In a network security operation, the unit's bidding information was collected through Enterprise Check. By conducting a penetration test on the winning company, it was discovered that there was a vulnerable version of Confluence within its IP range, which was promptly exploited.
The system is Windows Server 2008 R2, x64. 360 security software was installed, and the shell ran with the permissions of nt authority\network service.
The permission restrictions were quite strict, and attempts to get past the 360 security software were unsuccessful: there was no response when executing the exe file. The next plan was to consider escalating privileges through port 3389.
While browsing through the directory, a program called todesk was discovered. By replacing it, the plaintext password was obtained. When connecting to the system, however, it was found that the administrator had logged out.
There was also a guest user, and attempts were made to escalate privileges using 1388. It seemed that the guest user did not have the necessary permissions, and the attempt failed.
Bypassing UAC also failed because no whitelisted programs were found, possibly because of the guest user. Attempting to escalate privileges locally with guest permissions also failed.
Finally, it was discovered that the machine had sqlps, and commands were executed in the webshell to elevate privileges to network service and connect to CS.
In CS, the potato module was used to successfully escalate privileges, but there was a complication: the resulting permissions were unclear.
During the process of extracting passwords, a prompt reported that the user was not an administrator, even though CS showed that the permissions were SYSTEM level.
When checking the CS session, it was found that the session was still running with network service permissions.
Later, process injection was used to inject into a SYSTEM-level process.
Then, mimikatz was used to export passwords.
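From the defender's side, the sqlps and potato steps above leave a recognisable process lineage: a web-tier process with a command or script host below it, and a network service process with a SYSTEM child. The following is an added detection example, not part of the original write-up; the record fields, paths, account names and process lists are constructed assumptions.

```python
import ntpath

# Assumed names: web-tier hosts and command/script hosts worth watching.
WEB_HOSTS = {"java.exe", "tomcat9.exe", "w3wp.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "sqlps.exe"}
NETSVC = r"NT AUTHORITY\NETWORK SERVICE"
SYSTEM = r"NT AUTHORITY\SYSTEM"
SERVICE_USERS = {NETSVC, r"NT AUTHORITY\LOCAL SERVICE"}

# Constructed sample records in start-time order; the field names and paths
# are assumptions for this example, not a real log schema.
EVENTS = [
    {"pid": 100, "ppid": 4, "user": NETSVC, "image": r"C:\confluence\jre\bin\java.exe"},
    {"pid": 200, "ppid": 100, "user": NETSVC, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 300, "ppid": 200, "user": NETSVC, "image": r"C:\mssql\Tools\Binn\sqlps.exe"},
    {"pid": 400, "ppid": 300, "user": SYSTEM, "image": r"C:\Windows\System32\rundll32.exe"},
    {"pid": 500, "ppid": 4, "user": SYSTEM, "image": r"C:\Windows\System32\services.exe"},
    {"pid": 600, "ppid": 500, "user": NETSVC, "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 700, "ppid": 4, "user": r"CORP\dba", "image": r"C:\Windows\explorer.exe"},
    {"pid": 800, "ppid": 700, "user": r"CORP\dba", "image": r"C:\mssql\Tools\Binn\sqlps.exe"},
]

def name(ev):
    """Lower-cased executable name from a Windows path."""
    return ntpath.basename(ev["image"]).lower()

def ancestors(ev, by_pid):
    """Yield known ancestors, nearest first; 'seen' guards against PID loops."""
    seen = set()
    while ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        yield ev

def detect(events):
    by_pid, alerts = {}, []
    for ev in events:
        by_pid[ev["pid"]] = ev
        chain = list(ancestors(ev, by_pid))
        # Rule 1: a command/script host anywhere below a web-tier process.
        if name(ev) in SCRIPT_HOSTS and any(name(a) in WEB_HOSTS for a in chain):
            alerts.append(("web-spawned-script-host", ev["pid"]))
        # Rule 2: a SYSTEM process whose direct parent is a low-privilege service account.
        if ev["user"] == SYSTEM and chain and chain[0]["user"] in SERVICE_USERS:
            alerts.append(("service-account-to-system", ev["pid"]))
    return alerts

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(rule, pid)
```

PID reuse is ignored here; real telemetry needs a per-process unique identifier instead of the raw PID.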
After obtaining the password, instead of using a proxy, the todesk login was used directly.
I declare myself the ultimate winner, as there are always more solutions than difficulties.
As for the internal network, it was simple. Information about the local machine was collected, and the desired information was found in the knowledge base.
At the same time, the VPN account and password for direct connection to the unit were obtained from the project development progress document.
Bastion machine permissions were also obtained.
That's the end, nothing particularly noteworthy.