Initial Assessment
Interface & IP Configuration
PS C:\mrci0x1> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WINLPE-SRV01
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : .htb
Ethernet adapter Ethernet1:
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-B9-C5-4B
IPv4 Address. . . . . . . . . . . : 192.168.20.56(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.20.1
DNS Servers . . . . . . . . . . . : 8.8.8.8
Ethernet adapter Ethernet0:
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
Physical Address. . . . . . . . . : 00-50-56-B9-90-94
IPv4 Address. . . . . . . . . . . : 10.129.43.8(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.129.0.1
DNS Servers . . . . . . . . . . . : 1.1.1.1, 8.8.8.8
Multiple network interfaces = multiple networks = pivot opportunity.
ARP Cache
PS C:\mrci0x1> arp -a
Interface: 10.129.43.8 --- 0x4
Internet Address Physical Address Type
10.129.0.1 00-50-56-b9-4d-df dynamic
10.129.43.12 00-50-56-b9-da-ad dynamic
10.129.43.13 00-50-56-b9-5b-9f dynamic
Interface: 192.168.20.56 --- 0x9
Internet Address Physical Address Type
192.168.20.255 ff-ff-ff-ff-ff-ff static
Routing Table
PS C:\mrci0x1> route print
IPv4 Route Table
===========================================================================
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.129.0.1 10.129.43.8 25
0.0.0.0 0.0.0.0 192.168.20.1 192.168.20.56 271
10.129.0.0 255.255.0.0 On-link 10.129.43.8 281
192.168.20.0 255.255.255.0 On-link 192.168.20.56 271
Check multiple routes = multiple reachable subnets.
Active Directory Domain Controllers (if joined to domain)
C:\mrci0x1> nltest /dclist:htb
htb\DC01 (10.129.43.12)
htb\DC02 (10.129.43.13)
Windows Defender Status
PS C:\mrci0x1> Get-MpComputerStatus
AMEngineVersion : 1.1.17900.7
AMProductVersion : 4.10.14393.2248
AMServiceEnabled : True
AMServiceVersion : 4.10.14393.2248
AntispywareEnabled : True
AntispywareSignatureAge : 1
AntispywareSignatureLastUpdated : 3/28/2021 2:59:13 AM
AntispywareSignatureVersion : 1.333.1470.0
AntivirusEnabled : True
AntivirusSignatureAge : 1
AntivirusSignatureLastUpdated : 3/28/2021 2:59:12 AM
AntivirusSignatureVersion : 1.333.1470.0
BehaviorMonitorEnabled : False
ComputerID : 54AF7DE4-3C7E-4DA0-87AC-831B045B9063
ComputerState : 0
FullScanAge : 4294967295
FullScanEndTime :
FullScanStartTime :
IoavProtectionEnabled : False
LastFullScanSource : 0
LastQuickScanSource : 0
NISEnabled : False
Real-time protection disabled means tools run without Defender inspecting them at execution time; read this together with BehaviorMonitorEnabled, IoavProtectionEnabled and NISEnabled above, which are all False here.
AppLocker Effective Policy
PS C:\mrci0x1> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
PathConditions : {%PROGRAMFILES%\*}
PathExceptions : {}
PublisherExceptions : {}
HashExceptions : {}
Id : 06dce67b-934c-454f-a263-2515c8796a5d
Name : (Default Rule) All scripts located in the Program Files folder
Description : Allows members of the Everyone group to run scripts that are located in the Program Files folder.
UserOrGroupSid : S-1-1-0
Action : Allow
PathConditions : {*}
PathExceptions : {}
PublisherExceptions : {}
HashExceptions : {}
Id : ed97d0cb-15ff-430f-b82c-8d7832957725
Name : (Default Rule) All scripts
Description : Allows members of the local Administrators group to run all scripts.
UserOrGroupSid : S-1-5-32-544
Action : Allow
Test AppLocker Rule For Specific Binary
PS C:\mrci0x1> Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone
FilePath PolicyDecision MatchingRule
-------- -------------- ------------
C:\Windows\System32\cmd.exe Denied c:\windows\system32\cmd.ex
cmd.exe is blocked for normal users here.
System Information
C:\mrci0x1> systeminfo
Host Name: WINLPE-SRV01
OS Name: Microsoft Windows Server 2016 Standard
OS Version: 10.0.14393 N/A Build 14393
OS Manufacturer: Microsoft Corporation
System Manufacturer: VMware, Inc.
System Model: VMware7,1
Processor(s): 3 Processor(s) Installed.
BIOS Version: VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Total Physical Memory: 6,143 MB
Domain: WORKGROUP
Installed Patches
C:\mrci0x1> wmic qfe
HotFixID InstalledOn
KB3199986 11/21/2016
KB5001078 3/25/2021
KB4103723 3/25/2021
PS C:\mrci0x1> Get-HotFix | ft -AutoSize
HotFixID InstalledBy InstalledOn
KB3199986 NT AUTHORITY\SYSTEM 11/21/2016
KB4054590 Administrator 3/30/2021
KB5001078 NT AUTHORITY\SYSTEM 3/25/2021
KB3200970 Administrator 4/13/2021
Running Processes and Services
C:\mrci0x1> tasklist /svc
Image Name PID Services
services.exe 664 lsass.exe
FileZilla Server 1140 FileZilla Server
inetinfo.exe 1164 IISADMIN
vmtoolsd.exe 2112 VMTools
MsMpEng.exe 2136 WinDefend
Network Connections & Enumeration
PS C:\mrci0x1> netstat -ano
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:21 0.0.0.0:0 LISTENING 1096
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING 3520
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 968
To find the process behind a listening port, take the PID from netstat and look it up in tasklist:
PS C:\mrci0x1> netstat -ano | findstr :8080
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 2028
TCP [::]:8080 [::]:0 LISTENING 2028
PS C:\mrci0x1> tasklist | findstr 2028
Tomcat8.exe
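The same port-to-process lookup done in one pass, as an added PowerShell example (not from the original page): every listening TCP port with its owning process and, where that PID hosts Windows services, the service names. It assumes Get-NetTCPConnection is available (NetTCPIP module, Windows 8 / Server 2012 and later); no elevation is needed, but Path is empty for other users' processes.

```powershell
# Added example: map listening TCP ports to the owning process and hosting service(s).
# Assumes Get-NetTCPConnection exists (NetTCPIP module, Server 2012 and later).
function Get-ListeningPortOwner {
    [CmdletBinding()]
    param()

    # Index service names by PID so service hosts show what they actually run.
    $svcByPid = @{}
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -gt 0 } |
        ForEach-Object { $svcByPid[[int]$_.ProcessId] += @($_.Name) }

    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort, LocalAddress |
        ForEach-Object {
            $procId = [int]$_.OwningProcess
            # The PID may have exited between the two queries; do not abort on it.
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                PID          = $procId
                Process      = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Services     = ($svcByPid[$procId] -join ', ')
                # Path is $null for PID 4 (System) and for processes of other users.
                Path         = if ($proc) { $proc.Path } else { $null }
            }
        }
}

# Usage: all listeners, or only the port looked up with netstat above.
Get-ListeningPortOwner | Format-Table -AutoSize
Get-ListeningPortOwner | Where-Object LocalPort -eq 8080
```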
Environment Variables
C:\mrci0x1> set
HOMEDRIVE=C:
HOMEPATH=\Users\Administrator
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps;
USERNAME=Administrator
Installed Programs
C:\mrci0x1> wmic product get name
Name
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.24.28127
Java 8 Update 231 (64-bit)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.24.28127
VMware Tools
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.24.28127
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.24.28127
Java Auto Updater
PS C:\mrci0x1> Get-WmiObject -Class Win32_Product | select Name, Version
Name Version
SQL Server 2016 Database Engine 13.2.5026.0
Java 8 Update 231 (64-bit) 8.0.2310.11
VMware Tools 11.0.0.1033607
Current User
C:\mrci0x1> echo %USERNAME%
htb-student
Current User Privileges
C:\mrci0x1> whoami /priv
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Current User Groups
C:\mrci0x1> whoami /groups
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14 Mandatory group, Enabled by default, Enabled group
Logged-In Users
C:\mrci0x1> query user
USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME
>administrator rdp-tcp#2 1 Active . 3/25/2021 9:27 AM
All Users
C:\mrci0x1> net user
Administrator DefaultAccount Guest
helpdesk htb-student jordan
sarah secsvc
All Groups
C:\mrci0x1> net localgroup
Administrators
Backup Operators
Hyper-V Administrators
Remote Desktop Users
Users
Group Details
C:\mrci0x1> net localgroup administrators
Members
Administrator
helpdesk
sarah
secsvc
Password Policy
C:\mrci0x1> net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: SERVER
The command completed successfully.
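A check that turns the net accounts output above into findings, as an added PowerShell example (not from the original page): it parses the "Key: Value" lines and flags the settings a hardening review would object to. The thresholds and the constructed sample lines are assumptions; "Never" and "None" are treated as the weakest possible value.

```powershell
# Added example: parse `net accounts` and flag weak local password/lockout settings.
# Runs the command by default; pass captured lines via -Lines to check offline.
# Thresholds (12 chars, 90 days, lockout <= 10 attempts, history >= 24) are assumptions.
function Get-LocalPasswordPolicyFinding {
    param(
        [string[]]$Lines = (net accounts),
        [int]$MinLength = 12,
        [int]$MaxAgeDays = 90,
        [int]$MaxLockoutThreshold = 10,
        [int]$MinHistory = 24
    )
    $policy = @{}
    foreach ($l in $Lines) {
        # Lines look like "Minimum password length:                              0"
        if ($l -match '^(?<k>[^:]+):\s*(?<v>\S.*?)\s*$') { $policy[$Matches.k.Trim()] = $Matches.v }
    }
    # "Never" / "None" / "Unlimited" are not numbers; $null stands for "no limit" below.
    $num = { param($s) if ($s -match '^\d+$') { [int]$s } else { $null } }
    $checks = @(
        @{ Key = 'Minimum password length';               Bad = { $v = & $num $args[0]; $null -ne $v -and $v -lt $MinLength } }
        @{ Key = 'Maximum password age (days)';           Bad = { $v = & $num $args[0]; $null -eq $v -or $v -gt $MaxAgeDays } }
        @{ Key = 'Lockout threshold';                     Bad = { $v = & $num $args[0]; $null -eq $v -or $v -gt $MaxLockoutThreshold } }
        @{ Key = 'Length of password history maintained'; Bad = { $v = & $num $args[0]; $null -eq $v -or $v -lt $MinHistory } }
    )
    foreach ($c in $checks) {
        $value = $policy[$c.Key]
        if ($null -ne $value -and (& $c.Bad $value)) {
            [pscustomobject]@{ Setting = $c.Key; Value = $value }
        }
    }
}

# Offline demo on lines constructed from the output above; three of the four are flagged
# (the 42-day maximum age is within the 90-day threshold).
$sample = @('Minimum password length:    0', 'Maximum password age (days):    42',
            'Lockout threshold:    Never', 'Length of password history maintained:    None')
Get-LocalPasswordPolicyFinding -Lines $sample | Format-Table -AutoSize
```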
Named Pipes Enumeration
Use Sysinternals’ PipeList to enumerate active named pipes.
C:\mrci0x1> pipelist.exe /accepteula
PipeList v1.02 - Lists open named pipes
Copyright (C) 2005-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
Pipe Name Instances Max Instances
--------- --------- -------------
InitShutdown 3 -1
lsass 4 -1
ntsvcs 3 -1
scerpc 3 -1
epmapper 3 -1
atsvc 3 -1
eventlog 3 -1
spoolss 3 -1
srvsvc 4 -1
vmware-authdpipe 1 1
Winsock2\CatalogChangeListener-340-0 1 1
Without Sysinternals, PowerShell lists the same pipe names straight from the \\.\pipe\ namespace (names only, no instance counts):
PS C:\mrci0x1> gci \\.\pipe\
Check Named Pipe Permissions
C:\mrci0x1> accesschk64.exe /accepteula \\.\Pipe\lsass -v
\\.\Pipe\lsass
Untrusted Mandatory Level [No-Write-Up]
RW Everyone
FILE_READ_ATTRIBUTES
FILE_READ_DATA
FILE_READ_EA
FILE_WRITE_ATTRIBUTES
FILE_WRITE_DATA
FILE_WRITE_EA
SYNCHRONIZE
READ_CONTROL
RW NT AUTHORITY\ANONYMOUS LOGON
FILE_READ_ATTRIBUTES
FILE_READ_DATA
FILE_READ_EA
FILE_WRITE_ATTRIBUTES
FILE_WRITE_DATA
FILE_WRITE_EA
SYNCHRONIZE
READ_CONTROL
RW BUILTIN\Administrators
FILE_ALL_ACCESS
C:\mrci0x1> accesschk.exe -accepteula -w \pipe\WindscribeService -v
\\.\Pipe\WindscribeService
Medium Mandatory Level (Default) [No-Write-Up]
RW Everyone
FILE_ALL_ACCESS
For All Pipes:
C:\mrci0x1> accesschk64.exe /accepteula -w \pipe\* -v
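A triage filter for the accesschk run above, as an added PowerShell example (not the page's or Sysinternals' code): it parses accesschk's -v output and reports pipes that broad principals can write to, which is what a hardening review of the lsass and WindscribeService findings above is after. The list of broad principals is an assumption, and the sample lines are constructed from the output above so the function runs offline.

```powershell
# Added example: flag named pipes whose DACL grants write access to broad principals.
# Parses the -v output format shown above. Assumes accesschk64.exe is on PATH when run
# live; the principal list and the constructed sample below are assumptions for the demo.
function Find-BroadlyWritablePipe {
    param(
        [Parameter(ValueFromPipeline = $true)] [string]$Line,
        [string[]]$BroadPrincipals = @('Everyone', 'NT AUTHORITY\ANONYMOUS LOGON',
                                       'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    )
    begin   { $pipe = $null }
    process {
        # A new object starts with its path line, e.g. \\.\Pipe\lsass
        if ($Line -match '^\\\\\.\\Pipe\\(?<name>\S+)\s*$') { $pipe = $Matches.name; return }
        # Principal lines carry the effective access letters, e.g. "  RW Everyone";
        # the indented rights lines (FILE_READ_DATA, ...) do not match this pattern.
        if ($pipe -and $Line -match '^\s+(?<access>R?W)\s+(?<who>.+?)\s*$') {
            $who = $Matches.who
            if ($Matches.access -like '*W*' -and $BroadPrincipals -contains $who) {
                [pscustomobject]@{ Pipe = $pipe; Principal = $who; Access = $Matches.access }
            }
        }
    }
}

# Live use (same command as "For All Pipes" above):
#   & accesschk64.exe /accepteula -w \pipe\* -v | Find-BroadlyWritablePipe
# Offline demo on lines constructed from the output earlier on this page:
$sample = @(
    '\\.\Pipe\lsass',
    '  Untrusted Mandatory Level [No-Write-Up]',
    '  RW Everyone',
    '        FILE_READ_DATA',
    '  RW BUILTIN\Administrators',
    '        FILE_ALL_ACCESS',
    '\\.\Pipe\WindscribeService',
    '  Medium Mandatory Level (Default) [No-Write-Up]',
    '  RW Everyone',
    '        FILE_ALL_ACCESS'
)
# Reports lsass/Everyone and WindscribeService/Everyone; Administrators is not broad.
$sample | Find-BroadlyWritablePipe | Format-Table -AutoSize
```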
Access Tokens
PS C:\mrci0x1> whoami /priv
Privilege Name Description State
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Current User Session
C:\mrci0x1> query user
USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME
>mrci0x1 rdp-tcp#2 1 Active . 3/25/2021 9:27 AM
Environment Variables
C:\mrci0x1> set
HOMEDRIVE=C:
HOMEPATH=\Users\mrci0x1
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\mrci0x1\AppData\Local\Microsoft\WindowsApps;
USERNAME=mrci0x1