Hello Everyone!
The victim of this week’s Hall tool Evil-WinRM, written in Ruby.
https://github.com/Hall, we get our first flag from user.txt on the Desktop.
3- Privilege Escalation
The “todo.txt” file asks that the issues at http://10.10.10.149 be checked and that the problem in the router config file be corrected. In other words, a user named Chase is the person who is to solve a problem for a user named Hazard. The last part notes that the Guest account has limited access.
We use the “get-process” command to see which browser Chase is using to look into the problems. It looks like Chase is using Firefox. Our current goal is to create a memory dump of the Firefox process with ProcDump, a tool normally used to determine why applications crash. Put ProcDump in the Evil-WinRM folder and transfer it to the current location on the target with the upload command.
With the strings64 tool we extract the printable strings from the dump file and write them to a text file, then filter that file for the term “login.php”. This shows us the values entered on the login screen, which identify the passwords of other users.
Here we learned the password of “email@example.com” by filtering the Firefox memory dump for “login.php”. I’ll try to log into the Administrator account using “Administrator:4dD!5}x/re8]FBuZ”.
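The defensive counterpart of the steps above, added here as an example and not part of the original write-up: a detector that flags ProcDump being launched against a browser process. The event format, the tool and browser name sets, and all sample events are constructed for this example (not real Sysmon or EDR output).

```python
DUMP_TOOLS = {"procdump.exe", "procdump64.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}


def basename(path):
    """Lower-cased file name of a Windows path; tolerates quotes and either slash."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_browser_dumps(lines):
    """Return one alert per ProcDump launch whose target is a browser process.

    Events use the constructed format 'timestamp|user|pid|image|commandline'.
    ProcDump accepts the target as an image name or a PID, so a pid -> image map
    is built from every creation event and numeric targets are resolved through it.
    """
    pid_image = {}
    alerts = []
    for line in lines:
        ts, user, pid, image, cmdline = line.rstrip("\n").split("|", 4)
        exe = basename(image)
        pid_image[int(pid)] = exe
        if exe not in DUMP_TOOLS:
            continue
        args = cmdline.split()[1:]           # constructed lines have no quoted arguments
        for tok in args:
            if tok.startswith("-"):          # switches such as -ma or -accepteula
                continue
            if tok.isdigit():                # target given as a PID
                target = pid_image.get(int(tok))
            else:                            # target given as a name, with or without .exe
                name = basename(tok)
                target = name if name.endswith(".exe") else name + ".exe"
            if target in BROWSERS:
                alerts.append({"ts": ts, "user": user, "tool": exe, "target": target,
                               "full_dump": any(a.lower() == "-ma" for a in args)})
                break                        # one alert per launch
    return alerts


# Constructed sample events: Firefox starts, a PID-based full dump of it, an unrelated
# command, a name-based dump of Firefox, and a dump of Notepad (should not alert).
SAMPLE_EVENTS = [
    "2019-08-01T10:00:01|WS01\\chase|3212|C:\\Program Files\\Mozilla Firefox\\firefox.exe|firefox.exe",
    "2019-08-01T10:02:17|WS01\\chase|4100|C:\\Users\\Chase\\Documents\\procdump64.exe|procdump64.exe -accepteula -ma 3212 firefox.dmp",
    "2019-08-01T10:03:05|WS01\\chase|4120|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir",
    "2019-08-01T10:05:44|WS01\\chase|4201|C:\\Tools\\procdump.exe|procdump.exe firefox fx2.dmp",
    "2019-08-01T10:06:00|WS01\\chase|4300|C:\\Tools\\procdump.exe|procdump.exe -ma notepad np.dmp",
]
```

Running `find_browser_dumps(SAMPLE_EVENTS)` yields two alerts, one for each ProcDump launch aimed at Firefox; the Notepad dump is ignored.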
We log in again with Evil-WinRM and grab our flag.