Date: Mar 25, 2025 → Mar 25, 2025
Tags: Network Scanning, Credential Harvesting, Privilege Escalation Techniques
192.168.134.157
Nmap
└─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-25 01:26 EDT
Nmap scan report for 192.168.134.157
Host is up (0.052s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 13.77 seconds
└─# nmap -sU -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-25 01:26 EDT
Warning: 192.168.134.157 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.134.157
Host is up (0.069s latency).
All 65535 scanned ports on 192.168.134.157 are in ignored states.
Not shown: 65386 open|filtered udp ports (no-response), 149 closed udp ports (port-unreach)
Nmap done: 1 IP address (1 host up) scanned in 144.90 seconds
139,445

We can log in over SMB.


I believe these .reg files contain important information, and I found the script below
go-DecryptTeamViewer
Secd0g • Updated May 30, 2023

Then I successfully obtained the passwords
| username | password |
| --- | --- |
| fox | iparalipomenidellabatracomiomachia |
| alberobello | alberobello |
| giammy | hackmeifyoureable |
| golemitratigunda | bangladesh |
| mara | paralipomenibatracomiomachia |
| vale | cocomerirossi |
We discovered that only fox can log in

After investigating the .forward file, we discovered that when an email is sent to fox, it uses the command in .forward to forward it. We can replace the command in .forward with a reverse shell, then send an email to connect to the target machine.
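A defender-side check for the mechanism described above, as an added example that is not part of the original write-up: it parses a `.forward` file, reports every entry that pipes mail to a program, and flags a file that group or other can write. The function names and the sample file contents are constructed for illustration.

```python
import csv
import os
import stat
import tempfile

def classify(entry):
    """Classify one .forward destination: pipe, file, include or address."""
    entry = entry.strip().lstrip("\\")
    if entry.startswith("|"):
        return "pipe"        # mail is fed to a program run as the mailbox owner
    if entry.startswith("/"):
        return "file"        # mail is appended to a file
    if entry.startswith(":include:"):
        return "include"     # destinations are read from another file
    return "address"

def audit_forward(path):
    """Return findings for one .forward file: loose mode bits and pipe entries."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"mode {stat.S_IMODE(mode):o} is writable by group/other")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue     # skip blank lines and '#' lines
            # Entries are comma-separated; a quoted entry may contain spaces.
            for entry in next(csv.reader([line], skipinitialspace=True)):
                if classify(entry) == "pipe":
                    findings.append(f"line {lineno}: runs {entry.strip().lstrip('|').strip()}")
    return findings

def demo():
    """Audit a constructed sample file (not taken from the target in the write-up)."""
    sample = '# constructed sample\n\\fox, "|/usr/bin/procmail -f-"\narchive@example.org\n'
    with tempfile.TemporaryDirectory() as home:
        path = os.path.join(home, ".forward")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o664)
        return audit_forward(path)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run `audit_forward` over each home directory's `.forward` and review any pipe entry that the mailbox owner did not set up; the mode check does not cover write access granted through a file share, which has to be reviewed in the share configuration.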


PE
Using LinPEAS, we found that we can edit this file and execute it as root.


It failed, since it adds a newline character at the line we added. Let's try another approach.

We can see mara's SSH password, so let's try logging in.
But after trying it, it didn't work, so after trying each account, we found that it is fox's password.
Since DOSBox failed, we can get a UI to operate it.

So we add our root into passwd.
After the change, we successfully rooted!
