Beruflich Dokumente
Kultur Dokumente
Task: Perform remote exploitation and post-exploitation tasks on vulnerable systems, and
gain access to the internal net block leveraging powershell and related tools for as many
tasks as possible.
Network Diagram:
• PowerShell
• Empire
• Smbexec
• Nmap
• Metasploit
Using information obtained via recon of the system, and other machines on the internal
network, pivot to, and exploit an internal system and obtain a SYSTEM meterpreter session.
From the meterpreter-based session on the exploited internal target system, use a
powershell download cradle to dump password hashes using a powershell-based MimiKatz
hosted on the attacker system.
Using nmap, we conduct a ping scan to identify live hosts within the in-scope external
network range:
From the scan, we find two hosts, our focus will be on the 172.16.80.100 system.
Since our identified systems are minimal at this point, we can run a scan for all 65535 TCP
ports to start our enumeration process on the system of interest:
A service scan reveals that this is potentially an HTTP port, we can we can see with the
banner returned by an nmap version scan:
Our next step, is to see if we can gain any more additional insight as to the purpose of this
port, we can either browse to it, or issue a GET request via netcat. We opt to browse to the
port and are presented with some credentials in what appears to be a configuration file of
sorts:
# nc 172.16.80.100 4983
GET /
@echo off net use "\\10.100.11.150\C$" /user:local_admin P@ssw0rd123 if
exist "\\10.100.11.150\C$\Program_Files\MSBuild\ErrorLog.txt" ( echo
"Copying errors..." copy
"\\10.100.11.150\C$\Program_Files\MSBuild\ErrorLog.txt"
C:\Users\local_admin\Logs\Host1\ del
"\\10.100.11.150\C$\Program_Files\MSBuild\ErrorLog.txt" ) else ( echo
"No errors!" ) net use "\\10.100.11.150\C$" /delete
Now that we’ve obtained some credentials, we can try and use those credentials to execute
commands using the “smbexec.py” tool (part of the impacket toolkit). We know the system
is exposing NetBIOS ports, so we will attempt to exploit those ports with our newly obtained
credentials.
First, we use smbexec to get a semi-interactive shell on the target (possible since we found a
privileged set of credentials):
Note: A quick note about smbexec.py. Every so often, if you exploit the machine with the above
method, and it fails, or disconnects for whatever reason, due to the way smbexec creates a
BTOBTO service, it may fail to delete the created service causing re-exploitation to fail. This
may require a machine reset if in the rare case you need to re-exploit the machine using that
specific attack vector.
We conduct some basic local enumeration, show the interfaces configured on the system,
and determine the system is multihomed, with an interface configured for the internal
network (10.100.11.101):
We also run the “echo %userdomain%” command to see if our current user is part of a
domain, a quick way to get the current domain name if present, and we also learn that the
user is part of the domain “ELS-CHILD”:
C:\Windows\system32>echo %userdomain%
ELS-CHILD
Our next task is to obtain a connection from the system back to an Empire listener. Before
getting started with this step, please follow the instructions on installing Empire here:
https://github.com/EmpireProject/Empire#install
Note: This lab was tested with Version 2.1 of Empire. Later versions may have some issues in
regard to following the lab tasks presented here. Please download the correct version from the
following link: https://github.com/EmpireProject/Empire/releases
# ./empire
At the (Empire) > prompt, we type the “Listeners” command to enter into the Listeners
menu:
Next, we configure a new “http” listener by issuing the “uselistener” command followed by
“http,” which will put us in the http listener configuration area:
The “info” command can then be used to view all options related to the http listener we’ve
selected, and can be used similarly to how we set options with metasploit; with the “set
<option> <value> syntax.
There are several options available, but most importantly, for now, let’s just set the “Host”
option with our OpenVPN tunnel interface IP address which should be in the 175.12.80.0/24
range:
Once that is complete, we use the “Execute” command to initialize our listener:
Now that our listener is up and “listening,” we’ll want to generate a “stager.” The “Stager” is
the code we’re going to run on our target once we generate it. We can generate a stager by
first exiting out of the “Listener” area back to the “main” section by executing the “main”
command and then typing the “usestager” command. If we type “usestager <space> <tab>”
we should get a listing of all available stagers:
And again, we’ll configure the necessary options, which is typically just telling the stager
which listener to connect back to. We use the “set Listener <listener name>” command here.
In this Example, our listenername was “http”:
Once our stager is configured with the name of the listener, we can once again type the
“Execute” command to have Empire generate our stager code:
At this point, Empire has generated a powershell encoded command; we will then execute it
on the smbexec shell we obtained previously:
We then copy and paste the Empire-generated powershell code, to our smbexec shell and
press <enter>. Upon doing so, we should receive an agent connection back to our Empire
listener:
If we now type the “agents” command within Empire, we can confirm our agent has phoned-
home to the Empire C2 and is currently active via the “powershell” process on the target
system:
Seeing as we had determined that our agent had an internal interface configured with an IP
address on the 10.100.11.0/24 network, our first task should be to identify live hosts on that
subnet. We conduct an ARP scan against the 10.100.11.0/24 range.
We can use the “arpscan” module to accomplish this. First, we should interact with the agent
by using the “interact” command followed by our active agent name:
We can then load the “arpscan” module with the “usemodule” command:
We then set the CIDR block for the 10.100.11.0/24 network, and the agent name, and run the
“execute” command:
After several seconds, our agent returns the results of the ARP scan:
Let’s first load the portscan module with the usemodule command, configure the “Hosts”
value and set our Agent name as well, and finally run the “execute” command:
We’ve identified TCP 8443 as being open on another internal machine. However, our next
step is to use our current host as a pivot to the newly found machine, and port.
Since we’re going to need some additional tools (Metasploit) to accomplish the next task, we
need to transfer our existing Empire Agent over to Metasploit. We can use the Empire
“invoke_metasploitpayload” module for this. The module, as its name implies, allows us to
execute a Metasploit payload, which will effectively send our empire agent to a listener we
have configured within Metasploit.
Our first step is to generate a payload we can feed to the Empire agent. We’ll use Metasploit’s
“web_delivery” module for this. The web_delivery module will allow us to generate a
powershell payload URL, which we will then provide to the empire agent via the
“invoke_metasploitpayload” module.
Next, we set the “target” option to “2” in order to use a compatible powershell payload:
We then configure our SRVHOST IP address option. This is the IP address our web_delivery
module will bind to. It should be the testers’ VPN Tunnel Interface IP address:
Lastly, we configure a payload option and our LHOST IP for the payload. We’ll use a windows
meterpreter reverse_tcp payload:
And finally, we run the “exploit -j” command to initialize our handler, and generate our
Powershell Payload URL:
We’re going to use the URL identified by the “Using URL:” message in the above web_delivery
module output.
http://175.12.80.21:8080/JAFRM0WEjw6cf
Back at our Empire C2, in order to pass our agent to metasploit, we need to load the
“invoke_metasploitpayload” module.
We then configure the “URL” value to be that of our metasploit web delivery URL and assign
the stager to an Active agent in Empire, and finally, when that is complete, we can use the
“Execute” command.
Now that we’ve transferred our agent to Metasploit, we’ll first want to run the “autoroute”
module on our new meterpreter session. This will add the necessary routes to the Metasploit
routing table that will allow us to pivot to the 10.100.11.100 machine:
Now that our routes to the 10.100.11.0/24 network are in place, we can use the socks4a
module to proxy the 10.100.11.100 machine and conduct additional recon:
We’ll then set our proxy SRVHOST value to be that of our VPN tunnel IP address, and run the
module:
Next, after we’ve configured our browser to use our socks4a proxy:
We should able to browse to the TCP 8443 port that we discovered on the 10.100.11.100
machine, and we discover an Apache Tomcat configured with version 7.0.81:
We can also see there is a Metasploit module available. Before we can try to exploit this, we
need to use the “portproxy” module so that the payload can successfully connect back from
the internal machine, to our tester IP address by proxying the connection from the first host
we compromise, the 10.100.11.101 machine.
Once the portproxy is configured, we can load our Tomcat Exploit module for the JSP Upload
Bypass vulnerability, and configure it. We need to modify the default RPORT option to be
that of the TCP port 8443 we found, and we’ll also need to change the default payload as well,
in addition to making sure we also define our LHOST to be that of the pivot machine’s
external IP 172.16.80.100:
At this point, we should have received a shell from the Tomcat system:
Our next step, is to upgrade our shell to a meterpreter shell. We’ll accomplish this by first
generating a new payload, and then use python’s SimpleHTTPServer to host it, and deliver it
to the tomcat host via a powershell download cradle.
We then host the payload with a python SimpleHTTPServer on port 8000 on our attacker
machine:
We then need to create another portproxy to serve the payload to the Tomcat machine and
configure it on the windows 7 pivot host SESSION:
We then need to configure a new listener to accept the connection from our payload.exe once
we execute it on the Tomcat system, but first, we need to kill our previous listener:
Once our new listener is running, we can execute the following powershell download cradle
from the tomcat session:
And then execute our payload, which should now be in the C:\windows\Temp directory on
the tomcat machine:
Our last task is to use the meterpreter shell to download a powershell-based mimikatz to
dump local credentials from the Tomcat System using a powershell download cradle.
Since our portproxies are already configured, this task should be a bit more straightforward.
First, let’s make sure we’re hosting the Invoke-MimiKatz.ps1 script on our attacker system,
again in the /tmp directory, for which we should already have a python web server running
on port 8000.
https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-
Mimikatz/Invoke-Mimikatz.ps1
Next, on our new SYSTEM meterpreter session on the Tomcat machine back on metasploit,
we can drop into a shell with the “shell” command:
C:\Windows\Temp>
It should also be noted that another useful command we can use with Empire is the “psinject”
module.
To use the psinject module, we should first, interact with our agent; we can do that with the
“interact <agent name> command. Once we interact with our agent, we can issue the “shell
ps” command to execute a shell command on the target that will list all of the processes:
Next, let’s use the “psinject” module to inject into the LSASS process for a bit more stability
with our tasks. We can use the “searchmodule” command to find modules. We then use the
“usemodule <module name>” command to load the module we’d like to use, in this case, the
psinject module:
powershell/management/psinject
The LSASS PID from our previous “shell ps” output showed that the PID for the LSASS process
was 472, let’s use psinject to inject into that process. First, we tell it the Agent to use with the
“set Agent <Agent>” command, then the Listener, and ProcId values:
Once that is done, a new agent should phone-home, from the lsass process: