Relaying Hashes from Responder

 In this lab, I captured a hash using Responder, and then relayed it back to the same machine to open a shell. This shell was then upgraded and via pivoting a new machine was exploited.


To start with, I did a scan to find open ports on the target machine. Next, I did a more thorough scan of the discovered open ports. I found that the remote machine was using netbios and running Windows 7.





The remote machine was running x86 architecture (32 bit) so I had to remove the original x86-64 (64 bit) files from the relay tool before compiling 32 bit versions.




I then turned the responder http and smb servers off as I wanted to relay the captured hashes. This was achieved by editing the file found @ /etc/responder/Responder.conf


I then started the Responder and Multirelay tools. An ntlmv2 hash was captured and relayed to open an interactive shell. From this shell, I was able to ascertain that the remote machine was connected to a second subnet (10.100.40.0/24)







In order to upgrade this shell to a meterpreter session, I generated a 32 bit payload using msfvenom, uploaded it to the remote machine, started a multi/handler in msfconsole and then executed the uploaded malware.






Another way to achieve this upgrade would be to use the web_delivery module in msfconsole.






Either way, once the meterpreter session had been established, my next job was to pivot to the other subnet and scan it for live hosts. I used a slightly long-winded command to set up the route, but there is a faster way to do it, too.





The meterpreter arp-scanner showed me that there was a host @ 10.100.40.107 and the msfconsole port scanner showed me that this host had several open ports, including port 80.






I wanted to know more about the service running on port 80, so I forwarded that port to my local port of 1234 and then did an nmap scan against it. This revealed that there was a BadBlue was running. A quick look on searchsploit revealed that the 2.7 version of BadBlue is vulnerable to a buffer overflow attack and msfconsole has a module developed to exploit it.






It was now just a matter of using the module to exploit the machine @ 10.100.40.107 In order to do this, the LHOST had to be set to the exploited machine I was pivoting through (172.16.5.10) rather than my own attacking machine. I also needed to use a windows/meterpreter/bind_tcp shell instead of a reverse_tcp shell. This worked and a meterpreter session was established on the second machine.




Popular posts from this blog

Hacking Year of the Owl (thm)

Image
NOTE: I am currently migrating my writeups and cybersecurity notes to  my github This writeup can be found in a new and shiny form at puzz00 year of the owl writeup  --- The Year of the Owl is a machine by MuirlandOracle on tryhackme   We start by using nmap to scan the TCP ports. The results show us that this appears to be a windows machine because we see netbios on port 139, SMB on 445 and winrm on its default port of 5985. We take a closer look but don't find much of interest. Since SMB is running, we can try a null session attack, but this does not work. We cannot connect using rpcclient without valid creds, either. Web app enumeration does not reveal anything of interest, so I have not included it in this post. We need to find another way to enumerate usernames and potential passwords. We can try common UDP ports using nmap. The results come back in the open|filtered state which is not very useful. We do not know if the ports are open or if the UDP datagrams are bei...
Read more

Hacking Reset (thm)

Image
  NOTE: I am currently migrating my writeups and notes regarding hacking aka pentesting to  my github - my reset writeup can be found here     Reset is a fun active directory based box on thm   We start with an nmap scan which shows us that the target machine is probably a domain controller as it has port 88 open. Domain controllers typically have this port open since they are involved in kerberos based authentication. We also find some useful data regarding the domain and machine we are attacking. In addition, we find port 5985 is open - this is of interest as it is a port which is used by winrm which in turn is a service which could potentially give us a remote session on the target machine if we find valid credentials.    Since smb is being used, we start our enumeration of the haystack machine by taking a look at it - can we get a null session and thereby enumerate useful data? We find that we can. The IPC$ share has read access to non-authentica...
Read more

Simple CTF (tryhackme)

Image
  I started with a quick SYN scan of all ports on the target machine. The -T4 flag speeds up the scan from the default -T3 and the -p- flag specifies all ports to be scanned. As can be seen from the results, ports 21, 80 and 2222 had services listening on them. It was now time to take a closer look at those three ports, so I used the -A flag with nmap to find out more. The anonymous login allowed using FTP on port 21 seemed interesting, so I connected to it in passive mode using the username anonymous and no password ftp -p 10.10.179.144 The connection was successful, but I could not get any listing of the directories or files using ls so I turned my attention to port 80 by navigating to the home page in my browser. I was greeted with a default Apache "It Works!" page. I then checked the robots.txt file and fired up a directory buster. I used gobuster as it is fast, but dirb, dirbuster or a home-grown one would also do. The /simple directory stood out as interesting, so I na...
Read more