Initial enumeration as the Chase user,
Continuing the Post Enumeration
System/Kernel
*evil-winrm* ps c:\Users\Chase\Documents> Get-ComputerInfo
windowsbuildlabex : 17763.1.amd64fre.rs5_release.180914-1434
windowscurrentversion : 6.3
windowseditionid : ServerStandard
windowsinstallationtype : Server
windowsinstalldatefromregistry : 4/21/2019 4:07:07 AM
windowsproductid : 00429-00520-27817-AA303
windowsproductname : Windows Server 2019 Standard
windowsregisteredorganization :
windowsregisteredowner : Windows User
windowssystemroot : C:\Windows
windowsversion : 1809
osserverlevel : FullServer
keyboardlayout :
timezone : (UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi
logonserver :
powerplatformrole : Desktop
deviceguardsmartstatus : OffNetworks
*Evil-WinRM* PS C:\Users\Chase\Documents> netstat -ano -p tcp
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 856
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 468
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 948
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1312
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2228
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 608
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 628
TCP 10.10.10.149:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.149:5985 10.10.14.3:47582 TIME_WAIT 0
TCP 10.10.10.149:5985 10.10.14.3:47588 ESTABLISHED 4
TCP 127.0.0.1:49672 127.0.0.1:49673 ESTABLISHED 4068
TCP 127.0.0.1:49673 127.0.0.1:49672 ESTABLISHED 4068
TCP 127.0.0.1:49674 127.0.0.1:49675 ESTABLISHED 784
TCP 127.0.0.1:49675 127.0.0.1:49674 ESTABLISHED 784
TCP 127.0.0.1:49678 127.0.0.1:49679 ESTABLISHED 6324
TCP 127.0.0.1:49679 127.0.0.1:49678 ESTABLISHED 6324
TCP 127.0.0.1:49680 127.0.0.1:49681 ESTABLISHED 6656
TCP 127.0.0.1:49681 127.0.0.1:49680 ESTABLISHED 6656Users & Groups
*evil-winrm* ps c:\Users\Chase\Documents> net users
User accounts for \\
-------------------------------------------------------------------------------
Administrator Chase DefaultAccount
Guest Hazard Jason
support WDAGUtilityAccount
The command completed with one or more errors.
*evil-winrm* ps c:\Users\Chase\Documents> net localgroup
Aliases for \\SUPPORTDESK
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Storage Replica Administrators
*System Managed Accounts Group
*Users
The command completed successfully.Processes
*Evil-WinRM* PS C:\Users\Chase\Documents> ps
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
461 17 2212 5408 364 0 csrss
290 13 1972 5132 480 1 csrss
360 15 3560 14768 4660 1 ctfmon
166 9 1868 9780 0.03 808 1 dllhost
250 14 3908 13400 3400 0 dllhost
617 35 30648 59808 960 1 dwm
1492 58 23724 79668 4996 1 explorer
401 33 31324 90752 1.33 784 1 firefox
1084 69 138972 215116 8.69 4068 1 firefox
347 19 10228 39840 0.20 5908 1 firefox
378 28 22152 58940 0.75 6324 1 firefox
355 25 16456 39172 0.16 6656 1 firefox
49 6 1492 3944 768 0 fontdrvhost
49 6 1776 4720 772 1 fontdrvhost
0 0 56 8 0 0 Idle
971 23 5772 14896 628 0 lsass
223 13 3020 10356 3792 0 msdtc
0 12 316 14676 88 0 Registry
275 14 3004 15160 1928 1 RuntimeBroker
304 16 5456 17020 5260 1 RuntimeBroker
145 8 1628 7620 5368 1 RuntimeBroker
674 33 19868 62392 5124 1 SearchUI
532 11 4896 9600 608 0 services
688 28 14968 52452 4904 1 ShellExperienceHost
437 17 4832 24128 4240 1 sihost
53 3 528 1204 268 0 smss
471 23 5760 16296 2228 0 spoolsv
122 7 1232 5660 112 0 svchost
149 9 1808 11788 296 0 svchost
141 7 1316 5756 312 0 svchost
199 12 1980 9748 368 0 svchost
85 5 900 3868 728 0 svchost
854 20 7088 22680 748 0 svchost
854 16 5108 11652 856 0 svchost
252 10 2012 7744 904 0 svchost
377 13 10412 14504 948 0 svchost
230 12 2684 11408 1100 0 svchost
184 9 1780 7632 1108 0 svchost
154 7 1208 5684 1124 0 svchost
432 9 2764 8952 1132 0 svchost
120 15 3668 7744 1160 0 svchost
212 9 2056 7480 1252 0 svchost
172 10 1772 8088 1272 0 svchost
286 13 4056 11284 1304 0 svchost
364 17 4648 13848 1312 0 svchost
145 8 1688 7568 1320 0 svchost
243 13 3200 8452 1384 0 svchost
304 11 1988 8684 1416 0 svchost
341 14 4252 11460 1468 0 svchost
191 12 2112 12092 1580 0 svchost
317 10 2424 8384 1652 0 svchost
163 9 2196 7416 1660 0 svchost
408 32 8712 17012 1688 0 svchost
194 11 1964 8228 1748 0 svchost
159 9 1892 7156 1848 0 svchost
223 11 2800 10896 1868 0 svchost
238 11 2376 9752 1900 0 svchost
166 12 4036 10980 2300 0 svchost
183 22 2484 9944 2308 0 svchost
461 20 11900 27016 2332 0 svchost
373 15 10184 19672 2364 0 svchost
261 13 2568 7912 2392 0 svchost
133 9 1616 6624 2436 0 svchost
136 8 1516 6196 2468 0 svchost
205 11 2280 8428 2484 0 svchost
126 8 1224 5424 2516 0 svchost
468 16 3352 11756 2632 0 svchost
209 12 1796 7512 2640 0 svchost
233 14 4664 11860 2664 0 svchost
283 20 4328 13988 2700 0 svchost
169 10 2144 13308 2732 0 svchost
163 9 3172 7732 3076 0 svchost
384 23 3408 12412 3088 0 svchost
115 7 1232 5332 4012 0 svchost
228 12 3044 13632 4260 1 svchost
366 18 5364 26936 4300 1 svchost
205 11 2720 11952 4460 0 svchost
171 9 1488 7272 4580 0 svchost
168 9 4088 11712 4620 0 svchost
251 14 3176 13872 4768 0 svchost
297 20 11152 14552 4952 0 svchost
194 15 6028 10008 5596 0 svchost
332 18 14852 31524 5604 0 svchost
171 11 2460 13212 5608 0 svchost
306 15 13940 16152 7108 0 svchost
1863 0 192 160 4 0 System
210 20 3904 12440 4372 1 taskhostw
167 11 2896 10968 2528 0 VGAuthService
142 8 1676 6956 2568 0 vm3dservice
136 9 1792 7472 2864 1 vm3dservice
384 22 9776 21764 2612 0 vmtoolsd
261 19 5308 16796 5456 1 vmtoolsd
171 11 1464 6956 468 0 wininit
282 13 2808 12936 540 1 winlogon
345 16 9108 18724 3608 0 WmiPrvSE
1909 30 88452 107772 1.33 5424 0 wsmprovhostThere are running instances of Firefox on the target system
Schtasks
*evil-winrm* ps c:\Users\Chase\Documents> cmd /c schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft"
folder: \
TaskName Next Run Time Status
======================================== ====================== ===============
info: There are no scheduled tasks presently available at your access level.
TaskName Next Run Time Status
======================================== ====================== ===============
info: There are no scheduled tasks presently available at your access level.
TaskName Next Run Time Status
======================================== ====================== ===============
Server Initial Configuration Task N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
.NET Framework NGEN v4.0.30319 N/A Ready
.NET Framework NGEN v4.0.30319 64 N/A Ready
.NET Framework NGEN v4.0.30319 64 Critic N/A Disabled
.NET Framework NGEN v4.0.30319 Critical N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
AD RMS Rights Policy Template Management N/A Disabled
AD RMS Rights Policy Template Management N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
PolicyConverter N/A Disabled
VerifiedPublisherCertStoreCheck N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
microsoft compatibility appraiser 1/12/2023 4:53:29 AM Ready
ProgramDataUpdater N/A Ready
StartupAppTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
appuriverifierdaily N/A Ready
appuriverifierinstall N/A Ready
CleanupTemporaryState N/A Ready
DsSvcCleanup N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Pre-staged app cleanup N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Proxy N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
BitLocker Encrypt All Drives N/A Ready
BitLocker MDM policy Refresh N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
UninstallDeviceTask N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
BgTaskRegistrationMaintenanceTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ProactiveScan N/A Ready
SyspartRepair N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
CreateObjectTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
consolidator 1/11/2023 6:00:00 PM Ready
UsbCeip N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
data integrity scan 1/20/2023 12:30:57 AM Ready
Data Integrity Scan for Crash Recovery N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ScheduledDefrag N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
device 1/12/2023 3:40:29 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Scheduled N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
DXGIAdapterCache N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SilentCleanup N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Microsoft-Windows-DiskDiagnosticDataColl N/A Ready
Microsoft-Windows-DiskDiagnosticResolver N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Diagnostics N/A Ready
StorageSense N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
EDP App Launch Task N/A Ready
EDP Auth Task N/A Ready
EDP Inaccessible Credentials Task N/A Ready
StorageCardEncryption Task N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ExploitGuard MDM policy Refresh N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Property Definition Sync N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
info: There are no scheduled tasks presently available at your access level.
TaskName Next Run Time Status
======================================== ====================== ===============
refreshcache 1/12/2023 12:19:05 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ScanForUpdates N/A Disabled
ScanForUpdatesAsUser N/A Disabled
WakeUpAndContinueUpdates N/A Disabled
WakeUpAndScanForUpdates N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Notifications N/A Ready
WindowsActionDialog N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
WinSAT N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
MapsToastTask N/A Disabled
MapsUpdateTask N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
ProcessMemoryDiagnosticEvents N/A Disabled
RunFullMemoryDiagnostic N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
MNO Metadata Parser N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
LPRemove N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SystemSoundsService N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
GatherNetworkInfo N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Background Synchronization N/A Disabled
Logon Synchronization N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Server Manager Performance Monitor N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Device Install Group Policy N/A Ready
Device Install Reboot Required N/A Ready
Sysprep Generalize Drivers N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
AnalyzeSystem N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
VerifyWinRE N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
CleanupOldPerfLogs N/A Ready
ServerManager N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
StartComponentCleanup N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Account Cleanup N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
CreateObjectTask N/A Ready
IndexerAutomaticMaintenance N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Collection N/A Disabled
Configuration N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SpaceAgentTask N/A Ready
SpaceManagerTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
HeadsetButtonPress N/A Ready
speechmodeldownloadtask 1/12/2023 3:36:31 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Storage Tiers Management Initialization N/A Ready
Storage Tiers Optimization N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
MsCtfMonitor N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ForceSynchronizeTime N/A Ready
SynchronizeTime N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SynchronizeTimeZone N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
UPnPHostConfig N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Windows Defender Cache Maintenance N/A Ready
Windows Defender Cleanup N/A Ready
windows defender scheduled scan 1/12/2023 4:42:26 AM Ready
Windows Defender Verification N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
queuereporting 1/11/2023 3:38:45 PM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
BfeOnServiceStartTypeChange N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
UpdateLibrary N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Calibration Loader N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
scheduled start 1/12/2023 1:14:10 PM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
CacheTask N/A Running
TaskName Next Run Time Status
======================================== ====================== ===============
Automatic-Device-Join N/A Disabled
Recovery-Check N/A DisabledFirewall & AV
*Evil-WinRM* PS C:\Users\Chase\Documents> netsh firewall show config
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable Yes Network Discovery
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Enable Inbound Firefox (C:\Program Files\Mozilla Firefox) / C:\Program Files\Mozilla Firefox\firefox.exe
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .The target system has firewall enabled. Firefox is the only application allowed for inbound traffic