Penetration testing

Case Study: Leisure Industry

Our world-leading experts in cybersecurity deliver comprehensive security services to clients worldwide. In this case study, pen tester Warren Butterworth describes a recent engagement for a client in the leisure industry, where we faced a number of unique challenges on the way to success.

During a recent internal penetration test, we encountered a scenario where we had to work a bit harder than usual to gain Domain Admin access. As a rule, without using red team tactics like phishing, we need one of two things to gain initial access. Very simply, we need one of these:

  1. Something vulnerable
  2. Credentials

Less simply, we need to steal , sniff or crack some credentials or find something vulnerable (a juicy CVE will do nicely) to enable us to get a beacon/session on our initial target.

Often the first step that comes to mind in a test like this is responder/mitm6 or some sort of MITM attack to steal creds and relay/crack them. This is usually a fruitful process and usually finds some weak passwords, but in this case the client had been tested multiple times (including by ourselves) and had worked hard to push a new password policy. Even with an AWS hashcat instance these credentials were tough to crack.

Relaying credentials didn’t produce any joy either, so we were left with finding something vulnerable.

We started to hunt around for a vulnerability and came across Vcenter, a version of which was vulnerable to CVE-2021–22005. This exploit uses a file upload in VMware vCenter Server’s analytics/telemetry (CEIP) service to write a system crontab and execute shell commands as the root user. Once we gained access to vCenter as root, We were able to retrieve the data.mdb file containing certificates stored in clear text that could be used to sign any SAML authentication request for any user, including the built-in Administrator. With this file, we used a tool created by horizon3ai to create a cookie for the vCenter UI.

After injecting the cookie into a browser session on the vCenter/UI URL, we were authenticated onto the vSphere GUI administrator. We then came to a bit of a crossroads in terms of our next actions:

  1. Dump vmdks and mount them locally grab SYSTEM,SAM,SECURITY and dump hashes.
  2. Open all VMs to see if any gave us some sort of access.

After a mental coin toss, we started with downloading dumps. The process involved downloading the vmdk file, using kpartx to create device maps from the VMDK partition tables, mounting the partition, copying the SAM, SECURITY and SYSTEM files, and then running secretsdump on them. This process gave me access to some RID 500 accounts hashes and Domain Cached Credentials (DCC), which were slow to crack. The RID 500s didn’t have any access on the rest of the domain but it was a useful exercise.

Next, we opened every single VM to see if any didn’t need passwords to log in. Surprisingly, we found one VM that dumped us straight on the desktop with no password prompt. After an initial poke around, we found Sophos running, so we set up Responder and ntlmrelay. Using the VM, we navigated to our Kali VM, captured and relayed the hash. This was a privileged account so we could successfully dump credentials from 2x Management Servers. A lot of hashes were in here, including LSA secrets in clear text for an account that was configured to start a service. This account was a domain admin, so we could have packed up here and gone home for a sandwich, but we like to go the extra mile at Omni.

We wanted to get a CobaltStrike Beacon, so we wmiexec’d to the Domain Controller. Our regular foe Sophos was running again, so before dumping any file on the disk, we ran Hook Detector to see what Windows APIs were being hooked. We found a few Windows APIs hooked but a few that were not, including NTQueueApcThread. Using a little C#, we created a process inject executable that downloaded a bin file and injected a payload (our CS Beacon) into memory. After hosting the bin file, uploading and running the exe, we were presented with a High Integrity beacon for CobaltStrike. From here, a DCSYNC of the krbtgt NTLM/AES hash gave us domain dominance.

Time to write up that report.

Overall, this engagement with a client in the leisure industry was a challenging one that tested our pen tester’s lateral thinking, technical expertise and perseverance. It highlights the importance of having robust security measures in place to protect against cyber threats and the need for quality independent penetration testing, to give you a complete over view of your organisation’s cybersecurity, and to show you where you might need to improve. Contact our team today to find out more about our world-class pen testing services.

Contact us