Relevant
SMB shows the share 'nt4wrksv' when authenticating with null credentials.
Using smbclient to connect to the share shows the file passwords.txt.
The contents of passwords.txt are shown below:
We can see from the title and the trailing '==' that this is likely base64 encoded. Running both of these through base64 with the -d switch shows the true value.
Unfortunately, I was unable to use the credentials in any capacity. Referring back to the earlier SMB enumeration, we do have write access to the share nt4wrksv. Requesting the share name and passwords.txt on port 49663 returns the passwords.txt file, so the contents of the writable share are also served over HTTP.
With this we can use the following aspx reverse shell found here: https://raw.githubusercontent.com/borjmz/aspx-reverse-shell/master/shell.aspx.
Upload the shell to the SMB share.
Set a listener and then browse to the location of http://<IP>/nt4wrksv/shell.aspx. Shortly after we should receive a reverse shell.
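The root cause here is a share that is anonymously writable over SMB and also served by the web server. The following audit sketch is an added example, not part of the original write-up: it flags that overlap and lists server-executed file types found in such a share. All paths, site names and the file listing are constructed sample data; only the share name and port 49663 come from the text above.

```python
from pathlib import PureWindowsPath

# Extensions IIS commonly maps to server-side handlers.
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx"}

def _parts(path):
    """Path components, lower-cased because Windows paths ignore case."""
    return tuple(part.lower() for part in PureWindowsPath(path).parts)

def _inside(child, parent):
    """True when child is parent itself or lies beneath it."""
    c, p = _parts(child), _parts(parent)
    return c[:len(p)] == p

def exposed_shares(shares, web_dirs):
    """Return (share, site, port) for anonymously writable shares that overlap a web directory."""
    findings = []
    for share in shares:
        if not share["anon_write"]:
            continue
        for web in web_dirs:
            if _inside(share["path"], web["path"]) or _inside(web["path"], share["path"]):
                findings.append((share["name"], web["site"], web["port"]))
    return findings

def script_files(listing):
    """Return files in a share listing that the web server would execute rather than serve."""
    return sorted(n for n in listing if PureWindowsPath(n).suffix.lower() in SCRIPT_EXTS)

# Constructed inventory: paths and site names are placeholders, not values from the target.
SHARES = [
    {"name": "nt4wrksv", "path": r"D:\example\webroot\nt4wrksv", "anon_write": True},
    {"name": "backups", "path": r"D:\example\backups", "anon_write": True},
    {"name": "docs", "path": r"D:\EXAMPLE\webroot\docs", "anon_write": False},
]
WEB_DIRS = [
    {"site": "site-a", "path": r"D:\example\other", "port": 8080},
    {"site": "site-b", "path": r"d:\example\webroot", "port": 49663},
]
LISTING = ["passwords.txt", "shell.aspx", "notes.TXT", "Upload.ASHX"]  # constructed

if __name__ == "__main__":
    for name, site, port in exposed_shares(SHARES, WEB_DIRS):
        print(f"share {name} is anonymously writable and served by {site} on port {port}")
    print("server-executed files in share:", script_files(LISTING))
```

Any finding from `exposed_shares` means uploaded content can be executed by the web server; removing anonymous write access or moving the share outside the web root closes it.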
Checking the available privileges, we do have SeImpersonatePrivilege, which is not surprising as this is normally given to service accounts.
I tried a JuicyPotato exploit here and was unsuccessful. It seemed AV was removing my exploit every time I tried to run it. Further research on Google shows a newer exploit that abuses this privilege to gain SYSTEM, which is linked here: https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/.
We can download a pre-compiled exploit here: https://github.com/dievus/printspoofer/raw/master/PrintSpoofer.exe
Once it is uploaded to the machine through SMB, we can run it with the following syntax to gain a SYSTEM shell.