Shell is just a beginning

Hi Guys,

It been long time since my last post. Recently I came across and amazing blog post which made me forced to replicate the scenario in my lab. But I made additional changes in the lab where we can learn few more cool things.

So let create a fictional story which will make us feel more excited. So lets assume we have got an assignment where we are suppose to perform an external Red Team assessment and our goal is to gain access on the domain controller.

As this is a lab environment for demonstration, let's consider this 10.0.2.6 IP as an external IP system/address

Step 1:

Let scan the IP address on port 8080 for Apache tomcat



Step 2:

As we see we need an login credentials to access the tomcat manager. So lets try to brute force using Metasploit auxiliary module.


Hurrah we got the credential for the tomcat manager tomcat:tomcat

Step 3:

Lets create a normal webshell and generate the war file for uploading it on tomcat. You can read this blog for more details




Step 4:

Login in Apache Tomcat manager and upload the webshell.



Step 5:

Access the web shell and check the privileges of current user


Step 6:

We have System privileges so let create a new user and add him into local administrators group

Command :- net user popo secretpass@123  /add
                      net localgroup administrators popo /add


Step 7:

So we have local admin user on the system. Let create a tunnel which can help us to access RDP from our system 😀. 
Please read the tool manual for more understanding. 
We are going to use ABPTTS and generate webshell in jsp format and build the war file for uploading it on the tomcat manager.





Step 8:

Lets access the tunneled webshell and access the RDP service with our newly created user popo over http. 




Step 9:

Now lets dump the lsass file and download it using Apache tomcat example page 😀





Step 10:

We will use Mimikatz to parse the lsass dump and get the credentials.



Step 11:

Hurrah we got the domain administrator NTLM hash from the system. So let try to access RDP using the domain admin users NTLM hash. 


Step 12:

We cannot access the RDP service by passing the NTLM hash so let make some changes in order to access RDP via NTLM hash.

Enter below command in powershell to enable restricted admin mode

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force


Step 13:

Now let try again to access the RDP service with domain admin users NTML hash 


Step 14:

Now let access the DC using PSremoting.


So we have gain access to DC with domain admin privilege. Now it time to Report the client 😋 

As I mention in the beginning this is fictional red team story. But in real world you can still find some default credential for Apache tomcat and try to penetrate in the network.

Thanks for reading. Please comment for any suggestion

Thanks to my friends and family who always support me
🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏 

Comments

Post a Comment

Popular posts from this blog

Information Disclosure - Internal Path Disclosure (PHPWCMS) - CVE-2018-12990

Introduction to Callidus

Process Injection - Part I