Shell is just a beginning

Written by on
Hi Guys,

It been long time since my last post. Recently I came across and amazing blog post which made me forced to replicate the scenario in my lab. But I made additional changes in the lab where we can learn few more cool things.

So let create a fictional story which will make us feel more excited. So lets assume we have got an assignment where we are suppose to perform an external Red Team assessment and our goal is to gain access on the domain controller.

As this is a lab environment for demonstration, let's consider this 10.0.2.6 IP as an external IP system/address

Step 1:

Let scan the IP address on port 8080 for Apache tomcat



Step 2:

As we see we need an login credentials to access the tomcat manager. So lets try to brute force using Metasploit auxiliary module.


Hurrah we got the credential for the tomcat manager tomcat:tomcat

Step 3:

Lets create a normal webshell and generate the war file for uploading it on tomcat. You can read this blog for more details




Step 4:

Login in Apache Tomcat manager and upload the webshell.



Step 5:

Access the web shell and check the privileges of current user


Step 6:

We have System privileges so let create a new user and add him into local administrators group

Command :- net user popo secretpass@123  /add
                      net localgroup administrators popo /add


Step 7:

So we have local admin user on the system. Let create a tunnel which can help us to access RDP from our system 😀. 
Please read the tool manual for more understanding. 
We are going to use ABPTTS and generate webshell in jsp format and build the war file for uploading it on the tomcat manager.





Step 8:

Lets access the tunneled webshell and access the RDP service with our newly created user popo over http. 




Step 9:

Now lets dump the lsass file and download it using Apache tomcat example page 😀





Step 10:

We will use Mimikatz to parse the lsass dump and get the credentials.



Step 11:

Hurrah we got the domain administrator NTLM hash from the system. So let try to access RDP using the domain admin users NTLM hash. 


Step 12:

We cannot access the RDP service by passing the NTLM hash so let make some changes in order to access RDP via NTLM hash.

Enter below command in powershell to enable restricted admin mode

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force


Step 13:

Now let try again to access the RDP service with domain admin users NTML hash 


Step 14:

Now let access the DC using PSremoting.


So we have gain access to DC with domain admin privilege. Now it time to Report the client 😋 

As I mention in the beginning this is fictional red team story. But in real world you can still find some default credential for Apache tomcat and try to penetrate in the network.

Thanks for reading. Please comment for any suggestion

Thanks to my friends and family who always support me
🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏 

Comments

Post a Comment

Popular posts from this blog

Process Injection - Part I

Written by on
Image
Hello All, After publishing the post about Dumping Process Memory with Custom C# Code my friend Himanshu suggested me to write a tool & a blog post about Process Injection for learning and he referenced his post about Code Injection which covers the concept about the vanilla process injection technique. It was quite interesting to learn and understand the core concepts about Process Injection techniques and as a learning path to code in c# leveraging Windows API I started writing the tool for Process Injection. What is Process Injection ? Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. Why Process Injection ?
Read more

Introduction to Callidus

Written by on
Image
Hello All, Performing Red Team assessments are becoming challenging day by day. In mature environments we see a lot of custom tool development and new techniques are getting discovered by the community to overcome various challenges. While thinking about such challenges, I came up with the idea of creating a tool that can leverage legitimate services for establishing command & control communication channel which is likely to be whitelisted or are less monitored due to the nature of services used by the corporate environments. This is not a new technique, we have already seen similar projects that were developed to leverage legitimate services for command & control. Communication channels such as Slackor for Slack C2, DaaC2 for Discord C2 or  Domain Fronting techniques etc. In this post I will introduce you to a tool called "Callidus" which I created to learn & to improve my knowledge about developing custom toolset in C# and learning how to leverage
Read more

Exploring the Dark Side of Package Files and Storage Account Abuse

Written by on
Image
 Hello All, In this blog, we dive into the dark side of package files and Storage Account abuse within the Azure Function App service. We explore how package files can be leveraged to enhance the functionality of the Functions Apps, shedding light on the potential abuse of package files. By examining the connection between the Function App and Storage Account, we uncover how attackers can abuse the Storage Account's connection string to gain unauthorized access to the Function Apps. We will provide step-by-step insights into replacing binary files and deploying custom code, enabling attackers to take control of the Function App.  The research was jointly done by  Raunak and myself . What are Function Apps? Function Apps (Lambda in AWS) are serverless computing services provided by Azure Cloud. They allow developers to build and deploy small, functions that can be triggered by events such as simple HTTP request. Function Apps provide an environment for executing our code without th
Read more