1) Enumeration will show you a running web server. Additionally, it's important to note SMB and WinRM are also running. We will leverage these once we get a hold of some credentials.
2) The web server has a login page -> I didn't try a username/password combination and proceeded to "Login as guest". The page has a publicly available conversation between "Hazard" and "Support Admin" in issues.php. Additionally, there is an attachment within this conversation. The attachment contains some credzzz. Be sure to crack all of them if time permits. I used this site for the type 7 password: <http://www.ifm.net.nz/cookbooks/passwordcracker.html>
3) Lookupsids.py is an Impacket tool that serves as a Windows SID bruteforcer example through the [MS-LSAT] MSRPC interface, aiming at finding remote users/groups. With the following set of credentials (hazard:stealth1agent), we can enumerate usernames from the target host.
4) With a list of potential usernames and a list of potential passwords... you can use crackmapexec to automate login attempts via SMB or WinRM. Below is the whole screenshot of what this looked like :). It stops once it authenticates with a valid set of credentials. Chase:<bunch of garble>
5) I use my go-to WinRM Shell just to keep it different. I simply change the credentials and IP address and call it a day.
6) Running processes show firefox is running. Using procdump, we are able to dump the PID to see if we can find some creds in there (Spoiler alert. We find creds).
7) I transfer the *.dmp file onto my Kali machine and use strings for my initial swing at this. I also grep for the word "password" and poof... #magic. We can see some creds being passed. "login_password" is the variable being.
8) You can use crackmapexec for the last part of this... or if you get bored, switch to some psexec action. Pretty simple. Use either tool to get your shell or simply run commands. Both of these generate plenty of artifacts on your target systems so be sure to research those if you have OPSEC considerations. Below are some links I found if you want to look more into psexec detection:
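
As a starting point for the psexec detection mentioned in step 8, here is an added example (not part of the original write-up) that flags service-installation events (System event ID 7045) that look PsExec-like and pairs each with the most recent network logon (Security event ID 4624, logon type 3) on the same host. The flat JSON event layout, the 60-second correlation window, and the sample events are assumptions constructed for this example.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample events; the flat JSON layout is an assumption of this example.
SAMPLE_EVENTS = r"""
{"time":"2024-05-01T10:00:05","host":"SRV01","id":4624,"LogonType":3,"TargetUserName":"administrator","IpAddress":"10.0.0.50"}
{"time":"2024-05-01T10:00:07","host":"SRV01","id":7045,"ServiceName":"PSEXESVC","ImagePath":"%SystemRoot%\\PSEXESVC.exe"}
{"time":"2024-05-01T11:30:00","host":"SRV01","id":7045,"ServiceName":"Print Helper","ImagePath":"C:\\Program Files\\Vendor\\helper.exe"}
{"time":"2024-05-01T12:15:40","host":"SRV02","id":4624,"LogonType":3,"TargetUserName":"administrator","IpAddress":"10.0.0.50"}
{"time":"2024-05-01T12:15:42","host":"SRV02","id":7045,"ServiceName":"kQzR","ImagePath":"%systemroot%\\hXwPqLmT.exe"}
"""

# ADMIN$ maps to the Windows directory, so a service binary sitting directly in it is worth a look.
ROOT_EXE = re.compile(r"^(%systemroot%|[a-z]:\\windows)\\[^\\]+\.exe$", re.I)
WINDOW = timedelta(seconds=60)  # assumed correlation window between logon and service install

def classify(event):
    """Return a reason string if a 7045 service install looks PsExec-like, else None."""
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "").strip('"')
    if name.upper() == "PSEXESVC" or path.lower().endswith("\\psexesvc.exe"):
        return "default PsExec service name"
    if ROOT_EXE.match(path):
        return "service binary in Windows root"
    return None

def find_remote_service_installs(lines):
    """Flag suspicious 7045 events and attach the latest network logon seen on that host."""
    events = [json.loads(l) for l in lines.splitlines() if l.strip()]
    events.sort(key=lambda e: e["time"])
    last_logon = {}  # host -> (timestamp, most recent type 3 logon event)
    alerts = []
    for ev in events:
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4624 and ev.get("LogonType") == 3:
            last_logon[ev["host"]] = (when, ev)
        elif ev["id"] == 7045:
            reason = classify(ev)
            if reason is None:
                continue
            seen = last_logon.get(ev["host"])
            logon = seen[1] if seen and when - seen[0] <= WINDOW else {}
            alerts.append({"host": ev["host"], "service": ev["ServiceName"], "reason": reason,
                           "source_ip": logon.get("IpAddress"), "user": logon.get("TargetUserName")})
    return alerts

if __name__ == "__main__":
    for alert in find_remote_service_installs(SAMPLE_EVENTS):
        print(alert)
```

The Windows-root heuristic also catches renamed service binaries, at the cost of occasional hits on legitimate software that installs there, so treat it as a triage signal rather than a verdict.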
Thank you all for reading this. Until next time!