172.16.114.7 (INTRANET) /

Local Flag:
    C:\Users\michelle\Desktop\local.txt
    e93918567d1a06b5f2a0ecf3eea1f05c
    
Root Flag:
    C:\Users\Administrator\Desktop\proof.txt
    045ebc3421e2bd5d837e044dc3c7eaf0

Access Method

proxychains xfreerdp /u:michelle /p:NotMyPassword0k? /v:172.16.87.7 /kbd:0x0000040a +clipboard /cert:ignore /size:75% /drive:/home/kali/OffSec/ChallengeLabs/Challenge2_Relia/,SHARE

  • While we can write to the directory, we cannot modify the existing files inside it

  • Let's extract the scheduler.exe file and perform additional analysis on the WINPREP machine

  • Running the file a couple of times, we can see that some .dll files are not found as we are starting up scheduler.exe

  • Maybe we can place a malicious .dll file that has the same name to get an elevated shell?

  • I don't see it in my attempt, but the .dll file that should show up as name not found should be beyondhelper.dll

  • Make sure to rename the shell when we move it to the same directory as the scheduler.exe on .7

  • We can see the service on the services app instead of using sc.exe here

  • Use Stop-Service -Force scheduler in PowerShell to stop the service after uploading the .dll file

  • Restart the service and return to our listener; we should get an elevated shell
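
From the defender's side, the condition these notes rely on is a service binary directory that accepts new files from a non-administrative account, even though the existing files are protected. The following audit sketch is an added example, not part of the original notes; the principal list and the helper names Get-ServiceBinaryPath and Test-AllowsFileCreate are assumptions.

```powershell
# Added example (not from the original notes): list services whose binary
# directory lets a low-privileged principal create new files.
# Assumption: English principal names; extend $lowPriv for your environment.
$lowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
           'NT AUTHORITY\INTERACTIVE'

# Hypothetical helper: pull the executable path out of Win32_Service.PathName,
# which may be quoted and may carry arguments.
function Get-ServiceBinaryPath([string]$PathName) {
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

# Hypothetical helper: true when an ACE allows adding a file to the directory
# itself. Bits checked: 0x2 CreateFiles/WriteData, 0x10000000 GENERIC_ALL,
# 0x40000000 GENERIC_WRITE. Inherit-only ACEs do not apply to the directory.
function Test-AllowsFileCreate($Ace) {
    $rights = [int]$Ace.FileSystemRights
    $create = ($rights -band 0x2) -or ($rights -band 0x10000000) -or
              ($rights -band 0x40000000)
    $inheritOnly = [bool]($Ace.PropagationFlags -band
        [System.Security.AccessControl.PropagationFlags]::InheritOnly)
    return ($Ace.AccessControlType -eq 'Allow') -and $create -and -not $inheritOnly
}

Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe) { return }
    $dir = Split-Path -Parent $exe
    # Skip directories that are missing or whose ACL cannot be read
    try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($lowPriv -contains $who -and (Test-AllowsFileCreate $ace)) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Directory = $dir
                Principal = $who
                Rights    = $ace.FileSystemRights
            }
        }
    }
} | Format-Table -AutoSize
```

A row for a service that runs as LocalSystem marks a directory where a missing DLL can be supplied by a standard user; removing the create-file right from that directory closes the gap. Rights granted directly to a named user account are only reported if that account is added to the principal list.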

Admin Enumeration
