One Year with evil-winrm-py - A Retrospective

It has been exactly one year since I pushed the first commit to evil-winrm-py. It started as a simple idea: the legendary Evil-WinRM (the Ruby tool every pentester loves) was incredibly powerful, but slower command execution and canceling commands felt clunky. I wanted a version that was faster, more responsive, and handled interrupts gracefully, and since Python is my go-to language, it made sense to rewrite it in Python. So I set out to rewrite it from scratch in Python, leveraging libraries like pypsrp for the heavy lifting of WinRM communication. ...

April 13, 2026 · Aditya Telange

HackTheBox (HTB) - Escape

Escape is a medium-difficulty Windows machine on Hack The Box that revolves around Active Directory. The initial foothold is gained by finding credentials in a PDF file on an open SMB share. This access is then leveraged to connect to an MSSQL service, from which we capture and crack the NTLM hash of a service account. Lateral movement is achieved by discovering another user’s credentials in a log file. Finally, privilege escalation to Administrator is accomplished by exploiting a misconfiguration in Active Directory Certificate Services (ADCS), specifically the ESC1 vulnerability.

July 6, 2025 · Aditya Telange

HackTheBox (HTB) - Resolute

Resolute is a medium-difficulty Windows machine on HackTheBox that involves a realistic Active Directory penetration test. The initial foothold is gained by enumerating domain users via a null SMB session and discovering a default password in a user’s description, which is then reused to gain access as another user via WinRM. Lateral movement is achieved by discovering cleartext credentials for a more privileged user within PowerShell transcripts. Finally, privilege escalation to SYSTEM is accomplished by abusing the permissions of the DnsAdmins group to load a malicious DLL.

June 29, 2025 · Aditya Telange