Enumerating ports 1337 and 8080
⇒ There’s a login on port 8080; sadly, we couldn’t find anything useful there :
→ Couldn’t find anything…
⇒ On 1337 we have a default IIS page :
→ After running gobuster we discover :
→ The dev_notes file name contains a weird string. Base64-decoding it gives us a hex string :
Decoding the hex :
Password : m$$ql_S@_P@ssW0rd!
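The two decoding steps above (Base64, then hex), as an added example that is not part of the original write-up. The function names are hypothetical, and the sample string is constructed by re-encoding the password shown above, because the original file name is not reproduced in the text. It shows why stacking encodings on a secret protects nothing: each layer is recognisable and reversible without a key.

```python
import base64
import binascii
import re
import string

HEX_RE = re.compile(r"[0-9a-fA-F]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
# Printable ASCII without vertical tab / form feed.
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def _printable(data):
    return bool(data) and all(b in PRINTABLE for b in data)


def peel_once(text):
    """Return (layer_name, decoded_text), or None if no layer applies."""
    # Hex is tried first: hex digits are a subset of the Base64 alphabet.
    if len(text) % 2 == 0 and HEX_RE.fullmatch(text):
        raw = bytes.fromhex(text)
        if _printable(raw):
            return "hex", raw.decode("ascii")
    if len(text) % 4 == 0 and B64_RE.fullmatch(text):
        try:
            raw = base64.b64decode(text, validate=True)
        except binascii.Error:
            return None
        if _printable(raw):
            return "base64", raw.decode("ascii")
    return None


def peel_layers(text, max_layers=5):
    """Strip encoding layers until the text no longer decodes cleanly."""
    layers = []
    while len(layers) < max_layers:
        step = peel_once(text)
        if step is None:
            break
        layers.append(step[0])
        text = step[1]
    return layers, text


# Constructed sample: the password from the write-up, hex-encoded then Base64-encoded.
PASSWORD = "m$$ql_S@_P@ssW0rd!"
SAMPLE = base64.b64encode(PASSWORD.encode().hex().encode()).decode()

if __name__ == "__main__":
    print(peel_layers(SAMPLE))
```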
⇒ We logged in to MSSQL using mssqlclient.py and the credentials that we found :
mssqlclient.py -p 1433 admin:'m$$ql_S@_P@ssW0rd!'@10.10.10.52
Enumerating the MSSQL server :
⇒ We will be using a tool named DBeaver :
→ We got the user James’s credentials :
Exploiting Kerberos [ MS14-068 ]
⇒ This vulnerability could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers.
→ This is a well-known exploit, and it’s always worth checking for when pentesting.
⇒ We will be using goldenPac.py from impacket :
python goldenPac.py -dc-ip 10.10.10.52 -target-ip 10.10.10.52 HTB.LOCALemail@example.com