martin.t


Checking the privileges of the martin.t user after lateral movement to the ws-3.university.htb host

C:\Windows\system32> whoami /All
 
USER INFORMATION
----------------
 
User Name           SID                                          
=================== =============================================
university\martin.t S-1-5-21-2056245889-740706773-2266349663-1127
 
 
GROUP INFORMATION
-----------------
 
Group Name                                 Type             SID                                           Attributes                                        
========================================== ================ ============================================= ==================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
UNIVERSITY\Content Evaluators              Group            S-1-5-21-2056245889-740706773-2266349663-1126 Mandatory group, Enabled by default, Enabled group
UNIVERSITY\Research & Development          Group            S-1-5-21-2056245889-740706773-2266349663-1130 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                      Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192                                                                                     
 
 
PRIVILEGES INFORMATION
----------------------
 
Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
 
 
USER CLAIMS INFORMATION
-----------------------
 
User claims unknown.
 
Kerberos support for Dynamic Access Control on this device has been disabled.

The martin.t user is a member of the UNIVERSITY\Content Evaluators and UNIVERSITY\Research & Development groups.

Automation-Scripts


PS C:\Program Files\Automation-scripts> ls
 
 
    Directory: C:\Program Files\Automation-scripts
 
 
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----       10/21/2024   4:17 PM           1278 get-lectures.ps1                                                      
-a----        9/14/2024  12:13 AM            410 wpad-cache-cleaner.ps1   

Checking the PowerShell scripts as the martin.t user

get-lectures.ps1


PS C:\Program Files\Automation-scripts> cat get-lectures.ps1
cat get-lectures.ps1
$DC_IP =$(Get-DnsClientServerAddress -AddressFamily IPv4 -InterfaceIndex 8).ServerAddresses
$lectures = $(curl "http://university.htb/api/get_verified_uploaded_lectures/" -Proxy $("http://"+$DC_IP)).content
$lectures_list = $lectures -split "`n"
for ($i= 0; $i -lt ($lectures_list.Count-1); $i++ ){
    $lec_path = "\\"+$DC_IP+"\Lectures\"+$lectures_list[$i]
    cp $lec_path C:\Users\Public\Lectures\
}
$files_list = Get-ChildItem -Path C:\Users\Public\Lectures\ -Filter "*.zip" -File
foreach ($file in $files_list) {
     $mimetype = ((& 'C:\Program Files\Trid\trid.exe' -n:1 $file.FullName) -split "`n")[-1]
     if ($mimetype -match "ZIP compressed archive"){
         rm ~\Desktop\Lecture -Recurse
         Expand-Archive -Path $file.FullName -DestinationPath ~\Desktop\Lecture
         $url_files_list = Get-ChildItem -Path ~\Desktop\Lecture -Filter "*.url" -File
         foreach ($url_file in $url_files_list) {
             
             $url_file_mimetype = ((& 'C:\Program Files\Trid\trid.exe' -n:1 $url_file.FullName) -split "`n")[-1]
             if ($url_file_mimetype -match "Windows URL shortcut"){
                 start $url_file.FullName
             }
         }
     }
     rm $file.FullName
}
 
Get-ChildItem ~\Desktop\Lecture | Remove-Item -Recurse -Force
 

The current user, martin.t, is able to read the C:\Program Files\Automation-scripts\get-lectures.ps1 file. This explains how I was able to achieve code execution through the .url file.
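The script above only checks that TrID identifies each extracted file as a Windows URL shortcut before passing it to start; it never looks at where the shortcut points. The following is an added example, not part of the original notes or of the script on the host, showing one way to gate that call by parsing the shortcut target and allowing only web links to expected hosts. The function names, the allow-list and the sample shortcut bodies are assumptions constructed for illustration.

```powershell
# Added example: validate a .url shortcut's target before opening it.
# Get-ShortcutTarget, Test-LectureShortcut and $AllowedHosts are hypothetical names.
$AllowedHosts = @('university.htb')   # assumption: only the site's own host is expected

function Get-ShortcutTarget {
    param([string[]]$Lines)
    # Return the URL= value found inside the [InternetShortcut] section, or $null.
    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'InternetShortcut'); continue }
        if ($inSection -and $t -match '^URL\s*=\s*(.+)$') { return $Matches[1].Trim() }
    }
    return $null
}

function Test-LectureShortcut {
    param([string[]]$Lines, [string[]]$AllowedHosts)
    $target = Get-ShortcutTarget -Lines $Lines
    if (-not $target) { return $false }                 # no URL= entry at all
    $uri = $null
    if (-not [System.Uri]::TryCreate($target, [System.UriKind]::Absolute, [ref]$uri)) { return $false }
    # Anything that is not a plain web link (file:, UNC paths, other schemes) is refused.
    if ($uri.Scheme -notin @('http', 'https')) { return $false }
    if ($uri.IsUnc -or $uri.IsFile) { return $false }
    # -contains is case-insensitive, and Uri.Host is already normalised.
    return ($AllowedHosts -contains $uri.Host)
}

# Constructed sample shortcut bodies (not taken from the host).
$samples = [ordered]@{
    'web link'   = @('[InternetShortcut]', 'URL=http://university.htb/lectures/1')
    'local file' = @('[InternetShortcut]', 'URL=file:///C:/Users/Public/Lectures/notes.txt')
    'unc path'   = @('[InternetShortcut]', 'URL=\\198.51.100.7\share\notes.txt')
    'other host' = @('[InternetShortcut]', 'URL=https://example.org/')
    'no section' = @('URL=http://university.htb/')
}
foreach ($name in $samples.Keys) {
    '{0,-11} open={1}' -f $name, (Test-LectureShortcut -Lines $samples[$name] -AllowedHosts $AllowedHosts)
}
```

In get-lectures.ps1 the check would sit in front of the start call, fed with Get-Content $url_file.FullName, so a shortcut that fails it is never opened.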

wpad-cache-cleaner.ps1


PS C:\Program Files\Automation-scripts> cat wpad-cache-cleaner.ps1
cat : Access to the path 'C:\Program Files\Automation-scripts\wpad-cache-cleaner.ps1' is denied.
At line:1 char:1
+ cat wpad-cache-cleaner.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Program File...che-cleaner.ps1:String) [Get-Content], Unauthorized 
   AccessException
    + FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand

The martin.t user is still unable to access the wpad-cache-cleaner.ps1 file. This might be running under a higher-privileged user: Administrator or SYSTEM.