Thice Security

De Star 6, 1601 MH Enkhuizen

Swiss Cyber Storm write-up 1: CarGame Challenge 4

24/05/2011, by Thice, category CTF

This article is a write-up of the Swiss Cyber Storm CarGame Challenge 4 (February 2011). For more info on the Swiss Cyber Storm Conference please check my post about the conference here.

I only joined the CarGame in level 4, which meant I could not qualify any more to play the CarGame challenge during the conference. However since the challenges seemed fun I did the last two CarGame challenges anyway. The number and title of this challenge were:

  • 7031 Gain Windows Domain Admin Privileges

I submitted my solution and it was accepted by the organisation, however I do not know if this was the solution the organisation expected and if any other participants have other solutions.

Challenge Description

Taken from the Hacking-Lab website:

We provide a Microsoft Windows 2003 Active Directory infrastructure consisting of a terminal server (csl-ts.compa.ny) and the Active Directory (csl-ad.compa.ny) itself. You also have a standard user account in the directory. Please use one of the following user accounts

You have a valid, unprivileged AD user in this wargame.
UserID: hacker10 or hacker11 or hacker12 or … until hacker30

Domain: COMPA

Password: compass
NOTE: You might be logged off in case other users use the same user name.

OpenVPN connection is required to solve this wargame (dns resolution, availability of the microsoft servers)


Swiss Cyberstorm write up Car Game 4 - 1


Goal of this Challenge

  • Gain Enterprise Domain Admin Privileges on the provided Microsoft Active Directory infrastructure. Prove you were there. Write a verbose journal of your hack and attach it to your solution submission.


Wargame Questions

Please use the SendSolution button within the Hacking-Lab to send your solution. We can’t accept e-mail solutions – Sorry. Please send the following information

  1. How you were able to gain the Enterprise Domain Admin Privileges
  2. How to mitigate the risk
  3. Please attach Screenshots with your solution (proof)


Hacking csl-ad.compa.ny

An Nmap scan of the csl-ad.compa.ny host shows that the system has quite a few open ports. The output of the Nmap scan is shown below.



One of the open ports is the RDP (Remote Desktop Protocol) port. When connecting to it with the Linux rdesktop program, the logon screen shows that the server is running Microsoft Windows 2003.

The number of remote exploits available for Microsoft Windows 2003 is not that high. One exploit that targets both Windows 2003 SP0 and SP1 is the one for MS07-029, a stack-based buffer overflow in the RPC interface of the Windows DNS Server service. This is relevant here because a domain controller normally also runs the DNS Server service. More information can be found on the Metasploit module page for this exploit.

The exploit can be run from the Metasploit Framework; the module (windows/dcerpc/ms07_029_msdns_zonename) and its options can be seen below.



After setting all the options in the module the exploit is ready to be executed. The output of this exploit is shown below.



The exploit against csl-ad.compa.ny was successful and returned a remote shell (using the payload windows/shell/bind_tcp). The ipconfig command confirms that we are indeed on csl-ad.compa.ny (its IP address is visible in the output), and the whoami command shows that the shell runs as the SYSTEM account, the highest privilege on the machine. The output of these commands is shown below.



Since we are SYSTEM we can use these privileges to create a new admin account; the commands and their output are shown below. Note that csl-ad.compa.ny is a domain controller, which has no local user database of its own: an account created with net user on a DC is a domain account, and the Administrators group on a DC is the domain's built-in Administrators group, which already gives full control over the directory.



We now have an admin user which we can use to log in to the system remotely; again we use the Linux program rdesktop for this.



The login and password we will use are those of the account we just created.

The screenshot below shows us logged in as user ‘hawkje’, which has admin privileges; this can be verified with the net localgroup administrators command.


Swiss Cyberstorm write up Car Game 4 - 2


When opening the Active Directory user management console (Active Directory Users and Computers) we find our account among the users. Here we can simply add our account to the Domain Admins group; the group membership properties screen can be seen below.


Swiss Cyberstorm write up Car Game 4 - 3


Alternative exploit

Besides the windows/dcerpc/ms07_029_msdns_zonename module used above, the same vulnerability (MS07-029) can also be exploited with an alternative module: windows/smb/ms07_029_msdns_zonename, which reaches the same DNS RPC interface over the SMB named pipe instead of the dynamic RPC port, and is therefore useful when that port is filtered but port 445 is reachable. The configuration and the output of this module can be seen below.



Hacking csl-ts.compa.ny

The csl-ts.compa.ny system does not need to be exploited to gain administrator access to the csl-ad.compa.ny system, and thus could be seen as being out of scope for this challenge. However, since the system is part of this exercise I decided to exploit it as well, in a totally different way than the csl-ad.compa.ny system.

As part of the challenge we received a set of user accounts. These user accounts can be used to log in to the csl-ts.compa.ny terminal server. The user account that will be used is the account hacker14 with password compass.

To connect to the csl-ts.compa.ny server we again use the Linux rdesktop program; the command used is shown below and opens an RDP session to the system.



When the RDP session opens on csl-ts.compa.ny we notice that we do not get a normal Windows desktop: only Outlook 2003 is started. This means we have to break out of the Outlook 2003 session.

One way to break out of this session is to launch explorer.exe, which can be done from any Windows “Open” file dialog. From Outlook such a dialog can for example be reached via:

  • File –> Open –> Outlook Data File

This action is shown on the screenshot below.


Swiss Cyberstorm write up Car Game 4 - 4


In the “Open Outlook Data File” dialog we can browse to the Windows directory (C:\Windows\) and, after selecting “All Files (*.*)” as “Files of type:”, explorer.exe shows up. Right-clicking explorer.exe and choosing “Open” executes it.


Swiss Cyberstorm write up Car Game 4 - 5


After explorer.exe starts, a script pops up; this script can be found in the start menu, as shown in the next screenshot.


Swiss Cyberstorm write up Car Game 4 - 6


The script name is init_script.bat and it contains the following command:



The script runs the lsrunase.exe program with the runbatch account. lsrunase is a runas-style tool that takes the account's (obfuscated) password as a command-line argument, so the script effectively carries the credentials of that account. The runbatch account is a member of the local Administrators group, as the output of the net localgroup administrators command below shows.



Since init_script.bat can be edited by our unprivileged user, the command in it can easily be changed to execute something else, which means we can execute arbitrary commands as the runbatch user, i.e. as a local admin. The simplest choice is cmd.exe, which gives us a local admin command shell. This is done with the following change to init_script.bat.



After running the modified script from a cmd.exe command shell, a new command shell opens with the rights of runbatch (and thus local admin). This shell can then be used to add a new local admin user. These actions can be seen in the screenshot below.


Swiss Cyberstorm write up Car Game 4 - 7
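The check a practitioner would want here is simple: who, besides administrators and SYSTEM, is allowed to modify a script that a run-as tool executes with stored administrator credentials? The following is an added example (not code from the write-up) that answers that question from the output of `icacls <script>`. The script path, the ACL and the assumption that the script lives in the all-users Startup folder are constructed for the example; the write-up does not show where init_script.bat lives or what its permissions are. icacls ships with Windows 2003 SP2 and later; the older cacls tool prints a different format and is not handled.

```python
"""Check who can modify a script that a run-as tool executes with stored
administrator credentials, using the output of `icacls <script>`.  Added
example (not from the write-up); the path and the icacls output are
constructed, as is the assumption that the script lives in the all-users
Startup folder.
"""
import re

# Rights that allow changing the file's contents: simple rights and the
# specific rights icacls prints comma-separated inside one group.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WDAC", "WO"}
# Inheritance and ACE-type markers that icacls prints in groups of their own.
MARKERS = {"I", "OI", "CI", "IO", "NP", "DENY"}
# Principals that are expected to be able to edit an administrative script.
TRUSTED = {"nt authority\\system", "builtin\\administrators"}


def parse_icacls(output, path):
    """Return a list of (principal, rights, is_deny) for every ACE in the output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        # The first ACE shares its line with the file name.
        if line.startswith(path):
            line = line[len(path):].strip()
        principal, _, rights = line.rpartition(":")
        tokens = {t.strip() for grp in re.findall(r"\(([^)]*)\)", rights) for t in grp.split(",")}
        aces.append((principal, tokens - MARKERS, "DENY" in tokens))
    return aces


def writable_by_untrusted(output, path):
    """Return [(principal, [rights])] for non-admin principals that may modify the file."""
    findings = []
    for principal, rights, is_deny in parse_icacls(output, path):
        if is_deny or principal.lower() in TRUSTED:
            continue
        granted = sorted(rights & WRITE_RIGHTS)
        if granted:
            findings.append((principal, granted))
    return findings


SCRIPT = r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\init_script.bat"
# Constructed icacls output: an ACL that lets every member of Users rewrite the script.
SAMPLE_ICACLS = SCRIPT + r""" BUILTIN\Users:(I)(RX)
                BUILTIN\Users:(I)(W)
                Everyone:(I)(RX)
                COMPA\hacker14:(DENY)(W)
                NT AUTHORITY\SYSTEM:(I)(F)
                BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for principal, rights in writable_by_untrusted(SAMPLE_ICACLS, SCRIPT):
        print("%s can modify %s (%s)" % (principal, SCRIPT, ",".join(rights)))
```

Run against real output (`icacls path > acl.txt` on the terminal server, then feed the file to `writable_by_untrusted`), anything returned is a principal that can turn the script into the same privilege escalation described above. Deny ACEs are skipped because they remove rights rather than grant them.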


Mitigating the risk

To mitigate the risk I would propose the following actions to be taken on both of the systems:

  • Install the latest software and security updates from Microsoft (the patch for MS07-029 had been available for years at the time of this challenge).
  • Disable any unneeded services.
  • Activate a firewall on both of the systems or place both systems behind a hardware firewall. The firewall should block all traffic except the traffic that is needed for operational use, only traffic from legitimate systems should be allowed.
  • Install and maintain an Antivirus solution.
  • Disable and remove the init_script.bat script running on the csl-ts.compa.ny system. More generally, a script that carries administrator credentials must never be readable or writable by unprivileged users; here any user of the terminal server could edit it.
  • Prevent the terminal-server users from launching explorer.exe on csl-ts.compa.ny, for example with software restriction policies. Blocking only explorer.exe is not enough, since the same “Open” dialog can start cmd.exe or any other executable. Alternatively, offer Outlook Web Access (OWA) instead of the current Outlook 2003 terminal sessions.
  • Remove any unnecessary data from the systems, including the currently present old password dump files and exploit files.
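Beyond prevention, the chain used on csl-ad.compa.ny (an account created from a SYSTEM shell, added to Administrators, then added to Domain Admins) leaves a clear trail in the Security event log, and a domain controller should alert on it. The following is an added example (not code from the write-up, and not a Hacking-Lab tool) that correlates such events: it maps the Windows 2003 event IDs of the challenge environment (624 user created, 636 member added to a local group, 632 member added to a global group) to their Vista+ equivalents (4720, 4732, 4728) and raises a stronger alert when an account is added to a privileged group shortly after it was created. The record format and the sample events, including the names and timestamps, are constructed for the example.

```python
"""Correlate Windows Security-log events for the account-creation and
group-membership chain seen on csl-ad.compa.ny.  Added example (not from the
write-up); the event records are constructed to mirror the chain and use
made-up names and times.
"""
from datetime import datetime, timedelta

# Groups whose membership changes should always be reviewed.
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins", "schema admins"}

# Windows 2003 (as on csl-ad.compa.ny) event IDs mapped to their Vista+ equivalents.
LEGACY_IDS = {624: 4720, 632: 4728, 636: 4732, 528: 4624}
USER_CREATED, GLOBAL_GROUP_ADD, LOCAL_GROUP_ADD = 4720, 4728, 4732


def normalize(event):
    """Return a copy of the event with a Vista+ event ID and a parsed timestamp."""
    e = dict(event)
    e["id"] = LEGACY_IDS.get(e["id"], e["id"])
    e["time"] = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
    return e


def find_privilege_escalations(events, window=timedelta(hours=1)):
    """Return alerts for members added to privileged groups.

    An alert is a tuple (time, account, group, actor, reason).  The reason is
    stronger when the account was created less than `window` before it was
    added, which is the pattern of the attack in the write-up.
    """
    created_at = {}
    alerts = []
    for e in sorted((normalize(ev) for ev in events), key=lambda ev: ev["time"]):
        if e["id"] == USER_CREATED:
            created_at[e["target"].lower()] = e["time"]
        elif e["id"] in (GLOBAL_GROUP_ADD, LOCAL_GROUP_ADD):
            if e["group"].lower() not in PRIVILEGED_GROUPS:
                continue
            account = e["target"].lower()
            reason = "member added to privileged group"
            born = created_at.get(account)
            if born is not None and e["time"] - born <= window:
                reason = "account created %s earlier and added to privileged group" % (e["time"] - born)
            alerts.append((e["time"], account, e["group"], e["subject"], reason))
    return alerts


# Constructed sample records (field names are this example's own, not the
# Windows event schema).  IDs are the Windows 2003 ones from the challenge.
SAMPLE_EVENTS = [
    {"time": "2011-02-12 20:15:02", "id": 624, "subject": "NT AUTHORITY\\SYSTEM", "target": "hawkje", "group": None},
    {"time": "2011-02-12 20:15:30", "id": 636, "subject": "NT AUTHORITY\\SYSTEM", "target": "hawkje", "group": "Administrators"},
    {"time": "2011-02-12 20:22:45", "id": 632, "subject": "COMPA\\hawkje", "target": "hawkje", "group": "Domain Admins"},
    {"time": "2011-02-12 21:00:00", "id": 632, "subject": "COMPA\\helpdesk", "target": "jdoe", "group": "Sales"},
    {"time": "2011-02-12 21:05:00", "id": 632, "subject": "COMPA\\hawkje", "target": "hacker14", "group": "Domain Admins"},
]

if __name__ == "__main__":
    for alert in find_privilege_escalations(SAMPLE_EVENTS):
        print("%s  %-10s -> %-14s by %-20s %s" % alert)
```

The add to the non-privileged Sales group produces nothing, the two adds of the freshly created hawkje account produce the strong "created ... earlier" alerts, and the later add of hacker14 to Domain Admins is still reported, just without the creation correlation. In a real deployment the records would come from the DC's Security log (the subject field is the account that made the change, which is SYSTEM for the net commands run from the exploit shell).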


So, what do you think ?