Pentestit Lab v11 - RDP Token 3


In this lab, we use the SSH access (tech.key) acquired from the previous lab to log back into the Second Office (ssh -i tech.key tech@192.168.101.11 -p2222). Once in, we run an nmap scan to footprint the subnet 192.168.13.1-3 and notice that the RDP port 3389/TCP is open on all three hosts.



To reach the RDP service from our local host, we use SSH tunneling. First, we connect back to the Office 2 router and forward port 3389 of 192.168.13.1 through 192.168.101.11 to our local device: press ~C to open the SSH client's command prompt and enter "-L 3389:192.168.13.1:3389".



Even though we have RDP access to the machine, we don't have credentials to log in. rdesktop lets us see the accounts/usernames but cannot authenticate via Kerberos, as the user has to be a member of the RDP group in AD to connect. There is a tool, xfreerdp (apt-get install freerdp-x11), which supports Kerberos authentication and works on 32-bit architectures only! We try it before falling back to brute-forcing RDP. Alternatively, hydra or crowbar can be used to brute-force RDP. We find the user arm554 using xfreerdp (xfreerdp /v:127.0.0.1 -sec-nla /u:"") and then brute-force the password.

ssh -L 3389:192.168.13.1:3389 -p 2222 -i tech.key tech@192.168.101.11

./crowbar.py -b rdp -u arm554 -C /usr/share/john/password.lst -s 127.0.0.1/32 -v

hydra -t 8 -V -l arm554 -P /usr/share/wordlists/rockyou.txt rdp://127.0.0.1 (we can target localhost because our local port 3389 is forwarded to 192.168.13.1 over the SSH tunnel)

or hydra -t 8 -V -l arm554 -P /usr/share/wordlists/rockyou.txt rdp://192.168.13.1
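The defender's side of the brute force above, as an added example that is not part of the lab or this write-up: a small threshold detector over constructed Windows Security event lines (EventID 4625 = failed logon, 4624 = successful logon), flagging a burst of failures against one account from one source and whether a success followed. The sample lines are constructed; note that because the attempts arrive through the SSH tunnel, the Windows host records 192.168.101.11, not the attacker's machine, as the source address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real lab output), one logon event per line:
# timestamp EventID LogonType TargetUserName IpAddress
SAMPLE_LOG = """\
2017-09-01T10:00:01 4625 10 arm554 192.168.101.11
2017-09-01T10:00:02 4625 10 arm554 192.168.101.11
2017-09-01T10:00:02 4625 10 arm554 192.168.101.11
2017-09-01T10:00:03 4625 10 arm554 192.168.101.11
2017-09-01T10:00:04 4625 10 arm554 192.168.101.11
2017-09-01T10:00:05 4625 10 arm554 192.168.101.11
2017-09-01T10:00:09 4624 10 arm554 192.168.101.11
2017-09-01T10:30:00 4625 10 user 192.168.13.50
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) (\d+) (\S+) (\S+)$")

def parse(log_text):
    """Turn the simplified export format above into (ts, event_id, logon_type, user, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a logon event line
        ts, eid, ltype, user, ip = m.groups()
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), user, ip))
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Alert on (source_ip, user) pairs with >= threshold failed logons inside a sliding
    window, and record whether a successful logon from the same pair followed the burst."""
    fails = defaultdict(deque)  # (ip, user) -> timestamps of recent failures
    alerts = {}
    for ts, eid, ltype, user, ip in sorted(events):
        if ltype not in (3, 10):  # RDP shows as RemoteInteractive (10); NLA failures often as 3
            continue
        key = (ip, user)
        if eid == 4625:
            q = fails[key]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"first_seen": q[0], "failures": len(q), "success_after": False}
        elif eid == 4624 and key in alerts:
            alerts[key]["success_after"] = True  # brute force likely found the password
    return alerts
```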



We find the password tiger (arm554:tiger), which we use to RDP into the Windows machine using rdesktop.




The user arm554 has limited permissions, and we are unable to view other users' files or hidden files as access is denied.

For privilege escalation, we use the MS16-032 privilege escalation exploit for PowerShell located at https://www.exploit-db.com/exploits/39719/, which we share from our Kali box by reconnecting with rdesktop in a new session that maps a shared drive (rdesktop -u arm554 -r disk:share=/root/Downloads/ 127.0.0.1).



We copy the exploit to the Desktop and open PowerShell. Running "powershell -ExecutionPolicy Bypass" allows third-party scripts to execute; we then import our exploit and invoke it. We get NT AUTHORITY\SYSTEM!





We then navigate to the Desktop of the user "user" and find our token.

