HTB: Retired Machine Querier (Windows — Medium) — TCM’s PNPT Capstone
We will start off with an nmap scan
Now we will run a Service scan
We’ll check and see if there are any open SMB shares
Let’s authenticate and see what we can find
Let’s install oletools via pip
Then we can use one of the tools (olevba) to read the file
User: reporting
Password: PcwTWTHRwryjc$c6
Let’s run help
Nothing really of interest when enumerating users
Let’s start up responder
Within the SQL connection, we will use xp_dirtree to connect to our machine
We receive an NTLM hash from Responder
Let’s try and crack it with the rockyou wordlist
Let’s log into mssql as the service account
We will start up a netcat session
Then we will set up an smbserver in the directory where we are hosting netcat and use it with xp_cmdshell to get us a reverse connection
Enabling the cmdshell
Forgot to set the smb2support flag on my SMB Server
It takes a few seconds for the shell to connect
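The xp_cmdshell step above is also the noisiest part of this path from a defender's point of view: flipping 'show advanced options' and then 'xp_cmdshell' with sp_configure writes a "Configuration option ... changed from 0 to 1" line to the SQL Server error log. The script below is an added example, not code from the write-up or from any tool it uses; it parses constructed ERRORLOG-style lines (the timestamp and spid layout is an assumption) and reports any session that turned a command-execution option on.

```python
import re

# Constructed sample lines in the style of a SQL Server ERRORLOG.
# The timestamps and spids are illustrative; the message text is the one
# SQL Server writes when sp_configure changes an option.
SAMPLE_ERRORLOG = """\
2024-01-01 10:00:01.10 spid52      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-01 10:00:01.12 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-01 10:05:33.00 spid55      Configuration option 'backup compression default' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-01 11:00:00.00 spid60      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# Assumed line layout: "<date> <time> <spid>   Configuration option '<name>' changed from <old> to <new>."
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Server options that hand a SQL login OS-level code execution when enabled.
RISKY_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures"}


def parse_config_changes(text):
    """Return one dict per sp_configure change line found in the log text."""
    events = []
    for line in text.splitlines():
        m = CONFIG_CHANGE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["old"] = int(ev["old"])
        ev["new"] = int(ev["new"])
        events.append(ev)
    return events


def find_risky_enables(text):
    """Return the change events that switched a RISKY_OPTIONS entry from 0 to 1."""
    return [
        ev for ev in parse_config_changes(text)
        if ev["option"] in RISKY_OPTIONS and ev["old"] == 0 and ev["new"] == 1
    ]


def describe_findings(text):
    """Build one alert string per risky enable, noting whether the same spid
    unlocked 'show advanced options' first (the usual precursor)."""
    events = parse_config_changes(text)
    alerts = []
    for ev in find_risky_enables(text):
        precursor = any(
            e["spid"] == ev["spid"] and e["option"] == "show advanced options"
            and e["new"] == 1 and e["ts"] <= ev["ts"]
            for e in events
        )
        alerts.append(
            f"{ev['ts']} {ev['spid']} enabled {ev['option']}"
            + (" (after unlocking advanced options)" if precursor else "")
        )
    return alerts


if __name__ == "__main__":
    for alert in describe_findings(SAMPLE_ERRORLOG):
        print("ALERT:", alert)
```

Disabling the option again later (the spid60 line) is parsed but not alerted on, and an unrelated option change (spid55) is ignored; only the enable by spid52 is reported, together with the 'show advanced options' precursor that the same session performed.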
User.txt
Answer: aa8302fa3a2ee0f0a2b00418e397666b
Let’s upload PowerUp from PowerSploit
We will drop into PowerShell, import it, and then run all checks
Admin password: MyUnclesAreMarioAndLuigi!!1!
Using wmiexec to get an admin shell
Root.txt
Answer: ad746032c73d8f2b12ec45cd9496dd43
0xdf’s write-up on the other paths to root