Tally is a difficult Windows Machine from Egre55, who likes to make boxes with multiple paths for each step. The box starts with a lot of enumeration, starting with a SharePoint instance that leaks creds for FTP. With FTP access, there are two paths to root. First there’s a KeePass db with creds for SMB, which has a binary with creds for MSSQL, and I can use MSSQL access to run commands and get a shell. Alternatively, I can spot a Firefox installer and a note saying that certain HTML pages on the FTP server will be visited regularly, and craft a malicious page to exploit that browser.

To escalate, there’s a scheduled task running a writable PowerShell script as administrator. There’s also SeImpersonate privilege in a shell gained via MSSQL, which can be leveraged to get root as well. Finally, I’ll show a local Windows exploit that was common at the time of the box release, CVE-2017-0213.

Nmap finds 21 open TCP

```
nmap -p- --min-rate 10000 -oA scans/nmap-alltcp 10.10.10.59
Warning: 10.10.10.59 giving up on port because retransmission cap hit (10).
Not shown: 65469 closed ports, 45 filtered ports
```