
How I Hacked A Company (My First Red Team Engagement š©)
Hello World! I havenāt posted a writeup in a long time.Since the middle of 2022, Iāve been devoting my time and energy to learning Red Teaming techniques and am still exploring the vast ocean.During m
Hello World! I havenāt posted a writeup in a long time.Since the middle of 2022, Iāve been devoting my time and energy to learning Red Teaming techniques and am still exploring the vast ocean.During my training, I practised with vulnerable environments (Hack the Box machines and other vulnerable VMs set up locally). From all my experience, I would say this field is drastically emerging, with lots of new attack vectors and mitigations on a day-to-day basis. This field doesnāt stop, and it will be racing towards a competitive pace for Red Teamers š© and Blue Teamers š³ļø.
With my best efforts, I started to understand how enterprise networks work and how their typical architecture is set up.Recently, I came across my first red team engagement. The client for this engagement was a large FinTech company with a vast network. The approach for the engagement is to perform an adversary simulation withĀ Assume Breach Scenario. This blog purely describes the engagement methodology I follow on my own, and it may vary with the perspective of other Red Teamers.
The target company had many domains on the internet, hosting various applications for their employees and customers. Every piece of website information is important to a Red Teamer.Ā Web Application PentestingĀ plays a crucial role while performing a Red Team Engagement. After gathering information through the public internet, we got to know about the various other domains being used by the company. Some important enumeration tactics that are required to be done before starting to probe the enterpriseās internal network directly are,
- Subdomain Enumeration
- GitHub Dorking
- osint concept in cybersecurity. It describes techniques, risks, or controls that defenders and ethical hackers must understand to protect systems and conduct authorized security testing. Learning Shodan helps you recognize attacks in the wild and apply industry-standard mitigations aligned with frameworks like OWASP and NIST.">Shodan Dorking
- Google Dorking
- External Application Pentesting
- Familiarising with Enterprise Architecture
We can list various applications (both external and internal) used by the enterprise by performing extensive subdomain enumeration. The scale of the target scope just expands randomly based on the organisation while performing subdomain enumeration.
cat targetDomains.txt | while read -r domain; do
( echo $domain | subfinder -silent >>subdomains.txt );
done
For subdomain enumeration, I personally useĀ subfinder, which is integrated with many API keys. Itās always good to probe and check the subdomains, whether they are accessible from the public internet or not.Ā httpxĀ does the work for me.
cat subdomains.txt | httpx -silent -sc
Here I found many subdomains named for internal web applications that are not accessible from the public internet. But most of them are accessible. So, itās time to pentest these applications.
It was tedious work pentesting these applications, most of them were static ones for business marketing purposes. The more dynamic the feature, the more interesting it becomes for us. Our team had found many Web application vulnerabilities in the vast target scope. Personally, I love to test forĀ SQL Injection,Ā XML External EntityĀ andĀ Open RedirectionĀ for red team engagements. You may think, āWhy specifically these bugs?ā
Well, there is a pretty good reason to hunt for these bugs becauseĀ SQL InjectionĀ &Ā XML External EntityĀ are injection based attacks that help an attacker retrieve sensitive information from the backend / server, which is real-time data being used by the enterprise. This can be further used for lateral movement in the succeeding phase. And in todayās InfoSec world,Ā Open RedirectionĀ may be treated as an ordinary bug, where bug bounty hunters and platforms have normalised it. But Red Teamers know the value of it, because it can be used to lure a victim from the enterprise. Victims are easily duped by this illusion because the redirection to our malicious URL occurs from their enterprise domain name.Mostly non-technical employees in an enterprise fall for this technique. There are many known vulnerabilities in the wild, but these are my favourites to look for, which can be easily used to further our engagement.
While looking for web vulnerabilities, our team members found many SQL injections from the target scope. I started to aggregate the domains and manually fuzzed the vulnerability to find what database that server was using.
When it comes to SQL Injection, I always useĀ Portswiggerās SQL Injection Cheat SheetĀ for reference.
While pentesting those sites, I discovered one thing in common that was shared by all of them. Some specific groups of sites were using the same tech stack for their web applications. They were usingĀ .NETĀ for the front end,Ā IIS ServerĀ for hosting, andĀ MSSQLĀ (fuzzed manually) for the back end.Ā
# Typical Enterprise Web Application Stack
Front End (.NET) <---> Server (IIS) <---> Back End (MSSQL)
Apart from these, they have been usingĀ WordpressĀ applications and apps withĀ PHP + MySQLĀ which has similar behaviour to Wordpress but itās not Wordpress.
I usedĀ sqlmapĀ to dump the entire DB from the MySQL database, and the other sites (including MSSQL, where they had a common DB synced with many web applications) hadĀ Blind SQLiĀ which took more time to bruteforce and dump the data. Dumping the database names and table names alone gave me a good understanding of their internal domains and internal web applications.
#Fuzz for SQL Injection
sqlmap -r request.txt
#Specifying Database
sqlmap -r request.txt --dbms MySQL --level 3 --risk 3
#Fuzzing Vulnerable Param
sqlmap -r request.txt --dbms MySQL --level 3 --risk 3 -p <PARAM_NAME_VULNERABLE_TO_SQLi>
#Dump database names
sqlmap -r request.txt --dbms MySQL --level 3 --risk 3 --dbs
#Dump table names
sqlmap -r request.txt --dbms MySQL --level 3 --risk 3 --tables
#Dump all data from the given database & table
sqlmap -r request.txt --dbms MySQL --level 3 --risk 3 -D <DB_NAME> -T <TABLE_NAME> --dump
Dumping the SQL DBs was a gold mine because it had many email IDs and their passwords (stored in plain text, a bad security practice) stored in it.
Apart from web app pentesting, I got so many exposed internal domains with their IPs due to their SSL certificate fromĀ Shodan Dorking. From Shodan, I even got an openĀ RDP port 3389Ā into their organization.
Last but not least, I got a pair of credentials fromĀ GitHub Dorking, where their internal developers wrote some scripts to test some API functionality and left them without scraping it from their git commit. I also got a bunch of internal email IDs for their enterprise.
After using someĀ grepĀ commands andĀ bashĀ automation, I wrote those credentials from the SQLi dump and dorking into a single file, which had nearlyĀ 340 credentialsĀ in it. Thatās a huge number, and that shows the enterprise is not following good security compliance and mitigations. So whatās next?
Before actively using these credentials, I just wanted to try to explore other subdomains to look for other possibilities. During that phase, I came across aĀ MS Exchange ServerĀ of their domain. TheirĀ OWA Portal (Outlook Web App Portal)Ā login page was there, and seeing it I got very intrigued. Since I have been reading feeds from many security researchers whom I follow on Twitter, I know at the instantĀ ProxyShell ExploitĀ can be done on that server. Thereās a good talk byĀ Orange TsaiĀ about this vulnerability, and hisĀ blogĀ was a reference to me. Immediately I fuzzed the OWA app withĀ BurpsuiteĀ and found the Exchange Server version in the response header. I ran publicly available exploits for this attack, specifically thisĀ oneĀ and one of my friends who had reproduced this exploit helped me with his perspective on attacking it. Even though it got me a shell, I could not successfully run commands. I knew something was wrong and started reproducing the exploit manually usingĀ BurpĀ andĀ my own Python scripts. From doing that I understood, the email IDs in the Exchange Server was a rabbit hole to me. The FQDN and email IDs were specifically placed inside the server to lure a Red Teamer (my first time encountering Blue Team tactics). I had spent nearly 4 days on beleiving this exploit alone, atlast the belief became broken.
And bringing myself up from failed attempt for a fake low hanging fruit. I started exploring other subdomains too. Some of the sites redirected me to anĀ SSO login page.
https://login.microsoftonline.com/getuserrealm.srf?json=1&[email protected]
Querying from the above link, I confirmed that the domains run as aĀ Federated ServiceĀ for AD. That means theyāve connected to Microsoft Cloud (O365).
Now, itās time to use the credentials that I prepared earlier. I started spraying those credentials usingĀ O365 SprayerĀ over the target domain. Only one of those credentials was working. This was the turning point for this whole red team engagement. The password used for the valid credential is a simple combination used by the domain.
Itās time to go cloudy. Using that credential, I logged myself in as the user in their domain viaĀ Azure ADĀ PowerShell module. In order to connect with Azure Cloud, we needĀ Tenant IDĀ of the domain.
https://login.microsoftonline.com/<TARGET_DOMAIN>/v2.0/.well-known/openid-configuration
By querying the above link, we get theĀ Tenant IDĀ of the target domain in response. Using that tenant ID to connect with Azure AD.
Connect-AzureAD -TenantId <TENANT_ID>
After getting connected withĀ Azure ADĀ in ourĀ PowerShell, enumeration becomes much easier withĀ Azure AD PS Module. Enumerating Azure AD Users,Groups & Devices viaĀ Get-AzureADUser -All $trueĀ ,Get-AzureADGroup -All $true,Ā Get-AzureADDevice -All $trueĀ and many more. UsingĀ Get-AzureADDomainĀ we can check the authentication type for the domains connected to it.
I can now easily obtain all email IDs used in the domain from the enumerated users. I thought of performingĀ Password SprayĀ attack with default combinations for the domain considering theĀ Account Lockout PolicyĀ and its cool down period. After performing password spray, nearly 60 accounts have been compromised by their weak, predictable passwords.
Using these credentials, I got into a machine with a default AD user privilege account. The machine was running in a constraint withĀ several EDRs (not the top rated) and AV productsĀ for a newbie Red Teamer like me š. I started listing the process and found the Defending products running in the machine. When I tried to view some offensive PowerShell scripts in the browser, it flagged them as malicious sites. I understood my situation at the momemnt that Iām gonna walk on a landmine.
I knew if I dropped some executable on the disk, it was going to flag me. And configuring the same EDR scenario on my local machine and compiling those binaries will take a lot of time, which is a nightmare for me. SoĀ PowerShellĀ memory is the only hope for me. When I start downloading the exact offensive PowerShell scripts from GitHub, it flags that file. But if IĀ Base64 EncodeĀ it and load it in the PowerShell memory, it doesnāt get flagged.
# Store the Base64 encoded file
$file = <BASE64_ENCODED_CONTENT_FILE>
$data = Get-Content $file
[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($data)) | IEX
# Delete the Base64 encoded file
Thatās it, the required scripts got loaded into PowerShell memory without getting caught (Suprising for me š¤Ŗ). I attemptedĀ Local privilege escalation, but to my dismay, there was nothing to escalate.
RanĀ SharpHoundĀ and moved the ingested data to my local machine to view inĀ BloodHound. After loading the ingested data (took more time for thousands of AD objects), I started viewing and analysing it carefully. Always look forĀ Outbound ACLs, because they are the hidden link between two AD objects. Some of the compromised users hadĀ PS-SessionĀ over some machines. I used their accounts to gain theĀ PS SessionĀ and started to enumerate the privileges.
Surprisingly, some of the users hadĀ Full PrivilegesĀ over their respective machines. I used that privilege to dumpĀ LSASS.exeĀ withĀ procdump.exe. This is a stealth way to dumpĀ LSASS.exe, sinceĀ procdump.exeĀ is a Microsoft-signed binary and that doesnāt get flagged by AV/EDRs.
After moving thatĀ .dmp fileĀ to my local machine, I ranĀ MimikatzĀ to analyse the dump file and got the NTLM hash for a user who is a member of a privileged group. I donāt haveĀ Local Administrator PrivilegeĀ over my controlled machine. As a result, I must only perform āPass the Hashā over PS-Session.My colleague helped me with writing an undetectable reverse shell inĀ Go. We copied that binary in the remote computer having the PS-Session and we triedĀ PTH using Invoke-MimikatzĀ to run the reverse shell withĀ PowerCat. Obviously, it ran and we got the privileged group user rights, but we stopped due to an issue. We were inside a firewall, so we were not able to query DC directly for further movement. Little poor me, didnāt know that I had a plain text password for the same user in the dump. Seeing as how I was ecstatic after attempting the reverse shell PTH
Also, from the user where I got my initial access, I was able to change an account password withĀ GenericAllĀ ACL rights. I was able to view theĀ LAPS passwordĀ viaĀ AllExtendedRightsĀ over a machine after using the password-changed account. Unfortunately, that machine was a waste of time to proceed with.
BloodHound showed that the compromised user from the LSASS dump had a session on the machine, where one of the domain admins was also having a session. Using that plain text password, I did lateral movement withĀ PS-SessionĀ and dumpedĀ LSASSĀ withĀ procdump.exeĀ again. This time I got the plain text password forĀ Domain Admin. Logging into DC, I have dumped theĀ NTDS.ditĀ file andĀ Registry Hives.
Thats it, the final showdown. I added my required accounts for persistence and dumped all hashes from the target enterprise usingĀ secretsdump.Ā
aidenpearce369@jackdaw:~/DC5-LSASSDump$ ls
RegHive allHashes.txt log.dmp ntds.dit
aidenpearce369@jackdaw:~/DC5-LSASSDump$ cat allHashes.txt | grep ':::' | grep -v "$:" | wc -l
43856
aidenpearce369@jackdaw:~/DC5-LSASSDump$ cat allHashes.txt | grep ':::' | grep "$:" | wc -l
48587
aidenpearce369@jackdaw:~/DC5-LSASSDump$
From the dump, I gotĀ 43856Ā user account hashes andĀ 48587Ā machine account hashes from the enterprise. From these engagements, I also learned a few EDR enumeration and bypass tactics from my colleague. This was my first red team engagement, and it was prettyĀ awesomeĀ for me. Because, for these many days I was trying in a intentionally vulnerable environment but in this engagement I had an oppurtunity to simulate as a offensive threat actor breaching into a company which was entirely new to me. For my future engagements, Iām planning to write my own offensive C# and Go binaries to avoid getting detected and to learn more aboutĀ Windows InternalsĀ for bypassing EDRs and exploit development purposes. Iām grateful to those who helped me during my difficulties and guided me to go one step higher in my learning. Iād like to end this blog post by saying thatĀ 2022Ā was a great year for me in terms of accomplishments and self-satisfaction. And to those who read this post:Ā Never stop exploring.
About Author
Monish Kumar is a highly skilled and accomplished security researcher and red teamer. With a passion for identifying and mitigating potential security threats, Monish has dedicated his career to staying ahead of the curve in the ever-evolving world of cybersecurity. His expertise and experience have made him a valuable asset to organizations looking to strengthen their defenses against cyber attacks. With a keen eye for detail and a drive to continuously improve his skills, Monish is a trusted advisor in the security community and an advocate for best practices in the field.
Related Articles
What Is a Security Operations Center (SOC)?
SOC roles, tools, and workflows ā how Tier 1ā3 analysts detect, triage, and escalate incidents using SIEM and playbooks.
How to Become Network Security Engineer
The network security engineer is responsible for the secure operation of the company's networks and systems. They work w
COMMENTS (0)
Sign in to post intel on this briefing.