keepmeon


Upon moving laterally to the ATSSERVER host as the awallace user, I found that this user has access to a previously undiscovered directory: C:\Program Files\keepmeon

PS C:\Users\jmorgan\Documents> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {ls "C:\Program Files\keepmeon"}
 
 
    Directory: C:\Program Files\keepmeon
 
 
Mode                 LastWriteTime         Length Name                               PSComputerName                    
----                 -------------         ------ ----                               --------------                    
-a----        21/12/2021     14:57            128 keepmeon.bat                       ATSSERVER                         

The directory contains a single batch script: keepmeon.bat

PS C:\Users\jmorgan\Documents> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {cat "C:\Program Files\keepmeon\keepmeon.bat"}
 
REM This is run every 5 minutes. For Lois use ONLY
@echo off
 for /R %%x in (*.bat) do (
 if not "%%x" == "%~0" call "%%x"
)

This batch script recursively searches the current directory and its subdirectories for files with the .bat extension. For each .bat file found, it checks that the file is not the running script itself (%~0 expands to the script's own path) and, if it is not, calls and executes that file.
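A job that blindly calls every .bat it finds is only as safe as the permissions on the tree it walks. As an added defender-side check (not part of the original write-up or anything found on the target), the following PowerShell lists every principal that can create or modify files anywhere under such a directory; the default path is the one above, while the list of trusted principals is an assumption to adjust per environment.

```powershell
# Added audit example, not from the original write-up. The default path is the
# one found above; the list of trusted principals is an assumption to adjust.
function Find-WritableBatchDropPoints {
    param(
        [string]$Root = 'C:\Program Files\keepmeon',
        [string[]]$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                               'NT SERVICE\TrustedInstaller')
    )

    # NTFS rights that let a principal plant a new file, alter an existing one,
    # or re-permission the object so that it can do either later.
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($fsr::CreateFiles -bor $fsr::AppendData -bor $fsr::Write -bor
                       $fsr::Modify -bor $fsr::FullControl -bor
                       $fsr::ChangePermissions -bor $fsr::TakeOwnership)
    # Generic rights are not enum members but do show up in raw ACEs.
    $genericWrite = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

    # "for /R" recurses, so every subdirectory is a drop point, and every
    # existing .bat is a target because the job calls each one it finds.
    $targets = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Recurse -Force |
                 Where-Object { $_.PSIsContainer -or $_.Extension -eq '.bat' })

    foreach ($item in $targets) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = [int]$ace.FileSystemRights
            if ((($rights -band $writeMask) -eq 0) -and
                (($rights -band $genericWrite) -eq 0)) { continue }
            if ($Trusted -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Every row returned is a principal that can feed the 5-minute job a script.
Find-WritableBatchDropPoints | Format-Table -AutoSize
```

Run it locally on the host as an administrator; an empty result means only the trusted principals can influence what the job executes.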

The comment at the top of the script states that it runs every 5 minutes, and it mentions Lois.

Lois was mentioned earlier, in the Word document New_Starter_CheckList_v7.pdf. In the current context, Lois most likely refers to the lhopkins user. That document also shows that only Lois can become site admin.

Site_Admin


PS C:\Users\jmorgan\Documents> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {net group /DOMAIN}
 
Group Accounts for \\
 
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Managers
*Protected Users
*Read-only Domain Controllers
*Schema Admins
*Site_Admin
The command completed with one or more errors.

It turns out that "site admin" refers to an actual domain group, Site_Admin

PS C:\Users\jmorgan\Documents> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {net group /DOMAIN Site_Admin}
 
Group name     Site_Admin
Comment        Only in the event of emergencies is this to be populated. This has access to Domain Admin group
 
Members
 
-------------------------------------------------------------------------------
The command completed successfully.

Looking further into the Site_Admin group, its Comment field states that the group has access to the Domain Admins group. This is rather ambiguous, as it does not specify what kind of access that is, but I'd assume it is some form of write access

Overall, this appears to be the path to Domain Admin. Moving on to the privilege escalation phase.