System/Kernel
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> systeminfo ; Get-ComputerInfo
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~.
At line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
WindowsBuildLabEx : 14393.4283.amd64fre.rs1_release.210303-1802
WindowsCurrentVersion : 6.3
WindowsEditionId : ServerStandard
WindowsInstallationType : Server Core
WindowsInstallDateFromRegistry : 9/24/2020 6:54:17 AM
WindowsProductId : 00376-30821-30176-AA213
WindowsProductName : Windows Server 2016 Standard
WindowsRegisteredOrganization : Managed by Terraform
WindowsRegisteredOwner : Administrator
WindowsSystemRoot : C:\Windows
OsServerLevel : ServerCore
TimeZone : (UTC+00:00) Dublin, Edinburgh, Lisbon, London
PowerPlatformRole : Desktop
DeviceGuardSmartStatus : Off
Windows Server 2016 Standard
6.3
Managed by Terraform
14393.4283.amd64fre.rs1_release.210303-1802
Networks
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> ipconfig /all ; arp -a
Windows IP Configuration
Host Name . . . . . . . . . . . . : apt
Primary Dns Suffix . . . . . . . : htb.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : htb.local
htb
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : htb
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-B9-47-0D
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : dead:beef::24b(Preferred)
Lease Obtained. . . . . . . . . . : Sunday, October 22, 2023 1:26:25 PM
Lease Expires . . . . . . . . . . : Monday, October 23, 2023 12:26:25 AM
IPv6 Address. . . . . . . . . . . : dead:beef::183f:801c:80e2:9c63(Preferred)
IPv6 Address. . . . . . . . . . . : dead:beef::b885:d62a:d679:573f(Preferred)
Link-local IPv6 Address . . . . . : fe80::183f:801c:80e2:9c63%5(Preferred)
IPv4 Address. . . . . . . . . . . : 10.10.10.213(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : dead:beef::1
fe80::250:56ff:feb9:d784%5
10.10.10.2
DHCPv6 IAID . . . . . . . . . . . : 50352214
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2C-C6-CD-0D-00-50-56-B9-47-0D
DNS Servers . . . . . . . . . . . : 127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Connection-specific DNS Suffix Search List :
htb
Interface: 10.10.10.213 --- 0x5
Internet Address Physical Address Type
10.10.10.2 00-50-56-b9-d7-84 dynamic
10.10.10.255 ff-ff-ff-ff-ff-ff static
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> netstat -ano | Select-String LIST
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 592
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 820
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 592
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 592
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 820
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 592
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 592
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 592
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 1844
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 460
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 936
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 984
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 592
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 592
TCP 0.0.0.0:49670 0.0.0.0:0 LISTENING 592
TCP 0.0.0.0:49675 0.0.0.0:0 LISTENING 584
TCP 0.0.0.0:49695 0.0.0.0:0 LISTENING 1936
TCP 0.0.0.0:58348 0.0.0.0:0 LISTENING 1864
TCP 10.10.10.213:53 0.0.0.0:0 LISTENING 1936
TCP 10.10.10.213:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 1936
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:88 [::]:0 LISTENING 592
TCP [::]:135 [::]:0 LISTENING 820
TCP [::]:389 [::]:0 LISTENING 592
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:464 [::]:0 LISTENING 592
TCP [::]:593 [::]:0 LISTENING 820
TCP [::]:636 [::]:0 LISTENING 592
TCP [::]:3268 [::]:0 LISTENING 592
TCP [::]:3269 [::]:0 LISTENING 592
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:9389 [::]:0 LISTENING 1844
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 460
TCP [::]:49665 [::]:0 LISTENING 936
TCP [::]:49666 [::]:0 LISTENING 984
TCP [::]:49667 [::]:0 LISTENING 592
TCP [::]:49669 [::]:0 LISTENING 592
TCP [::]:49670 [::]:0 LISTENING 592
TCP [::]:49675 [::]:0 LISTENING 584
TCP [::]:49695 [::]:0 LISTENING 1936
TCP [::]:58348 [::]:0 LISTENING 1864
TCP [::1]:53 [::]:0 LISTENING 1936
TCP [dead:beef::24b]:53 [::]:0 LISTENING 1936
TCP [dead:beef::183f:801c:80e2:9c63]:53 [::]:0 LISTENING 1936
TCP [dead:beef::b885:d62a:d679:573f]:53 [::]:0 LISTENING 1936
TCP [fe80::183f:801c:80e2:9c63%5]:53 [::]:0 LISTENING 1936
Users & Groups
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> net user ; net user /DOMAIN
User accounts for \\
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
henry.vinson henry.vinson_adm krbtgt
The command completed with one or more errors.
User accounts for \\
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
henry.vinson henry.vinson_adm krbtgt
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> net localgroup ; net group /DOMAIN
Aliases for \\APT
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*apt-Admins
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*System Managed Accounts Group
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
Group Accounts for \\
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.
apt-Admins
Processes
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> ps
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
39 4 1544 2580 3764 1 cmd
94 8 1312 1172 736 0 conhost
94 8 4964 9544 0.03 3228 0 conhost
110 9 5344 11324 3700 1 conhost
301 13 1864 4208 380 0 csrss
155 9 1796 8284 468 1 csrss
350 31 14168 22704 1864 0 dfsrs
154 12 2172 7408 1672 0 dfssvc
215 13 3556 12412 2556 0 dllhost
351 30 8008 10916 1936 0 dns
140 11 4008 9264 1984 0 gisvc
0 0 0 4 0 0 Idle
124 12 1836 5712 1992 0 ismserv
1958 217 54212 71068 592 0 lsass
517 30 37788 48888 1844 0 Microsoft.ActiveDirectory.WebServices
191 13 2604 9772 2672 0 msdtc
471 73 204720 159372 364 0 MsMpEng
181 39 3252 9480 2788 0 NisSrv
457 31 111328 43756 1488 0 powershell
301 11 4084 9988 584 0 services
51 2 360 1216 296 0 smss
957 43 9388 24300 400 0 svchost
379 33 11904 17116 692 0 svchost
333 13 2532 8976 764 0 svchost
422 18 3112 9020 820 0 svchost
604 21 4896 12476 928 0 svchost
401 20 10240 17192 936 0 svchost
228 15 3100 12180 976 0 svchost
754 31 16760 33196 984 0 svchost
133 9 1748 7100 1288 0 svchost
198 11 2044 8172 1704 0 svchost
265 16 4740 14228 1836 0 svchost
137 11 3588 10480 1852 0 svchost
201 14 4532 11532 2044 0 svchost
104 7 2232 8216 3860 0 svchost
244 19 7564 13268 3920 0 svchost
764 0 128 140 4 0 System
164 12 1764 9288 996 1 taskhostw
98 7 1132 6372 2308 0 unsecapp
195 16 2300 10756 2316 0 vds
147 12 3104 10376 2024 0 VGAuthService
71 7 1208 5556 3564 1 vm3dservice
329 22 8988 22016 864 0 vmtoolsd
171 15 3324 13132 3940 1 vmtoolsd
92 8 924 4940 460 0 wininit
190 10 1976 9464 536 1 winlogon
419 16 8212 18420 1520 0 WmiPrvSE
238 13 13808 21276 2892 0 WmiPrvSE
1217 31 54000 77940 0.95 1888 0 wsmprovhost
Tasks
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft ...
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> cmd /c schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32"
cmd.exe : Access is denied.
+ CategoryInfo : NotSpecified: (Access is denied.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Services
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> services
Path Privileges Service
---- ---------- -------
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe False ADWS
"C:\Program Files\VMware\VMware Tools\gisvc.exe" False GISvc
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe True NetTcpPortSharing
C:\Windows\SysWow64\perfhost.exe False PerfHost
C:\Windows\servicing\TrustedInstaller.exe False TrustedInstaller
"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe" False VGAuthService
"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" False VMTools
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2102.4-0\NisSrv.exe" True WdNisSvc
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2102.4-0\MsMpEng.exe" True WinDefend
Firewall & AV
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> cmd /c netsh firewall show config
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Domain profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
80 TCP Enable Inbound http
135 TCP Enable Inbound http
135 TCP Enable Inbound http
80 TCP Enable Inbound http
135 TCP Enable Inbound http
135 TCP Enable Inbound http
5985 TCP Enable Inbound Firewall Rule for WinRM
135 TCP Enable Inbound Firewall Rule for RPC
445 TCP Enable Inbound Firewall Rule for SMB
ICMP configuration for Domain profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Enable 8 Allow inbound echo request
Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
80 TCP Enable Inbound http
135 TCP Enable Inbound http
135 TCP Enable Inbound http
80 TCP Enable Inbound http
135 TCP Enable Inbound http
135 TCP Enable Inbound http
5985 TCP Enable Inbound Firewall Rule for WinRM
135 TCP Enable Inbound Firewall Rule for RPC
445 TCP Enable Inbound Firewall Rule for SMB
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Enable 8 Allow inbound echo request
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .
Firewall is heavily enabled as expected
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property ExclusionPath
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus
Cannot connect to CIM server. Access denied
At line:1 char:24
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpPreference:String) [Get-MpPreference], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpPreference
Session Architecture
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> [Environment]::Is64BitProcess
True
Installed .NET Frameworks
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> cmd /c dir /s C:\Windows\Microsoft.NET\Framework\msbuild
Volume in drive C is System
Volume Serial Number is BF99-DE3E
Directory of C:\Windows\Microsoft.NET\Framework\v4.0.30319
07/16/2016 02:18 PM <DIR> MSBuild
0 File(s) 0 bytes
Total Files Listed:
0 File(s) 0 bytes
1 Dir(s) 10,724,515,840 bytes free
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework
Volume in drive C is System
Volume Serial Number is BF99-DE3E
Directory of C:\Windows\Microsoft.NET\Framework
07/16/2016 02:18 PM <DIR> .
07/16/2016 02:18 PM <DIR> ..
09/24/2020 09:10 AM <DIR> v1.0.3705
07/16/2016 02:18 PM <DIR> v1.1.4322
07/16/2016 02:18 PM <DIR> v2.0.50727
10/22/2023 01:35 PM <DIR> v4.0.30319
0 File(s) 0 bytes
6 Dir(s) 10,724,515,840 bytes free
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> cmd /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
HttpNamespaceReservationInstalled REG_DWORD 0x1
NetTcpPortSharingInstalled REG_DWORD 0x1
NonHttpActivationInstalled REG_DWORD 0x1
SMSvcHostPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
WMIInstalled REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x60632
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.6.01586
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x60632
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.6.01586
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x60632
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.6.01586
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x60632
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.6.01586
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
(Default) REG_SZ deprecated
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
Install REG_DWORD 0x1
Version REG_SZ 4.0.0.0
.NET 4.6.01586