Beyond


This page covers the additional post-exploitation enumeration and assessment performed as SYSTEM after the target had been compromised. Everything below was gathered from a SYSTEM-level shell; commands that change the target's configuration (RDP, firewall) are noted as such so they can be reverted at the end of the engagement.

c:\WINDOWS\system32> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.
 
c:\WINDOWS\system32> netsh firewall add portopening TCP 3389 "Remote Desktop"
 
important: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
 
Both changes succeeded: `fDenyTSConnections` is now 0 (RDP enabled) and TCP/3389 is allowed inbound. As the warning says, `netsh firewall` is deprecated; the current equivalent is `netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389`. Both are persistent changes to the target's configuration — record them and revert them (set `fDenyTSConnections` back to 1, delete the firewall rule) when the assessment is finished.

RDP

The jason user appears to have an interactive session (RDP or console). This is consistent with the `\CleanJob` task below, which runs as jason at logon with logon mode "Interactive only" and is currently in the Running state.

Scheduled Tasks


Two additional scheduled tasks are worth examining, both authored by ATOM\Administrator:

  • \CleanJob
  • \redis-restore

\CleanJob


c:\WINDOWS\system32> cmd /c schtasks /QUERY /TN \CleanJob /V /FO LIST          
 
folder: \
hostname:                             ATOM
taskname:                             \CleanJob
next run time:                        N/A
status:                               Running
logon mode:                           Interactive only
last run time:                        1/8/2024 6:12:52 PM
last result:                          267009
author:                               ATOM\Administrator
task to run:                          C:\Users\jason\appdata\roaming\cache\clean.bat 
start in:                             N/A
comment:                              N/A
scheduled task state:                 Enabled
idle time:                            Disabled
power management:                     Stop On Battery Mode, No Start On Batteries
run as user:                          jason
delete task if not rescheduled:       Disabled
stop task if runs x hours and x mins: 72:00:00
schedule:                             Scheduling data is not available in this format.
schedule type:                        At logon time
start time:                           N/A
start date:                           N/A
end date:                             N/A
days:                                 N/A
months:                               N/A
repeat: Every:                        N/A
repeat: Until: Time:                  N/A
repeat: Until: Duration:              N/A
repeat: Stop If Still Running:        N/A

c:\Users\jason\appdata\roaming\cache\clean.bat

The task is in state Running with last result 267009 (0x41301, SCHED_S_TASK_RUNNING), runs as jason at logon, and has a 72-hour stop limit — all consistent with the endless loop in the script below. The script lives under jason's roaming profile (`C:\Users\jason\appdata\roaming\cache\clean.bat`); anyone able to write to that file gets code execution in jason's interactive session at every logon, so its ACL is worth checking from a persistence/defence point of view.


C:\WINDOWS\system32> type C:\Users\jason\appdata\roaming\cache\clean.bat 
@echo off
REM clean.bat - executed by the scheduled task \CleanJob as user jason at logon
REM (see the schtasks output above: logon mode "Interactive only", status Running).
REM Resets c:\software_updates to a fixed layout and then loops forever.
 
:LOOP
 
REM Delete every file under c:\software_updates (recursive, no prompt), then
REM remove the three client directories.
del /s /q c:\software_updates\*
rd /s /q c:\software_updates\client1
rd /s /q c:\software_updates\client2
rd /s /q c:\software_updates\client3
 
REM Re-populate the directory: copy the PDF from jason's Documents and recreate
REM the (empty) client directories.
copy c:\users\jason\documents\UAT_Testing_Procedures.pdf c:\software_updates\UAT_Testing_Procedures.pdf
mkdir c:\software_updates\client1
mkdir c:\software_updates\client2
mkdir c:\software_updates\client3
 
REM Sleep for roughly five minutes (ping pauses about one second between echoes).
ping -n 300 127.0.0.1 > nul
 
REM Unconditional jump back to the top: the :EXIT label is never reached, so the
REM task keeps running until stopped (hence last result 267009 / 0x41301).
GOTO :LOOP
:EXIT

\redis-restore


c:\WINDOWS\system32> schtasks /QUERY /TN \redis-restore /V /FO LIST
 
folder: \
hostname:                             ATOM
taskname:                             \redis-restore
next run time:                        N/A
status:                               Ready
logon mode:                           Interactive/Background
last run time:                        1/9/2024 11:11:01 AM
last result:                          0
author:                               ATOM\Administrator
task to run:                          C:\Users\Administrator\Documents\run.bat 
start in:                             N/A
comment:                              N/A
scheduled task state:                 Enabled
idle time:                            Disabled
power management:                     Stop On Battery Mode, No Start On Batteries
run as user:                          Administrator
delete task if not rescheduled:       Disabled
stop task if runs x hours and x mins: 72:00:00
schedule:                             Scheduling data is not available in this format.
schedule type:                        At logon time
start time:                           N/A
start date:                           N/A
end date:                             N/A
days:                                 N/A
months:                               N/A
repeat: Every:                        N/A
repeat: Until: Time:                  N/A
repeat: Until: Duration:              N/A
repeat: Stop If Still Running:        N/A

c:\Users\Administrator\Documents\run.bat

Unlike `\CleanJob`, this task runs as Administrator at logon (logon mode "Interactive/Background", last result 0). The script below starts WinRM and re-seeds Redis from a dump kept in Administrator's Documents, so `c:\users\administrator\documents\dump.rdb` is the persistent copy of the Redis data set and should be reviewed for credentials or other sensitive data.


C:\WINDOWS\system32> type C:\Users\Administrator\Documents\run.bat 
@echo off
REM run.bat - executed by the scheduled task \redis-restore as Administrator at
REM logon (see the schtasks output above). Starts WinRM and re-seeds Redis.

REM Start the WinRM service: opens a remote-management channel at every logon.
sc start winrm

REM Replace the live Redis dump with the copy kept in Administrator's Documents.
REM NOTE: "sc stop"/"sc start" return as soon as the control request is accepted,
REM not when the service has finished stopping/starting, so the copy below can
REM race with a Redis instance that is still shutting down.
sc stop redis
copy c:\users\administrator\documents\dump.rdb "C:\Program Files\Redis\dump.rdb"
sc start redis

REM Sleep about five seconds (ping idiom), then remove the seeded file; the copy
REM under Administrator's Documents therefore remains the source of the data set.
ping -n 5 127.0.0.1 > nul
del "C:\Program Files\Redis\dump.rdb"

Web


c:\> cd C:\xampp && dir
 Volume in drive C has no label.
 Volume Serial Number is 9793-C2E6
 
 directory of c:\xampp
 
03/31/2021  07:00 AM    <DIR>          .
03/31/2021  07:00 AM    <DIR>          ..
03/31/2021  11:27 AM    <DIR>          anonymous
03/31/2021  11:27 AM    <DIR>          apache
06/07/2013  03:15 AM               436 apache_start.bat
03/31/2021  11:28 AM               176 apache_stop.bat
03/30/2013  04:29 AM             9,439 catalina_service.bat
10/22/2019  05:36 AM             4,478 catalina_start.bat
10/22/2019  05:35 AM             4,180 catalina_stop.bat
03/31/2021  11:28 AM    <DIR>          cgi-bin
03/31/2021  11:27 AM    <DIR>          contrib
03/31/2021  11:26 AM             2,731 ctlscript.bat
03/30/2013  04:29 AM                78 filezilla_setup.bat
06/07/2013  03:15 AM               150 filezilla_start.bat
06/07/2013  03:15 AM               149 filezilla_stop.bat
03/31/2021  11:37 AM    <DIR>          htdocs
03/31/2021  11:26 AM    <DIR>          img
03/31/2021  11:28 AM    <DIR>          install
08/27/2019  06:01 AM               299 killprocess.bat
03/31/2021  11:26 AM    <DIR>          licenses
03/31/2021  11:26 AM    <DIR>          locale
03/31/2021  11:26 AM    <DIR>          mailoutput
03/31/2021  11:27 AM    <DIR>          mailtodisk
06/07/2013  03:15 AM               136 mercury_start.bat
06/07/2013  03:15 AM                60 mercury_stop.bat
03/31/2021  11:26 AM    <DIR>          mysql
06/03/2019  03:39 AM               471 mysql_start.bat
03/31/2021  11:28 AM               256 mysql_stop.bat
03/13/2017  03:04 AM               824 passwords.txt
03/31/2021  11:28 AM    <DIR>          php
03/31/2021  11:27 AM               792 properties.ini
03/12/2021  05:02 PM             7,499 readme_de.txt
03/12/2021  05:02 PM             7,369 readme_en.txt
03/30/2013  04:29 AM            60,928 service.exe
03/30/2013  04:29 AM             1,255 setup_xampp.bat
03/31/2021  11:26 AM    <DIR>          src
12/08/2016  10:40 AM             2,052 test_php.bat
03/31/2021  11:27 AM    <DIR>          tmp
03/31/2021  11:28 AM           133,001 uninstall.dat
03/31/2021  11:28 AM        12,512,059 uninstall.exe
03/31/2021  11:27 AM    <DIR>          webdav
06/05/2019  04:10 AM         3,368,448 xampp-control.exe
03/31/2021  07:00 AM             1,201 xampp-control.ini
03/31/2021  07:00 AM             1,089 xampp-control.log
03/31/2021  11:27 AM             1,084 xampp_shell.bat
03/30/2013  04:29 AM           118,784 xampp_start.exe
03/30/2013  04:29 AM           118,784 xampp_stop.exe
              29 File(s)     16,358,208 bytes
              18 Dir(s)   4,873,510,912 bytes free
c:\xampp> tree /F /A htdocs       
Folder PATH listing
volume serial number is 02e2e1c8 9793:C2E6
c:\XAMPP\HTDOCS
|   index.html
|   
+---images
|       heed.png
|       
\---releases
        heed_setup_v1.0.0.zip

conf

Before the Apache configuration, note `C:\xampp\passwords.txt` in the listing above: XAMPP ships this file with the default credentials of its bundled services (MySQL, FileZilla, Mercury, WebDAV), so it is worth reading to see whether any of those defaults are still in use. The document root also serves `releases/heed_setup_v1.0.0.zip`, a distributable whose integrity depends on who can write to `htdocs` (see the Directory options below).


PS C:\xampp\apache\conf> cat .\httpd.conf | Where-Object { $_ -notmatch '^#' } | ForEach-Object { $_.TrimEnd() }
 
Define SRVROOT "C:/xampp/apache"
ServerRoot "C:/xampp/apache"
 
Listen 80
 
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule allowmethods_module modules/mod_allowmethods.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dav_lock_module modules/mod_dav_lock.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule include_module modules/mod_include.so
LoadModule info_module modules/mod_info.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule cache_disk_module modules/mod_cache_disk.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule status_module modules/mod_status.so
LoadModule version_module modules/mod_version.so
 
<IfModule unixd_module>
User daemon
Group daemon
 
</IfModule>
 
 
ServerAdmin postmaster@localhost
 
ServerName localhost:80
 
<Directory />
    AllowOverride none
    Require all denied
</Directory>
 
 
DocumentRoot "C:/xampp/htdocs"
<Directory "C:/xampp/htdocs">
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
    Require all granted
</Directory>
 
<IfModule dir_module>
    DirectoryIndex index.php index.pl index.cgi index.asp index.shtml index.html index.htm \
                   default.php default.pl default.cgi default.asp default.shtml default.html default.htm \
                   home.php home.pl home.cgi home.asp home.shtml home.html home.htm
</IfModule>
 
<Files ".ht*">
    Require all denied
</Files>
 
ErrorLog "logs/error.log"
 
LogLevel warn
 
<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
 
    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access.log" combined
</IfModule>
 
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "C:/xampp/cgi-bin/"
 
</IfModule>
 
<IfModule cgid_module>
</IfModule>
 
<Directory "C:/xampp/cgi-bin">
    AllowOverride All
    Options None
    Require all granted
</Directory>
 
<IfModule headers_module>
    RequestHeader unset Proxy early
</IfModule>
 
<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddHandler cgi-script .cgi .pl .asp
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>
 
<IfModule mime_magic_module>
    MIMEMagicFile "conf/magic"
</IfModule>
 
Include conf/extra/httpd-mpm.conf
Include conf/extra/httpd-autoindex.conf
Include conf/extra/httpd-languages.conf
Include conf/extra/httpd-userdir.conf
Include conf/extra/httpd-info.conf
Include conf/extra/httpd-vhosts.conf
 
Include "conf/extra/httpd-proxy.conf"
Include "conf/extra/httpd-default.conf"
Include "conf/extra/httpd-xampp.conf"
 
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
 
Include conf/extra/httpd-ssl.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
 
 
AcceptFilter http none
AcceptFilter https none
<IfModule mod_proxy.c>
<IfModule mod_proxy_ajp.c>
Include "conf/extra/httpd-ajp.conf"
</IfModule>
</IfModule>

Port 80 — observations from httpd.conf:

  • The document root `C:/xampp/htdocs` has `Options Indexes FollowSymLinks Includes ExecCGI`, `AllowOverride All` and `Require all granted`, and `AddHandler cgi-script .cgi .pl .asp` plus `AddOutputFilter INCLUDES .shtml` are set globally. Directory listings are therefore enabled, and any file dropped into htdocs with a `.cgi`, `.pl`, `.asp` or `.shtml` extension executes server-side; an `.htaccess` file can change per-directory behaviour as well. Write access to htdocs (or to the served `releases/` zip) is equivalent to code execution and to tampering with the distributed release.
  • `mod_proxy`, `mod_proxy_ajp`, `mod_status`, `mod_info` and `mod_dav_lock` are loaded and `httpd-info.conf`, `httpd-proxy.conf`, `httpd-ajp.conf` and `httpd-xampp.conf` are included. Whether `/server-status`, `/server-info`, the AJP connector or WebDAV are actually reachable depends on those included files, which are not shown here — check them next.
  • `unixd_module` is not in the LoadModule list, so the `User daemon` / `Group daemon` block is inert on this Windows host; Apache runs under whatever account the XAMPP service was installed with, which should be confirmed (`sc qc` / `tasklist /v`).

PS C:\xampp\apache\conf> cat .\extra\httpd-ssl.conf | Where-Object { $_ -notmatch '^#' } | ForEach-Object { $_.TrimEnd() }
 
Listen 443
 
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog  builtin
SSLSessionCache "shmcb:C:/xampp/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300
 
<VirtualHost _default_:443>
 
DocumentRoot "C:/xampp/htdocs"
ServerName www.example.com:443
ServerAdmin admin@example.com
ErrorLog "C:/xampp/apache/logs/error.log"
TransferLog "C:/xampp/apache/logs/access.log"
 
SSLEngine on
SSLCertificateFile "conf/ssl.crt/server.crt"
SSLCertificateKeyFile "conf/ssl.key/server.key"
 
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "C:/xampp/apache/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
 
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
 
CustomLog "C:/xampp/apache/logs/ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 
</VirtualHost>

Port 443 — observations from httpd-ssl.conf:

  • `SSLProtocol all -SSLv3` only excludes SSLv3, so TLS 1.0 and 1.1 remain negotiable if the bundled OpenSSL supports them, and `SSLCipherSuite HIGH:MEDIUM:...` admits medium-strength ciphers. A hardened setting would be `SSLProtocol -all +TLSv1.2 +TLSv1.3` with a HIGH-only cipher list.
  • The vhost keeps the stock `ServerName www.example.com:443` and the default `conf/ssl.crt/server.crt` / `conf/ssl.key/server.key` paths, presumably the self-signed certificate XAMPP ships — confirm with `openssl s_client`.
  • The TLS vhost serves the same `C:/xampp/htdocs` document root, so the permissive `Indexes`/`ExecCGI`/`Includes` options from httpd.conf apply over HTTPS too.