The task this week was to try and determine ways to create a foothold on the compromised machine and pivot the attack to the rest of the network. Seeing as how I only got meterpreter injected into a process with non-admin privileges, I thought this was going to be very tough. I realize that it is possible to load the priv extension and run getsystem. I tried that, but there is a problem with it in the VirtualBox environment. It uses the "KiTrap0D" vulnerability for escalation. When you try this in VirtualBox (3.1.4) it crashes the VM and brings up a "Guru Meditation" message.
I spent a lot of time during the week reading up on different types of privilege escalation methods, concentrating more on older methods because these are old, unpatched machines. I was trying everything from the shatter attack to abusing service permission levels and nothing was working; I was starting to have a bad feeling. Finally I found a solution. I was just overthinking things. The key to it all is routing, and that is made simple thanks to the great people working on Metasploit.
What you need to do is establish the first session, then send it to the background. At the msfconsole prompt, use the route command (-h for help) to add a route to the 192.168.2.0/24 network using the meterpreter session number (1 in my case) as the gateway i.e. route add 192.168.2.0 255.255.255.0 1. Once this is done, switch to a good ole exploit like ms08-067 netapi. You then set the RHOST to the machine you have session 1 open on and exploit it. Soon you should have a session 2 coming back to you and this time when you getuid you should see NT AUTHORITY\System. At that point I like to remove the routing entry, kill session 1 and redo the route entry using session 2. Once this is done you can hit any other machine on that network.
As to the question of establishing a foothold, I tried a few methods. There is a meterpreter script called persistence that is supposed to automate this (details here), but I didn't have any luck with that method. It just wrote its vbs script in Windows\temp and nothing else. I also experimented with manually making an executable with a meterpreter/reverse_tcp payload. I uploaded this to the victim then manually linked it in the HKLM run key, but this didn't work either. The one thing that did work for me was to use the scheduleme script to set up a constantly running task with this exe. I set it to try and connect back every 5 min and it worked like a charm, although I realize this is a very obvious and noisy method. I was a little worried about it spawning a hundred instances on the victim, but it seemed that as long as one was running, another wouldn't start. You could further customize the instance by opening a shell and using schtasks.
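A defender-side check for the scheduled-task persistence described above, as an added example that is not part of the original post: it reads output in the layout of `schtasks /query /fo CSV /v` (the column names are schtasks' verbose CSV headers; the rows below are a constructed sample) and flags tasks that run a binary from a user-writable directory on a short repeat interval, which is exactly the footprint a low-privilege, every-5-minutes callback task leaves behind.

```python
import csv
import io
import re

# Constructed sample in the layout of `schtasks /query /fo CSV /v`
# (subset of the real columns; host, task names and paths are made up).
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run","Run As User","Schedule Type","Repeat: Every"
"WIN-LAB","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c","SYSTEM","Weekly","Disabled"
"WIN-LAB","\syshelper","C:\Windows\Temp\svchost.exe","WIN-LAB\alice","Daily","0:05:00"
"WIN-LAB","\Backup","C:\Program Files\Backup\backup.exe","SYSTEM","Daily","Disabled"
'''

# Directories an unprivileged user can write to; a binary dropped from a
# non-admin session (Windows\temp in the post) usually lands in one of these.
USER_WRITABLE = re.compile(r"\\temp\\|\\appdata\\|\\users\\public\\", re.IGNORECASE)


def parse_repeat(value):
    """Return the repeat interval in minutes, or None if the task does not repeat.

    schtasks prints the interval as H:MM:SS and uses "Disabled" or "N/A" otherwise.
    """
    m = re.fullmatch(r"(\d+):(\d{2}):(\d{2})", value.strip())
    if not m:
        return None
    hours, minutes, _seconds = (int(x) for x in m.groups())
    return hours * 60 + minutes


def suspicious_tasks(csv_text, max_interval_minutes=15):
    """Flag tasks that run from a user-writable path AND repeat frequently."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        command = row["Task To Run"]
        interval = parse_repeat(row["Repeat: Every"])
        from_user_dir = bool(USER_WRITABLE.search(command))
        frequent = interval is not None and interval <= max_interval_minutes
        if from_user_dir and frequent:
            findings.append({
                "task": row["TaskName"],
                "command": command,
                "run_as": row["Run As User"],
                "interval_minutes": interval,
            })
    return findings


if __name__ == "__main__":
    for hit in suspicious_tasks(SAMPLE_CSV):
        print(f'{hit["task"]}: {hit["command"]} every {hit["interval_minutes"]} min as {hit["run_as"]}')
```

On a real host, feed it the output of `schtasks /query /fo CSV /v` and compare the flagged entries against a baseline taken before the engagement; the interval threshold is a tunable assumption, not a schtasks setting.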
The next goal is to see what other machines I can compromise. It would be nice to be able to route nmap through meterpreter sessions, but I haven't figured out a way to do this yet. There is a video I looked at briefly that shows how to tunnel a nessus scan through meterpreter using ssh that might be adaptable for nmap (links here). Even without that I can always just upload and install nmap and go from there. Metasploit does have some scanners available, but not as good for general recon as nmap. More next week.