Friday, May 25, 2012

Sticky Keys and Utilman against NLA

At CCDC, Sticky Keys via RDP was a very successful re-entry point for the Red Team. You can read more about how this works here:

http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html

So if you can get physical access or SYSTEM/Admin access at some point and can enable and reach RDP, you can very easily follow those instructions and gain a level of persistence without the need of a pesky password :-)

However, this doesn't work so well with the advent of NLA, or Network Level Authentication, which was enabled for Vista systems and beyond. In particular, Windows 2008 R2 uses it by default. Sticky Keys don't work so well if you have to authenticate first. Boo!

But, if you are already on a box with Admin access for a time, you can make one additional change so that you are back to Sticky Keys and Utilman heaven:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp


Change the UserAuthentication value to 0, and instantly you are back to slamming the shift key and popping system shellz.

-- mubix

P.S. I ran into permissions errors when trying to copy cmd.exe over sethc.exe and utilman.exe.

But a brilliant fix to this annoying security control ;-) was provided here:

http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html?showComment=1335891005473#c7632690272609583721

By setting CMD as the debugger for sethc.exe or utilman.exe, Windows executes the debugger first, so you are back to shelling again.
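A defender-side check for the two changes this post relies on, added here as an example and not part of the original post: it reads the UserAuthentication value under the RDP-Tcp key, looks for an Image File Execution Options "Debugger" value on sethc.exe and utilman.exe (the standard registry location for that setting, which the post does not name), and compares the hashes of those binaries with cmd.exe. evaluate() is pure and runs anywhere on collected values; collect() needs Windows and the winreg module.

```python
import hashlib
import os
import sys

# HKLM paths: the RDP-Tcp key named in the post, and the standard Image File
# Execution Options key where a per-executable "Debugger" value would live.
RDP_TCP_KEY = r"System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
IFEO_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe")

def evaluate(user_authentication, debuggers, hashes):
    """Pure check; returns findings. user_authentication is the RDP-Tcp
    UserAuthentication DWORD (None if absent); debuggers maps binary -> IFEO
    Debugger string or None; hashes maps binary -> sha256 hex (incl. cmd.exe)."""
    findings = []
    if user_authentication == 0:
        findings.append("NLA disabled: RDP-Tcp UserAuthentication = 0")
    for name in ACCESSIBILITY_BINARIES:
        if debuggers.get(name):
            findings.append(f"IFEO Debugger set for {name}: {debuggers[name]}")
        if name in hashes and hashes[name] == hashes.get("cmd.exe"):
            findings.append(f"{name} is byte-identical to cmd.exe")
    return findings

def _read_value(path, name):
    import winreg  # Windows only; imported lazily so evaluate() works elsewhere
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:  # key or value does not exist
        return None

def collect():
    """Windows-only collection of the three inputs evaluate() needs."""
    system32 = os.path.join(os.environ["SystemRoot"], "System32")
    ua = _read_value(RDP_TCP_KEY, "UserAuthentication")
    debuggers = {b: _read_value(IFEO_KEY + "\\" + b, "Debugger")
                 for b in ACCESSIBILITY_BINARIES}
    hashes = {}
    for b in ACCESSIBILITY_BINARIES + ("cmd.exe",):
        with open(os.path.join(system32, b), "rb") as fh:
            hashes[b] = hashlib.sha256(fh.read()).hexdigest()
    return ua, debuggers, hashes

if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("collect() needs Windows; evaluate() runs anywhere")
    for line in evaluate(*collect()) or ["no findings"]:
        print(line)
```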

Friday, May 25, 2012

Post Exploitation with PhantomJS

If you have never heard of PhantomJS ( http://phantomjs.org/ ) before, it's a "Full Web Stack with No Browser Required"; basically, it is a GUI-less browser. One of the magical "example" files it ships with is called "rasterize.js".

rasterize.js essentially renders a URL, screenshots it and gives it to you in a number of different formats. Here's its usage:

Usage: rasterize.js URL filename [paperwidth*paperheight|paperformat]
paper (pdf output) examples: "5in*7.5in", "10cm*20cm", "A4", "Letter"

PhantomJS is sweet for sweeping a ton of IPs and suspected HTTP/S sites, then looking through a gallery of them to start figuring out which looks the most interesting… and we are going to do essentially just that, except from a victim machine.

First, download the Win32 static bins for PhantomJS from: http://code.google.com/p/phantomjs/downloads/list

Pull phantomjs.exe and rasterize.js out of the zip, and upload them to your victim.

Make a special directory for your renderings (I use imgs); this also makes it easy for meterpreter to download them, since meterpreter supports directories as download targets.

Now make a BAT file with the following in it:

FOR /F "skip=3 delims=\ " %%A IN ('NET VIEW') DO start /b phantomjs.exe examples\rasterize.js http://%%A imgs\%%A.png
FOR /F "skip=3 delims=\ " %%A IN ('NET VIEW') DO start /b phantomjs.exe examples\rasterize.js https://%%A imgs\%%A.png

There are some cool tricks in here. First, we are using 'net view' as our target list. Second, we are using 'start /b' to throw everything into the background so we don't have to wait for each to finish (a crude way to thread actions in BAT files). And finally, we are checking for both HTTP and HTTPS. What we are not doing, however, is any logging, so if you want to catch errors it's all you. Just remember that when trying to redirect output from a command started with 'start' you have to prefix the > with a ^, so it looks like:

start echo blah ^> blah.txt

You are ALMOST ready to rock. There is a slight bug in rasterize.js: if it can't resolve the address or otherwise can't contact the web server (which is going to be the majority of cases for us) it hangs in an open state. This is bad; we don't want to have a thousand hung phantomjs.exe processes sitting around. Simply make a new line after line 20 and add 'phantom.exit();' so it knows to exit if it encounters a failed connection.

That's it, happy hunting from both inside and outside.

P.S. PhantomJS supports SOCKS and HTTP proxies, so if you use them (Tor) or run into them internally, support is there. A quick mod to your batch file and you're golden:

--proxy=address:port Sets the network proxy (e.g. "--proxy=192.168.1.42:8080")
--proxy-auth=username:password Sets authentication details for the proxy (basic auth)
--proxy-type=[http|socks5] Sets the proxy type, either "http" (default) or "socks5"

Friday, May 25, 2012

SUDOERS Commented Includes used for Evil

I found a number of things interesting when reading the following post:

http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/

Too bad that nmap's interactive mode was taken out, but there are a great number of other such methods, most notably VI's shell mode. 

But when I started looking into appending or inserting lines into /etc/sudoers for CCDC, I happened upon an interesting function of that file. Near the end of the file there are two lines:

# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d

Both look commented out, but in actuality the #includedir line, exactly as-is, is interpreted and acted upon. So any file that you put in the /etc/sudoers.d directory counts as an extension of the /etc/sudoers file. Make a small edit to the default README file there, padding it with a bunch of added # commented-out lines copied directly from the sudo man page, with a

nobody ALL = NOPASSWD: ALL

buried in the middle; that, or www-data plus a webshell, makes for easy re-exploitation.

Just an evil way to stay hidden on a 'nix box…
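An audit that applies the sudoers(5) parsing rule this post turns on its head, added here as an example and not part of the original post: it treats #include/#includedir lines as directives rather than comments, follows them into /etc/sudoers.d (skipping the file names sudo itself skips, which is why a bare README is live), and flags NOPASSWD rules granted to service accounts such as nobody or www-data. SAMPLE_README is a constructed file, not a real system file, and SERVICE_ACCOUNTS is my own list.

```python
import re
from pathlib import Path

# sudoers(5): "#include"/"#includedir" lines are directives, not comments, despite
# the leading '#'; newer sudo also accepts "@include" to remove the ambiguity.
INCLUDE_RE = re.compile(r"^\s*[#@]include(dir)?\s+(\S+)")
# "<user or %group> <host> = ... NOPASSWD: ..." with the tag anywhere on the line
NOPASSWD_RE = re.compile(r"^\s*(\S+)\s+\S+\s*=.*\bNOPASSWD\b")
SERVICE_ACCOUNTS = {"nobody", "www-data", "apache", "nginx", "daemon"}

# Constructed sample (not a real file): a sudoers.d/README padded with man-page comments.
SAMPLE_README = """\
# Sudoers allows particular users to run various commands as
# the root user, without needing the root password.
nobody  ALL = NOPASSWD: ALL
# See the man page for details on how to write a sudoers file.
"""

def audit(text, source="sudoers"):
    """Findings (source, lineno, kind, detail): include directives and service-account NOPASSWD rules."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        inc = INCLUDE_RE.match(line)
        if inc:
            kind = "includedir" if inc.group(1) else "include"
            findings.append((source, n, kind, inc.group(2)))
        elif line and not line.startswith("#"):  # skip blanks and real comments
            rule = NOPASSWD_RE.match(line)
            if rule and rule.group(1).lstrip("%") in SERVICE_ACCOUNTS:
                findings.append((source, n, "nopasswd", line))
    return findings

def audit_tree(root="/etc/sudoers"):
    """Audit /etc/sudoers plus every file its directives pull in."""
    findings, pending, seen = [], [Path(root)], set()
    while pending:
        p = pending.pop()
        if p in seen or not p.is_file():
            continue
        seen.add(p)
        for f in audit(p.read_text(errors="replace"), str(p)):
            findings.append(f)
            if f[2] == "include":
                pending.append(Path(f[3]))
            elif f[2] == "includedir" and Path(f[3]).is_dir():
                # sudoers(5) skips names containing '.' or ending in '~', so a bare README is live
                pending += [c for c in Path(f[3]).iterdir()
                            if "." not in c.name and not c.name.endswith("~")]
    return findings
```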

Update: 

nmap --script <(echo "os.execute('/bin/sh')")

'nuf said… (thanks @bonsaiviking)

Tuesday, May 22, 2012

DerbyCon Training (Sep 27-28 2012)

@egypt and I have teamed up this year to teach at DerbyCon at the end of September. Here is the very basic outline of the class, subject to change:

(Sign up here: https://www.derbycon.com/training-courses/ )

THURSDAY
Intro to the Framework 
 - The history of the Framework
 - Ninja Demo
Usage
 - Recon
 - Exploitation
 - Pillaging
 - Post modules
Intro to Ruby
 - Getting your environment set up
 - Ruby Basics: Strings, Arrays, and Methods, oh my
 - IRB, Pry - The No-Spoon Portion
Navigating Documentation
Module Writing
 - Auxiliary Modules
 - Exploit Modules
 - Post Modules
 - Railgun (Windows and ?Linux?)
Meterpreter(s)
The Dread Pirate Reporting
LAB, LABs and more LABS
FRIDAY
CTF + open LAB time

Definitely open to requests for content if you, as a student, would like a particular topic included.


Thursday, Apr 26, 2012

phDays in Moscow

A friend of mine is presenting at phDays in Moscow at the end of May. If you are in the area, or can be, I would highly recommend you attend, and in particular his talk.

His blog is here: http://blog.gentilkiwi.com/

And since a picture is worth a thousand words:


You should really go check out what he is going to present... just sayin'