sobota, 26 października 2019

Responding to Windows 10

I decided to prepare a small Windows-based VM to check few cases related to 'workstation security'. Below you will find the details about Windows 10 I used against Kali Linux. Here we go...

We should start here:

The goal of this scenario was to get inside "company's internal network" via Windows10 workstation (vulnerable to attack ;)). Before we'll start - few more details about the VM box:


I created a 'normal/default user' (called User). Our ('normal') User is also in the admin's group but we will get back to that later. For now we have:

So far, so good. According to few tutorials available online we can use responder to grab password hashes (and for example: use them later during other attacks). That's cool but I decided to also check if I will be able to achieve similar results - using - let's say - an XSS and/or phishing attacks. ;)

So I started Kali and prepared a small web page - like you can see below:


Our scenario starts when the victim user will visit somehow our content/page/code - you name it (it could be done various social engineering attacks like emails, simple/targeted phishing attack or via communicators used in the company).

Let's start the tool:


As you can see we are ready to go:


Just when I started IE to 'visit (malicious) page with that funny cats' - responder received few interesting lines. You can see them on the screen below:

Visiting the link:


As you can see we grabbed the hash and we can continue this step of the pentest in our local box:


...but for how long...?


We don't know. So I decided to run enlil.py against the target Windows VM:


Unfortunately I wasn't able to relay my new hash...


... so I found an excellent article related to lateral movement using msfvenom with templates:


Let's try:


As you can see (the victim) user will see 2 alert messages that this EXE could be dangerous.

But user is the user, so he will find his/her way to run malicious app anyway :)

...and this is the moment where we're waiting:


Continuing?

No problem:


So now we should be here, listing our session(s):


Let's move to our new shell to look around a little bit:


In the meantime on the Windows-box we can also see:


As this is our "normal" user - we already should have an admin rights. So let's create another user (tester) without admin's rights. We will use this configuration to try to escalate to more privileged user.

One of the way to do it is looking for files we can control. To to that we can use the command presented on the screen below:


When I was looking for some good examples of privesc bugs at Exploit-DB I found this case. I decided to install it on the Windows VM and check if I will be able to achieve similar results.


App is ready - we can continue using icacls:


In the meantime I found another vulnerable application installed on the box so I decided to prepare another reverse shell (TL;DR EnterpriseSystemManager didn't worked for me this time):

Now we should be somewhere here:


Preparing:


To download our new revshell I used powershell command presented on the screen below (PS1 was saved to poc.ps1 file and started):

Preparing python SimpleHTTPServer to download prepared file from our Kali VM:


WService.exe is replaced so after an OS will reboot:


Last check:


I think this case is done now. :) We will back to that VM during another scenario. ;)


One note to add:
as you can see (on the right top of the blog) I added a Paypal button. If you like the blog and the content you can find here feel free click "donate". Any help is appreciated.

In case of any questions - you know how to find me. ;)

See you next time.

Cheers


Posted by at
Labels: , , ,

1 komentarz:

Subskrybuj: Komentarze do posta (Atom)