InfoSec LAB

Fuse_IT_Department

Created: 2 min read

IT Department

After running the basic enumeration, I also found an interesting directory at the system root

*evil-winrm* ps c:\> dir
 
 
    directory: C:\
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        5/29/2020   5:13 PM                Departments
d-----        5/29/2020   5:23 PM                HP Universal Print Driver
d-----        5/29/2020   4:36 PM                inetpub
d-----        5/26/2020   6:08 PM                PerfLogs
d-r---        6/11/2020   1:57 AM                Program Files
d-----        5/29/2020   4:54 PM                Program Files (x86)
d-----         6/1/2020   4:24 AM                test
d-----         2/2/2023  12:22 PM                tmp
d-r---        5/31/2020   5:08 PM                Users
d-----        10/9/2020   8:16 AM                Windows
-ar---        6/10/2020   6:22 PM            334 readme.txt
 
 
*evil-winrm* ps c:\> cd Departments ; dir
 
 
    directory: C:\Departments
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        6/10/2020   5:39 PM                IT

it seems there is a directory for the it department; c:\Department\IT

*evil-winrm* ps c:\Departments\IT> tree /f
Folder PATH listing
volume serial number is 00000037 e6c8:44FE
c:.
ÃÄÄÄbackups
³       backup_tapes.txt
³       mega_mountain_tape_request.pdf
³
ÃÄÄÄdr
³       offsite_dr_invocation.txt
³
ÀÄÄÄnew starters
    ÀÄÄÄ2020
            New Starter - Bridget Nielson.txt

There is a total of 3 sub-directories and each one has a file or two Wait. These files look familiar. These are the documents that were printed and logged in the PaperCut web app.

backup_tapes.txt

*Evil-WinRM* PS C:\Departments\IT> cat backups\backup_tapes.txt
 
Backup Tapes for Restore
 
AWK7335736
AWL7637858
AWK7368638
ARL4462545
AWL5424525
AWK3625245

Some arbitrary codes?

mega_mountain_tape_request.pdf

It’s basically the same as the backup_tapes.txt file

offsite_dr_invocation.txt

*Evil-WinRM* PS C:\Departments\IT> cat dr\offsite_dr_invocation.txt
 
contact: mark allory
building pin: 12443231

This one has someone’s name and pin numbers Given the name, it’s probably access code to a remote site facility

New Starter - Bridget Nielson.txt

*evil-winrm* ps c:\Departments\IT> cat "new starters\2020\New Starter - Bridget Nielson.txt"
new joiner
 
Bridget Nielson
bnielson
Fabricorp01

This file is basically how I got here.

Unfortunately, nothing was gained out of this enumeration. Deadend.

Interactive Graph View

Backlinks