Good morning my fellow #infosec and other curious individuals! Today is day TWO of my <semi> live tweeted Internal Penetration Test with Acme. Updates to follow. Here's the thread from yesterday:
First things first, gotta get the house situated so that I can be undistracted. Let's grab some breakfast, reestablish my tunnels and start taking a look at overnight scanning data.
Oh, and if anyone is interested, this is my base playlist: music.youtube.com/playlist?list=…
BUT I click "Start Radio" so that it gets stuff like the playlist. :)
Looks like one of the Nessus scanners picked up a bunch of WebLogic/Tomcat issues overnight. This is common with SWIFT. Let's take a look and maybe get a shell?
That AsyncResponse Vuln in WebLogic never disappoints! Linux shell obtained!
Need a ghetto TTY?
python -c 'import pty; pty.spawn("/bin/bash")'
Need to do some privilege escalation. For the sake of time, we'll use LinEnum. (I'm aware there are a bazillion other options) github.com/rebootuser/Lin…
I'm pretty sure it's an easy upgrade and this device is on the domain, so there's at least more I can do with it like 1/x
if it will allow me to login with the domain user I have, I may be able to escalate through that via some arbitrary policy that I've not discovered yet.
While enumerating stuff myself as the script is running, I found some passwords in ~/.bash_history! They don't work on any account on this device directly, but maybe in the domain?
That's a nope. Let's keep going.
Ok. Device wasn't connected to the domain, and there's no immediate way to root. Probably a ton of files that have juicy info in them, but we'll come back to it. There is another WebLogic server with this vulnerability. Let's hit that.
Ohh! This one is Windows, should be an instant SYSTEM shell if I can get it stable.
Was not a SYSTEM shell. But it did get me another user. Looks like this user has the ability to escalate to high-integrity:
Meterpreter is being killed immediately, so currently I'm just stuck with a shell. @zerosum0x0 created an awesome tool called Koadic, and I forked it when they took their leave of absence. I didn't really modify it. github.com/offsecginger/k…
This should be enough to dump lsass
@zerosum0x0 Ok. So even Koadic is getting eaten. No worries. We can do this with something else. I'll hold off on using Cobalt Strike for now.
@zerosum0x0 Ok had to step away for a second to marvel at the realization of what device I'm actually on. I can see every single SWIFT message before it's sent to the autoclient. Hell, I think I can manipulate them too. Screw it. I'm standing up Cobalt Strike.
Ok. Back. That was annoying, and Cobalt Strike isn't needed. I just decided to exhaust different avenues of getting a solid shell. I was unsuccessful. BUT! Here's what I DO have now:
- Weak CMDShell
- A local Admin user I created (unneeded now)
- Valid TGTs for domain users! 1/x
I was successful in using the Weak CMDShell I got from exploiting WebLogic to execute Rubeus in memory. Check this out:
2/x
More DNS trouble. Back on track now! I think my next step will be to escalate in the domain. Playing with these half-privileges is causing more trouble than it's worth.
I stole one of the TGTs from this SWIFT device and used it against the only device that the user was Local Admin on. SMBExec'd and now I have a SYSTEM shell on a device!
Ok that's going to be all for the day! I was able to dump some hashes with CrackMapExec (which gave me a cleartext password), sprayed that and it gave me 3 more accounts, which gave me one more device to dump LSA. Pulling threads, I tell ya!
Speaking of:
I'm going to <semi> live tweet this Internal Penetration Test. Calling the company Acme
Important notes:
Assumed Breach (Already have a Debian-based image, no creds, but solely for the sake of having tools locally)
Landing in the SWIFT gateway network
Flags: DA/SWIFT 1/x
Non-Evasive (we can sound alarms, they're only monitoring and validating our actions, this is not a purple team assessment to fill gaps in their NIPS)
Crystal/Glass/Full-Disclosure whatever your org calls "we'll give you any info you need to progress in terms of network topology"
Starting off with good old Nessus/Nmap one-two punch against the in-scope ranges provided to us during our kick off. #nessus #nmap
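The day-two thread above ends with a password spray that turned one cleartext credential into three more accounts. The following is an added example, not part of the original thread, of the kind of detection the monitoring team mentioned under "Non-Evasive" could run over the resulting authentication events: it flags a source that fails against many distinct accounts inside a short window (the spray signature) and then lists which successful logons from that source followed. The event lines, hosts, usernames and timestamps are constructed for the example, and the simplified CSV shape is an assumption; real Windows 4625/4624 records would be pulled from the Security log and mapped into this form first.

```python
"""Password-spray detection over simplified Windows logon events.

Each line is 'timestamp,event_id,source_ip,target_user'. 4625 is a failed
logon, 4624 a successful one. All data below is constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (placeholder IPs and usernames, not real data).
# 10.0.5.23 sprays six accounts in ten seconds and then lands two of them;
# 10.0.7.9 is a single user mistyping a password, which should not be flagged.
SAMPLE_EVENTS = """\
2019-05-08T09:00:01,4625,10.0.5.23,alice
2019-05-08T09:00:03,4625,10.0.5.23,bob
2019-05-08T09:00:05,4625,10.0.5.23,carol
2019-05-08T09:00:07,4625,10.0.5.23,dave
2019-05-08T09:00:09,4625,10.0.5.23,erin
2019-05-08T09:00:11,4625,10.0.5.23,frank
2019-05-08T09:00:40,4624,10.0.5.23,carol
2019-05-08T09:00:42,4624,10.0.5.23,frank
2019-05-08T09:10:00,4625,10.0.7.9,alice
2019-05-08T09:10:05,4625,10.0.7.9,alice
2019-05-08T09:10:10,4625,10.0.7.9,alice
2019-05-08T09:11:00,4624,10.0.7.9,alice
"""


def parse_events(text):
    """Parse the CSV-style lines into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, src, user = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "src": src,
            "user": user,
        })
    return events


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: sorted list of targeted users} for every source whose
    failed logons hit at least `min_accounts` distinct accounts within `window`.

    A spray is "one password, many users", so the signal is account diversity
    per source, not the raw failure count (which a lockout policy already sees).
    """
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_src[e["src"]].append(e)

    alerts = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        flagged = set()
        start = 0
        # Sliding window over the time-ordered failures of this source.
        for end, f in enumerate(fails):
            while f["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {x["user"] for x in fails[start:end + 1]}
            if len(users) >= min_accounts:
                flagged |= users
        if flagged:
            alerts[src] = sorted(flagged)
    return alerts


def successes_after_spray(events, alerts):
    """Successful logons (4624) from a flagged source at or after its first
    failure, i.e. the accounts the spray actually yielded. Returned in time order."""
    ordered = sorted(events, key=lambda e: e["ts"])
    first_fail = {}
    for e in ordered:
        if e["event_id"] == 4625 and e["src"] in alerts:
            first_fail.setdefault(e["src"], e["ts"])
    hits = []
    for e in ordered:
        if (e["event_id"] == 4624 and e["src"] in alerts
                and e["ts"] >= first_fail[e["src"]]):
            hits.append((e["src"], e["user"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    found = detect_spray(evs)
    for src, users in found.items():
        print(f"spray from {src} against {len(users)} accounts: {', '.join(users)}")
    for src, user in successes_after_spray(evs, found):
        print(f"  successful logon from {src} as {user} after the spray")
```

With the sample data the single-account source is ignored, the spraying source is reported with all six targeted accounts, and the two subsequent successes are the credentials a responder would want reset first. The window and account threshold are tuning knobs; a slow spray spread over hours needs a longer window, at the cost of more noise from shared jump hosts.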