Vulnerabilities
The website on port 80 allows us to upload a .htaccess file, which in turn lets us specify custom file types. We can leverage this to bypass the server’s file type filtering and achieve remote code execution with a PHP webshell.
svc_apache uses a very weak password, which allowed us to easily recover it with a dictionary attack using Rockyou.txt.
svc_mssql has the
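Added example, not part of the original write-up: a defensive audit that walks a web root and flags any .htaccess file overriding handlers or MIME types, which is the mechanism behind the upload bypass noted above. The function names, the directive list and the sample file are assumptions made for illustration.

```python
import os
import re
import sys

# Apache directives that change which handler or MIME type is applied to a file.
# Directive names are case-insensitive in Apache, hence re.I.
RISKY = re.compile(r"^\s*(AddType|AddHandler|SetHandler|ForceType)\b(.*)$", re.I)

# Constructed sample of an uploaded .htaccess (not taken from the page).
SAMPLE = r"""# uploaded file
Options -Indexes
AddType application/x-httpd-php \
    .xyz
"""

def audit_htaccess(text):
    """Return (line_number, directive, arguments) for each handler/type override."""
    findings, logical, start = [], "", None
    # The extra "" flushes a file whose last line ends in a continuation.
    for n, raw in enumerate(text.splitlines() + [""], 1):
        start = start or n
        if raw.endswith("\\"):
            # Apache joins a line ending in a backslash with the next one.
            logical += raw[:-1] + " "
            continue
        m = RISKY.match(logical + raw)
        if m:
            findings.append((start, m.group(1), " ".join(m.group(2).split())))
        logical, start = "", None
    return findings

def scan_tree(root):
    """Map each .htaccess under root (relative path) to its risky directives."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Compare case-insensitively: some filesystems ignore case.
            if name.lower() == ".htaccess":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = audit_htaccess(fh.read())
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report

if __name__ == "__main__":
    # With no argument, audit the constructed sample; otherwise scan a directory.
    print(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else audit_htaccess(SAMPLE))
```

Any hit inside an upload directory deserves review. Setting AllowOverride None for that directory in the main Apache configuration stops uploaded .htaccess files from being honoured at all.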
Credentials
svc_mssql:trustno1
Hashes
$krb5tgs$23$*svc_mssql$access.offsec$MSSQLSvc/DC.access.offsec