • Restricted Shell Bypassing
    • Stabilize Shell
  • πŸͺŸWindows
    • Commands
    • Transferring Files
  • πŸ“•Active Directory
    • Enumeration
    • Attacking AD Initial Vectors
    • Ipv6 attacks
    • Post Compromise Enum
    • Strategy
  • #️Privilege Escalation
    • 🐳Docker
    • 🐧Linux
    • πŸͺŸWindows
  • πŸ•ΈοΈWeb Apps
    • LFI
    • Apache
    • CSRF
    • PHP
    • XSS
    • SQLi
    • Pay Loads All The Things
  • πŸ‘ΎBuffer Overflows
  • πŸ’»Programming
    • 🐍Python
  • πŸ‘¨β€πŸ’»Ports/Technologies
    • FTP - Port 21
    • SSH - Port 22
    • Telnet - Port 23
    • DNS - 53
    • HTTP/S - 80/443
    • RPC - 135
    • SMB - 139/445
    • LDAP - 389/636
    • SQL - Port 3306
    • Docker
    • IIS
  • πŸ› οΈTools
    • ffuf
    • wwwtree
    • Rogue LDAP Servers
    • Wpscan
    • crackmapexec
    • msfvenom
    • John the Ripper
    • Hydra
  • 🐬Flipper Zero/ Radio Frequency
  • πŸ—ƒοΈBoxes/Write Ups
    • Template
    • πŸ‰Game Of Active Directory v2 - Day 1
    • Proving Grounds
      • Proving Grounds Practice
        • πŸ“šHeist
        • πŸ“šHutch
        • πŸͺŸInternal
        • πŸͺŸShenzi
        • πŸͺŸJacko
        • πŸͺŸDVR4 - qued
        • πŸͺŸNickel
        • πŸͺŸSlort
        • 🐧Walla
        • 🐧Snookums
        • 🐧Exfiltrated
        • 🐧Wheels
        • 🐧ClamAV
        • πŸͺŸSquid
        • πŸͺŸAlgernon
        • πŸͺŸHelpdesk
      • Proving Grounds Play
        • πŸͺŸSams
        • 🐧Assertion101
        • 🐧DriftingBlues6
        • 🐧DC-2 - unfinished
        • 🐧InfoSecPrep
        • 🐧Stapler
        • 🐧BBSCute
        • 🐧SoSimple
        • 🐧Solstice
        • 🐧FunBoxEasyEnum
        • 🐧Sumo
        • 🐧FunBoxRookie
        • 🐧MoneyBox
        • 🐧CyberSploit1
        • 🐧Wpawn
        • 🐧Dawn
        • 🐧Pwned1
        • 🐧FunBoxEasy
        • 🐧DC-1
    • TryHackMe
      • πŸͺŸAnthem
  • πŸ”—Helpful Links
  • πŸ§™whoami
  • πŸ΄β€β˜ οΈGithub
  • πŸ“‘Discord
  • 🐦Twitter
Powered by GitBook
On this page
  • IP : 10.10.197.249
  • Enumeration
  • Port 80
  • Port 3389
  • I'm IN!
  • Root
  • More Rooteyer

Was this helpful?

  1. Boxes/Write Ups
  2. TryHackMe

Anthem

PreviousTryHackMeNextHelpful Links

Last updated 2 years ago

Was this helpful?

IP : 10.10.197.249

Enumeration

Nmap Scan

nmap -sV -p- 10.10.197.249 -A -Pn

Question 1 : 80 Question 2 : 3389 Added Anthem.com to /etc/hosts to view the web page.

Port 80

Disallowed Entries : /bin /config /umbraco /umbraco_client

Question 3: UmbracoIsTheBest! Question 4: umbraco Question 5: anthem.com Question 6:Solomon Grundy Question 7: SG@anthem.com

Could not get any reverse shells going on the machine.

Port 3389

Tried logging in with the same credentials that got me into the umbraco site. Had to remove the domain name to get the login to work SG and UmbracoIsTheBest! as the password. 

rdesktop 10.10.197.249 -u SG -p UmbracoIsTheBest!

I'm IN!

Tried a few different MSFvenom payloads but they kept getting detected by Defender. Made a Hoaxshell reverse connection using Revshell.com.

Found a hidden folder with a file in it at. C:\backups\restore.txt

Was unable to open the file at first. But it did let me edit the Security Permissions.

Just so happens to be a password in this text file.

Root

sc create rev binpath= "C:\Users\Administrator\Desktop\rev.exe" type= own type= interact
#Started the service
sc start rev

More Rooteyer

Found an RCE for this machine.

Was feeling squirrelly and wanted to try to elevate to NT authority\System. Found an article how to do it. Created my executable with msfvenom. Added Desktop folder to exceptions in Defender, I am Administrator after all. Curl the reverse shell executable to the Desktop folder. Created the service.

πŸ—ƒοΈ
πŸͺŸ
https://www.exploit-db.com/exploits/49488
https://blog.geoda-security.com/2017/06/elevate-from-admin-to-nt-authoritysystem.html
robots.txt