# Takeaways

- Organize `tmux` windows: vpn | pivots | shells
- Create separate folders for loot and nmap
- Create separate creds, users, passwords, hosts files
- `ligolo-ng` autoroute feature only works for a single pivot; use the manual process for a second pivot
- `fping` not super reliable; instead, try a Bash `for` loop

  ```bash
  # one-shot ping per host, keep only replies (loop 1)
  for i in $(seq 1 200); do ping -c 1 172.16.5.$i | grep "bytes from" & done
  # same idea, but reduce the replies to a sorted list of responding IPs (loop 2)
  for i in {1..200}; do ping -c 1 172.16.5.$i | fgrep ttl & done 2>/dev/null | sed -e 's/^.*from //' -e 's/:.*$//' | sort -n -t. -k4
  ```

- `ping` and `nmap` results may change, so run multiple times
- Try different permutations of `nmap`:
    - `-Pn` flag (disable ping)
    - `-sn` flag (ping only)
    - `-sT` flag (full TCP connect)
    - `-sS` flag (TCP SYN scan only)
- Once on a new host, perform internal enum AND hunt for additional creds
    - Linux
        - Basic internal enum for privs and internal subnets
            - Privs: `whoami`, `id`, `hostname`, `groups`, `sudo -l`
            - Check networking: `ip a`, `ss -lntp`, `realm list` (domain joined?)
        - Peruse through fs for docs/creds
    - Windows
        - Basic internal enum for privs and internal subnets
        - Peruse through fs for docs/creds (including network connected drives)
        - Attempt to extract secrets remotely with `nxc smb <target_ip> -u user -p <password> --sam` (or `--lsa`) and `nxc smb <target_ip> -u user -p <password> -M lsassy`
        - Use `lazagne.exe` and `mimikatz.exe` to extract secrets
            - run `lazagne` first
            - run `sekurlsa::logonPasswords` first with `mimikatz` before other commands
        - If we have local admin privs, dump LSASS manually with PowerShell and move `lsass.dmp` to the Kali host to extract secrets with `pypykatz`
        - Uninstall and/or disable Windows Defender when files get deleted

          ```powershell
          Uninstall-WindowsFeature -Name Windows-Defender
          Set-MpPreference -DisableRealtimeMonitoring $true
          ```

- Cleanup `ligolo-ng`

  ```bash
  ifdel --name <name>
  route_del --name <name>
  ```

- If we cannot restart the `ligolo-ng` proxy
    - Determine PID of the proxy process that is holding port 11601
      ![[images/Pasted image 20251024130518.png]]

      ```bash
      sudo netstat -ap | grep :11601
      sudo kill -9 <PID>   # here the PID is 15353
      ```

- Whiteboard attack chains, pivots, and exploit PoCs
  ![[images/IMG_5266.jpg]]

# Attack Sequence

1) Given shell access when visiting the initial webserver in browser
    1) Dropped into shell as www-data
2) Enum on webserver as www-data reveals:
    1) An internal subnet on 172.16.5.0/16
       ![[images/Pasted image 20251023152501.png]]
    2) Readable `/home/webadmin` directory, which includes the SSH privkey for webadmin and the interesting file `for-admin-eyes-only`, which includes creds for user mlefay
       ![[images/Pasted image 20251023153748.png]]
3) SSH into webserver as webadmin with `id_rsa`
4) Enum on webserver as webadmin reveals sudo privs, but we need a password
5) Establish pivot on webserver to poke around internal subnet 172.16.5.0/16
    1) Move `ligolo-ng` agent to webserver with `scp`
    2) Execute `ligolo-ng` proxy on Kali host
    3) Execute `ligolo-ng` agent on webserver
        1) Attach to session and autoroute
    4) Confirm with `ip a` and `ip route list`
6) `fping` sweep on internal subnet reveals one additional target: 172.16.2.35 (PIVOT-SRV01)
   ![[images/Pasted image 20251023155717.png]]
7) Enum PIVOT-SRV01
    1) Ping test
    2) Light nmap scan reveals SSH, SMB, RDP, WINRM services open (must be a Windows machine)
       ![[images/Pasted image 20251023160051.png]]
    3) Run `nxc smb/rdp/winrm` scans against PIVOT-SRV01 with mlefay's creds
        1) SMB accessible with `--local-auth` flag
           ![[images/Pasted image 20251023160728.png]]
    4) Connect to PIVOT-SRV01 with `smbclient`, which reveals `id_rsa` for mlefay
       ![[images/Pasted image 20251023161306.png]]
8) SSH into PIVOT-SRV01 as mlefay with `id_rsa`
9) Enum on PIVOT-SRV01 reveals a second internal subnet on 172.16.6.0/16
   ![[images/Pasted image 20251024101359.png]]
    1) We have local admin privs as mlefay
    2) Move `mimikatz.exe`, `lazagne.exe`, ligolo-ng `agent.exe` onto PIVOT-SRV01 with `python3 -m http.server` on the webserver
        1) Run `lazagne.exe`
           ![[images/Pasted image 20251024130830.png]]
            1) Find NT hash for new users Administrator and apendragon
        2) Run `mimikatz.exe`
           ![[images/Pasted image 20251024115318.png]]
            1) `sekurlsa::credman` reveals new user vfrank
            2) `sekurlsa::tickets /export` reveals nothing
            3) `sekurlsa::logonPasswords` reveals plaintext password for vfrank
10) Establish double pivot on PIVOT-SRV01 to poke around internal subnet 172.16.6.0/16
    1) Move `ligolo-ng` agent to PIVOT-SRV01 with `scp`
    2) Execute `ligolo-ng` agent B on PIVOT-SRV01
        1) Attach to session for agent B
        2) Manually create interface and route, then start tunnel
           ![[images/Pasted image 20251024105236.png]]
            1) NOTE: autoroute only works for a single pivot
            2) Confirm with `ip a` and `ip route list`
11) `fping` sweep on internal subnet B reveals two additional targets: 172.16.6.25 (PIVOTWIN10) and 172.16.6.45
    ![[images/Pasted image 20251024132853.png]]
12) Enum PIVOTWIN10
    1) Ping test
    2) Light nmap scan reveals SMB, RDP, WINRM services open (must be a Windows machine)
       ![[images/Pasted image 20251024133122.png]]
    3) Run `nxc smb/rdp/winrm` scans against PIVOTWIN10 with vfrank's creds
        1) SMB works when adding the domain flag: `-d inlanefreight.local`
           ![[images/Pasted image 20251024133927.png]]
        2) RDP shows PWNED
           ![[images/Pasted image 20251024133816.png]]
    4) SMB connect to PIVOTWIN10 with `smbclient` reveals `id_rsa` for vfrank
       ![[images/Pasted image 20251024134445.png]]
        1) Prepend domain to username for access: `-U inlanefreight.local/vfrank`
           ![[images/Pasted image 20251024134408.png]]
    5) RDP connect to PIVOTWIN10 with vfrank's creds
       ![[images/Pasted image 20251024134956.png]]
        1) We can open PowerShell as admin; we have local admin privs
        2) Move `mimikatz.exe`, `lazagne.exe`, ligolo-ng `agent.exe` onto PIVOTWIN10 via simple RDP drag+drop
            1) Files keep getting deleted, so disable Windows Defender
               ![[images/Pasted image 20251024140835.png]]
        3) Run `lazagne.exe` > almost the same output as on PIVOT-SRV01
           ![[images/Pasted image 20251024141207.png]]
            1) Attempt to crack vfrank's and apendragon's NT hashes with `hashcat -m 1000`, but unsuccessful with `rockyou.txt`
        4) Run `mimikatz.exe` > almost the same output as on PIVOT-SRV01
        5) Run PowerShell script as `fping` analogue (ping sweep): reveals a third subnet 172.16.10.0/16 and one additional target 172.16.10.5
           ![[images/Pasted image 20251024140912.png]]
        6) Finally, poke around File Explorer and spot a network share associated with the DC that has the final flag
13) Enum 172.16.6.45
    1) SSH with vfrank's id_rsa
        1) Password protected, and vfrank's password that we found does not work
           ![[images/Pasted image 20251024144614.png]]
    2) Red herring
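The Takeaways recommend the Bash ping loop over `fping`, and step 12.5 does the same sweep from PowerShell. The sweep is only as good as the parsing of its output, so the following added example (my own code, not from these notes) splits the Takeaways pipeline into a reusable parser and a sweep wrapper. It assumes GNU/Linux `ping` output; the subnet prefix, the host name `pivot-srv01`, and the sample replies in `SAMPLE_PING_OUTPUT` are constructed for the demo. Beyond the page's one-liner it also handles the `host (ip):` form that `ping` prints when reverse DNS resolves, de-duplicates hosts that answer more than once, and sorts on all four octets so replies from several subnets do not collide.

```shell
# live_hosts_from_ping: read raw ping output on stdin, print one responding IP
# per line, de-duplicated and sorted numerically by octet. It keys on the same
# "bytes from <ip>:" reply lines as the grep/sed pipeline in the notes.
live_hosts_from_ping() {
    grep -F 'bytes from' \
        | sed -e 's/^.*from //' -e 's/:.*$//' \
              -e 's/.*(\(.*\))/\1/' \
        | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# sweep_subnet <prefix> [first] [last]: ping each host in <prefix>.first-last
# once, in parallel, then collect the responders with live_hosts_from_ping.
# Needs network access, e.g.:  sweep_subnet 172.16.5 1 200 > hosts.txt
sweep_subnet() {
    prefix=$1; first=${2:-1}; last=${3:-254}
    {
        for i in $(seq "$first" "$last"); do
            # -n: numeric output, -W 1: give up after one second
            ping -n -c 1 -W 1 "$prefix.$i" 2>/dev/null &
        done
        wait   # let every background ping finish before the pipe closes
    } | live_hosts_from_ping
}

# Constructed sample (not real output from the lab): three hosts answer, one
# of them twice, one with a resolved name, and one address is unreachable.
SAMPLE_PING_OUTPUT='PING 172.16.5.1 (172.16.5.1) 56(84) bytes of data.
64 bytes from 172.16.5.10: icmp_seq=1 ttl=128 time=1.02 ms
64 bytes from 172.16.5.1: icmp_seq=1 ttl=64 time=0.45 ms
From 172.16.5.2 icmp_seq=1 Destination Host Unreachable
64 bytes from pivot-srv01 (172.16.5.35): icmp_seq=1 ttl=128 time=0.98 ms
64 bytes from 172.16.5.10: icmp_seq=2 ttl=128 time=0.99 ms'

# demo_live_hosts: run the parser over the constructed sample offline.
demo_live_hosts() {
    printf '%s\n' "$SAMPLE_PING_OUTPUT" | live_hosts_from_ping
}

demo_live_hosts
```

Redirect `sweep_subnet` into a hosts file as the Takeaways suggest, and re-run it; responders that appear in one pass and not the next are exactly the "results may change" cases the notes warn about.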