Beyond
This is the Beyond page, where additional post-compromise enumeration and assessment are conducted as SYSTEM after compromising the target system.
Scheduled Tasks
As expected, there are 4 scheduled tasks:
CleanPerms
CleanSPN
CreateExplorerShellUnelevatedTask
User_Feed_Synchronization-{EFE1614B-2B33-4ED0-AD7E-E59FAAE42451}
CleanPerms
powershell.exe -c "c:\users\administrator\contacts\PermsAndGroups.ps1
get-aduser winrm_svc | set-adobject -Clear ServicePrincipalName
get-aduser batch_runner | set-adobject -Clear ServicePrincipalName
Set-ADServiceAccount delegator -PrincipalsAllowedToDelegateToAccount $null
net group ServiceMgmt oorend /del
cmd /c 'dsacls "OU=service users,DC=rebound,DC=htb" /resetDefaultDACL'
cmd /c 'dsacls "cn=batch_runner,OU=service users,DC=rebound,DC=htb" /resetDefaultDACL'
cmd /c 'dsacls "cn=winrm_svc,OU=service users,DC=rebound,DC=htb" /resetDefaultDACL'
cmd /c 'dsacls.exe "ou=service users,dc=rebound,dc=htb" /g rebound\servicemgmt:GA'
CleanSPN
powershell -c "C:\users\administrator\contacts\SPNandPass.ps1
net user winrm_svc Idonthitnkthismattersnow123
set-aduser -identity "winrm_svc" -cannotchangepassword $true
net user batch_runner SpanishDisquisitionaasdsvv123-
set-aduser -identity "batch_runner" -cannotchangepassword $true
set-aduser -identity "batch_runner" -serviceprincipalnames $null
set-aduser -identity "winrm_svc" -serviceprincipalnames $null
$objects = Get-ADobject -searchbase "OU=Service Users,DC=rebound,DC=htb" -Filter *
$objectsToDelete = $objects | Where-Object { $_.Name -notin @("winrm_svc", "batch_runner", "Service Users") }
foreach ($object in $objectsToDelete) {
    Remove-ADobject -identity $object.distinguishedname -Confirm:$false -Recursive
}
CreateExplorerShellUnelevatedTask
User_Feed_Synchronization-{EFE1614B-2B33-4ED0-AD7E-E59FAAE42451}
Objects
Managed Service Accounts
delegator
ldap_monitor
ServiceMgmt
tbrady
ReadgMSAPassword