Acute is a hard Windows machine that starts with a website on port 443. The certificate of the website reveals a domain name, atsserver.acute.local. Looking around the website, there are several employees mentioned, and with this information it is possible to construct a list of possible users on the remote machine. Enumerating the website reveals a form with procedures regarding newcomers to the company. The form reveals the default password that all accounts are initially set up with. It also reveals a link for a Windows PowerShell Web Access (PSWA) session. Combining all the available information from the enumeration process, an attacker is able to get into a PowerShell session as the user edavies on Acute-PC01. Then, it is discovered that the user edavies is also logged on using an interactive session. By spying on the actions of edavies, the clear text password of the imonks user for ATSSERVER can be retrieved. The user imonks is running under Just Enough Administration (JEA) on ATSSERVER, but even with the limited command set an attacker is able to modify a script on ATSSERVER in order to make edavies a local administrator on Acute-PC01. Now that edavies is a local administrator, the HKLM\sam and HKLM\system hives can be retrieved from the system in order to extract the password hashes of all the users. The administrator hash turns out to be crackable and the clear text password is re-used for awallace on ATSSERVER. The user awallace is able to create BAT scripts in a directory where the user Lois will execute them. Lois has the rights to add imonks to the site_admin group, which in turn has rights over the Domain Admins group. So, after imonks is added to the site_admin group, he can add himself to the Domain Admins group and acquire administrative privileges.
Scope
IP Address: 10.10.11.145
Nmap Scan
First, I added the domain name, FQDN and computer name to the hosts file.
HTTP Enumeration
Subdomain enumeration didn't find anything on https://acute.local/. However, atsserver.acute.local has a webapp.
Several users were found, but I need to know the username format.
In the top right of the page, there is a link to a .docx file. When I clicked it, it downloaded the file to my Kali machine, so I will explore it locally.
Looking at the file details:
The creator of the file is Fcastle, who is not in my users list, so I will add him first along with Daniel, by whom the file was modified. It also gives us a hint that the username format is first letter of the first name + last name.
So the user list should be like this:
Another important thing is "Created on Acute-PC01", which tells us that there is a computer named Acute-PC01. So, we now have two computer names.
I opened the docx file and it looks like this:
There are two new links that I want to explore.
The two pages respond with 404.
This row tells us that the default password is Password1! and several users have this password.
PSWA means PowerShell Web Access, and dc_manage seems to be some kind of restriction.
The last row has a link; when clicked, it takes me to https://atsserver.acute.local/Acute_Staff_Access.
At the end, I can see that there is a group named site admin and Lois has control of it.
https://atsserver.acute.local/Acute_Staff_Access
It's a PowerShell Web Access console. I have the password, two computer names and several users, so I will try them.
When providing wrong credentials, this message appears:
A new message appears with the user Chall saying that we aren't authorized to connect to that computer name, so I will try the other one.
When I changed the computer name to Acute-PC01 and tried to authenticate as chall, it also failed. However, when I tried with Edavies, it took me to the PowerShell console.
Jmorgan and Natasha exist on the machine along with edavies.
I want to see who is a member of Remote Management Users, but when I asked the domain it failed, so I switched to querying the local group and got a result.
I also looked at the Administrators group and found that Jmorgan is a member of it.
I need to upgrade my shell so I can use an nc or meterpreter shell. In our situation, a meterpreter shell is better, and we will know why after a few steps.
At the root of the file system, there is a non-standard folder, Utils. Viewing the folder permissions, I found that edavies has (M) Modify permission, which means he can Read, Write, Execute and Delete.
I don't know why this folder exists, but I will continue from this folder as I have permissions on it.
Creating a meterpreter shell
Starting the Metasploit framework and listening
Download the shell and execute it.
Receiving a connection back
Personally, I didn't know what to do next as no escalation path was clear to me, so I got a hint that you can use the screenshare feature from a meterpreter session to capture desktop screenshots.
An HTML page opens, and I waited for something that could be useful.
If you get an error like this:
use the following command:
After a few moments, a new PowerShell console is opened and several commands are entered.
I now have new user credentials: imonks:W3_4R3_th3_f0rce.
I also noticed that when it tried to connect with PSSession it failed, and it used the dc_manage configuration.
In meterpreter, I started a shell and tried to execute a command as imonks.
Enter-PSSession failed as we saw in the screenshot, so I will try Invoke-Command, and it works :)
The user flag is there along with the wm.ps1 file.
User Flag: 42fd899d0cffc822513xxxxxxxxxxxxx
wm.ps1 contains PowerShell credentials of the Jmorgan user, who we know is a local admin on Acute-PC01. I couldn't run the script as Edavies because he isn't the user that created this file, so I will try to run the script as imonks to get a shell as jmorgan.
But first, I will modify this script to send me a shell.
Creating a meterpreter shell to receive a connection as jmorgan
Start listening with Metasploit
I want to modify the wm.ps1 script, so I typed Get-Command to see the available commands I can run.
I will use Set-Content to add the following lines to the script:
Check everything is correct
Trigger the Script
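The following added example, which is not part of the original write-up, shows why a JEA role like the dc_manage configuration used above must not expose a file-writing cmdlet such as Set-Content: it writes a weak and a hardened role capability file and audits both for commands that can modify files or run code. The file names, the verb list and the use of Windows PowerShell 5.1 or later are assumptions.

```powershell
# Added example (not from the original write-up). Audits a JEA role capability
# file (.psrc) for commands that let a constrained user write files or run
# code, which is how a restricted session can edit a script that another,
# more privileged account later executes. File names are assumptions.
function Test-JeaRoleCapability {
    param([Parameter(Mandatory)][string]$Path)
    $role = Import-PowerShellDataFile -Path $Path
    # Verbs whose cmdlets change state or execute code. Read-only verbs such
    # as Get and Test are left out deliberately.
    $riskyVerbs = 'Set', 'Add', 'New', 'Remove', 'Out', 'Copy', 'Move',
                  'Rename', 'Clear', 'Invoke', 'Start'
    foreach ($entry in @($role.VisibleCmdlets) + @($role.VisibleFunctions)) {
        # Entries are either a plain name or a hashtable with Name/Parameters.
        $name = if ($entry -is [hashtable]) { [string]$entry.Name } else { [string]$entry }
        if (-not $name) { continue }
        $verb = ($name -split '-', 2)[0]
        if ($name -eq '*' -or $verb -eq '*' -or $verb -in $riskyVerbs) {
            [pscustomobject]@{ File = $Path; Command = $name; Finding = 'can modify files or run code' }
        }
    }
}

# Weak role: exposes Set-Content on any path, so a user of this role can
# rewrite a script that a more privileged account runs (the wm.ps1 case).
New-PSRoleCapabilityFile -Path .\dc_manage_weak.psrc `
    -VisibleCmdlets 'Get-Content', 'Set-Content', 'Get-ChildItem', 'Invoke-Command'

# Hardened role: read-only cmdlets only. A write that is genuinely needed
# belongs in a FunctionDefinitions entry that hard-codes its target path,
# never in a visible Set-Content with a free Path parameter.
New-PSRoleCapabilityFile -Path .\dc_manage_hardened.psrc `
    -VisibleCmdlets 'Get-Content', 'Get-ChildItem'

# Reports Set-Content and Invoke-Command for the weak role.
Test-JeaRoleCapability -Path .\dc_manage_weak.psrc | Format-Table -AutoSize
# Reports nothing for the hardened role.
Test-JeaRoleCapability -Path .\dc_manage_hardened.psrc | Format-Table -AutoSize
```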
Shell as awallace
I will use the hashdump feature to dump the hashes and try to crack them.
Only the Administrator hash was cracked, using https://crackstation.net/.
I want to know which users exist on atsserver.
I will try to authenticate as these users with the Administrator password I cracked.
I got a hit with the awallace user.
I tried to enumerate the programs folder before as imonks but got Access Denied, so I will enumerate it again as the awallace user.
I will look again at keepmeon this time.
Listing the content of the file gives this script:
Asking ChatGPT about the exact function of that script:
So, I can create a .bat file and get it executed after 5 minutes as Lois, as the comment says. We also saw that Lois is the only user who can add members to the Site_admin group, so I will add jmorgan to that group and get Domain Admins privileges.
The comment field says that the site_admin group has access to Domain Admins.
Write a .bat file to add awallace to site_admin
After a few minutes, the user is added.
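As an added example (not from the original write-up, and not the keepmeon script itself), the check below finds the condition that makes both the Utils folder and the keepmeon directory dangerous: a principal other than the account that runs scripts from the directory can create or change files in it. The directory path, the ACUTE\Lois account name and the trusted-principal list are assumptions.

```powershell
# Added example (not from the original write-up). Lists every principal, other
# than the account that runs the scripts and the built-in admin identities,
# that can add or alter files in a directory from which a privileged account
# executes scripts on a schedule. Directory and account are assumptions.
function Find-WritableScriptDrop {
    param(
        [Parameter(Mandatory)][string]$ScriptDir,
        [Parameter(Mandatory)][string]$RunAsUser
    )
    $trusted = @($RunAsUser, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                 'NT SERVICE\TrustedInstaller')
    # Bits that allow adding or altering files or re-permissioning the folder.
    # Modify and FullControl both contain WriteData, so they are caught too.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                 [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership
    # Inherited ACEs on subfolders can carry generic rights instead of the
    # specific bits above; GENERIC_WRITE and GENERIC_ALL are checked as well.
    $genericMask = 0x40000000 -bor 0x10000000
    $acl = Get-Acl -LiteralPath $ScriptDir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($who -in $trusted) { continue }
        $raw = [int]$ace.FileSystemRights
        if (($raw -band [int]$writeMask) -eq 0 -and ($raw -band $genericMask) -eq 0) { continue }
        [pscustomobject]@{
            Directory = $ScriptDir
            Principal = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Risk      = "can drop or edit a script that runs as $RunAsUser"
        }
    }
}

# Path and account are placeholders standing in for the keepmeon directory
# and the account that executes the .bat files found there.
Find-WritableScriptDrop -ScriptDir 'C:\Program Files\keepmeon' -RunAsUser 'ACUTE\Lois' |
    Format-Table -AutoSize
```

Any row in the output is a principal who can turn the scheduled execution into code running as the listed account, so the fix is to remove that ACE or move the scripts to an administrator-owned path.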
Root Flag: d078dca1007c6bcdxxxxxxxxxxxxxxxx