Initial Compromise of Active Directory
Summary
Since both machines are accessible, we can select one to continue our progress within the network. Upon logging into the WRK2 machine, we begin by inspecting the user profile to identify any available methods for privilege escalation. Notably, we find a netcat executable within the Downloads folder.
Privilege Escalation

We use the command:
schtasks /query /fo csv /v | findstr "SYSTEM" > tasks.csv
to write every verbose task entry that contains the string SYSTEM (in practice, tasks whose Run As User is SYSTEM, i.e. tasks running with administrative privileges) to a CSV file. The `/v` option includes the Run As User and Task To Run fields, and `/fo csv` outputs the data in CSV format.
Reviewing the file, we see that most tasks are located in the Windows directory, indicating they are likely well-configured. However, a closer look at the CSV file shows one specific task running from C:\SYNC\sync.bat.

To verify the permissions of the file, we use the command:
icacls C:\SYNC\sync.bat
This confirms that our user has (F) Full Access to the file.

With this information, we can set up a listener using the previously found netcat executable. We then modify the task to connect back to our listener using netcat with administrative privileges, allowing us to receive an elevated reverse shell.

After a few minutes (no more than 5), we should receive our administrative reverse shell. Alternatively, we can trigger the task immediately by using the following command:
schtasks /run /tn FULLSYNC
This forces the reverse shell to initiate instantly.
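The check a defender would run for the weakness this section relies on, as an added PowerShell example (not code from the original writeup): enumerate every scheduled task that runs as SYSTEM, resolve the program or script each action launches, and report any payload, or payload directory, that low-privileged principals can write to. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later) and an elevated session so every task folder is readable; the list of low-privileged principals and the write-rights mask are my own assumptions and should be adapted to the environment.

```powershell
# Added defender-side example, not part of the original writeup.
# Audits scheduled tasks that run as SYSTEM and reports any whose program,
# script or containing directory is writable by low-privileged principals
# (the condition the writeup finds on C:\SYNC\sync.bat).
# Assumptions: ScheduledTasks module (Windows 8 / Server 2012 or later),
# run from an elevated PowerShell so every task folder can be enumerated.

# Principals that should never hold write rights on a SYSTEM task's payload.
# This list is an assumption; extend it with broad domain groups you use.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the principal replace, append to, or re-ACL the payload.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

function Resolve-ActionPath {
    param([string]$Token)
    # Task actions are often quoted or use %SystemRoot%-style variables.
    [Environment]::ExpandEnvironmentVariables($Token.Trim('"'))
}

function Get-ActionPaths {
    param($Action)
    $paths = @()
    if ($Action.Execute) { $paths += Resolve-ActionPath $Action.Execute }
    # Scripts are frequently wrapped (cmd.exe /c C:\SYNC\sync.bat), so also pull
    # script-looking tokens out of the arguments. Paths containing spaces are
    # split here; extend the tokenizer if your environment uses them.
    if ($Action.Arguments) {
        foreach ($tok in ($Action.Arguments -split '\s+')) {
            if ($tok -match '\.(bat|cmd|ps1|vbs|js|exe)$') {
                $paths += Resolve-ActionPath $tok
            }
        }
    }
    return $paths
}

function Get-WeakAce {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $null }
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($LowPrivPrincipals -contains $ace.IdentityReference.Value) -and
            (($ace.FileSystemRights -band $WriteMask) -ne 0)) {
            return "$($ace.IdentityReference.Value) has $($ace.FileSystemRights) on $Path"
        }
    }
    return $null
}

$findings = Get-ScheduledTask | Where-Object {
    $_.Principal.UserId -in @('SYSTEM', 'NT AUTHORITY\SYSTEM', 'S-1-5-18')
} | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        foreach ($path in (Get-ActionPaths $action)) {
            # Check the payload itself and its parent directory: a writable
            # directory lets a user rename and replace an otherwise protected file.
            $weak = Get-WeakAce $path
            if (-not $weak) { $weak = Get-WeakAce (Split-Path -Path $path -Parent) }
            if ($weak) {
                [pscustomobject]@{
                    Task    = "$($task.TaskPath)$($task.TaskName)"
                    RunAs   = $task.Principal.UserId
                    Payload = $path
                    Finding = $weak
                }
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

On the host from the writeup this would list the FULLSYNC task with C:\SYNC\sync.bat as the payload and the offending ACE; the fix is to have the task's script and its directory owned by Administrators with no write rights for standard users, or to move the payload under a protected location such as the Windows directory.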

Flag 4