49 lines
1.3 KiB
Markdown
49 lines
1.3 KiB
Markdown
|
|
||
|
|
## Searching for password
|
||
|
|
|
||
|
|
- In Registry
|
||
|
|
```
|
||
|
|
# VNC reg query "HKCU\Software\ORL\WinVNC3\Password"
|
||
|
|
# Windows autologin reg query
|
||
|
|
"HKLM\SOFTWARE\Microsoft\Windows
|
||
|
|
NT\Currentversion\Winlogon"
|
||
|
|
# SNMP Paramters reg query
|
||
|
|
"HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
|
||
|
|
# Putty reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
|
||
|
|
# Search for password in registry reg query HKLM /f password /t
|
||
|
|
REG_SZ /s reg query HKCU /f password /t REG_SZ /s
|
||
|
|
```
|
||
|
|
|
||
|
|
|
||
|
|
## Port Forwarding
|
||
|
|
|
||
|
|
1. Use netstat -ano to see which ports are open
|
||
|
|
![[image.BY7GW1.png]]
|
||
|
|
|
||
|
|
2. Download the latest version of plink.exe for the correct
|
||
|
|
architecture
|
||
|
|
https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
|
||
|
|
|
||
|
|
3. Host it on attack machine, download with certutil on victim
|
||
|
|
machine to a writeable folder (/temp/ or the user folder)
|
||
|
|
|
||
|
|
4. gedit /etc/ssh/sshd_config and set PermitRootLogin to Yes
|
||
|
|
![[image.1R0DW1.png]]
|
||
|
|
|
||
|
|
5. Restart and start SSH service
|
||
|
|
![[image.LN8OW1.png]]
|
||
|
|
|
||
|
|
6. Use the plink syntax for port forwarding
|
||
|
|
![[image.5B6BW1.png]]
|
||
|
|
|
||
|
|
7. Should bring us to "root" on our box - then we know it was
|
||
|
|
successful
|
||
|
|
![[image.ZN1NW1.png]]
|
||
|
|
|
||
|
|
8. Use winexe to get access to the machine again as
|
||
|
|
administrator
|
||
|
|
- Hit enter a few times until you get a shell9.
|
||
|
|
![[image.D7YRW1.png]]
|
||
|
|
|
||
|
|
9. You are now root/system!
|
||
|
|
![[image.GJOFW1.png]]
|