System/Kernel


*Evil-WinRM* PS C:\Users\wao\Documents> cmd /c ver
 
Microsoft Windows [Version 10.0.17763.3650]
 
*Evil-WinRM* PS C:\Users\wao\Documents> systeminfo ; Get-ComputerInfo
systeminfo.exe : ERROR: Access denied
    + CategoryInfo          : NotSpecified: (ERROR: Access denied:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
 
WindowsBuildLabEx                                       : 17763.1.amd64fre.rs5_release.180914-1434
WindowsCurrentVersion                                   : 6.3
WindowsEditionId                                        : ServerStandard
WindowsInstallationType                                 : Server
WindowsInstallDateFromRegistry                          : 2/13/2024 3:25:14 AM
WindowsProductId                                        : 00429-00521-62775-AA722
WindowsProductName                                      : Windows Server 2019 Standard
WindowsRegisteredOwner                                  : Windows User
WindowsSystemRoot                                       : C:\Windows
WindowsVersion                                          : 1809
OsServerLevel                                           : FullServer
TimeZone                                                : (UTC-08:00) Pacific Time (US & Canada)
PowerPlatformRole                                       : Desktop
DeviceGuardSmartStatus                                  : Off
  • Version 10.0.17763.3650
  • Windows Server 2019 Standard
  • Desktop

Networks


*Evil-WinRM* PS C:\Users\wao\Documents> ipconfig /all ; arp -a ; print route
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : WS-3
   Primary Dns Suffix  . . . . . . . : university.htb
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : university.htb
 
Ethernet adapter Ethernet 3:
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-05-80-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::349:6988:18c6:65c6%8(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.99.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 134223197
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2D-5C-98-78-08-00-27-CD-0E-DB
   DNS Servers . . . . . . . . . . . : fe80::215:5dff:fe05:8007%8
                                       192.168.99.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Interface: 192.168.99.2 --- 0x8
  Internet Address      Physical Address      Type
  192.168.99.1          00-15-5d-05-80-01     dynamic
  192.168.99.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
Unable to initialize device PRN

N/A

*Evil-WinRM* PS C:\Users\wao\Documents> netstat -ano | Select-String LIST
 
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       800
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       496
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       328
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       796
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       612
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       612
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       604
  TCP    0.0.0.0:49670          0.0.0.0:0              LISTENING       1844
  TCP    192.168.99.2:139       0.0.0.0:0              LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       800
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49664             [::]:0                 LISTENING       496
  TCP    [::]:49665             [::]:0                 LISTENING       328
  TCP    [::]:49666             [::]:0                 LISTENING       796
  TCP    [::]:49667             [::]:0                 LISTENING       612
  TCP    [::]:49668             [::]:0                 LISTENING       612
  TCP    [::]:49669             [::]:0                 LISTENING       604
  TCP    [::]:49670             [::]:0                 LISTENING       1844

Users & Groups


*Evil-WinRM* PS C:\Users\wao\Documents> net users ; ls C:\Users
 
User accounts for \\
 
-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
sshd                     WDAGUtilityAccount
The command completed with one or more errors.
 
 
 
    Directory: C:\Users
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/13/2024   1:49 AM                Administrator
d-----        10/7/2024  12:11 PM                Administrator.UNIVERSITY
d-----        2/24/2024   4:10 PM                George.A
d-----        2/24/2024   4:13 PM                Jakken.C
d-----       10/18/2024  12:21 PM                Martin.T
d-----        2/24/2024   4:09 PM                Nya.R
d-r---        2/23/2024   6:28 PM                Public
d-----        2/27/2024  10:29 PM                Rose.L
d-----        2/24/2024   6:20 PM                wao
  • sshd
  • Administrator.UNIVERSITY
  • George.A
  • Jakken.C
  • Martin.T
  • Nya.R
  • Rose.L
*Evil-WinRM* PS C:\Users\wao\Documents> net localgroup ; net group /DOMAIN
 
Aliases for \\WS-3
 
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Storage Replica Administrators
*System Managed Accounts Group
*Users
The command completed successfully.
 
The request will be processed at a domain controller for domain university.htb.
 
net.exe : System error 5 has occurred.
    + CategoryInfo          : NotSpecified: (System error 5 has occurred.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

Processes


*Evil-WinRM* PS C:\Users\wao\Documents> cmd /c tasklist /svc ; ps
cmd.exe : ERROR: Access denied
    + CategoryInfo          : NotSpecified: (ERROR: Access denied:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
      0       0       80         36                92   0 cmd
    148       9     6684      12576              3080   0 conhost
    131       8     6532      11132              3788   1 conhost
    297      12     2140       5308               408   0 csrss
    241      11     1772       5120               484   1 csrss
    354      15     3580      14828              2580   1 ctfmon
    582      25    23388      51856               892   1 dwm
   1442      54    27172      79048               900   1 explorer
     52       6     1624       4576               728   1 fontdrvhost
     52       6     1448       3916               736   0 fontdrvhost
      0       0       56          8                 0   0 Idle
    970      30     5820      17444               612   0 lsass
    232      13     2828      10360              3772   0 msdtc
      0       7      460      68632                68   0 Registry
    145       8     1572       7684              3564   1 RuntimeBroker
    297      16     5412      17208              3712   1 RuntimeBroker
    287      14     3156      15900              4040   1 RuntimeBroker
    677      32    19468      48224              3504   1 SearchUI
    350      13     4904      11972               604   0 services
    700      29    15140      40672              3408   1 ShellExperienceHost
    155      10     1952      10112              3776   1 shutdown
    445      17     4696      24556              3036   1 sihost
     53       3      484       1212               300   0 smss
    673      20    14948      26848               328   0 svchost
    622      30     8012      25736               364   0 svchost
    827      34    13952      24532               372   0 svchost
    228      13     1988       7896               388   0 svchost
    373      16    11800      16324               488   0 svchost
    955      22     6712      23588               708   0 svchost
   2016      55    27956      62144               796   0 svchost
    704      17     5100      11356               800   0 svchost
    431      16     3608      13072               968   0 svchost
    729      45    10496      25288               984   0 svchost
    293      15     3360      10452              1072   0 svchost
    406      32     9032      18028              1332   0 svchost
    322      11     2044       9080              1512   0 svchost
    200      10     2100       8332              1584   0 svchost
    475      25     3796      13268              1720   0 svchost
    166      12     2104       7756              1844   0 svchost
    470      22    18864      34176              2000   0 svchost
    166       9     4764      13248              2960   0 svchost
    485      21     6836      32112              3044   1 svchost
   1462       0      192        136                 4   0 System
    214      20     3724      12468              3068   1 taskhostw
    168      10     1780       8620              1436   0 VSSVC
    171      11     1348       7020               496   0 wininit
    255      11     2500      10932               540   1 winlogon
    173      10     2656       8968              1004   0 WmiPrvSE
   1143      30    57892      79940       0.86   3652   0 wsmprovhost
  • explorer
  • VSSVC

Tasks


*Evil-WinRM* PS C:\Users\wao\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
Cannot connect to CIM server. Access denied 
At line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft  ...
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask

Firewall & AV


*Evil-WinRM* PS C:\Users\wao\Documents> netsh firewall show config
 
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
 
Service configuration for Domain profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   Yes         Network Discovery
 
Allowed programs configuration for Domain profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
Port configuration for Domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
 
ICMP configuration for Domain profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   8     Allow inbound echo request
 
Standard profile configuration:
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
 
Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   Yes         Network Discovery
 
Allowed programs configuration for Standard profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
Port configuration for Standard profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
 
ICMP configuration for Standard profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   8     Allow inbound echo request
 
Log configuration:
-------------------------------------------------------------------
File location   = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable
 
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
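The netsh output above shows both profiles with Operational mode = Disable and both dropped-packet and connection logging off. As an added example (not part of the original session), here is a small Python parser for that `netsh firewall show config` format that turns the "key = value" sections into the findings a reviewer would record; the embedded sample is a constructed excerpt of the page's output.

```python
# Added audit helper (not from the original session): parse the "=" style
# sections of "netsh firewall show config" and flag disabled profiles and
# disabled logging. SAMPLE is a constructed excerpt of the output shown above.
import re

SAMPLE = """\
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable

Standard profile configuration:
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable

Log configuration:
-------------------------------------------------------------------
File location   = C:\\Windows\\system32\\LogFiles\\Firewall\\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable
"""

# "Domain profile configuration (current):" -> section name "Domain profile"
SECTION_RE = re.compile(r"^(\S.*?)(?: configuration)?(?: \(current\))?:$")
KV_RE = re.compile(r"^(\S.*?)\s*=\s*(.+?)\s*$")


def parse_netsh_config(text):
    """Return {section_name: {key: value}} for every section with '=' lines."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("---"):
            continue                      # skip blanks and rule lines
        m = SECTION_RE.match(line)
        if m and "=" not in line:
            current = m.group(1)
            sections[current] = {}
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            sections[current][kv.group(1)] = kv.group(2)
    return sections


def audit(sections):
    """Findings: any profile whose firewall is off, and any logging that is off."""
    findings = []
    for name, kv in sections.items():
        if name.endswith("profile") and kv.get("Operational mode") == "Disable":
            findings.append(f"{name}: firewall disabled")
    log = sections.get("Log", {})
    for key in ("Dropped packets", "Connections"):
        if log.get(key) == "Disable":
            findings.append(f"Log: {key.lower()} logging disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_netsh_config(SAMPLE)):
        print(finding)
```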
*Evil-WinRM* PS C:\Users\wao\Documents> Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property ExclusionPath
Cannot connect to CIM server. Access denied 
At line:1 char:1
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus
Cannot connect to CIM server. Access denied 
At line:1 char:24
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+                        ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_MpPreference:String) [Get-MpPreference], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpPreference

Session Architecture


*Evil-WinRM* PS C:\Users\wao\Documents> [Environment]::Is64BitProcess
True

Installed .NET Frameworks


*Evil-WinRM* PS C:\Users\wao\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework ; cmd /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" ; cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
 Volume in drive C has no label.
 Volume Serial Number is DA09-D830
 
 Directory of C:\Windows\Microsoft.NET\Framework
 
09/15/2018  12:19 AM    <DIR>          .
09/15/2018  12:19 AM    <DIR>          ..
09/15/2018  12:19 AM    <DIR>          v1.0.3705
09/15/2018  12:19 AM    <DIR>          v1.1.4322
09/15/2018  12:19 AM    <DIR>          v2.0.50727
10/28/2024  11:40 PM    <DIR>          v4.0.30319
               0 File(s)              0 bytes
               6 Dir(s)   9,831,661,568 bytes free
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
    HttpNamespaceReservationInstalled    REG_DWORD    0x1
    NetTcpPortSharingInstalled    REG_DWORD    0x1
    NonHttpActivationInstalled    REG_DWORD    0x1
    SMSvcHostPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    WMIInstalled    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
    (Default)    REG_SZ    deprecated
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
    Install    REG_DWORD    0x1
    Version    REG_SZ    4.0.0.0

.NET 4.7.03190