Beyond
This is the Beyond page: additional post-exploitation enumeration and assessment conducted as SYSTEM after compromising the target system.
I will first change the password of the administrator user for ease of access:

```
c:\Windows\system32> net user administrator Qwer1234
The command completed successfully.
```
Enabling RDP:

```
c:\Windows\system32> cmd /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.

c:\Windows\system32> cmd /c netsh firewall add portopening TCP 3389 "Remote Desktop"

important: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
```

Ok.
Accessing the host over RDP:

```
┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ xfreerdp /u:administrator /p:Qwer1234 /v:$IP /cert:ignore /dynamic-resolution /tls-seclevel:0
```

There is indeed the encrypted root.txt file, alongside the notes.txt file.
Sysinfo
```
PS C:\Users\Administrator> systeminfo

Host Name:                 DC01
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00429-00521-62775-AA435
Original Install Date:     01/02/2020, 11:04:40
System Boot Time:          22/12/2023, 05:26:14
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
                           [02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-gb;English (United Kingdom)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     4,095 MB
Available Physical Memory: 1,362 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 1,903 MB
Virtual Memory: In Use:    2,896 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    BLACKFIELD.local
Logon Server:              \\DC01
Hotfix(s):                 7 Hotfix(s) Installed.
                           [01]: KB4552924
                           [02]: KB4494174
                           [03]: KB4512577
                           [04]: KB4523204
                           [05]: KB4537759
                           [06]: KB4549947
                           [07]: KB4565349
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.192
                                 [02]: fe80::283b:32d2:12e8:c7b9
                                 [03]: dead:beef::283b:32d2:12e8:c7b9
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
```
Scheduled Tasks
```
ps c:\Users\Administrator> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State

TaskName                                                         TaskPath State
--------                                                         -------- -----
CreateExplorerShellUnelevatedTask                                \        Ready
User_Feed_Synchronization-{C49F846B-BF93-4D69-8C77-E5E1D059D80E} \        Ready
```

Nothing of interest; both of those are default tasks.
Services
```
PS C:\Users\Administrator> netstat -ano | Select-String 0.0.0.0:123

  UDP    0.0.0.0:123            *:*                                    1064

PS C:\Users\Administrator> Get-Service w32time

Status   Name               DisplayName
------   ----               -----------
Running  w32time            Windows Time
```

An NTP server (w32time) is listening on UDP port 123; it is simply blocked from being accessed by the firewall.
support

dont_req_preauth is set for the support account.

The support account can change/reset the password of the audit2020 account.

audit2020

The audit2020 account can read the \\dc01.blackfield.local\forensic share, which is mapped to the C:\Users\Administrators\Documents\forensic directory.
Autologon
There is also autologon.exe from Sysinternals. This explains how I was able to extract the cleartext credential of the administrator account.
Spooler
The Spooler service crashed as a result of exploiting [[Blackfield_Privilege_Escalation_3#[CVE-2021-1675](https://nvd.nist.gov/vuln/detail/CVE-2021-1675)|CVE-2021-1675]] and [[Blackfield_Privilege_Escalation_4#[CVE-2021-34527](https://nvd.nist.gov/vuln/detail/CVE-2021-34527)|CVE-2021-34527]] earlier.
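As an added example that is not part of the original writeup, the following PowerShell audit pulls together the artefacts this page surfaces from a defender's side: the RDP registry and firewall changes, the Winlogon configuration that Sysinternals Autologon writes, accounts with DONT_REQ_PREAUTH set, which principals hold password-reset rights over audit2020, and the Spooler service state. It assumes an elevated session on DC01 with the ActiveDirectory module available (as on any domain controller); the function names and the summary object are my own, and the account names come from the page.

```powershell
# Added example (not from the original writeup): defender-side checks for the findings
# on this page, run on DC01 in elevated PowerShell; assumes the ActiveDirectory module.
Import-Module ActiveDirectory
function Get-Rdp3389AllowRules {
    # Enabled inbound allow rules for TCP/3389, whatever name they were created under
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '3389' -or $pf.LocalPort -eq 'Any')
    }
}

function Get-AutologonConfig {
    # Sysinternals Autologon sets these values and keeps the password in the LSA secret
    # DefaultPassword; a DefaultPassword value in this key means it was stored in plaintext by hand
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [pscustomobject]@{
        AutoAdminLogon        = $wl.AutoAdminLogon
        DefaultUserName       = $wl.DefaultUserName
        DefaultDomainName     = $wl.DefaultDomainName
        PlaintextPasswordKept = [bool]$wl.DefaultPassword
    }
}

function Get-AsRepRoastableUsers {
    # Accounts with DONT_REQ_PREAUTH, the flag the page found on 'support'
    Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties DoesNotRequirePreAuth |
        Select-Object -ExpandProperty SamAccountName
}

function Get-PasswordResetGrantors {
    param([string]$SamAccountName)
    # Principals allowed User-Force-Change-Password (or GenericAll) on the account,
    # i.e. the support -> audit2020 relationship noted above
    $forceChangePw = [guid]'00299570-246d-11d0-a768-00aa006e0529'
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -match 'GenericAll' -or $_.ObjectType -eq $forceChangePw)
    } | Select-Object -ExpandProperty IdentityReference -Unique
}
# fDenyTSConnections = 0 is exactly what the 'reg add' above sets
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
[pscustomobject]@{
    RdpEnabled        = ($ts.fDenyTSConnections -eq 0)
    Rdp3389AllowRules = @(Get-Rdp3389AllowRules).Count
    Autologon         = Get-AutologonConfig
    AsRepRoastable    = @(Get-AsRepRoastableUsers)
    CanResetAudit2020 = @(Get-PasswordResetGrantors -SamAccountName 'audit2020')
    SpoolerStatus     = (Get-Service -Name Spooler).Status
} | Format-List
```

Each of the summary fields maps onto one finding above, so a non-empty AsRepRoastable list, a support entry in CanResetAudit2020, or AutoAdminLogon set to 1 is the state to remediate.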