Network Configuration Operators  Members in this group can have some administrative privileges t.
IIS_IUSRS  Built-in group used by Internet Information Services.
Hyper-V Administrators  Members of this group have complete and unrestricted access to.
Guests  Guests have the same access as members of the Users group by de.
SeTimeZonePrivilege  Change the time zone  Enabled
Access Control Assistance Operators  Members of this group can remotely query authorization attribut.
Administrators  Administrators have complete and unrestricted access to the com.
Backup Operators  Backup Operators can override security restrictions for the sol.
Cryptographic Operators  Members are authorized to perform cryptographic operations.
Device Owners  Members of this group can change system-wide settings.
Distributed COM Users  Members are allowed to launch, activate and use Distributed COM.
Event Log Readers  Members of this group can read event logs from local machine
SeIncreaseWorkingSetPrivilege  Increase a process working set  Enabled
SeUndockPrivilege  Remove computer from docking station  Enabled
SeChangeNotifyPrivilege  Bypass traverse checking  Enabled
SeShutdownPrivilege  Shut down the system  Enabled
Mandatory Label\Medium Mandatory Level  Label  S-1-16-8192
NT AUTHORITY\NTLM Authentication  Well-known group  S-1-5-64-10  Mandatory group, Enabled by defaul
NT AUTHORITY\Local account  Well-known group  S-1-5-113  Mandatory group, Enabled by defaul
NT AUTHORITY\This Organization  Well-known group  S-1-5-15  Mandatory group, Enabled by defaul
NT AUTHORITY\Authenticated Users  Well-known group  S-1-5-11  Mandatory group, Enabled by defaul
NT AUTHORITY\NETWORK  Well-known group  S-1-5-2  Mandatory group, Enabled by defaul

SSH to the Target

ssh

Enumeration

Operating Environment

In this particular example, we were able to issue a POST request to the API and obtain a set of running processes, which revealed credentials issued on the command line.
ariah:NowiseSloopTheory139

An unprotected API allows an unauthenticated user to issue requests to an API endpoint that returns sensitive information about the host.

Looks like we have a username and a base64-encoded password.

Set it to 0 since we're not sending any data.

Well, what about a POST request?

curl -X POST -H 'Content-Length: 0'

Content-Length is a required header for a POST request.

The response from the server is a bit intriguing.

Let's see if we can test it manually with curl.

So, I inspected the page source code and the answer was clear as to why.

All of the form actions point to an APIPA IP address, which causes the actions to fail.

When interacting with the buttons on this page, the actions time out.

sudo nmap -Pn -p139 -T4 --script "discovery and smb*" NICKEL

Let's use the discovery category of all smb* scripts with nmap and see what we get back now that we have a NetBIOS name.

sudo nano /etc/hosts  # Edit the hosts file
192.168.179.99 NICKEL  # Add an entry for this target

Doing some Googling, the product number, 2 is assigned to Windows 10 version 1903.

The RDP enumeration from the initial nmap scan gives me a NetBIOS name for the target.

Use netcat to get a version banner from the service.

Test the FTP server for anonymous login and see if I can get a version banner from the server.

# Nmap done at Thu Aug 25 22:24:46 2022 - 1 IP address (1 host up) scanned in 89.66 seconds
|_smb2-time: ERROR: Script execution failed (use -d to debug)
|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server.
Service Info: OS: Windows CPE: cpe:/o:microsoft:windows
No exact OS matches for host (test conditions non-ideal).
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows XP SP3 (89%), Microsoft Windows XP SP2 (86%), Microsoft Windows 7 (85%)
Running (JUST GUESSING): Microsoft Windows XP|7 (89%)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
|_http-server-header: Microsoft-HTTPAPI/2.0
33333/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: T02:24:45+00:00 0s from scanner time.
8089/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)