Ace the OSEP Exam with Sliver Framework

Captions
hello everyone uh thank you for tuning into to the live stream uh my name is John gu and I'm going to talk to you guys today how I use the silver framework to basically pass the ocp exam um a brief intro about myself I am an Air Force veteran and that's where I got all my cyber training so I did about a year in the Air Force just straight training and then went to a network operation Squadron here in Colorado and ever since then I've been hooked and just just to give you more of a background once I got out I continued my cyber training and I want to kind of go through some of the techniques I've learned over the years uh I've now been in cyber security for about 10 years so everything I've learned is kind of what I've culminated in that time and it's not just something you pick up like overnight um there's probably some people that can't pick it up overnight but that wasn't me um I took it all and just found that I really enjoyed this field enjoyed what I like to do I like to hack into machines um I did defense for a long time as well so I've seen that side of the field and I kind of just want to go through that with you all and some of the training that I've done was the EP let me bring up my agenda here and the O really kickstarted me after I got my ocp into active directory hacking and that is a really fun area that I found a lot of love in um so with that when I came down to the ocp um some of the things that I did that helped me succeed was that I was able to take the prabs from hack the box cybernetics that lab really helped Kickstart my methodology when I was using my C2 framework sver in this case so I think what a lot of people will struggle with when it comes to the ocp is that they don't really have a vulnerable environment to Target to use and so that's what cyber provided me it gave me a vulnerable environment where where I could see where the strengths and weaknesses of of sliver where I needed to switch to Linux how the tool set worked and everything 
when I was going through the training um when when you've signed up for ocp they give you some labs to work in but not always as inde depth as you would want it to be so that's where cybernetics really helped out um a con to that though is that's really expensive so when I published this blog post I mentioned in there there is this uh vulnerable framework you can do it's called go ad game of active directory bring it up over here and you can actually install this on your Linux machine so this is actually my dedicated Cali machine that I have right here let me clear this out and on my dedicated Cali machine I have installed um this lap and it's a you know completely vulnerable it's got a bunch of different attack paths and the only thing is it's free it just takes around like 80 gigabytes of space and you know some RAM and CPU and whatnot so you know if you have a beefy enough machine I highly recommend installing this and playing around the way I'm going to show you and let me scroll down here so in my blog post what I ended up doing was taking one of the paths that they have let me pull this up there's actually two paths you can take see if I can bring this up here we go um I actually took in the blog post you know we went to Castle black and we hacked this machine and then we escalate over to Winterfell which is the domain controller in this particular domain and the end go is to actually become Enterprise admin over here on Kings Landing um dc1 for today we're actually going to look at a different path and I think this will be really fun to take we're actually gonna attack this machine called braavos which is in it a different domain we're GNA escalate our privileges up to the Marine domain controller and from there actually get Enterprise admin on the primary uh DC over here seven kingdoms. 
local and you can kind of see the trust that they have and everything and I will go through you know my methodology how to attack it and how I think about it um so one other thing just to bring up is like the target audience I I want this to be open to everyone uh if you're a beginner don't know much about actor directory hacking or just you know like sliver in general I definitely want you guys to watch this and be a part of it um there's a lot of things to show when I first started using sliver I I barely used half of its potential uh it wasn't until I took the uh certified red team oper ation uh certificate course uh training from rosta Mouse where I learned how to use certain tools that was actually present in Cobalt strike that are actually also present in sliver so you know being having that exposure early on is really going to help if this is what you're into um I think if anything you know the people that are get the most out of it in a sense are those who are taking the OSP class or about to take the exam or even those who have already passed it and if you're in advance and been cyber security for a while you know you're your pen tester all that good stuff um maybe you can uh stick around and you'll see some new things that I have learned that you may not have known before um I always like watch people that are you know same level or more advanced Etc and then I'll pick something up like hey I didn't know I could do that so with that um if there's any questions that you guys have you know feel free to put them in the chat wherever you are that's Twitter LinkedIn or YouTube um the team will actually get them to me I think I can see some of them over here too so I would love to be as interactive as possible and uh I will try to explain as much of it as I go along and yeah so any questions just pop them in there so uh to kind of start off with we don't really have much I have sliver up here um if I put up my jobs I have two listeners um I have my MTS basic 
connection listening on P 443 and I have a staging um listener on 80 just in case we if we want to use that or not and over here in the bottom I just have you know really regular uh terminal window that I can use on my left I actually have a bunch of notes as you can see the agenda um but next to it I actually have a walkthrough over here which I'm going to use so that way I'm not fing around with all the different commands but you guys can actually follow along with that as well but let me go back to the agenda um so first thing we're going to do is enumeration that's anything you want to do uh let's like the first step so um I don't really have anything particular to start off with uh when it comes to my methodology when I begin to like scan any sort of network U especially when did the ocp you know you always start with like an m app um we're gonna actually going to start off with this 23 if you don't have your IPS or don't know like what's on the network something you can always start with you know crack map exec um so we'll do that over here crack map exec if those who don't know what this tool is it's basically a Swiss army knife for active directory hacking um I use this tool all the time it's like uh I don't think this is like the greatest analogy but if you were to go into a force you want bring your Hatchet or whatever this is my Hatchet crack map EXA is a huge um Swiss army knife so um I to start off with you know with an SMB scan so you give it the name of the program you tell it what kind of scan you want to do like if you just you know look at the help like this you can see the different protocols you guys can do SMB Ms SQL 1 RM Etc so M SMB is usually the first one I do and uh we give it the IP range just like this it's going to go on scan let's make that full screen and like I said we're actually G to attack starting off with braavos and then to Marine which is actually it domain controller so its IP is on23 um so whenever you land on like an 
internal Network this is like one of the first things I do just to kind of get a lay of the land um just to get the IP range you know scan the whole 24 see what else is out there so you can also do this SSH just SE Linux ners in this lab there aren't um so let's kind of get started with that let's do a quick end map scan it's always good to have something going on in the background um in this case we're just doing you know nmap give it verbose basically it's going to print out any of the discovered ports as it scans scanning the whole Port range and we're actually doing a fast scan so instead of going through and doing a service scan and looking at you know what's running on all those ports I just want to see what ports are open um I do this because I think it's a more efficient manner to scan the port to get the ports that are open and then if you want to tailor it and then go through like with n map and be like all right target these ports specifically that would be better than versus you know hey I need you to scan all the ports and then see what services are running of them it makes it very very slow but this just speed it up um we're giving it the do 23 over there but we can see that we got oh this interesting Port right here 1433 so it looks like Bravos actually does have MS SQL running um mssql there we go and we can actually see 135 139 445 normal stuff inter interesting enough it's got Port 80 open as well um seeing that on a server is very interesting so be let's actually go check that out so if you come over here we'll use this tab give it the IP 23 see what's running on Port 80 nope it didn't pull it up 192 168 5623 there we go uh we kind of get like a basic I server page now something that I've seen over the years um taking into this is that certificate services are now a big thing in actor directory so whenever I see a splash page like this I always check to see if you know the certificate service is running on this machine so you do that by doing 
aert SRV and we got a basic authentication page so that's telling me that this machine has adcs running on it and we can actually once we get some credentials we can actually uh scan that more but that's just like a a quick way to check and I like like to do that um something else okay so I finished it scan here are all the open ports um like I said one of the big ones that stands out to me is this one and then Port 80 so something else to think about um usually when you're Landing in internal Network you want to do some ENT uh you want to you know look at LinkedIn for a company's users and see like how can you see what our valid usernames are in the network well since this is a lab environment it doesn't exactly equate the same way but this is a Game of Thrones themed vulnerable lab um and I think it's totally within the realm to go ask you know chat GPT um for some ideas so I come over here what I did as I asked CH Chad GPT hey make me list of all the characters in Game of Thrones I like for them to be in this format first. 
last um you can try different ones where it's like the first initial than last name or you know it's just first and last name with no dot or maybe an underscore you could try different variations and there's actually a bunch of other tools out there that can do this for you but this is a quick way to do it as well so it did that it gave me some uh names over here so let's kind of go through copy them all we're going to go back to this over here let's remove everything that's in this uh yep or delete everything in here perfect so we're kind of starting fresh so for the hashes go away hashes okay so let's make a nano users just like this let's paste in that um doesn't look the way I want it to so let's use Vim to get that up all right control V to highlight all these go all the way down X exit out there we go so now if we C the users we now have a list of potential users that we could use in this domain um what I'm going to check for next right now since we're just starting fresh is if as um as uh rep roting is enabled sometimes um usernames will have or certain users will have you know pre-authentication um not checked or or checked not needed for their user account so what that means is that we can actually get users to crack um their hash offline so uh it's always something worth checking right away and something else to check I always do this too is using crack map exec is that sometimes users will use their uh username as their password so you can actually do that like this so we use crack map exec um we'll just go down to 23 we'll give it the user file like this give the password of users and then we'll do a continue on success and then Das Das no root and I think it's no root um if if you do this what's essentially what we're doing is we're passing the same user file as their passwords and we're going to tell to not brew Force we want to basically you know try Samuel tlee as samel Charli's password and you'll be surprised at how often this appears in an actual 
corporate environment um that happens quite often so it's always something good to check um if it is you know you don't want to like start brute forcing and act direct environment because you don't want to lock out these users but if I'm going to try anything it's this one you can also try you know like that summer 2023 or fall or Autumn whatever it is maybe even the company name then the year maybe an exclamation point um but this is something that I always like to try right after bat and to know how you get these flags and everything I just looked at the help file I'll show you that in a second let's do enter just gonna try it um so this like really interesting because it's saying that they're all valid but they're not so anyway this is something I do like to try something else to do is to actually look at Curb root to see which users are valid we even know if these users are valid here um so we can actually do that with curb root over here so we come over here grab this command uh we're going to run curb root this is like another like tool you can use within an internal Network I really like it um you're GNA give the user enum um The Domain our domain is ss. looc you can see that over here um when we actually did our crack map exact from before scroll up from here you can actually see the the different domains so like you know Kings Landing is seven kingdoms. local and then we have you know ss. 
loo for marine which is the domain controller um Etc so let's try this we're gonna give the users files that we have and it should tell us all right actually we have one two three four five valid users that um out of the user that we provided we have viseris Daenerys cogo um and Jorah in C Drogo um actually has over here that it is as roastable so what that means we can actually take this hash and crack it offline and see if we can get a password for it and just just so you know like I have like fiddle with this toil before um the curb root and I haven't been able to crack it I'm not sure why sometimes it's just good to have different tools to do different things um but it's good to know that this tool lets you know like hey you know you can crack this hash offline so even if this hash doesn't crack um we'll use a different tool to do that um so here we're going to use from the impacket tool set get MP users now in um the ocp you know course material they talk about impacket a few times it is an invaluable tool um just like crack map exec something that I will take with me like everywhere having the impacket tool set installed and knowing how to use it is invaluable not just for the exam but if this is what you want to do in your career just having um that tool available uh and knowing how to use it does wonders so let's uh let's actually run it over here all we're doing is we're getting we're running to get MP users which is just another fancy way of saying you know as roast uh asre roasting uh we're going to give it the dcip which is12 that's marine and we're going to give it just the domain we're not even going to give it like any uh user because we don't have any valid user accounts but we're going to give it this user file and the format is hash cat because that's the format I want to use to crack it and it gave us this one over here and you can see that says UF don't require pre offet um C Drogo does which is why we can grab this hash and crack it so let's 
grab it and let's make a file called hashes paste that in there and let's run hashcat so with hashcat over here um we're running it with Tac m8200 this is the format you want to use if you don't know the format you can always go to hashcat example like this let's go back over here um I just grab like the first couple characters like this and then just do a search like that and there it is 18200 is the mode we want to use it's just that simple so nothing crazy um and we're g to try to crack it um we gave it the hashes file and here is the wordless just typical rock you give it a run give it a second and it says recovered one out of one we scroll up we get a password of horse so that makes sense if you seen the the show C Drogo and thei love their horses so password of horse kind of makes sense um so now that we have that uh we actually have our first like user account and what can we do with uh an initial like low we don't know if he's like low or a high privilege user um we can do a lot of enumeration we can actually go back and use a crack map EXA but this time we can actually give it um a user account so let's do s CM M crack uh crack map exec you can shorthand it to CME SMB um let's just do like this 23 you can see I've kind of done this a couple times delete all this we don't need that and let's just run it um and we're actually going to do it on like this 12. 
through 23 like this full screen okay um that's interesting to see right off the bat um first off Marine shows that he is a valid user here but also on braavos which is the first machine we want to actually hack into it says pwned um which to me tells me that this is a local admin on this uh machine so you might get lucky with that sometimes um you might not but something to keep in mind from our initial Recon was that this user also uh this uh machine also had MSS SQL uh SQL running on it so we can actually check that out um in case you didn't want to like you know go straight for the the throat and just you know be ad on this machine something else to check out when it comes to like enumeration and this is like part of my methodology is to use the different modules so if we actually get rid of all this if you haven't checked out Crack map exec um it does list out SMB modules that you can use so if you do Dash L it's going to give you bunch of different things you can use there's a lot um some of the ones that I like a lot um where are they is ppam um patiam is basically a coion uh I don't want to say vulnerability but it's just a coion method kind of like the uh the prce spooler that they teach you in the course um essentially we can make computers authenticate to us and we can relay that if it's you know if it's possible and needed in that domain and there's a couple other ones in here too um let's see um Slinky if you want to put in some windows shortcuts to see if someone's going to go in there you can get a hash that way there's just a bunch of different modules you can use you in here doing here so let's do- M you know for you just give it the options like that um let's just do the domain controller and it does say it's vulnerable um that to me is just saying hey you know we can use ppot in the future if we want to to co this domain controller to authenticate to our machine and then we can relay that um something else to show um something that I now included 
in my methodology is to look for actor directory certificates services so if you go over here to LP and same thing as before let's take a look at the [Music] modules we can see we actually got quite a few um so we got adcs we're going to run we can do enumerate trust that's a great one to do um you can read the laps passwords the machine account quota um there's a gold mine here so whenever I get my first domain user I usually do the ldap um modules here because there's a lot of good information you can get and this will be invaluable like once you land inside of a a network if you're doing you the OSP and stuff if you want to quer and be like what is out there what can I do U what is my machine account quot like is it zero or is it the default is 10 which if you don't know what this is um the default 10 machines you can create any user can create 10 machines in a network and what that means is that you can just create a computer account that you know the username and password of um and there's a couple different Primitives we can use to uh escalate privileges which is actually what I'm going to show later so um let's do this2 168 you can see you can also do Cur roasting there as well um let's do DM machine account cot just like this and we can see that the machine account Coda is the default 10 so make check like I said adcs we saw that on Port 80 that the CER certificate service was running and it did find an enrollment server now when I went through the ocp course material was like over a year ago now um they didn't teach adcs um I'm not sure if that's been updated now to reflect that but to be honest this is something that I think you should incorporate into your methodology to look for regardless um adcs it can be if it's set up incorrectly it can lead to domain admin right away um it's very powerful uh it's something you should just always look for at this point and uh yeah we can see here we have the SS CA and it's on Bravos so as we saw C drers actually 
owns the machine so we actually own the certificate service on there I'm going to show a different way um since we own this machine basically already we can actually do what's called a golden certificate we can actually get a backup of the certificate and then generate it um and be any user on the domain so there's actually multiple ways to like escalate on your privileges so like just by owning this and knowing that we have certificate Services we we can be anyone so that's very very powerful another one I like to look at is trusts nope trust oh I swear oh in inum trust there we go so let's run this one just like that and we can see we actually do have a trust uh with Seven Kingdoms um it's bidirectional and it's forc transitive so this is not we're not within the domain of Seven Kingdoms whatsoever we are an external for um but there's some transitivity there anyway that's what it is this is like some of the initial enumeration steps that I do like to do um something else to show um before we keep going on was like that mssql was running when I was practicing for the OSP um in the course materials they taught how to create your own C binary and how to run queries and how to you know use those queries to enumerate can you impersonate someone um how do you enumerate those links within the mssql and it was very tedious to compile the binary upload it to my machine execute it on the target then go back and change it and everything else when I said with impacket is very very powerful uh I mean it they actually have just like this their own tool um the impacket uh toolkit is just a way to interact with different protocols and that's just a fancy way of saying it can interact with Windows Active Directory um so here we're going to give it the m SQL SQL client and we're going to give it our domain our user C Drogo with a password of horse and the Target that we want to hit braavos and we're actually going to give it the windows off if we don't it's going to fail so it's 
gonna say log and failed um because it's going to try like log in kind of like locally essentially but if we do windows off which like this we actually have a shell on there and once you do like enough mssql exploitation um this service actually runs with with SE impersonate um anyone who's done like any Windows privilege escalation when you see the SE impersonate privilege um that means you are system um that's basically what it means so if you can exploit this service on this on this machine you can then escalate your privileges to system and then just own the machine so if we run help here we can see the different commands you can do um when I was talking about before that you had to compile all these binaries that's what they showed you in the course this stuff does it automatically for you so we can enumerate the different logins so if I you know just paste that in there we actually have a lot that tells me that c Dro is a uh system administrator in this box um so we can actually take you know essay over here and we can execute as login um you can see there's actually two here execute as user execute as login um the way I like to think about these two um is that executing as login is basically you're logging into the machine and executing as user is basically more restricted and is giving you access to a database so we want to do execute as login and then we're going to give it essay and we're now the system administrator um through here so we go back to help um if you want to execute command shells on here um you want to enable this and you have to be you have to have essay privileges to do that so if we hit this it just does it for you and we can now execute commands on here and just to show you uh let's do execute command shell just like this and we can do uh I don't know who am I says we are the SS SQL service um let's do uh you know who am I SL all and you can see it gives us the SE impersonate privilege so if we wanted to exploit this and go that down 
that route we can all right um but we don't need to like I said um C jgo is basically systemat administrator is uh is the owner of the braavos it showed us that in crack map exact with the with the pwned so we can just just you know use Evo winner Rim do nor that like just like this we give the username and password and we're log in if we do who am I all and you can see that yeah we're definitely an administrator um whether it's local or whatever we're supposed to be owning this box this machine is now done and that's uh that's great so um I wanted to really showcase sliver when it came to this because that's what I used during the ocp um when I was looking through the different C2 Frameworks I want to use um you know can't use cobal strike or anything like that and I think they teach you ppeter um in the course and stuff like that I wasn't a big fan of using ppeter and I didn't want to use like Posh C2 or anything like that um I was really drawn to sliver and I really wanted to use that so if you want to get the full potential of it you need some sort of a loader and I did want to take just like a few minutes to look how you can build your own loader on you know so you can bypass AV because in my blog actually mentioned that bypassing AV is crucial it's it's you you have to know how to do that so you can do that through Powershell uh you can you know bypass amsi I'll show you guys that later and stuff but having your own loader uh knowing how to build one is uh very powerful so let's actually switch over to my windows box and here here we are so um this is like one loader that I was practicing with and we're actually going to start off with the new one I'm going to show you guys how to make this from scratch um so we'll kind of go through here what I did uh was I came over to um this early bird uh technique over here um when I actually went through ocp um I used this repository uh I don't know how to pronounce his name here um but this was like a god and he 
actually has a uh a web a web blog as well where he talks about the different techniques he used to on the o exam so I use that exclusively and I use his Co Snippets um the Shell Code process hollowing is great it's written C I've been going through the malev academy and I highly recommend it I've gotten some awesome understanding of how C works and building your own loaders and stuff um this stuff works great um but I kind of want to take a look at building my own stuff so that's kind of what we're going to go through um so all I did uh was when I built my loader here was I just copied this entire thing you can you don't need this top part I don't know why it includes that but you can just copy all this and that's kind of like what I did over here so we'll actually come over here to this early bird one and if you come down to the main function I ended up just pasting it in here early bird is just a technique on how to spawn a service in a suspended state so all we're doing is using Windows apis to create notepad in a suspended State that's all we're doing once we have it in a suspended State you know we're going to use Virtual allocation um to basically allocate some memory and then we're going to write that memory and then we're going to use Q user APC to start this alertable thread that we uh actually set in a suspended State um all that's a fancy way of saying is we're creating a program and we're going to inject our Shell Code into it that's it um and if you copy and paste what he has here um it's going to get flagged and it's going to get flagged by Defender because one is this this is just gonna pop calculator for you it's just gonna pop Cal and this is generated from msf Venom and is a known static and it's basically known bad uh even though calculator isn't bad it coming from msfm and knowing that it's uh used to test out malware and stuff uh Windows Defender is going to flag on it so um you have a couple ways of getting around it um one way of doing that 
is to you know host the Shell Code yourself uh host on your server and then you can have the your loader remotely downloaded another way is to encode it or uh encrypt it in your loader itself which is actually the kind of method that I did um you can see in this in this case he used calc but here we're actually we used notepad we just switch it up to notepad so um one thing I did then was I host did the Shell Code over here I created a new Shell Code file I'll show you guys how to do that here in a second um but it's massive um when it comes to sliver binaries when you get the Shell Code they are huge um like this is what almost it's over 800,000 lines like this is just massive um but this is all I'll show you how I got this um we just have an unsigned character buff array and and then we have the link the very very bottom that's the problem with uh these uh huge loaders in Visual Studio they tend to like hang up like that so all I did was put that in a separate file and then I'm calling it using the extern I'm saying hey this is an external file um that way it it knows where it is so we're telling it it's an unsign character buff and then unsign integer buff link those are the only two things we need um now when you what I did was I encrypted it and I used this rc4 encryption routine it's nothing crazy it's literally just what rc4 is um this is a symmetrical encryption algorithm um when you do it one way it works the same way backwards to to decrypt it so that's all we're doing here and we go down over here I'll talk about that one in a second um all I got to do is add in the key and I encrypted it with this key that I called you know ntdll.dll um so that way if anyone's looking at it it looks kind of I say benign but it's like all right and DL is doing something but it's actually my key um after that uh it still gets caught when you run the binary and it it's going to basically go through it's going to decrypt the Shell Code and it's going to try to inject it um 
Defender is going to catch it and the reason it catches it is because it's running the binary um it has two ways of kind of detecting something on a box one way is static you know looking at known signature so if you put um calcul on there it's going to look at and be like hey I see bad bites in here so that's why we that's why we encrypted it but whenever you are about to execute it or I think you even just like look at the file it runs in its sandbox within Defender and it'll look through and go like hey I'm seeing bad bites here I'm gonna kill it I'm G to delete it so in order to get around that um we're going to do a delay function and that's what this is here the delay function is just going to check to see if it's running in a sandbox and all I did for this code was I just looked up C library hey how do I do a time delay comparison and I literally just copied this all you needed to include was this time um directive header and I just copied everything that was inside this main function and if we go back take a look at it um I just kind of copy paste it but I change it up a little bit um this is the same this is the same I made the integer I here six you can change it to number of seconds that you want for you to delay um 10 would be a delay of 10 seconds but I put six for here and then we're starting a clock um and I'm I'm printing out you know sleeping for x amount of seconds and then the sleep function this is where Defender will Fast Forward it's going to go through and be like hey is you know is there a sleep function if there is I'm gonna skip it because I don't have enough time to wait around for this program to do whatever and then we're g to end the clock after it's ended I'm going to do a comparison here saying like hey the time it took for the program to start or the time time it took for the program to run versus minus uh time it took to start if it's less than you could do I if you want but I just did four and a half seconds if it's less than this 
time, I want you to exit, just don't run. Then Defender will scan it and go, hey, I'm skipping this sleep function here, and then it's going to be like, hey, this didn't do anything malicious, this is good to go. So when it actually runs at run time it's going to wait six seconds, and then it's going to go, all right, cool, and then it's going to run my shellcode through all of here. So if we actually go and build it (give it a second, generating code; this Sliver shellcode is huge), it succeeded. If we come over to the EarlyBird project here, Release, we can right-click on it, go to properties, no, show more options, scan with Microsoft Defender: no current threats. It doesn't see it, so this effectively bypasses Defender, which is great, and I'm going to copy this over to my Kali machine. So let's do that, give me one second.

I actually do have a couple of questions. The first one: "Is PetitPotam used for UNC relay? You reference the Print Spooler service, but as a local admin you don't need to leverage the Spooler service for SYSTEM." What is the UNC, like the network path? You can do that if you want. What I use PetitPotam for more is if there's a certificate service running, but yes, you can use that for a UNC relay if you want. It actually works on any machine; we could use it on Braavos as well. As long as we have a set of credentials that work, we can use that user and trigger it to coerce back to our machine, and when we coerce it back to our machine we're going to get the machine credentials relayed to us. Now, don't ever try to crack a domain computer's credentials; they're like 128 characters, you're never going to crack it. What it's good for is relaying it to a different machine that doesn't have SMB signing, or relaying it to the domain controller's LDAP, which will have LDAP signing set to false by default. So a way to secure
your environment is to have LDAP signing enabled. Hope that answers your question.

Second one: "Between GOAD and Hack The Box Zephyr, which one is better for OSEP prep?" I actually haven't done Zephyr, so I really can't answer that one. However, I will say that GOAD is great: it teaches you all the same things that you learn in the OSEP, resource-based constrained delegation, as we just saw how to build our own loader and stuff. It's very vulnerable, and you know, the SeImpersonate privileges on there; this is a great place, and it's free, so I definitely recommend it. But I do want to check out Zephyr; that is definitely another one I want to look at.

All right, I did want to show how I generated that shellcode so you guys can do it yourself. Let me come back over here; I'm missing... there we go. To generate the shellcode, all I'm doing is coming over here in Sliver, copy and then paste. We're going to do generate, -f for the type of file, shellcode; we're going to give it the mtls connection string, which is my IP (by default in the GOAD environment we are .1, we are like the router and everything, so it's just there); we're giving it that 443 listener; I want to save it to /dev/shm/payload.bin; skip symbols. It might take a second to run, but just to show you guys what it looks like. Yes, overwrite the file. Let me come over here to this one, wrong one, let's cd to /dev/shm, and we actually have a payload.bin over here, which is huge. Now, what I did to encrypt it: I have an RC4 file that just does the encryption for me. Cat it up over here, Documents/.../rc4; this is like the exact same thing we saw in the C code, it's just an RC4 encryption. So all I need to do to run it is python3, we give it the key and then the file name, so if we do ntdll.dll and then we give it the file name, which is payload.bin, it's going to go through and do its thing, and then it wrote out to
the output file. In order to get it into that C format so you can easily copy it over to your Visual Studio, you can actually use xxd. Well, before that, let's move payload.bin to buff, like this. The reason is, when you run xxd the way I'm about to show you, it will take the file name and make that the variable, so instead of having to open up that file in Visual Studio and then having to change it and have it lag and stuff, I'm just kind of skipping a step here. So we can overwrite it, yes, done. And if we do xxd -i buff into shellcode.c, it's going to look awesome. So watch: if we do regular xxd, let's do it on buff, like this, you can see it's massive, it's just a bunch of code, it means nothing. But if we do, not xxd, sorry, if we do just a head on the shellcode.c file like this, you can see it's in a format that we can actually use in our C code: an unsigned char buff array, it looks like this. And if we do a tail on shellcode.c just like this, you can see there's the buffer length, and you can see it's just under 10 megabytes, it's massive. So that's how you basically get this in the format you need. You copy that over to Visual Studio, you compile it, and then I'm actually going to copy that over locally over here.

I do have some more questions over here, let's take a look. "Did you install GOAD on your local box or with nested virtualization?" Oh, I installed it straight on my box. Just to give you a sense of what it looks like, it's just over here like this; I have it here under mnt/games/goad. All you have to do is run vagrant up and that's going to start all the virtual machines for you; they're just regular virtual machines. Then it gives you an Ansible script that, once you run it, will get everything vulnerable and set up for you. So that's all I did. The other one: "How do I avoid behavior detections? I found Sliver sessions can be killed by Defender on running Rubeus or keits." Oh, we're definitely going to
get into that one. I still get detected; it's just finding ways around it, using the tools to their strengths and knowing when they're going to get caught and whatnot. But I'm going to show you a couple of different ways to get around it, what I've used in the past and what I use now. One of the main ways that I get around Defender is just by doing everything through Linux, interacting straight with the protocols using Impacket; that's definitely one way to get around it. But with Sliver there's a couple of things you can do with execute-assembly, bypassing AMSI and a couple of different things, so I'm going to show you guys that.

But first we need to get this loader over here on our machine. Right here, so we have that. Let me secure copy it from Bo; you can see I was testing it before, it was called EarlyBird, so it should be in basically the same area, this EarlyBird, hopefully this works. Just like that, don't hack me, bro, downloading a keyboard analytics or something, and we have the file. So let's go back to evil-winrm and we'll actually show some Sliver stuff now. The best thing about evil-winrm is the upload feature, or download feature if you want, so all I've got to do is give it this file name: upload EarlyBird, just like this, give it a second. All right, and to run it, just like this. There we go: set sleep for 6 seconds, the total time taken for CPU, 6 seconds there, and we actually have our first beacon. I generated this with the beacon parameter in here; you didn't have to use the shellcode. So we can actually interact with it like this, and we are actually on this box. But since this is our own lab environment I want to make it interactive. We're going to get into the Defender part on the next machine, on Meereen. Because we're admin on the machine, I'm going to show you my favorite command in the world on how to bypass AV: it's literally just to kill it with this. So, cmd /c
and we're basically telling Defender to remove all definitions. Since khal.drogo is an admin on this box we can just remove the antivirus; now we don't have to worry about it. Sometimes that happens, you get those quick wins, and when you have them I don't even hesitate. If you're on an internal engagement and stuff, make sure you know your RoE and whatnot, whether you can do that, but in this case, like I said, it's our lab environment, I am all for it, just kill the AV. Now it won't trigger on anything that we do, which is great.

We're waiting for this machine to call back. Let's pull back over here; we can actually come over here too, you can run beacons, see when the next check-in is going to happen. I wonder if we may have lost it or something, because it says next check-in is... yeah, looks like it might have died, that's okay. Wrong one. Give that a second, and you can see Defender is still pretty decent. We got a callback now, 66, make that interactive.

There's something I haven't shown yet, which, if you're going to do any sort of enumeration, is BloodHound, and the reason I've waited to show this part is because this trips up a lot of people for a while if you try to run BloodHound right away. Got our session, so now we can just directly interact with it. Let's watch this: if I try to run BloodHound without first doing anything, just like this (you can actually run it through Sliver, SharpHound -c All for all methods), it's going to fail, and it's going to fail because we don't have credentials. Something to understand is the authentication context that we're in: we currently don't have any sort of ticket in our session. By default, Kerberos is a single sign-on protocol; that's what it's meant to do, Kerberos is just there to solve the single sign-on problem so you don't have to keep logging into different services and stuff. So in this case, if we do a klist, we don't have anything,
and actually Hack The Box has a pretty good explanation of why it's called the double-hop problem. So when you use something like evil-winrm, when you connect with network authentication, our credentials are not stored in memory, and so when you try to run SharpHound it can't authenticate. So how do you get around this? Well, you can use Rubeus, and what we're going to do is use what's called a netonly, or net logon, to create a process that will have our credentials. It's basically like running the runas command on Windows, but we're kind of doing it in a Kerberos setting. To do that you can just use the Rubeus that's installed on the machine, on Sliver. Clear that out, pop it in like this: we're just going to ask for a regular TGT for our user khal.drogo with password of horse, give it the domain, and we're telling it nowrap so we can actually copy and paste it. So you run it, no AV, no problem. And now here's something that I didn't know for a while, how to do this; this is something I learned from RastaMouse's course, so just a lot of different trainings over time. Let's grab this and I'll show you what I'm doing. In this case I captured the... we're doing execute-assembly. execute-assembly lets you run C# or .NET programs from your local file system, so my Rubeus is located here under /var/www/html/bin/Rubeus.
exe, and the -M over here just means to bypass AMSI, and -E is to bypass Event Tracing for Windows, but we have disabled AV so we don't have to do those. We do need the -i, because that means in-process; a Sliver limitation is that if you don't do it in-process it can only look at the first 256 characters or so, so you can get around that by doing it in-process. So we're going to come up to here, we're going to grab the TGT ticket that it gave us, like this, copy, paste it, come down here to the end, Ctrl+Shift+... sometimes that'll pop up, just run it again, I don't know. And it successfully created a net logon type 9 for us and it gave us a process ID that we can actually migrate into. On Cobalt Strike what you can do is steal_token and steal the token of a process ID; in Sliver our version of it is migrate. We're going to migrate into it, give it -p for the PID, 3480, then use 6a, make that interactive, just like that. And I'm going to show you what the difference is between these two. Let me actually go over to BloodHound, and I'm going to clear out the database because we're going to import our own. Yep, it's all gone, okay. We come back over here, we have our session, use 1f, and now remember we used that SharpHound; we can do it like this and it will work now. Because if we do execute (which means you can just execute a local command on the system, -o to get the output) cmd /c klist, we're just calling command prompt, giving it /c to run this program klist, we actually have tickets, versus over here where we don't. So we don't have any cached logon there, but we do here, because that's what Kerberos is, single sign-on, so we have our TGT and we also have LDAP with the Meereen domain controller. So this should work.

And to answer that question from before, how you can get around certain things: if you download the Sliver Armory there is an unhook beacon object file, and what this will do is go through and unhook any sort of
hooks that might be in the DLLs, such as ntdll. You'll see this a lot in EDRs, where they'll have a bunch of different hooks set into them, but you can actually run it here and bypass AV that way. Another method you can do, like I said, is the execute-assembly -i -M -E. I've had varied success, to be honest; I feel like Defender can be temperamental. There are times where I'll run the command and it won't get caught, and then I'll try it again and it will get caught, so it's a tug and pull game, essentially. But something else you can do, and I'll actually go into this in a little bit, is this tool called Nimcrypt2 (Nimcrypt), and I'll pull it up, which one is it, this one here. It's a .NET, PE and raw shellcode packer/loader written in Nim. You can install it, and basically it'll unhook ntdll for you, so anything that's in there, it'll bypass AMSI, Event Tracing for Windows as well, and it'll do sandbox checks, kind of like what we did before. I've actually had a lot of great success: I have a Nim Rubeus here, a Nim KrbRelayUp, and a Sharp dump tool, so you can just use this tool to make your own encrypted version, upload it to the box, and it may or may not get caught. In my case it did, but running it with the sideload parameter, which I'll showcase here in a minute, gets it through.

So anyway, you can see over here that SharpHound actually ran, because we actually gave it the correct context, we gave it the correct tickets that we needed. All right, so now we can actually import this. If we do an ls we can download this like this, and I'll just download it to our default directory, and goad. So if you come back over here you can open it up, Documents, and if we go to goad we actually have our BloodHound data here and you can import it. Now, something to note is that you can run BloodHound from Linux and it works great, but it doesn't capture everything, so even
though you can run it pretty early on and get a sense of where you want to go, what you really want to do is run it from Windows, kind of like the way I just showed you. And now that we have BloodHound, in case anyone doesn't know what it does, it's just an attack path tool; it can show you how to get from point A to point B and what's vulnerable. So we can click on "find all the domain admins" over here: we have daenerys.targaryen, she's a domain admin, and then administrator. We can see domain trusts: we can see that essos and sevenkingdoms have a domain trust. My favorite one, and I'm going to be sorry for the spaghetti thing that's going to show up, is "shortest path to high value targets". We want essos, and it showed us a bunch of stuff; let me see if I can parse through it. It's different every single time, there it is, Braavos. So let's see if I can zoom in: we have khal.drogo and we can actually see a link right here, so khal.drogo has GenericAll to viserys over here, and viserys can PS-Remote (you've got to really navigate this) to Meereen. So if we can own viserys we can actually get onto the domain controller, and it gives us that with this GenericAll option. If you right-click you can look at the help; I know it's kind of small, bear with me. If you look at the Windows abuses, it'll basically tell you that you can do a targeted Kerberoast attack on it, but you can also do a force password change, which is awesome: in the lab environment, go for it, do it. In a real-life engagement you need to check your RoE to see if that's possible, because you're forcing a password change on a user account and that may disrupt their services, their day-to-day work. An even better option, if you look at the Linux one (don't ignore the Linux one), is that you can actually come in here and do shadow credentials. Without really getting into it (trying to scroll down), essentially it's just public key infrastructure, just think public and private keys:
we can upload a public key to this user's account and we can get their hash. It has over here a way to do it through Linux, but there's also a Windows version, and this is just called Whisker; see if I can find it, just do a search for Whisker, there it is. You can download and compile the tool over here, so make sure you have your development environment so you can compile these things. But with this you can just add something to the key credential attribute, and this is what's called the shadow credentials attack. So if we come back over here, that's what we're going to do; I think it's a much better way. Since we've bypassed this, we're actually going to copy this one over here and I'll show you what I'm doing. In this case, once again, doing execute-assembly in-process, bypassing AMSI and Event Tracing for Windows (but we don't need to; we might need this -i anyway). I have downloaded the SharpCollection to my local machine, so we have Whisker, and our target is viserys, as we saw before, our domain, there's the DC, and we're actually going to save the certificate path on disk, and we're going to give it a password of, you know, password1; make yours more secure if you can. Try it again, sometimes that happens, and there it goes, it did its magic. If you want to know more about the attack, go look at and read the GitHub. But with that, it's actually telling us what we can do next: we can ask for a TGT for the user viserys, we're going to give it the certificate that we generated and pass it our password, the domain, the DC, getcredentials, show. So let's do that: we'll do Rubeus just like this, and we'll just copy and paste this. We will run into an issue with the certificate: you have to escape your backslashes, just like this, and it worked. And just like that we were able to recover the NTLM hash. So we can actually take this hash; we're going to lose our session here in a second, exit it. And if you saw earlier that we own viserys, if you saw my prompt just
like this, well, these two hashes are the same; we recovered the same hash, and now we can log on to the domain controller. And now we are on; let's do a systeminfo, hostname, just like this: Meereen. We're now on the domain controller; you can also do an ipconfig, and we're on .12. So we are now on it; however, if you look at our privileges, we have nothing. We are a very, very basic user.

I'm going to try to wrap it up here in the next few minutes, just showing the last thing. I don't think they really teach this in the OSEP, but there is a no-fix privilege escalation on all Windows domain systems. So if you come up to here, is it this one, yep: KrbRelayUp with RBCD privilege escalation. This is a no-fix local privilege escalation from a low-privilege domain user to local SYSTEM. This works if you're on a machine, so we actually could have done it on Braavos, but since we already owned it we don't need to do that. But since we're a low-privilege user on the domain controller we can actually run this to modify one of the attributes, the msDS-... I can't remember what it's exactly called. You can actually modify it through relay so that we can do an RBCD attack or shadow credentials on the domain controller. So just to quickly show that: we come over here, we're now on here, we can upload our binary, upload EarlyBird.
exe, and let me come back over here to this one. There's another tool I really like, it's called ldeep; it's a way to interact with LDAP. I hate doing manual queries through LDAP, I won't do them, but ldeep has kind of like a wrapper for it. So all we're doing is giving it the user, the password, the domain and our target, which is the domain controller, and we're looking at delegations. So Meereen, all the domain controllers, have unconstrained delegation, but there is nothing that has any sort of other delegations to it, and I want to show this before and after. So if we come back over here, let's run our EarlyBird just like this, give it a second, time taken, we actually have it now; use ca, interactive. Now in this case, for one of the users' questions: oh, we actually lost it right away. It can be a real pain; Defender can be, like I said, like it's getting in the way already. Let's do beacons; it might actually kill our beacon, yeah. Give it a second. You can also do beacons prune -d, I think that's two minutes, yep. Use 3a, make that interactive, hope it doesn't die. So sometimes you've just got to give it a few seconds to do its thing; if not, we can do everything through the beacon that we have. It works, got to wait for the check-in. But just to show you guys what we're going to do, since we're on the machine we're going to use that KrbRelayUp, and that's a tool you can download and compile yourself. Use d5, so we now have an interactive session, and I'm actually going to use this Nimcrypt that I was telling you about before. You can actually upload it; this doesn't get caught by Defender. This tool, they're the same tool, one just has more of everything compiled into it already, the other one doesn't, it's more manual. So let's use this tool, and we're going to use sideload; I've had a lot of success with sideload, it's just a way of running different binaries. This one, just paste it, let's go to the bottom, wrong tool, over
here, just like this. I'll explain what I'm doing in a second. All right, we're telling this tool to use the relay module of itself, domain essos, and then we're going to give it a computer name, Bishop Fox 2, BF, the password; we're going to tell it to create this machine because it doesn't exist. And then, if you guys have ever done any of the Juicy Potato stuff, you have to give it a CLSID for the COM object, that's what this is, give it a port, and if we run it, I think AV might actually catch it. However, if we are lucky it should still have worked. That didn't, that time, but you can keep trying it again, and that's kind of how I was able to solve this.

But that kind of wraps it up; I think we're really on time there. Let me bring this up over here; there you guys go. Yeah, I kind of wanted to finish it up, but that took a lot longer than I thought, so let me know if you guys like the content and if you want to see more of it. When I solved this lab originally I did it a different way; like I said, since it has certificate services on it, I ended up using PetitPotam to relay the domain controller to the actual Braavos endpoint, and that gave us a domain controller certificate, and from there we can actually authenticate, do secretsdump, and then own the domain that way and then escalate up. So when it comes to you guys doing it, don't ever pass up ADCS, and check out the GOAD environment; it's a great place to practice and use Sliver. But yeah, so with that, just let us know if you want to see more of this. Sorry for running over there a little bit, but thank you guys for tuning in, and yeah, keep hacking
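For a defender, the same walkthrough reads as a list of signals. The following is an added example written for this page; it is not code from the talk and not part of the Sliver, Rubeus, Whisker or KrbRelayUp projects. It applies a handful of process-command-line rules (Sysmon event 1 / Security 4688 style) and domain-controller audit rules (Security 4741, 5136, 4768) to constructed sample events. The host and account names are made up, and the MpCmdRun.exe -RemoveDefinitions form of the "remove all definitions" command is an assumption, since the talk only describes what the command does; the event IDs and the meaning of pre-authentication type 16 are standard Windows security-log semantics.

```python
"""Defender-side view of the tradecraft described in the talk.

Added example, not code from the talk or from the Sliver, Rubeus, Whisker or
KrbRelayUp projects. Sample events are constructed; the MpCmdRun.exe
-RemoveDefinitions form of the definition-removal command is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Event:
    source: str                 # "sysmon" (process creation) or "security" (DC audit log)
    event_id: int
    host: str
    fields: dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


# Command-line patterns for on-disk runs of the tools named in the talk.
# Caveat: a .NET tool run in memory through execute-assembly creates no
# process, so these rules only see the dropped-to-disk path.
CMDLINE_RULES = [
    ("defender_definitions_removed", re.compile(r"mpcmdrun(\.exe)?\b.*-removedefinitions", re.I)),
    ("rubeus_tgt_request",           re.compile(r"\basktgt\b.*/user:", re.I)),
    ("rubeus_netonly_logon",         re.compile(r"\bcreatenetonly\b", re.I)),
    ("whisker_shadow_credentials",   re.compile(r"\bwhisker(\.exe)?\b.*\badd\b", re.I)),
    ("krbrelayup_relay",             re.compile(r"\bkrbrelayup(\.exe)?\b.*\brelay\b", re.I)),
    ("sharphound_collection",        re.compile(r"\bsharphound(\.exe)?\b", re.I)),
]

# Security event 4768 Pre-Authentication Type 16 = PA-PK-AS-REQ, i.e. a TGT
# requested with a certificate (PKINIT); that is the step that turns a
# shadow-credential key into a ticket and then into an NTLM hash.
PKINIT_PREAUTH = "16"


def check_process(ev: Event) -> list[Alert]:
    """Match one process-creation event against CMDLINE_RULES."""
    cmd = ev.fields.get("CommandLine", "")
    return [Alert(name, ev.host, cmd) for name, rx in CMDLINE_RULES if rx.search(cmd)]


def check_security(ev: Event) -> list[Alert]:
    """Domain-controller audit rules that survive in-memory tool execution."""
    f = ev.fields
    if ev.event_id == 4741:
        # New computer account: the "create this machine" path of KrbRelayUp.
        return [Alert("computer_account_created_by_user", ev.host,
                      f"{f.get('SubjectUserName')} created {f.get('TargetUserName')}")]
    if ev.event_id == 5136 and f.get("AttributeLDAPDisplayName", "").lower() == "msds-keycredentiallink":
        # Shadow credentials: a key written to msDS-KeyCredentialLink (needs a SACL on the attribute).
        return [Alert("keycredentiallink_modified", ev.host,
                      f"{f.get('SubjectUserName')} modified {f.get('ObjectDN')}")]
    if (ev.event_id == 4768 and f.get("PreAuthType") == PKINIT_PREAUTH
            and not f.get("TargetUserName", "").endswith("$")):
        # Certificate logon for a user account; computer accounts with
        # auto-enrolled certificates do this legitimately, so they are skipped.
        return [Alert("pkinit_tgt_for_user", ev.host, f.get("TargetUserName", ""))]
    return []


def run(events: list[Event]) -> list[Alert]:
    """Route each event to the matching rule set and collect alerts in order."""
    alerts: list[Alert] = []
    for ev in events:
        alerts.extend(check_process(ev) if ev.source == "sysmon" else check_security(ev))
    return alerts


# Constructed sample events (not captured from any real system).
SAMPLE_EVENTS = [
    Event("sysmon", 1, "SRV01", {"CommandLine": r'cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'}),
    Event("sysmon", 1, "SRV01", {"CommandLine": r"C:\Users\alice\Rubeus.exe asktgt /user:alice /password:<redacted> /domain:corp.example /nowrap"}),
    Event("sysmon", 1, "SRV01", {"CommandLine": r"C:\Users\alice\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /show"}),
    Event("sysmon", 1, "SRV01", {"CommandLine": r"C:\Users\alice\Whisker.exe add /target:bob /domain:corp.example /dc:dc01.corp.example"}),
    Event("sysmon", 1, "DC01",  {"CommandLine": r"C:\Users\bob\KrbRelayUp.exe relay -Domain corp.example -CreateNewComputerAccount"}),
    Event("sysmon", 1, "SRV01", {"CommandLine": r"C:\Users\alice\SharpHound.exe -c All"}),
    Event("sysmon", 1, "SRV01", {"CommandLine": r"C:\Windows\System32\notepad.exe"}),          # benign, no alert
    Event("security", 4741, "DC01", {"SubjectUserName": "bob", "TargetUserName": "WS-FAKE01$"}),
    Event("security", 5136, "DC01", {"SubjectUserName": "alice", "ObjectDN": "CN=bob,CN=Users,DC=corp,DC=example",
                                     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"}),
    Event("security", 4768, "DC01", {"TargetUserName": "bob", "PreAuthType": "16"}),
    Event("security", 4768, "DC01", {"TargetUserName": "alice", "PreAuthType": "2"}),        # ordinary password logon
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"{a.host:6} {a.rule:34} {a.detail}")
```

The split between the two rule sets is the point: the talk shows Rubeus and Whisker being run in memory with execute-assembly -i -M -E, which creates no process and suppresses AMSI and ETW, so the command-line rules only fire on the dropped-to-disk runs (the loader, or the fallback when the in-memory run dies). The domain controller still records the computer-account creation (4741), the write to msDS-KeyCredentialLink (5136, which requires object-access auditing and a SACL on the attribute) and the certificate-based TGT request (4768 with pre-authentication type 16), and those are the durable signals; smart-card users also produce type 16, so the last rule is baselined against 5136 and the account's normal logon pattern rather than alerted on alone.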
Info
Channel: Bishop Fox
Views: 6,015
Keywords: bishop fox, cybersecurity services, cybersecurity research
Id: YwiSqdIhl9g
Length: 65min 45sec (3945 seconds)
Published: Wed Oct 11 2023