Beyond


This "Beyond" page covers the additional post-exploitation enumeration and assessment carried out with SYSTEM-level privileges once the target system has been compromised.

Scheduled Tasks


*Evil-WinRM* PS C:\Users\Administrator> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
 
TaskName      TaskPath State
--------      -------- -----
Cleanup       \        Ready
Down Detector \        Ready

Cleanup


*Evil-WinRM* PS C:\Users\Administrator> cmd /c schtasks /QUERY /TN \Cleanup /V /FO LIST

Folder: \
HostName:                             DC
TaskName:                             \Cleanup
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        9/27/2023 12:13:34 AM
Last Result:                          0
Author:                               N/A
Task To Run:                          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "Get-DnsServerResourceRecord -ZoneName 'intelligence.htb' | Where-Object HostName -match 'web' | Remove-DnsServerResourceRecord -ZoneName 'intelligence.htb' -Force"
Start In:                             N/A
Comment:                              N/A
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          Administrator
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At system start up
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Down Detector


*Evil-WinRM* PS C:\Users\Administrator> cmd /c schtasks /QUERY /TN "\Down Detector" /V /FO LIST
 
Folder: \
HostName:                             DC
TaskName:                             \Down Detector
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        9/27/2023 12:53:34 AM
Last Result:                          0
Author:                               N/A
Task To Run:                          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\IT\downdetector.ps1
Start In:                             N/A
Comment:                              N/A
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          Ted.Graves
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At system start up
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A
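The two task listings above are read one at a time. The following PowerShell script is an added audit example (not from the original write-up) that does the same enumeration for every non-Microsoft task on the host in one pass: it reports the command, the run-as account, the trigger type and the last result, and then checks whether the script or executable the task launches sits in a location that broad principals can write to, which is what turns a task like "Down Detector" (running C:\IT\downdetector.ps1 as Ted.Graves) into a persistence or privilege-escalation risk. The list of "broad" principals is an assumption chosen for illustration.

```powershell
# Added audit example, not part of the original page. Enumerates non-Microsoft
# scheduled tasks, summarises what they run and as whom, and flags tasks whose
# script/executable is writable by a broad principal.
Import-Module ScheduledTasks

# Principals that should never be able to modify a task's script (assumed list).
$broadWriters = @('Everyone', 'BUILTIN\Users',
                  'NT AUTHORITY\Authenticated Users', 'INTELLIGENCE\Domain Users')

function Get-LaunchedPath {
    param([string]$Execute, [string]$Arguments)
    # Prefer a script path in the arguments (powershell.exe C:\IT\x.ps1),
    # fall back to the executable itself.
    foreach ($candidate in @($Arguments, $Execute)) {
        if ($candidate -match '([A-Za-z]:\\[^\s"'']+\.(ps1|bat|cmd|vbs|exe))') {
            return $Matches[1]
        }
    }
    return $null
}

function Test-WritableByBroadPrincipal {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.FileSystemRights.ToString()
        if ($rights -match 'Write|Modify|FullControl' -and
            $broadWriters -contains $ace.IdentityReference.Value) {
            return $true
        }
    }
    return $false
}

$report = foreach ($task in Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft*' }) {
    $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
    foreach ($action in $task.Actions) {
        $launched = Get-LaunchedPath -Execute $action.Execute -Arguments $action.Arguments
        $weak = $false
        if ($launched) { $weak = Test-WritableByBroadPrincipal -Path $launched }
        [pscustomobject]@{
            Task          = $task.TaskPath + $task.TaskName
            State         = $task.State
            RunAs         = $task.Principal.UserId
            LogonType     = $task.Principal.LogonType
            # Trigger class names look like MSFT_TaskBootTrigger; strip the prefix.
            Trigger       = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
            Command       = ("$($action.Execute) $($action.Arguments)").Trim()
            LastRun       = $info.LastRunTime
            LastResult    = $info.LastTaskResult
            LaunchedPath  = $launched
            WeakScriptAcl = $weak
        }
    }
}

$report | Format-List
$report | Where-Object WeakScriptAcl | ForEach-Object {
    Write-Warning "Task $($_.Task) runs $($_.LaunchedPath) as $($_.RunAs) but the file is writable by a broad principal"
}
```

Run it from an elevated PowerShell session on the host; `Get-ScheduledTaskInfo` fills in the "Last Run Time" and "Last Result" fields that `schtasks /QUERY /V` shows above, and a `WeakScriptAcl` of `True` is the condition to remediate by tightening the NTFS ACL on the script's directory.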

ADIDNS Poisoning


*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ACL "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Select-Object Owner, Access

Owner                         Access
-----                         ------
NT AUTHORITY\SYSTEM           Everyone Allow  ...

AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb is the Distinguished Name (DN) of an Active Directory (AD) object, here the intelligence.htb zone object in Active Directory-Integrated DNS (ADIDNS), stored in the DomainDnsZones application partition; the AD: prefix addresses it through the PowerShell Active Directory provider drive. This is the usual way of specifying the location or path of an AD object.

Everyone holds an Allow ACE on the ADIDNS zone object. The expanded ACL below shows exactly which rights each principal has: Everyone gets GenericRead, and NT AUTHORITY\Authenticated Users gets CreateChild, i.e. any authenticated account can create new records in the zone.

*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ACL "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Select-Object -ExpandProperty Access

ActiveDirectoryRights : GenericRead
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : Everyone
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
InheritanceType       : All
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None

ActiveDirectoryRights : CreateChild
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : NT AUTHORITY\Authenticated Users
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : GenericAll
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : NT AUTHORITY\SYSTEM
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : GenericAll
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : intelligence\Domain Admins
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
InheritanceType       : All
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : intelligence\DnsAdmins
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : None

ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
InheritanceType       : All
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : None

ActiveDirectoryRights : ReadProperty
InheritanceType       : Descendents
ObjectType            : 4c164200-20c0-11d0-a768-00aa006e0529
InheritedObjectType   : 4828cc14-1437-45bc-9b07-ad6f015e5f28
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : BUILTIN\Pre-Windows 2000 Compatible Access
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : ReadProperty
InheritanceType       : Descendents
ObjectType            : 4c164200-20c0-11d0-a768-00aa006e0529
InheritedObjectType   : bf967aba-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : BUILTIN\Pre-Windows 2000 Compatible Access
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : ReadProperty
InheritanceType       : Descendents
ObjectType            : 5f202010-79a5-11d0-9020-00c04fc2d4cf
InheritedObjectType   : 4828cc14-1437-45bc-9b07-ad6f015e5f28
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : BUILTIN\Pre-Windows 2000 Compatible Access
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : ReadProperty
InheritanceType       : Descendents
ObjectType            : 5f202010-79a5-11d0-9020-00c04fc2d4cf
InheritedObjectType   : bf967aba-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : BUILTIN\Pre-Windows 2000 Compatible Access
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : ReadProperty
InheritanceType       : Descendents
ObjectType            : bc0ac240-79a9-11d0-9020-00c04fc2d4cf
InheritedObjectType   : 4828cc14-1437-45bc-9b07-ad6f015e5f28
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : BUILTIN\Pre-Windows 2000 Compatible Access
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : ReadProperty
InheritanceType       : Descendents
ObjectType            : bc0ac240-79a9-11d0-9020-00c04fc2d4cf
InheritedObjectType   : bf967aba-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : BUILTIN\Pre-Windows 2000 Compatible Access
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : ReadProperty
InheritanceType       : Descendents
ObjectType            : 59ba2f42-79a2-11d0-9020-00c04fc2d3cf
InheritedObjectType   : 4828cc14-1437-45bc-9b07-ad6f015e5f28
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : BUILTIN\Pre-Windows 2000 Compatible Access
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : ReadProperty
InheritanceType       : Descendents
ObjectType            : 59ba2f42-79a2-11d0-9020-00c04fc2d3cf
InheritedObjectType   : bf967aba-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : BUILTIN\Pre-Windows 2000 Compatible Access
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : ReadProperty
InheritanceType       : Descendents
ObjectType            : 037088f8-0ae1-11d2-b422-00a0c968f939
InheritedObjectType   : 4828cc14-1437-45bc-9b07-ad6f015e5f28
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : BUILTIN\Pre-Windows 2000 Compatible Access
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : ReadProperty
InheritanceType       : Descendents
ObjectType            : 037088f8-0ae1-11d2-b422-00a0c968f939
InheritedObjectType   : bf967aba-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : BUILTIN\Pre-Windows 2000 Compatible Access
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : Self
InheritanceType       : Descendents
ObjectType            : 9b026da6-0d3c-465c-8bee-5199d7165cba
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : CREATOR OWNER
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : Self
InheritanceType       : Descendents
ObjectType            : 9b026da6-0d3c-465c-8bee-5199d7165cba
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : NT AUTHORITY\SELF
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : ReadProperty
InheritanceType       : Descendents
ObjectType            : b7c69e6d-2cc7-11d2-854e-00a0c983f608
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : ReadProperty
InheritanceType       : Descendents
ObjectType            : b7c69e6d-2cc7-11d2-854e-00a0c983f608
InheritedObjectType   : bf967a9c-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : ReadProperty
InheritanceType       : Descendents
ObjectType            : b7c69e6d-2cc7-11d2-854e-00a0c983f608
InheritedObjectType   : bf967aba-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : WriteProperty
InheritanceType       : Descendents
ObjectType            : ea1b7b93-5e48-46d5-bc6c-4df4fda78a35
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : NT AUTHORITY\SELF
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : GenericRead
InheritanceType       : Descendents
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 4828cc14-1437-45bc-9b07-ad6f015e5f28
ObjectFlags           : InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : BUILTIN\Pre-Windows 2000 Compatible Access
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : GenericRead
InheritanceType       : Descendents
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : bf967a9c-0de6-11d0-a285-00aa003049e2
ObjectFlags           : InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : BUILTIN\Pre-Windows 2000 Compatible Access
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : GenericRead
InheritanceType       : Descendents
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : bf967aba-0de6-11d0-a285-00aa003049e2
ObjectFlags           : InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : BUILTIN\Pre-Windows 2000 Compatible Access
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : ReadProperty, WriteProperty
InheritanceType       : All
ObjectType            : 3f78c3e5-f79a-46bd-a0b8-9d18116ddc79
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : NT AUTHORITY\SELF
IsInherited           : True
InheritanceFlags      : ContainerInherit, ObjectInherit
PropagationFlags      : None

ActiveDirectoryRights : ReadProperty, WriteProperty, ExtendedRight
InheritanceType       : All
ObjectType            : 91e647de-d96f-4b70-9557-d63ff4f3ccd8
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : NT AUTHORITY\SELF
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : None

ActiveDirectoryRights : GenericAll
InheritanceType       : All
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : intelligence\Enterprise Admins
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : None

ActiveDirectoryRights : ListChildren
InheritanceType       : All
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : BUILTIN\Pre-Windows 2000 Compatible Access
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : None

ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
InheritanceType       : All
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : BUILTIN\Administrators
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : None
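Reading an ACL this long by eye is error-prone, and the security-relevant entry (CreateChild for NT AUTHORITY\Authenticated Users, which is the default ADIDNS permission that lets any domain account add records to the zone) is easy to miss among the inherited ACEs. The following PowerShell script is an added defensive audit example, not code from the original write-up: it reads the ACL of the zone object whose DN appears above, reports only the ACEs that grant write-type rights to broad principals, and then lists the dnsNode records in the zone whose owner is not an administrative or DC principal, which is how records created by an ordinary account show up. The zone DN is taken from the page; the principal and owner lists are assumptions.

```powershell
# Added ADIDNS audit example, not part of the original page.
# Requires the ActiveDirectory module (provides the AD: drive used above).
Import-Module ActiveDirectory

# Zone object DN exactly as shown in the Get-ACL command on this page.
$zoneDn = 'DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb'

# Principals whose ability to add records should be reviewed (assumed list).
$broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                     'INTELLIGENCE\Domain Users', 'INTELLIGENCE\Domain Computers')

# Rights that allow creating/altering records or the zone's security descriptor.
$writeRights = 'CreateChild|WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner'

# Owners expected on records created by the DNS server or administrators (assumed list).
$expectedOwners = @('NT AUTHORITY\SYSTEM', 'INTELLIGENCE\Domain Admins',
                    'INTELLIGENCE\Enterprise Admins', 'INTELLIGENCE\DnsAdmins',
                    'BUILTIN\Administrators', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')

function Get-RiskyZoneAces {
    param([string]$Dn)
    $acl = Get-Acl -Path "AD:$Dn"
    # Same Access entries as the -ExpandProperty output above, filtered down
    # to Allow ACEs that give a broad principal any write-type right.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.ToString() -match $writeRights -and
        $broadPrincipals -contains $_.IdentityReference.Value
    } | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
}

function Get-RecordsWithUnexpectedOwner {
    param([string]$Dn)
    # Each DNS record is a dnsNode child of the zone object; the owner of its
    # security descriptor is the principal that created it.
    Get-ADObject -SearchBase $Dn -SearchScope OneLevel -LDAPFilter '(objectClass=dnsNode)' `
        -Properties nTSecurityDescriptor, whenCreated |
    ForEach-Object {
        $owner = $_.nTSecurityDescriptor.Owner
        if ($expectedOwners -notcontains $owner) {
            [pscustomobject]@{ Record = $_.Name; Owner = $owner; Created = $_.whenCreated }
        }
    }
}

"== Allow ACEs granting write-type rights to broad principals on $zoneDn =="
Get-RiskyZoneAces -Dn $zoneDn | Format-Table -AutoSize

"== dnsNode records in the zone owned by non-administrative principals =="
Get-RecordsWithUnexpectedOwner -Dn $zoneDn | Sort-Object Created | Format-Table -AutoSize
```

Against the ACL shown above, the first table contains the single Authenticated Users / CreateChild entry. The second table is the one to keep an eye on over time: a record whose owner is an ordinary user account was added by that account, and reviewing those (or alerting on new ones) is a practical detection for ADIDNS record injection without having to diff the whole zone.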