Bypass AppLocker whitelisting and capture Kerberos tickets to escalate the attack. Technical walkthrough of completing the Corp room on the TryHackMe platform.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an "ethical hacker" standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use the information at your own risk. By continuing to read, you acknowledge the aforementioned user risks and responsibilities.
AppLocker is a Windows feature used to whitelist the programs that are allowed to run under a specific user account. It further lets administrators restrict execution to programs based on their path or their application publisher.
Bypass AppLocker
A bypass can occur by placing executables within the directory:
Using PowerShell to download the nc executable to the directory:
nc.exe successfully executes within the folder, bypassing AppLocker.
PowerShell history location:
Print the contents of the history file:
Extract SPNs from Windows
User enumerated to
Empire - Invoke-Kerberoast
GitHub link: https://github.com/EmpireProject/Empire
Download Invoke-Kerberoast.ps1 to the target:
Add this line inside Invoke-Kerberoast.ps1:
TGS service hash (needs to be on one line)
Crack the Kerberos 5 TGS hash
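As an added defensive counterpart to the Kerberoasting steps above (example code, not from the original writeup or the Empire project): a detection that flags the RC4 service-ticket request pattern Invoke-Kerberoast produces, as seen in Windows Security event 4769 records. The event records, field names and thresholds are constructed assumptions.

```python
"""Heuristic Kerberoasting detection over Windows Security event 4769 records.
Added example, not code from the original writeup. Invoke-Kerberoast requests
service tickets with RC4-HMAC (etype 0x17) so the hashes crack cheaply; one
account requesting RC4 tickets for several distinct SPNs in a short window is
the signal a defender can alert on."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Keys mirror the 4769 fields
# TargetUserName, ServiceName and TicketEncryptionType.
SAMPLE_EVENTS = [
    {"time": "2020-05-01T10:00:01", "user": "jdoe", "service": "MSSQLSvc/db01", "etype": "0x17"},
    {"time": "2020-05-01T10:00:02", "user": "jdoe", "service": "HTTP/web01", "etype": "0x17"},
    {"time": "2020-05-01T10:00:03", "user": "jdoe", "service": "CIFS/fs01", "etype": "0x17"},
    {"time": "2020-05-01T10:00:03", "user": "jdoe", "service": "krbtgt", "etype": "0x17"},
    {"time": "2020-05-01T10:00:10", "user": "asmith", "service": "HTTP/web01", "etype": "0x12"},
    {"time": "2020-05-01T10:00:11", "user": "asmith", "service": "CIFS/fs01", "etype": "0x12"},
    {"time": "2020-05-01T10:00:12", "user": "asmith", "service": "MSSQLSvc/db01", "etype": "0x12"},
    {"time": "2020-05-01T10:05:00", "user": "svc-backup", "service": "CIFS/fs01", "etype": "0x17"},
    {"time": "2020-05-01T11:30:00", "user": "svc-backup", "service": "HTTP/web01", "etype": "0x17"},
    {"time": "2020-05-01T12:30:00", "user": "svc-backup", "service": "MSSQLSvc/db01", "etype": "0x17"},
]

RC4_HMAC = "0x17"

def detect_kerberoast(events, window_seconds=300, min_services=3):
    """Return {user: sorted SPNs} for accounts that requested RC4 (0x17) tickets
    for at least `min_services` distinct SPNs within any `window_seconds` span."""
    window = timedelta(seconds=window_seconds)
    per_user = defaultdict(list)
    for ev in events:
        # krbtgt and machine accounts (trailing '$') are not Kerberoast targets
        if (ev["etype"].lower() != RC4_HMAC or ev["service"] == "krbtgt"
                or ev["service"].endswith("$")):
            continue
        per_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))

    flagged = {}
    for user, reqs in per_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            # advance the window start until the span fits within `window`
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            spns = {svc for _, svc in reqs[start:end + 1]}
            if len(spns) >= min_services:
                flagged[user] = sorted(spns)
    return flagged
```

With the sample data only jdoe is flagged: asmith's requests use AES (0x12) and svc-backup's RC4 requests are spread over hours, so a real deployment tunes the window and threshold to the environment's normal service-ticket traffic.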
Log in as the user
Started session with
Escalate Privileges with PowerUp.ps1
Download to the target:
(caught by AV in my case)
Check Unattend.xml for cleartext passwords
The password is Base64 encoded by default.
Log in as Administrator