Initial Compromise of Active Directory

Summary

Since both machines are accessible, we can select one to continue our progress within the network. Upon logging into the WRK2 machine, we begin by inspecting the user profile to identify any available methods for privilege escalation. Notably, we find a netcat executable within the Downloads folder.

Privilege Escalation

We use the command:

schtasks /query /fo csv /v | findstr "SYSTEM" > tasks.csv

to create a CSV file that lists tasks running with administrative privileges (the `/fo csv` option outputs the data in CSV format).

Reviewing the file, we see that most tasks are located in the Windows directory, indicating they are likely well-configured. However, a closer look at the CSV file shows one specific task running from C:\SYNC\sync.bat.

To verify the permissions of the file, we use the command:

icacls C:\SYNC\sync.bat

This confirms that our user has (F) Full Access to the file.

With this information, we can set up a listener using the previously found netcat executable. We then modify the task to connect back to our listener using netcat with administrative privileges, allowing us to receive an elevated reverse shell.

After a few minutes (no more than 5), we should receive our administrative reverse shell. Alternatively, we can trigger the task immediately by using the following command:

schtasks /run /tn FULLSYNC

This forces the reverse shell to initiate instantly.

Flag 4

NOTE: We are now able to obtain the following flags by following the instructions on the e-citizen platform:

Flag 4: Administrative access to Corporate Division Tier 2 Infrastructure

PreviousPermieter Breach NextFull Compromise of CORP Domain

Last updated 2 months ago