We have anonymous FTP login, so let's get in and download all the files.
wget --recursive --no-parent --ftp-user=anonymous --ftp-password=a ftp://10.10.10.77
AppLocker procedure to be documented - hash rules for exe, msi and scripts (ps1,vbs,cmd,bat,js) are in effect.
please email me any rtf format procedures - I'll review and convert.
new format / converted documents will be saved here.
From readme.txt we can conclude that there is some automation that opens RTF files. We need to email an RTF reverse shell, but we don't have any victim email addresses yet.
➜ documents exiftool Windows\ Event\ Forwarding.docx
ExifTool Version Number : 12.65
File Name : Windows Event Forwarding.docx
Directory : .
File Size : 15 kB
File Modification Date/Time : 2017:10:31 21:13:00+05:30
File Access Date/Time : 2024:01:13 11:50:22+05:30
File Inode Change Date/Time : 2024:01:13 11:50:13+05:30
File Permissions : -rw-r--r--
File Type : DOCX
File Type Extension : docx
MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version : 20
Zip Bit Flag : 0x0006
Zip Compression : Deflated
Zip Modify Date : 1980:01:01 00:00:00
Zip CRC : 0x82872409
Zip Compressed Size : 385
Zip Uncompressed Size : 1422
Zip File Name : [Content_Types].xml
Creator : nico@megabank.com
Revision Number : 4
Create Date : 2017:10:31 18:42:00Z
Modify Date : 2017:10:31 18:51:00Z
Template : Normal.dotm
Total Edit Time : 5 minutes
Pages : 2
Words : 299
Characters : 1709
Application : Microsoft Office Word
Doc Security : None
Lines : 14
Paragraphs : 4
Scale Crop : No
Heading Pairs : Title, 1
Titles Of Parts :
Company :
Links Up To Date : No
Characters With Spaces : 2004
Shared Doc : No
Hyperlinks Changed : No
App Version : 14.0000
We got an email address -> nico@megabank.com
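The Creator value that exiftool printed is stored in the DOCX package's docProps/core.xml part. As an added example (not part of the original write-up), this Python audit flags identity-bearing metadata in a document before it is published to a share such as this anonymous FTP; the function names and the constructed sample document are assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in OOXML packages
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Core properties that typically carry an author identity
IDENTITY_FIELDS = ("dc:creator", "cp:lastModifiedBy")


def audit_docx(data: bytes) -> dict:
    """Return identity fields from docProps/core.xml and any e-mail addresses in them."""
    findings = {"fields": {}, "emails": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        if "docProps/core.xml" not in pkg.namelist():
            return findings  # no core-properties part, nothing to report
        root = ET.fromstring(pkg.read("docProps/core.xml"))
    for field in IDENTITY_FIELDS:
        node = root.find(field, NS)
        if node is not None and node.text:
            findings["fields"][field] = node.text
            findings["emails"] += EMAIL_RE.findall(node.text)
    return findings


def build_sample_docx(creator: str) -> bytes:
    """Constructed sample: a minimal ZIP holding only the core-properties part."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        f"<dc:creator>{creator}</dc:creator>"
        "<cp:lastModifiedBy>editor</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    # Creator value taken from the exiftool output above
    print(audit_docx(build_sample_docx("nico@megabank.com")))
```

Any file for which `emails` is non-empty should have its document properties cleared before it leaves the organisation.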
Now we need to create a reverse shell in RTF format.
https://github.com/bhdresh/CVE-2017-0199