We all love Exploitation and gaining access to a machine elevate our privileges and gain that SYSTEM, Administrator, Domain Admin Shell. It’s a rush that us as hackers love to see when we try to gain access to a box “Meterpreter Session 1 Opened”, Beacon, Grunt, etc. Oof hasn’t that been one of the most awesome sentences that you can see on your terminal when something you’ve been working on just works.
But how do we get here?. We don’t magically know the payload that needs to be used, or the exploit to use against our victim machine.
Enumeration , that one very important step taken before we continue with our hacks around the network. Can we access the machine?. Enumeration. Can we exploit it?. Enumeration. What about Privesc, Enumeration. Anything on Persistence? Yep let’s enumerate to see what’s allowed as a user OR where to leave our backdoor that can blend with the environment, need to move around the Environment?, lets enumerate and see what is available.
Here I will demonstrate how enumeration can be achieved in many ways and also the variety of tools used for the same category so that you don’t have to be limited to this very well-known tools. For example nmap, everyone uses nmap the famous port scanning tool with incredible functionality that works well everywhere, but let’s not forget we have other tools, unicornscan, masscan, amap, rustscan. Let me work on an environment and show a variety of ways to enumerate and reach our goal and not be dependent on well-known tools.
Initial Access
My target machine is 10.0.2.24 I will start enumerating and search for access here see a way to gain an initial foothold.
As my scan from different tools finished these were my results.
Nmap:
Rustscan:
And amap:
With different tools for enumeration this may help in confirmation on what is going on, tools might use different methods to acquire information about a specific target. In this matter I can confirm that these ports are open as different tools have confirmed this now I can move forward and attack these ports or gain more information on them to lower my chances of failure when try to exploit these targets.
So let’s approach 135/139:
Rpcclient we will approach this port and enumerate with and without credentials (realistically this wouldn’t be available since it would most likely be a Blackbox test).
As seen above I am trying to enumerate users but this is most likely not going to happen with an anonymous user we will try with someone with credentials.
No luck with rpcclient as the user is not part of a Domain and only from the local machine, we can continue grabbing more info that is needed from the local machine but we will stop here.
Now let’s approach the 445 port (SMB):
I have used 3 different tools with the approach on anonymous enumeration but I had no luck finding shares smbclient, smpmap, smbclient.py from impacket
I can also use the crackmapexec tool and I can see that the anonymous user has access to a share named Scans
From here you can choose your favorite tool to access the share and start exploring what is going on in that share.
Seems that we have a File that advises people to upload there work so it can be reviewed at the end of the day, the fact that we know this means that there is a user accessing this share at A certain time we can use this to taint the share and have it send us an NTLMv2 hash and try to crack it, so let us try and grab the hash of this user with the help of Responder.
I will build a LNK file with the ICON of the LNK pointing to my Machine so when Windows tries to load it, it will reach responder now I wait until the user browses the Share once that happens I will have responder listening on my attacking machine and capture the NTLM hash
Then I use PUT from smbclient and move the file on the share with my anonymous access to the share utilizing SMBCLIENT
I add the file (LNK) and once the share is browsed Windows will search for the ICO that is pointing to my attacking machine
And hashes are captured
Now we will use these hashes to crack the password, my favorite is using hashcat and a few rules “One_rule_to_rule_them_all” (Do let me know if I messed up the name). And here I like using Windows for hashcat
And we managed to crack the Hash
Once we have the credentials let us try them and see what Adrian’s permissions are on the machine. Will utilize crackmapexec.
Fantastic we have credentials, but now from our limited options let us try and get a Shell on the machine from checking out nmap again we see that there is PSRemote available
Let’s use this and get a connection.
Now I will upgrade my Shell to a Grunt from Covenant C2 (Just my taste). Now that we have our Grunt With Medium Integrity and running on PowerShell with the user anovoa time to Privesc to a higher user.
I will use the SharpUp Task to gain information on how to Privesc but I will also use another favorite as I really love the output and the details check it has PrivescCheck.
AlwaysInstall Elevated Key OK good sign we can use this, I always have the option to validate with PrivescCheck or by querying the Registry Keys manually
PrivescCheck
Now let us upload our MSI Installer built from VS with a GruntSMB and grab a higher privileged Grunt.
I will execute using msiexec and connect back to the Grunt with higher privileges
No worries if it hangs on Tasked its normal behavior, we can see our new grunt as SYSTEM
And from here we can continue our enumeration and move forward with Compromising the Domain or leaving a persistent access or much more, the reason for this was to demonstrate the importance of enumeration as (Myself as well) I read that various people are just trying to throw exploits to machines and saying, “It doesn’t work”. Trying to search for ports, users, services, privilege escalation methods and others. I hope this has been helpful and maybe learned something from it.
Dumping Hashes from SAM (Got an error because Covenant is using and older version of Mimikatz, well the version I am using)
Happy Hacking!