Port enumeration

Using nmap I am able to found 2 open ports, 80 and 5985. 0be1290c052e1336362352bf02c2a523.png

Web enumeration

First thing I see is the URL, it looks like it is refering to a local file. 98456b663e56a60ad76d80191afc840b.png Using path traversal, I found who I am able to access other local files in the system. cd2332d250abe4e5b2f7eb5ac2728e5f.png

Responder

Using this vulnerability, I will be able to access internal services of the machine, and the windows, will send the NTLM hash, who can be intercepted with respondes.

responder -I tun0

59132d9b28958c714e132d75a845d1ee.png Using the LFI vulnerability, I access to a smb service. 7f2597ef1f58661db95f76e2f615dad1.png Responder has intercepted the NTLM hash. b872974a235df15de62a2be431ce1bc2.png

Hash crack

Using John the Ripper, Im able to crack the password hash.

john --wordlist=/usr/share/wordlists/rockyou.txt john.txt

1164c9d618d8090fc7b6ca24b103d71f.png

Obtaining a shell

Using this password, I can obtain a shell using evil-winrm.

evil-winrm -u Administrator -p badminton -i 10.129.32.194

17ef909d0aa86435d1d5e52d4dcd0da7.png Using this shell I'm able to found the flag. 7fffef5c1d7d921d455159f029639e92.png