Set (users.xml + bruteforce SMB + plink + custom msfvenom module)
Check here as well for more info: https://f20.be/walktroughs/set.pdf
[TryHackMe] Set - Write-up
Once you have successfully jumped over the obstacle, do not be happy. You do not know where you have just landed.
Abstract
This time I will present a Windows machine exploitation process. The Set machine is classed as a hard one. I had to jump over many hurdles, and sometimes a countless number of times over the same one ;)
Today I will present a few concepts such as:
password spraying,
fetching NTLM hashes (more about LM, NTLM and Net-NTLMv2 hashes here, written by Péter Gombos),
hash cracking,
using Windows link file (.lnk) as an attack vector,
an uncommon tool for SSH port forwarding and tunnelling from Windows,
and Metasploit exploit module customization in Ruby.
You will be given a reference to the relevant documentation for self-studying the presented concepts deeper.
Foothold
Three ports open.

Time to enumerate and fuzz the webpage. Do not forget to add the hostname to the /etc/hosts file and to use the -k flag with gobuster dir to skip TLS certificate verification (port 443, HTTPS).
The enumeration led to interesting findings.


The contact search form showed some results. I tried proxying it via Burp Suite, but to no effect. An investigation of the webpage's source code revealed a promising-looking file.



A small trick with the awk and cut commands allowed me to extract only the usernames.

I had the usernames list. The gobuster scan revealed an interesting text file.


Password too common!!! Let's use the password spraying attack vector with our freshly built usernames list and the wordlists that have the word "common" in their names. I used the well-known SecLists.
Unfortunately, my favourite tool hydra did not do the job, most likely due to the host constraints. I used the Metasploit module to fuzz the SMB login instead.
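Spraying one common password across a harvested user list, as above, leaves a distinctive trace on the target: one source address failing logons against many different accounts within a short window, while an ordinary user mistyping a password touches only one account. The following is an added example, not part of the original write-up, showing that detection logic run over constructed Event ID 4625 records (the flattened log format, the five-minute window and the five-account threshold are assumptions):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log lines (Event ID 4625 = logon failure,
# 4624 = logon success), flattened to one line each. Not captured from the machine.
SAMPLE_LOG = """\
2023-01-01T10:00:01 EventID=4625 TargetUserName=alice IpAddress=10.10.14.5
2023-01-01T10:00:02 EventID=4625 TargetUserName=bob IpAddress=10.10.14.5
2023-01-01T10:00:02 EventID=4625 TargetUserName=carol IpAddress=10.10.14.5
2023-01-01T10:00:03 EventID=4625 TargetUserName=dave IpAddress=10.10.14.5
2023-01-01T10:00:04 EventID=4625 TargetUserName=erin IpAddress=10.10.14.5
2023-01-01T10:00:05 EventID=4625 TargetUserName=frank IpAddress=10.10.14.5
2023-01-01T10:00:06 EventID=4624 TargetUserName=frank IpAddress=10.10.14.5
2023-01-01T10:05:00 EventID=4625 TargetUserName=alice IpAddress=192.168.1.20
2023-01-01T10:05:03 EventID=4625 TargetUserName=alice IpAddress=192.168.1.20
2023-01-01T10:05:07 EventID=4625 TargetUserName=alice IpAddress=192.168.1.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

def parse_failures(text):
    """Yield (timestamp, source_ip, user) for each 4625 line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("eid") == "4625":
            yield datetime.fromisoformat(m.group("ts")), m.group("ip"), m.group("user")

def detect_spray(text, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: sorted users} for every source that failed against at
    least `min_users` distinct accounts inside some sliding `window`. One account
    failing repeatedly from one source (a typo, a stale service password) is ignored."""
    by_source = defaultdict(list)
    for ts, ip, user in parse_failures(text):
        by_source[ip].append((ts, user))
    alerts = {}
    for ip, items in by_source.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1          # slide the window forward past stale events
            users = {u for _, u in items[start:end + 1]}
            if len(users) >= min_users:
                alerts[ip] = sorted(set(alerts.get(ip, [])) | users)
    return alerts
```

The 4624 line in the sample is the success that follows a spray that found a match; correlating it with the preceding burst of 4625s from the same source is the natural next check.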


Let's check the credentials.

The credentials worked perfectly. I found a readable share and a file with exciting content.

The first flag found! The content of the file suggested uploading a zip file which would be read later on. I started wondering how I might exploit the file upload opportunity. Uncle Google helped, and I came across a very informative publication, "How Attackers are Using LNK Files to Download Malware", presented by the Trend Micro web service.

In a nutshell, I had to modify the above attack a bit: embed in a .lnk file a request to an SMB share I had created locally. I aimed to fetch the NTLM hash of the user who would be unzipping the file containing the .lnk. To get this done without firing up a Windows machine, I found a great tool called mslink.

Time to see if it worked. I created a new directory share and copied the hook.zip file in there. I fired up an SMB server sharing the directory.

You might use a broad range of different tools to do the job. For instance, a combination of the Python scripts Responder and its friend MultiRelay (the Responder git repo is here) might be the right choice. This combination is commonly known as the SMB relay attack; a description can be found here.
I had a quick meeting with my friend John the Ripper and got the credentials cracked. sc015020 describes in "How to crack passwords with John the Ripper" how to use the tool.
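On the receiving side, the vector described above (a zip upload containing a shortcut whose icon or target points at a share the uploader controls) can be screened for before anyone opens the archive. The following is an added example, neither the write-up's nor mslink's code: it checks each .lnk member of an uploaded zip for the Shell Link header and for any UNC path in its string data, using a constructed archive (the host address is a TEST-NET placeholder and the stubs are not valid shortcuts, only enough bytes to exercise the check):

```python
import io
import re
import zipfile

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian byte order.
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
# \\host\share\... as plain ASCII, and the same shape in UTF-16LE (each char then NUL).
UNC_ASCII = re.compile(rb"\\\\[A-Za-z0-9._-]+\\[^\x00-\x1f<>|\x7f-\xff]+")
UNC_UTF16 = re.compile(rb"\\\x00\\\x00(?:[A-Za-z0-9._-]\x00)+\\\x00(?:[^\x00<>|]\x00)+")

def unc_targets(lnk_bytes):
    """Return every UNC path found in a .lnk blob (empty if it is not a shortcut)."""
    if not lnk_bytes.startswith(LNK_HEADER):
        return []
    found = [m.group(0).decode("ascii") for m in UNC_ASCII.finditer(lnk_bytes)]
    found += [m.group(0).decode("utf-16-le") for m in UNC_UTF16.finditer(lnk_bytes)]
    return found

def scan_zip(zip_bytes):
    """Return {member_name: [unc_paths]} for .lnk members that reference a share."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".lnk"):
                continue
            paths = unc_targets(zf.read(name))
            if paths:
                hits[name] = paths
    return hits

def build_sample_zip():
    """Constructed archive: a text file, a stub pointing at a local path, and a stub
    whose string data names a share (203.0.113.9 is a documentation address)."""
    local = LNK_HEADER + b"\x00" * 60 + "C:\\Users\\Public\\readme.txt".encode("utf-16-le")
    remote = LNK_HEADER + b"\x00" * 60 + "\\\\203.0.113.9\\share\\icon.ico".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/notes.txt", "nothing to see here")
        zf.writestr("docs/local.lnk", local)
        zf.writestr("docs/hook.lnk", remote)
    return buf.getvalue()
```

A real deployment would parse the LinkInfo and StringData structures rather than pattern-match, and would also refuse archives whose members are not the file types the upload form expects.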

Having a new set of credentials, I decided to check my two favourite ports allowing remote access to Windows machines: 3389 (Remote Desktop Protocol) and 5985 (Windows Remote Management).

I discovered port 5985 open. At this moment, I could check if the cracked hash and the related username would work. I picked Evil-WinRM from my favourite toolkit to get access.

Privilege escalation
So far, nothing significantly new. I did not expect that the escalation part would be real hardcore. Having valid credentials, I tried to upload a bunch of binaries such as mimikatz and others. Windows Defender did its job, banning them all.
You might use an enumeration binary such as winPEAS to make your life a bit easier. I started with the necessary manual enumeration. I came across port 2805 attached to PID 3524, which looked a bit suspicious.

Let's investigate the identified process sitting on PID 3524. It happens that you forget a command's syntax (it occurs to me quite often). The PowerShell Get-Help command does the job.


The Veeam One Agent Service was new to me. I did some research (just googled ;) and found that the service had been identified as vulnerable.

To be sure, I had to find out the version of the running service. The PowerShell Get-Process with the available parameters gave me nothing. A manual enumeration using the Get-ChildItem (searching) and Get-Item (reading file properties) commands succeeded.

Port 2805 was inaccessible from the outside world. I had to get access to the port from the attacker's machine. After I had failed using standard SSH tunnelling solutions, a Google search came in handy again. I found that the plink.exe binary worked correctly. The relevant tutorial is here.

I set up the Metasploit Veeam exploit module.

I tried all available exploit targets and some of the advanced options but ended up without establishing a reverse connection. Windows Defender was giving me a hard time. I decided to dig deeper and learn how to add a payload to an existing module in Metasploit. This task required a bit of a Ruby coding refresher from me.
Adding the payload to the exploit required modifying the elements below.

I added a new exploit target.

The original register_options() function required some modifications as well.

The modification required registering a new option, "CMD".

The Ruby case statement required adding an extra branch to execute the commands set and registered in the "CMD" field.

I added a "when" branch to the case statement so that the payload executes the desired commands.

With the modifications completed, I checked whether the applied changes were visible.

Once I had implemented all the required changes, the time came to verify their effectiveness.
The final chain of actions left to be done:
set up an SMB share on the attacker's machine containing the Netcat binary,
set up a Netcat listener on the attacker's machine waiting for a reverse connection from the victim machine,
set up the exploit to call the Netcat binary from that SMB share and establish a connection with the listening attacker's machine (setting up a workable concatenation of those two commands took me a countless number of attempts ;)
I expected to establish a reverse connection running a Windows command line as a privileged user.

Summary
The machine fully deserves to be classed as a hard one (I would say insane), at least in my opinion. The number of different elements, stages, traps and countless somersaults to be dealt with or overcome is impressive. The journey I took was fantastic; it gave me a lot of hard time but, as always, was worth every second.