Lateral Movement

The 172.16.8.50 host, which is also the MS01 host, is the one we have left to check out. We can WinRM into it with the backupadm user's credentials; we know WinRM is open on port 5985 from our nmap scans.

evil-winrm -i 172.16.8.50 -u backupadm

The user is not a local admin, so we need to escalate our privileges.

After digging a bit and looking for low-hanging fruit such as the c:/panther folder, we find an unattend.xml file containing credentials.

Let's search for this user.

This isn't a domain user, but it's interesting that this user has Remote Desktop access but is not a member of the local admins group. Let's RDP in and see what we can do.

Looking at the installed software on the system:

We find many standard and non-standard applications, including C:\Program Files (x86)\SysaxAutomation.

There is a privilege escalation write-up for this software that we can follow.

According to the write-up, this Sysax Scheduled Service runs as the local SYSTEM account and allows users to create and run backup jobs. If the option to run as a user is removed, it will default to running the task as the SYSTEM account.

  1. Create a file called pwn.bat with the content net localgroup administrators ilfserveradm /add and save it in the Documents folder.

  2. Open C:\Program Files (x86)\SysaxAutomation\sysaxschedscp.exe.

  3. Select Setup Scheduled/Triggered Tasks.

  4. Add a task (Triggered).

  5. Update the folder to monitor to C:\Users\ilfserveradm\Documents.

  6. Check "Run task if a file is added to the monitor folder or subfolder(s)".

  7. Choose "Run any other Program" and select C:\Users\ilfserveradm\Documents\pwn.bat.

  8. Uncheck "Login as the following user to run task".

  9. Click Finish and then Save.

Now, to trigger it, we need to modify the Documents folder, for example by creating a .txt file, and then check whether it worked with
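From the defender's side, the task above does not go unnoticed: the net localgroup add executed by the SYSTEM-level Sysax scheduler is recorded as Security event 4732 with the machine account as the subject, rather than a logged-on user. The detection below is an added example, not part of the original write-up; it runs over constructed sample events whose field names follow the 4732 event schema (the host and account values are made up).

```python
"""Flag additions to the local Administrators group in Windows Security events.
Event ID 4732 ("A member was added to a security-enabled local group") is logged
when something runs `net localgroup administrators <user> /add`. If a service
running as LocalSystem launches it, the subject is the machine account (NAME$),
not an interactive user. All sample events below are constructed."""
from dataclasses import dataclass

BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID, independent of locale

# Constructed sample events, using the field names of the 4732 event schema
SAMPLE_EVENTS = [
    # Added by the machine account: typical of a SYSTEM-level service or task
    {"EventID": 4732, "Computer": "MS01.example.local", "SubjectUserName": "MS01$",
     "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544",
     "MemberName": "MS01\\ilfserveradm"},
    # Same group, but added by a named administrator during a change window
    {"EventID": 4732, "Computer": "MS01.example.local", "SubjectUserName": "helpdesk.admin",
     "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544",
     "MemberName": "EXAMPLE\\svc_backup"},
    # Different group (Remote Desktop Users): out of scope for this rule
    {"EventID": 4732, "Computer": "MS01.example.local", "SubjectUserName": "helpdesk.admin",
     "TargetUserName": "Remote Desktop Users", "TargetSid": "S-1-5-32-555",
     "MemberName": "MS01\\ilfserveradm"},
    {"EventID": 4720, "Computer": "MS01.example.local", "SubjectUserName": "helpdesk.admin",
     "TargetUserName": "tempuser"},  # unrelated event type (user account created)
]

@dataclass
class Alert:
    computer: str
    member: str
    subject: str
    severity: str

def is_system_context(subject_user: str) -> bool:
    """True when the actor is LocalSystem: logged as SYSTEM or as the machine account (NAME$)."""
    return subject_user.upper() == "SYSTEM" or subject_user.endswith("$")

def detect_admin_group_adds(events) -> list:
    """One Alert per 4732 event that added a member to BUILTIN\\Administrators.
    SYSTEM-context adds are rated high: no human logon explains them, which is
    exactly the footprint of a job run by a SYSTEM-level scheduler service."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4732 or ev.get("TargetSid") != BUILTIN_ADMINISTRATORS_SID:
            continue
        subject = ev.get("SubjectUserName", "")
        severity = "high" if is_system_context(subject) else "medium"
        alerts.append(Alert(ev.get("Computer", ""), ev.get("MemberName", ""), subject, severity))
    return alerts
```

Matching on the group SID rather than the name keeps the rule working on non-English installs; in a real deployment the events would come from a SIEM export or Get-WinEvent rather than the inline list.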
