[THM] Relevant


Client details:-

  • Machine: Relevant

  • URL: relevant.thm

  • IP: 10.10.240.89

  • Scope of work:

    • find user.txt (gain sys shell) & root.txt (privesc)
    • report any/all vulnerabilities found doing so




Penetration Test:-

find step-by-step pentest notes here

Reconnaissance & Scanning:

  • Nmap scan [results]

    • cmd: nmap -p- 10.10.184.24, then nmap -sC -sV -A -p 80,135,139,445,3389,49663,49667,49669 -o nmap.log 10.10.184.24
  • OS detected: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)

  • SMB client: connected without login

    • cmd: smbclient -L 10.10.240.89 -U guest
    • found a file with sensitive data on the nt4wrksv shared folder: passwords.txt
      • user1: Bob pwd1:!P@$$W0rD!123
      • user2: Bill pwd2:Juw4nnaM4n420696969!$$$
  • Gobuster scan [results]

    • cmd: gobuster dir -u http://10.10.191.233:49663 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log
  • Got reverse shell

    • uploaded a reverse shell created with msfvenom via SMB
    • accessed/executed the .aspx file from the web
      • the shared folder (same as the SMB share) is reachable via port 49663
    • set up listener: nc -lnvp 443
  • Got user.txt = THM{fdk4ka34vk346ksxfr21tg789ktf45}

  • Got root.txt = THM{1fk5kf469devly1gl320zafgl345pv}
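
Detection logic for the chain in the "Got reverse shell" step (a script file written over guest SMB, then requested through IIS on port 49663), as an added example that is not part of the original report. The log records, the file name upload.aspx, the client address and the /nt4wrksv/ URL path are constructed assumptions.

```python
from datetime import datetime, timedelta

# Extensions IIS will execute rather than serve as static content.
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx")

# Constructed SMB write-audit records (simplified; not a real event export).
SMB_WRITES = [
    {"time": "2024-01-10 12:00:05", "user": "Guest", "share": "nt4wrksv", "file": "notes.txt"},
    {"time": "2024-01-10 12:03:40", "user": "Guest", "share": "nt4wrksv", "file": "upload.aspx"},
]

# Constructed IIS W3C log excerpt; assumes the share is served under /nt4wrksv/.
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem s-port c-ip sc-status
2024-01-10 12:01:00 GET /nt4wrksv/passwords.txt 49663 192.0.2.10 200
2024-01-10 12:04:10 GET /nt4wrksv/upload.aspx 49663 192.0.2.10 200
"""

def parse_iis(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def correlate(smb_writes, iis_rows, window=timedelta(minutes=30)):
    """Return (share, file, writer, client_ip) for script files written over
    SMB and then requested over HTTP within `window` of the write."""
    hits = []
    for w in smb_writes:
        if not w["file"].lower().endswith(SCRIPT_EXT):
            continue  # only server-executable content is of interest
        written = datetime.strptime(w["time"], "%Y-%m-%d %H:%M:%S")
        path = f"/{w['share']}/{w['file']}".lower()
        for r in iis_rows:
            seen = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
            if r["cs-uri-stem"].lower() == path and timedelta(0) <= seen - written <= window:
                hits.append((w["share"], w["file"], w["user"], r["c-ip"]))
    return hits

if __name__ == "__main__":
    for hit in correlate(SMB_WRITES, parse_iis(IIS_LOG)):
        print("ALERT: SMB-written script served by IIS:", hit)
```

The underlying fix is to remove guest access to the share and stop serving a writable folder from the web root; the correlation only catches the pattern after the fact.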