Post-Exploitation
ipconfig /all
|S-chain|-<>-127.0.0.1:8083-<><>-172.16.8.3:5985-<><>-OK
|S-chain|-<>-127.0.0.1:8083-<><>-172.16.8.3:5985-<><>-OK
Windows IP Configuration
Host Name . . . . . . . . . . . . : DC01
Primary Dns Suffix . . . . . . . : INLANEFREIGHT.LOCAL
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : INLANEFREIGHT.LOCAL
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-B9-16-51
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::8c6e:6173:2179:e0a5%4(Preferred)
IPv4 Address. . . . . . . . . . . : 172.16.8.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.16.8.1
DHCPv6 IAID . . . . . . . . . . . : 100683862
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2A-29-62-C9-00-50-56-B9-16-51
DNS Servers . . . . . . . . . . . : ::1
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Ethernet1:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #2
Physical Address. . . . . . . . . : 00-50-56-B9-3A-88
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::ad24:d126:19f:f31d%7(Preferred)
IPv4 Address. . . . . . . . . . . : 172.16.9.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.16.9.1
DHCPv6 IAID . . . . . . . . . . . : 167792726
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2A-29-62-C9-00-50-56-B9-16-51
DNS Servers . . . . . . . . . . . : ::1
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
We see a second adapter, Ethernet1, with address 172.16.9.3 on a new network, 172.16.9.0, sitting behind DC01 (with its 255.255.0.0 mask it lies inside 172.16.0.0/16).
We find one live host there, 172.16.9.25.
Going back through the Department Shares folder, we can now access the Private subfolder.
We find some RSA keys.
I downloaded the RSA keys for both harry and james; perhaps one of them will let us SSH into the newly found host. But to even explore the other network and run scans to see whether SSH is open and what other services are running, we need to perform a double pivot.
So the chain becomes: our attack host -> Linux DMZ host -> DC01 -> 172.16.9.0 network.
For that we need the ligolo-ng agent binary for Windows as well. I used the following version:
Double Pivot
After transferring agent.exe to DC01 through the DMZ host, we can run it. But before that we need to add a new listener from the ligolo-ng console on our attack host; the listener is opened on the DMZ agent and forwards whatever connects to it back to our proxy:
On DC01 we start the agent and get the connection (it connects to the DMZ host's listener, not to us directly):
We don't need to add a route, because 172.16.9.0 already falls inside the 172.16.0.0/16 route we added for the first pivot. That route is bound to the existing ligolo tunnel interface, so it only reaches the new network if the DC01 session is the one tunnelled on that interface; if the second agent is started on a separate interface, a more specific route (for example a /24 for 172.16.9.0) through that interface is needed, and the longer prefix takes precedence over the /16.
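Whether 172.16.9.25 is already covered is a longest-prefix-match question against the attack host's routing table, and it is worth checking rather than assuming. The bash below is an added example, not part of the writeup: it reproduces that lookup over a constructed ip-route-style table, so you can see which tunnel interface a packet to the new host would leave on; on the real attack host `ip route get 172.16.9.25` asks the kernel the same thing. The interface names ligolo and ligolo2 and the sample routes are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): simulate the attack host's
# route lookup for a pivot target. The routing table is a constructed sample in
# `ip route show` format; interface names ligolo/ligolo2 are assumptions.

# ip2int A.B.C.D -> unsigned 32-bit integer
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_match NET/BITS IP: succeeds when IP lies inside NET/BITS
cidr_match() {
    local net="${1%/*}" bits="${1#*/}" ip="$2"
    local mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$ip") & mask )) ]
}

# best_route IP: read `ip route show` style lines on stdin and print the
# interface of the longest matching prefix (the kernel's lookup rule).
# "default" is treated as 0.0.0.0/0; the function fails if nothing matches.
best_route() {
    local ip="$1" best_bits=-1 best_dev="" line prefix dev bits
    while read -r line || [ -n "$line" ]; do
        set -- $line
        prefix="${1:-}"
        [ "$prefix" = "default" ] && prefix="0.0.0.0/0"
        case "$prefix" in */*) ;; *) continue ;; esac
        # the interface follows the "dev" keyword, wherever it sits on the line
        dev=""
        while [ $# -gt 1 ]; do
            [ "$1" = "dev" ] && { dev="$2"; break; }
            shift
        done
        [ -n "$dev" ] || continue
        cidr_match "$prefix" "$ip" || continue
        bits="${prefix#*/}"
        if [ "$bits" -gt "$best_bits" ]; then
            best_bits=$bits
            best_dev=$dev
        fi
    done
    [ -n "$best_dev" ] && { echo "$best_dev"; return 0; }
    return 1
}

# Constructed sample: the /16 pushed through the first (DMZ) tunnel, plus the
# more specific /24 you would add if the DC01 agent ran on its own interface.
SAMPLE_ROUTES='172.16.0.0/16 dev ligolo scope link
172.16.9.0/24 dev ligolo2 scope link'

# With only the /16 present, 172.16.9.25 is already routed, down whichever
# tunnel is bound to ligolo; once the /24 exists, longest prefix wins.
printf '%s\n' "$SAMPLE_ROUTES" | head -n 1 | best_route 172.16.9.25   # ligolo
printf '%s\n' "$SAMPLE_ROUTES" | best_route 172.16.9.25               # ligolo2
```

The practical reading: if the DC01 agent is tunnelled on the same interface the /16 points at, nothing needs adding; if it gets its own interface, add the /24 and the lookup above flips to it.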
SSH to the new host through the double pivot should now work:
Privilege Escalation
Enumerating the OS
The host's kernel version is vulnerable to CVE-2022-0847, aka Dirty Pipe. We can use exploit-2, the variant that works by overwriting a SUID binary.
First we search for SUID binaries:
We get a few, including this one:
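Picking the target for the SUID variant is worth automating rather than eyeballing a raw find listing: exploit-2 opens the binary read-only and splices it into a pipe, then overwrites the start of the file, so a usable target has to be a setuid binary we can read and one large enough to hold the payload. The bash below is an added example, not code from the writeup or from the exploit; the scan root, the 4096-byte minimum and the test files are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): enumerate setuid binaries and
# keep the ones usable as Dirty Pipe (CVE-2022-0847) exploit-2 targets.
# The exploit needs to read the file (it splices it into a pipe) and overwrites
# the beginning of it, so the file must be readable by us and at least as large
# as the payload. The minimum size of 4096 bytes is an assumption for illustration.

# suid_candidates ROOT MIN_SIZE: print setuid regular files under ROOT that are
# readable by the current user and at least MIN_SIZE bytes, one path per line.
suid_candidates() {
    local root="${1:-/}" min_size="${2:-4096}"
    find "$root" -xdev -type f -perm -4000 -readable \
        -size +"$((min_size - 1))"c -print 2>/dev/null | sort
}

# describe_candidates ROOT MIN_SIZE: the same list with owner, size and mode,
# which is what you want to check (root-owned, 4755) before choosing a target.
describe_candidates() {
    suid_candidates "$@" | while IFS= read -r path; do
        stat -c '%U %s %a %n' -- "$path"
    done
}

# Only walk the real filesystem when asked, so that sourcing this file
# (or appending checks to it) does not scan the whole disk.
if [ "${1:-}" = "--scan" ]; then
    describe_candidates / 4096
fi
```

Run it as `bash suid_candidates.sh --scan` on the target; anything owned by root, mode 4755 and readable is a candidate, and the original binary should be backed up (or restored, as exploit-2 does) since the overwrite lands on the real file in the page cache.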