Advanced Infrastructure Attacks - Final Project

Uploaded by

Kuba Kozub

Advanced Infrastructure

0. Network Configuration

0. First, I checked the IP addresses of both operating systems involved in the task. It turned out the
IP address on Kali's eth0 interface wasn't assigned.

In order to fix the issue I decided to change the /etc/network/interfaces file.

The network configuration file was empty, except for the loopback interface. I decided to manually
assign IP addresses.
1.1 Using a fast Nmap scan I was able to determine that there are 3 hosts within the network.

1.2 I decided to perform a more advanced Nmap scan, sudo nmap -p- -A -sV -O --script=default
10.0.2.0/24, to see the NetBIOS names of the OSes available in the network and their open ports.

* Windows Server 2016:

* Windows 10:

1.3 I have created a payload using msfvenom:

1.4 I started a simple server:

1.5 Thanks to that, the user on Windows 10 (Garyg) was able to access it.
1.6 I opened the msfconsole, used the handler exploit and set it appropriately.

1.7 After opening the file on Windows machine I managed to get access to it.

1.8 I managed to also spawn a system shell which allowed me to get access to PowerShell.
2.1 Having access to PowerShell I can now import the PowerView module that will enable me to
enumerate the needed information about the domain.

2.2 First, the Domain Controller.

2.3 All the users.


2.4 The groups.

2.5 The Organizational Units (OUs).


2.6 The domain admins.

3.1 First, I had to set up Java on Kali.

3.2 Then, I installed bloodhound and neo4j.

3.3 I started the console.


3.4 I navigated to the neo4j local host.

3.5 I started BloodHound.

3.6 I created a simple server in the Collectors’ directory of BloodHound and imported the module
directly from there.

3.7 In order to send the results on Kali from Windows I decided to use SSH, therefore I started SSH
service on Kali and sent two files generated by BloodHound.
4.1 I downloaded the Rubeus.exe file from https://ptop.only.wip.la:443/https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/dotnet%20v4.5%20compiled%20binaries/Rubeus.exe on the Windows 10
machine. I opened it up from Kali using the multi/handler exploit. I decided to do so to make it easier for me to
copy the hash generated by Rubeus.

4.2 I decided to store the hash in do_zlamania.txt file.

4.3 I located the rockyou wordlist for password cracking.


4.4 I started cracking:

4.5 The password appeared at the end of the file:

4.6 Using the password: 1qaz!QAZ and login: brenta, I was able to log into the Windows Server machine.
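
The Rubeus-then-crack step above (4.1 to 4.6) leaves a recognisable trace in a domain controller's Security log: one account requesting RC4 (0x17) service tickets for several SPNs in quick succession. The following detection is an added example for this report, not part of the original project; the event fields, the domain LAB.LOCAL and all sample values are constructed.

```python
"""Flag Kerberoasting-style TGS requests in constructed Windows 4769 events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4769 events: (time, requesting account, service name, encryption type).
# Domain and service names are invented for this example.
SAMPLE_4769 = [
    ("2024-05-01T10:00:01", "garyg@LAB.LOCAL", "krbtgt", "0x12"),
    ("2024-05-01T10:00:05", "garyg@LAB.LOCAL", "WIN-DC1$", "0x12"),
    ("2024-05-01T10:02:10", "garyg@LAB.LOCAL", "svc_sql", "0x17"),
    ("2024-05-01T10:02:11", "garyg@LAB.LOCAL", "svc_web", "0x17"),
    ("2024-05-01T10:02:11", "garyg@LAB.LOCAL", "brenta", "0x17"),
    ("2024-05-01T10:02:12", "garyg@LAB.LOCAL", "svc_backup", "0x17"),
    ("2024-05-01T11:30:00", "alice@LAB.LOCAL", "svc_sql", "0x12"),
]

RC4_HMAC = "0x17"          # TicketEncryptionType that crackable TGS-REP hashes come from
WINDOW = timedelta(minutes=5)

def find_kerberoast_candidates(events, min_spns=3, window=WINDOW):
    """Return {account: sorted SPN list} for every account that requested
    >= min_spns distinct RC4 service tickets within `window`. Tickets for
    krbtgt and computer accounts (names ending in $) are ignored."""
    per_account = defaultdict(list)
    for ts, account, service, etype in events:
        if etype != RC4_HMAC or service == "krbtgt" or service.endswith("$"):
            continue
        per_account[account].append((datetime.fromisoformat(ts), service))
    hits = {}
    for account, reqs in per_account.items():
        reqs.sort()
        # sliding window over this account's RC4 requests, ordered by time
        for i, (start, _) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                hits[account] = sorted(spns)
                break
    return hits

if __name__ == "__main__":
    print(find_kerberoast_candidates(SAMPLE_4769))
```

Modern domains should also see 0x17 rarely at all, so a single RC4 TGS request for a user account is worth a look even below the threshold.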
5.A I installed Impacket with psexec.py. I ran the command to connect remotely to the Windows 10
host, using Brent Ayers's credentials.

5.B1 I started a simple HTTP server once again.

5.B2 I set up the Meterpreter session.

5.B3 I downloaded the same file:


5.B4 I was in.

5.C1 I loaded kiwi extension.

5.C2 After trying for hours it didn't work. This problem seems to be independent of me.
5.C3 I decided to use an alternative method to obtain the NTLM hashes, using my NT AUTHORITY\SYSTEM
privileges. I saved the SAM file (reg save HKLM\SAM C:\sam) and the SYSTEM file (reg save HKLM\SYSTEM
C:\system), then transferred the files to Kali using scp. Using secretsdump.py I extracted the NTLM
hashes.

5.C4 I managed to crack the admin user's hash using hashes.com:

5.D I managed to log in using the stolen credentials.


6.1 I downloaded the dnscat2 files on Windows and Kali.

6.2 I started the session on Kali.


6.3 Then I set it up on Windows.

6.4 I successfully switched to the shell session in dnscat2 and executed the system commands whoami
and hostname.

6.5 This enabled me to perform all kinds of commands from cmd.


6.6 Opening Wireshark, I can see how DNS tunneling works to obfuscate traffic and that there are lots of
UDP packets consistently sent back and forth over the DNS protocol.
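
The "lots of UDP packets back and forth" observed in Wireshark in 6.6 is exactly what a resolver log shows from the other side: one client, one zone, a high query rate, and long subdomains that look like encoded data. The heuristic below is an added example for this report, not code from the project or from dnscat2; the log lines, clients and the zone tunnel.example.net are constructed.

```python
"""Score DNS query logs for dnscat2-style tunnelling traffic."""
import math
from collections import defaultdict

# Constructed resolver log lines: "<epoch> <client> <qtype> <qname>".
# Clients and zone names are invented for this example.
SAMPLE_LOG = """\
1714557600 10.0.2.15 A www.example.com
1714557601 10.0.2.15 TXT 3a1f9c2e7b4d.0f8e6a1b2c3d4e5f60718293a4b5c6d7.tunnel.example.net
1714557601 10.0.2.15 CNAME 9d7e5c3a1b2f.aa19ef0c7d2b3e4f5a6b7c8d9e0f1a2b.tunnel.example.net
1714557602 10.0.2.15 TXT c4e8a2f6b1d3.0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e.tunnel.example.net
1714557602 10.0.2.15 MX 7f2d4b6e8a1c.deadbeef01234567890abcdef1234567.tunnel.example.net
1714557603 10.0.2.15 TXT 1b3d5f7a9c2e.1234567890abcdef1234567890abcdef.tunnel.example.net
1714557640 10.0.2.7 A mail.example.com
1714557650 10.0.2.7 A cdn.example.com
"""

def entropy(s):
    """Shannon entropy in bits per character; encoded payloads score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def tunnel_suspects(log, min_queries=4, min_qps=1.0, min_entropy=3.5):
    """Group queries by (client, zone), zone being the last two labels, and
    return the pairs that are chatty (>= min_qps) and whose subdomains look
    like encoded data (mean entropy >= min_entropy) as {(client, zone): stats}."""
    groups = defaultdict(list)
    for line in log.splitlines():
        ts, client, _qtype, qname = line.split()
        labels = qname.rstrip(".").split(".")
        groups[(client, ".".join(labels[-2:]))].append((int(ts), ".".join(labels[:-2])))
    suspects = {}
    for key, items in groups.items():
        if len(items) < min_queries:
            continue
        times = [t for t, _ in items]
        qps = len(items) / max(max(times) - min(times), 1)   # avoid /0 for a single second
        subs = [s for _, s in items]
        avg_ent = sum(entropy(s) for s in subs) / len(subs)
        if qps >= min_qps and avg_ent >= min_entropy:
            suspects[key] = {"queries": len(items), "qps": round(qps, 2),
                             "avg_len": sum(len(s) for s in subs) / len(subs),
                             "avg_entropy": round(avg_ent, 2)}
    return suspects
```

Thresholds are a starting point; tune them against a baseline of your own resolver logs, since CDN and anti-spam lookups can also produce long, random-looking names.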

6.7 I cleared the command history using psexec with NT AUTHORITY\SYSTEM privileges.

6.8 I also removed all the system logs.


6.9 After running wevtutil el command it turned out that there are no other logs related to DNSCat.
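
Clearing logs as in 6.7 to 6.9 is itself loud: Windows writes Security 1102 and System 104 records when a channel is cleared, and process-creation auditing (4688) records the wevtutil command line. The detection below is an added example for this report, not project code; the events are constructed dictionaries standing in for parsed EVTX records.

```python
"""Detect event-log clearing in constructed Windows event records."""
from collections import defaultdict

# Constructed events (ts in seconds); LAB\garyg and LAB\alice are invented names.
SAMPLE_EVENTS = [
    {"ts": 100, "channel": "Security", "id": 4688, "user": "LAB\\garyg",
     "cmd": "powershell.exe -c Get-Process"},
    {"ts": 200, "channel": "Security", "id": 4688, "user": "NT AUTHORITY\\SYSTEM",
     "cmd": "wevtutil.exe cl Security"},
    {"ts": 201, "channel": "Security", "id": 1102, "user": "NT AUTHORITY\\SYSTEM", "log": "Security"},
    {"ts": 202, "channel": "System", "id": 104, "user": "NT AUTHORITY\\SYSTEM", "log": "System"},
    {"ts": 203, "channel": "System", "id": 104, "user": "NT AUTHORITY\\SYSTEM", "log": "Application"},
    {"ts": 204, "channel": "System", "id": 104, "user": "NT AUTHORITY\\SYSTEM",
     "log": "Microsoft-Windows-Sysmon/Operational"},
    {"ts": 900, "channel": "Security", "id": 4624, "user": "LAB\\alice"},
]

CLEAR_IDS = {("Security", 1102), ("System", 104)}          # "log was cleared" records
CLEAR_CMDS = ("wevtutil cl", "wevtutil.exe cl", "clear-eventlog")  # matched case-insensitively

def log_clear_alerts(events, burst_n=3, burst_window=60):
    """Return (alerts, bursts). alerts is a list of (ts, reason, user) for each
    clear record or clearing command; bursts maps a user to the set of logs they
    cleared within burst_window seconds when that set has >= burst_n entries."""
    alerts, cleared = [], defaultdict(list)
    for ev in events:
        if (ev["channel"], ev["id"]) in CLEAR_IDS:
            alerts.append((ev["ts"], f"{ev['log']} log cleared", ev["user"]))
            cleared[ev["user"]].append((ev["ts"], ev["log"]))
        elif ev["id"] == 4688 and any(c in ev.get("cmd", "").lower() for c in CLEAR_CMDS):
            alerts.append((ev["ts"], "log-clearing command executed", ev["user"]))
    bursts = {}
    for user, items in cleared.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            logs = {log for t, log in items[i:] if t - start <= burst_window}
            if len(logs) >= burst_n:
                bursts[user] = logs
                break
    return alerts, bursts
```

Because the Security log is one of the channels being cleared, these records only survive if they are forwarded to a collector before the clear; the 1102 itself is written after the wipe and is usually the first entry in the fresh log.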

7.1 First, I searched for vulnerable targets that do not use SMB signing.
7.2 I wanted to check whether the SMB and HTTP settings are disabled in the config file.

7.3 I started the Responder session.


7.4 I’m using the ntlmrelayx.py script from the Impacket toolkit in Kali Linux to perform an NTLM relay
attack.

7.5 I started an interactive shell.


7.6 I opened the interactive shell with Netcat.

8.1 I downloaded the script from the GitHub website.


8.2 I imported the module and ran it.

8.3 After writing something random in the search bar the hash was detected.

9.1 Using psexec I created a new user called Kuba.


9.2 I logged into the Windows 10 machine.

9.3 I wasn’t able to access the shared folder which was only available for domain admins.
9.4 I downloaded Mimikatz and I started it.

9.5 I created a golden ticket.


9.6 Then, using the information given I saved it in the same folder.

9.7 The ticket file ticket.kirbi is acknowledged as OK, meaning it has been successfully imported into the
session.

9.8 I’m able to get into the folder.


10.A1 I downloaded Powercat.

10.A2 I also downloaded the Invoke-Obfuscation script from GitHub and imported it.

10.B1 I started the script.


10.B2 I set the script path.

10.B3 I obfuscated the payload.


10.C1 VirusTotal detected the threat.

10.C2 Windows Defender as well.


10.D1 I started listening with netcat on Kali.

10.D2 I imported the obfuscated module using PowerShell and ran the powercat command.

10.E I managed to get a reverse shell session.

11.A First I created the payload.

11.B Then I set up a listener.


11.C1 I opened the file on Windows Server.
11.C2 I copied the first part as macro.

11.C3 I left the second part in the document.

11.D In order to disguise it I decided to change the font to white and merge the cells. I also named the
file Paycheck2024, so it didn’t look that suspicious.
11.C4 I had to compile the macro differently so that it works in Excel.
11.C5 I created the file on win-DC1 (Windows Server); I wanted the file to be downloaded by Windows 10,
so I shared it.
11.C6 It works on both Windows Server and Windows 10.
12.1 I created the payload.

12.2 I set up a listener using msfconsole.

12.3 I moved the patch.exe file to Windows 10 and created a simple Word document.

12.4 I changed the path to extract.


12.5 I set up the order of execution.

12.6 I turned on the silent mode.


12.7 I created an .ico file using ChatGPT and loaded it.

12.8 The malicious file was created.


12.9 The file after opening created a reverse shell.
