As the title implies, it’s been quite the week of learning. I was furiously attempting to finish the course I’m taking so that I can move onto another one. The one right now has a little bit of everything when it comes to hacking. The next one will focus directly on privilege escalation for Windows, and I’m looking forward to that!
Most of this week has been dedicated to hacking Windows, and playing around with PowerShell to manipulate a computer. There were also some awesome enumeration tools that I was introduced to. Those included PowerView, BloodHound, smbenumgpp, and winPEAS.
Following the enumeration, I learned about some attacks that were pretty awesome. It was impressive how easy it was to take advantage of the convenience of an Active Directory system. Kerberoasting was fun, and used a ticket granting service to make Windows give you the hash dumps. From there, it was simply a matter of obtaining the passwords with hashcat. Those passwords were then used to gain access to the domain controller. Although not every pen testing environment will offer the same playground, it was important to understand how the system worked in order to open my eyes up to the challenges of a client’s Windows network. It also showed me just how important it is to make sure that a network and all of its users employ very strong passwords of over 14 characters. In addition, the environment I was playing in gave domain admin to local user accounts on workstations. That made it rather easy to hack as well.
The next attack used Group Policy Preferences, which is what allows admins to create their policies using embedded credentials. The creds were in a place called cPassword, which was found in a file called groups.xml. To get to the file, there was a bit of post-compromise privilege escalation so that I could get to a folder called SYSVOL. Using a tool called ‘gpp-decrypt’ I was able to paste the hash from that XML file. After that, I just did some further privilege escalation using a Python program called psexec, which gave me a shell.
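A defender-side check for the Group Policy Preferences issue described above, added here as an example (it is not code from this post or from the TCM course): it walks a SYSVOL-style tree and reports every GPP XML file that still carries a cPassword attribute, without decoding anything. The sample XML, the GPO folder names and the placeholder cpassword value are all constructed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that can carry an embedded credential.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}

def find_cpassword_entries(xml_text):
    """One dict per <Properties> element carrying a cPassword attribute.
    The attribute name is matched case-insensitively (real files write
    'cpassword'); the value is reported as present, never decoded."""
    findings = []
    for props in ET.fromstring(xml_text).iter("Properties"):
        attrs = {k.lower(): v for k, v in props.attrib.items()}
        if "cpassword" in attrs:
            account = attrs.get("username") or attrs.get("runas") or "<unknown>"
            findings.append({"account": account, "action": attrs.get("action", "")})
    return findings

def scan_sysvol(sysvol_root):
    """Walk a SYSVOL-style tree and flag every GPP file holding a cPassword."""
    results = []
    for dirpath, _, filenames in os.walk(sysvol_root):
        for name in filenames:
            if name.lower() in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as fh:
                    results += [{"file": path, **h} for h in find_cpassword_entries(fh.read())]
    return results

# Constructed sample policies; the cpassword value is a made-up placeholder.
SAMPLES = {
    "{GPO-WITH-CRED}": """<Groups><User name="svc_backup"><Properties action="U"
        userName="svc_backup" cpassword="PLACEHOLDER_NOT_REAL"/></User></Groups>""",
    "{GPO-CLEAN}": """<Groups><Group name="Administrators (built-in)"><Properties
        action="U" groupName="Administrators (built-in)"/></Group></Groups>""",
}

def demo_scan():
    """Write the samples into a throwaway SYSVOL layout, scan it, return hits."""
    with tempfile.TemporaryDirectory() as root:
        for gpo_guid, xml_text in SAMPLES.items():
            folder = os.path.join(root, "Policies", gpo_guid, "Machine", "Preferences", "Groups")
            os.makedirs(folder)
            with open(os.path.join(folder, "Groups.xml"), "w", encoding="utf-8") as fh:
                fh.write(xml_text)
        return scan_sysvol(root)
```

Calling `demo_scan()` returns one finding for the `svc_backup` entry and nothing for the clean policy; point `scan_sysvol()` at a real SYSVOL share to audit it the same way.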
After plenty of playing with the last two attacks, I moved on to the most fun part of what I was learning. It’s a program called ‘Mimikatz’ found on GitHub. It was from a GitHub account called gentilkiwi. So much fun! It was pretty much simply a tool used to view and steal credentials. The attacks that Mimikatz makes possible are plenty: cred dumping, pass-the-hash, over-pass-the-hash, pass-the-ticket, golden ticket, and silver ticket. I’m sure there’s more, but these were the main ones taught by TCM. The Mimikatz tool doesn’t work all the time, and that’s because the developers don’t always update it when Windows releases a patch, but it worked great in my lab.
So far in the week, I was able to cover enumeration and exploitation (and a little bit of priv esc), but next, I went into some more advanced privilege escalation. The first was a simple strategy to upload malicious files. With access to the machine, I just had to look for folders to which I had write privileges. Then, I could use certutil.exe to download the file to the server. I hosted it on the Kali box using an FTP server on port 21. Using msfvenom, I created an executable with a reverse shell. To maintain access, I added a user. I’m not so sure how great that would be on a penetration test because it leaves the chance of a mistake by forgetting to delete the account after the assessment; but it was a great technique for learning purposes.
Toward the end of the week, I did some basic networking things. I’ve been admin on so many networks that this was a pretty easy concept to master. It centered around pivoting from one network to another if a workstation had access to both.
So with that, I was pretty much done with the Windows portion of the learning. Like I mentioned before, there’s a ton more to learn, and I look forward to it. My next course will concentrate solely on that.