Exploiting BITS Misconfigurations with PowerUp and Mimikatz
Situation:
This project focused on identifying and exploiting misconfigurations on the costumes.artstailor.com host within the artstailor.com network. The goal was to use PowerUp and its obfuscated counterpart PowerDown to elevate privileges, create an administrative account, and then extract sensitive credentials with Mimikatz.
Obstacles:
- Antivirus Interference: PowerUp.ps1 was flagged as a threat by Windows Defender, requiring the use of PowerDown.ps1.
- Execution Policy Restrictions: Running PowerShell scripts with limited permissions required bypassing execution policies.
- Privilege Escalation: Identifying and exploiting the Background Intelligent Transfer Service (BITS) misconfiguration that allowed escalation.
Actions Taken:
- Environment Setup:
  - Created a shared /tmp/ex9/ directory on Kali to store the PowerSploit and Mimikatz tools.
  - Established a remote desktop session with costumes.artstailor.com using the credentials from Ex080 (s.wilkins:Fall2021).
  - Verified the connection by confirming the IPv4 address of the remote session.
- PowerDown Usage:
  - Mounted the shared directory using the net use command.
  - Ran PowerDown.ps1 in PowerShell with execution policy bypass enabled.
  - Executed the Do-AllChecks command to identify system vulnerabilities.
- BITS Exploitation:
  - Used Do-ServiceAbuse -Name 'BITS' to modify the BITS service binary path.
  - Restarted the BITS service to execute the binary and create a local administrative account (pasta:Password123!).
- Administrative Access:
  - Logged into the new administrator account and disabled Windows Defender real-time protection.
  - Successfully imported and executed Mimikatz to collect sensitive data.
- Mimikatz Operations:
  - Extracted credential hashes, Kerberos tickets, and Security Account Manager (SAM) database entries.
  - Generated a Golden Ticket using kerberos::golden for persistent domain access.
  - Saved all extracted data to plunder.pr0b3.com.
Results:
- Vulnerability Identified:
  - BITS Weak Service Permissions: Allowed modification of the service binary path, leading to privilege escalation.
- Access Achieved:
  - Created a local administrator account (pasta:Password123!) and gained SYSTEM-level privileges.
- Sensitive Data Extracted:
  - Credential hashes for local user accounts, including n.nolan, were dumped.
  - A Golden Ticket was successfully generated for long-term access.
- Risk Level:
  - Critical: Exploitation enabled full compromise of the target host.
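The weak-permission finding above comes down to one question a defender can ask of every service: does any principal outside SYSTEM and the local Administrators group hold rights that let it rewrite the service definition? The following PowerShell is an added example for auditing that, not code from this write-up or from PowerUp; it reads each service's security descriptor with sc.exe sdshow and reports allow-ACEs carrying SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE or GENERIC_ALL. The trusted-SID list and the function name are assumptions for the example.

```powershell
# Added example, not part of the original write-up: enumerate Windows services
# whose security descriptor grants reconfiguration rights to principals other
# than SYSTEM and BUILTIN\Administrators. Run from an elevated PowerShell session.

# Service access rights from winsvc.h that allow the service definition
# (including its binary path) to be changed.
$SERVICE_CHANGE_CONFIG = 0x00000002
$WRITE_DAC             = 0x00040000
$WRITE_OWNER           = 0x00080000
$GENERIC_ALL           = 0x10000000
$GENERIC_WRITE         = 0x40000000
$ReconfigureMask = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL -bor $GENERIC_WRITE

# Principals expected to hold these rights (assumed baseline); anything else is reported.
$TrustedSids = @('S-1-5-18', 'S-1-5-32-544')   # NT AUTHORITY\SYSTEM, BUILTIN\Administrators

function Get-WeakServicePermission {
    [CmdletBinding()]
    param(
        # Service names to inspect; defaults to every installed service.
        [string[]]$Name = (Get-Service | Select-Object -ExpandProperty Name)
    )
    foreach ($svc in $Name) {
        # sc.exe sdshow prints the service's security descriptor in SDDL form
        # (sc.exe is spelled out because 'sc' is a PowerShell alias for Set-Content).
        $sddl = (sc.exe sdshow $svc 2>$null | Where-Object { $_ -match '^\s*[A-Z]:' }) -join ''
        if (-not $sddl) { continue }
        try {
            $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl.Trim())
        } catch { continue }
        foreach ($ace in $sd.DiscretionaryAcl) {
            # Only allow-ACEs with a plain SID matter here; skip deny and object ACEs.
            if (-not ($ace -is [System.Security.AccessControl.CommonAce])) { continue }
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            $sid = $ace.SecurityIdentifier.Value
            if ($TrustedSids -contains $sid) { continue }
            if (($ace.AccessMask -band $ReconfigureMask) -eq 0) { continue }
            # Resolve the SID to an account name where possible.
            try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $sid }
            [pscustomobject]@{
                Service      = $svc
                Principal    = $who
                AccessMask   = ('0x{0:X8}' -f $ace.AccessMask)
                ChangeConfig = [bool]($ace.AccessMask -band $SERVICE_CHANGE_CONFIG)
            }
        }
    }
}

# Usage: review the service from this finding, or sweep the whole host.
Get-WeakServicePermission -Name 'BITS'
# Get-WeakServicePermission | Format-Table -AutoSize
```

A hit with ChangeConfig set to True for a non-administrative principal is exactly the condition that let the BITS binary path be rewritten here. SERVICE_ALL_ACCESS (0xF01FF) includes SERVICE_CHANGE_CONFIG, so an ACE granting full access is caught by the mask as well.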
Tool Purpose Overview:
PowerUp:
- A PowerShell module for privilege escalation, used to identify and exploit system misconfigurations.
PowerDown:
- An obfuscated version of PowerUp designed to bypass antivirus detection.
Mimikatz:
- A post-exploitation tool used to extract sensitive data such as credentials, Kerberos tickets, and password hashes.
rdesktop:
- A remote desktop client used to connect to the target system and share tools from the attacker’s machine.
Recommendations:
- Harden Service Permissions:
  - Restrict modification of the BITS service configuration to administrative users only.
  - Regularly audit service configurations for misconfigurations.
- Enhance Antivirus Capabilities:
  - Ensure antivirus is configured to detect obfuscated scripts such as PowerDown.ps1 and to block the binaries they drop or execute.
- Implement Strong Credential Policies:
  - Disable default administrator accounts and enforce strong, unique passwords.
  - Regularly rotate service account credentials.
- Monitor for Privilege Escalation Attempts:
  - Use logging and monitoring tools to detect unusual modifications to services like BITS.
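The last recommendation needs something concrete behind it: the Service Control Manager records a new service installation but does not log a change to an existing service's binary path, so the modification made to BITS in this exercise leaves no event of its own. One way to monitor for it is to keep a baseline of every service's ImagePath and diff the live registry against it on a schedule. The script below is an added example, not from this write-up; the baseline file location, the function names and the suspicious-content patterns are assumptions.

```powershell
# Added example, not part of the original write-up: snapshot the binary path of
# every installed service and report services that were added or whose path
# changed since the snapshot, flagging paths that look like inline commands.

$BaselinePath = 'C:\ProgramData\ServiceBaseline.json'   # assumed storage location

# Command fragments that do not belong in a service binary path (assumed list;
# the BITS abuse above used the path to run an account-creation command).
$SuspiciousPatterns = @(
    '\bnet1?(\.exe)?\s+(user|localgroup)',
    'powershell.*-e(nc|ncodedcommand)?\b',
    'cmd(\.exe)?\s+/c',
    '\\Users\\',
    '\\Temp\\'
)

function Get-ServiceImagePath {
    # The registry ImagePath is what the Service Control Manager actually launches.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.ImagePath) {
            [pscustomobject]@{ Name = $_.PSChildName; ImagePath = [string]$props.ImagePath }
        }
    }
}

function Test-SuspiciousImagePath {
    param([Parameter(Mandatory)][string]$ImagePath)
    foreach ($pattern in $SuspiciousPatterns) {
        if ($ImagePath -match $pattern) { return $true }
    }
    return $false
}

function Save-ServiceBaseline {
    param([string]$Path = $BaselinePath)
    # Capture on a known-good host, before it is exposed to users.
    Get-ServiceImagePath | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Compare-ServiceBaseline {
    param([string]$Path = $BaselinePath)
    $baseline = @{}
    foreach ($entry in (Get-Content -Path $Path -Raw | ConvertFrom-Json)) {
        $baseline[$entry.Name] = $entry.ImagePath
    }
    foreach ($cur in Get-ServiceImagePath) {
        $flag = Test-SuspiciousImagePath -ImagePath $cur.ImagePath
        if (-not $baseline.ContainsKey($cur.Name)) {
            [pscustomobject]@{ Service = $cur.Name; Change = 'New service';
                               Old = $null; New = $cur.ImagePath; Suspicious = $flag }
        } elseif ($baseline[$cur.Name] -ne $cur.ImagePath) {
            [pscustomobject]@{ Service = $cur.Name; Change = 'ImagePath modified';
                               Old = $baseline[$cur.Name]; New = $cur.ImagePath; Suspicious = $flag }
        }
    }
}

# Usage: run Save-ServiceBaseline once, then schedule Compare-ServiceBaseline and
# alert on any output, treating Suspicious -eq $true as high priority.
```

Pair the baseline comparison with the audit of service permissions: the permission audit tells you which services could be abused, and the baseline diff tells you whether one already has been. Any "ImagePath modified" row for a service that no deployment or patch touched deserves the same triage as a new unsigned service.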