Machine Synopsis
Acute is a hard Windows machine that starts with a website on port `443`. The website's certificate reveals the domain name `atsserver.acute.local`. Several employees are mentioned on the website, and with this information it is possible to construct a list of probable usernames on the remote machine. Enumerating the website reveals a form with procedures for newcomers to the company. The form reveals the default password that all accounts are initially set up with, as well as a link to a `Windows PowerShell Web Access` (PSWA) session. Combining all the information gathered during enumeration, an attacker is able to obtain a PowerShell session as the user `edavies` on `Acute-PC01`. It is then discovered that the user `edavies` is also logged on through an interactive session. By spying on the actions of `edavies`, the clear text password of the `imonks` user on `ATSSERVER` can be retrieved. The user `imonks` is running under `Just Enough Administration` (JEA) on `ATSSERVER`, but even with the limited command set an attacker is able to modify a script on `ATSSERVER` in order to make `edavies` a local administrator on `Acute-PC01`. Now that `edavies` is a local administrator, the `HKLM\sam` and `HKLM\system` hives can be retrieved from the system in order to extract the password hashes of all users. The Administrator's hash turns out to be crackable, and the clear text password is re-used by `awallace` on `ATSSERVER`. The user `awallace` is able to create `BAT` scripts in a directory from which the user `Lois` will execute them. `Lois` has the rights to add `imonks` to the `site_admin` group, which in turn has rights over the `Domain Admins` group. So, once `imonks` is added to the `site_admin` group, he can add himself to the `Domain Admins` group and acquire administrative privileges.
Machine Matrix