Beyond


This is the beyond page, where additional post-exploitation enumeration and assessment are conducted as the root user after compromising the target domain.

C:\Windows\system32> net user adm1n Qwer1234 /Add /Domain
[+] Executing %COMSPEC% /Q /c echo net user adm1n Qwer1234 /Add /Domain ^> \\%COMPUTERNAME%\C$\__output 2^>^&1 > %SYSTEMROOT%\FSfOzrTe.bat & %COMSPEC% /Q /c %SYSTEMROOT%\FSfOzrTe.bat & del %SYSTEMROOT%\FSfOzrTe.bat
The command completed successfully.
 
C:\Windows\system32> net groups "Domain Admins" /Add adm1n /Domain
[+] Executing %COMSPEC% /Q /c echo net groups "Domain Admins" /Add adm1n /Domain ^> \\%COMPUTERNAME%\C$\__output 2^>^&1 > %SYSTEMROOT%\kqnKKHnU.bat & %COMSPEC% /Q /c %SYSTEMROOT%\kqnKKHnU.bat & del %SYSTEMROOT%\kqnKKHnU.bat
The command completed successfully.

Created a new Domain Admin (DA) account.

┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ xfreerdp /u:adm1n /p:Qwer1234 /v:$IP /cert:ignore /dynamic-resolution /tls-seclevel:0  

RDP’d

Scheduled Tasks


PS C:\Windows\system32> cat C:\Users\Administrator\Documents\maintenance\ldap.ps1
# Maintenance script found under C:\Users\Administrator\Documents\maintenance\.
# Phase 1: keep LDAP on dc01 answering. Whenever TCP/389 does not respond the
# directory service (NTDS) is force-restarted and the check repeats after 30 s.
# NOTE(review): this never gives up — while dc01 stays unreachable it restarts
# NTDS indefinitely, once every ~30 s.
do {
    $ldapUp = (Test-NetConnection -ComputerName dc01 -Port 389).TcpTestSucceeded
    if (-not $ldapUp) {
        Restart-Service -Name 'NTDS' -Force
        Start-Sleep -Seconds 30
    }
} until ($ldapUp)
 
# Phase 2: make sure the AD FS service (adfssrv) is running. As long as its
# status reads 'Stopped' it is started again and re-checked after 10 s.
while ($true) {
    $adfsStatus = (Get-Service -Name adfssrv).Status
    if ($adfsStatus -ne 'Stopped') {
        break
    }
    Start-Service -Name adfssrv
    Start-Sleep -Seconds 10
}

ADFS


DNS


corp


Trust


Firewall


Hyper-V


corp


services


user:6aCT9_qBCUjZqJbm

user@services:~$ sudo su root
[sudo] password for user:
root@services:/home/user# whoami
root
root@services:/home/user# hostname
services
root@services:/home/user# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:44:3c:02 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.20/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fe44:3c02/64 scope link
       valid_lft forever preferred_lft forever
3: br-2f33d8ccba0b: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:da:b3:3b:04 brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.1/16 brd 172.20.255.255 scope global br-2f33d8ccba0b
       valid_lft forever preferred_lft forever
    inet6 fe80::42:daff:feb3:3b04/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:f2:51:38:3b brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
5: br-5c78870d8653: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ca:25:f4:2c brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-5c78870d8653
       valid_lft forever preferred_lft forever
    inet6 fe80::42:caff:fe25:f42c/64 scope link
       valid_lft forever preferred_lft forever
6: br-956fa3b88287: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:06:75:13:1e brd ff:ff:ff:ff:ff:ff
    inet 172.21.0.1/16 brd 172.21.255.255 scope global br-956fa3b88287
       valid_lft forever preferred_lft forever
    inet6 fe80::42:6ff:fe75:131e/64 scope link
       valid_lft forever preferred_lft forever
7: br-c23f0ab91bee: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:5a:8d:4e:d9 brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-c23f0ab91bee
       valid_lft forever preferred_lft forever
    inet6 fe80::42:5aff:fe8d:4ed9/64 scope link
       valid_lft forever preferred_lft forever
9: veth47a5df7@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-5c78870d8653 state UP group default
    link/ether ca:b9:d7:1e:27:8d brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::c8b9:d7ff:fe1e:278d/64 scope link
       valid_lft forever preferred_lft forever
11: vethb4c0aff@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-956fa3b88287 state UP group default
    link/ether 4a:bf:87:98:59:28 brd ff:ff:ff:ff:ff:ff link-netnsid 5
    inet6 fe80::48bf:87ff:fe98:5928/64 scope link
       valid_lft forever preferred_lft forever
13: veth0a2b83d@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-2f33d8ccba0b state UP group default
    link/ether 36:b2:11:55:64:16 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::34b2:11ff:fe55:6416/64 scope link
       valid_lft forever preferred_lft forever
15: veth6f3913b@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-c23f0ab91bee state UP group default
    link/ether 66:6d:e2:59:0b:fe brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet6 fe80::646d:e2ff:fe59:bfe/64 scope link
       valid_lft forever preferred_lft forever
17: veth8fec770@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-5c78870d8653 state UP group default
    link/ether 4e:8e:87:19:49:7b brd ff:ff:ff:ff:ff:ff link-netnsid 4
    inet6 fe80::4c8e:87ff:fe19:497b/64 scope link
       valid_lft forever preferred_lft forever
19: vethebe1ea4@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-5c78870d8653 state UP group default
    link/ether be:2b:0c:b9:a2:16 brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet6 fe80::bc2b:cff:feb9:a216/64 scope link
       valid_lft forever preferred_lft forever

Better

Crontab


root@services:~# crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h  dom mon dow   command
 
# Every minute, as root: runs the Kerberos renewal wrapper shown below
# (/root/scripts/krbrenew.sh). There is no locking, so a slow run can overlap
# with the next one.
* * * * * /bin/bash /root/scripts/krbrenew.sh
 
root@services:~# cat /root/scripts/krbrenew.sh
#!/bin/bash
# Invoked every minute from root's crontab (see `crontab -l` above).
# Purpose (from the file name and the kinit call): obtain/renew a Kerberos
# ticket for florence.ramirez@ghost.htb. It does so by exec-ing into the
# intranet-backend-1 container, ssh-ing from there to dev-workstation with
# sshpass, and piping the same password into kinit on the remote side.
#
# Review notes (defender's view):
#  - The domain password is hard-coded twice in this root-owned script and is
#    handed to sshpass as a command-line argument, so it is exposed to anyone
#    who can read the script or list processes inside the container; the remote
#    `echo '...' | kinit` exposes it again on dev-workstation.
#  - "StrictHostKeyChecking no" accepts any host key, so the ssh hop cannot
#    detect a substituted dev-workstation.
#  - No exit status is checked; a failed renewal only surfaces as cron mail.
docker exec intranet-backend-1 sshpass -p 'uxLmt*udNc6t3HrF' ssh -o "StrictHostKeyChecking no" florence.ramirez@ghost.htb@dev-workstation "echo 'uxLmt*udNc6t3HrF' | kinit"

Nginx Reverse Proxies


root@services:~# ls /etc/nginx/sites-enabled/
core.ghost.htb  ghost.htb  gitea.ghost.htb  intranet.ghost.htb

4 enabled sites

root@services:~# cat /etc/nginx/sites-enabled/core.ghost.htb
# core.ghost.htb: TLS front end on 8443. The upstream on localhost:6000 is the
# adfs-server container (docker ps: 0.0.0.0:6000->8008/tcp).
server {
    listen 8443 ssl;
    server_name core.ghost.htb;
    ssl_certificate /etc/nginx/certificates/core/https_core.ghost.htb.cert;
    ssl_certificate_key /etc/nginx/certificates/core/https_core.ghost.htb.key;
 
    location / {
        # Upstream is HTTPS, but no proxy_ssl_verify directive is set, so the
        # upstream certificate is not validated (nginx's default is off).
        proxy_pass https://localhost:6000;
    }
}
 
root@services:~# cat /etc/nginx/sites-enabled/ghost.htb
# ghost.htb: plain HTTP on 8008, forwarded to the ghost container
# (docker ps: 0.0.0.0:4000->2368/tcp). No TLS on this vhost.
server {
    listen 8008;
    server_name ghost.htb;
 
    location / {
        proxy_pass http://localhost:4000;
    }
}
 
root@services:~# cat /etc/nginx/sites-enabled/gitea.ghost.htb
# gitea.ghost.htb: plain HTTP on 8008, forwarded to the gitea container
# (docker ps: 0.0.0.0:3000->3000/tcp). No TLS on this vhost.
server {
    listen 8008;
    server_name gitea.ghost.htb;
 
    location / {
        proxy_pass http://localhost:3000;
    }
}
 
root@services:~# cat /etc/nginx/sites-enabled/intranet.ghost.htb
# intranet.ghost.htb: plain HTTP on 8008 with two upstreams.
server {
    listen 8008;
    server_name intranet.ghost.htb;
 
    # /api-dev/ -> intranet-backend-1 (docker ps: 0.0.0.0:8000->8000/tcp).
    # proxy_pass has no URI part, so the /api-dev/ prefix is forwarded unchanged.
    location /api-dev/ {
        proxy_pass http://localhost:8000;
    }
 
    # Everything else -> intranet-frontend-1 (docker ps: 0.0.0.0:5000->3000/tcp).
    # X-Forwarded-Host is set only here, not for /api-dev/; the value is the
    # client-supplied Host header plus the listen port.
    location / {
        proxy_pass http://localhost:5000;
        proxy_set_header X-Forwarded-Host $host:8008;
    }
}

Docker Instances


root@services:~# docker ps
CONTAINER ID   IMAGE                             COMMAND                  CREATED        STATUS       PORTS                                                         NAMES
621de11273cb   intranet-backend                  "/docker-entrypoint.…"   13 days ago    Up 2 hours   0.0.0.0:8000->8000/tcp, :::8000->8000/tcp                     intranet-backend-1
1dd8d5ce0cac   intranet-frontend                 "docker-entrypoint.s…"   13 days ago    Up 2 hours   0.0.0.0:5000->3000/tcp, :::5000->3000/tcp                     intranet-frontend-1
2702f3e390ed   adfs-server                       "docker-entrypoint.s…"   3 weeks ago    Up 2 hours   0.0.0.0:6000->8008/tcp, :::6000->8008/tcp                     adfs-server-1
76c93d151d05   gitea-server                      "/usr/bin/entrypoint…"   5 months ago   Up 2 hours   22/tcp, 0.0.0.0:3000->3000/tcp, :::3000->3000/tcp             gitea
26ae7990f3dd   ghost-ghost                       "docker-entrypoint.s…"   5 months ago   Up 2 hours   0.0.0.0:4000->2368/tcp, :::4000->2368/tcp                     ghost
c2ea6871e69c   dev-workstation-dev-workstation   "/docker-entrypoint.…"   5 months ago   Up 2 hours   137-139/tcp, 445/tcp, 0.0.0.0:9022->22/tcp, :::9022->22/tcp   dev-workstation

6 Docker instances

Hyper-V Services