powershell

All posts tagged powershell

TryHackMe – Corp

Posted by d3nni5 on 18/04/2023
Posted in: Red, Windows. Tagged: , , , , , , , .

Walkthrough of privilege escalation techniques on a windows machine.

Bypassing Applocker

First of all a couple of words about Window’s Applocker. Applocker is an application whitelisting solution of Windows, so with the usage of it certain *.exe files or *.msi packages can be blocked. The default rules of Applocker are:

  • All members of the local Administrators group can run apps
  • All members of the Everyone group can run apps which are located in the Windows folder
  • All members of the Everyone group can run apps that are located in the Program Files folder

If AppLocker is configured with these default AppLocker rules, it can be easily bypassed by placing the executable into the directory of “C:\Windows\System32\spool\drivers\color”. Let’s get “whoami.exe” from our Kali Windows repository and upload it to the victim computer first and run to check whether it asks for further permissions.

Let’s answer the first question by checking the history of Powershell.

What is the first flag?

Kerberoasting

Kerberoasting is a post-exploitation attack that abuses the Kerberos protocol to obtain password hashes of Active Directory accounts with Service Principal Name (SPN) values which is the mapping between service and account. Ticket Granting Service (TGS) tickets from which the service account password hash can be extracted can be stolen from memory or by network traffic sniffing. Thus any request of a TGS for an SPN by a user may contain the password hash of the service account and as such capturing them makes it possible to offline crack and obtain the password. So, first let’s try to find users with SPN requests.

What user is that for?

We can see that there is an SPN for a user, so we are in a position to make use of the Kerberoasting script of Empire. We can try to download it directly to our target machine, but it has no public internet connection.

So, let’s download it to our Kali and get it from there.

Ok, now let’s try to get the SPN ticket using the Kerberoast script.

Now let’c crack the hash with Hashcat using the code 13100 as this is a Kerberos 5 TGS-REP etype 23 hash.

What is the users password in plain text?

Now all we have to do is just RDP into the machine with the credentials gathered.

What is his flag?

Privilege Escalation

Now we still have only user privileges, so let’s get another PowerShell script to examine the Windows machine to find potential weak points and get admin rights.

The script has identified a couple of ways to elevate our privileges, one of them would be a UAC bypass and another one is an unattended path option.

The unattended path is about an unattended install file which is mainly a corporation program installation method. Let’s check out the file first and then decoding the Base64 type encoding.

What is the decoded password?

We also can decode the Base64 code in our attacker machine if PowerShell not available.

Now, that we know the admin password, all we need to do is just remoting into the machine with these credentials and get the admin flag.

Thanks for reading and as always, any feedback is most welcome.

TryHackMe – SteelMountain Walkthrough

Posted by d3nni5 on 08/01/2023
Posted in: Red, Windows. Tagged: , , , , , , .

Walkthrough of a Windows machine exploitation. The room has a description of two methods, the first is a semi-auto Metasploit one and a manual one afterwards. 

Introduction

In this room after the usual enumeration and initial access Powershell to be used for further analysis. Please note that this machine does not respond to ping (ICMP).

Who is the employee of the month?

This question can be easily answered with a couple of clicks instead of the advised reverse image lookup. All we need to do is just right click on the page to inspect the picture.

Initial Access

Scan the machine with nmap. What is the other port running a web server on?

Take a look at the other web server. What file server is running?

This could be easily answered with a quick curl request as shown below.

What is the CVE number to exploit this file server?

Usually all the exploit scripts have a short explanation of the vulnerability with the relevant CVE number as highlighted below.

Use Metasploit to get an initial shell. What is the user flag?

Privilege Escalation

Now that we have an initial shell as Bill, we can do further enumeration in order to get root privileges. We shall use a powershell script called PowerUp for this purpose finding common Windows privilege escalation vectors that rely on misconfigurations. The script can be downloaded from here.  Meterpreter can be used to get the file uploaded.

Also, the Powershell extension of Meterpreter can be utilized to make our life a bit easier.

What is the name of the service which shows up as an unquoted service path vulnerability?

We use msfvenom to generate a reverse shell as an Windows executable.

We shall upload the newly generated binary and replacing the legitimate one with it. Then restart the program to get a shell as root.  Note: The service showed up as being unquoted (and could be exploited using this technique), however, in this case we have exploited weak file permissions on the service files instead.

What is the root flag?

The exploit works by grabbing a Netcat executable which to be hosted from the folder in which the HTTP server is setup and running. Also a local Netcat listener is necessary to catch the backward connection.

Access and Escalation without Metasploit

Now let’s complete the room without the use of Metasploit. For this we will utilise Powershell and WinPEAS to enumerate the system and collect the relevant information to escalate to. The same CVE to be used with this exploit. As with the previous case, a webserver and a Netcat listener should be up and running at the same time in order for this to work. We can use the same Netcat static binary as above. The exploit should be run two times as the first time it should pull the Netcat binary to the victim system and the second would execute the payload to gain a callback.

We need to modify the exploit as shown below.

Setting up the HTTP server in our working directory.

Receiving the low privileged shell on the Netcat listener.

Now we can pull WinPEAS to the system using powershell -c. Once we run WinPeas, we see that it points us towards misconfigured unquoted service paths vulnerabilities. We can see that it provides us with the name of the service it is also running.

What powershell -c command could we run to manually find out the service name?

Let’s generate a new payload with msfvenom and pull it to the system using powershell. Now we can move our payload to the unquoted directory about which WinPEAS alerted us and restart the service with “sc stop AdvancedSystemCareService9” and “sc start AdvancedSystemCareService9”. Once this command runs, we shall see a new Administrator shell on the listener.

Before stopping and re-running the service, we could check whether it runs as normal user with the “sc qc AdvancedSystemCareService9” command.

Running the webserver from the working directory as before.

Uploading the payload from Powershell using the wget command.

Receiving the system level shell on our listener.

Thanks for reading and as always, any feedback is most welcome.