
Windows 2008 SP1 - Ways to exploit?

r00tinflux

Newbie

Posts: 7

Joined: Mon Apr 02, 2012 6:01 pm

Post Mon Apr 02, 2012 8:17 pm

Windows 2008 SP1 - Ways to exploit?

Hi All

I have registered for OSCP and have been enjoying the labs/modules for two weeks now. Recently I have been stuck at exploiting a Win 2008 Server SP1 box, which is the Master server in the lab domain. I have got a shell on the Win 2003 Slave server and a few other XP flavors.

Just wondering whether anyone who is currently registered for/finished OSCP can throw some light on ways to exploit the 2008 Master server? AFAIK, there is no remote buffer overflow for the Win 2008 server (at least not reported to the public).

Cheers,
cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Apr 02, 2012 9:38 pm

Re: Windows 2008 SP1 - Ways to exploit?

Just checked my notes. It's possible to pwn that box and my notes also had a star by them that says, "Try Harder"
TheXero

Full Member

Posts: 112

Joined: Tue Dec 07, 2010 12:24 pm

Post Tue Apr 03, 2012 3:04 am

Re: Windows 2008 SP1 - Ways to exploit?

Good advice cd1zz xD

Just remember that with OSCP you are on your own, you just need to try a few things and think outside the box in order to achieve specific goals.
r00tinflux

Newbie

Posts: 7

Joined: Mon Apr 02, 2012 6:01 pm

Post Tue Apr 03, 2012 7:23 am

Re: Windows 2008 SP1 - Ways to exploit?

Agreed with the "Try Harder" approach.. there is no fun in a spoon-fed solution ;)

I have been trying various approaches and wanted to confirm whether it is pwnable via a remote exploit or not..

Cheers..
r00tinflux

Newbie

Posts: 7

Joined: Mon Apr 02, 2012 6:01 pm

Post Tue Apr 03, 2012 7:57 am

Re: Windows 2008 SP1 - Ways to exploit?

W00t W00t! Must be the magic of this forum.. Pwnd the 2008 box ;D
cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Tue Apr 03, 2012 8:51 am

Re: Windows 2008 SP1 - Ways to exploit?

SO much more rewarding to do it that way than to have it given to you.
triznut

Newbie

Posts: 20

Joined: Wed Feb 04, 2009 3:55 pm

Post Wed Apr 04, 2012 12:20 am

Re: Windows 2008 SP1 - Ways to exploit?

Damn. I'm in the same rut on the 2008 sp1 box. Guess I've got to try harder!
MCITP:SA, LPIC-L1, CWNA, SEC+, C|EH , C|PTE
impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Wed Apr 04, 2012 11:41 pm

Re: Windows 2008 SP1 - Ways to exploit?

Come on guys, I've been studying this training for the last 2 1/2 weeks and I am still beginning the SMTP part (my record shows me 19 hours)

How fast do you move with the material? I am trying to assimilate all the info and do all the labs and extra miles but I am not sure if 90 days will be enough.
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Apr 05, 2012 7:24 am

Re: Windows 2008 SP1 - Ways to exploit?

impelse wrote:Come on guys, I've been studying this training for the last 2 1/2 weeks and I am still beginning the SMTP part (my record shows me 19 hours)

How fast do you move with the material? I am trying to assimilate all the info and do all the labs and extra miles but I am not sure if 90 days will be enough.

I don't think there's a good answer for that because it's totally going to depend on your background. I thought v2 was pretty serious when I got it a few years ago, but I went through the v3 material a couple of months ago and was able to skim through most of it. The most difficult part for me is apparently to stop procrastinating and schedule the exam ;)
The day you stop learning is the day you start becoming obsolete.
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Thu Apr 05, 2012 7:59 am

Re: Windows 2008 SP1 - Ways to exploit?

impelse wrote:Come on guys, I've been studying this training for the last 2 1/2 weeks and I am still beginning the SMTP part (my record shows me 19 hours)

How fast do you move with the material? I am trying to assimilate all the info and do all the labs and extra miles but I am not sure if 90 days will be enough.

Here is something I will give a tip on concerning the OSCP and others like it: if your machine is doing only one thing, and you're focused on one thing... you're doing it wrong.

You're capable of opening up as many terminals as the memory on your machine allows to perform functions. If you're doing the exam or others like it using a Unix-based system, I suggest creating desktops for specific tasks, e.g.:

Desktop 1 - Scanning and Enumeration
Desktop 2 - brute forcing / password cracking
Desktop 3 - Web applications
etc
etc

This allows you to go back and forth and perform multiple tasks without getting lost. Scripting helps, e.g.:

nmap -sS -sV -O this.block/24 -oX this.block-scan.xml ; printf "\n\nDone"|wall

You don't necessarily have to wait for nmap to finish to perform another task. You can move on and do what you need to do. Let's better this example:

  Code:
[root@kenji ~]# uname -a
FreeBSD kenji 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Mar 20 10:42:10 EDT 2012     root@kenji:/usr/obj/usr/src/sys/SARU  i386
[root@kenji ~]# nmap -sS -sV -p 80 -v 10.4.64.89

Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-04-05 08:47 EDT
NSE: Loaded 16 scripts for scanning.
Initiating Ping Scan at 08:47
Scanning 10.4.64.89 [4 ports]
Completed Ping Scan at 08:47, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:47
Completed Parallel DNS resolution of 1 host. at 08:47, 0.08s elapsed
Initiating SYN Stealth Scan at 08:47
Scanning 89.64.4.10.in-addr.arpa (10.4.64.89) [1 port]
Discovered open port 80/tcp on 10.4.64.89
Completed SYN Stealth Scan at 08:47, 0.21s elapsed (1 total ports)
Initiating Service scan at 08:47
Scanning 1 service on 89.64.4.10.in-addr.arpa (10.4.64.89)
Completed Service scan at 08:47, 6.00s elapsed (1 service on 1 host)
NSE: Script scanning 10.4.64.89.
Nmap scan report for 89.64.4.10.in-addr.arpa (10.4.64.89)
Host is up (0.0010s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    VMware Server 2 http config
Service Info: Host: 89.vonworldwide.com

Read data files from: /usr/local/share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.72 seconds
           Raw packets sent: 6 (240B) | Rcvd: 2 (72B)


This is fine, but a waste of time. My goal is to find whether or not this host was running a webserver. Simply because I needed to enumerate it after the fact. Maybe with dirbuster or Nikto. I know that I need to do something AFTER the fact, and I don't want to sit around waiting for this to finish to get to the next stage.

  Code:
[root@kenji ~]# uname -a
FreeBSD kenji 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Mar 20 10:42:10 EDT 2012     root@kenji:/usr/obj/usr/src/sys/SARU  i386
[root@kenji ~]# nmap -sS -sV -p 80 -v 10.4.64.89 | awk '/open/ {
>   print a[NR%2] "\n" a[(NR+1)%2]
>   print;getline;print;getline;exit
> }
> {a[NR%2]=$0}
> '|awk '/open port/{print $6}'
10.4.64.89
[root@kenji ~]#


Now that this solves one problem, I can create a script that does something like:

  Code:
if [ this server runs http ]
then
    run nikto using this directory list I created
fi

Let's see it in action:

  Code:
[root@kenji ~]# nmap -sS -sV -p 80 -v 10.4.64.89 | awk '/open/ {
  print a[NR%2] "\n" a[(NR+1)%2]
  print;getline;print;getline;exit
}
{a[NR%2]=$0}
'|awk '/open port/{print "nikto -host "$6}'|sh
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          10.4.64.89
+ Target Hostname:    10.4.64.89
+ Target Port:        80
+ Start Time:         2012-04-06 08:53:41
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ Root page / redirects to: https://10.4.64.89/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
^C[root@kenji ~]#


I killed it as it was only an example. In exams like this where time is a factor, don't get bogged down with waiting on anything. There is nothing stopping you from automating a lot of tasks to narrow down the information you will need. This applies in the REAL world of penetration testing. Most times, I have automated scripts ready to roll the minute I pop a session. The reason for this is to allow me to get in and out and get as much data as quickly and silently as possible. When I say silent, if you've read any of my posts before, I use a LOT of decoys ;) I also tend to use alternative means for extracting data. E.g., I will use DNS, ICMP, UDP, SSL tunnels at a rate-limited speed. I will throw data into comments on a webpage, then view the webpage and parse out the comments. Think outside the box. For some of these exams, it's not always about an 0day either. There is escalation and so forth. Config files, sniffing the wire from one machine to another. I would add "Try DIFFERENTLY" to their Try Harder motto.
impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Thu Apr 05, 2012 8:54 am

Re: Windows 2008 SP1 - Ways to exploit?

Sil, I like your post. I was thinking something like that, how to speed up the process. Last night I was enumerating SNMP and I was using two terminals with different IP addresses trying to speed it up.

Also, when in the extra mile they ask "create a script to do some scanning", after I make it work I try to modify it as if another person will use it, only typing the filename + IP address.

Now to mix scripts with tools, as I like to speed up the process.. Good.....
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Thu Apr 05, 2012 9:04 am

Re: Windows 2008 SP1 - Ways to exploit?

When I did my exam, I literally created a script to do the entire thing and at the last minute, many of my machines were firewalled, Bastille Linux'd, etc., so I had to modify it and parse out sections on the fly. I submitted the script to them as well and explained what it was I did and why. Unsure if that gave me brownie points heh....

So an approach would be something like:

  Code:
if [ this scan shows http ]
then
    run these http based tools against those
else
    if [ this scan shows snmp ]
    then
        run these snmp based tools
    else
        if [ this scan shows http login forms ]
        then
            run hydra using this wordlist and dictionary list
        fi
    fi
fi

I would throw in walls after each command so you'll know step X was finished.
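Both of sil's sketches (run nikto when the scan shows http; branch on http versus snmp) come down to one pattern: parse the scanner's output, then dispatch by service. The awk pipeline earlier in the thread scrapes nmap's human-readable -v output, which changes between nmap versions and breaks silently when it does; the -oX XML output sil's very first command writes is stable and intended to be parsed. The Python below is an added example, not code from the thread or from nmap or nikto: it parses a constructed -oX sample (modelled on the scan shown above, with a second host and a down host added) and groups open services by follow-up stage. The FOLLOWUP table, the stage names and the sample data are assumptions; the script only plans follow-ups and runs nothing, so the list can be reviewed before any tool is launched, and the same parser serves a defender doing asset inventory or verifying a scan against an expected baseline.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap -oX format, modelled on the scan in the thread
# (10.4.64.89, tcp/80, "VMware Server 2 http config"); the other two hosts
# are made up to exercise the udp, closed-port and host-down branches.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX scan.xml 10.4.64.0/24" version="5.61TEST5">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.4.64.89" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="VMware Server 2 http config" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="closed" reason="reset"/>
        <service name="ssh" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.4.64.90" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="161">
        <state state="open" reason="udp-response"/>
        <service name="snmp" product="net-snmp" method="probed" conf="10"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.4.64.91" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Hypothetical dispatch table (assumption, not from the thread): nmap service
# name -> follow-up stage, mirroring the "if http ... if snmp ..." structure.
FOLLOWUP = {
    "http": "web-enumeration",
    "https": "web-enumeration",
    "snmp": "snmp-enumeration",
}


def parse_open_services(xml_text):
    """Return (addr, proto, port, service) for every open port on every host that is up.

    Hosts that are down and ports in any state other than "open" are skipped,
    so filtered/closed noise never reaches the dispatch step.
    """
    root = ET.fromstring(xml_text)
    found = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            found.append((addr, port.get("protocol"), int(port.get("portid")), name))
    return found


def plan_followups(services, table=FOLLOWUP):
    """Group host:port/proto strings by the follow-up stage their service maps to.

    Services with no table entry land in "manual-review" rather than being
    dropped, so nothing the scan found disappears from the plan.
    """
    plan = {}
    for addr, proto, portid, name in services:
        stage = table.get(name, "manual-review")
        plan.setdefault(stage, []).append(f"{addr}:{portid}/{proto}")
    return plan


if __name__ == "__main__":
    # Print the plan only; launching anything is a separate, deliberate step.
    services = parse_open_services(SAMPLE_NMAP_XML)
    for stage, targets in sorted(plan_followups(services).items()):
        print(f"{stage}: {', '.join(targets)}")
```

With a real scan, replace SAMPLE_NMAP_XML with the contents of the -oX file; the parser ignores hostnames, MAC addresses and the extra elements newer nmap versions emit, so it keeps working where the line-oriented awk scrape would not.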
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Apr 05, 2012 9:13 am

Re: Windows 2008 SP1 - Ways to exploit?

sil wrote:nmap -sS -sV -O this.block/24 -oX this.block-scan.xml ; printf "\n\nDone"|wall


What, you can't hear "\a" over all that KMFDM? ;)

sil wrote:Most times, I have automated scripts ready to roll the minute I pop a sessions. The reason for this is to allow me to get in and out and get as much data as quickly and silently as possible. When I say silent, if you've read any of my posts before, I use a LOT of decoys ;)


Do you ever find yourself testing on networks that have NAC? Most decoy / noise activities typically get you shut down quickly. Beyond low-and-slow, do you have alternate strategies for those situations?
The day you stop learning is the day you start becoming obsolete.
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Thu Apr 05, 2012 9:36 am

Re: Windows 2008 SP1 - Ways to exploit?

ajohnson wrote:Do you ever find yourself testing on networks that have NAC? Most decoy / noise activities typically get you shut down quickly. Beyond low-and-slow, do you have alternate strategies for those situations?


Client sides. I am a stickler for spelling things out from the jump. When we meet with clients, I often take the time to explain to them the differences in attacks and attackers. I always explain to them the realities and costs associated with an attack because there is a cost for an attacker, and there are different types of attackers.

Once a client understands the differences (an INTENT attacker: someone who wants in no matter what the cost) they almost always allow me to try anything and everything. So most of the time I perform 4 types of tests. I've documented those different tests in the document I wrote for the RWSP (outside attacker, outside attacker w/creds, insider, insider w/creds). By insider, it does not solely mean "Joe who works for the IT department"; it extends to the social engineer who'll find a way onto the environment and work blindly, as well as that same social engineer who managed to get credentials.

It all boils down to your SOW and your presentation way beforehand to get your client to agree to full-blown testing.
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Apr 05, 2012 9:54 am

Re: Windows 2008 SP1 - Ways to exploit?

sil wrote:By insider, it does not solely mean "Joe who works for the IT department"; it extends to the social engineer who'll find a way onto the environment and work blindly, as well as that same social engineer who managed to get credentials.


This can be a surprisingly difficult point to get across. People are still fixated on the idea of a firmly defined perimeter between "us" and "them," and that hasn't been the case for a decade+. Sorry, your users will click on links, documents, and executables and disclose information with reckless abandon.

sil wrote:It all boils down to your SOW and your presentation way beforehand to get your client to agree to full-blown testing.


Absolutely. I was specifically speaking from a technical perspective where they wanted to leave NAC in place during an engagement.
Last edited by dynamik on Thu Apr 05, 2012 9:58 am, edited 1 time in total.
The day you stop learning is the day you start becoming obsolete.