Trent Walraven

A 2024 Cyber Security Engineering Student at Iowa State University

CYBE231 Lab 4 - Cracking & Lateral Movement

2 minute read

To start this lab we used the backdoor created in Lab 3 on the Windows XP machine to get back into the machine. After getting back into the machine, we started up the RDP server built into Windows XP, and created a new account for ourselves that had RDP and Administrator permissions. This was used to show how you can get into a system with a GUI remotely after getting into the system.

We then moved onto the main portion of the lab, where we dumped the LM hashes from the compromised Windows machine. From there we used John the Ripper to crack the hashes by setting it run on the LM hashes, and doing an incremental attack, which iterates through solutions until cracked. This will take sometime since we aren’t using a dictionary attack, so we moved on to talking about passing the hash.

Windows has features that allow a user to execute commands by sending the hash of their password instead of sending their password. Once such feature is PsExec is enabled by default, and included on the Windows 10 machine. Included in this default config is the ability to use LM hashes on top of the newer NTLM hashes to allow for backewards compatibility. From here we used Metasploit to with psexec module to pass in the hash of the admin user, then used it to create a reverse shell similar to the last lab. About this time the hashes had finished cracking, so we took a look back at those.

Looking back at John, we have the hashes cracked, but the LM hashes are not case-insensitive. Since our hashes are dropped from a Windows XP box, we also have the case-sensitive NTLM hashes. We created a word list from the password we had cracked, then started running John the Ripper with that password list, this time in NTLM mode, on the hashes we had. Since we knew the passwords this did not take very long to crack, as it was just trying cases for them. After it found the correct cases for all the hashes, we used these passwords to attempt to login.

Using scart’s password we logged into the Ubuntu box. However, this user has very little permissions, so our next step is to escalate privilege. Since we have some level access to the box, we took a look at the exact version on Ubuntu that is installed. It was found to be Ubuntu 12.10, which is vulnerable to the dirty cow exploit. On a server in ISEAGE we were given a hosted POC for dirty cow that we could download and run. Running this binary, it succeeds and gives us a root shell.

To end this lab, we had to find certain information about a few of the user’s on the machine. While searching we also found login details for a “home” server for the user manny. We had to connect to that server with ssh, and find a little more information about the user manny.

Categories:

Updated:

You may also enjoy

Cyber Tractor Challenge

3 minute read

My experience with the John Deere event that brought in students from around the country to test the security of John Deere equipment

CYBE231 Lab 12 - Final Project Part 3

4 minute read

The last part of the final project where we had to attack other networks and get into the systems that had been secured by other students