Koadic – COM Command & Control Framework

Hello friends!! In this article we are introducing another very interesting tool, “KOADIC – COM Command & Control”, which is quite similar to Metasploit and PowerShell Empire. So let’s begin with its tutorial and check its functionality.

Table of Content

  • Introduction to Koadic
  • Installation of Koadic
  • Usage of Koadic
  • Koadic Stagers
  • Privilege Escalation with Koadic Implants
  • Post Exploitation
    • Generate Fake Login Prompt
    • Enable Rdesktop
    • Inject Mimikatz
    • Execute Command
    • Obtain Meterpreter Session from Zombie Session

Introduction to Koadic

Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.

It is possible to serve payloads completely in memory from stage 0 to beyond, as well as use cryptographically secure communications over SSL and TLS (depending on what the victim OS has enabled).

Koadic also attempts to be compatible with both Python 2 and Python 3. However, as Python 2 will be going out the door in the not-too-distant future, we recommend using Python 3 for the best experience.

Source – https://github.com/zerosum0x0/koadic

Installation of Koadic

Koadic must first be downloaded and installed before you can start using it. Run the following commands to download Koadic from GitHub, and take care of its dependencies while installing it.

git clone https://github.com/zerosum0x0/koadic.git

cd koadic

Usage of Koadic

This tool depends mainly on stagers and implants. It contains 6 stagers and 41 implants.

Stager: Stagers hook target zombies and allow you to use implants.

Implants: Implants start jobs on zombies.

Once installation is complete, run ./koadic to start Koadic. The most helpful command for a synopsis of how to use Koadic is help: the help command summarizes the various commands available. Koadic functions similarly to other frameworks, such as Metasploit.

To list all available modules in the terminal, type “use <tab> <tab>”. This dumps all available implants and stagers for execution; alternatively, you can explore the stager modules with the following commands:

This lists all the stagers that can be used to obtain a zombie session on the target machine.

Koadic Stagers

The stager defines where a zombie device contacts the Koadic command and control. Some of these settings can be viewed by running the info command once the module is selected. Let’s start by loading the mshta stager with the following command.

Set SRVHOST to the address the stager should call home to and SRVPORT to the port to listen for stagers on; you can also set ENDPOINT to choose the name of the malicious file. Then enter run to execute.

Now wait for the victim to run the command below, which executes the malicious file generated above.

Once the malicious sales file is executed on the target machine, you will have a zombie connection, just like a session in Metasploit.

Privilege Escalation with Koadic Implants

Once you have a zombie session, you can use the implant modules for privilege escalation, which include bypassuac.

Koadic contains bypassuac modules for Windows 7, 8 and 10, so that you can extract system-level information. We can load this module by running the command below within Koadic.

Then we set the payload value to run the module. You can keep the default zombie value “ALL” to attack all zombies, or set the particular zombie id you want to attack. Use the commands below to adjust the payload value and the zombie.

Post Exploitation

Generate Fake Login Prompt

You can start a phishing attack with Koadic and capture the victim’s login credentials. We can load this module by running the command below within Koadic.

This launches a login prompt on the victim’s machine.

If the victim enters their password in the fake prompt, you receive the password in the Koadic command and control.

Enable Rdesktop

Just like in Metasploit, you can enable the Remote Desktop service on the victim’s machine with the following implant module.

As you can observe in the image below, job 4 completed successfully and has enabled the Remote Desktop service.

We can confirm the Remote Desktop service with nmap by checking the state of port 3389.

Hmm!! As you can observe from the nmap result, port 3389 is open, which means the Remote Desktop service is enabled.

Inject Mimikatz

This lets you inject Mimikatz into the victim’s machine to extract passwords from it. We can load this module by running the command below within Koadic.

As a result, it dumps the NTLM password hash, which we need to crack. Save the NTLM value in a text file.

Then we use John the Ripper to crack the hash; run the following command with the hash file as shown below:

As you can observe, it shows 123 as the password recovered from the hash file.

Execute Command

Since we have a high-privileged shell, we are free to run any implant module for post-exploitation; now we use exec_cmd to execute a command on the Windows system. To load this implant, run the command given below.

Then we set the CMD value to the command to run, along with the zombie id.

Obtain Meterpreter Session from Zombie Session

If you have a zombie session, you can obtain a Meterpreter session through it. Generate a malicious file with msfvenom and start the multi/handler, as we always do in Metasploit.

Koadic provides an implant module that lets you upload any file to the victim’s machine once you have a zombie session. To load this implant, run the following command:

Now set the file location and zombie id, then run the module. This uploads your malicious file into a writable directory, i.e. %TEMP%.

Once the job is completed, use exec_cmd again to run the uploaded file.

Then we set the CMD value to run the uploaded shell.exe file, along with the zombie id.

Once you execute the malicious exe file within the Koadic zombie session, you will get a Meterpreter session in the Metasploit framework, as shown below:

Once the file is executed on the machine, we get the victim machine’s Meterpreter session, as shown below:

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

Windows Applocker Policy – A Beginner’s Guide

Hello Friends!! This article is based on “Microsoft Windows – AppLocker Policy”. This topic is for system administrators: it describes the AppLocker rules for your application control policies and how to work with them.

Table of Content

Introduction to Applocker

  • What is applocker Policy?
  • Who Should Use AppLocker?
  • What can your rules be based upon?

Configure the Applocker to Allow/Deny Execution of an App

  • Configure Enforcement rule
  • Create Default Rules

Modify Executable Default Rules to Allow an App

  • Rule conditions
    • Publisher
    • Path
    • File Hash

Modify Windows Installer Default Rules to Allow an App

Modify Script Default Rules to Allow an App

Creating New Rules to Block an APP

Introduction to Applocker

What is applocker Policy?

Windows AppLocker is a feature introduced in Windows 7 and Windows Server 2008 R2 as a method to restrict the use of unwanted programs. AppLocker lets administrators control which executable files are allowed or denied to run. With this policy, administrators can generate rules based on unique identities of files (file names, publishers or file location) and specify which users or groups can execute those applications.

What can your rules be based upon?

The AppLocker console is organized into rule collections: executable files, scripts, Windows Installer files, packaged apps and packaged app installers, and DLL files. These collections let you easily distinguish the rules for different application types. The file formats included in each rule collection are:

  • Executable files: .exe and .com
  • Scripts: .ps1, .bat, .cmd, .vbs and .js
  • Windows Installer files: .msi, .msp and .mst
  • Packaged apps and packaged app installers: .appx
  • DLL files: .dll and .ocx

Who Should Use AppLocker?

AppLocker is worthwhile for organizations that need to accomplish any of the following:

  • Control which applications are allowed to run inside the company.
  • Control which users are allowed to run licensed programs.
  • Provide an audit log of which programs users have been running.
  • Prevent standard users from installing per-user software.

Configure the Applocker to Allow/Deny Execution of an App

The Windows AppLocker settings are found in the Group Policy Object Editor at Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker.

Configure Enforcement Rule

Use the enforcement setting for each collection; when it is configured to Enforce rules, rules are enforced for the rule collection and all events are audited.

  1. Select the Configured check box for the rule collection that you are editing, and then verify that Enforce rules is selected.
  2. Click OK.

Open the Advanced tab and enable the DLL rule collection.

Create Default Rules

AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection.

  • Open the AppLocker console.
  • Right-click the appropriate rule type for which you want to generate default rules automatically. You can automatically create executable rules, Windows Installer rules, script rules, and packaged app rules.
  • Click Create Default Rules.

Executable Default Rule Types Include:

  • Allow members of the local Administrators group to run all apps.
  • Allow members of the Everyone group to run apps that are located in the Windows folder.
  • Allow members of the Everyone group to run apps that are located in the Program Files folder.

Modify Executable Default Rules to Allow an App

A rule can be configured to use allow or deny actions:

  • ALLOW : You can specify which files are allowed to run in your environment, and for which users or groups of users.
  • DENY : You can specify which files are not allowed to run in your environment, and for which users or groups of users.

Once you have configured the default rules as above, you can modify them as per your requirements. For example, if you want to modify the rule “Allow members of the Everyone group to run apps that are located in the Program Files folder” so that a specific user or group is allowed to execute a specific program file, open its properties by right-clicking that rule and follow the steps below.

Select the file or folder path that this rule should affect. The asterisk (*) can be used as a wildcard in path rules. For example, %ProgramFiles%\* indicates all files and subfolders within that path.

Rule conditions

Rule conditions are the criteria by which AppLocker identifies the applications to which a rule applies. The three rule conditions are publisher, path and file hash.

Publisher

Identifies an application by its digital signature. The digital signature contains information about the company (the publisher) that created the application.

Wildcard characters can be used as values in the publisher rule fields; the specifications are listed under “Modify Windows Installer Default Rules to Allow an App” below.

Advantage:

Frequent updating is not required.

You can apply different values within a certificate.

You can use a single rule to allow a complete product suite.

Within the publisher rule, you can use the asterisk (*) wildcard character to specify that any value should match.

Disadvantage:

While a single rule can be used to allow a complete product suite, all files in the suite must be uniformly signed.

Path

Identifies an app by its location in the computer file system or on the network. For well-known paths such as Program Files and Windows, AppLocker uses custom path variables.

Advantages:

Many folders or a single file can be easily controlled.

The asterisk (*) can be used as a wildcard in the rules of the path. For example, %ProgramFiles%\Microsoft Office\* indicates that all files and subfolders within the Microsoft Office folder will be affected by the rule.

Disadvantage:

It can be risky if a rule configured with a folder path contains subfolders that are writable by a local user.

File Hash

Represents the cryptographic hash computed by the system for the identified file. For files that are not digitally signed, file hash rules are safer than path rules.

Advantage:

Since each file has a unique hash, a file hash condition only applies to one file.

Disadvantage:

Whenever the file is updated (such as security updates or upgrades), the hash of the file changes. Consequently, you have to manually update the rules for file hash.

Modify Windows Installer Default Rules to Allow an App

Windows Installer Default Rule Types Include:

  • Allow members of the local Administrators group to run all Windows Installer files.
  • Allow members of the Everyone group to run all digitally signed Windows Installer files.
  • Allow members of the Everyone group to run all Windows Installer files that are located in the Windows\Installer folder.

Similarly, if you want to modify the Windows Installer default rules, repeat the steps above.

Wildcard characters can be used as values in the publisher rule fields according to the following specifications:

Publisher: The asterisk (*) character used by itself represents any publisher.

Product name: The asterisk (*) character used by itself represents any product name.

File name: Either the asterisk (*) or question mark (?) characters used by themselves represent any and all file names.

File version: The asterisk (*) character used by itself represents any file version. If you want to limit the file version to a specific version or as a starting point, you can state the file version and then use the following options to apply limits:

  • Exactly. The rule applies only to this version of the app.
  • And above. The rule applies to this version and all later versions.
  • And Below. The rule applies to this version and all earlier versions.

Open Exceptions and then again select Publisher.

Modify Script Default Rules to Allow an App

Script Default Rule Types Include:

  • Allow members of the local Administrators group to run all scripts.
  • Allow members of the Everyone group to run scripts that are located in the Program Files folder.
  • Allow members of the Everyone group to run scripts that are located in the Windows folder.

Similarly, if you want to modify the script default rules, repeat the steps above.

Select the file or folder path that this rule should affect.

Open Exceptions and then again select Publisher.

In this way, you can implement the default rules and modify them for executable files, script rules or Windows Installer files according to your situation.
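To make the rule conditions, path wildcards, publisher version limits and exceptions described above concrete, here is an added example that is not part of the original article and is not Microsoft's AppLocker engine: a small Python model of how one file is evaluated against an executable rule collection. It encodes the three executable default rules listed earlier, adds an allow rule with an “And above” version limit, a Program Files rule carrying a publisher exception, and a deny rule for cmd.exe by publisher (the rule built in the last section), and shows that an explicit deny beats an allow while a file that no rule covers is blocked. The vendor name, product names, hash and file attributes are constructed sample values; the Microsoft publisher string is the one AppLocker displays for Windows binaries.

```python
"""Simplified model of how AppLocker evaluates a file against a rule collection.
Added example, NOT Microsoft's AppLocker engine: it only models the semantics
described above (publisher / path / hash conditions, path wildcards, publisher
version limits, exceptions, deny-beats-allow). Vendor, product and file
attributes are constructed sample values."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# AppLocker path variables for well-known folders (subset, folder layout assumed)
PATH_VARS = {"%PROGRAMFILES%": r"C:\Program Files", "%WINDIR%": r"C:\Windows"}

@dataclass
class FileInfo:
    path: str
    publisher: str = ""          # signing certificate subject; "" = unsigned
    product: str = ""
    binary: str = ""
    version: tuple = (0, 0, 0, 0)
    sha256: str = ""
    groups: frozenset = frozenset({"Everyone"})

@dataclass
class PathCond:                  # e.g. r"%PROGRAMFILES%\*"; '*' matches any text
    pattern: str
    def matches(self, f):
        pat = self.pattern
        for var, folder in PATH_VARS.items():
            pat = pat.replace(var, folder)
        return fnmatchcase(f.path.lower(), pat.lower())

@dataclass
class PublisherCond:             # "*" in a field means "any value"
    publisher: str = "*"
    product: str = "*"
    binary: str = "*"
    low: tuple = None            # "And above": lowest accepted version
    high: tuple = None           # "And below": highest accepted version
    def matches(self, f):
        if not f.publisher:      # an unsigned file never satisfies a publisher rule
            return False
        for want, have in ((self.publisher, f.publisher),
                           (self.product, f.product), (self.binary, f.binary)):
            if want != "*" and want.lower() != have.lower():
                return False
        if self.low is not None and f.version < self.low:
            return False
        return self.high is None or f.version <= self.high

@dataclass
class HashCond:                  # the hash changes with every update of the file
    sha256: str
    def matches(self, f):
        return f.sha256.lower() == self.sha256.lower()

@dataclass
class Rule:
    name: str
    action: str                  # "Allow" or "Deny"
    group: str                   # user or group the rule applies to
    cond: object
    exceptions: list = field(default_factory=list)
    def applies_to(self, f):
        return (self.group in f.groups and self.cond.matches(f)
                and not any(e.matches(f) for e in self.exceptions))

def evaluate(rules, f):
    """(decision, matching rule names): an explicit Deny beats any Allow, and a
    file that no rule covers is blocked when the collection is enforced."""
    hits = [r for r in rules if r.applies_to(f)]
    if any(r.action == "Deny" for r in hits):
        return "Deny", [r.name for r in hits]
    return ("Allow" if hits else "Deny"), [r.name for r in hits]

MS = "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
VENDOR = "O=EXAMPLE VENDOR, L=SAMPLETOWN, C=US"            # constructed

# The three executable default rules from the text, plus two custom rules.
EXE_RULES = [
    Rule("(Default) Administrators: all files", "Allow", "Administrators", PathCond("*")),
    Rule("(Default) Everyone: Windows folder", "Allow", "Everyone", PathCond(r"%WINDIR%\*")),
    Rule("(Default) Everyone: Program Files", "Allow", "Everyone", PathCond(r"%PROGRAMFILES%\*"),
         exceptions=[PublisherCond(publisher=VENDOR)]),       # that vendor is handled below
    Rule("Everyone: Example Vendor suite 2.0 and above", "Allow", "Everyone",
         PublisherCond(publisher=VENDOR, product="SAMPLE SUITE", low=(2, 0, 0, 0))),
    Rule("Everyone: block cmd.exe by publisher", "Deny", "Everyone",
         PublisherCond(publisher=MS, binary="CMD.EXE")),      # product wildcarded for brevity
]

def demo():
    """Decisions for a few constructed files: {label: decision}."""
    samples = {
        "cmd.exe, Microsoft-signed, standard user":
            FileInfo(r"C:\Windows\System32\cmd.exe", MS, "WINDOWS", "CMD.EXE", (10, 0, 0, 0)),
        "notepad.exe, Microsoft-signed, standard user":
            FileInfo(r"C:\Windows\System32\notepad.exe", MS, "WINDOWS", "NOTEPAD.EXE", (10, 0, 0, 0)),
        "unsigned download, standard user": FileInfo(r"C:\Users\raj\Downloads\tool.exe"),
        "unsigned download, administrator": FileInfo(r"C:\Users\raj\Downloads\tool.exe",
                                                     groups=frozenset({"Everyone", "Administrators"})),
        "vendor suite 1.5 in Program Files":
            FileInfo(r"C:\Program Files\Vendor\suite.exe", VENDOR, "SAMPLE SUITE", "SUITE.EXE", (1, 5, 0, 0)),
        "vendor suite 2.1 in Program Files":
            FileInfo(r"C:\Program Files\Vendor\suite.exe", VENDOR, "SAMPLE SUITE", "SUITE.EXE", (2, 1, 0, 0)),
    }
    return {label: evaluate(EXE_RULES, f)[0] for label, f in samples.items()}
```

Call demo() for the decisions, or evaluate(EXE_RULES, FileInfo(...)) to see which rules matched a particular file. The model is deliberately simplified: real AppLocker matches users by SID rather than group name, evaluates each rule collection (executable, script, installer, DLL) independently, and takes the publisher fields from the file's signature rather than from values you type in.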

Creating New Rules to Block an APP

If you want to make your own rule to allow or deny an action for any application, choose the “Create New Rule” option shown below. Let’s say I want to create a new executable file rule that restricts command prompt execution for everyone.

Then you will get a wizard that helps you create an AppLocker rule, which is based on file attributes such as the file path and digital signature.

NOTE: Install the applications you want to create the rules for on this computer.

Now select the action to use and the user or group that this rule should apply to. A deny action prevents the affected file from running.

Select the type of primary condition you would like to create. Here we have chosen the “Publisher” option.

Browse for a signed file to use as a reference for the rule. Here we have browsed to cmd.exe; then click Next.

Choose Publisher as the exception and then click Next.

And finally, this will add your rule to restrict the cmd.exe.

Set the Application Identity service to Automatic mode:

Then navigate to the “Application Identity” properties through Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Application Identity.

Then select “Automatic” as the service startup mode.

Now update the Group Policy with the gpupdate command.

Now when you try to open the command prompt (cmd.exe), you will get the restriction prompt shown.

Note: If you are configuring these rules on a single machine, it will take some time for the rule to be enforced on the machine.

Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

SMB Penetration Testing (Port 445)

In this article, we will learn how to gain control over our victim’s PC through the SMB port. There are various ways to do it, so let’s take the time to learn all of them, because different circumstances call for different measures.

Table of Content

Introduction to SMB Protocol

  • Working of SMB
  • Versions of Windows SMB
  • SMB Protocol Security

SMB Enumeration

Scanning Vulnerability

Multiple Ways to Exploit SMB

  • Eternal Blue
  • SMB login via Brute Force
  • PSexec to connect SMB
  • Rundll32 One-liner to Exploit SMB
  • SMB Exploit via NTLM Capture

SMB DOS-Attack

Post Exploitation

File Sharing

  • smbserver
  • smbclient

Introduction to SMB Protocol

Server Message Block (SMB), the modern dialect of which was known as the Common Internet File System (CIFS), is an application-layer network protocol for file sharing that allows applications on a computer to read and write files and to request services from server programs in a computer network. The SMB protocol can be used on top of TCP/IP or other network protocols. Using the SMB protocol, an application (or the user of an application) can access files or other resources on a remote server. This allows applications to read, create, and update files on the remote server. It can also communicate with any server program that is set up to receive an SMB client request.

Working of SMB

SMB functions as a request-response, or client-server, protocol. The only time the protocol does not work in a request-response fashion is when a client requests an opportunistic lock (oplock) and the server has to break an existing oplock because the current mode is incompatible with it. Client computers using SMB connect to a supporting server using NetBIOS over TCP/IP, IPX/SPX, or NetBEUI. Once the connection is established, the client computer or program can open, read/write, and access files much as with the file system on a local computer.

Versions of Windows SMB

CIFS: The old version of SMB, which was included in Microsoft Windows NT 4.0 in 1996.

SMB 1.0 / SMB1: The version used in Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2.

SMB 2.0 / SMB2: The version used in Windows Vista and Windows Server 2008.

SMB 2.1 / SMB2.1: The version used in Windows 7 and Windows Server 2008 R2.

SMB 3.0 / SMB3: The version used in Windows 8 and Windows Server 2012.

SMB 3.02 / SMB3: The version used in Windows 8.1 and Windows Server 2012 R2.

SMB 3.1: The version used in Windows Server 2016 and Windows 10.

Presently, the latest version of SMB is the SMB 3.1.1 which was introduced with Windows 10 and Windows Server 2016. This version supports AES 128 GCM encryption in addition to AES 128 CCM encryption added in SMB3, and implements pre-authentication integrity check using SHA-512 hash. SMB 3.1.1 also makes secure negotiation mandatory when connecting to clients using SMB 2.x and higher.

SMB Protocol Security

The SMB protocol supports two levels of security. The first is share level: the server is protected at this level and each share has a password. The client computer or user has to enter the password to access data or files saved under that share. This is the only security model available in the Core and Core Plus SMB protocol definitions. User-level protection was later added to the SMB protocol. It is applied to individual files, and each share is based on specific user access rights. Once a server authenticates the client, the client is given a unique identifier (UID) that is presented upon access to the server. The SMB protocol has supported individual security since LAN Manager 1.0 was implemented.

SMB Enumeration

Every pentester performs SMB enumeration during network penetration testing to identify the following information about a Windows or Samba system:

  • Banner Grabbing
  • RID cycling
  • User listing
  • Listing of group membership information
  • Share enumeration
  • Detecting if host is in a workgroup or a domain
  • Identifying the remote operating system
  • Password policy retrieval

Here you can observe that we are using nmap, the most famous network scanning tool, for SMB enumeration.

As a result, we enumerated the following information about the target machine:

Operating System: Windows 7 ultimate

Computer Name & NetBIOS Name: Raj

SMB security mode: SMB 2.02

There are so many automated scripts and tools available for SMB enumeration and if you want to know more about SMB Enumeration then read this article “A Little Guide to SMB Enumeration”.

Scanning Vulnerability

During the enumeration phase, we generally go for banner grabbing to identify the version of the running service and the host operating system. Once you have enumerated this information, you should move to the vulnerability scanning phase to identify whether the installed service is a vulnerable version or a patched one.

Nmap provides various scripts to identify the state of vulnerability of specific services; similarly, it has a built-in script for SMB to identify whether the given target IP is vulnerable.

As a result, it shows that the target machine is highly vulnerable to MS17-010 (EternalBlue) because of SMBv1.

To know more about MS17-010, read the complete article “3 ways to scan Eternal Blue Vulnerability in Remote PC”.
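The nmap scripts used above report which SMB dialect a host speaks and its security mode; the following added example (not from the article and not nmap's code) shows what that check looks like on the wire. It builds an SMB1 Negotiate Protocol request and parses the reply: an SMB1 reply selecting “NT LM 0.12” means SMBv1 is still enabled (the precondition for MS17-010 noted above), and the SecurityMode byte exposes the user-level versus share-level distinction and whether signing is required, as described under SMB Protocol Security. An SMB2 reply is parsed for its dialect revision (0x0202 is the “SMB 2.02” reported in the enumeration). The two replies are constructed sample bytes so the parser runs offline; probe() performs the same exchange against a real host.

```python
"""Which SMB dialect does a server negotiate, and with which security mode?
Added example, not from the article and not nmap's smb-protocols script: it
builds an SMB1 Negotiate Protocol request and parses either an SMB1 or an SMB2
reply. The two replies below are constructed sample bytes; probe() runs the
same exchange against a real host."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_ONLY = ("NT LM 0.12",)                       # offer SMBv1 only: a reply means SMBv1 is on
ANY = ("NT LM 0.12", "SMB 2.002", "SMB 2.???")     # let the server choose its best family
SMB2_NAMES = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2",
              0x0311: "3.1.1", 0x02FF: "2.??? (wildcard; a second negotiate follows)"}


def smb1_header(command=0x72, flags=0x18, flags2=0xC801):
    """32-byte SMB1 header; command 0x72 is SMB_COM_NEGOTIATE."""
    return SMB1_MAGIC + struct.pack("<BIBHH8sHHHHH", command, 0, flags, flags2,
                                    0, b"\0" * 8, 0, 0, 0xFEFF, 0, 1)


def frame(smb):
    """NetBIOS session service framing: type 0x00 and a 3-byte big-endian length."""
    return struct.pack(">I", len(smb)) + smb


def negotiate_request(dialects=SMB1_ONLY):
    """Negotiate body: WordCount 0, ByteCount, then each dialect as 0x02 + name + NUL."""
    names = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return frame(smb1_header() + struct.pack("<BH", 0, len(names)) + names)


def parse_negotiate_response(reply, dialects=SMB1_ONLY):
    """Describe the server's choice as a dict, or None if the reply is unusable."""
    if len(reply) < 4:
        return None
    length = struct.unpack(">I", reply[:4])[0] & 0xFFFFFF
    smb = reply[4:4 + length]
    if smb[:4] == SMB1_MAGIC and len(smb) >= 36 and smb[4] == 0x72:
        if smb[32] == 0:                          # WordCount 0: an error reply
            return None
        index, mode = struct.unpack_from("<HB", smb, 33)   # DialectIndex, SecurityMode
        if index == 0xFFFF:                       # none of our dialects accepted
            return {"family": "SMB1", "dialect": None}
        return {"family": "SMB1", "dialect": dialects[index],
                "user_level_security": bool(mode & 0x01),  # else share-level passwords
                "signing_required": bool(mode & 0x08)}
    if smb[:4] == SMB2_MAGIC and len(smb) >= 70:
        # 64-byte SMB2 header, then StructureSize, SecurityMode, DialectRevision
        mode, revision = struct.unpack_from("<HH", smb, 66)
        return {"family": "SMB2", "dialect": SMB2_NAMES.get(revision, hex(revision)),
                "signing_required": bool(mode & 0x02)}
    return None


def probe(host, port=445, dialects=SMB1_ONLY, timeout=3.0):
    """Run the exchange against a real server (not exercised by the tests)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(negotiate_request(dialects))
        return parse_negotiate_response(sock.recv(4096), dialects)


# Constructed SMBv1 reply: WordCount 17, DialectIndex 0 ("NT LM 0.12"), SecurityMode
# 0x03 (user-level security, challenge/response), then an 8-byte challenge.
SAMPLE_SMB1_REPLY = frame(
    smb1_header(flags=0x98)
    + struct.pack("<BHBHHIIIIQhB", 17, 0, 0x03, 50, 1, 16644, 65536, 0, 0x8001F3FD, 0, 0, 8)
    + struct.pack("<H8s", 8, b"\x11\x22\x33\x44\x55\x66\x77\x88"))

# Constructed SMB2 reply: 64-byte header (command 0 = NEGOTIATE, flags 1 = response),
# body StructureSize 65, SecurityMode 0x01 (signing enabled, not required), dialect 0x0202.
SAMPLE_SMB2_REPLY = frame(
    SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, b"\0" * 16)
    + struct.pack("<HHH", 65, 0x01, 0x0202))


if __name__ == "__main__":
    print(parse_negotiate_response(SAMPLE_SMB1_REPLY))
    print(parse_negotiate_response(SAMPLE_SMB2_REPLY, ANY))
```

Offering only “NT LM 0.12” is what makes this an SMBv1 inventory check: a server that still speaks SMBv1 answers with DialectIndex 0, while one that has it disabled normally drops the connection. Offering the ANY list instead lets a modern server answer with an SMB2 header, and the signing flag it returns is the setting to compare against your hardening baseline.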

Multiple Ways to Exploit SMB

Eternal Blue

As we know it is vulnerable to MS17-010, we can use Metasploit to exploit this machine. Therefore we run the following module, which directly exploits the target machine.

Boomm!! We have successfully accessed the remote machine’s shell, as shown in the image below.

SMB login via Brute Force

If you fail to find SMB in a vulnerable state, or find a patched version of SMB on the target machine, then we have “brute force” as another option to gain unauthorized access to the remote machine.

Here we only need two dictionaries, one containing a list of usernames and the other a list of passwords, and a brute-forcing tool to carry out the attack.

-L –> denotes the path of the username list

-P –> denotes the path of the password list

Once the command is executed it will start the dictionary attack, and you will have the right username and password in no time. After a few minutes, Hydra cracks the credentials; as you can observe, we successfully grabbed the SMB username raj and password 123.

To know more about it, read the complete article from here: “5 Ways to Hack SMB Login Password”.

If you have SMB login credential, then you can use following module to determine what local users exist via the SAM RPC service.

PSexec – To Connect SMB

Once you have the SMB login credentials of the target machine, you can use the following Metasploit module to obtain a Meterpreter session and access the remote shell.

Once the commands run, you will gain a Meterpreter session on your victim’s PC and can access it as you want.

There are many scripts and tools available to connect to a remote machine using the SMB protocol; we have already written an article on connecting over SMB in multiple ways. Read the complete article from here: “Multiple ways to Connect Remote PC using SMB Port”.

Rundll32 One-liner to Exploit SMB

This module serves payloads via an SMB server and provides commands to retrieve and execute the generated payloads. Currently supports DLLs and Powershell.

This generates a link to a malicious DLL file; now send this link to your target and wait for their action.

As soon as the victim runs the above malicious code in the Run prompt or the command prompt, we get a Meterpreter session in Metasploit.

SMB Exploit via NTLM Capture

Another method to exploit SMB is NTLM hash capture: capturing the challenge-response password hashes from the target machine.

This module provides a SMB service that can be used to capture the challenge-response password hashes of SMB client systems. Responses sent by this service have by default the configurable challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel, L0phtcrack or John the ripper (with jumbo patch). To exploit this, the target system must try to authenticate to this module.

Simultaneously, run the nbns_response module alongside the capture smb module.

This module forges NetBIOS Name Service (NBNS) responses. It will listen for NBNS requests sent to the local subnet’s broadcast address and spoof a response, redirecting the querying machine to an IP of the attacker’s choosing. Combined with auxiliary/server/capture/smb or auxiliary/server/capture/http_ntlm it is a highly effective means of collecting crackable hashes on common networks. This module must be run as root and will bind to udp/137 on all interfaces.

As a result, this module generates a fake Windows security prompt on the victim’s system when it tries to connect to another system to access that system’s shared folders.

We used nmap UDP and TCP port scans to identify open ports and protocols; from the image below you can observe that port 137 is open for the NetBIOS service on our local machine.

Now, when the victim tries to access our shared folder, they connect to us through the network; the image below demonstrates that the victim is connecting to the malicious IP 192.168.1.109. When the victim tries to access the shared folder, they are trapped by a fake Windows security alert prompt, which asks them to enter their username and password to access the shared folders.

Awesome!! Once again the attacker has captured an NTLMv2 hash; from the image you can see that the attacker has captured:

Username: raj

Now use John the Ripper to crack the NTLMv2 hash by executing the command given below.

From the image below you can confirm that we successfully retrieved the password 123 for user pentest by cracking the NTLMv2 hash.

To know more about it, read the complete article from here: “4 Ways to Capture NTLM Hashes in Network”.

SMB DOS-Attack

SMB DoS attack is another excellent method available in the Metasploit framework.

This module exploits a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger this bug, run this module as a service and force a vulnerable client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC path (\\HOST\share\something) into a web page if the target is using Internet Explorer, or a Word document otherwise.

Now, when the victim tries to access the shared folder through our malicious IP, the target machine crashes; this attack is very effective.

Post Exploitation

This module will enumerate configured and recently used file shares.

As you can observe, it has shown three UNC paths that had been entered in the Run dialog.

File Sharing

Smbserver.py

Now we will use a Python script that starts an SMB service on our Linux machine. This is useful in the situation where the target machine does NOT have a writeable share available. You can visit GitHub for this Python script.

I copied the Python code from GitHub and pasted it into a text file as smbserver.py in the Desktop folder. Now execute the command given below to share the folder “raj”.

Since we know the SMB service is running on the host machine 192.168.1.108, and we are using a Windows platform, we can access its shared folder through the Run prompt.

Hence you can observe that we successfully accessed the folder “raj” and found two text files, user and pass, in it. In this way we can use the SMB Python script for sharing files between Windows and Linux machines.

Smbclient

smbclient is a client that can ‘talk’ to an SMB/CIFS server. It offers an interface similar to that of the ftp program. Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on.

As you can observe, with the help of smbclient we are able to view the shared folders of the victim’s machine. Moreover, we can use smbclient for sharing files on the network. Here you can observe that we logged in successfully using the raj:123 credentials and transferred the user.txt file.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

Hack the Box: Fighter Walkthrough

Today we are going to solve another CTF challenge, “Fighter”. It is a retired vulnerable lab presented by Hack the Box to help pentesters perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are available online, they have a static IP. The IP of Fighter is 10.10.10.72.

Penetration Methodology

  • Network scanning (Nmap)
  • Browsing IP address through HTTP
  • Adding Domain name to /etc/hosts
  • Bruteforcing subdomains
  • Adding new domain name to /etc/hosts
  • RCE using SQL injection
  • Upgrading shell to meterpreter session
  • Finding vulnerable service
  • Editing Exploit to bypass OS check
  • Finding root.exe
  • Reversing program to find the password
  • Creating a C-program to find the password
  • Getting root flag

Walkthrough

Let’s start off with our basic nmap command to find out the open ports and services.

The Nmap output shows us that there is only 1 port open: 80 (HTTP).

We find that port 80 is running http, so we open the IP in our browser.

On the homepage we find a domain name, “streetfighterclub.htb”. We add the domain to our /etc/hosts file.

We don’t find anything new on the webpage, but looking further we suspect that there are subdomains that will give us more clues. We intercept the request and send it to Intruder, then select the position we want to brute force.

We select the wordlist; we use namelist.txt, located in /usr/share/dnsrecon/.

After bruteforcing we find a subdomain called “members.streetfighterclub.htb” that gave HTTP code 403.

We add the subdomain in /etc/hosts so that we can access the web site.

We open the webpage and get a 403 Forbidden error.

We now run a dirb scan on members.streetfighterclub.htb and find a directory called “old”.

We then look for webpages inside that directory. As we know it is an IIS server, we look for “asp” files on the web server and find a page called “login.asp”.

We open the web page and find a login page.

We enumerate the webpage and find that the web application is vulnerable to SQL injection. We find a username, password and e-mail but are unable to log in. So we try command injection through the SQL injection. We referred to this link.

We set up our listener and get a reverse shell.

We are not able to find anything on the target machine. So we try to convert our shell into a Meterpreter session but are unable to run any exe file; there was a firewall that did not allow us to run exe files. We found a reference through this link on how to bypass this. We use the nps payload to create an XML file that contains our payload (download from here).

We move into “c:\users\sqlserv” as we have a shell as user sqlserv.

We run the command provided by the nps payload to start our listener.

We start our python HTTP Server to send our file to the target machine.

We download the file using certutil.exe on the target machine.

We then run the XML file we uploaded using msbuild.exe.

As soon as we run the file we get a Meterpreter session. As we can see by running sysinfo, we have a 32-bit Meterpreter session on a 64-bit machine.

To convert it into a 64-bit session, we check the processes and find a running 64-bit process. We then migrate to that 64-bit process and get a 64-bit session.

We still don’t find anything to escalate our privileges. As this machine is themed on the Street Fighter game, we google for Street Fighter exploits and find that Street Fighter 5 has a privilege escalation vulnerability. We find that Street Fighter has a service called Capcom, so we check whether Street Fighter 5 is installed on the target machine.

We find this Metasploit exploit here; we try to run it but are unable to get a shell, as it gives an error stating that the system is not vulnerable. So we make changes to the code and comment out the section where it checks the OS version.

Now we are successfully able to run the exploit.

When we check the uid we find that we are successfully able to get administrative rights.

We enumerate the directories to find the flags, and inside “c:\users\decoder\Desktop” we find a file called “user.txt”. When we look at the contents of the file we find our first flag.

We move into c:\users\Administrator\Desktop and find a file called “root.exe”. We run it and find that it asks for a password. There is also a DLL called “checkdll.dll”; the password might be checked using this DLL.

We download both the files into our system using meterpreter.

We reverse engineer them using IDA and find that this program XORs 9 with each character of the variable aFmFeholH. Analysing with IDA tells us that the variable contains “FmfEhO1}h”.

So we create a C program that XORs 9 with each character of “FmfEhO1}h”.

We compile and run the program and get the password “OdioLaFeta”.
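The C program described above is not reproduced in the walkthrough; as an added example (in Python rather than C, and not the author's code or the DLL's own logic), here is the same XOR-9 recovery together with a model of the password check it defeats. The stored bytes are an assumption: they are constructed as the XOR-9 encoding of the password the walkthrough recovers, not copied from the quoted string.

```python
"""Recovering a password hidden by a single-byte XOR, as in the Fighter root.exe
check. Added example: not the walkthrough's C program and not checkdll.dll's
own code. STORED is an assumption: it is constructed here as the XOR-9 encoding
of the password the walkthrough recovers, rather than copied from the text."""

KEY = 0x09                                   # the constant IDA showed being XORed in

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)

# Constructed stand-in for the obfuscated string inside the DLL.
STORED = xor_bytes(b"OdioLaFeta", KEY)       # b'Fm`fEhOl}h'

def check_password(candidate: bytes, stored: bytes = STORED, key: int = KEY) -> bool:
    """Model of the DLL's check: compare the typed password, XORed with the key,
    against the stored constant (equivalently, decode the constant and compare)."""
    return xor_bytes(candidate, key) == stored

def recover(stored: bytes = STORED, key: int = KEY) -> str:
    """What the walkthrough's C program does: decode the constant directly.
    Once the key is visible in the binary, the obfuscation offers no protection."""
    return xor_bytes(stored, key).decode("ascii")

def candidate_keys(stored: bytes) -> list:
    """Generalisation: when the key is not obvious from the disassembly, try all
    256 one-byte keys and keep those whose output is printable ASCII."""
    return [(k, xor_bytes(stored, k).decode("ascii"))
            for k in range(256) if all(0x20 <= b ^ k < 0x7F for b in stored)]

if __name__ == "__main__":
    print(recover())                          # OdioLaFeta
    print(check_password(b"OdioLaFeta"), check_password(b"guess"))
```

The symmetry of XOR is the whole weakness: the same routine that the DLL uses to compare the input is the routine that reveals the secret, so a constant obfuscated this way is only hidden from a casual string search, not from anyone reading the disassembly.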

When we provide the password to the root.exe we get our final flag.

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast.