Automation Scripts


Checking the filesystem after conducting a basic system enumeration on the wc-3.university.htb host

*Evil-WinRM* PS C:\Program Files> ls
 
 
    Directory: C:\Program Files
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        3/10/2024  12:13 AM                Automation-Scripts
d-----        9/15/2018  12:28 AM                Common Files
d-----        11/5/2022  12:03 PM                internet explorer
d-----        2/23/2024   3:44 PM                PackageManagement
d-----        2/23/2024   4:22 PM                Trid
d-----        11/5/2022  12:03 PM                Windows Defender
d-----        11/5/2022  12:03 PM                Windows Defender Advanced Threat Protection
d-----        11/5/2022  12:03 PM                Windows Mail
d-----        11/5/2022  12:03 PM                Windows Media Player
d-----        9/15/2018  12:19 AM                Windows Multimedia Platform
d-----        9/15/2018  12:28 AM                windows nt
d-----        11/5/2022  12:03 PM                Windows Photo Viewer
d-----        9/15/2018  12:19 AM                Windows Portable Devices
d-----        9/15/2018  12:19 AM                Windows Security
d-----        2/23/2024   3:44 PM                WindowsPowerShell

There are some interesting directories in the C:\Program Files directory, which were also discovered by PEAS

  • C:\Program Files\Automation-Scripts
  • C:\Program Files\Trid

*Evil-WinRM* PS C:\Program Files\Automation-Scripts> ls
 
    Directory: C:\Program Files\Automation-Scripts
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       10/21/2024   4:17 PM           1278 get-lectures.ps1
-a----        9/14/2024  12:13 AM            410 wpad-cache-cleaner.ps1
 
*Evil-WinRM* PS C:\Program Files\Automation-Scripts> cat *.ps1
Access to the path 'C:\Program Files\Automation-Scripts\get-lectures.ps1' is denied.
At line:1 char:1
+ cat *.ps1
+ ~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Program File...et-lectures.ps1:String) [Get-Content], UnauthorizedAccessException
    + FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
Access to the path 'C:\Program Files\Automation-Scripts\wpad-cache-cleaner.ps1' is denied.
At line:1 char:1
+ cat *.ps1
+ ~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Program File...che-cleaner.ps1:String) [Get-Content], UnauthorizedAccessException
    + FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand

The C:\Program Files\Automation-Scripts directory contains 2 PowerShell scripts, but they cannot be read by the current user (wao)

Based on the naming alone, the get-lectures.ps1 file possibly processes uploaded lecture files, whereas the wpad-cache-cleaner.ps1 file might be responsible for cleaning up the Web Proxy Auto-Discovery (WPAD) cache.

TrID


TrID is a utility designed to identify file types from their binary signatures. While there are similar utilities with hard-coded logic, TrID has no fixed rules. Instead, it’s extensible and can be trained to recognize new formats in a fast and automatic way.
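
A simplified model of the "trained, not hard-coded" idea described above, as an added example (not TrID's own code, algorithm or .trd definition format). The function names and all sample bytes are constructed for illustration: a definition is learned as the bytes that stay constant at the same offset across known samples, and unknown data is ranked by how many of those bytes it matches.

```python
# Added example: simplified signature learning, NOT TrID's real algorithm or file format.

def train(samples, window=32):
    """Learn a definition: bytes identical at the same offset in every sample."""
    n = min(window, *(len(s) for s in samples))
    first = samples[0]
    return {i: first[i] for i in range(n) if all(s[i] == first[i] for s in samples)}

def score(definition, data):
    """Percentage of the definition's fixed bytes present at the right offsets."""
    if not definition:
        return 0.0
    hits = sum(1 for off, b in definition.items() if off < len(data) and data[off] == b)
    return 100.0 * hits / len(definition)

def identify(defs, data, top=5):
    """Rank all definitions against data, best first (compare TrID's -n:nn option)."""
    ranked = sorted(((score(d, data), name) for name, d in defs.items()), reverse=True)
    return [(name, round(pct, 1)) for pct, name in ranked[:top] if pct > 0]

# Constructed sample headers (first bytes only), used as training material.
PNG_HEAD = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"
PNG_SAMPLES = [
    PNG_HEAD + b"\x00\x00\x01\x00\x00\x00\x01\x00\x08\x06",
    PNG_HEAD + b"\x00\x00\x02\x80\x00\x00\x01\xe0\x08\x02",
]
ZIP_HEAD = b"PK\x03\x04\x14\x00\x00\x00\x08\x00"
ZIP_SAMPLES = [ZIP_HEAD + b"\x11\x22\x33\x44", ZIP_HEAD + b"\x55\x66\x77\x88"]

DEFS = {"PNG": train(PNG_SAMPLES), "ZIP": train(ZIP_SAMPLES)}

# Constructed unknown inputs: a PNG with an arbitrary name, and a plain-text script.
UNKNOWN_PNG = PNG_HEAD + b"\x00\x00\x00\x10\x00\x00\x00\x10\x08\x06"
SCRIPT_TEXT = b"param($Path)\nGet-ChildItem $Path\n"

if __name__ == "__main__":
    print("unknown png :", identify(DEFS, UNKNOWN_PNG))
    print("script text :", identify(DEFS, SCRIPT_TEXT))
```

The plain-text script matches neither learned definition, while the PNG is identified from content alone, regardless of its file name or extension.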

*Evil-WinRM* PS C:\Program Files\trid> ls
 
    Directory: C:\Program Files\trid
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/23/2024   4:17 PM         108544 trid.exe
-a----        2/23/2024   4:22 PM        7378984 triddefs.trd
 
*Evil-WinRM* PS C:\Program Files\trid> .\trid.exe -?
 
TrID/32 - File Identifier v2.24 - (C) 2003-16 By M.Pontello
 
Usage: TrID <[path]filespec(s)...> [-ae|-ce] [-d:file] [-ns] [-n:nn]
                                   [-@] [-v] [-w] [-?]
 
Where: <filespec> Files to identify/analyze
       -ae        Add guessed extension to filename
       -ce        Change filename extension
       -d:file    Use the specified defs package
       -ns        Disable unique strings check
       -n:nn      Number of matches to show (default: 5)
       -@         Read file list from stdin
       -v         Verbose mode - display def name, author, etc.
       -w         Wait for a key before exiting
       -?         This help!

trid.exe is available

*Evil-WinRM* PS C:\Program Files\trid> .\trid.exe "C:\Program Files\Automation-Scripts\get-lectures.ps1" -v
 
TrID/32 - File Identifier v2.24 - (C) 2003-16 By M.Pontello
Definitions found:  17251
Analyzing...
 
Collecting data from file: C:\Program Files\Automation-Scripts\get-lectures.ps1
 
* Error: Can't open file C:\Program Files\Automation-Scripts\get-lectures.ps1

N/A