Posted by : moamjad
Phases of penetration testing activities include the following:

    Planning – Customer goals are gathered and rules of engagement obtained.
    Discovery – Perform scanning and enumeration to identify potential vulnerabilities, weak areas, and exploits.
    Attack – Confirm potential vulnerabilities through exploitation and perform additional discovery upon new access.
    Reporting – Document all found vulnerabilities and exploits, failed attempts, and company strengths and weaknesses.


Scope

Assessment Details
Internal & External Penetration Test 10.10.266.244

Vulnerability Summary

Finding               Severity
Weak password         High
RCE                   High
Token impersonation   High



Starting the pentesting engagement with Nmap

sudo nmap -A -T4 --open -vv 10.10.226.224 -oN nmap -Pn
80/tcp   open  http       syn-ack ttl 127 Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
3389/tcp open  tcpwrapped syn-ack ttl 127
| ssl-cert: Subject: commonName=alfred
| Issuer: commonName=alfred
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2022-08-11T16:26:23
| Not valid after:  2023-02-10T16:26:23
| MD5:   3038 e053 8bfa 8e35 d8d8 ae42 4a7b c5fc
| SHA-1: c0e0 bea1 b805 d325 2efa 1e3f aa32 23eb 986f 7f57
| -----BEGIN CERTIFICATE-----
| MIIC0DCCAbigAwIBAgIQF06qDRJBJ41Cqf7rqpG8kDANBgkqhkiG9w0BAQUFADAR
| MQ8wDQYDVQQDEwZhbGZyZWQwHhcNMjIwODExMTYyNjIzWhcNMjMwMjEwMTYyNjIz
| WjARMQ8wDQYDVQQDEwZhbGZyZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
| AoIBAQDdxRnRn3a5UAn/E89zRhYTH1GyokrqQCp6NgpYYgaa6Y1YCcZnrLGLDEJw
| eXhYOgT1Q/O33soDyDeH9f+Jcp3awG0cG4YGnVh2FEiRwNnwYIVkqJVI0SqtuLYH
| /BKZwU+6LT24xJ8BtFSaORzeQBc3gyfwWkx2RUlGx27VPxqEoLrVKYraw6hyqCE3
| WIJUlMKE7OFpEYPvl1+dRJsCCQki6ZqJrb1uqVNljeFEDc+kZo5kWqd0gnO8jt1I
| dA41BMe4EtIAKmYZGG8IulAotWDhTdXOfSarhoHPVvWTPTXD5uTo0RAcN6sterGO
| WvheMnEL9fm4yGdLUfv8U25U81HvAgMBAAGjJDAiMBMGA1UdJQQMMAoGCCsGAQUF
| BwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQUFAAOCAQEAjjJfpfDBizHwIIDh
| NzHqn1Dz44bnuCkuxdfZ+u3WrqQ0XuflgTMhgbqN8OZZPuXzZHQNdbnYieQimXVw
| kRAR/JbqTC+8s+cYBRytpu/ZSO1f61yz2fiySSxjr/bkrQY/SVr7fpR57BQl6bh9
| Y+lx4ms3p45YcQnuOIPKvIvPw60potiGHWmnT17XWcrA44TFdgB0NITnx7xVNRk2
| AaA/GyIjsbkt/s9fs3kqN8OK3HhkdC3FxPZzRpkW6AsxBwTc5CgeQg7if4CafRSA
| j+G8IXwBpRY5SyTz6YJeSKxEjrF1I9u9RtnnGxOHujkexmOf73s6RTRVP/4ENUT4
| NS4Czg==
|_-----END CERTIFICATE-----
|_ssl-date: 2022-08-12T16:34:20+00:00; 0s from scanner time.
8080/tcp open  http       syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
|_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)

Found 3 open ports.
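As an added example (not part of the original write-up), the following Python script parses nmap's normal (-oN) output into a per-port summary and flags the points that usually end up in a report: risky HTTP methods, self-signed or SHA-1-signed certificates, and certificates that have expired as of the scan date. The sample input is the scan output above with the PEM block removed; the function names and the as_of parameter are my own.

```python
"""Turn nmap normal output (-oN) into a per-port summary with report notes."""
import re
from datetime import datetime

# Constructed sample: the port and NSE script lines from the scan above,
# with the base64 certificate body trimmed out.
SAMPLE_SCAN = """\
80/tcp   open  http       syn-ack ttl 127 Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
3389/tcp open  tcpwrapped syn-ack ttl 127
| ssl-cert: Subject: commonName=alfred
| Issuer: commonName=alfred
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2022-08-11T16:26:23
| Not valid after:  2023-02-10T16:26:23
|_ssl-date: 2022-08-12T16:34:20+00:00; 0s from scanner time.
8080/tcp open  http       syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
"""

# Port line: "80/tcp   open  http       syn-ack ttl 127 Microsoft IIS httpd 7.5"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# With -vv nmap prefixes the version string with the reason ("syn-ack ttl 127").
REASON_RE = re.compile(r"^(?:syn-ack|conn-refused|no-response|reset)(?:\s+ttl\s+\d+)?\s*")
# NSE script output lines start with "| " or "|_".
SCRIPT_RE = re.compile(r"^\|_?\s*")


def _cert_notes(cert, as_of):
    """Derive report notes from the ssl-cert fields collected for one port."""
    notes = []
    if cert.get("Subject") and cert.get("Subject") == cert.get("Issuer"):
        notes.append("self-signed certificate (subject equals issuer)")
    if cert.get("Signature Algorithm", "").lower().startswith("sha1"):
        notes.append("certificate signed with SHA-1")
    expiry = cert.get("Not valid after")
    if expiry and as_of is not None and datetime.fromisoformat(expiry) < as_of:
        notes.append(f"certificate expired on {expiry}")
    return notes


def parse_nmap(text, as_of=None):
    """Return one dict per port: port, proto, state, service, version, notes.

    as_of is an ISO-8601 timestamp (assumed UTC, no offset) used for the
    certificate expiry check; pass the scan time.
    """
    as_of_dt = datetime.fromisoformat(as_of) if as_of else None
    ports, current, cert = [], None, {}
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            if current is not None:
                current["notes"].extend(_cert_notes(cert, as_of_dt))
            port, proto, state, service, rest = m.groups()
            current = {
                "port": int(port), "proto": proto, "state": state,
                "service": service,
                "version": REASON_RE.sub("", rest or "").strip(),
                "notes": [],
            }
            cert = {}
            ports.append(current)
            continue
        if current is None or not line.startswith("|"):
            continue  # headers, blank lines and summary text
        key, _, value = SCRIPT_RE.sub("", line).partition(":")
        key, value = key.strip(), value.strip()
        if key == "ssl-cert":  # first line carries "Subject: ..." after the script name
            key, _, value = value.partition(":")
            key, value = key.strip(), value.strip()
        if key == "Potentially risky methods":
            current["notes"].append(f"risky HTTP methods enabled: {value}")
        elif key in ("Subject", "Issuer", "Signature Algorithm", "Not valid after"):
            cert[key] = value
    if current is not None:
        current["notes"].extend(_cert_notes(cert, as_of_dt))
    return ports


def render_summary(ports):
    """Plain-text table of the kind a report's open-ports section needs."""
    rows = [f"{'Port':<10}{'Service':<12}{'Version':<28}Notes"]
    for p in ports:
        rows.append(f"{str(p['port']) + '/' + p['proto']:<10}{p['service']:<12}"
                    f"{p['version'] or '-':<28}{'; '.join(p['notes']) or '-'}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_summary(parse_nmap(SAMPLE_SCAN, as_of="2022-08-12T16:34:20")))
```

Run it against a real -oN file by reading the file into parse_nmap; the expiry check only fires when as_of is supplied, so the ssl-date line from the scan is the natural value to pass.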

Let's start with port 80 (HTTP).

Let's try directory brute forcing.

We found nothing interesting.

Port 8080 (HTTP)

Trying the credentials admin:admin, we get in.

Let's look around for something interesting.

We can see that there is a way to execute commands.

OK, first let's set up a listener with Metasploit.

Now copy the PowerShell command into the command executor.

We got a reverse shell. Use sessions to view the sessions.

sessions -i → to interact with the session.

Privilege Escalation:

Let's use token impersonation to gain SYSTEM access.

  1. load incognito
  2. list_tokens -g
  3. impersonate_token "BUILTIN\Administrators"

If you cannot find the flag in the default place and there is no hint of its location, you can use the search command to search the system for the file.
