Beyond
This is the beyond page that an additional post enumeration and assessment are conducted as the SYSTEM after compromising the target system.
Scheduled Tasks
PS C:\tmp> Powershell -c Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
TaskPath TaskName State
-------- -------- -----
\ CreateExplorerShellUnelevatedTask Ready
\ KillCmdProcesses Ready
\ Script Cleanup Ready
\ SSA_6010_RunScriptPath Ready
\ Start LDAP Ready
\ StartAppPools Ready
\ User_Feed_Synchronization-{B5D... Ready
\ User_Feed_Synchronization-{F8F... Ready There are 5 none default scheduled tasks
KillCmdProcesses
PS C:\> cmd /c schtasks /QUERY /TN \KillCmdProcesses /V /FO LIST
Folder: \
HostName: DC1
TaskName: \KillCmdProcesses
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 7/3/2024 1:02:58 PM
Last Result: 1
Author: BLAZORIZED\administrator
Task To Run: powershell -enc LQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABCAHkAcABhAHMAcwAgAC0AQwBvAG0AbQBhAG4AZAAgAEcAZQB0AC0AUAByAG8AYwBlAHMAcwAgAC0ATgBhAG0AZQAgACIAYwBtAGQAIgAgAHwAIABTAHQAbwBwAC0AUAByAG8AYwBlA
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: Administrator
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A┌──(kali㉿kali)-[~/…/htb/labs/blazorized]
└─$ echo LQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABCAHkAcABhAHMAcwAgAC0AQwBvAG0AbQBhAG4AZAAgAEcAZQB0AC0AUAByAG8AYwBlAHMAcwAgAC0ATgBhAG0AZQAgACIAYwBtAGQAIgAgAHwAIABTAHQAbwBwAC0AUAByAG8AYwBlA | base64 -d
-WindowStyle Hidden -ExecutionPolicy Bypass -Command Get-Process -Name "cmd" | Stop-Procebase64: invalid inputScript Cleanup
PS C:\> cmd /c schtasks /QUERY /TN "\Script Cleanup" /V /FO LIST
Folder: \
HostName: DC1
TaskName: \Script Cleanup
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 7/3/2024 1:13:58 PM
Last Result: 0
Author: BLAZORIZED\administrator
Task To Run: powershell C:\Users\Administrator\Documents\cleanup.ps1
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Administrator
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/AC:\Users\Administrator\Documents\cleanup.ps1
C:\Users\Administrator\Documents\cleanup.ps1
PS C:\> cat C:\Users\Administrator\Documents\cleanup.ps1
$targetDir = "C:\Windows\SYSVOL\sysvol\blazorized.htb\scripts\A32FF3AEAA23"
$keepList = @(
"1CD3EDA333CAA",
"2BECF3DC0B3D",
"2F3FCC01E0A3",
"3DACA30B03D1",
"3EAF2A3E0CED",
"21FDFAAFC1D0",
"113EB3B0B2D3",
"23010E0A1A33",
"A3F211DCB11D",
"AADE1BA2A3E3",
"AC2210DC311B",
"B2ACCF2BABFB",
"BE11A3E0EA13",
"BFDDF0E1B33E",
"C20F1322FB3C",
"CD102CDEFD0E",
"CED022B22EBA",
"D0ECECBC1CCF",
"F1D30FCB0100",
"FD33C0CE11AC",
"02FCE0D1303F.bat"
)
$items = Get-ChildItem -Path $targetDir
foreach ($item in $items) {
if ($keepList -notcontains $item.Name) {
try {
if ($item.PSIsContainer) {
Remove-Item -Path $item.FullName -Recurse -Force
} else {
Remove-Item -Path $item.FullName -Force
}
Write-Host "Deleted: $($item.FullName)"
} catch {
Write-Host "Failed to delete: $($item.FullName) - $($_.Exception.Message)"
}
} else {
Write-Host "Kept: $($item.FullName)"
}
}SSA_6010_RunScriptPath
PS C:\> cmd /c schtasks /QUERY /TN \SSA_6010_RunScriptPath /V /FO LIST
Folder: \
HostName: DC1
TaskName: \SSA_6010_RunScriptPath
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 7/3/2024 1:22:58 PM
Last Result: 1
Author: BLAZORIZED\administrator
Task To Run: powershell.exe -enc SQBtAHAAbwByAHQALQBNAG8AZAB1AGwAZQAgAEEAYwB0AGkAdgBlAEQAaQByAGUAYwB0AG8AcgB5ADsACgAkAHAAYQB0AHQAZQByAG4AIAA9ACAAIgBeAEEAMwAyAEYARgAzAEEARQBBAEEAMgAzAFwAXAAqACIAOwAKACQAdQBzAGUAcgBuAGEAbQBlACAAPQAgACIAUwBTAEEAXwA2ADAAMQAwACIAOwAKACQAc
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: SSA_6010
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ echo SQBtAHAAbwByAHQALQBNAG8AZAB1AGwAZQAgAEEAYwB0AGkAdgBlAEQAaQByAGUAYwB0AG8AcgB5ADsACgAkAHAAYQB0AHQAZQByAG4AIAA9ACAAIgBeAEEAMwAyAEYARgAzAEEARQBBAEEAMgAzAFwAXAAqACIAOwAKACQAdQBzAGUAcgBuAGEAbQBlACAAPQAgACIAUwBTAEEAXwA2ADAAMQAwACIAOwAKACQAc | base64 -d
Import-Module ActiveDirectory;
$pattern = "^A32FF3AEAA23\\*";
$username = "SSA_6010";
$base64: invalid inputStart LDAP
PS C:\> cmd /c schtasks /QUERY /TN "\Start LDAP" /V /FO LIST
Folder: \
HostName: DC1
TaskName: \Start LDAP
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 7/3/2024 9:34:58 AM
Last Result: 0
Author: BLAZORIZED\administrator
Task To Run: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\users\administrator\documents\ldap.ps1
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: Administrator
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/Ac:\users\administrator\documents\ldap.ps1
c:\users\administrator\documents\ldap.ps1
PS C:\> cat c:\users\administrator\documents\ldap.ps1
cat : Cannot find path 'C:\users\administrator\documents\ldap.ps1' because it does not exist.
At line:1 char:1
+ cat c:\users\administrator\documents\ldap.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\users\admini...uments\ldap.ps1:String) [Get-Content], ItemNotFoundEx
ception
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommanddeleted?
StartAppPools
PS C:\> cmd /c schtasks /QUERY /TN \StartAppPools /V /FO LIST
Folder: \
HostName: DC1
TaskName: \StartAppPools
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 7/3/2024 1:24:58 PM
Last Result: 0
Author: BLAZORIZED\administrator
Task To Run: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\users\administrator\documents\StartWebApps.ps1
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: Administrator
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/Ac:\users\administrator\documents\StartWebApps.ps1
c:\users\administrator\documents\StartWebApps.ps1
PS C:\> cat c:\users\administrator\documents\StartWebApps.ps1
function Start-StoppedAppPools {
$appPools = Get-IISAppPool
foreach ($appPool in $appPools) {
$appPoolState = (Get-WebAppPoolState -Name $appPool.Name).Value
if ($appPoolState -eq "Stopped") {
Start-WebAppPool -Name $appPool.Name
Write-Output "Started application pool: $($appPool.Name)"
}
}
}
Start-StoppedAppPools
exit 0