# Finishing Touches

## WC1

### PowerShell History

Run PowerShell as the user

![image](https://hackmd.io/_uploads/Sy248ULZ0.png)

![image](https://hackmd.io/_uploads/r16SUIU-0.png)

Enter the following commands into wyldstyle's PowerShell session

![image](https://hackmd.io/_uploads/ryfavI8ZA.png)

If we go to Users we see that wyldstyle now has a profile folder

![image](https://hackmd.io/_uploads/r1my_8IbR.png)

And we can see the console history - which will also be part of the investigations later

![image](https://hackmd.io/_uploads/By_cuLUWC.png)

### Enable Local Administrator Account

We need to set a password for the local Administrator account first

![image](https://hackmd.io/_uploads/BkMfK88-R.png)

![image](https://hackmd.io/_uploads/B12QYIL-0.png)

![image](https://hackmd.io/_uploads/H1WrYULWC.png)

![image](https://hackmd.io/_uploads/BycItIU-0.png)

Then enable the account

![image](https://hackmd.io/_uploads/ryDuK8LbA.png)

![image](https://hackmd.io/_uploads/ryCcKLI-A.png)

### Housekeeping

- Delete it-users.zip from C:\setup
- Delete useradd.ps1 from C:\setup

Restart the machine and it should log in automatically as Lucy.
Switch users

![image](https://hackmd.io/_uploads/SkfjTLLW0.png)

Log in using the local Administrator account

![image](https://hackmd.io/_uploads/S1F2hULb0.png)

- Logging in as the local Administrator rather than a domain admin means the domain admin's password is not cached on WC1 by an interactive logon

#### Delete local accounts with administrator access that are not part of the lab

This PC > Properties

![image](https://hackmd.io/_uploads/rJCU08LbA.png)

![image](https://hackmd.io/_uploads/ByMcRLLZA.png)

Delete the accounts from Computer Management as well

![image](https://hackmd.io/_uploads/rkjoxDIb0.png)

![image](https://hackmd.io/_uploads/HyXRxPUbR.png)

## Creating Loot

### On Kali VM

We create three text files, each containing a different hash

![image](https://hackmd.io/_uploads/r1cyGDIWA.png)

Let's clean this up a bit

![image](https://hackmd.io/_uploads/HJ94GDI-R.png)

So we just have the hashes

![image](https://hackmd.io/_uploads/BJGpfPLZ0.png)

Send to WC1

![image](https://hackmd.io/_uploads/SJwy7v8-C.png)

### On WC1

Access the share and copy the files

![image](https://hackmd.io/_uploads/SyKmmDUZA.png)

![image](https://hackmd.io/_uploads/ByCHXwUW0.png)

#### local.txt

Place on Lucy's desktop (limited-privilege user)

![image](https://hackmd.io/_uploads/H1T9mPUZC.png)

#### proof.txt

Goes to the Administrator desktop

![image](https://hackmd.io/_uploads/r12AmDL-R.png)

#### proof2.txt

Goes to WC2

![image](https://hackmd.io/_uploads/ryzFEPUWR.png)

Rename to proof.txt

![image](https://hackmd.io/_uploads/HyBrSvL-C.png)

#### proof3.txt

Goes to DC1

![image](https://hackmd.io/_uploads/SyY-rPUZ0.png)

Rename to proof.txt

![image](https://hackmd.io/_uploads/rJs7SwIbA.png)

### Disable local administrator account after everything

![image](https://hackmd.io/_uploads/rJ1QIvU-R.png)

## Kali VM

We can go in and clear the history of everything we've done, and delete all the files etc. Or we can back it up somewhere else - we just don't want our prep getting in the way of our exercise.
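The WC1 steps above (checking wyldstyle's console history, enabling the local Administrator, housekeeping, removing non-lab local admins, placing the loot, and disabling the account again) can be done from PowerShell instead of the GUI. The script below is an added example, not the page's own commands. It assumes the lab users are `wyldstyle` and `Lucy`, that the build artefacts live in `C:\setup` as stated, that the loot files were copied from the Kali share into a hypothetical staging folder `C:\setup\loot`, that `WC2` and `DC1` resolve by those names, and that the remote destination is the Administrator desktop on each host (the page does not say where on WC2/DC1 the files go). Run it in an elevated PowerShell on WC1 and call the functions in the page's order.

```powershell
# Added example, not from the page. Assumptions: users 'wyldstyle' and 'Lucy',
# artefacts in C:\setup, loot staged in the hypothetical C:\setup\loot, hosts WC2/DC1.
# Order of use (matches the page):
#   Show-UserPSHistory -User wyldstyle
#   Enable-LabAdministrator
#   Remove-SetupArtifacts ; Restart-Computer
#   ...log in again as .\Administrator...
#   Remove-NonLabLocalAdmins
#   Deploy-Loot
#   Disable-LabAdministrator

# --- PowerShell history -----------------------------------------------------
function Show-UserPSHistory {
    param([Parameter(Mandatory)][string]$User)
    # PSReadLine appends every interactive command to this file; the user's profile
    # folder under C:\Users only appears once a session has run as that user.
    $hist = "C:\Users\$User\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
    if (-not (Test-Path $hist)) {
        throw "No history yet for $User - run a PowerShell session as that user first."
    }
    Get-Content $hist
}
# To start that session from here (prompts for the user's credentials, creates the profile):
#   Start-Process powershell.exe -Credential (Get-Credential) -LoadUserProfile

# --- Local Administrator ----------------------------------------------------
function Enable-LabAdministrator {
    # Set a password first: the built-in account is disabled and has no usable password yet.
    $pw = Read-Host 'New local Administrator password' -AsSecureString
    Set-LocalUser -Name 'Administrator' -Password $pw
    Enable-LocalUser -Name 'Administrator'
    Get-LocalUser -Name 'Administrator' | Select-Object Name, Enabled, PasswordLastSet
}

# --- Housekeeping -----------------------------------------------------------
function Remove-SetupArtifacts {
    Remove-Item -Path 'C:\setup\it-users.zip', 'C:\setup\useradd.ps1' -Force
    Get-ChildItem 'C:\setup'   # check nothing is left that gives the build away
}

# Run after rebooting and logging in as the LOCAL Administrator, so no domain-admin
# credentials get cached on this host by an interactive logon.
function Remove-NonLabLocalAdmins {
    param([string[]]$Keep = @('Administrator'))   # assumption: only the built-in account stays
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'Local' -and ($_.Name -split '\\')[-1] -notin $Keep } |
        ForEach-Object {
            $name = ($_.Name -split '\\')[-1]
            $sid  = $_.SID.Value
            # Profile first (System Properties > User Profiles), then the account
            # (Computer Management > Local Users and Groups), as the page does.
            Get-CimInstance Win32_UserProfile -Filter "SID='$sid'" | Remove-CimInstance
            Remove-LocalUser -Name $name
            "removed local admin $name"
        }
}

# --- Loot -------------------------------------------------------------------
function Deploy-Loot {
    param([string]$Stage = 'C:\setup\loot')   # hypothetical staging folder
    Copy-Item "$Stage\local.txt" 'C:\Users\Lucy\Desktop\local.txt'           # limited user
    Copy-Item "$Stage\proof.txt" 'C:\Users\Administrator\Desktop\proof.txt'  # local admin
    # proof2/proof3 go to WC2 and DC1 and are renamed to proof.txt on arrival.
    # Prompt for the remote-admin credentials explicitly: a mapped drive is a network
    # logon on the target, not an interactive logon on WC1.
    $cred = Get-Credential -Message 'Account with admin rights on WC2 and DC1'
    foreach ($pair in @(@('proof2.txt', 'WC2'), @('proof3.txt', 'DC1'))) {
        $file, $target = $pair
        New-PSDrive -Name Lab -PSProvider FileSystem -Root "\\$target\C$" -Credential $cred | Out-Null
        Copy-Item "$Stage\$file" 'Lab:\Users\Administrator\Desktop\proof.txt'   # assumed destination
        Remove-PSDrive -Name Lab
    }
}

# --- Final step -------------------------------------------------------------
function Disable-LabAdministrator {
    Disable-LocalUser -Name 'Administrator'
    (Get-LocalUser -Name 'Administrator').Enabled   # expect False
}
```

Two points worth keeping in mind: `Show-UserPSHistory` reads exactly the file the later investigation will find, so it is a quick way to confirm the seeded commands landed where they should; and removing a profile through `Win32_UserProfile` also clears its ProfileList registry entry, which deleting the `C:\Users\<name>` folder by hand does not, so the leftover account would still show up to anyone enumerating profiles.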