search

Blue

Wanna cry?

First thing first, let's edit our hosts file:

sudo nano /etc/hosts

Now, instead of typing target IP, we can use blue.htb, it's more comfortable.

Now, let's connect to the VPN, so that we would be able to access the machine on the network:

We can see that we have a successful connection:

To get out of the shell click Ctrl+Z and you wil see that job is stopped.

Let's:

  1. List the running jobs

  1. Move VPN job to background

  1. Check that the job is running

  1. Check that we have a working VPN connection and that we can hit the target machine

-c 2 stands for send 2 packets, so we sent 2 packet and we received 2 packets.

hashtag
Stage 1: Enumeration

First thing first, let's enumerate our target and find as much of information as possible.

Before any target systems can be examined and attacked, they must first be identified. This process is often called enumeration. Here a penetration tester will enumerate the customer, application, or system they are testing. The common things we are hunting during this early stage include anything from open ports, login credentials, DNS records, protocols on our target, and even publicly available information.

Let's give it a time to run, while it runs, I'll explain command that we are using:

  1. nmap - is a free and open source utility for network discovery and security auditing that we are using to enumerate target. Documentationarrow-up-right

    1. -sC - Scan with default NSE scripts. Considered useful for discovery

    2. -sV - Attempts to determine the version of the service running on port

    3. -p- - Port scan all ports

    4. -oN - Normal output to the file normal.fileCopied

    5. nmap_results.txt - file name where scan result will be saved

    6. blue.htb - remember us editing hosts file?

Now we know that we can enumerate more in to SMB and that it's an Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1) that we can search some exploits available.

We have 5 SMB shares. Let's enumerate them too.

Windows keep a backup of all the activities and changes such as accessing folders, opening files, network shares, etc., in netuser.dat.LOG1 and netuser.dat.LOG2 during the live session and saves them into NTUSER.DAT during Log off. The NTUSER.DAT is the primary file for the HKEY_CURRENT_USER hive and keeps user-related information; however, Windows is not updating this file in real-time.

And this could be a rabbit hole as well.

What are the options?

Didn't find anything interesting so far:

This is really better and faster than going manually. As well as we can see what permissions we would have in the directories and what we can try to do with the files and can we make an upload anywhere.

I think I've pushed max I could with smbclient and smbmap, time to dig with rpcclient:

And let's have a look in to some SANS cheat sheet here

I will share here only if I get any data out of enumerating RPC:

Total of 3 users. There was a Forced Logging off on the Server.

Didn't get anything about users and groups. But we know we have Haris, Administrator.

It should be possible to extract details about a particular group, and we should have groups but I don't get output. This information includes the Group Name, Description, Attributes, and the number of members in that group. Let's try:

Now, I will try random guessing:

hah :D

We have 34 privileges assigned.

To enumerate the Password Properties on the domain, the

command can be used. This is made from the words get domain password information. This will help in getting the information such as the kind of password policies that have been enforced by the Administrator in the domain. It is possible to enumerate the minimum password length and the enforcement of complex password rules. If these kinds of features are not enabled on the domain, then it is possible to brute force the credentials on the domain.

It is also possible to get the password properties of individual users. I will try to do random guess again.

We have "access denied" meaning that someone is 0x1f4. #0x1f4

The SID of a user is the security Identifier that can be used for a lot of elevating privileges and minting tickets attacks.

Can we add our own domain user?

LogoAccess Mask Format - Win32 appsMicrosoftLearnchevron-right

Can we change existing user password?

Do we have a Network Shares on the Domain?

No output for these and because of that we cant enumerate further with, as example:

Can we create domain group?

Since the user and password-related information is stored inside the SAM file of the Server. It is possible to enumerate the SAM data through the rpcclient as well. When provided with the username to the samlookupnames command, it can extract the RID of that particular user. If used the RID is the parameter, the samlookuprids command can extract the username relevant to that particular RID.

The one that I got Access restriction before if you remember.
We can search backwards too.

Passing the SID as a parameter in the lsacreateaccount command will enable me to create an account object as shown in the image below.

It is possible to perform enumeration regarding the privileges for a group or a user based on their SID as well.

Can I manipulate the privileges any SID to make them either vulnerable to a particular privilege or remove the privilege of a user altogether?

No sense in deleting if can't add then.

Enumerate the security objects or permissions and privileges related to the security.

What else we can do?

Maybe we can mount share?

I've ran in to issues and doing TS now:

LogoMirrors | ParrotOS Documentationparrotsec.orgchevron-right
Hmm, this looks dofferent from the documentation. Let's make a copy of it and replace content with the info from documentation.
Okay, some progress here.
Now, let's try to install again.
Satisfaction.

Did not find any value there.

I think we are done with shares and SMB enumeration.

If we are able to log in in to "null" session, can we bruteforce in?

Lazy to wait.
Maybe Haris?

Checked NTUSER.DAT logs and files, nothing there. So I think it's time to read about

LogoCustomer Guidance for WannaCrypt attacksblogs.technet.microsoft.comchevron-right
LogoWannaCrypt ransomware worm targets out-of-date systems | Microsoft Security BlogMicrosoft Security Blogchevron-right

Let's google about MS17-010 since nmap says that it's vulnerable. And I want to do as much manual or semi-manual as I can because doing this in Metasploit is easy and won't teach me anything.

Just imagine what NSA and other Intelligence Services have now in their usage...

Let's try this one:

LogoMicrosoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)Exploit Databasechevron-right
LogoGitHub - 3ndG4me/AutoBlue-MS17-010: This is just an semi-automated fully working, no-bs, non-metasploit version of the public exploit code for MS17-010GitHubchevron-right

hashtag
Stage 2: Vulnerability assessment

The vulnerability assessment builds on information gathered during enumeration. We’re probing for known vulnerabilities in the system or application; and will then test them with specialized tools and techniques to determine if there is indeed a method of exploitation.

Let's do the same for hands-on experience with Metasploit.

I think we are ready to attempt exploit semi-manully and automatically. Unfortunatelly I do not have required knowledge to understand in-depth how it works under the hood, but this is exactly what I wish to achieve. As a state of art develop a skill of creating same level personal exploits and tools crafted in tailored manner.

hashtag
Stage 3: Exploitation

Targeting the vulnerabilities identified in the previous step, an attack is crafted and executed. This could be anything from a crafted piece of code or malicious file used to exploit an OS or application vulnerability, to showing that file upload and execution capabilities exist within a web app.

Now back to Metasploit.

Now back to Enumeration, which make no sense, but:

hashtag
Stage 4: Post-exploitation

The post-exploitation phase is about diving deeper. An attacker will attempt to gather more information, elevate access (or privileges), and ensure they have a way to get back in if they lose access (this is called persistence). We’ll also revisit the information-gathering tasks performed earlier since we now have internal access.

We have highest privilege achieved with this exploit.

LogoGitHub - emilyanncr/Windows-Post-Exploitation: Windows post-exploitation tools, resources, techniques and commands to use during post-exploitation phase of penetration test. Contributions are appreciated. Enjoy!GitHubchevron-right

Let's try to get offensive 👿

LogoMetasploit Unleashed | Mimikatzwww.offsec.comchevron-right

Connection died. I feel tired now to get it back have no session. But we have 3 hashes.

next time I will use password from rockyou.txt to check how John and Hashcat do the job.

Still complaining, I know how to fix it but want to moveon, session is killed so I won't pull it.

These hashes mostlikely are for different attack vector because normal hashes usually looks like:

  1. 3d83c8e717ff0e7ecfe187f088d69954:343141

  2. $1$38652870$DUjsu4TTlTsOe/xxZ05uf/

  3. $BLAKE2$296c269e70ac5f0095e6fb47693480f0f7b97ccd0307f5c3bfa4df8f5ca5c9308a0e7108e80a0a9c0ebb715e8b7109b072046c6cd5e155b4cfd2f27216283b1e

And etc. with these one's John and Hashcat can deal.

hashtag
Stage 5: Lateral movement

Signaling the end of the engagement, lateral movement focuses on moving closer to valuable assets. The goal is to “follow the trail” and extend access to other hosts and applications. Now that we have a solid access point (or foothold) within the customer’s network, it's time spread out and survey the environment to pursue highly-protected, precious intellectual property (IP), sensitive resources, or access to a host.

In this case we have only 1 machine at the network and there is no valuable data to exfiltrate.

hashtag
Stage 6: POC

The proof of concept phase is where specific vulnerabilities and security flaws are noted for reporting purposes. We are crafting the narrative that explains to customers how we gained access to their systems and how highlighted issues affect their security posture. This phase is key to tying everything together and ensures that the customer receives useful insights.

hashtag
How exploit works?

Still much to learn.

Last updated