Gathering Information with an Account
Searching for Accounts in Group Policy Object (GPO)
Two CrackMapExec modules can help us find credentials and usernames.
gpp_password
Checks for clear-text credentials and other user information stored in Group Policy Preferences. More on this attack here.
Mount the SYSVOL share and check for .XML files such as Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Printers.xml or Drives.xml.
gpp_autologin
Checks for clear-text credentials in Registry.xml, where autologin information can be stored.
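As an added example (not from the original notes nor from CrackMapExec itself), the check below is the defender-side version of what these two modules look for: it walks a copy of SYSVOL and reports any preferences file carrying a cpassword attribute, and any Registry.xml that stores a Winlogon DefaultPassword, without decrypting anything. The preference-file layout of Groups.xml and Registry.xml is assumed from the standard Group Policy Preferences format, and the sample files are constructed with placeholder values.

```python
# Added example (not from the original write-up nor from CrackMapExec): a defender-side
# audit of a SYSVOL copy for what gpp_password and gpp_autologin look for, without decrypting.
import os
import tempfile
import xml.etree.ElementTree as ET

GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml", "DataSources.xml",
             "Printers.xml", "Drives.xml", "Registry.xml"}

def scan_xml(path):
    """Return (kind, file, detail) findings for one Group Policy Preferences XML file."""
    findings, name = [], os.path.basename(path)
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return findings
    for el in root.iter():
        if "cpassword" in el.attrib:  # any cpassword attribute is a stored GPP password
            findings.append(("cpassword", name, el.attrib.get("userName", "?")))
        if (name == "Registry.xml" and el.tag == "Properties"  # Winlogon autologin value
                and el.attrib.get("name") == "DefaultPassword" and el.attrib.get("value")):
            findings.append(("autologin", name, el.attrib.get("key", "?")))
    return findings

def scan_sysvol(root_dir):
    """Walk a SYSVOL tree and collect findings from every known preferences file."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for n in files:
            if n in GPP_FILES:
                findings += scan_xml(os.path.join(dirpath, n))
    return findings

# Constructed sample files with placeholder values (not real credentials).
SAMPLE_GROUPS = ('<Groups><User name="backup"><Properties action="U" userName="CORP\\backup" '
                 'cpassword="PLACEHOLDER-CPASSWORD"/></User></Groups>')
SAMPLE_REGISTRY = ('<RegistrySettings><Registry><Properties action="U" hive="HKEY_LOCAL_MACHINE" '
                   'key="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" '
                   'name="DefaultPassword" type="REG_SZ" value="PLACEHOLDER"/></Registry></RegistrySettings>')

def demo():
    """Write the constructed samples into a temporary SYSVOL-like tree and scan it."""
    base = tempfile.mkdtemp()
    for sub, fname, body in (("Groups", "Groups.xml", SAMPLE_GROUPS),
                             ("Registry", "Registry.xml", SAMPLE_REGISTRY)):
        d = os.path.join(base, "Machine", "Preferences", sub)
        os.makedirs(d)
        with open(os.path.join(d, fname), "w") as fh:
            fh.write(body)
    return scan_sysvol(base)
```

Calling demo() reports one cpassword finding and one autologin finding on the constructed samples; scan_sysvol() can be pointed at a mounted SYSVOL copy.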
CrackMapExec Modules
CrackMapExec offers a ton of modules that can be used to compromise a domain and retrieve domain information.
It can be worthwhile to take a closer look at the source code of a module to get a better idea of what it does. The sources can be found in the following directory: CrackMapExec/cme/modules/
To list the modules available for a specific protocol and their options:
Working with Module Options
As an example of working with modules, Hack The Box Academy used the user-desc module, which displays domain user descriptions matching specific keywords.
To set an option, add the -o flag followed by the value as a key=value pair.
Add Custom Modules
We can add module scripts to CrackMapExec by placing them in the CrackMapExec/cme/modules/ directory.
Here is an example of fetching a CrackMapExec module script from GitHub and saving it in the modules directory for later use.
MSSQL Enumeration and Attacks
If we have credentials for a SQL server, we can run SQL queries on it with CME using the -q switch and the mssql protocol.
MSSQL supports several authentication methods (see the Password Spray section):
Local account
Active Directory user account
MSSQL custom account
MSSQL Queries
Retrieve all database names
Use the --local-auth flag to log in with an MSSQL user instead of a domain user account (the default).
Retrieve all table names from a database
where core_app is the name of the database to retrieve the table names from.
Retrieving data from a table
Retrieve all data from the table tbl_users in the core_app database.
Authenticating with a DBA Account
The DBA (Database Administrator) is the most privileged user of the database. CME shows (Pwn3d!) when the user authenticating to the database is a DBA.
xp_cmdshell
The DBA has the privilege to use the xp_cmdshell stored procedure, which allows executing Windows commands from the database. Use the -x flag.
Transferring files
CME allows attackers to upload and download files via MSSQL. See the wiki.
Only available in CME version >= 5.4.
Upload files to the victim machine: use the --put-file flag.
Download files to our host: use the --get-file flag.
To download the whoami.txt file to our /tmp/ directory:
SQL Privilege Escalation Module
CrackMapExec has modules to escalate privileges on the database.
The mssql_priv module identifies potential privilege escalation paths and escalates privileges to sysadmin.
Three options can be specified for this module:
enums_priv (default)
privesc
rollback
As seen in the output below, the user robert can impersonate julio, who is sysadmin.
It is possible to elevate our privileges using the option ACTION=privesc; robert then becomes sysadmin. To return to the previous state and remove robert's high privileges, use the option ACTION=rollback.
Error encountered
mssqlclient: 'SSL routines', 'state_machine', 'internal error' #856: GitHub issues
Finding Kerberoastable Accounts
CME can be used to find Kerberoastable accounts. Domain user credentials are needed, and the LDAP protocol is used.
Using Grace's credentials, we were able to identify Kerberoastable accounts and dump their $krb5tgs hashes.
We can use Hashcat to crack the Kerberoast hashes obtained.
Once the password for an account is obtained, we can check whether these credentials authenticate to a domain asset.
Shares Discovery
The following modules and options use the SMB protocol.
We can identify the shares a user has access to using this command. It outputs which shares the user grace has access to on the asset 10.129.203.121 and her permissions (READ/WRITE).
Spider Module
The Spider module is a convenient way to search shared folders for sensitive information within files. It allows us to search for files by file name or by file content.
Searching for files with the file name containing txt
This command searches for any file whose name contains "txt" in the IT folder.
It is also possible to match a pattern using the --regex flag instead of --pattern. To search for files containing a specific pattern, use the --content flag; this searches the content of the files, not only their names.
To list all files in a specific folder (IT):
Search for files containing the word "Encrypt".
Retrieving/Uploading Files
To retrieve a file from a shared folder, we can use the --get-file option. Conversely, if our user has WRITE access to the shared folder, we can upload a file to the target machine with the --put-file flag.
The --smb-timeout option can be used if the transfer of a large file fails.
Spider_Plus
The Spider_Plus module fetches file names and retrieves files from multiple shared folders at the same time. The list of shared folders, and of the files they contain that the user can access, is written to a JSON file at /tmp/cme_spider_plus/<IP>.json.
The command below lists all folders and files accessible to the user grace. The EXCLUDE_DIR option can be used to exclude folders we do not want the tool to look into.
By default, the Spider_Plus module only lists files and folders. To download all files from a specific shared folder, use the option -o READ_ONLY=false.
Stealing Hashes
HackTheBox introduced us to two modules aimed at capturing NetNTLMv2 hashes. These hashes can be captured when a user authenticates to the attacker's SMB server through a fake .lnk or .searchConnector-ms file. The hashes can be cracked offline or relayed to another target to pivot through the network.
Slinky
The slinky module creates a fake .lnk file pointing to an SMB server controlled by the attacker. When a user clicks on the fake link, we can capture the victim's NTLMv2 hash. If no directory is specified, slinky creates the .lnk file in every directory our user has WRITE access to.
The command below creates a .lnk file named important on the target 172.16.1.10 pointing to the attacker's SMB server (10.10.14.33).
To remove the .lnk file from the target system, we can use the CLEANUP option.
Drop-sc Module
Similar to the Slinky module, the drop-sc module creates a file on a target machine pointing to an SMB server owned by the attacker. Instead of a .lnk file, drop-sc creates a file with the .searchConnector-ms extension.
The command below creates a .searchConnector-ms file named secret in the IT-Tools share on the target 172.16.1.10. When a user clicks on the file, it forces authentication to the attacker's SMB server at 10.10.14.33.
Capturing/Relaying the NetNTLM hash
The objective of forcing a user's authentication with a fake file pointing to the attacker's SMB server is to capture the user's hash on our attacker machine. Once a user's hash is captured, we can crack it offline, or relay it to another machine on which the user has permissions in order to perform lateral movement.
The exercises had us practice both scenarios. We also had to reuse what we learned in the previous module about proxychains, since the target machines were located on another subnet.
Setting up the proxy
I used the Chisel tool to set up a tunnel to reach the 172.16.1.0/24 network.
As seen below, the Chisel server was started on the jump machine with the IP 10.129.91.134. I used a SOCKS5 proxy.
I used Chisel on my attacker machine to connect to the server.
With the tunnel set up properly, I could reach the target on the 172.16.1.0/24 network and drop the .lnk file on the target with the IP 172.16.1.10 using the slinky module. As seen in the picture, the file points to my attacker machine (10.10.15.126).
Responder
HackTheBox introduced us to Responder, which can be used to intercept Windows authentication requests over the network.
Once the .lnk file had been dropped on the target machine, I started Responder on the tun0 interface of my attacker machine. This allowed me to capture Julio's NetNTLMv2 hash, Julio being a simulated user clicking on the .lnk file we dropped. When Julio clicked on the .lnk file, this forced authentication to the attacker SMB server at 10.10.15.126.
Below is an example of a NetNTLMv2 hash captured using Responder.
Julio's hash could then be cracked using hashcat -m 5600.
Relaying with ntlmrelayx.py
Instead of cracking the hash, we could relay the authentication to another machine that has SMB signing disabled and on which Julio has permissions.
HackTheBox Academy asked us to relay the authentication to MS01, which has the IP 172.16.1.5. Because Julio is an administrator on that system, ntlmrelayx automatically dumped the SAM when Julio authenticated successfully.
The command below relays Windows authentication attempts that reach our attacker machine to the system with the IP 172.16.1.5.
As seen below, we were able to dump the administrator hash of the machine (172.16.1.5) by relaying Julio's authentication attempt.