Beyond
This is the beyond page, where additional post-exploitation enumeration and assessment are conducted as SYSTEM after compromising the target system.
C:\Windows\system32> net user /ADD adm1n Qwer1234
The command completed successfully.
C:\Windows\system32> net groups "Domain Admins" /ADD adm1n
The command completed successfully.
Scheduled Tasks
PS C:\Windows\system32> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
TaskName TaskPath State
-------- -------- -----
CA_Template_CleaningUp \ Ready
CleaningUp \ Ready
CreateExplorerShellUnelevatedTask \ Running
LDAP \ Ready
lock_drive_E \ Ready
Messenger \ Ready
StartEndRDP \ Ready
User_Feed_Synchronization-{18F6B90D-76C4-4BC4-8812-251E19A824B3} \ Ready
CA_Template_CleaningUp
C:\Windows\system32> schtasks /QUERY /TN \CA_Template_CleaningUp /V /FO LIST
Folder: \
HostName: DC01
TaskName: \CA_Template_CleaningUp
Next Run Time: 9/4/2024 7:59:54 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 9/4/2024 7:57:54 AM
Last Result: 0
Author: INFILTRATOR\Administrator
Task To Run: powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Administrator\Links\cleanup_ca.ps1
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: One Time Only, Minute
Start Time: 5:05:54 AM
Start Date: 2/19/2024
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: 0 Hour(s), 2 Minute(s)
Repeat: Until: Time: None
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
C:\Users\Administrator\Links\cleanup_ca.ps1
C:\Users\Administrator\Links\cleanup_ca.ps1
C:\Windows\system32> type C:\Users\Administrator\Links\cleanup_ca.ps1
# cleanup_ca.ps1 -- recreates the "Infiltrator_Template" certificate template
# from a JSON definition and grants infiltrator_svc$ write access to it.
# Per the schtasks output above this runs as SYSTEM every 2 minutes, so any
# manual change to the template or its ACL is reverted within minutes.
# ipmo is the Import-Module alias; the module is loaded from Administrator's Links folder
ipmo C:\users\Administrator\Links\ADCSTemplate.psm1
Import-Module PSPKI
# Get the current templates
$current_templates = Get-ADCSTemplate
# Keep only the template names (assumes Get-ADCSTemplate output has a .name property -- confirm against the module)
$current_templates = $current_templates.name
# Define the Infiltrator_Template
$infiltrator_template_name = "Infiltrator_Template"
# Check if Infiltrator_Template exists
if ($current_templates -contains $infiltrator_template_name) {
# Remove without prompting; the task runs non-interactively as SYSTEM
Remove-ADCSTemplate -DisplayName $infiltrator_template_name -Confirm:$False
Write-Host "Infiltrator_Template removed successfully."
}
# Recreate the template from the JSON file and publish it (-Publish)
New-ADCSTemplate -DisplayName Infiltrator_Template -JSON (Get-Content C:\Users\Administrator\Links\Infiltrator_Template.json -Raw) -Publish
$template = Get-CertificateTemplate -Name Infiltrator_Template
# Grants infiltrator_svc$ Write and Read on the template's security descriptor.
# Defender note: a principal with write rights over a certificate template can
# change its enrollment settings (the ESC4 template-ACL misconfiguration class);
# this grant should be treated as a finding and reviewed.
Get-CertificateTemplateAcl -Template $template | Add-CertificateTemplateAcl -Identity infiltrator_svc$ -AccessType Allow -AccessMask Write, Read | Set-CertificateTemplateAcl | Format-List
CleaningUp
C:\Windows\system32> schtasks /QUERY /TN \CleaningUp /V /FO LIST
Folder: \
HostName: DC01
TaskName: \CleaningUp
Next Run Time: 9/4/2024 8:01:39 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 9/4/2024 7:56:39 AM
Last Result: 0
Author: INFILTRATOR\Administrator
Task To Run: powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Administrator\Links\cleaning_up.ps1
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: One Time Only, Minute
Start Time: 11:11:39 AM
Start Date: 12/12/2023
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: 0 Hour(s), 5 Minute(s)
Repeat: Until: Time: None
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
C:\Users\Administrator\Links\cleaning_up.ps1
C:\Users\Administrator\Links\cleaning_up.ps1
C:\Windows\system32> type C:\Users\Administrator\Links\cleaning_up.ps1
# cleaning_up.ps1 -- resets the Marketing Digital OU, two user passwords and
# several DACLs to a fixed baseline. Per the schtasks output above it runs as
# SYSTEM every 5 minutes, so changes to these objects do not persist.
# Remove E.RODRIGUEZ from the CHIEFS MARKETING group
net group "CHIEFS MARKETING" E.RODRIGUEZ /del
# Reset the user object's DACL to the schema default
dsacls.exe "CN=E.rodriguez,OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB" /resetDefaultDACL
# Grant E.RODRIGUEZ the "WS" right on the group, inherited to the subtree (/I:T)
# (WS is dsacls' write-self / validated-write right -- confirm with dsacls /? on the host)
dsacls.exe "CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB" /I:T /G "E.RODRIGUEZ:WS"
# Reset the OU's DACL, then grant D.ANDERSON "GA" (generic all) over the OU
dsacls.exe "OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB" /resetDefaultDACL
dsacls.exe "OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB" /G "infiltrator\D.ANDERSON:GA"
# Force-reset two account passwords to values embedded in plain text.
# Defender note: hard-coded credentials in an automated script; anyone who can
# read this file learns these passwords, and the periodic reset keeps them fixed.
Set-ADAccountPassword -Identity "E.rodriguez" -NewPassword (ConvertTo-SecureString "Eth@n_D1g1Tal@202!" -AsPlainText -Force) -Reset
Set-ADAccountPassword -Identity "M.harris" -NewPassword (ConvertTo-SecureString "D3v3l0p3r_Pass@1337!" -AsPlainText -Force) -Reset
# Collect every object under the OU except the OU itself and E.rodriguez
$Remove_Memebers = Get-ADobject -searchbase "OU=Marketing Digital,DC=infiltrator,DC=htb" -Filter * | Where-Object {$_.Name -notin @("Marketing Digital", "E.rodriguez")}
foreach ($Member in $Remove_Memebers) {
# Delete without prompting; -Recursive also removes any child objects
Remove-ADobject -identity $Member.distinguishedname -Confirm:$false -Recursive
}
LDAP
C:\Windows\system32> schtasks /QUERY /TN \LDAP /V /FO LIST
Folder: \
HostName: DC01
TaskName: \LDAP
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 8/26/2024 2:17:40 AM
Last Result: 0
Author: INFILTRATOR\Administrator
Task To Run: powershell.exe C:\users\administrator\links\ldap.ps1
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: Administrator
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
C:\users\administrator\links\ldap.ps1
C:\users\administrator\links\ldap.ps1
C:\Windows\system32> type C:\users\administrator\links\ldap.ps1
# ldap.ps1 -- restarts the NTDS (Active Directory Domain Services) service
# until LDAP on dc01 TCP/389 accepts connections. Runs at system startup as
# Administrator per the schtasks output above.
while (-not ((test-netconnection -ComputerName dc01 -port 389).TcpTestSucceeded)) {
# Force-restart the directory service, then wait 30 s before probing again.
# There is no retry limit: if LDAP never comes up this loop runs indefinitely.
Restart-Service -Name 'NTDS' -Force
Start-Sleep -Seconds 30
}
lock_drive_E
C:\Windows\system32> schtasks /QUERY /TN \lock_drive_E /V /FO LIST
Folder: \
HostName: DC01
TaskName: \lock_drive_E
Next Run Time: 9/4/2024 8:04:10 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 9/4/2024 8:01:10 AM
Last Result: 0
Author: INFILTRATOR\administrator
Task To Run: powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Administrator\Links\Lock-BitLocker.ps1
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: One Time Only, Minute
Start Time: 6:25:10 PM
Start Date: 2/25/2024
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: 0 Hour(s), 3 Minute(s)
Repeat: Until: Time: None
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
C:\Users\Administrator\Links\Lock-BitLocker.ps1
C:\Users\Administrator\Links\Lock-BitLocker.ps1
C:\Windows\system32> type C:\Users\Administrator\Links\Lock-BitLocker.ps1
# Lock-BitLocker.ps1 -- re-locks the BitLocker volume mounted at E: if it is
# currently unlocked. Scheduled as SYSTEM every 3 minutes per the schtasks
# output above, so an unlocked E: volume is re-locked shortly afterwards.
$mountPoint = 'E'
# Check if BitLocker is already locked
$bitlockerStatus = Get-BitLockerVolume -MountPoint $mountPoint | Select-Object -ExpandProperty LockStatus
if ($bitlockerStatus -eq 'Unlocked') {
# Lock BitLocker if it's not already locked
Lock-BitLocker -MountPoint $mountPoint
Write-Host "BitLocker locked successfully for $mountPoint."
} else {
# Any status other than 'Unlocked' (including an empty result) takes this branch
Write-Host "BitLocker is already locked for $mountPoint. No action taken."
}
Messenger
C:\Windows\system32> schtasks /QUERY /TN \Messenger /V /FO LIST
Folder: \
HostName: DC01
TaskName: \Messenger
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 9/3/2024 10:36:09 AM
Last Result: 0
Author: INFILTRATOR\Administrator
Task To Run: powershell.exe C:\Users\Administrator\Links\messenger.ps1
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: Administrator
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
C:\Users\Administrator\Links\messenger.ps1
C:\Users\Administrator\Links\messenger.ps1
C:\Windows\system32> type C:\Users\Administrator\Links\messenger.ps1
# messenger.ps1 -- waits until the Output Messenger server process is running,
# then launches the Output Messenger client once and exits. Runs at system
# startup as Administrator per the schtasks output above, so the client
# runs in that account's context.
# Start Output Messenger for admin account
$processName = 'OMServerService'
$programPath = 'C:\Program Files\Output Messenger\OutputMessenger.exe'
while ($true) {
# -ErrorAction SilentlyContinue makes a missing process yield nothing instead of an error
$process = Get-Process -Name $processName -ErrorAction SilentlyContinue
if ($process) {
# Server is up: start the client and leave the loop
Start-Process -FilePath $programPath
break
} else {
# Server not yet running: poll again in 5 s (no timeout)
Start-Sleep -Seconds 5
}
}
StartEndRDP
C:\Windows\system32> schtasks /QUERY /TN \StartEndRDP /V /FO LIST
Folder: \
HostName: DC01
TaskName: \StartEndRDP
Next Run Time: 9/4/2024 8:04:16 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 9/4/2024 8:02:16 AM
Last Result: 0
Author: INFILTRATOR\administrator
Task To Run: powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Administrator\Links\start_end_rdp.ps1
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: Administrator
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: One Time Only, Minute
Start Time: 4:24:16 PM
Start Date: 2/26/2024
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: 0 Hour(s), 2 Minute(s)
Repeat: Until: Time: None
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
C:\Users\Administrator\Links\start_end_rdp.ps1
C:\Users\Administrator\Links\start_end_rdp.ps1
C:\Windows\system32> type C:\Users\Administrator\Links\start_end_rdp.ps1
# start_end_rdp.ps1 -- simulates the user o.martinez logging in over RDP:
# stores the credential with cmdkey, opens mstsc, waits until qwinsta shows
# the session, then closes mstsc. Runs as Administrator every 2 minutes per
# the schtasks output above.
# Clear existing RDP credentials for the specified target
cmdkey /list | ForEach-Object {
if ($_ -like "*target=TERMSRV/*") {
# Strip spaces and the "Target:" label so the bare entry name is passed to /del
cmdkey /del:($_ -replace " ","" -replace "Target:","")
}
}
# Define RDP connection parameters
$Server = "infiltrator.htb"
$User = "o.martinez"
# Defender note: plaintext credential embedded in the script and then written
# to the Credential Manager of the account running the task; both the file and
# the stored entry expose this password to anyone with access to that context.
$Password = "M@rtinez_P@ssw0rd!"
# Store RDP credentials
cmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password
# Initiate RDP connection
Start-Process "mstsc" -ArgumentList "/v:$Server"
# Function to check if the user "o.martinez" is active
function Check-UserActive {
# Lists sessions on $Server (a script-scope variable set above) and returns the
# matching line(s) for o.martinez, or nothing when absent. The "." in the
# pattern is a regex metacharacter (any character), not a literal dot.
$output = qwinsta /server:$Server
return $output | Select-String -Pattern "o.martinez"
}
# Wait for RDP to start and periodically check if the user is active
Start-Sleep -Seconds 5 # Wait a few seconds for the RDP session to start
$userActive = $null
# Poll until Check-UserActive returns something. There is no timeout in the
# script itself; the task's 72-hour run limit (see the schtasks output above)
# is the only bound if the session never appears.
while ($null -eq $userActive) {
$userActive = Check-UserActive
if ($userActive) {
# If the user is active, end the RDP session.
# -Name mstsc stops every mstsc.exe process, not only the one started above.
Stop-Process -Name mstsc -Force
Write-Output "User 'o.martinez' is active on $Server. RDP session ended."
break
} else {
# Wait a bit before checking again
Start-Sleep -Seconds 5
}
}
# Given the loop condition, this branch is reached only if Check-UserActive
# returns a non-null but falsy value; in practice it appears unreachable.
if (-not $userActive) {
Write-Output "User 'o.martinez' is not active on $Server."
}