Beyond
This page covers the additional post-exploitation enumeration and assessment carried out as SYSTEM after the target system was compromised.
I first change the password of the Administrator account so the host is easy to get back into. This is a destructive and noisy change that is fine in a lab but would not be made on a real engagement without explicit agreement from the client.
c:\Windows\system32> net user administrator Qwer1234
The command completed successfully.
c:\Windows\system32> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.
c:\Windows\system32> netsh firewall add portopening TCP 3389 "Remote Desktop"
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
Ok.
Enabling RDP: setting fDenyTSConnections to 0 turns Remote Desktop on, and the firewall rule opens TCP 3389 inbound. As netsh itself warns, the legacy "netsh firewall" context still works but is deprecated in favour of "netsh advfirewall firewall". Both changes are persistent and should be reverted once the assessment is over.
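The same change made through the non-deprecated interface, as an added PowerShell example that is not part of the original writeup: it sets the registry value the page sets, enables the built-in "Remote Desktop" firewall rule group in place of "netsh firewall", reads the result back, and carries a revert so the change can be undone when the assessment ends. Enable-Rdp, Disable-Rdp and Test-Rdp are names assumed for this example; it expects an elevated session on the target.

```powershell
# Added example, not the writeup's own code: enable RDP the way the page does,
# but with the current firewall cmdlets, plus a matching revert and a check.
# Assumes an elevated PowerShell session on the target host (the page runs as SYSTEM).

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Enable-Rdp {
    # Same registry value the page sets with reg add
    Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value 0 -Type DWord
    # Built-in rule group covering TCP/UDP 3389; replaces "netsh firewall add portopening"
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    # Equivalent with the non-deprecated netsh syntax the output points at:
    # netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=TCP localport=3389 action=allow
}

function Disable-Rdp {
    # Revert both changes at the end of the engagement
    Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Test-Rdp {
    # Read back the registry value, the listener and the firewall state
    $deny = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections
    $listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    $rulesOn = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Where-Object { $_.Enabled -eq 'True' }
    [pscustomobject]@{
        fDenyTSConnections = $deny
        Listening3389      = [bool]$listener
        FirewallRuleOn     = ($rulesOn | Measure-Object).Count -gt 0
    }
}

Enable-Rdp
Test-Rdp
```

Run Test-Rdp again after Disable-Rdp to confirm the listener and rule group are gone before closing out the host.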
┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ xfreerdp /u:administrator /p:Qwer1234 /v:$IP /cert:ignore /dynamic-resolution /tls-seclevel:0
Connecting as administrator with the new password. /cert:ignore skips validation of the host's self-signed RDP certificate, and /tls-seclevel:0 lowers the OpenSSL security level so the client will negotiate with the server's older TLS configuration. The session is established.
Scheduled Tasks
PS C:\Users\Administrator> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State

TaskName TaskPath State
-------- -------- -----
Deletion \        Disabled
Dev      \        Disabled
Hashy    \        Ready
Wipe     \        Ready

Four non-Microsoft tasks sit in the root of the task library; two are disabled and two are active. Each is looked at in turn below:
- Deletion
- Dev
- Hashy
- Wipe
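A way to pull the per-task detail the page lists by hand (interval, executable, arguments, and whether the script a task points at actually exists), as an added PowerShell example rather than code from the writeup. Get-CustomTaskSummary and Get-ScriptTarget are names assumed for this example; it runs in the same elevated session as the Get-ScheduledTask call above and generalises to any task outside the Microsoft tree, not just the four on this host.

```powershell
# Added example, not the writeup's own code: summarise every non-Microsoft
# scheduled task with what it runs, how often, who it runs as, and whether
# the script it targets is present (the page's Dev task points at a missing dev.ps1).
# Assumes an elevated session on the target host.

function Get-ScriptTarget {
    param([string]$Arguments)
    # First drive-letter path ending in a script/executable extension, quoted or not,
    # e.g. -c "C:\users\administrator\music\dev.ps1"
    if ($Arguments -match '(?i)"?([a-z]:\\[^"]+?\.(?:ps1|bat|cmd|exe))"?') {
        return $Matches[1]
    }
    return $null
}

function Get-CustomTaskSummary {
    Get-ScheduledTask |
        Where-Object { $_.TaskPath -notlike '\Microsoft*' } |
        ForEach-Object {
            $task = $_
            $info = $task | Get-ScheduledTaskInfo
            # Repetition interval is ISO 8601 (PT1M, PT3M, PT5M ...)
            $interval = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
            foreach ($action in $task.Actions) {
                $target = Get-ScriptTarget -Arguments $action.Arguments
                [pscustomobject]@{
                    TaskName      = $task.TaskName
                    State         = $task.State
                    RunAs         = $task.Principal.UserId
                    RunLevel      = $task.Principal.RunLevel
                    Interval      = $interval
                    Execute       = $action.Execute
                    Arguments     = $action.Arguments
                    Target        = $target
                    # True when the task names a script that is not on disk
                    TargetMissing = ($null -ne $target) -and -not (Test-Path -LiteralPath $target)
                    LastRun       = $info.LastRunTime
                    LastResult    = $info.LastTaskResult   # 0 means the last run succeeded
                }
            }
        }
}

Get-CustomTaskSummary | Format-List
```

RunAs and RunLevel matter here: a task running as SYSTEM or an administrator whose script lives in a directory a lower-privileged user can write to is a privilege-escalation path, which is exactly why the write grant in wipe.ps1 further down is worth reading closely.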
Deletion
Runs every 3 minutes (currently Disabled):
powershell.exe -c "rm c:\shared\*"
Dev
Runs every 5 minutes (currently Disabled):
powershell -c "C:\users\administrator\music\dev.ps1"
dev.ps1
c:\Users\Administrator\Music> dir
 Volume in drive C has no label.
 Volume Serial Number is 1DF4-493D

 Directory of c:\Users\Administrator\Music

06/07/2022  07:14 AM    <DIR>          .
06/07/2022  07:14 AM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)   4,373,200,896 bytes free

PS C:\Users\Administrator> ls -Path C:\ -ErrorAction SilentlyContinue -Recurse -Include dev.ps1

The Music directory is empty and a recursive search of C:\ returns nothing, so dev.ps1 does not exist anywhere on the host. The Dev task is disabled, and it would fail on the missing script even if it were enabled.
Hashy
Runs every minute (Ready):
powershell.exe -c "C:\users\administrator\contacts\trigger.ps1"
trigger.ps1
c:\Users\Administrator\Contacts> type trigger.ps1
$pattern = "([0-9]{1,3}\.){3}[0-9]{1,3}"   # loose IPv4 pattern; also matches values such as 999.999.999.999
$ips = @()
if (test-path -path c:\shared\*.ini){
    # read every .ini file in the share, including any desktop.ini
    gc c:\Shared\*.ini| % {
        if (($_ -match $pattern)) {
            # keep the first IPv4-looking token on the line
            $ips += [regex]::Match($_, $pattern).Value
        }
    }
}
foreach ($ip in $ips){
    # authenticate outbound as c.bum to whatever host the file named
    net use * \\$ip\aa /user:flight.htb\c.bum Tikkycoll_431012284
}
# tidy the share: anything older than two minutes is removed
$DateToDelete = (get-date).AddMinutes(-2)
get-childitem c:\shared | Where-Object { $_.LastWriteTime -lt $DatetoDelete } | Remove-Item
This script is the simulated user behind the c:\Shared directory, which is what the \\g0.flight.htb\Shared share exposes. Every minute it reads any .ini file in the share, pulls the first IPv4-looking string out of each matching line, and runs net use against \\<ip>\aa as flight.htb\c.bum with that account's password; it then deletes anything in c:\Shared older than two minutes. Because the target address comes straight from the file, dropping an .ini file into the share makes c.bum authenticate over SMB to any host named in it, which is the user activity the task exists to mimic.
Wipe
Runs every 5 minutes (Ready):
powershell.exe -C "C:\users\administrator\contacts\wipe.ps1"
wipe.ps1
c:\Users\Administrator\Contacts> type wipe.ps1
# rebuild the XAMPP web root from the pristine copies
remove-item "c:\xampp\htdocs\*" -Recurse -Force -Confirm:$false
copy-item -path "c:\users\administrator\videos\flight.htb" -Destination "C:\xampp\htdocs\" -Recurse
copy-item -path "c:\users\administrator\videos\school.flight.htb" -Destination "C:\xampp\htdocs\" -Recurse
# rebuild the IIS development root the same way
remove-item "c:\inetpub\development" -Recurse -Force -Confirm:$false
copy-item -path "c:\users\administrator\videos\development" -Destination "C:\inetpub\development\" -recurse
# re-grant c.bum write (W), inherited by subfolders (CI) and files (OI), applied recursively (/T)
cmd /c 'icacls "c:\inetpub\development" /grant flight.htb\c.bum:(OI)(CI)W /T'
Every five minutes the task wipes both web roots, restores them from pristine copies kept under the Administrator profile, and re-grants c.bum write access:
- c:\xampp\htdocs\ is restored from c:\users\administrator\videos\flight.htb and c:\users\administrator\videos\school.flight.htb
- c:\inetpub\development is restored from c:\users\administrator\videos\development
- flight.htb\c.bum is granted (OI)(CI)W on c:\inetpub\development and everything beneath it
Anything an attacker writes into either web root is therefore removed within five minutes.
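Reading the ACLs back, as an added PowerShell example that is not from the writeup: it lists the ACEs a given account holds on each web root that wipe.ps1 rebuilds, so the (OI)(CI)W grant to c.bum can be confirmed on c:\inetpub\development and compared with c:\xampp\htdocs, where the script grants nothing. Get-UserAces is an assumed name; the identity is matched on the account name only, because a domain-joined host reports it in NetBIOS form (FLIGHT\c.bum) rather than as flight.htb\c.bum.

```powershell
# Added example, not the writeup's own code: list the ACEs a given account holds
# on the directories wipe.ps1 rebuilds, to confirm the
# icacls ... /grant flight.htb\c.bum:(OI)(CI)W /T line took effect.
# Assumes the paths from the page exist and the session can read their ACLs.

function Get-UserAces {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity   # e.g. 'flight.htb\c.bum'; only the account part is compared
    )
    $account = $Identity.Split('\')[-1]
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Domain-joined hosts report the NetBIOS form (FLIGHT\c.bum), so match on the account name
        if ($ace.IdentityReference.Value -notlike "*\$account") { continue }
        [pscustomobject]@{
            Path        = $Path
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.FileSystemRights      # the icacls W grant appears here as Write
            Type        = $ace.AccessControlType
            # icacls (OI)(CI) corresponds to ObjectInherit, ContainerInherit
            Inheritance = $ace.InheritanceFlags
            Inherited   = $ace.IsInherited           # False on the directory icacls was run against, True below it
        }
    }
}

# wipe.ps1 re-grants c.bum only on the second root
'C:\xampp\htdocs', 'C:\inetpub\development' |
    ForEach-Object { Get-UserAces -Path $_ -Identity 'flight.htb\c.bum' } |
    Format-Table -AutoSize
```

If the development root shows no c.bum ACE at all, the task has either not run since the last wipe or the icacls step failed; Get-ScheduledTaskInfo on the Wipe task gives the last run time and result to tell those apart.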
Web
- Apache: runs as svc_apache
- IIS: application pool identity inherited from DefaultAppPool
SMB
- Shares: Shared, Web
Active Directory Users and Computers
- Computer