diff --git a/Lab-Setup-Binary/Checksum-Binaries.txt b/Lab-Setup-Binary/Checksum-Binaries.txt index f002efd..9f9eeda 100644 --- a/Lab-Setup-Binary/Checksum-Binaries.txt +++ b/Lab-Setup-Binary/Checksum-Binaries.txt @@ -1,6 +1,7 @@ -Monitor_AMD64.exe D7CD130E242A2CEFCC33A8F8529DDDA7 -NCV_AMD64.exe 21A208E615C77D2CA3B2C16C86851A0F -Service 1.exe AD78384BB3D30A47E32B7080D24B332C -Service2.exe 936D5F332168C263C1B43DCF24350438 -Service3.exe 9883769C732076059739DC1F11B91155 -Service4.exe 867A96D7C60FD18109B717E20A416531 \ No newline at end of file +Monitor_AMD64.exe D7CD130E242A2CEFCC33A8F8529DDDA7 +NCV_AMD64.exe 21A208E615C77D2CA3B2C16C86851A0F +Service 1.exe AD78384BB3D30A47E32B7080D24B332C +Service2.exe 936D5F332168C263C1B43DCF24350438 +Service3.exe 9883769C732076059739DC1F11B91155 +Service4.exe 867A96D7C60FD18109B717E20A416531 +CustomDotNetApp.exe 9E7CF367A5550FDCA2665D91064D6111 \ No newline at end of file diff --git a/Lab-Setup-Binary/CustomDotNetApp.exe b/Lab-Setup-Binary/CustomDotNetApp.exe new file mode 100644 index 0000000..607aef3 Binary files /dev/null and b/Lab-Setup-Binary/CustomDotNetApp.exe differ diff --git a/Lab-Setup-Source-Code/CustomDotNetApp.cs b/Lab-Setup-Source-Code/CustomDotNetApp.cs index 9fa2f01..d967cca 100644 --- a/Lab-Setup-Source-Code/CustomDotNetApp.cs +++ b/Lab-Setup-Source-Code/CustomDotNetApp.cs @@ -1,15 +1,20 @@ using System; -using System.Diagnostics; using System.IO; +using System.ServiceProcess; namespace CustomDotNetApp { - class Program + public partial class Service1 : ServiceBase { - static void Main(string[] args) + public Service1() { - string username; - string password; + InitializeComponent(); + } + + protected override void OnStart(string[] args) + { + string username = "Adminstrator"; // Set your username + string password = "Asa31904#!"; // Set your password // Check if the provided credentials are correct if (Authenticate(username, password)) 
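Review bot: The new `CustomDotNetApp.exe` entry is a 32-hex-digit value, which looks like MD5, and MD5 is not collision-resistant, so it only guards against accidental corruption of the download. Because the list is stored in the same repository as the binary it describes, it also cannot show that the committed `.exe` was built from the source in this commit. I would add a SHA-256 value per file, e.g. `CustomDotNetApp.exe  SHA256:<sha256-of-the-committed-binary>`, and name the algorithm in the file so users know which tool to run. The six existing entries are removed and re-added with identical text, presumably a line-ending change.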
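Review bot: The username literal in `OnStart` is spelled `"Adminstrator"` (missing an `i`), while the Java counterpart changed in this same commit uses `"Administrator"`. `Authenticate`, changed in the third hunk of this file, carries the same misspelling, so the check still passes, but the string embedded in the binary no longer names the local Administrator account that the lab notes tell the user to enable. I would change both occurrences to `"Administrator"` and replace the `// Set your username` / `// Set your password` comments with `// Lab-only credential, hardcoded on purpose; must match the account configured by EnableLocalAdmin.ps1` (whether the script sets this password cannot be confirmed from the diff). The committed binary and its checksum entry would need regenerating after the fix. OnStart's body continues outside the hunk.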
@@ -20,8 +25,8 @@ static void Main(string[] args) using (StreamWriter writer = new StreamWriter(outputFile)) { - Process[] processes = Process.GetProcesses(); - foreach (Process process in processes) + System.Diagnostics.Process[] processes = System.Diagnostics.Process.GetProcesses(); + foreach (System.Diagnostics.Process process in processes) { writer.WriteLine($"Process Name: {process.ProcessName}, PID: {process.Id}, Memory: {process.WorkingSet64} bytes"); } @@ -36,10 +41,15 @@ static void Main(string[] args) } } - static bool Authenticate(string username, string password) + protected override void OnStop() + { + // Clean up any resources if needed + } + + private bool Authenticate(string username, string password) { // Hardcoded authentication (for demonstration purposes only) - if (username == "admin" && password == "password123") + if (username == "Adminstrator" && password == "Asa31904#!") { return true; } diff --git a/Lab-Setup-Source-Code/CustomJavaApp.java b/Lab-Setup-Source-Code/CustomJavaApp.java index a481f2e..e398096 100644 --- a/Lab-Setup-Source-Code/CustomJavaApp.java +++ b/Lab-Setup-Source-Code/CustomJavaApp.java @@ -31,6 +31,6 @@ public static void main(String[] args) { static boolean authenticate(String username, String password) { // Hardcoded authentication (for demonstration purposes only) - return username.equals("admin") && password.equals("password123"); + return username.equals("Administrator") && password.equals("Asa31904#!"); } } diff --git a/Lab-Setup-Source-Code/ProjectInstaller.CustomDotNetApp.Designer.cs b/Lab-Setup-Source-Code/ProjectInstaller.CustomDotNetApp.Designer.cs new file mode 100644 index 0000000..5fba0dd --- /dev/null +++ b/Lab-Setup-Source-Code/ProjectInstaller.CustomDotNetApp.Designer.cs 
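Review bot: The three `System.Diagnostics.Process` qualifications in this loop are only needed because the first hunk of the file drops `using System.Diagnostics;`. Nothing in the visible lines clashes with `Process`, so restoring the directive and keeping `Process[] processes = Process.GetProcesses();` would leave the loop untouched by this commit. The enclosing `OnStart` begins and ends outside the hunk, including the assignment of `outputFile`.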
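Review bot: `Authenticate` now compares its arguments against the same two literals that `OnStart` passes in, so the check cannot fail and any failure branch in the caller is unreachable. The credential pair is also written out twice, which is how the `Adminstrator` spelling ended up in both places. Declaring it once, e.g. `private const string LabUser = "Administrator";` plus a matching `LabPassword` constant, and using those in both methods keeps the lab's hardcoded-credential finding while removing the drift. The new empty `OnStop` could say why it is empty, e.g. `// Nothing to release: OnStart holds no resources after it returns`, if that holds for the part of OnStart not shown here. Authenticate's body continues past the hunk.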
@@ -0,0 +1,60 @@
+namespace CustomDotNetApp
+{
+ partial class ProjectInstaller
+ {
+ ///
+ /// Required designer variable.
+ ///
+ private System.ComponentModel.IContainer components = null;
+
+ ///
+ /// Clean up any resources being used.
+ ///
+ /// true if managed resources should be disposed; otherwise, false.
+ protected override void Dispose(bool disposing)
+ {
+ if (disposing && (components != null))
+ {
+ components.Dispose();
+ }
+ base.Dispose(disposing);
+ }
+
+ #region Component Designer generated code
+
+ ///
+ /// Required method for Designer support - do not modify
+ /// the contents of this method with the code editor.
+ ///
+ private void InitializeComponent()
+ {
+ this.serviceProcessInstaller1 = new System.ServiceProcess.ServiceProcessInstaller();
+ this.serviceInstaller1 = new System.ServiceProcess.ServiceInstaller();
+ //
+ // serviceProcessInstaller1
+ //
+ this.serviceProcessInstaller1.Account = System.ServiceProcess.ServiceAccount.LocalSystem;
+ this.serviceInstaller1.StartType = System.ServiceProcess.ServiceStartMode.Automatic;
+ this.serviceProcessInstaller1.Password = null;
+ this.serviceProcessInstaller1.Username = null;
+ //
+ // serviceInstaller1
+ //
+ this.serviceInstaller1.Description = "DotNet Custom Service";
+ this.serviceInstaller1.DisplayName = ".NET Custom Service";
+ this.serviceInstaller1.ServiceName = "Service5";
+ //
+ // ProjectInstaller
+ //
+ this.Installers.AddRange(new System.Configuration.Install.Installer[] {
+ this.serviceProcessInstaller1,
+ this.serviceInstaller1});
+
+ }
+
+ #endregion
+
+ private System.ServiceProcess.ServiceProcessInstaller serviceProcessInstaller1;
+ private System.ServiceProcess.ServiceInstaller serviceInstaller1;
+ }
+}
\ No newline at end of file
diff --git a/Notes/LeakedCredentialsHardcodedCredentials.md b/Notes/LeakedCredentialsHardcodedCredentials.md
index d5af56f..9f3cfb8 100644
--- a/Notes/LeakedCredentialsHardcodedCredentials.md
+++ b/Notes/LeakedCredentialsHardcodedCredentials.md
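Review bot: The installer registers the service as `ServiceName = "Service5"` with display name `".NET Custom Service"`, but the lab notes added in this same commit register the binary with `New-Service -Name "Custom Dot Net Service"`, so the two install paths produce differently named services and the documented steps never use this class. Pick one name and use it in both places. `Account = ServiceAccount.LocalSystem` deserves a comment such as `// LocalSystem is deliberate for this lab scenario` if that is the intent, since the visible work (listing processes and writing a file) does not obviously need that privilege level. The `StartType` assignment on `serviceInstaller1` sits under the `serviceProcessInstaller1` banner, and the non-designer half of this partial class is not in this diff.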
@@ -24,3 +24,25 @@ An adversary can leverage hardcoded credentials to escalate to elevated privileg ### Manual Lab Setup (.NET App) :warning: If you are using Windows 10/11 to proceed with this scenario, the local Administrator account needs to be enabled. I have created a PowerShell script named [EnableLocalAdmin.ps1](/Lab-Setup-Scripts/EnableLocalAdmin.ps1), designed to enable the local Administrator account and set a password. Please run this script with elevated privileges. + +1) Open a PowerShell with local Administrator privileges and run the following command to create a new folder: + +``` +mkdir "C:\Program Files\CustomDotNetApp\" +``` + +2) Download the file [CustomDotNetApp.exe](/Lab-Setup-Binary/CustomDotNetApp.exe) to the 'C:\Program Files\CustomDotNetApp' directory. + +3) Install the new Service: + +``` +New-Service -Name "Custom Dot Net Service" -BinaryPathName "C:\Program Files\CustomDotNetApp\CustomDotNetApp.exe" -DisplayName "Custom .NET Service" -Description "My Custom .NET Service" -StartupType Automatic +``` + +Outcome: + +![Hardcoded-Creds-Manual-Lab-Set-Up-DotNetApp](/Pictures/Hardcoded-Creds-Manual-Lab-Set-Up-DotNetApp.png) + +4) Verify the new service (services.msc): + +![Hardcoded-Creds-Manual-Lab-Set-Up-DotNetApp-Verify-Service](/Pictures/Hardcoded-Creds-Manual-Lab-Set-Up-DotNetApp-2.png) \ No newline at end of file diff --git a/Pictures/Hardcoded-Creds-Manual-Lab-Set-Up-DotNetApp-2.png b/Pictures/Hardcoded-Creds-Manual-Lab-Set-Up-DotNetApp-2.png new file mode 100644 index 0000000..8013c06 Binary files /dev/null and b/Pictures/Hardcoded-Creds-Manual-Lab-Set-Up-DotNetApp-2.png differ diff --git a/Pictures/Hardcoded-Creds-Manual-Lab-Set-Up-DotNetApp.png b/Pictures/Hardcoded-Creds-Manual-Lab-Set-Up-DotNetApp.png new file mode 100644 index 0000000..3132d26 Binary files /dev/null and b/Pictures/Hardcoded-Creds-Manual-Lab-Set-Up-DotNetApp.png differ